Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 43
A company designed a specialized Amazon EC2 instance configuration for its Data Scientists. The Data Scientists want to create and delete EC2 instances on their own, but are not comfortable with configuring all the settings for EC2 instances without assistance. The configuration runs proprietary software that must be kept private within the company’s AWS accounts, and should be available to the Data Scientists, but no other users within the accounts.
Which solution should a SysOps Administrator use to allow the Data Scientists to deploy their workloads with MINIMAL effort?
- Create an Amazon Machine Image (AMI) of the EC2 instance. Share the AMI with authorized accounts owned by the company. Allow the Data Scientists to create EC2 instances with this AMI.
- Distribute an AWS CloudFormation template containing the EC2 instance configuration to the Data Scientists from an Amazon S3 bucket. Set the S3 template object to be readable from the AWS Organizations orgId.
- Publish the instance configuration to the Private Marketplace. Share the Private Marketplace with the company’s AWS accounts. Allow the Data Scientists to subscribe and launch the product from the Private Marketplace.
- Upload an AWS CloudFormation template to AWS Service Catalog. Allow the Data Scientists to provision and deprovision products from the company’s AWS Service Catalog portfolio.
A company developed and now runs a memory-intensive application on multiple Amazon EC2 Linux instances. The memory utilization metrics of the EC2 Linux instances must be monitored.
Which combination of actions must be taken to accomplish this? (Choose two.)
- Enable detailed monitoring on the instance within Amazon CloudWatch.
- Implement an AWS Lambda function to track memory metrics.
- Install Amazon CloudWatch agent to track memory metrics.
- Publish the memory metrics to Amazon CloudWatch Events.
- Publish the memory metrics using Amazon CloudWatch Logs.
An Application team has asked a SysOps Administrator to provision an additional environment for an application in four additional regions. The application is running on more than 100 instances in us-east-1, using fully baked AMIs. An AWS CloudFormation template has been created to deploy resources in us-east-1.
What must the SysOps Administrator do to provision the application quickly?
- Copy the AMI to each region using aws ec2 copy-image. Update the CloudFormation mapping to include mappings for the copied AMIs.
- Create a snapshot of the running instance and copy the snapshot to the other regions. Create an AMI from the snapshots. Update the CloudFormation template for each region to use the new AMI.
- Run the existing CloudFormation template in each additional region based on the success of the template used currently in us-east-1.
- Update the CloudFormation template to include the additional regions in the Auto Scaling group. Update the existing stack in us-east-1.
A company wants to identify specific Amazon EC2 instances that are underutilized and the estimated cost savings for each instance.
How can this be done with MINIMAL effort?
- Use AWS Budgets to report on low utilization of EC2 instances.
- Run an AWS Systems Manager script to check for low memory utilization of EC2 instances.
- Run Cost Explorer to look for low utilization of EC2 instances.
- Use Amazon CloudWatch metrics to identify EC2 instances with low utilization.
A SysOps Administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.
Which additional actions should the Administrator take to control access? (Choose two.)
- Attach an IAM policy to the users or groups that require access to the EC2 instances.
- Attach an IAM role to control access to the EC2 instances.
- Create a placement group for the EC2 instances and add a specific tag.
- Create a service account and attach it to the EC2 instances that need to be controlled.
- Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.
A company is planning to deploy multiple ecommerce websites across the eu-west-1, ap-east-1, and us-west-1 Regions. The websites consist of Amazon S3 buckets, Amazon EC2 instances, Amazon RDS databases, and Elastic Load Balancers.
Which method will accomplish the deployment with the LEAST amount of effort?
- Configure deployment automation using AWS OpsWorks
- Configure S3 cross-Region replication
- Use AWS CloudFormation stack sets to deploy the application
- Use AWS Elastic Beanstalk to deploy the application
A company manages multiple AWS accounts and wants to provide access to AWS from a single management account using an existing on-premises Microsoft Active Directory domain.
Which solution will meet these requirements with the LEAST amount of effort?
- Create an Active Directory connector using AWS Directory Service. Create IAM users in the target accounts with the appropriate trust policy.
