Amazon SOA-C03 Online Practice Questions and Exam Preparation

Amazon SOA-C03 Online Questions & Answers

• Question 181:

  A company needs centralized visibility into security findings from GuardDuty, Inspector, and IAM Access Analyzer.

  Which service provides this aggregation natively?

  A. AWS Config
  B. AWS Security Hub
  C. Amazon Detective
  D. AWS CloudTrail
  B. AWS Security Hub

  ---

  Explanation

  AWS Security Hub aggregates and normalizes findings from multiple AWS security services into a centralized view with compliance scoring.

  AWS Security Hub - Centralized Findings

• Question 182:

  A company runs an application on an Amazon EC2 instance. The application uses a MySQL database. The EC2 instance has a General Purpose SSD (gp3) Amazon EBS volume attached. The company wants to perform load testing using a new MySQL database created from an EBS snapshot of the production instance. The new database must perform as similarly as possible to production.

  Which solution will meet these requirements in the LEAST amount of time?

  A. Use Amazon EBS fast snapshot restore (FSR) to create a new General Purpose SSD volume from the production snapshot.
  B. Use Amazon EBS fast snapshot restore (FSR) to create a new Provisioned IOPS SSD volume from the production snapshot.
  C. Use Amazon EBS standard snapshot restore to create a new General Purpose SSD volume from the production snapshot.
  D. Use Amazon EBS standard snapshot restore to create a new Provisioned IOPS SSD volume from the production snapshot.
  A. Use Amazon EBS fast snapshot restore (FSR) to create a new General Purpose SSD volume from the production snapshot.

  ---

  Explanation

  Amazon EBS snapshots are stored in Amazon S3, and standard restores can experience higher latency until data blocks are fully retrieved. Fast Snapshot Restore (FSR) eliminates this latency by ensuring that all blocks are immediately available at full performance.

  Because the production environment uses a General Purpose SSD (gp3) volume, creating the test database on the same volume type ensures performance characteristics are as similar as possible. Using FSR significantly reduces restore time and allows load testing to begin immediately.

  Provisioned IOPS volumes would introduce different performance characteristics and unnecessary cost. Standard snapshot restore would delay testing due to gradual block hydration.

  Therefore, using FSR with the same EBS volume type is the fastest and most accurate solution.

• Question 183:

  A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application's performance.

  A CloudOps engineer must scale the application to meet the increased traffic.

  Which solution meets these requirements?

  A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.
  B. Create an Amazon EventBridge rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
  C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.
  D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.
  C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.

  ---

  Explanation

  Auto Scaling groups with target tracking scaling policies automatically adjust capacity based on real-time demand. This solution is ideal for handling unpredictable and random traffic spikes.

  Target tracking scaling maintains a metric, such as average CPU utilization or request count per target, at a defined target value. The Auto Scaling group automatically launches or terminates instances as traffic fluctuates.

  Manual scaling, EventBridge-based scaling, or scheduled scaling do not respond dynamically to random traffic patterns.

  Therefore, an Auto Scaling group with a target tracking scaling policy is the correct solution.

• Question 184:

  A company uses Amazon EC2 instances for a stateful application. The company needs a disaster recovery plan that can restore the application environment in a different AWS Region with minimal manual steps.

  Which solution will meet these requirements?

  A. Use AWS CloudFormation to define the infrastructure and use AMIs and snapshots copied to the DR Region.
  B. Use AWS Trusted Advisor to generate a DR report.
  C. Use Amazon CloudWatch dashboards to rebuild the environment in the DR Region.
  D. Use VPC Flow Logs to replicate the application state across Regions.
  A. Use AWS CloudFormation to define the infrastructure and use AMIs and snapshots copied to the DR Region.

  ---

  Explanation

  A reliable DR strategy requires both infrastructure reproducibility and data/compute artifacts in the target Region. Using CloudFormation provides infrastructure as code to recreate networking, compute, security groups, and dependencies consistently. Copying required AMIs and EBS snapshots to the DR Region ensures that the compute images and storage data needed for recovery are available. This reduces manual steps and supports repeatable recovery procedures. Trusted Advisor and CloudWatch dashboards do not rebuild infrastructure. VPC Flow Logs capture traffic metadata and cannot replicate application state.

