Amazon SOA-C03 Online Practice Questions and Exam Preparation

Amazon SOA-C03 Online Questions & Answers

• Question 131:

  A CloudOps engineer needs to investigate which AWS API actions were performed on an Amazon S3 bucket during a suspected security incident last week.

  Which solution will provide this information?

  A. Analyze Amazon S3 server access logs.
  B. Query AWS CloudTrail event history for the bucket.
  C. Review Amazon CloudWatch Logs for the EC2 instances.
  D. Use Amazon GuardDuty findings.
  B. Query AWS CloudTrail event history for the bucket.

  ---

  Explanation

  AWS CloudTrail records all API-level activity across AWS services, including S3 actions such as PutObject, DeleteBucketPolicy, and GetObject. By filtering CloudTrail event history for the affected S3 bucket and timeframe, the CloudOps engineer can identify the exact actions, identities, and source IPs involved.

  S3 server access logs capture object-level requests but do not provide complete API governance visibility. GuardDuty detects threats but does not enumerate all API calls.

  AWS CloudTrail - Auditing S3 API Activity

• Question 132:

  A company wants to automatically restart a failed application process on EC2 instances.

  Which AWS service enables this with minimal configuration?

  A. AWS Lambda
  B. Systems Manager Automation
  C. CloudWatch alarms with EC2 recovery actions
  D. Amazon ECS
  C. CloudWatch alarms with EC2 recovery actions

  ---

  Explanation

  CloudWatch alarms can directly trigger EC2 recovery or reboot actions when metrics breach thresholds, enabling fast remediation.

  Amazon CloudWatch - EC2 Recovery Actions

• Question 133:

  A company is running an application on premises and wants to use AWS for data backup. All of the data must be available locally.

  The backup application can write only to block-based storage that is compatible with the Portable Operating System Interface (POSIX).

  Which backup solution will meet these requirements?

  A. Configure the backup software to use Amazon S3 as the target for the data backups.
  B. Configure the backup software to use Amazon S3 Glacier Flexible Retrieval as the target for the data backups.
  C. Use AWS Storage Gateway, and configure it to use gateway-cached volumes.
  D. Use AWS Storage Gateway, and configure it to use gateway-stored volumes.
  D. Use AWS Storage Gateway, and configure it to use gateway-stored volumes.

  ---

  Explanation

  The Storage Gateway service enables hybrid cloud backup by presenting local block storage that synchronizes with AWS cloud storage. For scenarios where all data must remain available locally while still backed up to AWS, the correct mode is gateway-stored volumes.

  AWS documentation defines:

  "Use stored volumes if you want to keep all your data locally while asynchronously backing up point-in- time snapshots to Amazon S3 for durable storage."

  These volumes expose an iSCSI interface compatible with POSIX file systems, allowing direct use by on- premises backup software.

  Gateway-cached volumes (Option C) store primary data in AWS with limited local cache, violating the "all data must be available locally" requirement. Options A and B are object-based storage solutions, not compatible with POSIX or block-based backup applications.

  Therefore, Option D fully satisfies CloudOps reliability and continuity best practices by ensuring local, and POSIX compatibility availability cloud durability for backups.

  References (AWS CloudOps Documents / Study Guide): AWS Certified CloudOps Engineer - Associate (SOA-C03) Exam Guide - Domain 2: Reliability and Business Continuity AWS Storage Gateway User Guide - Stored Volumes Overview AWS Well-Architected Framework - Reliability Pillar AWS Hybrid Cloud Storage Best Practices

• Question 134:

  A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A CloudOps engineer must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all AWS accounts and cloud applications.

  Which prerequisites must the CloudOps engineer have so that the CloudOps engineer can connect to the external IdP? (Select TWO.)

  A. A copy of the IAM Identity Center SAML metadata
  B. The IdP metadata, including the public X.509 certificate
  C. The IP address of the IdP
  D. Root access to the management account
  E. Administrative permissions to the member accounts of the organization
  A. A copy of the IAM Identity Center SAML metadata
  B. The IdP metadata, including the public X.509 certificate

  ---

  Explanation

  AWS Cloud Operations and Identity Management documentation, when configuring federation between IAM Identity Center (formerly AWS SSO) and an external SAML 2.0 identity provider, two key prerequisites are required: The IAM Identity Center SAML metadata file - This is uploaded to the external IdP to establish trust, define SAML endpoints, and enable identity federation.

