AWS Certified CloudOps Engineer - Associate (SOA-C03) - AWS Actual Exam Questions
Last updated on April 11, 2026
A company’s security policy prohibits connecting to Amazon EC2 instances through SSH and RDP. Instead, staff must use AWS Systems Manager Session Manager. Users report they cannot connect to one Ubuntu instance, even though they can connect to others. What should a CloudOps engineer do to resolve this issue?
Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
Configure the SSM Agent to log in with a user name of "ubuntu".
Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
A company runs a website on Amazon EC2 instances. Users can upload images to an Amazon S3 bucket and publish the images to the website. The company wants to deploy a serverless image- processing application that uses an AWS Lambda function to resize the uploaded images. The company's development team has created the Lambda function. A CloudOps engineer must implement a solution to invoke the Lambda function when users upload new images to the S3 bucket. Which solution will meet this requirement?
Configure an Amazon Simple Notification Service (Amazon SNS) topic to invoke the Lambda function when a user uploads a new image to the S3 bucket.
Configure an Amazon CloudWatch alarm to invoke the Lambda function when a user uploads a new image to the S3 bucket.
Configure S3 Event Notifications to invoke the Lambda function when a user uploads a new image to the S3 bucket.
Configure an Amazon Simple Queue Service (Amazon SQS) queue to invoke the Lambda function when a user uploads a new image to the S3 bucket.
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
A company's website runs on an Amazon EC2 Linux instance. The website needs to serve PDF files from an Amazon S3 bucket. All public access to the S3 bucket is blocked at the account level. The company needs to allow website users to download the PDF files. Which solution will meet these requirements with the LEAST administrative effort?
Create an IAM role that has a policy that allows s3:list* and s3:get* permissions. Assign the role to the EC2 instance. Assign a company employee to download requested PDF files to the EC2 instance and deliver the files to website users. Create an AWS Lambda function to periodically delete local files.
Create an Amazon CloudFront distribution that uses an origin access control (OAC) that points to the S3 bucket. Apply a bucket policy to the bucket to allow connections from the CloudFront distribution. Assign a company employee to provide a download URL that contains the distribution URL and the object path to users when users request PDF files.
Change the S3 bucket permissions to allow public access on the source S3 bucket. Assign a company employee to provide a PDF file URL to users when users request the PDF files.
Deploy an EC2 instance that has an IAM instance profile to a public subnet. Use a signed URL from the EC2 instance to provide temporary access to the S3 bucket for website users.
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
A company deploys an application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The company wants to protect the application from SQL injection attacks. Which solution will meet this requirement?
Deploy AWS Shield Advanced in front of the ALB. Enable SQL injection filtering.
Deploy AWS Shield Standard in front of the ALB. Enable SQL injection filtering.
Deploy a vulnerability scanner on each EC2 instance. Continuously scan the application code.
Deploy AWS WAF in front of the ALB. Subscribe to an AWS Managed Rule for SQL injection filtering.
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
A CloudOps engineer has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow outbound traffic. Which solution will provide the EC2 instances in the private subnet with access to the internet?
Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.
Create a NAT gateway in the public subnet. Create a route from the public subnet to the NAT gateway.
Create a NAT gateway in the private subnet. Create a route from the public subnet to the NAT gateway.
Create a NAT gateway in the private subnet. Create a route from the private subnet to the NAT gateway.
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
Finish Practice?
Are you sure you want to finish? This will end your practice session.