AWS Certified CloudOps Engineer – Associate SOA-C03 Practice Exam

Exam Name	SOA-C03 Practice Exam – AWS Certified CloudOps Engineer Associate (2026 Updated)
Exam Provider	Amazon Web Services (AWS)
Certification Type	Associate-Level Certification (Cloud Operations, Monitoring & Automation)
Total Practice Questions	150 Advanced MCQs (Scenario-Based + Troubleshooting + Monitoring + Automation)
Exam Domains Covered	• Monitoring & Observability (CloudWatch, Logs, Metrics, Alarms, X-Ray) • Reliability & High Availability (Auto Scaling, ELB, Multi-AZ, Failover) • Deployment & Automation (CloudFormation, CodeDeploy, CodePipeline, Lambda) • Security & Compliance (IAM, GuardDuty, Config, Security Hub, Encryption) • Logging & Auditing (CloudTrail, VPC Flow Logs, Centralized Logging) • Cost & Performance Optimization (Trusted Advisor, Budgets, Scaling Strategies) • Incident Response & Troubleshooting (Root Cause Analysis, Automation)
Questions in Real Exam	• Total: ~65 Questions • Highly scenario-based with real operational challenges • Focus on troubleshooting, monitoring, and automation decisions
Exam Duration	• Total Time: 130 Minutes • Time-intensive scenarios requiring analysis and decision-making • Strong time management is critical
Passing Score	• Scaled Score: 720 / 1000 • Requires solid understanding of AWS operations and services • Emphasis on real-world problem-solving
Question Format	• Multiple Choice & Multiple Response • Scenario-Based Troubleshooting Questions • Monitoring & Alerting Configurations • Automation & Infrastructure as Code • Security & Compliance Decision-Making
Difficulty Level	Intermediate to Advanced (Real AWS Operations + Troubleshooting + Automation)
Key Knowledge Areas	• CloudWatch metrics, logs, alarms, and anomaly detection • CloudTrail vs Config (logging vs compliance tracking) • Automation tools (Lambda, EventBridge, Systems Manager) • Deployment services (CodeDeploy, CodePipeline, CloudFormation) • Security monitoring (GuardDuty, Security Hub, IAM best practices) • Scaling strategies (Auto Scaling policies, ELB health checks) • Log analysis (S3 + Athena, centralized logging patterns)
Common Exam Traps	• Confusing CloudWatch vs CloudTrail vs Config roles • Choosing manual solutions instead of automation (Lambda/SSM) • Ignoring root cause (fix app vs scaling infrastructure) • Misusing Auto Scaling vs scheduled scaling vs manual scaling • Overlooking security tools differences (GuardDuty vs Inspector vs Security Hub) • Not using multi-AZ for high availability scenarios • Forgetting cost optimization in operational decisions
Skills Developed	• Real-world AWS operations and troubleshooting • Monitoring and alerting configuration • Automation using serverless and managed services • Security and compliance enforcement • Performance optimization and cost management • Incident response and root cause analysis
Study Strategy	• Focus heavily on CloudWatch, CloudTrail, and Config differences • Practice scenario-based troubleshooting questions daily • Learn automation patterns (Lambda + EventBridge + SSM) • Understand scaling strategies and health checks deeply • Take timed mock exams to improve speed and accuracy • Review rationales carefully to identify common traps • Strengthen weak areas with targeted practice
Best For	• CloudOps Engineers and DevOps professionals • System administrators managing AWS environments • Engineers responsible for monitoring and automation • Candidates preparing for AWS associate-level certifications
Career Benefits	• Validates real-world AWS operations expertise • Opens roles in DevOps, CloudOps, and Site Reliability Engineering • Enhances troubleshooting and automation skills • Increases earning potential and career growth opportunities
Updated	2026 Latest Version – Based on AWS SOA-C03 Exam Guide & Real Exam Patterns

1.

A company needs to monitor CPU utilization of EC2 instances in real time. Which service should they use?

A. CloudTrail
B. CloudWatch
C. Config
D. Trusted Advisor

Answer: B
Rationale: Amazon CloudWatch provides real-time monitoring of AWS resources including EC2 metrics like CPU utilization, disk I/O, and network traffic. It also supports alarms and dashboards for proactive operations management.

---

2.

Which service records AWS API calls for auditing purposes?

A. CloudWatch
B. CloudTrail
C. Config
D. Inspector

Answer: B
Rationale: AWS CloudTrail logs API activity across AWS services, enabling auditing, compliance, and troubleshooting by tracking who did what and when.

---

3.

A company wants to automate instance recovery when an EC2 instance fails. What should they use?

A. Lambda
B. CloudWatch alarm + EC2 recovery
C. Auto Scaling only
D. Config

Answer: B
Rationale: CloudWatch alarms can trigger EC2 recovery actions automatically when instance health checks fail, ensuring minimal downtime without manual intervention.

---

4.

Which service tracks configuration changes of AWS resources?

A. CloudTrail
B. Config
C. CloudWatch
D. Trusted Advisor

Answer: B
Rationale: AWS Config records configuration changes and evaluates compliance, making it ideal for auditing and governance.

---

5.

Which service provides cost optimization recommendations?

A. CloudWatch
B. Trusted Advisor
C. Config
D. CloudTrail

Answer: B
Rationale: AWS Trusted Advisor provides best practice recommendations across cost, performance, security, and fault tolerance.

---

6.

Which AWS service helps automate operational tasks?

A. Lambda
B. EC2
C. S3
D. VPC

Answer: A
Rationale: AWS Lambda allows running code without managing servers, enabling automation of tasks such as log processing or resource cleanup.

---

7.

A company needs to ensure logs are stored long-term. What should they use?

