SOA-C03 Amazon Web Services AWS Certified CloudOps Engineer - Associate Free Practice Exam Questions (2026 Updated)

EC2 Instance Connect Endpoint (EICE) enables secure SSH access to instances in private subnets without requiring public IP addresses, bastion hosts, or inbound internet access. By deploying the endpoint in the private subnet, administrators can connect securely using IAM-based authentication.

The instance security group must allow inbound SSH (port 22) from the EICE security group. Access control is handled via IAM, which eliminates the need to distribute or manage SSH keys.

Option B incorrectly attempts to use Systems Manager for SSH, which is unnecessary when EICE is available. Option C incorrectly places the endpoint in a public subnet, which does not align with the requirement to keep access private. Option D is incorrect because Systems Manager Session Manager does not require SSH and AmazonEC2ReadOnlyAccess does not allow instance access.

EICE provides the least overhead and most secure SSH access path for private EC2 instances.

The errors occur during Auto Scaling replacement and scale-in events, which strongly indicates that instances are being terminated or recycled while they are still serving traffic. When an Auto Scaling group uses only EC2 status checks, the health evaluation is limited to instance-level signals (such as system reachability and instance reachability). Those checks do not validate whether the application process is healthy, whether the web server is still responding correctly, or whether the instance is safely able to continue serving requests while shutdown activities are underway. As a result, traffic can continue to reach an instance that is about to be terminated, or a newly launched instance can be marked healthy at the EC2 layer before the application is actually ready, producing spikes in 5xx responses.

Using Elastic Load Balancing health checks integrates the Auto Scaling group with the load balancer’s application-aware health evaluation. The load balancer can perform health checks against a specific endpoint (for example, /health) over HTTP/HTTPS and determine whether the application is responding successfully. Auto Scaling can then replace instances based on real service health rather than only infrastructure health. This approach improves resiliency because unhealthy or draining instances are removed from load balancing before they cause user-facing errors, and newly launched instances are kept out of rotation until they pass the ELB health checks.

Increasing cooldown (A) only slows scaling actions and does not ensure safe traffic draining. Increasing minimum capacity (C) can reduce impact but does not address the root cause of instances receiving traffic during lifecycle changes. Increasing grace period (D) helps initial warm-up, but it does not reliably protect users during scale-in and termination without application-level health integration. Therefore, ELB health checks are the best solution.

=================

The key requirements are daily patching, zero downtime, and least operational overhead. The most operationally efficient way to achieve frequent patch compliance in an Auto Scaling environment is to adopt an immutable infrastructure approach: bake patches into a new AMI and then roll the fleet to that AMI in a controlled, health-checked manner. AWS Systems Manager Automation can orchestrate patching steps reliably and repeatedly, producing a patched AMI on a schedule without engineers manually logging into instances. After the AMI is created, updating the Auto Scaling group launch template ensures that all newly launched instances use the patched image.

Auto Scaling instance refresh then performs the rollout across the group with guardrails: it replaces instances gradually, can respect minimum healthy percentages, and works with load balancer health checks so traffic remains served while instances are rotated. This satisfies “no downtime” because capacity stays available and requests are routed only to healthy instances during the replacement process.

Option B introduces unnecessary complexity by combining CloudFormation provisioning with patching and then relying on AWS Config to replace instances. AWS Config is a compliance and configuration tracking service, not a primary fleet-replacement mechanism for daily patching. Option C increases operational overhead by requiring custom Lambda logic and manual initiation of the rolling update, which is explicitly more work and more error-prone than a managed instance refresh workflow. Option D again uses AWS Config to replace instances, which does not align well with least overhead or the standard operational model for controlled rolling updates in Auto Scaling groups.

Therefore, the lowest-overhead, highly reliable solution is to use Systems Manager Automation to create a patched AMI, update the launch template, and run an Auto Scaling instance refresh.

