Amazon Web Services SOA-C03 - AWS Certified CloudOps Engineer - Associate

An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and supports advanced routing features, including HTTP-to-HTTPS redirection. To meet the requirement of protecting traffic with ACM certificates and automatically redirecting HTTP requests, the ALB must be configured with two listeners.

The correct design is to create an HTTP listener on port 80 and an HTTPS listener on port 443. The SSL/TLS certificate from AWS Certificate Manager is attached to the HTTPS listener. A listener rule on port 80 redirects incoming HTTP requests to HTTPS on port 443, ensuring all client connections are encrypted.

Option A is invalid because HTTPS cannot operate on port 80. Option C uses TCP listeners, which do not support HTTP-level redirects. Option D uses a Network Load Balancer, which operates at Layer 4 and does not support HTTP redirects.

Therefore, Option B is the only solution that satisfies all requirements using AWS-native features with minimal complexity.

For cross-account access, the Lambda function in Account A needs an execution role that permits it to call sts:AssumeRole on a role in Account B. The role in Account B must trust the Lambda execution role from Account A and must have permissions to read the target S3 bucket objects. This follows the standard AWS cross-account access model: the resource-owning account creates a role with permissions to the resource, and the external workload assumes that role. Option B is incomplete because permissions granted only in Account A do not automatically grant access to resources in Account B. Options C and D reverse the trust relationship incorrectly. The secure CloudOps model is cross-account role assumption with least privilege: Lambda execution role in Account A assumes a read-only S3 access role in Account B.

===============

To detect CPU utilization issues within a 2-minute window, detailed monitoring is required. Basic monitoring publishes metrics at 5-minute intervals, which is too coarse to reliably detect a condition lasting only 2 minutes. Detailed monitoring publishes metrics at 1-minute granularity, allowing precise detection.

Amazon CloudWatch alarms support EC2 reboot actions directly, eliminating the need for custom Lambda functions. This minimizes administrative overhead and leverages native AWS integrations.

Options C and D introduce unnecessary complexity and delay. Option A cannot meet the timing requirement due to metric granularity.

Therefore, using a CloudWatch alarm with detailed monitoring and an EC2 reboot action is the correct solution.

High availability for an EC2-based web application behind an ALB is primarily achieved by eliminating single points of failure at the infrastructure layer. A single Availability Zone (AZ) deployment is vulnerable to AZ-level impairment (power/network issues, facility events, or service disruptions). The most direct and standard AWS approach is to distribute the Auto Scaling group across multiple AZs within the same Region.

Updating the Auto Scaling group to use subnets in at least two AZs allows instances to be launched across AZs automatically. The ALB is built to route traffic across targets in multiple AZs, and Auto Scaling can replace unhealthy instances in any enabled AZ. This provides resilience without the complexity of multi-Region architectures.

Options A and B address capacity for peak load but do not address the core availability requirement. Even with more instances, a full AZ outage would still take the entire application down if all instances are in the same AZ.

Option D (multi-Region) can improve resilience further, but it introduces significantly more operational overhead: cross-Region traffic routing, data replication, DNS failover strategy, application state handling, and potentially active-active or active-passive designs. For “make the application highly available” from a single-AZ baseline, multi-AZ in the same Region is the standard, least-overhead improvement.

For Amazon RDS for MySQL, a Multi-AZ DB instance deployment provides synchronous standby replication to another Availability Zone and supports automatic failover if the primary DB instance or Availability Zone fails. This directly meets the requirement for failover while minimizing application downtime. A read replica in the same Availability Zone does not provide the same automatic high-availability failover path and is mainly used for read scaling. Auto Scaling groups apply to EC2 instances, not RDS DB instances. RDS Proxy can improve application connection handling and failover behavior, but it does not by itself create a standby database for a Single-AZ instance. The database must first have a high-availability deployment. Therefore, modifying the DB instance to Multi-AZ is the correct reliability solution.

===============

The number of AWS Trusted Advisor checks available to an account depends on the AWS Support plan associated with the account. The Basic and Developer support plans provide access to a limited set of Trusted Advisor checks, primarily focused on security and service limits.

