SOA-C03 Amazon Web Services AWS Certified CloudOps Engineer - Associate Free Practice Exam Questions (2026 Updated)

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is D because Amazon S3 Express One Zone with directory buckets and zonal endpoints is specifically designed for single–Availability Zone, high-performance workloads such as HPC, machine learning, and analytics applications running on Amazon EC2. AWS CloudOps documentation states that S3 Express One Zone delivers single-digit millisecond latency and up to 10x higher request performance compared to general purpose S3 buckets when data is accessed from the same Availability Zone.

An S3 directory bucket is required to use the S3 Express One Zone storage class. These buckets are explicitly associated with a single Availability Zone and use zonal endpoints, which eliminate cross-AZ network hops and significantly reduce latency. Importing the data from the existing general purpose bucket ensures compatibility while achieving maximum throughput and lowest latency.

Option A is incorrect because S3 Transfer Acceleration is optimized for long-distance, internet-based transfers, not for in-Region HPC workloads. Option B is incorrect because lifecycle policies cannot move objects into S3 Express One Zone, and S3 Express One Zone does not use Regional endpoints. Option C is incorrect because general purpose buckets do not support zonal endpoints and therefore cannot achieve the same performance benefits.

AWS CloudOps performance optimization guidance clearly identifies S3 directory buckets with S3 Express One Zone and zonal endpoints as the optimal architecture for high-throughput, low-latency workloads in a single Availability Zone.

The number of AWS Trusted Advisor checks available to an account depends on the AWS Support plan associated with the account. The Basic and Developer support plans provide access to a limited set of Trusted Advisor checks, primarily focused on security and service limits.

The Business and Enterprise support plans provide full access to all Trusted Advisor checks, including cost optimization, performance, fault tolerance, and security categories.

Running EC2 instances, SCPs, or MFA settings do not affect the availability of Trusted Advisor checks.

Therefore, the AWS Support plan determines the quantity of available Trusted Advisor checks.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

For high availability and fast failover, ElastiCache for Redis supports replication groups with Multi-AZ and automatic failover. CloudOps guidance states that a primary node can be paired with one or more replicas across multiple Availability Zones; if the primary fails, Redis automatically promotes a replica to primary in seconds, thereby minimizing RTO. This architecture maintains in-memory data continuity without waiting for backup restore operations. Backups (Options B and D) provide durability but require restore and re-warm procedures that increase RTO and may impact application latency. Switching engines (Option A) to Memcached does not provide Redis replication/failover semantics and would not inherently improve resilience for this use case. Therefore, creating a read replica in a different AZ and enabling Multi-AZ with automatic failover is the prescribed CloudOps pattern to increase resilience and achieve the lowest practical RTO for Redis caches.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To meet the requirement to log and audit any principal that publishes to SNS topics and interacts with SQS queues, the correct service is AWS CloudTrail, because CloudTrail records API activity (who did what, when, and from where). Enabling data events (where supported/required for deeper visibility) provides detailed records for operations such as publishing messages and sending/receiving messages. Delivering CloudTrail logs to Amazon S3 provides durable retention and supports querying workflows.

To ensure that communication uses VPC endpoints, the company should configure VPC endpoints for SNS and SQS and then validate usage by inspecting CloudTrail event records. CloudTrail includes endpoint-related context fields (for example, a VPC endpoint identifier) that allow auditors to confirm that the request path used a VPC endpoint rather than traversing the public internet. This directly addresses the “must use VPC endpoints” control with auditable evidence.

The other options do not satisfy both requirements. CloudWatch Logs does not automatically capture SNS/SQS API caller identity for publish/send/receive operations in the same authoritative way CloudTrail does. EventBridge can capture service events but is not the primary audit log of API calls and does not inherently prove VPC endpoint usage per request. Inspecting a VPC endpoint field in CloudWatch Logs is not the standard audit mechanism for these API calls.

