Mock Test — Full SAA-C03 Simulation (65 questions)

  • Date: 2026-06-28
  • Topics: All SAA-C03 domains
  • Difficulty: exam-realistic
  • Suggested time: 130 min (real exam is 130 min)

Treat this like the real exam: no notes, single sitting. Write answers below, grade afterwards.


Q1.

A company runs a 3-tier web app on EC2 across two AZs behind an Application Load Balancer. Users complain about session loss when the ALB routes them to a different instance. Which solution is most cost-effective?

  • A) Use sticky sessions on the ALB
  • B) Store sessions in Amazon ElastiCache for Redis
  • C) Store sessions in an RDS database
  • D) Use Amazon S3 for session state

Q2.

A global SaaS platform requires single-digit-millisecond writes in four regions simultaneously. Which AWS database fits best?

  • A) Aurora Global Database
  • B) DynamoDB Global Tables
  • C) Amazon RDS for PostgreSQL with cross-region read replicas
  • D) Amazon DocumentDB

Q3.

A company must ensure that EC2 instances in a private subnet can access AWS S3 without leaving the AWS network or incurring NAT data-processing charges. Which solution should you implement?

  • A) Add a NAT Gateway in the public subnet
  • B) Add an S3 Gateway VPC endpoint
  • C) Use AWS Direct Connect Public VIF
  • D) Use a Site-to-Site VPN

Q4.

A company wants to host a static website with HTTPS and a custom domain at lowest cost. Which combination is best?

  • A) Amazon S3 + CloudFront + ACM certificate in us-east-1 + Route 53 Alias
  • B) EC2 + ALB + ACM in the website region
  • C) Lightsail with a static site plugin
  • D) Amazon S3 website endpoint + Route 53 Alias

Q5.

A FinTech app has unpredictable traffic spikes. The DB workload reads and writes JSON documents with millions of items, each < 8 KB. Which AWS database fits best?

  • A) Amazon Aurora Serverless v2
  • B) Amazon DynamoDB (On-Demand mode)
  • C) Amazon Redshift
  • D) Amazon RDS for MySQL Multi-AZ

Q6.

A company has 250 TB of on-prem data to migrate to S3, and only a 100 Mbps internet link. What is the fastest reliable transfer method?

  • A) Multipart upload over the internet
  • B) AWS Snowball Edge
  • C) AWS DataSync over the same link
  • D) Direct Connect (provisioned now)

Q7.

You must decouple a web tier from a worker tier with at-least-once delivery and best-effort ordering. Which service fits?

  • A) Amazon SQS Standard
  • B) Amazon SQS FIFO
  • C) Amazon SNS
  • D) Amazon Kinesis Data Streams

Q8.

Which DR strategy gives the best RTO and RPO for a region failure but at the highest cost?

  • A) Backup & Restore
  • B) Pilot Light
  • C) Warm Standby
  • D) Multi-Site Active-Active

Q9.

A workload needs immediate seconds-level failover between us-east-1 and us-west-2 for a TCP API. Which AWS service is most appropriate?

  • A) Amazon Route 53 failover with 60s TTL
  • B) AWS Global Accelerator with endpoint groups in both regions
  • C) CloudFront with multi-origin failover
  • D) ALB with cross-region target groups

Q10.

A company stores extremely large archive files in S3 that may need to be restored within 12 hours at the lowest possible price. Which storage class fits best?

  • A) S3 Standard-IA
  • B) S3 Glacier Instant Retrieval
  • C) S3 Glacier Flexible Retrieval (Standard tier)
  • D) S3 Glacier Deep Archive

Q11.

A Lambda function inside a VPC must access DynamoDB without using a NAT Gateway. Which is correct?

  • A) Add a Gateway VPC endpoint for DynamoDB
  • B) Attach an Elastic IP to the Lambda ENI
  • C) Use Direct Connect Private VIF
  • D) Place Lambda in a public subnet

Q12.

A company's compliance officer needs a WORM archive for trade confirmations for 7 years. Which combination fits best?

