Amazon Web Services Updated SAA-C03 Exam Questions and Answers by lois

Step A:AWS WAF with managed rules protects the API against application-layer attacks, such as SQL injection and cross-site scripting (XSS).

Step C:Amazon Cognito provides secure authentication and supports federation with social IdPs using OIDC or SAML. It integrates seamlessly with API Gateway.

Option B:AWS Shield Advanced provides DDoS protection, which is not explicitly required in this scenario.

Option D:API keys provide identification, not authentication, and are insufficient for this use case.

Option E:IP filters in WAF are overly restrictive for federated authentication scenarios.

AWS Documentation References:

Amazon Cognito Federation

AWS WAF Managed Rules

Why Option C is Correct:

NAT Gateway: Allows private subnets to access the internet for outbound requests while preventing inbound connections.

High Availability: Deploying NAT gateways in both AZs ensures fault tolerance.

Shared Route Table: Simplifies routing configuration for private subnets.

Why Other Options Are Not Ideal:

Option A: Creating separate route tables for each subnet adds unnecessary complexity.

Option B: Internet gateways allow inbound access, violating the requirement to block public IPv4 access.

Option D: Egress-only internet gateways are designed for IPv6, not IPv4.

AWS References:

Amazon VPC NAT Gateway:AWS Documentation - NAT Gateway

To ensure container images are secure and to notify administrators about vulnerabilities, the solution needs (1) a vulnerability scanning capability for container images and (2) a notification mechanism that alerts when findings occur. Amazon Inspector provides automated security assessments and can scan container images stored in Amazon ECR to identify software vulnerabilities and unintended network exposure patterns, producing findings that can be acted upon. Therefore, D addresses the core requirement of detecting vulnerabilities in container images.

To notify administrators with minimal custom work, AWS Config can help by evaluating resources against desired configurations and integrating with notifications through AWS services (for example, via Amazon SNS using Config rules/conformance packs). Using the AWS Config conformance pack for Amazon ECS helps establish a managed set of compliance checks aligned to ECS-related best practices. While Inspector is the system that detects vulnerabilities, Config can be used to enforce and monitor governance controls around the container environment and can trigger notifications when noncompliance is detected. In exam patterns, pairing an Inspector detection capability with a managed governance/notification framework like Config is a common “two-part” answer.

The other options do not meet the requirement: A (privileged mode) can increase risk rather than improve image security; logging does not equal vulnerability detection. C is unrelated because AWS WAF protects web applications at the edge and does not scan container images for CVEs. E is incorrect because Parameter Store stores configuration data and secrets; it does not encrypt container images (ECR encryption at rest is handled by AWS-managed mechanisms and KMS integration, not Parameter Store).

So D provides scanning and B supports managed compliance/notification controls with low operational overhead.

Amazon DynamoDB is a serverless, NoSQL database that is fully managed, highly available, and scales automatically. It is ideal for data without a fixed schema and for use cases where fields can vary by user. DynamoDB Streams enables the capture of changes to table items in real time, which is ideal for triggering additional processing or workflows on data modifications.

Reference Extract from AWS Documentation / Study Guide:

"DynamoDB provides a scalable, highly available NoSQL database service for applications requiring flexible schema. DynamoDB Streams captures table activity for processing changes in real time."

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Serverless section.