AWS SAA-C04 Practice Questions: 25 Free Sample Questions With Answers

The AWS SAA-C04 practice questions below are 25 scenario-based questions modeled on the actual exam format, covering all four domains — Design Secure Architectures (30%), Design Resilient Architectures (26%), Design High-Performing Architectures (24%), and Design Cost-Optimized Architectures (20%). Each question includes the correct answer and a detailed explanation of why the correct answer is right and why the other options are wrong.

These questions mirror the difficulty and style of the real SAA-C04 exam. The real exam gives you 65 questions in 130 minutes — roughly 2 minutes per question. Time yourself as you work through these to build exam pacing. For a complete exam format breakdown, see our SAA-C04 exam guide.


Domain 1: Design Secure Architectures (Questions 1-8)

Question 1

A financial services company stores sensitive customer data in Amazon S3. The company's compliance team requires that all objects in the bucket be encrypted at rest using encryption keys managed by the company's security team. The security team must be able to rotate the keys annually and audit key usage through AWS CloudTrail. Which encryption configuration meets these requirements?

A. Enable SSE-S3 default encryption on the bucket B. Enable SSE-KMS default encryption using an AWS-managed KMS key C. Enable SSE-KMS default encryption using a customer-managed KMS key D. Enable SSE-C and provide the encryption key with each PUT request

Correct Answer: C

Explanation: SSE-KMS with a customer-managed KMS key satisfies all three requirements. The security team manages the key (including creating key policies and controlling who can use it), they can configure automatic annual key rotation in KMS, and all key usage is logged in CloudTrail. SSE-S3 (A) uses Amazon-managed keys that the security team cannot control or rotate. SSE-KMS with an AWS-managed key (B) logs usage in CloudTrail but does not allow the security team to manage rotation schedules or key policies. SSE-C (D) requires the customer to provide the key with every request, adding operational complexity, and KMS auditing through CloudTrail does not apply to SSE-C.


Question 2

A company is designing a multi-account architecture using AWS Organizations. The security team wants to prevent any IAM user or role in development accounts from launching EC2 instances in the eu-west-1 region, while allowing all other regions. Which approach implements this restriction with the least operational overhead?

A. Create an IAM policy in each development account that denies ec2:RunInstances in eu-west-1 and attach it to all IAM users and roles B. Create an SCP attached to the development OU that denies ec2:RunInstances when the region is eu-west-1 C. Configure AWS Config rules in each development account to detect and terminate EC2 instances launched in eu-west-1 D. Create a Lambda function triggered by CloudTrail events that terminates any EC2 instance launched in eu-west-1

Correct Answer: B

Explanation: An SCP attached to the development OU is the correct approach because it enforces the restriction across all accounts in the OU without requiring individual account configuration. SCPs are preventive controls — they block the action before it happens. Option A requires creating and maintaining IAM policies in every development account and attaching them to every user and role, which is operationally heavy and error-prone. Options C and D are detective/reactive controls — they detect the violation after it happens and attempt remediation, which means instances briefly exist in the restricted region. The question asks for "least operational overhead," and a single SCP at the OU level satisfies that.


Question 3

An application running on Amazon EC2 instances in a private subnet needs to download software packages from the internet during deployment. The security team requires that the instances must NOT be directly accessible from the internet. Which solution allows outbound internet access while preventing inbound access?

A. Attach an internet gateway to the VPC and associate an Elastic IP with each instance B. Deploy a NAT gateway in a public subnet and update the private subnet route table to route internet traffic through the NAT gateway C. Create a VPC endpoint for the software package repository D. Attach the instances to a public subnet and configure security groups to block all inbound traffic

Correct Answer: B

Explanation: A NAT gateway in a public subnet provides outbound internet access for instances in private subnets while preventing inbound connections from the internet. The private subnet route table routes 0.0.0.0/0 traffic to the NAT gateway, which then forwards it to the internet gateway. Return traffic is allowed because NAT is stateful. Option A puts instances in a position to receive inbound traffic since Elastic IPs make them publicly addressable. Option C only works if the specific software repository has a VPC endpoint — most third-party package repositories do not. Option D is fundamentally flawed: instances in a public subnet have public IP addresses, and security groups are not a substitute for proper network architecture (security groups can be misconfigured).