  • A) S3 with versioning + lifecycle expiration
  • B) S3 with Object Lock in Compliance mode + retention 7 years
  • C) EBS encrypted volumes with snapshots
  • D) Glacier vault without policy

Q13.

For a media streaming application that serves video to global users, what combination optimizes cost and latency?

  • A) S3 + CloudFront
  • B) EBS + EC2 stream server
  • C) S3 + Global Accelerator
  • D) EFS + EC2 streaming workers

Q14.

Which mechanism ensures that an S3 object is encrypted with a specific customer-managed KMS key?

  • A) Enable default encryption with SSE-KMS and add a bucket policy denying uploads missing the correct KMS key header
  • B) Use S3 versioning
  • C) Use SSE-S3 default encryption
  • D) Use S3 Object Lock

Q15.

Two private VPCs in the same region with non-overlapping CIDRs need to communicate without transitive routing. What is the simplest solution?

  • A) VPC peering
  • B) Transit Gateway
  • C) PrivateLink
  • D) Site-to-Site VPN

Q16.

A team needs to manage dependent multi-step workflows with retry, branch, and human approval behavior. Which service?

  • A) AWS Step Functions
  • B) Amazon SQS
  • C) Amazon EventBridge
  • D) AWS Glue

Q17.

Which load balancer supports path-based routing between microservices?

  • A) Application Load Balancer
  • B) Network Load Balancer
  • C) Gateway Load Balancer
  • D) Classic Load Balancer

Q18.

A team needs per-customer rate limits on a REST API exposed via API Gateway. Which feature?

  • A) AWS WAF rate-based rule
  • B) API Gateway Usage Plans + API keys
  • C) Cognito throttling
  • D) CloudFront cache policies

Q19.

A solutions architect needs to protect web traffic from SQL injection and XSS, attached at the global edge. Which combination?

  • A) Network Firewall + ALB
  • B) AWS WAF with managed rule groups on CloudFront
  • C) Security groups on EC2
  • D) Shield Standard

Q20.

A bank must process transactions in strict order per account with exactly-once delivery. Which AWS service?

  • A) Amazon SQS Standard
  • B) Amazon SQS FIFO with MessageGroupId=accountId
  • C) Amazon SNS Standard
  • D) AWS Step Functions Express

Q21.

A web app needs sub-millisecond cache for hot DB queries. Which AWS service?

  • A) ElastiCache for Redis
  • B) Amazon EFS
  • C) S3 Intelligent-Tiering
  • D) Amazon DynamoDB

Q22.

A team needs microsecond-level reads specifically for DynamoDB data. Which service fits?

  • A) ElastiCache for Redis in front of DDB
  • B) DynamoDB DAX
  • C) Amazon CloudFront
  • D) DynamoDB Global Tables

Q23.

For a multi-region active-active relational DB with a single writer and fast cross-region replication < 1s, which service?

  • A) DynamoDB Global Tables
  • B) Aurora Global Database
  • C) RDS for MySQL Multi-AZ
  • D) ElastiCache Global Datastore

Q24.

Which combination protects an S3 origin so that only CloudFront can access it?

  • A) Bucket policy + Block Public Access + Origin Access Control (OAC)
  • B) Public ACL set to read-only
  • C) S3 Object Lock + signed URLs
  • D) AWS WAF + Shield

Q25.

A company wants the simplest, fully managed way to deploy a containerized web app with HTTPS and auto-scaling, with no infrastructure to manage. Which service fits best?

  • A) Amazon EKS on EC2
  • B) AWS Fargate behind ALB
  • C) AWS App Runner
  • D) AWS Lambda with container image

Q26.

A workload analyzes streaming clickstream data and requires multiple independent consumers that can replay events for 7 days. Which AWS service?

  • A) SQS Standard
  • B) Amazon Kinesis Data Streams
  • C) Amazon EventBridge
  • D) Amazon MQ

Q27.

