Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Amazon RDSBlue/Green Deploymentsis the ideal solution for upgrading the database version with minimal operational overhead and no data loss. Blue/Green Deployments allows you to create a separate, fully managed "green" environment with the upgraded database version. You can test the new version in the green environment while the "blue" environment continuesserving production traffic. Once testing is complete, you can seamlessly switch traffic to the green environment without downtime.

This solution provides:

Fast, non-disruptive upgrade: Traffic is only switched to the new environment after testing, ensuring zero data loss.

Minimal operational overhead: AWS handles the infrastructure management, reducing manual intervention.

Option A (Manual snapshot): This requires manual intervention and involves more operational overhead.

Option B (Native backup/restore): This approach is more labor-intensive and slower than Blue/Green Deployments.

Option C (DMS): AWS DMS adds unnecessary complexity for a simple version upgrade when Blue/Green Deployments can handle the task more efficiently.

AWS References:

Amazon RDS Blue/Green Deployments

Amazon S3 Intelligent-Tiering: This storage class is designed to optimize costs by automatically moving data between two access tiers (frequent and infrequent) when access patterns change. It provides cost savings without performance impact or operational overhead.

S3 Lifecycle Rules: By creating an S3 Lifecycle rule, the company can automatically transition objects to the Intelligent-Tiering storage class. This eliminates the need for manual intervention and ensures that objects are moved to the most cost-effective storage tier based on their access patterns.

Operational Efficiency: Intelligent-Tiering requires no additional management and delivers immediate availability for frequently accessed objects. This makes it the most operationally efficient solution for the given requirements.

Using S3 gateway endpoints allows private and cost-free access to S3 without routing traffic through a NAT gateway. NAT gateway traffic incurs charges, especially when used across multiple Availability Zones.

By using an S3 gateway endpoint, EC2 instances in private subnets can access S3 directly without needing internet access, reducing both data transfer and NAT gateway costs.

Interface endpoints are more expensive and typically used for services like API Gateway or Systems Manager.

Option Censures dynamic scaling based on demand using a target tracking scaling policy, optimizing costs.

Option Aresults in over-provisioning, leading to higher costs.

Option Bincreases costs by using larger instances.

Option Dis not feasible as instance store volumes are ephemeral and unsuitable for shared storage like EFS.

Amazon Macieis purpose-built for detecting PII in S3.

Option Auses EventBridge to filter SensitiveData findings and notify via SNS, meeting the requirements.

Options B and Dinvolve GuardDuty, which is not designed for PII detection.

Option Cuses SQS, which is less suitable for immediate notifications.

AWS Shield Advanced provides:

Advanced DDoS detection and mitigation

24/7 access to the AWS DDoS Response Team (DRT)

Real-time metrics and alerts via CloudWatch

Integrated with CloudFront, ALB, Route 53, and Global Accelerator

“Shield Advanced provides enhanced detection and mitigation for more sophisticated DDoS attacks and gives you access to the AWS DDoS Response Team (DRT).”

— AWS Shield Advanced Overview

Incorrect Options:

A (AWS WAF): For application-layer filtering only.

B (Shield Standard): Basic protection, no DRT or attack visibility.

C (Macie): Used for discovering sensitive data in S3, unrelated to DDoS.

AWS Backup is a fully managed backup service that can create backup plans for EC2 instances, including both instance configurations and attached EBS volumes, with scheduled and cross-Region copy capabilities. By adding the EC2 instances to the resource assignment in the backup plan, AWS Backup automatically backs up all configurations and attached EBS volumes, and can copy backups to a secondary Region for disaster recovery, providing the highest operational efficiency with the least manual effort.

AWS Documentation Extract:

“AWS Backup provides fully managed backup for EC2 instances and attached EBS volumes, with scheduling, retention, and cross-Region copy built in. By adding the EC2 instance as a resource, the backup includes both configuration and attached volumes.”

(Source: AWS Backup documentation)

A, D: Custom Lambda scripts increase operational overhead and are not as integrated or robust as AWS Backup.

C: Assigning only EBS volumes does not include the EC2 instance configuration, which is needed for full recovery.

AWS Systems Manager Session Manager allows secure, auditable SSH-like access to EC2 instances without the need to open SSH ports or manage bastion hosts. For this to work in a private subnet, an interface VPC endpoint is required (not a gateway endpoint).

The EC2 instances must have the AmazonSSMManagedInstanceCore policy attached to their IAM roles to allow Systems Manager operations.

With Session Manager, all session activity can be logged centrally to Amazon CloudWatch Logs or S3, satisfying the audit requirement and improving operational efficiency over manual SSH and bastion configurations.

