AWS Certification · SAA-C03

Solutions Architect Associate

Comprehensive coverage of compute, storage, networking, databases, security, and the Well-Architected Framework for the AWS SAA-C03 exam.

4 exam domains
65 questions
720 pass score
130 minutes

Overview

Exam domain weights

Domain 1 — Resilient Architectures: 26%
Domain 2 — High-Performing Arch.: 24%
Domain 3 — Secure Architectures: 30%
Domain 4 — Cost-Optimized Arch.: 20%

Domain 3 (Secure Architectures) has the highest weight at 30%. IAM policies, encryption at rest and in transit, and VPC security are the most-tested topics within that domain.

Most-tested services by frequency

Amazon EC2 & Auto Scaling: Critical
Amazon S3: Critical
Amazon VPC & networking: Critical
IAM: Critical
Amazon RDS & Aurora: Very high
Elastic Load Balancing: Very high
AWS Lambda & serverless: Very high
Amazon CloudFront: High
Amazon SQS & SNS: High
AWS Storage Gateway / EFS: Medium

The Well-Architected Framework — 6 Pillars

Operational Excellence

  • Automate operations with code
  • Annotate documentation
  • Make frequent, small, reversible changes
  • Refine operations procedures frequently
  • Anticipate failure; learn from all operational events

Security

  • Implement a strong identity foundation (IAM)
  • Enable traceability (CloudTrail, Config)
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest (KMS, TLS)

Reliability

  • Automatically recover from failure
  • Test recovery procedures
  • Scale horizontally to increase availability
  • Stop guessing capacity (Auto Scaling)
  • Manage change through automation

Performance Efficiency

  • Democratize advanced technologies
  • Go global in minutes
  • Use serverless architectures
  • Experiment more often
  • Consider mechanical sympathy

Cost Optimization

  • Implement cloud financial management
  • Adopt a consumption model (pay-as-you-go)
  • Measure overall efficiency
  • Stop spending on undifferentiated heavy lifting
  • Analyse and attribute expenditure

Sustainability

  • Understand your impact
  • Establish sustainability goals
  • Maximize utilization
  • Anticipate and adopt more efficient offerings
  • Reduce downstream impact

Compute

EC2 — instance types and purchasing options

Instance family | Optimized for | Use case
t3 / t4g (General) | Burstable CPU credits | Dev/test, low-traffic web servers
m6i / m7g (General) | Balanced CPU + memory | Application servers, mid-size databases
c6i / c7g (Compute) | High vCPU-to-memory ratio | Batch, media encoding, HPC, gaming
r6i / r7g (Memory) | High memory-to-vCPU ratio | In-memory caches, SAP, real-time analytics
p4 / g5 (Accelerated) | GPU | ML training/inference, graphics rendering
i4i / d3 (Storage) | High local NVMe IOPS | NoSQL, data warehousing, Hadoop

Purchasing option | Discount vs On-Demand | Commitment | Best for
On-Demand | None | None | Short-term, unpredictable workloads
Reserved (Standard) | Up to 72% | 1 or 3 years | Steady-state production workloads
Reserved (Convertible) | Up to 66% | 1 or 3 years | Long-term but instance type may change
Savings Plans (Compute) | Up to 66% | 1 or 3 years | Flexible — works across EC2, Lambda, Fargate
Spot Instances | Up to 90% | None (can be interrupted) | Fault-tolerant batch, CI/CD, stateless
Dedicated Hosts | Varies | On-Demand or Reserved | Compliance, BYOL software licensing

The exam heavily tests Spot Instances — key rule: Spot is appropriate only when the workload can tolerate interruption (batch jobs, data processing). Never use Spot for databases or stateful applications without a recovery strategy.

Auto Scaling Groups — key concepts

Concept | Detail
Launch Template | Defines AMI, instance type, key pair, security groups, user data. Preferred over launch configurations (which are legacy).
Scaling policies | Target Tracking — maintain a metric (e.g. CPU at 50%). Step Scaling — add N instances when alarm breaches threshold. Simple Scaling — single step, with cooldown.
Cooldown period | Default 300s after scale-out/in. Prevents thrashing. Target tracking policies manage their own cooldown.
Lifecycle hooks | Pause instances during launch (Pending:Wait) or termination (Terminating:Wait) to run custom scripts (install software, drain connections).
Warm pools | Pre-initialised, stopped instances that can launch faster than cold-start EC2. Reduces scale-out latency for slow-to-boot apps.
Health checks | EC2 status checks by default. Can add ELB health checks so unhealthy instances are replaced by the ASG.

Lambda & serverless compute

Lambda key facts

  • Max execution time: 15 minutes
  • Memory: 128 MB – 10,240 MB
  • CPU allocated proportional to memory
  • Concurrency default: 1,000 per region (soft limit)
  • Deployment package: 50 MB zipped, 250 MB unzipped
  • Ephemeral storage: /tmp up to 10 GB
  • VPC access: attach ENI to reach private resources

Serverless architecture components

  • API Gateway — REST, HTTP, WebSocket APIs; integrates directly with Lambda
  • SQS — decouple producers/consumers; Lambda event source mapping
  • DynamoDB — serverless NoSQL with Streams → Lambda triggers
  • Step Functions — orchestrate multi-Lambda workflows with state
  • EventBridge — event bus; schedule or route events to targets
  • Fargate — serverless containers; no EC2 to manage

Lambda cold starts add latency when a new container is initialised. Mitigation: Provisioned Concurrency keeps warm instances ready. Also avoid placing Lambda in a VPC unless the function needs private resource access — VPC adds cold-start time due to ENI creation.

Elastic Load Balancing — choosing the right type

Load balancer | Layer | Protocols | Key feature / choose when
ALB — Application | L7 | HTTP, HTTPS, gRPC | Content-based routing (path, host, headers), WebSockets, Lambda targets, microservices
NLB — Network | L4 | TCP, UDP, TLS | Ultra-low latency, millions of requests/sec, static IP, preserves source IP, PrivateLink
GLB — Gateway | L3 | All IP traffic | Inline security appliances (IDS/IPS, firewalls) — transparent bump-in-the-wire
CLB — Classic | L4/L7 | HTTP, HTTPS, TCP | Legacy only — do not use for new architectures

Sticky sessions (session affinity) keep a user routed to the same target. ALB uses a cookie; NLB uses source IP hashing. Only use sticky sessions when the application cannot be made stateless — it limits the even distribution of load.

Storage

Amazon S3 — storage classes

Storage class | Min storage | Retrieval | Use case
S3 Standard | None | Milliseconds | Frequently accessed data, websites, content distribution
S3 Intelligent-Tiering | None | Milliseconds | Unknown or changing access patterns — auto-tiers to save cost
S3 Standard-IA | 30 days | Milliseconds | Infrequent access, disaster recovery, backups
S3 One Zone-IA | 30 days | Milliseconds | Infrequent, reproducible data; lower cost, single AZ
S3 Glacier Instant | 90 days | Milliseconds | Archive accessed a few times per year (e.g., medical images)
S3 Glacier Flexible | 90 days | 1–12 hours | Archive; cost-sensitive; occasional retrieval acceptable
S3 Glacier Deep Archive | 180 days | 12–48 hours | Lowest cost; long-term compliance retention (7–10 years)

S3 — key features for the exam

Data protection

  • Versioning — keeps all versions; delete creates a delete marker
  • MFA Delete — requires MFA to permanently delete a version
  • Object Lock — WORM (Governance or Compliance mode)
  • Replication (CRR/SRR) — cross-region or same-region; requires versioning
  • Lifecycle policies — automate transitions between storage classes

Access control

  • Bucket policies — resource-based, JSON, can grant cross-account access
  • ACLs — legacy; prefer bucket policies and IAM instead
  • Block Public Access — account-level or bucket-level safeguard
  • Pre-signed URLs — temporary access for specific objects (time-limited)
  • S3 Access Points — per-application access policies at scale
  • CORS — required when a browser requests S3 from a different domain

For static website hosting, S3 must have public read access and a bucket website endpoint (not the REST endpoint). Combine with CloudFront for HTTPS, caching, and custom domains via Certificate Manager.

Block & file storage

Service | Type | Scope | Key characteristic
EBS — Elastic Block Store | Block | Single AZ, single instance* | Persistent volumes for EC2. Types: gp3 (general), io2 (high IOPS), st1 (throughput HDD), sc1 (cold HDD)
Instance Store | Block | Instance lifetime only | Fastest local NVMe; data lost on stop/terminate. Good for temp buffers, caches
EFS — Elastic File System | File (NFS) | Multi-AZ, multi-instance | Shared POSIX filesystem. Scales automatically. Standard and Infrequent Access tiers
FSx for Windows | File (SMB) | Multi-AZ option | Managed Windows Server file shares; Active Directory integration
FSx for Lustre | File (Lustre) | Single or multi-AZ | HPC, ML training; integrates with S3; sub-millisecond latency

*EBS Multi-Attach is available for io1/io2 volumes in the same AZ, allowing up to 16 Nitro-based instances to attach simultaneously; the typical use case is clustered databases.

Networking & Content Delivery

VPC — core components

Component | What it does | Key exam notes
Subnet | IP range within an AZ | Public subnet has route to IGW; private subnet does not. Each subnet in exactly one AZ.
Internet Gateway (IGW) | VPC ↔ internet | Horizontally scaled, HA by design. One per VPC. Enables public IP/EIP instances to reach internet.
NAT Gateway | Private subnet → internet (outbound only) | Managed, HA within AZ. Deploy one per AZ for HA. Charged per GB processed. Cannot be used as a Bastion.
Security Group | Stateful instance-level firewall | Allow rules only. Return traffic allowed automatically. Applied to ENIs.
Network ACL (NACL) | Stateless subnet-level firewall | Allow and deny rules. Numbered priority. Must explicitly allow return traffic. Applied to subnets.
VPC Peering | Private routing between two VPCs | Non-transitive — A↔B and B↔C does NOT mean A↔C. Works cross-region and cross-account.
Transit Gateway | Hub-and-spoke VPC routing | Transitive. Connects VPCs, VPNs, Direct Connect. Scales to thousands of attachments.
VPC Endpoints | Private access to AWS services | Gateway endpoint: free; S3 and DynamoDB only. Interface endpoint: ENI-based; most other services; charged.

NACLs are stateless — you must explicitly add both inbound and outbound rules for two-way communication, including ephemeral ports (1024–65535) for return traffic. Security groups are stateful — return traffic is automatically allowed.
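The stateless/stateful difference is easiest to see on a single TCP exchange. The following Python model is an added illustration, not code from the study page or from AWS: it does not use the AWS API, and its NACL rules, port numbers and the `StatefulFirewall` class are constructed for the example. It runs the same HTTPS request and reply through a NACL that lacks the outbound ephemeral rule, through one that has it, through one where a lower-numbered deny precedes the allow, and through a security group that has only an inbound allow.

```python
"""Stateless NACL vs. stateful security group, modelled in plain Python.

Added illustration for the study notes; it is not AWS code and does not talk
to any AWS API. The rule sets and the single TCP exchange are constructed.
"""
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)   # return-traffic range quoted in the notes


def single_port(p):
    return range(p, p + 1)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the subnet / instance
    proto: str
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int      # lowest number is evaluated first
    direction: str
    proto: str
    ports: range
    action: str      # "allow" or "deny"


def nacl_decision(rules, packet):
    """Stateless: each packet is judged on its own. The first rule that
    matches wins; the implicit '*' rule at the end denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.direction == packet.direction and rule.proto == packet.proto
                and packet.dst_port in rule.ports):
            return rule.action
    return "deny"


def nacl_exchange_allowed(rules, service_port, client_port):
    """Does a client on client_port get its request in AND the reply out?"""
    request = Packet("in", "tcp", service_port)   # client -> server
    reply = Packet("out", "tcp", client_port)      # server -> client's ephemeral port
    return (nacl_decision(rules, request) == "allow"
            and nacl_decision(rules, reply) == "allow")


class StatefulFirewall:
    """Security-group behaviour: an allowed inbound flow is recorded, and its
    reply is permitted because of that record, not because of an outbound rule."""

    def __init__(self, inbound_allow_ports):
        self.inbound_allow_ports = set(inbound_allow_ports)
        self.flows = set()   # (client_port, service_port) of accepted flows

    def inbound(self, client_port, service_port):
        if service_port in self.inbound_allow_ports:
            self.flows.add((client_port, service_port))
            return True
        return False   # no deny rules exist; unmatched traffic is simply dropped

    def outbound_reply(self, service_port, client_port):
        return (client_port, service_port) in self.flows


def sg_exchange_allowed(inbound_allow_ports, service_port, client_port):
    fw = StatefulFirewall(inbound_allow_ports)
    return fw.inbound(client_port, service_port) and fw.outbound_reply(service_port, client_port)


# Constructed NACLs for an HTTPS server in the subnet.
NACL_INBOUND_ONLY = [                    # the common mistake: no outbound ephemeral rule
    NaclRule(100, "in", "tcp", single_port(443), "allow"),
]
NACL_COMPLETE = NACL_INBOUND_ONLY + [    # both directions covered
    NaclRule(100, "out", "tcp", EPHEMERAL, "allow"),
]
NACL_DENY_FIRST = [                      # a lower-numbered deny beats the allow
    NaclRule(90, "in", "tcp", single_port(443), "deny"),
] + NACL_COMPLETE

if __name__ == "__main__":
    print("NACL without ephemeral rule:", nacl_exchange_allowed(NACL_INBOUND_ONLY, 443, 50000))
    print("NACL with ephemeral rule:   ", nacl_exchange_allowed(NACL_COMPLETE, 443, 50000))
    print("NACL deny numbered first:   ", nacl_exchange_allowed(NACL_DENY_FIRST, 443, 50000))
    print("Security group, 443 only:   ", sg_exchange_allowed({443}, 443, 50000))
```

The NACL that allows only inbound 443 drops the reply to the client's port 50000, which is exactly the symptom of a forgotten ephemeral-port rule; the security group needs no outbound rule at all because the flow table carries the reply.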

Route 53 — routing policies

Routing policy | Use case
Simple | Single resource; no health checks. Can return multiple values (client picks randomly).
Weighted | A/B testing; gradual traffic shifting between versions. Weight 0 = exclude from DNS.
Latency-based | Route to the AWS region with lowest latency for the user.
Failover | Active/passive DR. Primary + secondary. Route 53 health check triggers failover.
Geolocation | Route based on user's location (country, continent). Default record for unmatched locations.
Geoproximity | Route based on geographic proximity with bias adjustment. Requires Traffic Flow.
Multi-value Answer | Returns up to 8 healthy records. Not a substitute for a load balancer but adds basic resiliency.
IP-based | Route based on client's IP CIDR. Useful for on-premises CIDR ranges.

CloudFront & content delivery

CloudFront key facts

  • 450+ edge locations globally
  • Origins: S3, ALB, EC2, custom HTTP
  • Signed URLs / Signed Cookies for private content
  • OAC (Origin Access Control) — restricts S3 to CloudFront only
  • Cache behaviour: TTL controlled by origin headers or CloudFront policy
  • Geo Restriction: allowlist or blocklist countries
  • Lambda@Edge / CloudFront Functions: run code at edge

Hybrid connectivity

  • Site-to-Site VPN — encrypted IPSec over public internet; fast to set up; ~1.25 Gbps per tunnel; Virtual Private Gateway or Transit Gateway
  • Direct Connect — dedicated 1/10/100 Gbps private line; low latency, consistent bandwidth; takes weeks to provision
  • Direct Connect + VPN — Direct Connect with IPSec VPN for encryption (DX is not encrypted by default)
  • AWS Global Accelerator — routes traffic via AWS backbone to nearest edge; static Anycast IPs; good for non-HTTP (gaming, VoIP)

Databases

Choosing a database service

Service | Type | Choose when
RDS | Relational (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server) | Traditional RDBMS workloads; managed patching, backups, Multi-AZ failover
Aurora | Relational (MySQL/PostgreSQL compatible) | Need 5× MySQL or 3× PostgreSQL performance; auto-scaling storage up to 128 TB; Aurora Serverless for variable workloads
DynamoDB | NoSQL key-value & document | Single-digit millisecond at any scale; serverless; gaming, IoT, sessions, carts
ElastiCache | In-memory (Redis / Memcached) | Reduce DB read load with a caching layer; sessions; leaderboards. Redis adds persistence, pub/sub, replication.
Redshift | Data warehouse (OLAP, columnar) | Analytics and BI on petabyte-scale data; complex SQL; integrates with S3 via Redshift Spectrum
Neptune | Graph (Gremlin, SPARQL, openCypher) | Social networks, recommendation engines, fraud detection, knowledge graphs
DocumentDB | Document (MongoDB compatible) | JSON document store with MongoDB API compatibility
Timestream | Time-series | IoT, DevOps metrics, clickstream data with time-based queries

RDS & Aurora HA patterns

RDS Multi-AZ

  • Synchronous replication to standby in different AZ
  • Automatic failover in 1–2 minutes (DNS CNAME flip)
  • Standby is NOT readable — only for failover
  • Backups taken from standby (no I/O impact on primary)
  • Multi-AZ DB Cluster: 1 writer + 2 readable standbys (faster failover, ~35s)

Read Replicas

  • Asynchronous replication — eventual consistency
  • Up to 5 replicas per source (15 for Aurora)
  • Cross-region replicas supported
  • Can be promoted to standalone instance
  • Use to offload read traffic (analytics, reporting)
  • Replicas within region are free (data transfer); cross-region has cost

Read Replicas are for performance, not disaster recovery — they use asynchronous replication. Multi-AZ is for HA/DR with synchronous replication. These are complementary features, not alternatives.

DynamoDB — key exam concepts

Concept | Detail
Primary key | Partition key only (simple) or Partition + Sort key (composite). Must be unique per item.
GSI / LSI | Global Secondary Index: different partition key, can be added anytime. Local Secondary Index: same partition key, different sort key, must be created at table creation.
Read consistency | Eventually consistent reads (default, cheaper). Strongly consistent reads (double the RCU, latest data).
DAX | DynamoDB Accelerator — in-memory cache, microsecond reads, write-through. Transparent to application.
Streams | Ordered change log of item modifications. Consumed by Lambda triggers or Kinesis Data Streams.
TTL | Time-to-live: automatically delete expired items at no cost. Set a Unix epoch timestamp attribute.
Global Tables | Multi-region, multi-master replication. Active-active: write to any region, changes replicate globally.
On-demand capacity | Pay per request; scales instantly. Good for unpredictable traffic. Provisioned capacity is cheaper for predictable workloads.

Security & Identity

IAM — policies and roles

Policy evaluation logic

  • Explicit Deny always wins — overrides any Allow
  • If no explicit Allow → implicit Deny (default)
  • Service Control Policies (SCPs) in AWS Organizations restrict the maximum permissions available — they do NOT grant permissions
  • Permission boundaries set max permissions for an IAM entity
  • Evaluation order: SCPs → Resource policies → Identity policies → Permission boundaries → Session policies

Best practices

  • Never use root account for daily operations — create admin IAM user
  • Enable MFA on root and privileged users
  • Grant least-privilege permissions
  • Use IAM Roles for EC2 instances (instance profiles) — never embed credentials in code
  • Use IAM Roles for cross-account access
  • Rotate access keys regularly; prefer short-lived credentials
  • Use AWS Organizations + SCPs for guardrails across accounts

Encryption & key management

Service / feature | What it does
KMS CMK (Customer Managed) | You control key policies, rotation, deletion. Managed in KMS. Used by most AWS services.
KMS AWS Managed Keys | AWS creates and manages a key per service (e.g., aws/s3). Auto-rotated every year. Less control.
CloudHSM | Dedicated hardware security module. You control keys. FIPS 140-2 Level 3. Use when regulations require exclusive HSM control.
S3 SSE-S3 | Managed entirely by S3, AES-256. Zero admin overhead.
S3 SSE-KMS | Uses KMS. Audit trail in CloudTrail. Requires kms:GenerateDataKey permission.
S3 SSE-C | Customer provides key per request. AWS does not store the key.
Secrets Manager | Store and auto-rotate DB passwords, API keys. Native integration with RDS. Different from Parameter Store.
Parameter Store | Free tier for standard params; KMS optional. Good for non-secret config. No auto-rotation built in.

Monitoring & threat detection

Service | What it monitors / detects
CloudTrail | API call history for every AWS action — who, what, when, from where. Management events free; data events charged. Enable in all regions.
CloudWatch | Metrics, logs, alarms, dashboards. EC2 basic metrics every 5 min free; detailed every 1 min charged. Custom metrics via PutMetricData API.
VPC Flow Logs | IP traffic metadata at VPC / subnet / ENI level. Accepted and rejected traffic. Published to CloudWatch Logs or S3.
GuardDuty | Threat detection using ML on CloudTrail, DNS, VPC Flow Logs. Detects compromised instances, crypto-mining, reconnaissance. Enable per region.
Security Hub | Aggregates security findings from GuardDuty, Inspector, Macie, IAM Access Analyzer into a single pane.
AWS Config | Configuration compliance — records resource config changes, evaluates against rules. Point-in-time snapshots.
Inspector | Automated vulnerability scanning for EC2 (OS CVEs) and ECR container images.
Macie | Uses ML to discover and protect sensitive data (PII, credit card numbers) in S3 buckets.
WAF | Web Application Firewall — blocks SQL injection, XSS, rate limiting. Attached to ALB, CloudFront, API Gateway.
Shield Standard / Advanced | DDoS protection. Standard is free and automatic. Advanced adds 24/7 DDoS Response Team and cost protection.

Architecture Patterns

High availability & fault tolerance

Availability targets

  • 99.9% = ~8.7 hours downtime/year
  • 99.95% = ~4.4 hours downtime/year
  • 99.99% = ~52 minutes downtime/year
  • 99.999% = ~5 minutes downtime/year
  • Multi-AZ deployments typically achieve 99.99%
  • Multi-region deployments target 99.999%+

Disaster recovery strategies

  • Backup & Restore — lowest cost, highest RTO/RPO (hours)
  • Pilot Light — core services running at minimal scale; scale up on DR event (minutes–hours)
  • Warm Standby — scaled-down but fully functional copy; faster failover (minutes)
  • Multi-Site Active/Active — full production in two regions; near-zero RTO/RPO; highest cost

RTO (Recovery Time Objective) = how long you can be down. RPO (Recovery Point Objective) = how much data loss is acceptable. Backup & Restore has high RTO and RPO; Active/Active has near-zero for both.

Decoupling & messaging

Service | Pattern | Key facts
SQS Standard | Queue (pull, async) | At-least-once delivery; best-effort ordering; up to 14-day retention; unlimited throughput
SQS FIFO | Queue (pull, ordered) | Exactly-once; strict ordering within message group; 3,000 msg/sec with batching
SNS | Pub/sub (push, fan-out) | Topic → multiple subscriptions (SQS, Lambda, HTTP, email, SMS). SNS → SQS fan-out is a classic pattern.
Kinesis Data Streams | Real-time streaming | Ordered per shard; 1–7 day retention; consumers can replay. Use for real-time analytics, log ingestion.
Kinesis Data Firehose | Streaming ETL (near real-time) | Fully managed; delivers to S3, Redshift, OpenSearch, Splunk. No consumer management. 60s min buffering.
EventBridge | Event bus | Rich filtering on event content; 90+ AWS service sources; custom event buses; schema registry

The classic exam trap: SQS visibility timeout — after a message is received, it becomes invisible for the timeout period (default 30s). If not deleted before timeout, it reappears. If your Lambda or consumer takes longer than the timeout, the message will be processed again. Set visibility timeout to 6× your function timeout.
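The duplicate-processing trap can be reproduced without an AWS account. The simulation below is an added example, not part of the study page and not SQS itself: it models a queue in memory with a constructed set of messages and several identical workers whose processing time exceeds the visibility timeout, and it counts how many times each message is received. The `simulate_consumers` and `duplicate_count` functions are the example's own.

```python
"""Why a too-short SQS visibility timeout causes duplicate processing.

Added simulation for the study notes; it is not AWS code and uses a constructed
in-memory queue rather than the SQS API. Time is in whole seconds.
"""
from collections import Counter


def simulate_consumers(message_ids, visibility_timeout, processing_time,
                       consumers=2, horizon=3600):
    """Run `consumers` identical workers against a queue holding `message_ids`.

    An idle worker polls once per second, takes `processing_time` seconds per
    message and deletes the message when done. A received message is hidden
    for `visibility_timeout` seconds; if it has not been deleted by then it
    becomes visible again and another worker can receive it.
    Returns a Counter of how many times each message was received.
    """
    visible_at = {m: 0 for m in message_ids}   # when each message is next visible
    deleted = set()
    receipts = Counter()
    busy_until = [0] * consumers
    completions = []                           # (finish_time, message_id)

    t = 0
    while t < horizon and len(deleted) < len(message_ids):
        # Workers that finish at this second delete their message first.
        for finish, m in completions:
            if finish <= t:
                deleted.add(m)
        completions = [(f, m) for f, m in completions if f > t]

        for worker in range(consumers):
            if busy_until[worker] > t:
                continue
            ready = [m for m in message_ids
                     if m not in deleted and visible_at[m] <= t]
            if not ready:
                continue
            m = ready[0]
            receipts[m] += 1                        # ReceiveMessage
            visible_at[m] = t + visibility_timeout  # hidden until then
            busy_until[worker] = t + processing_time
            completions.append((t + processing_time, m))
        t += 1
    return receipts


def duplicate_count(receipts):
    """Receives beyond the first for each message, summed."""
    return sum(n - 1 for n in receipts.values())


if __name__ == "__main__":
    work = ["order-1", "order-2", "order-3"]           # constructed message ids
    too_short = simulate_consumers(work, visibility_timeout=30, processing_time=60, consumers=4)
    sized = simulate_consumers(work, visibility_timeout=6 * 60, processing_time=60, consumers=4)
    print("30 s timeout, 60 s processing:", dict(too_short), "duplicates:", duplicate_count(too_short))
    print("6x timeout:                   ", dict(sized), "duplicates:", duplicate_count(sized))
```

With a 30-second timeout and 60-second processing the idle fourth worker receives the first message again at t = 30 while the first worker is still working on it; with the timeout set to six times the processing time every message is received exactly once.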

Scalability patterns

Horizontal scaling (scale out) — preferred on AWS

Add more instances behind a load balancer. Stateless application tier enables this. Store session state in ElastiCache or DynamoDB, not on the instance. Use Auto Scaling Groups with target tracking.

Caching layers to reduce backend load

CloudFront for static assets and API responses. ElastiCache Redis for database query results and session data. DAX for DynamoDB acceleration. Route 53 TTLs to cache DNS lookups.

Offload with async processing

Replace synchronous request chains with SQS queues. Producers write to queue; consumers (EC2, Lambda) process at their own pace. Queue depth drives Auto Scaling of consumers.

Read replicas and read scaling for databases

RDS and Aurora read replicas serve read-heavy traffic. Separate analytics queries to Redshift. DynamoDB on-demand capacity handles unpredictable read/write bursts automatically.

Cost optimization strategies

Strategy | AWS tools / services
Right-size instances | AWS Compute Optimizer, Trusted Advisor, Cost Explorer — identify over-provisioned EC2, RDS, Lambda
Reserved capacity | Reserved Instances (1 or 3 yr), Savings Plans (Compute, EC2, SageMaker) for predictable workloads
Spot for batch & flexible | Spot Instances (up to 90% discount) for fault-tolerant jobs; Spot Fleet mixes types to maintain capacity
S3 storage tiers | S3 Lifecycle rules to transition to IA, Glacier; S3 Intelligent-Tiering for unknown access patterns
Serverless for variable load | Lambda (pay per invocation), Fargate (pay per vCPU/memory), API Gateway — zero cost when idle
Data transfer minimisation | VPC Gateway Endpoints (free for S3/DynamoDB), same-region data transfer, CloudFront to cache at edge
Visibility & governance | Cost Explorer, AWS Budgets (alerts), Cost Allocation Tags, AWS Organizations consolidated billing

Cheat sheet

Most-tested decision points — quick reference

EC2 — fault-tolerant batch: Spot Instances
EC2 — steady-state production: Reserved Instances or Savings Plans
Load balancer — HTTP routing: ALB (Application, Layer 7)
Load balancer — TCP/UDP, static IP: NLB (Network, Layer 4)
Load balancer — inline firewalls: GLB (Gateway, Layer 3)
S3 — infrequent, reproducible: S3 One Zone-IA
S3 — unknown access pattern: S3 Intelligent-Tiering
S3 — 7-10 year archive: S3 Glacier Deep Archive
Block storage — highest IOPS: EBS io2 Block Express
Shared file system (Linux): EFS (NFS)
Shared file system (Windows): FSx for Windows
VPC — private subnet internet: NAT Gateway (per AZ)
VPC — private S3 access: Gateway Endpoint (free)
Multi-VPC connectivity (transitive): Transit Gateway
DNS — active/passive DR: Route 53 Failover routing
DNS — A/B testing: Route 53 Weighted routing
DB — relational HA: RDS Multi-AZ
DB — read scaling: RDS / Aurora Read Replicas
DB — single-digit ms at any scale: DynamoDB
DB cache / session store: ElastiCache Redis
Async decoupling: SQS Standard Queue
Fan-out messaging: SNS → SQS (fan-out pattern)
Real-time streaming, ordered: Kinesis Data Streams
Streaming to S3/Redshift: Kinesis Data Firehose
Secrets with auto-rotation: Secrets Manager
Config / non-secret params: Systems Manager Parameter Store
Threat detection (ML): GuardDuty
API call audit log: CloudTrail
DDoS protection: AWS Shield (+ WAF for L7)
SQL injection / XSS blocking: AWS WAF
Data classification in S3: Amazon Macie
Compliance config tracking: AWS Config

Storage selection guide

If the question says… | Answer is likely…
Shared, POSIX filesystem, multiple EC2 Linux instances | EFS
Shared filesystem for Windows workloads / Active Directory | FSx for Windows File Server
HPC, ML training, needs S3 integration, sub-ms latency | FSx for Lustre
Database storage, boot volume, single EC2 instance | EBS
Temporary scratch data, highest possible IOPS, lose on termination OK | Instance Store
Object storage, internet-accessible, static website | S3
On-premises backup to AWS, hybrid NFS/SMB access | Storage Gateway (File/Volume/Tape)
Large one-time data transfer, limited bandwidth, petabytes | AWS Snowball / Snowmobile
Continuous data sync from on-premises to S3 | AWS DataSync

IAM policy evaluation — quick rules

Rule | Detail
Deny always wins | An explicit Deny in any policy — identity, resource, SCP, or boundary — always takes precedence over any Allow, no exceptions.
SCPs limit, not grant | SCPs set the ceiling of what's allowed in an AWS Organizations member account. They never grant permissions by themselves.
Cross-account needs both | For cross-account access, BOTH the calling identity's policy must Allow AND the resource policy in the target account must Allow.
Role assumption | EC2, Lambda, and other services assume IAM Roles via instance profiles / execution roles. Never hard-code credentials.
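The evaluation rules in this table can be written down as a small decision function. The Python below is an added example, not AWS code and not the IAM policy simulator: it supports only Effect, Action and Resource with wildcard matching (no Condition, NotAction or Principal elements, so any resource policy passed in is assumed to name the caller), applies the same-account rule documented by AWS (either the identity policy or the resource policy may grant), and uses constructed placeholder account IDs, bucket names and policies. Every name in it (`evaluate`, `policy_verdict`, the sample policy constants) belongs to the example.

```python
"""A small model of the IAM policy-evaluation rules in the study notes.

Added example; not AWS code. Handles Effect / Action / Resource with wildcards
only. Account IDs, bucket names and policies below are constructed placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(statement, action, resource):
    actions = _as_list(statement["Action"])
    resources = _as_list(statement.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def policy_verdict(policy, action, resource):
    """'Deny' if a matching statement denies, 'Allow' if one allows,
    None when nothing matches (an implicit deny)."""
    if policy is None:
        return None
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    verdict = None
    for statement in statements:
        if _statement_matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"      # explicit Deny: nothing else in this policy matters
            verdict = "Allow"
    return verdict


def evaluate(action, resource, *, principal_account, resource_account,
             identity_policy=None, resource_policy=None, scp=None, boundary=None):
    """Return 'Allow' or 'Deny' for one request."""
    verdicts = {
        "identity": policy_verdict(identity_policy, action, resource),
        "resource": policy_verdict(resource_policy, action, resource),
        "scp": policy_verdict(scp, action, resource),
        "boundary": policy_verdict(boundary, action, resource),
    }
    if "Deny" in verdicts.values():                 # Rule 1: explicit Deny anywhere wins
        return "Deny"
    if scp is not None and verdicts["scp"] != "Allow":   # Rule 2: SCP is a ceiling, never a grant
        return "Deny"
    identity_allows = verdicts["identity"] == "Allow"
    if boundary is not None and verdicts["boundary"] != "Allow":   # Rule 3: boundary caps identity
        identity_allows = False
    resource_allows = verdicts["resource"] == "Allow"
    if principal_account != resource_account:       # Rule 4: cross-account needs BOTH sides
        return "Allow" if identity_allows and resource_allows else "Deny"
    return "Allow" if identity_allows or resource_allows else "Deny"


# Constructed sample policies (placeholder account IDs and bucket names).
DEV_ACCOUNT, DATA_ACCOUNT = "111111111111", "222222222222"
OBJ = "arn:aws:s3:::example-shared-data/report.csv"
IDENTITY_S3_FULL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IDENTITY_EC2_FULL = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
RESOURCE_SHARED_READ = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                       "Resource": "arn:aws:s3:::example-shared-data/*"}]}
SCP_NO_BUCKET_DELETE = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},          # FullAWSAccess-style allow
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SCP_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                     "Resource": "*"}]}


def demo():
    """Requests exercising each rule; returns the decision for each case."""
    same = dict(principal_account=DEV_ACCOUNT, resource_account=DEV_ACCOUNT)
    cross = dict(principal_account=DEV_ACCOUNT, resource_account=DATA_ACCOUNT)
    return {
        "same account, identity allows": evaluate("s3:GetObject", OBJ, identity_policy=IDENTITY_S3_FULL, **same),
        "SCP explicit Deny beats identity Allow": evaluate("s3:DeleteBucket", "arn:aws:s3:::example-shared-data",
                                                          identity_policy=IDENTITY_S3_FULL, scp=SCP_NO_BUCKET_DELETE, **same),
        "SCP ceiling excludes EC2": evaluate("ec2:RunInstances", "*", identity_policy=IDENTITY_EC2_FULL, scp=SCP_S3_ONLY, **same),
        "SCP alone grants nothing": evaluate("s3:GetObject", OBJ, scp=SCP_S3_ONLY, **same),
        "cross account, identity only": evaluate("s3:GetObject", OBJ, identity_policy=IDENTITY_S3_FULL, **cross),
        "cross account, both sides": evaluate("s3:GetObject", OBJ, identity_policy=IDENTITY_S3_FULL,
                                              resource_policy=RESOURCE_SHARED_READ, **cross),
        "boundary blocks PutObject": evaluate("s3:PutObject", OBJ, identity_policy=IDENTITY_S3_FULL, boundary=BOUNDARY_READ_ONLY, **same),
        "boundary permits GetObject": evaluate("s3:GetObject", OBJ, identity_policy=IDENTITY_S3_FULL, boundary=BOUNDARY_READ_ONLY, **same),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:5}  {case}")
```

The order of the checks in `evaluate` mirrors the table: Deny is tested before anything can allow, the SCP is consulted only to veto, the boundary only narrows the identity policy, and the cross-account branch insists on both an identity Allow and a resource Allow.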

Practice quiz

Question 1 of 10

A company runs a web application with unpredictable traffic spikes. They need to ensure that EC2 instances launch automatically during peak hours and that costs remain low during off-peak hours. The instances must handle interruptions gracefully. Which EC2 purchasing option and AWS service combination is most cost-effective?

Spot Instances (up to 90% cheaper than On-Demand) combined with an ASG using target tracking is the most cost-effective choice for stateless, interruption-tolerant web applications with unpredictable traffic. The ASG automatically replaces Spot Instances that are interrupted. On-Demand is correct but not most cost-effective. Reserved requires a commitment and doesn't auto-scale. Dedicated Hosts are for licensing compliance.

Question 2 of 10

A financial services company needs to store compliance documents for 7 years. The documents are accessed only during annual audits. Retrieval within 12 hours is acceptable. What is the most cost-effective S3 storage class?

S3 Glacier Deep Archive is designed for long-term compliance archival (7–10 year retention), has the lowest storage cost per GB of all S3 classes, and retrieval within 12–48 hours — which meets the "12 hours acceptable" requirement. S3 Glacier Flexible also works but is slightly more expensive and has a 90-day minimum. Standard and Standard-IA are far more expensive for data accessed only once per year.

Question 3 of 10

A solutions architect needs to restrict outbound internet traffic from instances in a private subnet while allowing those instances to download OS updates. The solution must be highly available across Availability Zones. What should they deploy?

For high availability, you must deploy a NAT Gateway in each AZ's public subnet and configure each private subnet's route table to use the NAT Gateway in the same AZ. A single NAT Gateway creates a single point of failure — if that AZ goes down, all private subnets lose internet access. NAT Instances are legacy and require self-management. Attaching an IGW to a private subnet would make it public.

Question 4 of 10

A company needs a database solution for a gaming leaderboard that requires single-digit millisecond read/write latency and must scale to millions of concurrent users without operational management. Which service is the best fit?

DynamoDB with on-demand capacity is the canonical answer for single-digit millisecond latency at any scale with zero operational management. It's serverless, horizontally scalable, and well-suited for gaming leaderboards (sorted sets via GSI on score). RDS has higher latency and requires capacity planning. ElastiCache Redis is faster but doesn't provide durable persistence without configuration. Redshift is an OLAP warehouse, not suited for low-latency OLTP.

Question 5 of 10

An application running on EC2 needs to access an S3 bucket securely. The security team prohibits storing credentials on EC2 instances. What is the correct approach?

IAM Roles attached as instance profiles are the AWS best practice for granting EC2 applications access to AWS services. The EC2 instance automatically receives temporary, rotating credentials via the instance metadata service (IMDS). No credentials are stored on the instance. Options A and C violate the security requirement. Option D uses the root account (never recommended) and still requires credentials to access Secrets Manager.

Question 6 of 10

A company wants to implement an event-driven architecture where an image upload to S3 triggers a Lambda function for thumbnail generation, and also sends a notification to an SQS queue for further processing by a separate service. How should this be designed?

The SNS fan-out pattern (Option B) is the canonical answer for publishing one event to multiple different consumers simultaneously and independently. S3 publishes the event once to SNS; SNS fans it out to all subscribers (Lambda and SQS) in parallel. Option A works technically but tightly couples the event routing to S3. Option C makes the processing sequential rather than parallel, and the SQS notification is delayed until after thumbnail generation completes.

Question 7 of 10

A company has a VPC with 3 private subnets in different AZs. They need EC2 instances in those subnets to access S3 buckets without traversing the public internet, and without incurring NAT Gateway data transfer charges. What is the most cost-effective solution?

A VPC Gateway Endpoint for S3 is free, routes traffic within the AWS network (no internet), and requires no additional charges. You add prefix list entries to route tables pointing to the endpoint. Interface Endpoints (Option C) also work but cost ~$7.50/month per AZ plus data processing charges. NAT Gateways charge per GB processed. Assigning public IPs violates the private subnet requirement.

Question 8 of 10

A web application uses an RDS MySQL database. The operations team reports that read queries are causing high CPU on the primary instance, slowing down write operations. The application can tolerate slightly stale data for reporting queries. What should the architect recommend?

RDS Read Replicas are the correct answer when the goal is to offload read-heavy queries from the primary. The application can tolerate stale data (replicas use asynchronous replication), which makes read replicas appropriate. Multi-AZ standbys are NOT readable — they exist only for failover. Upgrading instance type is vertical scaling (expensive, doesn't solve the architectural problem). ElastiCache could help but requires application changes and doesn't solve all query patterns.

Question 9 of 10

A security auditor requires that all API calls made across the AWS account are logged and stored durably for 90 days. The logs must be tamper-evident. Which service and configuration achieves this?

CloudTrail records every API call (who, what, when, from where) for all AWS services. Delivering to S3 provides durable, long-term storage. Enabling log file validation creates SHA-256 hash digests that detect any modification or deletion of log files — this is the tamper-evident requirement. VPC Flow Logs capture network traffic metadata, not API calls. AWS Config tracks resource configuration changes, not API calls. CloudWatch Metrics capture numerical data, not API events.
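The tamper-evidence point can be modelled with a hash chain. The Python below is an added example, not CloudTrail's own code or digest file format, and it leaves out the private-key signature CloudTrail puts on its digest files; it keeps the two properties that make a trail tamper-evident (a SHA-256 hash per delivered log file, and each digest record linking to the previous one) and shows what a validator reports when a file is edited, a file is deleted, or a digest record is dropped. The file names, event records and the `build_digest_chain` / `validate` functions are constructed for this example.

```python
"""Tamper-evident log storage, in the style of CloudTrail log file validation.

Added example; not CloudTrail's code or digest format (the signature CloudTrail
applies to digest files is omitted). Sample log files are constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_hash(record):
    body = {k: record[k] for k in ("logFile", "fileHash", "previousDigest")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def build_digest_chain(log_files):
    """log_files: list of (name, bytes) in delivery order. Returns one digest
    record per file; each record links to the previous record's hash."""
    chain, previous = [], None
    for name, content in log_files:
        record = {"logFile": name, "fileHash": sha256_hex(content),
                  "previousDigest": previous}
        record["digestHash"] = _record_hash(record)
        chain.append(record)
        previous = record["digestHash"]
    return chain


def validate(log_files, chain):
    """Re-derive every hash and link; returns the list of problems found
    (an empty list means the stored logs match the digest chain)."""
    problems = []
    stored = dict(log_files)
    previous = None
    for record in chain:
        name = record["logFile"]
        if _record_hash(record) != record["digestHash"]:
            problems.append(f"digest record for {name} was altered")
        if record["previousDigest"] != previous:
            problems.append(f"chain broken before {name}")
        if name not in stored:
            problems.append(f"{name} deleted")
        elif sha256_hex(stored[name]) != record["fileHash"]:
            problems.append(f"{name} modified")
        previous = record["digestHash"]
    return problems


# Constructed sample: three delivered log files with one event each.
SAMPLE_LOGS = [
    ("trail-0000.json", b'{"eventName": "ConsoleLogin", "userIdentity": "alice"}'),
    ("trail-0001.json", b'{"eventName": "PutBucketPolicy", "userIdentity": "alice"}'),
    ("trail-0002.json", b'{"eventName": "StopLogging", "userIdentity": "bob"}'),
]


def tampering_scenarios():
    """Problems reported for intact logs, an edited file, a deleted file,
    and a digest record removed from the chain."""
    chain = build_digest_chain(SAMPLE_LOGS)
    edited = list(SAMPLE_LOGS)
    edited[2] = ("trail-0002.json", b'{"eventName": "DescribeTrails", "userIdentity": "bob"}')
    return {
        "intact": validate(SAMPLE_LOGS, chain),
        "edited": validate(edited, chain),
        "deleted": validate(SAMPLE_LOGS[:2], chain),
        "digest removed": validate(SAMPLE_LOGS, chain[:1] + chain[2:]),
    }


if __name__ == "__main__":
    for scenario, problems in tampering_scenarios().items():
        print(f"{scenario:15} {problems or 'OK'}")
```

The validator must be run against digests held somewhere the log writer cannot rewrite (CloudTrail's answer is the signature it omits here); the chain alone shows that an edited, deleted or dropped record cannot go unnoticed, but not who made the change.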

Question 10 of 10

A company runs a critical e-commerce application that must remain available even if an entire AWS Region becomes unavailable. The recovery time objective (RTO) is under 1 minute and the recovery point objective (RPO) is near zero. Which DR strategy meets these requirements?

Multi-Site Active/Active is the only strategy that achieves sub-minute RTO and near-zero RPO. Both regions are simultaneously serving live traffic; if one fails, Route 53 health checks immediately remove it and the other region absorbs all traffic — no provisioning delay. RPO is near-zero because both regions are continuously in sync. Backup & Restore has RTO of hours. Pilot Light requires scale-out (minutes). Warm Standby requires promotion (typically minutes). All are cheaper than Active/Active but cannot meet the stated requirements.