A. CloudWatch Logs
B. S3
C. EBS
D. EC2

Answer: B
Rationale: Amazon S3 provides durable, cost-effective storage for long-term log retention, often used with lifecycle policies.

---

8.

Which service enables infrastructure as code?

A. CloudFormation
B. EC2
C. S3
D. Lambda

Answer: A
Rationale: AWS CloudFormation allows defining and provisioning infrastructure using templates, ensuring consistency and automation.

---

9.

Which service monitors compliance of resources?

A. Config
B. CloudTrail
C. CloudWatch
D. Inspector

Answer: A
Rationale: AWS Config evaluates resources against compliance rules and provides alerts for violations.

---

10.

Which service provides centralized logging?

A. CloudWatch Logs
B. S3
C. Lambda
D. EC2

Answer: A
Rationale: CloudWatch Logs centralizes logs from multiple services, enabling analysis and monitoring.

---

11.

Which AWS service helps detect vulnerabilities?

A. Inspector
B. GuardDuty
C. Config
D. Trusted Advisor

Answer: A
Rationale: AWS Inspector scans resources for vulnerabilities and security issues.

---

12.

Which service detects suspicious activity?

A. GuardDuty
B. Inspector
C. Config
D. CloudTrail

Answer: A
Rationale: GuardDuty uses ML and threat intelligence to detect anomalies and threats.

---

13.

Which service provides metrics and alarms?

A. CloudWatch
B. CloudTrail
C. Config
D. Inspector

Answer: A
Rationale: CloudWatch collects metrics and triggers alarms based on thresholds.

---

14.

Which service stores backups of EC2 volumes?

A. EBS Snapshots
B. S3
C. Glacier
D. Lambda

Answer: A
Rationale: EBS snapshots store backups of volumes for recovery.

---

15.

Which service helps manage patching of instances?

A. Systems Manager
B. Config
C. CloudTrail
D. Trusted Advisor

Answer: A
Rationale: AWS Systems Manager Patch Manager automates patching of EC2 instances.

---

16.

Which service helps manage EC2 instances remotely?

A. Systems Manager Session Manager
B. SSH
C. RDP
D. Lambda

Answer: A
Rationale: Session Manager enables secure access without opening ports.

---

17.

Which service provides automated scaling?

A. Auto Scaling
B. Lambda
C. S3
D. EC2

Answer: A
Rationale: Auto Scaling adjusts capacity based on demand.

---

18.

Which service manages DNS?

A. Route 53
B. CloudFront
C. ELB
D. VPC

Answer: A
Rationale: Route 53 provides DNS routing and health checks.

---

19.

Which service distributes traffic across instances?

A. ELB
B. CloudFront
C. Route 53
D. S3

Answer: A
Rationale: Elastic Load Balancing distributes incoming traffic.

---

20.

Which service provides object storage?

A. S3
B. EBS
C. EFS
D. EC2

Answer: A
Rationale: S3 provides scalable object storage.

---

21.

Which service provides shared file storage?

A. EFS
B. S3
C. EBS
D. Glacier

Answer: A
Rationale: EFS provides scalable shared file storage.

---

22.

Which service archives data cheaply?

A. Glacier
B. S3
C. EBS
D. EFS

Answer: A
Rationale: Glacier is low-cost archival storage.

---

23.

Which service monitors billing?

A. Cost Explorer
B. CloudWatch
C. Config
D. Inspector

Answer: A
Rationale: Cost Explorer tracks and analyzes AWS spending.

---

24.

Which service provides serverless compute?

A. Lambda
B. EC2
C. S3
D. VPC

Answer: A
Rationale: Lambda runs code without managing servers.

---

25.

Which service provides CDN?

A. CloudFront
B. Route 53
C. ELB
D. S3

Answer: A
Rationale: CloudFront delivers content globally.

---

26.

Which service manages IAM users and roles?

A. IAM
B. Config
C. CloudTrail
D. GuardDuty

Answer: A
Rationale: IAM manages access and permissions.

---

27.

Which service helps automate workflows?

A. Step Functions
B. Lambda
C. EC2
D. S3

Answer: A
Rationale: Step Functions orchestrates workflows.

---

28.

Which service provides monitoring dashboards?

A. CloudWatch
B. CloudTrail
C. Config
D. Inspector

Answer: A
Rationale: CloudWatch dashboards visualize metrics.

---

29.

Which service provides compliance checks?

A. Config
B. CloudTrail
C. CloudWatch
D. GuardDuty

Answer: A
Rationale: Config evaluates compliance.

---

30.

Which service provides threat detection?

A. GuardDuty
B. Inspector
C. Config
D. CloudTrail

Answer: A
Rationale: GuardDuty detects threats using ML.

31.

A company notices intermittent EC2 instance failures due to underlying hardware issues. What is the BEST solution?

A. Restart instance manually
B. Enable EC2 auto recovery via CloudWatch
C. Use Lambda
D. Replace instance type

Answer: B
Rationale: CloudWatch can monitor EC2 status checks and automatically trigger recovery actions when underlying hardware fails. This ensures minimal downtime and removes the need for manual intervention, aligning with operational best practices.

---

32.

A company needs to ensure all EC2 instances are tagged properly. What should they use?

A. CloudTrail
B. AWS Config rules
C. Trusted Advisor
D. CloudWatch

Answer: B
Rationale: AWS Config rules can enforce tagging policies and continuously evaluate resources for compliance. It can also trigger remediation actions, ensuring governance and proper resource organization across accounts.

---

33.

A company wants to automate stopping unused EC2 instances nightly. What is BEST?

A. Lambda + EventBridge
B. Auto Scaling
C. CloudFormation
D. Trusted Advisor

Answer: A
Rationale: EventBridge schedules events, and Lambda executes automation such as stopping instances. This combination enables serverless, cost-effective automation without managing infrastructure or scripts manually.

