AWS CERTIFICATION

SAA C03 Solutions Architect Associate Practice Exam

Exam Number: 1207 | Last updated April 24, 2026 | 700+ questions across 4 vendor-aligned objectives

The AWS Certified Solutions Architect Associate (SAA-C03) is the most popular AWS associate-level credential and validates the ability to design solutions that use AWS services to meet business requirements. Candidates have one or more years of hands-on experience designing cloud solutions and are expected to balance cost, performance, security, and resilience across the full AWS service catalog. The exam favors scenarios that have multiple workable answers but only one optimal answer.

Design Secure Architectures and Design Resilient Architectures together account for more than half the exam. Design Secure Architectures (30%) is the heaviest weighted domain and covers AWS Identity and Access Management, AWS Key Management Service, encryption at rest and in transit, AWS Web Application Firewall, AWS Shield, and Amazon GuardDuty. Design Resilient Architectures (26%) covers multi-AZ deployments, Amazon Route 53 failover routing, AWS Backup, Amazon S3 versioning and replication, and decoupled architectures using Amazon SQS and Amazon SNS.

The remaining domains balance compute and cost concerns. Design High-Performing Architectures (24%) covers Amazon EC2 instance families, AWS Lambda, Amazon ElastiCache, Amazon CloudFront, and AWS Global Accelerator. Design Cost-Optimized Architectures (20%) covers Reserved Instances and Savings Plans, Amazon S3 storage classes, lifecycle policies, AWS Cost Explorer, and right-sizing recommendations from AWS Compute Optimizer.

Read every scenario for the constraint hidden in adjectives such as ‘most cost-effective’, ‘least operational overhead’, or ‘highest availability’ — these decide between otherwise equally valid options. For storage questions, map access pattern directly to Amazon S3 storage class (Standard, Standard-IA, One Zone-IA, Intelligent-Tiering, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive). When you see ‘decouple’, expect Amazon SQS or Amazon SNS — never an Amazon EC2 polling solution.

Every answer links to the source. Each explanation below includes a hyperlink to the exact AWS documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

856 practice exam users · 99.3% satisfied users · 88.3% passed the exam · 4.8/5 quality rating

Test your AWS Solutions Architect Associate knowledge

10 of 700+ questions

Question #1 - Design Secure Architectures

A web application running in a public subnet stores files in an S3 bucket. The team wants the EC2 instances to access S3 without traversing the public internet.

Which feature provides this?

A) S3 Gateway VPC Endpoint
B) NAT Gateway
C) Internet Gateway
D) Direct Connect


Correct answers: A – Explanation:
An S3 Gateway VPC Endpoint adds a route to S3 over the AWS network at no charge. NAT Gateway and IGW route over the internet; Direct Connect is for hybrid links and overkill here. Source: [Gateway VPC endpoints for S3](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html)
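The point of a gateway endpoint is that it shows up as a prefix-list route that is more specific than the subnet's 0.0.0.0/0 route, so S3 traffic takes the endpoint even in a public subnet. The following is an added example (not PowerKram's or AWS's code) that checks this from route-table data shaped like `aws ec2 describe-route-tables` output. The route table is a constructed sample; every ID in it (`vpc-`, `rtb-`, `vpce-`, `igw-`, `pl-`) is a placeholder, and in a real account the S3 prefix-list ID comes from `aws ec2 describe-prefix-lists`.

```python
"""Verify from route-table data that a subnet reaches S3 over the AWS network.

Added example for the gateway-endpoint question; not PowerKram's or AWS's code.
SAMPLE_ROUTE_TABLE is a constructed sample shaped like describe-route-tables
output, and all IDs in it are placeholders.
"""

# Constructed sample: a public subnet's route table after an S3 gateway
# endpoint has been attached. A gateway endpoint appears as a route whose
# destination is a managed prefix list and whose target is a vpce- ID.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "VpcId": "vpc-0example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        {"DestinationPrefixListId": "pl-0example-s3", "GatewayId": "vpce-0example", "State": "active"},
    ],
}


def gateway_endpoint_routes(route_table: dict) -> list[dict]:
    """Active routes that send a prefix list to a gateway endpoint (vpce-*)."""
    return [
        r for r in route_table.get("Routes", [])
        if r.get("State") == "active"
        and r.get("DestinationPrefixListId")
        and str(r.get("GatewayId", "")).startswith("vpce-")
    ]


def has_internet_default_route(route_table: dict) -> bool:
    """True if 0.0.0.0/0 is routed to an internet gateway or a NAT gateway."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return True
        if str(r.get("NatGatewayId", "")).startswith("nat-"):
            return True
    return False


def s3_path(route_table: dict, s3_prefix_list_id: str) -> str:
    """Classify how this subnet reaches S3.

    A prefix-list route is more specific than 0.0.0.0/0, so when both exist the
    endpoint route wins and S3 traffic never leaves the AWS network.
    """
    for r in gateway_endpoint_routes(route_table):
        if r["DestinationPrefixListId"] == s3_prefix_list_id:
            return "gateway-endpoint"
    if has_internet_default_route(route_table):
        return "internet"
    return "unreachable"


def without_endpoint(route_table: dict) -> dict:
    """Copy of a route table with its gateway-endpoint routes removed, for comparison."""
    kept = [r for r in route_table["Routes"] if not str(r.get("GatewayId", "")).startswith("vpce-")]
    return {**route_table, "Routes": kept}


if __name__ == "__main__":
    print(s3_path(SAMPLE_ROUTE_TABLE, "pl-0example-s3"))                     # gateway-endpoint
    print(s3_path(without_endpoint(SAMPLE_ROUTE_TABLE), "pl-0example-s3"))   # internet
```

Run the classifier over every route table associated with the application subnets; any subnet that reports "internet" still sends S3 requests through the IGW or NAT gateway even though the endpoint exists elsewhere in the VPC.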

An application requires 99.99% availability and uses an RDS PostgreSQL database.

Which configuration best supports this SLA?

A) Single-AZ DB instance with daily backups
B) Multi-AZ DB cluster (with two readable standbys)
C) Read replica only in the same AZ
D) Snapshots stored in S3 only


Correct answers: B – Explanation:
Multi-AZ DB cluster (or at minimum Multi-AZ instance) provides synchronous replication with automatic failover, the foundation of high availability. Single-AZ backups can take hours to restore; same-AZ replicas don’t survive AZ failure; snapshots aren’t HA. Source: [RDS Multi-AZ DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html)

A read-heavy application using RDS shows database CPU at 90% during peak hours; writes are minimal.

Which change improves performance with the least disruption?

A) Increase storage size only
B) Switch to DynamoDB
C) Add RDS read replicas and direct read traffic to them
D) Disable encryption


Correct answers: C – Explanation:
Read replicas offload read traffic and reduce primary CPU; minimal app change (point reads at the replica endpoint). Switching engines is disruptive; storage size doesn’t fix CPU; encryption isn’t the cause. Source: [RDS read replicas](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html)

Logs are written daily to S3 and queried within 30 days; after that they are rarely accessed but must be retained for 7 years.

Which lifecycle policy is most cost-effective?

A) Keep all data in S3 Standard for 7 years
B) Delete after 30 days
C) Move immediately to S3 One Zone-IA
D) Transition to S3 Standard-IA after 30 days, then Glacier Deep Archive after 90 days


Correct answers: D – Explanation:
Standard-IA fits 30–90 day retention with infrequent access; Deep Archive is cheapest for long-term retention with rare access. Standard for 7 years is wasteful; One Zone-IA loses an AZ of redundancy and isn’t always cheaper for archival; deletion violates retention. Source: [S3 storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html)
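The answer maps directly onto a lifecycle rule: Standard-IA at 30 days, Deep Archive at 90 days, expire at the 7-year retention limit. Below is an added example (not PowerKram's or AWS's code) that builds that rule in the shape accepted by PutBucketLifecycleConfiguration and checks it against the transition constraints that trip people up in practice: the assumed 30-day minimum before an IA class and the assumed 30-day minimum stay in IA before a Glacier class. The prefix, rule ID and 365-day year are assumptions chosen for this scenario.

```python
"""Build and sanity-check an S3 lifecycle rule for the log-retention scenario.

Added example, not PowerKram's or AWS's code. The rule dict follows the shape
accepted by PutBucketLifecycleConfiguration; the prefix, rule ID, 365-day year
and the two 30-day minimums below are assumptions for this example.
"""

DAYS_PER_YEAR = 365                   # assumption: calendar approximation for "7 years"
MIN_DAYS_BEFORE_IA = 30               # assumed constraint: objects age 30 days before Standard-IA / One Zone-IA
MIN_DAYS_IN_IA_BEFORE_ARCHIVE = 30    # assumed constraint: 30 days in IA before moving on to a Glacier class
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
ARCHIVE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}


def build_log_lifecycle_rule(prefix: str, ia_after: int = 30,
                             deep_archive_after: int = 90, retain_years: int = 7) -> dict:
    """Standard -> Standard-IA -> Deep Archive, then expire at the retention limit."""
    return {
        "ID": "log-retention",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": ia_after, "StorageClass": "STANDARD_IA"},
            {"Days": deep_archive_after, "StorageClass": "DEEP_ARCHIVE"},
        ],
        "Expiration": {"Days": retain_years * DAYS_PER_YEAR},
    }


def lifecycle_problems(rule: dict) -> list[str]:
    """Return human-readable constraint violations; an empty list means the rule is consistent."""
    problems: list[str] = []
    transitions = rule.get("Transitions", [])
    previous_days = None
    ia_day = None
    for t in transitions:
        days, cls = t["Days"], t["StorageClass"]
        if previous_days is not None and days <= previous_days:
            problems.append(f"{cls}: transitions must be listed with strictly increasing days")
        if cls in IA_CLASSES:
            if days < MIN_DAYS_BEFORE_IA:
                problems.append(f"{cls}: at least {MIN_DAYS_BEFORE_IA} days required before an IA class")
            ia_day = days
        if cls in ARCHIVE_CLASSES and ia_day is not None and days - ia_day < MIN_DAYS_IN_IA_BEFORE_ARCHIVE:
            problems.append(f"{cls}: objects must stay {MIN_DAYS_IN_IA_BEFORE_ARCHIVE} days in IA before archiving")
        previous_days = days
    expire = rule.get("Expiration", {}).get("Days")
    if expire is not None and transitions and expire <= transitions[-1]["Days"]:
        problems.append("Expiration: must fall after the last transition")
    return problems


if __name__ == "__main__":
    good = build_log_lifecycle_rule("logs/")
    print(good["Expiration"]["Days"], lifecycle_problems(good))                 # 2555 []
    print(lifecycle_problems(build_log_lifecycle_rule("logs/", 10, 20)))        # two violations
```

Validating the rule locally before calling the API catches the case where someone "optimizes" by tightening the day counts and silently ends up with a rejected configuration, leaving seven years of logs in S3 Standard.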

A stateless web tier runs behind an Application Load Balancer in three AZs. Traffic is sticky to a session store.

Where should the session store live for highest resilience?

A) On each EC2 instance’s local disk
B) Single S3 bucket via instance-mounted FUSE
C) Amazon ElastiCache (Redis) Multi-AZ replication
D) Local /tmp on the load balancer


Correct answers: C – Explanation:
ElastiCache for Redis with Multi-AZ replication externalizes session state with low latency and survives AZ failure. Local disk loses sessions on instance loss; FUSE on S3 is high-latency; ALBs don’t have local storage. Source: [ElastiCache Multi-AZ](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html)

A bucket holds confidential PII. The team must guarantee that no object is ever made publicly accessible, even by accident.

Which controls should they apply? (Choose two.)

A) Enable S3 Block Public Access at the account and bucket levels
B) Use a bucket policy that explicitly denies public principals/conditions
C) Make the bucket public for ease of testing
D) Disable encryption to simplify scanning


Correct answers: A, B – Explanation:
Account/bucket Block Public Access stops public ACL/policy grants; an explicit deny in the bucket policy adds defense in depth. Making the bucket public is the opposite of the requirement; disabling encryption weakens posture. Source: [Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
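To see both controls from the defender's side, here is an added example (not PowerKram's or AWS's code) that assesses a bucket from data shaped like GetPublicAccessBlock and GetBucketPolicy output: it reports which of the four Block Public Access flags are off, flags Allow statements open to any principal, and produces a hardened policy carrying an explicit deny of public canned ACLs. The configuration, policy, bucket name and account ID are constructed samples; the `s3:x-amz-acl` condition key and the four Block Public Access flag names are real.

```python
"""Assess an S3 bucket's public-exposure controls from API-shaped data.

Added example, not PowerKram's or AWS's code. SAMPLE_BPA and SAMPLE_POLICY are
constructed samples shaped like GetPublicAccessBlock / GetBucketPolicy output;
the bucket name and account ID are placeholders.
"""
import json

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample: Block Public Access only partly enabled, a common drift state.
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed sample policy: the second statement grants read to everyone.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-pii-bucket/*"},
        {"Sid": "AllowAnyoneRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-pii-bucket/*"},
    ],
}


def bpa_gaps(config: dict) -> list[str]:
    """Block Public Access flags that are missing or false; all four should be true."""
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]


def _grants_to_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any principal, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_allow_statements(policy: dict) -> list[str]:
    """Sids of unconditioned Allow statements open to any principal.

    Coarse heuristic: S3's own "public" evaluation also treats many conditioned
    wildcard grants as public, so this is a first-pass linter, not the authority.
    """
    return [st.get("Sid", f"statement[{i}]")
            for i, st in enumerate(policy.get("Statement", []))
            if st.get("Effect") == "Allow"
            and _grants_to_everyone(st.get("Principal"))
            and "Condition" not in st]


def deny_public_acl_statement(bucket: str) -> dict:
    """Explicit deny of public canned ACLs: defense in depth beneath Block Public Access."""
    return {
        "Sid": "DenyPublicCannedAcls",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {
            "s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]}},
    }


def hardened_policy(policy: dict, bucket: str) -> dict:
    """Drop the public Allow statements and append the explicit deny."""
    public = set(public_allow_statements(policy))
    kept = [st for i, st in enumerate(policy["Statement"])
            if st.get("Sid", f"statement[{i}]") not in public]
    return {**policy, "Statement": kept + [deny_public_acl_statement(bucket)]}


def assess(bpa: dict, policy: dict) -> dict:
    """Findings for one bucket; both lists empty means both controls are in place."""
    return {"block_public_access_gaps": bpa_gaps(bpa),
            "public_allow_statements": public_allow_statements(policy)}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_BPA, SAMPLE_POLICY), indent=2))
    print(json.dumps(hardened_policy(SAMPLE_POLICY, "example-pii-bucket"), indent=2))
```

Block Public Access at the account level is the control that makes the accident impossible; the policy deny is there so that the bucket stays closed even if someone later relaxes the account setting for an unrelated bucket.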

An analytics workload reads multi-terabyte datasets from S3 and runs ad-hoc SQL queries that finish in seconds to minutes.

Which service is most appropriate?

A) Amazon Redshift Provisioned with daily ETL only
B) Amazon Athena
C) Amazon RDS
D) Amazon DynamoDB


Correct answers: B – Explanation:
Athena queries S3 with serverless SQL, paying per scan — ideal for ad-hoc analytics on data lakes. Provisioned Redshift fits sustained warehousing workloads; RDS is OLTP; DynamoDB is key-value. Source: [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/what-is.html)

A nightly batch job runs for 4 hours and is fault-tolerant — it can be checkpointed and restarted.

Which compute purchase option is most cost-effective?

A) Spot Instances with checkpointing
B) On-Demand
C) 1-year No-Upfront Reserved Instances
D) Dedicated Hosts


Correct answers: A – Explanation:
Spot offers up to ~90% discount and suits fault-tolerant, restartable batch jobs. On-Demand and RIs are pricier; Dedicated Hosts are for license/compliance constraints. Source: [Amazon EC2 Spot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html)

A messaging system must absorb spikes of 10x normal load without losing messages, then drain to consumers at their natural rate.

Which service is the right fit?

A) Amazon SES
B) Direct synchronous Lambda invocation
C) Amazon SQS standard queue
D) Amazon Route 53


Correct answers: C – Explanation:
SQS decouples producers from consumers and acts as a durable buffer for spikes. Direct sync invocation lacks buffering; SES is email; Route 53 is DNS. Source: [Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html)

An ALB is the entry point for a public web app. The team needs to block SQL injection and known-bad IPs.

Which service provides this directly?

A) S3 Block Public Access
B) AWS Shield Standard alone
C) Security groups only
D) AWS WAF with managed rule groups


Correct answers: D – Explanation:
AWS WAF inspects HTTP(S) requests for SQLi/XSS and supports IP-set rules; managed rule groups speed deployment. Shield Standard mitigates DDoS but not L7 attacks; security groups are L3/L4; Block Public Access is for S3. Source: [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html)

Get 700+ more questions with source-linked explanations

Every answer traces to the exact AWS documentation page — so you learn from the source, not just memorize answers.

Exam mode & learn mode · Score by objective · Updated April 24, 2026


What the AWS Solutions Architect Associate exam measures

  • Design Secure Architectures (30%) — Apply AWS Identity and Access Management, AWS Key Management Service, AWS WAF, AWS Shield, and Amazon GuardDuty to enforce defense in depth.
  • Design Resilient Architectures (26%) — Architect multi-AZ and multi-Region resilience, configure Amazon Route 53 failover, and decouple workloads with Amazon SQS and Amazon SNS.
  • Design High-Performing Architectures (24%) — Select Amazon EC2 instance families, scale serverless with AWS Lambda, accelerate with Amazon CloudFront, and cache with Amazon ElastiCache.
  • Design Cost-Optimized Architectures (20%) — Choose Amazon S3 storage classes, apply lifecycle policies, evaluate Savings Plans and Reserved Instances, and right-size with AWS Compute Optimizer.

  • Review the official AWS exam guide and confirm the latest domain weights and content scope before scheduling.
  • Complete the matching learning plan on AWS Skill Builder, including the digital courses and exam prep modules.
  • Build hands-on muscle memory in an AWS Free Tier account by deploying the services that appear in the Design Secure Architectures domain.
  • Apply your skills to a real-world project — workplace assignments, volunteer work, or open-source contributions where AWS services solve a concrete problem.
  • Master one objective at a time, beginning with the highest-weighted domain so the score impact of each study session is maximized.
  • Run PowerKram in Learn mode to read the explanations and follow every sourced documentation link until you can predict the right answer before reading the choices.
  • Switch to PowerKram Exam mode across all objectives once your accuracy in Learn mode passes 85%, simulating the timed exam experience.

The SAA-C03 is one of the most marketable single certifications in cloud:
