Free Access Amazon Web Services SAA-C03 New Release

The ALB must be in a public subnet to receive internet traffic. The EC2 instances and the RDS database should be in private subnets to prevent direct internet access, minimizing the attack surface. This aligns with AWS security best practices for web application architectures.

Reference Extract:

" Internet-facing ALBs should be placed in public subnets; EC2 instances and RDS databases should be in private subnets to restrict direct internet access. "

Source: AWS Certified Solutions Architect – Official Study Guide, Network Security and Design section.

The requirements emphasize high availability across multiple Availability Zones, automatic recovery, and least operational overhead. The simplest way to achieve this for containerized microservices is to use a fully managed container orchestration service with serverless compute. Amazon ECS with the Fargate launch type provides exactly that.

With ECS Fargate, AWS manages the underlying compute infrastructure (no EC2 instances to provision, patch, scale, or secure at the OS level). You define task definitions and services, and ECS schedules tasks across Availability Zones based on your networking configuration (multiple subnets in different AZs). If a container fails, ECS service scheduling automatically replaces it, fulfilling the “recover from failures” requirement. Fargate also integrates with load balancing, CloudWatch logging, and scaling policies, reducing the operational burden of keeping the platform healthy.

Option A (ECS on EC2) is still managed orchestration, but it requires managing the EC2 capacity layer: AMI updates, instance patching, cluster capacity planning, and instance scaling. Option B (EKS with self-managed nodes) typically carries even more operational responsibility because you manage node groups, upgrades, and Kubernetes operational complexity in addition to the underlying instances. Option D is the highest operational overhead because it lacks managed scheduling and self-healing; you would need to build and maintain your own process manager and failover mechanisms.

Therefore, C is the best answer because it provides a managed, multi-AZ capable, self-healing container platform with minimal infrastructure management—matching the operational efficiency goal while maintaining high availability.

Big data workloads that need to process terabytes of data in memory requirememory-optimized instancesfor the core and task nodes to ensure sufficient memory for processing data efficiently.

Primary Node:Ageneral purpose instanceis suitable because it manages cluster operations, including coordination and monitoring, and does not process data directly.

Core and Task Nodes:These nodes handle data storage and processing.Memory-optimized instancesare ideal because they provide high memory-to-CPU ratios, which is critical for in-memory big data workloads.

Why Other Options Are Incorrect:

Option A:Storage optimized and compute optimized instances are not suitable for workloads that rely heavily on in-memory processing.

Option B:A memory-optimized primary node is unnecessary because the primary node does not process data.

Option D:General purpose instances for all nodes will not provide sufficient memory for processing terabytes of data in memory.

AWS Documentation References:

Amazon EMR Instance Types

Memory-Optimized Instances

When an application is fronted by an Application Load Balancer (ALB) and malicious traffic is detected from a specific IP, the correct way to block the IP is by using AWS WAF (Web Application Firewall).

With AWS WAF, you can create an IP Set to include the offending IP address or range.

Then create a Web ACL (Access Control List) with a rule set to BLOCK requests from that IP set.

Finally, associate the Web ACL with the ALB.

Security groups (Option A) cannot deny specific IPs because they are stateful and allow-only rules.

Amazon Detective (Option B) is a security analysis and investigation tool; it doesn’t block traffic.

AWS RAM (Option C) is for resource sharing across accounts, not for blocking IPs.

This approach aligns with AWS’s Security Pillar of the Well-Architected Framework and is fully managed, with minimal operational effort.

???? Reference:

Using AWS WAF with an Application Load Balancer

Block IPs with AWS WAF