Free Practice Questions for Amazon Web Services SOA-C03 Exam

AWS Systems Manager Session Manager allows secure, auditable instance access without SSH keys or inbound ports. To control access based on instance tags, CloudOps best practices require two configurations:

Attach an IAM policy to users or groups granting ssm:StartSession, ssm:DescribeInstanceInformation, and ssm:DescribeSessions.

Include a Condition element in the IAM policy referencing instance tags, such as Condition: {"StringEquals": {"ssm:resourceTag/Environment": "Production"}}.

This ensures users can start sessions only with instances that have matching tags, providing fine-grained access control.

AWS CloudOps documentation under Security and Compliance states:

“Use IAM policies with resource tags in the Condition element to restrict which managed instances users can access using Session Manager.”

Options B and D incorrectly suggest attaching roles or service accounts that are not relevant to user-level access control. Option C (placement groups) pertains to networking and performance, not access management. Therefore, A and E together provide tag-based, least-privilege access as required.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is preventative: stop users from launching from unapproved AMIs. The most scalable approach with 75 approved AMIs is to tag all approved AMIs (for example, ApprovedAMI=true) and enforce usage through an IAM policy condition that only allows ec2:RunInstances when the ec2:ImageId resource (the AMI) includes the required tag. This avoids maintaining long allow/deny lists of AMI IDs and supports continuous updates: as new approved AMIs are created, tagging them automatically brings them under the policy without policy rewrites.

Option B is incorrect because service-linked roles are used by AWS services, not assigned to users for interactive authorization enforcement in this way. Option C and D are detective/remedial controls that act after instances are already launched, which does not satisfy “must prevent.” They also increase operational overhead and risk disruptions.

Per the AWS Cloud Operations and Service Catalog documentation, when a portfolio is shared across AWS accounts, the recipient account imports the shared portfolio.

The recipient CloudOps engineer cannot modify the original products or their configurations but can:

Add products from the imported portfolio into their local portfolios for deployment,

Control end-user access in the recipient account, and

Manage local constraints or permissions.

However, the recipient cannot edit, delete, or reconfigure the shared products (Options B, C, and D). The source (owner) account retains full administrative control over products, launch roles, and lifecycle policies.

This model aligns with AWS CloudOps principles of centralized governance with distributed self-service deployment across multiple accounts.

Thus, Option A is correct—imported portfolios allow the recipient to add products to a local portfolio but not alter the shared configuration.

According to AWS Cloud Operations and VPC Networking documentation, when VPCs are peered, security groups can reference peer account security groups directly to restrict traffic between them.

This feature allows specifying the security group ID (sg-1234abcd) from the source account (111122223333) in the target database’s security group inbound rule. AWS automatically validates that the VPCs are connected through an existing VPC peering connection and that mutual permissions are properly configured.

You do not prefix the security group ID with the account or peering connection (Options A and B), and using the destination account ID (Option D) is incorrect because it represents the database side, not the source.

Hence, the correct configuration is Option C, which references the application servers’ security group directly for precise, least-privilege access control.

AWS Trusted Advisor publishes service quota metrics to Amazon CloudWatch. These metrics can be monitored using CloudWatch alarms, which support threshold-based alerting. By creating a CloudWatch alarm for each service quota metric, the CloudOps engineer can trigger alerts when usage exceeds 60%.

Amazon SNS is the AWS-native service for email notifications. CloudWatch alarms integrate directly with SNS, making this the most straightforward solution. SNS supports email subscriptions without additional infrastructure.

Options B and C incorrectly use SQS for email notifications, which requires additional processing and does not natively send emails. Option D relies on the AWS Health Dashboard, which does not support configurable threshold-based alerts for service quotas.

