Near-Right Architecture — AWS Solutions Architect (SAA-C03)
Two options were architecturally valid — you picked the one that violates a constraint buried in the scenario. Read constraints before evaluating answers.
Correct service, wrong tradeoff applied
The scenario presents a workload with a clear governing constraint — cost, latency, compliance, or operational overhead. The distractor satisfies the functional requirement but fails that constraint once you apply it strictly. Candidates who evaluate options by service name rather than by which constraint is dominant will eliminate the right answer and keep the wrong one. The exam always has one constraint that outweighs the others.
The Scenario
A company needs a real-time analytics dashboard querying petabytes of log data. The question offers two options: Athena over S3, and Redshift Serverless. Both query structured data at scale. But the scenario says "sub-second response times for repeated queries" — Athena scans S3 on every query (seconds to minutes), while Redshift caches results and returns repeated queries in under a second. The constraint is latency on repeated queries, not raw query capability. You picked Athena because it is serverless and cheaper per query, but the access pattern eliminates it.
How to Spot It
- When both answers use real AWS services that address the primary use case, re-read for the performance constraint. "Sub-second," "real-time," "single-digit millisecond" each eliminate different services. Athena is not sub-second. DynamoDB is not for complex joins. Aurora is not for petabyte-scale analytics.
- Look for protocol-level constraints. If the scenario says TCP traffic with client IP preservation, that eliminates CloudFront (HTTP/HTTPS only) and points to Global Accelerator + NLB. If it says HTTP with caching, that eliminates Global Accelerator.
- If you find yourself thinking "both could work," the exam is testing constraint reading. Check for: latency target, protocol, data volume, ordering requirement, or compliance region restriction.
Decision Rules
Whether to externalize session state to a shared cache (ElastiCache) or reroute sessions via ALB sticky sessions — the correct choice removes instance-level state affinity entirely and enables true stateless horizontal scaling; the wrong choice masks the symptom while reintroducing tight coupling per user session.
Which health check type must be set on the EC2 Auto Scaling group so that application-layer failures—not just host-level failures—trigger automatic instance replacement?
Select Amazon CloudFront for global read/download distribution because it caches objects at edge PoPs and reduces origin GET load; reject S3 Transfer Acceleration because it accelerates only the upload path and adds no caching or read-side benefit.
Which S3 storage class satisfies a millisecond retrieval SLA at minimum cost for objects that become infrequently accessed after approximately 60 days?
Whether the automatic managed rotation requirement for RDS credentials selects AWS Secrets Manager over Parameter Store SecureString, because Secrets Manager provides a native RDS rotation Lambda integration while Parameter Store requires the architect to author, deploy, and maintain a custom rotation function.
Whether gp3's independently configurable IOPS ceiling — up to 16,000 IOPS decoupled from volume size — fully satisfies the stated workload requirement, making io2's provisioned-IOPS pricing model unnecessary and more expensive.
When exactly one downstream consumer must process each message with buffering and retention guarantees, SQS is the correct point-to-point primitive; SNS is disqualified because its push-based fan-out model provides no message buffering and is not designed for single-consumer delivery.
Attach an IAM role to the EC2 instance via an instance profile so that AWS STS automatically issues rotating temporary credentials to the application at runtime, rather than provisioning an IAM user and storing its long-term access key in the instance environment or configuration file.
Select preventive org-level guardrail (SCP via AWS Organizations) over detective or aggregation controls (Macie, Security Hub) when the stated requirement explicitly demands member accounts cannot override or disable the enforcement mechanism.
Which Route 53 routing policy natively couples endpoint health-check status to automatic cross-region traffic cutover, satisfying an RTO measured in seconds rather than minutes?
Select between Amazon FSx for Lustre and Amazon EFS for a compute-intensive HPC cluster where the explicit sustained-throughput magnitude and latency SLA, not the shared-access requirement alone, determine the correct service.
Whether external end-user authentication should be delegated to Amazon Cognito User Pools (federated identity boundary) or handled via IAM roles — the decision turns on whether the callers are AWS account principals or external human identities.
When a Linux workload requires shared NFS-compatible file storage, select Amazon EFS; disqualify Amazon FSx for Windows File Server on protocol incompatibility (SMB/Windows-only) before applying any cost comparison.
Does the workload require shared filesystem semantics — NFS mounts, POSIX permissions, or concurrent multi-instance file access — or only sequential object-level reads and writes? If no filesystem protocol is stated, S3 dominates on cost and fit; EFS is near-right but imposes shared-filesystem infrastructure the workload does not need.