100 AWS Solutions Architect (SAA-C03) Practice Questions & Answers

Pass the AWS Solutions Architect exam on the first try.

Original questions in true SAA-C03 exam style
Compute · Storage · Networking · Databases · Security · Architecture
Every topic the exam actually tests
100 questions · 6 sections · ordered like the exam blueprint
The answer that scores
The trap in every wrong option
$19 · 14-day money-back guarantee
The exam costs $150 per attempt. An AWS architect earns $130k+. This costs less than dinner.
or browse all 100 questions ↓
100 questions total
Compute Services18 questions1 free
Storage15 questions1 free
Networking & Content Delivery15 questions1 free
Databases15 questions1 free
Security & IAM15 questions1 free
Architecture & Design22 questions1 free
> filter: 100/100
compute-services1 free ↓
01
A startup runs a web application on a single On-Demand EC2 instance. Traffic spikes unpredictably throughout the day and sometimes the instance runs at 5% CPU for hours. The CTO wants to cut costs without sacrificing availability. What purchasing and architecture changes would you recommend?
free
The first step is right-sizing: use AWS Compute Optimizer or CloudWatch metrics to identify the correct instance family and size. For a burstable workload with low baseline CPU, a T4g (Graviton-based) instance with Unlimited burst mode often covers the spikes while being cheaper than a fixed M or C family. Next, move the baseline capacity to a 1-year Convertible Reserved Instance or a Compute Savings Plan. Savings Plans are more flexible because they apply across instance families, sizes, and regions, and typically yield 20-66% savings over On-Demand. For the unpredictable spikes, add EC2 Auto Scaling with a target tracking policy keyed to CPU or request count, and configure the launch template to prefer Spot Instances in an instance-diversified Spot fleet across multiple AZs. If the app can tolerate interruption with a 2-minute warning, Spot cuts costs by up to 90%. Front the Auto Scaling group with an Application Load Balancer so traffic shifts seamlessly as instances come and go. Together: Savings Plan covers committed baseline, Spot handles burst, T4g cuts the per-hour rate, and Auto Scaling eliminates idle over-provisioning.
Insider read
Really testing: Whether you understand the full purchasing-option spectrum and can layer multiple cost levers rather than giving a single one-size answer. The SAA-C03 expects you to combine Reserved or Savings Plan baseline with Spot burst and Auto Scaling.
The tell: Weak candidates jump straight to "use Reserved Instances" without addressing the idle CPU or the unpredictable spike shape. Strong candidates ask about the workload profile, mention Compute Optimizer, and propose Savings Plans over Standard RIs for flexibility.
Follow-up: The application stores session state on the local instance disk. What has to change before Auto Scaling and Spot Instances can work correctly?
Say thisLayer your purchasing: Savings Plan for committed baseline, Spot for burst, and Auto Scaling to eliminate the idle gap between them.
02
What is the difference between stopping, hibernating, and terminating an EC2 instance, and what happens to instance store volumes in each case?
Tricky because "stop" sounds safe but instance store data is silently lost, and the hibernate path has hard prerequisites that are easy to miss under exam pressure.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
03
A company needs guaranteed low-latency communication between a tightly coupled HPC cluster. Which EC2 placement strategy should they use, and what are the trade-offs compared to the other two options?
Tricky because cluster placement groups sound like an obvious win, but the failure domain risk and capacity limitations create a real tension the exam exploits.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
04
When should you choose AWS Lambda over EC2 or ECS for running application logic, and what are Lambda's hard limits that could disqualify it?
Tricky because Lambda seems simpler by default, but the 15-minute timeout and ephemeral storage ceiling quietly eliminate it for many real workloads before you even start building.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
05
A team wants to run containers without managing EC2 instances. They are choosing between Amazon ECS with Fargate and Amazon EKS with Fargate. How do you help them decide?
Tricky because Fargate removes server management in both cases, so the real decision hinges on Kubernetes ecosystem requirements that the exam question will bury in the scenario details.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
06
Explain the difference between a Compute Savings Plan, an EC2 Instance Savings Plan, and a Standard Reserved Instance. When is each the right choice?
Tricky because all three reduce cost against On-Demand, but flexibility and discount depth trade off in opposite directions, and the exam scenario will describe a constraint that disqualifies two of the three.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
07
A web tier Auto Scaling group is slow to respond to traffic spikes, causing latency increases for 5-10 minutes before new instances are ready. How would you reduce that warm-up time?
Tricky because the obvious answer is "scale sooner," but the actual bottleneck is usually bootstrap time, and the fix that matters most is pre-baking the AMI, not touching the scaling policy thresholds.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
08
What is EC2 Spot Instance interruption, how much notice does AWS give, and what architectures or workloads handle interruption gracefully?
Tricky because candidates often think Spot is only for batch jobs, missing that stateless web tiers and containerized microservices behind a load balancer can safely absorb the 2-minute interruption window.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
09
A financial services company needs a single-tenant physical server for compliance reasons. Which EC2 option provides this, and how does it differ from a Dedicated Instance?
Tricky because "dedicated" appears in both option names, but the difference in socket-level isolation and licensing implications is exactly what compliance auditors and exam writers exploit.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
10
How does EC2 Auto Scaling differ between simple scaling, step scaling, and target tracking policies? When would you use each?
Tricky because simple scaling looks intuitive but its cooldown behavior makes it dangerously slow during sharp traffic ramps, a nuance the exam hides behind a "cost optimization" framing.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
11
What is AWS Elastic Beanstalk, what does it abstract away, and when is it a better choice than deploying directly to ECS or EC2?
Tricky because Elastic Beanstalk still uses EC2 under the hood, so candidates who understand that gain access to the harder question of whether the abstraction helps or hides problems for a given team.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
12
A company migrates a Windows workload to EC2 and wants to apply their existing SQL Server per-core licenses. Which EC2 purchasing feature enables this, and what EC2 configuration constraints does it impose?
