Amazon Web Services Updated SAA-C03 Exam Questions and Answers by tillie

The correct answer isBbecause the company already runs the application onKubernetes, and the application usesAMQPto communicate with a message queue. Amazon EKS is the AWS managed Kubernetes service, so migrating the containerized workload toAmazon EKSallows the company to preserve its existing Kubernetes-based deployment model while reducing the operational burden of managing the Kubernetes control plane. This is the most straightforward migration path for a Kubernetes application and avoids the need for significant re-architecture.

The messaging requirement is equally important. Because the application specifically usesAMQP, the best AWS managed service isAmazon MQ, which supports industry-standard messaging protocols including AMQP. This means the company can migrate the application with minimal code changes and without replacing the messaging pattern already built into the application.

Option A is incorrect becauseAmazon SQSdoes not support AMQP and would require application changes. Option C is incorrect because running the application on EC2 instances creates more infrastructure management overhead than using a managed container orchestration service. Option D is incorrect because AWS Lambda is not a natural fit for an existing containerized Kubernetes application that depends on AMQP-based messaging, and SQS again does not satisfy the AMQP requirement.

AWS architectural best practices favor managed services that minimize undifferentiated operational work.Amazon EKSreduces Kubernetes control plane management, andAmazon MQpreserves protocol compatibility. Together, they provide the required scalability on AWS with the least operational overhead while supporting the company’s current architecture.

Field-level encryption in Amazon CloudFront provides end-to-end encryption for specific data fields (e.g., credit card numbers, social security numbers). It ensures that sensitive fields are encrypted at the edge before being forwarded to the origin, and only the authorized application with the private key can decrypt them.

This adds a layer of protection beyond HTTPS, which encrypts the whole payload but not individual fields. Signed URLs and cookies are for access control, not encryption. Setting HTTPS Only is a good practice but does not satisfy the field-specific encryption requirement.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

To capture traffic metadata to and from network interfaces in a VPC, the correct telemetry source is VPC Flow Logs. Flow Logs can publish records to destinations such as CloudWatch Logs, which is a natural first landing zone for near-real-time log ingestion and centralized retention/permissions. The next requirement is to stream that data to Amazon OpenSearch Service for analysis with minimal operational overhead.

Amazon Data Firehose is purpose-built for fully managed delivery of streaming data to destinations including OpenSearch. Firehose handles buffering, batching, retry behavior, and optional transformations, and it minimizes the need to build and operate custom consumers. Therefore, sending VPC Flow Logs to CloudWatch Logs and then using Firehose to deliver to OpenSearch is an operationally efficient and scalable pattern.

Option A uses Kinesis Data Streams, which would require building/operating consumers (or additional integration components) to read from the stream and load into OpenSearch, adding operational complexity compared with Firehose’s managed delivery. Options C and D are incorrect because CloudTrail records API activity and governance events, not VPC network flow records; VPC Flow Logs do not publish to CloudTrail trails.

Thus, B best meets the requirement: Flow Logs capture the network interface traffic metadata; CloudWatch Logs provides near-real-time log collection; and Firehose provides managed streaming delivery into OpenSearch for indexing and analytics with minimal operational effort.

AWS Backup is a fully managed backup service designed to centralize and automate data protection across AWS services including EC2 and RDS. It allows users to define backup schedules (backup plans) and automatically create and retain backups. AWS Backup also offers restore testing plans, allowing users to automate the validation of backups by restoring them in a controlled manner. This service is built to minimize operational overhead by removing the need to manage custom scripts, manual processes, or additional orchestration services. This aligns with AWS best practices for resilience, automation, and operational excellence.

Reference Extract from AWS Documentation / Study Guide:

" AWS Backup enables you to centralize and automate data protection across AWS services. You can create backup plans, schedule backups, and set lifecycle policies. AWS Backup also enables restore testing to verify your backup integrity, with minimal manual intervention. "

Source: AWS Certified Solutions Architect – Official Study Guide, Resiliency and Disaster Recovery section; AWS Backup User Guide.