Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

The current architecture tightly couples image upload, resizing, and storage into a single synchronous workflow handled by EC2 instances. This increases upload latency and degrades user experience. The optimal solution is to decouple upload from processing and offload work to managed services.

Option C allows users’ browsers to upload images directly to Amazon S3 using presigned URLs, bypassing the EC2 web servers entirely. This significantly reduces server load, network hops, and request latency while improving scalability and performance. Presigned URLs also maintain security by granting time-limited, scoped access to S3.

Option D complements this by using S3 Event Notifications to invoke an AWS Lambda function whenever a new image is uploaded. The Lambda function performs the image resizing asynchronously and stores the processed image back in S3. This event-driven, serverless pattern eliminates tight coupling between upload and processing and ensures automatic scaling with minimal operational overhead.

Option A is unsuitable because Glacier is for archival storage and not designed for active uploads or processing. Option B still routes uploads through EC2, maintaining the bottleneck. Option E introduces unnecessary delays and inefficiency by resizing images on a schedule instead of reacting to upload events.

Therefore, C and D together provide the most performant, scalable, and operationally efficient image upload and processing architecture using AWS-native, event-driven services.

The correct answer is D because the application runs on AWS Fargate On-Demand capacity , cannot tolerate interruptions, and the company wants to optimize costs while keeping the application operational. A Compute Savings Plan is designed to reduce costs for consistent compute usage across AWS services, including AWS Fargate , without requiring changes to the application architecture or using interruptible capacity.

A Savings Plan provides discounted pricing in exchange for a usage commitment over a period of time. This is ideal for workloads that must continue running without interruption because the application can remain on Fargate On-Demand , which avoids the termination risk associated with Spot capacity. The company gets cost savings while preserving the reliability characteristics of the current deployment model.

Option A is incorrect because On-Demand Capacity Reservations are used to reserve EC2 capacity in a specific Availability Zone and do not apply as the main cost optimization mechanism for Fargate tasks. Option B is incorrect because Convertible Reserved Instances apply to Amazon EC2, not Fargate. Option C is incorrect because Fargate Spot can be interrupted and therefore does not meet the requirement that the application cannot tolerate sudden interruptions.

AWS cost optimization guidance recommends selecting discount models that align with workload needs. For predictable, steady serverless container usage on Fargate that must remain highly available, Compute Savings Plans offer the best balance of lower cost and uninterrupted operation. Therefore, purchasing a Compute Savings Plan is the most appropriate solution.

Compute Savings Plansoffer the most flexible and cost-effective solution for the production instances, as they provide significant savings (up to 66%) for both EC2 and AWS Lambda usage, while allowing flexibility in the type of instance family, size, and even region. For nonproduction instances, usingOn-Demand Instancesensures you only pay for the instances when they are running, and shutting them down during off-hours further optimizes cost.

Key AWS features:

Compute Savings Plans: Provide savings based on consistent usage, making it ideal for production environments with steady load.

On-Demand Instances: Suitable for nonproduction environments that are used intermittently. Shutting them down when not in use avoids unnecessary costs.

AWS Documentation: According to AWS ' s cost optimization best practices, using a combination of Savings Plans for production and On-Demand Instances for nonproduction environments that are used sparingly results in optimal cost savings​​.

Why Option C is Correct:

NAT Gateway: Allows private subnets to access the internet for outbound requests while preventing inbound connections.

High Availability: Deploying NAT gateways in both AZs ensures fault tolerance.

Shared Route Table: Simplifies routing configuration for private subnets.

Why Other Options Are Not Ideal:

Option A: Creating separate route tables for each subnet adds unnecessary complexity.

Option B: Internet gateways allow inbound access, violating the requirement to block public IPv4 access.

Option D: Egress-only internet gateways are designed for IPv6, not IPv4.

