SOA-C01 : AWS-SysOps : Part 34

SOA-C01 : AWS-SysOps : Part 34

1. Which of the following steps are required to configure SAML 2.0 for federated access to AWS? (Choose two.)

   • Create IAM users for each identity provider (IdP) user to allow access to the AWS environment.
   • Define assertions that map the company’s identity provider (IdP) users to IAM roles.
   • Create IAM roles with a trust policy that lists the SAML provider as the principal.
   • Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions.
   • Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the AWS environment.

2. A SysOps Administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet.

   

   What should be added to the private subnet’s route table in order to address this issue, given the information provided.

   • 0.0.0.0/0 IGW
   • 0.0.0.0/0 NAT
   • 10.0.1.0/24 IGW
   • 10.0.1.0/24 NAT

3. A SysOps Administrator is responsible for a large fleet of EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance.

   Which option would provide this information with the LEAST administrative overhead?

   • Monitor AWS CloudTrail for StopInstances API calls related to upcoming maintenance.
   • Review the Personal Health Dashboard for any scheduled maintenance.
   • From the AWS Management Console, list any instances with failed system status checks.
   • Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring.

4. An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted.

   How can this be resolved?

   • Enable encryption on each host’s connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
   • Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
   • Enable encryption on each host’s local drive. Restart each host to encrypt the drive.
   • Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.

5. An organization finds that a high number of gp2 Amazon EBS volumes are running out of space.

   Which solution will provide the LEAST disruption with MINIMAL effort?

   • Create a snapshot and restore it to a larger gp2 volume.
   • Create a RAID 0 with another new gp2 volume to increase capacity.
   • Leverage the Elastic Volumes feature of EBS to increase gp2 volume size.
   • Write a script to migrate data to a larger gp2 volume.

6. An e-commerce company wants to lower costs on its nightly jobs that aggregate the current day’s sales and store the results in Amazon S3. The jobs are currently run using multiple on-demand instances and the jobs take just under 2 hours to complete. If a job fails for any reason, it needs to be restarted from the beginning.

   What method is the MOST cost effective based on these requirements?

   • Use a mixture of On-Demand and Spot Instances for job execution.
   • Submit a request for a Spot block to be used for job execution.
   • Purchase Reserved Instances to be used for job execution.
   • Submit a request for a one-time Spot Instance for job execution.

7. An existing data management application is running on a single Amazon EC2 instance and needs to be moved to a new AWS Region in another AWS account.

   How can a SysOps Administrator achieve this while maintaining the security of the application?

   • Create an encrypted Amazon Machine Image (AMI) of the instance and make it public to allow the other account to search and launch an instance from it.
   • Create an AMI of the instance, add permissions for the AMI to the other AWS account, and start a new instance in the new region by using that AMI.
   • Create an AMI of the instance, copy the AMI to the new region, add permissions for the AMI to the other AWS account, and start new instance.
   • Create an encrypted snapshot of the instance and make it public. Provide only permissions to decrypt to the other AWS account.

8. A SysOps Administrator manages an application that stores object metadata in Amazon S3. There is a requirement to have S2 server-side encryption enabled on all new objects in the bucket.

   How can the Administrator ensure that all new objects to the bucket satisfy this requirement?

   • Create an S3 lifecycle rule to automatically encrypt all new objects.
   • Enable default bucket encryption to ensure that all new objects are encrypted.
   • Use put-object-acl to allow objects to be encrypted with S2 server-side encryption.
   • Apply the authorization header to S3 requests for S3 server-side encryption.

9. A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months.

   What is the process to rotate the key?

   • Enable automatic key rotation for the CMK, and specify a period of 6 months.
   • Create a new CMK with new imported material, and update the key alias to point to the new CMK.
   • Delete the current key material, and import new material into the existing CMK.
   • Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.

   Explanation:
   Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your AWS Key Management Service (AWS KMS) customer master keys (CMKs), you can create new CMKs, and then change your applications or aliases to use the new CMKs. Or, you can enable automatic key rotation for an existing CMK.

   When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK’s older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK.

10. The Security team has decided that there will be no public internet access to HTTP (TCP port 80) because it is moving to HTTPS for all incoming web traffic. The team has asked a SysOps Administrator to provide a report on any security groups that are not compliant.

    What should the SysOps Administrator do to provide near real-time compliance reporting?

    • Enable AWS Trusted Advisor and show the Security team that the Security Groups unrestricted access check will alarm.
    • Schedule an AWS Lambda function to run hourly to scan and evaluate all security groups, and send a report to the Security team.
    • Use AWS Config to enable the restricted-common-ports rule, and add port 80 to the parameters.
    • Use Amazon Inspector to evaluate the security groups during scans, and send the completed reports to the Security team.

11. A SysOps Administrator has configured a CloudWatch agent to send custom metrics to Amazon CloudWatch and is now assembling a CloudWatch dashboard to display these metrics.

    What steps should the Administrator take to complete this task?

    • Select the AWS Namespace, filter by metric name, then add to the dashboard.
    • Add a text widget, select the appropriate metric from the custom namespace, then add to the dashboard.
    • Select the appropriate widget and metrics from the custom namespace, then add to the dashboard.
    • Open the CloudWatch console, from the CloudWatch Events, add all custom metrics.

