Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free Amazon Web Services SOA-C03 Practice Exam with Questions & Answers | Set: 5

Questions 41

A global gaming company is preparing to launch a new game on AWS. The game runs in multiple AWS Regions on a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group behind an Application Load Balancer (ALB) in each Region. The company plans to use Amazon Route 53 for DNS services. The DNS configuration must direct users to the Region that is closest to them and must provide automated failover.

Which combination of steps should a CloudOps engineer take to configure Route 53 to meet these requirements? (Select TWO.)

Options:
A.

Create Amazon CloudWatch alarms that monitor the health of the ALB in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.

B.

Create Amazon CloudWatch alarms that monitor the health of the EC2 instances in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.

C.

Configure Route 53 DNS failover by using a health check that monitors the private IP address of an EC2 instance in each Region.

D.

Configure Route 53 geoproximity routing. Specify the Regions that are used for the infrastructure.

E.

Configure Route 53 simple routing. Specify the continent, country, and state or province that are used for the infrastructure.

Amazon Web Services SOA-C03 Premium Access
Questions 42

An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A CloudOps engineer must ensure that the application can read, write, and delete messages from the SQS queues.

Which solution will meet these requirements in the MOST secure manner?

Options:
A.

Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.

B.

Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.

C.

Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.

D.

Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.

Questions 43

A company has two AWS accounts connected by a transit gateway. Each account has one VPC in the same AWS Region. The company wants to simplify inbound and outbound rules in security groups by referencing security group IDs instead of IP CIDR blocks.

Which solution will meet this requirement?

Options:
A.

Create VPC peering connections and remove the transit gateway.

B.

Enable security group referencing support on the transit gateway.

C.

Enable security group referencing support on each transit gateway attachment.

D.

Deploy private NAT gateways in each VPC.

Questions 44

A company’s security policy prohibits connecting to Amazon EC2 instances through SSH and RDP. Instead, staff must use AWS Systems Manager Session Manager. Users report they cannot connect to one Ubuntu instance, even though they can connect to others.

What should a CloudOps engineer do to resolve this issue?

Options:
A.

Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.

B.

Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.

C.

Configure the SSM Agent to log in with a user name of "ubuntu".

D.

Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

Questions 45

A SysOps administrator creates a custom Amazon Machine Image (AMI) in the eu-west-2 Region and uses the AMI to launch Amazon EC2 instances. The SysOps administrator needs to use the same AMI to launch EC2 instances in two other Regions: us-east-1 and us-east-2.

What must the SysOps administrator do to use the custom AMI in the additional Regions?

Options:
A.

Copy the AMI to the additional Regions

B.

Make the AMI public in the Community AMIs section of the AWS Management Console

C.

Share the AMI to the additional Regions. Assign the required access permissions.

D.

Copy the AMI to a new Amazon S3 bucket. Assign access permissions to the AMI for the additional Regions

Questions 46

A company hosts an FTP server on EC2 instances. AWS Security Hub sends findings to Amazon EventBridge when the FTP port becomes publicly exposed in attached security groups.

A CloudOps engineer needs an automated, event-driven remediation solution to remove public access from security groups.

Which solution will meet these requirements?

Options:
A.

Configure the existing EventBridge event to stop the EC2 instances that have the exposed port.

B.

Create a cron job for the FTP server to invoke an AWS Lambda function. Configure the Lambda function to modify the security group of the identified EC2 instances and to remove the instances that allow public access.

C.

Create a cron job for the FTP server that invokes an AWS Lambda function. Configure the Lambda function to modify the server to use SFTP instead of FTP.

D.

Configure the existing EventBridge event to invoke an AWS Lambda function. Configure the function to remove the security group rule that allows public access.

Questions 47

A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications.

A CloudOps engineer must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.

Which solution will meet these requirements?

Options:
A.

Create an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.

B.

Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.

C.

Create an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.

D.

Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the root OU.

Questions 48

A company's website runs on an Amazon EC2 Linux instance. The website needs to serve PDF files from an Amazon S3 bucket. All public access to the S3 bucket is blocked at the account level. The company needs to allow website users to download the PDF files.

Which solution will meet these requirements with the LEAST administrative effort?

Options:
A.

Create an IAM role that has a policy that allows s3:list* and s3:get* permissions. Assign the role to the EC2 instance. Assign a company employee to download requested PDF files to the EC2 instance and deliver the files to website users. Create an AWS Lambda function to periodically delete local files.

B.

Create an Amazon CloudFront distribution that uses an origin access control (OAC) that points to the S3 bucket. Apply a bucket policy to the bucket to allow connections from the CloudFront distribution. Assign a company employee to provide a download URL that contains the distribution URL and the object path to users when users request PDF files.

C.

Change the S3 bucket permissions to allow public access on the source S3 bucket. Assign a company employee to provide a PDF file URL to users when users request the PDF files.

D.

Deploy an EC2 instance that has an IAM instance profile to a public subnet. Use a signed URL from the EC2 instance to provide temporary access to the S3 bucket for website users.

Questions 49

A finance company uses AWS Secrets Manager to store Amazon RDS credentials that are periodically rotated. A database team must receive a notification when the credentials are rotated to ensure compliance with security policies. The database team creates an Amazon Simple Notification Service (Amazon SNS) topic for the notifications.

Which solution will meet these requirements?

Options:
A.

Create an Amazon EventBridge rule to match AWS CloudTrail events for the RotateSecret API call with a RotationSucceeded result. Configure the rule to route matching events to the SNS topic.

B.

Enable notifications for secret rotation in AWS Secrets Manager. Configure Secrets Manager to publish notifications to the SNS topic when secrets are rotated.

C.

Use Amazon EventBridge to filter Amazon CloudWatch Logs for RotationSucceeded events. Route notifications for all matches to the SNS topic.

D.

Use Amazon CloudWatch Logs to filter for RotationSucceeded events. Route notifications for all matches to the SNS topic.

Exam Code: SOA-C03
Certification Provider: Amazon Web Services
Exam Name: AWS Certified CloudOps Engineer - Associate
Last Update: Feb 25, 2026
Questions: 165