AWS Certified CloudOps Engineer Associate Practice Test (SOA-C03)
Use the form below to configure your AWS Certified CloudOps Engineer Associate Practice Test (SOA-C03). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.
AWS Certified CloudOps Engineer Associate SOA-C03 Information
The AWS Certified CloudOps Engineer – Associate certification validates your ability to deploy, operate, and manage cloud workloads on AWS. It’s designed for professionals who maintain and optimize cloud systems while ensuring they remain reliable, secure, and cost-efficient. This certification focuses on modern cloud operations and engineering practices, emphasizing automation, monitoring, troubleshooting, and compliance across distributed AWS environments. You’ll be expected to understand how to manage and optimize infrastructure using services like CloudWatch, CloudTrail, EC2, Lambda, ECS, EKS, IAM, and VPC.
The exam covers the full lifecycle of cloud operations through five key domains: Monitoring and Performance, Reliability and Business Continuity, Deployment and Automation, Security and Compliance, and Networking and Content Delivery. Candidates are tested on their ability to configure alerting and observability, apply best practices for fault tolerance and high availability, implement infrastructure as code, and enforce security policies across AWS accounts. You’ll also demonstrate proficiency in automating common operational tasks and handling incident response scenarios using AWS tools and services.
Earning this certification shows employers that you have the technical expertise to manage AWS workloads efficiently at scale. It’s ideal for CloudOps Engineers, Cloud Support Engineers, and Systems Administrators who want to prove their ability to keep AWS environments running smoothly in production. By earning this credential, you demonstrate the hands-on skills needed to ensure operational excellence and reliability in today’s fast-moving cloud environments.
Free AWS Certified CloudOps Engineer Associate SOA-C03 Practice Test
- 20 Questions
- Unlimited
- Monitoring, Logging, Analysis, Remediation, and Performance OptimizationReliability and Business ContinuityDeployment, Provisioning, and AutomationSecurity and ComplianceNetworking and Content Delivery
A company has identical web applications running in two AWS Regions: us-east-1 (primary) and us-west-2 (standby). All internet traffic must resolve to the primary endpoint, but if a health check on the primary fails, traffic must immediately shift completely to the standby endpoint without requiring users to change the DNS name. Which Amazon Route 53 routing policy should be used for the two A records?
Geoproximity routing policy configured by Region bias
Latency-based routing policy across the two Regions
Weighted routing policy with a weight of 100 for the primary and 0 for the standby
Failover routing policy with PRIMARY and SECONDARY records
Answer Description
Failover routing is designed specifically for active-passive architectures. You designate one record as PRIMARY and one as SECONDARY and associate a health check with the primary record. While the primary health check is healthy, Route 53 returns only the primary record. If the health check fails, Route 53 automatically returns the secondary record until the primary becomes healthy again. Latency-based, weighted, and geolocation policies can each attach health checks, but they continue to serve traffic according to latency metrics, weight values, or user location, meaning some requests could still go to an unhealthy endpoint. Only the failover policy guarantees an all-or-nothing switch to the standby endpoint.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Amazon Route 53 failover routing policy?
How does an Amazon Route 53 health check work?
Why wouldn't latency-based routing work in this scenario?
An ecommerce company runs a MySQL 8.0 DB instance in one AZ. During flash sales, Amazon CloudWatch shows the DatabaseConnections metric spikes close to the instance limit and FreeableMemory falls sharply. Hundreds of short-lived Lambda invocations open new database sessions. The team wants to relieve memory pressure without changing application logic and would like to use IAM database authentication. Which solution meets these requirements with the least effort?
Create an Amazon RDS Proxy for the DB instance, enable IAM authentication, and update the Lambda functions to connect to the proxy endpoint.
Launch a larger DB instance class and increase the max_connections parameter in a custom parameter group.
Deploy an Amazon ElastiCache for Memcached cluster and cache connection objects for reuse across function invocations.
Add a read replica and configure the Lambda functions to spread writes and reads using Amazon Route 53 weighted records.
