Solutions Architect Associate · 30% of the exam

Design Secure Architectures: free practice questions

5 sample questions from our 75-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real AWS exam.

1. A company uses AWS CloudTrail across all regions with a multi-region trail that delivers logs to a centralized S3 bucket. A security analyst discovers that CloudTrail logs for several recent API calls are missing. What are the TWO MOST likely causes? (Select TWO)

  • A. The S3 bucket's Block Public Access settings were enabled, preventing CloudTrail from writing logs.
  • B. The S3 bucket policy was modified and no longer grants CloudTrail the s3:PutObject permission for the log prefix.✓ Correct
  • C. The multi-region trail was stopped or deleted in the management account.✓ Correct
  • D. CloudTrail does not support logging API calls made using temporary IAM role credentials.
  • E. The logs were written to a different S3 bucket because CloudTrail automatically rotates log destinations monthly.
  • F. AWS KMS key rotation was enabled on the bucket's SSE-KMS key, invalidating previously generated data keys.
Explanation

Option B is a common real-world issue: if the bucket policy is updated to remove CloudTrail's write permission, CloudTrail silently fails to deliver logs (it will display delivery errors in the console). Option C (trail stopped or deleted) is the most direct cause — no trail means no log delivery. Option A is incorrect — Block Public Access prevents public ACLs and policies but does not block CloudTrail's service-principal writes, which use a bucket policy grant. Option D is incorrect — CloudTrail logs all API calls regardless of credential type, including temporary credentials. Option E is incorrect — CloudTrail does not automatically change log destinations; the trail configuration is static until manually changed. Option F is incorrect — KMS key rotation replaces the key material for future encryption but does not invalidate existing encrypted objects or prevent new writes; CloudTrail would continue writing logs.

2. A healthcare company stores patient records in Amazon RDS (MySQL) and requires all data to be encrypted at rest. The company is migrating an existing unencrypted RDS instance to an encrypted one. Which process correctly achieves this with minimal downtime?

  • A. Enable encryption on the existing RDS instance by modifying the instance settings and selecting a KMS key; RDS will transparently encrypt data in place.
  • B. Take a snapshot of the unencrypted RDS instance, copy the snapshot while enabling encryption and specifying a KMS key, then restore a new RDS instance from the encrypted snapshot.✓ Correct
  • C. Create a new encrypted RDS instance, use AWS Database Migration Service (DMS) to migrate data, and enable encryption-in-transit using SSL certificates on the existing instance first.
  • D. Enable AWS Macie on the RDS instance to detect sensitive data, then use Macie's auto-remediation feature to encrypt the instance.
Explanation

Option B is correct because RDS does not support enabling encryption on an existing unencrypted instance in place. The supported process is: (1) take an unencrypted snapshot, (2) copy that snapshot and enable encryption with a KMS key during the copy operation, and (3) restore a new encrypted RDS instance from the encrypted snapshot. This is the AWS-documented migration path. Option A is incorrect because RDS does not allow you to enable encryption on an existing instance after creation — this setting is immutable and cannot be changed via a modify operation. Option C is incorrect because while DMS is a valid migration tool and could work, the question asks for minimal downtime and the snapshot copy/restore method is simpler, lower-cost, and more straightforward than setting up a DMS task for this specific use case. Additionally, enabling SSL on the source doesn't encrypt data at rest. Option D is incorrect because Amazon Macie is a data discovery and classification service for S3 — it does not support RDS, does not inspect RDS data, and has no capability to encrypt RDS instances.

3. A retail company is designing an API that allows partners to submit orders. The API is hosted on Amazon API Gateway with AWS Lambda integrations. The security team wants to ensure that only authorized partner systems can invoke the API and that each partner's request rate is individually tracked and limited. Which solution BEST meets these requirements?

  • A. Enable IAM authorization on the API Gateway and require partners to sign requests with SigV4. Create separate usage plans with API keys and throttle settings per partner.✓ Correct
  • B. Place an Application Load Balancer (ALB) in front of API Gateway and configure ALB listener rules to validate partner IP ranges.
  • C. Create a Lambda authorizer that validates a shared secret in the Authorization header. Apply the same throttle settings to all partners via a single usage plan.
  • D. Configure a resource-based policy on the API Gateway to allow invocation from specific partner AWS account IDs, and enable AWS WAF rate limiting at the stage level.
Explanation

IAM authorization with SigV4 signed requests provides strong, credential-based authentication for partner systems. API keys tied to separate usage plans allow per-partner throttling and quota tracking — exactly what the requirements specify. Option B (ALB with IP filtering) does not provide per-partner identity tracking and IP ranges can change or be spoofed; ALBs also do not natively integrate with API Gateway for throttle tracking. Option C uses a shared secret (weak: single compromise affects all partners) and a single usage plan means throttle limits cannot be differentiated per partner. Option D (resource-based policy by account ID) is appropriate for intra-AWS integrations but many external partners do not have AWS accounts; WAF rate limiting is aggregate and not per-partner without custom rule sets.