  The IdP metadata (including the public X.509 certificate) - This information is imported into IAM Identity Center to validate authentication assertions and encryption signatures. IAM Identity Center and the IdP exchange this metadata to mutually establish secure, bidirectional federation.

  Network-level details such as IP addresses (Option C) are unnecessary. Root access (Option D) or permissions to member accounts (Option E) are not required; only Control Tower or IAM administrative permissions in the management account are needed for setup. Thus, the correct answer is A and B - the SAML metadata from both sides is required for federation.

  AWS Cloud Operations & Identity Management Guide - Federating IAM Identity Center with an External SAML 2.0 Provider

• Question 135:

  A company wants to reduce latency for users accessing global content.

  Which AWS service should be used?

  A. Amazon Route 53
  B. Amazon CloudFront
  C. AWS Direct Connect
  D. Application Load Balancer
  B. Amazon CloudFront

  ---

  Explanation

  CloudFront caches content at edge locations globally, significantly reducing latency for end users.

  Amazon CloudFront - Global Content Delivery

• Question 136:

  A company runs applications on Amazon EC2 instances. The company wants to ensure that SSH ports on the EC2 instances are never open. The company has enabled AWS Config and has set up the restricted- ssh AWS managed rule.

  A CloudOps engineer must implement a solution to remediate SSH port access for noncompliant security groups.

  What should the engineer do to meet this requirement with the MOST operational efficiency?

  A. Configure the AWS Config rule to identify noncompliant security groups. Configure the rule to use the AWS-PublishSNSNotification AWS Systems Manager Automation runbook to send notifications about noncompliant resources.
  B. Configure the AWS Config rule to identify noncompliant security groups. Configure the rule to use the AWS-DisableIncomingSSHOnPort22 AWS Systems Manager Automation runbook to remediate noncompliant resources.
  C. Make an AWS Config API call to search for noncompliant security groups. Disable SSH access for noncompliant security groups by using a Deny rule.
  D. Configure the AWS Config rule to identify noncompliant security groups. Manually update each noncompliant security group to remove the Allow rule.
  B. Configure the AWS Config rule to identify noncompliant security groups. Configure the rule to use the AWS-DisableIncomingSSHOnPort22 AWS Systems Manager Automation runbook to remediate noncompliant resources.

  ---

  Explanation

  The AWS Cloud Operations and Governance documentation specifies that AWS Config can be paired with AWS Systems Manager Automation runbooks for automatic remediation of noncompliant resources. For SSH restrictions, the restricted-ssh managed rule detects any security group allowing inbound traffic on port 22. To automatically remediate these findings, AWS provides the AWS- DisableIncomingSSHOnPort22 runbook. This runbook programmatically removes inbound rules that allow port 22 traffic from affected security groups.

  This approach achieves continuous compliance with minimal human intervention. By contrast, sending notifications (Option A) does not enforce remediation, API-based scripts (Option C) add operational overhead, and manual remediation (Option D) violates automation best practices. Therefore, the most efficient CloudOps solution is Option B, using AWS Config with the AWS- DisableIncomingSSHOnPort22 automation runbook for automatic, scalable enforcement.

  AWS Cloud Operations & Governance Guide - Automated Security Remediation Using Config Managed Rules and Systems Manager Runbooks

• Question 137:

  A company has created a new video-on-demand (VOD) application. The application runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. Because of increasing application demand, the company wants to move all video files to a central Amazon S3 bucket.

  A SysOps administrator needs to ensure that video files can be cached at edge locations after the company migrates the files to Amazon S3.

  Which solution will meet this requirement?

  A. Configure CloudFront to send the X-Forwarded-For header to the origin and to redirect video requests to Amazon S3 instead of the ALB.
  B. Configure a new CloudFront cache behavior to route to Amazon S3 as a new origin, based on matching a URL path pattern.
  C. Configure URL signing in the CloudFront distribution by using a custom policy. Ensure that video files are accessed through signed URLs only.
  D. Configure a CloudFront origin group. Specify the required HTTP status codes to direct connection attempts to a secondary origin.
  B. Configure a new CloudFront cache behavior to route to Amazon S3 as a new origin, based on matching a URL path pattern.

  ---

  Explanation

  To ensure video files are cached at CloudFront edge locations after migrating the files to Amazon S3, CloudFront must be able to fetch those video objects directly from S3 as an origin. The most operationally straightforward pattern is to add S3 as a second origin and create a separate cache behavior that routes requests for video paths (for example, /video/* or /*.mp4) to the S3 origin. With this configuration, CloudFront caches the S3-served objects at edge locations according to the cache policy/headers, while the existing ALB origin continues serving dynamic application paths. This isolates static media delivery from the application tier and improves performance by maximizing cache hits at the edge.

  Option A is not how CloudFront origin selection works: CloudFront does not "redirect" to S3 based on headers; it selects an origin per behavior. Option C (signed URLs) is an access-control mechanism and does not, by itself, ensure the objects are retrieved from S3 or cached correctly. Option D (origin groups) is for origin failover (primary/secondary) and does not provide path-based routing to ensure videos come from S3.

• Question 138:

  A CloudOps engineer needs to investigate which AWS API actions were performed on an Amazon S3 bucket during a suspected security incident last week.

  Which solution will provide this information?

  A. Analyze Amazon S3 server access logs.
  B. Query AWS CloudTrail event history for the bucket.
  C. Review Amazon CloudWatch Logs for the EC2 instances.
  D. Use Amazon GuardDuty findings.
  B. Query AWS CloudTrail event history for the bucket.

  ---

  Explanation

  AWS CloudTrail records all API-level activity across AWS services, including S3 actions such as PutObject, DeleteBucketPolicy, and GetObject. By filtering CloudTrail event history for the affected S3 bucket and timeframe, the CloudOps engineer can identify the exact actions, identities, and source IPs involved.

  S3 server access logs capture object-level requests but do not provide complete API governance visibility. GuardDuty detects threats but does not enumerate all API calls.

  AWS CloudTrail - Auditing S3 API Activity

• Question 139:

  A company requires that all Amazon S3 objects remain immutable for regulatory reasons. Even the root user must not be able to delete objects during the retention period.

  Which solution satisfies this requirement?

  A. Enable S3 Versioning and MFA Delete.
  B. Enable S3 Object Lock in governance mode.
  C. Enable S3 Object Lock in compliance mode.
  D. Apply a bucket policy denying s3:DeleteObject.
  C. Enable S3 Object Lock in compliance mode.

  ---

  Explanation

  S3 Object Lock in compliance mode enforces WORM protection that cannot be bypassed by any user, including the root user, until the retention period expires. Governance mode allows privileged overrides. Versioning and IAM policies can be bypassed or modified, making them unsuitable for strict regulatory enforcement.

  Amazon S3 - Object Lock Compliance Mode

• Question 140:

  An ecommerce company uses Amazon ElastiCache (Redis OSS) for caching product queries. The CloudOps engineer observes a large number of cache evictions in Amazon CloudWatch metrics and needs to reduce evictions while retaining popular data in cache.

  Which solution meets these requirements with the least operational overhead?

  A. Add another node to the ElastiCache cluster.
  B. Increase the ElastiCache TTL value.
  C. Decrease the ElastiCache TTL value.
  D. Migrate to a new ElastiCache cluster with larger nodes.
  D. Migrate to a new ElastiCache cluster with larger nodes.

  ---

  Explanation

  AWS Cloud Operations and ElastiCache documentation cache evictions occur when the cache runs out of memory and must remove items to make space for new data. To reduce evictions and retain frequently accessed items, AWS recommends increasing the total available memory - either by scaling up to larger node types or scaling out by adding shards/nodes. Migrating to a cluster with larger nodes is the simplest and most efficient solution because it immediately expands capacity without architectural changes.

  Adjusting TTL (Options B and C) controls expiration timing, not memory allocation. Adding a single node (Option A) may help, but redistributing data requires resharding, introducing more complexity. Thus, Option D provides the lowest operational overhead and ensures high cache hit rates by increasing total cache memory.

  AWS Cloud Operations & Performance Optimization Guide - Reducing Evictions and Scaling Amazon ElastiCache Clusters