Amazon Web Services Updated SAA-C03 Exam Questions and Answers by katie

Aurora global database is specifically designed for cross-Region disaster recovery and low-latency global reads.

It provides:

Physical storage-level replication between Regions, typically with lag of under 1 second, easily satisfying RPO 1 minute.

Fast cross-Region failover capabilities, often within minutes or less, which meets the RTO 5 minutes requirement.

You configure the primary Region as the writer cluster and additional Regions (such as us-west-1) as secondary clusters with reader endpoints. In a disaster, you promote the secondary to be the new writer.

Why others are not correct:

A: Standard cross-Region read replicas for Aurora PostgreSQL do not provide automatic multi-Region failover with the same guarantees as Aurora global database and may not meet strict RTO/RPO requirements.

C: Logical replication and custom EventBridge failover is complex, error-prone, and higher overhead compared to the managed global database feature.

D: Restoring from snapshots plus cross-Region replication is too slow to meet RTO 5 minutes and certainly cannot maintain RPO 1 minute.

The most secure and AWS-recommended way for EC2 instances to access AWS services is by using IAM roles attached through instance profiles. Option C correctly implements this pattern.

IAM roles provide temporary credentials via the EC2 metadata service, eliminating the need for long-term access keys. Using CloudFormation ensures consistent, repeatable deployments across Regions while maintaining security best practices.

All other options expose long-term credentials, increasing the risk of compromise and violating AWS security guidance. Therefore, C is the correct and most secure solution.

Durable storage of incoming orders with buffering and ability to handle surges is exactly what Amazon SQS is designed for. SQS provides highly durable, scalable queues that decouple producers from consumers.

Centrally tracking workflow steps is a core use case of AWS Step Functions, which gives a visual workflow and state machine, tracks the state of each order, and can orchestrate calls to multiple microservices (in this case, Lambda functions).

Combining SQS + Step Functions + Lambda gives:

Durable queueing for orders (SQS).

Loose coupling and surge handling (SQS decoupling + auto-scaling Lambda).

Central orchestration and tracking of order-processing steps (Step Functions).

Why the other options are not correct:

A: SNS is a pub/sub service, not a durable work queue, and is not designed for “store-and-retry until processed” workloads in the same way SQS is.

C: SQS + EventBridge provides decoupling but no central, stateful workflow tracking; EventBridge is event routing, not workflow orchestration.

D: SNS + EventBridge still lacks durable order storage and explicit centralized workflow/state tracking.

AWS guidance for NAT Gateway recommends deploying “a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.” This provides “zone-independent architecture” and avoids cross-AZ data processing charges and single-AZ failures. Option B creates a single point of failure and incurs cross-AZ egress charges when private subnets in other AZs traverse a centralized NAT. NAT instances (C) are legacy, require manual scaling/failover/patching, and are not recommended for production HA. Option D is not supported (NLB cannot front a NAT Gateway as a target). With steady, uniform load, per-AZ NAT Gateways deliver high availability with predictable cost; routing each private subnet to its local NAT Gateway maintains security (no inbound initiated connections) and resilience. This meets the requirement for cost-effective, secure outbound connectivity across multiple AZs while preserving availability.