Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Amazon Web Services · Free Practice Questions · Last reviewed May 2026

SAA-C03 Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

65 exam questions
130 min time limit
Pass: 720/1000
4 exam domains

Domain 1: Design Secure Architectures

30% of exam · 6 sample questions below

Q1 · easy

A Lambda function needs to read the current value of exactly one AWS Secrets Manager secret at startup. Which least-privilege IAM permission (action and resource scope) should you grant to the Lambda execution role?

A

secretsmanager:ListSecrets on all secrets (resource set to "*")

B

secretsmanager:GetSecretValue on only the secret’s full ARN

GetSecretValue is the specific action required to retrieve the secret value. Scoping the permission to the secret’s full ARN ensures the Lambda role can read only that secret and cannot access other secrets.

C

secretsmanager:UpdateSecret on the specific secret ARN

D

secretsmanager:DescribeSecret on all secrets (resource set to "*")

Why: The Lambda function needs to read the current value of exactly one secret at startup. The least-privilege permission is `secretsmanager:GetSecretValue` scoped to that secret's full ARN. This action retrieves the secret value, and restricting the resource to the specific ARN ensures the function cannot access any other secrets.

Q2 · easy

A security team requires that every object uploaded to s3://secure-bucket/uploads/ must be encrypted using SSE-KMS with a specific customer-managed KMS key. Which S3 bucket policy condition approach best enforces this requirement for PutObject requests?

A

Deny PutObject unless s3:x-amz-server-side-encryption equals "aws:kms" and s3:x-amz-server-side-encryption-aws-kms-key-id equals the required CMK ARN

This enforces the encryption choice at upload time by validating the request headers that specify SSE-KMS and the exact KMS key ID/ARN. Using a Deny condition ensures uploads that do not include the correct SSE-KMS headers (for example, unencrypted uploads or uploads using a different KMS key) are rejected immediately.

B

Allow PutObject only when aws:SecureTransport is true; encryption is then guaranteed automatically

C

Deny PutObject if the request includes Content-Type other than "application/octet-stream"

D

Deny PutObject when the caller’s role is not allowed to kms:Decrypt in their IAM policy

Why: Option A is correct because it uses a Deny effect with the s3:x-amz-server-side-encryption condition key set to 'aws:kms' and the s3:x-amz-server-side-encryption-aws-kms-key-id condition key set to the specific customer-managed KMS key ARN. This ensures that any PutObject request that does not include both the required encryption header and the exact KMS key identifier is denied, enforcing the encryption requirement at the bucket policy level.

Q3 · medium

An application in Account B (IAM role arn:aws:iam::account-b:role/app-read) reads objects from an S3 bucket in Account A. The bucket uses SSE-KMS with a customer-managed KMS key in Account A. Object reads consistently fail with an error that includes "AccessDenied" and "kms:Decrypt".

The IAM permissions in Account B for kms:Decrypt are correct, but the requests still fail.

Which change will most directly fix the failure?

A

Add kms:Decrypt to the KMS key policy in Account A for the Account B role arn:aws:iam::account-b:role/app-read, and remove kms:Decrypt from the role policy in Account B.

B

Update the IAM role in Account B to use the s3:GetObject permission only, and rely on S3 to authorize KMS decrypt automatically.

C

Modify the KMS key policy in Account A to allow kms:Decrypt for the Account B role arn:aws:iam::account-b:role/app-read, using the appropriate cross-account conditions (for example, allowing the use via S3 and the expected encryption context for the bucket).

For SSE-KMS, S3 must call KMS Decrypt when serving objects. KMS authorization is evaluated against the KMS key policy in Account A in addition to the identity policy in Account B. If the error includes kms:Decrypt AccessDenied in a cross-account scenario, the most direct fix is to update the KMS key policy to allow the Account B role to use the key for decrypt (often with conditions tied to S3 usage and the specific bucket/object encryption context).

D

Switch the S3 bucket encryption from SSE-KMS to SSE-S3, keeping all existing IAM and KMS configuration unchanged.

Why: Option C is correct because when using SSE-KMS with a customer-managed KMS key in a cross-account scenario, the KMS key policy must explicitly grant the external IAM role (arn:aws:iam::account-b:role/app-read) permission to perform kms:Decrypt. Even if the IAM role in Account B has the correct kms:Decrypt permission, the KMS key policy in Account A acts as a resource-based policy that must also allow the cross-account principal. Without this, the KMS service denies the decrypt request, resulting in the 'AccessDenied' error.

