SaveMyCert
Log in
5 of 5 free questions left today·for unlimited practice
SOA-C03 practice

Free SOA-C03 practice questions

Drill exam-realistic AWS Certified CloudOps Engineer – Associate questions by domain, with an explanation on every option — not just the right one. 5 fully worked examples are further down this page, answers included.

Question bank
260
across 5 domains
Free, no account
5/day
sign up free to remove the cap
Real exam
65 Qs
130 min · pass 720
Explanations
Every option
right and wrong

Build a practice session

Domains

How many?

Mode

Ready when you are

10 fresh questions drawn across all domains, in Learn mode.

Focused review

Every question you answer incorrectly, and every question you flag while practising, is saved here automatically. Finish a session and you can come back to re-drill just those.

5 sample SOA-C03 questions, fully explained

Real questions from the SOA-C03 bank, with the answer key and the reasoning behind every option. Read them, then go back up the page and try the rest.

Question 1Monitoring, Logging, Analysis, Remediation, and Performance Optimization

An on-call engineer is investigating a report of high memory usage on an EC2 instance, but the CloudWatch console shows CPUUtilization and NetworkIn for the instance and no memory metrics at all. What should the engineer do to make memory utilization available in CloudWatch?

Choose one.

  • a
    Enable detailed monitoring on the instance.

    Detailed monitoring only raises the frequency of the existing hypervisor metrics from 5 minutes to 1 minute. It adds no new metrics, so memory still would not appear.

  • b
    Install and configure the CloudWatch agent on the instance. Correct

    Memory is an in-guest metric that the hypervisor cannot see. The CloudWatch agent runs inside the operating system and publishes memory, disk-space, and swap metrics to CloudWatch.

  • c
    Create a metric filter on the instance's log group.

    Metric filters count pattern matches in log data that already exists. They cannot generate memory utilization measurements that nothing is collecting.

  • d
    Attach an IAM role with broader CloudWatch permissions to the instance.

    Permissions alone do not produce metrics. Without the agent installed, no process inside the OS is measuring or publishing memory usage.

The concept

Default EC2 metrics come from the hypervisor, which can only observe the instance from outside: CPU, network, disk I/O, and status checks. Memory utilization, disk-space utilization, and swap usage are internal to the guest OS, so they are never in the default metric set.

Why that’s the answer

Installing and configuring the CloudWatch agent is the only way to collect in-guest metrics such as memory, because the agent runs inside the operating system and publishes what the hypervisor cannot see. Detailed monitoring is tempting but only increases the frequency of the same hypervisor metrics; a metric filter works on logs, not OS measurements; and IAM changes grant permission without creating any data source.

How to reason it out
  1. Confirm the missing metric is an in-guest metric (memory, disk space, swap) rather than a hypervisor metric.
  2. Install the CloudWatch agent on the instance.
  3. Configure the agent's JSON configuration to collect the memory metrics required.
  4. Verify the new metrics arrive in CloudWatch and build alarms or dashboards on them.

Exam tip: Memory and disk-space metrics missing from CloudWatch always point to installing the CloudWatch agent — detailed monitoring never adds new metrics.

CloudWatch Metrics, Alarms, and Log Filters for SOA-C03 — the lesson that teaches this.

Question 2Reliability and Business Continuity

A CloudOps engineer manages a web application on an EC2 Auto Scaling group. Management requires that the fleet's average CPU utilization stay near 50% as traffic rises and falls throughout the day. Which scaling configuration meets this requirement with the LEAST operational overhead?

Choose one.

  • a
    A target tracking scaling policy with a target of 50% average CPU utilization Correct

    Target tracking is built for exactly this: you set the target value and AWS creates and manages the CloudWatch alarms, scaling out and in to hold the metric near 50% with no further configuration.

  • b
    Step scaling policies with CloudWatch alarms at 60%, 70%, and 80% CPU

    Step scaling requires the engineer to design and maintain the alarms and adjustment tiers, and it reacts to breaches rather than holding a metric near a value — more overhead for a worse fit.

  • c
    A simple scaling policy that adds one instance when CPU exceeds 50%

    Simple scaling is the legacy option: it makes one fixed adjustment and then waits out a cooldown before acting again, so it lags load changes and never manages capacity around a target.

  • d
    Scheduled scaling actions that add instances during business hours

    Scheduled scaling changes capacity at fixed times regardless of actual CPU, so it cannot keep the average near 50% when real traffic deviates from the schedule.

The concept

Target tracking scaling holds a chosen metric — such as average CPU utilization — at a target value by automatically creating and managing the CloudWatch alarms and scaling in both directions.

