Amazon Web Services AWS Certified Solutions Architect - Associate (SAA-C03) SAA-C03 Exam Dumps: Updated Questions & Answers (May 2026)

Amazon CloudFront is a global content delivery network (CDN) that caches and distributes content to users with low latency. By setting the existing ALB as the origin, CloudFront can cache dynamic and static content closer to users worldwide, improving performance and reducing the load on the application servers. This is the most cost-optimized and AWS-recommended way to globally serve dynamic content for web applications.

Reference Extract:

" CloudFront accelerates delivery of both static and dynamic content, reducing latency and offloading origin resources by caching content at edge locations. "

Source: AWS Certified Solutions Architect – Official Study Guide, CloudFront and Global Application section.

When using an SQS queue as an event source for AWS Lambda, the visibility timeout of the SQS queue plays a critical role in preventing duplicate message processing.

" If your Lambda function doesn ' t process the message and delete it from the queue within the visibility timeout period, the message becomes visible again and can be processed again by the same or another function instance. "

— AWS Lambda with SQS

In this scenario, the third-party API may take up to 60 seconds to respond. Since the Lambda function is configured with a 65-second timeout, the visibility timeout of the queue must be greater than or equal to the maximum function execution time to avoid the same message being reprocessed.

Incorrect Options:

A: Memory allocation doesn’t impact duplicate message handling.

B: Timeout is already sufficient; increasing it further does not solve the core issue.

C: Delivery delay controls initial delivery delay, not reprocessing logic.

Amazon DynamoDB supports TTL (Time To Live) for automated, scheduled deletion of expired items. It also offers point-in-time recovery (PITR) to restore the table to any second within the retention window (typically up to 35 days), providing full data durability and protection. DynamoDB can efficiently handle frequent updates and offers predictable performance. MemoryDB is an in-memory store, not designed for durable recovery. S3 with lifecycle policies does not handle updates as efficiently for small, frequent writes and is not as optimal for session data.

Reference Extract:

" DynamoDB supports TTL for automated expiration and deletion of items and PITR for continuous backups and restoration of data. "

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB section.

BothAmazon KinesisandSQS FIFOqueues ensure the sequential processing of messages. By using the payment ID as the partition key in Kinesis or as the message group in the SQS FIFOqueue, messages are processed in order. Both solutions also allow for long-term retention (up to 10 days) of messages, making them suitable for this payment processing use case.

Option A (DynamoDB): DynamoDB does not guarantee message ordering for real-time processing.

Option C (ElastiCache): ElastiCache is for caching, not suitable for sequential message processing.

Option D (Standard SQS queue): A standard SQS queue does not guarantee ordering of messages.

AWS References:

Amazon Kinesis

Amazon SQS FIFO Queues

Amazon RDS for MySQL Reserved Instances provide significant savings over on-demand pricing when you plan to run the database for long periods. This is the most cost-effective option for non-production, long-running managed MySQL workloads.

Reference Extract:

" Reserved Instances provide a significant discount compared to On-Demand pricing and are recommended for steady-state workloads that run for an extended period. "

Source: AWS Certified Solutions Architect – Official Study Guide, RDS Cost Optimization section.

AWS Budgets allows you to set custom cost and usage budgets. When actual or forecasted usage exceeds the threshold, AWS Budgets can automatically send alerts to an Amazon SNS topic. You can use AWS Cost Explorer in parallel for visual tracking of spending. This solution requires no code and has minimal operational overhead.

The requirement is to route users to the nearest AWS Region where the application is deployed. The best solution is to use Amazon Route 53 with a geolocation routing policy, which routes traffic based on the geographic location of the user making the request.

Geolocation Routing: This routing policy ensures that users are directed to the resources (in this case, EC2 instances) that are geographically closest to them, thereby reducing latency and improving the user experience.

Application Load Balancer (ALB): Within each Region, an internet-facing Application Load Balancer (ALB) is used to distribute incoming traffic across multiple EC2 instances in different Availability Zones. ALBs are designed to handle HTTP/HTTPS traffic and provide advanced features like content-based routing, SSL termination, and user authentication.

Why Not Other Options?:

Option B (Geoproximity + NLB): Geoproximity routing is similar but more complex as it requires fine-tuning the proximity settings. A Network Load Balancer (NLB) is better suited for TCP/UDP traffic rather than HTTP/HTTPS.

Option C (Multivalue Answer Routing + ALB): Multivalue answer routing does not direct traffic based on user location but rather returns multiple values and lets the client choose. This does not meet the requirement for geographically routing users.

Option D (Weighted Routing + NLB): Weighted routing splits traffic based on predefined weights and does not consider the user ' s geographic location. NLB is not ideal for this scenario due to its focus on lower-level protocols.

AWS References:

Amazon Route 53 Routing Policies- Detailed explanation of the various routing policies available in Route 53, including geolocation.

Elastic Load Balancing- Information on the different types of load balancers in AWS and when to use them.

AWS STS is the best choice because it issuestemporary security credentialsthat expire automatically, which removes the need to create and later deactivate long-lived IAM users. AWS guidance for third-party and short-term access explicitly recommends roles and temporary credentials instead of sharing long-term credentials. Using predefined IAM roles also makes it easy to assign different permission levels to different contractors while keeping access centrally controlled. IAM users create more administrative effort and leave credential-lifecycle management to the company. AWS Config and CloudTrail are useful for governance and auditing, but they are not the primary mechanism for granting short-term role-based access. Therefore, STS with predefined roles is the most secure and lowest-overhead solution.

============

The question focuses on minimizing costs while serving static content to users in the US and Europe.

Option Auses a single S3 bucket and configures CloudFront to limit edge locations, reducing costs by using fewer edge locations while still improving performance.

Option Bmaximizes edge locations, which increases costs unnecessarily.

Options C and Dinvolve storing data in multiple regions, which increases storage and operational costs.Thus, Option A is the most cost-effective solution.

Amazon S3 is the most scalable and cost-optimized object storage for large amounts of data. It integrates natively with Amazon SageMaker, which allows direct access to S3 data for machine learning training jobs without the need to copy data elsewhere. The S3 Intelligent-Tiering storage class further optimizes storage costs for data with unknown or changing access patterns, while maintaining immediate availability for ML training.

Copying to FSx for Lustre or EFS adds unnecessary complexity and cost unless ultra-high throughput POSIX file access is specifically required, which is not mentioned here.

AWS Documentation Extract:

" Amazon S3 provides cost-effective storage for ML data sets, and Amazon SageMaker can directly access data in S3. S3 Intelligent-Tiering automatically moves data between frequent and infrequent access tiers, optimizing costs for changing data access patterns. "

(Source: AWS S3 and SageMaker documentation)

A, D: FSx for Lustre or EFS may be used in specialized cases but are not cost-optimized for general large-scale ML data storage.

C: SageMaker notebook instance storage is not designed for large-scale data ingestion or long-term storage.

The best solution is to useAmazon SQSto receive updates from the mobile app and process them with anAWS Lambdafunction. The Lambda function can rewrite the message body as necessary for each shipper and then publish the updates to the appropriateSNS topicfor distribution. Thissetup ensures that each shipper receives only the relevant data and minimizes operational overhead by using managed services.

Option A (SNS filter policy): SNS does not have the capability to rewrite message bodies before forwarding.

Option C (Second SNS topic): Using an additional SNS topic adds unnecessary complexity without solving the message rewriting requirement.

Option D (EventBridge Pipes): EventBridge Pipes is more complex than necessary for this use case, and Lambda can handle the logic more efficiently.

AWS References:

Amazon SQS

Amazon SNS with Lambda

Incremental Exports: Exporting DynamoDB data directly to Amazon S3 provides an automated, serverless way to make data available for analytics without operational overhead.

Analytics-Friendly Storage: Amazon S3 supports long-term analytics workloads and can integrate with tools like Athena or QuickSight.

DynamoDB Export to S3 Documentation

Amazon Elastic File System (Amazon EFS) is a fully managed, elastic, shared file system that can be mounted concurrently by multiple EC2 instances across multiple Availability Zones. EFS automatically grows and shrinks as files are added or removed, providing seamless scalability for unpredictable and growing storage needs. It supports simultaneous access from multiple compute resources, making it ideal for applications where several EC2 instances must read and write to the same data set concurrently. EBS volumes cannot be shared across multiple Availability Zones, and S3 Glacier is intended for archival and infrequent access, not for active, hourly data analysis.

Reference Extract from AWS Documentation / Study Guide:

" Amazon EFS provides a scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It can be mounted to many EC2 instances across multiple Availability Zones and is ideal for shared data scenarios. "

Source: AWS Certified Solutions Architect – Official Study Guide, Storage Solutions section; Amazon EFS User Guide.

The most secure way to grant an external vendor’s AWS-hosted automation tool access into a company AWS account is to use cross-account IAM role assumption. Option A follows the standard AWS pattern: the company creates an IAM role in its own account that has only the permissions the vendor needs, and the role’s trust policy allows the vendor’s IAM role (in the vendor’s AWS account) to assume it. This approach avoids creating long-lived credentials in the company account and supports least privilege, auditing, and easy revocation.

With role assumption, the vendor continues to authenticate in its own AWS account and uses AWS STS to obtain temporary credentials when accessing the company account. Temporary credentials reduce exposure compared to access keys because they expire automatically and can be constrained with session duration, external IDs (where appropriate), and conditions. The company retains full control over permissions through the role policy, and CloudTrail can record AssumeRole events and subsequent API activity for auditing.

Option B is less secure because it creates an IAM user in the company account and would typically require managing long-lived credentials for the vendor tool, increasing the risk of leakage and ongoing operational overhead. Option C is not valid because IAM users are not shared across accounts; you cannot “add” a user from another account into an IAM group in your account. Option D is incorrect because “AWS account” is not a typical IAM identity provider type for this purpose; cross-account access is done through role trust policies, not by creating an IdP with an AWS account ID and username.

Therefore, A is the most secure solution because it uses short-lived credentials, enforces least privilege, centralizes control in the company account, and provides strong auditability without issuing permanent access keys.

Provisioned Concurrency:

AWS Lambda’s provisioned concurrency ensures that a predefined number of execution environments are pre-warmed and ready to handle requests, reducing latency during traffic spikes.

This solution optimizes costs during low-traffic periods when combined with AWS Application Auto Scaling to dynamically adjust the provisioned concurrency based ondemand.

Incorrect Options Analysis:

Option B: Switching to EC2 would increase complexity and cost for a serverless application.

Option C: A fixed concurrency level may result in over-provisioning during low-traffic periods, leading to higher costs.

Option D: Periodically warming functions does not effectively handle sudden spikes in traffic.

AWS Secrets Manager is the recommended service for managing and automatically rotating database credentials. It integrates natively with Amazon RDS (including PostgreSQL), supports built-in rotation functionality, and requires minimal setup.

Secrets Manager also supports versioning and auditing, which enhances operational excellence and security. Parameter Store does not natively support credential rotation. AWS KMS manages key encryption—not application secrets—so it is not applicable here.

The correct answer isDbecause the workload isinterruptible, runs for onlyup to 48 hours each week, and the company wants themost cost-effectivesolution while alsominimizing interruptions. These requirements strongly align withAmazon EC2 Spot Instances. Spot Instances provide significant savings compared with On-Demand pricing and are ideal for batch processing, analytics, and other fault-tolerant workloads that can recover from interruptions.

To minimize the chance of interruption, the best allocation strategy iscapacity-optimized. This strategy places Spot requests into the most available Spot capacity pools, which reduces the likelihood that the running instances will be reclaimed. That is more aligned with the requirement than focusing primarily on the absolute lowest price. By usinginstance type overridesin the Auto Scaling group, the company can specify multiple acceptable instance types across generations and sizes. This improves access to capacity and helps the company adoptnewer generation instancesover time without locking into a single family or type.

Option A is incorrect becauseConvertible Reserved Instancesare not as cost-effective as Spot for an interruptible workload that runs only part of the week, and a 3-year term reduces flexibility. Option B is incorrect becauseStandard Reserved Instancesare better for steady-state workloads and do not support the requirement to move to the latest generation each year as flexibly. Option C is close, butprice-capacity-optimizedbalances cost and capacity; the question prioritizes minimizing interruptions, socapacity-optimizedis the better answer.

AWS cost optimization guidance recommendsSpot Instances with a capacity-focused strategyfor fault-tolerant workloads that need low cost and fewer interruptions.

AWSService Catalogis designed to allow organizations to manage a catalog of approved products (including AMIs) that users can deploy. By creating a portfolio that contains only EC2 instances launched with preapproved AMIs, the company can enforce compliance with the approved operating system and software for all EC2 instances. Service Catalog also streamlines the process of launching EC2 instances, reducing the lead time while ensuring that developers use only the approved configurations.

Option B (EC2 Image Builder): While EC2 Image Builder helps in creating and managing AMIs, it doesn ' t provide the enforcement mechanism that Service Catalog does.

Option C (EventBridge rule and Systems Manager script): This solution is reactive and involves more operational complexity compared to Service Catalog.

Option D (AWS Config rule): This option is reactive (it terminates non-compliant instances after launch) and introduces additional operational overhead.

AWS References:

AWS Service Catalog

Explanation (AWS Docs):

You cannot “place” DynamoDB inside a VPC. Instead, you use a VPC endpoint.

A Gateway VPC Endpoint for DynamoDB enables private connectivity between your VPC and DynamoDB without traversing the public internet.

“Use a gateway VPC endpoint to privately connect your VPC to DynamoDB without requiring an internet gateway or NAT.”

— Gateway VPC Endpoints

A highly available relational database with minimal manual intervention is best delivered by Amazon RDS Multi-AZ, which provides managed standby infrastructure and automatic failover. For the container-based application layer, Amazon ECS with the Fargate launch type reduces operational effort because AWS manages the underlying compute capacity for the containers. That combination provides managed availability for both the database and the application tier. Read replicas can help scale reads, but they do not replace Multi-AZ as the primary high-availability pattern for the database. ECS on EC2 is workable, but it requires more instance management than Fargate. This makes A and D the strongest pair for high availability with minimal operational overhead.

============