Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

The best practice for granting AWS resource access to EC2 instances is to use IAM roles, not users or long-lived access keys. You create an IAM role with a policy that grants the minimum permissions required, then attach that role to an instance profile associated with the EC2 instance. The instance then automatically receives temporary credentials for AWS service access.

AWS Documentation Extract:

" Attach an IAM role to your EC2 instances to securely grant permissions to AWS services according to the principle of least privilege. Never embed access keys in EC2 instances. "

(Source: AWS EC2 documentation, IAM Roles for EC2)

A, B: Using IAM users and embedding keys violates security best practices.

C: IAM role credentials are automatically managed and never need to be manually attached as keys.

AWS documents that Lambda@Edge can customize CloudFront behavior at the edge and that CloudFront can change the origin domain name based on the viewer-country header. AWS also documents that CloudFront can route to origins based on request headers and other request characteristics. That makes CloudFront with Lambda@Edge the best fit for selecting the Region-specific S3 origin closest to users in Asia and Europe. ALB is not the right service for S3-origin geolocation routing, and plain CloudFront cache behaviors alone do not perform this origin selection logic by viewer location without the edge customization. Therefore, Lambda@Edge plus CloudFront multi-origin selection is the correct design.

============

Amazon S3 uses gateway VPC endpoints, which enable private, secure access to S3 without traversing the internet, compatible with IPv6.

Amazon DynamoDB uses interface VPC endpoints (powered by AWS PrivateLink) for private connectivity within the VPC.

Therefore, for secure private communication without public internet, the correct solution is to implement a gateway VPC endpoint for S3 and an interface VPC endpoint for DynamoDB.

Option B is incorrect because S3 does not support interface endpoints; Option C is incorrect because DynamoDB does not support gateway endpoints. Option D reverses the correct endpoint types.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The requirements are straightforward: expose the Lambda microservice through an HTTPS endpoint and authenticate calls using IAM. Lambda function URLs are a built-in feature that provides a dedicated HTTPS endpoint for a Lambda function without requiring API Gateway, ALB, or CloudFront. When configured with the authentication type AWS_IAM, the endpoint requires requests to be signed with AWS Signature Version 4 and authorized by IAM policies. This directly satisfies the “must use IAM to authenticate calls” requirement with the least architectural complexity.

Option A can also secure an endpoint with IAM, but it proposes using a Lambda authorizer, which is typically used for custom authorizers (JWT/OAuth/Cognito/external identity). For IAM authentication in API Gateway, you generally use IAM authorization on the method, not an authorizer function. Also, API Gateway REST APIs introduce additional service configuration and per-request costs when a simpler managed option exists that meets the requirements.

Options C and D are not appropriate. Lambda@Edge and CloudFront Functions run at CloudFront edge locations with different programming and deployment models; they are designed for CDN request/response manipulation, not as the primary mechanism to expose a regional Lambda microservice endpoint with IAM authentication. CloudFront Functions in particular is for lightweight JavaScript at the edge and does not provide a native “AWS_IAM authentication type” for invoking an origin Lambda as a microservice endpoint.

Therefore, B is the cleanest and most secure fit: a native HTTPS endpoint backed by Lambda, protected with IAM-based SigV4 authentication.

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

This question focuses on scalability, operational overhead, and performance during unpredictable workloads.

API Gateway + AWS Lambda enables serverless compute, which scales automatically based on the number of requests. It requires no provisioning, maintenance, or patching of servers — eliminating operational overhead.

Amazon DynamoDB is a fully managed NoSQL database optimized for high-throughput workloads with single-digit millisecond latency.

Amazon S3 is designed for high availability and durability, and is ideal for storing unstructured content such as user-uploaded images.

By leveraging these fully managed and scalable services, the architecture meets the requirement of supporting rapid user growth while minimizing operational complexity. This solution aligns with the Performance Efficiency and Operational Excellence pillars in the AWS Well-Architected Framework.

