Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Setting the RDS backup retention policy to 30 days forautomated backupsthrough AWS Backup allows the company to retain backups cost-effectively. Manual backups, however, are notautomatically managed by RDS's retention policy, so they need to be manually deleted if they are older than 30 days to avoid unnecessary storage costs.

Key AWS features:

Automated Backups: Can be configured with a retention policy of up to 35 days, ensuring that older automated backups are deleted automatically.

Manual Backups: These are not subject to the automated retention policy and must be manually managed to avoid extra costs.

AWS Documentation: AWS recommends using backup retention policies for automated backups while manually managing manual backups​.

Why Option A is Correct:

ElastiCache for Redis: Provides persistent, scalable caching for in-progress transactions and SQL queries. Redis supports data durability and advanced features, making it suitable for transactional workloads.

Integration with Aurora: Easily integrates with the Aurora cluster to improve query performance.

Why Other Options Are Not Ideal:

Option B: CloudFront and S3 are unsuitable for transactional caching. EC2 instance store volumes are ephemeral and lack persistence.

Option C: Memcached does not offer persistence or advanced transactional support, unlike Redis.

Option D: Combining Redis with EC2 instance store is unnecessary; Redis alone meets all caching requirements.

AWS References:

Amazon ElastiCache:AWS Documentation - ElastiCache

AWS Backup supports cross-Region backup for Amazon EFS, allowing automated, scheduled backups and replication to another Region. This managed service simplifies backup management and ensures data resilience without the need for custom scripts or manual processes

Amazon Aurora Serverless v2 provides cost-effective, on-demand, and auto-scaling database capacity. You pay only for actual usage, making it ideal for development and test environments that are not used continuously. It supports PostgreSQL and is suitable for variable and short-duration workloads, minimizing costs when databases are idle.

AWS Documentation Extract:

“Amazon Aurora Serverless v2 automatically adjusts database capacity based on application needs, ideal for development and test environments with intermittent usage.”

(Source: Aurora Serverless v2 documentation)

B: RDS instances run and accrue charges even when idle.

C, D: Aurora clusters/global databases are overkill and incur higher costs for dev/test.

AWS Lake Formation natively supports fine-grained access control, including:

Row-level security

Cell/column-level security

These are implemented through data filters and Lake Formation permissions on governed tables and views. This allows you to centrally define which users or groups can access which rows and which columns, including sensitive data fields, with minimal custom code or maintenance.

Why others are incorrect:

A: IAM alone does not provide row-level or cell-level data security inside Lake Formation tables.

C and D: Using Lambda to scrub or periodically remove sensitive data is complex, error-prone, and high overhead compared to built-in Lake Formation data filters.

Correct Approach:

AWS Security Groups:

Security groups operate at the instance level, making them the ideal tool for controlling access to specific resources such as an Amazon RDS database.

By default, security groups deny all incoming traffic. You can allow access by explicitly specifying another security group.

Associating an RDS database security group with the EC2 instances' security group ensures only the specified EC2 instances can access the RDS database.

Incorrect Options Analysis:

Option A: Using CIDR blocks for IP-based access is less secure and more difficult to manage. Additionally, Auto Scaling groups dynamically allocate IP addresses, making this approach impractical.

Option B: Network ACLs (NACLs) operate at the subnet level and are stateless. While NACLs can deny or allow traffic, they are not suited to application-specific access control.

Option D: Similar to Option B, using a NACL with CIDR ranges for EC2 IPs is difficult to manage and not application-specific.

Aurora I/O-Optimized: This storage configuration is designed to provide consistent high performance for Aurora databases. It automatically scales IOPS as the workload increases, without needing to provision IOPS separately.

Cost-Effectiveness: With Aurora I/O-Optimized, you only pay for the storage and I/O you use, making it a cost-effective solution for applications with varying and unpredictable I/O demands.

Implementation:

During the creation of the Aurora PostgreSQL Serverless v2 cluster, select the I/O-Optimized storage configuration.

The storage system will automatically handle scaling and performance optimization based on the application load.

Operational Efficiency: This configuration reduces the need for manual tuning and ensures optimal performance without additional administrative overhead.

For short, frequent daily spikes (15–20 minutes), the most cost-effective scaling behavior typically comes from target tracking scaling driven by a request-based metric, because it continuously adjusts capacity to maintain a chosen target value rather than adding/removing capacity in coarse steps. Option D uses a custom CloudWatch metric representing the number of GET requests (sourced from ALB access logs, application instrumentation, or request counting logic) and applies target tracking so the Auto Scaling group scales out and in proportionally to demand. This helps avoid both under-provisioning (bad performance during spikes) and over-provisioning (wasted cost between spikes), which is exactly what cost-optimized elasticity aims for.

Option A (simple scaling) is usually less cost-efficient for bursty traffic because it relies on fixed adjustments and alarm thresholds, often with cooldowns. With 15–20 minute spikes, simple scaling can react too slowly, overshoot, or oscillate, leaving extra instances running after the spike or failing to ramp fast enough at the start. Option B (predictive scaling) is intended for regular, forecastable demand patterns, but it’s not always the most cost-effective choice for repeated short spikes because it can pre-scale conservatively and may require more historical data and tuning; it is often paired with dynamic scaling anyway. Option C uses UnhealthyHostCount, which is a health signal—not a demand signal—and scaling on unhealthy hosts can increase cost without addressing request volume; it may also mask underlying application issues rather than scaling to meet load.

Because the requirement explicitly allows standard or custom metrics and focuses on scaling based on request volume, D best matches a cost-efficient, responsive approach that directly tracks incoming workload.

Why Option B is Correct:

HTTP Proxy Integration: Passes XML requests directly to the application, which already supports XML.

JSON Conversion: An AWS Lambda function converts JSON requests to XML and calls the application.

API Gateway: Acts as a front end to handle JSON requests and integrates seamlessly with Lambda for the transformation process.

Why Other Options Are Not Ideal:

Option A: Suggests using API Gateway mappings to convert JSON to XML. API Gateway mapping templates are limited in functionality and are not ideal for complex transformations.

Option C and D: Use HTTP custom integration unnecessarily, which adds complexity without additional benefits.

AWS References:

Amazon API Gateway Integration:AWS Documentation - API Gateway Integration

AWS Lambda:AWS Documentation - Lambda

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

AWS Certificate Manager (ACM) issues and automatically renews public TLS certificates used by Amazon CloudFront. With DNS validation, ACM creates CNAME records that prove domain control; once validated, renewals occur automatically without manual approval, providing the lowest operational effort. For CloudFront, ACM certificates must be in the US East (N. Virginia) Region. CloudFront security policies (A) configure protocol/cipher requirements, not certificate issuance. OAC (B) secures origin access and is unrelated to certificate management. Email validation (D) requires mailbox approvals and operational handling at issuance/renewal, which is less efficient than DNS validation. Thus, ACM with DNS validation delivers automated creation and renewal with minimal overhead.

Amazon Macieis purpose-built for detecting PII in S3.

Option Auses EventBridge to filter SensitiveData findings and notify via SNS, meeting the requirements.

Options B and Dinvolve GuardDuty, which is not designed for PII detection.

Option Cuses SQS, which is less suitable for immediate notifications.

D is the best match because AWS Lambda is a serverless compute service that runs code without provisioning or managing servers, which directly aligns with the requirement for minimal infrastructure and minimal operational support. Lambda supports Python runtimes, so the team can deploy the selected component as a microservice using the same language. For workloads with hundreds of requests per second, Lambda is designed to handle request-driven execution and automatically scales by running more concurrent instances of the function in response to incoming traffic, without the customer needing to pre-size or manage capacity.

The other options introduce significantly more operational responsibility. Option A still requires managing EC2 instances (AMI lifecycle, patching, capacity planning, scaling policies) and Spot interruptions can add complexity for a web microservice test. Option B (Elastic Beanstalk) reduces some management overhead but still relies on underlying instances and environment management (platform updates, scaling configuration, health monitoring), and it is not a serverless model. Option C (EKS with self-managed nodes) has the highest operational burden here: cluster and node management, scaling node groups, patching, and Kubernetes operations—this conflicts with “minimal operational support.”

Lambda fits the serverless microservices goal: deploy code as small independent services, integrate with other managed services (commonly API-driven invocation patterns), and rely on AWS-managed scaling and availability mechanisms rather than administering fleets or clusters.

Amazon S3 uses gateway VPC endpoints, which enable private, secure access to S3 without traversing the internet, compatible with IPv6.

Amazon DynamoDB uses interface VPC endpoints (powered by AWS PrivateLink) for private connectivity within the VPC.

Therefore, for secure private communication without public internet, the correct solution is to implement a gateway VPC endpoint for S3 and an interface VPC endpoint for DynamoDB.

Option B is incorrect because S3 does not support interface endpoints; Option C is incorrect because DynamoDB does not support gateway endpoints. Option D reverses the correct endpoint types.

Explanation (AWS Docs):

To allow private subnets to access the internet, deploy NAT gateways in a public subnet in each AZ for high availability. NAT instances are less scalable and less fault-tolerant.

“To create a highly available architecture, create a NAT gateway in each Availability Zone and configure your routing to use it.”

— NAT Gateway Overview