AWS SAA-C03 - Practice Test #6

Question 1

A MedTech startup stores X-rays in an Amazon S3 bucket. They have hired a third-party analytics company (SaaS) that requires read-only access to this bucket to train their AI models. The third-party company will provide their own AWS account ID. How can third-party access be secured in a safe and auditable manner strictly following the PRINCIPLE OF LEAST PRIVILEGE?

Accepted Answer

Establish a VPC Peering connection between the startup's network and the SaaS company's network.

Answer

Configure a Bucket Policy granting public read access only if the source IP address matches the SaaS company's IPs.

Answer

Create an IAM Role in the startup's account with a Trust Policy allowing the external account to assume it, requiring an External ID.

Answer

Create an IAM User in the startup's account, generate read-only Access Keys, and share them securely with the SaaS company.

Question 2

A set of Amazon EC2 instances processing financial data are located in a private subnet. The application needs to download security updates from a specific company Amazon S3 bucket. Auditors demand that network traffic cannot be intercepted on the internet. Which solution guarantees that the data NEVER traverses the public internet?

Accepted Answer

Create a Gateway VPC Endpoint for Amazon S3 and update the routing table.

Answer

Enable Server-Side Encryption (SSE-S3) on the S3 bucket to protect traffic in transit.

Answer

Establish an AWS Site-to-Site VPN connection to Amazon S3.

Answer

Deploy a NAT Gateway in a public subnet and route S3 traffic through it.

Question 3

A company processes credit card transactions. PCI DSS regulations require that data stored in Amazon Elastic Block Store (Amazon EBS) be encrypted at rest. The company must be the sole authority capable of auditing the use of the encryption key and must be able to automatically rotate the cryptographic material every 90 days. Which encryption method allows the company to maintain full control over the encryption keys?

Accepted Answer

EBS encryption by importing external key material (BYOK) and enabling automatic rotation in AWS KMS.

Answer

Implement OS-level encryption (e.g., BitLocker/LUKS) storing the keys in AWS Secrets Manager.

Answer

EBS encryption using a Customer Managed Key (CMK) in AWS KMS with automatic rotation enabled.

Answer

EBS encryption using AWS Managed Keys in AWS KMS.

Question 4

A large corporation uses AWS Organizations to manage 50 accounts for different departments. The Information Security (InfoSec) team has established a strict policy: 'Under no circumstances can public Amazon S3 buckets be created in any account'. They want to enforce this globally so that not even users with administrative (root) permissions in local accounts can bypass it. Which configuration requires the MINIMAL administration effort?

Accepted Answer

Create a Service Control Policy (SCP) at the Organization root level to block S3 public access.

Answer

Configure AWS Config Rules to alert and automatically revert public buckets to private.

Answer

Apply a Permissions Boundary to each IAM role across all member accounts.

Answer

Use AWS IAM Access Analyzer to monitor public access and run a remediation script.

Question 5

An architect must design an architecture to log network flow in a VPC. The security team requires investigating incoming port scanning attempts. Furthermore, they must be able to query the exact state of Security Groups at a specific point in time last month. Which configuration will provide maximum visibility into network configuration changes and ensure data security? (Select 2)

Accepted Answer

Answer

Use AWS CloudTrail exclusively to track network packets at layer 4.

Answer

Configure Amazon GuardDuty to record the history of Security Group rules.

Answer

Use AWS Config to record the configuration history of Security Groups over time.

Answer

Install a third-party Intrusion Prevention System (IPS) on dedicated EC2 instances to log scans.

Answer

Enable VPC Flow Logs to capture IP traffic information and store them in Amazon S3.

Question 6

A company deploys a web application on Amazon EC2 behind an Application Load Balancer (ALB). Recently they suffered an outage due to a massive volumetric attack (DDoS) combined with an SQL Injection (SQLi) attempt through the website forms. Which approach is the easiest to maintain long-term to protect the web application?

Accepted Answer

Associate AWS WAF to the ALB using AWS Managed Rules, and subscribe to AWS Shield Advanced.

Answer

Use AWS Lambda@Edge with Amazon CloudFront to manually parse each incoming HTTP request and block malicious traffic.

Answer

Configure the ALB's Security Groups to inspect the HTTP packet content for SQLi.

Answer

Install a third-party firewall software directly on the EC2 instances and create blocking scripts based on network logs.

Question 7

A Serverless application uses AWS Lambda and connects to an Amazon RDS for PostgreSQL database. To comply with strict corporate policies, the database password must be automatically rotated every 30 days without the application experiencing downtime, and without needing to update the Lambda function code. Which configuration will meet these requirements with the LOWEST operational overhead?

Accepted Answer

Use AWS Secrets Manager enabling its native rotation integration for Amazon RDS.

Answer

Use AWS Systems Manager Parameter Store as SecureStrings.

Answer

Save the password as an encrypted environment variable in the AWS Lambda function.

Answer

Configure an EventBridge rule to invoke a custom Python script that changes the password.

Question 8

An enterprise application processes global transactions using a MySQL relational database currently deployed in the `us-east-1` region via Amazon RDS. In the event a natural disaster completely destroys the primary region, the team must be able to continue write operations in `eu-west-1` in under 1 minute (RTO < 1 min), with data loss of less than 1 second (RPO < 1 sec). Which architecture is the MOST RESILIENT to a Region-level disaster?

Accepted Answer

Migrate to Amazon Aurora Global Database and configure managed failover.

Answer

Use Amazon DynamoDB Global Tables.

Answer

Configure Amazon RDS with a Read Replica in eu-west-1 and use custom scripts to promote it.

Answer

Enable Amazon RDS Multi-AZ on the current instance spanning both regions.

Question 9

An architect is designing an e-commerce application on AWS. The compute tier uses an Auto Scaling Group of EC2 instances, and the database is hosted on Amazon RDS for PostgreSQL. So the system experiences no downtime during hardware failures in a physical data center, Multiple Availability Zones (Multi-AZ) must be used. Which design guarantees HIGH AVAILABILITY against the failure of an Availability Zone (AZ)?

Accepted Answer

Deploy an Application Load Balancer (ALB) in front of the ASG configured across multiple AZs, and enable the Multi-AZ deployment option on RDS.

Answer

Deploy RDS with a Read Replica in the same AZ to absorb traffic spikes.

Answer

Place the EC2 instances in a Cluster Placement Group to ensure fast replication to the RDS database.

Answer

Assign Elastic IPs to each instance and use Amazon Route 53 to balance traffic.

Question 10

Hundreds of Linux servers on Amazon EC2 need to access a shared file system. Occasionally, certain AZs experience local outages. The storage system must remain accessible even if the AZ housing the primary EC2 servers fails, allowing instances in healthy AZs to continue writing data transparently. Which design guarantees HIGH AVAILABILITY against the failure of an Availability Zone (AZ)?

Accepted Answer

Amazon Elastic File System (Amazon EFS) Standard.

Answer

Amazon Elastic File System (Amazon EFS) One Zone.

Answer

Amazon Elastic Block Store (Amazon EBS) provisioned with Multi-Attach.

Answer

Amazon FSx for Windows File Server deployed across multiple subnets.

AWS SAA-C03 - Practice Test #6

Explanation

Cross-Account Access and External ID

Official Documentation