Therefore, CloudWatch alarms combined with SNS provide the correct and most efficient solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

Use Amazon S3 Event Notifications with AWS Lambda to trigger image processing on object creation. S3 natively supports invoking Lambda for events such as s3:ObjectCreated:*, providing a serverless, low-latency pipeline without managing additional services. AWS operational guidance states that “Amazon S3 can directly invoke a Lambda function in response to object-created events,” allowing you to pass event metadata (bucket/key) to the function for resizing and writing results back to S3. This approach minimizes operational overhead, scales automatically with upload volume, and integrates with standard retry semantics. SNS or SQS can be added for fan-out or buffering patterns, but they are not required when the requirement is simply “invoke the Lambda function on upload.” CloudWatch alarms do not detect individual S3 object uploads and cannot directly satisfy per-object triggers. Therefore, configuring S3 → Lambda event notifications meets the requirement most directly and aligns with CloudOps best practices for event-driven, serverless automation.

EC2 Instance Connect Endpoint (EICE) enables secure SSH access to instances in private subnets without requiring public IP addresses, bastion hosts, or inbound internet access. By deploying the endpoint in the private subnet, administrators can connect securely using IAM-based authentication.

The instance security group must allow inbound SSH (port 22) from the EICE security group. Access control is handled via IAM, which eliminates the need to distribute or manage SSH keys.

Option B incorrectly attempts to use Systems Manager for SSH, which is unnecessary when EICE is available. Option C incorrectly places the endpoint in a public subnet, which does not align with the requirement to keep access private. Option D is incorrect because Systems Manager Session Manager does not require SSH and AmazonEC2ReadOnlyAccess does not allow instance access.

EICE provides the least overhead and most secure SSH access path for private EC2 instances.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

Amazon EFS encryption at rest is a file system creation attribute; an unencrypted EFS file system cannot be “turned on” for encryption in place. Therefore, meeting the requirement (“encrypt an existing EFS using an existing KMS customer managed key”) requires creating a new encrypted file system and migrating data.

Option A is the most operationally efficient because EFS replication is a managed mechanism that continuously copies data and metadata from a source file system to a destination file system. By specifying the existing KMS customer managed key for the destination, the new file system is encrypted at rest under the required key. After replication has caught up, the administrator can perform a controlled cutover (failover) so applications mount the encrypted destination instead of the original source. This reduces manual copying effort, supports ongoing synchronization during migration, and simplifies the cutover window.

Option B is not possible because encryption-at-rest settings for EFS cannot be modified after creation. Option C is irrelevant because TLS certificates relate to encryption in transit and are not configured as part of EFS replication in the manner described. Option D can work functionally, but it requires building and operating a copy workflow, which is more manual and error-prone than managed replication.

The key requirements are daily patching, zero downtime, and least operational overhead. The most operationally efficient way to achieve frequent patch compliance in an Auto Scaling environment is to adopt an immutable infrastructure approach: bake patches into a new AMI and then roll the fleet to that AMI in a controlled, health-checked manner. AWS Systems Manager Automation can orchestrate patching steps reliably and repeatedly, producing a patched AMI on a schedule without engineers manually logging into instances. After the AMI is created, updating the Auto Scaling group launch template ensures that all newly launched instances use the patched image.

Auto Scaling instance refresh then performs the rollout across the group with guardrails: it replaces instances gradually, can respect minimum healthy percentages, and works with load balancer health checks so traffic remains served while instances are rotated. This satisfies “no downtime” because capacity stays available and requests are routed only to healthy instances during the replacement process.

Option B introduces unnecessary complexity by combining CloudFormation provisioning with patching and then relying on AWS Config to replace instances. AWS Config is a compliance and configuration tracking service, not a primary fleet-replacement mechanism for daily patching. Option C increases operational overhead by requiring custom Lambda logic and manual initiation of the rolling update, which is explicitly more work and more error-prone than a managed instance refresh workflow. Option D again uses AWS Config to replace instances, which does not align well with least overhead or the standard operational model for controlled rolling updates in Auto Scaling groups.

Therefore, the lowest-overhead, highly reliable solution is to use Systems Manager Automation to create a patched AMI, update the launch template, and run an Auto Scaling instance refresh.

=================