Question 4

A development team stores application secrets (database passwords, API keys, third-party credentials) in plaintext configuration files deployed with their application. The security team wants to migrate these secrets to a managed service that supports automatic rotation, encryption at rest, and fine-grained access control through IAM policies. Which AWS service should they use?

A. AWS Systems Manager Parameter Store (Standard tier) B. AWS Systems Manager Parameter Store (Advanced tier) C. AWS Secrets Manager D. AWS KMS

Correct Answer: C

Explanation: AWS Secrets Manager is designed specifically for managing secrets with built-in automatic rotation (using Lambda rotation functions), encryption at rest using KMS, and IAM-based access control. It supports automatic rotation for RDS, Redshift, and DocumentDB credentials natively, and custom rotation for other secret types via Lambda. Parameter Store Standard (A) supports encryption via KMS but does NOT support automatic rotation. Parameter Store Advanced (B) adds higher throughput and parameter policies but still does not natively support automatic rotation. KMS (D) manages encryption keys, not application secrets — it encrypts data but does not store, retrieve, or rotate database passwords and API keys.


Question 5

A company runs a web application behind an Application Load Balancer (ALB). The security team discovered that the application is receiving HTTP requests with SQL injection patterns in query strings. They want to block these requests before they reach the application. Which solution addresses this requirement?

A. Configure the ALB to inspect request headers and drop malicious requests B. Deploy AWS WAF with an AWS-managed SQL injection rule set and associate it with the ALB C. Enable AWS Shield Advanced on the ALB D. Configure security groups on the EC2 instances to block requests containing SQL patterns

Correct Answer: B

Explanation: AWS WAF (Web Application Firewall) inspects HTTP/HTTPS requests at Layer 7 and can block requests matching SQL injection patterns using managed rule sets. AWS provides an AWS-managed SQL injection rule set that you can attach to an ALB with minimal configuration. Option A is incorrect because ALBs do not have built-in request inspection for SQL injection. Option C is incorrect because Shield Advanced protects against DDoS attacks, not application-layer attacks like SQL injection. Option D is incorrect because security groups operate at Layer 3/4 (IP and port) and cannot inspect request content like query strings.


Question 6

A company has a REST API deployed on Amazon API Gateway. The API serves mobile applications and must authenticate users via their existing identity provider (IdP) that supports OIDC. After authentication, the API needs to authorize requests based on the user's group membership. Which approach provides authentication and authorization with the least custom code?

A. Use an API Gateway Lambda authorizer that validates tokens and checks group membership B. Use an Amazon Cognito user pool as the API Gateway authorizer with Cognito groups mapped to IAM roles C. Use IAM authentication with temporary credentials obtained via the IdP D. Implement authentication logic in the backend Lambda functions

Correct Answer: B

Explanation: A Cognito user pool can federate with the existing OIDC identity provider, handle authentication, and use Cognito groups for authorization — all with minimal custom code. API Gateway natively integrates with Cognito user pools as an authorizer. Users authenticate via the OIDC IdP through Cognito, receive tokens with group claims, and API Gateway validates those tokens automatically. Option A works but requires writing and maintaining custom Lambda authorizer code, which violates "least custom code." Option C requires significant custom code to exchange IdP tokens for temporary AWS credentials. Option D pushes authentication into business logic, which is an anti-pattern that increases attack surface and code complexity.


Question 7

An application stores user profile images in Amazon S3. The images must be accessible only through the company's CloudFront distribution, not directly via S3 URLs. Which configuration prevents direct S3 access while allowing CloudFront to serve the images?

A. Make the S3 bucket public and add a bucket policy restricting access to the CloudFront distribution's IP ranges B. Configure an Origin Access Control (OAC) on the CloudFront distribution and update the S3 bucket policy to allow access only from the OAC C. Enable S3 Transfer Acceleration and route all requests through CloudFront D. Create a VPC endpoint for S3 and route CloudFront through the VPC

Correct Answer: B

Explanation: Origin Access Control (OAC) is AWS's current recommended method for restricting S3 access to CloudFront. With OAC, CloudFront signs requests to S3 using the OAC identity, and the S3 bucket policy allows access only from that OAC. Direct S3 URLs return 403 Forbidden. Option A is insecure — making the bucket public and restricting by IP ranges is fragile and does not prevent access if CloudFront IP ranges change. Note that AWS deprecated Origin Access Identity (OAI) in favor of OAC, so if you see OAI in older study materials, OAC is the current answer. Option C is unrelated — Transfer Acceleration speeds up uploads to S3 and has nothing to do with access control. Option D is architecturally incorrect — CloudFront is not a VPC-based service and cannot route through VPC endpoints.