---

34.

A company needs to aggregate logs from multiple accounts. What is BEST?

A. CloudWatch Logs
B. S3 central bucket
C. CloudTrail only
D. Lambda

Answer: B
Rationale: Centralizing logs in an S3 bucket allows aggregation from multiple accounts and services. Combined with lifecycle policies and analytics tools, it provides scalable, durable, and cost-efficient log storage.

---

35.

A company wants to detect unauthorized API calls. What should they use?

A. CloudWatch
B. CloudTrail + GuardDuty
C. Config
D. Inspector

Answer: B
Rationale: CloudTrail logs API activity, while GuardDuty analyzes those logs for suspicious behavior. Together they provide detection of unauthorized or anomalous API usage, enhancing security monitoring.

---

36.

A company needs to automatically patch EC2 instances. What should they use?

A. CloudWatch
B. Systems Manager Patch Manager
C. Lambda
D. Config

Answer: B
Rationale: Patch Manager automates OS patching across EC2 instances, ensuring compliance and reducing operational overhead while maintaining security posture.

---

37.

A company wants to ensure encryption is enabled for all EBS volumes. What is BEST?

A. CloudTrail
B. Config rule
C. CloudWatch
D. Trusted Advisor

Answer: B
Rationale: AWS Config rules can evaluate whether EBS volumes are encrypted and flag non-compliant resources, ensuring continuous compliance and security enforcement across the environment.

---

38.

A company experiences sudden traffic spikes. What should they use?

A. Lambda
B. Auto Scaling
C. CloudTrail
D. Config

Answer: B
Rationale: Auto Scaling automatically adjusts the number of EC2 instances based on demand, ensuring performance and availability during traffic spikes without manual intervention.

---

39.

A company needs near real-time log analysis. What is BEST?

A. S3
B. CloudWatch Logs Insights
C. Glacier
D. EBS

Answer: B
Rationale: CloudWatch Logs Insights enables near real-time querying and analysis of logs, allowing quick troubleshooting and operational insights without exporting data elsewhere.

---

40.

A company wants to monitor unauthorized changes to IAM policies. What is BEST?

A. Config + CloudTrail
B. CloudWatch
C. Lambda
D. Trusted Advisor

Answer: A
Rationale: CloudTrail logs IAM changes, while Config tracks configuration states and compliance. Together, they provide visibility and alerting for unauthorized policy modifications.

---

41.

A company needs automated remediation for non-compliant resources. What is BEST?

A. Lambda only
B. Config + Systems Manager Automation
C. CloudTrail
D. EC2

Answer: B
Rationale: AWS Config detects non-compliance, and Systems Manager Automation executes remediation actions automatically, ensuring continuous compliance without manual effort.

---

42.

A company wants to prevent public access to S3 buckets. What is BEST?

A. CloudWatch
B. S3 Block Public Access + Config
C. Lambda
D. EC2

Answer: B
Rationale: S3 Block Public Access prevents exposure, while Config ensures compliance by detecting violations, providing both prevention and monitoring capabilities.

---

43.

A company wants to track changes to security groups. What is BEST?

A. CloudTrail
B. Config
C. Both A and B
D. CloudWatch

Answer: C
Rationale: CloudTrail logs API changes, while Config tracks configuration history. Using both provides complete visibility into security group changes and compliance status.

---

44.

A company needs centralized dashboards for metrics. What should they use?

A. CloudTrail
B. CloudWatch dashboards
C. Config
D. Inspector

Answer: B
Rationale: CloudWatch dashboards allow visualization of metrics across services, enabling centralized monitoring and operational insights.

---

45.

A company wants to reduce costs by identifying idle resources. What is BEST?

A. CloudWatch
B. Trusted Advisor
C. Config
D. Lambda

Answer: B
Rationale: Trusted Advisor provides recommendations for cost optimization, including identifying underutilized or idle resources.

---

46.

A company needs secure EC2 access without SSH. What is BEST?

A. VPN
B. Systems Manager Session Manager
C. RDP
D. Bastion host

Answer: B
Rationale: Session Manager enables secure access without opening ports, improving security and simplifying operations.

---

47.

A company needs to automate backups of EBS volumes. What is BEST?

A. Lambda
B. Data Lifecycle Manager
C. CloudWatch
D. Config

Answer: B
Rationale: Data Lifecycle Manager automates snapshot creation and retention, simplifying backup management.

---

48.

A company wants alerts for high CPU usage. What should they use?

A. CloudTrail
B. CloudWatch alarms
C. Config
D. Trusted Advisor

Answer: B
Rationale: CloudWatch alarms trigger notifications when metrics exceed thresholds, enabling proactive response.

---

49.

A company needs multi-account governance. What is BEST?

A. IAM
B. AWS Organizations
C. Lambda
D. Config

Answer: B
Rationale: AWS Organizations enables centralized governance, policy management, and account control.

---

50.

A company wants to automate infrastructure deployment. What is BEST?

A. Lambda
B. CloudFormation
C. EC2
D. S3

Answer: B
Rationale: CloudFormation enables infrastructure as code, ensuring repeatable and consistent deployments.

51.

A company needs real-time threat detection. What is BEST?

A. GuardDuty
B. Inspector
C. Config
D. CloudTrail

Answer: A
Rationale: GuardDuty analyzes logs and detects threats in real time using ML and threat intelligence.

---

52.

A company wants to track billing anomalies. What is BEST?

A. CloudWatch
B. Cost Explorer + Budgets
C. Config
D. Lambda

Answer: B
Rationale: AWS Budgets and Cost Explorer provide cost tracking and anomaly detection, enabling proactive financial management.

---

53.

A company needs to ensure high availability. What is BEST?

A. Single AZ
B. Multi-AZ deployment
C. Lambda
D. S3

Answer: B
Rationale: Multi-AZ deployments provide redundancy and fault tolerance, ensuring high availability.

---

54.

A company wants to automate scaling based on CPU. What is BEST?

A. Lambda
B. Auto Scaling with CloudWatch
C. Config
D. CloudTrail

Answer: B
Rationale: Auto Scaling uses CloudWatch metrics to adjust capacity automatically, ensuring performance and cost efficiency.

---

55.

A company needs centralized security monitoring. What is BEST?

A. GuardDuty + Security Hub
B. Config
C. CloudTrail
D. Lambda

Answer: A
Rationale: Security Hub aggregates findings, while GuardDuty detects threats, providing centralized visibility.

---

56.

A company wants to ensure compliance with standards. What is BEST?

A. Config
B. CloudTrail
C. CloudWatch
D. Lambda

Answer: A
Rationale: AWS Config evaluates resources against compliance rules and standards.

---

57.

A company needs automated incident response. What is BEST?

A. Lambda + EventBridge
B. EC2
C. S3
D. Config

Answer: A
Rationale: EventBridge triggers Lambda for automated responses to events, enabling real-time incident handling.

---

58.

A company wants to analyze logs centrally. What is BEST?

A. S3 + Athena
B. EC2
C. Lambda
D. Config

Answer: A
Rationale: S3 stores logs, and Athena enables querying, providing scalable log analysis.

---

59.

A company needs vulnerability scanning. What is BEST?

A. Inspector
B. GuardDuty
C. Config
D. CloudTrail

Answer: A
Rationale: Inspector scans for vulnerabilities and security issues.

---

60.

A company wants automated deployment pipelines. What is BEST?

A. CodePipeline
B. Lambda
C. EC2
D. S3

Answer: A
Rationale: CodePipeline automates CI/CD workflows, ensuring consistent deployments

61.

A company needs to automatically terminate EC2 instances that are not tagged correctly. What is the BEST solution?

A. CloudTrail
B. Config + Lambda remediation
C. Trusted Advisor
D. CloudWatch

Answer: B
Rationale: AWS Config rules can detect non-compliant resources such as missing tags. By integrating with Lambda, automated remediation actions like terminating instances can be triggered, ensuring governance and enforcing tagging policies consistently.

---

62.

A company wants to capture OS-level metrics (memory usage) from EC2 instances. What should they use?

A. CloudWatch default metrics
B. CloudWatch agent
C. CloudTrail
D. Config

Answer: B
Rationale: CloudWatch default metrics do not include OS-level data like memory usage. The CloudWatch agent must be installed to collect custom metrics such as memory and disk usage, enabling deeper monitoring and troubleshooting.

---

63.

A company needs near real-time alerting when application logs contain specific error patterns. What is BEST?

A. S3 event notifications
B. CloudWatch Logs metric filters + alarms
C. CloudTrail
D. Config

Answer: B
Rationale: CloudWatch Logs metric filters can detect specific log patterns and convert them into metrics. Alarms can then trigger alerts, enabling near real-time detection of application errors and faster incident response.

---

64.

A company wants to ensure all resources comply with company policies across multiple accounts. What is BEST?

A. IAM
B. AWS Organizations + SCPs + Config
C. Lambda
D. CloudWatch

Answer: B
Rationale: AWS Organizations with Service Control Policies (SCPs) enforce account-level restrictions, while Config monitors compliance. Together they provide centralized governance and continuous compliance across accounts.

---

65.

A company wants to automate patching and maintenance windows for EC2 instances. What should they use?

A. Lambda
B. Systems Manager Maintenance Windows
C. CloudTrail
D. Config

Answer: B
Rationale: Systems Manager Maintenance Windows allow scheduling tasks like patching during defined timeframes, ensuring minimal disruption while maintaining security compliance.

---

66.

A company needs to detect unusual login attempts across accounts. What is BEST?

A. CloudTrail only
B. GuardDuty
C. Config
D. CloudWatch

Answer: B
Rationale: GuardDuty analyzes CloudTrail logs and other data sources using machine learning to detect anomalies such as unusual login attempts, providing proactive threat detection across accounts.

67.

A company wants to enforce encryption for all new S3 buckets automatically. What is BEST?

A. Lambda only
B. Config rule + auto-remediation
C. CloudTrail
D. Trusted Advisor

Answer: B
Rationale: Config rules can detect unencrypted buckets, and auto-remediation can enforce encryption automatically, ensuring compliance without manual intervention.

---

68.

A company needs to troubleshoot latency issues in an application. What should they use?

A. CloudTrail
B. X-Ray
C. Config
D. Trusted Advisor

Answer: B
Rationale: AWS X-Ray provides distributed tracing, helping identify latency bottlenecks across services and microservices, enabling faster troubleshooting of performance issues.

---

69.

A company wants to store logs for 7 years at lowest cost. What is BEST?

A. S3 Standard
B. S3 Glacier Deep Archive
C. EBS
D. CloudWatch Logs

Answer: B
Rationale: Glacier Deep Archive provides the lowest-cost storage for long-term retention, making it ideal for compliance and archival requirements despite higher retrieval times.

---

70.

A company wants to ensure EC2 instances are not publicly accessible. What is BEST?

A. CloudTrail
B. Config rules
C. Lambda
D. CloudWatch

Answer: B
Rationale: Config rules can detect public IP assignments or open security groups, ensuring compliance with security policies and preventing exposure.

---

71.

A company needs to automate snapshot creation and retention for EBS volumes. What is BEST?

