SOA-C01 : AWS-SysOps ​​​​​: Part 10

SOA-C01 : AWS-SysOps ​​​​​: Part 10

1. A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it?

   • The zone can only be modified using the AWS CLI
   • Create an AMI of the running instance and launch the instance in a separate AZ
   • Stop one of the instances and change the availability zone
   • From the AWS EC2 console, select the Actions – > Change zones and specify the new zone
   Explanation:
   With AWS EC2, when a user is launching an instance he can select the availability zone (AZ) at the time of launch. If the zone is not selected, AWS selects it on behalf of the user. Once the instance is launched, the user cannot change the zone of that instance unless he creates an AMI of that instance and launches a new instance from it.

2. An organization (account ID 123412341234) has configured the IAM policy to allow the user to modify his credentials. What will the below mentioned statement allow the user to perform?

   

   • The IAM policy will throw an error due to an invalid resource name
   • The IAM policy will allow the user to subscribe to any IAM group
   • Allow the IAM user to update the membership of the group called TestingGroup
   • Allow the IAM user to delete the TestingGroup
   Explanation:
   AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (account ID 123412341234) wants their users to manage their subscription to the groups, they should create a relevant policy for that. The below mentioned policy allows the respective IAM user to update the membership of the group called MarketingGroup.

3. A user has configured ELB with two EBS backed instances. The user has stopped the instances for 1 week to save costs. The user restarts the instances after 1 week. Which of the below mentioned statements will help the user to understand the ELB and instance registration better?

   • There is no way to register the stopped instances with ELB
   • The user cannot stop the instances if they are registered with ELB
   • If the instances have the same Elastic IP assigned after reboot they will be registered with ELB
   • The instances will automatically get registered with ELB

4. A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection?

   • The user has provided the wrong user name for the OS login
   • The instance CPU is heavily loaded
   • The security group is not configured properly
   • The access key to connect to the instance is wrong
   Explanation:
   If the user is trying to connect to a Linux EC2 instance and receives the Host Key not found error the probable reasons are:

   The private key pair is not right
   The user name to login is wrong

5. A user has hosted an application on EC2 instances. The EC2 instances are configured with ELB and Auto Scaling. The application server session time out is 2 hours. The user wants to configure connection draining to ensure that all in-flight requests are supported by ELB even though the instance is being deregistered. What time out period should the user specify for connection draining?

   • 5 minutes
   • 1 hour
   • 30 minutes
   • 2 hours
   Explanation:
   When you enable connection draining, you can specify a maximum time for the load balancer to keep connections alive before reporting the instance as de-registered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the de-registering instance.

6. A user is using the AWS EC2. The user wants to make so that when there is an issue in the EC2 server, such as instance status failed, it should start a new instance in the user’s private cloud. Which AWS service helps to achieve this automation?

   • AWS CloudWatch + Cloudformation
   • AWS CloudWatch + AWS AutoScaling + AWS ELB
   • AWS CloudWatch + AWS VPC
   • AWS CloudWatch + AWS SNS
   Explanation:
   Amazon SNS can deliver notifications by SMS text message or email to the Amazon Simple Queue Service (SQS) queues or to any HTTP endpoint. The user can configure a web service (HTTP Endpoint|) in his data center which receives data and launches an instance in the private cloud. The user should configure the CloudWatch alarm to send a notification to SNS when the “StatusCheckFailed” metric is true for the EC2 instance. The SNS topic can be configured to send a notification to the user’s HTTP endpoint which launches an instance in the private cloud.

7. A sys admin has enabled logging on ELB. Which of the below mentioned fields will not be a part of the log file name?

   • Load Balancer IP
   • EC2 instance IP
   • S3 bucket name
   • Random string
   Explanation:
   Elastic Load Balancing access logs capture detailed information for all the requests made to the load balancer. Elastic Load Balancing publishes a log file from each load balancer node at the interval that the user has specified. The load balancer can deliver multiple logs for the same period. Elastic Load Balancing creates log file names in the following format:
   “{Bucket}/{Prefix}/AWSLogs/{AWS AccountID}/elasticloadbalancing/{Region}/{Year}/{Month}/{Day}/{AWS
   Account ID}_elasticloadbalancing_{Region}_{Load Balancer Name}_{End Time}_{Load Balancer IP}_{Random
   String}.log“

8. A user has created a queue named “awsmodule” with SQS. One of the consumers of queue is down for 3 days and then becomes available. Will that component receive message from queue?

