A company is designing a microservice-based architecture for a new application on AWS. Each microservice will run on its own set of Amazon EC2 instances. Each microservice will need to interact with multiple AWS services.
The company wants to manage permissions for each EC2 instance according to the principle of least privilege.
Which solution will meet this requirement with the LEAST administrative overhead?
A. Assign an IAM user to each microservice. Use access keys that are stored within the application code to authenticate AWS service requests.
B. Create a single IAM role that has permission to access all AWS services. Add the IAM role to an instance profile that is associated with the EC2 instances.
C. Use AWS Organizations to create a separate account for each microservice. Manage permissions at the account level.
D. Create individual IAM roles based on the specific needs of each microservice. Add each IAM role to an instance profile that is associated with the appropriate EC2 instance.
D. Create individual IAM roles based on the specific needs of each microservice. Add each IAM role to an instance profile that is associated with the appropriate EC2 instance.
Explanation
AWS best practice is to use IAM roles with instance profiles for EC2 instances so that applications obtain temporary credentials automatically and do not need to store access keys.
To honor the principle of least privilege, each microservice should have an IAM role that grants only the specific permissions it needs.
Therefore, creating individual IAM roles per microservice and attaching them via instance profiles (Option D) both minimizes long-term credential management and applies least privilege cleanly.
Why the other options are not correct:
Option A: Using IAM users with access keys in code is insecure and high-overhead (key rotation, secret management).
Option B: A single broad role violates least privilege because every microservice gets more permissions than it needs.
Option C: Separate accounts per microservice is extreme over-segmentation and significantly increases operational complexity.
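The following is an added example, not part of the original question set, showing what Option D looks like when expressed as policy documents: one role per microservice, each trusting only the EC2 service and each granting only the actions and resources that service needs. The service names, queue, table and bucket ARNs, and the account id 123456789012 are constructed placeholders. The `policy_violations` check flags the wildcard grants that make Option B fail least privilege, and `create_in_aws` shows the boto3 calls that bind a role to an instance profile (it is not executed offline).

```python
"""Per-microservice IAM roles delivered through EC2 instance profiles (Option D)."""
import json

# Trust policy shared by every EC2 instance role: only the EC2 service may assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed inventory of what each microservice actually needs.
# Service names, ARNs and the account id are placeholders, not values from the page.
SERVICE_NEEDS = {
    "orders": [
        ("sqs:SendMessage", "arn:aws:sqs:us-east-1:123456789012:orders-queue"),
        ("dynamodb:GetItem", "arn:aws:dynamodb:us-east-1:123456789012:table/orders"),
        ("dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:123456789012:table/orders"),
    ],
    "reports": [
        ("s3:GetObject", "arn:aws:s3:::example-reports-bucket/*"),
        ("s3:PutObject", "arn:aws:s3:::example-reports-bucket/*"),
    ],
}


def build_permissions_policy(needs):
    """Group actions by resource so every statement names exactly what is allowed."""
    by_resource = {}
    for action, resource in needs:
        by_resource.setdefault(resource, []).append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
            for resource, actions in sorted(by_resource.items())
        ],
    }


def policy_violations(policy):
    """Return findings for Allow statements that use wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
        for r in resources:
            if r == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings


def build_roles(needs_by_service):
    """One role and one instance profile per microservice; refuse any non-least-privilege policy."""
    roles = {}
    for name, needs in needs_by_service.items():
        policy = build_permissions_policy(needs)
        if policy_violations(policy):
            raise ValueError(f"{name}: policy is not least privilege")
        roles[name] = {
            "RoleName": f"{name}-ec2-role",
            "InstanceProfileName": f"{name}-ec2-profile",
            "AssumeRolePolicyDocument": EC2_TRUST_POLICY,
            "PolicyDocument": policy,
        }
    return roles


def create_in_aws(iam, role):
    """Create the role, attach its inline policy and bind it to an instance profile.
    `iam` is a boto3 IAM client injected by the caller; this is not run offline."""
    iam.create_role(RoleName=role["RoleName"],
                    AssumeRolePolicyDocument=json.dumps(role["AssumeRolePolicyDocument"]))
    iam.put_role_policy(RoleName=role["RoleName"], PolicyName="least-privilege",
                        PolicyDocument=json.dumps(role["PolicyDocument"]))
    iam.create_instance_profile(InstanceProfileName=role["InstanceProfileName"])
    iam.add_role_to_instance_profile(InstanceProfileName=role["InstanceProfileName"],
                                     RoleName=role["RoleName"])


if __name__ == "__main__":
    for name, role in build_roles(SERVICE_NEEDS).items():
        print(name, json.dumps(role["PolicyDocument"], indent=2))
```

Each EC2 instance is then launched with the instance profile for its own microservice, and the application picks up short-lived credentials from the instance metadata service through the SDK's default credential chain, so no access keys are stored in code.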
Question 1072:
A company stores a large volume of critical data in Amazon RDS for PostgreSQL tables. The company is developing several new features for an upcoming product launch. Some of the new features require many table alterations.
The company needs a solution to test the altered tables for several days. After testing, the solution must make the new features available to customers in production.
Which solution will meet these requirements with the HIGHEST availability?
A. Create a new instance of the database in RDS for PostgreSQL to test the new features. When the testing is finished, take a backup of the test database, and restore the test database to the production database.
B. Create new database tables in the production database to test the new features. When the testing is finished, copy the data from the older tables to the new tables. Delete the older tables, and rename the new tables accordingly.
C. Create an Amazon RDS read replica to deploy a new instance of the database. Make updates to the database tables in the replica instance. When the testing is finished, promote the replica instance to become the new production instance.
D. Use an Amazon RDS blue/green deployment to deploy a new test instance of the database. Make database table updates in the test instance. When the testing is finished, promote the test instance to become the new production instance.
D. Use an Amazon RDS blue/green deployment to deploy a new test instance of the database. Make database table updates in the test instance. When the testing is finished, promote the test instance to become the new production instance.
Explanation
Amazon RDS Blue/Green Deployments provide a safe and straightforward way to make database changes with minimal downtime and risk. Blue/Green deployments create an exact copy ("green") of your production environment ("blue") where you can make schema changes and run tests. After validation, you can promote the green environment to production with a single click or API call, achieving near-zero downtime and maximum availability. This is the AWS-recommended method for deploying major database changes in a way that minimizes impact to users and maximizes uptime.
Reference Extract from AWS Documentation / Study Guide:
"Amazon RDS Blue/Green Deployments enable you to make changes to your database environment safely. You can perform schema updates and feature testing in a fully managed staging environment and switch over with minimal downtime, ensuring the highest availability."
Source: AWS Certified Solutions Architect - Official Study Guide, Database and Migration section; Amazon RDS Blue/Green Deployments Documentation.
Question 1073:
A company has separate AWS accounts for its finance, data analytics, and development departments.
Because of costs and security concerns, the company wants to control which services each AWS account can use.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Systems Manager templates to control which AWS services each department can use.
B. Create organization units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.
C. Use AWS CloudFormation to automatically provision only the AWS services that each department can use.
D. Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of specific AWS services.
B. Create organization units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.
Question 1074:
A company is planning to migrate a TCP-based application into the company's VPC. The application is publicly accessible on a nonstandard TCP port through a hardware appliance in the company's data center. This public endpoint can process up to 3 million requests per second with low latency. The company requires the same level of performance for the new public endpoint in AWS.
What should a solutions architect recommend to meet this requirement?
A. Deploy a Network Load Balancer (NLB). Configure the NLB to be publicly accessible over the TCP port that the application requires.
B. Deploy an Application Load Balancer (ALB). Configure the ALB to be publicly accessible over the TCP port that the application requires.
C. Deploy an Amazon CloudFront distribution that listens on the TCP port that the application requires. Use an Application Load Balancer as the origin.
D. Deploy an Amazon API Gateway API that is configured with the TCP port that the application requires. Configure AWS Lambda functions with provisioned concurrency to process the requests.
A. Deploy a Network Load Balancer (NLB). Configure the NLB to be publicly accessible over the TCP port that the application requires.
Explanation
Question 1075:
A company has resources across multiple AWS Regions and accounts. A newly hired solutions architect discovers a previous employee did not provide details about the resources inventory. The solutions architect needs to build and map the relationship details of the various workloads across all accounts.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Use AWS Systems Manager Inventory to generate a map view from the detailed view report.
B. Use AWS Step Functions to collect workload details. Build architecture diagrams of the workloads manually.
C. Use Workload Discovery on AWS to generate architecture diagrams of the workloads.
D. Use AWS X-Ray to view the workload details. Build architecture diagrams with relationships.
C. Use Workload Discovery on AWS to generate architecture diagrams of the workloads.
Question 1076:
A company plans to migrate to AWS and use Amazon EC2 On-Demand Instances for its application.
During the migration testing phase, a technical team observes that the application takes a long time to launch and load memory to become fully productive.
Which solution will reduce the launch time of the application during the next testing phase?
A. Launch two or more EC2 On-Demand Instances. Turn on auto scaling features and make the EC2 On-Demand Instances available during the next testing phase.
B. Launch EC2 Spot Instances to support the application and to scale the application so it is available during the next testing phase.
C. Launch the EC2 On-Demand Instances with hibernation turned on. Configure EC2 Auto Scaling warm pools during the next testing phase.
D. Launch EC2 On-Demand Instances with Capacity Reservations. Start additional EC2 instances during the next testing phase.
C. Launch the EC2 On-Demand Instances with hibernation turned on. Configure EC2 Auto Scaling warm pools during the next testing phase.
Question 1077:
A company wants to create an application to store employee data in a hierarchical structured relationship.
The company needs a minimum-latency response to high-traffic queries for the employee data and must protect any sensitive data.
The company also needs to receive monthly email messages if any financial information is present in the employee data.
Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)
A. Use Amazon Redshift to store the employee data in hierarchies. Unload the data to Amazon S3 every month.
B. Use Amazon DynamoDB to store the employee data in hierarchies. Export the data to Amazon S3 every month.
C. Configure Amazon Macie for the AWS account. Integrate Macie with Amazon EventBridge to send monthly events to AWS Lambda.
D. Use Amazon Athena to analyze the employee data in Amazon S3. Integrate Athena with Amazon QuickSight to publish analysis dashboards and share the dashboards with users.
E. Configure Amazon Macie for the AWS account. Integrate Macie with Amazon EventBridge to send monthly notifications through an Amazon Simple Notification Service (Amazon SNS) subscription.
B. Use Amazon DynamoDB to store the employee data in hierarchies. Export the data to Amazon S3 every month.
E. Configure Amazon Macie for the AWS account. Integrate Macie with Amazon EventBridge to send monthly notifications through an Amazon Simple Notification Service (Amazon SNS) subscription.
Question 1078:
An application uses an Amazon SQS queue and two AWS Lambda functions. One of the Lambda functions pushes messages to the queue, and the other function polls the queue and receives queued messages.
A solutions architect needs to ensure that only the two Lambda functions can write to or read from the queue.
Which solution will meet these requirements?
A. Attach an IAM policy to the SQS queue that grants the Lambda function principals read and write access. Attach an IAM policy to the execution role of each Lambda function that denies all access to the SQS queue except for the principal of each function.
B. Attach a resource-based policy to the SQS queue to deny read and write access to the queue for any entity except the principal of each Lambda function. Attach an IAM policy to the execution role of each Lambda function that allows read and write access to the queue.
C. Attach a resource-based policy to the SQS queue that grants the Lambda function principals read and write access to the queue. Attach an IAM policy to the execution role of each Lambda function that allows read and write access to the queue.
D. Attach a resource-based policy to the SQS queue to deny all access to the queue. Attach an IAM policy to the execution role of each Lambda function that grants read and write access to the queue.
C. Attach a resource-based policy to the SQS queue that grants the Lambda function principals read and write access to the queue. Attach an IAM policy to the execution role of each Lambda function that allows read and write access to the queue.
Explanation
To ensure that only specific AWS Lambda functions can read from or write to an Amazon SQS queue, use resource-based policies attached directly to the SQS queue. These policies explicitly grant permissions to the IAM roles used by the Lambda functions. Additionally, the Lambda execution roles must also have IAM policies that permit SQS access. This dual-layer approach follows the AWS security best practice of granting least privilege access and ensures that no other service or entity can interact with the queue.
This is a common and supported pattern documented in the Amazon SQS Developer Guide, where resource-based policies restrict access at the queue level while IAM roles control permissions at the function level.
References:
AWS Documentation: Amazon SQS Access Control, Lambda Permissions, and Resource-Based Policies
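The following is an added example, not part of the original question set, that writes out the two policy layers from Option C (a queue policy naming the two Lambda execution roles, and a scoped identity policy for each role) and runs a simplified same-account policy evaluation over them. The queue ARN, role ARNs and account id 123456789012 are constructed placeholders. `apply_queue_policy` shows the boto3 call that installs the queue policy and is not executed offline.

```python
"""Restricting an SQS queue to two Lambda execution roles (Option C), plus an access check."""
import fnmatch
import json

# Constructed placeholder ARNs; the account id and names are not from the page.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders-queue"
PRODUCER_ROLE = "arn:aws:iam::123456789012:role/producer-lambda-role"
CONSUMER_ROLE = "arn:aws:iam::123456789012:role/consumer-lambda-role"
OTHER_ROLE = "arn:aws:iam::123456789012:role/unrelated-role"

PRODUCER_ACTIONS = ["sqs:SendMessage", "sqs:GetQueueAttributes"]
CONSUMER_ACTIONS = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]


def queue_policy():
    """Resource-based policy for the queue: one Allow per function principal, no wildcards."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ProducerWrite", "Effect": "Allow",
             "Principal": {"AWS": PRODUCER_ROLE},
             "Action": PRODUCER_ACTIONS, "Resource": QUEUE_ARN},
            {"Sid": "ConsumerRead", "Effect": "Allow",
             "Principal": {"AWS": CONSUMER_ROLE},
             "Action": CONSUMER_ACTIONS, "Resource": QUEUE_ARN},
        ],
    }


def execution_role_policy(actions):
    """Identity-based policy attached to a Lambda execution role, scoped to the one queue."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": QUEUE_ARN}]}


def _matches(stmt, principal, action, resource):
    """Does this statement apply to the request? Actions may use IAM-style wildcards."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if stmt["Resource"] != resource:
        return False
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    if "Principal" in stmt:  # only resource-based statements carry a Principal
        return stmt["Principal"].get("AWS") == principal
    return True


def is_allowed(principal, action, resource, identity_policy, resource_policy):
    """Simplified same-account evaluation: an explicit Deny wins; otherwise an Allow
    in either the caller's identity policy or the resource policy grants access."""
    allowed = False
    for policy in (identity_policy, resource_policy):
        if policy is None:
            continue
        for stmt in policy["Statement"]:
            if _matches(stmt, principal, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def access_matrix():
    """Evaluate a few constructed requests against the queue policy and each caller's role policy."""
    rp = queue_policy()
    cases = {
        "producer sends": (PRODUCER_ROLE, "sqs:SendMessage", execution_role_policy(PRODUCER_ACTIONS)),
        "producer receives": (PRODUCER_ROLE, "sqs:ReceiveMessage", execution_role_policy(PRODUCER_ACTIONS)),
        "consumer receives": (CONSUMER_ROLE, "sqs:ReceiveMessage", execution_role_policy(CONSUMER_ACTIONS)),
        "other role, no identity grant": (OTHER_ROLE, "sqs:SendMessage", None),
        "other role, broad identity grant": (OTHER_ROLE, "sqs:SendMessage", execution_role_policy(["sqs:*"])),
    }
    return {name: is_allowed(p, a, QUEUE_ARN, ip, rp) for name, (p, a, ip) in cases.items()}


def apply_queue_policy(sqs, queue_url):
    """Install the queue policy; `sqs` is a boto3 SQS client injected by the caller."""
    sqs.set_queue_attributes(QueueUrl=queue_url,
                             Attributes={"Policy": json.dumps(queue_policy())})


if __name__ == "__main__":
    for name, ok in access_matrix().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The last case in `access_matrix` is the caveat worth remembering: within a single account, an Allow in an identity-based policy is sufficient on its own, so a third role that is granted `sqs:*` on the queue by its own policy can still reach it even though the queue policy never names it. The queue policy in Option C therefore locks the queue down only as far as the account's IAM hygiene does; keeping queue ARNs out of other roles' policies (or adding an explicit Deny for everyone except the two function principals, as Option B describes) is what closes that path.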
Question 1079:
A rapidly growing ecommerce company is running its workloads in a single AWS Region. A solutions architect must create a disaster recovery (DR) strategy that includes a different AWS Region. The company wants its database to be up to date in the DR Region with the least possible latency. The remaining infrastructure in the DR Region needs to run at reduced capacity and must be able to scale up if necessary.
Which solution will meet these requirements with the LOWEST recovery time objective (RTO)?
A. Use an Amazon Aurora global database with a pilot light deployment.
B. Use an Amazon Aurora global database with a warm standby deployment.
C. Use an Amazon RDS Multi-AZ DB instance with a pilot light deployment.
D. Use an Amazon RDS Multi-AZ DB instance with a warm standby deployment.
B. Use an Amazon Aurora global database with a warm standby deployment.
Question 1080:
A company runs an application on Amazon EC2 instances that have instance store volumes attached. The application uses Amazon Elastic File System (Amazon EFS) to store files that are shared across a cluster of Linux servers. The shared files are at least 1 GB in size.
The company accesses the files often for the first 7 days after creation. The files must remain readily available after the first 7 days.
The company wants to optimize costs for the application.
Which solution will meet these requirements?
A. Configure an AWS Storage Gateway Amazon S3 File Gateway to cache frequently accessed files locally. Store older files in Amazon S3.
B. Move the files from Amazon EFS, and store the files locally on each EC2 instance.
C. Configure a lifecycle policy to move the files to the EFS Infrequent Access (IA) storage class after 7 days.
D. Deploy AWS DataSync to automatically move files older than 7 days to Amazon S3 Glacier Deep Archive.
C. Configure a lifecycle policy to move the files to the EFS Infrequent Access (IA) storage class after 7 days.
Explanation
Amazon EFS Lifecycle Management enables automatic cost optimization by transitioning files that haven't been accessed for a defined period (e.g., 7 days) from EFS Standard to EFS Infrequent Access (IA).
"Amazon EFS Lifecycle Management automatically moves files that haven't been accessed for a set period to the EFS Infrequent Access storage class, reducing storage costs for infrequently accessed files."
-- Amazon EFS Documentation
Key Points:
EFS IA is ideal for files larger than 128 KB and accessed less frequently.
It's seamless -- no code or tools needed.
Meets requirement for cost optimization and high availability.
Incorrect Options:
Option A: File Gateway adds unnecessary complexity and does not use EFS.
Option B: Storing files locally breaks shared access and resiliency.
Option D: Glacier Deep Archive is cold storage -- not "readily available."