Pass the Amazon Web Services AWS Certified Associate SAA-C03 Questions and answers with CertsForce

IAM Identity Center (formerly AWS SSO) is designed for:

Federated access from external directories (e.g., Active Directory, Okta)

Centralized permission management

Support for MFA

Granular control via Attribute-based access control (ABAC)

“IAM Identity Center allows you to manage SSO access to AWS accounts and business applications centrally. You can assign users and groups permissions based on directory attributes such as Region and job role.”

— IAM Identity Center Docs

This option ensures:

Federated, centralized access

Region-specific permissions

MFA and role mapping via existing directory service

AWS documentation states that EC2 Auto Scaling is the recommended, cost-effective, and fault-tolerant method to manage workloads with predictable or varying demand. Auto Scaling automatically adds instances during peak traffic and terminates them when demand is low, reducing compute cost while maintaining availability across multiple Availability Zones.

Reserved Instances (Option B) would force the company to pay for peak capacity all day, which is not cost-effective.

Stopping instances manually (Option C) or vertically scaling instances (Option D) reduces fault tolerance and increases operational overhead.

=====================================================

Amazon S3 is the most scalable and cost-optimized object storage for large amounts of data. It integrates natively with Amazon SageMaker, which allows direct access to S3 data for machine learning training jobs without the need to copy data elsewhere. The S3 Intelligent-Tiering storage class further optimizes storage costs for data with unknown or changing access patterns, while maintaining immediate availability for ML training.

Copying to FSx for Lustre or EFS adds unnecessary complexity and cost unless ultra-high throughput POSIX file access is specifically required, which is not mentioned here.

AWS Documentation Extract:

" Amazon S3 provides cost-effective storage for ML data sets, and Amazon SageMaker can directly access data in S3. S3 Intelligent-Tiering automatically moves data between frequent and infrequent access tiers, optimizing costs for changing data access patterns. "

(Source: AWS S3 and SageMaker documentation)

A, D: FSx for Lustre or EFS may be used in specialized cases but are not cost-optimized for general large-scale ML data storage.

C: SageMaker notebook instance storage is not designed for large-scale data ingestion or long-term storage.

AWS DataSync provides managed, incremental, parallelized transfers between EFS file systems across Regions, supporting scheduled or continuously running tasks with automatic change detection, encryption in transit, and integrity verification. You can configure two tasks in opposite directions (bi-directional) to achieve two-way synchronization with high availability using agents in each Region and EFS locations connected via VPC endpoints. Native EFS replication (B) is one-way (read-only target) and not intended for active/active two-way sync. Options A and D rely on custom rsync and cross-Region mounts or SFTP, which introduce operational overhead, latency, and fail to provide resilient, managed synchronization. DataSync minimizes operational burden while delivering fault-tolerant, scalable, cross-Region EFS sync.

AWS documentation states that the correct and least-privilege method for cross-account SNS-to-SQS integration is:

• Add specific SNS topic ARNs to the SQS queue policy.

• Allow only those topics to publish messages to the queue.

• Ensure SNS has permission to publish to the specific queue ARN.

This ensures strict scoping and adheres to least privilege.

Options A and D grant overly broad permissions. Option B allows publishing to any queue, which violates least privilege.

Amazon Aurora Serverless v2 provides cost-effective, on-demand, and auto-scaling database capacity. You pay only for actual usage, making it ideal for development and test environments that are not used continuously. It supports PostgreSQL and is suitable for variable and short-duration workloads, minimizing costs when databases are idle.

AWS Documentation Extract:

“Amazon Aurora Serverless v2 automatically adjusts database capacity based on application needs, ideal for development and test environments with intermittent usage.”

(Source: Aurora Serverless v2 documentation)

B: RDS instances run and accrue charges even when idle.

C, D: Aurora clusters/global databases are overkill and incur higher costs for dev/test.

The correct answer is C because the requirement separates encryption into two parts: encryption at rest and encryption in transit . For data at rest , AWS uses AWS Key Management Service (AWS KMS) to manage encryption keys for services such as Amazon EBS and Amazon Aurora . EBS volumes can be created as encrypted volumes by using KMS keys, and Aurora supports encryption at rest through KMS as well. This protects stored application and database data without requiring the company to build its own key management system.

For data in transit , the proper AWS service is AWS Certificate Manager (ACM) . An Application Load Balancer can use an ACM-issued or ACM-imported SSL/TLS certificate to terminate HTTPS connections and encrypt traffic between clients and the load balancer. This is the AWS standard approach for securing web traffic to internet-facing applications.

Option A is incorrect because it reverses the roles of the services. KMS does not provide certificates for TLS termination on an ALB , and ACM does not encrypt EBS or Aurora storage at rest . Option B is incorrect because there is no single account-wide console setting that automatically turns on all encryption for all services in this way, and use of the root account is not an AWS best practice for normal configuration tasks. Option D is incorrect because BitLocker is not the appropriate general AWS-native answer for EBS and Aurora encryption, and ALBs do not use KMS keys directly as TLS certificates.

AWS security best practices recommend KMS for encryption at rest and ACM certificates for encryption in transit . Therefore, option C is the correct solution.