Answer Description
Amazon RDS Proxy sits between an application and its database and maintains a pool of established connections that can be reused by short-lived clients such as Lambda functions. This dramatically reduces the total number of concurrent database sessions, which in turn lowers memory consumption on the DB instance. RDS Proxy natively supports IAM database authentication, so no credential management changes are required. Upgrading the DB instance class or increasing the max_connections parameter is costlier and only masks the symptom. Adding a read replica does not reduce the write-side connection load, and routing writes to multiple endpoints risks data inconsistency. Caching connection objects in ElastiCache does not help because each Lambda invocation would still create a new TCP session to MySQL. Therefore, creating and using an Amazon RDS Proxy is the most effective and least disruptive solution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Amazon RDS Proxy?
How does IAM database authentication with RDS Proxy work?
Why doesn't increasing the max_connections parameter solve memory pressure issues?
A company deploys an Auto Scaling group of Amazon EC2 instances in two Availability Zones. Each instance runs a Node.js application listening on port 8080. A SysOps administrator creates an Application Load Balancer with an HTTP listener that forwards to a target group by using all default settings. Within minutes CloudWatch shows TargetHealthyCount=0 and users receive HTTP 503 errors. Which configuration issue is the MOST likely cause?
Cross-zone load balancing is disabled, preventing the load balancer from probing targets in the second Availability Zone.
The target group is configured to use port 80, so the load balancer sends health checks to a port on which the application is not listening.
The deregistration delay is longer than the health check interval, causing every instance to be removed before it can pass the health check.
The listener should use the TCP protocol instead of HTTP, otherwise the health check probe is blocked.
Answer Description
When a target group is created with the default settings, its port is 80 and the health check uses the traffic port. Because the application listens on port 8080, the load balancer's health check requests sent to port 80 receive no response. The load balancer therefore marks every instance as unhealthy and returns HTTP 503 to clients. Changing the target group (and optionally the listener rules) to forward traffic and perform health checks on port 8080 will resolve the issue. The other options do not by themselves prevent a target from passing the health check: the HTTP protocol works across Availability Zones, cross-zone load balancing does not affect health probing, and the default deregistration delay occurs only after a target fails, not before it can become healthy.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an Application Load Balancer in AWS?
What is a target group in AWS and how is it used?
How do health checks work in AWS target groups?
An application runs in three isolated (private, no internet) subnets of a VPC. The instances reach Amazon S3 through a NAT gateway in a public subnet, generating high data-processing charges. You must ensure the instances continue to reach S3 but no longer traverse the NAT gateway, without exposing them to the internet. Which change to the route tables meets these requirements?
Replace the NAT gateway with an egress-only internet gateway and add a ::/0 IPv6 default route in the existing route tables.
Create an interface VPC endpoint for Amazon S3 and update the instances hosts files to resolve the endpoint's DNS name.
Associate the isolated subnets with the public route table that already has a 0.0.0.0/0 route to the internet gateway.
Add a route with the S3 prefix list destination that targets a newly created S3 gateway endpoint in the route table associated with the isolated subnets.
Answer Description
Creating a gateway VPC endpoint for Amazon S3 and adding its route to the isolated subnets' route table directs all S3 traffic to the endpoint. The route entry uses the AWS-provided S3 prefix list as the destination and the endpoint ID as the target. Because this route is more specific than the 0.0.0.0/0 NAT route, only S3 traffic is redirected, eliminating NAT data-processing charges while maintaining private connectivity. Pointing the subnets to an internet gateway would expose them publicly. Using an interface endpoint is unnecessary for S3 object access and incurs additional hourly and data charges. An egress-only internet gateway handles only IPv6 traffic and still sends traffic over the public internet, failing to meet the requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a gateway VPC endpoint in AWS?
How does an S3 prefix list help in route table configuration?
What is the difference between a gateway endpoint and an interface VPC endpoint?
An operations team collects JVM heap usage as a custom CloudWatch metric from two Amazon EC2 instances that run a critical application. They must automatically restart the application service on the affected instance whenever average heap usage exceeds 80 % for 5 consecutive minutes. The solution must require the least operational overhead and allow administrators to view execution output in AWS. Which approach meets these requirements?
Create a CloudWatch alarm on the custom metric. Add an EventBridge rule that matches the alarm when it enters the ALARM state and targets a Systems Manager Automation runbook that restarts the service on the indicated EC2 instance.
Configure the alarm to initiate the EC2 recover action when the threshold is breached and review activity through CloudTrail logs.
