🖥️ Amazon Elastic Compute Cloud (EC2) - SOA-C03 Practice Questions

Review instance operations, status checks, AMIs, launch templates, user data, instance metadata, Fleet, and troubleshooting EC2 workloads.

211 Questions Available
5 Exam Domains

SOA-C03 EC2 Question Bank (211 Questions)

Browse all 211 practice questions covering Amazon Elastic Compute Cloud (EC2) for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 | Deployment, Provisioning & Automation

    A SysOps Administrator manages EC2 instances launched from a launch template. The current default version is version 3. The administrator creates version 4 with an updated AMI. New Auto Scaling group instances should use version 4, but the administrator wants to retain the ability to quickly revert to version 3. How should this be configured?

    A. Update the Auto Scaling group to reference launch template version 4 explicitly.
    B. Set launch template version 4 as the default version; the Auto Scaling group already references `$Default`, so new launches automatically use version 4, and reverting requires only changing the default back to version 3.
    C. Delete launch template version 3 and keep only version 4.
    D. Create a new launch template and update the Auto Scaling group to reference the new template.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  2. Question 2 | Deployment, Provisioning & Automation

    A SysOps Administrator needs to create an EC2 launch template that specifies the AMI, instance type, keypair, and a user-data script, but also needs to allow the Auto Scaling group to override the instance type with multiple types for Spot diversification. How should the launch template be structured?

    A. Create the launch template with all parameters including the instance type; the ASG mixed instances policy overrides array will take precedence for instance type selection while using the template's other settings.
    B. Create the launch template without specifying an instance type and define all instance types in the ASG configuration only.
    C. Create multiple launch templates, one per instance type, and assign each to a separate ASG.
    D. Use a launch configuration instead, which supports instance type overrides natively.

  3. Question 3 | Deployment, Provisioning & Automation

    A SysOps Administrator uses Systems Manager Automation to patch a fleet of EC2 instances. The runbook should stop the instance, create an AMI, start the instance, and apply patches. If any step fails, the instance should be restored from the AMI. Which Systems Manager Automation feature supports this multi-step workflow with rollback?

    A. Use a Systems Manager Automation runbook (document) with sequential steps for stop, create AMI, start, and patch, and define an `onFailure` action to roll back using the AMI.
    B. Create separate Systems Manager Run Command documents for each step and chain them using EventBridge rules.
    C. Use AWS Step Functions to orchestrate the individual SSM Run Command calls.
    D. Create a maintenance window with multiple tasks assigned to separate task targets.

  4. Question 4 | Deployment, Provisioning & Automation

    A SysOps administrator is using AWS Systems Manager Automation to patch a fleet of EC2 instances. The automation document needs to first create AMI backups of all instances, then apply patches, and finally verify patch compliance. If the patching step fails, the AMI backups should be used to restore the instances. Which Systems Manager Automation feature supports this workflow?

    A. Use an Automation document with multiple steps and configure `onFailure: step:RestoreFromAMI` on the patching step
    B. Use a maintenance window with sequential tasks
    C. Create separate automation documents for each step and chain them using EventBridge
    D. Use Step Functions to orchestrate the Systems Manager Run Command calls

  5. Question 5 | Reliability & Business Continuity

    A SysOps administrator is configuring an Auto Scaling group that uses an Application Load Balancer. The administrator wants instances to be replaced only when they fail to respond to application-level health checks, not just EC2 status checks. What must the administrator configure?

    A. Set the Auto Scaling group health check type to `ELB` and ensure the ALB target group health check path returns HTTP 200 for healthy instances.
    B. Set the Auto Scaling group health check type to `EC2` and configure a custom CloudWatch alarm to terminate unhealthy instances.
    C. Configure a Route 53 health check pointing to each instance and associate it with the Auto Scaling group.
    D. Add a lifecycle hook that runs a health check script before marking the instance as healthy.

  6. Question 6 | Select All That Apply | Deployment, Provisioning & Automation

    A company's security policy requires all EC2 instances to use IMDSv2 (Instance Metadata Service Version 2) and prohibits the use of IMDSv1. The administrator needs to enforce this across all new instances. How should this be implemented? (Select TWO)

    A. Set `HttpTokens` to `required` in the launch template metadata options
    B. Create an SCP that denies `ec2:RunInstances` unless the `ec2:MetadataHttpTokens` condition key is `required`
    C. Configure the AWS Config rule `ec2-imdsv2-check` to detect non-compliant instances
    D. Disable IMDSv1 globally in the EC2 service settings for the Region
    E. Use a VPC endpoint policy to block IMDSv1 requests from instances

  7. Question 7 | Deployment, Provisioning & Automation

    A SysOps administrator is writing a CloudFormation template that deploys an EC2 instance with a user data script. The script installs software and then signals CloudFormation that the instance setup is complete. The stack should fail if the signal is not received within 10 minutes. Which CloudFormation feature should the administrator use?

    A. `AWS::CloudFormation::WaitCondition` with a timeout of 600 seconds and `cfn-signal` in the user data
    B. `DependsOn` attribute with a sleep command in the user data script
    C. CloudFormation `CreationPolicy` on the EC2 resource with a timeout of `PT10M` and `cfn-signal` in the user data
    D. A custom resource Lambda function that polls the instance until the setup is complete

  8. Question 8 | Deployment, Provisioning & Automation

    A SysOps Administrator wants to launch a group of EC2 instances for a high-performance computing (HPC) workload that requires low-latency, high-throughput network communication between instances. Which Launch Template configuration ensures the instances are placed for optimal network performance?

    A. Configure the Launch Template with a `cluster` placement group, which places instances in a single Availability Zone on closely located hardware for the lowest network latency.
    B. Configure the Launch Template with a `spread` placement group to distribute instances across distinct hardware.
    C. Configure the Launch Template with a `partition` placement group to isolate groups of instances.
    D. Specify a Dedicated Host in the Launch Template.

  9. Question 9 | Monitoring, Logging & Remediation

    A SysOps Administrator configures a CloudWatch alarm to automatically recover an EC2 instance when the `StatusCheckFailed_System` metric triggers. The instance is backed by an EBS volume. After a system status check failure, the alarm transitions to ALARM but the instance does not recover. What is the MOST LIKELY reason?

    A. The alarm action was set to `Stop` instead of `Recover`.
    B. The instance uses instance-store volumes, and the recover action only works with EBS-backed instances.
    C. The IAM role attached to the instance does not include the `ec2:RecoverInstances` permission.
    D. The alarm evaluation period is too long and the instance auto-healed before the action executed.

  10. Question 10 | Select All That Apply | Deployment, Provisioning & Automation

    A SysOps administrator is managing an Auto Scaling group (ASG) that uses a launch template. The administrator updates the launch template to version 2 with a new AMI. However, existing instances in the ASG continue to use the old AMI. What should the administrator do to update all existing instances to the new AMI? (Select TWO)

    A. Update the ASG to reference launch template version 2 (or `$Latest`)
    B. Initiate an instance refresh on the ASG
    C. Terminate all existing instances and let the ASG replace them
    D. Update the launch configuration instead of the launch template
    E. Modify the running instances' AMI using the `ModifyInstanceAttribute` API

  11. Question 11 | Deployment, Provisioning & Automation

    A company has an Auto Scaling group using a launch template. The administrator needs to update the AMI used by the group. After updating the launch template with a new AMI and creating a new version, the existing instances still run the old AMI. What should the administrator do to replace running instances with the new AMI?

    A. Terminate all instances and let the Auto Scaling group launch new ones
    B. Start an instance refresh on the Auto Scaling group
    C. Update the Auto Scaling group's desired capacity to 0 and then back to the original value
    D. Detach all instances from the Auto Scaling group and reattach them

  12. Question 12 | Monitoring, Logging, and Remediation

    A SysOps administrator must be notified when an EC2 instance's status check fails. Which is the MOST direct approach?

    A. Create a CloudWatch alarm on StatusCheckFailed metric → SNS topic → email
    B. Use AWS Config to detect status check failures
    C. Enable EC2 detailed monitoring and poll CloudTrail
    D. Set up an EventBridge rule for EC2 state changes

  13. Question 13 | Monitoring, Logging, and Remediation

    A SysOps administrator wants CloudWatch to automatically recover an EC2 instance when a system status check fails. Which action should be configured on the alarm?

    A. SNS notification to trigger a Lambda remediation function
    B. EC2 auto-recovery action (recover) on the alarm
    C. Auto Scaling terminate and replace
    D. AWS Systems Manager Automation runbook

  14. Question 14 | Reliability and Business Continuity

    A SysOps administrator wants to configure an Auto Scaling Group to replace instances when they fail EC2 status checks (not just ELB health checks). What must be enabled?

    A. Set the health check type to EC2 (default) — it already monitors status checks
    B. Change the ASG health check type from EC2 to ELB
    C. Add a CloudWatch alarm to terminate unhealthy instances
    D. Enable detailed monitoring on the ASG

  15. Question 15 | Security and Compliance

    A SysOps administrator needs to ensure EC2 instances use Instance Metadata Service v2 (IMDSv2) only. Which configuration enforces this?

    A. Set the HttpTokens metadata option to 'required' on the instance or launch template
    B. Disable the instance metadata service entirely
    C. Use a VPC endpoint for EC2 metadata
    D. Apply an IAM policy restricting ec2:DescribeInstances

  16. Question 16 | Security and Compliance

    A SysOps administrator wants to enforce that all new EC2 instances must use IMDSv2 (instance metadata service v2). How is this enforced at scale?

    A. Configure the EC2 launch template to require IMDSv2 (HttpTokens: required)
    B. AWS Config rule ec2-imdsv2-check with auto-remediation
    C. SCP denying ec2:RunInstances when HttpTokens is optional
    D. All of the above

  17. Question 17 | Select All That Apply | Deployment, Provisioning & Automation

    A SysOps administrator uses AWS Systems Manager to manage a fleet of 200 EC2 instances. The administrator needs to ensure that all instances have a specific set of software packages installed and maintain that state continuously. If an instance drifts from the desired state, it should be automatically corrected. (Select TWO.)

    A. Use Systems Manager State Manager with an association that runs an SSM document defining the desired software packages.
    B. Use Systems Manager Patch Manager to define a custom patch baseline that includes the required software packages.
    C. Configure the association to run on a schedule (e.g., every 30 minutes) to detect and correct drift automatically.
    D. Use Systems Manager Run Command to execute a one-time installation script across all instances.
    E. Use AWS Config rules to detect when packages are missing and trigger a Lambda function for remediation.

  18. Question 18 | Cost & Performance Optimization

    A company is running a large fleet of EC2 instances of various types and sizes. The SysOps administrator wants to identify instances that are consistently underutilized and get specific recommendations for right-sizing. Which AWS tool should the administrator use?

    A. AWS Compute Optimizer, which analyzes CloudWatch metrics and provides right-sizing recommendations with projected cost savings.
    B. AWS Cost Explorer's right-sizing recommendations based on instance utilization data.
    C. AWS Trusted Advisor performance checks that flag low-utilization instances.
    D. Amazon CloudWatch dashboards with custom metrics showing CPU and memory utilization for manual analysis.

  19. Question 19 | Reliability & Business Continuity

    A company's disaster recovery plan requires pre-built AMIs to be available in a secondary region (`eu-west-1`) so that EC2 instances can be launched within minutes if the primary region (`us-east-1`) fails. What must the SysOps Administrator configure?

    A. Create an EBS snapshot in `us-east-1` and share it with the `eu-west-1` region using resource sharing.
    B. Use the `CopyImage` API or EC2 Image Builder to copy the AMI from `us-east-1` to `eu-west-1`, and automate this after each AMI update.
    C. Store the AMI in an S3 bucket with cross-region replication enabled.
    D. Create a launch template in `eu-west-1` referencing the `us-east-1` AMI ID.

  20. Question 20 | Deployment, Provisioning & Automation

    A company requires that all EC2 instances in their fleet have the CloudWatch Agent installed, running, and configured with a specific configuration file from SSM Parameter Store. If an instance's agent stops or the configuration drifts, it must be automatically corrected within 30 minutes. Which Systems Manager feature provides this desired-state enforcement?

    A. SSM Run Command executed manually whenever drift is detected.
    B. SSM State Manager with an association that applies the CloudWatch Agent configuration document on a 30-minute schedule.
    C. SSM Patch Manager with a custom patch baseline that includes the CloudWatch Agent.
    D. SSM Inventory to detect which instances are missing the CloudWatch Agent, followed by manual remediation.

  21. Question 21 | Monitoring, Logging & Remediation

    A SysOps Administrator must configure the CloudWatch Agent on a fleet of Windows EC2 instances to collect the following: the `Memory % Committed Bytes In Use` performance counter, IIS request logs from `C:\inetpub\logs`, and custom application logs from `C:\AppLogs`. The configuration must be deployed consistently across all instances. Which approach should the administrator use?

    A. Manually install the CloudWatch Agent on each instance and use the configuration wizard to set up counters and log paths.
    B. Create the CloudWatch Agent configuration file (JSON) specifying the Windows performance counters and log file paths, store it in Systems Manager Parameter Store, then use a Systems Manager Run Command to install and configure the agent on all instances referencing the parameter.
    C. Use AWS Config to push the CloudWatch Agent configuration to each instance.
    D. Create an AMI with the CloudWatch Agent pre-installed and hard-code the configuration in the user-data script.

  22. Question 22 | Monitoring, Logging & Remediation

    A SysOps Administrator must collect memory utilization and disk usage metrics from a fleet of Amazon Linux 2 EC2 instances. The team also needs to collect the `/var/log/messages` system log and the `/opt/app/logs/application.log` application log. Which solution achieves this with the LEAST setup effort?

    A. Install the legacy CloudWatch Logs agent to ship the two log files or use a cron job with a custom script that calls the `PutMetricData` API for memory and disk.
    B. Install the CloudWatch unified agent, create an agent configuration file that specifies the two log files and the `mem_used_percent` and `disk_used_percent` metrics, then deploy the configuration using SSM Parameter Store.
    C. Enable detailed monitoring on the instances to capture memory and disk metrics automatically, and use VPC Flow Logs to capture log file data.
    D. Use AWS X-Ray to instrument the application, which will capture memory, disk, and log data.

  23. Question 23 | Select All That Apply | Deployment, Provisioning & Automation

    A SysOps Administrator runs Systems Manager Patch Manager across a fleet of 200 EC2 instances. After the latest patching cycle, the administrator needs to generate a report showing which instances are compliant, which are non-compliant, and which patches are missing. Which approach provides this report? (Select TWO.)

    A. Use the Systems Manager Compliance dashboard, which displays patch compliance status for all managed instances.
    B. Create a resource data sync in Systems Manager to export compliance data to an S3 bucket, then query with Amazon Athena for detailed compliance reports.
    C. Use EC2 instance metadata to query the installed patch list on each instance.
    D. Check the CloudTrail event log for `InstallPatches` API calls.
    E. Run `aws ssm list-compliance-items` for each individual instance manually.

  24. Question 24 | Select All That Apply | Security & Compliance

    A SysOps Administrator needs to allow a fleet of EC2 instances in a private subnet to access an S3 bucket without traversing the internet. The instances use an IAM instance profile for S3 access. The security team also requires that all S3 API requests are logged and that the endpoint does not incur per-hour or per-GB data processing charges. Which endpoint type should be used? (Select TWO.)

    A. Create an S3 Gateway VPC endpoint and add it to the route table of the private subnet.
    B. Gateway endpoints for S3 are free — there are no hourly or data processing charges, only standard S3 request charges apply.
    C. Create an S3 Interface VPC endpoint (PrivateLink) with private DNS enabled.
    D. Use a NAT Gateway to route S3 traffic through the internet gateway.
    E. Gateway endpoints do not support logging; use an Interface endpoint instead.

