SOA-C01 : AWS-SysOps ​​​​​: Part 17

SOA-C01 : AWS-SysOps ​​​​​: Part 17

1. You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database.

   Which configuration will allow you to securely serve private content to your users?

   • Generate pre-signed URLs for each user as they request access to protected S3 content
   • Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
   • Create an S3 bucket policy that limits access to your private content to only your subscribed users’ credentials
   • Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user
   Explanation:
   “You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn’t required to use signed URLs, but we recommend it.”

2. In AWS, which security aspects are the customer’s responsibility? (Choose four.)

   • Controlling physical access to compute resources
   • Patch management on the EC2 instance s operating system
   • Encryption of EBS (Elastic Block Storage) volumes
   • Life-cycle management of IAM credentials
   • Decommissioning storage devices
   • Security Group and ACL (Access Control List) settings

3. An application you maintain consists of multiple EC2 instances in a default tenancy VPC. This application has undergone an internal audit and has been determined to require dedicated hardware for one instance. Your compliance team has given you a week to move this instance to single-tenant hardware.

   Which process will have minimal impact on your application while complying with this requirement?

   • Create a new VPC with tenancy=dedicated and migrate to the new VPC
   • Use ec2-reboot-instances command line and set the parameter “dedicated=true”
   • Right click on the instance, select properties and check the box for dedicated tenancy
   • Stop the instance, create an AMI, launch a new instance with tenancy=dedicated, and terminate the old instance
   Explanation:
   You cannot change the tenancy of a default instance after you’ve launched it.
   You can change the tenancy of an instance from “dedicated” to “host” after you’ve launched it, and vice versa.

4. A .NET application that you manage is running in Elastic Beanstalk. Your developers tell you they will need access to application log files to debug issues that arise. The infrastructure will scale up and down.

   How can you ensure the developers will be able to access only the log files?

   • Access the log files directly from Elastic Beanstalk
   • Enable log file rotation to S3 within the Elastic Beanstalk configuration
   • Ask your developers to enable log file rotation in the applications web.config file
   • Connect to each Instance launched by Elastic Beanstalk and create a Windows Scheduled task to rotate the log files to S3.

5. Your mission is to create a lights-out datacenter environment, and you plan to use AWS OpsWorks to accomplish this. First you created a stack and added an App Server layer with an instance running in it. Next you added an application to the instance, and now you need to deploy a MySQL RDS database instance.

   Which of the following answers accurately describe how to add a backend database server to an OpsWorks stack? (Choose three.)

   • Add a new database layer and then add recipes to the deploy actions of the database and App Server layers.
   • Use OpsWorks’ “Clone Stack” feature to create a second RDS stack in another Availability Zone for redundancy in the event of a failure in the Primary AZ. To switch to the secondary RDS instance, set the [:database] attributes to values that are appropriate for your server which you can do by using custom JSON.
   • The variables that characterize the RDS database connection—host, user, and so on—are set using the corresponding values from the deploy JSON’s [:depioy][:app_name][:database] attributes.
   • Cookbook attributes are stored in a repository, so OpsWorks requires that the “password”: “your_password” attribute for the RDS instance must be encrypted using at least a 256-bit key.
   • Set up the connection between the app server and the RDS layer by using a custom recipe. The recipe configures the app server as required, typically by creating a configuration file. The recipe gets the connection data such as the host and database name from a set of attributes in the stack configuration and deployment JSON that AWS OpsWorks installs on every instance.

6. A user needs to put sensitive data in an Amazon S3 bucket that can be accessed through an S3 VPC endpoint only. The user must ensure that resources in the VPC can only access the single S3 bucket.

   Which combination of actions will meet the requirements? (Choose two.)

   • Configure the bucket policy to only allow access through the S3 Private Endpoint.
   • Modify the VPC endpoint policy on the bucket to only allow the VPC to access it.
   • Modify the VPC peering configuration to only allow access to the S3 private Endpoint.
   • Configure the VPC endpoint policy to only allow the VPC to access the specific S3 bucket.
   • Configure the IAM policy attached to the S3 bucket to only allow access from the specific VPC.

7. A corporate website is hosted on several Amazon EC2 instances across multiple regions around the globe.

   How should an Administrator configure the website to maintain high availability with minimal downtime if one of the regions has network connectivity congestion for an extended period of time?

   • Create an Elastic Load Balancer in front of all the Amazon EC2 instances.
   • Create an Elastic Load Balancer that fails over to the secondary site when the primary site is not reachable.
   • Create an Amazon Route 53 Latency Based Routing Record Set that resolves to an Elastic Load Balancer in each region. Set an appropriate health check on each ELB.
   • Create an Amazon Route 53 latency Based Routing Record Set that resolves to Elastic Load Balancers I each region and has the Evaluate Target Health flag set to “true”.

8. A database running on Amazon EC2 requires sustained IOPS performance.

   Which kind of Amazon EBS volume should an Administrator choose for this solution?

   • Cloud HDD
   • General Purpose SSD
   • Provisioned IOPS SSD
   • Throughput Optimized HDD

9. What does the “configure” command allow an Administrator to do when setting up the AWS CLI? (Choose two.)

   • Decide which VPC to create instances in.
   • Designate the format of the response to CLI commands.
   • Choose the default EC2 instance.
   • Encrypt the CLI commands.
   • Designate the default region.