A solutions architect needs CloudWatch metrics for EC2 memory and disk usage. What is required?

  • A) Install the CloudWatch Agent
  • B) Enable detailed monitoring
  • C) Use Amazon Inspector
  • D) Default metrics already cover these

Q28.

A company runs predictable production workloads 24×7 across multiple instance families. Which purchase option gives the best long-term discount with flexibility?

  • A) Spot Instances
  • B) Compute Savings Plan
  • C) Dedicated Hosts
  • D) Standard RI locked to one family

Q29.

For a workload that must survive an AZ failure with minimum downtime and a read replica is not required, which RDS feature applies?

  • A) Cross-region read replica
  • B) Multi-AZ deployment (classic)
  • C) DAX
  • D) Read replicas in each AZ

Q30.

Which AWS service provides continuous configuration tracking and rule-based compliance checks for resources?

  • A) AWS CloudTrail
  • B) AWS Config
  • C) Amazon GuardDuty
  • D) Amazon Inspector

Q31.

A solutions architect must prevent all member accounts in an Organization from using any AWS region outside the EU. Which is the right mechanism?

  • A) IAM permissions boundary
  • B) Service Control Policy at the OU level
  • C) Resource policy on each service
  • D) Config rule

Q32.

A team must give on-prem AD users SSO across 30 AWS accounts. Which is the AWS-recommended choice?

  • A) IAM users in each account with federation
  • B) Amazon Cognito
  • C) AWS IAM Identity Center with AD as IdP
  • D) Active Directory Connector

Q33.

A company processes 1 million IoT readings per minute, queried by device and time range. Which database fits best?

  • A) Amazon Timestream
  • B) Amazon Aurora MySQL
  • C) Amazon Redshift
  • D) Amazon Neptune

Q34.

A media app must insert a third-party firewall appliance transparently between subnets. Which load balancer?

  • A) ALB
  • B) NLB
  • C) GWLB
  • D) CLB

Q35.

A workload spikes 100× during flash sales. The architect wants the simplest scaling for Lambda + DynamoDB. Which combination?

  • A) Lambda + DynamoDB On-Demand
  • B) Lambda + RDS Multi-AZ
  • C) Lambda + Aurora Provisioned
  • D) Lambda + Elasticsearch

Q36.

A team needs to route AWS events from many accounts to a central security account with archive and replay. Which service?

  • A) Amazon SNS
  • B) Amazon EventBridge
  • C) AWS Step Functions
  • D) Amazon SQS

Q37.

A team wants to encrypt an existing unencrypted RDS DB. What works?

  • A) Use modify-db-instance --kms-key-id
  • B) Restore an encrypted copy from an unencrypted snapshot using KMS
  • C) Take a snapshot, copy snapshot with encryption enabled, restore to new instance
  • D) Enable Transparent Data Encryption (TDE) in the DB parameter group

Q38.

For Windows file shares that integrate with on-prem Active Directory ACLs and require Multi-AZ, which storage service fits?

  • A) Amazon EFS
  • B) Amazon FSx for Windows File Server (Multi-AZ)
  • C) Amazon FSx for Lustre
  • D) Amazon S3

Q39.

A workload runs batch processing that can resume from checkpoints, and the architect wants lowest compute cost. Which option?

  • A) Reserved Instances
  • B) Compute Savings Plan
  • C) Spot Instances
  • D) Dedicated Hosts

Q40.

A company must detect anomalous AWS API activity suggesting compromised credentials. Which service?

  • A) Amazon Inspector
  • B) Amazon GuardDuty
  • C) Amazon Macie
  • D) AWS Config

Q41.

A solutions architect must scan EC2 AMIs and ECR container images for CVEs. Which service?

  • A) Amazon GuardDuty
  • B) Amazon Inspector
  • C) Amazon Macie
  • D) AWS Audit Manager

Q42.

A company wants to discover PII in S3 buckets automatically. Which service?

  • A) Macie
  • B) Inspector
  • C) Detective
  • D) GuardDuty

Q43.

