🛠️ AWS Systems Manager - SOA-C03 Practice Questions

Study Session Manager, Run Command, Patch Manager, Automation, State Manager, Parameter Store, Inventory, and operational remediation workflows.

29Questions Available
3Exam Domains

Practice Systems Manager Questions Now

Start a timed practice session focusing on AWS Systems Manager topics from the SOA-C03 question bank.

Start SOA-C03 Practice Quiz →

SOA-C03 Systems Manager Question Bank (29 Questions)

Browse all 29 practice questions covering AWS Systems Manager for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1Deployment, Provisioning & Automation

    A company requires that all EC2 instances in their fleet have the CloudWatch Agent installed, running, and configured with a specific configuration file from SSM Parameter Store. If an instance's agent stops or the configuration drifts, it must be automatically corrected within 30 minutes. Which Systems Manager feature provides this desired-state enforcement?

    ASSM Run Command executed manually whenever drift is detected.
    BSSM State Manager with an association that applies the CloudWatch Agent configuration document on a 30-minute schedule.
    CSSM Patch Manager with a custom patch baseline that includes the CloudWatch Agent.
    DSSM Inventory to detect which instances are missing the CloudWatch Agent, followed by manual remediation.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  2. Question 2Deployment, Provisioning & Automation

    A SysOps Administrator manages 200 Amazon Linux 2 instances across production and development environments. Production instances must receive only critical security patches, while development instances should receive all available patches. Patches must be applied according to each environment's schedule. Which Systems Manager Patch Manager configuration achieves this?

    ACreate two patch baselines (one for critical-only, one for all patches), assign each baseline to a patch group using tags (`PatchGroup: Production`, `PatchGroup: Development`), and configure separate maintenance windows for each group.
    BCreate a single patch baseline that includes all patches and use IAM policies to restrict which patches are applied to production instances.
    CUse SSM Run Command to manually execute `yum update --security` on production and `yum update` on development on their respective schedules.
    DCreate two SSM Automation documents — one that patches critical-only and one that patches all — and run them on a cron schedule using EventBridge.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  3. Question 3Deployment, Provisioning & Automation

    A SysOps Administrator uses Systems Manager Automation to patch a fleet of EC2 instances. The runbook should stop the instance, create an AMI, start the instance, and apply patches. If any step fails, the instance should be restored from the AMI. Which Systems Manager Automation feature supports this multi-step workflow with rollback?

    AUse a Systems Manager Automation runbook (document) with sequential steps for stop, create AMI, start, and patch, and define an `onFailure` action to roll back using the AMI.
    BCreate separate Systems Manager Run Command documents for each step and chain them using EventBridge rules.
    CUse AWS Step Functions to orchestrate the individual SSM Run Command calls.
    DCreate a maintenance window with multiple tasks assigned to separate task targets.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  4. Question 4Select All That ApplyDeployment, Provisioning & Automation

    A SysOps Administrator runs Systems Manager Patch Manager across a fleet of 200 EC2 instances. After the latest patching cycle, the administrator needs to generate a report showing which instances are compliant, which are non-compliant, and which patches are missing. Which approach provides this report? (Select TWO.)

    AUse the Systems Manager Compliance dashboard, which displays patch compliance status for all managed instances.
    BCreate a resource data sync in Systems Manager to export compliance data to an S3 bucket, then query with Amazon Athena for detailed compliance reports.
    CUse EC2 instance metadata to query the installed patch list on each instance.
    DCheck the CloudTrail event log for `InstallPatches` API calls.
    ERun `aws ssm list-compliance-items` for each individual instance manually.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  5. Question 5Deployment, Provisioning & Automation

    A company uses AWS Systems Manager Patch Manager to patch EC2 instances. Patch compliance reports show that several instances are non-compliant. The administrator needs to apply patches to only the non-compliant instances during the next maintenance window. Which approach should the administrator use?

    ACreate a patch baseline that targets only non-compliant instances
    BUse `AWS-RunPatchBaseline` with the `Scan` operation to identify then manually patch non-compliant instances
    CUse `AWS-RunPatchBaseline` with the `Install` operation — it will only install missing patches on each instance
    DCreate a new maintenance window task that filters instances by the `Patch compliance` tag

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  6. Question 6Deployment, Provisioning & Automation

    A SysOps administrator is using AWS Systems Manager Automation to patch a fleet of EC2 instances. The automation document needs to first create AMI backups of all instances, then apply patches, and finally verify patch compliance. If the patching step fails, the AMI backups should be used to restore the instances. Which Systems Manager Automation feature supports this workflow?

    AUse an Automation document with multiple steps and configure `onFailure: step:RestoreFromAMI` on the patching step
    BUse a maintenance window with sequential tasks
    CCreate separate automation documents for each step and chain them using EventBridge
    DUse Step Functions to orchestrate the Systems Manager Run Command calls

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  7. Question 7Monitoring, Logging, and Remediation

    A SysOps administrator uses Systems Manager Patch Manager. They want to see a report of patch compliance across all managed instances. Where is this visible?

    ASystems Manager Patch Manager compliance dashboard and AWS Config aggregated view
    BCloudTrail event history
    CAmazon Inspector vulnerability report
    DAWS Security Hub only

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  8. Question 8Deployment, Provisioning, and Automation

    A SysOps administrator uses AWS Systems Manager State Manager. What is State Manager's primary use case?

    ADeploy new EC2 instances from AMIs
    BContinuously apply and maintain desired configuration state on EC2 instances (e.g., ensure agents are installed and running)
    CAutomate CloudFormation deployments
    DManage S3 bucket policies

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  9. Question 9Deployment, Provisioning, and Automation

    A SysOps administrator uses Systems Manager Automation. What is an Automation runbook?

    AA bash script stored in S3
    BA YAML/JSON document defining steps for automated operations (e.g., restart, patch, AMI creation)
    CA CloudFormation template for automation
    DAn IAM policy for automation permissions

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  10. Question 10Security and Compliance

    A SysOps administrator uses AWS Systems Manager Parameter Store. Which parameter type encrypts the value at rest using KMS?

    AString
    BStringList
    CSecureString
    DEncryptedString

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  11. Question 11Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS Systems Manager Inventory. What does Inventory collect?

    AFinancial cost data for managed instances
    BInstance metadata including installed applications, OS patches, running services, and network configuration
    CCloudTrail API call logs
    DAMI and snapshot inventory

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  12. Question 12Deployment, Provisioning, and Automation

    A SysOps administrator uses Systems Manager Parameter Store. They want different Lambda functions in different environments to use different parameter values without code changes. How is this achieved?

    AStore parameters with environment-specific paths (e.g., /prod/db/password, /dev/db/password) and use the path prefix as an environment variable in Lambda
    BUse different Parameter Store accounts per environment
    CHard-code environment-specific values in Lambda
    DUse AWS Config to differentiate environments

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  13. Question 13Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS Systems Manager Patch Manager. Instances are patching successfully but the compliance report shows 'Missing patches'. What is the cause?

    AThe patch baseline is too restrictive
    BThe patch baseline includes patches not yet approved — they are listed as 'Missing' until approved and applied
    CThe SSM agent is not running on the instances
    DThe Maintenance Window did not run

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  14. Question 14Deployment, Provisioning, and Automation

    A SysOps administrator uses Systems Manager Patch Manager with a custom patch baseline. They want to exclude a specific patch (CVE-2024-XXXXX) that conflicts with the application. How is this done?

    AAdd the patch to the Rejected Patches list in the patch baseline
    BRemove the patch from the AWS patch repository
    CSet the Patch Compliance Level to UNSPECIFIED for that patch
    DPatches cannot be excluded from baselines

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  15. Question 15Deployment, Provisioning & Automation

    An auditor requires proof that all managed EC2 instances have the latest SSM Agent version and the required antivirus software installed. Which Systems Manager feature provides a unified compliance view against these requirements?

    ASystems Manager Inventory
    BSystems Manager Compliance
    CSystems Manager Patch Manager
    DSystems Manager Session Manager audit logs

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  16. Question 16Select All That ApplyMonitoring, Logging & Remediation

    A company has a CloudWatch alarm configured for an RDS instance's `FreeStorageSpace` metric. The alarm should notify the DBA team via email AND automatically execute an SSM Automation document that increases the allocated storage. Which configuration supports BOTH actions from a single alarm? (Select TWO.)

    AAdd an alarm action that publishes to an SNS topic subscribed by the DBA team's email addresses.
    BAdd an alarm action that triggers the SSM Automation document `AWS-ResizeRDSInstance` directly.
    CCreate an EventBridge rule that matches the CloudWatch alarm state change to ALARM and targets the SSM Automation document.
    DConfigure the alarm to invoke a Lambda function that sends the email and runs the Automation document.
    EAdd a second alarm action pointing to a second SNS topic that triggers an SSM Automation execution via an EventBridge rule.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  17. Question 17Deployment, Provisioning & Automation

    A SysOps Administrator needs to reference an SSM Parameter Store parameter containing a database password in a CloudFormation template, so the password is resolved at stack creation time without hardcoding it. Which CloudFormation feature should be used?

    AUse `Fn::ImportValue` to import the parameter from another stack's exports.
    BUse a CloudFormation dynamic reference with the `ssm-secure` resolve syntax: `{{resolve:ssm-secure:parameter-name}}`.
    CUse a `Fn::GetAtt` intrinsic function to retrieve the parameter value from SSM.
    DPass the database password as a `NoEcho` parameter in the CloudFormation template.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  18. Question 18Select All That ApplyDeployment, Provisioning & Automation

    A company uses AWS Systems Manager to manage a fleet of 200 EC2 instances. The administrator needs to understand the different types of SSM documents. Which statement correctly describes the three main document types? (Select TWO.)

    A**Command documents** are used by SSM Run Command and State Manager to execute commands on managed instances (e.g., installing software, running scripts).
    B**Automation documents** define multi-step workflows that can interact with AWS APIs (e.g., creating snapshots, restarting instances, approving changes).
    C**Policy documents** define CloudWatch Agent configurations and are used exclusively by the CloudWatch Agent.
    D**Command documents** can only run PowerShell scripts on Windows instances and cannot execute Bash scripts on Linux.
    E**Automation documents** can only be run manually from the SSM console and do not support EventBridge or maintenance window triggers.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  19. Question 19Deployment, Provisioning & Automation

    A SysOps Administrator needs to run the `AWS-RunPatchBaseline` document on 500 instances simultaneously using SSM Run Command. To avoid overwhelming the fleet, the administrator wants to limit execution to 50 instances at a time with a maximum failure threshold of 10%. Which Run Command parameters should be configured?

    ASet `MaxConcurrency` to `50` and `MaxErrors` to `10%`.
    BSet `TimeoutSeconds` to 50 and `RetryAttempts` to 10.
    CSet `Targets` to 50 instances per batch using multiple Run Command invocations.
    DSet `RateControl` to `50/minute` and `ErrorThreshold` to `10%`.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  20. Question 20Deployment, Provisioning & Automation

    A SysOps administrator needs to configure SSM Patch Manager to automatically patch Amazon Linux 2 instances every Tuesday at 2:00 AM UTC. Patches should only include security updates rated Critical and Important. Which configuration is correct?

    ACreate a custom patch baseline with approval rules filtering by classification "Security" and severity "Critical" and "Important", associate it with the instances' patch group, then create a maintenance window scheduled for every Tuesday at 2:00 AM UTC with an `AWS-RunPatchBaseline` task
    BModify the default AWS-AmazonLinux2DefaultPatchBaseline to only include Critical and Important security patches, then schedule SSM State Manager to run patching every Tuesday
    CCreate a custom patch baseline and use an EventBridge scheduled rule to trigger a Lambda function that runs `aws ssm send-command` with `AWS-RunPatchBaseline` every Tuesday
    DUse the AWS-AmazonLinux2DefaultPatchBaseline, which already filters for Critical and Important patches, and create a maintenance window for weekly execution

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  21. Question 21Deployment, Provisioning & Automation

    A SysOps administrator is configuring SSM Parameter Store and needs to decide between standard and advanced parameters for a set of configuration values. One parameter must store a value that is 12 KB in size. Which statement is correct?

    AStandard parameters support values up to 4 KB; the administrator must use an advanced parameter for the 12 KB value
    BStandard parameters support values up to 8 KB; the administrator must use an advanced parameter for the 12 KB value
    CStandard parameters have no size limit; advanced parameters are only needed for parameter policies
    DBoth standard and advanced parameters support up to 64 KB values; the choice depends only on throughput needs

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  22. Question 22Select All That ApplyDeployment, Provisioning & Automation

    A SysOps administrator needs to migrate application secrets from SSM Parameter Store SecureString parameters to AWS Secrets Manager for automatic rotation support. What considerations should the administrator account for? (Select TWO.)

    ASecrets Manager secrets have a different ARN format and API than SSM parameters, so application code referencing the parameters must be updated
    BSecrets Manager natively supports automatic rotation for Amazon RDS, Amazon Redshift, and Amazon DocumentDB credentials using built-in Lambda rotation functions
    CSecrets Manager secrets cannot be encrypted with customer-managed KMS keys, only the AWS-managed key
    DSSM Parameter Store SecureString parameters can be directly converted to Secrets Manager secrets using an AWS CLI command
    ESecrets Manager charges per secret stored and per 10,000 API calls, whereas SSM Parameter Store standard parameters are free

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  23. Question 23Deployment, Provisioning & Automation

    An administrator is using SSM Patch Manager and discovers that some instances are showing as "Non-Compliant" even though all patches have been applied. The non-compliant patches are listed as "Installed Rejected." What does this status indicate?

    AThe patches were installed but are on the patch baseline's rejection list, indicating they should be uninstalled
    BThe patches failed to install and were rejected by the operating system
    CThe patches were installed successfully but the patch baseline approval rules have not been met
    DThe patches are pending a reboot before they can be reported as compliant

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  24. Question 24Deployment, Provisioning & Automation

    A SysOps administrator manages 500 EC2 instances across multiple accounts using AWS Systems Manager. The team needs to ensure that all instances have a specific set of packages installed and a configuration file updated daily at 2 AM UTC. Which SSM feature is the BEST fit?

    ACreate an SSM Run Command document and schedule it with a CloudWatch Events cron rule
    BCreate an SSM State Manager association with the desired document, apply it to targets using resource groups, and configure a cron schedule expression for daily 2 AM UTC execution
    CCreate an SSM Maintenance Window with a daily 2 AM UTC schedule and register the instances as targets with the Run Command task
    DDeploy a Lambda function on a 2 AM schedule that iterates over all instances and invokes SSM Run Command for each one

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  25. Question 25Deployment, Provisioning & Automation

    A SysOps administrator manages a fleet of EC2 instances using SSM State Manager. An association is configured to apply a security baseline document to all instances tagged `Environment=Production`. A new instance was launched with the correct tags 30 minutes ago but the association has not yet applied. What is the MOST likely reason?

    AState Manager associations with tag-based targets can take up to 1 hour to detect newly launched instances through periodic target resolution
    BThe instance's SSM agent version is too old to support State Manager associations
    CState Manager only applies associations at the scheduled time; newly launched instances must wait for the next scheduled execution
    DThe instance must be manually registered as a managed instance before State Manager can apply associations

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  26. Question 26Deployment, Provisioning & Automation

    A SysOps administrator has an SSM State Manager association that runs a shell script on Linux instances every 6 hours. Some instances report association compliance status as "Non-Compliant." What does this mean?

    AThe instances failed to execute the script, or the script exited with a non-zero exit code during the last association execution
    BThe SSM agent on those instances is running an outdated version and needs to be updated
    CThe instances are not included in the association targets and are receiving the association in error
    DThe instances executed the script successfully but the output did not match an expected compliance pattern defined in the document

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  27. Question 27Deployment, Provisioning, and Automation

    A SysOps administrator uses AWS Config and wants to automatically remediate S3 buckets that have server-side encryption disabled. Which SSM Automation document is used?

    AAWS-EnableS3BucketEncryption
    BAWS-ConfigureS3BucketVersioning
    CAWS-SetS3BucketPublicAccessBlock
    DCustom Lambda function required

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  28. Question 28Deployment, Provisioning, and Automation

    A SysOps administrator uses SSM Session Manager. What are the security advantages over traditional SSH bastion hosts?

    ASession Manager requires no open inbound ports (no SSH port 22), uses IAM authentication, logs sessions to CloudWatch/S3, and works without a bastion host
    BSession Manager is faster than SSH
    CSession Manager supports only Windows instances
    DSession Manager requires VPN access

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  29. Question 29Deployment, Provisioning, and Automation

    A SysOps administrator uses Systems Manager and needs to execute a shell command on 500 instances simultaneously. Which SSM capability handles this at scale?

    ASSM Session Manager
    BSSM Run Command with a Rate Control (Max Concurrency and Max Error configuration)
    CSSM State Manager
    DSSM Automation

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz

Key Systems Manager Concepts for SOA-C03

systems managerssmsession managerrun commandpatch managerautomationstate managerparameter storeinventory

SOA-C03 Systems Manager Exam Tips

AWS Systems Manager questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: systems manager, ssm, session manager, run command, patch manager, automation.

What SOA-C03 Expects

  • Anchor your answer in prioritize operational visibility and repeatable runbook-ready automation.
  • Systems Manager scenarios for SOA-C03 are frequently mapped to Domain 1 (22%), Domain 3 (22%), Domain 4 (16%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Systems Manager interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Systems Manager Concepts

  • Know the core Systems Manager building blocks cold: systems manager, ssm, session manager, run command.
  • Review the edge-case features and limits for patch manager, automation; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Systems Manager pairs with EC2, EventBridge, IAM, AWS Config in real deployment patterns.
  • For SOA-C03, explain why the chosen Systems Manager design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Monitoring, Logging, Analysis, Remediation, and Performance Optimization often include distractors that look correct for Systems Manager but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Systems Manager implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for Systems Manager without relying on default-open assumptions?
  • Can you describe how Systems Manager integrates with EC2 and EventBridge during failure, scaling, and monitoring events?

Exam Domains Covering Systems Manager

Domain 1Monitoring, Logging, Analysis, Remediation, and Performance Optimization22%Domain 3Deployment, Provisioning, and Automation22%Domain 4Security and Compliance16%

Related Resources

🎯 Free SOA-C03 Mock Exam EC2 Questions EventBridge Questions IAM Questions AWS Config Questions

More SOA-C03 Study Resources

← SOA-C03 Study Hub30-Day Study PlanFull Practice Exam