   • Yes, since SQS by default stores message for 4 days
   • No, since SQS by default stores message for 1 day only
   • No, since SQS sends message to consumers who are available that time
   • Yes, since SQS will not delete message until it is delivered to all consumers
   Explanation:
   SQS allows the user to move data between distributed components of applications so they can perform different tasks without losing messages or requiring each component to be always available. Queues retain messages for a set period of time. By default, a queue retains messages for four days. However, the user can configure a queue to retain messages for up to 14 days after the message has been sent.

9. An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this?

   • Create an IAM policy with the security group and use that security group for AWS console login
   • Create an IAM policy with a condition which denies access when the IP address range is not from the organization
   • Configure the EC2 instance security group which allows traffic only from the organization’s IP range
   • Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
   Explanation:
   AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on many other parameters. If the organization wants the user to access only from a specific IP range, they should set an IAM policy condition which denies access when the IP is not in a certain range. E.g. The sample policy given below denies all traffic when the IP is not in a certain range.
   

   

10. An organization has created one IAM user and applied the below mentioned policy to the user. What entitlements do the IAM users avail with this policy?

    

    • The policy will allow the user to perform all read only activities on the EC2 services
    • The policy will allow the user to list all the EC2 resources except EBS
    • The policy will allow the user to perform all read and write activities on the EC2 services
    • The policy will allow the user to perform all read only activities on the EC2 services except load Balancing
    Explanation:
    AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If an organization wants to setup read only access to EC2 for a particular user, they should mention the action in the IAM policy which entitles the user for Describe rights for EC2, CloudWatch, Auto Scaling and ELB. In the policy shown below, the user will have read only access for EC2 and EBS, CloudWatch and Auto Scaling. Since ELB is not mentioned as a part of the list, the user will not have access to ELB.
    

    

11. A user has enabled session stickiness with ELB. The user does not want ELB to manage the cookie; instead he wants the application to manage the cookie. What will happen when the server instance, which is bound to a cookie, crashes?

    • The response will have a cookie but stickiness will be deleted
    • The session will not be sticky until a new cookie is inserted
    • ELB will throw an error due to cookie unavailability
    • The session will be sticky and ELB will route requests to another server as ELB keeps replicating the Cookie
    Explanation:
    With Elastic Load Balancer, if the admin has enabled a sticky session with application controlled stickiness, the load balancer uses a special cookie generated by the application to associate the session with the original server which handles the request. ELB follows the lifetime of the application-generated cookie corresponding to the cookie name specified in the ELB policy configuration. The load balancer only inserts a new stickiness cookie if the application response includes a new application cookie. The load balancer stickiness cookie does not update with each request. If the application cookie is explicitly removed or expires, the session stops being sticky until a new application cookie is issued.

12. A user is observing the EC2 CPU utilization metric on CloudWatch. The user has observed some interesting patterns while filtering over the 1 week period for a particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CloudWatch?

    • The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse
    • The user can zoom a particular period by double clicking on that period with the mouse
    • The user can zoom a particular period by specifying the aggregation data for that period
    • The user can zoom a particular period by specifying the period in the Time Range

13. A user has created an Auto Scaling group with default configurations from CLI. The user wants to setup the CloudWatch alarm on the EC2 instances, which are launched by the Auto Scaling group. The user has setup an alarm to monitor the CPU utilization every minute. Which of the below mentioned statements is true?

    • It will fetch the data at every minute but the four data points [corresponding to 4 minutes] will not have value since the EC2 basic monitoring metrics are collected every five minutes
    • It will fetch the data at every minute as detailed monitoring on EC2 will be enabled by the default launch configuration of Auto Scaling
    • The alarm creation will fail since the user has not enabled detailed monitoring on the EC2 instances
    • The user has to first enable detailed monitoring on the EC2 instances to support alarm monitoring at every minute
    Explanation:
    CloudWatch is used to monitor AWS as well as the custom services. To enable detailed instance monitoring for a new Auto Scaling group, the user does not need to take any extra steps. When the user creates an Auto Scaling launch config using CLI, each launch configuration contains a flag named InstanceMonitoring.Enabled. The default value of this flag is true. Thus, by default detailed monitoring will be enabled for Auto Scaling as well as for all the instances launched by that Auto Scaling group.

14. A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is not true in this scenario?

    • The VPC will create a routing instance and attach it with a public subnet
    • The VPC will create two subnets
    • The VPC will create one internet gateway and attach it to VPC
    • The VPC will launch one NAT instance with an elastic IP
    Explanation:
    A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance with an elastic IP. Wizard will also create two subnets with route tables. It will also create an internet gateway and attach it to the VPC.

