SAA-C03 Amazon Web Services AWS Certified Solutions Architect - Associate (SAA-C03) Free Practice Exam Questions (2026 Updated)

The requirement is for workloads inside a VPC to resolve private DNS names that are hosted on-premises over a VPN connection. The most secure and AWS-recommended method to achieve this is to use Amazon Route 53 Resolver outbound endpoints with forwarding rules.

Option A enables DNS queries that originate in the VPC to be securely forwarded to on-premises DNS servers through the VPN connection. A Route 53 Resolver outbound endpoint provides elastic, managed DNS forwarding capability without exposing DNS services to the public internet. By creating a Resolver rule, the company can define which domain names (for example, internal corporate domains) should be forwarded to specific on-premises DNS IP addresses. Associating the rule with the VPC ensures only authorized VPCs can use this resolution path.

Option B is used for the opposite scenario: when on-premises systems need to resolve private DNS names hosted in AWS, not when AWS needs to resolve on-premises names. Option C is invalid because Route 53 private hosted zones can only be associated with VPCs, not directly with on-premises networks. Option D is insecure because it exposes internal service records publicly and violates the requirement for private DNS.

Therefore, A is the most secure solution because it keeps DNS resolution private, uses managed AWS infrastructure, integrates cleanly with VPN connectivity, and follows AWS hybrid DNS best practices.

The correct design is to useRoute 53 failover records, with theprimary record pointing to the ALB and associated with a health check, and thesecondary record pointing to the static website. Route 53 failover routing is designed to return the primary resource when it is healthy and automatically return the secondary resource when the primary becomes unhealthy. The health check is attached to the primary failover record so Route 53 knows when to fail over. You do not need a Lambda function to switch records manually, because Route 53 provides built-in DNS failover. The secondary record does not need its own health check for this pattern. That is whyC and Eare the right combination. (AWS Documentation)

============

The requirement is to route users to the nearest AWS Region where the application is deployed. The best solution is to use Amazon Route 53 with a geolocation routing policy, which routes traffic based on the geographic location of the user making the request.

Geolocation Routing: This routing policy ensures that users are directed to the resources (in this case, EC2 instances) that are geographically closest to them, thereby reducing latency and improving the user experience.

Application Load Balancer (ALB): Within each Region, an internet-facing Application Load Balancer (ALB) is used to distribute incoming traffic across multiple EC2 instances in different Availability Zones. ALBs are designed to handle HTTP/HTTPS traffic and provide advanced features like content-based routing, SSL termination, and user authentication.

Why Not Other Options?:

Option B (Geoproximity + NLB): Geoproximity routing is similar but more complex as it requires fine-tuning the proximity settings. A Network Load Balancer (NLB) is better suited for TCP/UDP traffic rather than HTTP/HTTPS.

Option C (Multivalue Answer Routing + ALB): Multivalue answer routing does not direct traffic based on user location but rather returns multiple values and lets the client choose. This does not meet the requirement for geographically routing users.

Option D (Weighted Routing + NLB): Weighted routing splits traffic based on predefined weights and does not consider the user ' s geographic location. NLB is not ideal for this scenario due to its focus on lower-level protocols.

AWS References:

Amazon Route 53 Routing Policies- Detailed explanation of the various routing policies available in Route 53, including geolocation.

Elastic Load Balancing- Information on the different types of load balancers in AWS and when to use them.

To ensure container images are secure and to notify administrators about vulnerabilities, the solution needs (1) a vulnerability scanning capability for container images and (2) a notification mechanism that alerts when findings occur. Amazon Inspector provides automated security assessments and can scan container images stored in Amazon ECR to identify software vulnerabilities and unintended network exposure patterns, producing findings that can be acted upon. Therefore, D addresses the core requirement of detecting vulnerabilities in container images.

To notify administrators with minimal custom work, AWS Config can help by evaluating resources against desired configurations and integrating with notifications through AWS services (for example, via Amazon SNS using Config rules/conformance packs). Using the AWS Config conformance pack for Amazon ECS helps establish a managed set of compliance checks aligned to ECS-related best practices. While Inspector is the system that detects vulnerabilities, Config can be used to enforce and monitor governance controls around the container environment and can trigger notifications when noncompliance is detected. In exam patterns, pairing an Inspector detection capability with a managed governance/notification framework like Config is a common “two-part” answer.

