Free Amazon Web Services SOA-C03 Practice Exam with Questions & Answers | Set: 5

In cross-account S3 replication, a common cause of “Access Denied” when reading replicated objects is object ownership. By default, the replicated objects can remain owned by the source account (the account that originally wrote the objects). Even though the objects are physically stored in the destination bucket, the destination account’s users can be blocked from accessing them unless the correct ACLs or ownership controls are in place. This becomes especially visible in disaster recovery or nonproduction copy scenarios where the destination account expects to independently read and manage replicated data.

Amazon S3 provides an option in replication configuration to change the replica object ownership to the destination bucket owner. When enabled, the destination account becomes the owner of the replicated objects, which aligns access control with the bucket ownership and the destination account’s IAM policies. This removes the common cross-account ownership mismatch and resolves Access Denied errors for legitimate users in the destination account who have permissions on the destination bucket.

Option B relates to which objects are included in replication (prefix scoping). If replication were scoped incorrectly, the symptom would typically be missing objects rather than Access Denied on objects that are present. Option C (S3 RTC) is about replication time guarantees and monitoring; elapsed time does not change ownership or permissions and therefore does not resolve Access Denied. Option D (storage class changes) affects cost and retrieval characteristics, not authorization; it would not typically produce Access Denied for standard reads solely because the storage class differs.

Therefore, updating the replication configuration to ensure replicated objects are owned by the destination bucket owner is the correct fix to restore access.

=================

The most secure way for an EC2 instance to access AWS services is by using an IAM role attached to the instance. IAM roles eliminate the need for long-term credentials, which reduces the risk of credential leakage and simplifies credential rotation.

Following the principle of least privilege, the IAM policy attached to the role should grant only the permissions required: sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage. Granting broader permissions such as sqs:* violates least privilege and increases security risk.

Options A and B rely on IAM users and static credentials, which are not recommended for applications running on EC2. Option C grants excessive permissions.

Therefore, attaching an EC2 IAM role with only the required SQS permissions is the most secure solution.

CloudWatch Logs metric filters allow log data to be converted into CloudWatch metrics in near real time. This enables continuous monitoring without custom code or scheduled queries. Metric filters are ideal when log events have a consistent structure and specific patterns, such as HTTP response codes.

By defining a metric filter that matches HTTP 404 responses, CloudWatch can increment a metric each time a 404 occurs. This metric can then be used for dashboards, alarms, and trend analysis. This approach is fully managed, scalable, and requires minimal operational effort.

Options B, C, and D rely on subscription filters or periodic queries, which introduce unnecessary complexity, latency, and maintenance overhead. Therefore, metric filters are the most efficient solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

Amazon EFS encryption at rest is a file system creation attribute; an unencrypted EFS file system cannot be “turned on” for encryption in place. Therefore, meeting the requirement (“encrypt an existing EFS using an existing KMS customer managed key”) requires creating a new encrypted file system and migrating data.

Option A is the most operationally efficient because EFS replication is a managed mechanism that continuously copies data and metadata from a source file system to a destination file system. By specifying the existing KMS customer managed key for the destination, the new file system is encrypted at rest under the required key. After replication has caught up, the administrator can perform a controlled cutover (failover) so applications mount the encrypted destination instead of the original source. This reduces manual copying effort, supports ongoing synchronization during migration, and simplifies the cutover window.

Option B is not possible because encryption-at-rest settings for EFS cannot be modified after creation. Option C is irrelevant because TLS certificates relate to encryption in transit and are not configured as part of EFS replication in the manner described. Option D can work functionally, but it requires building and operating a copy workflow, which is more manual and error-prone than managed replication.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient approach is A: copy the AMI to each target Region using copy-image and update the CloudFormation template to reference the correct AMI IDs per Region (commonly via Mappings or parameters). AMIs are regional resources, so an AMI built in us-east-1 cannot be launched directly in other Regions without copying. The copy-image operation is the standard, supported method to replicate an AMI across Regions while preserving the image configuration and backing snapshots in the destination Region.

