Pass the Amazon Web Services AWS Certified Associate SAA-C03 Questions and answers with CertsForce

The best practice for granting AWS service access to EC2 instances is to assign IAM roles with the least privilege necessary. IAM roles attached to EC2 instances provide temporary credentials automatically rotated by AWS, avoiding hard-coded credentials in the application code.

Option C adheres to security best practices by assigning an IAM role scoped with the minimum permissions needed to access the S3 bucket.

Option A grants administrative access, which violates least privilege principles. Options B and D use IAM users with static credentials, increasing the risk of credential exposure and requiring manual rotation, which is not recommended.

Amazon S3 Intelligent-Tiering automatically moves objects between frequent and infrequent access tiers based on access patterns, which minimizes cost without performance impact. Storing photo metadata in Amazon DynamoDB provides fast and scalable lookup by user or tag.

From AWS Documentation:

“The S3 Intelligent-Tiering storage class automatically optimizes storage costs by moving data between frequent and infrequent access tiers when access patterns change.”

(Source: Amazon S3 User Guide – Intelligent-Tiering)

Why B is correct:

S3 Intelligent-Tiering optimizes storage automatically for cost without lifecycle management overhead.

DynamoDB stores small metadata items and S3 URLs, enabling efficient queries and photo lookups.

This architecture scales globally, integrates seamlessly with applications, and minimizes operational cost.

Why other options are incorrect:

A & D: DynamoDB is not intended for storing binary objects like images.

C: Lifecycle rules are static and don’t adapt dynamically to unpredictable access patterns.

IAM Role: Attaching an IAM role to an EC2 instance profile is a secure way to manage permissions without embedding credentials.

AWS Secrets Manager: Grants controlled access to database credentials and automatically rotates secrets if configured.

Identity-Based Policy: Ensures the IAM role only has access to specific secrets, enhancing security.

AWS Secrets Manager Documentation

Amazon Aurora MySQL provides:

Continuous, incremental backups to Amazon S3 with point-in-time recovery (PITR), allowing recovery to any point within the retention window (typically up to 35 days). This easily achieves an RPO of less than 5 hours, often down to seconds.

Support for database auditing parameters so audit logs can be retained and managed (for example, in database logs or external log services) to meet the 7-day audit requirement.

Auto scaling (via read replicas, Aurora Serverless v2, or capacity management) to handle variable read/write demand throughout the year with minimal operational overhead.

Why others are less suitable:

A: DynamoDB is NoSQL and does not directly satisfy typical relational database + SQL audit requirements; Streams also only retain 24 hours, not 7 days, and on-demand backups do not inherently give an RPO < 5 hours without frequent scheduling.

B: Amazon Redshift is a data warehouse, not a primary transactional application database.

C: Snapshots every 5 hours give an RPO of up to 5 hours, not less than 5 hours, and rely on discrete snapshot points rather than continuous PITR.

HPC workloads require high-throughput, low-latency networking, especially for tightly-coupled applications like weather modeling, genomics, or real-time rendering.

A cluster placement group places instances in the same Availability Zone and on physically connected hardware, reducing network latency and increasing throughput.

Elastic Fabric Adapter (EFA) is a network device for EC2 instances that enables low-latency, high-throughput networking using OS-bypass technology, ideal for tightly-coupled HPC applications.

Each instance can support single-flow 10 Gbps bandwidth using EFA, and collectively, the cluster can achieve up to 100 Gbps aggregate throughput when properly configured.

This solution supports the Performance Efficiency and Resilience design principles and is a standard AWS-recommended pattern for HPC.

???? References:

EC2 Placement Groups

Elastic Fabric Adapter Overview

Best Practices for HPC on AWS

AWS Global Accelerator provides static anycast IP addresses that remain constant regardless of Regional failover. AWS directs traffic to the optimal healthy Region without relying on DNS TTL values, eliminating the risk of stale DNS caches.

Route 53 routing (Options B and D) still depends on DNS caching behavior. CloudFront (Option A) is for content delivery, not Regional failover for applications.

=====================================================

This solution is the most cost-effective and meets the RPO and RTO requirements of 24 hours.

Automatic Snapshots: Amazon RDS automatically creates snapshots of your DB instance at regular intervals. By copying these snapshots to another AWS Region every 24 hours, you ensure that you have a backup available in a different geographic location, providing disaster recovery capability.

RPO and RTO: Since the company’s RPO and RTO are both 24 hours, copying snapshots daily to another Region is sufficient. In the event of a disaster, you can restore the DB instance from the most recent snapshot in the target Region.

Why Not Other Options?:

Option A (Cross-Region Read Replica): This could provide a faster recovery time but is more costly due to the ongoing replication and resource usage in another Region.

Option B (DMS Cross-Region Replication): While effective for continuous replication, it introduces complexity and cost that isn’t necessary given the 24-hour RPO/RTO.

Option C (Cross-Region Native Backup Copy): This involves more manual steps and doesn’t offer as straightforward a solution as automated snapshot copying.

AWS References:

Amazon RDS Automated Backups and Snapshots- Details on automated backups and snapshots in RDS.

Copying an Amazon RDS DB Snapshot- How to copy DB snapshots to another Region.

Latency-based routing in Amazon Route 53 is designed to route users to the Region that provides the lowest network latency, based on Amazon’s measurements of latency between AWS Regions and users’ networks. For applications deployed in multiple Regions, this provides the highest performance experience for global users.

