SOA-C03 Questions and Answers

According to AWS Cloud Operations and Systems Manager documentation, Session Manager requires that each managed instance be associated with an IAM instance profile that grants Systems Manager core permissions. The required permissions are provided by the AmazonSSMManagedInstanceCore AWS-managed policy.

If this policy is missing or misconfigured, the Systems Manager Agent (SSM Agent) cannot communicate with the Systems Manager service, causing connection failures even if the agent is installed and running. This explains why other instances work—those instances likely have the correct IAM role attached.

Enabling port 22 (Option A) violates the company’s security policy, while configuring user names (Option C) and key pairs (Option D) are irrelevant because Session Manager operates over secure API channels, not SSH keys.

Therefore, the correct resolution is to attach or update the instance profile with the AmazonSSMManagedInstanceCore policy, restoring Session Manager connectivity.

CloudWatch Logs data protection provides native redaction/masking of sensitive data at ingestion and query. AWS documentation states it can “detect and protect sensitive data in logs” using data identifiers, and that authorized users can “use the unmask action to view the original data.” Creating a data protection policy on the log group masks PII by default for all viewers, satisfying the requirement to redact personal information. Granting only the security team permission to invoke the unmask API operation ensures that unredacted content is restricted. Option B (KMS) encrypts at rest but does not redact fields; encryption alone does not prevent plaintext visibility to authorized readers. Options A and D add complexity and latency, move data out of CloudWatch, and do not provide default inline redaction/unmask controls in CloudWatch itself. Therefore, the CloudOps-aligned, managed solution is to use CloudWatch Logs data protection with appropriate data identifiers and unmask permissions limited to the security team.

AWS Systems Manager Session Manager allows secure, auditable instance access without SSH keys or inbound ports. To control access based on instance tags, CloudOps best practices require two configurations:

Attach an IAM policy to users or groups granting ssm:StartSession, ssm:DescribeInstanceInformation, and ssm:DescribeSessions.

Include a Condition element in the IAM policy referencing instance tags, such as Condition: {"StringEquals": {"ssm:resourceTag/Environment": "Production"}}.

This ensures users can start sessions only with instances that have matching tags, providing fine-grained access control.

AWS CloudOps documentation under Security and Compliance states:

“Use IAM policies with resource tags in the Condition element to restrict which managed instances users can access using Session Manager.”

Options B and D incorrectly suggest attaching roles or service accounts that are not relevant to user-level access control. Option C (placement groups) pertains to networking and performance, not access management. Therefore, A and E together provide tag-based, least-privilege access as required.

EC2 does not publish RAM utilization as a native CloudWatch metric by default. Memory metrics such as mem_used_percent are typically collected by the CloudWatch Agent, which runs on the instance and publishes custom metrics to CloudWatch. Because the requirement is RAM utilization at 5-minute intervals, the CloudWatch Agent can be configured to emit metrics at that cadence (or faster).

“Detailed monitoring” for EC2 mainly affects EC2-provided metrics (like CPU) by changing the period from 5 minutes (basic) to 1 minute (detailed). It does not magically provide memory utilization. Therefore, the key requirement is installing/configuring the CloudWatch Agent and ensuring it has permissions to publish metrics (via an IAM role attached to the instance / instance profile).

Option C correctly combines: (1) basic monitoring (fine for the ask), (2) CloudWatch Agent to publish mem_used_percent, (3) IAM role permissions to allow publishing, and (4) Auto Scaling policy that scales based on the memory metric.

Option B incorrectly implies detailed monitoring provides mem_used_percent (it does not). Option D assumes a “standard” memory metric exists without the agent, which is not correct. Option A references mem_active, which is not the typical metric name exposed by CloudWatch Agent’s standard memory measurements for scaling policies, and also omits the IAM role requirement needed for publishing custom metrics.

Thus, C is the AWS-correct path for memory-based scaling using CloudWatch custom metrics.

Per the AWS Cloud Operations and Security Automation documentation, Security Hub integrates with Amazon EventBridge to publish findings in real time. These events can trigger automated responses using AWS Lambda functions or AWS Systems Manager Automation runbooks.

In this scenario, the correct CloudOps approach is to configure the existing EventBridge rule to invoke a Lambda function that inspects the event payload, identifies the affected security group, and removes the offending inbound rule (e.g., port 21 open to 0.0.0.0/0).

This event-driven remediation provides continuous compliance and eliminates manual intervention. Cron jobs (Options B and C) contradict event-driven design and add operational overhead. Stopping instances (Option A) doesn’t address the root cause — the insecure security group.

Thus, Option D aligns with AWS best practices for automated security remediation through EventBridge and Lambda.

