Free Practice Questions for Amazon Web Services SOA-C03 Exam

Amazon RDS Proxy improves application resiliency during database failovers by pooling and managing database connections. During failover, applications that connect through RDS Proxy generally recover faster because the proxy reduces the need for clients to repeatedly establish new database connections and handle DNS/cache timing issues directly. Increasing the DB instance size might improve capacity, but it does not directly reduce failover duration. Moving to a single Availability Zone would reduce availability and is the opposite of the requirement. A cross-Region read replica is useful for disaster recovery, but manual promotion is slower and changes the recovery model. The question asks to reduce failover time for the existing highly available RDS environment, so using RDS Proxy and updating the application endpoint is the best operational choice.

===============

An Auto Scaling warm pool keeps pre-initialized instances ready before they are placed into service. This is exactly what the scenario needs because cold starts during rolling updates are causing latency spikes. By using stopped instances that have already completed initialization, replacement capacity can join the Auto Scaling group faster and with less runtime warmup impact. Instance reuse also allows instances to return to the warm pool after scale-in or refresh waves, reducing repeated initialization overhead. Target tracking with instance warmup prevents scaling decisions from being distorted while new instances stabilize. Options B, C, and D do not directly pre-initialize application capacity. Predictive scaling forecasts demand, but it does not solve cold-start latency during controlled deployment waves. Warm pools are the purpose-built CloudOps feature for this requirement.

===============

AWS Systems Manager Inventory is designed to collect metadata from managed instances, including installed software, applications, and patch information. It works asynchronously and does not require instances to be actively running a command at the time of collection, which is critical when instances may be busy or temporarily unavailable during patch windows.

Inventory data is stored centrally and can be queried to generate reports showing the current patch level or installed patch versions across all managed instances. This makes it well-suited for large fleets that include both On-Demand and Spot Instances and that may scale dynamically.

Option B relies on Run Command, which requires instances to be online and available at execution time. This does not meet the requirement because some instances were already missed during patch operations due to being busy or down. Option C and Option D use AWS Config, which is primarily intended for configuration compliance and drift detection, not detailed patch version reporting. Creating custom or managed rules for patch status introduces unnecessary complexity and overhead compared to Inventory’s built-in capability.

Therefore, Systems Manager Inventory provides the most operationally efficient and reliable solution for collecting and reporting patch version data across all EC2 instances.

AMI IDs are Region-specific. An AMI ID that exists in us-east-1 does not automatically exist in us-west-2, and even copied AMIs receive different AMI IDs in the destination Region. The correct CloudFormation pattern is to define Region-specific AMI IDs in the Mappings section and use Fn::FindInMap with AWS::Region to select the correct AMI for the deployment Region. Option A is wrong because you cannot assign the same AMI ID in another Region. Option B is invalid because AMI IDs are not globally qualified by adding a Region code. Option C can help users select an AMI manually, but it does not ensure the template automatically works in every Region. Therefore, mappings are the correct infrastructure-as-code solution.

===============

The requirement is to produce cost optimization recommendations for EBS volumes based on IOPS and throughput, and to do so with the most operational efficiency across potentially many instances and volumes. AWS Compute Optimizer is the most suitable service because it analyzes historical utilization metrics and configuration characteristics to generate rightsizing recommendations. When enabled, Compute Optimizer evaluates EBS volume performance patterns (including throughput and IOPS consumption) and can recommend more appropriate volume types or settings to reduce cost while meeting performance needs.

Option C is operationally efficient because it centralizes analysis. Instead of manually inspecting per-volume graphs, Compute Optimizer aggregates and evaluates data over time, reducing human effort and improving consistency. After sufficient observation time, the CloudOps engineer can review the findings and translate them into concrete actions such as reducing provisioned IOPS on io1/io2, selecting gp3 with tuned IOPS/throughput, or resizing volumes that are over-provisioned relative to actual demand.

Option A is manual and does not directly address IOPS/throughput rightsizing; it also incorrectly focuses on consumed space versus provisioned space, which is more relevant to capacity than performance provisioning. Option B is unrelated: EBS-optimized is an EC2 feature for dedicated EBS bandwidth and does not rightsize EBS volume performance or reduce over-provisioned IOPS/throughput. Option D introduces significant operational overhead by installing benchmarking tools and running synthetic tests, which is not scalable, can affect production performance, and still may not reflect real workload patterns.