A solutions architect wants to capture all denied VPC traffic for forensic analysis. Which feature should be enabled?

  • A) VPC Flow Logs
  • B) CloudTrail data events
  • C) GuardDuty foundational
  • D) AWS Config recorder

Q44.

A monolithic on-prem MySQL DB must be migrated to Aurora MySQL with minimal downtime and ongoing CDC replication. Which combination fits?

  • A) AWS DataSync + Aurora Global
  • B) AWS Snowball + native MySQL dump
  • C) AWS DMS with ongoing replication, then cutover
  • D) AWS Server Migration Service

Q45.

A team needs to migrate on-prem VMware VMs to EC2 with continuous block replication. Which service?

  • A) AWS DMS
  • B) AWS Snow Family
  • C) AWS Application Migration Service (MGN)
  • D) AWS DataSync

Q46.

A company sends mobile push notifications to iOS and Android. Which service fits best?

  • A) Amazon SQS
  • B) Amazon SNS with platform endpoints
  • C) Amazon SES
  • D) Amazon Pinpoint Email

Q47.

A solutions architect needs to schedule a Lambda function every 5 minutes. Which is the most appropriate?

  • A) Amazon EventBridge Scheduler
  • B) Amazon CloudFront Functions
  • C) Amazon SQS delay queue
  • D) AWS Step Functions Wait state

Q48.

A team builds a GraphQL API with real-time subscriptions on AWS. Which service is purpose-built?

  • A) API Gateway REST
  • B) AWS AppSync
  • C) Amazon MQ
  • D) ALB

Q49.

Which feature ensures EBS root volumes are encrypted by default for all new instances in a region?

  • A) Enable Amazon EBS encryption-by-default in account settings (per region)
  • B) Create a default KMS key in IAM
  • C) Encrypt the AMI
  • D) Set Block Public Access on EC2

Q50.

A company needs cross-account access to an S3 bucket from a partner's AWS account. Which approach is simplest and most secure?

  • A) Share the bucket owner's IAM user access keys
  • B) Create a bucket policy granting access to the partner account ARN; partner uses their own IAM role
  • C) Replicate the bucket cross-account
  • D) Move the bucket to the partner's account

Q51.

A team needs HTTP caching with fine-grained per-path TTLs and signed URLs for global users. Which service fits?

  • A) Route 53 latency policy
  • B) Amazon CloudFront with cache policies
  • C) Global Accelerator
  • D) S3 Transfer Acceleration

Q52.

A solutions architect wants to insert a logical layer between Lambda functions and an RDS DB to pool connections and reduce failover impact. Which service?

  • A) Aurora Global Database
  • B) RDS Proxy
  • C) ElastiCache
  • D) NLB

Q53.

For a stateless web tier behind ALB that must auto-scale across ≥2 AZs, which is the baseline pattern?

  • A) Auto Scaling Group across multiple AZs targeted by the ALB
  • B) Multiple Lambda functions
  • C) Single large EC2 with EIP
  • D) ECS with no service definition

Q54.

Which load balancer offers 2 static EIPs per AZ for IP whitelisting?

  • A) ALB
  • B) NLB
  • C) GWLB
  • D) CloudFront

Q55.

For petabyte-scale BI dashboards with concurrent users on historical data, which service is optimal?

  • A) Amazon Redshift
  • B) Amazon Athena
  • C) Amazon Aurora MySQL
  • D) Amazon DynamoDB

Q56.

A team has 15 VPCs across 5 accounts requiring full any-to-any connectivity, with central segmentation. Which choice fits?

  • A) VPC peering full mesh
  • B) AWS Transit Gateway with attachments and route tables
  • C) PrivateLink between every pair
  • D) Site-to-Site VPN tunnels

Q57.

You need to automatically expire DynamoDB items after 30 days. Which feature?

  • A) DynamoDB Streams + Lambda
  • B) Time-To-Live (TTL) attribute
  • C) Custom backup retention
  • D) S3 lifecycle policy

Q58.

