SOA-C01 : AWS-SysOps : Part 45

SOA-C01 : AWS-SysOps : Part 45

1. A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load.

   What are possible causes for this problem? (Choose two.)

   • CloudFront does not have the ALB configured as the origin access identity.
   • The DNS is still pointing to the ALB instead of the CloudFront distribution.
   • The ALB security group is not permitting inbound traffic from CloudFront.
   • The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.
   • The target groups associated with the ALB are configured for sticky sessions.

2. A company is managing multiple AWS accounts using AWS Organizations. One of these accounts is used only for retaining logs in an Amazon S3 bucket. The company wants to make sure that compute resources cannot be used in the account.

   How can this be accomplished with the LEAST administrative effort?

   • Apply an IAM policy to all IAM entities in the account with a statement to explicitly deny NotAction: s3:*.
   • Configure AWS Config to terminate compute resources that have been created in the accounts.
   • Configure AWS CloudTrail to block any action where the event source is not s3:amazonaws.com.
   • Update the service control policy on the account to deny the unapproved services.

3. A company is evaluating solutions for connecting its data centers to a VPC in an AWS Region running a mission-critical application. A secondary Region has already been set up as a disaster recovery solution. The company needs a consistent, low-latency connection of at least 10 Gbps that must be highly resilient and fault tolerant.

   Which solution meets these requirements?

   • Set up a 10 Gbps AWS Direct Connect connection at two Direct Connect locations. Use two customer routers and dynamically routed, active/active connections.
   • Set up a 10 Gbps AWS Direct Connect connection. Use a Direct Connect gateway to support both Regions.
   • Establish an AWS Direct Connect connection for the primary connection to the VPC with an AWS-managed VPN connection as a backup.
   • Establish 10 VPN connections to the VPC. Enable the VPN Equal Cost Multipath (ECMP) feature to balance traffic over the active connections.

4. A company’s security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager.

   Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances.

   What should a SysOps administrator do to resolve this issue?

   • Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
   • Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
   • Configure the SSM Agent to log in with a user name of “ubuntu”.
   • Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

5. A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53 should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set appropriately for both primary and secondary servers.

   Which next step should be taken to configure Route 53?

   • Create an A record for each server. Associate the records with the Route 53 HTTP health check.
   • Create an A record for each server. Associate the records with the Route 53 TCP health check.
   • Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.
   • Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.

6. A company has a three-tier stateful web application. The application is served through an Amazon CloudFront distribution with default configuration options and an Application Load Balancer (ALB) as the origin. Logged-in users get intermittently logged out and see inconsistent content.

   Which action should the company take to ensure a stable user experience during a session?

   • Enable session affinity (sticky sessions) on the ALB. Configure CloudFront to forward all cookies to the origin.
   • Restrict viewer access to signed cookies in CloudFront. Enable session affinity (sticky sessions) on the ALB.
   • Switch from duration-based session affinity (sticky sessions) to application-controlled session affinity (sticky sessions) on the ALB.
   • Configure the CloudFront TTL to be equal to or less than the ALB session duration.

7. An application running on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones was deployed using an AWS CloudFormation template. The SysOps team has patched the Amazon Machine Image (AMI) version and must update all the EC2 instances to use the new AMI.

   How can the SysOps Administrator use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity?

   • Run the aws cloudfomation update-stack command with the – rollback-configuration option
   • Update the CloudFormation template with the new AMI ID, then reboot the EC2 instances
   • Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack
   • Set an AutoScalingRollingUpdate policy in the CloudFormation template to update the stack.

8. A company has an application that is hosted on two Amazon EC2 instances in different Availability Zones. Both instances contain data that is critical for the company’s business. Backups need to be retained for 7 days and need to be updated every 12 hours.

   Which solution will meet these requirements with the LEAST amount of effort?

   • Use an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to create snapshots of the Amazon Elastic Block Store (Amazon EBS) volumes.
   • Use Amazon Data Lifecycle Manager (Amazon DLM) to create a snapshot lifecycle policy for both instances.
   • Create a batch job to generate automated snapshots of the Amazon Elastic Block Store (Amazon EBS) volumes.
   • Create an AWS Lambda function to copy the data to Amazon S3 Glacier.