CloudFormation StackSets are designed specifically to deploy and manage the same CloudFormation stack across multiple AWS accounts and Regions from a centralized administration point. When accounts are managed under AWS Organizations, StackSets can integrate directly with Organizations to target Organizational Units (OUs) or specific accounts, which minimizes operational overhead. This removes the need to manually assume roles and deploy stacks one-by-one, and avoids building custom automation (Lambda + cross-account role assumption + account enumeration + error handling + retries + idempotency).

With StackSets, you define the template once and then create stack instances across many accounts in a controlled and consistent manner. StackSets provide built-in features for: (1) centralized rollout and updates, (2) drift detection, (3) automatic deployment to new accounts (when using Organizations integration), and (4) standardized execution roles. This is operationally simpler and safer than scripting because StackSets handle orchestration and track deployment state per account/Region.

Option A increases manual work and is error-prone at scale. Options B and C require custom Lambda orchestration, cross-account permissions, and ongoing maintenance for failure modes and change management. StackSets provide the native “least ops” approach to multi-account CloudFormation deployments under Organizations.

Per the AWS Cloud Operations, Networking, and Security documentation, the best practice for serving private S3 content securely to end users is to use Amazon CloudFront with Origin Access Control (OAC).

OAC enables CloudFront to access S3 buckets privately, even when Block Public Access settings are enabled at the account level. This allows content to be delivered globally and securely without making the S3 bucket public. The bucket policy explicitly allows access only from the CloudFront distribution, ensuring that users can retrieve PDF files only via CloudFront URLs.

This configuration offers:

Automatic scalability through CloudFront caching,

Improved security via private access control,

Minimal administration effort with fully managed services.

Other options require manual handling or make the bucket public, violating AWS security best practices.

Therefore, Option B—using CloudFront with Origin Access Control and a restrictive bucket policy—provides the most secure, efficient, and low-maintenance CloudOps solution.

Amazon Route 53 Resolver outbound endpoints enable Amazon VPC resources to forward DNS queries to DNS servers that are outside of AWS, such as on-premises DNS servers. Because the company already has AWS Direct Connect in place, DNS queries can be routed privately from the VPC to the on-premises DNS infrastructure without using the public internet.

By creating an outbound endpoint and configuring forwarding rules for the on-premises domains, EC2 instances in the VPC can resolve DNS names dynamically using the existing authoritative DNS servers. This approach requires minimal ongoing maintenance because DNS records continue to be managed centrally in the on-premises DNS system.

Manually populating a private hosted zone or /etc/hosts files would require constant updates and does not scale. Reverse DNS forwarding alone does not solve forward name resolution.

Therefore, using Route 53 Resolver outbound endpoints is the correct solution.

According to CloudOps automation and monitoring best practices, CloudWatch dashboards should be provisioned as infrastructure-as-code (IaC) resources using AWS CloudFormation to ensure consistency, repeatability, and version control. AWS CloudFormation supports the AWS::CloudWatch::Dashboard resource, where the DashboardBody property accepts a JSON object describing widgets, metrics, and layout.

By exporting the existing dashboard configuration as JSON and embedding it into the CloudFormation template, every deployment of the application automatically creates its corresponding dashboard. This method aligns with the CloudOps requirement for automated deployment and operational visibility within the same stack lifecycle.

AWS documentation explicitly states:

“Use the AWS::CloudWatch::Dashboard resource to create a dashboard from your template. You can include the same JSON you use to define a dashboard in the console.”

Option A requires manual execution. Options C and D incorrectly reference or reuse existing dashboards, failing to produce unique, deployment-specific dashboards.

The AWS Cloud Operations and Security documentation specifies that for Amazon CloudFront, automatic certificate renewal is only supported for certificates issued by AWS Certificate Manager (ACM). When a certificate is managed by ACM and validated through DNS validation, ACM automatically renews the certificate before expiration without requiring manual intervention.

Option A ensures that the certificate is issued and managed by ACM, enabling full integration with CloudFront. Option E (DNS validation) is essential for automation; AWS performs revalidation automatically as long as the DNS validation record remains in place.

By contrast, email validation (Option D) requires manual user confirmation upon renewal, which prevents automatic renewals. Certificates issued by third-party certificate authorities (Option B) are manually managed and must be reimported into ACM after renewal. CloudFront does not have a direct feature (Option C) to renew certificates; it relies on ACM’s lifecycle management.

Thus, combining ACM-issued certificates (A) with DNS validation (E) ensures continuous, automated renewal with no downtime or human action required.

AWS Config is designed to continuously evaluate AWS resource configurations and detect noncompliance. The s3-bucket-logging-enabled managed rule specifically checks whether server access logging is enabled on S3 buckets. This directly meets the detection requirement for both current and future buckets.

To satisfy the remediation requirement, AWS Config supports automatic remediation actions. Using the AWS-provided AWS-ConfigureS3BucketLogging Systems Manager Automation runbook enables logging without custom code. This reduces operational overhead, avoids Lambda function maintenance, and aligns with AWS best practices.