Tricky because BYOL sounds simple but Dedicated Hosts impose rigid capacity planning constraints that conflict with Auto Scaling assumptions, leaving you at risk on both cost and availability.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
13
What are T-series burstable instances, how does the CPU credit system work, and when should you switch to a fixed-performance instance family instead?
Tricky because the credit balance looks like a buffer but it depletes silently in Standard mode, creating a performance cliff that only appears under sustained load and surprises teams during incident response.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
14
A company wants to run a Lambda function that processes large video files uploaded to S3. The processing takes up to 20 minutes. What changes are needed, and what are the hard limits that cannot be configured away?
Tricky because 15-minute Lambda timeout is a firm ceiling with no workaround inside Lambda itself, and the right answer requires decomposing the job rather than tuning Lambda settings.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
15
What is AWS Graviton, why might you choose a Graviton-based instance over an Intel or AMD equivalent, and what workload types are least suitable?
Tricky because Graviton's price-performance advantage is real for most workloads, but the architecture dependency for native binaries and certain legacy enterprise software creates a blocker that shows up only at migration time.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
16
A data analytics team runs nightly EMR jobs that currently use On-Demand instances. The jobs run for 4-6 hours and can restart from checkpoints. How would you cut the compute cost by the largest possible margin?
Tricky because Spot Instances are the obvious answer, but the multi-instance-type diversification strategy that actually prevents capacity-related job failures is the detail most candidates skip.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
17
Describe the difference between ECS task definitions and ECS services, and explain how service auto scaling in ECS differs from EC2 Auto Scaling.
Tricky because the two scaling layers, scaling the ECS service's task count and scaling the underlying EC2 capacity provider, operate independently and failing to configure both creates a resource starvation deadlock under load.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
18
A Solutions Architect needs to choose between EC2 instance types for a memory-intensive in-memory database. Walk through how you would select the right instance family and size, including the role of enhanced networking and placement groups.
Tricky because picking the "R family" is the surface answer, but the exam wants you to combine memory sizing, network throughput, ENA vs EFA, and placement group choice into a coherent architecture decision.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
storage1 free ↓
19
A company stores 200 TB of infrequently accessed log files. They need objects available within milliseconds on the rare occasions they are retrieved, and they want to minimize storage cost. Which S3 storage class should they use, and why not Standard-IA?
free
The right choice is S3 Standard-IA for millisecond access with lower storage cost, but the question exposes a common trap. If objects are small (under 128 KB) or retrieved very frequently, Standard-IA charges per-retrieval fees that quickly exceed Standard pricing. For 200 TB of large log files accessed rarely, Standard-IA is the correct answer: storage cost drops roughly 55% compared to Standard, and retrieval latency is still milliseconds, same as Standard. If millisecond latency were not required and the files were accessed perhaps once a quarter, S3 Glacier Instant Retrieval would be cheaper still: similar millisecond access but lower storage price than Standard-IA, at the cost of a 90-day minimum storage duration and higher per-retrieval fee. The decision tree is: Do you need milliseconds? If no, Glacier Instant or Flexible. Do you access less than once a month? If yes, Glacier Instant beats Standard-IA. Is each object small or retrieved often? If yes, Standard wins over IA despite the higher storage rate. Avoid confusing Glacier Flexible Retrieval (minutes-to-hours) with Glacier Instant. The word "Glacier" no longer means slow since AWS split the class. That nuance is exactly what the exam tests.
Insider read
Really testing: Whether you understand the cost levers in S3 storage classes: storage price, retrieval fee, minimum object size charge, and minimum duration charge, not just a ranked list of classes by price.
The tell: Weak candidates say "Glacier because it's cheapest." They miss that Glacier Flexible Retrieval takes minutes to hours and violates the millisecond requirement. Strong candidates name the retrieval SLA first, then optimize cost within that constraint.
Follow-up: If access patterns are unpredictable and the team cannot commit to infrequent access, what S3 feature removes the need to guess?
Say thisAlways establish the retrieval latency SLA before choosing a storage class: cost optimization is only valid within the latency budget.
20
Explain how S3 Intelligent-Tiering works and when it is not the right default choice for all objects.
Tricky because Intelligent-Tiering sounds like a universal win, but it carries a per-object monitoring fee that makes it counterproductive for a specific and very common object category.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
21
A media company uploads raw video files that must be retained for 7 years for compliance. Files are never accessed after 90 days. Design the most cost-effective S3 lifecycle policy.
Tricky because multiple transitions are allowed but each hop has a minimum duration constraint, and picking the wrong sequence leaves money on the table while still technically passing compliance.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
22
What is S3 strong consistency and what changed in December 2020? Does this affect how you architect applications that read immediately after a PUT?
Tricky because many architects still design around eventual consistency guards that are no longer necessary, but the exam probes whether you know the exact consistency model for different S3 operations including LIST.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
23
Compare SSE-S3, SSE-KMS, and SSE-C for S3 encryption at rest. When would you specifically require SSE-KMS over SSE-S3?
Tricky because SSE-S3 is simpler and cheaper, yet there is a precise compliance and audit scenario where it is definitively the wrong answer regardless of cost.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
24
A developer wants to allow a partner to upload a single file to a private S3 bucket without giving them AWS credentials. What is the correct mechanism, and what are the security constraints you must set?
Tricky because the obvious answer (make the bucket public) is a critical security failure, while the correct mechanism has a time and permission scope that most candidates misstate.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
25
You need to replicate S3 objects between two buckets in different AWS accounts and different regions for disaster recovery. Walk through the replication configuration and any prerequisites.
Tricky because cross-account replication requires both a replication role and a bucket policy on the destination, and candidates routinely configure only one side and then wonder why replication silently fails.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
26
Compare gp3, io2, and st1 EBS volume types. A database requires 64,000 IOPS with sub-millisecond latency. Which volume type must you use and what instance requirement accompanies it?
