Free Practice Questions for Amazon Web Services SOA-C03 Exam

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is A because AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria. AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation.

By defining the patch policy target as instances with an environment tag value of “Prod,” Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.

Options B, C, and D are incorrect because they introduce unnecessary complexity by adding AWS Lambda functions, resource groups, or EventBridge rules. AWS CloudOps best practices emphasize using native Systems Manager capabilities whenever possible to reduce operational burden and failure points.

The AWS Cloud Operations and Infrastructure-as-Code documentation specifies that when using AWS CloudFormation, resources are created in parallel by default unless explicitly ordered using DependsOn.

If a custom resource (Lambda) depends on another resource (like an EC2 instance) to exist before execution, a DependsOn attribute must be added to enforce creation order. This ensures the EC2 instance is launched and available before the custom resource executes its automation logic.

Updating the service token (Option B) doesn’t affect order of execution. The cfn-response module (Option C) handles callback communication but not sequencing. Fn::If (Option D) is for conditional creation, not dependency control.

Therefore, Option A is correct — adding a DependsOn attribute guarantees that CloudFormation provisions the EC2 instance before executing the Lambda custom resource.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient solution is C because AWS Systems Manager Session Manager is purpose-built for secure, auditable interactive access to EC2 instances at scale—without managing bastion hosts or distributing SSH keys. Session Manager can be configured to log session activity, including commands and output, to durable destinations such as Amazon CloudWatch Logs (and optionally Amazon S3). This directly satisfies the requirement to record interactive sessions and store logs durably.

For automated notifications and alarms, CloudWatch Logs supports metric filters that transform matching log patterns into CloudWatch metrics. Those metrics can then drive CloudWatch alarms and notifications (for example, via Amazon SNS). This is a standard CloudOps pattern: centralize logs, derive metrics from security-relevant patterns, and alert automatically.

Option A and D require installing and operating agents and building a more complex analytics path (Athena queries for alerting), which is less efficient and introduces more moving parts across thousands of instances. Option B adds a bastion host dependency that becomes an operational burden (scaling, patching, hardening, HA) and a potential choke point. Session Manager reduces these burdens by using SSM Agent already installed, IAM-based access control, and centralized logging/monitoring integrations.

According to the AWS Cloud Operations and ElastiCache documentation, cache evictions occur when the cache runs out of memory and must remove items to make space for new data.

To reduce evictions and retain frequently accessed items, AWS recommends increasing the total available memory — either by scaling up to larger node types or scaling out by adding shards/nodes. Migrating to a cluster with larger nodes is the simplest and most efficient solution because it immediately expands capacity without architectural changes.

Adjusting TTL (Options B and C) controls expiration timing, not memory allocation. Adding a single node (Option A) may help, but redistributing data requires resharding, introducing more complexity.

Thus, Option D provides the lowest operational overhead and ensures high cache hit rates by increasing total cache memory.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To secure inbound web traffic over HTTPS when using an Application Load Balancer, AWS CloudOps best practices recommend terminating TLS at the load balancer. This is achieved by attaching an SSL/TLS certificate directly to the ALB listener. Therefore, option B is required. By terminating HTTPS at the ALB, traffic between clients and the load balancer is encrypted, and the ALB can then forward traffic to backend EC2 instances using HTTP or HTTPS based on design requirements.

The certificate used for a public-facing retail website must be trusted by internet browsers. AWS Certificate Manager (ACM) public certificates are specifically designed for this purpose and are trusted by common browsers and operating systems. Therefore, option D is required. ACM manages certificate provisioning, renewal, and deployment automatically, which significantly reduces operational overhead.

Option A is incorrect because attaching certificates to each EC2 instance is unnecessary and does not scale well. Option C is incorrect because private certificates are intended for internal use cases and are not trusted by public browsers. Option E is incorrect because ACM-managed public certificates cannot be exported; they must be attached directly to supported AWS services such as ALBs.

This approach aligns with AWS CloudOps guidance for secure, scalable, and highly available HTTPS architectures.

Per the AWS Cloud Operations and Security Automation documentation, Security Hub integrates with Amazon EventBridge to publish findings in real time. These events can trigger automated responses using AWS Lambda functions or AWS Systems Manager Automation runbooks.

In this scenario, the correct CloudOps approach is to configure the existing EventBridge rule to invoke a Lambda function that inspects the event payload, identifies the affected security group, and removes the offending inbound rule (e.g., port 21 open to 0.0.0.0/0).

This event-driven remediation provides continuous compliance and eliminates manual intervention. Cron jobs (Options B and C) contradict event-driven design and add operational overhead. Stopping instances (Option A) doesn’t address the root cause — the insecure security group.

Thus, Option D aligns with AWS best practices for automated security remediation through EventBridge and Lambda.

AWS Secrets Manager natively supports credential management and automatic rotation for Amazon RDS master user passwords. When a secret is associated with an RDS instance, Secrets Manager automatically updates the password both in the secret and on the database, without downtime or manual scripting.

AWS documentation confirms:

“AWS Secrets Manager can automatically rotate the master user password for Amazon RDS databases. Rotation is fully managed and integrated, requiring no custom code or maintenance.”

Option A introduces unnecessary Lambda automation. Option B and C use Parameter Store, which does not provide direct RDS password rotation. Therefore, Option D achieves secure, automatic credential rotation with least operational effort, fully aligned with CloudOps security automation principles.