Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 32
An Applications team has successfully deployed an AWS CloudFormation stack consisting of 30 t2.medium Amazon EC2 instances in the us-west-2 Region. When using the same template to launch a stack in us-east-2, the launch failed and rolled back after launching only 10 EC2 instances.
What is a possible cause of this failure?
- The IAM user did not have privileges to launch the CloudFormation template.
- The t2.medium EC2 instance service limit was reached.
- An AWS Budgets threshold was breached.
- The application’s Amazon Machine Image (AMI) is not available in us-east-2.
A SysOps Administrator stores crash dump files in Amazon S3. New security and privacy measures require that crash dumps older than 6 months be deleted.
Which approach meets this requirement?
- Use Amazon CloudWatch Events to delete objects older than 6 months.
- Implement lifecycle policies to delete objects older than 6 months.
- Use the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class to automatically delete objects older than 6 months.
- Create versioning rules to delete objects older than 6 months.
The Accounting department would like to receive billing updates more than once a month. They would like the updates to be in a format that can easily be viewed with a spreadsheet application.
How can this request be fulfilled?
- Use Amazon CloudWatch Events to schedule a billing inquiry on a bi-weekly basis. Use AWS Glue to convert the output to CSV.
- Set AWS Cost and Usage Reports to publish bills daily to an Amazon S3 bucket in CSV format.
- Use the AWS CLI to output billing data as JSON. Use Amazon SES to email bills on a daily basis.
- Use AWS Lambda, triggered by CloudWatch, to query billing data and push to Amazon RDS.
A SysOps Administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:
AMI [ami-12345678] does not exist
How should the Administrator ensure that the AWS CloudFormation template is working in every region?
- Copy the source region’s Amazon Machine Image (AMI) to the destination region and assign it the same ID.
- Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
- Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.
- Modify the AWS CloudFormation template by including the AMI IDs in the “Mappings” section. Refer to the proper mapping within the template for the proper AMI ID.
A SysOps Administrator needs to confirm that security best practices are being followed with the AWS account root user.
How should the Administrator ensure that this is done?
- Change the root user password by using the AWS CLI routinely.
- Periodically use the AWS CLI to rotate access keys and secret keys for the root user.
- Use AWS Trusted Advisor security checks to review the configuration of the root user.
- Periodically distribute the AWS compliance document from AWS Artifact that governs the root user configuration.
The networking team has created a VPC in an AWS account. The application team has asked for access to resources in another VPC in the same AWS account. The SysOps Administrator has created the VPC peering connection between the two VPCs, but the resources in one VPC cannot communicate with the resources in the other VPC.
What could be causing this issue?
- One of the VPCs is not sized correctly for peering.
- There is no public subnet in one of the VPCs.
- The route tables have not been updated.
- One VPC has disabled the peering flag.
An organization has been running their website on several m2 Linux instances behind a Classic Load Balancer for more than two years. Traffic and utilization have been constant and predictable.
What should the organization do to reduce costs?
- Purchase Reserved Instances for the specific m2 instances.
- Change the m2 instances to equivalent m5 types, and purchase Reserved Instances for the specific m5 instances.
- Change the Classic Load Balancer to an Application Load Balancer, and purchase Reserved Instances for the specific m2 instances.
- Purchase Spot Instances for the specific m2 instances.
A company is storing monthly reports on Amazon S3. The company’s security requirement states that traffic from the client VPC to Amazon S3 cannot traverse the internet.
What should the SysOps Administrator do to meet this requirement?
- Use AWS Direct Connect and a public virtual interface to connect to Amazon S3.
- Use a managed NAT gateway to connect to Amazon S3.
- Deploy a VPC endpoint to connect to Amazon S3.
- Deploy an internet gateway to connect to Amazon S3.
An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security, the Information Security team has deployed an Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of the EC2 instances.
After the change, traffic is not reaching the instances, and an error is being returned from the ALB.
What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (Choose two.)
- Add the EC2 instances to the ALB target group, configure the health check, and ensure that the instances report healthy.
- Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy, and remove the public IPs from the instances.
- Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate, and remove the public IPs from the instances.
- Change the security group for the EC2 instances to allow access from only the ALB security group, and remove the public IPs from the instances.
- Change the security group to allow access from 0.0.0.0/0, which permits access from the ALB.
A SysOps Administrator is implementing SSL for a domain of an internet-facing application running behind an Application Load Balancer (ALB). The Administrator decides to use an SSL certificate from AWS Certificate Manager (ACM) to secure it.
Upon creating a request for the ALB fully qualified domain name (FQDN), it fails, and the error message “Domain Not Allowed” is displayed.
How can the Administrator fix this issue?
- Contact the domain registrar and ask them to provide the verification required by AWS.
- Place a new request with the proper domain name instead of the ALB FQDN.
- Select the certificate request in the ACM console and resend the validation email.