Option A is incorrect because Trusted Advisor does not support automatic remediation. Option B cannot enforce logging at creation time through bucket policies alone. Option C works but introduces unnecessary Lambda maintenance compared to using an AWS-managed automation runbook.

Thus, combining AWS Config managed rules with Systems Manager Automation provides continuous compliance with minimal operational effort.

CloudWatch Logs Insights is purpose-built for interactive querying and analysis across log data that is stored in CloudWatch Logs. It supports selecting multiple log groups at once (including many Lambda log groups), filtering events to match error patterns, extracting fields, and aggregating results. The requirement is to produce a count of application errors grouped by type across all log groups, which aligns directly with Logs Insights capabilities.

With Logs Insights, a CloudOps engineer can query all relevant Lambda log groups, parse or extract an “error type” field from structured JSON logs (or use pattern parsing for unstructured logs), and then aggregate using the stats command with count() grouped by the parsed error type field. This approach is fast to implement, requires no data pipeline, and scales well for large volumes because Logs Insights is optimized for CloudWatch Logs data. It also supports time-range selection so the security team can request daily or incident-window reporting.

Option B is incorrect because CloudWatch Logs “search” is a basic filtering feature and does not provide the same structured aggregation and grouping features as Logs Insights for large-scale, cross-log-group analytics. Option C (Athena) would require exporting logs to Amazon S3 (for example, via subscription filters, Kinesis Data Firehose, or scheduled exports) and maintaining a schema and partitions, which adds operational overhead not required here. Option D is not applicable because CloudWatch log data is not queried through Amazon RDS, and using an RDS database for log analytics would introduce significant ingestion and operational complexity.

Therefore, running a CloudWatch Logs Insights query using stats and count() to group errors by type across all Lambda log groups is the correct solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is preventative: stop users from launching from unapproved AMIs. The most scalable approach with 75 approved AMIs is to tag all approved AMIs (for example, ApprovedAMI=true) and enforce usage through an IAM policy condition that only allows ec2:RunInstances when the ec2:ImageId resource (the AMI) includes the required tag. This avoids maintaining long allow/deny lists of AMI IDs and supports continuous updates: as new approved AMIs are created, tagging them automatically brings them under the policy without policy rewrites.

Option B is incorrect because service-linked roles are used by AWS services, not assigned to users for interactive authorization enforcement in this way. Option C and D are detective/remedial controls that act after instances are already launched, which does not satisfy “must prevent.” They also increase operational overhead and risk disruptions.

Per the AWS Cloud Operations and S3 Data Management documentation, Cross-Region Replication (CRR) automatically replicates new objects between S3 buckets across Regions. However, CRR alone does not retroactively replicate existing objects created before replication configuration. To include such objects, AWS introduced S3 Batch Replication.

S3 Batch Replication scans the source bucket and replicates all existing objects that were not copied previously. Additionally, it can retry failed replication tasks automatically, ensuring regulatory compliance for complete dataset replication.

S3 Replication Time Control (S3 RTC) guarantees predictable replication times for new objects only—it does not cover previously stored data. S3 Lifecycle rules (Option D) move or transition objects between storage classes or buckets, but not in a replication context.

Therefore, the correct solution is to use S3 Cross-Region Replication (CRR) combined with S3 Batch Replication to ensure all current and future data is synchronized across Regions with retry capability.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C because selective CloudFront invalidation ensures that only updated JavaScript files are refreshed across edge locations. AWS CloudOps documentation explains that invalidations remove cached objects so that CloudFront fetches the latest version from the origin on the next request.

Invalidating only changed files minimizes cost, reduces operational impact, and avoids unnecessary origin requests. This approach ensures users always receive the latest application assets without degrading backend performance.

Option A is incorrect because setting TTLs to 0 forces CloudFront to query the origin for every request, increasing load on the ALB and EC2 instances. Option B is inefficient and costly because invalidating all files is unnecessary. Option D removes the benefits of CloudFront caching and increases latency.

AWS CloudOps best practices recommend targeted invalidations during deployments to balance performance, cost, and correctness.

The AWS Cloud Operations and Compute documentation explains that placement groups control how EC2 instances are physically arranged within AWS data centers to optimize network performance.

Among the available placement strategies:

Cluster placement groups place instances physically close together within a single Availability Zone, connected through high-bandwidth, low-latency networking (ideal for tightly coupled, HPC, or distributed workloads).

Spread placement groups distribute instances across distinct racks or Availability Zones for fault tolerance, increasing latency.

Partition placement groups separate instances into partitions for isolation, not latency reduction.

Therefore, to minimize latency for workloads such as computational clusters, the CloudOps engineer should use a cluster placement group. This placement ensures single-digit microsecond latency and enhanced packet rate performance between instances.

Elastic IPs (Option B) do not influence internal networking. Jumbo frames (Option C) can marginally improve throughput but do not reduce propagation latency. Spread placement (Option D) increases distance, worsening latency.

