View SOA-C03 Exam Questions

Q: 11

A CloudOps engineer needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added. Which additional actions should the CloudOps engineer take to control access? (Select TWO.)

Options

Discussion

Morgan Mar 1, 2026 5:18 am

Probably A and E. You have to create an IAM policy with tag-based conditions (E) and attach it directly to users or groups needing SSM access (A). B is a common trap but that's for instance roles, not user session control.

Karan S. Feb 27, 2026 12:20 pm

A and E tbh

Reese A. Mar 4, 2026 11:23 pm

I don't think it's B, since that's more about the instance role itself, not user access. For controlling who can use Session Manager, you attach an IAM policy to users (A) and make it tag-based (E). Trap is confusing instance vs user access.

Maya V. Feb 27, 2026 11:59 pm

Probably A and E. You attach an IAM policy (A) to the user or group, then use a tag-based condition (E) to scope SSM access to those EC2 instances. Instance roles are for the instance, not user access. Makes sense to me but open to other takes.

EthanP Feb 23, 2026 3:34 pm

A E, saw a similar question on a practice test. IAM policy (A) for users, with tag-based conditions (E).

Hannah F. Mar 5, 2026 10:07 am

A and E tbh. Tag-based IAM policies (E) are what restrict which EC2s you can access, and attaching the policy to users/groups (A) enforces it. The other options aren't really about SSM access control. Pretty sure that's right.

Drew Mar 4, 2026 8:54 pm

C/D? If you're focused on restricting at the instance level instead of user permissions, C or D feels tempting since they relate to grouping or accounts. Not sure they're right here though, because Session Manager is mostly IAM-driven.

Liam E. Feb 26, 2026 12:50 am

A and E tbh. Controlling user access to SSM sessions needs an IAM policy with tag conditions plus attaching that policy to the right users/groups. Not totally sure if that's all the question wanted, but closest fit here.

CameronM Feb 21, 2026 6:55 am

AWS just loves to make this trickier than it needs to be, A and E.

Ravi F. Feb 22, 2026 9:09 am

A and E tbh, had something like this in a mock. You attach the IAM policy to users (A) and scope it to tagged instances via Condition (E). Attaching a role to the instance (B) just lets SSM connect, doesn't control user access directly. Agree?

Be respectful. No spam.

Correct Answer:

A, E

Explanation

To control user access to EC2 instances via AWS Systems Manager Session Manager based on tags, a two-step IAM configuration is required. First, an IAM policy must be created that explicitly grants the ssm:StartSession permission. This policy must include a Condition element that restricts the permission to only those EC2 instances matching a specific tag key and value. Second, this newly created IAM policy must be attached to the IAM users or groups that require this specific level of access. This combination ensures that only authorized users can initiate sessions and only on the intended, tagged instances.

Why Incorrect

B. An IAM role is attached to an EC2 instance to grant the instance permissions to other AWS services, not to control user access to the instance.

C. Placement groups are used to influence the physical placement of EC2 instances for performance or fault tolerance, not for managing access control.

D. "Service account" is not the standard AWS term for this context; the equivalent is an IAM role, which, as explained for option B, is incorrect for this use case.

References

1. AWS Systems Manager User Guide: Under "Limiting access to sessions using IAM policies

" the documentation states

"You can provide users with access to start sessions on managed nodes and limit that access based on tags that have been applied to the nodes... After you create an IAM policy... you can attach the policy to an IAM user

group

or role." This supports both creating a conditional policy (E) and attaching it to a principal (A).

Source: AWS Systems Manager User Guide

Section: "Limiting access to sessions using IAM policies".

2. AWS Identity and Access Management User Guide: This guide details how to use Condition elements in IAM policies to control access based on tags. It provides the syntax and logic for using condition keys like aws:ResourceTag to match tags on a resource. The example policy for Session Manager uses a condition key ssm:resourceTag/tag-key to achieve this.

Source: AWS Identity and Access Management User Guide

Section: "Controlling access to AWS resources using tags".

3. AWS Systems Manager User Guide: The documentation provides a specific example of an IAM policy that grants permission to start a session on any instance tagged with Finance for the Department key. This policy must then be attached to an IAM principal (user or group).

Source: AWS Systems Manager User Guide

Section: "Example 3: Limiting access to managed nodes based on tags".

Q: 12

A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A CloudOps engineer must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all AWS accounts and cloud applications. Which prerequisites must the CloudOps engineer have so that the CloudOps engineer can connect to the external IdP? (Select TWO.)

