SOA-C03 Amazon Web Services AWS Certified CloudOps Engineer - Associate Free Practice Exam Questions (2026 Updated)

AWS Systems Manager provides a built-in capability to automatically update the SSM Agent on managed instances. Enabling Auto update SSM Agent ensures that instances receive the latest agent version without manual intervention or custom automation.

This setting is centrally managed and applies across the fleet, making it the most scalable and operationally efficient solution. It eliminates the need for external notifications, custom Lambda functions, or scheduled automation workflows.

Options B and D introduce unnecessary complexity and operational burden. Option C is incorrect because Patch Manager is designed for operating system patching, not for managing SSM Agent updates.

Therefore, enabling automatic SSM Agent updates is the best solution.

According to the AWS Cloud Operations and Deployment documentation, EC2 Image Builder is the AWS-managed service for automating the creation, maintenance, validation, and deployment of secure and compliant Amazon Machine Images (AMIs).

It allows CloudOps teams to define image pipelines that include only approved software modules and configuration scripts. EC2 Image Builder automatically tests and verifies these AMIs for compliance before deployment.

This process ensures configuration consistency, eliminates manual installation errors, and simplifies ongoing patch management. The service integrates with AWS Systems Manager, Amazon Inspector, and AWS CloudFormation for end-to-end automation.

In contrast:

Amazon Detective and GuardDuty (Options A & B) are security monitoring tools, not image management solutions.

Run Command (Option C) applies ad-hoc updates but does not create standard, reusable AMIs.

Therefore, Option D is correct—EC2 Image Builder provides the most operationally efficient and compliant way to create an approved baseline AMI for future deployments.

When an AWS Lambda function is configured to run inside a VPC, it loses default internet access. All outbound traffic must be explicitly routed. In this scenario, the Lambda function resides in a private subnet and successfully connects to Amazon RDS, but it times out when attempting to publish messages to Amazon SQS. This indicates a lack of network connectivity to the SQS service endpoint.

There are two valid AWS-supported ways to restore connectivity. The first is to deploy a NAT gateway in a public subnet and update the private subnet route table to send outbound internet-bound traffic (0.0.0.0/0) to the NAT gateway. This allows the Lambda function to reach public AWS service endpoints, including SQS.

The second option is to create an interface VPC endpoint (AWS PrivateLink) for Amazon SQS. This enables private, secure connectivity to SQS directly within the AWS network without traversing the internet. This approach is often preferred for security-sensitive workloads and removes dependency on NAT gateways.

Option A would break database connectivity because the Lambda function must remain in the VPC to access the private RDS instance. Option B does not address outbound connectivity to SQS. Option E is incorrect because Amazon SQS does not support gateway endpoints; only interface endpoints are supported.

Therefore, deploying a NAT gateway or creating an SQS interface endpoint resolves the timeout issue.

For Amazon RDS for MySQL, a Multi-AZ DB instance deployment provides synchronous standby replication to another Availability Zone and supports automatic failover if the primary DB instance or Availability Zone fails. This directly meets the requirement for failover while minimizing application downtime. A read replica in the same Availability Zone does not provide the same automatic high-availability failover path and is mainly used for read scaling. Auto Scaling groups apply to EC2 instances, not RDS DB instances. RDS Proxy can improve application connection handling and failover behavior, but it does not by itself create a standby database for a Single-AZ instance. The database must first have a high-availability deployment. Therefore, modifying the DB instance to Multi-AZ is the correct reliability solution.

===============

When mapping one domain name to another domain name that is hosted outside AWS, a CNAME record is the correct DNS record type. CNAME records map an alias name (www.company.com) to a canonical domain name (app.example.com).

Alias records cannot be used to point to non-AWS resources. A and PTR records map IP addresses, not domain names, and are therefore not appropriate.

Because www.company.com is not the zone apex, a CNAME record is valid and supported. This solution requires no additional infrastructure and is the standard DNS approach for this scenario.

Network ACLs are stateless, meaning both inbound and outbound rules must explicitly allow traffic. While inbound HTTP traffic (port 80) was allowed, the return traffic from the EC2 instance uses ephemeral ports (typically 1024–65535). If outbound rules do not allow this ephemeral port range, the response traffic is dropped, preventing the website from loading.

Security groups are stateful and automatically allow return traffic, but network ACLs do not. This commonly causes connectivity issues when custom ACLs are applied without matching outbound rules.

Option B is incorrect because security groups allow all outbound traffic by default. Option C is irrelevant. Option D is incorrect because only one network ACL can be associated with a subnet at a time.

Thus, the missing outbound ephemeral port rule in the network ACL is the root cause.

The AWS Cloud Operations and Governance documentation specifies that AWS Config can be paired with AWS Systems Manager Automation runbooks for automatic remediation of noncompliant resources.

For SSH restrictions, the restricted-ssh managed rule detects any security group allowing inbound traffic on port 22. To automatically remediate these findings, AWS provides the AWS-DisableIncomingSSHOnPort22 runbook. This runbook programmatically removes inbound rules that allow port 22 traffic from affected security groups.

