Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Enabling Multi-AZ deployment for an Amazon RDS DB instance is the simplest and most effective way to improve database availability and eliminate a single point of failure. Multi-AZ deployments provide automatic failover to a standby instance in case of a failure of the primary instance. This approach is managed by AWS and only requires a modification to the existing instance, with minimal manual intervention or downtime, thus providing the least implementation effort.

Reference Extract from AWS Documentation / Study Guide:

" With Multi-AZ deployments, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). In case of a failure of the primary DB Instance, Amazon RDS automatically fails over to the standby so that database operations can resume quickly. "

Source: AWS Certified Solutions Architect – Official Study Guide, RDS High Availability section.

AWS Budgets allows you to set custom cost and usage budgets. When actual or forecasted usage exceeds the threshold, AWS Budgets can automatically send alerts to an Amazon SNS topic. You can use AWS Cost Explorer in parallel for visual tracking of spending. This solution requires no code and has minimal operational overhead.

The correct answer is B because the company wants to view both Amazon EKS clusters and on-premises Kubernetes clusters from a central location with the least operational overhead . Amazon EKS Connector is designed for this purpose. It allows externally managed Kubernetes clusters, including on-premises clusters, to be registered to AWS so they can be viewed in the Amazon EKS console alongside native EKS clusters. This creates a centralized management experience without requiring the company to migrate or rebuild the existing on-premises clusters.

EKS Connector is a low-overhead solution because it extends visibility into Kubernetes environments that are not running directly on Amazon EKS. It provides centralized cluster registration and observability at the AWS management layer while preserving the existing cluster deployments. This is especially useful for hybrid Kubernetes environments where organizations want a single control point for inventory and visibility.

Option A is incorrect because Amazon CloudWatch Container Insights is primarily for metrics, logs, and performance monitoring. Although it provides observability, it is not the primary service for centrally registering and viewing clusters themselves in a unified cluster-management context. Option C is incorrect because AWS Systems Manager is not the main service for centralized Kubernetes cluster management. Option D is incorrect because Amazon EKS Anywhere is used to run Kubernetes on-premises, but it is not the simplest way to centrally view existing clusters with the least operational effort.

AWS guidance for hybrid Kubernetes visibility recommends Amazon EKS Connector for connecting external Kubernetes clusters to AWS. Therefore, it is the most appropriate solution.

This solution directly addresses the scalability and high availability requirements with minimal downtime.

Additional Reader Instances: Adding more reader instances to the Aurora cluster will distribute the read load, improving the performance of the application under heavy read traffic. Aurora reader instances automatically replicate the data from the writer instance, enabling you to scale out read operations.

Amazon RDS Proxy: RDS Proxy improves database availability by managing database connections more efficiently and providing a connection pool. This reduces the overhead on the Aurora cluster during peak loads, further enhancing performance and availability without requiring changes to the application code.

Why Not Other Options?:

Option A (EventBridge and Lambda): This doesn’t directly address the performance and availability issues. Logging state changes and adding reader nodes on failure events doesn’t provide proactive scalability.

Option B (Zero-Downtime Restart and Activity Streams): Zero-Downtime Restart (ZDR) is useful for minimizing downtime during maintenance but doesn’t directly improve scalability. Database Activity Streams are more for security monitoring than for performance enhancement.

Option D (ElastiCache for Redis): While adding a caching layer can help with read performance, it introduces complexity and may not be necessary if additional reader instances can handle the load.

AWS References:

Amazon Aurora Scaling- Information on scaling Aurora clusters with reader instances.

Amazon RDS Proxy- Details on how RDS Proxy can improve database performance and availability.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The security requirement is preventive: “prevent the deployment” of IAM roles that contain an overly permissive inline policy (Allow on Action:* and Resource:*). Preventive enforcement should occur at deployment time so noncompliant IAM resources are blocked before they exist. In a Control Tower-governed environment where resources are provisioned through CloudFormation, the most appropriate mechanism is a proactive control that evaluates templates and denies noncompliant stack operations.