Question 8

A company needs to enable AWS CloudTrail logging across all 15 accounts in its AWS Organization. Logs must be stored in a centralized S3 bucket in the security account, encrypted with a KMS key managed by the security team, and protected against deletion. Which combination of actions meets these requirements? (Select THREE.)

A. Create an organization trail in the management account that logs events from all accounts B. Create individual trails in each of the 15 accounts pointing to the centralized S3 bucket C. Configure the centralized S3 bucket with a bucket policy allowing CloudTrail from the organization to write logs D. Enable S3 Object Lock in compliance mode on the centralized bucket E. Enable S3 versioning on the centralized bucket without Object Lock F. Configure the trail to use the security team's customer-managed KMS key for encryption

Correct Answer: A, D, F

Explanation: An organization trail (A) automatically logs events from all accounts in the organization — no need to create individual trails per account. The S3 bucket policy for organization trails is automatically configured by AWS when you create the trail. S3 Object Lock in compliance mode (D) prevents anyone, including the root user, from deleting or overwriting log files during the retention period, which satisfies "protected against deletion." Option F enables encryption with the security team's KMS key. Option B is operationally heavy and unnecessary when organization trails exist. Option C is handled automatically by the organization trail setup. Option E provides versioning but does not prevent deletion — an administrator could still delete versions.


Domain 2: Design Resilient Architectures (Questions 9-14)

Question 9

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer across two Availability Zones. The application uses an Amazon RDS MySQL database in a Multi-AZ deployment. The company's RTO is 4 hours and RPO is 1 hour. A regional disaster has been identified as a risk. Which disaster recovery strategy meets these requirements at the lowest cost?

A. Multi-site active-active with a full production environment in a second region B. Warm standby with a scaled-down version of the production environment in a second region C. Pilot light with the database replicated to a second region and AMIs copied for quick EC2 launch D. Backup and restore with automated backups stored in a second region

Correct Answer: C

Explanation: Pilot light meets the 4-hour RTO and 1-hour RPO at the lowest cost among the options that satisfy the requirements. In pilot light, the core infrastructure (database) runs in the second region via an RDS cross-region read replica, and EC2 AMIs are pre-copied. During failover, you promote the read replica and launch EC2 instances from the AMIs — achievable within 4 hours. The RPO is determined by the replication lag of the read replica, which is typically minutes, well within the 1-hour RPO. Option A (multi-site active-active) exceeds requirements and is the most expensive option. Option B (warm standby) also meets requirements but is more expensive than pilot light because it runs a scaled-down environment continuously. Option D (backup and restore) is cheapest but typically has RTO of 12-24 hours and RPO based on backup frequency, which may not meet the 1-hour RPO.


Question 10

An e-commerce application experiences traffic spikes during daily flash sales (10x normal traffic for 30 minutes). The application runs on EC2 instances in an Auto Scaling group behind an ALB. During the last flash sale, the application experienced degraded performance for the first 5 minutes because new instances took too long to launch and pass health checks. How should the team prevent this?

A. Increase the minimum capacity of the Auto Scaling group to handle peak traffic at all times B. Configure a scheduled scaling action to increase capacity 10 minutes before each flash sale C. Switch to target tracking scaling with a lower CPU threshold D. Use a predictive scaling policy based on historical traffic patterns

Correct Answer: B

Explanation: Scheduled scaling is the correct answer because the flash sales occur at known times. By increasing capacity 10 minutes before the sale, instances are already launched, warmed up, and passing health checks before traffic arrives. Option A handles peak traffic but wastes money during the 23.5 hours per day of normal traffic. Option C reduces the scaling threshold but does not solve the cold-start delay — reactive scaling still takes minutes to launch and warm instances. Option D (predictive scaling) works for patterns that are consistent but may not be precise enough for exact daily flash sale times. Scheduled scaling gives deterministic pre-warming, which is what the scenario requires.