This approach achieves continuous compliance with minimal human intervention. By contrast, sending notifications (Option A) does not enforce remediation, API-based scripts (Option C) add operational overhead, and manual remediation (Option D) violates automation best practices.

Therefore, the most efficient CloudOps solution is Option B, using AWS Config with the AWS-DisableIncomingSSHOnPort22 automation runbook for automatic, scalable enforcement.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

VPC Flow Logs show the request arriving and being ACCEPTed on dstport 8080 and the corresponding response being REJECTed on the return path to the client’s ephemeral port (59003). AWS networking guidance states that security groups are stateful (return traffic is automatically allowed) while network ACLs are stateless and require explicit inbound and outbound rules for both directions. CloudOps operational guidance for VPC networking further notes that when you allow an inbound request (for example, TCP 8080) through a subnet’s network ACL, you must also allow the outbound ephemeral port range (typically 1024–65535) for the response traffic; otherwise, the return packets are dropped and appear as REJECT in flow logs. The observed pattern—request accepted to 8080, response rejected to 59003—matches a missing outbound ephemeral-range allow on the subnet’s NACL. Therefore, the cause is the subnet NACL, not security groups or on-premises ACLs. The remediation is to add an outbound ALLOW rule on the NACL for the appropriate ephemeral TCP port range back to the on-premises CIDR (and the corresponding inbound rule if asymmetric).

Per the AWS Cloud Operations and Service Catalog documentation, when a portfolio is shared across AWS accounts, the recipient account imports the shared portfolio.

The recipient CloudOps engineer cannot modify the original products or their configurations but can:

Add products from the imported portfolio into their local portfolios for deployment,

Control end-user access in the recipient account, and

Manage local constraints or permissions.

However, the recipient cannot edit, delete, or reconfigure the shared products (Options B, C, and D). The source (owner) account retains full administrative control over products, launch roles, and lifecycle policies.

This model aligns with AWS CloudOps principles of centralized governance with distributed self-service deployment across multiple accounts.

Thus, Option A is correct—imported portfolios allow the recipient to add products to a local portfolio but not alter the shared configuration.

The requirement is to produce cost optimization recommendations for EBS volumes based on IOPS and throughput, and to do so with the most operational efficiency across potentially many instances and volumes. AWS Compute Optimizer is the most suitable service because it analyzes historical utilization metrics and configuration characteristics to generate rightsizing recommendations. When enabled, Compute Optimizer evaluates EBS volume performance patterns (including throughput and IOPS consumption) and can recommend more appropriate volume types or settings to reduce cost while meeting performance needs.

Option C is operationally efficient because it centralizes analysis. Instead of manually inspecting per-volume graphs, Compute Optimizer aggregates and evaluates data over time, reducing human effort and improving consistency. After sufficient observation time, the CloudOps engineer can review the findings and translate them into concrete actions such as reducing provisioned IOPS on io1/io2, selecting gp3 with tuned IOPS/throughput, or resizing volumes that are over-provisioned relative to actual demand.

Option A is manual and does not directly address IOPS/throughput rightsizing; it also incorrectly focuses on consumed space versus provisioned space, which is more relevant to capacity than performance provisioning. Option B is unrelated: EBS-optimized is an EC2 feature for dedicated EBS bandwidth and does not rightsize EBS volume performance or reduce over-provisioned IOPS/throughput. Option D introduces significant operational overhead by installing benchmarking tools and running synthetic tests, which is not scalable, can affect production performance, and still may not reflect real workload patterns.

Therefore, enabling AWS Compute Optimizer and using its EBS volume recommendations is the most operationally efficient approach.

According to the AWS Cloud Operations and Compute Optimizer documentation, Compute Optimizer provides right-sizing recommendations by analyzing Amazon CloudWatch metrics and instance configuration data. However, AWS explicitly notes that only supported instance types are included in Compute Optimizer analyses. If an EC2 instance type is newly released or not yet supported by Compute Optimizer, it will not appear in the Compute Optimizer dashboard until official support is added.

The documentation explains that “Compute Optimizer analyses only supported resource types and instance families. Instances using unsupported or newly launched instance types will not appear in the Compute Optimizer console.” This ensures the service provides accurate recommendations based on sufficient performance history and benchmark data.

While CloudWatch metrics are required for analysis, the complete absence of instances from the dashboard — rather than “insufficient metric data” notifications — indicates unsupported instance types. Compute Optimizer would normally still display those with limited metrics but would flag them as “insufficient data,” not remove them entirely.

Therefore, the most accurate cause of missing instances in this case is that Compute Optimizer does not support the newly released instance types, making option B correct.

The application is CPU-heavy, shows sustained high CPU utilization, and can only scale vertically. Therefore, the correct action is to move to a larger or more appropriate compute-optimized EC2 instance family. The current t3.large is a burstable general-purpose instance. Burstable instances can experience performance limitations if CPU credits are depleted after sustained high CPU usage, which matches the “after a few minutes” latency pattern. Provisioned IOPS helps storage-bound workloads, not CPU-bound workloads. Adding more t3.large instances is horizontal scaling, which the question explicitly says the application cannot use. Reserved Instances reduce cost commitment but do not improve performance. A compute-optimized instance provides stronger sustained CPU capacity and is the correct performance optimization for a vertically scaled CPU-heavy workload.

===============

AWS Secrets Manager natively supports credential management and automatic rotation for Amazon RDS master user passwords. When a secret is associated with an RDS instance, Secrets Manager automatically updates the password both in the secret and on the database, without downtime or manual scripting.

AWS documentation confirms:

“AWS Secrets Manager can automatically rotate the master user password for Amazon RDS databases. Rotation is fully managed and integrated, requiring no custom code or maintenance.”

Option A introduces unnecessary Lambda automation. Option B and C use Parameter Store, which does not provide direct RDS password rotation. Therefore, Option D achieves secure, automatic credential rotation with least operational effort, fully aligned with CloudOps security automation principles.

For cross-account access, the Lambda function in Account A needs an execution role that permits it to call sts:AssumeRole on a role in Account B. The role in Account B must trust the Lambda execution role from Account A and must have permissions to read the target S3 bucket objects. This follows the standard AWS cross-account access model: the resource-owning account creates a role with permissions to the resource, and the external workload assumes that role. Option B is incomplete because permissions granted only in Account A do not automatically grant access to resources in Account B. Options C and D reverse the trust relationship incorrectly. The secure CloudOps model is cross-account role assumption with least privilege: Lambda execution role in Account A assumes a read-only S3 access role in Account B.

===============

Amazon S3 event notifications are the native mechanism for invoking processing when objects are uploaded to an S3 bucket. The CloudOps engineer can configure the bucket to send ObjectCreated events to an AWS Lambda function, and the Lambda function can process each new log file by using the bucket name and object key from the event payload. This is serverless, event-driven, and has the least operational overhead. CodePipeline is intended for software delivery workflows, not generic log-file processing. Step Functions is useful for orchestrating multi-step workflows, but polling or waiting for S3 uploads is unnecessary here. EventBridge can receive some S3 events, but the direct S3 event notification to Lambda is simpler and more targeted for this requirement.

As per AWS Cloud Operations, Bedrock, and Governance documentation, AWS CloudTrail is the authoritative service for capturing API activity and audit trails across AWS accounts. For Amazon Bedrock, CloudTrail records all user-initiated API calls, including interactions with agents, knowledge bases, and generative AI model parameters.

Using CloudTrail Lake, organizations can store, query, and analyze CloudTrail events directly without needing to export data. CloudTrail Lake supports SQL-like queries for generating audit and compliance reports, enabling the company to retrieve information such as user identity, API usage, timestamp, model or agent ID, and invocation parameters.

In contrast, CloudWatch focuses on operational metrics and log streaming, not API-level identity data. OpenSearch or Flink would add unnecessary complexity and cost for this use case.

Thus, the AWS-recommended CloudOps best practice is to leverage CloudTrail with CloudTrail Lake to maintain auditable, queryable API activity for Bedrock workloads, fulfilling governance and compliance requirements.

Per the AWS Cloud Operations and S3 Data Management documentation, Cross-Region Replication (CRR) automatically replicates new objects between S3 buckets across Regions. However, CRR alone does not retroactively replicate existing objects created before replication configuration. To include such objects, AWS introduced S3 Batch Replication.

S3 Batch Replication scans the source bucket and replicates all existing objects that were not copied previously. Additionally, it can retry failed replication tasks automatically, ensuring regulatory compliance for complete dataset replication.

S3 Replication Time Control (S3 RTC) guarantees predictable replication times for new objects only—it does not cover previously stored data. S3 Lifecycle rules (Option D) move or transition objects between storage classes or buckets, but not in a replication context.

Therefore, the correct solution is to use S3 Cross-Region Replication (CRR) combined with S3 Batch Replication to ensure all current and future data is synchronized across Regions with retry capability.

S3 Lifecycle policies are the correct managed mechanism for automatically expiring objects after a defined age. Because the company never accesses data older than 30 days, an expiration rule can delete objects after 30 days and reduce storage growth without custom code. This has the least operational overhead because S3 performs the expiration automatically. Option A introduces Lambda code, scheduling, permissions, retries, and edge-case handling, which is unnecessary. S3 Storage Lens can identify usage trends and aging objects, but it does not itself delete objects or enforce retention. Option C is vague and not an AWS-managed configuration as written. For CloudOps cost optimization, lifecycle expiration is the standard approach when objects have a predictable retention period and no long-term access requirement.

===============

Amazon Aurora backtracking allows a DB cluster to be rewound to a specific point in time without creating a new DB cluster. This feature is designed for fast recovery from logical errors, such as accidental data changes, within a configured backtrack window. Because backtracking operates directly on the existing cluster, it satisfies the requirement that the restore occur in the same production DB cluster.

Point-in-time recovery (Option D) restores data by creating a new DB cluster, which violates the requirement. Option A involves promoting a replica, which does not allow rolling back to an arbitrary historical point. Option B introduces unnecessary complexity and is not supported for restoring directly into the same cluster.

Backtracking provides near-instant rollback and minimal operational disruption, making it the correct solution.