Practice Free SAA-C03 Exam Online Questions
A company needs a data encryption solution for a machine learning (ML) process. The solution must use an AWS managed service. The ML process currently reads a large number of objects in Amazon S3 that are encrypted by a customer managed AWS KMS key. The current process incurs significant costs because of excessive calls to AWS Key Management Service (AWS KMS) to decrypt S3 objects. The company wants to reduce the costs of API calls to decrypt S3 objects.
- A . Switch from a customer managed KMS key to an AWS managed KMS key.
- B . Remove the AWS KMS encryption from the S3 bucket. Use a bucket policy to encrypt the data instead.
- C . Recreate the KMS key in AWS Cloud HSM.
- D . Use S3 Bucket Keys to perform server-side encryption with AWS KMS keys (SSE-KMS) to encrypt and decrypt objects from Amazon S3.
D
Explanation:
Amazon S3 Bucket Keys reduce the cost of AWS KMS API requests by generating a data key at the bucket level instead of individually calling KMS for every object read or written. This approach is particularly effective when workloads, such as ML pipelines, involve reading large numbers of encrypted objects. Switching to AWS managed keys (A) does not reduce the frequency of API calls. Removing encryption (B) would violate compliance/security requirements. Using Cloud HSM (C) adds cost and operational burden. Therefore, the correct solution is D ― enabling S3 Bucket Keys with SSE-KMS, which significantly reduces decryption costs while maintaining secure encryption.
Reference:
• Amazon S3 User Guide ― Using S3 Bucket Keys for SSE-KMS
• AWS KMS Developer Guide ― Cost optimization for KMS encryption
A company runs a web application that uses Amazon RDS for MySQL to store relational dat a. Data in the database does not change frequently.
A solutions architect notices that during peak usage times, the database has performance issues when it serves the data. The company wants to improve the performance of the database.
Which combination of steps will meet these requirements? (Select TWO.)
- A . Integrate AWS WAF with the application.
- B . Create a read replica for the database. Redirect read traffic to the read replica.
- C . Create an Amazon ElastiCache (Memcached) cluster. Configure the application and the database to integrate with the cluster.
- D . Use the Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class to store the data that changes infrequently.
- E . Migrate the database to Amazon DynamoDB. Configure the application to use the DynamoDB database.
B, C
Explanation:
To improve read performance for a MySQL-based RDS database under load, you can:
Use Read Replicas: Amazon RDS supports MySQL read replicas, which help offload read operations from the primary database, improving performance during high traffic.
Use ElastiCache (Memcached): Adding an in-memory cache layer using Amazon ElastiCache reduces the load on the RDS instance by serving frequent queries directly from memory, especially when data is not updated often.
Option A (AWS WAF) is for web security, not database performance.
Option D relates to storage optimization, not query latency.
Option E would require re-architecting from relational to NoSQL, which is unnecessary and disruptive.
A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and is the MOST operationally efficient?
- A . Server-side encryption with customer-provided keys (SSE-C)
- B . Server-side encryption with Amazon S3 managed keys (SSE-S3)
- C . Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation
- D . Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation
D
Explanation:
SSE-KMS: Server-side encryption with AWS Key Management Service (SSE-KMS) provides robust encryption of data at rest, integrated with AWS KMS for key management and auditing.
Automatic Key Rotation: By enabling automatic rotation for the KMS keys, the system ensures that keys are rotated annually without manual intervention, meeting compliance requirements.
Logging and Auditing: AWS KMS automatically logs all key usage and management actions in AWS CloudTrail, providing the necessary audit logs.
Implementation:
Create a KMS key with automatic rotation enabled.
Configure the S3 bucket to use SSE-KMS with the created KMS key.
Ensure CloudTrail is enabled for logging KMS key usage.
Operational Efficiency: This solution provides encryption, automatic key management, and auditing in a seamless, fully managed way, reducing operational overhead.
Reference: AWS KMS Automatic Key Rotation
Amazon S3 Server-Side Encryption
A company has primary and secondary data centers that are 500 miles (804.7 km) apart and interconnected with high-speed fiber-optic cable. The company needs a highly available and secure network connection between its data centers and a VPC on AWS for a mission-critical workload. A solutions architect must choose a connection solution that provides maximum resiliency.
Which solution meets these requirements?
- A . Two AWS Direct Connect connections from the primary data center terminating at two Direct Connect locations on two separate devices
- B . A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on the same device
- C . Two AWS Direct Connect connections from each of the primary and secondary data centers terminating at two Direct Connect locations on two separate devices
- D . A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on two separate devices
C
Explanation:
For maximum resiliency and fault tolerance in a mission-critical scenario, AWS recommends redundant Direct Connect connections from multiple data centers to multiple AWS Direct Connect locations.
This protects against:
Data center failure
Device failure
Location outages
“For workloads that require high availability, we recommend that you use multiple Direct Connect connections at multiple Direct Connect locations.” ― AWS Direct Connect Resiliency Recommendations
Option C follows AWS maximum resiliency model.
Reference: AWS Direct Connect Resiliency Models
High Availability Using AWS Direct Connect