  25. Question 25 | Cost & Performance Optimization

    A company uses a fleet of T3 burstable EC2 instances for a development environment. The SysOps Administrator notices that several instances are running in `unlimited` mode and are incurring unexpected charges for surplus CPU credits. The team wants to monitor credit usage proactively. Which CloudWatch metric should the administrator monitor, and what action should be taken when credits are low?

    A. Monitor the `CPUCreditBalance` metric. When the balance approaches zero, the instance will use surplus credits in unlimited mode, incurring charges. The administrator should set a CloudWatch alarm on `CPUSurplusCreditsCharged` to detect when surplus charges begin accumulating, and consider right-sizing to a fixed-performance instance type.
    B. Monitor `CPUUtilization` only and scale out additional T3 instances when utilization is high.
    C. Monitor `NetworkIn` and `NetworkOut` to detect overutilization.
    D. Switch all instances to `standard` mode, which eliminates any CPU credit monitoring needs.

  26. Question 26 | Monitoring, Logging & Remediation

    An operations team needs to stop a fleet of development EC2 instances every night at 8 PM UTC and start them again at 7 AM UTC to save costs. The schedule must work on weekdays only and require no self-managed infrastructure. Which solution meets these requirements?

    A. Create two Amazon EventBridge Scheduler schedules — one with a cron expression for stop at 8 PM UTC weekdays targeting a Lambda function that calls `StopInstances`, and another for start at 7 AM UTC weekdays targeting a Lambda that calls `StartInstances`.
    B. Create two CloudWatch alarms on a custom metric that always evaluates to ALARM at the scheduled times, with EC2 stop and start as alarm actions.
    C. Use AWS Systems Manager Maintenance Windows with a cron schedule to run `AWS-StopEC2Instance` and `AWS-StartEC2Instance` Automation documents.
    D. Deploy an EC2 instance running a cron job with the AWS CLI to stop and start the fleet.

  27. Question 27 | Select All That Apply | Deployment, Provisioning & Automation

    A company uses AWS Systems Manager to manage a fleet of 200 EC2 instances. The administrator needs to understand the different types of SSM documents. Which statement correctly describes the three main document types? (Select TWO.)

    A. **Command documents** are used by SSM Run Command and State Manager to execute commands on managed instances (e.g., installing software, running scripts).
    B. **Automation documents** define multi-step workflows that can interact with AWS APIs (e.g., creating snapshots, restarting instances, approving changes).
    C. **Policy documents** define CloudWatch Agent configurations and are used exclusively by the CloudWatch Agent.
    D. **Command documents** can only run PowerShell scripts on Windows instances and cannot execute Bash scripts on Linux.
    E. **Automation documents** can only be run manually from the SSM console and do not support EventBridge or maintenance window triggers.

  28. Question 28 | Cost & Performance Optimization

    A company wants to reduce compute costs for a fleet of workloads that includes EC2 instances, Lambda functions, and Fargate tasks. The workloads run in multiple regions and may change instance types over time. Which Savings Plans type provides the broadest coverage across these compute services?

    A. EC2 Instance Savings Plans, which offer the highest discount but are locked to a specific instance family and region.
    B. Compute Savings Plans, which apply to any EC2 instance (regardless of family, size, OS, tenancy, or region), Lambda, and Fargate usage.
    C. SageMaker Savings Plans, which cover SageMaker, Lambda, and Fargate.
    D. Reserved Instances for EC2 combined with separate Lambda and Fargate reservations.

  29. Question 29 | Monitoring, Logging & Remediation

    A company runs a fleet of EC2 instances that must have the CloudWatch agent installed and running at all times. The SysOps administrator needs a solution that automatically detects when the agent stops and restarts it. Which solution requires the LEAST operational effort?

    A. Create a cron job on each instance to check the agent status every minute
    B. Use AWS Systems Manager State Manager to create an association that ensures the CloudWatch agent is running
    C. Write a Lambda function that uses SSM Run Command every 5 minutes to check agent status
    D. Configure an Auto Scaling group health check that terminates instances with a stopped agent

  30. Question 30 | Deployment, Provisioning & Automation

    A company requires that all Amazon EC2 instances launched in their AWS account must use a specific approved AMI. The SysOps administrator needs to enforce this policy. Which approach provides automated enforcement?

    A. Create an IAM policy that denies `ec2:RunInstances` unless the `imageId` condition matches the approved AMI
    B. Use AWS Config with a custom rule that checks the AMI ID and automatically terminates non-compliant instances
    C. Create an SCP in AWS Organizations that restricts `ec2:RunInstances` to the approved AMI using a condition key
    D. Use Amazon Inspector to scan for instances not using the approved AMI

  31. Question 31 | Deployment, Provisioning & Automation

    A SysOps administrator needs to ensure that EC2 instances in a specific fleet always have a particular set of software packages installed. If any package is missing, it should be automatically installed. Which Systems Manager feature should be used?

    A. Run Command with a scheduled CloudWatch Events rule
    B. State Manager with an association using `AWS-RunPowerShellScript` or `AWS-RunShellScript`
    C. State Manager with an association using the `AWS-ConfigureAWSPackage` document
    D. Patch Manager with a custom patch baseline

  32. Question 32 | Cost & Performance Optimization

    A SysOps administrator is using AWS Compute Optimizer and notices that several EC2 instances are classified as "over-provisioned." The instances are running memory-intensive workloads but are using compute-optimized instance types (C5 family). What should the administrator do?

    A. Switch the instances to memory-optimized instance types (R5 or R6i family) as recommended by Compute Optimizer
    B. Add more instances of the same type to distribute the memory load
    C. Enable EC2 Auto Scaling to dynamically adjust instance sizes
    D. Attach additional EBS volumes to use as swap space

  33. Question 33 | Monitoring, Logging & Remediation

    A company uses CloudWatch anomaly detection on the CPUUtilization metric for a fleet of EC2 instances. The team observes that each Monday morning the anomaly detection band does not account for the weekly traffic spike and raises false alarms. What should the administrator do to resolve this?

    A. Increase the anomaly detection band width threshold to 3 standard deviations
    B. Exclude Monday data from the anomaly detection model by specifying an exclusion period
    C. Delete the anomaly detection model and recreate it after collecting at least 14 days of data
    D. Create a separate anomaly detection model that only evaluates Monday metrics

  34. Question 34 | Monitoring, Logging & Remediation

    A SysOps administrator has separate CloudWatch alarms for CPU utilization, memory utilization, and disk I/O on a fleet of production EC2 instances. The team wants a single alarm that enters ALARM state only when both the CPU alarm and the memory alarm are in ALARM state, regardless of the disk I/O alarm. Which approach should the administrator take?

    A. Create a metric math expression that adds the CPU and memory metrics together, then alarm on the combined metric
    B. Create a CloudWatch composite alarm with an alarm rule expression using AND logic for the CPU and memory alarms
    C. Use an EventBridge rule to capture both alarm state changes and trigger a Lambda function that evaluates the combined state
    D. Configure a CloudWatch anomaly detection model that monitors both metrics simultaneously

  35. Question 35 | Select All That Apply | Reliability & Business Continuity

    A company wants to validate that their pilot light DR setup in us-west-2 can meet a 4-hour RTO. The pilot light environment has a cross-Region RDS read replica and AMIs copied to us-west-2 but no running EC2 instances. What should the administrator include in the failover test plan? (Select TWO.)

    A. Promote the cross-Region RDS read replica to a standalone instance and verify the application can connect to the new database endpoint
    B. Launch EC2 instances from the copied AMIs in us-west-2, verify they pass health checks, and register them with the load balancer
    C. Fail over the Route 53 DNS records from us-east-1 to us-west-2 during the actual production failover only; do not test DNS changes
    D. Scale the pilot light EC2 instances to match production capacity by modifying the existing instance types
    E. Restore the RDS database from the latest automated snapshot in us-east-1 instead of promoting the read replica

  36. Question 36 | Deployment, Provisioning & Automation

    A SysOps administrator manages a fleet of EC2 instances using SSM State Manager. An association is configured to apply a security baseline document to all instances tagged `Environment=Production`. A new instance was launched with the correct tags 30 minutes ago but the association has not yet applied. What is the MOST likely reason?

    A. State Manager associations with tag-based targets can take up to 1 hour to detect newly launched instances through periodic target resolution
    B. The instance's SSM agent version is too old to support State Manager associations
    C. State Manager only applies associations at the scheduled time; newly launched instances must wait for the next scheduled execution
    D. The instance must be manually registered as a managed instance before State Manager can apply associations

  37. Question 37 | Deployment, Provisioning, and Automation

    A SysOps administrator needs to create an AMI from a running EC2 instance. What happens to the instance during AMI creation?

    A. The instance is automatically stopped before the AMI is created
    B. The AMI is created while the instance is running (no-reboot option), which may cause file system inconsistency
    C. The instance is terminated after AMI creation
    D. The instance is paused for the duration of the snapshot

  38. Question 38 | Deployment, Provisioning, and Automation

    A SysOps administrator wants to automatically replace EC2 instances when a new AMI is available in an Auto Scaling Group. What is the recommended approach?

    A. Manually update the launch template and force terminate instances
    B. Update the ASG launch template with the new AMI ID and use instance refresh to gradually replace instances
    C. Create a new ASG with the new AMI and switch the load balancer
    D. Use SSM Automation to update all instances in place

  39. Question 39 | Security and Compliance

    A SysOps administrator needs to ensure all EC2 instances in an account are using approved AMIs. Which AWS service detects and reports non-compliant instances?

    A. Amazon Inspector
    B. AWS Config rule (approved-amis-by-id or approved-amis-by-tag)
    C. AWS Security Hub
    D. CloudTrail

  40. Question 40 | Cost and Performance Optimization

    A SysOps administrator uses EC2 Reserved Instances and wants to change the instance type within the same family. Which RI feature allows this?

    A. Only Convertible Reserved Instances can be exchanged for a different instance type
    B. Standard Reserved Instances can be modified (AZ, scope, instance size within the same family on Linux)
    C. Reserved Instances cannot be modified once purchased
    D. Both A and B apply

  41. Question 41 | Cost and Performance Optimization

    A SysOps administrator has many EC2 instances of different families. They want a single commitment that covers all of them with flexibility. Which option is BEST?

    A. Multiple Standard Reserved Instances (one per instance family)
    B. Compute Savings Plans — flexible across instance families, sizes, and regions
    C. On-Demand capacity reservations
    D. Spot instances for all workloads

  42. Question 42 | Monitoring, Logging, and Remediation

    A SysOps administrator monitors a fleet of EC2 instances and wants to identify which instance has the highest CPU utilization at any given time. Which CloudWatch feature shows this?

    A. CloudWatch Contributor Insights analyzing EC2 CPU metrics
    B. CloudWatch Metrics Insights query: `SELECT MAX(CPUUtilization) FROM EC2 GROUP BY InstanceId ORDER BY MAX DESC`
    C. CloudWatch dashboards with individual instance widgets
    D. Both B and C show this data

  43. Question 43 | Deployment, Provisioning, and Automation

    A SysOps administrator needs to create an AMI from a running EC2 instance. The instance runs a database that must be consistent. Which option ensures data consistency?

    A. Stop the instance, create the AMI, restart the instance
    B. Create the AMI with no-reboot=false (allow reboot) or stop writes before creating AMI
    C. Take an EBS snapshot first, then create an AMI from the snapshot
    D. Use EC2 Image Builder to create a consistent AMI

  44. Question 44 | Monitoring, Logging & Remediation

    A SysOps administrator notices that an Amazon EC2 instance's CPU utilization has been spiking unpredictably over the past week. The administrator needs to be alerted only when the CPU stays above 85% for at least three consecutive 5-minute evaluation periods, to avoid false alarms from brief spikes. Which approach should the administrator take?

    A. Create a CloudWatch alarm with a threshold of 85%, a period of 5 minutes, and set the datapoints to alarm to 3 out of 3.
    B. Create a CloudWatch alarm with a threshold of 85%, a period of 15 minutes, and set the datapoints to alarm to 1 out of 1.
    C. Create a CloudWatch anomaly detection alarm on CPU utilization and set the band width to 2.
    D. Create a CloudWatch composite alarm that combines three separate CPU alarms each with a different evaluation period.

  45. Question 45 | Monitoring, Logging & Remediation

    A SysOps administrator needs to automatically remediate Amazon EC2 instances that have a specific required tag missing. The administrator wants to use AWS Config to detect non-compliant resources and automatically add the missing tag. Which combination of AWS Config features should the administrator use?

    A. Use the `required-tags` managed rule and configure automatic remediation with an SSM Automation document that calls the `ec2:CreateTags` API.
    B. Use a custom AWS Config rule backed by a Lambda function, and have the Lambda function directly tag the instance within the evaluation logic.
    C. Use the `required-tags` managed rule and configure an EventBridge rule that triggers an SNS notification to the operations team.
    D. Use AWS Config conformance packs with a custom remediation script embedded in the conformance pack template.

  46. Question 46 | Monitoring, Logging & Remediation

    A company uses Amazon CloudWatch Logs to store application logs from several EC2 instances. The operations team needs to create a metric that counts the number of `ERROR` log entries per minute and triggers an alarm when the count exceeds 50. Which approach should the team use?

    A. Create a CloudWatch Logs metric filter that matches the pattern `ERROR`, publish it as a custom metric, and create a CloudWatch alarm on that metric.
    B. Use CloudWatch Logs Insights to run a scheduled query every minute that counts ERROR entries and sends the results to an SNS topic.
    C. Configure the CloudWatch agent to parse ERROR entries and publish them as EMF (Embedded Metric Format) logs, then create an alarm on the extracted metric.
    D. Enable CloudWatch Logs anomaly detection on the log group and set the anomaly threshold to 50.

  47. Question 47 | Select All That Apply | Monitoring, Logging & Remediation

    A SysOps administrator is troubleshooting an issue where an EC2 instance's custom memory and disk metrics are not appearing in CloudWatch. The CloudWatch agent is installed and running on the instance. (Select TWO.)

    A. The EC2 instance's IAM role is missing the `cloudwatch:PutMetricData` permission.
    B. The CloudWatch agent configuration file does not include the `metrics` section for memory and disk.
    C. Detailed monitoring has not been enabled on the EC2 instance.
    D. The CloudWatch agent is configured to send metrics to a different AWS Region than the one being viewed.
    E. The EC2 instance does not have the `AmazonSSMManagedInstanceCore` policy attached.

  48. Question 48 | Reliability & Business Continuity

    A company runs a stateful application on EC2 instances behind an Application Load Balancer in an Auto Scaling group. During a scale-in event, users connected to a terminating instance lose their in-progress work. The administrator needs to allow the instance to complete active requests before termination. What should the administrator configure?

    A. Enable connection draining on the ALB target group and increase the deregistration delay.
    B. Add a lifecycle hook for the `autoscaling:EC2_INSTANCE_TERMINATING` event and configure it to send a notification to an SQS queue that the instance monitors.
    C. Configure the Auto Scaling group's default cooldown period to a longer value.
    D. Set the health check grace period on the Auto Scaling group to allow more time for active connections to finish.

  49. Question 49 | Deployment, Provisioning & Automation

    A SysOps administrator is deploying an EC2 instance via CloudFormation. The instance needs to download and install packages, create files, and start services during launch. The administrator wants CloudFormation to wait for a success signal before marking the resource as `CREATE_COMPLETE`. Which combination of CloudFormation helper scripts should the administrator use?

    A. Use `cfn-init` to process the metadata configuration and `cfn-signal` to send a success or failure signal back to CloudFormation's `CreationPolicy`.
    B. Use `cfn-init` to process the metadata and `cfn-hup` to signal CloudFormation when the initialization is complete.
    C. Use `cfn-get-metadata` to download the configuration and `cfn-signal` to send the completion status.
    D. Include all initialization commands in the `UserData` script and rely on CloudFormation's default timeout to determine success.

  50. Question 50 | Deployment, Provisioning & Automation

    A SysOps administrator needs to patch all Amazon Linux 2 EC2 instances in the production environment during a specific 4-hour maintenance window on Sunday nights. The administrator wants to approve patches within 7 days of their release and exclude kernel patches. Which Systems Manager features should the administrator configure?

    A. Create a custom patch baseline with auto-approval set to 7 days and a kernel patch exception list. Create a maintenance window scheduled for Sunday night, and register a Run Command task using `AWS-RunPatchBaseline` targeting the production instances.
    B. Use the default AWS-provided patch baseline and create a Systems Manager Automation document that runs patching commands during the maintenance window.
    C. Use Patch Manager's "Patch Now" feature with a custom patch baseline and schedule it to run only on Sundays.
    D. Configure AWS Config's `ec2-managedinstance-patch-compliance-status-check` rule and set up automatic remediation using Patch Manager.

  51. Question 51 | Deployment, Provisioning & Automation

    A SysOps administrator is managing application deployments using AWS CodeDeploy with an in-place deployment to EC2 instances. The new deployment is causing HTTP 500 errors. The administrator needs CodeDeploy to automatically detect the failure and roll back to the previous version. What should the administrator configure?

    A. Enable automatic rollback on deployment failure in the CodeDeploy deployment group configuration, and configure CloudWatch alarms for HTTP 500 errors as alarm-based rollback triggers.
    B. Create a Lambda function that monitors the deployment and calls the CodeDeploy `StopDeployment` API if errors are detected.
    C. Configure the deployment group with a minimum healthy hosts threshold of 100% so the deployment stops if any instance fails.
    D. Use a Blue/Green deployment type instead, which automatically rolls back if health checks fail.

  52. Question 52 | Select All That Apply | Deployment, Provisioning & Automation

    A SysOps administrator needs to run an interactive shell session on an EC2 instance in a private subnet with no internet access. The instance has the SSM Agent installed. SSH is not permitted by the security policy. (Select TWO.)

    A. Use Systems Manager Session Manager to start a session to the instance.
    B. Configure VPC endpoints for `ssm`, `ssmmessages`, and `ec2messages` services in the VPC.
    C. Attach an Elastic IP to the instance temporarily to allow SSM connectivity.
    D. Open port 22 in the security group temporarily and use SSH through a bastion host.
    E. Configure a NAT Gateway in the VPC so the instance can reach the Systems Manager endpoints.

  53. Question 53 | Deployment, Provisioning & Automation

    A SysOps administrator is deploying a CloudFormation stack that includes an EC2 instance and an RDS database. The EC2 instance depends on the RDS database being available first. However, CloudFormation is launching the EC2 instance before the RDS instance is ready. How should the administrator fix this?

    A. Add a `DependsOn` attribute on the EC2 resource pointing to the RDS resource in the CloudFormation template.
    B. Add a `CreationPolicy` on the RDS instance with a timeout to ensure it is ready before the EC2 instance starts.
    C. Put the RDS instance in a nested stack that is deployed before the main stack.
    D. Use the `Fn::GetAtt` function in the EC2 resource to reference an attribute of the RDS instance, which implicitly creates a dependency.

  54. Question 54 | Security & Compliance

    A SysOps administrator needs to restrict IAM users in a development account from creating EC2 instances larger than `t3.medium`. The administrator wants this enforced account-wide regardless of any permissions granted by IAM policies. Which approach should the administrator use?

    A. Attach a Service Control Policy (SCP) to the development account's OU that denies `ec2:RunInstances` when the `ec2:InstanceType` condition key does not match allowed types.
    B. Create a permission boundary that restricts EC2 instance launches to `t3.medium` and smaller, and attach it to all IAM users.
    C. Modify the default VPC security group to reject traffic from instances larger than `t3.medium`.
    D. Create an AWS Config rule that terminates any EC2 instances larger than `t3.medium` after launch.

  55. Question 55 | Security & Compliance

    A SysOps administrator discovers that Amazon GuardDuty has generated a finding of type `UnauthorizedAccess:EC2/MaliciousIPCaller.Custom`. This indicates that an EC2 instance is communicating with a known malicious IP address. What should the administrator do as an immediate remediation step?

    A. Isolate the EC2 instance by changing its security group to one that denies all inbound and outbound traffic except for forensic access, and take an EBS snapshot for investigation.
    B. Immediately terminate the EC2 instance to stop the malicious communication.
    C. Add the malicious IP address to a WAF IP block list and monitor for further activity.
    D. Disable the instance's IAM role and revoke all active sessions to prevent further unauthorized access.

  56. Question 56 | Select All That Apply | Security & Compliance

    A SysOps administrator is setting up Amazon Inspector to assess EC2 instances for software vulnerabilities. The administrator wants Inspector to continuously scan instances whenever new CVEs are published and whenever new instances are launched. (Select TWO.)

    A. Enable Amazon Inspector and activate EC2 scanning, which provides continuous automated scanning.
    B. Ensure that the SSM Agent is installed and running on all EC2 instances, as Inspector uses it for software inventory.
    C. Create a scheduled Inspector assessment template that runs daily to check for new vulnerabilities.
    D. Install the Amazon Inspector agent manually on each instance.
    E. Configure an EventBridge rule to trigger an Inspector scan whenever a new EC2 instance enters the running state.

  57. Question 57 | Networking & Content Delivery

    A SysOps administrator needs to allow EC2 instances in a private subnet to access Amazon S3 without sending traffic over the internet. The solution should also ensure that traffic stays within the AWS network and does not incur NAT Gateway data processing charges for S3 traffic. What should the administrator configure?

    A. Create an S3 Gateway VPC endpoint and add a route to the private subnet's route table pointing to the endpoint.
    B. Create an S3 Interface VPC endpoint (powered by PrivateLink) in the private subnet.
    C. Configure the NAT Gateway to route S3 traffic over the AWS backbone using an optimized path.
    D. Set up VPC peering with the S3 service VPC in the same Region.

  58. Question 58 | Networking & Content Delivery

    A SysOps administrator is troubleshooting connectivity issues between an EC2 instance in a public subnet and the internet. The instance has a public IP address assigned, but outbound internet connections are timing out. The security group allows all outbound traffic. What should the administrator check?

    A. Verify that the subnet's route table has a route to `0.0.0.0/0` pointing to an internet gateway, and check that the network ACL allows outbound traffic and the corresponding inbound ephemeral port range.
    B. Verify that the internet gateway is attached to the VPC and that the instance has an Elastic IP instead of an auto-assigned public IP.
    C. Check that the VPC has DNS resolution and DNS hostnames enabled.
    D. Verify that the instance's IAM role has permissions to make outbound network connections.

  59. Question 59 | Cost & Performance Optimization

    A company runs a batch processing workload that can tolerate interruptions and has flexible execution times. The workload typically takes 3-4 hours to complete. The SysOps administrator wants to reduce the cost of the EC2 instances used for this workload by at least 60% compared to On-Demand pricing. Which purchasing option should the administrator choose?

    A. Spot Instances with a diversified fleet strategy across multiple instance types and Availability Zones, using Spot Instance interruption handling.
    B. Reserved Instances with a 1-year Standard term for the instance types used in the batch processing.
    C. On-Demand Instances with Savings Plans that provide a 60% discount.
    D. Dedicated Hosts with a 1-year reservation for guaranteed capacity.

  60. Question 60 | Monitoring, Logging & Remediation

    A company has configured AWS Health Dashboard notifications. The operations team wants to automatically create Jira tickets when AWS posts a scheduled maintenance event affecting their EC2 instances. Which approach should the administrator implement?

    A. Subscribe to the AWS Health RSS feed and use a polling script to detect new events
    B. Create an EventBridge rule matching AWS Health events for EC2 scheduled maintenance and target a Lambda function that creates Jira tickets via API
    C. Configure SNS topic subscriptions with email notifications and have the team manually create tickets
    D. Use CloudWatch alarms on the `StatusCheckFailed_System` metric to trigger a Lambda function

  61. Question 61 | Monitoring, Logging & Remediation

    A SysOps administrator needs to identify all EC2 instances across five accounts that have not sent metrics to CloudWatch in the last 24 hours, indicating potentially stopped or unhealthy agents. Which approach is MOST operationally efficient?

    A. Write a Lambda function in each account that queries EC2 and CloudWatch APIs, then aggregates results in a central S3 bucket
    B. Use Systems Manager Explorer to view managed instance compliance and filter for instances missing CloudWatch agent inventory
    C. Use CloudWatch cross-account search to query EC2 metrics and identify instances with no recent data points
    D. Create AWS Config rules in each account that check for the CloudWatch agent running and aggregate with a Config Aggregator

  62. Question 62 | Reliability & Business Continuity

    A SysOps administrator needs to update the AMI for an Auto Scaling group running 20 instances behind an ALB. The update must replace all instances with the new AMI while maintaining at least 90% capacity throughout the process. Which approach is MOST efficient?

    A. Create a new launch template version with the new AMI and start an instance refresh with `MinHealthyPercentage` set to 90
    B. Double the desired capacity, wait for new instances to pass health checks, then terminate old instances manually
    C. Create a new Auto Scaling group with the new AMI and use Route 53 weighted routing to shift traffic
    D. Terminate instances one at a time and let the Auto Scaling group launch replacements with the new launch template

  63. Question 63 | Deployment, Provisioning & Automation

    A SysOps administrator needs to install a third-party monitoring agent on 500 EC2 instances across multiple accounts and Regions. The agent package is distributed as an RPM and MSI and must be kept up to date automatically. Which Systems Manager capability should the administrator use?

    A. Systems Manager Run Command with a custom document
    B. Systems Manager Distributor with a custom package
    C. Systems Manager Patch Manager with a custom patch baseline
    D. Systems Manager State Manager with a shell script association

  64. Question 64 | Deployment, Provisioning & Automation

    An auditor requires proof that all managed EC2 instances have the latest SSM Agent version and the required antivirus software installed. Which Systems Manager feature provides a unified compliance view against these requirements?

    A. Systems Manager Inventory
    B. Systems Manager Compliance
    C. Systems Manager Patch Manager
    D. Systems Manager Session Manager audit logs

  65. Question 65 | Deployment, Provisioning & Automation

    A company uses AWS CodeDeploy to deploy a web application to EC2 instances behind an ALB. The deployment must allow rolling back quickly if errors are detected, and the team wants zero downtime. Which deployment configuration should the administrator use?

    A. In-place deployment with `AllAtOnce` configuration
    B. In-place deployment with `OneAtATime` configuration
    C. Blue/green deployment with traffic shifting using `CodeDeployDefault.AllAtOnce` on the replacement group
    D. Blue/green deployment with traffic shifting using `CodeDeployDefault.Linear10PercentEvery1Minute`

  66. Question 66 | Deployment, Provisioning & Automation

    An EC2 instance launched by an Auto Scaling group repeatedly fails the ELB health check and is terminated, causing a cycle of launch-fail-terminate. The administrator needs to troubleshoot. Which action should the administrator take FIRST?

    A. Temporarily suspend the `ReplaceUnhealthy` process on the Auto Scaling group to keep the failing instance for investigation
    B. Increase the health check grace period to give the instance more time to become healthy
    C. Change the Auto Scaling group health check type from ELB to EC2
    D. Remove the instance from the target group and investigate manually

  67. Question 67 | Security & Compliance

    A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no account in the "Production" OU can launch EC2 instances in any Region other than `eu-west-1` and `eu-central-1`. Which SCP strategy should the administrator apply?

    A. Attach an SCP to the Production OU that explicitly allows `ec2:RunInstances` only in `eu-west-1` and `eu-central-1` and denies all other actions
    B. Attach an SCP to the Production OU that denies `ec2:RunInstances` with a condition `StringNotEquals` on `aws:RequestedRegion` for `eu-west-1` and `eu-central-1`
    C. Remove the `FullAWSAccess` SCP from the Production OU to deny all actions by default
    D. Create IAM policies in each account that restrict Region usage

  68. Question 68 | Select All That Apply | Monitoring, Logging & Remediation

    An on-call engineer receives an AWS Health notification that a hardware degradation event is scheduled for one of their EC2 instances in 14 days. They need to determine the recommended remediation action and whether any other instances in the account are also affected. Which steps should the engineer take? (Select TWO.)

    A. Check the AWS Personal Health Dashboard (AWS Health Dashboard — Your account) to see the affected resources and AWS-recommended actions for the specific event.
    B. Check the AWS Service Health Dashboard to see if there is a region-wide outage affecting the instance's Availability Zone.
    C. Use the AWS Health API or EventBridge integration to programmatically list all resources affected by the same event ID.
    D. Run an Amazon Inspector assessment on the instance to check for hardware-related vulnerabilities.
    E. Check AWS Trusted Advisor for the "Amazon EC2 Scheduled Maintenance" check.

  69. Question 69 | Reliability & Business Continuity

    A company uses an Auto Scaling group with a lifecycle hook at the `pending:wait` state. Instances take 8 minutes to complete initialization before being placed in service. During a scale-out event, the ASG launches cold instances from the AMI, causing slow response to traffic spikes. The company wants instances to be pre-initialized and ready to serve traffic within 30 seconds of a scale-out. Which ASG feature achieves this?

    A. Increase the ASG maximum capacity to always keep extra running instances.
    B. Configure an ASG Warm Pool with instances in the `Stopped` state, combined with the existing lifecycle hook.
    C. Use Predictive Scaling to launch instances before the traffic spike occurs.
    D. Replace the lifecycle hook with a more efficient user data script.

  70. Question 70 | Deployment, Provisioning & Automation

    A SysOps Administrator wants to ensure that users deploying a CloudFormation stack can only select approved EC2 instance types (t3.micro, t3.small, t3.medium) and that the environment name parameter matches the pattern `env-[a-z]{3,10}`. Which CloudFormation parameter properties enforce these constraints?

    A. Use `AllowedValues` for the instance type parameter to restrict choices, and `AllowedPattern` with a regex on the environment name parameter.
    B. Use a `Condition` in the template that checks if the instance type is in an approved list and fails the stack if not.
    C. Use a CloudFormation Stack Policy that denies creation of non-approved instance types.
    D. Use an SCP that restricts the `ec2:RunInstances` API to the approved instance types.

  71. Question 71 | Deployment, Provisioning & Automation

    A CloudFormation template includes an `AWS::EC2::Instance` resource that must only be created when the `EnableBastion` parameter is set to `true`. If the parameter is `false`, the instance should not be created. Which CloudFormation construct implements this?

    A. Use `DeletionPolicy: Retain` on the instance resource so it persists regardless of the parameter.
    B. Define a condition `CreateBastion` using `Fn::Equals: [!Ref EnableBastion, "true"]`, then add `Condition: CreateBastion` to the EC2 instance resource.
    C. Use a `Mappings` section keyed by the `EnableBastion` parameter value that returns the instance type or `AWS::NoValue`.
    D. Use an `Fn::If` in the template's `Resources` section root level that wraps the entire resource definition.

  72. Question 72 | Deployment, Provisioning & Automation

    A SysOps Administrator needs to apply a standard set of tags (Project, Owner, CostCenter) to all new EC2 and RDS instances at launch. If an instance is launched without these tags, it must be tagged automatically within minutes. Which Systems Manager feature enforces this?

