Amazon Web Services SOA-C03 - AWS Certified CloudOps Engineer - Associate

AWS Organizations Tag Policies provide a centralized, scalable governance mechanism to standardize tagging across accounts. Tag policies let an organization define tag keys, allowed values, and tagging expectations, helping teams apply consistent tagging conventions across many accounts without building custom logic. This matches the requirement for consistent tags “across multiple accounts” with minimal operational overhead, because the policy is managed centrally and applied at the organization/OUs level.

For cost tracking, user-defined tags must be activated as cost allocation tags in AWS Billing and Cost Management. Enabling cost allocation tags is the required step to make those tags usable in billing views (for example, Cost Explorer allocation and reporting). Combining Tag Policies (governance/consistency) with cost allocation tag activation (billing attribution) directly meets both parts of the requirement.

Option B (CloudTrail + Lambda auto-tagging) is higher operational overhead: it requires event processing, permissions, continuous maintenance, exception handling, and careful logic to avoid incorrect tag assignments. Option C is partially relevant for compliance detection, but AWS Budgets does not “apply tags” to resources; Budgets is for cost/usage alerts and budget tracking. Option D can enforce tagged provisioning paths, but it’s not comprehensive for all resource creation mechanisms and Trusted Advisor is not a global “tag enforcement” engine.

Therefore, A is the most native and least-ops approach for consistent tags across an organization and enabling cost allocation tracking.

Amazon S3 Cross-Region Replication is the managed feature for automatically replicating newly created objects from a source bucket in one Region to a destination bucket in another Region. This is the correct disaster recovery pattern because replication is handled by S3 without custom code or scheduled copy jobs. Versioning is required for replication, and in a complete production configuration, versioning must be enabled on both the source and destination buckets. Option A is therefore the best answer, even though the wording mentions only source-bucket versioning. CORS controls browser cross-origin access and has nothing to do with disaster recovery replication. Lambda and EventBridge can copy objects, but this creates more operational overhead and error handling. S3 Lifecycle policies transition or expire objects; they do not replicate new objects across Regions.

===============

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is preventative: stop users from launching from unapproved AMIs. The most scalable approach with 75 approved AMIs is to tag all approved AMIs (for example, ApprovedAMI=true) and enforce usage through an IAM policy condition that only allows ec2:RunInstances when the ec2:ImageId resource (the AMI) includes the required tag. This avoids maintaining long allow/deny lists of AMI IDs and supports continuous updates: as new approved AMIs are created, tagging them automatically brings them under the policy without policy rewrites.

Option B is incorrect because service-linked roles are used by AWS services, not assigned to users for interactive authorization enforcement in this way. Option C and D are detective/remedial controls that act after instances are already launched, which does not satisfy “must prevent.” They also increase operational overhead and risk disruptions.

The most secure solution is to remove the hardcoded password completely and let AWS Secrets Manager generate, store, and rotate the database password. The AWS::SecretsManager::Secret resource with GenerateSecretString avoids exposing a static password in templates, parameters, source control, or deployment logs. The AWS::SecretsManager::RotationSchedule resource automates the required 90-day password rotation. The application should retrieve the secret at runtime from Secrets Manager by using an IAM role with least-privilege access. Option B still accepts a human-provided password, which is weaker than automatic secret generation. Parameter Store can store secure values, but it does not provide the same native database credential rotation workflow as Secrets Manager. NoEcho only masks console output; it does not make user data or template handling sufficiently secure.

===============

When a CloudFormation stack is deleted, CloudFormation’s default behavior is to delete the resources it created, including EC2 instances and attached resources defined in the template. The requirement is explicit: the company must keep the instances and all of the instances’ data even if someone deletes the stack. The CloudFormation mechanism intended for this outcome is the DeletionPolicy attribute, which controls what happens to a resource when the stack is deleted or when the resource is replaced during an update.

Setting DeletionPolicy: Retain on the EC2 instance resource instructs CloudFormation to preserve that resource instead of deleting it during stack deletion. With Retain, CloudFormation removes the resource from stack management but leaves the instance running (and therefore keeps the data that remains on the instance and its configured storage). This directly satisfies the requirement because the instance is not terminated as part of stack deletion.

Option A is incorrect for EC2 instances because Snapshot is applicable to certain resource types (commonly storage and database resources where snapshot semantics exist), not as a general “keep my instance” control for EC2 instance resources. Options B and C (DLM and AWS Backup) are valuable for backup and recovery strategies, but they do not prevent CloudFormation from terminating the instances when the stack is deleted. Backups could help restore later, but the requirement is to keep the original instances and their data even after deletion of the stack.

