SOA-C01 : AWS-SysOps ​​​​​: Part 09

SOA-C01 : AWS-SysOps ​​​​​: Part 09

1. A user has setup an EBS backed instance and attached 2 EBS volumes to it. The user has setup a CloudWatch alarm on each volume for the disk data. The user has stopped the EC2 instance and detached the EBS volumes. What will be the status of the alarms on the EBS volume?

   • OK
   • Insufficient Data
   • Alarm
   • The EBS cannot be detached until all the alarms are removed
   Explanation:
   Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. Alarms invoke actions only for sustained state changes. There are three states of the alarm: OK, Alarm and Insufficient data. In this case since the EBS is detached and inactive the state will be Insufficient.

2. A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned credentials is not required while creating the AMI?

   • AWS account ID
   • X.509 certificate and private key
   • AWS login ID to login to the console
   • Access key and secret access key
   Explanation:
   When the user has launched an EC2 instance from an instance store backed AMI and the admin team wants to create an AMI from it, the user needs to setup the AWS AMI or the API tools first. Once the tool is setup the user will need the following credentials:

   AWS account ID;
   AWS access and secret access key;
   X.509 certificate with private key.

3. A user has configured an SSL listener at ELB as well as on the back-end instances. Which of the below mentioned statements helps the user understand ELB traffic handling with respect to the SSL listener?

   • It is not possible to have the SSL listener both at ELB and back-end instances
   • ELB will modify headers to add requestor details
   • ELB will intercept the request to add the cookie details if sticky session is enabled
   • ELB will not modify the headers
   Explanation:
   When the user has configured Transmission Control Protocol (TCP. or Secure Sockets Layer (SSL. for both front-end and back-end connections of the Elastic Load Balancer, the load balancer forwards the request to the back-end instances without modifying the request headers unless the proxy header is enabled. SSL does not support sticky sessions. If the user has enabled a proxy protocol it adds the source and destination IP to the header.

4. A user has created a Cloudformation stack. The stack creates AWS services, such as EC2 instances, ELB, AutoScaling, and RDS. While creating the stack it created EC2, ELB and AutoScaling but failed to create RDS. What will Cloudformation do in this scenario?

   • Cloudformation can never throw an error after launching a few services since it verifies all the steps before launching
   • It will warn the user about the error and ask the user to manually create RDS
   • Rollback all the changes and terminate all the created services
   • It will wait for the user’s input about the error and correct the mistake after the input
   Explanation:
   AWS Cloudformation is an application management tool which provides application modelling, deployment, configuration, management and related activities. The AWS Cloudformation stack is a collection of AWS resources which are created and managed as a single unit when AWS CloudFormation instantiates a template. If any of the services fails to launch, Cloudformation will rollback all the changes and terminate or delete all the created services.

5. A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS volume. How can the user encrypt the data at rest?

   • Use AWS EBS encryption to encrypt the data at rest
   • The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool
   • The user has to select the encryption enabled flag while launching the EC2 instance
   • Encryption of volume is not available as a part of the free usage tier
   Explanation:
   AWS EBS supports encryption of the volume while creating new volumes. It supports encryption of the data at rest, the I/O as well as all the snapshots of the EBS volume. The EBS supports encryption for the selected instance type and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro instance.

6. A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario?

   • It will not allow to delete the VPC as it has subnets with route tables
   • It will not allow to delete the VPC since it has a running route instance
   • It will terminate the VPC along with all the instances launched by the wizard
   • It will not allow to delete the VPC since it has a running NAT instance
   Explanation:
   A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance with an elastic IP. If the user is trying to delete the VPC it will not allow as the NAT instance is still running.

7. An organization is measuring the latency of an application every minute and storing data inside a file in the JSON format. The organization wants to send all latency data to AWS CloudWatch. How can the organization achieve this?

   • The user has to parse the file before uploading data to CloudWatch
   • It is not possible to upload the custom data to CloudWatch
   • The user can supply the file as an input to the CloudWatch command
   • The user can use the CloudWatch Import command to import data from the file to CloudWatch
   Explanation:
   AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. The user always has to include the namespace as part of the request. If the user wants to upload the custom data from a file, he can supply file name along with the parameter — metric-data to command put-metric-data.

8. A user has launched an EBS backed instance with EC2-Classic. The user stops and starts the instance. Which of the below mentioned statements is not true with respect to the stop/start action?