The Business and Enterprise support plans provide full access to all Trusted Advisor checks, including cost optimization, performance, fault tolerance, and security categories.

Running EC2 instances, SCPs, or MFA settings do not affect the availability of Trusted Advisor checks.

Therefore, the AWS Support plan determines the quantity of available Trusted Advisor checks.

According to the AWS Cloud Operations and Deployment documentation, EC2 Image Builder is the AWS-managed service for automating the creation, maintenance, validation, and deployment of secure and compliant Amazon Machine Images (AMIs).

It allows CloudOps teams to define image pipelines that include only approved software modules and configuration scripts. EC2 Image Builder automatically tests and verifies these AMIs for compliance before deployment.

This process ensures configuration consistency, eliminates manual installation errors, and simplifies ongoing patch management. The service integrates with AWS Systems Manager, Amazon Inspector, and AWS CloudFormation for end-to-end automation.

In contrast:

Amazon Detective and GuardDuty (Options A & B) are security monitoring tools, not image management solutions.

Run Command (Option C) applies ad-hoc updates but does not create standard, reusable AMIs.

Therefore, Option D is correct—EC2 Image Builder provides the most operationally efficient and compliant way to create an approved baseline AMI for future deployments.

AWS Backup provides managed backup plans and supports cross-account and cross-Region backup copy workflows for supported AWS resources, including database backup scenarios. This is the least operationally intensive approach because scheduling, retention, copy operations, and monitoring are handled by AWS Backup instead of custom scripts. Option B can work but requires Lambda code, credentials, retries, error handling, and maintenance. Option C exports data to S3 and then replicates files, which is not the same as a managed Aurora backup copy and adds unnecessary complexity. AWS Application Migration Service is intended for server migration and lift-and-shift replication, not daily Aurora database backup copying. Therefore, an AWS Backup plan with the second account and second Region as the destination best matches automated disaster recovery and operational efficiency.

===============

Amazon Aurora backtracking allows a DB cluster to be rewound to a specific point in time without creating a new DB cluster. This feature is designed for fast recovery from logical errors, such as accidental data changes, within a configured backtrack window. Because backtracking operates directly on the existing cluster, it satisfies the requirement that the restore occur in the same production DB cluster.

Point-in-time recovery (Option D) restores data by creating a new DB cluster, which violates the requirement. Option A involves promoting a replica, which does not allow rolling back to an arbitrary historical point. Option B introduces unnecessary complexity and is not supported for restoring directly into the same cluster.

Backtracking provides near-instant rollback and minimal operational disruption, making it the correct solution.

Instances in private subnets do not have direct routes to an internet gateway, so they cannot reach public internet endpoints unless the VPC provides a managed egress path. The standard AWS architecture for private-subnet outbound internet access is to use a NAT device (typically a NAT gateway) placed in a public subnet, with an Elastic IP address and a route from the private subnet to that NAT gateway for 0.0.0.0/0 traffic. The NAT gateway then forwards traffic to the internet through the VPC’s internet gateway while preventing unsolicited inbound connections to the private instances.

The scenario states that the VPC has a NAT gateway in each private subnet. That placement prevents proper egress because a NAT gateway itself must be in a public subnet with a route to the internet gateway to function for internet-bound traffic. Without that, private instances will fail to reach external services such as a third-party API, exactly as observed.

Option C corrects the architecture by deploying NAT gateways in the public subnets with Elastic IPs and updating the private subnet route tables so that outbound internet traffic targets the NAT gateways. This enables private workloads to initiate outbound connections while remaining unreachable from the public internet directly, maintaining the intended security posture.

Option A is incorrect because an outbound-only internet gateway is designed for IPv6 egress, not IPv4 internet access. Option B misunderstands routing: API Gateway is an application-layer proxy service and is not a target for VPC route tables to provide generic internet access. Option D is not applicable because VPC interface endpoints provide private connectivity to supported AWS services via PrivateLink, not to arbitrary external public APIs.

Therefore, deploying NAT gateways in the public subnets and routing private subnet egress through them is the correct solution.