Free Amazon Web Services SOA-C03 Practice Exam with Questions & Answers

Amazon FSx for Lustre is designed for high-performance computing workloads that need a shared, durable, high-throughput file system. It supports Linux clients and is purpose-built for workloads such as machine learning, analytics, media processing, and HPC. The current use of separate st1 EBS volumes is not meeting performance needs and also does not provide a shared high-performance file system across the cluster. ElastiCache is an in-memory cache, not a durable POSIX-style HPC file store. Amazon S3 is durable object storage, but it is not a high-performance shared file system for Linux HPC applications that expect file-system semantics. S3 Transfer Acceleration improves long-distance data transfer to S3 but does not solve local HPC file I/O. Therefore, FSx for Lustre is the correct performance optimization choice.

===============

By default, when AWS CloudFormation encounters a failure during stack creation, it automatically rolls back and deletes any resources that were successfully created. This behavior makes troubleshooting difficult because the failed and partially created resources are no longer available for inspection.

CloudFormation provides the OnFailure parameter to control this behavior. Setting the parameter to DO_NOTHING instructs CloudFormation to stop stack creation when a failure occurs and retain all successfully created resources. This allows the CloudOps engineer to inspect the environment, review logs, and identify the root cause without redeploying resources.

The DisableRollback parameter controls rollback behavior but does not provide the same explicit behavior control during failure scenarios. Rollback triggers are used for monitoring-based rollback, not for preserving resources on failure. Setting OnFailure to ROLLBACK explicitly enforces deletion, which is the opposite of the requirement.

Therefore, setting the OnFailure parameter to DO_NOTHING is the correct solution.

Amazon EventBridge receives EC2 instance state-change events and can route matching events directly to a target such as an Amazon SNS topic. This is the most operationally efficient solution because it uses native event-driven integration and does not require scripts, agents, polling, or custom Lambda code. Option A is poor operational design because every instance would need script execution and maintenance. Option C adds an unnecessary Lambda function; EventBridge can publish to SNS directly. Option D misuses AWS Config, which is better suited to configuration compliance and resource-state evaluation, not simple near-real-time notification of every EC2 instance state transition. For CloudOps event monitoring, EventBridge rules are the standard approach for reacting to AWS service events and notifying operators.

===============

According to the AWS Cloud Operations and Elastic Load Balancing documentation, Application Load Balancer (ALB) supports multiple routing algorithms to distribute requests among targets:

Round robin (default)

Least outstanding requests (LOR)

Weighted random

When applications require session affinity, AWS recommends using “least outstanding requests” as the load balancing algorithm because it reduces latency, distributes load evenly, and ensures consistent target responsiveness during high traffic.

Using weighted random routing with sticky sessions can cause sessions to be routed inconsistently if one target’s capacity fluctuates, leading to session mismatches and application errors — especially when user sessions rely on instance-specific state.

Disabling cross-zone balancing (Option C) or adjusting deregistration delay (Option D) does not address routing inconsistency. Anomaly mitigation (Option B) protects against target performance degradation, not sticky-session misrouting.

Therefore, the correct solution is Option A — changing the target group’s routing algorithm to least outstanding requests ensures smoother, predictable session handling and resolves random application errors.

User-defined tags must be explicitly activated as cost allocation tags in the AWS Billing and Cost Management console before they can be used in Cost Explorer. Simply applying tags to resources is not sufficient.

Once activated, cost allocation tags can take up to 24 hours to appear in Cost Explorer, but they will not appear at all if activation is not performed. The 30-day delay applies only to historical reporting after activation, not to visibility itself.

Cost and Usage Reports and Budgets are not prerequisites for Cost Explorer filtering.

Therefore, the issue occurs because the tags were not activated for cost allocation.

The least-effort, most scalable approach to ensure consistent software installation and ongoing updates across tagged Windows instances is to use AWS Systems Manager’s native software distribution and desired-state capabilities. Systems Manager Distributor lets you package third-party software as an “SSM package,” version it, and publish updates in a controlled way. This directly supports the requirement to install a third-party agent and deploy periodic updates when new versions are available.

State Manager Associations let you enforce configuration continuously or on a schedule across a fleet, targeting instances by tags (which the scenario explicitly says are in place). By creating an association that runs AWS-ConfigureAWSPackage, you instruct Systems Manager to install (and optionally update) a specific SSM package on all instances that match the Windows tag criteria. This provides ongoing compliance: newly launched instances that receive the tag will automatically get the agent installed, and existing instances will receive updates according to the association’s frequency and the package version strategy.

