SOA-C01 : AWS-SysOps : Part 41

SOA-C01 : AWS-SysOps : Part 41

1. A company’s Marketing department generates gigabytes of assets each day and stores them locally. They would like to protect the files by backing them up to AWS. All the assets should be stored on the cloud, but the most recent assets should be available locally for low latency access.

   Which AWS service meets the requirements?

   • Amazon EBS
   • Amazon EFS
   • Amazon S3
   • AWS Storage Gateway

2. A SysOps Administrator is attempting to use AWS Systems Manager Session Manager to initiate a SSH session with an Amazon EC2 instance running on a custom Linux Amazon Machine Image (AMI). The Administrator cannot find the target instance in the Session Manager console.

   Which combination of actions will solve this issue? (Choose two.)

   • Add Systems Manager permissions to the instance profile.
   • Configure the bucket used by Session Manager logs to allow write access.
   • Install Systems Manager Agent on the instance.
   • Modify the instance security group to allow inbound traffic on SSH port 22.
   • Reboot the instance with a new SSH key pair named ssm-user.

3. A Storage team wants all data transfers to an Amazon S3 bucket to remain within the AWS network. The team makes all changes to the AWS network infrastructure manually. An S3 VPC endpoint is created, and an endpoint policy with the proper permissions is set up. However, the application running on Amazon EC2 instances in the VPC is still unable to access the S3 bucket endpoint.

   What is one cause of this issue?

   • Request metrics for the S3 bucket need to be enabled.
   • S3 access logs need to be disabled for the VPC endpoints to function.
   • The subnet does not have the VPC endpoint as a target in the route table.
   • The EC2 instances need to have an Elastic Network Adapter enabled.

4. As part of a federated identity configuration, an IAM policy is created and attached to an IAM role.

   Who is responsible for creating the IAM policy and attaching it to the IAM role, according to the shared responsibility model?

   • AWS is responsible for creating and attaching the IAM policy to the role.
   • AWS is responsible for creating the role, and a SysOps Administrator is responsible for attaching the policy to the role.
   • A SysOps Administrator is responsible for creating and attaching the IAM policy to the role.
   • A SysOps Administrator is responsible for creating the role, and AWS is responsible for attaching the policy to the role.

5. An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. The Information Security team wants to track application requests by the originating IP and the EC2 instance that processes the request.

   Which of the following tools or services provides this information?

   • Amazon CloudWatch
   • AWS CloudTrail
   • Elastic Load Balancing access logs
   • VPC Flow Logs

6. An Amazon EC2 instance in a private subnet needs to copy data to an Amazon S3 bucket. For security reasons, the connection from the EC2 instance to Amazon S3 must not traverse across the Internet.

   What action should the SysOps Administrator take to accomplish this?

   • Create a NAT instance and route traffic destined to Amazon S3 through it.
   • Create a VPN connection between the EC2 instance and Amazon S3.
   • Create an S3 VPC endpoint in the VPC where the EC2 instance resides.
   • Use AWS Direct Connect to maximize throughput and keep the traffic private.

7. A SysOps Administrator is in the process of setting up a new AWS Storage Gateway. The Storage Gateway activation is failing when the Administrator attempts to activate the Storage Gateway from the Storage Gateway console.

   What are the potential causes of this error? (Choose two.)

   • The Storage Gateway does not have an upload buffer configured.
   • The Storage Gateway does not have a backing Amazon S3 bucket configured.
   • The Storage Gateway does not have a cache volume configured.
   • The Storage Gateway does not have the correct time.
   • The Storage Gateway is not accessible from the Administrator’s client over port 80.

8. A SysOps Administrator needs to monitor all the object upload and download activity of a single Amazon S3 bucket. Monitoring must include tracking the AWS account of the caller, the IAM user role of the caller, the time of the API call, and the IP address of the API.

   Where can the Administrator find this information?

   • AWS CloudTrail data event logging
   • AWS CloudTrail management event logging
   • Amazon Inspector bucket event logging
   • Amazon Inspector user event logging

9. A company’s website went down for several hours. The root cause was a full disk on one of the company’s Amazon EC2 instances.

   Which steps should the SysOps Administrator take to prevent this from happening in the future?

   • Configure Amazon CloudWatch Events to filter and forward AWS Health events for disk space utilization to an Amazon SNS topic to notify the Administrator.
   • Create an AWS Lambda function to describe the volume status for each EC2 instance. Post a notification to an Amazon SNS topic when a volume status is impaired.
   • Enable detailed monitoring for the EC2 instances. Create an Amazon CloudWatch alarm to notify the Administrator when disk space is running low.
   • Use the Amazon CloudWatch agent on the EC2 instances to collect disk metrics. Create a CloudWatch alarm to notify the Administrator when disk space is running low.

10. A SysOps Administrator needs to retrieve a file from the GLACIER storage class of Amazon S3. The Administrator wants to receive an Amazon SNS notification when the file is available for access.

    What action should be taken to accomplish this?

