AWS Certified SysOps Administrator - Associate (SOA-C02) v1.0

Exam contains 85 questions

A SysOps administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the internet.
Which combination of steps is required to provide internet connectivity to the EC2 instances? (Choose two.)

  • A. Add a NAT gateway to a public subnet.
  • B. Attach a private address to the elastic network interface on the EC2 instance.
  • C. Attach an Elastic IP address to the internet gateway.
  • D. Add an entry to the route table for the subnet that points to an internet gateway.
  • E. Create an internet gateway and attach it to a VPC.


Answer : DE

An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy.
What is likely to be the problem?

  • A. The Amazon Machine image used is not available in that region.
  • B. The AWS CloudFormation template needs to be updated to the latest version.
  • C. The VPC configuration parameters have changed and must be updated in the template.
  • D. The account has reached the default limit for VPCs allowed.


Answer : D

Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html


A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?

  • A. Specify "*" as the principal and PrincipalOrgId as a condition.
  • B. Specify all account numbers as the principal.
  • C. Specify PrincipalOrgId as the principal.
  • D. Specify the organization's master account as the principal.


Answer : A

Reference:
https://aws.amazon.com/blogs/security/iam-share-aws-resources-groups-aws-accounts-aws-organizations/


An Amazon S3 Inventory report reveals that more than 1 million objects in an S3 bucket are not encrypted. These objects must be encrypted, and all future objects must be encrypted at the time they are written.
Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)

  • A. Create an AWS Config rule that runs evaluations against configuration changes to the S3 bucket. When an unencrypted object is found, run an AWS Systems Manager Automation document to encrypt the object in place.
  • B. Edit the properties of the S3 bucket to enable default server-side encryption.
  • C. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Create an S3 Batch Operations job to copy each object in place with encryption enabled.
  • D. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Send each object name as a message to an Amazon Simple Queue Service (Amazon SQS) queue. Use the SQS queue to invoke an AWS Lambda function to tag each object with a key of "Encryption" and a value of "SSE-KMS".
  • E. Use S3 Event Notifications to invoke an AWS Lambda function on all new object-created events for the S3 bucket. Configure the Lambda function to check whether the object is encrypted and to run an AWS Systems Manager Automation document to encrypt the object in place when an unencrypted object is found.


Answer : BE

A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)

  • A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
  • B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
  • C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
  • D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
  • E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.


Answer : CE

Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#sample-acl


A SysOps administrator is notified that an Amazon EC2 instance has stopped responding. The AWS Management Console indicates that the system checks are failing.
What should the administrator do first to resolve this issue?

  • A. Reboot the EC2 instance so it can be launched on a new host.
  • B. Stop and then start the EC2 instance so that it can be launched on a new host.
  • C. Terminate the EC2 instance and relaunch it.
  • D. View the AWS CloudTrail log to investigate what changed on the EC2 instance.


Answer : B

An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted.
How can this be resolved?

  • A. Enable encryption on each host's connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
  • B. Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
  • C. Enable encryption on each host's local drive. Restart each host to encrypt the drive.
  • D. Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.


Answer : D

A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:
2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK
What is a possible cause of these failed connections?

  • A. A security group is denying traffic on port 443.
  • B. The EC2 instance is shut down.
  • C. The network ACL is blocking HTTPS traffic.
  • D. The VPC has no internet gateway attached.


Answer : A

A company is migrating its production file server to AWS. All data that is stored on the file server must remain accessible if an Availability Zone becomes unavailable or when system maintenance is performed. Users must be able to interact with the file server through the SMB protocol. Users also must have the ability to manage file permissions by using Windows ACLs.
Which solution will meet these requirements?

  • A. Create a single AWS Storage Gateway file gateway.
  • B. Create an Amazon FSx for Windows File Server Multi-AZ file system.
  • C. Deploy two AWS Storage Gateway file gateways across two Availability Zones. Configure an Application Load Balancer in front of the file gateways.
  • D. Deploy two Amazon FSx for Windows File Server Single-AZ 2 file systems. Configure Microsoft Distributed File System Replication (DFSR).


Answer : B

Reference:
https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.html


A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records.
What type of record should be set in Route 53 to point the website's apex domain name (for example, "company.com") to the Application Load Balancer?

  • A. CNAME
  • B. SOA
  • C. TXT
  • D. ALIAS


Answer : D

Reference:
https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53-zoneapex-elb.html


A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys.
The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.
Which solution will securely share the AMI with the other AWS accounts?

  • A. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
  • B. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
  • C. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to make it public.
  • D. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.


Answer : C

A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application.
Which combination of actions should a SysOps administrator take to resolve this problem? (Choose two.)

  • A. Change to the least outstanding requests algorithm on the ALB target group.
  • B. Configure cookie forwarding in the CloudFront distribution cache behavior.
  • C. Configure header forwarding in the CloudFront distribution cache behavior.
  • D. Enable group-level stickiness on the ALB listener rule.
  • E. Enable sticky sessions on the ALB target group.


Answer : CE

A company needs to create a daily Amazon Machine Image (AMI) of an existing Amazon Linux EC2 instance that hosts the operating system, application, and database on multiple attached Amazon Elastic Block Store (Amazon EBS) volumes. File system integrity must be maintained.
Which solution will meet these requirements?

  • A. Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the no-reboot parameter enabled. Create a daily scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that invokes the function.
  • B. Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the reboot parameter enabled. Create a daily scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that invokes the function.
  • C. Use AWS Backup to create a backup plan with a backup rule that runs daily. Assign the resource ID of the EC2 instance with the no-reboot parameter enabled.
  • D. Use AWS Backup to create a backup plan with a backup rule that runs daily. Assign the resource ID of the EC2 instance with the reboot parameter enabled.


Answer : C

A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched.
What should the SysOps administrator do to meet this requirement?

  • A. Add a wait condition to the template. Update the EC2 instance user data script to send a signal after the EC2 instance is started.
  • B. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource.
  • C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource.
  • D. Create multiple templates. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created.


Answer : B

A SysOps administrator is setting up an automated process to recover an Amazon EC2 instance in the event of an underlying hardware failure. The recovered instance must have the same private IP address and the same Elastic IP address that the original instance had. The SysOps team must receive an email notification when the recovery process is initiated.
Which solution will meet these requirements?

  • A. Create an Amazon CloudWatch alarm for the EC2 instance, and specify the StatusCheckFailed_Instance metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
  • B. Create an Amazon CloudWatch alarm for the EC2 instance, and specify the StatusCheckFailed_System metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
  • C. Create an Auto Scaling group across three different subnets in the same Availability Zone with a minimum, maximum, and desired size of 1. Configure the Auto Scaling group to use a launch template that specifies the private IP address and the Elastic IP address. Add an activity notification for the Auto Scaling group to send an email message to the SysOps team through Amazon Simple Email Service (Amazon SES).
  • D. Create an Auto Scaling group across three Availability Zones with a minimum, maximum, and desired size of 1. Configure the Auto Scaling group to use a launch template that specifies the private IP address and the Elastic IP address. Add an activity notification for the Auto Scaling group to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.


Answer : A

Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-createalarm.html