🔗 References:

Serverless Web Application Architecture

Using DynamoDB with Lambda

Best Practices for API Gateway

The best AWS-native design isAmazon Kinesis Data Streamsfor real-time ingestion andAmazon OpenSearch Servicefor near-real-time search and analytics. AWS describes OpenSearch Service as a managed search and analytics engine for real-time application monitoring and similar use cases, and AWS also provides architectures for delivering real-time data from Kinesis into OpenSearch. QuickSight is then appropriate for dashboards and visualizations. The other answers either introduce more operational overhead or use services that are not the best fit for real-time search workloads. For an on-premises search application moving to AWS, Kinesis plus OpenSearch is the most natural managed solution.

============

Amazon SQS provides durable, decoupled message storage for distributed systems. Using SQS as a job queue enables each EC2 instance to process a message independently. Scaling the Auto Scaling group based on the SQS queue length ensures parallelism and elasticity, aligning compute resources with workload volume.

A. EventBridge rule:Triggers an event whenever there is a change in CloudFront distribution, ensuring real-time monitoring.

B. ALB with WAF:Focuses on application-level security, not CloudFront logging.

C. Lambda + SNS:Provides notifications upon detection of changes in logging configuration.

D. GuardDuty:Monitors anomalies but does not specifically address CloudFront logging changes.

E. Private API + WAF:Irrelevant to CloudFront logging changes.

The most cost-effective solution for serving video content with different bitrates is to store multiple versions of each video inAmazon S3. S3 provides scalable and cost-effective storage for largemedia files. Serving the videos from a single Amazon EC2 instance ensures low-latency delivery, and S3 storage helps minimize costs.

Option A (ElastiCache): Caching large video files in memory would be prohibitively expensive and unnecessary.

Option B (Auto Scaling group): Using Auto Scaling groups to serve video is less cost-effective compared to leveraging S3 for static storage.

Option D (Kinesis Video Streams): Kinesis Video Streams is designed for real-time video streaming and is not suitable for storing and serving pre-recorded videos.

AWS References:

Amazon S3 for Media Storage

Amazon Kinesis Data Streams in on-demand mode is purpose-built for real-time ingestion of streaming data and scales automatically with traffic, which is ideal for fluctuating workloads like clickstream data.

Combined with AWS Lambda, which scales concurrently based on incoming events, this setup ensures efficient, real-time processing with minimal configuration and cost overhead.

Option B involves Firehose, which is not optimal for low-latency processing. Option C is incorrect as Kinesis Video Streams is designed for video data, not clickstream. Option D introduces Flink, which adds unnecessary complexity when Lambda suffices.

For encryption in transit, AWS Certificate Manager ACM is the correct service because it provisions and manages TLS certificates for HTTPS connections. For encryption at rest, AWS KMS is the right service because it manages encryption keys used by services such as Amazon EBS. AWS documentation and whitepapers consistently position ACM for certificate-based transport encryption and KMS for at-rest encryption key management across AWS services. GuardDuty and Shield are security detection and DDoS protection services, not encryption services. Secrets Manager stores and rotates secrets, but it is not the service used to encrypt all application data at rest or TLS sessions in transit.

============

Amazon CloudFront uses a globally distributed network of edge locations that cache content close to users. When Outposts servers around the world download large software packages, CloudFront provides significantly reduced latency due to edge caching. This is the AWS-recommended solution for accelerating downloads of static files at scale and across global locations.

S3 Transfer Acceleration optimizes uploads and downloads to a single Region but does not provide edge caching. Multi-Region replication with failover does not reduce latency globally because requests still must reach the regional origins. Therefore, CloudFront with caching enabled is the correct design for improving download speed worldwide.

=====================================================

AWS Global Accelerator provides static anycast IP addresses that are announced from AWS edge locations. Traffic sent to these IPs is routed over the AWS global network to the nearest healthy endpoint (for example, an ALB or NLB) in any Region. Because clients connect to static IPs instead of DNS names that change, failover does not depend on DNS TTLs or client cache expiry, which avoids stale DNS entries.

