Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSAA-C03TopicsDesign Secure Architectures
Free · No Signup RequiredAmazon Web Services · SAA-C03

SAA-C03 Design Secure Architectures Practice Questions

20+ practice questions focused on Design Secure Architectures — one of the most tested topics on the SAA-C03 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start Design Secure Architectures Practice

Exam Domains

Design Secure ArchitecturesDesign Resilient ArchitecturesDesign High-Performing ArchitecturesDesign Cost-Optimized ArchitecturesAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample Design Secure Architectures Questions

Practice all 20+ →
1.

A Lambda function needs to read the current value of exactly one AWS Secrets Manager secret at startup. Which least-privilege IAM permission (action and resource scope) should you grant to the Lambda execution role?

A.secretsmanager:ListSecrets on all secrets (resource set to "*")
B.secretsmanager:GetSecretValue on only the secret’s full ARN
C.secretsmanager:UpdateSecret on the specific secret ARN
D.secretsmanager:DescribeSecret on all secrets (resource set to "*")

Explanation: The Lambda function needs to read the current value of exactly one secret at startup. The least-privilege permission is `secretsmanager:GetSecretValue` scoped to that secret's full ARN. This action retrieves the secret value, and restricting the resource to the specific ARN ensures the function cannot access any other secrets.

2.

A security team requires that every object uploaded to s3://secure-bucket/uploads/ must be encrypted using SSE-KMS with a specific customer-managed KMS key. Which S3 bucket policy condition approach best enforces this requirement for PutObject requests?

A.Deny PutObject unless s3:x-amz-server-side-encryption equals "aws:kms" and s3:x-amz-server-side-encryption-aws-kms-key-id equals the required CMK ARN
B.Allow PutObject only when aws:SecureTransport is true; encryption is then guaranteed automatically
C.Deny PutObject if the request includes Content-Type other than "application/octet-stream"
D.Deny PutObject when the caller’s role is not allowed to kms:Decrypt in their IAM policy

Explanation: Option A is correct because it uses a Deny effect with the s3:x-amz-server-side-encryption condition key set to 'aws:kms' and the s3:x-amz-server-side-encryption-aws-kms-key-id condition key set to the specific customer-managed KMS key ARN. This ensures that any PutObject request that does not include both the required encryption header and the exact KMS key identifier is denied, enforcing the encryption requirement at the bucket policy level.

3.

An application in Account B (IAM role arn:aws:iam::account-b:role/app-read) reads objects from an S3 bucket in Account A. The bucket uses SSE-KMS with a customer-managed KMS key in Account A. Object reads consistently fail with an error that includes "AccessDenied" and "kms:Decrypt". The IAM permissions in Account B for kms:Decrypt are correct, but the requests still fail. Which change will most directly fix the failure?

A.Add kms:Decrypt to the KMS key policy in Account A for the Account B role arn:aws:iam::account-b:role/app-read, and remove kms:Decrypt from the role policy in Account B.
B.Update the IAM role in Account B to use the s3:GetObject permission only, and rely on S3 to authorize KMS decrypt automatically.
C.Modify the KMS key policy in Account A to allow kms:Decrypt for the Account B role arn:aws:iam::account-b:role/app-read, using the appropriate cross-account conditions (for example, allowing the use via S3 and the expected encryption context for the bucket).
D.Switch the S3 bucket encryption from SSE-KMS to SSE-S3, keeping all existing IAM and KMS configuration unchanged.

Explanation: Option C is correct because when using SSE-KMS with a customer-managed KMS key in a cross-account scenario, the KMS key policy must explicitly grant the external IAM role (arn:aws:iam::account-b:role/app-read) permission to perform kms:Decrypt. Even if the IAM role in Account B has the correct kms:Decrypt permission, the KMS key policy in Account A acts as a resource-based policy that must also allow the cross-account principal. Without this, the KMS service denies the decrypt request, resulting in the 'AccessDenied' error.

4.

A server assumes an IAM role and must read export objects only from this prefix in an S3 bucket: s3://customer-data/exports/acme/ . The application also needs to list the objects under that exact prefix so it can discover which export folders exist. The application performs ListBucket requests with Prefix set to exactly "exports/acme/". The current role policy allows s3:ListBucket on the bucket ARN without a prefix condition, and security reports the role can list other tenants’ export object keys. Which IAM policy change best enforces least privilege for both ListBucket and GetObject?

A.Keep s3:ListBucket allowed on arn:aws:s3:::customer-data, but restrict s3:GetObject to arn:aws:s3:::customer-data/exports/acme/*.
B.Allow s3:ListBucket on arn:aws:s3:::customer-data only when s3:prefix equals "exports/acme/" (for example, using a StringEquals condition on s3:prefix). Also allow s3:GetObject only on arn:aws:s3:::customer-data/exports/acme/*.
C.Allow s3:ListBucket only on arn:aws:s3:::customer-data/exports/acme/* and allow s3:GetObject on arn:aws:s3:::customer-data/*.
D.Add a Deny statement for s3:GetObject outside arn:aws:s3:::customer-data/exports/acme/*, but keep s3:ListBucket unrestricted on arn:aws:s3:::customer-data.

Explanation: Option B is correct because it uses an s3:prefix condition with StringEquals on the ListBucket action to restrict listing to exactly 'exports/acme/', preventing the role from enumerating other tenants' objects. It also restricts GetObject to the same prefix using a resource ARN of arn:aws:s3:::customer-data/exports/acme/*, ensuring least privilege for both read operations. This combination enforces the principle of least privilege by scoping both actions to the specific tenant prefix.

5.

A platform team lets project administrators create IAM roles for workloads in their own AWS accounts, but every role must stay inside a fixed security baseline. The organization also wants to block all member accounts from using AWS Regions outside us-east-1 and us-west-2. Which three controls should be used? Select three.

A.Attach a permissions boundary to each role created through the delegation process.
B.Require iam:PermissionsBoundary in the role creation policy so every new role must include the approved boundary.
C.Use an SCP to deny actions in all AWS Regions except us-east-1 and us-west-2.
D.Grant AdministratorAccess to the project administrators and rely on later audits for enforcement.

Explanation: Option A is correct because attaching a permissions boundary to each role created through delegation ensures that even if a project administrator grants excessive permissions, the effective permissions are limited by the boundary. This enforces the fixed security baseline without preventing administrators from creating roles within those constraints.

+15 more Design Secure Architectures questions available

Practice all Design Secure Architectures questions

How to master Design Secure Architectures for SAA-C03

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Design Secure Architectures. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Design Secure Architectures questions on the SAA-C03 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SAA-C03 Design Secure Architectures questions are on the real exam?

The exact number varies per candidate. Design Secure Architectures is tested as part of the SAA-C03 blueprint. Practicing with targeted Design Secure Architectures questions ensures you can handle any format or difficulty that appears.

Are these SAA-C03 Design Secure Architectures practice questions free?

Yes. Courseiva provides free SAA-C03 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Design Secure Architectures one of the harder SAA-C03 topics?

Difficulty is subjective, but Design Secure Architectures is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full Design Secure Architectures practice session with instant scoring and detailed explanations.

Start Design Secure Architectures Practice →

Topic Info

Topic

Design Secure Architectures

Exam

SAA-C03

Questions available

20+