SAA-C03 Exam Dumps - AWS Certified Solutions Architect - Associate (SAA-C03)

The correct answer isBbecause the company needs order processing to beginimmediatelywhen new orders arrive and also needs ahistory of all order processing attemptsin themost cost-effectiveway. Amazon EventBridge is a serverless event bus that can respond to events as they occur, which makes it a strong fit for near real-time order processing. By using anEventBridge event patternand a rule that invokesAWS Lambdawhen a new order event is received, the solution avoids polling and processes orders only when there is actual work to perform.

This event-driven design is more cost-effective than running scheduled checks or maintaining EC2 instances.AWS Lambdaprovides fully managed compute with automatic scaling and charges based on actual execution time.Amazon DynamoDBis a highly scalable and fully managed NoSQL database that is well suited for storing order-processing results and maintaining a durable history of processing attempts with low operational overhead.

Option A is incorrect because invoking Lambda every minute to check for new orders is a polling model, which introduces delay and unnecessary invocations. Option C is incorrect because using an EC2 instance to poll for events creates higher operational cost and overhead. Option D is less appropriate becauseAmazon EFSis not the best storage choice for durable event history or structured tracking of order-processing attempts.

AWS architectural guidance favorsevent-driven, serverless patternsfor asynchronous order processing when immediate response, scalability, and low cost are required. Therefore,EventBridge + Lambda + DynamoDBis the best solution.

AWS Batch supports Windows-based jobs and automates provisioning and scaling of compute environments. Paired with AWS Fargate, it removes the need to manage infrastructure. This solution requires the least operational overhead and is cloud-native, providing flexibility and scalability.

Amazon RDS supports encryption at rest by using AWS KMS keys backed by AWS CloudHSM. This allows use of dedicated FIPS 140-2 Level 3 validated hardware modules to manage encryption keys, meeting compliance for sensitive data such as PII.

From AWS Documentation:

“You can use AWS KMS with keys that are backed by AWS CloudHSM to control the encryption of RDS databases. This provides dedicated HSM-backed key storage and management.”

(Source: Amazon RDS User Guide – Encrypting Amazon RDS Resources)

Why B is correct:

Meets the requirement for dedicated HSM hardware.

Fully integrates with RDS for transparent encryption at rest.

Satisfies compliance standards for healthcare and regulated data.

Why others are incorrect:

A: Keys in CloudHSM directly are not used by RDS; they must be managed through KMS integration.

C: EC2 instance stores are ephemeral, not suitable for RDS databases.

D: SSE-S3 applies to S3 objects, not databases.

To decouple distributed workloads and improve scalability and resiliency, Amazon SQS should be used as a reliable job queue. The compute nodes (workers) can poll the SQS queue for tasks, and EC2 Auto Scaling can dynamically scale instances based on the ApproximateNumberOfMessages metric.

From AWS Documentation:

“Amazon SQS enables you to decouple application components, allowing each part to scale independently. You can scale EC2 instances automatically based on the number of messages in the queue.”

(Source: Amazon SQS Developer Guide – Scaling Consumers with Auto Scaling)

Why B is correct:

Eliminates the single point of failure (the primary coordinator).

Enables event-driven scaling based on queue depth.

Provides durability and resiliency since messages are stored redundantly.

Fully managed and integrates seamlessly with Auto Scaling policies.

Why other options are incorrect:

A: Scheduled scaling does not respond to variable workloads.

C & D: Misuse of CloudTrail/EventBridge; not intended for workload coordination.

Amazon SQS FIFO queues support deduplication and ordering. AWS documents thatMessageDeduplicationIdis used with FIFO queues to prevent duplicate delivery within a5-minute deduplication window, which matches this requirement exactly. Standard queues do not provide this deduplication guarantee, and SNS filter policies are not a deduplication mechanism for this use case. Because the company wants the least development effort, using API Gateway to place messages directly on an SQS FIFO queue with a deduplication token is the cleanest approach.

============

AWSDirect Connectis the best solution for establishing a consistent, low-latency connection from an on-premises data center to AWS without using the public internet. Direct Connect offers dedicated, high-throughput, and low-latency network connections, which are ideal for performance-sensitive applications like a trading platform that processes high volumes of market data and stock trades.

Direct Connect provides a private connection to your AWS VPC, ensuring that data doesn ' t traverse the public internet, which enhances both security and performance consistency.

AWS References:

AWS Direct Connectprovides a dedicated network connection to AWS services with consistent, low-latency performance.

Best Practices for High Performance on AWSfor performance-sensitive workloads like trading platforms.

Why the other options are incorrect:

A. AWS Client VPN: While this offers secure connectivity, it ' s over the public internet and is not designed for the low-latency, high-performance needs of a trading platform.

C. AWS PrivateLink: PrivateLink is used for connecting VPCs and services within AWS, but it is not designed for connecting on-premises data centers to AWS.

D. AWS Site-to-Site VPN: Although this provides secure connectivity, it uses the public internet, which can introduce latency and doesn ' t meet the low-latency requirements of the use case.

Amazon RDS does not support enabling encryption at rest on an existing unencrypted DB instance. To encrypt an existing RDS instance’s data at rest, the recommended method is to:

Take a snapshot of the unencrypted DB instance.

Create an encrypted copy of the snapshot using AWS KMS. This encrypted snapshot contains the existing data encrypted at rest.

Restore a new DB instance from the encrypted snapshot. This new instance will have encryption at rest enabled.

Additionally, to manage encryption keys securely, companies can use customer managed keys (CMKs) in AWS Key Management Service (KMS). CMKs provide greater control over key management policies, rotation, and usage permissions compared to default AWS managed keys. Using a CMK allows customization of access control and auditability.

Option A is incorrect because you cannot enable encryption directly on a snapshot; you must create an encrypted copy. Option C is invalid because encryption cannot be enabled by modifying an existing instance’s configuration. Option D refers to the default AWS managed key, which is less flexible than customer managed keys.