Amazon Web Services Updated SAA-C03 Exam Questions and Answers by teddy-james

To secure data in transit, the company should use AWS Certificate Manager (ACM) to provide SSL/TLS certificates for the Application Load Balancer. ACM allows easy provisioning, management, and renewal of public and private certificates, ensuring secure communication between users and applications.

To secure data at rest, AWS Key Management Service (KMS) is used to manage encryption keys for Amazon EBS volumes. EBS integrates with AWS KMS, allowing for server-side encryption using KMS-managed keys (SSE-KMS), thus meeting the encryption at rest requirement.

Other options:

GuardDuty (A) is for threat detection, not encryption.

AWS Shield (B) protects against DDoS attacks, not encryption.

Secrets Manager (D) manages credentials, not general data encryption.

This solution follows the AWS Well-Architected Framework – Security Pillar.

???? References:

Encrypting EBS volumes with KMS

Using ACM with ALB

AWS Global Accelerator provides static anycast IP addresses that are announced from AWS edge locations. Traffic sent to these IPs is routed over the AWS global network to the nearest healthy endpoint (for example, an ALB or NLB) in any Region. Because clients connect to static IPs instead of DNS names that change, failover does not depend on DNS TTLs or client cache expiry, which avoids stale DNS entries.

You can register endpoints in multiple Regions and let Global Accelerator automatically fail over when health checks fail, all behind a single global endpoint.

CloudFront (Option A) is primarily for HTTP/HTTPS content caching and still uses DNS; it is not intended as a generic multi-Region failover solution for arbitrary applications.

Route 53 (Options B and D) relies on DNS; clients can cache DNS responses and may keep sending traffic to an unhealthy Region until TTLs expire, which does not meet the “avoid stale DNS client caches” requirement.

For a MySQL database experiencing high write operations, using Amazon RDS with Provisioned IOPS (io1 or io2) SSD storage is recommended to achieve consistent and low-latency performance. Provisioned IOPS allows you to specify a desired IOPS rate, which is crucial for write-intensive workloads.

Monitoring write operation metrics through Amazon CloudWatch enables you to observe performance and adjust the provisioned IOPS as needed to meet application demands.

AWS X-Ray is the AWS service designed for distributed tracing, giving end-to-end visibility into how requests flow through microservices, APIs, and serverless components. It provides service maps, latency breakdowns, and performance insight per service, which is exactly what is required.

To use X-Ray effectively, each application stack must be instrumented. For infrastructure deployed through AWS CloudFormation, best practice is to enable and configure X-Ray in the CloudFormation templates (for Lambda, API Gateway, ECS, etc.). That way, all teams and stacks have consistent tracing enabled as part of their IaC.

Control Tower (Option B) cannot “turn on” X-Ray tracing inside applications; it only helps with account setup and guardrails.

CloudTrail (Option A) is for audit logging of API calls, not performance tracing.

CloudWatch (Option C) provides metrics and logs, but not request-level distributed tracing across multiple services.