Hence, Option A — using a cluster placement group — delivers the lowest possible network latency and is AWS’s best-practice design for HPC-style clusters.

AWS Systems Manager Run Command includes a built-in rate control feature that allows administrators to control the maximum number of concurrent executions across target instances. This directly addresses the requirement to limit downloads to 30 at a time without custom orchestration or additional services.

By targeting instances using tags, the solution automatically scales as new instances are added, which aligns with future growth expectations. Rate control ensures controlled concurrency and protects the private repository from overload.

Option A is manual and does not scale operationally. Option B introduces unnecessary complexity with Lambda and concurrency management that does not map cleanly to instance execution concurrency. Option D significantly increases architectural complexity without added value.

Run Command with rate control is the simplest, most native, and most scalable solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

Use Amazon S3 Event Notifications with AWS Lambda to trigger image processing on object creation. S3 natively supports invoking Lambda for events such as s3:ObjectCreated:*, providing a serverless, low-latency pipeline without managing additional services. AWS operational guidance states that “Amazon S3 can directly invoke a Lambda function in response to object-created events,” allowing you to pass event metadata (bucket/key) to the function for resizing and writing results back to S3. This approach minimizes operational overhead, scales automatically with upload volume, and integrates with standard retry semantics. SNS or SQS can be added for fan-out or buffering patterns, but they are not required when the requirement is simply “invoke the Lambda function on upload.” CloudWatch alarms do not detect individual S3 object uploads and cannot directly satisfy per-object triggers. Therefore, configuring S3 → Lambda event notifications meets the requirement most directly and aligns with CloudOps best practices for event-driven, serverless automation.

As described in the AWS Cloud Operations and EC2 Management documentation, changing an instance type (e.g., from T3 to C5) requires that the instance be stopped first. Once stopped, the engineer can modify the instance type through the AWS Management Console, CLI, or API, then start the instance again to apply changes.

This process preserves the root volume, networking configuration, and data, making it an operationally safe and efficient way to upgrade to a different instance family.

Changing the instance type while running (Option D) is unsupported. VM Import/Export (Option A) is for external VM migration. Hibernation (Option B) does not apply to type changes.

Thus, Option C is correct — stopping the instance, changing its type, and restarting it meets AWS best practices.

Because all instances are already managed by AWS Systems Manager, the lowest-overhead approach is to use Systems Manager Patch Manager end-to-end. Patch Manager is built specifically to scan managed instances for missing patches and to apply operating system patches according to defined rules. By defining a patch baseline, the CloudOps engineer establishes which patches are approved (and how quickly critical patches are approved), plus any exclusions and compliance rules. A Patch Manager scan can then be run to determine which instances are noncompliant and therefore likely affected by the vulnerability, without the engineer needing to manually inventory hosts.

After identifying affected (noncompliant) instances through the scan results, Patch Manager can apply patches directly using Patch Now (or an equivalent on-demand patch operation) in each Region. This matches the multi-Region requirement while keeping operations simple: no custom code, no additional services, and no complex event orchestration. It also produces compliance visibility in Systems Manager, which helps track remediation status for incident response.

Option B adds AWS Config unnecessarily. AWS Config is useful for recording and evaluating configuration changes and can report compliance against configuration rules, but it is not the most direct tool for identifying missing OS patches on instances already under Systems Manager management. Option C introduces additional moving parts (EventBridge rules and event-driven automation). While it can be powerful, it is more complex than a straightforward Patch Manager scan-and-patch workflow, and it assumes the right compliance events exist for this scenario before remediation begins. Option D is the highest operational burden because it requires rebuilding AMIs, launching replacement instances, and coordinating replacements across two Regions. That approach aligns to immutable infrastructure patterns, but it is not the least overhead for rapid remediation of existing instances.

Therefore, using Patch Manager with a patch baseline, scanning to identify affected instances, and applying patches in each Region is the simplest and most operationally efficient solution.

=================

According to the AWS Cloud Operations and EC2 Connectivity documentation, EC2 Instance Connect Endpoint allows access to instances without internet exposure or open SSH ports. However, for successful connectivity, the EC2 instance must have Systems Manager permissions through an IAM instance profile.

If no IAM instance profile is attached, the instance cannot establish a control channel with the Systems Manager service, and EC2 Instance Connect cannot authenticate the session.

Opening port 22 (Option B) is unnecessary and contradicts the private subnet design. HTTPS rules (Option A) are irrelevant because EC2 Instance Connect communicates through AWS APIs, not direct HTTPS connections. Recreating the instance with a key pair (Option D) bypasses the intended keyless connection mechanism.

