Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 38
A SysOps Administrator is configuring AWS SSO for the first time. The Administrator has already created a directory in the master account using AWS Directory Service and enabled full access in AWS Organizations.
What should the Administrator do next to configure the service?
- Create IAM roles in each account to be used by AWS SSO, and associate users with these roles using AWS SSO.
- Create IAM users in the master account, and use AWS SSO to associate the users with the accounts they will access.
- Create permission sets in AWS SSO, and associate the permission sets with Directory Service users or groups.
- Create service control policies (SCPs) in Organizations, and associate the SCPs with Directory Service users or groups.
A web application runs on Amazon EC2 instances and accesses external services. The external services require authentication credentials. The application is deployed using AWS CloudFormation to three separate environments: development, test, and production. Each environment requires unique credentials for external services.
What option securely provides the application with the needed credentials while requiring MINIMAL administrative overhead?
- Pass the credentials for the target environment to the CloudFormation template as parameters. Use the user data script to insert the parameterized credentials into the EC2 instances.
- Store the credentials as secure strings in AWS Systems Manager Parameter Store. Pass an environment tag as a parameter to the CloudFormation template. Use the user data script to insert the environment tag in the EC2 instances. Access the credentials from the application.
- Create a separate CloudFormation template for each environment. In the Resources section, include a user data script for each EC2 instance. Use the user data script to insert the proper credentials for the environment into the EC2 instances.
- Create separate Amazon Machine Images (AMIs) with the required credentials for each environment. Pass the environment tag as a parameter to the CloudFormation template. In the Mappings section of the CloudFormation template, map the environment tag to the proper AMI, then use that AMI when launching the EC2 instances.
A SysOps Administrator created an AWS CloudFormation template and launched it for the first time. The stack failed with a status of ROLLBACK_COMPLETE. The Administrator identified and resolved the template issue causing the failure.
How should the Administrator continue with the stack deployment?
- Relaunch the template to create a new stack.
- Execute a change set on the failed stack.
- Perform an update-stack action on the failed stack.
- Run a validate-template command.
A SysOps Administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units within the same company. All data must be encrypted at rest.
How should the Administrator implement this process?
- Write a script to download the encrypted snapshot, decrypt it using the AWS KMS encryption key used to encrypt the snapshot, then create a new volume in each account.
- Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts.
- Create an Amazon EC2 instance based on the snapshot, then save the instance’s Amazon EBS volume as a snapshot and share it with the other accounts. Require each account owner to create a new volume from that snapshot and encrypt it.
- Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RDP, export the database contents into a file, then share this file with the other accounts.
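The key-policy side of the sharing process above, as an added example that is not part of the original page: the statements a customer managed KMS key in the snapshot owner's account needs so that two other business-unit accounts can use it. Account ids (999999999999 for the owning account, 111122223333 and 444455556666 for the recipients), the policy Id and the Sids are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "rds-snapshot-sharing-key-policy",
  "Statement": [
    {
      "Sid": "EnableIamPoliciesInOwningAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::999999999999:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowBusinessUnitAccountsToUseTheKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRdsInThoseAccountsToCreateGrants",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": "true" }
      }
    }
  ]
}
```

Two caveats a practitioner will hit: a snapshot encrypted with the AWS managed key aws/rds cannot be shared at all, so it first has to be copied under a customer managed key in the same Region (aws rds copy-db-snapshot with --kms-key-id), and encrypted snapshots cannot be shared publicly. With the key policy in place, the owner shares with aws rds modify-db-snapshot-attribute --attribute-name restore --values-to-add 111122223333; the recipient then copies the shared snapshot under a key of its own (again copy-db-snapshot with --kms-key-id) and restores from that copy, so the data never leaves AWS unencrypted. The recipient's IAM principals still need their own IAM permissions for kms:Decrypt and kms:CreateGrant on the source key; the key policy only opens the door to the account.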
A SysOps Administrator has been notified that some Amazon EC2 instances in the company’s environment might have a vulnerable software version installed.
What should be done to check all of the instances in the environment with the LEAST operational overhead?
- Create and run an Amazon Inspector assessment template.
- Manually SSH into each instance and check the software version.
- Use AWS CloudTrail to verify Amazon EC2 activity in the account.
- Write a custom script and use AWS CodeDeploy to deploy to Amazon EC2 instances.
Development teams are maintaining several workloads on AWS. Company management is concerned about rising costs and wants the SysOps Administrator to configure alerts so teams are notified when spending approaches preset limits.
Which AWS service will satisfy these requirements?
- AWS Budgets
- AWS Cost Explorer
- AWS Trusted Advisor
- AWS Cost and Usage report
A SysOps Administrator is tasked with deploying and managing a single CloudFormation template across multiple AWS accounts.
What feature of AWS CloudFormation will accomplish this?
- Change sets
- Nested stacks
- Stack policies
A company runs an application that uses Amazon RDS for MySQL. During load testing of equivalent production volumes, the Development team noticed a significant increase in query latency. A SysOps Administrator concludes from investigating Amazon CloudWatch Logs that the CPU utilization on the RDS MySQL instance was at 100%.
Which action will resolve this issue?
- Configure AWS Database Migration Service (AWS DMS) to allow Amazon RDS for MySQL to scale and accept more requests.
- Configure RDS for MySQL to scale horizontally by adding additional nodes to offload write requests.
- Enable the Multi-AZ feature for the RDS instance.
- Modify the RDS MySQL instance so it is a larger instance type.
A SysOps Administrator is using AWS KMS with AWS-generated key material to encrypt an Amazon EBS volume in a company’s AWS environment. The Administrator wants to rotate the KMS keys using automatic key rotation, and needs to ensure that the EBS volume encrypted with the current key remains readable.
What should be done to accomplish this?
- Back up the current KMS key and enable automatic key rotation.
- Create a new key in AWS KMS and assign the key to Amazon EBS.
- Enable automatic key rotation of the EBS volume key in AWS KMS.
- Upload new key material to the EBS volume key in AWS KMS to enable automatic key rotation for the volume.
A SysOps Administrator deployed an AWS Elastic Beanstalk worker node environment that reads messages from an auto-generated Amazon Simple Queue Service (Amazon SQS) queue and deletes them from the queue after processing. Amazon EC2 Auto Scaling scales in and scales out the number of worker nodes based on CPU utilization. After some time, the Administrator notices that the number of messages in the SQS queue are increasing significantly.
Which action will remediate this issue?
- Change the scaling policy to scale based upon the number of messages in the queue.
- Decouple the queue from the Elastic Beanstalk worker node and create it as a separate resource.
- Increase the number of messages in the queue.
- Increase the retention period of the queue.
Note: Amazon SQS automatically deletes messages that have been in a queue for longer than the configured message retention period, so raising the retention period only postpones message loss; it does not reduce the backlog.
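The backlog-based scaling the question points at, as an added example that is not part of the original page. Workers that block on SQS receives and on downstream calls keep their CPU low while the queue grows, so a CPU policy never fires; the code below computes the custom backlog-per-instance metric and the desired capacity a target-tracking policy would derive from it, following the approach in the EC2 Auto Scaling documentation. The worker profile, queue depths and group name are constructed.

```python
"""Added example (not from the exam page): scale SQS workers on queue backlog
rather than CPU. The arithmetic follows the backlog-per-instance approach from
the EC2 Auto Scaling documentation; the profile numbers and the queue depths
used in the tests are constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkerProfile:
    seconds_per_message: float  # measured average time one worker spends per message
    max_latency_seconds: float  # longest a message may wait in the queue (the SLA)

    @property
    def acceptable_backlog_per_instance(self) -> float:
        """Messages one worker can drain within the SLA."""
        return self.max_latency_seconds / self.seconds_per_message


def backlog_per_instance(messages_visible: int, in_service: int) -> float:
    """ApproximateNumberOfMessagesVisible divided by in-service instances.
    With no instances the raw depth is reported so an alarm still fires."""
    return messages_visible / max(in_service, 1)


def backlog_metric_datum(messages_visible: int, in_service: int, asg_name: str) -> dict:
    """One PutMetricData entry for the custom metric a target-tracking policy
    consumes; publish it every minute from a scheduled job."""
    return {
        "MetricName": "BacklogPerInstance",
        "Dimensions": [{"Name": "AutoScalingGroupName", "Value": asg_name}],
        "Value": backlog_per_instance(messages_visible, in_service),
        "Unit": "Count",
    }


def desired_capacity(messages_visible: int, profile: WorkerProfile,
                     min_size: int = 1, max_size: int = 20) -> int:
    """Instances needed so that backlog per instance stays within the SLA,
    clamped to the group's bounds. The target is computed from total depth,
    so a deep queue scales out in one step instead of creeping up."""
    needed = math.ceil(messages_visible / profile.acceptable_backlog_per_instance)
    return max(min_size, min(max_size, needed))


def scaling_action(messages_visible: int, in_service: int, profile: WorkerProfile) -> str:
    """What a target-tracking policy on the backlog metric would do right now."""
    target = desired_capacity(messages_visible, profile)
    if target > in_service:
        return "scale_out"
    if target < in_service:
        return "scale_in"
    return "hold"
```

For an Elastic Beanstalk worker environment the policy is attached to the environment's Auto Scaling group; the queue to measure is the auto-generated one the environment reads from, and the metric must be published from outside the workers (a scheduled Lambda function, for instance), since a worker that is saturated is the last thing that should be trusted to report its own backlog.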
A security team is concerned that intellectual property might leak to the internet. A SysOps administrator must identify controls to address the potential problem. The instances in question operate in a VPC and cannot be allowed to send traffic to the internet.
What should the SysOps administrator do to meet these requirements?
- Add the following route to a route table for the subnets used by the instances:
- Ensure that the instances do not have Elastic IP addresses. Move the instances to a private subnet.
- Enable enhanced networking on the instances. Move the instances to a private subnet.
- Remove any routes that allow internet traffic from the route table associated with the instance’s subnets.
- Add the following route to a route table for the subnets used by the instances:
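A check for the route-table control discussed above, as an added example that is not part of the original page: given the structure ec2.describe_route_tables() returns, it lists every subnet whose effective route table (explicit association, or the VPC's main table when there is none) contains an active route to an internet gateway, NAT gateway or egress-only internet gateway. A NAT route counts, because outbound-only is still a path for data to leave; a route to a peering connection or virtual private gateway does not. Route table, subnet and gateway ids and the CIDRs are constructed.

```python
"""Added example (not from the exam page): find subnets whose route table gives
instances a path to the internet, working from the structure that
ec2.describe_route_tables() returns. All ids and CIDRs below are constructed."""
from __future__ import annotations


def internet_routes(route_table: dict) -> list[tuple[str, str]]:
    """(destination, target) for every active route via an internet gateway,
    NAT gateway or egress-only internet gateway. The destination prefix does
    not matter: a /24 pointed at an IGW still leaks to that /24. 'local',
    peering (pcx-) and virtual private gateway (vgw-) targets are not counted."""
    found = []
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes carry no traffic
        dest = (route.get("DestinationCidrBlock")
                or route.get("DestinationIpv6CidrBlock") or "?")
        gw = route.get("GatewayId", "")
        target = gw if gw.startswith("igw-") else ""
        target = target or route.get("NatGatewayId", "") or route.get("EgressOnlyInternetGatewayId", "")
        if target:
            found.append((dest, target))
    return found


def subnets_with_egress(route_tables: list[dict], subnet_ids: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each subnet id to its offending routes. An explicit association
    wins; otherwise the VPC's main route table applies, which is where a
    subnet nobody thought of usually picks up a default route."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    result = {}
    for subnet in subnet_ids:
        rt = explicit.get(subnet, main)
        result[subnet] = internet_routes(rt) if rt else []
    return result


def sample_route_tables() -> list[dict]:
    """Constructed describe_route_tables() output: a main table with an IGW
    default route, a NAT table, and an isolated table with only a peering
    route plus a blackholed IGW route left behind by a deleted gateway."""
    local = {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"}
    return [
        {"RouteTableId": "rtb-0main", "VpcId": "vpc-0abc",
         "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
         "Routes": [local,
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234", "State": "active"}]},
        {"RouteTableId": "rtb-0nat", "VpcId": "vpc-0abc",
         "Associations": [{"Main": False, "SubnetId": "subnet-app-2", "RouteTableId": "rtb-0nat"}],
         "Routes": [local,
                    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def5678", "State": "active"}]},
        {"RouteTableId": "rtb-0isolated", "VpcId": "vpc-0abc",
         "Associations": [{"Main": False, "SubnetId": "subnet-db-1", "RouteTableId": "rtb-0isolated"}],
         "Routes": [local,
                    {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-0123abcd", "State": "active"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0dead0000", "State": "blackhole"}]},
    ]
```

Removing the route is the subnet-level control; an instance in such a subnet cannot reach the internet even if it still carries a public or Elastic IP address, whereas moving an instance without a public IP into a subnet whose table still has a NAT route leaves it able to send data out. Security groups and network ACLs can add a second layer, but they do not replace the missing route.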
A company is setting up a VPC peering connection between its VPC and a customer’s VPC. The company VPC is an IPv4 CIDR block of 172.16.0.0/16, and the customer’s is an IPv4 CIDR block of 10.0.0.0/16. The SysOps Administrator wants to be able to ping the customer’s database private IP address from one of the company’s Amazon EC2 instances.
What action should be taken to meet the requirements?
- Ensure that both accounts are linked and are part of consolidated billing to create a file sharing network, and then enable VPC peering.
- Ensure that both VPC owners manually add a route to the VPC route tables that points to the IP address range of the other VPC.
- Instruct the customer to set up a VPC with the same IPv4 CIDR block as that of the source VPC: 172.16.0.0/16.
- Instruct the customer to create a virtual private gateway to link the two VPCs.
A company is concerned about its ability to recover from a disaster because all of its Amazon EC2 instances are located in a single Amazon VPC in us-east-1. A second Amazon VPC has been configured in eu-west-1 to act as a backup VPC in case of an outage. Data will be replicated from the primary region to the secondary region. The Information Security team’s compliance requirements specify that all data must be encrypted and must not traverse the public internet.
How should the SysOps Administrator connect the two VPCs while meeting the compliance requirements?
- Configure EC2 instances to act as VPN appliances, then configure route tables.
- Configure inter-region VPC peering between the two VPCs, then configure route tables.
- Configure NAT gateways in both VPCs, then configure route tables.
- Configure an internet gateway in each VPC, and use these as the targets for the VPC route tables.
Two companies will be working on several development projects together. Each company has an AWS account with a single VPC in us-east-1. The two companies would like to access one another’s development servers. The IPv4 CIDR blocks of the two VPCs do not overlap.
What can the SysOps Administrators for each company do to set up network routing?
- Each Administrator should create a custom routing table that points to the other company’s internet gateway public IP address.
- Both Administrators should set up a NAT gateway in a public subnet in their respective VPCs. Then, using the public IP address from the NAT gateway, the Administrators should enable routing between the two VPCs.
- Both Administrators should install a 1 Gbps AWS Direct Connect circuit in their respective environments. Then, using the AWS Management Console, the Administrators should create AWS Direct Connect routing requests to enable connectivity.
- One Administrator should create a VPC peering request and send it to the other Administrator’s account. Once the other Administrator accepts the request, update the routing tables to enable traffic.
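The requester side of a cross-account peering setup, covering both the customer-database question (172.16.0.0/16 to 10.0.0.0/16) and the two-company question above, as an added CloudFormation example that is not part of the original page. The peer VPC id, account id, CIDR and the acceptance role are placeholders passed as parameters.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the exam page): requester side of a cross-account
  VPC peering connection plus the route that sends peer-bound traffic into it.

Parameters:
  RequesterVpcId:
    Type: AWS::EC2::VPC::Id
  RequesterRouteTableId:
    Type: String            # route table of the subnets that must reach the peer
  PeerVpcId:
    Type: String
    Default: vpc-0peer00000000000  # placeholder for the customer's VPC id
  PeerAccountId:
    Type: String
    Default: "111122223333"        # placeholder for the customer's account id
  PeerCidr:
    Type: String
    Default: 10.0.0.0/16
  PeerRoleArn:
    Type: String            # role in the peer account that CloudFormation assumes
                            # to accept the request (ec2:AcceptVpcPeeringConnection)

Resources:
  Peering:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref RequesterVpcId
      PeerVpcId: !Ref PeerVpcId
      PeerOwnerId: !Ref PeerAccountId
      PeerRoleArn: !Ref PeerRoleArn   # required for cross-account peering

  # Requester side: 10.0.0.0/16 -> pcx. The peer must add the mirror route
  # (172.16.0.0/16 -> the same pcx) in its own route tables; peering is not
  # transitive and neither side can write the other's routes.
  RouteToPeer:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RequesterRouteTableId
      DestinationCidrBlock: !Ref PeerCidr
      VpcPeeringConnectionId: !Ref Peering

Outputs:
  PeeringConnectionId:
    Value: !Ref Peering
```

Without PeerRoleArn the request sits in pending-acceptance until the other account runs aws ec2 accept-vpc-peering-connection, which is the manual flow the last option above describes. Routes alone do not make the ping succeed: the customer's database security group must also allow ICMP echo requests (and the database port) from 172.16.0.0/16, and the CIDR blocks must not overlap, so asking the customer to reuse 172.16.0.0/16 would make peering impossible rather than easier.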
A SysOps Administrator is responsible for maintaining an Amazon EC2 instance that acts as a bastion host. The Administrator can successfully connect to the instance using SSH, but attempts to ping the instance result in a timeout.
What is one reason for the issue?
- The instance does not have an Elastic IP address
- The instance has a security group that does not allow Internet Control Message Protocol (ICMP) traffic
- The instance is not set up in a VPC using AWS Direct Connect
- The instance is running in a peered VPC
An enterprise company has discovered that a number of Amazon EC2 instances in a VPC are marked as high risk according to a Common Vulnerabilities and Exposures (CVE) report. The Security team requests that all these instances be upgraded.
Who is responsible for upgrading the EC2 instances?
- The AWS Security team
- The Amazon EC2 team
- The AWS Premium Support team
- The company’s Systems Administrator
A SysOps Administrator is maintaining a web application using an Amazon CloudFront web distribution, an Application Load Balancer (ALB), Amazon RDS, and Amazon EC2 in a VPC. All services have logging enabled. The Administrator needs to investigate HTTP Layer 7 status codes from the web application.
Which log sources contain the status codes? (Choose two.)
- VPC Flow Logs
- AWS CloudTrail logs
- ALB access logs
- CloudFront access logs
- RDS logs
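A parser for the two log sources that actually carry Layer 7 status codes, as an added example that is not part of the original page. ALB access logs are space separated with quoted request and user-agent fields, and carry two codes per line (elb_status_code and target_status_code, the latter "-" when the ALB answered without a target response); CloudFront standard logs are tab separated with a #Fields header that names the sc-status column. The sample lines are constructed in those formats, with the CloudFront field list abbreviated. VPC Flow Logs stop at Layer 4 and CloudTrail records API calls, so neither contains an HTTP status.

```python
"""Added example (not from the exam page): extract HTTP status codes from ALB
access logs and CloudFront standard logs and count 5xx responses per source.
Sample lines are constructed in the two formats (CloudFront #Fields abbreviated)."""
from __future__ import annotations

import shlex
from typing import Iterable, Iterator

ALB_ELB_STATUS = 8     # elb_status_code column (0-based) in the ALB log format
ALB_TARGET_STATUS = 9  # target_status_code; "-" when no target answered

SAMPLE_ALB = [
    'http 2022-10-31T10:00:00.000000Z app/web/50dc6c495c0c9188 203.0.113.10:43210 10.0.1.20:8080 0.001 0.050 0.000 200 200 412 2048 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/73e2d6bc24d8a067 "Root=1-635fb3d0-0123456789abcdef01234567" "www.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2022-10-31T10:00:00.000000Z "forward" "-" "-" "10.0.1.20:8080" "200" "-" "-"',
    'http 2022-10-31T10:00:01.000000Z app/web/50dc6c495c0c9188 203.0.113.11:43211 - -1 -1 -1 502 - 0 0 "GET https://www.example.com:443/api/orders HTTP/1.1" "curl/7.79.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/73e2d6bc24d8a067 "Root=1-635fb3d1-0123456789abcdef01234568" "www.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2022-10-31T10:00:01.000000Z "forward" "-" "TargetConnectionErrorException" "10.0.1.20:8080" "-" "-" "-"',
    'http 2022-10-31T10:00:02.000000Z app/web/50dc6c495c0c9188 203.0.113.12:43212 10.0.1.20:8080 0.001 0.004 0.000 404 404 380 512 "GET https://www.example.com:443/missing HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/73e2d6bc24d8a067 "Root=1-635fb3d2-0123456789abcdef01234569" "www.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2022-10-31T10:00:02.000000Z "forward" "-" "-" "10.0.1.20:8080" "404" "-" "-"',
    'http 2022-10-31T10:00:03.000000Z app/web/50dc6c495c0c9188 203.0.113.13:43213 10.0.1.21:8080 0.001 0.900 0.000 500 500 390 256 "POST https://www.example.com:443/api/orders HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/73e2d6bc24d8a067 "Root=1-635fb3d3-0123456789abcdef0123456a" "www.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2022-10-31T10:00:03.000000Z "forward" "-" "-" "10.0.1.21:8080" "500" "-" "-"',
]

SAMPLE_CLOUDFRONT = [
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) x-edge-result-type",
    "2022-10-31\t10:00:01\tIAD89-C1\t2048\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/\t200\t-\tMozilla/5.0\tMiss",
    "2022-10-31\t10:00:02\tIAD89-C1\t512\t203.0.113.11\tGET\td111111abcdef8.cloudfront.net\t/api/orders\t502\t-\tcurl/7.79.1\tError",
    "2022-10-31\t10:00:03\tIAD89-C1\t9231\t203.0.113.12\tGET\td111111abcdef8.cloudfront.net\t/static/app.js\t200\t-\tMozilla/5.0\tHit",
]


def alb_status_codes(lines: Iterable[str]) -> Iterator[tuple[str, str]]:
    """Yield (elb_status_code, target_status_code) per ALB access log line.
    shlex keeps the quoted request and user-agent fields as single tokens."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) <= ALB_TARGET_STATUS:
            continue  # truncated or foreign line
        yield fields[ALB_ELB_STATUS], fields[ALB_TARGET_STATUS]


def cloudfront_status_codes(lines: Iterable[str]) -> Iterator[str]:
    """Yield sc-status per CloudFront standard log line, locating the column
    from the #Fields header so the parser survives field reordering."""
    status_idx = None
    for line in lines:
        if line.startswith("#Fields:"):
            status_idx = line.split(":", 1)[1].split().index("sc-status")
            continue
        if line.startswith("#") or not line.strip() or status_idx is None:
            continue
        cols = line.rstrip("\n").split("\t")
        if len(cols) > status_idx:
            yield cols[status_idx]


def count_5xx(codes: Iterable[str]) -> int:
    return sum(1 for c in codes if c.isdigit() and 500 <= int(c) <= 599)


def summarise(alb_lines: Iterable[str], cloudfront_lines: Iterable[str]) -> dict[str, int]:
    """5xx counts per source; the ALB/target split separates application errors
    from responses the load balancer generated itself (502/503/504)."""
    alb = list(alb_status_codes(alb_lines))
    return {
        "alb_elb_5xx": count_5xx(e for e, _ in alb),
        "alb_target_5xx": count_5xx(t for _, t in alb),
        "alb_no_target_response": sum(1 for _, t in alb if t == "-"),
        "cloudfront_5xx": count_5xx(cloudfront_status_codes(cloudfront_lines)),
    }
```

Reading both sources together is what makes the investigation useful: a 502 in the ALB log with target_status_code "-" means the target never answered, while the same request in the CloudFront log shows whether the edge served it from cache or passed the error on to the client.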
A company needs to ensure that all IAM users rotate their passwords on a regular basis.
Which action should be taken to implement this?
- Configure multi-factor authentication for all IAM users
- Deactivate existing users and re-create new users every time a credential rotation is required
- Re-create identity federation with new identity providers every time a credential rotation is required
- Set up a password policy to enable password expiration for IAM users
An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group that terminates unhealthy instances. The Auto Scaling group is configured to determine the health status of EC2 instances using both EC2 status checks and ALB health checks. The Development team wants to analyze the unhealthy instances before termination.
What should the SysOps Administrator do to accomplish this?
- Configure the ALB health check to restart instances instead of terminating them.
- Configure an AWS Lambda function to take a snapshot of all instances before they are terminated.
- Implement Amazon CloudWatch Events to capture lifecycle events and trigger an AWS Lambda function for remediation.
- Use an Amazon EC2 Auto Scaling lifecycle hook to pause instance termination after the instance has been removed from service.
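What runs while the lifecycle hook holds the instance, as an added example that is not part of the original page: a Lambda-style handler for the "EC2 Instance-terminate Lifecycle Action" event that EC2 Auto Scaling publishes to EventBridge when an instance enters Terminating:Wait. It snapshots the instance's EBS volumes and tags them for the Development team, waits for the snapshots to complete, and then completes the hook so termination proceeds. The hook name, group name, instance and volume ids are assumptions, and FakeAws is a constructed stand-in for the boto3 ec2 and autoscaling clients (it is not the AWS API) so the example runs offline; in Lambda the same functions take boto3.client("ec2") and boto3.client("autoscaling").

```python
"""Added example (not from the exam page): handler for the EventBridge event
EC2 Auto Scaling emits while a terminating instance waits on a lifecycle hook.
It snapshots the instance's EBS volumes for analysis, then releases the hook.
The ec2/autoscaling clients are injected; FakeAws is a constructed stand-in."""
from __future__ import annotations

import time

HOOK_NAME = "snapshot-before-terminate"  # assumed hook name (see usage note)

# Constructed event in the shape EventBridge delivers for the terminate hook.
SAMPLE_EVENT = {
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {
        "LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
        "AutoScalingGroupName": "web-asg",
        "LifecycleHookName": HOOK_NAME,
        "EC2InstanceId": "i-0123456789abcdef0",
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
    },
}


def volumes_of(ec2, instance_id: str) -> list[str]:
    """EBS volume ids attached to the instance (instance-store disks have no Ebs key)."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return [bdm["Ebs"]["VolumeId"]
            for res in resp["Reservations"] for inst in res["Instances"]
            for bdm in inst.get("BlockDeviceMappings", []) if "Ebs" in bdm]


def wait_for_snapshots(ec2, snapshot_ids: list[str], sleep=time.sleep, max_polls: int = 80) -> bool:
    """Poll until every snapshot is completed; False on an error state or timeout."""
    for _ in range(max_polls):
        if not snapshot_ids:
            return True
        states = {s["State"] for s in ec2.describe_snapshots(SnapshotIds=snapshot_ids)["Snapshots"]}
        if states == {"completed"}:
            return True
        if "error" in states:
            return False
        sleep(10)
    return False


def handler(event: dict, ec2, autoscaling, sleep=time.sleep) -> dict:
    detail = event["detail"]
    if detail.get("LifecycleTransition") != "autoscaling:EC2_INSTANCE_TERMINATING":
        return {"skipped": True}
    instance_id = detail["EC2InstanceId"]
    snapshot_ids, completed = [], False
    try:
        for vol in volumes_of(ec2, instance_id):
            snap = ec2.create_snapshot(
                VolumeId=vol,
                Description=f"pre-termination copy of {instance_id} for analysis",
                TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                    {"Key": "SourceInstance", "Value": instance_id},
                    {"Key": "Reason", "Value": "asg-unhealthy"}]}],
            )
            snapshot_ids.append(snap["SnapshotId"])
        completed = wait_for_snapshots(ec2, snapshot_ids, sleep=sleep)
    finally:
        # Always release the hook, even after a failure; otherwise the instance
        # sits in Terminating:Wait until the hook's HeartbeatTimeout expires.
        autoscaling.complete_lifecycle_action(
            LifecycleHookName=detail["LifecycleHookName"],
            AutoScalingGroupName=detail["AutoScalingGroupName"],
            LifecycleActionToken=detail["LifecycleActionToken"],
            LifecycleActionResult="CONTINUE",
            InstanceId=instance_id,
        )
    return {"instance": instance_id, "snapshots": snapshot_ids, "all_completed": completed}


class FakeAws:
    """Constructed stand-in for the two boto3 clients used above; not the AWS API."""
    def __init__(self, volumes: dict[str, list[str]]):
        self.volumes, self.snapshots, self.completed = volumes, [], []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "BlockDeviceMappings": [
                {"DeviceName": f"/dev/xvd{chr(97 + n)}", "Ebs": {"VolumeId": v}}
                for n, v in enumerate(self.volumes.get(i, []))]}
            for i in InstanceIds]}]}

    def create_snapshot(self, **kw):
        sid = f"snap-{len(self.snapshots):017x}"
        self.snapshots.append({"SnapshotId": sid, "State": "completed", **kw})
        return {"SnapshotId": sid, "State": "pending"}

    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [s for s in self.snapshots if s["SnapshotId"] in SnapshotIds]}

    def complete_lifecycle_action(self, **kw):
        self.completed.append(kw)
        return {}
```

The hook itself is created with aws autoscaling put-lifecycle-hook --lifecycle-hook-name snapshot-before-terminate --auto-scaling-group-name web-asg --lifecycle-transition autoscaling:EC2_INSTANCE_TERMINATING --heartbeat-timeout 900 --default-result CONTINUE, and an EventBridge rule matching source aws.autoscaling and the detail-type above targets the function. The function's role needs ec2:DescribeInstances, ec2:CreateSnapshot, ec2:CreateTags, ec2:DescribeSnapshots and autoscaling:CompleteLifecycleAction, nothing wider; the heartbeat timeout must cover the snapshot wait, or the hook expires and the default result applies.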
An application running on Amazon EC2 needs login credentials to access a database. The login credentials are stored in AWS Systems Manager Parameter Store as secure string parameters.
What is the MOST secure way to grant the application access to the credentials?
- Create an IAM EC2 role for the EC2 instances and grant the role permission to read the Systems Manager parameters
- Create an IAM group for the application and grant the group permissions to read the Systems Manager parameters
- Create an IAM policy for the application and grant the policy permission to read the Systems Manager parameters
- Create an IAM user for the application and grant the user permission to read the Systems Manager parameters
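A template that ties together the two Parameter Store questions on this page (the per-environment credentials for external services, and the instance role that reads SecureString parameters), as an added CloudFormation example that is not part of the original page. One stack is launched per environment with a different Environment parameter; the only thing that reaches the instance is the environment name, and the secret values are written to Parameter Store out of band (for example aws ssm put-parameter --type SecureString --key-id with the customer managed key), since CloudFormation cannot create SecureString parameters. The parameter path /myapp/<environment>/, the key ARN parameter and the instance layout are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the exam page): one stack per environment. The
  application reads its external-service credentials from SecureString
  parameters under /myapp/<Environment>/ through the instance role, so no
  secret is passed as a template parameter, baked into an AMI or written
  into user data.

Parameters:
  Environment:
    Type: String
    AllowedValues: [development, test, production]
  SecretsKeyArn:
    Type: String      # customer managed KMS key the SecureString parameters were created with
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  AmiId:
    # Latest Amazon Linux 2 AMI, resolved from the public SSM parameter at deploy time
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Resources:
  # Least privilege: this environment's parameter path only, and decryption
  # only when KMS is called through Parameter Store.
  AppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadEnvironmentSecrets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParameter
                  - ssm:GetParameters
                  - ssm:GetParametersByPath
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/myapp/${Environment}/*
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref SecretsKeyArn
                Condition:
                  StringEquals:
                    kms:ViaService: !Sub ssm.${AWS::Region}.amazonaws.com

  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref AppRole]

  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref AppInstanceProfile
      Tags:
        - Key: Environment
          Value: !Ref Environment
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # Only the environment name lands on disk. The application fetches
          # /myapp/${Environment}/external-api-key at runtime using the
          # instance role, e.g.
          #   aws ssm get-parameter --with-decryption \
          #     --name /myapp/${Environment}/external-api-key
          install -d -m 0755 /etc/myapp
          echo "APP_ENV=${Environment}" > /etc/myapp/environment

Outputs:
  RoleArn:
    Value: !GetAtt AppRole.Arn
```

The role is what makes this the most secure of the options: credentials for the role come from the instance metadata service and rotate automatically, so nothing long-lived is stored on the instance, and a compromised development instance cannot read production parameters because its role's Resource ARN is scoped to /myapp/development/*. If the application used a static IAM user access key instead, that key would itself become a secret to distribute and rotate.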