Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 39
A SysOps Administrator is receiving alerts related to high CPU utilization of a Memcached-based Amazon ElastiCache cluster.
Which remediation steps should be taken to resolve this issue? (Choose two.)
- Add a larger Amazon EBS volume to the ElastiCache cluster nodes
- Add a load balancer to route traffic to the ElastiCache cluster
- Add additional worker nodes to the ElastiCache cluster
- Create an Auto Scaling group for the ElastiCache cluster
- Vertically scale the ElastiCache cluster by changing the node type
A SysOps Administrator manages an Amazon RDS MySQL DB instance in production. The database is accessed by several applications. The Administrator needs to ensure minimal downtime of the applications in the event the database suffers a failure. This change must not impact customer use during regular business hours.
Which action will make the database MORE highly available?
- Contact AWS Support to pre-warm the database to ensure that it can handle any unexpected spikes in traffic
- Create a new Multi-AZ RDS DB instance. Migrate the data to the new DB instance and delete the old one
- Create a read replica from the existing database outside of business hours
- Modify the DB instance outside of business hours to be a Multi-AZ deployment
An enterprise is using federated Security Assertion Markup Language (SAML) to access the AWS Management Console.
How should the SAML assertion mapping be configured?
- Map the group attribute to an AWS group. The AWS group is assigned IAM policies that govern access to AWS resources.
- Map the policy attribute to IAM policies the federated user is assigned to. These policies govern access to AWS resources.
- Map the role attribute to an AWS role. The AWS role is assigned IAM policies that govern access to AWS resources.
- Map the user attribute to an AWS user. The AWS user is assigned specific IAM policies that govern access to AWS resources.
A SysOps Administrator is managing a web application that runs on Amazon EC2 instances behind an ELB Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy.
Which condition should be used with the alarm?
- AWS/ApplicationELB HealthyHostCount <= 0
- AWS/ApplicationELB UnhealthyHostCount >= 1
- AWS/EC2 StatusCheckFailed <= 0
- AWS/EC2 StatusCheckFailed >= 1
A company has deployed a NAT instance to allow web servers to obtain software updates from the internet. There is high latency on the NAT instance as the network grows. A SysOps Administrator needs to reduce latency on the instance in a manner that is efficient, cost-effective, and allows for scaling with future demand.
Which action should be taken to accomplish this?
- Add a second NAT instance and place both instances behind a load balancer
- Convert the NAT instance to a larger instance size
- Replace the NAT instance with a NAT gateway
- Replace the NAT instance with a virtual private gateway
A security researcher has published a new Common Vulnerabilities and Exposures (CVE) report that impacts a popular operating system. A SysOps Administrator is concerned with the new CVE report and wants to patch the company’s systems immediately. The administrator contacts AWS Support and requests the patch be applied to all Amazon EC2 instances.
How will AWS respond to this request?
- AWS will apply the patch during the next maintenance window, and will provide the Administrator with a report of all patched EC2 instances.
- AWS will relaunch the EC2 instances with the latest version of the Amazon Machine Image (AMI), and will provide the Administrator with a report of all patched EC2 instances.
- AWS will research the vulnerability to see if the Administrator’s operating system is impacted, and will patch the EC2 instances that are affected.
- AWS will review the shared responsibility model with the Administrator and advise them regarding how to patch the EC2 instances.
A Development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
- AWS Shield Standard
- AWS WAF
- Elastic Load Balancing
- Amazon Cognito
A Development team is designing an application that processes sensitive information within a hybrid deployment. The team needs to ensure the application data is protected both in transit and at rest.
Which combination of actions should be taken to accomplish this? (Choose two.)
- Use a VPN to set up a tunnel between the on-premises data center and the AWS resources
- Use AWS Certificate Manager to create TLS/SSL certificates
- Use AWS CloudHSM to encrypt the data
- Use AWS KMS to create TLS/SSL certificates
- Use AWS KMS to manage the encryption keys used for data encryption
A company is using AWS Storage Gateway to create block storage volumes and mount them as Internet Small Computer Systems Interface (iSCSI) devices from on-premises servers. As the Storage Gateway has taken on several new projects, some of the Development teams report that the performance of the iSCSI drives has degraded. When checking the Amazon CloudWatch metrics, a SysOps Administrator notices that the CacheHitPercent metric is below 60% and the CachePercentUsed metric is above 90%.
What steps should the Administrator take to increase Storage Gateway performance?
- Change the default block size for the Storage Gateway from 64 KB to 128 KB, 256 KB, or 512 KB to improve I/O performance.
- Create a larger disk for the cached volume. In the AWS Management Console, edit the local disks, then select the new disk as the cached volume.
- Ensure that the physical disks for the Storage Gateway are in a RAID 1 configuration to allow higher throughput.
- Take point-in-time snapshots of all the volumes in Storage Gateway, flush the cache completely, then restore the volumes from the clean snapshots.