Options

Discussion

Reese L. Mar 2, 2026 4:32 am

Option A and B make sense, you don't need root or admin to member accounts for just SAML federation. The IP address (C) is a distractor here, SAML trusts are all about metadata exchange and certificates. If I missed something let me know.

Riley W. Mar 3, 2026 4:35 pm

Yeah, for federation you really need both the AWS SSO (IAM Identity Center) SAML metadata and the IdP's metadata like the X.509 cert. So that's A and B. No need for IPs or access to all accounts here. Pretty sure that's what they're looking for, but shout if you see it differently!

Ivy T. Feb 15, 2026 8:48 am

A is wrong, B and A. You always have to exchange the SAML metadata files when connecting IAM Identity Center with an external IdP, since that's how both sides establish trust and configure endpoints. Stuff like IP address (C) or root/member account access (D/E) isn't needed for SSO federation. Pretty sure this is straight from AWS docs but happy if someone sees it differently.

Karan C. Feb 24, 2026 3:35 pm

Do you actually need D to just connect IAM Identity Center to a SAML IdP, or is org admin enough?

Ravi Feb 21, 2026 6:53 am

Not B, C's a common trap here. SAML federation relies on exchanging metadata files, so you need both the IAM Identity Center metadata (A) and the IdP's SAML metadata with cert (B). IP address isn't part of the SAML setup at all. I've seen similar on practice before but open to being corrected.

Ava Feb 19, 2026 5:47 pm

A/B for sure, tbh. Only the metadata exchange is needed to set up SAML federation, not IPs or root/member account access.

Avery W. Feb 23, 2026 12:35 pm

A B

Priya S. Mar 5, 2026 12:07 am

A/B? Pretty sure those are right, since SAML federation is all about exchanging metadata-not IP addresses or root/member admin access. C is a common trap, but you don't set up SAML with an IP. Someone correct me if that's off.

Riley C. Mar 3, 2026 12:10 pm

Yeah, for SAML 2.0 federation you definitely need the metadata files from both sides. So A and B are the way to go here. The IP address and root/admin access aren't part of this setup, just need the right metadata exchange. Pretty sure that's all there is to it, unless I'm missing some edge case.

DirectAuditor412 Mar 4, 2026 8:32 pm

A/B tbh, that's what you see in official guides and practice tests for SAML setup. Metadata files are always required to federate.

Be respectful. No spam.

Correct Answer:

A, B

Explanation

To establish a federated trust relationship using SAML 2.0 between AWS IAM Identity Center (acting as the Service Provider or SP) and an external Identity Provider (IdP), a two-way exchange of configuration data, known as metadata, is required. The CloudOps engineer needs the IdP's metadata file, which contains its sign-in URL and the public X.509 certificate used to verify SAML assertions. Conversely, the engineer must provide the IAM Identity Center's metadata (such as the Assertion Consumer Service URL and issuer URL) to the IdP administrator to configure the trust on their end. This metadata exchange is a fundamental prerequisite for SAML federation.

Why Incorrect

C. SAML federation relies on DNS-resolvable endpoint URLs specified in the metadata, not on static IP addresses, which are not a standard or reliable configuration method.

D. While administrative permissions are needed in the management account, root access is not required and violates the security best practice of least privilege. An IAM role with sufficient permissions is the correct approach.

E. The federation with the external IdP is configured centrally within IAM Identity Center in the management account. Administrative permissions in member accounts are not a prerequisite for this specific task.

References

1. AWS IAM Identity Center User Guide: In the section "Connect to your external identity provider

" the documentation outlines the prerequisites. It explicitly states

"Before you begin

you must obtain the SAML 2.0 metadata document from your IdP. This document is an XML file that includes the IdP's public key certificate

the entity ID

and the IdP's SSO sign-in URL." This directly supports option B.

Source: AWS IAM Identity Center User Guide

"Manage your identity source

" "Connect to your external identity provider."

2. AWS IAM Identity Center User Guide: The same guide details the information that must be provided to the external IdP. It states

"You can find the IAM Identity Center SAML metadata values that you need to provide to your IdP on the View details page... These values include the IAM Identity Center assertion consumer service (ACS) URL and the IAM Identity Center issuer URL." This confirms the necessity of having a copy of this metadata

supporting option A.

Source: AWS IAM Identity Center User Guide

"Manage your identity source

" "Connect to your external identity provider."

3. AWS Security Best Practices in IAM: This documentation emphasizes avoiding the use of the root user for administrative tasks. It states

"Don't use the AWS account root user for your everyday tasks... Instead

create an administrative user for yourself." This principle invalidates the requirement for root access as mentioned in option D.

