Amazon Web Services SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

Amazon EFS allows automatic transitions to Infrequent Access (IA) and back to Standard when accessed again using the lifecycle policy.

By specifying the bursting throughput mode, throughput scales automatically with file system size.

“With EFS Lifecycle Management, you can automatically move files to EFS Infrequent Access storage and automatically return them to Standard storage when accessed.”

“The Bursting Throughput mode scales with your file system size.”

— Amazon EFS Lifecycle Management

This option matches all requirements:

Auto transition to IA after 30 days.

Auto transition back to Standard on access.

Bursting throughput for scaling with file system size.

Requirement Analysis: Need secure, direct connectivity from an on-premises client to an RDS cluster, accessible only when in the office.

VPC with Private Subnets: Ensures the RDS cluster is not publicly accessible, enhancing security.

Site-to-Site VPN: Provides secure, encrypted connection between on-premises office and AWS VPC.

Implementation:

Create a VPC with two private subnets.

Launch the RDS cluster in the private subnets.

Set up a Site-to-Site VPN connection with a customer gateway in the office.

Conclusion: This setup ensures secure and direct connectivity with minimal exposure, meeting the requirement for secure access from the office.

References

AWS Site-to-Site VPN:AWS Site-to-Site VPN Documentation

Amazon RDS:Amazon RDS Documentation

Securing the root user account requires setting a strong password and enabling multi-factor authentication (MFA). AWS recommends never sharing the root user credentials, setting up individual IAM users for everyday operations, and always protecting the root user with MFA for maximum security.

Reference Extract:

" AWS recommends securing the root user with a strong password and enabling multi-factor authentication (MFA). Do not use or share root credentials for everyday tasks. "

Source: AWS Certified Solutions Architect – Official Study Guide, IAM and Security Best Practices section.

AWS Transit Gateway is purpose-built for large-scale, hub-and-spoke network architectures. It simplifies connectivity between multiple VPCs and on-premises environments, which is ideal for managing hundreds of VPCs.

“AWS Transit Gateway enables you to connect your VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships.”

— Transit Gateway Documentation

Features:

Scales to thousands of VPCs.

Integrates with AWS Direct Connect via Direct Connect Gateway.

Centralized routing control.

Incorrect Options:

A: VPC endpoints are for private access to AWS services—not VPC-to-VPC connectivity.

C: Route 53 is DNS, not a network transport layer.

D: Secrets Manager is for secret storage, not networking.

AWS Secrets Manager is a fully managed service specifically designed to securely store and automatically rotate database credentials, API keys, and other secrets. Secrets Manager provides built-in integration with Amazon RDS for automatic credential rotation on a configurable schedule without requiring downtime. It also manages the secure distribution of the credentials to authorized services, such as your web servers, using IAM policies. Manual solutions (S3, files, cron jobs) do not provide the same level of automation, audit, or security.

Reference Extract from AWS Documentation / Study Guide:

" AWS Secrets Manager enables you to rotate, manage, and retrieve database credentials securely. It supports automatic rotation of secrets for supported AWS databases without requiring application downtime. "

Source: AWS Certified Solutions Architect – Official Study Guide, Security and Secrets Management section.

As the number of VPCs grows, managing individual VPC connections becomes complex and unscalable. AWS Transit Gateway is specifically designed to act as a central hub that connects multiple VPCs and on-premises networks through Direct Connect.

Option B simplifies network architecture by allowing hundreds or thousands of VPCs to connect through a single gateway, reducing routing complexity and operational overhead. Transit Gateway supports scalable routing, centralized inspection, and simplified expansion.

The other options do not address network connectivity or scaling challenges. Therefore, B is the correct solution.

AWS DataSync provides a fully managed, secure, and high-performance service for transferring large amounts of data between on-premises storage and Amazon S3. It uses TLS encryption in transit and automates data validation, scheduling, and monitoring.

From AWS Documentation:

“AWS DataSync securely and efficiently transfers large amounts of data online between on-premises storage and AWS services. All data is encrypted in transit using TLS.”

(Source: AWS DataSync User Guide – How DataSync Works)

Why B is correct:

Encrypts all data in transit automatically.

Optimized for high-throughput WAN environments (100 Mbps to multi-Gbps).

Fully managed, with no need to provision additional infrastructure.

Integrates natively with S3 and supports incremental syncs.

Why others are incorrect:

A: DMS is designed for database migration, not unstructured data.

C: Snowball is for offline migrations, not needed given available connectivity.

D: Direct Connect is costly for temporary data transfers and unnecessary here.

To meet the requirements for tagging and preventing instance creation or deletion without proper tags, the company can use a combination of AWS Organizations tag policies and service control policies (SCPs).

Tag Policies: These enforce specific tag values across resources. Creating a tag policy with required values (e.g., sensitive, non-sensitive) and attaching it to the appropriate organizational unit (OU) ensures consistency in tagging.

