Amazon Web Services AWS Certified Solutions Architect - Associate (SAA-C03) SAA-C03 Exam Dumps: Updated Questions & Answers (November 2025)

Security groups are stateful, but they cannot explicitly deny traffic — only allow.

Network ACLs are stateless and support explicit deny rules.To prevent Application A from sending traffic to Application B, configure a deny outbound rule in the network ACL of Application A’s subnet to block traffic to Application B’s subnet.

“Unlike security groups, network ACLs support both allow and deny rules, enabling you to explicitly block traffic.”

— Network ACLs

This is the correct method to block outbound traffic between subnets.

Amazon GuardDuty includes RDS Protection that “monitors and profiles access to your Amazon Aurora and Amazon RDS databases” to detect threats such as suspicious login attempts, brute-force activity, and anomalous authentication patterns. GuardDuty can be enabled organization-wide in AWS Organizations with a delegated administrator to centralize findings for all member accounts, minimizing operational overhead. Findings include context like source IP, user, and DB instance, and integrate with Amazon EventBridge for alerting and automated response. SCPs (A) enforce or deny API permissions but do not provide detection/analytics. Exporting general logs (C) requires building and maintaining custom parsing/analytics pipelines. CloudTrail (D) records AWS control-plane API calls and does not log database-level login attempts. Therefore, enabling GuardDuty RDS Protection across the org provides the most operationally efficient, managed detection of abnormal failed and incomplete login attempts.

AWS STS issues temporary credentials with automatically expiring permissions based on IAM roles. This eliminates the need to manually manage or deactivate IAM users.

“You can use AWS STS to grant temporary security credentials that automatically expire after a specified duration.”

— Temporary Security Credentials

This is the least operational overhead and follows AWS best practices for short-term access.

Option Ais the most automated and cost-efficient solution for exporting data to S3 for analytics.

Option Binvolves manual setup of Streams to S3.

Options C and Dintroduce complexity with EMR.

DAX does not support enabling encryption at rest on an existing cluster. To use encryption at rest, you must create a new DAX cluster with encryption enabled at creation time and migrate workloads accordingly.

AWS Control Tower: Provides a managed service to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of AWS Organizations and applies security controls (guardrails).

Networking Account:

Create a centralized networking account that includes a VPC with both private and public subnets.

This centralized VPC will manage and control the networking resources.

AWS Resource Access Manager (AWS RAM):

Use AWS RAM to share the subnets from the networking account with the other workload accounts.

This allows different workload accounts to utilize the shared networking resources without the need to manage their own VPCs.

Operational Efficiency: Using AWS Control Tower simplifies the setup and governance of multiple AWS accounts, while AWS RAM facilitates centralized management of networking resources, reducing operational overhead and ensuring consistent security and compliance.

Comprehensive and Detailed Step-by-Step Explanation:

To accurately charge customers based on their monthly data download usage, the following solution is recommended:

Structured Logging Configuration:

Action:Ensure that the AWS Transfer for SFTP server is configured to log user activity, including details about file downloads, to Amazon S3 in a structured format.

Implementation:Utilize AWS Transfer Family's structured logging feature to capture detailed information about user sessions, including actions performed and data transferred.

docs.aws.amazon.com

Justification:Structured logs provide comprehensive data necessary for analyzing customer-specific download activities.

Data Analysis with Amazon Athena:

Action:Use Amazon Athena to run SQL queries on the structured log data stored in the S3 bucket to calculate the amount of data each customer has downloaded.

Implementation:

a.Define a Schema:Create a table in Athena that maps to the structure of your log files. This involves specifying the format of the logs and the location in S3.

b.Query Data:Write SQL queries to sum the total bytes downloaded by each customer over the billing period. This can be achieved by filtering logs based on user identifiers and summing the data transfer amounts.

Justification:Athena allows for efficient querying

Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using CloudHSM (C) adds cost and operational burden. Therefore, the correct solution is D — enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure encryption.

A. Edge-optimized API + Caching:Reduces latency by using Amazon CloudFront for edge locations and enables caching for dynamic content. Compression reduces data transfer latency.

B. Regional API + Caching:Increases latency for global users due to the lack of edge locations.

C. Edge-optimized API + Reserved Concurrency:Reserved concurrency ensures Lambda availability but does not address latency for dynamic content.

D. Regional API + Reserved Concurrency:Lacks edge optimization, increasing latency for global users.

To improve read performance for a MySQL-based RDS database under load, you can:

Use Read Replicas: Amazon RDS supports MySQL read replicas, which help offload read operations from the primary database, improving performance during high traffic.

Use ElastiCache (Memcached): Adding an in-memory cache layer using Amazon ElastiCache reduces the load on the RDS instance by serving frequent queries directly from memory, especially when data is not updated often.

Option A (AWS WAF) is for web security, not database performance. Option D relates to storage optimization, not query latency. Option E would require re-architecting from relational to NoSQL, which is unnecessary and disruptive.

This solution meets the requirement of encrypting each customer’s data separately with the least operational overhead by leveraging AWS Key Management Service (KMS).

Separate AWS KMS Keys: By creating separate KMS keys for each customer, you can ensure that each customer’s data is encrypted with a unique key. This approach satisfies the compliance requirement for separate encryption and provides fine-grained control over access to the keys.

Granular Access Control: AWS KMS allows you to define key policies and use IAM policies to grant specific permissions to the keys. This ensures that only authorized users or services can access the keys, thereby maintaining the principle of least privilege.

Logging and Monitoring: AWS KMS integrates with AWS CloudTrail, which logs all key usage and management activities. This provides an audit trail that is essential for meeting compliance requirements.

Why Not Other Options?:

Option A (Store keys in S3): Storing keys in S3 is not recommended because it does not provide the same level of security, access control, or integration with AWS services as KMS does.

Option B (Hardware security appliance): Deploying a hardware security appliance adds significant operational overhead and complexity, which is unnecessary given that KMS already provides a secure and centralized key management solution.

Option C (Single KMS key for all data): Using a single KMS key does not meet the requirement of encrypting each customer's data separately.

AWS References:

AWS Key Management Service (KMS)- Overview of KMS, its features, and best practices for key management.

Using AWS KMS for Multi-Tenant Applications- Guidance on how to design applications using KMS for multi-tenancy.

Amazon RDS Proxy helps manage thousands of concurrent database connections by pooling and reusing them efficiently. It is especially useful for serverless applications like AWS Lambda that can open numerous connections quickly, potentially overwhelming the database. Using RDS Proxy reduces connection management overhead and improves fault tolerance.

AWS Organizations: AWS Organizations allows you to create multiple AWS accounts and manage them centrally. You can organize accounts into organizational units (OUs) and apply policies to these units.

Organizational Units (OUs):

Create separate OUs for each department: finance, data analytics, and development.

Place the respective AWS accounts for each department into their corresponding OUs.

Service Control Policies (SCPs):

SCPs are policies that can restrict which AWS services and actions are available to accounts in an OU.

Create SCPs to define which services each department can use and attach these policies to the appropriate OUs.

SCPs apply to all IAM users, groups, and roles within the accounts in the OU, providing centralized control over service usage.

Operational Efficiency: Using AWS Organizations and SCPs provides a scalable and centralized way to manage permissions across multiple accounts with minimal operational overhead.

To securely access AWS services like S3 and Secrets Manager from a private VPC without using public IPs, interface VPC endpoints are required. These endpoints are accessible via private IP addresses. For the application to reach these endpoints, appropriate routes must be configured in the route table.