⚡ Amazon CloudFront - SOA-C03 Practice Questions

Study distributions, cache policies, origins, OAC, signed URLs, invalidations, origin failover, logging, and edge performance operations.

21 Questions Available
2 Exam Domains


SOA-C03 CloudFront Question Bank (21 Questions)

Browse all 21 practice questions covering Amazon CloudFront for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1: Networking & Content Delivery

    A SysOps Administrator needs to invalidate cached content on a CloudFront distribution after a deployment. The team deploys frequently and wants to minimize invalidation costs. Which approach is more cost-effective for frequent deployments?

    A. Create CloudFront invalidation requests for specific file paths after each deployment.
    B. Use versioned URLs (e.g., `/app/style.v2.css` or `/app/script.js?v=2`) so that new deployments reference new URLs, making invalidation unnecessary.
    C. Reduce the CloudFront default TTL to 60 seconds so content expires quickly.
    D. Use Lambda@Edge to intercept requests and return the latest version from the origin.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

  2. Question 2: Networking and Content Delivery

    A SysOps administrator uses Amazon CloudFront. They want to ensure that only the CloudFront distribution can access an ALB origin (not direct access). Which approach achieves this?

    A. Set the ALB to be internet-facing only
    B. Configure the ALB security group to only allow traffic from CloudFront's managed prefix list, and use a custom origin header for verification
    C. Use signed URLs for all CloudFront requests
    D. Use CloudFront Origin Access Control (OAC)

  3. Question 3: Networking and Content Delivery

    A SysOps administrator uses a CloudFront distribution and notices that OPTIONS (preflight) requests are not being forwarded to the origin. The browser shows CORS errors. What should be configured?

    A. Add OPTIONS to the ALB listener
    B. Configure the CloudFront cache behavior to forward OPTIONS requests and cache based on Origin and Access-Control-Request-Method headers
    C. Disable CloudFront caching for all requests
    D. Enable CloudFront field-level encryption

  4. Question 4: Networking & Content Delivery

    A company serves static content through Amazon CloudFront with an S3 origin. During an S3 origin outage, the website returns 503 errors. The company wants CloudFront to automatically serve content from a secondary S3 bucket in a different region if the primary origin fails. Which CloudFront feature enables this?

    A. Configure CloudFront with multiple cache behaviors — one for each origin — and use Lambda@Edge to switch between them.
    B. Configure a CloudFront origin group with the primary S3 origin and a secondary S3 origin, with failover triggered on specific HTTP error codes (e.g., 500, 502, 503, 504).
    C. Enable CloudFront Origin Shield in front of both origins to automatically route around failures.
    D. Create two separate CloudFront distributions and use Route 53 failover routing between them.

  5. Question 5: Security & Compliance

    An organization with 30 AWS accounts wants to ensure that AWS WAF Web ACLs with specific rules are applied to all ALBs and CloudFront distributions across every account. The security team should manage this centrally. Which AWS service provides this capability?

    A. AWS Organizations SCPs to enforce WAF attachment on all ALBs.
    B. AWS Firewall Manager, which allows the security team to create WAF policies that are automatically applied across all member accounts in the Organization.
    C. AWS CloudFormation StackSets to deploy WAF Web ACLs to all accounts.
    D. AWS Config rules to detect ALBs without WAF associations and send alerts.

  6. Question 6: Security & Compliance

    A company subscribes to AWS Shield Advanced to protect its public-facing ALBs, CloudFront distributions, and Elastic IPs. The SysOps Administrator wants to ensure that during a DDoS event, AWS experts are engaged automatically and that the company receives cost protection. Which Shield Advanced features provide these benefits?

    A. AWS Shield Advanced provides access to the AWS Shield Response Team (SRT) who can assist during active DDoS events, and DDoS cost protection that provides credits for scaling charges incurred due to DDoS attacks on protected resources.
    B. Shield Advanced automatically blocks all DDoS traffic without any customer action and provides free WAF rules.
    C. Shield Advanced only provides enhanced detection metrics; manual engagement with AWS Support is required.
    D. Shield Advanced provides the SRT but cost protection is only available with the Enterprise Support plan.

  7. Question 7 (Select All That Apply): Networking & Content Delivery

    A SysOps Administrator needs to serve a static website from an S3 bucket through CloudFront. The S3 bucket must NOT be publicly accessible. Only CloudFront should be able to read the objects. Which configuration secures the S3 origin? (Select TWO.)

