Free Practice Questions for Amazon Web Services SOA-C03 Exam

In this scenario, the EC2 instances pass their EC2 status checks, indicating that the operating system is responsive. However, the application hosted on the instance is failing intermittently, returning HTTP 500 errors. This demonstrates a discrepancy between the instance-level health and the application-level health.

According to AWS CloudOps best practices under Monitoring, Logging, Analysis, Remediation and Performance Optimization (SOA-C03 Domain 1), Auto Scaling groups should incorporate Elastic Load Balancing (ELB) health checks instead of relying solely on EC2 status checks. The ELB health check probes the application endpoint (for example, HTTP or HTTPS target group health checks), ensuring that the application itself is functioning correctly.

When an instance fails an ELB health check, Amazon EC2 Auto Scaling will automatically mark the instance as unhealthy and replace it with a new one, ensuring continuous availability and performance optimization.

Extract from AWS CloudOps (SOA-C03) Study Guide – Domain 1:

“Implement monitoring and health checks using ALB and EC2 Auto Scaling integration. Application Load Balancer health checks allow Auto Scaling to terminate and replace instances that fail application-level health checks, ensuring consistent application performance.”

Extract from AWS Auto Scaling Documentation:

“When you enable the ELB health check type for your Auto Scaling group, Amazon EC2 Auto Scaling considers both EC2 status checks and Elastic Load Balancing health checks to determine instance health. If an instance fails the ELB health check, it is automatically replaced.”

Therefore, the correct answer is B, as it ensures proper application-level monitoring and remediation using ALB-integrated ELB health checks—a core CloudOps operational practice for proactive incident response and availability assurance.

References (AWS CloudOps Verified Source Extracts):

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide: Domain 1 – Monitoring, Logging, and Remediation.

AWS Auto Scaling User Guide: Health checks for Auto Scaling instances (Elastic Load Balancing integration).

AWS Well-Architected Framework – Operational Excellence and Reliability Pillars.

AWS Elastic Load Balancing Developer Guide – Target group health checks and monitoring.

According to the AWS Cloud Operations and Disaster Recovery documentation, the active-active multi-Region architecture provides the lowest possible RTO and RPO among all disaster recovery strategies. In this approach, workloads are deployed and actively running in multiple AWS Regions simultaneously. All data is continuously replicated in real time between Regions using fully managed replication services, ensuring zero data loss (zero RPO).

Because both Regions are active and capable of handling requests, failover between them is instantaneous, meeting the RTO of less than 10 minutes. Amazon Route 53 is used with weighted or latency-based routing policies and health checks to automatically route traffic away from an impaired Region to the healthy Region without manual intervention.

In contrast:

Pilot Light Architecture maintains only a minimal copy of the environment in the secondary Region. It requires time to scale up infrastructure during a disaster, resulting in longer RTO and potential data loss (non-zero RPO).

Warm Standby Architecture keeps partially running infrastructure in the secondary Region. Although faster than pilot light, it still requires scaling and synchronization, resulting in higher RTO and RPO compared to active-active.

Backup and Restore (option D) relies on periodic backups and restores data when needed. This approach has the highest RTO and RPO, unsuitable for mission-critical workloads demanding high availability and zero data loss.

Therefore, based on AWS-recommended disaster recovery strategies outlined in the AWS Cloud Operations and Disaster Recovery Guide, the Active-Active Multi-Region architecture (Option C) is the only approach that guarantees RTO <10 minutes and RPO = 0, achieving continuous availability and business continuity across Regions.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

AWS Lambda automatically publishes operational metrics to Amazon CloudWatch, including Duration, which represents the time a function invocation takes to run. To alert when processing time exceeds 10 seconds, the most direct and operationally efficient solution is to create a CloudWatch alarm on the Lambda Duration metric and configure the alarm action to publish to an SNS topic. This meets the monitoring requirement without requiring log parsing or additional query mechanisms.

Option B fits best because it uses the built-in metric stream for Lambda observability: CloudWatch metrics are near real-time, require minimal configuration, and alarms are a standard CloudOps practice for proactive notification. The alarm can be configured with the appropriate statistic (for example, Maximum or p99 via metric math where applicable) and a threshold of 10,000 milliseconds, ensuring the operations team is notified before performance degrades further.

Option A is incorrect because PostRuntimeExtensionsDuration is not the primary runtime metric for function execution time, and extracting runtime from logs is unnecessary. Option C changes the function timeout to 10 seconds, which would cause failures rather than simply notifying on slow executions. Option D is more operationally complex because it relies on log queries; CloudWatch alarms are more straightforward when a native metric exists.

AWS Secrets Manager rotation is an API-driven activity that is recorded as an audit event. When the secret rotation workflow is initiated, AWS API activity is captured by AWS CloudTrail, which provides an authoritative source of “who did what and when” for compliance evidence. By creating an Amazon EventBridge rule that matches the relevant CloudTrail event for the rotation operation, the company can automatically detect rotation activity and trigger downstream actions without building a polling system. EventBridge can route matched events directly to Amazon SNS, which then fan-outs the notification to email, SMS, chat integrations, or incident tooling used by the database team.

