SOA-C03 Amazon Web Services AWS Certified CloudOps Engineer

AWS Certified CloudOps Engineer - Associate

Last Update 12 hours ago Total Questions : 219

The AWS Certified CloudOps Engineer - Associate content is now fully updated, with all current exam questions added 12 hours ago. Deciding to include SOA-C03 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SOA-C03 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SOA-C03 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified CloudOps Engineer - Associate practice test comfortably within the allotted time.

Question # 41

A company asks a SysOps administrator to provision an additional environment for an application in four additional AWS Regions. The application is running on more than 100 Amazon EC2 instances in the us-east-1 Region, using fully configured Amazon Machine Images (AMIs). The company has an AWS CloudFormation template to deploy resources in us-east-1.

What should the SysOps administrator do to provision the application in the MOST operationally efficient manner?

Copy the AMI to each Region by using the aws ec2 copy-image command. Update the CloudFormation template to include mappings for the copied AMIs.

Create a snapshot of the running instance. Copy the snapshot to the other Regions. Create an AMI from the snapshots. Update the CloudFormation template for each Region to use the new AMI.

Run the existing CloudFormation template in each additional Region based on the success of the template that is used currently in us-east-1.

Update the CloudFormation template to include the additional Regions in the Auto Scaling group. Update the existing stack in us-east-1.

Question # 42

A company made a configuration change to an Amazon EC2 Auto Scaling group that hosts a production application. The change affected the number of available EC2 instances and caused the application to be slow to respond. The company needs a solution to provide an email notification when a management change occurs to the Auto Scaling group. The company has already set up a trail in AWS CloudTrail to log management write changes. A CloudOps engineer creates an Amazon SNS topic that has the appropriate subscribers.

What should the CloudOps engineer do next to meet this requirement?

Use AWS Config to monitor the trail for changes to the Auto Scaling group. Configure AWS Config to publish a message to the SNS topic when a change is detected.

Use AWS Security Hub to monitor the trail for changes to the Auto Scaling group. Configure Security Hub to publish a message to the SNS topic when a change is detected.

Create an Amazon EventBridge rule to run in response to CloudTrail management write events that involve the Auto Scaling group. Configure the EventBridge rule to publish a message to the SNS topic when a change is detected.

Store all CloudTrail management events in an Amazon S3 bucket. Use S3 Event Notifications to publish a message to the SNS topic when a change to the Auto Scaling group is detected.

Question # 43

A CloudOps engineer launches two Amazon EC2 instances and creates a single public subnet for testing purposes in the same Availability Zone. The CloudOps engineer wants Amazon Route 53 to respond with a public IP address only if a test webpage on an instance is running. However, even when the test webpage is unavailable, Route 53 still responds with the public IP addresses from both instances.

How can the CloudOps engineer resolve this issue?

Create a Route 53 multivalue answer routing record. Associate a health check with the record.

Configure latency-based routing with a health check in Route 53.

Configure weighted routing in Route 53.

Create another public subnet in the same Availability Zone for one of the instances.

Question # 44

A company has a non-production application that runs on an Amazon EC2 instance. The Amazon CloudWatch agent is installed on the EC2 instance. The application includes a process that randomly overuses temporary disk space and fills disks to 100% capacity.

A CloudOps engineer needs to automate a reboot of the EC2 instance after the disks reach 100% capacity.

Which solution will meet this requirement in the MOST operationally efficient way?

Create a CloudWatch alarm for the EC2 instance. Create an Amazon EventBridge event rule that reacts to the CloudWatch alarm and reboots the EC2 instance.

Create a CloudWatch alarm for the EC2 instance. Create an Amazon SES notification that reacts to the CloudWatch alarm and reboots the EC2 instance.

Create an AWS Lambda function to reboot the EC2 instance. Create a CloudWatch alarm that uses Amazon EventBridge to invoke the Lambda function.

Create an AWS Lambda function to reboot the EC2 instance. Use EC2 health checks to invoke the Lambda function.

Question # 45

A CloudOps engineer needs to ensure that AWS resources across multiple AWS accounts are tagged consistently. The company uses an organization in AWS Organizations to centrally manage the accounts. The company wants to implement cost allocation tags to accurately track the costs that are allocated to each business unit.

Which solution will meet these requirements with the LEAST operational overhead?

Use Organizations tag policies to enforce mandatory tagging on all resources. Enable cost allocation tags in the AWS Billing and Cost Management console.

Configure AWS CloudTrail events to invoke an AWS Lambda function to detect untagged resources and to automatically assign tags based on predefined rules.

Use AWS Config to evaluate tagging compliance. Use AWS Budgets to apply tags for cost allocation.

Use AWS Service Catalog to provision only pre-tagged resources. Use AWS Trusted Advisor to enforce tagging across the organization.

Question # 46

A company has an application that runs on Amazon EC2 instances. The application stores data on an Amazon RDS for MySQL Single-AZ DB instance. Requests to the DB instance from the application include reads and writes.

A CloudOps engineer must implement a solution that provides failover for the DB instance. The solution must minimize application downtime.

Which solution will meet these requirements?

Modify the DB instance to be a Multi-AZ DB instance deployment.

Add a read replica in the same Availability Zone where the DB instance is deployed.

Add the DB instance to an Auto Scaling group that has a minimum capacity of 2 and a desired capacity of 2.

Use RDS Proxy to configure a proxy in front of the DB instance.

Question # 47

A company has deployed Amazon EC2 instances from custom AMIs in two AWS Regions. All instances are registered with AWS Systems Manager. The company discovers a critical zero-day OS exploit but does not know which instances are affected.

A CloudOps engineer must deploy operating system patches with the LEAST operational overhead.

Which solution will meet this requirement?

