SOA-C03 AWS Certified CloudOps Engineer - Associate Question and Answers

CloudWatch Logs data protection provides native redaction/masking of sensitive data at ingestion and query. AWS documentation states it can “detect and protect sensitive data in logs” using data identifiers, and that authorized users can “use the unmask action to view the original data.” Creating a data protection policy on the log group masks PII by default for all viewers, satisfying the requirement to redact personal information. Granting only the security team permission to invoke the unmask API operation ensures that unredacted content is restricted. Option B (KMS) encrypts at rest but does not redact fields; encryption alone does not prevent plaintext visibility to authorized readers. Options A and D add complexity and latency, move data out of CloudWatch, and do not provide default inline redaction/unmask controls in CloudWatch itself. Therefore, the CloudOps-aligned, managed solution is to use CloudWatch Logs data protection with appropriate data identifiers and unmask permissions limited to the security team.

According to the AWS Cloud Operations and Cost Management documentation, AWS Budgets is the recommended service to track and alert on cost thresholds across all AWS accounts and resources. It allows users to define cost, usage, or reservation budgets, and configure notifications to trigger when usage or cost reaches defined percentages of the budgeted value (e.g., 75%, 90%, 100%).

The AWS Budgets system integrates natively with Amazon Simple Notification Service (SNS) to deliver alerts to an email distribution list or SNS topic subscribers. AWS Budgets supports granular cost filters, including specific service categories such as data transfer, regions, or linked accounts, ensuring precise visibility into inter-Region transfer costs.

By contrast, CloudWatch billing alarms (Option B) monitor total account charges only and do not allow detailed service-level filtering, such as data transfer between Regions. Cost and Usage Reports (Option A) are for detailed cost analysis, not real-time alerting, and VPC Flow Logs (Option D) capture traffic data, not billing or cost-based metrics.

Thus, using AWS Budgets with a 75% alert threshold best satisfies the operational and notification requirements.

The AWS Cloud Operations and Governance documentation specifies that AWS Config can be paired with AWS Systems Manager Automation runbooks for automatic remediation of noncompliant resources.

For SSH restrictions, the restricted-ssh managed rule detects any security group allowing inbound traffic on port 22. To automatically remediate these findings, AWS provides the AWS-DisableIncomingSSHOnPort22 runbook. This runbook programmatically removes inbound rules that allow port 22 traffic from affected security groups.

This approach achieves continuous compliance with minimal human intervention. By contrast, sending notifications (Option A) does not enforce remediation, API-based scripts (Option C) add operational overhead, and manual remediation (Option D) violates automation best practices.

Therefore, the most efficient CloudOps solution is Option B, using AWS Config with the AWS-DisableIncomingSSHOnPort22 automation runbook for automatic, scalable enforcement.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

Amazon Machine Images (AMIs) are Region-specific resources. AWS CloudOps documentation explicitly states that an AMI created in one Region cannot be used to launch instances in another Region unless it is copied to the target Region. Therefore, the SysOps administrator must copy the AMI to both us-east-1 and us-east-2.

The AMI copy process creates a new AMI in each destination Region and automatically copies the underlying snapshots. Once the AMIs exist in the target Regions, they can be referenced in launch templates, Auto Scaling groups, or AWS CloudFormation templates for consistent multi-Region deployments.

Option B is incorrect because making an AMI public does not replicate it across Regions. Option C is incorrect because sharing an AMI only grants account-level access within the same Region. Option D is incorrect because AMIs cannot be launched from Amazon S3 directly.

This approach aligns with AWS CloudOps automation practices for multi-Region application deployment and disaster recovery readiness.

In this scenario, the EC2 instances pass their EC2 status checks, indicating that the operating system is responsive. However, the application hosted on the instance is failing intermittently, returning HTTP 500 errors. This demonstrates a discrepancy between the instance-level health and the application-level health.

According to AWS CloudOps best practices under Monitoring, Logging, Analysis, Remediation and Performance Optimization (SOA-C03 Domain 1), Auto Scaling groups should incorporate Elastic Load Balancing (ELB) health checks instead of relying solely on EC2 status checks. The ELB health check probes the application endpoint (for example, HTTP or HTTPS target group health checks), ensuring that the application itself is functioning correctly.

When an instance fails an ELB health check, Amazon EC2 Auto Scaling will automatically mark the instance as unhealthy and replace it with a new one, ensuring continuous availability and performance optimization.

Extract from AWS CloudOps (SOA-C03) Study Guide – Domain 1:

“Implement monitoring and health checks using ALB and EC2 Auto Scaling integration. Application Load Balancer health checks allow Auto Scaling to terminate and replace instances that fail application-level health checks, ensuring consistent application performance.”

Extract from AWS Auto Scaling Documentation:

“When you enable the ELB health check type for your Auto Scaling group, Amazon EC2 Auto Scaling considers both EC2 status checks and Elastic Load Balancing health checks to determine instance health. If an instance fails the ELB health check, it is automatically replaced.”

Therefore, the correct answer is B, as it ensures proper application-level monitoring and remediation using ALB-integrated ELB health checks—a core CloudOps operational practice for proactive incident response and availability assurance.

References (AWS CloudOps Verified Source Extracts):

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide: Domain 1 – Monitoring, Logging, and Remediation.

AWS Auto Scaling User Guide: Health checks for Auto Scaling instances (Elastic Load Balancing integration).

AWS Well-Architected Framework – Operational Excellence and Reliability Pillars.

AWS Elastic Load Balancing Developer Guide – Target group health checks and monitoring.

According to AWS Cloud Operations and Networking documentation, Route 53 Resolver inbound endpoints allow DNS queries to originate from on-premises DNS servers and resolve private hosted zone records in AWS. The inbound endpoint provides DNS resolver IP addresses within the VPC, which the on-premises DNS servers can forward queries to over AWS Direct Connect or VPN connections.

The inbound endpoint must be associated with a security group that permits inbound traffic on TCP and UDP port 53 from the on-premises DNS server IP addresses. This ensures that DNS requests from the on-premises environment reach the VPC Resolver for resolution of private domains like example.com.

By contrast, outbound endpoints are used for the opposite direction—resolving external (on-premises or internet) DNS names from within AWS VPCs. Therefore, only an inbound endpoint correctly satisfies the direction of resolution in this scenario.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

With the Managed-CachingDisabled policy, CloudFront is configured to minimize edge caching, so the remaining caching behavior users experience often comes from browser (client-side) caching. If users refresh and still see old content, it typically indicates the browser is allowed to reuse a cached copy without revalidating. The correct fix is to control client caching using HTTP response headers on the S3 object.

Adding a Cache-Control: max-age=0 header instructs browsers that the object becomes stale immediately and should be revalidated on subsequent requests (often resulting in conditional requests using If-Modified-Since or ETag behavior). This preserves correctness—users will fetch or revalidate the latest file—without requiring heavier operational actions like frequent CloudFront invalidations or changing to an optimized caching policy that may increase edge caching.

Option B can worsen the issue by increasing caching if object headers permit it. Option C is unrelated; versioning affects object history and recovery, not browser cache behavior. Option D affects payload size transfer (gzip/brotli), not cache freshness.

According to the AWS Cloud Operations and ElastiCache documentation, cache evictions occur when the cache runs out of memory and must remove items to make space for new data.

To reduce evictions and retain frequently accessed items, AWS recommends increasing the total available memory — either by scaling up to larger node types or scaling out by adding shards/nodes. Migrating to a cluster with larger nodes is the simplest and most efficient solution because it immediately expands capacity without architectural changes.

Adjusting TTL (Options B and C) controls expiration timing, not memory allocation. Adding a single node (Option A) may help, but redistributing data requires resharding, introducing more complexity.

Thus, Option D provides the lowest operational overhead and ensures high cache hit rates by increasing total cache memory.

To analyze and visualize custom statistics such as the p90 latency (90th percentile), a CloudWatch metric must be generated from the log data. The correct method is to create a metric filter that extracts the latency value from each log event and publishes it as a CloudWatch metric. Once the metric is published, percentile statistics (p90, p95, etc.) can be displayed in CloudWatch dashboards or alarms.

AWS documentation states:

“You can use metric filters to extract numerical fields from log events and publish them as metrics in CloudWatch. CloudWatch supports percentile statistics such as p90 and p95 for these metrics.”

Contributor Insights (Option A) is for analyzing frequent contributors, not numeric distributions. Subscription filters (Option C) are used for log streaming, and Application Insights (Option D) provides monitoring of application health but not custom p90 statistics. Hence, Option B is the CloudOps-aligned, minimal-overhead solution for percentile latency monitoring.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is preventative: stop users from launching from unapproved AMIs. The most scalable approach with 75 approved AMIs is to tag all approved AMIs (for example, ApprovedAMI=true) and enforce usage through an IAM policy condition that only allows ec2:RunInstances when the ec2:ImageId resource (the AMI) includes the required tag. This avoids maintaining long allow/deny lists of AMI IDs and supports continuous updates: as new approved AMIs are created, tagging them automatically brings them under the policy without policy rewrites.

Option B is incorrect because service-linked roles are used by AWS services, not assigned to users for interactive authorization enforcement in this way. Option C and D are detective/remedial controls that act after instances are already launched, which does not satisfy “must prevent.” They also increase operational overhead and risk disruptions.

Per the AWS Cloud Operations, Networking, and Security documentation, the best practice for serving private S3 content securely to end users is to use Amazon CloudFront with Origin Access Control (OAC).

OAC enables CloudFront to access S3 buckets privately, even when Block Public Access settings are enabled at the account level. This allows content to be delivered globally and securely without making the S3 bucket public. The bucket policy explicitly allows access only from the CloudFront distribution, ensuring that users can retrieve PDF files only via CloudFront URLs.

This configuration offers:

Automatic scalability through CloudFront caching,

Improved security via private access control,

Minimal administration effort with fully managed services.

Other options require manual handling or make the bucket public, violating AWS security best practices.

Therefore, Option B—using CloudFront with Origin Access Control and a restrictive bucket policy—provides the most secure, efficient, and low-maintenance CloudOps solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct solution is B. Configure RDS Proxy, because RDS Proxy is specifically designed to manage and pool database connections for Amazon Aurora and Amazon RDS. AWS CloudOps documentation states that RDS Proxy reduces database load and prevents connection exhaustion by reusing existing connections and managing spikes in application demand.

In this scenario, the ecommerce application maintains many idle connections, which consume database connection slots even when not actively used. During peak traffic, new connections cannot be established, resulting in the “Too many connections” error. RDS Proxy sits between the application and the Aurora DB cluster, maintaining a smaller, efficient pool of database connections and multiplexing application requests over those connections.

Option A is incorrect because RCUs and WCUs apply to DynamoDB, not Aurora. Option C is incorrect because enhanced networking improves network throughput and latency but does not manage database connections. Option D is incorrect because changing instance types does not address idle connection buildup and can still result in connection exhaustion.

AWS CloudOps best practices recommend RDS Proxy for applications with connection-heavy workloads, unpredictable traffic patterns, or serverless components.

Tagging is essential for governance, cost management, and automation in CloudOps operations. The AWS Organizations tag policies feature allows centralized definition and enforcement of required tag keys and accepted values across all accounts in an organization. According to the AWS CloudOps study guide under Deployment, Provisioning, and Automation, tag policies enable automatic validation of tags, ensuring consistency with minimal manual overhead.

Once tagging consistency is enforced, enabling cost allocation tags in the AWS Billing and Cost Management console allows accurate cost distribution per business unit. AWS documentation states:

“Use AWS Organizations tag policies to standardize tags across accounts. You can activate cost allocation tags in the Billing console to track and allocate costs.”

Option B introduces unnecessary complexity with Lambda automation. Option C detects but does not enforce tagging. Option D limits flexibility to Service Catalog resources only. Therefore, Option A provides a centrally managed, automated, and low-overhead solution that meets CloudOps tagging and cost-tracking requirements.

As described in the AWS Cloud Operations and EC2 Management documentation, changing an instance type (e.g., from T3 to C5) requires that the instance be stopped first. Once stopped, the engineer can modify the instance type through the AWS Management Console, CLI, or API, then start the instance again to apply changes.

This process preserves the root volume, networking configuration, and data, making it an operationally safe and efficient way to upgrade to a different instance family.

Changing the instance type while running (Option D) is unsupported. VM Import/Export (Option A) is for external VM migration. Hibernation (Option B) does not apply to type changes.

Thus, Option C is correct — stopping the instance, changing its type, and restarting it meets AWS best practices.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

VPC Flow Logs show the request arriving and being ACCEPTed on dstport 8080 and the corresponding response being REJECTed on the return path to the client’s ephemeral port (59003). AWS networking guidance states that security groups are stateful (return traffic is automatically allowed) while network ACLs are stateless and require explicit inbound and outbound rules for both directions. CloudOps operational guidance for VPC networking further notes that when you allow an inbound request (for example, TCP 8080) through a subnet’s network ACL, you must also allow the outbound ephemeral port range (typically 1024–65535) for the response traffic; otherwise, the return packets are dropped and appear as REJECT in flow logs. The observed pattern—request accepted to 8080, response rejected to 59003—matches a missing outbound ephemeral-range allow on the subnet’s NACL. Therefore, the cause is the subnet NACL, not security groups or on-premises ACLs. The remediation is to add an outbound ALLOW rule on the NACL for the appropriate ephemeral TCP port range back to the on-premises CIDR (and the corresponding inbound rule if asymmetric).

The AWS Cloud Operations and Infrastructure-as-Code documentation specifies that when using AWS CloudFormation, resources are created in parallel by default unless explicitly ordered using DependsOn.

If a custom resource (Lambda) depends on another resource (like an EC2 instance) to exist before execution, a DependsOn attribute must be added to enforce creation order. This ensures the EC2 instance is launched and available before the custom resource executes its automation logic.

Updating the service token (Option B) doesn’t affect order of execution. The cfn-response module (Option C) handles callback communication but not sequencing. Fn::If (Option D) is for conditional creation, not dependency control.

Therefore, Option A is correct — adding a DependsOn attribute guarantees that CloudFormation provisions the EC2 instance before executing the Lambda custom resource.

The Storage Gateway service enables hybrid cloud backup by presenting local block storage that synchronizes with AWS cloud storage. For scenarios where all data must remain available locally while still backed up to AWS, the correct mode is gateway-stored volumes.

AWS documentation defines:

“Use stored volumes if you want to keep all your data locally while asynchronously backing up point-in-time snapshots to Amazon S3 for durable storage.”

These volumes expose an iSCSI interface compatible with POSIX file systems, allowing direct use by on-premises backup software.

Gateway-cached volumes (Option C) store primary data in AWS with limited local cache, violating the “all data must be available locally” requirement. Options A and B are object-based storage solutions, not compatible with POSIX or block-based backup applications.

Therefore, Option D fully satisfies CloudOps reliability and continuity best practices by ensuring local availability, cloud durability, and POSIX compatibility for backups.

According to the AWS Cloud Operations, Governance, and Compliance documentation, AWS Config provides managed rules that automatically evaluate resource configurations for compliance. The “required-tags” managed rule allows CloudOps teams to specify mandatory tags (e.g., Environment, Owner, CostCenter) and automatically detect non-compliant resources such as DynamoDB tables.

Furthermore, AWS Config supports automatic remediation through AWS Systems Manager Automation runbooks, enabling correction actions (for example, adding missing tags) without manual intervention. This automation minimizes operational overhead and ensures continuous compliance across multiple accounts.

Using a custom Lambda function (Options A or B) introduces unnecessary management complexity, while EventBridge rules alone (Option D) do not provide resource compliance tracking or historical visibility.

Therefore, Option C provides the most efficient, fully managed, and compliant CloudOps solution.

Per the AWS Cloud Operations and Event Management documentation, Amazon EventBridge provides native scheduling capabilities that can trigger events at defined intervals—such as weekly, daily, or cron-based schedules.

Creating an EventBridge rule that runs every Saturday and publishes a message to an SNS topic fully automates the notification process without maintaining servers or manual jobs. This approach is serverless, highly reliable, and fully managed by AWS.

By contrast:

EC2 cron jobs (Option A) require instance management, patching, and cost overhead.

SNS subscriptions (Option C) handle message delivery, not scheduling.

Step Functions (Option D) are designed for complex workflows, not simple scheduled triggers.

Thus, Option B provides the most operationally efficient CloudOps solution by integrating EventBridge scheduled events with SNS topics for automated, recurring notifications.

