Free Amazon Web Services SAA-C03 Practice Exam with Questions & Answers | Set: 11

AWS Compute Optimizerprovides detailed recommendations for optimizingAmazon EBS volumes, including insights into underutilized volumes, inefficient configurations, and potential cost savings. It analyzes usage patterns and provides recommendations based on historical data, making it the ideal tool for this use case.

Option A (Amazon Inspector): Amazon Inspector is for security assessments, not for cost optimization.

Option B (Systems Manager): Systems Manager does not specifically provide EBS optimization recommendations.

Option C (CloudWatch): CloudWatch metrics help monitor usage but do not offer optimization recommendations like Compute Optimizer.

AWS References:

AWS Compute Optimizer

This architecture uses ALB for routing, Auto Scaling for elasticity, SQS to buffer unprocessed orders and decouple services, and RDS Multi-AZ for high availability and durability of transactional data. This ensures resilience and fault tolerance even during traffic spikes.

Amazon DynamoDB supports both TTL (Time to Live) for automatic deletion and Point-in-Time Recovery (PITR) for backup and restore of table data. It's ideal for frequently updated data with short retention requirements and minimal operational overhead.

TTL attribute ensures expired items are automatically removed.

PITR enables recovery from accidental deletes or application errors.

AWS Key Management Service (AWS KMS) supports multi-Region keys, which are managed customer master keys that can be replicated to multiple Regions and treated as a single logical key. This allows applications in different Regions to encrypt and decrypt data using equivalent keys while AWS handles key replication, durability, and availability.

KMS is a fully managed key service, so the company does not need to operate hardware or manage low-level key storage. Tags combined with attribute-based access control (ABAC) let you enforce fine-grained access to keys by using IAM policies and condition keys, giving centralized and flexible access control with low operational overhead.

CloudHSM (Options C and D) requires managing HSM clusters, scaling, backups, and manual key operations, which significantly increases operational burden. Importing key material in KMS (Option B) adds lifecycle complexity and is unnecessary when native multi-Region keys exist.

Amazon Kinesis Data Streams is designed for low-latency ingestion of streaming data. Combined with Amazon Managed Service for Apache Flink, telemetry can be processed and aggregated in near real time. Processed metrics can be sent to Amazon CloudWatch, which natively supports creating dashboards, metrics visualization, and alarms. Firehose (B) is primarily for batch ingestion and delivery, not real-time analytics. EMR with Athena (C) introduces more complexity and is better for large-scale offline analytics. DynamoDB Streams (D) is not a fit because telemetry data is not stored in DynamoDB. Therefore, option A provides the most suitable and real-time analytics pipeline for telemetry data.

IAM Access Analyzer analyzes permissions granted using policies to determine what resources are shared with an external entity, and helps identify excessive permissions or least privilege violations across all accounts in an AWS Organization. It is specifically designed for reviewing and refining IAM permissions with minimal administrative effort.

AWS Documentation Extract:

“IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. You can also use Access Analyzer policy checks to refine permissions and implement least privilege.”

(Source: IAM Access Analyzer documentation)

A: Network Access Analyzer is for VPC network access analysis, not IAM permissions.

B: CloudWatch alarms are not suitable for detailed permission analysis.

D: Amazon Inspector is for security vulnerability assessment, not IAM policy review.

When AWS workloads must resolve DNS names from on-premises systems over a hybrid network (like VPN or Direct Connect), the best solution is to use Amazon Route 53 Resolver outbound endpoints.

The outbound endpoint enables DNS queries to be forwarded from your VPC to on-premises DNS servers.

You must also configure a Route 53 Resolver forwarding rule to define which domain names (e.g., corp.internal) should be forwarded to the specific on-premises DNS IPs.

This setup allows private DNS resolution from AWS to on-premises systems and is fully managed, eliminating the need to run and maintain EC2-based DNS proxies (as in option A).

Options C and D are incorrect:

C is not DNS-specific and doesn’t solve name resolution.

D misuses a public hosted zone for a private DNS domain.

???? Reference:

Route 53 Resolver Outbound Endpoints

Amazon RDS Proxy is a fully managed database proxy for RDS that makes applications more scalable, more resilient to database failures, and more secure. RDS Proxy pools and shares database connections, allowing applications to open and close connections as needed without overwhelming the database. This is the recommended solution when the application cannot be modified to use connection pooling itself.

AWS Documentation Extract:

"Amazon RDS Proxy helps manage database connections to improve application scalability and performance. It pools connections and shares them among application clients, which can mitigate issues caused by opening and closing many database connections."

(Source: Amazon RDS Proxy documentation)

A: Upgrading the instance does not solve connection inefficiency and can be cost-ineffective.