Tricky because gp3 can be configured up to 16,000 IOPS, which sounds high, but the 64,000 IOPS requirement forces a different volume type whose maximum is only reachable under a specific attachment condition most candidates overlook.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
27
An application requires the absolute highest single-instance disk throughput available on EC2 and can tolerate total data loss if the instance stops. What storage type should be used and what is the trade-off?
Tricky because the highest throughput answer is not an EBS volume at all, and the data durability model is fundamentally different in a way that makes it unsuitable for anything requiring persistence across stop or terminate.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
28
A team needs shared file storage accessible by 1,000 Linux EC2 instances simultaneously across three Availability Zones. Compare EFS and EBS for this requirement and explain why EBS alone cannot satisfy it.
Tricky because a common misconception is that EBS Multi-Attach solves the multi-instance problem, but there is a hard limit and operating-system-level constraint that makes it impractical for general shared storage at this scale.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
29
A company is migrating a Windows file server with 50 TB of data that uses Active Directory for access control. They need a managed cloud share that preserves NTFS permissions and SMB protocol. What AWS service do you recommend?
Tricky because EFS looks like the obvious "managed file system" answer but it is POSIX-based and NFS, and Windows SMB with Active Directory integration requires a service most candidates never think of first.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
30
Describe the three AWS Storage Gateway modes. A company has an on-premises application that must continue reading and writing files locally while asynchronously syncing to S3. Which mode applies?
Tricky because File Gateway, Volume Gateway, and Tape Gateway all involve local caching and S3, but the protocols, cache semantics, and use cases are distinct enough that picking the wrong mode means the on-premises application never works the way the question requires.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
31
A company needs to migrate 8 PB of data to AWS. Their internet connection is 1 Gbps and is needed for normal operations. Walk through the Snow family options and how you decide between Snowball Edge and Snowmobile.
Tricky because the decision is not purely about dataset size: network bandwidth utilization math reveals why online transfer is impractical here, and the Snowmobile threshold is a specific number that the exam expects you to know precisely.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
32
An S3 bucket receives 15,000 PUT requests per second all targeting keys that begin with the same prefix. The team is seeing HTTP 503 SlowDown errors. What is the root cause and how do you fix it?
Tricky because the fix changed significantly in 2018 when AWS removed the old random-prefix guidance, and candidates who studied older material will prescribe a solution that is now unnecessary, revealing that they do not understand the current partitioning model.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
33
Compare Glacier Instant Retrieval, Glacier Flexible Retrieval (Expedited), and Glacier Deep Archive on retrieval time, minimum storage duration, and cost. Give a concrete use case where each is the correct choice.
Tricky because AWS renamed and restructured the Glacier tiers in 2021, so the word "Glacier" alone is ambiguous, and the exam exploits that ambiguity by describing retrieval SLAs that only match one specific tier.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
networking-content-delivery1 free ↓
34
A company is designing a three-tier web application on AWS. They need public-facing web servers, private application servers, and a private database tier. How should they design the VPC CIDR and subnet layout, and what routing configuration makes each tier work correctly?
free
Start with a VPC CIDR large enough for growth: a /16 like 10.0.0.0/16 gives 65,536 addresses. Carve it into at least six subnets across two Availability Zones: two public subnets (e.g., 10.0.0.0/24 and 10.0.1.0/24), two private application subnets (10.0.10.0/24 and 10.0.11.0/24), and two private database subnets (10.0.20.0/24 and 10.0.21.0/24). Using multiple AZs at every tier is essential for high availability. Routing is what separates public from private. Public subnets get a route table with a default route (0.0.0.0/0) pointing to an Internet Gateway. Instances in public subnets also need public IPs or Elastic IPs. Private subnets must never have a route to the IGW. Instead, their default route points to a NAT Gateway deployed in the public subnet, which lets private instances reach the internet for updates while remaining unreachable inbound. Database subnets should have no default route at all unless they absolutely need outbound access. Security controls layer on top: security groups on each instance or load balancer control stateful inbound and outbound traffic. The web tier security group allows 443 from 0.0.0.0/0. The app tier security group allows only from the web tier security group. The database security group allows only port 3306 (or 5432) from the app tier security group. NACLs add a stateless layer at the subnet boundary for coarse-grained allow/deny rules but are optional if security groups are tight. Place the Application Load Balancer in the public subnets and the web EC2 instances in the private application tier, pointing the ALB target group there, so no web server needs a public IP.
Insider read
Really testing: Whether you understand the relationship between subnet routing and internet accessibility, and can translate a three-tier architecture into concrete CIDR and route table decisions.
The tell: Many candidates place web servers in the public subnet and assume that is sufficient isolation. Strong candidates know the ALB belongs in the public subnet and the actual EC2 instances should stay private, reducing the blast radius of any compromise.
Follow-up: If the application tier needs to pull container images from ECR without traversing the internet, what do you add to the private subnet design?
Say thisPublic vs. private is a routing decision: a subnet is public only because its route table has a path to an Internet Gateway, and everything else flows from that.
35
A private EC2 instance needs to download OS patches from the internet but must never be reachable from the internet. What options exist, and when would you choose a NAT Gateway over a NAT instance?
Tricky because both options appear to solve the same problem, but the exam probes whether you know the hidden operational and scaling differences that make one the wrong answer under certain constraints.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
36
Explain the difference between security groups and Network ACLs. A company wants to block a specific malicious IP range at the network layer. Which control should they use and why?
Tricky because both seem like firewall controls, but one is stateful and one is stateless, and that distinction determines whether the block actually works the way the team expects it to.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
37
Two VPCs in different AWS accounts need to communicate privately. Compare VPC peering to AWS Transit Gateway and describe when you would choose each.
