AWS Certified Solutions Architect Associate Practice Test (SAA-C03)

The service that enables logging of account actions and automatic detection of top-level user API activity is the correct answer, which is Amazon CloudTrail. It records events that are made within an account and can be set up to generate alerts when specific activities, including those by the top-level account user, are detected. The service known for configuration tracking is not suitable for monitoring account activities directly. The service responsible for identity management does not offer automated detection or alerting for specific user actions. The service focused on threat detection primarily monitors for unusual activity but is not specifically designed for tracking the usages of top-level user credentials.

Attach a resource-based policy (bucket policy) to the S3 bucket that identifies the network administration team's AWS account as the principal and grants only the required permissions. A bucket policy is evaluated in the account that owns the resource and explicitly supports specifying an entire account in the Principal element, which cleanly limits access to that account.

IAM identity-based policies in the security engineers' account cannot by themselves grant principals from another account access to the bucket; a resource-based policy in the bucket owner's account is still required for cross-account access. Although legacy S3 ACLs can grant permissions to another AWS account via that account's canonical user ID, AWS now recommends disabling ACLs and using bucket policies for simpler management and finer-grained control. Restricting access by source IP address does not satisfy the requirement because any principal from any account could still reach the bucket if it originates from the allowed network range.

Establishing groups for each department and assigning the corresponding policies necessary for their access needs would offer the best solution. This strategy enables clear role definition and privilege segregation. Users are allocated to their respective groups, simplifying the administration and modification of permissions in adherence to their roles. The incorrect choices involve strategies that either increase management complexity without providing additional value, mismatch the scenario's requirements, or fail to offer the precise control needed for departmental resource access within a common environment.

Using multiple Availability Zones provides high availability and fault tolerance for applications by distributing resources within a region across physically separated data centers. This ensures that if one Availability Zone becomes unavailable or compromised, others can continue to operate, reducing the potential impact on the application's users. The incorrect answers mention increasing performance and reducing latency, which are benefits related to edge locations and caching respectively, rather than the primary purpose of Availability Zones.

The correct answer is Amazon API Gateway because it securely manages API requests, supports developer access control, handles request transformations, and enforces rate limiting. It integrates with AWS services like Lambda and Cognito, making it ideal for managing web and mobile API traffic. The incorrect options lack full API management capabilities - AWS Direct Connect is for private networking, S3 is for storage, and Cognito only handles authentication. Step Functions is for workflow automation, and Lambda executes backend logic but lacks API request management. While some of these services complement API Gateway, none provide a complete solution on their own.

Using the selected service, enterprises can manage multiple environments by setting up a well-architected baseline, automating the provisioning of new environments, and uniformly applying policy controls across all environments for security and compliance. While the other options provide specific security features or advisory services, they do not offer the comprehensive solution needed for centralized governance and automated environment setup.

Implementing fine-grained access controls by assigning tailored IAM roles to each tier's respective EC2 instances ensures that each tier operates with only the permissions necessary for its duties. This strict adherence to the principle of least privilege prevents excessive permissions that could be exploited in case of a security breach. Providing overarching administrative credentials to all tiers, using root account access, or stripping all permissions contradict the security best practice of granting least privilege to perform required functions and are, therefore, incorrect.

Designing a microservice to be stateless allows any instance of the service to process any incoming request. All state information (for example, user sessions or shopping-cart data) is stored in an external, shared data store such as Amazon DynamoDB or Amazon ElastiCache. Because instances do not rely on locally held state, Auto Scaling groups or container orchestrators can freely add or remove instances, and an Application Load Balancer can route requests to any healthy instance. Approaches that keep state on the instance (sticky sessions, local file storage, or in-memory caches within the service) couple requests to specific instances and hinder horizontal scaling.

The process of federation involves the integration of an external directory service with IAM roles. By setting up federation, users authenticate with their local credentials on their existing directory system and then receive temporary security credentials to operate on the console or interact with services via APIs or CLI. This method honors the principle of least privilege and simplifies credential management while providing secure access. Manually creating IAM users is redundant and insecure for large enterprise environments. Assigning long-term credentials goes against security best practices, making them a poor choice. Lastly, developing a bespoke authentication portal partial to the corporation's internal system does not use AWS built-in mechanisms for secure access management and is less efficient and potentially less secure.

The question asks what can you do to maintain operational continuity if one data center in a region has an outage. Keep in mind that with AWS, one region is made of many data centers groups into availability zones. Therefor, a multi-AZ setup would help mitigate and prevent outages during a data center outage.

Choosing a Multi-AZ deployment for an RDS instance provides high availability by automatically maintaining a synchronous standby replica in a different data center, or Availability Zone. In case of an infrastructure failure, the database will fail over to the standby so that database operations can resume quickly without manual intervention. This choice is the most aligned with the requirement for operational continuity within a single region in the face of a data center outage. The other answers either describe strategies that introduce geographical redundancy, which goes beyond the scope of the question, or load balancing, which does not address the need for automatic failover at the data layer.

Granting s3:GetObject on the specific bucket path arn:aws:s3:::app-logs/* limits both the actions and the resource scope to exactly what the application needs, satisfying the least-privilege principle. The other options either grant broader actions (write or list), apply to every bucket in the account, or use a managed policy that provides read access to all buckets, all of which exceed the stated requirement.

Deploying identical stacks in multiple AWS Regions and using Amazon Route 53 latency-based (or geolocation) routing with health checks fulfills both goals. Each Region serves traffic from the closest users, reducing latency, and EU data can be stored exclusively in the EU Region (for example, eu-central-1) with cross-Region replication disabled, satisfying residency rules. CloudFront or Global Accelerator alone improve network performance but still route dynamic writes to the original Region, violating data-residency. Increasing instance size, placement groups, or dedicated network links also leave the workload single-Region and do not address compliance.

AWS is responsible for protecting the infrastructure that runs AWS services, which includes the physical security of data centers, network infrastructure, and managed service patching, like Amazon RDS. Customers are responsible for managing the security inside the database, such as the data itself, controlling who can access the data, and using encryption to protect the data. While AWS will patch database engines, the logical database schema is within the customer's control, thus the correct answer is 'Patching the underlying database software'.

The correct approach involves setting up trust relationships between accounts by creating roles that can be assumed as needed. The idea is to provide temporary credentials that can be used within certain security parameters defined by the role’s permission policy. This enables the enterprise to control access precisely without having to manage permanent credentials for each developer for each environment, adhering to the principle of least privilege. Generating dedicated user credentials or creating shared roles in both accounts doesn't follow the best practice of using temporary credentials for cross-account access and may not meet security and audit requirements. Enabling direct access by modifying resource policies could compromise security by making the role too permissive and is not aligned with recommended security practices.

An IAM user can enable an MFA device for their own user when their IAM policy grants the required permissions (such as iam:CreateVirtualMFADevice and iam:EnableMFADevice). The root user can enable MFA for the root user credentials, but it is not the only principal that can enable MFA. IAM roles cannot have MFA devices attached, and MFA can be configured through both the AWS Management Console and the AWS CLI.