📋 AWS Config - SAA-C03 Practice Questions

AWS Config tracks resource configurations and compliance. Learn about config rules, conformance packs, remediation actions, and multi-account aggregation.

How AWS Config Is Really Tested in SAA-C03

AWS Config questions are compliance-state visibility and remediation design questions. The exam expects you to detect configuration drift from policy and respond consistently across accounts.

SAA-C03 often pairs Config with CloudTrail and Organizations for governance at scale. The right answer usually includes both detection and corrective action flow.

Strong governance answers use rules and conformance packs to codify standards rather than relying on periodic manual audits.

AWS Config governance patterns commonly tested in SAA-C03

| Decision Point | Option A | Option B | Exam Takeaway |
| Compliance assessment model | Config rules with continuous evaluation against policy baselines | Manual periodic checks without continuous state tracking | Continuous compliance monitoring scenarios usually indicate AWS Config rule usage. |
| Multi-account governance rollout | Organization-wide aggregator and standardized conformance packs | Independent account-by-account rule definitions | Large environments typically require centralized aggregation for visibility and governance consistency. |
| Remediation strategy | Automated remediation actions for known drift conditions | Ticket-only remediation with no automated correction path | For repeatable drift cases, automated remediation is often favored for speed and reliability. |

Security baseline enforcement across enterprise accounts

A platform team must ensure encryption and logging controls stay compliant across many AWS accounts and detect violations quickly.

  • Define Config rules aligned to mandatory security baselines.
  • Aggregate findings centrally for governance and reporting.
  • Automate remediation for common non-compliant resource states.
  • Integrate findings with security operations alerting workflows.

Common Exam Trap: Relying only on annual audit checks without continuous rule evaluation is usually an insufficient compliance strategy.

SAA-C03 AWS Config Question Bank (32 Questions)

Browse all 32 practice questions covering AWS Config for the SAA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 - Design Secure Architectures

    A distributed application experiences latency from repeated small reads of configuration data. You want to improve performance without changing client code. Which AWS-managed solution is most suitable?

    A. Use DynamoDB global tables and require code changes to query DynamoDB.
    B. Use Amazon ElastiCache (Redis) as a cache in front of the config store and configure read-through caching with a managed client library so clients continue to read from the same endpoint.
    C. Store configs in S3 and rely on eventual consistency.
    D. Hard-code configuration into containers.

  2. Question 2 - Design Resilient Architectures

    A database requires high IOPS performance and fault tolerance against volume failures. The application can handle block-level redundancy management. Which EBS configuration provides both performance and resilience?

    A. Single io2 Block Express volume with maximum IOPS provisioning.
    B. RAID 0 (striping) across multiple gp3 volumes for performance only.
    C. RAID 1 (mirroring) across multiple io2 volumes for redundancy only.
    D. RAID 10 (striped mirroring) combining RAID 0 and RAID 1 across multiple volumes.

  3. Question 3 - Design Secure Architectures

    A Lambda function in a VPC needs to access both an RDS database in a private subnet and an external API on the internet. Which network configuration allows both connections?

    A. Place Lambda in private subnets with a NAT Gateway for internet access.
    B. Place Lambda in public subnets with an Internet Gateway.
    C. Use VPC endpoints for both RDS and external API access.
    D. Configure Lambda outside the VPC and use VPC peering for database access.

  4. Question 4 - Design Secure Architectures

    A security team needs to analyze network traffic patterns to identify potential threats and compliance violations. The analysis should include source/destination IPs, ports, and protocols. Which logging configuration provides the required visibility?

    A. Enable VPC Flow Logs at the VPC level capturing accepted and rejected traffic.
    B. Configure CloudTrail to log all VPC API calls and network changes.
    C. Use AWS Config to monitor VPC security group and NACL changes.
    D. Deploy Amazon Inspector agents to monitor network traffic on instances.

  5. Question 5 - Design Secure Architectures

    A client application connects to an RDS PostgreSQL database and must encrypt all data in transit to meet compliance requirements. Which configuration ensures end-to-end encryption?

    A. Enable RDS encryption at rest only; use application-level encryption for transit.
    B. Force SSL connections in RDS parameter group; configure client applications to use SSL.
    C. Use VPC endpoints to encrypt traffic between client and RDS.
    D. Enable RDS Multi-AZ deployment for encrypted replication.

  6. Question 6 - Mixed

    A company wants all Amazon EC2 instances to automatically join its AWS Directory Service managed Active Directory domain at launch. The solution must minimize manual configuration. What should the solutions architect recommend?

    A. Configure an AWS Systems Manager State Manager association that joins instances to the domain by using the AWS-JoinDirectoryServiceDomain document.
    B. Create a cron job on each instance that runs the netdom command at startup.
    C. Launch instances in a public subnet and use AWS Client VPN to join the domain.
    D. Use IAM roles attached to the instances to request temporary credentials for the domain join.

  7. Question 7 - Mixed

    A media company uses Amazon S3 to store video archives. Access patterns show that objects are frequently accessed during the first month and rarely accessed afterward. The company wants to minimize storage cost while keeping data immediately available. What lifecycle configuration should the solutions architect recommend?

    A. Transition objects to S3 Standard-Infrequent Access after 30 days and keep them there indefinitely.
    B. Move objects to S3 Glacier Instant Retrieval after 30 days.
    C. Archive objects to S3 Glacier Deep Archive after 30 days.
    D. Transition objects to S3 One Zone-Infrequent Access immediately upon upload.

  8. Question 8 - Mixed

    A relational database running on an Amazon RDS MySQL instance must withstand an AZ failure with minimal downtime. Which configuration should be used?

    A. RDS Single-AZ
    B. RDS Multi-AZ
    C. RDS Read Replica in a different region
    D. RDS with Provisioned IOPS

  9. Question 9 - Mixed

    An application needs to store configuration data that can be accessed by multiple services. The data should be encrypted and support versioning. Which service should be used?

    A. Amazon S3
    B. AWS Systems Manager Parameter Store
    C. AWS Secrets Manager
    D. Amazon DynamoDB

  10. Question 10 - Design High-Performing Architectures

    A company runs a web application that experiences traffic spikes during product launches. The application must scale quickly without over-provisioning. Which Auto Scaling configuration is MOST appropriate?

    A. Scheduled scaling before product launches
    B. Target tracking scaling with CPU utilization target
    C. Step scaling with multiple scaling steps
    D. Simple scaling with cooldown periods

  11. Question 11 - Design High-Performing Architectures

    An application experiences variable traffic with sudden spikes. The application must scale quickly without over-provisioning. Which Auto Scaling configuration is MOST appropriate?

    A. Scheduled scaling
    B. Target tracking scaling
    C. Step scaling
    D. Simple scaling

  12. Question 12 - Design High-Performing Architectures

    A research lab runs a tightly coupled High Performance Computing (HPC) workload on EC2 instances. The application relies on very low network latency and high internal bandwidth between nodes for MPI (Message Passing Interface) communication. Which network configuration is required?

    A. Launch instances in a Cluster Placement Group and use an Elastic Fabric Adapter (EFA).
    B. Launch instances in a Spread Placement Group and use an Elastic Network Adapter (ENA).
    C. Launch instances in a Partition Placement Group in a single Availability Zone.
    D. Use a Transit Gateway to interconnect the instances with high bandwidth.

  13. Question 13 - Design High-Performing Architectures

    A company wants to keep a copy of their recently accessed files on-premises for low-latency access, but needs unlimited storage capacity and wants to offload older data to AWS S3 automatically. Which Storage Gateway configuration fits?

    A. File Gateway
    B. Volume Gateway - Stored Mode
    C. Volume Gateway - Cached Mode
    D. Tape Gateway

  14. Question 14 - Design High-Performing Architectures

    A media processing application uses up to 2,000 EC2 instances in parallel to process video files stored on Amazon EFS. The application is hitting the throughput limit of the file system, causing delays. What configuration change can alleviate this?

    A. Change the EFS Performance Mode to "Max I/O".
    B. Change the EFS Throughput Mode to "Provisioned".
    C. Implement EFS Lifecycle Management to move files to Infrequent Access.
    D. Use EBS Provisioned IOPS volumes instead.

  15. Question 15 - Design High-Performing Architectures

    A developer builds a mobile app where users can browse content as guests but must sign in to post comments. The app needs temporary AWS credentials to access DynamoDB directly. Which Cognito configuration supports this?

    A. Use a Cognito User Pool with the "Enable Guest Access" setting.
    B. Use a Cognito Identity Pool with "Unauthenticated identities" enabled.
    C. Create a generic IAM user for guests and embed credentials in the app.
    D. Use API Gateway with a usage plan for guests.

  16. Question 16 - Design Secure Architectures

    A company with multiple AWS accounts under AWS Organizations needs to centralize security logs. The requirements are that logs from all member accounts must be sent to a single S3 bucket in a dedicated security account, and member accounts must not be able to stop or modify the logging configuration. Which solution is the most secure and efficient?

    A. In each member account, configure an AWS CloudTrail trail to send logs to the central S3 bucket.
    B. In the management account, create an Organization Trail that logs events for all accounts and delivers them to the S3 bucket in the security account.
    C. Develop a Lambda function that runs daily in each member account to copy logs to the central S3 bucket.
    D. Use AWS Config in each account to monitor for CloudTrail changes and send notifications to the security team.

  17. Question 17 - Design Secure Architectures

    An online game needs low-latency, ordered message processing for gameplay events. Which service and configuration is most appropriate?

    A. Use Amazon SQS Standard queues with many consumers to maximize throughput.
    B. Use Amazon SQS FIFO queues to preserve order and ensure exactly-once processing semantics with message group IDs; scale consumers accordingly.
    C. Use SNS topics only.
    D. Use Kinesis Data Firehose.

  18. Question 18 - Design Secure Architectures

    A site uses ALB with multiple EC2 instance types. Sessions must remain sticky for certain user workflows and latency must remain under 150 ms. Which ALB configuration best meets goals while maintaining resilience?

    A. Enable ALB sticky sessions (target group stickiness) with a reasonable duration and ensure health checks and autoscaling policies keep instance capacity to meet latency targets; avoid sticky session dependence for write operations by storing session state in ElastiCache or DynamoDB for failover.
    B. Use NLB for stickiness and use local session files on instance disks.
    C. Turn off health checks to keep instances registered.
    D. Hardcode user-to-instance routing in DNS.

  19. Question 19 - Design Secure Architectures

    An application needs predictable, low-latency I/O for database storage at scale. Which EBS configuration is most appropriate?

    A. Use gp2 volumes and rely on burst credits.
    B. Use io2 or io2 Block Express volumes with provisioned IOPS (PIOPS) sized to required IOPS and throughput, and place in appropriate instance types that support required EBS bandwidth.
    C. Use instance-store only volumes for persistence.
    D. Use EFS General Purpose NFS for high IOPS.

  20. Question 20 - Design Secure Architectures

    A team is using EBS gp3 volumes for general workloads and wants to reduce cost while maintaining required IOPS and throughput. Which gp3 configuration minimizes cost?

    A. Use default gp3 settings and increase instance size.
    B. Right-size gp3 IOPS and throughput independently from storage size to pay only for the IOPS and throughput you need while keeping storage capacity modest, and delete unused volumes and snapshots.
    C. Use io2 for all workloads.
    D. Use magnetic volumes.

  21. Question 21 - Design Secure Architectures

    During a regional outage, DNS failover must switch traffic from the primary region to a secondary region within seconds. Which Route 53 configuration gives rapid, health-checked failover with minimal complexity?

    A. Use Route 53 simple routing and manually update records.
    B. Use Route 53 health checks with weighted or failover routing policies and set low TTLs for the records; for multi-region active-active, use latency-based routing combined with health checks and automate failover.
    C. Use Route 53 only for internal names.
    D. Use a third-party DNS provider only.

  22. Question 22 - Design Resilient Architectures

    A critical single-instance application runs on EC2 with an Elastic IP and needs to maintain the same instance ID and network configuration if hardware fails. The application cannot be redesigned for multi-instance deployment. Which recovery strategy preserves the instance identity?

    A. Configure an Auto Scaling Group with min/max capacity of 1 and health checks.
    B. Create a CloudWatch alarm for `StatusCheckFailed_System` with an EC2 Auto Recovery action.
    C. Use AWS Systems Manager to automatically restart the instance on failure.
    D. Create an AMI snapshot every hour and restore manually when needed.

  23. Question 23 - Design Resilient Architectures

    A web application takes 8 minutes to fully initialize after boot (OS startup + application deployment + warm-up). The Auto Scaling Group terminates instances after 2 minutes because they fail the health check, creating an endless launch-terminate cycle. What configuration change resolves this?

    A. Increase the Health Check Grace Period to 600 seconds (10 minutes).
    B. Change the Health Check Type from EC2 to ELB.
    C. Reduce the instance boot time by using a larger instance type.
    D. Disable health checks during the scaling process.

  24. Question 24 - Design Resilient Architectures

    A financial application uses RDS MySQL and requires automatic failover with zero manual intervention during database failures. The application can tolerate 1-2 minutes of downtime but must maintain strong consistency. Which RDS configuration meets these requirements?

    A. Enable Multi-AZ deployment for automatic failover with synchronous replication.
    B. Create Read Replicas in multiple AZs and promote manually during failures.
    C. Enable automated backups and restore from snapshot during failures.
    D. Use RDS Proxy to handle connection management during failures.

  25. Question 25 - Design Resilient Architectures

    A Redis ElastiCache cluster stores session data for a web application. If the cluster fails, the application should automatically failover to minimize user logout events. Which configuration provides automatic failover capability?

    A. Enable Multi-AZ with Automatic Failover for ElastiCache Redis.
    B. Create multiple single-node clusters and use application-level load balancing.
    C. Use ElastiCache Memcached with cluster mode enabled.
    D. Enable backup and restore functionality for Redis clusters.

  26. Question 26 - Design Resilient Architectures

    A microservices application behind an ALB has an initialization endpoint `/health` that returns HTTP 200 only after the service is fully ready. During deployments, new instances should not receive traffic until they pass health checks. How should health check configuration ensure traffic routing accuracy?