    A. SSM Patch Manager with a custom patch that applies tags.
    B. SSM State Manager with an association running an Automation document that checks and applies required tags on a schedule.
    C. SSM Inventory with a custom inventory type for tags.
    D. SSM Compliance Manager with a tag compliance rule.

  73. Question 73 | Deployment, Provisioning & Automation

    A company uses AWS CodeDeploy with an in-place deployment configuration for their EC2 instances. During the last deployment, all 20 instances were updated simultaneously and a bug in the new version caused a complete outage. The company wants to limit the blast radius so that if a deployment fails, at least 75% of instances remain on the working version. Which CodeDeploy deployment configuration achieves this?

    A. `CodeDeployDefault.OneAtATime` — deploys to one instance at a time.
    B. `CodeDeployDefault.HalfAtATime` — deploys to up to 50% of instances at a time.
    C. Create a custom deployment configuration with a minimum healthy hosts value of 75%.
    D. Switch to a Blue/Green deployment type, which maintains the original fleet until the new fleet is validated.

  74. Question 74 | Security & Compliance

    A company uses AWS Security Hub across 5 accounts. When Security Hub detects a critical GuardDuty finding (e.g., cryptocurrency mining on an EC2 instance), the security team wants to automatically isolate the affected instance by replacing its security group with an empty one. Which integration enables this automated response?

    A. Configure Security Hub to directly invoke an SSM Automation document when a critical finding is generated.
    B. Create an EventBridge rule that matches Security Hub findings with critical severity, targeting a Lambda function that replaces the instance's security group.
    C. Enable AWS Config auto-remediation with a custom SSM document for GuardDuty findings.
    D. Configure GuardDuty to directly modify security groups when a cryptocurrency mining finding is detected.

  75. Question 75 | Select All That Apply | Security & Compliance

    Amazon Inspector identifies a finding indicating that an EC2 instance has a network path that allows unrestricted inbound access from the internet on port 3389 (RDP), even though the application does not require RDP access. The security team wants to remediate this. Which actions should be taken? (Select TWO.)

    A. Remove the inbound rule allowing port 3389 from `0.0.0.0/0` in the instance's security group.
    B. Check the Network ACL for the instance's subnet and ensure it does not allow inbound traffic on port 3389 from `0.0.0.0/0`.
    C. Disable Amazon Inspector network reachability analysis to suppress the finding.
    D. Migrate the instance to a private subnet without an internet gateway.
    E. Enable AWS Shield Advanced to block RDP brute-force attacks.

  76. Question 76 | Networking & Content Delivery

    An EC2 instance in a VPC cannot resolve public DNS hostnames for other EC2 instances in the same VPC. The instance can reach the internet and resolve external domains. Which VPC settings must be enabled to allow EC2 instances to have public DNS hostnames that can be resolved within the VPC?

    A. Enable `enableDnsSupport` (DNS resolution) only.
    B. Enable both `enableDnsSupport` (DNS resolution) AND `enableDnsHostnames` (DNS hostnames) on the VPC.
    C. Create a Route 53 Private Hosted Zone and associate it with the VPC.
    D. Modify the VPC's DHCP option set to include a custom DNS server.

  77. Question 77 | Networking & Content Delivery

    A company runs Active Directory domain controllers on-premises. They want all EC2 instances in their VPC to use the on-premises AD DNS servers (10.0.1.10, 10.0.1.11) for DNS resolution instead of the default AWS-provided DNS. Which VPC configuration change enables this?

    A. Modify the VPC's route table to route DNS traffic (port 53) to the on-premises network via the VPN gateway.
    B. Create a custom DHCP option set with the on-premises DNS server IPs in the `domain-name-servers` field, and associate it with the VPC.
    C. Configure each EC2 instance's `/etc/resolv.conf` to point to the on-premises DNS servers.
    D. Create Route 53 Resolver forwarding rules that forward all queries to the on-premises DNS servers.

  78. Question 78 | Networking & Content Delivery

    A company created a VPC gateway endpoint for S3. They want to restrict the endpoint so that EC2 instances in the VPC can only access a specific S3 bucket (`arn:aws:s3:::my-data-bucket` and `arn:aws:s3:::my-data-bucket/*`) through this endpoint. Where should this restriction be applied?

    A. In the S3 bucket policy using the `aws:sourceVpce` condition key.
    B. In the VPC endpoint policy attached to the gateway endpoint, specifying the allowed bucket ARNs.
    C. In the security group associated with the gateway endpoint.
    D. In the route table by adding specific routes only for the S3 bucket's IP addresses.

  79. Question 79 | Cost & Performance Optimization

    A company purchases multiple EC2 Reserved Instances but suspects some are underutilized — the RI coverage report shows high coverage, but the billing team notices that some RIs are attached to instances that run only 8 hours a day. Which AWS tool provides a detailed view of Reserved Instance utilization percentage to identify underused reservations?

    A. AWS Cost Explorer RI Coverage report.
    B. AWS Cost Explorer RI Utilization report, which shows the percentage of purchased RI hours actually used.
    C. AWS Trusted Advisor Reserved Instance Optimization check.
    D. AWS Budgets with an RI utilization alert.

  80. Question 80 | Select All That Apply | Cost & Performance Optimization

    A company runs data-intensive analytics workloads on EC2 instances using EBS volumes. The team experiences two types of bottlenecks: some workloads are limited by random read/write operations (IOPS), while others are limited by sequential large-block data transfer speed (throughput). Which approach should the SysOps Administrator take to optimize EBS volume selection? (Select TWO.)

    A. For IOPS-intensive workloads (e.g., transactional databases), select io2 Block Express volumes which support up to 256,000 IOPS per volume.
    B. For throughput-intensive workloads (e.g., big data analytics with large sequential reads), select st1 (Throughput Optimized HDD) volumes which provide up to 500 MiB/s throughput at lower cost.
    C. Use gp2 volumes for all workloads and rely on burst credits to handle peak IOPS.
    D. Increase the EC2 instance type rather than changing the volume type, as EBS performance is entirely determined by the instance.
    E. Use EBS Multi-Attach with io2 volumes for all workloads to double the available IOPS.

  81. Question 81 | Cost & Performance Optimization

    A company's EC2 instances in a private subnet use a NAT Gateway to access the internet. The majority of outbound traffic goes to Amazon S3, and the NAT Gateway data processing charges represent a significant portion of the monthly bill. Which architecture change reduces these costs the MOST?

    A. Replace the NAT Gateway with a NAT instance on a smaller EC2 instance type.
    B. Create an S3 gateway VPC endpoint, which routes S3 traffic through the AWS network at no additional data processing charge, bypassing the NAT Gateway.
    C. Enable S3 Transfer Acceleration to reduce the time data spends traversing the NAT Gateway.
    D. Move the EC2 instances to a public subnet with an Internet Gateway to avoid NAT Gateway charges entirely.

  82. Question 82 | Monitoring, Logging & Remediation

    A SysOps Administrator wants to use Amazon EventBridge to route EC2 instance state-change events to a Lambda function but needs to transform the event payload before delivery. The Lambda function expects a simplified JSON structure containing only the instance ID, state, and timestamp. Which EventBridge feature should the administrator use?

    A. Configure an EventBridge rule with an input transformer that defines an input path to extract the fields and an input template to format the output.
    B. Configure the EventBridge rule to route to an SQS queue, then have a second Lambda function read from the queue and transform the payload.
    C. Add a Lambda layer to the target function that strips unwanted fields from the event before the handler processes it.
    D. Use EventBridge Schema Registry to define the simplified schema and enable automatic payload conversion.

  83. Question 83 | Monitoring, Logging & Remediation

    A CloudWatch alarm on an EC2 instance's `StatusCheckFailed_System` metric has been in the `INSUFFICIENT_DATA` state since creation. The instance is running and healthy. What is the MOST likely cause?

    A. The alarm evaluation period is longer than the metric's reporting interval, causing gaps.
    B. The IAM role attached to the instance does not have permission to publish CloudWatch metrics.
    C. The alarm was created with an incorrect namespace or dimension, so CloudWatch cannot find matching data points.
    D. Detailed monitoring is not enabled, so the metric is only published every 5 minutes.

  84. Question 84 | Select All That Apply | Monitoring, Logging & Remediation

    A SysOps Administrator is troubleshooting why a CloudWatch Agent on an EC2 instance is not publishing custom metrics. The agent process is running, and the instance has internet connectivity. Which two items should the administrator verify FIRST? (Select TWO.)

    A. The IAM instance profile attached to the EC2 instance includes the `CloudWatchAgentServerPolicy` managed policy.
    B. The CloudWatch Agent configuration file specifies the correct metrics namespace and collection interval.
    C. The EC2 instance has detailed monitoring enabled in the console.
    D. The security group allows outbound traffic on port 443 to the CloudWatch API endpoint.
    E. The instance is launched in a public subnet with an Internet Gateway.

  85. Question 85 | Reliability & Business Continuity

    A company wants to ensure that no EC2 instance in an Auto Scaling group runs for longer than 7 days, to enforce patching and configuration freshness. The replacement should be rolling — not all instances at once. Which ASG feature achieves this?

    A. Create a scheduled scaling action that sets the desired capacity to 0 and back every 7 days.
    B. Configure the ASG maximum instance lifetime to 7 days (604800 seconds); the ASG will gradually replace instances as they exceed the lifetime.
    C. Use an ASG instance refresh with a 7-day recurring schedule.
    D. Create a Lambda function triggered by CloudWatch Events on a 7-day schedule to terminate and replace instances one at a time.

  86. Question 86 | Deployment, Provisioning & Automation

    A SysOps Administrator deploys an EC2 instance using CloudFormation. The instance must signal CloudFormation that it has finished bootstrapping (installing packages and starting services) before CloudFormation marks the resource as `CREATE_COMPLETE`. The administrator wants CloudFormation to wait up to 15 minutes for the signal. Which CloudFormation feature should be used?

    A. Add a `CreationPolicy` attribute with a `ResourceSignal` timeout of PT15M on the EC2 instance resource, and use `cfn-signal` in the UserData script to send a success signal.
    B. Add a `WaitCondition` resource and a `WaitConditionHandle` that the instance signals after bootstrapping.
    C. Add a `DependsOn` attribute that references a Lambda-backed custom resource which polls the instance health.
    D. Set the stack timeout to 15 minutes so that CloudFormation waits for all resources to signal.

  87. Question 87 | Deployment, Provisioning & Automation

    A SysOps Administrator's Elastic Beanstalk environment has become corrupted — the underlying EC2 instances are failing health checks and cannot be repaired through rolling updates. The administrator wants to recreate all the environment's resources (instances, load balancer, security groups) from scratch while keeping the environment name, URL, and configuration. Which action should the administrator take?

    A. Terminate the environment and create a new one with the same name and saved configuration.
    B. Use the Elastic Beanstalk "Rebuild Environment" action, which terminates all existing resources and recreates them using the current configuration.
    C. Perform a blue/green deployment by cloning the environment and swapping URLs.
    D. Manually terminate all EC2 instances through the EC2 console and let Elastic Beanstalk auto-heal.

  88. Question 88 | Deployment, Provisioning & Automation

    A company uses AWS Service Catalog to provide approved products to development teams. A new compliance requirement mandates that all launched EC2 instances must use encrypted EBS volumes. How should the SysOps Administrator enforce this through Service Catalog?

    A. Add a launch constraint to the Service Catalog product that uses an IAM role with permission to create only encrypted volumes.
    B. Update the CloudFormation template in the Service Catalog product to specify `Encrypted: true` on all EBS volume resources and add a template constraint that prevents users from changing it.
    C. Create an SCP that denies `ec2:CreateVolume` if the encryption flag is not set to true.
    D. Use AWS Config rules to detect unencrypted volumes after launch and terminate non-compliant instances.

  89. Question 89 | Deployment, Provisioning & Automation

    A SysOps Administrator uses CloudFormation to manage infrastructure. A stack update changes the `AvailabilityZone` property of an EC2 instance. According to CloudFormation, changing this property requires replacement. What happens during this update?

    A. CloudFormation stops the instance, moves it to the new AZ, and starts it again with the same instance ID.
    B. CloudFormation creates a new EC2 instance in the new AZ, waits for it to be healthy, then terminates the old instance; the physical resource ID changes.
    C. CloudFormation fails the update because the AZ property cannot be changed after creation.
    D. CloudFormation applies the AZ change with some interruption — a brief downtime while the instance migrates.

  90. Question 90 | Security & Compliance

    An organization has an AWS Organization with a root OU, a "Production" OU nested under the root, and a "Team-A" OU nested under "Production." An SCP attached to the root denies `ec2:TerminateInstances`, while the Production OU has an SCP that allows all EC2 actions. Can an IAM user in Team-A's account terminate EC2 instances?

    A. Yes — the Production OU SCP explicitly allows EC2 actions, which overrides the root deny.
    B. No — SCPs are evaluated as an intersection; the deny at the root OU blocks `ec2:TerminateInstances` regardless of the allow at the Production OU level.
    C. Yes — child OU SCPs take precedence over parent OU SCPs.
    D. It depends on the IAM policy attached to the user; SCPs only set the maximum permissions boundary.

  91. Question 91 | Security & Compliance

    A SysOps Administrator needs to allow an EC2 instance to access an S3 bucket and a DynamoDB table. The administrator does not want to store long-term credentials on the instance. Which approach should the administrator use?

    A. Create an IAM user, generate an access key, and store it in the instance's `~/.aws/credentials` file.
    B. Create an IAM role with policies for S3 and DynamoDB access, and attach the role to the EC2 instance via an instance profile.
    C. Store the access key and secret key in AWS Systems Manager Parameter Store and have the application retrieve them at startup.
    D. Enable the EC2 metadata service v1 (IMDSv1) to automatically provide credentials without any IAM role.

  92. Question 92 | Security & Compliance

    A company wants to implement Attribute-Based Access Control (ABAC) so that developers can only manage EC2 instances that are tagged with their department. For example, a developer in the "Engineering" department should only be able to start/stop EC2 instances tagged `Department=Engineering`. Which IAM policy approach implements this?

    A. Create separate IAM policies for each department and attach them to the corresponding IAM groups.
    B. Create a single IAM policy with a condition that checks that `aws:PrincipalTag/Department` matches `ec2:ResourceTag/Department`, and tag each IAM user/role with their department.
    C. Use an SCP that restricts EC2 actions based on resource tags.
    D. Configure resource-based policies on each EC2 instance to allow actions only from principals with matching tags.

  93. Question 93 | Security & Compliance

    A SysOps Administrator has an AWS Config rule that checks whether all EC2 instances have a specific tag (`CostCenter`). When an instance is found non-compliant, it should be automatically tagged with a default value of `Unknown` without manual intervention. Which approach achieves this?

    A. Configure the AWS Config rule with automatic remediation using an SSM Automation document (`AWS-SetRequiredTags`) that tags non-compliant instances.
    B. Create a CloudWatch Events rule that detects Config compliance state changes and invokes a Lambda function to apply the tag.
    C. Use an SCP to deny `ec2:RunInstances` unless the `CostCenter` tag is provided.
    D. Configure AWS Config to terminate non-compliant instances and relaunch them with the correct tag.

  94. Question 94 | Select All That Apply | Cost & Performance Optimization

    A SysOps Administrator receives a Cost Explorer recommendation to rightsize several EC2 instances from `m5.2xlarge` to `m5.xlarge` based on low CPU and memory utilization. Before implementing, what should the administrator verify? (Select TWO.)

