IAM policy structure + statement structure
-A policy consists of
• Version: policy language version, always include "2012-10-17"
• Id: an identifier for the policy (optional)
• Statement: one or more individual statements (required)
-Statements consist of
• Sid: an identifier for the statement (optional)
• Effect: whether the statement allows or denies access (Allow, Deny)
• Principal: account/user/role to which this policy applies
• Action: list of actions this policy allows or denies
• Resource: list of resources to which the actions apply
• Condition: conditions for when this policy is in effect (optional)
Which HIPAA-compliant in-memory database supports caching the results of SQL queries?
ElastiCache for Redis/Memcached
Why should I use ElastiCache?
Amazon ElastiCache is an ideal front-end for data stores such as Amazon RDS, providing a high-performance middle tier for applications with extremely high request rates and/or low latency requirements. The best part of caching is that it's minimally invasive to implement and by doing so, your application performance regarding both scale and speed is dramatically improved.
Do Read Replicas lower latency?
No
Spread placement group limitations
A rack spread placement group supports a maximum of seven running instances per Availability Zone.
Can Direct Connect connect to tools in the same AWS Region?
Yes
With Amazon Aurora Multi-AZ how can we lower?
Set up a read replica and modify the application to use the appropriate endpoint
AWS Transit Gateway does what?
connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.
Key points of consideration when using AWS Lambda (the big 3)
1. If you intend to reuse code in more than one AWS Lambda function, you should consider creating an AWS Lambda Layer for the reusable code
2. By default, AWS Lambda functions always operate from an AWS-owned VPC and hence have access to any public internet address or public AWS APIs. Once an AWS Lambda function is VPC-enabled, it will need a route through a Network Address Translation gateway (NAT gateway) in a public subnet to access public resources
3. Since AWS Lambda functions can scale extremely quickly, it's a good idea to deploy an Amazon CloudWatch alarm that notifies your team when function metrics such as ConcurrentExecutions or Invocations exceed the expected threshold
S3 Transfer Acceleration
Amazon S3 Transfer Acceleration (Amazon S3TA) is a bucket-level feature that enables fast, easy, and secure transfers of files over long distances between your client and an Amazon S3 bucket.
How to transfer data between two buckets in separate Regions
1. Copy data from the source bucket to the destination bucket using the aws s3 sync command
2. Set up Amazon S3 Batch Replication to copy objects across Amazon S3 buckets in another Region using the S3 console, and then delete the replication configuration
What is AWS Global Accelerator vs CloudFront?
CloudFront uses Edge Locations to cache content while Global Accelerator uses Edge Locations to find an optimal pathway to the nearest regional endpoint. Global Accelerator can use UDP.
What is the difference between S3 Standard-IA and S3 One Zone-IA?
S3 One Zone-IA stores data in a single AZ and costs 20% less than S3 Standard-IA
Before transitioning an object to S3 Standard-IA or S3 One Zone-IA, how long does it have to exist in S3?
30 days
How to ensure data is encrypted in flight from RDS
Configure Amazon RDS to use SSL for data in transit
What is versioning on an Amazon S3 bucket?
Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning-enabled buckets enable you to recover objects from accidental deletion or overwrite.
What is a VPC Endpoint?
enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink
AWS Database Migration Service
AWS DMS enables you to seamlessly migrate data from supported sources to relational databases, data warehouses, streaming platforms, and other data stores in the AWS cloud.
You can use it for data streams.
RDS Custom
Allows a database administrator (DBA) to access and customize the database environment and the underlying operating system
How to store key-value pairs in AWS
DynamoDB to save them, Lambda to process them
NAT Gateway
A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.
NAT instances
A NAT instance provides network address translation (NAT). You can use a NAT instance to allow resources in a private subnet to communicate with destinations outside the virtual private cloud (VPC), such as the internet or an on-premises network. The resources in the private subnet can initiate outbound IPv4 traffic to the internet, but they can't receive inbound traffic initiated on the internet
GuardDuty looks over what?
VPC Flow Logs, Domain Name System (DNS) logs, AWS CloudTrail events, and data stored in Amazon S3
When using DynamoDB which caching option should we use?
DAX
AWS Global Accelerator
provides you with static IP addresses that serve as a fixed entry point to your applications hosted in one or more AWS Regions
Amazon FSx for Lustre
high-performance file system.
Amazon Macie
is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data on Amazon S3.
How to speed up Kinesis Data Streams
Use the Enhanced Fan-Out feature
Amazon API Gateway vs load balancers: which can throttle requests?
Amazon API Gateway
With increasing load, the Amazon ECS cluster is experiencing higher network usage. The development team has looked into the network usage and found that 90% of it is due to distributing static content of the application. How can we lower the network usage?
