SOA-C03 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To ensure video files are cached at CloudFront edge locations after migrating the files to Amazon S3, CloudFront must be able to fetch those video objects directly from S3 as an origin. The most operationally straightforward pattern is to add S3 as a second origin and create a separate cache behavior that routes requests for video paths (for example, /video/* or /*.mp4) to the S3 origin. With this configuration, CloudFront caches the S3-served objects at edge locations according to the cache policy/headers, while the existing ALB origin continues serving dynamic application paths. This isolates static media delivery from the application tier and improves performance by maximizing cache hits at the edge.

Option A is not how CloudFront origin selection works: CloudFront does not “redirect” to S3 based on headers; it selects an origin per behavior. Option C (signed URLs) is an access-control mechanism and does not, by itself, ensure the objects are retrieved from S3 or cached correctly. Option D (origin groups) is for origin failover (primary/secondary) and does not provide path-based routing to ensure videos come from S3.

As described in the AWS Cloud Operations and EC2 Management documentation, changing an instance type (e.g., from T3 to C5) requires that the instance be stopped first. Once stopped, the engineer can modify the instance type through the AWS Management Console, CLI, or API, then start the instance again to apply changes.

This process preserves the root volume, networking configuration, and data, making it an operationally safe and efficient way to upgrade to a different instance family.

Changing the instance type while running (Option D) is unsupported. VM Import/Export (Option A) is for external VM migration. Hibernation (Option B) does not apply to type changes.

Thus, Option C is correct — stopping the instance, changing its type, and restarting it meets AWS best practices.

The AWS Cloud Operations and Infrastructure-as-Code documentation specifies that when using AWS CloudFormation, resources are created in parallel by default unless explicitly ordered using DependsOn.

If a custom resource (Lambda) depends on another resource (like an EC2 instance) to exist before execution, a DependsOn attribute must be added to enforce creation order. This ensures the EC2 instance is launched and available before the custom resource executes its automation logic.

Updating the service token (Option B) doesn’t affect order of execution. The cfn-response module (Option C) handles callback communication but not sequencing. Fn::If (Option D) is for conditional creation, not dependency control.

Therefore, Option A is correct — adding a DependsOn attribute guarantees that CloudFormation provisions the EC2 instance before executing the Lambda custom resource.

AWS Secrets Manager natively supports credential management and automatic rotation for Amazon RDS master user passwords. When a secret is associated with an RDS instance, Secrets Manager automatically updates the password both in the secret and on the database, without downtime or manual scripting.

AWS documentation confirms:

“AWS Secrets Manager can automatically rotate the master user password for Amazon RDS databases. Rotation is fully managed and integrated, requiring no custom code or maintenance.”

Option A introduces unnecessary Lambda automation. Option B and C use Parameter Store, which does not provide direct RDS password rotation. Therefore, Option D achieves secure, automatic credential rotation with least operational effort, fully aligned with CloudOps security automation principles.

According to the AWS Cloud Operations and Compute Optimizer documentation, Compute Optimizer provides right-sizing recommendations by analyzing Amazon CloudWatch metrics and instance configuration data. However, AWS explicitly notes that only supported instance types are included in Compute Optimizer analyses. If an EC2 instance type is newly released or not yet supported by Compute Optimizer, it will not appear in the Compute Optimizer dashboard until official support is added.

The documentation explains that “Compute Optimizer analyses only supported resource types and instance families. Instances using unsupported or newly launched instance types will not appear in the Compute Optimizer console.” This ensures the service provides accurate recommendations based on sufficient performance history and benchmark data.

While CloudWatch metrics are required for analysis, the complete absence of instances from the dashboard — rather than “insufficient metric data” notifications — indicates unsupported instance types. Compute Optimizer would normally still display those with limited metrics but would flag them as “insufficient data,” not remove them entirely.

Therefore, the most accurate cause of missing instances in this case is that Compute Optimizer does not support the newly released instance types, making option B correct.

The Instance Scheduler on AWS is an AWS-provided solution designed specifically to start and stop AWS resources such as Amazon RDS instances on a defined schedule. This directly aligns with the requirement to automatically manage RDS instances during predictable idle periods, such as weekends, to reduce costs.

RDS instances incur compute charges while running, even if idle. Stopping them during weekends eliminates those charges while retaining storage and backups. Instance Scheduler supports tag-based scheduling, centralized management, and automated start/stop workflows without custom scripting.

Option A introduces custom automation and ongoing maintenance overhead. Option C (Reserved Instances) is unsuitable because the databases are idle for long, predictable periods and Reserved Instances charge regardless of usage. Option D is incorrect because RDS does not support auto scaling of DB instance classes based on utilization.

Instance Scheduler is the most cost-effective and operationally efficient solution for this use case.

AWS Systems Manager Run Command includes a built-in rate control feature that allows administrators to control the maximum number of concurrent executions across target instances. This directly addresses the requirement to limit downloads to 30 at a time without custom orchestration or additional services.

By targeting instances using tags, the solution automatically scales as new instances are added, which aligns with future growth expectations. Rate control ensures controlled concurrency and protects the private repository from overload.

Option A is manual and does not scale operationally. Option B introduces unnecessary complexity with Lambda and concurrency management that does not map cleanly to instance execution concurrency. Option D significantly increases architectural complexity without added value.

Run Command with rate control is the simplest, most native, and most scalable solution.

AWS Secrets Manager is designed to securely store and automatically rotate database credentials. It integrates natively with Amazon RDS and supports scheduled credential rotation without application changes.

RDS Proxy manages database connections by pooling and reusing connections, which is critical for write-intensive workloads with sudden spikes in client connections. It improves scalability and reduces database resource exhaustion.

KMS rotates encryption keys, not database credentials. Read replicas do not help with write scaling or connection spikes.

Therefore, Secrets Manager combined with RDS Proxy is the correct solution.

AWS Systems Manager Session Manager allows secure, auditable instance access without SSH keys or inbound ports. To control access based on instance tags, CloudOps best practices require two configurations:

Attach an IAM policy to users or groups granting ssm:StartSession, ssm:DescribeInstanceInformation, and ssm:DescribeSessions.

Include a Condition element in the IAM policy referencing instance tags, such as Condition: {"StringEquals": {"ssm:resourceTag/Environment": "Production"}}.

This ensures users can start sessions only with instances that have matching tags, providing fine-grained access control.

AWS CloudOps documentation under Security and Compliance states:

“Use IAM policies with resource tags in the Condition element to restrict which managed instances users can access using Session Manager.”

Options B and D incorrectly suggest attaching roles or service accounts that are not relevant to user-level access control. Option C (placement groups) pertains to networking and performance, not access management. Therefore, A and E together provide tag-based, least-privilege access as required.

An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and supports advanced routing features, including HTTP-to-HTTPS redirection. To meet the requirement of protecting traffic with ACM certificates and automatically redirecting HTTP requests, the ALB must be configured with two listeners.

The correct design is to create an HTTP listener on port 80 and an HTTPS listener on port 443. The SSL/TLS certificate from AWS Certificate Manager is attached to the HTTPS listener. A listener rule on port 80 redirects incoming HTTP requests to HTTPS on port 443, ensuring all client connections are encrypted.

Option A is invalid because HTTPS cannot operate on port 80. Option C uses TCP listeners, which do not support HTTP-level redirects. Option D uses a Network Load Balancer, which operates at Layer 4 and does not support HTTP redirects.

Therefore, Option B is the only solution that satisfies all requirements using AWS-native features with minimal complexity.