AWS Certified CloudOps Engineer - Associate (SOA-C03) #15 Full-Scale Multiple-Choice Mock Exam — 50 Questions + Explanations

17 min read

This is the step that checks whether everything from #1 through #14 is locked into your head. You solve 50 questions at the same domain weights as the real exam.

How to Take It #

  • Solve within 90-100 minutes (the real exam is 65 questions/130 minutes, but this mock exam is based on 50 questions).
  • Don’t check each explanation immediately; solve all the way through, then score.
  • Getting 36 or more (72%) puts you safely in the passing range.
  • If a domain looks weak, go back to its post and review it.

Domain Distribution #

DomainWeightQuestions
Domain 1. Monitoring, Logging, Recovery, Performance22%11
Domain 2. Reliability and Business Continuity22%11
Domain 3. Deployment, Provisioning, Automation22%11
Domain 4. Networking and Content Delivery18%9
Domain 5. Security and Compliance16%8

Domain 1: Monitoring, Logging, Recovery, Performance #

Q1. You want to set an alarm on an EC2 instance’s memory utilization, but it doesn’t appear in the metric list. What’s the appropriate action?
Q2. An alarm fires too often because of transient CPU spikes. How do you make it fire only on genuine sustained load?
Q3. You want a notification when ERROR appears a certain number of times in application logs. What’s the standard implementation?
Q4. You want to quickly analyze a large volume of logs from the time of an incident after the fact to find the cause. What’s the appropriate tool?
Q5. A single instance stopped due to a hardware (system status check) failure, and you want to automatically bring the same instance back. Which is appropriate?
Q6. Too many notifications from individual single alarms have desensitized the operators. You want to alert only when both CPU is high and latency is high. Which is appropriate?
Q7. Daytime and nighttime traffic differ so much that a fixed threshold makes the alarm inaccurate. Which is appropriate?
Q8. You want to collect the local logs of a terminating ASG instance without losing them, then let it terminate. Which is appropriate?
Q9. A gp2 EBS volume has enough capacity but is slow due to its IOPS limit. How do you raise performance cost-effectively?
Q10. You want to cut cost while keeping performance by identifying over- and under-provisioned instances. Which is appropriate?
Q11. A Lambda function must run at a set time every day. What’s the appropriate trigger?

Domain 2: Reliability and Business Continuity #

Q12. You must retain a backup permanently even after deleting an RDS instance. Which is appropriate?
Q13. You must enforce backups across dozens of accounts and multiple services with a single standard policy and prove compliance. Which is appropriate?
Q14. You must make backups immutable (WORM) to guard against ransomware and accidental deletion. Which is appropriate?
Q15. Which DR strategy minimizes cost and is fine even if recovery takes several hours?
Q16. RTO must be short, on the order of minutes, and you can accept some cost. Which DR strategy is appropriate?
Q17. In a stateless web server group, you want to automatically discard unhealthy instances and replace them with new ones. How?
Q18. Some user requests get cut off on every deployment. How do you let in-flight requests finish when removing an instance from the target group?
Q19. Traffic predictably surges at 9 AM every day. What’s the most appropriate scaling?
Q20. On a full region failure, you must automatically fail over to another region. Which is appropriate?
Q21. Which statement about EBS snapshots is correct?
Q22. For most general workloads, what is the primary availability configuration to guard against an AZ failure?

Domain 3: Deployment, Provisioning, Automation #

Q23. Before updating a production CloudFormation stack, you want to preview which resources will be replaced or changed. Which is appropriate?
Q24. This environment was made with IaC, but it seems someone changed a resource directly in the console. How do you find the divergent resources?
Q25. The database and S3 bucket must remain even when the CloudFormation stack is deleted. Which is appropriate?
Q26. You want to consistently deploy standard security settings to all accounts in the organization and apply them automatically to new accounts too. Which is appropriate?
Q27. An instance doesn’t appear in the Systems Manager managed-instance list. What do you check first?
Q28. You must automatically rotate a DB password on a set schedule. Which is appropriate?
Q29. You want to connect to an instance in a private subnet without an SSH key or inbound port and leave an audit record of every session. Which is appropriate?
Q30. You must automatically apply monthly security patches to hundreds of instances at a set time and report on instances that aren’t patched. Which is appropriate?
Q31. You don’t strictly need the K8s standard and want to run containers while minimizing instance-management overhead. Which is appropriate?
Q32. You want to detect known vulnerabilities (CVEs) in a container image before deployment. Which is appropriate?
Q33. A container in an ECS task must call AWS APIs. What’s the standard way to grant least privilege?

Domain 4: Networking and Content Delivery #

Q34. You opened the security group inbound correctly, but the response still doesn’t come back. What do you check at the subnet level?
Q35. A private instance accesses S3, and you want to cut NAT Gateway data-processing cost. Which is appropriate?
Q36. A private instance with no internet,NAT must connect privately to SSM and ECR. Which is appropriate?
Q37. VPC A-B and B-C are each peered. Why can’t A communicate with C?
Q38. You want to confirm whether traffic is rejected by the security group or the NACL. Which is appropriate?
Q39. You want to verify in advance whether two resources can connect, without real traffic. Which is appropriate?
Q40. You want to connect a root domain (example.com) to an Application Load Balancer. What’s the appropriate record?
Q41. You’re trying to attach an ACM certificate to a CloudFront distribution, but the certificate doesn’t appear in the list. What’s the cause?
Q42. Using S3 as the origin, you want to block users from accessing the S3 URL directly and force them through CloudFront only. Which is appropriate?

Domain 5: Security and Compliance #

Q43. You want to check the access-key usage and MFA status of all IAM users at once. Which is appropriate?
Q44. You want to detect whether S3 buckets,IAM roles,KMS keys are unintentionally shared outside the account (externally). Which is appropriate?
Q45. You want a guardrail that forbids the use of a specific region across all accounts in the organization. Which is appropriate?
Q46. You must track “who deleted this resource.” Which is appropriate?
Q47. You want to continuously evaluate “unencrypted EBS volumes” and automatically remediate violations. Which is appropriate?
Q48. You want to automatically detect threats like communication with malicious IPs and abnormal API calls in the account, without setting up logs. Which is appropriate?
Q49. You want to gather the results of several security services like GuardDuty,Inspector,Config on one screen and see a best-practice compliance score. Which is appropriate?
Q50. You must control the encryption key directly and share it with another account. Which is appropriate?

Scoring and Wrap-up #

36 of 50 questions (72%) or more puts you safely in the passing range. Grouping the questions you missed by domain reveals your weak areas.

Domain missedPosts to revisit
Monitoring,Logging,Recovery,Performance#2,#3,#4
Reliability,Continuity#5,#6
Deployment,Provisioning,Automation#7,#8,#9
Networking,Delivery#10,#11
Security,Compliance#12,#13

Closing the Series #

Starting from #1, where we laid out the exam structure, we went through the five domains — monitoring,reliability,deployment automation,networking,security from an operations perspective — and wrapped up with #14’s exam tips and this mock exam. What SOA-C03 asks comes down to one thing: looking at symptoms in an already-running environment and choosing the most appropriate operational action. Once reading the constraint keywords, distinguishing similar services by keyword, and the instinct to eliminate manual intervention with automation becomes second nature, you’ll clear the passing line with room to spare.

I wish you good luck on the exam. Continuing with the hands-on track and the other certification tracks will make your AWS operations skills even more solid.

X