ANSWERED: Amazon Web Services (AWS) Certified Solutions Architect (CSA) – Associate Level, Sample Exam Questions

There are many posts with various accounts from the AWS CSA exam, I feel obligated to post my experience, and I will try to keep mine concise and to the point. You need to know the basics of all AWS services. The exam is not weighted towards any one specific service over another, though some crosscut other services like IAM for example, and come up several times. Questions are situational and focused on specific knowledge of various AWS services. The sample exam questions accurately represent the format of the questions on the exam. The questions focus on specific technical aspects and nuances of AWS services. A test for your familiarity with their products perhaps rather than a test of your knowledge about applying their services to larger systems architecture and design requirements.

My studies for the AWS Certified Solutions Architect Exam began in the natural starting place, the sample exam questions provided by AWS. AWS does not answer the questions and though I knew the answer to most or could make a reasonable guess on others I found myself researching a couple of subjects. Since I cannot give any specifics on questions I saw on the exam, I thought I would answer the sample questions.

AWS Sample Exam Questions:

The 7 sample exam questions can be found at: 

** Note that these questions published by AWS. I am providing answers based on my knowledge and experience but these are unofficial and not supported by AWS. **


  1. Amazon Glacier is designed for (Choose 2 answers)
    • Answer(s): B - infrequently accessed data, C - data archives.
    • Explanation: Glacier is an archival storage service. You are charged every-time you access data over the free tier threshold. When you put data in Glacier you want to have a reasonable expectation that you will at most need to recover a small portion at most per-month unless there is a disaster/emergency scenario.
    • Other Choices: The other choices suggest scenarios where data access is required much more frequently than the ideal Glacier use case.
  2. Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true?
    • Answer(s): C - The ELB stops sending traffic to the instance that failed its health check.
    • Explanation: ELBs are deigned to dynamically forward traffic to the eth0 interface of some set of ec2 instances in one or more availability zones of a single region. When monitoring is setup, the ELB will see that the instance is not responding and stop sending traffic to the failed instance.
    • Other Choices: The other choices suggest that an ELB will take unsupported or inaccurate actions against your instances or actions that are capabilities of other services, specifically Auto Scaling.
  3. You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
    • Answer(s): A - Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
    • Explanation: CloudFront is a CDN capability that distributes S3 objects geographically. An OAI is sort of like a service account for a CloudFront distribution. Using an OAI you can restrict access to S3 content effectively preventing direct access to content in S3 but still allowing CloudFront access to distribute that data.
    • Other Choices: The other choices either refer to actions that do not make sense in the context of the question.
  4. Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started? (Choose 2 answers)
    • Answer(s): B - All data on instance-store devices will be lost, E - The underlying host for the instance is changed
    • Explanation: It is important in this question to note that the instance is in a VPC to rule out other answers. Any instance storage device is only persisted during the running life of the instance because instance storage is physically attached to the host rather than SAN storage like EBS. Now part of the reason that instance storage only persists while an instance is powered on is because the host could/always changes when the instance is started. Remember that instance resources are very loosely coupled with other resources. When you start an instance, it gets a resource reservation on a carefully chosen, presumably with some complex algorithm, available host.
    • Other Choices: The other choices either refer to behaviors of instances not in a VPC, are outright incorrect or do not make sense in the context of the question. Reference the AWS article for behaviors when stopping or starting an instance.
  5. In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
    • Answer(s): D - hypervisor visible metrics such as CPU utilization
    • Explanation: A responsibility boundary exists between the hypervisor and guest operating system. AWS does not have access to the guest operating system and therefore cannot see anything that is not visible to the hypervisor. Such information would be resource demands of the guest operating system that the hypervisor must service like, CPU usage. Refer back to the shared responsibility model discussed in the AWS Security Whitepaper.
    • Other Choices: The other choices refer to data that would not be visible to the hypervisor and that would not be visible within CloudWatch unless published by the instance owner. See publishing custom metrics.
  6. Which is an operational process performed by AWS for data security?
    • Answer(s): B - Decommissioning of storage devices using industry-standard practices
    • Explanation: The key to this question is understanding the shared responsibility boundary between AWS and its customers as well as the specific statement "operational process". Again, we need to refer to the AWS Security Whitepaper. As a standard practice, AWS shreds all physical disks after magnetically wiping them as part of their decommissioning process. 
    • Other Choices: The other options refer to processes or practices that cross the responsibility boundary or that simply do not make sense in the context of the question or AWS operations.
  7. To protect S3 data from both accidental deletion and accidental overwriting, you should:
    • Answer(s): A - enable S3 versioning on the bucket 
    • Explanation: By enabling versioning, you ensure that if accidentally or otherwise overwritten any previous object version is persisted as a previous version. In addition, you protect against complete loss from accidental deletion. 
    • Other Choices: The other choices, though referring to valid S3 bucket features, would not provide any protection against deletion or overwriting.