Pass the Amazon Web Services AWS Certified Associate SAA-C03 Questions and answers with CertsForce

To enable DNS resolution from AWS VPCs to on-premises DNS servers over Direct Connect or VPN, AWS recommends using Amazon Route 53 Resolver with outbound endpoints. An outbound endpoint allows DNS queries originating in the VPC to be forwarded to a customer-managed DNS server (e.g., on-prem).

Next, a forwarding rule (Forward type) must be created to forward DNS queries for the custom domain internal.example.com to the on-premises DNS IP addresses. This rule defines what domain names are forwarded and to which DNS servers.

Finally, the rule must be associated with all workload VPCs to allow those VPCs to use the rule. There is no need to deploy endpoints in every VPC — one outbound endpoint is sufficient and can be shared across VPCs via rule association.

???? Reference:

Route 53 Resolver Endpoints

Best practices for hybrid DNS resolution

AmazonEventBridgeAPI destinations allow you to send data from AWS to external systems, like Salesforce, using HTTP APIs, including those secured with OAuth. This provides a secure and scalable solution for sending messages from the order processing application to Salesforce.

Option A and B (SNS): SNS is not ideal for OAuth-secured external APIs and lacks the necessary OAuth integration.

Option D (MSK): Amazon MSK is a Kafka-based streaming solution, which is overkill for simple message forwarding to Salesforce.

AWS References:

Amazon EventBridge API Destinations

Amazon API Gatewayprovides a scalable and reusable solution for interacting with DynamoDB without requiring direct access by developers. By setting up a REST API with a POST methodthat integrates with DynamoDB ' sPutItemaction, developers can submit data (such as user ratings) to the DynamoDB table through API Gateway, without having to directly interact with the database. This solution is serverless and minimizes operational overhead.

Option A: Using ALB with Lambda adds complexity and is less efficient for this use case.

Option B: While using Lambda is possible, API Gateway provides a more scalable, reusable interface.

Option C: SQS with Lambda introduces unnecessary components for a simple put operation.

AWS References:

Amazon API Gateway with DynamoDB

Amazon CloudWatch Container Insightsis designed for monitoring containerized environments like EKS. It provides native support for collecting and visualizing metrics and logs in a centralized location through CloudWatch dashboards, offering the most operationally efficient solution.

Option A:Using the CloudWatch agent provides basic metrics but lacks the specific insights required for containerized applications.

Option B:Kinesis Data Streams and Firehose add unnecessary complexity for this use case.

Option C:CloudTrail is for auditing API activity and is not designed for application metrics and log aggregation.

AWS Documentation References:

Amazon CloudWatch Container Insights

The company wants to move from an on-premises Docker environment to fully managed AWS services with persistent storage. The best fit is:

Amazon ECS with AWS Fargate launch type: This is a serverless container orchestration solution where AWS manages the underlying infrastructure, removing the need to manage EC2 or Kubernetes nodes.

Amazon EFS (Elastic File System): This is a fully managed, scalable, and shared file system for use with ECS tasks. It supports persistent storage for containers, replacing the local volumes used on-premises.

This combination (ECS + Fargate + EFS) is fully managed and requires no manual server maintenance.

Option A uses EKS with self-managed nodes, which is not fully managed.

Option C (DynamoDB) is for structured key-value storage, not for persistent file storage.

Option D uses ECS with EC2 launch type, which is not serverless and requires managing instances.

???? Reference:

Using Amazon ECS with AWS Fargate

Mounting EFS volumes in ECS tasks

Security groups are stateful, but they cannot explicitly deny traffic — only allow.

Network ACLs are stateless and support explicit deny rules.To prevent Application A from sending traffic to Application B, configure a deny outbound rule in the network ACL of Application A’s subnet to block traffic to Application B’s subnet.

“Unlike security groups, network ACLs support both allow and deny rules, enabling you to explicitly block traffic.”

— Network ACLs

This is the correct method to block outbound traffic between subnets.

Automated backupsare the correct answer because Amazon RDS uses daily automated backups together with transaction logs to support point-in-time recovery. AWS documentation states that RDS can retain automated backups for up to 35 days and uploads transaction logs every 5 minutes, which supports restoring to a specific point in time with a maximum of about 5 minutes of data loss. Read replicas are mainly for scaling reads, not for fine-grained restore after accidental edits. Manual snapshots are point-in-time copies, but they do not provide continuous point-in-time recovery. Multi-AZ improves availability, not historical recovery from user mistakes. Therefore, automated backups are the right feature for this data-loss recovery requirement. (AWS Documentation)

============

AWS Auto Scaling is the right answer because the requirement is to adjust capacity automatically based on a predictable time-based usage pattern. AWS documentation states that you can use scheduled scaling actions with Amazon EC2 Auto Scaling to change desired capacity at specific times or on recurring schedules. That makes it well suited for workloads that need more capacity during the day and less at night. Spot Instances and Reserved Instances are pricing models, not automation mechanisms for scheduled capacity changes. CloudFormation provisions infrastructure but does not itself optimize day-night scaling behavior. Therefore, AWS Auto Scaling is the correct service for this requirement.

