SOA-C03 Exam Questions 2026 – Real Practice Test with Verified Answers

Latest SOA-C03 Exam Practice Questions

The practice questions for the SOA-C03 exam were last updated on 2026-06-22.

Question#1

A company must retain all Amazon S3 objects for 90 days for compliance reasons. Additionally, the company must retain all changes to objects for 90 days. Therefore, the company enables S3 Versioning on the bucket. The company does not delete S3 objects even after the retention period ends. The company notices that S3 costs are increasing. The company wants to reduce storage costs.
Which solution will meet these requirements with the LEAST operational overhead?

A. Write an AWS Lambda function that checks S3 object version age. Create a delete marker for any object older than 90 days.
B. Set an S3 Lifecycle rule to automatically delete S3 object versions older than 90 days.
C. Use AWS Backup to migrate objects out of the S3 bucket after 90 days.
D. Use Amazon EventBridge to watch for S3 object creation events. Schedule an AWS Lambda function to run in 90 days to delete the object.

Explanation:
Because S3 Versioning is enabled, each object update creates additional object versions. If old versions are never removed, storage costs keep increasing even when only the latest version is needed operationally. The lowest-overhead solution is to configure an S3 Lifecycle rule to expire noncurrent object versions after the required 90-day compliance retention period. This preserves object changes for the required window and then automatically removes older versions to reduce cost.
Option A is not ideal because creating delete markers affects current object visibility and does not clean up old noncurrent versions efficiently.
Option C adds unnecessary backup complexity.
Option D creates excessive event scheduling and Lambda management overhead. S3 Lifecycle is the native cost-optimization control for versioned-object retention.

Question#2

A company uses an IAM policy to ensure that all AWS resources are deployed and managed by AWS CloudFormation. A CloudOps engineer must periodically audit all AWS resources and provide a list of resources that do not match the expected configuration.
Which solution will meet this requirement with the LEAST effort?

A. Configure an Amazon EventBridge rule that sends a notification to the company when any resource is created by CloudFormation. Audit the event notifications for any incorrect configurations.
B. Audit code repositories where CloudFormation code is stored to look for any deviations from the expected configuration.
C. Use the AWS CLI to check all resources to ensure consistency with the intended configuration.
D. Use Amazon EventBridge to schedule periodic invocations of CloudFormation drift detection. Capture findings for review.

Explanation:
CloudFormation drift detection compares the actual configuration of stack resources with the expected configuration defined in the CloudFormation template. This directly satisfies the requirement to find resources that do not match the expected configuration. Scheduling drift detection with Amazon EventBridge automates the audit and avoids manual CLI checks or repository reviews. Repository reviews only validate desired template code, not the real deployed state. EventBridge notifications about resource creation do not prove that resources remain compliant after deployment. AWS CLI scripts could work, but they would require custom logic and ongoing maintenance. For CloudOps, the best approach is to use the native drift detection capability and automate it on a schedule, then capture the drift results for operational review and remediation planning.

Question#3

A CloudOps engineer is preparing to deploy an application to Amazon EC2 instances that are in an Auto Scaling group. The application requires dependencies to be installed. Application updates are issued weekly.
The CloudOps engineer needs to implement a solution to incorporate the application updates on a regular basis. The solution also must conduct a vulnerability scan during Amazon Machine Image (AMI) creation.
What is the MOST operationally efficient solution that meets these requirements?

A. Create a script that uses Packer and schedule a cron job.
B. Install the application and dependencies on an EC2 instance and create an AMI.
C. Use EC2 Image Builder with a custom recipe to install the application and dependencies.
D. Invoke the EC2 CreateImage API operation by using an EventBridge scheduled rule.

Explanation:
EC2 Image Builder is a managed service that automates the creation, testing, vulnerability scanning, and distribution of AMIs. It supports scheduled image pipelines, which makes it ideal for weekly application updates.
Image Builder integrates with Amazon Inspector to perform vulnerability scans during image creation, fulfilling the security requirement. Custom image recipes define application dependencies and installation steps, ensuring consistency across deployments.
Manual AMI creation, cron-based scripts, or direct API calls require ongoing maintenance and do not natively support vulnerability scanning.
Therefore, EC2 Image Builder is the most operationally efficient solution.

Question#4

A company hosts a static website on an Amazon S3 bucket behind an Amazon CloudFront distribution. When the company deploys a new version of the website, users sometimes do not see the new content until the next day.
A CloudOps engineer must implement a solution to display updates to the website as quickly as possible.
Which solution will meet this requirement?

A. Configure the CloudFront distribution to add a custom Cache-Control header to requests for content from the S3 bucket.
B. Modify the distribution settings to specify the protocol as HTTPS only.
C. Attach the CachingOptimized managed cache policy to the distribution.
D. Create a CloudFront invalidation.

Explanation:
CloudFront caches content at edge locations to reduce origin requests and improve performance. When a static website is updated by overwriting existing object keys (for example, updating index.html in the same S3 path), CloudFront may continue to serve the cached versions of those objects until the cache’s time-to-live (TTL) expires. This behavior commonly produces a delay where some viewers still receive the old site version, sometimes for many hours, depending on the configured TTLs and any cache headers that CloudFront is honoring.
A CloudFront invalidation (Option D) is designed to address exactly this situation: it removes cached objects from CloudFront edge caches so that the next request for those objects forces CloudFront to retrieve the latest versions from the S3 origin and cache them again. By invalidating key objects such as /index.html (and potentially additional paths if needed), the company can ensure users see the newest deployment quickly without waiting for TTL expiration.
Option A is not the best answer because “adding a Cache-Control header to requests” does not immediately clear content already cached at edge locations; it primarily influences caching behavior for future fetches and can still leave existing cached objects in place until they expire.
Option B only enforces HTTPS and does not affect cache freshness or object replacement visibility.
Option C (CachingOptimized) is intended to improve caching efficiency and performance for typical workloads; it does not provide immediate propagation of updated objects and can result in CloudFront serving cached responses until TTLs expire.
Therefore, the most direct solution to display the updated website as quickly as possible is to create a CloudFront invalidation.

Question#5

A company uses AWS Systems Manager Session Manager to manage EC2 instances in the eu-west-1 Region. The company wants private connectivity using VPC endpoints.
Which VPC endpoints are required to meet these requirements? (Select THREE.)

A. com.amazonaws.eu-west-1.ssm
B. com.amazonaws.eu-west-1.ec2messages
C. com.amazonaws.eu-west-1.ec2
D. com.amazonaws.eu-west-1.ssmmessages
E. com.amazonaws.eu-west-1.s3
F. com.amazonaws.eu-west-1.states

Explanation:
The AWS Cloud Operations and Systems Manager documentation states that to use Session Manager privately within a VPC (without internet access), three interface VPC endpoints must be configured:
com.amazonaws.<region>.ssm: enables Systems Manager core API communication.
com.amazonaws.<region>.ec2messages: allows the agent to send and receive messages between EC2 and Systems Manager.
com.amazonaws.<region>.ssmmessages: enables real-time interactive communication for Session Manager connections.
These endpoints ensure secure, private connectivity over the AWS network, eliminating the need for public internet routing.
Endpoints for S3, Step Functions, or EC2 API (Options C, E, F) are not required for Session Manager functionality.
Thus, the correct combination is A, B, and D, aligning with AWS CloudOps best practices for secure, private Systems Manager access.
Reference: AWS Cloud Operations & Systems Manager Guide, Configuring VPC Endpoints for Session Manager Private Connectivity

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Amazon, Certified CloudOps Engineer - Associate, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.