SCPs: SCPs can be used to enforce compliance by preventing instance creation without a tag and preventing tag deletion. These policies control actions at the account level across the organization.

Key AWS features:

Tag Policieshelp standardize tags across accounts, andSCPsenforce governance by restricting actions that violate the policies.

AWS Documentation: AWS best practices recommend using tag policies and SCPs to enforce compliance across multiple accounts within AWS Organizations​.

AWS Lake Formationis designed for managing fine-grained access control to data in an efficient manner:

Granular Permissions: Lake Formation allows column-level, row-level, and table-level access controls, which can precisely define access to PII data.

Integration with AWS Glue Catalog: Lake Formation natively integrates with AWS Glue for seamless data cataloging and access control.

Operational Efficiency: Centralized access control policies minimize the need for separate IAM roles or policies.

Why Other Options Are Not Ideal:

Option A:

Creating multiple IAM policies introduces complexity and lacks column-level access control.Not efficient.

Option B:

Managing multiple IAM roles for granular access is operationally complex.Not efficient.

Option D:

Creating views in Glue adds unnecessary complexity and may not provide the level of granularity that Lake Formation offers.Not the best choice.

AWS References:

AWS Lake Formation:AWS Documentation - Lake Formation

Fine-Grained Permissions with Lake Formation:AWS Documentation - Fine-Grained Permissions

AWS Secrets Manager natively supports automatic rotation of RDS for Oracle credentials, fully integrating with Amazon RDS. Rotation workflows are managed automatically by the service, eliminating custom scripting and reducing operational effort.

Migrating to EC2 (Option C) requires custom rotation logic. Converting to DynamoDB or Neptune (Options A and D) would require complete database redesign and do not fulfill the requirement to run Oracle.

According to the AWS Well-Architected Framework – Security Pillar and the AWS Identity and Access Management (IAM) User Guide, the root user account in an AWS account is extremely powerful and should be protected with strict security measures.

From AWS documentation:

“We recommend that you not use the root user for everyday tasks, even administrative ones. Instead, create IAM users and grant them only the permissions they need. To help protect your AWS account, enable multi-factor authentication (MFA) for the root user.”

(Source: AWS Identity and Access Management User Guide – Securing the Root User)

The correct and recommended action is to create IAM users with specific permissions for daily operations and enable MFA on the root user to provide an additional layer of security. The root user cannot be disabled, so Option A is technically incorrect. AWS also explicitly advises against using root access keys (Option C) or sharing root credentials (Option D), both of which violate the principle of least privilege.

Best practices summarized from AWS official documentation:

Do not use root user for routine tasks

Enable MFA for root user immediately

Create individual IAM users and assign least privilege

Avoid creating or using root user access keys

These recommendations are foundational to securing any new AWS account and are consistently emphasized in the AWS Certified Solutions Architect – Official Study Guide and the AWS Security Best Practices whitepaper.

AWS Transfer Family (SFTP) allows clients to use standard SFTP clients and SSH keys without changes. By enabling service-managed users, clients can continue uploading files with their existing tools.

The service delivers the files directly into S3, reducing latency between upload and processing. This removes the need for EC2, custom scripts, and periodic transfers. It fully meets the requirement for a managed solution with minimal disruption to client processes.

When on-premises DNS servers need to resolve private DNS names in a VPC, the correct pattern is to create a Route 53 Resolver inbound endpoint. The inbound endpoint allows DNS queries to flow from the on-premises environment into the VPC, where Route 53 can resolve VPC-specific names (such as private hosted zones or private resource records). Outbound endpoints (C) are for sending VPC DNS queries to on-premises, not the reverse. Verified Access (A) is unrelated to DNS resolution. Direct Connect (B) provides network connectivity but does not provide DNS forwarding capabilities. Therefore, option D is the correct design.

The requirement is for immediate processing of uploaded videos and prompt notification to users. According to AWS best practices for event-driven architectures, using S3 event notifications to trigger a Lambda function upon an object creation (upload) is the optimal solution for real-time processing. Lambda can process the file as soon as it is uploaded, ensuring low latency. Once processing is complete, Lambda can save the processed file back to S3 and use Amazon SNS to notify the user.

This approach uses managed services with minimal operational overhead, is scalable, and ensures event-driven processing with instant user feedback. AWS Amplify primarily facilitates application development and hosting but does not natively provide direct push notification support for this backend workflow; instead, SNS is designed for such notification scenarios.

Reference Extract from AWS Documentation / Study Guide:

" Amazon S3 can publish events to AWS Lambda when objects are created. AWS Lambda runs code in response to events and can interact with other AWS services. Amazon SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients. "

Source: AWS Certified Solutions Architect – Official Study Guide, Event-driven Architectures section; AWS Lambda Developer Guide (S3 triggers); Amazon SNS User Guide.