Per the AWS Cloud Operations and Security Automation documentation, Security Hub integrates with Amazon EventBridge to publish findings in real time. These events can trigger automated responses using AWS Lambda functions or AWS Systems Manager Automation runbooks.

In this scenario, the correct CloudOps approach is to configure the existing EventBridge rule to invoke a Lambda function that inspects the event payload, identifies the affected security group, and removes the offending inbound rule (e.g., port 21 open to 0.0.0.0/0).

This event-driven remediation provides continuous compliance and eliminates manual intervention. Cron jobs (Options B and C) contradict event-driven design and add operational overhead. Stopping instances (Option A) doesn’t address the root cause — the insecure security group.

Thus, Option D aligns with AWS best practices for automated security remediation through EventBridge and Lambda.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is to fix performance degradation from predictable peak CPU load without service disruptions. The most reliable and operationally standard approach is horizontal scaling with an Auto Scaling group driven by CloudWatch metrics/alarms (or target tracking). Launching additional instances and distributing traffic (typically behind a load balancer) increases capacity while keeping existing instances serving requests—no reboot or stop/start required.

Option D meets the requirement because Auto Scaling can add capacity when CPU exceeds a threshold and remove capacity when demand falls. This improves performance during peak periods and maintains availability. It is also operationally efficient: scaling actions are automated, consistent, and can be tuned with cooldowns/health checks.

Options A and C describe vertical scaling (instance resize). Resizing an EC2 instance type generally requires stopping the instance, changing the type, and starting it again—this is disruptive for a single-instance web server and often causes downtime. Option B (restarting the application) directly introduces disruption and does not address underlying capacity constraints; it can also worsen customer impact during peaks.

According to the AWS Cloud Operations and Identity Management documentation, when configuring federation between IAM Identity Center (formerly AWS SSO) and an external SAML 2.0 identity provider, two key prerequisites are required:

The IAM Identity Center SAML metadata file — This is uploaded to the external IdP to establish trust, define SAML endpoints, and enable identity federation.

The IdP metadata (including the public X.509 certificate) — This information is imported into IAM Identity Center to validate authentication assertions and encryption signatures.

IAM Identity Center and the IdP exchange this metadata to mutually establish secure, bidirectional federation.

Network-level details such as IP addresses (Option C) are unnecessary. Root access (Option D) or permissions to member accounts (Option E) are not required; only Control Tower or IAM administrative permissions in the management account are needed for setup.

Thus, the correct answer is A and B — the SAML metadata from both sides is required for federation.

The most secure pattern is to use an IAM role for Amazon EC2 with the minimum required permissions. AWS guidance states: “Use roles for applications that run on Amazon EC2 instances” and “grant least privilege by allowing only the actions required to perform a task.” By attaching a role to the instance, short-lived credentials are automatically provided through the instance metadata service; this removes the need to create long-term access keys or embed secrets. Granting only sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage against the specific SQS queues enforces least privilege and aligns with CloudOps security controls. Options A and B rely on IAM user access keys, which contravene best practices for workloads on EC2 and increase credential-management risk. Option C uses a role but grants sqs:*, violating least-privilege principles. Therefore, Option D meets the security requirement with scoped, temporary credentials and precise permissions.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient solution is C because AWS Systems Manager Session Manager is purpose-built for secure, auditable interactive access to EC2 instances at scale—without managing bastion hosts or distributing SSH keys. Session Manager can be configured to log session activity, including commands and output, to durable destinations such as Amazon CloudWatch Logs (and optionally Amazon S3). This directly satisfies the requirement to record interactive sessions and store logs durably.

For automated notifications and alarms, CloudWatch Logs supports metric filters that transform matching log patterns into CloudWatch metrics. Those metrics can then drive CloudWatch alarms and notifications (for example, via Amazon SNS). This is a standard CloudOps pattern: centralize logs, derive metrics from security-relevant patterns, and alert automatically.

Option A and D require installing and operating agents and building a more complex analytics path (Athena queries for alerting), which is less efficient and introduces more moving parts across thousands of instances. Option B adds a bastion host dependency that becomes an operational burden (scaling, patching, hardening, HA) and a potential choke point. Session Manager reduces these burdens by using SSM Agent already installed, IAM-based access control, and centralized logging/monitoring integrations.