This is the step that checks whether everything from #1 through #14 is locked into your head. You solve 50 questions at the same domain weights as the real exam.
Q1. You want to set an alarm on an EC2 instance’s memory utilization, but it doesn’t appear in the metric list. What’s the appropriate action?
Explanation: EC2 standard metrics don’t include OS-internal memory and disk utilization. You must install the CloudWatch Agent and publish them as custom metrics before you can set an alarm.
Q2. An alarm fires too often because of transient CPU spikes. How do you make it fire only on genuine sustained load?
Explanation: Adjusting Datapoints to Alarm so the alarm fires only when M of the last N periods breach the threshold filters out transient spikes.
Q3. You want a notification when ERROR appears a certain number of times in application logs. What’s the standard implementation?
Explanation: CloudWatch alarms apply only to metrics. The standard pattern is to turn a log pattern into a metric with a metric filter, then alarm on that metric.
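Both settings, as an added local simulation in Python rather than CloudWatch itself: a term filter turns constructed log lines into per-minute datapoints (the metric filter of Q3) and an evaluator applies M-of-N datapoints to alarm to them (Q2). The evaluator is a simplified stand-in for the real alarm state machine; in CloudWatch the corresponding settings are the metric filter’s filter pattern and the alarm’s EvaluationPeriods and DatapointsToAlarm.

```python
"""Local simulation of the metric-filter -> alarm chain (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <level> <message>".
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z INFO  request served
2024-05-01T10:00:40Z ERROR db timeout
2024-05-01T10:01:10Z ERROR db timeout
2024-05-01T10:01:30Z ERROR db timeout
2024-05-01T10:02:15Z INFO  request served
2024-05-01T10:03:05Z ERROR db timeout
2024-05-01T10:03:20Z ERROR db timeout
2024-05-01T10:04:50Z INFO  request served
"""

def metric_filter(log_text, term, period=timedelta(minutes=1)):
    """Count lines containing `term` per period, like a metric filter
    with a metric value of 1. Periods with no match yield 0 so the alarm
    sees a datapoint for every minute in the range."""
    counts = Counter()
    buckets = []
    for line in log_text.splitlines():
        ts = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
        bucket = ts.replace(second=0)
        buckets.append(bucket)
        if term in line:
            counts[bucket] += 1
    series, t = [], min(buckets)
    while t <= max(buckets):
        series.append(counts[t])
        t += period
    return series

def alarm_state(series, threshold, evaluation_periods, datapoints_to_alarm):
    """ALARM when at least M (datapoints_to_alarm) of the last N
    (evaluation_periods) datapoints are >= threshold, else OK."""
    window = series[-evaluation_periods:]
    breaching = sum(1 for v in window if v >= threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"

if __name__ == "__main__":
    errors = metric_filter(SAMPLE_LOGS, "ERROR")  # [1, 2, 0, 2, 0]
    print(errors)
    # 1 of 5 fires on any spike; 3 of 5 ignores two isolated bursts.
    print(alarm_state(errors, 2, 5, 1), alarm_state(errors, 2, 5, 3))
```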
Q4. You want to quickly analyze a large volume of logs from the time of an incident after the fact to find the cause. What’s the appropriate tool?
Explanation: Logs Insights is a troubleshooting tool that analyzes large volumes of logs on the spot with SQL-like queries, and it can query multiple log groups at once.
Q5. A single instance stopped due to a hardware (system status check) failure, and you want to automatically bring the same instance back. Which is appropriate?
Explanation: EC2 auto-recovery recovers the same instance on new hardware while keeping its instance ID and IP addresses. It suits cases where the instance holds state and replacement is difficult.
Q6. Too many notifications from individual single alarms have desensitized the operators. You want to alert only when both CPU is high and latency is high. Which is appropriate?
Explanation: A composite alarm combines the states of multiple alarms with logic (AND, OR, NOT). Combining them with AND alerts only when both conditions are met at the same time, reducing noise.
Q7. Daytime and nighttime traffic differ so much that a fixed threshold makes the alarm inaccurate. Which is appropriate?
Explanation: Anomaly Detection learns past patterns to build a normal-range band and alerts when a value falls outside it. It suits workloads with large time-of-day variation.
Q8. You want to collect the local logs of a terminating ASG instance without losing them, then let it terminate. Which is appropriate?
Explanation: A termination lifecycle hook holds the instance in a wait state just before termination, so cleanup such as log collection or connection draining can finish before the instance terminates.
Q9. A gp2 EBS volume has enough capacity but is slow due to its IOPS limit. How do you raise performance cost-effectively?
Explanation: gp3 lets you set IOPS and throughput independently of capacity, making it the cost-effective answer when capacity is sufficient but IOPS is lacking.
Q10. You want to cut cost while keeping performance by identifying over- and under-provisioned instances. Which is appropriate?
Explanation: Compute Optimizer analyzes past metrics to report over- and under-provisioning for instances, Auto Scaling groups, EBS volumes, and Lambda functions. It’s the tool for right-sizing cost and performance together.
Q11. A Lambda function must run at a set time every day. What’s the appropriate trigger?
Explanation: Lambda itself has no scheduler. Periodic execution is triggered by an EventBridge scheduled rule (a cron or rate expression).
Q12. You must retain a backup permanently even after deleting an RDS instance. Which is appropriate?
Explanation: Automated backups are deleted along with the instance and are retained for at most 35 days. If you need permanent retention, take a manual snapshot, which remains until you delete it yourself.
Q13. You must enforce backups across dozens of accounts and multiple services with a single standard policy and prove compliance. Which is appropriate?
Explanation: AWS Backup centrally manages backups for multiple services with backup plans, targets resources in bulk by tag, and integrates with Organizations to enforce and report a single standard across all accounts.
Q14. You must make backups immutable (WORM) to guard against ransomware and accidental deletion. Which is appropriate?
Explanation: Backup Vault Lock locks backups so they can’t be modified or deleted, which satisfies compliance requirements and guards against ransomware and accidental deletion.
Q15. Which DR strategy minimizes cost and is fine even if recovery takes several hours?
Explanation: Backup & Restore has the lowest steady-state cost and the longest RTO. It suits cases where slow recovery is acceptable and cost is the top priority.
Q16. RTO must be short, on the order of minutes, and you can accept some cost. Which DR strategy is appropriate?
Explanation: Warm Standby keeps a scaled-down but complete environment always running and scales it up quickly during a failure. It matches an RTO requirement of minutes.
Q17. In a stateless web server group, you want to automatically discard unhealthy instances and replace them with new ones. How?
Explanation: Auto Scaling terminates instances that fail health checks and replaces them with new ones. To catch application-level failures too, set the group’s health check type to ELB.
Q18. Some user requests get cut off on every deployment. How do you let in-flight requests finish when removing an instance from the target group?
Explanation: Deregistration delay (connection draining) lets in-flight requests finish for a set time when an instance is deregistered or terminated.
Q19. Traffic predictably surges at 9 AM every day. What’s the most appropriate scaling?
Explanation: A predictable surge calls for Scheduled Scaling, which secures capacity ahead of the scheduled time. For unpredictable load, run Target Tracking alongside it.
Q20. On a full region failure, you must automatically fail over to another region. Which is appropriate?
Explanation: Endpoint- and region-level automatic failover is configured with Route 53 failover routing and health checks. Lower the DNS TTL so the switch takes effect quickly.
Q21. Which statement about EBS snapshots is correct?
Explanation: EBS snapshots are incremental: only the first snapshot is full, and later ones store only changed blocks. Cross-region and cross-account copies and encryption are supported.
Q22. For most general workloads, what is the primary availability configuration to guard against an AZ failure?
Explanation: The basic associate-level availability answer is Multi-AZ. Multi-region is chosen when there’s an explicit requirement such as surviving a region failure or meeting regulation.
Q23. Before updating a production CloudFormation stack, you want to preview which resources will be replaced or changed. Which is appropriate?
Explanation: A change set shows what will change and which resources will be replaced before you apply a stack update.
Q24. This environment was made with IaC, but it seems someone changed a resource directly in the console. How do you find the divergent resources?
Explanation: Drift detection compares the template with the actual resources and reports the divergent resources and properties. It’s the tool for finding manual changes.
Q25. The database and S3 bucket must remain even when the CloudFormation stack is deleted. Which is appropriate?
Explanation: Setting DeletionPolicy to Retain preserves those resources (the DB, the S3 bucket, etc.) even when the stack is deleted.
Q26. You want to consistently deploy standard security settings to all accounts in the organization and apply them automatically to new accounts too. Which is appropriate?
Explanation: StackSets deploys and manages one template across multiple accounts and regions in bulk, and integrates with Organizations to apply the standard stack automatically to new accounts as well.
Q27. An instance doesn’t appear in the Systems Manager managed-instance list. What do you check first?
Explanation: SSM requires the SSM Agent and an instance IAM role. A missing entry in the managed-instance list is almost always a missing IAM role, or otherwise an endpoint or network problem.
Q28. You must automatically rotate a DB password on a set schedule. Which is appropriate?
Explanation: Built-in automatic rotation of secrets is a Secrets Manager feature. Parameter Store has no automatic rotation, so you would have to update the value yourself.
Q29. You want to connect to an instance in a private subnet without an SSH key or inbound port and leave an audit record of every session. Which is appropriate?
Explanation: Session Manager provides shell access without inbound ports or SSH keys and records every session to CloudTrail, S3, and CloudWatch Logs.
Q30. You must automatically apply monthly security patches to hundreds of instances at a set time and report on instances that aren’t patched. Which is appropriate?
Explanation: Patch Manager applies patches automatically in bulk using patch baselines, patch groups, and maintenance windows, and provides compliance reporting on unpatched instances.
Q31. You don’t strictly need the K8s standard and want to run containers while minimizing instance-management overhead. Which is appropriate?
Explanation: When you don’t specifically need Kubernetes and want to minimize operational overhead, ECS combined with the serverless compute engine Fargate is the right fit.
Q32. You want to detect known vulnerabilities (CVEs) in a container image before deployment. Which is appropriate?
Explanation: ECR image scanning checks images for vulnerabilities on push or continuously. Inspector also covers instance and image OS vulnerabilities more broadly.
Q33. A container in an ECS task must call AWS APIs. What’s the standard way to grant least privilege?
Explanation: Because multiple tasks share an instance, the instance role would be over-privileged. The standard is to grant least privilege per task through a Task Role.
Q34. You opened the security group inbound correctly, but the response still doesn’t come back. What do you check at the subnet level?
Explanation: NACLs are stateless, so response traffic also needs a rule. Even if inbound is allowed, the response can’t return if the outbound ephemeral port range is blocked.
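The stateless rule check described above, as an added Python simulation (not an AWS tool): a constructed NACL that allows inbound 443 but has no outbound rule for ephemeral ports, next to the corrected table, evaluated the way a NACL orders and matches its rules.

```python
"""Stateless NACL evaluation for one HTTPS connection (added example)."""

# Rule: (rule_number, direction, protocol, (from_port, to_port), action).
# Constructed NACL: inbound 443 is allowed, but there is no outbound rule
# for the ephemeral range (1024-65535) the reply is sent back to.
BROKEN_NACL = [
    (100, "inbound", "tcp", (443, 443), "allow"),
    (100, "outbound", "tcp", (443, 443), "allow"),
]

# Corrected NACL: an outbound rule for the ephemeral range is added.
FIXED_NACL = BROKEN_NACL + [
    (110, "outbound", "tcp", (1024, 65535), "allow"),
]

def evaluate(nacl, direction, protocol, port):
    """Decide one packet the way a NACL does: lowest rule number first,
    first match wins, and the implicit '*' rule denies anything unmatched."""
    for _num, _dir, proto, (lo, hi), action in sorted(
        r for r in nacl if r[1] == direction
    ):
        if proto == protocol and lo <= port <= hi:
            return action
    return "deny"

def connection_works(nacl, server_port, client_port):
    """A TCP exchange needs the request (inbound to server_port) and the
    reply (outbound to the client's ephemeral port) both allowed: the NACL
    keeps no connection state, unlike a security group."""
    request = evaluate(nacl, "inbound", "tcp", server_port)
    reply = evaluate(nacl, "outbound", "tcp", client_port)
    return request == "allow" and reply == "allow"

if __name__ == "__main__":
    # Client on ephemeral port 51234 talks to the server's 443.
    print("broken:", connection_works(BROKEN_NACL, 443, 51234))  # False
    print("fixed: ", connection_works(FIXED_NACL, 443, 51234))   # True
```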
Q35. A private instance accesses S3, and you want to cut NAT Gateway data-processing cost. Which is appropriate?
Explanation: S3 and DynamoDB use Gateway endpoints, which add a private route to the route table. They’re free, and traffic bypasses the internet and the NAT Gateway, cutting cost.
Q36. A private instance with no internet or NAT access must connect privately to SSM and ECR. Which is appropriate?
Explanation: Most services, such as SSM and ECR, are reached without the internet through an Interface endpoint (PrivateLink), which assigns a private IP to an ENI in your subnet.
Q37. VPC A-B and B-C are each peered. Why can’t A communicate with C?
Explanation: VPC peering is not transitive. For A-C, peer them directly; for many VPCs, connect them through a Transit Gateway hub instead.
Q38. You want to confirm whether traffic is rejected by the security group or the NACL. Which is appropriate?
Explanation: VPC Flow Logs record ENI-, subnet-, or VPC-level traffic with an ACCEPT or REJECT action, giving a clue to where the traffic was blocked.
Q39. You want to verify in advance whether two resources can connect, without real traffic. Which is appropriate?
Explanation: Given a source and destination, Reachability Analyzer statically analyzes the path and reports what blocks the connection.
Q40. You want to connect a root domain (example.com) to an Application Load Balancer. What’s the appropriate record?
Explanation: You can’t use a CNAME at the zone apex (root domain). Connect to the ALB with a Route 53 Alias record instead. Alias queries are free and automatically track the target’s IP changes.
Q41. You’re trying to attach an ACM certificate to a CloudFront distribution, but the certificate doesn’t appear in the list. What’s the cause?
Explanation: An ACM certificate for CloudFront must be issued in us-east-1 (N. Virginia). A certificate from another region can’t be attached to CloudFront.
Q42. Using S3 as the origin, you want to block users from accessing the S3 URL directly and force them through CloudFront only. Which is appropriate?
Explanation: With OAC, you keep the S3 bucket private and allow reads only from CloudFront, blocking users’ direct S3 access.
Q43. You want to check the access-key usage and MFA status of all IAM users at once. Which is appropriate?
Explanation: The Credential Report provides the password, access-key, and MFA status of all IAM users in bulk as a CSV.
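A defender’s use of that report, as an added Python example (not an AWS tool): it parses a constructed report in the CSV layout the Credential Report produces, using a subset of its real columns, and flags console users without MFA and active access keys that were never used or unused for 90 days.

```python
"""Flag risky users in an IAM Credential Report CSV (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using a subset of the real report's columns. Values
# follow the report's conventions: "true"/"false", ISO 8601 dates, and
# "N/A" or "no_information" where a field does not apply.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,true,true,2024-05-20T09:12:00+00:00,false,N/A
bob,true,false,false,N/A,false,N/A
ci-deploy,false,false,true,2024-01-03T22:40:00+00:00,false,N/A
carol,false,false,true,no_information,true,2024-05-28T11:00:00+00:00
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample

def parse_report_date(value):
    """Return a datetime, or None when the report says the field has no date."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now, stale_after=timedelta(days=90)):
    """Return sorted (user, finding) pairs for two checks: a console
    password without MFA, and an active access key never used or unused
    for longer than stale_after."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = parse_report_date(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"active access key {n} never used"))
            elif now - last_used > stale_after:
                findings.append((user, f"active access key {n} unused for {stale_after.days}+ days"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```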
Q44. You want to detect whether S3 buckets, IAM roles, or KMS keys are unintentionally shared outside the account (externally). Which is appropriate?
Explanation: IAM Access Analyzer analyzes resource policies to identify resources shared externally. It’s a tool for finding unintended exposure.
Q45. You want a guardrail that forbids the use of a specific region across all accounts in the organization. Which is appropriate?
Explanation: An SCP is a permission ceiling applied to OUs and accounts. It suits guardrails such as forbidding the use of a region or service across all accounts. Note that it doesn’t grant permissions.
Q46. You must track “who deleted this resource.” Which is appropriate?
Explanation: CloudTrail is an audit log that records who called which API and when. It’s the basic tool for tracking actions.
Q47. You want to continuously evaluate “unencrypted EBS volumes” and automatically remediate violations. Which is appropriate?
Explanation: Config evaluates resource configuration against rules and auto-remediates violations with SSM Automation. It’s a tool for viewing state (configuration compliance).
Q48. You want to automatically detect threats like communication with malicious IPs and abnormal API calls in the account, without setting up logs. Which is appropriate?
Explanation: GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS logs to detect threats, without you having to turn those logs on yourself. Its role is active threat detection.
Q49. You want to gather the results of several security services such as GuardDuty, Inspector, and Config on one screen and see a best-practice compliance score. Which is appropriate?
Explanation: Security Hub consolidates and standardizes the findings of multiple security services and provides a score against CIS and AWS best practices. It doesn’t detect threats itself.
Q50. You must control the encryption key directly and share it with another account. Which is appropriate?
Explanation: A customer-managed key (CMK) lets you control the key policy, rotation, and deletion, and configure cross-account sharing through the key policy.
Starting from #1, where we laid out the exam structure, we went through the five domains (monitoring, reliability, deployment automation, networking, and security from an operations perspective) and wrapped up with #14’s exam tips and this mock exam. What SOA-C03 asks comes down to one thing: looking at symptoms in an already-running environment and choosing the most appropriate operational action. Once reading the constraint keywords, distinguishing similar services by their keywords, and the instinct to replace manual intervention with automation become second nature, you’ll clear the passing line with room to spare.
I wish you good luck on the exam. Continuing with the hands-on track and the other certification tracks will make your AWS operations skills even more solid.