Practice questions · IT & Cloud
AWS SysOps Administrator Associate (SOA-C02): Practice Questions
Original concept-check questions for the AWS SysOps Administrator Associate, spanning the exam domains. Each answer is explained, including why the others are wrong. Filter by domain or difficulty. These are concept checks, not real exam questions.
Answered 0 · Correct 0
-
Amazon CloudWatch is used to:
Correct answer: D. CloudWatch provides monitoring, logs and alarms for AWS resources. Running containers is ECS/EKS, managing DNS is Route 53, and storing objects is S3. -
A CloudWatch Alarm:
Correct answer: D. An alarm watches a metric and acts when a threshold is breached. Building images is done by EC2 Image Builder, storing backups is AWS Backup, and routing traffic is a load balancer or Route 53. -
To collect application logs from EC2 instances into CloudWatch you use:
Correct answer: B. The CloudWatch agent (or Logs agent) ships instance and application logs to CloudWatch Logs. Route 53 is DNS, an SCP is an Organizations permission guardrail, and a NAT gateway provides outbound internet for private subnets. -
Amazon EventBridge is used to:
Correct answer: B. EventBridge is an event bus that routes events to targets and triggers automation. Provisioning VPCs is networking, storing secrets is Secrets Manager, and encrypting disks is EBS encryption with KMS. -
To automatically remediate an issue when an alarm fires you can:
Correct answer: D. An alarm can trigger an action such as an SNS notification, a Lambda function or a Systems Manager automation document to fix the issue. Disabling logging, deleting the metric or doing nothing leave the problem unaddressed. -
A 'custom metric' in CloudWatch is:
Correct answer: A. A custom metric is application-defined data you publish yourself to CloudWatch. A log file is stored in CloudWatch Logs, an alarm watches a metric, and a built-in EC2 metric (like CPUUtilization) is published automatically by AWS, not by you. -
AWS CloudFormation provides:
Correct answer: A. CloudFormation is infrastructure as code that provisions resources declaratively from templates. A CDN is CloudFront, a database is RDS/DynamoDB, and threat detection is GuardDuty. -
AWS Systems Manager is used to:
Correct answer: C. Systems Manager operates and automates fleets of resources (patching, run commands, parameters). Routing DNS is Route 53, serving web content is CloudFront/S3, and storing objects is S3. -
To patch a fleet of EC2 instances at scale you use:
Correct answer: C. Systems Manager Patch Manager automates OS patching across instances. CloudFront is a CDN, Route 53 is DNS, and SQS is a message queue. -
CloudFormation 'drift detection' identifies:
Correct answer: D. Drift detection finds resources that were changed outside the template, diverging from its expected state. DNS records, billing errors and network latency are not what drift detection inspects. -
A CloudFormation 'stack' is:
Correct answer: C. A stack is a deployed collection of resources created and managed together from one template. A log group is a CloudWatch Logs container, and a stack is broader than a single VPC or a single EC2 instance. -
An Amazon VPC is:
Correct answer: D. A VPC is a logically isolated virtual network in AWS. A managed database is RDS, a monitoring tool is CloudWatch, and a CDN is CloudFront. -
A security group is a firewall that is:
Correct answer: A. Security groups are stateful and attach to instances; NACLs are stateless at the subnet level. -
A network ACL (NACL) is a firewall that is:
Correct answer: C. NACLs are stateless and operate at the subnet boundary, unlike stateful security groups. -
Amazon Route 53 provides:
Correct answer: B. Route 53 is AWS's DNS and domain registration service. Object storage is S3, container orchestration is ECS/EKS, and encryption keys are managed by KMS. -
To serve content to users worldwide with low latency you use:
Correct answer: B. CloudFront is the global CDN that caches content at edge locations near users. EBS is per-instance block storage, SQS is a message queue, and IAM is access control. -
Instances in a private subnet need which resource to reach the internet for updates without being publicly reachable?
Correct answer: B. A NAT gateway allows outbound internet from private subnets. An Internet gateway alone would make them reachable. -
AWS Auto Scaling:
Correct answer: C. Auto Scaling adjusts capacity automatically to match demand. Storing logs is CloudWatch Logs, encrypting data is KMS, and managing DNS is Route 53. -
An Elastic Load Balancer (ELB):
Correct answer: B. An ELB distributes incoming traffic across healthy targets using health checks. Storing backups is AWS Backup, routing DNS is Route 53, and encrypting disks is EBS encryption. -
Enabling Multi-AZ on Amazon RDS provides:
Correct answer: D. Multi-AZ creates a standby for automatic failover (availability). Read replicas serve reads, a separate feature. -
To recover data after accidental deletion you:
Correct answer: B. Restoring from a snapshot or backup brings the data back to a point in time. Changing DNS, adding a NAT gateway or restarting the instance do not recover deleted data. -
An ELB health check ensures that:
Correct answer: D. Health checks ensure traffic is only sent to healthy targets, routing around failures. They do not force equal traffic to every target, run backups, or lower costs. -
Applying least privilege with IAM means:
Correct answer: A. Least privilege means granting only the permissions each role needs. Giving everyone admin, disabling MFA and sharing root keys are insecure and violate the principle. -
AWS KMS is used to:
Correct answer: D. KMS creates and manages encryption keys. Serving content is CloudFront, balancing load is ELB, and monitoring metrics is CloudWatch. -
To securely store and automatically rotate database credentials you use:
Correct answer: A. Secrets Manager stores and automatically rotates secrets like database credentials. A public S3 bucket exposes data, a security group is a firewall, and CloudFront is a CDN. -
AWS Config helps with security and compliance by:
Correct answer: D. Config tracks resource configuration history and evaluates it against compliance rules. Encrypting disks is EBS/KMS, routing DNS is Route 53, and serving content is CloudFront. -
To require an extra verification factor for sensitive AWS access you enable:
Correct answer: C. Multi-factor authentication (MFA) via IAM adds a second verification factor beyond the password. A NAT gateway, a CDN and a snapshot have nothing to do with authentication. -
AWS Cost Explorer is used to:
Correct answer: A. Cost Explorer analyses and visualises AWS spending over time. Encrypting data is KMS, provisioning servers is EC2, and managing DNS is Route 53. -
'Right-sizing' in cost optimisation means:
Correct answer: C. Right-sizing means matching instance size to actual need to reduce cost. Deleting all instances removes the workload, always using the largest instance wastes money, and buying more storage does not address compute sizing. -
To reduce cost for steady, predictable long-term usage you choose:
Correct answer: C. A 1- or 3-year commitment (Reserved/Savings Plans) gives the deepest steady-state discount. On-Demand is pricier; Spot suits interruptible work.
Practice questions FAQ
- Are these real SOA-C02 exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.