Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Amazon S3 Standard-IA: This storage class is designed for data that is accessed less frequently but requires rapid access when needed. It offers lower storage costs compared to S3 Standard while still providing high availability and durability.

Access Patterns: Since the files are frequently accessed in the first 30 days and rarely accessed afterward, transitioning them to S3 Standard-IA after 30 days aligns with their access patterns and reduces storage costs significantly.

Lifecycle Policy: Implementing a lifecycle policy to transition the files to S3 Standard-IA ensures automatic management of the data lifecycle, moving files to a lower-cost storage class without manual intervention. Deleting the files after 4 years further optimizes costs by removing data that is no longer needed.

Amazon EFS is a “fully managed, elastic, shared file system” that provides NFSv4 access across many EC2 instances and AZs, ideal for lift-and-shift of Linux NFS workloads. AWS DataSync “automates moving data between on-premises NFS servers and Amazon EFS,” performing incremental, parallel transfers with encryption and integrity checks, enabling cutover with minimal disruption. FSx for Lustre (A) targets HPC and S3-backed workloads, not general NFS shares. FSx for Windows (D) exposes SMB, not NFS. S3 (C) is object storage and not directly NFS-accessible by multiple EC2 hosts. EFS + DataSync satisfies NFS compatibility, multi-client access, and low-touch migration while remaining cost-effective for a 200-GB dataset.

The company’s requirements are:

Store gigabytes of rarely accessed files daily.

Files must be available within minutes during the first year.

Retain files for 7 years cost-effectively.

The S3 Glacier Instant Retrieval storage class provides low-cost, long-term storage for data accessed occasionally, with millisecond retrieval time. This fits the requirement for availability within minutes during the first year. After one year, transitioning files to S3 Glacier Deep Archive (the lowest cost S3 storage class) with longer retrieval times is cost-effective for data retention over 7 years.

Option B uses S3 Standard and Glacier Flexible Retrieval, which is higher cost during the first year and slower retrieval times. Option C is less cost-efficient because EBS volumes are expensive for rarely accessed data and snapshots incur additional costs. Option D uses EFS, which is designed for low-latency file storage but is more expensive than S3 Glacier classes for long-term archival.

The requirement calls for three capabilities at fleet scale: (1) regular security/vulnerability scanning of EC2 instances, (2) scheduled patching, and (3) reporting on patch compliance/status. The AWS-managed services designed for this are Amazon Inspector for vulnerability scanning and AWS Systems Manager Patch Manager for patch orchestration and compliance reporting.

Amazon Inspector provides automated vulnerability management that can assess EC2 instances for software vulnerabilities and exposure, producing findings that identify missing patches and vulnerable packages. This addresses the security scanning portion without requiring custom tooling on each instance beyond standard agent/configuration requirements.

Systems Manager Patch Manager allows you to define patch baselines, schedule patching operations via maintenance windows, and apply patches across large fleets in a controlled manner. Patch Manager also provides compliance views and reporting so you can see which instances are compliant, which are missing patches, and the results of patch operations. This directly meets the need to patch “on a regular schedule” and to “provide a report of each instance’s patch status.”

The other options are mismatched services: Macie focuses on discovering and protecting sensitive data (especially in S3), not scanning EC2 for software vulnerabilities. GuardDuty is for threat detection based on logs and events; it is not an EC2 vulnerability scanner and does not function as a patching orchestrator. Detective helps investigate security events and relationships; it is not a vulnerability scanning or patch deployment tool. Additionally, cron jobs on each instance create high operational overhead and inconsistent reporting—exactly what the company wants to avoid.

Therefore, D is the correct, operationally excellent approach: use Inspector for vulnerability scanning and Systems Manager Patch Manager for automated, scheduled patching with centralized compliance reporting.

IAM Roles for Service Accounts (IRSA): IRSA allows you to associate an IAM role with a Kubernetes service account. This enables pods to assume the IAM role and access AWS resources securely.

Annotating Service Accounts: By annotating Kubernetes service accounts with the ARN of the IAM role, you establish the association required for IRSA.

OIDC Identity Provider: EKS clusters use OpenID Connect (OIDC) to authenticate service accounts. Setting up a trust relationship between the IAM role and the OIDC provider allows the Kubernetes service account to assume the IAM role.

Amazon RDS for MySQL supports read replicas that offload read-intensive workloads such as reporting, leaving the primary instance free for write operations.

“You can use Amazon RDS read replicas to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.”

— Working with Read Replicas

This is the recommended approach for minimizing performance impact on the primary DB instance.

AWS CloudTrail Lakeis a fully managed service that allows the collection, storage, and querying ofCloudTrail eventsfor both AWS and non-AWS services. CloudTrail Lake can be customized to collect logs from various sources, ensuring a centralized audit solution. It also supports long-term storage, so logs can be retained for 7 years, meeting the compliance requirement.

