SOA-C01 : AWS-SysOps ​​​​​: Part 12

SOA-C01 : AWS-SysOps ​​​​​: Part 12

1. An organization has configured Auto Scaling with ELB. There is a memory issue in the application which is causing CPU utilization to go above 90%. The higher CPU usage triggers an event for Auto Scaling as per the scaling policy. If the user wants to find the root cause inside the application without triggering a scaling activity, how can he achieve this?

   • Stop the scaling process until research is completed
   • It is not possible to find the root cause from that instance without triggering scaling
   • Delete Auto Scaling until research is completed
   • Suspend the scaling process until research is completed
   Explanation:
   Auto Scaling allows the user to suspend and then resume one or more of the Auto Scaling processes in the Auto Scaling group. This is very useful when the user wants to investigate a configuration problem or some other issue, such as a memory leak with the web application and then make changes to the application, without triggering the Auto Scaling process.

2. A sys admin is planning to subscribe to the RDS event notifications. For which of the below mentioned source categories the subscription cannot be configured?

   • DB security group
   • DB snapshot
   • DB options group
   • DB parameter group
   Explanation:
   Amazon RDS uses the Amazon Simple Notification Service (SNS. to provide a notification when an Amazon RDS event occurs. These events can be configured for source categories, such as DB instance, DB security group, DB snapshot and DB parameter group.

3. A user has launched an EC2 instance. The instance got terminated as soon as it was launched. Which of the below mentioned options is not a possible reason for this?

   • The user account has reached the maximum EC2 instance limit
   • The snapshot is corrupt
   • The AMI is missing. It is the required part
   • The user account has reached the maximum volume limit
   Explanation:
   When the user account has reached the maximum number of EC2 instances, it will not be allowed to launch an instance. AWS will throw an ‘InstanceLimitExceeded’ error. For all other reasons, such as “AMI is missing part”, “Corrupt Snapshot” or ”Volume limit has reached” it will launch an EC2 instance and then terminate it.

4. A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?

   • AWS EMR
   • AWS RDS
   • AWS ELB
   • AWS Route53
   Explanation:
   CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed
   monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. Services, such as RDS, EC2, Auto Scaling, ELB, and Route 53 can provide the monitoring data every minute.

5. A user is measuring the CPU utilization of a private data center machine every minute. The machine provides the aggregate of data every hour, such as Sum of data”, “Min value”, “Max value, and “Number of Data points”.

   The user wants to send these values to CloudWatch. How can the user achieve this?

   • Send the data using the put-metric-data command with the aggregate-values parameter
   • Send the data using the put-metric-data command with the average-values parameter
   • Send the data using the put-metric-data command with the statistic-values parameter
   • Send the data using the put-metric-data command with the aggregate –data parameter
   Explanation:
   AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. The user can publish the data to CloudWatch as single data points or as an aggregated set of data points called a statistic set using the command put-metric-data. When sending the aggregate data, the user needs to send it with the parameter statistic-values:
   

   

6. A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?

   • SNS will send data every minute after configuration
   • There is no need to enable since SNS provides data every minute
   • AWS CloudWatch does not support monitoring for SNS
   • SNS cannot provide data every minute
   Explanation:
   CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed
   monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.

7. A user has setup a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24. and a public subnet (20.0.0.0/24.. The user’s data center has CIDR of 20.0.54.0/24 and 20.1.0.0/24. If the private subnet wants to communicate with the data center, what will happen?

   • It will allow traffic communication on both the CIDRs of the data center
   • It will not allow traffic with data center on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24
   • It will not allow traffic communication on any of the data center CIDRs
   • It will allow traffic with data center on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24
   Explanation:
   VPC allows the user to set up a connection between his VPC and corporate or home network data center. If the user has an IP address prefix in the VPC that overlaps with one of the networks’ prefixes, any traffic to the network’s prefix is dropped. In this case CIDR 20.0.54.0/24 falls in the VPC’s CIDR range of 20.0.0.0/16. Thus, it will not allow traffic on that IP. In the case of 20.1.0.0/24, it does not fall in the VPC’s CIDR range. Thus, traffic will be allowed on it.

8. A user wants to find the particular error that occurred on a certain date in the AWS MySQL RDS DB. Which of the below mentioned activities may help the user to get the data easily?