Tricky because peering looks simpler until you add a third VPC, at which point the transitive routing limitation of peering becomes a critical architectural flaw the exam loves to exploit.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
38
A company's on-premises data center must connect to AWS with consistent sub-10 ms latency and dedicated bandwidth. Compare AWS Direct Connect to AWS Site-to-Site VPN and explain which fits this requirement.
Tricky because the exam frames VPN as a cheaper Direct Connect, but the real distinction is about shared vs. dedicated paths, and understanding that gap is what separates architects who design for reliability from those who just design for cost.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
39
An application on EC2 needs to read from S3 and call DynamoDB without its traffic ever leaving the AWS network. What are VPC endpoints, and when do you use a gateway endpoint versus an interface endpoint?
Tricky because gateway endpoints and interface endpoints look interchangeable at first glance, but they differ in routing mechanism, DNS resolution, and which services support each type, and getting that wrong means traffic still exits over the internet.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
40
A global application must route users to the nearest healthy endpoint, failover automatically when a region goes down, and split traffic between two versions for A/B testing. Which Route 53 routing policies address each requirement?
Tricky because several routing policies appear to solve latency or failover on the surface, but each has a specific activation mechanism and health-check dependency that the exam uses to disqualify the obvious answer.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
41
A media company streams video to a global audience. They want to reduce origin load, serve content from edge locations, and enforce that only CloudFront can access their S3 bucket. How do they configure this, and what is Origin Access Control?
Tricky because OAC replaces the older OAI mechanism and the exam tests whether you know the architectural difference between letting S3 stay public versus signing requests at the CloudFront layer, which changes the entire threat model.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
42
Describe the difference between CloudFront cache behaviors, TTL settings, and invalidation. A company deploys a new version of their SPA and users still see stale assets. What went wrong and how do they fix it without a cache purge?
Tricky because invalidation seems like the obvious fix, but it costs money per path and does not prevent future staleness, and the exam wants you to know the versioning pattern that eliminates the problem entirely at the origin level.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
43
A company needs to load-balance HTTPS traffic with path-based routing to microservices, while another team needs to load-balance TCP traffic for a real-time trading system with ultra-low latency and a static IP. Which AWS load balancer type fits each use case?
Tricky because ALB and NLB both appear on many architecture diagrams and the exam relies on candidates confusing connection-level features like static IPs and TLS termination placement to steer them toward the wrong answer.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
44
What is a Gateway Load Balancer, and how does it enable transparent insertion of third-party network appliances such as firewalls and intrusion detection systems into a VPC traffic flow?
Tricky because GLB uses GENEVE encapsulation and a bump-in-the-wire model that looks nothing like traditional ALB or NLB routing, and candidates who conflate them with ALB path routing will design a topology that does not intercept traffic at all.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
45
A company serves a latency-sensitive SaaS product to enterprise customers across North America, Europe, and Asia-Pacific. Compare AWS Global Accelerator to CloudFront and explain which fits this use case and why.
Tricky because both services use AWS edge locations and the marketing language sounds nearly identical, but one caches and one routes, and choosing the wrong one for a dynamic API means paying for infrastructure that provides no benefit.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
46
A company has a hub-and-spoke network with a shared services VPC (DNS, security tools, logging) and 20 workload VPCs. They need all workload VPCs to reach shared services but not each other. How do you design this with Transit Gateway route tables?
Tricky because Transit Gateway route tables look like regular VPC route tables but operate at a different layer, and candidates who do not understand TGW route table isolation end up accidentally granting full mesh connectivity when they intended segmentation.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
47
A financial services company establishes a Direct Connect connection but needs a backup path for when the dedicated circuit fails. What is the recommended resilient architecture, and what are the tradeoffs between a backup VPN and a second Direct Connect circuit?
Tricky because AWS recommends different resilience models depending on whether the priority is cost or uptime, and the exam expects you to know which failover pattern satisfies high-availability requirements versus which one only satisfies a budget-constrained baseline.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
48
A company migrates its internal DNS from on-premises to AWS. They need on-premises resolvers to resolve private Route 53 hosted zone records, and Route 53 to resolve on-premises hostnames. How do Route 53 Resolver inbound and outbound endpoints work?
Tricky because Route 53 Resolver endpoints live inside a VPC and use ENIs, so the direction of the endpoint (inbound vs. outbound) is defined from the VPC's perspective, and confusing the two means DNS queries travel the wrong way and silently fail.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
94 more answers + insider reads
// compute · storage · networking · databases · security · architecture
Unlock all 100 · $19
databases1 free ↓
49
A company runs a transactional MySQL database on RDS. They need the database to survive an Availability Zone failure with minimal downtime and without manually promoting a replica. How should the architect configure this, and what is the recovery mechanism?
free
Enable RDS Multi-AZ deployment. When Multi-AZ is active, RDS maintains a synchronous standby replica in a different Availability Zone within the same region. Every write to the primary is committed to the standby before the write is acknowledged to the application, so there is zero data loss (RPO of 0) on an AZ failure. When RDS detects that the primary is unavailable, it automatically promotes the standby and updates the CNAME DNS endpoint to point at the new primary, typically within 60 to 120 seconds. Applications must use the RDS endpoint, not the underlying instance IP, so the failover is transparent to them. Multi-AZ is not a read-scaling mechanism. The standby is not accessible for reads. If the team also needs read scaling, they should add Read Replicas, which use asynchronous replication and can serve SELECT traffic. Read Replicas can be in the same region or in other regions for cross-region disaster recovery, but they require manual promotion to become a primary during a failover event. The key distinction the exam tests: Multi-AZ is for high availability and automatic failover; Read Replicas are for read scalability and cross-region DR. Using a Read Replica as the HA mechanism fails the automatic-promotion requirement unless the team also enables Multi-AZ on it after promotion.
