SOA-C01 : AWS-SysOps : Part 40

SOA-C01 : AWS-SysOps : Part 40

1. A company runs an Amazon RDS MySQL DB instance. Corporate policy requires that a daily backup of the database must be copied to a separate security account.

   What is the MOST cost-effective way to meet this requirement?

   • Copy an automated RDS snapshot to the security account using the copy-db-snapshot command with the AWS CLI.
   • Create an RDS MySQL Read Replica for the critical database in the security account, then enable automatic backups for the Read Replica.
   • Create an RDS snapshot with the AWS CLI create-db-snapshot command, share it with the security account, then create a copy of the shared snapshot in the security account.
   • Use AWS DMS to replicate data from the critical database to another RDS MySQL instance in the security account, then use an automated backup for the RDS instance.

2. A SysOps Administrator must set up notifications for whenever combined billing exceeds a certain threshold for all AWS accounts within a company. The Administrator has set up AWS Organizations and enabled Consolidated Billing.

   Which additional steps must the Administrator perform to set up the billing alerts?

   • In the payer account: Enable billing alerts in the Billing and Cost Management console; publish an Amazon SNS message when the billing alert triggers.
   • In each account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.
   • In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in the Billing and Cost Management console to publish an SNS message when the alarm triggers.
   • In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.

3. A VPC is connected to a company data center by a VPN. An Amazon EC2 instance with the IP address 172.31.16.139 is within a private subnet of the VPC. A SysOps Administrator issued a ping command to the EC2 instance from an on-premises computer with the IP address 203.0.113.12 and did not receive an acknowledgment. VPC Flow Logs were enabled and showed the following:

   

   What action will resolve the issue?

   • Modify the EC2 security group rules to allow inbound traffic from the on-premises computer
   • Modify the EC2 security group rules to allow outbound traffic to the on-premises computer
   • Modify the VPC network ACL rules to allow inbound traffic from the on-premises computer
   • Modify the VPC network ACL rules to allow outbound traffic to the on-premises computer

4. A web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. Amazon Route 53 is used for DNS and points to the load balancer. A SysOps Administrator has launched a new Auto Scaling group with a new version of the application, and wants to gradually shift traffic to the new version.

   How can this be accomplished?

   • Create an Auto Scaling target tracking scaling policy to gradually move traffic from the old version to the new one
   • Change the Application Load Balancer to a Network Load Balancer, then add both Auto Scaling groups as targets
   • Use an Amazon Route 53 weighted routing policy to gradually move traffic from the old version to the new one
   • Deploy Amazon Redshift to gradually move traffic from the old version to the new one using a set of predefined values

5. A company uses federation to authenticate users and grant AWS permissions. The SysOps Administrator has been asked to determine who made a request to AWS Organizations for a new AWS account.

   What should the Administrator review to determine who made the request?

   • AWS CloudTrail for the federated identity user name
   • AWS IAM Access Advisor for the federated user name
   • AWS Organizations access log for the federated identity user name
   • Federated identity provider logs for the user name

6. A serverless application running on AWS Lambda is expected to receive a significant increase in traffic. A SysOps Administrator needs to ensure that the Lambda function is configured to scale so the application can process the increased traffic.

   What should the Administrator do to accomplish this?

   • Attach additional elastic network interfaces to the Lambda function
   • Configure AWS Application Auto Scaling based on the Amazon CloudWatch Lambda metric for the number of invocations
   • Ensure the concurrency limit for the Lambda function is higher than the expected simultaneous function executions
   • Increase the memory available to the Lambda function

7. A SysOps Administrator is notified that an Amazon EC2 instance has stopped responding. The AWS Management Console indicates that the system checks are failing.

   What should the SysOps Administrator do first to resolve this issue?

   • Reboot the EC2 instance so it can be launched on a new host.
   • Stop and then start the EC2 instance so that it can be launched on a new host.
   • Terminate the EC2 instance and relaunch it.
   • View the AWS CloudTrail log to investigate what changed on the EC2 instance.

8. An ecommerce site is using Amazon ElastiCache with Memcached to store session state for a web application and to cache frequently used data. For the last month, users have been complaining about performance. The metric data for the Amazon EC2 instances and the Amazon RDS instance appear normal, but the eviction count metrics are high.

   What should be done to address this issue and improve performance?

   • Scale the cluster by adding additional nodes
   • Scale the cluster by adding read replicas
   • Scale the cluster by increasing CPU capacity
   • Scale the web layer by adding additional EC2 instances

9. A company needs to migrate an on-premises asymmetric key management system into AWS.

   Which AWS service should be used to accomplish this?

   • AWS Certificate Manager
   • AWS CloudHSM
   • AWS KMS
   • AWS Secrets Manager

10. A SysOps Administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the Internet.

    Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)

    • Add a NAT gateway to a public subnet
    • Attach a private address to the elastic network interface on the EC2 instance
    • Attach an Elastic IP address to the internet gateway
    • Add an entry to the route table for the subnet that points to an internet gateway
    • Create an internet gateway and attach it to a VPC

11. A Security and Compliance team is reviewing Amazon EC2 workloads for unapproved AMI usage.

    Which action should a SysOps Administrator recommend?