The other options do not meet the requirement: A (privileged mode) can increase risk rather than improve image security; logging does not equal vulnerability detection. C is unrelated because AWS WAF protects web applications at the edge and does not scan container images for CVEs. E is incorrect because Parameter Store stores configuration data and secrets; it does not encrypt container images (ECR encryption at rest is handled by AWS-managed mechanisms and KMS integration, not Parameter Store).

So D provides scanning and B supports managed compliance/notification controls with low operational overhead.

S3 replication is the right service because it is the native mechanism for automatically copying objects to another bucket, including buckets in another AWS account. AWS documentation also states that to replicate SSE-KMS encrypted objects, you must grant additional permissions in the replication configuration, which aligns with the scenario’s KMS setup. The requirement for availability within several minutes points directly toS3 Replication Time Control, which AWS says replicates most objects in seconds and 99.9% within 15 minutes. The replicated objects remain in S3 and are immediately accessible in the destination bucket. AWS Backup and Batch Operations do not provide the same near-real-time replication behavior for newly written objects. Therefore, cross-account S3 replication with S3 RTC is the best answer. (AWS Documentation)

============

Here isQUESTION NO: 21 to 30in the sameTXT-only uniqueformat.

This workload has apredictable recurring traffic pattern, so the most operationally efficient solution isscheduled scalingin Amazon EC2 Auto Scaling. AWS documentation states that scheduled actions let you change desired capacity at specific times or on recurring schedules. That is a direct match for weekend peaks from 6 PM to 11 PM. EventBridge plus Lambda would work but adds unnecessary components. Target tracking is better for reactive scaling, while the question describes a predictable pattern that should be handled proactively. Therefore, a scheduled scaling action with recurrence is the best answer.

============

The best AWS-native design isAmazon Kinesis Data Streamsfor real-time ingestion andAmazon OpenSearch Servicefor near-real-time search and analytics. AWS describes OpenSearch Service as a managed search and analytics engine for real-time application monitoring and similar use cases, and AWS also provides architectures for delivering real-time data from Kinesis into OpenSearch. QuickSight is then appropriate for dashboards and visualizations. The other answers either introduce more operational overhead or use services that are not the best fit for real-time search workloads. For an on-premises search application moving to AWS, Kinesis plus OpenSearch is the most natural managed solution.

============

To track costs by department, you must activate the custom department tag as a cost allocation tag in the AWS Organizations management account. Once activated, Cost Explorer and cost and usage reports can group costs by this tag for all linked accounts. The most operationally efficient way is to activate only the relevant department tag and create a cost and usage report grouped by that tag.

AWS Documentation Extract:

“To use a tag for cost allocation, you must activate it in the AWS Billing and Cost Management console. After activation, you can use the tag to group costs in Cost Explorer and reports.”

(Source: AWS Cost Management documentation)

A, E: aws:createdBy is not related to department cost grouping and is unnecessary.

B: Applying extra filters is optional; D is more direct and operationally efficient.

The most cost-effective general solution isDynamoDB auto scaling. AWS recommends atarget utilization of 70%for provisioned throughput with auto scaling, which lets DynamoDB adjust capacity up or down based on sustained workload patterns. That improves both read and write performance while controlling cost better than manual scaling. A GSI is only useful for specific alternate query patterns and does not solve overall throughput management by itself. DAX helps only with read-heavy caching, not writes. A custom CloudWatch-plus-Lambda scaling solution adds unnecessary operational work compared to native auto scaling. Because the question asks broadly for read and write performance at the best cost, auto scaling with the recommended 70% target is the strongest answer.

============

The correct answer isBbecause the company has apredictable baseline workloadthat will run forat least 1 year, plus atemporary 2-week increasein demand during a holiday period. The most cost-effective approach is to use a long-term discount option for the steady-state workload and a flexible pricing model for the short-term burst capacity.

AnEC2 Instance Savings Planis a strong fit for the existing workload because it provides cost savings for committed EC2 usage while matching a stable, predictable application footprint. Since the company is already using EC2 and the workload pattern is known, this is an efficient commitment for the baseline capacity. For the additional temporary holiday demand,On-Demand Instancesare appropriate because the extra capacity is needed only for a short duration. This avoids overcommitting to capacity that will not be used after the holiday period ends.

Option A is less cost-effective because it misses the savings opportunity for the predictable baseline workload. Option C is incorrect because the application is described asstateful, which makesSpot Instancesa poor fit due to potential interruption. Option D is incorrect because purchasing a 12-month commitment for both the normal workload and the temporary holiday increase would likely result in paying for excess committed usage after the 2-week peak ends.

AWS cost optimization guidance recommends usingdiscounted commitment models for steady-state usageandOn-Demandfor short-lived, temporary spikes. Therefore, the best answer is to use anEC2 Instance Savings Planfor the baseline andOn-Demand Instancesfor the seasonal increase.

To build a distributed, serverless, event-driven workflow with minimal operational overhead, AWS Step Functions orchestrating AWS Lambda is the best fit. Step Functions provides a managed state machine service that coordinates multiple steps, handles retries and error handling patterns, and maintains execution state without requiring the company to run orchestration servers. Lambda provides serverless compute for each workflow task, scaling automatically with demand and eliminating server management.

Option D directly matches “performing different aspects of the workflow” because Step Functions is specifically designed to model multi-step business processes and coordinate activities across services. It also aligns with “minimize operational overhead” because both Step Functions and Lambda are managed services: there are no instances to patch, no cluster management, and scaling is handled by the platform.

Option B contradicts the serverless goal by deploying the application on EC2 instances, increasing operational overhead (capacity management, patching, scaling, and availability concerns). Option C mixes eventing with scheduling: EventBridge can route events, but invoking Lambda “on a schedule” is not the same as orchestrating a multi-step workflow with branching, waiting, retries, compensation, and state tracking. EventBridge is excellent as an event bus, but Step Functions is the purpose-built workflow orchestrator. Option A is a mismatch because AWS Glue is primarily an ETL/data integration service; while it can run jobs and triggers, it is not the general workflow orchestrator for arbitrary application steps, and using it to invoke Lambda for a broad workflow is less direct and typically less operationally clean than a Step Functions state machine.

Therefore, D is the most aligned solution for serverless, distributed workflow orchestration with low operational burden.

To securely integrate Amazon S3 with an application that uses Amazon Cognito for user authentication, the following two steps are essential:

Step 1: Create an Amazon Cognito Identity Pool (Option A)

Amazon Cognito Identity Poolsallow users to obtain temporary AWS credentials to access AWS resources, such as Amazon S3, after successfully authenticating with the Cognito user pool. The identity pool bridges the gap between user authentication and AWS service access by generating temporary credentials using AWS Identity and Access Management (IAM).

Once a user logs in using theCognito User Pool, the identity pool providesIAM roles with specific permissionsthat the application can use to access S3 securely. This ensures that each user has appropriate access controls while accessing the S3 bucket.

This is a secure way to ensure that users only have temporary and least-privilege access to the S3 bucket for their documents.

Step 2: Create an Amazon S3 VPC Endpoint (Option C)

By creating anAmazon S3 VPC endpoint, the company ensures that communication between the application (which is hosted in a private subnet) and the S3 bucket occurs over theAWS private network, without the need to traverse the internet. This enhances security and prevents exposure of data to public networks.

TheVPC endpointallows the application to access the S3 bucket privately and securely within the VPC. It also ensures that traffic stays within the AWS network, reducing attack surface and improving overall security.

Why the Other Options Are Incorrect:

Option B: This is incorrect becauseAmazon Cognito User Poolsare used for user authentication, not for generating S3 access tokens. To provide S3 access, you need to useAmazon Cognito Identity Pools, which offer AWS credentials.

Option D: ANAT gatewayis unnecessary in this scenario. Using aVPC endpointfor S3 access provides a more secure and cost-effective solution by keeping traffic within AWS.

Option E: Attaching a policy to restrict access based on IP addresses is not scalable or efficient. It would require managing users’ dynamic IP addresses, which is not an effective security measure for this use case.

AWS References:

Amazon Cognito Identity Pools

Amazon VPC Endpoints for S3

Predictive scaling automatically analyzes historical workload patterns, forecasts future capacity needs, and launches instances ahead of time. AWS documentation states that predictive scaling is designed for workloads with recurring, cyclical patterns—such as scheduled weekly batch jobs.

It also supports " pre-launching " capacity before peak demand. This eliminates manual trend analysis and delivers the lowest operational overhead.

Scheduled scaling (Option B) works but requires manual calculation of capacity numbers and updating if patterns change. Predictive scaling removes this burden entirely.

=====================================================

Amazon FSx for Lustreis a high-performance, fully managed file system that is ideal for applications requiring low-latency access to shared storage, especially in use cases like gaming where high throughput and low latency are essential. It integrates easily with EC2 instances, providing fast and scalable shared storage, and supports custom protocols for specific application needs.

Option A (FSx File Gateway): FSx File Gateway is designed for hybrid cloud storage and is not suited for high-performance gaming workloads.

Option B (EC2 Windows instance): Setting up a file share on a Windows instance would introduce additional administrative overhead and would not provide the necessary performance.

Option C (EFS with Lustre): While Lustre is integrated with FSx, EFS does not natively support Lustre.

AWS References:

Amazon FSx for Lustre

The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.

AWS Lake Formation supports tag-based access control (TBAC) using LF-tags (Lake Formation tags), which allows you to assign tags to tables, columns, and databases. You can then define permissions on resources by specifying tags rather than managing permissions for individual resources. This approach is highly scalable and efficient when dealing with a growing number of tables and columns. By associating IAM roles to departments and granting access based on LF-tags, you dramatically reduce the operational burden as new tables or columns are added; you only need to assign the appropriate tags.

Amazon Athena can directly query data in S3 with Lake Formation providing fine-grained access control.

AWS Documentation Extract:

" With LF-tag-based access control, you can grant permissions to resources based on tags, making it easy to manage access at scale, especially in environments with large and dynamic numbers of resources. "

" LF-tags provide a scalable way to manage permissions for large numbers of resources without having to define permissions individually for each table or column. "

(Source: AWS Lake Formation documentation, Access Control, Tag-Based Access Control)

Other options:

A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.

B & D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.

Key Requirements:

Handle traffic spikes efficiently and reduce latency caused by cold starts.

Optimize costs during low traffic periods.

Analysis of Options:

Option A:

Provisioned Concurrency:Reduces cold start latency by pre-warming Lambda environments for the required number of concurrent executions.

AWS Application Auto Scaling:Automatically adjusts provisioned concurrency based on demand, ensuring cost optimization by scaling down during low traffic.

Correct Approach:Provides a balance between performance during traffic spikes and cost optimization during idle periods.

Option B:

Using EC2 instances with Auto Scaling introduces unnecessary complexity for a serverless architecture. It requires additional management and does not address the issue of cold starts for Lambda.

Incorrect Approach:Contradicts the serverless design philosophy and increases operational overhead.

Option C:

Setting a fixed concurrency level ensures performance during spikes but does not optimize costs during low traffic. This approach would maintain provisioned instances unnecessarily.

Incorrect Approach:Lacks cost optimization.

Option D:

Using EventBridge Scheduler for periodic invocations may reduce cold starts but does not dynamically scale based on traffic demand. It also leads to unnecessary invocations during idle times.

Incorrect Approach:Suboptimal for high traffic fluctuations and cost control.

AWS Solution Architect References:

AWS Lambda Provisioned Concurrency

AWS Application Auto Scaling with Lambda

To grant cross-account access to an Amazon S3 bucket, you can use a bucket policy that specifies the AWS account ID of the account you want to grant access to. This method allows Account B to access the S3 bucket in Account A without the need for additional services or configurations.

To improve the performance of the primary RDS PostgreSQL database during business hours and reduce the load, the best solution is to create aread replicain the same region (us-east-1). This will offload the read-heavy operations (like generating reports) to the replica, reducing the burden on the primary instance, which improves overall performance. Additionally, read replicas provide near real-time replication, making them ideal for real-time reporting use cases.

Option A (cross-Region read replica): This adds unnecessary latency for real-time reporting and increased costs due to cross-region data transfer.

Option B (Multi-AZ): Multi-AZ deployments are for high availability and disaster recovery but won’t offload the read traffic, as the standby database cannot serve read requests.

Option C (AWS DMS replication): This adds complexity and is not as cost-effective as using an RDS read replica for the same region.

AWS References:

Amazon RDS Read Replicas

Amazon RDS Performance Best Practices

Amazon ECS on AWS Fargate with Amazon EFS is the best match because it combines managed container orchestration with shared persistent storage. AWS documentation explains that Amazon EFS volumes can be used with Amazon ECS so tasks can access the same persistent file system regardless of where they run. AWS also notes that EFS volumes are useful for horizontally scaled containerized applications that need shared storage, low latency, and high throughput. Lambda is a poor fit here because Lambda invocations have a maximum timeout of 15 minutes, while the question states processing can take up to 1 hour. Instance store volumes on ECS EC2 are local to the host and do not provide the centralized persistent repository the workload needs. Fargate plus EFS best satisfies performance, duration, and operational efficiency.

============

AWS Certificate Manager (ACM) issues and automatically renews public TLS certificates used by Amazon CloudFront. With DNS validation, ACM creates CNAME records that prove domain control; once validated, renewals occur automatically without manual approval, providing the lowest operational effort. For CloudFront, ACM certificates must be in the US East (N. Virginia) Region. CloudFront security policies (A) configure protocol/cipher requirements, not certificate issuance. OAC (B) secures origin access and is unrelated to certificate management. Email validation (D) requires mailbox approvals and operational handling at issuance/renewal, which is less efficient than DNS validation. Thus, ACM with DNS validation delivers automated creation and renewal with minimal overhead.

Option Bensures the use of S3 Object Lock and Versioning to meet compliance for immutability. CloudFront enhances performance while a bucket policy ensures secure access.

Option Alacks immutability safeguards.

Option Cintroduces unnecessary complexity.

Option Dmisses out on additional security benefits offered by CloudFront.

The job runs for about 1 hour and must not be interrupted, so Lambda is not suitable because AWS Lambda has a maximum execution time of 15 minutes. Fargate Spot is also not appropriate because the workload explicitly cannot tolerate interruption. The most cost-effective remaining design is to run the Python script on an EC2 On-Demand instance only during the nightly processing window and automate instance start/stop around the schedule. That avoids paying for compute all day while preserving uninterrupted execution during the job. The Step Functions Express option is not the natural fit for a single long-running Python job of this type. Therefore, an EC2 instance scheduled to run only when needed is the most economical answer among the choices.

============

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

The correct answer isDbecause the application peak hours occur at thesame time each day, and the performance issue happens specifically at thestart of peak hours. This indicates that the company knows in advance when additional capacity will be needed. Ascheduled scaling policyis the most appropriate solution because it allows the Auto Scaling group to increase capacitybeforedemand rises, ensuring that instances are already launched and available when users begin accessing the application.

Dynamic scaling based on CPU or memory reacts onlyafterutilization increases. Because launching EC2 instances takes time, reactive scaling can lead to delays and degraded user experience at the beginning of peak periods. That directly matches the problem described in the question, where performance is slow at the start but normalizes later once capacity catches up. Scheduled scaling solves this by making capacity available proactively.

Option A is incorrect because an Application Load Balancer distributes traffic among existing instances but does not add capacity ahead of predictable demand. Option B is incorrect because Auto Scaling does not natively scale on memory utilization unless a custom metric is configured, and even then it would still be reactive rather than proactive. Option C is also incorrect because CPU-based dynamic scaling reacts after demand increases and therefore may not prevent the startup lag during peak traffic.

AWS design guidance recommends usingscheduled scalingwhen traffic patterns are predictable and occur at known times. This approach improves application responsiveness and user experience by making sure enough EC2 capacity is available before the workload surge begins.

Amazon Macie: Detects sensitive data such as PII in S3 buckets using machine learning.

EventBridge Rule: Filters Macie findings for specific sensitive data events (e.g., SensitiveData).

SNS Notification: Provides real-time alerts to the security team for immediate action.

Amazon Macie Documentation,Amazon EventBridge Documentation

The correct answer isBbecause the application isMicrosoft Windows-based, requiresshared storage, must use theSMB protocol, and needs to beresilient.Amazon FSx for Windows File Serveris the AWS managed file storage service built specifically for Windows workloads. It provides nativeSMB access, integration with Windows environments, and managed shared file storage for multiple application servers.

AMulti-AZ deploymentis the key feature that satisfies the resilience requirement. Multi-AZ FSx for Windows File Server stores data synchronously across Availability Zones and can automatically fail over to a standby file server in another Availability Zone if the primary becomes unavailable. This ensures high availability for shared file access and reduces the risk of application disruption.

Option A is incorrect becauseAmazon S3is object storage and does not natively provide SMB shared file semantics in the way required by Windows applications. Option C is incorrect becauseAmazon EBSvolumes are block storage volumes that are generally attached to a single instance and are not the standard solution for resilient multi-instance shared SMB storage. Option D is incorrect becauseAmazon FSx File Gatewayis used to provide on-premises access to Amazon FSx file systems and is not the primary shared storage service required for this cloud-native application design.