Insider read
Really testing: Whether you understand the difference between synchronous Multi-AZ replication for automatic HA and asynchronous read replicas for scaling, and which mechanism provides zero-data-loss automatic failover.
The tell: Candidates who say "add a Read Replica" are picking the wrong tool. Read Replicas use asynchronous replication and require manual promotion, which violates the "minimal downtime without manual intervention" requirement in the scenario.
Follow-up: If the team promotes a Read Replica to primary manually after a failure, what replication lag risk exists, and how would you quantify it before promoting?
Say thisMulti-AZ is synchronous, automatic, and zero-data-loss; Read Replicas are asynchronous, manual to promote, and built for reads, not HA.
50
An architect is designing a new high-throughput relational database layer and is evaluating Amazon Aurora versus standard RDS. Walk through Aurora's storage architecture and explain when Aurora's design gives a meaningful advantage over RDS.
Tricky because Aurora is still "RDS under the hood" in the console, yet its storage architecture is fundamentally different in ways that matter at scale, and conflating the two leads to the wrong capacity and replication decisions.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
51
A startup has an application with unpredictable database traffic. Some days the database is idle for hours, other days it receives heavy write bursts. They want to minimize cost and eliminate capacity planning. Which Aurora option fits, and what are the trade-offs?
Tricky because Aurora Serverless sounds like the obvious answer, but the v1 vs v2 distinction and cold-start behavior create real production trade-offs that the exam probes.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
52
A team is designing a DynamoDB table for a global e-commerce order system. They expect 50 million orders per day with heavy reads by customer ID. Explain how to choose a partition key and when to add a Global Secondary Index versus a Local Secondary Index.
Tricky because a naive partition key choice creates hot partitions that throttle writes at scale, and the GSI vs LSI trade-off involves base table sort key constraints that trip up many candidates.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
53
A DynamoDB table is receiving read-heavy traffic for a product catalog that changes only a few times per day. Response times are spiking under load. What is the recommended caching solution, and how does it integrate with DynamoDB?
Tricky because DynamoDB Accelerator and ElastiCache both cache DynamoDB reads, but the correct choice depends on whether the application can tolerate write-through latency or needs microsecond in-memory speed.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
54
Compare DynamoDB provisioned capacity mode and on-demand capacity mode. Walk through the decision criteria an architect should use to choose between them for a new workload.
Tricky because on-demand always sounds simpler, but at high sustained throughput the cost difference is significant and the exam expects you to reason about traffic patterns rather than default to one mode.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
55
A solutions architect needs to react to item-level changes in a DynamoDB table in near real-time to update a search index and send notifications. What AWS feature enables this, and how does it guarantee ordering?
Tricky because DynamoDB Streams and Kinesis Data Streams for DynamoDB are both options, and candidates often pick the wrong one when ordering and long-term retention requirements collide.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
56
An application uses ElastiCache. The team is choosing between Redis and Memcached. List the criteria that would lead you to choose Redis over Memcached, and give one scenario where Memcached is the better fit.
Tricky because Redis has so many features that candidates reflexively choose it, missing the cases where Memcached's simpler multi-threaded architecture genuinely outperforms it at pure cache throughput.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
57
A company is migrating a large Oracle database to Aurora PostgreSQL. Describe the roles of AWS Database Migration Service and AWS Schema Conversion Tool, and explain the sequence in which you would use them.
Tricky because DMS and SCT have overlapping names and candidates frequently reverse their roles, applying DMS to schema conversion or expecting SCT to move ongoing row-level data.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
58
A Lambda function is opening a new RDS connection on every invocation, causing the database to hit its connection limit under burst traffic. What is the recommended solution, and how does it work?
Tricky because developers instinctively think "scale up the RDS instance," but the connection exhaustion problem requires a connection pooling layer whose behavior is subtly different from simply increasing max_connections.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
59
An architect needs to choose between Amazon RDS and Amazon DynamoDB for a new microservice. Describe the decision framework you would apply, and give examples of workloads that clearly belong to each service.
Tricky because the question sounds open-ended, but the exam expects a structured framework around data shape, query patterns, and scale, not just "use DynamoDB for NoSQL."
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
60
A data warehouse team needs to run complex analytical queries across petabytes of historical sales data. They need columnar storage and integration with S3-based data lake files. Which AWS service fits, and what makes its architecture well-suited for this workload?
Tricky because Athena and Redshift both query S3 data, and candidates must distinguish between serverless ad-hoc queries and a managed columnar warehouse with its own compute and storage.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
61
Explain RDS automated backups and manual snapshots. What is Point-in-Time Recovery, what is its granularity, and what is the maximum retention window for automated backups?
Tricky because candidates confuse the retention window limits for automated backups with the unlimited retention of manual snapshots, leading to incorrect RPO calculations in exam scenarios.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
62
A security team requires that all data in an RDS database be encrypted at rest and in transit. Describe how RDS encryption works, when it must be enabled, and how to encrypt an existing unencrypted RDS instance.
Tricky because encryption cannot be enabled on a running unencrypted RDS instance directly, and the snapshot-copy workaround is a step candidates miss, creating a gap between the security requirement and what they think is achievable.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
63
A company is running a large RDS MySQL database and wants to migrate to Aurora MySQL with near-zero downtime, keeping the production RDS instance live until cutover. What migration approach lets them achieve this?
