SOA-C01 : AWS-SysOps : Part 29
-
A company has an asynchronous nightly process that feeds the results to a data warehouse system for weekly and monthly reporting. The process is running on a fleet of Amazon EC2 instances. A SysOps Administrator has been asked to identify ways to reduce the cost of running this process.
What is the MOST cost-effective solution?
- Use On-Demand EC2 instances in an Auto Scaling group
- Use Spot Instances to bid for the EC2 instances
- Use Reserved Instances to ensure the capacity
- Put the EC2 instances in a placement group
-
A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records.
What type of record should be set in Route 53 to point the website’s apex domain name (for example, “company.com”) to the Application Load Balancer?
- CNAME
- SOA
- TXT
- ALIAS
-
An application running on Amazon EC2 allows users to launch batch jobs for data analysis. The jobs are run asynchronously, and the user is notified when they are complete. While multiple jobs can run concurrently, a user’s request need not be fulfilled for up to 24 hours. To run a job, the application launches an additional EC2 instance that performs all the analytics calculations. A job takes between 75 and 110 minutes to complete and cannot be interrupted.
What is the MOST cost-effective way to run this workload?
- Run the application on On-Demand EC2 instances. Run the jobs on Spot Instances with a specified duration.
- Run the application on Reserved Instance EC2 instances. Run the jobs on AWS Lambda.
- Run the application on On-Demand EC2 instances. Run the jobs on On-Demand EC2 instances.
- Run the application on Reserved Instance EC2 instances. Run the jobs on Spot Instances with a specified duration.
-
A developer deploys an application running on Amazon EC2 by using an AWS CloudFormation template. The developer launches the stack from the console logged in as an AWS Identity and Access Management (IAM) user. When a SysOps Administrator attempts to run the same AWS CloudFormation template in the same AWS account from the console, it fails and returns the error:
“The image id ‘[ami-2a69aa47]’ does not exist”
What is the MOST likely cause of the failure?
- The Administrator does not have the same IAM permissions as the developer.
- The Administrator used a different SSH key from that of the developer.
- The Administrator is running the template in a different region.
- The Administrator’s Amazon EC2 service limits have been exceeded
-
A company has configured a library of IAM roles that grant access to various AWS resources. Each employee has an AWS IAM user, some of which have the permission to launch Amazon EC2 instances. The SysOps Administrator has attached the following policy to those users:
SOA-C01 AWS-SysOps Part29 Q05 024 What would be the result of this policy?
- Users are able to switch only to a role name that begins with “InfraTeam” followed by any other combination of characters.
- Users with the role of InfraTeamLinux are able to launch an EC2 instance and attach that role to it.
- “InfraTeam” role is being passed to a user who has full EC2 access.
- EC2 instances that are launched by these users have full AWS permissions.
-
Application developers are reporting Access Denied errors when trying to list the contents of an Amazon S3 bucket by using the IAM user “arn:aws:iam::111111111111:user/application”. The following S3 bucket policy is in use:
SOA-C01 AWS-SysOps Part29 Q06 025 How should a SysOps Administrator modify the S3 bucket policy to fix the issue?
- Change the “Effect” from “Allow” to “Deny”
- Change the “Action” from “s3:List*” to “s3:ListBucket”
- Change the “Resource” from “arn:aws:s3:::bucketname/*” to “arn:aws:s3:::bucketname”
- Change the “Principal” from “arn:aws:iam::111111111111:user/application” to “arn:aws:iam::111111111111:role/application”
-
An organization has hired an external firm to audit unauthorized changes on the company’s AWS environment, the external auditor needs appropriate access.
How can this be accomplished?
- Create an IAM user and assign them a new policy with GetResources access on AWS Artifact
- Create an IAM user and add them to the existing “Administrator” IAM group
- Create an IAM user and assign them a new IAM policy with read access to the AWS CloudTrail logs in Amazon S3
- Create an IAM user and assign them a new policy with ListFindings access on Amazon Inspector
-
A SysOps Administrator wants to automate the process of configuration, deployment, and management of Amazon EC2 instances using Chef or Puppet.
Which AWS service will satisfy the requirement?
- AWS Elastic Beanstalk
- AWS CloudFormation
- AWS OpsWorks
- AWS Config
-
A photo-sharing site delivers content worldwide from a library on Amazon S3 using Amazon CloudFront. Users are trying to access photos that either do not exist or they are not authorized to view.
What should be monitored to better understand the extent of this issue?
- GetRequests S3 metric on Amazon CloudWatch
- 4XXErrorRate CloudFront metric on CloudWatch
- 5XXErrorRate CloudFront metric on CloudWatch
- PostRequests S3 metric on CloudWatch
-
A company must share monthly report files that are uploaded to Amazon S3 with a third party. The third-party user list is dynamic, is distributed, and changes frequently. The least amount of access must be granted to the third party. Administrative overhead must be low for the internal teams who manage the process.
How can this be accomplished while providing the LEAST amount of access to the third party?
- Allow only specified IP addresses to access the S3 buckets which will host files that need to be provided to the third party.
- Create an IAM role with the appropriate access to the S3 bucket, and grant login permissions to the console for the third party to access the S3 bucket.
- Create a pre-signed URL that can be distributed by email to the third party, allowing it to download specific S3 filed.
- Have the third party sign up for an AWS account, and grant it cross-account access to the appropriate S3 bucket in the source account.
-
An administrator is responding to an alarm that reports increased application latency. Upon review, the Administrator notices that the Amazon RDS Aurora database frequently runs at 100% CPU utilization. The application is read heavy and does frequent lookups of a product table.