Q4 · medium

A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/ . The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/".

The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys.

Which IAM policy change best enforces least privilege for both ListBucket and GetObject?

A

Keep s3:ListBucket allowed on arn:aws:s3:::customer-data, but restrict s3:GetObject to arn:aws:s3:::customer-data/exports/acme/*.

B

Allow s3:ListBucket on arn:aws:s3:::customer-data only when s3:prefix equals "exports/acme/" (for example, using a StringEquals condition on s3:prefix). Also allow s3:GetObject only on arn:aws:s3:::customer-data/exports/acme/*.

ListBucket must be authorized at the bucket ARN level, then scoped using a Condition on the request prefix (so only the approved listing prefix is allowed). GetObject is authorized at the object ARN level and is restricted to exports/acme/*, preventing reads outside the prefix.

C

Allow s3:ListBucket only on arn:aws:s3:::customer-data/exports/acme/* and allow s3:GetObject on arn:aws:s3:::customer-data/*.

D

Add a Deny statement for s3:GetObject outside arn:aws:s3:::customer-data/exports/acme/*, but keep s3:ListBucket unrestricted on arn:aws:s3:::customer-data.

Why: Option B is correct because it uses an s3:prefix condition with StringEquals on the ListBucket action to restrict listing to exactly 'exports/acme/', preventing the role from enumerating other tenants' objects. It also restricts GetObject to the same prefix using a resource ARN of arn:aws:s3:::customer-data/exports/acme/*, ensuring least privilege for both read operations. This combination enforces the principle of least privilege by scoping both actions to the specific tenant prefix.

Q5 · hard

A platform team lets project administrators create IAM roles for workloads in their own AWS accounts, but every role must stay inside a fixed security baseline. The organization also wants to block all member accounts from using AWS Regions outside us-east-1 and us-west-2. Which three controls should be used? Select three.

A

Attach a permissions boundary to each role created through the delegation process.

A permissions boundary caps the maximum permissions a created role can ever receive, even if an administrator later attaches broader policies. This is the right mechanism for a fixed security baseline on delegated role creation.

B

Require iam:PermissionsBoundary in the role creation policy so every new role must include the approved boundary.

The creation policy should enforce that the boundary is present at creation time. This prevents a delegated admin from simply omitting the boundary and creating a role that exceeds the approved limit.

C

Use an SCP to deny actions in all AWS Regions except us-east-1 and us-west-2.

An SCP is the correct organizational guardrail for region restrictions across member accounts. It applies broadly and consistently, which is ideal for blocking unapproved Regions regardless of the local IAM configuration.

D

Grant AdministratorAccess to the project administrators and rely on later audits for enforcement.

E

Use an AWS Config rule alone to stop role creation if the permissions are too broad.

Why: Option A is correct because attaching a permissions boundary to each role created through delegation ensures that even if a project administrator grants excessive permissions, the effective permissions are limited by the boundary. This enforces the fixed security baseline without preventing administrators from creating roles within those constraints.

Q6 · easy

A company serves private images stored in S3 through Amazon CloudFront. Only authenticated users should be able to access each image, and access should expire after 1 hour. Which CloudFront feature best meets this requirement?

A

Signed URLs or signed cookies with an expiration time of 1 hour

Signed URLs/cookies provide cryptographic, edge-enforced authorization for specific CloudFront resources and include an expiration timestamp. After expiry, CloudFront rejects requests (for example, with 403) without needing the origin to handle time-based authorization.

B

A WAF rule that blocks requests without valid JWTs, without using signed URLs

C

Turning on S3 bucket public access block, without any CloudFront viewer authentication

D

Enabling CloudFront geo restriction to allow only one country

Why: Signed URLs or signed cookies allow CloudFront to grant temporary access to private content by embedding authentication information (policy, signature, key pair ID) directly in the request. By setting an expiration time of 1 hour in the policy statement, access automatically becomes invalid after that period, meeting both the authentication and expiry requirements without exposing the S3 bucket publicly.


Domain 2: Design Resilient Architectures

26% of exam · 6 sample questions below

Q1 · medium

An order-processing service consumes messages from an Amazon SQS Standard queue using a custom worker. During traffic spikes, the worker occasionally times out after performing some work but before acknowledging the message, so SQS redelivers it and it may be processed again.

You also observe that a small set of “poison” messages always fail validation.