   • The instance gets new private and public IP addresses
   • The volume is preserved
   • The Elastic IP remains associated with the instance
   • The instance may run on a new host computer
   Explanation:
   A user can always stop/start an EBS backed EC2 instance. When the user stops the instance, it first enters the stopping state, and then the stopped state. AWS does not charge the running cost but charges only for the EBS storage cost. If the instance is running in EC2-Classic, it receives a new private IP address; as the Elastic IP address (EIP. associated with the instance is no longer associated with that instance.

9. A user has launched an RDS postgreSQL DB with AWS. The user did not specify the maintenance window during creation. The user has configured RDS to update the DB instance type from micro to large. If the user wants to have it during the maintenance window, what will AWS do?

   • AWS will not allow to update the DB until the maintenance window is configured
   • AWS will select the default maintenance window if the user has not provided it
   • AWS will ask the user to specify the maintenance window during the update
   • It is not possible to change the DB size from micro to large with RDS
   Explanation:
   AWS RDS has a compulsory maintenance window which by default is 30 minutes. If the user does not specify the maintenance window during the creation of RDS then AWS will select a 30-minute maintenance window randomly from an 8-hour block of time per region. In this case, Amazon RDS assigns a 30-minute maintenance window on a randomly selected day of the week.

10. A user has created a subnet in VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. The user has 3 elastic IPs and is trying to assign one of the Elastic IPs to the VPC instance from the console. The console does not show any instance in the IP assignment screen. What is a possible reason that the instance is unavailable in the assigned IP console?

    • The IP address may be attached to one of the instances
    • The IP address belongs to a different zone than the subnet zone
    • The user has not created an internet gateway
    • The IP addresses belong to EC2 Classic; so they cannot be assigned to VPC
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. When the user is launching an instance he needs to select an option which attaches a public IP to the instance. If the user has not selected the option to attach the public IP, then it will only have a private IP when launched. If the user wants to connect to an instance from the Internet, he should create an elastic IP with VPC. If the elastic IP is a part of EC2 Classic, it cannot be assigned to a VPC instance.

11. A user has launched multiple EC2 instances for the purpose of development and testing in the same region. The user wants to find the separate cost for the production and development instances. How can the user find the cost distribution?

    • The user should download the activity report of the EC2 services as it has the instance ID wise data
    • It is not possible to get the AWS cost usage data of single region instances separately
    • The user should use Cost Distribution Metadata and AWS detailed billing
    • The user should use Cost Allocation Tags and AWS billing reports
    Explanation:
    AWS provides cost allocation tags to categorize and track the AWS costs. When the user applies tags to his AWS resources (such as Amazon EC2 instances or Amazon S3 buckets), AWS generates a cost allocation report as a comma-separated value (CSV file) with the usage and costs aggregated by those tags. The user can apply tags which represent business categories (such as cost centers, application names, or instance type – Production/Dev. to organize usage costs across multiple services.

12. A user has created a VPC with CIDR 20.0.0.0/16 using VPC Wizard. The user has created a public CIDR (20.0.0.0/24) and a VPN only subnet CIDR (20.0.1.0/24) along with the hardware VPN access to connect to the user’s data center. Which of the below mentioned components is not present when the VPC is setup with the wizard?

    • Main route table attached with a VPN only subnet
    • A NAT instance configured to allow the VPN subnet instances to connect with the internet
    • Custom route table attached with a public subnet
    • An internet gateway for a public subnet
    Explanation:
    The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data center, he can setup a public and VPN only subnet which uses hardware VPN access to connect with his data center. When the user has configured this setup with Wizard, it will update the main route table used with the VPN-only subnet, create a custom route table and associate it with the public subnet. It also creates an internet gateway for the public subnet. The wizard does not create a NAT instance by default. The user can create it manually and attach it with a VPN only subnet.

13. A user has created a VPC with the public subnet. The user has created a security group for that VPC. Which of the below mentioned statements is true when a security group is created?

    • It can connect to the AWS services, such as S3 and RDS by default
    • It will have all the inbound traffic by default
    • It will have all the outbound traffic by default
    • It will allow by default traffic to the internet gateway
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. AWS provides two features the user can use to increase security in VPC: security groups and network ACLs. Security groups work at the instance level while ACLs work at the subnet level. When a user creates a security group with AWS VPC, by default it will allow all the outbound traffic but block all inbound traffic.

14. A user has setup an Auto Scaling group. The group has failed to launch a single instance for more than 24 hours. What will happen to Auto Scaling in this condition?