- Create an Active Directory connector using AWS Directory Service. Associate the directory with AWS Single Sign-On (AWS SSO). Configure user access to target accounts through AWS SSO.
- Create an Amazon Cognito federated identity pool. Associate the pool identity with the on-premises directory. Configure the IAM roles with the appropriate trust policy.
- Create an identity provider in AWS IAM associated with the on-premises directory. Create IAM roles in the target accounts with the appropriate trust policy.
A company has an AWS account for each department and wants to consolidate billing and reduce overhead. The company wants to make sure that the finance team is denied access to any service other than Amazon EC2, the security team is denied access to any service other than AWS CloudTrail, and IT can access any resource.
Which solution meets these requirements with the LEAST amount of operational overhead?
- Create a role for each department within AWS IAM and assign each role the necessary permissions.
- Create a user for each department within AWS IAM and assign each user the necessary permissions.
- Implement service control policies within AWS Organizations to determine which resources each department can access.
- Place each department into an organizational unit (OU) within AWS Organizations and use IAM policies to determine which resources they can access.
A company runs an image-processing application on a serverless infrastructure. Each processing job runs in a single AWS Lambda execution. A sysops administrator is tasked with ensuring there is enough capacity to run 500 simultaneous jobs even if other Lambda functions are being run for other applications. The administrator has already increased service limits within the Region.
Which action should be taken?
- Configure a dead-letter queue to retry any throttled executions
- Modify the memory settings on the Lambda function to allow for 500 parallel executions
- Move the image-processing logic to AWS Step Functions
- Set the reserved concurrency for the image-processing Lambda function to 500
A sysops administrator has an AWS Lambda function that performs maintenance on various AWS resources. This function must be run nightly.
Which is the MOST cost-effective solution?
- Launch a single t2.nano Amazon EC2 instance and create a Linux cron job to invoke the Lambda function at the same time every night.
- Set up an Amazon CloudWatch metrics alarm to invoke the Lambda function at the same time every night.
- Schedule an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function at the same time every night.
- Implement a Chef recipe in AWS OpsWorks stack to invoke the Lambda function at the same time every night.
A sysops administrator is managing an application on AWS that uses Amazon EC2 instances and Amazon Aurora MySQL. The EC2 instances and Aurora instances are in two different subnets. The application servers running in EC2 cannot connect to the Aurora database.
The EC2 subnet is 192.168.87.0/24 and has a security group named sg-123456 with the following configuration.
The Aurora subnet is 192.168.88.0/24 and has a security group named sg-abcdef with the following configuration.
Which action should the sysops administrator take to allow the EC2 instances to connect to the Aurora database?
- In the inbound rules table of the Aurora security group, add an inbound TCP rule with the MySQL port and sg-123456 as the traffic source.
- In the inbound rules table of the EC2 security group, add an inbound TCP rule with the MySQL port and 192.168.88.0/24 as the traffic source.
- In the outbound rules table of the Aurora security group, add an outbound TCP rule with the MySQL port and 192.168.87.0/24 as the destination.
- In the outbound rules table of the EC2 security group, add an outbound TCP rule with the MySQL port and sg-abcdef as the destination.
A company has a multi-tier web application. In the web tier, all the servers are in private subnets inside a VPC. The development team wants to make changes to the application that require access to Amazon S3.
What should be done to accomplish this?
- Create a customer gateway to connect to Amazon S3. Modify the route table of the private subnets to use the customer gateway.
- Create a gateway VPC endpoint for Amazon S3. Modify the route table of the private subnets to use the gateway VPC endpoint.
- Create a NAT gateway in the private subnets. Modify the route table of the subnets to use the NAT gateway.
- Create an S3 bucket policy to allow connections from the private subnets. Modify the route table.
A sysops administrator is managing a VPC network consisting of public and private subnets. Instances in the private subnets access the Internet through a NAT gateway. A recent AWS bill shows that the NAT gateway charges have doubled. The administrator wants to identify which instances are creating the most network traffic.
How should this be accomplished?
- Enable flow logs on the NAT gateway elastic network interface and use Amazon CloudWatch insights to filter data based on the source IP addresses.
- Run an AWS Cost and Usage report and group the findings by instance ID.
- Use the VPC traffic mirroring feature to send traffic to Amazon QuickSight.
- Use Amazon CloudWatch metrics generated by the NAT gateway for each individual instance.
When performing an audit on an S3 bucket, a SysOps Administrator discovered that Amazon CloudWatch reports that there are 12,345,678 objects in the bucket, whereas the AWS CLI reports that there are 98,765,432 objects in the same bucket.
Which Amazon S3 feature can the SysOps Administrator use to obtain the definitive answer to the number of objects in the bucket?
- Amazon S3 analytics
- Amazon S3 inventory
- AWS Management Console
- Object tags
An organization recently faced a network outage while uploading data into one of their S3 buckets. This outage generated many incomplete multipart uploads in that S3 bucket. A sysops administrator wants to delete the incomplete multipart uploads and ensure that the incomplete multipart uploads are deleted automatically the next time such an event occurs.
How should this be done?
- Create an Amazon S3 Event Notification to trigger an AWS Lambda function that deletes incomplete multipart uploads.
- Create an Amazon S3 lifecycle rule to abort incomplete multipart uploads so that they are deleted this time and in the future.
- Use the AWS CLI to list all the multipart uploads, and abort all the incomplete uploads from the day of the event so that they are deleted.
- Use the AWS Management Console to abort all the incomplete uploads from the day of the event so that they are deleted.
A company’s finance department wants to receive a monthly report showing AWS resource usage by department.
Which solution should be used to meet the requirements?
- Configure AWS Cost and Usage reports for each department. Run the reports monthly.
- Schedule a monthly report for each department using AWS Budgets.
- Run a monthly AWS CloudTrail report of resource usage by tag using department codes.
- Tag all resources with department codes. Generate a monthly cost allocation report.
A SysOps Administrator maintains several Amazon EC2 instances that do not have access to the public internet. To patch operating systems, the instances require outbound internet connectivity. For security reasons, the instances should not be reachable from the public internet.
The Administrator deploys a NAT instance, updates the security groups, and configures the appropriate routes within the route table. However, the instances are still unable to reach the internet.
What should be done to resolve the issue?
- Assign Elastic IP addresses to the instances and create a route from the private subnets to the internet gateway
- Delete the NAT instance and replace it with AWS WAF
- Disable source/destination checks on the NAT instance
- Start/stop the NAT instance so it is launched on a different host
A SysOps Administrator using AWS KMS needs to rotate all customer master keys (CMKs) every week to meet Information Security guidelines.
Which option would meet the requirement?
- Create a new CMK every 7 days to manually rotate the encryption keys.
- Enable key rotation on the CMKs and set the rotation period to 7 days.
- Switch to using AWS CloudHSM as AWS KMS does not support key rotation.
- Use data keys for each encryption task to avoid the need to rotate keys.
A SysOps Administrator is maintaining an application running on Amazon EBS-backed Amazon EC2 instances in an Amazon EC2 Auto Scaling group. The application is set to automatically terminate unhealthy instances. The Administrator wants to preserve application logs from these instances for future analysis.
Which action will accomplish this?
- Change the storage type from EBS to instance store.
- Configure an Amazon CloudWatch Events rule to transfer the logs to Amazon S3 upon an EC2 state change to terminated.
- Configure the unified CloudWatch agent to stream the logs to Amazon CloudWatch Logs.
- Configure VPC Flow Logs for the subnet hosting the EC2 instance.
A SysOps Administrator must remove public IP addresses from all Amazon EC2 instances to prevent exposure to the internet. However, many corporate applications running on those EC2 instances need to access Amazon S3 buckets. The Administrator is tasked with allowing the EC2 instances to continue to access the S3 buckets.
Which solutions can be used? (Choose two.)
- Deploy a NAT gateway, and configure the route tables accordingly in the VPC where the EC2 instances are running.
- Modify the network ACLs with private IP addresses in the routes to connect to Amazon S3.
- Modify the security groups on the EC2 instances with private IP addresses in the routes to connect to Amazon S3.
- Set up AWS Direct Connect, and configure a virtual interface between the EC2 instances and the S3 buckets.
- Set up a VPC endpoint in the VPC where the EC2 instances are running, and configure the route tables accordingly.