AWS recommends using cost allocation tags to associate costs with owners (e.g., department, project) and AWS Budgets to create cost or usage budgets with alerts at defined thresholds (e.g., 60%). Budgets can send notifications via email or Amazon SNS when “Actual or forecasted” spend exceeds the threshold. Cost Explorer forecasts help visualize trends but do not provide budget alerting or ownership attribution by themselves. Trusted Advisor does not generate budget threshold alerts. Therefore, tagging resources for accountability and setting a budget with a 60% alert provides governance and proactive notifications aligned with cost control best practices for experimentation.

The best practice to securely provide short-term access to AWS resources, such as Amazon S3, without using long-term credentials, is to use AWS Security Token Service (STS). According to the AWS IAM Best Practices and the Security Pillar of the AWS Well-Architected Framework, temporary credentials should always be used over long-term credentials when possible.

From AWS IAM Documentation:

“Use temporary credentials (IAM roles and AWS STS) instead of long-term access keys. Temporary security credentials are short-term, automatically expire, and are retrieved using AWS STS.”

(Source: IAM Best Practices – IAM User Guide)

Option D outlines the use of a trust relationship and assume-role mechanism via AWS STS. This allows the on-premises application to request temporary, scoped-down credentials to upload files to S3 securely. This approach is:

Secure – Uses short-lived credentials with least privilege

Scalable – No need for EC2 or VPN tunnels

Low Operational Overhead – No infrastructure to maintain

AWS-Recommended – Aligned with security best practices

In contrast:

Option A uses long-term credentials, which is a security risk.

Option B requires additional infrastructure (EC2, VPN), increasing complexity and cost.

Option C relies on IP-based access, which is insecure and not a form of identity-based authentication.

Option Censures dynamic scaling based on demand using a target tracking scaling policy, optimizing costs.

Option Aresults in over-provisioning, leading to higher costs.

Option Bincreases costs by using larger instances.

Option Dis not feasible as instance store volumes are ephemeral and unsuitable for shared storage like EFS.

The workload described is event-driven, low volume, and sporadic, making serverless architecture the most cost-effective choice. AWS Lambda, when triggered by S3 event notifications, runs only when new photos are uploaded and incurs cost only for execution time.

Option C uses S3 event notifications to invoke a Lambda function whenever a new object is created. The Lambda function generates a thumbnail and uploads it to a second S3 bucket. This solution requires no servers, no scheduling, and no idle compute costs, making it extremely cost-efficient for 150 uploads per day.

Options A and B involve running long-lived compute resources that would remain idle most of the time, resulting in unnecessary cost. Option D is invalid because S3 Storage Lens is designed for storage analytics and reporting, not event-driven processing.

Therefore, C is the most cost-effective and operationally efficient solution.

To enforce that IAM users can only access Amazon RDS and no other AWS services, the recommended approach is to use a Deny statement with NotAction. This ensures that all actions are denied except RDS actions. Options A and B do not fully achieve the restriction: A only allows RDS but does not explicitly deny access to other services if another policy grants access; B’s explicit Deny for “*” would override all other permissions, including the intended RDS Allow, which would result in no access at all. Option D with permissions boundaries still allows other attached policies to grant access outside RDS. Therefore, C is the correct approach to enforce RDS-only access.

The most resilient and scalable architecture for handling millions of high-resolution images with frequent updates is to store the binary images in Amazon S3 and store their metadata or reference (geographic code and S3 URL) in Amazon DynamoDB.

From AWS Documentation:

“Store large objects like images in Amazon S3 and use Amazon DynamoDB to store metadata and references. This design pattern is scalable, highly available, and cost-effective.”

(Source: AWS Architecture Blog – Best Practices for Handling Large Objects)

Why B is correct:

Amazon S3 is designed for storing large volumes of binary data (images).

DynamoDB provides low-latency reads/writes using the geographic code as the partition key.

Highly available, serverless, and auto-scaling, suitable for disaster scenarios with bursts of activity.

Reduces pressure on the database layer by separating metadata from image storage.

Why the others are incorrect:

Option A and D: Storing images directly in RDS is expensive, unscalable, and not optimal for binary storage.

Option C: DynamoDB is suitable, but storing actual binary image data in DynamoDB is not best practice due to item size limits (400 KB) and performance concerns.

The application requires independent scaling, ordered asynchronous processing, and relational data storage. Option A provides a microservices-oriented, decoupled architecture using managed services.

Amazon ECS with AWS Fargate enables containerized workloads without server management and allows each component to scale independently. Amazon RDS supports relational data storage for user profiles and content. Amazon SQS ensures reliable, ordered message processing and decouples long-running background tasks, allowing services to evolve independently.

Option B uses SNS, which does not guarantee message ordering. Option C uses DynamoDB, which does not meet the relational data requirement. Option D offers less granular scaling and higher coupling.

Therefore, A best meets scalability, resilience, and modularity requirements.

S3 Object Lock: Enables Write Once Read Many (WORM) protection for data, preventing objects from being deleted or modified for a set retention period.

S3 Versioning: Helps maintain object versions and ensures a recovery path for accidental overwrites.

CloudFront Distribution: Ensures secure and efficient public access by serving content through an edge-optimized delivery network while protecting S3 data with OAC.

Bucket Policy for OAC: Restricts public access to only the CloudFront origin, ensuring maximum security.

Amazon S3 Object Lock Documentation