SOA-C03 Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

Use Amazon S3 Event Notifications with AWS Lambda to trigger image processing on object creation. S3 natively supports invoking Lambda for events such as s3:ObjectCreated:*, providing a serverless, low-latency pipeline without managing additional services. AWS operational guidance states that “Amazon S3 can directly invoke a Lambda function in response to object-created events,” allowing you to pass event metadata (bucket/key) to the function for resizing and writing results back to S3. This approach minimizes operational overhead, scales automatically with upload volume, and integrates with standard retry semantics. SNS or SQS can be added for fan-out or buffering patterns, but they are not required when the requirement is simply “invoke the Lambda function on upload.” CloudWatch alarms do not detect individual S3 object uploads and cannot directly satisfy per-object triggers. Therefore, configuring S3 → Lambda event notifications meets the requirement most directly and aligns with CloudOps best practices for event-driven, serverless automation.

The AWS Cloud Operations and Systems Manager documentation states that to use Session Manager privately within a VPC (without internet access), three interface VPC endpoints must be configured:

com.amazonaws.<region>.ssm – enables Systems Manager core API communication.

com.amazonaws.<region>.ec2messages – allows the agent to send and receive messages between EC2 and Systems Manager.

com.amazonaws.<region>.ssmmessages – enables real-time interactive communication for Session Manager connections.

These endpoints ensure secure, private connectivity over the AWS network, eliminating the need for public internet routing.

Endpoints for S3, Step Functions, or EC2 API (Options C, E, F) are not required for Session Manager functionality.

Thus, the correct combination is A, B, and D, aligning with AWS CloudOps best practices for secure, private Systems Manager access.

The combination of geoproximity routing and DNS failover health checks provides global low-latency routing with high availability.

Geoproximity routing in Route 53 routes users to the AWS Region closest to their geographic location, optimizing latency. For automatic failover, Route 53 health checks can monitor CloudWatch alarms tied to the health of the ALB in each Region. When a Region becomes unhealthy, Route 53 reroutes traffic to the next available Region automatically.

AWS documentation states:

“Use geoproximity routing to direct users to resources based on geographic location, and configure health checks to provide DNS failover for high availability.”

Option B incorrectly monitors EC2 instances directly, which is not efficient at scale. Option C uses private IPs, which cannot be globally health-checked. Option E (simple routing) does not support geographic or failover routing. Hence, A and D together meet both the proximity and failover requirements.

In this scenario, the EC2 instances pass their EC2 status checks, indicating that the operating system is responsive. However, the application hosted on the instance is failing intermittently, returning HTTP 500 errors. This demonstrates a discrepancy between the instance-level health and the application-level health.

According to AWS CloudOps best practices under Monitoring, Logging, Analysis, Remediation and Performance Optimization (SOA-C03 Domain 1), Auto Scaling groups should incorporate Elastic Load Balancing (ELB) health checks instead of relying solely on EC2 status checks. The ELB health check probes the application endpoint (for example, HTTP or HTTPS target group health checks), ensuring that the application itself is functioning correctly.

When an instance fails an ELB health check, Amazon EC2 Auto Scaling will automatically mark the instance as unhealthy and replace it with a new one, ensuring continuous availability and performance optimization.

Extract from AWS CloudOps (SOA-C03) Study Guide – Domain 1:

“Implement monitoring and health checks using ALB and EC2 Auto Scaling integration. Application Load Balancer health checks allow Auto Scaling to terminate and replace instances that fail application-level health checks, ensuring consistent application performance.”

Extract from AWS Auto Scaling Documentation:

“When you enable the ELB health check type for your Auto Scaling group, Amazon EC2 Auto Scaling considers both EC2 status checks and Elastic Load Balancing health checks to determine instance health. If an instance fails the ELB health check, it is automatically replaced.”

Therefore, the correct answer is B, as it ensures proper application-level monitoring and remediation using ALB-integrated ELB health checks—a core CloudOps operational practice for proactive incident response and availability assurance.

References (AWS CloudOps Verified Source Extracts):

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide: Domain 1 – Monitoring, Logging, and Remediation.

AWS Auto Scaling User Guide: Health checks for Auto Scaling instances (Elastic Load Balancing integration).

AWS Well-Architected Framework – Operational Excellence and Reliability Pillars.

AWS Elastic Load Balancing Developer Guide – Target group health checks and monitoring.

As per the AWS Cloud Operations and Content Delivery documentation, CloudFront determines cache behavior by evaluating both origin headers (e.g., Cache-Control and Expires) and distribution-level TTL settings.

When Cache-Control max-age conflicts with the Maximum TTL configured in CloudFront, the shorter TTL value takes precedence. This results in CloudFront caching content for only 5 minutes instead of 1 hour, despite the origin headers suggesting a longer duration.

AWS documentation explicitly states: “When both origin cache headers and CloudFront TTL settings are defined, CloudFront uses the most restrictive caching period.” This mismatch causes the perceived performance drop, as CloudFront frequently revalidates content.

Therefore, Option D is correct — cache-duration settings conflict with each other, leading to unexpected caching behavior.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

Amazon EFS encryption at rest is a file system creation attribute; an unencrypted EFS file system cannot be “turned on” for encryption in place. Therefore, meeting the requirement (“encrypt an existing EFS using an existing KMS customer managed key”) requires creating a new encrypted file system and migrating data.

Option A is the most operationally efficient because EFS replication is a managed mechanism that continuously copies data and metadata from a source file system to a destination file system. By specifying the existing KMS customer managed key for the destination, the new file system is encrypted at rest under the required key. After replication has caught up, the administrator can perform a controlled cutover (failover) so applications mount the encrypted destination instead of the original source. This reduces manual copying effort, supports ongoing synchronization during migration, and simplifies the cutover window.

Option B is not possible because encryption-at-rest settings for EFS cannot be modified after creation. Option C is irrelevant because TLS certificates relate to encryption in transit and are not configured as part of EFS replication in the manner described. Option D can work functionally, but it requires building and operating a copy workflow, which is more manual and error-prone than managed replication.

Per the AWS Cloud Operations and Data Protection documentation, S3 Object Lock enforces write-once-read-many (WORM) protection on objects for a defined retention period.

There are two modes:

Compliance mode: Even the root user cannot delete or modify objects during the retention period.

Governance mode: Privileged users with special permissions can override lock settings.

For regulatory or audit requirements that prohibit deletion, Compliance mode is the correct choice. When configured with a 3-month retention period, all backup objects are protected from deletion until expiration, ensuring compliance with data retention mandates.

Versioning (Option C) alone does not prevent deletion. IAM-based restrictions (Option A) lack time-based enforcement and require manual intervention. Governance mode (Option D) is less strict and unsuitable for regulatory retention.

Thus, Option B is the correct CloudOps solution for immutable S3 backups.

The AWS Cloud Operations and Storage documentation confirms that S3 Transfer Acceleration is designed to increase upload speed for objects transferred to S3 buckets over long distances.

It uses AWS Global Edge Network and Amazon CloudFront edge locations to route data through optimized network paths, reducing latency and achieving higher throughput compared to standard S3 uploads.

After enabling Transfer Acceleration on the bucket, users upload files to the accelerated endpoint (e.g., bucketname.s3-accelerate.amazonaws.com). This feature requires no changes to application logic besides endpoint modification and provides immediate performance improvement.

CloudFront (Option A) is for content delivery, not uploads. ElastiCache (Option B) and Global Accelerator (Option C) are unrelated to S3 upload performance.

Thus, Option D is correct — enable S3 Transfer Acceleration for faster, optimized file uploads.

The AWS Cloud Operations and Compute documentation explains that placement groups control how EC2 instances are physically arranged within AWS data centers to optimize network performance.

Among the available placement strategies:

Cluster placement groups place instances physically close together within a single Availability Zone, connected through high-bandwidth, low-latency networking (ideal for tightly coupled, HPC, or distributed workloads).

Spread placement groups distribute instances across distinct racks or Availability Zones for fault tolerance, increasing latency.

Partition placement groups separate instances into partitions for isolation, not latency reduction.

Therefore, to minimize latency for workloads such as computational clusters, the CloudOps engineer should use a cluster placement group. This placement ensures single-digit microsecond latency and enhanced packet rate performance between instances.

Elastic IPs (Option B) do not influence internal networking. Jumbo frames (Option C) can marginally improve throughput but do not reduce propagation latency. Spread placement (Option D) increases distance, worsening latency.

Hence, Option A — using a cluster placement group — delivers the lowest possible network latency and is AWS’s best-practice design for HPC-style clusters.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

AWS Lambda automatically publishes operational metrics to Amazon CloudWatch, including Duration, which represents the time a function invocation takes to run. To alert when processing time exceeds 10 seconds, the most direct and operationally efficient solution is to create a CloudWatch alarm on the Lambda Duration metric and configure the alarm action to publish to an SNS topic. This meets the monitoring requirement without requiring log parsing or additional query mechanisms.

Option B fits best because it uses the built-in metric stream for Lambda observability: CloudWatch metrics are near real-time, require minimal configuration, and alarms are a standard CloudOps practice for proactive notification. The alarm can be configured with the appropriate statistic (for example, Maximum or p99 via metric math where applicable) and a threshold of 10,000 milliseconds, ensuring the operations team is notified before performance degrades further.