A. Lambda
B. Data Lifecycle Manager
C. CloudWatch
D. Config

Answer: B
Rationale: Data Lifecycle Manager automates snapshot scheduling and retention, simplifying backup management.

---

72.

A company wants alerts when disk space is low on EC2 instances. What is BEST?

A. CloudWatch default metrics
B. CloudWatch agent + alarms
C. CloudTrail
D. Config

Answer: B
Rationale: Disk usage requires custom metrics via CloudWatch agent, which can trigger alarms when thresholds are exceeded.

---

73.

A company needs centralized security findings across accounts. What is BEST?

A. GuardDuty only
B. Security Hub
C. Config
D. CloudTrail

Answer: B
Rationale: Security Hub aggregates findings from multiple services, providing centralized visibility.

---

74.

A company wants to automate scaling based on queue length. What is BEST?

A. Lambda
B. Auto Scaling + CloudWatch metrics
C. Config
D. CloudTrail

Answer: B
Rationale: CloudWatch metrics from SQS can trigger Auto Scaling, ensuring capacity matches demand.

---

75.

A company wants to audit changes to S3 bucket policies. What is BEST?

A. CloudWatch
B. CloudTrail
C. Config
D. Lambda

Answer: B
Rationale: CloudTrail logs API changes, enabling auditing of policy changes.

---

76.

A company wants to enforce least privilege access. What is BEST?

A. IAM policies
B. Config
C. CloudTrail
D. Lambda

Answer: A
Rationale: IAM policies define permissions, enabling least privilege.

---

77.

A company needs automated rollback for failed deployments. What is BEST?

A. Lambda
B. CodeDeploy
C. CloudTrail
D. Config

Answer: B
Rationale: CodeDeploy supports automatic rollback on deployment failures.

---

78.

A company needs real-time monitoring dashboards. What is BEST?

A. CloudWatch dashboards
B. CloudTrail
C. Config
D. Lambda

Answer: A
Rationale: CloudWatch dashboards provide real-time visualization.

---

79.

A company wants to detect configuration drift. What is BEST?

A. CloudTrail
B. Config
C. CloudWatch
D. Lambda

Answer: B
Rationale: Config tracks configuration changes and detects drift.

---

80.

A company needs to automate incident response. What is BEST?

A. Lambda + EventBridge
B. EC2
C. S3
D. Config

Answer: A
Rationale: EventBridge triggers Lambda for automated responses.

---

81.

A company wants to optimize EC2 costs. What is BEST?

A. CloudWatch
B. Trusted Advisor
C. Config
D. Lambda

Answer: B
Rationale: Trusted Advisor provides cost optimization recommendations.

---

82.

A company needs to ensure logs are immutable. What is BEST?

A. S3 with versioning + MFA delete
B. CloudWatch
C. EBS
D. EC2

Answer: A
Rationale: S3 versioning and MFA delete prevent deletion or modification.

---

83.

A company wants to monitor API errors. What is BEST?

A. CloudWatch metrics
B. CloudTrail
C. Config
D. Lambda

Answer: A
Rationale: CloudWatch tracks API error metrics and enables alerting.

---

84.

A company needs automated infrastructure deployment. What is BEST?

A. CloudFormation
B. EC2
C. Lambda
D. S3

Answer: A
Rationale: CloudFormation enables infrastructure as code.

---

85.

A company wants to analyze logs at scale. What is BEST?

A. S3 + Athena
B. EC2
C. Lambda
D. Config

Answer: A
Rationale: Athena queries logs stored in S3 efficiently.

---

86.

A company needs vulnerability scanning. What is BEST?

A. Inspector
B. GuardDuty
C. Config
D. CloudTrail

Answer: A
Rationale: Inspector identifies vulnerabilities in workloads.

---

87.

A company wants to ensure compliance automatically. What is BEST?

A. Config
B. CloudTrail
C. CloudWatch
D. Lambda

Answer: A
Rationale: Config continuously evaluates compliance.

---

88.

A company needs centralized account management. What is BEST?

A. IAM
B. AWS Organizations
C. Lambda
D. Config

Answer: B
Rationale: Organizations centralizes account management.

---

89.

A company wants to monitor network traffic patterns. What is BEST?

A. VPC Flow Logs
B. CloudTrail
C. Config
D. Lambda

Answer: A
Rationale: VPC Flow Logs capture network traffic metadata.

---

90.

A company needs automated CI/CD pipelines. What is BEST?

A. CodePipeline
B. Lambda
C. EC2
D. S3

Answer: A
Rationale: CodePipeline automates CI/CD workflows.

91.

A company notices that EC2 instances in an Auto Scaling group are repeatedly failing health checks due to application errors. What is the BEST solution?

A. Replace instance type
B. Increase instance size
C. Fix application and use ELB health checks
D. Disable health checks

Answer: C
Rationale: Auto Scaling replaces unhealthy instances based on health checks. If failures are due to application issues, simply replacing instances won’t help. Using ELB health checks ensures traffic is only routed to healthy instances while fixing the root cause.

---

92.

A company needs to ensure that logs from all accounts are centrally stored and immutable. What is BEST?

A. CloudWatch Logs only
B. S3 with versioning + Object Lock
C. EBS snapshots
D. Lambda

Answer: B
Rationale: S3 Object Lock with versioning ensures logs cannot be deleted or modified, meeting compliance requirements. Centralizing logs in S3 allows aggregation across accounts with strong durability and security controls.

---

93.

A company wants to trigger automated remediation when a security group allows SSH from 0.0.0.0/0. What is BEST?

A. CloudTrail
B. Config + Lambda
C. CloudWatch
D. Trusted Advisor

Answer: B
Rationale: AWS Config detects non-compliant security group rules, and Lambda can automatically remediate by removing open SSH access. This combination enforces security policies in near real time.