Question 11

A company's application uses Amazon SQS to decouple its order processing system. The processing Lambda function occasionally fails due to transient errors. Failed messages must be retried up to 3 times before being moved to a separate queue for manual investigation. How should this be configured?

A. Configure the SQS queue with a redrive policy that moves messages to a dead-letter queue after 3 receives B. Add retry logic in the Lambda function code with a counter stored in DynamoDB C. Create a CloudWatch alarm that triggers a Lambda function to move failed messages D. Configure Lambda destinations for failures to send messages to a second SQS queue

Correct Answer: A

Explanation: An SQS redrive policy (also called a dead-letter queue policy) automatically moves messages to a designated dead-letter queue (DLQ) after the message has been received (and not deleted) a specified number of times — in this case, 3. This is the native SQS mechanism for handling repeatedly failed messages. Each time the Lambda function fails to process a message, it returns to the queue and increments the receive count. After 3 failed processing attempts, SQS moves it to the DLQ. Option B works but adds unnecessary complexity and a DynamoDB dependency. Option C is reactive and may miss messages between alarm intervals. Option D sends a notification about the failure but does not handle the retry mechanism — Lambda destinations fire once per invocation, not per retry.


Question 12

A company runs a three-tier web application: web servers in a public subnet, application servers in a private subnet, and an RDS database in a private subnet. The application servers need to call a third-party payment API over the internet. The security team requires all outbound traffic to be inspected. Which architecture meets these requirements?

A. Deploy a NAT gateway and route application subnet traffic through it B. Deploy AWS Network Firewall in the VPC and route traffic through it before the NAT gateway C. Configure VPC Flow Logs to monitor all outbound traffic D. Use a VPC endpoint to reach the third-party payment API

Correct Answer: B

Explanation: AWS Network Firewall provides stateful inspection of outbound traffic, including packet-level inspection, domain filtering, and intrusion prevention. Placing it in the traffic path before the NAT gateway ensures all outbound internet traffic from the application subnet is inspected. Option A provides outbound access but does not inspect traffic. Option C monitors and logs traffic but does not inspect or block it — Flow Logs are passive. Option D only works for AWS services with VPC endpoints — third-party payment APIs do not have VPC endpoints.


Question 13

A media company stores video files in Amazon S3 with cross-region replication enabled to a bucket in a secondary region. The company discovers that when they delete a video from the primary bucket, it is also deleted from the replica bucket. For compliance reasons, deleted files must be retained in the replica for 7 years. How should they modify their configuration?

A. Enable versioning on both buckets and configure lifecycle policies to retain deleted objects for 7 years B. Disable delete marker replication in the cross-region replication rule C. Enable S3 Object Lock on the replica bucket D. Create a separate backup of the replica bucket using AWS Backup

Correct Answer: B

Explanation: By default, S3 cross-region replication replicates delete markers, which causes objects to appear deleted in the replica when they are deleted in the primary. Disabling delete marker replication means deletes in the primary do not propagate to the replica — the original object remains intact in the secondary region. This is the simplest solution. Option A retains deleted versions but adds complexity with lifecycle management. Option C prevents deletion entirely, which may be too restrictive for operational needs beyond compliance. Option D adds unnecessary cost and complexity when the native replication feature handles the requirement.


Question 14

A global application serves users in North America, Europe, and Asia. The application is deployed in us-east-1. European and Asian users report latency of 300-500ms per request. The application reads from an Amazon DynamoDB table that must remain consistent across regions. Which solution reduces latency for all users while maintaining data consistency?

A. Deploy the application in three regions and use Route 53 latency-based routing B. Enable DynamoDB global tables and deploy the application in eu-west-1 and ap-southeast-1 in addition to us-east-1 C. Place Amazon CloudFront in front of the application and cache API responses at edge locations D. Use AWS Global Accelerator to route users to the us-east-1 deployment

Correct Answer: B

Explanation: DynamoDB global tables provide multi-region, multi-active replication with single-digit millisecond read latency in each region. By deploying the application in three regions with DynamoDB global tables, each user is served by the closest region with local read access. Global tables handle replication with eventual consistency across regions (typically under 1 second). Option A requires the application to be deployed in multiple regions but does not address the database — all reads would still go to us-east-1 unless the database is also replicated. Option C only helps for cacheable, static content — dynamic database reads cannot be cached at edge locations without stale data risks. Option D improves network routing but still sends all traffic to us-east-1, so the fundamental latency issue remains.


