SOA-C03 Amazon Web Services AWS Certified CloudOps Engineer - Associate Free Practice Exam Questions (2026 Updated)

The Instance Scheduler on AWS is an AWS-provided solution designed specifically to start and stop AWS resources such as Amazon RDS instances on a defined schedule. This directly aligns with the requirement to automatically manage RDS instances during predictable idle periods, such as weekends, to reduce costs.

RDS instances incur compute charges while running, even if idle. Stopping them during weekends eliminates those charges while retaining storage and backups. Instance Scheduler supports tag-based scheduling, centralized management, and automated start/stop workflows without custom scripting.

Option A introduces custom automation and ongoing maintenance overhead. Option C (Reserved Instances) is unsuitable because the databases are idle for long, predictable periods and Reserved Instances charge regardless of usage. Option D is incorrect because RDS does not support auto scaling of DB instance classes based on utilization.

Instance Scheduler is the most cost-effective and operationally efficient solution for this use case.

The AWS Cloud Operations and Compute documentation explains that placement groups control how EC2 instances are physically arranged within AWS data centers to optimize network performance.

Among the available placement strategies:

Cluster placement groups place instances physically close together within a single Availability Zone, connected through high-bandwidth, low-latency networking (ideal for tightly coupled, HPC, or distributed workloads).

Spread placement groups distribute instances across distinct racks or Availability Zones for fault tolerance, increasing latency.

Partition placement groups separate instances into partitions for isolation, not latency reduction.

Therefore, to minimize latency for workloads such as computational clusters, the CloudOps engineer should use a cluster placement group. This placement ensures single-digit microsecond latency and enhanced packet rate performance between instances.

Elastic IPs (Option B) do not influence internal networking. Jumbo frames (Option C) can marginally improve throughput but do not reduce propagation latency. Spread placement (Option D) increases distance, worsening latency.

Hence, Option A — using a cluster placement group — delivers the lowest possible network latency and is AWS’s best-practice design for HPC-style clusters.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient solution is C because AWS Systems Manager Session Manager is purpose-built for secure, auditable interactive access to EC2 instances at scale—without managing bastion hosts or distributing SSH keys. Session Manager can be configured to log session activity, including commands and output, to durable destinations such as Amazon CloudWatch Logs (and optionally Amazon S3). This directly satisfies the requirement to record interactive sessions and store logs durably.

For automated notifications and alarms, CloudWatch Logs supports metric filters that transform matching log patterns into CloudWatch metrics. Those metrics can then drive CloudWatch alarms and notifications (for example, via Amazon SNS). This is a standard CloudOps pattern: centralize logs, derive metrics from security-relevant patterns, and alert automatically.

Option A and D require installing and operating agents and building a more complex analytics path (Athena queries for alerting), which is less efficient and introduces more moving parts across thousands of instances. Option B adds a bastion host dependency that becomes an operational burden (scaling, patching, hardening, HA) and a potential choke point. Session Manager reduces these burdens by using SSM Agent already installed, IAM-based access control, and centralized logging/monitoring integrations.

The reporting workload is read-heavy, and the database shows high Read IOPS even outside the report window, suggesting sustained read pressure from other workloads or inefficient read patterns. The requirement is to improve both performance and availability of the RDS for MySQL instance. An RDS read replica is designed specifically to offload read traffic from the primary database instance and to provide additional capacity for read-heavy use cases such as reporting, analytics queries, and dashboards.

By deploying one or more read replicas, the company can direct the reporting job to a replica (Option B). This reduces contention on the primary instance, lowers read I/O demand on the writer, and can improve overall query latency and throughput. In addition, read replicas can contribute to availability objectives: if the primary instance has issues, replicas can be promoted (manually or as part of certain DR patterns) to become a new standalone database, reducing recovery time for read availability and providing a practical resilience option.

Option A (ElastiCache) can help for highly cacheable and repetitive queries, but it requires application/query redesign and cache invalidation strategy, and it does not inherently improve database availability. Option C is not valid because CloudFront is a CDN for HTTP content and is not an appropriate layer for database queries. Option D (vertical scaling) can improve performance, but it does not offload reads and often involves higher cost; it also does not provide the same availability and read scaling benefits as replicas.

Therefore, adding an RDS read replica and pointing the reporting workload to the reader endpoint best meets the performance and availability requirements.

