Browse papers
LevelAWS Solutions Architect — Associate
SubjectAWS Solutions Architect - Associate
Year2025 BS
Exam sessionModel questions
Full marks65
Time allowed130 minutes
Questions10, all with step-by-step solutions
A

AWS SAA-C03

Select the best answer.

10 questions·1 mark each
1Multiple choice1 mark

A company needs to run a memory-intensive in-memory caching workload that requires 512 GiB of RAM and a high memory-to-CPU ratio. The workload runs continuously and the data stored in memory must persist through instance reboots. Which EC2 instance family should the solutions architect recommend?

  • a

    C-family (compute-optimized) instances

  • b

    T-family (burstable general-purpose) instances

  • c

    R-family (memory-optimized) instances

  • d

    I-family (storage-optimized) instances

Correct answer: c

R-family (memory-optimized) instances

The correct answer is (c) R-family (memory-optimized) instances. AWS EC2 instance families are designed for different workload profiles. R-family instances (such as R6g, R6i) are memory-optimized and provide a high ratio of memory to CPU, making them ideal for in-memory caching workloads such as Redis, Memcached, or SAP HANA. C-family instances are compute-optimized with a higher CPU-to-memory ratio, suited for compute-intensive tasks like batch processing and scientific modeling. T-family instances are burstable general-purpose instances designed for workloads that do not consistently use full CPU, such as development environments. I-family instances are storage-optimized, designed for workloads requiring high sequential read/write access to large data sets on local storage, such as data warehousing.

ec2instance-types
2Multiple choice1 mark

A company stores application log files in Amazon S3 Standard. Compliance requires the logs to be retained for 7 years, but they are rarely accessed after 30 days and almost never accessed after 90 days. The company needs to minimize storage costs while maintaining the ability to retrieve logs within 12 hours when needed. Which S3 lifecycle configuration should the solutions architect recommend?

  • a

    Transition to S3 One Zone-IA after 30 days, then to S3 Glacier Deep Archive after 90 days

  • b

    Transition to S3 Standard-IA after 30 days, then to S3 Glacier Flexible Retrieval after 90 days

  • c

    Transition to S3 Glacier Instant Retrieval after 30 days, then to S3 Glacier Deep Archive after 90 days

  • d

    Keep all data in S3 Intelligent-Tiering for the entire 7-year retention period

Correct answer: b

Transition to S3 Standard-IA after 30 days, then to S3 Glacier Flexible Retrieval after 90 days

The correct answer is (b) Transition to S3 Standard-IA after 30 days, then to S3 Glacier Flexible Retrieval after 90 days. This configuration optimizes costs at each stage of the data lifecycle. S3 Standard-IA (Infrequent Access) costs less than S3 Standard for storage while still providing millisecond access, making it suitable for the 30-90 day period when occasional access may be needed. After 90 days, S3 Glacier Flexible Retrieval provides significantly lower storage costs with retrieval times of 1-5 minutes (expedited), 3-5 hours (standard), or 5-12 hours (bulk), which satisfies the 12-hour retrieval requirement. S3 One Zone-IA stores data in a single Availability Zone, reducing durability, which may be risky for compliance data. S3 Glacier Deep Archive has lower costs but retrieval takes 12-48 hours, which may not consistently meet the 12-hour requirement. Keeping data in S3 Intelligent-Tiering for the full 7 years is more expensive than Glacier for data known to be rarely accessed.

s3storage-classeslifecycle
3Multiple choice1 mark

A company needs to deploy EC2 instances in a private subnet that must download software updates from the internet but should NOT be directly reachable from the internet. The VPC has both a public subnet with an internet gateway and a private subnet. Which configuration should the solutions architect implement?

