Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 30
A SysOps Administrator discovers the organization’s tape archival system is no longer functioning in its on-premises data center.
What AWS service can be used to create a virtual tape interface to replace the physical tape system?
- AWS Snowball
- AWS SMS
- Amazon Glacier
- AWS Storage Gateway
A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times:
*** Error Establishing a Database Connection.
Which of the following may be causes of the connectivity problems? (Choose two.)
- The security group for the database does not have the appropriate egress rule from the database to the web server.
- The certificate used by the web server is not trusted by the RDS instance.
- The security group for the database does not have the appropriate ingress rule from the web server to the database.
- The database is still being created and is not available for connectivity.
A recent audit found that most resources belonging to the Development team were in violation of patch compliance standards. The resources were properly tagged.
Which service should be used to quickly remediate the issue and bring the resources back into compliance?
- AWS Config
- Amazon Inspector
- AWS Trusted Advisor
- AWS Systems Manager
A SysOps Administrator has been able to consolidate multiple, secure websites onto a single server, and each site is running on a different port. The Administrator now wants to start a duplicate server in a second Availability Zone and put both behind a load balancer for high availability.
What would be the command line necessary to deploy one of the sites’ certificates to the load balancer?
An Amazon EBS volume attached to an EC2 instance was recently modified. Part of the modification included increasing the storage capacity. The SysOps Administrator notices that the increased storage capacity is not reflected in the file system.
Which step should the Administrator complete to use the increased storage capacity?
- Restart the EC2 instance.
- Extend the volume’s file system.
- Detach the EBS volume, resize it, and attach it.
- Take an EBS snapshot and restore it to the bigger volume.
A SysOps Administrator is creating additional Amazon EC2 instances and receives an InstanceLimitExceeded error.
What is the cause of the issue and how can it be resolved?
- The Administrator has requested too many instances at once and must request fewer instances in batches.
- The concurrent running instance limit has been reached, and an EC2 limit increase request must be filed with AWS Support.
- AWS does not currently have enough available capacity and a different instance type must be used.
- The Administrator must specify the maximum number of instances to be created while provisioning EC2 instances.
A SysOps Administrator is troubleshooting Amazon EC2 connectivity issues to the internet. The EC2 instance is in a private subnet. Below is the route table that is applied to the subnet of the EC2 instance.

| Destination | Target | Status | Propagated |
| --- | --- | --- | --- |
| 10.2.0.0/16 | local | Active | No |
| 0.0.0.0/0 | nat-xxxxxxx | Blackhole | No |

What has caused the connectivity issue?
- The NAT gateway no longer exists.
- There is no route to the internet gateway.
- The routes are no longer propagating.
- There is no route rule with a destination for the internet.
Malicious traffic is reaching company web servers. A SysOps Administrator is tasked with blocking this traffic. The malicious traffic is distributed over many IP addresses and represents much higher traffic than is typically seen from legitimate users.
How should the Administrator protect the web servers?
- Create a security group for the web servers and add deny rules for malicious sources.
- Set the network access control list for the web servers’ subnet and add deny entries.
- Place web servers behind AWS WAF and establish the rate limit to create a blacklist.
- Use Amazon CloudFront to cache all pages and remove the traffic from the web servers.
A SysOps Administrator must evaluate storage solutions to replace a company’s current user-shared drives infrastructure. Any solution must support security controls that enable Portable Operating System Interface (POSIX) permissions and Network File System protocols. Additionally, any solution must be accessible from multiple Amazon EC2 instances and on-premises servers connected to the Amazon VPC.
Which AWS service meets the user drive requirements?
- Amazon S3
- Amazon EFS
- Amazon EBS
- Amazon SQS
A Developer created an AWS Lambda function and has asked the SysOps Administrator to make this function run every 15 minutes.
What is the MOST efficient way to accomplish this request?
- Create an Amazon EC2 instance and schedule a cron to invoke the Lambda function.
- Create a Repeat Time variable inside the Lambda function to invoke the Lambda function.
- Create a second Lambda function to monitor and invoke the first Lambda function.
- Create an Amazon CloudWatch scheduled event to invoke the Lambda function.