To analyze and visualize custom statistics such as the p90 latency (90th percentile), a CloudWatch metric must be generated from the log data. The correct method is to create a metric filter that extracts the latency value from each log event and publishes it as a CloudWatch metric. Once the metric is published, percentile statistics (p90, p95, etc.) can be displayed in CloudWatch dashboards or alarms.

AWS documentation states:

“You can use metric filters to extract numerical fields from log events and publish them as metrics in CloudWatch. CloudWatch supports percentile statistics such as p90 and p95 for these metrics.”

Contributor Insights (Option A) is for analyzing frequent contributors, not numeric distributions. Subscription filters (Option C) are used for log streaming, and Application Insights (Option D) provides monitoring of application health but not custom p90 statistics. Hence, Option B is the CloudOps-aligned, minimal-overhead solution for percentile latency monitoring.

According to the AWS Cloud Operations and Deployment documentation, EC2 Image Builder is the AWS-managed service for automating the creation, maintenance, validation, and deployment of secure and compliant Amazon Machine Images (AMIs).

It allows CloudOps teams to define image pipelines that include only approved software modules and configuration scripts. EC2 Image Builder automatically tests and verifies these AMIs for compliance before deployment.

This process ensures configuration consistency, eliminates manual installation errors, and simplifies ongoing patch management. The service integrates with AWS Systems Manager, Amazon Inspector, and AWS CloudFormation for end-to-end automation.

In contrast:

Amazon Detective and GuardDuty (Options A & B) are security monitoring tools, not image management solutions.

Run Command (Option C) applies ad-hoc updates but does not create standard, reusable AMIs.

Therefore, Option D is correct—EC2 Image Builder provides the most operationally efficient and compliant way to create an approved baseline AMI for future deployments.

Amazon CloudWatch Application Signals is designed to provide built-in observability for containerized workloads, including Amazon EKS. It automatically collects golden signals such as latency, traffic, errors, and saturation without requiring complex instrumentation.

Application Signals supports SLO definition and SLI monitoring and correlates metrics, logs, and traces within CloudWatch. This significantly reduces operational overhead compared to manually configuring OpenTelemetry pipelines, Prometheus, and Grafana.

CloudWatch RUM and Synthetics focus on frontend monitoring, not backend service observability. Application Insights does not provide full SLO/SLI support for EKS workloads.

Therefore, CloudWatch Application Signals is the correct and least-effort solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To secure inbound web traffic over HTTPS when using an Application Load Balancer, AWS CloudOps best practices recommend terminating TLS at the load balancer. This is achieved by attaching an SSL/TLS certificate directly to the ALB listener. Therefore, option B is required. By terminating HTTPS at the ALB, traffic between clients and the load balancer is encrypted, and the ALB can then forward traffic to backend EC2 instances using HTTP or HTTPS based on design requirements.

The certificate used for a public-facing retail website must be trusted by internet browsers. AWS Certificate Manager (ACM) public certificates are specifically designed for this purpose and are trusted by common browsers and operating systems. Therefore, option D is required. ACM manages certificate provisioning, renewal, and deployment automatically, which significantly reduces operational overhead.

Option A is incorrect because attaching certificates to each EC2 instance is unnecessary and does not scale well. Option C is incorrect because private certificates are intended for internal use cases and are not trusted by public browsers. Option E is incorrect because ACM-managed public certificates cannot be exported; they must be attached directly to supported AWS services such as ALBs.

This approach aligns with AWS CloudOps guidance for secure, scalable, and highly available HTTPS architectures.

AWS Secrets Manager rotation is an API-driven activity that is recorded as an audit event. When the secret rotation workflow is initiated, AWS API activity is captured by AWS CloudTrail, which provides an authoritative source of “who did what and when” for compliance evidence. By creating an Amazon EventBridge rule that matches the relevant CloudTrail event for the rotation operation, the company can automatically detect rotation activity and trigger downstream actions without building a polling system. EventBridge can route matched events directly to Amazon SNS, which then fan-outs the notification to email, SMS, chat integrations, or incident tooling used by the database team.

