Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

To handle temporary high workloads, Amazon RDS provisioned IOPS can be increased to meet the expected spike in database throughput.

Amazon EFS Elastic throughput mode is ideal for workloads with unpredictable or spiky traffic patterns. It automatically scales throughput based on the file system ' s size and activity, which is more effective than Bursting throughput during high sustained activity like a marketing campaign.

Multi-AZ improves availability but does not directly address performance. Migrating to PostgreSQL during a short campaign period introduces unnecessary complexity.

Amazon RDS Blue/Green Deploymentsis the best answer because AWS documents that it creates a synchronized staging environment from the production database so you canmake and test changesbefore switching traffic. AWS also specifically calls outmajor and minor engine version upgradesas a supported use case and notes that Blue/Green Deployments help reduce upgrade risk and minimize downtime. This is more operationally efficient than building a custom migration or relying only on snapshots and manual restore testing. Since the company wants a quick, low-overhead way to test the upgrade safely on critical data, Blue/Green Deployments is the strongest AWS-native solution.

============

To handle increased loads effectively, it ' s essential to implement Auto Scaling for both frontend and backend tiers:

Frontend Auto Scaling Group: Scaling based on incoming network traffic ensures that the application can handle increased user requests.

Backend Auto Scaling Group: Scaling based on the Amazon SQS queue backlog ensures that the backend can process messages as they arrive, preventing delays.

This approach allows each tier to scale independently based on its specific load, ensuring optimal resource utilization and performance.

Unpredictable Lambda traffic can create a “connection storm” against a relational database because each concurrent Lambda invocation may open its own database connection. Relational engines like PostgreSQL have finite connection capacity, and excessive connections can degrade performance, increase latency, and exhaust database resources. Amazon RDS Proxy is designed to address this by pooling and reusing database connections, multiplexing many application requests over a smaller number of established database connections. This helps keep database performance more predictable under spiky, highly concurrent workloads such as Lambda.

Because the database is a private RDS for PostgreSQL instance, the Lambda functions must run with network access to the VPC subnets and security groups that can reach the database and proxy. Therefore, deploying the Lambda functions inside a VPC and pointing the database client to the RDS Proxy endpoint is the correct operational pattern. RDS Proxy also provides benefits like improved failover behavior handling and centralizing credential management integration patterns (commonly with IAM authentication and/or Secrets Manager), further reducing operational risk.

Option A uses a custom endpoint, which does not solve the fundamental connection scaling problem; it’s not a connection pooler. Option C and D place Lambda outside the VPC, which will not work for a private database that has no public connectivity path. Even if connectivity were possible, D would still be incomplete because you’d need private networking to reach the proxy.

Therefore, B best meets the requirement by introducing managed connection pooling via RDS Proxy and ensuring private network reachability by running Lambda in the VPC.

AWS Fargate provides per-pod isolation for CPU, memory, storage, and networking, making it ideal for multi-tenant use cases.

AWS Documentation References:

EKS with Fargate

The key issue is repeated reads of identical data from an RDS MySQL database, which leads to unnecessary database load and degraded performance. The AWS-recommended solution for this pattern is to introduce an in-memory cache between the application and the database.

Amazon ElastiCache (Redis OSS) is purpose-built for caching frequently accessed data with microsecond-level latency. By caching identical query results, the backend EC2 instances can serve responses directly from memory instead of repeatedly querying the database. This significantly reduces read pressure on the RDS instance and improves overall application performance and scalability.

Option B is correct because Redis integrates cleanly with EC2-based applications and supports advanced caching patterns such as key expiration, eviction policies, and fine-grained control over cached objects. This approach also improves resilience during traffic spikes by offloading work from the database.

Option A is incorrect because SNS is a messaging service and does not cache or accelerate database queries. Option C is incorrect because DynamoDB Accelerator (DAX) works only with DynamoDB tables, not Amazon RDS. Option D is designed for streaming data ingestion and analytics, not for optimizing synchronous database access.

Therefore, B is the correct solution because it addresses the root cause of the performance problem by caching repeated database reads, following AWS best practices for high-performing application architectures.