A company’s auditor implemented a compliance requirement that all Amazon S3 buckets must have logging enabled. A SysOps administrator is tasked to ensure this compliance requirement is met, while still permitting developers to create and use new S3 buckets.
Which action should be taken to accomplish this?
- Add AWS CloudTrail logging for the S3 buckets.
- Implement IAM policies to allow only the storage team to create S3 buckets.
- Add the S3_BUCKET_LOGGING_ENABLED AWS Config managed rule.
- Create an AWS Lambda function to delete the S3 buckets if logging is not turned on.
An organization is concerned that its Amazon RDS databases are not protected. The solution to address this issue must be low cost, protect against table corruption that could be overlooked for several days, and must offer a 30-day window of protection.
How can these requirements be met?
- Enable Multi-AZ on the RDS instance to maintain the data in a second Availability Zone.
- Create a read replica of the RDS instance to maintain the data in a second region.
- Ensure that automated backups are enabled and set the appropriate retention period.
- Enable versioning in RDS to recover altered table data when needed.
An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps Administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy.
What is likely to be the problem?
- The Amazon Machine Image used is not available in that region.
- The AWS CloudFormation template needs to be updated to the latest version.
- The VPC configuration parameters have changed and must be updated in the template.
- The account has reached the default limit for VPCs allowed.
Based on the AWS Shared Responsibility Model, which of the following actions are the responsibility of the customer for an Aurora database?
- Performing underlying OS updates
- Provisioning of storage for database
- Scheduling maintenance, patches, and other updates
- Executing maintenance, patches, and other updates
A web-commerce application stores its data in an Amazon Aurora DB cluster with an Aurora replica. The application displays shopping cart information by reading data from the reader endpoint. When monitoring the Aurora database, the SysOps Administrator sees that the AuroraReplicaLagMaximum metric for a single replica is high.
What behavior is the application MOST likely exhibiting to users?
- Users cannot add any items to the shopping cart.
- Users intermittently notice that the cart is not updated correctly.
- Users cannot remove any items from the shopping cart.
- Users cannot use the application because it is falling back to an error page.
A company would like to review each change in the infrastructure before deploying updates in its AWS CloudFormation stacks.
Which action will allow an Administrator to understand the impact of these changes before implementation?
- Implement a blue/green strategy using AWS Elastic Beanstalk.
- Perform a canary deployment using Application Load Balancers and target groups.
- Create a change set for the running stack.
- Submit the update using the UpdateStack API call.
A Systems Administrator is responsible for maintaining custom, approved AMIs for a company. These AMIs must be shared with each of the company’s AWS accounts.
How can the Administrator address this issue?
- Contact AWS Support for sharing AMIs with other AWS accounts.
- Modify the permissions on the AMIs so that they are publicly accessible.
- Modify the permissions on the IAM role that are associated with the AMI.
- Share the AMIs with each AWS account using the console or CLI.
A company’s data retention policy dictates that backups be stored for exactly two years. After that time, the data must be deleted.
How can Amazon EBS snapshots be managed to conform to this data retention policy?
- Use an Amazon S3 lifecycle policy to delete snapshots older than two years.
- Configure Amazon Inspector to find and delete old EBS snapshots.
- Schedule an AWS Lambda function using Amazon CloudWatch Events to periodically run a script to delete old snapshots.
- Configure an Amazon CloudWatch alarm to trigger the launch of an AWS CloudFormation template that will clean the older snapshots.
A SysOps Administrator must devise a strategy for enforcing tagging of all EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes.
What action can the Administrator take to implement this for real-time enforcement?
- Use the AWS Tag Editor to manually search for untagged resources and then tag them properly in the editor.
- Set up AWS Service Catalog with the TagOptions Library rule that enforces a tagging taxonomy proactively when instances and volumes are launched.
- In a PowerShell or shell script, check for untagged items by using the resource tagging GetResources API action, and then manually tag the reported items.
- Launch items by using the AWS API. Use the TagResources API action to apply the required tags when the instances and volumes are launched.
During a security investigation, it is determined that there is a coordinated attack on the web applications deployed on Amazon EC2. The attack is performed through malformed HTTP headers.
What AWS service or feature would prevent this traffic from reaching the EC2 instances?
- Amazon Inspector
- Amazon Security Groups
- AWS WAF
- Application Load Balancer (ALB)