AWS Solutions Architect Associate Exam Pack 2026/2027 – Complete Exam-Style Questions | 100% Verified | Detailed Rationales – Pass Guaranteed – A+ Graded
The questions align with the four SAA-C03 domains and their weightings:
• Domain 1: Design Secure Architectures (30%)
• Domain 2: Design Resilient Architectures (26%)
• Domain 3: Design High-Performing Architectures (24%)
• Domain 4: Design Cost-Optimized Architectures (20%)
Domain 1: Design Secure Architectures (Questions 1–30)
1. A company needs to grant temporary access to an S3 bucket for an external
auditor. The access should expire automatically after 48 hours. What is the
most secure way to provide this access?
A) Create a new IAM user with a complex password
B) Generate a presigned URL with a 48-hour expiration
C) Make the S3 bucket public temporarily
D) Share the AWS root account credentials
Rationale: Presigned URLs grant time-limited access to S3 objects without
managing additional IAM users. They are the most secure for temporary, delegated
access scenarios.
2. A company is using AWS Organizations with multiple accounts. The
security team wants to enforce that no S3 bucket can be made public across
all accounts. Which mechanism should be used?
A) IAM policies applied to each account's users
B) Service Control Policy (SCP) at the root OU
C) S3 bucket policies in each account
D) AWS Shield Advanced
Rationale: SCPs provide centralized control over the maximum permissions
available across all accounts in an organization. An SCP can explicitly
deny the s3:PutBucketPublicAccessBlock action.
3. An application stores sensitive data in an S3 bucket. Compliance requires
that data be encrypted at rest with customer-managed keys that can be
rotated and revoked. Which solution meets this requirement?
A) S3 server-side encryption with S3-managed keys (SSE-S3)
B) S3 server-side encryption with AWS KMS customer-managed keys (SSE-KMS)
C) Client-side encryption before upload
D) S3 default encryption with AES-256
Rationale: SSE-KMS allows use of customer-managed keys (CMK) in KMS,
providing centralized control, key rotation, and revocation capabilities for
compliance requirements.
4. A solutions architect is designing a VPC with both public and private
subnets. Web servers must be accessible from the internet, but database
servers must have no direct internet access. How should security be
configured?
A) Place web servers in private subnets, databases in public subnets
B) Place web servers in public subnets with public IPs, databases in private
subnets with NAT gateway for outbound
C) Place all servers in public subnets and use security groups
D) Place all servers in private subnets and use a VPN connection
Rationale: Public subnets route to an internet gateway for inbound traffic; private
subnets do not. Databases in private subnets gain outbound internet access via a
NAT gateway while remaining inaccessible from the internet.
5. A company must securely connect its on-premises data center to AWS for
ongoing hybrid workloads. The connection must be private, high-bandwidth,
and consistent. Which service should be used?
A) Site-to-Site VPN
B) AWS Direct Connect
C) Client VPN
D) VPC peering
Rationale: Direct Connect provides a dedicated, private, high-bandwidth
connection from on-premises to AWS, bypassing the public internet for consistent
performance.
6. An application needs to store database credentials and API keys securely.
Which AWS service is designed for this purpose?
A) IAM policies
B) AWS Secrets Manager
C) Parameter Store (SecureString)
D) AWS KMS
Rationale: Secrets Manager is purpose-built for rotating and managing secrets
like database credentials and API keys throughout their lifecycle.
7. A security group is associated with an EC2 instance. Which statement
about security groups is true?
A) Security groups are stateful and evaluate all rules
B) Security groups are stateful; return traffic is automatically allowed
regardless of outbound rules
C) Security groups are stateless and require explicit outbound rules
D) Security groups operate at the subnet level
Rationale: Security groups are stateful: if inbound traffic is allowed, return
outbound traffic is automatically allowed regardless of outbound rules.
8. A company needs to detect unauthorized attempts to access EC2 instances
and S3 buckets, including unusual API calls. Which AWS service should be
used?
A) AWS Shield
B) Amazon GuardDuty
C) AWS WAF
D) AWS Config
Rationale: GuardDuty is a threat detection service that continuously monitors for
malicious activity and unauthorized behavior across AWS accounts and
workloads.
9. A web application needs to protect against common web exploits like SQL
injection and cross-site scripting (XSS). Which service should be deployed?
A) Network ACLs
B) Security groups
C) AWS WAF
D) AWS Shield Advanced
Rationale: AWS WAF is a web application firewall that filters and monitors
HTTP/HTTPS requests to protect against common web exploits like SQL injection
and XSS.
10. An application running on EC2 needs to access an S3 bucket without using
internet-routable IP addresses. How should this be configured?
A) Place EC2 in a public subnet
B) Create a gateway VPC endpoint for S3
C) Use a NAT gateway
D) Assign a public IP to the EC2 instance
Rationale: Gateway VPC endpoints provide private connectivity from a VPC to S3
without traversing the internet, using private IP addresses only.