Source: AWS Identity and Access Management User Guide

"Security best practices in IAM

" "Secure your AWS account root user."

Q: 13

A company is migrating a legacy application to AWS. The application runs on EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). The target group routing algorithm is set to weighted random, and the application requires session affinity (sticky sessions). After deployment, users report random application errors that were not present before migration, even though target health checks are passing. Which solution will meet this requirement?

Options

Discussion

Sara K. Feb 16, 2026 2:24 am

Option A is the way to go. Weighted random doesn't work with sticky sessions, so users can get routed to different EC2s mid-session, causing errors. Least outstanding requests works better with session affinity. Pretty sure that's the fix-let me know if anyone's seen otherwise.

Mia D. Feb 26, 2026 4:03 am

Definitely check the official AWS study guide and practice tests, this scenario lines up with Option A.

Mia W. Feb 23, 2026 6:32 pm

I don't think D is right for strict session affinity. Random routing breaks sticky sessions, so it's A.

Jordan Mar 3, 2026 6:35 am

If "session affinity" was only crucial for a specific subset, like admin users, maybe D would be ok. But as it's stated for the whole app, have to say A.

FriendlyArchitect9533 Mar 1, 2026 8:33 am

I don't think D fixes sticky session problems, that's a trap here. It's A.

Nathan H. Feb 26, 2026 12:59 pm

Looks a lot like scenarios from the official AWS practice tests. A is correct since least outstanding requests supports sticky sessions, unlike weighted random. I think this matches what you'd see in the study guide too. Disagree?

Karan T. Feb 21, 2026 12:16 pm

Not B, it's A. Weighted random breaks sticky sessions so users bounce between targets and lose session state. Least outstanding requests works with stickiness. Option B's more for dealing with traffic anomalies, not session affinity issues.

PracticalEngineer6995 Mar 1, 2026 1:35 pm

C/D? Not fully sold on either, but sticky sessions definitely need supported routing. Still, deregistration delay (D) sometimes helps clean up errors in transition phases. I think A is right but curious if anyone made D work here.

Meera L. Feb 16, 2026 3:54 am

Official guide says sticky sessions don't work with weighted random routing. Switching to least outstanding requests (A) is what fixes it. Pretty sure this matches AWS docs and I've seen similar in practice tests. Disagree?

Skyler Feb 22, 2026 5:07 am

I feel like D could help since increasing the deregistration delay gives connections more time to finish, maybe fixing some errors. Not totally convinced it's the real fix for sticky sessions though, but worth a try if that's the issue.

Be respectful. No spam.

Correct Answer:

Explanation

The root cause of the random errors is the incompatibility between the selected routing algorithm and the requirement for session affinity. The weighted random routing algorithm does not support sticky sessions. When both are configured, the load balancer cannot guarantee that subsequent requests from the same user will be sent to the same target instance. This breaks session state for the application, leading to unpredictable behavior and errors.

By changing the routing algorithm to least outstanding requests, the Application Load Balancer can properly implement sticky sessions. This algorithm is compatible with session affinity and will ensure that once a user's session is established with a target, all subsequent requests from that user are routed to the same target, preserving session state and eliminating the errors.

Why Incorrect

B. Anomaly mitigation is a sub-feature of the least outstanding requests algorithm; it is not a standalone setting and does not address the core routing incompatibility.

C. Disabling cross-zone load balancing alters how traffic is distributed across Availability Zones but does not resolve the conflict between the routing algorithm and sticky sessions.

D. Deregistration delay is relevant for handling in-flight requests when an instance is being deregistered, not for routing errors during normal operation with healthy targets.

References

1. AWS Documentation: Elastic Load Balancing User Guide - Routing algorithm.

This document explicitly states the compatibility of different routing algorithms with sticky sessions. It notes: "The round robin and least outstanding requests routing algorithms can be used with sticky sessions

while the weighted random routing algorithm cannot." This directly supports the conclusion that the weighted random algorithm is the cause of the issue.

2. AWS Documentation: Elastic Load Balancing User Guide - Sticky sessions for your Application Load Balancer.

This guide explains how sticky sessions work. It states

"Sticky sessions are a mechanism to route requests from the same client to the same target... This is useful for servers that maintain state information in order to provide a continuous experience to clients." This confirms that failing to maintain stickiness would cause the state-related errors described in the question. The choice of a compatible routing algorithm is fundamental to this mechanism.

