AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

An operations team must ensure that EC2 instances in a production VPC cannot resolve domains that the security team lists as malicious. The solution must record every blocked DNS query in Amazon CloudWatch Logs and require minimal ongoing maintenance. Which approach meets these requirements?

  • Deploy a Route 53 Resolver inbound endpoint and forward queries to an EC2-based DNS proxy that filters the malicious domains using an open-source blacklist.

  • Create a Route 53 Resolver DNS Firewall rule group that blocks the malicious domains, associate the group with the VPC for outbound DNS traffic, and enable Resolver DNS Firewall logging to CloudWatch Logs.

  • Attach an AWS WAF web ACL to the application's load balancer with rules that block requests whose Host header matches the malicious domains.

  • Add deny entries to the VPC's network ACL that block outbound TCP and UDP traffic on port 53 to the IP addresses of the malicious domains.

Networking and Content Delivery