The job runs for about 1 hour and must not be interrupted, so Lambda is not suitable because AWS Lambda has a maximum execution time of 15 minutes. Fargate Spot is also not appropriate because the workload explicitly cannot tolerate interruption. The most cost-effective remaining design is to run the Python script on an EC2 On-Demand instance only during the nightly processing window and automate instance start/stop around the schedule. That avoids paying for compute all day while preserving uninterrupted execution during the job. The Step Functions Express option is not the natural fit for a single long-running Python job of this type. Therefore, an EC2 instance scheduled to run only when needed is the most economical answer among the choices.

============

Using S3 gateway endpoints allows private and cost-free access to S3 without routing traffic through a NAT gateway. NAT gateway traffic incurs charges, especially when used across multiple Availability Zones.

By using an S3 gateway endpoint, EC2 instances in private subnets can access S3 directly without needing internet access, reducing both data transfer and NAT gateway costs.

Interface endpoints are more expensive and typically used for services like API Gateway or Systems Manager.

This workload has apredictable recurring traffic pattern, so the most operationally efficient solution isscheduled scalingin Amazon EC2 Auto Scaling. AWS documentation states that scheduled actions let you change desired capacity at specific times or on recurring schedules. That is a direct match for weekend peaks from 6 PM to 11 PM. EventBridge plus Lambda would work but adds unnecessary components. Target tracking is better for reactive scaling, while the question describes a predictable pattern that should be handled proactively. Therefore, a scheduled scaling action with recurrence is the best answer.

============

Using an Application Load Balancer (ALB) allows for integration with AWS WAF to inspect all incoming traffic. Running the application on Amazon ECS provides a scalable and managed container orchestration service. Utilizing Amazon Aurora Serverless for the PostgreSQL database offers automatic scaling based on application demand, which is cost-effective for workloads with variable traffic patterns, such as higher traffic on weekdays and lower traffic on weekends.

AWS Lambda is not a good fit here because AWS documents that a standard Lambda invocation can run forup to 15 minutes, while this workload can takeup to 30 minutes. That makes the Lambda-based answers unsuitable. AnSQS standard queueis a good match for decoupling uploads from processing and for allowing multiple jobs to run in parallel. Running the processors onAmazon ECS with AWS Fargateminimizes operational overhead because the company does not have to manage EC2 hosts. ECS service scaling can also be driven from queue-backed metrics, allowing the processing fleet to expand as the queue grows. Therefore, S3 notifications to SQS with Fargate-based processing is the most appropriate low-overhead design.

============

In Amazon EKS, Kubernetes stores objects such as Secrets in the cluster’s etcd key-value store. By default, Kubernetes Secrets are base64-encoded and are not automatically encrypted at the application object level unless encryption is configured. Amazon EKS provides a managed capability to encrypt Kubernetes Secrets at rest in etcd using AWS Key Management Service (KMS). The requirement explicitly states that “all secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store,” which maps directly to enabling EKS secrets encryption with a customer-managed KMS key.

Option B is exactly this: create a KMS key and enable EKS KMS secrets encryption on the cluster. With this enabled, EKS uses envelope encryption so that Secrets are encrypted when stored in etcd, and decrypt operations are controlled through KMS permissions. This is the standard, AWS-native method that fulfills the requirement without requiring application changes or external secret stores for the encryption-at-rest requirement in etcd.

Option A (Secrets Manager) is a strong service for secret lifecycle management and rotation, but it does not by itself guarantee that Kubernetes Secrets stored in etcd are encrypted unless EKS secrets encryption is also enabled or the cluster avoids storing secrets in etcd entirely. The question specifically targets etcd encryption. Option C is unrelated: the EBS CSI driver concerns persistent volumes, not etcd secret encryption. Option D concerns EBS volume encryption and a specific AWS-managed key alias used for EBS; it also does not address etcd encryption for Kubernetes Secrets.

Therefore, B is the correct solution because it directly enables encryption of Kubernetes Secrets within etcd using KMS.

For globally distributed consumers of REST APIs, API Gateway edge-optimized endpoints “route requests to the nearest CloudFront edge location, which then forwards them to your API in the [home] Region,” reducing latency for users worldwide and scaling automatically for unknown or spiky traffic. By contrast, Regional endpoints are intended for clients within the same or nearby Region and do not provide global edge acceleration. AWS Lambda provides automatic scaling for serverless backends; latency can be further reduced by right-sizing memory (which also increases CPU) and, when needed, enabling provisioned concurrency to keep functions initialized and eliminate cold starts for critical paths. Using NLBs across Regions is not serverless and adds operational complexity without CloudFront edge acceleration. Therefore, combining API Gateway edge-optimized REST APIs with Lambda meets the requirements of minimal global latency and unknown initial traffic.

