SOA-C03 AWS Certified CloudOps Engineer - Associate Questions and Answers

Amazon S3 Object Lock in compliance mode provides immutable storage that prevents objects from being deleted or overwritten for a defined retention period. In compliance mode, even the root user cannot remove the retention or delete the object before the retention period expires. This makes it suitable for regulatory and strict data-protection requirements.

Because Object Lock must be enabled at bucket creation time, a new bucket is required. Setting a retention period of 3 months ensures that backups cannot be deleted before that time under any circumstances.

Option D (governance mode) allows privileged users to bypass retention, which violates the strict “must not be deleted” requirement. Option A relies on IAM policy changes, which are reversible and error-prone. Option C does not prevent deletion; versioning only retains previous versions if objects are deleted, but users can still delete versions unless additional controls are applied.

Therefore, S3 Object Lock in compliance mode is the correct and most secure solution.

An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and supports advanced routing features, including HTTP-to-HTTPS redirection. To meet the requirement of protecting traffic with ACM certificates and automatically redirecting HTTP requests, the ALB must be configured with two listeners.

The correct design is to create an HTTP listener on port 80 and an HTTPS listener on port 443. The SSL/TLS certificate from AWS Certificate Manager is attached to the HTTPS listener. A listener rule on port 80 redirects incoming HTTP requests to HTTPS on port 443, ensuring all client connections are encrypted.

Option A is invalid because HTTPS cannot operate on port 80. Option C uses TCP listeners, which do not support HTTP-level redirects. Option D uses a Network Load Balancer, which operates at Layer 4 and does not support HTTP redirects.

Therefore, Option B is the only solution that satisfies all requirements using AWS-native features with minimal complexity.

AWS Systems Manager Run Command includes a built-in rate control feature that allows administrators to control the maximum number of concurrent executions across target instances. This directly addresses the requirement to limit downloads to 30 at a time without custom orchestration or additional services.

By targeting instances using tags, the solution automatically scales as new instances are added, which aligns with future growth expectations. Rate control ensures controlled concurrency and protects the private repository from overload.

Option A is manual and does not scale operationally. Option B introduces unnecessary complexity with Lambda and concurrency management that does not map cleanly to instance execution concurrency. Option D significantly increases architectural complexity without added value.

Run Command with rate control is the simplest, most native, and most scalable solution.

According to the AWS Cloud Operations and EC2 Connectivity documentation, EC2 Instance Connect Endpoint allows access to instances without internet exposure or open SSH ports. However, for successful connectivity, the EC2 instance must have Systems Manager permissions through an IAM instance profile.

If no IAM instance profile is attached, the instance cannot establish a control channel with the Systems Manager service, and EC2 Instance Connect cannot authenticate the session.

Opening port 22 (Option B) is unnecessary and contradicts the private subnet design. HTTPS rules (Option A) are irrelevant because EC2 Instance Connect communicates through AWS APIs, not direct HTTPS connections. Recreating the instance with a key pair (Option D) bypasses the intended keyless connection mechanism.

Therefore, Option C — attaching an IAM instance profile with Systems Manager permissions — enables secure, private access through EC2 Instance Connect Endpoint.

In this scenario, the EC2 instances pass their EC2 status checks, indicating that the operating system is responsive. However, the application hosted on the instance is failing intermittently, returning HTTP 500 errors. This demonstrates a discrepancy between the instance-level health and the application-level health.

According to AWS CloudOps best practices under Monitoring, Logging, Analysis, Remediation and Performance Optimization (SOA-C03 Domain 1), Auto Scaling groups should incorporate Elastic Load Balancing (ELB) health checks instead of relying solely on EC2 status checks. The ELB health check probes the application endpoint (for example, HTTP or HTTPS target group health checks), ensuring that the application itself is functioning correctly.

When an instance fails an ELB health check, Amazon EC2 Auto Scaling will automatically mark the instance as unhealthy and replace it with a new one, ensuring continuous availability and performance optimization.

Extract from AWS CloudOps (SOA-C03) Study Guide – Domain 1:

“Implement monitoring and health checks using ALB and EC2 Auto Scaling integration. Application Load Balancer health checks allow Auto Scaling to terminate and replace instances that fail application-level health checks, ensuring consistent application performance.”

Extract from AWS Auto Scaling Documentation:

“When you enable the ELB health check type for your Auto Scaling group, Amazon EC2 Auto Scaling considers both EC2 status checks and Elastic Load Balancing health checks to determine instance health. If an instance fails the ELB health check, it is automatically replaced.”

Therefore, the correct answer is B, as it ensures proper application-level monitoring and remediation using ALB-integrated ELB health checks—a core CloudOps operational practice for proactive incident response and availability assurance.

References (AWS CloudOps Verified Source Extracts):

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide: Domain 1 – Monitoring, Logging, and Remediation.

AWS Auto Scaling User Guide: Health checks for Auto Scaling instances (Elastic Load Balancing integration).

AWS Well-Architected Framework – Operational Excellence and Reliability Pillars.

AWS Elastic Load Balancing Developer Guide – Target group health checks and monitoring.

