SOA-C01 : AWS-SysOps : Part 36

SOA-C01 : AWS-SysOps : Part 36

1. A company has created an online retail application that is hosted on a fleet of Amazon EC2 instances behind an ELB Application Load Balancer. User authentication is handled at the individual EC2 instance level. Once a user is authenticated; all requests from that user must go to the same EC2 instance.

   What should the SysOps Administrator enable to meet these requirements?

   • ELB TCP listeners
   • ELB sticky sessions
   • ELB connection draining
   • ELB cross-zone load balancing

2. A SysOpsAdministrator is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Administrator wants to be notified automatically of AWS Personal Health Dashboard events.

   In the main payer account, the Administrator configures Amazon CloudWatch Events triggered by AWS Health events triggered by AWS Health triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger.

   Why did the alerts fail?

   • Amazon SNS cannot be triggered from the AWS Personal Health Dashboard
   • The AWS Personal Health Dashboard only reports events from one account, not linked accounts.
   • The AWS Personal Health Dashboard must be configured from the payer account only; all events will then roll up into the payer account.
   • AWS Organizations must be used to monitor linked accounts.

3. A company is planning to expand into an additional AWS Region for disaster recovery purposes. The company uses AWS CloudFormation, and its infrastructure is well-defined as code. The company would like to reuse as much of its existing code as possible when deploying resources to additional Regions.

   A SysOps Administrator is reviewing how Amazon Machine Images (AMIs) are selected in AWS CloudFormation, but is having trouble making the same stack work in the new Region.

   Which action would make it easier to manage multiple Regions?

   • Name each AMI in the new Region exactly the same as the equivalent AMI in the first Region.
   • Duplicate the stack so unique AMI names can be coded into the appropriate stack.
   • Create an alias for each AMI so that an AMI can be referenced by a common name across Regions.
   • Create a Mappings section in the stack, and define the Region to AMI associations.

4. An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department, it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership.

   What is the BEST method to allow access using current LDAP credentials?

   • Create an AWS Directly Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
   • Create a Lambda function to read LDAP groups and automate the creation of IAM users.
   • Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
   • Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.

5. An organization stores sensitive customer in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information.

   Which steps should a SysOps Administrator take to meet the CISO’s requirement? (Choose two.)

   • Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization.
   • Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs.
   • Use Amazon Athena to query S3 Analytics report for HTTP 403 errors, and determine the IAM user or role making the requests.
   • Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.
   • Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests.

6. A SysOps Administrator responsible for an e-commerce web application observes the application does not launch new Amazon EC2 instances at peak times, even though the maximum capacity of the Auto Scaling group has not been reached.

   What should the Administrator do to identify the underlying problem? (Choose two.)

   • Monitor service limits in AWS Trusted Advisor.
   • Analyze VPC Flow Logs.
   • Monitor limits in AWS Systems Manager.
   • Use Amazon Inspector to gather performance information.
   • Check the response for RunInstances requests in AWS CloudTrail logs.

7. A SysOps Administrator must generate a report that provides a breakdown of all API activity by a specific user over the course of a year. AWS CloudTrail has already been enabled.

   How should this report be generated?

   • Use the AWS Management Console to search for the user name in the CloudTrail history. Filter by API and download the report in CSV format.
   • Use the CloudTrail digest files stored in the company’s Amazon S3 bucket. Send the logs to Amazon QuickSight to create the report.
   • Locate the monthly reports that CloudTrail sends that are emailed to the account’s root user. Forward the reports to the auditor using a secure channel.
   • Access the CloudTrail logs stored in the Amazon S3 bucket tied to CloudTrail. Use Amazon Athena to extract the information needed to generate the report.

8. A company received its latest bill with a large increase in the number of requests against Amazon SQS as compared to the month prior. The company is not aware of any changes in its SQS usage. The company is concerned about the cost increase and who or what was making these calls.

   What should the SysOps Administrator use to validate the calls made to SQS?

   • AWS CloudTrail
   • Amazon CloudWatch
   • AWS Cost Explorer
   • Amazon S3 server access logs

9. An Amazon S3 bucket in a SysOps Administrator’s account can be accesses by users in other SWS accounts.

   How can the Administrator ensure that the bucket is only accessible to members of the Administrator’s AWS account?

   • Move the S3 bucket from a public subnet to a private subnet in the Amazon VPC.
   • Change the bucket access control list (ACL) to restrict access to the bucket owner.
   • Enable server-side encryption for all objects in the bucket.
   • Use only Amazon S3 presigned URLs for accessing objects in the bucket.

10. A company hosts its website on Amazon ECF2 instances behind an ELB Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain’s zone apex to the website.

    Which type of record should be used to meet these requirements?

    • An AAA record for the domain’s zone apex
    • An A record for the domain’s zone apex
    • A CNAME record for the domain’s zone apex
    • An alias record for the domain’s zone apex

11. A company has centralized all its logs into one Amazon CloudWatch Logs log group. The SysOps Administrator is to alert different teams of any issues relevant to them.

    What is the MOST efficient approach to accomplish this?

    • Write an AWS Lambda function that will query the logs every minute and contain the logic of which team to notify on which patterns and issues.
    • Set up different metric filters for each team based on patterns and alerts. Each alarm will notify the appropriate notification list.
    • Redesign the aggregation of logs so that each team’s relevant parts are sent to a separate log group, then subscribe each team to its respective log group.
    • Create an AWS Auto Scaling group of Amazon EC2 instances that will scale based on the amount of ingested log entries. This group will pull log streams, look for patterns, and send notifications to relevant teams.

12. A company website hosts patches for software that is sold globally. The website runs in AWS and performs well until a large software patch is released. The flood of downloads puts a strain on the web servers and leads to a poor customer experience.

    What can the Sysops Administrator propose to enhance customer experience, create a more available web platform, and keep costs low?

    • Use an Amazon CloudFront distribution to cache static content, including software patches.
    • Increase the size of the NAT instance to improve throughput.
    • Scale out the web servers in advance of patch releases to reduce Auto Scaling delays.
    • Move the content to IO1 and provision additional IOPS to the volume that contains the software patches.

13. A SysOps Administrator created an Application Load balancer (ALB) and placed two Amazon EC2 instances in the same subnet behind the ALB. During monitoring, the Administrator observes HealthyHostCount drop to 1 in Amazon CloudWatch.

    What is MOST likely causing this issue?

    • The EC2 instances are in the same Availability Zone, causing contention between the two.
    • The route tables are not updated to allow traffic to flow between the ALB and the EC2 instances.
    • The ALB health check has failed, and the ALB has taken EC2 instances out of service.
    • The Amazon Route 53 health check has failed, and the ALB has taken EC2 instances out of service.

14. A SysOps Administrator is managing an AWS account where Developers are authorized to launch Amazon EC2 instances to test new code. To limit costs, the Administrator must ensure that the EC2 instances in the account are terminated 24 hours after launch.

    How should the Administrator meet these requirements?

    • Create an Amazon CloudWatch alarm based on the CPUUtilization metric. When the metric is 0% for 24 hours, trigger an action to terminate the EC2 instance when the alarm is triggered.
    • Create an AWS Lambda function to check all EC2 instances and terminate instances running more than 24 hours. Trigger the function with an Amazon CloudWatch Events event every 15 minutes.
    • Add an action to AWS Trusted Advisor to turn off EC2 instances based on the Low Utilization Amazon EC2 Instances check, terminating instances identified by Trusted Advisor as running for more than 24 hours.
    • Install the unified Amazon CloudWatch agent on every EC2 instance. Configure the agent to terminate instances after they have been running for 24 hours.

15. An AWS CodePipeline in us-east-1 returns “InternalError” with the code “JobFailed” when launching a deployment using an artifact from an Amazon S3 bucket in us-west-1.

    What is causing this error?

    • S3 Transfer Acceleration is not enabled.
    • The S3 bucket is not in the appropriate region.The S3 bucket is not in the appropriate region.
    • The S3 bucket is being throttled.
    • There are insufficient permissions on the artifact in Amazon S3.

16. An application running on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones was deployed using an AWS CloudFormation template. The SysOps team has patched the Amazon Machine Image (AMI) version and must update all the EC2 instances to use the new AMI.

    How can the SysOps Administrator use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity?

    • Run the aws cloudfomation update-stack command with the – rollback-configuration option
    • Update the CloudFormation template with the new AMI ID, then reboot the EC2 instances
    • Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack
    • Set an AutoScalingUpdate policy in the CloudFormation template to update the stack.

17. A SysOps Administrator is responsible for a legacy, CPU-heavy application. The application can only be scaled vertically. Currently, the application is deployed on a single t2.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency after a few minutes.

    What change should be made to alleviate the performance problem?

    • Change the Amazon EBS volume to Provisioned IOPs.
    • Upgrade to a compute-optimized instance.
    • Add additional t2.large instances to the application.
    • Purchase Reserved Instances.

18. A company recently implemented an Amazon S3 lifecycle rule that accidentally deleted objects from one of its S3 buckets. The bucket has S3 versioning enabled.

    Which actions will restore the objects? (Choose two.)

    • Use the AWS Management Console to delete the object delete markers.
    • Create a new lifecycle rule to delete the object delete markers that were created.
    • Use the AWS CLI to delete the object delete markers while specifying the version IDs of the delete markers.
    • Modify the existing lifecycle rule to delete the object delete markers that were created.
    • Use the AWS CLI to delete the object delete markers while specifying the name of the objects only.

19. A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps Administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources.

    Which solution will meet these requirements?

    • Set up an AWS Config rule to alert based on changes to any CloudFormation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
    • Set up an Amazon CloudWatch Events event with a rule to trigger based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
    • Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*.
    • Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource names (ARNs) of the protected resources.

20. A SysOps Administrator is analyzing how Reserved Instance discounts are allocated to Amazon EC2 instances across accounts in the company’s consolidated bill.

    Which AWS tool will provide the details necessary to understand the billing charges?

    • AWS Budgets
    • AWS Cost and Usage report
    • AWS Trusted Advisor
    • AWS Organizations

    Explanation:
    Consolidated billing has the following benefits:
    -One bill – You get one bill for multiple accounts.
    -Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.
    -Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts. For more information, see Volume Discounts.
    -No extra fee – Consolidated billing is offered at no additional cost.