Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 33
A website uses Elastic Load Balancing (ELB) in front of several Amazon EC2 instances backed by an Amazon RDS database. The content is dynamically generated for visitors of a webpage based on their geographic location, and is updated daily. Some of the generated objects are large in size and are taking longer to download than they should, resulting in a poor user experience.
Which approach will improve the user experience?
- Implement Amazon ElastiCache to cache the content and reduce the load on the database.
- Enable an Amazon CloudFront distribution with Elastic Load Balancing as a custom origin.
- Use Amazon S3 to store and deliver the content.
- Enable Auto Scaling for the EC2 instances so that they can scale automatically.
While setting up an AWS managed VPN connection, a SysOps Administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it.
What address should be used to create the customer gateway resource?
- The private IP address of the customer gateway device
- The MAC address of the NAT device in front of the customer gateway device
- The public IP address of the customer gateway device
- The public IP address of the NAT device in front of the customer gateway device
A SysOps Administrator attempting to delete an Amazon S3 bucket ran the following command: aws s3 rb s3://mybucket
The command failed and the bucket still exists. The Administrator validated that no files existed in the bucket by running aws s3 ls s3://mybucket and getting an empty response.
Why is the Administrator unable to delete the bucket, and what must be done to accomplish this task?
- The bucket has MFA Delete enabled, and the Administrator must turn it off.
- The bucket has versioning enabled, and the Administrator must permanently delete the objects’ delete markers.
- The bucket is storing files in Amazon Glacier, and the Administrator must wait 3-5 hours for the files to delete.
- The bucket has server-side encryption enabled, and the Administrator must run the aws s3 rb s3://mybucket --sse command.
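The trap in this question is that `aws s3 ls` lists only current object versions, so a versioned bucket whose objects have all been "deleted" still holds non-current versions and delete markers, and `aws s3 rb` refuses to remove it (`rb --force` does not remove versions either). The following added example, not from the page or from AWS, walks a constructed ListObjectVersions page, shows that the listing is empty while five identifiers remain, and builds the DeleteObjects batches needed to drain the bucket. Keys, version IDs, and the sample page are made up; `drain_versioned_bucket` is the live variant and is not called so the example runs offline.

```python
from typing import Dict, List

# Constructed sample: one page of ListObjectVersions output for a bucket that
# `aws s3 ls` reports as empty. Every key's latest version is a delete
# marker, so `ls` shows nothing, yet five identifiers still have to be
# removed before `rb` will succeed. Keys and version IDs are made up.
SAMPLE_PAGES: List[Dict] = [
    {
        "Versions": [
            {"Key": "reports/q1.csv", "VersionId": "v1", "IsLatest": False},
            {"Key": "reports/q1.csv", "VersionId": "v2", "IsLatest": False},
            {"Key": "logs/app.log", "VersionId": "a1", "IsLatest": False},
        ],
        "DeleteMarkers": [
            {"Key": "reports/q1.csv", "VersionId": "dm1", "IsLatest": True},
            {"Key": "logs/app.log", "VersionId": "dm2", "IsLatest": True},
        ],
    }
]

MAX_BATCH = 1000  # DeleteObjects accepts at most 1000 identifiers per call


def visible_keys(pages: List[Dict]) -> List[str]:
    """Keys `aws s3 ls` would show: the latest version of each key, unless
    that latest version is a delete marker (which lives in DeleteMarkers)."""
    return sorted(
        v["Key"]
        for page in pages
        for v in page.get("Versions", [])
        if v.get("IsLatest")
    )


def all_identifiers(pages: List[Dict]) -> List[Dict[str, str]]:
    """Every (Key, VersionId) pair in the bucket, delete markers included.
    This, not the output of `ls`, is what has to be deleted."""
    ids = []
    for page in pages:
        for item in page.get("Versions", []) + page.get("DeleteMarkers", []):
            ids.append({"Key": item["Key"], "VersionId": item["VersionId"]})
    return ids


def delete_batches(ids: List[Dict[str, str]], size: int = MAX_BATCH) -> List[List[Dict[str, str]]]:
    """Split identifiers into DeleteObjects-sized batches."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def drain_versioned_bucket(bucket: str, s3_client) -> int:
    """Live variant: pass a boto3 S3 client. Walks every ListObjectVersions
    page, issues one DeleteObjects call per batch, and returns the number of
    identifiers removed. Not invoked here so the example runs offline."""
    removed = 0
    paginator = s3_client.get_paginator("list_object_versions")
    for page in paginator.paginate(Bucket=bucket):
        for batch in delete_batches(all_identifiers([page])):
            resp = s3_client.delete_objects(
                Bucket=bucket, Delete={"Objects": batch, "Quiet": True}
            )
            removed += len(batch) - len(resp.get("Errors", []))
    return removed


if __name__ == "__main__":
    print("ls would show:", visible_keys(SAMPLE_PAGES))
    print("identifiers to delete:", len(all_identifiers(SAMPLE_PAGES)))
```

Two caveats when running the live variant: if MFA Delete is also enabled on the bucket, each version deletion must carry the MFA header (the `MFA` parameter of `delete_objects`) or it is rejected; and the identity running it needs `s3:DeleteObjectVersion`, which is distinct from `s3:DeleteObject`. Once `all_identifiers` returns nothing for every page, `aws s3 rb s3://mybucket` succeeds.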
A SysOps Administrator must provide data to show the overall usage of Amazon EC2 instances within each department, and must determine if the purchased Reserved Instances are being used effectively.
Which service should be used to provide the necessary information?
- AWS Personal Health Dashboard
- AWS Cost Explorer
- AWS Service Catalog
- AWS Application Discovery Service
A company has multiple web applications running on Amazon EC2 instances in private subnets. The EC2 instances require connectivity to the internet for patching purposes, but cannot be publicly accessible.
Which step will meet these requirements?
- Add an internet gateway and update the route tables.
- Add a NAT gateway to the VPC and update the route tables.
- Add an interface endpoint and update the route tables.
- Add a virtual gateway to the VPC and update the route tables.
A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC.
What is the SIMPLEST method to deploy and update the VPCs in each account?
- Create an AWS CloudFormation template that defines the VPC. Log in to the AWS Management Console under each account and create a stack from the template.
- Create a shell script that configures the VPC using the AWS CLI. Provide a list of accounts to the script from a text file, then create the VPC in every account in the list.
- Create an AWS Lambda function that configures the VPC. Store the account information in Amazon DynamoDB, grant Lambda access to the DynamoDB table, then create the VPC in every account in the list.
- Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template, then deploy the template to all accounts using the stack set.
After a network change, application servers cannot connect to the corresponding Amazon RDS MySQL database.
What should the SysOps Administrator analyze?
- VPC Flow Logs
- Elastic Load Balancing logs
- Amazon CloudFront logs
- Amazon RDS MySQL error logs
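VPC Flow Logs are the right place to look after a network change because they record, per network interface, whether each flow was accepted or rejected by the security groups and network ACLs; the RDS error log only sees connections that reached MySQL, and ELB or CloudFront logs never see the application-to-database path. The following added example, not from the page, parses constructed default-format flow log records captured on the RDS instance's interface and isolates the application servers whose MySQL connections are now rejected. The account ID, ENI ID and addresses (application servers in 10.0.1.0/24, RDS interface at 10.0.2.50) are assumed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records. Assumed layout: application servers in
# 10.0.1.0/24, one host in 10.0.3.0/24 that still connects, and the RDS
# MySQL instance's network interface at 10.0.2.50 (TCP 3306, protocol 6).
# The account ID and ENI ID are placeholders. The last line is a NODATA
# record, which carries '-' in its address and port fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.50 49152 3306 6 8 480 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.11 10.0.2.50 49153 3306 6 8 480 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.50 49154 3306 6 8 480 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.3.5 10.0.2.50 51000 3306 6 30 6000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.50 49155 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse default-format records. NODATA/SKIPDATA lines and lines with
    the wrong field count are dropped rather than guessed at."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            interface_id=row["interface_id"],
            srcaddr=row["srcaddr"],
            dstaddr=row["dstaddr"],
            srcport=int(row["srcport"]),
            dstport=int(row["dstport"]),
            protocol=int(row["protocol"]),
            action=row["action"],
        ))
    return records


def sources_by_action(records: List[FlowRecord], db_addr: str,
                      db_port: int = 3306, action: str = "REJECT") -> Dict[str, int]:
    """Count TCP flows per source address toward the database listener that
    ended with the given action."""
    counts = Counter(
        r.srcaddr for r in records
        if r.dstaddr == db_addr and r.dstport == db_port
        and r.protocol == 6 and r.action == action
    )
    return dict(counts)


def blocked_clients(records: List[FlowRecord], db_addr: str, db_port: int = 3306) -> List[str]:
    """Sources that were rejected and never accepted on the database port:
    the hosts the network change cut off."""
    rejected = sources_by_action(records, db_addr, db_port, "REJECT")
    accepted = sources_by_action(records, db_addr, db_port, "ACCEPT")
    return sorted(src for src in rejected if src not in accepted)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("rejected per source:", sources_by_action(recs, "10.0.2.50"))
    print("cut off:", blocked_clients(recs, "10.0.2.50"))
```

Reading the result: a REJECT on the database interface means the packet arrived and was dropped by that interface's security group or the subnet's network ACL, so those two are what to diff against the change. If the application servers' flows do not appear at all, the packets never reached the interface and the route table is the suspect instead. Flow logs are aggregated and delivered with a delay of minutes, so they are a forensic tool, not a live view.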
A company wants to ensure that each department operates within their own isolated environment, and they are only able to use pre-approved services.
How can this requirement be met?
- Set up an AWS Organization to create accounts for each department, and apply service control policies to control access to AWS services.
- Create IAM roles for each department, and set policies that grant access to specific AWS services.
- Use the AWS Service Catalog to create catalogs of AWS services that are approved for use by each department.
- Request that each department create and manage its own AWS account and the resources within it.
A SysOps Administrator is receiving multiple reports from customers that they are unable to connect to the company’s website, which is being served through Amazon CloudFront. Customers are receiving HTTP response codes for both 4XX and 5XX errors.
Which metric can the Administrator use to monitor the elevated error rates in CloudFront?
A company is using AWS Organizations to manage all their accounts. The Chief Technology Officer wants to prevent certain services from being used within production accounts until the services have been internally certified. They are willing to allow developers to experiment with these uncertified services in development accounts but need a way to ensure that these services are not used within production accounts.
Which option ensures that services are not allowed within the production accounts, yet are allowed in separate development accounts, with the LEAST administrative overhead?
- Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts.
- Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
- Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts. Allow the services to run in development accounts.
- Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non-certified services when found in a production account.
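Service control policies are the low-overhead answer because they are evaluated by AWS before any IAM policy in the member account, so a developer cannot work around them with their own IAM permissions. Their evaluation has one rule worth internalizing: an action passes only if every level from the root down through each OU to the account allows it, and any explicit Deny at any level wins. The following added example, not from the page or from AWS, models that evaluation in a few lines and checks an assumed allow-list SCP on the production OU against the default FullAWSAccess on the development OU. The list of "certified" services is invented for the example.

```python
import fnmatch
from typing import Dict, List

# FULL_ACCESS has the shape of the FullAWSAccess SCP AWS attaches by default.
FULL_ACCESS: Dict = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Assumed allow-list for the production OU; the certified service list is
# made up. An allow-list SCP replaces FullAWSAccess on that OU. SCP Allow
# statements may only use "Resource": "*" and carry no Condition.
PROD_CERTIFIED_ONLY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:*", "rds:*", "s3:*", "cloudwatch:*", "logs:*", "iam:*", "sts:*"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_covers(stmt: Dict, action: str) -> bool:
    """IAM action patterns use '*' as a wildcard that also spans ':'."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))


def level_allows(policies: List[Dict], action: str) -> bool:
    """SCP evaluation at one node of the organization (root, an OU, or the
    account itself): an explicit Deny wins; otherwise some Allow must match."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_covers(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allows(hierarchy: List[List[Dict]], action: str) -> bool:
    """The action passes the SCP filter only if every level from the root
    down to the account allows it. SCPs never grant anything by themselves;
    the principal still needs an IAM policy that allows the action."""
    return all(level_allows(level, action) for level in hierarchy)


# Assumed hierarchy: [root SCPs], [OU SCPs], [account SCPs].
PROD_ACCOUNT = [[FULL_ACCESS], [PROD_CERTIFIED_ONLY], [FULL_ACCESS]]
DEV_ACCOUNT = [[FULL_ACCESS], [FULL_ACCESS], [FULL_ACCESS]]

if __name__ == "__main__":
    for action in ("rds:CreateDBInstance", "sagemaker:CreateNotebookInstance"):
        print(action,
              "prod:", effective_allows(PROD_ACCOUNT, action),
              "dev:", effective_allows(DEV_ACCOUNT, action))
```

Two things the model makes visible that the option text does not: detaching FullAWSAccess from the production OU without also listing `iam:*` and `sts:*` (or whatever the accounts need to function) locks out role assumption in every account under it, so test a new allow-list on a single sandbox account first; and SCPs do not apply to the management account, so certification gates belong on member accounts only.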
A SysOps Administrator has configured health checks on a target group for an Application Load Balancer. An Amazon EC2 instance belonging to the target group fails the health check.
What will happen next? (Choose two.)
- The load balancer will continue to perform the health check on the EC2 instance.
- The EC2 instance will be terminated based on the health check failure.
- The EC2 instance will be rebooted.
- The load balancer will stop sending traffic to the EC2 instance.
- A new EC2 instance will be deployed to replace the unhealthy instance.
An application performs read-heavy operations on an Amazon Aurora DB instance. A SysOps Administrator monitors the CPUUtilization CloudWatch metric and has recently seen it increase to 90%. The Administrator would like to understand what is driving the CPU surge.
Which of the following should the Administrator additionally monitor to understand the CPU surge?
- FreeableMemory and DatabaseConnections to understand the amount of available RAM and the number of connections to the DB instance.
- FreeableMemory and EngineUptime to understand the amount of available RAM and the amount of time the instance has been up and running.
- DatabaseConnections and AuroraReplicaLag for the number of connections to the DB instance and the amount of lag when replicating updates from the primary instance.
- DatabaseConnections and InsertLatency for the number of connections to the DB instance and latency for insert queries.
A SysOps Administrator must use a bastion host to administer a fleet of Amazon EC2 instances. All access to the bastion host is managed by the Security team.
What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host?
- Assign the same IAM role to the Administrator that is assigned to the bastion host.
- Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched.
- Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator.
- Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
- Log in to the RDS console and select the encryption box to encrypt the database.
- Create a new encrypted Amazon EBS volume and attach it to the instance.
- Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
- Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
- Add the instance to the security group for the SMTP server and ensure that is permitted to communicate over TCP port 25.
- Disable the iptables service on the SMTP server so that the instance can properly communicate over the network.
- Install an email client on the instance to ensure that it communicates correctly on TCP port 25 to the SMTP server.
- Add a rule to the security group for the instance to explicitly permit TCP port 25 outbound to any address.
A company’s use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details of daily spending to share with management.
Which method should the Administrator choose to produce this data?
- Share the monthly AWS bill with management.
- Use AWS CloudTrail Logs to access daily costs in JSON format.
- Set up a daily Cost and Usage Report and download the output from Amazon S3.
- Monitor AWS costs with Amazon CloudWatch and create billing alerts and notifications.
A company’s Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team’s AWS account for monitoring.
How can this be accomplished?
- Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and send the information to an Amazon SQS queue managed by the Security team.
- Create an event bus in the Security team’s account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team’s event bus as the target.
- Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.
- Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team.
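The cross-account event bus option works because CloudTrail delivers management API calls to EventBridge (formerly CloudWatch Events) as "AWS API Call via CloudTrail" events, and a rule in each production account can target the Security team's bus directly. What the option leaves implicit is the rule's event pattern. The following added example, not from the page or from AWS, writes down an assumed pattern for key deletion and rotation events and implements the exact-match subset of EventBridge pattern semantics to show which constructed CloudTrail events it would forward and which it would drop. The account IDs are placeholders and the eventName list is my selection, not an AWS-published one.

```python
from typing import Any, Dict, List

# Assumed rule pattern for each production account. Leaf values in an
# EventBridge pattern are always lists of acceptable values.
KMS_KEY_LIFECYCLE_PATTERN: Dict[str, Any] = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": [
            "ScheduleKeyDeletion",
            "CancelKeyDeletion",
            "EnableKeyRotation",
            "DisableKeyRotation",
            "RotateKey",
        ],
    },
}


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Exact-match subset of EventBridge pattern semantics: every key in the
    pattern must exist in the event; a nested dict recurses; a list at a leaf
    means the event value must equal one of its members. Keys the pattern
    does not mention are ignored. Prefix, numeric and anything-but matchers
    are not implemented here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a list")
    return True


def _cloudtrail_event(account: str, event_name: str, source: str = "aws.kms",
                      event_source: str = "kms.amazonaws.com") -> Dict[str, Any]:
    """Constructed event in the shape EventBridge uses for CloudTrail calls;
    only the fields the pattern inspects, plus the account, are filled in."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "account": account,
        "detail": {"eventSource": event_source, "eventName": event_name},
    }


# Constructed events from two assumed production accounts.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _cloudtrail_event("111111111111", "ScheduleKeyDeletion"),
    _cloudtrail_event("111111111111", "DisableKeyRotation"),
    _cloudtrail_event("222222222222", "CreateKey"),   # lifecycle, but neither delete nor rotate
    _cloudtrail_event("222222222222", "Decrypt"),     # high volume, deliberately not forwarded
    _cloudtrail_event("222222222222", "DeleteBucket",
                      source="aws.s3", event_source="s3.amazonaws.com"),
]


def forwarded_events(events: List[Dict[str, Any]],
                     pattern: Dict[str, Any] = KMS_KEY_LIFECYCLE_PATTERN):
    """(account, eventName) for each event the rule would send to the
    Security team's event bus."""
    return [(e["account"], e["detail"]["eventName"])
            for e in events if pattern_matches(pattern, e)]


if __name__ == "__main__":
    for account, name in forwarded_events(SAMPLE_EVENTS):
        print(f"forward {name} from {account}")
```

Three prerequisites for this to deliver anything: each production account needs a CloudTrail trail with logging enabled, since "AWS API Call via CloudTrail" events are only emitted when a trail exists; the Security team's event bus needs a resource policy granting `events:PutEvents` to the production accounts (or to the organization via `aws:PrincipalOrgID`); and the Security account needs its own rule on that bus to route the arriving events to a target, because the sending rule only moves them across the account boundary.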
A workload has been moved from a data center to AWS. Previously, vulnerability scans were performed nightly by an external testing company. There is a mandate to continue the vulnerability scans in the AWS environment with third-party testing occurring at least once each month.
What solution allows the vulnerability scans to continue without violating the AWS Acceptable Use Policy?
- The existing nightly scan can continue with a few changes. The external testing company must be notified of the new IP address of the workload and the security group of the workload must be modified to allow scans from the external company’s IP range.
- If the external company is a vendor in the AWS Marketplace, notify them of the new IP address of the workload.
- Submit a penetration testing request every 90 days and have the external company test externally when the request is approved.
- AWS performs vulnerability testing behind the scenes daily and patches instances as needed. If a vulnerability cannot be automatically addressed, a notification email is distributed.
A SysOps Administrator is writing an AWS Lambda function in AWS Account A to put objects in an Amazon S3 bucket in AWS Account B. The Lambda function is able to successfully write new objects to the S3 bucket, but IAM users in Account B are unable to delete objects written to the bucket by Account A.
Which step will fix this issue?
- Add s3:DeleteObject permission to the IAM execution role of the AWS Lambda function in Account A.
- Change the bucket policy of the S3 bucket in Account B to allow s3:DeleteObject permission for Account A.
- Disable server-side encryption for objects written to the S3 bucket by the Lambda function.
- Modify the Lambda function to call the S3:PutObjectAcl API operation to specify bucket owner, full control.
An organization would like to set up an option for its Developers to receive an email whenever production Amazon EC2 instances are running over 80% CPU utilization.
How can this be accomplished using an Amazon CloudWatch alarm?
- Configure the alarm to send emails to subscribers using Amazon SES.
- Configure the alarm to send emails to subscribers using Amazon SNS.
- Configure the alarm to send emails to subscribers using Amazon Inspector.
- Configure the alarm to send emails to subscribers using Amazon Cognito.