AWS Certified Associate Changed SAA-C03 Questions

The correct answer is A because the application must accept TLS connections from IPv4 clients , provide outbound internet access , present a single entry point , and maintain the lowest possible attack surface . Placing the Amazon ECS tasks in private subnets is the key security design decision because it prevents direct inbound access from the internet to the tasks themselves. The public-facing entry point is the load balancer, while outbound internet access for the private tasks is provided through a NAT gateway in the public subnet.

A Network Load Balancer (NLB) is well suited for handling TLS at Layer 4 and can expose a single public endpoint for client connections. With awsvpc network mode, each ECS task receives its own elastic network interface, making it straightforward to place tasks securely in private subnets while still registering them as targets behind the load balancer.

Option B is incorrect because an egress-only internet gateway is for IPv6 outbound traffic only , while the requirement specifically mentions IPv4 clients . Option C is incorrect because placing ECS tasks in public subnets increases the attack surface by exposing application infrastructure more directly to the internet. Option D is also incorrect for two reasons: it uses an egress-only internet gateway , which does not satisfy IPv4 outbound needs, and it places tasks in public subnets , which violates the goal of minimizing exposure.

AWS security design guidance emphasizes reducing exposure by placing application workloads in private subnets and exposing only the required front-end endpoint. Therefore, a public NLB with private ECS tasks and a NAT gateway is the most secure and appropriate architecture.

EC2 Auto Scaling warm pools allow you to pre-initialize instances, reducing the delay in scale-out events. This results in significantly faster response times during demand surges while remaining cost-effective compared to always running at peak capacity.

AWS Spot best practices recommend diversifying capacity across multiple instance types and Availability Zones and using the capacity-optimized (price-capacity-optimized) allocation strategy to choose pools with the deepest capacity for higher availability. Adding a small On-Demand base in the Auto Scaling group maintains steady, uninterrupted baseline processing while keeping costs low and absorbing Spot interruptions. Option C (lowest price) increases interruption risk. Capacity Reservations (B) target On-Demand capacity guarantees and add cost, not needed for Spot-based elasticity. Option E is redundant; diversification is already achieved with (D). This combination maximizes resiliency of Spot workloads while preserving strong cost efficiency and aligns with AWS guidance for fault-tolerant, stateless applications on Spot.

Amazon QuickSight includes built-in ML-powered forecasting capabilities, allowing you to create, visualize, and interact with time series forecasts directly within the BI dashboard, with no ML experience or infrastructure management required. This is the lowest management overhead solution.

AWS Documentation Extract:

" Amazon QuickSight provides built-in ML-powered forecasting, allowing business users to forecast future trends with a few clicks and no machine learning expertise required. "

(Source: Amazon QuickSight documentation)

A, C, D: Require additional setup, management, or ML knowledge.