Domain 3: Design High-Performing Architectures (Questions 15-20)

Question 15

A machine learning team runs batch processing jobs that analyze 10 TB of data stored in Amazon S3. Each job runs for 2-4 hours and requires high sequential read throughput from local storage. The data is reprocessed weekly, and the team can tolerate restarting a job if it fails. Which EC2 storage configuration provides the highest throughput at the lowest cost?

A. EBS io2 volumes with provisioned IOPS B. EBS gp3 volumes with increased throughput setting C. Instance store volumes on a storage-optimized instance (i3 family) D. Amazon EFS with max I/O performance mode

Correct Answer: C

Explanation: Instance store volumes provide the highest sequential read throughput of any EC2 storage option because the storage is physically attached to the host. Storage-optimized instances (i3 family) offer NVMe SSD instance stores with sequential read throughput exceeding 16 GB/s. Since the data is reprocessed weekly and the team tolerates restarts, the ephemeral nature of instance store is acceptable — data loss on instance stop/termination is not a concern because the source data resides in S3 and can be re-copied. Options A and B (EBS volumes) provide lower throughput than instance store and incur ongoing storage costs. Option D (EFS) provides shared storage but at lower throughput than local NVMe and with higher per-GB cost.


Question 16

A company is migrating a PostgreSQL database from on-premises to AWS. The database is 500 GB and handles 50,000 transactions per second at peak. The application requires read replicas for analytics queries. Which AWS database service meets these requirements with the least operational overhead?

A. Amazon RDS for PostgreSQL with Multi-AZ and read replicas B. Amazon Aurora PostgreSQL with read replicas C. Self-managed PostgreSQL on EC2 instances with streaming replication D. Amazon DynamoDB with a PostgreSQL-compatible access pattern

Correct Answer: B

Explanation: Amazon Aurora PostgreSQL is purpose-built for high-throughput transactional workloads. It provides up to 5x the throughput of standard PostgreSQL, supports up to 15 read replicas with millisecond replication lag, and is fully managed (automatic patching, backups, failover). For 50,000 TPS, Aurora's distributed storage architecture handles the throughput without the manual tuning required by standard RDS PostgreSQL. Option A (RDS PostgreSQL) supports read replicas but may struggle at 50,000 TPS without significant instance sizing and tuning. It also has higher replication lag than Aurora. Option C works but requires managing replication, patching, backups, and failover manually — significant operational overhead. Option D is not compatible — DynamoDB is a key-value/document store and cannot serve as a PostgreSQL replacement without complete application rewrite.


Question 17

A video streaming application needs to deliver content to global users with low latency. Video files are stored in Amazon S3. The most popular 20% of videos account for 80% of requests. Which caching strategy provides the best performance at the lowest cost?

A. Deploy an ElastiCache Redis cluster in each region to cache video files B. Use Amazon CloudFront with S3 as the origin, with default TTL settings C. Copy the most popular videos to S3 buckets in each region and use Route 53 latency routing D. Use AWS Global Accelerator to route requests to the nearest S3 bucket

Correct Answer: B

Explanation: CloudFront is designed for exactly this use case — caching content at 400+ edge locations worldwide. The popular 20% of videos will be cached at edge locations after the first request, serving subsequent requests with single-digit millisecond latency from cache without returning to S3. CloudFront only charges for data transfer from edge locations, which is cheaper than data transfer directly from S3 to the internet. Option A (ElastiCache) is designed for database query caching, not serving large video files — it would be expensive and architecturally wrong. Option C (multi-region S3 copies) works but costs significantly more than CloudFront because you are paying for storage in every region plus managing synchronization. Option D improves routing but does not cache content — it only optimizes the network path to the origin.


Question 18

A real-time analytics application ingests 100,000 events per second from IoT devices. Each event is 1 KB. The data must be available for querying within 60 seconds of ingestion. The analytics team queries the data using SQL. Which architecture meets these requirements?