What change most directly improves resilience by (1) preventing poison messages from retrying indefinitely and (2) avoiding duplicate side effects caused by legitimate retries?

A

Increase the SQS visibility timeout and, when validation fails, call DeleteMessage in the consumer to remove the message immediately.

B

Move to SNS topics with subscriptions and rely on SNS to provide exactly-once delivery to eliminate duplicates automatically.

C

Configure a dead-letter queue (DLQ) with a redrive policy that moves messages after maxReceiveCount, and implement idempotent processing in the consumer using an idempotency key.

SQS Standard is at-least-once delivery, so timeouts can cause redelivery and duplicates. A DLQ with a redrive policy prevents poison messages from retrying forever by moving them after repeated failures. Idempotent processing (for example, storing a processed marker in a database with conditional logic keyed by an idempotency key) prevents duplicate side effects when retries occur for valid messages.

D

Change the queue to FIFO and enable content-based deduplication, leaving the consumer logic unchanged.

Why: Option C is correct because a dead-letter queue (DLQ) with a maxReceiveCount redrive policy directly addresses the poison message problem by moving messages that repeatedly fail validation out of the main queue after a set number of retries, preventing indefinite retries. Implementing idempotent processing using an idempotency key ensures that even if a legitimate message is redelivered due to a visibility timeout, the consumer can detect and skip duplicate side effects, thus solving both requirements most directly.

Q2 · medium

Based on the exhibit, the application sees several minutes of connection errors during an Aurora failover. What is the best change to reduce failover impact?

A

Change the application to use the Aurora cluster writer endpoint and retry transient connections.

The current configuration targets a specific instance endpoint, which becomes stale after failover. The Aurora cluster writer endpoint always resolves to the current writer, so the application can reconnect without manual endpoint changes. Adding retries with backoff helps the application survive the short DNS and connection transition during failover.

B

Add an Aurora read replica and keep using the same JDBC URL.

C

Increase the EC2 instance size of the application servers.

D

Switch to a single-AZ RDS PostgreSQL instance for simpler connectivity.

Why: The Aurora cluster writer endpoint always points to the current primary instance, even after a failover. By using this endpoint and implementing retry logic for transient connection errors, the application can automatically reconnect to the new writer without manual intervention, reducing the impact of the failover from several minutes to seconds.

Q3 · medium

A payments service receives payment orders by consuming messages from an Amazon SQS Standard queue. The downstream processor occasionally exceeds its processing timeout. As a result, some messages reappear in the queue and may be processed more than once.

The team wants to prevent duplicate side effects (for example, double-charging) and also ensure poison messages do not repeatedly consume processing capacity.

What approach best satisfies both goals?

A

Implement idempotent processing (for example, store processed payment IDs in DynamoDB) and configure an SQS dead-letter queue (DLQ) using a redrive policy with an appropriate maxReceiveCount.

With SQS Standard’s at-least-once delivery, duplicates can occur. Idempotency ensures repeated processing of the same payment ID does not create duplicate side effects. A DLQ with redrive policy isolates poison messages: after a message is received and fails processing more than maxReceiveCount times, SQS moves it to the DLQ instead of cycling it back to the main queue indefinitely.

B

Rely only on increasing the SQS visibility timeout so duplicates rarely occur, without adding idempotency checks or a DLQ.

C

Switch to a FIFO queue and delete messages immediately upon receipt to avoid duplicates.

D

Move the workload to SNS and use synchronous HTTP endpoints so the sender retries until the receiver confirms success.

Why: Option A is correct because it addresses both requirements: idempotent processing (e.g., storing processed payment IDs in DynamoDB) ensures that even if a message is processed more than once, duplicate side effects like double-charging are prevented. Configuring an SQS dead-letter queue (DLQ) with a redrive policy and an appropriate maxReceiveCount (e.g., 3 or 5) automatically moves messages that exceed the maximum number of receives to the DLQ, preventing poison messages from repeatedly consuming processing capacity.

Q4 · medium

A company runs an application behind an Application Load Balancer (ALB). An Auto Scaling group (ASG) is configured with desired capacity 2, but it is attached only to subnets in a single Availability Zone. The ALB is healthy because it is configured across multiple Availability Zones.

When the Availability Zone that contains the ASG subnets experiences an outage, what change most directly improves resilience and allows capacity to be restored automatically?

A

Update the ASG to use subnet IDs that span at least two Availability Zones so it can launch replacement instances after an AZ outage.

If the ASG is attached to subnets in multiple Availability Zones, when instances in the failed AZ become unhealthy/terminate, Auto Scaling can launch new instances in the remaining AZs to restore the desired capacity. This directly addresses the root cause: the ASG cannot create capacity outside the AZs it is configured for.

B

Reduce the ALB health check interval to speed up detection of unhealthy targets.

C

Enable connection draining on the ALB so existing requests complete before targets are terminated.

D

Increase the ASG desired capacity from 2 to 6 to compensate for the missing subnets.

Why: Option A is correct because an Auto Scaling group (ASG) can only launch instances into the subnets explicitly assigned to it. If those subnets reside in a single Availability Zone (AZ) and that AZ fails, the ASG has no capacity to launch replacement instances, even though the ALB is multi-AZ. By configuring the ASG with subnet IDs spanning at least two AZs, the ASG can automatically launch instances in a healthy AZ, restoring capacity and resilience.

Q5 · hard

Based on the exhibit, DNS still sends traffic to the primary Region even though Route 53 health checks show the primary endpoint is unhealthy. What is the best change to make failover work as intended?

A

Change both records to weighted routing with a 50/50 split so Route 53 can shift traffic gradually.

B

Use a failover routing policy with a primary record and a secondary record, and attach the health check to the primary record.

Failover routing is designed for active-passive DNS behavior. With a primary and secondary record, Route 53 answers with the primary record when it is healthy and returns the secondary record when the primary health check fails. The exhibit shows simple routing, which does not express the failover intent. Switching to failover routing aligns the DNS policy with the stated requirement.

C

Switch to latency-based routing so users are always directed to the lowest-latency Region.

D

Use geolocation routing so clients in one Region are sent to the healthier endpoint.

Why: Option B is correct because a failover routing policy with a health check attached to the primary record is the only configuration that allows Route 53 to automatically stop sending traffic to an unhealthy primary endpoint and redirect it to the secondary endpoint. Without the health check attached to the primary record, Route 53 has no mechanism to detect the failure and will continue routing traffic to the primary Region, even if the health check status shows unhealthy.

Q6 · medium

Based on the exhibit, the web application must remain available even if one Availability Zone fails. What is the best change to improve resilience with the least redesign?

A

Increase DesiredCapacity to 4 while keeping all instances in subnet-a1.

B

Add subnet-b1 in a different Availability Zone to the Auto Scaling group.

This spreads EC2 instances across two Availability Zones, so the Auto Scaling group can continue serving traffic if one AZ becomes unavailable. Because the ALB is already deployed in both subnets, this is the smallest change that adds true zonal resilience to the compute tier.

C

Replace the Application Load Balancer with a Network Load Balancer.

D

Enable EBS encryption on the launch template volumes.

Why: Adding subnet-b1 in a different Availability Zone to the Auto Scaling group ensures that EC2 instances are launched across two Availability Zones. If one zone fails, the ALB can route traffic to healthy instances in the other zone, maintaining application availability. This change requires minimal redesign because it only modifies the Auto Scaling group's subnet configuration without altering the load balancer or compute architecture.


Domain 3: Design High-Performing Architectures

24% of exam · 6 sample questions below

Q1 · medium

A Lambda function behind API Gateway has predictable traffic spikes every hour. The function does not need access to resources in a VPC, and p95 latency spikes are caused by cold starts during scale-out. Which two actions are most effective? Select two.

A

Enable provisioned concurrency for the function.

Provisioned concurrency keeps a pool of initialized execution environments ready to handle requests. That removes most cold-start delay and is the most direct way to stabilize p95 latency during predictable bursts.

B

Remove the function from a VPC because it has no VPC dependencies.

If the function does not need private network access, keeping it out of a VPC avoids the extra networking setup associated with VPC-enabled Lambdas. That reduces startup overhead and helps new execution environments become available faster.

C

Set reserved concurrency to a low fixed number.

D

Increase the Lambda timeout to 15 minutes.

E

Add an SQS dead-letter queue to reduce startup latency.

Why: Option A is correct because provisioned concurrency pre-warms a specified number of Lambda execution environments, eliminating cold starts for those instances. This directly addresses the p95 latency spikes caused by cold starts during predictable traffic spikes, as the function will have warm containers ready to handle incoming requests without the initialization delay.

