Amazon Web Services Updated SAA-C03 Exam Questions and Answers by ralphie

Service control policies (SCPs) in AWS Organizations apply to the accounts or OUs to which they are attached:

To restrict only nonproduction accounts, you can:

Attach the SCP directly to those specific member accounts (Option B), or

Create a dedicated OU for the nonproduction accounts and attach the SCP to that OU (Option E).

Both methods ensure that the deny policy affects only the nonproduction accounts and does not impact the production account.

Why the others are incorrect:

A: Attaching the SCP to the root OU would apply the deny to all accounts, including production, which does not meet the requirement.

C: SCPs attached to the management account only affect that account, not all member accounts.

D: Creating an OU for the production account and attaching the deny SCP there would block the prohibited instance types in production, which is the opposite of what is required.

AWS Lake Formation provides centralized data access control, including fine-grained (column-level) permissions for data stored in S3 and accessed through services like Amazon Athena.

Using a Lake Formation blueprint to ingest data from Aurora MySQL into the data lake keeps ingestion and governance integrated. When QuickSight uses Athena as the data source, Athena enforces Lake Formation’s column-level permissions automatically. This allows the marketing team to see only the authorized subset of columns without custom access-control logic.

Options A, B, and C rely on manually limiting columns at ingestion time or using IAM or S3 bucket policies, which do not provide true column-level authorization for SQL queries and require significantly more manual work and maintenance.

Amazon API Gateway supports multiple API types: REST, HTTP, WebSocket, and gRPC. HTTP APIs are a newer, lightweight option that support JWT authorizers natively, enabling secure, scalable authentication for APIs with JSON Web Tokens.

HTTP APIs can integrate with ALBs as a backend target, providing direct connectivity and simplified API management with JWT authentication built in.

REST APIs support JWT but are more feature-rich and complex, often used for legacy or more complex use cases, and have higher costs and latency. WebSocket APIs are for real-time, bidirectional communication, which is not requested here. gRPC APIs support RPC calls but are less common for public HTTP-based APIs with JWT auth.

Therefore, HTTP API with JWT authorizers is the best fit for this use case.

For an application requiring TCP communication and high availability:

Network Load Balancer (NLB)is the best choice for load balancing TCP traffic because it is designed for handling high-throughput, low-latency connections.

Auto Scaling groupensures that the application can automatically scale based on demand, adding or removing EC2 instances as needed, which is crucial for handling user growth.

Option C (Application Load Balancer): ALB is primarily for HTTP/HTTPS traffic, not ideal for TCP.

Option D (Manual scaling): Manually adding instances does not provide the automation or scalability required.

Option E (Gateway Load Balancer): GLB is used for third-party virtual appliances, not for direct application load balancing.

AWS References:

Network Load Balancer

Auto Scaling Group