Free Practice Questions for Amazon Web Services SOA-C03 Exam

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

AWS Lambda automatically publishes operational metrics to Amazon CloudWatch, including Duration, which represents the time a function invocation takes to run. To alert when processing time exceeds 10 seconds, the most direct and operationally efficient solution is to create a CloudWatch alarm on the Lambda Duration metric and configure the alarm action to publish to an SNS topic. This meets the monitoring requirement without requiring log parsing or additional query mechanisms.

Option B fits best because it uses the built-in metric stream for Lambda observability: CloudWatch metrics are near real-time, require minimal configuration, and alarms are a standard CloudOps practice for proactive notification. The alarm can be configured with the appropriate statistic (for example, Maximum or p99 via metric math where applicable) and a threshold of 10,000 milliseconds, ensuring the operations team is notified before performance degrades further.

Option A is incorrect because PostRuntimeExtensionsDuration is not the primary runtime metric for function execution time, and extracting runtime from logs is unnecessary. Option C changes the function timeout to 10 seconds, which would cause failures rather than simply notifying on slow executions. Option D is more operationally complex because it relies on log queries; CloudWatch alarms are more straightforward when a native metric exists.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answers are B and D. AWS CloudOps documentation clearly states that AWS Secrets Manager is the recommended service for storing and managing database credentials securely. Secrets Manager integrates natively with Amazon RDS and supports automatic, scheduled secret rotation.

To rotate credentials weekly, Secrets Manager requires a Lambda rotation function. AWS provides managed rotation templates for Amazon RDS for MySQL that update the database password and the stored secret atomically. This combination ensures credentials are protected, rotated automatically, and audited with minimal operational effort.

Option A is incorrect because RDS Proxy does not store or rotate credentials; it only retrieves them from Secrets Manager. Option C is incorrect because Systems Manager Parameter Store does not support native automatic rotation. Option E is incorrect because Automation runbooks are not the recommended mechanism for secrets rotation and add unnecessary complexity.

AWS CloudOps best practices strongly recommend Secrets Manager with Lambda-based rotation for database credential protection and compliance.

Blue/green deployment with AWS CodeDeploy is the correct strategy for Amazon ECS when zero downtime and fast rollback are required. In a blue/green deployment, the current production task set remains active while a new task set is created and validated. Traffic can then be shifted safely to the new version. If the new version causes performance degradation, CodeDeploy can roll back by redirecting traffic to the previous task set. AWS ECS documentation describes blue/green deployment as a method that reduces downtime and risk by running two production environments and validating revisions before routing production traffic. Rolling updates do not provide the same immediate one-step rollback. Canary or linear traffic shifting gradually moves traffic but does not match the requirement for immediate rollback as directly as blue/green. Manual scaling is operationally weak.

===============

AWS Config is designed to continuously evaluate AWS resource configurations and detect noncompliance. The s3-bucket-logging-enabled managed rule specifically checks whether server access logging is enabled on S3 buckets. This directly meets the detection requirement for both current and future buckets.

To satisfy the remediation requirement, AWS Config supports automatic remediation actions. Using the AWS-provided AWS-ConfigureS3BucketLogging Systems Manager Automation runbook enables logging without custom code. This reduces operational overhead, avoids Lambda function maintenance, and aligns with AWS best practices.

Option A is incorrect because Trusted Advisor does not support automatic remediation. Option B cannot enforce logging at creation time through bucket policies alone. Option C works but introduces unnecessary Lambda maintenance compared to using an AWS-managed automation runbook.

Thus, combining AWS Config managed rules with Systems Manager Automation provides continuous compliance with minimal operational effort.

Route 53 multivalue answer routing can return multiple IP addresses and can be combined with health checks so only healthy records are returned. AWS documentation states that when a health check is associated with a multivalue answer record, Route 53 responds with the corresponding IP address only when the health check is healthy. The current problem occurs because Route 53 is returning both IPs even when the webpage is down, which indicates that health checks are not being used correctly. Latency-based routing is used to route users to lower-latency endpoints across Regions, not to return multiple tested instance IPs in the same subnet. Weighted routing distributes traffic based on weights but does not solve this specific “return only healthy IPs” requirement unless paired with health checks. Another subnet is irrelevant.

===============

Cluster placement groups are specifically designed for workloads that require extremely low latency and high network throughput, such as HPC applications. Instances are placed physically close together within the same Availability Zone, enabling high-bandwidth, low-latency networking.

Partition placement groups are optimized for fault isolation, not network performance. Spread placement groups prioritize availability by distributing instances across distinct hardware, which increases latency.

Because the requirement is performance rather than fault isolation or high availability, a cluster placement group is the optimal choice.

The CloudWatch agent can publish custom disk usage metrics from the EC2 instance. A CloudWatch alarm can monitor the disk usage metric and enter the ALARM state when disk usage reaches 100%. The most operationally efficient approach is to connect the alarm state change to an Amazon EventBridge rule and use the rule to trigger an EC2 reboot action. This avoids custom polling and reduces manual intervention. Option B is wrong because Amazon SES sends email and does not reboot EC2 instances. Option C can work, but it adds unnecessary Lambda code and maintenance when EventBridge can directly react to CloudWatch alarm state changes. Option D is wrong because EC2 health checks do not detect application-level temporary disk exhaustion in this way. Therefore, CloudWatch alarm plus EventBridge automation is the cleanest CloudOps solution.

===============

As per AWS Cloud Operations, Bedrock, and Governance documentation, AWS CloudTrail is the authoritative service for capturing API activity and audit trails across AWS accounts. For Amazon Bedrock, CloudTrail records all user-initiated API calls, including interactions with agents, knowledge bases, and generative AI model parameters.

Using CloudTrail Lake, organizations can store, query, and analyze CloudTrail events directly without needing to export data. CloudTrail Lake supports SQL-like queries for generating audit and compliance reports, enabling the company to retrieve information such as user identity, API usage, timestamp, model or agent ID, and invocation parameters.

In contrast, CloudWatch focuses on operational metrics and log streaming, not API-level identity data. OpenSearch or Flink would add unnecessary complexity and cost for this use case.

Thus, the AWS-recommended CloudOps best practice is to leverage CloudTrail with CloudTrail Lake to maintain auditable, queryable API activity for Bedrock workloads, fulfilling governance and compliance requirements.

An alias record is the recommended Route 53 record type to map domain names (e.g., example.com) to AWS-managed resources such as an Application Load Balancer. Alias records are extension types of A or AAAA records that support AWS resources directly, providing automatic DNS integration and no additional query costs.

AWS documentation states:

“Use alias records to map your domain or subdomain to an AWS resource such as an Application Load Balancer, CloudFront distribution, or S3 website endpoint.”

A and AAAA records are used for static IP addresses, not load balancers. CNAME records cannot be used at the root domain (e.g., example.com). Thus, Option C is correct as it meets CloudOps networking best practices for scalable, managed DNS resolution to ALBs.

According to AWS Cloud Operations and VPC Networking documentation, when VPCs are peered, security groups can reference peer account security groups directly to restrict traffic between them.

This feature allows specifying the security group ID (sg-1234abcd) from the source account (111122223333) in the target database’s security group inbound rule. AWS automatically validates that the VPCs are connected through an existing VPC peering connection and that mutual permissions are properly configured.

You do not prefix the security group ID with the account or peering connection (Options A and B), and using the destination account ID (Option D) is incorrect because it represents the database side, not the source.

Hence, the correct configuration is Option C, which references the application servers’ security group directly for precise, least-privilege access control.