
Scenario-based practice

Troubleshooting Scenario Questions

Practise SAA-C03 questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

Scenario questions: 15
Exam code: SAA-C03
Vendor: Amazon Web Services

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?

Question 2 (easy, multiple choice)

A security team needs an audit trail to investigate suspicious API activity across multiple AWS accounts. Which AWS approach best provides centralized visibility into who did what, when, for service API calls?

Question 3 (easy, multiple choice)

A service role has an IAM policy granting kms:Decrypt for a specific AWS KMS key. The application still fails to decrypt with an AccessDenied error. What change most directly fixes this when the KMS key policy is missing the role’s permissions?

Question 4 (medium, multiple choice)

Developers for an e-learning platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best? The design must avoid adding custom operational scripts.

Question 5 (medium, multiple choice)

Developers for an image sharing application need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 6 (medium, multiple choice)

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

Question 7 (hard, multiple choice)

Based on the exhibit, the company wants to lower CloudWatch and EC2 monitoring costs. Auditors require logs to be retained for 90 days, but operations only uses detailed per-instance metrics during rare troubleshooting events. Which change best reduces recurring cost while preserving the required visibility?

Exhibit

CloudWatch billing snapshot:
  Logs ingestion: moderate
  Logs storage: high
  Custom metrics: low
  Detailed monitoring charges: high
EC2 fleet:
  200 instances across 4 Auto Scaling groups
  Detailed monitoring enabled on every instance
CloudWatch Logs groups:
  /app/prod/web: retention = Never Expire
  /app/prod/api: retention = Never Expire
  /app/prod/batch: retention = 365 days
Compliance note:
  Keep logs available for at least 90 days
  No requirement for 1-minute EC2 metrics on all instances

Question 8 (medium, multiple choice)

Developers for a B2B file exchange site need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 9 (medium, multiple choice)

Developers for a customer analytics portal need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

Question 10 (medium, multiple choice)

A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written.

They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review.

Which CloudTrail configuration change most directly provides the missing object-level visibility?

Question 11 (medium, multiple choice)

A team runs an EC2-based service and ships logs to Amazon CloudWatch Logs. They enabled long log retention and turned on detailed monitoring to improve troubleshooting. Their monthly CloudWatch costs have grown unexpectedly. Compliance requires that the logs remain available in CloudWatch Logs (for querying and audits) for 90 days, and alerts/alarms do not require detailed EC2 monitoring. What change best reduces cost while meeting requirements?

Question 12 (easy, multiple choice)

A team stores application logs in Amazon S3. They need access to the logs only occasionally for troubleshooting (infrequent access), and they want to reduce storage cost automatically over time without manually moving objects. What should they implement?

Question 13 (medium, multiple choice)

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

Question 14 (medium, multiple choice)

Developers for a financial reporting platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best? The design must avoid adding custom operational scripts.

Question 15 (medium, multiple choice)

Developers for an e-learning platform need temporary elevated access to production resources for troubleshooting. The security team wants approvals, expiry, and audit logging. Which approach is best?

These SAA-C03 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SAA-C03 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.