Option A matches this intent. Control Tower proactive controls are designed to provide preventative guardrails by checking resource configurations (including Infrastructure as Code deployments) against defined rules and blocking deployments that violate policy. This stops risky IAM roles from being created in the first place, which is preferable to after-the-fact detection and cleanup.

Options B, C, and D are detective or reactive patterns. Detective controls (and AWS Config rules) can identify noncompliance after resources are created, but that does not “prevent deployment.” Even if remediation is automated (Option C), there is still a window where an overly permissive role exists and could be assumed or exploited. Option D only notifies, which is insufficient. Option B suggests deleting policies on deployment, but Control Tower detective controls are not intended to automatically delete deployed IAM policies; they primarily detect and report drift/noncompliance.

Therefore, A is the best solution because it enforces the requirement proactively by blocking noncompliant CloudFormation deployments, maintaining a stronger security posture and reducing operational burden associated with detection and remediation.

To ensure ALB access only via CloudFront, AWS prescribes restricting the origin to traffic from CloudFront. For ALB origins, the standard pattern is to allow inbound to the ALB only from CloudFront edge IP ranges using security groups or ALB listener rules. Network ACLs are coarse and stateless and add operational burden. CloudFront does not have a “VPC origin” object; instead, CloudFront references the ALB DNS name. By limiting the ALB’s security group to CloudFront IP ranges, direct client access to the ALB is blocked while CloudFront remains permitted. This aligns with security best practices to “restrict origin access to only CloudFront” and use SGs for instance/ALB layer controls.

AWS documentation states that workloads running 24/7 should use Reserved Instances or Savings Plans for the lowest cost. Therefore, the frontend nodes, which always run, should use Reserved Instances.

The backend nodes process asynchronous, restartable jobs, which makes them ideal for EC2 Spot Instances, the most cost-effective compute option for interruption-tolerant workloads.

Fargate (Options A and D) is significantly more expensive for large compute usage. Spot Instances cannot be used for critical frontend nodes (Option C).

=====================================================

The correct answer is C because the workload is a batch processing job that runs during a limited time window each night and can tolerate interruptions. The key statement is that if a job fails on one instance, another instance will reprocess the job . That means the workload is fault-tolerant and well suited for Amazon EC2 Spot Instances , which provide unused EC2 capacity at a much lower cost than On-Demand Instances.

Batch jobs, big data processing, background analytics, and other interruptible workloads are classic use cases for Spot Instances. Because the instances run only from 12:00 AM to 06:00 AM and do not need to be available continuously, committing to a 1-year Savings Plan or Reserved Instances would not be the most cost-effective approach. Those options are better for steady and predictable long-running usage, not for short-duration nightly workloads.

Using a new launch template configured for Spot Instances allows the Auto Scaling group to launch lower-cost capacity for the processing window. Scaling based on CPU usage can help the group add or remove instances according to processing demand, improving both elasticity and cost efficiency.

Option A is less cost-effective because Savings Plans are more suitable for consistent usage over time. Option B is also less cost-effective because Reserved Instances lock in a commitment for capacity that is used only a few hours each day. Option D does not address the cost model and could even increase cost by using larger instances.

AWS cost optimization guidance recommends Spot Instances for fault-tolerant, flexible, interruption-tolerant workloads , making option C the best answer.

Deploying the web application on EC2 instances in private subnets behind an internal ALB ensures that the application is not directly accessible from the internet. By setting up a Site-to-Site VPN connection, the application can be accessed securely from the company ' s office network. Deploying NAT gateways in public subnets allows instances in private subnets to initiate outbound connections to the internet for downloading security patches.