Q: 14

Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB. Other applications from an on-premises environment cannot communicate with Application A on port 8080. To troubleshoot the issue, a CloudOps engineer analyzes the flow logs. The flow logs include the following records: ACCEPT from 192.168.0.13:59003 → 172.31.16.139:8080 REJECT from 172.31.16.139:8080 → 192.168.0.13:59003 What is the reason for the rejected traffic?

Options

Discussion

Sam I. Feb 23, 2026 3:17 pm

Option D not B. Trap is thinking security groups block it, but it's the stateless NACL blocking outbound ephemeral.

Mia F. Feb 25, 2026 4:38 pm

encountered exactly similar question in my exam. in practice exams, it's D

SteadySec6492 Feb 19, 2026 10:27 am

Pretty sure it's D. The flow log shows the outbound (response) traffic to the client's ephemeral port gets rejected, which is classic when the subnet's NACL doesn't allow that outbound range. Security groups are stateful so wouldn't block the reply like this. Let me know if I'm missing something.

LaylaU Feb 26, 2026 1:47 pm

Maybe D. Saw almost the same setup in a practice test, and it was an outbound NACL rule missing for ephemeral ports.

Nathan L. Feb 25, 2026 6:57 pm

Looks like D, since NACLs are stateless and you need explicit outbound rules for return traffic to those ephemeral ports. Security groups would allow the response back automatically so pretty sure it’s not B. Anyone disagree?

Ryan R. Feb 23, 2026 1:20 am

Option B Had something like this in a mock and picked B because I thought the NLB security group might be blocking on-prem traffic, not realizing it's stateless. Not totally sure though, feel free to correct me.

RaviI Feb 23, 2026 11:55 am

Its B, not D. I think the NLB’s security group is a common trap in these questions.

Luke Mar 1, 2026 7:33 am

C/D? Nothing in the flow log suggests security group issues, so pretty sure it's D.

SteadySec5296 Feb 27, 2026 1:35 pm

A is wrong, D. Security groups allow response traffic automatically since they're stateful, but NACLs need explicit outbound rules for those return ephemeral ports. I think D fits best but open to other views.

SteadySec1590 Feb 23, 2026 12:54 am

Call it D. Security groups are stateful so return traffic is automatically allowed, but NACLs need explicit outbound rules for those ephemeral ports.

Be respectful. No spam.

Correct Answer:

Explanation

The VPC Flow Logs provide critical information. The ACCEPT record for inbound traffic (192.168.0.13 → 172.31.16.139:8080) confirms that both the Network ACL (NACL) and the EC2 instance's security group are correctly configured to allow the initial request.

However, the REJECT record for the return traffic (172.31.16.139:8080 → 192.168.0.13:59003) indicates the response is being blocked. Security groups are stateful, meaning if inbound traffic is allowed, the return traffic is automatically permitted. In contrast, NACLs are stateless and require explicit rules for both inbound and outbound traffic. The rejection of the response packet, destined for the client's ephemeral port (59003), points directly to a missing or incorrect outbound rule in the NACL associated with the instance's subnet.

Why Incorrect

A. The inbound traffic is ACCEPTed, which would not be possible if the security group were blocking traffic from the NLB's targets.

B. Network Load Balancers do not have security groups. Security groups are associated with the target EC2 instances, not the NLB itself.

C. The initial traffic from the on-premises environment was ACCEPTed by the AWS VPC, indicating the on-premises ACL is not the source of the block.

References

1. AWS Documentation - VPC Flow Logs: "If the traffic is permitted by both the security groups and the network ACLs

the record shows ACCEPT. If the traffic is denied by a security group or a network ACL

the record shows REJECT." (Source: AWS Documentation

VPC User Guide

"Log file format"

section on the action field).

2. AWS Documentation - Network ACLs: "Network ACLs are stateless

which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)." (Source: AWS Documentation

VPC User Guide

"Network ACLs"

section "Network ACL basics").

3. AWS Documentation - Ephemeral Ports: "When a client connects to a server

a random port from the ephemeral port range... becomes the client's source port. The response from the server is sent to this ephemeral port on the client... The network ACL for the subnet... must have an outbound rule to allow traffic destined for the ephemeral ports." (Source: AWS Documentation

VPC User Guide

"Network ACLs"

section "Ephemeral ports").

4. AWS Documentation - Security Groups: "Security groups are stateful. If you send a request from your instance

the response traffic for that request is allowed to flow in

regardless of inbound security group rules." (Source: AWS Documentation

VPC User Guide

"Security groups"

section "Security group basics").