Option A (Data Lake): Setting up a data lake in S3 introduces unnecessary operational complexity compared to CloudTrail Lake.

Option C (Ingest non-AWS services into CloudTrail): CloudTrail Lake is better suited for this task with less operational overhead.

Option D (CloudWatch Logs): While CloudWatch can store logs, CloudTrail Lake is specifically designed for API auditing and storage.

AWS References:

AWS CloudTrail Lake

Amazon EFS allows automatic transitions to Infrequent Access (IA) and back to Standard when accessed again using the lifecycle policy.

By specifying the bursting throughput mode, throughput scales automatically with file system size.

“With EFS Lifecycle Management, you can automatically move files to EFS Infrequent Access storage and automatically return them to Standard storage when accessed.”

“The Bursting Throughput mode scales with your file system size.”

— Amazon EFS Lifecycle Management

This option matches all requirements:

Auto transition to IA after 30 days.

Auto transition back to Standard on access.

Bursting throughput for scaling with file system size.

Comprehensive and Detailed Step-by-Step Explanation:

The goal is totransfer 500 GB dailyfrom multiple global locationsquicklyintoa single S3 bucketwhile keeping operational complexity low.

Option A:✅

Turn on S3 Transfer Acceleration on the destination S3 bucket. Use multipart uploads to directly upload site data to the destination S3 bucket.

S3 Transfer Acceleration (S3-TA)allowsfasterglobal uploads by routing traffic throughAmazon CloudFront’s globally distributed edge locations.

Multipart uploadsimprove efficiency bybreaking large filesinto smaller parts, transferring them in parallel.

Low operational complexity: No need for additional resources or manual replication.

Why is this best?It ensureshigh-speed transferswhileminimizing complexity.

For steady, predictable EC2 usage with potential changes in instance families over time, AWS recommends Savings Plans. Compute Savings Plans “apply to any EC2 instance regardless of region, instance family, operating system, or tenancy,” and also apply to AWS Fargate and AWS Lambda, delivering the most flexibility over a multi-year horizon. A 3-year term provides the highest discount among Savings Plans for long-lived workloads. EC2 Instance Savings Plans are limited to a chosen instance family in a region; as needs evolve (e.g., size or family changes), discounts may not fully apply. Spot Instances are not appropriate for long, interruption-sensitive jobs because Spot capacity can be reclaimed with short notice. Therefore, a Compute Savings Plan (3-year) best matches cost optimization with flexibility for growth and changes.

Explanation (AWS Docs):

Although the question says “before sending it,” AWS best practice for sensitive data is SSE-KMS (Server-side encryption with AWS KMS keys), which gives full key usage auditing. It integrates with AWS KMS and provides compliance-friendly encryption at rest automatically.

“SSE-KMS uses AWS Key Management Service to manage encryption keys. SSE-KMS also provides an audit trail of key usage.”

— Protecting Data Using Server-Side Encryption

Why not D?

Client-side encryption requires custom key management and adds operational overhead. C is simpler and compliant.

Amazon S3 Intelligent-Tiering: This storage class is designed to optimize costs by automatically moving data between two access tiers (frequent and infrequent) when access patterns change. It provides cost savings without performance impact or operational overhead.

S3 Lifecycle Rules: By creating an S3 Lifecycle rule, the company can automatically transition objects to the Intelligent-Tiering storage class. This eliminates the need for manual intervention and ensures that objects are moved to the most cost-effective storage tier based on their access patterns.

Operational Efficiency: Intelligent-Tiering requires no additional management and delivers immediate availability for frequently accessed objects. This makes it the most operationally efficient solution for the given requirements.

Amazon DynamoDB is a serverless, NoSQL database that is fully managed, highly available, and scales automatically. It is ideal for data without a fixed schema and for use cases where fields can vary by user. DynamoDB Streams enables the capture of changes to table items in real time, which is ideal for triggering additional processing or workflows on data modifications.

Reference Extract from AWS Documentation / Study Guide:

"DynamoDB provides a scalable, highly available NoSQL database service for applications requiring flexible schema. DynamoDB Streams captures table activity for processing changes in real time."

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Serverless section.

AWS VPC endpoints (interface and gateway) allow private connectivity from VPC resources to AWS services without requiring public IP addresses or internet gateways. This ensures applications remain isolated in private subnets while securely accessing AWS services. NAT gateways (B) would allow internet access, which does not meet the security requirement. Internet gateways (C) directly expose traffic to the internet, which violates the isolation requirement. Direct Connect (D) connects on-premises environments to AWS but does not provide service access from private subnets. Therefore, option A — using interface VPC endpoints — is the correct solution.