| PDF + Test Engine |
|
||
| Test Engine |
|
||
|
|
Here are Amazon SOA-C03 PDF available features:
| 219 questions with answers | Updation Date : 16 Jul, 2026 |
| 1 day study required to pass exam | 100% Passing Assurance |
| 100% Money Back Guarantee | Free 3 Months Updates |
Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB. Other applications from an on-premises environment cannot communicate with Application A on port 8080. To troubleshoot the issue, a CloudOps engineer analyzes the flow logs. The flow logs include the following records: ACCEPT from 192.168.0.13:59003 172.31.16.139:8080 REJECT from 172.31.16.139:8080 192.168.0.13:59003 What is the reason for the rejected traffic?
A. The security group of the EC2 instances has no Allow rule for the traffic from the NLB.
B. The security group of the NLB has no Allow rule for the traffic from the on-premises environment.
C. The ACL of the on-premises environment does not allow traffic to the AWS environment.
D. The network ACL that is associated with the subnet does not allow outbound traffic for the ephemeral port range.
A SysOps administrator needs to give an existing AWS Lambda function access to an existing Amazon S3 bucket. Traffic between the Lambda function and the S3 bucket must not use public IP addresses. The Lambda function has been configured to run in a VPC. Which solution will meet these requirements?
A. Configure VPC sharing between the Lambda VPC and the S3 bucket.
B. Attach a transit gateway to the Lambda VPC to allow the Lambda function to connect to the S3 bucket.
C. Create a NAT gateway. Associate the NAT gateway with the subnet where the Lambda function is configured to run.
D. Create an S3 interface endpoint. Change the Lambda function to use the new S3 DNS name.
A CloudOps engineer wants to provide access to AWS services by attaching an IAM policy to multiple IAM users. The CloudOps engineer also wants to be able to change the policy and create new versions. Which combination of actions will meet these requirements? (Select TWO.)
A. Add the users to an IAM service-linked role. Attach the policy to the role.
B. Add the users to an IAM user group. Attach the policy to the group.
C. Create an AWS managed policy.
D. Create a customer managed policy.
E. Create an inline policy.
A CloudOps engineer is troubleshooting an implementation of Amazon CloudWatch Synthetics. The CloudWatch Synthetics results must be sent to an Amazon S3 bucket. The CloudOps engineer has copied the configuration of an existing canary that runs on a VPC that has an internet gateway attached. However, the CloudOps engineer cannot get the canary to successfully start on a private VPC that has no internet access. What should the CloudOps engineer do to successfully run the canary on the private VPC?
A. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Add the synthetics:GetCanaryRuns permission to the VPC. On the S3 bucket, add the IgnorePublicAcls permission to the CloudWatch Synthetics role.
B. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPC. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use the S3 endpoint.
C. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPC. Add a security group to the canary to allow outbound traffic on the DNS port. Add the permissions to allow CloudWatch Synthetics to write to the S3 bucket.
D. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Create an interface VPC endpoint for CloudWatch. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use both endpoints.
A company runs a retail website on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The company must secure traffic to the website over an HTTPS connection. Which combination of actions should a SysOps administrator take to meet these requirements? (Select TWO.)
A. Attach the certificate to each EC2 instance.
B. Attach the certificate to the ALB.
C. Create a private certificate in AWS Certificate Manager (ACM).
D. Create a public certificate in AWS Certificate Manager (ACM).
E. Export the certificate, and attach it to the website.
A global company runs a critical primary workload in the us-east-1 Region. The company wants to ensure business continuity with minimal downtime in case of a workload failure. The company wants to replicate the workload to a second AWS Region. A CloudOps engineer needs a solution that achieves a recovery time objective (RTO) of less than 10 minutes and a zero recovery point objective (RPO) to meet service level agreements. Which solution will meet these requirements?
A. Implement a pilot light architecture that provides real-time data replication in the second Region. Configure Amazon Route 53 health checks and automated DNS failover.
B. Implement a warm standby architecture that provides regular data replication in a second Region. Configure Amazon Route 53 health checks and automated DNS failover.
C. Implement an active-active architecture that provides real-time data replication across two Regions. Use Amazon Route 53 health checks and a weighted routing policy.
D. Implement a custom script to generate a regular backup of the data and store it in an S3 bucket that is in a second Region. Use the backup to launch the application in the second Region in the event of a workload failure.
A CloudOps engineer creates a new VPC that contains a private subnet, a security group that allows all outbound traffic, and an endpoint for Amazon EC2 Instance Connect in a private subnet. The CloudOps engineer associates the security group with EC2 Instance Connect. The CloudOps engineer launches an EC2 instance from an Amazon Linux Amazon Machine Image (AMI) in the private subnet. The CloudOps engineer launches the EC2 instance without an SSH key pair. The CloudOps engineer tries to connect to the instance by using the EC2 Instance Connect endpoint. However, the connection fails. How can the CloudOps engineer connect to the instance?
A. Create an inbound rule in the security group to allow HTTPS traffic on port 443 from the private subnet.
B. Create an inbound rule in the security group to allow SSH traffic on port 22 from the
private subnet.
C. Create an IAM instance profile that allows AWS Systems Manager Session Manager to access the EC2 instance. Associate the instance profile with the instance.
D. Recreate the EC2 instance. Associate an SSH key pair with the instance.
A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A CloudOps engineer must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all AWS accounts and cloud applications. Which prerequisites must the CloudOps engineer have so that the CloudOps engineer can connect to the external IdP? (Select TWO.)
A. A copy of the IAM Identity Center SAML metadata
B. The IdP metadata, including the public X.509 certificate
C. The IP address of the IdP
D. Root access to the management account
E. Administrative permissions to the member accounts of the organization
A company hosts a critical legacy application on two Amazon EC2 instances that are in one Availability Zone. The instances run behind an Application Load Balancer (ALB). The company uses Amazon CloudWatch alarms to send Amazon Simple Notification Service (Amazon SNS) notifications when the ALB health checks detect an unhealthy instance. After a notification, the company's engineers manually restart the unhealthy instance. A CloudOps engineer must configure the application to be highly available and more resilient to failures. Which solution will meet these requirements?
A. Create an Amazon Machine Image (AMI) from a healthy instance. Launch additional instances from the AMI in the same Availability Zone. Add the new instances to the ALB target group.
B. Increase the size of each instance. Create an Amazon EventBridge rule. Configure the EventBridge rule to restart the instances if they enter a failed state.
C. Create an Amazon Machine Image (AMI) from a healthy instance. Launch an additional instance from the AMI in the same Availability Zone. Add the new instance to the ALB target group. Create an AWS Lambda function that runs when an instance is unhealthy. Configure the Lambda function to stop and restart the unhealthy instance.
D. Create an Amazon Machine Image (AMI) from a healthy instance. Create a launch template that uses the AMI. Create an Amazon EC2 Auto Scaling group that is deployed across multiple Availability Zones. Configure the Auto Scaling group to add instances to the ALB target group.
A company hosts a static website in Amazon S3 behind an Amazon CloudFront distribution. When new versions are deployed, users sometimes do not see updated content immediately. Which solution will meet this requirement?
A. Configure the CloudFront distribution to add a custom Cache-Control header to requests for content from the S3 bucket.
B. Modify the distribution settings to specify the protocol as HTTPS only.
C. Attach the CachingOptimized managed cache policy to the distribution.
D. Create a CloudFront invalidation.