Last Updated on October 31, 2022 by InfraExam
SOA-C01 : AWS-SysOps : Part 44
A company’s application running on Amazon EC2 Linux recently crashed because it ran out of available memory. Management wants to be alerted if this ever happens again.
Which combination of steps will accomplish this? (Choose two.)
- Create an Amazon CloudWatch dashboard to monitor the memory usage metrics on the instance over time.
- Create an alarm on the dashboard that publishes an Amazon SNS notification to alert the CIO when a threshold is passed.
- Create an alarm on the metric that publishes an Amazon SNS notification to alert the CIO when a threshold is passed.
- Create an alarm on the AWS Personal Health Dashboard that publishes an Amazon SNS notification to alert the CIO when the system is out of memory.
- Configure the Amazon CloudWatch agent to collect and push memory usage metrics on the instance.
A popular auctioning platform requires near-real-time access to dynamic bidding information. The platform must be available at all times. The current Amazon RDS instance often reaches 100% CPU utilization during the weekend auction and can no longer be resized. To improve application performance, a sysops administrator is evaluating Amazon ElastiCache, and has chosen Redis (cluster mode enabled) instead of Memcached.
What are reasons for making this choice? (Choose two.)
- Data partitioning
- Multi-threaded processing
- Multi-AZ with automatic failover
- Multi-region with automatic failover
- Online resharding
A financial service company is running distributed computing software to manage a fleet of 20 servers for their calculations. There are 2 control nodes and 18 worker nodes to run the calculations. Worker nodes can be automatically started by the control nodes when required. Currently, all nodes are running on demand, and the worker nodes are used for approximately 4 hours each day.
Which combination of actions will be MOST cost-effective? (Choose two.)
- Use Dedicated Hosts for the control nodes.
- Use Reserved Instances for the control nodes.
- Use Reserved Instances for the worker nodes.
- Use Spot Instances for the control nodes and On-Demand Instances if there is no Spot availability.
- Use Spot Instances for the worker nodes and On-Demand Instances if there is no Spot availability.
A SysOps administrator must monitor a fleet of Amazon EC2 Linux instances with the constraint that no agents be installed. The administrator chooses Amazon CloudWatch as the monitoring tool.
Which metrics can be measured given the constraints? (Choose three.)
- CPU Utilization
- Disk Read Operations
- Memory Utilization
- Network Packets In
- Network Packets Dropped
- CPU Ready Time
A sysops administrator set up an Amazon ElastiCache for Memcached cluster for an application. During testing, the application experiences increased latency. Amazon CloudWatch metrics for the Memcached cluster show CPUUtilization is consistently above 95% and FreeableMemory is consistently under 1 MB.
Which action will solve the problem?
- Configure ElastiCache automatic scaling for the Memcached cluster. Set the CPUUtilization metrics as a scaling trigger above 75% and FreeableMemory below 10 MB.
- Configure ElastiCache read replicas for each Memcached node in different Availability Zones to distribute the workload.
- Deploy an Application Load Balancer to distribute the workload to Memcached cluster nodes.
- Replace the Memcached cluster and select a node type that has a higher CPU and memory.
A security audit revealed that the security groups in a VPC have ports 22 and 3389 open to all, introducing a possible threat that instances can be stopped or configurations can be modified. A sysops administrator needs to automate remediation.
What should the sysops administrator do to meet these requirements?
- Create an IAM managed policy to deny access to ports 22 and 3389 on any security groups in a VPC.
- Define an AWS Config rule and remediation action with AWS Systems Manager automation documents.
- Enable AWS Trusted Advisor to remediate public port access.
- Use AWS Systems Manager configuration compliance to remediate public port access.
A company recently migrated from a third-party security application to Amazon Inspector. A sysops administrator discovered that a list of security findings is missing for some Amazon EC2 instances.
Which action will resolve this problem?
- Generate the missing security findings list manually by logging in to the affected EC2 instances and running CLI commands.
- Log in to the affected EC2 instances. Download and install the Amazon Inspector agent from AWS Marketplace on each instance.
- Use a network reachability package to analyze network configurations to find security vulnerabilities on the affected EC2 instances.
- Verify that the Amazon Inspector agent is installed and running on the affected instances. Restart the Amazon Inspector agent.
A medical imaging company needs to process large amounts of imaging data in real time using a specific instance type. The company wants to guarantee sufficient resource capacity for 1 year.
Which action will meet these requirements in the MOST cost-effective manner?
- Create 1-year On-Demand Capacity Reservations in the specific Availability Zones.
- Launch Amazon EC2 instances with termination protection enabled.
- Purchase 1-year Reserved Instances in the specific Availability Zones.
- Use a Spot Fleet across multiple Availability Zones.
An On-Demand Capacity Reservation in a specific Availability Zone is the only logical way to guarantee resource capacity for a specific period of time. A Spot Fleet cannot be used because its instances can be terminated at any time. Reserved Instances are also not a viable option because the images need resource capacity continuously.
A sysops administrator is trying to deploy a new Amazon EC2 instance using the AWS Management Console, but the instance is failing to launch.
What could be causing this problem? (Choose two.)
- The AWS account has reached EC2 limits for the Region.
- The AWS account has reached EC2 limits for the Availability Zone.
- An EC2 key pair has not been specified.
- The EC2 instance is missing an instance profile with ec2:RunInstances permissions.
- The subnet being used has no more usable private IP addresses.
A company has several accounts between different teams and wants to increase its auditing and compliance capabilities. The accounts are managed through AWS Organizations. Management wants to provide the security team with secure access to the account logs while also restricting the possibility for the logs to be modified.
How can a SysOps administrator achieve this with the LEAST amount of operational overhead?
- Store AWS CloudTrail logs in Amazon S3 in each account. Create a new account to store compliance data and replicate the objects into the newly created account.