12. An application is running on multiple EC2 instances. As part of an initiative to improve overall infrastructure security, the EC2 instances were moved to a private subnet. However, since moving, the EC2 instances have not been able to automatically update, and a SysOps Administrator has not been able to SSH into them remotely.

    Which two actions could the Administrator take to securely resolve these issues? (Choose two.)

    • Set up a bastion host in a public subnet, and configure security groups and route tables accordingly.
    • Set up a bastion host in the private subnet, and configure security groups accordingly.
    • Configure a load balancer in a public subnet, and configure the route tables accordingly.
    • Set up a NAT gateway in a public subnet, and change the private subnet route tables accordingly.
    • Set up a NAT gateway in a private subnet, and ensure that the route tables are configured accordingly.

13. A SysOps Administrator has been tasked with deploying a company’s infrastructure as code. The Administrator wants to write a single template that can be reused for multiple environments in a safe, repeatable manner.

    What is the recommended way to use AWS CloudFormation to meet this requirement?

    • Use parameters to provision the resources.
    • Use nested stacks to provision the resources.
    • Use Amazon EC2 user data to provision the resources.
    • Use stack policies to provision the resources.

14. An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application.

    What is the MOST scalable storage solution to fulfill the requirement?

    • Connect a large Amazon EBS volume to multiple instances and schedule snapshots.
    • Deploy Amazon EFS is in the VPC and create mount targets in multiple subnets.
    • Launch an EC2 instance and share data using SMB/CIFS or NFS.
    • Deploy an AWS Storage Gateway cached volume on Amazon EC2.

15. A company has Sales department and Marketing department. The company uses one AWS account. There is a need to determine what charges are incurred on the AWS platform by each department. There is also a need to receive notifications when a specified cost level is approached or exceeded.

    Which two actions must a SysOps Administrator take to achieve both requirements with the LEAST amount of administrative overhead? (Choose two.)

    • Use AWS Trusted Advisor to obtain a report containing the checked items in the Cost Optimization pillar.
    • Download the detailed billing report, upload it to a database, and match the line items with a list of known resources by department.
    • Create a script by using the AWS CLI to automatically apply tags to existing resources to each department. Schedule the script to run weekly.
    • Use AWS Organizations to create a department Organizational Unit and allow only authorized personnel in each department to create resources.
    • Create a Budget from the Billing and Cost Management console. Specify the budget type a Cost, assign tags for each department, define notifications, and specify any other options as required.

16. A company has two AWS accounts: development and production. All applications send logs to a specific Amazon S3 bucket for each account, and the Developers are requesting access to the production account S3 buckets to view the logs.

    Which is the MOST efficient way to provide the Developers with access?

    • Create an AWS Lambda function with an IAM role attached to it that has access to both accounts’ S3 buckets. Pull the logs from the production S3 bucket to the development S3 bucket.
    • Create IAM users for each Developer on the production account, and add the Developers to an IAM group that provides read-only access to the S3 log bucket.
    • Create an Amazon EC2 bastion host with an IAM role attached to it that has access to the production S3 log bucket, and then provision access for the Developers on the host.
    • Create a resource-based policy for the S3 bucket on the production account that grants access to the development account, and then delegate access in the development account.

17. A company’s application stores documents within an Amazon S3 bucket. The application is running on Amazon EC2 in a VPC. A recent change in security requirements states that traffic between the company’s application and the S3 bucket must never leave the Amazon network.

    What AWS feature can provide this functionality?

    • Security groups
    • NAT gateways
    • Virtual private gateway
    • Gateway VPC endpoints
    Explanation
    When using VPC with S3, use VPC S3 endpoints as
    are horizontally scaled, redundant, and highly available VPC components
    help establish a private connection between VPC and S3 and the traffic never leaves the Amazon network

18. A SysOps Administrator is running an automatically scaled application behind an Application Load Balancer. Scaling out is triggered when the CPUUtilization instance metric is more than 75% across the Auto Scaling group. The Administrator noticed aggressive scaling out. Developers suspect an application memory leak that is causing aggressive garbage collection cycles.

    How can the Administrator troubleshoot the application without triggering the scaling process?

    • Suspend the scaling process before troubleshooting.
    • Delete the Auto Scaling group and recreate it when troubleshooting is complete.
    • Remove impacted instances from the Application Load Balancer.
    • Create a scale down trigger when the CPUUtilization instance metric is at 70%.

19. A company backs up data from its data center using a tape gateway on AWS Storage Gateway. The SysOps Administrator needs to reboot the virtual machine running Storage Gateway.

    What process will protect data integrity?

    • Stop Storage Gateway and reboot the virtual machine, then restart Storage Gateway.
    • Reboot the virtual machine, then restart Storage Gateway.
    • Reboot the virtual machine.
    • Shut down the virtual machine and stop Storage Gateway, then turn on the virtual machine.

20. An organization has decided to consolidate storage and move all of its backups and archives to Amazon S3. With all of the data gathered into a hierarchy under a single directory, the organization determines there is 70 TB of data that needs to be uploaded. The organization currently has a 150-Mbps connection with 10 people working at the location.

    Which service would be the MOST efficient way to transfer this data to Amazon S3?

    • AWS Snowball
    • AWS Direct Connect
    • AWS Storage Gateway
    • Amazon S3 Transfer Acceleration