Free Amazon Web Services SOA-C03 Practice Exam with Questions & Answers | Set: 6

CloudTrail records management write events, and Amazon EventBridge can match those events in near real time. The correct solution is to create an EventBridge rule that filters for Auto Scaling management write events, then sends matching events to the SNS topic for email notification. This is direct, event-driven, and operationally efficient. AWS Config is useful for resource configuration history and compliance evaluation, but it is not the simplest way to notify on specific CloudTrail write API activity. Security Hub aggregates security findings and is not intended for general Auto Scaling configuration-change alerting. S3 Event Notifications on the CloudTrail log bucket are indirect and would trigger based on log file delivery, not cleanly on the specific management event. Therefore, EventBridge plus SNS is the right CloudOps monitoring and remediation pattern.

===============

The Instance Scheduler on AWS is an AWS-provided solution designed specifically to start and stop AWS resources such as Amazon RDS instances on a defined schedule. This directly aligns with the requirement to automatically manage RDS instances during predictable idle periods, such as weekends, to reduce costs.

RDS instances incur compute charges while running, even if idle. Stopping them during weekends eliminates those charges while retaining storage and backups. Instance Scheduler supports tag-based scheduling, centralized management, and automated start/stop workflows without custom scripting.

Option A introduces custom automation and ongoing maintenance overhead. Option C (Reserved Instances) is unsuitable because the databases are idle for long, predictable periods and Reserved Instances charge regardless of usage. Option D is incorrect because RDS does not support auto scaling of DB instance classes based on utilization.

Instance Scheduler is the most cost-effective and operationally efficient solution for this use case.

Instances in a private subnet do not have direct internet-routable access, even if the VPC has an internet gateway. To allow outbound internet access while preventing inbound internet-initiated access, deploy a NAT gateway in a public subnet and route the private subnet’s default route, 0.0.0.0/0, to that NAT gateway. The NAT gateway then uses the public subnet’s route to the internet gateway. Option A is wrong because NAT gateways must be placed in public subnets to reach the internet. Option C would require the instances to have public IP addresses and would make the subnet effectively public, which violates the private subnet model. Option D is invalid because a VPC can have only one internet gateway attached, and internet gateways are attached to VPCs, not individual subnets.

===============

AWS Transit Gateway supports security group referencing across VPCs, but this feature must be explicitly enabled on each transit gateway attachment. Once enabled, security groups in one VPC can reference security groups in another VPC attached to the same transit gateway, simplifying rule management and improving security posture.

Enabling the feature on the transit gateway itself is not sufficient; it must be enabled per attachment to allow traffic evaluation based on security group IDs. This approach avoids brittle CIDR-based rules and allows dynamic scaling without rule updates.

Option A removes the transit gateway, which contradicts the existing architecture. Option B is incomplete. Option D does not address security group referencing.

Thus, enabling security group referencing on each transit gateway attachment is the correct solution.

DynamoDB point-in-time recovery continuously backs up table data and can restore the table to a selected second within the recovery window. AWS documentation states that a PITR restore restores the data to a new table, not in place on the existing table. Therefore, the correct process is to restore the table to the timestamp two minutes before the corruption and then update the application to use the newly restored table. Option A is wrong because PITR does not update the existing table in place. Option C uses an on-demand snapshot, which might not meet the 2-minute RPO. Option D is unsafe because DynamoDB Streams are not a managed reverse-transaction rollback mechanism. PITR to a new table is the reliable recovery method.

===============

Standard Amazon Linux AMIs typically already include the Systems Manager Agent. If instances do not appear as managed nodes in Systems Manager, the most common missing requirement is the instance profile permissions that allow the SSM Agent to communicate with Systems Manager service endpoints. The AWS managed policy AmazonSSMManagedInstanceCore grants the required permissions for core Systems Manager functionality. Option A is unnecessary because the standard Amazon Linux AMI already includes SSM Agent in most supported versions. Option B is irrelevant; ACM certificates are not required for SSM Agent registration. Option C is also wrong because the ssm-user account is created and managed by Session Manager when needed; manually creating it does not register the instance. Therefore, attach an IAM instance profile with AmazonSSMManagedInstanceCore.

===============

Amazon S3 Cross-Region Replication is the managed feature for automatically replicating newly created objects from a source bucket in one Region to a destination bucket in another Region. This is the correct disaster recovery pattern because replication is handled by S3 without custom code or scheduled copy jobs. Versioning is required for replication, and in a complete production configuration, versioning must be enabled on both the source and destination buckets. Option A is therefore the best answer, even though the wording mentions only source-bucket versioning. CORS controls browser cross-origin access and has nothing to do with disaster recovery replication. Lambda and EventBridge can copy objects, but this creates more operational overhead and error handling. S3 Lifecycle policies transition or expire objects; they do not replicate new objects across Regions.

===============

Amazon FSx for Windows File Server is a fully managed native Windows file system that supports SMB, Windows authentication, and Windows ACLs. The Multi-AZ deployment option automatically replicates data synchronously across Availability Zones and provides automatic failover with minimal downtime.

This architecture ensures continuous availability during AZ failures or maintenance events without manual intervention. Users experience consistent access and permissions through SMB, fully meeting the stated requirements.

Storage Gateway introduces on-premises dependencies. DFS Replication increases complexity and recovery time. Therefore, FSx for Windows Multi-AZ is the correct solution.

CloudWatch Synthetics canaries require connectivity to both CloudWatch and Amazon S3 to function correctly. In a private VPC without internet access, AWS service access must be provided through VPC endpoints.

The canary needs to send metrics, logs, and execution data to CloudWatch, which requires an interface VPC endpoint for CloudWatch. It also needs to store artifacts such as screenshots and HAR files in Amazon S3, which requires a gateway VPC endpoint for S3. Without these endpoints, the canary cannot communicate with required AWS services and will fail to start.

DNS resolution and DNS hostnames must be enabled so the canary can resolve AWS service endpoints to the private IP addresses exposed by the VPC endpoints. This is a mandatory prerequisite for PrivateLink-based service access.

Option B and C incorrectly disable DNS functionality, which breaks service endpoint resolution. Option A includes invalid or irrelevant permissions and does not address private connectivity requirements.

Therefore, enabling DNS support and creating both the CloudWatch interface endpoint and the S3 gateway endpoint is the correct and complete solution.

When mapping one domain name to another domain name that is hosted outside AWS, a CNAME record is the correct DNS record type. CNAME records map an alias name (www.company.com) to a canonical domain name (app.example.com).

Alias records cannot be used to point to non-AWS resources. A and PTR records map IP addresses, not domain names, and are therefore not appropriate.

Because www.company.com is not the zone apex, a CNAME record is valid and supported. This solution requires no additional infrastructure and is the standard DNS approach for this scenario.