
Scenario-based practice

Hard Difficulty Questions

Practise AWS Certified SysOps Administrator Associate SOA-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: SOA-C02 | Vendor: Amazon Web Services

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A company runs a critical application on Amazon EC2 instances across multiple Availability Zones. The application stores state data on a shared Amazon EFS file system. The SysOps administrator needs to ensure that the file system remains available if an entire Availability Zone fails. The file system must also provide low-latency access from all instances. Which configuration meets these requirements?

Question 2 (hard, multiple choice)

A company manages multiple AWS accounts using AWS Organizations. The security team wants to restrict the use of Amazon EC2 instance types to only those that are approved for production workloads (e.g., m5.large, m5.xlarge). The policy should be applied to all member accounts in the organization, and it should prevent any non-approved instance type from being launched. The SysOps administrator should implement this with minimal operational overhead. Which solution should be used?

Question 3 (hard, multiple choice)

A company runs a multi-tier application that uses an Amazon RDS for PostgreSQL database. The SysOps administrator needs to monitor the database for performance anomalies, such as sudden spikes in connections or query latencies. The administrator wants to receive alerts when metrics deviate from their expected baseline. The solution must automatically adjust to changes in normal behavior over time, such as seasonal patterns. Which AWS service or feature should the administrator use?

Question 4 (hard, multiple choice)

A company runs a critical MySQL database on an Amazon RDS DB instance in a single Availability Zone. The SysOps administrator needs to implement a disaster recovery solution with a Recovery Point Objective (RPO) of 5 minutes and a Recovery Time Objective (RTO) of 1 hour, while minimizing costs. Which solution meets these requirements?

Question 5 (hard, multiple choice)

A company runs a critical stateful web application on Amazon EC2 instances in a single AWS region. The application stores user session data in an Amazon ElastiCache for Redis cluster. The SysOps administrator must design a disaster recovery (DR) strategy that can survive a complete regional outage with a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The application must be able to redirect users to the DR region with minimal manual effort. Which combination of actions meets these requirements?

Question 6 (hard, multiple choice)

A company uses AWS Organizations and has multiple accounts. The security team requires that all Amazon S3 buckets across all accounts must be encrypted at rest with AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect non-compliant buckets and remediate them by enabling SSE-KMS. The solution must work across all existing and future accounts. Which AWS service should be used?

Question 7 (hard, multiple choice)

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to restrict access to a specific AWS service (Amazon EC2) in all accounts except for the 'production' account. The SysOps administrator needs to implement this restriction centrally. Which approach should the administrator use?

Question 8 (hard, multi-select)

A SysOps administrator needs to detect unauthorized changes to security groups and automatically notify the operations team. Which two AWS services should be part of the solution? (Choose 2.)

Question 9 (hard, multi-select)

A company uses CloudWatch Logs to store application logs. The logs must be retained for 3 years for compliance. Which TWO steps should be taken to achieve this? (Choose TWO.)

Question 10 (hard, multi-select)

Which TWO options are valid ways to send custom metrics to Amazon CloudWatch?

Question 11 (hard, multiple choice)

A SysOps administrator is managing a fleet of EC2 instances that run a batch processing job. The job is completed when a certain metric in CloudWatch reaches a value. Currently, the administrator manually checks the metric and terminates the instances. Which AWS service can automate the termination of the instances when the metric threshold is breached?

Question 12 (hard, multiple choice)

An organization has a CloudWatch dashboard that displays metrics for multiple AWS services. The dashboard is shared with the operations team. Recently, some team members reported that the dashboard is not loading for them. Which action should the SysOps administrator take to troubleshoot the issue?

Question 13 (hard, multi-select)

A SysOps administrator is tasked with setting up a solution that automatically terminates EC2 instances that have been running for more than 24 hours. Which steps should the administrator take? (Select THREE.)

Question 14 (hard, multiple choice)

A company has an EC2 instance that needs to access an S3 bucket. The instance is launched in a private subnet with no internet gateway. What is the most secure way to provide access to S3 without traversing the internet?

Question 15 (hard, multiple choice)

A company runs a critical application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application requires very low latency and high availability. The SysOps administrator notices that the application experiences increased latency during traffic spikes even though the Auto Scaling group is scaling out. Which solution would MOST effectively reduce latency?

Question 16 (hard, multi-select)

A company uses AWS CloudTrail to log API activity. The security team wants to be alerted when an IAM user creates a new access key. Which THREE steps should the SysOps administrator take to meet this requirement?

Question 17 (hard, multi-select)

A company uses AWS KMS to encrypt EBS volumes. Which TWO statements about using KMS with EBS are correct? (Choose two.)

Question 18 (hard, multiple choice)

A company has an AWS account with multiple VPCs connected via a transit gateway. The SysOps administrator needs to ensure that all traffic between VPCs is encrypted in transit. Which solution should the administrator implement?

Question 19 (hard, multi-select)

A company is using AWS Organizations and wants to delegate administration of a specific member account to a user in the management account. Which TWO steps are required?

Question 20 (hard, multiple choice)

Refer to the exhibit. A SysOps administrator applies this bucket policy to an S3 bucket. What is the effect of this policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

These SOA-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SOA-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.