Amazon Web Services Updated SAA-C03 Exam Questions and Answers by cece

The requirement explicitly states that the solution must not involve training a machine learning model, which immediately eliminates options that require custom ML development. Amazon Rekognition is a fully managed computer vision service that can analyze images and detect inappropriate or unwanted content using pretrained models provided by AWS.

Option B correctly uses Amazon Rekognition’s image moderation capabilities to analyze uploaded photos and identify unsafe or unwanted content categories. By invoking Rekognition from an AWS Lambda function, the solution remains serverless, automatically scalable, and operationally efficient. The Lambda function URL provides a secure HTTPS endpoint that the web application can call synchronously during uploads.

Option A violates the requirement because SageMaker Autopilot is designed to build and train ML models. Option C is incorrect because Amazon Comprehend is a natural language processing service for text analysis, not image moderation. CloudFront Functions also do not support calling external AWS services like Rekognition. Option D uses Rekognition Video, which is intended for analyzing video streams, not static images.

Using Lambda and Rekognition together ensures minimal operational overhead, no ML training effort, and immediate enforcement of content moderation policies. The architecture also allows easy extension, such as logging moderation results or blocking uploads based on confidence thresholds.

Therefore, B is the correct solution because it meets the content moderation requirement using AWS-managed ML services without requiring model training.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

Routing requests to the “appropriate microservices” implies Layer 7 (HTTP/HTTPS) routing such as host-based or path-based rules (for example, /customers to one service and /orders to another). In EKS, the most direct and cost-efficient way to provide this style of routing is to use Kubernetes Ingress with the AWS Load Balancer Controller to provision an Application Load Balancer (ALB). An ALB natively supports HTTP/HTTPS request routing features (paths, hosts, headers), which map cleanly to microservices patterns and reduce the need for additional infrastructure components.

A Network Load Balancer (NLB) (Option A) is primarily Layer 4 and is best for TCP/UDP/TLS pass-through and ultra-high performance. It does not provide the same native HTTP path-based routing behavior required to steer requests between microservices based on URL structure, so it often forces you to add another routing layer (like an in-cluster ingress gateway), which can increase cost and operational complexity.

Option C is not an appropriate request routing mechanism; Lambda is compute, not an ingress/routing layer for EKS. Option D (API Gateway) can front services, but for simple microservice routing into EKS it typically adds per-request costs and additional configuration compared with using an ALB that is purpose-built for HTTP load balancing and routing. API Gateway is a great fit for API management features (throttling, usage plans, keys, transformations), but those are not requirements here.

Therefore, B is the most cost-effective and architecturally aligned solution for HTTP routing across EKS-hosted microservices using managed AWS-native ingress integration.

Using an Application Load Balancer (ALB) allows for integration with AWS WAF to inspect all incoming traffic. Running the application on Amazon ECS provides a scalable and managed container orchestration service. Utilizing Amazon Aurora Serverless for the PostgreSQL database offers automatic scaling based on application demand, which is cost-effective for workloads with variable traffic patterns, such as higher traffic on weekdays and lower traffic on weekends.

AWS Secrets Manager is purpose-built to securely store, manage, and rotate sensitive credentials such as database user names and passwords. Option A is the most operationally efficient solution because it eliminates manual password rotation, reduces human error, and centralizes secret lifecycle management. Secrets Manager integrates natively with Amazon Aurora, enabling automated credential rotation using AWS-managed or custom Lambda rotation logic. Once rotation is enabled, Secrets Manager updates the database credentials and stores the new values securely without requiring administrators to manually update files on EC2 instances.

By assigning IAM permissions to the secret, access can be tightly controlled using least-privilege principles. The application retrieves credentials at runtime, removing the need to store passwords locally on disk, which significantly improves security posture. Secrets Manager also provides auditing capabilities through AWS CloudTrail, allowing visibility into secret access and changes.

Option B (Systems Manager Parameter Store) can securely store secrets, but automated rotation is not natively supported in the same way as Secrets Manager. Implementing rotation with Parameter Store would require additional custom automation, increasing operational complexity. Option C stores credentials in S3, which is not designed for frequent credential rotation or secure secret access patterns, even when encrypted. Option D only encrypts credentials at rest on individual instances and does not address rotation, distribution, or centralized management, resulting in high operational overhead.

Therefore, A best meets the requirements by providing secure storage, automated monthly rotation, fine-grained access control, and minimal operational effort, aligning with AWS security and operational excellence best practices.