Amazon Web Services SOA-C03 - AWS Certified CloudOps Engineer - Associate

According to the AWS Cloud Operations and Elastic Load Balancing documentation, Application Load Balancer (ALB) supports multiple routing algorithms to distribute requests among targets:

Round robin (default)

Least outstanding requests (LOR)

Weighted random

When applications require session affinity, AWS recommends using “least outstanding requests” as the load balancing algorithm because it reduces latency, distributes load evenly, and ensures consistent target responsiveness during high traffic.

Using weighted random routing with sticky sessions can cause sessions to be routed inconsistently if one target’s capacity fluctuates, leading to session mismatches and application errors — especially when user sessions rely on instance-specific state.

Disabling cross-zone balancing (Option C) or adjusting deregistration delay (Option D) does not address routing inconsistency. Anomaly mitigation (Option B) protects against target performance degradation, not sticky-session misrouting.

Therefore, the correct solution is Option A — changing the target group’s routing algorithm to least outstanding requests ensures smoother, predictable session handling and resolves random application errors.

Because all instances are already managed by AWS Systems Manager, the lowest-overhead approach is to use Systems Manager Patch Manager end-to-end. Patch Manager is built specifically to scan managed instances for missing patches and to apply operating system patches according to defined rules. By defining a patch baseline, the CloudOps engineer establishes which patches are approved (and how quickly critical patches are approved), plus any exclusions and compliance rules. A Patch Manager scan can then be run to determine which instances are noncompliant and therefore likely affected by the vulnerability, without the engineer needing to manually inventory hosts.

After identifying affected (noncompliant) instances through the scan results, Patch Manager can apply patches directly using Patch Now (or an equivalent on-demand patch operation) in each Region. This matches the multi-Region requirement while keeping operations simple: no custom code, no additional services, and no complex event orchestration. It also produces compliance visibility in Systems Manager, which helps track remediation status for incident response.

Option B adds AWS Config unnecessarily. AWS Config is useful for recording and evaluating configuration changes and can report compliance against configuration rules, but it is not the most direct tool for identifying missing OS patches on instances already under Systems Manager management. Option C introduces additional moving parts (EventBridge rules and event-driven automation). While it can be powerful, it is more complex than a straightforward Patch Manager scan-and-patch workflow, and it assumes the right compliance events exist for this scenario before remediation begins. Option D is the highest operational burden because it requires rebuilding AMIs, launching replacement instances, and coordinating replacements across two Regions. That approach aligns to immutable infrastructure patterns, but it is not the least overhead for rapid remediation of existing instances.

Therefore, using Patch Manager with a patch baseline, scanning to identify affected instances, and applying patches in each Region is the simplest and most operationally efficient solution.

=================

The least-effort, most scalable approach to ensure consistent software installation and ongoing updates across tagged Windows instances is to use AWS Systems Manager’s native software distribution and desired-state capabilities. Systems Manager Distributor lets you package third-party software as an “SSM package,” version it, and publish updates in a controlled way. This directly supports the requirement to install a third-party agent and deploy periodic updates when new versions are available.

State Manager Associations let you enforce configuration continuously or on a schedule across a fleet, targeting instances by tags (which the scenario explicitly says are in place). By creating an association that runs AWS-ConfigureAWSPackage, you instruct Systems Manager to install (and optionally update) a specific SSM package on all instances that match the Windows tag criteria. This provides ongoing compliance: newly launched instances that receive the tag will automatically get the agent installed, and existing instances will receive updates according to the association’s frequency and the package version strategy.

Option C (custom Lambda that logs in) is high operational overhead and poor practice (credentials, connectivity, error handling, scaling, and security concerns). Option D (RunRemoteScript) can work but is more brittle than ConfigureAWSPackage because it shifts lifecycle management (versioning, state, idempotency) into scripts. Option B (OpsItem + Inventory) is not an enforcement mechanism for installation/updating; it’s for operations tracking and visibility.

Therefore, Distributor (A) + State Manager association using AWS-ConfigureAWSPackage targeted by tags (E) is the cleanest and lowest-ops solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C because selective CloudFront invalidation ensures that only updated JavaScript files are refreshed across edge locations. AWS CloudOps documentation explains that invalidations remove cached objects so that CloudFront fetches the latest version from the origin on the next request.

Invalidating only changed files minimizes cost, reduces operational impact, and avoids unnecessary origin requests. This approach ensures users always receive the latest application assets without degrading backend performance.

Option A is incorrect because setting TTLs to 0 forces CloudFront to query the origin for every request, increasing load on the ALB and EC2 instances. Option B is inefficient and costly because invalidating all files is unnecessary. Option D removes the benefits of CloudFront caching and increases latency.

AWS CloudOps best practices recommend targeted invalidations during deployments to balance performance, cost, and correctness.

EC2 does not publish RAM utilization as a native CloudWatch metric by default. Memory metrics such as mem_used_percent are typically collected by the CloudWatch Agent, which runs on the instance and publishes custom metrics to CloudWatch. Because the requirement is RAM utilization at 5-minute intervals, the CloudWatch Agent can be configured to emit metrics at that cadence (or faster).

