Free Practice Questions for Amazon Web Services SOA-C03 Exam

The AWS Cloud Operations and Systems Manager documentation states that to use Session Manager privately within a VPC (without internet access), three interface VPC endpoints must be configured:

com.amazonaws. < region > .ssm – enables Systems Manager core API communication.

com.amazonaws. < region > .ec2messages – allows the agent to send and receive messages between EC2 and Systems Manager.

com.amazonaws. < region > .ssmmessages – enables real-time interactive communication for Session Manager connections.

These endpoints ensure secure, private connectivity over the AWS network, eliminating the need for public internet routing.

Endpoints for S3, Step Functions, or EC2 API (Options C, E, F) are not required for Session Manager functionality.

Thus, the correct combination is A, B, and D, aligning with AWS CloudOps best practices for secure, private Systems Manager access.

CloudFormation StackSets are designed specifically to deploy and manage the same CloudFormation stack across multiple AWS accounts and Regions from a centralized administration point. When accounts are managed under AWS Organizations, StackSets can integrate directly with Organizations to target Organizational Units (OUs) or specific accounts, which minimizes operational overhead. This removes the need to manually assume roles and deploy stacks one-by-one, and avoids building custom automation (Lambda + cross-account role assumption + account enumeration + error handling + retries + idempotency).

With StackSets, you define the template once and then create stack instances across many accounts in a controlled and consistent manner. StackSets provide built-in features for: (1) centralized rollout and updates, (2) drift detection, (3) automatic deployment to new accounts (when using Organizations integration), and (4) standardized execution roles. This is operationally simpler and safer than scripting because StackSets handle orchestration and track deployment state per account/Region.

Option A increases manual work and is error-prone at scale. Options B and C require custom Lambda orchestration, cross-account permissions, and ongoing maintenance for failure modes and change management. StackSets provide the native “least ops” approach to multi-account CloudFormation deployments under Organizations.

The number of AWS Trusted Advisor checks available to an account depends on the AWS Support plan associated with the account. The Basic and Developer support plans provide access to a limited set of Trusted Advisor checks, primarily focused on security and service limits.

The Business and Enterprise support plans provide full access to all Trusted Advisor checks, including cost optimization, performance, fault tolerance, and security categories.

Running EC2 instances, SCPs, or MFA settings do not affect the availability of Trusted Advisor checks.

Therefore, the AWS Support plan determines the quantity of available Trusted Advisor checks.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C. Create a store image task. Specify the image ID and the destination S3 bucket, because this is the only AWS-supported solution that allows an AMI to be backed up to Amazon S3 and later restored while preserving the original AMI ID. This capability is essential for regulatory and compliance requirements where immutable identifiers must be retained.

According to AWS CloudOps documentation for Amazon EC2 AMI lifecycle management, the AMI store and restore feature is specifically designed for long-term retention, audit, and compliance scenarios. When an AMI is stored using a store image task, AWS packages the AMI’s configuration, metadata, and associated snapshots and saves them as encrypted objects in an Amazon S3 bucket. When the AMI is restored, AWS explicitly states that the restored AMI retains the same AMI ID as the original image, ensuring continuity for compliance tracking and operational dependencies.

Option A is incorrect because copying an AMI always results in a new AMI ID, even when copied within the same AWS Region. Option B is incorrect because archiving snapshots to Amazon S3 does not preserve AMI metadata or identity; restoring from snapshots requires creating a new AMI with a different ID. Option D is incorrect because the copy-image command is intended for cross-Region or cross-account AMI duplication and also generates a new AMI ID.

AWS CloudOps best practices clearly identify store image tasks as the correct mechanism when AMI identity preservation is required for governance, auditability, and compliance controls.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is that traffic from a VPC-connected Lambda to Amazon S3 must not use public IP addresses. The AWS-native way to keep traffic private is to use VPC endpoints, which provide private connectivity to supported AWS services without traversing the public internet. Among the options, creating an S3 VPC endpoint is the only approach that satisfies “no public IP addresses” while allowing access to the bucket. Option D is the best match because it explicitly configures an S3 endpoint and directs the Lambda function to use the endpoint-specific DNS name for private routing.

Option C (NAT gateway) is incorrect for this requirement because NAT provides outbound internet access from private subnets and typically uses public IP addressing at the NAT gateway. That violates the intent to avoid public IP paths for S3 traffic. Option A is not applicable because S3 buckets are not placed “inside” a VPC and do not participate in VPC sharing in a way that provides private network paths. Option B (transit gateway) connects VPCs and on-prem networks, but it does not create private service connectivity to S3 by itself; you would still need the correct service endpoint solution for S3 access.

Using a VPC endpoint also aligns with CloudOps best practices: it reduces exposure, simplifies network egress controls, and supports least-privilege access via endpoint policies (where applicable) alongside IAM policies.

The intended ordered-delivery architecture is to use a FIFO-capable intermediary and then deliver messages to the SQS FIFO queue. Amazon SNS FIFO topics support ordered message delivery to subscribed SQS FIFO queues. However, be careful: AWS documentation states that Amazon S3 event notifications are not directly compatible with SQS FIFO queues, and S3 native event notifications allow standard SNS destinations, not SNS FIFO destinations. So the cleanest real-world architecture would normally use Amazon EventBridge or Lambda to publish into a FIFO path with an appropriate MessageGroupId. From the provided choices, C is the best conceptual answer because it is the only option that preserves FIFO semantics through SNS FIFO to SQS FIFO. Option B is explicitly invalid for S3-to-SQS FIFO direct delivery. Option A is operationally heavy and unreliable for event detection.

===============

AWS Compute Optimizer analyzes historical utilization metrics and provides rightsizing recommendations for EBS volumes, including IOPS and throughput. It is fully managed, continuously updated, and requires minimal operational effort.

Manual reviews and benchmarking do not scale. Changing instance types does not address EBS overprovisioning.

Therefore, AWS Compute Optimizer is the best solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

With simple scaling policies, an Auto Scaling group performs one scaling activity when the alarm condition is met, then observes a default cooldown period (300 seconds) before another scaling activity of the same type can begin. CloudOps guidance explains that cooldown prevents rapid successive scale-outs by allowing time for the newly launched instance(s) to register with the load balancer and impact the metric. Even if the alarm breaches multiple times during the cooldown window, the group waits until the cooldown completes before evaluating and acting again. In this case, although RequestCountPerTarget exceeded the threshold twice within 180 seconds, the group will launch a single instance and then wait for cooldown before any additional scale-out can occur. Options A, C, and D do not reflect the behavior of simple scaling with cooldowns; A describes step/target-tracking-like behavior, and C/D are not Auto Scaling mechanics.

The correct design is to use a VPC endpoint/private connectivity model for Quick Suite access and grant the service controlled access to the S3 source data. The requirement is not only to access S3 privately; it says all data access and connections to Quick Suite must remain within the VPC network boundary. Option A best satisfies that by using an interface VPC endpoint with AWS PrivateLink for private service connectivity and a manifest that points Quick Suite to the S3 data. Option C covers only private access to S3 through a gateway endpoint, but it does not address private connectivity to Quick Suite itself. Option D sends traffic through a NAT gateway, which still uses public internet egress semantics. Option B adds an unnecessary EC2 proxy and increases operational risk.

===============