7.1. How to Approach SOA-C03 Scenario Questions
š” First Principle: Every SOA-C03 question has a correct answer and several plausible answers. The plausible answers are designed to catch candidates who recognize a service name but don't understand when to use it. The correct answer is always the most operationally sound solution for the specific constraints stated in the question.
The Four-Step Question Framework:
-
Identify the constraint words. Before anything else, find the words that narrow the answer space: "without downtime," "lowest cost," "automatically," "within 5 minutes," "existing application with no code changes," "minimum operational overhead." Each constraint eliminates answer choices.
-
Identify the operational context. Is this a greenfield design or an existing system? Is it multi-account or single-account? Is there a compliance requirement? These set the solution space.
-
Map the scenario to the operations loop. Is this a detection question (what CloudWatch alarm/Config rule catches it)? A routing question (how does the event reach the right handler)? An action question (SSM Automation vs. Lambda vs. Config remediation)?
-
Eliminate by constraint violation. For each answer choice, ask: "Does this violate any stated constraint?" Eliminate violators; choose from what remains.
Constraint Decoder ā Common Phrases and What They Mean:
| Exam Phrase | What It Rules Out | What It Points To |
|---|---|---|
| "No downtime" | In-place replacement, cold standby | Blue/green, rolling, Multi-AZ failover |
| "Lowest cost" | Shield Advanced, NAT gateways, Multiple regions | S3 gateway endpoints, Spot, right-sizing |
| "Automatically remediate" | Manual console steps, human approval | Config auto-remediation, Lambda, SSM Automation |
| "No SSH / no bastion host" | Key pairs, port 22 | Session Manager |
| "Audit trail required" | No logging | CloudTrail, CloudWatch Logs, S3 access logs |
| "Existing credentials" | Creating new IAM users | IAM Identity Center, federation |
| "Minimum code changes" | Full rewrite | RDS Proxy (drops in before DB), CloudFront (DNS change only) |
| "Across all accounts" | Per-account configuration | StackSets, Organizations, SCPs |
| "PII / sensitive data in S3" | GuardDuty, Inspector | Macie |
| "Malware / unusual API calls" | Macie, Inspector | GuardDuty |
| "Software vulnerabilities" | GuardDuty, Macie | Inspector |
| "Near-zero RTO" | Backup and Restore, Pilot Light | Multi-site active-active, Aurora Global |
