Amazon Web Services Updated SOA-C03 Exam Questions and Answers by francisco

AWS Systems Manager provides a built-in capability to automatically update the SSM Agent on managed instances. Enabling Auto update SSM Agent ensures that instances receive the latest agent version without manual intervention or custom automation.

This setting is centrally managed and applies across the fleet, making it the most scalable and operationally efficient solution. It eliminates the need for external notifications, custom Lambda functions, or scheduled automation workflows.

Options B and D introduce unnecessary complexity and operational burden. Option C is incorrect because Patch Manager is designed for operating system patching, not for managing SSM Agent updates.

Therefore, enabling automatic SSM Agent updates is the best solution.

According to the AWS Cloud Operations and Security documentation, AWS CloudTrail is the authoritative service for recording API activity across all AWS services within an account.

When an access key is compromised, CloudTrail logs all API requests made using that key, including details such as:

The user identity (access key ID) that made the request,

The service, operation, resource, and timestamp affected, and

The source IP address and region of the request.

By searching the CloudTrail event history for the specific access key ID, the CloudOps engineer can identify every action performed by that key during the suspected breach window.

Other options are incorrect:

EventBridge (A) is event-driven, not historical.

CloudWatch Logs (B) monitors system logs, not AWS API activity.

VPC Flow Logs (D) track network-level traffic, not API calls.

Therefore, the correct solution is Option C — using AWS CloudTrail event history to audit and trace all actions executed via the compromised access key.

AWS Secrets Manager natively supports credential management and automatic rotation for Amazon RDS master user passwords. When a secret is associated with an RDS instance, Secrets Manager automatically updates the password both in the secret and on the database, without downtime or manual scripting.

AWS documentation confirms:

“AWS Secrets Manager can automatically rotate the master user password for Amazon RDS databases. Rotation is fully managed and integrated, requiring no custom code or maintenance.”

Option A introduces unnecessary Lambda automation. Option B and C use Parameter Store, which does not provide direct RDS password rotation. Therefore, Option D achieves secure, automatic credential rotation with least operational effort, fully aligned with CloudOps security automation principles.

EC2 Instance Connect Endpoint (EICE) enables secure SSH access to instances in private subnets without requiring public IP addresses, bastion hosts, or inbound internet access. By deploying the endpoint in the private subnet, administrators can connect securely using IAM-based authentication.

The instance security group must allow inbound SSH (port 22) from the EICE security group. Access control is handled via IAM, which eliminates the need to distribute or manage SSH keys.

Option B incorrectly attempts to use Systems Manager for SSH, which is unnecessary when EICE is available. Option C incorrectly places the endpoint in a public subnet, which does not align with the requirement to keep access private. Option D is incorrect because Systems Manager Session Manager does not require SSH and AmazonEC2ReadOnlyAccess does not allow instance access.

EICE provides the least overhead and most secure SSH access path for private EC2 instances.