SAA-C03 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

Because the workload follows apredictable business-hours schedule, the lowest-overhead solution is to usescheduled scalingwith EC2 Auto Scaling. AWS documentation states that scheduled actions let you scale an Auto Scaling group at specific times or on recurring schedules by changing desired, minimum, and maximum capacity. That directly matches a workload that needs instances during business hours and not at night. Manual start and stop actions add operational work, Spot Instances risk interruptions during business hours, and sizing for maximum load with Reserved Instances would overpay for idle time. Scheduled scaling automates the exact time-based pattern the question describes.

============

Amazon Aurora PostgreSQL with Babelfish allows SQL Server applications to run directly on Aurora PostgreSQL with minimal code changes. Babelfish adds a SQL Server-compatible endpoint, significantly lowering costs compared to running licensed SQL Server instances on RDS or EC2.

AWS Documentation Extract:

“Babelfish for Aurora PostgreSQL enables Aurora to understand T-SQL and SQL Server wire protocol, allowing you to run SQL Server applications on Amazon Aurora PostgreSQL with lower costs.”

(Source: Babelfish for Aurora PostgreSQL documentation)

A, D: SQL Server on EC2 or RDS incurs high Microsoft licensing costs.

C: Plain PostgreSQL would require more code refactoring than Babelfish.

The most secure and manageable way to provide developers with temporary, least-privilege access is by using AWS IAM Identity Center (formerly AWS SSO). IAM Identity Center allows assigning IAM roles with scoped permissions based on the developer’s team role. This ensures no permanent credentials are required and minimizes risk.

Option B enables role-based access with centralized identity and access management, making it the most secure and scalable solution for managing developer permissions.

AWS Compute Optimizerprovides detailed recommendations for optimizingAmazon EBS volumes, including insights into underutilized volumes, inefficient configurations, and potential cost savings. It analyzes usage patterns and provides recommendations based on historical data, making it the ideal tool for this use case.

Option A (Amazon Inspector): Amazon Inspector is for security assessments, not for cost optimization.

Option B (Systems Manager): Systems Manager does not specifically provide EBS optimization recommendations.

Option C (CloudWatch): CloudWatch metrics help monitor usage but do not offer optimization recommendations like Compute Optimizer.

AWS References:

AWS Compute Optimizer

Protecting an application from layer 7 (application layer) DDoS attacks is best achieved by using AWS WAF (Web Application Firewall), which provides customizable protection against common web exploits including DDoS attacks at the application layer. AWS WAF supports managed rule groups maintained by AWS, which offer robust, tested protections against OWASP top 10 vulnerabilities and common attack patterns without requiring extensive manual rule creation.

While AWS Shield Standard provides basic network-layer DDoS protection automatically at no additional charge, it does not offer application-layer filtering capabilities. Therefore, option A alone is insufficient.

Option B, involving only custom rules, requires significant operational overhead and expertise, whereas AWS managed rules offer a turnkey solution with ongoing updates from AWS security teams.

Option D, using CloudFront in front of the ALB, can provide additional protection benefits such as caching and geographic restrictions, but the question specifically asks for protecting against layer 7 DDoS on the ALB directly. CloudFront plus WAF is a valid enhanced solution, but the direct and recommended answer in AWS official documents is to use AWS WAF managed rules directly with ALB for application-level protection.

The correct answer isProvisioned IOPS SSD io2 Block Express. AWS documents that io2 Block Express is recommended for I/O-intensive, latency-sensitive workloads and is designed for consistent sub-millisecond latency with very high IOPS limits. AWS also notes that many instance types can achieve up to32,000 IOPS, which matches the baseline requirement in the question. S3 is object storage and not suitable for a transactional MySQL database. EFS is a shared file system, not the preferred low-latency block storage for this database pattern. gp3 is versatile and cost-effective, but it is not the targeted choice when the requirement explicitly emphasizes sustained, low-latency 32,000 IOPS performance. (AWS Documentation)

The workload isstateless,parallel, and each job runs for about20 minutes, which makes Lambda a poor fit because Lambda has a maximum execution time of 15 minutes. AWS Fargate is a strong match for event-driven container workloads because it removes server management overhead, andFargate Spotlowers cost for interruption-tolerant processing. AWS also provides patterns for runningevent-driven workloads at scale with Fargate, and EventBridge can be used to trigger container tasks from S3-originated events. Compared with EKS or EC2 On-Demand, ECS on Fargate Spot is the most cost-effective managed container approach here.

============

The correct answer isCbecause storing large binary objects such as documents directly in a relational database increases database size, raises storage cost, and can degrade performance over time.Amazon S3is a more appropriate service for storing large unstructured objects like documents, images, and media files. The application can store the actual document files in S3 and keep only the related metadata, object keys, and references in the existing Oracle database.

This design is more cost-effective because S3 storage is generally less expensive than expanding high-performance relational database storage for BLOB content. It also improves database performance because the database no longer needs to manage the overhead of storing and retrieving large document payloads. The database can focus on transactional and relational data, which is the workload it is designed to handle best.

