SAA-C03 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

AWS Snowball Edge is specifically designed for use cases that involve limited or unreliable network connectivity. It enables data transfer and local compute processing at edge locations.

It comes in two options: Snowball Edge Storage Optimized and Snowball Edge Compute Optimized.

The Compute Optimized model allows the disaster response team to both store images locally and process data on the device using Amazon EC2-compatible compute resources.

This removes the need for constant network connectivity. After processing, the device can be shipped back to AWS, where data is uploaded to S3.

Other options fail due to:

SQS not being suitable for large binary image data (Option B)

Kinesis Data Firehose needing steady connectivity (Option C)

Storage Gateway is for hybrid cloud environments with ongoing connection, not rugged field use (Option D)

???? References:

AWS Snowball Edge Overview

Snowball Edge Use Cases

Amazon RDS Performance Insights is a “database performance tuning and monitoring feature” that can be enabled with a few clicks and “helps you quickly assess the load on your database” and identify bottlenecks. It surfaces key metrics, including DB load, top SQL, waits, and host metrics such as CPU utilization, which are commonly used indicators for right-sizing (up or down). This provides the lowest operational effort compared to building log pipelines or querying CloudTrail (which does not capture SQL workload characteristics). AWS X-Ray traces application requests, not database internals, and CloudWatch Logs aggregation requires custom ingestion and analysis. Enabling Performance Insights directly on the RDS instance provides actionable utilization data to right-size with minimal setup.

Compute Savings Plansoffer the most flexible and cost-effective solution for the production instances, as they provide significant savings (up to 66%) for both EC2 and AWS Lambda usage, while allowing flexibility in the type of instance family, size, and even region. For nonproduction instances, usingOn-Demand Instancesensures you only pay for the instances when they are running, and shutting them down during off-hours further optimizes cost.

Key AWS features:

Compute Savings Plans: Provide savings based on consistent usage, making it ideal for production environments with steady load.

On-Demand Instances: Suitable for nonproduction environments that are used intermittently. Shutting them down when not in use avoids unnecessary costs.

AWS Documentation: According to AWS ' s cost optimization best practices, using a combination of Savings Plans for production and On-Demand Instances for nonproduction environments that are used sparingly results in optimal cost savings​​.

Amazon S3 File Gateway (AWS Storage Gateway) exposes an on-premises NFS/SMB file share that durably stores files as S3 objects with local caching, enabling low-latency writes on-premises and asynchronous, near-real-time ingestion into Amazon S3 for analytics. It is purpose-built to “present a file interface backed by Amazon S3” and to “store files as objects in your S3 buckets,” so existing applications writing to a network share can transparently land data in S3 without custom scripts or job orchestration. Compared with scheduled transfers (e.g., end-of-day DataSync), S3 File Gateway continuously uploads new/changed files, better meeting the near-real-time requirement. Transfer Family (SFTP) would require custom polling and client changes, increasing operational burden. DataSync is excellent for bulk or periodic migrations/synchronizations but is not as seamless for continuous ingestion from a live file share. Therefore, updating the application to point to an S3 File Gateway share provides the simplest, performant path to near-real-time delivery into S3 for downstream analytics.

Amazon RDS does not support enabling encryption at rest on an existing unencrypted DB instance. To encrypt an existing RDS instance’s data at rest, the recommended method is to:

Take a snapshot of the unencrypted DB instance.

Create an encrypted copy of the snapshot using AWS KMS. This encrypted snapshot contains the existing data encrypted at rest.

Restore a new DB instance from the encrypted snapshot. This new instance will have encryption at rest enabled.

Additionally, to manage encryption keys securely, companies can use customer managed keys (CMKs) in AWS Key Management Service (KMS). CMKs provide greater control over key management policies, rotation, and usage permissions compared to default AWS managed keys. Using a CMK allows customization of access control and auditability.

Option A is incorrect because you cannot enable encryption directly on a snapshot; you must create an encrypted copy. Option C is invalid because encryption cannot be enabled by modifying an existing instance’s configuration. Option D refers to the default AWS managed key, which is less flexible than customer managed keys.

The problem is scale-out latency: when traffic spikes, new instances take time to launch, initialize, and pass health checks. This can temporarily degrade user experience even if Auto Scaling eventually adds enough capacity. The goal is to improve responsiveness to sudden spikes cost-effectively.

A key Auto Scaling feature for this situation is an EC2 Auto Scaling warm pool. A warm pool maintains a set of pre-initialized instances (stopped or running, depending on configuration) that Auto Scaling can rapidly transition into service. This reduces the time needed for instance launch and initialization, enabling faster scale-out during unexpected surges.

Option B is best because it supports the application’s peak needs by ensuring Auto Scaling can scale up to the required maximum capacity and keeps warm capacity ready. While a warm pool has some cost (especially if instances are kept running), it is typically more cost-effective than permanently running peak capacity all the time. It improves user experience by minimizing cold start delays during spikes.

Option A is counterproductive: lowering minimum capacity increases the likelihood of scale-out delays. Option C is illogical as written (“increase maximum to meet normal demand”); maximum should reflect peak potential, and a warm pool without sufficient max headroom will not solve the spike problem. Option D uses scheduled scaling, but the spike is unexpected, and increasing instance sizes increases cost and does not address launch delay; it may also reduce horizontal scaling flexibility.

Therefore, B is the most cost-effective way to improve scale-out performance and protect user experience during unexpected bursts.

Amazon API Gateway supports multiple API types: REST, HTTP, WebSocket, and gRPC. HTTP APIs are a newer, lightweight option that support JWT authorizers natively, enabling secure, scalable authentication for APIs with JSON Web Tokens.

HTTP APIs can integrate with ALBs as a backend target, providing direct connectivity and simplified API management with JWT authentication built in.

REST APIs support JWT but are more feature-rich and complex, often used for legacy or more complex use cases, and have higher costs and latency. WebSocket APIs are for real-time, bidirectional communication, which is not requested here. gRPC APIs support RPC calls but are less common for public HTTP-based APIs with JWT auth.

Therefore, HTTP API with JWT authorizers is the best fit for this use case.

Predictive scaling automatically analyzes historical workload patterns, forecasts future capacity needs, and launches instances ahead of time. AWS documentation states that predictive scaling is designed for workloads with recurring, cyclical patterns—such as scheduled weekly batch jobs.

It also supports " pre-launching " capacity before peak demand. This eliminates manual trend analysis and delivers the lowest operational overhead.

Scheduled scaling (Option B) works but requires manual calculation of capacity numbers and updating if patterns change. Predictive scaling removes this burden entirely.

=====================================================

Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using CloudHSM (C) adds cost and operational burden. Therefore, the correct solution is D — enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure encryption.

The correct answer is C because the company already uses Amazon FSx for NetApp ONTAP and requires a disaster recovery solution in a secondary Region that preserves access through the same protocols , specifically CIFS and NFS . The most appropriate solution is to deploy a second FSx for ONTAP file system in the secondary Region and use NetApp SnapMirror to replicate data between Regions. SnapMirror is built for ONTAP-based replication and is the native mechanism for efficient, storage-level disaster recovery.

This option provides the least operational overhead because it uses the capabilities already integrated into FSx for ONTAP rather than introducing another storage platform or custom replication tooling. It also preserves protocol compatibility, so applications in the recovery Region can continue to access data through CIFS and NFS without architectural changes.

Option A is incorrect because replicating data to Amazon S3 does not preserve native CIFS and NFS file shares. Option B can support recovery, but backups and restores are not the best fit for an active DR strategy where the secondary Region needs accessible replicated storage with the same protocols and lower recovery effort. Option D is incorrect because Amazon EFS does not provide CIFS/SMB support in the same way as FSx for ONTAP and would require a platform change.

AWS guidance for FSx for ONTAP disaster recovery favors using SnapMirror replication to another FSx for ONTAP deployment. This approach is protocol-compatible, efficient, and operationally simpler than building a custom DR workflow.

AWS Shield Advanced provides:

• 24/7 access to the AWS DDoS Response Team (DRT)

• Near real-time attack visibility and metrics

• Protection for CloudFront, ALB, NLB, and Route 53

Shield Standard (Option B) does not include DDoS response team support.

WAF (Option A) provides rules-based filtering, not DDoS assistance.

Macie (Option C) is for PII discovery, not DDoS protection.

=====================================================

AWS Backup is a fully managed backup service that can create backup plans for EC2 instances, including both instance configurations and attached EBS volumes, with scheduled and cross-Region copy capabilities. By adding the EC2 instances to the resource assignment in the backup plan, AWS Backup automatically backs up all configurations and attached EBS volumes, and can copy backups to a secondary Region for disaster recovery, providing the highest operational efficiency with the least manual effort.

AWS Documentation Extract:

“AWS Backup provides fully managed backup for EC2 instances and attached EBS volumes, with scheduling, retention, and cross-Region copy built in. By adding the EC2 instance as a resource, the backup includes both configuration and attached volumes.”

(Source: AWS Backup documentation)

A, D: Custom Lambda scripts increase operational overhead and are not as integrated or robust as AWS Backup.

C: Assigning only EBS volumes does not include the EC2 instance configuration, which is needed for full recovery.

To ensure high availability and scalability, the web application should run in anAuto Scaling groupacross two Availability Zones behind anApplication Load Balancer (ALB). The database should be migrated toAmazon RDSwithMulti-AZ deployment, which ensures fault tolerance and automatic failover in case of an AZ failure. This setup minimizes administrative overhead while meeting the company ' s requirements for high availability and scalability.

Option A: Read replicas are typically used for scaling read operations, and Multi-AZ provides better availability for a transactional database.

Option B: Replicating across AWS Regions adds unnecessary complexity for a single web application.

Option D: EC2 instances across three Availability Zones add unnecessary complexity for this scenario.

AWS References:

Auto Scaling Groups

Amazon RDS Multi-AZ

AWS guidance for NAT Gateway recommends deploying “a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.” This provides “zone-independent architecture” and avoids cross-AZ data processing charges and single-AZ failures. Option B creates a single point of failure and incurs cross-AZ egress charges when private subnets in other AZs traverse a centralized NAT. NAT instances (C) are legacy, require manual scaling/failover/patching, and are not recommended for production HA. Option D is not supported (NLB cannot front a NAT Gateway as a target). With steady, uniform load, per-AZ NAT Gateways deliver high availability with predictable cost; routing each private subnet to its local NAT Gateway maintains security (no inbound initiated connections) and resilience. This meets the requirement for cost-effective, secure outbound connectivity across multiple AZs while preserving availability.

To track costs by department, you must activate the custom department tag as a cost allocation tag in the AWS Organizations management account. Once activated, Cost Explorer and cost and usage reports can group costs by this tag for all linked accounts. The most operationally efficient way is to activate only the relevant department tag and create a cost and usage report grouped by that tag.

AWS Documentation Extract:

“To use a tag for cost allocation, you must activate it in the AWS Billing and Cost Management console. After activation, you can use the tag to group costs in Cost Explorer and reports.”

(Source: AWS Cost Management documentation)

A, E: aws:createdBy is not related to department cost grouping and is unnecessary.

B: Applying extra filters is optional; D is more direct and operationally efficient.