Free Amazon Web Services SAA-C03 Practice Exam with Questions & Answers | Set: 11

Given the large size (180 TB) of the database and the time constraint,AWS Snowball Edge Storage Optimizedis the best solution. Snowball Edge allows for the physical transfer of large datasets to AWS efficiently without relying on slow internet connections.AWS DMSandSCTcan be used to perform ongoing replication of any changes made during the migration, ensuring minimal downtime.

Option B (VPN): Using a 100 Mbps internet connection would take far too long to transfer 180 TB.

Option C (Direct Connect): Establishing a 10 Gbps Direct Connect link might not be feasible within the 2-week timeframe.

Option D (DataSync over internet): With the existing internet connection, DataSync would also take too long.

AWS References:

AWS Snowball Edge

AWS DMS

The company is looking for a solution that provides single sign-on (SSO) across multiple AWS accounts while continuing to manage users and groups in their on-premises Active Directory (AD). AWS IAM Identity Center (formerly AWS SSO) is the recommended solution for this type of requirement.

AWS IAM Identity Centerprovides a centralized identity management solution, enabling single sign-on across multiple AWS accounts and other cloud applications. It can integrate with on-premises Active Directory to leverage existing users and groups.

By configuring a two-way forest trust relationship between AWS Directory Service for Microsoft Active Directory and the company's on-premises Active Directory, users can be authenticated by their on-premises AD and still access AWS resources through IAM Identity Center. This solution allows centralized management of AWS accounts within AWS Organizations.

The two-way trust allows mutual access between the on-premises AD and the AWS Directory Service. This means that users and groups in the on-premises AD can be used for authentication in AWS IAM Identity Center while maintaining the existing identity management system.

AWS References:

AWS IAM Identity Center Documentation

AWS Directory Service for Microsoft Active Directory Trust Relationships

AWS Directory Service Integration with IAM Identity Center

Why the other options are incorrect:

A. Create an Enterprise Edition Active Directory in AWS Directory Service: This would require setting up a new directory and managing it in AWS, which adds unnecessary overhead. The requirement is to continue using the existing on-premises AD, making this option unsuitable.

C. Use AWS Directory Service and create a two-way trust relationship: While this approach establishes a trust between on-premises AD and AWS Directory Service, it does not address the single sign-on (SSO) requirements across multiple AWS accounts through IAM Identity Center.

D. Deploy an identity provider (IdP) on Amazon EC2: This is more complex than necessary and introduces more management overhead. AWS IAM Identity Center natively supports integration with on-premises Active Directory without requiring a custom IdP.

AWS Glue Crawler: AWS Glue is a fully managed ETL (Extract, Transform, Load) service that makes it easy to prepare and load data for analytics. A Glue crawler can automatically discover new data and schema in Amazon S3, making it easy to keep the data catalog up-to-date.

Crawling the Data:

Set up an AWS Glue crawler to scan the S3 bucket containing the clickstream data.

The crawler will automatically detect the schema and create/update the tables in the AWS Glue Data Catalog.

Amazon Athena:

Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

Once the data catalog is updated by the Glue crawler, use Athena to query the clickstream data directly in S3.

Operational Efficiency: This solution leverages fully managed services, reducing operational overhead. Glue crawlers automate data cataloging, and Athena provides a serverless, pay-per-query model for quick data analysis without the need to set up or manage infrastructure.

To handle temporary high workloads, Amazon RDS provisioned IOPS can be increased to meet the expected spike in database throughput.

Amazon EFS Elastic throughput mode is ideal for workloads with unpredictable or spiky traffic patterns. It automatically scales throughput based on the file system's size and activity, which is more effective than Bursting throughput during high sustained activity like a marketing campaign.

Multi-AZ improves availability but does not directly address performance. Migrating to PostgreSQL during a short campaign period introduces unnecessary complexity.

A VPC gateway endpoint for Amazon S3 enables private connectivity to S3 without routing traffic through a NAT gateway or over the internet, eliminating NAT gateway costs. This solution is secure and redundant, as S3 endpoints are highly available by design.

AWS Documentation Extract:

"A gateway VPC endpoint enables you to privately connect your VPC to supported AWS services without requiring a NAT gateway or internet gateway."

(Source: Amazon VPC documentation, Gateway Endpoints)

A: NAT instances still incur operational overhead and costs.

B: Internet gateway exposes resources and does not provide private access.

D: Direct Connect is for hybrid networking, not for cost-efficient S3 access.

To send data privately from on-premises to S3 buckets across multiple AWS accounts:

A: Using AWS Direct Connect with a private virtual interface (VIF) enables private connectivity from on-premises into the VPC.

E: After establishing the central VPC in a networking account, use VPC peering to allow access to S3 buckets across multiple AWS accounts.

“Direct Connect private virtual interface (VIF) allows private IP connectivity to VPC resources.”

