Practice Free SOA-C02 Exam Online Questions
A Sysops administrator needs to configure automatic rotation for Amazon RDS database credentials.
The credentials must rotate every 30 days. The solution must integrate with Amazon RDS.
Which solution will meet these requirements with the LEAST operational overhead?
- A . Store the credentials in AWS Systems Manager Parameter Store as a secure string. Configure automatic rotation with a rotation interval of 30 days.
- B . Store the credentials in AWS Secrets Manager. Configure automatic rotation with a rotation interval of 30 days.
- C . Store the credentials in a file in an Amazon S3 bucket. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.
- D . Store the credentials in AWS Secrets Manager. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.
B
Explanation:
Storing the credentials in AWS Secrets Manager and enabling automatic rotation with a 30-day interval meets the requirements with the least operational overhead. Secrets Manager has native rotation support for Amazon RDS: when you turn on rotation for an RDS secret, Secrets Manager creates and manages the rotation Lambda function for you, so there is nothing to deploy or maintain (which is what makes option D more work than option B). Systems Manager Parameter Store (option A) can hold the password as a SecureString but has no built-in rotation, and a file in S3 with a custom Lambda (option C) has neither the RDS integration nor the managed rotation and is the highest-overhead choice. One operational caveat: applications must fetch the secret at connection time, or refresh it when authentication fails, otherwise a cached password stops working after the first rotation.
The company needs to increase IOPS for two EC2 instances with gp2 volumes to support an upcoming promotion with higher I/O requirements.
- A . Migrate the attached EBS volumes to Throughput Optimized HDD (st1) EBS volumes.
- B . Configure Amazon ElastiCache integration on the EC2 instances.
- C . Migrate the workload to two storage optimized EC2 instances.
- D . Migrate the attached EBS volumes to General Purpose SSD (gp3) EBS volumes. Provision the appropriate IOPS.
D
Explanation:
gp3 decouples IOPS from volume size: every gp3 volume gets a baseline of 3,000 IOPS and 125 MiB/s regardless of size, and IOPS can be provisioned up to 16,000 (and throughput up to 1,000 MiB/s) independently, at a lower per-GiB price than gp2. Changing a gp2 volume to gp3 is an online volume modification, so the instances do not need to be rebuilt. Throughput Optimized HDD (st1) is built for large sequential throughput and tops out at 500 IOPS per volume; ElastiCache caches application data and does nothing for EBS I/O; and storage optimized instances rely on local instance store, which is ephemeral and would mean migrating the workload and its data rather than resizing a volume.
A company website contains a web tier and a database tier on AWS. The web tier consists of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones. The database tier runs on an Amazon RDS for MySQL Multi-AZ DB instance. The database subnet network ACLs are restricted to only the web subnets that need access to the database. The web subnets use the default network ACL with the default rules.
The company's operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error message states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups.
Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Select TWO.)
- A . On the default ACL, create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.
- B . On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify the destinations as the database subnets.
- C . On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
- D . On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
- E . On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.
CD
Explanation:
Network ACLs are stateless, so a TCP session into the database subnets needs an explicit allow in both directions: the web server's request arrives on destination port 3306, and the database's reply leaves for the web server's ephemeral source port. The database-subnet ACLs were written for the two original web subnets only, so instances launched into the third subnet cannot complete a connection, which is why the error is intermittent (it depends on which subnet the connecting instance landed in). Two rules fix it:
Create an Inbound Allow Rule for MySQL/Aurora (3306):
On the network ACL for the database subnets, add an inbound allow rule that permits traffic from the third web subnet's CIDR on port 3306 (MySQL/Aurora).
Reference: Network ACLs
Create an Outbound Allow Rule for Ephemeral Ports:
On the network ACL for the database subnets, add an outbound allow rule that permits traffic to the third web subnet's CIDR on the ephemeral port range (1024-65535; this range covers the source ports used by Linux, Windows and NAT gateway clients).
Reference: Ephemeral Ports
Options A and B are unnecessary because the web subnets use the default network ACL, which already allows all inbound and outbound traffic. Option E is wrong because return traffic from the database is destined for the client's ephemeral port, not port 3306. Give the new rules numbers lower than any deny rule that would otherwise match them, because an ACL evaluates rules in ascending order and stops at the first match.
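The rule logic the two answers rely on, as an added example that is not part of the original question bank: a small Python model of a stateless network ACL for the database subnets. The subnet CIDRs, rule numbers and the client port are assumptions. The model shows that adding only the inbound 3306 rule still leaves the session broken until the outbound ephemeral-port rule is added as well.

```python
"""Stateless network ACL evaluation for the MySQL connectivity question.

Added example, not part of the original page. Assumed addressing:
web subnets 10.0.1.0/24 and 10.0.2.0/24, the new third web subnet 10.0.3.0/24.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # range the outbound rule must allow for return traffic
MYSQL = (3306, 3306)


@dataclass(frozen=True)
class Rule:
    number: int     # rules are evaluated in ascending number order, first match wins
    action: str     # "allow" or "deny"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules
    ports: tuple    # inclusive (low, high) destination port range


def evaluate(rules, address, port):
    """True if the ACL allows a packet to/from `address` with destination `port`.
    A packet that matches no numbered rule hits the implicit '*' deny."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.ports
        if addr in ipaddress.ip_network(rule.cidr) and low <= port <= high:
            return rule.action == "allow"
    return False


def mysql_session_ok(db_inbound, db_outbound, web_ip, client_port):
    """A TCP session through a stateless NACL needs BOTH directions allowed:
    the request (web -> db, destination port 3306) against the inbound rules and
    the reply (db -> web, destination = the client's ephemeral port) against the outbound rules."""
    request_allowed = evaluate(db_inbound, web_ip, 3306)
    reply_allowed = evaluate(db_outbound, web_ip, client_port)
    return request_allowed and reply_allowed


# Database-subnet NACL as it stood before the third web subnet existed (assumed rules).
DB_INBOUND = [Rule(100, "allow", "10.0.1.0/24", MYSQL),
              Rule(110, "allow", "10.0.2.0/24", MYSQL)]
DB_OUTBOUND = [Rule(100, "allow", "10.0.1.0/24", EPHEMERAL),
               Rule(110, "allow", "10.0.2.0/24", EPHEMERAL)]


def allow_web_subnet(db_inbound, db_outbound, cidr, rule_number):
    """Answers C and D: an inbound 3306 rule plus an outbound ephemeral-port rule for the new subnet."""
    return (db_inbound + [Rule(rule_number, "allow", cidr, MYSQL)],
            db_outbound + [Rule(rule_number, "allow", cidr, EPHEMERAL)])


if __name__ == "__main__":
    new_in, new_out = allow_web_subnet(DB_INBOUND, DB_OUTBOUND, "10.0.3.0/24", 120)
    for label, inb, outb in (("before fix", DB_INBOUND, DB_OUTBOUND),
                             ("inbound only", new_in, DB_OUTBOUND),
                             ("both rules", new_in, new_out)):
        ok = mysql_session_ok(inb, outb, "10.0.3.25", 51234)
        print(f"{label:13s} web 10.0.3.25 -> db on 3306: {'connects' if ok else 'fails'}")
```

The "inbound only" case is the one that bites in practice: the SYN reaches the database, the SYN-ACK is dropped on the way back, and the client sees a connection timeout rather than a refusal.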
A SysOps administrator has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. The instance also is EBS-optimized. To save costs, the SysOps administrator stops the instance each evening and restarts the instance each morning.
When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3,000 VolumeReadOps. The SysOps administrator must improve the I/O performance while ensuring data integrity.
Which action will meet these requirements?
- A . Change the instance type to a large, burstable, general purpose instance.
- B . Change the instance type to an extra large general purpose instance.
- C . Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume.
- D . Move the data that resides on the EBS volume to the instance store.
C
Explanation:
Step-by-Step
Understand the Problem:
The EC2 instance processes large data files and uses a 1 TB General Purpose SSD (gp2) EBS volume.
CloudWatch metrics show consistent high VolumeReadOps.
The requirement is to improve I/O performance while ensuring data integrity.
Analyze the Requirements:
Improve I/O performance.
Maintain data integrity.
Evaluate the Options:
Option A: Change the instance type to a large, burstable, general-purpose instance.
Burstable instances provide a baseline level of CPU performance with the ability to burst when credits are available. The bottleneck here is volume IOPS, not CPU, so this does not help.
Option B: Change the instance type to an extra-large general-purpose instance.
A larger instance raises the instance's own EBS bandwidth ceiling, but the instance is already EBS-optimized and the limiting factor is the volume's baseline IOPS, so the bottleneck stays where it is.
Option C: Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume.
gp2 baseline performance is 3 IOPS per GiB (minimum 100, maximum 16,000). A 1 TB (1,024 GiB) volume therefore has a baseline of about 3,072 IOPS, which matches the steady 3,000 VolumeReadOps in the metrics: the volume is pinned at its baseline, and because volumes of 1,000 GiB and larger already have a baseline at or above the 3,000 IOPS burst ceiling, it cannot burst any higher. Doubling the size to 2 TB doubles the baseline to about 6,144 IOPS. The resize is an online volume modification and the data stays on durable EBS storage.
Option D: Move the data that resides on the EBS volume to the instance store.
Instance store volumes provide high I/O performance but are ephemeral: their contents are lost when the instance is stopped, which this administrator does every evening. This does not ensure data integrity.
Select the Best Solution:
Option C: Increasing the EBS volume size to 2 TB raises the gp2 baseline IOPS, improving I/O performance while keeping the data on persistent storage.
Reference: Amazon EBS Volume Types
General Purpose SSD (gp2) Volumes
Increasing the size of the gp2 volume is the option offered here that improves I/O performance while keeping data integrity intact; migrating the volume to gp3 and provisioning IOPS directly would also work, but it is not among the choices.
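The IOPS arithmetic behind this question and the gp2-to-gp3 question above, as an added Python example (not AWS code and not part of the original page). It encodes the published gp2 and gp3 limits; taking "1 TB" to mean 1,024 GiB is an assumption, and the helper that converts a VolumeReadOps count to IOPS assumes you know the CloudWatch period the metric was read with.

```python
"""EBS IOPS arithmetic for the two EBS questions above. Added example, not AWS code.
Sizes are in GiB, the unit EBS uses; '1 TB' in the question is taken as 1,024 GiB."""

GP2_IOPS_PER_GIB = 3
GP2_MIN_IOPS, GP2_MAX_IOPS = 100, 16_000
GP2_BURST_IOPS = 3_000

GP3_BASELINE_IOPS, GP3_MAX_IOPS, GP3_MAX_IOPS_PER_GIB = 3_000, 16_000, 500
GP3_BASELINE_MIBPS, GP3_MAX_MIBPS, GP3_MAX_MIBPS_PER_IOPS = 125, 1_000, 0.25


def gp2_baseline_iops(size_gib):
    """gp2 baseline scales with size: 3 IOPS/GiB, floor 100, ceiling 16,000."""
    return max(GP2_MIN_IOPS, min(GP2_MAX_IOPS, GP2_IOPS_PER_GIB * size_gib))


def gp2_peak_iops(size_gib):
    """Volumes whose baseline is below 3,000 can burst to 3,000 on I/O credits;
    at 1,000 GiB and above the baseline already meets or exceeds that, so there is no burst headroom."""
    return max(gp2_baseline_iops(size_gib), GP2_BURST_IOPS)


def gp3_max_provisionable_iops(size_gib):
    """gp3 gives 3,000 IOPS at any size and lets you provision up to 16,000, capped at 500 IOPS per GiB."""
    return max(GP3_BASELINE_IOPS, min(GP3_MAX_IOPS, GP3_MAX_IOPS_PER_GIB * size_gib))


def gp3_config_valid(size_gib, iops, throughput_mibps):
    """Check a requested gp3 provisioning against the published limits
    (3,000-16,000 IOPS, 125-1,000 MiB/s, and at most 0.25 MiB/s per provisioned IOPS)."""
    return (GP3_BASELINE_IOPS <= iops <= gp3_max_provisionable_iops(size_gib)
            and GP3_BASELINE_MIBPS <= throughput_mibps <= GP3_MAX_MIBPS
            and throughput_mibps <= GP3_MAX_MIBPS_PER_IOPS * iops)


def iops_from_volume_ops(volume_ops_count, period_seconds):
    """CloudWatch VolumeReadOps/VolumeWriteOps are counts per period; divide by the period to get IOPS."""
    return volume_ops_count / period_seconds


if __name__ == "__main__":
    for size in (100, 1024, 2048):
        print(f"gp2 {size:5d} GiB: baseline {gp2_baseline_iops(size):6d} IOPS, peak {gp2_peak_iops(size):6d} IOPS")
    print("gp3 1024 GiB at 6,000 IOPS / 250 MiB/s is valid:", gp3_config_valid(1024, 6000, 250))
    print("gp3 1024 GiB at 3,000 IOPS / 1,000 MiB/s is valid:", gp3_config_valid(1024, 3000, 1000))
```

The last line is the trap people hit when sizing gp3: the 1,000 MiB/s ceiling needs at least 4,000 provisioned IOPS because of the 0.25 MiB/s-per-IOPS ratio, so throughput and IOPS have to be raised together.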
A company currently runs its infrastructure within a VPC in a single Availability Zone. The VPC is connected to the company's on-premises data center through an AWS Site-to-Site VPN connection attached to a virtual private gateway. The on-premises route tables route all VPC networks to the VPN connection. Communication between the two environments is working correctly. A SysOps administrator created new VPC subnets within a new Availability Zone and deployed new resources within the subnets. However, communication cannot be established between the new resources and the on-premises environment.
Which steps should the SysOps administrator take to resolve the issue?
- A . Add a route to the route tables of the new subnets that send on-premises traffic to the virtual private gateway.
- B . Create a ticket with AWS Support to request adding Availability Zones to the Site-to-Site VPN route configuration.
- C . Establish a new Site-to-Site VPN connection between a virtual private gateway attached to the new Availability Zone and the on-premises data center.
- D . Replace the Site-to-Site VPN connection with an AWS Direct Connect connection.
A
Explanation:
Adding a Route to the Route Tables:
When new subnets are created, they need appropriate routing to ensure communication with on-premises networks.
Steps:
Go to the AWS Management Console.
Navigate to VPC.
Select the route table associated with the new subnets.
Choose "Edit routes."
Add a new route with the destination CIDR block of the on-premises network.
For the target, select the virtual private gateway (VGW).
This ensures that traffic destined for the on-premises network is routed through the VPN connection. Alternatively, enable route propagation from the virtual private gateway on the new route table so the on-premises prefixes learned over the VPN appear automatically instead of being added as static routes. Nothing changes on the VPN or on the on-premises side: a virtual private gateway is attached to the VPC, not to an Availability Zone (which is why options B and C describe things that do not exist), and the on-premises router already sends the whole VPC CIDR into the tunnel. Verify by checking that the new subnets' route table contains a route whose target is the virtual private gateway and that the subnets are actually associated with that table rather than with the main route table.
Reference: AWS VPC Route Tables
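How the VPC router chooses a route, as an added Python example that is not AWS code: a longest-prefix-match lookup over the original subnets' route table and over the new subnets' route table. The VPC CIDR, on-premises CIDR, subnet address and virtual private gateway ID are hypothetical, and the example assumes the new subnets were associated with a freshly created route table that only carries the local route.

```python
"""Route-table lookup for the Site-to-Site VPN question above. Added example, not AWS code.
Assumed addresses: VPC 10.0.0.0/16, new-AZ subnet 10.0.20.0/24, on-premises 192.168.0.0/16,
virtual private gateway vgw-0123456789abcdef0 (all hypothetical)."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "192.168.0.0/16"
VGW = "vgw-0123456789abcdef0"


def lookup(route_table, destination_ip):
    """Longest-prefix match, as the VPC router does.
    Returns the target of the most specific matching route, or None when nothing matches
    (the packet is dropped; there is no implicit default route in a VPC route table)."""
    dst = ipaddress.ip_address(destination_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Route table of the original subnets: the local route plus a static route to the VGW.
ORIGINAL_RT = [(VPC_CIDR, "local"), (ONPREM_CIDR, VGW)]
# A new route table created for the new subnets only carries the local route.
NEW_AZ_RT = [(VPC_CIDR, "local")]


def add_static_route(route_table, cidr, target):
    """Answer A: add a static route for the on-premises CIDR that targets the virtual private gateway."""
    return route_table + [(cidr, target)]


def enable_propagation(route_table, vgw, advertised_cidrs):
    """The equivalent fix: with propagation enabled, every prefix the VGW learns is added with the VGW as target."""
    return route_table + [(cidr, vgw) for cidr in advertised_cidrs]


if __name__ == "__main__":
    onprem_host = "192.168.5.10"
    print("original subnets ->", lookup(ORIGINAL_RT, onprem_host))
    print("new subnets, before ->", lookup(NEW_AZ_RT, onprem_host))
    print("new subnets, static route ->", lookup(add_static_route(NEW_AZ_RT, ONPREM_CIDR, VGW), onprem_host))
    print("new subnets, propagation ->", lookup(enable_propagation(NEW_AZ_RT, VGW, [ONPREM_CIDR]), onprem_host))
```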
A SysOps administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company’s account. The administrator must be alerted to potential issues.
What should the administrator do to receive email alerts before low storage space affects EC2 instance performance?
- A . Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications
- B . Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic.
- C . Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic.
- D . Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space
C
Explanation:
Amazon EC2 publishes instance-level metrics (CPU, network, EBS I/O) to CloudWatch by default, but it cannot see inside the guest file system, so free disk space is not among the built-in metrics (which rules out option A). CloudTrail records API calls, not resource health, and Trusted Advisor has no per-instance disk space check. To monitor free space on the EBS volumes attached to Windows EC2 instances and receive email alerts before low storage affects performance, follow these steps:
Install the Amazon CloudWatch Agent:
Download and install the CloudWatch agent on your Windows EC2 instances.
Reference: Installing the CloudWatch Agent on EC2 Instances
Configure the CloudWatch Agent:
Create a CloudWatch agent configuration file to collect disk space metrics.
Use the configuration wizard or write the JSON file by hand; on Windows the agent collects the LogicalDisk performance counters, so request the "% Free Space" counter for the drives you care about. The instance's IAM role must allow cloudwatch:PutMetricData, which the managed CloudWatchAgentServerPolicy grants.
Reference: Create the CloudWatch Agent Configuration File
Start the CloudWatch Agent:
Start the agent using the configuration file you created.
Reference: Starting the CloudWatch Agent
Create CloudWatch Alarms:
In the CloudWatch console, navigate to Alarms and create a new alarm based on the disk space metrics reported by the agent.
Set threshold conditions for low disk space and specify actions to be taken when the alarm state is triggered.
Reference: Creating Alarms
Set Up Amazon SNS for Notifications:
Create an SNS topic and subscribe your email address to this topic.
In the CloudWatch alarm configuration, add the SNS topic as a notification target.
Reference: Setting Up Amazon SNS Notifications
By following these steps, you ensure that you receive email alerts when disk space on your EC2 instances is running low, preventing performance issues.
A company has deployed a web application in a VPC that has subnets in three Availability Zones. The company launches three Amazon EC2 instances from an EC2 Auto Scaling group behind an Application Load Balancer (ALB).
A SysOps administrator notices that two of the EC2 instances are in the same Availability Zone, rather than being distributed evenly across all three Availability Zones. There are no errors in the Auto Scaling group’s activity history.
What is the MOST likely reason for the unexpected placement of EC2 instances?
- A . One Availability Zone did not have sufficient capacity for the requested EC2 instance type.
- B . The ALB was configured for only two Availability Zones.
- C . The Auto Scaling group was configured for only two Availability Zones.
- D . Amazon EC2 Auto Scaling randomly placed the instances in Availability Zones.
A
Explanation:
The most likely reason for the unexpected placement of EC2 instances is that one Availability Zone did not have sufficient capacity for the requested EC2 instance type.
Capacity Constraints:
AWS manages EC2 instance placement based on available capacity in the Availability Zones.
If a particular Availability Zone does not have enough capacity for the instance type you requested, AWS will place instances in other Availability Zones with sufficient capacity.
Auto Scaling Group Configuration:
Even if the Auto Scaling group is configured to use all three Availability Zones, instances might not be evenly distributed if one zone lacks the required capacity.
This can result in instances being placed in the remaining zones with available capacity.
Monitoring and Mitigation:
Monitor the capacity limits and instance distribution using CloudWatch and the Auto Scaling group’s activity history.
Use several instance types through a mixed instances policy so that a shortage of one type in one zone does not push every launch elsewhere. Auto Scaling's Availability Zone rebalancing will later launch instances in the under-represented zone and terminate the surplus once capacity returns, so the imbalance is normally temporary.
Reference: Amazon EC2 Auto Scaling
Troubleshooting Amazon EC2 Capacity Issues
A company’s public website is hosted in an Amazon S3 bucket in the us-east-1 Region behind an Amazon CloudFront distribution. The company wants to ensure that the website is protected from DDoS attacks. A SysOps administrator needs to deploy a solution that gives the company the ability to maintain control over the rate limit at which DDoS protections are applied.
Which solution will meet these requirements?
- A . Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.
- B . Deploy an AWS WAF web ACL with an allow default action in us-east-1. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the S3 bucket.
- C . Deploy a global-scoped AWS WAF web ACL with a block default action. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the CloudFront distribution.
- D . Deploy an AWS WAF web ACL with a block default action in us-east-1. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the S3 bucket.
A
Explanation:
AWS WAF helps protect web applications from common exploits and bots, and a rate-based rule lets you choose the request rate per source IP address above which WAF takes action, which is exactly the control the company asked for. CloudFront already includes AWS Shield Standard for network- and transport-layer DDoS protection, so the rate-based rule adds the application-layer control on top. Web ACLs that protect CloudFront must be created with the global (CloudFront) scope, which the API and CLI expose as scope CLOUDFRONT in the us-east-1 Region; a regional web ACL cannot be attached to a distribution, and no web ACL can be attached to an S3 bucket, which rules out options B and D.
Create a Global-Scoped AWS WAF Web ACL:
Navigate to the AWS WAF console.
Create a new Web ACL and choose "Global (CloudFront)" for the scope.
Set the default action to "Allow".
Configure a Rate-Based Rule:
Within the Web ACL, add a new rule and select "Rate-based rule".
Define the rate limit (e.g., 2000 requests per 5 minutes per source IP).
Set the action to "Block". (Option C inverts this: a default action of Block with a rate rule that allows matching traffic would block every client that stays under the limit.)
Associate Web ACL with CloudFront Distribution:
After creating the Web ACL and rule, go to your CloudFront distribution settings. In the "General" tab, associate the Web ACL with your CloudFront distribution.
Review and Confirm:
Review the configuration and ensure the Web ACL is correctly associated with the CloudFront distribution. Also confirm the S3 origin is reachable only through CloudFront (origin access control plus a bucket policy that allows only that distribution); otherwise an attacker can bypass both WAF and the rate limit by requesting the bucket endpoint directly.
Reference: AWS WAF Rate-Based Rules
Associating AWS WAF with CloudFront
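A model of the rate-based rule and of the web ACL default action, as an added Python example that is not AWS WAF code or part of the original page. The request log is constructed; the limit of 2,000 requests per 5 minutes is the figure from the explanation. AWS WAF counts per source IP and re-evaluates the counts roughly every 30 seconds, whereas this model re-checks on every request, so it is slightly stricter than the real service.

```python
"""Rate-based rule evaluation for the CloudFront/WAF question above. Added example, not AWS WAF code."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300      # the 5-minute evaluation window from the explanation
DEFAULT_LIMIT = 2000      # requests per window per source IP


class RateBasedRule:
    def __init__(self, limit=DEFAULT_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)   # source IP -> timestamps still inside the window

    def matches(self, source_ip, ts):
        """True when this IP has exceeded `limit` requests within the trailing window.
        Old timestamps are evicted first, so an IP that goes quiet is released automatically."""
        q = self.recent[source_ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q) > self.limit


def web_acl_decision(rule_matched, rule_action="BLOCK", default_action="ALLOW"):
    """Answer A: default Allow, rate rule Block. Answer C (default Block, rule Allow) drops all normal traffic."""
    return rule_action if rule_matched else default_action


def evaluate_log(requests, limit=DEFAULT_LIMIT):
    """Run a sequence of (timestamp_seconds, source_ip) through the rule; return blocked counts per IP."""
    rule = RateBasedRule(limit)
    blocked = defaultdict(int)
    for ts, ip in sorted(requests):
        if web_acl_decision(rule.matches(ip, ts)) == "BLOCK":
            blocked[ip] += 1
    return dict(blocked)


def constructed_log():
    """Constructed sample: 2,500 requests in 60 s from one source (a flood) plus 50 requests
    spread over 5 minutes from a normal client. Documentation-range addresses."""
    flood = [(i * 60 / 2500, "203.0.113.9") for i in range(2500)]
    normal = [(i * 6, "198.51.100.4") for i in range(50)]
    return flood + normal


if __name__ == "__main__":
    print("blocked per IP:", evaluate_log(constructed_log()))
    print("option C would answer a normal request with:", web_acl_decision(False, "ALLOW", "BLOCK"))
```

Note that the count is keyed on the client IP CloudFront sees; if the site is fronted by another proxy or a large NAT, tune the limit or switch the rule's aggregation key to a forwarded-IP header so one shared address does not get the whole office blocked.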
A company is partnering with an external vendor to provide data processing services. For this integration, the vendor must host the company’s data in an Amazon S3 bucket in the vendor’s AWS account. The vendor is allowing the company to provide an AWS Key Management Service (AWS KMS) key to encrypt the company’s data. The vendor has provided an IAM role Amazon Resource Name (ARN) to the company for this integration.
What should a SysOps administrator do to configure this integration?
- A . Create a new KMS key. Add the vendor’s IAM role ARN to the KMS key policy. Provide the new KMS key ARN to the vendor.
- B . Create a new KMS key. Create a new IAM user. Add the vendor’s IAM role ARN to an inline policy that is attached to the IAM user. Provide the new IAM user ARN to the vendor.
- C . Configure encryption using the KMS managed S3 key. Add the vendor’s IAM role ARN to the KMS managed S3 key policy. Provide the KMS managed S3 key ARN to the vendor.
- D . Configure encryption using the KMS managed S3 key. Create an S3 bucket. Add the vendor’s IAM role ARN to the S3 bucket policy. Provide the S3 bucket ARN to the vendor.
A
Explanation:
To configure integration with an external vendor and ensure that the vendor can use the AWS KMS key to encrypt the company’s data in the vendor’s AWS account, follow these steps:
Create a New KMS Key:
Navigate to the AWS KMS console.
Create a new KMS key that will be used to encrypt the data.
Reference: Creating Keys
Add the Vendor’s IAM Role ARN to the KMS Key Policy:
Edit the key policy of the new KMS key to allow the vendor's IAM role to use the key. Keep the statement that gives the owning account's root principal full kms:* access: a key policy that contains only the vendor statement would leave nobody in the company able to administer, or later revoke, the key.
Example key policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOwnerAccountAdministration",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::company-account-id:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowVendorRoleUsage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::vendor-account-id:role/vendor-role-name"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
Reference: Key Policies in AWS KMS
Provide the KMS Key ARN to the Vendor:
After updating the key policy, provide the ARN of the newly created KMS key to the vendor. Because the vendor's role lives in a different account, the key policy alone is not sufficient: the vendor must also attach an IAM policy to that role granting the same kms actions on the key ARN, and configure their S3 bucket (default encryption or a bucket policy) to use SSE-KMS with that key. The vendor can then store the company's data encrypted under the company's key, and the company keeps control, since access can be revoked at any time by removing the vendor statement from the key policy.
By following these steps, the company can ensure that its data is securely encrypted using its own KMS key while allowing the vendor to host the data in their AWS account.
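Building the key policy and checking it for the two mistakes that matter most (locking the owning account out of its own key, and handing the vendor administrative rights), as an added Python example that is not AWS code or part of the original page. The account IDs, the role name and the S3 Region used in the kms:ViaService condition are assumptions.

```python
"""Cross-account KMS key policy for the vendor question above, built and sanity-checked.
Added example, not AWS code. Account IDs, role name and the S3 Region are hypothetical."""
import json

OWNER_ACCOUNT = "111122223333"
VENDOR_ROLE_ARN = "arn:aws:iam::444455556666:role/vendor-data-processing"
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
# Actions a vendor should never receive on a key the company owns.
ADMIN_ACTIONS = {"kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CreateGrant", "kms:DisableKey"}


def build_key_policy(owner_account, vendor_role_arn, s3_region="us-east-1"):
    """Owner keeps full administration; the vendor role gets usage only, and only via S3 in one Region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this statement the owning account loses control of its own key.
                "Sid": "OwnerAccountAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # kms:ViaService pins the grant to requests S3 makes on the vendor role's behalf.
                "Sid": "VendorRoleUsage",
                "Effect": "Allow",
                "Principal": {"AWS": vendor_role_arn},
                "Action": USAGE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{s3_region}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_key_policy(policy, owner_account, vendor_role_arn):
    """Return a list of findings; an empty list means the policy passes these checks."""
    findings = []
    owner_root = f"arn:aws:iam::{owner_account}:root"
    owner_admin = False
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(st.get("Action", [])))
        if "*" in principals:
            findings.append("wildcard principal")
        if owner_root in principals and "kms:*" in actions:
            owner_admin = True
        if vendor_role_arn in principals and actions & ADMIN_ACTIONS:
            findings.append("vendor granted administrative actions")
    if not owner_admin:
        findings.append("owning account has no administrative statement (lockout risk)")
    return findings


if __name__ == "__main__":
    policy = build_key_policy(OWNER_ACCOUNT, VENDOR_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_key_policy(policy, OWNER_ACCOUNT, VENDOR_ROLE_ARN))
```

Run the audit against any key policy you are about to apply with put-key-policy; the KMS console refuses a policy that would lock you out, but the API and infrastructure-as-code tools will happily apply one.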
A company has a stateless application that is hosted on a fleet of 10 Amazon EC2 On-Demand Instances in an Auto Scaling group. A minimum of 6 instances are needed to meet service requirements.
Which action will maintain uptime for the application MOST cost-effectively?
- A . Use a Spot Fleet with an On-Demand capacity of 6 instances.
- B . Update the Auto Scaling group with a minimum of 6 On-Demand Instances and a maximum of 10 On-Demand Instances.
- C . Update the Auto Scaling group with a minimum of 1 On-Demand Instance and a maximum of 6 On-Demand Instances.
- D . Use a Spot Fleet with a target capacity of 6 instances.
A
Explanation:
Step-by-Step
Understand the Problem:
The company has a stateless application on 10 EC2 On-Demand Instances in an Auto Scaling group.
At least 6 instances are needed to meet service requirements.
The goal is to maintain uptime cost-effectively.
Analyze the Requirements:
Maintain a minimum of 6 instances to meet service requirements.
Optimize costs by mixing purchase options (On-Demand and Spot), not by changing instance types.
Evaluate the Options:
Option A: Use a Spot Fleet with an On-Demand capacity of 6 instances.
A Spot Fleet request can combine On-Demand and Spot capacity: its On-Demand target capacity is always fulfilled with On-Demand Instances, and the remainder of the total target capacity is fulfilled with Spot Instances.
Setting the On-Demand capacity to 6 (out of a total target of 10) guarantees the required baseline even if every Spot Instance is reclaimed, while the remaining 4 instances run at the lower Spot price. Because the application is stateless, Spot interruptions of the extra capacity do not lose data.
Option B: Update the Auto Scaling group with a minimum of 6 On-Demand Instances and a maximum of 10 On-Demand Instances.
This option ensures the minimum required capacity but does not optimize costs since it only uses On-Demand Instances.
Option C: Update the Auto Scaling group with a minimum of 1 On-Demand Instance and a maximum of 6 On-Demand Instances.
This does not meet the requirement of maintaining at least 6 instances at all times.
Option D: Use a Spot Fleet with a target capacity of 6 instances.
This option relies entirely on Spot Instances, which may not always be available, risking insufficient capacity.
Select the Best Solution:
Option A: Using a Spot Fleet with an On-Demand capacity of 6 instances ensures the necessary uptime with a cost-effective mix of On-Demand and Spot Instances.
Reference: Amazon EC2 Auto Scaling
Amazon EC2 Spot Instances
Spot Fleet Documentation
Using a Spot Fleet with a combination of On-Demand and Spot Instances offers a cost-effective solution while ensuring the required minimum capacity for the application.