Amazon Web Services SOA-C03 - AWS Certified CloudOps Engineer - Associate

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient solution is C because AWS Systems Manager Session Manager is purpose-built for secure, auditable interactive access to EC2 instances at scale—without managing bastion hosts or distributing SSH keys. Session Manager can be configured to log session activity, including commands and output, to durable destinations such as Amazon CloudWatch Logs (and optionally Amazon S3). This directly satisfies the requirement to record interactive sessions and store logs durably.

For automated notifications and alarms, CloudWatch Logs supports metric filters that transform matching log patterns into CloudWatch metrics. Those metrics can then drive CloudWatch alarms and notifications (for example, via Amazon SNS). This is a standard CloudOps pattern: centralize logs, derive metrics from security-relevant patterns, and alert automatically.

Option A and D require installing and operating agents and building a more complex analytics path (Athena queries for alerting), which is less efficient and introduces more moving parts across thousands of instances. Option B adds a bastion host dependency that becomes an operational burden (scaling, patching, hardening, HA) and a potential choke point. Session Manager reduces these burdens by using SSM Agent already installed, IAM-based access control, and centralized logging/monitoring integrations.

User-defined tags must be explicitly activated as cost allocation tags in the AWS Billing and Cost Management console before they can be used in Cost Explorer. Simply applying tags to resources is not sufficient.

Once activated, cost allocation tags can take up to 24 hours to appear in Cost Explorer, but they will not appear at all if activation is not performed. The 30-day delay applies only to historical reporting after activation, not to visibility itself.

Cost and Usage Reports and Budgets are not prerequisites for Cost Explorer filtering.

Therefore, the issue occurs because the tags were not activated for cost allocation.

According to the AWS Cloud Operations and EC2 Connectivity documentation, EC2 Instance Connect Endpoint allows access to instances without internet exposure or open SSH ports. However, for successful connectivity, the EC2 instance must have Systems Manager permissions through an IAM instance profile.

If no IAM instance profile is attached, the instance cannot establish a control channel with the Systems Manager service, and EC2 Instance Connect cannot authenticate the session.

Opening port 22 (Option B) is unnecessary and contradicts the private subnet design. HTTPS rules (Option A) are irrelevant because EC2 Instance Connect communicates through AWS APIs, not direct HTTPS connections. Recreating the instance with a key pair (Option D) bypasses the intended keyless connection mechanism.

Therefore, Option C — attaching an IAM instance profile with Systems Manager permissions — enables secure, private access through EC2 Instance Connect Endpoint.

Systems Manager Inventory is configured through State Manager associations that run inventory collection documents such as AWS-GatherSoftwareInventory. AWS documentation states that configuring inventory collection starts by creating a Systems Manager State Manager association, and Systems Manager collects inventory data when the association runs. Inventory data can be synchronized to an Amazon S3 bucket for auditing and reporting. This directly meets the requirement to collect software inventory every day and store the results in S3. Distributor packages and distributes software; it is not the primary inventory collection mechanism. Patch Manager manages patching, not daily software inventory exports. Session Manager and Fleet Manager are useful for access and fleet visibility but do not provide the scheduled inventory-to-S3 workflow. Therefore, a scheduled Systems Manager association is correct.

===============

AWS Systems Manager supports hybrid and multicloud managed nodes through managed-instance activations. The CloudOps engineer creates an activation in Systems Manager, installs SSM Agent on the on-premises servers, and registers the servers by using the activation code and activation ID. This allows Systems Manager to manage those servers without storing long-term IAM user credentials on each machine. Option A is wrong because IAM instance profiles attach to EC2 instances, not on-premises servers. Option C misunderstands IAM policies; policies are permission documents, not credentials that can be downloaded to servers. Option D violates the requirement because IAM access keys are long-term credentials and should not be installed on servers. Managed-instance activation is the secure and operationally correct hybrid management approach.

===============

According to the AWS Cloud Operations and Identity Management documentation, when configuring federation between IAM Identity Center (formerly AWS SSO) and an external SAML 2.0 identity provider, two key prerequisites are required:

The IAM Identity Center SAML metadata file — This is uploaded to the external IdP to establish trust, define SAML endpoints, and enable identity federation.

The IdP metadata (including the public X.509 certificate) — This information is imported into IAM Identity Center to validate authentication assertions and encryption signatures.

IAM Identity Center and the IdP exchange this metadata to mutually establish secure, bidirectional federation.

Network-level details such as IP addresses (Option C) are unnecessary. Root access (Option D) or permissions to member accounts (Option E) are not required; only Control Tower or IAM administrative permissions in the management account are needed for setup.

Thus, the correct answer is A and B — the SAML metadata from both sides is required for federation.

CloudFormation drift detection compares the actual configuration of stack resources with the expected configuration defined in the CloudFormation template. This directly satisfies the requirement to find resources that do not match the expected configuration. Scheduling drift detection with Amazon EventBridge automates the audit and avoids manual CLI checks or repository reviews. Repository reviews only validate desired template code, not the real deployed state. EventBridge notifications about resource creation do not prove that resources remain compliant after deployment. AWS CLI scripts could work, but they would require custom logic and ongoing maintenance. For CloudOps, the best approach is to use the native drift detection capability and automate it on a schedule, then capture the drift results for operational review and remediation planning.

===============

AWS Backup is the managed service for backing up and restoring Amazon EFS file systems. It supports backup vaults and restore workflows without requiring a second live EFS file system. This is more cost-effective than maintaining a duplicate EFS file system in another Region. AWS documentation explains that AWS Backup performs incremental backups of EFS file systems, reducing duplicate backup storage and improving cost efficiency. For file-level recovery, a partial restore job can restore selected files or directories rather than restoring the entire file system. Amazon DLM is primarily used for EBS snapshots, not EFS file-level backup management. S3 Glacier retrieval is not the best fit for rapid individual file recovery because retrieval latency and restore workflow are unsuitable for quick operational recovery. Therefore, AWS Backup with partial restore is the right answer.

===============

AWS Resource Groups Tag Editor is the correct tool for finding and applying tags to AWS resources across services and Regions. Cost Explorer can show cost allocation gaps, including “No Tagkey,” but it is not the tool used to apply tags to resources. Service control policies can enforce permission boundaries, but they do not retroactively tag resources. AWS Config can detect missing required tags and can support remediation workflows, but terminating resources is clearly destructive and does not solve the financial reporting requirement. In CloudOps cost governance, the clean approach is to use Tag Editor to locate untagged or incorrectly tagged resources and apply the appropriate business-unit tags. After tagging, the company should activate cost allocation tags so future Cost Explorer reports correctly allocate spending.

===============

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To meet the requirement to log and audit any principal that publishes to SNS topics and interacts with SQS queues, the correct service is AWS CloudTrail, because CloudTrail records API activity (who did what, when, and from where). Enabling data events (where supported/required for deeper visibility) provides detailed records for operations such as publishing messages and sending/receiving messages. Delivering CloudTrail logs to Amazon S3 provides durable retention and supports querying workflows.

To ensure that communication uses VPC endpoints, the company should configure VPC endpoints for SNS and SQS and then validate usage by inspecting CloudTrail event records. CloudTrail includes endpoint-related context fields (for example, a VPC endpoint identifier) that allow auditors to confirm that the request path used a VPC endpoint rather than traversing the public internet. This directly addresses the “must use VPC endpoints” control with auditable evidence.

The other options do not satisfy both requirements. CloudWatch Logs does not automatically capture SNS/SQS API caller identity for publish/send/receive operations in the same authoritative way CloudTrail does. EventBridge can capture service events but is not the primary audit log of API calls and does not inherently prove VPC endpoint usage per request. Inspecting a VPC endpoint field in CloudWatch Logs is not the standard audit mechanism for these API calls.