Pass the Amazon Web Services AWS Certified Associate SAA-C03 Questions and answers with CertsForce

Amazon S3 Glacier Flexible Retrieval is a low-cost archival storage class that supports retrieval of data within minutes (expedited access ~1–5 minutes), making it ideal for audit scenarios where occasional, quick access to archived data is required. In contrast, Glacier Deep Archive takes hours to retrieve.

The correct answer is D because the application is written entirely in JavaScript and runs in users’ web browsers , which means the workload is essentially a static web application . Static assets such as HTML, JavaScript, CSS, and related files are best hosted on Amazon S3 , which provides highly durable and low-cost object storage. Putting Amazon CloudFront in front of the S3 bucket allows the application to be delivered globally through edge locations, which reduces latency for users in many countries while also lowering the load on the origin.

This design is more cost-effective than continuing to serve the application from EC2 instances behind an ALB because it eliminates most of the compute and load balancing cost for static content delivery. CloudFront caches the content close to users and can improve performance worldwide without the complexity of deploying full application stacks in multiple Regions.

Option A is less cost-effective because it still depends on the ALB and EC2 instances as the origin for content that is static. Also, CloudFront requires an ACM certificate in us-east-1 for custom domain names, so reusing the existing certificate from the ALB is not the right assumption. Option B introduces significant multi-Region infrastructure cost and management overhead. Option C is unnecessarily complex because multiple S3 buckets in multiple Regions are not required when CloudFront can cache globally from a single origin.

AWS best practices for static web applications recommend Amazon S3 for storage and Amazon CloudFront for global distribution . This approach provides strong performance, simplicity, and cost optimization.

When AWS workloads must resolve DNS names from on-premises systems over a hybrid network (like VPN or Direct Connect), the best solution is to use Amazon Route 53 Resolver outbound endpoints.

The outbound endpoint enables DNS queries to be forwarded from your VPC to on-premises DNS servers.

You must also configure a Route 53 Resolver forwarding rule to define which domain names (e.g., corp.internal) should be forwarded to the specific on-premises DNS IPs.

This setup allows private DNS resolution from AWS to on-premises systems and is fully managed, eliminating the need to run and maintain EC2-based DNS proxies (as in option A).

Options C and D are incorrect:

C is not DNS-specific and doesn’t solve name resolution.

D misuses a public hosted zone for a private DNS domain.

???? Reference:

Route 53 Resolver Outbound Endpoints

The correct answer is B because the company has a predictable baseline workload that will run for at least 1 year , plus a temporary 2-week increase in demand during a holiday period. The most cost-effective approach is to use a long-term discount option for the steady-state workload and a flexible pricing model for the short-term burst capacity.

An EC2 Instance Savings Plan is a strong fit for the existing workload because it provides cost savings for committed EC2 usage while matching a stable, predictable application footprint. Since the company is already using EC2 and the workload pattern is known, this is an efficient commitment for the baseline capacity. For the additional temporary holiday demand, On-Demand Instances are appropriate because the extra capacity is needed only for a short duration. This avoids overcommitting to capacity that will not be used after the holiday period ends.

Option A is less cost-effective because it misses the savings opportunity for the predictable baseline workload. Option C is incorrect because the application is described as stateful , which makes Spot Instances a poor fit due to potential interruption. Option D is incorrect because purchasing a 12-month commitment for both the normal workload and the temporary holiday increase would likely result in paying for excess committed usage after the 2-week peak ends.

AWS cost optimization guidance recommends using discounted commitment models for steady-state usage and On-Demand for short-lived, temporary spikes. Therefore, the best answer is to use an EC2 Instance Savings Plan for the baseline and On-Demand Instances for the seasonal increase.

Workload Discovery on AWS is a tool that automatically discovers AWS resources across multiple accounts and Regions and builds visual architecture diagrams that show resource relationships. It is specifically designed to help teams understand and document existing workloads with minimal manual effort.

This service provides multi-account visibility, relationship mapping, and exportable diagrams, which directly satisfies the need to “build and map the relationship details of the various workloads” with the least operational overhead.