Option A is incorrect because PostRuntimeExtensionsDuration is not the primary runtime metric for function execution time, and extracting runtime from logs is unnecessary. Option C changes the function timeout to 10 seconds, which would cause failures rather than simply notifying on slow executions. Option D is more operationally complex because it relies on log queries; CloudWatch alarms are more straightforward when a native metric exists.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

AWS CloudFormation supports the DeletionPolicy attribute to control what happens to a resource when a stack is deleted. For Amazon RDS DB instances, setting DeletionPolicy: Snapshot instructs CloudFormation to retain a final DB snapshot automatically at stack deletion. CloudOps best practice recommends using this native mechanism for data retention and auditability, avoiding manual scripts or out-of-band processes. Options A, B, and D introduce operational overhead and potential human error. With DeletionPolicy set to Snapshot, the environment can be repeatedly created and torn down while preserving data states for later restoration with minimal manual steps. This aligns with IaC principles—declarative, repeatable, and reliable—and supports efficient lifecycle management of ephemeral development stacks.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

With simple scaling policies, an Auto Scaling group performs one scaling activity when the alarm condition is met, then observes a default cooldown period (300 seconds) before another scaling activity of the same type can begin. CloudOps guidance explains that cooldown prevents rapid successive scale-outs by allowing time for the newly launched instance(s) to register with the load balancer and impact the metric. Even if the alarm breaches multiple times during the cooldown window, the group waits until the cooldown completes before evaluating and acting again. In this case, although RequestCountPerTarget exceeded the threshold twice within 180 seconds, the group will launch a single instance and then wait for cooldown before any additional scale-out can occur. Options A, C, and D do not reflect the behavior of simple scaling with cooldowns; A describes step/target-tracking-like behavior, and C/D are not Auto Scaling mechanics.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is A because AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria. AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation.

By defining the patch policy target as instances with an environment tag value of “Prod,” Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.

Options B, C, and D are incorrect because they introduce unnecessary complexity by adding AWS Lambda functions, resource groups, or EventBridge rules. AWS CloudOps best practices emphasize using native Systems Manager capabilities whenever possible to reduce operational burden and failure points.

According to the AWS Cloud Operations and Identity Management documentation, when configuring federation between IAM Identity Center (formerly AWS SSO) and an external SAML 2.0 identity provider, two key prerequisites are required:

The IAM Identity Center SAML metadata file — This is uploaded to the external IdP to establish trust, define SAML endpoints, and enable identity federation.

The IdP metadata (including the public X.509 certificate) — This information is imported into IAM Identity Center to validate authentication assertions and encryption signatures.

IAM Identity Center and the IdP exchange this metadata to mutually establish secure, bidirectional federation.

Network-level details such as IP addresses (Option C) are unnecessary. Root access (Option D) or permissions to member accounts (Option E) are not required; only Control Tower or IAM administrative permissions in the management account are needed for setup.

Thus, the correct answer is A and B — the SAML metadata from both sides is required for federation.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

For users in eu-west-2 transferring large files to/from an S3 bucket in ap-southeast-2 over the public internet, S3 Transfer Acceleration is designed to improve performance by leveraging the AWS global edge network. With Transfer Acceleration enabled, users access the bucket via the acceleration endpoint. Requests enter AWS at the nearest edge location and then traverse the AWS backbone network to the bucket’s Region, which typically reduces latency variability and can improve throughput for long-distance transfers.

Option A is incorrect because access points do not “replicate destinations” in the way described, and an access point in another Region does not move data closer by itself. Option B is incorrect because Route 53 DNS routing does not accelerate data transfers; it only resolves names and (in this case) also incorrectly references S3 website endpoints (not appropriate for general large file transfer APIs). Option C is not valid as written because a single S3 access point cannot be “associated with both buckets,” and maintaining two buckets introduces synchronization/consistency overhead; it’s not the least-friction acceleration approach for direct internet users.

Per the AWS Cloud Operations and S3 Data Management documentation, Cross-Region Replication (CRR) automatically replicates new objects between S3 buckets across Regions. However, CRR alone does not retroactively replicate existing objects created before replication configuration. To include such objects, AWS introduced S3 Batch Replication.

S3 Batch Replication scans the source bucket and replicates all existing objects that were not copied previously. Additionally, it can retry failed replication tasks automatically, ensuring regulatory compliance for complete dataset replication.

S3 Replication Time Control (S3 RTC) guarantees predictable replication times for new objects only—it does not cover previously stored data. S3 Lifecycle rules (Option D) move or transition objects between storage classes or buckets, but not in a replication context.

Therefore, the correct solution is to use S3 Cross-Region Replication (CRR) combined with S3 Batch Replication to ensure all current and future data is synchronized across Regions with retry capability.

