Top 10 AWS SAA-C03 interview questions and how to answer them in 2026
The SAA-C03 is the certification gate for AWS Solutions Architect Associate roles. It costs $150, runs 65 questions (50 scored, 15 unscored) in 130 minutes, and needs a scaled score of 720/1000 to pass. Having it on your resume gets you the interview. Answering these 10 questions well gets you the offer.
These questions came up most frequently in AWS Solutions Architect interviews reported by candidates in 2025–2026. They test architectural judgment, not memorized service names — and there is a wrong answer to each one that certified-but-inexperienced candidates give.
The 10 questions
1. What’s the difference between a Security Group and a Network ACL?
Security Groups are stateful firewalls attached to ENIs: return traffic for an allowed connection is permitted automatically. NACLs are stateless rule lists attached to subnets: you must allow return traffic explicitly, which in practice means an outbound rule covering the ephemeral port range (1024-65535) for connections clients open to you, and an inbound rule on that range for connections your instances open outward. Security Groups have allow-only semantics; NACLs support both allow and deny, are evaluated by ascending rule number, and stop at the first match, so a deny only works if its number is lower than any allow that would also match. NACLs are the right answer when an interviewer asks how to block a specific malicious IP across an entire subnet; a Security Group cannot express a deny. Two caveats interviewers like to hear: a NACL does not filter traffic between instances in the same subnet, and the default quota of 20 rules per direction makes it a blunt instrument, not a replacement for AWS WAF or a host firewall.
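The stateless, first-match evaluation described above is easiest to see by running it. The block below is an added example, not code from AWS or from this page: it simulates a NACL for a public web subnet, then shows the two mistakes interviewers probe for, a missing outbound ephemeral-port rule (every handshake stalls) and a deny numbered above the allow it was meant to beat (the deny never fires). The rule sets and packets are constructed; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for a malicious source and a normal client.

```python
"""Stateless NACL evaluation, simulated (added example, not AWS's code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # range AWS documents for clients, NAT gateways and ELBs


@dataclass(frozen=True)
class NaclRule:
    number: int               # evaluated in ascending order
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "all" (real NACLs use IANA numbers)
    cidr: str                 # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple[int, int]    # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    protocol: str
    addr: str                 # source address (inbound) or destination address (outbound)
    port: int                 # destination port


def evaluate(rules: list[NaclRule], pkt: Packet) -> str:
    """Return 'allow' or 'deny' for one packet in one direction; the other
    direction is evaluated on its own because a NACL keeps no connection state."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", pkt.protocol):
            continue
        if ip_address(pkt.addr) not in ip_network(rule.cidr):
            continue
        lo, hi = rule.ports
        if not lo <= pkt.port <= hi:
            continue
        return rule.action    # first match wins; lower-numbered rules shadow higher ones
    return "deny"             # the implicit "*" rule every NACL ends with


def web_tier_nacl() -> tuple[list[NaclRule], list[NaclRule]]:
    """Constructed inbound and outbound rule sets for a public web subnet."""
    inbound = [
        NaclRule(100, "deny",  "tcp", "203.0.113.0/24", (0, 65535)),  # block the bad range first
        NaclRule(110, "allow", "tcp", "0.0.0.0/0", (443, 443)),
        NaclRule(120, "allow", "tcp", "0.0.0.0/0", EPHEMERAL),         # replies to outbound calls
    ]
    outbound = [
        NaclRule(100, "allow", "tcp", "0.0.0.0/0", EPHEMERAL),         # replies to inbound clients
        NaclRule(110, "allow", "tcp", "0.0.0.0/0", (443, 443)),        # instances calling out
    ]
    return inbound, outbound


def https_session(inbound, outbound, client_ip: str, client_port: int) -> tuple[str, str]:
    """Verdicts for both halves of one client HTTPS connection: the request
    into the subnet and the reply back out to the client's ephemeral port."""
    request = Packet("tcp", client_ip, 443)
    reply = Packet("tcp", client_ip, client_port)
    return evaluate(inbound, request), evaluate(outbound, reply)


if __name__ == "__main__":
    inbound, outbound = web_tier_nacl()
    print(https_session(inbound, outbound, "198.51.100.9", 50123))      # ('allow', 'allow')
    print(https_session(inbound, outbound, "203.0.113.7", 50123))       # ('deny', 'allow')
    # Drop the outbound ephemeral rule and every handshake stalls at SYN-ACK:
    print(https_session(inbound, outbound[1:], "198.51.100.9", 50123))  # ('allow', 'deny')
    # Number the deny above the allow and it never fires:
    shadowed = [NaclRule(200, "deny", "tcp", "203.0.113.0/24", (0, 65535))] + inbound[1:]
    print(evaluate(shadowed, Packet("tcp", "203.0.113.7", 443)))        # allow
```

The second half of the output is the interview point: the reply leg is judged by the outbound rules alone, and rule numbering is the whole of NACL precedence.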
2. When would you choose an ALB vs an NLB?
ALB for HTTP/HTTPS workloads that need path- or host-based routing, WebSockets, gRPC, container target groups (ECS, EKS), or AWS WAF (WAF attaches to an ALB, not to an NLB). NLB for TCP/UDP/TLS, very low and consistent latency, static IPs per AZ (or BYOIP), or connection rates beyond what an ALB is sized for. NLB can also pass the client's source IP straight through to the target (on by default for instance targets, configurable for IP targets), so the application never has to parse X-Forwarded-For. Saying "ALB is always better" is the disqualifying answer; the interviewer is checking whether you understand the L4 vs L7 trade-off, and that an L7 proxy terminates the client connection and opens its own, which is why a target behind an ALB sees the load balancer's private IP unless it reads the header.
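The X-Forwarded-For point has a security edge that candidates often miss: an ALB appends the connecting client's address to whatever header it received, so only the right-most entries (one per trusted proxy hop) are vouched for, and anything to the left was written by the client. The block below is an added example, not code from AWS or from this page. It shows the common bug (trust the left-most entry), the correct recovery for ALB and for CloudFront-in-front-of-ALB, and the NLB case where the socket peer is the client. The VPC range 10.0.0.0/16 and all addresses are constructed.

```python
"""Client IP recovery behind an ALB versus an NLB (added example, not AWS's code)."""
from __future__ import annotations
from ipaddress import ip_address, ip_network

# Subnets the load balancer nodes live in; honour X-Forwarded-For only from these peers.
TRUSTED_PROXY_CIDRS = ["10.0.0.0/16"]   # constructed VPC CIDR


def naive_client_ip(headers: dict[str, str]) -> str:
    """The common bug: trust the left-most entry, which the client controls."""
    return headers.get("X-Forwarded-For", "").split(",")[0].strip()


def client_ip(headers: dict[str, str], peer_addr: str, hops: int = 1,
              trusted: list[str] = TRUSTED_PROXY_CIDRS) -> str:
    """Return the address of the client `hops` trusted proxies away.

    peer_addr: the TCP peer of this request (an ALB node when behind an ALB).
    hops:      1 for ALB -> app; 2 for CloudFront -> ALB -> app, because each
               trusted hop appends exactly one entry to the header.
    """
    peer = ip_address(peer_addr)
    if not any(peer in ip_network(c) for c in trusted):
        return peer_addr            # not from our load balancer: ignore the header entirely
    entries = [e.strip() for e in headers.get("X-Forwarded-For", "").split(",") if e.strip()]
    if len(entries) < hops:
        raise ValueError("X-Forwarded-For has fewer entries than trusted hops")
    candidate = entries[-hops]
    ip_address(candidate)           # ValueError if the proxy-appended value is not an IP
    return candidate


def nlb_client_ip(peer_addr: str) -> str:
    """Behind an NLB with client IP preservation the socket peer is the client."""
    return peer_addr


if __name__ == "__main__":
    # The client sent a forged header; the ALB appended the real address last.
    forged = {"X-Forwarded-For": "10.0.0.1, 198.51.100.9"}
    print(naive_client_ip(forged))                  # 10.0.0.1 (spoofed; would pass an internal allow-list)
    print(client_ip(forged, "10.0.1.25"))           # 198.51.100.9
    # Same header arriving directly, not through the ALB: the header is ignored.
    print(client_ip(forged, "203.0.113.5"))         # 203.0.113.5
    # CloudFront in front of the ALB: client first, then the (constructed) edge address.
    cf = {"X-Forwarded-For": "198.51.100.9, 192.0.2.77"}
    print(client_ip(cf, "10.0.1.25", hops=2))       # 198.51.100.9
    print(nlb_client_ip("198.51.100.9"))            # 198.51.100.9
```

The `hops=2` case only holds if the ALB accepts traffic from CloudFront alone; restrict the ALB's security group to the managed prefix list for CloudFront origin-facing addresses, otherwise an attacker can hit the ALB directly with a header that already contains two entries.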
3. RDS Multi-AZ vs Read Replicas — which solves what?
Multi-AZ is for availability: a synchronous standby in another AZ that RDS fails over to automatically, typically within one to two minutes, by repointing the DNS endpoint. With a Multi-AZ DB instance the standby is not readable; the newer Multi-AZ DB cluster deployment keeps two readable standbys, and naming that distinction earns points. Read Replicas are for scaling reads: asynchronous copies, in the same or another region, that you can promote manually, with replication lag your application has to tolerate. They solve different problems and production stacks usually run both: Multi-AZ for the failover posture and Read Replicas for query offload (a cross-region replica also doubles as a DR seed). Confusing the two in a senior interview is a fast no-hire.
4. How would you decouple a synchronous monolith?
SQS for point-to-point queues consumed by a single pool of workers (standard queues are at-least-once, so consumers must be idempotent; FIFO queues add ordering and deduplication within a 5-minute window); SNS for fan-out pub/sub to multiple subscribers; EventBridge for routing typed events with content-based filtering, a schema registry, and native AWS-service sources. Most modern AWS architectures combine SNS + SQS (fan-out into per-consumer queues, each with its own dead-letter queue) or use EventBridge as the bus. Naming only Lambda is the rookie answer: Lambda is a consumer, not the decoupling layer.
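The at-least-once property is what interviewers want you to design around, and the SNS + SQS combination adds an envelope the consumer has to unwrap. The block below is an added example, not code from AWS or from this page: a consumer loop for one `receive_message` batch that parses the SNS Notification envelope (raw message delivery off), skips a redelivered message it has already processed, and leaves a poison message on the queue so the redrive policy can move it to the dead-letter queue after `maxReceiveCount`. The batch, the topic ARN and the in-memory dedup set are constructed stand-ins; in production the dedup store would be a DynamoDB conditional put with a TTL, and the key would usually be a business identifier such as the order id rather than the SNS MessageId.

```python
"""Idempotent SQS consumer for SNS fan-out messages (added example, not AWS's code)."""
from __future__ import annotations
import json
from typing import Callable


def parse_sns_envelope(body: str) -> tuple[str, dict]:
    """Return (SNS MessageId, decoded payload) or raise ValueError."""
    try:
        env = json.loads(body)
        if env.get("Type") != "Notification":
            raise ValueError("not an SNS Notification envelope")
        return env["MessageId"], json.loads(env["Message"])
    except (KeyError, json.JSONDecodeError) as exc:
        raise ValueError(f"malformed envelope: {exc}") from exc


def process_batch(messages: list[dict], seen: set[str],
                  handler: Callable[[dict], None]) -> list[str]:
    """Process one receive_message batch; return the receipt handles safe to delete.

    `messages` use the keys boto3's receive_message returns (MessageId,
    ReceiptHandle, Body). `seen` is the dedup store.
    """
    to_delete = []
    for m in messages:
        try:
            msg_id, payload = parse_sns_envelope(m["Body"])
            if msg_id in seen:                 # redelivery of work already done: delete, don't redo
                to_delete.append(m["ReceiptHandle"])
                continue
            handler(payload)                   # do the work first ...
            seen.add(msg_id)                   # ... then record it; a crash in between only means a redo
            to_delete.append(m["ReceiptHandle"])
        except Exception:
            # Not deleted: it becomes visible again after the visibility timeout
            # and lands in the DLQ once maxReceiveCount is exceeded.
            continue
    return to_delete


def sample_batch() -> list[dict]:
    """Constructed batch: one notification delivered twice, plus one poison message."""
    env = json.dumps({
        "Type": "Notification",
        "MessageId": "2c4e1b8a-0000-4000-8000-000000000001",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:orders",   # constructed
        "Message": json.dumps({"order_id": "o-1001", "amount_cents": 4200}),
    })
    return [
        {"MessageId": "sqs-1", "ReceiptHandle": "rh-1", "Body": env},
        {"MessageId": "sqs-2", "ReceiptHandle": "rh-2", "Body": env},        # duplicate delivery
        {"MessageId": "sqs-3", "ReceiptHandle": "rh-3", "Body": "not json"},  # poison message
    ]


def run_sample() -> tuple[list[str], int]:
    """Returns (handles to delete, number of times the handler actually ran)."""
    calls: list[str] = []
    handled = process_batch(sample_batch(), set(), lambda p: calls.append(p["order_id"]))
    return handled, len(calls)


if __name__ == "__main__":
    print(run_sample())   # (['rh-1', 'rh-2'], 1)
```

The handler runs once for two deliveries, both copies are deleted, and the poison message is neither deleted nor retried in a loop; that is the behaviour to describe when the interviewer asks what "at-least-once" costs you.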
5. CloudFront in front of an S3 origin — how do you secure it?
Use Origin Access Control (OAC), not Origin Access Identity (OAI). AWS introduced OAC in 2022 and now documents OAI as the legacy method: OAC signs origin requests with SigV4, works with SSE-KMS encrypted buckets, supports every S3 region (OAI does not work in regions opened after December 2022), and handles PUT and DELETE as well as GET. Block all public access at the bucket (or account) level, then allow only the cloudfront.amazonaws.com service principal in the bucket policy, with a StringEquals condition on AWS:SourceArn pinned to your distribution's ARN; without that condition any CloudFront distribution in any account could use your bucket as an origin (the confused-deputy problem). Point the origin at the bucket's REST endpoint, not the static-website endpoint, because website endpoints cannot use OAC. Citing OAI as the current best practice signals stale knowledge.
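The bucket policy is where this answer is won or lost, so here it is generated and audited. The block below is an added example, not code from AWS or from this page: `oac_bucket_policy()` produces the statement shape AWS documents for OAC (CloudFront service principal, read-only, pinned to one distribution by AWS:SourceArn), and `audit_bucket_policy()` flags the three things that go wrong in practice: a public principal, a legacy OAI principal, and a CloudFront service principal with no SourceArn pin. The bucket name, account ID, distribution ID and OAI ID are constructed.

```python
"""CloudFront OAC bucket policy: generate and audit (added example, not AWS's code)."""
from __future__ import annotations
import json


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """The documented OAC grant: service principal, GetObject only, pinned to one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}",
            }},
        }],
    }


def audit_bucket_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy looks like a clean OAC grant."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        if isinstance(principal, str):             # "Principal": "*"
            principal = {"AWS": principal}
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append(f"{sid}: public principal; remove it and keep Block Public Access on")
            continue
        if "CanonicalUser" in principal or any(
                "cloudfront:user/CloudFront Origin Access Identity" in p for p in aws):
            findings.append(f"{sid}: legacy OAI principal; migrate to OAC")
        services = principal.get("Service", [])
        services = [services] if isinstance(services, str) else services
        if "cloudfront.amazonaws.com" in services:
            cond = st.get("Condition", {})
            pinned = any(k.lower() == "aws:sourcearn" for keys in cond.values() for k in keys)
            if not pinned:
                findings.append(f"{sid}: CloudFront service principal without an AWS:SourceArn "
                                "condition; any distribution in any account could read this bucket")
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if any(a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete")) for a in actions):
                findings.append(f"{sid}: CloudFront grant is broader than s3:GetObject")
    return findings


LEGACY_OAI_POLICY = {   # constructed, in the shape the old console generated
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE12345"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::assets-example/*",
    }],
}

if __name__ == "__main__":
    good = oac_bucket_policy("assets-example", "123456789012", "E2EXAMPLE67890")
    print(json.dumps(good, indent=2))
    print(audit_bucket_policy(good))                 # []
    print(audit_bucket_policy(LEGACY_OAI_POLICY))    # ['1: legacy OAI principal; migrate to OAC']
    unpinned = oac_bucket_policy("assets-example", "123456789012", "E2EXAMPLE67890")
    del unpinned["Statement"][0]["Condition"]
    print(audit_bucket_policy(unpinned))             # one AWS:SourceArn finding
```

Run the auditor over `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` for every bucket that fronts a distribution; during a migration it is normal to see both an OAI and an OAC statement until the OAI one is removed.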
6. VPC peering vs Transit Gateway — when does TGW win?
Peering is non-transitive and has no hourly charge (you pay only data transfer), which is fine for two or three VPCs; a full mesh needs n(n-1)/2 peerings and a route-table entry per pair, so it stops scaling quickly. Transit Gateway is the right answer once you have more than a handful of VPCs, multi-region connectivity (TGW peering), or a hub-and-spoke topology with shared services, and its own route tables let you segment which attachments can reach which, something peering cannot do centrally. TGW also natively integrates with Direct Connect Gateway and Site-to-Site VPN. The cost is roughly $0.05 per attachment-hour plus $0.02 per GB processed (us-east-1 list prices; they vary by region), and interviewers want to hear you name it.
7. Which EBS volume type would you pick for a Postgres workload?
gp3 is the default correct answer in 2026: it decouples IOPS and throughput from volume size, includes a 3,000 IOPS / 125 MiB/s baseline, and lets you provision up to 16,000 IOPS and 1,000 MiB/s at any size, so 16,000 IOPS on a 100 GB volume is fine (gp2, at 3 IOPS per GB, would have needed roughly 5.3 TB to earn that). io2 Block Express is the answer only when you need consistent sub-millisecond latency or more than gp3's ceiling (io2 Block Express reaches 256,000 IOPS and 4,000 MiB/s per volume). gp2 is legacy; suggesting gp2 in 2026 is a tell that the candidate hasn't touched a recent AWS environment. st1 and sc1 are throughput-optimized HDDs for sequential big-data workloads, not OLTP. Whatever the type, encrypt it with a KMS key; EBS encryption is per volume and can be switched on as the account default so nobody forgets.
8. How do you let an EC2 instance call S3 without storing credentials?
Attach an IAM Instance Profile wrapping an IAM Role with the minimum S3 permissions; the instance metadata service (IMDS) hands the SDK short-lived credentials that rotate automatically, so nothing is written to disk. Set the instance's metadata options to require IMDSv2 (HttpTokens=required) and keep the PUT response hop limit at 1 unless containers on the host need metadata: IMDSv2 requires a session token obtained with a PUT request and sent back as a header, which a typical SSRF bug cannot do. Storing access keys on disk, even in a config file, is the wrong answer that gets candidates filtered out instantly. The principle the interviewer wants to hear: "roles for services, users for humans," and in 2026 even humans should arrive through IAM Identity Center rather than long-lived access keys.
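Why IMDSv2 blunts SSRF is worth being able to show, not just say. The block below is an added example, not code from AWS or from this page: `FakeImds` models the documented IMDSv2 contract (a session token is issued only for a PUT to `/latest/api/token` carrying `X-aws-ec2-metadata-token-ttl-seconds` between 1 and 21600, and with HttpTokens=required every GET must carry `X-aws-ec2-metadata-token`), `sdk_fetch_credentials()` does what the AWS SDKs do, and `ssrf_fetch()` models an application bug that lets an attacker pick the URL but not the method or headers. The role name, the paths beyond the documented ones, and the credential values (AWS's published placeholder keys) are constructed.

```python
"""IMDSv1 vs IMDSv2 against an SSRF-style fetch, simulated (added example, not AWS's code)."""
from __future__ import annotations
import json
import secrets
import time
from typing import Optional

ROLE = "web-tier-role"          # constructed role name
EXAMPLE_CREDS = {               # AWS's published placeholder keys; never real
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEXAMPLE",
}


class FakeImds:
    """Minimal model of the metadata endpoint's token handling."""

    def __init__(self, http_tokens: str = "required"):
        # "required" is the IMDSv2-only setting; "optional" still answers v1 GETs.
        self.http_tokens = http_tokens
        self._tokens: dict[str, float] = {}     # token -> expiry (monotonic seconds)

    def request(self, method: str, path: str, headers: Optional[dict] = None) -> tuple[int, str]:
        headers = headers or {}
        if method == "PUT" and path == "/latest/api/token":
            ttl = int(headers.get("X-aws-ec2-metadata-token-ttl-seconds", "0"))
            if not 1 <= ttl <= 21600:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.monotonic() + ttl
            return 200, token
        if method != "GET":
            return 405, ""
        token = headers.get("X-aws-ec2-metadata-token")
        if token is None:
            if self.http_tokens == "required":
                return 401, ""                  # v1-style request refused
        elif self._tokens.get(token, 0) < time.monotonic():
            return 401, ""                      # unknown or expired token
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, ROLE
        if path == f"/latest/meta-data/iam/security-credentials/{ROLE}":
            return 200, json.dumps(EXAMPLE_CREDS)
        return 404, ""


def sdk_fetch_credentials(imds: FakeImds) -> dict:
    """The IMDSv2 dance the SDKs perform: PUT for a token, then GETs with it."""
    status, token = imds.request("PUT", "/latest/api/token",
                                 {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    assert status == 200
    auth = {"X-aws-ec2-metadata-token": token}
    _, role = imds.request("GET", "/latest/meta-data/iam/security-credentials/", auth)
    _, body = imds.request("GET", f"/latest/meta-data/iam/security-credentials/{role}", auth)
    return json.loads(body)


def ssrf_fetch(imds: FakeImds, path: str) -> Optional[str]:
    """An attacker-chosen URL fetched by the vulnerable app: GET only, no custom headers."""
    status, body = imds.request("GET", path)
    return body if status == 200 else None


def leaked_via_ssrf(http_tokens: str) -> Optional[str]:
    """Chain the two GETs an attacker would make; None means nothing leaked."""
    imds = FakeImds(http_tokens)
    role = ssrf_fetch(imds, "/latest/meta-data/iam/security-credentials/")
    if role is None:
        return None
    return ssrf_fetch(imds, f"/latest/meta-data/iam/security-credentials/{role}")


if __name__ == "__main__":
    print(sdk_fetch_credentials(FakeImds("required"))["AccessKeyId"])  # ASIAIOSFODNN7EXAMPLE
    print(leaked_via_ssrf("optional") is not None)                      # True  (IMDSv1 still answered)
    print(leaked_via_ssrf("required"))                                  # None
```

Enforce the "required" setting with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`, and find stragglers with `aws ec2 describe-instances --query 'Reservations[].Instances[?MetadataOptions.HttpTokens==`optional`].InstanceId'`. The hop limit matters too: with a limit of 1 the token response cannot be forwarded through a NAT hop, which is what keeps it inside the instance.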
9. Design a highly available web tier for 99.95% SLA.
Two-AZ minimum: an ALB across two public subnets, an Auto Scaling Group spanning both AZs with min=2 and a target-tracking policy on average CPU at 50%, in front of RDS Multi-AZ in private database subnets. Size the group so that losing one AZ still leaves enough capacity, which with two AZs means running no hotter than 50%, and put the instances in private subnets whose security group admits traffic only from the ALB's security group. Add CloudFront in front for edge caching and the AWS Shield Standard DDoS protection that comes with it at no extra cost. The interviewer is checking that you don't answer "multi-region": multi-region is for higher SLAs (99.99%+) and adds significant cost and complexity. Match the architecture to the SLA, not the buzzword.
10. How do you optimize an S3 bucket holding 50 TB of logs?
Enable an S3 Lifecycle rule: transition objects to S3 Standard-IA after 30 days (the earliest S3 allows), Glacier Instant Retrieval after 90 days, Deep Archive after 180 days, and expire them when the retention requirement ends; add an AbortIncompleteMultipartUpload clause so orphaned uploads are not billed forever. For unpredictable access, use S3 Intelligent-Tiering instead: AWS moves objects between tiers automatically for a small per-object monitoring fee, which is why it pays off for large log files and not for millions of tiny ones (objects under 128 KB are not tiered). Quote the actual storage costs ($0.023/GB-month Standard, $0.0125 Standard-IA, $0.004 Glacier IR, us-east-1) and know the catch: Standard-IA, Glacier IR and Deep Archive bill a minimum storage duration (30, 90 and 180 days) and a per-GB retrieval fee, so transitioning too early or reading the data back often can cost more than leaving it in Standard. Specificity here separates senior candidates from juniors.
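The schedule above is simple to state and easy to get subtly wrong, so the block below builds it, validates it, and prices it. It is an added example, not code from AWS or from this page: `log_bucket_lifecycle()` returns the dict you would pass as `LifecycleConfiguration` to boto3's `put_bucket_lifecycle_configuration`; `validate_rule()` applies the constraints S3 enforces or bills for (Standard-IA no earlier than day 30, transitions in ascending day order and coldness, expiration after the last transition, and each tier's minimum billable duration); `steady_state_monthly_cost()` estimates the bill once the bucket has been receiving logs for longer than its retention period. Prices are the us-east-1 list prices quoted in the text plus an assumed Deep Archive price; the validator covers only the storage classes in the page's schedule (not Intelligent-Tiering), and the daily volumes are constructed.

```python
"""S3 lifecycle rule for a log bucket: build, validate, cost (added example, not AWS's code)."""
from __future__ import annotations

COLDNESS = ["STANDARD_IA", "ONEZONE_IA", "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
MIN_DAYS_BILLED = {"STANDARD_IA": 30, "ONEZONE_IA": 30, "GLACIER_IR": 90, "GLACIER": 90, "DEEP_ARCHIVE": 180}
PRICE_PER_GB_MONTH = {   # us-east-1 list prices from the text; DEEP_ARCHIVE is an assumption, verify it
    "STANDARD": 0.023, "STANDARD_IA": 0.0125, "GLACIER_IR": 0.004, "DEEP_ARCHIVE": 0.00099,
}


def validate_rule(rule: dict) -> list[str]:
    """Problems S3 would reject, or that would incur early-deletion charges."""
    problems = []
    original = rule.get("Transitions", [])
    transitions = sorted(original, key=lambda t: t["Days"])
    if transitions != original:
        problems.append("transitions must be listed in ascending Days")
    last_rank = -1
    for t in transitions:
        cls, day = t["StorageClass"], t["Days"]
        if cls not in COLDNESS:
            problems.append(f"unsupported storage class {cls}")
            continue
        if cls in ("STANDARD_IA", "ONEZONE_IA") and day < 30:
            problems.append(f"{cls} transition at day {day}: S3 requires at least 30 days in STANDARD")
        rank = COLDNESS.index(cls)
        if rank <= last_rank:
            problems.append(f"{cls} at day {day} is not colder than the previous transition")
        last_rank = rank
    expire = rule.get("Expiration", {}).get("Days")
    if expire is not None and transitions and expire <= transitions[-1]["Days"]:
        problems.append("Expiration must be later than the last transition")
    # Minimum billable duration: leaving a tier early is charged as if you had stayed.
    stages = [(t["StorageClass"], t["Days"]) for t in transitions if t["StorageClass"] in MIN_DAYS_BILLED]
    for i, (cls, day) in enumerate(stages):
        next_day = stages[i + 1][1] if i + 1 < len(stages) else expire
        if next_day is not None and next_day - day < MIN_DAYS_BILLED[cls]:
            problems.append(f"{cls}: only {next_day - day} days in tier, billed minimum is {MIN_DAYS_BILLED[cls]}")
    return problems


def log_bucket_lifecycle(prefix: str = "", retention_days: int = 2555) -> dict:
    """The page's schedule as a LifecycleConfiguration; raises if the rule is invalid."""
    rule = {
        "ID": "logs-tiering",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 90, "StorageClass": "GLACIER_IR"},
            {"Days": 180, "StorageClass": "DEEP_ARCHIVE"},
        ],
        "Expiration": {"Days": retention_days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Rules": [rule]}


def steady_state_monthly_cost(daily_gb: float, rule: dict) -> float:
    """Once the bucket is older than its retention, each tier holds
    (days spent in tier) x (daily volume) GB; price that per month."""
    boundaries = [("STANDARD", 0)] + [(t["StorageClass"], t["Days"]) for t in rule["Transitions"]]
    boundaries.append(("EXPIRED", rule["Expiration"]["Days"]))
    total = 0.0
    for (cls, start), (_, end) in zip(boundaries, boundaries[1:]):
        total += (end - start) * daily_gb * PRICE_PER_GB_MONTH[cls]
    return round(total, 4)


if __name__ == "__main__":
    cfg = log_bucket_lifecycle(retention_days=365)
    print(steady_state_monthly_cost(10, cfg["Rules"][0]))                               # 19.8315
    print(steady_state_monthly_cost(10, {"Transitions": [], "Expiration": {"Days": 365}}))  # 83.95
    print(validate_rule({"Transitions": [{"Days": 7, "StorageClass": "STANDARD_IA"},
                                         {"Days": 30, "StorageClass": "GLACIER_IR"}],
                         "Expiration": {"Days": 60}}))   # three problems
```

The two cost lines are the comparison to quote: the same 10 GB/day with a one-year retention costs about a quarter as much tiered as it does left in Standard, and the validator's output for the too-eager schedule is the list of reasons S3 or the bill would push back.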
What these questions test
Every question above has a “book answer” and an “operational answer.” Interviewers are looking for the operational version — the version that mentions OAC replacing OAI, gp3 replacing gp2, the cost of a TGW attachment, IMDSv2 over IMDSv1. Passing SAA-C03 proves you know the concepts. Answering these correctly proves you’ve actually built things on AWS in the last 18 months.
Practice SAA-C03 questions right now — no signup
CertQuests has engineer-written SAA-C03 practice questions with full explanations on every answer. Free, no account required.
Frequently asked questions
What is the difference between a Security Group and a NACL?
Security Groups are stateful and attached to ENIs at the instance level. NACLs are stateless and attached to subnets, support both allow and deny rules, and are evaluated by ascending rule number. Use NACLs to block specific IPs across an entire subnet; Security Groups can’t do that.
When should I use ALB vs NLB?
ALB for HTTP/HTTPS with path/host routing, WebSockets, or container targets. NLB for TCP/UDP, ultra-low latency, static IPs, or extreme connection counts. NLB preserves source IP natively without X-Forwarded-For headers.
Is OAI still recommended for CloudFront with S3?
No. AWS introduced Origin Access Control (OAC) in 2022 and now documents OAI as a legacy method. OAC signs origin requests with SigV4, supports SSE-KMS, and works with all AWS regions. Migrate any existing OAI configuration to OAC: add the OAC statement to the bucket policy alongside the OAI one, switch the origin to the OAC, then remove the OAI statement.
What EBS volume should I pick for a database in 2026?
gp3 is the default. It decouples IOPS and throughput from volume size, so you can provision 16,000 IOPS on a 100 GB volume. Pick io2 Block Express only for consistent sub-millisecond latency or for more than gp3's ceiling of 16,000 IOPS and 1,000 MiB/s (io2 Block Express reaches 256,000 IOPS per volume). gp2 is legacy.
How much do AWS Solutions Architects make in 2026?
AWS Solutions Architect Associate roles in the US typically pay $115,000–$145,000 at the mid level. Senior roles and SAP-C02 reach $150,000–$185,000. The BLS reports a 2024 median of $104,420 for all computer occupations; AWS-focused roles with SAA-C03 consistently clear that figure.
How we wrote this
No AWS or training-vendor revenue. Questions were sourced from candidate reports on Reddit r/AWSCertifications, Discord study groups, and LinkedIn interview threads from 2025–2026, cross-referenced against the official AWS SAA-C03 exam guide. Salary figures are cross-referenced against the BLS Occupational Outlook and open postings on LinkedIn and Indeed as of Q2 2026. Tell us what you’d update.
Last reviewed: May 9, 2026.