AWS storage guidance recommendsAmazon FSx for Windows File Serverfor Windows applications that need managed file shares over SMB. When resilience is required, aMulti-AZ deploymentis the most appropriate architecture.

Amazon EFS is the best fit because it is a fully managed, elastic file storage service for Linux workloads, and it scales automatically without pre-provisioning capacity. AWS documentation states thatElastic throughputautomatically scales throughput up or down for spiky or unpredictable workloads, which matches the varying access pattern in the question. AWS also documents thatEFS lifecycle managementandEFS Intelligent-Tieringautomatically transition files between storage classes based on access patterns, which provides the native tiering requirement. FSx for Windows is not the right operating-system fit, and using EC2 plus EBS would require more manual storage management. Therefore,EFS with Elastic throughput and Intelligent-Tieringis the most cost-effective managed design. (AWS Documentation)

============

Auto Scalingis the most effective solution for ensuring seamless scalability of a stateless application. Key points:

Dleverages Auto Scaling with a Spot Fleet for cost efficiency and attaches an ALB to distribute traffic.

A and Bdo not provide automated scaling and would require manual intervention to add more instances.

Cchanges the instance type but does not scale out horizontally, which is required here.

AWS Documentation Reference:

Amazon EC2 Auto Scaling

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The key constraint is no application code changes, while the observed failure mode during spikes is heavy write load on the database that makes the site unresponsive. Scaling the web tier alone (Option B) may not help if the database is the bottleneck; in fact, adding more EC2 instances can increase concurrent write pressure and worsen the database overload. Caching (Option A) would require modifying the application to use Redis for query caching, which violates the no-code-change requirement. Option C is not a fit: CloudFront caching is effective for cacheable content, but authenticated, personalized pages are typically not cacheable without application changes, and “write throttle” is not a standard CloudFront feature to protect the database.

Migrating from RDS for MySQL to Amazon Aurora Serverless is a managed approach designed to automatically adjust database capacity to match workload demand, which is well suited to “low baseline traffic with occasional sudden spikes.” By setting an appropriate maximum capacity, Aurora Serverless can scale to handle bursts more gracefully than a fixed-size RDS instance, improving availability during unpredictable demand. This reduces operational overhead because capacity management is largely handled by the service rather than by manual instance resizing or complex scaling scripts.

The final step—configuring EC2 instances to connect to the new Aurora endpoint—is an infrastructure configuration change, not an application code rewrite. The application continues to speak the same MySQL-compatible protocol (Aurora MySQL-compatible), preserving compatibility while improving resilience to spikes.

Therefore, D best meets the requirement to improve availability during sudden traffic increases driven by heavy database writes, with minimal operational effort and no application code changes.

The correct approach is to attach anIAM roleto the EC2 instance profile and grant that role permission to read the secret fromAWS Secrets Manager. AWS documentation states that Secrets Manager uses IAM for authentication and authorization, and EC2 instance profiles are the supported mechanism for providing temporary credentials to applications running on EC2 instances. This avoids hardcoded credentials and removes the need for long-term access keys on the server. The other options either misuse IAM users, rely on the wrong access mechanism, or do not reflect how Secrets Manager permissions are normally granted to workloads.

============

Amazon RDS Multi-AZ deployment provides automated failover and increased availability for MySQL databases. In case of infrastructure failure or power outage in one Availability Zone, RDS automatically fails over to a standby replica in another AZ, minimizing downtime. This is the AWS-recommended way to achieve high availability for relational databases.

AWS Documentation Extract:

" Amazon RDS Multi-AZ deployments provide high availability, failover support, and data redundancy for database instances. In the event of infrastructure failure, Amazon RDS performs an automatic failover to the standby. "

(Source: Amazon RDS documentation, High Availability)

A: An ALB does not increase availability for a single database instance.

B: EC2 instance recovery does not move the instance across Availability Zones.

D: Termination protection prevents accidental deletion, not availability issues.

Amazon RDS Performance Insights is a “database performance tuning and monitoring feature” that can be enabled with a few clicks and “helps you quickly assess the load on your database” and identify bottlenecks. It surfaces key metrics, including DB load, top SQL, waits, and host metrics such as CPU utilization, which are commonly used indicators for right-sizing (up or down). This provides the lowest operational effort compared to building log pipelines or querying CloudTrail (which does not capture SQL workload characteristics). AWS X-Ray traces application requests, not database internals, and CloudWatch Logs aggregation requires custom ingestion and analysis. Enabling Performance Insights directly on the RDS instance provides actionable utilization data to right-size with minimal setup.

AWS Control Tower provides automatic account governance, centralized logging, CloudTrail aggregation, and integrates directly with AWS Security Hub, which evaluates compliance against FSBP standards. This is the lowest operational overhead AWS-native solution.

AWS Global Accelerator is designed to improve the availability and performance of applications with global users by using the AWS global network. It provides static anycast IP addresses and routes user traffic over the AWS edge network to the optimal AWS Region and endpoint based on health, geography, and routing policies. Global Accelerator supports both TCP and UDP traffic and can have Network Load Balancers as endpoints.

For latency-sensitive workloads such as multiplayer gaming, Global Accelerator reduces latency and jitter compared to internet-based routing and handles Regional failover quickly.

CloudFront (Option A) is optimized for HTTP/HTTPS content caching and is not appropriate for arbitrary TCP/UDP gaming traffic. Application Load Balancers (Option B) do not support UDP traffic. API Gateway (Option D) is for HTTP APIs and is not suitable for raw TCP/UDP game traffic.

Amazon S3 File Gateway (AWS Storage Gateway) exposes an on-premises NFS/SMB file share that durably stores files as S3 objects with local caching, enabling low-latency writes on-premises and asynchronous, near-real-time ingestion into Amazon S3 for analytics. It is purpose-built to “present a file interface backed by Amazon S3” and to “store files as objects in your S3 buckets,” so existing applications writing to a network share can transparently land data in S3 without custom scripts or job orchestration. Compared with scheduled transfers (e.g., end-of-day DataSync), S3 File Gateway continuously uploads new/changed files, better meeting the near-real-time requirement. Transfer Family (SFTP) would require custom polling and client changes, increasing operational burden. DataSync is excellent for bulk or periodic migrations/synchronizations but is not as seamless for continuous ingestion from a live file share. Therefore, updating the application to point to an S3 File Gateway share provides the simplest, performant path to near-real-time delivery into S3 for downstream analytics.

Tape Gateway is purpose-built for organizations that want tokeep their existing tape backup workflowswhile moving the tape infrastructure to AWS. AWS documentation states that Tape Gateway provides cloud-backed virtual tape storage and can archive tapes toS3 Glacier Flexible Retrieval or S3 Glacier Deep Archive. Because the company needs 10-year retention and wants the most cost-effective archive tier,Glacier Deep Archiveis the best fit. This approach also avoids redesigning the backup process, which is one of the explicit requirements. Snowball can move data in bulk, but it changes the workflow and the storage-class target in option C is not the lowest-cost long-term archive. Tape Gateway aligns directly with both operational continuity and archival economics.

============

Amazon EFS requires a mount target in each Availability Zone where EC2 instances access the file system. This is because each mount target provides an elastic network interface in the subnet and AZ, reducing network latency by allowing EC2 instances to communicate locally with the EFS mount target. Creating a mount target in each AZ optimizes file system access performance and availability. Instances mount the EFS file system via the mount target in their respective AZ, which provides the lowest possible latency and avoids cross-AZ traffic.

Option A, with only a single mount target in the VPC, will cause cross-AZ traffic for instances in other AZs, increasing latency and potentially incurring data transfer costs. Option B is incomplete and introduces complexity with sharing directories across instances. Option C is invalid because mount targets are per AZ and per subnet, not per instance.

AWS WAF (Web Application Firewall) is designed to protect public-facing web applications from common web exploits and allows for deep inspection of HTTP and HTTPS requests. By enabling logging on AWS WAF, you can gain insights into traffic flow, request sources, and blocked requests, which improves both security visibility and posture. Integrating AWS WAF logging with Amazon Kinesis Data Firehose allows automatic, near-real-time delivery of log data to Amazon S3 for analysis, reporting, or integration with analytics tools. This solution not only secures the website but also enables comprehensive traffic analysis, satisfying both requirements efficiently.

Reference Extract from AWS Documentation / Study Guide:

" AWS WAF provides detailed logs of web requests, which can be delivered to Amazon S3 via Amazon Kinesis Data Firehose. This logging enables analysis of web traffic and sources, supporting both security and operational monitoring. "

Source: AWS Certified Solutions Architect – Official Study Guide, Security and Compliance section; AWS WAF Developer Guide (Logging and Monitoring).