SAA-C03 Exam Dumps - AWS Certified Solutions Architect - Associate (SAA-C03)

Amazon S3 Express One Zone provides single-digit millisecond latency and high throughput, making it ideal for ML workloads that require multiple compute nodes and fast access. It is also more cost-effective than traditional file or block storage for temporary, high-speed needs.

To grant the ECS application the least privilege, you create an IAM policy that explicitly lists the ARNs of the specific S3 buckets the task should access. You then attach this policy to the task role (not the instance role), ensuring only that task has the necessary permissions. This approach avoids granting permissions to other EC2 instances or services and restricts access strictly to the required buckets.

AWS Documentation Extract:

"Attach an IAM policy granting access to specific resources to the ECS task role, not to the instance role, to ensure that only the container has access according to the principle of least privilege."

"Use explicit ARNs to control access only to specified S3 buckets."

(Source: Amazon ECS documentation, IAM Roles for Tasks)

A: Tag-based access control for S3 buckets is possible but less direct and commonly used for identity-based access.

C: Attaching the policy to the instance role could grant unintended permissions to all containers or services running on the instance.

D: Wildcard ARNs grant broader access than necessary.

AWS CloudFormationallows for the automated, repeatable setup of infrastructure, reducing human error and ensuring consistency.AWS Configprovides the ability to track changes in the infrastructure, ensuring that all changes are logged and auditable, which satisfies the requirement for tracking incremental changes.

Option A and C (AWS Organizations): AWS Organizations manage multiple accounts, but they are not designed for infrastructure setup or change tracking.

Option D (Service Catalog): Service Catalog is used for deploying products, not for setting up infrastructure or tracking changes.

AWS References:

AWS Config

AWS CloudFormation

TheAWS WAF Bot Control managed ruleis designed to automatically detect and mitigate bot traffic. This feature is particularly useful for addressing malicious traffic and conserving compute resources by filtering unnecessary requests at the ALB level.

Option A:Blocking IP addresses manually introduces significant operational overhead and is not scalable against dynamic, worldwide malicious traffic.

Option C:AWS Shield provides DDoS protection, but the scenario does not describe a DDoS attack. WAF is better suited for managing application-layer threats like bot traffic.

Option D:The AWS WAF IP reputation rule helps block traffic from known bad IPs but may not address bot traffic effectively.

AWS Documentation References:

AWS WAF Bot Control

AWS WAF Managed Rules

Option Censures dynamic scaling based on demand using a target tracking scaling policy, optimizing costs.

Option Aresults in over-provisioning, leading to higher costs.

Option Bincreases costs by using larger instances.

Option Dis not feasible as instance store volumes are ephemeral and unsuitable for shared storage like EFS.

To access an EFS file system across accounts and VPCs, the EFS must be mounted using VPC peering or AWS Transit Gateway, and the EC2 instances must use the amazon-efs-utils package with the correct mount target or access point.

Using an EFS access point simplifies access management, especially across accounts, by providing a POSIX identity and access policy layer.

VPC sharing doesn’t support EFS directly unless the subnet and resources are shared properly, which requires redeployment. Therefore, option D is the most complete and correct.

Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using CloudHSM (C) adds cost and operational burden. Therefore, the correct solution is D — enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure encryption.

This solution offers the least operational overhead while meeting the security and global availability requirements:

Amazon CloudFront and S3: Hosting the static frontend on S3 and serving it via CloudFront provides low-latency global distribution, high availability, and security. S3 is a cost-effective and serverless option for hosting static assets, and CloudFront ensures that the application is cached closer to the users, reducing latency globally.

AWS Lambda and API Gateway: Refactoring the microservices to use Lambda functions with API Gateway allows for a fully serverless, scalable, and highly available backend. This reduces the need for managing EC2 instances, as Lambda automatically scales to meet demand and only charges for the actual usage.

RDS for MySQL: Migrating the MySQL database from an EC2 instance to Amazon RDS significantly reduces operational overhead. RDS manages backups, patching, and scaling, and it offers high availability options (e.g., Multi-AZ).

Option AandDinvolve using EC2 Reserved Instances for the database, which requires more operational maintenance than using RDS.

Option Csuggests using a Network Load Balancer with Lambda, which adds unnecessary complexity for this use case.

AWS References:

Amazon S3 and CloudFront Integration

AWS Lambda with API Gateway

Amazon RDS for MySQL