AWS Certified Solutions Architect Associate Practice Test (SAA-C03)

Granting s3:GetObject on the specific bucket path arn:aws:s3:::app-logs/* limits both the actions and the resource scope to exactly what the application needs, satisfying the least-privilege principle. The other options either grant broader actions (write or list), apply to every bucket in the account, or use a managed policy that provides read access to all buckets, all of which exceed the stated requirement.

The correct service is the one specifically designed to create, control, and manage encryption keys and policies. It enables administrators to define user permissions and outline the scope of actions that can be performed with these keys. This service is integral to managing the lifecycle of encryption keys and their accessibility, helping to uphold the principles of confidentiality and integrity in cloud data security.

The capability that allows users to append labels for detailed tracking and categorization of spending is known as cost allocation tags. These tags help users break down their cloud expenditures by project, department, environment, or other organizational dimensions, thereby enabling detailed cost analysis and improving spending visibility. Resource groups and AWS Organizations are used for managing and organizing resources and accounts, but they do not by themselves offer the functionality of categorizing spending through labeling. Spending alarms can notify you when your costs exceed a certain threshold but do not categorize or track costs like cost allocation tags do.

An Amazon RDS instance that has multiple read replicas is ideal for read-intensive workloads. It allows for the database to handle a large number of read requests by distributing them across several read replicas, thus improving the read throughput and offering high availability. Amazon RDS supports the creation and management of read replicas. Using a solution such as Amazon EFS for heavy read traffic scenarios might not offer the required database-like features like ACID properties and query support. While DynamoDB can also support high read rates, the context here points to the use of read replicas, a feature best associated with RDS in a high-read scenario. S3 is primarily an object storage service and, although it supports high read rates, it is not optimized in the way RDS with read replicas is for database-like read intensive workloads.

Batching files together before uploading to Amazon S3 is a cost-effective strategy when dealing with a large number of small files. It reduces the number of PUT requests, which can lower costs, especially because S3 charges for each request. Uploading files individually would generate a significant number of requests, increasing the cost disproportionately in comparison to the actual storage used. Although using S3 Transfer Acceleration might speed up the transfer process and S3 Intelligent-Tiering could help with cost savings over time, they do not address the main cost issue related to the sheer number of PUT requests.

The correct service for this use case is Amazon Macie, which leverages machine learning to automatically discover, classify, and protect sensitive data stored in object storage. It is designed to provide continuous protection, enabling compliance with privacy regulations. This contrasts with other services mentioned: Amazon GuardDuty does not classify or provide protection for data in storage but instead focuses on threat detection and monitoring. Amazon Cognito is not designed for data monitoring but for managing identities and access. AWS Shield protects against DDoS attacks and is not tailored for sensitive data classification or protection in storage services.

Attach a resource-based policy (bucket policy) to the S3 bucket that identifies the network administration team's AWS account as the principal and grants only the required permissions. A bucket policy is evaluated in the account that owns the resource and explicitly supports specifying an entire account in the Principal element, which cleanly limits access to that account.

IAM identity-based policies in the security engineers' account cannot by themselves grant principals from another account access to the bucket; a resource-based policy in the bucket owner's account is still required for cross-account access. Although legacy S3 ACLs can grant permissions to another AWS account via that account's canonical user ID, AWS now recommends disabling ACLs and using bucket policies for simpler management and finer-grained control. Restricting access by source IP address does not satisfy the requirement because any principal from any account could still reach the bucket if it originates from the allowed network range.

The correct service for the described scenario is Amazon RDS Proxy. It allows legacy applications to pool and share database connections, reducing the stress on the database's compute and memory resources when handling many simultaneous connections, which is particularly beneficial during traffic surges. Amazon RDS Proxy functions as a proxy layer between the application and the database layer, enhancing scalability and resilience. The other listed services do not offer proxy capabilities for relational databases, nor are they designed to handle database connections and related scalability in this context.

SNS evaluates each published message against the filter policy that is attached to the subscription. If the attributes (or payload fields) of the message satisfy the policy, the message is delivered to the subscribed SQS queue. If they do not, the message is filtered out and never delivered to that subscription. The publish call itself still succeeds, and other subscriptions without conflicting policies continue to receive the message.

Amazon S3 Standard-Infrequent Access (S3 Standard-IA) is designed for long-lived data that is not accessed often yet still needs rapid (millisecond) retrieval. It delivers the same low-latency performance as S3 Standard, with lower per-GB storage pricing and a retrieval fee. Glacier Flexible Retrieval and Glacier Deep Archive are lower-cost archival classes but require minutes to hours for retrieval, while S3 Standard targets frequently accessed data and has higher storage cost than Standard-IA.

