SOA-C01 : AWS-SysOps : Part 46

SOA-C01 : AWS-SysOps : Part 46

1. Developers are using IAM access keys to manage AWS resources using AWS CLI. Company policy requires that access keys are automatically disabled when the access key age is greater than 90 days.

   Which solution will accomplish this?

   • Configure an Amazon CloudWatch alarm to trigger an AWS Lambda function that disables keys older than 90 days.
   • Configure AWS Trusted Advisor to identify and disable keys older than 90 days.
   • Set a password policy on the account with a 90-day expiration.
   • Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation.

2. A company wants to store sensitive data in Amazon S3. The S3 bucket and its contents must be accessible only from the on-premises corporate network.

   What should a SysOps administrator do to configure the S3 bucket policy statement?

   • Use a Deny effect with a condition based on the aws:sourceVpc key.
   • Use a Deny effect with a condition based on the NotIpAddress key.
   • Use an Allow effect with a condition based on the IpAddress key.
   • Use an Allow effect with a condition based on the s3:LocationConstraint key.

3. A SysOps administrator wants to encrypt an existing Amazon RDS DB instance with AWS Key Management Service (AWS KMS).

   How should the SysOps administrator accomplish this goal?

   • Copy the data volumes of the unencrypted instance. Apply the KMS key to the copied data volumes. Start the instance with the encrypted volumes.
   • Create a read replica of the unencrypted instance. Encrypt the read replica with the KMS key. Promote the read replica to become the primary instance.
   • Take a snapshot of the unencrypted instance. Apply the KMS key to the existing instance using the modify-db-instance command. Restart the instance.
   • Take a snapshot of the unencrypted instance. Create an encrypted copy of the snapshot with the KMS key. Restore the instance from the encrypted snapshot.

4. A company needs to deploy a web application on two Amazon EC2 instances behind an Application Load Balancer (ALB). Two EC2 instances will also be deployed to host the database. The infrastructure needs to be designed across Availability Zones (AZs) for high availability and must limit public access to the instances as much as possible.

   How should this be achieved within a VPC?

   • Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a private subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.
   • Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a public subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.
   • Use two AZs and create one public subnet for the Application Load Balancer, a private subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.
   • Use two AZs and create one public subnet for the Application Load Balancer, a public subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.

5. A SysOps administrator is responsible for managing a fleet of Amazon EC2 instances. These EC2 instances upload build artifacts to a third-party service. The third-party service recently implemented strict IP whitelisting that requires all build uploads to come from a single IP address.

   What change should the systems administrator make to the existing build fleet to comply with this new requirement?

   • Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service.
   • Move all of the EC2 instances behind an internet gateway and provide the gateway IP address to the service.
   • Move all of the EC2 instances into a single Availability Zone and provide the Availability Zone IP address to the service.
   • Move all of the EC2 instances to a peered VPC and provide the VPC IP address to the service.

6. A SysOps administrator manages an AWS CloudFormation template that provisions Amazon EC2 instances, an Elastic Load Balancer, and Amazon RDS instances. As part of an ongoing transformation project, CloudFormation stacks are being created and deleted continuously. The administrator needs to ensure that the RDS instances continue running after a stack has been deleted.

   Which action should be taken to meet these requirements?

   • Edit the template to remove the RDS resources and update the stack.
   • Enable termination protection on the stack.
   • Set the DeletionPolicy attribute for RDS resources to Retain in the template.
   • Set the deletion-protection parameter on RDS resources.

7. A streaming company is using AWS resources in the us-east-1 Region for its production environment. The web tier of the streaming site runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group is configured to scale when the CPU utilization of the instances is greater than 75%. The user database is hosted on an Amazon RDS MySQL cluster, and video content is stored within an Amazon S3 bucket. Amazon CloudWatch metrics show that the RDS MySQL Multi-AZ DB instance has around 16 GB of memory free and an average CPU utilization of 70%. It is taking users in Asia several seconds longer to access the streaming website.

   Which combination of actions will improve the access load times? (Choose two.)

   • Configure RDS MySQL Multi-AZ to reduce RDS CPU and RAM utilization and distribute queries to multiple Availability Zones.
   • Modify the EC2 Auto Scaling group so it will scale horizontally when CPU utilization is 50%.
   • Provision a second production environment in the Asia Pacific Region and use an ALB to distribute cross-Region access.
   • Provision a second production environment in the Asia Pacific Region and use Amazon Route 53 latency-based routing.
   • Set up an Amazon CloudFront distribution to handle static content for users accessing it from different geographic locations.