Option C (custom Lambda that logs in) is high operational overhead and poor practice (credentials, connectivity, error handling, scaling, and security concerns). Option D (RunRemoteScript) can work but is more brittle than ConfigureAWSPackage because it shifts lifecycle management (versioning, state, idempotency) into scripts. Option B (OpsItem + Inventory) is not an enforcement mechanism for installation/updating; it’s for operations tracking and visibility.

Therefore, Distributor (A) + State Manager association using AWS-ConfigureAWSPackage targeted by tags (E) is the cleanest and lowest-ops solution.

An Auto Scaling warm pool keeps pre-initialized instances in a stopped or running state, allowing them to be quickly attached to the Auto Scaling group when scaling events occur. This significantly reduces scale-out latency caused by long bootstrapping scripts.

Unlike increasing the minimum instance count, warm pools do not permanently overprovision resources. Predictive scaling improves timing but does not eliminate boot time delays.

Therefore, warm pools provide the fastest scale-out with minimal cost overhead.

EC2 instances in private subnets cannot send traffic directly to the internet gateway because private subnets do not have a direct 0.0.0.0/0 route to the internet gateway. Instead, outbound IPv4 internet access from private subnets is typically provided by a NAT gateway that is deployed in a public subnet. Private subnet route tables then send default internet-bound traffic (0.0.0.0/0) to the NAT gateway as the target. The NAT gateway uses its Elastic IP address and the public subnet’s route to the internet gateway to enable outbound connectivity while still preventing inbound internet-initiated connections to the private instances.

When the company reduced multiple NAT gateways to a single NAT gateway, the routing design likely became inconsistent across Availability Zones. In multi-AZ architectures, it is common to have one NAT gateway per AZ and have each private subnet route to the NAT gateway in the same AZ to maintain zonal resiliency and avoid cross-AZ dependencies. If NAT gateways were removed, some private subnets may still have route table entries that point to NAT gateways that no longer exist. Those subnets would immediately lose outbound internet connectivity. The fix is to update the route tables associated with the affected private subnets so that their 0.0.0.0/0 route targets the remaining NAT gateway.

Option C would violate the requirement that instances must be in private subnets; routing private subnet traffic directly to an internet gateway effectively makes the subnet public. Option A is unnecessary and adds operational burden; NAT instances require patching, scaling, and availability management. Option D does not address the routing target problem and is not how NAT gateway egress is restored for multiple subnets.

Therefore, correcting the private subnet route tables to send internet-bound traffic to the existing NAT gateway is the appropriate solution.

=================

For IPv4 traffic, private subnets require a NAT gateway in a public subnet to access the internet. NAT gateways must be deployed in public subnets and associated with an Elastic IP address. Private subnet route tables must direct 0.0.0.0/0 traffic to the NAT gateway.

The question states that NAT gateways are incorrectly placed in private subnets, which cannot provide internet access. Deploying NAT gateways in public subnets resolves this issue and restores outbound connectivity to external APIs.

Option A applies only to IPv6. Option B adds unnecessary complexity. Option D is not applicable because external APIs are not AWS services.

CloudFormation StackSets are designed specifically to deploy and manage the same CloudFormation stack across multiple AWS accounts and Regions from a centralized administration point. When accounts are managed under AWS Organizations, StackSets can integrate directly with Organizations to target Organizational Units (OUs) or specific accounts, which minimizes operational overhead. This removes the need to manually assume roles and deploy stacks one-by-one, and avoids building custom automation (Lambda + cross-account role assumption + account enumeration + error handling + retries + idempotency).

With StackSets, you define the template once and then create stack instances across many accounts in a controlled and consistent manner. StackSets provide built-in features for: (1) centralized rollout and updates, (2) drift detection, (3) automatic deployment to new accounts (when using Organizations integration), and (4) standardized execution roles. This is operationally simpler and safer than scripting because StackSets handle orchestration and track deployment state per account/Region.

Option A increases manual work and is error-prone at scale. Options B and C require custom Lambda orchestration, cross-account permissions, and ongoing maintenance for failure modes and change management. StackSets provide the native “least ops” approach to multi-account CloudFormation deployments under Organizations.