10. An Administrator has an Amazon EC2 instance with an IPv6 address. The Administrator needs to prevent direct access to this instance from the Internet.

    The Administrator should place the EC2 instance in a:

    • Private Subnet with an egress-only Internet Gateway attached to the subnet and placed in the subnet Route Table.
    • Public subnet with an egress-only Internet Gateway attached to the VPC and placed in the VPC Route Table.
    • Private subnet with an egress-only Internet Gateway attached to the VPC and placed in the subnet Route Table.
    • Public subnet and a security group that blocks inbound IPv6 traffic attached to the interface.

11. As part of an operational audit, an Administrator is tasked with showing that all security responsibilities under the customer’s control are properly executed.

    Which of the following items is the customer responsible for providing to the auditor? (Choose two.)

    • Physical data center access logs
    • AWS CloudTrail logs showing API calls
    • Amazon EC2 instance system logs
    • Storage device destruction records
    • Xen Hypervisor system logs

12. A colleague is attempting to launch several new CloudFormation stacks, and receives the following error response:

    

    What should be done to address the error?

    • Add a Pause to the CloudFormation templates.
    • Add an exponential backoff between CreateStack API calls.
    • Run the CloudFormation API calls from a larger Amazon EC2 instance.
    • Combine stack templates into one, and retry the CreateStack API call.

13. A security policy allows instances in the Production and Development accounts to write application logs to an Amazon S3 bucket belonging to the Security team’s account. Only the Security team should be allowed to delete logs from the S3 bucket.

    Using the “myAppRole” EC2 role, the production and development teams report that the application servers are not able to write to the S3 bucket.

    Which changes need to be made to the policy to allow the application logs to be written to the S3 bucket?

    Production Account: 111111111111
    Dev Account: 222222222222
    Security Account: 555555555555

    

    • Update the Action for the Allow policy from “s3:*” to “s3:PutObject”
    • Change the order of the statements in the bucket policy, moving the Deny policy above the Allow policy.
    • Update the Action for the Deny policy from “s3:*” to “s3: Delete*”.
    • Remove the bucket policy, because the default security behavior will not allow objects to be deleted by non bucket owners.

14. A company is auditing their infrastructure to obtain a compliance certification.

    Which of the following options are the company’s responsibility within the Shared Responsibility Model? (Choose two.)

    • AWS API endpoint SSL Certificates
    • EC2 Instance Operating System updates
    • EBS Encryption-at-result algorithms
    • IAM user password policies
    • AWS Hypervisor software updates

15. Which instance characteristics are required if an Administrator wants to ensure use of the Amazon EC2 auto-recovery option? (Choose two.)

    • The instance only has EBS volumes.
    • The instance has EC2 Instance Store root volumes.
    • The tenancy attribute is set to “default” (shred tenancy).
    • The tenancy attribute is set to “Dedicated”.
    • The instance type belongs to the d2, i2 or i3 instance type.

16. Which two steps are required to generate a report detailing specific cost allocation tags when creating a Monthly Cost Allocation report? (Choose two.)

    • Use AWS CloudTrail to export the events for the specified resources.
    • Use an AWS Lambda function to read the resources’ metadata, and write the specified tags to a DynamoDB table.
    • Activate the “requested” tags by clicking Manage report tags on the Billing Preferences page.
    • Select the checkbox for Cost Allocation Report in the AWS account’s Billing Management Console.
    • Create a new Budget using the Billing Management Console, use the “Include costs related to Tags” feature, and select the requested tags.

17. A company has a fleet of EC2 instances, and needs to remotely execute scripts for all of the instances.

    Which Amazon EC2 Systems Manager feature allows this?

    • System Manager Automation
    • System Manager Run Command
    • System Manager Parameter Store
    • System Manager Inventory

18. A corporate policy requires all new infrastructure deployments to use scalable and reusable resources to improve resources delivery times. The policy also restricts resource configuration management to the systems operations team. The development team requests the ability to deploy resources on demand in an effort to streamline their software development lifecycle.

    What can the systems operations team do to ensure company policy is followed while also meeting the development team’s requests?

    • Create an AWS CloudFormation on template with the requested resources, and give it to the development team to adjust as needed.
    • Provision the resources using the CLI, and create the necessary IAM permissions to allow the development team to modify them as needed.
    • Create the AWS Service Catalog product and share with the development team through the Service Catalog.
    • Grant the development team access to the AWS CloudFormation Design Template Editor to specify the needed resources and configurations. Once the templates are complete, the system operations team will launch the resources.

19. An application hosted on AWS is going through an external compliance assessment. An Administrator has been tasked with providing proof of physical security at the facilities that are hosting the application.

    What should the Administrator do?

    • Work with AWS support to schedule a tour for the auditors.
    • Send a copy of the AWS Security whitepaper to the auditors.
    • Obtain a relevant report from AWS Artifact and share it with the auditors.
    • Find the address for the AWS Direct Connect facility on the AWS Website.

20. What can an Administrator do to monitor whether an organization’s instances are compliant with corporate policies and guidelines?

    • Check the instances’ metadata to determine what software is running.
    • Use AWS CloudTrail logs to identify the applications running on the instances.
    • Set CloudWatch alarms that are triggered with any software change on the instances.
    • Using Config Rules in the AWS Config service to check the instance’s configuration and applications.