Amazon Web Services SOA-C03 - AWS Certified CloudOps Engineer - Associate

To analyze and visualize custom statistics such as the p90 latency (90th percentile), a CloudWatch metric must be generated from the log data. The correct method is to create a metric filter that extracts the latency value from each log event and publishes it as a CloudWatch metric. Once the metric is published, percentile statistics (p90, p95, etc.) can be displayed in CloudWatch dashboards or alarms.

AWS documentation states:

“You can use metric filters to extract numerical fields from log events and publish them as metrics in CloudWatch. CloudWatch supports percentile statistics such as p90 and p95 for these metrics.”

Contributor Insights (Option A) is for analyzing frequent contributors, not numeric distributions. Subscription filters (Option C) are used for log streaming, and Application Insights (Option D) provides monitoring of application health but not custom p90 statistics. Hence, Option B is the CloudOps-aligned, minimal-overhead solution for percentile latency monitoring.

CloudFormation StackSets are designed specifically to deploy and manage the same CloudFormation stack across multiple AWS accounts and Regions from a centralized administration point. When accounts are managed under AWS Organizations, StackSets can integrate directly with Organizations to target Organizational Units (OUs) or specific accounts, which minimizes operational overhead. This removes the need to manually assume roles and deploy stacks one-by-one, and avoids building custom automation (Lambda + cross-account role assumption + account enumeration + error handling + retries + idempotency).

With StackSets, you define the template once and then create stack instances across many accounts in a controlled and consistent manner. StackSets provide built-in features for: (1) centralized rollout and updates, (2) drift detection, (3) automatic deployment to new accounts (when using Organizations integration), and (4) standardized execution roles. This is operationally simpler and safer than scripting because StackSets handle orchestration and track deployment state per account/Region.

Option A increases manual work and is error-prone at scale. Options B and C require custom Lambda orchestration, cross-account permissions, and ongoing maintenance for failure modes and change management. StackSets provide the native “least ops” approach to multi-account CloudFormation deployments under Organizations.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To ensure video files are cached at CloudFront edge locations after migrating the files to Amazon S3, CloudFront must be able to fetch those video objects directly from S3 as an origin. The most operationally straightforward pattern is to add S3 as a second origin and create a separate cache behavior that routes requests for video paths (for example, /video/* or /*.mp4) to the S3 origin. With this configuration, CloudFront caches the S3-served objects at edge locations according to the cache policy/headers, while the existing ALB origin continues serving dynamic application paths. This isolates static media delivery from the application tier and improves performance by maximizing cache hits at the edge.

Option A is not how CloudFront origin selection works: CloudFront does not “redirect” to S3 based on headers; it selects an origin per behavior. Option C (signed URLs) is an access-control mechanism and does not, by itself, ensure the objects are retrieved from S3 or cached correctly. Option D (origin groups) is for origin failover (primary/secondary) and does not provide path-based routing to ensure videos come from S3.

As per AWS Cloud Operations, Bedrock, and Governance documentation, AWS CloudTrail is the authoritative service for capturing API activity and audit trails across AWS accounts. For Amazon Bedrock, CloudTrail records all user-initiated API calls, including interactions with agents, knowledge bases, and generative AI model parameters.

Using CloudTrail Lake, organizations can store, query, and analyze CloudTrail events directly without needing to export data. CloudTrail Lake supports SQL-like queries for generating audit and compliance reports, enabling the company to retrieve information such as user identity, API usage, timestamp, model or agent ID, and invocation parameters.

In contrast, CloudWatch focuses on operational metrics and log streaming, not API-level identity data. OpenSearch or Flink would add unnecessary complexity and cost for this use case.

Thus, the AWS-recommended CloudOps best practice is to leverage CloudTrail with CloudTrail Lake to maintain auditable, queryable API activity for Bedrock workloads, fulfilling governance and compliance requirements.

Network ACLs are stateless, meaning both inbound and outbound rules must explicitly allow traffic. While inbound HTTP traffic (port 80) was allowed, the return traffic from the EC2 instance uses ephemeral ports (typically 1024–65535). If outbound rules do not allow this ephemeral port range, the response traffic is dropped, preventing the website from loading.

Security groups are stateful and automatically allow return traffic, but network ACLs do not. This commonly causes connectivity issues when custom ACLs are applied without matching outbound rules.

Option B is incorrect because security groups allow all outbound traffic by default. Option C is irrelevant. Option D is incorrect because only one network ACL can be associated with a subnet at a time.

Thus, the missing outbound ephemeral port rule in the network ACL is the root cause.

AWS Trusted Advisor publishes service quota metrics to Amazon CloudWatch. These metrics can be monitored using CloudWatch alarms, which support threshold-based alerting. By creating a CloudWatch alarm for each service quota metric, the CloudOps engineer can trigger alerts when usage exceeds 60%.

Amazon SNS is the AWS-native service for email notifications. CloudWatch alarms integrate directly with SNS, making this the most straightforward solution. SNS supports email subscriptions without additional infrastructure.

Options B and C incorrectly use SQS for email notifications, which requires additional processing and does not natively send emails. Option D relies on the AWS Health Dashboard, which does not support configurable threshold-based alerts for service quotas.

Therefore, CloudWatch alarms combined with SNS provide the correct and most efficient solution.

The CloudWatch agent supports modular configuration using the append-config option, which allows additional log sources to be added without overwriting the existing baseline configuration. This makes it ideal for incremental log collection changes across large fleets.

By creating a separate configuration file specifically for DHCP logs and using Systems Manager Run Command, the CloudOps engineer can remotely update only the relevant instances in a scalable and automated manner. This approach avoids manual login and preserves the existing baseline configuration.

Options B and C require manual intervention on each instance, which is not scalable or operationally efficient. Option D captures additional logs indiscriminately and does not specifically target DHCP logs, potentially increasing noise and cost.

Therefore, Option A is the most efficient and AWS-recommended approach.

The AWS Cloud Operations and Security documentation confirms that AWS WAF (Web Application Firewall) is designed to protect web applications from application-layer threats, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.

When integrated with an Application Load Balancer, AWS WAF inspects incoming traffic using rule groups. The AWS Managed Rules for SQL Injection Protection provide preconfigured, continuously updated filters that detect and block malicious SQL patterns.

AWS Shield (Standard or Advanced) defends against DDoS attacks, not application-layer SQL attacks, and vulnerability scanners (Option C) only detect, not prevent, exploitation.

Thus, Option D provides the correct, managed, and automated protection aligned with AWS best practices.

AWS Security Hub is the native AWS service that provides continuous compliance checks against security standards, including the CIS AWS Foundations Benchmark. When integrated with AWS Organizations, Security Hub can automatically enroll existing and newly created accounts, eliminating manual invitations and scripts.

By designating a Security Hub administrator account and enabling automatic account onboarding, the organization ensures consistent security posture monitoring across all accounts. CIS benchmark checks are run continuously, and findings are aggregated centrally, simplifying governance and remediation workflows.

Amazon Inspector focuses on vulnerability scanning for EC2, container images, and Lambda functions—not CIS compliance. GuardDuty is a threat detection service and does not run CIS benchmarks.

Therefore, using AWS Security Hub with automatic organization-wide enrollment is the most efficient solution.

The important clue is that the new Lambda function and its IAM role are already correctly configured. When S3 validates event notification configurations, it can validate not only the newly added destination but also existing destinations on the bucket. If the bucket already has a stale notification that points to a deleted Lambda function, deleted queue, deleted topic, or destination without the correct resource policy, the validation can fail with “Unable to validate the following destination configurations.” Option C would be plausible if the new Lambda permission were missing, but the question rules out a problem with the new function configuration. Option A is not the best cause because the error refers to destination validation, not a quota breach. Therefore, the stale existing event notification is the likely root cause.

===============