Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

AWS Secrets Manager is the recommended service for storing database credentials and performing automated rotation. Any Lambda function version or alias can fetch the latest secret value at runtime, ensuring no outdated credentials exist in deployed versions.

Environment variables (Option C) are static per version. Embedding credentials in code (Option B) is insecure and requires redeployment. Parameter Store (Option D) supports rotation but requires more configuration and is not as seamless as Secrets Manager for database credential rotation.

=====================================================

Sporadic HTTP 500 errors in an application that depends on DynamoDB often indicate intermittent downstream failures (for example, transient throttling, temporary network issues, request timeouts, or service-side retryable exceptions). The prompt notes that the DynamoDB table is in on-demand mode and other applications use it without problems, which suggests the issue is not a sustained capacity shortfall or a systemic DynamoDB outage. Instead, the web application likely needs to handle occasional retryable failures more gracefully.

Option C is the best practice for improving reliability when calling AWS services: implement exponential backoff with retries. AWS SDKs commonly include retry behavior, but many systems still require tuning (for example, increasing maximum retries, adding jitter, ensuring idempotent operations where required, and retrying only on retryable errors). Exponential backoff reduces the chance of overwhelming a service during brief contention periods and helps the application recover quickly from transient errors without user-visible failures. This approach is also minimally disruptive because it is a configuration and logic improvement rather than an architectural migration.

Option A is not a standard DynamoDB configuration; DynamoDB has item size limits and throughput is managed via on-demand or provisioned capacity, not by “supporting larger write requests.” Option B (Streams) provides a change data capture feed but does not prevent or mitigate request failures; it is for event processing, replication, or auditing. Option D (strongly consistent reads) addresses stale reads, not HTTP 500 errors, and could increase read cost/RCU consumption without solving the root cause.

Therefore, adding exponential backoff and retries is the most appropriate and operationally sound way to reduce sporadic failures without disrupting the application’s architecture or performance.

AWS recommends using cost allocation tags to associate costs with owners (e.g., department, project) and AWS Budgets to create cost or usage budgets with alerts at defined thresholds (e.g., 60%). Budgets can send notifications via email or Amazon SNS when “Actual or forecasted” spend exceeds the threshold. Cost Explorer forecasts help visualize trends but do not provide budget alerting or ownership attribution by themselves. Trusted Advisor does not generate budget threshold alerts. Therefore, tagging resources for accountability and setting a budget with a 60% alert provides governance and proactive notifications aligned with cost control best practices for experimentation.

When an application is fronted by an Application Load Balancer (ALB) and malicious traffic is detected from a specific IP, the correct way to block the IP is by using AWS WAF (Web Application Firewall).

With AWS WAF, you can create an IP Set to include the offending IP address or range.

Then create a Web ACL (Access Control List) with a rule set to BLOCK requests from that IP set.

Finally, associate the Web ACL with the ALB.

Security groups (Option A) cannot deny specific IPs because they are stateful and allow-only rules.

Amazon Detective (Option B) is a security analysis and investigation tool; it doesn’t block traffic.

AWS RAM (Option C) is for resource sharing across accounts, not for blocking IPs.

This approach aligns with AWS’s Security Pillar of the Well-Architected Framework and is fully managed, with minimal operational effort.

🔗 Reference:

Using AWS WAF with an Application Load Balancer

Block IPs with AWS WAF

The requirements combine long-term, low-cost storage with retrieval within minutes, which narrows the viable storage classes significantly. Amazon S3 Glacier Flexible Retrieval is designed for exactly this use case: infrequently accessed data that must still be retrievable quickly.

Option C provides substantially lower storage cost than EBS snapshots or EFS while supporting expedited retrievals, which can return data within minutes when required for audits. This meets both the cost and retrieval time constraints. Glacier Flexible Retrieval also integrates seamlessly with S3 lifecycle policies, enabling automated transitions from EBS snapshots or S3 Standard to archival storage.

Option A (EBS snapshots) provides durability but is more expensive for long-term storage at this scale. Option B (Glacier Deep Archive) is cheaper but does not meet the retrieval requirement, as restore times are measured in hours, not minutes. Option D (EFS) is a high-performance file system and is the most expensive option for long-term backups.

Therefore, C is the correct choice because it balances cost efficiency, durability, and audit-friendly retrieval times, aligning with AWS storage best practices for compliance-driven archival data.

AmazonSES (Simple Email Service)allows for the automatic ingestion of incoming emails. By setting up email receiving in SES and creating a rule set with a receipt rule, you can configure SES to invoke anAWS Lambda functionwhenever an email is received. The Lambda function can then process the email body and attachments, saving any attachments to an Amazon S3 bucket. This solution is highly scalable, cost-effective, and provides near real-time processing of emails with minimal operational overhead.

Option B (Content filtering): This only filters emails based on content and does not provide the functionality to save attachments to S3.

