Medium SOA-C03 practice questions
Applied — put a concept to work in a realistic situation. 143 medium questions available — no sign-up, always free.
A CloudOps engineer manages several Application Load Balancers that use TLS certificates issued by AWS Certificate Manager (ACM). Some certificates were imported into ACM from a third-party certificate authority, while others were requested directly from ACM. The security team wants proactive alerts at least 30 days before any certificate expires so they can renew in time. Which approach requires the LEAST ongoing operational effort to ensure the team is notified before expiration?
A CloudOps engineer is deploying a global web application that uses Amazon CloudFront as the CDN with a custom domain name. The engineer requests an ACM certificate in the eu-west-1 Region (where the origin ALB resides) and attempts to associate it with the CloudFront distribution, but the certificate does not appear as a selectable option in the CloudFront console. What is the correct action to resolve this?
A company runs internal microservices on EC2 instances within a private VPC. Security policy requires all service-to-service communication to use TLS with certificates issued from a trusted internal certificate authority. The certificates must not be publicly trusted, and the company wants to automate issuance and renewal without managing its own CA infrastructure on servers. Which solution meets these requirements with the least operational overhead?
A CloudOps engineer deploys an Application Load Balancer (ALB) across three Availability Zones, but each AZ contains a different number of registered targets: AZ-a has 8 instances, AZ-b has 4, and AZ-c has 2. Users report that instances in AZ-c are experiencing significantly higher CPU utilization than instances in the other zones. What is the most likely cause of this uneven load?
A CloudOps engineer manages a single Application Load Balancer that fronts three microservices running on separate Amazon ECS services. Requests to /api/orders must reach the orders service, /api/inventory must reach the inventory service, and all other requests must reach a default web frontend service. All three services are already registered in separate target groups. What is the correct way to configure the ALB to achieve this routing?
A company runs a stateless web application behind an Application Load Balancer (ALB) with an EC2 Auto Scaling group across three Availability Zones. During scale-in events, users occasionally report failed requests and reset connections. The CloudOps engineer confirms that instances are being terminated while still actively serving in-flight requests. Which configuration change will MOST directly prevent these dropped requests during scale-in?
A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. Recently, an instance's web server process crashed, returning HTTP 503 errors to users, but the Auto Scaling group did not replace the instance for a long time. The EC2 instance itself remained running and passed all EC2 system and instance status checks. What should the CloudOps engineer configure so that Auto Scaling replaces instances that fail the application-level check?
A CloudOps engineer manages an EC2 Auto Scaling group that uses a launch template. The security team releases a hardened AMI monthly, and the engineer updates the launch template by creating a new version each time with the new AMI ID. However, when the Auto Scaling group scales out, newly launched instances continue to use the older AMI from the previous month. The Auto Scaling group is configured to use the launch template with version set to a specific number. What is the MOST appropriate change to ensure new instances always launch with the newest hardened AMI without manual reconfiguration each month?
A company runs a stateful application on EC2 instances behind an Application Load Balancer in an Auto Scaling group. During scale-out events, new instances require about 4 minutes to download configuration files, warm a local cache, and register with an internal service registry before they can serve traffic. Currently, the ALB begins routing requests to instances as soon as they pass the EC2 status checks, causing intermittent errors from instances that are not yet fully initialized. Which approach best ensures instances only receive traffic after initialization completes?
A CloudOps engineer manages an EC2 Auto Scaling group spanning three Availability Zones behind an Application Load Balancer. After a recent AZ impairment, one AZ was temporarily removed and instances were relaunched in the two remaining AZs. Now that all three AZs are healthy again, the engineer notices the group has 8 instances in AZ-a, 8 in AZ-b, and only 2 in AZ-c, creating an uneven distribution. What is the MOST appropriate way to ensure the group automatically restores balanced capacity across all three AZs going forward?
A CloudOps engineer manages a stateless web tier running on an EC2 Auto Scaling group backed by a single launch template that specifies one instance type and 100% On-Demand capacity. During a regional capacity event, the group failed to launch replacement instances because the specified instance type was temporarily unavailable in two of the three subnets, causing reduced availability. The team wants to improve the group's resilience to capacity shortages while also lowering cost, without managing multiple Auto Scaling groups. What should the engineer do?
A CloudOps engineer manages an EC2 Auto Scaling group that processes long-running batch jobs. Each instance can take up to two hours to finish a job. During target-tracking scale-in events triggered by low average CPU, the ASG frequently terminates instances that are still mid-job, causing the batch work to be lost and reprocessed. The team wants scale-in to avoid terminating instances that are actively processing a job, while still allowing the group to shrink when instances become idle. What is the MOST appropriate solution?
A financial services company runs a production application backed by an Amazon Aurora MySQL-compatible cluster in us-east-1. The compliance team requires a disaster recovery solution in us-west-2 with an RPO of under 1 second and an RTO of a few minutes, with minimal impact on the primary database's write performance. Which approach best meets these requirements?
A CloudOps engineer must ensure that any S3 bucket created without default encryption is automatically remediated within minutes, with no human intervention. AWS Config already has a managed rule (s3-bucket-server-side-encryption-enabled) evaluating bucket compliance. The team wants a low-maintenance, event-driven solution that applies default encryption to noncompliant buckets. Which approach best meets these requirements?
A CloudOps engineer manages an AWS Organization with 40 member accounts. Compliance requires that all EBS volumes and RDS databases across every account be backed up on a consistent schedule, with backups stored centrally and protected from deletion by individual account administrators. The team wants to enforce this centrally without deploying scripts into each account. Which approach best meets these requirements?
A financial services company runs a production Amazon RDS for PostgreSQL database in the us-east-1 Region. Compliance requires that, in the event of a full Regional outage, the company must be able to restore the database in us-west-2 with a Recovery Point Objective (RPO) of no more than 1 hour and a Recovery Time Objective (RTO) of a few hours. The CloudOps team wants a managed, centrally governed solution that requires minimal custom scripting. Which approach best meets these requirements?
A CloudOps engineer manages a production Amazon RDS for PostgreSQL database that supports an order-processing application. The business requires the ability to recover the database to any specific second within the last 5 days in case of accidental data corruption from a bad application deployment. The team currently relies only on daily automated snapshots taken at 2 AM. During a recent incident, a faulty batch job corrupted data at 3 PM, and the team could only restore to the previous night's snapshot, losing 13 hours of transactions. Which action best meets the recovery requirement going forward?
A financial services company uses AWS Backup to protect its RDS databases, EBS volumes, and EFS file systems across multiple accounts. Auditors require documented proof that backups can actually be restored within the defined 4-hour RTO. The CloudOps team currently performs manual restores quarterly, but this is time-consuming and inconsistent. Which approach provides an automated, repeatable way to validate that backups are recoverable and meet RTO expectations?
A financial services company must ensure that its RDS and EBS backups cannot be deleted or altered before their retention period expires, even by administrators with full IAM permissions. This is a regulatory requirement to protect against accidental deletion and ransomware. The team already centralizes backups using AWS Backup. Which action best satisfies this requirement?
A company runs a batch analytics application in a single AWS Region. The workload is only used for monthly reporting and is not customer-facing. Leadership has approved a disaster recovery plan with an RTO of 24 hours and an RPO of 24 hours, and they want the lowest possible ongoing cost. The application data is stored in Amazon S3 and an Amazon RDS database. Which DR strategy best meets these requirements?
A CloudOps engineer is deploying a fleet of EC2 web servers using an AWS CloudFormation template. The requirement is that after each instance launches, it must install packages, write configuration files, and start services in a defined order, and the CloudFormation stack must not report CREATE_COMPLETE until the instances have finished their configuration and signaled success. Which approach best meets these requirements?
A CloudOps engineer manages a production application using a single AWS CloudFormation stack that includes an RDS instance, an EC2 Auto Scaling group, and several security groups. Before applying an update to the template that modifies the RDS parameter group and instance class, the team wants to know exactly which resources will be modified, replaced, or deleted so they can avoid an unexpected database replacement during the deployment. What should the engineer do?
A CloudOps engineer uses AWS CloudFormation to launch a single EC2 instance that runs a lengthy application installation script via UserData. Currently CloudFormation marks the stack as CREATE_COMPLETE as soon as the instance launches, but before the application finishes installing, causing downstream resources to fail because the app is not yet ready. The engineer needs the stack to wait until the application setup completes successfully before reporting the resource as created. What is the MOST appropriate way to achieve this?
A CloudOps engineer manages infrastructure using multiple CloudFormation stacks. A networking stack creates a VPC and subnets, and several application stacks need to reference the subnet IDs from the networking stack. The engineer wants a solution where application stacks can consume these values by name, and CloudFormation prevents the networking stack from being deleted or its exported values from being changed while they are still in use. Which approach meets these requirements?
A CloudOps team maintains a single CloudFormation template that provisions an application stack. They must deploy it to dev, staging, and production, where each environment uses a different EC2 instance type and a different number of instances, but the underlying resource structure is identical across environments. The team wants to keep one template file and avoid hardcoding environment-specific values inside the resource definitions. Which approach best meets these requirements?