Free Practice Questions for Amazon Web Services SOA-C03 Exam

According to the AWS Cloud Operations and Cost Management documentation, AWS Budgets is the recommended service to track and alert on cost thresholds across all AWS accounts and resources. It allows users to define cost, usage, or reservation budgets, and configure notifications to trigger when usage or cost reaches defined percentages of the budgeted value (e.g., 75%, 90%, 100%).

The AWS Budgets system integrates natively with Amazon Simple Notification Service (SNS) to deliver alerts to an email distribution list or SNS topic subscribers. AWS Budgets supports granular cost filters, including specific service categories such as data transfer, regions, or linked accounts, ensuring precise visibility into inter-Region transfer costs.

By contrast, CloudWatch billing alarms (Option B) monitor total account charges only and do not allow detailed service-level filtering, such as data transfer between Regions. Cost and Usage Reports (Option A) are for detailed cost analysis, not real-time alerting, and VPC Flow Logs (Option D) capture traffic data, not billing or cost-based metrics.

Thus, using AWS Budgets with a 75% alert threshold best satisfies the operational and notification requirements.

The AWS Cloud Operations and Governance documentation specifies that AWS Config can be paired with AWS Systems Manager Automation runbooks for automatic remediation of noncompliant resources.

For SSH restrictions, the restricted-ssh managed rule detects any security group allowing inbound traffic on port 22. To automatically remediate these findings, AWS provides the AWS-DisableIncomingSSHOnPort22 runbook. This runbook programmatically removes inbound rules that allow port 22 traffic from affected security groups.

This approach achieves continuous compliance with minimal human intervention. By contrast, sending notifications (Option A) does not enforce remediation, API-based scripts (Option C) add operational overhead, and manual remediation (Option D) violates automation best practices.

Therefore, the most efficient CloudOps solution is Option B, using AWS Config with the AWS-DisableIncomingSSHOnPort22 automation runbook for automatic, scalable enforcement.

The AWS Cloud Operations and Monitoring documentation states that Amazon CloudWatch Logs Insights provides a purpose-built query engine for analyzing and visualizing log data directly within CloudWatch. For Lambda, all invocation results (including errors) are automatically logged to CloudWatch Logs.

By querying these logs with CloudWatch Logs Insights, the CloudOps engineer can efficiently count the number of “ERROR” or “Exception” occurrences over the past 7 days using simple SQL-like commands. This method is serverless, cost-efficient, and real-time.

Athena (Options A and B) would require exporting data to Amazon S3, and OpenSearch (Option D) adds unnecessary operational complexity.

Thus, Option C provides the most efficient and native AWS CloudOps approach for rapid Lambda error analysis.

The requirement is to produce cost optimization recommendations for EBS volumes based on IOPS and throughput, and to do so with the most operational efficiency across potentially many instances and volumes. AWS Compute Optimizer is the most suitable service because it analyzes historical utilization metrics and configuration characteristics to generate rightsizing recommendations. When enabled, Compute Optimizer evaluates EBS volume performance patterns (including throughput and IOPS consumption) and can recommend more appropriate volume types or settings to reduce cost while meeting performance needs.

Option C is operationally efficient because it centralizes analysis. Instead of manually inspecting per-volume graphs, Compute Optimizer aggregates and evaluates data over time, reducing human effort and improving consistency. After sufficient observation time, the CloudOps engineer can review the findings and translate them into concrete actions such as reducing provisioned IOPS on io1/io2, selecting gp3 with tuned IOPS/throughput, or resizing volumes that are over-provisioned relative to actual demand.

Option A is manual and does not directly address IOPS/throughput rightsizing; it also incorrectly focuses on consumed space versus provisioned space, which is more relevant to capacity than performance provisioning. Option B is unrelated: EBS-optimized is an EC2 feature for dedicated EBS bandwidth and does not rightsize EBS volume performance or reduce over-provisioned IOPS/throughput. Option D introduces significant operational overhead by installing benchmarking tools and running synthetic tests, which is not scalable, can affect production performance, and still may not reflect real workload patterns.

Therefore, enabling AWS Compute Optimizer and using its EBS volume recommendations is the most operationally efficient approach.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is that traffic from a VPC-connected Lambda to Amazon S3 must not use public IP addresses. The AWS-native way to keep traffic private is to use VPC endpoints, which provide private connectivity to supported AWS services without traversing the public internet. Among the options, creating an S3 VPC endpoint is the only approach that satisfies “no public IP addresses” while allowing access to the bucket. Option D is the best match because it explicitly configures an S3 endpoint and directs the Lambda function to use the endpoint-specific DNS name for private routing.

Option C (NAT gateway) is incorrect for this requirement because NAT provides outbound internet access from private subnets and typically uses public IP addressing at the NAT gateway. That violates the intent to avoid public IP paths for S3 traffic. Option A is not applicable because S3 buckets are not placed “inside” a VPC and do not participate in VPC sharing in a way that provides private network paths. Option B (transit gateway) connects VPCs and on-prem networks, but it does not create private service connectivity to S3 by itself; you would still need the correct service endpoint solution for S3 access.

