AWS CloudTrail - SOA-C03 Practice Questions

Review account activity auditing, organization trails, data events, management events, log file validation, and central log retention.

29 Questions Available
2 Exam Domains


SOA-C03 CloudTrail Question Bank (29 Questions)

Browse all 29 practice questions covering AWS CloudTrail for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 - Security & Compliance

    A SysOps Administrator must ensure that all AWS API calls across 5 accounts are encrypted at rest and cannot be tampered with. The existing CloudTrail organization trail delivers logs to a central S3 bucket. Which additional configurations ensure integrity and encryption?

    A. Enable CloudTrail log file integrity validation, which generates a digest file with hashes for each log file, and enable SSE-KMS encryption on the trail using a customer managed KMS key.
    B. Enable S3 versioning on the destination bucket and use server-side encryption with S3-managed keys (SSE-S3) only.
    C. Use S3 Object Lock in Compliance mode on the trail bucket without integrity validation.
    D. Enable CloudTrail Insights for tamper detection.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

  2. Question 2 - Security & Compliance

    A security team needs to investigate who deleted a specific S3 object on a particular date. The bucket contains millions of objects. CloudTrail is enabled for management events only. The security team finds no record of the `DeleteObject` API call. What must be changed to capture `DeleteObject` events?

    A. Enable S3 server access logging on the bucket.
    B. Configure CloudTrail event selectors to include **data events** for the S3 bucket, since `DeleteObject` is a data event not captured by default management event logging.
    C. Enable S3 versioning so that deletes create delete markers instead of removing objects.
    D. Enable CloudTrail Insights to detect unusual deletion patterns.

  3. Question 3 - Select All That Apply - Security & Compliance

    A SysOps administrator needs to ensure that all API calls made in an AWS account are logged, including read-only management events and data events for S3 and Lambda. The trail must be tamper-proof. Which configuration is required? (Select TWO)

    A. Create a CloudTrail trail with management events (read and write) and data events for S3 and Lambda enabled
    B. Enable log file integrity validation on the trail
    C. Configure CloudTrail to deliver logs to CloudWatch Logs instead of S3
    D. Enable AWS Config to supplement CloudTrail with resource configuration history
    E. Create a separate trail for each AWS service to isolate the logs

  4. Question 4 - Select All That Apply - Monitoring, Logging & Remediation

    A SysOps administrator needs to identify all AWS API calls made by a specific IAM user over the past 90 days, including write actions to S3 and EC2. The organization trail stores logs in a central S3 bucket. (Select TWO.)

    A. Use the CloudTrail Event history console to search for the IAM user's activity over the past 90 days.
    B. Use Amazon Athena to query the CloudTrail logs stored in S3, filtering by the user's ARN and event sources for S3 and EC2.
    C. Use CloudWatch Logs Insights to query CloudTrail logs, assuming CloudTrail is configured to deliver logs to a CloudWatch Logs group.
    D. Use AWS Config to search for all configuration changes made by the user.
    E. Enable CloudTrail Insights to detect unusual write API activity by the user.

  5. Question 5 - Security & Compliance

    A security team wants to log all S3 object-level API activity (GetObject, PutObject, DeleteObject) for a specific bucket to detect unauthorized data access. They already have a CloudTrail trail capturing management events. What additional configuration is required?

    A. Enable CloudTrail S3 data events for the specific bucket in the existing trail; data events are not captured by default.
    B. Enable S3 server access logging on the bucket, which captures all object-level activity.
    C. No additional configuration — CloudTrail captures all S3 data events by default when a trail is active.
    D. Enable Amazon Macie on the bucket to monitor data access patterns.

  6. Question 6 - Monitoring, Logging & Remediation

    An administrator sets up an EventBridge rule with the following event pattern to capture IAM policy changes:

    ```json
    {
      "source": ["aws.iam"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventName": [
          { "prefix": "Put" },
          { "prefix": "Delete" },
          { "prefix": "Attach" },
          { "prefix": "Detach" }
        ]
      }
    }
    ```

    The rule is triggering for events such as `PutObject` from S3. What is the problem?

    A. The prefix matching on `eventName` matches across all AWS services, not just IAM; the administrator should add a filter on `detail.eventSource` equal to `iam.amazonaws.com`
    B. The `source` field for IAM events should be `aws.cloudtrail` instead of `aws.iam`
    C. EventBridge does not support prefix matching on the `eventName` field
    D. The rule should use `detail.userIdentity.type` to scope events to IAM operations

  7. Question 7 - Security & Compliance

    A SysOps administrator enabled CloudTrail in all regions for an AWS account. The security team asks the administrator to identify unusual API call patterns, such as a spike in calls from an IAM principal that does not normally make those calls. Which CloudTrail feature provides this analysis?

    A. CloudTrail Lake, which allows SQL-based queries on CloudTrail events
    B. CloudTrail Insights, which automatically detects unusual API call volume and error rate patterns and generates insight events
    C. CloudTrail event history, which stores the last 90 days of management events for manual review
    D. CloudTrail log file integrity validation, which detects if log files have been tampered with

  8. Question 8 - Security & Compliance

    A SysOps administrator notices that a CloudTrail Insights event was generated for unusually high `RunInstances` API calls. Upon investigation, the calls originated from an IAM role used by an Auto Scaling group. What should the administrator do FIRST?

    A. Immediately revoke the IAM role's permissions to stop the instance launches
    B. Review the Auto Scaling group's scaling policies and recent CloudWatch alarms to determine if the scaling activity is expected behavior caused by a legitimate traffic spike
    C. Enable GuardDuty and scan for compromised credentials
    D. Delete the CloudTrail Insights event to prevent false alarms in the future

  9. Question 9 - Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS CloudTrail. They notice management events are not logged for a specific region. What is the MOST likely cause?

    A. CloudTrail is a global service and does not log regional events
    B. The trail is configured as a single-region trail for a different region
    C. CloudTrail requires explicit resource ARNs to log events
    D. Management events are not supported by CloudTrail

  10. Question 10 - Security and Compliance

    A SysOps administrator uses CloudTrail and discovers that API calls are being made from an unknown IP address using a specific IAM role. What should be done?

    A. Immediately revoke all active sessions for the IAM role
    B. Investigate the role's trust policy and recent assumption events; if compromised, revoke active sessions by attaching a deny-all policy with a time condition
    C. Delete the IAM role
    D. Change the IAM role's permissions to read-only

  11. Question 11 - Security and Compliance

    A SysOps administrator uses CloudTrail. An incident investigation requires analysis of API calls from 2 years ago. What must be configured to retain CloudTrail data beyond 90 days?

    A. Enable CloudTrail event history (automatically retains 90 days)
    B. Configure a trail to deliver to S3 with an S3 lifecycle policy for long-term retention
    C. Use CloudTrail Lake with a retention period up to 7 years
    D. Both B and C

  12. Question 12 - Monitoring, Logging & Remediation

    An organization's security team notices unusual spikes in `RunInstances` API calls during off-hours. They want an automated mechanism that detects anomalous patterns in management event volume — without writing custom code or setting static thresholds — and generates a finding. Which service should the SysOps Administrator enable?

    A. Amazon GuardDuty with default threat detection.
    B. AWS CloudTrail Insights events, which automatically detect unusual write management event activity.
    C. AWS Config rule to detect `RunInstances` calls exceeding a threshold.
    D. Amazon Detective, which visualizes API call patterns over time.

  13. Question 13 - Monitoring, Logging & Remediation

    A security team wants to run SQL-based queries across 90 days of CloudTrail events to investigate suspicious IAM activity patterns such as access key creation followed by privilege escalation. The data should be queryable without managing additional infrastructure. Which service should the administrator use?

    A. Export CloudTrail logs to S3 and query with Amazon Athena
    B. Use CloudTrail Lake to create an event data store and run SQL queries
    C. Stream CloudTrail logs to CloudWatch Logs and use Logs Insights
    D. Use Amazon OpenSearch Service with a CloudTrail log ingestion pipeline

  14. Question 14 - Select All That Apply - Security & Compliance

    A SysOps administrator must ensure that all CloudTrail log files are encrypted, tamper-evident, and stored in a centralized S3 bucket. Which combination of configurations should the administrator enable? (Select TWO)

    A. Enable SSE-KMS encryption on the CloudTrail trail configuration using a customer-managed KMS key
    B. Enable S3 default encryption with SSE-S3 on the destination bucket
    C. Enable CloudTrail log file integrity validation
    D. Configure S3 server access logging on the CloudTrail destination bucket
    E. Enable CloudTrail Insights events

  15. Question 15 - Monitoring, Logging & Remediation

    An operations team needs CloudTrail to detect when an IAM user creates access keys for another user, specifically when `CreateAccessKey` is called by one principal for a different user. The event should trigger an EventBridge rule. How should the administrator distinguish this from a user creating keys for themselves?