CloudFormation StackSets are designed specifically to deploy and manage the same CloudFormation stack across multiple AWS accounts and Regions from a centralized administration point. When accounts are managed under AWS Organizations, StackSets can integrate directly with Organizations to target Organizational Units (OUs) or specific accounts, which minimizes operational overhead. This removes the need to manually assume roles and deploy stacks one-by-one, and avoids building custom automation (Lambda + cross-account role assumption + account enumeration + error handling + retries + idempotency).

With StackSets, you define the template once and then create stack instances across many accounts in a controlled and consistent manner. StackSets provide built-in features for: (1) centralized rollout and updates, (2) drift detection, (3) automatic deployment to new accounts (when using Organizations integration), and (4) standardized execution roles. This is operationally simpler and safer than scripting because StackSets handle orchestration and track deployment state per account/Region.

Option A increases manual work and is error-prone at scale. Options B and C require custom Lambda orchestration, cross-account permissions, and ongoing maintenance for failure modes and change management. StackSets provide the native “least ops” approach to multi-account CloudFormation deployments under Organizations.

AWS Systems Manager provides a built-in capability to automatically update the SSM Agent on managed instances. Enabling Auto update SSM Agent ensures that instances receive the latest agent version without manual intervention or custom automation.

This setting is centrally managed and applies across the fleet, making it the most scalable and operationally efficient solution. It eliminates the need for external notifications, custom Lambda functions, or scheduled automation workflows.

Options B and D introduce unnecessary complexity and operational burden. Option C is incorrect because Patch Manager is designed for operating system patching, not for managing SSM Agent updates.

Therefore, enabling automatic SSM Agent updates is the best solution.

To analyze and visualize custom statistics such as the p90 latency (90th percentile), a CloudWatch metric must be generated from the log data. The correct method is to create a metric filter that extracts the latency value from each log event and publishes it as a CloudWatch metric. Once the metric is published, percentile statistics (p90, p95, etc.) can be displayed in CloudWatch dashboards or alarms.

AWS documentation states:

“You can use metric filters to extract numerical fields from log events and publish them as metrics in CloudWatch. CloudWatch supports percentile statistics such as p90 and p95 for these metrics.”

Contributor Insights (Option A) is for analyzing frequent contributors, not numeric distributions. Subscription filters (Option C) are used for log streaming, and Application Insights (Option D) provides monitoring of application health but not custom p90 statistics. Hence, Option B is the CloudOps-aligned, minimal-overhead solution for percentile latency monitoring.

The AWS Cloud Operations and Monitoring documentation states that Amazon CloudWatch Logs Insights provides a purpose-built query engine for analyzing and visualizing log data directly within CloudWatch. For Lambda, all invocation results (including errors) are automatically logged to CloudWatch Logs.

By querying these logs with CloudWatch Logs Insights, the CloudOps engineer can efficiently count the number of “ERROR” or “Exception” occurrences over the past 7 days using simple SQL-like commands. This method is serverless, cost-efficient, and real-time.

Athena (Options A and B) would require exporting data to Amazon S3, and OpenSearch (Option D) adds unnecessary operational complexity.

Thus, Option C provides the most efficient and native AWS CloudOps approach for rapid Lambda error analysis.

Amazon Machine Images (AMIs) are Region-specific. An AMI ID that exists in us-west-2 does not automatically exist in eu-west-1. If a CloudFormation template references a hardcoded AMI ID from one Region, stack creation in another Region will fail when that AMI cannot be found.

Additionally, not all AWS services or service features are available in every AWS Region. If the template includes a resource type or feature that is unsupported in eu-west-1, CloudFormation will fail during stack creation.

IAM users are global resources, not Region-specific, so Option A is incorrect. Permission issues would typically fail immediately and are not Region-dependent. Option E is incorrect because CloudFormation can both create and update resources.

Therefore, Region-specific AMIs and unavailable services are the valid reasons for failure.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is B because cross-account role assumption requires two explicit permissions. AWS CloudOps documentation states that the target role must trust the principal, and the principal must be allowed to call sts:AssumeRole.

In the member account, the role’s trust policy must list the IAM group ARN (or the identity account) as a trusted principal. In the identity account, the IAM group must have an inline or attached policy that allows the sts:AssumeRole action for the target role ARN. This dual configuration enables secure and controlled cross-account access.

Option A is incorrect because trust policies cannot be attached to IAM groups. Option C is incorrect because sts:PassRole is used for passing roles to AWS services, not for assuming roles. Option D is incorrect because roles do not grant permissions via inline policies to principals.

This approach aligns precisely with AWS CloudOps guidance for multi-account IAM design.

The AWS Cloud Operations and Security documentation specifies that for Amazon CloudFront, automatic certificate renewal is only supported for certificates issued by AWS Certificate Manager (ACM). When a certificate is managed by ACM and validated through DNS validation, ACM automatically renews the certificate before expiration without requiring manual intervention.

Option A ensures that the certificate is issued and managed by ACM, enabling full integration with CloudFront. Option E (DNS validation) is essential for automation; AWS performs revalidation automatically as long as the DNS validation record remains in place.

By contrast, email validation (Option D) requires manual user confirmation upon renewal, which prevents automatic renewals. Certificates issued by third-party certificate authorities (Option B) are manually managed and must be reimported into ACM after renewal. CloudFront does not have a direct feature (Option C) to renew certificates; it relies on ACM’s lifecycle management.

Thus, combining ACM-issued certificates (A) with DNS validation (E) ensures continuous, automated renewal with no downtime or human action required.