Once AMIs exist in each Region, CloudFormation can be executed in each Region using the same template logic. Adding mappings for AMI IDs keeps the deployment consistent and repeatable, aligning with Infrastructure as Code practices and minimizing manual steps.

Option B is more work than necessary because copying snapshots and re-creating AMIs adds extra steps and increases the chance of inconsistency. Option C is incomplete because the template will fail or launch incorrect resources if it references an AMI ID that does not exist in the target Region. Option D is not feasible because an Auto Scaling group is a regional construct and cannot span multiple Regions from a single stack update in us-east-1.

AWS CloudOps automation best practices recommend using AWS Systems Manager Quick Setup for organization-wide management and configuration of EC2 instances. The Default Host Management Configuration Quick Setup automatically enables Systems Manager capabilities such as Patch Manager, Inventory, Session Manager, and Automation across all managed instances within the organization.

When deployed from the management account, Quick Setup automatically integrates with AWS Organizations to propagate configuration and permissions to existing and future accounts. This meets the requirement for organization-wide management with no manual configuration or SSH access. AWS documentation notes:

“You can use Quick Setup in the management account of an organization in AWS Organizations to configure Systems Manager capabilities for all accounts and Regions. Quick Setup automatically keeps configurations up to date.”

Options B, C, and D require custom deployments or manual IAM updates, lacking centralized automation. Therefore, Option A fully satisfies CloudOps standards for automated provisioning and ongoing management of EC2 instances across an organization.

The AWS Cloud Operations and Governance documentation specifies that AWS Config can be paired with AWS Systems Manager Automation runbooks for automatic remediation of noncompliant resources.

For SSH restrictions, the restricted-ssh managed rule detects any security group allowing inbound traffic on port 22. To automatically remediate these findings, AWS provides the AWS-DisableIncomingSSHOnPort22 runbook. This runbook programmatically removes inbound rules that allow port 22 traffic from affected security groups.

This approach achieves continuous compliance with minimal human intervention. By contrast, sending notifications (Option A) does not enforce remediation, API-based scripts (Option C) add operational overhead, and manual remediation (Option D) violates automation best practices.

Therefore, the most efficient CloudOps solution is Option B, using AWS Config with the AWS-DisableIncomingSSHOnPort22 automation runbook for automatic, scalable enforcement.

AWS Backup is the correct centrally managed service for backup policies across AWS accounts. When integrated with AWS Organizations, AWS Backup can apply backup policies from a management or delegated administrator account to member accounts. This provides centralized scheduling, lifecycle configuration, monitoring, and compliance visibility without deploying custom Lambda code into every account. AWS documentation describes AWS Backup as a fully managed service that centralizes and automates data protection across AWS services and removes the need for custom scripts and manual processes. CloudFormation StackSets can deploy tags or supporting resources, but tagging alone does not create a complete backup strategy. SCPs define permission guardrails; they do not run backup jobs or snapshots. Therefore, AWS Backup organization-wide policies are the most operationally efficient solution.

===============

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is A because AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria. AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation.

By defining the patch policy target as instances with an environment tag value of “Prod,” Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.

Options B, C, and D are incorrect because they introduce unnecessary complexity by adding AWS Lambda functions, resource groups, or EventBridge rules. AWS CloudOps best practices emphasize using native Systems Manager capabilities whenever possible to reduce operational burden and failure points.

As per the AWS Cloud Operations and Event Monitoring documentation, the most efficient method for event-driven notification is to use Amazon EventBridge to detect specific EC2 API events and trigger a Simple Notification Service (SNS) alert.

EventBridge continuously monitors AWS service events, including RunInstances, which signals the creation of new EC2 instances. When such an event occurs, EventBridge sends it to an SNS topic, which then immediately emails subscribed recipients — in this case, the architecture team.

This combination provides real-time, serverless notifications with minimal management. SQS (Option C) is designed for queue-based processing, not direct user alerts. User data scripts (Option A) and custom polling with Lambda (Option D) introduce unnecessary operational complexity and latency.

Hence, Option B is the correct and AWS-recommended CloudOps design for immediate launch notifications.