Detailed Explanation:

A. IAM identity provider:Does not support centralized management across multiple accounts.

B. AWS Managed AD:Unnecessary if an on-premises Active Directory already exists.

C. IAM Identity Center + Existing AD:Best approach to integrate existing Active Directory for SSO, with MFA and centralized permissions.

D. Lambda for synchronization:Adds complexity and does not leverage IAM Identity Center capabilities.

AWS Outposts extends AWS infrastructure and services to on-premises locations. Running Amazon EMR on Outposts allows for processing data that resides locally while benefiting from the managed services of EMR. This enables compliance with data residency requirements and provides scalability and manageability for analytics.

Amazon API Gateway supportsresource policies, which allow you to control access to your API by specifying the IP addresses or ranges that can access the API. By creating a resource policythat explicitly denies access to any IP address outside the allowed set, you can ensure that only trusted IP addresses (such as those from your internal network) can access the critical information in your API. This approach provides fine-grained access control without the need for additional infrastructure or complex configurations.

Option A (Private integration): API Gateway private integrations are for creating private APIs that are only accessible within a VPC, but this solution is about restricting access to certain IP addresses.

Option C (Private subnet and ACLs): Deploying the API in a private subnet and using network ACLs adds unnecessary complexity and isn't the best fit for HTTP APIs.

Option D (Security group): API Gateway doesn't have a security group because it isn't a resource inside a VPC. Instead, resource policies are the correct mechanism for controlling IP-based access.

AWS References:

Controlling Access to API Gateway with Resource Policies

The best solution to enforce encryption at rest for Amazon EBS volumes is to use anIAM policyto restrict the creation of unencrypted volumes. To automatically identify and remediate unencryptedvolumes, you can useAWS Configrules, which continuously monitor the compliance of resources, andAWS Systems Managerto automate the remediation by encrypting existing unencrypted volumes. This setup requires minimal administrative overhead while ensuring compliance.

Option B (KMS): KMS is for managing encryption keys, but Config and Systems Manager provide a better solution for automatic detection and enforcement.

Option C (Macie): Macie is for data classification and is not suitable for this use case.

Option D (Inspector): Inspector is used for security vulnerabilities, not encryption compliance.

AWS References:

AWS Config Rules

AWS Systems Manager

Amazon EFSwithMax I/O performance modeis designed for workloads that require high levels of parallelism, such as video processing across multiple EC2 instances. EFS provides shared file storage that can be mounted on both Windows and Linux EC2 instances, and the Max I/O mode ensures the best performance for handling large files and concurrent access across multiple instances.

Option A and B (FSx for Windows File Server): FSx for Windows File Server is optimized for Windows workloads and would not be ideal for Linux instances or high-throughput, parallel workloads.

Option D (EFS General Purpose mode): General Purpose mode offers lower latency but doesn't support the high throughput needed for large, concurrent workloads.

AWS References:

Amazon EFS Performance Modes

AWS Secrets Manager is designed specifically to securely store and manage sensitive information such as database credentials. It integrates seamlessly with AWS services like Lambda and RDS, and it provides automatic credential rotation with minimal operational overhead.

AWS Secrets Manager: By storing the database credentials in Secrets Manager, you ensure that the credentials are securely stored, encrypted, and managed. Secrets Manager provides a built-in mechanism to automatically rotate credentials at regular intervals (e.g., every 30 days), which helps in maintaining security best practices without requiring additional manual intervention.

Lambda Integration: The Lambda function can be easily configured to retrieve the credentials from Secrets Manager using the AWS SDK, ensuring that the credentials are accessed securely at runtime.

Why Not Other Options?:

Option A (Parameter Store with Rotation): While Parameter Store can store parameters securely, Secrets Manager is more tailored for secrets management and automatic rotation, offering more features and less operational overhead.

Option C (Encrypted Lambda environment variable): Storing credentials directly in Lambda environment variables, even when encrypted, requires custom code to manage rotation, which increases operational complexity.

Option D (KMS with automatic rotation): KMS is for managing encryption keys, not for storing and rotating secrets like database credentials. This option would require more custom implementation to manage credentials securely.

AWS References:

AWS Secrets Manager- Detailed documentation on how to store, manage, and rotate secrets using AWS Secrets Manager.

Using Secrets Manager with AWS Lambda- Guidance on integrating Secrets Manager with Lambda for secure credential management.

Aurora PostgreSQL supports the pgvector extension, which allows storage and querying of vector embeddings directly inside the database. This eliminates the need for external vector databases and provides cost-effective and performant integration for AI workloads.