Option A fits the requirement because it creates an event-driven compliance notification path specifically tied to the rotation operation. It also allows more precise filtering than log scanning: the rule can match the event name and include conditions that reflect successful completion, reducing noise and false positives. EventBridge rules are managed, highly available, and require minimal operational work once configured.

Option B is not the best fit because Secrets Manager does not rely on a “native SNS rotation notification toggle” as a primary mechanism for compliance notifications in the way described; the standard event-driven pattern is to use EventBridge/CloudTrail signals rather than expecting Secrets Manager to publish directly to SNS for every rotation outcome. Options C and D propose filtering CloudWatch Logs, which adds operational overhead (log ingestion, metric filters or subscription filters, and parsing) and is less direct than matching structured API events. CloudWatch Logs filtering is also more brittle because it depends on log formats and correct log routing for the relevant services.

Therefore, using EventBridge to match CloudTrail rotation events and forward them to SNS is the most reliable and low-maintenance solution.

=================

Amazon CloudWatch Synthetics heartbeat canaries actively test a website by sending periodic requests from AWS-managed locations, closely simulating real user access. This provides an accurate measurement of availability from an end-user perspective, which is a key requirement.

The SuccessPercent metric represents the percentage of successful executions over time and directly maps to website uptime. Creating a CloudWatch alarm on this metric allows the CloudOps engineer to receive SNS notifications when availability drops below the 99% threshold.

Log-based or anomaly-detection approaches do not reliably represent user experience, and broken link checkers focus on content integrity rather than availability. Therefore, a heartbeat canary is the correct solution.

IAM user groups allow permissions to be managed centrally and applied to multiple users simultaneously, making them ideal for scalable access management. Attaching policies to groups ensures that changes propagate automatically to all members.

A customer managed policy supports versioning, reuse, and centralized updates, which meets the requirement to modify policies and manage versions over time. AWS managed policies cannot be edited, and inline policies do not support reuse or versioning across multiple principals.

Option A is invalid because service-linked roles are AWS-managed and not designed for user access. Option E lacks versioning and reusability. Option C does not allow customization.

Therefore, using IAM groups with a customer managed policy is the correct and secure solution.

High availability for an EC2-based web application behind an ALB is primarily achieved by eliminating single points of failure at the infrastructure layer. A single Availability Zone (AZ) deployment is vulnerable to AZ-level impairment (power/network issues, facility events, or service disruptions). The most direct and standard AWS approach is to distribute the Auto Scaling group across multiple AZs within the same Region.

Updating the Auto Scaling group to use subnets in at least two AZs allows instances to be launched across AZs automatically. The ALB is built to route traffic across targets in multiple AZs, and Auto Scaling can replace unhealthy instances in any enabled AZ. This provides resilience without the complexity of multi-Region architectures.

Options A and B address capacity for peak load but do not address the core availability requirement. Even with more instances, a full AZ outage would still take the entire application down if all instances are in the same AZ.

Option D (multi-Region) can improve resilience further, but it introduces significantly more operational overhead: cross-Region traffic routing, data replication, DNS failover strategy, application state handling, and potentially active-active or active-passive designs. For “make the application highly available” from a single-AZ baseline, multi-AZ in the same Region is the standard, least-overhead improvement.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

With simple scaling policies, an Auto Scaling group performs one scaling activity when the alarm condition is met, then observes a default cooldown period (300 seconds) before another scaling activity of the same type can begin. CloudOps guidance explains that cooldown prevents rapid successive scale-outs by allowing time for the newly launched instance(s) to register with the load balancer and impact the metric. Even if the alarm breaches multiple times during the cooldown window, the group waits until the cooldown completes before evaluating and acting again. In this case, although RequestCountPerTarget exceeded the threshold twice within 180 seconds, the group will launch a single instance and then wait for cooldown before any additional scale-out can occur. Options A, C, and D do not reflect the behavior of simple scaling with cooldowns; A describes step/target-tracking-like behavior, and C/D are not Auto Scaling mechanics.