When on-premises DNS servers need to resolve private DNS names in a VPC, the correct pattern is to create a Route 53 Resolver inbound endpoint. The inbound endpoint allows DNS queries to flow from the on-premises environment into the VPC, where Route 53 can resolve VPC-specific names (such as private hosted zones or private resource records). Outbound endpoints (C) are for sending VPC DNS queries to on-premises, not the reverse. Verified Access (A) is unrelated to DNS resolution. Direct Connect (B) provides network connectivity but does not provide DNS forwarding capabilities. Therefore, option D is the correct design.

The correct answer isAbecause the application must acceptTLS connections from IPv4 clients, provideoutbound internet access, present asingle entry point, and maintain thelowest possible attack surface. Placing the Amazon ECS tasks inprivate subnetsis the key security design decision because it prevents direct inbound access from the internet to the tasks themselves. The public-facing entry point is the load balancer, while outbound internet access for the private tasks is provided through aNAT gatewayin the public subnet.

ANetwork Load Balancer (NLB)is well suited for handlingTLSat Layer 4 and can expose a single public endpoint for client connections. Withawsvpcnetwork mode, each ECS task receives its own elastic network interface, making it straightforward to place tasks securely in private subnets while still registering them as targets behind the load balancer.

Option B is incorrect because anegress-only internet gatewayis forIPv6 outbound traffic only, while the requirement specifically mentionsIPv4 clients. Option C is incorrect because placing ECS tasks inpublic subnetsincreases the attack surface by exposing application infrastructure more directly to the internet. Option D is also incorrect for two reasons: it uses anegress-only internet gateway, which does not satisfy IPv4 outbound needs, and it places tasks inpublic subnets, which violates the goal of minimizing exposure.

AWS security design guidance emphasizes reducing exposure by placing application workloads in private subnets and exposing only the required front-end endpoint. Therefore, a publicNLBwith private ECS tasks and aNAT gatewayis the most secure and appropriate architecture.

With AWS Shield Advanced, you can add multiple protected resources (like ALBs) to a protection group and choose an aggregation type for mitigation and billing.

Sum aggregation provides combined protection for all resources in the group during blue/green deployment.

“You can add multiple resources to a Shield Advanced protection group and choose an aggregation type. Sum aggregation provides combined protection across all resources.”

— Shield Advanced Protection Groups

This ensures the new ALB inherits protection and avoids additional configuration during deployment.

Cluster Placement Group: This type of placement group is designed to provide low-latency network performance and high throughput by grouping instances within a single Availability Zone. It is ideal for applications that require tightly coupled node-to-node communication.

Configuration:

When launching EC2 instances, specify the option to launch them in a cluster placement group.

This ensures that the instances are physically located close to each other, reducing latency and increasing network throughput.

Benefits:

Low-Latency Communication: Instances in a cluster placement group benefit from enhanced networking capabilities, enabling low-latency communication.

High Network Throughput: The network performance within a cluster placement group is optimized for high throughput, which is essential for HPC workloads.

Protecting an application from layer 7 (application layer) DDoS attacks is best achieved by using AWS WAF (Web Application Firewall), which provides customizable protection against common web exploits including DDoS attacks at the application layer. AWS WAF supports managed rule groups maintained by AWS, which offer robust, tested protections against OWASP top 10 vulnerabilities and common attack patterns without requiring extensive manual rule creation.

While AWS Shield Standard provides basic network-layer DDoS protection automatically at no additional charge, it does not offer application-layer filtering capabilities. Therefore, option A alone is insufficient.

Option B, involving only custom rules, requires significant operational overhead and expertise, whereas AWS managed rules offer a turnkey solution with ongoing updates from AWS security teams.

Option D, using CloudFront in front of the ALB, can provide additional protection benefits such as caching and geographic restrictions, but the question specifically asks for protecting against layer 7 DDoS on the ALB directly. CloudFront plus WAF is a valid enhanced solution, but the direct and recommended answer in AWS official documents is to use AWS WAF managed rules directly with ALB for application-level protection.

