Pass the Amazon Web Services AWS Certified Associate SOA-C03 Questions and answers with ExamsMirror

The Storage Gateway service enables hybrid cloud backup by presenting local block storage that synchronizes with AWS cloud storage. For scenarios where all data must remain available locally while still backed up to AWS, the correct mode is gateway-stored volumes.

AWS documentation defines:

“Use stored volumes if you want to keep all your data locally while asynchronously backing up point-in-time snapshots to Amazon S3 for durable storage.”

These volumes expose an iSCSI interface compatible with POSIX file systems, allowing direct use by on-premises backup software.

Gateway-cached volumes (Option C) store primary data in AWS with limited local cache, violating the “all data must be available locally” requirement. Options A and B are object-based storage solutions, not compatible with POSIX or block-based backup applications.

Therefore, Option D fully satisfies CloudOps reliability and continuity best practices by ensuring local availability, cloud durability, and POSIX compatibility for backups.

References (AWS CloudOps Documents / Study Guide):

• AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide – Domain 2: Reliability and Business Continuity

• AWS Storage Gateway User Guide – Stored Volumes Overview

• AWS Well-Architected Framework – Reliability Pillar

• AWS Hybrid Cloud Storage Best Practices

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

EC2 Instance Connect Endpoint (EIC Endpoint) enables SSH to instances in private subnets without public IPs and without needing to traverse the public internet. CloudOps guidance explains that you deploy the endpoint in the same VPC/subnet as the targets, then allow inbound SSH on the instance security group from the endpoint’s security group. Access is governed by IAM—administrators must have Instance Connect permissions; while the example uses a broad policy, the key mechanism is EIC in the private subnet plus SG rules scoped to the endpoint. Systems Manager Session Manager can provide shell access without SSH, but the requirement explicitly states “connect through SSH,” making EIC the purpose-built solution. Options B and D misuse Systems Manager for SSH and propose unnecessary SG changes or incorrect endpoint placement; Option C places the endpoint in a public subnet, which is not required for private SSH access. Therefore, creating an EC2 Instance Connect endpoint in the private subnet and updating SGs accordingly meets the requirement while keeping the instance non-internet-exposed.

References (AWS CloudOps Documents / Study Guide):

• AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide – Security and Compliance

• Amazon EC2 – Instance Connect Endpoint (Private SSH Access)

• AWS Well-Architected Framework – Security Pillar (Least Privilege Network Access)

According to the AWS Cloud Operations and ElastiCache documentation, cache evictions occur when the cache runs out of memory and must remove items to make space for new data.

To reduce evictions and retain frequently accessed items, AWS recommends increasing the total available memory — either by scaling up to larger node types or scaling out by adding shards/nodes. Migrating to a cluster with larger nodes is the simplest and most efficient solution because it immediately expands capacity without architectural changes.

Adjusting TTL (Options B and C) controls expiration timing, not memory allocation. Adding a single node (Option A) may help, but redistributing data requires resharding, introducing more complexity.

Thus, Option D provides the lowest operational overhead and ensures high cache hit rates by increasing total cache memory.

According to the AWS Cloud Operations and Networking documentation, instances in a private subnet do not have a direct route to the internet gateway and thus require a NAT gateway for outbound internet access.

The correct configuration is to create a NAT gateway in the public subnet, associate an Elastic IP address, and then update the private subnet’s route table to send all 0.0.0.0/0 traffic to the NAT gateway. This enables instances in the private subnet to initiate outbound connections while keeping inbound traffic blocked for security.

Placing the NAT gateway inside the private subnet (Options C or D) prevents connectivity because it would not have a route to the internet gateway. Configuring routes from the public subnet to the NAT gateway (Option B) does not serve private subnet traffic.

Hence, Option A follows AWS best practices for enabling secure, managed, outbound-only internet access from private resources.

The AWS Cloud Operations and Security documentation specifies that for Amazon CloudFront, automatic certificate renewal is only supported for certificates issued by AWS Certificate Manager (ACM). When a certificate is managed by ACM and validated through DNS validation, ACM automatically renews the certificate before expiration without requiring manual intervention.

Option A ensures that the certificate is issued and managed by ACM, enabling full integration with CloudFront. Option E (DNS validation) is essential for automation; AWS performs revalidation automatically as long as the DNS validation record remains in place.

By contrast, email validation (Option D) requires manual user confirmation upon renewal, which prevents automatic renewals. Certificates issued by third-party certificate authorities (Option B) are manually managed and must be reimported into ACM after renewal. CloudFront does not have a direct feature (Option C) to renew certificates; it relies on ACM’s lifecycle management.

Thus, combining ACM-issued certificates (A) with DNS validation (E) ensures continuous, automated renewal with no downtime or human action required.

According to the AWS Cloud Operations and Deployment documentation, EC2 Image Builder is the AWS-managed service for automating the creation, maintenance, validation, and deployment of secure and compliant Amazon Machine Images (AMIs).

It allows CloudOps teams to define image pipelines that include only approved software modules and configuration scripts. EC2 Image Builder automatically tests and verifies these AMIs for compliance before deployment.

This process ensures configuration consistency, eliminates manual installation errors, and simplifies ongoing patch management. The service integrates with AWS Systems Manager, Amazon Inspector, and AWS CloudFormation for end-to-end automation.

In contrast:

Amazon Detective and GuardDuty (Options A & B) are security monitoring tools, not image management solutions.

Run Command (Option C) applies ad-hoc updates but does not create standard, reusable AMIs.

Therefore, Option D is correct—EC2 Image Builder provides the most operationally efficient and compliant way to create an approved baseline AMI for future deployments.

AWS CloudOps governance best practices emphasize centralized account management and preventive guardrails. AWS Control Tower integrates directly with AWS Organizations and provides “Region deny controls” and “Service Control Policies (SCPs)” that apply automatically to all existing and newly created member accounts. SCPs are organization-wide guardrails that define the maximum permissions for accounts. They can explicitly deny actions such as launching EC2 instances in a specific Region, or block root user access.

To prevent CloudTrail log deletion, SCPs can also include denies on cloudtrail:DeleteTrail and s3:DeleteObject actions targeting the CloudTrail log S3 bucket. These SCPs ensure that no user, including administrators, can violate the compliance requirements.

AWS documentation under the Security and Compliance domain for CloudOps states:

“Use AWS Control Tower to establish a secure, compliant, multi-account environment with preventive guardrails through service control policies and detective controls through AWS Config.”

This approach meets all stated needs: centralized enforcement, automatic propagation to new accounts, region-based restrictions, and immutable audit logs. Options A, B, and D either detect violations reactively or lack complete enforcement and automation across future accounts.

References (AWS CloudOps Documents / Study Guide):

• AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide – Domain 4: Security and Compliance

• AWS Control Tower – Preventive and Detective Guardrails

• AWS Organizations – Service Control Policies (SCPs)

• AWS Well-Architected Framework – Security Pillar (Governance and Centralized Controls)

According to AWS Cloud Operations and VPC Networking documentation, when VPCs are peered, security groups can reference peer account security groups directly to restrict traffic between them.

This feature allows specifying the security group ID (sg-1234abcd) from the source account (111122223333) in the target database’s security group inbound rule. AWS automatically validates that the VPCs are connected through an existing VPC peering connection and that mutual permissions are properly configured.

You do not prefix the security group ID with the account or peering connection (Options A and B), and using the destination account ID (Option D) is incorrect because it represents the database side, not the source.

Hence, the correct configuration is Option C, which references the application servers’ security group directly for precise, least-privilege access control.

According to the AWS Cloud Operations and Compute Optimizer documentation, Compute Optimizer provides right-sizing recommendations by analyzing Amazon CloudWatch metrics and instance configuration data. However, AWS explicitly notes that only supported instance types are included in Compute Optimizer analyses. If an EC2 instance type is newly released or not yet supported by Compute Optimizer, it will not appear in the Compute Optimizer dashboard until official support is added.

The documentation explains that “Compute Optimizer analyses only supported resource types and instance families. Instances using unsupported or newly launched instance types will not appear in the Compute Optimizer console.” This ensures the service provides accurate recommendations based on sufficient performance history and benchmark data.

While CloudWatch metrics are required for analysis, the complete absence of instances from the dashboard — rather than “insufficient metric data” notifications — indicates unsupported instance types. Compute Optimizer would normally still display those with limited metrics but would flag them as “insufficient data,” not remove them entirely.

Therefore, the most accurate cause of missing instances in this case is that Compute Optimizer does not support the newly released instance types, making option B correct.

According to the AWS Cloud Operations and Security documentation, AWS CloudTrail is the authoritative service for recording API activity across all AWS services within an account.

When an access key is compromised, CloudTrail logs all API requests made using that key, including details such as:

The user identity (access key ID) that made the request,

The service, operation, resource, and timestamp affected, and

The source IP address and region of the request.

By searching the CloudTrail event history for the specific access key ID, the CloudOps engineer can identify every action performed by that key during the suspected breach window.

Other options are incorrect:

EventBridge (A) is event-driven, not historical.

CloudWatch Logs (B) monitors system logs, not AWS API activity.

VPC Flow Logs (D) track network-level traffic, not API calls.

Therefore, the correct solution is Option C — using AWS CloudTrail event history to audit and trace all actions executed via the compromised access key.