Amazon SOA-C03 Exam Questions Instant Access

Question 1

A company uses hundreds of Amazon EC2 On-Demand Instances and Spot Instances to run production and non-production workloads. The company installs and configures the AWS Systems Manager Agent (SSM Agent) on the EC2 instances.

During a recent instance patch operation, some instances were not patched because the instances were either busy or down. The company needs to generate a report that lists the current patch version of all instances.

Which solution will meet these requirements in the MOST operationally efficient way?

AUse Systems Manager Inventory to collect patch versions. Generate a report of all instances.

BUse Systems Manager Run Command to remotely collect patch version information. Generate a report of all instances.

CUse AWS Config to track EC2 instance configuration changes by using output from the SSM Agents. Create a custom rule to check for patch versions. Generate a report of all unpatched instances.

DUse AWS Config to monitor the patch status of the EC2 instances by using output from the SSM Agents. Create a configuration compliance rule to check whether patches are installed. Generate a report of all instances.

Answer : A

Comprehensive Explanation (250--350 words):

AWS Systems Manager Inventory is designed to collect metadata from managed instances, including installed software, applications, and patch information. It works asynchronously and does not require instances to be actively running a command at the time of collection, which is critical when instances may be busy or temporarily unavailable during patch windows.

Inventory data is stored centrally and can be queried to generate reports showing the current patch level or installed patch versions across all managed instances. This makes it well-suited for large fleets that include both On-Demand and Spot Instances and that may scale dynamically.

Option B relies on Run Command, which requires instances to be online and available at execution time. This does not meet the requirement because some instances were already missed during patch operations due to being busy or down. Option C and Option D use AWS Config, which is primarily intended for configuration compliance and drift detection, not detailed patch version reporting. Creating custom or managed rules for patch status introduces unnecessary complexity and overhead compared to Inventory's built-in capability.

Therefore, Systems Manager Inventory provides the most operationally efficient and reliable solution for collecting and reporting patch version data across all EC2 instances.

Question 2

A company's security policy requires incoming SSH traffic to be restricted to a defined set of addresses. The company is using an AWS Config rule to check whether security groups allow unrestricted incoming SSH traffic.

A CloudOps engineer discovers a noncompliant resource and fixes the security group manually. The CloudOps engineer wants to automate the remediation of other noncompliant resources.

What is the MOST operationally efficient solution that meets these requirements?

ACreate a CloudWatch alarm for the AWS Config rule and invoke a Lambda function to remediate.

BConfigure an automatic remediation action on the AWS Config rule using AWS-DisableIncomingSSHOnPort22.

CCreate an EventBridge rule for AWS Config events and invoke a Lambda function.

DRun a scheduled Lambda function to inspect and remediate security groups.

Answer : B

Comprehensive Explanation (250--350 words):

AWS Config supports automatic remediation for both managed and custom rules. When a resource is found noncompliant, AWS Config can automatically invoke an AWS Systems Manager Automation document to remediate the issue. The managed automation document AWS-DisableIncomingSSHOnPort22 is specifically designed to remove unrestricted SSH access (0.0.0.0/0) from security group inbound rules.

This approach is the most operationally efficient because it requires no custom code, no event orchestration, and no ongoing maintenance. The remediation runs immediately when AWS Config detects noncompliance and ensures consistent enforcement of security policy across all applicable resources.

Options A, C, and D rely on Lambda functions and event-driven glue logic, which significantly increase operational overhead, complexity, and long-term maintenance costs. These approaches are unnecessary when AWS provides a fully managed remediation capability.

Therefore, configuring an automatic remediation action directly on the AWS Config rule is the correct and most efficient solution.

Question 3

A company uses multiple Amazon RDS databases to support an application. The application receives all its traffic during weekdays and is idle during weekends. The company wants a solution to automatically manage the RDS DB instances during idle periods to optimize costs.

Which solution will meet these requirements?

AUse a cron job to automatically scale down the RDS DB instance type during weekends.

BConfigure Instance Scheduler on AWS to stop the RDS DB instances at the beginning of each weekend and to start the instances at the end of each weekend.

CPurchase Reserved Instances for the RDS DB instances.

DUse the auto scaling feature of Amazon RDS to automatically adjust the DB instance type based on CPU utilization.

Answer : B

Comprehensive Explanation (250--350 words):

The Instance Scheduler on AWS is an AWS-provided solution designed specifically to start and stop AWS resources such as Amazon RDS instances on a defined schedule. This directly aligns with the requirement to automatically manage RDS instances during predictable idle periods, such as weekends, to reduce costs.

RDS instances incur compute charges while running, even if idle. Stopping them during weekends eliminates those charges while retaining storage and backups. Instance Scheduler supports tag-based scheduling, centralized management, and automated start/stop workflows without custom scripting.

Option A introduces custom automation and ongoing maintenance overhead. Option C (Reserved Instances) is unsuitable because the databases are idle for long, predictable periods and Reserved Instances charge regardless of usage. Option D is incorrect because RDS does not support auto scaling of DB instance classes based on utilization.

Instance Scheduler is the most cost-effective and operationally efficient solution for this use case.

Question 4

A company runs an application on an Amazon EC2 instance. The application uses a MySQL database. The EC2 instance has a General Purpose SSD (gp3) Amazon EBS volume attached. The company wants to perform load testing using a new MySQL database created from an EBS snapshot of the production instance. The new database must perform as similarly as possible to production.

Which solution will meet these requirements in the LEAST amount of time?

AUse Amazon EBS fast snapshot restore (FSR) to create a new General Purpose SSD volume from the production snapshot.

BUse Amazon EBS fast snapshot restore (FSR) to create a new Provisioned IOPS SSD volume from the production snapshot.

CUse Amazon EBS standard snapshot restore to create a new General Purpose SSD volume from the production snapshot.

DUse Amazon EBS standard snapshot restore to create a new Provisioned IOPS SSD volume from the production snapshot.

Answer : A

Comprehensive Explanation (250--350 words):

Amazon EBS snapshots are stored in Amazon S3, and standard restores can experience higher latency until data blocks are fully retrieved. Fast Snapshot Restore (FSR) eliminates this latency by ensuring that all blocks are immediately available at full performance.

Because the production environment uses a General Purpose SSD (gp3) volume, creating the test database on the same volume type ensures performance characteristics are as similar as possible. Using FSR significantly reduces restore time and allows load testing to begin immediately.

Provisioned IOPS volumes would introduce different performance characteristics and unnecessary cost. Standard snapshot restore would delay testing due to gradual block hydration.

Therefore, using FSR with the same EBS volume type is the fastest and most accurate solution.

Question 5

A company has two AWS accounts connected by a transit gateway. Each account has one VPC in the same AWS Region. The company wants to simplify inbound and outbound rules in security groups by referencing security group IDs instead of IP CIDR blocks.

Which solution will meet this requirement?

ACreate VPC peering connections and remove the transit gateway.

BEnable security group referencing support on the transit gateway.

CEnable security group referencing support on each transit gateway attachment.

DDeploy private NAT gateways in each VPC.

Answer : C

Comprehensive Explanation (250--350 words):

AWS Transit Gateway supports security group referencing across VPCs, but this feature must be explicitly enabled on each transit gateway attachment. Once enabled, security groups in one VPC can reference security groups in another VPC attached to the same transit gateway, simplifying rule management and improving security posture.

Enabling the feature on the transit gateway itself is not sufficient; it must be enabled per attachment to allow traffic evaluation based on security group IDs. This approach avoids brittle CIDR-based rules and allows dynamic scaling without rule updates.

Option A removes the transit gateway, which contradicts the existing architecture. Option B is incomplete. Option D does not address security group referencing.

Thus, enabling security group referencing on each transit gateway attachment is the correct solution.

Question 6

A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications.

A CloudOps engineer must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.

Which solution will meet these requirements?

ACreate an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.

BCreate a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.

CCreate an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.

DCreate a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the root OU.

Answer : B

AWS Organizations service control policies (SCPs) are designed to enforce permission guardrails across accounts. SCPs define the maximum available permissions for IAM principals in member accounts, regardless of the permissions granted by IAM policies. Because the requirement is to prevent EC2 instance launches without a required tag and to apply the restriction only to accounts within a specific organizational unit, SCPs are the correct control mechanism.

By creating an SCP that denies the ec2:RunInstances action when the CostCenter-Project tag is missing, the CloudOps engineer ensures that no EC2 instance can be launched without the required tag. Attaching the SCP directly to the application OU limits the scope of enforcement to only the accounts that belong to that OU, which satisfies the requirement precisely.

IAM-based solutions such as user groups or roles cannot enforce controls across multiple accounts consistently and can be bypassed by users with sufficient permissions. Attaching the SCP to the root OU would incorrectly apply the restriction to all accounts in the organization, which violates the requirement.

Therefore, attaching a tag-enforcing SCP to the application OU is the correct and least operationally complex solution.

Question 7

A company runs an application on Amazon EC2 instances in an Auto Scaling group. Scale-out actions take a long time because of long-running boot scripts. The CloudOps engineer must reduce scale-out time without overprovisioning.

Which solution will meet these requirements?

AChange the launch configuration to use a larger instance size.

BIncrease the minimum number of instances in the Auto Scaling group.

CAdd a predictive scaling policy to the Auto Scaling group.

DAdd a warm pool to the Auto Scaling group.

Answer : D

Comprehensive Explanation (250--350 words):

An Auto Scaling warm pool keeps pre-initialized instances in a stopped or running state, allowing them to be quickly attached to the Auto Scaling group when scaling events occur. This significantly reduces scale-out latency caused by long bootstrapping scripts.

Unlike increasing the minimum instance count, warm pools do not permanently overprovision resources. Predictive scaling improves timing but does not eliminate boot time delays.

Therefore, warm pools provide the fastest scale-out with minimal cost overhead.

Amazon AWS Certified CloudOps Engineer - Associate SOA-C03 Exam Questions