Publish the alarm to an SNS topic that invokes a Lambda function. The function connects to the instance over SSH to restart the service and writes logs to CloudWatch Logs.
Attach a step scaling policy to the Auto Scaling group to launch an additional instance when the metric exceeds the threshold, relying on load balancer health checks to remove the busy instance.
Answer Description
A CloudWatch metric alarm can be configured to publish a state-change event automatically to Amazon EventBridge. An EventBridge rule that matches the alarm's ARN when the state transitions to ALARM can invoke an AWS Systems Manager Automation runbook. The runbook uses the Systems Manager agent already running on the instance to restart the application service and reports detailed execution output in the Automation console. This approach is completely managed, needs no custom code or manual SSH access, and keeps all operational data within AWS.
Using an SNS topic with a Lambda function introduces extra components to build and maintain. Auto Scaling policies or EC2 recovery actions do not restart the application process itself and therefore do not address the requirement. CloudTrail cannot trigger Automation directly; it only logs API calls.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the purpose of an Amazon CloudWatch alarm?
What is an AWS Systems Manager Automation runbook?
How does Amazon EventBridge integrate with CloudWatch alarms?
A security engineer receives an audit request to identify which IAM principal terminated an Amazon EC2 instance 6 months ago. The company has an organization trail that stores all management events in an S3 bucket in a security account. No additional analytics services have been configured so far. What is the MOST straightforward, cost-effective way to find the required information?
Run an Amazon Athena SQL query against the CloudTrail log files stored in the S3 bucket.
Enable CloudTrail Lake and run a query for TerminateInstances after the lake channel is created.
Create a CloudWatch Logs group, configure the trail to stream logs to it, and use CloudWatch Logs Insights to search for the event.
Open CloudTrail Event History in each AWS Region and filter for the TerminateInstances API call.
Answer Description
The organization trail has already delivered the required management event to the S3 bucket. Amazon Athena can query those log files directly, with only a one-time table creation step and no additional data movement or recurring charges other than the small per-query cost. CloudTrail Event History retains events for only 90 days, so the 6-month-old record is no longer available there. CloudTrail Lake would not contain historical events that occurred before the lake was created and would introduce additional storage costs. Streaming the trail to CloudWatch Logs before performing a Logs Insights search would require new infrastructure and would still not include past events. Therefore, querying the existing logs in S3 with Athena is the simplest and least expensive option.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Amazon Athena and how does it work?
How does CloudTrail logging work across multiple AWS accounts?
Why is CloudTrail Event History insufficient for older logs?
An operations team must choose shared storage for an on-demand genomics workflow running on Amazon EKS. Input data is in Amazon S3. The job needs sub-millisecond latency and hundreds of GB/s throughput, then pushes results back to S3 and discards the file system. Which solution best meets these needs with minimal administration?
Deploy Amazon FSx for Windows File Server in Multi-AZ mode and provide SMB shares to the containers.
Use Amazon Elastic File System in Provisioned Throughput mode and mount it in the pods.
Provision Amazon FSx for NetApp ONTAP with FlexCache volumes accessed through NFS.
Create an Amazon FSx for Lustre scratch file system linked to the S3 bucket and mount it on the EKS worker nodes.
Answer Description
Amazon FSx for Lustre is designed for compute-intensive, throughput-heavy workloads such as genomics or financial modeling. It provides sub-millisecond latencies, up to hundreds of gigabytes per second of aggregate throughput, and the ability to link to an S3 data repository so data can be imported at start-up and exported on completion. Creating the file system in scratch deployment mode lets the team delete it after each run with no persistent cost or additional management.
FSx for Windows File Server targets Windows SMB workloads and does not integrate directly with S3 or scale to the required throughput. FSx for NetApp ONTAP offers multiprotocol access and caching, but its per-file-system throughput is lower and the added data-management features are unnecessary overhead. Amazon EFS delivers regional durability and elasticity, but even in Provisioned Throughput mode cannot reach hundreds of GB/s and lacks native S3 integration required for efficient import and export.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is Amazon FSx for Lustre suitable for genomics workloads?
What is the difference between FSx for Lustre and Amazon EFS?
How does FSx for Lustre integrate with Amazon S3?
