Changed SAA-C03 Exam Questions

Comprehensive and Detailed Explanation (paraphrased from AWS Solutions Architect guidance):

Amazon Route 53 latency-based routing is specifically designed to route users to the endpoint that provides the lowest latency, based on actual latency measurements between AWS Regions and users’ networks. This directly supports the goal of optimizing load times (performance).

For non-AWS endpoints (like an on-premises data center), Route 53 lets you create a latency routing record and associate it with the AWS Region that is closest to that endpoint. In this case, the on-premises data center is near us-west-1, so you associate that latency record with the us-west-1 Region.

Users for whom the eu-central-1 Region has lower latency will be routed to the AWS website in eu-central-1.

Users for whom the us-west-1–associated endpoint has lower latency will be routed to the on-premises website.

This matches AWS best practices for high-performance, low-latency architectures when you have multiple endpoints in different geographic locations, including a mix of AWS and on-premises resources.

Why the other options are not correct:

Option A (Failover routing):

Failover routing is designed for high availability and disaster recovery (active–passive), not for optimizing latency.

All traffic goes to the primary endpoint (eu-central-1) unless it is unhealthy. That does not choose the lowest-latency endpoint for each user, so it does not meet the “optimize load times as much as possible” requirement.

Option B (IP-based routing):

IP-based / geo-based policies are about directing users based on location information (IP/geo), not measured latency.

You would have to manually decide which IP ranges get which endpoint, which does not guarantee that each user goes to the lowest-latency endpoint. It’s less precise and less dynamic than latency-based routing.

Option D (Weighted routing):

Weighted routing splits traffic according to fixed weights (e.g., 50/50), regardless of user location or latency.

This is useful for testing, blue/green deployment, or gradual traffic shifting, but not for performance optimization per user.

Therefore, the only option that directly aligns with AWS guidance for performance optimization and latency-based traffic steering across Regions and on-premises endpoints is:

✅ C. Create a DNS record with a latency-based routing policy… associate the on-premises endpoint with us-west-1.

AWS Glue Crawler: AWS Glue is a fully managed ETL (Extract, Transform, Load) service that makes it easy to prepare and load data for analytics. A Glue crawler can automatically discover new data and schema in Amazon S3, making it easy to keep the data catalog up-to-date.

Crawling the Data:

Set up an AWS Glue crawler to scan the S3 bucket containing the clickstream data.

The crawler will automatically detect the schema and create/update the tables in the AWS Glue Data Catalog.

Amazon Athena:

Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

Once the data catalog is updated by the Glue crawler, use Athena to query the clickstream data directly in S3.

Operational Efficiency: This solution leverages fully managed services, reducing operational overhead. Glue crawlers automate data cataloging, and Athena provides a serverless, pay-per-query model for quick data analysis without the need to set up or manage infrastructure.

Apresigned URLallows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS References:

Amazon S3 Presigned URLsexplain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Securityemphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A. Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B. Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.

C. Create an IAM user: Creating an IAM user and managing credentials is unnecessary overhead and less secure compared to a presigned URL for this short-term need.

Application Load Balancer (ALB): ALB is suitable for routing HTTP/HTTPS traffic to the application servers. It provides advanced routing features and integrates well with Auto Scaling groups.

Target Group Configuration:

Create a target group for the application servers and register the Auto Scaling group with this target group.

Configure the ALB to forward requests from the web servers to the application servers.

Security Group Setup:

Configure the security group of the application servers to only allow traffic from the web servers' security group.

This ensures that only the web servers can access the application servers, meeting the requirement to limit access.

Benefits:

Security: Using security groups to restrict access ensures a secure environment where only intended traffic is allowed.

Scalability: ALB works seamlessly with Auto Scaling groups, ensuring the application can handle varying loads efficiently.