SOA-C03 Amazon Web Services AWS Certified CloudOps Engineer - Associate Free Practice Exam Questions (2026 Updated)

Because the application workload is 95% reads, the best database scaling approach is to add or remove Aurora Replicas. Aurora Auto Scaling can automatically adjust the number of Aurora Replicas in a DB cluster based on metrics such as average CPU utilization or average connections across replicas. This allows the read tier to scale as campaign traffic increases while the primary writer continues to handle the smaller write workload. Option B is incorrect because Aurora Auto Scaling scales the number of replicas; it does not vertically resize existing replicas. Options C and D are worded around generic AWS Auto Scaling rather than Aurora Auto Scaling and use less appropriate metric relationships. Scaling based on replica CPU utilization directly addresses read pressure. Therefore, configure Aurora Auto Scaling for Aurora Replicas.

===============

Aurora Auto Scaling can automatically add or remove Aurora Replicas based on target metrics, including average connections across Aurora Replicas. AWS documentation lists “Average connections of Aurora Replicas” as a target metric when adding an auto scaling policy to an Aurora DB cluster. Because performance degrades above 200 connections and baseline usage is around 180, setting a target near 195 allows scaling to begin before the connection count crosses the problem threshold. Option A is vertical scaling and does not automatically respond to fluctuating demand. Option B is not how Aurora switches between provisioned and serverless modes during spikes. Option C is unnecessary and does not address read scaling with replicas. Therefore, an Aurora auto scaling policy using the database connections metric is correct.

===============

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

For high availability and fast failover, ElastiCache for Redis supports replication groups with Multi-AZ and automatic failover. CloudOps guidance states that a primary node can be paired with one or more replicas across multiple Availability Zones; if the primary fails, Redis automatically promotes a replica to primary in seconds, thereby minimizing RTO. This architecture maintains in-memory data continuity without waiting for backup restore operations. Backups (Options B and D) provide durability but require restore and re-warm procedures that increase RTO and may impact application latency. Switching engines (Option A) to Memcached does not provide Redis replication/failover semantics and would not inherently improve resilience for this use case. Therefore, creating a read replica in a different AZ and enabling Multi-AZ with automatic failover is the prescribed CloudOps pattern to increase resilience and achieve the lowest practical RTO for Redis caches.

The AWS Cloud Operations and Compute documentation explains that placement groups control how EC2 instances are physically arranged within AWS data centers to optimize network performance.

Among the available placement strategies:

Cluster placement groups place instances physically close together within a single Availability Zone, connected through high-bandwidth, low-latency networking (ideal for tightly coupled, HPC, or distributed workloads).

Spread placement groups distribute instances across distinct racks or Availability Zones for fault tolerance, increasing latency.

Partition placement groups separate instances into partitions for isolation, not latency reduction.

Therefore, to minimize latency for workloads such as computational clusters, the CloudOps engineer should use a cluster placement group. This placement ensures single-digit microsecond latency and enhanced packet rate performance between instances.

Elastic IPs (Option B) do not influence internal networking. Jumbo frames (Option C) can marginally improve throughput but do not reduce propagation latency. Spread placement (Option D) increases distance, worsening latency.

Hence, Option A — using a cluster placement group — delivers the lowest possible network latency and is AWS’s best-practice design for HPC-style clusters.

IAM user groups allow permissions to be managed centrally and applied to multiple users simultaneously, making them ideal for scalable access management. Attaching policies to groups ensures that changes propagate automatically to all members.

A customer managed policy supports versioning, reuse, and centralized updates, which meets the requirement to modify policies and manage versions over time. AWS managed policies cannot be edited, and inline policies do not support reuse or versioning across multiple principals.

Option A is invalid because service-linked roles are AWS-managed and not designed for user access. Option E lacks versioning and reusability. Option C does not allow customization.

Therefore, using IAM groups with a customer managed policy is the correct and secure solution.