For latency-sensitive, globally distributed applications such as online gaming, minimizing network latency between users and application endpoints is critical. AWS Global Accelerator is designed specifically for this purpose. It uses the AWS global network and Anycast IP addresses to route user traffic to the closest healthy endpoint, reducing latency and improving performance for users worldwide.

Option C is the best solution because Global Accelerator directs traffic over the AWS backbone network instead of the public internet, which significantly reduces jitter and latency. It also provides built-in health checks and automatic failover, improving availability as the service expands globally. Importantly, Global Accelerator works seamlessly with existing Application Load Balancers, allowing the company to enhance performance without redesigning the application stack.

Option A (CloudFront) is optimized for caching static and cacheable content and is not ideal for real-time, stateful gaming traffic. Option B adds unnecessary API abstraction and additional latency. Option D introduces regional duplication and DNS-based routing, which is slower to react to network conditions and does not provide the same low-latency routing as Global Accelerator.

Therefore, C meets the requirement for global expansion with the least possible latency while maintaining a simple and highly performant architecture.

Dead-letter queues (DLQs) with Amazon SQS allow Lambda functions to offload failed events for later inspection or retry. Using retry logic with exponential backoff ensures resilience and compliance with best practices for fault-tolerant serverless architectures. This guarantees no data is lost due to transient errors.

The best answer isAPI Gateway + SQS + DLQ + Lambdabecause it combines API ingestion with durable queuing and asynchronous processing. AWS guidance for event-driven serverless architectures specifically recommends usingAmazon SQSto decouple components and durably persist messages when downstream processing is slower or bursty. AWS also documents thatdead-letter queueshelp isolate messages that fail processing, which supports the requirement to avoid losing requests. API Gateway can integrate with AWS services, including SQS, to accept requests from mobile and web clients. The ALB options do not provide the same durable buffering, and the SNS option is less appropriate because the key requirement is loose coupling with durable request preservation. Therefore,Bis the strongest design. (AWS Documentation)

The Kubernetes Horizontal Pod Autoscaler (HPA) scales pods, not nodes. When the cluster runs out of node capacity, the HPA cannot schedule more pods.

On Amazon EKS, AWS recommends using the Kubernetes Cluster Autoscaler to automatically adjust the number of nodes in the cluster’s underlying Auto Scaling group based on pending pods.

Cluster Autoscaler watches for pods that cannot be scheduled because of insufficient resources and then scales out nodes automatically with minimal administrative overhead. It also scales in nodes when they are underutilized.

Why others are not correct:

A: Just tracking memory usage does not automatically scale nodes or integrate with Kubernetes scheduling.

C: A custom Lambda-based resizer is unnecessary undifferentiated heavy lifting compared to the native Cluster Autoscaler.

D: An Auto Scaling group is already typically used under EKS, but by itself it does not respond to pod scheduling pressure without Cluster Autoscaler.

Amazon FSx for Lustre: Lustre is a high-performance file system designed for workloads that require fast storage with sustained high throughput and low latency. It integrates with Amazon S3, making it suitable for HPC environments.

Persistent File Systems:

Persistent Storage: Suitable for long-term storage and recurrent use, providing durability and availability.

High Throughput and Low Latency: Persistent Lustre file systems can handle large amounts of data with sub-millisecond latency, meeting the needs of high-performance computing workloads.

Simultaneous Access: FSx for Lustre allows thousands of compute instances to access and process large datasets concurrently, ensuring that the high volume of data is handled efficiently.

Highly Available: FSx for Lustre is designed to provide high availability and is managed by AWS, reducing the operational burden.

AWS Lambda supports encrypting environment variables at rest using AWS KMS. You can use encryption helpers (or Lambda’s built-in support) to encrypt sensitive environment variable values using a KMS key. These encrypted variables are not visible in plaintext to developers, either in the console or when running the code.

AWS Documentation Extract:

" AWS Lambda automatically encrypts environment variables at rest. For additional security, you can use AWS KMS keys and encryption helpers to encrypt environment variables, ensuring they are never exposed in plaintext. "

(Source: AWS Lambda documentation, Environment Variables Security)

A: Does not address the issue (and adds more management overhead).

B, C: There is no native support for environment variable encryption via CloudHSM or ACM.