An alias record is the recommended Route 53 record type to map domain names (e.g., example.com) to AWS-managed resources such as an Application Load Balancer. Alias records are extension types of A or AAAA records that support AWS resources directly, providing automatic DNS integration and no additional query costs.

AWS documentation states:

“Use alias records to map your domain or subdomain to an AWS resource such as an Application Load Balancer, CloudFront distribution, or S3 website endpoint.”

A and AAAA records are used for static IP addresses, not load balancers. CNAME records cannot be used at the root domain (e.g., example.com). Thus, Option C is correct as it meets CloudOps networking best practices for scalable, managed DNS resolution to ALBs.

Per the AWS Cloud Operations and Event Management documentation, Amazon EventBridge provides native scheduling capabilities that can trigger events at defined intervals—such as weekly, daily, or cron-based schedules.

Creating an EventBridge rule that runs every Saturday and publishes a message to an SNS topic fully automates the notification process without maintaining servers or manual jobs. This approach is serverless, highly reliable, and fully managed by AWS.

By contrast:

EC2 cron jobs (Option A) require instance management, patching, and cost overhead.

SNS subscriptions (Option C) handle message delivery, not scheduling.

Step Functions (Option D) are designed for complex workflows, not simple scheduled triggers.

Thus, Option B provides the most operationally efficient CloudOps solution by integrating EventBridge scheduled events with SNS topics for automated, recurring notifications.

AWS Systems Manager Run Command includes a built-in rate control feature that allows administrators to control the maximum number of concurrent executions across target instances. This directly addresses the requirement to limit downloads to 30 at a time without custom orchestration or additional services.

By targeting instances using tags, the solution automatically scales as new instances are added, which aligns with future growth expectations. Rate control ensures controlled concurrency and protects the private repository from overload.

Option A is manual and does not scale operationally. Option B introduces unnecessary complexity with Lambda and concurrency management that does not map cleanly to instance execution concurrency. Option D significantly increases architectural complexity without added value.

Run Command with rate control is the simplest, most native, and most scalable solution.

AWS Systems Manager Session Manager allows secure, auditable instance access without SSH keys or inbound ports. To control access based on instance tags, CloudOps best practices require two configurations:

Attach an IAM policy to users or groups granting ssm:StartSession, ssm:DescribeInstanceInformation, and ssm:DescribeSessions.

Include a Condition element in the IAM policy referencing instance tags, such as Condition: {"StringEquals": {"ssm:resourceTag/Environment": "Production"}}.

This ensures users can start sessions only with instances that have matching tags, providing fine-grained access control.

AWS CloudOps documentation under Security and Compliance states:

“Use IAM policies with resource tags in the Condition element to restrict which managed instances users can access using Session Manager.”

Options B and D incorrectly suggest attaching roles or service accounts that are not relevant to user-level access control. Option C (placement groups) pertains to networking and performance, not access management. Therefore, A and E together provide tag-based, least-privilege access as required.

By default, when AWS CloudFormation encounters a failure during stack creation, it automatically rolls back and deletes any resources that were successfully created. This behavior makes troubleshooting difficult because the failed and partially created resources are no longer available for inspection.

CloudFormation provides the OnFailure parameter to control this behavior. Setting the parameter to DO_NOTHING instructs CloudFormation to stop stack creation when a failure occurs and retain all successfully created resources. This allows the CloudOps engineer to inspect the environment, review logs, and identify the root cause without redeploying resources.

The DisableRollback parameter controls rollback behavior but does not provide the same explicit behavior control during failure scenarios. Rollback triggers are used for monitoring-based rollback, not for preserving resources on failure. Setting OnFailure to ROLLBACK explicitly enforces deletion, which is the opposite of the requirement.

Therefore, setting the OnFailure parameter to DO_NOTHING is the correct solution.

Amazon EBS snapshots are stored in Amazon S3, and standard restores can experience higher latency until data blocks are fully retrieved. Fast Snapshot Restore (FSR) eliminates this latency by ensuring that all blocks are immediately available at full performance.

Because the production environment uses a General Purpose SSD (gp3) volume, creating the test database on the same volume type ensures performance characteristics are as similar as possible. Using FSR significantly reduces restore time and allows load testing to begin immediately.