Per the AWS Cloud Operations, Networking, and Security documentation, the best practice for serving private S3 content securely to end users is to use Amazon CloudFront with Origin Access Control (OAC).

OAC enables CloudFront to access S3 buckets privately, even when Block Public Access settings are enabled at the account level. This allows content to be delivered globally and securely without making the S3 bucket public. The bucket policy explicitly allows access only from the CloudFront distribution, ensuring that users can retrieve PDF files only via CloudFront URLs.

This configuration offers:

Automatic scalability through CloudFront caching,

Improved security via private access control,

Minimal administration effort with fully managed services.

Other options require manual handling or make the bucket public, violating AWS security best practices.

Therefore, Option B—using CloudFront with Origin Access Control and a restrictive bucket policy—provides the most secure, efficient, and low-maintenance CloudOps solution.

According to AWS Cloud Operations and Networking documentation, Route 53 Resolver inbound endpoints allow DNS queries to originate from on-premises DNS servers and resolve private hosted zone records in AWS. The inbound endpoint provides DNS resolver IP addresses within the VPC, which the on-premises DNS servers can forward queries to over AWS Direct Connect or VPN connections.

The inbound endpoint must be associated with a security group that permits inbound traffic on TCP and UDP port 53 from the on-premises DNS server IP addresses. This ensures that DNS requests from the on-premises environment reach the VPC Resolver for resolution of private domains like example.com.

By contrast, outbound endpoints are used for the opposite direction—resolving external (on-premises or internet) DNS names from within AWS VPCs. Therefore, only an inbound endpoint correctly satisfies the direction of resolution in this scenario.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

AWS Lambda automatically publishes operational metrics to Amazon CloudWatch, including Duration, which represents the time a function invocation takes to run. To alert when processing time exceeds 10 seconds, the most direct and operationally efficient solution is to create a CloudWatch alarm on the Lambda Duration metric and configure the alarm action to publish to an SNS topic. This meets the monitoring requirement without requiring log parsing or additional query mechanisms.

Option B fits best because it uses the built-in metric stream for Lambda observability: CloudWatch metrics are near real-time, require minimal configuration, and alarms are a standard CloudOps practice for proactive notification. The alarm can be configured with the appropriate statistic (for example, Maximum or p99 via metric math where applicable) and a threshold of 10,000 milliseconds, ensuring the operations team is notified before performance degrades further.

Option A is incorrect because PostRuntimeExtensionsDuration is not the primary runtime metric for function execution time, and extracting runtime from logs is unnecessary. Option C changes the function timeout to 10 seconds, which would cause failures rather than simply notifying on slow executions. Option D is more operationally complex because it relies on log queries; CloudWatch alarms are more straightforward when a native metric exists.

The reporting workload is read-heavy, and the database shows high Read IOPS even outside the report window, suggesting sustained read pressure from other workloads or inefficient read patterns. The requirement is to improve both performance and availability of the RDS for MySQL instance. An RDS read replica is designed specifically to offload read traffic from the primary database instance and to provide additional capacity for read-heavy use cases such as reporting, analytics queries, and dashboards.

By deploying one or more read replicas, the company can direct the reporting job to a replica (Option B). This reduces contention on the primary instance, lowers read I/O demand on the writer, and can improve overall query latency and throughput. In addition, read replicas can contribute to availability objectives: if the primary instance has issues, replicas can be promoted (manually or as part of certain DR patterns) to become a new standalone database, reducing recovery time for read availability and providing a practical resilience option.

Option A (ElastiCache) can help for highly cacheable and repetitive queries, but it requires application/query redesign and cache invalidation strategy, and it does not inherently improve database availability. Option C is not valid because CloudFront is a CDN for HTTP content and is not an appropriate layer for database queries. Option D (vertical scaling) can improve performance, but it does not offload reads and often involves higher cost; it also does not provide the same availability and read scaling benefits as replicas.

Therefore, adding an RDS read replica and pointing the reporting workload to the reader endpoint best meets the performance and availability requirements.

According to the AWS Cloud Operations and Elastic Load Balancing documentation, Application Load Balancer (ALB) supports multiple routing algorithms to distribute requests among targets:

Round robin (default)

Least outstanding requests (LOR)

Weighted random

When applications require session affinity, AWS recommends using “least outstanding requests” as the load balancing algorithm because it reduces latency, distributes load evenly, and ensures consistent target responsiveness during high traffic.

Using weighted random routing with sticky sessions can cause sessions to be routed inconsistently if one target’s capacity fluctuates, leading to session mismatches and application errors — especially when user sessions rely on instance-specific state.

Disabling cross-zone balancing (Option C) or adjusting deregistration delay (Option D) does not address routing inconsistency. Anomaly mitigation (Option B) protects against target performance degradation, not sticky-session misrouting.

Therefore, the correct solution is Option A — changing the target group’s routing algorithm to least outstanding requests ensures smoother, predictable session handling and resolves random application errors.

IAM user groups allow permissions to be managed centrally and applied to multiple users simultaneously, making them ideal for scalable access management. Attaching policies to groups ensures that changes propagate automatically to all members.

A customer managed policy supports versioning, reuse, and centralized updates, which meets the requirement to modify policies and manage versions over time. AWS managed policies cannot be edited, and inline policies do not support reuse or versioning across multiple principals.

