SAA-C03 Exam Dumps - AWS Certified Solutions Architect - Associate (SAA-C03)

The requirement is for immediate processing of uploaded videos and prompt notification to users. According to AWS best practices for event-driven architectures, using S3 event notifications to trigger a Lambda function upon an object creation (upload) is the optimal solution for real-time processing. Lambda can process the file as soon as it is uploaded, ensuring low latency. Once processing is complete, Lambda can save the processed file back to S3 and use Amazon SNS to notify the user.

This approach uses managed services with minimal operational overhead, is scalable, and ensures event-driven processing with instant user feedback. AWS Amplify primarily facilitates application development and hosting but does not natively provide direct push notification support for this backend workflow; instead, SNS is designed for such notification scenarios.

Reference Extract from AWS Documentation / Study Guide:

" Amazon S3 can publish events to AWS Lambda when objects are created. AWS Lambda runs code in response to events and can interact with other AWS services. Amazon SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients. "

Source: AWS Certified Solutions Architect – Official Study Guide, Event-driven Architectures section; AWS Lambda Developer Guide (S3 triggers); Amazon SNS User Guide.

AWS provides EBS Block Public Access at the AWS Organizations level, which, when enabled, prevents EBS snapshots from being shared publicly across all member accounts. This is an organization-wide control that requires minimal configuration and no ongoing monitoring to prevent public sharing.

This directly satisfies the requirement:

Covers all accounts managed by Organizations.

Explicitly prevents public snapshot sharing.

Has the least operational overhead because it is a single centralized control.

AWS Config (Option A) only monitors and alerts, but does not prevent public sharing.

An IAM policy in the root account (Option C) is harder to enforce consistently across all accounts and may not cover all permission paths.

CloudTrail (Option D) only logs events and does not prevent public access.

AWS Shield Advanced provides:

Advanced DDoS detection and mitigation

24/7 access to the AWS DDoS Response Team (DRT)

Real-time metrics and alerts via CloudWatch

Integrated with CloudFront, ALB, Route 53, and Global Accelerator

“Shield Advanced provides enhanced detection and mitigation for more sophisticated DDoS attacks and gives you access to the AWS DDoS Response Team (DRT).”

— AWS Shield Advanced Overview

Incorrect Options:

A (AWS WAF): For application-layer filtering only.

B (Shield Standard): Basic protection, no DRT or attack visibility.

C (Macie): Used for discovering sensitive data in S3, unrelated to DDoS.

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that makes it easy to build and run applications that use Apache Kafka to process streaming data. By using Amazon ECS with the AWS Fargate launch type, you can run containers without managing servers or clusters. This combination reduces operational overhead and provides scalability.

For a MySQL database experiencing high write operations, using Amazon RDS with Provisioned IOPS (io1 or io2) SSD storage is recommended to achieve consistent and low-latency performance. Provisioned IOPS allows you to specify a desired IOPS rate, which is crucial for write-intensive workloads.

Monitoring write operation metrics through Amazon CloudWatch enables you to observe performance and adjust the provisioned IOPS as needed to meet application demands.

According to AWS best practices, each tier’s security group must restrict inbound traffic to only the upstream trusted source. For the web tier, the Application Load Balancer must be the only entity allowed to send traffic. AWS documentation specifies: “Restrict the security groups associated with your targets to accept traffic only from the load balancer.” This confirms that the web tier security group should allow inbound HTTPS from the ALB security group (A).

For communication between the web and application tiers, AWS states: “You can specify a security group as the source or destination in a rule” and “Create rules only for the protocols and ports required by your application.” Therefore, the application tier security group must allow inbound HTTPS traffic from the web tier security group (E).

For the database tier, AWS guidance says: “Allow only the necessary ports for database communication.” Microsoft SQL Server listens on port 1433 by default, so the database tier security group must allow inbound SQL Server traffic from the application tier security group (C).

Outbound rules (options B, D, and F) are unnecessary because AWS specifies that “Security groups are stateful. Return traffic is automatically allowed.” This means once inbound rules are defined, the return path is automatically permitted without extra outbound configurations.

This combination (A, C, E) applies the principle of least privilege, ensures end-to-end secure communication across tiers, and follows AWS recommendations for ALB-to-target security group setups.

EC2 instances in private subnets cannot access the internet unless there is a NAT gateway or a NAT instance configured.

“To enable instances in a private subnet to connect to the internet or other AWS services, you can use a NAT gateway or NAT instance.”

— NAT Gateways – Amazon VPC

In this use case:

EC2 instances are in private subnets

They need to call external APIs (internet access)

The most operationally efficient and secure method is to place a NAT Gateway in a public subnet and update the route table for private subnets to route internet-bound traffic through it.

Incorrect Options:

A: Private subnets don’t support public IPs.

C: VPC peering doesn’t help reach the public internet.

D: Interface endpoints are for private connectivity to AWS services, not external APIs.

Amazon CloudWatch Container Insightsis designed for monitoring containerized environments like EKS. It provides native support for collecting and visualizing metrics and logs in a centralized location through CloudWatch dashboards, offering the most operationally efficient solution.

Option A:Using the CloudWatch agent provides basic metrics but lacks the specific insights required for containerized applications.

Option B:Kinesis Data Streams and Firehose add unnecessary complexity for this use case.

Option C:CloudTrail is for auditing API activity and is not designed for application metrics and log aggregation.

AWS Documentation References:

Amazon CloudWatch Container Insights