8. A large company has multiple AWS accounts that are assigned to each department. A SysOps administrator needs to help the company reduce overhead and manage its AWS resources more easily. The SysOps administrator also must ensure that department users, including AWS account root users, have access only to AWS services that are essential for their job function.

   Which solution will meet these requirements?

   • Enable AWS Directory Service. Enforce Group Policy Objects (GPOs) on each department to restrict access.
   • Migrate all the accounts to a central account. Create IAM groups for each department with only the necessary permissions.
   • Use AWS Organizations and implement service control policies (SCPs) to ensure accounts use only essential AWS services.
   • Use AWS Single Sign-On and configure it to limit access to only essential AWS services.

9. A security officer has requested that internet access be removed from subnets in a VPC. The subnets currently route internet-bound traffic to a NAT gateway. A SysOps administrator needs to remove this access while allowing access to Amazon S3.

   Which solution will meet these requirements?

   • Set up an internet gateway. Update the route table on the subnets to use the internet gateway to route traffic to Amazon S3.
   • Set up an S3 VPC gateway endpoint. Update the route table on the subnets to use the gateway endpoint to route traffic to Amazon S3.
   • Set up additional NAT gateways in each Availability Zone. Update the route table on the subnets to use the NAT gateways to route traffic to Amazon S3.
   • Set up an egress-only internet gateway. Update the route table on the subnets to use the egress-only internet gateway to route traffic to Amazon S3.

10. An application is running on Amazon EC2 instances and storing all application data in Amazon S3. The company wants to archive all files older than 30 days to reduce costs. Archived files are used for auditing purposes only; however, the audit team may need to retrieve files in under a minute.

    How should the SysOps administrator implement these requirements?

    • Configure an S3 bucket policy to move all objects older than 30 days to S3 Standard-Infrequent Access (S3 Standard-IA).
    • Create a lifecycle rule to move all objects older than 30 days to S3 Glacier.
    • Create a lifecycle rule to move all objects older than 30 days to S3 Standard-Infrequent Access (S3 Standard-IA).
    • Use S3 Intelligent-Tiering to move files older than 30 days to S3 Glacier Deep Archive.

11. A company has developed a new memory-intensive application that is deployed to a large Amazon EC2 Linux fleet. The company is concerned about potential memory exhaustion, so the development team wants to monitor memory usage by using Amazon CloudWatch.

    What is the MOST operationally efficient way to accomplish this goal?

    • Create an AWS Lambda function to capture memory utilization of the EC2 instances. Schedule the Lambda function with Amazon EventBridge (Amazon CloudWatch Events).
    • Deploy the application to memory optimized EC2 instances. Use the CloudWatch MemoryUtilization metric.
    • Install the CloudWatch agent on the EC2 instances to collect and send metrics to CloudWatch.
    • Install the CloudWatch monitoring scripts on the EC2 instances to collect and send metrics to CloudWatch.

12. A company uses LDAP-based credentials and has a Security Assertion Markup Language (SAML) 2.0 identity provider. A SysOps administrator has configured various federated roles in a new AWS account to provide AWS Management Console access for groups of users that use the existing LDAP-based credentials. Several groups want to use the AWS CLI on their workstations to automate daily tasks. To enable them to do so, the SysOps administrator has created an application that authenticates a user and generates a SAML assertion

    Which API call should be used to retrieve credentials for federated programmatic access?

    • sts:AssumeRole
    • sts:AssumeRoleWithSAML
    • sts:AssumeRoleWithWebIdentity
    • sts:GetFederationToken

13. A SysOps administrator is implementing automated I/O load performance testing as part of the continuous integration/continuous delivery (CI/CD) process for an application. The application uses an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS volume for each instance that is restored from a snapshot and requires consistent I/O performance. During the initial tests, the I/O performance results are sporadic. The SysOps administrator must ensure that the tests yield more consistent results.

    Which actions could the SysOps administrator take to accomplish this goal? (Choose two.)

    • Restore the EBS volume from the snapshot with fast snapshot restore enabled.
    • Restore the EBS volume from the snapshot using the cold HDD volume type.
    • Restore the EBS volume from the snapshot and pre-warm the volume by reading all of the blocks.
    • Restore the EBS volume from the snapshot and configure encryption.
    • Restore the EBS volume from the snapshot and configure I/O block size at random.

