Hard SOA-C03 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 14 hard questions available — no sign-up, always free.
A company runs a stateful web application behind an Application Load Balancer (ALB) with a target group of six EC2 instances across three Availability Zones. To keep user sessions on the same backend, the team enabled duration-based cookie stickiness on the target group. After a marketing campaign, users report slow response times, and CloudWatch shows two instances consistently at high CPU while the other four remain nearly idle. What is the MOST likely cause of the uneven load and the BEST corrective action?
A CloudOps engineer manages a production RDS database that was provisioned as part of a CloudFormation stack. The company has a policy requiring that database data must never be lost when infrastructure is decommissioned or when stacks are updated in ways that would replace the database. During a recent stack update, a change to the DB instance identifier caused CloudFormation to replace the resource, and the original data was deleted. What should the engineer configure to ensure the database and its data are preserved even if the resource is removed or replaced?
A CloudOps engineer applies a stack update to a production CloudFormation stack that provisions an RDS database and application tier. During the update, one resource fails to create and CloudFormation begins rolling back. The rollback also fails because a security group cannot be deleted (it is still referenced by a resource created outside the template). The stack is now in UPDATE_ROLLBACK_FAILED state. What is the correct way to recover the stack so future updates can proceed?
A CloudOps team maintains a large CloudFormation template that provisions a standardized logging configuration (a CloudWatch log group, an IAM role, and a subscription filter) reused across dozens of separate application stacks. When they update the logging pattern, they must currently copy the revised resource definitions into every application template and redeploy each one. They want a way to define the logging pattern once, version it in a registry, and reference it as a reusable building block inside each application template so updates propagate through normal stack updates. Which approach best meets this requirement?
A CloudOps engineer manages an Auto Scaling group of 12 EC2 instances defined in a CloudFormation template. When a new launch configuration with an updated AMI is deployed, the team requires that no more than 3 instances be replaced at a time, that each batch wait for a success signal from the application before continuing, and that the deployment roll back automatically if any batch fails. Which CloudFormation configuration meets these requirements?
A company allows developers in each project team to create IAM roles for their own applications so they can move quickly. Security is concerned that a developer could create a role with full administrative access and attach it to an application. The security team wants developers to retain the ability to create roles and attach policies, but wants to guarantee that any role they create can never obtain permissions beyond a defined set (such as S3, DynamoDB, and CloudWatch access). What is the MOST appropriate way to enforce this constraint?
A CloudOps engineer is troubleshooting access for a developer who cannot upload objects to an S3 bucket. The developer is a member of an IAM group that has an attached policy allowing s3:PutObject on the bucket. The bucket policy also allows the developer's IAM user to perform s3:PutObject. However, a permissions boundary attached to the IAM user allows only s3:GetObject and s3:ListBucket. What is the reason the upload is failing?
A financial services company must comply with a regulation that requires them to retain full control over the cryptographic key material used to encrypt sensitive data stored in Amazon S3. Their compliance policy mandates that the key material be generated in their on-premises hardware security module (HSM) and that they retain the ability to permanently delete the key material from AWS on demand. A CloudOps engineer must configure AWS KMS to meet these requirements. Which approach should the engineer take?
A CloudOps engineer is troubleshooting an application running on an EC2 instance that must decrypt objects in an S3 bucket encrypted with a customer managed KMS key. The EC2 instance role has an IAM policy granting kms:Decrypt on the key's ARN, but the application receives an AccessDenied error when calling Decrypt. The KMS key policy contains only the default statement granting the root account full access, plus a statement granting a separate administrator role kms:* permissions. What is the MOST likely cause and the correct fix?
A financial services company runs a customer-facing web application in us-east-1. The business requires a disaster recovery strategy with a near-zero RTO and RPO so that a full Regional outage causes almost no disruption. The application tier is stateless and already deployed behind an Application Load Balancer and Auto Scaling group. The team wants both Regions to actively serve production traffic and to keep the database synchronized bidirectionally with minimal replication lag. Which approach BEST meets these requirements?
A media company must serve users in Germany from an application stack hosted in eu-central-1 to comply with data-residency laws, while all other European users should be served from an application stack in eu-west-1. Users must never be routed to a region that violates residency rules, even if it means an error is returned. Which Amazon Route 53 configuration meets these requirements?
A CloudOps engineer manages a centralized 'shared services' AWS account that builds a hardened, monthly golden AMI using an SSM Automation runbook. The organization has 40 workload accounts that must be able to launch EC2 instances from the newest golden AMI. The AMI is currently only available in the shared services account, and each workload team must manually copy the AMI ID. The engineer needs an automated, repeatable way to make the latest AMI ID discoverable across all workload accounts without granting broad AMI-sharing permissions each cycle. Which approach best meets these requirements?
A CloudOps engineer manages three VPCs: VPC-A (10.0.0.0/16), VPC-B (10.1.0.0/16), and VPC-C (10.0.0.0/16). VPC-A is peered with VPC-B, and VPC-B is peered with VPC-C. An EC2 instance in VPC-A cannot reach an instance in VPC-C, even though route tables and security groups in both VPCs allow the traffic. What are the two underlying reasons this connectivity is failing? (The engineer must address both.)
A CloudOps engineer is troubleshooting connectivity for an EC2 instance in a private subnet running a web service on port 8080. Instances in the same subnet can reach the service, but a bastion host in a different subnet within the same VPC cannot connect. The instance's security group allows inbound TCP 8080 from the VPC CIDR. The subnet's network ACL has an inbound rule allowing TCP 8080 from the VPC CIDR, but its only outbound rule allows TCP 443 to 0.0.0.0/0. What is the most likely cause of the failure?