Amazon Web Services Updated SAA-C03 Exam Questions and Answers by harris

To track costs associated with different teams within a single AWS account, the company should implement user-defined cost allocation tags.

Tagging Resources with CostCenter: Assign the CostCenter tag to all resources, specifying the appropriate value for each team. This practice enables the organization to categorize and track AWS costs effectively.

Activating the CostCenter Tag: After tagging resources, activate the CostCenter tag in the AWS Billing and Cost Management console. Activation is necessary for the tags to appear in cost allocation reports and AWS Cost Explorer.

By following these steps, the company can generate detailed billing reports that break down costs by team, facilitating better cost management and accountability.

Amazon RDS Multi-AZ deployments provide automatic failover for relational databases such as MySQL, ensuring high availability and durability. The feature maintains synchronous replication between a primary DB instance and a standby in a separate Availability Zone. AWS guarantees that failover typically completes within minutes, ensuring an RTO and RPO of less than 2 minutes. Option A requires manual promotion of replicas, which cannot meet the strict RTO/RPO requirement. Option C depends on custom scripts and manual synchronization, introducing operational risk. Option D creates active-active EC2-based databases, which do not provide synchronous replication or automated failover. Therefore, Multi-AZ RDS (B) is the managed, resilient, and operationally efficient solution that meets the business requirements.

AWS Lambda supports encrypting environment variables at rest using AWS KMS. You can use encryption helpers (or Lambda’s built-in support) to encrypt sensitive environment variable values using a KMS key. These encrypted variables are not visible in plaintext to developers, either in the console or when running the code.

AWS Documentation Extract:

"AWS Lambda automatically encrypts environment variables at rest. For additional security, you can use AWS KMS keys and encryption helpers to encrypt environment variables, ensuring they are never exposed in plaintext."

(Source: AWS Lambda documentation, Environment Variables Security)

A: Does not address the issue (and adds more management overhead).

B, C: There is no native support for environment variable encryption via CloudHSM or ACM.

AWS Security Hub provides a centralized view of security findings across AWS accounts and services. It integrates natively with AWS Config conformance packs, which evaluate compliance against industry standards such as CIS and PCI-DSS.

From AWS Documentation:

“AWS Security Hub aggregates, organizes, and prioritizes security alerts and compliance status across AWS accounts. Use AWS Config conformance packs to assess compliance with security frameworks.”

(Source: AWS Security Hub User Guide – Managing Findings and Compliance)

Why C is correct:

Security Hub provides a centralized dashboard for compliance visibility.

Conformance packs in AWS Config automate compliance checks across accounts.

Fully managed, minimal maintenance, and integrates natively with AWS services.

Why others are incorrect:

A: Conformance packs are not a feature of Amazon Inspector.

B: Third-party tools on EC2 require management and add operational overhead.

D: Systems Manager is not designed for compliance aggregation.