Provisioned IOPS volumes would introduce different performance characteristics and unnecessary cost. Standard snapshot restore would delay testing due to gradual block hydration.

Therefore, using FSR with the same EBS volume type is the fastest and most accurate solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is classic active-passive (production in us-east-1, DR in us-west-2 “only for failover”). The most operationally efficient and purpose-built solution is Route 53 failover routing combined with health checks. With failover routing, Route 53 designates one record as PRIMARY (us-east-1) and another as SECONDARY (us-west-2). Route 53 continuously evaluates the health check associated with the primary endpoint (commonly the ALB DNS name or a specific health-check path). If the primary fails, Route 53 automatically returns the secondary record, directing client DNS resolution to the DR region. This ensures us-west-2 is used only when us-east-1 is unhealthy, directly matching the requirement.

Latency routing (Option B) is designed to route users to the region with the lowest latency, which can actively send traffic to us-west-2 even when us-east-1 is healthy—violating the “DR only” constraint. Options C and D introduce custom automation (CloudWatch + Lambda + DNS record updates) that increases operational overhead, adds failure modes, and is unnecessary because Route 53 already provides managed health-check-based failover. Additionally, “EC2 instance terminated” is not a reliable proxy for full application availability, and DNS modification automation is more complex than using native Route 53 failover policies.

For encrypted RDS snapshots, cross-account sharing requires both sharing the snapshot and granting access to the KMS key used to encrypt it. By updating the KMS key policy to allow the migration account access, the encrypted snapshot can be restored in the migration account.

Option A uses native RDS snapshot sharing and minimal configuration changes, making it the least administrative overhead approach.

Options B, C, and D introduce unnecessary complexity, higher operational cost, or unsupported workflows.

An Auto Scaling warm pool keeps pre-initialized instances in a stopped or running state, allowing them to be quickly attached to the Auto Scaling group when scaling events occur. This significantly reduces scale-out latency caused by long bootstrapping scripts.

Unlike increasing the minimum instance count, warm pools do not permanently overprovision resources. Predictive scaling improves timing but does not eliminate boot time delays.

Therefore, warm pools provide the fastest scale-out with minimal cost overhead.

In this scenario, the EC2 instances pass their EC2 status checks, indicating that the operating system is responsive. However, the application hosted on the instance is failing intermittently, returning HTTP 500 errors. This demonstrates a discrepancy between the instance-level health and the application-level health.

According to AWS CloudOps best practices under Monitoring, Logging, Analysis, Remediation and Performance Optimization (SOA-C03 Domain 1), Auto Scaling groups should incorporate Elastic Load Balancing (ELB) health checks instead of relying solely on EC2 status checks. The ELB health check probes the application endpoint (for example, HTTP or HTTPS target group health checks), ensuring that the application itself is functioning correctly.

When an instance fails an ELB health check, Amazon EC2 Auto Scaling will automatically mark the instance as unhealthy and replace it with a new one, ensuring continuous availability and performance optimization.

Extract from AWS CloudOps (SOA-C03) Study Guide – Domain 1:

“Implement monitoring and health checks using ALB and EC2 Auto Scaling integration. Application Load Balancer health checks allow Auto Scaling to terminate and replace instances that fail application-level health checks, ensuring consistent application performance.”

Extract from AWS Auto Scaling Documentation:

“When you enable the ELB health check type for your Auto Scaling group, Amazon EC2 Auto Scaling considers both EC2 status checks and Elastic Load Balancing health checks to determine instance health. If an instance fails the ELB health check, it is automatically replaced.”

Therefore, the correct answer is B, as it ensures proper application-level monitoring and remediation using ALB-integrated ELB health checks—a core CloudOps operational practice for proactive incident response and availability assurance.

References (AWS CloudOps Verified Source Extracts):

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide: Domain 1 – Monitoring, Logging, and Remediation.

AWS Auto Scaling User Guide: Health checks for Auto Scaling instances (Elastic Load Balancing integration).

AWS Well-Architected Framework – Operational Excellence and Reliability Pillars.

AWS Elastic Load Balancing Developer Guide – Target group health checks and monitoring.

Amazon Aurora backtracking allows a DB cluster to be rewound to a specific point in time without creating a new DB cluster. This feature is designed for fast recovery from logical errors, such as accidental data changes, within a configured backtrack window. Because backtracking operates directly on the existing cluster, it satisfies the requirement that the restore occur in the same production DB cluster.