9. A SysOps administrator is re-architecting an application. The SysOps administrator has moved the database from a public subnet, where the database used a public endpoint, into a private subnet to restrict access from the public network. After this change, an AWS Lambda function that requires read access to the database cannot connect to the database. The SysOps administrator must resolve this issue without compromising security.

   Which solution meets these requirements?

   • Create an AWS PrivateLink interface endpoint for the Lambda function. Connect to the database using its private endpoint.
   • Connect the Lambda function to the database VPC. Connect to the database using its private endpoint.
   • Attach an IAM role to the Lambda function with read permissions to the database.
   • Move the database to a public subnet. Use security groups for secure access.

10. A company that hosts a multi-tier ecommerce web application on AWS has been alerted to suspicious application traffic. The architecture consists of Amazon EC2 instances deployed across multiple Availability Zones behind an Application Load Balancer (ALB). After examining the instance logs, a SysOps administrator determines that the suspicious traffic is an attempted SQL injection attack.

    What should the SysOps administrator do to prevent similar attacks?

    • Create an Amazon CloudFront distribution with the ALB as the origin. Enable AWS Shield Advanced to protect from SQL injection attacks at edge locations.
    • Create an AWS WAF web ACL, and configure a SQL injection rule to add to the web ACL. Associate the WAF web ACL with the ALB.
    • Enable Amazon GuardDuty. Use Amazon EventBridge (Amazon CloudWatch Events) to trigger an AWS Lambda function every time GuardDuty detects SQL injection.
    • Install Amazon Inspector on the EC2 instances, and configure a rules package. Use the findings reports to identify and block SQL injection attacks.

11. A company is migrating its exchange server from its on-premises location to a VPC in the AWS Cloud. Users working from home connect using a secure, encrypted channel over the internet to the exchange server. However, after the migration to AWS, users are having trouble receiving email.

    The VPC flow log records display the following.

    

    

    What is the root cause of the problem?

    • SMTP traffic from the network interface was blocked by an outbound network ACL.
    • SMTP traffic from the network interface was blocked by an outbound security group.
    • SMTP traffic to the network interface was blocked by an inbound network ACL.
    • SMTP traffic to the network interface was blocked by an inbound security group.

12. An Amazon EC2 instance has a secondary Amazon Elastic Block Store (EBS) volume attached that contains sensitive data. A new company policy requires the secondary volume to be encrypted at rest.

    Which solution will meet this requirement?

    • Create a snapshot of the volume. Create a new volume from the snapshot with the Encrypted parameter set to true. Detach the original volume and attach the new volume to the instance.
    • Create an encrypted Amazon Machine Image (AMI) of the EC2 instance. Launch a new instance with the encrypted AMI. Terminate the original instance.
    • Stop the EC2 instance. Encrypt the volume with AWS CloudHSM. Start the instance and verify encryption.
    • Stop the EC2 instance. Modify the instance properties and set the Encrypted parameter to true. Start the instance and verify encryption.

13. A SysOps administrator recently launched an application consisting of web servers running on Amazon EC2 instances, an Amazon ElastiCache cluster communicating on port 6379, and an Amazon RDS for PostgreSQL DB instance communicating on port 5432. The web servers are in the security group web-sg, the ElastiCache cluster is in the security group cache-sg, and the DB instance is in the security group database-sg.

    The application fails on start, with the error message “Unable to connect to the database”.

    The rules in web-sg are as follows.

    

    Which change should the SysOps administrator make to web-sg to correct the issue without compromising security?

    • Add a new inbound rule:
      database-sg TCP 5432
    • Add a new outbound rule:
      database-sg TCP 5432
    • Add a new outbound rule:
      0.0.0.0/0 All Traffic 0-65535
    • Change the outbound rule to:
      cache-sg TCP 5432

14. A kernel patch for AWS Linux has been released, and systems need to be updated to the new version. A SysOps administrator must apply an in-place update to an existing Amazon EC2 instance without replacing the instance.

