Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

SSE-KMS (Server-side encryption with AWS Key Management Service) not only encrypts data at rest but also integrates with AWS CloudTrail to provide detailed logs of key usage — meeting the audit requirement.

“SSE-KMS provides the ability to audit key usage to see who used the key and when, via AWS CloudTrail.”

— Amazon S3 Encryption Documentation

Benefits:

Encryption with customer-managed or AWS-managed KMS keys

Audit trails of key usage events

Fine-grained access control

Incorrect Options:

A: SSE-S3 does not support auditing of key usage.

C: SSE-C does not integrate with CloudTrail or KMS.

D: Self-managed keys require external key infrastructure and custom audit logging.

Amazon ECS is the lowest-overhead choice because it avoids the control-plane and node-management work of EKS or raw EC2 while still supporting highly available multi-AZ placement. AWS ECS guidance notes that the service scheduler canspread tasks across Availability Zones, and target tracking scaling is a standard way to scale ECS services based on demand. Setting a minimum capacity of 3 ensures at least one task can remain in each Availability Zone, improving resilience. The EC2 and EKS options require more infrastructure management, and Lambda is not the right fit for generic containerized application workloads. Therefore, ECS with spread placement across AZs and service auto scaling is the best answer.

SQS Standard queues provide at-least-once delivery; they can, by design, deliver duplicate messages, and you cannot turn that off.

To guarantee no duplicates to consumers, AWS provides SQS FIFO queues with exactly-once processing semantics in conjunction with deduplication.

The minimal change to achieve this behavior is to:

Recreate the queue as a FIFO queue and

Enable content-based deduplication, so SQS automatically deduplicates messages with identical bodies within the deduplication window.

Why others are not correct:

A: Long polling reduces empty responses and costs but does not eliminate duplicates.

C: Content-based deduplication is available only for FIFO queues, not for standard queues—so you cannot “modify” a standard queue this way.

D: Moving to Amazon MQ is a much bigger architectural change and adds more operational overhead; it’s not the “fewest changes” approach.

To meet the requirement of deleting objects older than 3 years while retaining certain data, this solution leverages serverless technologies to minimize operational overhead.

S3 Inventory: S3 Inventory provides a flat file that lists all the objects in an S3 bucket and their metadata, which can be configured to include data such as the last modified date. This inventory can be generated daily or weekly.

AWS Lambda Function: A Lambda function can be created to process the S3 Inventory report, filtering out the objects that need to be retained and identifying those that should be deleted.

S3 Batch Operations: S3 Batch Operations can execute tasks such as object deletion at scale. By invoking the Lambda function through S3 Batch Operations, you can automate the process of deleting the identified objects, ensuring that the solution is serverless and requires minimal operational management.

Why Not Other Options?:

Option A (AWS CLI script on EC2): Running a script on an EC2 instance adds unnecessary operational overhead and is not serverless.

Option B (AWS Batch): AWS Batch is designed for running large-scale batch computing workloads, which is overkill for this scenario.

Option C (AWS Glue + script): AWS Glue is more suited for ETL tasks, and this approach would add unnecessary complexity compared to the serverless Lambda solution.

AWS References:

Amazon S3 Inventory- Information on how to set up and use S3 Inventory.

S3 Batch Operations- Documentation on how to perform bulk operations on S3 objects using S3 Batch Operations.

The requirement has three key elements: high availability with automatic recovery, separation of transactional and analytical workloads, and acceptable reporting lag up to 4 hours. The clean AWS-native pattern for isolating heavy read/reporting traffic from transactional writes in RDS for MySQL is to use read replicas and direct reporting queries to the replica endpoint(s).

Option C meets these requirements well. The primary RDS for MySQL instance handles transactional traffic (reads/writes). One or more RDS read replicas asynchronously replicate data from the primary. Because replication is asynchronous, some lag is expected; the requirement explicitly tolerates up to a 4-hour lag, which fits the read replica model. Directing batch reporting and analytical queries to a replica prevents those expensive queries from consuming CPU, memory, and I/O on the primary, thereby protecting interactive user performance. Deploying replicas across multiple Availability Zones also improves availability of the reporting tier and reduces the risk that an AZ issue prevents reporting access.