S3 also provides high durability, scalability, and resilience. These characteristics satisfy the requirement for a highly available and resilient solution while avoiding unnecessary expansion of the RDS storage layer. Keeping metadata in the existing database minimizes the application changes compared with a full database migration.

Option A is incorrect because Magnetic storage would significantly reduce performance and is not appropriate for this workload. Option B would improve performance, but it would be much more expensive and does not address the root cause of storing large BLOBs in a relational database. Option D is incorrect because moving the relational Oracle workload to DynamoDB would require a major redesign and is not the most cost-effective solution for the stated problem.

The best architectural pattern is to useAmazon S3 for document storageand the relational database for metadata and transactional records.

Amazon Aurora PostgreSQL with Babelfish allows Aurora to understand SQL Server T-SQL and the SQL Server wire protocol. This enables applications to continue using SQL Server drivers, minimizing code changes (Option B).

Migration of schema and data is performed using AWS Schema Conversion Tool (SCT) and AWS Database Migration Service (DMS) (Option C), which is the AWS-recommended migration pattern for heterogeneous database migrations.

AWS DMS (Option E) does not rewrite application SQL.

RDS Proxy (Option D) does not translate SQL Server protocols.

Option A requires rewriting application queries, which contradicts the “minimal changes” requirement.

The company wants to reduce end-to-end load time for its global customer base.AWS Global Acceleratorprovides a network optimization service that reduces latency by routing traffic to the nearest AWS edge locations, improving the user experience for globally distributed customers.

AWS Global Accelerator:

Global Acceleratorimproves the performance of your applications by routing traffic through AWS’s global network infrastructure. This reduces the number of hops and latency compared to using the public internet.

By creating astandard acceleratorand configuring the existing NLBs as target endpoints, Global Accelerator ensures that traffic from users around the world is routed to the nearest AWS edge location and then through optimized paths to the NLBs in each region. This significantly improves end-to-end load time for global customers.

Why Not the Other Options?:

Option A (ALBs instead of NLBs): ALBs are designed for HTTP/HTTPS traffic and provide layer 7 features, but they wouldn’t solve the latency issue for a global customer base. The key problem here is latency, and Global Accelerator is specifically designed to address that.

Option B (Route 53 weighted routing): Route 53 can route traffic to different regions, but it doesn’t optimize network performance. It simply balances traffic between endpoints without improving latency.

Option C (Additional NLBs in more regions): This could potentially improve latency but would require setting up infrastructure in multiple regions. Global Accelerator is a simpler and more efficient solution that leverages AWS’s existing global network.

AWS References:

AWS Global Accelerator

By usingAWS Global Acceleratorwith the existing NLBs, the company can optimize global traffic routing and improve the customer experience by minimizing latency. Therefore,Option Dis the correct answer.

Amazon SQS supports Interface VPC endpoints (AWS PrivateLink), enabling private connectivity from your VPC to SQS without using public IPs, traversing the public Internet, or requiring NAT/IGW. You can restrict access by attaching a queue resource policy that allows only the specific VPC endpoint and denies all other principals/paths, enforcing that all traffic stays on the AWS network. SSE-SQS (B) encrypts data at rest but does not influence network pathing. STS temporary credentials (C) handle authentication/authorization, not routing. VPC Flow Logs (D) are monitoring/visibility and do not prevent public egress. Creating an SQS VPC endpoint and tightening the queue policy satisfies the requirement of no public IP usage while maintaining secure, private access from serverless components in VPC subnets.

The most cost-effective way to provide consistent SQL query performance on a heavily structured dataset, where some data is accessed more frequently, is to use Amazon Redshift as your main data warehouse for hot data and Amazon Redshift Spectrum to query cold data that remains in S3. With this approach, frequently queried data is loaded into Redshift for fast, consistent querying, while infrequently accessed data is left in S3 and accessed on demand via Spectrum, avoiding unnecessary data warehousing costs. Amazon Kinesis Data Firehose provides an easy and scalable way to ingest streaming data directly to both S3 and Redshift.

AWS Documentation Extract:

" Amazon Redshift Spectrum allows you to run queries against exabytes of data in Amazon S3 without loading or transforming the data. Load hot data into Redshift for fast access and query cold data in S3 with Spectrum, optimizing both cost and performance. "

(Source: Amazon Redshift documentation, Spectrum)

A: Athena is good for ad hoc queries but not for consistent, high-performance SQL workloads.

B, C: Loading all data into Redshift is not cost-effective if some data is infrequently accessed.

The lowest-overhead centralized access model is to connect the existingon-premises Active Directoryby usingAD Connectorand then manage AWS account access throughIAM Identity Center permission sets. AWS documentation explains that IAM Identity Center providesone place to assign permissions to multiple AWS accounts, and AD Connector is specifically designed to let AWS services use an existing directory without storing directory information in AWS. This approach preserves the company’s current authentication source and adds centralized authorization across the organization. Creating IAM users or scripting cross-account role assignments would add significant administrative work and weaken the identity model.

