© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Amazon Web Services · Free Practice Questions · Last reviewed May 2026

SOA-C02 Exam Questions and Answers

36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

65 exam questions
180 min time limit
Pass: 720/1000
6 exam domains
Domains:
1. Monitoring, Logging, and Remediation
2. Reliability and Business Continuity
3. Deployment, Provisioning, and Automation
4. Security and Compliance
5. Networking and Content Delivery
6. Cost and Performance Optimization

Domain 1: Monitoring, Logging, and Remediation

Q1
Difficulty: medium

A company uses AWS CloudTrail to log API calls across all regions. The SysOps administrator notices that logs for a specific region are missing from the centralized S3 bucket. What is the most likely cause?

A

The CloudTrail trail is not enabled for that region.

Correct. CloudTrail must be explicitly enabled for each region or a multi-region trail must be used. Missing logs for a specific region strongly suggests the trail is not applied there.

B

The S3 bucket policy denies write access from CloudTrail for that region.

C

CloudTrail log file validation is disabled.

D

The IAM role for CloudTrail does not have permissions to write logs from that region.

Why: CloudTrail trails can be configured to log API calls from specific regions or all regions. If logs for a particular region are missing from the centralized S3 bucket, the most likely cause is that the trail was not enabled for that region during trail creation or update. By default, a trail applied to all regions will automatically log activity from every region, but if the trail is configured for a single region or a subset, other regions will not have their logs delivered.
Q2
Difficulty: hard

A SysOps team needs to monitor application logs in Amazon CloudWatch Logs for specific error codes and automatically invoke an AWS Lambda function for remediation within 5 minutes of an error occurring. Which solution involves the least operational overhead?

A

Create a CloudWatch Logs subscription filter to stream logs directly to an AWS Lambda function.

B

Create a CloudWatch metric filter on the log group, create a CloudWatch alarm on the metric, and configure the alarm to post to an SNS topic that triggers the Lambda function.

Correct. This uses native CloudWatch features with minimal overhead; with a 1-minute alarm period the remediation starts well inside the 5-minute window.

C

Use a third-party log aggregation tool that sends webhook notifications to an API Gateway endpoint to invoke the Lambda function.

D

Write a custom script that runs on an EC2 instance to poll CloudWatch Logs every minute and invoke the Lambda function.

Why: Option B is correct because it uses CloudWatch metric filters and alarms to detect error codes in logs and trigger remediation via SNS and Lambda, all within a fully managed AWS pipeline. The only custom code is the remediation function itself, which every option needs; there is no polling infrastructure to maintain. Metric filters publish at 1-minute granularity, so an alarm with a 60-second period and one evaluation period transitions to ALARM within a couple of minutes of the first matching event, comfortably inside the 5-minute requirement. Option A works but invokes Lambda for every batch of matching events and pushes the counting and de-duplication into your code; options C and D add infrastructure that has to be run, patched and secured.
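The pipeline above can be reasoned about offline. The following is an added example, not code from the original page: a simplified model of a CloudWatch Logs metric filter feeding an M-of-N alarm, run over constructed sample log lines to show how the period and evaluation settings bound the detection latency. Assumptions: the matcher implements only term patterns (every bare or quoted term must appear in the event), not the JSON or space-delimited syntaxes, and periods with no matching events count as 0, which is what you get when the metric filter's default value is set to 0.

```python
"""Added example (not from the original page): offline model of the
CloudWatch Logs metric filter -> alarm evaluation described above.
Sample log events are constructed; see the lead-in for the assumptions."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log events (timestamp, message): two 500s in one minute,
# a 503 three minutes later, benign lines in between.
SAMPLE_EVENTS = [
    ("2026-05-01T10:00:05Z", "INFO  request ok status=200"),
    ("2026-05-01T10:00:17Z", "ERROR status=500 upstream timeout"),
    ("2026-05-01T10:00:42Z", "ERROR status=500 db unreachable"),
    ("2026-05-01T10:01:30Z", "INFO  request ok status=200"),
    ("2026-05-01T10:03:09Z", "ERROR status=503 circuit open"),
]


def to_epoch(ts):
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def parse_filter_pattern(pattern):
    """'"ERROR" "status=500"' or 'ERROR status=500' -> ['ERROR', 'status=500']."""
    return [term.strip('"') for term in pattern.split()]


def event_matches(message, terms):
    # Term matching is case-sensitive and every term must be present.
    return all(term in message for term in terms)


def metric_datapoints(events, pattern, period_seconds=60):
    """Emulate the metric filter: count of matching events per period,
    keyed by the period start in Unix seconds."""
    terms = parse_filter_pattern(pattern)
    counts = Counter()
    for ts, message in events:
        if event_matches(message, terms):
            epoch = to_epoch(ts)
            counts[epoch - epoch % period_seconds] += 1
    return dict(counts)


def alarm_fires_at(datapoints, threshold, evaluation_periods=1,
                   datapoints_to_alarm=None, period_seconds=60):
    """Emulate an alarm with statistic Sum and comparison
    GreaterThanOrEqualToThreshold, evaluated M-of-N over sliding windows.
    Returns the ISO-8601 time the alarm enters ALARM (end of the breaching
    window), or None if it never does. Missing periods count as 0."""
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    if not datapoints:
        return None
    first, last = min(datapoints), max(datapoints)
    for end in range(first, last + period_seconds, period_seconds):
        window = [end - i * period_seconds for i in range(evaluation_periods)]
        breaching = sum(1 for p in window if datapoints.get(p, 0) >= threshold)
        if breaching >= datapoints_to_alarm:
            return datetime.fromtimestamp(end + period_seconds, tz=timezone.utc).isoformat()
    return None


def detection_latency_seconds(events, pattern, **alarm_kwargs):
    """Seconds between the first matching event and the ALARM transition,
    or None when the alarm configuration never fires on these events."""
    terms = parse_filter_pattern(pattern)
    matching = [to_epoch(ts) for ts, msg in events if event_matches(msg, terms)]
    fired = alarm_fires_at(metric_datapoints(events, pattern), **alarm_kwargs)
    if not matching or fired is None:
        return None
    return to_epoch(fired) - min(matching)


if __name__ == "__main__":
    cases = [
        ('"ERROR"', {"threshold": 1}),
        ('"ERROR" "status=500"', {"threshold": 2}),
        ('"ERROR"', {"threshold": 1, "evaluation_periods": 3, "datapoints_to_alarm": 2}),
    ]
    for pattern, kwargs in cases:
        print(pattern, kwargs, "->", detection_latency_seconds(SAMPLE_EVENTS, pattern, **kwargs))
```

The third case is the one to notice: a 2-of-3 alarm never fires on these events even though three errors occurred, because no three-minute window holds two breaching periods. Requiring several datapoints suppresses flapping but lengthens (or defeats) detection, so size M-of-N against the 5-minute budget, not just the threshold.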
Q3
Difficulty: medium

A company uses an Amazon S3 bucket to store sensitive data. The SysOps administrator needs to be notified within 15 minutes if any object in the bucket becomes publicly accessible. Which solution will meet this requirement with the least operational overhead?

A

Configure an S3 event notification for all object creation events and publish to an Amazon SNS topic that sends an email alert.

B

Use an AWS Config managed rule to detect 's3-bucket-public-read-prohibited' and trigger an SNS notification via Amazon EventBridge.

C

Enable Amazon CloudTrail data events for the S3 bucket and create a CloudWatch Logs metric filter for PutObjectAcl (or PutObject with public ACL) and set an alarm.

D

Configure S3 event notifications for 's3:ObjectCreated:Put' and 's3:ObjectCreated:PutObjectAcl' with a suffix/prefix filter for public grants, sending to an SNS topic.

Correct. S3 delivers an event notification within seconds of an object being written or its ACL set, so the alert reaches the SNS topic well inside the 15-minute window using only S3 and SNS.

Why: Option D is the intended answer because S3 event notifications fire within seconds of an object being created or its ACL changed and can publish straight to an SNS topic, so no additional service is needed to meet the 15-minute requirement. Two corrections a practitioner should know: the event type for ACL changes is `s3:ObjectAcl:Put` (there is no `s3:ObjectCreated:PutObjectAcl`), and prefix/suffix filters match only the object key, not ACL grants, so deciding whether the new ACL actually grants `public-read` or `public-read-write` has to be done by a subscriber that reads the ACL (for example a Lambda function calling GetObjectAcl); otherwise the notification fires for every ACL change. If S3 Block Public Access is enabled on the bucket or account (the default for buckets created since April 2023), public ACLs are rejected outright and this notification becomes a tripwire for a block that someone has disabled. Option B is wrong because Config rules evaluate bucket configuration, not individual object ACLs; option C works but adds CloudTrail data events, a metric filter and an alarm; option A fires on every upload regardless of ACL.
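The check that the subscriber has to perform, as an added example that is not code from the original page: prefix and suffix filters match only the object key, so whether a new ACL is public must be decided by reading the ACL. The event record and ACL documents below are constructed sample data shaped like an S3 event notification and GetObjectAcl responses; the bucket name, keys and topic ARN variable are made up, and the ACL fetch is injected so the logic runs without AWS credentials.

```python
"""Added example (not from the original page): deciding whether an S3
object whose ACL just changed is public. Sample event and ACLs are
constructed; see the lead-in."""
import json
from urllib.parse import unquote_plus

# Predefined S3 groups whose presence in a grant makes the object public.
# AuthenticatedUsers means any AWS account, which is public for practical purposes.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl):
    """(group, permission) pairs in a GetObjectAcl-shaped ACL that grant
    access to everyone or to all AWS accounts."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def handle_s3_event(event, get_object_acl):
    """Handler logic: for each ObjectAcl:Put or ObjectCreated:* record, fetch
    the object's ACL through the injected callable (a boto3 S3 client's
    get_object_acl in production) and report the objects that are now public."""
    alerts = []
    for record in event.get("Records", []):
        name = record.get("eventName", "")
        if not (name.startswith("ObjectAcl:") or name.startswith("ObjectCreated:")):
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        grants = public_grants(get_object_acl(Bucket=bucket, Key=key))
        if grants:
            alerts.append({"bucket": bucket, "key": key, "grants": grants})
    return alerts


# Constructed sample event: an ACL change and an ordinary upload.
SAMPLE_EVENT = {"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectAcl:Put",
     "s3": {"bucket": {"name": "example-sensitive-bucket"},
            "object": {"key": "exports/customers+q2.csv"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-sensitive-bucket"},
            "object": {"key": "exports/internal.csv"}}},
]}

# Constructed ACLs keyed by decoded object key, shaped like GetObjectAcl responses.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
SAMPLE_ACLS = {
    "exports/customers q2.csv": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "exports/internal.csv": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}


def fake_get_object_acl(Bucket, Key):
    """Offline stand-in for boto3's s3.get_object_acl."""
    return SAMPLE_ACLS[Key]


def lambda_handler(event, context=None):
    """Deployed entry point: reads real ACLs and publishes one alert to the
    SNS topic named by the (assumed) ALERT_TOPIC_ARN environment variable."""
    import os
    import boto3  # imported here so the module also loads where boto3 is absent
    alerts = handle_s3_event(event, boto3.client("s3").get_object_acl)
    if alerts:
        boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],
                                    Subject="Public object ACL detected",
                                    Message=json.dumps(alerts))
    return alerts


if __name__ == "__main__":
    print(handle_s3_event(SAMPLE_EVENT, fake_get_object_acl))
```

The key decoding matters in practice: S3 URL-encodes object keys in notifications (a space becomes `+`), so a handler that passes the raw key to GetObjectAcl gets a NoSuchKey error for exactly the objects with unusual names.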
Q4
Difficulty: medium

A SysOps administrator is troubleshooting an application that runs on AWS Lambda. The application occasionally fails with timeout errors. The administrator needs to identify the exact lines of code that are causing the delays. Which AWS service or feature should be used to gather this information?

A

Enable detailed CloudWatch Logs and search for 'timeout' strings.

B

Use AWS X-Ray to trace the Lambda function and view segment details.

Correct. X-Ray records a trace for each invocation, and with the SDK the developer can wrap sections of code in subsegments, so the trace timeline shows which downstream calls or instrumented code sections consume the time.

C

Set a CloudWatch Metric Filter for 'Duration' and create an alarm.

D

Enable AWS CloudTrail data events for the Lambda function.

Why: AWS X-Ray provides end-to-end tracing for Lambda functions. The trace timeline shows the function segment with subsegments for each downstream call the SDK instruments (DynamoDB, S3 or HTTP requests, for example) and for any custom subsegments the developer wraps around sections of code, so the administrator can see which operation is consuming the time before the timeout. CloudWatch Logs shows only the reported duration and error strings without that per-operation breakdown; a metric filter on Duration (option C) and CloudTrail data events (option D) give no code-level view either. X-Ray resolves only to the subsegments you instrument, so "exact lines" in practice means the code sections you chose to wrap.
Q5
Difficulty: medium

A SysOps administrator needs to monitor the CPU utilization of an Amazon EC2 instance fleet and send an alert when the average CPU utilization exceeds 80% for 10 consecutive minutes. The administrator also wants to automatically stop the instance if the CPU utilization remains above 90% for 30 minutes to prevent runaway costs. Which combination of AWS services should be used?

A

Amazon CloudWatch alarm + AWS Lambda + AWS Systems Manager Automation

B

Amazon CloudWatch alarm + Amazon Simple Notification Service (SNS) + AWS Lambda

Correct. A CloudWatch alarm monitors the CPU metric and publishes to an SNS topic when the threshold is breached. The SNS topic triggers a Lambda function that calls the EC2 StopInstances API to stop the instance. This is a clean, low-overhead solution.

C

Amazon CloudWatch Logs + Amazon EventBridge + AWS Step Functions

D

AWS CloudTrail + Amazon EventBridge + AWS CodePipeline

Why: Option B is correct because Amazon CloudWatch alarms monitor the CPUUtilization metric and publish to an SNS topic, which both delivers the notification and invokes an AWS Lambda function. Two alarms cover the two thresholds: one at 80% for 10 minutes (notification only) and one at 90% for 30 minutes (notification plus the Lambda action). The Lambda function calls StopInstances for the instance named in the alarm, providing automated cost control without manual intervention. A practitioner's caveat: an alarm on a single instance can also stop it directly through a built-in EC2 alarm action without Lambda; Lambda earns its place when the alarm is on a fleet-level metric and the function must decide which instances to stop.
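The function at the end of that chain, as an added example that is not code from the original page: it parses the CloudWatch alarm notification SNS delivers, takes the InstanceId dimension of the alarm and stops that instance only on an ALARM transition. The EC2 call is injected so the decision logic runs offline; the SNS event below is constructed sample data shaped like a real alarm notification, and the alarm name and instance IDs are made up.

```python
"""Added example (not from the original page): Lambda logic that stops the
EC2 instance named in a CloudWatch alarm notification delivered via SNS.
Sample event is constructed; see the lead-in."""
import json


def parse_alarm_notifications(sns_event):
    """One dict per CloudWatch alarm notification in the SNS event."""
    alarms = []
    for record in sns_event.get("Records", []):
        if record.get("EventSource") != "aws:sns":
            continue
        msg = json.loads(record["Sns"]["Message"])
        trigger = msg.get("Trigger", {})
        dims = {d["name"]: d["value"] for d in trigger.get("Dimensions", [])}
        alarms.append({
            "name": msg["AlarmName"],
            "state": msg["NewStateValue"],          # ALARM | OK | INSUFFICIENT_DATA
            "metric": trigger.get("MetricName"),
            "namespace": trigger.get("Namespace"),
            "instance_id": dims.get("InstanceId"),  # absent for fleet-level alarms
        })
    return alarms


def instances_to_stop(sns_event, expected_metric="CPUUtilization"):
    """Act only on ALARM for the expected EC2 metric: the same topic also
    carries OK transitions, and a mis-wired alarm must never stop a host."""
    return sorted({a["instance_id"] for a in parse_alarm_notifications(sns_event)
                   if a["state"] == "ALARM" and a["namespace"] == "AWS/EC2"
                   and a["metric"] == expected_metric and a["instance_id"]})


def remediate(sns_event, stop_instances):
    """stop_instances is boto3 ec2.stop_instances in production."""
    ids = instances_to_stop(sns_event)
    if ids:
        stop_instances(InstanceIds=ids)
    return ids


def lambda_handler(event, context=None):
    import boto3  # imported here so the module loads without boto3 installed
    return remediate(event, boto3.client("ec2").stop_instances)


def _alarm_message(name, state, instance_id):
    """Constructed alarm notification body in the shape CloudWatch publishes."""
    return json.dumps({
        "AlarmName": name,
        "NewStateValue": state,
        "OldStateValue": "OK" if state == "ALARM" else "ALARM",
        "NewStateReason": "Threshold Crossed: 6 datapoints were greater than the threshold (90.0).",
        "Trigger": {"MetricName": "CPUUtilization", "Namespace": "AWS/EC2", "Statistic": "AVERAGE",
                    "Dimensions": [{"value": instance_id, "name": "InstanceId"}],
                    "Period": 300, "EvaluationPeriods": 6,  # 6 x 5 min = 30 min above 90%
                    "ComparisonOperator": "GreaterThanThreshold", "Threshold": 90.0},
    })


# Constructed sample: one instance crossing into ALARM, another returning to OK.
SAMPLE_SNS_EVENT = {"Records": [
    {"EventSource": "aws:sns",
     "Sns": {"Message": _alarm_message("cpu-90-30min", "ALARM", "i-0123456789abcdef0")}},
    {"EventSource": "aws:sns",
     "Sns": {"Message": _alarm_message("cpu-90-30min", "OK", "i-0fedcba9876543210")}},
]}


if __name__ == "__main__":
    stopped = remediate(SAMPLE_SNS_EVENT, lambda InstanceIds: print("StopInstances", InstanceIds))
    print("stopped:", stopped)
```

Filtering on state, namespace and metric is the security-relevant part: the Lambda's execution role holds `ec2:StopInstances`, so anyone who can publish to the topic can otherwise stop hosts by sending a fabricated message. Restrict the topic's resource policy to the CloudWatch alarm principal as well.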
Q6
Difficulty: medium

A SysOps administrator manages an application that runs on Amazon EC2 instances and stores critical data in Amazon Elastic Block Store (EBS) volumes. The administrator needs to monitor the EBS volumes for any performance bottlenecks. The key metric of interest is the average number of I/O operations per second (IOPS) that are waiting to be completed. Which Amazon CloudWatch metric should the administrator examine?

A

VolumeQueueLength

Correct. This metric shows the number of pending I/O operations waiting to be serviced. A high value indicates a bottleneck.

B

VolumeReadOps

C

VolumeIdleTime

D

VolumeTotalReadTime

Why: The VolumeQueueLength metric measures the number of pending I/O requests waiting to be serviced by an EBS volume. A high value indicates that the volume is unable to keep up with the I/O demand, which is the direct indicator of a performance bottleneck related to IOPS waiting. This makes it the correct metric for the administrator's stated goal.


Domain 2: Reliability and Business Continuity

Q1
Difficulty: medium

An application uses an Amazon DynamoDB table with on-demand capacity. The SysOps administrator needs to ensure the table remains available during an AWS regional outage. Which strategy should be used?

A

Enable DynamoDB Accelerator (DAX).

B

Create a read replica in another region.

C

Use DynamoDB global tables.

Correct. Global tables replicate the table across multiple AWS Regions and accept reads and writes in each, so the data is already available in another Region if one becomes unavailable.

D

Increase read and write capacity units.

Why: DynamoDB global tables provide multi-Region, multi-active replication: the same table exists in every Region you select and serves reads and writes there, so during a Regional outage the application only has to direct its requests at a replica Region. This is the only option that addresses Regional fault tolerance; DAX is an in-Region cache, DynamoDB has no cross-Region read replicas, and capacity settings (which do not apply to an on-demand table anyway) have no effect on availability.
Q2
Difficulty: medium

A SysOps administrator is testing the failover of an Amazon RDS for PostgreSQL Multi-AZ DB instance. The application currently writes to the primary instance in us-east-1a. Which action will manually trigger a failover to the standby instance in us-east-1b?

A

Reboot the DB instance and select 'Reboot with failover'.

Correct. This explicitly triggers a failover to the standby instance.

B

Modify the DB instance to Single-AZ and then back to Multi-AZ.

C

Reboot the DB instance without selecting any failover option.

D

Promote the standby instance using the Amazon RDS console.

Why: Option A is correct because the 'Reboot with failover' option in the Amazon RDS console explicitly triggers a failover by rebooting the primary DB instance and forcing the Multi-AZ configuration to promote the standby instance in us-east-1b to become the new primary. This is the designed method for manually testing or initiating a failover in a Multi-AZ deployment.
Q3
Difficulty: easy

A company runs a web application on Amazon EC2 instances in a single Availability Zone. The SysOps administrator wants to increase the availability of the application so that it can survive an Availability Zone failure. Which action is the most effective?

A

Deploy an additional EC2 instance in the same Availability Zone.

B

Launch EC2 instances in two different Availability Zones and place them behind an Application Load Balancer.

Correct. Spreading instances across AZs with a load balancer ensures continued availability if one AZ becomes unavailable.

C

Enable termination protection on all EC2 instances.

D

Use an Amazon RDS Multi-AZ deployment for the database tier.

Why: Option B is correct because deploying EC2 instances across two different Availability Zones and placing them behind an Application Load Balancer (ALB) provides fault isolation. If one AZ fails, the ALB automatically routes traffic to the healthy instances in the other AZ, ensuring the application remains available. This architecture directly addresses the goal of surviving an AZ failure by eliminating the single point of failure at the AZ level.
Q4
Difficulty: medium

A company runs a stateful web application on a single Amazon EC2 instance with an Elastic IP address. The SysOps administrator needs to increase availability so that if the instance fails, a new instance can be launched quickly with the same configuration and the same IP address. The administrator also needs to ensure data is not lost. Which solution meets these requirements with the least operational overhead?

A

Use an Application Load Balancer with an Auto Scaling group and a launch configuration that includes the Elastic IP

B

Create an AMI from the instance, store data on an Amazon EFS file system, and use an Auto Scaling group with a lifecycle hook to associate the Elastic IP

Correct. The AMI provides a pre-configured launch template. EFS provides durable, shared storage for application data. The Auto Scaling group automatically launches a new instance if the current one fails, and the lifecycle hook script associates the Elastic IP to the new instance, ensuring continuity with the same IP.

C

Create a CloudFormation template that launches a new instance and associates the Elastic IP

D

Place the instance in an Auto Scaling group with a minimum of 1 and a maximum of 1, and set the health check to replace unhealthy instances

Why: Option B is correct because it separates the stateful data (stored on Amazon EFS) from the compute instance, ensuring data persistence even if the instance fails. Creating an AMI from the instance captures the configuration, and an Auto Scaling group with a lifecycle hook can associate the Elastic IP to the new instance automatically, providing a quick failover with minimal operational overhead.
Q5
Difficulty: medium

A company runs a critical production database on Amazon RDS for MySQL with a Multi-AZ deployment. The database experiences a primary instance failure. The SysOps administrator needs to understand exactly how the failover process worked and why the application experienced a longer-than-expected downtime. Which AWS service or feature should the administrator use to review detailed events and actions during the failover?

A

AWS Personal Health Dashboard

Correct. The Personal Health Dashboard (now the AWS Health Dashboard) shows events specific to the customer's account, including notices about the RDS Multi-AZ failover and any AWS-side cause, with their timing.

B

Amazon RDS Performance Insights

C

Amazon CloudWatch Logs

D

AWS CloudTrail

Why: The AWS Personal Health Dashboard (renamed the AWS Health Dashboard) gives an account-specific view of AWS service and resource health, including events for an RDS Multi-AZ failover such as when it was initiated and completed and any underlying AWS infrastructure issue (degraded hardware, for example) that prolonged it. Performance Insights shows database load, CloudWatch Logs carries the engine logs, and CloudTrail records API calls made by principals in the account; none of them records AWS-initiated failover actions. In practice, pair the dashboard with the RDS event log (describe-events for the instance), which records the failover-started and failover-completed events with their times and is where the DNS cutover delay usually shows up.
Q6
Difficulty: medium

A company runs a stateless web application on Amazon EC2 instances in an Auto Scaling group with a minimum of 2 and maximum of 10 instances. The instances are behind an Application Load Balancer (ALB). The SysOps administrator needs to ensure that the application can survive the failure of an entire AWS Availability Zone (AZ) in the region. Which configuration is necessary?

A

Configure the Auto Scaling group with subnets in at least two Availability Zones and ensure the ALB has subnets in the same AZs.

Correct. This distributes instances across multiple AZs, so if one AZ fails, the other AZ continues serving traffic.

B

Increase the Auto Scaling group minimum to 10 instances to absorb the failure.

C

Use larger instance types to handle the load of a failed AZ.

D

Use multiple Application Load Balancers in different AZs.

Why: Option A is correct because deploying the Auto Scaling group across multiple Availability Zones (AZs) and ensuring the ALB has subnets in the same AZs allows the application to continue serving traffic even if one entire AZ fails. The ALB can route requests to healthy instances in the remaining AZs, and the Auto Scaling group will replace failed instances in other AZs as needed, maintaining the minimum instance count. This architecture is a fundamental pattern for high availability in AWS.


Domain 3: Deployment, Provisioning, and Automation

Q1
Difficulty: hard

A team uses AWS CodeDeploy with a deployment configuration of CodeDeployDefault.OneAtATime to deploy a web application to an Auto Scaling group. Instances are behind an Application Load Balancer. The deployment fails with 'The overall deployment failed because too many individual instances failed deployment.' What is the most likely cause?

A

The health check grace period on the Auto Scaling group is too short.

Correct. A short grace period causes instances to be considered unhealthy before the deployment finishes, triggering Auto Scaling to replace them and causing repeated failures.

B

The target group deregistration delay is too long.

C

The CodeDeploy agent is not installed on the instances.

D

The deployment group is configured to skip the ELB health check.

Why: The deployment fails because the health check grace period on the Auto Scaling group is too short. When CodeDeploy deploys one instance at a time (CodeDeployDefault.OneAtATime), the instance is taken out of service, updated, and then returned to the load balancer. If the grace period expires before the instance passes its health checks, the Auto Scaling group marks it as unhealthy and terminates it, causing the deployment to fail with 'too many individual instances failed.'
Q2
Difficulty: easy

A development team uses AWS CloudFormation to deploy infrastructure. They want to update a stack but first need to review how the changes will impact existing resources before applying them. Which CloudFormation feature should they use?

A

Change sets

Correct. Change sets provide a preview of the changes that will be made to the stack, enabling review before execution.

B

Stack policies

C

Condition functions

D

Custom resources

Why: Change sets allow you to preview how proposed changes to a CloudFormation stack will affect your running resources before you apply them. They generate a summary of the changes (additions, modifications, deletions) based on the new template and parameters, enabling you to assess impact such as resource replacement or updates without executing the changes. This directly addresses the team's requirement to review changes before applying them.
Q3
Difficulty: medium

A company uses AWS CodeDeploy to deploy a new version of an application to EC2 instances in an Auto Scaling group behind an Application Load Balancer. The company requires zero downtime during the deployment. Which deployment configuration should be used?

A

CodeDeployDefault.AllAtOnce

B

CodeDeployDefault.OneAtATime

C

CodeDeployDefault.EC2/OnPremises: BlueGreenDeployment

D

Create a blue/green deployment by configuring CodeDeploy to launch new instances and shift traffic after validation.

Correct. Blue/green deployment with CodeDeploy allows routing traffic to new instances and cutting over after validation, ensuring zero downtime.

Why: Option D is correct because a blue/green deployment with CodeDeploy, where new instances are launched and traffic is shifted only after validation, ensures zero downtime by keeping the old environment (blue) fully serving traffic until the new environment (green) is verified healthy. This approach avoids any in-place updates that could temporarily reduce capacity or cause service disruption, meeting the requirement for zero downtime during deployment.
Q4
Difficulty: easy

A company uses AWS CloudFormation to deploy a three-tier web application. The SysOps administrator wants to update a critical parameter, such as the instance type, and ensure that the change is applied without recreating the EC2 instance, if possible. Which CloudFormation stack update feature should be used to achieve this?

A

Change sets

Correct. Change sets allow you to preview how changes will affect your resources, including whether an update will cause replacement or in-place modification, giving you control to avoid unnecessary recreation.

B

Stack policy

C

Update with drift detection

D

Directly edit the stack template and use the update stack action

Why: Change sets let you preview the changes CloudFormation will make to stack resources before executing them, including, for each modified resource, whether Replacement is True, False or Conditional. For AWS::EC2::Instance, changing InstanceType is documented as "Some interruptions": CloudFormation stops and restarts the existing EBS-backed instance with the new type rather than creating a new one, so the change set reports Replacement: False and the instance ID and attached EBS volumes survive the restart (instance store data does not). Reviewing the change set confirms this before the update runs. A stack policy (option B) only blocks updates to protected resources, drift detection reports differences between the template and the live resources rather than previewing an update, and updating the stack directly (option D) gives no preview at all.
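Reading a change set the way Q2 and this question describe, as an added example that is not code from the original page: the function flags every change that would remove a resource or replace it, so the reviewer can refuse to execute a change set that would recreate the instance. The input is a constructed sample shaped like the Changes list that DescribeChangeSet returns; the logical IDs, physical IDs and property names are made up, and the live helper that pages through the API with boto3 is assumed to be what you would call instead of the sample.

```python
"""Added example (not from the original page): find replacements and
removals in a CloudFormation change set before executing it.
Sample change set is constructed; see the lead-in."""

REPLACEMENT_RISK = {"True", "Conditional"}  # values of ResourceChange.Replacement


def summarize_changes(changes):
    """Flatten Resource changes into rows with the fields a reviewer needs."""
    rows = []
    for change in changes:
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        props = sorted({d["Target"]["Name"] for d in rc.get("Details", [])
                        if d.get("Target", {}).get("Attribute") == "Properties"})
        rows.append({
            "logical_id": rc["LogicalResourceId"],
            "type": rc["ResourceType"],
            "action": rc["Action"],                # Add | Modify | Remove | Import | Dynamic
            "replacement": rc.get("Replacement"),  # True | False | Conditional, Modify only
            "properties": props,
        })
    return rows


def blocking_changes(changes):
    """Changes that would lose the resource or its identity: removals, and
    modifications whose Replacement is True or Conditional. Conditional means
    CloudFormation cannot tell until runtime (the new value depends on another
    resource), so treat it as a replacement until proven otherwise."""
    return [r for r in summarize_changes(changes)
            if r["action"] == "Remove" or r["replacement"] in REPLACEMENT_RISK]


def safe_to_execute(changes):
    return not blocking_changes(changes)


# Constructed sample: an in-place instance type change (RequiresRecreation
# Never), a database change that forces replacement, and a new security group.
SAMPLE_CHANGES = [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "WebServer",
        "PhysicalResourceId": "i-0123456789abcdef0", "ResourceType": "AWS::EC2::Instance",
        "Replacement": "False", "Scope": ["Properties"],
        "Details": [{"Target": {"Attribute": "Properties", "Name": "InstanceType",
                                "RequiresRecreation": "Never"},
                     "Evaluation": "Static", "ChangeSource": "ParameterReference",
                     "CausingEntity": "InstanceTypeParam"}]}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "AppDatabase",
        "PhysicalResourceId": "app-db", "ResourceType": "AWS::RDS::DBInstance",
        "Replacement": "True", "Scope": ["Properties"],
        "Details": [{"Target": {"Attribute": "Properties", "Name": "MasterUsername",
                                "RequiresRecreation": "Always"},
                     "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Add", "LogicalResourceId": "AppSecurityGroup",
        "ResourceType": "AWS::EC2::SecurityGroup", "Scope": [], "Details": []}},
]


def describe_change_set_changes(stack_name, change_set_name):
    """Live variant: page through DescribeChangeSet with boto3 and return
    the combined Changes list for the functions above."""
    import boto3  # imported here so the module loads without boto3 installed
    cfn = boto3.client("cloudformation")
    kwargs = {"StackName": stack_name, "ChangeSetName": change_set_name}
    changes = []
    while True:
        resp = cfn.describe_change_set(**kwargs)
        changes.extend(resp.get("Changes", []))
        if not resp.get("NextToken"):
            return changes
        kwargs["NextToken"] = resp["NextToken"]


if __name__ == "__main__":
    for row in summarize_changes(SAMPLE_CHANGES):
        print(row)
    print("blocking:", [r["logical_id"] for r in blocking_changes(SAMPLE_CHANGES)])
    print("safe to execute:", safe_to_execute(SAMPLE_CHANGES))
```

Running this in a pipeline step between create-change-set and execute-change-set turns the manual review into a gate: the instance-type change passes, the database replacement stops the deployment.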
Q5
Difficulty: hard

A company uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment strategy is set to CodeDeployDefault.HalfAtATime. The lifecycle hooks for the Auto Scaling group include a test hook that runs during instance launch. During a recent deployment, the deployment failed because the new instances failed the test hook and were not marked as healthy. The SysOps administrator needs to ensure that failed instances are automatically terminated and replaced with new ones from the Auto Scaling group. Which configuration change should the administrator make?

A

Modify the Auto Scaling group's health check type to ELB

Correct. When the health check type is set to ELB, the Auto Scaling group uses the Application Load Balancer's health checks. If the test hook fails, the instance will be marked unhealthy by the ALB, and the Auto Scaling group will terminate and replace it, ensuring only healthy instances remain.

B

Modify the CodeDeploy deployment configuration to use an increased minimum healthy instance count

C

Modify the Auto Scaling group's health check grace period to a lower value

D

Modify the CodeDeploy deployment to ignore the lifecycle hook failure

Why: Option A is correct because setting the Auto Scaling group's health check type to ELB (Elastic Load Balancer) ensures that the Auto Scaling group uses the ELB's health check status to determine instance health. When the test lifecycle hook fails, the new instances are not marked as healthy by the ELB, causing the Auto Scaling group to automatically terminate and replace them. This aligns with the requirement to automatically replace failed instances, as the default EC2 health check only considers instance status (e.g., running vs. stopped) and does not reflect application-level health.
Q6
Difficulty: easy

A company uses AWS CloudFormation to deploy a web application. The template currently hard-codes the EC2 instance type (e.g., t3.medium). The SysOps administrator wants to make the instance type configurable so that different environments (dev, test, prod) can use different instance types without modifying the template each time. Which CloudFormation feature enables this?

A

Parameters

Correct. Parameters allow users to input values when creating or updating a stack, making the template reusable for different environments.

B

Mappings

C

Conditions

D

Outputs

Why: Option A is correct because CloudFormation Parameters allow you to pass custom values into a template at stack creation or update time. By defining a parameter for the instance type (e.g., with allowed values like t3.micro, t3.medium, t3.large), you can reuse the same template across dev, test, and prod environments without editing the template file itself.


Domain 4: Security and Compliance

Q1
Difficulty: medium

An organization requires that all Amazon S3 buckets be encrypted at rest by default. A SysOps administrator needs to enforce this using AWS Config. Which AWS Config managed rule should be used?

A

s3-bucket-encryption-enabled

Correct. This rule evaluates whether default encryption is configured on the bucket, meeting the requirement for encryption at rest.

B

s3-bucket-ssl-requests-only

C

s3-bucket-public-read-prohibited

D

s3-bucket-logging-enabled

Why: The AWS Config managed rule that checks bucket default encryption is `s3-bucket-server-side-encryption-enabled` (option A gives a shortened name); it flags any bucket whose default encryption configuration does not specify SSE-S3 or SSE-KMS, which is the bucket-level control for encryption at rest. SSE-C cannot be a bucket default because the customer supplies the key on each request. Two caveats: since January 2023 S3 applies SSE-S3 default encryption to every bucket, so in a current account this rule reports compliant unless the real requirement is SSE-KMS with a particular key, which is what `s3-default-encryption-kms` checks. The other rules check TLS-only access, public-read blocking and access logging, none of which is encryption at rest.
Q2
Difficulty: medium

A SysOps administrator needs to ensure that all traffic to an Application Load Balancer (ALB) uses encryption. How can this be enforced?

A

Configure the security group to allow only HTTPS traffic (port 443).

B

Create a listener that redirects HTTP requests (port 80) to HTTPS (port 443).

Correct. An ALB listener rule can redirect HTTP to HTTPS, ensuring clients use encrypted connections.

C

Use AWS WAF to block HTTP requests.

D

Configure the ALB to use a custom SSL certificate.

Why: Option B is correct because an Application Load Balancer can be configured with a listener rule that redirects incoming HTTP (port 80) requests to HTTPS (port 443). This ensures that all traffic to the ALB is encrypted in transit, as any unencrypted HTTP request is automatically redirected to the secure HTTPS protocol. The redirect action is a native ALB feature and does not require additional services or complex configurations. One caveat: the initial HTTP request still travels in cleartext before the client is redirected, so pair the redirect with a Strict-Transport-Security (HSTS) header from the application so browsers never send that first request over HTTP. Option A blocks port 80 rather than upgrading it, so clients that type a plain http:// URL get a connection failure; option D enables HTTPS but does nothing about the HTTP listener; AWS WAF inspects request content and is not the mechanism for enforcing transport encryption.
Q3
Difficulty: medium

An organization requires that all Amazon S3 buckets block public access entirely. A SysOps administrator needs to ensure that no bucket can be made public, even accidentally. Which approach enforces this control at the organizational level?

A

Apply an S3 Bucket Policy on each bucket that denies public access.

B

Use an AWS Config managed rule 's3-bucket-public-read-prohibited' to detect and remediate public buckets.

C

Enable S3 Block Public Access at the account level and attach an SCP to deny changes to it.

Correct. Account-level Block Public Access rejects public bucket policies and ACLs for every bucket in the account, and an SCP prevents anyone in the account from disabling it.

D

Create an IAM policy that denies s3:PutBucketPolicy for all users.

Why: Option C is correct because S3 Block Public Access at the account level overrides bucket policies and ACLs for every bucket in the account, so no bucket can be made public by a misconfigured policy or ACL. On its own the setting can be switched off by anyone holding `s3:PutAccountPublicAccessBlock`, which is why the SCP matters: a service control policy that denies that action (and `s3:PutBucketPublicAccessBlock`, if bucket-level settings must also stay pinned) binds every principal in the member account, administrators included, because SCPs cap what IAM can grant. The account-level setting is per account, so it must be enabled in each account, with the SCP attached at the organization root or OU. Options A and D are per-bucket or per-principal and are bypassed by the next new bucket or new principal; option B is detective and reacts only after the bucket has already been public.
Q4
Difficulty: medium

A company's security team requires that all Amazon EC2 instances in a specific AWS account must have the tag 'Environment' set to either 'Production' or 'Test'. Any instance that is launched without this tag or with an invalid value must be automatically terminated within five minutes. Which combination of AWS services can enforce this requirement with minimal manual intervention?

A

AWS Config with a custom rule and AWS Lambda

Correct. A custom AWS Config rule can evaluate EC2 instances when they are created (configuration change trigger) and invoke an AWS Lambda function to terminate instances lacking the required tag or having an invalid value. This provides continuous compliance enforcement.

B

AWS CloudTrail and Amazon CloudWatch Events

C

AWS Service Catalog and AWS Organizations

D

Amazon Inspector and AWS Systems Manager

Why: AWS Config with a custom rule can evaluate EC2 instances for the required 'Environment' tag with valid values. The rule's Lambda function receives the instance's configuration item on every configuration change, returns NON_COMPLIANT when the tag is missing or invalid, and terminates the instance, meeting the five-minute window with no manual steps. Option B (CloudTrail plus EventBridge rules on RunInstances) would also react quickly to launches but would miss tags that are removed or changed after launch, which the Config rule catches because it re-evaluates on every configuration change.
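The Lambda function behind such a custom rule, as an added example that is not code from the original page: Config invokes it with an event whose invokingEvent is a JSON string carrying the configurationItem; the function checks the Environment tag, builds the evaluation Config expects and terminates the instance when it is NON_COMPLIANT. The EC2 and Config calls are injected or deferred so the logic runs offline; the event below is constructed sample data, and the instance ID, result token and allowedValues rule parameter are made up.

```python
"""Added example (not from the original page): custom AWS Config rule Lambda
that enforces an Environment tag and terminates offending EC2 instances.
Sample invocation events are constructed; see the lead-in."""
import json

REQUIRED_TAG = "Environment"
DEFAULT_ALLOWED = {"Production", "Test"}
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate_tags(tags, required=REQUIRED_TAG, allowed=DEFAULT_ALLOWED):
    """(ComplianceType, Annotation) for a resource's tag map."""
    value = tags.get(required)
    if value is None:
        return "NON_COMPLIANT", f"missing required tag {required}"
    if value not in allowed:
        return "NON_COMPLIANT", f"{required}={value!r} not in {sorted(allowed)}"
    return "COMPLIANT", f"{required}={value}"


def evaluate(event):
    """Build the Evaluations list for one invocation. Only EC2 instances are
    judged; deleted items are NOT_APPLICABLE so they drop out of the report."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:
        # OversizedConfigurationItemChangeNotification carries only a summary;
        # a production rule would fetch the item with get_resource_config_history.
        raise ValueError(f"unsupported messageType {invoking.get('messageType')}")
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {v.strip() for v in
               params.get("allowedValues", ",".join(sorted(DEFAULT_ALLOWED))).split(",")}
    if item["configurationItemStatus"] in DELETED_STATUSES:
        ctype, note = "NOT_APPLICABLE", "resource deleted"
    elif item["resourceType"] != "AWS::EC2::Instance":
        ctype, note = "NOT_APPLICABLE", "not an EC2 instance"
    else:
        ctype, note = evaluate_tags(item.get("tags") or {}, allowed=allowed)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note[:256],  # Config rejects annotations over 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def handle(event, terminate_instances):
    """Evaluate, then terminate every NON_COMPLIANT instance through the
    injected callable (boto3 ec2.terminate_instances in production)."""
    evaluations = evaluate(event)
    doomed = [e["ComplianceResourceId"] for e in evaluations
              if e["ComplianceType"] == "NON_COMPLIANT"]
    if doomed:
        terminate_instances(InstanceIds=doomed)
    return evaluations, doomed


def lambda_handler(event, context=None):
    import boto3  # imported here so the module loads without boto3 installed
    evaluations, _ = handle(event, boto3.client("ec2").terminate_instances)
    boto3.client("config").put_evaluations(Evaluations=evaluations,
                                           ResultToken=event["resultToken"])
    return evaluations


def sample_event(tags):
    """Constructed Config invocation for an instance carrying the given tags."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
                "configurationItemStatus": "ResourceDiscovered",
                "configurationItemCaptureTime": "2026-05-01T10:00:00.000Z",
                "tags": tags}}),
        "ruleParameters": json.dumps({"allowedValues": "Production,Test"}),
        "resultToken": "example-result-token",
    }


if __name__ == "__main__":
    for tags in ({"Environment": "Production"}, {"Environment": "Staging"}, {}):
        print(tags, "->", handle(sample_event(tags),
                                 lambda InstanceIds: print("TerminateInstances", InstanceIds)))
```

Note that the function's execution role carries `ec2:TerminateInstances`, so scope it with a condition (for example `aws:RequestTag`/`ec2:ResourceTag` on the instances it may touch) and keep the rule's trigger limited to AWS::EC2::Instance; an over-broad role here is a destructive primitive for anyone who can invoke the function.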
Q5
Difficulty: medium

A company has an AWS account that contains multiple Amazon S3 buckets with sensitive data. A SysOps administrator needs to ensure that all S3 buckets in the account have versioning enabled to protect against accidental deletions. The administrator wants to automatically remediate any bucket that is created without versioning enabled. Which solution should be used?

A

Use AWS Config with a managed rule (s3-bucket-versioning-enabled) and an automatic remediation action that uses an AWS Systems Manager Automation document to enable versioning

Correct. AWS Config evaluates resources against the rule. When a noncompliant bucket is detected (whether newly created or changed), the automatic remediation using Systems Manager Automation enables versioning on the bucket, ensuring continuous compliance.

B

Use Amazon CloudWatch Events to detect CreateBucket API calls and trigger an AWS Lambda function to enable versioning

C

Use AWS CloudTrail to monitor CreateBucket events and send an alert to the SysOps administrator for manual action

D

Use AWS Service Catalog to enforce versioning on all buckets provisioned through it

Why: AWS Config with the managed rule `s3-bucket-versioning-enabled` continuously evaluates S3 buckets against the desired configuration. When a noncompliant bucket is detected, an automatic remediation action can be configured to invoke an AWS Systems Manager Automation document that enables versioning on the bucket. This provides a fully automated, event-driven remediation without manual intervention, ensuring all buckets—including those created outside of AWS Config's initial evaluation—are brought into compliance.
Q6
Difficulty: hard

An organization requires that all Amazon EC2 instances must be launched only with approved Amazon Machine Images (AMIs) that have been pre-approved by the security team. The SysOps administrator needs to enforce this policy for all current and future instances in the AWS account. Unapproved AMIs should be prevented from launching. Which solution meets these requirements with the least operational overhead?

A

Use AWS Config with the 'approved-amis-by-id' managed rule to evaluate and automatically remediate noncompliant instances.

Correct. AWS Config can continuously monitor and automatically remediate instances launched with unapproved AMIs, requiring minimal manual effort.

B

Use an AWS Service Control Policy (SCP) to deny ec2:RunInstances if the AMI ID is not in an approved list.

C

Create an IAM policy that denies ec2:RunInstances for any AMI not on an approved list and attach it to all IAM users and roles.

D

Use AWS Systems Manager Patch Manager to approve AMIs and configure the fleet to use only approved images.

Why: AWS Config with the 'approved-amis-by-id' managed rule continuously evaluates EC2 instances against a list of approved AMI IDs. When a noncompliant instance is detected, you can configure automatic remediation (for example an AWS Systems Manager Automation document that stops or terminates the instance). This covers existing and future instances with minimal operational overhead, because the approved list lives in the rule's parameters rather than in code or policy. One caveat a practitioner should weigh: AWS Config is a detective control, so an instance from an unapproved AMI does exist briefly until remediation terminates it. Blocking the launch itself needs a preventive condition on the image ID in an SCP or IAM policy (options B and C), at the cost of maintaining the AMI list inside policy documents.


Domain 5: Networking and Content Delivery

All Networking and Content Delivery questions
Q1 (easy)

A company wants to establish a dedicated, low-latency, private connection between its on-premises data center and an AWS VPC. The company does not want to use the public internet. Which AWS service should be used to meet this requirement?

A

AWS Direct Connect

Correct. AWS Direct Connect provides a dedicated private connection between on-premises and AWS, avoiding the public internet.

B

AWS Virtual Private Gateway

C

AWS Transit Gateway

D

VPC Peering

Why: AWS Direct Connect is the right service because it provides a dedicated, private network link from the data centre to AWS that never touches the public internet, giving consistent throughput and lower latency. The customer's router and the Direct Connect location exchange traffic over 802.1Q VLANs, and a private virtual interface (VIF) on that connection attaches to a virtual private gateway (or a Direct Connect gateway) to reach the VPC. The other options are components used with it rather than alternatives: a virtual private gateway is the VPC-side attachment point, Transit Gateway interconnects many VPCs, and VPC peering joins two VPCs. Note that Direct Connect traffic is not encrypted by default; run an AWS Site-to-Site VPN over the connection, or use MACsec on supported dedicated connections, if encryption in transit is required.
Q2 (hard)

A company has two VPCs in different AWS regions (us-east-1 and eu-west-1) that are peered. Applications in both VPCs need to communicate using private IP addresses. The ping tests are successful, but the latency is significantly higher than expected. Which change is most likely to improve the latency between the VPCs?

A

Enable DNS resolution for the VPC peering connection.

Correct. With DNS resolution enabled on the peering connection, public DNS hostnames of instances in the peered VPC resolve to their private IP addresses, so application traffic stays on the AWS backbone over the peering link instead of leaving through an internet gateway.

B

Use a Transit Gateway instead of VPC Peering for cross-region connectivity.

C

Increase the MTU on the instances' network interfaces to 9001.

D

Configure ECMP (Equal-Cost Multi-Path) routing on the VPC peering connection.

Why: Option A fits the symptom: pings by private IP succeed, so the peering route itself works, but application traffic addressed by hostname is being resolved to public IP addresses and leaving the VPC through the internet gateway, which adds hops and latency. Enabling DNS resolution on the peering connection (each side, requester and accepter, turns it on for its own VPC) makes those public hostnames resolve to private IPs so the traffic uses the peering link. Two caveats: the remaining latency between us-east-1 and eu-west-1 is bounded by distance, so the change removes the detour, not the transatlantic round trip; and the application must actually connect by hostname for this to matter. Option B swaps the transit device but not the path, since inter-Region Transit Gateway peering also rides the AWS backbone. Option C does nothing because inter-Region peering is limited to a 1500-byte MTU anyway. Option D does not exist for peering connections, which have a single path.
Q3 (medium)

A company has deployed a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application's IP addresses are used by a third-party service to allowlist traffic. The EC2 instances are part of an Auto Scaling group that may scale up and down. The SysOps administrator needs to ensure that the third-party service always has the current IP addresses of the ALB without requiring manual updates. Which solution should the administrator implement?

A

Use AWS Global Accelerator and provide the static IP addresses to the third party

Global Accelerator provides two static IP addresses that serve as a fixed entry point. You can add the ALB as an endpoint, and traffic will be directed to the ALB's current healthy instances, while the static IPs remain unchanged.

B

Use Amazon Route 53 with a simple routing policy pointing to the ALB DNS name

C

Use an Amazon CloudFront distribution with the ALB as the origin and provide the CloudFront IP addresses

D

Use an AWS Network Load Balancer (NLB) with static IP addresses in front of the ALB

Why: AWS Global Accelerator gives the application two static anycast IP addresses as a fixed entry point. With the ALB registered as an endpoint, the third party allowlists those two addresses once, and every change underneath (Auto Scaling adding or removing instances, even the ALB's own node addresses changing) is invisible to them. Option B hands the third party a DNS name, not addresses it can allowlist. Option C would force it to allowlist CloudFront's large and changing published IP ranges. Option D is technically workable today, because an NLB with static Elastic IPs can use an ALB as a target, but it adds a second load balancer to operate; Global Accelerator is the purpose-built and expected answer.
Q4 (easy)

A company has an on-premises data center connected to an AWS VPC via an AWS Direct Connect connection. The company's SysOps administrator wants to ensure that traffic from the VPC destined for the on-premises network uses the Direct Connect connection instead of the internet. Which configuration should be used?

A

Add a route in the VPC route table pointing to the on-premises network via a virtual private gateway (VGW)

The VGW is attached to the VPC and is the entry/exit point for Direct Connect. By adding a route with the on-premises destination and the VGW as the target, traffic is forced through the Direct Connect connection.

B

Add a route in the VPC route table pointing to the on-premises network via a NAT gateway

C

Add a route in the VPC route table pointing to the on-premises network via an internet gateway

D

Add a route in the VPC route table pointing to the on-premises network via a VPC peering connection

Why: Option A is correct. With a private virtual interface, the virtual private gateway (VGW) attached to the VPC is the AWS-side endpoint of the Direct Connect connection, so a route for the on-premises CIDR with the VGW as target sends that traffic over Direct Connect rather than through the internet gateway on the 0.0.0.0/0 route. In practice you usually enable route propagation on the route table so the prefixes advertised over BGP by the on-premises router appear automatically, instead of maintaining static routes that go stale. A NAT gateway (B) and an internet gateway (C) both lead to the internet, and a peering connection (D) leads to another VPC, not to the data centre.
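The following is an added example, not code from the Courseiva page or from AWS. It models VPC route-table lookup (longest prefix match) to show why the on-premises CIDR needs its own route to the VGW even though a 0.0.0.0/0 internet route exists, and adds an audit that flags on-premises prefixes whose best route is not a virtual private gateway. The route table, CIDRs, the on-premises address space and the gateway IDs are constructed placeholders; nothing talks to AWS.

```python
"""Added example, not code from the Courseiva page or from AWS: a local model
of VPC route-table lookup (longest prefix match) to show why the on-premises
CIDR needs its own route to the virtual private gateway, and an audit that
flags on-premises prefixes whose best route is not the VGW. The route table,
CIDRs and target IDs are constructed placeholders; no AWS calls are made."""
import ipaddress

# Constructed route table, trimmed to the fields that matter from DescribeRouteTables.
ROUTES = [
    {"DestinationCidrBlock": "172.31.0.0/16", "Target": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0",     "Target": "igw-0123456789abcdef0"},  # internet
    {"DestinationCidrBlock": "10.0.0.0/8",    "Target": "vgw-0123456789abcdef0"},  # on-prem via Direct Connect
    {"DestinationCidrBlock": "10.50.0.0/16",  "Target": "pcx-0123456789abcdef0"},  # more specific: peered VPC
]

# Assumed on-premises address space. 192.168.0.0/16 has no route in the table above.
ON_PREM_PREFIXES = ["10.0.0.0/8", "192.168.0.0/16"]


def lookup(routes, dst_ip):
    """Return the route a VPC would use for dst_ip: among matching entries the
    longest prefix wins; the order of entries in the table is irrelevant."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def not_via_vgw(routes, on_prem_prefixes):
    """Audit: (prefix, probe address, target) for every on-premises prefix, or
    more specific route nested inside one, whose best route does not point at
    a virtual private gateway. A missing route falls through to 0.0.0.0/0 and
    leaves the VPC through the internet gateway instead of Direct Connect."""
    findings = []
    for prefix in on_prem_prefixes:
        net = ipaddress.ip_network(prefix)
        probes = [net.network_address]
        for route in routes:  # nested, more specific routes can hijack part of the prefix
            rn = ipaddress.ip_network(route["DestinationCidrBlock"])
            if rn != net and rn.version == net.version and rn.subnet_of(net):
                probes.append(rn.network_address)
        for probe in probes:
            best = lookup(routes, str(probe))
            target = best["Target"] if best else None
            if target is None or not target.startswith("vgw-"):
                findings.append((prefix, str(probe), target))
    return findings


if __name__ == "__main__":
    for finding in not_via_vgw(ROUTES, ON_PREM_PREFIXES):
        print("not via Direct Connect:", finding)
```

Run against the constructed table, the audit reports two findings: 10.50.0.0/16 is carved out of the on-premises /8 by a more specific peering route, and 192.168.0.0/16 has no route at all and so defaults to the internet gateway. The same check applied to a real table (from `describe-route-tables` output) is a cheap way to catch on-premises traffic that silently leaves over the internet instead of the private link.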
Q5 (easy)

A company has two VPCs in the same AWS region. VPC A hosts a web application, and VPC B hosts a database. The SysOps administrator needs to enable private IP communication between the two VPCs without using the public internet. The administrator wants a simple, low-cost solution that uses the AWS network backbone. Which AWS service should be used?

A

VPC Peering

VPC Peering directly connects two VPCs using private IPs over the AWS network, simple and cost-effective for a pair of VPCs.

B

AWS Transit Gateway

C

AWS Direct Connect

D

AWS Site-to-Site VPN

Why: VPC peering gives direct private-IP connectivity between two VPCs over the AWS backbone with no internet exposure. For exactly two VPCs in the same Region it is the simplest and cheapest choice: there is no hourly charge (only data transfer), no intermediate device and no bandwidth bottleneck beyond the instances themselves. Two things to check before choosing it: the VPC CIDRs must not overlap, and peering is not transitive, so a third VPC would need its own peering connection (at which point Transit Gateway starts to make sense). Direct Connect and Site-to-Site VPN connect on-premises networks to AWS; they do not join two VPCs.
Q6 (medium)

A company hosts a web application behind an Application Load Balancer (ALB) in us-east-1. Users in Europe report high latency. The SysOps administrator decides to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. However, the application logs require the original client IP addresses of users. The ALB currently provides the client IP via the X-Forwarded-For header, but the development team warns that Global Accelerator may change the source IP. Which configuration should the administrator choose to meet both performance and logging requirements?

A

Configure Global Accelerator with an endpoint group that points directly to the ALB. The ALB will continue to receive the original client IP in the X-Forwarded-For header.

Correct. Global Accelerator supports client IP address preservation for Application Load Balancer endpoints. Enable it on the ALB endpoint in the endpoint group and the ALB sees the real client address as the connection source, so X-Forwarded-For and the access logs are unchanged.

B

Place a Network Load Balancer (NLB) in front of the ALB, and configure Global Accelerator to point to the NLB. The NLB preserves the client IP, and the ALB can still see it in the X-Forwarded-For header.

C

Enable Proxy Protocol v2 on the ALB to ensure client IP addresses are preserved through Global Accelerator.

D

Use Amazon CloudFront instead of Global Accelerator and configure it to forward the client IP in a custom header.

Why: Option A is correct. Global Accelerator can preserve the client IP address for ALB endpoints; it is a per-endpoint setting in the endpoint group (`ClientIPPreservationEnabled` in the API). With it enabled, Global Accelerator delivers traffic through an elastic network interface it creates in the VPC with the client's real address as the source, so the ALB's existing X-Forwarded-For handling and access logs work exactly as before. The development team's warning describes the behaviour when the setting is off, in which case the ALB logs an address that belongs to the accelerator rather than the user. Two practitioner notes: because the source is now the real client, the ALB's security group must allow the client address ranges rather than only accelerator addresses, and the application must still read the rightmost ALB-written entry of X-Forwarded-For rather than the leftmost, since clients can send their own header. Option B adds an NLB hop, cost and another component to operate for no benefit, because the ALB can be the endpoint directly. Option C is wrong because Proxy Protocol v2 is a Network Load Balancer feature; ALBs do not support it. Option D would also carry the client IP (CloudFront sets X-Forwarded-For itself), but it replaces the accelerator with a CDN and is not the configuration asked for.
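The following is an added example, not code from the Courseiva page or from AWS. It shows how the application behind the ALB should pick the client IP out of X-Forwarded-For once Global Accelerator is in front, and what the log looks like when client IP preservation is not in effect. The ALB appends the address of its own peer to the header; with preservation enabled that peer is the real client, without it the peer is an accelerator address inside the VPC. Because anyone can send their own X-Forwarded-For, the safe algorithm walks the list from the right and stops at the first address that is not a proxy we operate. The trusted proxy range, the VPC CIDR and the sample headers are constructed placeholders.

```python
"""Added example, not code from the Courseiva page or from AWS: how the
application behind the ALB should pick the client IP out of X-Forwarded-For
once Global Accelerator is in front. The ALB appends the address of its own
peer to the header; with client IP preservation enabled that peer is the real
client, without it the peer is an accelerator address inside the VPC. Anyone
can send their own X-Forwarded-For, so the only safe walk is from the right,
stopping at the first address that is not a proxy we operate. The trusted
proxy range, VPC CIDR and sample headers are constructed placeholders."""
import ipaddress

# Assumed: an HTTP-aware reverse proxy we run that appends X-Forwarded-For.
# Global Accelerator is NOT listed: it works at layer 4 and never writes the header.
TRUSTED_XFF_WRITERS = [ipaddress.ip_network("192.0.2.0/24")]
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC; accelerator ENI addresses live here


def client_ip(xff_header):
    """Walk X-Forwarded-For from the right (the entry the ALB wrote) leftwards
    while each address is a proxy we trust to have written the entry to its
    left; the first untrusted address is the client. Returns None for
    malformed input rather than guessing."""
    chain = [v.strip() for v in xff_header.split(",") if v.strip()]
    for addr in reversed(chain):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None
        if not any(ip in net for net in TRUSTED_XFF_WRITERS):
            return addr
    return None  # every entry was one of our proxies: no client address present


def naive_client_ip(xff_header):
    """The common mistake: take the leftmost entry, which the client controls."""
    chain = [v.strip() for v in xff_header.split(",") if v.strip()]
    return chain[0] if chain else None


def preservation_looks_disabled(resolved_ip):
    """Log-side check: if the 'client' is an address from our own VPC, the ALB
    saw the accelerator's ENI, i.e. client IP preservation is not in effect."""
    return resolved_ip is not None and ipaddress.ip_address(resolved_ip) in VPC_CIDR
```

With preservation enabled and a user who forges a header, the ALB forwards `1.2.3.4, 203.0.113.9`: the right-to-left walk returns the genuine 203.0.113.9 while the leftmost-entry approach logs the forged 1.2.3.4. With preservation disabled the header is just an address from the VPC, which `preservation_looks_disabled` flags, and that is the condition the question's development team was warning about.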


Domain 6: Cost and Performance Optimization

All Cost and Performance Optimization questions
Q1 (medium)

A SysOps administrator manages an Amazon RDS for MySQL instance that experiences high CPU utilization during business hours. The application is read-heavy. Which action will most effectively improve performance and reduce cost?

A

Enable Multi-AZ deployment.

B

Scale up the instance size to a larger instance class.

C

Add a read replica.

Correct. Read replicas handle read traffic, reducing load on the primary instance and improving performance cost-effectively.

D

Enable automated backups.

Why: A read replica takes the SELECT traffic off the primary, which is exactly the load that is saturating a read-heavy instance, so CPU on the primary drops and latency improves. On cost: a replica is a billed instance, so it is not free, but it is cheaper than moving the primary to a class large enough to absorb all reads, it can be removed when demand falls, and the primary only needs to be sized for writes. The application has to be changed to send reads to the replica endpoint, and replication is asynchronous, so reads that must see the caller's own latest write should still go to the primary. Multi-AZ (A) adds a standby for failover that does not serve reads in a Multi-AZ DB instance deployment, scaling up (B) costs more and does nothing about the read/write split, and automated backups (D) are unrelated to performance.
Q2 (easy)

A SysOps administrator manages a web application running on Amazon EC2 instances that run 24/7 for the next 12 months. The workload is steady and predictable. Which EC2 purchasing option provides the highest cost savings for this use case?

A

Standard Reserved Instances

Correct. Standard Reserved Instances offer the highest discount for a steady, predictable 24/7 workload with a 1-year or 3-year term.

B

Spot Instances

C

On-Demand Instances

D

Savings Plans (Compute)

Why: Standard Reserved Instances give the deepest discount (up to 72% off On-Demand) in exchange for committing to a specific instance type, Region, platform and tenancy for a 1- or 3-year term; regional Linux RIs with default tenancy also flex across sizes within the same family. A steady workload that runs every hour of the year consumes the whole commitment, so an all-upfront or partial-upfront 1-year term maximises the saving with none of the interruption risk of Spot (B) and none of the premium of On-Demand (C). Compute Savings Plans (D) trade some discount (up to 66%) for flexibility across instance families, Regions, and even Fargate and Lambda; that flexibility is not needed here, so the Standard RI wins on price. The flip side is that an RI is billed for every hour of the term whether or not the instance runs, which is why it is the wrong choice for intermittent workloads.
Q3 (hard)

A company runs a large number of EC2 instances across multiple accounts and regions. The finance team needs to track costs per project and department. Each EC2 instance must be tagged with a ProjectID and Department tag. A SysOps administrator needs to ensure that all newly launched EC2 instances are tagged automatically before they can be used, and that existing untagged instances are retroactively tagged. The tags must be propagated to cost reports in AWS Cost Explorer. Which combination of steps will achieve this with the least operational overhead?

A

Use AWS Config with auto-remediation to tag new instances, and activate the tags as cost allocation tags. For existing instances, run the Tag Editor with a CSV import.

Correct. AWS Config auto-remediation tags non-compliant new instances; Tag Editor bulk-tags existing instances; activation in Billing console propagates tags to cost reports.

B

Create an AWS Lambda function that tags instances at launch via CloudTrail events, and use AWS Budgets to enforce tagging.

C

Use AWS Cost Categories to automatically group costs based on resource tags.

D

Ensure all AMIs used have tags that propagate to instances, and enable cost allocation tags.

Why: Option A is correct. An AWS Config rule such as the managed `required-tags` rule flags every instance missing the ProjectID or Department tag, and an auto-remediation action (an SSM Automation runbook or a Lambda function) applies the tags, so new launches are brought into compliance without anyone watching for them. Existing instances are bulk-tagged with Tag Editor, which finds and tags resources across Regions (run it in each account). The tags reach cost reports only after they are activated as cost allocation tags, which is done on the Cost allocation tags page of the Billing and Cost Management console, not in Cost Explorer; they show up in Cost Explorer and the Cost and Usage Report up to 24 hours later and apply only to usage incurred after activation, so there is no retroactive cost attribution for the period before tagging. Strictly, Config cannot tag an instance before it is used, because the instance exists before the rule evaluates it; it closes the gap within minutes, which is what the exam accepts as least overhead. Budgets (B) does not enforce tags, Cost Categories (C) groups costs but cannot create missing tags, and AMI tags (D) do not propagate to instances.
Q4 (easy)

A company runs a batch processing application on Amazon EC2 that runs for 2 hours every night. The workload can tolerate interruptions. Which EC2 purchasing option provides the lowest cost for this use case?

A

On-Demand Instances

B

Reserved Instances

C

Spot Instances

Spot Instances allow you to use spare EC2 capacity at up to 90% discount compared to On-Demand. The workload is interruption-tolerant and fits the nightly batch window well, making this the most cost-effective option.

D

Dedicated Hosts

Why: Spot Instances are the correct choice because the job is interruption-tolerant and fits a fixed 2-hour nightly window; Spot uses spare EC2 capacity at up to 90% off On-Demand, so a batch that can be retried or resumed when interrupted is the ideal fit. Design for the interruption rather than hoping it never happens: EC2 gives a two-minute interruption notice through the instance metadata service and EventBridge, so the job should checkpoint its progress and be restartable. Reserved Instances (B) would be billed for the 22 hours a day the job is not running, On-Demand (A) works but costs more, and Dedicated Hosts (D) are the most expensive option and exist for licensing and isolation requirements.
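The following is an added example, not code from the Courseiva page or from AWS. It puts the reasoning of the two purchasing-option questions above (the 24/7 web tier and the 2-hour nightly batch) into one annual cost model so the utilisation break-even is explicit: a Reserved Instance is charged for every hour of the term, so it only beats On-Demand once the instance runs more than a certain fraction of the year. All hourly rates and the Spot interruption overhead are constructed placeholders for one instance size, not current AWS prices.

```python
"""Added example, not code from the Courseiva page or from AWS: an annual cost
model for the purchasing options in the two EC2 questions above, to make the
utilisation break-even explicit. All hourly rates are constructed placeholders
for one instance size, not current AWS prices."""

HOURS_PER_YEAR = 365 * 24

ON_DEMAND_HOURLY = 0.10
STANDARD_RI_HOURLY = 0.06        # assumed effective rate; charged for every hour of the term
SPOT_HOURLY = 0.03               # assumed average market price; real Spot prices move
SPOT_RERUN_OVERHEAD = 0.10       # assumed fraction of Spot hours repeated after interruptions


def annual_cost(option, hours_used):
    """Cost per year of covering hours_used hours of compute with one option."""
    if option == "on_demand":
        return ON_DEMAND_HOURLY * hours_used
    if option == "standard_ri":
        return STANDARD_RI_HOURLY * HOURS_PER_YEAR   # billed whether or not the instance runs
    if option == "spot":
        return SPOT_HOURLY * hours_used * (1 + SPOT_RERUN_OVERHEAD)
    raise ValueError(f"unknown option {option!r}")


def cheapest(hours_used, interruption_tolerant):
    """Spot is only a candidate when the workload can survive being interrupted."""
    options = ["on_demand", "standard_ri"] + (["spot"] if interruption_tolerant else [])
    return min(options, key=lambda o: annual_cost(o, hours_used))


def ri_breakeven_utilisation():
    """Fraction of the year an instance must run before a Standard RI beats On-Demand."""
    return STANDARD_RI_HOURLY / ON_DEMAND_HOURLY


if __name__ == "__main__":
    print("24/7 steady web tier:", cheapest(HOURS_PER_YEAR, interruption_tolerant=False))
    print("2 h nightly batch:   ", cheapest(2 * 365, interruption_tolerant=True))
    print("RI break-even utilisation:", ri_breakeven_utilisation())
```

With these placeholder rates the RI only pays off above 60% utilisation; the nightly batch runs about 8% of the year, so even without Spot it would be cheaper On-Demand, and with Spot allowed the interruption overhead is small next to the discount. Swap in real rates from the pricing pages before using the model for a decision.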
Q5 (hard)

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application reads data from an Amazon RDS for MySQL database. During peak hours, the database CPU utilization is consistently high, and the application experiences increased latency. The SysOps administrator observes that 90% of database queries are read-only. Which combination of actions will both improve performance and optimize costs?

A

Enable Multi-AZ for the RDS instance and scale up the instance size

B

Implement a read replica for the RDS instance and modify the application to route read queries to the read replica

Read replicas can handle read traffic, reducing load on the primary instance. This improves performance and, by avoiding unnecessary scale-up, can be more cost-effective. Only the primary instance needs to be sized for writes.

C

Enable Amazon RDS Performance Insights and increase the storage allocation

D

Implement Amazon ElastiCache for Memcached in front of the database and migrate read-heavy queries to cache

Why: Option B is correct because a read replica absorbs the 90% of traffic that is read-only, bringing the primary's CPU down and restoring latency, and the application change (routing SELECT statements to the replica endpoint) is what actually moves the load. It avoids a costly vertical scale-up of a primary that only needs to be sized for writes. Replication to RDS for MySQL read replicas is asynchronous, so reads that must see the caller's own just-committed write, any SELECT ... FOR UPDATE, and every statement inside a write transaction must stay on the primary. Option A scales up and adds a standby that does not serve reads; option C only observes the problem; option D (ElastiCache) is a legitimate pattern for hot keys but needs cache invalidation logic in the application and does not help queries that cannot be cached, so it is not the combination asked for.
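The following is an added example, not code from the Courseiva page or from AWS. It is the application-side piece that both read-replica questions above depend on: a per-statement router that decides whether a query may go to the replica endpoint. It inspects SQL text only; the endpoint hostnames are placeholders and no database connection is made. The rules are deliberately conservative, because RDS for MySQL replicas apply changes asynchronously: writes, row locks, anything inside an open transaction, and reads shortly after the caller's own write all go to the primary.

```python
"""Added example, not code from the Courseiva page or from AWS: the
application-side change the read-replica answer depends on, a per-statement
router deciding whether a query may go to the replica endpoint. It inspects
SQL text only; the endpoint hostnames are placeholders and no connection is
made. It is deliberately conservative: writes, row locks, anything inside an
open transaction, and reads shortly after the caller's own write go to the
primary, because RDS for MySQL replicas apply changes asynchronously and lag."""
import re

PRIMARY = "app-db.placeholder.us-east-1.rds.amazonaws.com"       # assumed primary endpoint
REPLICA = "app-db-ro-1.placeholder.us-east-1.rds.amazonaws.com"  # assumed replica endpoint

_READ_ONLY = re.compile(r"^\s*(?:/\*.*?\*/\s*)*(?:SELECT|SHOW|EXPLAIN|DESCRIBE|DESC)\b", re.I | re.S)
_LOCKING = re.compile(r"\b(?:FOR\s+UPDATE|FOR\s+SHARE|LOCK\s+IN\s+SHARE\s+MODE)\b", re.I)
_SIDE_EFFECT = re.compile(
    r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b|\b(?:LAST_INSERT_ID|GET_LOCK|RELEASE_LOCK|SLEEP)\s*\(", re.I)


class QueryRouter:
    def __init__(self, primary=PRIMARY, replica=REPLICA, read_your_writes_window=5.0):
        self.primary, self.replica = primary, replica
        self.window = read_your_writes_window  # seconds; assumed upper bound on replica lag
        self.in_transaction = False
        self.last_write_at = None

    def route(self, sql, now):
        """Return the endpoint for sql; now is a monotonic timestamp in seconds."""
        text = sql.strip()
        upper = text.upper()
        if upper.startswith(("BEGIN", "START TRANSACTION")):
            self.in_transaction = True
            return self.primary
        if upper.startswith(("COMMIT", "ROLLBACK")):
            self.in_transaction = False
            self.last_write_at = now      # the transaction's writes become visible now
            return self.primary
        if self.in_transaction:
            return self.primary           # keep a transaction on one connection
        is_safe_read = (_READ_ONLY.match(text) and not _LOCKING.search(text)
                        and not _SIDE_EFFECT.search(text))
        if not is_safe_read:
            self.last_write_at = now      # anything else is treated as a write
            return self.primary
        if self.last_write_at is not None and now - self.last_write_at < self.window:
            return self.primary           # read-your-writes: the replica may not have it yet
        return self.replica


if __name__ == "__main__":
    router = QueryRouter()
    for t, stmt in enumerate(["SELECT id FROM orders WHERE customer_id = 42",
                              "UPDATE orders SET status = 'paid' WHERE id = 1",
                              "SELECT status FROM orders WHERE id = 1"]):
        print(f"{stmt[:40]:40s} -> {router.route(stmt, float(t))}")
```

The read-your-writes window is a crude stand-in for measuring actual lag; in production the number comes from the `ReplicaLag` CloudWatch metric, and a router that reads it would route to the primary whenever the replica is further behind than the application can tolerate.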
Q6 (medium)

A company runs a web application on Amazon EC2 instances that are part of an Auto Scaling group. The application's traffic is predictable with regular peaks during business hours and low traffic at night. The SysOps administrator wants to optimize costs while ensuring that performance meets demand. The administrator also needs to minimize manual intervention. Which scaling policy should be used?

A

Scheduled scaling

Scheduled scaling adjusts capacity at predefined times, matching predictable patterns with no manual effort after setup.

B

Target tracking scaling

C

Simple scaling

D

Manual scaling

Why: Scheduled scaling is the correct choice because the traffic pattern is predictable: the administrator creates scheduled actions (for example a recurring cron expression for the start and end of business hours) that set the group's minimum, maximum and desired capacity at those times, so capacity follows demand without anyone intervening and off-peak instances are not paid for. Target tracking (B) reacts to a metric and would also work, but it scales only after demand has already risen, so for a known schedule it is the second choice; the two are commonly combined, scheduled actions for the predictable baseline and target tracking for unexpected spikes. Simple scaling (C) needs an alarm and cooldown for every step, and manual scaling (D) is exactly the intervention the administrator wants to avoid.


Frequently asked questions

How many questions are on the SOA-C02 exam?

The SOA-C02 exam has 65 questions and must be completed in 180 minutes. The passing score is 720/1000.

What types of questions appear on the SOA-C02 exam?

Scenario-based multiple-choice and multiple-response questions covering monitoring, deployment, security, storage, networking and cost management on AWS. The exam used to include hands-on exam labs, but AWS removed them from SOA-C02 in March 2023, so there is currently no performance-based section.

How are SOA-C02 questions organised by domain?

The exam covers 6 domains: Monitoring, Logging, and Remediation, Reliability and Business Continuity, Deployment, Provisioning, and Automation, Security and Compliance, Networking and Content Delivery, Cost and Performance Optimization. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SOA-C02 exam questions?

No. These are original exam-style practice questions written against the official Amazon Web Services SOA-C02 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 65 SOA-C02 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all SOA-C02 questionsTake a timed practice test