    A. The instances' network throughput requirements, as downsizing may reduce the available network bandwidth.
    B. The Cost Explorer rightsizing recommendation accounts for peak usage patterns, not just average utilization.
    C. Whether the application running on the instance is memory-bound, as CloudWatch default metrics do not include memory utilization — the recommendation may not account for memory usage.
    D. Whether the instances are Reserved Instances, in which case downsizing would waste the existing reservation.
    E. Whether the instances are in a placement group, which prevents instance type changes.

  95. Question 95 | Cost & Performance Optimization

    A company runs a batch processing workload using a Spot Fleet. Occasionally, all Spot Instances are terminated simultaneously due to capacity reclaim, causing job failures. Which Spot Fleet allocation strategy minimizes the risk of simultaneous interruptions?

    A. `lowestPrice` — launches instances from the cheapest Spot pool.
    B. `diversified` — distributes instances across multiple Spot pools (instance types and AZs), reducing the likelihood that all instances are reclaimed at the same time.
    C. `capacityOptimized` — launches instances from the pool with the most available capacity.
    D. `InstancePoolsToUseCount` set to 1 — focuses on a single pool with the best price.

  96. Question 96 | Monitoring, Logging & Remediation

    A SysOps Administrator configures a CloudWatch alarm that monitors the `CPUUtilization` metric for an EC2 instance. The alarm fires unexpectedly during a brief spike that lasts only 1 minute, even though the intended threshold is a sustained high-CPU condition. The alarm uses a Period of 60 seconds and an Evaluation Period of 1 datapoint. Which change will ensure the alarm only fires during sustained CPU spikes?

    A. Change the statistic from Average to Maximum.
    B. Increase the Evaluation Periods to 5 and set Datapoints to Alarm to 3 of 5.
    C. Change the Period to 300 seconds while keeping Evaluation Periods at 1.
    D. Add an anomaly detection band instead of a static threshold.

  97. Question 97 | Monitoring, Logging & Remediation

    A SysOps Administrator enables CloudWatch Application Insights for a Windows EC2 instance running a .NET web application backed by SQL Server. After setup, the administrator notices that Application Insights is not detecting issues related to SQL Server query performance. What is the MOST likely reason?

    A. Application Insights does not support SQL Server — only .NET application-level metrics are collected.
    B. The resource group used for Application Insights does not include the RDS or EC2 instance running SQL Server, or the SQL Server Performance Counters are not enabled on the instance.
    C. The CloudWatch unified agent is not installed; Application Insights requires the legacy Logs agent.
    D. Application Insights only operates in Linux environments.

  98. Question 98 | Reliability & Business Continuity

    A company uses Amazon FSx for Windows File Server for shared storage across a fleet of Windows instances. The compliance team requires daily backups with a retention period of 90 days and the ability to restore to a specific point in time. Which approach meets these requirements?

    A. Configure automatic daily backups on the FSx file system with a 90-day retention period using the FSx console or API.
    B. Use AWS Backup to create a backup plan that schedules daily FSx backups with a 90-day retention lifecycle rule.
    C. Create a Windows scheduled task on one of the EC2 instances that runs `robocopy` to back up the file share to S3 daily.
    D. Enable Shadow Copies on the FSx volume, which automatically retains 90 days of file versions.

  99. Question 99 | Deployment, Provisioning & Automation

    A company has a scheduled product launch and needs to guarantee that 50 `m6i.xlarge` instances are available in `us-east-1a` starting next Monday for 7 days. The team wants to ensure capacity is reserved even if the Availability Zone becomes constrained. Which EC2 feature should the SysOps Administrator use?

    A. On-Demand Capacity Reservations that target `us-east-1a` for `m6i.xlarge`, matching the required instance count.
    B. A Savings Plan for `m6i.xlarge` in `us-east-1`.
    C. Spot Fleet with a diversified allocation strategy.
    D. A scheduled Reserved Instance.

  100. Question 100 | Networking & Content Delivery

    A SysOps Administrator is configuring a VPC that must support both IPv4 and IPv6 traffic. EC2 instances in public subnets need both IPv4 and IPv6 internet access, while instances in private subnets need outbound-only IPv6 internet access without being reachable from the internet. Which configuration meets these requirements?

    A. Assign an IPv6 CIDR block to the VPC and subnets. For private subnets, create an egress-only internet gateway and add a route for `::/0` pointing to it. For public subnets, use the standard internet gateway for both IPv4 and IPv6.
    B. Create a separate VPC for IPv6 traffic and peer it with the IPv4 VPC.
    C. Use a NAT Gateway for IPv6 outbound traffic from private subnets.
    D. Assign IPv6 addresses only to public subnets; private subnets cannot use IPv6.

  101. Question 101 | Networking & Content Delivery

    A company needs to inspect all traffic flowing to and from EC2 instances using a third-party network virtual appliance (e.g., a firewall) deployed as EC2 instances. The appliance should be transparent to the application and should not require modifying IP addresses. Which AWS service is designed for this use case?

    A. Gateway Load Balancer (GWLB) with GENEVE encapsulation, which routes traffic through the third-party appliance instances transparently and returns it to the original destination.
    B. Network Load Balancer with TCP listeners on all ports.
    C. Application Load Balancer with a fixed-response action for blocked traffic.
    D. AWS Network Firewall, which only supports AWS-native rule groups.

  102. Question 102 | Cost & Performance Optimization

    A company runs a stateless web application on EC2 Spot Instances behind an Auto Scaling group. The SysOps Administrator needs to handle Spot Instance interruptions gracefully. Which approach ensures minimal user impact when an instance receives a Spot interruption notice?

    A. Configure the ASG to use a mixed instances policy with multiple instance types and Availability Zones. Enable Capacity Rebalancing, which proactively launches replacement instances when Spot interruption risk increases. Use the 2-minute interruption notice to drain connections from the instance being terminated.
    B. Use Reserved Instances as a fallback within the same ASG.
    C. Set the Spot maximum price to the On-Demand price to prevent interruptions entirely.
    D. Store session state on the instance's local disk and restore it after relaunch.

  103. Question 103 | Select All That Apply | Monitoring, Logging & Remediation

    A company runs a high-frequency trading application on EC2 instances and needs CloudWatch metrics at 1-second granularity so the team can detect CPU spikes within seconds. The default CloudWatch metrics report at 5-minute intervals. Which steps must the administrator take? (Select TWO.)

    A. Install and configure the unified CloudWatch Agent on the EC2 instances with the `metrics_collection_interval` set to 1 second for the desired metrics.
    B. Enable detailed monitoring on the EC2 instances to switch from 5-minute to 1-minute resolution.
    C. Publish custom metrics to CloudWatch using the `PutMetricData` API with a `StorageResolution` of 1 (high-resolution).
    D. Change the EC2 instance type to a compute-optimized instance, which automatically publishes high-resolution metrics.
    E. Upgrade the AWS account to the CloudWatch Premium plan to unlock sub-minute metric resolution.

  104. Question 104 | Monitoring, Logging & Remediation

    A SysOps Administrator receives frequent CloudWatch alarms from SSM OpsCenter about patch compliance failures across 50 EC2 instances. The team wants OpsCenter to automatically run a remediation runbook that re-applies the missing patches whenever an OpsItem is created for this alarm. Which configuration achieves this?

    A. Create an EventBridge rule that matches OpsItem creation events with the source `aws.ssm` and target an SSM Automation document `AWS-RunPatchBaseline`.
    B. Configure the OpsItem to include an associated SSM Automation runbook. When an operator approves the OpsItem, OpsCenter executes the runbook automatically.
    C. Use AWS Config auto-remediation with the `AWS-RunPatchBaseline` Automation document triggered by the `ec2-managedinstance-patch-compliance-status-check` Config rule.
    D. Create a CloudWatch alarm action that directly invokes an SSM Run Command to apply patches.

  105. Question 105 | Reliability & Business Continuity

    A company needs to attach a single Amazon EBS volume to multiple EC2 instances simultaneously in the same Availability Zone so that a clustered application can perform concurrent read/write operations. Which EBS configuration supports this?

    A. Create a `gp3` volume and attach it to multiple instances using the `--multi-attach` flag.
    B. Create an `io2` volume with Multi-Attach enabled and attach it to up to 16 Nitro-based instances in the same AZ.
    C. Create an EFS file system instead, as EBS does not support multi-attach.
    D. Create an `io1` volume and use NFS sharing from one instance to the others.

  106. Question 106 | Reliability & Business Continuity

    A SysOps Administrator configures an Auto Scaling group (ASG) with a lifecycle hook on the `autoscaling:EC2_INSTANCE_LAUNCHING` event. The hook has a heartbeat timeout of 300 seconds. During a scale-out event, the instance takes 10 minutes to complete its configuration script. What happens when the heartbeat timeout expires before the script completes?

    A. The ASG automatically extends the timeout by another 300 seconds.
    B. The lifecycle action uses the default result, which is `ABANDON` unless overridden, and the instance is terminated.
    C. The instance continues launching normally because the timeout only applies to terminating lifecycle hooks.
    D. The ASG pauses and waits indefinitely until the administrator manually completes the lifecycle action.

  107. Question 107 - Reliability & Business Continuity

    After an Auto Scaling group scales out and launches a new EC2 instance, the instance fails the ELB health check after 60 seconds but the ASG does not terminate it. The ASG uses ELB health checks. What is the MOST LIKELY reason the unhealthy instance is not being replaced?

    A. The ASG health check grace period is set to a value greater than 60 seconds, so the ASG ignores health check failures during the grace period.
    B. ELB health checks are not supported with Auto Scaling groups.
    C. The instance is in a `Standby` state and ASG does not perform health checks on standby instances.
    D. The ASG has suspended the `ReplaceUnhealthy` process.

  108. Question 108 - Deployment, Provisioning & Automation

    A SysOps Administrator is creating a CloudFormation stack that includes an EC2 instance and an RDS database. The application on the EC2 instance requires the RDS endpoint to be available at boot time. However, the EC2 instance launches before the RDS instance finishes creating. Which CloudFormation resource attribute ensures the EC2 instance waits for the RDS instance to complete?

    A. Add a `CreationPolicy` attribute to the EC2 instance resource.
    B. Add a `DependsOn` attribute to the EC2 instance resource referencing the RDS resource logical ID.
    C. Add a `Metadata` attribute to the EC2 instance with the RDS endpoint value.
    D. Add an `UpdateReplacePolicy: Retain` attribute to the RDS resource.

  109. Question 109 - Deployment, Provisioning & Automation

    A company uses CloudFormation to deploy an Auto Scaling group. When the stack is updated with a new AMI, the administrator wants the ASG to perform a rolling update — replacing instances in batches while maintaining minimum capacity — rather than replacing the entire ASG resource. Which CloudFormation attribute should be configured on the ASG resource?

    A. `UpdatePolicy` with `AutoScalingRollingUpdate` settings specifying `MinInstancesInService`, `MaxBatchSize`, and `PauseTime`.
    B. `UpdateReplacePolicy: Retain` to keep the old ASG while the new one is created.
    C. `DependsOn` referencing the launch template so the ASG waits for the new template version.
    D. `DeletionPolicy: Retain` on the old ASG resource to prevent deletion during the update.

  110. Question 110 - Deployment, Provisioning & Automation

    A SysOps Administrator needs to run the `AWS-RunPatchBaseline` document on 500 instances simultaneously using SSM Run Command. To avoid overwhelming the fleet, the administrator wants to limit execution to 50 instances at a time with a maximum failure threshold of 10%. Which Run Command parameters should be configured?

    A. Set `MaxConcurrency` to `50` and `MaxErrors` to `10%`.
    B. Set `TimeoutSeconds` to 50 and `RetryAttempts` to 10.
    C. Set `Targets` to 50 instances per batch using multiple Run Command invocations.
    D. Set `RateControl` to `50/minute` and `ErrorThreshold` to `10%`.

  111. Question 111 - Deployment, Provisioning & Automation

    A company uses AWS CodeDeploy to deploy an application to EC2 instances. The instances are in an Auto Scaling group and are also tagged with `Environment=Production`. The deployment group should include ONLY instances that are both in the ASG AND have the `Environment=Production` tag. How should the deployment group be configured?

    A. Add the Auto Scaling group AND a tag group with `Environment=Production` to the deployment group. CodeDeploy targets the intersection (instances matching both criteria).
    B. Add only the Auto Scaling group to the deployment group; CodeDeploy automatically filters by tags.
    C. Create two separate deployment groups — one for the ASG and one for the tagged instances — and run the deployment on both.
    D. Use an EC2 tag group with two tags: the ASG name and `Environment=Production`.

  112. Question 112 - Deployment, Provisioning & Automation

    A CloudFormation template uses `Metadata: AWS::CloudFormation::Init` on an EC2 instance to install packages and configure files. The instance launches but the application is not configured. The `cfn-init` log shows no errors. What is the MOST LIKELY reason the CloudFormation Init metadata was not processed?

    A. The `cfn-init` helper script was not called in the instance's `UserData` script.
    B. The IAM instance profile does not have permission to call `cloudformation:DescribeStackResource`.
    C. The `Metadata` section has a syntax error that was silently ignored.
    D. CloudFormation Init only works on Amazon Linux AMIs, not on other operating systems.

  113. Question 113 - Networking & Content Delivery

    A SysOps Administrator needs to allow EC2 instances in a private subnet to access Amazon S3 without traversing the internet or a NAT gateway. The instances should also access DynamoDB privately. Which type of VPC endpoint should be created for S3 and DynamoDB?

    A. Create VPC interface endpoints (powered by AWS PrivateLink) for both S3 and DynamoDB.
    B. Create VPC gateway endpoints for both S3 and DynamoDB. Gateway endpoints are free and add a route to the VPC route table.
    C. Create a VPC gateway endpoint for S3 and an interface endpoint for DynamoDB.
    D. No endpoint is needed; private-subnet instances automatically use AWS's internal network for S3 and DynamoDB.

  114. Question 114 - Networking & Content Delivery

    Two VPCs are peered: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). An application in VPC-A needs to connect to an EC2 instance in VPC-B. The security group on the VPC-B instance references the security group ID of the VPC-A instance in its inbound rule. The connection fails. What is the MOST LIKELY cause?

    A. Security group cross-referencing works only within the same VPC. For peered VPCs, the inbound rule must use the CIDR block of VPC-A instead of a security group ID.
    B. The VPC peering connection's route table entries are missing.
    C. Security group cross-referencing across peered VPCs is supported only in the same Region. The VPCs are in different Regions.
    D. The VPC peering connection does not allow DNS resolution across VPCs.

  115. Question 115 - Networking & Content Delivery

    A company migrates to a new Application Load Balancer. After adding existing EC2 instances to the target group, the team observes that the new targets immediately receive full traffic and some requests are failing due to cold caches. Which ALB feature gradually increases traffic to newly registered targets?

    A. Connection draining (deregistration delay).
    B. ALB slow start mode, which linearly increases the share of requests sent to a newly registered target over a configured duration (30-900 seconds).
    C. Target group stickiness.
    D. Cross-zone load balancing.

  116. Question 116 - Networking & Content Delivery

    A SysOps Administrator suspects that an EC2 instance cannot reach an RDS database in another subnet. The administrator wants to verify whether the VPC configuration (route tables, security groups, NACLs) permits the connection without sending actual traffic. Which AWS tool performs this analysis?

    A. VPC Flow Logs analyzed with CloudWatch Logs Insights.
    B. VPC Reachability Analyzer, which analyzes the network path between a source and destination and identifies configuration issues without sending packets.
    C. AWS Network Access Analyzer, which identifies unintended network access.
    D. Traceroute from the EC2 instance to the RDS endpoint.

  117. Question 117 - Cost & Performance Optimization

    A company wants to automatically enforce cost controls. If monthly spending exceeds a budget threshold, the system should automatically stop non-critical EC2 instances and apply an SCP to prevent new resource creation. Which AWS service provides this automated response?

    A. AWS Cost Anomaly Detection with SNS notification.
    B. AWS Budgets with Budget Actions, which can automatically apply an IAM policy, apply an SCP, or stop specific EC2 instances when a budget threshold is breached.
    C. CloudWatch billing alarms with SNS notifications and a Lambda function.
    D. AWS Trusted Advisor cost optimization checks.

  118. Question 118 - Monitoring, Logging & Remediation

    A SysOps administrator notices that an Amazon EC2 instance's `StatusCheckFailed_System` metric is showing a value of 1 in CloudWatch. The instance is running a stateless web application behind an Application Load Balancer. What should the administrator do to resolve this with MINIMAL effort?

    A. Stop and start the instance to migrate it to a new host
    B. Reboot the instance from the EC2 console
    C. Create a CloudWatch alarm that triggers an EC2 `recover` action on the metric
    D. Terminate the instance and launch a new one manually

  119. Question 119 - Reliability & Business Continuity

    A company runs a critical application on Amazon EC2 instances in a single Availability Zone. The application uses an Amazon RDS Multi-AZ DB instance. The company wants to improve the application tier availability. Which architecture change provides the highest availability with MINIMAL application changes?

    A. Deploy EC2 instances across two Availability Zones behind an Application Load Balancer with an Auto Scaling group
    B. Deploy the application on AWS Lambda with an API Gateway
    C. Create an AMI and launch instances in another region with Route 53 failover
    D. Convert to a single large EC2 instance with enhanced networking

  120. Question 120 - Reliability & Business Continuity

    A SysOps administrator needs to create automated backups for Amazon EBS volumes attached to production EC2 instances. The backups must be retained for 30 days and older snapshots must be automatically deleted. Which solution meets these requirements with the LEAST operational overhead?

    A. Create a Lambda function triggered by CloudWatch Events to create snapshots daily and delete snapshots older than 30 days
    B. Use Amazon Data Lifecycle Manager (DLM) to create a lifecycle policy with a 30-day retention rule
    C. Use AWS Backup to create a backup plan with a 30-day retention period
    D. Write a script using the AWS CLI that runs as a cron job on an EC2 instance

  121. Question 121 - Deployment, Provisioning & Automation

    A company uses AWS Systems Manager Patch Manager to patch EC2 instances. Patch compliance reports show that several instances are non-compliant. The administrator needs to apply patches to only the non-compliant instances during the next maintenance window. Which approach should the administrator use?

    A. Create a patch baseline that targets only non-compliant instances
    B. Use `AWS-RunPatchBaseline` with the `Scan` operation to identify then manually patch non-compliant instances
    C. Use `AWS-RunPatchBaseline` with the `Install` operation — it will only install missing patches on each instance
    D. Create a new maintenance window task that filters instances by the `Patch compliance` tag

  122. Question 122 - Deployment, Provisioning & Automation

    A CloudFormation template contains an Amazon EC2 instance resource that requires software to be installed and configured before the stack creation is considered complete. The administrator has added a `cfn-signal` call at the end of the UserData script. What else must be added to the template to make CloudFormation wait for the signal?

    A. A `CreationPolicy` attribute on the EC2 instance resource with a `ResourceSignal` timeout
    B. A `WaitCondition` resource with a custom Lambda-backed signal handler
    C. A `DependsOn` attribute referencing a wait condition handle
    D. A `Metadata` attribute with `AWS::CloudFormation::Init` configuration

  123. Question 123 - Security & Compliance

    A company uses AWS Organizations with several organizational units (OUs). The security team requires that no AWS account in the `Production` OU can launch EC2 instances in any region other than `eu-west-1` and `eu-central-1`. Which approach should the administrator implement?

    A. Create an SCP attached to the Production OU that denies all EC2 actions unless the `aws:RequestedRegion` is `eu-west-1` or `eu-central-1`
    B. Create an IAM policy in each account that restricts EC2 actions to the specified regions
    C. Use AWS Config in each account to terminate instances launched in unapproved regions
    D. Configure VPC settings in each account to only allow resources in the specified regions

  124. Question 124 - Select All That Apply - Security & Compliance

    A SysOps administrator needs to grant an EC2 instance temporary access to a secret stored in AWS Secrets Manager. The secret is encrypted with a customer-managed KMS key. What permissions must the EC2 instance's IAM role have? (Select TWO)

    A. `secretsmanager:GetSecretValue` on the specific secret ARN
    B. `kms:Decrypt` on the KMS key used to encrypt the secret
    C. `secretsmanager:DescribeSecret` on all secrets in the account
    D. `kms:GenerateDataKey` on the KMS key used to encrypt the secret
    E. `sts:AssumeRole` on the Secrets Manager service role

  125. Question 125 - Networking & Content Delivery

    A SysOps administrator is configuring a VPC with public and private subnets. EC2 instances in the private subnet need to download software updates from the internet but must not be directly accessible from the internet. Which architecture component is required?

    A. An Internet Gateway attached to the VPC with a route from the private subnet
    B. A NAT Gateway deployed in a public subnet with a route from the private subnet to the NAT Gateway
    C. A VPC peering connection to a VPC with internet access
    D. An Elastic IP address attached to each private instance

  126. Question 126 - Networking & Content Delivery

    A SysOps administrator notices that an Application Load Balancer (ALB) is returning HTTP 502 (Bad Gateway) errors. The target group contains healthy EC2 instances. What is the MOST LIKELY cause?

    A. The security group on the ALB does not allow inbound traffic from the internet
    B. The target instances are returning responses larger than the ALB maximum response size
    C. The target instances are closing the connection to the ALB before sending a response, or the response is malformed
    D. The ALB's idle timeout is set too high

  127. Question 127 - Networking & Content Delivery

    A SysOps administrator needs to configure a Network Load Balancer (NLB) to preserve the client's source IP address when forwarding traffic to target EC2 instances. Which target type and configuration should be used?

    A. Use instance ID targets — NLB preserves the client source IP by default for instance targets
    B. Use IP address targets — NLB always preserves the client source IP regardless of target type
    C. Enable the `X-Forwarded-For` header on the NLB to pass the client IP
    D. Configure proxy protocol v2 on the NLB and targets to pass client IP information

  128. Question 128 - Monitoring, Logging & Remediation

    An administrator creates an EventBridge rule to capture EC2 instance state-change notifications and trigger a Lambda function when any instance enters the "stopped" state. The rule is not triggering. The event pattern is shown below:

    ```json
    {
      "source": ["aws.ec2"],
      "detail-type": ["EC2 Instance State-change Notification"],
      "detail": {
        "state": ["Stopped"]
      }
    }
    ```

    What is the cause of the issue?

    A. The event pattern is missing the `region` field
    B. The `state` value should be lowercase `stopped` because EventBridge event fields are case-sensitive
    C. The `detail-type` should be `EC2 Instance State Change`
    D. EventBridge cannot directly capture EC2 state change events; CloudTrail must be enabled first

  129. Question 129 - Monitoring, Logging & Remediation

    A company has configured a CloudWatch anomaly detection model on the `NetworkIn` metric for a group of EC2 instances. After a planned migration increased average traffic by 40%, the anomaly detection band is consistently flagging normal traffic as anomalous. What is the BEST approach to resolve this quickly?

    A. Delete the existing anomaly detection model and create a new one; it will automatically retrain on the new traffic pattern within 3 hours
    B. Increase the number of standard deviations in the anomaly detection band to accommodate the higher traffic
    C. Wait for the anomaly detection model to retrain automatically; the model adapts continuously and will adjust within 1-2 weeks
    D. Create an exclusion window covering the migration period so the model ignores the old baseline for that timeframe

  130. Question 130 - Reliability & Business Continuity

    A company requires that all EBS volumes attached to production EC2 instances have a snapshot taken immediately before any instance termination. What is the BEST way to automate this?

    A. Create an EventBridge rule matching EC2 instance state-change events to "shutting-down" state and trigger a Lambda function that creates EBS snapshots
    B. Create an ASG lifecycle hook for instance termination that triggers a Lambda function via EventBridge to snapshot all attached EBS volumes before completing the lifecycle action
    C. Enable DLM with a 1-hour snapshot schedule to ensure recent snapshots always exist
    D. Configure the instances with a shutdown script that calls the AWS CLI to create EBS snapshots

  131. Question 131 - Select All That Apply - Security & Compliance

    A company's security team needs to respond to AWS Security Hub critical findings by automatically isolating affected EC2 instances. (Select TWO.)

    A. Create a Security Hub custom action that sends the finding to EventBridge when manually triggered by an analyst
    B. Create an EventBridge rule matching Security Hub findings with severity "CRITICAL" that triggers a Lambda function to replace the instance's security group with a forensics isolation group
    C. Configure Security Hub to directly invoke a Lambda function when a critical finding is generated
    D. Use AWS Config auto-remediation to change the security group of non-compliant EC2 instances
    E. Configure GuardDuty to automatically quarantine instances, since Security Hub aggregates GuardDuty findings

  132. Question 132 - Networking & Content Delivery

    A company has a VPC endpoint (gateway type) for S3. The administrator needs to restrict the endpoint so that EC2 instances in the VPC can only access a specific S3 bucket through the endpoint. How should this be configured?

    A. Attach a VPC endpoint policy to the S3 gateway endpoint that allows `s3:*` actions only on the specific bucket ARN
    B. Modify the S3 bucket policy to include a condition limiting access to the VPC endpoint ID using `aws:sourceVpce`
    C. Configure the route table associated with the endpoint to only route traffic for the specific bucket's IP range
    D. Use security groups on the VPC endpoint to restrict access to the specific bucket

  133. Question 133 - Networking & Content Delivery

    A company needs to ensure that all DNS queries from EC2 instances in their VPC for `partner.example.com` are forwarded to a partner-operated DNS server at 10.0.5.53, which is reachable through a VPN connection. How should this be configured?

    A. Create a Route 53 Resolver outbound endpoint, then create a forwarding rule for `partner.example.com` that directs queries to 10.0.5.53
    B. Create a Route 53 Resolver inbound endpoint with the partner's DNS server as the target
    C. Modify the VPC's DHCP options set to include 10.0.5.53 as a secondary DNS server
    D. Create a private hosted zone for `partner.example.com` and add records pointing to 10.0.5.53

  134. Question 134 - Cost & Performance Optimization

    A company runs a large I/O-intensive PostgreSQL database on an EC2 instance using a 2 TB gp2 EBS volume. The database team reports inconsistent read latency during peak hours. The current volume provides a baseline of 6,000 IOPS. Which change would provide the MOST cost-effective performance improvement?

    A. Migrate from gp2 to gp3 and configure 10,000 IOPS and 400 MB/s throughput, since gp3 allows independent IOPS provisioning at lower cost than gp2
    B. Migrate to an io2 Block Express volume with 16,000 IOPS provisioned
    C. Add a second gp2 volume and configure RAID 0 for increased IOPS
    D. Increase the gp2 volume size to 4 TB to double the baseline IOPS to 12,000

  135. Question 135 - Cost & Performance Optimization

    AWS Compute Optimizer flags an EC2 instance as "over-provisioned" and recommends downsizing from m5.2xlarge to m5.xlarge. Before making the change, what should the SysOps administrator verify to ensure the recommendation is valid?

    A. Review the Compute Optimizer recommendation details to check that the analysis period covers at least 14 days of data and that peak CPU and memory utilization are within the recommended instance type's capacity
    B. Confirm that the instance has the CloudWatch agent installed reporting memory metrics, since Compute Optimizer uses only CPU utilization by default
    C. Verify that the instance is not part of an Auto Scaling group, as Compute Optimizer does not support ASG instances
    D. Check that the instance was running continuously during the analysis period without any stopped intervals

  136. Question 136 - Deployment, Provisioning & Automation

    A SysOps administrator manages 500 EC2 instances across multiple accounts using AWS Systems Manager. The team needs to ensure that all instances have a specific set of packages installed and a configuration file updated daily at 2 AM UTC. Which SSM feature is the BEST fit?

    A. Create an SSM Run Command document and schedule it with a CloudWatch Events cron rule
    B. Create an SSM State Manager association with the desired document, apply it to targets using resource groups, and configure a cron schedule expression for daily 2 AM UTC execution
    C. Create an SSM Maintenance Window with a daily 2 AM UTC schedule and register the instances as targets with the Run Command task
    D. Deploy a Lambda function on a 2 AM schedule that iterates over all instances and invokes SSM Run Command for each one

  137. Question 137 - Deployment, Provisioning & Automation

    A SysOps administrator needs to update the instance type of a running EC2 instance managed by CloudFormation from `t3.medium` to `t3.large`. Before executing the update, the administrator creates a change set. What will the change set show for this modification?

    A. Replacement: True — the instance will be terminated and a new instance with the new type will be created
    B. Replacement: Conditional — the instance may be replaced depending on whether it is in a stopped state
    C. Replacement: False — the instance will be stopped, the instance type modified, and then restarted (an update with no replacement)
    D. The change set will show an error because instance types cannot be modified for running instances

  138. Question 138 - Deployment, Provisioning & Automation

    A SysOps administrator needs to ensure that all newly launched, SSM-managed EC2 instances in a specific organizational unit automatically join a domain controller within 10 minutes of launch. Which SSM capability should be used?

    A. Create an SSM Automation document that runs on a schedule every 10 minutes to detect new instances and join them to the domain
    B. Create an SSM State Manager association targeting the OU's instances with the `AWS-JoinDirectoryServiceDomain` document and associate it with a rate expression of 10 minutes
    C. Configure SSM Distributor to push the domain join agent package to all new instances
    D. Create an EventBridge rule that triggers when new EC2 instances enter the "running" state and invokes SSM Run Command with the domain join document

  139. Question 139 - Security & Compliance

    A SysOps administrator needs to restrict access to an S3 bucket so that only EC2 instances in a specific VPC can access it. The bucket should deny all requests that do not originate from that VPC. Which approach is correct?

    A. Create an S3 bucket policy with a `Deny` statement for all actions where `aws:SourceVpc` does not match the VPC ID, combined with a VPC gateway endpoint for S3
    B. Configure the S3 bucket ACL to allow access only from the VPC's CIDR range
    C. Create a security group that allows outbound traffic to S3 and attach it to all EC2 instances in the VPC
    D. Create an S3 access point with a VPC-restricted network origin and deny all access through the bucket's direct endpoint

  140. Question 140 - Security & Compliance

    A SysOps administrator enabled GuardDuty in a multi-account organization setup. The administrator account receives findings from all member accounts. A member account reports a `Recon:EC2/PortProbeUnprotectedPort` finding for an internet-facing EC2 instance running a public-facing web application. This is expected behavior. The administrator wants to suppress this finding type only for this specific instance. What is the correct approach?

    A. Create a GuardDuty suppression rule in the administrator account with a filter for the finding type `Recon:EC2/PortProbeUnprotectedPort` and the instance ID of the specific EC2 instance
    B. Add the EC2 instance's public IP to the GuardDuty trusted IP list in the member account
    C. Disable the `Recon:EC2/PortProbeUnprotectedPort` detector in GuardDuty for the member account
    D. Create an EventBridge rule in the member account to auto-archive findings matching this type and instance

  141. Question 141 - Networking & Content Delivery

    A SysOps administrator is setting up DNS resolution for a hybrid environment. On-premises servers need to resolve AWS private hosted zone records, and EC2 instances need to resolve on-premises DNS domains. Which configuration supports bidirectional DNS resolution?

    A. Configure the VPC DHCP options set with the on-premises DNS server addresses and forward all DNS traffic through a VPN connection
    B. Create Route 53 Resolver inbound endpoints (for on-premises to resolve AWS records) and outbound endpoints with forwarding rules (for AWS to resolve on-premises records)
    C. Enable DNS hostnames and DNS resolution on the VPC and configure the on-premises DNS server to forward queries to the VPC's .2 resolver IP address
    D. Deploy a custom BIND DNS server in the VPC that conditionally forwards to both Route 53 and the on-premises DNS server

  142. Question 142 - Networking & Content Delivery

    A SysOps administrator wants to monitor and log all DNS queries made by EC2 instances within a VPC, including queries to private hosted zones and external domains. Which service should be used?

    A. Enable VPC Flow Logs with a custom format that includes DNS fields
    B. Enable Route 53 Resolver query logging for the VPC, which logs all DNS queries to CloudWatch Logs, S3, or Kinesis Data Firehose
    C. Configure CloudTrail to capture Route 53 DNS query events
    D. Install the CloudWatch agent on all EC2 instances and configure it to capture DNS query logs from the local resolver

  143. Question 143 - Cost & Performance Optimization

    A company transfers large amounts of data between Amazon EC2 instances in us-east-1 and an S3 bucket in us-west-2. The monthly data transfer bill is significant. What change would reduce data transfer costs the MOST?

    A. Enable S3 Transfer Acceleration on the us-west-2 bucket to reduce transfer time and costs
    B. Create a replica of the S3 bucket in us-east-1 using S3 Cross-Region Replication and have the EC2 instances read from the local replica
    C. Switch to using S3 Glacier for all data to reduce per-GB costs
    D. Use a VPC gateway endpoint for S3, which eliminates inter-Region data transfer charges

  144. Question 144 - Monitoring, Logging & Remediation

    A company's operations team notices that an AWS Health Dashboard event shows a hardware degradation affecting one of their EC2 instances. The event indicates the instance will be retired in 14 days. What should the SysOps administrator do to minimize downtime?

    A. Wait for AWS to automatically migrate the instance with no action required
    B. Stop and start the instance to migrate it to new underlying hardware before the retirement date
    C. Create an AMI and terminate the instance; AWS will restore it automatically after the retirement
    D. Contact AWS Support to request an extension of the retirement date

  145. Question 145 - Monitoring, Logging & Remediation

    A SysOps administrator needs to monitor the memory utilization of EC2 instances. The default CloudWatch metrics do not include memory. After installing and configuring the CloudWatch agent, the administrator still does not see memory metrics in the CloudWatch console. What should the administrator check FIRST?

    A. The CloudWatch agent configuration file does not include the mem_used_percent metric
    B. The EC2 instance does not have an IAM role with the CloudWatchAgentServerPolicy attached
    C. The CloudWatch agent is running but publishing metrics to a different AWS Region
    D. The instance type does not support detailed monitoring

  146. Question 146 - Deployment, Provisioning & Automation

    A SysOps administrator needs to install a custom monitoring agent on hundreds of EC2 instances across multiple accounts. The agent package is stored as an RPM in an S3 bucket. The administrator wants to use a managed, declarative approach. Which Systems Manager capability should the administrator use?

    A. SSM Run Command with an AWS-RunShellScript document
    B. SSM State Manager with an association
    C. SSM Distributor with a custom package
    D. SSM Automation with a custom runbook

  147. Question 147 - Select All That Apply - Security & Compliance

    A SysOps administrator needs to implement tag-based access control (ABAC) for an organization where developers should only be able to start and stop EC2 instances that have a `Project` tag matching the developer's own `Project` tag value. Which TWO components are required for this ABAC implementation? (Select TWO.)

    A. An IAM policy with a condition comparing `aws:ResourceTag/Project` to `aws:PrincipalTag/Project`
    B. An SCP that enforces tag values on EC2 instances
    C. IAM user or role tags with the `Project` key set to the developer's assigned project value
    D. A separate IAM policy for each project specifying the project's EC2 instance ARNs
    E. An AWS Config rule that validates EC2 instance tags

  148. Question 148 - Networking & Content Delivery

    A company has a centralized networking account and multiple application accounts in AWS Organizations. The networking team wants to share specific subnets of a VPC with application accounts so that EC2 instances launched by application teams reside in the shared VPC. Which service should the networking team use?

    A. VPC peering between the networking account and each application account
    B. AWS Resource Access Manager (RAM) to share VPC subnets
    C. AWS Transit Gateway with VPC attachments from each account
    D. AWS PrivateLink to create interface endpoints in each application account

  149. Question 149 - Networking & Content Delivery

    A SysOps administrator needs to share a VPC subnet with another account using AWS RAM. The administrator shares the subnet, but the participant account cannot see the shared subnet when launching an EC2 instance. What should the administrator verify?

    A. The participant account has accepted the RAM resource share invitation
    B. The VPC has been peered with the participant account's VPC
    C. The participant account has created an identical subnet with the same CIDR
    D. The shared subnet has a tag granting access to the participant account

  150. Question 150 - Cost & Performance Optimization

    A company runs a batch processing workload that is fault-tolerant and can be interrupted. The workload requires a mix of instance types. The team wants to minimize costs while maximizing the availability of Spot Instances. Which Spot Fleet allocation strategy should the SysOps administrator configure?

    A. lowestPrice
    B. capacityOptimized
    C. diversified
    D. priceCapacityOptimized

  151. Question 151 - Monitoring, Logging, and Remediation

    A SysOps administrator wants to monitor the CPU utilization of all EC2 instances across multiple regions from a single dashboard. Which CloudWatch feature enables cross-region metrics aggregation?

    A. CloudWatch cross-account observability
    B. CloudWatch cross-region dashboards
    C. CloudWatch Contributor Insights
    D. AWS Health Dashboard

  152. Question 152 - Monitoring, Logging, and Remediation

    A SysOps administrator receives an alert that an EC2 instance is running at 95% CPU for 10 minutes. They want to automatically execute an SSM document to diagnose the issue. Which service orchestrates this?

    A. AWS Lambda triggered by SNS
    B. EventBridge rule → SSM Automation runbook
    C. AWS Config auto-remediation
    D. CloudWatch dashboards

  153. Question 153 - Monitoring, Logging, and Remediation

    A SysOps administrator needs to collect custom application metrics (e.g., queue depth) from EC2 instances. Which tool ships these metrics to CloudWatch?

    A. CloudWatch built-in EC2 agent
    B. CloudWatch agent (amazon-cloudwatch-agent) with custom metrics configuration
    C. AWS X-Ray daemon
    D. Amazon Inspector agent

  154. Question 154 - Reliability and Business Continuity

    A SysOps administrator configures an ALB with multiple EC2 instances. A health check is failing for one instance. What does the ALB do?

    A. Sends all traffic to the healthy instances and stops sending traffic to the unhealthy one
    B. Terminates the unhealthy instance
    C. Returns 503 to all requests
    D. Routes a reduced percentage of traffic to the unhealthy instance

  155. Question 155 - Deployment, Provisioning, and Automation

    A SysOps administrator wants to automate patching of EC2 instances on a schedule with zero manual intervention. Which Systems Manager feature provides this?

    A. Systems Manager Run Command
    B. Systems Manager Patch Manager with a Maintenance Window
    C. Systems Manager Session Manager
    D. AWS Config auto-remediation

  156. Question 156 - Deployment, Provisioning, and Automation

    A SysOps administrator needs to run an ad-hoc command on 100 EC2 instances simultaneously without SSH access. Which Systems Manager feature enables this?

    A. Systems Manager Session Manager
    B. Systems Manager Run Command
    C. Systems Manager Patch Manager
    D. Systems Manager Parameter Store

  157. Question 157 - Deployment, Provisioning, and Automation

    A SysOps administrator needs to provision EC2 instances that join an Active Directory domain automatically on launch. Which Systems Manager feature achieves this?

    A. Systems Manager State Manager with a domain-join document
    B. EC2 user data script
    C. AWS Directory Service connector
    D. Both A and B

  158. Question 158 - Deployment, Provisioning, and Automation

    A SysOps administrator uses EC2 Auto Scaling and wants instances to register with a load balancer only after passing a custom health check (e.g., application started). Which lifecycle hook is used?

    A. EC2_INSTANCE_TERMINATING lifecycle hook
    B. EC2_INSTANCE_LAUNCHING lifecycle hook with a wait period for the application to start
    C. ALB health check with a longer health check grace period
    D. Auto Scaling warm pools

  159. Question 159 - Security and Compliance

    A SysOps administrator discovers that an EC2 instance has an open security group rule allowing inbound traffic from 0.0.0.0/0 on port 22. Which AWS service detects and can auto-remediate this?

    A. VPC Flow Logs
    B. AWS Config rule (restricted-ssh) with auto-remediation via SSM Automation
    C. Amazon GuardDuty
    D. AWS Inspector network assessment

  160. Question 160 - Security and Compliance

    A SysOps administrator needs to scan EC2 instances for OS-level vulnerabilities and exposed ports. Which AWS service performs this assessment?

    A. AWS Config
    B. Amazon Inspector
    C. AWS Security Hub
    D. AWS GuardDuty

  161. Question 161 - Security and Compliance

    A SysOps administrator needs to ensure that EBS volumes are encrypted for all new EC2 instances launched in an account. Which setting enforces this?

    A. IAM policy denying ec2:RunInstances without encryption
    B. Enable EBS encryption by default at the account/region level
    C. Use AWS Config to detect and auto-remediate unencrypted volumes
    D. Create a launch template with encrypted volumes

  162. Question 162 - Cost and Performance Optimization

    A SysOps administrator reviews the AWS Cost Explorer and notices unexpectedly high EC2 costs. Which Cost Explorer feature identifies the specific EC2 instances driving the cost?

    A. Cost Explorer resource-level granularity (hourly, resource-level)
    B. AWS Trusted Advisor cost checks
    C. AWS Budgets alerts
    D. AWS Cost Anomaly Detection

  163. Question 163 - Cost and Performance Optimization

    A SysOps administrator wants to reduce costs for EC2 instances running predictable batch workloads that run 8 hours per day, 5 days a week. Which purchasing option provides the BEST cost reduction?

    A. On-Demand instances
    B. Reserved Instances (1-year, All Upfront)
    C. Spot Instances
    D. Scheduled Reserved Instances or Savings Plans

  164. Question 164 - Cost and Performance Optimization

    A SysOps administrator wants to automatically scale down EC2 instances during non-business hours to save costs. Which Auto Scaling feature implements this?

    A. Target tracking scaling policy
    B. Scheduled scaling actions (scale down at 6 PM, scale up at 8 AM on weekdays)
    C. Step scaling policy
    D. Predictive scaling

  165. Question 165 - Cost and Performance Optimization

    A SysOps administrator reviews Trusted Advisor and sees several EC2 instances flagged as 'underutilized'. What does this mean and what action reduces cost?

    A. The instances have low CPU/network utilization; right-size them to smaller instance types or terminate unused ones
    B. The instances are in unhealthy states and need replacement
    C. The instances should be moved to a different AZ
    D. The instances lack detailed monitoring

  166. Question 166 - Cost and Performance Optimization

    A SysOps administrator uses Amazon EC2 Savings Plans. What flexibility do Compute Savings Plans provide compared to EC2 Instance Savings Plans?

    A. Compute Savings Plans apply to any EC2 instance regardless of region, instance family, OS, and tenancy
    B. EC2 Instance Savings Plans apply to all AWS compute services
    C. Compute Savings Plans provide a higher discount than EC2 Instance Savings Plans
    D. Compute Savings Plans also cover RDS costs

  167. Question 167 - Cost and Performance Optimization

    A SysOps administrator wants to reduce data transfer costs between an EC2 instance and S3 in the same region. Which configuration eliminates the data transfer cost?

    A. Use S3 Transfer Acceleration
    B. Use a VPC Gateway Endpoint for S3, routing S3 traffic through AWS's private network (no data transfer charge)
    C. Enable S3 Cross-Region Replication to the same region
    D. Use CloudFront as an intermediary

  168. Question 168 - Cost and Performance Optimization

    A SysOps administrator wants to identify EC2 instances that have been running for months without any significant traffic. Which tool provides this utilization report?

    A. AWS Trusted Advisor — low utilization EC2 instances check
    B. AWS Compute Optimizer — underprovisioning/overprovisioning recommendations
    C. CloudWatch metric anomaly detection
    D. AWS Cost Anomaly Detection

  169. Question 169 - Monitoring, Logging, and Remediation

    A SysOps administrator needs to monitor memory utilization of EC2 instances. The CloudWatch console does not show memory metrics. Why?

    A. Memory metrics require a paid CloudWatch subscription
    B. EC2 hypervisor does not have access to guest OS memory; the CloudWatch agent must be installed on the instance
    C. Memory metrics are only available for Windows instances
    D. CloudWatch metrics for memory are delayed by 24 hours

  170. Question 170 - Monitoring, Logging, and Remediation

    A SysOps administrator needs to alert the on-call team within 1 minute of an EC2 instance becoming unreachable. Which monitoring setup achieves this?

    A. CloudWatch alarm on StatusCheckFailed with 1 evaluation period of 1 minute → SNS → PagerDuty
    B. CloudTrail event for instance state change
    C. EventBridge rule for instance termination only
    D. AWS Health event for EC2 status

  171. Question 171 - Monitoring, Logging, and Remediation

    A SysOps administrator wants to track configuration changes to an EC2 instance (e.g., instance type changes, security group modifications) over time. Which service provides this history?

    A. AWS CloudTrail (API call history)
    B. AWS Config configuration item history for the EC2 instance
    C. Both A and B
    D. CloudWatch metrics for instance configuration

  172. Question 172 - Deployment, Provisioning, and Automation

    A SysOps administrator needs to deploy application configuration files to EC2 instances during launch using CloudFormation. Which CloudFormation helper script handles this?

    A. cfn-signal
    B. cfn-init
    C. cfn-hup
    D. cfn-get-metadata

  173. Question 173 - Deployment, Provisioning, and Automation

    A SysOps administrator wants EC2 instances in an Auto Scaling Group to signal CloudFormation when they are fully bootstrapped. Which helper script sends this signal?

    A. cfn-init
    B. cfn-signal
    C. cfn-hup
    D. cfn-get-metadata

  174. Question 174 - Deployment, Provisioning, and Automation

    A SysOps administrator needs to install a security agent on every new EC2 instance automatically, regardless of how the instance is launched. Which approach achieves this at scale?

    A. Add installation instructions to each launch template
    B. Use EC2 Image Builder to bake the agent into the base AMI, then enforce approved AMIs via Config
    C. Use Systems Manager State Manager to install the agent after launch
    D. Both B and C

  175. Question 175 - Select All That Apply - Deployment, Provisioning, and Automation

    A SysOps administrator wants to provision EC2 instances with specific tags enforced at launch (e.g., 'CostCenter' tag required). Which service enforces tag policies?

    A. AWS Config rule (required-tags)
    B. AWS Organizations Tag Policies
    C. AWS Service Catalog launch constraints
    D. IAM condition key aws:RequestTag

  176. Question 176 - Deployment, Provisioning, and Automation

    A SysOps administrator needs to ensure that all EC2 instances are compliant with CIS OS benchmarks. Which AWS service continuously assesses and reports on this compliance?

    A. AWS Config
    B. Amazon Inspector with CIS Benchmarks assessment template
    C. AWS Trusted Advisor
    D. Systems Manager Patch Manager

  177. Question 177 - Security and Compliance

    A SysOps administrator uses VPC Flow Logs and identifies a large amount of REJECT traffic from an EC2 instance to port 443. What does this indicate?

