AWS Solutions Architect Associate Exam Pack 2026/2027 – Complete Exam-Style Questions | 100% Verified | Detailed Rationales – Pass Guaranteed – A+ Graded
Domain 1: Design Secure Architectures (Questions 1–30)
1. A company needs to grant temporary, limited-privilege access to an S3 bucket for an external auditor. The access must expire after 72 hours. What is the MOST secure way to provide this access?
A) Create an IAM user with a password and delete it after 72 hours
B) Generate a presigned URL with a 72-hour expiration
C) Make the bucket public and use a signed URL
D) Share the root account access keys
*Rationale: Presigned URLs grant time-limited, permission-based access to S3 objects without managing IAM users, and they expire automatically.*
2. A company uses AWS Organizations with multiple accounts. A security policy requires that no S3 bucket can be made public in any account. Which method enforces this centrally?
A) S3 bucket policies in each account
B) IAM policies applied to each user
C) Service Control Policy (SCP) denying s3:PutBucketPublicAccessBlock
D) AWS Config rules with automatic remediation
Rationale: SCPs apply at the organizational level (OU/root) and cannot be overridden by account administrators, providing central guardrails.
3. An application stores sensitive customer data in S3. Compliance requires encryption at rest with customer-managed keys that support automatic rotation. Which solution meets this requirement?
A) S3 server-side encryption with S3-managed keys (SSE-S3)
B) S3 server-side encryption with AWS KMS (SSE-KMS) using a customer-managed key
C) Client-side encryption with a custom key
D) S3 default encryption with AES-256
Rationale: SSE-KMS with a customer-managed key allows key rotation, centralized control, and audit trails via CloudTrail.
4. A VPC has public and private subnets. Web servers must be accessible from the internet; database servers must have no direct internet access. How should this be designed?
A) Web servers in private subnets, databases in public subnets
B) Web servers in public subnets with internet gateway, databases in private subnets with NAT gateway for outbound patches
C) All servers in public subnets with restrictive security groups
D) All servers in private subnets with a VPN connection
Rationale: Public subnets route to an internet gateway (IGW) for inbound access; private subnets lack IGW routes. A NAT gateway allows outbound internet access for updates without permitting inbound access.
5. A company needs a dedicated, private, high-bandwidth connection from its on-premises data center to AWS for hybrid workloads. Which service should be used?
A) Site-to-Site VPN
B) AWS Direct Connect
C) Client VPN endpoint
D) VPC peering
Rationale: Direct Connect provides a dedicated private connection with consistent bandwidth, bypassing the public internet.
6. An application requires secure storage of database credentials, API keys, and rotation schedules. Which AWS service is purpose-built for this?
A) IAM roles
B) AWS Secrets Manager
C) Parameter Store (SecureString)
D) AWS KMS
Rationale: Secrets Manager automatically rotates secrets (including RDS credentials) and integrates with other AWS services.
7. Which statement about security groups (SGs) is correct?
A) SGs are stateless and evaluate all rules
B) SGs are stateful; return traffic is automatically allowed regardless of outbound rules
C) SGs operate at the subnet level
D) SGs require explicit allow rules for both inbound and outbound return traffic
Rationale: Security groups are stateful; if inbound traffic is allowed, the outbound response is automatically permitted.
8. A company needs to detect suspicious API calls, unusual EC2 instance activity, and unauthorized access attempts across its AWS account. Which service provides this?
A) AWS Shield
B) Amazon GuardDuty
C) AWS WAF
D) AWS Config
Rationale: GuardDuty is a threat detection service that continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs.
9. A web application needs to block SQL injection and cross-site scripting (XSS) attacks. Which service should be deployed in front of the application?
A) Network ACLs
B) Security groups
C) AWS WAF
D) AWS Shield Advanced
Rationale: AWS WAF is a web application firewall that filters HTTP/HTTPS requests for common exploits like SQLi and XSS.
10. An EC2 instance in a private subnet needs to download patches from S3 without traversing the internet. What is the correct configuration?
A) Assign a public IP to the EC2 instance
B) Create a gateway VPC endpoint for S3
C) Use a NAT instance in a public subnet
D) Use an internet gateway attached to the private subnet
Rationale: Gateway VPC endpoints keep traffic to S3 private within the AWS network, avoiding both the internet and NAT.
11. A company wants to centralize workforce SSO access to multiple AWS accounts from an existing identity provider (Microsoft Entra ID). Which AWS service should be used?
A) AWS Organizations
B) IAM Identity Center (formerly AWS SSO)
C) IAM roles
D) AWS Directory Service for Microsoft Active Directory
Rationale: IAM Identity Center integrates with external IdPs for workforce SSO and centrally manages access across accounts.
12. According to the AWS shared responsibility model, which responsibility belongs to the customer for AWS Lambda?
A) Securing the Lambda execution environment
B) Writing and securing the function code and IAM permissions