Define a patch baseline in Systems Manager Patch Manager. Run a scan to identify affected instances and use Patch Now in each Region.

Use AWS Config to identify affected instances and then patch them.

Use EventBridge to trigger patching automatically.

Update the AMIs and manually replace instances.

Question # 48

A company stores critical files in an Amazon S3 bucket in the us-east-1 AWS Region. To comply with disaster recovery requirements, all new objects in the bucket must automatically replicate to a bucket in the us-west-2 Region.

Which solution will meet this requirement with the LEAST operational overhead?

Enable Cross-Region Replication (CRR) on the source bucket. Specify the destination bucket in the us-west-2 Region. Enable versioning on the source bucket.

Enable Cross-Origin Resource Sharing (CORS) on both the us-east-1 bucket and the us-west-2 bucket.

Create an AWS Lambda function that copies the object to the destination bucket. Configure an Amazon EventBridge rule to run the Lambda function for each object that is created.

Enable S3 Lifecycle policies to transition objects to a different storage class in the us-west-2 Region.

Question # 49

A company moves workloads from public subnets to private subnets to improve security. During testing, the company discovers that servers in the private subnets cannot reach an external API. The VPC has a CIDR block of 10.0.0.0/16. The VPC contains two public subnets and two private subnets. The VPC has one internet gateway and has a NAT gateway in each of the private subnets.

The company must ensure that workloads that run in the private subnets can reach the external API.

Which solution will meet this requirement?

Deploy an outbound-only internet gateway to allow traffic from private subnets to the internet. Edit the route tables to direct outbound traffic through the outbound-only internet gateway.

Create and configure an Amazon API Gateway HTTP API as a proxy for the external API. Edit the route tables to direct outbound traffic to the HTTP API.

Deploy a new NAT gateway that has an Elastic IP address in each public subnet. Edit the route tables to direct outbound traffic through the NAT gateways.

Create a VPC interface endpoint. Edit the route tables to direct outbound traffic through the endpoint.

Answer:

Explanation:

Instances in private subnets do not have direct routes to an internet gateway, so they cannot reach public internet endpoints unless the VPC provides a managed egress path. The standard AWS architecture for private-subnet outbound internet access is to use a NAT device (typically a NAT gateway) placed in a public subnet, with an Elastic IP address and a route from the private subnet to that NAT gateway for 0.0.0.0/0 traffic. The NAT gateway then forwards traffic to the internet through the VPC’s internet gateway while preventing unsolicited inbound connections to the private instances.

The scenario states that the VPC has a NAT gateway in each private subnet. That placement prevents proper egress because a NAT gateway itself must be in a public subnet with a route to the internet gateway to function for internet-bound traffic. Without that, private instances will fail to reach external services such as a third-party API, exactly as observed.

Option C corrects the architecture by deploying NAT gateways in the public subnets with Elastic IPs and updating the private subnet route tables so that outbound internet traffic targets the NAT gateways. This enables private workloads to initiate outbound connections while remaining unreachable from the public internet directly, maintaining the intended security posture.

Option A is incorrect because an outbound-only internet gateway is designed for IPv6 egress, not IPv4 internet access. Option B misunderstands routing: API Gateway is an application-layer proxy service and is not a target for VPC route tables to provide generic internet access. Option D is not applicable because VPC interface endpoints provide private connectivity to supported AWS services via PrivateLink, not to arbitrary external public APIs.

Therefore, deploying NAT gateways in the public subnets and routing private subnet egress through them is the correct solution.

Question # 50

A company uses Amazon EC2 Auto Scaling across multiple Availability Zones. The company must ensure that EC2 instances are provisioned in private subnets.

The company recently optimized its cloud infrastructure by reducing the number of NAT gateways in the company ' s VPC to one. Some EC2 instances lost internet connectivity after the infrastructure update. A CloudOps engineer must resolve the connectivity issue.

Which solution will meet this requirement?

Replace the existing NAT gateway with a NAT instance in the same subnet.

Update VPC route tables to target the existing NAT gateway for internet traffic.

Update VPC route tables to target an internet gateway for internet traffic.

Add secondary IP addresses to the existing NAT gateway.

Answer:

Explanation:

EC2 instances in private subnets cannot send traffic directly to the internet gateway because private subnets do not have a direct 0.0.0.0/0 route to the internet gateway. Instead, outbound IPv4 internet access from private subnets is typically provided by a NAT gateway that is deployed in a public subnet. Private subnet route tables then send default internet-bound traffic (0.0.0.0/0) to the NAT gateway as the target. The NAT gateway uses its Elastic IP address and the public subnet’s route to the internet gateway to enable outbound connectivity while still preventing inbound internet-initiated connections to the private instances.

When the company reduced multiple NAT gateways to a single NAT gateway, the routing design likely became inconsistent across Availability Zones. In multi-AZ architectures, it is common to have one NAT gateway per AZ and have each private subnet route to the NAT gateway in the same AZ to maintain zonal resiliency and avoid cross-AZ dependencies. If NAT gateways were removed, some private subnets may still have route table entries that point to NAT gateways that no longer exist. Those subnets would immediately lose outbound internet connectivity. The fix is to update the route tables associated with the affected private subnets so that their 0.0.0.0/0 route targets the remaining NAT gateway.

Option C would violate the requirement that instances must be in private subnets; routing private subnet traffic directly to an internet gateway effectively makes the subnet public. Option A is unnecessary and adds operational burden; NAT instances require patching, scaling, and availability management. Option D does not address the routing target problem and is not how NAT gateway egress is restored for multiple subnets.

Therefore, correcting the private subnet route tables to send internet-bound traffic to the existing NAT gateway is the appropriate solution.

=================

Go to page: