(SAA-C04) Practice Exam 2026
Questions and answers with rationales (2026 update)
Exam Guide: SAA-C04
Total Questions: 80
Time Allowed (Suggested): 120 Minutes
Passing Score:
Domains Covered:
1. Design Secure Architectures (30%)
2. Design Resilient Architectures (26%)
3. Design High-Performing Architectures (24%)
4. Design Cost-Optimized Architectures (20%)
Domain 1: Design Secure Architectures
1. A company wants to ensure that an EC2 instance can access a specific S3
bucket without exposing credentials in the application code or passing traffic
over the public internet.
Which combination of steps should a Solutions Architect take to meet these
requirements?
A) Create an IAM user with access keys, embed them in the application, and use a
NAT Gateway.
B) Create an IAM Role, attach an S3 FullAccess policy, and launch the EC2
instance with that Role.
C) Create an IAM Role, attach a policy allowing S3 access, launch the instance
with the Role, and create a Gateway VPC Endpoint for S3.
D) Store credentials in AWS Secrets Manager and enable S3 Transfer Acceleration.
Correct Answer: C
Rationale: Attaching an IAM Role to the instance is the best practice for granting
permissions to AWS services: the instance obtains short-lived credentials from the
instance metadata service, so nothing is hard-coded or rotated by hand. To keep the
traffic off the public internet you must also create a Gateway VPC Endpoint for S3
and add its route to the subnet's route table; S3 calls then resolve to the
endpoint instead of leaving through an internet or NAT gateway. Option B avoids
hard-coded keys but grants S3 FullAccess to every bucket in the account rather
than the one bucket required, and it provides no private network path.
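The bucket side of Option C, written out as an added example (not part of the original exam text): the policy grants the instance role only the two actions it needs on one bucket, and a second statement refuses that same role whenever a request does not arrive through the gateway endpoint, so the instance's credentials are useless if they are ever exfiltrated and replayed from outside the VPC. The account ID, role name, bucket name and endpoint ID are hypothetical placeholders; the role is assumed to carry an identity policy with the same two actions, and the gateway endpoint is assumed to be associated with the instance subnet's route table.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppRoleOnlyTheActionsItNeeds",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/app-s3-reader" },
      "Action": [ "s3:ListBucket", "s3:GetObject" ],
      "Resource": [
        "arn:aws:s3:::example-app-data",
        "arn:aws:s3:::example-app-data/*"
      ]
    },
    {
      "Sid": "DenyAppRoleUnlessRequestCameThroughGatewayEndpoint",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/app-s3-reader" },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-app-data",
        "arn:aws:s3:::example-app-data/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-0123456789abcdef0" }
      }
    }
  ]
}
```

The Deny is scoped to the application role on purpose: a Deny with "Principal": "*" and the same condition would also lock administrators out of the bucket from the console, which has no aws:SourceVpce in its request context. Two checks worth running after deploying it: a GetObject from the instance must succeed, and the same call made with the role's credentials from a laptop outside the VPC must fail with AccessDenied. Note that if the role is deleted and recreated, the principal in this policy no longer matches it and the policy must be re-saved.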
2. A Solutions Architect needs to grant hundreds of temporary, revocable
permissions to users federating into AWS from a corporate Active Directory.
What is the most secure and operationally efficient way to manage this?
A) Create individual IAM users for every corporate employee.
B) Use IAM Roles with a trust policy that specifies the corporate Identity
Provider (IdP). Map Active Directory groups to those roles through the Role
attribute in the SAML assertion.
C) Create a single IAM user shared by all corporate employees and rotate the
password daily.
D) Disable IAM and rely solely on S3 bucket policies.
Correct Answer: B
Rationale: Federating Active Directory with AWS IAM (for example through AD FS,
or through IAM Identity Center) lets users assume IAM Roles with SAML 2.0. AWS STS
issues temporary credentials that expire with the role session, and a role's
active sessions can be revoked at any time, so access is revocable without ever
creating IAM users. Access is role-based: the IdP's claim rules translate AD group
membership into the roles named in the assertion, which keeps each user at the
least privilege their group needs. (IAM Groups cannot hold federated identities;
the mapping is done by the IdP, not by group membership in IAM.) Option C, a shared
user, destroys accountability entirely.
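The trust policy that makes Option B work, added here as an illustration rather than text from the original exam: the role trusts only the SAML provider registered in the account and only for sts:AssumeRoleWithSAML, and the audience condition rejects assertions that were minted for some other relying party. The account ID and provider name are hypothetical placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustOnlyTheCorporateSamlIdp",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/CorpADFS"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The IdP's claim rules emit an attribute named https://aws.amazon.com/SAML/Attributes/Role whose value is a comma-separated pair of role ARN and provider ARN; a user whose AD groups map to several pairs picks one at sign-in. Because the role, not the user, carries the permissions policy, revoking a group membership in AD removes the AWS access on the next sign-in, and the role's session duration bounds how long an already-issued credential keeps working.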
3. A company requires that all data stored in Amazon S3 be automatically
encrypted server-side upon upload, using a key managed by AWS Key
Management Service (KMS) every time.
How can this be enforced organization-wide?
A) Enable default encryption on each bucket individually.
B) Use an S3 Bucket Policy with a Deny effect for PutObject requests that do not
include the s3:x-amz-server-side-encryption header with aws:kms.
C) Instruct all users to encrypt files manually before uploading.
D) Enable S3 Block Public Access.
Correct Answer: B
Rationale: Default encryption (Option A) is a per-bucket setting that encrypts
objects uploaded without an encryption header; it does not reject a request that
explicitly asks for a different method (for example SSE-S3 via AES256), and since
January 2023 every new S3 object is SSE-S3 encrypted anyway, so "unencrypted"
here really means "not encrypted with KMS". The only way to enforce SSE-KMS is a
Bucket Policy that denies s3:PutObject unless the request carries the
s3:x-amz-server-side-encryption header with the value aws:kms. Such a policy is
still per bucket; to cover an organization, apply it to every bucket (for example
through the CloudFormation template that creates the bucket, with an AWS Config
rule flagging buckets that lack it).
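The enforcement policy from Option B, spelled out as an added example that is not part of the original exam: the first statement rejects uploads that omit the encryption header altogether, the second rejects any value other than aws:kms, and the third goes one step beyond the question by pinning uploads to one approved key. The bucket name, account ID, region and key ID are hypothetical placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsWithoutAnEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-app-data/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    },
    {
      "Sid": "DenyUploadsNotUsingSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-app-data/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsNotUsingTheApprovedKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-app-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
        }
      }
    }
  ]
}
```

The policy is evaluated against the request headers before default encryption is applied, so a bucket with SSE-KMS default encryption still rejects a client that sends no header; every client must ask for aws:kms explicitly. The third statement also requires the client to name the key (the full key ARN, not the alias); omit it if you prefer to rely on the bucket's default KMS key. Verify with two uploads: one with --server-side-encryption aws:kms and the key ID succeeds, and one with --server-side-encryption AES256 (or no flag) fails with AccessDenied.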
4. An application running on EC2 needs to retrieve database credentials to
connect to an RDS instance.
Which AWS service should be used to securely store and automatically rotate these
credentials?
A) Systems Manager Parameter Store (Standard tier)
B) IAM Role
C) AWS Secrets Manager
D) CloudWatch Logs
Correct Answer: C
Rationale: AWS Secrets Manager is designed to store secrets such as database
credentials and to rotate them automatically on a schedule through a Lambda
rotation function (AWS supplies templates for RDS MySQL and the other RDS engines).
Parameter Store (Option A) can hold an encrypted SecureString, but it has no
built-in rotation, so the credential would have to be rotated by custom code. An
IAM Role (Option B) is how the instance is authorized to call Secrets Manager at
runtime; it is not where the credential lives.
5. A company wants to block malicious traffic before it reaches their web
application running on EC2. They need to filter based on IP addresses,
countries, and SQL injection patterns.
Which AWS service provides these features?
A) Network ACLs
B) Security Groups
C) AWS WAF
D) VPC Flow Logs
Correct Answer: C
Rationale: AWS WAF (Web Application Firewall) operates at Layer 7 in front of an
ALB, CloudFront or API Gateway and filters HTTP/S requests with rules (IP sets,
geo-match, SQL injection and XSS match statements, and managed rule groups).
Security Groups (B, stateful) and NACLs (A, stateless) filter at Layers 3 and 4
by address, protocol and port; NACLs can block IP ranges, but neither can match
countries or inspect a request body for SQLi. VPC Flow Logs (D) record traffic
metadata for analysis and block nothing.
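An added example of the three filters from the question expressed as AWS WAF rules (illustrative, not text from the original exam): the rule list below is the "rules" input to a regional web ACL that would be associated with the ALB. The IP set ARN, account ID, region and country codes are hypothetical placeholders; the IP set is assumed to already contain the addresses to block.

```json
[
  {
    "Name": "BlockKnownBadIPs",
    "Priority": 0,
    "Statement": {
      "IPSetReferenceStatement": {
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/bad-ips/11111111-2222-3333-4444-555555555555"
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BlockKnownBadIPs"
    }
  },
  {
    "Name": "BlockUnwantedCountries",
    "Priority": 1,
    "Statement": {
      "GeoMatchStatement": { "CountryCodes": [ "RU", "CN" ] }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BlockUnwantedCountries"
    }
  },
  {
    "Name": "AWSManagedSQLiRules",
    "Priority": 2,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesSQLiRuleSet"
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWSManagedSQLiRules"
    }
  }
]
```

Two details trip people up: a rule that references a rule group uses OverrideAction rather than Action, and a web ACL for an ALB must be created with scope REGIONAL in the ALB's region (CLOUDFRONT scope exists only in us-east-1). Rules are evaluated in priority order, so the cheap IP and geo checks run before the SQLi rule group. Geo-match keys on the client IP, so it is only as good as the IP geolocation data; treat it as a coarse filter, not a security boundary.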
Domain 2: Design Resilient Architectures
6. A Solutions Architect is designing a fault-tolerant application spanning
three Availability Zones (AZs) in a single Region. The application uses a fleet
of EC2 instances.
What is the minimum number of instances required to ensure zero downtime if one
entire AZ fails?
A) 1
B) 2
C) 3
D) 6
Correct Answer: C
Rationale: With one instance in each of the three AZs, the loss of any AZ still
leaves two running instances, so the minimum is 3. That only delivers zero
downtime if the remaining two instances can absorb the full peak load, which is
why capacity is normally planned N+1: each AZ carries enough spare capacity that
the loss of one AZ does not overload the others. Option D (6, two per AZ) is more
resilient but is not the minimum; Option B (2) cannot place an instance in all
three AZs.
7. A company runs a MySQL database on a single EC2 instance. They need
high availability with automatic failover.
What is the most operationally efficient solution?
A) Configure a cluster of EC2 instances with a shared EBS volume.
B) Take hourly EBS snapshots and automate recovery with CloudFormation.
C) Migrate to Amazon RDS for MySQL with Multi-AZ deployment.
D) Use Amazon Route 53 health checks to route traffic to a standby instance.
Correct Answer: C
Rationale: RDS Multi-AZ creates a primary DB instance and synchronously replicates
data to a standby instance in a different AZ. If the primary fails, Amazon RDS
fails over to the standby automatically by repointing the DB endpoint's DNS name,
so the application keeps the same endpoint and only needs to reconnect. This is a
fully managed solution; Options A, B and D all leave failure detection, promotion
or data consistency to custom scripting.
8. A web application uses an Application Load Balancer (ALB) in front of an
Auto Scaling group of EC2 instances. There are no existing lifecycle hooks.
What happens when a scale-in event occurs (terminating an instance)?
A) The instance is terminated immediately, and ELB removes it from the target
group.
B) The instance receives a SIGTERM signal; if still running after a timeout, it is
force-stopped.
C) The instance is deregistered, the load balancer waits for connections to drain
(deregistration delay), then the instance is terminated.
D) The instance goes into Standby state.
Correct Answer: C
Rationale: When an Auto Scaling group terminates an instance behind an ALB,