Free AWS Certified Solutions Architect Associate Exam Practice

Explore realistic practice questions for the AWS Certified Solutions Architect Associate exam. Gain hands-on experience with scenarios covering security, networking, storage, scalability, and cost optimization to reinforce your understanding and exam readiness.

Question 1

A company uses AWS Organizations and wants to ensure that no IAM principal in any member account can make an Amazon S3 bucket public, either through bucket policies or public ACLs. The security team requires a solution that is preventative and centrally enforced across all accounts.

Which solution should a solutions architect implement to meet these requirements?

A. Enable S3 Block Public Access on each bucket and require developers to keep it enabled.

B. Enable AWS Config managed rules to detect public buckets and run remediation.

C. Use a Service Control Policy (SCP) to deny s3:PutBucketPolicy and s3:PutBucketAcl for all principals in member accounts.

D. Use Amazon GuardDuty to alert on public bucket activity.
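Worked example (added by the editor, not part of the original question set): option C expressed as a service control policy. The first statement is exactly what the option describes. The second goes beyond the option and is what makes the control genuinely preventative: it stops anyone in a member account from switching off S3 Block Public Access at the account or bucket level, which is the AWS-recommended companion to the deny. The role name OrgSecurityAdmin is a placeholder for whatever break-glass role the organization uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBucketPolicyAndAclWrites",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutBucketAcl"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDisablingBlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    }
  ]
}
```

Two caveats a practitioner should keep in mind when reading option C. An SCP deny overrides every IAM allow in the member account, including the account's own administrators, but it never applies to the management account, so the logging or security tooling should not live there. And the first statement also blocks legitimate bucket-policy changes made by deployment pipelines; real SCPs usually exempt a named deployment role with the same aws:PrincipalArn condition shown in the second statement. Options A, B and D are detective or voluntary controls: a developer can turn off per-bucket Block Public Access, and Config or GuardDuty only reacts after the bucket is already public.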

Question 2

A company runs workloads in private subnets, and an application needs to read objects from a sensitive S3 bucket. The security team requires that access must only occur from within the VPC and must not traverse the public internet, while also avoiding NAT Gateway costs.

Which solution meets these requirements?

A. Create an S3 Interface VPC endpoint (AWS PrivateLink) and configure the application to send S3 traffic through the endpoint.
B. Create a Gateway VPC endpoint for S3 and add a bucket policy that allows access only when aws:SourceVpce matches the endpoint ID.
C. Keep the NAT Gateway and add a bucket policy that denies access unless requests come from the VPC CIDR.
D. Enable S3 Transfer Acceleration.
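Worked example (added by the editor, not part of the original question set): the bucket policy half of option B. The gateway endpoint only changes routing; it is this policy that enforces "VPC only". The bucket name, endpoint ID and break-glass role ARN are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAnyAccessNotViaTheGatewayEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::sensitive-bucket",
        "arn:aws:s3:::sensitive-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/BreakGlassAdmin"
        }
      }
    }
  ]
}
```

Because the two condition keys are ANDed, the deny fires only for requests that neither arrived through the endpoint nor came from the break-glass role. Without that second key the policy is a classic lock-out: an explicit Deny in a bucket policy applies to every principal, including administrators working from the console or from a CI runner outside the VPC. Two further points explain why B beats A and C. Gateway endpoints for S3 and DynamoDB carry no hourly or per-GB charge, whereas an S3 interface endpoint (PrivateLink, option A) is billed per AZ-hour and per GB, so A works but does not minimize cost. Option C still routes through the NAT Gateway and the public S3 endpoint, and aws:SourceIp conditions on a VPC CIDR do not match traffic that leaves via NAT with a public address. The same gateway endpoint is the answer to the NAT data-processing question later on this page.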

Question 3

A company centralizes CloudTrail logs in an S3 bucket in a logging account. The security team requires tamper resistance, ensuring that administrators in member accounts cannot alter or delete logs. The company also needs the ability to prove log integrity during audits.

Which action will meet these requirements?

A. Enable versioning on the central S3 bucket.
B. Use CloudTrail log file validation and configure the S3 bucket policy to allow writes only from the CloudTrail service principal, denying deletes to everyone.
C. Store logs in CloudWatch Logs only and set retention to 10 years.
D. Encrypt the logs with SSE-S3.
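Worked example (added by the editor, not part of the original question set): the bucket policy described in option B. The bucket name, trail ARN and account ID are placeholders; the Allow statements are the standard ones CloudTrail needs, pinned to one trail with aws:SourceArn so a trail created in some other account cannot write into the bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::org-cloudtrail-logs",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::org-cloudtrail-logs/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
        }
      }
    },
    {
      "Sid": "DenyDeletesToEveryone",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::org-cloudtrail-logs",
        "arn:aws:s3:::org-cloudtrail-logs/*"
      ]
    }
  ]
}
```

Member-account administrators are kept out simply because no statement grants their accounts anything; the Deny exists to stop the logging account's own principals. Three things the option leaves implicit. Log file validation is a trail setting, not a bucket setting: with it on, CloudTrail writes signed digest files under AWSLogs/<account>/CloudTrail-Digest/, and `aws cloudtrail validate-logs` is what you run during the audit. The Deny above does not stop an overwrite with s3:PutObject, so either leave CloudTrail as the only writer (as here) and enable versioning, or, for a stronger guarantee, turn on S3 Object Lock in compliance mode. And anyone who can edit this bucket policy can remove the Deny, so the logging account itself should be covered by an SCP that denies s3:PutBucketPolicy and s3:DeleteBucketPolicy on the log bucket.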

Question 4

A fintech company must allow a third-party auditor to review only CloudTrail logs in a centralized S3 bucket. Access must be temporary, prefix-scoped, and immediately revocable, with no changes to the application. (Choose two.)

A. Create an IAM role in the logging account with a trust policy for the auditor’s AWS account, allowing only s3:GetObject on the CloudTrail prefix.
B. Create an IAM user in the logging account and share access keys with the auditor.
C. Use an S3 Access Point scoped to the CloudTrail prefix and allow the auditor to assume a role permitted to access the access point.
D. Enable S3 static website hosting and provide pre-signed URLs to requested objects.
E. Replicate the CloudTrail logs to an S3 bucket in the auditor’s account.
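Worked example (added by the editor, not part of the original question set): option A as a CloudFormation resource, so that the trust policy and the prefix-scoped permissions sit side by side. The auditor's account ID, the external ID value, the bucket name and the role names are placeholders.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AuditorReadOnlyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "CloudTrailAuditorReadOnly",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::444455556666:role/AuditorAccess" },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": { "sts:ExternalId": "REPLACE-WITH-SHARED-SECRET" }
              }
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "ReadCloudTrailPrefixOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "ListOnlyUnderTheCloudTrailPrefix",
                  "Effect": "Allow",
                  "Action": "s3:ListBucket",
                  "Resource": "arn:aws:s3:::org-cloudtrail-logs",
                  "Condition": { "StringLike": { "s3:prefix": "AWSLogs/*" } }
                },
                {
                  "Sid": "GetObjectsUnderTheCloudTrailPrefix",
                  "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::org-cloudtrail-logs/AWSLogs/*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```

The trust policy names the auditor's role rather than their account root, and the external ID protects against the confused-deputy case where a second customer of the same auditor tricks them into assuming this role. Revocation has two layers: deleting the role or its trust statement stops new sessions immediately, but credentials already issued remain valid until MaxSessionDuration expires, which is why it is kept at one hour; to cut those off as well, attach a Deny with a `DateLessThan` condition on `aws:TokenIssueTime` (this is what the console's "Revoke active sessions" button does). If the trail is encrypted with SSE-KMS, the role additionally needs kms:Decrypt on that key. Option C is the same idea with an S3 Access Point as the scoping boundary: the s3:GetObject resource would then be the access point ARN instead of the bucket. Option B is a standing credential with no session expiry, D exposes objects outside IAM entirely, and E copies the data into an account the company no longer controls.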

Question 5

A company uses AWS KMS customer managed keys to encrypt S3 and EBS data. The security team wants to ensure that administrators in application accounts cannot decrypt production data without explicit approval from the security team, which manages keys in a separate security account.

Which solution meets these requirements with the least risk of unauthorized access?

A. Allow the application account administrators to manage the key policy and rely on IAM policies to restrict decryption.
B. Use CloudTrail alerts for kms:Decrypt and remove access after detection.
C. Use SSE-S3 instead of SSE-KMS so AWS manages encryption keys.
D. Keep KMS keys in the security account, use a key policy that grants decrypt only to a tightly controlled security role, and require applications to access data through approved roles.

Question 6

A web application processes user requests synchronously and writes results to a database. During sudden traffic spikes, the database becomes overloaded, causing request timeouts. The business requirement is that no user requests may be lost, even if processing is delayed.

What should a solutions architect do to meet this requirement?

A. Increase the database instance size.
B. Place an Amazon SQS queue between the application and the database writer.
C. Enable Multi-AZ on the database.
D. Add read replicas to the database.

Question 7

An application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. Each request can take several minutes to process. During scale-in events, some in-flight requests fail even though the instances are healthy.

What should a solutions architect do to prevent request failures during scale-in?

A. Increase the Auto Scaling group cooldown period.
B. Enable sticky sessions on the Application Load Balancer.
C. Increase the target group deregistration delay.
D. Increase the EC2 instance size.

Question 8

An Auto Scaling group hosts a stateful application that must complete cleanup tasks before it is terminated. The cleanup logic can take several minutes, and termination must not proceed until it finishes. The solution must be automated.

What should a solutions architect implement?

A. Store application state on instance store volumes.
B. Increase the Auto Scaling group cooldown period.
C. Configure Auto Scaling lifecycle hooks with a completion signal.
D. Enable termination protection on instances.

Question 9

A global application runs active workloads in two AWS Regions. Amazon Route 53 uses latency-based routing. During a partial outage in one Region, that Region continues to receive traffic even though the application there is returning errors.

What should a solutions architect do to ensure traffic is routed only to healthy application endpoints?

A. Replace latency-based routing with weighted routing.
B. Configure Route 53 health checks to evaluate an application-level health endpoint.
C. Add more EC2 instances in the affected Region.
D. Enable CloudWatch alarms on HTTP 5xx errors.

Question 10

A serverless event-driven architecture processes events from multiple producers. The system must automatically retry transient failures and ensure that failed events are not lost, allowing them to be reprocessed later with minimal custom code.

Which solution best meets these requirements?

A. Use Amazon SNS and implement retry logic in subscriber code.
B. Use Amazon EventBridge with retry policies and a dead-letter queue (DLQ).
C. Log failed events to Amazon CloudWatch Logs.
D. Place an Application Load Balancer in front of Lambda functions.
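Worked example (added by the editor, not part of the original question set): option B as CloudFormation resources. The event source name and the queue and rule names are placeholders, and the Lambda function ProcessOrderFunction, together with the AWS::Lambda::Permission that lets EventBridge invoke it, is assumed to be defined elsewhere in the same template.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "OrderEventsDlq": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "order-events-dlq",
        "MessageRetentionPeriod": 1209600,
        "SqsManagedSseEnabled": true
      }
    },
    "OrderEventsRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "EventPattern": { "source": ["com.example.orders"] },
        "State": "ENABLED",
        "Targets": [
          {
            "Id": "ProcessOrderFunction",
            "Arn": { "Fn::GetAtt": ["ProcessOrderFunction", "Arn"] },
            "RetryPolicy": {
              "MaximumRetryAttempts": 10,
              "MaximumEventAgeInSeconds": 3600
            },
            "DeadLetterConfig": {
              "Arn": { "Fn::GetAtt": ["OrderEventsDlq", "Arn"] }
            }
          }
        ]
      }
    },
    "OrderEventsDlqPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [{ "Ref": "OrderEventsDlq" }],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "OnlyThisRuleMayWriteToTheDlq",
              "Effect": "Allow",
              "Principal": { "Service": "events.amazonaws.com" },
              "Action": "sqs:SendMessage",
              "Resource": { "Fn::GetAtt": ["OrderEventsDlq", "Arn"] },
              "Condition": {
                "ArnEquals": {
                  "aws:SourceArn": { "Fn::GetAtt": ["OrderEventsRule", "Arn"] }
                }
              }
            }
          ]
        }
      }
    }
  }
}
```

The queue policy is the part people forget: EventBridge delivers to the DLQ as the events.amazonaws.com service principal, so without it the dead-letter delivery itself fails silently, and the aws:SourceArn condition stops any other rule or account from writing junk into the queue. The retention period is set to the 14-day maximum so events survive a long outage before they are replayed. One scope caveat: this DLQ captures events that EventBridge could not deliver to the target (throttling, missing permission, target unavailable). Once Lambda has accepted an event asynchronously, a failure inside the function is handled by Lambda's own retries and on-failure destination, not by this queue, so a complete design configures both.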

Question 11

A telemetry ingestion system receives events from thousands of devices. The system must process events in order per device, while still scaling horizontally to handle traffic spikes.

Which solution best meets these requirements?

A. Send all events to a single Amazon SQS standard queue.
B. Use Amazon Kinesis Data Streams with the device ID as the partition key.
C. Publish events to Amazon SNS and fan out to multiple consumers.
D. Store events in Amazon S3 and process them with batch jobs.

Question 12

A mobile application reads user profile data from a relational database. The same profiles are frequently requested within short time windows, causing high read load and increased response latency.

What should a solutions architect do to improve performance without changing the database?

A. Increase the database instance size.
B. Introduce an in-memory cache with appropriate TTL and invalidation logic.
C. Enable Multi-AZ for the database.
D. Add additional read replicas.

Question 13

An analytics application performs large, parallel file-based computations. During processing, the workload requires very high-throughput shared storage. After processing, results must be stored durably and be quickly retrievable for reprocessing.

Which solution best meets these requirements?

A. Use Amazon EFS for processing and Amazon S3 for long-term storage.
B. Use Amazon FSx for Lustre integrated with Amazon S3.
C. Use Amazon EBS volumes attached to each instance and synchronize files manually.
D. Process data directly in Amazon S3 using multiple EC2 instances.

Question 14

A trading application requires single-digit millisecond read latency, high write throughput, and automatic failover. The dataset is frequently updated and must remain available during infrastructure failures.

Which solution best meets these requirements?

A. Amazon ElastiCache for Memcached
B. Amazon ElastiCache for Redis in a single Availability Zone
C. Amazon MemoryDB for Redis with Multi-AZ configuration
D. Amazon RDS with read replicas

Question 15

A company uses Amazon CloudFront to serve static assets from Amazon S3. Assets are updated frequently, resulting in frequent cache invalidations and reduced cache hit ratios.

What should a solutions architect recommend to improve cache efficiency?

A. Reduce CloudFront TTL values.
B. Disable caching for frequently updated objects.
C. Version asset filenames and use long TTLs.
D. Enable S3 Transfer Acceleration.

Question 16

A workload runs continuously, 24/7, with predictable CPU and memory usage. The company expects the workload to run for at least 18 months. However, the team wants flexibility to change EC2 instance families if performance characteristics change.

Which pricing model provides the lowest cost while preserving flexibility?

A. On-Demand Instances
B. Standard Reserved Instances for a specific instance family
C. Compute Savings Plans
D. Spot Instances

Question 17

A company stores application logs in Amazon S3. Access patterns are:

  • Frequent reads for the first 30 days

  • Rare access for the next 12 months

  • Compliance retention requirement of 7 years

  • Retrieval within 12 hours is acceptable after the first year

Which storage strategy minimizes cost while meeting access requirements?

A. Store all logs in S3 Standard for 7 years.

B. Use a lifecycle policy: S3 Standard → S3 Standard-IA → S3 Glacier Deep Archive.

C. Transition logs directly to S3 Glacier Deep Archive after 30 days.

D. Store logs in Amazon EFS with lifecycle management.
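Worked example (added by the editor, not part of the original question set): the lifecycle configuration for option B, in the shape accepted by `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://lifecycle.json`. The prefix is a placeholder.

```json
{
  "Rules": [
    {
      "ID": "app-logs-tiering-and-7-year-retention",
      "Status": "Enabled",
      "Filter": { "Prefix": "logs/" },
      "Transitions": [
        { "Days": 30, "StorageClass": "STANDARD_IA" },
        { "Days": 395, "StorageClass": "DEEP_ARCHIVE" }
      ],
      "Expiration": { "Days": 2557 },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
    }
  ]
}
```

The day counts map directly to the requirements: 30 days in Standard for the frequent-read window, 365 more days in Standard-IA (395 from creation), then Deep Archive, whose standard retrieval completes within 12 hours. Expiration is set to 2557 days rather than 2555 so that two leap days cannot shorten the retention below seven years. Two cost checks before adopting this for logs specifically: Standard-IA bills a 128 KB minimum per object and a 30-day minimum duration, so very small log files should be batched or compacted before upload or they will cost more in IA than in Standard, and Deep Archive has a 180-day minimum, so avoid transitioning objects that will be restored and deleted sooner. Lifecycle expiration only deletes on schedule; it does nothing to prevent deletion before the seven years are up. If the compliance requirement means the logs must be undeletable, pair this rule with S3 Object Lock and a matching retention period.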

Question 18

An application runs in private subnets and frequently accesses Amazon S3 and Amazon DynamoDB. The architecture uses a NAT Gateway for outbound traffic. The monthly AWS bill shows unexpectedly high NAT data processing charges.

What should a solutions architect do to reduce cost without reducing security or changing the application?

A. Add interface VPC endpoints for both S3 and DynamoDB.

B. Add Gateway VPC endpoints for Amazon S3 and Amazon DynamoDB.

C. Replace the NAT Gateway with a NAT instance.

D. Move workloads to public subnets and assign public IP addresses.

Question 19

A batch workload runs nightly for 4 hours. The workload can tolerate interruptions and checkpoints progress every 5 minutes. The company wants to minimize compute cost while maintaining reliable completion.

Which approach best meets these requirements?

A. Use On-Demand instances with Auto Scaling.

B. Use Reserved Instances sized for the batch workload.

C. Use Spot Instances with diversified instance types and capacity-optimized allocation.

D. Rewrite the workload to run on AWS Lambda.

Question 20

A VPC spans three Availability Zones. Each AZ has its own NAT Gateway. Most outbound traffic consists of OS updates and package downloads. The company wants to reduce costs and accepts reduced resilience during rare AZ outages.

What should a solutions architect recommend?

A. Reduce subnet sizes to lower NAT Gateway costs.

B. Use a single shared NAT Gateway and update route tables accordingly.

C. Attach an Internet Gateway directly to private subnets.

D. Use VPC peering to route traffic through another VPC’s NAT Gateway.