---

94.

A company needs to monitor application latency across microservices. What should they use?

A. CloudWatch metrics
B. X-Ray
C. CloudTrail
D. Config

Answer: B
Rationale: AWS X-Ray provides distributed tracing across microservices, helping identify latency bottlenecks and performance issues across service boundaries.

---

95.

A company wants to ensure that IAM roles are not overly permissive. What is BEST?

A. CloudTrail
B. IAM Access Analyzer
C. Config
D. Lambda

Answer: B
Rationale: IAM Access Analyzer identifies overly permissive policies and unintended access, helping enforce least privilege and improve security posture.

---

96.

A company needs to automatically scale based on custom application metrics. What is BEST?

A. Lambda
B. CloudWatch custom metrics + Auto Scaling
C. Config
D. CloudTrail

Answer: B
Rationale: Custom metrics can be published to CloudWatch and used to trigger Auto Scaling policies, enabling scaling based on application-specific conditions rather than default metrics.

---

97.

A company wants to track configuration changes and maintain a history of resources. What is BEST?

A. CloudTrail
B. Config
C. CloudWatch
D. Inspector

Answer: B
Rationale: AWS Config maintains a detailed history of resource configurations, enabling tracking, auditing, and compliance evaluation over time.

---

98.

A company needs to ensure high availability for a database. What is BEST?

A. Single AZ
B. Multi-AZ deployment
C. Lambda
D. S3

Answer: B
Rationale: Multi-AZ deployments provide automatic failover and redundancy, ensuring database availability during failures.

---

99.

A company wants to detect unusual network traffic patterns. What is BEST?

A. VPC Flow Logs + GuardDuty
B. CloudTrail
C. Config
D. Lambda

Answer: A
Rationale: VPC Flow Logs capture network metadata, while GuardDuty analyzes it for anomalies and threats using ML, enabling proactive security monitoring.

---

100.

A company wants to automate infrastructure rollback on failure. What is BEST?

A. Lambda
B. CloudFormation rollback
C. EC2
D. S3

Answer: B
Rationale: CloudFormation automatically rolls back failed deployments, ensuring infrastructure consistency and preventing partial deployments.

---

101.

A company wants to monitor billing anomalies in real time. What is BEST?

A. CloudWatch
B. AWS Budgets + alerts
C. Config
D. Lambda

Answer: B
Rationale: AWS Budgets allows setting thresholds and alerts for spending anomalies, helping control costs proactively.

---

102.

A company needs to securely access EC2 instances without opening ports. What is BEST?

A. SSH
B. Bastion host
C. Systems Manager Session Manager
D. VPN

Answer: C
Rationale: Session Manager provides secure access without requiring open inbound ports, improving security and simplifying management.

---

103.

A company wants to detect unauthorized changes to resources. What is BEST?

A. CloudWatch
B. CloudTrail + Config
C. Lambda
D. Trusted Advisor

Answer: B
Rationale: CloudTrail logs API activity, while Config tracks resource states. Together they provide comprehensive visibility into unauthorized changes.

---

104.

A company wants to automate deployment pipelines with approvals. What is BEST?

A. Lambda
B. CodePipeline
C. EC2
D. S3

Answer: B
Rationale: CodePipeline supports CI/CD workflows with approval steps, ensuring controlled deployments.

---

105.

A company needs to analyze logs for troubleshooting at scale. What is BEST?

A. S3 + Athena
B. EC2
C. Lambda
D. Config

Answer: A
Rationale: Athena allows querying large log datasets stored in S3 efficiently without managing infrastructure.

---

106.

A company wants to enforce encryption across all services. What is BEST?

A. CloudTrail
B. Config rules
C. CloudWatch
D. Lambda

Answer: B
Rationale: Config rules can evaluate encryption settings and ensure compliance across services.

---

107.

A company needs automated incident response workflows. What is BEST?

A. Lambda + EventBridge
B. EC2
C. S3
D. Config

Answer: A
Rationale: EventBridge triggers Lambda functions for automated responses to events, enabling real-time incident handling.

---

108.

A company wants to ensure resource tagging compliance. What is BEST?

A. CloudTrail
B. Config
C. CloudWatch
D. Lambda

Answer: B
Rationale: Config rules can enforce tagging policies and identify non-compliant resources.

---

109.

A company needs to monitor application logs in real time. What is BEST?

A. CloudWatch Logs
B. S3
C. Glacier
D. EBS

Answer: A
Rationale: CloudWatch Logs enables real-time ingestion, monitoring, and analysis of logs.

---

110.

A company wants to detect vulnerabilities in EC2 instances. What is BEST?

A. GuardDuty
B. Inspector
C. Config
D. CloudTrail

Answer: B
Rationale: Inspector scans EC2 instances for vulnerabilities and security issues.

---

111.

A company wants centralized security findings across services. What is BEST?

A. GuardDuty
B. Security Hub
C. Config
D. CloudTrail

Answer: B
Rationale: Security Hub aggregates findings from multiple services, providing centralized visibility.

---

112.

A company needs automated scaling based on traffic. What is BEST?

A. Lambda
B. Auto Scaling
C. Config
D. CloudTrail

Answer: B
Rationale: Auto Scaling adjusts capacity based on demand automatically.

---

113.

A company wants to ensure backups are retained automatically. What is BEST?

A. Lambda
B. Data Lifecycle Manager
C. CloudWatch
D. Config

Answer: B
Rationale: Data Lifecycle Manager automates backup scheduling and retention.

---

114.

A company needs to monitor API usage. What is BEST?

A. CloudWatch
B. CloudTrail
C. Config
D. Lambda

Answer: B
Rationale: CloudTrail logs API calls, enabling monitoring and auditing.