  AWS CloudFormation + EC2 AMI/EBS snapshot copy - Repeatable DR patterns

• Question 185:

  A company wants to protect its web application from common application-layer attacks such as SQL injection.

  Which AWS service provides this capability?

  A. AWS Shield Standard
  B. AWS WAF
  C. Amazon Inspector
  D. AWS Firewall Manager
  B. AWS WAF

  ---

  Explanation

  AWS WAF is designed to protect web applications from OWASP Top 10 threats, including SQL injection and cross-site scripting.

  Shield protects against DDoS attacks, not application-layer exploits.

  AWS WAF - Application Layer Protection

• Question 186:

  A SysOps administrator needs to implement a solution that protects credentials for an Amazon RDS for MySQL DB instance. The solution must rotate the credentials automatically one time every week.

  Which combination of steps will meet these requirements? (Select TWO.)

  A. Configure an RDS proxy to store the credentials.
  B. Add the credentials to AWS Secrets Manager.
  C. Add the credentials to AWS Systems Manager Parameter Store.
  D. Create an AWS Lambda function to rotate the credentials.
  E. Create an AWS Systems Manager Automation runbook to rotate the credentials.
  B. Add the credentials to AWS Secrets Manager.
  D. Create an AWS Lambda function to rotate the credentials.

  ---

  Explanation

  The correct answers are B and D. AWS CloudOps documentation clearly states that AWS Secrets Manager is the recommended service for storing and managing database credentials securely. Secrets Manager integrates natively with Amazon RDS and supports automatic, scheduled secret rotation.

  To rotate credentials weekly, Secrets Manager requires a Lambda rotation function. AWS provides managed rotation templates for Amazon RDS for MySQL that update the database password and the stored secret atomically. This combination ensures credentials are protected, rotated automatically, and audited with minimal operational effort.

  Option A is incorrect because RDS Proxy does not store or rotate credentials; it only retrieves them from Secrets Manager. Option C is incorrect because Systems Manager Parameter Store does not support native automatic rotation. Option E is incorrect because Automation runbooks are not the recommended mechanism for secrets rotation and add unnecessary complexity.

  AWS CloudOps best practices strongly recommend Secrets Manager with Lambda-based rotation for database credential protection and compliance.

• Question 187:

  A company wants DNS-based routing to send users to the closest AWS Region and automatically fail over during regional outages.

  Which Route 53 configuration is REQUIRED?

  A. Latency-based routing only
  B. Geolocation routing only
  C. Geoproximity routing with health checks
  D. Simple routing with weighted records
  C. Geoproximity routing with health checks

  ---

  Explanation

  Geoproximity routing directs traffic based on geographic distance, while health checks enable automated failover. Both are required to meet proximity and availability requirements.

  Amazon Route 53 - Geoproximity Routing

• Question 188:

  A global company runs a critical primary workload in the us-east-1 Region. The company wants to ensure business continuity with minimal downtime in case of a workload failure. The company wants to replicate the workload to a second AWS Region.

  A CloudOps engineer needs a solution that achieves a recovery time objective (RTO) of less than 10 minutes and a zero recovery point objective (RPO) to meet service level agreements.

  Which solution will meet these requirements?

  A. Implement a pilot light architecture that provides real-time data replication in the second Region. Configure Amazon Route 53 health checks and automated DNS failover.
  B. Implement a warm standby architecture that provides regular data replication in a second Region. Configure Amazon Route 53 health checks and automated DNS failover.
  C. Implement an active-active architecture that provides real-time data replication across two Regions. Use Amazon Route 53 health checks and a weighted routing policy.
  D. Implement a custom script to generate a regular backup of the data and store it in an S3 bucket that is in a second Region. Use the backup to launch the application in the second Region in the event of a workload failure.
  C. Implement an active-active architecture that provides real-time data replication across two Regions. Use Amazon Route 53 health checks and a weighted routing policy.

  ---

  Explanation

  AWS Cloud Operations and Disaster Recovery documentation, the active-active multi-Region architecture provides the lowest possible RTO and RPO among all disaster recovery strategies. In this approach, workloads are deployed and actively running in multiple AWS Regions simultaneously. All data is continuously replicated in real time between Regions using fully managed replication services, ensuring zero data loss (zero RPO).

  Because both Regions are active and capable of handling requests, failover between them is instantaneous, meeting the RTO of less than 10 minutes. Amazon Route 53 is used with weighted or latency-based routing policies and health checks to automatically route traffic away from an impaired Region to the healthy Region without manual intervention.

  In contrast:

  Pilot Light Architecture maintains only a minimal copy of the environment in the secondary Region. It requires time to scale up infrastructure during a disaster, resulting in longer RTO and potential data loss (non-zero RPO).

  Warm Standby Architecture keeps partially running infrastructure in the secondary Region. Although faster than pilot light, it still requires scaling and synchronization, resulting in higher RTO and RPO compared to active-active.

  Backup and Restore (option D) relies on periodic backups and restores data when needed. This approach has the highest RTO and RPO, unsuitable for mission-critical workloads demanding high availability and zero data loss.

  Therefore, based on AWS-recommended disaster recovery strategies outlined in the AWS Cloud Operations and Disaster Recovery Guide, the Active-Active Multi-Region architecture (Option C) is the only approach that guarantees RTO <10 minutes and RPO = 0, achieving continuous availability and business continuity across Regions.

  AWS Cloud Operations and Disaster Recovery Whitepaper - Section: Disaster Recovery Strategies - Multi-Site (Active-Active) Approach; AWS CloudOps Best Practices for Reliability and Business Continuity.

• Question 189:

  A company moves workloads from public subnets to private subnets to improve security. During testing, servers in the private subnets cannot reach an external API. The VPC has a CIDR block of 10.0.0.0/16, two public subnets, two private subnets, one internet gateway, and a NAT gateway in each private subnet.

  The company must ensure that workloads in the private subnets can reach the external API.

  Which solution will meet this requirement?

  A. Deploy an outbound-only internet gateway and update route tables.
  B. Create an Amazon API Gateway HTTP API as a proxy.
  C. Deploy a NAT gateway in each public subnet and update private subnet route tables.
  D. Create a VPC interface endpoint and update route tables.
  C. Deploy a NAT gateway in each public subnet and update private subnet route tables.

  ---

  Explanation

  For IPv4 traffic, private subnets require a NAT gateway in a public subnet to access the internet. NAT gateways must be deployed in public subnets and associated with an Elastic IP address. Private subnet route tables must direct 0.0.0.0/0 traffic to the NAT gateway.

  The question states that NAT gateways are incorrectly placed in private subnets, which cannot provide internet access. Deploying NAT gateways in public subnets resolves this issue and restores outbound connectivity to external APIs.

  Option A applies only to IPv6. Option B adds unnecessary complexity. Option D is not applicable because external APIs are not AWS services.

• Question 190:

  A company hosts a static website on Amazon S3. An Amazon CloudFront distribution presents this site to global users. The company uses the Managed-CachingDisabled CloudFront cache policy. The company's developers confirm that they frequently update a file in Amazon S3 with new information.

  Users report that the website presents correct information when the website first loads the file. However, the users' browsers do not retrieve the updated file after a refresh.

  What should a SysOps administrator recommend to fix this issue?

  A. Add a Cache-Control header field with max-age=0 to the S3 object.
  B. Change the CloudFront cache policy to Managed-CachingOptimized.
  C. Disable bucket versioning in the S3 bucket configuration.
  D. Enable content compression in the CloudFront configuration.
  A. Add a Cache-Control header field with max-age=0 to the S3 object.

  ---

  Explanation

  With the Managed-CachingDisabled policy, CloudFront is configured to minimize edge caching, so the remaining caching behavior users experience often comes from browser (client-side) caching. If users refresh and still see old content, it typically indicates the browser is allowed to reuse a cached copy without revalidating. The correct fix is to control client caching using HTTP response headers on the S3 object.

  Adding a Cache-Control: max-age=0 header instructs browsers that the object becomes stale immediately and should be revalidated on subsequent requests (often resulting in conditional requests using If- Modified-Since or ETag behavior). This preserves correctness--users will fetch or revalidate the latest file-- without requiring heavier operational actions like frequent CloudFront invalidations or changing to an optimized caching policy that may increase edge caching.

  Option B can worsen the issue by increasing caching if object headers permit it. Option C is unrelated; versioning affects object history and recovery, not browser cache behavior. Option D affects payload size transfer (gzip/brotli), not cache freshness.