AWS Certified Solutions Architect Associate Practice Test (SAA-C03)

The Frankfurt region (eu-central-1) supports GDPR compliance and offers multiple Availability Zones for high availability and redundancy. Low-latency access for European users is also ensured given the region's central placement within Europe. Conversely, using US regions would conflict with the EU data residency requirements, and deploying across multiple regions could lead to a complex architecture that unnecessarily increases costs without significant benefits to the users in Europe.

Implementing a cross-account access strategy by creating a role with the necessary permissions in the development environment that can be assumed by engineers from their existing accounts is in line with AWS best practices and securely facilitates the required access. This approach centralizes user management and allows for a streamlined permission model without creating additional users in multiple accounts. Assigning unique credentials for each development account would introduce unnecessary overhead and complicates credential management. Providing a service account is not a user-centric access solution and typically does not cater to individual permissions, risking over-privileged access. Lastly, restricting access entirely defeats the purpose of the requirement and does not provide a solution.

The Pilot Light strategy is correct because it involves having a minimal version of an environment always running in the cloud. This strategy allows a company to rapidly scale up this environment to handle full production load in the event of a disaster, ensuring minimum data loss and rapid recovery. The Warm Standby strategy is more costly as it involves a scaled-down but fully functional version of the environment. Both the Backup and Restore and Active-Active strategies do not fit the criteria as well as Pilot Light; Backup and Restore can involve more extensive data loss and longer recovery times, while Active-Active requires full production-scale environments in two locations, significantly increasing cost.

The correct answer is Amazon Cognito, which allows developers to add user sign-up, sign-in, and access control to their web and mobile applications quickly and easily. It also supports federated authentication with social identity providers, such as Facebook, Google, and Amazon, which is the functionality described in the question. The other services listed have different primary uses: AWS IAM is designed for secure AWS resource management, AWS Control Tower is for governance across multiple AWS accounts, and Amazon GuardDuty specializes in security threat detection and continuous monitoring.

Amazon S3 Glacier is specifically optimized for data archiving, providing secure and durable storage for data that is rarely accessed. It is a cost-effective solution for long-term data retention, such as for regulatory compliance, because it offers lower storage costs compared to other storage classes intended for more frequent access. Amazon S3 Standard is designed for general-purpose storage of frequently accessed data. Amazon S3 Intelligent-Tiering is designed to optimize costs by automatically moving data between access tiers based on changing access patterns. Amazon S3 One Zone-IA provides low-cost storage for infrequently accessed data, but unlike Amazon S3 Glacier, it does not target long-term archival storage needs and retains data in only one Availability Zone.

The correct service is the one specifically designed to create, control, and manage encryption keys and policies. It enables administrators to define user permissions and outline the scope of actions that can be performed with these keys. This service is integral to managing the lifecycle of encryption keys and their accessibility, helping to uphold the principles of confidentiality and integrity in cloud data security.

Auto Scaling is the correct choice because it automatically adjusts the number of EC2 instances in response to changing demand, ensuring that the number of instances scales up when needed during traffic peaks and scales down during low traffic to save costs. Spot Instances, while being cost-effective, are best for workloads with flexible start and end times and can be interrupted, potentially leading to application unavailability during traffic spikes if outbid. EC2 Hibernation saves the instance's state to EBS, which is useful for saving the session state for long-running processes, but does not help with scaling. Reserved Instances provide cost savings for consistent workloads with predictable usage, not unpredictable traffic patterns.

The correct answer is Amazon API Gateway because it securely manages API requests, supports developer access control, handles request transformations, and enforces rate limiting. It integrates with AWS services like Lambda and Cognito, making it ideal for managing web and mobile API traffic. The incorrect options lack full API management capabilities - AWS Direct Connect is for private networking, S3 is for storage, and Cognito only handles authentication. Step Functions is for workflow automation, and Lambda executes backend logic but lacks API request management. While some of these services complement API Gateway, none provide a complete solution on their own.

Amazon Elastic Kubernetes Service is a managed service that allows companies to run Kubernetes clusters on AWS without the need to manage the control plane components. It reduces operational overhead and provides high availability by distributing the control plane across multiple AZs. Deploying Kubernetes on EC2 instances would require the company to manage the control plane themselves, increasing operational effort. Amazon Elastic Container Service is a proprietary service that uses its own orchestration system, which may not be compatible with workloads designed for Kubernetes. AWS Fargate with Amazon ECS allows running containers without managing servers but uses Amazon ECS instead of an open-source orchestration system.

Lifecycle policies allow the automatic transition of objects between different storage classes. By setting up a policy, the financial records can remain in a standard storage class for immediate accessibility for two years, and then automatically transfer to a colder storage option such as Glacier or Glacier Deep Archive. This ensures compliance with access needs and cost optimization when the immediate access requirement expires.

An Application Load Balancer (ALB) is specifically designed to handle HTTP/HTTPS applications and offers advanced request routing capabilities, making it capable of distributing traffic based on the content of the request (such as URL path or host field). This would effectively manage the sudden spikes in traffic by distributing it across multiple EC2 instances, ensuring high availability and elasticity. Network Load Balancer is typically used for TCP, UDP, and TLS traffic where extreme performance and static IP is necessary for the load balancer. Classic Load Balancer is a legacy option that provides basic load balancing across multiple EC2 instances but with less advanced routing capabilities than ALB. A Global Accelerator primarily improves global application availability and performance by directing traffic to optimal endpoints over the AWS global network.

Storing the logs in Amazon S3 Standard is the most cost-effective and scalable solution. Amazon S3 offers durable, highly available storage with low latency access, ideal for storing large amounts of data that need to be accessed quickly. It can automatically scale to store the required amount (400 GB per day × 30 days) without upfront capacity provisioning, reducing costs compared to block or file storage options. Amazon EFS is a managed file system ideal for shared access and persistent file storage, but it is more expensive than S3 for large-scale log storage and not optimized for high-volume data storage with lifecycle management. Amazon EBS is a block storage service primarily used for EC2 instance storage. It's not ideal for large-scale, long-term log storage due to its higher cost and manual management overhead compared to S3.

For managing and automating the transformation of data collected in periodic batches, such as on a daily basis, an efficient service to employ is one that offers capabilities for serverless data integration. The correct service for such batch processing tasks excels at preparing and loading data for analytics and can automate these data preparation steps, which fits the requirements for daily batch ingestion and processing. Other services mentioned are more focused on real-time processing, object storage, and interactive querying, which do not inherently manage the data transformation process for daily batches.

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups operate at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups. Network Access Control Lists (NACLs) operate at the subnet level, so they are not the correct answer. Route tables direct network traffic, but do not control or filter traffic like a firewall. Subnet CIDRs are used for IP address allocation within a VPC and have no filtering capabilities.

By default, a newly created security group in a VPC denies all inbound traffic until you create inbound traffic rules allowing it. This security measure ensures that no unintended services are exposed unless explicitly allowed by the architect or administrator. The 'deny all' default helps in maintaining a secure network posture aligning with the principle of least privilege.