    A. Enable CloudTrail Insights and filter for unusual `CreateAccessKey` activity patterns.
    B. Create an EventBridge rule that matches CloudTrail events where `eventName` is `CreateAccessKey` and uses an input transformer to compare the `userIdentity.arn` with the `requestParameters.userName`.
    C. Use a CloudWatch Logs metric filter on the CloudTrail log group that extracts both the caller identity and target username, then alarm when they differ.
    D. Configure an AWS Config custom rule that evaluates IAM key creation events.

  16. Question 16 - Security & Compliance

    A company uses AWS CloudTrail and wants to detect when a root user logs into any account in the Organization. Which configuration captures and alerts on root user sign-in events?

    A. Create a CloudWatch Logs metric filter on the CloudTrail log group that matches events where `userIdentity.type` is `Root` and `eventName` is `ConsoleLogin`, then create a CloudWatch alarm.
    B. Enable AWS Config rule `root-account-mfa-enabled` which sends an alert when root logs in.
    C. Enable GuardDuty, which automatically generates a finding for all root user activity.
    D. Create an SCP that denies root user login across all member accounts.

  17. Question 17 - Monitoring, Logging & Remediation

    A company uses AWS CloudTrail to log API activity across all regions. The security team reports that CloudTrail log files stored in Amazon S3 may have been tampered with. Which feature should the administrator enable to detect unauthorized modifications to CloudTrail log files?

    A. Enable S3 server access logging on the CloudTrail bucket
    B. Enable CloudTrail log file integrity validation
    C. Enable S3 Object Lock in governance mode on the CloudTrail bucket
    D. Enable AWS Config rules to monitor the CloudTrail bucket

  18. Question 18 - Security & Compliance

    An organization requires cross-account access from a security audit account (Account S) to read CloudTrail logs stored in a centralized S3 bucket in the logging account (Account L). The security team in Account S must not be able to modify or delete any objects. What is the MOST secure way to configure this?

    A. Create an IAM role in Account L with a policy allowing only `s3:GetObject` and `s3:ListBucket` on the log bucket, with a trust policy allowing Account S to assume the role, and add a condition restricting the source IP to the security team's VPN range
    B. Create a bucket policy on the log bucket granting `s3:GetObject` directly to the IAM users in Account S
    C. Enable public access on the bucket with a presigned URL generator that creates short-lived read-only URLs
    D. Replicate the CloudTrail logs to an S3 bucket in Account S using cross-region replication

  19. Question 19 - Security & Compliance

    A SysOps administrator wants to ensure that all CloudTrail log files are encrypted at rest using a customer-managed KMS key. After configuring the trail to use a CMK, the administrator notices that some users can no longer read the log files from the S3 bucket. What is the MOST likely cause?

    A. The users' IAM policies do not include `kms:Decrypt` permission for the CMK used to encrypt the CloudTrail log files
    B. The S3 bucket policy was automatically updated to deny read access when CMK encryption was enabled
    C. CloudTrail requires a separate IAM role for encrypted log delivery, which was not configured
    D. The KMS key policy does not allow the S3 service principal to use the key for encryption

  20. Question 20 - Deployment, Provisioning & Automation

    A SysOps administrator needs to deploy a standardized security baseline (AWS Config rules, CloudTrail, and GuardDuty) across 50 AWS accounts. The deployment must be centrally managed and automatically applied to new accounts joining the organization. Which approach is MOST suitable?

    A. Use CloudFormation StackSets with service-managed permissions and automatic deployment enabled, targeting the organization root
    B. Create a CloudFormation nested stack and manually deploy it in each account
    C. Use AWS Control Tower Account Factory to apply the baseline
    D. Write an AWS Lambda function triggered by the CreateAccountResult CloudTrail event to deploy templates

  21. Question 21 - Security & Compliance

    A security team has configured AWS Audit Manager to collect evidence for a SOC 2 assessment. The assessment generates evidence from AWS Config rules, CloudTrail logs, and Security Hub findings. After one month, the team needs to generate an assessment report for the auditor. What should they do?

