Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Amazon GuardDuty detects cryptocurrency mining and sends findings to Amazon EventBridge. You can use EventBridge to trigger an automated Lambda function to isolate EC2 instances (such as by removing security group access or stopping/isolating the instance).

AWS Documentation Extract:

" Amazon GuardDuty findings can be sent to Amazon EventBridge, which enables you to trigger an automated response using AWS Lambda. "

(Source: AWS GuardDuty documentation)

B, C, D: Security Hub, Inspector, and Config are not directly used for this detection-to-isolation workflow.

AWS Compute Optimizerprovides detailed recommendations for optimizingAmazon EBS volumes, including insights into underutilized volumes, inefficient configurations, and potential cost savings. It analyzes usage patterns and provides recommendations based on historical data, making it the ideal tool for this use case.

Option A (Amazon Inspector): Amazon Inspector is for security assessments, not for cost optimization.

Option B (Systems Manager): Systems Manager does not specifically provide EBS optimization recommendations.

Option C (CloudWatch): CloudWatch metrics help monitor usage but do not offer optimization recommendations like Compute Optimizer.

AWS References:

AWS Compute Optimizer

Amazon EMR on EC2 supports “runtime roles (application-scoped IAM roles)” so each application/step assumes its own IAM role with least-privilege S3 access. You enable this via an EMR security configuration by setting “EnableApplicationScopedIAMRole = true.” The EMR core/Task nodes run under the cluster’s EC2 instance profile; therefore the instance profile must be permitted to “sts:AssumeRole” into the defined EMR runtime roles, and each runtime role must trust the instance profile (trust policy principal is the instance profile role). This design limits each job’s S3 scope via role policies and enforces per-job access segregation. Option B reverses the trust (incorrect). Option E trusts the EMR service role (not used to assume runtime roles). Option F is unrelated (encryption in transit). The correct trio is to enable application-scoped roles (A), authorize the instance profile to assume them (C), and configure the runtime roles’ trust relationship to allow that assumption (D).

Provisioned concurrency is the key requirement match because AWS documentation states that it pre-initializes Lambda execution environments and is designed to reduce cold-start latency, supporting predictable response times in the double-digit millisecond range. That makes it ideal for APIs that must remain consistently low-latency during peak traffic periods. Reserved concurrency does not solve cold starts; it only reserves capacity. ECS and EKS could certainly host the API, but both introduce more infrastructure management than API Gateway plus Lambda. Since the question asks for theleast operational overheadwhile maintaining consistent low latency, the serverless pattern with API Gateway and Lambdawith provisioned concurrencyis the strongest AWS-native answer. (AWS Documentation)

============

For predictable workloads requiring a relational database, Amazon RDS for MySQL offers a managed, cost-effective solution. Storing product images in Amazon S3 is highly durable and cost-efficient, especially for static assets like images. This combination leverages managed services to reduce operational overhead and costs.

For application access to AWS services from ECS tasks, the correct identity is the ECS task role. AWS separates the task execution role, which is mainly for pulling images and sending logs, from the task role, which is used by the application code running inside the container. Because the application itself needs to read from S3, the least-effort and most secure design is to grant the necessary S3 permissions directly to the task role. Using IAM users and access keys would introduce unnecessary credential management and reduce security. Therefore, assigning the required S3 permissions to the task role is the proper AWS best-practice solution.

============

Since the application uses long-lived TCP connections and must remain idle for up to 1 hour without timeout, all components involved in the connection path (ALB, GWLB, and firewall) must have their idle timeout values configured to at least 1 hour.

Gateway Load Balancer supports transparent insertion of firewalls, and configuring consistent idle timeouts ensures connections don’t drop mid-session.

Using just one firewall (option B) introduces a single point of failure. Increasing capacity (option D) doesn ' t solve idle timeout issues. Therefore, C provides a resilient and complete configuration.

VPC Endpoint for S3: A gateway endpoint for Amazon S3 enables you to privately connect your VPC to S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Configuration Steps:

In the VPC console, navigate to " Endpoints " and create a new endpoint.

Select the service name for S3 (com.amazonaws.region.s3).

Choose the VPC and the subnets where your EC2 instances are running.

Update the route tables for the selected subnets to include a route pointing to the endpoint.

