Free SAA-C03 Practice Questions

1. AWS Auto Scaling User Guide, Section: "Distribute instances across Availability Zones". The documentation states, "By launching your instances in separate Availability Zones, you can protect your applications from the failure of a single location... When one Availability Zone becomes unhealthy or unavailable, Amazon EC2 Auto Scaling launches new instances in an unaffected Availability Zone."

2. AWS Auto Scaling User Guide, Section: "Set scaling limits for your Auto Scaling group". This section explains the function of minimum capacity: "The minimum capacity is the minimum number of instances that you want in your Auto Scaling group." This directly supports setting the minimum to two to meet the requirement.

3. AWS Well-Architected Framework - Reliability Pillar (July 2023), Page 23, Section: "Deploy the workload to multiple locations". The framework advises, "For a regional service, you can increase availability by deploying the workload to multiple AZs within an AWS Region... If one AZ fails, the workload in other AZs can continue to operate."

4. Amazon EC2 User Guide, Section: "Instance purchasing options". This guide describes On-Demand Instances as suitable for "applications with short-term, spiky, or unpredictable workloads that cannot be interrupted," which aligns with the needs of a production application, unlike Spot Instances.

1. Amazon S3 User Guide, "Managing data access with Amazon S3 access points": "Amazon S3 access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations... Each access point has distinct permissions and network controls that S3 applies for any request that is made through that access point." This document explicitly details how access points simplify managing access for shared datasets.

2. Amazon S3 User Guide, "Should I use a bucket policy or an access point policy?": "For a shared dataset with hundreds of applications, creating and managing a single bucket policy can be challenging. With S3 Access Points, you can create and manage application-specific policies without having to change the bucket policy." This directly supports using access points for multiple applications accessing a single bucket.

3. Amazon S3 User Guide, "Access control list (ACL) overview": "We recommend using S3 bucket policies or IAM policies for access control. Amazon S3 ACLs is a legacy access control mechanism...". This confirms that using ACLs (as suggested in option B) is not the recommended best practice.

4. Amazon S3 User Guide, "Replication": While replication is a powerful feature for data redundancy and geographic distribution, using it for access control as suggested in options C and D is an anti-pattern that increases cost and operational complexity, contradicting the question's core requirement.

1. AWS Savings Plans User Guide, "What are Savings Plans?": This official guide provides a comparison table that explicitly states what each plan covers.

Compute Savings Plans apply to: "EC2 instances across regions, Fargate, and Lambda".

SageMaker Savings Plans apply to: "SageMaker instance usage".

EC2 Instance Savings Plans apply to: "EC2 instance family in a region".

This directly supports that a Compute SP covers EC2, Fargate, and Lambda, while a separate SageMaker SP is needed for SageMaker.

2. Amazon SageMaker Pricing, "SageMaker Savings Plans" section: "Amazon SageMaker Savings Plans offer a flexible, usage-based pricing model for Amazon SageMaker... These plans automatically apply to eligible SageMaker ML instance usage including SageMaker Studio notebooks, SageMaker On-Demand notebooks, SageMaker Processing, SageMaker Data Wrangler, SageMaker Training, SageMaker Real-Time Inference, and SageMaker Batch Transform." This confirms SageMaker requires its own dedicated savings plan.

3. AWS Compute Blog, "Introducing Compute Savings Plans": "Compute Savings Plans are a new and flexible pricing model that provide savings up to 66% on your AWS compute usage. These plans automatically apply to your Amazon EC2 instances, and your AWS Fargate and AWS Lambda usage." This source confirms the services covered by a Compute Savings Plan, notably excluding SageMaker.

1. Amazon EventBridge User Guide, "Transforming event content with input transformation": This document explicitly describes the Input Transformer feature. It states, "You can use input transformation to customize the text from an event before you send it to the target of a rule... you can create a custom payload that includes only the information you want to pass to the target." This directly supports the chosen answer (C).

2. AWS Lambda Developer Guide, "Invoking Lambda functions": This guide details invocation types. For synchronous invocation (RequestResponse), it states, "When you invoke a function synchronously, Lambda runs the function and waits for a response." This waiting process creates a dependency, or tight coupling, which is contrary to the question's requirements and makes option (D) incorrect.

3. Amazon Simple Notification Service Developer Guide, "Amazon SNS message filtering": This guide explains that filter policies are applied to message attributes. It states, "By default, a subscription receives every message published to the topic. To receive a subset of the messages, a subscriber must assign a filter policy to the subscription." The examples clearly show policies matching against key-value pairs in the attributes, not the message body, making option (B) incorrect.

4. AWS Well-Architected Framework, "Decouple components": This design principle, part of the Reliability Pillar, advocates for architectures where components are loosely coupled. It states, "The failure of a single component should not cascade to other components." The synchronous invocation in option (D) and the central transformer in option (A) create tighter coupling than the event-routing pattern of EventBridge.