Option A is invalid because service-linked roles are AWS-managed and not designed for user access. Option E lacks versioning and reusability. Option C does not allow customization.

Therefore, using IAM groups with a customer managed policy is the correct and secure solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To ensure video files are cached at CloudFront edge locations after migrating the files to Amazon S3, CloudFront must be able to fetch those video objects directly from S3 as an origin. The most operationally straightforward pattern is to add S3 as a second origin and create a separate cache behavior that routes requests for video paths (for example, /video/* or /*.mp4) to the S3 origin. With this configuration, CloudFront caches the S3-served objects at edge locations according to the cache policy/headers, while the existing ALB origin continues serving dynamic application paths. This isolates static media delivery from the application tier and improves performance by maximizing cache hits at the edge.

Option A is not how CloudFront origin selection works: CloudFront does not “redirect” to S3 based on headers; it selects an origin per behavior. Option C (signed URLs) is an access-control mechanism and does not, by itself, ensure the objects are retrieved from S3 or cached correctly. Option D (origin groups) is for origin failover (primary/secondary) and does not provide path-based routing to ensure videos come from S3.

AWS Global Accelerator provides static IP addresses (one per Availability Zone) and routes traffic over the AWS global network to optimal endpoints. It is designed for applications that require extremely high throughput, low latency, and rapid response to traffic spikes.

Global Accelerator automatically routes traffic to healthy endpoints and shifts traffic in response to failures or performance degradation. It supports sudden and volatile traffic patterns and integrates seamlessly with ALBs, NLBs, and EC2 instances.

ALBs and NLBs do not provide static IP addresses per AZ. SQS is not a traffic distribution service.

Therefore, AWS Global Accelerator is the correct solution.

As described in the AWS Cloud Operations and EC2 Management documentation, changing an instance type (e.g., from T3 to C5) requires that the instance be stopped first. Once stopped, the engineer can modify the instance type through the AWS Management Console, CLI, or API, then start the instance again to apply changes.

This process preserves the root volume, networking configuration, and data, making it an operationally safe and efficient way to upgrade to a different instance family.

Changing the instance type while running (Option D) is unsupported. VM Import/Export (Option A) is for external VM migration. Hibernation (Option B) does not apply to type changes.

Thus, Option C is correct — stopping the instance, changing its type, and restarting it meets AWS best practices.

EC2 does not publish RAM utilization as a native CloudWatch metric by default. Memory metrics such as mem_used_percent are typically collected by the CloudWatch Agent, which runs on the instance and publishes custom metrics to CloudWatch. Because the requirement is RAM utilization at 5-minute intervals, the CloudWatch Agent can be configured to emit metrics at that cadence (or faster).

“Detailed monitoring” for EC2 mainly affects EC2-provided metrics (like CPU) by changing the period from 5 minutes (basic) to 1 minute (detailed). It does not magically provide memory utilization. Therefore, the key requirement is installing/configuring the CloudWatch Agent and ensuring it has permissions to publish metrics (via an IAM role attached to the instance / instance profile).

Option C correctly combines: (1) basic monitoring (fine for the ask), (2) CloudWatch Agent to publish mem_used_percent, (3) IAM role permissions to allow publishing, and (4) Auto Scaling policy that scales based on the memory metric.

Option B incorrectly implies detailed monitoring provides mem_used_percent (it does not). Option D assumes a “standard” memory metric exists without the agent, which is not correct. Option A references mem_active, which is not the typical metric name exposed by CloudWatch Agent’s standard memory measurements for scaling policies, and also omits the IAM role requirement needed for publishing custom metrics.

Thus, C is the AWS-correct path for memory-based scaling using CloudWatch custom metrics.

The AWS Cloud Operations and Governance documentation defines that enabling Organizational View in AWS Health allows the management account in AWS Organizations to view and aggregate health events from all member accounts.

This feature provides a single-pane-of-glass view of service health issues, account-specific events, and planned maintenance across the organization — without requiring additional automation or data pipelines.

Alternative options (B, C, and D) require custom integration and ongoing maintenance. CloudTrail does not natively forward AWS Health events, and custom Lambda or DynamoDB approaches increase complexity.

Therefore, Option A — enabling the Organizational View feature in AWS Health — is the most operationally efficient and AWS-recommended solution.

The CloudWatch agent supports modular configuration using the append-config option, which allows additional log sources to be added without overwriting the existing baseline configuration. This makes it ideal for incremental log collection changes across large fleets.

By creating a separate configuration file specifically for DHCP logs and using Systems Manager Run Command, the CloudOps engineer can remotely update only the relevant instances in a scalable and automated manner. This approach avoids manual login and preserves the existing baseline configuration.

Options B and C require manual intervention on each instance, which is not scalable or operationally efficient. Option D captures additional logs indiscriminately and does not specifically target DHCP logs, potentially increasing noise and cost.

Therefore, Option A is the most efficient and AWS-recommended approach.

AWS Systems Manager Inventory is designed to collect metadata from managed instances, including installed software, applications, and patch information. It works asynchronously and does not require instances to be actively running a command at the time of collection, which is critical when instances may be busy or temporarily unavailable during patch windows.

Inventory data is stored centrally and can be queried to generate reports showing the current patch level or installed patch versions across all managed instances. This makes it well-suited for large fleets that include both On-Demand and Spot Instances and that may scale dynamically.

Option B relies on Run Command, which requires instances to be online and available at execution time. This does not meet the requirement because some instances were already missed during patch operations due to being busy or down. Option C and Option D use AWS Config, which is primarily intended for configuration compliance and drift detection, not detailed patch version reporting. Creating custom or managed rules for patch status introduces unnecessary complexity and overhead compared to Inventory’s built-in capability.

Therefore, Systems Manager Inventory provides the most operationally efficient and reliable solution for collecting and reporting patch version data across all EC2 instances.

The most secure way for an EC2 instance to access AWS services is by using an IAM role attached to the instance. IAM roles eliminate the need for long-term credentials, which reduces the risk of credential leakage and simplifies credential rotation.

Following the principle of least privilege, the IAM policy attached to the role should grant only the permissions required: sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage. Granting broader permissions such as sqs:* violates least privilege and increases security risk.

Options A and B rely on IAM users and static credentials, which are not recommended for applications running on EC2. Option C grants excessive permissions.

Therefore, attaching an EC2 IAM role with only the required SQS permissions is the most secure solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is D because Amazon S3 Express One Zone with directory buckets and zonal endpoints is specifically designed for single–Availability Zone, high-performance workloads such as HPC, machine learning, and analytics applications running on Amazon EC2. AWS CloudOps documentation states that S3 Express One Zone delivers single-digit millisecond latency and up to 10x higher request performance compared to general purpose S3 buckets when data is accessed from the same Availability Zone.

An S3 directory bucket is required to use the S3 Express One Zone storage class. These buckets are explicitly associated with a single Availability Zone and use zonal endpoints, which eliminate cross-AZ network hops and significantly reduce latency. Importing the data from the existing general purpose bucket ensures compatibility while achieving maximum throughput and lowest latency.

Option A is incorrect because S3 Transfer Acceleration is optimized for long-distance, internet-based transfers, not for in-Region HPC workloads. Option B is incorrect because lifecycle policies cannot move objects into S3 Express One Zone, and S3 Express One Zone does not use Regional endpoints. Option C is incorrect because general purpose buckets do not support zonal endpoints and therefore cannot achieve the same performance benefits.

AWS CloudOps performance optimization guidance clearly identifies S3 directory buckets with S3 Express One Zone and zonal endpoints as the optimal architecture for high-throughput, low-latency workloads in a single Availability Zone.

By default, a newly created AWS Lambda function is not attached to a customer VPC. In its default configuration, Lambda runs in an AWS-managed network environment and can reach public internet endpoints, but it does not automatically have network-level connectivity into private subnets within a VPC. Accessing an Amazon RDS instance that is placed in a private subnet requires the Lambda function to be configured for VPC access. This means selecting the target VPC, choosing subnets (typically private subnets with appropriate routing), and associating one or more security groups with the Lambda function’s elastic network interfaces (ENIs). Once configured, Lambda creates ENIs in the selected subnets and uses them to communicate with resources such as RDS inside the VPC.

In this scenario, the RDS database is in a private subnet and is reachable from within the VPC, but the Lambda function cannot connect. The most likely cause is that the function was created with default settings and therefore was not deployed into the VPC that contains the database. IAM permissions are not sufficient for network connectivity; IAM controls authorization to call AWS APIs, while VPC attachment and security groups control the network path.

Option A is incorrect because Lambda does not require an “RDS destination” setting; connectivity is established through VPC networking and the database endpoint. Option C is not supported by the prompt; there is no indication that the database is in a different VPC, and the default issue is usually “not in a VPC at all.” Option D is less likely because Lambda security groups allow all outbound traffic by default unless explicitly restricted; the more common default failure is lack of VPC configuration.

Therefore, the likely reason is that the Lambda function was not configured to run in the same VPC as the RDS instance.

AWS Organizations Tag Policies provide a centralized, scalable governance mechanism to standardize tagging across accounts. Tag policies let an organization define tag keys, allowed values, and tagging expectations, helping teams apply consistent tagging conventions across many accounts without building custom logic. This matches the requirement for consistent tags “across multiple accounts” with minimal operational overhead, because the policy is managed centrally and applied at the organization/OUs level.

For cost tracking, user-defined tags must be activated as cost allocation tags in AWS Billing and Cost Management. Enabling cost allocation tags is the required step to make those tags usable in billing views (for example, Cost Explorer allocation and reporting). Combining Tag Policies (governance/consistency) with cost allocation tag activation (billing attribution) directly meets both parts of the requirement.

Option B (CloudTrail + Lambda auto-tagging) is higher operational overhead: it requires event processing, permissions, continuous maintenance, exception handling, and careful logic to avoid incorrect tag assignments. Option C is partially relevant for compliance detection, but AWS Budgets does not “apply tags” to resources; Budgets is for cost/usage alerts and budget tracking. Option D can enforce tagged provisioning paths, but it’s not comprehensive for all resource creation mechanisms and Trusted Advisor is not a global “tag enforcement” engine.

Therefore, A is the most native and least-ops approach for consistent tags across an organization and enabling cost allocation tracking.

In the AWS Cloud Operations and Aurora documentation, when data loss occurs due to human error such as dropped tables, Point-in-Time Recovery (PITR) is the recommended method for restoration. PITR creates a new Aurora cluster restored to a specific time before the failure.

