AWS Solutions Architect — Associate AWS Solutions Architect - Associate Practice Test 2025
This is the official AWS Solutions Architect — Associate AWS Solutions Architect - Associate question paper for 2025, as set in the Model questions examination. It carries 65 full marks and a time allowance of 130 minutes, across 10 questions. On Kekkei you can attempt this AWS Solutions Architect - Associate past paper online with a timer, get instant AI feedback and step-by-step solutions, and track the topics where you lose marks — completely free. Whether you are revising for your AWS Solutions Architect — Associate AWS Solutions Architect - Associate exam or solving previous years' question papers, this 2025 paper is a great way to practise under real exam conditions.
| Level | AWS Solutions Architect — Associate |
|---|---|
| Subject | AWS Solutions Architect - Associate |
| Year | 2025 BS |
| Exam session | Model questions |
| Full marks | 65 |
| Time allowed | 130 minutes |
| Questions | 10, all with step-by-step solutions |
AWS SAA-C03
Select the best answer.
A company needs to run a memory-intensive in-memory caching workload that requires 512 GiB of RAM and a high memory-to-CPU ratio. The workload runs continuously and the data stored in memory must persist through instance reboots. Which EC2 instance family should the solutions architect recommend?
R-family (memory-optimized) instances
The correct answer is (c) R-family (memory-optimized) instances. AWS EC2 instance families are designed for different workload profiles. R-family instances (such as R6g, R6i) are memory-optimized and provide a high ratio of memory to CPU, making them ideal for in-memory caching workloads such as Redis, Memcached, or SAP HANA. C-family instances are compute-optimized with a higher CPU-to-memory ratio, suited for compute-intensive tasks like batch processing and scientific modeling. T-family instances are burstable general-purpose instances designed for workloads that do not consistently use full CPU, such as development environments. I-family instances are storage-optimized, designed for workloads requiring high sequential read/write access to large data sets on local storage, such as data warehousing.
A company stores application log files in Amazon S3 Standard. Compliance requires the logs to be retained for 7 years, but they are rarely accessed after 30 days and almost never accessed after 90 days. The company needs to minimize storage costs while maintaining the ability to retrieve logs within 12 hours when needed. Which S3 lifecycle configuration should the solutions architect recommend?
Transition to S3 Standard-IA after 30 days, then to S3 Glacier Flexible Retrieval after 90 days
The correct answer is (b) Transition to S3 Standard-IA after 30 days, then to S3 Glacier Flexible Retrieval after 90 days. This configuration optimizes costs at each stage of the data lifecycle. S3 Standard-IA (Infrequent Access) costs less than S3 Standard for storage while still providing millisecond access, making it suitable for the 30-90 day period when occasional access may be needed. After 90 days, S3 Glacier Flexible Retrieval provides significantly lower storage costs with retrieval times of 1-5 minutes (expedited), 3-5 hours (standard), or 5-12 hours (bulk), which satisfies the 12-hour retrieval requirement. S3 One Zone-IA stores data in a single Availability Zone, reducing durability, which may be risky for compliance data. S3 Glacier Deep Archive has lower costs but retrieval takes 12-48 hours, which may not consistently meet the 12-hour requirement. Keeping data in S3 Intelligent-Tiering for the full 7 years is more expensive than Glacier for data known to be rarely accessed.
A company needs to deploy EC2 instances in a private subnet that must download software updates from the internet but should NOT be directly reachable from the internet. The VPC has both a public subnet with an internet gateway and a private subnet. Which configuration should the solutions architect implement?
Deploy a NAT gateway in the public subnet and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway
The correct answer is (d) Deploy a NAT gateway in the public subnet and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. A NAT (Network Address Translation) gateway enables instances in a private subnet to initiate outbound connections to the internet (for example, to download software updates) while preventing inbound connections from the internet. The NAT gateway must be placed in a public subnet (one that has a route to an internet gateway) and must have an Elastic IP address. The private subnet's route table is then configured to send internet-bound traffic (0.0.0.0/0) to the NAT gateway. An internet gateway attached directly to the private subnet would make the instances publicly accessible if they have public IPs, violating the requirement. A VPC endpoint is used for accessing AWS services privately, not for general internet access. A VPN connection creates a secure tunnel to an on-premises network, not to the internet.
A company needs to grant a third-party auditing firm temporary read-only access to specific S3 buckets containing financial reports. The auditors have their own AWS accounts. The access should expire automatically after 12 hours. Which approach BEST follows the principle of least privilege?
