AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A company has associated a Route 53 Resolver DNS Firewall rule group with several production VPCs to block known malware domains. An auditor requires proof that the blocking rules are enforced and insists that the DNS log records be retained for at least 5 years at the lowest possible cost. Which solution meets these requirements with the least operational overhead?

  • Turn on Route 53 Resolver query logging to CloudWatch Logs and create a subscription filter that forwards the logs to an S3 bucket.

  • Enable AWS CloudTrail Lake and periodically join CloudTrail management events with VPC Flow Logs to infer blocked DNS requests.

  • Enable Route 53 Resolver query logging for the production VPCs and write the logs directly to an Amazon S3 bucket that has a lifecycle policy to transition objects to the S3 Glacier Flexible Retrieval storage class after 30 days.

  • Configure Amazon GuardDuty DNS Malware Protection and export its findings to AWS Security Hub for long-term retention.

Networking and Content Delivery