Free Practice Questions for Amazon Web Services SOA-C03 Exam

CloudWatch Logs Insights is purpose-built for interactive querying and analysis across log data that is stored in CloudWatch Logs. It supports selecting multiple log groups at once (including many Lambda log groups), filtering events to match error patterns, extracting fields, and aggregating results. The requirement is to produce a count of application errors grouped by type across all log groups, which aligns directly with Logs Insights capabilities.

With Logs Insights, a CloudOps engineer can query all relevant Lambda log groups, parse or extract an “error type” field from structured JSON logs (or use pattern parsing for unstructured logs), and then aggregate using the stats command with count() grouped by the parsed error type field. This approach is fast to implement, requires no data pipeline, and scales well for large volumes because Logs Insights is optimized for CloudWatch Logs data. It also supports time-range selection so the security team can request daily or incident-window reporting.

Option B is incorrect because CloudWatch Logs “search” is a basic filtering feature and does not provide the same structured aggregation and grouping features as Logs Insights for large-scale, cross-log-group analytics. Option C (Athena) would require exporting logs to Amazon S3 (for example, via subscription filters, Kinesis Data Firehose, or scheduled exports) and maintaining a schema and partitions, which adds operational overhead not required here. Option D is not applicable because CloudWatch log data is not queried through Amazon RDS, and using an RDS database for log analytics would introduce significant ingestion and operational complexity.

Therefore, running a CloudWatch Logs Insights query using stats and count() to group errors by type across all Lambda log groups is the correct solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

CloudFront is a global edge network service, and its performance (latency and data transfer behavior) depends heavily on the geographic location of viewers and the edge locations that serve them. Therefore, a valid load test must generate traffic from multiple geographic regions to reflect real user distribution and to measure end-to-end latency across diverse network paths.

Additionally, CloudFront uses DNS to return multiple possible edge IP addresses and can direct clients to different edge locations based on resolver behavior and network conditions. For a realistic test, each client should make an independent DNS request and distribute traffic across the returned IP addresses, rather than pinning all load to a single IP. Spreading requests across the returned set avoids biasing the test to one edge path and better represents how real browsers and applications resolve and connect to CloudFront.

Options A and B fail to model global viewer behavior because they test from only one region. Option C introduces an unrealistic constraint by forcing identical DNS resolution and concentrating load on a single IP address, which can distort latency and throughput results. Option D best matches CloudOps guidance for performance validation of CDN workloads: multi-region testing with realistic DNS resolution and traffic distribution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is to alert before throttling occurs. For a DynamoDB table in provisioned capacity mode, throttling happens when demand approaches or exceeds provisioned throughput. CloudWatch provides direct table metrics such as ConsumedReadCapacityUnits and ProvisionedReadCapacityUnits (and related utilization signals). Creating an alarm on ConsumedReadCapacityUnits with a threshold set close to the table’s provisioned read capacity provides an early warning that the table is nearing its limit—before actual throttling prevents reads. The alarm can publish directly to the existing SNS topic so the operations team is notified proactively.

Option C and D focus on detecting throttling after it occurs by matching throttling exceptions in logs. That is reactive and violates “before throttled.” Option B (auto scaling) may reduce the likelihood of throttling, but it does not directly satisfy the alerting requirement and “scaling events” notifications are not a reliable proxy for “approaching throttle” (and may not fire early enough depending on scaling configuration). The simplest, most direct CloudOps approach is a CloudWatch alarm on consumption nearing provisioned capacity.

AWS CloudOps governance best practices emphasize centralized account management and preventive guardrails. AWS Control Tower integrates directly with AWS Organizations and provides “Region deny controls” and “Service Control Policies (SCPs)” that apply automatically to all existing and newly created member accounts. SCPs are organization-wide guardrails that define the maximum permissions for accounts. They can explicitly deny actions such as launching EC2 instances in a specific Region, or block root user access.

To prevent CloudTrail log deletion, SCPs can also include denies on cloudtrail:DeleteTrail and s3:DeleteObject actions targeting the CloudTrail log S3 bucket. These SCPs ensure that no user, including administrators, can violate the compliance requirements.

AWS documentation under the Security and Compliance domain for CloudOps states:

“Use AWS Control Tower to establish a secure, compliant, multi-account environment with preventive guardrails through service control policies and detective controls through AWS Config.”

This approach meets all stated needs: centralized enforcement, automatic propagation to new accounts, region-based restrictions, and immutable audit logs. Options A, B, and D either detect violations reactively or lack complete enforcement and automation across future accounts.

