AWS SOA-C02: SysOps Administrator Associate Practice Exam

What the AWS SOA-C02 exam covers

• Monitoring, Logging, and Remediation50 questions
• Reliability and Business Continuity42 questions
• Deployment, Provisioning, and Automation51 questions
• Security and Compliance59 questions
• Networking and Content Delivery45 questions
• Cost and Performance Optimization53 questions

Free AWS SOA-C02 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

1. Question 1Monitoring, Logging, and Remediation

   Which service collects metrics and lets you set alarms that trigger actions when thresholds are breached?

   • AAWS IAM
   • BAmazon CloudWatchCorrect
   • CAmazon VPC
   • DAmazon S3
   ✓ Correct answer: B

   Amazon CloudWatch is a comprehensive monitoring service designed to collect metrics from AWS resources and user-defined applications, enabling operators to set alarms on these metrics that trigger automated actions when thresholds are breached. CloudWatch provides the foundation for operational visibility, alerting, and automated remediation workflows.

   Why the other options are wrong

   • AAWS IAM is incorrect because it manages identity and access control, not metrics collection or alarm configuration.
   • CAmazon VPC is incorrect because it is a networking service focused on virtual network configuration, not metrics collection.
   • DAmazon S3 is incorrect because it is an object storage service and does not provide monitoring or alarm capabilities.
2. Question 2Monitoring, Logging, and Remediation

   To collect OS-level metrics (memory, disk) and logs from EC2 instances, what do you install?

   • AThe CloudFront distribution
   • BA NAT gateway
   • CAn S3 lifecycle policy
   • DThe CloudWatch agent (unified agent)Correct
   ✓ Correct answer: D

   The CloudWatch agent is software that must be installed on EC2 instances to collect OS-level metrics such as memory utilization, disk space, and detailed process information, as well as custom application logs. The agent then ships this data to CloudWatch for centralized monitoring and alerting. Without the agent, EC2 instances only report basic hardware metrics like CPU utilization.

   Why the other options are wrong

   • AThe CloudFront distribution is incorrect because it is a content delivery network service unrelated to instance-level metric collection.
   • BA NAT gateway is incorrect because it is a networking component for enabling private subnet outbound access.
   • CAn S3 lifecycle policy is incorrect because it manages object retention and storage transitions, not log or metric collection.
3. Question 3Monitoring, Logging, and Remediation

   Which service routes events (e.g., from AWS services) to targets to drive automated remediation?

   • AAmazon EventBridgeCorrect
   • BAmazon RDS
   • CAmazon EBS
   • DAWS KMS
   ✓ Correct answer: A

   Amazon EventBridge is a serverless event bus service that ingests events from AWS services (and custom applications) and routes them to targets such as Lambda functions, SNS topics, SQS queues, or Systems Manager Automation, enabling event-driven workflows and automated remediation. When combined with Config rules or CloudWatch alarms, EventBridge can trigger remediation actions in response to detected problems.

   Why the other options are wrong

   • BAmazon RDS is incorrect because it is a managed database service, not an event routing platform.
   • CAmazon EBS is incorrect because it provides block storage volumes for EC2 instances.
   • DAWS KMS is incorrect because it is a key management service for encryption, not event routing.
4. Question 4Monitoring, Logging, and Remediation

   Which service records AWS API calls across the account for auditing and investigation?

   • AAmazon CloudFront
   • BAWS CloudTrailCorrect
   • CAmazon EFS
   • DAWS Lambda
   ✓ Correct answer: B

   AWS CloudTrail is an auditing service that records all API calls made across an AWS account, capturing details such as the calling principal, action, resources, timestamp, and source IP. CloudTrail logs provide the audit trail required for compliance investigations and forensic analysis of who performed what actions and when.

   Why the other options are wrong

   • AAmazon CloudFront is incorrect because it is a content delivery network, not an API auditing service.
   • CAmazon EFS is incorrect because it is an elastic file system service for shared file access.
   • DAWS Lambda is incorrect because it is a serverless compute service, not an auditing platform.
5. Question 5Monitoring, Logging, and Remediation

   Which CloudWatch feature converts a log pattern (e.g., 'ERROR') into a metric you can alarm on?

   • AA Route 53 record
   • BAn S3 lifecycle rule
   • CA CloudWatch Logs metric filterCorrect
   • DA security group
   ✓ Correct answer: C

   CloudWatch Logs metric filters scan log streams for specific patterns (e.g., 'ERROR', 'Failed', or custom regex) and automatically convert matching log entries into custom CloudWatch metrics, which can then trigger alarms and drive automated actions. This capability bridges CloudWatch Logs and CloudWatch metrics, enabling alerting based on log content without manual parsing.

   Why the other options are wrong

   • AA Route 53 record is incorrect because it is a DNS service unrelated to log filtering.
   • BAn S3 lifecycle rule is incorrect because it manages object retention policies, not log pattern detection.
   • DA security group is incorrect because it controls network traffic, not log filtering.
6. Question 6Networking and Content Delivery

   For routing HTTP/HTTPS traffic with path/host-based rules, which Elastic Load Balancer type is appropriate?

   • ANetwork Load Balancer (NLB, Layer 4) for HTTP routing rules
   • BA Classic Load Balancer is the only option
   • CApplication Load Balancer (ALB, Layer 7)Correct
   • DGateway Load Balancer for HTTP routing
   ✓ Correct answer: C

   The ALB operates at Layer 7 (Application layer) and is specifically designed for advanced routing rules based on path, hostname, headers, and query parameters. NLBs operate at Layer 4 and lack HTTP-level routing capabilities.

   Why the other options are wrong

   • ANetwork Load Balancer (NLB, Layer 4) for HTTP routing rules is incorrect because NLBs operate at the transport layer and cannot make routing decisions based on HTTP headers or URL paths. A Classic Load Balancer is the only option is incorrect because it predates the ALB and lacks comprehensive path/host-based routing. Gateway Load Balancer for HTTP routing is incorrect because GWLB is designed for security appliances.
   • BClassic Load Balancers have limited path/host-based routing.
   • DGateway Load Balancers are designed for security appliances.
7. Question 7Networking and Content Delivery

   You want to log every DNS query resolved for a Route 53 public hosted zone for security analysis. Which capability should you configure?

   • ARoute 53 query logging to CloudWatch LogsCorrect
   • BCloudTrail data events
   • CALB access logs
   • DVPC Flow Logs
   ✓ Correct answer: A

   Route 53 query logging captures DNS query metadata (query name, type, response code, etc.) for all queries resolved by a public hosted zone. This logging to CloudWatch Logs allows you to analyze all DNS activity for security purposes, audit compliance, and troubleshooting.

   Why the other options are wrong

   • BCloudTrail data events are incorrect because CloudTrail tracks API calls, not DNS query resolution.
   • CALB access logs are incorrect because ALB logs track HTTP requests, not DNS queries.
   • DVPC Flow Logs are incorrect because VPC Flow Logs track IP traffic, not DNS resolution.
8. Question 8Networking and Content Delivery

   During a phased migration you must transfer 500 TB of archival data to S3 over a network link that would take months to complete. Which AWS option physically ships the data instead?

   • AAWS Snowball EdgeCorrect
   • BAmazon CloudFront
   • CVPC peering
   • DAWS Global Accelerator
   ✓ Correct answer: A

   AWS Snowball Edge is a physical data transfer appliance designed to move large volumes of data (including up to 100 TB) between your on-premises location and AWS. For a 500 TB migration that would take months over a network link, Snowball Edge provides a cost-effective, faster alternative by physically shipping the data to AWS data centers for import into S3.

   Why the other options are wrong

   • BAmazon CloudFront is incorrect because CloudFront is a CDN for content delivery, not data migration.
   • CVPC peering is incorrect because VPC peering only connects VPCs, not for data transfer.
   • DAWS Global Accelerator is incorrect because Global Accelerator improves network performance, not for bulk data migration.
9. Question 9Networking and Content Delivery

   During migration you need a private, dedicated, consistent-bandwidth connection between your on-premises data center and AWS that does not traverse the public internet. Which service provides this?

   • AAn internet gateway
   • BA Site-to-Site VPN over the internet only
   • CAmazon CloudFront
   • DAWS Direct ConnectCorrect
   ✓ Correct answer: D

   AWS Direct Connect provides a dedicated, private network connection from your on-premises data center to AWS without traversing the public internet. It offers consistent, dedicated bandwidth, lower latency, and more predictable performance compared to VPN connections.

   Why the other options are wrong

   • AAn internet gateway is incorrect because internet gateways connect VPCs to the internet, not on-premises to AWS.
   • BA Site-to-Site VPN is incorrect because VPNs traverse the public internet.
   • CAmazon CloudFront is incorrect because CloudFront is a CDN, not a hybrid connectivity service.
10. Question 10Networking and Content Delivery

    After migrating a TCP-based, ultra-low-latency game backend to AWS you need a load balancer that handles millions of requests per second at Layer 4 and preserves the client source IP. Which load balancer fits?

    • AClassic Load Balancer (CLB)
    • BNetwork Load Balancer (NLB)Correct
    • CApplication Load Balancer (ALB)
    • DGateway Load Balancer (GWLB)
    ✓ Correct answer: B

    The NLB is optimized for handling ultra-high performance, low-latency protocols like TCP. It can handle millions of requests per second at Layer 4, preserve the client source IP when using instance ID targeting, and process both TCP and UDP traffic with minimal latency.

    Why the other options are wrong

    • AClassic Load Balancer is incorrect because CLB is older technology with lower performance.
    • CApplication Load Balancer is incorrect because ALBs operate at Layer 7 and introduce higher latency from application inspection.
    • DGateway Load Balancer is incorrect because GWLB is designed for security appliances, not general game backend traffic.

AWS SOA-C02 practice exam FAQ