Therefore, Option C — attaching an IAM instance profile with Systems Manager permissions — enables secure, private access through EC2 Instance Connect Endpoint.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

Amazon Aurora supports up to 15 Aurora Replicas that share the same storage volume and provide read scaling and improved availability. Official guidance states that replicas “offload read traffic from the writer” and that you should direct read-only workloads to the reader endpoint, reducing CPU pressure and connection counts on the primary. Aurora also supports Replica Auto Scaling through Application Auto Scaling policies using metrics such as CPU utilization or connections to add or remove replicas automatically. This design addresses both high CPU and maximum connections by moving reporting traffic to read replicas while keeping a single write primary for OLTP. Option B creates a separate cluster with independent storage, increasing operational overhead and data synchronization complexity. Options C and D introduce application-layer caching changes that may not guarantee data freshness or relieve the write node directly. Therefore, adding read replicas and routing reporting to the reader endpoint, with auto scaling based on load, is the least intrusive, CloudOps-aligned way to stabilize performance.

As per AWS Cloud Operations, Bedrock, and Governance documentation, AWS CloudTrail is the authoritative service for capturing API activity and audit trails across AWS accounts. For Amazon Bedrock, CloudTrail records all user-initiated API calls, including interactions with agents, knowledge bases, and generative AI model parameters.

Using CloudTrail Lake, organizations can store, query, and analyze CloudTrail events directly without needing to export data. CloudTrail Lake supports SQL-like queries for generating audit and compliance reports, enabling the company to retrieve information such as user identity, API usage, timestamp, model or agent ID, and invocation parameters.

In contrast, CloudWatch focuses on operational metrics and log streaming, not API-level identity data. OpenSearch or Flink would add unnecessary complexity and cost for this use case.

Thus, the AWS-recommended CloudOps best practice is to leverage CloudTrail with CloudTrail Lake to maintain auditable, queryable API activity for Bedrock workloads, fulfilling governance and compliance requirements.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To meet the requirement to log and audit any principal that publishes to SNS topics and interacts with SQS queues, the correct service is AWS CloudTrail, because CloudTrail records API activity (who did what, when, and from where). Enabling data events (where supported/required for deeper visibility) provides detailed records for operations such as publishing messages and sending/receiving messages. Delivering CloudTrail logs to Amazon S3 provides durable retention and supports querying workflows.

To ensure that communication uses VPC endpoints, the company should configure VPC endpoints for SNS and SQS and then validate usage by inspecting CloudTrail event records. CloudTrail includes endpoint-related context fields (for example, a VPC endpoint identifier) that allow auditors to confirm that the request path used a VPC endpoint rather than traversing the public internet. This directly addresses the “must use VPC endpoints” control with auditable evidence.

The other options do not satisfy both requirements. CloudWatch Logs does not automatically capture SNS/SQS API caller identity for publish/send/receive operations in the same authoritative way CloudTrail does. EventBridge can capture service events but is not the primary audit log of API calls and does not inherently prove VPC endpoint usage per request. Inspecting a VPC endpoint field in CloudWatch Logs is not the standard audit mechanism for these API calls.

Amazon S3 Object Lock in compliance mode provides immutable storage that prevents objects from being deleted or overwritten for a defined retention period. In compliance mode, even the root user cannot remove the retention or delete the object before the retention period expires. This makes it suitable for regulatory and strict data-protection requirements.

Because Object Lock must be enabled at bucket creation time, a new bucket is required. Setting a retention period of 3 months ensures that backups cannot be deleted before that time under any circumstances.

Option D (governance mode) allows privileged users to bypass retention, which violates the strict “must not be deleted” requirement. Option A relies on IAM policy changes, which are reversible and error-prone. Option C does not prevent deletion; versioning only retains previous versions if objects are deleted, but users can still delete versions unless additional controls are applied.

Therefore, S3 Object Lock in compliance mode is the correct and most secure solution.

According to the AWS Cloud Operations and Auto Scaling documentation, scaling applications that consume Amazon SQS messages should be driven by queue backlog per instance, not by general system metrics such as network traffic or CPU.

The correct approach is to calculate a custom metric using CloudWatch metric math that divides the SQS metric ApproximateNumberOfMessagesVisible by the number of active EC2 instances in the Auto Scaling group. This “backlog per instance” value represents the average number of messages waiting to be processed by each instance.

Then, the CloudOps engineer can create a target tracking policy that automatically scales out or in based on maintaining a desired backlog threshold. This approach ensures dynamic, workload-driven scaling behavior that reacts in near real time to message volume.

Step and simple scaling (Options C and D) require manual thresholds and do not automatically balance the load per instance.

Thus, Option B—using CloudWatch metric math to define queue backlog per instance for target tracking—is the most effective and AWS-recommended CloudOps practice.

The AWS Cloud Operations and Monitoring documentation states that Amazon CloudWatch Logs Insights provides a purpose-built query engine for analyzing and visualizing log data directly within CloudWatch. For Lambda, all invocation results (including errors) are automatically logged to CloudWatch Logs.

By querying these logs with CloudWatch Logs Insights, the CloudOps engineer can efficiently count the number of “ERROR” or “Exception” occurrences over the past 7 days using simple SQL-like commands. This method is serverless, cost-efficient, and real-time.

