SOA-C01 : AWS-SysOps : Part 47

SOA-C01 : AWS-SysOps : Part 47

1. A company uses many Amazon Elastic Block Store (Amazon EBS) volumes. The company wants to use Amazon Data Lifecycle Manager (Amazon DLM) to manage the lifecycle of EBS snapshots that have tags of “Production” and “Compliance”.

   Which combination of the following are needed to turn on this feature? (Choose two.)

   • A minimum storage requirement of 5 GB
   • One IAM role for Amazon DLM and another IAM role for the users
   • Encryption of the EBS volumes
   • A minimum baseline performance of 3 IOPS/GB
   • Tagging of the EBS volumes

2. A company is creating an application that will keep records. The application will run on Amazon EC2 instances and will use an Amazon Aurora MySQL database as its data store. To maintain compliance, the application must not retain information that is determined to be sensitive.

   Which technique should a SysOps administrator use to detect if sensitive data is being stored in the application?

   • Export data from the database by using an AWS Lambda function. Store the data in Amazon S3. Use Amazon Macie to examine the stored data. Examine the report for any sensitive data that is discovered.
   • Install the Amazon GuardDuty plugin for Aurora. Configure GuardDuty to examine the database. Add the corresponding EC2 CIDR ranges to the trusted IP list in GuardDuty. Examine the report for any sensitive data that is discovered.
   • Deploy Amazon Inspector by installing the Amazon Inspector agent on all EC2 instances. Set the Amazon Inspector assessment type to HOST assessment. Include NETWORK communications with the Aurora DB cluster. Examine the report for any sensitive data that is discovered.
   • Use VPC Flow Logs to examine traffic between the EC2 instances and the Aurora DB cluster. Store the log files in Amazon S3. Use Amazon Detective to examine the extracted log files. Examine the report for any sensitive data that is discovered.

3. A SysOps administrator needs a secure way to connect to AWS Key Management Service (AWS KMS) within a VPC. The SysOps administrator must ensure that connections to AWS KMS do not traverse the internet.

   What is the MOST secure solution that meets these requirements?

   • Use a bastion host to connect to AWS KMS.
   • Use a NAT gateway to connect to AWS KMS.
   • Use a VPC gateway endpoint for Amazon S3 to connect to AWS KMS.
   • Use a VPC interface endpoint to connect to AWS KMS.

4. A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations.

   What should a SysOps administrator do to implement this requirement?

   • Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
   • Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
   • Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
   • Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.

5. A company has an application that is running on an Amazon EC2 instance in one Availability Zone. A SysOps administrator needs to make the application highly available. The SysOps administrator has created a launch configuration from the running EC2 instance. The SysOps administrator also has properly configured a load balancer.

   What should the SysOps administrator do next to make the application highly available?

   • Create an Auto Scaling group by using the launch configuration across at least two Availability Zones. Configure a minimum capacity of 1, a desired capacity of 1, and a maximum capacity of 1.
   • Create an Auto Scaling group by using the launch configuration across at least three Availability Zones. Configure a minimum capacity of 2, a desired capacity of 2, and a maximum capacity of 2.
   • Create an Auto Scaling group by using the launch configuration across at least two AWS Regions. Configure a minimum capacity of 1, a desired capacity of 1, and a maximum capacity of 1.
   • Create an Auto Scaling group by using the launch configuration across at least three AWS Regions. Configure a minimum capacity of 2, a desired capacity of 2, and a maximum capacity of 2.

6. A SysOps administrator is testing a new batch job. The batch job will upload 20 GB of data from Amazon EC2 instances in a private subnet to an Amazon S3 bucket each day. After the first test is complete, a small cost is reported. The cost has the heading “NAT Gateway – Data Processed.”

   Which change can the SysOps administrator make to eliminate this cost for future tests?