    How should the SysOps administrator apply the new software version to the instance?

    • Add the instance to a patch group and patch baseline containing the desired patch by using AWS Systems Manager Patch Manager.
    • Develop a new version of the instance’s Amazon Machine Image (AMI). Apply that new AMI to the instance.
    • Develop a new user data script containing the patch. Configure the instance with the new script.
    • Run commands on the instance remotely using the AWS CLI.

15. A company needs to implement a system for object-based storage in a write-once, read-many (WORM) model. Objects cannot be deleted or changed after they are stored, even by an AWS account root user or administrators.

    Which solution will meet these requirements?

    • Set up Amazon S3 Cross-Region Replication and run daily updates.
    • Set up Amazon S3 Object Lock in governance mode with S3 Versioning enabled.
    • Set up Amazon S3 Object Lock in compliance mode with S3 Versioning enabled.
    • Set up an Amazon S3 Lifecycle policy to move the objects to Amazon S3 Glacier.

16. A company runs a multi-tier web application with two Amazon EC2 instances in one Availability Zone in the us-east-1 Region. A SysOps administrator must migrate one of the EC2 instances to a new Availability Zone.

    Which solution will accomplish this?

    • Copy the EC2 instance to a different Availability Zone. Terminate the original instance.
    • Create an Amazon Machine Image (AMI) from the EC2 instance and launch it in a different Availability Zone. Terminate the original instance.
    • Move the EC2 instance to a different Availability Zone using the AWS CLI.
    • Stop the EC2 instance, modify the Availability Zone, and start the instance.

17. A company’s application infrastructure was deployed using AWS CloudFormation and is composed of Amazon EC2 instances behind an Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. When releasing a new version of the application, the update deployment must avoid DNS changes and allow rollback.

    Which solution should a SysOps administrator use to meet the deployment requirements for this new release?

    • Configure the Auto Scaling group to use lifecycle hooks. Deploy new instances with the new application version. Complete the lifecycle hook action once healthy.
    • Create a new Amazon Machine Image (AMI) containing the updated code. Create a launch configuration with the AMI. Update the Auto Scaling group to use the new launch configuration.
    • Deploy a second CloudFormation stack. Wait for the application to be available. Cut over to the new Application Load Balancer.
    • Modify the CloudFormation template to use an AutoScalingReplacingUpdate policy. Update the stack. Perform a second update with the new release.

18. A company wants to launch a group of Amazon EC2 instances that need to communicate with each other with the lowest possible latency.

    Which combination of actions should a SysOps administrator take when launching these instances? (Choose two.)

    • Launch instances in different VPCs with a VPN tunnel.
    • Launch instances in different VPCs with VPC peering enabled.
    • Launch instances in a cluster placement group.
    • Launch instances in a spread placement group.
    • Launch instances with enhanced networking enabled.

19. A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account.

    What is the MOST operationally efficient solution to control the production account?

    • Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
    • Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
    • Create a service control policy (SCP). Apply the SCP to the production OU.
    • Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.

20. A company’s data processing workflow uses AWS Lambda to interact with other AWS services, including AWS Step Functions, Amazon DynamoDB, and Amazon S3. The Lambda functions make several API calls to these services as a part of the workflow. AWS CloudTrail has been enabled in the AWS Region and is logging to Amazon CloudWatch Logs. The Lambda functions are also logging to CloudWatch Logs.

    A SysOps administrator notices that a specific Lambda function in the workflow is taking longer to run than it did last month. The SysOps administrator needs to determine the parts of the Lambda function that are experiencing higher-than-normal response times.

    What solution will accomplish this?

    • Analyze logs in CloudWatch Logs for the timestamps at which the API calls are made while the Lambda function is running. Compare with the logs from the previous month.
    • Enable AWS X-Ray for the function. Analyze the service map and traces to help identify the API calls with anomalous response times.
    • Search CloudTrail logs for the calls from the Lambda function. Compare the observed and expected times of API calls relative to the time when the function starts.
    • Use CloudWatch to monitor the Duration metric of function invocations for the Lambda function. Compare with the measurements from the previous month.