Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 37
What should a SysOps Administrator do to ensure a company has visibility into maintenance events performed by AWS?
- Run a script that queries AWS Systems Manager for upcoming maintenance events, and then push these events to an Amazon SNS topic to which the Operations team is subscribed.
- Query the AWS Health API for upcoming maintenance events and integrate the results with the company’s existing operations dashboard.
- Integrate the AWS Service Health Dashboard’s RSS feed into the company’s existing operations dashboard.
- Use Amazon Inspector to send notifications of upcoming maintenance events to the Operations team distribution list.
A SysOps Administrator manages a website running on Amazon EC2 instances behind an ELB Application Load Balancer. Users visiting the load balancer’s DNS address in a browser are reporting errors. The administrator has confirmed:
- The security groups and network ACLs are correctly configured.
- The load balancer target group shows no healthy instances.
What should the Administrator do to resolve this issue?
- Review the application’s logs for requests originating from the VPC DNS address.
- Review the load balancer access logs, looking for any issues or errors.
- Review the load balancer target group health check configuration.
- Review the load balancer listener configuration.
A company is running multiple AWS Lambda functions in a non-VPC environment. Most of the functions are application-specific; an operational function is invoked synchronously every hour.
Recently, the Applications team deployed new functions that are triggered based on an Amazon S3 event to process multiple files that are uploaded to an S3 bucket simultaneously. The SysOps Administrator notices that the operational function occasionally fails to execute due to throttling.
What step should the Administrator take to make sure that the operational function executes?
- Redeploy the operational function to a VPC.
- Increase the operational function timeout.
- Set the operational function concurrency to 1.
- Increase the operational function memory.
A SysOps Administrator must ensure all Amazon EBS volumes currently in use, and those created in the future, are encrypted with a specific AWS KMS customer master key (CMK).
What is the MOST efficient way for the Administrator to meet this requirement?
- Create an AWS Lambda function to run on a daily schedule, and have the function run the `aws ec2 describe-volumes --filters encrypted` command.
- Within AWS Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
- Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
- Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe-key command.
A company has an application running on a fleet of Microsoft Windows instances. Patches to the operating system need to be applied each month. AWS Systems Manager Patch Manager is used to apply the patches on a schedule.
When the fleet is being patched, customers complain about delayed service responses.
What can be done to ensure patches are deployed with MINIMAL customer impact?
- Change the number of instances patched at any one time to 100%.
- Create a snapshot of each server in the fleet using a Systems Manager Automation document before starting the patch process.
- Configure the maintenance window to patch 10% of the instances in the patch group at a time.
- Create a patched Amazon Machine Image (AMI). Configure the maintenance window option to deploy the patched AMI on only 10% of the fleet at a time.
A local agency plans to deploy 500 Raspberry Pi devices throughout a city. All the devices need to be managed centrally, and their configurations need to be consistent.
What is the BEST service for managing these devices?
- AWS Service Catalog
- AWS Systems Manager
- Amazon Inspector
- AWS Service Catalog
A SysOps Administrator needs an Amazon EBS volume type for a big data application. The application data is accessed infrequently and stored sequentially.
What EBS volume type will be the MOST cost-effective solution?
- Provisioned IOPS SSD (io1)
- Cold HDD (sc1)
- Throughput Optimized HDD (st1)
- General Purpose SSD (gp2)
SC1 is backed by hard disk drives (HDDs) and provides the lowest cost per GB of all EBS volume types. It is ideal for less frequently accessed workloads with large, cold datasets. Similar to st1, sc1 provides a burst model: these volumes can burst up to 80 MB/s per TB, with a baseline throughput of 12 MB/s per TB and a maximum throughput of 250 MB/s per volume. For infrequently accessed data, sc1 provides extremely inexpensive storage. SC1 is designed to deliver the expected throughput performance 99% of the time and has enough I/O credits to support a full-volume scan at the burst rate.
A SysOps Administrator has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different Administrator.
Which action will the Administrator of the second account be able to perform?
- Add a product from the imported portfolio to a local portfolio.
- Add new products to the imported portfolio.
- Change the launch role for the products contained in the imported portfolio.
- Customize the products in the imported portfolio.
A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket.
Which practices will ensure that the log files are available and unaltered? (Choose two.)
- Enable the CloudTrail log file integrity check in AWS Config Rules.
- Use CloudWatch Events to scan log files hourly.
- Enable CloudTrail log file integrity validation.
- Turn on Amazon S3 MFA Delete for the CloudTrail bucket.
- Implement a DENY ALL bucket policy on the CloudTrail bucket.
The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time. CloudTrail log file integrity validation uses industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally unfeasible to modify, delete or forge CloudTrail log files without detection.
Configuring multi-factor authentication (MFA) ensures that any attempt to change the versioning state of your bucket or permanently delete an object version requires additional authentication. This helps prevent any operation that could compromise the integrity of your log files, even if a user acquires the password of an IAM user that has permissions to permanently delete Amazon S3 objects.
A company runs a web application that users access using the domain name www.example.com. The company manages the domain name using Amazon Route 53. The company created an Amazon CloudFront distribution in front of the application and would like www.example.com to access the application through CloudFront.
What is the MOST cost-effective way to achieve this?
- Create a CNAME record in Amazon Route 53 that points to the CloudFront distribution URL.
- Create an ALIAS record in Amazon Route 53 that points to the CloudFront distribution URL.
- Create an A record in Amazon Route 53 that points to the public IP address of the web application.
- Create a PTR record in Amazon Route 53 that points to the public IP address of the web application.
A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.
What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?
- Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
- Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
- Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
- Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
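The service control policy the second option describes, written out as an added example (this is not policy text from the page; the `Sid` value is a name chosen here, and the policy is assumed to be attached to the organizational unit that holds the production accounts):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyBucketDeletionInProduction",
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
```

Because an SCP is a guardrail on what permissions can be granted, this single statement applies to every principal in every member account under the OU, including each account's root user, which is what makes it simpler than per-bucket MFA Delete or an IAM group that users can be left out of. Two caveats worth remembering: SCPs never restrict the organization's management account, and the `Resource` element can be narrowed to specific bucket ARNs if only some buckets need the protection.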
A company uses multiple accounts for its applications. Account A manages the company’s Amazon Route 53 domains and hosted zones. Account B uses a load balancer fronting the company’s web servers.
How can the company use Route 53 to point to the load balancer in the MOST cost-effective and efficient manner?
- Create an Amazon EC2 proxy in Account A that forwards requests to Account B.
- Create a load balancer in Account A that points to the load balancer in Account B.
- Create a CNAME record in Account A pointing to an alias record for the load balancer in Account B.
- Create an alias record in Account A pointing to the DNS name for the load balancer in Account B.
A SysOps Administrator implemented the following bucket policy to allow only the corporate IP address range of 126.96.36.199/24 to access objects in an Amazon S3 bucket.
Some employees are reporting that they are able to access the S3 bucket from IP addresses outside the corporate IP address range.
How can the Administrator address this issue?
- Modify the Condition operator to include both NotIpAddress and IpAddress to prevent unauthorized access to the S3 bucket.
- Modify the Condition element from the IAM policy to aws:StringEquals instead of aws:SourceIp.
- Modify the IAM policy instead of the bucket policy to restrict users from accessing the bucket based on their source IP addresses.
- Change Effect from Allow to Deny in the second statement of the policy to deny requests not from the source IP range.
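The page does not reproduce the policy the question refers to, so the following is a constructed illustration of the corrected form, not the page's own policy. It assumes a bucket named `example-bucket` (placeholder) and uses the IP range exactly as the question states it. The first statement permits reads from the corporate range; the second statement is the one the question's last option fixes, with `Effect` set to `Deny` so that `NotIpAddress` refuses every request that does not originate from that range. With `Effect` left as `Allow` on that second statement, it would have granted access to everyone outside the range, which matches the symptom employees reported:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAllowReadsFromCorporateRange",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "IpAddress": { "aws:SourceIp": "126.96.36.199/24" }
      }
    },
    {
      "Sid": "ExampleDenyRequestsOutsideCorporateRange",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": "126.96.36.199/24" }
      }
    }
  ]
}
```

An explicit `Deny` in a bucket policy overrides any `Allow` granted through IAM, so after this change administrators in the same account also lose access when they are outside the range; verify from an in-range address before applying it. `aws:SourceIp` is evaluated against the public IP of the caller, so requests that arrive through a VPC gateway endpoint carry no public source IP and are denied by the second statement; those paths need an `aws:SourceVpce` condition instead.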
A SysOps Administrator is notified that a security vulnerability affects a version of MySQL that is being used with Amazon RDS MySQL.
Who is responsible for ensuring that the patch is applied to the MySQL cluster?
- The database vendor
- The Security department of the SysOps Administrator’s company
- The SysOps Administrator
A company’s web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run in an EC2 Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon ElastiCache for Redis cluster and an Amazon RDS DB instance. Company policy requires all system patching to take place at midnight on Tuesday.
Which resources will need to have a maintenance window configured for midnight on Tuesday? (Choose two.)
- Elastic Load Balancer
- EC2 instances
- RDS instance
- ElastiCache cluster
- Auto Scaling group
A SysOps Administrator is deploying a website with dynamic content. Company policy requires that users from certain countries or regions cannot access the web content and should receive an error page.
Which of the following can be used to implement this policy? (Choose two.)
- Amazon CloudFront geo-restriction
- Amazon GuardDuty geo-blocking
- Amazon Route 53 geolocation routing
- AWS Shield geo-restriction
- Network access control list (NACL) restriction
A company stores thousands of non-critical log files in an Amazon S3 bucket. A set of reporting scripts retrieves these log files daily.
Which of the following storage options will be the MOST cost-efficient for the company’s use case?
- Amazon Glacier
- Amazon S3 Standard IA (infrequent access) storage
- Amazon S3 Standard Storage
- AWS Snowball
A SysOps Administrator receives a connection timeout error when attempting to connect to an Amazon EC2 instance from a home network using SSH. The Administrator was able to connect to this EC2 instance from their office network in the past.
What caused the connection to time out?
- The IAM role associated with the EC2 instance does not allow SSH connections from the home network.
- The public key used by SSH located on the Administrator’s server does not have the required permissions.
- The route table contains a route that sends 0.0.0.0/0 to the internet gateway for the VPC.
- The security group is not allowing inbound traffic from the home network on the SSH port.
A company is deploying a web service to Amazon EC2 instances behind an Elastic Load Balancer. All resources will be defined and created in a single AWS CloudFormation stack using a template. The creation of each EC2 instance will not be considered complete until an initialization script has been run successfully on the EC2 instance. The Elastic Load Balancer cannot be created until all EC2 instances have been created.
Which CloudFormation resource will coordinate the Elastic Load Balancer creation in the CloudFormation stack template?
A company is concerned about a security vulnerability impacting its Linux operating system.
What should the SysOps Administrator do to alleviate this concern?
- Patch the vulnerability with Amazon Inspector.
- Provide an AWS Trusted Advisor report showing which Amazon EC2 instances have been patched.
- Redeploy the Amazon EC2 instances using AWS CloudFormation.
- Patch the Linux operating system using AWS Systems Manager.