Free AWS SOA-C03 Actual Exam Questions

Option A makes sense because without enough CloudWatch data, instances won’t appear in the recommendations.

Maybe B here. Since some instances use brand-new types, Compute Optimizer might not support those yet, so they wouldn’t show up in the dashboard at all. It’s less about data availability and more about compatibility with those newer instance types. This fits since older types appear but the new ones are missing.

It’s D because Detective and GuardDuty don’t manage AMIs or software deployment, and Run Command just updates running instances without ensuring image consistency.

It’s D, since only Image Builder guarantees a clean, repeatable image with approved software.

Maybe A, since scripting rotation with Lambda and EventBridge works for any engine without extra config.

Good point on engine support, but D still beats B for built-in rotation ease. D

A imo, the ACCEPT on the incoming traffic means the initial packets are allowed through, so the security group must at least allow inbound on 8080. The REJECT on the return port usually points to something blocking outbound ephemeral ports, which sounds like a subnet NACL issue. If the NLB’s security group was the problem, the initial connection wouldn’t be accepted at all. So D makes more sense because NACLs are stateless and often cause issues with return traffic if ephemeral ports aren’t open.

The rejects on the return traffic hint it's not the security groups blocking but the subnet NACL. NACLs are stateless, so if ephemeral ports aren’t allowed outbound, the response gets dropped—so D fits best here.

This seems like it’s about permissions on the event bus itself, so I’m thinking option C. Just having IAM roles isn’t enough; the target event bus needs a resource policy that specifically allows those sender accounts to put events. Without that explicit permission, the events get blocked, even if everything else looks set up right.

B/C? Cross-region routing isn’t automatic, and bus needs explicit permission.

Option D and A make the most sense; direct ALB health checks fit failover better.

Good point about the alarms being indirect; monitoring the ALB directly makes more sense for failover. So, D for routing and A to monitor ALB health checks should work well here.

D imo, because deploying an EC2 instance profile with the right IAM policy via a CloudFormation stack set ensures all instances have the correct permissions, both current and future. Quick Setup might help with new setups, but it’s not clear if it updates existing instance roles automatically. Also, option B’s approach with Run Command feels a bit manual and scattered compared to D’s centralized deployment. Using a stack set for the instance profile seems cleaner and more scalable across multiple accounts in the organization.

Option C seems solid because using a CloudFormation stack set allows you to centrally deploy and update the necessary Systems Manager roles across all accounts, covering both current and future EC2 instances. Unlike Quick Setup, which might focus more on configuration than role management, this approach ensures the right parameter and role are consistently applied everywhere. Also, it scales well as new accounts or instances are added since the stack set can be redeployed or updated easily from the management account.

I’m thinking that option C might help since step scaling reacts more dynamically to changes in load by adjusting capacity in steps, which could speed up scaling when the queue backlog spikes. Target tracking can be a bit slow because it tries to maintain a steady state, but step scaling can respond in bigger jumps. But I wonder if that alone is enough without focusing on the right metric to trigger the scaling. Anyone know if changing to step scaling alone will really reduce the message buildup faster?

A The ApproximateNumberOfMessagesDelayed metric focuses on delayed messages, which might better reflect the queue’s buildup than network traffic. Using it in target tracking could trigger faster scaling during peaks.

Maybe C makes sense too since Control Tower automates governance at the org level and SCPs can effectively limit root user actions and region usage. It's a neat all-in-one solution for these requirements.

C/D? Control Tower is great for governance with SCPs that can block root user actions and restrict regions, so it covers two big requirements well. But I'm unsure if SCPs can fully stop root users from deleting CloudTrail logs since root can sometimes bypass permissions. Firewall Manager combined with Config conformance packs (D) seems to offer a more complete enforcement and detection approach, catching violations org-wide and protecting logs better. So if the CloudTrail deletion prevention is critical, D might edge out C here.

C S3 Event Notifications are built for this and trigger Lambda immediately on uploads. Using SNS or SQS adds extra steps that aren’t needed here, and CloudWatch alarms don’t track S3 object uploads directly.

Option A wouldn’t work because SNS isn’t directly triggered by S3 uploads without extra setup. S3 Event Notifications (C) are the simplest and most direct way to invoke Lambda here.

D, invalidation is the only way to immediately clear CloudFront cache for updated content.

D, invalidation clears cached files so users get the latest content immediately.

B/A? Need the IdP metadata to set up the trust, and you also have to provide IAM Identity Center’s SAML metadata to the IdP so they can talk. Permissions might matter, but those two are basic prerequisites.

Option B and A make sense since metadata exchanges establish the trust relationship needed.

C because it automates snapshot retention without manual intervention before stack deletion.

C The Snapshot Deletion Policy specifically tells CloudFormation to keep a snapshot when deleting the RDS resource, so it fits perfectly for preserving data automatically. Other options rely on manual or extra setup steps.

It’s A because cluster placement groups are designed for low-latency network performance by placing instances physically close. Spread groups (D) increase fault tolerance but cause more latency, so D’s no good here.

Totally agree, A is best since it physically groups instances to cut down latency.

Maybe D. Since the backup app needs block storage with full local data availability, gateway-stored volumes are the only Storage Gateway option that keeps everything on-premise and supports POSIX-compatible block storage.

C/D? Cached volumes (C) don’t keep all data local, so they don’t meet the requirement. Stored volumes (D) keep full data locally and support block storage, making D the solid choice here.