200+ Free AWS Solutions Architect Practice Questions

Pass your AWS Certified Solutions Architect – Associate (SAA-C03) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

~65% Pass Rate | 200+ Questions | 100% Free
Key Facts: AWS Solutions Architect Exam (2026 statistics)

  • Estimated pass rate: ~65% (industry estimate)
  • Passing score: 720/1000 (source: AWS)
  • Study time: 80-120 hrs (recommended)
  • Avg SAA salary: $159,933 (source: Global Knowledge)
  • Certifications held: 1.5M+ (source: AWS 2025)
  • Exam fee: $150 (source: AWS)

The AWS Solutions Architect Associate (SAA-C03) requires a scaled score of 720/1000 (approximately 72%) to pass. The exam has 65 questions (50 scored + 15 unscored) in 130 minutes. Domain 1 (Secure Architectures) is the largest at 30%, followed by Resilient (26%), High-Performing (24%), and Cost-Optimized (20%). AWS-certified Solutions Architects earn a median salary of $159,933/year according to Global Knowledge. The exam fee is $150.

Sample AWS Solutions Architect Practice Questions

Try these sample questions to test your AWS Solutions Architect exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. A company needs to allow an EC2 instance to read objects from an S3 bucket without embedding AWS credentials in the application. What is the recommended approach?
A. Store access keys in the EC2 instance user data
B. Assign an IAM role to the EC2 instance with the required S3 permissions
C. Create an IAM user, attach an S3 policy, and store the credentials in a config file
D. Enable public access on the S3 bucket
Explanation: IAM roles attached to EC2 instances provide temporary credentials automatically rotated by AWS, eliminating the need to manage long-term credentials. The instance profile delivers credentials via the Instance Metadata Service (IMDS), which is the AWS best-practice approach.

2. An IAM policy contains the following statement: `{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}`. A user has another policy that grants `s3:DeleteObject`. What happens when the user attempts to delete an S3 object?
A. The delete succeeds because the Allow policy takes precedence
B. The delete is denied because Deny always overrides Allow
C. The outcome depends on which policy was created first
D. The delete succeeds only if the user is an IAM admin
Explanation: In AWS IAM, an explicit Deny always overrides any Allow. The policy evaluation logic first checks for explicit Denies; if found, access is denied regardless of any Allow statements. This "Deny wins" rule is fundamental to AWS security design.

3. A developer needs temporary access to an AWS account owned by a different company to perform a security audit. Which IAM feature enables this without creating a permanent user in the target account?
A. IAM user with cross-account permissions
B. IAM cross-account role with an external ID
C. AWS Directory Service federation
D. Amazon Cognito identity pool
Explanation: IAM cross-account roles allow an entity from one AWS account to assume a role in another account using STS AssumeRole. Adding an external ID (a shared secret) prevents the "confused deputy" problem, where an attacker tricks a trusted third-party service into acting on their behalf.

4. A security team wants to ensure that no IAM principal in an AWS account can disable CloudTrail logging, even if they have full admin privileges. What is the most effective solution?
A. Apply an IAM policy to all users that denies cloudtrail:StopLogging
B. Use AWS Organizations Service Control Policies (SCPs) to deny cloudtrail:StopLogging
C. Enable MFA delete on the CloudTrail S3 bucket
D. Configure CloudTrail with a log file validation checksum
Explanation: Service Control Policies (SCPs) in AWS Organizations act as guardrails that restrict the maximum permissions available in member accounts, including those of account root users. An SCP denying cloudtrail:StopLogging cannot be overridden by any IAM policy in the member account, making it the strongest enforcement mechanism.

5. A company uses AWS Organizations with multiple accounts. A solutions architect needs to prevent developers in sandbox accounts from launching EC2 instances larger than t3.medium. Which approach satisfies this requirement with the least operational overhead?
A. Create IAM permission boundaries in each sandbox account
B. Apply an SCP at the Organizational Unit (OU) level that denies ec2:RunInstances for instance types larger than t3.medium
C. Use AWS Config rules to automatically terminate oversized instances
D. Configure IAM policies for every developer IAM user in each sandbox account
Explanation: SCPs applied at the OU level automatically apply to all current and future accounts in that OU, requiring no per-account or per-user configuration. SCPs can use condition keys like ec2:InstanceType to allow only specific instance sizes. This provides centralized governance with minimal operational overhead compared to managing per-account IAM policies.

6. What is the primary difference between a Security Group and a Network ACL (NACL) in Amazon VPC?
A. Security Groups operate at the subnet level; NACLs operate at the instance level
B. Security Groups are stateful and NACLs are stateless
C. NACLs support only Allow rules; Security Groups support both Allow and Deny
D. Security Groups apply to VPCs; NACLs apply to individual EC2 instances
Explanation: Security Groups are stateful — if inbound traffic is allowed, the response traffic is automatically allowed regardless of outbound rules. NACLs are stateless — both inbound and outbound rules must explicitly permit the traffic, including ephemeral ports for return traffic. Security Groups operate at the instance/ENI level; NACLs operate at the subnet level.

7. A web application runs on EC2 instances in a private subnet. The application must communicate with an external payment processor API over HTTPS. The company does not want to use a NAT Gateway due to cost concerns. Which solution allows outbound HTTPS while keeping instances private?
A. Attach an Internet Gateway directly to the private subnet
B. Use a VPC endpoint for the payment processor API
C. Place a NAT instance in a public subnet and configure the private subnet route table
D. Assign Elastic IP addresses to the EC2 instances
Explanation: A NAT instance (a self-managed EC2 instance with source/destination check disabled) in a public subnet can route outbound internet traffic for private subnet instances at lower cost than a NAT Gateway. VPC endpoints only work for AWS services; external APIs require a NAT. Assigning Elastic IPs requires moving instances to a public subnet.

8. A company needs to connect its on-premises data center to AWS securely using a private, dedicated connection that does NOT traverse the public internet. Which service should they use?
A. AWS Site-to-Site VPN
B. AWS Direct Connect
C. Amazon VPC Peering
D. AWS Transit Gateway
Explanation: AWS Direct Connect provides a dedicated, private physical network connection from an on-premises facility to AWS. Traffic never traverses the public internet, offering consistent latency, higher throughput, and reduced bandwidth costs compared to VPN. Site-to-Site VPN is encrypted but travels over the public internet. VPC Peering connects VPCs, not on-premises networks.

9. A three-tier web application has a web tier, application tier, and database tier. What is the best practice for network security group design?
A. Use a single shared security group for all three tiers to reduce management complexity
B. Each tier should only allow traffic from the security group of the tier directly in front of it
C. Allow all inbound traffic from the VPC CIDR range in each tier for simplicity
D. All tiers should share the same NACL to centralize firewall rules
Explanation: Defense in depth requires isolating each tier: the database security group should only allow traffic from the application tier's security group, not the entire VPC. This limits the blast radius if the web tier is compromised — attackers cannot directly reach the database. Referencing a security group ID (rather than a CIDR) in rules is more precise and easier to maintain.

10. A company stores sensitive customer data in Amazon S3. They require that all data be encrypted at rest using keys managed by the company, with full audit capability of every key usage event. Which encryption option meets these requirements?
A. SSE-S3 (Server-Side Encryption with Amazon S3-managed keys)
B. SSE-KMS with a customer-managed CMK
C. SSE-C (Server-Side Encryption with Customer-Provided Keys)
D. Client-side encryption with an on-premises key
Explanation: SSE-KMS with a customer-managed Customer Master Key (CMK) allows the company to manage key rotation policies, define key usage permissions via key policies, and view all key usage in AWS CloudTrail. Unlike SSE-S3, where AWS fully controls the keys, CMKs give the customer control over the encryption lifecycle and full auditability.
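An added example (not from this page or from AWS): a small Python model of the policy-evaluation rules behind questions 2, 4 and 5, showing that an explicit Deny beats an Allow and that an SCP Deny caps even an account admin. The policy documents, account ID and instance ARN are constructed, and the evaluator is a deliberate simplification of AWS's real logic (SCPs first, then explicit Deny, then Allow, else implicit deny).

```python
from fnmatch import fnmatchcase


def _matches(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and Condition all match the request."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    if not any(fnmatchcase(action, a) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in as_list(stmt.get("Resource", "*"))):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        for key, values in pairs.items():
            hit = ctx.get(key) in as_list(values)
            # As in IAM, StringNotEquals still matches when the key is absent from the request
            if (op == "StringEquals" and not hit) or (op == "StringNotEquals" and hit):
                return False
    return True


def evaluate(identity_policies, scps, action, resource, ctx=None):
    """Return 'ALLOW' or 'DENY' for one request (simplified model of IAM evaluation)."""
    ctx = ctx or {}
    effects = lambda pols: {s["Effect"] for p in pols for s in p["Statement"]
                            if _matches(s, action, resource, ctx)}
    scp = effects(scps)
    if "Deny" in scp or (scps and "Allow" not in scp):
        return "DENY"   # an SCP Deny (or missing SCP Allow) caps the whole account, admin included
    ident = effects(identity_policies)
    if "Deny" in ident:
        return "DENY"   # explicit Deny always overrides Allow (question 2)
    return "ALLOW" if "Allow" in ident else "DENY"  # no matching Allow: implicit deny


# Constructed policies mirroring questions 2, 4 and 5 (not real account data)
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
ALLOW_DELETE = {"Statement": [{"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "*"}]}
SANDBOX_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3.micro", "t3.small", "t3.medium"]}}}]}
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"  # constructed ARN

if __name__ == "__main__":
    print(evaluate([ALLOW_DELETE, DENY_DELETE], [], "s3:DeleteObject", "arn:aws:s3:::demo-bucket/key"))  # DENY
    print(evaluate([ADMIN], [SANDBOX_SCP], "cloudtrail:StopLogging", "*"))  # DENY
    print(evaluate([ADMIN], [SANDBOX_SCP], "ec2:RunInstances", INSTANCE, {"ec2:InstanceType": "m5.large"}))  # DENY
    print(evaluate([ADMIN], [SANDBOX_SCP], "ec2:RunInstances", INSTANCE, {"ec2:InstanceType": "t3.small"}))  # ALLOW
```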

About the AWS Solutions Architect Exam

The AWS Certified Solutions Architect – Associate (SAA-C03) validates your ability to design cost-effective, secure, resilient, and high-performing architectures on AWS. It is one of the most sought-after cloud certifications worldwide, held by over 1.5 million professionals. The exam covers IAM, VPC, EC2, S3, RDS, Lambda, and dozens of core AWS services across 4 architecture domains.

  • Questions: 65 scored questions
  • Time limit: 2 hours 10 minutes
  • Passing score: 720/1000
  • Exam fee: $150 (Amazon Web Services (AWS))

AWS Solutions Architect Exam Content Outline

  • Design Secure Architectures (30%): IAM policies, VPC security, encryption with KMS, WAF, Shield, GuardDuty, Organizations SCPs
  • Design Resilient Architectures (26%): Multi-AZ, Auto Scaling, Load Balancing, SQS/SNS, S3 replication, disaster recovery strategies
  • Design High-Performing Architectures (24%): EC2 selection, ElastiCache, EBS/EFS/FSx, Aurora, DynamoDB, Lambda, CloudFront, API Gateway
  • Design Cost-Optimized Architectures (20%): Reserved Instances, Savings Plans, Spot Instances, S3 lifecycle, Cost Explorer, Trusted Advisor

How to Pass the AWS Solutions Architect Exam

What You Need to Know

  • Passing score: 720/1000
  • Exam length: 65 questions
  • Time limit: 2 hours 10 minutes
  • Exam fee: $150

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

AWS Solutions Architect Study Tips from Top Performers

1. Focus on Domain 1 (Secure Architectures, 30%) — it's the largest domain; master IAM policies, VPC security groups vs NACLs, and encryption options
2. Know the key difference: RDS Multi-AZ is for high availability (synchronous standby), Read Replicas are for read scaling (asynchronous, readable)
3. Understand the 4 DR strategies (Backup & Restore → Pilot Light → Warm Standby → Multi-Site) and their RTO/RPO/cost tradeoffs
4. Master VPC fundamentals: public vs private subnets, Internet Gateway, NAT Gateway, VPC endpoints (Gateway vs Interface), security groups vs NACLs
5. Know when to use SQS vs SNS vs Kinesis vs EventBridge — these service selection questions appear frequently
6. Learn S3 storage classes and when to use each: Standard, Intelligent-Tiering, Standard-IA, Glacier Instant, Glacier Flexible, Deep Archive
7. Understand EC2 pricing models: On-Demand, Reserved Instances (Standard vs Convertible), Savings Plans (EC2 vs Compute), and Spot Instances
8. Complete 200+ practice questions and score 80%+ consistently before scheduling the exam

Frequently Asked Questions

What is the AWS Solutions Architect Associate pass rate?

The AWS Solutions Architect Associate (SAA-C03) exam has an estimated pass rate of around 65% for well-prepared candidates. AWS requires a scaled score of 720 out of 1000. The exam has 65 questions (50 scored + 15 unscored) in 130 minutes. Candidates with 1+ years of hands-on AWS experience and 2-3 months of focused study typically pass on their first attempt.

How many questions are on the AWS Solutions Architect Associate exam?

The SAA-C03 exam has 65 total questions: 50 scored questions and 15 unscored pretest questions. You have 130 minutes to complete the exam. Questions are either multiple choice (one correct answer) or multiple response (two or more correct answers). Approximately 70% of questions are scenario-based, presenting real-world architecture challenges.

What are the four domains of the SAA-C03 exam?

The four exam domains are: Domain 1 – Design Secure Architectures (30%): IAM, VPC security, encryption, WAF, GuardDuty; Domain 2 – Design Resilient Architectures (26%): HA, Auto Scaling, disaster recovery, SQS/SNS; Domain 3 – Design High-Performing Architectures (24%): compute, storage, databases, caching, serverless; Domain 4 – Design Cost-Optimized Architectures (20%): Reserved Instances, Savings Plans, Spot, S3 tiering.

How long should I study for the AWS Solutions Architect Associate?

Most candidates study for 6-12 weeks, investing 80-120 hours total. If you already have the Cloud Practitioner certification, 6-8 weeks is typical. Key study areas: 1) Hands-on labs in the AWS Free Tier for EC2, S3, VPC, RDS, and Lambda. 2) AWS Well-Architected Framework (all 6 pillars). 3) Practice questions — aim for 80%+ on practice exams before scheduling. 4) Study whitepapers: Architecting for the Cloud, Security Best Practices.

What AWS services are most important for the SAA-C03 exam?

Core services tested heavily: Compute (EC2 instance types, Auto Scaling, Lambda, ECS/Fargate); Storage (S3 storage classes, EBS volume types, EFS, Glacier); Database (RDS Multi-AZ vs Read Replica, Aurora, DynamoDB Global Tables, ElastiCache); Networking (VPC, subnets, NACLs vs Security Groups, Route 53, CloudFront, Direct Connect); Security (IAM roles vs users, KMS, WAF, Shield, GuardDuty); Architecture patterns (SQS/SNS fan-out, S3 presigned URLs, VPC endpoints).

What is the difference between RDS Multi-AZ and Read Replicas?

RDS Multi-AZ creates a synchronous standby replica in a different AZ for automatic failover (HA purpose; standby is not readable). RDS Read Replicas use asynchronous replication and are readable, used for read scaling. Multi-AZ protects against AZ failures with automatic failover in 60-120 seconds. Read Replicas can be in different regions (cross-region replication) and can be manually promoted to standalone databases for DR.

How is AWS Solutions Architect Associate different from Cloud Practitioner?

Cloud Practitioner (CLF-C02) is foundational — it tests conceptual cloud knowledge (what services exist, pricing basics). Solutions Architect Associate (SAA-C03) is architectural — it tests how to design systems using AWS services. SAA questions are scenario-based ('a company needs X; which architecture is best?') requiring deep service knowledge. SAA is significantly harder, requires 1+ years of hands-on experience, and is one of the top-paying IT certifications.