Using a fully managed database proxy service allows ephemeral compute instances, like AWS Lambda functions, to efficiently manage database connections. This service can absorb the variability in concurrent connections, smoothing out spikes in traffic and preserving backend database stability. It achieves this through connection pooling and multiplexing, which enhances application scalability and resilience without exhausting connections. While other options may improve availability (Multi-AZ) or read performance (Read Replica), they do not offer the specific benefits of a managed proxy service when it comes to connection pooling. Scaling the compute engine vertically would not directly solve the problem of efficiently managing a large number of connections and could lead to resource exhaustion under high traffic conditions.

Assigning an IAM role to the EC2 instance with the required permissions is the most secure method. IAM roles provide temporary security credentials that applications can use to access AWS services without the need to store credentials in the instance. The instance profile associated with the IAM role supplies these credentials securely through the instance metadata service.

Hardcoding AWS access keys or storing them in the instance, even in encrypted files or environment variables, poses a risk of credential exposure if the instance or the source code is compromised. IAM roles eliminate the need to manage long-term credentials, enhancing the overall security of the application.

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. For applications requiring daily ETL jobs to process transactional data, especially from Amazon RDS, AWS Glue offers a serverless environment which scales automatically to meet the job’s processing demands. Unlike other services mentioned, AWS Glue is purpose-built for ETL operations, providing an array of tools and integration options for ETL purposes which make it the best choice among the options presented.

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups operate at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups. Network Access Control Lists (NACLs) operate at the subnet level, so they are not the correct answer. Route tables direct network traffic, but do not control or filter traffic like a firewall. Subnet CIDRs are used for IP address allocation within a VPC and have no filtering capabilities.

Amazon S3 Glacier Deep Archive is purpose-built for long-term archival and digital preservation. AWS positions it for customers in highly regulated industries that must keep data 7-10 years or longer for compliance. It provides the lowest cost of all S3 classes, with retrieval in hours, making it ideal when immediate access is not required.

• Amazon S3 Glacier Flexible Retrieval (formerly S3 Glacier) is also archival but costs more and targets use cases that may need retrieval in minutes.
• S3 Intelligent-Tiering automatically moves data among tiers but is not optimized for multi-year compliance archives.
• S3 One Zone-IA stores data in a single AZ and is unsuitable for long-term compliance retention because of its lower resilience.

Amazon S3 (Simple Storage Service) is ideal for storing large amounts of static content like images and videos. It is highly scalable, cost-effective, and designed for web-scale computing, allowing direct access over HTTP(S). This makes it perfect for delivering content to customers via websites and mobile apps.

Amazon EFS (Elastic File System) is meant for file storage accessible by EC2 instances using NFS, not directly over the Internet. Amazon EBS (Elastic Block Store) provides block-level storage for EC2 instances and isn't suitable for serving files directly to users. Amazon ElastiCache is an in-memory data store used for caching, not for persistent storage of files accessible over HTTP(S).

Amazon S3 with Amazon CloudFront is the best choice for serving content at scale with low latency. S3 provides durable storage and easy scalability for storing product images, while CloudFront, a content delivery network (CDN), caches the images close to the users at edge locations, thus reducing latency when accessing these assets during high traffic events. Amazon EBS is not designed for serving static content directly to users and does not integrate with a CDN. Amazon EFS is tailored for file system use cases and not optimized for delivering static content over the internet. Amazon EFS when connected to one or more EC2 instances could potentially handle large workloads, but it is not the most efficient choice when directly serving content at scale to many users compared to using Amazon S3 with CloudFront.

Creating individual roles with precise permissions tailored for each stakeholder equips them with exclusive access to their information, championing the principle of least privilege. This technique is key in preventing inter-stakeholder access and is congruent with established guidelines for safeguarding cloud resources. Arranging stakeholders into groups does not offer the required detail for segregation within a multi-tenant model and service control policies are more fitting for broad organizational constraints rather than fine-grained resource distinction. While integrating a directory with role-based access is a viable security measure, it does not inherently address the segregation of stakeholder data at the architecture level.

Control Tower is designed to manage multi-account environments by providing an automated way to set up a baseline environment with governance and compliance checks against best practices. While it incorporates elements of account management and identity services, it is distinct in providing automated orchestration for a secure and compliant multi-account setup. Organizations is primarily for account management and billing aggregation, does not automate the setup of a secure environment. Identity and Access Management is critical for defining users and permissions, but does not govern multi-account structures. Security Hub focuses on compiling security findings and does not manage account setup or enforce compliance policies.

An Application Load Balancer (ALB) operates at OSI Layer 7 and supports content-based routing rules that inspect host headers, paths, HTTP headers, query strings, and source IP addresses. Network Load Balancer (NLB) and Gateway Load Balancer (GLB) operate at Layer 4 and cannot inspect request content. A Classic Load Balancer offers limited Layer 7 features but lacks modern rule-based routing. Therefore, using an ALB avoids the need to deploy and manage custom proxy tiers, making it the most cost-effective solution when advanced request routing is required.