Hard SOA-C02 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 21 hard questions available — no sign-up, always free.
A SysOps administrator manages a stateless web application behind an Application Load Balancer. Leadership wants to reduce compute costs by up to 70% while maintaining high availability across three Availability Zones. The application can tolerate individual instance interruptions but must always keep at least 40 instances running to serve baseline traffic. The current Auto Scaling group uses a single On-Demand instance type. Which configuration change BEST meets these requirements?
A SysOps administrator manages an EC2 Auto Scaling group behind an Application Load Balancer for a web tier. The group uses a target tracking scaling policy set to keep average CPU utilization at 50%. During a marketing event, traffic spiked and the group scaled out correctly. After the event, traffic dropped sharply, but the administrator notices the group is removing instances very slowly, keeping many instances running for a long time at low CPU. The administrator wants faster scale-in while still avoiding thrashing during brief traffic dips. What is the MOST appropriate action?
A financial services company runs a production workload on an Amazon Aurora MySQL cluster in us-east-1. The disaster recovery plan requires an RPO of less than 1 second and an RTO of under 5 minutes in a second Region. Management also wants the DR Region to serve low-latency read traffic for reporting users located there during normal operations. Which approach BEST meets all of these requirements?
A SysOps administrator manages an Auto Scaling group defined in a CloudFormation template. The team needs to deploy a new AMI by updating the launch template referenced in the stack. Business requirements state that during the update, at least 75% of instances must remain in service to handle live traffic, and CloudFormation should wait for each batch of replacement instances to signal successful application startup before proceeding. Which CloudFormation configuration meets these requirements?
A SysOps administrator manages a production application defined in an AWS CloudFormation stack. The stack includes an EC2 instance with an attached EBS data volume defined as a separate AWS::EC2::Volume resource, plus an AWS::EC2::VolumeAttachment. The team wants to change the EC2 instance type from t3.medium to m5.large by updating the template. During a change set review, they notice the instance will be replaced. The administrator must ensure that the data on the EBS data volume is NOT lost during this stack update. Which approach meets this requirement with the least risk?
A SysOps administrator configures a CloudFront distribution with a custom origin pointing to an Application Load Balancer that fronts a set of virtual-hosted websites on shared EC2 instances. The web servers use the incoming Host header to decide which site content to serve. After deployment, all requests through CloudFront return a generic default site instead of the intended site content, but requests made directly to the ALB DNS name return the correct pages. What is the MOST likely cause and fix?
A SysOps administrator publishes a high-resolution custom metric to CloudWatch with a storage resolution of 1 second to monitor a latency-sensitive trading application. After two weeks, a colleague reports that when querying the metric over a 90-day period, the 1-second data points are no longer available and only coarser aggregations appear. What is the reason for this behavior?
A SysOps administrator is investigating intermittent slowness on a production application running on a single EC2 instance backed by a General Purpose SSD (gp2) EBS volume. CloudWatch shows the instance's CPUUtilization is consistently below 40%, but users report the application stalls during peak hours. Which combination of EBS CloudWatch metrics should the administrator examine FIRST to confirm whether the volume is the bottleneck?
A SysOps administrator configures a CloudWatch alarm on the RequestCount metric of an Application Load Balancer to detect when a downstream application stops receiving traffic (a value of 0). During periods of very low activity, the ALB publishes no data points for RequestCount at all, and the administrator notices the alarm sits in INSUFFICIENT_DATA instead of alerting on the traffic drop. The alarm must reliably enter the ALARM state and notify an SNS topic when request traffic falls to zero. Which configuration change should the administrator make?
A SysOps administrator manages a fleet of EC2 instances running a custom application. Occasionally the application process hangs while the instance itself remains healthy (both EC2 status checks pass). The team publishes a custom CloudWatch metric named ApplicationHeartbeat every 60 seconds; a healthy process reports a value of 1, and no data point is published when the process hangs. The administrator needs an automated solution that restarts the application service on the affected instance without human intervention. Which approach meets this requirement?
A development team runs a high-volume order-processing function on AWS Lambda. They want to publish custom business metrics (such as orders processed and payment failures) to CloudWatch without adding synchronous PutMetricData API calls that increase function duration and cost. The metrics must also remain queryable alongside the detailed structured log context that produced them. What is the MOST efficient way to meet these requirements?
A SysOps administrator manages an EC2 Auto Scaling group behind an Application Load Balancer for a Java application. Each instance takes about 12 minutes to fully bootstrap because it downloads dependencies, warms a large cache, and initializes the JVM before it can serve traffic. During sudden traffic spikes, target tracking scaling launches new instances, but customers experience elevated latency and errors for several minutes while the new instances complete initialization. The administrator must reduce the time it takes for scaled-out instances to begin serving requests while minimizing ongoing cost. What should the administrator do?
A SysOps administrator must allow a team of application developers to create new IAM roles for their Lambda functions. Security policy requires that any role the developers create must never be able to grant permissions beyond a defined set of services (Lambda, DynamoDB, and CloudWatch Logs), even if the developer attaches broader policies. The developers should still be able to create and manage roles independently. What is the MOST effective way to enforce this constraint?
A SysOps administrator is configuring an IAM role that a third-party SaaS monitoring vendor will assume to read CloudWatch metrics in the company's AWS account. The vendor manages a single AWS account that they use to access many of their customers' accounts. The security team is concerned that another of the vendor's customers could trick the vendor into accessing this company's account. Which configuration best mitigates this confused deputy risk?
A SysOps administrator must prove to auditors that a specific Lambda function is the only workload decrypting sensitive records with a customer managed KMS key, and that each decryption request can be tied to a particular tenant. The team currently uses a shared symmetric CMK. Which approach best meets these requirements with the least custom code?
A media company must serve users in Germany from an EU-based origin to comply with data residency regulations, regardless of which endpoint offers the lowest network latency. Users everywhere else should be directed to the nearest of three regional endpoints for the best performance. Which Route 53 configuration meets both requirements?
A SysOps administrator manages a multi-account AWS Organization. The security team requires that developers in a member account can create IAM roles for their applications, but those created roles must never be able to modify billing, leave the organization, or access CloudTrail settings. Additionally, the developers themselves must never be able to grant more permissions than a defined maximum, even when creating new roles. Which combination of controls correctly enforces these requirements?
A SysOps administrator deploys an EC2 web server in a public subnet. The security group allows inbound TCP 443 from 0.0.0.0/0 but has NO outbound rules configured (all outbound rules were removed). The associated network ACL uses the default allow-all rules. Users report they cannot receive responses when connecting to the web server over HTTPS. What is the MOST likely cause and the correct fix?
A company runs 12 VPCs across a single AWS Region, all attached to a Transit Gateway. To reduce cost and management overhead, the networking team deployed a single 'egress' VPC containing a NAT gateway and an internet gateway, and they want all private subnets in the 12 spoke VPCs to reach the internet through this shared egress VPC. Instances in the spoke VPCs currently cannot reach the internet. The Transit Gateway attachments and association/propagation appear correct. Which additional configuration is required to make centralized internet egress work?
A company connects three VPCs (Production, Development, and Shared-Services) to a single AWS Transit Gateway. The requirement is that Production and Development must NOT be able to reach each other, but both must be able to communicate with Shared-Services. A SysOps administrator has attached all three VPCs to the Transit Gateway. Which configuration meets the requirement?
A SysOps administrator is troubleshooting an application server in a private subnet that intermittently fails to complete requests to a third-party payment API over the internet. The instance's outbound path uses a NAT gateway. VPC Flow Logs for the instance's ENI show records with ACCEPT for the outbound TCP connections to the API's IP, but there are NO corresponding inbound ACCEPT or REJECT records for the return traffic. The security group is stateful and allows all outbound traffic. What is the MOST likely cause of the missing return traffic?