SAA-C03 Premium Exam Questions

For application access to AWS services from ECS tasks, the correct identity is the ECS task role. AWS separates the task execution role, which is mainly for pulling images and sending logs, from the task role, which is used by the application code running inside the container. Because the application itself needs to read from S3, the least-effort and most secure design is to grant the necessary S3 permissions directly to the task role. Using IAM users and access keys would introduce unnecessary credential management and reduce security. Therefore, assigning the required S3 permissions to the task role is the proper AWS best-practice solution.

============

AWS Direct Connect: Provides a dedicated network connection from your on-premises data center to AWS, ensuring low latency and consistent network performance.

Direct Connect Gateway Association:

Direct Connect Gateway: Acts as a global network transit hub to connect VPCs across different AWS regions.

Association with Transit Gateway: Enables communication between on-premises data centers and multiple VPCs connected to the transit gateway.

Transit Virtual Interface (VIF):

Create Transit VIF: To connect Direct Connect with a transit gateway.

Setup Steps:

Establish a Direct Connect connection.

Create a transit VIF to the Direct Connect gateway.

Associate the Direct Connect gateway with the transit gateway attached to the VPCs.

Cost Efficiency: This combination avoids the recurring costs and potential performance variability of VPN connections, providing a robust, low-latency hybrid network solution.

The Lambda function already has an execution role, so the correct fix is toadd CloudWatch Logs permissions to that same role. AWS documentation lists the required permissions for a Lambda function to write logs: logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. A separate role for the S3 bucket would not help because Lambda uses its own execution role when it runs. An S3 bucket policy is unrelated to CloudWatch Logs logging. The logs:GetLogEvents permission is for reading logs, not writing them. Updating the existing execution role is the least-complex and correct solution.

============

Business-critical applications often require predictable, low-latency I/O and high durability. Provisioned IOPS SSD (io1 or io2) Amazon EBS volumes are specifically engineered for these workloads.

Option C provides consistent, high-performance storage with guaranteed IOPS and low latency. EBS volumes are network-attached and persist independently of the EC2 instance lifecycle, ensuring durability and data protection. Provisioned IOPS volumes are commonly used for databases, transactional systems, and latency-sensitive applications.

Option A (instance store) offers low latency but is ephemeral and loses data on instance stop or failure. Option B is in-memory caching and not durable storage. Option D is optimized for large, sequential workloads and does not provide consistent low latency.

Therefore, C is the correct choice because it delivers the required performance, durability, and reliability for mission-critical applications.