Amazon SOA-C03 Exam Dumps

AWS Certified CloudOps Engineer - Associate

805 Reviews

Exam Code	SOA-C03
Exam Name	AWS Certified CloudOps Engineer - Associate
Questions	165 Questions Answers With Explanation
Update Date	04, 14, 2026
Price	Was : $106.2 Today : $59 Was : $124.2 Today : $69 Was : $142.2 Today : $79

Add To Cart

Demo Questions

Question # 1

A company uses AWS Organizations to manage its AWS environment. The company implements a process that uses prebuilt Amazon Machine Images (AMIs) to launch instances as a security measure. All AMIs are tagged automatically with a key named ApprovedAMI. The company wants to ensure that employees can use only the approved prebuilt AMIs to launch new instances. Which solution will meet this requirement? 

A. Implement a tag policy for the company's organization to require users to set the ApprovedAMI tag to launch new EC2 instances. 
B. Implement an IAM policy that includes an aws:ResourceTag/ApprovedAMI condition. 
C. Set up an AWS Config required-tags rule to prevent users from launching any nonapproved AMIs. 
D. Use Amazon GuardDuty to constantly monitor DefenseEvasion:EC2/UnusualDoHActivity findings. 

Show Answer

Question # 2

A company has a microservice that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). A CloudOps engineer must use Amazon Route 53 to create a record that maps the ALB URL to example.com. Which type of Route 53 record will meet this requirement? 

A. An A record 
B. An AAAA record 
C. An alias record 
D. A CNAME record 

Show Answer

Question # 3

A CloudOps engineer has created an AWS Service Catalog portfolio and shared it with a second AWS account in the company, managed by a different CloudOps engineer. Which action can the CloudOps engineer in the second account perform? 

A. Add a product from the imported portfolio to a local portfolio. 
B. Add new products to the imported portfolio. 
C. Change the launch role for the products contained in the imported portfolio. 
D. Customize the products in the imported portfolio. 

Show Answer

Question # 4

A company has created a new video-on-demand (VOD) application. The application runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. Because of increasing application demand, the company wants to move all video files to a central Amazon S3 bucket. A SysOps administrator needs to ensure that video files can be cached at edge locations after the company migrates the files to Amazon S3. Which solution will meet this requirement? 

A. Configure CloudFront to send the X-Forwarded-For header to the origin and to redirect video requests to Amazon S3 instead of the ALB. 
B. Configure a new CloudFront cache behavior to route to Amazon S3 as a new origin, based on matching a URL path pattern. 
C. Configure URL signing in the CloudFront distribution by using a custom policy. Ensure that video files are accessed through signed URLs only. 
D. Configure a CloudFront origin group. Specify the required HTTP status codes to direct connection attempts to a secondary origin. 

Show Answer

Question # 5

A company uses a large number of Linux-based Amazon EC2 instances to run business operations. The company uses AWS Systems Manager to manage the EC2 instances. The company wants to ensure that the Systems Manager Agent (SSM Agent) is always up to date with the latest version. Which solution will meet this requirement in the MOST operationally efficient way? 

A. Enable the Auto update SSM Agent setting in Systems Manager Fleet Manager. 
B. Subscribe to SSM Agent GitHub notifications and use Lambda to update agents. 
C. Enable the Auto update SSM Agent setting in Systems Manager Patch Manager. 
D. Use GitHub notifications and a Systems Manager Automation document. 

Show Answer

Question # 6

A company uses an Amazon Simple Queue Service (Amazon SQS) queue and Amazon EC2 instances in an Auto Scaling group with target tracking for a web application. The company collects the ASGAverageNetworkIn metric but notices that instances do not scale fast enough during peak traffic. There are a large number of SQS messages accumulating in the queue. A CloudOps engineer must reduce the number of SQS messages during peak periods. Which solution will meet this requirement? 

A. Define and use a new custom Amazon CloudWatch metric based on the SQS ApproximateNumberOfMessagesDelayed metric in the target tracking policy. 
B. Define and use Amazon CloudWatch metric math to calculate the SQS queue backlog for each instance in the target tracking policy. 
C. Define and use step scaling by specifying a ChangeInCapacity value for the EC2 instances. 
D. Define and use simple scaling by specifying a ChangeInCapacity value for the EC2 instances. 

Show Answer

Question # 7

A company hosts an FTP server on EC2 instances. AWS Security Hub sends findings to Amazon EventBridge when the FTP port becomes publicly exposed in attached security groups. A CloudOps engineer needs an automated, event-driven remediation solution to remove public access from security groups. Which solution will meet these requirements?

A. Configure the existing EventBridge event to stop the EC2 instances that have the exposed port. 
B. Create a cron job for the FTP server to invoke an AWS Lambda function. Configure the Lambda function to modify the security group of the identified EC2 instances and to remove the instances that allow public access. 
C. Create a cron job for the FTP server that invokes an AWS Lambda function. Configure the Lambda function to modify the server to use SFTP instead of FTP. 
D. Configure the existing EventBridge event to invoke an AWS Lambda function. Configure the function to remove the security group rule that allows public access. 

Show Answer

Question # 8

A CloudOps engineer has successfully deployed a VPC with an AWS CloudFormation template. The CloudOps engineer wants to deploy the same template across multiple accounts that are managed through AWS Organizations. Which solution will meet this requirement with the LEAST operational overhead? 

A. Assume the OrganizationAccountAccessRole IAM role from the management account. Deploy the template in each of the accounts. 
B. Create an AWS Lambda function to assume a role in each account. Deploy the template by using the AWS CloudFormation CreateStack API call. 
C. Create an AWS Lambda function to query for a list of accounts. Deploy the template by using the AWS CloudFormation CreateStack API call. 
D. Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts. 

Show Answer

Question # 9

A CloudOps engineer wants to share a copy of a production database with a migration account. The production database is hosted on an Amazon RDS DB instance and is encrypted at rest with an AWS Key Management Service (AWS KMS) key that has an alias of production-rds-key. What must the CloudOps engineer do to meet these requirements with the LEAST administrative overhead? 

A. Take a snapshot of the RDS DB instance. Update the KMS key policy to allow access for the migration account root user. Share the snapshot with the migration account. 
B. Create an RDS read replica in the migration account. Replicate the KMS key. 
C. Take a snapshot and create a new KMS key in the migration account with the same alias. 
D. Export the database to Amazon S3 and import it into a new RDS instance. 

Show Answer

Question # 10

A company's AWS accounts are in an organization in AWS Organizations. The organization has all features enabled. The accounts use Amazon EC2 instances to host applications. The company manages the EC2 instances manually by using the AWS Management Console. The company applies updates to the EC2 instances by using an SSH connection to each EC2 instance. The company needs a solution that uses AWS Systems Manager to manage all the organization's current and future EC2 instances. The latest version of Systems Manager Agent (SSM Agent) is running on the EC2 instances. Which solution will meet these requirements? 

A. Configure a home AWS Region in Systems Manager Quick Setup in the organization's management account. Deploy the Systems Manager Default Host Management Configuration Quick Setup from the management account. 
B. Configure a home AWS Region in Systems Manager Quick Setup in the organization's management account. Create a Systems Manager Run Command that attaches the AmazonSSMServiceRolePolicy IAM policy to every IAM role that the EC2 instances use. Invoke the command in every account in the organization. 
C. Create an AWS CloudFormation stack set that contains a Systems Manager parameter to define the Default Host Management Configuration role. Use the organization's management account to deploy the stack set to every account in the organization. 
D. Create an AWS CloudFormation stack set that contains an EC2 instance profile with the AmazonSSMManagedEC2InstanceDefaultPolicy IAM policy attached. Use the organization's management account to deploy the stack set to every account in the organization. 

Show Answer

Question # 11

A company needs to upload gigabytes of files daily to Amazon S3 and requires higher throughput and faster upload speeds. Which action should a CloudOps engineer take? 

A. Create an Amazon CloudFront distribution with the GET HTTP method allowed and the S3 bucket as an origin. 
B. Create an Amazon ElastiCache cluster and enable caching for the S3 bucket. 
C. Set up AWS Global Accelerator and configure it with the S3 bucket. 
D. Enable S3 Transfer Acceleration and use the acceleration endpoint when uploading files. 

Show Answer

Question # 12

A company requires the rotation of administrative credentials for production workloads on a regular basis. A CloudOps engineer must implement this policy for an Amazon RDS DB instance's master user password. Which solution will meet this requirement with the LEAST operational effort? 

A. Create an AWS Lambda function to change the RDS master user password. Create an Amazon EventBridge scheduled rule to invoke the Lambda function. 
B. Create a new SecureString parameter in AWS Systems Manager Parameter Store. Encrypt the parameter with an AWS Key Management Service (AWS KMS) key. Configure automatic rotation. 
C. Create a new String parameter in AWS Systems Manager Parameter Store. Configure automatic rotation. 
D. Create a new RDS database secret in AWS Secrets Manager. Apply the secret to the RDS DB instance. Configure automatic rotation. 

Show Answer

Question # 13

A company hosts a static website on Amazon S3. An Amazon CloudFront distribution presents this site to global users. The company uses the Managed-CachingDisabled CloudFront cache policy. The company's developers confirm that they frequently update a file in Amazon S3 with new information. Users report that the website presents correct information when the website first loads the file. However, the users' browsers do not retrieve the updated file after a refresh. What should a SysOps administrator recommend to fix this issue? 

