Amazon AWS Certified CloudOps Engineer - Associate SOA-C03 Exam Questions

Page: 1 / 14
Total 219 questions
Question 1

A company needs to monitor its website's availability to end users. The company needs a solution to provide an Amazon Simple Notification Service (Amazon SNS) notification if the website's uptime decreases to less than 99%. The monitoring must provide an accurate view of the user experience on the website.

Which solution will meet these requirements?



Answer : C

Amazon CloudWatch Synthetics heartbeat canaries actively test a website by sending periodic requests from AWS-managed locations, closely simulating real user access. This provides an accurate measurement of availability from an end-user perspective, which is a key requirement.

The SuccessPercent metric represents the percentage of successful executions over time and directly maps to website uptime. Creating a CloudWatch alarm on this metric allows the CloudOps engineer to receive SNS notifications when availability drops below the 99% threshold.

Log-based or anomaly-detection approaches do not reliably represent user experience, and broken link checkers focus on content integrity rather than availability. Therefore, a heartbeat canary is the correct solution.


Question 2

A company is preparing for a marketing campaign that will increase traffic to a new web application. The application uses Amazon API Gateway and AWS Lambda for the application logic. The application stores relevant user data in an Amazon Aurora MySQL DB cluster that has one Aurora Replica. Database queries for the application are 5% write and 95% read.

What should a CloudOps engineer do to scale the database when traffic increases?



Answer : A

Because the application workload is 95% reads, the best database scaling approach is to add or remove Aurora Replicas. Aurora Auto Scaling can automatically adjust the number of Aurora Replicas in a DB cluster based on metrics such as average CPU utilization or average connections across replicas. This allows the read tier to scale as campaign traffic increases while the primary writer continues to handle the smaller write workload. Option B is incorrect because Aurora Auto Scaling scales the number of replicas; it does not vertically resize existing replicas. Options C and D are worded around generic AWS Auto Scaling rather than Aurora Auto Scaling and use less appropriate metric relationships. Scaling based on replica CPU utilization directly addresses read pressure. Therefore, configure Aurora Auto Scaling for Aurora Replicas.


Question 3

A company's ecommerce application is running on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. Customers report that the website is occasionally down. When the website is down, it returns an HTTP 500 (server error) status code to customer browsers.

The Auto Scaling group's health check is configured for EC2 status checks, and the instances appear healthy.

Which solution will resolve the problem?



Answer : B

In this scenario, the EC2 instances pass their EC2 status checks, indicating that the operating system is responsive. However, the application hosted on the instance is failing intermittently, returning HTTP 500 errors. This demonstrates a discrepancy between the instance-level health and the application-level health.

According to AWS CloudOps best practices under Monitoring, Logging, Analysis, Remediation and Performance Optimization (SOA-C03 Domain 1), Auto Scaling groups should incorporate Elastic Load Balancing (ELB) health checks instead of relying solely on EC2 status checks. The ELB health check probes the application endpoint (for example, HTTP or HTTPS target group health checks), ensuring that the application itself is functioning correctly.

When an instance fails an ELB health check, Amazon EC2 Auto Scaling will automatically mark the instance as unhealthy and replace it with a new one, ensuring continuous availability and performance optimization.

Extract from AWS CloudOps (SOA-C03) Study Guide -- Domain 1:

''Implement monitoring and health checks using ALB and EC2 Auto Scaling integration. Application Load Balancer health checks allow Auto Scaling to terminate and replace instances that fail application-level health checks, ensuring consistent application performance.''

Extract from AWS Auto Scaling Documentation:

''When you enable the ELB health check type for your Auto Scaling group, Amazon EC2 Auto Scaling considers both EC2 status checks and Elastic Load Balancing health checks to determine instance health. If an instance fails the ELB health check, it is automatically replaced.''

Therefore, the correct answer is B, as it ensures proper application-level monitoring and remediation using ALB-integrated ELB health checks---a core CloudOps operational practice for proactive incident response and availability assurance.

Reference (AWS CloudOps Verified Source Extracts):

AWS Certified CloudOps Engineer -- Associate (SOA-C03) Exam Guide: Domain 1 -- Monitoring, Logging, and Remediation.

AWS Auto Scaling User Guide: Health checks for Auto Scaling instances (Elastic Load Balancing integration).

AWS Well-Architected Framework -- Operational Excellence and Reliability Pillars.

AWS Elastic Load Balancing Developer Guide -- Target group health checks and monitoring.


Question 4

A company uses default settings to create an AWS Lambda function. The function needs to access an Amazon RDS database that is in a private subnet of a VPC. The function has the correct IAM permissions to access the database. The private subnet has appropriate routing configurations and is accessible from within the VPC. However, the Lambda function is unable to connect to the RDS instance.

What is the likely reason the Lambda function cannot connect to the RDS instance?



Answer : B

By default, a newly created AWS Lambda function is not attached to a customer VPC. In its default configuration, Lambda runs in an AWS-managed network environment and can reach public internet endpoints, but it does not automatically have network-level connectivity into private subnets within a VPC. Accessing an Amazon RDS instance that is placed in a private subnet requires the Lambda function to be configured for VPC access. This means selecting the target VPC, choosing subnets (typically private subnets with appropriate routing), and associating one or more security groups with the Lambda function's elastic network interfaces (ENIs). Once configured, Lambda creates ENIs in the selected subnets and uses them to communicate with resources such as RDS inside the VPC.

In this scenario, the RDS database is in a private subnet and is reachable from within the VPC, but the Lambda function cannot connect. The most likely cause is that the function was created with default settings and therefore was not deployed into the VPC that contains the database. IAM permissions are not sufficient for network connectivity; IAM controls authorization to call AWS APIs, while VPC attachment and security groups control the network path.

Option A is incorrect because Lambda does not require an ''RDS destination'' setting; connectivity is established through VPC networking and the database endpoint. Option C is not supported by the prompt; there is no indication that the database is in a different VPC, and the default issue is usually ''not in a VPC at all.'' Option D is less likely because Lambda security groups allow all outbound traffic by default unless explicitly restricted; the more common default failure is lack of VPC configuration.

Therefore, the likely reason is that the Lambda function was not configured to run in the same VPC as the RDS instance.


Question 5

A company hosts a static website on an Amazon S3 bucket behind an Amazon CloudFront distribution. When the company deploys a new version of the website, users sometimes do not see the new content until the next day.

A CloudOps engineer must implement a solution to display updates to the website as quickly as possible.

Which solution will meet this requirement?



Answer : D

CloudFront caches content at edge locations to reduce origin requests and improve performance. When a static website is updated by overwriting existing object keys (for example, updating index.html in the same S3 path), CloudFront may continue to serve the cached versions of those objects until the cache's time-to-live (TTL) expires. This behavior commonly produces a delay where some viewers still receive the old site version, sometimes for many hours, depending on the configured TTLs and any cache headers that CloudFront is honoring.

A CloudFront invalidation (Option D) is designed to address exactly this situation: it removes cached objects from CloudFront edge caches so that the next request for those objects forces CloudFront to retrieve the latest versions from the S3 origin and cache them again. By invalidating key objects such as /index.html (and potentially additional paths if needed), the company can ensure users see the newest deployment quickly without waiting for TTL expiration.

Option A is not the best answer because ''adding a Cache-Control header to requests'' does not immediately clear content already cached at edge locations; it primarily influences caching behavior for future fetches and can still leave existing cached objects in place until they expire. Option B only enforces HTTPS and does not affect cache freshness or object replacement visibility. Option C (CachingOptimized) is intended to improve caching efficiency and performance for typical workloads; it does not provide immediate propagation of updated objects and can result in CloudFront serving cached responses until TTLs expire.

Therefore, the most direct solution to display the updated website as quickly as possible is to create a CloudFront invalidation.


Question 6

An ecommerce company runs a microservices application on Amazon ECS. Customers sometimes experience high latency when they attempt to complete a purchase through the application. A CloudOps engineer needs a solution to track individual transactions across multiple services to identify where latency is occurring. The solution must require minimal code changes and must provide a visual representation of service dependencies.

Which solution will meet these requirements?



Answer : A

AWS X-Ray is the correct service for distributed tracing across microservices. It tracks individual requests as they travel through application components and provides a service map that visually shows dependencies, latency, errors, and bottlenecks. For Amazon ECS, the X-Ray daemon can run as a sidecar container, and the application can be instrumented with the X-Ray SDK. This requires less effort than building custom transaction tracing and gives the CloudOps engineer request-level visibility across services. CloudWatch agents and Container Insights provide metrics and logs, but they do not trace individual user transactions across multiple services. VPC Flow Logs capture network metadata, not application-level request traces or service dependency maps. Therefore, X-Ray with a sidecar daemon and SDK instrumentation is the correct CloudOps monitoring solution.


Question 7

A company runs applications on Amazon EC2 instances. Many of the instances are not patched. The company has a tagging policy. All the instances are tagged with details about the owners, application, and environment. AWS Systems Manager Agent (SSM Agent) is installed on all the instances.

A SysOps administrator must implement a solution to automatically patch all existing and future instances that have "Prod" in the environment tag. The SysOps administrator plans to create a patch policy in Systems Manager Patch Manager.

Which solution will meet the patching requirements with the LEAST operational overhead?



Answer : A

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is A because AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria. AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation.

By defining the patch policy target as instances with an environment tag value of ''Prod,'' Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.

Options B, C, and D are incorrect because they introduce unnecessary complexity by adding AWS Lambda functions, resource groups, or EventBridge rules. AWS CloudOps best practices emphasize using native Systems Manager capabilities whenever possible to reduce operational burden and failure points.


AWS Systems Manager User Guide -- Patch Manager Tag-Based Targeting

AWS SysOps Administrator Study Guide -- Automation and Patch Management

AWS Well-Architected Framework -- Operational Excellence

Page:    1 / 14   
Total 219 questions