Athena (Options A and B) would require exporting data to Amazon S3, and OpenSearch (Option D) adds unnecessary operational complexity.

Thus, Option C provides the most efficient and native AWS CloudOps approach for rapid Lambda error analysis.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To ensure users can launch instances only from approved AMIs, the control must be enforced at authorization time, not after the fact. An IAM policy with a condition that evaluates the resource tags on the AMI is the correct method. By using an aws:ResourceTag/ApprovedAMI condition (paired with allowing ec2:RunInstances only when the chosen AMI has the required tag/value), the organization can prevent launches from untagged or unapproved images. This implements preventative control and aligns with least privilege.

Option A (Organizations tag policy) is not an enforcement mechanism for EC2 API authorization; tag policies primarily help standardize tagging and report compliance rather than block API calls. Option C (AWS Config required-tags) evaluates resources for compliance after creation and cannot reliably prevent a launch at the time of the API call. Option D is unrelated; GuardDuty detections do not enforce AMI usage policy.

When a CloudFormation stack is deleted, CloudFormation’s default behavior is to delete the resources it created, including EC2 instances and attached resources defined in the template. The requirement is explicit: the company must keep the instances and all of the instances’ data even if someone deletes the stack. The CloudFormation mechanism intended for this outcome is the DeletionPolicy attribute, which controls what happens to a resource when the stack is deleted or when the resource is replaced during an update.

Setting DeletionPolicy: Retain on the EC2 instance resource instructs CloudFormation to preserve that resource instead of deleting it during stack deletion. With Retain, CloudFormation removes the resource from stack management but leaves the instance running (and therefore keeps the data that remains on the instance and its configured storage). This directly satisfies the requirement because the instance is not terminated as part of stack deletion.

Option A is incorrect for EC2 instances because Snapshot is applicable to certain resource types (commonly storage and database resources where snapshot semantics exist), not as a general “keep my instance” control for EC2 instance resources. Options B and C (DLM and AWS Backup) are valuable for backup and recovery strategies, but they do not prevent CloudFormation from terminating the instances when the stack is deleted. Backups could help restore later, but the requirement is to keep the original instances and their data even after deletion of the stack.

Therefore, the correct solution is to set DeletionPolicy to Retain for the EC2 instance resource in the CloudFormation template.

In this scenario, the EC2 instances pass their EC2 status checks, indicating that the operating system is responsive. However, the application hosted on the instance is failing intermittently, returning HTTP 500 errors. This demonstrates a discrepancy between the instance-level health and the application-level health.

According to AWS CloudOps best practices under Monitoring, Logging, Analysis, Remediation and Performance Optimization (SOA-C03 Domain 1), Auto Scaling groups should incorporate Elastic Load Balancing (ELB) health checks instead of relying solely on EC2 status checks. The ELB health check probes the application endpoint (for example, HTTP or HTTPS target group health checks), ensuring that the application itself is functioning correctly.

When an instance fails an ELB health check, Amazon EC2 Auto Scaling will automatically mark the instance as unhealthy and replace it with a new one, ensuring continuous availability and performance optimization.

Extract from AWS CloudOps (SOA-C03) Study Guide – Domain 1:

“Implement monitoring and health checks using ALB and EC2 Auto Scaling integration. Application Load Balancer health checks allow Auto Scaling to terminate and replace instances that fail application-level health checks, ensuring consistent application performance.”

Extract from AWS Auto Scaling Documentation:

“When you enable the ELB health check type for your Auto Scaling group, Amazon EC2 Auto Scaling considers both EC2 status checks and Elastic Load Balancing health checks to determine instance health. If an instance fails the ELB health check, it is automatically replaced.”

Therefore, the correct answer is B, as it ensures proper application-level monitoring and remediation using ALB-integrated ELB health checks—a core CloudOps operational practice for proactive incident response and availability assurance.

References (AWS CloudOps Verified Source Extracts):

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide: Domain 1 – Monitoring, Logging, and Remediation.

AWS Auto Scaling User Guide: Health checks for Auto Scaling instances (Elastic Load Balancing integration).

AWS Well-Architected Framework – Operational Excellence and Reliability Pillars.

AWS Elastic Load Balancing Developer Guide – Target group health checks and monitoring.

Cluster placement groups are specifically designed for workloads that require extremely low latency and high network throughput, such as HPC applications. Instances are placed physically close together within the same Availability Zone, enabling high-bandwidth, low-latency networking.

Partition placement groups are optimized for fault isolation, not network performance. Spread placement groups prioritize availability by distributing instances across distinct hardware, which increases latency.

Because the requirement is performance rather than fault isolation or high availability, a cluster placement group is the optimal choice.

Per the AWS Cloud Operations and Event Management documentation, Amazon EventBridge provides native scheduling capabilities that can trigger events at defined intervals—such as weekly, daily, or cron-based schedules.