    A. Create a CloudFront Origin Access Control (OAC) and associate it with the CloudFront distribution.
    B. Update the S3 bucket policy to allow `s3:GetObject` only from the CloudFront distribution's OAC service principal.
    C. Enable S3 static website hosting and use the website endpoint as the CloudFront origin.
    D. Make the S3 bucket public and use CloudFront signed URLs to restrict access.
    E. Use an Origin Access Identity (OAI) by creating a new CloudFront OAI — note that OAC is the recommended replacement for OAI, but OAI still works.

  8. Question 8: Networking & Content Delivery

    A company wants to add security headers (such as `Strict-Transport-Security`, `X-Content-Type-Options`, and `X-Frame-Options`) to all responses served by CloudFront without modifying the origin application. Which CloudFront feature provides this?

    A. CloudFront Response Headers Policy, which can add, override, or remove HTTP response headers globally for the distribution without requiring Lambda@Edge or CloudFront Functions.
    B. CloudFront Functions that inject headers into every viewer response.
    C. Lambda@Edge on the origin-response event to add headers.
    D. An ALB listener rule that adds the headers before forwarding to CloudFront.

  9. Question 9: Networking & Content Delivery

    A company serves a web application through Amazon CloudFront. The application's static assets are in S3 (origin 1) and dynamic API requests go to an ALB (origin 2). The team wants CloudFront to automatically fail over to a secondary S3 bucket in another region if the primary S3 origin returns 5xx errors. Which CloudFront feature provides this automatic failover?

    A. Configure CloudFront with multiple cache behaviors — one for the primary S3 origin and another for the secondary S3 origin.
    B. Create a CloudFront origin group that contains the primary S3 bucket as the primary origin and the secondary S3 bucket as the failover origin. Associate the origin group with the cache behavior.
    C. Use Route 53 latency-based routing between the two S3 buckets and point CloudFront to the Route 53 DNS name.
    D. Use Lambda@Edge to detect 5xx responses and redirect requests to the secondary S3 bucket.

  10. Question 10: Networking & Content Delivery

    A company uses Amazon CloudFront to distribute content from an S3 origin. The administrator wants to restrict access so that users can only access the S3 content through CloudFront, not directly from the S3 URL. Which feature should the administrator configure?

    A. Create an S3 bucket policy that allows access only from the CloudFront distribution's IP ranges
    B. Configure an Origin Access Control (OAC) for the CloudFront distribution and update the S3 bucket policy
    C. Enable S3 Block Public Access and use S3 presigned URLs in CloudFront
    D. Configure a CloudFront signed URL for all requests

  11. Question 11: Networking & Content Delivery

    A company uses CloudFront to serve a static website. The administrator enables CloudFront signed URLs to protect premium content. Users report that signed URLs work from desktop browsers but fail from the company's mobile app with a 403 Forbidden error. What is the most likely cause?

    A. The mobile app is not forwarding the required query string parameters in the signed URL, causing CloudFront to reject the request
    B. The mobile app's HTTP client is modifying the URL encoding of the signature, invalidating the signed URL
    C. CloudFront signed URLs are not supported on mobile devices
    D. The mobile app is using HTTP instead of HTTPS and CloudFront requires HTTPS for signed URLs

  12. Question 12: Networking and Content Delivery

    A SysOps administrator wants to reduce CloudFront cache miss rates. The origin is an S3 bucket. What should they configure?

    A. Decrease the minimum TTL to 0
    B. Increase the default/maximum TTL and ensure origin Cache-Control headers have appropriate max-age values
    C. Enable CloudFront origin shield
    D. Use Lambda@Edge for all requests

  13. Question 13: Networking and Content Delivery

    A SysOps administrator wants to serve an S3 static website through CloudFront without making the bucket public. Which CloudFront feature enables private origin access?

    A. CloudFront signed URLs
    B. CloudFront Origin Access Control (OAC) with an S3 bucket policy allowing only CloudFront
    C. CloudFront custom headers
    D. S3 pre-signed URLs

  14. Question 14: Networking and Content Delivery

    A SysOps administrator uses Amazon CloudFront with an S3 origin. They notice cache hit ratio is very low (15%). What is the most likely cause?

    A. The S3 bucket is in a different region than the CloudFront distribution
    B. Query strings or headers are being forwarded to the origin but vary across requests, causing unique cache keys
    C. CloudFront is not supported for S3 origins
    D. The S3 bucket has versioning disabled

  15. Question 15: Cost and Performance Optimization

    A SysOps administrator uses CloudFront. They want to reduce CloudFront costs for a static S3 website with global users. Which CloudFront setting reduces origin fetch costs?