An operations team manages a DynamoDB table in provisioned mode with application auto scaling. During a viral marketing event, request traffic surges roughly 30 times within a few minutes. The table begins to throttle even though auto scaling is configured with generous maximum capacity. The team wants to stop throttling during sudden spikes without permanently over-provisioning. Which solution satisfies these requirements with the least operational effort?
Enable Amazon DynamoDB Accelerator (DAX) in front of the table.
Increase the maximum read and write capacity units in auto scaling to ten times the expected peak.
Switch the table to DynamoDB on-demand capacity mode.
Create a global secondary index with identical partition and sort keys to distribute load.
Answer Description
DynamoDB on-demand capacity mode adapts instantly to traffic changes and can accommodate thousands of requests per second without prior capacity planning. Because it automatically tracks and serves traffic based on the previous high-water mark, it prevents throttling during sudden spikes while scaling back during normal periods, eliminating manual intervention. Raising the maximum auto-scaling limits still incurs the several-minute ramp-up delay inherent to auto scaling, so short-lived spikes may continue to throttle. Adding a global secondary index with the same keys doubles write capacity consumption and does not address the underlying provisioning issue. Enabling DAX improves read latency and off-loads eventually consistent reads, but it does not help with write throttling, so traffic surges would still be limited by write throughput. Therefore, switching the table to on-demand capacity mode is the most effective and operationally simple choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is DynamoDB on-demand capacity mode?
What is the difference between DynamoDB on-demand and provisioned capacity modes?
How does DynamoDB handle throttling, and why does on-demand mode help prevent it?
An operations team receives about 50 000 new objects per minute in an Amazon S3 bucket. A Lambda function must inspect each object's metadata and write an entry to DynamoDB. Some objects occasionally cause processing errors, but the team must ensure that every object is eventually processed without loss, even during traffic surges. Which architecture satisfies these requirements while minimizing operational overhead?
Configure an S3 ObjectCreated notification that directly invokes the Lambda function and increase the function's reserved concurrency.
Enable an S3 ObjectCreated notification to an SNS topic and subscribe the Lambda function to the topic.
Send S3 ObjectCreated events to Amazon EventBridge and set the Lambda function as a rule target with a dead-letter queue.
Send S3 ObjectCreated events to an Amazon SQS queue that has a dead-letter queue, and configure the Lambda function to poll the queue with a batch size of 10.
Answer Description
Sending S3 ObjectCreated events to an Amazon SQS queue provides durable, at-least-once delivery and effectively buffers sudden traffic spikes. Lambda polls the queue in batches and scales automatically with the backlog. If an invocation fails, the message becomes visible again after the visibility timeout, allowing multiple retry attempts. When the message's receive count exceeds the configured maxReceiveCount, SQS moves it to the dead-letter queue for later analysis, preventing data loss.
Directly invoking Lambda from S3 lacks this buffering and stops after three retries, risking dropped events under high load or persistent errors. Using SNS relies on its built-in retry policy (up to 23 days) but still offers no buffer against concurrency limits and requires additional configuration for a DLQ. EventBridge adds filtering and optional archiving, yet by default drops undelivered events after 24 hours unless a DLQ is configured. SQS therefore remains the simplest and most reliable approach with minimal operational overhead.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an Amazon SQS queue and how does it ensure durability during high traffic?
How does a dead-letter queue (DLQ) work in Amazon SQS?
Why is Lambda polling from SQS more reliable than direct invocation from Amazon S3?
A company runs a production MySQL 8.0 database on Amazon RDS. Performance Insights is already enabled with the default 7-day retention. Operations wants to receive an automated notification whenever the database load (average active sessions) stays above 8 for at least 5 consecutive minutes. The solution must use only managed AWS features and require the least administration. Which action will meet these requirements?
Create a CloudWatch alarm on the Performance Insights metric DBLoad with a 1-minute period, threshold of 8, and 5 evaluation periods, and configure the alarm to publish to an Amazon SNS topic.
Set up an RDS event subscription for a high-load Performance Insights event and have Amazon RDS send the event to an SNS topic.
Schedule an EventBridge rule that triggers an AWS Lambda function every minute to query the Performance Insights API, and have the function publish to SNS if DBLoad is greater than 8.
Enable Enhanced Monitoring and configure a CloudWatch alarm that notifies SNS when CPUUtilization exceeds 80 percent for 5 minutes.