    A. Set health check path to `/health` with 30-second intervals and 3 consecutive success thresholds.
    B. Use TCP health checks on port 80 instead of HTTP health checks.
    C. Configure health check grace period to match instance startup time.
    D. Disable health checks during deployment windows.

  27. Question 27 - Design Resilient Architectures

    An ALB target group contains 3 instances. During a deployment, 2 instances are temporarily unhealthy while updating. The ALB should continue serving traffic from the healthy instance. What target group configuration ensures continued availability?

    A. Set unhealthy threshold to 5 consecutive failures with 30-second intervals.
    B. Enable Connection Draining with 300-second delay.
    C. Configure health check path to a lightweight endpoint (e.g., `/ping`).
    D. Reduce healthy threshold to 1 consecutive success with 10-second intervals.

  28. Question 28 - Design Secure Architectures

    A company with 50 AWS accounts needs centralized CloudTrail logging. Security requirements mandate that individual account administrators cannot disable or modify logging for their accounts. Which CloudTrail configuration enforces this requirement?

    A. Create individual CloudTrails in each account with S3 bucket policies preventing modification.
    B. Create an Organization Trail in the management account with delivery to a security account S3 bucket.
    C. Use AWS Config to aggregate CloudTrail events from all accounts.
    D. Deploy CloudTrail using StackSets across all member accounts.

  29. Question 29 - Design Secure Architectures

    An application in a private subnet needs to access both S3 and a third-party SaaS service that supports AWS PrivateLink. Traffic must not traverse the public internet. Which VPC endpoint configuration is required?

    A. Create Gateway VPC Endpoints for both S3 and the SaaS service.
    B. Create Interface VPC Endpoints for both S3 and the SaaS service.
    C. Create a Gateway VPC Endpoint for S3 and an Interface VPC Endpoint for the SaaS service.
    D. Use a single NAT Gateway with security group restrictions for both services.

  30. Question 30 - Design Secure Architectures

    A TCP-based application requires load balancing with client IP preservation and protection against DDoS attacks. The application handles encryption at the application layer. Which load balancer configuration provides optimal security?

    A. Application Load Balancer with SSL/TLS termination and WAF integration.
    B. Network Load Balancer with client IP preservation and Shield Advanced protection.
    C. Classic Load Balancer with SSL termination and security groups.
    D. Application Load Balancer with connection draining and health checks.

  31. Question 31 - Design High-Performing Architectures

    A web application needs session storage that supports data persistence during cluster maintenance and provides high availability with automatic failover. Which ElastiCache engine and configuration provides these features?

    A. ElastiCache Memcached with cluster mode enabled.
    B. ElastiCache Redis with Multi-AZ and automatic failover enabled.
    C. ElastiCache Redis in cluster mode disabled with backup enabled.
    D. ElastiCache Memcached with multi-node configuration.

  32. Question 32 - Design High-Performing Architectures

    A REST API experiences high traffic for data that changes infrequently. Response times must be optimized while ensuring data accuracy. Which API Gateway caching configuration balances performance and accuracy?

    A. Enable API Gateway caching with TTL based on data update frequency and cache key parameters.
    B. Disable caching and optimize backend database performance instead.
    C. Use CloudFront in front of API Gateway for response caching.
    D. Implement application-level caching in Lambda functions behind API Gateway.


Key AWS Config Concepts for SAA-C03

config, configuration, compliance, config rule, conformance pack, remediation

SAA-C03 AWS Config Exam Tips

AWS Config questions in SAA-C03 are typically scenario-based. Focus on architecture trade-offs, resilience, and secure-by-default design choices. Priority concepts: config, configuration, compliance, config rule, conformance pack, remediation.

What SAA-C03 Expects

  • Anchor your answer in choosing the most reliable and cost-aware architecture pattern, not just a feature match.
  • AWS Config scenarios for SAA-C03 are frequently mapped to Domain 1 (30%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where AWS Config interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value AWS Config Concepts

  • Know the core AWS Config building blocks cold: config, configuration, compliance, config rule.
  • Review the edge-case features and limits for conformance pack, remediation; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how AWS Config pairs with CloudTrail, Organizations, IAM in real deployment patterns.
  • For SAA-C03, explain why the chosen AWS Config design meets reliability, security, and cost expectations better than the alternatives.

Common SAA-C03 Traps

  • Watch for answers that solve today's issue but do not scale across multiple AZs.
  • Questions in Design Secure Architectures often include distractors that look correct for AWS Config but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two AWS Config implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Design Secure Architectures (30%) outcomes for SAA-C03?
  • Can you explain security and access boundaries for AWS Config without relying on default-open assumptions?
  • Can you describe how AWS Config integrates with CloudTrail and Organizations during failure, scaling, and monitoring events?