You can register endpoints in multiple Regions and let Global Accelerator automatically fail over when health checks fail, all behind a single global endpoint.

CloudFront (Option A) is primarily for HTTP/HTTPS content caching and still uses DNS; it is not intended as a generic multi-Region failover solution for arbitrary applications.

Route 53 (Options B and D) relies on DNS; clients can cache DNS responses and may keep sending traffic to an unhealthy Region until TTLs expire, which does not meet the “avoid stale DNS client caches” requirement.

The correct approach is to attach anIAM roleto the EC2 instance profile and grant that role permission to read the secret fromAWS Secrets Manager. AWS documentation states that Secrets Manager uses IAM for authentication and authorization, and EC2 instance profiles are the supported mechanism for providing temporary credentials to applications running on EC2 instances. This avoids hardcoded credentials and removes the need for long-term access keys on the server. The other options either misuse IAM users, rely on the wrong access mechanism, or do not reflect how Secrets Manager permissions are normally granted to workloads.

============

BothAmazon KinesisandSQS FIFOqueues ensure the sequential processing of messages. By using the payment ID as the partition key in Kinesis or as the message group in the SQS FIFOqueue, messages are processed in order. Both solutions also allow for long-term retention (up to 10 days) of messages, making them suitable for this payment processing use case.

Option A (DynamoDB): DynamoDB does not guarantee message ordering for real-time processing.

Option C (ElastiCache): ElastiCache is for caching, not suitable for sequential message processing.

Option D (Standard SQS queue): A standard SQS queue does not guarantee ordering of messages.

AWS References:

Amazon Kinesis

Amazon SQS FIFO Queues

AWS Step Functions supports long-running workflows and error retries, making it ideal for a job composed of many tasks. Integration with EventBridge allows automatic triggering from S3 events. This setup is resilient and supports up to 1-year execution duration.

Amazon CloudWatch Container Insightsis designed for monitoring containerized environments like EKS. It provides native support for collecting and visualizing metrics and logs in a centralized location through CloudWatch dashboards, offering the most operationally efficient solution.

Option A:Using the CloudWatch agent provides basic metrics but lacks the specific insights required for containerized applications.

Option B:Kinesis Data Streams and Firehose add unnecessary complexity for this use case.

Option C:CloudTrail is for auditing API activity and is not designed for application metrics and log aggregation.

AWS Documentation References:

Amazon CloudWatch Container Insights

Application Load Balancer (ALB): ALB is suitable for routing HTTP/HTTPS traffic to the application servers. It provides advanced routing features and integrates well with Auto Scaling groups.

Target Group Configuration:

Create a target group for the application servers and register the Auto Scaling group with this target group.

Configure the ALB to forward requests from the web servers to the application servers.

Security Group Setup:

Configure the security group of the application servers to only allow traffic from the web servers ' security group.

This ensures that only the web servers can access the application servers, meeting the requirement to limit access.

Benefits:

Security: Using security groups to restrict access ensures a secure environment where only intended traffic is allowed.

Scalability: ALB works seamlessly with Auto Scaling groups, ensuring the application can handle varying loads efficiently.

Amazon RDS Proxy: RDS Proxy is a fully managed, highly available database proxy that makes applications more resilient to database failures by pooling and sharing connections, and it can automatically handle database failovers.

Reduced Failover Time: By using RDS Proxy, the connection management between the application and the database is improved, reducing failover times significantly. RDS Proxy maintains connections in a connection pool and reduces the time required to re-establish connections during a failover.

Configuration:

Create an RDS Proxy instance.

Configure the proxy to connect to the RDS for PostgreSQL DB instance.

Modify the application configuration to use the RDS Proxy endpoint instead of the direct database endpoint.

Operational Benefits: This solution provides high availability and reduces application timeouts during failovers with minimal changes to the application code.