SOA-C02 : AWS Certified SysOps Administrator – Associate : Part 02
-
A SysOps Administrator is managing a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy.
Which condition should be used with the alarm?
- AWS/ApplicationELB HealthyHostCount <= 0
- AWS/ApplicationELB UnhealthyHostCount >= 1
- AWS/EC2 StatusCheckFailed <= 0
- AWS/EC2 StatusCheckFailed >= 1
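The alarm condition is only half of the story; whether the alarm actually fires depends on how CloudWatch evaluates datapoints over the alarm's window. The following is an added example, not code from the exam page, that models the "M out of N" rule offline and applies it to constructed HealthyHostCount and UnhealthyHostCount series for a three-target group whose instances fail one by one. The helper names and the simplified TreatMissingData handling are assumptions of this example.

```python
"""Offline model of a CloudWatch alarm's "M out of N" evaluation, applied to
ALB target-health metrics.

Added example, not from the exam page. It reproduces the rule that an alarm
enters ALARM when at least datapoints_to_alarm of the last evaluation_periods
datapoints breach the threshold, plus a simplified form of TreatMissingData.
The metric series are constructed; HealthyHostCount and UnhealthyHostCount
are per-target-group metrics in the AWS/ApplicationELB namespace.
"""
from typing import Callable, Dict, Optional, Sequence

COMPARISONS: Dict[str, Callable[[float, float], bool]] = {
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
    "LessThanThreshold": lambda v, t: v < t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "GreaterThanThreshold": lambda v, t: v > t,
}


def evaluate_alarm(series: Sequence[Optional[float]], threshold: float, comparison: str,
                   evaluation_periods: int = 3, datapoints_to_alarm: Optional[int] = None,
                   treat_missing_data: str = "missing") -> str:
    """Return the alarm state for the most recent window of `series`.

    `series` holds one datapoint per period, oldest first; None marks a period
    with no data. treat_missing_data uses the CloudWatch option names:
    "breaching" and "notBreaching" substitute a value, "missing" drops the
    datapoint. "ignore" is not modelled because it needs the previous state.
    """
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    if not 1 <= datapoints_to_alarm <= evaluation_periods:
        raise ValueError("datapoints_to_alarm must be between 1 and evaluation_periods")
    if treat_missing_data not in ("breaching", "notBreaching", "missing"):
        raise ValueError(f"unsupported TreatMissingData value: {treat_missing_data}")
    breaches = COMPARISONS[comparison]

    window = list(series[-evaluation_periods:])
    window = [None] * (evaluation_periods - len(window)) + window  # short history counts as missing

    evaluated = breaching = 0
    for value in window:
        if value is None:
            if treat_missing_data == "breaching":
                evaluated += 1
                breaching += 1
            elif treat_missing_data == "notBreaching":
                evaluated += 1
            continue  # "missing": the datapoint is ignored
        evaluated += 1
        if breaches(value, threshold):
            breaching += 1

    if evaluated == 0:
        return "INSUFFICIENT_DATA"
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def all_targets_unhealthy(healthy_host_count: Sequence[Optional[float]]) -> str:
    """Alarm for 'no healthy target left': HealthyHostCount <= 0 on every period of the window."""
    return evaluate_alarm(healthy_host_count, 0, "LessThanOrEqualToThreshold", evaluation_periods=3)


def any_target_unhealthy(unhealthy_host_count: Sequence[Optional[float]]) -> str:
    """Alarm for 'at least one target unhealthy': UnhealthyHostCount >= 1. Fires long before all targets are gone."""
    return evaluate_alarm(unhealthy_host_count, 1, "GreaterThanOrEqualToThreshold", evaluation_periods=3)


if __name__ == "__main__":
    # Constructed one-minute series for a target group of three instances failing one after another.
    healthy = [3, 2, 1, 0, 0, 0]
    unhealthy = [0, 1, 2, 3, 3, 3]
    for i in range(1, len(healthy) + 1):
        print(f"t={i}: healthy={healthy[i-1]} -> {all_targets_unhealthy(healthy[:i]):>17} | "
              f"unhealthy={unhealthy[i-1]} -> {any_target_unhealthy(unhealthy[:i])}")
```

Run as a script, the trace shows the UnhealthyHostCount alarm reaching ALARM while two of three targets are still healthy, whereas the HealthyHostCount alarm waits until the last healthy target is gone. When every target is unhealthy the ALB still publishes HealthyHostCount as 0 rather than omitting it, so the default "missing" treatment is safe for this alarm; "notBreaching" would be the wrong choice for a metric that can legitimately go absent, such as a request-count alarm on an idle load balancer.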
-
A SysOps administrator has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow all outbound traffic.
Which solution will provide the EC2 instances in the private subnet with access to the internet?
- Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.
- Create a NAT gateway in the public subnet. Create a route from the public subnet to the NAT gateway.
- Create a NAT gateway in the private subnet. Create a route from the public subnet to the NAT gateway.
- Create a NAT gateway in the private subnet. Create a route from the private subnet to the NAT gateway.
-
A company uses an Amazon Elastic File System (Amazon EFS) file system to share files across many Linux Amazon EC2 instances. A SysOps administrator notices that the file system’s PercentIOLimit metric is consistently at 100% for 15 minutes or longer. The SysOps administrator also notices that the application that reads and writes to that file system is performing poorly. The application requires high throughput and IOPS while accessing the file system.
What should the SysOps administrator do to remediate the consistently high PercentIOLimit metric?
- Create a new EFS file system that uses Max I/O performance mode. Use AWS DataSync to migrate data to the new EFS file system.
- Create an EFS lifecycle policy to transition future files to the Infrequent Access (IA) storage class to improve performance. Use AWS DataSync to migrate existing data to IA storage.
- Modify the existing EFS file system and activate Max I/O performance mode.
- Modify the existing EFS file system and activate Provisioned Throughput mode.
-
A data storage company provides a service that gives users the ability to upload and download files as needed. The files are stored in Amazon S3 Standard and must be immediately retrievable for 1 year. Users access files frequently during the first 30 days after the files are stored. Users rarely access files after 30 days.
The company’s SysOps administrator must use S3 Lifecycle policies to implement a solution that maintains object availability and minimizes cost.
Which solution will meet these requirements?
- Move objects to S3 Glacier after 30 days.
- Move objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
- Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
- Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately.
-
A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.
What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?
- Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
- Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
- Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
- Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
-
A company uses Amazon Route 53 to manage the public DNS records for the domain example.com. The company deploys an Amazon CloudFront distribution to deliver static assets for a new corporate website. The company wants to create a subdomain that is named “static” and must route traffic for the subdomain to the CloudFront distribution.
How should a SysOps administrator create a new record for the subdomain in Route 53?
- Create a CNAME record. Enter static.cloudfront.net as the record name. Enter the CloudFront distribution’s public IP address as the value.
- Create a CNAME record. Enter static.example.com as the record name. Enter the CloudFront distribution’s private IP address as the value.
- Create an A record. Enter static.cloudfront.net as the record name. Enter the CloudFront distribution’s ID as an alias target.
- Create an A record. Enter static.example.com as the record name. Enter the CloudFront distribution’s domain name as an alias target.
-
A company wants to be alerted through email when IAM CreateUser API calls are made within its AWS account.
Which combination of actions should a SysOps administrator take to meet this requirement? (Choose two.)
- Create an Amazon EventBridge (Amazon CloudWatch Events) rule with AWS CloudTrail as the event source and IAM CreateUser as the specific API call for the event pattern.
- Create an Amazon EventBridge (Amazon CloudWatch Events) rule with Amazon CloudSearch as the event source and IAM CreateUser as the specific API call for the event pattern.
- Create an Amazon EventBridge (Amazon CloudWatch Events) rule with AWS IAM Access Analyzer as the event source and IAM CreateUser as the specific API call for the event pattern.
- Use an Amazon Simple Notification Service (Amazon SNS) topic as an event target with an email subscription.
- Use an Amazon Simple Email Service (Amazon SES) notification as an event target with an email subscription.
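An EventBridge rule is only as good as its event pattern. The block below is an added example, not code from the exam page or from AWS: it holds the pattern that selects CloudTrail-delivered iam:CreateUser calls and implements the EventBridge matching rules that pattern relies on, then runs it over constructed events shaped like "AWS API Call via CloudTrail" records. The account id, user names and ARN are placeholders.

```python
"""Offline matcher for the EventBridge event pattern that catches iam:CreateUser
calls delivered from CloudTrail.

Added example, not code from the exam page or from AWS. It implements the
EventBridge rules this pattern needs: every key in the pattern must exist in
the event, nested objects recurse, and a leaf pattern (a list) matches when the
event value, or any element of an array-valued event field, equals one of the
listed values. Sample events are constructed; ids and names are placeholders.
"""
from typing import Any, Dict, List, Tuple

# Event pattern for the rule. IAM is a global service: CloudTrail records its
# API calls in us-east-1, so the rule (and its SNS target) must be created there.
CREATE_USER_PATTERN: Dict[str, Any] = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser"],
    },
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Return True when `event` satisfies `pattern` (exact-value matching only)."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(sub, dict):
            if not isinstance(value, dict) or not matches(sub, value):
                return False
        elif isinstance(sub, list):
            candidates = value if isinstance(value, list) else [value]
            if not any(c in sub for c in candidates):
                return False
        else:
            raise ValueError(f"pattern leaves must be lists, got {type(sub).__name__} at {key!r}")
    return True


def _cloudtrail_event(event_name: str, source_service: str, user_name: str, actor: str) -> Dict[str, Any]:
    """Build a constructed CloudTrail-via-EventBridge event envelope."""
    return {
        "version": "0",
        "id": "11111111-2222-3333-4444-555555555555",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws." + source_service.split(".")[0],
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "eventSource": source_service,
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "arn": actor},
            "requestParameters": {"userName": user_name},
        },
    }


ACTOR = "arn:aws:iam::111122223333:user/alice"  # placeholder
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _cloudtrail_event("CreateUser", "iam.amazonaws.com", "ci-deploy", ACTOR),
    _cloudtrail_event("CreateLoginProfile", "iam.amazonaws.com", "ci-deploy", ACTOR),
    _cloudtrail_event("CreateUser", "sts.amazonaws.com", "ignored", ACTOR),  # same name, wrong service
    _cloudtrail_event("CreateUser", "iam.amazonaws.com", "backdoor", ACTOR),
]


def find_alerts(events: List[Dict[str, Any]], pattern: Dict[str, Any] = CREATE_USER_PATTERN) -> List[Tuple[str, str]]:
    """Return (created user name, actor ARN) for each event the rule would forward to its target."""
    hits = []
    for ev in events:
        if matches(pattern, ev):
            d = ev["detail"]
            hits.append((d["requestParameters"]["userName"], d["userIdentity"]["arn"]))
    return hits


if __name__ == "__main__":
    for user, actor in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: IAM user {user!r} created by {actor}")
```

With the rule in place, the matching events go to the rule's target; an SNS topic with an email subscription is the usual choice for a plain notification. Two practical checks: the account's CloudTrail trail (or the EventBridge delivery of management events) must be active, and a rule created outside us-east-1 never sees IAM events at all.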
-
A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website.
Which action should a SysOps administrator take to resolve this issue?
- Configure the CloudFront distribution behavior to forward the User-Agent header.
- Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers.
- Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.
- Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint.
-
A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain’s zone apex to the website.
Which type of record should be used to meet these requirements?
- An AAAA record for the domain’s zone apex
- An A record for the domain’s zone apex
- A CNAME record for the domain’s zone apex
- An alias record for the domain’s zone apex
-
A SysOps administrator is maintaining a web application using an Amazon CloudFront web distribution, an Application Load Balancer (ALB), Amazon RDS, and Amazon EC2 in a VPC. All services have logging enabled. The administrator needs to investigate HTTP Layer 7 status codes from the web application.
Which log sources contain the status codes? (Choose two.)
- VPC Flow Logs
- AWS CloudTrail logs
- ALB access logs
- CloudFront access logs
- RDS logs
-
A SysOps administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the internet.
Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)
- Add a NAT gateway to a public subnet.
- Attach a private address to the elastic network interface on the EC2 instance.
- Attach an Elastic IP address to the internet gateway.
- Add an entry to the route table for the subnet that points to an internet gateway.
- Create an internet gateway and attach it to a VPC.
-
An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy.
What is likely to be the problem?
- The Amazon Machine Image (AMI) used is not available in that Region.
- The AWS CloudFormation template needs to be updated to the latest version.
- The VPC configuration parameters have changed and must be updated in the template.
- The account has reached the default limit for VPCs allowed.
-
A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?
- Specify “*” as the principal and PrincipalOrgId as a condition.
- Specify all account numbers as the principal.
- Specify PrincipalOrgId as the principal.
- Specify the organization’s master account as the principal.
-
An Amazon S3 Inventory report reveals that more than 1 million objects in an S3 bucket are not encrypted. These objects must be encrypted, and all future objects must be encrypted at the time they are written.
Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)
- Create an AWS Config rule that runs evaluations against configuration changes to the S3 bucket. When an unencrypted object is found, run an AWS Systems Manager Automation document to encrypt the object in place.
- Edit the properties of the S3 bucket to enable default server-side encryption.
- Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Create an S3 Batch Operations job to copy each object in place with encryption enabled.
- Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Send each object name as a message to an Amazon Simple Queue Service (Amazon SQS) queue. Use the SQS queue to invoke an AWS Lambda function to tag each object with a key of “Encryption” and a value of “SSE-KMS”.
- Use S3 Event Notifications to invoke an AWS Lambda function on all new object-created events for the S3 bucket. Configure the Lambda function to check whether the object is encrypted and to run an AWS Systems Manager Automation document to encrypt the object in place when an unencrypted object is found.
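Whatever remediation is chosen, the first concrete artifact is a list of the affected keys in a form S3 Batch Operations can consume. The block below is an added example, not code from the exam page: it reads a constructed S3 Inventory CSV, keeps the rows whose EncryptionStatus is NOT-SSE, and emits a Batch Operations manifest. The inventory column order is an assumption (it is whatever you selected when enabling inventory); the bucket and keys are placeholders.

```python
"""Build an S3 Batch Operations manifest listing every object that an S3
Inventory report marks as unencrypted.

Added example, not from the exam page. An S3 Inventory CSV has no header row,
its columns are the optional fields chosen when inventory was enabled, and
object keys are URL-encoded. EncryptionStatus is one of SSE-S3, SSE-C,
SSE-KMS or NOT-SSE. A Batch Operations CSV manifest has the columns
bucket,key[,versionId] with the key URL-encoded. The report below is
constructed and its column order is an assumption.
"""
import csv
import io
from typing import Dict, Iterator, Tuple
from urllib.parse import quote, unquote

INVENTORY_FIELDS = ["Bucket", "Key", "Size", "LastModifiedDate", "EncryptionStatus"]  # assumed order

SAMPLE_INVENTORY = (
    '"data-bucket","reports/2021/q1.csv","1024","2021-04-01T00:00:00.000Z","NOT-SSE"\n'
    '"data-bucket","reports/2021/q2.csv","2048","2021-07-01T00:00:00.000Z","SSE-KMS"\n'
    '"data-bucket","uploads/photo%20one.jpg","4096","2021-07-02T00:00:00.000Z","NOT-SSE"\n'
    '"data-bucket","logs/app.log","512","2021-07-03T00:00:00.000Z","SSE-S3"\n'
)


def unencrypted_objects(inventory_csv: str, fields=INVENTORY_FIELDS) -> Iterator[Tuple[str, str]]:
    """Yield (bucket, decoded key) for every row whose EncryptionStatus is NOT-SSE."""
    reader = csv.DictReader(io.StringIO(inventory_csv), fieldnames=fields)
    for row in reader:
        if row["EncryptionStatus"] == "NOT-SSE":
            yield row["Bucket"], unquote(row["Key"])


def batch_manifest(inventory_csv: str, fields=INVENTORY_FIELDS) -> str:
    """Return manifest text for an S3 Batch Operations job: one bucket,key line per object, key URL-encoded."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for bucket, key in unencrypted_objects(inventory_csv, fields):
        writer.writerow([bucket, quote(key, safe="/")])
    return out.getvalue()


def summary(inventory_csv: str, fields=INVENTORY_FIELDS) -> Dict[str, int]:
    """Count objects per EncryptionStatus, a sanity check before launching a job over millions of keys."""
    counts: Dict[str, int] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv), fieldnames=fields):
        counts[row["EncryptionStatus"]] = counts.get(row["EncryptionStatus"], 0) + 1
    return counts


if __name__ == "__main__":
    print(summary(SAMPLE_INVENTORY))
    print(batch_manifest(SAMPLE_INVENTORY), end="")
```

For a report with more than a million rows the filtering step is better done server-side with S3 Select against the inventory files, which is what the question describes; the local version above shows what that query has to produce. Two caveats when the manifest feeds a Copy job that writes objects back onto themselves with encryption: Batch Operations Copy handles objects up to 5 GB, so larger objects need a separate multipart copy, and enabling default encryption on the bucket is still required so that future uploads never appear in the next report.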
-
A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)
- Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
- Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
- Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
- Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
- Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
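Both this question and the earlier one about organization-wide read access to a central bucket come down to how a bucket policy's conditions evaluate. The block below is an added example, not code from the exam page and not AWS's policy engine: a minimal evaluator holding an org-scoped read Allow keyed on aws:PrincipalOrgID next to the two Deny statements that refuse uploads without a server-side-encryption header. The org id, bucket name, principal ARN and request contexts are constructed placeholders.

```python
"""Minimal evaluator for two bucket-policy shapes: an organization-scoped read
Allow (aws:PrincipalOrgID) and Deny statements that reject PutObject requests
without server-side encryption.

Added example, not code from the exam page or AWS's policy engine. It keeps
the decision order that matters (explicit Deny wins, then a matching Allow,
otherwise this policy makes no decision) and implements the operators these
statements use: StringEquals, StringNotEquals and Null. All names are placeholders.
"""
from fnmatch import fnmatch
from typing import Any, Dict, List, Optional

BUCKET_ARN = "arn:aws:s3:::central-shared-bucket"
ORG_ID = "o-exampleorgid"

BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowOrgRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def condition_matches(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """Every operator block must match. A key absent from the request context never
    satisfies StringEquals or StringNotEquals; only Null can test for absence."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif actual is None:
                return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def statement_applies(stmt: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    principal = stmt["Principal"]
    principal_ok = principal == "*" or ctx["principal"] in _as_list(principal.get("AWS", []))
    action_ok = any(fnmatch(ctx["action"].lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch(ctx["resource"], r) for r in _as_list(stmt["Resource"]))
    return principal_ok and action_ok and resource_ok and condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policy: Dict[str, Any], ctx: Dict[str, str]) -> str:
    """Return 'Deny', 'Allow' or 'NoMatch' for this policy alone (identity policies are not modelled)."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "NoMatch"


def request(action: str, key: str, context: Optional[Dict[str, str]] = None,
            principal: str = "arn:aws:iam::444455556666:role/reader") -> Dict[str, str]:
    """Constructed request context; put aws:PrincipalOrgID and request headers in `context`."""
    ctx = {"action": action, "resource": (BUCKET_ARN + "/" + key) if key else BUCKET_ARN, "principal": principal}
    ctx.update(context or {})
    return ctx


def without_statement(policy: Dict[str, Any], sid: str) -> Dict[str, Any]:
    """Copy of `policy` with one statement removed, to show what each Deny contributes."""
    return {"Version": policy["Version"], "Statement": [s for s in policy["Statement"] if s["Sid"] != sid]}
```

The evaluator makes the two traps visible. A principal outside the organization simply has no aws:PrincipalOrgID key in its request context, so the Allow never applies and the bucket policy grants nothing; enumerating account ids is not needed. And a PutObject with no encryption header is not caught by StringNotEquals, because an absent key never satisfies that operator: drop the Null statement and the upload is no longer denied. Since January 2023 S3 applies SSE-S3 to new objects by default, so the Null deny now enforces that clients state the algorithm (useful when SSE-KMS is mandatory) rather than preventing plaintext storage.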
-
A SysOps administrator is notified that an Amazon EC2 instance has stopped responding. The AWS Management Console indicates that the system checks are failing.
What should the administrator do first to resolve this issue?
- Reboot the EC2 instance so it can be launched on a new host.
- Stop and then start the EC2 instance so that it can be launched on a new host.
- Terminate the EC2 instance and relaunch it.
- View the AWS CloudTrail log to investigate what changed on the EC2 instance.
-
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted.
How can this be resolved?
- Enable encryption on each host’s connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
- Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
- Enable encryption on each host’s local drive. Restart each host to encrypt the drive.
- Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
-
A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:
2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK
What is a possible cause of these failed connections?
- A security group is denying traffic on port 443.
- The EC2 instance is shut down.
- The network ACL is blocking HTTPS traffic.
- The VPC has no internet gateway attached.
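Reading a flow log record by field position is error-prone, and a REJECT on its own does not say which control dropped the packet. The block below is an added example, not code from the exam page: it parses version 2 default-format records, taking the entry above verbatim as its first sample (eni-<###> is left as the page prints it) alongside constructed companion records, and explains what each REJECT can and cannot tell you.

```python
"""Parser for VPC Flow Log records in the version 2 default format, with the
record from the question above as sample input.

Added example, not from the exam page. The default format has 14 space-
separated fields: version account-id interface-id srcaddr dstaddr srcport
dstport protocol packets bytes start end action log-status. Records with
log-status NODATA or SKIPDATA carry '-' in the traffic fields. The companion
records are constructed; only the first line comes from the page.
"""
from dataclasses import dataclass
from typing import List, Optional

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class FlowRecord:
    version: Optional[int]
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: Optional[int]
    end: Optional[int]
    action: Optional[str]
    log_status: str


def parse_record(line: str) -> FlowRecord:
    """Split one default-format record; '-' fields become None, numeric fields become int."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    values = {}
    for name, raw in zip(FIELDS, parts):
        values[name] = None if raw == "-" else int(raw) if name in INT_FIELDS else raw
    return FlowRecord(**values)


def classify_reject(rec: FlowRecord) -> Optional[str]:
    """Explain a REJECT. A dropped request to a service port can come from a security
    group or a network ACL; the record cannot distinguish them. A dropped reply (source
    port is the service port, destination is ephemeral) cannot be a security group,
    because security groups are stateful and always pass return traffic of a connection
    they accepted, so it points at a stateless network ACL missing an ephemeral-port rule."""
    if rec.action != "REJECT":
        return None
    proto = PROTOCOLS.get(rec.protocol, str(rec.protocol))
    flow = f"{proto} {rec.srcaddr}:{rec.srcport} -> {rec.dstaddr}:{rec.dstport}"
    if rec.dstport is not None and rec.dstport < 1024:
        return f"request {flow} dropped: a security group or a network ACL rule (the record does not say which)"
    if rec.srcport is not None and rec.srcport < 1024 and rec.dstport is not None and rec.dstport >= 1024:
        return f"reply {flow} dropped: network ACL (security groups are stateful and never drop return traffic)"
    return f"{flow} dropped"


SAMPLE_LOG = """\
2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK
2 111122223333 eni-<###> 198.51.100.7 203.0.113.56 51234 443 6 12 3456 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-<###> 203.0.113.56 198.51.100.7 443 51234 6 1 40 1418530010 1418530070 REJECT OK
2 111122223333 eni-<###> - - - - - - - 1418530010 1418530070 - NODATA
"""


def rejected(lines: str) -> List[str]:
    """Parse every record and return an explanation for each REJECT, in order."""
    notes = []
    for line in lines.splitlines():
        if line.strip():
            note = classify_reject(parse_record(line))
            if note:
                notes.append(note)
    return notes


if __name__ == "__main__":
    for note in rejected(SAMPLE_LOG):
        print(note)
```

For the record on the page, the parser confirms a TCP request from 192.0.2.15 to port 443 on 203.0.113.56 that was dropped during a one-minute window; deciding between a security group and a network ACL still requires looking at both. The constructed third record shows the pattern that does settle the question: an accepted inbound connection whose reply is rejected is a network ACL problem, typically an outbound rule that omits the ephemeral port range.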
-
A company is migrating its production file server to AWS. All data that is stored on the file server must remain accessible if an Availability Zone becomes unavailable or when system maintenance is performed. Users must be able to interact with the file server through the SMB protocol. Users also must have the ability to manage file permissions by using Windows ACLs.
Which solution will meet these requirements?
- Create a single AWS Storage Gateway file gateway.
- Create an Amazon FSx for Windows File Server Multi-AZ file system.
- Deploy two AWS Storage Gateway file gateways across two Availability Zones. Configure an Application Load Balancer in front of the file gateways.
- Deploy two Amazon FSx for Windows File Server Single-AZ 2 file systems. Configure Microsoft Distributed File System Replication (DFSR).
-
A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records.
What type of record should be set in Route 53 to point the website’s apex domain name (for example, “company.com”) to the Application Load Balancer?
- CNAME
- SOA
- TXT
- ALIAS