The correct answer isAbecause the company needs to rotatedatabase credentials every 30 dayswhile maximizing security and minimizing development effort.AWS Secrets Manageris the AWS service specifically designed to store, manage, and rotate secrets such as database usernames and passwords. It supportsautomatic rotationfor supported databases, includingAmazon Aurora MySQL, which makes it the most secure and operationally efficient solution.

With Secrets Manager, credentials are encrypted at rest, access can be controlled through IAM policies, and applications can retrieve secrets programmatically without embedding them in source code or configuration files. Automatic rotation reduces the risk associated with static credentials and helps meet compliance requirements with minimal manual work. Because rotation is built into the service, the development effort is significantly lower than creating and maintaining custom rotation logic.

Option B can work, but it requires building and operating a customLambda rotation function, which adds complexity compared with the native automation available in Secrets Manager. Options C and D are not best practices because storing credentials in environment files or configuration files increases security risk and does not provide a managed secrets lifecycle.

AWS security best practices recommend centralizing sensitive credentials inAWS Secrets Managerand enablingautomatic rotationwhenever possible. This improves security posture, reduces operational overhead, and aligns directly with compliance requirements for regular credential changes. Therefore, storing Aurora MySQL credentials inSecrets Managerwith30-day automatic rotationis the best solution.

Amazon SQS supports Interface VPC endpoints (AWS PrivateLink), enabling private connectivity from your VPC to SQS without using public IPs, traversing the public Internet, or requiring NAT/IGW. You can restrict access by attaching a queue resource policy that allows only the specific VPC endpoint and denies all other principals/paths, enforcing that all traffic stays on the AWS network. SSE-SQS (B) encrypts data at rest but does not influence network pathing. STS temporary credentials (C) handle authentication/authorization, not routing. VPC Flow Logs (D) are monitoring/visibility and do not prevent public egress. Creating an SQS VPC endpoint and tightening the queue policy satisfies the requirement of no public IP usage while maintaining secure, private access from serverless components in VPC subnets.

To improve read performance for a MySQL-based RDS database under load, you can:

Use Read Replicas: Amazon RDS supports MySQL read replicas, which help offload read operations from the primary database, improving performance during high traffic.

Use ElastiCache (Memcached): Adding an in-memory cache layer using Amazon ElastiCache reduces the load on the RDS instance by serving frequent queries directly from memory, especially when data is not updated often.

Option A (AWS WAF) is for web security, not database performance. Option D relates to storage optimization, not query latency. Option E would require re-architecting from relational to NoSQL, which is unnecessary and disruptive.

For maximum resiliency and fault tolerance in a mission-critical scenario, AWS recommends redundant Direct Connect connections from multiple data centers to multiple AWS Direct Connect locations.

This protects against:

Data center failure

Device failure

Location outages

“For workloads that require high availability, we recommend that you use multiple Direct Connect connections at multiple Direct Connect locations.”

— AWS Direct Connect Resiliency Recommendations

Option C follows AWS maximum resiliency model.

The most cost-effective and scalable solution for generating thumbnails when photos are uploaded to an S3 bucket is to useS3 event notificationsto trigger anAWS Lambda function. This approach avoids the need for a long-running EC2 instance or EMR cluster, making it highly cost-effective because Lambda only charges for the time it takes to process each event.

S3 Event Notifications: Automatically triggers the Lambda function when a new photo is uploaded to the S3 bucket.

AWS Lambda: A serverless compute service that scales automatically and only charges for execution time, which makes it the most economical choice when dealing with periodic events like photo uploads.

The Lambda function can generate the thumbnail and upload it to a second S3 bucket, fulfilling the requirement efficiently.

Option AandOption B(EMR or EC2 with scheduled scripts)**: These are less cost-effective as they involve continuously running infrastructure, which incurs unnecessary costs.

Option D (S3 Storage Lens): S3 Storage Lens is a tool for storage analytics and is not designed for event-based photo processing.

AWS References:

Amazon S3 Event Notifications

AWS Lambda Pricing

Why Option B is Correct:

AWS WAF: Provides a simple way to create geographic match rules to block or allow traffic based on country IP ranges.

Least Operational Overhead: Attaching the WAF rule to the ALB ensures centralized control without modifying ACLs or instance firewalls.

Why Other Options Are Not Ideal:

Option A: Network ACLs operate at the subnet level and can become complex to manage for dynamic or evolving IP ranges.

Option C: Managing IP-based rules in security groups and ACLs lacks scalability and does not provide country-based filtering.

Option D: Configuring host-based firewalls increases operational overhead and does not leverage AWS-managed solutions.

AWS References:

AWS WAF Geomatch:AWS Documentation - WAF Geomatch