SAA-C03 · topic practice

Cloudfront practice questions

Practise SAA-C03 Cloudfront practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Cloudfront

What the exam tests

What to know about Cloudfront

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Cloudfront exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaS → PaaS → SaaS).

Practice set

Cloudfront questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multi select

A static site is hosted in Amazon S3 and delivered by CloudFront. After a frontend release, the same JavaScript bundles are fetched repeatedly from the origin. Logs show that requests include unneeded query strings and cookies, which prevent cache reuse. Which two changes should the team make to reduce origin traffic and cost? Select two.

Question 2 · medium · multiple choice

A static website uses an Amazon S3 bucket as the origin for an Amazon CloudFront distribution. The team accidentally configured the S3 bucket policy to allow s3:GetObject to Principal "*", so objects are accessible via direct S3 URLs. They want to ensure objects are retrievable only through CloudFront. What is the best corrective action?

Question 3 · medium · multi select

A single EC2 instance hosts a low-latency database cache that writes a large random working set to block storage. The application needs sustained high IOPS and low latency, and the storage must remain attached to the instance while it runs. Which two design choices best meet the requirement? Select two.

Question 4 · easy · multiple choice

You want to protect an Application Load Balancer (ALB) from common web exploits using AWS WAF. The application is not using CloudFront. Which AWS WAF deployment scope should you choose so the WAF rules apply to the ALB?

Question 5 · easy · multiple choice

A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?

A telemetry pipeline uses an Application Load Balancer in one Region. Global users need lower network latency to the application without caching dynamic responses. What should be considered?

Question 7 · easy · multiple choice

An inventory service exposes a static website from S3 and CloudFront. Users should still receive cached pages if the S3 origin has a short outage. Which feature helps most? The architecture review board prefers a managed AWS-native control.

Question 8 · medium · multiple choice

A site serves static assets (JS/CSS) through CloudFront from an S3 origin. After a recent frontend change, CloudFront shows a cache hit ratio below 20%. In CloudFront access logs, requests to the same asset URL path differ by a query parameter named rnd (a random value appended by the app on every request). The origin content is identical regardless of rnd. What is the best CloudFront configuration change to restore effective caching?

Question 9 · easy · multiple choice

An inventory service exposes a static website from S3 and CloudFront. Users should still receive cached pages if the S3 origin has a short outage. Which feature helps most? The team wants the control to be enforceable during normal operations.

Question 10 · medium · multiple choice

A caching layer uses Amazon ElastiCache for Redis in front of a stateless web service. The service must continue to read cached responses during maintenance events and should automatically fail over to another node if one AZ becomes impaired. Which design change best satisfies this requirement?

Question 11 · easy · multiple choice

A company hosts static images, CSS, and JavaScript files in an Amazon S3 bucket. Users around the world report slow page loads, and the origin receives many repeated requests for the same files. What should the team use to improve performance?

Question 12 · easy · multiple choice

A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?

Question 13 · easy · multiple choice

A company serves private images stored in S3 through Amazon CloudFront. Only authenticated users should be able to access each image, and access should expire after 1 hour. Which CloudFront feature best meets this requirement?

Question 14 · medium · multiple choice

A company uses Amazon RDS with automated backups enabled (retention period: 7 days). At 10:30 UTC, a bad release corrupts specific rows in a production table. The team detects the issue at 11:10 UTC. They need to revert the database state to what it was from 10:00–10:30 UTC, recover quickly, and minimize risk to the currently running workload. What is the best option?

Question 15 · medium · multiple choice

A company stores private customer documents in an S3 bucket. They want only CloudFront to be able to read objects from the bucket (no direct S3 URL access), even if the bucket name and object key are known. Which configuration best meets this requirement?

Question 16 · medium · multiple choice

A DynamoDB table uses this schema: partition key = customerId, sort key = timestamp. During a marketing campaign, one customer generates extremely high read traffic and the application sees ProvisionedThroughputExceeded errors even though the table’s total capacity is sufficient. What change most directly improves read distribution across partitions?

Question 17 · easy · multiple choice

A company serves public JavaScript and CSS files from S3 using CloudFront. After a frontend change, customers report a low CloudFront cache hit ratio. Requests now include an Authorization header, but these assets do not require authentication. The CloudFront distribution is configured such that Authorization is included in the cache key. Which change best maximizes cache reuse?

Question 18 · easy · multiple choice

A content publishing system exposes a static website from S3 and CloudFront. Users should still receive cached pages if the S3 origin has a short outage. Which feature helps most? The architecture review board prefers a managed AWS-native control.

A latency-sensitive telemetry service uses a custom TCP protocol on EC2 instances in private subnets. The service must preserve the client source IP for rate limiting, avoid HTTP header inspection, and keep per-request overhead as low as possible. Which changes should the team make? Select three.

Question 20 · medium · multiple choice

A company serves versioned images from S3 through CloudFront. After a release, CloudFront origin fetches increased sharply and the monthly CloudFront bill went up. They reviewed CloudFront logs and found that many requests include a query string parameter `reqId` that is unique per request (for example, `...?v=2026-04-01&reqId=...`). The team currently forwards all query strings to the cache key. What change is most likely to reduce origin fetches and cost while keeping the versioned images correct?

Frequently asked questions

What does the SAA-C03 exam test about Cloudfront?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Cloudfront questions in a focused session?
Yes — the session launcher on this page draws every question from the Cloudfront domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other SAA-C03 topics?
Use the topic links above to move to related areas, or go back to the SAA-C03 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.