Creating an EventBridge rule that runs every Saturday and publishes a message to an SNS topic fully automates the notification process without maintaining servers or manual jobs. This approach is serverless, highly reliable, and fully managed by AWS.

By contrast:

EC2 cron jobs (Option A) require instance management, patching, and cost overhead.

SNS subscriptions (Option C) handle message delivery, not scheduling.

Step Functions (Option D) are designed for complex workflows, not simple scheduled triggers.

Thus, Option B provides the most operationally efficient CloudOps solution by integrating EventBridge scheduled events with SNS topics for automated, recurring notifications.

The Instance Scheduler on AWS is an AWS-provided solution designed specifically to start and stop AWS resources such as Amazon RDS instances on a defined schedule. This directly aligns with the requirement to automatically manage RDS instances during predictable idle periods, such as weekends, to reduce costs.

RDS instances incur compute charges while running, even if idle. Stopping them during weekends eliminates those charges while retaining storage and backups. Instance Scheduler supports tag-based scheduling, centralized management, and automated start/stop workflows without custom scripting.

Option A introduces custom automation and ongoing maintenance overhead. Option C (Reserved Instances) is unsuitable because the databases are idle for long, predictable periods and Reserved Instances charge regardless of usage. Option D is incorrect because RDS does not support auto scaling of DB instance classes based on utilization.

Instance Scheduler is the most cost-effective and operationally efficient solution for this use case.

Stateful applications require session persistence to ensure that subsequent requests from the same user are routed to the same backend instance. When CloudFront is used in front of an ALB, session-related cookies must be forwarded correctly; otherwise, CloudFront can route requests to different targets, causing session loss and random logouts.

Configuring cookie forwarding in the CloudFront cache behavior ensures that session cookies (such as authentication tokens) are forwarded to the ALB and not stripped or cached incorrectly. Without this configuration, CloudFront may serve cached responses that do not align with the user’s active session state, leading to authentication issues.

On the ALB side, sticky sessions (session affinity) must be enabled on the target group to ensure that requests with the same session cookie are consistently routed to the same EC2 instance. ALB stickiness uses application cookies to bind a user session to a specific target, which is critical for stateful applications that store session data in memory.

Option A affects load distribution efficiency but does not address session persistence. Option C (header forwarding) is unnecessary unless the application explicitly stores session state in headers, which is uncommon. Option D applies only when using multiple target groups and listener rules, which is not the case here.

Together, enabling cookie forwarding in CloudFront and sticky sessions at the ALB target group resolves the logout issue by maintaining consistent session routing from the user through CloudFront to the same backend instance.

The most secure way for an EC2 instance to access AWS services is by using an IAM role attached to the instance. IAM roles eliminate the need for long-term credentials, which reduces the risk of credential leakage and simplifies credential rotation.

Following the principle of least privilege, the IAM policy attached to the role should grant only the permissions required: sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage. Granting broader permissions such as sqs:* violates least privilege and increases security risk.

Options A and B rely on IAM users and static credentials, which are not recommended for applications running on EC2. Option C grants excessive permissions.

Therefore, attaching an EC2 IAM role with only the required SQS permissions is the most secure solution.

According to AWS Cloud Operations and Networking documentation, Route 53 Resolver inbound endpoints allow DNS queries to originate from on-premises DNS servers and resolve private hosted zone records in AWS. The inbound endpoint provides DNS resolver IP addresses within the VPC, which the on-premises DNS servers can forward queries to over AWS Direct Connect or VPN connections.

The inbound endpoint must be associated with a security group that permits inbound traffic on TCP and UDP port 53 from the on-premises DNS server IP addresses. This ensures that DNS requests from the on-premises environment reach the VPC Resolver for resolution of private domains like example.com.

By contrast, outbound endpoints are used for the opposite direction—resolving external (on-premises or internet) DNS names from within AWS VPCs. Therefore, only an inbound endpoint correctly satisfies the direction of resolution in this scenario.

AWS Systems Manager provides a built-in capability to automatically update the SSM Agent on managed instances. Enabling Auto update SSM Agent ensures that instances receive the latest agent version without manual intervention or custom automation.

This setting is centrally managed and applies across the fleet, making it the most scalable and operationally efficient solution. It eliminates the need for external notifications, custom Lambda functions, or scheduled automation workflows.

Options B and D introduce unnecessary complexity and operational burden. Option C is incorrect because Patch Manager is designed for operating system patching, not for managing SSM Agent updates.

Therefore, enabling automatic SSM Agent updates is the best solution.

According to the AWS Cloud Operations and ElastiCache documentation, cache evictions occur when the cache runs out of memory and must remove items to make space for new data.

To reduce evictions and retain frequently accessed items, AWS recommends increasing the total available memory — either by scaling up to larger node types or scaling out by adding shards/nodes. Migrating to a cluster with larger nodes is the simplest and most efficient solution because it immediately expands capacity without architectural changes.

Adjusting TTL (Options B and C) controls expiration timing, not memory allocation. Adding a single node (Option A) may help, but redistributing data requires resharding, introducing more complexity.

Thus, Option D provides the lowest operational overhead and ensures high cache hit rates by increasing total cache memory.

In the AWS Cloud Operations and Aurora documentation, when data loss occurs due to human error such as dropped tables, Point-in-Time Recovery (PITR) is the recommended method for restoration. PITR creates a new Aurora cluster restored to a specific time before the failure.

The restored cluster has a new endpoint that must be reconfigured in the application to resume normal operations. AWS does not support performing PITR directly on an existing production database because that would overwrite current data.

Aurora Backtrack (Option A) applies only to Aurora MySQL, not PostgreSQL. Option B is incorrect because PITR cannot be executed in place. Option D refers to an import process from S3, which is unrelated to time-based recovery.

Hence, Option C is correct and follows the AWS CloudOps standard recovery pattern for PostgreSQL workloads.

When an Amazon EBS volume is resized, the new storage capacity is immediately available to the attached EC2 instance. However, EBS does not automatically extend the file system. The CloudOps engineer must manually extend the file system within the operating system to utilize the additional space.

AWS documentation for EC2 and EBS specifies:

“After you increase the size of an EBS volume, use file system–specific tools to extend the file system so that the operating system can use the new storage capacity.”

On Windows instances, this can be achieved through Disk Management or diskpart commands. On Linux systems, utilities such as growpart and resize2fs are used.

Options B and C do not modify file system metadata and are ineffective. Option D unnecessarily replaces the volume, which adds risk and downtime. Thus, Option A aligns with the Monitoring and Performance Optimization practices of AWS CloudOps by properly extending the file system to recognize the new capacity.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is B because cross-account role assumption requires two explicit permissions. AWS CloudOps documentation states that the target role must trust the principal, and the principal must be allowed to call sts:AssumeRole.

In the member account, the role’s trust policy must list the IAM group ARN (or the identity account) as a trusted principal. In the identity account, the IAM group must have an inline or attached policy that allows the sts:AssumeRole action for the target role ARN. This dual configuration enables secure and controlled cross-account access.

Option A is incorrect because trust policies cannot be attached to IAM groups. Option C is incorrect because sts:PassRole is used for passing roles to AWS services, not for assuming roles. Option D is incorrect because roles do not grant permissions via inline policies to principals.

This approach aligns precisely with AWS CloudOps guidance for multi-account IAM design.

Amazon Aurora backtracking allows a DB cluster to be rewound to a specific point in time without creating a new DB cluster. This feature is designed for fast recovery from logical errors, such as accidental data changes, within a configured backtrack window. Because backtracking operates directly on the existing cluster, it satisfies the requirement that the restore occur in the same production DB cluster.

Point-in-time recovery (Option D) restores data by creating a new DB cluster, which violates the requirement. Option A involves promoting a replica, which does not allow rolling back to an arbitrary historical point. Option B introduces unnecessary complexity and is not supported for restoring directly into the same cluster.

Backtracking provides near-instant rollback and minimal operational disruption, making it the correct solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient approach is A: copy the AMI to each target Region using copy-image and update the CloudFormation template to reference the correct AMI IDs per Region (commonly via Mappings or parameters). AMIs are regional resources, so an AMI built in us-east-1 cannot be launched directly in other Regions without copying. The copy-image operation is the standard, supported method to replicate an AMI across Regions while preserving the image configuration and backing snapshots in the destination Region.

Once AMIs exist in each Region, CloudFormation can be executed in each Region using the same template logic. Adding mappings for AMI IDs keeps the deployment consistent and repeatable, aligning with Infrastructure as Code practices and minimizing manual steps.

Option B is more work than necessary because copying snapshots and re-creating AMIs adds extra steps and increases the chance of inconsistency. Option C is incomplete because the template will fail or launch incorrect resources if it references an AMI ID that does not exist in the target Region. Option D is not feasible because an Auto Scaling group is a regional construct and cannot span multiple Regions from a single stack update in us-east-1.

The most secure pattern is to use an IAM role for Amazon EC2 with the minimum required permissions. AWS guidance states: “Use roles for applications that run on Amazon EC2 instances” and “grant least privilege by allowing only the actions required to perform a task.” By attaching a role to the instance, short-lived credentials are automatically provided through the instance metadata service; this removes the need to create long-term access keys or embed secrets. Granting only sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage against the specific SQS queues enforces least privilege and aligns with CloudOps security controls. Options A and B rely on IAM user access keys, which contravene best practices for workloads on EC2 and increase credential-management risk. Option C uses a role but grants sqs:*, violating least-privilege principles. Therefore, Option D meets the security requirement with scoped, temporary credentials and precise permissions.