A. Amazon Kinesis Data Streams → Lambda (transformation) → Amazon Redshift B. Amazon Kinesis Data Streams → Kinesis Data Firehose → Amazon S3, queried by Amazon Athena C. Amazon SQS → Lambda → Amazon DynamoDB, queried by DynamoDB PartiQL D. Direct HTTPS ingestion into Amazon RDS PostgreSQL

Correct Answer: B

Explanation: Kinesis Data Streams handles 100,000 events/second ingestion. Kinesis Data Firehose buffers and delivers data to S3 within 60 seconds (configurable buffer interval of 60-900 seconds). Athena provides serverless SQL queries directly on S3 data without managing any infrastructure. This architecture scales horizontally, and Athena handles SQL queries natively. Option A could work but Redshift requires managing a cluster and has higher costs — the 60-second latency requirement does not justify a dedicated data warehouse. Option C (SQS to DynamoDB) works for ingestion but DynamoDB is not optimized for ad-hoc SQL analytics. Option D (direct to RDS) would collapse under 100,000 events/second — RDS PostgreSQL cannot handle that ingestion rate on a single instance without extreme optimization.


Question 19

An application runs on EC2 instances in an Auto Scaling group and makes frequent API calls to a relational database. During performance testing, the database CPU reaches 90% under load, while the application servers remain at 30% CPU. Most database queries are read operations retrieving product catalog data that changes once per hour. Which solution reduces database load most effectively?

A. Scale up the RDS instance to a larger instance type B. Add RDS read replicas and distribute read traffic across them C. Deploy an ElastiCache Redis cluster and cache product catalog query results with a 1-hour TTL D. Switch from RDS to DynamoDB for the product catalog

Correct Answer: C

Explanation: ElastiCache Redis with a 1-hour TTL directly addresses the root cause: repeated read queries for data that only changes hourly. Caching query results eliminates those reads from hitting the database entirely, reducing CPU from 90% dramatically. With a 1-hour TTL matching the data change frequency, the cache stays fresh. Option A (scaling up) addresses the symptom but not the cause — the database is doing unnecessary work serving identical results repeatedly. Option B (read replicas) distributes the load but still processes every query against a database, which is wasteful when the data is static for an hour. Option D requires a complete data model redesign and application rewrite, which is disproportionate to the problem. Caching is the surgical fix.


Question 20

A company needs to run a high-performance computing (HPC) workload that requires low-latency, high-bandwidth communication between EC2 instances. The workload uses MPI (Message Passing Interface) and involves 50 instances communicating simultaneously. Which EC2 configuration optimizes network performance between instances?

A. Place all instances in a spread placement group across multiple Availability Zones B. Place all instances in a cluster placement group in a single Availability Zone C. Place all instances in a partition placement group with 7 partitions D. Distribute instances across multiple regions and use AWS Global Accelerator

Correct Answer: B

Explanation: A cluster placement group places instances on the same underlying hardware rack within a single AZ, enabling the lowest latency and highest bandwidth between instances. Combined with Elastic Fabric Adapter (EFA), this provides the network performance required for MPI workloads. Option A (spread) deliberately places instances on different hardware to maximize fault isolation — the opposite of what HPC needs. Option C (partition) distributes instances across isolated fault domains, which increases latency between partitions. Option D (multi-region) introduces the highest possible latency between instances. For HPC/MPI workloads, co-location is essential.


Domain 4: Design Cost-Optimized Architectures (Questions 21-25)

Question 21

A company stores 100 TB of log data in Amazon S3 Standard. Analysis shows: logs from the last 30 days are accessed daily, logs from 31-90 days are accessed weekly, logs from 91-365 days are accessed monthly, and logs older than 365 days are never accessed but must be retained for 7 years per regulation. Which S3 lifecycle configuration minimizes storage costs?

A. Move to S3 Standard-IA after 30 days, S3 Glacier Flexible Retrieval after 90 days, S3 Glacier Deep Archive after 365 days B. Move to S3 One Zone-IA after 30 days, S3 Glacier Instant Retrieval after 90 days, delete after 365 days C. Use S3 Intelligent-Tiering for all data D. Keep all data in S3 Standard and use S3 Object Lock for retention

Correct Answer: A

Explanation: This lifecycle policy matches each access pattern to the cheapest appropriate storage class. S3 Standard-IA (30-90 days) costs less than Standard for infrequently accessed data while maintaining millisecond access needed for weekly queries. Glacier Flexible Retrieval (90-365 days) costs significantly less and supports monthly access with retrieval times of 3-5 hours (acceptable for monthly analysis). Glacier Deep Archive (after 365 days) is the cheapest option for data that is never accessed but must be retained — exactly the 7-year compliance requirement. Option B uses One Zone-IA, which has lower durability (single AZ) — risky for compliance data. It also deletes data after 365 days, violating the 7-year retention requirement. Option C (Intelligent-Tiering) adds a per-object monitoring fee that is costly at 100 TB scale when you already know the access patterns. Option D is the most expensive because Standard storage costs apply to all 100 TB indefinitely.