1. AWS Backup Developer Guide: "What is AWS Backup?" - This section introduces AWS Backup as a "fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises." It explicitly lists Amazon EC2, Amazon RDS, and Amazon DynamoDB as supported services.

Source: AWS Backup Developer Guide, "What is AWS Backup?".

2. AWS Backup Product Page: "AWS Backup Features" - The documentation highlights "Centralized backup management" and "Policy-based backup" as key features, allowing users to "configure backup policies and monitor backup activity for your AWS resources in one place."

Source: AWS Backup official product page, "Features" section.

3. AWS Config Developer Guide: "What Is AWS Config?" - This guide states, "AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources." This confirms its purpose is configuration monitoring, not backup execution.

Source: AWS Config Developer Guide, "What Is AWS Config?".

4. AWS Systems Manager User Guide: "What is AWS Systems Manager?" - The documentation describes Systems Manager as the "operations hub for your AWS applications and resources," focusing on tasks like patch management and configuration management, not as a centralized data backup service.

Source: AWS Systems Manager User Guide, "What is AWS Systems Manager?".

1. AWS Lake Formation Developer Guide - Lake Formation tag-based access control: This document states, "Lake Formation tag-based access control (TBAC) is an authorization strategy that defines permissions based on attributes, which are called tags... This helps when you have a large number of data catalog resources and principals to manage." It also details how to grant cross-account permissions using tags. (See section: "Granting permissions on Data Catalog resources").

2. AWS Lake Formation Developer Guide - Sharing data across AWS accounts: This guide explains the two main methods for cross-account sharing: the Named Resource method and the Tag-Based Access Control (TBAC) method. It highlights TBAC as a scalable approach. (See section: "Cross-account data sharing in Lake Formation").

3. AWS Big Data Blog - Simplify and scale your data governance with AWS Lake Formation tag-based access control: This article provides a detailed walkthrough and states, "TBAC is a scalable way to manage permissions in AWS Lake Formation... With TBAC, you can grant permissions on Lake Formation resources to principals in the same account or other accounts..." (See section: "Cross-account sharing with TBAC").

1. AWS Key Management Service Developer Guide: Under "AWS KMS concepts," the guide distinguishes between key types. For customer managed keys, it states, "You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material..." In contrast, for AWS managed keys, it notes, "...you cannot change the properties of these KMS keys, rotate them, or change their key policies."

Source: AWS KMS Developer Guide, "AWS KMS concepts," Section: "KMS keys."

2. Amazon S3 User Guide: This guide details the different server-side encryption options. For SSE-KMS, it explains, "Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service. There are separate permissions for the use of a KMS key that provides an additional layer of control as well as an audit trail." This highlights the control and minimal effort of the integrated service.

Source: Amazon S3 User Guide, "Protecting data using server-side encryption," Section: "Using server-side encryption with AWS KMS keys (SSE-KMS)."

3. Amazon S3 User Guide: When describing SSE-S3, the documentation clarifies the lack of customer control: "When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a root key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data." The management and rotation are handled entirely by AWS.

Source: Amazon S3 User Guide, "Protecting data using server-side encryption," Section: "Using server-side encryption with Amazon S3-managed keys (SSE-S3)."

1. Stopping an Amazon RDS DB instance temporarily: "While your DB instance is stopped, you are charged for provisioned storage... but not for DB instance hours."

Source: AWS Documentation, Amazon RDS User Guide, "Stopping an Amazon RDS DB instance temporarily", Section: "Billing for a stopped DB instance".

2. Instance Scheduler on AWS: "The Instance Scheduler on AWS is a solution that automates the starting and stopping of Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS) instances."

Source: AWS Solutions Library, Instance Scheduler on AWS, "Solution overview" section.

3. Amazon RDS Reserved Instances: "Amazon RDS Reserved Instances (RIs) give you the option to reserve a DB instance for a one- or three-year term and in turn receive a significant discount compared to the On-Demand Instance pricing for the DB instance." (This is ideal for steady-state usage).

Source: AWS Documentation, Amazon RDS User Guide, "Working with reserved DB instances", "Overview of reserved DB instances" section.

1. Static Content Hosting: AWS Documentation, Amazon S3 User Guide, "Hosting a static website using Amazon S3". This guide details the standard practice of using S3 for static assets. The addition of CloudFront is a best practice for performance and availability, as described in the Amazon CloudFront Developer Guide, "Using CloudFront with an Amazon S3 origin".