- Contact AWS Support and verify the request by answering security challenge questions.
A SysOps Administrator runs a web application that uses a microservices approach, whereby the different responsibilities of the application have been divided into separate microservices, each running on a different Amazon EC2 instance. The Administrator has been tasked with reconfiguring the infrastructure to support this approach.
How can the Administrator accomplish this with the LEAST administrative overhead?
- Use Amazon CloudFront to log the URL and forward the request.
- Use Amazon CloudFront to rewrite the header based on the microservice and forward the request.
- Use an Application Load Balancer (ALB) and do path-based routing.
- Use a Network Load Balancer (NLB) and do path-based routing.
A company is running a popular social media site on EC2 instances. The application stores data in an Amazon RDS for MySQL DB instance and has implemented read caching by using an ElastiCache for Redis (cluster mode enabled) cluster to improve read times. A social event is happening over the weekend, and the SysOps Administrator expects website traffic to triple.
What can a SysOps Administrator do to ensure improved read times for users during the social event?
- Use Amazon RDS Multi-AZ.
- Add shards to the existing Redis cluster.
- Offload static data to Amazon S3.
- Launch a second Multi-AZ Redis cluster.
After a particularly high AWS bill, an organization wants to review the use of AWS services.
What AWS service will allow the SysOps Administrator to quickly view this information to share it, and will also forecast expenses for the current billing period?
- AWS Trusted Advisor
- Amazon QuickSight
- AWS Cost and Usage Report
- AWS Cost Explorer
A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances.
How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement?
- Update the EFS file system settings to enable server-side encryption using AES-256.
- Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.
- Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system.
- Modify the EFS file system mount options to enable Transport Layer Security (TLS) on each of the EC2 instances.
The Database Administration team is interested in performing manual backups of an Amazon RDS Oracle DB instance.
What steps should be taken to perform the backups?
- Attach an Amazon EBS volume with Oracle RMAN installed to the RDS instance.
- Take a snapshot of the EBS volume that is attached to the DB instance.
- Install Oracle Secure Backup on the RDS instance and back up the Oracle database to Amazon S3.
- Take a snapshot of the DB instance.
An Auto Scaling group scales up and down based on Average CPU Utilization. The alarm is set to trigger a scaling event when the Average CPU Utilization exceeds 80% for 5 minutes. Currently, the Average CPU has been 95% for over two hours and new instances are not being added.
What could be the issue?
- A scheduled scaling action has not been defined.
- In the field Suspend Process, “ReplaceUnhealthy” has been selected.
- The maximum size of the Auto Scaling group is below or at the current group size.
- The Health Check Grace Period is set to less than 300 seconds.
An application running on Amazon EC2 instances needs to write files to an Amazon S3 bucket.
What is the MOST secure way to grant the application access to the S3 bucket?
- Create an IAM user with the necessary privileges. Generate an access key and embed the key in the code running on the EC2 instances.
- Install secure FTP (SFTP) software on the EC2 instances. Use an AWS Lambda function to copy the files from the EC2 instances to Amazon S3 using SFTP.
- Create an IAM role with the necessary privileges. Associate the role with the EC2 instances at launch.
- Use rsync and cron to set up the transfer of files from the EC2 instances to the S3 bucket. Enable AWS Shield to protect the data.
In configuring an Amazon Route 53 health check, a SysOps Administrator selects ‘Yes’ to the String Matching option in the Advanced Configuration section. In the Search String box, the Administrator types the following text: </html>
This is to ensure that the entire page is loading during the health check. Within 5 minutes of enabling the health check, the Administrator receives an alert stating that the check failed. However, when the Administrator navigates to the page, it loads successfully.
What is the MOST likely cause of this false alarm?
- The search string is not HTML-encoded.
- The search string must be put in quotes.
- The search string must be escaped with a backslash (\) before the forward slash (/).
- The search string is not in the first 5120 bytes of the tested page.
A company has created a separate AWS account for all development work to protect the production environment. In this development account, developers have permission to manipulate IAM policies and roles. Corporate policies require that developers are blocked from accessing some services.
What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?
- Create a service control policy in AWS Organizations and apply it to the development account.
- Create a customer managed policy in IAM and apply it to all users within the development account.
- Create a job function policy in IAM and apply it to all users within the development account.
- Create an IAM policy and apply it in API Gateway to restrict the development account.
Company A purchases Company B and inherits three new AWS accounts. Company A would like to centralize billing and Reserved Instance benefits but wants to keep all other resources separate.
How can this be accomplished?
- Implement AWS Organizations and create a service control policy that defines the billing relationship with the new master account.
- Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console.
- Send Cost and Usage Reports files to a central Amazon S3 bucket, and load the data into Amazon Redshift. Use Amazon QuickSight to provide visualizations to the finance team.
- Link the Reserved Instances to the master payer account and use Amazon Redshift Spectrum to query Detailed Billing Report data across all accounts.