Question 22

A development team runs 20 EC2 instances for testing during business hours (8 AM to 6 PM, Monday through Friday). The instances are idle on weekends and overnight. The testing workload can tolerate instance interruptions, as tests can be restarted. Which purchasing strategy minimizes cost?

A. On-Demand instances running 24/7 B. On-Demand instances with scheduled start/stop using AWS Instance Scheduler C. Spot Instances with scheduled start/stop using AWS Instance Scheduler D. 1-year Reserved Instances with no upfront payment

Correct Answer: C

Explanation: Combining Spot Instances (up to 90% discount vs On-Demand) with scheduled start/stop eliminates both the pricing premium and the idle-time waste. The workload explicitly tolerates interruptions, making it an ideal Spot candidate. Running only during business hours (50 hours/week vs 168 hours/week) reduces running time by 70%. Option A is the most expensive — full price, running 24/7. Option B reduces running time but still pays full On-Demand rates during business hours. Option D commits to a year of 24/7 running at a moderate discount (~30-40%), which is less savings than Spot + scheduling even though Reserved Instances are cheaper per-hour than On-Demand.


Question 23

A company uses a NAT gateway to provide internet access to EC2 instances in private subnets. The instances make frequent API calls to Amazon S3 and Amazon DynamoDB, generating significant data processing charges through the NAT gateway. How can the company reduce these costs without changing the application?

A. Replace the NAT gateway with a NAT instance on a t3.micro EC2 instance B. Create gateway VPC endpoints for S3 and DynamoDB C. Move the EC2 instances to a public subnet D. Enable VPC peering to the S3 and DynamoDB VPCs

Correct Answer: B

Explanation: Gateway VPC endpoints for S3 and DynamoDB are free to create and use — they route traffic directly to these services through the AWS network without going through the NAT gateway. This eliminates NAT gateway data processing charges ($0.045/GB) for all S3 and DynamoDB traffic. Since S3 and DynamoDB are the most common destinations for VPC traffic, this can dramatically reduce NAT gateway costs. Option A (NAT instance) reduces the gateway hourly charge but still incurs data processing costs and introduces management overhead and lower availability. Option C exposes instances to the internet, which is a security regression. Option D is incorrect — S3 and DynamoDB are AWS services, not VPC-hosted services, so VPC peering does not apply.


Question 24

A startup runs a web application on a single m5.xlarge On-Demand instance (4 vCPU, 16 GB RAM). CloudWatch metrics show average CPU utilization of 10% and average memory utilization of 15%. The application serves 500 requests per minute with average response time of 200ms. The CTO wants to reduce infrastructure costs. Which recommendation is most appropriate?

A. Purchase a 1-year Reserved Instance for the m5.xlarge B. Switch to a t3.medium instance (2 vCPU, 4 GB RAM) with burstable performance C. Migrate the application to AWS Lambda behind API Gateway D. Switch to a Spot Instance

Correct Answer: B

Explanation: The metrics show the instance is massively over-provisioned — 10% CPU and 15% memory utilization on a 4 vCPU/16 GB instance means the workload needs approximately 0.4 vCPU and 2.4 GB RAM. A t3.medium (2 vCPU, 4 GB RAM) provides ample headroom at roughly half the cost. The t3 burstable model is appropriate because the low average utilization indicates the workload is not CPU-intensive, and CPU credits will accumulate during idle periods for occasional spikes. Option A locks in savings on an oversized instance — the right move is to right-size first, then consider reservations. Option C may work but introduces architectural complexity for a simple web application and may not reduce costs if Lambda cold starts affect the 200ms response time requirement. Option D is inappropriate for a web application that needs consistent availability — Spot instances can be terminated with 2 minutes notice.