  • a

    Attach an internet gateway directly to the private subnet

  • b

    Create a VPC endpoint for internet access in the private subnet

  • c

    Set up a VPN connection from the private subnet to the internet

  • d

    Deploy a NAT gateway in the public subnet and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway

Correct answer: d

Deploy a NAT gateway in the public subnet and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway

The correct answer is (d) Deploy a NAT gateway in the public subnet and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. A NAT (Network Address Translation) gateway enables instances in a private subnet to initiate outbound connections to the internet (for example, to download software updates) while preventing inbound connections from the internet. The NAT gateway must be placed in a public subnet (one that has a route to an internet gateway) and must have an Elastic IP address. The private subnet's route table is then configured to send internet-bound traffic (0.0.0.0/0) to the NAT gateway. An internet gateway attached directly to the private subnet would make the instances publicly accessible if they have public IPs, violating the requirement. A VPC endpoint is used for accessing AWS services privately, not for general internet access. A VPN connection creates a secure tunnel to an on-premises network, not to the internet.

vpcnetworkingnat-gateway
4Multiple choice1 mark

A company needs to grant a third-party auditing firm temporary read-only access to specific S3 buckets containing financial reports. The auditors have their own AWS accounts. The access should expire automatically after 12 hours. Which approach BEST follows the principle of least privilege?

  • a

    Create IAM users for each auditor with access keys and an inline policy granting full S3 access

  • b

    Create an IAM role with a policy granting s3:GetObject and s3:ListBucket only on the specific bucket ARNs, and allow the auditor's AWS account to assume the role with a maximum session duration of 12 hours

  • c

    Make the S3 buckets publicly accessible with a time-limited bucket policy

  • d

    Create an IAM role granting s3:* on all buckets and share the role ARN with the auditors

Correct answer: b

Create an IAM role with a policy granting s3:GetObject and s3:ListBucket only on the specific bucket ARNs, and allow the auditor's AWS account to assume the role with a maximum session duration of 12 hours

The correct answer is (b) Create an IAM role with a policy granting s3:GetObject and s3:ListBucket only on the specific bucket ARNs, and allow the auditor's AWS account to assume the role with a maximum session duration of 12 hours. This approach follows the principle of least privilege because: (1) it uses an IAM role with cross-account access rather than creating IAM users with long-lived credentials; (2) the policy is scoped to only the specific actions needed (GetObject and ListBucket) and only on the specific bucket resources required; (3) the session duration automatically limits the access window to 12 hours. Creating IAM users with access keys provides long-lived credentials that must be manually revoked, creating security risk. Making the bucket publicly accessible exposes data to everyone, not just the auditors. Granting s3:* permissions on all buckets violates least privilege by providing far more access than needed.

iamleast-privilege
5Multiple choice1 mark

A company needs to build an e-commerce shopping cart service that handles millions of requests per second with single-digit millisecond latency. The data model consists of simple key-value lookups using a session ID to retrieve cart contents. The traffic pattern is highly variable, with 10x spikes during flash sales. Which database service should the solutions architect recommend?

  • a

    Amazon RDS for MySQL with Multi-AZ deployment

  • b

    Amazon Redshift with concurrency scaling

  • c

    Amazon DynamoDB with on-demand capacity mode

  • d

    Amazon ElastiCache for Redis as the primary data store

Correct answer: c

Amazon DynamoDB with on-demand capacity mode

The correct answer is (c) Amazon DynamoDB with on-demand capacity mode. DynamoDB is a fully managed NoSQL database that provides consistent single-digit millisecond latency at any scale. It is ideal for key-value lookup patterns like a shopping cart where data is accessed by a primary key (session ID). On-demand capacity mode automatically scales to accommodate workload spikes without capacity planning, which is perfect for the 10x traffic spikes during flash sales. Amazon RDS with Multi-AZ is a relational database service better suited for complex queries, joins, and transactions with a fixed schema; it does not scale as dynamically for simple key-value lookups. Amazon Redshift is a data warehousing service optimized for analytical queries on large datasets, not for transactional key-value access patterns. Amazon ElastiCache is an in-memory caching service that provides sub-millisecond latency but is not a durable primary database and would lose data if the cluster fails.

databasesrdsdynamodb
6Multiple choice1 mark

A company needs to deploy a load balancer for a real-time multiplayer gaming platform. The application uses custom TCP and UDP protocols on non-standard ports and requires ultra-low latency with millions of connections per second. The load balancer must support static IP addresses for firewall whitelisting by partners. Which Elastic Load Balancing option should the solutions architect choose?