4. A company's application running on EC2 instances needs to retrieve database credentials at runtime. The credentials must be automatically rotated every 30 days without any application code changes. The solution must also support retrieving the credentials using the AWS SDK with minimal latency. Which service should the solutions architect use?

  • A. AWS Systems Manager Parameter Store (Standard tier) with a SecureString parameter, using an EventBridge scheduled rule to trigger a Lambda function that rotates the credentials every 30 days.
  • B. AWS Secrets Manager with automatic rotation enabled, configured with a Lambda rotation function for the specific database engine, and the application using the GetSecretValue API call.✓ Correct
  • C. AWS Key Management Service (KMS) to store the credentials as a KMS secret, using the GenerateDataKey API to retrieve and decrypt them at runtime.
  • D. An encrypted Amazon S3 object containing the credentials, with an S3 event notification triggering a Lambda function to update the object every 30 days.
Explanation

Option B is correct because AWS Secrets Manager is purpose-built for secrets management with native automatic rotation support. It provides built-in Lambda rotation functions for popular database engines (RDS MySQL, PostgreSQL, etc.), runs rotation automatically on a configurable schedule without application code changes, and the GetSecretValue SDK call retrieves the latest version seamlessly — the application always gets current credentials without modification. Option A is incorrect because Parameter Store (Standard tier) does not have native automatic rotation; the EventBridge + Lambda approach described requires custom rotation code and ongoing maintenance, does not update the parameter atomically with the database credential change, and is more operationally complex than Secrets Manager. Option C is incorrect because KMS is an encryption key management service — it does not store application secrets or credentials, and GenerateDataKey generates data encryption keys for envelope encryption, not a mechanism to retrieve database passwords. Option D is incorrect because storing credentials in S3 objects and rotating them via Lambda is a fragile custom solution that involves race conditions (what if the app reads mid-rotation?), requires application code to fetch and parse objects, and has higher latency than Secrets Manager's regional API endpoint.

5. A company wants to allow third-party auditors to review AWS resource configurations and CloudTrail logs in a read-only capacity without granting access to any application data. The auditors use their own AWS accounts. Which is the MOST secure and operationally efficient way to grant this access?

  • A. Create IAM users for each auditor in the company's AWS account, attach the AWS managed ReadOnlyAccess policy, and share the access keys securely.
  • B. Create an IAM role in the company's account with a trust policy that specifies the auditors' AWS account IDs, attach a least-privilege read-only policy scoped to config and CloudTrail, and provide the auditors with the role ARN to assume using sts:AssumeRole.✓ Correct
  • C. Create an S3 bucket, export CloudTrail logs and AWS Config snapshots to it daily using a Lambda function, generate a presigned URL, and share the URL with the auditors.
  • D. Enable cross-account access by configuring the company's root account to share its credentials with the auditors' accounts via AWS Resource Access Manager (RAM).
Explanation

Option B is correct because cross-account IAM role assumption is the standard AWS mechanism for granting third-party access. The trust policy restricts which external accounts can assume the role, no long-term credentials are issued to the auditors, all role assumptions are logged by CloudTrail (with sts:AssumeRole events), and the policy can be narrowly scoped to read-only actions on Config and CloudTrail only — satisfying least privilege and operational efficiency. Option A is incorrect because creating IAM users with access keys generates long-term credentials that are harder to revoke, must be rotated, and are not tied to the auditors' own identity management practices. Option C is incorrect because exporting logs to S3 and using presigned URLs provides only delayed/batch access to historical data, not real-time configuration review capability, and requires significant ongoing automation effort. Option D is incorrect because AWS Resource Access Manager (RAM) is used to share specific resource types (like Transit Gateways, subnets, etc.) across accounts — it cannot share account-level credentials and has nothing to do with root account credential sharing, which is an extreme security anti-pattern.

70 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free
Design Secure Architectures — Free Solutions Architect Associate Practice Questions | DataCertPrep — Certification Prep