Option A fits the requirement because it creates an event-driven compliance notification path specifically tied to the rotation operation. It also allows more precise filtering than log scanning: the rule can match the event name and include conditions that reflect successful completion, reducing noise and false positives. EventBridge rules are managed, highly available, and require minimal operational work once configured.

Option B is not the best fit because Secrets Manager does not rely on a “native SNS rotation notification toggle” as a primary mechanism for compliance notifications in the way described; the standard event-driven pattern is to use EventBridge/CloudTrail signals rather than expecting Secrets Manager to publish directly to SNS for every rotation outcome. Options C and D propose filtering CloudWatch Logs, which adds operational overhead (log ingestion, metric filters or subscription filters, and parsing) and is less direct than matching structured API events. CloudWatch Logs filtering is also more brittle because it depends on log formats and correct log routing for the relevant services.

Therefore, using EventBridge to match CloudTrail rotation events and forward them to SNS is the most reliable and low-maintenance solution.

=================

AWS Secrets Manager is designed to securely store and automatically rotate database credentials. It integrates natively with Amazon RDS and supports scheduled credential rotation without application changes.

RDS Proxy manages database connections by pooling and reusing connections, which is critical for write-intensive workloads with sudden spikes in client connections. It improves scalability and reduces database resource exhaustion.

KMS rotates encryption keys, not database credentials. Read replicas do not help with write scaling or connection spikes.

Therefore, Secrets Manager combined with RDS Proxy is the correct solution.

According to AWS Cloud Operations and Governance documentation, AWS Trusted Advisor provides automated checks for security group rules across all accounts, including identifying ports open to 0.0.0.0/0.

When viewed in organizational mode, Trusted Advisor integrates with AWS Organizations, allowing administrators to access organization-wide security findings from a central management account. This approach requires no custom code, additional infrastructure, or manual inspection, providing immediate visibility and the lowest operational overhead.

AWS CLI scripts (Option A) or Lambda automation (Option C) introduce additional maintenance, and Amazon Inspector (Option D) is focused on instance-level vulnerabilities, not network access rules.

Therefore, Option B is the AWS-recommended CloudOps best practice for centralized and low-effort open-port auditing.

Tagging is essential for governance, cost management, and automation in CloudOps operations. The AWS Organizations tag policies feature allows centralized definition and enforcement of required tag keys and accepted values across all accounts in an organization. According to the AWS CloudOps study guide under Deployment, Provisioning, and Automation, tag policies enable automatic validation of tags, ensuring consistency with minimal manual overhead.

Once tagging consistency is enforced, enabling cost allocation tags in the AWS Billing and Cost Management console allows accurate cost distribution per business unit. AWS documentation states:

“Use AWS Organizations tag policies to standardize tags across accounts. You can activate cost allocation tags in the Billing console to track and allocate costs.”

Option B introduces unnecessary complexity with Lambda automation. Option C detects but does not enforce tagging. Option D limits flexibility to Service Catalog resources only. Therefore, Option A provides a centrally managed, automated, and low-overhead solution that meets CloudOps tagging and cost-tracking requirements.

The PrivateDnsName attribute of an EC2 instance is automatically assigned by AWS at launch time and is a read-only property. CloudFormation does not allow users to specify this value manually.

Including PrivateDnsName in the EC2 instance properties causes validation to fail during stack creation. Outputs and Parameters sections are optional, and the VPC is implicitly defined through the subnet ID.

Therefore, attempting to set PrivateDnsName results in stack creation failure.

As per the AWS Cloud Operations and Event Monitoring documentation, the most efficient method for event-driven notification is to use Amazon EventBridge to detect specific EC2 API events and trigger a Simple Notification Service (SNS) alert.

EventBridge continuously monitors AWS service events, including RunInstances, which signals the creation of new EC2 instances. When such an event occurs, EventBridge sends it to an SNS topic, which then immediately emails subscribed recipients — in this case, the architecture team.

This combination provides real-time, serverless notifications with minimal management. SQS (Option C) is designed for queue-based processing, not direct user alerts. User data scripts (Option A) and custom polling with Lambda (Option D) introduce unnecessary operational complexity and latency.

Hence, Option B is the correct and AWS-recommended CloudOps design for immediate launch notifications.

Amazon Machine Images (AMIs) are Region-specific. An AMI ID that exists in us-west-2 does not automatically exist in eu-west-1. If a CloudFormation template references a hardcoded AMI ID from one Region, stack creation in another Region will fail when that AMI cannot be found.

Additionally, not all AWS services or service features are available in every AWS Region. If the template includes a resource type or feature that is unsupported in eu-west-1, CloudFormation will fail during stack creation.

IAM users are global resources, not Region-specific, so Option A is incorrect. Permission issues would typically fail immediately and are not Region-dependent. Option E is incorrect because CloudFormation can both create and update resources.

Therefore, Region-specific AMIs and unavailable services are the valid reasons for failure.