Therefore, the correct solution is to set DeletionPolicy to Retain for the EC2 instance resource in the CloudFormation template.

Per the AWS Cloud Operations, Networking, and Security documentation, the best practice for serving private S3 content securely to end users is to use Amazon CloudFront with Origin Access Control (OAC).

OAC enables CloudFront to access S3 buckets privately, even when Block Public Access settings are enabled at the account level. This allows content to be delivered globally and securely without making the S3 bucket public. The bucket policy explicitly allows access only from the CloudFront distribution, ensuring that users can retrieve PDF files only via CloudFront URLs.

This configuration offers:

Automatic scalability through CloudFront caching,

Improved security via private access control,

Minimal administration effort with fully managed services.

Other options require manual handling or make the bucket public, violating AWS security best practices.

Therefore, Option B—using CloudFront with Origin Access Control and a restrictive bucket policy—provides the most secure, efficient, and low-maintenance CloudOps solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The requirement is that traffic from a VPC-connected Lambda to Amazon S3 must not use public IP addresses. The AWS-native way to keep traffic private is to use VPC endpoints, which provide private connectivity to supported AWS services without traversing the public internet. Among the options, creating an S3 VPC endpoint is the only approach that satisfies “no public IP addresses” while allowing access to the bucket. Option D is the best match because it explicitly configures an S3 endpoint and directs the Lambda function to use the endpoint-specific DNS name for private routing.

Option C (NAT gateway) is incorrect for this requirement because NAT provides outbound internet access from private subnets and typically uses public IP addressing at the NAT gateway. That violates the intent to avoid public IP paths for S3 traffic. Option A is not applicable because S3 buckets are not placed “inside” a VPC and do not participate in VPC sharing in a way that provides private network paths. Option B (transit gateway) connects VPCs and on-prem networks, but it does not create private service connectivity to S3 by itself; you would still need the correct service endpoint solution for S3 access.

Using a VPC endpoint also aligns with CloudOps best practices: it reduces exposure, simplifies network egress controls, and supports least-privilege access via endpoint policies (where applicable) alongside IAM policies.

For encrypted RDS snapshots, cross-account sharing requires both sharing the snapshot and granting access to the KMS key used to encrypt it. By updating the KMS key policy to allow the migration account access, the encrypted snapshot can be restored in the migration account.

Option A uses native RDS snapshot sharing and minimal configuration changes, making it the least administrative overhead approach.

Options B, C, and D introduce unnecessary complexity, higher operational cost, or unsupported workflows.

The application is CPU-heavy, shows sustained high CPU utilization, and can only scale vertically. Therefore, the correct action is to move to a larger or more appropriate compute-optimized EC2 instance family. The current t3.large is a burstable general-purpose instance. Burstable instances can experience performance limitations if CPU credits are depleted after sustained high CPU usage, which matches the “after a few minutes” latency pattern. Provisioned IOPS helps storage-bound workloads, not CPU-bound workloads. Adding more t3.large instances is horizontal scaling, which the question explicitly says the application cannot use. Reserved Instances reduce cost commitment but do not improve performance. A compute-optimized instance provides stronger sustained CPU capacity and is the correct performance optimization for a vertically scaled CPU-heavy workload.

===============

CloudWatch Synthetics canaries require connectivity to both CloudWatch and Amazon S3 to function correctly. In a private VPC without internet access, AWS service access must be provided through VPC endpoints.

The canary needs to send metrics, logs, and execution data to CloudWatch, which requires an interface VPC endpoint for CloudWatch. It also needs to store artifacts such as screenshots and HAR files in Amazon S3, which requires a gateway VPC endpoint for S3. Without these endpoints, the canary cannot communicate with required AWS services and will fail to start.

DNS resolution and DNS hostnames must be enabled so the canary can resolve AWS service endpoints to the private IP addresses exposed by the VPC endpoints. This is a mandatory prerequisite for PrivateLink-based service access.

Option B and C incorrectly disable DNS functionality, which breaks service endpoint resolution. Option A includes invalid or irrelevant permissions and does not address private connectivity requirements.

Therefore, enabling DNS support and creating both the CloudWatch interface endpoint and the S3 gateway endpoint is the correct and complete solution.