A company wants to use AWS Direct Connect to connect on-premises networks to AWS. The company runs many VPCs in a single Region and plans to scale to hundreds of VPCs.
Which service will simplify and scale the network architecture?
A. VPC endpoints B. AWS Transit Gateway C. Amazon Route 53 D. AWS Secrets Manager
B. AWS Transit Gateway
Explanation
As the number of VPCs grows, managing individual VPC connections becomes complex and unscalable.
AWS Transit Gateway is specifically designed to act as a central hub that connects multiple VPCs and on-premises networks through Direct Connect.
Option B simplifies network architecture by allowing hundreds or thousands of VPCs to connect through a single gateway, reducing routing complexity and operational overhead. Transit Gateway supports scalable routing, centralized inspection, and simplified expansion.
The other options do not address network connectivity or scaling challenges. Therefore, B is the correct solution.
Question 1132:
A company hosts a multi-tier web application that uses an Amazon Aurora MySQL DB cluster for storage.
The application tier is hosted on Amazon EC2 instances. The company's IT security guidelines mandate that the database credentials be encrypted and rotated every 14 days.
What should a solutions architect do to meet this requirement with the LEAST operational effort?
A. Create a new AWS Key Management Service (AWS KMS) encryption key. Use AWS Secrets Manager to create a new secret that uses the KMS key with the appropriate credentials. Associate the secret with the Aurora DB cluster. Configure a custom rotation period of 14 days. B. Create two parameters in AWS Systems Manager Parameter Store: one for the user name as a string parameter and one that uses the SecureString type for the password. Select AWS Key Management Service (AWS KMS) encryption for the password parameter, and load these parameters in the application tier. Implement an AWS Lambda function that rotates the password every 14 days. C. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS) encrypted Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system in all EC2 instances of the application tier. Restrict the access to the file on the file system so that the application can read the file and that only super users can modify the file. Implement an AWS Lambda function that rotates the key in Aurora every 14 days and writes new credentials into the file. D. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS) encrypted Amazon S3 bucket that the application uses to load the credentials. Download the file to the application regularly to ensure that the correct credentials are used. Implement an AWS Lambda function that rotates the Aurora credentials every 14 days and uploads these credentials to the file in the S3 bucket.
A. Create a new AWS Key Management Service (AWS KMS) encryption key. Use AWS Secrets Manager to create a new secret that uses the KMS key with the appropriate credentials. Associate the secret with the Aurora DB cluster. Configure a custom rotation period of 14 days.
Question 1133:
A company is building a gaming application that needs to send unique events to multiple leaderboards, player matchmaking systems, and authentication services concurrently. The company requires an AWS-based event-driven system that delivers events in order and supports a publish-subscribe model. The gaming application must be the publisher, and the leaderboards, matchmaking systems, and authentication services must be the subscribers.
Which solution will meet these requirements?
A. Amazon EventBridge event buses B. Amazon Simple Notification Service (Amazon SNS) FIFO topics C. Amazon Simple Notification Service (Amazon SNS) standard topics D. Amazon Simple Queue Service (Amazon SQS) FIFO queues
B. Amazon Simple Notification Service (Amazon SNS) FIFO topics
Explanation
The requirement is an event-driven pub/sub system that guarantees ordered delivery of events.
Amazon SNS FIFO topics provide the publish-subscribe model along with FIFO (First-In-First-Out) delivery and exactly-once message processing, ensuring ordered delivery to multiple subscribers.
Option A, EventBridge, provides event buses but does not guarantee event ordering across multiple subscribers.
Option C (SNS standard topics) provides pub/sub but without ordering guarantees.
Option D (SQS FIFO queues) guarantees order but are point-to-point queues, not pub/sub.
Thus, Amazon SNS FIFO topics meet the requirements for ordered pub/sub messaging.
Question 1134:
A company is building a data analysis platform on AWS by using AWS Lake Formation. The platform will ingest data from different sources such as Amazon S3 and Amazon RDS. The company needs a secure solution to prevent access to portions of the data that contain sensitive information.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an IAM role that includes permissions to access Lake Formation tables. B. Create data filters to implement row-level security and cell-level security. C. Create an AWS Lambda function that removes sensitive information before Lake Formation ingests the data. D. Create an AWS Lambda function that periodically queries and removes sensitive information from Lake Formation tables.