“VPC Peering enables routing of traffic between VPCs using private IP addresses.”

— AWS Direct Connect Documentation

— VPC Peering Guide

Why not others:

B: Public VIF sends traffic over public AWS services—not fully private.

C: Interface endpoint is useful within a single account/VPC context.

D: Gateway endpoint doesn't solve inter-account routing.

Amazon S3 Intelligent-Tiering automatically moves objects between frequent and infrequent access tiers based on access patterns, which minimizes cost without performance impact. Storing photo metadata in Amazon DynamoDB provides fast and scalable lookup by user or tag.

From AWS Documentation:

“The S3 Intelligent-Tiering storage class automatically optimizes storage costs by moving data between frequent and infrequent access tiers when access patterns change.”

(Source: Amazon S3 User Guide – Intelligent-Tiering)

Why B is correct:

S3 Intelligent-Tiering optimizes storage automatically for cost without lifecycle management overhead.

DynamoDB stores small metadata items and S3 URLs, enabling efficient queries and photo lookups.

This architecture scales globally, integrates seamlessly with applications, and minimizes operational cost.

Why other options are incorrect:

A & D: DynamoDB is not intended for storing binary objects like images.

C: Lifecycle rules are static and don’t adapt dynamically to unpredictable access patterns.

Using SQS as a buffer between S3 and the Lambda function ensures durability and allows for retries in case of processing failures. Messages in the queue can be retried by Lambda, and failed processing can be directed to a dead-letter queue for further inspection. This guarantees reliable and scalable message-driven processing.

The SELECT INTO OUTFILE S3 feature allows you to export Amazon Aurora MySQL data directly to Amazon S3 with minimal operational overhead. This method is efficient and cost-effective for archiving historical data.

You can configure S3 Lifecycle rules to transition the exported data to lower-cost storage (e.g., S3 Glacier or S3 Standard-IA) and eventually delete it after 5 years.

No need for additional ETL tools like Glue or DataBrew unless complex transformations are required.

EC2 instances in private subnets cannot access the internet unless there is a NAT gateway or a NAT instance configured.

“To enable instances in a private subnet to connect to the internet or other AWS services, you can use a NAT gateway or NAT instance.”

— NAT Gateways – Amazon VPC

In this use case:

EC2 instances are in private subnets

They need to call external APIs (internet access)

The most operationally efficient and secure method is to place a NAT Gateway in a public subnet and update the route table for private subnets to route internet-bound traffic through it.

Incorrect Options:

A: Private subnets don’t support public IPs.

C: VPC peering doesn’t help reach the public internet.

D: Interface endpoints are for private connectivity to AWS services, not external APIs.

AWS Storage Gateway stored volume gateway is designed for use cases where:

The primary data set remains on premises.

You want to maintain full local access to data with low latency.

You need asynchronous, secure replication and backup to AWS.

With stored volumes, you:

Map gateway storage volumes to local on-premises disks.

Present these volumes as iSCSI block devices to on-prem systems.

Storage Gateway then asynchronously backs up snapshots to Amazon S3, providing secure, durable offsite backup automatically.

Cached volume gateway (Option C) keeps the primary copy in AWS and only a subset cached locally, which does not meet the requirement to maintain full local access to all data.

Snowball and Snowball Edge (Options A and B) are primarily for bulk, one-time or periodic offline data transfer and do not provide an ongoing backup solution with continuous local access.

Amazon Kinesis allows real-time ingestion of game events at scale, while Amazon DynamoDB provides millisecond-latency access to user data, automatically scaling with demand. This combination ensures real-time processing and fast data retrieval without managing infrastructure.

Amazon CloudFront is a content delivery network (CDN) service that distributes content with low latency and high transfer speeds. Placing CloudFront in front of the S3 bucket ensures globalusers download content from the nearest edge location, reducing latency significantly.

The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.

AWS Lake Formation supports tag-based access control (TBAC) using LF-tags (Lake Formation tags), which allows you to assign tags to tables, columns, and databases. You can then define permissions on resources by specifying tags rather than managing permissions for individual resources. This approach is highly scalable and efficient when dealing with a growing number of tables and columns. By associating IAM roles to departments and granting access based on LF-tags, you dramatically reduce the operational burden as new tables or columns are added; you only need to assign the appropriate tags.

Amazon Athena can directly query data in S3 with Lake Formation providing fine-grained access control.

AWS Documentation Extract:

"With LF-tag-based access control, you can grant permissions to resources based on tags, making it easy to manage access at scale, especially in environments with large and dynamic numbers of resources."

"LF-tags provide a scalable way to manage permissions for large numbers of resources without having to define permissions individually for each table or column."

(Source: AWS Lake Formation documentation, Access Control, Tag-Based Access Control)

Other options:

A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.

B & D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.