Distributing the static content through Amazon S3 allows us to offload most of the network usage to Amazon S3 and free up our applications running on Amazon ECS.
When should I use EFS over EBS?
The current architecture is using two separate EBS volumes, one for each EC2 instance. This means that each instance only has a subset of the documents. When a user refreshes the website, the Application Load Balancer will randomly direct them to one of the two instances. If the user's documents are not on the instance that they are directed to, they will not be able to see them.
AWS SSM Parameter Store
provides secure, hierarchical storage for configuration data management and secrets management. Does not rotate passwords or keys
AWS Network Firewall
AWS Network Firewall is a managed firewall service that provides filtering for both inbound and outbound network traffic. It allows you to create rules for traffic inspection and filtering, which can help protect your production VPC.
Does Amazon QuickSight support IAM to view dashboards?
No
What can trigger a lambda function?
Elastic Load Balancing (Application Load Balancer)
Amazon Cognito
Amazon Lex
Amazon Alexa
Amazon API Gateway
Amazon CloudFront (Lambda@Edge)
Amazon Kinesis Data Firehose
Amazon Simple Storage Service
Amazon Simple Notification Service
Amazon Simple Email Service
AWS CloudFormation
Amazon CloudWatch Logs
Amazon CloudWatch Events
AWS CodeCommit
AWS Config
Amazon Kinesis
Amazon SQS
Amazon DynamoDB Streams
Gateway Load Balancer
operates at the third layer of the Open Systems Interconnection (OSI) model, the network layer. It listens for all IP packets across all ports and forwards traffic to the target group that's specified in the listener rule.
AWS Cost Explorer
easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time
AWS Config
is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Which load balancer supports UDP?
NLB
Real-time solutions imply
Amazon Kinesis Data Streams
AWS Systems Manager Session Manager
With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs). You can use either an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and logs with node access details, while providing end users with simple one-click cross-platform access to your managed nodes. To get started with Session Manager, open the Systems Manager console. In the navigation pane, choose Session Manager.
CloudFront is more cost-effective than Global Accelerator
True
Burstable performance instance class
Means better CPU
Provisioned IOPS SSD
Means better I/O
Gateway VPC Endpoint
provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Data transfer between the VPC and the service through a gateway VPC endpoint is free of charge
Instance Store
a storage volume that acts as a physical hard drive.
EFS pros
Securely and reliably access your files with a fully managed file system designed for 99.999999999 percent (11 9s) durability and up to 99.99 percent (4 9s) of availability
AWS Systems Manager
an operations management service that provides a unified user interface so one can easily track and manage system configurations, patch installations, and operating statuses of your AWS resources.
A company has more than 5 TB of file data on Windows file servers that run on premises. Users and applications interact with the data each day. The company is moving its Windows workloads to AWS. As the company continues this process, the company requires access to AWS and on-premises file storage with minimum latency. The company needs a solution that minimizes operational overhead and requires no significant changes to the existing file access patterns. The company uses an AWS Site-to-Site VPN connection for connectivity to AWS.
Deploy and configure Amazon FSx for Windows File Server on AWS. Deploy and configure an Amazon FSx File Gateway on premises. Move the on-premises file data to the FSx File Gateway. Configure the cloud workloads to use FSx for Windows File Server on AWS. Configure the on-premises workloads to use the FSx File Gateway.
The visibility timeout in SQS
In the case of SQS with multiple consumers, if one consumer has already picked up the message and is processing it, another consumer could in the meantime pick it up and process the message too, thereby adding two copies at the end. To avoid this, the message is made invisible from the time it is picked up and is deleted after processing.
Site-to-Site VPN
Interconnects two sites, as an alternative to a leased line, at a reduced cost.
For high availability, should we use multiple Regions?
No, usually Multi-AZ should be enough; most strategies only use Multi-AZ
Does NLB have health checks?
Yes, but they point to an IP address, not a DNS name
Can DynamoDB use EBS?
No, that is for non-serverless objects
When connecting a bastion host in a public subnet to an EC2 instance in a private subnet, what should we do?
Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.
Since they are in the same VPC, they can share IPs
When should I use AWS Database Migration Service?
When working with RDS and you want to transfer data in
When should I use AWS Glue?
AWS Glue could do ETL by itself, so don't need lambda.
DynamoDB point-in-time recovery
is used to recover your table to any point in time in a rolling 35-day window. For longer time periods, use AWS Backup to create backup schedules and retention policies for the table.
Re-look at
https://www.examtopics.com/exams/amazon/aws-certified-solutions-architect-associate-saa-c03/view/8/ (you got 4/10 right)
NAT Gateways vs NAT Instances
Same thing, but NAT Gateways are newer, so when we have both choices use those
To automate the process of transferring the data from the on-premises SFTP server to an EC2 instance with an EFS file system, you can use
AWS DataSync. AWS DataSync is a fully managed data transfer service that simplifies, automates, and accelerates transferring data between on-premises storage systems and Amazon S3, Amazon EFS, or Amazon FSx for Windows File Server. To use AWS DataSync for this task, you should first install an AWS DataSync agent in the on-premises data center. This agent is a lightweight software application that you install on your on-premises data source. The agent communicates with the AWS DataSync service to transfer data between the data source and target locations.
AWS Shield Advanced can only be attached to
services such as CloudFront, Route 53, Global Accelerator, LB or (in the most direct way using) Elastic IP (attached to the EC2 instance)
Can a Lambda be triggered from RDS?
Only through an Amazon RDS Proxy
AWS Fargate
run containers without having to manage servers or clusters of Amazon EC2 instances.
NAT Gateway VS VPC endpoint
The VPC Endpoint does not use the public internet while the NAT Gateway does
You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by
creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance
Can a NLB use HTTP or HTTPS listeners?
No
Can a ALB use HTTP or HTTPS listeners?
Yes
Spot vs On demand instances
Cost is a significant factor when choosing between spot and on-demand instances. Spot instances can provide substantial cost savings, often up to 90% compared to on-demand pricing. On the other hand, while on-demand instances are more expensive, they provide more stability and predictability.
A NAT gateway is
You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.
S3 Intelligent-Tiering
automatically stores objects in three access tiers: one tier optimized for frequent access, a lower-cost tier optimized for infrequent access, and a very-low-cost tier optimized for rarely accessed data.
Instance store vs EBS
Amazon EC2 Instance Store is suited for temporary storage needs where high performance and low latency are critical. Amazon EBS, on the other hand, is ideal for long-term data storage with better durability and accessibility features.
An Origin Access Identity
used for sharing private content via CloudFront.
CloudFront vs Global Accelerator
CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS protection.
Reserved vs dedicated instances
A dedicated instance is an EC2 instance that runs on hardware dedicated to a single AWS customer account. A reserved instance, on the other hand, is a billing discount model where you commit to using specific instance types in a particular region for a one- or three-year term in exchange for a discounted hourly rate.
AWS Control Tower
used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS best practices.
AWS Control Tower orchestration extends the capabilities of AWS Organizations.
AWS Organizations
an account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage. With Organizations, you can create member accounts and invite existing accounts to join your organization.
S3 Governance Mode
Only users with special permissions can overwrite, delete, or alter object lock settings
S3 Compliance Mode
No user, including the root user in an AWS account, can overwrite, delete, or alter object lock settings
With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS and ......
Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it.
Are objects in the Parameter Store encrypted?
Yes and they must be decrypted before use.
What does AWS WAF protect?
CloudFront, ALB, API Gateway
What does Shield protect?
Load Balancer, CloudFront, Route53
If you need to rotate keys which service should you use?
AWS KMS
AWS Elastic Beanstalk for testing
Has URL Swapping
Amazon ElastiCache for Memcached
a Memcached-compatible, in-memory, key-value store service that can be used as a cache or a data store.
Amazon ElastiCache for Redis
Better than memcached
Amazon Pinpoint
an AWS service that you can use to engage with your customers across multiple messaging channels.
When should I use SSE-S3?
When the keys only need to be rotated once a year
What can we attach SGs to?
Amazon EC2 instances
Services that launch EC2 instances:
AWS Elastic Beanstalk
Amazon Elastic MapReduce
Services that use EC2 instances (without appearing directly in the EC2 service):
Amazon RDS (Relational Database Service)
Amazon Redshift
Amazon ElastiCache
Amazon CloudSearch
Elastic Load Balancing
Lambda
Add the EC2 types here
Can a VPC span multiple Availability Zones?
Yes
Simple routing policy
Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website. You can use simple routing to create records in a private hosted zone.
Failover routing policy
Use when you want to configure active-passive failover. You can use failover routing to create records in a private hosted zone.
Geolocation routing policy
Use when you want to route traffic based on the location of your users. You can use geolocation routing to create records in a private hosted zone.
Geoproximity routing policy
Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another location. You can use geoproximity routing to create records in a private hosted zone.
Latency routing policy
Use when you have resources in multiple AWS Regions and you want to route traffic to the Region that provides the best latency. You can use latency routing to create records in a private hosted zone.
IP-based routing policy
Use when you want to route traffic based on the location of your users, and have the IP addresses that the traffic originates from.
Multivalue answer routing policy
Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random. You can use multivalue answer routing to create records in a private hosted zone.
Weighted routing policy
Use to route traffic to multiple resources in proportions that you specify. You can use weighted routing to create records in a private hosted zone.