Tricky because there are multiple migration paths, including native snapshot restore and DMS continuous replication, and each has different downtime windows and replication lag behaviors that determine which actually achieves near-zero downtime.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
security-iam1 free ↓
64
A company has an EC2 instance that needs to read objects from an S3 bucket. A developer suggests creating an IAM user, generating access keys, and storing them in the instance. What is wrong with that approach, and what should you do instead?
free
Hardcoding IAM user credentials on an EC2 instance is a well-known anti-pattern for several reasons. First, static access keys do not rotate automatically, so a leaked key remains valid until someone notices and revokes it manually. Second, keys stored in environment variables, config files, or code often end up in version control or AMI snapshots, creating a permanent credential leak. Third, the blast radius of a compromise is tied to the key owner, not the instance, so you cannot easily scope the damage to one host. The correct approach is to attach an IAM instance profile to the EC2 instance. An instance profile is a container for an IAM role. When the instance starts, the EC2 Instance Metadata Service (IMDS) provides temporary, automatically rotated credentials via STS AssumeRole under the hood. The AWS SDKs pick these up from the metadata endpoint automatically, so no credential is ever written to disk. Create an IAM role with a trust policy that allows the EC2 service principal to assume it, attach an identity-based policy granting only s3:GetObject on the specific bucket and prefix, and associate the role with the instance at launch or attach it afterward. IMDSv2 should be enforced (requiring a session token) to prevent SSRF attacks from stealing the metadata credentials. The instance never holds a long-lived secret, and if the instance is terminated the credentials die with it.
Insider read
Really testing: Whether you understand the difference between IAM users (long-lived identities with static keys) and IAM roles (assumable identities with temporary credentials), and why temporary credentials are the correct primitive for workloads.
The tell: Candidates who say "just use an IAM user but rotate the keys regularly" are still wrong. Rotation reduces risk but does not eliminate the fundamental problem of static credentials living on a machine. The right answer kills static credentials entirely.
Follow-up: The instance is behind a proxy that rewrites outbound requests. An attacker uses SSRF to hit the metadata endpoint and steal the instance role credentials. How do you prevent that?
Say thisEC2 workloads should never hold static IAM credentials: use instance profiles, which deliver temporary STS credentials through IMDS, and enforce IMDSv2 to close the SSRF vector.
65
Explain the difference between an identity-based IAM policy and a resource-based policy. When does AWS require both, and when is one sufficient?
Tricky because most people learn identity-based policies first and assume they cover every access scenario, but cross-account access introduces a two-sided evaluation model that breaks that assumption.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
66
Walk through AWS IAM policy evaluation logic. An explicit Allow exists in an identity-based policy and an explicit Deny exists in an SCP. What is the result, and why?
Tricky because candidates often treat the policy evaluation layers as independent vote-counting, missing that a Deny at any layer is a circuit-breaker regardless of what the identity policy says.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
67
A Lambda function in Account A needs to write to a DynamoDB table in Account B. Describe every IAM component you need to configure to make this work.
Tricky because cross-account access with Lambda requires coordinating trust policies, identity policies, and resource policies across two separate accounts, and missing any single piece silently denies access.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
68
What is the difference between AWS KMS customer managed keys, AWS managed keys, and AWS owned keys? When would you choose each?
Tricky because all three types use KMS under the hood, so candidates conflate them, missing the critical distinctions around key policy control, rotation, and auditability that drive the correct choice for regulated workloads.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
69
Explain envelope encryption as implemented by AWS KMS. Why does S3 not send your entire 5 GB object to KMS when you enable SSE-KMS?
Tricky because the spec says "KMS encrypts data" which sounds like the key service does all the work, but the actual encryption happens locally, and understanding that distinction reveals the performance and cost model.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
70
A team stores database passwords and API keys. Compare AWS Secrets Manager and AWS Systems Manager Parameter Store. Which would you recommend and under what conditions?
Tricky because Parameter Store is free at standard tier and looks like it covers the same use case, but the exam tests whether you know the specific capabilities that justify Secrets Manager's cost for production credential management.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
71
A mobile app lets users sign in with Google and then access objects in a private S3 bucket scoped to their user ID. Describe how Cognito User Pools and Identity Pools work together to make this possible.
Tricky because User Pools and Identity Pools solve different halves of the problem, and conflating them leads to an architecture that either authenticates users but cannot issue AWS credentials, or issues credentials but cannot do user directory functions.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
72
Your public ALB is receiving a flood of HTTP requests from a rotating set of IP addresses attempting credential stuffing. Which AWS services do you layer together to detect and block this, and what does each one contribute?
Tricky because WAF, Shield, and GuardDuty each have overlapping-sounding descriptions, but they operate at different layers and against different threat models, and using only one leaves a gap the attacker exploits.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
73
Explain the difference between AWS Shield Standard and Shield Advanced. What does Shield Advanced give you that Standard does not, and when is the cost justified?
Tricky because Shield Standard is automatically enabled for free, making candidates assume Advanced is only a cost-center add-on, but the exam tests specific capabilities that only Advanced provides for large-scale DDoS scenarios.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
74
Compare GuardDuty, Inspector, and Macie. A security team wants to know: who is doing reconnaissance on our accounts, which EC2 instances have unpatched CVEs, and which S3 buckets contain PII. Map each requirement to the right service.
Tricky because all three appear under "AWS Security" in the console and documentation, so candidates bundle them together, missing that they analyze fundamentally different data sources and answer fundamentally different security questions.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
75
What is an AWS Organizations Service Control Policy (SCP)? Explain how it interacts with IAM identity policies, and give a concrete example where an SCP prevents an action even though the IAM role has an explicit Allow.
Tricky because SCPs do not grant permissions themselves, they only constrain what member accounts can grant, and candidates who treat SCPs as just "org-level IAM policies" misapply them and leave gaps in their guardrails strategy.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
76
A company wants to prevent any account in its AWS Organization from disabling CloudTrail or creating IAM users with console passwords. How do you implement this without affecting the management account's own operations?
Tricky because the obvious answer is "attach an SCP to the root OU" but that also affects the management account in a way most candidates do not expect, exposing a nuance that separates SAA from SAP-level thinking.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
77
Describe what "least privilege" means in practice for a new IAM policy. What AWS tools help you discover the actual permissions a role needs versus what it was originally granted?