Question 25

A data engineering team runs a daily ETL job that processes 500 GB of CSV files from S3, transforms the data, and loads it into Amazon Redshift. The job currently runs on a persistent EMR cluster with 10 r5.xlarge instances that runs 24/7. The ETL job takes 3 hours to complete. Which change reduces cost the most?

A. Switch the EMR cluster to use Spot Instances for the core nodes B. Terminate the EMR cluster after the job completes and launch a new cluster each day before the job runs C. Replace EMR with AWS Glue ETL jobs D. Reduce the cluster to 5 r5.xlarge instances and accept longer job duration

Correct Answer: B

Explanation: The cluster runs 24/7 but the job only takes 3 hours — the cluster is idle 87.5% of the time (21 out of 24 hours). Launching a transient EMR cluster that starts before the job, processes for 3 hours, and terminates after completion eliminates 87.5% of compute costs. EMR supports transient clusters natively. You can automate cluster creation with Step Functions or a scheduled Lambda function. Option A (Spot for core nodes) reduces per-hour cost but still wastes money on 21 idle hours. Option C (Glue) could work but Glue has different pricing characteristics and may not be cheaper for 500 GB jobs — it charges per DPU-hour and the migration effort is significant. Option D reduces cost by 50% but still wastes money on idle hours. Transient clusters are the primary cost optimization for batch EMR workloads.


How to Use These Practice Questions

Scoring Your Results

Count your correct answers and calculate your percentage:

Score Percentage Assessment
20-25 80-100% Strong — you are likely ready for the exam
17-19 68-76% Borderline — review weak domains before scheduling
13-16 52-64% Needs work — study for 2-4 more weeks
Below 13 Below 52% Significant gaps — complete a structured study plan

Analyzing Your Mistakes

For each wrong answer, identify the pattern:

  • Did you misread the question? Look for constraint words you missed: "lowest cost," "least operational overhead," "without changing application code."
  • Did you lack service knowledge? If you did not know what a service does, add it to your study list.
  • Did you choose a solution that works but is not the BEST answer? The exam often has two answers that technically work — the correct answer is the one that best matches all stated constraints.

Next Steps

These 25 questions sample across all four domains. For comprehensive preparation, combine practice questions with hands-on labs and structured study. Start with our complete SAA-C04 study plan, review the SAA-C04 exam format guide for exam-day strategy, and explore our free cloud courses for guided hands-on projects.

FAQ

Are these questions from the actual AWS exam?

No. These are independently created practice questions designed to match the format, difficulty, and topic coverage of the SAA-C04. Sharing actual exam questions violates the AWS certification NDA. However, these questions are based on the published SAA-C04 exam guide and content outline, covering the same services and scenario patterns you will encounter on exam day.

How many practice questions should I complete before taking the exam?

Complete at least 200-300 practice questions from multiple sources before scheduling your exam. Use questions from at least 3 different providers to avoid memorizing one provider's question patterns. The goal is consistent 80%+ accuracy on timed practice sets.

Why do some questions have two answers that seem correct?

This mirrors the real exam. AWS designs questions where multiple solutions technically work, but one is the BEST answer based on the stated constraints. Read the question requirements carefully — phrases like "lowest cost," "least operational overhead," or "most secure" narrow the correct answer to the option that best satisfies those specific constraints.

Should I study every service mentioned in these questions?

Yes. Every service mentioned in these practice questions appears in the SAA-C04 exam content outline. At minimum, you should know what each service does, when to use it, and how it compares to similar services. For the core services (EC2, S3, VPC, RDS, Lambda, IAM), you need deeper configuration-level knowledge.

How do these domain-weighted questions compare to the real exam?

The real exam has 50 scored questions distributed across domains: approximately 15 for Domain 1, 13 for Domain 2, 12 for Domain 3, and 10 for Domain 4. This practice set has 8 Domain 1 questions, 6 Domain 2 questions, 6 Domain 3 questions, and 5 Domain 4 questions — proportionally aligned with the exam blueprint.

Key Takeaway

Practice questions train you to identify the constraint words in each scenario (lowest cost, least overhead, most secure) and eliminate answers that violate those constraints — aim for 80%+ accuracy on timed practice sets across all four domains before scheduling your exam.

You might also like