A SysOps Administrator observes a large number of rogue HTTP requests on an Application Load Balancer (ALB). The requests originate from various IP addresses.
Which action should be taken to block this traffic?
- Use Amazon CloudFront to cache the traffic and block access to the web servers
- Use Amazon GuardDuty to protect the web servers from bots and scrapers
- Use AWS Lambda to analyze the web server logs, detect bot traffic, and block the IP address in the security groups
- Use AWS WAF rate-based blacklisting to block this traffic when it exceeds a defined threshold
A company issued SSL certificates to its users, and needs to ensure the private keys that are used to sign the certificates are encrypted. The company needs to be able to store the private keys and perform cryptographic signing operations in a secure environment.
Which service should be used to meet these requirements?
- AWS CloudHSM
- AWS KMS
- AWS Certificate Manager
- Amazon Connect
A SysOps Administrator is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon S3. The domain name of the website is www.anycompany.com and the S3 bucket name is anycompany-static. After the record set is set up in Route 53, the domain name www.anycompany.com does not seem to work, and the static website is not displayed in the browser.
Which of the following is a cause of this?
- The S3 bucket must be configured with Amazon CloudFront first
- The Route 53 record set must have an IAM role that allows access to the S3 bucket
- The Route 53 record set must be in the same region as the S3 bucket
- The S3 bucket name must match the record set name in Route 53
A SysOps Administrator at an ecommerce company discovers that several 404 errors are being sent to one IP address every minute. The Administrator suspects a bot is collecting information about products listed on the company’s website.
Which service should be used to block this suspected malicious activity?
- AWS CloudTrail
- Amazon Inspector
- AWS Shield Standard
- AWS WAF
A company wants to reduce costs across the entire company after discovering that several AWS accounts were using unauthorized services and incurring extremely high costs.
Which AWS service enables the company to reduce costs by controlling access to AWS services for all AWS accounts?
- AWS Cost Explorer
- AWS Config
- AWS Organizations
- AWS Budgets
A company has an application database on Amazon RDS that runs a resource-intensive reporting job. This is causing other applications using the database to run slowly.
What should the SysOps Administrator do to resolve this issue?
- Create Amazon RDS backups
- Create Amazon RDS read replicas to run the report
- Enable Multi-AZ mode on Amazon RDS
- Use Amazon RDS automatic host replacement
A company wants to increase the availability and durability of a critical business application. The application currently uses a MySQL database running on an Amazon EC2 instance. The company wants to minimize application changes.
How should the company meet these requirements?
- Shut down the EC2 instance. Enable multi-AZ replication within the EC2 instance, then restart the instance.
- Launch a secondary EC2 instance running MySQL. Configure a cron job that backs up the database on the primary EC2 instance and copies it to the secondary instance every 30 minutes.
- Migrate the database to an Amazon RDS Aurora DB instance and create a Read Replica in another Availability Zone.
- Create an Amazon RDS Microsoft SQL DB instance and enable multi-AZ replication. Back up the existing data and import it into the new database.
A SysOps Administrator has an AWS CloudFormation template of the company’s existing infrastructure in us-west-2. The Administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back.
Why would this template fail to deploy? (Choose two.)
- The template referenced an IAM user that is not available in eu-west-1
- The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1
- The template did not have the proper level of permissions to deploy the resources
- The template requested services that do not exist in eu-west-1
- CloudFormation templates can be used only to update existing services
A SysOps Administrator has been asked to configure user-defined cost allocation tags for a new AWS account. The company is using AWS Organizations for account management.
What should the Administrator do to enable user-defined cost allocation tags?
- Log in to the AWS Billing and Cost Management console of the new account, and use the Cost Allocation Tags manager to create the new user-defined cost allocation tags.
- Log in to the AWS Billing and Cost Management console of the payer account, and use the Cost Allocation Tags manager to create the new user-defined cost allocation tags.
- Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the new account to mark the tags as cost allocation tags.
- Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the payer account to mark the tags as cost allocation tags.
A company developed and now runs a memory-intensive application on multiple Amazon EC2 Linux instances. The memory utilization metrics of the EC2 Linux instances must be monitored every minute.
How should the SysOps Administrator publish the memory metrics? (Choose two.)
- Enable detailed monitoring on the instance within Amazon CloudWatch
- Publish the memory metrics to Amazon CloudWatch Events
- Publish the memory metrics using the Amazon CloudWatch agent
- Publish the memory metrics using Amazon CloudWatch Logs
- Set metrics_collection_interval to 60 seconds
A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded; however, upon navigating to the site, the following error message is received:
403 Forbidden – Access Denied
What change should be made to fix this error?
- Add a bucket policy that grants everyone read access to the bucket
- Add a bucket policy that grants everyone read access to the bucket objects
- Remove the default bucket policy that denies read access to the bucket
- Configure cross-origin resource sharing (CORS) on the bucket