The AWS Cloud Operations and Monitoring documentation specifies that the Amazon CloudWatch Agent is the recommended tool for collecting system and application logs from EC2 instances. The agent pushes these logs into a centralized CloudWatch Logs group, providing durable storage and real-time monitoring.

Once the logs are centralized, a CloudWatch Metric Filter can be configured to search for specific error keywords (for example, “ERROR” or “FAILURE”). This filter transforms matching log entries into custom metrics. From there, a CloudWatch Alarm can monitor the metric threshold and publish notifications to an Amazon SNS topic, which can send email or SMS alerts to subscribed recipients.

This combination provides a fully automated, managed, and serverless solution for log aggregation and error alerting. It eliminates the need for manual cron jobs (Option B), custom scripts (Option D), or Lambda-based log streaming (Option C).

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C because selective CloudFront invalidation ensures that only updated JavaScript files are refreshed across edge locations. AWS CloudOps documentation explains that invalidations remove cached objects so that CloudFront fetches the latest version from the origin on the next request.

Invalidating only changed files minimizes cost, reduces operational impact, and avoids unnecessary origin requests. This approach ensures users always receive the latest application assets without degrading backend performance.

Option A is incorrect because setting TTLs to 0 forces CloudFront to query the origin for every request, increasing load on the ALB and EC2 instances. Option B is inefficient and costly because invalidating all files is unnecessary. Option D removes the benefits of CloudFront caching and increases latency.

AWS CloudOps best practices recommend targeted invalidations during deployments to balance performance, cost, and correctness.

According to the AWS Cloud Operations and Networking documentation, instances in a private subnet do not have a direct route to the internet gateway and thus require a NAT gateway for outbound internet access.

The correct configuration is to create a NAT gateway in the public subnet, associate an Elastic IP address, and then update the private subnet’s route table to send all 0.0.0.0/0 traffic to the NAT gateway. This enables instances in the private subnet to initiate outbound connections while keeping inbound traffic blocked for security.

Placing the NAT gateway inside the private subnet (Options C or D) prevents connectivity because it would not have a route to the internet gateway. Configuring routes from the public subnet to the NAT gateway (Option B) does not serve private subnet traffic.

Hence, Option A follows AWS best practices for enabling secure, managed, outbound-only internet access from private resources.

The AWS Cloud Operations and Infrastructure-as-Code documentation specifies that when using AWS CloudFormation, resources are created in parallel by default unless explicitly ordered using DependsOn.

If a custom resource (Lambda) depends on another resource (like an EC2 instance) to exist before execution, a DependsOn attribute must be added to enforce creation order. This ensures the EC2 instance is launched and available before the custom resource executes its automation logic.

Updating the service token (Option B) doesn’t affect order of execution. The cfn-response module (Option C) handles callback communication but not sequencing. Fn::If (Option D) is for conditional creation, not dependency control.

Therefore, Option A is correct — adding a DependsOn attribute guarantees that CloudFormation provisions the EC2 instance before executing the Lambda custom resource.

Per the AWS Cloud Operations and Security Automation documentation, Security Hub integrates with Amazon EventBridge to publish findings in real time. These events can trigger automated responses using AWS Lambda functions or AWS Systems Manager Automation runbooks.

In this scenario, the correct CloudOps approach is to configure the existing EventBridge rule to invoke a Lambda function that inspects the event payload, identifies the affected security group, and removes the offending inbound rule (e.g., port 21 open to 0.0.0.0/0).

This event-driven remediation provides continuous compliance and eliminates manual intervention. Cron jobs (Options B and C) contradict event-driven design and add operational overhead. Stopping instances (Option A) doesn’t address the root cause — the insecure security group.

Thus, Option D aligns with AWS best practices for automated security remediation through EventBridge and Lambda.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

EC2 Instance Connect Endpoint (EIC Endpoint) enables SSH to instances in private subnets without public IPs and without needing to traverse the public internet. CloudOps guidance explains that you deploy the endpoint in the same VPC/subnet as the targets, then allow inbound SSH on the instance security group from the endpoint’s security group. Access is governed by IAM—administrators must have Instance Connect permissions; while the example uses a broad policy, the key mechanism is EIC in the private subnet plus SG rules scoped to the endpoint. Systems Manager Session Manager can provide shell access without SSH, but the requirement explicitly states “connect through SSH,” making EIC the purpose-built solution. Options B and D misuse Systems Manager for SSH and propose unnecessary SG changes or incorrect endpoint placement; Option C places the endpoint in a public subnet, which is not required for private SSH access. Therefore, creating an EC2 Instance Connect endpoint in the private subnet and updating SGs accordingly meets the requirement while keeping the instance non-internet-exposed.