AWS Certified Solutions Architect Associate Practice Test (SAA-C03)

AWS PrivateLink establishes private connections between the internal network of the cloud environment and specific services or applications. This is cost-effective because it keeps the data within the Amazon network, avoiding the public internet which can incur additional costs. Although AWS Direct Connect helps reduce costs for on-premises to cloud data transfer, it's not the primary service for connecting to individual applications within the cloud environment. VPC Peering is used for interconnecting networks, but does not address application-specific routing needs. Internet Gateways and NAT Gateways facilitate public internet access and are contrary to the purpose of minimizing costs through avoidance of public routes.

Amazon Simple Queue Service (SQS) is designed for decoupling producers and consumers with a fully managed message queue. Standard queues provide at-least-once delivery and automatically scale to virtually any throughput, allowing independent scaling of microservices .

Amazon Kinesis Data Streams is optimized for real-time analytics of large, ordered data streams and requires shard management; it is more complex than needed for simple message hand-off and may lose data if consumers fall behind shard retention.

Amazon EventBridge offers at-least-once event delivery but is optimized for routing events to multiple targets and has soft throughput quotas that can throttle extreme burst traffic.

AWS Step Functions orchestrates stateful workflows rather than providing a high-throughput message buffer between microservices.

Therefore, SQS is the most appropriate choice.

The correct approach is to establish the application in multiple AWS Regions near the primary user bases, using an Amazon Route 53 latency-based routing policy. This architecture directly addresses the two main requirements:

• Global Low Latency: By deploying the application's resources (compute and database) in regions close to users in Europe, North America, and Asia, and using latency-based routing, user requests are sent to the region with the lowest network latency.
• High Availability: A multi-region deployment ensures that the application can withstand a complete regional outage, which far exceeds the requirement of surviving a single data center (Availability Zone) failure.

The other options are incorrect for the following reasons:

• Deploying in a single region across multiple Availability Zones provides high availability for failures within that region but fails to provide low latency for a global user base.
• Implementing only a global database cluster or using cross-region read replicas are incomplete solutions. They only address the data layer. A complete solution requires deploying the application and compute resources in multiple regions as well. Furthermore, for a 'highly transactional' application, simply having read replicas in other regions does not solve for write latency, as writes must still travel to the primary database instance.

AWS customer-managed KMS keys give the security team full control over the key policies, aliases, and rotation settings. Automatic rotation can be enabled (default 365 days, or a custom period from 90 - 2560 days), so the keys are refreshed on a schedule without manual effort. AWS-managed keys also rotate automatically every year, but the organization cannot view the key policies, attach custom policies, or adjust the rotation schedule; therefore they do not satisfy the requirement for centralized key management. Manually rotating keys through scripts or developer processes introduces operational overhead and potential error, and does not leverage KMS's built-in automation.

Implementing a gateway that directly connects the isolated environment to the object storage service via private networking ensures that the data does not traverse the public internet, thereby maintaining a high security posture. This gateway referred to as an endpoint specific to a service, allows for private communication between the network where the instances are hosted and the object storage service. Utilizing public IP addresses, NAT devices, or VPN connections would not satisfy the condition of keeping all traffic within the private network infrastructure.

A bucket policy is a resource-based policy evaluated in the bucket's account. Option A adds an explicit Deny for the delete APIs when the request comes from any account other than 111111111111, so it blocks every cross-account principal while allowing in-account operations. Identity-based policies in other accounts (Option B) cannot override permissions in the production account. S3 Block Public Access (Option C) affects public (anonymous) access, not authenticated cross-account principals. ACLs (Option D) can only grant permissions; they cannot explicitly deny or scope by account, so they do not meet the requirement.

Cost allocation tags enable detailed tracking of cloud resource costs by tagging resources with key-value pairs, such as tagging them with the respective department's name. This facilitates detailed cost attribution to each department, based on their actual resource use, thus aiding in accurate internal chargebacks and financial governance. Using tags can make it easier to organize and visualize spending on cost management dashboards and reports. AWS Budgets is more about setting limits and forecasting, without assigning costs to specific entities. Multi-account billing consolidates payment across accounts, but does not attribute costs. Savings Plans offer discounted prices for committed usage and do not attribute costs to individual users or departments.

Amazon Comprehend is a fully managed natural language processing (NLP) service that can discover topics in a collection of documents (topic modeling) and perform real-time sentiment analysis, key-phrase extraction, and other NLP tasks without requiring any machine-learning expertise. It converts unstructured text such as lecture transcripts into structured data for downstream analytics. Amazon Polly (text-to-speech), AWS Elemental MediaConvert (media transcoding), and Amazon Translate (machine translation) do not provide topic discovery or sentiment analysis capabilities on text.

With AWS Fargate you specify only the vCPU and memory each task needs and are billed per-second for those resources. There are no EC2 instances to manage, so you avoid paying for idle cluster capacity. This makes AWS Fargate the most cost-effective choice for highly variable, bursty container workloads. EC2-based options (whether On-Demand, Spot, or Reserved) require running EC2 instances that may sit idle between spikes, while EKS on self-managed nodes has similar instance costs and management overhead.

Macie is designed to automatically discover, classify, and protect sensitive data stored in AWS, particularly in S3 buckets. It uses machine learning to recognize PII such as names, addresses, and credit card numbers. This makes it the best choice for the company's requirement to identify and protect PII in their data. GuardDuty is a threat intelligence service that monitors traffic for malicious activity and unauthorized behavior but does not provide data classification capabilities. WAF (Web Application Firewall) helps protect web applications from common web exploits but is not used for data discovery or classification. Shield provides protection against Distributed Denial of Service (DDoS) attacks but does not offer data classification or PII detection.

AWS Budgets allows users to set custom cost and usage budgets and receive alerts when costs or usage exceed (or are forecasted to exceed) those budgets. This helps in proactive cost management by notifying users before unexpected charges occur. AWS Cost Explorer helps visualize and analyze costs over time but does not provide alerting on budget thresholds. AWS Cost Anomaly Detection monitors spending patterns and alerts on unusual cost spikes but does not allow setting predefined budget limits. AWS Cost and Usage Report provides detailed reports on usage and costs but lacks budgeting alerts.

Using a serverless compute service such as AWS Lambda that runs code in response to events is the best fit for these requirements. Serverless computing allows developers to focus on writing code without managing servers, and charges are incurred when the code is running. This is ideal for intermittent tasks like image processing triggered by user uploads. Virtual servers with auto-scaling and container orchestration platforms still require infrastructure management and incur costs even when idle. Managing applications in dedicated virtual machines involves the most overhead and does not align with minimizing management and paying for execution time.

Amazon S3 is an object storage service. Objects are stored in buckets with a key and optional metadata, and there is no requirement to define tables, columns, or other rigid relational structures before storing data. Because of this schemaless design, S3 is not used as the primary storage engine for traditional relational database workloads that rely on fixed schemas and SQL relationships. Relational data is better hosted on services such as Amazon RDS or Amazon Aurora, while S3 remains ideal for unstructured or semistructured data, backups, and data-lake use cases.

Configure an S3 Lifecycle rule that transitions the objects to S3 Standard-Infrequent Access (Standard-IA) 60 days after upload. Standard-IA offers the same millisecond latency and 11-nines durability as S3 Standard at a lower storage cost, with a 30-day minimum-storage duration that the workload already satisfies. Add a second transition to move the objects to S3 Glacier Flexible Retrieval (formerly "S3 Glacier") after they are 365 days old. Glacier Flexible Retrieval provides the lowest-cost archive tier that still allows retrieval in minutes to hours-adequate for the client's occasional access needs. S3 One Zone-IA is not chosen because, although it has the same durability as Standard-IA, it stores data in a single Availability Zone and offers lower availability (99.5%), making it less suitable for a primary copy that must remain available. Leaving the data in S3 Standard or moving it directly to Glacier after 60 days would either cost more or slow access during the high-access period.

Implementing read replicas in various data center facilities (Availability Zones) not only spreads the load of customer queries across multiple sources but also ensures that the application can failover to other replicas in case of an outage. This is the most effective solution to address both read traffic performance and availability concerns without changing the primary data source configuration. Adding indexes may improve query performance but will not address the potential for an outage. Making the database instance larger will increase overall capacity but is a less targeted solution for read scalability and does not provide multi-facility resilience. Enabling cross-region replication adds geographical distribution but could introduce additional latency for the reads and doesn't address the immediate need to spread the read load.