SAA-C03 Exam Dumps - AWS Certified Solutions Architect - Associate (SAA-C03)

For improving availability and performance of the hybrid application, the following solutions are optimal:

AWS Global Accelerator (Option A): Global Accelerator provides high availability and improves performance by using the AWS global network to route user traffic to the nearest healthy endpoint (across AWS Regions). By adding the Network Load Balancers as endpoints, Global Accelerator ensures that traffic is routed efficiently to the closest endpoint, improving both availability and performance.

Network Load Balancer (Option D): Thestateful TCP-based workloadhosted on Amazon EC2 instances and thestateless UDP-based workloadhosted on-premises are best served by Network Load Balancers (NLBs). NLBs are designed to handle TCP and UDP traffic with ultra-low latency and can route traffic to both EC2 and on-premises endpoints.

Option B (CloudFront and Route 53): CloudFront is better suited for HTTP/HTTPS workloads, not for TCP/UDP-based applications.

Option C (ALB): Application Load Balancers do not support the stateless UDP-based workload, making NLBs the better choice for both TCP and UDP.

AWS References:

AWS Global Accelerator

Network Load Balancer

Comprehensive and Detailed Explanation (from AWS Solutions Architect documentation):

Amazon DynamoDB is a fully managed NoSQL database engineered for extremely high throughput and millisecond-level response times at any scale. It can automatically scale to support millions of requests per second and requires no management of infrastructure, storage provisioning, or server maintenance.

AWS documentation specifically highlights DynamoDB as the optimal solution for ecommerce workloads that require consistent low-latency performance, massive scalability, and near-zero operational overhead.

Aurora and RDS cannot support millions of requests per second, and Redshift is a data warehouse not intended for transactional workloads.

Why Option C is Correct:

S3 Access Points: Provide scalable management of access to large datasets with specific permissions for individual prefixes.

Dynamic Prefixes: Access points simplify managing access to a growing number of prefixes without relying solely on a single bucket policy.

Fine-Grained Control: Resource-based permissions on access points enforce prefix-level isolation effectively.

Why Other Options Are Not Ideal:

Option A: Using deny/allow bucket policies introduces complexity and is less scalable for dynamic prefixes.

Option B: Encryption ensures data security but does not address access management.

Option D: Pre-signed URLs are temporary and not suitable for managing access at scale.

AWS References:

Amazon S3 Access Points:AWS Documentation - S3 Access Points

S3 Block Public Access only blocks public access—not explicitly allowed access.

An S3 bucket policy can explicitly permit access only from specific source IP addresses using the aws:SourceIp condition. This allows secure, direct HTTP access to the S3 object from known firewall IP addresses.

Static website hosting (Option A) requires the bucket to be public and is blocked by the enabled S3 Block Public Access setting.

CloudFront with OAC (Option C) is unnecessary and adds cost and complexity.

Lambda (Option D) introduces operational overhead and is not needed since S3 policies can enforce IP restrictions directly.

AWS Backup is a fully managed backup service that can create backup plans for EC2 instances, including both instance configurations and attached EBS volumes, with scheduled and cross-Region copy capabilities. By adding the EC2 instances to the resource assignment in the backup plan, AWS Backup automatically backs up all configurations and attached EBS volumes, and can copy backups to a secondary Region for disaster recovery, providing the highest operational efficiency with the least manual effort.

AWS Documentation Extract:

“AWS Backup provides fully managed backup for EC2 instances and attached EBS volumes, with scheduling, retention, and cross-Region copy built in. By adding the EC2 instance as a resource, the backup includes both configuration and attached volumes.”

(Source: AWS Backup documentation)

A, D: Custom Lambda scripts increase operational overhead and are not as integrated or robust as AWS Backup.

C: Assigning only EBS volumes does not include the EC2 instance configuration, which is needed for full recovery.

AWS Outposts brings native AWS services (including Amazon EMR) on-premises, ideal when data residency or latency constraints require local processing.

You benefit from AWS’s managed services while meeting the requirement to keep data processing local.

The best solution to enforce encryption at rest for Amazon EBS volumes is to use anIAM policyto restrict the creation of unencrypted volumes. To automatically identify and remediate unencryptedvolumes, you can useAWS Configrules, which continuously monitor the compliance of resources, andAWS Systems Managerto automate the remediation by encrypting existing unencrypted volumes. This setup requires minimal administrative overhead while ensuring compliance.

Option B (KMS): KMS is for managing encryption keys, but Config and Systems Manager provide a better solution for automatic detection and enforcement.

Option C (Macie): Macie is for data classification and is not suitable for this use case.

Option D (Inspector): Inspector is used for security vulnerabilities, not encryption compliance.

AWS References:

AWS Config Rules

AWS Systems Manager