Answer Description
Performance Insights automatically publishes the DBLoad metric to Amazon CloudWatch for each DB instance. Creating a standard CloudWatch alarm on that metric with a 1-minute period and a threshold of 8 that must be breached for 5 consecutive datapoints generates an alarm state after five minutes of sustained load. Associating the alarm with an Amazon SNS topic delivers the required notification, and no custom code or non-AWS service is needed.
RDS event subscriptions do not emit a high-load event, so that option cannot alert on DBLoad. An alarm on CPUUtilization might miss database-specific waits and does not directly monitor average active sessions. Polling the Performance Insights API from a Lambda function would work but introduces custom code and ongoing operational overhead, violating the "least administration" constraint.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the DBLoad metric in Amazon RDS Performance Insights?
How does a CloudWatch alarm monitor metrics like DBLoad effectively?
What role does the Amazon SNS topic play in conjunction with a CloudWatch alarm?
An organization has three AWS accounts (Dev, Test, Prod), each containing a VPC with non-overlapping CIDR ranges. The teams need full bidirectional private connectivity between all VPCs and expect to add more VPCs and an on-premises data center next quarter. They want to minimize the number of connections and simplify route management while avoiding exposure to the internet. Which solution best meets these requirements?
Expose required services through AWS PrivateLink by creating an endpoint service in each VPC and configuring interface endpoints in the other VPCs.
Establish full-mesh VPC peering connections among the existing VPCs and create additional peering links as new VPCs are created.
Create an AWS Transit Gateway in one account, share it with the other accounts using AWS RAM, and attach each VPC; later attach the on-premises network with Direct Connect.
Deploy virtual private gateways in every VPC and build site-to-site VPN tunnels between each pair of VPCs and to the on-premises network.
Answer Description
A single AWS Transit Gateway provides a hub-and-spoke topology that enables transitive routing between any number of attached VPCs. It can be shared across accounts with AWS Resource Access Manager, so each VPC needs only one attachment, greatly reducing the total connections and route entries compared with a VPC-peering mesh or many VPN tunnels. The gateway can later attach to a Direct Connect gateway for on-premises connectivity without redesign. PrivateLink exposes only specific services and does not allow full VPC-to-VPC traffic. Therefore, attaching all VPCs to an AWS Transit Gateway is the most scalable and operationally simple choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Transit Gateway and why is it used?
What is AWS Resource Access Manager (RAM) and how does it work with Transit Gateway?
How does Direct Connect integrate with AWS Transit Gateway for on-premises connectivity?
A company uses a single AWS CloudFormation template to deploy a three-tier application that includes Auto Scaling groups and a production Amazon RDS instance. During routine maintenance, an operations engineer must update the stack to patch the application servers. Company policy states that the update must never replace or delete the existing RDS instance. If the template change would cause a replacement, the operation must immediately fail before any resources are modified so the engineer can investigate. Which approach meets these requirements with the least operational effort?
Add the DeletionPolicy and UpdateReplacePolicy attributes with a value of Retain to the RDS resource before updating the stack.
Manually create an RDS snapshot and proceed with the stack update; restore from the snapshot if the database is replaced.
Attach a stack policy that denies all Update:* actions on the RDS resource and then update the stack.
Generate a change set, review it for replacement actions on the RDS resource, and execute the change set only if none are found.
Answer Description
Applying a stack policy that denies all Update actions on the RDS resource blocks CloudFormation from creating a replacement DB instance. When an update would trigger a Replace action on that resource, CloudFormation detects the policy violation, cancels the operation, and rolls the stack back before it touches other resources. This satisfies the requirement automatically and does not require manual review.
Previewing a change set still relies on a human to cancel execution, so a replacement could proceed by mistake. Setting DeletionPolicy or UpdateReplacePolicy to Retain only preserves the old DB instance after a replacement; it does not stop the replacement from occurring. Creating manual snapshots adds operational overhead and likewise does not prevent replacement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a stack policy in AWS CloudFormation?
How does AWS CloudFormation handle a policy violation during a stack update?
What is the difference between DeletionPolicy and UpdateReplacePolicy in AWS CloudFormation?