    • Auto Scaling will keep trying to launch the instance for 72 hours
    • Auto Scaling will suspend the scaling process
    • Auto Scaling will start an instance in a separate region
    • The Auto Scaling group will be terminated automatically
    Explanation:
    If Auto Scaling is trying to launch an instance and if the launching of the instance fails continuously, it will suspend the processes for the Auto Scaling groups since it repeatedly failed to launch an instance. This is known as an administrative suspension. It commonly applies to the Auto Scaling group that has no running instances which is trying to launch instances for more than 24 hours, and has not succeeded in that to do so.

15. A user is planning to set up the Multi AZ feature of RDS. Which of the below mentioned conditions won’t take advantage of the Multi AZ feature?

    • Availability zone outage
    • A manual failover of the DB instance using Reboot with failover option
    • Region outage
    • When the user changes the DB instance’s server type
    Explanation:
    Amazon RDS when enabled with Multi AZ will handle failovers automatically. Thus, the user can resume database operations as quickly as possible without administrative intervention. The primary DB instance switches over automatically to the standby replica if any of the following conditions occur:
    An Availability Zone outage
    The primary DB instance fails
    The DB instance’s server type is changed
    The DB instance is undergoing software patching
    A manual failover of the DB instance was initiated using Reboot with failover

16. An organization has configured Auto Scaling with ELB. One of the instance health check returns the status as Impaired to Auto Scaling. What will Auto Scaling do in this scenario?

    • Perform a health check until cool down before declaring that the instance has failed
    • Terminate the instance and launch a new instance
    • Notify the user using SNS for the failed state
    • Notify ELB to stop sending traffic to the impaired instance
    Explanation:
    The Auto Scaling group determines the health state of each instance periodically by checking the results of the Amazon EC2 instance status checks. If the instance status description shows any other state other than “running” or the system status description shows impaired, Auto Scaling considers the instance to be unhealthy. Thus, it terminates the instance and launches a replacement.

17. A user is using Cloudformation to launch an EC2 instance and then configure an application after the instance is launched. The user wants the stack creation of ELB and AutoScaling to wait until the EC2 instance is launched and configured properly. How can the user configure this?

    • It is not possible that the stack creation will wait until one service is created and launched
    • The user can use the HoldCondition resource to wait for the creation of the other dependent resources
    • The user can use the DependentCondition resource to hold the creation of the other dependent resources
    • The user can use the WaitCondition resource to hold the creation of the other dependent resources
    Explanation:
    AWS Cloudformation is an application management tool which provides application modelling, deployment, configuration, management and related activities. AWS CloudFormation provides a WaitCondition resource which acts as a barrier and blocks the creation of other resources until a completion signal is received from an external source, such as a user application or management system.

18. An organization has configured two single availability zones. The Auto Scaling groups are configured in separate zones. The user wants to merge the groups such that one group spans across multiple zones. How can the user configure this?

    • Run the command as-join-auto-scaling-group to join the two groups
    • Run the command as-update-auto-scaling-group to configure one group to span across zones and delete the other group
    • Run the command as-copy-auto-scaling-group to join the two groups
    • Run the command as-merge-auto-scaling-group to merge the groups
    Explanation:
    If the user has configured two separate single availability zone Auto Scaling groups and wants to merge them then he should update one of the groups and delete the other one. While updating the first group it is recommended that the user should increase the size of the minimum, maximum and desired capacity as a summation of both the groups.

19. An AWS account wants to be part of the consolidated billing of his organization’s payee account. How can the owner of that account achieve this?

    • The payee account has to request AWS support to link the other accounts with his account
    • The owner of the linked account should add the payee account to his master account list from the billing console
    • The payee account will send a request to the linked account to be a part of consolidated billing
    • The owner of the linked account requests the payee account to add his account to consolidated billing
    Explanation:
    AWS consolidated billing enables the organization to consolidate payments for multiple Amazon Web Services (AWS. accounts within a single organization by making a single paying account. To add a particular account (linked) to the master (payee) account, the payee account has to request the linked account to join consolidated billing. Once the linked account accepts the request henceforth all charges incurred by the linked account will be paid by the payee account.

20. A sysadmin has created the below mentioned policy on an S3 bucket named cloudacademy. What does this policy define?

    

     

    • It will make the cloudacademy bucket as well as all its objects as public
    • It will allow everyone to view the ACL of the bucket
    • It will give an error as no object is defined as part of the policy while the action defines the rule about the object
    • It will make the cloudacademy bucket as public
    Explanation:
    Tested and got an error while saving the above S3 bucket policy:
    ” Action does not apply to any resource(s) in statement – Action “s3:GetObject” in Statement “Stmt123456788” “