Tricky because "least privilege" is easy to say and hard to implement, and the exam tests whether you know the specific service that analyzes CloudTrail data to surface unused permissions rather than just recommending you "write tighter policies."
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
78
A financial services company runs workloads across 40 AWS accounts. Regulators require that all data at rest use KMS CMKs, no public S3 buckets exist, and all API calls are logged. How do you enforce these controls at the organization level without touching each account individually?
Tricky because the question implies a single enforcement mechanism, but each requirement maps to a different AWS service, and candidates who reach for SCPs alone cannot enforce S3 bucket ACL settings or KMS encryption choices through SCPs.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
architecture-design1 free ↓
79
A startup is deploying its first production web application on AWS. The team wants high availability but has a limited budget. What architectural pattern should they use, and which AWS services should anchor it?
free
The standard starting point for a budget-conscious, highly available web application is a two-tier architecture spanning at least two Availability Zones behind an Application Load Balancer (ALB). Place EC2 instances or containers inside an Auto Scaling Group across private subnets in two AZs. Use Amazon RDS Multi-AZ for the database: it keeps a synchronous standby in a second AZ and fails over automatically, usually within 60 to 120 seconds, with no manual intervention. Put static assets on Amazon S3 and serve them through Amazon CloudFront to reduce origin load and improve global latency. For DNS, use Route 53 with health checks so traffic stops routing to an unhealthy endpoint. Store session state in Amazon ElastiCache for Redis rather than on the instance, which lets the ALB route any request to any healthy instance without sticky sessions. This achieves roughly 99.99% availability at a fraction of the cost of a multi-region setup. The key design principle is eliminating single points of failure at the compute, database, and DNS layers while keeping costs predictable. As traffic grows, the Auto Scaling Group adds capacity automatically, so the team pays for what they use rather than overprovisioning.
Insider read
Really testing: Whether you can translate the Well-Architected Reliability pillar into concrete service choices for a resource-constrained team. The exam wants to see you pick Multi-AZ over multi-region when budget and RTO allow.
The tell: Candidates who jump straight to multi-region active-active or who forget to decouple session state from the instance. Both answers signal they are not reasoning about cost vs. availability trade-offs, just naming services.
Follow-up: The application suddenly needs to serve users in Europe with low latency. What is the minimum change to this architecture to support that without rebuilding the data tier?
Say thisMulti-AZ gives you high availability against infrastructure failure. Multi-region gives you disaster recovery and latency: choose the right tool based on what you are actually protecting against.
80
Compare the four AWS disaster recovery strategies: backup and restore, pilot light, warm standby, and multi-site active-active. How do RTO and RPO differ across them?
Tricky because candidates conflate cost and complexity with actual recovery time, and the exam always asks you to pick the cheapest strategy that still meets a specific RTO/RPO target.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
81
A financial services company requires an RPO of 15 minutes and an RTO of 30 minutes for its transaction processing system. Which DR strategy and AWS services should you recommend?
Tricky because warm standby and pilot light are both plausible, but only one actually meets a 30-minute RTO without manual intervention, and the answer hinges on what "warm" really means in terms of running capacity.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
82
When should you choose a multi-region active-active architecture over a multi-AZ single-region design? What are the data consistency trade-offs?
Tricky because multi-region sounds like it is always "more available," but it introduces write-conflict and latency problems that multi-AZ avoids, and the exam rewards candidates who articulate the cost of that trade-off precisely.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
83
Explain the difference between SQS, SNS, EventBridge, and Kinesis Data Streams. When is each the right choice for decoupling services?
Tricky because all four are "messaging" services, but they solve fundamentally different problems, and picking the wrong one on the exam is the most common decoupling mistake candidates make.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
84
A monolithic e-commerce application is experiencing intermittent failures during flash sales because the checkout service overwhelms the inventory service. What decoupling pattern should you apply, and which AWS service implements it?
Tricky because adding a queue sounds obvious, but the exam also tests whether you understand what happens to in-flight messages if the inventory service still crashes, and whether the queue alone solves the consistency problem.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
85
Design a serverless web application architecture that handles 10 requests per second at steady state but must scale to 50,000 requests per second during a product launch. What services do you use and where are the scaling bottlenecks?
Tricky because Lambda and API Gateway scale automatically, but most candidates forget that RDS does not, and the bottleneck on the exam is always the stateful layer, not the compute layer.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
86
What are the differences between API Gateway REST APIs and HTTP APIs? When would you choose one over the other?
Tricky because HTTP APIs are cheaper and faster, which makes them sound like the obvious choice, but REST APIs have features like usage plans, API keys, request validation, and caching that HTTP APIs lack entirely.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
87
A workflow requires calling five microservices in sequence, where each step's output is the next step's input, and any step can fail and need to be retried or compensated. What AWS service manages this, and how does it handle failures?
Tricky because you could technically implement this with SQS chaining or Lambda callbacks, but the exam is asking you to recognize the orchestration pattern that belongs to Step Functions, and the failure modes are what make the distinction clear.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
88
Walk through the five pillars of the AWS Well-Architected Framework. For each pillar, name one design principle and one AWS service or feature that directly implements it.
Tricky because the exam rarely asks you to recite the pillars. Instead, it gives you a scenario and expects you to recognize which pillar a recommendation belongs to, so pure memorization without applied mapping will fail you.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
89
What is the difference between CloudWatch, CloudTrail, and AWS Config? A security team asks you which service tells them "who changed this S3 bucket policy and when." Which do you use?
Tricky because all three services involve logging and visibility, but they answer fundamentally different questions, and candidates who have not used all three in production routinely confuse CloudTrail and Config in particular.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
90
Describe a complete caching strategy for a read-heavy web application, from the CDN edge to the database. What AWS services sit at each layer, and what invalidation strategy do you use?