AWS References:

Amazon VPC NAT Gateway:AWS Documentation - NAT Gateway

The critical requirement is immediate processing upon customer submission, with a typical compute duration of about 10 seconds. This is an ideal fit for a synchronous, request-driven, serverless pattern: API Gateway + AWS Lambda. API Gateway provides a managed HTTPS front door for the application, handles request validation/throttling if needed, and integrates directly with Lambda. Lambda is designed for short-lived computations, scales automatically with request volume, and can complete 10-second tasks well within typical Lambda execution limits.

Option A therefore meets the requirement with low latency and minimal operational overhead. When a customer submits data, API Gateway invokes the Lambda function immediately, and the function returns the calculated premium response. This preserves an interactive user experience and avoids provisioning or managing servers. It also handles bursts gracefully because Lambda concurrency can scale quickly, and API Gateway can absorb high request rates.

Option B is unsuitable because launching a Spot instance per upload introduces significant startup latency (instance launch time) and is not reliable due to Spot interruptions. Option C and D are not “immediate”: Transfer Family is for file transfers, and scheduled EKS jobs or Batch jobs introduce queuing and scheduling delays. While Batch can be event-driven, it is typically used for longer-running or batch-oriented workloads and still has job-start overhead compared to Lambda.

Therefore, A best matches the requirements for immediate execution, scalability, and low operational burden while maintaining responsive performance for customers.

CloudFront Signed Cookies:

CloudFront signed cookies allow the company to provide access to premium users while maintaining a single, consistent URL.

This approach is simpler and more scalable than managing presigned URLs for each file.

Incorrect Options Analysis:

Option A: Using EC2 and EBS increases complexity and cost.

Option B: Managing presigned URLs for each file is not scalable.

Option D: CloudFront signed URLs require unique URLs for each file, which does not meet the requirement for a single URL.

Setting the RDS backup retention policy to 30 days forautomated backupsthrough AWS Backup allows the company to retain backups cost-effectively. Manual backups, however, are notautomatically managed by RDS ' s retention policy, so they need to be manually deleted if they are older than 30 days to avoid unnecessary storage costs.

Key AWS features:

Automated Backups: Can be configured with a retention policy of up to 35 days, ensuring that older automated backups are deleted automatically.

Manual Backups: These are not subject to the automated retention policy and must be manually managed to avoid extra costs.

AWS Documentation: AWS recommends using backup retention policies for automated backups while manually managing manual backups​.

The best practice for granting AWS resource access to EC2 instances is to use IAM roles, not users or long-lived access keys. You create an IAM role with a policy that grants the minimum permissions required, then attach that role to an instance profile associated with the EC2 instance. The instance then automatically receives temporary credentials for AWS service access.

AWS Documentation Extract:

" Attach an IAM role to your EC2 instances to securely grant permissions to AWS services according to the principle of least privilege. Never embed access keys in EC2 instances. "

(Source: AWS EC2 documentation, IAM Roles for EC2)

A, B: Using IAM users and embedding keys violates security best practices.

C: IAM role credentials are automatically managed and never need to be manually attached as keys.

Amazon Cognitoprovides scalable, serverless authentication, andLambda@Edgeis used for authorization, providing low-latency access control at the edge.Amazon CloudFrontserves the web application globally with reduced latency and ensures secure access for users around the world. This solution minimizes operational overhead while providing scalability and security.

Option B (Directory Service): Directory Service is more suitable for enterprise use cases involving Active Directory, not for web-based applications.

Option C (S3 Transfer Acceleration): S3 Transfer Acceleration helps with file transfers but does not provide authorization features.

Option D (Elastic Beanstalk): Elastic Beanstalk adds unnecessary overhead when CloudFront can handle global delivery efficiently.

AWS References:

Amazon Cognito

Lambda@Edge

Amazon Aurora Serverless v2 is ideal for applications with unpredictable or intermittent workloads. It automatically scales capacity up or down based on demand, significantly reducing costs. It supports automated backups to Amazon S3, making it suitable and cost-effective for new applications with variable traffic.