    A. Export the evidence from Audit Manager to an S3 bucket and compile a manual report
    B. Generate an assessment report directly from the Audit Manager console, which assembles all collected evidence
    C. Use Amazon Athena to query the evidence stored in S3 and create a custom report
    D. Request the report from AWS Artifact

  22. Question 22 - Monitoring, Logging, and Remediation

    A SysOps administrator wants to trace a user API call that caused a configuration change in AWS. Which service provides the full audit trail?

    A. CloudWatch Logs
    B. AWS CloudTrail — event history or CloudTrail Lake
    C. AWS Config timeline
    D. VPC Flow Logs

  23. Question 23 - Security and Compliance

    A SysOps administrator uses CloudTrail and needs to verify that log files have not been tampered with since they were delivered to S3. Which CloudTrail feature provides this?

    A. CloudTrail log encryption
    B. CloudTrail log file integrity validation with digest files
    C. S3 object versioning
    D. CloudTrail event source verification

  24. Question 24 - Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS CloudTrail Lake. How does CloudTrail Lake differ from standard CloudTrail trails?

    A. CloudTrail Lake stores events in S3 while trails store them in DynamoDB
    B. CloudTrail Lake provides a managed event data store with SQL-based query capability, eliminating the need to set up Athena over S3
    C. CloudTrail Lake only captures data events, not management events
    D. CloudTrail Lake is available only in us-east-1

  25. Question 25 - Select All That Apply - Security and Compliance

    A SysOps administrator wants to ensure that an S3 bucket used for CloudTrail logs cannot be deleted or have its logging disabled. Which policies enforce this?

    A. S3 bucket policy denying s3:DeleteBucket and cloudtrail:StopLogging for all principals except the root
    B. S3 Object Lock on CloudTrail log files
    C. AWS Config rule for CloudTrail enabled
    D. SCP denying cloudtrail:StopLogging

  26. Question 26 - Security and Compliance

    A SysOps administrator needs to ensure that CloudTrail logging cannot be disabled in any account in an AWS Organization. Which control prevents this?

    A. SCP with Deny on cloudtrail:StopLogging and cloudtrail:DeleteTrail
    B. AWS Config rule to re-enable CloudTrail when disabled
    C. S3 bucket policy preventing deletion of CloudTrail logs
    D. CloudTrail log file integrity validation

  27. Question 27 - Security and Compliance

    A SysOps administrator is reviewing a CloudTrail event and wants to determine if the action was taken by an IAM role assumed via cross-account access. Which CloudTrail field indicates this?

    A. userIdentity.type: Root
    B. userIdentity.type: AssumedRole with roleArn from a different account ID
    C. sourceIPAddress field
    D. requestParameters field

  28. Question 28 - Security and Compliance

    A SysOps administrator discovers that CloudTrail is not logging events for a newly created S3 bucket. What is the most likely cause?

    A. S3 data events are not enabled in the trail configuration
    B. CloudTrail does not support S3 logging
    C. The S3 bucket is in a different region than the trail
    D. Management events require a separate trail

  29. Question 29 - Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS CloudTrail and wants to ensure that all CloudTrail events are delivered to a centralized S3 bucket in a security account. Which approach ensures this from ALL accounts?

    A. Create an organization trail in CloudTrail from the management account
    B. Create individual trails in each member account pointing to the central S3 bucket
    C. Use EventBridge cross-account event bus
    D. Use CloudWatch Logs cross-account subscription filters


Key CloudTrail Concepts for SOA-C03

cloudtrail, trail, organization trail, management event, data event, api call, log file validation

SOA-C03 CloudTrail Exam Tips

AWS CloudTrail questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: cloudtrail, trail, organization trail, management event, data event, api call.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • CloudTrail scenarios for SOA-C03 are frequently mapped to Domain 1 (22%) and Domain 4 (16%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where CloudTrail interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value CloudTrail Concepts

  • Know the core CloudTrail building blocks cold: cloudtrail, trail, organization trail, management event.
  • Review the edge-case features and limits for data event, api call; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how CloudTrail pairs with CloudWatch, AWS Config, and IAM in real deployment patterns.
  • For SOA-C03, explain why the chosen CloudTrail design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Monitoring, Logging, Analysis, Remediation, and Performance Optimization often include distractors that look correct for CloudTrail but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two CloudTrail implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for CloudTrail without relying on default-open assumptions?
  • Can you describe how CloudTrail integrates with CloudWatch and AWS Config during failure, scaling, and monitoring events?