Therefore, enabling AWS Compute Optimizer and using its EBS volume recommendations is the most operationally efficient approach.

Stateful applications require session persistence to ensure that subsequent requests from the same user are routed to the same backend instance. When CloudFront is used in front of an ALB, session-related cookies must be forwarded correctly; otherwise, CloudFront can route requests to different targets, causing session loss and random logouts.

Configuring cookie forwarding in the CloudFront cache behavior ensures that session cookies (such as authentication tokens) are forwarded to the ALB and not stripped or cached incorrectly. Without this configuration, CloudFront may serve cached responses that do not align with the user’s active session state, leading to authentication issues.

On the ALB side, sticky sessions (session affinity) must be enabled on the target group to ensure that requests with the same session cookie are consistently routed to the same EC2 instance. ALB stickiness uses application cookies to bind a user session to a specific target, which is critical for stateful applications that store session data in memory.

Option A affects load distribution efficiency but does not address session persistence. Option C (header forwarding) is unnecessary unless the application explicitly stores session state in headers, which is uncommon. Option D applies only when using multiple target groups and listener rules, which is not the case here.

Together, enabling cookie forwarding in CloudFront and sticky sessions at the ALB target group resolves the logout issue by maintaining consistent session routing from the user through CloudFront to the same backend instance.

CloudWatch Logs metric filters allow log data to be converted into CloudWatch metrics in near real time. This enables continuous monitoring without custom code or scheduled queries. Metric filters are ideal when log events have a consistent structure and specific patterns, such as HTTP response codes.

By defining a metric filter that matches HTTP 404 responses, CloudWatch can increment a metric each time a 404 occurs. This metric can then be used for dashboards, alarms, and trend analysis. This approach is fully managed, scalable, and requires minimal operational effort.

Options B, C, and D rely on subscription filters or periodic queries, which introduce unnecessary complexity, latency, and maintenance overhead. Therefore, metric filters are the most efficient solution.

Amazon RDS encryption at rest cannot be enabled directly on an existing unencrypted DB instance. AWS guidance states that encryption for an RDS DB instance is enabled when the DB instance is created, not after creation. To convert an unencrypted RDS database to encrypted, the CloudOps engineer must take a snapshot, copy the snapshot while enabling encryption with an AWS KMS key, and then restore a new DB instance from the encrypted snapshot. Restoring from a snapshot creates a new DB instance; it does not overwrite the existing DB instance. Option C is invalid because Multi-AZ standby replicas cannot be independently encrypted and promoted for this purpose. Therefore, creating an encrypted snapshot copy and restoring it as a new DB instance is correct.

===============

AWS Systems Manager Run Command includes a built-in rate control feature that allows administrators to control the maximum number of concurrent executions across target instances. This directly addresses the requirement to limit downloads to 30 at a time without custom orchestration or additional services.

By targeting instances using tags, the solution automatically scales as new instances are added, which aligns with future growth expectations. Rate control ensures controlled concurrency and protects the private repository from overload.

Option A is manual and does not scale operationally. Option B introduces unnecessary complexity with Lambda and concurrency management that does not map cleanly to instance execution concurrency. Option D significantly increases architectural complexity without added value.

Run Command with rate control is the simplest, most native, and most scalable solution.

AWS CloudOps governance best practices emphasize centralized account management and preventive guardrails. AWS Control Tower integrates directly with AWS Organizations and provides “Region deny controls” and “Service Control Policies (SCPs)” that apply automatically to all existing and newly created member accounts. SCPs are organization-wide guardrails that define the maximum permissions for accounts. They can explicitly deny actions such as launching EC2 instances in a specific Region, or block root user access.

To prevent CloudTrail log deletion, SCPs can also include denies on cloudtrail:DeleteTrail and s3:DeleteObject actions targeting the CloudTrail log S3 bucket. These SCPs ensure that no user, including administrators, can violate the compliance requirements.

AWS documentation under the Security and Compliance domain for CloudOps states:

“Use AWS Control Tower to establish a secure, compliant, multi-account environment with preventive guardrails through service control policies and detective controls through AWS Config.”

This approach meets all stated needs: centralized enforcement, automatic propagation to new accounts, region-based restrictions, and immutable audit logs. Options A, B, and D either detect violations reactively or lack complete enforcement and automation across future accounts.