A. Add a Cache-Control header field with max-age=0 to the S3 object. 
B. Change the CloudFront cache policy to Managed-CachingOptimized. 
C. Disable bucket versioning in the S3 bucket configuration. 
D. Enable content compression in the CloudFront configuration. 

Show Answer

Question # 14

A CloudOps engineer is maintaining a web application that uses an Amazon CloudFront web distribution, an Application Load Balancer (ALB), Amazon RDS, and Amazon EC2 in a VPC. All services have logging enabled. The CloudOps engineer needs to investigate HTTP Layer 7 status codes from the web application. Which log sources contain the status codes? (Select TWO.) 

A. VPC Flow Logs 
B. AWS CloudTrail logs 
C. ALB access logs 
D. CloudFront access logs 
E. RDS logs 

Show Answer

Question # 15

A company’s Amazon EC2 instance with high CPU utilization is a t3.large instance running a test web app. The company determines the app would run better on a compute-optimized large instance. What should the CloudOps engineer do? 

A. Migrate the EC2 instance to a compute optimized instance by using AWS VM Import/Export. 
B. Enable hibernation on the EC2 instance. Change the instance type to a compute optimized instance. Disable hibernation on the EC2 instance. 
C. Stop the EC2 instance. Change the instance type to a compute optimized instance. Start the EC2 instance. 
D. Change the instance type to a compute optimized instance while the EC2 instance is running. 

Show Answer

Question # 16

A SysOps administrator needs to implement a solution that protects credentials for an Amazon RDS for MySQL DB instance. The solution must rotate the credentials automatically one time every week. Which combination of steps will meet these requirements? (Select TWO.) 

A. Configure an RDS proxy to store the credentials. 
B. Add the credentials to AWS Secrets Manager. 
C. Add the credentials to AWS Systems Manager Parameter Store. 
D. Create an AWS Lambda function to rotate the credentials. 
E. Create an AWS Systems Manager Automation runbook to rotate the credentials. 

Show Answer

Question # 17

A company maintains a list of 75 approved Amazon Machine Images (AMIs) that can be used across an organization in AWS Organizations. The company's development team has been launching Amazon EC2 instances from unapproved AMIs. A SysOps administrator must prevent users from launching EC2 instances from unapproved AMIs. Which solution will meet this requirement? 

A. Add a tag to the approved AMIs. Create an IAM policy that includes a tag condition that allows users to launch EC2 instances from only the tagged AMIs. 
B. Create a service-linked role. Attach a policy that denies the ability to launch EC2 instances from a list of unapproved AMIs. Assign the role to users. 
C. Use AWS Config with an AWS Lambda function to check for EC2 instances that are launched from unapproved AMIs. Program the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the SysOps administrator to terminate those EC2 instances. 
D. Use AWS Trusted Advisor to check for EC2 instances that are launched from unapproved AMIs. Configure Trusted Advisor to invoke an AWS Lambda function to terminate those EC2 instances. 

Show Answer

Question # 18

A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals sudden increases in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A CloudOps engineer must find the process ID (PID) of the service or process that is consuming more CPU. What should the CloudOps engineer do to collect the process utilization information with the LEAST amount of effort? 

A. Configure the Amazon CloudWatch agent procstat plugin to capture CPU process metrics. 
B. Configure an AWS Lambda function to run every minute to capture the PID and send a notification. 
C. Log in to the EC2 instance each night and run the top command. 
D. Use the default Amazon CloudWatch CPUUtilization metric. 

Show Answer

Question # 19

A SysOps administrator needs to encrypt an existing Amazon Elastic File System (Amazon EFS) file system by using an existing AWS KMS customer managed key. Which solution will meet these requirements? 

A. Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Specify the KMS customer managed key in the replication configuration. When the replication process finishes, fail over to the new encrypted file system. 
B. Directly modify the file system to use encryption. Specify the KMS customer managed key. 
C. Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Generate a new TLS certificate. Specify the TLS certificate in the replication configuration. When the replication process finishes, fail over to the new encrypted file system. 
D. Create a new EFS file system that is encrypted with the KMS customer managed key. Create an Amazon EC2 instance to copy the files. Mount the encrypted file system and unencrypted file system on the instance. Copy all data from the unencrypted file system to the encrypted file system. Unmount the unencrypted file system and remove the temporary instance. 

Show Answer

Question # 20

A company runs applications on Amazon EC2 instances. Many of the instances are not patched. The company has a tagging policy. All the instances are tagged with details about the owners, application, and environment. AWS Systems Manager Agent (SSM Agent) is installed on all the instances. A SysOps administrator must implement a solution to automatically patch all existing and future instances that have "Prod" in the environment tag. The SysOps administrator plans to create a patch policy in Systems Manager Patch Manager. Which solution will meet the patching requirements with the LEAST operational overhead?

A. Define targets of the patch policy by specifying node tags that match the company's tagging strategy. 
B. Configure an AWS Lambda function to scan for new instances and to add the instances to the targets of the patch policy. 
C. Create resource groups. Add the existing instances to the resource groups. Configure an AWS Lambda function to scan for new instances and to add the instances to the resource groups at regular intervals. Attach the resource groups to the patch policy. 
D. Create resource groups. Add the existing instances to the resource groups. Create an Amazon EventBridge rule that uses an appropriately defined filter to add new instances to the resource groups. Attach the resource groups to the patch policy. 

Show Answer

Question # 21

A CloudOps engineer has an AWS CloudFormation template of the company’s existing infrastructure in us-west-2. The CloudOps engineer attempts to use the template to launch a new stack in eu-west-1, but the stack partially deploys, receives an error message, and then rolls back. Why would this template fail to deploy? (Select TWO.) 

A. The template referenced an IAM user that is not available in eu-west-1. 
B. The template referenced an Amazon Machine Image (AMI) that is not available in euwest-1. 
C. The template did not have the proper level of permissions to deploy the resources. 
D. The template requested services that do not exist in eu-west-1. 
E. CloudFormation templates can be used only to update existing services. 

Show Answer

Question # 22

A company runs a high performance computing (HPC) data-processing application on Amazon EC2 instances in one Availability Zone within a development environment. The application uses a dataset that the company stores on an Amazon S3 general purpose bucket in the same AWS Region as the EC2 instances. A SysOps administrator must improve the application's performance for retrieval of objects from Amazon S3. Which solution will meet these requirements? 

A. Enable S3 Transfer Acceleration for the S3 bucket. Create an S3 access point for the bucket. Update the application to use the access point. 
B. Create an S3 Lifecycle configuration for the S3 bucket to move all objects to the S3 Express One Zone storage class. Update the application to use an S3 Regional endpoint. 
C. Create a second general purpose S3 bucket in the same Region. Copy the objects from the original bucket to the new bucket. Use the S3 Express One Zone storage class to store the objects in the new bucket. Update the application to use an S3 Regional endpoint. 
D. Create an S3 directory bucket in the same Availability Zone. Import objects from the original bucket to the new bucket. Use the S3 Express One Zone storage class to store the objects in the new bucket. Update the application to use an S3 Zonal endpoint. 

Show Answer

Question # 23

A company deploys AWS infrastructure in a VPC that has an internet gateway. The VPC has public subnets and private subnets. An Amazon RDS for MySQL DB instance is deployed in a private subnet. An AWS Lambda function uses the same private subnet and connects to the DB instance to query data. A developer modifies the Lambda function to require the function to publish messages to an Amazon Simple Queue Service (Amazon SQS) queue. After these changes, the Lambda function times out when it tries to publish messages to the SQS queue. Which solutions will resolve this issue? (Select TWO.) 

A. Reconfigure the Lambda function so that the function is not connected to the VPC. 
B. Deploy an RDS proxy. Configure the Lambda function to connect to the DB instance through the proxy. 
C. Deploy a NAT gateway. Update the private subnet's route table to route all traffic to the NAT gateway. 
D. Create an interface VPC endpoint for Amazon SQS in the VPC. 
E. Create a gateway endpoint for Amazon SQS in the VPC. 

Show Answer

Question # 24

A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application. Which combination of actions should a CloudOps engineer take to resolve this problem? (Select TWO.)

A. Change to the least outstanding requests algorithm on the ALB target group. 
B. Configure cookie forwarding in the CloudFront distribution cache behavior. 
C. Configure header forwarding in the CloudFront distribution cache behavior. 
D. Enable group-level stickiness on the ALB listener rule. 
E. Enable sticky sessions on the ALB target group. 

Show Answer

Question # 25

A CloudOps engineer needs to track the costs of data transfer between AWS Regions. The CloudOps engineer must implement a solution to send alerts to an email distribution list when transfer costs reach 75% of a specific threshold. What should the CloudOps engineer do to meet these requirements? 

A. Create an AWS Cost and Usage Report. Analyze the results in Amazon Athena. Configure an alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when costs reach 75% of the threshold. Subscribe the email distribution list to the topic. 
B. Create an Amazon CloudWatch billing alarm to detect when costs reach 75% of the threshold. Configure the alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email distribution list to the topic. 
C. Use AWS Budgets to create a cost budget for data transfer costs. Set an alert at 75% of the budgeted amount. Configure the budget to send a notification to the email distribution list when costs reach 75% of the threshold. 
D. Set up a VPC flow log. Set up a subscription filter to an AWS Lambda function to analyze data transfer. Configure the Lambda function to send a notification to the email distribution list when costs reach 75% of the threshold. 

Show Answer