View SAA-C03 Exam Questions

Q: 1

A gaming company is building an application that uses a database to store user data. The company wants the database to have an active-active configuration that allows data writes to a secondary AWS Region. The database must achieve a sub-second recovery point objective (RPO). Options:

Options

Discussion

Cameron D. Feb 15, 2026 1:35 am

D . Aurora (C) is tempting but it's not multi-active for writes, that's the trap here. Similar questions on practice tests.

Aaron Q. Feb 3, 2026 8:43 am

I don’t think it’s D. C.

MethodicalMentor1028 Feb 12, 2026 7:30 pm

D or maybe C if they asked for SQL, but D fits best. DynamoDB global tables are built for active-active across regions with sub-second RPO, exactly what the scenario described. Aurora's global feature is more active-passive. I think D is right here but open to arguments if someone has a different take.

SeasonedLearner3859 Feb 14, 2026 4:57 pm

Likely D, that's the only one with DynamoDB global tables for true active-active and sub-second RPO. Fits what they're asking for.

Anita X. Jan 29, 2026 12:41 am

Can someone double check if Aurora Global Database (option C) really supports active-active writes across regions? I thought only DynamoDB Global Tables (D) let you do true multi-region active-active writes, which matters for this gaming scenario. Maybe I'm missing something in how Aurora handles replication?

Sanjay W. Feb 7, 2026 2:33 pm

D vs C here, but pretty sure it's D since global tables support true active-active writes. Aurora (C) only does active-passive, easy trap. Anyone see it differently?

QuietConsultant7218 Jan 30, 2026 1:15 pm

I don’t think C fits here, D is the right one. You’ll see this covered in the AWS docs and official practice tests, global tables are built for active-active across regions.

Sanjay Y. Feb 9, 2026 8:37 pm

Logan N. Feb 12, 2026 10:28 pm

D imo, had something like this in a mock-global tables do active-active with sub-second RPO.

Kevin X. Feb 4, 2026 10:08 pm

Its D, only DynamoDB global tables give true multi-region active-active writes with sub-second RPO. The other options don’t meet all requirements.

Be respectful. No spam.

Correct Answer:

Explanation

Amazon DynamoDB global tables provide a fully managed, multi-region, and multi-active database solution. This configuration directly meets the requirement for an active-active setup, allowing write operations in both the primary and secondary AWS Regions. DynamoDB automatically propagates writes between regions, with replication typically completing in under one second. This satisfies the sub-second recovery point objective (RPO) and is ideal for globally distributed applications like gaming that require low-latency data access and high availability.

Why Incorrect

A. An Amazon ElastiCache for Redis global datastore uses a primary cluster for writes and read-only secondary clusters, which is an active-passive configuration, not active-active for writes.

B. Using DynamoDB Streams with AWS Lambda is a custom, complex solution. A fully managed service like DynamoDB global tables is a more reliable and operationally simple way to achieve the same goal.

C. Amazon Aurora Global Database supports writes only in the primary Region. The secondary Regions contain read-only replicas, making it an active-passive solution for disaster recovery, not active-active.

References

1. Amazon DynamoDB Developer Guide - Global tables: "Global tables build on the global Amazon DynamoDB footprint to provide you with a fully managed

multi-region

and multi-active database... You can write data to any of your replica tables in any of the Regions." and "When an application writes data to a replica table in one Region

DynamoDB propagates the write to the other replica tables in the other AWS Regions automatically... a replicated write is completed in under one second."

Source: AWS Documentation

Amazon DynamoDB Developer Guide

Section: "Global tables".

2. Amazon Aurora User Guide - Overview of Amazon Aurora global databases: "An Aurora global database consists of one primary AWS Region where your data is mastered

and up to five read-only

secondary AWS Regions... You issue write operations directly to the primary cluster in the primary AWS Region."

Source: AWS Documentation

Amazon Aurora User Guide

Section: "Working with Amazon Aurora global databases"

Subsection: "Overview of Amazon Aurora global databases".

3. Amazon ElastiCache for Redis User Guide - Replication across AWS Regions using global datastores: "A global datastore is a collection of one primary and one or more secondary clusters that are replicated to one another... Write to your primary cluster and have the data available for reads from your secondary clusters to enable low-latency local reads."

Source: AWS Documentation

Amazon ElastiCache for Redis User Guide

Section: "Replication across AWS Regions using global datastores".

Q: 2

A company has an application that serves clients that are deployed in more than 20.000 retail storefront locations around the world. The application consists of backend web services that are exposed over HTTPS on port 443 The application is hosted on Amazon EC2 Instances behind an Application Load Balancer (ALB). The retail locations communicate with the web application over the public internet. The company allows each retail location to register the IP address that the retail location has been allocated by its local ISP. The company's security team recommends to increase the security of the application endpoint by restricting access to only the IP addresses registered by the retail locations. What should a solutions architect do to meet these requirements?

Options

Discussion

Zoe E. Feb 11, 2026 3:48 pm

Makes sense to use A here, since AWS WAF with an IP set is built for this kind of mass IP filtering. Managing thousands of addresses with network ACLs would be a nightmare. Pretty sure about A but let me know if you think otherwise.

Jordan U. Feb 14, 2026 11:21 pm

WAF with IP sets is the only thing that scales to thousands of addresses. A

EmmaH Feb 6, 2026 9:15 pm

WAF using IP sets is built for handling thousands of IPs and integrates directly with ALB, so A fits best here. NACLs (like in D) get too messy with 20k+ entries. Pretty sure it’s A but open to other takes.

Ajay E. Jan 28, 2026 1:19 pm

Maybe D here. Network ACLs can restrict inbound by IP, so you could technically add all those IP addresses, though it's a bit messy to maintain for 20k+ entries. It might look tempting on the exam as a direct way to block/allow, but I think that's the trap in this question.

Neha Z. Feb 3, 2026 6:21 am

Its A, but I guess B might work too if WAF isn't enabled by default on the ALB.

Parker I. Jan 30, 2026 11:22 am

B. not D. Saw something like this in exam reports and WAF IP sets (A) always comes up for big IP lists.

Ravi Feb 15, 2026 9:03 pm

A , similar question came up in practice exams and official guide covers WAF with IP sets for this scale.

SteadyNeteng3660 Feb 4, 2026 2:27 pm

D tbh, network ACL rules seem like they'd work for IP filtering in this setup.

Ryan B. Jan 29, 2026 5:13 am

Option D

Be respectful. No spam.

Correct Answer:

Explanation

The most appropriate solution is to use AWS WAF (Web Application Firewall) with an IP set match rule. AWS WAF is designed to protect web applications from common exploits and can filter traffic based on various conditions, including the source IP address. A solutions architect can create one or more IP sets containing the 20,000+ registered IP addresses. This IP set is then used in a rule within a web ACL, which is associated directly with the Application Load Balancer (ALB). This approach efficiently filters traffic at the edge, allowing only requests from known retail locations to reach the application, fulfilling the security requirement in a scalable and manageable way.

Why Incorrect

B: AWS Firewall Manager is a service for centrally managing security policies (like WAF rules) across multiple accounts and resources, not the primary tool for creating the IP filtering logic itself for a single application.

C: This proposes a complex, custom-built solution using Lambda and DynamoDB. AWS WAF provides a native, more performant, and cost-effective managed service for this exact IP filtering use case.

D: Network ACLs have a very low limit on the number of rules (40 maximum per ACL), making it impossible to add rules for over 20,000 distinct IP addresses.

References

1. AWS WAF Developer Guide - IP set rule statement: "The IP set rule statement inspects the IP address of a web request's origin against a set of IP addresses and address ranges. ... You associate a web ACL with an AWS resource

to protect the resource. The resource can be an Amazon CloudFront distribution

an Amazon API Gateway REST API

an Application Load Balancer..."

Source: AWS WAF

AWS Firewall Manager

and AWS Shield Advanced Developer Guide

"Rule statement list

" section "IP set rule statement."

2. AWS WAF Developer Guide - Working with IP sets: "An IP set can hold up to 10

000 IP addresses or IP address ranges that you specify in CIDR notation." (Note: To accommodate over 20

000 IPs

multiple IP sets can be created and combined within a web ACL rule group).

Source: AWS WAF

AWS Firewall Manager

and AWS Shield Advanced Developer Guide

"Working with IP sets."

3. Amazon VPC User Guide - Network ACL quotas: "Rules per network ACL: 20 (default)

40 (maximum)". This hard limit makes NACLs unsuitable for the scale required in the scenario.

Source: Amazon VPC User Guide

"Quotas for your VPCs

" table entry for "Network ACLs."

4. AWS Firewall Manager Developer Guide - What is AWS Firewall Manager?: "AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organization." This highlights its role as a central management tool

not the direct implementation mechanism for a single ALB.

Source: AWS WAF

AWS Firewall Manager

and AWS Shield Advanced Developer Guide

"What is AWS Firewall Manager?".

Q: 3

A company runs multiple applications on Amazon EC2 instances in a VPC. Application A runs in a private subnet that has a custom route table and network ACL. Application B runs in a second private subnet in the same VPC. The company needs to prevent Application A from sending traffic to Application B. Which solution will meet this requirement?

Options

Discussion

Priya A. Feb 11, 2026 8:37 am

Totally agree it should be D. Only NACLs let you explicitly deny outbound at the subnet level, which blocks App A from sending to B. Security groups just don't do denies. If anyone disagrees, jump in.

RaviA Jan 29, 2026 3:47 am

Yeah, D makes sense because NACLs can explicitly block outbound traffic from Application A's subnet to B. Security groups don't support deny rules for outgoing traffic, just allow. I think this fits the ask but let me know if you see it differently.

Owen O. Jan 31, 2026 8:14 pm

I'm a bit stuck but pretty sure it's D. Since NACLs control subnet-level traffic and are stateless, adding an outbound deny rule on Application A's subnet stops any packets from A going out to B. Security groups don't let you set explicit deny rules like that. Not 100% though, did anyone else try this in practice?

Morgan Feb 12, 2026 1:28 am

B is wrong, D. Security groups can't do explicit deny, NACL on A's subnet outbound fits.

Mia X. Feb 8, 2026 10:53 am

Is there a reason everyone’s skipping A? I know security groups can’t do an explicit deny, but just want to double check I’m not missing a trick. NACLs look right here but AWS changes stuff sometimes.

Alex L. Feb 6, 2026 6:37 pm

Yeah, that's D. Outbound deny on App A's subnet NACL lines up with how AWS wants this done.

Nora J. Feb 3, 2026 2:31 pm

Makes sense to use D since NACLs allow you to set an explicit deny at the subnet level for outbound traffic. Security groups can't do that. Pretty sure that's what AWS expects here, but if I'm missing a twist let me know.

Nora C. Feb 9, 2026 5:10 am

This looks like D, since you want to prevent Application A from sending anything to B, and NACLs handle outbound subnet traffic with explicit denies. Security groups can’t block outbound that way. I think that covers the requirement but not totally sure if there’s a catch with how traffic could route inside the VPC. Anyone disagree?

FocusedReviewer7772 Feb 12, 2026 8:12 am

Probably D since NACLs let you explicitly block traffic at the subnet level and the question wants to stop A from reaching B, not both ways. Security groups can’t do outbound denies so this fits the scenario. Pretty sure this is the intended solution but open to other ideas.

Owen R. Feb 5, 2026 3:13 pm

Totally agree with D here. NACLs work at the subnet level and you use an outbound deny on Application A's subnet to stop anything headed to B, exactly what the scenario is asking for. Pretty sure that's how you'd see it in exam reports.

Be respectful. No spam.

Correct Answer:

Explanation

The requirement is to prevent traffic originating from Application A from reaching Application B. Network Access Control Lists (NACLs) are the appropriate tool for this scenario as they operate at the subnet level and support explicit deny rules. By adding an outbound deny rule to the NACL associated with Application A's subnet, with the destination being the CIDR block of Application B's subnet, all traffic from A to B is blocked before it leaves the source subnet. NACLs are stateless, so this single rule effectively prevents the communication as requested.

Why Incorrect

A. Security groups do not support explicit deny rules. Furthermore, an outbound rule on Application B's security group would not block inbound traffic.

B. Security groups do not have explicit deny rules; they only support allow rules. Any traffic not matching an allow rule is implicitly denied.

C. An outbound rule on Application B's subnet NACL controls traffic leaving that subnet, not traffic entering it from Application A's subnet.

References

1. AWS Documentation: VPC User Guide - Network ACLs. This document states

"A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets." It also specifies under "Network ACL rules" that rules can either "ALLOW" or "DENY" traffic. The solution in option D correctly applies a DENY rule to the outbound traffic of the source subnet.

Source: AWS VPC User Guide

Section: "Control traffic to subnets using network ACLs"

Sub-section: "Network ACL rules".

2. AWS Documentation: VPC User Guide - Security groups. This document clarifies the function of security groups

stating

"A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic." Under "Security group rules

" it specifies

"Security group rules are always permissive; you can't create rules that deny access." This directly invalidates options A and B.

Source: AWS VPC User Guide

Section: "Control traffic to resources using security groups"

Sub-section: "Security group rules".

3. AWS Documentation: VPC User Guide - Compare security groups and network ACLs. This comparison table explicitly highlights the key differences. It shows that Security Groups operate at the instance level and support "Allow rules only

" while Network ACLs operate at the subnet level and support "Allow and deny rules." This confirms that a NACL is the correct tool for a deny action and that applying it to the source subnet's outbound traffic (as in option D) is the correct implementation.

Source: AWS VPC User Guide

Section: "Control traffic to resources using security groups"

Sub-section: "Compare security groups and network ACLs".

Q: 4

A large financial services company uses Amazon ElastiCache (Redis OSS) for its new application that has a global user base. A solutions architect must develop a caching solution that will be available across AWS Regions and include low-latency replication and failover capabilities for disaster recovery (DR). The company's security team requires the encryption of cross-Region data transfers. Which solution meets these requirements with the LEAST amount of operational effort?

Options

Discussion

Sara S. Feb 6, 2026 6:58 am

B , seen this in practice tests and AWS official docs cover global data store as the easiest managed way.

Maya Feb 3, 2026 1:35 am

B seems right, is it. Had something like this in a mock before-global data store for ElastiCache Redis does auto encrypted cross-Region sync and has the failover built in with almost no management overhead. Other options are way more hands-on. Anyone disagree?

Adam M. Feb 9, 2026 3:03 am

It’s D, not B. Snapshots make DR easy and seem like less effort, though I could be missing a catch with encryption.

Jordan Feb 15, 2026 10:13 am

B is the right pick here since ElastiCache global datastore gives you managed cross-Region replication with encryption baked in. No need for extra DMS setup or manual failover steps, which keeps operational effort low. I think that's what the question aims for, but happy to discuss if someone sees a gap.

Jamie J. Feb 9, 2026 7:03 pm

B/C? Leaning B because global datastore seems more automated, but not 100% sure if there's a hidden catch.

Rowan B. Feb 6, 2026 5:54 am

Tricky part here is the encryption for cross-Region transfers, which rules out D since snapshot copies aren't encrypted in-transit by default. So B is the only one that actually meets all requirements without manual setup or extra tooling. If encryption wasn't called out, maybe D could work, but not for this specific scenario I think. Disagree?

Nora S. Feb 8, 2026 6:05 am

B Just one step, global datastore covers cross-Region replication and encryption automatically. No need to set up DMS or handle snapshots. Pretty sure that's exactly what AWS wants you to use for this scenario.

Liam W. Jan 31, 2026 1:23 am

I don’t think it’s D. B matches the least effort part, global datastore is built for this and traps you if you miss the encryption bit.

Sara H. Feb 14, 2026 1:50 pm

C/D? If cluster mode is off, DMS might not support all replication needs for Redis OSS, so depends.

Ishaan U. Jan 29, 2026 6:37 pm

I don't think A, C or D match the "least operational effort" part. B uses global data store which handles cross-Region encrypted replication automatically, so you avoid all the manual DMS or snapshot work. Saw a similar question in practice sets. Only thing to watch is that D might trick folks if you miss the encryption requirement!

Be respectful. No spam.

Correct Answer:

Explanation

Amazon ElastiCache for Redis Global Datastore is a feature specifically designed to meet these requirements. It provides a fully managed, fast, and secure solution for replicating a Redis cluster across multiple AWS Regions. This feature enables low-latency global reads and disaster recovery by allowing a secondary cluster in another Region to be promoted to primary with minimal downtime. All cross-Region traffic within a Global Datastore is encrypted, fulfilling the security requirement. This managed service approach represents the least operational effort compared to manual replication or backup-and-restore methods.

Why Incorrect

A. Using AWS Database Migration Service (AWS DMS) for cache replication is not a standard pattern and introduces significant operational complexity, contradicting the "least effort" requirement.

C. This option is incorrect for the same reason as option A; AWS DMS is not the appropriate tool for low-latency cache replication and adds unnecessary operational overhead.

D. A snapshot-and-restore strategy is a valid disaster recovery method but does not provide low-latency replication. This approach leads to a higher Recovery Point Objective (RPO).

References

1. AWS ElastiCache User Guide for Redis: "Replication Across AWS Regions Using Global Datastore" - This section details that Global Datastore is designed for "fully managed

fast

reliable

and secure cross-region replication." It explicitly states its use for "low latency global reads and disaster recovery."

2. AWS ElastiCache User Guide for Redis: "Disaster Recovery with Global Datastore" - This page describes the process of promoting a secondary cluster to primary in a disaster recovery scenario

highlighting the managed failover capability. It notes

"In the unlikely event of regional degradation

one of the healthy secondary clusters can be promoted to become the new primary with full read/write capabilities."

3. AWS ElastiCache User Guide for Redis: "Encryption in Transit" - This section confirms that for Global Datastore

"All inter-region traffic between the clusters is encrypted." This directly addresses the security requirement in the question.

Q: 5

A company stores a large dataset for an online advertising business in an Amazon RDS for MySQL DB instance. The company wants to run business reporting queries on the data without affecting write operations to the DB instance. Which solution will meet these requirements?

Options

Discussion

Layla Feb 7, 2026 8:30 pm

Option A had something like this in a mock and read replicas are the usual AWS way to separate reporting reads from production writes.

Sean I. Feb 15, 2026 4:05 pm

A . Read replicas are meant for offloading read-heavy stuff like reporting so the primary keeps handling writes smoothly. Scaling up (C) just makes everything share one bigger box, doesn't separate reads from writes. Anyone see it different?

Robin E. Feb 1, 2026 3:10 pm

Chris Y. Feb 12, 2026 1:37 pm

Yeah, A is right here. Using read replicas lets you run reporting queries without impacting the main RDS write workload.

Liam G. Feb 10, 2026 4:24 pm

C or A? I think it's supposed to be A with read replicas for reporting but not totally sure since horizontal scaling can be confusing with RDS. Anyone else see something like this?

Meera Jan 26, 2026 11:11 am

C. scaling up the DB instance feels like it would let both writes and reporting work better at once, right?

Sean Z. Feb 7, 2026 8:12 am

Y AWS makes this so convoluted sometimes, but it's A for sure.

Jason Feb 15, 2026 1:57 pm

Read replicas are built for this use case. A

Jack D. Feb 7, 2026 1:08 am

A makes more sense is what I picked on something almost identical in a mock. Read replicas are made for offloading heavy reporting reads so writes on the main DB instance don't get slowed down. Scaling up (C) just throws more power at it, doesn't isolate traffic. Not 100% but pretty confident here, anyone see it different?

Emma D. Jan 28, 2026 1:35 am

Nah, it's not B-ELB can't balance database read traffic like that. A is the right move here.

Be respectful. No spam.

Correct Answer:

Explanation

Amazon RDS Read Replicas are designed specifically for offloading read-heavy workloads, such as business reporting queries, from the primary (source) DB instance. By creating a read replica, you get a read-only copy of your database that is updated asynchronously from the source. Directing the reporting queries to the read replica isolates this workload, ensuring that the performance of write operations on the primary DB instance is not affected. This solution directly addresses the requirement to separate read and write traffic to maintain performance.

Why Incorrect

B: You cannot place a standard RDS DB instance behind an Elastic Load Balancer to scale it horizontally. This architecture is not supported and does not solve the read/write workload separation issue.

C: Scaling up (vertical scaling) provides more resources to a single instance but does not isolate workloads. An intensive reporting query can still consume shared resources and impact write performance.

D: A standby DB instance is part of a Multi-AZ deployment for high availability and disaster recovery. It is not accessible for read traffic and only becomes active if the primary instance fails.

References

1. AWS Documentation - Amazon RDS User Guide: "Working with Amazon RDS read replicas" - This document states

"You can reduce the load on your source DB instance by routing read queries from your applications to the read replica. Read replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads." It also explicitly mentions

"One common use for read replicas is for business intelligence (BI) reporting."

2. AWS Documentation - Amazon RDS User Guide: "High availability (Multi-AZ) for Amazon RDS" - This guide clarifies the purpose of a standby instance: "The primary benefit of a Multi-AZ deployment is high availability... You can't use a standby replica to serve read traffic." This directly refutes the solution proposed in option D.

3. AWS Documentation - Amazon RDS User Guide: "DB instance classes" - This section describes modifying an instance class (scaling up). While this increases capacity

it does not provide the workload isolation required by the question

making it a less suitable solution than read replicas for this specific use case.

Q: 6

A company that has multiple AWS accounts maintains an on-premises Microsoft Active Directory. The company needs a solution to implement Single Sign-On for its employees. The company wants to use AWS IAM Identity Center. The solution must meet the following requirements: Allow users to access AWS accounts and third-party applications by using existing Active Directory credentials. Enforce multi-factor authentication (MFA) to access AWS accounts. Centrally manage permissions to access AWS accounts and applications. Options:

Options

Correct Answer:

Explanation

AWS IAM Identity Center (formerly AWS SSO) is designed for centrally managing Single Sign-On (SSO) access to multiple AWS accounts and applications. It integrates with AWS Organizations to provide a single point of administration. By configuring the existing on-premises Active Directory as the identity source (typically via AWS Directory Service AD Connector), the company can allow employees to use their current credentials. IAM Identity Center has built-in capabilities to enforce multi-factor authentication (MFA). Permissions are managed centrally by creating permission sets and assigning Active Directory groups to these sets for specific AWS accounts, fulfilling all the stated requirements in a streamlined and recommended manner.

Why Incorrect

A. This approach is decentralized and inefficient. Managing IAM identity providers and roles in each account separately defeats the purpose of central management, which is a core benefit of IAM Identity Center.

B. This solution creates a new, separate directory instead of using the existing on-premises Active Directory, which directly violates a primary requirement of the company.

D. This describes a complex, custom synchronization solution that creates duplicate IAM users. This is an anti-pattern that increases management overhead and security risks compared to using federation with IAM Identity Center.

References

1. AWS IAM Identity Center User Guide - How it works: "IAM Identity Center is integrated with AWS Organizations

which helps you to centrally manage the billing

apply policies

and simplify access management across multiple AWS accounts... You can choose to manage your users and groups in IAM Identity Center

or manage them in a connected directory

including AWS Directory Service

or an external identity provider." This supports the central management and identity source aspects of option C.

Source: AWS IAM Identity Center User Guide

"What is AWS IAM Identity Center?"

"How it works" section.

2. AWS IAM Identity Center User Guide - Choose your identity source: "When you use Active Directory as your identity source

your users can sign in to the AWS access portal with their Active Directory credentials. You can connect to your self-managed Active Directory in your on-premises data center..." This confirms the ability to use an existing on-premises AD.

Source: AWS IAM Identity Center User Guide

"Manage your identity source"

"Choose your identity source" section.

3. AWS IAM Identity Center User Guide - Multi-factor authentication: "You can enable multi-factor authentication (MFA) for your users in IAM Identity Center... When MFA is enabled

users are prompted for an MFA code from their authenticator app when they sign in to the AWS access portal." This confirms the MFA enforcement capability.

Source: AWS IAM Identity Center User Guide

"Security"

"Multi-factor authentication" section.

4. AWS Directory Service Administration Guide - AD Connector: "AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud." This explains the mechanism for connecting the on-premises AD.

Source: AWS Directory Service Administration Guide

"What is AWS Directory Service?"

"AD Connector" section.

Q: 7

A company is creating a mobile financial app that gives users the ability to sign up and store personal information. The app uses an Amazon DynamoDB table to store user details and preferences. The app generates a credit score report by using the data that is stored in DynamoDB. The app sends credit score reports to users once every month. The company needs to provide users with an option to remove their data and preferences. The app must delete customer data within one month of receiving a request to delete the data. Which solution will meet these requirements with the LEAST operational overhead?

Options

Discussion

Olivia E. Feb 4, 2026 9:38 am

Option C TTL on DynamoDB fits best for auto deletion, keeps it simple and low maintenance.

Vikram H. Jan 30, 2026 3:32 am

C . EventBridge and Config look tempting but just add extra steps for no reason here.

QuietReviewer3730 Feb 7, 2026 3:18 pm

C/B? TTL's delayed deletion can miss strict deadlines so if "within one month" must be exact B could fit.

QuickLearner1489 Feb 9, 2026 3:29 am

C here. TTL is the built-in way to handle this with almost zero ops overhead. B is a trap, adds unnecessary complexity by using streams and manual deletes. Pretty sure C matches the AWS best practice. Anyone see a reason not to use TTL?

NoahY Feb 15, 2026 8:36 am

C imo. TTL in DynamoDB is built for scheduled deletion like this, and using Lambda just to set the TTL keeps things fully managed with minimal overhead. B looks tempting, but adding streams and extra functions means more moving parts than needed. If you need to guarantee strict timing or complex workflows, maybe B, but here C fits best. Disagree?

Noah T. Jan 29, 2026 6:46 pm

That might break if DynamoDB TTL doesn't trigger exactly on the 30-day mark, so B.

Morgan C. Feb 12, 2026 3:45 pm

Had something like this in a mock and pretty sure C is the way to go. Using DynamoDB TTL with a Lambda function just to set the expiration date keeps things mostly serverless, and AWS handles the deletion afterward. No need for custom stream handling or extra services. Only possible caveat is TTL isn't instant, but "within one month" seems fine for most use cases. Anyone see a risk with this approach?

QuietArchitect9209 Feb 10, 2026 7:06 am

Its C since enabling TTL in DynamoDB plus a Lambda to set the expiration is low effort and AWS manages most of the process. Official AWS docs and practice exams mention TTL for these scenarios. Pretty sure this fits, anyone disagree?

Sara I. Feb 14, 2026 5:26 am

C or B? TTL isn't perfectly precise, so if exact month cutoff is mandatory, maybe B fits better.

Sofia M. Jan 28, 2026 6:27 pm

Why does AWS have to make these TTL and Lambda combos so confusing? I don’t think it’s C, B makes more sense to me. With a DynamoDB stream you can handle the data as soon as TTL is hit by piping straight into Lambda-feels more real time and less likely to miss an edge case if DynamoDB’s background process doesn’t catch something. Unless I'm missing a hidden overhead here… open to correction.

Be respectful. No spam.

Correct Answer:

Explanation

This solution provides the most operationally efficient and automated method to meet the requirements. When a user requests data deletion, an event triggers an AWS Lambda function. This function updates the specific user's item in the DynamoDB table by adding or updating a TTL attribute with a timestamp set for one month in the future. With TTL enabled on the table, DynamoDB's managed background process automatically checks for and deletes items whose TTL timestamp has passed. This approach is serverless, requires no custom scheduling or scanning logic, and leverages a built-in DynamoDB feature designed for this exact purpose, ensuring the least operational overhead.

Why Incorrect

A. DynamoDB TTL expirations do not natively emit events to Amazon EventBridge. This architecture proposes a non-existent trigger mechanism.

B. A DynamoDB stream is populated after an item is deleted by TTL. The Lambda function's described purpose—to delete the data—is redundant as the deletion has already occurred.

D. AWS Config is a service for assessing and auditing resource configurations (e.g., table settings), not for tracking or reacting to item-level data plane operations like TTL deletions.

References

1. AWS DynamoDB Developer Guide

"Expiring Items by Using DynamoDB Time to Live (TTL)": This document explains the core mechanism. It states

"Time to Live (TTL) for Amazon DynamoDB automatically deletes expired items from your tables... You can set a specific timestamp for an item to be deleted... DynamoDB deletes expired items on a best-effort basis... at no extra cost." This directly supports the use of TTL as the deletion mechanism in option C.

2. AWS DynamoDB Developer Guide

"TTL and DynamoDB Streams": This section clarifies the interaction between TTL and other services. It notes

"Each item deleted by TTL is removed from the table. If you have DynamoDB Streams enabled on the table

a delete stream record is generated for each item that is deleted by the TTL process." This confirms that the deletion happens first

making the logic in option B incorrect.

3. AWS Lambda Developer Guide

"Using AWS Lambda with Amazon DynamoDB": This guide details how to trigger Lambda functions from user actions or API calls to interact with DynamoDB. Section "Tutorial: Using an API Gateway REST API to access DynamoDB" shows a common pattern where an API call (like a user request) invokes a Lambda function that then performs an action on a DynamoDB table

which aligns with the workflow in option C.

4. AWS Config Developer Guide

"AWS Resource and Property Types Reference": Under the AWS::DynamoDB::Table resource type

the trackable properties are listed. These include AttributeDefinitions

KeySchema

and TimeToLiveSpecification

but not individual item deletions. This confirms that AWS Config is not the correct tool for this task

invalidating option D.

Q: 8

A company has developed an API using an Amazon API Gateway REST API and AWS Lambda functions. The API serves static and dynamic content to users worldwide. The company wants to decrease the latency of transferring content for API requests. Options:

Options

Discussion

Emma Y. Feb 2, 2026 7:11 pm

I’m going with A. Edge-optimized gets you CloudFront, so traffic from anywhere hits the closest edge which means lower latency for global users. Caching and content encoding are nice bonuses but only matter if the data is distributed closer to users. Pretty sure this is the textbook AWS way for reducing latency across regions, but I could be missing a detail here. Anyone see another angle?

Jamie F. Feb 4, 2026 1:48 am

Feels like A. Regional endpoints wouldn’t help global latency as much, that's a common trap here. Caching and compression both help but edge-optimized is key for worldwide users.

Luke Feb 11, 2026 9:10 pm

That matters if "worldwide" is really the key here, since edge-optimized endpoints only help with global routing. A

Kevin F. Feb 4, 2026 5:23 pm

A reserved concurrency is more about backend Lambda performance, not edge/caching for global latency.

Ishaan A. Jan 27, 2026 8:01 am

I was thinking C. Edge-optimized with caching makes sense, but isn't reserved concurrency supposed to help Lambda performance too?

Sara K. Feb 4, 2026 7:07 pm

A tbh. Only flips if they wanted just regional users, then B might edge it out.

Nina S. Feb 11, 2026 10:42 am

Had something similar in a mock, pretty sure it's A since edge-optimized with caching and content encoding handles global latency best.

Riley D. Feb 13, 2026 7:05 am

Pretty sure A makes the most sense if you're trying to cut latency for users globally. Edge-optimized endpoints use CloudFront, so requests hit the nearest edge location and that speeds things up a lot. Caching plus compression with content encoding helps too. Reserved concurrency only helps backend Lambda scaling, not network latency, so I think A covers all the key points for this scenario. Open to hearing other angles though.

SharpOps8277 Jan 29, 2026 7:40 am

Option C. since edge-optimized plus caching should help with global latency. Reserved concurrency might be a trick option here though.

Meera T. Feb 1, 2026 12:42 pm

Makes sense to me-A is the best pick since edge-optimized uses CloudFront for lower latency worldwide. Caching plus content encoding are small extras. Similar question popped up on my last practice set.

Be respectful. No spam.

Correct Answer:

Explanation

To decrease latency for a global user base, an edge-optimized API endpoint is the best choice. This endpoint type leverages the Amazon CloudFront content delivery network (CDN) to route requests to the nearest edge location, minimizing network latency. Enabling API caching serves frequently requested data from the cache at the edge, further reducing latency by avoiding calls to the backend Lambda function. Additionally, enabling content encoding compresses the API payload, which reduces the amount of data transferred over the network. This smaller payload size decreases transfer time, directly contributing to lower overall latency for the end-user.

Why Incorrect

B. A Regional API endpoint is not suitable for a global user base as it does not use the CloudFront CDN, leading to higher latency for users geographically distant from the deployment region.

C. Reserved concurrency for Lambda manages execution capacity and prevents throttling; it does not directly reduce network transfer latency, which is the primary concern for a global audience.

D. This option combines two suboptimal choices: a Regional endpoint, which increases network latency for global users, and reserved concurrency, which does not address the core issue of transfer latency.

References

1. AWS API Gateway Developer Guide

"Choosing an API endpoint type to set up": This document states

"An edge-optimized API endpoint is best for geographically distributed clients. API requests are routed to the nearest CloudFront Point of Presence (POP)." This supports the choice of an edge-optimized endpoint for a worldwide user base.

2. AWS API Gateway Developer Guide

"Enable payload compression for an API": This guide explains

"When a client enables compression

the client can receive the API's response with a compressed payload... This can reduce the size of the response payload

which can reduce the latency of your API." This validates the use of content encoding.

3. AWS API Gateway Developer Guide

"Enabling API caching to enhance responsiveness": This source details how caching works: "You can enable API caching in Amazon API Gateway to cache your endpoint's responses. With caching

you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API."

4. AWS Lambda Developer Guide

"Configuring reserved concurrency": This document clarifies the purpose of reserved concurrency: "To guarantee that a specific function can scale to a certain number of concurrent executions without being throttled

you can configure reserved concurrency." This shows it's for performance and availability

not network latency reduction.

Q: 9

A gaming company hosts a browser-based application on AWS. The users of the application consume a large number of videos and images that are stored in Amazon S3. This content is the same for all users. The application has increased in popularity, and millions of users worldwide are accessing these media files. The company wants to provide the files to the users while reducing the load on the origin. Which solution meets these requirements MOST cost-effectively?

Options

Discussion

Sara Y. Jan 30, 2026 1:37 am

Ajay R. Feb 7, 2026 7:44 pm

Totally B here. CloudFront is meant to cache S3 content at edge locations, so it cuts down on origin requests and saves money. ElastiCache and Global Accelerator don't help with global static content caching like this. Think this is the most AWS-ish solution, but let me know if you see it differently.

Ivy J. Feb 7, 2026 9:54 pm

Its B, Global Accelerator (A) might trip people up but it doesn't cache S3 content.

Layla V. Feb 4, 2026 1:04 am

B tbh

FriendlyConsultant1756 Jan 28, 2026 6:35 pm

If the files change often or need quick cache invalidation, would ElastiCache (C/D) actually be better than CloudFront (B) for this global setup?

Mia Feb 14, 2026 8:25 am

I think this is same as a common exam questions. on practice, pick is B

Mia X. Feb 8, 2026 3:30 am

Had something like this in a mock. Not A, B is it.

Aaron R. Jan 31, 2026 7:20 am

I was thinking C could be useful too since ElastiCache handles caching but that's more for dynamic data or database results, not S3 media files. Pretty sure you'd want something more CDN-focused for static content, but open to other ideas.

Daniel K. Feb 2, 2026 6:25 pm

Wouldn't C handle cache for media at scale too if it's set in front of web servers?

FocusedAuditor1402 Feb 15, 2026 1:50 am

B vs A, pretty sure B is right based on exam reports for global S3 content.

Be respectful. No spam.

Correct Answer:

Explanation

The scenario requires distributing static media files (videos, images) from an Amazon S3 bucket to a large, global user base while reducing the load on the S3 origin. Amazon CloudFront is a Content Delivery Network (CDN) specifically designed for this purpose. It caches copies of the S3 content at edge locations worldwide, physically closer to the users. When a user requests a file, it is served from the nearest edge location, which significantly reduces latency and improves performance. This caching mechanism also minimizes direct requests to the S3 bucket, thereby reducing origin load and often lowering data transfer costs.

Why Incorrect

A. AWS Global Accelerator improves network pathing to application endpoints but does not cache content. It would not reduce the request load on the S3 origin.

C. Amazon ElastiCache (Redis OSS) is an in-memory caching service used to accelerate applications and databases, not for distributing static web content globally to end-users.

D. Amazon ElastiCache (Memcached) is also an in-memory cache for application-level data. It is not a CDN and is unsuitable for this use case.

References

1. Amazon CloudFront Developer Guide: "Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content

such as .html

.css

.js

and image files

to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations... If the content is not in that edge location

CloudFront retrieves it from an origin that you've defined—such as an Amazon S3 bucket..." (Source: AWS Documentation

"What is Amazon CloudFront?"

Introduction).

2. AWS Global Accelerator Developer Guide: "AWS Global Accelerator and Amazon CloudFront are separate services that use the AWS global network and its edge locations... CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content... Global Accelerator improves performance for a wide range of applications over TCP or UDP..." (Source: AWS Documentation

"Comparing AWS Global Accelerator and Amazon CloudFront"

Section: "When to use Global Accelerator or CloudFront").

3. Amazon ElastiCache User Guide: "Common use cases for ElastiCache include caching database query results

sessions

and other data that is accessed frequently to improve application performance. It is not designed to serve as a content delivery network (CDN) for static assets like images and videos to end-users." (Source: AWS Documentation

"What is Amazon ElastiCache?"

Section: "Common Use Cases").

4. AWS Well-Architected Framework

Performance Efficiency Pillar (Dec 2023): "For static assets that are accessed frequently

use a content delivery network (CDN). A CDN places your content in multiple locations worldwide

which reduces the latency to retrieve these assets. It also reduces the load on your origin servers because requests are served from the cache in the CDN." (Source: AWS Whitepaper

"AWS Well-Architected Framework

Performance Efficiency Pillar"

Page 26

Section: "Use caching to reduce latency").

Q: 10

A transaction processing company has weekly scripted batch jobs that run on Amazon EC2 instances. The EC2 instances are in an Auto Scaling group. The number of transactions can vary, but the baseline CPU utilization that is noted on each run is at least 60%. The company needs to provision the capacity 30 minutes before the jobs run. Currently, engineers complete this task by manually modifying the Auto Scaling group parameters. The company does not have the resources to analyze the required capacity trends for the Auto Scaling group counts. The company needs an automated way to modify the Auto Scaling group's desired capacity. Which solution will meet these requirements with the LEAST operational overhead?

Options

Discussion

Sara E. Feb 10, 2026 9:26 pm

Option C for sure. Predictive scaling is best here since it adapts automatically to changing loads and timing, especially with weekly jobs. B looks tempting but it's a common trap for fixed schedules, while C truly minimizes ongoing effort. Open to other thoughts but pretty sure this matches AWS best practices.

Sara P. Feb 14, 2026 11:24 pm

C , AWS is obsessed with predictive scaling on these recurring workload questions lately. Feels like that's what they want here.

Parker S. Feb 3, 2026 10:10 pm

C imo. Predictive scaling can forecast based on past CPU usage and handles the pre-launch automatically, so nobody needs to fiddle with configs every week. B is easy if the schedule never changes, but C fits the 'least overhead' requirement better I think. Anybody see a risk with predictive here?

Meera I. Jan 29, 2026 5:22 pm

Feels like B here. Scheduled scaling seems simpler if the job timing is always known, and it just adjusts capacity automatically each week. I think predictive scaling (C) is more complex than needed unless the schedule changes often. Pretty sure B would work fine for basic weekly jobs, but happy to hear other thoughts.

Meera R. Feb 12, 2026 4:40 pm

Actually pretty sure C is right here. Predictive scaling learns the workload pattern and that way you don't have to maintain or analyze schedules yourself. Option B is easy but still manual config, so more effort long run.

Jason J. Feb 7, 2026 11:45 am

Its C, but is there a clear requirement for jobs always running at the same time every week? If the schedule changed often, maybe B would make more sense. Predictive scaling works best with consistent, repetitive workloads.

RaviO Feb 4, 2026 4:42 am

Not B here, it's C. Predictive scaling handles recurring batch jobs automatically and figures out capacity based on past trends, so you don't have to tweak schedules or analyze usage. B's a trap if load varies much, I think.

PreciseArchitect7732 Jan 29, 2026 1:18 am

Seriously AWS loves to throw these predictive scaling vs scheduled scaling situations. I think C is right since predictive scaling handles recurring patterns and automatically figures out timing, but not totally ruling out B for super rigid jobs. Agree/disagree?

ParkerG Feb 7, 2026 8:51 am

C makes sense since predictive scaling can automate the pre-provisioning without needing manual work. Uses ML to figure out trends so you don't have to update schedules or analyze metrics. Pretty sure that's what AWS recommends for pattern workloads, but let me know if I'm missing something.

Parker Feb 14, 2026 6:37 am

C , but only if the job timing sometimes shifts. If it's always same time, B could work too.

Be respectful. No spam.

Correct Answer:

Explanation

Predictive scaling is the optimal solution as it is designed for workloads with recurring, cyclical patterns, such as the weekly batch jobs described. It uses machine learning to analyze historical CloudWatch metrics (like CPU utilization) to forecast future capacity needs. This allows it to proactively launch the required number of instances in advance of the anticipated demand, directly meeting the requirement to provision capacity 30 minutes before the jobs run. This approach is fully automated, handles the variable transaction load by adjusting its forecast, and requires the least operational overhead as it eliminates the need for manual trend analysis and configuration.

Why Incorrect

A. A dynamic scaling policy is reactive. It would only scale out after CPU utilization has already reached 60%, failing the requirement to provision capacity 30 minutes in advance.

B. A scheduled scaling policy requires manually setting a fixed desired capacity. This is inefficient for a variable workload and contradicts the requirement of having no resources to analyze capacity trends.

D. This custom solution using EventBridge and Lambda is reactive, triggering only after high CPU usage. It also introduces significantly more development and maintenance overhead compared to a native Auto Scaling feature.

References

1. AWS Auto Scaling User Guide

"Predictive scaling for Amazon EC2 Auto Scaling": This document states

"Predictive scaling is well suited for applications that have recurring load patterns... It predicts future traffic... and provisions the right number of EC2 instances in advance of predicted changes." This directly supports the proactive and automated nature of the correct answer.

2. AWS Auto Scaling User Guide

"Scaling policy types": This section compares scaling policies. It describes dynamic scaling as a reactive method

while highlighting predictive scaling's ability to "proactively scale your Auto Scaling group." This contrast clarifies why option A is incorrect.

3. AWS Auto Scaling User Guide

"Scheduled scaling for Amazon EC2 Auto Scaling": This guide explains that for scheduled actions

you must specify the new values for minimum

maximum

and desired size. This confirms the manual input required

making it less suitable than predictive scaling for this scenario

as explained for option B.

4. AWS Auto Scaling User Guide

"Target tracking scaling policies for Amazon EC2 Auto Scaling": The documentation describes how target tracking works to keep a metric at or close to a specified target value. This confirms its reactive nature

as it adjusts capacity based on current

not future

load.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE