AWS SOA-C03 Free Practice Questions — Page 3

AWS Certified CloudOps Engineer - Associate • 4 questions • Answers & explanations included

Question 12

A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application’s performance. A CloudOps administrator must scale the application to meet the increased traffic. Which solution meets these requirements?

A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.
D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.

Correct Answer: C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.

An Auto Scaling group with a target tracking scaling policy automatically adjusts the number of EC2 instances based on specified metrics such as average CPU utilization, request count per target, or ALB target response time, making it ideal for handling unpredictable traffic spikes. Target tracking policies continuously monitor the specified metric and add or remove instances to maintain the target value, providing dynamic and automated scaling without manual intervention. Attaching the ALB to the Auto Scaling group ensures new instances are automatically registered with the load balancer and receive traffic. The first option is incorrect because increasing instance size (vertical scaling) requires stopping instances, changing instance types, and restarting them, which causes downtime and doesn't provide the elasticity needed for variable traffic patterns. The second option is incorrect because EventBridge rules are not designed for continuous metric monitoring and automated scaling—they're better suited for event-driven workflows, and manually adding instances doesn't provide the automated scaling capabilities of Auto Scaling groups. The fourth option with scheduled scaling is incorrect because the traffic increases are random and unpredictable, not following a predictable schedule that could be anticipated with time-based scaling policies. Target tracking provides the responsive, automatic scaling needed for this use case.
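As an added example (not from the practice-test page), here is a CloudFormation fragment for the chosen design: an Auto Scaling group attached to the ALB's target group and a target tracking policy on the ALB request count per target. The subnet, launch template, ALB and target group references are placeholders or assumed resources.

```yaml
# Added example: ASG attached to the ALB plus a target tracking scaling policy.
# Subnet and launch template IDs are placeholders; WebAlb and WebTargetGroup are
# assumed AWS::ElasticLoadBalancingV2 resources defined elsewhere in the stack.
Resources:
  WebAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '3'                 # the three instances the company runs today
      MaxSize: '12'                # hard ceiling on scale-out
      DesiredCapacity: '3'
      VPCZoneIdentifier:
        - subnet-EXAMPLEaaaa       # placeholders: subnets in two or more AZs
        - subnet-EXAMPLEbbbb
      LaunchTemplate:
        LaunchTemplateId: lt-EXAMPLE   # placeholder launch template
        Version: '1'
      # Attaching the ALB: every new instance is registered with the target group
      # automatically, so it receives traffic as soon as it passes health checks.
      TargetGroupARNs:
        - !Ref WebTargetGroup
      HealthCheckType: ELB         # replace instances the ALB reports as unhealthy
      HealthCheckGracePeriod: 120

  RequestCountScaling:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref WebAsg
      PolicyType: TargetTrackingScaling
      TargetTrackingConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: ALBRequestCountPerTarget
          # ResourceLabel binds the metric to one target group behind one ALB:
          # "app/<alb-name>/<alb-id>/targetgroup/<tg-name>/<tg-id>"
          ResourceLabel: !Join
            - '/'
            - - !GetAtt WebAlb.LoadBalancerFullName
              - !GetAtt WebTargetGroup.TargetGroupFullName
        # Hold roughly 500 requests per target; Auto Scaling adds instances when
        # the per-target count rises above this and removes them when it falls.
        TargetValue: 500
```

Target tracking creates the CloudWatch alarms itself, so no separate alarm or EventBridge rule is needed; the same configuration can be applied to an existing group with `aws autoscaling put-scaling-policy`.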

Question 13

A company uses an Amazon Elastic File System (Amazon EFS) file system to share files across many Linux Amazon EC2 instances. A CloudOps Engineer notices that the file system's PercentIOLimit metric is consistently at 100% for 15 minutes or longer. The CloudOps Engineer also notices that the application that reads and writes to that file system is performing poorly. The application requires high throughput and IOPS while accessing the file system. What should the CloudOps Engineer do to remediate the consistently high PercentIOLimit metric?

A. Create a new EFS file system that uses Max I/O performance mode. Use AWS DataSync to migrate data to the new EFS file system.
B. Create an EFS lifecycle policy to transition future files to the Infrequent Access (IA) storage class to improve performance. Use AWS DataSync to migrate existing data to IA storage.
C. Modify the existing EFS file system and activate Max I/O performance mode.
D. Modify the existing EFS file system and activate Provisioned Throughput mode.

Correct Answer: A. Create a new EFS file system that uses Max I/O performance mode. Use AWS DataSync to migrate data to the new EFS file system.

The PercentIOLimit metric at 100% indicates that the file system is hitting the I/O limits of its performance mode, causing performance degradation. Amazon EFS offers two performance modes: General Purpose (default) and Max I/O. Max I/O performance mode is designed for applications requiring higher aggregate throughput and IOPS, supporting thousands of concurrent EC2 instances, though it comes with slightly higher latencies. The critical limitation is that performance mode cannot be changed after file system creation—it's an immutable setting. Therefore, you must create a new EFS file system with Max I/O mode and migrate data using AWS DataSync, which efficiently transfers data between EFS file systems. The second option is incorrect because moving files to Infrequent Access storage class is for cost optimization, not performance improvement—IA storage actually has lower performance characteristics. The third option is incorrect because you cannot modify the performance mode of an existing EFS file system; this setting is fixed at creation. The fourth option addresses throughput mode (Bursting vs. Provisioned), not performance mode—while Provisioned Throughput can help with throughput limits, it doesn't resolve I/O limit constraints indicated by PercentIOLimit at 100%, which specifically requires Max I/O performance mode.

Question 14

A company needs to restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only. All traffic must be over the AWS private network. What actions should the CloudOps Engineer take to meet these requirements?

A. Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
C. Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket.
D. Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway.

Correct Answer: B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

A VPC endpoint for S3 (gateway endpoint) enables private connectivity between the VPC and S3 without traversing the public internet, keeping all traffic on the AWS private network. To restrict access exclusively to EC2 instances in the VPC, you must create an S3 bucket policy with a condition that uses the aws:SourceVpce or aws:SourceVpc condition key to allow access only from the specific VPC endpoint. This ensures that requests not originating from the VPC endpoint are denied, preventing access from outside the VPC even with valid credentials. The first option is less effective because IAM policies are identity-based and apply to specific principals (users/roles), but don't provide the same resource-level enforcement as bucket policies—you would need to apply IAM policies to every EC2 instance role, which is more complex and less centralized. The third option is incorrect because service-linked roles and IAM policies alone don't restrict network path or enforce private network requirements—traffic could still go over the internet, and it doesn't limit access to the VPC only. The fourth option is incorrect because NAT gateways are for outbound internet access from private subnets and don't provide the VPC endpoint's private connection to S3—traffic would still traverse the public internet, violating the "AWS private network" requirement. Additionally, bucket policies provide centralized access control at the resource level.
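As an added example (not from the practice-test page), here is a CloudFormation fragment for the chosen design: a gateway endpoint for S3 and a bucket policy that denies every S3 action unless the request arrived through that endpoint. The VPC ID, route table ID and bucket name are placeholders.

```yaml
# Added example: S3 gateway endpoint plus a bucket policy keyed on aws:SourceVpce.
# vpc-EXAMPLE11111, rtb-EXAMPLE22222 and example-private-bucket are placeholders.
Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: vpc-EXAMPLE11111
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - rtb-EXAMPLE22222        # route table of the subnets the instances use

  PrivateBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: example-private-bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # An explicit Deny overrides any Allow, including IAM permissions held
          # by principals outside the VPC. aws:SourceVpce is set only on requests
          # that traversed the endpoint, so a request over the public internet
          # never matches the expected value and is denied even with valid keys.
          - Sid: DenyUnlessFromVpcEndpoint
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - arn:aws:s3:::example-private-bucket
              - arn:aws:s3:::example-private-bucket/*
            Condition:
              StringNotEquals:
                aws:SourceVpce: !Ref S3GatewayEndpoint   # resolves to vpce-...
```

The Deny also applies to the bucket owner's own administrators and to console access from outside the VPC, so verify the endpoint ID on a test bucket before applying it to production data. The policy only restricts the network path; the instances still need an IAM allow for the bucket through their instance profile.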

Question 15

A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts. Which solution will meet these requirements in the MOST secure manner?

A. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.
B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.
C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Correct Answer: D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Cross-account IAM roles provide secure, temporary access without sharing long-term credentials, adhering to the principle of least privilege. By creating a read-only IAM policy (such as using AWS managed policies like AmazonVPCReadOnlyAccess) attached to a role in each developer account, and configuring the trust relationship to allow the security administrator's account to assume the role, the administrator can review VPC configurations without permanent access or shared credentials. This approach is auditable through CloudTrail, allows centralized identity management, and can be easily revoked. The first option is incorrect because sharing IAM user credentials violates security best practices—credentials can be compromised, reused, and it's difficult to audit who performed which actions. The second option is incorrect because it grants excessive administrator access when only read-only access is needed, violating least privilege principles and creating unnecessary security risk. The third option is incorrect because it grants administrator access to VPC resources when the requirement is only to review (read) configurations, not modify them. Cross-account roles with read-only permissions provide the most secure, auditable, and manageable solution for this cross-account access scenario.
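As an added example (not from the practice-test page), here is the CloudFormation fragment a developer account would deploy for the chosen design: a role trusted by the security administrator's account and limited to the AmazonVPCReadOnlyAccess managed policy. The account ID and role name are placeholders, and the MFA condition is an extra hardening assumption beyond what the explanation requires.

```yaml
# Added example: cross-account read-only VPC review role in a developer account.
# 111122223333 stands in for the security administrator's account ID.
Resources:
  VpcReviewRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SecurityVpcReview
      # Trust policy: only principals in the security account may assume this
      # role, and only from an MFA-authenticated session (assumed hardening).
      # No long-term credentials exist for the role, so nothing is shared.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:root
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      # Permission policy: the AWS managed read-only VPC policy named in the
      # explanation. It contains Describe*/Get* style actions only, so the
      # reviewer cannot modify any VPC resource.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess
      MaxSessionDuration: 3600   # one-hour temporary credentials (the default)
```

The administrator obtains temporary credentials with `sts:AssumeRole` from the security account, and every API call made with them appears in the developer account's CloudTrail under the role session name; removing the trust statement revokes access immediately.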