Why that’s the answer

The requirement 'keep a metric near a value' maps directly to target tracking, which needs only the metric and the target number — the least configuration of any policy type. Step scaling could approximate the behavior but demands hand-built alarms and tiered adjustments; simple scaling is legacy and makes only one adjustment per cooldown window; scheduled scaling follows the clock, not the metric.

How to reason it out
  1. Translate the requirement: 'keep average CPU near 50%' is a target-value goal, not a threshold or schedule.
  2. Create a target tracking policy on the Auto Scaling group with ASGAverageCPUUtilization as the metric and 50 as the target.
  3. Let AWS manage the generated alarms — do not edit or delete them.
  4. Set instance warmup so booting instances do not distort the aggregate metric.

Exam tip: When a requirement says keep a metric near a value, the answer is a target tracking policy — the modern default with the least operational overhead.

Auto Scaling and Elasticity: EC2, Caching, and Database Scaling — the lesson that teaches this.

Question 3Deployment, Provisioning, and Automation

A CloudOps engineer deregistered dozens of outdated AMIs during an account cleanup, but the next monthly bill still shows the same EBS snapshot storage charges. What is the cause?

Choose one.

  • a
    Deregistered AMIs are retained for 30 days before AWS automatically removes their snapshots.

    There is no automatic 30-day snapshot cleanup tied to AMI deregistration; the snapshots persist indefinitely until someone deletes them.

  • b
    Deregistering an AMI does not delete its backing EBS snapshots, so the engineer must delete the snapshots separately. Correct

    AMI deregistration only removes the ability to launch from the image; the underlying EBS snapshots remain and continue to accrue storage charges until they are deleted explicitly.

  • c
    The AMIs were shared with other accounts, which forces AWS to keep the snapshots billed to the owner.

    Sharing controls launch permissions, not snapshot lifecycle; the charges continue simply because the snapshots were never deleted, shared or not.

  • d
    EBS snapshot charges always continue until the source volumes are also deleted.

    Snapshots are billed independently of their source volumes; deleting or keeping the volume has no effect on snapshot storage charges.

The concept

Deregistering an AMI and deleting its backing EBS snapshots are two separate operations, so stale-image cleanup is always a two-step job.

Why that’s the answer

Deregistration only prevents new launches from the image; the EBS snapshots that back it stay in the account and keep billing until deleted. The 30-day retention answer invents a lifecycle that does not exist, the sharing answer confuses launch permissions with storage lifecycle, and the source-volume answer gets snapshot billing backwards — snapshots are independent of volumes.

How to reason it out
  1. Identify the snapshot IDs associated with each deregistered AMI (they are listed in the AMI's block device mappings before deregistration, or findable by description).
  2. Deregister the AMI so no new instances can launch from it.
  3. Delete the now-orphaned EBS snapshots explicitly.
  4. Confirm in billing or Cost Explorer that snapshot storage charges drop.

Exam tip: Deregistering an AMI never deletes its EBS snapshots — delete them separately or keep paying for them.

CloudFormation, StackSets, and golden images: provisioning for SOA-C03 — the lesson that teaches this.

Question 4Security and Compliance

A security audit requires that every IAM user in an AWS account authenticate with multi-factor authentication (MFA) before performing any actions. An administrator opens the account password policy settings but cannot find any option to require MFA. How should the administrator enforce the requirement?

Choose one.

  • a
    Enable the "Require MFA" option in the account password policy.

    No such option exists. The account password policy governs only console password rules — length, complexity, reuse, and expiry — and has no MFA setting.

  • b
    Attach an IAM policy to all users that denies every action except the MFA-management actions whenever the aws:MultiFactorAuthPresent condition key is not true. Correct

    This is the AWS-recommended enforcement pattern: a Deny using BoolIfExists on aws:MultiFactorAuthPresent locks users out of everything except registering an MFA device until they authenticate with MFA.

  • c
    Enable an AWS Config managed rule that checks whether IAM users have MFA enabled.

    AWS Config is detective — it reports users without MFA as noncompliant but cannot force anyone to authenticate with MFA before acting.

  • d
    Enable a Trusted Advisor security check that blocks sign-ins made without MFA.

    Trusted Advisor only flags findings, such as a root user without MFA; it never blocks any sign-in or API call.

The concept

The IAM account password policy cannot require MFA — it only controls console password rules. MFA is enforced with an IAM policy that denies actions when the request lacks MFA context.

Why that’s the answer

A Deny statement conditioned on aws:MultiFactorAuthPresent (using BoolIfExists so access-key requests, which never carry MFA context, are also denied) blocks every action except MFA registration until the user authenticates with MFA. The password policy has no MFA option, and AWS Config and Trusted Advisor are detective tools — they report problems but cannot prevent an unauthenticated action.