    A. Decrease TTL to refresh content frequently
    B. Increase TTL and use versioned file names for cache invalidation instead of invalidations
    C. Enable CloudFront Origin Shield to reduce redundant origin requests
    D. Both B and C

  16. Question 16: Networking and Content Delivery

    A SysOps administrator uses CloudFront with an ALB origin. The origin requires that requests include a custom header for verification. Which CloudFront feature adds a header to origin requests?

    A. CloudFront response headers policy
    B. CloudFront origin request policy with custom headers
    C. Lambda@Edge origin request trigger
    D. Both B and C

  17. Question 17: Networking and Content Delivery

    A SysOps administrator uses Amazon CloudFront and notices origin requests are increasing despite cache hit rate being high. What might explain this?

    A. CloudFront's cache is not working properly
    B. A high volume of unique URLs (e.g., unique query strings per user) are creating separate cache entries, each requiring an origin fetch on first hit
    C. CloudFront does not cache responses from ALB origins
    D. The TTL is too high, causing cache entries to expire slowly

  18. Question 18: Reliability and Business Continuity

    A SysOps administrator uses CloudFront with S3 origin and wants to protect the application against DDoS attacks. Which AWS service integrates with CloudFront for DDoS protection?

    A. AWS Shield Standard — automatically protects all CloudFront distributions at no extra cost
    B. AWS Shield Advanced — provides enhanced DDoS protection and cost protection for CloudFront
    C. AWS WAF — provides layer 7 protection
    D. All of the above provide complementary DDoS protection

  19. Question 19 (Select All That Apply): Cost & Performance Optimization

    A company distributes content globally via CloudFront but wants to reduce CDN costs. Most of the users are located in North America and Europe. The SysOps Administrator wants to exclude expensive edge locations in South America, Australia, and Asia (except Japan and India). Which CloudFront feature provides this cost control? (Select TWO.)

    A. CloudFront Price Classes, which restrict the edge locations the distribution uses to specific geographic regions, lowering costs by avoiding more expensive regions.
    B. Select Price Class 100, which includes only North American and European edge locations, or Price Class 200, which adds additional regions like Japan, India, and the Middle East.
    C. Set up a CloudFront Function that blocks requests from certain geographic regions.
    D. Use Route 53 geolocation routing to prevent non-target regions from reaching CloudFront.
    E. Disable caching in expensive edge locations via cache behaviors.

  20. Question 20: Security & Compliance

    A SysOps administrator needs to restrict access to an S3 bucket so that only EC2 instances in a specific VPC can access it. The bucket should deny all requests that do not originate from that VPC. Which approach is correct?

    A. Create an S3 bucket policy with a `Deny` statement for all actions where `aws:SourceVpc` does not match the VPC ID, combined with a VPC gateway endpoint for S3
    B. Configure the S3 bucket ACL to allow access only from the VPC's CIDR range
    C. Create a security group that allows outbound traffic to S3 and attach it to all EC2 instances in the VPC
    D. Create an S3 access point with a VPC-restricted network origin and deny all access through the bucket's direct endpoint

  21. Question 21: Security & Compliance

    A company stores sensitive customer data in S3 and uses AWS KMS for encryption. The security team wants to ensure that a specific KMS key can only be used for cryptographic operations when the request originates from the company's VPC. Which approach achieves this?

    A. Attach a VPC endpoint policy that allows KMS operations only from the VPC
    B. Add a condition in the KMS key policy using `aws:sourceVpce` or `aws:sourceVpc` condition keys
    C. Configure the S3 bucket policy to deny access from outside the VPC
    D. Use a KMS grant with a VPC constraint


Key CloudFront Concepts for SOA-C03

cloudfront, cdn, distribution, origin, cache policy, origin access control, oac, signed url, invalidation

SOA-C03 CloudFront Exam Tips

Amazon CloudFront questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: cloudfront, cdn, distribution, origin, cache policy, origin access control.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • CloudFront scenarios for SOA-C03 are frequently mapped to Domain 1 (22%) and Domain 5 (18%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where CloudFront interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value CloudFront Concepts

  • Know the core CloudFront building blocks cold: cloudfront, cdn, distribution, origin.
  • Review the edge-case features and limits for cache policy, origin access control; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how CloudFront pairs with S3, Route 53, WAF & Shield in real deployment patterns.
  • For SOA-C03, explain why the chosen CloudFront design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Monitoring, Logging, Analysis, Remediation, and Performance Optimization often include distractors that look correct for CloudFront but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two CloudFront implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for CloudFront without relying on default-open assumptions?
  • Can you describe how CloudFront integrates with S3 and Route 53 during failure, scaling, and monitoring events?