The correct answer is D because the application is written entirely in JavaScript and runs in users’ web browsers , which means the workload is essentially a static web application . Static assets such as HTML, JavaScript, CSS, and related files are best hosted on Amazon S3 , which provides highly durable and low-cost object storage. Putting Amazon CloudFront in front of the S3 bucket allows the application to be delivered globally through edge locations, which reduces latency for users in many countries while also lowering the load on the origin.

This design is more cost-effective than continuing to serve the application from EC2 instances behind an ALB because it eliminates most of the compute and load balancing cost for static content delivery. CloudFront caches the content close to users and can improve performance worldwide without the complexity of deploying full application stacks in multiple Regions.

Option A is less cost-effective because it still depends on the ALB and EC2 instances as the origin for content that is static. Also, CloudFront requires an ACM certificate in us-east-1 for custom domain names, so reusing the existing certificate from the ALB is not the right assumption. Option B introduces significant multi-Region infrastructure cost and management overhead. Option C is unnecessarily complex because multiple S3 buckets in multiple Regions are not required when CloudFront can cache globally from a single origin.

AWS best practices for static web applications recommend Amazon S3 for storage and Amazon CloudFront for global distribution . This approach provides strong performance, simplicity, and cost optimization.

Aurora I/O-Optimized: This storage configuration is designed to provide consistent high performance for Aurora databases. It automatically scales IOPS as the workload increases, without needing to provision IOPS separately.

Cost-Effectiveness: With Aurora I/O-Optimized, you only pay for the storage and I/O you use, making it a cost-effective solution for applications with varying and unpredictable I/O demands.

Implementation:

During the creation of the Aurora PostgreSQL Serverless v2 cluster, select the I/O-Optimized storage configuration.

The storage system will automatically handle scaling and performance optimization based on the application load.

Operational Efficiency: This configuration reduces the need for manual tuning and ensures optimal performance without additional administrative overhead.

The best solution to enforce encryption at rest for Amazon EBS volumes is to use anIAM policyto restrict the creation of unencrypted volumes. To automatically identify and remediate unencryptedvolumes, you can useAWS Configrules, which continuously monitor the compliance of resources, andAWS Systems Managerto automate the remediation by encrypting existing unencrypted volumes. This setup requires minimal administrative overhead while ensuring compliance.

Option B (KMS): KMS is for managing encryption keys, but Config and Systems Manager provide a better solution for automatic detection and enforcement.

Option C (Macie): Macie is for data classification and is not suitable for this use case.

Option D (Inspector): Inspector is used for security vulnerabilities, not encryption compliance.

AWS References:

AWS Config Rules

AWS Systems Manager

AWS Control Tower provides automatic account governance, centralized logging, CloudTrail aggregation, and integrates directly with AWS Security Hub, which evaluates compliance against FSBP standards. This is the lowest operational overhead AWS-native solution.

The issue described is a classic case of read-heavy reporting workloads interfering with transactional application traffic. Although the RDS instance is configured for Multi-AZ, Multi-AZ deployments are designed for high availability and failover, not for scaling read performance. All reads and writes still occur on the primary instance, which explains why reporting queries negatively affect customer-facing performance.

Option C, adding an Amazon RDS read replica, is the most effective and AWS-recommended solution. Read replicas asynchronously replicate data from the primary instance and provide a separate endpoint for read-only workloads such as reporting, analytics, and dashboards. By redirecting the finance team’s reporting queries to the replica endpoint, the primary database is freed to handle transactional workloads, significantly improving overall application performance.

Option A (RDS Proxy) helps manage database connections efficiently, especially for bursty workloads, but it does not offload query execution or isolate heavy read traffic. Option B is invalid because RDS Multi-AZ does not support spreading a single DB instance across three AZs, and even if it did, it would not reduce read contention. Option D increases instance resources but does not solve the root cause; reporting queries would still compete with production traffic and would also increase cost unnecessarily.

Therefore, C is the optimal solution because it isolates reporting workloads, scales read capacity, improves application responsiveness, and aligns with AWS best practices for high-performance database architectures.