A NAT gateway uses an Elastic IP address for outbound internet access from private subnets. By creating one NAT gateway in a public subnet in each Availability Zone and routing private subnet outbound traffic through the NAT gateway in the same Availability Zone, the company gets a small, stable list of public source IP addresses to give to the third party. This is also highly available because each Availability Zone has its own NAT gateway path. Option B is impossible because a single Elastic IP address cannot be associated with hundreds of instances simultaneously. Option C is wrong because Network Load Balancers handle inbound traffic distribution, not outbound internet NAT for API calls. Option D is operationally poor and does not provide a scalable centralized static egress pattern.

===============

AWS Security Hub is the native AWS service that provides continuous compliance checks against security standards, including the CIS AWS Foundations Benchmark. When integrated with AWS Organizations, Security Hub can automatically enroll existing and newly created accounts, eliminating manual invitations and scripts.

By designating a Security Hub administrator account and enabling automatic account onboarding, the organization ensures consistent security posture monitoring across all accounts. CIS benchmark checks are run continuously, and findings are aggregated centrally, simplifying governance and remediation workflows.

Amazon Inspector focuses on vulnerability scanning for EC2, container images, and Lambda functions—not CIS compliance. GuardDuty is a threat detection service and does not run CIS benchmarks.

Therefore, using AWS Security Hub with automatic organization-wide enrollment is the most efficient solution.

The ALB target group metric HTTPCode_Target_5XX_Count records HTTP 5XX responses generated by targets behind the load balancer. A CloudWatch alarm can monitor this metric and enter the ALARM state when the error count crosses the defined threshold. CloudWatch alarms can directly invoke a Lambda function as an alarm action, which makes this the simplest reliable automation path for custom recovery. AWS documentation states that invoking a Lambda function is an alarm action and is used to automate custom actions on alarm state changes. Option B uses log polling, which adds latency and operational overhead. CloudTrail does not capture application HTTP 500 responses from EC2 instances. EventBridge does not receive every ALB request as an event. Therefore, CloudWatch alarm plus Lambda action is correct.

===============

An alias record is the recommended Route 53 record type to map domain names (e.g., example.com) to AWS-managed resources such as an Application Load Balancer. Alias records are extension types of A or AAAA records that support AWS resources directly, providing automatic DNS integration and no additional query costs.

AWS documentation states:

“Use alias records to map your domain or subdomain to an AWS resource such as an Application Load Balancer, CloudFront distribution, or S3 website endpoint.”

A and AAAA records are used for static IP addresses, not load balancers. CNAME records cannot be used at the root domain (e.g., example.com). Thus, Option C is correct as it meets CloudOps networking best practices for scalable, managed DNS resolution to ALBs.

The symptoms point to two common database pressure sources: inefficient queries (driving high CPU and latency) and excessive concurrent connections (driving connection management overhead, read contention, and timeouts). The most effective remediation is to address both the SQL workload and the connection surge behavior.

Amazon RDS Performance Insights (Option A) is designed to help identify which SQL statements and wait events contribute most to database load. It provides a database-centric view of performance that highlights top SQL, top waits, and the relative impact of sessions on CPU and other resources. By using Performance Insights to pinpoint the highest-impact SQL and then tuning those queries (for example, improving indexes, reducing full scans, and optimizing query patterns), the company can lower CPU utilization and reduce query latency during peak hours.

Connection surges are best addressed with a managed connection pooling layer. RDS Proxy (Option E) provides connection pooling and multiplexing between application connections and the database, which reduces the overhead of establishing and maintaining a large number of database connections. During spikes, the proxy can smooth bursty connection behavior, improve failover handling, and reduce the risk of overwhelming the database with too many concurrent connections. This directly targets the observed timeouts and read performance degradation tied to surges.

Option B is not the best fit because CloudWatch Logs Insights is a log analytics tool; it is not the primary mechanism for deep SQL performance attribution in RDS and typically requires extensive logging configurations that add overhead. Option C would reduce availability and does not improve performance. Option D would make the problem worse: disabling pooling increases connection churn and overhead, amplifying timeouts and latency during peak traffic.

Therefore, combining Performance Insights query analysis/tuning with RDS Proxy connection pooling best resolves both root causes.

=================

According to the AWS Cloud Operations and Database Reliability documentation, Amazon RDS Multi-AZ deployments provide high availability and automatic failover by maintaining a synchronous standby replica in a different Availability Zone.

In the event of instance failure, planned maintenance, or Availability Zone outage, Amazon RDS automatically promotes the standby to primary with minimal downtime (typically less than 60 seconds). The failover is transparent to applications because the DB endpoint remains the same.

By contrast, read replicas (Option B) are asynchronous and do not provide automated failover. Auto Scaling (Option C) applies to EC2, not RDS. RDS Proxy (Option D) improves connection management but does not add redundancy.

Thus, Option A — converting the RDS instance into a Multi-AZ deployment — delivers the required high availability and business continuity with minimal operational effort.

AWS Secrets Manager rotation is an API-driven activity that is recorded as an audit event. When the secret rotation workflow is initiated, AWS API activity is captured by AWS CloudTrail, which provides an authoritative source of “who did what and when” for compliance evidence. By creating an Amazon EventBridge rule that matches the relevant CloudTrail event for the rotation operation, the company can automatically detect rotation activity and trigger downstream actions without building a polling system. EventBridge can route matched events directly to Amazon SNS, which then fan-outs the notification to email, SMS, chat integrations, or incident tooling used by the database team.

Option A fits the requirement because it creates an event-driven compliance notification path specifically tied to the rotation operation. It also allows more precise filtering than log scanning: the rule can match the event name and include conditions that reflect successful completion, reducing noise and false positives. EventBridge rules are managed, highly available, and require minimal operational work once configured.

Option B is not the best fit because Secrets Manager does not rely on a “native SNS rotation notification toggle” as a primary mechanism for compliance notifications in the way described; the standard event-driven pattern is to use EventBridge/CloudTrail signals rather than expecting Secrets Manager to publish directly to SNS for every rotation outcome. Options C and D propose filtering CloudWatch Logs, which adds operational overhead (log ingestion, metric filters or subscription filters, and parsing) and is less direct than matching structured API events. CloudWatch Logs filtering is also more brittle because it depends on log formats and correct log routing for the relevant services.

Therefore, using EventBridge to match CloudTrail rotation events and forward them to SNS is the most reliable and low-maintenance solution.

=================

Because S3 Versioning is enabled, each object update creates additional object versions. If old versions are never removed, storage costs keep increasing even when only the latest version is needed operationally. The lowest-overhead solution is to configure an S3 Lifecycle rule to expire noncurrent object versions after the required 90-day compliance retention period. This preserves object changes for the required window and then automatically removes older versions to reduce cost. Option A is not ideal because creating delete markers affects current object visibility and does not clean up old noncurrent versions efficiently. Option C adds unnecessary backup complexity. Option D creates excessive event scheduling and Lambda management overhead. S3 Lifecycle is the native cost-optimization control for versioned-object retention.

For SQS-backed worker fleets, the most useful scaling signal is backlog per instance, calculated as the approximate number of visible messages divided by the number of running instances. This metric shows whether each worker instance has too much work to process and is therefore a strong target tracking metric. Target tracking scaling is better than simple scaling for this pattern because it continuously adjusts capacity to keep the selected metric near the desired value. Option A uses the age of the oldest message, which can indicate delay but does not directly express workload per instance. Options C and D are wrong because an ALB request metric applies to HTTP request routing, not SQS message processing. Scheduled scaling is also unsuitable because the spikes are random and unpredictable. Therefore, option B is the correct performance optimization solution.

===============

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

Amazon EFS encryption at rest is a file system creation attribute; an unencrypted EFS file system cannot be “turned on” for encryption in place. Therefore, meeting the requirement (“encrypt an existing EFS using an existing KMS customer managed key”) requires creating a new encrypted file system and migrating data.

Option A is the most operationally efficient because EFS replication is a managed mechanism that continuously copies data and metadata from a source file system to a destination file system. By specifying the existing KMS customer managed key for the destination, the new file system is encrypted at rest under the required key. After replication has caught up, the administrator can perform a controlled cutover (failover) so applications mount the encrypted destination instead of the original source. This reduces manual copying effort, supports ongoing synchronization during migration, and simplifies the cutover window.

Option B is not possible because encryption-at-rest settings for EFS cannot be modified after creation. Option C is irrelevant because TLS certificates relate to encryption in transit and are not configured as part of EFS replication in the manner described. Option D can work functionally, but it requires building and operating a copy workflow, which is more manual and error-prone than managed replication.

The AWS Cloud Operations and Content Delivery documentation explains that Amazon CloudFront caches objects in edge locations for a defined time based on TTL settings or origin headers. When new content is deployed to the S3 origin, previously cached versions remain in edge caches until they expire.

To immediately serve the new version, CloudOps engineers must initiate a CloudFront invalidation, which removes cached objects from all edge locations. This forces CloudFront to fetch the latest version from the origin (S3).

Invalidations can target individual objects (e.g., /index.html) or wildcard paths (e.g., /*) and are the AWS-recommended approach for dynamic content refresh after static site updates.

Changing headers (Option A), enforcing HTTPS (Option B), or applying caching policies (Option C) do not directly refresh outdated cache content.

Thus, Option D — issuing a CloudFront invalidation — ensures users receive the latest website content immediately after deployment.

Amazon S3 Cross-Region Replication is the managed feature for automatically replicating newly created objects from a source bucket in one Region to a destination bucket in another Region. This is the correct disaster recovery pattern because replication is handled by S3 without custom code or scheduled copy jobs. Versioning is required for replication, and in a complete production configuration, versioning must be enabled on both the source and destination buckets. Option A is therefore the best answer, even though the wording mentions only source-bucket versioning. CORS controls browser cross-origin access and has nothing to do with disaster recovery replication. Lambda and EventBridge can copy objects, but this creates more operational overhead and error handling. S3 Lifecycle policies transition or expire objects; they do not replicate new objects across Regions.

===============

AWS Systems Manager Session Manager allows secure, auditable instance access without SSH keys or inbound ports. To control access based on instance tags, CloudOps best practices require two configurations:

Attach an IAM policy to users or groups granting ssm:StartSession, ssm:DescribeInstanceInformation, and ssm:DescribeSessions.

Include a Condition element in the IAM policy referencing instance tags, such as Condition: { " StringEquals " : { " ssm:resourceTag/Environment " : " Production " }}.

This ensures users can start sessions only with instances that have matching tags, providing fine-grained access control.

AWS CloudOps documentation under Security and Compliance states:

“Use IAM policies with resource tags in the Condition element to restrict which managed instances users can access using Session Manager.”

Options B and D incorrectly suggest attaching roles or service accounts that are not relevant to user-level access control. Option C (placement groups) pertains to networking and performance, not access management. Therefore, A and E together provide tag-based, least-privilege access as required.

High availability for an EC2-based web application behind an ALB is primarily achieved by eliminating single points of failure at the infrastructure layer. A single Availability Zone (AZ) deployment is vulnerable to AZ-level impairment (power/network issues, facility events, or service disruptions). The most direct and standard AWS approach is to distribute the Auto Scaling group across multiple AZs within the same Region.

Updating the Auto Scaling group to use subnets in at least two AZs allows instances to be launched across AZs automatically. The ALB is built to route traffic across targets in multiple AZs, and Auto Scaling can replace unhealthy instances in any enabled AZ. This provides resilience without the complexity of multi-Region architectures.

Options A and B address capacity for peak load but do not address the core availability requirement. Even with more instances, a full AZ outage would still take the entire application down if all instances are in the same AZ.

Option D (multi-Region) can improve resilience further, but it introduces significantly more operational overhead: cross-Region traffic routing, data replication, DNS failover strategy, application state handling, and potentially active-active or active-passive designs. For “make the application highly available” from a single-AZ baseline, multi-AZ in the same Region is the standard, least-overhead improvement.