Amazon SOA-C03 Online Practice Questions and Exam Preparation

Amazon SOA-C03 Online Questions & Answers

• Question 161:

  A company wants DNS-based routing to send users to the closest AWS Region and automatically fail over during regional outages.

  Which Route 53 configuration is REQUIRED?

  A. Latency-based routing only
  B. Geolocation routing only
  C. Geoproximity routing with health checks
  D. Simple routing with weighted records
  C. Geoproximity routing with health checks

  ---

  Explanation

  Geoproximity routing directs traffic based on geographic distance, while health checks enable automated failover. Both are required to meet proximity and availability requirements.

  Amazon Route 53 - Geoproximity Routing

• Question 162:

  A company's security policy prohibits connecting to Amazon EC2 instances through SSH and RDP. Instead, staff must use AWS Systems Manager Session Manager. Users report they cannot connect to one Ubuntu instance, even though they can connect to others.

  What should a CloudOps engineer do to resolve this issue?

  A. Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
  B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
  C. Configure the SSM Agent to log in with a user name of "ubuntu".
  D. Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.
  B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.

  ---

  Explanation

  AWS Cloud Operations and Systems Manager documentation, Session Manager requires that each managed instance be associated with an IAM instance profile that grants Systems Manager core permissions. The required permissions are provided by the AmazonSSMManagedInstanceCore AWS- managed policy.

  If this policy is missing or misconfigured, the Systems Manager Agent (SSM Agent) cannot communicate with the Systems Manager service, causing connection failures even if the agent is installed and running. This explains why other instances work-those instances likely have the correct IAM role attached. Enabling port 22 (Option A) violates the company's security policy, while configuring user names (Option C) and key pairs (Option D) are irrelevant because Session Manager operates over secure API channels, not SSH keys.

  Therefore, the correct resolution is to attach or update the instance profile with the AmazonSSMManagedInstanceCore policy, restoring Session Manager connectivity.

  AWS Cloud Operations & Systems Manager Guide - Instance Profile Requirements for Session Manager Connectivity

• Question 163:

  A CloudOps engineer needs organization-wide visibility into security best-practice violations.

  Which service should be used?

  A. Amazon GuardDuty
  B. AWS Security Hub
  C. AWS Config
  D. Amazon Inspector
  B. AWS Security Hub

  ---

  Explanation

  AWS Security Hub aggregates security findings from multiple AWS services and provides centralized visibility and compliance reporting.

  AWS Security Hub - Centralized Security

• Question 164:

  A company is storing backups in an Amazon S3 bucket. These backups must not be deleted for at least 3 months after creation.

  What should the CloudOps engineer do?

  A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
  B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
  C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
  D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
  B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.

  ---

  Explanation

  Per the AWS Cloud Operations and Data Protection documentation, S3 Object Lock enforces write-once- read-many (WORM) protection on objects for a defined retention period.

  There are two modes: Compliance mode: Even the root user cannot delete or modify objects during the retention period. Governance mode: Privileged users with special permissions can override lock settings.

  For regulatory or audit requirements that prohibit deletion, Compliance mode is the correct choice. When configured with a 3-month retention period, all backup objects are protected from deletion until expiration, ensuring compliance with data retention mandates.

  Versioning (Option C) alone does not prevent deletion. IAM-based restrictions (Option A) lack time-based enforcement and require manual intervention. Governance mode (Option D) is less strict and unsuitable for regulatory retention.

  Thus, Option B is the correct CloudOps solution for immutable S3 backups.

  AWS Cloud Operations & Storage Governance Guide - Implementing Retention with Amazon S3 Object Lock in Compliance Mode

• Question 165:

  A company wants to monitor the p95 latency of an application based on log data.

  Which CloudWatch feature should be used?

  A. Contributor Insights
  B. Metric filters
  C. Subscription filters
  D. Anomaly detection
  B. Metric filters

  ---

  Explanation

  Metric filters extract numerical values from logs and publish them as CloudWatch metrics, enabling percentile statistics such as p95.

  CloudWatch Logs - Metric Filters

• Question 166:

  A CloudOps engineer needs to trigger automated remediation when an Amazon CloudWatch alarm enters the ALARM state.

  Which AWS service should be used to route the alarm event?

  A. Amazon SNS
  B. Amazon EventBridge
  C. AWS Step Functions
  D. Amazon SQS
  B. Amazon EventBridge

  ---

  Explanation

  Amazon EventBridge can respond to CloudWatch alarm state changes and invoke remediation actions such as Lambda functions or Systems Manager Automation runbooks. This enables event-driven, automated operations without manual intervention.

  Amazon EventBridge - CloudWatch Integration

• Question 167:

  A CloudOps engineer uses AWS CloudTrail Lake to investigate an incident involving Amazon S3 data access.

  The engineer must identify which IAM role accessed a specific object and retrieve the request parameters used during the access.

  Which approach should the engineer use?

  A. Query S3 server access logs with Amazon Athena.
  B. Query CloudTrail Lake using SQL-like queries filtered by eventName and resource ARN.
  C. Review AWS Config configuration history for the S3 bucket.
  D. Use Amazon Macie findings for the object.
  B. Query CloudTrail Lake using SQL-like queries filtered by eventName and resource ARN.

  ---

  Explanation

  CloudTrail Lake stores immutable API event data and supports SQL-like queries that expose detailed request context, including IAM identity, eventName, requestParameters, and resource ARNs. S3 server access logs lack full IAM and API context. AWS Config tracks configuration changes, not object- level access. Macie focuses on data classification, not audit trails.

  AWS CloudTrail Lake - Querying API Activity

• Question 168:

  A company uses AWS Systems Manager to manage a fleet of Amazon EC2 instances across multiple AWS accounts in an organization.

  The CloudOps engineer needs to ensure that future EC2 instances are automatically managed by Systems Manager without manual IAM configuration.

  Which solution will meet this requirement?

  A. Attach the AmazonSSMManagedInstanceCore policy to each EC2 instance role manually.
  B. Enable AWS Organizations trusted access for Systems Manager and configure Default Host Management Configuration.
  C. Create a Systems Manager Run Command to attach IAM policies to instance profiles.
  D. Use AWS Config to identify unmanaged EC2 instances.
  B. Enable AWS Organizations trusted access for Systems Manager and configure Default Host Management Configuration.

  ---

  Explanation

  AWS Systems Manager supports organization-wide management by integrating with AWS Organizations. By enabling trusted access and configuring Default Host Management Configuration, Systems Manager automatically provisions the required IAM roles and permissions for all existing and future EC2 instances across member accounts.

  This approach eliminates the need for manual IAM role attachment and ensures consistent, scalable management.

  Options A and C require manual or scripted intervention, and Option D only provides detection, not remediation.

  AWS Systems Manager - Default Host Management Configuration

• Question 169:

  An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A CloudOps engineer must ensure that the application can read, write, and delete messages from the SQS queues.

  Which solution will meet these requirements in the MOST secure manner?

  A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs: ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
  B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs: ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
  C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
  D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
  D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.

  ---

  Explanation

  The most secure pattern is to use an IAM role for Amazon EC2 with the minimum required permissions. AWS guidance states: "Use roles for applications that run on Amazon EC2 instances" and "grant least privilege by allowing only the actions required to perform a task." By attaching a role to the instance, short- lived credentials are automatically provided through the instance metadata service; this removes the need to create long-term access keys or embed secrets. Granting only, sqs:SendMessage sqs:ReceiveMessage, and sqs:DeleteMessage against the specific SQS queues enforces least privilege and aligns with CloudOps security controls. Options A and B rely on IAM user access keys, which contravene best practices for workloads on EC2 and increase credential-management risk. Option C uses a role but grants sqs:*, violating least-privilege principles. Therefore, Option D meets the security requirement with scoped, temporary credentials and precise permissions.

  References (AWS CloudOps Documents / Study Guide):

  AWS Certified CloudOps Engineer - Associate (SOA-C03) Exam Guide - Security & Compliance IAM Best Practices - "Use roles instead of long-term access keys," "Grant least privilege" IAM Roles for Amazon EC2 - Temporary credentials for applications on EC. Amazon SQS - Identity and access management for Amazon SQS

• Question 170:

  A company hosts a critical legacy application on two Amazon EC2 instances that are in one Availability Zone. The instances run behind an Application Load Balancer (ALB).

  The company uses Amazon CloudWatch alarms to send Amazon Simple Notification Service (Amazon SNS) notifications when the ALB health checks detect an unhealthy instance. After a notification, the company's engineers manually restart the unhealthy instance. A CloudOps engineer must configure the application to be highly available and more resilient to failures.

  Which solution will meet these requirements?

  A. Create an Amazon Machine Image (AMI) from a healthy instance. Launch additional instances from the AMI in the same Availability Zone. Add the new instances to the ALB target group.
  B. Increase the size of each instance. Create an Amazon EventBridge rule. Configure the EventBridge rule to restart the instances if they enter a failed state.
  C. Create an Amazon Machine Image (AMI) from a healthy instance. Launch an additional instance from the AMI in the same Availability Zone. Add the new instance to the ALB target group. Create an AWS Lambda function that runs when an instance is unhealthy. Configure the Lambda function to stop and restart the unhealthy instance.
  D. Create an Amazon Machine Image (AMI) from a healthy instance. Create a launch template that uses the AMI. Create an Amazon EC2 Auto Scaling group that is deployed across multiple Availability Zones. Configure the Auto Scaling group to add instances to the ALB target group.
  D. Create an Amazon Machine Image (AMI) from a healthy instance. Create a launch template that uses the AMI. Create an Amazon EC2 Auto Scaling group that is deployed across multiple Availability Zones. Configure the Auto Scaling group to add instances to the ALB target group.

  ---

  Explanation

  High availability requires removing single-AZ risk and eliminating manual recovery. The AWS Reliability best practices state to design for multi-AZ and automatic healing: Auto Scaling "helps maintain application availability and allows you to automatically add or remove EC2 instances" (AWS Auto Scaling User Guide). The Reliability Pillar recommends to "distribute workloads across multiple Availability Zones" and to "automate recovery from failure" (AWS Well-Architected Framework - Reliability Pillar).

  Attaching the Auto Scaling group to an ALB target group enables health-based replacement: instances failing load balancer health checks are replaced and traffic is routed only to healthy targets. Using an AMI in a launch template ensures consistent, repeatable instance configuration (AWS EC2 Launch Templates). Options A and C keep all instances in a single Availability Zone and rely on manual or ad-hoc restarts, which do not meet high-availability or resiliency goals. Option B only scales vertically and adds a restart rule; it neither removes the single-AZ failure domain nor provides automated replacement. Therefore, creating a multi-AZ EC2 Auto Scaling group with a launch template and attaching it to the ALB target group (Option D) is the CloudOps-aligned solution for resilience and business continuity.

  References (AWS CloudOps Documents / Study Guide):

  AWS Certified CloudOps Engineer -

  Associate (SOA-C03) Exam Guide: Domain 2 - Reliability and Business Continuity AWS Well-Architected Framework - Reliability Pillar Amazon EC2 Auto Scaling User Guide - Health checks and replacement Elastic Load Balancing User Guide - Target group health checks and ALB integration Amazon EC2 Launch Templates - Reproducible instance configuration