SAA-C03 Exam Dumps - AWS Certified Solutions Architect - Associate (SAA-C03)

A. EventBridge rule:Triggers an event whenever there is a change in CloudFront distribution, ensuring real-time monitoring.

B. ALB with WAF:Focuses on application-level security, not CloudFront logging.

C. Lambda + SNS:Provides notifications upon detection of changes in logging configuration.

D. GuardDuty:Monitors anomalies but does not specifically address CloudFront logging changes.

E. Private API + WAF:Irrelevant to CloudFront logging changes.

To securely publish messages to an encrypted Amazon SNS topic, the following steps are required:

A. Resource policy for SNS topic:Ensures that the Lambda function is explicitly allowed to publish messages to the topic.

C. Resource policy for KMS key:Provides the necessary permissions to use the customer-managed key for encryption.

F. Lambda execution role:Grants the Lambda function the necessary IAM permissions to use the encryption key.

Other options:

Bis invalid because using SSE-KMS does not eliminate the need for resource policies.

Doverlaps with A, but specifying the ARN in the topic policy is covered by creating the resource policy.

Eis unrelated as API Gateway is not required for this setup.

AWS Documentation Reference:

Amazon SNS and KMS Permissions

Detailed Explanation:

A. ECS + API Gateway:Overly complex and costly for an on-demand, intermittent workload.

B. EventBridge + SNS:EventBridge schedules are unnecessary for on-demand generation.

C. EKS + API Gateway:Overkill for this use case, with high operational overhead.

D. Lambda + SES:Most cost-effective and efficient solution for generating and emailing reports on demand.

To optimize costs for both Amazon EC2 and AWS Fargate, the best option is a Compute Savings Plan because it offers flexibility across instance families, Regions, and compute options including EC2, AWS Fargate, and AWS Lambda.

Unlike EC2 Instance Savings Plans, which apply only to specific instance families, Compute Savings Plans apply across multiple services.

Since the company does not want to commit to multi-year contracts or large upfront payments, the 1-year No Upfront Compute Savings Plan provides the greatest flexibility with no upfront capital commitment, while still offering cost savings over On-Demand pricing.

This option also aligns with cost-optimization best practices by allowing for scalability and service mix flexibility.

🔗 Reference:

AWS Compute Savings Plans

AWS Pricing Models

Aurora Global Database is designed for low-latency cross-Region reads and disaster recovery for relational data.

Amazon S3 Cross-Region Replication (CRR) automatically replicates unstructured data to another Region, ensuring high availability and resilience.

“Aurora Global Database replicates your data with typical latency of less than 1 second to secondary AWS Regions.”

“Amazon S3 Cross-Region Replication automatically replicates every object uploaded to your bucket to a destination bucket in another AWS Region.”

— Aurora Global Database

— S3 Cross-Region Replication

This combination meets the multi-Region, high availability, fault-tolerant requirement for both relational and unstructured data.

AWS guidance is to cover steady baseline with commitments (Reserved Instances or Savings Plans) and use EC2 Spot Instances for burst capacity to minimize cost. Spot provides up to 90% discounts and is well-suited to fault-tolerant, queue-based workloads; interruptions are handled by replacing capacity automatically while messages remain durably in SQS. Using only Spot (A) risks capacity gaps; only RIs sized for peak (B) wastes cost during low demand. Option D scales on backlog but uses On-Demand for bursts, which is more expensive than Spot. With C, baseline capacity (RIs) keeps processing continuously (no downtime), and Spot adds cost-efficient throughput during spikes, aligning with Well-Architected cost and reliability patterns for queue workers.

Serving static content from Amazon S3 is highly cost-effective and scalable. By fronting the S3 bucket with Amazon CloudFront, you also enable global caching, reduced latency, and even lower costs by reducing direct S3 access. There is no need for EC2 or ALB, and no need to manage servers, further lowering operational burden and expenses. This pattern is the recommended AWS architecture for serving static web content.

Reference Extract from AWS Documentation / Study Guide:

" Hosting static websites on Amazon S3 with Amazon CloudFront reduces infrastructure costs and improves performance for global users by caching content at edge locations. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 and CloudFront section.

Amazon S3 presigned URLs are the most secure fit because they providetime-limited access to specific objectswithout requiring the external vendor to have AWS credentials or direct bucket permissions. AWS documentation states that presigned URLs grant temporary access to private S3 objects and can be used for downloads through a browser or program. This is stronger than creating an IAM user or sharing temporary keys because those methods still expose AWS credentials to a third party. A bucket policy based only on source IP is broader and less precise than object-level, time-bounded access. Presigned URLs let the company control exactlywhich objectcan be downloaded andfor how long, which is exactly what the scenario requires. (AWS Documentation)

============