Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 1.0 · 30% of exam

Design Secure Architectures

SAA-C03 Practice Questions

Use this page to practise secure architecture questions. The most common mistake is confusing the responsibility boundary — know which security controls AWS manages and which are your responsibility.


What this objective tests

SAA-C03 Design Secure Architectures — Key Topics

Secure architecture questions test IAM policies, VPC security controls, encryption at rest and in transit, and the right AWS security service for a given threat.

  • IAM policies: identity-based, resource-based, permission boundaries.
  • VPC security: security groups vs NACLs, route tables, VPC endpoints.
  • Encryption: KMS, SSE-S3, SSE-KMS, client-side encryption.
  • AWS security services: GuardDuty, Inspector, Macie, Shield, WAF.

Common exam traps

Where candidates lose marks on Design Secure Architectures

  • ⚠ Security groups are stateful; NACLs are stateless.
  • ⚠ KMS manages keys; it does not encrypt data directly.
  • ⚠ GuardDuty detects threats; Inspector assesses vulnerabilities; Macie finds sensitive data.
  • ⚠ A VPC endpoint keeps traffic off the public internet; it does not encrypt traffic.

SAA-C03 Design Secure Architectures — Practice Questions

30 questions from this objective · 30% of your SAA-C03 exam

Question 2 · easy · multiple choice

A Lambda function needs to read the current value of exactly one AWS Secrets Manager secret at startup. Which least-privilege IAM permission (action and resource scope) should you grant to the Lambda execution role?

Question 3 · easy · multiple choice

A security team requires that every object uploaded to s3://secure-bucket/uploads/ must be encrypted using SSE-KMS with a specific customer-managed KMS key. Which S3 bucket policy condition approach best enforces this requirement for PutObject requests?

Question 4 · medium · multiple choice

An application in Account B (IAM role arn:aws:iam::account-b:role/app-read) reads objects from an S3 bucket in Account A. The bucket uses SSE-KMS with a customer-managed KMS key in Account A. Object reads consistently fail with an error that includes "AccessDenied" and "kms:Decrypt".

The IAM permissions in Account B for kms:Decrypt are correct, but the requests still fail.

Which change will most directly fix the failure?

Question 5 · medium · multiple choice

A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/. The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/".

The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys.

Which IAM policy change best enforces least privilege for both ListBucket and GetObject?

Question 6 · hard · multi select

A platform team lets project administrators create IAM roles for workloads in their own AWS accounts, but every role must stay inside a fixed security baseline. The organization also wants to block all member accounts from using AWS Regions outside us-east-1 and us-west-2. Which three controls should be used? Select three.

Question 7 · easy · multiple choice

A company serves private images stored in S3 through Amazon CloudFront. Only authenticated users should be able to access each image, and access should expire after 1 hour. Which CloudFront feature best meets this requirement?

Question 8 · hard · multi select

A batch job runs on EC2 instances in isolated private subnets with no NAT Gateway. The job uses STS AssumeRole to access an operations account and then retrieves a secret from AWS Secrets Manager. After a network hardening change, both calls fail. Which two interface VPC endpoints should be created? Select two.

Question 9 · medium · multiple choice

A backend service uses an IAM role to read files from an S3 bucket. It must only read objects under s3://prod-reporting/incoming/ but currently receives AccessDenied (403) on GetObject for that prefix.

The role already has this statement:

  • Action: s3:ListBucket
  • Resource: arn:aws:s3:::prod-reporting

Which policy statement would most directly follow least privilege to allow only the required reads under the incoming prefix?

Question 10 · hard · multi select

A third-party payroll vendor in another AWS account must assume a role in your account to write a daily settlement file to Amazon S3. You want to prevent confused-deputy attacks and make every assumed session traceable in CloudTrail back to an individual vendor user. Which three trust-policy or session controls should be used? Select three.

Question 11 · medium · multiple choice

A SaaS vendor will access your AWS resources by assuming an IAM role in your account. You want to prevent confused-deputy attacks and ensure the vendor can only assume the role using an agreed external identifier.

Your role trust policy currently allows sts:AssumeRole from the vendor’s principal, but it does not include any external ID protection. Which change is the best next step?

Question 12 · medium · multiple choice

You use Amazon CloudFront in front of a private content S3 origin. To mitigate an OWASP Top 10 issue, you created a WAF web ACL and associated it to the CloudFront distribution, but attacks are still reaching the origin.

CloudWatch logs show the web ACL rules never match for the CloudFront requests.

What is the most likely configuration mistake?

