Deployment, Provisioning, and Automation
Drill 20 practice questions focused entirely on Deployment, Provisioning, and Automation for the AWS SOA-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A CloudOps engineer is deploying a fleet of EC2 web servers using an AWS CloudFormation template. The requirement is that after each instance launches, it must install packages, write configuration files, and start services in a defined order, and the CloudFormation stack must not report CREATE_COMPLETE until the instances have finished their configuration and signaled success. Which approach best meets these requirements?
A CloudOps engineer manages a production application using a single AWS CloudFormation stack that includes an RDS instance, an EC2 Auto Scaling group, and several security groups. Before applying an update to the template that modifies the RDS parameter group and instance class, the team wants to know exactly which resources will be modified, replaced, or deleted so they can avoid an unexpected database replacement during the deployment. What should the engineer do?
A CloudOps engineer uses AWS CloudFormation to launch a single EC2 instance that runs a lengthy application installation script via UserData. Currently CloudFormation marks the stack as CREATE_COMPLETE as soon as the instance launches, but before the application finishes installing, causing downstream resources to fail because the app is not yet ready. The engineer needs the stack to wait until the application setup completes successfully before reporting the resource as created. What is the MOST appropriate way to achieve this?
A CloudOps engineer manages infrastructure using multiple CloudFormation stacks. A networking stack creates a VPC and subnets, and several application stacks need to reference the subnet IDs from the networking stack. The engineer wants a solution where application stacks can consume these values by name, and CloudFormation prevents the networking stack from being deleted or its exported values from being changed while they are still in use. Which approach meets these requirements?
A CloudOps engineer manages a production RDS database that was provisioned as part of a CloudFormation stack. The company has a policy requiring that database data must never be lost when infrastructure is decommissioned or when stacks are updated in ways that would replace the database. During a recent stack update, a change to the DB instance identifier caused CloudFormation to replace the resource, and the original data was deleted. What should the engineer configure to ensure the database and its data are preserved even if the resource is removed or replaced?
A CloudOps team maintains a single CloudFormation template that provisions an application stack. They must deploy it to dev, staging, and production, where each environment uses a different EC2 instance type and a different number of instances, but the underlying resource structure is identical across environments. The team wants to keep one template file and avoid hardcoding environment-specific values inside the resource definitions. Which approach best meets these requirements?
A CloudOps engineer manages production infrastructure using an AWS CloudFormation stack. During a recent incident, another team member modified a security group's inbound rules directly in the EC2 console instead of updating the template. The engineer needs to identify all resources in the stack whose actual configuration no longer matches the template definition, without modifying or redeploying any resources. Which action should the engineer take?
A CloudOps engineer applies a stack update to a production CloudFormation stack that provisions an RDS database and application tier. During the update, one resource fails to create and CloudFormation begins rolling back. The rollback also fails because a security group cannot be deleted (it is still referenced by a resource created outside the template). The stack is now in UPDATE_ROLLBACK_FAILED state. What is the correct way to recover the stack so future updates can proceed?
A CloudOps team maintains a large CloudFormation template that has grown to over 400 resources, including a VPC, subnets, security groups, an RDS database, and an ECS cluster. Deployments now frequently fail because the template exceeds resource limits and is hard to maintain. The team wants to break the template into reusable, independently testable components while keeping a single deployment entry point that provisions everything together. Which approach best meets these requirements?
A CloudOps team maintains a large CloudFormation template that provisions a standardized logging configuration (a CloudWatch log group, an IAM role, and a subscription filter) reused across dozens of separate application stacks. When they update the logging pattern, they must currently copy the revised resource definitions into every application template and redeploy each one. They want a way to define the logging pattern once, version it in a registry, and reference it as a reusable building block inside each application template so updates propagate through normal stack updates. Which approach best meets this requirement?
A CloudOps engineer manages a web application deployed via a CloudFormation stack that includes an Auto Scaling group and an Application Load Balancer. During stack updates, the team has occasionally deployed a bad application version that passes CloudFormation resource creation but causes elevated HTTP 5xx errors in production. The engineer wants CloudFormation to automatically roll back a stack update if the application's error rate spikes during and shortly after the update completes. Which approach meets this requirement with the least custom code?
A CloudOps engineer manages an Auto Scaling group of 12 EC2 instances defined in a CloudFormation template. When a new launch configuration with an updated AMI is deployed, the team requires that no more than 3 instances be replaced at a time, that each batch wait for a success signal from the application before continuing, and that the deployment roll back automatically if any batch fails. Which CloudFormation configuration meets these requirements?
A CloudOps engineer is writing a CloudFormation template to provision an Amazon RDS MySQL instance. Company policy prohibits storing database credentials in plaintext anywhere in the template or in source control, and the master password must be generated automatically and stored securely. Which approach meets these requirements with the least operational effort?
A CloudOps engineer manages a production environment using a single CloudFormation stack that includes an Aurora database and several stateless application resources. During routine stack updates to modify the application tier, the team is worried that an accidental change to the template could cause a replacement of the database resource and destroy production data. They still need to allow updates to all other resources in the stack. What is the MOST appropriate way to prevent updates to the database resource while permitting normal updates elsewhere?
A company manages its AWS accounts through AWS Organizations. The CloudOps team uses a CloudFormation StackSet with service-managed permissions to deploy a baseline security configuration (IAM roles, Config rules, and a logging bucket) to all accounts in a specific organizational unit (OU). New accounts are frequently created and added to this OU. The team wants the baseline StackSet to be deployed automatically to any new account added to the OU, without manual intervention. Which action meets this requirement?
A CloudOps engineer manages a security baseline (AWS Config rules, IAM roles, and CloudTrail configuration) deployed to 40 member accounts using a CloudFormation StackSet with service-managed permissions across an AWS Organization. Compliance auditors report that some member accounts have had resources manually modified outside of CloudFormation. The engineer needs to identify which stack instances no longer match the StackSet template's expected configuration, with the least operational effort. What should the engineer do?
A CloudOps engineer must deploy a standardized IAM role and a logging configuration to 40 AWS accounts spread across three Regions. The accounts are all members of an AWS Organizations organization. The engineer wants a repeatable, centrally managed way to deploy and update these resources across all accounts and Regions with the least ongoing administrative effort. Which approach should the engineer use?
A CloudOps engineer maintains a Systems Manager Automation runbook that resizes production EC2 instances during scheduled changes. Company policy requires that a senior operator manually approve the resize before it executes, and the approval request must pause the automation until a response is received. The team wants to implement this control within the existing runbook without building custom Lambda functions. Which approach meets these requirements?
A company runs about 200 non-production EC2 instances used only during business hours (08:00-18:00, Monday to Friday). The CloudOps team wants an automated, low-maintenance solution to stop these instances outside business hours and start them each morning to reduce costs, without deploying or managing any additional compute resources. Which approach best meets these requirements?
A CloudOps engineer manages a centralized 'shared services' AWS account that builds a hardened, monthly golden AMI using an SSM Automation runbook. The organization has 40 workload accounts that must be able to launch EC2 instances from the newest golden AMI. The AMI is currently only available in the shared services account, and each workload team must manually copy the AMI ID. The engineer needs an automated, repeatable way to make the latest AMI ID discoverable across all workload accounts without granting broad AMI-sharing permissions each cycle. Which approach best meets these requirements?
More SOA-C03 practice
Keep going with the other AWS Certified CloudOps Engineer - Associate domains, or take a full timed mock exam.
← Back to SOA-C03 overview