AWS Certified Associate SAA-C03 Reddit Questions

Amazon CloudWatch Container Insightsis designed for monitoring containerized environments like EKS. It provides native support for collecting and visualizing metrics and logs in a centralized location through CloudWatch dashboards, offering the most operationally efficient solution.

Option A:Using the CloudWatch agent provides basic metrics but lacks the specific insights required for containerized applications.

Option B:Kinesis Data Streams and Firehose add unnecessary complexity for this use case.

Option C:CloudTrail is for auditing API activity and is not designed for application metrics and log aggregation.

AWS Documentation References:

Amazon CloudWatch Container Insights

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The requirement is an automated notification 30 days before an imported ACM certificate expires, delivered to the security team via an existing SNS topic with email subscription. The most operationally efficient approach is to use Amazon EventBridge with the managed event type for ACM certificate expiration. ACM publishes an event when a certificate is approaching expiration, and EventBridge can match that event and route it directly to a target service without custom polling logic.

Option D uses an EventBridge rule for the ACM Certificate Approaching Expiration event and sets the SNS topic as the target. This directly delivers an alert to the existing notification channel (email via SNS) and requires minimal code and minimal ongoing maintenance. It also avoids building and scheduling a scanner that must enumerate certificates, calculate dates, handle pagination, and manage failures.

Option C sends the event to SQS. While SQS is useful for decoupling and buffering, the requirement is to notify the security team, and SNS is already configured for email delivery. Using SQS would add an extra consumer component to read from the queue and publish notifications, which is additional operational overhead.

Options A and B require a custom Lambda-based scanning solution. That introduces scheduling (for example, EventBridge schedule), logic to detect “30 days remaining,” error handling, and ongoing maintenance. Since ACM already emits a purpose-built event for expiring certificates, polling is unnecessary and less efficient.

Therefore, D is the best solution: it uses a native event from ACM, routes it through EventBridge, and notifies the security team through the existing SNS topic with the least operational effort.

Amazon S3 is the most scalable and cost-optimized object storage for large amounts of data. It integrates natively with Amazon SageMaker, which allows direct access to S3 data for machine learning training jobs without the need to copy data elsewhere. The S3 Intelligent-Tiering storage class further optimizes storage costs for data with unknown or changing access patterns, while maintaining immediate availability for ML training.

Copying to FSx for Lustre or EFS adds unnecessary complexity and cost unless ultra-high throughput POSIX file access is specifically required, which is not mentioned here.

AWS Documentation Extract:

" Amazon S3 provides cost-effective storage for ML data sets, and Amazon SageMaker can directly access data in S3. S3 Intelligent-Tiering automatically moves data between frequent and infrequent access tiers, optimizing costs for changing data access patterns. "

(Source: AWS S3 and SageMaker documentation)

A, D: FSx for Lustre or EFS may be used in specialized cases but are not cost-optimized for general large-scale ML data storage.

C: SageMaker notebook instance storage is not designed for large-scale data ingestion or long-term storage.

AWS provides EBS Block Public Access at the AWS Organizations level, which, when enabled, prevents EBS snapshots from being shared publicly across all member accounts. This is an organization-wide control that requires minimal configuration and no ongoing monitoring to prevent public sharing.

This directly satisfies the requirement:

Covers all accounts managed by Organizations.

Explicitly prevents public snapshot sharing.

Has the least operational overhead because it is a single centralized control.

AWS Config (Option A) only monitors and alerts, but does not prevent public sharing.

An IAM policy in the root account (Option C) is harder to enforce consistently across all accounts and may not cover all permission paths.

CloudTrail (Option D) only logs events and does not prevent public access.