   • Configure and use a VPC endpoint.
   • Write an S3 bucket policy to enforce encryption in transit for the uploads.
   • Configure the S3 bucket to use the S3 Intelligent-Tiering storage class.
   • Disable cross-origin resource sharing (CORS) for the S3 bucket.

7. A SysOps administrator is deploying a fleet of over 100 Amazon EC2 instances in an Amazon VPC. After the instances are set up and serving clients, a new DNS server needs to be added to the instances for DNS resolution.

   What is the MOST efficient way to make this change?

   • Update the DHCP options set for the Amazon VPC.
   • Use AWS OpsWorks to update the DNS server configuration for each instance.
   • Use AWS Systems Manager to update the DMS server configuration for each instance.
   • Write a script to update the DNS server configuration for each instance.

8. A company wants to track Amazon EC2 usage charges that are based on the value of a tag that is named Business-Unit. Company leaders instruct developers to update all EC2 resources with the tag. The developers notify the leaders that they have completed this task.

   Later that week, a finance team member checks Cost Explorer. The finance team member sees EC2 costs in the different accounts but cannot find the Business-Unit tag to filter by or group by.

   What is the MOST likely reason that the Business-Unit tag is absent?

   • The Business-Unit tag is not activated as a cost allocation tag in the AWS Billing and Cost Management console.
   • The Business-Unit tag is not valid because tag key names do not support dashes (-).
   • The instances have been rebooted, and the developers neglected to re-add the Business-Unit tag after the reboot.
   • The IAM user does not have permission to view the tags in Cost Explorer.

9. A developer created a new application that uses Spot Fleet for a variety of instance families across multiple Availability Zones.

   What should the developer do to ensure that the Spot Fleet is configured for cost optimization?

   • Deploy a capacityOptimized allocation strategy for provisioning Spot Instances.
   • Ensure instance capacity by specifying the desired target capacity and how much of that capacity must be On-Demand.
   • Use the lowestPrice allocation strategy with InstancePoolsToUseCount in the Spot Fleet request.
   • Launch instances up to the Spot Fleet target capacity or the maximum acceptable payment amount.

10. A SysOps administrator must run a script on production servers to fix an issue. The company has a policy to block all remote interactive access to production servers.

    Based on this situation, how should the administrator run the script?

    • Share and use the Amazon EC2 key pairs to gain access to the servers and run the script.
    • Put the script into the user data of the instances.
    • Configure the script to run as a cron job or scheduled task on the EC2 instances.
    • Use AWS Systems Manager to run the script.

11. A company is hosting a website on an Amazon EC2 instance that runs in a public subnet inside a VPC. The company uses Amazon CloudWatch Logs for web server log analysis.

    A SysOps administrator has installed and configured the CloudWatch Logs agent on the EC2 instance and has confirmed that the agent is running. However, logs are not showing up in CloudWatch Logs.

    Which solution will resolve this issue?

    • Modify the EC2 instance security group rules to allow inbound traffic on port 80.
    • Create an IAM user that has the proper permissions for CloudWatch logs. Create an IAM instance profile, and associate it with the IAM user. Associate the instance profile with the EC2 instance.
    • Create an IAM role that has the proper permissions for CloudWatch logs. Create an IAM instance profile, and associate it with the IAM role. Associate the instance profile with the EC2 instance.
    • Modify the VPC’s network ACL rules for the public subnet to allow inbound traffic on port 80.

12. A company’s audit shows that users have been changing cost-related tags on Amazon EC2 instances after deployment. The company has an organization in AWS Organizations with many AWS accounts.

    The company needs a solution to detect the EC2 instances automatically. The solution must require the least possible operational overhead.

    Which solution meets these requirements?

    • Use service control policies (SCPs) to track EC2 instances that do not have the required tags.
    • Use Amazon Inspector to run a report to identify EC2 instances that do not have the required tags.
    • Use an AWS Config rule to track EC2 instances that do not have the required tags.
    • Use AWS Well-Architected Tool (AWS WA Tool) to run a report to identify EC2 instances that do not have the required tags.