  • a

    Application Load Balancer (ALB)

  • b

    Network Load Balancer (NLB)

  • c

    Classic Load Balancer (CLB)

  • d

    Gateway Load Balancer (GWLB)

Correct answer: b

Network Load Balancer (NLB)

The correct answer is (b) Network Load Balancer (NLB). NLB operates at Layer 4 (transport layer) of the OSI model and is designed to handle millions of requests per second with ultra-low latency. It supports both TCP and UDP protocols, which is essential for the gaming platform's custom protocols. NLB also provides static IP addresses per Availability Zone (and supports Elastic IP addresses), which satisfies the firewall whitelisting requirement. Application Load Balancer (ALB) operates at Layer 7 (application layer) and only supports HTTP/HTTPS protocols, making it unsuitable for custom TCP/UDP protocols. Classic Load Balancer is a legacy option with limited features and does not support UDP. Gateway Load Balancer is used for deploying, scaling, and managing third-party virtual network appliances (such as firewalls and intrusion detection systems), not for general application load balancing.

load-balancingalbnlb
7Multiple choice1 mark

A company needs to configure Auto Scaling for a web application that experiences predictable traffic increases every weekday at 9:00 AM and decreases at 6:00 PM. During these peak hours, the application consistently requires exactly 20 instances. Outside peak hours, 5 instances are sufficient. Which Auto Scaling policy type should the solutions architect use to handle this pattern most efficiently?

  • a

    Scheduled scaling

  • b

    Target tracking scaling

  • c

    Simple scaling

  • d

    Manual scaling

Correct answer: a

Scheduled scaling

The correct answer is (a) Scheduled scaling. Scheduled scaling allows you to define scaling actions that occur at specific dates and times. Since the traffic pattern is predictable and follows a consistent daily schedule (scaling up at 9:00 AM and scaling down at 6:00 PM on weekdays), scheduled scaling is the most efficient approach. It ensures instances are ready before the traffic increase, avoiding any warm-up delay. Target tracking scaling adjusts capacity to maintain a specific metric value (like average CPU at 50%) but would be reactive, adding instances only after the metric changes, which could cause latency spikes. Simple scaling adds or removes a fixed number of instances based on a single CloudWatch alarm and does not account for time-based patterns. Manual scaling requires human intervention each time and is operationally inefficient for a daily recurring pattern.

auto-scalingscaling-policies
8Multiple choice1 mark

A company needs to deploy identical infrastructure stacks across development, staging, and production environments in three different AWS regions. The infrastructure includes VPCs, EC2 instances, RDS databases, and S3 buckets. Environment-specific values such as instance sizes and database configurations must vary between environments. Which AWS CloudFormation approach should the solutions architect use?

  • a

    Create three separate CloudFormation templates, one for each environment, with hardcoded values

  • b

    Use AWS CDK instead of CloudFormation for multi-region deployments

  • c

    Manually create the resources in each region through the AWS Management Console

  • d

    Create a single CloudFormation template with Parameters and Mappings, and use separate parameter files for each environment

Correct answer: d

Create a single CloudFormation template with Parameters and Mappings, and use separate parameter files for each environment

The correct answer is (d) Create a single CloudFormation template with Parameters and Mappings, and use separate parameter files for each environment. This approach follows infrastructure as code best practices by maintaining a single source of truth for the infrastructure definition while allowing environment-specific customization through parameters. Parameters allow values like instance types and database sizes to be specified at stack creation time, and Mappings can provide region-specific values automatically. Separate parameter files (one for dev, staging, and production) keep environment configurations organized and version-controlled. Creating separate templates per environment leads to configuration drift and maintenance burden. AWS CDK is a valid IaC tool but the question specifically asks about CloudFormation. Manually creating resources through the console is not infrastructure as code and is error-prone and not repeatable.

cloudformationinfrastructure-as-code
9Multiple choice1 mark

A company needs to build an image processing pipeline. When users upload images to an S3 bucket, the system must automatically generate thumbnails in three different sizes and store them in another S3 bucket. The processing takes approximately 15 seconds per image, and uploads are sporadic, ranging from 0 to 500 images per hour. The company wants to minimize operational overhead and costs. Which architecture should the solutions architect recommend?

  • a

    Configure an S3 event notification to trigger an AWS Lambda function that processes each image and writes thumbnails to the destination bucket

  • b

    Run an EC2 Auto Scaling group that polls the S3 bucket every minute for new uploads

  • c

    Deploy an Amazon ECS Fargate service that continuously monitors the S3 bucket

  • d

    Use Amazon SQS to queue upload events and process them with a fleet of EC2 spot instances

Correct answer: a

Configure an S3 event notification to trigger an AWS Lambda function that processes each image and writes thumbnails to the destination bucket

The correct answer is (a) Configure an S3 event notification to trigger an AWS Lambda function that processes each image and writes thumbnails to the destination bucket. This is the ideal serverless architecture for event-driven, sporadic workloads. When an image is uploaded to S3, an S3 event notification automatically triggers a Lambda function. Lambda scales automatically to handle concurrent uploads (up to 500 per hour is well within Lambda's concurrency limits), and you only pay for the actual compute time used (15 seconds per invocation). With sporadic traffic, there will be many periods with zero cost. The 15-second processing time is well within Lambda's maximum execution limit. An EC2 Auto Scaling group would require running instances continuously (or dealing with cold start delays), incurring costs even when no images are being processed. An ECS Fargate service has higher minimum costs and more operational overhead. Amazon SQS with EC2 workers adds complexity and requires managing the polling infrastructure.

lambdaserverless
10Multiple choice1 mark

A company needs to design a disaster recovery strategy for a mission-critical application with a Recovery Time Objective (RTO) of 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The application uses an RDS database and EC2-based web servers behind an ALB. The primary deployment is in us-east-1. Which disaster recovery strategy should the solutions architect implement?

  • a

    Multi-AZ deployment within us-east-1 only, with automated failover

  • b

    Backup and restore: take daily RDS snapshots and copy them to us-west-2, restore during disaster

  • c

    Warm standby: run a scaled-down version of the full environment in us-west-2 with RDS cross-region read replica, and scale up during failover using Route 53 health checks

  • d

    Pilot light: maintain only the RDS cross-region read replica in us-west-2 with no running EC2 instances

Correct answer: c

Warm standby: run a scaled-down version of the full environment in us-west-2 with RDS cross-region read replica, and scale up during failover using Route 53 health checks

The correct answer is (c) Warm standby: run a scaled-down version of the full environment in us-west-2 with RDS cross-region read replica, and scale up during failover using Route 53 health checks. A warm standby strategy maintains a scaled-down but fully functional copy of the production environment in a second region. The RDS cross-region read replica provides continuous asynchronous replication, achieving an RPO of typically a few minutes (well within 15 minutes). During a disaster, the read replica is promoted to a standalone database, the EC2 instances are scaled up to production capacity, and Route 53 DNS failover routes traffic to the secondary region, all achievable within 1 hour (meeting the RTO). Multi-AZ deployment within a single region protects against AZ failures but not regional outages. Backup and restore from S3 has a much longer RTO (potentially many hours to restore and configure). A pilot light approach maintains only the database and minimal infrastructure, which typically has a longer RTO than warm standby because more components need to be started and configured during failover.

high-availabilitymulti-azmulti-region

Frequently asked questions

Where can I find the AWS Solutions Architect — Associate AWS Solutions Architect - Associate question paper 2025?
The full AWS Solutions Architect — Associate AWS Solutions Architect - Associate 2025 (Model questions) question paper is available free on Kekkei. You can read every question online and attempt the paper under timed exam conditions.
Does the AWS Solutions Architect - Associate 2025 paper come with solutions?
Yes. Every question on this AWS Solutions Architect - Associate past paper includes a step-by-step solution, plus instant AI feedback when you attempt it on Kekkei.
How many marks is the AWS Solutions Architect — Associate AWS Solutions Architect - Associate 2025 paper?
The AWS Solutions Architect — Associate AWS Solutions Architect - Associate 2025 paper carries 65 full marks and is meant to be completed in 130 minutes, across 10 questions.
Is practising this AWS Solutions Architect - Associate past paper free?
Yes — reading and attempting this AWS Solutions Architect - Associate past paper on Kekkei is completely free.