New Year Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

AWS Certified CloudOps Engineer - Associate Question and Answers

AWS Certified CloudOps Engineer - Associate

Last Update Jan 14, 2026
Total Questions : 91

We are offering FREE SOA-C03 Amazon Web Services exam questions. All you do is to just go and sign up. Give your details, prepare SOA-C03 free exam questions and then go for complete pool of AWS Certified CloudOps Engineer - Associate test questions that will help you more.

SOA-C03 pdf

SOA-C03 PDF

$36.75  $104.99
 Add to Cart
SOA-C03 Engine

SOA-C03 Testing Engine

$43.75  $124.99
 Add to Cart
SOA-C03 PDF + Engine

SOA-C03 PDF + Testing Engine

$57.75  $164.99
 Add to Cart
Questions 1

A company is performing deployments of an application at regular intervals. Users report that the application sometimes does not work properly. The company discovers that some users' browsers are fetching previous versions of the JavaScript files. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution.

A SysOps administrator must implement a solution to ensure that CloudFront serves the latest version of the JavaScript files. The solution must not affect application server performance.

Which solution will meet these requirements?

Options:

A.  

Reduce the maximum TTL and default TTL of the CloudFront distribution behavior to 0.

B.  

Add a final step in the deployment process to invalidate all files in the CloudFront distribution.

C.  

Add a final step in the deployment process to invalidate only the changed JavaScript files in the CloudFront distribution.

D.  

Remove CloudFront from the path of serving JavaScript files. Serve the JavaScript files directly through the ALB.

Discussion 0
Questions 2

A company needs to upload gigabytes of files daily to Amazon S3 and requires higher throughput and faster upload speeds.

Which action should a CloudOps engineer take?

Options:

A.  

Create an Amazon CloudFront distribution with the GET HTTP method allowed and the S3 bucket as an origin.

B.  

Create an Amazon ElastiCache cluster and enable caching for the S3 bucket.

C.  

Set up AWS Global Accelerator and configure it with the S3 bucket.

D.  

Enable S3 Transfer Acceleration and use the acceleration endpoint when uploading files.

Discussion 0
Questions 3

A company's developers manually install software modules on Amazon EC2 instances to deploy new versions of a service. A security audit finds that instances contain inconsistent and unapproved modules.

A CloudOps engineer must create a new instance image that contains only approved software.

Which solution will meet these requirements?

Options:

A.  

Use Amazon Detective to continuously find and uninstall unauthorized modules from the instances.

B.  

Use Amazon GuardDuty to create and deploy an Amazon Machine Image (AMI) that includes only the approved modules.

C.  

Use AWS Systems Manager Run Command to install the approved modules on all running instances during an in-place update.

D.  

Use EC2 Image Builder to create and test an Amazon Machine Image (AMI) that includes only the approved modules. Update the deployment workflow to use the new AMI.

Discussion 0
Questions 4

A CloudOps engineer has created an AWS Service Catalog portfolio and shared it with a second AWS account in the company, managed by a different CloudOps engineer.

Which action can the CloudOps engineer in the second account perform?

Options:

A.  

Add a product from the imported portfolio to a local portfolio.

B.  

Add new products to the imported portfolio.

C.  

Change the launch role for the products contained in the imported portfolio.

D.  

Customize the products in the imported portfolio.

Discussion 0
Questions 5

A company uses an AWS Lambda function to process user uploads to an Amazon S3 bucket. The Lambda function runs in response to Amazon S3 PutObject events.

A SysOps administrator needs to set up monitoring for the Lambda function. The SysOps administrator wants to receive a notification through an Amazon Simple Notification Service (Amazon SNS) topic if the function takes more than 10 seconds to process an event.

Which solution will meet this requirement?

Options:

A.  

Collect Amazon CloudWatch logs for the Lambda function. Create a metric filter to extract the PostRuntimeExtensionsDuration metric from the logs. Create a CloudWatch alarm to publish a notification to the SNS topic when the function runtime exceeds 10 seconds.

B.  

Collect Amazon CloudWatch metrics for the Lambda function to extract the function runtime. Create a CloudWatch alarm to publish a notification to the SNS topic when the runtime exceeds 10 seconds.

C.  

Configure an Amazon CloudWatch metric filter to capture the runtime of the Lambda function. Set the function's timeout setting to 10 seconds. Create an SNS subscription to alert the SysOps administrator if the function times out.

D.  

Use Amazon CloudWatch Logs Insights to query Lambda logs for the function runtime. Set up a CloudWatch alarm based on the query result. Configure Amazon SNS to send notifications when function runtime exceeds 10 seconds.

Discussion 0
Questions 6

A company asks a SysOps administrator to provision an additional environment for an application in four additional AWS Regions. The application is running on more than 100 Amazon EC2 instances in the us-east-1 Region, using fully configured Amazon Machine Images (AMIs). The company has an AWS CloudFormation template to deploy resources in us-east-1.

What should the SysOps administrator do to provision the application in the MOST operationally efficient manner?

Options:

A.  

Copy the AMI to each Region by using the aws ec2 copy-image command. Update the CloudFormation template to include mappings for the copied AMIs.

B.  

Create a snapshot of the running instance. Copy the snapshot to the other Regions. Create an AMI from the snapshots. Update the CloudFormation template for each Region to use the new AMI.

C.  

Run the existing CloudFormation template in each additional Region based on the success of the template that is used currently in us-east-1.

D.  

Update the CloudFormation template to include the additional Regions in the Auto Scaling group. Update the existing stack in us-east-1.

Discussion 0
Questions 7

A CloudOps engineer needs to set up alerting and remediation for a web application. The application consists of Amazon EC2 instances that have AWS Systems Manager Agent (SSM Agent) installed. Each EC2 instance runs a custom web server. The EC2 instances run behind a load balancer and write logs locally.

The CloudOps engineer must implement a solution that restarts the web server software automatically if specific web errors are detected in the logs.

Which combination of steps will meet these requirements? (Select THREE.)

Options:

A.  

Install the Amazon CloudWatch agent on the EC2 instances.

B.  

Create an AWS CloudTrail metric filter for the web logs. Configure an alarm for the specific errors.

C.  

Create an Amazon CloudWatch metric filter for the web logs. Configure an alarm for the specific errors.

D.  

Publish alarm findings to Amazon Simple Email Service (Amazon SES). Invoke an AWS Lambda function to restart the web server software.

E.  

Create an Amazon EventBridge rule that responds to the alarm. Configure the rule to invoke an AWS Systems Manager Automation runbook to restart the web server software.

F.  

Create an Amazon Simple Notification Service (Amazon SNS) notification that responds to the alarm. Configure the notification to invoke an AWS Systems Manager Automation runbook to restart the web server software.

Discussion 0
Questions 8

A SysOps administrator creates a custom Amazon Machine Image (AMI) in the eu-west-2 Region and uses the AMI to launch Amazon EC2 instances. The SysOps administrator needs to use the same AMI to launch EC2 instances in two other Regions: us-east-1 and us-east-2.

What must the SysOps administrator do to use the custom AMI in the additional Regions?

Options:

A.  

Copy the AMI to the additional Regions

B.  

Make the AMI public in the Community AMIs section of the AWS Management Console

C.  

Share the AMI to the additional Regions. Assign the required access permissions.

D.  

Copy the AMI to a new Amazon S3 bucket. Assign access permissions to the AMI for the additional Regions

Discussion 0
Questions 9

A company hosts a static website in Amazon S3 behind an Amazon CloudFront distribution. When new versions are deployed, users sometimes do not see updated content immediately.

Which solution will meet this requirement?

Options:

A.  

Configure the CloudFront distribution to add a custom Cache-Control header to requests for content from the S3 bucket.

B.  

Modify the distribution settings to specify the protocol as HTTPS only.

C.  

Attach the CachingOptimized managed cache policy to the distribution.

D.  

Create a CloudFront invalidation.

Discussion 0
Questions 10

A company has a microservice that runs on a set of Amazon EC2 instances. The EC2 instances run behind an Application Load Balancer (ALB).

A CloudOps engineer must use Amazon Route 53 to create a record that maps the ALB URL to example.com.

Which type of record will meet this requirement?

Options:

A.  

An A record

B.  

An AAAA record

C.  

An alias record

D.  

A CNAME record

Discussion 0
Questions 11

A user working in the Amazon EC2 console increased the size of an Amazon Elastic Block Store (Amazon EBS) volume attached to an Amazon EC2 Windows instance. The change is not reflected in the file system.

What should a CloudOps engineer do to resolve this issue?

Options:

A.  

Extend the file system with operating system-level tools to use the new storage capacity.

B.  

Reattach the EBS volume to the EC2 instance.

C.  

Reboot the EC2 instance that is attached to the EBS volume.

D.  

Take a snapshot of the EBS volume. Replace the original volume with a volume that is created from the snapshot.

Discussion 0
Questions 12

A CloudOps engineer is configuring an Amazon CloudFront distribution to use an SSL/TLS certificate. The CloudOps engineer must ensure automatic certificate renewal.

Which combination of steps will meet this requirement? (Select TWO.)

Options:

A.  

Use a certificate issued by AWS Certificate Manager (ACM).

B.  

Use a certificate issued by a third-party certificate authority (CA).

C.  

Configure CloudFront to automatically renew the certificate when the certificate expires.

D.  

Configure email validation for the certificate.

E.  

Configure DNS validation for the certificate.

Discussion 0
Questions 13

A web application runs on Amazon EC2 instances in the us-east-1 Region and the us-west-2 Region. The instances run behind an Application Load Balancer (ALB) in each Region. An Amazon Route 53 hosted zone controls DNS records.

The instances in us-east-1 are production resources. The instances in us-west-2 are for disaster recovery. EC2 Auto Scaling groups are configured based on the ALBRequestCountPerTarget metric in both Regions.

A SysOps administrator must implement a solution that provides failover from us-east-1 to us-west-2. The instances in us-west-2 must be used only for failover.

Which solution will meet these requirements?

Options:

A.  

Implement a Route 53 health check and a failover routing policy for the hosted zone. Configure the failover routing policy to automatically redirect traffic to the resources in us-west-2.

B.  

Implement a Route 53 health check and a latency routing policy for the hosted zone. Configure the latency routing policy to automatically redirect traffic to the resources in us-west-2.

C.  

In us-east-1, create an Amazon CloudWatch alarm that enters ALARM state when an EC2 instance is terminated. In us-west-2, create an AWS Lambda function that modifies the Route 53 hosted zone records to send traffic to us-west-2. Configure the CloudWatch alarm to invoke the Lambda function.

D.  

In us-west-2, create an Amazon CloudWatch alarm that enters ALARM state when resources in us-east-1 cannot be resolved. In us-west-2, create an AWS Lambda function that modifies the Route 53 hosted zone records to send traffic to us-west-2. Configure the CloudWatch alarm to invoke the Lambda function.

Discussion 0
Questions 14

A company requires the rotation of administrative credentials for production workloads on a regular basis. A CloudOps engineer must implement this policy for an Amazon RDS DB instance's master user password.

Which solution will meet this requirement with the LEAST operational effort?

Options:

A.  

Create an AWS Lambda function to change the RDS master user password. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.

B.  

Create a new SecureString parameter in AWS Systems Manager Parameter Store. Encrypt the parameter with an AWS Key Management Service (AWS KMS) key. Configure automatic rotation.

C.  

Create a new String parameter in AWS Systems Manager Parameter Store. Configure automatic rotation.

D.  

Create a new RDS database secret in AWS Secrets Manager. Apply the secret to the RDS DB instance. Configure automatic rotation.

Discussion 0
Questions 15

A company uses AWS Organizations to manage its AWS environment. The company implements a process that uses prebuilt Amazon Machine Images (AMIs) to launch instances as a security measure. All AMIs are tagged automatically with a key named ApprovedAMI.

The company wants to ensure that employees can use only the approved prebuilt AMIs to launch new instances.

Which solution will meet this requirement?

Options:

A.  

Implement a tag policy for the company's organization to require users to set the ApprovedAMI tag to launch new EC2 instances.

B.  

Implement an IAM policy that includes an aws:ResourceTag/ApprovedAMI condition.

C.  

Set up an AWS Config required-tags rule to prevent users from launching any nonapproved AMIs.

D.  

Use Amazon GuardDuty to constantly monitor DefenseEvasion:EC2/UnusualDoHActivity findings.

Discussion 0
Questions 16

A company has a VPC that contains a public subnet and a private subnet. The company deploys an Amazon EC2 instance that uses an Amazon Linux Amazon Machine Image (AMI) and has the AWS Systems Manager Agent (SSM Agent) installed in the private subnet. The EC2 instance is in a security group that allows only outbound traffic.

A CloudOps engineer needs to give a group of privileged administrators the ability to connect to the instance through SSH without exposing the instance to the internet.

Which solution will meet this requirement?

Options:

A.  

Create an EC2 Instance Connect endpoint in the private subnet. Update the security group to allow inbound SSH traffic. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.

B.  

Create a Systems Manager endpoint in the private subnet. Update the security group to allow SSH traffic from the private network where the Systems Manager endpoint is connected. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.

C.  

Create an EC2 Instance Connect endpoint in the public subnet. Update the security group to allow SSH traffic from the private network. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.

D.  

Create a Systems Manager endpoint in the public subnet. Create an IAM role that has the AmazonSSMManagedInstanceCore permission for the EC2 instance. Create an IAM group for privileged administrators. Assign the AmazonEC2ReadOnlyAccess IAM policy to the IAM group.

Discussion 0
Questions 17

A CloudOps engineer needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.

Which additional actions should the CloudOps engineer take to control access? (Select TWO.)

Options:

A.  

Attach an IAM policy to the users or groups that require access to the EC2 instances.

B.  

Attach an IAM role to control access to the EC2 instances.

C.  

Create a placement group for the EC2 instances and add a specific tag.

D.  

Create a service account and attach it to the EC2 instances that need to be controlled.

E.  

Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.

Discussion 0
Questions 18

A SysOps administrator is configuring an Auto Scaling group of Amazon EC2 instances for an application. The average CPU utilization of the instances in the Auto Scaling group must remain at approximately 40% when the load on the application changes.

Which solution will meet this requirement in the MOST operationally efficient manner?

Options:

A.  

Create a scheduled scaling action. Configure the action to run at times when the application typically experiences an increase in traffic.

B.  

Configure a simple scaling policy. Create an Amazon CloudWatch alarm that enters ALARM state when CPU utilization is greater than 40%. Associate the alarm with the scaling policy.

C.  

Configure a step scaling policy. Create an Amazon CloudWatch alarm that enters ALARM state when CPU utilization is greater than 40%. Associate the alarm with the scaling policy.

D.  

Configure a target tracking scaling policy. Specify a target value of 40 for average CPU utilization.

Discussion 0
Questions 19

A company runs applications on Amazon EC2 instances. Many of the instances are not patched. The company has a tagging policy. All the instances are tagged with details about the owners, application, and environment. AWS Systems Manager Agent (SSM Agent) is installed on all the instances.

A SysOps administrator must implement a solution to automatically patch all existing and future instances that have "Prod" in the environment tag. The SysOps administrator plans to create a patch policy in Systems Manager Patch Manager.

Which solution will meet the patching requirements with the LEAST operational overhead?

Options:

A.  

Define targets of the patch policy by specifying node tags that match the company's tagging strategy.

B.  

Configure an AWS Lambda function to scan for new instances and to add the instances to the targets of the patch policy.

C.  

Create resource groups. Add the existing instances to the resource groups. Configure an AWS Lambda function to scan for new instances and to add the instances to the resource groups at regular intervals. Attach the resource groups to the patch policy.

D.  

Create resource groups. Add the existing instances to the resource groups. Create an Amazon EventBridge rule that uses an appropriately defined filter to add new instances to the resource groups. Attach the resource groups to the patch policy.

Discussion 0
Questions 20

A company uses AWS Organizations to manage multiple AWS accounts. A CloudOps engineer must identify all IPv4 ports open to 0.0.0.0/0 across the organization’s accounts.

Which solution will meet this requirement with the LEAST operational effort?

Options:

A.  

Use the AWS CLI to print all security group rules for review.

B.  

Review AWS Trusted Advisor findings in an organizational view for the Security Groups – Specific Ports Unrestricted check.

C.  

Create an AWS Lambda function to gather security group rules from all accounts. Aggregate the findings in an Amazon S3 bucket.

D.  

Enable Amazon Inspector in each account. Run an automated workload discovery job.

Discussion 0
Questions 21

A company has an AWS CloudFormation template that includes an AWS::EC2::Instance resource and a custom resource (Lambda function). The Lambda function fails because it runs before the EC2 instance is launched.

Which solution will resolve this issue?

Options:

A.  

Add a DependsOn attribute to the custom resource. Specify the EC2 instance in the DependsOn attribute.

B.  

Update the custom resource's service token to point to a valid Lambda function.

C.  

Update the Lambda function to use the cfn-response module to send a response to the custom resource.

D.  

Use the Fn::If intrinsic function to check for the EC2 instance before the custom resource runs.

Discussion 0
Questions 22

A company uses an Amazon Simple Queue Service (Amazon SQS) queue and Amazon EC2 instances in an Auto Scaling group with target tracking for a web application. The company collects the ASGAverageNetworkIn metric but notices that instances do not scale fast enough during peak traffic. There are a large number of SQS messages accumulating in the queue.

A CloudOps engineer must reduce the number of SQS messages during peak periods.

Which solution will meet this requirement?

Options:

A.  

Define and use a new custom Amazon CloudWatch metric based on the SQS ApproximateNumberOfMessagesDelayed metric in the target tracking policy.

B.  

Define and use Amazon CloudWatch metric math to calculate the SQS queue backlog for each instance in the target tracking policy.

C.  

Define and use step scaling by specifying a ChangeInCapacity value for the EC2 instances.

D.  

Define and use simple scaling by specifying a ChangeInCapacity value for the EC2 instances.

Discussion 0
Questions 23

A company’s application servers in AWS account 111122223333 use a security group sg-1234abcd. They need to access a database hosted in account 444455556666. The VPCs are connected using a VPC peering connection (pcx-b04deed9).

A CloudOps engineer must configure the database’s security group to allow new connections only from the application servers.

What should the engineer do?

Options:

A.  

Add an inbound rule to the database's security group. Reference 111122223333/sg-1234abcd as the source.

B.  

Add an inbound rule to the database's security group. Reference pcx-b04deed9/sg-1234abcd as the source.

C.  

Add an inbound rule to the database's security group. Reference sg-1234abcd as the source.

D.  

Add an inbound rule to the database's security group. Reference 444455556666/sg-1234abcd as the source.

Discussion 0
Questions 24

A company’s security policy prohibits connecting to Amazon EC2 instances through SSH and RDP. Instead, staff must use AWS Systems Manager Session Manager. Users report they cannot connect to one Ubuntu instance, even though they can connect to others.

What should a CloudOps engineer do to resolve this issue?

Options:

A.  

Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.

B.  

Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.

C.  

Configure the SSM Agent to log in with a user name of "ubuntu".

D.  

Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

Discussion 0
Questions 25

A company maintains a list of 75 approved Amazon Machine Images (AMIs) that can be used across an organization in AWS Organizations. The company's development team has been launching Amazon EC2 instances from unapproved AMIs.

A SysOps administrator must prevent users from launching EC2 instances from unapproved AMIs.

Which solution will meet this requirement?

Options:

A.  

Add a tag to the approved AMIs. Create an IAM policy that includes a tag condition that allows users to launch EC2 instances from only the tagged AMIs.

B.  

Create a service-linked role. Attach a policy that denies the ability to launch EC2 instances from a list of unapproved AMIs. Assign the role to users.

C.  

Use AWS Config with an AWS Lambda function to check for EC2 instances that are launched from unapproved AMIs. Program the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the SysOps administrator to terminate those EC2 instances.

D.  

Use AWS Trusted Advisor to check for EC2 instances that are launched from unapproved AMIs. Configure Trusted Advisor to invoke an AWS Lambda function to terminate those EC2 instances.

Discussion 0
Questions 26

A company runs a high performance computing (HPC) data-processing application on Amazon EC2 instances in one Availability Zone within a development environment. The application uses a dataset that the company stores on an Amazon S3 general purpose bucket in the same AWS Region as the EC2 instances.

A SysOps administrator must improve the application's performance for retrieval of objects from Amazon S3.

Which solution will meet these requirements?

Options:

A.  

Enable S3 Transfer Acceleration for the S3 bucket. Create an S3 access point for the bucket. Update the application to use the access point.

B.  

Create an S3 Lifecycle configuration for the S3 bucket to move all objects to the S3 Express One Zone storage class. Update the application to use an S3 Regional endpoint.

C.  

Create a second general purpose S3 bucket in the same Region. Copy the objects from the original bucket to the new bucket. Use the S3 Express One Zone storage class to store the objects in the new bucket. Update the application to use an S3 Regional endpoint.

D.  

Create an S3 directory bucket in the same Availability Zone. Import objects from the original bucket to the new bucket. Use the S3 Express One Zone storage class to store the objects in the new bucket. Update the application to use an S3 Zonal endpoint.

Discussion 0
Questions 27

A company needs to enforce tagging requirements for Amazon DynamoDB tables in its AWS accounts. A CloudOps engineer must implement a solution to identify and remediate all DynamoDB tables that do not have the appropriate tags.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.  

Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.

B.  

Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an AWS Config custom rule to invoke the Lambda function.

C.  

Use the required-tags AWS Config managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure an automatic remediation action that uses an AWS Systems Manager Automation custom runbook.

D.  

Create an Amazon EventBridge managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure the EventBridge rule to run an AWS Systems Manager Automation custom runbook for remediation.

Discussion 0