Option C (S3 Event Notifications): While SES can store emails in S3, SES with Lambda offers more flexibility for processing attachments in real-time.

Option D (EventBridge rule): EventBridge cannot directly listen for incoming emails, making this solution incorrect.

AWS References:

Receiving Email with Amazon SES

Invoking Lambda from SES

AWS Secrets Manager is purpose-built to securely store, manage, and rotate sensitive credentials such as database user names and passwords. Option A is the most operationally efficient solution because it eliminates manual password rotation, reduces human error, and centralizes secret lifecycle management. Secrets Manager integrates natively with Amazon Aurora, enabling automated credential rotation using AWS-managed or custom Lambda rotation logic. Once rotation is enabled, Secrets Manager updates the database credentials and stores the new values securely without requiring administrators to manually update files on EC2 instances.

By assigning IAM permissions to the secret, access can be tightly controlled using least-privilege principles. The application retrieves credentials at runtime, removing the need to store passwords locally on disk, which significantly improves security posture. Secrets Manager also provides auditing capabilities through AWS CloudTrail, allowing visibility into secret access and changes.

Option B (Systems Manager Parameter Store) can securely store secrets, but automated rotation is not natively supported in the same way as Secrets Manager. Implementing rotation with Parameter Store would require additional custom automation, increasing operational complexity. Option C stores credentials in S3, which is not designed for frequent credential rotation or secure secret access patterns, even when encrypted. Option D only encrypts credentials at rest on individual instances and does not address rotation, distribution, or centralized management, resulting in high operational overhead.

Therefore, A best meets the requirements by providing secure storage, automated monthly rotation, fine-grained access control, and minimal operational effort, aligning with AWS security and operational excellence best practices.

Amazon EMR allows the creation of security configurations to specify settings for encrypting data at rest, data in transit, or both. These configurations can be applied to clusters to ensure that data stored in Amazon S3, local disks, and data moving between nodes is encrypted.

By creating and applying an EMR security configuration, the company can ensure that all data processing complies with encryption requirements for sensitive patient data.

Option Censures dynamic scaling based on demand using a target tracking scaling policy, optimizing costs.

Option Aresults in over-provisioning, leading to higher costs.

Option Bincreases costs by using larger instances.

Option Dis not feasible as instance store volumes are ephemeral and unsuitable for shared storage like EFS.

IAM Access Analyzer analyzes permissions granted using policies to determine what resources are shared with an external entity, and helps identify excessive permissions or least privilege violations across all accounts in an AWS Organization. It is specifically designed for reviewing and refining IAM permissions with minimal administrative effort.

AWS Documentation Extract:

“IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. You can also use Access Analyzer policy checks to refine permissions and implement least privilege.”

(Source: IAM Access Analyzer documentation)

A: Network Access Analyzer is for VPC network access analysis, not IAM permissions.

B: CloudWatch alarms are not suitable for detailed permission analysis.

D: Amazon Inspector is for security vulnerability assessment, not IAM policy review.

AWS documentation states that the most secure method for granting private S3 access from VPCs is to use gateway VPC endpoints for Amazon S3. Endpoint policies enforce least privilege by allowing only specific IAM roles access to specific S3 buckets. Because users can obtain temporary credentials through IAM roles, no permanent access keys must be distributed.

S3 bucket policies based on CIDR ranges (Option B) are less secure because CIDR-based access is broader and can grant unintended access. Access points (Option C) still rely on public S3 endpoints unless combined with VPC-only access, which is not stated here. Option D exposes S3 to public internet egress and depends on public IPs, violating least-privilege principles.

=====================================================

To break down consolidated billing costs by “product line” using tags, the company must use cost allocation tags and ensure those tags are activated for billing at the payer/management level. Because the teams have already applied user-defined tags to the compute resources across accounts, the correct approach is to (1) use those user-defined tags in the billing tools and (2) activate them so they appear in cost and usage reporting for consolidated billing.

B is required because cost reporting by product line depends on selecting the user-defined cost allocation tag key (for example, ProductLine=...) in AWS billing and cost management tooling (such as Cost Explorer reports). AWS-generated tags are not what teams typically use for chargeback by business dimension, and the scenario explicitly says teams tagged resources (i.e., user-defined).

E is required because in an AWS Organizations consolidated billing setup, cost allocation tag activation is handled centrally from the Organizations management account so that the tags can be used consistently in consolidated cost views and reporting. Activating tags centrally ensures the billing system recognizes and includes those tag dimensions in cost allocation data.

Option C is not relevant to billing breakdown; Resource Groups is for organizing and operating on resources, not for consolidated billing allocation. Option D is unnecessary in this scenario’s intended best practice because activation for consolidated billing reporting is done from the management account to standardize reporting. In short, you tag resources (already done), then activate the tag for billing and use it in billing reports to see cost by product line across accounts and Regions.

Therefore, B and E together meet the requirement with the correct billing-focused steps.

Converting the existing DynamoDB table to aglobal tableprovides active-active replication and low-latency reads and writes in both Regions. DynamoDB global tables are specifically designed for multi-Region and multi-active use cases.

Option A:GSIs do not provide multi-Region replication or active-active capabilities.

Option B and D:Using DynamoDB Streams and custom replication is less operationally efficient than global tables and introduces additional complexity.

AWS Documentation References:

DynamoDB Global Tables

AWSDirect Connectis the best solution for establishing a consistent, low-latency connection from an on-premises data center to AWS without using the public internet. Direct Connect offers dedicated, high-throughput, and low-latency network connections, which are ideal for performance-sensitive applications like a trading platform that processes high volumes of market data and stock trades.

Direct Connect provides a private connection to your AWS VPC, ensuring that data doesn ' t traverse the public internet, which enhances both security and performance consistency.

AWS References:

AWS Direct Connectprovides a dedicated network connection to AWS services with consistent, low-latency performance.

Best Practices for High Performance on AWSfor performance-sensitive workloads like trading platforms.

Why the other options are incorrect:

A. AWS Client VPN: While this offers secure connectivity, it ' s over the public internet and is not designed for the low-latency, high-performance needs of a trading platform.

C. AWS PrivateLink: PrivateLink is used for connecting VPCs and services within AWS, but it is not designed for connecting on-premises data centers to AWS.

D. AWS Site-to-Site VPN: Although this provides secure connectivity, it uses the public internet, which can introduce latency and doesn ' t meet the low-latency requirements of the use case.

Amazon RDS for Oracle is a managed database service, which significantly reduces operational overhead compared to running Oracle on EC2 or on-premises. AWS Secrets Manager natively integrates with RDS and supports automatic, scheduled password rotation with minimal setup. You can configure the rotation schedule (including yearly), and Secrets Manager will handle the secure password storage and rotation workflow for you.

AWS Documentation Extract:

" AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and on-going maintenance costs of operating your own infrastructure. You can configure automatic rotation for supported databases such as Amazon RDS for Oracle. "

(Source: AWS Secrets Manager documentation)

A, C, D: These solutions require custom scripting, Lambda, and alarms, leading to more operational overhead.

Concurrency Scaling allows Amazon Redshift to add transient capacity automatically to handle bursts in concurrent queries. This is ideal for scenarios with predictable surge periods, such as end-of-month reporting.

It improves performance without manual resizing or cluster modification and without affecting availability. Resizing requires manual intervention and potential downtime, and Redshift Spectrum is designed for querying data in S3, not for solving concurrency issues.

Predictive scaling in EC2 Auto Scaling uses machine learning to analyze historical load and forecast future capacity needs, then pre-scales capacity before the demand occurs. It is specifically designed for recurring, cyclical workloads such as weekly batch jobs.

In this scenario:

The workload pattern is known and recurring (weekly scripted jobs).

The company explicitly does not want to manually analyze trends.

They need capacity to be ready 30 minutes before jobs start.

Predictive scaling lets you:

Set the metric (CPU utilization) and target (60%).

Configure the policy to pre-launch instances 30 minutes in advance, satisfying the requirement automatically with minimal operational overhead.

Dynamic scaling (Option A) reacts after CPU increases, not before.

Scheduled scaling (Option B) requires manual analysis and ongoing adjustment of capacity values.

EventBridge + Lambda (Option D) introduces unnecessary custom logic and still reacts after CPU reaches 60%, not 30 minutes before.

AmazonTextractcan extract text from the PDFs, andAmazon Comprehendis the most suitable service to analyze the extracted text for sentiment and insights. Comprehend offers a fully managed, low-operational overhead solution for analyzing text data. The results can then be stored in anAmazon S3bucket, ensuring scalability and easy access.

Option A: Athena is for querying structured data and is not suitable for sentiment analysis.

Option B: SageMaker adds complexity and is not necessary when Comprehend can handle sentiment analysis natively.

Option D: QuickSight is used for visualization and analytics, but it does not provide sentiment analysis.

AWS References:

Amazon Comprehend

Amazon Textract

Why Option C is Correct:

NAT Gateway: Allows private subnets to access the internet for outbound requests while preventing inbound connections.

High Availability: Deploying NAT gateways in both AZs ensures fault tolerance.

Shared Route Table: Simplifies routing configuration for private subnets.

Why Other Options Are Not Ideal:

Option A: Creating separate route tables for each subnet adds unnecessary complexity.

Option B: Internet gateways allow inbound access, violating the requirement to block public IPv4 access.

Option D: Egress-only internet gateways are designed for IPv6, not IPv4.

AWS References:

Amazon VPC NAT Gateway:AWS Documentation - NAT Gateway