15. A user has configured ELB with a TCP listener at ELB as well as on the back-end instances. The user wants to enable a proxy protocol to capture the source and destination IP information in the header. Which of the below mentioned statements helps the user understand a proxy protocol with TCP configuration?

    • If the end user is requesting behind a proxy server then the user should not enable a proxy protocol on ELB
    • ELB does not support a proxy protocol when it is listening on both the load balancer and the back-end instances
    • Whether the end user is requesting from a proxy server or directly, it does not make a difference for the proxy protocol
    • If the end user is requesting behind the proxy, then the user should add the “isproxy” flag to the ELB Configuration
    Explanation:
    When the user has configured Transmission Control Protocol (TCP. or Secure Sockets Layer (SSL) for both front-end and back-end connections of the Elastic Load Balancer, the load balancer forwards the request to the back-end instances without modifying the request headers unless the proxy header is enabled. If the end user is requesting from a Proxy Protocol enabled proxy server, then the ELB admin should not enable the Proxy Protocol on the load balancer. If the Proxy Protocol is enabled on both the proxy server and the load balancer, the load balancer will add another header to the request which already has a header from the proxy server. This duplication may result in errors.

16. A user has launched 5 instances in EC2-CLASSIC and attached 5 elastic IPs to the five different instances in the US East region. The user is creating a VPC in the same region. The user wants to assign an elastic IP to the VPC instance. How can the user achieve this?

    • The user has to request AWS to increase the number of elastic IPs associated with the account
    • AWS allows 10 EC2 Classic IPs per region; so it will allow to allocate new Elastic IPs to the same region
    • The AWS will not allow to create a new elastic IP in VPC; it will throw an error
    • The user can allocate a new IP address in VPC as it has a different limit than EC2

    Explaination:

    Section: (none)
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. A user can have 5 IP addresses per region with EC2 Classic. The user can have 5 separate IPs with VPC in the same region as it has a separate limit than EC2 Classic.

     

17. A user has created a subnet in VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. Which of the below mentioned statements is true with respect to this scenario?

    • The instance will always have a public DNS attached to the instance by default
    • The user can directly attach an elastic IP to the instance
    • The instance will never launch if the public IP is not assigned
    • The user would need to create an Internet gateway and then attach an elastic IP to the instance to connect from internet
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. When the user is launching an instance he needs to select an option which attaches a public IP to the instance. If the user has not selected the option to attach the public IP, then it will only have a private IP when launched. The user cannot connect to the instance from the internet. If the user wants an elastic IP to connect to the instance from the Internet, he should create an internet gateway and assign an elastic IP to instance.

18. An organization has applied the below mentioned policy on an IAM group which has selected the IAM users. What entitlements do the IAM users avail with this policy?

    

    • The policy is not created correctly. It will throw an error for wrong resource name
    • The policy is for the group. Thus, the IAM user cannot have any entitlement to this
    • It allows full access to all AWS services for the IAM users who are a part of this group
    • If this policy is applied to the EC2 resource, the users of the group will have full access to the EC2 Resources
    Explanation:
    AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. The IAM group allows the organization to specify permissions for a collection of users. With the below mentioned policy, it will allow the group full access (Admin to all AWS services).

19. A user is configuring a CloudWatch alarm on RDS to receive a notification when the CPU utilization of RDS is higher than 50%. The user has setup an alarm when there is some inactivity on RDS, such as RDS unavailability. How can the user configure this?

    • Setup the notification when the CPU is more than 75% on RDS
    • Setup the notification when the state is Insufficient Data
    • Setup the notification when the CPU utilization is less than 10%
    • It is not possible to setup the alarm on RDS
    Explanation:
    Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The alarm has three states: Alarm, OK and Insufficient data. The Alarm will change to Insufficient Data when any of the three situations arise: when the alarm has just started, when the metric is not available or when enough data is not available for the metric to determine the alarm state. If the user wants to find that RDS is not available, he can setup to receive the notification when the state is in Insufficient data.

20. George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George’s account from the US West region?

    • No, copy AMI does not copy the permission
    • It is not possible to share the AMI with a specific account
    • Yes, since copy AMI copies all private account sharing permissions
    • Yes, since copy AMI copies all the permissions attached with the AMI
    Explanation:
    Within EC2, when the user copies an AMI, the new AMI is fully independent of the source AMI; there is no link to the original (source) AMI. AWS does not copy launch the permissions, user-defined tags or the Amazon S3 bucket permissions from the source AMI to the new AMI. Thus, in this case by default Stefano will not have access to the AMI in the US West region.