Scenario-based practice

Hard Difficulty Questions

Practise original exam-style SAA-C03 scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: SAA-C03 | Vendor: Amazon Web Services

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A warehouse integration service must use shared file storage across Linux EC2 instances in multiple Availability Zones. The storage must remain available during an AZ failure. Which service should be used? The architecture review board prefers a managed AWS-native control.

Question 2 (hard, multiple choice)

A SaaS vendor’s automation account in Account B needs to assume a role in a customer account in Account A to read a specific S3 bucket and publish a deployment status file. The customer is worried about confused deputy attacks because multiple customers use the same vendor software. Which trust-policy design best meets the requirement?

Question 3 (hard, multi select)

A serverless checkout API uses AWS Lambda behind API Gateway. Every weekday at 09:00 UTC, marketing triggers a predictable surge. The first few minutes after each surge show cold-start latency, but traffic volume is forecastable and the business wants stable p95 latency. Which two changes should the team implement? Select two.

Question 4 (hard, multiple choice)

A warehouse integration service must process every event at least once, but duplicate processing is acceptable if the consumer handles idempotency. Which eventing approach is most suitable? The architecture review board prefers a managed AWS-native control.

Question 5 (hard, multi select)

A studio keeps 4 PB of completed video projects in Amazon S3. Editors work on active projects for about 60 days, auditors occasionally review the same objects for several months, and legal policy requires retention for 7 years. Retrieval of very old files can take hours. Which three actions should the architect recommend? Select three.

Question 6 (hard, multiple choice)

Based on the exhibit, which change best reduces latency during peak traffic without overprovisioning the fleet?

Exhibit

ALB and ASG snapshot (15-minute peak):
- RequestCountPerTarget: 1,920
- TargetResponseTime p95: 2.9 seconds
- HTTPCode_Target_5XX_Count: 0
EC2 application metrics from CloudWatch agent:
- CPUUtilization: 33%
- MemoryUtilization: 46%
- NetworkIn/Out: steady
Application logs:
[WARN] worker queue depth reached 5,000
[INFO] rejecting requests after thread pool saturation
Current Auto Scaling policy:
- Target tracking on CPUUtilization = 55%

Question 7 (hard, multi select)

A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Question 8 (hard, multi select)

A regional web application for a content publishing system must fail over automatically to a secondary Region if the primary endpoint becomes unhealthy. Which two services or features are required?

Question 9 (hard, multi select)

A claims workflow requires point-in-time recovery and accidental-delete protection for a DynamoDB table. Which two settings should the architect enable? The design must avoid adding custom operational scripts.

Question 10 (hard, multiple choice)

A claims portal must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

Question 11 (hard, multiple choice)

Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?

Exhibit

{
  "current_state": {
    "approved_boundary": "arn:aws:iam::111122223333:policy/ApprovedAppBoundary",
    "developer_role_policy": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
    "incident": "A new role was created without a permissions boundary and attached an overly permissive policy"
  },
  "desired_state": "All future roles must be created with ApprovedAppBoundary"
}

Question 12 (hard, multiple choice)

A DynamoDB table for a travel booking site has a partition key based only on the current date. Write throttling occurs during business hours. What is the best design change? The architecture review board prefers a managed AWS-native control.

Question 13 (hard, multi select)

A distributed analytics engine runs 12 EC2 instances in one Availability Zone. The nodes exchange thousands of tiny messages per second and must keep jitter as low as possible. The current design launches the instances across multiple placement groups and uses general-purpose burstable instances. Which two changes will most directly lower east-west network latency and variability? Select two.

Question 14 (hard, multi select)

A customer portal uses Amazon Aurora MySQL. The application currently sends all SELECT queries to the writer instance endpoint. During traffic spikes, read latency increases, and the team wants the cluster to survive a writer failover without manual endpoint changes for the application. Which changes should the team make? Select three.

Question 15 (hard, multiple choice)

A claims portal uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend?

Question 16 (hard, multiple choice)

A DynamoDB table for a retail API has a partition key based only on the current date. Write throttling occurs during business hours. What is the best design change?

Question 17 (hard, multiple choice)

Based on the exhibit, a media rendering job runs on a single EC2 instance and writes a large working set of metadata to block storage. The workload performs sustained random reads and writes and must keep latency consistently low for the entire run. The instance may be stopped and started between jobs, and the data must persist. Which storage choice best meets the requirements?

Exhibit

fio benchmark from the current volume:
- 4 KiB random read IOPS target: 22,000
- 4 KiB random write IOPS target: 18,000
- 99th percentile latency target: < 2 ms
- Current volume: gp3, 12,000 provisioned IOPS
- Observed latency during peak: 3.8-5.4 ms
- Data must remain attached to one EC2 instance and persist after stop/start

Question 18 (hard, multi select)

A latency-sensitive telemetry service uses a custom TCP protocol on EC2 instances in private subnets. The service must preserve the client source IP for rate limiting, avoid HTTP header inspection, and keep per-request overhead as low as possible. Which changes should the team make? Select three.

Question 19 (hard, multi select)

A nightly video rendering pipeline runs on Linux EC2 instances and is compatible with ARM64. The jobs are CPU-bound, checkpoint frequently, and can resume if interrupted. The business wants the best throughput per dollar for the batch window. Which two changes should the team make? Select two.

Question 20 (hard, multi select)

A product catalog system uses a relational database for orders and a simple key-value profile store for shopping carts. Traffic is unpredictable, and the company wants to avoid paying for large idle database instances. Which two choices are best? Select two.

These SAA-C03 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SAA-C03 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.