Practice Free SOA-C02 Exam Online Questions
A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A SysOps administrator must ensure that an on-premises server can query records in the example.com domain.
What should the SysOps administrator do to meet these requirements?
- A . Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
- B . Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
- C . Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
- D . Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
A
Explanation:
To allow on-premises servers to resolve DNS records in an Amazon Route 53 private hosted zone via AWS Direct Connect, the following step should be taken:
A: Create a Route 53 Resolver inbound endpoint and attach a security group that allows inbound traffic on TCP/UDP port 53 from the on-premises DNS servers. This setup enables the on-premises DNS servers to forward DNS queries to AWS for the domains managed by Route 53. The inbound resolver endpoint acts as a bridge between the on-premises network and AWS for DNS resolution. Additional guidance on setting up Route 53 Resolver endpoints can be found in AWS documentation Route 53 Resolver.
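The direction of the security group rule is the part that is easy to get backwards, so here is an added check (example code, not AWS's or the exam author's) that takes the endpoint type and the security group attached to it and reports which DNS flows are not allowed. The on-premises resolver IPs, CIDRs and security group rule sets are constructed for the example; the `from_port`/`to_port`/`cidr` keys are an assumed simplified representation, not the EC2 API shape.

```python
import ipaddress

DNS_PORT = 53
# Constructed on-premises DNS server addresses (assumption for the example).
ON_PREM_DNS = ["10.10.0.53", "10.10.1.53"]

# Constructed security groups: the first forgot UDP, the second allows both transports.
SG_TCP_ONLY = {
    "inbound": [{"proto": "tcp", "from_port": 53, "to_port": 53, "cidr": "10.10.0.0/16"}],
    "outbound": [],
}
SG_FIXED = {
    "inbound": [
        {"proto": "tcp", "from_port": 53, "to_port": 53, "cidr": "10.10.0.0/16"},
        {"proto": "udp", "from_port": 53, "to_port": 53, "cidr": "10.10.0.0/16"},
    ],
    "outbound": [],
}


def _allows(rule, proto, port, peer):
    """True when one security group rule covers this protocol, port and peer address."""
    return (rule["proto"] == proto
            and rule["from_port"] <= port <= rule["to_port"]
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule["cidr"]))


def missing_dns_rules(endpoint_type, sg, peers):
    """Return the DNS flows the group does not allow, as (direction, proto, peer_ip).

    An inbound endpoint *receives* queries, so its group needs inbound TCP and UDP 53
    from each on-premises resolver. An outbound endpoint *sends* queries, so its group
    needs outbound TCP and UDP 53 to them. Security groups are stateful, so the reply
    half of each exchange needs no rule of its own.
    """
    if endpoint_type not in ("inbound", "outbound"):
        raise ValueError("endpoint_type must be 'inbound' or 'outbound'")
    rules = sg[endpoint_type]
    return [(endpoint_type, proto, peer)
            for peer in peers
            for proto in ("tcp", "udp")
            if not any(_allows(r, proto, DNS_PORT, peer) for r in rules)]


if __name__ == "__main__":
    print(missing_dns_rules("inbound", SG_TCP_ONLY, ON_PREM_DNS))
    print(missing_dns_rules("inbound", SG_FIXED, ON_PREM_DNS))
    print(missing_dns_rules("outbound", SG_FIXED, ON_PREM_DNS))
```

Run against `SG_TCP_ONLY`, the check reports the missing UDP 53 entries; DNS uses UDP first and falls back to TCP for large responses and zone transfers, so a TCP-only rule produces intermittent failures rather than a clean error.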
A SysOps administrator has used AWS CloudFormation to deploy a serverless application into a production VPC. The application consists of an AWS Lambda function, an Amazon DynamoDB table, and an Amazon API Gateway API. The SysOps administrator must delete the AWS CloudFormation stack without deleting the DynamoDB table.
Which action should the SysOps administrator take before deleting the AWS CloudFormation stack?
- A . Add a Retain deletion policy to the DynamoDB resource in the AWS CloudFormation stack.
- B . Add a Snapshot deletion policy to the DynamoDB resource in the AWS CloudFormation stack.
- C . Enable termination protection on the AWS CloudFormation stack.
- D . Update the application’s IAM policy with a Deny statement for the dynamodb:DeleteTable action.
A
Explanation:
Understand the Problem:
The requirement is to delete the CloudFormation stack without deleting the DynamoDB table.
Analyze the Requirements:
Ensure the DynamoDB table is preserved when the CloudFormation stack is deleted.
Evaluate the Options:
Option A: Add a Retain deletion policy to the DynamoDB resource.
The Retain policy ensures that the DynamoDB table is not deleted when the stack is deleted.
Option B: Add a Snapshot deletion policy to the DynamoDB resource.
Snapshot policy is not applicable to DynamoDB tables and would not retain the table itself.
Option C: Enable termination protection on the CloudFormation stack.
Prevents stack deletion entirely but does not specifically protect the DynamoDB table.
Option D: Update the IAM policy with a Deny statement for dynamodb:DeleteTable.
Prevents deletion of the table but is not a CloudFormation stack-specific solution.
Select the Best Solution:
Option A: Adding a Retain deletion policy to the DynamoDB resource in the CloudFormation stack ensures the table is preserved when the stack is deleted.
Reference: AWS CloudFormation Deletion Policy
Using the Retain deletion policy ensures that the DynamoDB table is not deleted when the CloudFormation stack is deleted, preserving critical data.
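DeletionPolicy is a resource attribute that sits beside Type and Properties, not inside Properties, and it only takes effect once the stack has been updated with the new template. The following added example (not AWS's or the exam author's code) holds a constructed template in dict form, lists the DynamoDB tables a stack delete would destroy, and returns a copy with Retain applied. The resource names, the IAM role ARN and the Lambda code are placeholders.

```python
import copy

# Constructed CloudFormation template (dict form of the JSON template), not a real stack.
# OrdersTable is already protected; SessionTable would be deleted with the stack.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "OrdersTable": {
            "Type": "AWS::DynamoDB::Table",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Retain",
            "Properties": {
                "BillingMode": "PAY_PER_REQUEST",
                "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
                "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
            },
        },
        "SessionTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {
                "BillingMode": "PAY_PER_REQUEST",
                "AttributeDefinitions": [{"AttributeName": "sid", "AttributeType": "S"}],
                "KeySchema": [{"AttributeName": "sid", "KeyType": "HASH"}],
            },
        },
        "ApiFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.12",
                "Handler": "app.handler",
                "Role": "arn:aws:iam::123456789012:role/placeholder-role",  # placeholder
                "Code": {"ZipFile": "def handler(event, context): return 'ok'"},
            },
        },
    },
}

# Values of DeletionPolicy that keep the resource when the stack is deleted.
RETAINING = {"Retain", "RetainExceptOnCreate"}
# Resource types that hold data and should not vanish with the stack.
STATEFUL_TYPES = {"AWS::DynamoDB::Table"}


def unprotected(template):
    """Logical IDs of stateful resources that a stack delete would destroy."""
    return [lid for lid, res in template.get("Resources", {}).items()
            if res.get("Type") in STATEFUL_TYPES
            and res.get("DeletionPolicy") not in RETAINING]


def add_retain(template):
    """Return a copy with DeletionPolicy: Retain on every unprotected stateful
    resource. UpdateReplacePolicy: Retain is added too, so a later change that
    forces replacement (e.g. a new key schema) also keeps the old table."""
    fixed = copy.deepcopy(template)
    for lid in unprotected(fixed):
        res = fixed["Resources"][lid]
        res["DeletionPolicy"] = "Retain"
        res.setdefault("UpdateReplacePolicy", "Retain")
    return fixed


if __name__ == "__main__":
    print("would be deleted:", unprotected(TEMPLATE))
    print("after fix:", unprotected(add_retain(TEMPLATE)))
```

The operational sequence matters: update the stack with the corrected template first, confirm the update completed, then delete the stack. After deletion the retained table is no longer managed by CloudFormation, so record its name and owner (tags or an inventory) or it becomes an untracked resource that still holds production data.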
A company hosts its website in the us-east-1 Region. The company is preparing to deploy its website into the eu-central-1 Region. Website visitors who are located in Europe should access the website that is hosted in eu-central-1. All other visitors access the website that is hosted in us-east-1. The company uses Amazon Route 53 to manage the website’s DNS records.
Which routing policy should a SysOps administrator apply to the Route 53 record set to meet these requirements?
- A . Geolocation routing policy
- B . Geoproximity routing policy
- C . Latency routing policy
- D . Multivalue answer routing policy
A
Explanation:
Geolocation: "Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region."
This could be confused with geoproximity: "Geoproximity routing lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource." The bias-based use case is not required by the question.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html
A company’s SysOps administrator deploys four new Amazon EC2 instances by using the standard Amazon Linux 2 Amazon Machine Image (AMI). The company needs to be able to use AWS Systems Manager to manage the instances. The SysOps administrator notices that the instances do not appear in the Systems Manager console.
What must the SysOps administrator do to resolve this issue?
- A . Connect to each instance by using SSH. Install Systems Manager Agent on each instance. Configure Systems Manager Agent to start automatically when the instances start up.
- B . Use AWS Certificate Manager (ACM) to create a TLS certificate. Import the certificate into each instance. Configure Systems Manager Agent to use the TLS certificate for secure communications.
- C . Connect to each instance by using SSH. Create an ssm-user account. Add the ssm-user account to the /etc/sudoers.d directory.
- D . Attach an IAM instance profile to the instances. Ensure that the instance profile contains the AmazonSSMManagedInstanceCore policy.
D
Explanation:
To manage Amazon EC2 instances using AWS Systems Manager, you need to ensure that the instances are associated with an IAM instance profile that grants the necessary permissions.
Attach IAM Instance Profile:
Create an IAM role with the AmazonSSMManagedInstanceCore policy. Attach this IAM role to your EC2 instances.
Steps to Attach IAM Instance Profile:
Open the EC2 console and select the instances.
Choose "Actions" -> "Instance Settings" -> "Attach/Replace IAM Role."
Select the IAM role with AmazonSSMManagedInstanceCore policy and attach it to the instances.
AmazonSSMManagedInstanceCore Policy:
This policy grants the required permissions for Systems Manager to manage the EC2 instances. It includes permissions for SSM Agent to communicate with the Systems Manager service.
Reference: AWS Systems Manager Prerequisites
AmazonSSMManagedInstanceCore Policy
A company is trying to connect two applications. One application runs in an on-premises data center that has a hostname of host1.onprem.private. The other application runs on an Amazon EC2 instance that has a hostname of host1.awscloud.private. An AWS Site-to-Site VPN connection is in place between the on-premises network and AWS.
The application that runs in the data center tries to connect to the application that runs on the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS resolution between on-premises and AWS resources.
Which solution allows the on-premises application to resolve the EC2 instance hostname?
- A . Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.
- B . Set up an Amazon Route 53 inbound resolver endpoint. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.
- C . Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the outbound resolver endpoint.
- D . Set up an Amazon Route 53 outbound resolver endpoint. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint.
A
Explanation:
Step-by-Step
Understand the Problem:
There are two applications, one in an on-premises data center and the other on an Amazon EC2 instance.
DNS resolution fails when the on-premises application tries to connect to the EC2 instance. The goal is to implement DNS resolution between on-premises and AWS resources.
Analyze the Requirements:
Need to resolve the hostname of the EC2 instance from the on-premises network. Utilize the existing AWS Site-to-Site VPN connection for DNS queries.
Evaluate the Options:
Option A: Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone.
This allows DNS queries from on-premises to be forwarded to Route 53 for resolution.
The resolver endpoint is associated with the VPC, enabling resolution of AWS resources.
Option B: Set up an Amazon Route 53 inbound resolver endpoint without specifying the forwarding rule.
This option does not address the specific need to resolve onprem.private DNS queries.
Option C: Set up an Amazon Route 53 outbound resolver endpoint.
Outbound resolver endpoints are used for forwarding DNS queries from AWS to on-premises, not vice versa.
Option D: Set up an Amazon Route 53 outbound resolver endpoint without specifying the forwarding rule.
Similar to Option C, this does not meet the requirement of resolving on-premises queries in AWS.
Select the Best Solution:
Option A: Setting up an inbound resolver endpoint with a forwarding rule for onprem.private and associating it with the VPC ensures that DNS queries from on-premises can resolve AWS resources effectively.
Reference: Amazon Route 53 Resolver
Integrating AWS and On-Premises Networks with Route 53
Using an Amazon Route 53 inbound resolver endpoint with a forwarding rule ensures that on-premises applications can resolve EC2 instance hostnames effectively.
A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?
- A . Specify ‘*’ as the principal and PrincipalOrgId as a condition.
- B . Specify all account numbers as the principal.
- C . Specify PrincipalOrgId as the principal.
- D . Specify the organization’s management account as the principal.
A
Explanation:
To ensure that all users within the AWS Organization have read-level access to a specific Amazon S3 bucket, while preventing access outside the organization, you can specify a wildcard principal ("Principal": "*") and use the PrincipalOrgId condition key in the bucket policy.
Specify the Principal:
Use "Principal": "*". This means that any principal can access the bucket, but the actual access will be controlled by the condition.
Add Condition with PrincipalOrgId:
Add a condition to restrict access based on the PrincipalOrgId. This condition ensures that only the principals from the specified AWS Organization can access the bucket.
Example bucket policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::bucket-name/*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "o-exampleorgid"
                    }
                }
            }
        ]
    }
Reference: Bucket Policy Examples
This approach ensures that all users within the organization have the required access while blocking access from outside the organization.
The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in use and the total available IAM policies.
Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?
- A . AWS Trusted Advisor
- B . Amazon Inspector
- C . AWS Config
- D . AWS Organizations
A
Explanation:
Step-by-Step
Understand the Problem:
The security team is concerned about the increasing number of IAM policies.
The task is to report on the current number of IAM policies and compare them to the service limits.
Analyze the Requirements:
The solution should help in checking the usage of IAM policies against the service limits.
Evaluate the Options:
Option A: AWS Trusted Advisor
AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.
It includes a service limits check that alerts you when you are approaching the limits of your AWS service usage, including IAM policies.
Option B: Amazon Inspector
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It does not report on IAM policy usage.
Option C: AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. While useful for compliance, it does not provide a comparison against service limits.
Option D: AWS Organizations
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. It does not provide insights into IAM policy limits.
Select the Best Solution:
Option A: AWS Trusted Advisor is the correct answer because it includes a service limits check that can report on the current number of IAM policies in use and compare them to the service limits.
Reference: AWS Trusted Advisor Documentation
IAM Service Limits
AWS Trusted Advisor is the appropriate tool for monitoring IAM policy usage and comparing it against service limits, providing the necessary insights to manage and optimize IAM policies effectively.
A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded; however, upon navigating to the site, the following error message is received:
403 Forbidden – Access Denied
What change should be made to fix this error?
- A . Add a bucket policy that grants everyone read access to the bucket.
- B . Add a bucket policy that grants everyone read access to the bucket objects.
- C . Remove the default bucket policy that denies read access to the bucket.
- D . Configure cross-origin resource sharing (CORS) on the bucket.
B
Explanation:
To fix the "403 Forbidden – Access Denied" error when accessing a static website hosted on Amazon S3, you need to ensure that the objects in the bucket have the appropriate permissions for public access. Here’s how to do it:
Login to AWS Management Console:
Open the Amazon S3 console at Amazon S3 Console.
Navigate to the Bucket:
In the S3 console, select the bucket hosting the static website.
Add a Bucket Policy:
Go to the Permissions tab.
Choose Bucket Policy and add the following policy to grant public read access to all objects in the bucket:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::your-bucket-name/*"
            }
        ]
    }
Save the Policy:
After adding the policy, save the changes.
This policy ensures that all objects in the bucket are publicly accessible, resolving the 403 Forbidden error.
Reference: Hosting a Static Website on Amazon S3
Bucket Policy Examples
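The two bucket policies above look almost identical, and the only difference is the one that matters: the organization-wide policy grants to `Principal: "*"` but pins `aws:PrincipalOrgID`, while the website policy grants to `Principal: "*"` with no condition at all, which is exactly what a public website needs and exactly what should be flagged on any other bucket. The following added example (not AWS's or the exam author's code) classifies each Allow statement in a policy document so the two cases can be told apart in an automated review. The two policies are the ones quoted in the preceding questions; the `Sid`, the organization ID and the bucket names are placeholders.

```python
import json

# The org-scoped policy from the PrincipalOrgID question (Sid added, org ID is a placeholder).
ORG_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OrgReadOnly",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket-name/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
  }]
}""")

# The public-read policy from the static website question (bucket name is a placeholder).
WEBSITE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::your-bucket-name/*"
  }]
}""")


def _as_list(value):
    """Policy grammar allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _everyone(principal):
    """True for the anonymous principal, written either as "*" or as {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())


def _org_scoped(condition):
    """True when the statement pins aws:PrincipalOrgID with an equality operator
    (StringEquals, StringEqualsIgnoreCase, or their ForAnyValue/ForAllValues forms)."""
    for operator, keys in condition.items():
        if operator.split(":")[-1] in ("StringEquals", "StringEqualsIgnoreCase"):
            if any(k.lower() == "aws:principalorgid" for k in keys):
                return True
    return False


def classify(policy):
    """Return [(label, kind)] for each Allow statement, where kind is
    'scoped' (named principals), 'org-scoped' (anyone, but only from inside one
    organization) or 'public' (anyone on the internet)."""
    result = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        label = st.get("Sid", f"statement[{i}]")
        if not _everyone(st.get("Principal", {})):
            kind = "scoped"
        elif _org_scoped(st.get("Condition", {})):
            kind = "org-scoped"
        else:
            kind = "public"
        result.append((label, kind))
    return result


def public_findings(policy, website_bucket=False):
    """Public Allow statements are a finding on every bucket except one that is
    deliberately serving a website."""
    if website_bucket:
        return []
    return [label for label, kind in classify(policy) if kind == "public"]


if __name__ == "__main__":
    print(classify(ORG_POLICY), public_findings(ORG_POLICY))
    print(classify(WEBSITE_POLICY), public_findings(WEBSITE_POLICY))
```

Two caveats worth keeping in mind when applying this. An anonymous request carries no organization ID, so an org-scoped statement never matches unauthenticated traffic even though its principal is `*`. And the website policy only takes effect if S3 Block Public Access is turned off for that bucket; with the account or bucket setting enabled, S3 rejects a bucket policy that grants public access, so the 403 persists until that is addressed as well.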
A SysOps administrator is troubleshooting connection timeouts to an Amazon EC2 instance that has a public IP address. The instance has a private IP address of 172.31.16.139. When the SysOps administrator tries to ping the instance’s public IP address from the remote IP address 203.0.113.12, the response is "request timed out." The flow logs contain the following information:
What is one cause of the problem?
- A . Inbound security group deny rule
- B . Outbound security group deny rule
- C . Network ACL inbound rules
- D . Network ACL outbound rules
C
Explanation:
The issue of "request timed out" when pinging the public IP address of the EC2 instance could be due to the Network ACL (NACL) inbound rules.
Check NACL Inbound Rules:
Network ACLs act at the subnet level and can explicitly allow or deny traffic to or from a subnet.
Ensure that the NACL associated with the subnet containing the EC2 instance has inbound rules that allow ICMP traffic (which is used for ping).
Example rule to allow inbound ICMP traffic:
Rule Number: 100
Type: ICMP
Protocol: 1
Port Range: N/A (ICMP doesn’t use ports)
Source: 0.0.0.0/0 (or specific IP range)
Allow/Deny: ALLOW
Reference: Network ACLs
Verify Security Groups:
Although the most probable cause is NACLs, also ensure that the security group attached to the instance allows inbound ICMP traffic.
By allowing ICMP traffic in the NACL inbound rules, you can resolve the timeout issue when pinging the EC2 instance.
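To see why the NACL is the likely culprit, it helps to run the rule evaluation by hand: a network ACL is an ordered list, the lowest rule number that matches decides, anything unmatched hits the `*` deny, and because NACLs are stateless the echo reply leaving the subnet is checked separately from the echo request coming in. The following added example (not AWS's or the exam author's code) implements that evaluation over constructed rule sets that reuse the addresses from the question; the dict keys are an assumed simplified representation, not the EC2 API shape.

```python
import ipaddress

ICMP, TCP, UDP = 1, 6, 17
ALL = -1  # the "All traffic" protocol choice


def _matches(rule, pkt):
    """True when one NACL entry covers this packet (protocol, address, and port for TCP/UDP)."""
    if rule["proto"] not in (ALL, pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["addr"]) not in ipaddress.ip_network(rule["cidr"]):
        return False
    if pkt["proto"] in (TCP, UDP):
        lo, hi = rule.get("ports", (0, 65535))
        return lo <= pkt["port"] <= hi
    return True  # ICMP entries carry no port range


def evaluate(rules, pkt):
    """Walk entries by ascending rule number; the first match decides, and the
    implicit '*' entry denies anything left over."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _matches(rule, pkt):
            return rule["action"], rule["rule"]
    return "deny", "*"


def ping_verdict(inbound, outbound, remote):
    """Both halves of a ping must pass on their own: the echo request arriving
    from `remote` against the inbound list, and the echo reply going back to
    `remote` against the outbound list."""
    request = {"proto": ICMP, "addr": remote}
    reply = {"proto": ICMP, "addr": remote}
    return evaluate(inbound, request), evaluate(outbound, reply)


# Constructed rule sets. REMOTE is the source address from the question.
REMOTE = "203.0.113.12"
INBOUND_WEB_ONLY = [  # typical web subnet: HTTP/HTTPS allowed, nothing for ICMP
    {"rule": 100, "proto": TCP, "cidr": "0.0.0.0/0", "ports": (80, 80), "action": "allow"},
    {"rule": 110, "proto": TCP, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
]
INBOUND_WITH_ICMP = INBOUND_WEB_ONLY + [  # the fix described in the explanation
    {"rule": 90, "proto": ICMP, "cidr": "0.0.0.0/0", "action": "allow"},
]
INBOUND_SHADOWED = INBOUND_WITH_ICMP + [  # a lower-numbered deny wins over the allow
    {"rule": 50, "proto": ICMP, "cidr": "203.0.113.0/24", "action": "deny"},
]
OUTBOUND_ALL = [{"rule": 100, "proto": ALL, "cidr": "0.0.0.0/0", "action": "allow"}]

if __name__ == "__main__":
    probe = {"proto": ICMP, "addr": REMOTE}
    print("web only:", evaluate(INBOUND_WEB_ONLY, probe))
    print("with icmp:", evaluate(INBOUND_WITH_ICMP, probe))
    print("shadowed:", evaluate(INBOUND_SHADOWED, probe))
    print("round trip:", ping_verdict(INBOUND_WITH_ICMP, OUTBOUND_ALL, REMOTE))
    print("no outbound:", ping_verdict(INBOUND_WITH_ICMP, [], REMOTE))
```

When checking a real NACL, compare the rule numbers, not just the presence of an ICMP allow: the `INBOUND_SHADOWED` set contains the rule 100-style allow from the explanation and still drops the ping, because the deny at rule 50 is evaluated first. The `ping_verdict` call with an empty outbound list shows the other failure mode that looks identical from the client side: the request is admitted but the reply is blocked on the way out.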
A company receives an alert from an Amazon CloudWatch alarm. The alarm indicates that a web application that is running on Amazon EC2 instances is not responding to requests. The EC2 instances have a Red Hat Enterprise Linux operating system and are in an Auto Scaling group. The Auto Scaling group has a minimum capacity of 2 and a maximum capacity of 5.
An investigation reveals that the web application is experiencing out-of-memory errors. The company adds memory to the web application and wants to track operating system memory utilization. A CloudWatch memory metric does not currently exist for the EC2 instances in the Auto Scaling group.
What should a SysOps administrator do to provide a CloudWatch memory metric for the EC2 instances?
- A . Use an Amazon Machine Image (AMI) that includes the CloudWatch agent.
- B . Turn on CloudWatch detailed monitoring.
- C . Turn on Instance Metadata Service Version 2 (IMDSv2).
- D . Use an Amazon Machine Image (AMI) that is based on Amazon Linux.
A
Explanation:
Using an AMI with CloudWatch Agent:
The CloudWatch agent can collect memory utilization metrics and send them to CloudWatch.
Steps:
Create or use an existing AMI that includes the CloudWatch agent installed and configured.
Ensure the CloudWatch agent is configured to collect memory metrics.
Use this AMI for instances in the Auto Scaling group.
Reference: Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent