The AWS SAA exam validates your knowledge of designing systems on AWS, focusing on the ability to create scalable, fault-tolerant, and cost-effective cloud solutions. By obtaining this certification, you show employers and clients that you can architect robust solutions on the AWS Cloud. Here are 10 free SAA-level practice questions to help you prepare. Try these repeatedly to strengthen your exam readiness!
Question 1: Optimal Solution for Redshift Cluster API Call Auditing and Compliance
A retail company uses an Amazon Redshift data warehouse for sales data analysis. For internal audits and external regulatory requirements, they need to track and log all API calls to the Redshift cluster (such as creating, modifying, deleting clusters, or managing snapshots). These logs must be retained in a form that can be submitted during compliance audits. Which AWS service best meets these requirements?
AWS CloudTrail records and stores API calls made within an AWS account, including management operations (create, modify, delete) on Redshift clusters. This makes it easy to gather the data required for compliance audits. Additionally, CloudTrail logs can be securely stored in Amazon S3, allowing you to provide these logs to external auditors if needed.
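As a rough sketch (the trail and bucket names are placeholders, and the bucket is assumed to already carry the required CloudTrail bucket policy), a trail that captures Redshift management API calls and delivers the logs to S3 could be created with boto3 like this:

```python
import boto3

cloudtrail = boto3.client("cloudtrail")

# Create a multi-Region trail that delivers management-event logs
# (including Redshift CreateCluster, ModifyCluster, DeleteClusterSnapshot, etc.)
# to an S3 bucket that auditors can be granted read access to.
cloudtrail.create_trail(
    Name="redshift-audit-trail",        # placeholder trail name
    S3BucketName="example-audit-logs",  # placeholder bucket with a CloudTrail bucket policy
    IsMultiRegionTrail=True,
)

# Turn on log delivery for the new trail.
cloudtrail.start_logging(Name="redshift-audit-trail")
```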
Other Choices
- Redshift Spectrum queries data in Amazon S3 using Redshift SQL, which does not address auditing API calls.
- CloudWatch primarily focuses on performance metrics and event alerts; it’s not designed for detailed API call auditing.
- X-Ray is for distributed tracing and latency analysis across applications, not for auditing Redshift management API calls.
Question 2: Selecting a Cloud-Extended Storage Solution for an On-Premises Application
A medical research lab stores patient medical imaging data in an on-premises data center. Due to a new research project, the volume of these images is expected to increase significantly. Most data is historical and rarely accessed, but newly acquired data and recent images must be frequently analyzed with low latency. The lab wants to avoid limitless on-prem storage expansion and instead mount a backup storage volume in the cloud via iSCSI. They also want to ensure that the most recent data is immediately accessible. Which AWS Storage Gateway type best meets these needs?
A cached volume gateway stores frequently accessed data locally while maintaining the primary dataset in Amazon S3, effectively reducing on-premises storage needs but still providing low-latency access to recent data.
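For illustration only, assuming a volume gateway has already been activated in cached mode (the gateway ARN, local IP, and volume size below are placeholders), a cached iSCSI volume might be created roughly like this:

```python
import uuid
import boto3

sgw = boto3.client("storagegateway")

# Create a 10 TiB cached volume: the full dataset lives in Amazon S3, and only
# recently accessed blocks are cached on the local gateway appliance.
response = sgw.create_cached_iscsi_volume(
    GatewayARN="arn:aws:storagegateway:us-east-1:111122223333:gateway/sgw-EXAMPLE",
    VolumeSizeInBytes=10 * 1024**4,
    TargetName="imaging-volume",        # becomes part of the iSCSI target name
    NetworkInterfaceId="10.0.1.25",     # gateway's local IP that iSCSI initiators connect to
    ClientToken=str(uuid.uuid4()),      # idempotency token
)
print(response["TargetARN"])
```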
Other Choices
- A stored volume gateway keeps a full copy of all data on-premises, using the cloud primarily as a backup, which doesn’t optimize cloud usage or reduce local storage expansion enough.
- A tape gateway provides a virtual tape library for archival and backup but isn’t suitable for frequent, low-latency data access.
- A file gateway uses NFS or SMB, which isn’t directly aligned with the iSCSI/block storage low-latency requirement.
Question 3: Designing Automatic DNS Failover to a DR Environment with Route 53
A genomics company runs HPC workloads on Amazon ECS in both a primary region and a DR region. Each region has the same application stack. If the primary region becomes unavailable, traffic must be switched to the DR region automatically. End users access the application via a DNS name, so if the primary region fails, DNS queries should route to the DR environment. What is the simplest way to achieve this automatic failover with minimal operational overhead?
By applying Route 53 failover routing and health checks to the primary environment, DNS queries will automatically be directed to the DR environment if the primary is detected as down. Users continue accessing the same DNS name, minimizing operational overhead while achieving automatic failover.
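A minimal sketch, assuming a hosted zone, a health check on the primary endpoint, and two load balancer DNS names (all placeholders), of creating the PRIMARY and SECONDARY failover records:

```python
import boto3

route53 = boto3.client("route53")

def failover_record(set_id, failover, target_dns, health_check_id=None):
    record = {
        "Name": "app.example.com",
        "Type": "CNAME",
        "TTL": 60,
        "SetIdentifier": set_id,
        "Failover": failover,                      # "PRIMARY" or "SECONDARY"
        "ResourceRecords": [{"Value": target_dns}],
    }
    if health_check_id:
        record["HealthCheckId"] = health_check_id  # only the primary record needs a health check
    return {"Action": "UPSERT", "ResourceRecordSet": record}

route53.change_resource_record_sets(
    HostedZoneId="Z0EXAMPLE",  # placeholder hosted zone ID
    ChangeBatch={"Changes": [
        failover_record("primary", "PRIMARY", "primary-alb.us-east-1.example.com", "hc-primary-id"),
        failover_record("secondary", "SECONDARY", "dr-alb.us-west-2.example.com"),
    ]},
)
```

When the health check on the primary endpoint fails, Route 53 answers DNS queries with the SECONDARY record, so users keep using the same hostname.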
Other Choices
- CloudFront is mainly for content delivery; its origin failover works within a distribution and doesn’t provide DNS-level failover for the whole application stack.
- Using CloudWatch Events and Lambda for manual record rewrites increases complexity compared to Route 53’s built-in failover routing.
- AWS Global Accelerator can provide performance optimization and health checks, but DNS-level failover with Route 53 is simpler and better aligned with the requirement.
Question 4: Achieving Ultra-Low Latency EKS Deployment on 5G Edge with Role-Based Access Control
A gaming company plans to run a new cloud gaming platform at the 5G network edge for single-digit millisecond latency. The game servers are containerized and will be hosted on Amazon EKS as a Kubernetes cluster. The development team wants to enforce RBAC (role-based access control) for IAM users and map appropriate roles for cluster authentication. Which configuration best satisfies both high performance and authentication requirements?
AWS Wavelength Zones enable ultra-low latency by bringing compute resources closer to users at the 5G edge. Deploying your EKS cluster in a Wavelength Zone means your containerized game servers are near end users, reducing latency. Meanwhile, the aws-auth ConfigMap links IAM roles with Kubernetes RBAC, streamlining cluster access control. This combination addresses both performance and authentication requirements.
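As one hedged illustration of the RBAC side (the IAM role ARN, Kubernetes group, and Wavelength Zone are hypothetical, and the matching Role/RoleBinding for the group is assumed to exist), the aws-auth ConfigMap could be patched with the official Kubernetes Python client:

```python
import yaml
from kubernetes import client, config

# Assumes kubeconfig already points at the EKS cluster whose node group runs
# in a Wavelength Zone subnet (e.g. us-east-1-wl1-bos-wlz-1).
config.load_kube_config()

# Map a hypothetical IAM role to a Kubernetes group; a RoleBinding for
# "game-server-developers" grants the actual permissions inside the cluster.
map_roles = [{
    "rolearn": "arn:aws:iam::111122223333:role/GameServerDevRole",
    "username": "game-dev",
    "groups": ["game-server-developers"],
}]

# NOTE: patching replaces the whole mapRoles key, so in practice read the
# existing entries first and append, to preserve the node instance role mapping.
client.CoreV1Api().patch_namespaced_config_map(
    name="aws-auth",
    namespace="kube-system",
    body={"data": {"mapRoles": yaml.safe_dump(map_roles)}},
)
```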
Other Choices
- CloudFront optimizes content delivery but doesn’t provide the low-latency Kubernetes environment or RBAC integration that EKS with Wavelength offers.
- Using a separate AZ outside the Wavelength Zone misses the low-latency benefits. Managing RBAC with external tools can be cumbersome.
- Manually installing Kubernetes on EC2 lacks the managed convenience of EKS and the aws-auth ConfigMap for easy IAM/Kubernetes integration.
Question 5: Managing Encryption Certificates in a Container Environment with Highly Available Storage
A media streaming company needs to retrieve encryption keys and associated certificates in near real time from its containerized application running on Amazon ECS, to securely communicate with other services. These encryption/decryption operations must be highly secure, and the encrypted keys/certificates must be stored in a highly available solution. Minimizing infrastructure management and manual processes is also crucial. Which method best fulfills these requirements?
AWS KMS lets you securely manage encryption keys, and an ECS task role (an IAM role attached to the task) lets the containers call KMS for encryption and decryption without embedding credentials. Storing the encrypted keys and certificates in Amazon S3 provides high availability and durability. This setup maintains security and scalability while minimizing operational overhead.
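A hedged sketch of that flow (the KMS key alias, bucket, and object prefix are placeholders; the task role is assumed to allow kms:Encrypt, kms:Decrypt, and the S3 read/write actions):

```python
import boto3

kms = boto3.client("kms")  # credentials come from the ECS task role, not the container image
s3 = boto3.client("s3")

KEY_ID = "alias/streaming-certs"   # placeholder KMS key alias
BUCKET = "example-cert-store"      # placeholder, highly available S3 bucket

def store_certificate(name: str, pem_bytes: bytes) -> None:
    """Encrypt a key/certificate (KMS Encrypt accepts up to 4 KB) and store the ciphertext in S3."""
    ciphertext = kms.encrypt(KeyId=KEY_ID, Plaintext=pem_bytes)["CiphertextBlob"]
    s3.put_object(Bucket=BUCKET, Key=f"certs/{name}", Body=ciphertext)

def load_certificate(name: str) -> bytes:
    """Fetch the ciphertext from S3 and decrypt it with KMS in near real time."""
    ciphertext = s3.get_object(Bucket=BUCKET, Key=f"certs/{name}")["Body"].read()
    return kms.decrypt(CiphertextBlob=ciphertext)["Plaintext"]
```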
Other Choices
- Manually storing data in EBS snapshots requires more effort and automation.
- Using Secrets Manager with manually updated secrets can be labor-intensive if updates are frequent, and a manual update workflow doesn’t meet the near real-time requirement as directly as calling KMS from the tasks.
- Lambda + DynamoDB can work, but it’s more complex than leveraging KMS’s built-in encryption flows with S3.
Question 6: Missing Data from a Kinesis Stream and the Default Retention Period
A tourism analytics company collects visitor-count data from sensors placed in a park, sending it in real time to an Amazon Kinesis stream. They plan to batch-process this data every day and store it in Amazon S3. However, they discovered that some data is missing in S3. The sensors have been confirmed to send a full day’s data to the Kinesis stream, so why isn’t all the data making it into S3?
By default, Amazon Kinesis Data Streams retains data for 24 hours. If you only run your processing job once every 24 hours or more, you risk losing data that has already aged out of the stream. You can extend the retention period or run the processing more frequently to address this.
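For example (the stream name is a placeholder), the retention window can be extended beyond the 24-hour default with a single API call:

```python
import boto3

kinesis = boto3.client("kinesis")

# Extend retention from the 24-hour default to 7 days so a once-daily
# batch job cannot miss records that have already aged out of the stream.
kinesis.increase_stream_retention_period(
    StreamName="park-visitor-counts",  # placeholder stream name
    RetentionPeriodHours=168,
)
```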
Other Choices
- A sensor-side transmission failure is ruled out, since the sensors have been confirmed to send a full day’s data to the stream.
- S3 won’t automatically move data to Glacier unless lifecycle rules are configured, and that doesn’t explain data missing within 24 hours.
- A security breach is less likely than hitting the Kinesis retention limit, which is a straightforward explanation.
Question 7: Ensuring Reliable Data Ingestion Even When SNS Notifications Are Unstable
A distribution company receives notifications whenever new product data is registered, using an Amazon SNS topic that triggers an AWS Lambda function to process metadata and ingest it into a data warehouse. However, due to network instability, the Lambda function sometimes misses notifications, causing data loss unless a manual retry is performed. How can they guarantee that all notification data is ingested without loss? (Select two.)
When SNS directly triggers a Lambda function, a network disruption can cause an event to be lost. By having SNS publish messages to an SQS queue instead, messages remain queued until Lambda retrieves and processes them. This approach guarantees that even if a disruption occurs, the message stays in SQS until processing completes successfully.
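A rough sketch of the wiring (topic, queue, and function names are placeholders; the SQS queue policy allowing the SNS topic to send messages is assumed to be in place):

```python
import boto3

sns = boto3.client("sns")
lambda_ = boto3.client("lambda")

TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:new-product-data"      # placeholder
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:product-ingest-queue"  # placeholder

# 1) Fan SNS notifications into a durable SQS queue instead of invoking
#    Lambda directly; messages wait in the queue until processed.
sns.subscribe(TopicArn=TOPIC_ARN, Protocol="sqs", Endpoint=QUEUE_ARN)

# 2) Have Lambda poll the queue; a message is deleted only after the function
#    returns successfully, so transient failures lead to retries, not loss.
lambda_.create_event_source_mapping(
    EventSourceArn=QUEUE_ARN,
    FunctionName="ingest-product-metadata",  # placeholder function name
    BatchSize=10,
)
```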
Other Choices
- Increasing Lambda memory or concurrency helps performance but doesn’t prevent lost notifications.
- Lambda is already multi-AZ within a region; that alone won’t fix missed messages.
Question 8: High Availability for Oracle Database and Rapid AWS Migration
A financial service provider must urgently migrate an on-premises Oracle database used for global transaction analytics to AWS. The application receives and processes frequent data from a worldwide user base every minute. Post-migration, the database solution must remain highly available, even if a database instance fails, allowing operations to continue without interruption. Which solution most effectively meets these requirements?
RDS with Multi-AZ Oracle is the standard way to achieve automatic high availability on AWS. In a Multi-AZ deployment, if the primary instance fails, RDS automatically fails over to the standby instance with minimal downtime, making it ideal for a mission-critical financial analytics application.
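For illustration (the identifier, instance class, storage size, and license model are placeholders that depend on the actual licensing arrangement), a Multi-AZ Oracle instance could be provisioned like this:

```python
import boto3

rds = boto3.client("rds")

rds.create_db_instance(
    DBInstanceIdentifier="txn-analytics-oracle",  # placeholder
    Engine="oracle-ee",
    LicenseModel="bring-your-own-license",
    DBInstanceClass="db.m5.2xlarge",
    AllocatedStorage=500,
    MasterUsername="admin",
    MasterUserPassword="CHANGE_ME",               # in practice, manage this via Secrets Manager
    MultiAZ=True,  # synchronous standby in another AZ with automatic failover
)
```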
Other Choices
- Using AWS SCT and DMS to migrate Oracle to Aurora can fail if Oracle-specific features are incompatible; Aurora is not Oracle-compatible, so it isn’t suited to an urgent migration.
- Oracle RAC (Real Application Clusters) is not supported on Amazon RDS.
- RMAN alone does not provide automated high availability. A single-instance database cannot fail over automatically.
Question 9: Switching the AMI Used by an Auto Scaling Group
An online education company uses an Auto Scaling group to manage EC2 instances according to demand. They plan to update the application and use a new Amazon Machine Image (AMI) for all future EC2 instances while continuing to use the existing Auto Scaling group. How should they make the switch to the new AMI?
Auto Scaling groups reference a launch configuration or launch template to start instances. A launch configuration cannot be edited after creation, so you must create a new one (or a new template) with the updated AMI, and then point the Auto Scaling group to it.
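A minimal sketch, assuming the group already uses a launch template (the template ID, AMI ID, and group name are placeholders):

```python
import boto3

ec2 = boto3.client("ec2")
autoscaling = boto3.client("autoscaling")

# Create a new launch template version based on version 1, changing only the AMI.
ec2.create_launch_template_version(
    LaunchTemplateId="lt-0abc123example",  # placeholder
    SourceVersion="1",
    LaunchTemplateData={"ImageId": "ami-0new456example"},
)

# Point the Auto Scaling group at the latest version; instances launched from
# now on use the new AMI (existing instances can be replaced via an instance
# refresh or normal scaling activity).
autoscaling.update_auto_scaling_group(
    AutoScalingGroupName="edu-app-asg",    # placeholder
    LaunchTemplate={"LaunchTemplateId": "lt-0abc123example", "Version": "$Latest"},
)
```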
Other Choices
- Launch configurations are immutable; you cannot modify the existing one directly.
- Changing the target group is unrelated to updating the AMI.
- You can’t directly assign an AMI to an Auto Scaling group without using a launch configuration or template.
Question 10: SQS Message Reprocessing Mechanism
A news distribution service sends a message to an Amazon SNS topic each time a new article is published, which then fans out to multiple Amazon SQS queues. Spot EC2 instances retrieve messages from these queues to process article metadata. One day, an EC2 instance suddenly terminated during message processing, and it never finished the task. What happens to that SQS message?
In Amazon SQS, once a message is received by a consumer (the EC2 instance), the visibility timeout countdown begins. If the instance terminates without deleting the message, the visibility timeout will expire and the message reappears in the queue. This allows a different consumer to pick up and process the message, preventing data loss.
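A small sketch of this behavior (the queue URL is a placeholder): a consumer receives a message but never deletes it, and once the visibility timeout expires the message becomes receivable again:

```python
import time
import boto3

sqs = boto3.client("sqs")
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/111122223333/article-metadata"  # placeholder

# Consumer receives a message; it becomes invisible to other consumers
# for the duration of the visibility timeout (30 seconds here).
msgs = sqs.receive_message(QueueUrl=QUEUE_URL, MaxNumberOfMessages=1, VisibilityTimeout=30)

# Simulate the instance terminating mid-processing: no delete_message() call.
time.sleep(35)

# After the timeout expires, the same message can be received again by another
# consumer; it is only removed from the queue once delete_message() is called.
msgs_again = sqs.receive_message(QueueUrl=QUEUE_URL, MaxNumberOfMessages=1)
```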
Other Choices
- SQS does not delete the message or wait for the same instance to come back.
- The message won’t go directly to a dead-letter queue unless you’ve configured DLQ rules, and even then, it typically requires multiple processing failures.
- S3 auto-storage is not a feature of SQS.