Exactprep SOA-C03 Questions

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answers are B and D. AWS CloudOps documentation clearly states that AWS Secrets Manager is the recommended service for storing and managing database credentials securely. Secrets Manager integrates natively with Amazon RDS and supports automatic, scheduled secret rotation.

To rotate credentials weekly, Secrets Manager requires a Lambda rotation function. AWS provides managed rotation templates for Amazon RDS for MySQL that update the database password and the stored secret atomically. This combination ensures credentials are protected, rotated automatically, and audited with minimal operational effort.

Option A is incorrect because RDS Proxy does not store or rotate credentials; it only retrieves them from Secrets Manager. Option C is incorrect because Systems Manager Parameter Store does not support native automatic rotation. Option E is incorrect because Automation runbooks are not the recommended mechanism for secrets rotation and add unnecessary complexity.

AWS CloudOps best practices strongly recommend Secrets Manager with Lambda-based rotation for database credential protection and compliance.

An alias record is the recommended Route 53 record type to map domain names (e.g., example.com) to AWS-managed resources such as an Application Load Balancer. Alias records are extension types of A or AAAA records that support AWS resources directly, providing automatic DNS integration and no additional query costs.

AWS documentation states:

“Use alias records to map your domain or subdomain to an AWS resource such as an Application Load Balancer, CloudFront distribution, or S3 website endpoint.”

A and AAAA records are used for static IP addresses, not load balancers. CNAME records cannot be used at the root domain (e.g., example.com). Thus, Option C is correct as it meets CloudOps networking best practices for scalable, managed DNS resolution to ALBs.

According to AWS Cloud Operations and Governance documentation, AWS Trusted Advisor provides automated checks for security group rules across all accounts, including identifying ports open to 0.0.0.0/0.

When viewed in organizational mode, Trusted Advisor integrates with AWS Organizations, allowing administrators to access organization-wide security findings from a central management account. This approach requires no custom code, additional infrastructure, or manual inspection, providing immediate visibility and the lowest operational overhead.

AWS CLI scripts (Option A) or Lambda automation (Option C) introduce additional maintenance, and Amazon Inspector (Option D) is focused on instance-level vulnerabilities, not network access rules.

Therefore, Option B is the AWS-recommended CloudOps best practice for centralized and low-effort open-port auditing.

According to the AWS Cloud Operations and EC2 Connectivity documentation, EC2 Instance Connect Endpoint allows access to instances without internet exposure or open SSH ports. However, for successful connectivity, the EC2 instance must have Systems Manager permissions through an IAM instance profile.

If no IAM instance profile is attached, the instance cannot establish a control channel with the Systems Manager service, and EC2 Instance Connect cannot authenticate the session.

Opening port 22 (Option B) is unnecessary and contradicts the private subnet design. HTTPS rules (Option A) are irrelevant because EC2 Instance Connect communicates through AWS APIs, not direct HTTPS connections. Recreating the instance with a key pair (Option D) bypasses the intended keyless connection mechanism.

Therefore, Option C — attaching an IAM instance profile with Systems Manager permissions — enables secure, private access through EC2 Instance Connect Endpoint.