An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and supports advanced routing features, including HTTP-to-HTTPS redirection. To meet the requirement of protecting traffic with ACM certificates and automatically redirecting HTTP requests, the ALB must be configured with two listeners.

The correct design is to create an HTTP listener on port 80 and an HTTPS listener on port 443. The SSL/TLS certificate from AWS Certificate Manager is attached to the HTTPS listener. A listener rule on port 80 redirects incoming HTTP requests to HTTPS on port 443, ensuring all client connections are encrypted.

Option A is invalid because HTTPS cannot operate on port 80. Option C uses TCP listeners, which do not support HTTP-level redirects. Option D uses a Network Load Balancer, which operates at Layer 4 and does not support HTTP redirects.

Therefore, Option B is the only solution that satisfies all requirements using AWS-native features with minimal complexity.

Cluster placement groups are specifically designed for workloads that require extremely low latency and high network throughput, such as HPC applications. Instances are placed physically close together within the same Availability Zone, enabling high-bandwidth, low-latency networking.

Partition placement groups are optimized for fault isolation, not network performance. Spread placement groups prioritize availability by distributing instances across distinct hardware, which increases latency.

Because the requirement is performance rather than fault isolation or high availability, a cluster placement group is the optimal choice.

Amazon ElastiCache for Redis supports Multi-AZ replication groups, which provide high availability by automatically promoting a replica in another Availability Zone if the primary node fails. This architecture significantly reduces recovery time because failover occurs automatically without manual intervention.

Creating a read replica in a second AZ ensures redundancy and resilience against AZ-level failures. Enabling Multi-AZ allows Redis to maintain availability during infrastructure issues or maintenance events.

Option A removes persistence and high availability features. Options B and D rely on backups, which increase RTO because restore operations take time and require manual steps.

Therefore, Multi-AZ Redis with replicas provides the best combination of resilience and minimal RTO.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

Use Amazon S3 Event Notifications with AWS Lambda to trigger image processing on object creation. S3 natively supports invoking Lambda for events such as s3:ObjectCreated:*, providing a serverless, low-latency pipeline without managing additional services. AWS operational guidance states that “Amazon S3 can directly invoke a Lambda function in response to object-created events,” allowing you to pass event metadata (bucket/key) to the function for resizing and writing results back to S3. This approach minimizes operational overhead, scales automatically with upload volume, and integrates with standard retry semantics. SNS or SQS can be added for fan-out or buffering patterns, but they are not required when the requirement is simply “invoke the Lambda function on upload.” CloudWatch alarms do not detect individual S3 object uploads and cannot directly satisfy per-object triggers. Therefore, configuring S3 → Lambda event notifications meets the requirement most directly and aligns with CloudOps best practices for event-driven, serverless automation.

EC2 Image Builder is a managed service that automates the creation, testing, vulnerability scanning, and distribution of AMIs. It supports scheduled image pipelines, which makes it ideal for weekly application updates.

Image Builder integrates with Amazon Inspector to perform vulnerability scans during image creation, fulfilling the security requirement. Custom image recipes define application dependencies and installation steps, ensuring consistency across deployments.

Manual AMI creation, cron-based scripts, or direct API calls require ongoing maintenance and do not natively support vulnerability scanning.

Therefore, EC2 Image Builder is the most operationally efficient solution.

AWS Systems Manager provides a built-in capability to automatically update the SSM Agent on managed instances. Enabling Auto update SSM Agent ensures that instances receive the latest agent version without manual intervention or custom automation.

This setting is centrally managed and applies across the fleet, making it the most scalable and operationally efficient solution. It eliminates the need for external notifications, custom Lambda functions, or scheduled automation workflows.

Options B and D introduce unnecessary complexity and operational burden. Option C is incorrect because Patch Manager is designed for operating system patching, not for managing SSM Agent updates.

Therefore, enabling automatic SSM Agent updates is the best solution.