    • Create an Amazon CloudWatch Events event for file restoration from Amazon S3 Glacier using the GlacierJobDescription API and send the event to an SNS topic the Administrator has subscribed to.
    • Create an AWS Lambda function that performs a HEAD request on the object being restored and checks the storage class of the object. Then send a notification to an SNS topic the Administrator has subscribed to when the storage class changes to STANDARD.
    • Enable an Amazon S3 event notification for the s3:ObjectCreated:Post event that sends a notification to an SNS topic the Administrator has subscribed to.
    • Enable S3 event notification for the s3:ObjectCreated:Completed event that sends a notification to an SNS topic the Administrator has subscribed to.

11. A company has received a notification in its AWS Personal Health Dashboard that one of its Amazon EBS-backed Amazon EC2 instances is on hardware that is scheduled for maintenance. The instance runs a critical production workload that must be available during normal business hours.

    Which steps will ensure that the instance maintenance does not produce an outage?

    • Configure an Amazon Lambda function to automatically start the instance if it is stopped.
    • Create an Amazon Machine Image (AMI) of the instance and use the AMI to launch a new instance once the existing instance is retired.
    • Enable termination protection on the EC2 instance.
    • Stop and start the EC2 instance during a maintenance window outside of normal business hours.

12. Security has identified an IP address that should be explicitly denied for both ingress and egress requests for all services in an Amazon VPC immediately.

    Which feature can be used to meet this requirement?

    • Host-based firewalls
    • NAT Gateway
    • Network access control lists
    • Security Groups

13. An Application Load Balancer (ALB) is configured in front of Amazon EC2 instances. The current target group health check configuration is:

    -Interval: 30 seconds
    -Unhealthy threshold: 10
    -Healthy threshold: 5

    Which steps should a SysOps Administrator take to reduce the amount of time needed to remove unhealthy instances? (Choose two.)

    • Change the healthy threshold configuration to 1.
    • Change the interval configuration to 15.
    • Change the interval configuration to 60.
    • Change the unhealthy threshold configuration to 15.
    • Change the unhealthy threshold configuration to 5.

14. A company has a web application that is used across all company divisions. Each application request contains a header that includes the name of the division making the request. The SysOps Administrator wants to identify and count the requests from each division.

    Which condition should be added to the web ACL of the AWS WAF to accomplish this?

    • Cross-site scripting
    • Geo match
    • IP match
    • String match

15. A SysOps Administrator is deploying an Amazon EC2 instance and is using third-party VPN software to route traffic to an on-premises data center.

    Based on the shared responsibility model, AWS is responsible for managing which element of this deployment?

    • Configuring IPsec tunnels for the VPN.
    • Ensuring high availability of the EC2 instance.
    • Ensuring high availability of the VPN connection.
    • Managing the health of the underlying EC2 host.

16. A SysOps Administrator is notified that an automated failover of an Amazon RDS database has occurred.

    What are possible causes for this? (Choose two.)

    • A read contention on the database.
    • A storage failure on the primary database.
    • A write contention on the database.
    • Database corruption errors.
    • The database instance type was changed.

17. A recent AWS CloudFormation stack update has failed and returned the error UPDATE_ROLLBACK_FAILED. A SysOps Administrator is tasked with returning the CloudFormation stack to its previous working state.

    What must be done to accomplish this?

    • Fix the error that caused the rollback to fail, then select the Continue Update Rollback action in the console.
    • Select the Update Stack action with a working template in the console.
    • Update the password of the IAM user, then select the Continue Update Rollback action in the console.
    • Use the AWS CLI to manually change the stack status to UPDATE_COMPLETE, then continue updating the stack with a working template.

18. A company needs to run a distributed application that processes large amount of data across multiple Amazon EC2 instances. The application is designed to tolerate processing interruptions.

    What is the MOST cost-effective Amazon EC2 pricing model for these requirements?

    • Dedicated Hosts
    • On-Demand Instances
    • Reserved Instances
    • Spot Instances

19. A SysOps Administrator working on an Amazon EC2 instance has misconfigured the clock by one hour. The EC2 instance is sending data to Amazon CloudWatch through the CloudWatch agent. The timestamps on the logs are 45 minutes in the future.

    What will be the result of this configuration?

    • Amazon CloudWatch will not capture the data because it is in the future.
    • Amazon CloudWatch will accept the custom metric data and record it.
    • The Amazon CloudWatch agent will check the Network Time Protocol (NTP) server before sending the data, and the agent will correct the time.
    • The Amazon CloudWatch agent will check the Network Time Protocol (NTP) server, and the agent will not send the data because it is more than 30 minutes in the future.

20. A company recently performed a security audit of all its internal applications developed in house. Certain business-critical applications that handle sensitive data were flagged because they use Amazon ES clusters that are open for read/write to a wider user group that intended.

    Who is responsible for correcting the issue?

    • AWS Premium Support
    • the Amazon ES team
    • the AWS IAM team
    • a SysOps Administrator