A development team runs an application on Amazon EC2 instances in Account A. The application must upload daily log files to a private Amazon S3 bucket that is owned by Account B. Security mandates removal of all long-term credentials on the instances and wants access restricted only to writing objects to that specific bucket. Which solution meets these requirements while following AWS IAM best practices?
Create an IAM user in Account B with programmatic access, store the user's access keys in AWS Systems Manager Parameter Store, and have the EC2 instances read the keys at runtime.
In Account B, create an IAM role that allows s3:PutObject only on the log bucket and trusts Account A. Allow the EC2 instance profile in Account A to assume this role with STS, and have the application use the temporary credentials to upload logs.
Attach the AmazonS3FullAccess managed policy to the existing EC2 instance profile in Account A and add a bucket policy in Account B that grants the role permission to write objects.
Enable S3 cross-region replication from a new bucket in Account A to the target bucket in Account B so logs are copied automatically without additional IAM configuration.
Answer Description
The recommended pattern for cross-account access is to create a role in the resource-owning account and allow the calling account to assume it. A role in Account B can be given a least-privilege policy that permits only s3:PutObject on the target bucket. Its trust policy lists Account A, so the EC2 instance profile in Account A can assume the role through AWS STS. No long-term keys are stored, and the permissions are scoped to a single operation on one bucket. Creating users with access keys retains long-term credentials. Granting AmazonS3FullAccess to the instance profile violates least-privilege. S3 replication or anonymous writes do not satisfy the requirement or security controls.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS STS, and how does it facilitate cross-account access?
What is the principle of least privilege in the context of IAM roles?
What is the difference between IAM role trust policies and permission policies?
A financial startup stores critical transactional data in a single-Region DynamoDB table using provisioned capacity. Compliance now requires the team to restore the table to any minute in the last 24 hours with an RTO under 15 minutes while minimizing cost and effort. They currently run one nightly on-demand backup through AWS Backup. Which change meets the new requirements most cost-effectively?
Enable DynamoDB Point-in-Time Recovery (PITR) on the table and discontinue the nightly on-demand backups.
Convert the table to a global table spanning two Regions and use the replica table for point-in-time restores.
Keep the existing backup plan but schedule on-demand backups every hour instead of once per day.
Enable DynamoDB Streams, deliver updates to Amazon S3 through AWS DMS, and restore the table by replaying the change logs when needed.
Answer Description
Enabling DynamoDB Point-in-Time Recovery (PITR) provides continuous backups that let administrators restore the table to any second in the preceding 35 days. Restores create a new table in minutes, easily meeting a 15-minute RTO without manual backup scheduling or additional infrastructure. Hourly on-demand backups would still leave gaps of up to 59 minutes and would increase storage and API costs. Streaming table updates to S3 and replaying them would require building and operating custom pipelines and would not guarantee the target RTO. Creating a global table offers high availability but does not give the ability to roll back to an arbitrary point in the past; it also incurs additional write-replication costs. Therefore, enabling PITR is the most economical and operationally simple solution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is DynamoDB Point-in-Time Recovery (PITR)?
Why is PITR more cost-effective than on-demand backups?
How does PITR meet the 15-minute RTO requirement?
An application is deployed in two AWS Regions. Each Region has an identical stack of Amazon EC2 instances behind an Application Load Balancer (ALB). The public zone in Amazon Route 53 contains two A (alias) failover records that point to the Regional ALB DNS names. No health checks are associated with either record. During a complete outage in the primary Region (us-east-1), users still receive time-out errors instead of being routed to the secondary Region (us-west-2). Which configuration change will enable Route 53 to automatically direct traffic to the secondary Region when the primary ALB becomes unavailable?
Lower the TTL of both failover records to 0 seconds to force clients to re-query DNS more frequently.
Enable cross-zone load balancing on both ALBs to allow Route 53 to fail over when one AZ goes down.
Edit the primary alias record and set Evaluate target health to Yes so Route 53 can monitor the ALB's status.
Attach a CloudWatch alarm on the ALB's UnHealthyHostCount metric and associate that alarm with the primary record.
Answer Description
For failover routing, Route 53 must be able to determine when the primary endpoint is unhealthy. When an alias record targets an ALB, Route 53 can automatically evaluate the load balancer's own health by enabling the Evaluate target health setting. If this flag is set to Yes on the primary failover record, Route 53 monitors the ALB's overall state; when the ALB becomes unhealthy (for example, all targets are unhealthy or the load balancer is unreachable), Route 53 stops returning that record and instead serves the secondary record. Creating an external health check, changing target group ports, or adjusting TTLs does not give Route 53 the information it needs to detect a Regional outage, and cross-zone load balancing affects traffic distribution inside a Region, not DNS failover across Regions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the 'Evaluate target health' setting in Route 53?
How does Route 53 evaluate the health of an ALB?
Why doesn't lowering the TTL of DNS records enable failover in Route 53?
An on-premises data center connects to a VPC by a Site-to-Site VPN with two IPSec tunnels. After a firewall firmware upgrade, users can reach the VPC only when Tunnel 2 is active; CloudWatch metrics show TunnelState=Down for Tunnel 1. The VPN logs display repeated Phase 1 failures with the error message "NO_PROPOSAL_CHOSEN." Which firewall change will MOST likely restore stable connectivity through Tunnel 1?
Enable NAT Traversal (UDP 4500) for both tunnels on the firewall.
Set the firewall's IKE Phase 1 policy to use AES-256 encryption, SHA-256 integrity, and Diffie-Hellman group 14.
Change Tunnel 1's inside tunnel CIDR to 169.254.100.0/30 so it differs from Tunnel 2.
Lower the Dead Peer Detection (DPD) interval on the firewall from 30 seconds to 10 seconds.
Answer Description
The error NO_PROPOSAL_CHOSEN indicates that the IKE Phase 1 proposals offered by one peer do not match any proposal accepted by the other. AWS's default Phase 1 parameters for new VPN connections are AES-256 encryption, SHA-256 hashing, and Diffie-Hellman group 14 (2048-bit). After the firmware upgrade, the on-premises firewall is probably proposing a different cipher or DH group, preventing Tunnel 1 from establishing. Aligning its Phase 1 policy with AES-256, SHA-256, and DH 14 allows the proposal exchange to succeed, bringing the tunnel up. Adjusting DPD timers, inside tunnel IP ranges, or enabling NAT-T do not address a proposal mismatch and would leave the tunnel down.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is IKE Phase 1 in a Site-to-Site VPN?
What is the significance of Diffie-Hellman group 14 in VPN setup?
What does the 'NO_PROPOSAL_CHOSEN' error mean in VPN logs?
An Auto Scaling group launches Amazon Linux 2 instances that run a Java application. Operations needs to collect memory utilization and the application's /var/log/app.log file, and they want to be able to change the collection settings without baking a new AMI or manually connecting to instances. What is the MOST maintainable way to deploy and manage the CloudWatch agent across all current and future instances?
Add the agent's configuration file to user data and run amazon-cloudwatch-agent-ctl in the Auto Scaling group launch template.
Bake the agent and its configuration into a custom AMI that the Auto Scaling group uses for all launches.
Store the agent's JSON configuration as a Systems Manager Parameter and use a State Manager association with the AmazonCloudWatch-ManageAgent document to install and start the agent on all instances.
Rely on default EC2 metrics and create a CloudWatch Logs subscription filter that streams /var/log/app.log to CloudWatch Logs.
Answer Description
Storing the CloudWatch agent JSON configuration as a Systems Manager Parameter allows a single, centrally managed source of truth. A State Manager association that targets the Auto Scaling group's instance profile can install or update the agent by invoking the AWS-provided AmazonCloudWatch-ManageAgent document and passing the Parameter name. When the association runs at launch or on a schedule, every new or existing instance retrieves the latest configuration, starts the agent, and publishes memory metrics and log files without any manual intervention. Embedding the file in user data or an AMI would require redeployment for every change, and the default EC2 metrics or the older CloudWatch Logs agent cannot publish memory utilization.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the AWS Systems Manager Parameter Store?
What is a State Manager association in AWS Systems Manager?
How does the AmazonCloudWatch-ManageAgent document function?
An Auto Scaling group runs in private subnet 10.0.20.0/24 behind an Application Load Balancer in 10.0.10.0/24. The subnet's network ACL has only the following rules: inbound allow TCP 80 from 10.0.10.0/24 and TCP 22 from 203.0.113.0/24; outbound allow TCP 0-1023 to 0.0.0.0/0. Users see ALB timeouts. What NACL update fixes connectivity with least privilege?
Add an inbound rule that allows TCP 1024-65535 from 0.0.0.0/0.
Replace the outbound rule with one that allows all traffic to 0.0.0.0/0.
Change the inbound rule to allow TCP 443 from 10.0.10.0/24 instead of TCP 80.
Add an outbound rule that allows TCP 1024-65535 to 10.0.10.0/24.
Answer Description
Network ACLs are stateless, so return traffic must be explicitly allowed in the opposite direction. When the ALB initiates a connection, it uses an ephemeral source port (1024-65535) and destination port 80 on the instance. The return packets from the instance therefore target the ALB on that same ephemeral port range. The existing outbound rule allows only ports 0-1023, so the responses are dropped. Allowing outbound TCP 1024-65535 to the ALB subnet permits the return traffic while exposing no additional destinations or ports. Adding a broad inbound rule, opening all outbound traffic, or switching to port 443 does not address the missing return-path rule or violates least-privilege principles.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why do Network ACLs need explicit return traffic rules?
What is the ephemeral port range and why is it important?
What is the principle of least privilege and how does it apply here?
A company runs a production Amazon RDS for PostgreSQL instance that handles both read and write traffic. At month end, CPU utilization exceeds 90% for several hours, degrading performance. The operations team wants a solution that automatically scales compute capacity up and down within minutes, maintains a single writer endpoint, and charges only for actual usage. Which approach meets these requirements with the least operational overhead?
Create AWS Lambda functions triggered by CloudWatch alarms to modify the DB instance class and revert it after the spike.
Add multiple Amazon RDS read replicas and distribute traffic through an Application Load Balancer to absorb the extra load.
Enable Amazon RDS Storage Auto Scaling on the existing instance to increase compute capacity when CPU exceeds a threshold.
Migrate the database to an Amazon Aurora Serverless v2 PostgreSQL-compatible cluster and use its built-in automatic scaling.
Answer Description
Migrating the database to an Amazon Aurora Serverless v2 PostgreSQL-compatible cluster satisfies every requirement. Aurora Serverless v2 automatically and rapidly adjusts the number of Aurora capacity units in fine-grained increments based on workload, so it can react within seconds to the month-end spike and then scale back when demand subsides. The cluster presents a single writer endpoint, so application connectivity does not change, and billing is based on the capacity actually consumed. Storage Auto Scaling only adds storage, not compute. Manually changing the DB instance class (even through automation) incurs downtime and maintenance effort. Adding read replicas or placing them behind a load balancer can relieve read pressure but does not increase write throughput or CPU capacity on the primary instance, and it introduces replication lag and additional management.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Amazon Aurora Serverless v2?
How does Aurora Serverless v2 maintain a single writer endpoint?
Why doesn't enabling Amazon RDS Storage Auto Scaling meet the requirements?
An organization with AWS Organizations wants every existing and future member account in two Regions to run a standard set of IAM roles and AWS Lambda functions. The CloudOps engineer must implement this once and have the stacks automatically appear in any new accounts that join the same organizational unit (OU). Which approach meets these requirements with the least ongoing operational effort?
Create a self-managed CloudFormation StackSet in a delegated administrator account and manually add every member account ID to the target list when the account is created.
Build an AWS CDK pipeline that deploys the stack to each account and Region, triggered by an EventBridge rule that detects new AWS Organizations accounts.
Instruct each member account to run an AWS Systems Manager Automation runbook that invokes cloudformation deploy for the required templates in both Regions.
Create a service-managed CloudFormation StackSet in the management account, specify the two target Regions and the OU, and enable auto-deployment so that new accounts receive the stack automatically.
Answer Description
Using a service-managed CloudFormation StackSet that targets the desired OU meets all stated requirements. When trusted access is enabled, CloudFormation automatically assumes the required execution roles in each member account. By enabling the StackSet's auto-deployment feature, CloudFormation automatically creates stack instances in any account that is subsequently moved into or created within the target OU and deletes them if the account leaves the OU. Self-managed StackSets, manual scripts, or CDK pipelines would require manual additions or separate automation each time an account is created, resulting in higher operational overhead.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a CloudFormation StackSet?
What is the difference between service-managed and self-managed StackSets?
How does auto-deployment in service-managed StackSets work?
That's It!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.