2. Application Hosting: AWS Documentation, Amazon ECS Developer Guide, "What is Amazon Elastic Container Service?". This section explains how ECS with Fargate allows you to run containers without managing servers, and the Elastic Load Balancing User Guide details how an Application Load Balancer distributes traffic across targets (like Fargate tasks) in multiple Availability Zones for high availability.

3. Session Management: AWS Documentation, Amazon ElastiCache for Redis User Guide, "Minimizing downtime in ElastiCache with Multi-AZ". This document explains how enabling Multi-AZ provides enhanced high availability and automatic failover for the Redis cluster, making it suitable for critical session data.

4. Architectural Best Practices: AWS Whitepaper, AWS Well-Architected Framework, "Reliability Pillar". This whitepaper emphasizes designing for high availability by removing single points of failure and using managed services that offer built-in reliability, which aligns with the architecture proposed in option D.

1. AWS Lambda Developer Guide, "Using AWS Lambda with Amazon S3": This guide details the event-driven pattern. It states, "Amazon S3 can publish events... when an object is created... You can have S3 invoke a Lambda function when an event occurs." It also recommends a more robust architecture: "To ensure that events are processed successfully, you can configure S3 to send events to an Amazon Simple Queue Service (Amazon SQS) queue."

2. AWS Well-Architected Framework, Cost Optimization Pillar (July 2023): This whitepaper outlines the principle of "Adopt a consumption model" (p. 7). It advises, "Pay only for the computing resources that you require... For example, AWS Lambda is an event-driven compute service that you can use to run code for virtually any type of application or backend service, with zero administration and paying only for what you use." This directly supports choosing Lambda over a provisioned EC2 instance.

3. Amazon S3 User Guide, "Configuring Amazon S3 Event Notifications": This document confirms that S3 can be configured to send event notifications to destinations like an Amazon SQS queue, an Amazon SNS topic, or an AWS Lambda function. This validates the trigger mechanism proposed in the correct answer.

4. AWS Lambda Pricing: The official pricing page confirms the pay-per-use model. It states, "With AWS Lambda, you pay only for what you use. You are charged based on the number of requests for your functions and the duration... it takes for your code to execute." This is the core reason for its cost-effectiveness in this scenario.

1. AWS Documentation, VPC User Guide, "Gateway endpoints for Amazon S3": This document states, "A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to Amazon S3... There is no additional charge for using gateway endpoints." This confirms that option A is the most cost-effective solution.

Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html (See the introductory paragraphs and the "Pricing for gateway endpoints" section).

2. AWS Documentation, "Amazon VPC pricing": This official pricing page details the costs associated with different VPC components. It shows that NAT Gateways and AWS PrivateLink (Interface Endpoints) have both "per hour" and "per GB" data processing charges, while Gateway Endpoints do not have these charges.

Source: https://aws.amazon.com/vpc/pricing/ (See sections "NAT Gateway" and "AWS PrivateLink").

3. AWS Documentation, VPC User Guide, "Compare NAT gateways and NAT instances": This guide explains that a NAT gateway is used to "enable instances in a private subnet to connect to the internet or other AWS services". This implies traffic leaves the VPC, incurring data processing costs, unlike a gateway endpoint which keeps traffic on the AWS private network.

Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html (See the "NAT gateway" description).

1. AWS Documentation on Scheduled Scaling: "Scheduled scaling allows you to set your own scaling schedule for predictable load changes. For example, let's say that every week the traffic to your web application starts to increase on Wednesday, remains high on Thursday, and starts to decrease on Friday. You can plan your scaling actions based on the predictable traffic patterns of your web application."

Source: AWS Documentation, Scheduled scaling for Amazon EC2 Auto Scaling.

2. AWS Documentation on Dynamic Scaling: "With dynamic scaling, you define how to scale the capacity of your Auto Scaling group in response to changing demand. For example, you have a web application that currently runs on two instances and you want the CPU utilization of the Auto Scaling group to stay at around 50 percent when the load on the application changes." This highlights its reactive nature based on metrics.

Source: AWS Documentation, Dynamic scaling for Amazon EC2 Auto Scaling.

3. AWS Documentation on Application Load Balancer: "An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action." This confirms its role is traffic routing, not capacity scaling.

Source: AWS Documentation, What is an Application Load Balancer?.

1. Amazon SQS Developer Guide: "With FIFO queues, you don't have to worry about receiving duplicate messages. FIFO queues prevent duplicates from being sent by a producer or processed by a consumer... The queue makes a best effort to preserve the order of messages, and it delivers each message exactly once."

Source: AWS Documentation, Amazon SQS Developer Guide, Section: "Exactly-once processing".

2. AWS Lambda Developer Guide: "You can use an AWS Lambda function to process messages in an Amazon Simple Queue Service (Amazon SQS) queue... Lambda polls the queue and invokes your Lambda function synchronously with an event that contains queue messages. Lambda reads messages in batches and invokes your function once for each batch."

Source: AWS Documentation, AWS Lambda Developer Guide, Section: "Using AWS Lambda with Amazon SQS".

3. Amazon SQS Developer Guide: "Amazon SQS provides FIFO (First-In-First-Out) queues and standard queues. FIFO queues are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can't be tolerated."

Source: AWS Documentation, Amazon SQS Developer Guide, Section: "Amazon SQS message queues".

1. AWS Documentation: AWS WAF with Global Accelerator: "You can use AWS WAF to protect your applications by configuring an AWS WAF web ACL and associating it with your accelerator. A web ACL contains rules that inspect web requests and that specify what to do when a request matches the criteria in a rule: block the request, allow it, or count it." (AWS Global Accelerator Developer Guide, "AWS WAF with Global Accelerator" section).

2. AWS Documentation: Rate-based rule statement: "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action on IPs with rates that go over a limit. You can use this to put a temporary block on requests from an IP address that's sending a flood of requests." (AWS WAF Developer Guide, "Rule statements list", "Rate-based rule statement" section).

3. AWS Documentation: How AWS Shield works: "For protection against application layer attacks, you can use AWS WAF to define rules that provide you with fine-grained control over your web traffic... For higher levels of protection against DDoS attacks, AWS offers AWS Shield Advanced." (AWS Shield Developer Guide, "How AWS Shield works" section). This reference clarifies that WAF is the appropriate tool for application-layer (Layer 7) DDoS mitigation, which is what a website would face.

1. Amazon VPC User Guide, "Gateway endpoints": This document states, "A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service... We do not charge for gateway endpoints." It explicitly lists Amazon S3 as a supported service.

Source: AWS Documentation, Amazon Virtual Private Cloud User Guide, Section: "VPC endpoints", Subsection: "Gateway endpoints".

2. Amazon VPC Pricing: The official pricing page confirms the cost difference. Under the "VPC Endpoints" section, it states, "There are no additional charges for using gateway endpoints." In contrast, it lists both hourly and data processing charges for "Interface Endpoints".

Source: AWS Documentation, Amazon VPC Pricing, Section: "AWS PrivateLink" (which covers Interface Endpoints) and the note on Gateway Endpoints.

3. Amazon VPC User Guide, "Compare endpoint types": This section provides a direct comparison, highlighting that gateway endpoints are used by specifying the service in a route table, while interface endpoints use an Elastic Network Interface (ENI). This architectural difference underpins the pricing model.

Source: AWS Documentation, Amazon Virtual Private Cloud User Guide, Section: "VPC endpoints", Subsection: "Compare endpoint types".

1. AWS Organizations User Guide, "Service control policies (SCPs)": "SCPs are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization." This establishes SCPs as the tool for centralized permission management.

2. AWS Organizations User Guide, "Example service control policies": The section "Prevent Amazon EC2 instances from being launched with unapproved instance types" provides a direct example of an SCP that uses a Deny statement for the ec2:RunInstances action with a condition based on the ec2:InstanceType key. This confirms the exact mechanism described in the correct answer.

3. AWS Identity and Access Management User Guide, "Actions, resources, and condition keys for Amazon EC2": This document lists ec2:InstanceType as a valid condition key that can be used in IAM policies (and by extension, SCPs) to control the ec2:RunInstances action, confirming the technical viability of the policy logic.

4. AWS Resource Access Manager User Guide, "What is AWS Resource Access Manager?": The documentation states, "AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts...". This confirms that RAM's purpose is resource sharing, not policy enforcement.

1. AWS Documentation. (2023). Amazon EBS User Guide. "Attach a volume to multiple instances with Amazon EBS Multi-Attach". In the "Considerations and limitations" section, it explicitly states, "You can enable Multi-Attach for Provisioned IOPS SSD (io1 and io2) volumes." It also notes the requirement for "Nitro-based instances in the same Availability Zone."

2. AWS Documentation. (2023). Amazon EBS User Guide. "Amazon EBS volume types". The table detailing volume type features confirms that only io1 and io2/io2 Block Express are listed with "Multi-Attach" as a supported feature. The gp2, gp3, and st1 volume types are not listed as supporting Multi-Attach.

1. Amazon S3 User Guide, Replicating objects: "Amazon S3 Replication is an elastic, fully managed, low-cost feature that replicates objects between buckets... Cross-Region Replication (CRR) is used to copy objects across Amazon S3 buckets in different AWS Regions." This document establishes CRR as the primary, managed solution for this use case.

2. Amazon S3 User Guide, Using AWS Lambda with Amazon S3: This guide describes how to build event-driven architectures. While it shows the possibility of using Lambda for object manipulation, it is a more hands-on approach compared to the managed replication service. The existence of a dedicated feature (CRR) makes the Lambda option higher in operational effort.