Therefore, creating an A record with a latency routing policy is the correct choice.

Geolocation (Option B) routes based on user location, which may not always correspond to the lowest latency.

Failover (Option C) is for active-passive architectures, not performance optimization.

Geoproximity (Option D) is more complex and focused on directing traffic based on geographic bias rather than measured latency.

Using API Gateway and Lambda enables serverless handling of form submissions with minimal cost and infrastructure. When coupled with Amazon SNS, it allows instant email notifications without running servers, making it ideal for low-traffic workloads.

AWS Glue jobs are designed for extract, transform, and load (ETL) operations, which are perfect for transforming clinical trial data. AWS Glue integrates with AWS Key Management Service (KMS), allowing for customer-specific encryption keys, fulfilling the encryption requirement with minimal operational effort. Client-side encryption with AWS KMS ensures that the data is encrypted before it is sent to S3, aligning with the security needs specified in the scenario.

Key aspects:

AWS Glue: This managed ETL service simplifies data transformation, reduces operational overhead, and integrates seamlessly with KMS.

CSE-KMS: Client-side encryption with KMS ensures that the data is encrypted with customer-specific keys before it is processed or stored in S3, offering robust security​​.

Minimal Operational Overhead: Compared to managing an EMR cluster, AWS Glue automates much of the process, making it a lower-effort solution.

AWS Documentation: According to the AWS Well-Architected Framework, encryption with AWS KMS offers strong security controls that meet the needs of industries requiring high levels of confidentiality​​.

Option B (Amazon FSx for Lustre): FSx for Lustre is optimized for high-performance file systems required by HPC workloads, scaling to millions of IOPS and supporting parallelized data access.

Option E (Cluster Placement Group with Auto Scaling): A cluster placement group ensures low-latency communication between EC2 instances, critical for HPC workloads. Amazon EMR simplifies running large-scale analytics jobs.

Amazon FSx for Lustre Documentation,AWS Placement Groups Documentation

The requirement is to monitor network metrics such as total packet loss and round-trip time (RTT) between on-premises and AWS over Site-to-Site VPN with minimal operational overhead. AWS CloudWatch Network Monitor (formerly known as VPC Network Manager) provides a managed solution to monitor connectivity, including packet loss and latency, between AWS and on-premises networks. This solution does not require managing any additional infrastructure like EC2 instances or Lambda functions and thus reduces operational overhead significantly.

CloudWatch Network Monitor leverages AWS-managed probes and integrates natively with CloudWatch dashboards and alarms, enabling automated, centralized monitoring of network health. This aligns with the AWS Well-Architected Framework’s operational excellence pillar by minimizing manual intervention and enabling proactive detection of network issues.

Option B, C, and D involve creating custom probes with EC2, Lambda, or Batch jobs, which increases complexity, cost, and maintenance effort. They also require scheduling, script management, and additional monitoring infrastructure.

AWS PrivateLinkis the most suitable solution for providing fine-grained access control while allowing multiple VPCs, potentially across multiple accounts, to access the new application. This approach offers the following advantages:

Fine-grained control: Endpoint policies can restrict access to specific services or principals.

No need for route table updates: Unlike VPC peering or transit gateways, AWS PrivateLink does not require complex route table management.

Scalable architecture: PrivateLink scales to support traffic from multiple VPCs.

Secure connectivity: Ensures private connectivity over the AWS network, without exposing resources to the internet.

Why Other Options Are Not Ideal:

Option A:

VPC peering is not scalable when connecting multiple VPCs or accounts.

Route table management becomes complex as the number of VPCs increases.Not scalable.

Option B:

While transit gateways provide scalable VPC connectivity, they are not ideal for fine-grained access control.

Transit gateways allow connectivity but do not inherently restrict access to specific applications.Not ideal for fine-grained access control.

Option D:

Exposing the application through an ALB over the internet is not secure and does not align with the requirement to use private network resources.Security risk.

AWS References:

AWS PrivateLink:AWS Documentation - PrivateLink

AWS Networking Services Comparison:AWS Whitepaper - Networking Services

AWS Spot best practices recommend diversifying capacity across multiple instance types and Availability Zones and using the capacity-optimized (price-capacity-optimized) allocation strategy to choose pools with the deepest capacity for higher availability. Adding a small On-Demand base in the Auto Scaling group maintains steady, uninterrupted baseline processing while keeping costs low and absorbing Spot interruptions. Option C (lowest price) increases interruption risk. Capacity Reservations (B) target On-Demand capacity guarantees and add cost, not needed for Spot-based elasticity. Option E is redundant; diversification is already achieved with (D). This combination maximizes resiliency of Spot workloads while preserving strong cost efficiency and aligns with AWS guidance for fault-tolerant, stateless applications on Spot.

IAM Identity Center (formerly AWS SSO) is designed for:

Federated access from external directories (e.g., Active Directory, Okta)

Centralized permission management

Support for MFA

Granular control via Attribute-based access control (ABAC)

“IAM Identity Center allows you to manage SSO access to AWS accounts and business applications centrally. You can assign users and groups permissions based on directory attributes such as Region and job role.”

— IAM Identity Center Docs

This option ensures:

Federated, centralized access

Region-specific permissions

MFA and role mapping via existing directory service