Security Compliance: By configuring an S3 gateway endpoint, all traffic between the VPC and S3 stays within the AWS network, complying with the company ' s security regulations to avoid internet traversal.

AWS documentation states that the correct and least-privilege method for cross-account SNS-to-SQS integration is:

• Add specific SNS topic ARNs to the SQS queue policy.

• Allow only those topics to publish messages to the queue.

• Ensure SNS has permission to publish to the specific queue ARN.

This ensures strict scoping and adheres to least privilege.

Options A and D grant overly broad permissions. Option B allows publishing to any queue, which violates least privilege.

This solution is the most cost-effective and efficient way to break down costs per application.

Tagging Resources: By tagging all AWS resources with a specific key (e.g., " cost " ) and a value representing the application ' s name, you can easily identify and categorize costs associated with each application. This tagging strategy allows for granular tracking of costs within AWS.

Activating Cost Allocation Tags: Once tags are applied to resources, you need to activate cost allocation tags in the AWS Billing and Cost Management console. This ensures that the costs associated with each tag are included in your billing reports and can be used for cost analysis.

AWS Cost Explorer: Cost Explorer is a powerful tool that allows you to visualize, understand, and manage your AWS costs and usage over time. You can filter and group your cost data by the tags you’ve applied to resources, enabling you to easily see the cost breakdown for each application. Cost Explorer also supports generating regular reports, which can be scheduled and emailed to stakeholders.

Why Not Other Options?:

Option A (AWS Budgets): AWS Budgets is more focused on setting cost and usage thresholds and monitoring them, rather than providing detailed cost breakdowns by application.

Option B (Load Cost and Usage Reports into RDS): This approach is less cost-effective and involves more operational overhead, as it requires setting up and maintaining an RDS instance and running SQL queries.

Option D (AWS Billing and Cost Management Console): While you can download bills, this method is more manual and less dynamic compared to using Cost Explorer with activated tags.

AWS References:

AWS Tagging Strategies- Overview of how to use tagging to organize and track AWS resources.

AWS Cost Explorer- Details on how to use Cost Explorer to analyze costs.

To decouple distributed workloads and improve scalability and resiliency, Amazon SQS should be used as a reliable job queue. The compute nodes (workers) can poll the SQS queue for tasks, and EC2 Auto Scaling can dynamically scale instances based on the ApproximateNumberOfMessages metric.

From AWS Documentation:

“Amazon SQS enables you to decouple application components, allowing each part to scale independently. You can scale EC2 instances automatically based on the number of messages in the queue.”

(Source: Amazon SQS Developer Guide – Scaling Consumers with Auto Scaling)

Why B is correct:

Eliminates the single point of failure (the primary coordinator).

Enables event-driven scaling based on queue depth.

Provides durability and resiliency since messages are stored redundantly.

Fully managed and integrates seamlessly with Auto Scaling policies.

Why other options are incorrect:

A: Scheduled scaling does not respond to variable workloads.

C & D: Misuse of CloudTrail/EventBridge; not intended for workload coordination.

AWS Step Functions is the recommended service for orchestrating multi-step, long-running workflows with state tracking, retries, and external API calls. It reduces operational overhead by eliminating the need for custom orchestration logic.

API Gateway receiving work items and sending them to SQS (Option E) provides buffering, elasticity, and decoupling, ensuring immediate ingestion regardless of backend load.

Option A forces Lambda to handle long execution paths, which is not optimal for 30-minute tasks and multi-state workflows. Option C triggers Lambda directly without buffering. Option D uses fixed EC2 instances, which does not scale dynamically.

=====================================================

For Amazon RDS relational databases experiencing read-heavy workloads, AWS best practice is to create read replicas and offload read traffic to those replicas. A read replica:

Uses asynchronous replication from the primary.

Can serve read-only queries, thereby reducing load and query latency on the primary.

Can be used behind an application-level read/write splitting mechanism or via endpoints that direct read traffic to replicas.

Performance Insights (Option A) helps diagnose performance problems but does not itself offload traffic.

DAX (Option B) is a cache for DynamoDB, not RDS.

Kinesis Data Firehose (Option D) is a streaming ingestion service and cannot increase RDS query concurrency.

Amazon CloudFront is a global content delivery network (CDN) that caches and distributes content to users with low latency. By setting the existing ALB as the origin, CloudFront can cache dynamic and static content closer to users worldwide, improving performance and reducing the load on the application servers. This is the most cost-optimized and AWS-recommended way to globally serve dynamic content for web applications.

Reference Extract:

" CloudFront accelerates delivery of both static and dynamic content, reducing latency and offloading origin resources by caching content at edge locations. "

Source: AWS Certified Solutions Architect – Official Study Guide, CloudFront and Global Application section.

A. Aurora MySQL:Handles OLTP workloads efficiently with built-in replication and auto-scaling capabilities.

B. EC2 with MySQL:Requires heavy manual maintenance and does not scale seamlessly.

C. RDS for MySQL:Limited in auto-scaling compared to Aurora.

D. Redshift:Primarily for OLAP, not suitable for OLTP workloads.

AWS KMS with SSE-KMS provides granular key management and auditability. All use of KMS keys is logged in AWS CloudTrail, which allows compliance teams to monitor encryption and decryption operations. A bucket policy can be configured to enforce uploads only with the designated KMS key, ensuring that users cannot bypass encryption or change methods. Option A (SSE-S3 with bucket policy) enforces encryption but does not provide the same level of control or auditable key usage. Option C (client-side encryption) increases complexity and key management burden. Option D prevents bucket setting changes but does not prevent unencrypted uploads. Therefore, B ensures the most granular control, auditability, and compliance with financial data requirements.

Explanation (AWS Docs):

A: Use Direct Connect with a private VIF to ensure private connectivity from on-premises to AWS.

E: Peer the networking VPC with VPCs in the accounts hosting S3 buckets to allow private routing.

“A private virtual interface enables private connectivity to your VPC.”

— Direct Connect Private VIF

The key requirements are (1) MySQL compatibility for existing applications and (2) the ability to scale automatically during demand spikes for a transactional workload. Amazon Aurora (MySQL-compatible) satisfies compatibility while providing managed database capabilities designed for high performance and scalability. Using AWS Database Migration Service (DMS) is operationally efficient for migration because it supports moving data from on-premises databases to AWS with options for continuous replication to minimize downtime, which is commonly required for transactional systems.

Turning on Aurora Auto Scaling (for Aurora Replicas) allows the database tier to automatically add or remove read replicas based on demand, which helps absorb increased read traffic without manual intervention. This meets the “scale automatically” requirement more directly than simply scaling storage. (Write scaling is addressed through Aurora’s architecture and capacity planning; for many workloads, scaling reads is the dominant elasticity need.)

Option A only mentions configuring storage scaling, which does not address compute scaling during load increases; RDS storage autoscaling helps prevent running out of space but does not automatically add compute capacity in response to demand. Option B is incorrect because Amazon Redshift is a data warehouse designed for analytics/OLAP, not a transactional MySQL OLTP replacement, and mysqldump to Redshift does not preserve application compatibility. Option D changes the data model by migrating to DynamoDB, which is not MySQL-compatible and would require application redesign—violating the compatibility requirement.

Therefore, C best satisfies compatibility and automatic scaling needs while using managed services that reduce operational overhead during and after migration.

The correct recommendation is to useAWS Schema Conversion Tool AWS SCTtogether withAWS DMSand run afull load plus CDCmigration so Oracle and Aurora PostgreSQL stay synchronized during the staged application cutover. AWS prescriptive guidance for Oracle-to-Aurora PostgreSQL migration explicitly uses AWS SCT and AWS DMS for this pattern. Because the source workload has a high number of reads and writes, amemory-optimized replication instanceis the stronger fit for heavy replication activity. DataSync is not the service used for relational database migration. Selecting only the largest tables would not satisfy the requirement to keep all application data synchronized across the whole migration window.

============

If the SQS visibility timeout is set shorter than the time it takes for the application to process and delete the message, the message becomes visible to other consumers and can be processed again, resulting in duplicate processing. This is a common cause of duplicate messages when using SQS.

Reference Extract from AWS Documentation / Study Guide:

" If the visibility timeout for a message is set shorter than the time it takes to process the message, the message becomes visible again and can be received and processed again, resulting in duplicate processing. "

Source: AWS Certified Solutions Architect – Official Study Guide, SQS and Messaging section.