Option A is incorrect because a standard Multi-AZ DB instance uses a synchronous standby that is not readable and is intended for failover, not for serving analytical queries. Option B describes a Multi-AZ DB cluster deployment, which does provide readable standbys in some RDS engines; however, for the classic RDS MySQL exam pattern, the most direct and widely used method to isolate analytics is read replicas. Option D creates a nightly snapshot-based read-only copy; this increases operational complexity, can result in stale data for most of the day, and introduces provisioning delays, which is unnecessary when replicas provide continuous near-real-time copies.

Therefore, C is the best fit because it provides HA for the primary, isolates reporting reads to replicas, and meets the allowed replication lag requirement.

Caching frequently accessed, identical datasets is a well-established way to improve backend application performance by reducing load on the database. Amazon ElastiCache with Redis (open source) offers a fast, in-memory data store to cache query results, reducing latency and database requests.

Option B directly addresses the problem by offloading repeated read requests from the database to the cache.

Option A (SNS) is a messaging service and is unrelated to caching or improving database performance. Option C (DAX) accelerates DynamoDB but the backend uses RDS MySQL, so DAX is inapplicable. Option D (Data Firehose) is a data streaming service and does not optimize database read performance.

A. Kinesis Data Streams:Supports high throughput, strict ordering, multiple consumers, and data retention for 365 days.

B. SNS + SQS FIFO:Can enforce ordering but lacks native support for 500 KB messages and retention requirements.

C. EventBridge:Lacks strict ordering and message size compatibility.

D. SNS + Firehose:Not designed for strict ordering or large message sizes.

For secure communication between Lambda and an RDS DB instance, AWS documentation recommends placing the Lambda functions inside the same VPC and controlling traffic using security groups.

Lambda should have a dedicated security group with outbound access to the VPC CIDR range, and the DB instance’s security group should explicitly allow inbound connections from the Lambda security group. This follows the " least privilege " principle while avoiding public exposure.

Options A and B expose the DB to unnecessary risk. Option D is insecure because it bypasses security groups.

For SQS-backed worker architectures, AWS recommends scaling consumers based on queue metrics (e.g., ApproximateNumberOfMessagesVisible, AgeOfOldestMessage). EC2 Auto Scaling can “scale out based on Amazon CloudWatch alarms” tied to SQS backlog, increasing worker capacity to reduce latency as demand grows. DAX (A) accelerates DynamoDB reads, not message processing. API Gateway (B) and CloudFront (C) optimize request ingress and content delivery, not the asynchronous email-sending application. The bottleneck is consumer throughput; scaling workers with an SQS-driven policy restores timely processing without downtime and follows Well-Architected patterns for decoupled, elastic systems.

Kinesis Data Streams is the right ingestion service for real-time streaming data, and AWS Lambda is the least-operations compute option for processing and transforming records from the stream. AWS documents that Lambda can process events from stream sources such as Kinesis without infrastructure management. Storing the transformed data in DynamoDB provides durable, scalable storage for later analysis. The EC2 option introduces server management overhead. SQS is useful for queued work, but the question specifically centers on streaming data. SNS with ElastiCache is also not a durable analysis store design. Therefore, Kinesis Data Streams plus Lambda plus DynamoDB is the lowest-overhead architecture among the choices.

============

This is a classic fanout pattern. AWS documentation states that Amazon SNS can fan out messages to multiple subscribers, including Amazon SQS queues. AWS also notes that using SQS with SNS gives each subscriber its own durable queue, which buffers events independently and allows consumers to process at their own pace. That directly satisfies the need for every consumer to receive each order event, to absorb bursts, and to let new consumers be added without changing the producer. A single SQS queue would distribute messages across consumers instead of delivering every event to every consumer. Direct EventBridge targets do not provide the same durable per-consumer buffering described in the question. SNS plus one SQS queue per consumer is the most flexible and resilient design.

============

The correct answers areA and D. The requirement is to replace third-party middleware with an AWS-native solution that supportsasynchronous communication,exactly-once delivery, and theleast infrastructure management.Amazon SQS FIFO queuesare the best messaging component because FIFO queues are designed for workloads that requireordered processingandexactly-once message deliverysemantics. That makes optionDthe correct messaging choice.

For the compute layer,AWS Lambdaprovides the least infrastructure management because it is a fully managed serverless compute service. Lambda removes the need to manage virtual machines, operating systems, or cluster infrastructure. It integrates naturally with queue-based asynchronous architectures and can be invoked to process messages from SQS while scaling automatically based on queue depth and workload demand. That makes optionAthe best choice for minimizing operational burden.

Option B is incorrect because EC2 instances would require the company to manage instance provisioning, patching, scaling, and availability. Option C is incorrect becauseAmazon SNSis a pub/sub messaging service and does not provide exactly-once delivery guarantees likeSQS FIFO. Option E is incorrect becauseAmazon EKSintroduces Kubernetes management overhead and is not the lowest-management compute option.

AWS best practices recommend using managed messaging and serverless compute to reduce undifferentiated operational work. For a migration that requires asynchronous processing with exactly-once delivery and minimal infrastructure management, the most appropriate architecture isAWS Lambda functionswithAmazon SQS FIFO queues.

AmazonS3 with the Standard storage classis the best solution:

Encryption: SSE-S3 ensures server-side encryption of the data, meeting compliance requirements.

Immediate access: The Standard storage class provides low-latency and high-throughput access to data.

Multi-location storage: Cross-Region replication ensures data is stored in multiple AWS Regions for redundancy.

Why Other Options Are Not Ideal:

Option B:

Amazon EFS is more costly and suited for file systems rather than object storage.Not cost-effective.

Option C:

Amazon EBS is block storage and not optimized for object storage like PDFs. Backup schedules do not ensure immediate availability.Not suitable.

Option D:

S3 Glacier Flexible Retrieval is designed for archival, not immediate access.Does not meet access requirements.

AWS References:

Amazon S3 Standard Storage:AWS Documentation - S3 Storage Classes

Amazon S3 Cross-Region Replication:AWS Documentation - Cross-Region Replication

AWS Encryption Options:AWS Documentation - S3 Encryption

The most cost-effective general solution isDynamoDB auto scaling. AWS recommends atarget utilization of 70%for provisioned throughput with auto scaling, which lets DynamoDB adjust capacity up or down based on sustained workload patterns. That improves both read and write performance while controlling cost better than manual scaling. A GSI is only useful for specific alternate query patterns and does not solve overall throughput management by itself. DAX helps only with read-heavy caching, not writes. A custom CloudWatch-plus-Lambda scaling solution adds unnecessary operational work compared to native auto scaling. Because the question asks broadly for read and write performance at the best cost, auto scaling with the recommended 70% target is the strongest answer.

============

IAM Roles for Service Accounts (IRSA) is the AWS-recommended mechanism to grant fine-grained, pod-level AWS permissions in Amazon EKS. IRSA avoids the security risks of granting permissions to the entire node and aligns with the principle of least privilege.

To implement IRSA, two core components are required. First, an IAM role must be created with a trust policy that references an OIDC identity provider associated with the EKS cluster. This is why Option E is required. The OIDC provider allows AWS STS to authenticate Kubernetes service accounts and issue temporary credentials. Without this trust relationship, service accounts cannot assume IAM roles securely.

Second, the Kubernetes service account must be explicitly annotated with the ARN of the IAM role it is allowed to assume. This is provided by Option D. The annotation creates a direct mapping between a specific service account and a specific IAM role, ensuring granular access control at the pod level.

Option A is incorrect because attaching policies to the node IAM role grants permissions to all pods on the node, which violates least-privilege principles. Option B addresses network-level access but does not control AWS API authorization. Option C is incorrect because IAM roles should not be overloaded with permissions for multiple service accounts, and there is no direct one-to-one mapping between IAM roles and Kubernetes roles in this way.