Tricky because candidates often name CloudFront and ElastiCache without explaining what data belongs at each layer or how a cache miss at one layer propagates to the next, which is exactly what the exam probes with follow-up constraints.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
91
A company runs a batch processing workload that takes 6 hours to complete, has no fixed schedule, and the business can tolerate it being interrupted mid-run. How do you cut the EC2 compute cost as much as possible?
Tricky because Spot Instances are the right answer but carry a constraint: they can be interrupted with 2 minutes notice, so your architecture must handle that gracefully or the cost savings are meaningless.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
92
Explain S3 storage class tiering. A company stores 500 TB of log files. Logs are accessed frequently for the first 30 days, rarely for the next 60 days, and never after 90 days. Design the lifecycle policy.
Tricky because the exam scenario always has a minimum storage duration or retrieval time constraint that rules out the cheapest tier, and getting the 30/60/90 day transitions wrong is the most common answer on this question type.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
93
A SaaS company's AWS bill is dominated by data transfer costs. The architecture has EC2 instances in one region calling an S3 bucket in a different region via the public internet. What changes reduce data transfer costs the most?
Tricky because the instinct is to add a CDN, but the root cause is cross-region traffic, and the correct fix involves moving data or using a VPC endpoint, both of which require understanding AWS's data transfer pricing model at a level most candidates skip.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
94
Compare Compute Savings Plans, EC2 Instance Savings Plans, and Reserved Instances. Which commitment model gives the most flexibility, and when does that flexibility matter?
Tricky because Savings Plans sound strictly superior to Reserved Instances for flexibility, but there are specific workloads where Reserved Instances still win on price, and the exam will give you exactly that scenario to see if you know the boundary.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
95
An application uses Auto Scaling with EC2 instances. What is the difference between target tracking, step scaling, and scheduled scaling policies? When is each appropriate?
Tricky because target tracking sounds like the obvious default for every case, but scheduled scaling is often more cost-effective when traffic patterns are predictable, and the exam tests whether you know that responding to a predictable spike is different from responding to an unpredictable one.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
96
A company wants to migrate from a tightly coupled three-tier application to an event-driven architecture. What pattern do you use, and how does EventBridge fit into the design?
Tricky because "event-driven" sounds like it just means adding SQS, but the exam distinguishes between point-to-point messaging and a true event bus, and EventBridge's schema registry and routing rules are what separate the two architectures in practice.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
97
What is the difference between horizontal and vertical scaling on AWS, and why does horizontal scaling require stateless application design?
Tricky because "just add more instances" glosses over the session state problem, and the exam consistently presents scenarios where horizontal scaling fails not because of capacity but because the application stores user state locally on the instance.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
98
A media company stores 2 PB of video assets in S3. Editors in three continents need sub-100ms access to assets they are actively working on. What architecture minimizes latency without replicating all 2 PB globally?
Tricky because the instinct is to use S3 Cross-Region Replication, but that replicates everything and does not solve the selective access pattern, and the correct answer involves a feature most candidates have never used in the wild.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
99
What is the strangler fig pattern, and how would you use it to migrate a monolithic application to microservices on AWS without a big-bang rewrite?
Tricky because candidates describe the pattern conceptually but cannot map it to concrete AWS services, and the exam scenario always includes a constraint about zero downtime that forces you to show you understand the routing mechanics, not just the theory.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
100
A company's CloudWatch dashboard shows that CPU utilization on its EC2 fleet averages 12% but spikes to 95% for 90 seconds every hour. The Auto Scaling Group does not respond fast enough. What scaling and architectural changes fix this?
Tricky because the reflex answer is "lower the scale-out threshold," but the real fix requires understanding the difference between metric lag, warm-up time, and predictive scaling, and the exam expects you to address all three rather than just tuning one number.
unlock
Full answer + insider read in the complete set.Unlock all 100 · $19
Complete set
94 more questions. Every answer. Every trap explained.
Compute to architecture design. Every scenario decoded: what it really asks, and which wrong option is bait.
$19
// one-time · lifetime access · all 100 questions
// video course: $300+ · practice exam bundles: $40+ · this playbook: $19
Unlock all 100 · $19
✓ 14-day money-back guarantee
// what happens when you pay
1Secure checkout opens. Card, Apple Pay, Google Pay or PayPal, processed by Stripe.
2All 100 unlock instantly. Your private link opens the moment payment clears.
3It's yours for good. The receipt email contains your permanent link. Lose it? Email us, we resend.
VISAMastercardAmexApple PayGoogle PayPayPal
// payment handled by Lemon Squeezy, our merchant of record. We never see your card details. Support: support@howto-playbooks.com
Common questions
Are these real exam questions?+
They are 100 original practice questions written in the style and blueprint of the SAA-C03 exam: scenario-based, covering all domains. We deliberately do not sell real exam dumps: that violates the AWS exam NDA and teaches pattern-matching instead of architecture. These teach the decision logic the exam tests.
What's different from free dumps?+
Dumps are stale, frequently wrong, and NDA-violating. This gives you the model answer plus what the exam is actually testing, the trap inside the tempting wrong option, and the harder follow-up variation.
What if it doesn't help?+
14-day, no-questions-asked refund. Email support@howto-playbooks.com with your order number and we refund in full.
What format is it?+
A single web page, bookmarkable, works on any device. All 100 questions expandable with answers and insider reads. Lifetime access.
How do I get access after paying?+
Instantly. The moment payment clears, your private link opens with all 100 questions and answers. Your receipt email contains the same permanent link, so you can come back anytime, on any device. If you ever lose it, email support@howto-playbooks.com and we resend it.
Is the payment secure?+
Yes. Checkout is handled by Lemon Squeezy, our merchant of record, with payments processed by Stripe, the same infrastructure used by Amazon and Shopify. Card, Apple Pay, Google Pay and PayPal are supported. Your card details never touch our servers.
// more playbooks: 100 questions each
$19 one-time
// 100 questions · insider reads · 14-day refund
Unlock all 100