---

115.

A company wants to detect anomalies in metrics. What is BEST?

A. CloudWatch anomaly detection
B. Config
C. Lambda
D. CloudTrail

Answer: A
Rationale: CloudWatch anomaly detection uses ML to identify unusual patterns in metrics.

---

116.

A company needs centralized account management. What is BEST?

A. IAM
B. AWS Organizations
C. Lambda
D. Config

Answer: B
Rationale: Organizations centralizes account management and governance.

---

117.

A company wants to automate patch compliance reporting. What is BEST?

A. Systems Manager
B. CloudTrail
C. Config
D. Lambda

Answer: A
Rationale: Systems Manager provides patch compliance reporting and automation.

---

118.

A company needs to track changes to security configurations. What is BEST?

A. CloudTrail
B. Config
C. Both A and B
D. Lambda

Answer: C
Rationale: CloudTrail logs changes, while Config tracks configuration states, providing full visibility.

---

119.

A company wants to monitor network traffic logs. What is BEST?

A. VPC Flow Logs
B. CloudTrail
C. Config
D. Lambda

Answer: A
Rationale: VPC Flow Logs capture network traffic metadata for analysis.

---

120.

A company needs automated CI/CD pipelines. What is BEST?

A. CodePipeline
B. Lambda
C. EC2
D. S3

Answer: A
Rationale: CodePipeline automates deployment workflows and integrates with other AWS services.

121.

A company needs to ensure that all EC2 instances use approved AMIs. What is the BEST solution?

A. CloudTrail
B. Config rule + approved AMI list
C. CloudWatch
D. Lambda

Answer: B
Rationale: AWS Config can enforce rules that restrict EC2 instances to approved AMIs. This ensures compliance and prevents unauthorized or insecure images from being used, improving governance and security posture.

---

122.

A company wants to automatically restart unhealthy containers in ECS. What should they use?

A. Lambda
B. ECS service with health checks
C. CloudTrail
D. Config

Answer: B
Rationale: ECS services monitor container health and automatically restart unhealthy tasks. This ensures application availability without manual intervention and aligns with best practices for container orchestration.

---

123.

A company needs to detect unusual spikes in application errors. What is BEST?

A. CloudTrail
B. CloudWatch anomaly detection
C. Config
D. Lambda

Answer: B
Rationale: CloudWatch anomaly detection uses machine learning to identify unusual metric patterns, such as spikes in error rates, enabling proactive alerting and faster incident response.

---

124.

A company wants to ensure all RDS instances are encrypted. What is BEST?

A. CloudTrail
B. Config rules
C. Lambda
D. Trusted Advisor

Answer: B
Rationale: AWS Config rules can evaluate encryption settings for RDS instances and flag non-compliant resources, ensuring consistent enforcement of security policies across the environment.

---

125.

A company needs to automatically clean up unused EBS volumes. What is BEST?

A. Lambda scheduled task
B. CloudTrail
C. Config
D. Trusted Advisor

Answer: A
Rationale: Lambda combined with EventBridge can periodically identify unattached EBS volumes and delete them, reducing costs and improving resource efficiency without manual effort.

---

126.

A company wants to ensure EC2 instances are launched only in specific regions. What is BEST?

A. IAM policy
B. SCP in AWS Organizations
C. CloudWatch
D. Lambda

Answer: B
Rationale: Service Control Policies (SCPs) restrict actions across accounts, enforcing region-based governance centrally and preventing resource creation in unauthorized regions.

---

127.

A company needs to audit changes to S3 object data. What is BEST?

A. CloudTrail data events
B. Config
C. CloudWatch
D. Lambda

Answer: A
Rationale: CloudTrail data events track object-level operations such as PUT and DELETE in S3, providing detailed auditing capabilities beyond standard API logging.

---

128.

A company wants to monitor application performance and visualize metrics. What is BEST?

A. CloudTrail
B. CloudWatch dashboards
C. Config
D. Trusted Advisor

Answer: B
Rationale: CloudWatch dashboards provide real-time visualization of metrics, enabling teams to monitor performance trends and identify issues quickly.

---

129.

A company needs to ensure EC2 instances are patched regularly. What is BEST?

A. Lambda
B. Systems Manager Patch Manager
C. CloudTrail
D. Config

Answer: B
Rationale: Patch Manager automates patching schedules and ensures compliance, reducing manual effort and improving security.

---

130.

A company wants to detect unauthorized changes to security groups in real time. What is BEST?

A. CloudTrail + EventBridge + Lambda
B. Config only
C. CloudWatch
D. Trusted Advisor

Answer: A
Rationale: CloudTrail logs changes, EventBridge detects events, and Lambda can trigger alerts or remediation in near real time, enabling automated security responses.

---

131.

A company wants to ensure EC2 instances automatically scale down during low demand. What is BEST?

A. Lambda
B. Auto Scaling with scheduled scaling
C. Config
D. CloudTrail

Answer: B
Rationale: Scheduled scaling allows predictable scaling actions based on time, ensuring cost optimization during low demand periods.

---

132.

A company needs to monitor container-level logs in ECS. What is BEST?

A. S3
B. CloudWatch Logs
C. CloudTrail
D. Config

Answer: B
Rationale: CloudWatch Logs integrates with ECS to collect and monitor container logs in real time, enabling troubleshooting and analysis.

---

133.

A company wants to enforce MFA for all IAM users. What is BEST?

A. IAM policy + Config rule
B. CloudTrail
C. Lambda
D. Trusted Advisor

Answer: A
Rationale: IAM policies enforce MFA usage, while Config ensures compliance by detecting users without MFA enabled, providing both enforcement and monitoring.

---

134.