============

Aservice control policyattached at the organization root is the right preventive control because SCPs define the maximum permissions for principals in member accounts across the organization. AWS documentation states that SCPs restrict permissions for IAM users and roles in member accounts and that an explicit deny overrides allows from other policies. That makes an SCP the cleanest centralized way to block creation of IAM users and access keys everywhere. Inline user policies would be harder to maintain, and GuardDuty or Config would be detective or corrective controls rather than the preventive control the question asks for.

============

Amazon S3 Glacier Flexible Retrieval is a low-cost archival storage class that supports retrieval of data within minutes (expedited access ~1–5 minutes), making it ideal for audit scenarios where occasional, quick access to archived data is required. In contrast, Glacier Deep Archive takes hours to retrieve.

AWS recommends using AWS IAM Identity Center (formerly AWS SSO) for centralized authentication and access control across multiple accounts in an AWS Organization, especially when integrating with an external IdP.

From AWS Documentation:

“Use IAM Identity Center to provide centralized access to multiple AWS accounts or applications. You can integrate with an external IdP via SAML 2.0. Assign users permissions through permission sets that define the roles users can assume.”

(Source: AWS IAM Identity Center User Guide)

Why B and E are correct:

E enables centralized identity federation using IAM Identity Center with your external IdP.

B uses permission sets to apply least-privilege access roles to users and groups across accounts, in alignment with the principle of least privilege.

Why others are incorrect:

Option A: IAM users in each account break centralized access model and are hard to manage at scale.

Option C: Managing individual IAM roles and inline policies across accounts is not scalable.

Option D: Per-account SAML providers are redundant when using IAM Identity Center, which provides centralized federation.

This workload is a strong candidate forAWS Batch with EC2 Spot Instancesbecause the jobs can tolerate interruptions and resume after restart. AWS documents that Spot Instances are a cost-saving option for interruption-tolerant workloads, and AWS Batch is built to manage batch jobs efficiently across EC2 capacity. AWS Batch guidance also notes that Spot is well suited when jobs can be retried or resumed, which matches the scenario. On-Demand Capacity Reservations do not optimize cost, and Savings Plans still cost more than Spot for an interruption-tolerant batch pattern. Therefore, AWS Batch with Spot gives the best balance of automation and lower compute cost.

============

For maximum resiliency and fault tolerance in a mission-critical scenario, AWS recommends redundant Direct Connect connections from multiple data centers to multiple AWS Direct Connect locations.

This protects against:

Data center failure

Device failure

Location outages

“For workloads that require high availability, we recommend that you use multiple Direct Connect connections at multiple Direct Connect locations.”

— AWS Direct Connect Resiliency Recommendations

Option C follows AWS maximum resiliency model.

Amazon QLDB is the most cost-effective and suitable service for maintainingimmutable, cryptographically verifiable logsof data changes. QLDB provides a fully managed ledgerdatabase with a built-in cryptographic hash chain, making it ideal for recording changes to accounting records, ensuring data integrity and security.

QLDB reduces operational overhead by offering fully managed services, so there’s no need for server management, and it’s built specifically to ensure immutability and verifiability, making it the best fit for the given requirements.

Option A (Redshift): Redshift is designed for analytics and not for immutable, cryptographically verifiable logs.

Option B (Neptune): Neptune is a graph database, which is not suitable for this use case.

Option C (Timestream): Timestream is a time series database optimized for time-stamped data, but it does not provide immutable or cryptographically verifiable logs.

AWS References:

Amazon QLDB

How QLDB Works

Analysis:

The company ' s requirements are to migrate 5 PB of data from physical tapes to AWS within 6 months, preserve the data for 10 years, and ensure cost efficiency.AWS Storage Gateway Tape Gatewayis purpose-built for such use cases, as it seamlessly integrates with backup applications and provides virtual tape storage in Amazon S3 Glacier Deep Archive.

Why Option D is Correct:

Tape Gateway: Enables the migration of physical tapes to virtual tapes. Virtual tapes are stored in Amazon S3 and can later be archived in Amazon S3 Glacier Deep Archive for long-term storage.

Cost Efficiency: Amazon S3 Glacier Deep Archive is the lowest-cost storage class for long-term data preservation.

Operational Simplicity: Tape Gateway integrates with existing on-premises backup software, reducing the need for additional tools or manual processes.

Scalability: Can handle the migration of large datasets, such as 5 PB, within the required timeframe.

Why Other Options Are Not Ideal:

Option A:

AWS DataSync is not designed for reading data directly from physical tapes. Staging the data on local storage adds unnecessary complexity and cost.Not suitable.

Option B:

Using backup applications to write directly to S3 Glacier Deep Archive may not leverage AWS-native services optimally. Tape Gateway simplifies the workflow significantly.Less efficient.

Option C:

Snowball Edge is ideal for environments without high-bandwidth connectivity. However, the company already has a 10 Gbps Direct Connect, making Tape Gateway a better choice.Not cost-effective.

AWS References:

AWS Storage Gateway - Tape Gateway:AWS Documentation - Tape Gateway

Amazon S3 Glacier Deep Archive:AWS Documentation - Glacier Deep Archive