The restored cluster has a new endpoint that must be reconfigured in the application to resume normal operations. AWS does not support performing PITR directly on an existing production database because that would overwrite current data.

Aurora Backtrack (Option A) applies only to Aurora MySQL, not PostgreSQL. Option B is incorrect because PITR cannot be executed in place. Option D refers to an import process from S3, which is unrelated to time-based recovery.

Hence, Option C is correct and follows the AWS CloudOps standard recovery pattern for PostgreSQL workloads.

CloudWatch Synthetics canaries require connectivity to both CloudWatch and Amazon S3 to function correctly. In a private VPC without internet access, AWS service access must be provided through VPC endpoints.

The canary needs to send metrics, logs, and execution data to CloudWatch, which requires an interface VPC endpoint for CloudWatch. It also needs to store artifacts such as screenshots and HAR files in Amazon S3, which requires a gateway VPC endpoint for S3. Without these endpoints, the canary cannot communicate with required AWS services and will fail to start.

DNS resolution and DNS hostnames must be enabled so the canary can resolve AWS service endpoints to the private IP addresses exposed by the VPC endpoints. This is a mandatory prerequisite for PrivateLink-based service access.

Option B and C incorrectly disable DNS functionality, which breaks service endpoint resolution. Option A includes invalid or irrelevant permissions and does not address private connectivity requirements.

Therefore, enabling DNS support and creating both the CloudWatch interface endpoint and the S3 gateway endpoint is the correct and complete solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

Amazon Aurora supports up to 15 Aurora Replicas that share the same storage volume and provide read scaling and improved availability. Official guidance states that replicas “offload read traffic from the writer” and that you should direct read-only workloads to the reader endpoint, reducing CPU pressure and connection counts on the primary. Aurora also supports Replica Auto Scaling through Application Auto Scaling policies using metrics such as CPU utilization or connections to add or remove replicas automatically. This design addresses both high CPU and maximum connections by moving reporting traffic to read replicas while keeping a single write primary for OLTP. Option B creates a separate cluster with independent storage, increasing operational overhead and data synchronization complexity. Options C and D introduce application-layer caching changes that may not guarantee data freshness or relieve the write node directly. Therefore, adding read replicas and routing reporting to the reader endpoint, with auto scaling based on load, is the least intrusive, CloudOps-aligned way to stabilize performance.

AWS Secrets Manager rotation is an API-driven activity that is recorded as an audit event. When the secret rotation workflow is initiated, AWS API activity is captured by AWS CloudTrail, which provides an authoritative source of “who did what and when” for compliance evidence. By creating an Amazon EventBridge rule that matches the relevant CloudTrail event for the rotation operation, the company can automatically detect rotation activity and trigger downstream actions without building a polling system. EventBridge can route matched events directly to Amazon SNS, which then fan-outs the notification to email, SMS, chat integrations, or incident tooling used by the database team.

Option A fits the requirement because it creates an event-driven compliance notification path specifically tied to the rotation operation. It also allows more precise filtering than log scanning: the rule can match the event name and include conditions that reflect successful completion, reducing noise and false positives. EventBridge rules are managed, highly available, and require minimal operational work once configured.

Option B is not the best fit because Secrets Manager does not rely on a “native SNS rotation notification toggle” as a primary mechanism for compliance notifications in the way described; the standard event-driven pattern is to use EventBridge/CloudTrail signals rather than expecting Secrets Manager to publish directly to SNS for every rotation outcome. Options C and D propose filtering CloudWatch Logs, which adds operational overhead (log ingestion, metric filters or subscription filters, and parsing) and is less direct than matching structured API events. CloudWatch Logs filtering is also more brittle because it depends on log formats and correct log routing for the relevant services.

Therefore, using EventBridge to match CloudTrail rotation events and forward them to SNS is the most reliable and low-maintenance solution.

=================

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C. Create a store image task. Specify the image ID and the destination S3 bucket, because this is the only AWS-supported solution that allows an AMI to be backed up to Amazon S3 and later restored while preserving the original AMI ID. This capability is essential for regulatory and compliance requirements where immutable identifiers must be retained.

According to AWS CloudOps documentation for Amazon EC2 AMI lifecycle management, the AMI store and restore feature is specifically designed for long-term retention, audit, and compliance scenarios. When an AMI is stored using a store image task, AWS packages the AMI’s configuration, metadata, and associated snapshots and saves them as encrypted objects in an Amazon S3 bucket. When the AMI is restored, AWS explicitly states that the restored AMI retains the same AMI ID as the original image, ensuring continuity for compliance tracking and operational dependencies.

Option A is incorrect because copying an AMI always results in a new AMI ID, even when copied within the same AWS Region. Option B is incorrect because archiving snapshots to Amazon S3 does not preserve AMI metadata or identity; restoring from snapshots requires creating a new AMI with a different ID. Option D is incorrect because the copy-image command is intended for cross-Region or cross-account AMI duplication and also generates a new AMI ID.

AWS CloudOps best practices clearly identify store image tasks as the correct mechanism when AMI identity preservation is required for governance, auditability, and compliance controls.

VPC Flow Logs require permissions to create log groups and log streams in Amazon CloudWatch Logs. If the IAM role associated with the flow log lacks the logs:CreateLogGroup permission, CloudWatch Logs cannot be created and no logs will appear.

Option B is unrelated because CreateExportTask is used for exporting logs, not publishing them. IPv6 configuration and VPC peering do not prevent flow logs from being delivered.

Ensuring the IAM role has the correct CloudWatch Logs permissions resolves the issue.

Amazon EventBridge supports custom event buses for application-specific events. EventBridge archives allow events to be retained and replayed later based on time ranges or event patterns, directly meeting the replay requirement.

Creating a custom event bus provides isolation and governance for application events. The archive preserves events automatically, and EventBridge rules route events to AWS Lambda for processing without custom code.

Options B and C do not properly align with custom event use cases or supported archive behavior. Option D lacks native replay functionality.

Therefore, a custom event bus with an archive and rule is the correct solution.

CloudWatch Logs data protection provides native redaction/masking of sensitive data at ingestion and query. AWS documentation states it can “detect and protect sensitive data in logs” using data identifiers, and that authorized users can “use the unmask action to view the original data.” Creating a data protection policy on the log group masks PII by default for all viewers, satisfying the requirement to redact personal information. Granting only the security team permission to invoke the unmask API operation ensures that unredacted content is restricted. Option B (KMS) encrypts at rest but does not redact fields; encryption alone does not prevent plaintext visibility to authorized readers. Options A and D add complexity and latency, move data out of CloudWatch, and do not provide default inline redaction/unmask controls in CloudWatch itself. Therefore, the CloudOps-aligned, managed solution is to use CloudWatch Logs data protection with appropriate data identifiers and unmask permissions limited to the security team.

Amazon CloudWatch Application Signals is designed to provide built-in observability for containerized workloads, including Amazon EKS. It automatically collects golden signals such as latency, traffic, errors, and saturation without requiring complex instrumentation.

Application Signals supports SLO definition and SLI monitoring and correlates metrics, logs, and traces within CloudWatch. This significantly reduces operational overhead compared to manually configuring OpenTelemetry pipelines, Prometheus, and Grafana.

CloudWatch RUM and Synthetics focus on frontend monitoring, not backend service observability. Application Insights does not provide full SLO/SLI support for EKS workloads.

Therefore, CloudWatch Application Signals is the correct and least-effort solution.

An alias record is the recommended Route 53 record type to map domain names (e.g., example.com) to AWS-managed resources such as an Application Load Balancer. Alias records are extension types of A or AAAA records that support AWS resources directly, providing automatic DNS integration and no additional query costs.

AWS documentation states:

“Use alias records to map your domain or subdomain to an AWS resource such as an Application Load Balancer, CloudFront distribution, or S3 website endpoint.”

A and AAAA records are used for static IP addresses, not load balancers. CNAME records cannot be used at the root domain (e.g., example.com). Thus, Option C is correct as it meets CloudOps networking best practices for scalable, managed DNS resolution to ALBs.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

AWS CloudFormation supports the DeletionPolicy attribute to control what happens to a resource when a stack is deleted. For Amazon RDS DB instances, setting DeletionPolicy: Snapshot instructs CloudFormation to retain a final DB snapshot automatically at stack deletion. CloudOps best practice recommends using this native mechanism for data retention and auditability, avoiding manual scripts or out-of-band processes. Options A, B, and D introduce operational overhead and potential human error. With DeletionPolicy set to Snapshot, the environment can be repeatedly created and torn down while preserving data states for later restoration with minimal manual steps. This aligns with IaC principles—declarative, repeatable, and reliable—and supports efficient lifecycle management of ephemeral development stacks.

According to the AWS Cloud Operations and Disaster Recovery documentation, the active-active multi-Region architecture provides the lowest possible RTO and RPO among all disaster recovery strategies. In this approach, workloads are deployed and actively running in multiple AWS Regions simultaneously. All data is continuously replicated in real time between Regions using fully managed replication services, ensuring zero data loss (zero RPO).

Because both Regions are active and capable of handling requests, failover between them is instantaneous, meeting the RTO of less than 10 minutes. Amazon Route 53 is used with weighted or latency-based routing policies and health checks to automatically route traffic away from an impaired Region to the healthy Region without manual intervention.

In contrast:

Pilot Light Architecture maintains only a minimal copy of the environment in the secondary Region. It requires time to scale up infrastructure during a disaster, resulting in longer RTO and potential data loss (non-zero RPO).

Warm Standby Architecture keeps partially running infrastructure in the secondary Region. Although faster than pilot light, it still requires scaling and synchronization, resulting in higher RTO and RPO compared to active-active.

Backup and Restore (option D) relies on periodic backups and restores data when needed. This approach has the highest RTO and RPO, unsuitable for mission-critical workloads demanding high availability and zero data loss.