Point-in-time recovery (Option D) restores data by creating a new DB cluster, which violates the requirement. Option A involves promoting a replica, which does not allow rolling back to an arbitrary historical point. Option B introduces unnecessary complexity and is not supported for restoring directly into the same cluster.

Backtracking provides near-instant rollback and minimal operational disruption, making it the correct solution.

CloudFront caches content at edge locations to reduce origin requests and improve performance. When a static website is updated by overwriting existing object keys (for example, updating index.html in the same S3 path), CloudFront may continue to serve the cached versions of those objects until the cache’s time-to-live (TTL) expires. This behavior commonly produces a delay where some viewers still receive the old site version, sometimes for many hours, depending on the configured TTLs and any cache headers that CloudFront is honoring.

A CloudFront invalidation (Option D) is designed to address exactly this situation: it removes cached objects from CloudFront edge caches so that the next request for those objects forces CloudFront to retrieve the latest versions from the S3 origin and cache them again. By invalidating key objects such as /index.html (and potentially additional paths if needed), the company can ensure users see the newest deployment quickly without waiting for TTL expiration.

Option A is not the best answer because “adding a Cache-Control header to requests” does not immediately clear content already cached at edge locations; it primarily influences caching behavior for future fetches and can still leave existing cached objects in place until they expire. Option B only enforces HTTPS and does not affect cache freshness or object replacement visibility. Option C (CachingOptimized) is intended to improve caching efficiency and performance for typical workloads; it does not provide immediate propagation of updated objects and can result in CloudFront serving cached responses until TTLs expire.

Therefore, the most direct solution to display the updated website as quickly as possible is to create a CloudFront invalidation.

According to AWS Cloud Operations and Governance documentation, AWS Trusted Advisor provides automated checks for security group rules across all accounts, including identifying ports open to 0.0.0.0/0.

When viewed in organizational mode, Trusted Advisor integrates with AWS Organizations, allowing administrators to access organization-wide security findings from a central management account. This approach requires no custom code, additional infrastructure, or manual inspection, providing immediate visibility and the lowest operational overhead.

AWS CLI scripts (Option A) or Lambda automation (Option C) introduce additional maintenance, and Amazon Inspector (Option D) is focused on instance-level vulnerabilities, not network access rules.

Therefore, Option B is the AWS-recommended CloudOps best practice for centralized and low-effort open-port auditing.

The AWS Cloud Operations and Content Delivery documentation explains that Amazon CloudFront caches objects in edge locations for a defined time based on TTL settings or origin headers. When new content is deployed to the S3 origin, previously cached versions remain in edge caches until they expire.

To immediately serve the new version, CloudOps engineers must initiate a CloudFront invalidation, which removes cached objects from all edge locations. This forces CloudFront to fetch the latest version from the origin (S3).

Invalidations can target individual objects (e.g., /index.html) or wildcard paths (e.g., /*) and are the AWS-recommended approach for dynamic content refresh after static site updates.

Changing headers (Option A), enforcing HTTPS (Option B), or applying caching policies (Option C) do not directly refresh outdated cache content.

Thus, Option D — issuing a CloudFront invalidation — ensures users receive the latest website content immediately after deployment.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is to alert before throttling occurs. For a DynamoDB table in provisioned capacity mode, throttling happens when demand approaches or exceeds provisioned throughput. CloudWatch provides direct table metrics such as ConsumedReadCapacityUnits and ProvisionedReadCapacityUnits (and related utilization signals). Creating an alarm on ConsumedReadCapacityUnits with a threshold set close to the table’s provisioned read capacity provides an early warning that the table is nearing its limit—before actual throttling prevents reads. The alarm can publish directly to the existing SNS topic so the operations team is notified proactively.

Option C and D focus on detecting throttling after it occurs by matching throttling exceptions in logs. That is reactive and violates “before throttled.” Option B (auto scaling) may reduce the likelihood of throttling, but it does not directly satisfy the alerting requirement and “scaling events” notifications are not a reliable proxy for “approaching throttle” (and may not fire early enough depending on scaling configuration). The simplest, most direct CloudOps approach is a CloudWatch alarm on consumption nearing provisioned capacity.