A CloudOps engineer has created an AWS Service Catalog portfolio and shared it with a second AWS account in the company, managed by a different CloudOps engineer.
Which action can the CloudOps engineer in the second account perform?
A. Add a product from the imported portfolio to a local portfolio. B. Add new products to the imported portfolio. C. Change the launch role for the products contained in the imported portfolio. D. Customize the products in the imported portfolio.
A. Add a product from the imported portfolio to a local portfolio.
Explanation
Per the AWS Cloud Operations and Service Catalog documentation, when a portfolio is shared across AWS accounts, the recipient account imports the shared portfolio. The recipient CloudOps engineer cannot modify the original products or their configurations but can:
Add products from the imported portfolio into their local portfolios for deployment, Control end-user access in the recipient account, and Manage local constraints or permissions. However, the recipient cannot edit, delete, or reconfigure the shared products (Options B, C, and D). The source (owner) account retains full administrative control over products, launch roles, and lifecycle policies. This model aligns with AWS CloudOps principles of centralized governance with distributed self-service deployment across multiple accounts.
Thus, Option A is correct-imported portfolios allow the recipient to add products to a local portfolio but not alter the shared configuration.
AWS Cloud Operations & Governance Guide - Managing Shared AWS Service Catalog Portfolios Across Multiple Accounts
Question 212:
A CloudOps engineer needs to retain Amazon CloudWatch Logs for exactly 90 days.
Which configuration should be applied?
A. Export logs to Amazon S3 daily. B. Set the log group retention policy to 90 days. C. Archive logs using AWS Backup. D. Stream logs to Amazon OpenSearch Service.
B. Set the log group retention policy to 90 days.
Explanation
CloudWatch Logs retention policies automatically delete log events older than the specified period. This provides a simple, managed mechanism for compliance-driven retention control.
Amazon CloudWatch Logs - Retention Policies
Question 213:
A company hosts an FTP server on EC2 instances. AWS Security Hub sends findings to Amazon EventBridge when the FTP port becomes publicly exposed in attached security groups.
A CloudOps engineer needs an automated, event-driven remediation solution to remove public access from security groups.
Which solution will meet these requirements?
A. Configure the existing EventBridge event to stop the EC2 instances that have the exposed port. B. Create a cron job for the FTP server to invoke an AWS Lambda function. Configure the Lambda function to modify the security group of the identified EC2 instances and to remove the instances that allow public access. C. Create a cron job for the FTP server that invokes an AWS Lambda function. Configure the Lambda function to modify the server to use SFTP instead of FTP. D. Configure the existing EventBridge event to invoke an AWS Lambda function. Configure the function to remove the security group rule that allows public access.
D. Configure the existing EventBridge event to invoke an AWS Lambda function. Configure the function to remove the security group rule that allows public access.
Explanation
Per the AWS Cloud Operations and Security Automation documentation, Security Hub integrates with Amazon EventBridge to publish findings in real time. These events can trigger automated responses using AWS Lambda functions or AWS Systems Manager Automation runbooks. In this scenario, the correct CloudOps approach is to configure the existing EventBridge rule to invoke a Lambda function that inspects the event payload, identifies the affected security group, and removes the offending inbound rule (e.g., port 21 open to 0.0.0.0/0). This event-driven remediation provides continuous compliance and eliminates manual intervention. Cron jobs (Options B and C) contradict event-driven design and add operational overhead. Stopping instances (Option A) doesn't address the root cause - the insecure security group. Thus, Option D aligns with AWS best practices for automated security remediation through EventBridge and Lambda.
AWS Cloud Operations & Security Hub Guide - Automating Security Remediation Using EventBridge and Lambda
Question 214:
A CloudOps engineer needs to ensure that configuration drift on EC2 instances is detected continuously.
Which AWS service should be used?
A. AWS Config B. Amazon Inspector C. AWS CloudTrail D. AWS Trusted Advisor
A. AWS Config
Explanation
AWS Config continuously evaluates resource configuration against defined rules and records drift over time.
AWS Config - Continuous Compliance
Question 215:
A company has a VPC that contains a public subnet and a private subnet. The company deploys an Amazon EC2 instance that uses an Amazon Linux AMI and has the AWS Systems Manager Agent (SSM Agent) installed in the private subnet. The EC2 instance is in a security group that allows only outbound traffic.
A CloudOps engineer needs to give a group of privileged administrators the ability to connect to the instance through SSH without exposing the instance to the internet.
Which solution will meet this requirement?
A. Create an EC2 Instance Connect endpoint in the private subnet. Update the security group to allow inbound SSH traffic. Assign PowerUserAccess to administrators. B. Create a Systems Manager endpoint in the private subnet. Update the security group to allow SSH traffic from the endpoint network. Assign PowerUserAccess. C. Create an EC2 Instance Connect endpoint in the public subnet. Update the security group to allow SSH traffic from the private network. Assign PowerUserAccess. D. Create a Systems Manager endpoint in the public subnet. Create an IAM role with AmazonSSMManagedInstanceCore for the EC2 instance. Assign AmazonEC2ReadOnlyAccess to administrators.
B. Create a Systems Manager endpoint in the private subnet. Update the security group to allow SSH traffic from the endpoint network. Assign PowerUserAccess.
Explanation
AWS Systems Manager Session Manager allows secure shell access to EC2 instances without opening inbound SSH ports or exposing the instance to the internet. A Systems Manager VPC endpoint enables private connectivity to the SSM service. This approach avoids exposing port 22 and satisfies the security requirement.
Question 216:
A company uses an AWS Lambda function to process user uploads to an Amazon S3 bucket. The Lambda function runs in response to Amazon S3 PutObject events.
A SysOps administrator needs to set up monitoring for the Lambda function. The SysOps administrator wants to receive a notification through an Amazon Simple Notification Service (Amazon SNS) topic if the function takes more than 10 seconds to process an event.
Which solution will meet this requirement?
A. Collect Amazon CloudWatch logs for the Lambda function. Create a metric filter to extract the PostRuntimeExtensionsDuration metric from the logs. Create a CloudWatch alarm to publish a notification to the SNS topic when the function runtime exceeds 10 seconds. B. Collect Amazon CloudWatch metrics for the Lambda function to extract the function runtime. Create a CloudWatch alarm to publish a notification to the SNS topic when the runtime exceeds 10 seconds. C. Configure an Amazon CloudWatch metric filter to capture the runtime of the Lambda function. Set the function's timeout setting to 10 seconds. Create an SNS subscription to alert the SysOps administrator if the function times out. D. Use Amazon CloudWatch Logs Insights to query Lambda logs for the function runtime. Set up a CloudWatch alarm based on the query result. Configure Amazon SNS to send notifications when function runtime exceeds 10 seconds.
B. Collect Amazon CloudWatch metrics for the Lambda function to extract the function runtime. Create a CloudWatch alarm to publish a notification to the SNS topic when the runtime exceeds 10 seconds.
Explanation
AWS Lambda automatically publishes operational metrics to Amazon CloudWatch, including Duration, which represents the time a function invocation takes to run. To alert when processing time exceeds 10 seconds, the most direct and operationally efficient solution is to create a CloudWatch alarm on the Lambda Duration metric and configure the alarm action to publish to an SNS topic. This meets the monitoring requirement without requiring log parsing or additional query mechanisms. Option B fits best because it uses the built-in metric stream for Lambda observability: CloudWatch metrics are near real-time, require minimal configuration, and alarms are a standard CloudOps practice for proactive notification. The alarm can be configured with the appropriate statistic (for example, Maximum or p99 via metric math where applicable) and a threshold of 10,000 milliseconds, ensuring the operations team is notified before performance degrades further.
Option A is incorrect because PostRuntimeExtensionsDuration is not the primary runtime metric for function execution time, and extracting runtime from logs is unnecessary. Option C changes the function timeout to 10 seconds, which would cause failures rather than simply notifying on slow executions. Option D is more operationally complex because it relies on log queries; CloudWatch alarms are more straightforward when a native metric exists.
Question 217:
A CloudOps engineer notices that EC2 instances behind a Network Load Balancer receive traffic, but responses fail intermittently. Security groups are correctly configured.
What is the MOST LIKELY cause?
A. Missing inbound rule on the NLB security group B. Missing outbound ephemeral port rule in the subnet NACL C. Incorrect target group health check port D. Disabled cross-zone load balancing
B. Missing outbound ephemeral port rule in the subnet NACL
Explanation
Network ACLs are stateless. If inbound traffic is allowed but outbound ephemeral ports are not, response traffic is dropped, causing intermittent failures.
Security groups are stateful and do not require explicit return rules.
Amazon VPC - Network ACL Behavior
Question 218:
A CloudOps engineer wants to ensure EC2 instances can be accessed securely without SSH keys or inbound ports, while maintaining full auditability.
Which solution is MOST appropriate?
A. Bastion hosts B. EC2 Instance Connect C. Systems Manager Session Manager D. Client VPN
C. Systems Manager Session Manager
Explanation
Session Manager provides keyless, port-less access with full CloudTrail and CloudWatch logging, aligning with AWS security best practices.
AWS Systems Manager - Session Manager
Question 219:
A company uses Amazon EventBridge to route operational events. A CloudOps engineer creates a rule to match specific AWS service events, but events are not arriving at the target in the same account.
The engineer confirms the target has correct permissions and is healthy.
Which action is MOST likely to identify the root cause quickly?
A. Use the EventBridge rule "Test event pattern" feature with a sample event and verify matching results. B. Enable AWS Config to record EventBridge configuration changes. C. Create a NAT gateway to allow EventBridge to reach the target. D. Enable Amazon Inspector to scan the EventBridge rule.
A. Use the EventBridge rule "Test event pattern" feature with a sample event and verify matching results.
Explanation
When EventBridge rules do not trigger, the most common cause is an event pattern mismatch (wrong source, detail-type, missing fields, incorrect value matching, or Region/event-bus mismatch). The fastest operational troubleshooting step is to validate the rule's event pattern against representative events using built-in testing and then confirm the event bus and rule are in the correct Region. This directly validates whether events should match before investigating deeper delivery mechanics. AWS Config provides historical configuration visibility but does not immediately confirm pattern matching logic. NAT gateways are not required for EventBridge service-to-service routing. Inspector is unrelated to EventBridge rule matching.
Amazon EventBridge - Rule event patterns and troubleshooting
Question 220:
A CloudOps engineer created a VPC with a private subnet, a security group allowing all outbound traffic, and an endpoint for EC2 Instance Connect in the private subnet.
The EC2 instance was launched without an SSH key pair, using the same subnet and security group. However, the engineer cannot connect via EC2 Instance Connect endpoint.
How can the CloudOps engineer connect to the instance?
A. Create an inbound rule in the security group to allow HTTPS traffic on port 443 from the private subnet. B. Create an inbound rule in the security group to allow SSH traffic on port 22 from the private subnet. C. Create an IAM instance profile that allows AWS Systems Manager Session Manager to access the EC2 instance. Associate the instance profile with the instance. D. Recreate the EC2 instance. Associate an SSH key pair with the instance.
C. Create an IAM instance profile that allows AWS Systems Manager Session Manager to access the EC2 instance. Associate the instance profile with the instance.
Explanation
AWS Cloud Operations and EC2 Connectivity documentation EC2 Instance Connect Endpoint allows access to instances without internet exposure or open SSH ports. However, for successful connectivity, the EC2 instance must have Systems Manager permissions through an IAM instance profile. If no IAM instance profile is attached, the instance cannot establish a control channel with the Systems Manager service, and EC2 Instance Connect cannot authenticate the session. Opening port 22 (Option B) is unnecessary and contradicts the private subnet design. HTTPS rules (Option A) are irrelevant because EC2 Instance Connect communicates through AWS APIs, not direct HTTPS connections. Recreating the instance with a key pair (Option D) bypasses the intended keyless connection mechanism.
Therefore, Option C - attaching an IAM instance profile with Systems Manager permissions - enables secure, private access through EC2 Instance Connect Endpoint.
AWS Cloud Operations & EC2 Connectivity Guide - Enabling EC2 Instance Connect Endpoint Access via Systems Manager Permissions
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SOA-C03 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.