Create an IAM role with a policy granting s3:GetObject and s3:ListBucket only on the specific bucket ARNs, and allow the auditor's AWS account to assume the role with a maximum session duration of 12 hours
The correct answer is (b) Create an IAM role with a policy granting s3:GetObject and s3:ListBucket only on the specific bucket ARNs, and allow the auditor's AWS account to assume the role with a maximum session duration of 12 hours. This approach follows the principle of least privilege because: (1) it uses an IAM role with cross-account access rather than creating IAM users with long-lived credentials; (2) the policy is scoped to only the specific actions needed (GetObject and ListBucket) and only on the specific bucket resources required; (3) the session duration automatically limits the access window to 12 hours. Creating IAM users with access keys provides long-lived credentials that must be manually revoked, creating security risk. Making the bucket publicly accessible exposes data to everyone, not just the auditors. Granting s3:* permissions on all buckets violates least privilege by providing far more access than needed.
A company needs to build an e-commerce shopping cart service that handles millions of requests per second with single-digit millisecond latency. The data model consists of simple key-value lookups using a session ID to retrieve cart contents. The traffic pattern is highly variable, with 10x spikes during flash sales. Which database service should the solutions architect recommend?
Amazon DynamoDB with on-demand capacity mode
The correct answer is (c) Amazon DynamoDB with on-demand capacity mode. DynamoDB is a fully managed NoSQL database that provides consistent single-digit millisecond latency at any scale. It is ideal for key-value lookup patterns like a shopping cart where data is accessed by a primary key (session ID). On-demand capacity mode automatically scales to accommodate workload spikes without capacity planning, which is perfect for the 10x traffic spikes during flash sales. Amazon RDS with Multi-AZ is a relational database service better suited for complex queries, joins, and transactions with a fixed schema; it does not scale as dynamically for simple key-value lookups. Amazon Redshift is a data warehousing service optimized for analytical queries on large datasets, not for transactional key-value access patterns. Amazon ElastiCache is an in-memory caching service that provides sub-millisecond latency but is not a durable primary database and would lose data if the cluster fails.
A company needs to deploy a load balancer for a real-time multiplayer gaming platform. The application uses custom TCP and UDP protocols on non-standard ports and requires ultra-low latency with millions of connections per second. The load balancer must support static IP addresses for firewall whitelisting by partners. Which Elastic Load Balancing option should the solutions architect choose?
Network Load Balancer (NLB)
The correct answer is (b) Network Load Balancer (NLB). NLB operates at Layer 4 (transport layer) of the OSI model and is designed to handle millions of requests per second with ultra-low latency. It supports both TCP and UDP protocols, which is essential for the gaming platform's custom protocols. NLB also provides static IP addresses per Availability Zone (and supports Elastic IP addresses), which satisfies the firewall whitelisting requirement. Application Load Balancer (ALB) operates at Layer 7 (application layer) and only supports HTTP/HTTPS protocols, making it unsuitable for custom TCP/UDP protocols. Classic Load Balancer is a legacy option with limited features and does not support UDP. Gateway Load Balancer is used for deploying, scaling, and managing third-party virtual network appliances (such as firewalls and intrusion detection systems), not for general application load balancing.
A company needs to configure Auto Scaling for a web application that experiences predictable traffic increases every weekday at 9:00 AM and decreases at 6:00 PM. During these peak hours, the application consistently requires exactly 20 instances. Outside peak hours, 5 instances are sufficient. Which Auto Scaling policy type should the solutions architect use to handle this pattern most efficiently?
Scheduled scaling
The correct answer is (a) Scheduled scaling. Scheduled scaling allows you to define scaling actions that occur at specific dates and times. Since the traffic pattern is predictable and follows a consistent daily schedule (scaling up at 9:00 AM and scaling down at 6:00 PM on weekdays), scheduled scaling is the most efficient approach. It ensures instances are ready before the traffic increase, avoiding any warm-up delay. Target tracking scaling adjusts capacity to maintain a specific metric value (like average CPU at 50%) but would be reactive, adding instances only after the metric changes, which could cause latency spikes. Simple scaling adds or removes a fixed number of instances based on a single CloudWatch alarm and does not account for time-based patterns. Manual scaling requires human intervention each time and is operationally inefficient for a daily recurring pattern.
