A media company serves versioned JavaScript and CSS from an S3 origin through CloudFront. After a release, the cache hit ratio drops because the SPA sends an Authorization header and several tracking query strings on every request, even though the assets are public and identical for all users. Which changes would most improve cache efficiency without changing the content returned? Select three.
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Create a CloudFront cache policy that excludes the Authorization header from the cache key when the assets do not require per-user authorization.
Correct because an unnecessary Authorization header fragments the cache into many unique variants. If the files are truly public and identical, CloudFront should not vary the cache key on that header.
Best answer
Use versioned object names for each release and apply long cache TTLs so viewers reuse the same objects until the content changes.
Correct because versioned filenames let you cache aggressively without risking stale content. Long TTLs improve reuse, and a new versioned key naturally forces a fresh fetch when the build changes.
Best answer
Use a cache policy that forwards only required query strings and ignores the tracking parameters that do not affect object content.
Correct because query strings become part of the cache key when forwarded. Removing irrelevant parameters keeps more requests mapped to the same cached object and increases hit ratio.
Distractor review
Place the S3 origin behind an Application Load Balancer so CloudFront can reuse more cached responses.
Incorrect because an ALB does not inherently improve CloudFront cache efficiency for static S3 assets. It adds unnecessary complexity and does not remove the cache-busting headers or query strings.
Distractor review
Enable S3 Transfer Acceleration to increase the cache hit ratio for repeated browser requests.
Incorrect because Transfer Acceleration helps upload and download paths to S3, not CloudFront cache-key behavior. It does not solve header or query-string fragmentation at the edge.
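The effect the three correct options describe can be replayed offline. This is an added example, not part of the original question bank: a simplified model of a cache key (path plus whichever query strings and headers the policy includes), not CloudFront's own implementation. The policy names, asset paths, tracking parameter names and tokens are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Two cache-key policies modelled on the scenario (names are illustrative).
FRAGMENTED = {"headers": {"authorization"}, "query_strings": "all"}
TIGHT = {"headers": set(), "query_strings": set()}  # versioned path is the whole key


def cache_key(url, headers, policy):
    """Build a key from the path plus only the query strings and headers
    that the policy includes."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if policy["query_strings"] != "all":
        params = [(k, v) for k, v in params if k in policy["query_strings"]]
    hdrs = {k.lower(): v for k, v in headers.items()}
    kept = [(h, hdrs[h]) for h in sorted(policy["headers"]) if h in hdrs]
    return (parts.path, tuple(params), tuple(kept))


def hit_ratio(requests, policy):
    """Replay requests through an empty cache and return hits / total."""
    seen, hits = set(), 0
    for url, headers in requests:
        key = cache_key(url, headers, policy)
        if key in seen:
            hits += 1
        else:
            seen.add(key)
    return hits / len(requests)


def sample_requests():
    """Constructed traffic: 4 users x 2 versioned assets, each request with a
    per-user bearer token and a unique tracking parameter."""
    assets = ["/static/app.3f9a1c.js", "/static/app.3f9a1c.css"]
    reqs = []
    for user in range(4):
        for n, path in enumerate(assets):
            url = f"{path}?utm_source=mail&session_id={user}-{n}"
            reqs.append((url, {"Authorization": f"Bearer token-{user}"}))
    return reqs


if __name__ == "__main__":
    reqs = sample_requests()
    print("fragmented policy hit ratio:", hit_ratio(reqs, FRAGMENTED))
    print("tight policy hit ratio:     ", hit_ratio(reqs, TIGHT))
```

Dropping the Authorization header from the key is only safe under the condition the question states: the objects are public and identical for every user.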
Common exam trap
Common exam trap: authentication is not authorization
Logging in proves the user can authenticate. It does not automatically mean the user is allowed to enter privileged or configuration mode. Watch for AAA authorization, privilege level and command authorization details.
Technical deep dive
How to think about this question
This kind of question is testing the difference between identity and permission. A user may successfully log in to a router because authentication is working, but still fail to enter configuration mode because authorization is missing, misconfigured or mapped to a lower privilege level.
Key Concepts to Remember
- Authentication checks who the user is.
- Authorization controls what the user is allowed to do after login.
- Privilege levels affect access to EXEC and configuration commands.
- AAA, TACACS+ and RADIUS can separate login success from command access.
Exam Day Tips
- Do not assume successful login means full administrative access.
- Look for words such as cannot enter configuration mode, privilege level, authorization or command access.
- Separate login problems from permission problems before choosing the answer.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?
Question 2
A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?
Question 3
A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.
Question 4
A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
Question 5
A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?
Question 6
A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
FAQ
Questions learners often ask
What does this SAA-C03 question test?
Authentication checks who the user is.
What is the correct answer to this question?
The correct answer is: Create a CloudFront cache policy that excludes the Authorization header from the cache key when the assets do not require per-user authorization. — The best fixes are to reduce cache-key variation at the edge and make the static asset names cache-friendly. Excluding the Authorization header and irrelevant query strings prevents CloudFront from treating identical files as different objects. Versioned filenames allow long TTLs while still supporting rapid releases. Together, these changes raise cache hit ratio and reduce origin fetches without altering what viewers receive. An ALB is not a caching feature for S3-origin static content, and Transfer Acceleration targets S3 transfer performance rather than edge caching. Neither option addresses the real issue: the request metadata is causing CloudFront to store too many object variants.
What should I do if I get this SAA-C03 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.