Amazon SOA-C03 Exam Questions Instant Access

Question 1

A company has an application running on EC2 that stores data in an Amazon RDS for MySQL Single-AZ DB instance. The application requires both read and write operations, and the company needs failover capability with minimal downtime.

Which solution will meet these requirements?

AModify the DB instance to be a Multi-AZ DB instance deployment.

BAdd a read replica in the same Availability Zone where the DB instance is deployed.

CAdd the DB instance to an Auto Scaling group that has a minimum capacity of 2 and a desired capacity of 2.

DUse RDS Proxy to configure a proxy in front of the DB instance.

Answer : A

According to the AWS Cloud Operations and Database Reliability documentation, Amazon RDS Multi-AZ deployments provide high availability and automatic failover by maintaining a synchronous standby replica in a different Availability Zone.

In the event of instance failure, planned maintenance, or Availability Zone outage, Amazon RDS automatically promotes the standby to primary with minimal downtime (typically less than 60 seconds). The failover is transparent to applications because the DB endpoint remains the same.

By contrast, read replicas (Option B) are asynchronous and do not provide automated failover. Auto Scaling (Option C) applies to EC2, not RDS. RDS Proxy (Option D) improves connection management but does not add redundancy.

Thus, Option A --- converting the RDS instance into a Multi-AZ deployment --- delivers the required high availability and business continuity with minimal operational effort.

Question 2

Optimization]

A SysOps administrator monitors and maintains the availability of resources in an AWS environment. The SysOps administrator notices that the CPU utilization of an Amazon EC2 instance that runs web server software peaks above 80% at various times during each day. The CPU spikes correlate with peak daily loads. The high CPU load has resulted in performance issues for customers.

The SysOps administrator needs to resolve the system performance issue without causing any service disruptions. Which solution will meet these requirements?

AConfigure an Amazon CloudWatch alarm that invokes an AWS Systems Manager Automation runbook to vertically scale the EC2 instance when the CPU utilization exceeds 80%.

BConfigure an AWS Systems Manager Automation runbook to run a script that automatically restarts the application when CPU utilization exceeds 80%.

CConfigure an Amazon EventBridge rule that invokes an AWS Systems Manager Automation document. Configure the document to increase the EC2 instance size when CPU utilization exceeds 80%.

DSet up an Auto Scaling group with an Amazon CloudWatch alarm that triggers a scaling policy to launch additional EC2 instances when the CPU utilization exceeds 80%.

Answer : D

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is to fix performance degradation from predictable peak CPU load without service disruptions. The most reliable and operationally standard approach is horizontal scaling with an Auto Scaling group driven by CloudWatch metrics/alarms (or target tracking). Launching additional instances and distributing traffic (typically behind a load balancer) increases capacity while keeping existing instances serving requests---no reboot or stop/start required.

Option D meets the requirement because Auto Scaling can add capacity when CPU exceeds a threshold and remove capacity when demand falls. This improves performance during peak periods and maintains availability. It is also operationally efficient: scaling actions are automated, consistent, and can be tuned with cooldowns/health checks.

Options A and C describe vertical scaling (instance resize). Resizing an EC2 instance type generally requires stopping the instance, changing the type, and starting it again---this is disruptive for a single-instance web server and often causes downtime. Option B (restarting the application) directly introduces disruption and does not address underlying capacity constraints; it can also worsen customer impact during peaks.

Amazon EC2 Auto Scaling User Guide -- Scaling policies and CloudWatch integration

Amazon CloudWatch User Guide -- Alarms triggering Auto Scaling actions

AWS Well-Architected Framework -- Performance Efficiency and Reliability guidance

Question 3

A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. The company's security team wants to protect the website by using AWS Certificate Manager (ACM) certificates. The load balancer must automatically redirect any HTTP requests to HTTPS.

Which solution will meet these requirements?

ACreate an Application Load Balancer that has one HTTPS listener on port 80. Attach an SSL/TLS certificate to port 80.

BCreate an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS listener on port 443. Attach an SSL/TLS certificate to port 443. Create a rule to redirect requests from port 80 to port 443.

CCreate an Application Load Balancer that has two TCP listeners on ports 80 and 443. Attach an SSL/TLS certificate to port 443.

DCreate a Network Load Balancer with TCP listeners on ports 80 and 443. Attach an SSL/TLS certificate to port 443.

Answer : B

An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and supports advanced routing features, including HTTP-to-HTTPS redirection. To meet the requirement of protecting traffic with ACM certificates and automatically redirecting HTTP requests, the ALB must be configured with two listeners.

The correct design is to create an HTTP listener on port 80 and an HTTPS listener on port 443. The SSL/TLS certificate from AWS Certificate Manager is attached to the HTTPS listener. A listener rule on port 80 redirects incoming HTTP requests to HTTPS on port 443, ensuring all client connections are encrypted.

Option A is invalid because HTTPS cannot operate on port 80. Option C uses TCP listeners, which do not support HTTP-level redirects. Option D uses a Network Load Balancer, which operates at Layer 4 and does not support HTTP redirects.

Therefore, Option B is the only solution that satisfies all requirements using AWS-native features with minimal complexity.

Question 4

A CloudOps engineer is creating a simple, public-facing website running on Amazon EC2. The CloudOps engineer created the EC2 instance in an existing public subnet and assigned an Elastic IP address. The CloudOps engineer created a new security group that allows incoming HTTP traffic from 0.0.0.0/0. The CloudOps engineer also created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet.

What is the cause of this issue?

AThe CloudOps engineer did not create an outbound rule that allows ephemeral port return traffic in the new network ACL.

BThe CloudOps engineer did not create an outbound rule in the security group that allows HTTP traffic from port 80.

CThe Elastic IP address assigned to the EC2 instance has changed.

DThere is an additional network ACL associated with the subnet that denies inbound HTTP traffic.

Answer : A

Network ACLs are stateless, meaning both inbound and outbound rules must explicitly allow traffic. While inbound HTTP traffic (port 80) was allowed, the return traffic from the EC2 instance uses ephemeral ports (typically 1024--65535). If outbound rules do not allow this ephemeral port range, the response traffic is dropped, preventing the website from loading.

Security groups are stateful and automatically allow return traffic, but network ACLs do not. This commonly causes connectivity issues when custom ACLs are applied without matching outbound rules.

Option B is incorrect because security groups allow all outbound traffic by default. Option C is irrelevant. Option D is incorrect because only one network ACL can be associated with a subnet at a time.

Thus, the missing outbound ephemeral port rule in the network ACL is the root cause.

Question 5

A CloudOps engineer creates a new VPC that includes a public subnet and a private subnet. The CloudOps engineer successfully launches 11 Amazon EC2 instances in the private subnet. The CloudOps engineer attempts to launch one more EC2 instance in the same subnet but receives an error stating that not enough free IP addresses are available.

What must the CloudOps engineer do to deploy more EC2 instances?

AEdit the private subnet to change the CIDR block to /27.

BEdit the private subnet to extend across a second Availability Zone.

CAssign additional Elastic IP addresses to the private subnet.

DCreate a new private subnet to hold the required EC2 instances.

Answer : D

Each subnet in a VPC has a fixed CIDR range that determines how many private IP addresses are available. AWS reserves five IP addresses per subnet, reducing the usable address count. Once the available IP addresses are exhausted, no more instances can be launched in that subnet.

AWS does not allow changing the CIDR block of an existing subnet. Therefore, Option A is invalid. Option B does not increase the number of IP addresses; Availability Zones are properties of subnets, not expansions of their CIDR ranges. Option C is incorrect because Elastic IP addresses are public IPs and do not increase the number of private IP addresses available in a subnet.

The only viable solution is to create a new subnet with a larger or additional CIDR range and deploy additional EC2 instances there. This approach aligns with AWS VPC design principles and is the standard method for handling IP exhaustion.

Question 6

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs to send specific events from all the accounts in the organization to a new receiver account, where an AWS Lambda function will process the events.

A CloudOps engineer configures Amazon EventBridge to route events to a target event bus in the us-west-2 Region in the receiver account. The CloudOps engineer creates rules in both the sender and receiver accounts that match the specified events. The rules do not specify an account parameter in the event pattern. IAM roles are created in the sender accounts to allow PutEvents actions on the target event bus.

However, the first test events from the us-east-1 Region are not processed by the Lambda function in the receiving account.

What is the likely reason the events are not processed?

AInterface VPC endpoints for EventBridge are required in the sender accounts and receiver accounts.

BThe target Lambda function is in a different AWS Region, which is not supported by EventBridge.

CThe resource-based policy on the target event bus must be modified to allow PutEvents API calls from the sender accounts.

DThe rule in the receiving account must specify {'account': ['sender-account-id']} in its event pattern and must include the receiving account ID.

Answer : C

Per the AWS Cloud Operations and EventBridge documentation, when events are sent across AWS accounts --- particularly from multiple accounts in an AWS Organization --- the target event bus in the receiver account must include a resource-based policy that explicitly allows events:PutEvents API calls from the sender accounts or the organization ID.

Even if the sender accounts have IAM permissions to call PutEvents, the receiving event bus must trust those accounts via a resource policy. Without this configuration, EventBridge automatically rejects incoming cross-account events, and those events never reach the target Lambda function for processing.

AWS guidance states that ''Cross-account event delivery requires a resource-based policy on the event bus that grants permissions to the source accounts or organization.'' The policy can include either individual AWS account IDs or the organization's root ID.

In this scenario, because the events originate from multiple accounts and there is no resource policy on the target event bus to authorize those sender accounts, the events are not delivered.

Therefore, the correct cause is C -- the resource-based policy on the target event bus must be modified to allow PutEvents API calls from the sender accounts.

Question 7

A company's developers manually install software modules on Amazon EC2 instances to deploy new versions of a service. A security audit finds that instances contain inconsistent and unapproved modules.

A CloudOps engineer must create a new instance image that contains only approved software.

Which solution will meet these requirements?

AUse Amazon Detective to continuously find and uninstall unauthorized modules from the instances.

BUse Amazon GuardDuty to create and deploy an Amazon Machine Image (AMI) that includes only the approved modules.

CUse AWS Systems Manager Run Command to install the approved modules on all running instances during an in-place update.

DUse EC2 Image Builder to create and test an Amazon Machine Image (AMI) that includes only the approved modules. Update the deployment workflow to use the new AMI.

Answer : D

According to the AWS Cloud Operations and Deployment documentation, EC2 Image Builder is the AWS-managed service for automating the creation, maintenance, validation, and deployment of secure and compliant Amazon Machine Images (AMIs).

It allows CloudOps teams to define image pipelines that include only approved software modules and configuration scripts. EC2 Image Builder automatically tests and verifies these AMIs for compliance before deployment.

This process ensures configuration consistency, eliminates manual installation errors, and simplifies ongoing patch management. The service integrates with AWS Systems Manager, Amazon Inspector, and AWS CloudFormation for end-to-end automation.

In contrast:

Amazon Detective and GuardDuty (Options A & B) are security monitoring tools, not image management solutions.

Run Command (Option C) applies ad-hoc updates but does not create standard, reusable AMIs.

Therefore, Option D is correct---EC2 Image Builder provides the most operationally efficient and compliant way to create an approved baseline AMI for future deployments.

Amazon AWS Certified CloudOps Engineer - Associate SOA-C03 Exam Questions