A company wants to automate rollback if deployment health checks fail. What is BEST?

A. Lambda
B. CodeDeploy
C. EC2
D. S3

Answer: B
Rationale: CodeDeploy supports automatic rollback when health checks fail, ensuring application stability and minimizing downtime during deployments.

---

135.

A company needs to monitor disk I/O performance on EC2. What is BEST?

A. CloudWatch default metrics
B. CloudWatch agent
C. CloudTrail
D. Config

Answer: B
Rationale: While some disk metrics are available by default, detailed OS-level metrics require the CloudWatch agent, enabling deeper performance insights.

---

136.

A company wants to analyze large-scale logs efficiently. What is BEST?

A. S3 + Athena
B. EC2
C. Lambda
D. Config

Answer: A
Rationale: Athena enables serverless querying of logs stored in S3, allowing scalable and cost-effective analysis without managing infrastructure.

---

137.

A company needs centralized alerting for security findings. What is BEST?

A. GuardDuty
B. Security Hub
C. Config
D. CloudTrail

Answer: B
Rationale: Security Hub aggregates findings from multiple AWS services, providing centralized visibility and alerting for security issues.

---

138.

A company wants to track resource usage trends over time. What is BEST?

A. CloudWatch metrics
B. CloudTrail
C. Config
D. Lambda

Answer: A
Rationale: CloudWatch metrics provide historical data and trends, enabling analysis of resource usage and capacity planning.

---

139.

A company wants to enforce tagging policies at scale. What is BEST?

A. IAM
B. Config + SCP
C. CloudTrail
D. Lambda

Answer: B
Rationale: SCPs enforce tagging requirements at account level, while Config monitors compliance, ensuring consistent tagging across environments.

---

140.

A company needs to monitor and alert on failed login attempts. What is BEST?

A. CloudTrail + CloudWatch alarms
B. Config
C. Lambda
D. Trusted Advisor

Answer: A
Rationale: CloudTrail logs login attempts, and CloudWatch alarms can trigger alerts based on specific patterns, enabling proactive security monitoring.

141.

A company wants to automatically quarantine EC2 instances suspected of compromise by removing network access. What is the BEST solution?

A. CloudWatch only
B. Lambda triggered by GuardDuty findings
C. Config
D. Trusted Advisor

Answer: B
Rationale: GuardDuty detects suspicious activity and can trigger EventBridge events. Lambda can then modify security groups or isolate the instance, enabling automated incident response and reducing potential damage quickly.

---

142.

A company needs to ensure all logs are encrypted at rest and in transit. What is BEST?

A. CloudWatch only
B. S3 encryption + TLS + Config
C. Lambda
D. EC2

Answer: B
Rationale: S3 encryption ensures data at rest is protected, while TLS secures data in transit. Config can enforce compliance by checking encryption settings, ensuring continuous security enforcement.

---

143.

A company wants to monitor and alert on sudden drops in application traffic. What is BEST?

A. CloudTrail
B. CloudWatch alarms
C. Config
D. Lambda

Answer: B
Rationale: CloudWatch alarms can monitor metrics such as request count and trigger alerts when thresholds are breached, enabling quick detection of outages or traffic issues.

---

144.

A company needs to automate cleanup of unused IAM roles. What is BEST?

A. Lambda scheduled cleanup
B. CloudTrail
C. Config
D. Trusted Advisor

Answer: A
Rationale: Lambda combined with EventBridge can periodically identify unused IAM roles and remove them, improving security posture by eliminating unnecessary permissions and reducing attack surface.

---

145.

A company wants to detect configuration changes that violate compliance policies and immediately revert them. What is BEST?

A. CloudTrail
B. Config + auto-remediation
C. CloudWatch
D. Trusted Advisor

Answer: B
Rationale: AWS Config detects non-compliant changes and can trigger automated remediation actions, such as reverting configurations, ensuring continuous compliance without manual intervention.

---

146.

A company needs to ensure application logs are searchable in near real time and retained long term. What is BEST?

A. CloudWatch Logs + S3 export
B. S3 only
C. Glacier only
D. EBS

Answer: A
Rationale: CloudWatch Logs provides real-time ingestion and search, while exporting logs to S3 ensures durable, cost-effective long-term storage, combining performance and cost optimization.

---

147.

A company wants to enforce least privilege across all accounts and continuously detect violations. What is BEST?

A. IAM only
B. IAM + Access Analyzer + Config
C. CloudTrail
D. Lambda

Answer: B
Rationale: IAM defines permissions, Access Analyzer identifies overly permissive access, and Config ensures compliance. Together they provide a complete least-privilege enforcement and monitoring solution.

---

148.

A company needs to monitor application health and automatically route traffic away from unhealthy instances. What is BEST?

A. CloudTrail
B. ELB health checks
C. Config
D. Lambda

Answer: B
Rationale: Elastic Load Balancing health checks detect unhealthy instances and stop routing traffic to them, ensuring high availability and fault tolerance without manual intervention.

---

149.

A company wants to detect unusual spikes in API activity across accounts. What is BEST?

A. CloudTrail + CloudWatch + anomaly detection
B. Config
C. Lambda
D. Trusted Advisor

Answer: A
Rationale: CloudTrail logs API activity, CloudWatch aggregates metrics, and anomaly detection identifies unusual patterns, enabling proactive detection of abnormal behavior.

---

150.

A company needs a fully automated, event-driven architecture for operational tasks like scaling, remediation, and notifications. What is BEST?

A. EC2
B. Lambda + EventBridge + CloudWatch
C. S3
D. Config

Answer: B
Rationale: EventBridge captures events, Lambda executes logic, and CloudWatch monitors metrics and triggers alerts, forming a fully serverless, event-driven operations framework.