SAA-C03 Exam Dumps - AWS Certified Solutions Architect - Associate (SAA-C03)

Amazon S3 Intelligent-Tiering is the most cost-effective solution for this scenario, providing both high availability and durability while adjusting automatically to changing access patterns. It moves data across two access tiers: one optimized for frequent access and another for infrequent access, based on usage patterns. This tiering ensures that the company avoids paying for unused storage while also keeping frequently accessed data in a more accessible tier.

Key AWS references and benefits ofS3 Intelligent-Tiering:

High Durability and Availability: Amazon S3 offers 99.999999999% durability and 99.9% availability for objects stored, ensuring data is always protected.

Automatic Tiering: Data is automatically moved between tiers based on access patterns, making it ideal for workloads with unpredictable or variable access patterns.

No Retrieval Fees: Unlike S3 One Zone-IA or Glacier, there are no retrieval fees, making this more cost-effective in scenarios where access patterns vary over time.

AWS Documentation: According to the AWS Well-Architected Framework under theCost Optimization Pillar, S3 Intelligent-Tiering is recommended for storage when access patterns change over time, as it minimizes costs while maintaining availability​.

You cannot encrypt an existing unencrypted RDS DB instance in place. AWS guidance for encrypting an existing RDS PostgreSQL instance is totake a snapshot, create an encrypted copy of that snapshot, and restore a new DB instance from the encrypted snapshot. AWS also documents that encryption uses AWS KMS keys and that customer managed keys are the appropriate choice when you want explicit control over the key used for the new encrypted instance. That makesBthe required migration step andEthe correct key-management step. Option C is invalid because encryption cannot simply be turned on for the existing instance, and option D is not how you create a new AWS-managed default key.

============

Amazon ECS on AWS Fargate with Amazon EFS is the best match because it combines managed container orchestration with shared persistent storage. AWS documentation explains that Amazon EFS volumes can be used with Amazon ECS so tasks can access the same persistent file system regardless of where they run. AWS also notes that EFS volumes are useful for horizontally scaled containerized applications that need shared storage, low latency, and high throughput. Lambda is a poor fit here because Lambda invocations have a maximum timeout of 15 minutes, while the question states processing can take up to 1 hour. Instance store volumes on ECS EC2 are local to the host and do not provide the centralized persistent repository the workload needs. Fargate plus EFS best satisfies performance, duration, and operational efficiency.

============

This solution usesCloudFrontto serve the website securely over HTTPS usingAWS Certificate Manager (ACM)for SSL certificates.Origin Access Control (OAC)ensures that only CloudFront can access the S3 bucket directly.AWS WAFwith an IP set rule restricts access to the website, allowing only the on-premises IP address.Route 53is used to create an alias record pointing to the CloudFront distribution. This setup ensures secure, private access to the website with low administrative overhead.

Option A and B: S3 bucket policies and access points do not provide HTTPS support, nor do they offer the same level of security as CloudFront with WAF.

Option D: Signed URLs are more suitable for temporary, expiring access rather than a permanent solution for on-premises employees.

AWS References:

Amazon CloudFront with Origin Access Control

The correct answer isBbecause the requirement explicitly calls for awrite once, read many (WORM)approach and a mandatory retention period of1 year.Amazon S3 Object Lock in compliance modeis the AWS feature designed specifically for this purpose. It prevents objects from being deleted or overwritten for a fixed retention period, even by privileged users. That directly satisfies the need to preserve confidential medical results for at least one year after creation.

Usingcompliance modeis important because it enforces retention in a way that cannot be bypassed by users or administrators. This is appropriate for regulated workloads such as medical records, where strong immutability controls are required. The company can then useIAM policiesto allow only a small set of approved users to upload new files while granting other authorized users read-only access.

Option A is incorrect becauseMFA Deletehelps protect against accidental deletion, but it does not provide a full WORM retention model and does not prevent overwrites in the same way as Object Lock. Option C is not sufficient because IAM and bucket policies can be changed by administrators with enough permissions and therefore do not provide the same immutable retention guarantee. Option D is overly complex and does not enforce WORM behavior; tracking object hashes only detects changes after the fact.

AWS best practices for immutable retention on S3 recommendS3 Object Lockwhen legal hold or retention requirements exist. For least implementation effort and proper WORM enforcement,S3 Object Lock in compliance modeis the most appropriate solution.

Background Jobs with Event Invocation Type:

The Event invocation type is asynchronous, meaning the Lambda function does not send an immediate result to the API Gateway and processes the request in the background. This is ideal for video encoding tasks that take time.

REST API vs. HTTP API:

REST APIs support advanced features like API keys, request validation, and throttling that HTTP APIs do not support fully.

Since the developer needs API keys and request validations, a REST API is the correct choice.

Integration with Lambda:

AWS Lambda integration is seamless with REST APIs, and using the Event invocation ensures asynchronous processing.

Incorrect Options Analysis:

Option A: HTTP API lacks full support for API keys and validation.

Option CandD: RequestResponse invocation type requires immediate responses, unsuitable for background jobs.

The most secure and manageable way to provide developers with temporary, least-privilege access is by using AWS IAM Identity Center (formerly AWS SSO). IAM Identity Center allows assigning IAM roles with scoped permissions based on the developer’s team role. This ensures no permanent credentials are required and minimizes risk.

Option B enables role-based access with centralized identity and access management, making it the most secure and scalable solution for managing developer permissions.

IAM Access Analyzeris the correct service because AWS documents that it helps identify and reviewunused accessfor IAM users and roles across AWS accounts and organizations. It can generate findings that show where permissions are broader than necessary and can recommend narrower policies when applicable. Network Access Analyzer focuses on network reachability, not IAM over-permission. CloudWatch alarms on user activity do not analyze granted permissions, and Amazon Inspector is not the service for IAM permission-rightsizing. Since the company wants the least administrative overhead across multiple accounts managed with AWS Organizations, IAM Access Analyzer is the AWS-native service purpose-built for this kind of access review. (AWS Documentation)

============