    • Create a custom report using AWS Systems Manager Inventory to identify unapproved AMIs
    • Run Amazon Inspector on all EC2 instances and flag instances using unapproved AMIs
    • Use an AWS Config rule to identify unapproved AMIs
    • Use AWS Trusted Advisor to identify EC2 workloads using unapproved AMIs

12. A company needs to have real-time access to image data while seamlessly maintaining a copy of the images in an offsite location for disaster recovery purposes.

    Which solution meets the requirement?

    • Create an AWS Storage Gateway volume gateway configured as a stored volume. Mount it from clients using Internet Small Computer System Interface (iSCSI).
    • Mount an Amazon EFS volume on a local server. Share this volume with employees who need access to the images.
    • Store the images in Amazon S3, and use AWS Data Pipeline to allow for caching of S3 data on local workstations.
    • Use Amazon S3 for file storage, and enable S3 Transfer Acceleration to maintain a cache for frequently used files to increase local performance.

13. A SysOps Administrator needs to create a replica of a company’s existing AWS infrastructure in a new AWS account. Currently, an AWS Service Catalog portfolio is used to create and manage resources.

    What is the MOST efficient way to accomplish this?

    • Create an AWS CloudFormation template to use the AWS Service Catalog portfolio in the new AWS account.
    • Manually create an AWS Service Catalog portfolio in the new AWS account that duplicates the original portfolio.
    • Run an AWS Lambda function to create a new AWS Service Catalog portfolio based on the output of the DescribePortfolio API operation.
    • Share the AWS Service Catalog portfolio with the other AWS accounts and import the portfolio into the other AWS accounts.

14. A company is operating a multi-account environment under a single organization using AWS Organizations. The Security team discovers that some employees are using AWS services in ways that violate company policies. A SysOps Administrator needs to prevent all users of an account, including the root user, from performing certain restricted actions.

    What should be done to accomplish this?

    • Apply service control policies (SCPs) to allow approved actions only
    • Apply service control policies (SCPs) to prevent restricted actions
    • Define permissions boundaries to allow approved actions only
    • Define permissions boundaries to prevent restricted actions

15. An application is running on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are configured in an Amazon EC2 Auto Scaling group. A SysOps Administrator must configure the application to scale based on the number of incoming requests.

    Which solution accomplishes this with the LEAST amount of effort?

    • Use a simple scaling policy based on a custom metric that measures the average active requests of all EC2 instances
    • Use a simple scaling policy based on the Auto Scaling group GroupDesiredCapacity metric
    • Use a target tracking scaling policy based on the ALB’s ActiveConnectionCount metric
    • Use a target tracking scaling policy based on the ALB’s RequestCountPerTarget metric

16. A SysOps Administrator has created an Amazon EC2 instance using an AWS CloudFormation template in the us-east-1 Region. The Administrator finds that this template has failed to create an EC2 instance in the us-west-2 Region.

    What is one cause for this failure?

    • Resource tags defined in the CloudFormation template are specific to the us-east-1 Region.
    • The Amazon Machine Image (AMI) ID referenced in the CloudFormation template could not be found in the us-west-2 Region.
    • The cfn-init script did not run during resource provisioning in the us-west-2 Region.
    • The IAM user was not created in the specified Region.

17. Users are struggling to connect to a single public-facing development web server using its public IP address on a unique port number of 8181. The security group is correctly configured to allow access on that port, and the network ACLs are using the default configuration.

    Which log type will confirm whether users are trying to connect to the correct port?

    • AWS CloudTrail logs
    • Elastic Load Balancer access logs
    • VPC Flow Logs
    • Amazon S3 access logs

18. The Security team at AnyCompany discovers that some employees have been using individual AWS accounts that are not under the control of AnyCompany. The team has requested that those individual accounts be linked to the central organization using AWS Organizations.

    Which action should a SysOps Administrator take to accomplish this?

    • Add each existing account to the central organization using AWS IAM.
    • Create a new organization in each account and join them to the central organization.
    • Log in to each existing account and add them to the central organization.
    • Send each existing account an invitation from the central organization.

19. A SysOps Administrator has received a request to enable access logging for a Network Load Balancer and is setting up an Amazon S3 bucket to store the logs.

    What are the MINIMUM requirements for the S3 bucket? (Choose two.)

    • The bucket must be in the same Region as the Network Load Balancer.
    • The bucket must have a bucket policy that grants Elastic Load Balancing permissions to write the access logs to the bucket.
    • The bucket must have encryption enabled.
    • The bucket must have lifecycle policies set.
    • The bucket must have public access disabled.

20. An application is running on an Amazon EC2 instance. A SysOps Administrator is tasked with allowing the application access to an Amazon S3 bucket.

    What should be done to ensure optimal security?

    • Apply an S3 bucket policy to allow access from all EC2 instances.
    • Create an IAM user and create a script to inject the credentials on boot.
    • Create and assign an IAM role for Amazon S3 access to the EC2 instance.
    • Embed an AWS credentials file for an IAM user inside the Amazon Machine Image (AMI).