“Detailed monitoring” for EC2 mainly affects EC2-provided metrics (like CPU) by changing the period from 5 minutes (basic) to 1 minute (detailed). It does not magically provide memory utilization. Therefore, the key requirement is installing/configuring the CloudWatch Agent and ensuring it has permissions to publish metrics (via an IAM role attached to the instance / instance profile).

Option C correctly combines: (1) basic monitoring (fine for the ask), (2) CloudWatch Agent to publish mem_used_percent, (3) IAM role permissions to allow publishing, and (4) Auto Scaling policy that scales based on the memory metric.

Option B incorrectly implies detailed monitoring provides mem_used_percent (it does not). Option D assumes a “standard” memory metric exists without the agent, which is not correct. Option A references mem_active, which is not the typical metric name exposed by CloudWatch Agent’s standard memory measurements for scaling policies, and also omits the IAM role requirement needed for publishing custom metrics.

Thus, C is the AWS-correct path for memory-based scaling using CloudWatch custom metrics.

AWS Systems Manager Run Command includes a built-in rate control feature that allows administrators to control the maximum number of concurrent executions across target instances. This directly addresses the requirement to limit downloads to 30 at a time without custom orchestration or additional services.

By targeting instances using tags, the solution automatically scales as new instances are added, which aligns with future growth expectations. Rate control ensures controlled concurrency and protects the private repository from overload.

Option A is manual and does not scale operationally. Option B introduces unnecessary complexity with Lambda and concurrency management that does not map cleanly to instance execution concurrency. Option D significantly increases architectural complexity without added value.

Run Command with rate control is the simplest, most native, and most scalable solution.

Amazon Aurora backtracking allows a DB cluster to be rewound to a specific point in time without creating a new DB cluster. This feature is designed for fast recovery from logical errors, such as accidental data changes, within a configured backtrack window. Because backtracking operates directly on the existing cluster, it satisfies the requirement that the restore occur in the same production DB cluster.

Point-in-time recovery (Option D) restores data by creating a new DB cluster, which violates the requirement. Option A involves promoting a replica, which does not allow rolling back to an arbitrary historical point. Option B introduces unnecessary complexity and is not supported for restoring directly into the same cluster.

Backtracking provides near-instant rollback and minimal operational disruption, making it the correct solution.

The symptoms point to two common database pressure sources: inefficient queries (driving high CPU and latency) and excessive concurrent connections (driving connection management overhead, read contention, and timeouts). The most effective remediation is to address both the SQL workload and the connection surge behavior.

Amazon RDS Performance Insights (Option A) is designed to help identify which SQL statements and wait events contribute most to database load. It provides a database-centric view of performance that highlights top SQL, top waits, and the relative impact of sessions on CPU and other resources. By using Performance Insights to pinpoint the highest-impact SQL and then tuning those queries (for example, improving indexes, reducing full scans, and optimizing query patterns), the company can lower CPU utilization and reduce query latency during peak hours.

Connection surges are best addressed with a managed connection pooling layer. RDS Proxy (Option E) provides connection pooling and multiplexing between application connections and the database, which reduces the overhead of establishing and maintaining a large number of database connections. During spikes, the proxy can smooth bursty connection behavior, improve failover handling, and reduce the risk of overwhelming the database with too many concurrent connections. This directly targets the observed timeouts and read performance degradation tied to surges.

Option B is not the best fit because CloudWatch Logs Insights is a log analytics tool; it is not the primary mechanism for deep SQL performance attribution in RDS and typically requires extensive logging configurations that add overhead. Option C would reduce availability and does not improve performance. Option D would make the problem worse: disabling pooling increases connection churn and overhead, amplifying timeouts and latency during peak traffic.

Therefore, combining Performance Insights query analysis/tuning with RDS Proxy connection pooling best resolves both root causes.

=================

According to the AWS Cloud Operations and Networking documentation, instances in a private subnet do not have a direct route to the internet gateway and thus require a NAT gateway for outbound internet access.

The correct configuration is to create a NAT gateway in the public subnet, associate an Elastic IP address, and then update the private subnet’s route table to send all 0.0.0.0/0 traffic to the NAT gateway. This enables instances in the private subnet to initiate outbound connections while keeping inbound traffic blocked for security.

Placing the NAT gateway inside the private subnet (Options C or D) prevents connectivity because it would not have a route to the internet gateway. Configuring routes from the public subnet to the NAT gateway (Option B) does not serve private subnet traffic.

Hence, Option A follows AWS best practices for enabling secure, managed, outbound-only internet access from private resources.

Amazon EBS snapshots are stored in Amazon S3, and standard restores can experience higher latency until data blocks are fully retrieved. Fast Snapshot Restore (FSR) eliminates this latency by ensuring that all blocks are immediately available at full performance.

Because the production environment uses a General Purpose SSD (gp3) volume, creating the test database on the same volume type ensures performance characteristics are as similar as possible. Using FSR significantly reduces restore time and allows load testing to begin immediately.

Provisioned IOPS volumes would introduce different performance characteristics and unnecessary cost. Standard snapshot restore would delay testing due to gradual block hydration.

Therefore, using FSR with the same EBS volume type is the fastest and most accurate solution.