According to the AWS Cloud Operations and Deployment documentation, EC2 Image Builder is the AWS-managed service for automating the creation, maintenance, validation, and deployment of secure and compliant Amazon Machine Images (AMIs).

It allows CloudOps teams to define image pipelines that include only approved software modules and configuration scripts. EC2 Image Builder automatically tests and verifies these AMIs for compliance before deployment.

This process ensures configuration consistency, eliminates manual installation errors, and simplifies ongoing patch management. The service integrates with AWS Systems Manager, Amazon Inspector, and AWS CloudFormation for end-to-end automation.

In contrast:

Amazon Detective and GuardDuty (Options A & B) are security monitoring tools, not image management solutions.

Run Command (Option C) applies ad-hoc updates but does not create standard, reusable AMIs.

Therefore, Option D is correct—EC2 Image Builder provides the most operationally efficient and compliant way to create an approved baseline AMI for future deployments.

According to the AWS Cloud Operations and Networking documentation, instances in a private subnet do not have a direct route to the internet gateway and thus require a NAT gateway for outbound internet access.

The correct configuration is to create a NAT gateway in the public subnet, associate an Elastic IP address, and then update the private subnet’s route table to send all 0.0.0.0/0 traffic to the NAT gateway. This enables instances in the private subnet to initiate outbound connections while keeping inbound traffic blocked for security.

Placing the NAT gateway inside the private subnet (Options C or D) prevents connectivity because it would not have a route to the internet gateway. Configuring routes from the public subnet to the NAT gateway (Option B) does not serve private subnet traffic.

Hence, Option A follows AWS best practices for enabling secure, managed, outbound-only internet access from private resources.

AWS Transit Gateway supports security group referencing across VPCs, but this feature must be explicitly enabled on each transit gateway attachment. Once enabled, security groups in one VPC can reference security groups in another VPC attached to the same transit gateway, simplifying rule management and improving security posture.

Enabling the feature on the transit gateway itself is not sufficient; it must be enabled per attachment to allow traffic evaluation based on security group IDs. This approach avoids brittle CIDR-based rules and allows dynamic scaling without rule updates.

Option A removes the transit gateway, which contradicts the existing architecture. Option B is incomplete. Option D does not address security group referencing.

Thus, enabling security group referencing on each transit gateway attachment is the correct solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is A because AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria. AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation.

By defining the patch policy target as instances with an environment tag value of “Prod,” Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.

Options B, C, and D are incorrect because they introduce unnecessary complexity by adding AWS Lambda functions, resource groups, or EventBridge rules. AWS CloudOps best practices emphasize using native Systems Manager capabilities whenever possible to reduce operational burden and failure points.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is classic active-passive (production in us-east-1, DR in us-west-2 “only for failover”). The most operationally efficient and purpose-built solution is Route 53 failover routing combined with health checks. With failover routing, Route 53 designates one record as PRIMARY (us-east-1) and another as SECONDARY (us-west-2). Route 53 continuously evaluates the health check associated with the primary endpoint (commonly the ALB DNS name or a specific health-check path). If the primary fails, Route 53 automatically returns the secondary record, directing client DNS resolution to the DR region. This ensures us-west-2 is used only when us-east-1 is unhealthy, directly matching the requirement.

Latency routing (Option B) is designed to route users to the region with the lowest latency, which can actively send traffic to us-west-2 even when us-east-1 is healthy—violating the “DR only” constraint. Options C and D introduce custom automation (CloudWatch + Lambda + DNS record updates) that increases operational overhead, adds failure modes, and is unnecessary because Route 53 already provides managed health-check-based failover. Additionally, “EC2 instance terminated” is not a reliable proxy for full application availability, and DNS modification automation is more complex than using native Route 53 failover policies.

AWS Config is designed to continuously evaluate AWS resource configurations and detect noncompliance. The s3-bucket-logging-enabled managed rule specifically checks whether server access logging is enabled on S3 buckets. This directly meets the detection requirement for both current and future buckets.

To satisfy the remediation requirement, AWS Config supports automatic remediation actions. Using the AWS-provided AWS-ConfigureS3BucketLogging Systems Manager Automation runbook enables logging without custom code. This reduces operational overhead, avoids Lambda function maintenance, and aligns with AWS best practices.

Option A is incorrect because Trusted Advisor does not support automatic remediation. Option B cannot enforce logging at creation time through bucket policies alone. Option C works but introduces unnecessary Lambda maintenance compared to using an AWS-managed automation runbook.

Thus, combining AWS Config managed rules with Systems Manager Automation provides continuous compliance with minimal operational effort.