AWS SOA-C03 Free Practice Questions — Page 1

AWS Certified CloudOps Engineer - Associate • 4 questions • Answers & explanations included

Question 2

A CloudOps administrator launches an Amazon EC2 instance in a private subnet of a VPC. When the CloudOps administrator attempts a curl command from the command line of the EC2 instance, the CloudOps administrator cannot connect to https://www.example.com. What should the CloudOps administrator do to resolve this issue?

A. Ensure that there is an outbound security group for port 443 to 0.0.0.0/0.
B. Ensure that there is an inbound security group for port 443 from 0.0.0.0/0.
C. Ensure that there is an outbound network ACL for ephemeral ports 1024-66535 to 0.0.0.0/0.
D. Ensure that there is an outbound network ACL for port 80 to 0.0.0.0/0.

Correct Answer: A. Ensure that there is an outbound security group for port 443 to 0.0.0.0/0.

The curl command to https://www.example.com uses HTTPS protocol on port 443, requiring outbound connectivity from the EC2 instance. Security groups are stateful, meaning if outbound traffic is allowed, the return traffic is automatically permitted regardless of inbound rules. For the instance to initiate an HTTPS connection, the security group must have an outbound rule allowing port 443 to 0.0.0.0/0 (or at minimum to the destination). The inbound security group rule for port 443 is incorrect because the instance is initiating the connection outbound, not receiving inbound HTTPS requests. The outbound NACL for ephemeral ports would handle return traffic in a stateless NACL configuration, but security groups are the first layer to check and are stateful, making this answer less relevant to the immediate issue. The outbound NACL for port 80 is incorrect because HTTPS uses port 443, not port 80 (which is HTTP). Note: This answer assumes the private subnet already has proper routing (via NAT Gateway/Instance) to reach the internet; without that infrastructure, even correct security group rules won't resolve connectivity issues.
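The stateful-versus-stateless distinction in the explanation, modelled as an added example (not from the practice page or AWS): a security group checks only the initiating packet of the HTTPS session, while a network ACL must separately allow the return traffic on an ephemeral port. Rule and packet shapes are simplified and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound", relative to the instance
    port_from: int
    port_to: int
    action: str = "allow"   # NACL rules may also be "deny"; SG rules are allow-only

@dataclass(frozen=True)
class Packet:
    direction: str          # relative to the instance
    dst_port: int

def _matches(rule: Rule, pkt: Packet) -> bool:
    return rule.direction == pkt.direction and rule.port_from <= pkt.dst_port <= rule.port_to

def sg_allows(rules: list, session: list) -> bool:
    """Security group (stateful): only the first, connection-initiating packet is
    evaluated; the reply half is permitted because the connection is tracked."""
    return any(_matches(r, session[0]) for r in rules)

def nacl_allows(rules: list, session: list) -> bool:
    """Network ACL (stateless): every packet, including the reply, must hit an
    allow rule in its own direction. First match wins; rules are assumed to be
    ordered by rule number, and no match means the implicit deny applies."""
    for pkt in session:
        for r in rules:
            if _matches(r, pkt):
                if r.action == "deny":
                    return False
                break
        else:
            return False  # no rule matched this packet: implicit deny
    return True

# Constructed session: curl sends to example.com:443, the reply comes back to an
# ephemeral source port chosen by the instance.
HTTPS_SESSION = [Packet("outbound", 443), Packet("inbound", 50123)]

SG_OUTBOUND_443 = [Rule("outbound", 443, 443)]                    # option A
SG_INBOUND_443 = [Rule("inbound", 443, 443)]                      # option B
NACL_NO_EPHEMERAL = [Rule("outbound", 443, 443)]                  # reply is dropped
NACL_WITH_EPHEMERAL = [Rule("outbound", 443, 443), Rule("inbound", 1024, 65535)]
```

The same session succeeds with a single outbound rule in a security group but needs the inbound ephemeral-port rule in a network ACL, which is why option A fixes the instance's curl while the NACL options only matter once the stateless layer is the one blocking traffic.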

Question 3

A company's public website is hosted in an Amazon S3 bucket in the us-east-1 Region behind an Amazon CloudFront distribution. The company wants to ensure that the website is protected from DDoS attacks. A CloudOps administrator needs to deploy a solution that gives the company the ability to maintain control over the rate limit at which DDoS protections are applied. Which solution will meet these requirements?

A. Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.
B. Deploy an AWS WAF web ACL with an allow default action in us-east-1. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the S3 bucket.
C. Deploy a global-scoped AWS WAF web ACL with a block default action. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the CloudFront distribution.
D. Deploy an AWS WAF web ACL with a block default action in us-east-1. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the S3 bucket.

Correct Answer: A. Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.

AWS WAF associated with CloudFront must be deployed in the global scope (CloudFront is a global service), and rate-based rules provide granular control over rate limits for DDoS protection. The correct approach uses an allow default action, meaning normal traffic is permitted, while the rate-based rule specifically blocks traffic that exceeds the configured threshold (e.g., 2,000 requests per 5 minutes from a single IP). Associating the web ACL with the CloudFront distribution is correct because CloudFront sits in front of the S3 bucket and is the entry point for public traffic. The second option is incorrect because AWS WAF cannot be directly associated with an S3 bucket; WAF integrates with CloudFront, Application Load Balancer, API Gateway, or AppSync. The third and fourth options have inverted logic with a block default action and allow rate-based rules, which would block all legitimate traffic by default and only allow traffic matching the rate rule, the opposite of DDoS protection. Additionally, option four incorrectly attempts to associate WAF directly with S3, which is not supported.

Question 4

A company hosts an online shopping portal in the AWS Cloud. The portal provides HTTPS security by using a TLS certificate on an Elastic Load Balancer (ELB). Recently, the portal suffered an outage because the TLS certificate expired. A CloudOps administrator must create a solution to automatically renew certificates to avoid this issue in the future. What is the MOST operationally efficient solution that meets these requirements?

A. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. Write a scheduled AWS Lambda function to renew the certificate every 18 months.
B. Register a certificate with a third-party certificate authority (CA). Configure the ELB to import the certificate directly from the CA. Set the certificate refresh cycle on the ELB to refresh when the certificate is within 3 months of the expiration date.
C. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
D. Register a certificate with a third-party certificate authority (CA). Import this certificate into AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.

Correct Answer: C. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.

AWS Certificate Manager (ACM) automatically manages certificate renewal for public certificates at no additional cost. When you associate an ACM certificate with an ELB, ACM handles the entire renewal process automatically, including deploying the renewed certificate. This is the most operationally efficient solution with zero manual intervention required. Option A is incorrect because ACM handles renewal automatically—writing a Lambda function is unnecessary and creates operational overhead. Option B is incorrect because ELBs cannot import certificates directly from third-party CAs, and this manual process still requires intervention. Option D is incorrect because ACM does not automatically renew third-party certificates imported into ACM—you must manually re-import renewed certificates before expiration.

Question 5

With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?

A. Deny Post, Put, and Delete on the bucket
B. Enable server-side encryption on the bucket
C. Enable Amazon S3 versioning on the bucket
D. Enable snapshots on the bucket

Correct Answer: C. Enable Amazon S3 versioning on the bucket

Amazon S3 versioning is the most effective protection against ransomware because it preserves, retrieves, and restores every version of every object stored in the bucket, including deleted objects. If ransomware encrypts or deletes files, versioning allows recovery of previous unencrypted versions, providing a rollback mechanism. This creates a recovery point that ransomware cannot easily eliminate unless it has specific permissions to delete object versions. Denying Post, Put, and Delete operations would prevent the bucket from being modified, but it would also block all legitimate business operations, making the bucket essentially read-only and unusable for normal workflows. Server-side encryption protects data at rest from unauthorized access but does not protect against ransomware that operates with legitimate credentials—ransomware would simply encrypt already-encrypted data or replace objects. The "enable snapshots on the bucket" option is incorrect because snapshots are an EBS (Elastic Block Store) feature, not an S3 feature. For comprehensive ransomware protection, combine S3 versioning with MFA Delete, Object Lock (WORM), and proper IAM permissions to prevent unauthorized version deletion.
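The layered protections the explanation recommends, turned into an audit check as an added example (not from the practice page or AWS). It grades a bucket from the response shapes that boto3's `get_bucket_versioning()` and `get_object_lock_configuration()` return; the inputs below are constructed dictionaries so the check runs offline, and a bucket with no Object Lock configuration (where the real call raises) is passed as `None`.

```python
from typing import Optional

def audit_bucket(versioning: dict, object_lock: Optional[dict]) -> dict:
    """Report which ransomware-recovery controls a bucket has in place.

    versioning:  response of s3.get_bucket_versioning(Bucket=...)
    object_lock: response of s3.get_object_lock_configuration(Bucket=...), or None
    """
    lock_cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    retention = lock_cfg.get("Rule", {}).get("DefaultRetention", {})
    findings = {
        "versioning": versioning.get("Status") == "Enabled",
        "mfa_delete": versioning.get("MFADelete") == "Enabled",
        "object_lock": lock_cfg.get("ObjectLockEnabled") == "Enabled",
        # COMPLIANCE mode cannot be shortened or removed, even by the root user,
        # for the retention period; GOVERNANCE can be bypassed with a permission.
        "compliance_retention": retention.get("Mode") == "COMPLIANCE",
    }
    # Versioning alone gives a rollback point. MFA Delete or Object Lock is what
    # stops an attacker holding valid credentials from deleting the old versions.
    findings["recoverable"] = findings["versioning"] and (
        findings["mfa_delete"] or findings["object_lock"]
    )
    findings["gaps"] = [k for k in ("versioning", "mfa_delete", "object_lock")
                        if not findings[k]]
    return findings

# Constructed sample responses in the boto3 shape.
NEVER_VERSIONED = {}                         # bucket created without versioning
VERSIONED_ONLY = {"Status": "Enabled"}       # rollback possible, versions deletable
HARDENED = {"Status": "Enabled", "MFADelete": "Enabled"}
LOCKED = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
```

Run across an account's buckets, the `gaps` list is the remediation worklist: a bucket showing only `versioning` has the answer-C control but still lets a credentialed attacker delete the recovery versions.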