How to reason it out
  1. Create an IAM policy with a Deny on all actions, excepting the MFA-management actions users need to register a device.
  2. Add the condition BoolIfExists aws:MultiFactorAuthPresent is false, so both console and access-key requests without MFA are denied.
  3. Attach the policy to all IAM users, typically through a group.
  4. Verify a test user can only manage MFA until authenticating with a registered device.
  5. Enable MFA on the root user separately — it is not covered by IAM user policies.

Exam tip: The password policy cannot require MFA — enforce it with a Deny conditioned on aws:MultiFactorAuthPresent.

IAM, AWS Organizations, and Compliance Tools for CloudOps (SOA-C03) — the lesson that teaches this.

Question 5Networking and Content Delivery

A CloudOps engineer is designing subnets for a new VPC and allocates a 10.0.4.0/28 CIDR block to a small management subnet. How many usable IP addresses will be available for resources in this subnet?

Choose one.

  • a
    16

    A /28 contains 16 total addresses, but AWS reserves 5 of them in every subnet, so 16 are never all usable.

  • b
    14

    Subtracting only the network and broadcast addresses is traditional networking math; AWS reserves five addresses per subnet, not two.

  • c
    11 Correct

    AWS reserves 5 IPs in every subnet — the network address, VPC router, DNS resolver, one for future use, and the broadcast address — leaving 16 − 5 = 11 usable.

  • d
    13

    This assumes only three reserved addresses; AWS holds back five, including the +.3 future-use address and the broadcast address.

The concept

In every VPC subnet, AWS reserves five IP addresses that cannot be assigned to resources: the network address, the VPC router (+1), the Amazon DNS resolver (+2), a future-use address (+3), and the broadcast address (the last address, held back even though broadcast is not supported).

Why that’s the answer

A /28 block has 16 total addresses, and after AWS's five reservations, 11 remain assignable. The answer 14 applies traditional networking (network + broadcast reserved) but misses the three AWS-specific reservations, 16 ignores reservations entirely, and 13 undercounts the reserved set. This matters operationally because small subnets fill up fast — load balancer nodes and interface endpoints each consume addresses too.

How to reason it out
  1. Compute the total addresses in the CIDR: a /28 yields 2^(32−28) = 16.
  2. Subtract the five AWS-reserved addresses (network, router, DNS, future use, broadcast).
  3. Confirm the result: 16 − 5 = 11 usable addresses.
  4. When sizing subnets, add headroom for ENIs consumed by load balancers, endpoints, and NAT gateways.

Exam tip: Every AWS subnet loses exactly five IP addresses to reservations — a /28 gives 11 usable addresses, not 14 or 16.

VPC Networking and Private Connectivity for SOA-C03 — the lesson that teaches this.

The SOA-C03 question bank, by domain

The bank is built to the exam's own weighting, so the practice you get reflects the marks that are actually on offer — not whichever domain was easiest to write questions for.

Published SOA-C03 practice questions per exam domain
DomainExam weightTopicsQuestions
Monitoring, Logging, Analysis, Remediation, and Performance Optimization22%360
Reliability and Business Continuity22%360
Deployment, Provisioning, and Automation22%240
Security and Compliance16%240
Networking and Content Delivery18%360
Total100%13260

How SOA-C03 questions are worded

Most SOA-C03 questions are not asking whether you can recall a definition. They describe a situation and ask which option satisfies it — so the skill being tested is reading the requirement precisely and eliminating options that fail it.

Single-response vs multiple-response

A single-response question has exactly one right answer. A multiple-response question tells you how many to pick ("Choose TWO") and there is no partial credit — getting one of the two right scores nothing. Read that instruction before you read the options.

Read the last line first

The final sentence is the actual question; everything before it is scenario. Read it first, then read the scenario knowing what you are looking for. It stops you from building an answer in your head that the question never asked for.

Hunt for the qualifier

Most scenarios turn on one word — MOST cost-effective, LEAST operational overhead, with the LEAST latency, without changing application code. Two options are frequently both technically correct, and the qualifier is the only thing separating them.

Eliminate, then choose

Distractors are almost always real AWS services doing a real job — just not this job. Rule out the ones that break a stated constraint before you compare what's left. On a question you truly don't know, eliminating two options turns a guess into a coin flip.

Beyond SOA-C03 practice

SOA-C03 practice questions: your questions

Yes. You can answer 5 questions a day with no account at all, and creating a free account removes the daily limit entirely — the full 260-question SOA-C03 bank, with an explanation on every option.