Solutions Architect Associate (SAA-C03) Practice Exam 2025/2026: Latest 200 Questions & Verified Answers | Instant PDF Download
1. A company uses AWS Organizations to manage multiple accounts. The security team requires that every user in the organization be able to access an S3 bucket in the management account. How can you grant access ONLY to principals within the organization?
A) Add a Principal element listing all the IAM roles in the
organization.
B) Add the aws:PrincipalOrgID condition key with the
Organization ID to the bucket policy.
C) Add the aws:PrincipalArn condition key with a StringLike to
the root of the organization.
D) Enable S3 Block Public Access on the bucket.
Answer: B
Rationale: The aws:PrincipalOrgID global condition key matches any principal (IAM user, role, or account) whose account belongs to the specified AWS Organization. Placed in the bucket policy's Condition block, it keeps working as accounts join or leave the organization, so it has the least operational overhead. Listing every role ARN (A) has to be maintained by hand and breaks as soon as a role is added. aws:PrincipalArn (C) carries the ARN of the calling IAM principal, not of an organization root, so a StringLike against the root matches nothing. S3 Block Public Access (D) only blocks public grants; it does not grant anything. As a practical note, S3 treats a policy that restricts Principal "*" with aws:PrincipalOrgID as non-public, so Block Public Access can stay enabled alongside it.
2. A Solutions Architect needs to grant an EC2 instance
permissions to write logs to a specific S3 bucket and read
secrets from Secrets Manager. What is the MOST secure way
to do this?
A) Store AWS credentials directly in the application code.
B) Create a single IAM user with permissions for both services
and place the credentials in a file on the EC2 instance.
C) Create an IAM Role with least privilege policies for S3 and
Secrets Manager, and attach it to the EC2 Instance Profile.
D) Create an IAM Group and add the EC2 instance to the group.
Answer: C
Rationale: IAM roles are the best practice for granting permissions to AWS services. An instance profile lets the EC2 instance assume the role: short-lived credentials are served through the instance metadata service, picked up automatically by the SDK's default credential chain, and rotated by AWS without any code or file changes. Never hard-code keys (A) or ship long-term IAM user keys to the instance (B); an IAM group (D) can only contain IAM users, not instances. Require IMDSv2 on the instance so that the role credentials cannot be fetched with a single unauthenticated GET by an SSRF bug in the application.
3. A company is designing a Zero Trust architecture. Which
IAM feature enforces that users must re-authenticate to access
sensitive operations?
A) Permissions Boundaries
B) Service Control Policies (SCPs)
C) IAM Roles
D) IAM Policy Conditions (aws:MultiFactorAuthPresent)
Answer: D
Rationale: Zero Trust principles require continuous verification. Conditioning a policy on aws:MultiFactorAuthPresent makes specific actions available only to sessions that authenticated with MFA, which implements step-up authentication for sensitive operations. Permissions boundaries (A) and SCPs (B) cap what a principal may do but know nothing about how the caller authenticated, and a role (C) is a principal, not a control. Caveat: the key is absent, not "false", for requests signed with long-term access keys, so a Deny statement should use BoolIfExists rather than Bool, or an Allow should require Bool "true"; a Deny with plain Bool "false" silently lets long-term keys through.
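Questions 1 to 3 all turn on how IAM evaluates a policy document: wildcard matching on Action and Resource, default deny, an explicit Deny overriding any Allow, and condition operators on request-context keys. The block below is an added example for this page, not exam material and not an AWS SDK. It models just that slice of IAM semantics so the three policies from the questions above can be exercised against sample requests, including the Bool versus BoolIfExists pitfall from question 3. The organization ID, account ID, bucket and secret names are made up, and the bucket policy's Principal is assumed to be "*" and is not evaluated.

```python
"""Toy IAM policy evaluator for the conditions used in questions 1 to 3.

Added example for this page; it is not exam material and not an AWS SDK.
It models only: wildcard matching on Action and Resource, default deny,
an explicit Deny beating any Allow, and the StringEquals / Bool /
BoolIfExists operators applied to aws:PrincipalOrgID and
aws:MultiFactorAuthPresent. The bucket policy's Principal is assumed to
be "*" and is not evaluated. Every ARN, ID and name below is made up.
"""
import copy
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    # IAM matches Action case-insensitively and Resource case-sensitively;
    # both use "*" and "?" wildcards, which fnmatchcase also understands.
    patterns = _as_list(patterns)
    if not case_sensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(operator, expected, actual):
    if actual is None:
        # A key missing from the request context fails every operator
        # except the ...IfExists variants, which treat absence as a match.
        return operator.endswith("IfExists")
    if operator.startswith("StringEquals"):
        return actual in _as_list(expected)
    if operator.startswith("Bool"):
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"operator not modelled: {operator}")


def _statement_applies(stmt, action, resource, ctx):
    if not _matches(stmt["Action"], action, case_sensitive=False):
        return False
    if not _matches(stmt["Resource"], resource, case_sensitive=True):
        return False
    # Every condition block, and every key inside it, must hold.
    for operator, tests in stmt.get("Condition", {}).items():
        for key, expected in tests.items():
            if not _condition_holds(operator, expected, ctx.get(key)):
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return "Allow" or "Deny" for one request against all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny always wins
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# Q1: bucket policy that admits any principal from one organization.
ORG_ID = "o-a1b2c3d4e5"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowOrgPrincipalsOnly", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::shared-reports", "arn:aws:s3:::shared-reports/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]}

# Q2: least-privilege permissions policy for the EC2 instance role.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-AbCdEf"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-*"}]}

# Q3: step-up control. Operators hold broad Secrets Manager rights, but the
# destructive action is denied unless the session authenticated with MFA.
OPERATOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
MFA_STEP_UP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDeleteWithoutMFA", "Effect": "Deny",
    "Action": "secretsmanager:DeleteSecret", "Resource": "*",
    # BoolIfExists also denies when the key is absent, as it is for
    # requests signed with long-term access keys.
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
# The same statement with plain Bool: a common mistake that leaves a hole
# for long-term keys, kept here so the difference can be demonstrated.
MFA_STEP_UP_WEAK = copy.deepcopy(MFA_STEP_UP)
MFA_STEP_UP_WEAK["Statement"][0]["Condition"] = {
    "Bool": {"aws:MultiFactorAuthPresent": "false"}}
```

Calling evaluate with an empty context, which is what a request signed with long-term access keys looks like for the MFA key, returns "Deny" for DeleteSecret under MFA_STEP_UP but "Allow" under MFA_STEP_UP_WEAK; that gap is the reason the rationale above recommends BoolIfExists in Deny statements. Against real AWS, check the same cases with the IAM policy simulator rather than a toy evaluator like this one.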
4. A developer accidentally uploaded a file containing
"Access Key Id" and "Secret Access Key" to a public GitHub
repository. What is the immediate remediation action?
A) Wait for the automatic key rotation.
B) Delete the IAM User.
C) Deactivate or delete the compromised access key via the IAM
console.
D) Change the password of the AWS root user.
Answer: C
Rationale: The immediate step is to deactivate or delete the compromised access key so that it can no longer sign API calls; then issue a new key and rotate it into the application. Access keys are not rotated automatically (A), deleting the whole IAM user (B) also cuts off its legitimate work, and the root password (D) is unrelated to the leaked key. Removing the file from the repository is not a remediation: secrets pushed to public repositories are harvested within minutes, so treat the key as compromised, review CloudTrail for calls made with it during the exposure window, and only then clean the repository history.
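The cheapest fix for this scenario is to stop the commit before it reaches the repository. The block below is an added example, not part of the exam material: a pre-commit style scan that flags AWS access key IDs and labelled 40-character secrets in a file. The sample content is constructed and uses the well-known placeholder credentials from the AWS documentation, so nothing real is embedded. The regular expressions and the label heuristic are this example's own choices, not an AWS-published format specification beyond the AKIA/ASIA prefix convention.

```python
"""Pre-commit style scan for leaked AWS credentials.

Added example for this page, not exam material. Flags lines that contain
an access key ID or a labelled 40-character secret so the file is caught
before it reaches a repository. SAMPLE is constructed and uses the
placeholder credentials from the AWS documentation.
"""
import re

# Long-term key IDs start with AKIA and temporary ones with ASIA; both
# are followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret on its own is just 40 base64 characters, so it is only flagged
# when it sits next to a label that names it, to keep false positives down.
SECRET_KEY = re.compile(
    r"(?i)(aws)?_?secret_?(access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})"
    r"(?![A-Za-z0-9/+=])")


def _redact(value):
    # Keep only the ends so a report can be shared without reprinting the secret.
    return value[:4] + "..." + value[-4:]


def scan(text):
    """Return (line_no, kind, redacted_match) for every credential found."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((no, "access_key_id", _redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((no, "secret_access_key", _redact(m.group(3))))
    return findings


# Constructed config fragment; these are the AWS documentation placeholders.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
output = json
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for line_no, kind, redacted in scan(SAMPLE):
        print(f"line {line_no}: {kind} {redacted}")
```

Wire scan into a pre-commit hook over the staged files and fail the commit on any finding. If a key has already been pushed, the answer above still applies first: deactivate it (for example with aws iam update-access-key --status Inactive), rotate, and review CloudTrail before cleaning the repository history.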