14. A streaming services company has a three-tier web application hosted on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). When the Auto Scaling group scales in, a deregistration delay occurs and the delay is sometimes longer than the time required to terminate the EC2 instance. A SysOps administrator must ensure that the latest logs are delivered to an external system before the EC2 instance is terminated.

    Which solution will solve this problem?

    • Add a lifecycle hook to the Auto Scaling group to put the EC2 instance in a wait state until the log files have been delivered.
    • Configure a fixed response for the ALB to use custom error messages to respond to incoming requests with HTTP error response codes.
    • Create an Amazon CloudWatch alarm based on the RequestCountPerTarget metric for the Auto Scaling group. Modify the cooldown period to wait until the EC2 instance is terminated.
    • Update the launch configuration to enable scale-in protection for the Auto Scaling group and detach the EC2 instance protected for termination.

15. A SysOps administrator needs to register targets for a Network Load Balancer (NLB) using IP addresses.

    Which prerequisite should the SysOps administrator validate to perform this task?

    • Ensure the NLB listener security policy is set to ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-1-2-Res-2019-08, or ELBSecurityPolicy-TLS-1-0-2015-04.
    • Ensure the health check setting on the NLB for the Matcher configuration is between 200 and 399.
    • Ensure the targets are within any of these CIDR blocks: 10.0.0.0/8 (RFC 1918), 100.64.0.0/10 (RFC 6598), 172.16.0.0/12 (RFC 1918), or 192.168.0.0/16 (RFC 1918).
    • Ensure the NLB is exposed as an endpoint service before registering the targets using IP addresses.

16. A company has a web application that is deployed in a VPC. Inbound traffic to this web application comes in through an internet gateway and arrives at a Network Load Balancer (NLB). From there, the traffic travels to multiple Amazon EC2 instances in two private subnets. The company wants to perform deep packet inspection on the inbound traffic to identify potential hacking attempts.

    Which solution meets these requirements?

    • Configure AWS Shield for the VPC.
    • Use AWS Network Firewall on the VPC. Configure Network Firewall to perform deep packet inspection.
    • Use AWS Network Firewall on the subnets. Configure Network Firewall to perform deep packet inspection.
    • Set up Traffic Mirroring on an inbound port of the NLB.

17. A SysOps administrator has set up a new public Application Load Balancer (ALB) in front of a pair of private web servers in multiple Availability Zones. After deploying an updated AWS CloudFormation template with many changes, user traffic now goes to one web server only.

    What is the MOST likely reason that the traffic is not being balanced between both servers?

    • The faulty server is returning HTTP 200 codes and has been removed.
    • Sticky sessions have been disabled in the ALB for the working server.
    • The ALB is using a custom ping path that is not found on the faulty server.
    • The web clients are using HTTP/2, which is terminated at the ALB.

18. A company’s AWS account users are launching Amazon EC2 instances without required cost allocation tags. A SysOps administrator needs to prevent users within an organization in AWS Organizations from launching new EC2 instances that do not have the required tags. The solution must require the least possible operational overhead.

    Which solution meets these requirements?

    • Set up an AWS Lambda function that will initiate a run instance event and check for the required tags. Configure the function to prevent the launch of EC2 instances if the tags are missing.
    • Set up an AWS Config rule to monitor for EC2 instances that lack the required tags.
    • Set up a service control policy (SCP) that prevents the launch of EC2 instances that lack the required tags. Attach the SCP to the organization root.
    • Set up an Amazon CloudWatch alarm to stop any EC2 instances that lack the required tags.

19. A company recently migrated its three-tier web application to AWS. The application runs on Amazon EC2 instances that are in an Auto Scaling group. A SysOps administrator must create a monitoring dashboard to watch CPU and network utilization for each instance at 1-minute intervals.

    How can the SysOps administrator meet this requirement?

    • Create an Amazon CloudWatch dashboard with basic monitoring.
    • Set up AWS CloudTrail with a dashboard on Amazon QuickSight.
    • Create an Amazon CloudWatch dashboard, and enable detailed monitoring.
    • Use the AWS Personal Health Dashboard.

20. A company is hosting backend web services across Amazon EC2 Linux instances in public subnets in a VPC. A SysOps administrator tries to connect to the instance by using SSH but is unable to connect.

    What could be the cause of the failed connection?

    • The security group does not allow inbound traffic on port 22.
    • The network ACL does not allow outbound traffic on port 80.
    • The security group does not allow outbound traffic on port 3389.
    • The network ACL does not allow inbound traffic on port 443.