
Scenario-based practice

Refer to the Exhibit Practice Questions

Work through original exam-style SAA-C03 scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and the common exam traps.

15 scenario questions
Exam code: SAA-C03
Vendor: Amazon Web Services

Scenario guide

How to approach refer-to-the-exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice scenarios

Question 1 (hard, multiple choice)

Based on the exhibit, which change best reduces latency during peak traffic without overprovisioning the fleet?

Exhibit

ALB and ASG snapshot (15-minute peak):
- RequestCountPerTarget: 1,920
- TargetResponseTime p95: 2.9 seconds
- HTTPCode_Target_5XX_Count: 0
EC2 application metrics from CloudWatch agent:
- CPUUtilization: 33%
- MemoryUtilization: 46%
- NetworkIn/Out: steady
Application logs:
[WARN] worker queue depth reached 5,000
[INFO] rejecting requests after thread pool saturation
Current Auto Scaling policy:
- Target tracking on CPUUtilization = 55%
Question 2 (hard, multiple choice)

Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?

Exhibit

{
  "current_state": {
    "approved_boundary": "arn:aws:iam::111122223333:policy/ApprovedAppBoundary",
    "developer_role_policy": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
    "incident": "A new role was created without a permissions boundary and attached an overly permissive policy"
  },
  "desired_state": "All future roles must be created with ApprovedAppBoundary"
}
Question 3 (hard, multiple choice)

Based on the exhibit, a media rendering job runs on a single EC2 instance and writes a large working set of metadata to block storage. The workload performs sustained random reads and writes and must keep latency consistently low for the entire run. The instance may be stopped and started between jobs, and the data must persist. Which storage choice best meets the requirements?

Exhibit

fio benchmark from the current volume:
- 4 KiB random read IOPS target: 22,000
- 4 KiB random write IOPS target: 18,000
- 99th percentile latency target: < 2 ms
- Current volume: gp3, 12,000 provisioned IOPS
- Observed latency during peak: 3.8-5.4 ms
- Data must remain attached to one EC2 instance and persist after stop/start
Question 4 (easy, multiple choice)

Based on the exhibit, which EBS volume type should the team use to meet the performance need at lower cost than overprovisioning capacity?

Exhibit

Database storage review:
- Current volume type: gp2
- Peak Read/Write IOPS observed: 9,700
- VolumeQueueLength increases during busy periods
- ReadLatency reaches 8-12 ms
- Requirement: provision about 10,000 IOPS without buying much extra capacity
Question 5 (hard, multiple choice)

Based on the exhibit, an application runs in private subnets without a NAT gateway and must retrieve a secret from AWS Secrets Manager. Security requires the traffic to stay on the AWS network and not traverse the public internet. What is the best solution?

Exhibit

{
  "subnet_route_table": [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "-"}
  ],
  "dns_test": {
    "command": "nslookup secretsmanager.us-east-1.amazonaws.com",
    "result": "Name: secretsmanager.us-east-1.amazonaws.com\nAddress: 54.239.28.82"
  },
  "application_log": [
    "2026-04-18T12:10:04Z INFO calling https://secretsmanager.us-east-1.amazonaws.com",
    "2026-04-18T12:10:04Z ERROR GetSecretValue timed out after 3000 ms"
  ]
}
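The exhibit above shows a resolution-versus-routing mismatch: the service name resolves to a public address while the subnet has no usable default route. The script below is an added example written for this page (not part of the Courseiva material and not AWS code) that encodes the check a practitioner runs before and after adding an interface VPC endpoint: longest-prefix-match the resolved address against the route table and report where the packets would go. The route table and the 54.239.28.82 answer are copied from the exhibit; the 10.0.12.45 answer, the NAT-gateway variant of the table and the reading of "-" as "no usable target" are assumptions made for the example.

```python
"""Route-table check for the Question 5 exhibit (added example, not AWS code).
Given an address that DNS returned and the subnet's route table, find the
longest-prefix-match route and say where packets would go. The "-" target is
read as "no usable target" (an assumption about the exhibit's notation)."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # the local route in the exhibit
ROUTE_TABLE = [            # copied from the exhibit
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "-"},
]
PUBLIC_ANSWER = "54.239.28.82"  # nslookup result in the exhibit
# Constructed: an address inside the VPC CIDR, the kind of answer expected once an
# interface endpoint with private DNS exists for the same service name.
PRIVATE_ANSWER = "10.0.12.45"
# Constructed: the same table with a NAT gateway default route, for comparison.
ROUTE_TABLE_WITH_NAT = [ROUTE_TABLE[0],
                        {"destination": "0.0.0.0/0", "target": "nat-0123456789abcdef0"}]


def best_route(ip, routes):
    """Longest-prefix match; returns the route dict, or None when nothing matches."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r["destination"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)


def classify(ip, routes):
    """'stays-in-vpc', 'leaves-vpc-via:<target>' or 'no-route'."""
    route = best_route(ip, routes)
    if route is None or route["target"] == "-":
        return "no-route"
    if route["target"] == "local":
        return "stays-in-vpc"
    return "leaves-vpc-via:" + route["target"]


def diagnose(resolved_ip, routes, vpc_cidr=VPC_CIDR):
    """Tie the DNS answer to the route table. The exhibit's timeout is explained when
    a public answer has no route; a private answer inside the VPC CIDR stays on AWS."""
    in_vpc = ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(vpc_cidr)
    verdict = classify(resolved_ip, routes)
    if in_vpc and verdict == "stays-in-vpc":
        return "private-endpoint-path"
    if verdict == "no-route":
        return "public-answer-unreachable"
    return "public-answer-via-internet-path"
```

With an interface endpoint for Secrets Manager and private DNS enabled, the same nslookup returns addresses inside the VPC CIDR and diagnose() reports private-endpoint-path. Private DNS requires enableDnsSupport and enableDnsHostnames on the VPC, and the endpoint's security group must allow TCP 443 from the application subnets; neither is visible in the exhibit, so check both when the lookup still returns a public address.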
Question 6 (medium, multiple choice)

Based on the exhibit, the business needs Regional disaster recovery with an RTO of 45 minutes and an RPO of 15 minutes. The solution should keep cost lower than running two fully active production environments. Which DR strategy is the best fit?

Exhibit

Business requirements:
  RTO: 45 minutes
  RPO: 15 minutes
  Budget: lower than a fully duplicated production stack

Current state:
  One production Region hosts the live application
  Daily backups are stored in a separate Region
  The application tier can be recreated from automation scripts
Question 7 (hard, multiple choice)

Based on the exhibit, a company wants EC2 instances in private subnets to access Amazon S3 without using a NAT gateway, and bucket access must be allowed only when requests come through the approved VPC endpoint. Which design is the most appropriate?

Exhibit

Route table for private subnet:
Destination        Target
10.0.0.0/16        local
pl-68a54001        vpce-s3-gateway

S3 bucket policy draft:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
      }
    }
  ]
}

Application log:
GET s3://app-data/config.json failed before endpoint change
GET s3://app-data/config.json succeeded after endpoint change
Question 8 (hard, multiple choice)

Based on the exhibit, an application repeatedly reads the same DynamoDB items with extremely low latency requirements. The business can tolerate data that is a few seconds stale. Which architecture change best improves read performance?

Exhibit

DynamoDB access pattern report:
- TableName: SessionState
- Read pattern: GetItem on the same 500 keys during active sessions
- Read frequency: 1.2 million reads/minute during peak periods
- Cacheability: yes, stale data up to 5 seconds is acceptable

CloudWatch metrics:
- ConsumedReadCapacityUnits: 92% of provisioned limit
- SuccessfulRequestLatency p95: 7.5 ms
- ThrottledRequests: intermittent during peaks

Application note:
- Writes are comparatively rare and do not need multi-Region replication.
Question 9 (medium, multiple choice)

Based on the exhibit, the company wants DNS traffic to fail over automatically from the primary Region to a secondary Region when the primary endpoint is unhealthy. Which Route 53 change is best?

Exhibit

Route 53 record set
  Name: app.example.com
  Type: A (Alias)
  Routing policy: Simple
  Alias target: alb-primary-123.us-east-1.elb.amazonaws.com
  TTL: 60 seconds
Health check
  ID: hc-44
  Status: Inactive
Secondary environment
  ALB target exists in us-west-2: alb-secondary-456.us-west-2.elb.amazonaws.com
Operational note
  A Region outage should shift users to the secondary ALB without manual DNS changes.
Question 10 (hard, multiple choice)

Based on the exhibit, a media company serves versioned JavaScript and CSS files from an Amazon S3 origin through CloudFront. After a frontend release, the cache hit ratio dropped sharply even though the file names are versioned. The application team says the browser requests include the same Authorization header on every asset request because the frontend and API share one domain. What should the solutions architect do to improve CloudFront cache hit ratio without changing the application authentication model for the API?

Exhibit

CloudFront access log sample:
2026-04-18T09:12:41Z LAX1 1234 Miss GET d111111abcdef8.cloudfront.net /app/v42/main.8f3d2.js 200 - Mozilla/5.0 Authorization=Bearer eyJhbGciOi...
2026-04-18T09:12:42Z LAX1 1235 Miss GET d111111abcdef8.cloudfront.net /app/v42/vendor.9c1a0.css 200 - Mozilla/5.0 Authorization=Bearer eyJhbGciOi...

Distribution behavior summary:
- Origin: S3 bucket
- Cache policy: legacy default
- Origin request policy: forwards all headers, cookies, and query strings
- Objects are immutable after release and have content-hash file names
Question 11 (easy, multiple choice)

Based on the exhibit, the database must continue serving if the current Availability Zone fails. What should you change?

Exhibit

Amazon RDS for PostgreSQL
DB instance identifier: orders-db
Multi-AZ: false
Automated backups: enabled
Availability Zone: us-east-1b
Publicly accessible: no
Question 12 (hard, multiple choice)

Based on the exhibit, a central deployment role in Account A is assumed by several CI/CD pipelines from Account B. The role must remain reusable, but the team wants the TeamA pipeline to upload artifacts only to s3://artifact-bucket/teamA/prod/ without creating a separate IAM role. What is the best approach?

Exhibit

{
  "assume_role_command": "aws sts assume-role --role-arn arn:aws:iam::111122223333:role/CentralDeployRole --role-session-name teamA-ci",
  "role_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::artifact-bucket/*"
      }
    ]
  }
}
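The Question 2, 7 and 12 exhibits all turn on how IAM combines policies: a negated condition that still matches when the key is absent from the request, an explicit Deny that beats every Allow, and a second policy that can only narrow, never widen, what a role session may do. The toy evaluator below is an added example written for this page (not Courseiva's code, not AWS's, and not an answer key). It reproduces those three rules for the bucket policy and role policy copied from the exhibits and for constructed companions that are assumptions of the example: a developer identity policy, an SCP with a FullAWSAccess statement plus two boundary Denies, an instance-role policy, a TeamA session policy, the role ARN NewAppRole, the endpoint ID vpce-0ffffffffffffffff and the object keys. It does not match principals.

```python
"""Toy IAM evaluator for the exhibits in Questions 2, 7 and 12 (added example, not
AWS code). Models Allow/Deny, action and resource wildcards, StringEquals and
StringNotEquals, explicit-Deny-wins, and the intersection of policy sets.
Principals are not matched; the Deny used here names Principal "*" anyway."""
import fnmatch

APPROVED_BOUNDARY = "arn:aws:iam::111122223333:policy/ApprovedAppBoundary"  # Q2 exhibit
APPROVED_VPCE = "vpce-0a1b2c3d4e5f6a7b8"                                    # Q7 exhibit

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Q2, constructed: a developer with broad IAM rights, and an SCP that keeps
# FullAWSAccess but denies creating a role or changing its boundary unless the
# approved boundary is supplied, and denies removing the boundary afterwards.
DEVELOPER_POLICY = _policy({"Effect": "Allow", "Action": "iam:*", "Resource": "*"})
BOUNDARY_SCP = _policy(
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyRoleWithoutApprovedBoundary", "Effect": "Deny",
     "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"], "Resource": "*",
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": APPROVED_BOUNDARY}}},
    {"Sid": "DenyRemovingBoundary", "Effect": "Deny",
     "Action": "iam:DeleteRolePermissionsBoundary", "Resource": "*"})

# Q7: the bucket policy draft from the exhibit, plus a constructed instance-role
# policy that grants the read in the first place.
INSTANCE_ROLE_POLICY = _policy(
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"})
BUCKET_POLICY = _policy(
    {"Sid": "DenyRequestsNotFromEndpoint", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": APPROVED_VPCE}}})

# Q12: the shared role's policy from the exhibit, and a constructed session policy
# the TeamA pipeline could pass with `aws sts assume-role --policy`.
ROLE_POLICY = _policy(
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::artifact-bucket/*"})
TEAMA_SESSION_POLICY = _policy(
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::artifact-bucket/teamA/prod/*"})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(operator, key, expected, context):
    actual = context.get(key)  # None when the request never carried the key
    if operator == "StringEquals":
        return actual in _as_list(expected)      # missing key -> False
    if operator == "StringNotEquals":
        return actual not in _as_list(expected)  # missing key -> True, so a Deny still bites
    raise ValueError(f"operator {operator} not modelled")

def _applies(stmt, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, expected, context)
               for op, pairs in stmt.get("Condition", {}).items() for key, expected in pairs.items())

def evaluate(action, resource, context, *policy_sets):
    """Explicit Deny anywhere wins; otherwise every set needs a matching Allow. Policies
    inside one set are unioned (identity + resource policy of one principal); separate
    sets are intersected (an SCP, a session policy or a permissions boundary)."""
    decision = "Allow"
    for policy_set in policy_sets:
        allowed = False
        for stmt in (s for policy in policy_set for s in policy["Statement"]):
            if _applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
        if not allowed:
            decision = "ImplicitDeny"
    return decision

def question2_cases():
    role, sets = "arn:aws:iam::111122223333:role/NewAppRole", ([DEVELOPER_POLICY], [BOUNDARY_SCP])
    other = {"iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/SomethingElse"}
    return {
        "create_without_boundary": evaluate("iam:CreateRole", role, {}, *sets),
        "create_with_other_boundary": evaluate("iam:CreateRole", role, other, *sets),
        "create_with_approved_boundary": evaluate(
            "iam:CreateRole", role, {"iam:PermissionsBoundary": APPROVED_BOUNDARY}, *sets),
        "strip_boundary_later": evaluate("iam:DeleteRolePermissionsBoundary", role, {}, *sets),
    }

def question7_cases():
    obj, sets = "arn:aws:s3:::app-data/config.json", ([INSTANCE_ROLE_POLICY, BUCKET_POLICY],)
    return {
        "via_approved_endpoint": evaluate("s3:GetObject", obj, {"aws:SourceVpce": APPROVED_VPCE}, *sets),
        "via_other_endpoint": evaluate("s3:GetObject", obj, {"aws:SourceVpce": "vpce-0ffffffffffffffff"}, *sets),
        # No aws:SourceVpce in the context (NAT path, laptop, console): StringNotEquals matches.
        "no_endpoint_key": evaluate("s3:GetObject", obj, {}, *sets),
    }

def question12_cases():
    key, narrowed = "arn:aws:s3:::artifact-bucket/", ([ROLE_POLICY], [TEAMA_SESSION_POLICY])
    return {
        "teamA_prod_with_session_policy": evaluate("s3:PutObject", key + "teamA/prod/app.zip", {}, *narrowed),
        "teamB_path_with_session_policy": evaluate("s3:PutObject", key + "teamB/prod/app.zip", {}, *narrowed),
        # Without the session policy the shared role can still write to any prefix.
        "teamB_path_role_only": evaluate("s3:PutObject", key + "teamB/prod/app.zip", {}, [ROLE_POLICY]),
    }
```

Two caveats the cases surface. The Question 7 Deny names Principal "*" and fires whenever aws:SourceVpce is absent, so it also blocks administrators and tooling that reach the bucket from outside the endpoint; production policies usually carve out a break-glass principal. A session policy is supplied by the caller at AssumeRole time, so it narrows the TeamA session but does nothing to a pipeline that omits it. SCPs, for Question 2, apply to member accounts and never to the management account.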
Question 13 (hard, multiple choice)

Based on the exhibit, users must access private PDF reports only through CloudFront. Direct requests to the S3 object URL must fail, and the bucket should not be publicly readable. Which solution is the best fit?

Exhibit

Current S3 bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::reports-private/*"
    }
  ]
}

CloudFront distribution:
- Origin: s3://reports-private
- Viewer protocol policy: Redirect HTTP to HTTPS
- No origin access identity or origin access control configured

Security requirement:
- Clients must use CloudFront signed URLs or signed cookies
- S3 object URLs must not be directly accessible
Question 14 (easy, multiple choice)

Based on the exhibit, which Amazon EFS performance mode is the best fit for this workload?

Exhibit

EFS usage summary:
- 25 EC2 workers mounted to one file system
- Mostly small metadata reads and writes
- Each request needs very low file system latency
- No requirement for massive concurrent throughput across thousands of clients
Question 15 (hard, multiple choice)

Based on the exhibit, a batch-processing service runs on Amazon EC2. The workload is Linux-based, can run on ARM64, and is CPU-bound during its nightly processing window. The team wants the best throughput per dollar without changing the application logic. Which EC2 instance family should the solutions architect recommend?

Exhibit

Benchmark summary from current fleet:
- Current instances: c6i.2xlarge
- Average CPU during processing: 88%-96%
- Disk and network utilization remain below 30%
- Application runtime on test ARM build: 11% faster than x86 build
- Engineering note: binaries are already compatible with ARM64
- Business goal: lower cost while keeping or improving throughput

These SAA-C03 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SAA-C03 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.