SAA-C03 Exam Dumps - AWS Certified Solutions Architect - Associate (SAA-C03)

Amazon CloudFront is a highly cost-effective CDN that caches content like images and videos at edge locations globally. This reduces latency and the load on the origin S3 bucket. It is ideal for static content that is accessed by many users.

The most effective and AWS-recommended way to mitigate unwanted traffic at the edge is to use AWS WAF integrated with CloudFront. Option D allows the architect to block or throttle malicious traffic before it reaches the ALB or EC2 instances.

Rate-based rules automatically block IP addresses that exceed a defined request threshold, making them ideal for mitigating abusive traffic patterns. This reduces load on backend resources and improves performance for legitimate users.

Options A, B, and C are less effective or introduce unnecessary cost and complexity. Shield does not provide granular rate control, Auto Scaling increases cost, and NACLs are difficult to manage dynamically.

Therefore, D is the correct and most secure solution.

Detailed Explanation:

A. ECS + API Gateway:Overly complex and costly for an on-demand, intermittent workload.

B. EventBridge + SNS:EventBridge schedules are unnecessary for on-demand generation.

C. EKS + API Gateway:Overkill for this use case, with high operational overhead.

D. Lambda + SES:Most cost-effective and efficient solution for generating and emailing reports on demand.

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

The question asks for the most cost savings while not affecting application performance, and it explicitly calls out both compute costs and storage costs increasing. The best answer is the option that optimizes both cost drivers without reducing capacity needed for peak performance. Option D accomplishes this by combining two well-established cost optimization mechanisms: a Compute Savings Plan for baseline compute usage and S3 Lifecycle policies for lower-cost storage of older receipt images.

A Compute Savings Plan is best applied to the steady, always-needed portion of compute capacity. In an Auto Scaling group, there is typically a predictable minimum footprint that runs continuously. Purchasing a Savings Plan for that baseline delivers substantial discounts compared with On-Demand pricing while keeping performance unchanged. For traffic spikes, continuing to use On-Demand Instances is operationally simple and preserves scaling behavior and customer experience. This avoids the risk that reducing minimum capacity could introduce slower scale-out or insufficient resources during sudden load.

On the storage side, raw receipt images are stored in Amazon S3, and many applications access the newest objects most frequently. Using S3 Lifecycle policies to transition objects after 30 days to lower-cost tiers (such as infrequent access or archival tiers as appropriate for retrieval needs) reduces storage spend without changing how new uploads are handled or processed. It also keeps the application fast for recent receipts, where performance typically matters most.

Options A and B move storage to EFS, which is generally more expensive than S3 for object storage patterns and does not align with “stored as objects.” Option C reduces the maximum Auto Scaling capacity, which can directly harm performance during demand surges. Therefore, D provides the largest cost reduction while preserving performance and scaling characteristics.

To handle increased loads effectively, it ' s essential to implement Auto Scaling for both frontend and backend tiers:

Frontend Auto Scaling Group: Scaling based on incoming network traffic ensures that the application can handle increased user requests.

Backend Auto Scaling Group: Scaling based on the Amazon SQS queue backlog ensures that the backend can process messages as they arrive, preventing delays.

This approach allows each tier to scale independently based on its specific load, ensuring optimal resource utilization and performance.

To manage EC2 instances with AWS Systems Manager (SSM), the EC2 instance must be configured as a managed instance by attaching an IAM role that has the AmazonSSMManagedInstanceCore managed policy.

This policy allows:

SSM agent to register the instance with SSM

Perform actions like patching, automation, session management, inventory collection, etc.

Access to SSM endpoints (via internet or VPC endpoint if needed)

Since the EC2 instance already has an IAM role, the least operational overhead option is to attach the required policy to the existing role (Option C). No need to create new IAM roles or users, which simplifies management and adheres to the principle of least privilege.

Patching can then be automated via SSM Patch Manager, ensuring consistency, compliance, and operational efficiency.

🔗 References:

SSM Managed Instance Setup

AmazonSSMManagedInstanceCore Policy

Patching EC2 with SSM