What should the Administrator do to reduce the application latency?
- Move the product table to Amazon Redshift and use an interleaved sort key
- Add Aurora Replicas and use a Reader Endpoint for product table lookups
- Move the product table to Amazon CloudFront and set the cache-control headers to public
- Use Auto Scaling to add extra Aurora nodes and set a trigger based on CPU utilization
-
A company is running a new promotion that will result in a massive spike in traffic for a single application. The SysOps Administrator must prepare the application and ensure that the customers have a great experience. The application is heavy on memory and is running behind an AWS Application Load Balancer (ALB). The ALB has been pre-warmed, and the application is in an Auto Scaling group.
What built-in metric should be used to control the Auto Scaling group’s scaling policy?
- RejectedConnection Count
- Request CountPerTarget
- CPUUtilization
- MemoryUtilization
-
A SysOps Administrator is reviewing AWS Trusted Advisor warnings and encounters a warning for an S3 bucket policy that has open access permissions. While discussing the issue the bucket owner, the Administrator realizes the S3 bucket is an origin for an Amazon CloudFront web distribution.
Which action should the Administrator take to ensure that users access objects in Amazon S3 by using only CloudFront URLs?
- Encrypt the S3 bucket content with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- Create an origin access identity and grant it permissions to read objects in the S3 bucket
- Assign an IAM user to the CoudFront distribution and whitelist the IAM user in the S3 bucket policy
- Assign an IAM role to the CloudFront distribution and whitelist the IAM role in the S3 bucket policy
-
An e-commerce company hosts its website on the AWS us-west-1 region. It plans to create a special site for a promotion that should be visible only to shoppers from Canada.
What change should the SysOps Administrator make to the company’s existing AWS setup to achieve this result?
- Update the Amazon Route 53 record set to use a latency routing policy for the new site
- Update the Application Load Balancer with a new host-based routing rule for the new site
- Update the Amazon Route 53 record set to use a geolocation routing policy for the new site
- Update the Application Load Balancer with a new path-based routing rule for the new site
-
A company currently has a single AWS account used by all project teams. The company is migrating to a multi-account strategy, where each project team will have its own account. The AWS IAM configuration must have the same roles and policies for each of the accounts.
What is the MOST efficient way to implement and manage these new requirements?
- Create a portfolio in the AWS Service Catalog for the IAM roles and policies. Have a specific product in the portfolio for each environment, project, and team that can be launched independently by each user.
- Use AWS Organizations to create organizational units (OUs) for each group of projects and each team. Then leverage service control policies at the account level to restrict what services can used and what actions the users, groups, and roles can perform in those accounts.
- Create an AWS Lambda script that leverages cross-account access to each AWS account, and create all the roles and policies needed using the IAM API and JSON documents stored in Amazon S3.
- Create a single AWS CloudFormation template. Use CloudFormation StackSets to launch the CloudFormation template into each target account from the Administrator account.
Explanation:
Service control policies (SCPs) are one type of policy that you can use to manage your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features. -
A SysOps Administrator is creating an Amazon EC2 instance and has received an InsufficientInstanceCapacity error.
What is the cause of the error and how can it be corrected?
- AWS does not currently have enough capacity to service the request for that instance type. A different Availability Zone or instance type must be used.
- The account has reached its concurrent running instance limit. An EC2 limit increase request must be filed with AWS Support.
- The APIs that service the EC2 requests have received too many requests and capacity has been reached. The request should be attempted again in a few minutes.
- The Administrator did not specify the correct size of the instance to support the capacity requirements of the workload. Select a bigger instance.
-
A web application runs on Amazon EC2 instances with public IPs assigned behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Multi-AZ DB instance. The Application Load Balancer, EC2 instances, and RDS DB instance all run in separate sets of subnets. The EC2 instances can communicate with the DB instance, but cannot connect with external services.
What is the MOST likely solution?
- Assign a public IP address to the database server and restart the database engine.
- Create and attach an Internet gateway to the VPC. Create a route table for the EC2 instance’s subnets that sends Internet traffic to the gateway.
- Create and attach a virtual private gateway to the VPC. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the gateway.
- Create a VPC peering connection to a VPC that has an Internet gateway attached. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the peered VPC.
-
A company has deployed a new application running on Amazon EC2 instances. The application team must verify for the Security team that all common vulnerabilities and exposures have been addressed, both now and regularly throughout the application’s lifespan.
How can the Application team satisfy the Security team’s requirement?
- Perform regular assessments with Amazon Inspector
- Perform regular assessments with AWS Trusted Advisor
- Integrate AWS Personal Health Dashboard with Amazon CloudWatch events to get security notifications
- Grant the Administrator and Security team access to AWS Artifact
-
InfoSec is concerned that an employee may expose sensitive data in an Amazon S3 bucket.
How can this concern be addressed without putting undue restrictions on users?
- Apply an IAM policy on all users that denies the action s3:PutBucketPolicy
- Restrict S3 bucket access to specific IAM roles managed using federated access
- Activate an AWS Config rule to identify public buckets and alert InfoSec using Amazon SNS
- Email the findings of AWS Personal Health Dashboard to InfoSec daily
-
A SysOps Administrator is using AWS CloudFormation to deploy resources but would like to manually address any issues that the template encounters.
What should the Administrator add to the template to support the requirement?
- Enable Termination Protection on the stack
- Set the OnFailure parameter to “DO_NOTHING”
- Restrict the IAM permissions for CloudFormation to delete resources
- Set the DeleteStack API action to “No”
Subscribe
0 Comments
Newest