Question 13 · hard · multi select

A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Question 14 · easy · multiple choice

A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?

Question 15 · easy · multiple choice

You want to protect an Application Load Balancer (ALB) from common web exploits using AWS WAF. The application is not using CloudFront. Which AWS WAF deployment scope should you choose so the WAF rules apply to the ALB?

Question 16 · easy · multiple choice

You use a customer managed AWS KMS key (CMK) to encrypt objects in an S3 bucket using SSE-KMS. A specific IAM role must be able to decrypt objects. Where should you grant kms:Decrypt permissions so that the role can decrypt data encrypted with that CMK?

Question 17 · medium · multiple choice

A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written.

They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review.

Which CloudTrail configuration change most directly provides the missing object-level visibility?

Question 18 · easy · multiple choice

You manage multiple AWS accounts under AWS Organizations. A compliance requirement states: no account is allowed to create new IAM access keys for IAM users. Local administrators may attempt to override permissions. Which mechanism should you use to enforce this guardrail across all accounts?

Question 19 · easy · multiple choice

A CI pipeline needs to upload build artifacts only to s3://ci-artifacts/uploads/*. You also want the pipeline to list only objects under uploads/ to verify that the upload succeeded. Which IAM policy approach is the best fit for least privilege?

Question 20 · hard · multi select

Security responders suspect exfiltration from an Amazon S3 bucket that stores sensitive reports encrypted with a customer managed KMS key. They need to identify which IAM principal downloaded each object and whether any principals called KMS Decrypt on the key during the same time window. Which two detective controls should be enabled? Select two.

Question 21 · medium · multiple choice

Your company requires that all requests to an S3 bucket use HTTPS and that all objects uploaded to the bucket are encrypted at rest. You manage the S3 bucket policy and want enforcement that does not rely on application code compliance.

Which bucket policy change best enforces both requirements?

Question 22 · hard · multi select

A reporting application in Account B must read files from an S3 bucket in Account A. The bucket contains objects encrypted with a customer managed KMS key in Account A. The application role in Account B already has an identity policy allowing s3:GetObject on the bucket prefix, but requests still fail with AccessDenied. Which two changes are required for the application to read the objects? Select two.

Question 23 · easy · multiple choice

Your company allows application teams to create IAM roles. Each team must be prevented from granting permissions beyond a defined per-role baseline, even if they attach overly permissive identity-based policies to the role. Which AWS feature best enforces this ceiling at the IAM role level?

Question 24 · hard · multi select

A public web application sits behind Amazon CloudFront with an Application Load Balancer as the origin. The security team wants all edge traffic inspected by AWS WAF and also wants to prevent anyone on the internet from reaching the ALB directly. Which two changes should be made? Select two.

Question 25 · easy · multiple choice

Account A hosts an IAM role that Account B developers must assume for a limited task. You want to require MFA for anyone assuming the role. Which trust policy condition most directly enforces that requirement for sts:AssumeRole?

Question 26 · easy · multiple choice

Your organization hosts an internet-facing application behind an Amazon CloudFront distribution. You want to mitigate common web exploits (for example, SQL injection and XSS) at the edge. Which action is the most appropriate way to do this using AWS services?

Question 27 · easy · multiple choice

A web application behind an Application Load Balancer (ALB) currently allows client connections over HTTP (port 80). The security policy requires all client traffic to use HTTPS. What is the best ALB change to enforce this requirement?

Question 28 · easy · multiple choice

You have an EC2 instance in private subnets with no NAT Gateway. The instance must access an Amazon S3 bucket (for example, to read configuration files) without sending traffic to the public internet. What VPC endpoint type should you use for S3?

Question 29 · hard · multi select

A marketing portal serves private PDF files stored in Amazon S3 through CloudFront. Users authenticate to the portal first, and each download link must expire after one hour. The S3 origin must never be directly reachable from the internet. Which three actions should be used? Select three.

Question 30 · medium · multiple choice

A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager.

Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?

Question 31 · medium · multiple choice

Your team hosts a private web app on an S3 bucket and serves it through CloudFront using a modern Origin Access Control (OAC). After deployment, users receive HTTP 403 from CloudFront with the S3 origin error "AccessDenied".

Which S3 bucket policy change best aligns with CloudFront OAC so the distribution can fetch objects privately?

More Design Secure Architectures questions available in the full practice test.


All SAA-C03 Objectives

  • 1. Design Secure Architectures (30%)
  • 2. Design Resilient Architectures (26%)
  • 3. Design High-Performing Architectures (24%)
  • 4. Design Cost-Optimized Architectures (20%)