Amazon Web Services Updated SAA-C03 Exam Questions and Answers by crystal

According to AWS best practices, each tier’s security group must restrict inbound traffic to only the upstream trusted source. For the web tier, the Application Load Balancer must be the only entity allowed to send traffic. AWS documentation specifies: “Restrict the security groups associated with your targets to accept traffic only from the load balancer.” This confirms that the web tier security group should allow inbound HTTPS from the ALB security group (A).

For communication between the web and application tiers, AWS states: “You can specify a security group as the source or destination in a rule” and “Create rules only for the protocols and ports required by your application.” Therefore, the application tier security group must allow inbound HTTPS traffic from the web tier security group (E).

For the database tier, AWS guidance says: “Allow only the necessary ports for database communication.” Microsoft SQL Server listens on port 1433 by default, so the database tier security group must allow inbound SQL Server traffic from the application tier security group (C).

Outbound rules (options B, D, and F) are unnecessary because AWS specifies that “Security groups are stateful. Return traffic is automatically allowed.” This means once inbound rules are defined, the return path is automatically permitted without extra outbound configurations.

This combination (A, C, E) applies the principle of least privilege, ensures end-to-end secure communication across tiers, and follows AWS recommendations for ALB-to-target security group setups.

Option Ais the best solution as it leveragesAWS Lambdafor serverless, scalable, and highly available processing and enrichment of clickstream data. Lambda can process the data in real-time, join it with the Aurora database data, and write the enriched results to Amazon S3. FromS3,Amazon Redshift Spectrumcan directly query the enriched data without needing to load the data into Redshift, enabling cost efficiency and high availability.

Why Other Options Are Incorrect:

Option B:EC2 Spot Instances are not guaranteed to be highly available, as Spot Instances can be interrupted at any time. This does not align with the requirement for high availability.

Option C:While ECS with AWS Fargate provides scalability, using EC2 for the COPY command introduces operational overhead and compromises high availability.

Option D:Kinesis Data Firehose and Athena are suitable for querying raw data, but they do not directly support enriching the data by joining with Aurora. This solution fails to meet the requirement for data enrichment.

Key AWS Features Used:

AWS Lambda:Real-time serverless processing with integration capabilities for Aurora and S3.

Amazon S3:Cost-effective storage for enriched data.

Amazon Redshift Spectrum:Direct querying of data stored in S3 without loading it into Redshift.

AWS Documentation References:

AWS Lambda Function Overview

Amazon Redshift Spectrum

Processing Streaming Data with Kinesis Data Streams

AWS KMS automatic key rotationis the simplest and most operationally efficient solution. Enabling automatic key rotation ensures that KMS automatically generates new key material for the key every year without requiring manual intervention.

Option B:Configuring alerts to rotate keys introduces operational overhead as the actual rotation must still be managed manually.

Option C:Scheduling a Lambda function to rotate keys adds unnecessary complexity compared to enabling automatic key rotation.

Option D:Using a CloudFormation stack to run a Lambda function for key rotation increases operational overhead and complexity unnecessarily.

AWS Documentation References:

AWS KMS Key Rotation

Using Customer-Managed Keys with Amazon RDS

For near-real-time streaming workloads that are highly latency-sensitive, the network layer must provide ultra-low latency and high throughput between compute nodes. Elastic Fabric Adapter (EFA) is specifically designed to meet these requirements. EFA enables EC2 instances to communicate using a high-performance network interface that bypasses traditional TCP/IP networking, providing lower and more consistent latency. This is especially valuable for tightly coupled workloads that require fast inter-node communication.

Option B is the correct choice because EFA supports custom networking stacks and is optimized for applications such as real-time data processing, distributed computing, and high-performance workloads. EFA integrates directly with supported EC2 instance types and allows applications to take advantage of enhanced networking capabilities without requiring complex multi-VPC architectures.

Option A introduces additional network hops and latency due to VPC peering and is not suitable for ultra-low-latency workloads. Option C (spread placement groups) is designed to increase fault tolerance by placing instances on separate hardware, but it does not optimize for low-latency communication and may actually increase network distance between instances. Option D improves storage performance, not network performance, and does not affect inter-instance latency.

Therefore, B is the best solution because Elastic Fabric Adapter is the AWS-recommended approach for achieving the lowest possible network latency between EC2 instances in performance-critical streaming architectures.