🏢 AWS Organizations - SOA-C03 Practice Questions

Understand multi-account operations with service control policies, delegated administration, consolidated trails, backup policies, and governance.

13 Questions Available
2 Exam Domains


SOA-C03 Organizations Question Bank (13 Questions)

Browse all 13 practice questions covering AWS Organizations for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Security & Compliance)

    A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no account in the "Production" OU can launch EC2 instances in any Region other than `eu-west-1` and `eu-central-1`. Which SCP strategy should the administrator apply?

    A. Attach an SCP to the Production OU that explicitly allows `ec2:RunInstances` only in `eu-west-1` and `eu-central-1` and denies all other actions
    B. Attach an SCP to the Production OU that denies `ec2:RunInstances` with a `StringNotEquals` condition on `aws:RequestedRegion` for `eu-west-1` and `eu-central-1`
    C. Remove the `FullAWSAccess` SCP from the Production OU to deny all actions by default
    D. Create IAM policies in each account that restrict Region usage

    Answer hidden for practice.
  2. Question 2 (Security & Compliance)

    An organization wants to prevent any member account in AWS Organizations from creating S3 buckets without server-side encryption. Which SCP most effectively enforces this?

    A. An SCP that denies `s3:CreateBucket` when the condition key `s3:x-amz-server-side-encryption` is not present
    B. An SCP that denies `s3:PutObject` when `s3:x-amz-server-side-encryption` is not present, applied to the root OU
    C. An SCP that denies `s3:CreateBucket` unless the requesting principal is the management account
    D. An SCP that denies `s3:PutBucketEncryption` to prevent users from disabling encryption after bucket creation
  3. Question 3 (Security & Compliance)

    A SysOps administrator wants to use AWS Organizations SCPs to prevent any EC2 instance from running without a specific tag (`CostCenter`). What SCP condition achieves this?

    A. SCP Deny on `ec2:RunInstances` with a condition that `aws:RequestTag/CostCenter` does not equal any value (the tag is missing)
    B. SCP Deny on `ec2:CreateTags`
    C. SCP Allow on `ec2:RunInstances` for all instances
    D. Config rule for required tags with auto-remediation
  4. Question 4 (Select All That Apply; Monitoring, Logging & Remediation)

    An organization has multiple AWS accounts under AWS Organizations. The central operations team needs a single CloudWatch dashboard in the management account that displays EC2 CPU utilization metrics from five workload accounts. What must the administrator configure? (Select TWO)

    A. Enable CloudWatch cross-account observability by creating a monitoring account link in each source account
    B. Create an IAM role in each workload account that trusts the management account and allows `cloudwatch:GetMetricData`
    C. In the management account, configure the CloudWatch console to add the source accounts as linked accounts
    D. Replicate all metrics to the management account using Kinesis Data Firehose
    E. Enable sharing of CloudWatch data in each source account through the CloudWatch cross-account settings
  5. Question 5 (Security & Compliance)

    A company uses AWS Organizations with several organizational units (OUs). The security team requires that no AWS account in the `Production` OU can launch EC2 instances in any Region other than `eu-west-1` and `eu-central-1`. Which approach should the administrator implement?

    A. Create an SCP attached to the Production OU that denies all EC2 actions unless `aws:RequestedRegion` is `eu-west-1` or `eu-central-1`
    B. Create an IAM policy in each account that restricts EC2 actions to the specified Regions
    C. Use AWS Config in each account to terminate instances launched in unapproved Regions
    D. Configure VPC settings in each account to only allow resources in the specified Regions
  6. Question 6 (Deployment, Provisioning & Automation)

    A company manages 15 AWS accounts under AWS Organizations. The operations team needs to deploy a standardized VPC with specific CIDR ranges, subnets, and route tables to all accounts in the "Production" OU. Which approach requires the LEAST operational overhead?

    A. Create a CloudFormation StackSet targeting the Production OU with automatic deployment enabled, using the service-managed permission model
    B. Write a script that assumes a role in each account and runs `aws cloudformation create-stack` in a loop
    C. Use AWS Service Catalog to create a VPC product and share the portfolio with the Production OU accounts
    D. Deploy the VPC in the management account and use AWS Resource Access Manager (RAM) to share subnets with member accounts
  7. Question 7 (Security & Compliance)

    A SysOps administrator is setting up AWS IAM Identity Center (AWS SSO) for a multi-account organization. The security team requires that developers in the `Development` OU have read-only access to all AWS services, while infrastructure engineers in the same OU have full EC2 and S3 access but no IAM permissions. How should the administrator configure this?

    A. Create two permission sets: one with the `ViewOnlyAccess` AWS managed policy and one with custom policies granting EC2/S3 full access but explicitly denying IAM actions; assign each permission set to the appropriate group
    B. Create a single permission set with both policies and use session tags to differentiate access between developers and infrastructure engineers
    C. Create two separate AWS accounts within the Development OU and assign different IAM policies in each account
    D. Assign the `PowerUserAccess` managed policy permission set to both groups and use an SCP to restrict IAM access for infrastructure engineers
  8. Question 8 (Security & Compliance)

    A SysOps administrator enabled GuardDuty in a multi-account organization setup. The administrator account receives findings from all member accounts. A member account reports a `Recon:EC2/PortProbeUnprotectedPort` finding for an internet-facing EC2 instance running a public-facing web application. This is expected behavior. The administrator wants to suppress this finding type only for this specific instance. What is the correct approach?

    A. Create a GuardDuty suppression rule in the administrator account with a filter for the finding type `Recon:EC2/PortProbeUnprotectedPort` and the instance ID of the specific EC2 instance
    B. Add the EC2 instance's public IP to the GuardDuty trusted IP list in the member account
    C. Disable the `Recon:EC2/PortProbeUnprotectedPort` detector in GuardDuty for the member account
    D. Create an EventBridge rule in the member account to auto-archive findings matching this type and instance
  9. Question 9 (Networking & Content Delivery)

    A company has a centralized networking account and multiple application accounts in AWS Organizations. The networking team wants to share specific subnets of a VPC with application accounts so that EC2 instances launched by application teams reside in the shared VPC. Which service should the networking team use?

    A. VPC peering between the networking account and each application account
    B. AWS Resource Access Manager (RAM) to share VPC subnets
    C. AWS Transit Gateway with VPC attachments from each account
    D. AWS PrivateLink to create interface endpoints in each application account
  10. Question 10 (Security & Compliance)

    A SysOps administrator uses AWS Organizations and wants to prevent member accounts from leaving the organization. Which control enforces this?

    A. SCP denying `organizations:LeaveOrganization`
    B. IAM policy in each member account
    C. AWS Config rule
    D. AWS Control Tower guardrail
  11. Question 11 (Security & Compliance)

    A SysOps administrator uses AWS Organizations and wants a consolidated compliance view of all Config rule evaluations across all accounts. Which service provides this?

    A. AWS Security Hub
    B. AWS Config aggregator
    C. AWS Trusted Advisor
    D. CloudFormation StackSets compliance view
  12. Question 12 (Security & Compliance)

    A SysOps administrator uses AWS Organizations and wants to restrict access to specific AWS services in member accounts. Which control achieves this?

    A. IAM policies in each member account
    B. Service control policies (SCPs) at the OU or account level
    C. AWS Config rules
    D. Security Hub standards
  13. Question 13 (Security & Compliance)

    An organization has an AWS Organization with a root, a "Production" OU nested under the root, and a "Team-A" OU nested under "Production". An SCP attached to the root denies `ec2:TerminateInstances`, while the Production OU has an SCP that allows all EC2 actions. Can an IAM user in Team-A's account terminate EC2 instances?

    A. Yes: the Production OU SCP explicitly allows EC2 actions, which overrides the root deny.
    B. No: SCPs are evaluated as an intersection; the deny at the root blocks `ec2:TerminateInstances` regardless of the allow at the Production OU level.
    C. Yes: child OU SCPs take precedence over parent OU SCPs.
    D. It depends on the IAM policy attached to the user; SCPs only set the maximum permissions boundary.
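The evaluation rules that Questions 1, 3, 5, 10 and 13 all turn on (pinning Regions with `aws:RequestedRegion`, requiring a tag through the `Null` condition, denying `organizations:LeaveOrganization`, and the intersection of SCPs across nested OUs) can be exercised offline. The simulator below is an added worked example, not part of the original question bank or of any AWS tooling; the policies, the root/Production/Team-A layout and the request contexts are constructed for the demonstration, and the evaluator models only the statement forms and condition operators those policies use.

```python
"""Simulate SCP evaluation along an OU path (added example, not from the page).

At each level (root, OU, account) an action passes only if an Allow statement
matches it and no Deny statement does; the account's effective permission is
the INTERSECTION of all levels, so a Deny anywhere on the path wins and an Allow
(normally FullAWSAccess) must be present at every level. SCPs never grant
permissions by themselves; an IAM policy must still allow the action.
Policies and request contexts below are constructed for this demo.
"""
from fnmatch import fnmatchcase

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Attached at the root: deny TerminateInstances and deny leaving the organization.
ROOT_GUARDRAILS = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
]}

# Attached to the Production OU: pin Regions and require a CostCenter tag.
# NotAction exempts global services (their calls are signed for us-east-1);
# a bare "Action": "*" Region deny would lock accounts out of IAM and STS.
PRODUCTION_GUARDRAILS = {"Statement": [
    {"Effect": "Deny",
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                   "cloudfront:*", "route53:*", "budgets:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {
         "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(stmt, action):
    """IAM action names are case-insensitive and support * wildcards."""
    a = action.lower()
    if "Action" in stmt:
        return any(fnmatchcase(a, p.lower()) for p in _as_list(stmt["Action"]))
    return not any(fnmatchcase(a, p.lower()) for p in _as_list(stmt["NotAction"]))


def _condition_met(cond, ctx):
    """Only the operators used above; anything else raises rather than passing."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringNotEquals":
                # Negated operators also match when the key is absent from the request.
                ok = actual not in _as_list(expected)
            elif op == "Null":
                ok = (actual is None) == (str(expected).lower() == "true")
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True


def level_permits(policies, action, ctx):
    """One level of the hierarchy: needs a matching Allow and no matching Deny."""
    allowed = denied = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if _action_matches(stmt, action) and _condition_met(stmt.get("Condition", {}), ctx):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def effective_permits(path, action, ctx):
    """Intersection over every (level name, [policies]) pair from root to account."""
    return all(level_permits(policies, action, ctx) for _, policies in path)


# root -> Production OU -> Team-A OU -> member account (the Question 13 layout).
TEAM_A_PATH = [
    ("root", [FULL_AWS_ACCESS, ROOT_GUARDRAILS]),
    ("Production", [FULL_AWS_ACCESS, PRODUCTION_GUARDRAILS]),
    ("Team-A", [FULL_AWS_ACCESS]),
    ("account", [FULL_AWS_ACCESS]),
]

if __name__ == "__main__":
    for action, ctx in [
        ("ec2:TerminateInstances", {"aws:RequestedRegion": "eu-west-1"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-east-1", "aws:RequestTag/CostCenter": "1234"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1", "aws:RequestTag/CostCenter": "1234"}),
    ]:
        verdict = "ALLOW" if effective_permits(TEAM_A_PATH, action, ctx) else "DENY"
        print(f"{action:24} {ctx} -> {verdict}")
```

Running it prints one verdict per constructed request: the root deny blocks `ec2:TerminateInstances` even though every lower level allows it, a launch outside the pinned Regions or without the `CostCenter` tag is denied, and only the tagged launch in `eu-west-1` passes. Two caveats the simulator makes visible: the `NotAction` exemption is what keeps IAM, STS and Organizations calls working under a Region deny, and a level with no Allow statement at all (FullAWSAccess detached) denies everything beneath it. SCPs do not apply to the management account, so the evaluator should only be read as modelling member accounts.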

Key Organizations Concepts for SOA-C03

Organizations, organization, SCP, service control policy, delegated administrator, multi-account, OU

SOA-C03 Organizations Exam Tips

AWS Organizations questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: the organization root and OUs, SCPs (service control policies), delegated administrators, and multi-account patterns.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • Organizations scenarios for SOA-C03 are frequently mapped to Domain 1 (Monitoring, Logging, Analysis, Remediation, and Performance Optimization, 22%) and Domain 4 (Security and Compliance, 16%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Organizations interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Organizations Concepts

  • Know the core Organizations building blocks cold: the organization root, OUs, member accounts, and SCPs.
  • Review the edge-case features and limits for delegated administrators and multi-account patterns; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Organizations pairs with IAM, CloudTrail, AWS Config in real deployment patterns.
  • For SOA-C03, explain why the chosen Organizations design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Monitoring, Logging, Analysis, Remediation, and Performance Optimization often include distractors that look correct for Organizations but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Organizations implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for Organizations without relying on default-open assumptions?
  • Can you describe how Organizations integrates with IAM and CloudTrail during failure, scaling, and monitoring events?