- Store AWS CloudTrail logs in Amazon S3 in each account. Create an IAM user with read-only access to the CloudTrail logs.
- From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.
- Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs.
A company in a highly regulated industry has just migrated an Amazon EC2 based application to AWS. For compliance reasons, all network traffic data between the servers must be captured and retained.
Which solution will accomplish this with the LEAST amount of effort?
- Set up AWS CloudTrail on the VPC. Configure Amazon CloudWatch Logs as the destination.
- Set up AWS CloudTrail on the VPC. Configure Amazon S3 as the destination.
- Set up flow logs at the elastic network interface level. Configure Amazon S3 as the destination.
- Set up flow logs at the VPC level. Configure Amazon S3 as the destination.
A company is expanding its use of AWS services across its portfolios. The company wants to provision AWS accounts for each team to ensure a separation of business processes for security, compliance, and billing. Account creation and bootstrapping should be completed in a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place. A SysOps administrator needs to design a provisioning process that saves time and resources.
Which action should be taken to meet these requirements?
- Automate using AWS Elastic Beanstalk to provision the AWS accounts, set up infrastructure, and integrate with AWS Organizations.
- Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure.
- Use AWS Config to provision accounts and deploy instances using AWS Service Catalog.
- Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts.
A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals spikes in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A SysOps administrator is tasked with finding the process ID (PID) of the service or process that is consuming more CPU.
How can the administrator accomplish this with the LEAST amount of effort?
- Configure an AWS Lambda function in Python 3.7 to run every minute to capture the PID and send a notification.
- Configure the procstat plugin to collect and send CPU metrics for the running processes.
- Log in to the EC2 Linux instance using a .pem key each night and then run the top command.
- Use the default Amazon CloudWatch CPU utilization metric to capture the PID in the CloudWatch dashboard.
A company is using an Amazon ElastiCache for Redis cluster in a production environment. To align with the company’s technical requirements, a SysOps administrator needs to select a deployment to provide increased availability and fault tolerance.
Which action should the SysOps administrator take to accomplish this goal?
- Deploy the ElastiCache cluster with Memcached as the engine.
- Deploy the Redis cluster within an Auto Scaling group to launch replicas across multiple Availability Zones.
- Verify that cluster mode is disabled. Increase the number of shards.
- Verify that Multi-AZ with automatic failover is enabled. Place replicas in multiple Availability Zones.
The chief financial officer (CFO) of an organization has seen a spike in Amazon S3 storage costs over the last few months. A SysOps administrator suspects that these costs are related to storage for older versions of S3 objects from one of its S3 buckets.
What can the administrator do to confirm this suspicion?
- Enable Amazon S3 inventory and then query the inventory to identify the total storage of previous object versions.
- Use object-level cost allocation tags to identify the total storage of previous object versions.
- Enable the Amazon S3 analytics feature for the bucket to identify the total storage of previous object versions.
- Use Amazon CloudWatch storage metrics for the S3 bucket to identify the total storage of previous object versions.
A company manages more than 1,000 Amazon EC2 instances running Amazon Linux 2 in multiple VPCs. A SysOps administrator must change the statically configured DNS server IP address on all the EC2 instances.
Which solution will require the LEAST amount of effort?
- Develop an AWS Lambda function to update the corporate DNS IP address on all the EC2 instances.
- Run a shell script to update the corporate DNS IP address on each EC2 instance.
- Update the Amazon Machine Images (AMIs) of the EC2 instances to configure the updated corporate DNS IP address.
- Use the AWS Systems Manager Run Command to update the corporate DNS IP address on all the EC2 instances.
A company wants to reduce costs on jobs that can be completed at any time. The jobs are currently run using multiple On-Demand Instances, and the jobs take just under 2 hours to complete. If a job fails for any reason, it can be restarted from the beginning.
Which method is the MOST cost-effective based on these requirements?
- Purchase Reserved Instances to be used for job execution.
- Submit a request for a one-time Spot Instance for job execution.
- Submit a request for a Spot block to be used for job execution.
- Use a mixture of On-Demand and Spot Instances for job execution.
A company has a multi-account AWS environment that includes the following:
-A central identity account that contains all IAM users and groups
-Several member accounts that contain IAM roles
A SysOps administrator must grant permissions for a particular IAM group to assume a role in one of the member accounts.
How should the SysOps administrator accomplish this task?
- In the member account, add sts:AssumeRole permissions to the role’s policy. In the identity account, add a trust policy to the group that specifies the account number of the member account.
- In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.
- In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:PassRole permissions.
- In the member account, add the group Amazon Resource Name (ARN) to the role’s inline policy. In the identity account, add a trust policy to the group with sts:AssumeRole permissions.
An image processing system runs asynchronously on AWS Lambda. A SysOps administrator is configuring a Lambda function to notify developers when an image fails to process after three attempts. The SysOps administrator has created an Amazon Simple Notification Service (Amazon SNS) topic to notify the developers.
Which additional action should the SysOps administrator take to meet this requirement?
- Configure an Amazon CloudWatch alarm for errors from the Lambda function, which notifies the Amazon SNS topic.
- Implement a dead-letter queue targeting the Amazon SNS topic.
- Modify the Lambda function code to publish failed orders to the Amazon SNS topic before exiting.
- Subscribe to Lambda function error notifications from the AWS Personal Health Dashboard.
A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance.
Which of the following are possible causes of this issue? (Choose two.)
- A network ACL associated with the bastion’s subnet is blocking the network traffic.
- The instance does not have a private IP address.
- The route table associated with the bastion’s subnet does not have a route to the internet gateway.
- The security group for the instance does not have an inbound rule on port 22.
- The security group for the instance does not have an outbound rule on port 3389.