Amazon Web Services AWS Certified CloudOps Engineer - Associate SOA-C03 Exam Dumps: Updated Questions & Answers (February 2026)

Per the AWS Cloud Operations and EventBridge documentation, when events are sent across AWS accounts — particularly from multiple accounts in an AWS Organization — the target event bus in the receiver account must include a resource-based policy that explicitly allows events:PutEvents API calls from the sender accounts or the organization ID.

Even if the sender accounts have IAM permissions to call PutEvents, the receiving event bus must trust those accounts via a resource policy. Without this configuration, EventBridge automatically rejects incoming cross-account events, and those events never reach the target Lambda function for processing.

AWS guidance states that “Cross-account event delivery requires a resource-based policy on the event bus that grants permissions to the source accounts or organization.” The policy can include either individual AWS account IDs or the organization’s root ID.

In this scenario, because the events originate from multiple accounts and there is no resource policy on the target event bus to authorize those sender accounts, the events are not delivered.

Therefore, the correct cause is C – the resource-based policy on the target event bus must be modified to allow PutEvents API calls from the sender accounts.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To ensure users can launch instances only from approved AMIs, the control must be enforced at authorization time, not after the fact. An IAM policy with a condition that evaluates the resource tags on the AMI is the correct method. By using an aws:ResourceTag/ApprovedAMI condition (paired with allowing ec2:RunInstances only when the chosen AMI has the required tag/value), the organization can prevent launches from untagged or unapproved images. This implements preventative control and aligns with least privilege.

Option A (Organizations tag policy) is not an enforcement mechanism for EC2 API authorization; tag policies primarily help standardize tagging and report compliance rather than block API calls. Option C (AWS Config required-tags) evaluates resources for compliance after creation and cannot reliably prevent a launch at the time of the API call. Option D is unrelated; GuardDuty detections do not enforce AMI usage policy.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct solution is B. Configure RDS Proxy, because RDS Proxy is specifically designed to manage and pool database connections for Amazon Aurora and Amazon RDS. AWS CloudOps documentation states that RDS Proxy reduces database load and prevents connection exhaustion by reusing existing connections and managing spikes in application demand.

In this scenario, the ecommerce application maintains many idle connections, which consume database connection slots even when not actively used. During peak traffic, new connections cannot be established, resulting in the “Too many connections” error. RDS Proxy sits between the application and the Aurora DB cluster, maintaining a smaller, efficient pool of database connections and multiplexing application requests over those connections.

Option A is incorrect because RCUs and WCUs apply to DynamoDB, not Aurora. Option C is incorrect because enhanced networking improves network throughput and latency but does not manage database connections. Option D is incorrect because changing instance types does not address idle connection buildup and can still result in connection exhaustion.

AWS CloudOps best practices recommend RDS Proxy for applications with connection-heavy workloads, unpredictable traffic patterns, or serverless components.

The AWS Cloud Operations and Systems Manager documentation states that to use Session Manager privately within a VPC (without internet access), three interface VPC endpoints must be configured:

com.amazonaws.<region>.ssm – enables Systems Manager core API communication.

com.amazonaws.<region>.ec2messages – allows the agent to send and receive messages between EC2 and Systems Manager.

com.amazonaws.<region>.ssmmessages – enables real-time interactive communication for Session Manager connections.

These endpoints ensure secure, private connectivity over the AWS network, eliminating the need for public internet routing.

Endpoints for S3, Step Functions, or EC2 API (Options C, E, F) are not required for Session Manager functionality.

Thus, the correct combination is A, B, and D, aligning with AWS CloudOps best practices for secure, private Systems Manager access.

According to AWS Cloud Operations and Systems Manager documentation, Session Manager requires that each managed instance be associated with an IAM instance profile that grants Systems Manager core permissions. The required permissions are provided by the AmazonSSMManagedInstanceCore AWS-managed policy.

If this policy is missing or misconfigured, the Systems Manager Agent (SSM Agent) cannot communicate with the Systems Manager service, causing connection failures even if the agent is installed and running. This explains why other instances work—those instances likely have the correct IAM role attached.

Enabling port 22 (Option A) violates the company’s security policy, while configuring user names (Option C) and key pairs (Option D) are irrelevant because Session Manager operates over secure API channels, not SSH keys.

Therefore, the correct resolution is to attach or update the instance profile with the AmazonSSMManagedInstanceCore policy, restoring Session Manager connectivity.

When an Amazon EBS volume is resized, the new storage capacity is immediately available to the attached EC2 instance. However, EBS does not automatically extend the file system. The CloudOps engineer must manually extend the file system within the operating system to utilize the additional space.

AWS documentation for EC2 and EBS specifies:

“After you increase the size of an EBS volume, use file system–specific tools to extend the file system so that the operating system can use the new storage capacity.”

On Windows instances, this can be achieved through Disk Management or diskpart commands. On Linux systems, utilities such as growpart and resize2fs are used.

Options B and C do not modify file system metadata and are ineffective. Option D unnecessarily replaces the volume, which adds risk and downtime. Thus, Option A aligns with the Monitoring and Performance Optimization practices of AWS CloudOps by properly extending the file system to recognize the new capacity.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answers are B and D. AWS CloudOps documentation clearly states that AWS Secrets Manager is the recommended service for storing and managing database credentials securely. Secrets Manager integrates natively with Amazon RDS and supports automatic, scheduled secret rotation.

To rotate credentials weekly, Secrets Manager requires a Lambda rotation function. AWS provides managed rotation templates for Amazon RDS for MySQL that update the database password and the stored secret atomically. This combination ensures credentials are protected, rotated automatically, and audited with minimal operational effort.

Option A is incorrect because RDS Proxy does not store or rotate credentials; it only retrieves them from Secrets Manager. Option C is incorrect because Systems Manager Parameter Store does not support native automatic rotation. Option E is incorrect because Automation runbooks are not the recommended mechanism for secrets rotation and add unnecessary complexity.

AWS CloudOps best practices strongly recommend Secrets Manager with Lambda-based rotation for database credential protection and compliance.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

EC2 Instance Connect Endpoint (EIC Endpoint) enables SSH to instances in private subnets without public IPs and without needing to traverse the public internet. CloudOps guidance explains that you deploy the endpoint in the same VPC/subnet as the targets, then allow inbound SSH on the instance security group from the endpoint’s security group. Access is governed by IAM—administrators must have Instance Connect permissions; while the example uses a broad policy, the key mechanism is EIC in the private subnet plus SG rules scoped to the endpoint. Systems Manager Session Manager can provide shell access without SSH, but the requirement explicitly states “connect through SSH,” making EIC the purpose-built solution. Options B and D misuse Systems Manager for SSH and propose unnecessary SG changes or incorrect endpoint placement; Option C places the endpoint in a public subnet, which is not required for private SSH access. Therefore, creating an EC2 Instance Connect endpoint in the private subnet and updating SGs accordingly meets the requirement while keeping the instance non-internet-exposed.

Per the AWS Cloud Operations, Networking, and Security documentation, the best practice for serving private S3 content securely to end users is to use Amazon CloudFront with Origin Access Control (OAC).

OAC enables CloudFront to access S3 buckets privately, even when Block Public Access settings are enabled at the account level. This allows content to be delivered globally and securely without making the S3 bucket public. The bucket policy explicitly allows access only from the CloudFront distribution, ensuring that users can retrieve PDF files only via CloudFront URLs.

This configuration offers:

Automatic scalability through CloudFront caching,

Improved security via private access control,

Minimal administration effort with fully managed services.

Other options require manual handling or make the bucket public, violating AWS security best practices.

Therefore, Option B—using CloudFront with Origin Access Control and a restrictive bucket policy—provides the most secure, efficient, and low-maintenance CloudOps solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is B because cross-account role assumption requires two explicit permissions. AWS CloudOps documentation states that the target role must trust the principal, and the principal must be allowed to call sts:AssumeRole.

In the member account, the role’s trust policy must list the IAM group ARN (or the identity account) as a trusted principal. In the identity account, the IAM group must have an inline or attached policy that allows the sts:AssumeRole action for the target role ARN. This dual configuration enables secure and controlled cross-account access.

Option A is incorrect because trust policies cannot be attached to IAM groups. Option C is incorrect because sts:PassRole is used for passing roles to AWS services, not for assuming roles. Option D is incorrect because roles do not grant permissions via inline policies to principals.

This approach aligns precisely with AWS CloudOps guidance for multi-account IAM design.