   • It is not possible to get the log files for MySQL RDS
   • Find all the transaction logs and query on those records
   • Direct the logs to the DB table and then query that table
   • Download the log file to DynamoDB and search for the record
   Explanation:
   The user can view, download, and watch the database logs using the Amazon RDS console, the Command Line Interface (CLI. or the Amazon RDS API. For the MySQL RDS, the user can view the error log, slow query log, and general logs. The user can also view the MySQL logs easily by directing the logs to a database table in the main database and querying that table.

9. A user is trying to send custom metrics to CloudWatch using the PutMetricData APIs. Which of the below mentioned points should the user needs to take care while sending the data to CloudWatch?

   • The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests
   • The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests
   • The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests
   • The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests
   Explanation:
   With AWS CloudWatch, the user can publish data points for a metric that share not only the same time stamp, but also the same namespace and dimensions. CloudWatch can accept multiple data points in the same PutMetricData call with the same time stamp. The only thing that the user needs to take care of is that the size of a PutMetricData request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests.

10. An AWS account owner has setup multiple IAM users. One IAM user only has CloudWatch access. He has setup the alarm action which stops the EC2 instances when the CPU utilization is below the threshold limit. What will happen in this case?

    • It is not possible to stop the instance using the CloudWatch alarm
    • CloudWatch will stop the instance when the action is executed
    • The user cannot set an alarm on EC2 since he does not have the permission
    • The user can setup the action but it will not be executed if the user does not have EC2 rights
    Explanation:
    Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can setup an action which stops the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance as part of the EC2 action. If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.

11. A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling terminate process only for a while. What will happen to the availability zone rebalancing process (AZRebalance. during this period?

    • Auto Scaling will not launch or terminate any instances
    • Auto Scaling will allow the instances to grow more than the maximum size
    • Auto Scaling will keep launching instances till the maximum instance size
    • It is not possible to suspend the terminate process while keeping the launch active
    Explanation:
    Auto Scaling performs various processes, such as Launch, Terminate, Availability Zone Rebalance (AZRebalance) etc. The AZRebalance process type seeks to maintain a balanced number of instances across Availability Zones within a region. If the user suspends the Terminate process, the AZRebalance process can cause the Auto Scaling group to grow up to ten percent larger than the maximum size. This is because Auto Scaling allows groups to temporarily grow larger than the maximum size during rebalancing activities. If Auto Scaling cannot terminate instances, the Auto Scaling group could remain up to ten percent larger than the maximum size until the user resumes the Terminate process type.

12. A user has created a mobile application which makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

    • The user should create a separate IAM user for each mobile application and provide DynamoDB access with it
    • The user should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2
    • The application should use an IAM role with web identity federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook
    • Create an IAM Role with DynamoDB access and attach it with the mobile application
    Explanation:
    With AWS IAM a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should not create an IAM user and pass the user’s credentials to the application or embed those credentials inside the application. If the user is creating an app that runs on a mobile phone and makes requests to AWS, the user should not create an IAMuser and distribute the user’s access key with the app. Instead, he should use an identity provider, such as Login with Amazon, Facebook, or Google to authenticate the users, and then use that identity to get temporary security credentials.

13. A user is configuring the Multi AZ feature of an RDS DB. The user came to know that this RDS DB does not use the AWS technology, but uses server mirroring to achieve HA. Which DB is the user using right now?

    • My SQL
    • Oracle
    • MS SQL
    • PostgreSQL
    Explanation:
    Amazon RDS provides high availability and failover support for DB instances using Multi AZ deployments. In a Multi AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. Multi AZ deployments for Oracle, PostgreSQL, and MySQL DB instances use Amazon technology, while SQL Server (MS SQL. DB instances use SQL Server Mirroring.

14. A user is receiving a notification from the RDS DB whenever there is a change in the DB security group. The user does not want to receive these notifications for only a month. Thus, he does not want to delete the notification. How can the user configure this?

    • Change the Disable button for notification to “Yes” in the RDS console
    • Set the send mail flag to false in the DB event notification console
    • The only option is to delete the notification from the console
    • Change the Enable button for notification to “No” in the RDS console
    Explanation:
    Amazon RDS uses the Amazon Simple Notification Service to provide a notification when an Amazon RDS event occurs. Event notifications are sent to the addresses that the user has provided while creating the subscription. The user can easily turn off the notification without deleting a subscription by setting the Enabled radio button to No in the Amazon RDS console or by setting the Enabled parameter to false using the CLI or Amazon RDS API.

15. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.0.1/24. How can the user create the second subnet?

    • There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet’s CIDR
    • The user can modify the first subnet CIDR from the console
    • It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created
    • The user can modify the first subnet CIDR with AWS CLI
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside the subnet. The user can create a subnet with the same size of VPC. However, he cannot create any other subnet since the CIDR of the second subnet will conflict with the first subnet. The user cannot modify the CIDR of a subnet once it is created. Thus, in this case if required, the user has to delete the subnet and create new subnets.

16. A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the web server security group (WebSecGrp)?

    • Configure Destination as DB Security group ID (DbSecGrp) for port 3306 Outbound
    • 80 for Destination 0.0.0.0/0 Outbound
    • Configure port 3306 for source 20.0.0.0/24 InBound
    • Configure port 80 InBound for source 20.0.0.0/16
    Explanation:
    A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet to host the web server and DB server respectively, the user should configure that the instances in the public subnet can receive inbound traffic directly from the internet. Thus, the user should configure port 80 with source 0.0.0.0/0 in InBound. The user should configure that the instance in the public subnet can send traffic to the private subnet instances on the DB port. Thus, the user should configure the DB security group of the private subnet (DbSecGrp) as the destination for port 3306 in Outbound.

17. A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services provides detailed monitoring with CloudWatch without charging the user extra?

    • AWS Auto Scaling
    • AWS Route 53
    • AWS EMR
    • AWS SNS
    Explanation:
    CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. Services, such as RDS, ELB, OpsWorks, and Route 53 can provide the monitoring data every minute without charging the user.

18. A user is trying to understand the CloudWatch metrics for the AWS services. It is required that the user should first understand the namespace for the AWS services. Which of the below mentioned is not a valid namespace for the AWS services?

    • AWS/StorageGateway
    • AWS/CloudTrail
    • AWS/ElastiCache
    • AWS/SWF
    Explanation:
    Amazon CloudWatch is basically a metrics repository. The AWS product puts metrics into this repository, and the user can retrieve the data or statistics based on those metrics. To distinguish the data for each service, the CloudWatch metric has a namespace. Namespaces are containers for metrics. All AWS services that provide the Amazon CloudWatch data use a namespace string, beginning with “AWS/”. All the services which are supported by CloudWatch will have some namespace. CloudWatch does not monitor CloudTrail. Thus, the namespace “AWS/CloudTrail” is incorrect.

19. A system admin is planning to encrypt all objects being uploaded to S3 from an application. The system admin does not want to implement his own encryption algorithm; instead he is planning to use server side encryption by supplying his own key (SSE-C). Which parameter is not required while making a call for SSE-C?

    • x-amz-server-side-encryption-customer-key-AES-256
    • x-amz-server-side-encryption-customer-key
    • x-amz-server-side-encryption-customer-algorithm
    • x-amz-server-side-encryption-customer-key-MD5
    Explanation:
    AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key (SSE-C). When the user is supplying his own encryption key, the user has to send the below mentioned parameters as a part of the API calls:
    x-amz-server-side-encryption-customer-algorithm: Specifies the encryption algorithm
    x-amz-server-side-encryption-customer-key: To provide the base64-encoded encryption key
    x-amz-server-side-encryption-customer-key-MD5: To provide the base64-encoded 128-bit MD5 digest of the encryption key

20. A user is using the AWS SQS to decouple the services. Which of the below mentioned operations is not supported by SQS?

    • SendMessageBatch
    • DeleteMessageBatch
    • CreateQueue
    • DeleteMessageQueue
    Explanation:
    Amazon Simple Queue Service (SQS. is a fast, reliable, scalable, and fully managed message queuing service. SQS provides a simple and cost-effective way to decouple the components of an application. The user can perform the following set of operations using the Amazon SQS: CreateQueue, ListQueues, DeleteQueue, SendMessage, SendMessageBatch, ReceiveMessage, DeleteMessage, DeleteMessageBatch, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SetQueueAttributes, GetQueueAttributes, GetQueueUrl, AddPermission and RemovePermission. Operations can be performed only by the AWS account owner or an AWS account that the account owner has delegated to.