Q: 15

A CloudOps engineer creates an AWS CloudFormation template to define an application stack that can be deployed in multiple AWS Regions. The CloudOps engineer also creates an Amazon CloudWatch dashboard by using the AWS Management Console. Each deployment of the application requires its own CloudWatch dashboard. How can the CloudOps engineer automate the creation of the CloudWatch dashboard each time the application is deployed?

Options

Discussion

Ryan J. Feb 14, 2026 7:24 pm

Makes sense to go with B here. CloudFormation lets you automate dashboard creation per deployment that way.

IshaanJ Feb 25, 2026 11:27 am

I get why B is best since using AWS::CloudWatch::Dashboard in the template lets every stack create its own dashboard automatically, with all the config you want. The CLI script (A) could work, but it’s not as integrated or hands-off, so pretty sure B lines up with AWS best practices here. Disagree?

Ajay U. Feb 19, 2026 2:53 am

B no contest

PreciseReviewer3751 Feb 28, 2026 9:50 pm

D imo. If CloudFormation keeps the dashboard name static then each deployment would just update the existing dashboard right?

Ravi G. Feb 28, 2026 8:09 am

B is the one I'd pick here since CloudFormation can provision a new CloudWatch dashboard each time using the exported JSON. That's the only way every stack gets its own copy, which matches "each deployment" in the question. Pretty sure this is what AWS expects for automation.

Maya P. Feb 16, 2026 5:38 pm

B for sure, exporting the dashboard JSON and using AWS::CloudWatch::Dashboard in your template lets CloudFormation handle it all. No need for manual CLI steps. Pretty standard practice here I think, unless I'm missing something.

Ivy Feb 16, 2026 3:46 pm

B tbh. CloudFormation can create the dashboard each deploy using the exported JSON. No manual steps.

Mia Feb 17, 2026 11:13 am

A had something like this in a mock and that's what I picked.

Mia B. Mar 1, 2026 9:19 pm

B not D. D would just overwrite the same dashboard every time, which isn't what you want if each deployment needs its own. B lets CloudFormation handle creating a new dashboard per stack, pretty sure that's what's needed in this scenario.

Layla G. Feb 17, 2026 6:27 am

Option B makes sense, but I hesitate a bit since you have to export the dashboard JSON and paste it into the template. Still, that's the method that actually creates a new dashboard per stack automatically using CloudFormation. Not 100% sure since some folks mention scripting with CLI (A), but B feels like what AWS wants here. Agree?

Be respectful. No spam.

Correct Answer:

Explanation

The most effective and automated method to provision a CloudWatch dashboard with an application stack is to define it as a resource within the AWS CloudFormation template. The AWS::CloudWatch::Dashboard resource type is designed for this purpose. An existing dashboard's configuration can be viewed and copied as a JSON object from the AWS Management Console. This JSON is then provided as a string to the DashboardBody property of the AWS::CloudWatch::Dashboard resource in the template. This approach ensures that a new, correctly configured dashboard is created automatically every time the CloudFormation stack is deployed, and its lifecycle is managed with the stack.

Why Incorrect

A. This is not the most integrated approach. It requires a separate, post-deployment step, making the process less atomic and more complex to manage than defining the dashboard directly within the CloudFormation template.

C. The Ref intrinsic function is used to reference parameters or the logical IDs of other resources within the same stack, not to import or reference pre-existing resources created outside of the stack.

D. The DashboardName property specifies the name for the new dashboard being created. Simply providing the name of an existing dashboard without the required DashboardBody property would be an incomplete definition and would cause a creation failure if the name already exists.

References

1. AWS CloudFormation User Guide

AWS::CloudWatch::Dashboard resource: This official documentation specifies the syntax for creating a CloudWatch dashboard. It states that the DashboardBody property is required and "is a string that specifies the dashboard body text in JSON format."

Source: AWS CloudFormation User Guide

Resource and property reference

AWS::CloudWatch::Dashboard.

2. Amazon CloudWatch User Guide

Creating a CloudWatch dashboard: This guide explains how to work with dashboards

including how to view the source of an existing dashboard. In the dashboard actions menu

selecting "View/edit source" displays the dashboard's JSON definition

which can be copied for use in the DashboardBody property.

Source: Amazon CloudWatch User Guide

Using Amazon CloudWatch dashboards

Creating a CloudWatch dashboard.

3. AWS CloudFormation User Guide

Intrinsic function reference - Ref: This document clarifies that Ref returns the value of the specified parameter or resource. It is used for composing properties of resources within a template

not for referencing external

pre-existing resources.

Source: AWS CloudFormation User Guide

Template anatomy

Intrinsic function reference

Ref.

Question 11 of 20 · Page 2 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE