λ AWS Lambda - SOA-C03 Practice Questions

SOA-C03 Lambda Question Bank (45 Questions)

Browse all 45 practice questions covering AWS Lambda for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

1. Question 1Monitoring, Logging & Remediation

   A company uses Lambda functions to process financial transactions. During peak hours, cold starts cause latency spikes that breach SLA requirements. The administrator enabled provisioned concurrency, but now wants to monitor whether the provisioned concurrency is being fully utilized or if additional capacity is needed. Which CloudWatch metric should the administrator monitor?

   A`ConcurrentExecutions` divided by `UnreservedConcurrentExecutions`

   B`ProvisionedConcurrencySpilloverInvocations` — which counts invocations that exceeded provisioned concurrency and used on-demand capacity

   C`ProvisionedConcurrencyUtilization` — which represents the fraction of allocated provisioned concurrency in use

   D`Throttles` — which indicates requests that were rejected due to concurrency limits

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
2. Question 2Cost & Performance Optimization

   A company runs a Lambda function with an average invocation duration of 200ms and processes 10 million invocations per month. During peak hours, cold starts add 2 seconds of latency. The administrator configured provisioned concurrency of 100. The finance team reports that the monthly Lambda bill increased by 40%. What should the administrator do to reduce costs while still mitigating cold starts?

   AReduce provisioned concurrency to a lower value that matches only the peak-hour baseline and use Application Auto Scaling to schedule provisioned concurrency scaling during peak hours

   BRemove provisioned concurrency entirely and optimize the function's initialization code to reduce cold start time

   CSwitch from provisioned concurrency to reserved concurrency, which also eliminates cold starts

   DIncrease the function's memory allocation to reduce duration and offset the provisioned concurrency cost

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
3. Question 3Cost & Performance Optimization

   A SysOps administrator wants to right-size AWS Lambda functions to reduce costs and improve performance. Which AWS service provides recommendations for Lambda function memory settings based on historical invocation data?

   AAWS Cost Explorer with right-sizing recommendations

   BAWS Compute Optimizer with Lambda function recommendations

   CAWS Trusted Advisor performance checks

   DCloudWatch Lambda Insights

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
4. Question 4Deployment, Provisioning & Automation

   A development team uses AWS Lambda for a critical API. They have deployed version 5 of the function and need to gradually shift 10% of traffic to a new version 6 while keeping 90% on version 5. If errors increase on version 6, they need to immediately roll back. Which Lambda feature supports this?

   ACreate a new Lambda function with the updated code and use Route 53 weighted routing to split traffic between the two function URLs.

   BPublish version 6, create or update a Lambda alias pointing to both version 5 (weight 0.9) and version 6 (weight 0.1), and configure the alias to shift traffic.

   CUpdate the Lambda function code directly and use API Gateway caching to serve the old version to 90% of requests.

   DDeploy version 6 as a separate Lambda function and use an ALB to distribute traffic between the two functions.

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
5. Question 5Cost & Performance Optimization

   A SysOps Administrator runs a Lambda function that processes images. The function is configured with 128 MB of memory and a 30-second timeout. The function frequently times out on larger images. Increasing the memory to 1024 MB resolves the timeouts and reduces the average duration from 25 seconds to 4 seconds. Despite the higher per-millisecond cost, the total cost per invocation decreases. Why does this happen?

   ALambda automatically applies Reserved Concurrency discounts when memory is increased.

   BLambda allocates CPU proportionally to memory; increasing memory from 128 MB to 1024 MB gives the function 8x more CPU, dramatically reducing execution time, and the shorter duration more than offsets the higher per-ms rate.

   CLambda charges are based only on the number of invocations, not duration, so more memory does not affect cost.

   DAWS applies a free tier discount for Lambda functions with higher memory allocations.

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
6. Question 6Deployment, Provisioning & Automation

   A SysOps Administrator must deploy an updated Lambda function using AWS CodeDeploy with the following requirement: shift 10% of traffic to the new version, wait 10 minutes, and then shift the remaining 90% if no alarms fire. Which CodeDeploy deployment configuration achieves this?

   A`CodeDeployDefault.LambdaCanary10Percent10Minutes`

   B`CodeDeployDefault.LambdaLinear10PercentEvery10Minutes`

   C`CodeDeployDefault.LambdaAllAtOnce`

   D`CodeDeployDefault.LambdaCanary10Percent5Minutes`

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
7. Question 7Monitoring, Logging & Remediation

   An operations team deployed a Lambda function that processes SQS messages, but they are unable to see per-invocation performance data such as memory usage, CPU time, and init duration in CloudWatch. The function already has the `CloudWatchLambdaInsightsExecutionRolePolicy` managed policy attached. What is the MOST likely reason?

   AThe Lambda function's execution role is missing the `logs:PutLogEvents` permission for the `/aws/lambda-insights` log group

   BThe Lambda Insights extension layer has not been added to the function configuration

   CLambda Insights only works with Lambda functions that use provisioned concurrency

   DThe function's CloudWatch Logs log group must be encrypted with a KMS key before Lambda Insights can publish data

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
8. Question 8Cost and Performance Optimization

   A SysOps administrator wants to identify which Lambda functions are over-provisioned (too much memory) and could be reduced. Which AWS service provides this recommendation?

   ACloudWatch Lambda Duration metric

   BAWS Compute Optimizer — provides Lambda memory and CPU utilization recommendations

   CAWS Lambda Power Tuning tool

   DBoth B and C

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
9. Question 9Networking and Content Delivery

   A SysOps administrator uses CloudFront with Lambda@Edge. What is the maximum memory and timeout for a Lambda@Edge function on viewer request/response events?

   AMemory: 128 MB, Timeout: 5 seconds

   BMemory: 10 GB, Timeout: 15 minutes

   CMemory: 128 MB, Timeout: 30 seconds

   DMemory: 1024 MB, Timeout: 5 seconds

   Answer hidden for practice.

   Use the interactive quiz to reveal the correct answer and explanation.

   Start SOA-C03 Quiz
10. Question 10Monitoring, Logging & Remediation

    A company uses Amazon EventBridge to route events from multiple AWS services to various targets. A SysOps administrator notices that some events from AWS Health are not reaching the intended Lambda function target. The administrator confirms the EventBridge rule pattern is correct. What should the administrator check next?

    AVerify that the Lambda function's resource-based policy allows `events.amazonaws.com` to invoke it.

    BVerify that the EventBridge rule is in the same Region where the AWS Health events are generated.

    CVerify that the Lambda function's execution role has permissions to read from EventBridge.

    DVerify that CloudTrail is enabled in the Region to capture EventBridge events.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
11. Question 11Monitoring, Logging & Remediation

    A development team deploys a microservices application that emits structured JSON logs from AWS Lambda functions. They want these logs to automatically generate CloudWatch metrics for business KPIs (e.g., order count, payment failures) without deploying additional infrastructure. Which approach should the administrator recommend?

    ACreate CloudWatch metric filters on each Lambda log group with pattern matching for each KPI

    BUse CloudWatch embedded metric format (EMF) in the Lambda function code to emit metrics within structured log entries

    CStream Lambda logs via Kinesis Data Firehose to S3, then use Athena for KPI reporting

    DDeploy a CloudWatch agent on a dedicated EC2 instance to parse Lambda logs and publish custom metrics

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
12. Question 12Select All That ApplySecurity & Compliance

    A SysOps administrator needs to grant a Lambda function in Account A permission to read objects from an S3 bucket in Account B. Which TWO configurations are required?

    ACreate an IAM role in Account A with `s3:GetObject` permission for the Account B bucket and assign it to the Lambda function

    BAdd a bucket policy on the Account B bucket that allows the Lambda function's role ARN to perform `s3:GetObject`

    CCreate an IAM role in Account B and configure the Lambda function to call `AssumeRole` for that role

    DEnable S3 cross-account access using S3 Access Points only

    EConfigure a VPC endpoint for S3 in Account A to route traffic to Account B's bucket

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
13. Question 13Monitoring, Logging & Remediation

    A company discovers that their EventBridge rules are failing to invoke a target Lambda function. The events are being published to a custom event bus, but the Lambda function is not being triggered. The Lambda function's resource-based policy only allows invocations from the default event bus. What is the root cause?

    ACustom event buses cannot invoke Lambda functions; only the default event bus supports Lambda targets.

    BThe Lambda function's resource-based policy must explicitly grant permission to the custom event bus to invoke it.

    CEventBridge custom event buses require a dead-letter queue to be configured before targets can be invoked.

    DThe events must include a `DetailType` field matching the Lambda function name.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
14. Question 14Deployment, Provisioning & Automation

    A company's CloudFormation template creates a Lambda function and an API Gateway. The Lambda function ARN must be passed to the API Gateway integration. However, a circular dependency occurs because the API Gateway also needs to grant invoke permissions referencing the Lambda function. How should the SysOps Administrator resolve this circular dependency?

    AUse `DependsOn` to explicitly order the resource creation and break the cycle.

    BSplit the resources into two stacks — one for Lambda and one for API Gateway — and use cross-stack references with `Fn::ImportValue`.

    CUse `Fn::GetAtt` with `Fn::Sub` and separate the permission resource, ensuring the Lambda function does not reference the API Gateway directly and the `AWS::Lambda::Permission` resource references both independently.

    DRemove the Lambda permission resource and grant API Gateway invoke access through the Lambda execution role instead.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
15. Question 15Select All That ApplySecurity & Compliance

    A SysOps Administrator needs to grant a Lambda function access to decrypt data using a KMS Customer Managed Key (CMK). The KMS key policy currently only allows the key administrator to manage the key. Which changes are required to allow the Lambda function to use the key for decryption? (Select TWO.)

    AAdd a statement to the KMS key policy that allows the Lambda function's execution role to perform `kms:Decrypt`.

    BAttach an IAM policy to the Lambda function's execution role that allows `kms:Decrypt` on the KMS key ARN.

    CAdd the Lambda function's execution role as a key administrator in the KMS key policy.

    DEnable KMS automatic key rotation, which grants all IAM roles decrypt access.

    EShare the KMS key using AWS Resource Access Manager (RAM) with the Lambda function's account.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
16. Question 16Monitoring, Logging & Remediation

    A company runs several AWS Lambda functions for order processing. The SysOps Administrator must be alerted immediately when any Lambda function's error rate exceeds 2% of invocations OR when the throttle count exceeds zero. A single alarm should represent this combined condition. Which approach should the administrator take?

    ACreate a CloudWatch Metric Math expression that calculates the error rate and throttle count, then create a single alarm on the expression.

    BCreate two separate CloudWatch alarms — one for error rate exceeding 2% and one for throttles greater than zero — then combine them using a CloudWatch Composite Alarm with an OR condition.

    CConfigure an EventBridge rule that matches Lambda error and throttle events and sends them to an SNS topic.

    DEnable AWS Lambda Insights and set a single anomaly detection alarm on the combined metric.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
17. Question 17Monitoring, Logging & Remediation

    A SysOps Administrator wants to use Amazon EventBridge to route EC2 instance state-change events to a Lambda function but needs to transform the event payload before delivery. The Lambda function expects a simplified JSON structure containing only the instance ID, state, and timestamp. Which EventBridge feature should the administrator use?

    AConfigure an EventBridge rule with an input transformer that defines an input path to extract the fields and an input template to format the output.

    BConfigure the EventBridge rule to route to an SQS queue, then have a second Lambda function read from the queue and transform the payload.

    CAdd a Lambda layer to the target function that strips unwanted fields from the event before the handler processes it.

    DUse EventBridge Schema Registry to define the simplified schema and enable automatic payload conversion.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
18. Question 18Select All That ApplySecurity & Compliance

    A SysOps Administrator needs to ensure that an IAM role for a Lambda function allows `s3:GetObject` only on a specific S3 bucket prefix (`data/reports/*`) and only during business hours (Monday–Friday, 08:00–18:00 UTC). Which IAM policy elements should be used? (Select TWO.)

    AA `Resource` element specifying `arn:aws:s3:::bucket-name/data/reports/*`.

    BA `Condition` element using `aws:CurrentTime` with `DateGreaterThan` and `DateLessThan` operators to restrict to business hours and `aws:CurrentTime` weekday conditions.

    CA `NotResource` element excluding all other S3 prefixes.

    DA `Principal` element specifying the Lambda function's ARN.

    EAn SCP that restricts `s3:GetObject` to business hours across the organization.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
19. Question 19Monitoring, Logging & Remediation

    A SysOps Administrator configures a CloudWatch alarm that publishes to an SNS topic when the RDS `FreeStorageSpace` metric crosses a threshold. The team requires that the same alarm notification is sent simultaneously to an email distribution list, a PagerDuty HTTPS endpoint, and an AWS Lambda function that runs automated remediation. Which SNS configuration achieves this?

    ACreate three separate SNS topics, each with one subscription type (email, HTTPS, Lambda), and configure the CloudWatch alarm to publish to all three topics.

    BUse a single SNS topic with three subscriptions: one email subscription for the distribution list, one HTTPS subscription for PagerDuty, and one Lambda subscription for the remediation function.

    CCreate one SNS topic with an email subscription and use EventBridge to route the alarm state-change event to PagerDuty and Lambda separately.

    DCreate one SQS queue subscribed to the SNS topic and have PagerDuty and Lambda poll the queue.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
20. Question 20Monitoring, Logging & Remediation

    A development team deploys an AWS Lambda function that processes orders. The team wants the function to emit custom business metrics (e.g., `OrderValue`, `ProcessingTime`) to CloudWatch without making explicit `PutMetricData` API calls, to avoid the overhead and additional IAM permissions. Which approach should the SysOps Administrator recommend?

    AWrite the metrics to the function's standard output as structured JSON using the CloudWatch Embedded Metric Format (EMF) specification, which CloudWatch Logs automatically extracts as custom metrics.

    BUse the AWS SDK to call `PutMetricData` asynchronously after each invocation, which avoids blocking the main function logic.

    CPublish the metrics to an SNS topic, and configure a CloudWatch Logs subscription filter to parse and create metrics.

    DEnable Lambda Insights, which automatically captures custom business metrics alongside performance metrics.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
21. Question 21Select All That ApplyMonitoring, Logging & Remediation

    A SysOps Administrator is troubleshooting latency issues in a distributed application composed of an API Gateway, three Lambda functions, and a DynamoDB table. The team needs an end-to-end trace showing time spent in each service. Which steps must the administrator take? (Select TWO.)

    AEnable active tracing on the API Gateway stage and on each Lambda function by setting the tracing configuration to `Active` mode.

    BInstall the X-Ray daemon on each Lambda function's execution environment manually by including it as a Lambda layer.

    CInstrument the application code using the AWS X-Ray SDK to create subsegments for DynamoDB calls and any downstream HTTP requests.

    DEnable VPC Flow Logs to capture the latency between API Gateway and Lambda.

    EConfigure CloudWatch ServiceLens, which replaces X-Ray and requires no code changes.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
22. Question 22Deployment, Provisioning & Automation

    A SysOps Administrator needs to deploy a CloudFormation template that provisions a Lambda function along with its code stored in an S3 bucket. The template uses the `AWS::Serverless::Function` resource type from SAM. Which `Transform` declaration must be included in the template?

    A`Transform: AWS::Include`

    B`Transform: AWS::Serverless-2016-10-31`

    C`Transform: AWS::CodeDeployBlueGreen`

    D`Transform: AWS::LanguageExtensions`

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
23. Question 23Monitoring, Logging & Remediation

    A developer reports that an AWS Lambda function invoked asynchronously by an S3 event notification occasionally fails. The team wants failed invocations to be sent to an SQS queue for later investigation without modifying the function code. Which feature should the SysOps Administrator configure?

    AA dead-letter queue (DLQ) configured on the Lambda function.

    BA Lambda Destination configured for the `OnFailure` condition pointing to an SQS queue.

    CAn S3 event notification that also publishes to SQS as a fallback.

    DA CloudWatch alarm on the Lambda `Errors` metric that triggers a Lambda function to forward failed event payloads to SQS.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
24. Question 24Select All That ApplyMonitoring, Logging & Remediation

    An application team wants to set up a CloudWatch dashboard that automatically refreshes and shows the P99 latency for their Application Load Balancer alongside the `Invocations` count of a Lambda function. They also want to overlay deployment markers. Which CloudWatch dashboard features support this? (Select TWO.)

    AUse a CloudWatch Metrics widget with the ALB `TargetResponseTime` metric and select the `p99` statistic.

    BUse a CloudWatch Logs Insights widget to calculate P99 latency from ALB access logs.

    CAdd vertical annotations to the dashboard at deployment timestamps to create deployment markers.

    DUse a CloudWatch Contributor Insights widget to calculate P99 latency.

    EEmbed an external Grafana iframe in the CloudWatch dashboard for deployment markers.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
25. Question 25Cost & Performance Optimization

    A company wants to reduce compute costs for a fleet of workloads that includes EC2 instances, Lambda functions, and Fargate tasks. The workloads run in multiple regions and may change instance types over time. Which Savings Plans type provides the broadest coverage across these compute services?

    AEC2 Instance Savings Plans, which offer the highest discount but are locked to a specific instance family and region.

    BCompute Savings Plans, which apply to any EC2 instance (regardless of family, size, OS, tenancy, or region), Lambda, and Fargate usage.

    CSageMaker Savings Plans, which cover SageMaker, Lambda, and Fargate.

    DReserved Instances for EC2 combined with separate Lambda and Fargate reservations.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
26. Question 26Monitoring, Logging & Remediation

    A SysOps administrator is configuring Amazon EventBridge to trigger a Lambda function whenever an IAM policy is changed. The rule has been created but the Lambda function is not being invoked. Which of the following is the MOST LIKELY cause?

    AThe EventBridge rule's event pattern does not match the IAM API calls

    BCloudTrail is not enabled in the region where the EventBridge rule was created

    CThe Lambda function does not have a resource-based policy allowing EventBridge to invoke it

    DThe IAM role attached to EventBridge does not have permission to invoke Lambda

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
27. Question 27Monitoring, Logging & Remediation

    An administrator creates an EventBridge rule to capture EC2 instance state-change notifications and trigger a Lambda function when any instance enters the "stopped" state. The rule is not triggering. The event pattern is shown below: ```json { "source": ["aws.ec2"], "detail-type": ["EC2 Instance State-change Notification"], "detail": { "state": ["Stopped"] } } ``` What is the cause of the issue?

    AThe event pattern is missing the `region` field

    BThe `state` value should be lowercase `stopped` because EventBridge event fields are case-sensitive

    CThe `detail-type` should be `EC2 Instance State Change`

    DEventBridge cannot directly capture EC2 state change events; CloudTrail must be enabled first

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
28. Question 28Monitoring, Logging & Remediation

    An administrator needs to create a CloudWatch alarm that triggers when the total number of errors across three Lambda functions exceeds 100 in a 5-minute period. The metric name is `Errors` under the `AWS/Lambda` namespace, one per function. What is the most efficient approach?

    ACreate three separate alarms and use a CloudWatch composite alarm with an OR condition

    BUse metric math to create an expression `SUM(METRICS("m"))` referencing all three function Errors metrics, then alarm on the expression

    CPublish a custom metric that aggregates errors from all three functions using a Lambda function, then alarm on the custom metric

    DUse CloudWatch Contributor Insights to aggregate the error counts and create an alarm on the insight rule

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
29. Question 29Select All That ApplyDeployment, Provisioning & Automation

    A team needs to store database connection strings that include passwords for multiple environments (dev, staging, prod). The connection strings must be encrypted at rest, support automatic rotation, and be accessible from Lambda functions. (Select TWO.)

    AStore the connection strings in AWS Secrets Manager with automatic rotation enabled using a Lambda rotation function

    BStore the connection strings in SSM Parameter Store SecureString parameters with a KMS key

    CUse Secrets Manager resource-based policies to grant the Lambda execution role access to the secrets

    DStore the connection strings in an encrypted S3 object and use S3 event notifications to handle rotation

    EUse SSM Parameter Store advanced parameters with a TTL policy to force periodic updates

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
30. Question 30Deployment, Provisioning & Automation

    A company uses AWS CDK to deploy a Lambda function. After updating the function code and running `cdk deploy`, the Lambda function's code does not update in AWS. The CDK output shows no changes detected. What is the most likely cause?

    AThe CDK is using an asset hash to detect code changes, and the asset directory was not modified (e.g., only changed files inside a symlinked directory)

    BThe CDK requires `cdk destroy` before redeploying updated Lambda code

    CThe Lambda function was deployed with a reserved concurrency of 0, preventing updates

    DCDK does not support in-place updates of Lambda function code; a new function must be created

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
31. Question 31Security & Compliance

    A SysOps administrator needs to use IAM Access Analyzer to validate that no Lambda function execution roles in the account grant permissions broader than a specific reference policy. Which Access Analyzer feature should be used?

    AAccess Analyzer policy validation to check IAM policies against AWS best practices

    BAccess Analyzer custom policy checks to validate policies against a reference permission set

    CAccess Analyzer finding details to identify Lambda roles with cross-account access

    DAccess Analyzer unused access findings to identify Lambda roles with unused permissions

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
32. Question 32Monitoring, Logging & Remediation

    A SysOps administrator configured Lambda Insights on a function, but the `/aws/lambda-insights` log group shows no data. The function's execution role has the `CloudWatchLambdaInsightsExecutionRolePolicy` attached, and the Lambda Insights extension layer is added. What is the MOST likely cause?

    AThe Lambda Insights layer version is incompatible with the function's runtime version

    BThe function's timeout is set to less than 3 seconds, which is insufficient for the extension to report metrics

    CThe function is running in a VPC without a NAT gateway or VPC endpoint for CloudWatch Logs, so the extension cannot send data

    DLambda Insights requires X-Ray tracing to be enabled on the function

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
33. Question 33Deployment, Provisioning & Automation

    A SysOps administrator has a CloudFormation custom resource backed by a Lambda function. During stack creation, the stack is stuck in `CREATE_IN_PROGRESS` for over an hour. The Lambda function's CloudWatch Logs show successful execution. What is the MOST likely cause?

    AThe Lambda function does not have permission to call CloudFormation APIs

    BThe Lambda function completed execution but did not send a SUCCESS or FAILED response to the CloudFormation pre-signed S3 URL

    CThe CloudFormation custom resource has a `DependsOn` attribute pointing to a resource that has not finished creating

    DThe Lambda function's timeout is set too high, and CloudFormation is waiting for the function to complete

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
34. Question 34Deployment, Provisioning & Automation

    A SysOps administrator is creating a CloudFormation template that provisions a Lambda function and an S3 bucket. The bucket needs a notification configuration that triggers the Lambda function when new objects are created. Creating the stack fails with a circular dependency error. How should this be resolved?

    AAdd a `DependsOn` attribute on the S3 bucket resource referencing the Lambda function

    BSplit the bucket notification configuration into a separate `AWS::S3::BucketNotificationConfiguration` custom resource that depends on both the bucket and the Lambda permission

    CUse a CloudFormation macro to inject the notification configuration after both resources are created

    DRemove the inline notification configuration from the S3 bucket resource and instead use an `AWS::Lambda::Permission` resource along with a separate `AWS::S3::BucketNotification` resource to break the circular dependency

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
35. Question 35Monitoring, Logging & Remediation

    An operations team has configured CloudWatch alarms using metric math expressions. An alarm evaluates `METRICS("m1")/METRICS("m2") * 100` where m1 is error count and m2 is invocation count for a Lambda function. The alarm frequently enters INSUFFICIENT_DATA state even during normal operation. What is the most likely cause?

    AMetric math expressions are not supported in CloudWatch alarms

    BOne or both of the underlying metrics have periods with no data points, and the alarm treat-missing-data setting is configured as "missing"

    CThe Lambda function has not been invoked frequently enough to generate high-resolution metrics

    DThe IAM role for CloudWatch does not have permission to perform metric math calculations

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
36. Question 36Deployment, Provisioning & Automation

    A developer has a CloudFormation template that provisions an Amazon RDS instance, a Lambda function, and an SNS topic. The developer wants to break this monolithic template into smaller, reusable components. Which CloudFormation feature enables this composition while maintaining a single parent stack for lifecycle management?

    ACloudFormation StackSets

    BCloudFormation nested stacks

    CCloudFormation change sets

    DCloudFormation stack imports

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
37. Question 37Deployment, Provisioning & Automation

    A SysOps administrator needs to deploy a Lambda function and an API Gateway endpoint. The administrator wants to define the infrastructure as code and include the Lambda source code inline. The deployment must use a single CLI command. Which tool should the administrator use?

    AAWS CDK with `cdk deploy`

    BAWS SAM with `sam deploy`

    CAWS CloudFormation with `aws cloudformation deploy`

    DAWS Elastic Beanstalk with `eb deploy`

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
38. Question 38Monitoring, Logging, and Remediation

    A SysOps administrator configures a CloudWatch Logs subscription filter to stream logs to Lambda in real time. The Lambda function is not receiving all log events. What is a likely cause?

    ASubscription filters have a throughput limit and logs may be dropped if the filter rate exceeds the Lambda concurrency

    BLambda cannot process CloudWatch Logs subscription events

    CSubscription filters only work with Kinesis, not Lambda

    DCloudWatch Logs delivery to Lambda has 15-minute latency

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
39. Question 39Monitoring, Logging, and Remediation

    A SysOps administrator wants to measure the p99 latency of API calls across multiple Lambda functions. Which CloudWatch feature computes percentile statistics from metric data?

    ACloudWatch metric math

    BCloudWatch percentile statistics (p99) on metric data

    CCloudWatch Contributor Insights

    DX-Ray service map

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
40. Question 40Deployment, Provisioning, and Automation

    A SysOps administrator uses Systems Manager Parameter Store. They want different Lambda functions in different environments to use different parameter values without code changes. How is this achieved?

    AStore parameters with environment-specific paths (e.g., /prod/db/password, /dev/db/password) and use the path prefix as an environment variable in Lambda

    BUse different Parameter Store accounts per environment

    CHard-code environment-specific values in Lambda

    DUse AWS Config to differentiate environments

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
41. Question 41Reliability and Business Continuity

    A SysOps administrator needs to ensure that a critical Lambda function can still execute if one AZ becomes unavailable. What configuration provides AZ resilience?

    ADeploy Lambda to multiple regions

    BLambda automatically executes across all AZs in a region; no configuration needed

    CConfigure Lambda with a multi-AZ VPC configuration with subnets in at least 2 AZs

    DEnable Lambda provisioned concurrency

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
42. Question 42Deployment, Provisioning, and Automation

    A SysOps administrator uses CloudFormation. The template includes a custom resource. What happens when the custom resource's Lambda function returns FAILED?

    ACloudFormation continues deployment ignoring the failure

    BCloudFormation fails the operation and rolls back the stack

    CCloudFormation retries the Lambda function 3 times

    DCloudFormation marks the resource as DELETE_FAILED

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
43. Question 43Security and Compliance

    A SysOps administrator needs to ensure that a Lambda function can only be invoked from within a specific VPC. Which mechanism achieves this?

    ALambda resource policy with VPC condition

    BLambda function URL with auth type AWS_IAM and VPC endpoint restriction

    CVPC endpoint policy for Lambda

    DSecurity group on the Lambda function

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
44. Question 44Monitoring, Logging, and Remediation

    A SysOps administrator needs to monitor the latency of Lambda function invocations and trigger an alert if p99 latency exceeds 5 seconds. Which CloudWatch configuration achieves this?

    ACloudWatch alarm on Lambda Duration metric with AVERAGE statistic

    BCloudWatch alarm on Lambda Duration metric with p99 extended statistic, threshold 5000 ms

    CX-Ray alarm on p99 latency

    DLambda concurrency alarm

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
45. Question 45Security and Compliance

    A SysOps administrator needs to allow a Lambda function in Account B to read from an S3 bucket in Account A. What configuration is needed?

    ACreate an IAM role in Account A and have the Lambda function in Account B assume it

    BAdd a bucket policy in Account A allowing the Lambda function's execution role ARN from Account B

    CBoth A and B work for cross-account S3 access

    DCross-account S3 access is not possible

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz