Amazon Web Services SOA-C03 - AWS Certified CloudOps Engineer - Associate

According to CloudOps automation and monitoring best practices, CloudWatch dashboards should be provisioned as infrastructure-as-code (IaC) resources using AWS CloudFormation to ensure consistency, repeatability, and version control. AWS CloudFormation supports the AWS::CloudWatch::Dashboard resource, where the DashboardBody property accepts a JSON object describing widgets, metrics, and layout.

By exporting the existing dashboard configuration as JSON and embedding it into the CloudFormation template, every deployment of the application automatically creates its corresponding dashboard. This method aligns with the CloudOps requirement for automated deployment and operational visibility within the same stack lifecycle.

AWS documentation explicitly states:

“Use the AWS::CloudWatch::Dashboard resource to create a dashboard from your template. You can include the same JSON you use to define a dashboard in the console.”

Option A requires manual execution. Options C and D incorrectly reference or reuse existing dashboards, failing to produce unique, deployment-specific dashboards.

AWS Secrets Manager natively supports credential management and automatic rotation for Amazon RDS master user passwords. When a secret is associated with an RDS instance, Secrets Manager automatically updates the password both in the secret and on the database, without downtime or manual scripting.

AWS documentation confirms:

“AWS Secrets Manager can automatically rotate the master user password for Amazon RDS databases. Rotation is fully managed and integrated, requiring no custom code or maintenance.”

Option A introduces unnecessary Lambda automation. Option B and C use Parameter Store, which does not provide direct RDS password rotation. Therefore, Option D achieves secure, automatic credential rotation with least operational effort, fully aligned with CloudOps security automation principles.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is D because Amazon S3 Express One Zone with directory buckets and zonal endpoints is specifically designed for single–Availability Zone, high-performance workloads such as HPC, machine learning, and analytics applications running on Amazon EC2. AWS CloudOps documentation states that S3 Express One Zone delivers single-digit millisecond latency and up to 10x higher request performance compared to general purpose S3 buckets when data is accessed from the same Availability Zone.

An S3 directory bucket is required to use the S3 Express One Zone storage class. These buckets are explicitly associated with a single Availability Zone and use zonal endpoints, which eliminate cross-AZ network hops and significantly reduce latency. Importing the data from the existing general purpose bucket ensures compatibility while achieving maximum throughput and lowest latency.

Option A is incorrect because S3 Transfer Acceleration is optimized for long-distance, internet-based transfers, not for in-Region HPC workloads. Option B is incorrect because lifecycle policies cannot move objects into S3 Express One Zone, and S3 Express One Zone does not use Regional endpoints. Option C is incorrect because general purpose buckets do not support zonal endpoints and therefore cannot achieve the same performance benefits.

AWS CloudOps performance optimization guidance clearly identifies S3 directory buckets with S3 Express One Zone and zonal endpoints as the optimal architecture for high-throughput, low-latency workloads in a single Availability Zone.

The most secure pattern is to use an IAM role for Amazon EC2 with the minimum required permissions. AWS guidance states: “Use roles for applications that run on Amazon EC2 instances” and “grant least privilege by allowing only the actions required to perform a task.” By attaching a role to the instance, short-lived credentials are automatically provided through the instance metadata service; this removes the need to create long-term access keys or embed secrets. Granting only sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage against the specific SQS queues enforces least privilege and aligns with CloudOps security controls. Options A and B rely on IAM user access keys, which contravene best practices for workloads on EC2 and increase credential-management risk. Option C uses a role but grants sqs:*, violating least-privilege principles. Therefore, Option D meets the security requirement with scoped, temporary credentials and precise permissions.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C because selective CloudFront invalidation ensures that only updated JavaScript files are refreshed across edge locations. AWS CloudOps documentation explains that invalidations remove cached objects so that CloudFront fetches the latest version from the origin on the next request.

Invalidating only changed files minimizes cost, reduces operational impact, and avoids unnecessary origin requests. This approach ensures users always receive the latest application assets without degrading backend performance.

Option A is incorrect because setting TTLs to 0 forces CloudFront to query the origin for every request, increasing load on the ALB and EC2 instances. Option B is inefficient and costly because invalidating all files is unnecessary. Option D removes the benefits of CloudFront caching and increases latency.

AWS CloudOps best practices recommend targeted invalidations during deployments to balance performance, cost, and correctness.

High availability requires removing single-AZ risk and eliminating manual recovery. The AWS Reliability best practices state to design for multi-AZ and automatic healing: Auto Scaling “helps maintain application availability and allows you to automatically add or remove EC2 instances” (AWS Auto Scaling User Guide). The Reliability Pillar recommends to “distribute workloads across multiple Availability Zones” and to “automate recovery from failure” (AWS Well-Architected Framework – Reliability Pillar). Attaching the Auto Scaling group to an ALB target group enables health-based replacement: instances failing load balancer health checks are replaced and traffic is routed only to healthy targets. Using an AMI in a launch template ensures consistent, repeatable instance configuration (AWS EC2 Launch Templates). Options A and C keep all instances in a single Availability Zone and rely on manual or ad-hoc restarts, which do not meet high-availability or resiliency goals. Option B only scales vertically and adds a restart rule; it neither removes the single-AZ failure domain nor provides automated replacement. Therefore, creating a multi-AZ EC2 Auto Scaling group with a launch template and attaching it to the ALB target group (Option D) is the CloudOps-aligned solution for resilience and business continuity.

Per the AWS Cloud Operations and EventBridge documentation, when events are sent across AWS accounts — particularly from multiple accounts in an AWS Organization — the target event bus in the receiver account must include a resource-based policy that explicitly allows events:PutEvents API calls from the sender accounts or the organization ID.

Even if the sender accounts have IAM permissions to call PutEvents, the receiving event bus must trust those accounts via a resource policy. Without this configuration, EventBridge automatically rejects incoming cross-account events, and those events never reach the target Lambda function for processing.

AWS guidance states that “Cross-account event delivery requires a resource-based policy on the event bus that grants permissions to the source accounts or organization.” The policy can include either individual AWS account IDs or the organization’s root ID.

In this scenario, because the events originate from multiple accounts and there is no resource policy on the target event bus to authorize those sender accounts, the events are not delivered.

Therefore, the correct cause is C – the resource-based policy on the target event bus must be modified to allow PutEvents API calls from the sender accounts.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C. Create a store image task. Specify the image ID and the destination S3 bucket, because this is the only AWS-supported solution that allows an AMI to be backed up to Amazon S3 and later restored while preserving the original AMI ID. This capability is essential for regulatory and compliance requirements where immutable identifiers must be retained.

According to AWS CloudOps documentation for Amazon EC2 AMI lifecycle management, the AMI store and restore feature is specifically designed for long-term retention, audit, and compliance scenarios. When an AMI is stored using a store image task, AWS packages the AMI’s configuration, metadata, and associated snapshots and saves them as encrypted objects in an Amazon S3 bucket. When the AMI is restored, AWS explicitly states that the restored AMI retains the same AMI ID as the original image, ensuring continuity for compliance tracking and operational dependencies.

Option A is incorrect because copying an AMI always results in a new AMI ID, even when copied within the same AWS Region. Option B is incorrect because archiving snapshots to Amazon S3 does not preserve AMI metadata or identity; restoring from snapshots requires creating a new AMI with a different ID. Option D is incorrect because the copy-image command is intended for cross-Region or cross-account AMI duplication and also generates a new AMI ID.

AWS CloudOps best practices clearly identify store image tasks as the correct mechanism when AMI identity preservation is required for governance, auditability, and compliance controls.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is D because target tracking scaling policies are designed to automatically maintain a specific metric at a desired target value with the least administrative effort. AWS CloudOps documentation states that target tracking works like a thermostat, continuously adjusting capacity to keep the selected metric close to the defined target.

By specifying a target value of 40% average CPU utilization, the Auto Scaling group automatically scales out or in based on real-time demand without requiring manual thresholds, multiple alarms, or predefined scaling steps. This approach is fully managed by AWS and is the most operationally efficient option.

Option A is incorrect because scheduled scaling is based on predictable traffic patterns and cannot respond dynamically to real-time load changes. Option B is incorrect because simple scaling reacts only after an alarm is triggered and does not continuously maintain a target value. Option C is less efficient because step scaling requires additional configuration and tuning of scaling steps.

AWS CloudOps best practices clearly recommend target tracking scaling policies for maintaining steady performance metrics with minimal operational overhead.