=================

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is that traffic from a VPC-connected Lambda to Amazon S3 must not use public IP addresses. The AWS-native way to keep traffic private is to use VPC endpoints, which provide private connectivity to supported AWS services without traversing the public internet. Among the options, creating an S3 VPC endpoint is the only approach that satisfies “no public IP addresses” while allowing access to the bucket. Option D is the best match because it explicitly configures an S3 endpoint and directs the Lambda function to use the endpoint-specific DNS name for private routing.

Option C (NAT gateway) is incorrect for this requirement because NAT provides outbound internet access from private subnets and typically uses public IP addressing at the NAT gateway. That violates the intent to avoid public IP paths for S3 traffic. Option A is not applicable because S3 buckets are not placed “inside” a VPC and do not participate in VPC sharing in a way that provides private network paths. Option B (transit gateway) connects VPCs and on-prem networks, but it does not create private service connectivity to S3 by itself; you would still need the correct service endpoint solution for S3 access.

Using a VPC endpoint also aligns with CloudOps best practices: it reduces exposure, simplifies network egress controls, and supports least-privilege access via endpoint policies (where applicable) alongside IAM policies.

The traffic pattern described is a linear deployment: shift a fixed percentage of traffic at fixed time intervals until the new version receives 100% of traffic. AWS CodeDeploy for Amazon ECS includes a predefined deployment configuration named CodeDeployDefault.ECSLinear10PercentEvery3Minutes, which shifts 10% of traffic every 3 minutes until all traffic is shifted. A canary deployment sends an initial small percentage to the new version and then shifts the remaining traffic after a bake period, not in equal repeated increments. A rolling deployment replaces tasks in batches but does not express ALB traffic shifting percentages in this way. Blue/green is the broader deployment model used by CodeDeploy, but the specific release strategy requested is linear. Therefore, option D is correct.

===============

AWS Systems Manager Run Command includes a built-in rate control feature that allows administrators to control the maximum number of concurrent executions across target instances. This directly addresses the requirement to limit downloads to 30 at a time without custom orchestration or additional services.

By targeting instances using tags, the solution automatically scales as new instances are added, which aligns with future growth expectations. Rate control ensures controlled concurrency and protects the private repository from overload.

Option A is manual and does not scale operationally. Option B introduces unnecessary complexity with Lambda and concurrency management that does not map cleanly to instance execution concurrency. Option D significantly increases architectural complexity without added value.

Run Command with rate control is the simplest, most native, and most scalable solution.

The AWS Cloud Operations and Governance documentation defines that enabling Organizational View in AWS Health allows the management account in AWS Organizations to view and aggregate health events from all member accounts.

This feature provides a single-pane-of-glass view of service health issues, account-specific events, and planned maintenance across the organization — without requiring additional automation or data pipelines.

Alternative options (B, C, and D) require custom integration and ongoing maintenance. CloudTrail does not natively forward AWS Health events, and custom Lambda or DynamoDB approaches increase complexity.

Therefore, Option A — enabling the Organizational View feature in AWS Health — is the most operationally efficient and AWS-recommended solution.

An Auto Scaling warm pool keeps pre-initialized instances in a stopped or running state, allowing them to be quickly attached to the Auto Scaling group when scaling events occur. This significantly reduces scale-out latency caused by long bootstrapping scripts.

Unlike increasing the minimum instance count, warm pools do not permanently overprovision resources. Predictive scaling improves timing but does not eliminate boot time delays.

Therefore, warm pools provide the fastest scale-out with minimal cost overhead.

Route 53 multivalue answer routing can return multiple IP addresses and can be combined with health checks so only healthy records are returned. AWS documentation states that when a health check is associated with a multivalue answer record, Route 53 responds with the corresponding IP address only when the health check is healthy. The current problem occurs because Route 53 is returning both IPs even when the webpage is down, which indicates that health checks are not being used correctly. Latency-based routing is used to route users to lower-latency endpoints across Regions, not to return multiple tested instance IPs in the same subnet. Weighted routing distributes traffic based on weights but does not solve this specific “return only healthy IPs” requirement unless paired with health checks. Another subnet is irrelevant.

===============

Layer 7 (application-layer) HTTP status codes such as 200, 404, and 500 are generated by web-facing services that process HTTP requests. In this architecture, both CloudFront and the Application Load Balancer (ALB) operate at Layer 7 and record HTTP response information in their access logs.

ALB access logs include detailed request and response data such as client IP address, request path, target response status code, and latency. These logs are essential for analyzing how backend EC2 instances respond to client requests.

CloudFront access logs record viewer requests and responses at the edge locations. These logs also include HTTP status codes returned to the client, making them critical for understanding end-user experience and edge-level behavior.

VPC Flow Logs capture network-level (Layer 3 and 4) traffic metadata such as source IP, destination IP, ports, and protocol. They do not contain HTTP status codes. AWS CloudTrail logs API calls to AWS services and does not capture application response codes. RDS logs contain database-related information, not HTTP responses.

Therefore, the correct sources for HTTP Layer 7 status codes are ALB access logs and CloudFront access logs.

CloudWatch Synthetics canaries require connectivity to both CloudWatch and Amazon S3 to function correctly. In a private VPC without internet access, AWS service access must be provided through VPC endpoints.

The canary needs to send metrics, logs, and execution data to CloudWatch, which requires an interface VPC endpoint for CloudWatch. It also needs to store artifacts such as screenshots and HAR files in Amazon S3, which requires a gateway VPC endpoint for S3. Without these endpoints, the canary cannot communicate with required AWS services and will fail to start.

DNS resolution and DNS hostnames must be enabled so the canary can resolve AWS service endpoints to the private IP addresses exposed by the VPC endpoints. This is a mandatory prerequisite for PrivateLink-based service access.

Option B and C incorrectly disable DNS functionality, which breaks service endpoint resolution. Option A includes invalid or irrelevant permissions and does not address private connectivity requirements.

Therefore, enabling DNS support and creating both the CloudWatch interface endpoint and the S3 gateway endpoint is the correct and complete solution.

User-defined tags must be explicitly activated as cost allocation tags in the AWS Billing and Cost Management console before they can be used in Cost Explorer. Simply applying tags to resources is not sufficient.

Once activated, cost allocation tags can take up to 24 hours to appear in Cost Explorer, but they will not appear at all if activation is not performed. The 30-day delay applies only to historical reporting after activation, not to visibility itself.

Cost and Usage Reports and Budgets are not prerequisites for Cost Explorer filtering.

Therefore, the issue occurs because the tags were not activated for cost allocation.

AWS X-Ray is the correct service for distributed tracing across microservices. It tracks individual requests as they travel through application components and provides a service map that visually shows dependencies, latency, errors, and bottlenecks. For Amazon ECS, the X-Ray daemon can run as a sidecar container, and the application can be instrumented with the X-Ray SDK. This requires less effort than building custom transaction tracing and gives the CloudOps engineer request-level visibility across services. CloudWatch agents and Container Insights provide metrics and logs, but they do not trace individual user transactions across multiple services. VPC Flow Logs capture network metadata, not application-level request traces or service dependency maps. Therefore, X-Ray with a sidecar daemon and SDK instrumentation is the correct CloudOps monitoring solution.

===============

AMI IDs are Region-specific. An AMI ID that exists in us-east-1 does not automatically exist in us-west-2, and even copied AMIs receive different AMI IDs in the destination Region. The correct CloudFormation pattern is to define Region-specific AMI IDs in the Mappings section and use Fn::FindInMap with AWS::Region to select the correct AMI for the deployment Region. Option A is wrong because you cannot assign the same AMI ID in another Region. Option B is invalid because AMI IDs are not globally qualified by adding a Region code. Option C can help users select an AMI manually, but it does not ensure the template automatically works in every Region. Therefore, mappings are the correct infrastructure-as-code solution.

===============

Per the AWS Cloud Operations, Networking, and Security documentation, the best practice for serving private S3 content securely to end users is to use Amazon CloudFront with Origin Access Control (OAC).

OAC enables CloudFront to access S3 buckets privately, even when Block Public Access settings are enabled at the account level. This allows content to be delivered globally and securely without making the S3 bucket public. The bucket policy explicitly allows access only from the CloudFront distribution, ensuring that users can retrieve PDF files only via CloudFront URLs.

This configuration offers:

Automatic scalability through CloudFront caching,

Improved security via private access control,

Minimal administration effort with fully managed services.

Other options require manual handling or make the bucket public, violating AWS security best practices.

Therefore, Option B—using CloudFront with Origin Access Control and a restrictive bucket policy—provides the most secure, efficient, and low-maintenance CloudOps solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

AWS Lambda automatically publishes operational metrics to Amazon CloudWatch, including Duration, which represents the time a function invocation takes to run. To alert when processing time exceeds 10 seconds, the most direct and operationally efficient solution is to create a CloudWatch alarm on the Lambda Duration metric and configure the alarm action to publish to an SNS topic. This meets the monitoring requirement without requiring log parsing or additional query mechanisms.

Option B fits best because it uses the built-in metric stream for Lambda observability: CloudWatch metrics are near real-time, require minimal configuration, and alarms are a standard CloudOps practice for proactive notification. The alarm can be configured with the appropriate statistic (for example, Maximum or p99 via metric math where applicable) and a threshold of 10,000 milliseconds, ensuring the operations team is notified before performance degrades further.

Option A is incorrect because PostRuntimeExtensionsDuration is not the primary runtime metric for function execution time, and extracting runtime from logs is unnecessary. Option C changes the function timeout to 10 seconds, which would cause failures rather than simply notifying on slow executions. Option D is more operationally complex because it relies on log queries; CloudWatch alarms are more straightforward when a native metric exists.

Per the AWS Cloud Operations, Monitoring, and Automation documentation, the correct workflow for automated operational remediation is:

Amazon CloudWatch Agent is installed on each EC2 instance (Option A) to collect local log data and push it to Amazon CloudWatch Logs.

A CloudWatch Metric Filter (Option C) is then defined to identify specific error strings or patterns within those logs (e.g., “HTTP 5xx” or “Service Unavailable”). When such an event occurs, CloudWatch Alarms are triggered.

Upon alarm activation, Amazon EventBridge rules (Option E) are configured to respond automatically by invoking an AWS Systems Manager Automation runbook, which executes an action to restart the web server process on the affected instance via SSM Agent.

This approach aligns directly with AWS’s recommended CloudOps remediation pattern, known as event-driven automation, which ensures minimal downtime and eliminates manual intervention.

Options involving CloudTrail (B) or SES notifications (D) are incorrect because they are unrelated to log-based application monitoring and automated remediation workflows.

Systems Manager Inventory is configured through State Manager associations that run inventory collection documents such as AWS-GatherSoftwareInventory. AWS documentation states that configuring inventory collection starts by creating a Systems Manager State Manager association, and Systems Manager collects inventory data when the association runs. Inventory data can be synchronized to an Amazon S3 bucket for auditing and reporting. This directly meets the requirement to collect software inventory every day and store the results in S3. Distributor packages and distributes software; it is not the primary inventory collection mechanism. Patch Manager manages patching, not daily software inventory exports. Session Manager and Fleet Manager are useful for access and fleet visibility but do not provide the scheduled inventory-to-S3 workflow. Therefore, a scheduled Systems Manager association is correct.

===============

The most secure way for an EC2 instance to access AWS services is by using an IAM role attached to the instance. IAM roles eliminate the need for long-term credentials, which reduces the risk of credential leakage and simplifies credential rotation.

Following the principle of least privilege, the IAM policy attached to the role should grant only the permissions required: sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage. Granting broader permissions such as sqs:* violates least privilege and increases security risk.

Options A and B rely on IAM users and static credentials, which are not recommended for applications running on EC2. Option C grants excessive permissions.

Therefore, attaching an EC2 IAM role with only the required SQS permissions is the most secure solution.