Amazon DynamoDB provides single-digit millisecond performance at any scale and is fully managed to handle millions of catalog records. It is ideal for structured catalog data such as product metadata and scales seamlessly during high-traffic events like sales. Amazon S3 is optimized for storing unstructured large objects such as videos and manuals, with virtually unlimited scalability and high durability. Option A (RDS) would not handle massive scale or traffic spikes as efficiently. Option C overloads DynamoDB by forcing it to store large binary data, which is not its purpose. Option D (DocumentDB) is suitable for JSON-like documents but not optimal for storing large media files and would add operational complexity. Therefore, option B represents the best separation of structured and unstructured data storage.

Option B: FSx for Lustre is designed for HPC workloads with high IOPS.

Option E: A cluster placement group ensures low-latency networking for HPC analytics workloads.

Option A: Amazon EFS is not optimized for HPC.

Option D: Mountpoint for S3 does not meet high IOPS needs.

The correct answers are A, B, and C because the company needs to handle a sharp increase in read traffic , maintain high availability , and avoid application changes . These three options improve scaling at different layers of the architecture while remaining aligned with the current application design.

A. Amazon CloudFront helps reduce load on the web tier by caching content closer to users at edge locations. This improves responsiveness and reduces the number of requests that must reach the origin web servers during the marketing event. It is a common way to scale web traffic without changing the application.

B. Auto Scaling for the application layer is also appropriate because the application layer is already described as stateless and supports automatic scaling. Adding or removing EC2 instances based on demand helps the application remain responsive under high load.

C. Amazon Aurora with Aurora Replicas and Aurora Auto Scaling is the best way to scale the relational database layer for read-heavy workloads. Aurora Replicas can offload read traffic from the writer instance, and Aurora Auto Scaling can automatically adjust replica capacity based on demand. This preserves the relational architecture while improving read scalability and availability.

Option D can reduce database read pressure, but adding ElastiCache effectively requires the application to use the cache, which conflicts with the requirement to avoid modifying the application. Option E is incorrect because replacing the ALB with an NLB does not solve the application’s scaling or read-traffic bottlenecks. Option F is incorrect because migrating from a relational database to DynamoDB would require a major redesign.

So the best combination is CloudFront , Auto Scaling for the stateless application tier , and Aurora with read scaling features .

The workload described is event-driven, low volume, and sporadic, making serverless architecture the most cost-effective choice. AWS Lambda, when triggered by S3 event notifications, runs only when new photos are uploaded and incurs cost only for execution time.

Option C uses S3 event notifications to invoke a Lambda function whenever a new object is created. The Lambda function generates a thumbnail and uploads it to a second S3 bucket. This solution requires no servers, no scheduling, and no idle compute costs, making it extremely cost-efficient for 150 uploads per day.

Options A and B involve running long-lived compute resources that would remain idle most of the time, resulting in unnecessary cost. Option D is invalid because S3 Storage Lens is designed for storage analytics and reporting, not event-driven processing.

Therefore, C is the most cost-effective and operationally efficient solution.

SSE-KMS: Server-side encryption with AWS Key Management Service (SSE-KMS) provides robust encryption of data at rest, integrated with AWS KMS for key management and auditing.

Automatic Key Rotation: By enabling automatic rotation for the KMS keys, the system ensures that keys are rotated annually without manual intervention, meeting compliance requirements.

Logging and Auditing: AWS KMS automatically logs all key usage and management actions in AWS CloudTrail, providing the necessary audit logs.

Implementation:

Create a KMS key with automatic rotation enabled.

Configure the S3 bucket to use SSE-KMS with the created KMS key.

Ensure CloudTrail is enabled for logging KMS key usage.

Operational Efficiency: This solution provides encryption, automatic key management, and auditing in a seamless, fully managed way, reducing operational overhead.