Amazon Web Services Updated SAA-C03 Exam Questions and Answers by mitchell

The correct answer isAbecause the application must acceptTLS connections from IPv4 clients, provideoutbound internet access, present asingle entry point, and maintain thelowest possible attack surface. Placing the Amazon ECS tasks inprivate subnetsis the key security design decision because it prevents direct inbound access from the internet to the tasks themselves. The public-facing entry point is the load balancer, while outbound internet access for the private tasks is provided through aNAT gatewayin the public subnet.

ANetwork Load Balancer (NLB)is well suited for handlingTLSat Layer 4 and can expose a single public endpoint for client connections. Withawsvpcnetwork mode, each ECS task receives its own elastic network interface, making it straightforward to place tasks securely in private subnets while still registering them as targets behind the load balancer.

Option B is incorrect because anegress-only internet gatewayis forIPv6 outbound traffic only, while the requirement specifically mentionsIPv4 clients. Option C is incorrect because placing ECS tasks inpublic subnetsincreases the attack surface by exposing application infrastructure more directly to the internet. Option D is also incorrect for two reasons: it uses anegress-only internet gateway, which does not satisfy IPv4 outbound needs, and it places tasks inpublic subnets, which violates the goal of minimizing exposure.

AWS security design guidance emphasizes reducing exposure by placing application workloads in private subnets and exposing only the required front-end endpoint. Therefore, a publicNLBwith private ECS tasks and aNAT gatewayis the most secure and appropriate architecture.

AWS Key Management Service (AWS KMS) provides multi-Region keys, allowing the same key to be used across Regions without managing your own hardware or key replication.

Multi-Region keys are fully managed and support attribute-based access control (ABAC) using tags and condition keys.

CloudHSM (Options C and D) requires full key lifecycle management, synchronization, and hardware operations, resulting in significantly higher overhead.

Imported key material (Option B) increases key-management responsibility.

=====================================================

Creating a manual copy of the automated snapshot is the most operationally efficient option because it directly meets the requirement—retain a specific snapshot beyond the automated retention window—with the least added process and tooling. In Amazon RDS, automated backups and their snapshots are retained only for the configured backup retention period (up to the service maximum). When that retention period is exceeded, older automated snapshots are removed automatically. However, manual snapshots are retained until you explicitly delete them, so converting (copying) an automated snapshot to a manual snapshot is the standard operational approach to keep a point-in-time backup for long-term retention.

Option C is incorrect because you cannot extend automated snapshot retention beyond the maximum supported retention; also, setting “45 days” may still be within or beyond the service limits depending on the engine and configuration, and it doesn’t guarantee indefinite retention. Option B (export to S3) is not the most operationally efficient for the stated goal: exporting is a different workflow (often used for analytics, archiving in open formats, or cross-tool usage) and introduces extra steps, format considerations, and ongoing management in S3. Option D is also heavier operationally: native SQL Server backups require managing backup jobs, storage layout, restores, and permissions, and it shifts responsibility to the customer for operational correctness.

Therefore, A is the simplest and most AWS-native way to preserve an RDS snapshot long-term with minimal operational overhead.

AWS best practice is to use IAM roles with instance profiles for EC2 instances so that applications obtain temporary credentials automatically and do not need to store access keys.

To honor the principle of least privilege, each microservice should have an IAM role that grants only the specific permissions it needs.

Therefore, creating individual IAM roles per microservice and attaching them via instance profiles (Option D) both minimizes long-term credential management and applies least privilege cleanly.

Why others are not correct:

A: Using IAM users with access keys in code is insecure and high-overhead (key rotation, secret management).

B: A single broad role violates least privilege because every microservice gets more permissions than it needs.

C: Separate accounts per microservice is extreme over-segmentation and significantly increases operational complexity.