
Week 5 Security Cost Governance — SAA-C03 Mock Test

Mock Test — Week 5 Security, Monitoring, Cost & Governance (15 questions)

  • Date: 2026-06-22
  • Topics: CloudWatch, CloudTrail, Config, KMS, Secrets Manager, Parameter Store, WAF, Shield, GuardDuty, Inspector, Macie, Cost (Budgets, CE, Compute Optimizer, SP/RI), Organizations, IAM Identity Center, Control Tower, RAM, Well-Architected, Migration (DMS, MGN, DataSync)
  • Difficulty: exam-realistic
  • Suggested time: ~25 min

Q1.

A security team must know who deleted a specific S3 bucket and when. Which AWS service provides this audit?

  • A) AWS Config
  • B) AWS CloudTrail
  • C) Amazon CloudWatch Logs
  • D) Amazon Macie

Q2.

You need to continuously evaluate whether all S3 buckets are encrypted and auto-remediate any non-compliant bucket. Which service combination fits?

  • A) CloudTrail + EventBridge
  • B) AWS Config rule + SSM Automation remediation
  • C) GuardDuty + Lambda
  • D) Trusted Advisor + Budgets

Q3.

An RDS MySQL database password must be rotated automatically every 30 days, with no application changes other than retrieving the credential through SDK calls. Which service?

  • A) AWS Systems Manager Parameter Store SecureString
  • B) AWS Secrets Manager
  • C) AWS KMS data key
  • D) IAM database authentication

Q4.

A company must protect its e-commerce site against SQL injection and XSS. The site sits behind a CloudFront distribution backed by an ALB. Which is the best native solution?

  • A) Amazon GuardDuty
  • B) AWS WAF with managed rule groups attached to CloudFront
  • C) AWS Network Firewall in the VPC
  • D) Security groups blocking common attack ports

Q5.

A solutions architect wants automatic 24x7 DDoS Response Team support and cost protection during DDoS attacks for their CloudFront + ALB workload. Which option?

  • A) AWS Shield Standard
  • B) AWS Shield Advanced
  • C) WAF rate-based rules only
  • D) Global Accelerator

Q6.

The security team needs to identify sensitive PII in S3 buckets automatically. Which service?

  • A) Amazon Macie
  • B) Amazon Inspector
  • C) Amazon GuardDuty
  • D) AWS Audit Manager

Q7.

A company uses AWS Organizations and must prevent any member account from disabling CloudTrail. Which control is best?

  • A) IAM permissions boundary on each role
  • B) Service Control Policy denying cloudtrail:Stop*Logging
  • C) AWS Config rule
  • D) GuardDuty finding

Q8.

Engineers in 30 AWS accounts need single sign-on with their corporate Active Directory credentials. Which service is the AWS-recommended choice?

  • A) AWS Directory Service Microsoft AD
  • B) Amazon Cognito
  • C) AWS IAM Identity Center (with AD as IdP)
  • D) Per-account IAM users with SAML federation

Q9.

A team must detect crypto-mining or compromised IAM credentials in their AWS accounts with no agents. Which service fits?

  • A) Amazon Inspector
  • B) Amazon GuardDuty
  • C) AWS Macie
  • D) AWS Audit Manager

Q10.

A finance team wants to stop EC2 instances automatically if monthly spend exceeds $5,000. Which AWS native combination?

  • A) Cost Explorer + Lambda
  • B) AWS Budgets with a Budget Action
  • C) Trusted Advisor + SNS
  • D) Compute Optimizer

Q11.

A company has 100 EC2 instances and wants automatic right-sizing recommendations based on CloudWatch metrics. Which service fits?

  • A) Trusted Advisor
  • B) Compute Optimizer
  • C) AWS Config
  • D) AWS Budgets

Q12.

For a predictable 24x7 production workload running on 50 EC2 instances across multiple families, what gives the best long-term discount with flexibility?

  • A) Standard Reserved Instances locked to one family
  • B) Compute Savings Plan
  • C) Spot Instances
  • D) Dedicated Hosts

Q13.

A company migrates an on-prem Oracle database to Aurora PostgreSQL with minimal downtime. Which combination is appropriate?

  • A) AWS DataSync only
  • B) AWS Snowball
  • C) AWS Schema Conversion Tool (SCT) + AWS DMS
  • D) AWS MGN

Q14.

You need to migrate a fleet of VMware virtual machines to EC2 with continuous block-level replication and a cutover window. Which AWS service?

  • A) AWS Application Migration Service (MGN)
  • B) AWS Database Migration Service
  • C) AWS DataSync
  • D) AWS Snowball

Q15.

A solutions architect wants to add CloudWatch monitoring of memory and disk usage on EC2 instances. Which step is required?

  • A) Nothing — default EC2 metrics include memory and disk usage
  • B) Install and configure the CloudWatch Agent
  • C) Enable detailed monitoring
  • D) Subscribe Lambda to instance metrics

Your answers

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.

Answer Key & Explanations — don't peek!

Q1 — Correct: B

CloudTrail records API calls with identity, source IP, time — exact fit for an audit "who deleted" question.

Q2 — Correct: B

AWS Config evaluates resources against rules and integrates with Systems Manager Automation for auto-remediation.

Q3 — Correct: B

Secrets Manager has built-in rotation via Lambda templates for RDS engines. Parameter Store has no native rotation.

Q4 — Correct: B

WAF managed rule groups (Core, SQLi, XSS) attach to CloudFront/ALB and stop L7 attacks. GuardDuty detects but doesn't block at request layer.

Q5 — Correct: B

Shield Advanced ($3,000/month) gives DRT (now SRT) access, cost protection, and L7 enhancements over the free Standard tier.

Q6 — Correct: A

Macie is purpose-built for discovering PII / sensitive data in S3.

Q7 — Correct: B

SCPs apply to OUs/accounts and can deny specific API calls regardless of IAM policies in member accounts (management account exempt).

Q8 — Correct: C

IAM Identity Center is the modern SSO solution for AWS multi-account environments and supports AD as an identity source.

Q9 — Correct: B

GuardDuty uses ML on CloudTrail / VPC Flow / DNS logs; no agents required.

Q10 — Correct: B

AWS Budgets supports Budget Actions that can stop EC2 instances or apply restrictive SCPs/policies when thresholds are crossed.

Q11 — Correct: B

Compute Optimizer provides ML-based right-sizing for EC2, ASG, EBS, and Lambda.

Q12 — Correct: B

Compute Savings Plan offers up to ~66% off across instance families, regions, OS, and even Lambda/Fargate. Standard RIs lock instance family.

Q13 — Correct: C

SCT converts the Oracle schema to PostgreSQL; DMS handles initial load + CDC replication for minimal downtime cutover.

Q14 — Correct: A

MGN performs continuous block-level replication of on-prem servers / VMs into AWS for staged cutover.

Q15 — Correct: B

EC2 default metrics don't include memory or disk-used %. CloudWatch Agent installs the necessary collectors and ships them as custom metrics.