Which service is purpose-built for high-throughput parallel file system access for ML training linked to S3?

  • A) Amazon EFS
  • B) Amazon FSx for Lustre
  • C) Amazon FSx for Windows
  • D) Amazon EBS multi-attach

Q59.

A solutions architect must implement a cost-effective DR for a non-critical workload with RTO of hours. Which strategy?

  • A) Backup & Restore
  • B) Pilot Light
  • C) Warm Standby
  • D) Multi-site active-active

Q60.

Which feature prevents accidental deletion of S3 objects while supporting version recovery?

  • A) Versioning + MFA Delete
  • B) Block Public Access
  • C) Server-side encryption
  • D) Bucket replication

Q61.

For HPC computing across many EC2 with the lowest network latency, which placement strategy?

  • A) Cluster placement group
  • B) Spread placement group
  • C) Partition placement group
  • D) Multi-AZ ASG

Q62.

You need a central, fully managed Active Directory in AWS for Windows EC2 and FSx for Windows. Which service?

  • A) AWS Directory Service for Microsoft AD (Managed AD)
  • B) Amazon Cognito User Pool
  • C) IAM Identity Center
  • D) AWS Lambda Authorizer

Q63.

A monitoring team wants central security findings from GuardDuty, Inspector, Macie, and IAM Access Analyzer with CIS standard checks. Which service?

  • A) AWS Security Hub
  • B) AWS Trusted Advisor
  • C) AWS Audit Manager
  • D) Amazon Detective

Q64.

A company runs an EC2 with an EBS root and an Instance Store volume. They stop the instance. What happens?

  • A) Both are preserved
  • B) EBS root persists; Instance Store data is lost
  • C) Instance Store persists; EBS is lost
  • D) Both are lost

Q65.

Which AWS service is purpose-built for graph relationships (Gremlin / SPARQL)?

  • A) Amazon Neptune
  • B) Amazon DocumentDB
  • C) Amazon DynamoDB
  • D) Amazon Keyspaces

Your answers

1.   2.   3.   4.   5.   6.   7.   8.   9.   10.
11.  12.  13.  14.  15.  16.  17.  18.  19.  20.
21.  22.  23.  24.  25.  26.  27.  28.  29.  30.
31.  32.  33.  34.  35.  36.  37.  38.  39.  40.
41.  42.  43.  44.  45.  46.  47.  48.  49.  50.
51.  52.  53.  54.  55.  56.  57.  58.  59.  60.
61.  62.  63.  64.  65.

