Amazon Web Services SOA-C03 - AWS Certified CloudOps Engineer - Associate

EC2 instances in private subnets cannot send traffic directly to the internet gateway because private subnets do not have a direct 0.0.0.0/0 route to the internet gateway. Instead, outbound IPv4 internet access from private subnets is typically provided by a NAT gateway that is deployed in a public subnet. Private subnet route tables then send default internet-bound traffic (0.0.0.0/0) to the NAT gateway as the target. The NAT gateway uses its Elastic IP address and the public subnet’s route to the internet gateway to enable outbound connectivity while still preventing inbound internet-initiated connections to the private instances.

When the company reduced multiple NAT gateways to a single NAT gateway, the routing design likely became inconsistent across Availability Zones. In multi-AZ architectures, it is common to have one NAT gateway per AZ and have each private subnet route to the NAT gateway in the same AZ to maintain zonal resiliency and avoid cross-AZ dependencies. If NAT gateways were removed, some private subnets may still have route table entries that point to NAT gateways that no longer exist. Those subnets would immediately lose outbound internet connectivity. The fix is to update the route tables associated with the affected private subnets so that their 0.0.0.0/0 route targets the remaining NAT gateway.

Option C would violate the requirement that instances must be in private subnets; routing private subnet traffic directly to an internet gateway effectively makes the subnet public. Option A is unnecessary and adds operational burden; NAT instances require patching, scaling, and availability management. Option D does not address the routing target problem and is not how NAT gateway egress is restored for multiple subnets.

Therefore, correcting the private subnet route tables to send internet-bound traffic to the existing NAT gateway is the appropriate solution.

=================

Blue/green deployment with AWS CodeDeploy is the correct strategy for Amazon ECS when zero downtime and fast rollback are required. In a blue/green deployment, the current production task set remains active while a new task set is created and validated. Traffic can then be shifted safely to the new version. If the new version causes performance degradation, CodeDeploy can roll back by redirecting traffic to the previous task set. AWS ECS documentation describes blue/green deployment as a method that reduces downtime and risk by running two production environments and validating revisions before routing production traffic. Rolling updates do not provide the same immediate one-step rollback. Canary or linear traffic shifting gradually moves traffic but does not match the requirement for immediate rollback as directly as blue/green. Manual scaling is operationally weak.

===============

Per the AWS Cloud Operations and Event Management documentation, Amazon EventBridge provides native scheduling capabilities that can trigger events at defined intervals—such as weekly, daily, or cron-based schedules.

Creating an EventBridge rule that runs every Saturday and publishes a message to an SNS topic fully automates the notification process without maintaining servers or manual jobs. This approach is serverless, highly reliable, and fully managed by AWS.

By contrast:

EC2 cron jobs (Option A) require instance management, patching, and cost overhead.

SNS subscriptions (Option C) handle message delivery, not scheduling.

Step Functions (Option D) are designed for complex workflows, not simple scheduled triggers.

Thus, Option B provides the most operationally efficient CloudOps solution by integrating EventBridge scheduled events with SNS topics for automated, recurring notifications.

According to the AWS Cloud Operations and Compute documentation, when workloads exhibit predictable traffic patterns, the best practice is to use scheduled scaling for Amazon EC2 Auto Scaling groups.

With scheduled scaling, administrators can predefine the desired capacity of an Auto Scaling group to increase before anticipated demand (in this case, before the 2-hour peak) and scale back down afterward. This ensures that sufficient compute capacity is provisioned proactively, avoiding performance degradation while maintaining cost efficiency.

AWS notes: “Scheduled actions enable scaling your Auto Scaling group at predictable times, allowing you to pre-warm instances before demand spikes.”

Manual scaling (Option D) adds operational overhead. Adjusting launch templates (Option B) doesn’t affect scaling behavior, and permanently increasing minimum capacity (Option A) wastes resources outside of peak hours.

Thus, Option C provides an automated, cost-effective, and operationally efficient CloudOps solution.

Standard Amazon Linux AMIs typically already include the Systems Manager Agent. If instances do not appear as managed nodes in Systems Manager, the most common missing requirement is the instance profile permissions that allow the SSM Agent to communicate with Systems Manager service endpoints. The AWS managed policy AmazonSSMManagedInstanceCore grants the required permissions for core Systems Manager functionality. Option A is unnecessary because the standard Amazon Linux AMI already includes SSM Agent in most supported versions. Option B is irrelevant; ACM certificates are not required for SSM Agent registration. Option C is also wrong because the ssm-user account is created and managed by Session Manager when needed; manually creating it does not register the instance. Therefore, attach an IAM instance profile with AmazonSSMManagedInstanceCore.

===============