3. Amazon S3 User Guide, Managing your storage lifecycle: "A lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects. There are two types of actions: Transition actions... [and] Expiration actions..." This confirms Lifecycle rules are for state changes and deletion, not replication.

4. Amazon S3 User Guide, Cross-origin resource sharing (CORS): "Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain." This source clarifies that CORS is for client-side web access control, not server-side data replication.

1. Amazon S3 User Guide, Storage classes: This document outlines the use cases for different S3 storage classes. S3 Standard is for "frequently accessed data," while S3 Glacier Flexible Retrieval is for "archive data that is accessed 1–2 times per year and is retrieved asynchronously," which aligns with the "backup purposes" requirement. (See: "Amazon S3 storage classes" section).

2. Amazon S3 User Guide, Managing your storage lifecycle: This guide explains how to create lifecycle policies. It states, "You define the rules for Amazon S3 to apply to a group of objects... The actions that you can define are transition actions and expiration actions." Option C correctly uses a transition action at 30 days and an expiration action at 90 days. (See: "Lifecycle configuration elements" section).

3. Amazon S3 User Guide, Lifecycle transition general considerations: This document details the transition paths. It confirms that transitioning from S3 Standard to S3 Glacier Flexible Retrieval is a valid and supported lifecycle action. (See: "Supported transitions and related constraints" table).

1. Amazon SQS Developer Guide, "Amazon SQS and interface VPC endpoints": This document explicitly states, "To allow your Amazon EC2 instances in your VPC to access Amazon SQS, you can create an interface VPC endpoint... With an interface endpoint, communication between your VPC and Amazon SQS is conducted entirely and securely within the AWS network." It also mentions associating security groups with the endpoint.

Source: AWS Documentation, docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-vpc-endpoints.html

2. AWS PrivateLink Guide, "Interface VPC endpoints": This guide details the functionality of interface endpoints, explaining that they create ENIs in the specified subnets. It clarifies, "For each subnet that you specify... we create an endpoint network interface... You can associate security groups with an endpoint network interface."

Source: AWS Documentation, docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html (See sections "Endpoint network interfaces" and "Security groups").

3. AWS PrivateLink Guide, "Control access to services using VPC endpoints": This document confirms the use of security groups for interface endpoints: "When you create an interface endpoint, you can associate security groups with the endpoint network interface. This security group controls the traffic to the endpoint from resources in your VPC."

Source: AWS Documentation, docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html (See section "Security groups").

1. AWS Documentation - VPC User Guide, "Gateway endpoints for Amazon S3": This document states, "A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service... Traffic between your VPC and the service does not leave the Amazon network." This supports the use of a gateway endpoint for private S3 access.

2. AWS Documentation - Direct Connect User Guide, "What is AWS Direct Connect?": This guide explains, "AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS." This confirms its role in creating a private link from the on-premises data center.

3. AWS Documentation - VPC User Guide, "What is a VPC endpoint?": In the section comparing endpoint types, it clarifies that Gateway Endpoints support Amazon S3 and DynamoDB, while Interface Endpoints use an elastic network interface for private access to other AWS services. This distinguishes the correct endpoint type for this scenario.

4. AWS Documentation - VPC User Guide, "NAT gateways": This source states, "You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet..." This confirms that using a NAT gateway would violate the requirement to avoid the public internet.

1. Amazon FSx for NetApp ONTAP User Guide: "You can use NetApp SnapMirror to replicate data between two Amazon FSx for NetApp ONTAP file systems. SnapMirror is a feature of the ONTAP software that you can use to replicate data at the volume level. A common use case for SnapMirror is for disaster recovery, by replicating data from your primary file system in one AWS Region to a secondary file system in another AWS Region." (AWS Documentation, Working with NetApp SnapMirror, Section: Replicating data with SnapMirror).

2. Amazon FSx for NetApp ONTAP User Guide: "For disaster recovery, you can use NetApp SnapMirror to replicate your data to another FSx for ONTAP file system in any AWS Region." (AWS Documentation, Disaster recovery, Section: Disaster recovery options for FSx for ONTAP).

3. AWS Backup Developer Guide: AWS Backup supports FSx for ONTAP, allowing you to "copy backups to other AWS Regions for disaster recovery." However, this is a backup-and-restore method, distinct from the native replication provided by SnapMirror. (AWS Documentation, Working with Amazon FSx, Section: Amazon FSx backup).

1. Amazon GuardDuty Documentation: "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation."

Source: AWS Documentation, What Is Amazon GuardDuty?, Introduction.

2. AWS Security Blog: A common security pattern is described: "This solution uses Amazon GuardDuty to detect suspicious activity... Amazon CloudWatch Events [now EventBridge] to detect the GuardDuty finding, and an AWS Lambda function to perform the remediation by updating the AWS WAF IP block list."

Source: AWS Security Blog, How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts, Solution overview section.

3. Amazon EventBridge Documentation: "An event bus receives events from a source and routes them to targets based on rules. A rule matches incoming events and sends them to targets for processing... When an event matches a rule, EventBridge sends the event to the specified targets. For example, you can create a rule that invokes a Lambda function..."

Source: AWS Documentation, Amazon EventBridge User Guide, "Amazon EventBridge event buses".

4. AWS Well-Architected Framework - Security Pillar: This framework emphasizes implementing detective controls and automating responses. "Implement detective controls to identify potential security threats or incidents... Automate response to events to reduce the time to react." The architecture in option A directly implements this principle.

Source: AWS Well-Architected Framework, Security Pillar, "SEC 07: How do you detect and investigate security events?", and "SEC 08: How do you protect your compute resources?".

1. Amazon Kinesis Data Firehose: "Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics services. It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration."

Source: AWS Documentation, Amazon Kinesis Data Firehose Developer Guide, "What Is Amazon Kinesis Data Firehose?".

2. AWS Lambda Limits: "Timeout - The amount of time that Lambda allows a function to run before stopping it. The default is 3 seconds. The maximum value is 900 seconds (15 minutes)."

Source: AWS Documentation, AWS Lambda Developer Guide, "Quotas", Lambda function configuration quotas table.

3. AWS Step Functions for Long-Running Workflows: "AWS Step Functions is a serverless orchestration service that lets you combine AWS Lambda functions and other AWS services to build business-critical applications... You can create long-running, automated workflows for applications that require human interaction, or workflows that can last for up to a year."

Source: AWS Documentation, AWS Step Functions Developer Guide, "What is AWS Step Functions?".

4. AWS Database Migration Service (DMS) Purpose: "AWS Database Migration Service (AWS DMS) is a managed migration and replication service that helps you move your database and analytics workloads to AWS quickly, securely, and with minimal downtime..."

Source: AWS Documentation, AWS DMS User Guide, "What is AWS Database Migration Service?".

1. AWS Certificate Manager User Guide, "Domain validation": This document compares DNS and email validation. It states, "We recommend that you use DNS validation instead of email validation. DNS validation has two main advantages over email validation...ACM can renew certificates automatically that you validated by using DNS...If you use Route 53 to manage your public DNS records, you can allow ACM to write the CNAME for you."

2. AWS Certificate Manager User Guide, "Managed renewal for ACM certificates": This guide explains the automated renewal process. For DNS-validated certificates, "ACM renews the certificate automatically as long as the certificate is in use and your CNAME record remains in place in your DNS configuration." This confirms the automation and efficiency of the DNS method.

3. AWS CloudFront Developer Guide, "Requirements for using SSL/TLS certificates with CloudFront": This document specifies the use of ACM for custom domains. It states, "To use an SSL/TLS certificate from AWS Certificate Manager (ACM), you must request or import the certificate in the US East (N. Virginia) Region (us-east-1)." This confirms ACM is the correct service to integrate with CloudFront.

4. AWS CloudFront Developer Guide, "Security policies": This section details the function of security policies: "A security policy determines...the SSL/TLS protocol that CloudFront uses to encrypt the content that it returns to viewers...[and] the ciphers that CloudFront uses." This confirms it is unrelated to certificate creation.

1. AWS Control Tower Documentation - Detect and resolve drift in AWS Control Tower: This document states, "Drift is a state in which the resources in your landing zone are not in conformance with the governance policies that AWS Control Tower has established for them... AWS Control Tower scans your landing zone OUs and accounts to detect drift." It also explains that notifications for drift events are sent to Amazon EventBridge. (Source: AWS Control Tower User Guide, "Detect and resolve drift in AWS Control Tower").

2. AWS Control Tower Documentation - How AWS Control Tower works: This guide explains that Control Tower creates a foundational OU structure as part of the landing zone setup. Any unauthorized modifications to this structure are considered drift. (Source: AWS Control Tower User Guide, "How AWS Control Tower works", Section: "Landing zone").

3. AWS Config Developer Guide - Supported AWS Resource Types: The official list of resource types supported by AWS Config does not include AWS::Organizations::OrganizationalUnit. This confirms that AWS Config is not the appropriate tool for directly monitoring the OU structure itself. (Source: AWS Config Developer Guide, Appendix: "Supported Resource Types").

1. Amazon EFS User Guide: "Amazon EFS is a file storage service... It's built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, so you don't need to manage storage. It's designed to provide massively parallel shared access for thousands of Amazon EC2 instances..."

Source: AWS Documentation, Amazon EFS User Guide, "What is Amazon Elastic File System?", Section: "How Amazon EFS works".

2. AWS Whitepaper - "Storage for Your Web Applications": This paper explicitly discusses the use case of EFS for content management systems. "For web serving and content management, you need a durable, highly available storage solution that can be shared across a fleet of web servers... Amazon EFS is a file storage service for Amazon EC2 instances. Amazon EFS is easy to use and provides a simple interface that allows you to create and configure file systems quickly and easily."

Source: AWS Whitepapers & Guides, Storage for Your Web Applications, Page 4, Section: "Web Serving and Content Management".

3. Amazon EBS User Guide: "An EBS volume is an off-instance storage device that can be attached to your instances. After you attach a volume to an instance, you can use it as you would use a physical hard drive... An Amazon EBS volume can only be attached to a single instance at a time."

Source: AWS Documentation, Amazon EBS User Guide, "Amazon EBS volumes", Section: "Volume attachment and detachment".

1. AWS Savings Plans User Guide, "What are Savings Plans?": This document states, "Compute Savings Plans provide the most flexibility and help to reduce your costs by up to 66%... These plans automatically apply to EC2 instance usage regardless of instance family, size, AZ, Region, OS or tenancy." This directly supports the choice of a Compute Savings Plan for maximum flexibility.

2. AWS Savings Plans User Guide, "Choosing between Savings Plans and RIs": The guide explains, "If you want the flexibility to change instance families, Regions, operating systems, or tenancies, you should purchase a Compute Savings Plan." This confirms that for the scenario described, a Compute Savings Plan is superior to RIs.

3. AWS Savings Plans User Guide, "EC2 Instance Savings Plans": This section clarifies the limitation of this plan type: "EC2 Instance Savings Plans... provide the lowest prices, offering savings up to 72%... in exchange for commitment to usage of individual instance families in a chosen Region (for example, M5 usage in N. Virginia)." This highlights why it is the incorrect choice when family changes are required.

1. Babelfish for Aurora PostgreSQL: AWS Documentation, Working with Babelfish for Aurora PostgreSQL. "Babelfish for Aurora PostgreSQL is a capability of Amazon Aurora PostgreSQL-Compatible Edition that enables your Aurora cluster to understand database requests from applications written for Microsoft SQL Server... With Babelfish, applications that were originally written for SQL Server can work with Aurora with fewer code changes."

Source: AWS Documentation, Amazon Aurora User Guide, "Working with Babelfish for Aurora PostgreSQL".

2. AWS Schema Conversion Tool (SCT): AWS Documentation, What is the AWS Schema Conversion Tool?. "Use the AWS Schema Conversion Tool (AWS SCT) to convert your existing database schema from one database engine to another... You can convert relational OLTP schema or a data warehouse schema."

Source: AWS Documentation, AWS Schema Conversion Tool User Guide, "What is the AWS Schema Conversion Tool?".

3. AWS Database Migration Service (DMS): AWS Documentation, What is AWS Database Migration Service?. "AWS Database Migration Service (AWS DMS) is a web service that you can use to migrate data from a source data store to a target data store... For heterogeneous migrations, the source and target databases are of different types, such as an Oracle database to an Amazon Aurora database."

Source: AWS Documentation, AWS Database Migration Service User Guide, "What is AWS Database Migration Service?".

1. Amazon RDS User Guide - Backing up and restoring an Amazon RDS DB instance: "Amazon RDS creates and saves automated backups of your DB instance... during the backup window... You can set the backup retention period to a value from 0 to 35 days... To modify the backup retention period, you can use the AWS Management Console, the AWS CLI, or the RDS API." This confirms that modifying the retention period is the standard, built-in method.

2. Amazon RDS User Guide - Modifying an Amazon RDS DB instance: This section details the process of changing DB instance settings, including the BackupRetentionPeriod. The procedure is a simple modification of the instance properties, highlighting its low operational overhead. (See the "Modifying a DB instance" section in the console or the modify-db-instance command in the CLI documentation).

1. Amazon EFS Features: "Amazon EFS is built to scale on demand to petabytes without disrupting applications... It supports the Network File System version 4 (NFSv4.1 and NFSv4.0) protocol... With Amazon EFS, you can mount your file systems on your on-premises datacenter servers when connected to your Amazon VPC with AWS Direct Connect or AWS VPN."

Source: AWS Documentation, "What is Amazon Elastic File System?", Features section.

2. EFS High Availability and Durability: "Amazon EFS is designed to be highly available and durable. Amazon EFS Standard and One Zone storage classes are designed for 99.99% (4 nines) of availability... EFS Standard redundantly stores data and metadata across multiple geographically separated Availability Zones (AZs) within a Region."

Source: AWS Documentation, "Amazon EFS: How it works", Availability and durability section.

3. EFS Storage Classes and Cost Optimization: "Amazon EFS offers two storage classes: Amazon EFS Standard and Amazon EFS Infrequent Access (EFS IA)... EFS IA provides price/performance that is cost-optimized for files that are not accessed every day... You can use EFS Lifecycle Management to automatically move files from EFS Standard to EFS IA."

Source: AWS Documentation, "Amazon EFS storage classes".

1. Amazon Aurora User Guide, "Using Amazon Aurora Serverless v2": "Aurora Serverless v2 is an on-demand, automatic scaling configuration for Amazon Aurora... It's suitable for a broad set of applications. For example, it can be a good choice for workloads that have infrequent or intermittent activity and also for workloads that have regular cycles of high and low usage."

2. Amazon Aurora User Guide, "How Aurora Serverless v2 works": "With Aurora Serverless v2, you don't have to provision, scale, and manage any database servers. Instead, you create an Aurora Serverless v2 DB cluster... The database capacity automatically scales up and down based on your application's needs."

3. AWS Documentation, "Amazon Aurora FAQs", Section: Amazon Aurora Serverless: "Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora... It enables you to run your database in the cloud without managing any database capacity. You can specify the desired database capacity range, and Aurora Serverless automatically scales to meet your application’s needs."

1. Amazon SQS Pricing – “Standard Queue: $0.40 per 1 M requests; FIFO Queue: $0.50 per 1 M requests.” (https://aws.amazon.com/sqs/pricing, section “Pricing”)

2. AWS Key Management Service Pricing – “$0.03 per 10 000 requests” for Encrypt/Decrypt. (https://aws.amazon.com/kms/pricing, “Request Charges”)

3. Amazon SQS Developer Guide – “SSE-SQS uses an AWS-owned key at no additional cost; SSE-KMS uses a customer master key and incurs KMS charges.” (Server-Side Encryption, 2023-10-25, para 4)

4. Amazon SQS Developer Guide – “Standard queues provide at-least-once delivery… FIFO queues provide exactly-once processing.” (Introduction, “Queue Types”, para 2–3)

5. AWS Lambda Developer Guide – “When you configure an SQS queue as an event source, Lambda processes messages at least once.” (Using AWS Lambda with Amazon SQS, 2023-09-14, para 1)

1. AWS Compute Optimizer User Guide, "What is AWS Compute Optimizer?": "AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of your AWS resources. It reports whether your resources are optimal, and generates optimization recommendations to reduce the cost and improve the performance of your workloads."

2. AWS Compute Optimizer User Guide, "Supported resources and requirements": This section explicitly lists "EC2 instances," "Auto Scaling groups," and "Amazon EBS volumes" as supported resource types for which Compute Optimizer provides recommendations.

3. AWS Cost and Usage Reports User Guide, "What are AWS Cost and Usage Reports?": "The AWS Cost and Usage Reports (AWS CUR) contains the most comprehensive set of AWS cost and usage data available... The report lists AWS usage for each service category... in hourly, daily, or monthly line items." This highlights that CUR is a data source, not a recommendation engine.

4. Amazon CloudWatch User Guide, "Using Amazon CloudWatch alarms," "Creating a billing alarm to monitor your estimated AWS charges": This documentation explains that billing alarms are used to "send you an email message when the estimated charges on your AWS bill exceed a certain level (threshold) that you define." This confirms their purpose is budget monitoring, not resource optimization.

1. AWS Documentation - Amazon SQS Developer Guide: "Amazon SQS offers a secure, durable, and available hosted queue that lets you integrate and decouple distributed software systems and components... SQS provides a generic web services API that you can access using any programming language that the AWS SDK supports."

Source: AWS Documentation, What is Amazon SQS?, Retrieved from https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html

2. AWS Well-Architected Framework - Reliability Pillar: The framework recommends decoupling components to improve reliability. "A common pattern for this is to use a queue. The service that creates the work puts a message on a queue. A separate service can then read the message from the queue, do the work, and then delete the message." This directly describes the solution in option C.

Source: AWS Well-Architected Framework, Reliability Pillar, Page 26, "Decouple components". Retrieved from https://d1.awsstatic.com/whitepapers/architecture/AWSWell-ArchitectedFramework.pdf

3. AWS Documentation - Decoupling applications for scalability and resilience: "By decoupling your application's components, you can build more resilient and scalable applications... Amazon SQS provides a message queue that can be used to buffer requests and decouple different components of your application."

Source: AWS Prescriptive Guidance, Decoupling applications for scalability and resilience with Amazon SQS and Amazon SNS. Retrieved from https://aws.amazon.com/prescriptive-guidance/patterns/decouple-applications-for-scalability-and-resilience-with-amazon-sqs-and-amazon-sns/