B: Increasing IOPS only helps if storage is a bottleneck, not if connections are the issue.

D: Multi-AZ improves availability, not connection management.

Amazon RDSBlue/Green Deploymentsis the ideal solution for upgrading the database version with minimal operational overhead and no data loss. Blue/Green Deployments allows you to create a separate, fully managed "green" environment with the upgraded database version. You can test the new version in the green environment while the "blue" environment continuesserving production traffic. Once testing is complete, you can seamlessly switch traffic to the green environment without downtime.

This solution provides:

Fast, non-disruptive upgrade: Traffic is only switched to the new environment after testing, ensuring zero data loss.

Minimal operational overhead: AWS handles the infrastructure management, reducing manual intervention.

Option A (Manual snapshot): This requires manual intervention and involves more operational overhead.

Option B (Native backup/restore): This approach is more labor-intensive and slower than Blue/Green Deployments.

Option C (DMS): AWS DMS adds unnecessary complexity for a simple version upgrade when Blue/Green Deployments can handle the task more efficiently.

AWS References:

Amazon RDS Blue/Green Deployments

To optimize costs for both Amazon EC2 and AWS Fargate, the best option is a Compute Savings Plan because it offers flexibility across instance families, Regions, and compute options including EC2, AWS Fargate, and AWS Lambda.

Unlike EC2 Instance Savings Plans, which apply only to specific instance families, Compute Savings Plans apply across multiple services.

Since the company does not want to commit to multi-year contracts or large upfront payments, the 1-year No Upfront Compute Savings Plan provides the greatest flexibility with no upfront capital commitment, while still offering cost savings over On-Demand pricing.

This option also aligns with cost-optimization best practices by allowing for scalability and service mix flexibility.

???? Reference:

AWS Compute Savings Plans

AWS Pricing Models

To restrict S3 access to a specific VPC, AWS documentation specifies using a Deny policy with aws:SourceVpc for all unmatched VPCs:

Deny if aws:SourceVpc != vpc-11aabb22

This ensures only that VPC can reach the bucket via a VPC endpoint.

Allow policies (Options B and C) are incorrectly structured or use the wrong condition logic.

Option D limits by account, not VPC, and does not enforce VPC-level access.

=====================================================

This question focuses on scalability, operational overhead, and performance during unpredictable workloads.

API Gateway + AWS Lambda enables serverless compute, which scales automatically based on the number of requests. It requires no provisioning, maintenance, or patching of servers — eliminating operational overhead.

Amazon DynamoDB is a fully managed NoSQL database optimized for high-throughput workloads with single-digit millisecond latency.

Amazon S3 is designed for high availability and durability, and is ideal for storing unstructured content such as user-uploaded images.

By leveraging these fully managed and scalable services, the architecture meets the requirement of supporting rapid user growth while minimizing operational complexity. This solution aligns with the Performance Efficiency and Operational Excellence pillars in the AWS Well-Architected Framework.

???? References:

Serverless Web Application Architecture

Using DynamoDB with Lambda

Best Practices for API Gateway

Amazon S3 is designed for durability, scalability, and millisecond access. For small monthly data volumes (300 MB), S3 Standard is cost-effective and provides immediate access. To meet 30-day retention, Lifecycle policies can automatically expire objects after the required time. For disaster recovery, S3 Cross-Region Replication (CRR) copies objects across Regions to a backup bucket, ensuring data resiliency. OpenSearch (A) is not needed because the requirement is storage and retrieval, not indexing. Aurora or RDS options (C, D) add unnecessary complexity and cost, as a relational database is not required for JSON storage and millisecond retrieval. Therefore, option B provides the simplest, most resilient, and cost-optimized solution.

Amazon RDS supports encryption at rest by using AWS KMS keys backed by AWS CloudHSM. This allows use of dedicated FIPS 140-2 Level 3 validated hardware modules to manage encryption keys, meeting compliance for sensitive data such as PII.

From AWS Documentation:

“You can use AWS KMS with keys that are backed by AWS CloudHSM to control the encryption of RDS databases. This provides dedicated HSM-backed key storage and management.”

(Source: Amazon RDS User Guide – Encrypting Amazon RDS Resources)

Why B is correct:

Meets the requirement for dedicated HSM hardware.

Fully integrates with RDS for transparent encryption at rest.

Satisfies compliance standards for healthcare and regulated data.

Why others are incorrect:

A: Keys in CloudHSM directly are not used by RDS; they must be managed through KMS integration.

C: EC2 instance stores are ephemeral, not suitable for RDS databases.

D: SSE-S3 applies to S3 objects, not databases.