A company needs to deploy identical infrastructure stacks across development, staging, and production environments in three different AWS regions. The infrastructure includes VPCs, EC2 instances, RDS databases, and S3 buckets. Environment-specific values such as instance sizes and database configurations must vary between environments. Which AWS CloudFormation approach should the solutions architect use?
Create a single CloudFormation template with Parameters and Mappings, and use separate parameter files for each environment
The correct answer is (d) Create a single CloudFormation template with Parameters and Mappings, and use separate parameter files for each environment. This approach follows infrastructure as code best practices by maintaining a single source of truth for the infrastructure definition while allowing environment-specific customization through parameters. Parameters allow values like instance types and database sizes to be specified at stack creation time, and Mappings can provide region-specific values automatically. Separate parameter files (one for dev, staging, and production) keep environment configurations organized and version-controlled. Creating separate templates per environment leads to configuration drift and maintenance burden. AWS CDK is a valid IaC tool but the question specifically asks about CloudFormation. Manually creating resources through the console is not infrastructure as code and is error-prone and not repeatable.
A company needs to build an image processing pipeline. When users upload images to an S3 bucket, the system must automatically generate thumbnails in three different sizes and store them in another S3 bucket. The processing takes approximately 15 seconds per image, and uploads are sporadic, ranging from 0 to 500 images per hour. The company wants to minimize operational overhead and costs. Which architecture should the solutions architect recommend?
Configure an S3 event notification to trigger an AWS Lambda function that processes each image and writes thumbnails to the destination bucket
The correct answer is (a) Configure an S3 event notification to trigger an AWS Lambda function that processes each image and writes thumbnails to the destination bucket. This is the ideal serverless architecture for event-driven, sporadic workloads. When an image is uploaded to S3, an S3 event notification automatically triggers a Lambda function. Lambda scales automatically to handle concurrent uploads (up to 500 per hour is well within Lambda's concurrency limits), and you only pay for the actual compute time used (15 seconds per invocation). With sporadic traffic, there will be many periods with zero cost. The 15-second processing time is well within Lambda's maximum execution limit. An EC2 Auto Scaling group would require running instances continuously (or dealing with cold start delays), incurring costs even when no images are being processed. An ECS Fargate service has higher minimum costs and more operational overhead. Amazon SQS with EC2 workers adds complexity and requires managing the polling infrastructure.
A company needs to design a disaster recovery strategy for a mission-critical application with a Recovery Time Objective (RTO) of 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The application uses an RDS database and EC2-based web servers behind an ALB. The primary deployment is in us-east-1. Which disaster recovery strategy should the solutions architect implement?
Warm standby: run a scaled-down version of the full environment in us-west-2 with RDS cross-region read replica, and scale up during failover using Route 53 health checks
The correct answer is (c) Warm standby: run a scaled-down version of the full environment in us-west-2 with RDS cross-region read replica, and scale up during failover using Route 53 health checks. A warm standby strategy maintains a scaled-down but fully functional copy of the production environment in a second region. The RDS cross-region read replica provides continuous asynchronous replication, achieving an RPO of typically a few minutes (well within 15 minutes). During a disaster, the read replica is promoted to a standalone database, the EC2 instances are scaled up to production capacity, and Route 53 DNS failover routes traffic to the secondary region, all achievable within 1 hour (meeting the RTO). Multi-AZ deployment within a single region protects against AZ failures but not regional outages. Backup and restore from S3 has a much longer RTO (potentially many hours to restore and configure). A pilot light approach maintains only the database and minimal infrastructure, which typically has a longer RTO than warm standby because more components need to be started and configured during failover.
Frequently asked questions
- Where can I find the AWS Solutions Architect — Associate AWS Solutions Architect - Associate question paper 2025?
- The full AWS Solutions Architect — Associate AWS Solutions Architect - Associate 2025 (Model questions) question paper is available free on Kekkei. You can read every question online and attempt the paper under timed exam conditions.
- Does the AWS Solutions Architect - Associate 2025 paper come with solutions?
- Yes. Every question on this AWS Solutions Architect - Associate past paper includes a step-by-step solution, plus instant AI feedback when you attempt it on Kekkei.
- How many marks is the AWS Solutions Architect — Associate AWS Solutions Architect - Associate 2025 paper?
- The AWS Solutions Architect — Associate AWS Solutions Architect - Associate 2025 paper carries 65 full marks and is meant to be completed in 130 minutes, across 10 questions.
- Is practising this AWS Solutions Architect - Associate past paper free?
- Yes — reading and attempting this AWS Solutions Architect - Associate past paper on Kekkei is completely free.