Q2 · medium

An Aurora PostgreSQL application has an OLTP writer and a reporting dashboard that issues many read-only queries. The writer is healthy, but read latency rises noticeably during reporting windows. Which two changes should you make? Select two.

A

Add Aurora Replicas to scale out the read workload.

Aurora Replicas provide additional read capacity, which lets you spread read-only traffic away from the writer instance.

B

Send read-only application traffic to the reader endpoint.

The reader endpoint automatically distributes reads across available replicas, reducing load on the writer and improving throughput.

C

Scale up only the writer instance and keep all queries on it.

D

Replace the cluster with a single-AZ RDS instance to reduce replication overhead.

E

Move the dashboard to DynamoDB without changing the query model.

Why: Adding Aurora Replicas (Option A) is correct because Aurora Replicas are dedicated read-only instances that share the same underlying storage volume as the writer, allowing you to scale read capacity linearly without impacting write performance. Sending read-only traffic to the reader endpoint (Option B) is correct because the reader endpoint automatically load-balances connections across all available Aurora Replicas, ensuring that dashboard queries are distributed and do not overload a single instance.

Q3 · medium

A production application writes to an Amazon Aurora PostgreSQL cluster. Users report that during business-hour reporting runs, write latency increases. The application team wants to keep the writer focused on OLTP writes while still providing low-latency reads for reporting queries. What architectural approach should the solutions architect recommend?

A

Create Aurora read replicas and direct reporting read-only connections to the cluster reader endpoint.

Read replicas offload read workloads from the writer. Using the reader endpoint lets reporting queries use replicas, improving write responsiveness.

B

Resize the writer instance to a larger class so it can handle both writes and reads with fewer slowdowns.

C

Enable cross-region replication for the entire cluster so reporting always runs in the secondary Region.

D

Disable read replicas and use caching only in the application layer, keeping all queries connected to the writer endpoint.

Why: A is correct because creating Aurora read replicas and directing reporting read-only connections to the cluster reader endpoint offloads read traffic from the writer instance. This allows the writer to focus on OLTP writes, while the reader endpoint load-balances read-only queries across replicas, providing low-latency reads for reporting without impacting write performance.

Q4 · medium

A DynamoDB table stores device status items. The partition key is deviceId, and the partition distribution is healthy (no single partition dominates). However, during peak periods the application experiences high read latency because many clients repeatedly request the latest status for the same devices. Which action best improves read latency without changing the DynamoDB partitioning model?

A

Add Amazon DAX as a caching layer in front of DynamoDB and route repeated read operations through DAX.

Amazon DAX is an in-memory caching layer for DynamoDB that accelerates repeated reads. When many clients request the same items (for example, “latest status” point reads by deviceId), DAX can serve cached responses directly, reducing round trips to DynamoDB and lowering read latency during peak periods.

B

Change the partition key to a random value for each request to eliminate hot partitions.

C

Increase write capacity only, because writes generally determine read latency in DynamoDB.

D

Create an additional Global Secondary Index (GSI) and read exclusively from the index to accelerate reads.

Why: Amazon DAX is a fully managed, in-memory cache for DynamoDB that provides microsecond read latency. By caching the results of repeated GetItem and Query requests for the same device status items, DAX offloads read traffic from the underlying DynamoDB table, reducing the number of read capacity units consumed and eliminating the latency caused by repeated fetches from disk. This directly addresses the high read latency during peak periods without altering the existing partition key or partitioning model.

Q5 · medium

A team is splitting a new workload into two fronts. The first front serves HTTPS microservices that need host- and path-based routing plus health checks. The second front must handle TCP and UDP traffic for a real-time service and preserve static IP addresses for firewall allowlisting. Which two AWS load balancer choices best match these requirements? Select two.

A

Application Load Balancer

Application Load Balancer supports HTTP and HTTPS routing with host- and path-based rules, making it ideal for microservices.

B

Network Load Balancer

Network Load Balancer handles TCP and UDP traffic and can preserve stable IP addresses for allowlisting.

C

Amazon API Gateway

D

Amazon CloudFront

E

Gateway Load Balancer

Why: The Application Load Balancer (ALB) is correct because it supports host-based and path-based routing for HTTP/HTTPS traffic, which is essential for the microservices front. It also provides health checks at the target group level, enabling automatic routing away from unhealthy instances. ALB operates at Layer 7, making it ideal for the HTTPS microservices requirement.

Q6 · medium

An API team runs an AWS Lambda function behind an Application Load Balancer (ALB). During predictable hourly traffic spikes, p95 response latency increases due to occasional cold starts. The team wants stable latency during those spikes without permanently overprovisioning resources for all functions. Which configuration is the most appropriate way to reduce cold starts for this Lambda function?

A

Publish a version of the function and configure provisioned concurrency on an alias, using autoscaling for the alias.

Provisioned concurrency pre-initializes execution environments for a specific published function version. By attaching provisioned concurrency to an alias, you can control warm capacity and (with the right settings) autoscale the provisioned capacity for predictable spike patterns, reducing cold-start-driven latency increases.

B

Increase the function memory size and rely on faster initialization to reduce cold starts.

C

Set reserved concurrency equal to the expected peak requests per second for the function.

D

Use an event source mapping with a higher batch size so Lambda triggers earlier and keeps the runtime warm.

Why: Provisioned concurrency initializes a specified number of execution environments in advance, keeping them warm and ready to handle requests without cold start latency. By configuring provisioned concurrency on an alias with autoscaling, the team can dynamically adjust the number of pre-warmed environments to match predictable traffic spikes, avoiding permanent overprovisioning while ensuring stable p95 latency.


Domain 4: Design Cost-Optimized Architectures

20% of exam · 6 sample questions below

Q1 · easy

You store application logs in an S3 bucket. After 30 days, the logs are rarely accessed, but you must retain them for 1 year for compliance. Which S3 feature is the best way to reduce storage cost while meeting the retention requirement?

A

Create an S3 lifecycle rule to transition older objects to a colder storage class after 30 days, then expire after 1 year

S3 lifecycle policies can automatically transition objects to lower-cost storage classes based on age. Transitioning after 30 days reduces ongoing storage costs because the logs are rarely accessed, while expiring after 1 year ensures you still meet the compliance retention window.

B

Keep all logs in S3 Standard and rely on lower request rates to reduce cost

C

Copy logs to EBS snapshots each week and delete the original files

D

Use S3 replication to a second bucket in another region to reduce costs

Why: Option A is correct because an S3 Lifecycle rule can automatically transition objects from S3 Standard to a colder storage class (e.g., S3 Glacier Instant Retrieval or S3 Glacier Deep Archive) after 30 days, reducing storage costs for rarely accessed logs. After 1 year, the rule can expire the objects, which permanently deletes them, meeting the compliance retention requirement without manual intervention.

Q2 · easy

CloudWatch metrics show your EC2 instances have average CPU utilization around 10% with stable performance over several weeks. The application does not require additional headroom right now. What is the most effective cost-optimization action?

A

Right-size the instances to a smaller size that matches the observed utilization

Right-sizing reduces cost by matching instance capacity to actual demand. If average CPU is consistently low (around 10%) and performance is stable, it strongly indicates overprovisioning. Moving to a smaller instance (or a smaller size within the same family) typically lowers hourly cost while maintaining sufficient capacity for the workload.

B

Increase the Auto Scaling desired capacity to add more instances

C

Switch to Spot Instances immediately even though interruptions would impact users

D

Disable detailed monitoring to reduce CPU usage from the monitoring agent

Why: Right-sizing EC2 instances to match observed utilization is the most effective cost-optimization action because the current instances are over-provisioned (average CPU at 10%). By selecting a smaller instance type that aligns with the actual workload, you reduce hourly costs without impacting performance, as the application has stable behavior and no need for headroom.

Q3 · medium

A marketing site serves versioned JavaScript and CSS files from Amazon S3 through CloudFront. The origin bill is rising because CloudFront keeps fetching the same files too often, and the application never changes a file at the same URL once it is published. Which two changes should you make? Select two.

A

Set long-lived Cache-Control headers, such as a high max-age and immutable policy, on the versioned assets.

Versioned assets are ideal for long cache lifetimes because their URLs change when the content changes. Strong Cache-Control headers let CloudFront serve more requests from edge locations instead of repeatedly fetching the same files from S3.

B

Configure the CloudFront cache policy to avoid forwarding unnecessary query strings, headers, and cookies.

A smaller cache key improves the cache hit rate because more viewer requests map to the same cached object. Avoiding unnecessary request attributes also reduces origin fetches and lowers the bandwidth sent to the origin.

C

Move the static assets to an EC2 web server behind an Application Load Balancer.

D

Disable CloudFront caching so every request always reaches the origin.

E

Add more viewer-facing headers to the cache key so each browser variation gets a unique cached object.

Why: Option A is correct because setting long-lived Cache-Control headers (e.g., `max-age=31536000` and `immutable`) on versioned assets tells CloudFront and browsers to cache the files aggressively. Since the application never changes a file at the same URL, this eliminates redundant origin fetches, directly reducing the origin bill.

Q4 · easy

An application serves static images through Amazon CloudFront. The team observes higher-than-expected origin fetches, which increases origin bandwidth costs. Which change most directly improves CloudFront cache reuse to reduce origin requests for the static content?

A

Set appropriate Cache-Control headers (or origin cache settings) so CloudFront caches responses longer

Cache headers and TTL determine how long objects are kept in CloudFront’s edge caches. Longer caching for static assets increases the cache hit ratio, reducing how often requests must go back to the origin.

B

Disable caching for the distribution so every request goes back to the origin

C

Configure CloudFront to forward all request headers and query strings to the origin

D

Move the S3 bucket to a different AWS Region, without changing CloudFront caching behavior

Why: Option A is correct because setting appropriate Cache-Control headers (e.g., max-age or s-maxage) or configuring origin cache settings tells CloudFront how long to keep objects in its edge cache before revalidating with the origin. By extending the cache duration, CloudFront serves more requests from its cache, reducing the number of origin fetches and lowering bandwidth costs.

Q5 · easy

Your team runs a batch processing workload on EC2 that can tolerate interruptions. If an instance is terminated, the job can restart from checkpoints. To reduce compute costs, what is the most cost-optimized approach?

A

Use EC2 Spot Instances for the batch workers

Spot provides significantly lower pricing than On-Demand for interruptible workloads. Because the workload can restart from checkpoints, termination interruptions are acceptable and the application can recover efficiently, meeting both correctness and throughput requirements at a lower cost.

B

Use Dedicated Hosts to ensure capacity for the cheapest instance

C

Use On-Demand instances and schedule extra runs to offset interruptions

D

Use Reserved Instances only, because they eliminate instance termination events

Why: Spot Instances are ideal for fault-tolerant, interruption-tolerant batch workloads because they offer significant cost savings (up to 90% compared to On-Demand) while allowing the job to resume from checkpoints if terminated. This aligns perfectly with the requirement to reduce compute costs without compromising the ability to restart interrupted jobs.

Q6 · medium

An internal rendering job runs on EC2 workers in an Auto Scaling group. Each job writes checkpoints every few minutes to S3 and can resume from the latest checkpoint after an interruption. The queue depth varies sharply, and the team wants the lowest possible compute cost. Which two changes should they make? Select two.

A

Run the worker fleet on EC2 Spot Instances.

Spot Instances usually provide the lowest EC2 compute price and fit workloads that can tolerate interruption. Because the job checkpoints to S3, the application can resume after Spot interruptions without losing all progress.

B

Purchase Dedicated Hosts so the fleet keeps physical servers reserved for the workload.

C

Use a Mixed Instances Policy with several compatible instance types and Spot capacity-optimized allocation.

Diversifying instance types improves the chance that Auto Scaling can obtain cheap Spot capacity. A mixed policy also reduces the risk of a single instance type shortage stopping the job fleet.

D

Run the entire fleet on On-Demand Instances to avoid any interruption risk.

E

Move the workers to AWS Outposts to keep compute close to the data.

Why: Option A is correct because Spot Instances can be interrupted with a two-minute warning, and since the rendering job writes checkpoints to S3 every few minutes and can resume from the latest checkpoint, it is fault-tolerant to interruptions. This allows the team to leverage the significantly lower cost of Spot Instances (up to 90% off On-Demand) while maintaining job completion, achieving the lowest compute cost for variable queue depths.

Frequently asked questions

How many questions are on the SAA-C03 exam?

The SAA-C03 exam has 65 questions and must be completed in 130 minutes. The passing score is 720/1000.

What types of questions appear on the SAA-C03 exam?

Architecture scenario questions on AWS service selection, resilience, cost optimisation, security, and networking trade-offs.

How are SAA-C03 questions organised by domain?

The exam covers 4 domains: Design Secure Architectures, Design Resilient Architectures, Design High-Performing Architectures, Design Cost-Optimized Architectures. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SAA-C03 exam questions?

No. These are original exam-style practice questions written against the official Amazon Web Services SAA-C03 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
