SOA-C03 Exam Details

  • Exam Code
    :SOA-C03
  • Exam Name
    :AWS Certified CloudOps Engineer - Associate (SOA-C03)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :263 Q&As
  • Last Updated
    :Jul 14, 2026

Amazon SOA-C03 Online Questions & Answers

  • Question 11:

    A company's architecture team must receive immediate email notifications whenever new Amazon EC2 instances are launched in the company's main AWS production account.

    What should a CloudOps engineer do to meet this requirement?

    A. Create a user data script that sends an email message through a smart host connector. Include the architecture team's email address in the user data script as the recipient. Ensure that all new EC2 instances include the user data script as part of a standardized build process.
    B. Create an Amazon Simple Notification Service (Amazon SNS) topic and a subscription that uses the email protocol. Enter the architecture team's email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched. Specify the SNS topic as the rule's target.
    C. Create an Amazon Simple Queue Service (Amazon SQS) queue and a subscription that uses the email protocol. Enter the architecture team's email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched. Specify the SQS queue as the rule's target.
    D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure AWS Systems Manager to publish EC2 events to the SNS topic. Create an AWS Lambda function to poll the SNS topic. Configure the Lambda function to send any messages to the architecture team's email address.

  • Question 12:

    A company has a VPC that contains a public subnet and a private subnet. The company deploys an Amazon EC2 instance that uses an Amazon Linux Amazon Machine Image (AMI) and has the AWS Systems Manager Agent (SSM Agent) installed in the private subnet. The EC2 instance is in a security group that allows only outbound traffic.

    A CloudOps engineer needs to give a group of privileged administrators the ability to connect to the instance through SSH without exposing the instance to the internet.

    Which solution will meet this requirement?

    A. Create an EC2 Instance Connect endpoint in the private subnet. Update the security group to allow inbound SSH traffic. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.
    B. Create a Systems Manager endpoint in the private subnet. Update the security group to allow SSH traffic from the private network where the Systems Manager endpoint is connected. Create an IA. group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.
    C. Create an EC2 Instance Connect endpoint in the public subnet. Update the security group to allow SSH traffic from the private network. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.
    D. Create a Systems Manager endpoint in the public subnet. Create an IAM role that has the AmazonSSMManagedInstanceCore permission for the EC2 instance. Create an IAM group for privileged administrators. Assign the AmazonEC2ReadOnlyAccess IAM policy to the IAM group.

  • Question 13:

    A CloudOps engineer needs historical visibility into configuration changes for AWS resources.

    Which service provides this capability?

    A. AWS CloudTrail
    B. AWS Config
    C. Amazon CloudWatch
    D. Amazon GuardDuty

  • Question 14:

    A company must implement an audit trail for operational changes to AWS resources, including who made the change and the exact API parameters used.

    A CloudOps engineer needs a solution that can be queried efficiently for investigations without exporting logs to another service first.

    Which solution will meet these requirements?

    A. Use Amazon CloudWatch Logs and build dashboards for all API requests.
    B. Use AWS CloudTrail Lake to store events and run SQL-like queries for investigations.
    C. Use VPC Flow Logs to capture all AWS API activity.
    D. Use Amazon Inspector reports for operational change tracking.

  • Question 15:

    A company's application servers in AWS account 111122223333 use a security group sg-1234abcd. They need to access a database hosted in account 444455556666. The VPCs are connected using a VPC peering connection (pcx-b04deed9).

    A CloudOps engineer must configure the database's security group to allow new connections only from the application servers.

    What should the engineer do?

    A. Add an inbound rule to the database's security group. Reference 111122223333/sg-1234abcd as the source.
    B. Add an inbound rule to the database's security group. Reference pcx-b04deed9/sg-1234abcd as the source.
    C. Add an inbound rule to the database's security group. Reference sg-1234abcd as the source.
    D. Add an inbound rule to the database's security group. Reference 444455556666/sg-1234abcd as the source.

  • Question 16:

    A CloudOps engineer needs to ensure that only approved AMIs are used to launch EC2 instances.

    Which solution will enforce this?

    A. AWS Config rules
    B. IAM policies only
    C. AWS Trusted Advisor
    D. EC2 Auto Scaling

  • Question 17:

    A CloudOps engineer needs to automatically restart a failed application process when specific error patterns appear in application logs stored in CloudWatch Logs.

    Which architecture aligns with AWS recommended operational best practices?

    A. CloudWatch Logs subscription filter --- Lambda --- restart process
    B. CloudWatch metric filter --- alarm --- EventBridge --- Systems Manager Automation
    C. CloudTrail Insights --- Lambda remediation
    D. GuardDuty findings --- SNS notification

  • Question 18:

    A company deploys AWS infrastructure in a VPC that has an internet gateway. The VPC has public subnets and private subnets. An Amazon RDS for MySQL DB instance is deployed in a private subnet. An AWS Lambda function uses the same private subnet and connects to the DB instance to query data.

    A developer modifies the Lambda function to require the function to publish messages to an Amazon Simple Queue Service (Amazon SQS) queue. After these changes, the Lambda function times out when it tries to publish messages to the SQS queue.

    Which solutions will resolve this issue? (Select TWO.)

    A. Reconfigure the Lambda function so that the function is not connected to the VPC.
    B. Deploy an RDS proxy. Configure the Lambda function to connect to the DB instance through the proxy.
    C. Deploy a NAT gateway. Update the private subnet's route table to route all traffic to the NAT gateway.
    D. Create an interface VPC endpoint for Amazon SQS in the VPC.
    E. Create a gateway endpoint for Amazon SQS in the VPC.

  • Question 19:

    A company deploys an application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The company wants to protect the application from SQL injection attacks.

    Which solution will meet this requirement?

    A. Deploy AWS Shield Advanced in front of the ALB. Enable SQL injection filtering.
    B. Deploy AWS Shield Standard in front of the ALB. Enable SQL injection filtering.
    C. Deploy a vulnerability scanner on each EC2 instance. Continuously scan the application code.
    D. Deploy AWS WAF in front of the ALB. Subscribe to an AWS Managed Rule for SQL injection filtering.

  • Question 20:

    A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications.

    A CloudOps engineer must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.

    Which solution will meet these requirements?

    A. Create an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter- Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.
    B. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter- Project tag is missing. Attach the SCP to the application OU .
    C. Create an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter- Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.
    D. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter- Project tag is missing. Attach the SCP to the root OU .

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SOA-C03 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.