Therefore, based on AWS-recommended disaster recovery strategies outlined in the AWS Cloud Operations and Disaster Recovery Guide, the Active-Active Multi-Region architecture (Option C) is the only approach that guarantees RTO <10 minutes and RPO = 0, achieving continuous availability and business continuity across Regions.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

With simple scaling policies, an Auto Scaling group performs one scaling activity when the alarm condition is met, then observes a default cooldown period (300 seconds) before another scaling activity of the same type can begin. CloudOps guidance explains that cooldown prevents rapid successive scale-outs by allowing time for the newly launched instance(s) to register with the load balancer and impact the metric. Even if the alarm breaches multiple times during the cooldown window, the group waits until the cooldown completes before evaluating and acting again. In this case, although RequestCountPerTarget exceeded the threshold twice within 180 seconds, the group will launch a single instance and then wait for cooldown before any additional scale-out can occur. Options A, C, and D do not reflect the behavior of simple scaling with cooldowns; A describes step/target-tracking-like behavior, and C/D are not Auto Scaling mechanics.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

Use Amazon S3 Event Notifications with AWS Lambda to trigger image processing on object creation. S3 natively supports invoking Lambda for events such as s3:ObjectCreated:*, providing a serverless, low-latency pipeline without managing additional services. AWS operational guidance states that “Amazon S3 can directly invoke a Lambda function in response to object-created events,” allowing you to pass event metadata (bucket/key) to the function for resizing and writing results back to S3. This approach minimizes operational overhead, scales automatically with upload volume, and integrates with standard retry semantics. SNS or SQS can be added for fan-out or buffering patterns, but they are not required when the requirement is simply “invoke the Lambda function on upload.” CloudWatch alarms do not detect individual S3 object uploads and cannot directly satisfy per-object triggers. Therefore, configuring S3 → Lambda event notifications meets the requirement most directly and aligns with CloudOps best practices for event-driven, serverless automation.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To secure inbound web traffic over HTTPS when using an Application Load Balancer, AWS CloudOps best practices recommend terminating TLS at the load balancer. This is achieved by attaching an SSL/TLS certificate directly to the ALB listener. Therefore, option B is required. By terminating HTTPS at the ALB, traffic between clients and the load balancer is encrypted, and the ALB can then forward traffic to backend EC2 instances using HTTP or HTTPS based on design requirements.

The certificate used for a public-facing retail website must be trusted by internet browsers. AWS Certificate Manager (ACM) public certificates are specifically designed for this purpose and are trusted by common browsers and operating systems. Therefore, option D is required. ACM manages certificate provisioning, renewal, and deployment automatically, which significantly reduces operational overhead.

Option A is incorrect because attaching certificates to each EC2 instance is unnecessary and does not scale well. Option C is incorrect because private certificates are intended for internal use cases and are not trusted by public browsers. Option E is incorrect because ACM-managed public certificates cannot be exported; they must be attached directly to supported AWS services such as ALBs.

This approach aligns with AWS CloudOps guidance for secure, scalable, and highly available HTTPS architectures.

The errors occur during Auto Scaling replacement and scale-in events, which strongly indicates that instances are being terminated or recycled while they are still serving traffic. When an Auto Scaling group uses only EC2 status checks, the health evaluation is limited to instance-level signals (such as system reachability and instance reachability). Those checks do not validate whether the application process is healthy, whether the web server is still responding correctly, or whether the instance is safely able to continue serving requests while shutdown activities are underway. As a result, traffic can continue to reach an instance that is about to be terminated, or a newly launched instance can be marked healthy at the EC2 layer before the application is actually ready, producing spikes in 5xx responses.

Using Elastic Load Balancing health checks integrates the Auto Scaling group with the load balancer’s application-aware health evaluation. The load balancer can perform health checks against a specific endpoint (for example, /health) over HTTP/HTTPS and determine whether the application is responding successfully. Auto Scaling can then replace instances based on real service health rather than only infrastructure health. This approach improves resiliency because unhealthy or draining instances are removed from load balancing before they cause user-facing errors, and newly launched instances are kept out of rotation until they pass the ELB health checks.

Increasing cooldown (A) only slows scaling actions and does not ensure safe traffic draining. Increasing minimum capacity (C) can reduce impact but does not address the root cause of instances receiving traffic during lifecycle changes. Increasing grace period (D) helps initial warm-up, but it does not reliably protect users during scale-in and termination without application-level health integration. Therefore, ELB health checks are the best solution.

=================

The least-effort, most scalable approach to ensure consistent software installation and ongoing updates across tagged Windows instances is to use AWS Systems Manager’s native software distribution and desired-state capabilities. Systems Manager Distributor lets you package third-party software as an “SSM package,” version it, and publish updates in a controlled way. This directly supports the requirement to install a third-party agent and deploy periodic updates when new versions are available.

State Manager Associations let you enforce configuration continuously or on a schedule across a fleet, targeting instances by tags (which the scenario explicitly says are in place). By creating an association that runs AWS-ConfigureAWSPackage, you instruct Systems Manager to install (and optionally update) a specific SSM package on all instances that match the Windows tag criteria. This provides ongoing compliance: newly launched instances that receive the tag will automatically get the agent installed, and existing instances will receive updates according to the association’s frequency and the package version strategy.

Option C (custom Lambda that logs in) is high operational overhead and poor practice (credentials, connectivity, error handling, scaling, and security concerns). Option D (RunRemoteScript) can work but is more brittle than ConfigureAWSPackage because it shifts lifecycle management (versioning, state, idempotency) into scripts. Option B (OpsItem + Inventory) is not an enforcement mechanism for installation/updating; it’s for operations tracking and visibility.

Therefore, Distributor (A) + State Manager association using AWS-ConfigureAWSPackage targeted by tags (E) is the cleanest and lowest-ops solution.