    A. The instance is being attacked
    B. A security group or NACL is blocking outbound HTTPS traffic from the instance
    C. The instance is attempting a DDoS attack
    D. The VPC has no Internet Gateway

  178. Question 178 - Security and Compliance

    A SysOps administrator wants to ensure that EC2 instances in a private subnet can only connect to AWS services (S3, DynamoDB) without internet access. What enables this?

    A. NAT Gateway for AWS services
    B. VPC Gateway Endpoints for S3 and DynamoDB
    C. Direct Connect to AWS services
    D. VPC Interface Endpoints for all AWS services

  179. Question 179 - Security and Compliance

    A SysOps administrator uses AWS Security Hub and wants to suppress false-positive findings for a specific EC2 instance that has a known-safe security group configuration. What should be done?

    A. Delete the finding from Security Hub
    B. Create a suppression rule or suppress the specific finding with a note
    C. Disable the Security Hub standard for that check
    D. Exclude the EC2 instance from Config evaluation

  180. Question 180 - Security and Compliance

    A SysOps administrator receives an AWS Abuse report for an EC2 instance sending spam. What is the immediate recommended action?

    A. Terminate the instance immediately
    B. Isolate the instance by modifying its security group to deny all outbound traffic, then investigate for compromise
    C. Contact the ISP of the destination IPs
    D. Ignore it and monitor for more reports

  181. Question 181 - Networking and Content Delivery

    A SysOps administrator notices that EC2 instances in a private subnet are failing to resolve DNS names. What should be verified?

    A. DNS resolution and DNS hostnames are enabled in the VPC settings
    B. The NAT Gateway is correctly configured
    C. The NACL allows UDP port 53 traffic to the VPC DNS server
    D. Both A and C

  182. Question 182 - Networking and Content Delivery

    A SysOps administrator has an ALB in front of EC2 instances. The backend instances receive all traffic from the ALB's private IP, not the clients' IPs. How do instances determine the original client IP?

    A. Enable NLB instead of ALB to preserve client IPs
    B. ALB adds the X-Forwarded-For header containing the original client IP
    C. Enable Proxy Protocol on the ALB
    D. Use VPC Flow Logs to trace original client IP

  183. Question 183 - Cost and Performance Optimization

    A SysOps administrator wants to allocate costs by department for multi-tenant EC2 instances. Which AWS feature enables this?

    A. EC2 dedicated hosts for each department
    B. Cost allocation tags (e.g., Department:Finance) applied to EC2 instances
    C. Separate AWS accounts per department
    D. Both B and C

  184. Question 184 - Cost and Performance Optimization

    A SysOps administrator uses Amazon EC2 Auto Scaling. Which instance type purchasing option provides the highest discount for stateless, fault-tolerant workloads?

    A. Reserved Instances
    B. On-Demand Instances
    C. Spot Instances (up to 90% discount)
    D. Dedicated Instances

  185. Question 185 - Monitoring, Logging, and Remediation

    A SysOps administrator wants to detect when an EC2 instance type is changed (e.g., from t3.small to t3.large) using event-based monitoring. Which service detects this?

    A. CloudWatch metric alarm on CPU
    B. EventBridge rule matching the EC2 ModifyInstanceAttribute CloudTrail event
    C. AWS Config rule
    D. VPC Flow Logs

  186. Question 186 - Monitoring, Logging, and Remediation

    A SysOps administrator wants to continuously audit the configuration of all EC2 instances in an account against a security baseline. Which service provides continuous configuration recording?

    A. Amazon Inspector — one-time assessment
    B. AWS Config — continuous recording of resource configurations
    C. CloudTrail — API call recording
    D. Systems Manager Inventory — periodic scan

  187. Question 187 - Reliability and Business Continuity

    A SysOps administrator wants to ensure that EC2 instances are evenly distributed across 3 AZs. Which Auto Scaling feature enables this?

    A. Target tracking scaling policy
    B. Availability Zone rebalancing (AZ rebalancing) — enabled by default in Auto Scaling
    C. Instance placement groups
    D. Launch template AZ configuration

  188. Question 188 - Deployment, Provisioning, and Automation

    A SysOps administrator uses EC2 Auto Scaling and wants to drain connections from an instance before terminating it. Which lifecycle hook is used?

    A. EC2_INSTANCE_LAUNCHING
    B. EC2_INSTANCE_TERMINATING
    C. ALB target deregistration delay
    D. Both B and C

  189. Question 189 - Deployment, Provisioning, and Automation

    A SysOps administrator uses AWS CodeDeploy to deploy to EC2. The deployment is failing during the BeforeInstall lifecycle event. Where are the agent logs located on the instance?

    A. /var/log/aws/codedeploy-agent/codedeploy-agent.log
    B. /var/log/codedeploy/deployment.log
    C. /tmp/codedeploy-agent.log
    D. CloudWatch Logs automatically

  190. Question 190 - Deployment, Provisioning, and Automation

    A SysOps administrator manages hundreds of EC2 instances and wants to inventory all installed software without SSHing into each instance. Which service enables this at scale?

    A. CloudTrail
    B. AWS Systems Manager Inventory with a resource data sync to S3/Athena
    C. AWS Config
    D. Amazon Inspector

  191. Question 191 - Security and Compliance

    A SysOps administrator needs to ensure that all EC2 instances use an encrypted EBS volume and cannot have unencrypted volumes attached after launch. Which control prevents attaching unencrypted volumes?

    A. Enable EBS encryption by default at the account level
    B. IAM policy denying ec2:AttachVolume for unencrypted volumes
    C. AWS Config rule ec2-encrypted-volumes with auto-remediation
    D. Both A and B

  192. Question 192 - Networking and Content Delivery

    A SysOps administrator uses an NLB and target EC2 instances fail health checks even though the application is running. What is the likely cause?

    A. NLB health checks always fail for Linux instances
    B. The security group on the EC2 instances blocks NLB health check traffic from the NLB's IP addresses or VPC CIDR
    C. NLB requires HTTPS health checks
    D. The NLB's cross-zone load balancing is disabled

  193. Question 193 - Cost and Performance Optimization

    A SysOps administrator has EC2 instances running 24/7 for 3 years. What is the MOST cost-effective Reserved Instance commitment for this workload?

    A. 1-year Standard RI, No Upfront
    B. 3-year Standard RI, All Upfront
    C. 3-year Convertible RI, All Upfront
    D. On-Demand instances

  194. Question 194 - Cost and Performance Optimization

    A SysOps administrator uses EC2 and wants to track the per-instance cost for a project. Tags have been applied but costs are not appearing in Cost Explorer. Why?

    A. Tags are case-sensitive and the tag key has inconsistent capitalization
    B. Cost allocation tags must be activated in the AWS Billing console before they appear in Cost Explorer
    C. Cost Explorer only shows costs at the service level, not per instance
    D. Resource-level cost tracking requires Enterprise Support

  195. Question 195 - Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS Trusted Advisor. Which Trusted Advisor category checks for underutilized EC2 instances and idle RDS instances?

    A. Security
    B. Cost Optimization
    C. Performance
    D. Fault Tolerance

  196. Question 196 - Reliability and Business Continuity

    A SysOps administrator uses EC2 Auto Scaling with On-Demand and Spot instances. The ASG is configured to have a minimum of 2 On-Demand instances. Why?

    A. Spot instances cannot be used in Auto Scaling Groups
    B. Maintaining a base of On-Demand capacity ensures the application continues functioning even if all Spot capacity is reclaimed
    C. On-Demand instances are required for ALB health checks
    D. Spot instances are slower than On-Demand

  197. Question 197 - Reliability and Business Continuity

    A SysOps administrator uses a VPC gateway endpoint for S3. Traffic from private EC2 instances fails to reach S3. What is likely misconfigured?

    A. The S3 bucket policy doesn't allow VPC endpoint access
    B. The route table for the private subnet does not have a route to the S3 Gateway endpoint
    C. The security group on the EC2 instance blocks S3 traffic
    D. Both A and B are possible causes

  198. Question 198 - Reliability and Business Continuity

    A SysOps administrator uses EC2 Auto Scaling. An instance launched by ASG failed health checks immediately after launch (before the application started). What should be adjusted?

    AReduce the health check interval
    BIncrease the health check grace period to allow the application bootstrap time before health check evaluation begins
    CUse a simpler health check endpoint
    DIncrease the instance size to speed up bootstrapping

  199. Question 199: Deployment, Provisioning, and Automation

    A SysOps administrator uses CloudFormation. They want to ensure that an EC2 instance completes its startup scripts before CloudFormation marks the instance as CREATE_COMPLETE. Which mechanism achieves this?

    A. Use a CloudFormation DependsOn attribute
    B. Use a CloudFormation CreationPolicy with ResourceSignal and cfn-signal in the user data script
    C. Use a CloudFormation WaitCondition with a Lambda timeout
    D. CloudFormation automatically waits for instances to be healthy

  200. Question 200: Deployment, Provisioning, and Automation

    A SysOps administrator uses CloudFormation and wants to ensure that existing EC2 instances are not accidentally terminated during a stack update. Which feature protects specific resources?

    A. CloudFormation stack termination protection
    B. CloudFormation StackPolicy — deny Update:Replace or Update:Delete on the EC2 resource
    C. EC2 instance termination protection
    D. DeletionPolicy: Retain on the EC2 resource

  201. Question 201: Security and Compliance

    A SysOps administrator uses EC2 instances that need access to S3 and DynamoDB. What is the MOST secure method for providing this access?

    A. Store IAM access keys in the application configuration file
    B. Attach an IAM instance profile (role) with least-privilege permissions for S3 and DynamoDB
    C. Use the root account's access keys
    D. Create a shared IAM user with S3 and DynamoDB permissions

  202. Question 202: Security and Compliance

    A SysOps administrator wants to use AWS Organizations SCPs to prevent any EC2 instance from running without a specific tag (CostCenter). What SCP condition achieves this?

    A. SCP Deny on ec2:RunInstances with Condition: StringNotEquals aws:RequestTag/CostCenter to any value
    B. SCP Deny on ec2:CreateTags
    C. SCP Allow on ec2:RunInstances for all instances
    D. Config rule for required tags with auto-remediation

  203. Question 203: Security and Compliance

    A SysOps administrator wants to prevent data exfiltration from EC2 instances by restricting which S3 buckets they can access. Which VPC endpoint policy achieves this?

    A. Security group rule blocking S3 traffic
    B. VPC endpoint policy for S3 that restricts access to specific company-owned bucket ARNs
    C. S3 bucket policy requiring VPC endpoint access
    D. NACL rule blocking non-company S3 buckets

  204. Question 204: Networking and Content Delivery

    A SysOps administrator manages an application on EC2 and needs the instances to always have the same IP address. Which feature supports this for internal traffic?

    A. EC2 Elastic Network Interface (ENI) — a static private IP can be assigned and moved between instances
    B. Route 53 CNAME records pointing to EC2 public IPs
    C. NAT Gateway with a fixed IP
    D. Elastic Load Balancer provides a static IP

  205. Question 205: Networking and Content Delivery

    A SysOps administrator sets up a VPC with public and private subnets. EC2 instances in the private subnet need to communicate with the internet for OS updates. Which component enables outbound-only internet access?

    A. Internet Gateway — bidirectional internet access
    B. NAT Gateway in the public subnet — allows outbound-initiated connections, blocks inbound unsolicited traffic
    C. VPC Endpoint — private access to AWS services only
    D. Transit Gateway — for inter-VPC routing only

  206. Question 206: Cost and Performance Optimization

    A SysOps administrator uses ECS on EC2 and wants to optimize EC2 instance costs. The ECS cluster has variable container workloads. Which combination of features optimizes costs?

    A. ECS Capacity Providers with managed scaling and Spot instances for the EC2 Auto Scaling Group
    B. Reserved Instances for all ECS cluster EC2 instances
    C. On-Demand instances only
    D. ECS Fargate eliminates the EC2 cost

  207. Question 207: Cost and Performance Optimization

    A SysOps administrator uses Amazon EC2 Spot Instances. What is the recommended practice for handling Spot interruptions?

    A. Use Spot blocks (defined duration instances) to avoid interruptions
    B. Subscribe to the Spot instance interruption notice (2-minute warning via instance metadata/EventBridge) and checkpoint or drain connections gracefully
    C. Use On-Demand instances instead of Spot for production workloads
    D. Spot interruptions can be disabled in the launch configuration

  208. Question 208: Deployment, Provisioning & Automation

    A company uses EC2 Image Builder to create hardened AMIs for production workloads. The security team requires that every AMI passes CIS Benchmark tests before it is distributed to production accounts. Where in the Image Builder pipeline should this validation be configured?

    A. In the build stage as the last build component
    B. In the test stage by adding a CIS Benchmark test component that runs after the image is created but before distribution
    C. In the distribution settings as a post-distribution validation step
    D. In a separate Lambda function triggered by an EventBridge event when the AMI creation completes

  209. Question 209: Deployment, Provisioning & Automation

    A company uses EC2 Image Builder with a pipeline triggered on a weekly schedule. The pipeline builds an AMI and distributes it to three target Regions. Last week, the AMI was built successfully but distribution to one Region failed. What is the MOST likely cause?

    A. The Image Builder service-linked role does not have `ec2:CopyImage` permissions in the target Region
    B. The target Region has an opt-in status that is not enabled for the account, or the distribution configuration's target account does not have the necessary permissions
    C. EC2 Image Builder does not support cross-Region distribution; a separate pipeline is needed per Region
    D. The weekly schedule caused a timeout before distribution could complete

  210. Question 210: Deployment, Provisioning, and Automation

    A SysOps administrator uses EC2 Image Builder to create AMIs. After the build pipeline runs, the new AMI must be shared with 5 other AWS accounts. Which Image Builder feature automates this?

    A. Manually share the AMI after each build
    B. Configure the Image Builder distribution settings to share the AMI with target account IDs
    C. Use AWS RAM to share the AMI after creation
    D. Create a Lambda function triggered by EventBridge after the build

  211. Question 211: Deployment, Provisioning, and Automation

    A SysOps administrator uses EC2 Image Builder. What is the recommended way to keep AMIs up to date with the latest OS patches?

    A. Manually update AMIs when patches are released
    B. Configure an Image Builder pipeline with a schedule to rebuild the AMI regularly (e.g., weekly)
    C. Apply patches to running instances using Patch Manager
    D. Use AWS-managed AMIs which auto-update


Key EC2 Concepts for SOA-C03

ec2, instance, ami, launch template, user data, status check, instance metadata, fleet

SOA-C03 EC2 Exam Tips

Amazon Elastic Compute Cloud (EC2) questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: ec2, instance, ami, launch template, user data, status check.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • EC2 scenarios for SOA-C03 are frequently mapped to Domain 1 (22%), Domain 2 (22%), Domain 3 (22%), Domain 4 (16%), Domain 5 (18%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where EC2 interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value EC2 Concepts

  • Know the core EC2 building blocks cold: ec2, instance, ami, launch template.
  • Review the edge-case features and limits for user data, status check; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how EC2 pairs with Auto Scaling, EBS, VPC, Systems Manager in real deployment patterns.
  • For SOA-C03, explain why the chosen EC2 design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Monitoring, Logging, Analysis, Remediation, and Performance Optimization often include distractors that look correct for EC2 but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two EC2 implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for EC2 without relying on default-open assumptions?
  • Can you describe how EC2 integrates with Auto Scaling and EBS during failure, scaling, and monitoring events?