B. Create data filters to implement row-level security and cell-level security.
Question 1135:
A company runs a multi-tier application on premises by using virtual machines (VMs). The application tiers communicate asynchronously through third-party middleware that guarantees exactly-once delivery. The company is planning to migrate the application to AWS and needs to replace the middleware solution. The solution must provide exactly-once delivery for messages from the application.
Which combination of actions will meet these requirements with the LEAST infrastructure management? (Choose Two.)
A. Use AWS Lambda functions to provide compute layers in the architecture. B. Use Amazon EC2 instances to provide compute layers in the architecture. C. Use Amazon SNS as a messaging component between the compute layers. D. Use Amazon SQS FIFO queues as a messaging component between the compute layers. E. Run containers on Amazon EKS to provide compute layers in the architecture.
A. Use AWS Lambda functions to provide compute layers in the architecture. D. Use Amazon SQS FIFO queues as a messaging component between the compute layers.
Explanation
The correct answers are A and D. The requirement is to replace third-party middleware with an AWS-native solution that supports asynchronous communication exactly-once delivery,, and the least infrastructure management Amazon SQS FIFO queues. are the best messaging component because FIFO queues are designed for workloads that require ordered processing and exactly-once message delivery semantics. That makes option D the correct messaging choice.
For the compute layer, AWS Lambda provides the least infrastructure management because it is a fully managed serverless compute service. Lambda removes the need to manage virtual machines, operating systems, or cluster infrastructure. It integrates naturally with queue-based asynchronous architectures and can be invoked to process messages from SQS while scaling automatically based on queue depth and workload demand. That makes option A the best choice for minimizing operational burden.
Option B is incorrect because EC2 instances would require the company to manage instance provisioning, patching, scaling, and availability.
Option C is incorrect because Amazon SNS is a pub/sub messaging service and does not provide exactly-once delivery guarantees like SQS FIFO.
Option E is incorrect because Amazon EKS introduces Kubernetes management overhead and is not the lowest-management compute option.
AWS best practices recommend using managed messaging and serverless compute to reduce undifferentiated operational work. For a migration that requires asynchronous processing with exactly-once delivery and minimal infrastructure management, the most appropriate architecture is AWS Lambda functions with Amazon SQS FIFO queues.
Question 1136:
A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations.
The company must create a KMS key and automate the rotation of the key. The company also needs the ability to deactivate the key and schedule the key for deletion.
Which solution will meet these requirements?
A. Create an asymmetric customer managed KMS key. Enable automatic key rotation. B. Create a symmetric customer managed KMS key. Disable the envelope encryption option. C. Create a symmetric customer managed KMS key. Enable automatic key rotation. D. Create an asymmetric customer managed KMS key. Disable the envelope encryption option.
C. Create a symmetric customer managed KMS key. Enable automatic key rotation.
Explanation
To meet the requirements, the key must support automatic rotation, and the company must be able to disable (deactivate) the key and schedule deletion. In AWS KMS, these lifecycle controls are available for customer managed keys. Automatic key rotation is supported for symmetric customer managed KMS keys used for encryption and decryption operations. When automatic rotation is enabled, AWS KMS generates new cryptographic material for the key on a regular schedule while the key ID remains the same, helping organizations meet compliance and security best practices without manual operational work.
Option C is the only choice that explicitly combines a symmetric customer managed key with automatic rotation enabled, which directly satisfies the rotation requirement. As a customer managed key, it can also be disabled (to prevent use) and scheduled for deletion (with a waiting period), meeting the rest of the lifecycle needs.
Option A is incorrect because automatic rotation is not generally available for asymmetric KMS keys in the same way; asymmetric keys are used for specialized use cases such as signing or asymmetric encryption, and rotation behavior differs. Options B and D mention "disabling envelope encryption," which is not a configurable "option" you turn off in KMS; envelope encryption is a recommended pattern where KMS protects data keys, and services commonly use it under the hood. Those options therefore do not describe a valid configuration that meets the requirement.
Therefore, the correct solution is to create a symmetric customer managed KMS key and enable automatic rotation, while using standard KMS controls to disable and schedule deletion when required.
Question 1137:
A company uses AWS to host a public website. The load on the webservers recently increased.
The company wants to learn more about the traffic flow and traffic sources. The company also wants to increase the overall security of the website.
Which solution will meet these requirements?
A. Deploy AWS WAF and set up logging. Use Amazon Data Firehose to deliver the log files to an Amazon S3 bucket for analysis. B. Deploy Amazon API Gateway and set up logging. Use Amazon Kinesis Data Streams to deliver the log files to an Amazon S3 bucket for analysis. C. Deploy a Network Load Balancer and set up logging. Use Amazon Data Firehose to deliver the log files to an Amazon S3 bucket for analysis. D. Deploy an Application Load Balancer and set up logging. Use Amazon Kinesis Data Streams to deliver the log files to an Amazon S3 bucket for analysis.
A. Deploy AWS WAF and set up logging. Use Amazon Data Firehose to deliver the log files to an Amazon S3 bucket for analysis.
Explanation
AWS WAF (Web Application Firewall) is designed to protect public-facing web applications from common web exploits and allows for deep inspection of HTTP and HTTPS requests. By enabling logging on AWS WAF, you can gain insights into traffic flow, request sources, and blocked requests, which improves both security visibility and posture. Integrating AWS WAF logging with Amazon Kinesis Data Firehose allows automatic, near-real-time delivery of log data to Amazon S3 for analysis, reporting, or integration with analytics tools. This solution not only secures the website but also enables comprehensive traffic analysis, satisfying both requirements efficiently.
Reference Extract from AWS Documentation /
Study Guide: " AWS WAF provides detailed logs of web requests, which can be delivered to Amazon S3 via Amazon Kinesis Data Firehose. This logging enables analysis of web traffic and sources, supporting both security and operational monitoring. "
Source: AWS Certified Solutions Architect?Official Study Guide, Security and Compliance section; AWS WAF Developer Guide (Logging and Monitoring).
Question 1138:
An online education platform experiences lag and buffering during peak usage hours, when thousands of students access video lessons concurrently. A solutions architect needs to improve the performance of the education platform.
The platform needs to handle unpredictable traffic surges without losing responsiveness. The platform must provide smooth video playback performance at all times. The platform must create multiple copies of each video lesson and store the copies in various bitrates to serve users who have different internet speeds. The smallest video size is 7 GB.
Which solution will meet these requirements MOST cost-effectively?
A. Use Amazon ElastiCache to cache videos in all the required bitrates. Use AWS Lambda functions to process the videos and to convert the videos to the required bitrates. B. Create an Auto Scaling group that includes Amazon EC2 instances that are sized to meet peak loads. Use the Auto Scaling group to serve videos. Use the Auto Scaling group to convert the videos to the required bitrates. C. Store a copy of every video in every required bitrate in an Amazon S3 bucket. Use a single Amazon EC2 instance to serve the videos. D. Use Amazon Kinesis Video Streams to store and serve the videos. Use AWS Lambda functions to process the videos and to convert the videos to the required bitrates.
C. Store a copy of every video in every required bitrate in an Amazon S3 bucket. Use a single Amazon EC2 instance to serve the videos.
Explanation
The most cost-effective solution for serving video content with different bitrates is to store multiple versions of each video inAmazon S3. S3 provides scalable and cost-effective storage for largemedia files. Serving the videos from a single Amazon EC2 instance ensures low-latency delivery, and S3 storage helps minimize costs.
Option A (ElastiCache): Caching large video files in memory would be prohibitively expensive and unnecessary.
Option B (Auto Scaling group): Using Auto Scaling groups to serve video is less cost-effective compared to leveraging S3 for static storage.
Option D (Kinesis Video Streams): Kinesis Video Streams is designed for real-time video streaming and is not suitable for storing and serving pre-recorded videos.
References:
Amazon S3 for Media Storage
Question 1139:
A company runs an order management application on AWS. The application allows customers to place orders and pay with a credit card. The company uses an Amazon CloudFront distribution to deliver the application. A security team has set up logging for all incoming requests. The security team needs a solution to generate an alert if any user modifies the logging configuration.
Which combination of solutions will meet these requirements? (Choose Two.)
A. Configure an Amazon EventBridge rule that is invoked when a user creates or modifies a CloudFront distribution. Add the AWS Lambda function as a target of the EventBridge rule. B. Create an Application Load Balancer (ALB). Enable AWS WAF rules for the ALB. Configure an AWS Config rule to detect security violations. C. Create an AWS Lambda function to detect changes in CloudFront distribution logging. Configure the Lambda function to use Amazon Simple Notification Service (Amazon SNS) to send notifications to the security team. D. Set up Amazon GuardDuty. Configure GuardDuty to monitor findings from the CloudFront distribution. Create an AWS Lambda function to address the findings. E. Create a private API in Amazon API Gateway. Use AWS WAF rules to protect the private API from common security problems.
A. Configure an Amazon EventBridge rule that is invoked when a user creates or modifies a CloudFront distribution. Add the AWS Lambda function as a target of the EventBridge rule. C. Create an AWS Lambda function to detect changes in CloudFront distribution logging. Configure the Lambda function to use Amazon Simple Notification Service (Amazon SNS) to send notifications to the security team.
Explanation
Option A: EventBridge rule:Triggers an event whenever there is a change in CloudFront distribution, ensuring real-time monitoring.
Option B: ALB with WAF:Focuses on application-level security, not CloudFront logging.
Option C: Lambda + SNS:Provides notifications upon detection of changes in logging configuration.
Option D: GuardDuty:Monitors anomalies but does not specifically address CloudFront logging changes.
Option E: Private API + WAF:Irrelevant to CloudFront logging changes.
References:
Amazon EventBridge,AWS Lambda
Question 1140:
A company hosts a public web application on AWS with a three-tier architecture: a frontend Auto Scaling group, an application Auto Scaling group, and an Amazon RDS database. During unexpected traffic spikes, the company notices long delays in startup time when the frontend and application tiers scale out.
The company needs to improve scaling performance without negatively affecting user experience.
Which solution will meet these requirements MOST cost-effectively?
A. Decrease the minimum number of EC2 instances for both Auto Scaling groups. Increase the desired number of instances to meet peak demand. B. Configure the maximum number of instances for both Auto Scaling groups to the number required for peak demand. Create a warm pool. C. Increase the maximum number of EC2 instances for both Auto Scaling groups to meet normal demand. Create a warm pool. D. Use scheduled scaling. Increase EC2 and RDS instance sizes.
B. Configure the maximum number of instances for both Auto Scaling groups to the number required for peak demand. Create a warm pool.
Explanation
The problem is scale-out latency: when traffic spikes, new instances take time to launch, initialize, and pass health checks. This can temporarily degrade user experience even if Auto Scaling eventually adds enough capacity. The goal is to improve responsiveness to sudden spikes cost-effectively.
A key Auto Scaling feature for this situation is an EC2 Auto Scaling warm pool. A warm pool maintains a set of pre-initialized instances (stopped or running, depending on configuration) that Auto Scaling can rapidly transition into service. This reduces the time needed for instance launch and initialization, enabling faster scale-out during unexpected surges.
Option B is best because it supports the application's peak needs by ensuring Auto Scaling can scale up to the required maximum capacity and keeps warm capacity ready. While a warm pool has some cost (especially if instances are kept running), it is typically more cost-effective than permanently running peak capacity all the time. It improves user experience by minimizing cold start delays during spikes.
Option A is counterproductive: lowering minimum capacity increases the likelihood of scale-out delays.
Option C is illogical as written ("increase maximum to meet normal demand"); maximum should reflect peak potential, and a warm pool without sufficient max headroom will not solve the spike problem. Option
D uses scheduled scaling, but the spike is unexpected, and increasing instance sizes increases cost and does not address launch delay; it may also reduce horizontal scaling flexibility.
Therefore, B is the most cost-effective way to improve scale-out performance and protect user experience during unexpected bursts.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SAA-C03 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.