Systems Manager Inventory (Option A) focuses on collecting configuration and inventory data (primarily for instances and some resources) and does not generate architecture diagrams or full relationship views.

Step Functions (Option B) and X-Ray (Option D) would require custom collection and manual diagramming and are not purpose-built for environment discovery and mapping.

This solution directly addresses the scalability and high availability requirements with minimal downtime.

Additional Reader Instances: Adding more reader instances to the Aurora cluster will distribute the read load, improving the performance of the application under heavy read traffic. Aurora reader instances automatically replicate the data from the writer instance, enabling you to scale out read operations.

Amazon RDS Proxy: RDS Proxy improves database availability by managing database connections more efficiently and providing a connection pool. This reduces the overhead on the Aurora cluster during peak loads, further enhancing performance and availability without requiring changes to the application code.

Why Not Other Options?:

Option A (EventBridge and Lambda): This doesn’t directly address the performance and availability issues. Logging state changes and adding reader nodes on failure events doesn’t provide proactive scalability.

Option B (Zero-Downtime Restart and Activity Streams): Zero-Downtime Restart (ZDR) is useful for minimizing downtime during maintenance but doesn’t directly improve scalability. Database Activity Streams are more for security monitoring than for performance enhancement.

Option D (ElastiCache for Redis): While adding a caching layer can help with read performance, it introduces complexity and may not be necessary if additional reader instances can handle the load.

AWS References:

Amazon Aurora Scaling- Information on scaling Aurora clusters with reader instances.

Amazon RDS Proxy- Details on how RDS Proxy can improve database performance and availability.

Amazon DynamoDB provides single-digit millisecond performance at any scale and is fully managed to handle millions of catalog records. It is ideal for structured catalog data such as product metadata and scales seamlessly during high-traffic events like sales. Amazon S3 is optimized for storing unstructured large objects such as videos and manuals, with virtually unlimited scalability and high durability. Option A (RDS) would not handle massive scale or traffic spikes as efficiently. Option C overloads DynamoDB by forcing it to store large binary data, which is not its purpose. Option D (DocumentDB) is suitable for JSON-like documents but not optimal for storing large media files and would add operational complexity. Therefore, option B represents the best separation of structured and unstructured data storage.

The best solution is to useAmazon SQSto receive updates from the mobile app and process them with anAWS Lambdafunction. The Lambda function can rewrite the message body as necessary for each shipper and then publish the updates to the appropriateSNS topicfor distribution. Thissetup ensures that each shipper receives only the relevant data and minimizes operational overhead by using managed services.

Option A (SNS filter policy): SNS does not have the capability to rewrite message bodies before forwarding.

Option C (Second SNS topic): Using an additional SNS topic adds unnecessary complexity without solving the message rewriting requirement.

Option D (EventBridge Pipes): EventBridge Pipes is more complex than necessary for this use case, and Lambda can handle the logic more efficiently.

AWS References:

Amazon SQS

Amazon SNS with Lambda

Amazon Route 53 health checks can automatically perform DNS failover to healthy endpoints. When integrated with an Application Load Balancer, this provides a highly resilient system architecture that automatically routes traffic to healthy resources across Regions or endpoints.

From AWS Documentation:

“Route 53 DNS failover automatically routes traffic away from unhealthy resources and directs it to healthy resources that you specify in DNS records.”

(Source: Amazon Route 53 Developer Guide – DNS Failover)

Why B is correct:

Route 53 health checks automatically monitor endpoint health and switch to a healthy target when the primary endpoint fails.

The failover process is automatic, with no manual updates to DNS records required.

Combined with ALB’s built-in multi-AZ resilience, this provides maximum availability.

Why others are incorrect:

A & C: Require manual DNS updates, which are not automatic and introduce latency.