Therefore, D and E together form the correct and secure IRSA configuration, enabling granular, auditable, and secure access to AWS resources from EKS workloads.

AWS documentation states that Amazon Macie is the managed service designed to automatically identify and classify sensitive data stored in Amazon S3, including PII and healthcare-related identifiers.

Storing logs in Amazon S3 provides scalable, durable storage, and Amazon Athena can directly query JSON data stored in S3 using SQL.

Amazon Inspector (Option D) is for vulnerability scanning and does not identify sensitive data. DynamoDB with KMS (Option C) cannot detect sensitive information. EBS (Option B) requires custom tooling and does not support serverless SQL querying.

=====================================================

The requirement is to route users to the nearest AWS Region where the application is deployed. The best solution is to use Amazon Route 53 with a geolocation routing policy, which routes traffic based on the geographic location of the user making the request.

Geolocation Routing: This routing policy ensures that users are directed to the resources (in this case, EC2 instances) that are geographically closest to them, thereby reducing latency and improving the user experience.

Application Load Balancer (ALB): Within each Region, an internet-facing Application Load Balancer (ALB) is used to distribute incoming traffic across multiple EC2 instances in different Availability Zones. ALBs are designed to handle HTTP/HTTPS traffic and provide advanced features like content-based routing, SSL termination, and user authentication.

Why Not Other Options?:

Option B (Geoproximity + NLB): Geoproximity routing is similar but more complex as it requires fine-tuning the proximity settings. A Network Load Balancer (NLB) is better suited for TCP/UDP traffic rather than HTTP/HTTPS.

Option C (Multivalue Answer Routing + ALB): Multivalue answer routing does not direct traffic based on user location but rather returns multiple values and lets the client choose. This does not meet the requirement for geographically routing users.

Option D (Weighted Routing + NLB): Weighted routing splits traffic based on predefined weights and does not consider the user ' s geographic location. NLB is not ideal for this scenario due to its focus on lower-level protocols.

AWS References:

Amazon Route 53 Routing Policies- Detailed explanation of the various routing policies available in Route 53, including geolocation.

Elastic Load Balancing- Information on the different types of load balancers in AWS and when to use them.

Because the workload follows apredictable business-hours schedule, the lowest-overhead solution is to usescheduled scalingwith EC2 Auto Scaling. AWS documentation states that scheduled actions let you scale an Auto Scaling group at specific times or on recurring schedules by changing desired, minimum, and maximum capacity. That directly matches a workload that needs instances during business hours and not at night. Manual start and stop actions add operational work, Spot Instances risk interruptions during business hours, and sizing for maximum load with Reserved Instances would overpay for idle time. Scheduled scaling automates the exact time-based pattern the question describes.

============

Service control policies (SCPs) in AWS Organizations apply to the accounts or OUs to which they are attached:

To restrict only nonproduction accounts, you can:

Attach the SCP directly to those specific member accounts (Option B), or

Create a dedicated OU for the nonproduction accounts and attach the SCP to that OU (Option E).

Both methods ensure that the deny policy affects only the nonproduction accounts and does not impact the production account.

Why the others are incorrect:

A: Attaching the SCP to the root OU would apply the deny to all accounts, including production, which does not meet the requirement.

C: SCPs attached to the management account only affect that account, not all member accounts.

D: Creating an OU for the production account and attaching the deny SCP there would block the prohibited instance types in production, which is the opposite of what is required.

To enforce that IAM users can only access Amazon RDS and no other AWS services, the recommended approach is to use a Deny statement with NotAction. This ensures that all actions are denied except RDS actions. Options A and B do not fully achieve the restriction: A only allows RDS but does not explicitly deny access to other services if another policy grants access; B’s explicit Deny for “*” would override all other permissions, including the intended RDS Allow, which would result in no access at all. Option D with permissions boundaries still allows other attached policies to grant access outside RDS. Therefore, C is the correct approach to enforce RDS-only access.