Using a VPC endpoint also aligns with CloudOps best practices: it reduces exposure, simplifies network egress controls, and supports least-privilege access via endpoint policies (where applicable) alongside IAM policies.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C. Create a store image task. Specify the image ID and the destination S3 bucket, because this is the only AWS-supported solution that allows an AMI to be backed up to Amazon S3 and later restored while preserving the original AMI ID. This capability is essential for regulatory and compliance requirements where immutable identifiers must be retained.

According to AWS CloudOps documentation for Amazon EC2 AMI lifecycle management, the AMI store and restore feature is specifically designed for long-term retention, audit, and compliance scenarios. When an AMI is stored using a store image task, AWS packages the AMI’s configuration, metadata, and associated snapshots and saves them as encrypted objects in an Amazon S3 bucket. When the AMI is restored, AWS explicitly states that the restored AMI retains the same AMI ID as the original image, ensuring continuity for compliance tracking and operational dependencies.

Option A is incorrect because copying an AMI always results in a new AMI ID, even when copied within the same AWS Region. Option B is incorrect because archiving snapshots to Amazon S3 does not preserve AMI metadata or identity; restoring from snapshots requires creating a new AMI with a different ID. Option D is incorrect because the copy-image command is intended for cross-Region or cross-account AMI duplication and also generates a new AMI ID.

AWS CloudOps best practices clearly identify store image tasks as the correct mechanism when AMI identity preservation is required for governance, auditability, and compliance controls.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

VPC Flow Logs show the request arriving and being ACCEPTed on dstport 8080 and the corresponding response being REJECTed on the return path to the client’s ephemeral port (59003). AWS networking guidance states that security groups are stateful (return traffic is automatically allowed) while network ACLs are stateless and require explicit inbound and outbound rules for both directions. CloudOps operational guidance for VPC networking further notes that when you allow an inbound request (for example, TCP 8080) through a subnet’s network ACL, you must also allow the outbound ephemeral port range (typically 1024–65535) for the response traffic; otherwise, the return packets are dropped and appear as REJECT in flow logs. The observed pattern—request accepted to 8080, response rejected to 59003—matches a missing outbound ephemeral-range allow on the subnet’s NACL. Therefore, the cause is the subnet NACL, not security groups or on-premises ACLs. The remediation is to add an outbound ALLOW rule on the NACL for the appropriate ephemeral TCP port range back to the on-premises CIDR (and the corresponding inbound rule if asymmetric).

By default, when AWS CloudFormation encounters a failure during stack creation, it automatically rolls back and deletes any resources that were successfully created. This behavior makes troubleshooting difficult because the failed and partially created resources are no longer available for inspection.

CloudFormation provides the OnFailure parameter to control this behavior. Setting the parameter to DO_NOTHING instructs CloudFormation to stop stack creation when a failure occurs and retain all successfully created resources. This allows the CloudOps engineer to inspect the environment, review logs, and identify the root cause without redeploying resources.

The DisableRollback parameter controls rollback behavior but does not provide the same explicit behavior control during failure scenarios. Rollback triggers are used for monitoring-based rollback, not for preserving resources on failure. Setting OnFailure to ROLLBACK explicitly enforces deletion, which is the opposite of the requirement.

Therefore, setting the OnFailure parameter to DO_NOTHING is the correct solution.

AWS Global Accelerator provides static IP addresses (one per Availability Zone) and routes traffic over the AWS global network to optimal endpoints. It is designed for applications that require extremely high throughput, low latency, and rapid response to traffic spikes.

Global Accelerator automatically routes traffic to healthy endpoints and shifts traffic in response to failures or performance degradation. It supports sudden and volatile traffic patterns and integrates seamlessly with ALBs, NLBs, and EC2 instances.

ALBs and NLBs do not provide static IP addresses per AZ. SQS is not a traffic distribution service.

Therefore, AWS Global Accelerator is the correct solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient solution is C because AWS Systems Manager Session Manager is purpose-built for secure, auditable interactive access to EC2 instances at scale—without managing bastion hosts or distributing SSH keys. Session Manager can be configured to log session activity, including commands and output, to durable destinations such as Amazon CloudWatch Logs (and optionally Amazon S3). This directly satisfies the requirement to record interactive sessions and store logs durably.

For automated notifications and alarms, CloudWatch Logs supports metric filters that transform matching log patterns into CloudWatch metrics. Those metrics can then drive CloudWatch alarms and notifications (for example, via Amazon SNS). This is a standard CloudOps pattern: centralize logs, derive metrics from security-relevant patterns, and alert automatically.

Option A and D require installing and operating agents and building a more complex analytics path (Athena queries for alerting), which is less efficient and introduces more moving parts across thousands of instances. Option B adds a bastion host dependency that becomes an operational burden (scaling, patching, hardening, HA) and a potential choke point. Session Manager reduces these burdens by using SSM Agent already installed, IAM-based access control, and centralized logging/monitoring integrations.