D: Creating new ALBs during failover increases downtime and is operationally inefficient.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

To capture traffic metadata to and from network interfaces in a VPC, the correct telemetry source is VPC Flow Logs. Flow Logs can publish records to destinations such as CloudWatch Logs, which is a natural first landing zone for near-real-time log ingestion and centralized retention/permissions. The next requirement is to stream that data to Amazon OpenSearch Service for analysis with minimal operational overhead.

Amazon Data Firehose is purpose-built for fully managed delivery of streaming data to destinations including OpenSearch. Firehose handles buffering, batching, retry behavior, and optional transformations, and it minimizes the need to build and operate custom consumers. Therefore, sending VPC Flow Logs to CloudWatch Logs and then using Firehose to deliver to OpenSearch is an operationally efficient and scalable pattern.

Option A uses Kinesis Data Streams, which would require building/operating consumers (or additional integration components) to read from the stream and load into OpenSearch, adding operational complexity compared with Firehose’s managed delivery. Options C and D are incorrect because CloudTrail records API activity and governance events, not VPC network flow records; VPC Flow Logs do not publish to CloudTrail trails.

Thus, B best meets the requirement: Flow Logs capture the network interface traffic metadata; CloudWatch Logs provides near-real-time log collection; and Firehose provides managed streaming delivery into OpenSearch for indexing and analytics with minimal operational effort.

Amazon EFS allows automatic transitions to Infrequent Access (IA) and back to Standard when accessed again using the lifecycle policy.

By specifying the bursting throughput mode, throughput scales automatically with file system size.

“With EFS Lifecycle Management, you can automatically move files to EFS Infrequent Access storage and automatically return them to Standard storage when accessed.”

“The Bursting Throughput mode scales with your file system size.”

— Amazon EFS Lifecycle Management

This option matches all requirements:

Auto transition to IA after 30 days.

Auto transition back to Standard on access.

Bursting throughput for scaling with file system size.

Amazon Kinesis Data Streams in on-demand mode is purpose-built for real-time ingestion of streaming data and scales automatically with traffic, which is ideal for fluctuating workloads like clickstream data.

Combined with AWS Lambda, which scales concurrently based on incoming events, this setup ensures efficient, real-time processing with minimal configuration and cost overhead.

Option B involves Firehose, which is not optimal for low-latency processing. Option C is incorrect as Kinesis Video Streams is designed for video data, not clickstream. Option D introduces Flink, which adds unnecessary complexity when Lambda suffices.

Amazon S3 Object Lambda allows you to add your own code to process data retrieved from S3 before it is returned to an application. You can use this to dynamically redact or remove PII for specific applications on-the-fly, eliminating the need to manage multiple buckets or datasets, thus minimizing operational overhead.

Reference Extract:

" S3 Object Lambda enables you to process and transform data as it is retrieved from S3, supporting use cases such as redacting sensitive information before returning data to an application. "

Source: AWS Certified Solutions Architect – Official Study Guide, Data Security and Transformation section.

The requirement explicitly states that the solution must not involve training a machine learning model, which immediately eliminates options that require custom ML development. Amazon Rekognition is a fully managed computer vision service that can analyze images and detect inappropriate or unwanted content using pretrained models provided by AWS.

Option B correctly uses Amazon Rekognition’s image moderation capabilities to analyze uploaded photos and identify unsafe or unwanted content categories. By invoking Rekognition from an AWS Lambda function, the solution remains serverless, automatically scalable, and operationally efficient. The Lambda function URL provides a secure HTTPS endpoint that the web application can call synchronously during uploads.

Option A violates the requirement because SageMaker Autopilot is designed to build and train ML models. Option C is incorrect because Amazon Comprehend is a natural language processing service for text analysis, not image moderation. CloudFront Functions also do not support calling external AWS services like Rekognition. Option D uses Rekognition Video, which is intended for analyzing video streams, not static images.

Using Lambda and Rekognition together ensures minimal operational overhead, no ML training effort, and immediate enforcement of content moderation policies. The architecture also allows easy extension, such as logging moderation results or blocking uploads based on confidence thresholds.

Therefore, B is the correct solution because it meets the content moderation requirement using AWS-managed ML services without requiring model training.