Answer Key & Explanations — don't peek!
# | Ans | Why
1 | B | Externalize state in ElastiCache so any instance can serve any request; cheaper & better than sticky sessions.
2 | B | DynamoDB Global Tables provides multi-region multi-active writes; Aurora Global has only one writer.
3 | B | Gateway VPC endpoint for S3 is free and keeps traffic on AWS backbone.
4 | A | S3 + CloudFront + ACM (in us-east-1) + Route 53 Alias is the standard static-site pattern with HTTPS.
5 | B | DynamoDB On-Demand auto-scales for unpredictable, document-style key-value workloads.
6 | B | Snowball Edge for offline transfer of large datasets on slow links.
7 | A | SQS Standard = at-least-once, best-effort order, near-unlimited throughput — the textbook decoupling tool.
8 | D | Multi-site active-active offers near-zero RTO/RPO at highest cost.
9 | B | Global Accelerator does health-check failover within seconds; Route 53 is bounded by TTL/caching.
10 | D | Glacier Deep Archive is cheapest with 12 h Standard restore.
11 | A | DynamoDB supports a free Gateway endpoint just like S3.
12 | B | S3 Object Lock Compliance mode + retention enforces WORM for the retention period.
13 | A | CloudFront edge-caches video close to users.
14 | A | Default encryption + bucket policy condition is the standard way to enforce a specific key.
15 | A | Two VPCs same region, non-overlapping CIDRs → peering is simplest and supports the non-transitive requirement.
16 | A | Step Functions orchestrates retries, branches, and waits cleanly.
17 | A | ALB is L7 and supports path-based routing.
18 | B | Usage plans + API keys give per-customer rate limits and quotas.
19 | B | WAF with managed rule groups on CloudFront protects globally at L7.
20 | B | FIFO + MessageGroupId provides strict order per group and dedup; exactly-once delivery.
21 | A | ElastiCache Redis provides sub-ms reads — the canonical answer.
22 | B | DAX is the in-memory cache specifically for DynamoDB.
23 | B | Aurora Global DB replicates across regions with <1s latency; one writer. (DDB Global Tables is multi-active, not relational.)
24 | A | OAC + bucket policy + BPA lock the origin to CloudFront only.
25 | C | App Runner is the simplest managed container deploy with HTTPS + scaling.
26 | B | KDS supports multi-consumer replay; retention up to 365 days.
27 | A | Default metrics don't include memory or disk-used %; agent is required.
28 | B | Compute Savings Plan covers EC2, Lambda, Fargate; flexible across families.
29 | B | Multi-AZ classic gives synchronous standby and automatic failover; standby not readable.
30 | B | AWS Config tracks resource config + compliance rules.
31 | B | SCPs at the OU/account level can deny operations in non-allowed regions.
32 | C | IAM Identity Center is the AWS-recommended modern SSO.
33 | A | Timestream is the managed time-series database.
34 | C | GWLB inserts inline appliances via GENEVE.
35 | A | Lambda + DynamoDB On-Demand both scale instantly without provisioning.
36 | B | EventBridge supports cross-account routing, rich filters, archive/replay.
37 | C | RDS encryption can't be added in place; copy the snapshot with encryption and restore.
38 | B | FSx for Windows offers Multi-AZ SMB shares with AD ACLs.
39 | C | Spot is cheapest; suits checkpointed batch.
40 | B | GuardDuty detects anomalous API patterns from CloudTrail data.
41 | B | Inspector scans EC2, ECR, and Lambda for CVEs.
42 | A | Macie discovers sensitive PII in S3.
43 | A | VPC Flow Logs capture allowed and denied traffic metadata.
44 | C | DMS with CDC + cutover is the standard low-downtime DB migration.
45 | C | MGN performs continuous block-level replication of on-prem servers/VMs.
46 | B | SNS with platform endpoints handles APNS/FCM mobile push.
47 | A | EventBridge Scheduler is the modern cron-like service with rich targets.
48 | B | AppSync is the managed GraphQL with real-time subscriptions.
49 | A | EBS encryption-by-default is set in EC2 account settings per region.
50 | B | Bucket policy granting the partner's account ARN is the standard cross-account S3 pattern.
51 | B | CloudFront cache policies and signed URLs are the standard HTTP edge cache features.
52 | B | RDS Proxy pools connections and accelerates failover for Lambda + RDS.
53 | A | ASG across multiple AZs + ALB is the baseline HA web pattern.
54 | B | NLB supports 1 EIP per AZ for static-IP whitelisting.
55 | A | Redshift is the OLAP warehouse for petabyte BI.
56 | B | Transit Gateway is the hub-and-spoke standard for many VPCs/accounts.
57 | B | DynamoDB TTL automatically expires items by attribute timestamp.
58 | B | FSx for Lustre is the parallel file system for HPC/ML with S3 integration.
59 | A | Backup & Restore is cheapest; acceptable for non-critical workloads with hours of RTO.
60 | A | Versioning + MFA Delete protect from accidental/malicious deletion.
61 | A | Cluster placement group gives lowest intra-AZ latency.
62 | A | AWS Managed Microsoft AD is a fully managed AD for Windows workloads + FSx.
63 | A | Security Hub aggregates findings and runs CIS / PCI / AWS standards.
64 | B | Stopping always loses Instance Store data; EBS persists. (Reboot preserves both.)
65 | A | Neptune is the managed graph database.