Practice Free SOA-C02 Exam Online Questions
A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations.
What should a SysOps administrator do to implement this requirement?
- A . Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
- B . Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
- C . Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
- D . Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
C
Explanation:
To enforce the use of approved EC2 instance configurations across different business units efficiently:
AWS Service Catalog: Utilize AWS Service Catalog to manage and govern commonly deployed IT services. Create a catalog of pre-approved products (in this case, EC2 instance configurations).
Publish Products: Define and publish EC2 instance configurations as products within the Service Catalog. These products will incorporate all the necessary and approved configurations, options, and software.
Launch Constraints: Assign launch constraints to these products, ensuring that users can only launch EC2 instances as defined by the pre-approved configurations.
Control Access: Grant business units access only to the Service Catalog for provisioning EC2 instances. This ensures they use only those configurations that comply with company policies and standards.
This approach not only standardizes resource deployment but also simplifies management and enhances compliance across the organization.
A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet.
What should a SysOps administrator do to meet the compliance requirement?
- A . Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
- B . Configure AWS Network Firewall to redirect traffic to the internal S3 address.
- C . Modify the application to use the S3 path-style endpoint.
- D . Set up a range of VPC network ACLs to redirect traffic to the Internal S3 address.
A
Explanation:
Using the interface endpoint, applications in your on-premises data center can easily query S3 buckets over AWS Direct Connect or Site-to-Site VPN. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/
A company is running a development application on an Amazon EC2 instance. The application uploads 500,000 files that are 1 GB in size into a large Amazon S3 bucket that has default encryption enabled. The EC2 instance is in the same AWS Region where the S3 bucket is deployed.
The company uses performance logging that is built into the application software. The logs show that the application is constantly waiting for the files to be written to the S3 bucket. A SysOps administrator needs to improve the application’s throughput performance. The SysOps administrator validates that the networking on the EC2 instance is not constrained.
What should the SysOps administrator do to improve the S3 upload performance?
- A . Enable S3 Transfer Acceleration on the S3 bucket.
- B . Split the S3 write operations to use multiple bucket prefixes to write items in parallel.
- C . Configure AWS PrivateLink for Amazon S3. Turn off encryption on the S3 bucket.
- D . Configure AWS Global Accelerator in the Region. Turn off encryption on the S3 bucket.
B
Explanation:
Improve S3 Upload Performance:
Using multiple bucket prefixes can improve throughput by allowing parallel upload streams.
Steps:
Modify the application to write files to different prefixes in the S3 bucket.
Example: Instead of writing all files to s3://bucket-name/, write to s3://bucket-name/prefix1/, s3://bucket-name/prefix2/, etc.
Reference: Best Practices for Amazon S3 Performance
A company uses an Amazon Simple Queue Service (Amazon SQS) standard queue with its application. The application sends messages to the queue with unique message bodies. The company decides to switch to an SQS FIFO queue.
What must the company do to migrate to an SQS FIFO queue?
- A . Create a new SQS FIFO queue. Turn on content-based deduplication on the new FIFO queue. Update the application to include a message group ID in the messages.
- B . Create a new SQS FIFO queue. Update the application to include the DelaySeconds parameter in the messages.
- C . Modify the queue type from SQS standard to SQS FIFO. Turn off content-based deduplication on the queue. Update the application to include a message group ID in the messages.
- D . Modify the queue type from SQS standard to SQS FIFO. Update the application to send messages with identical message bodies and to include the DelaySeconds parameter in the messages.
A
Explanation:
An existing standard queue cannot be converted in place; you must create a new FIFO queue and update the application to send a message group ID with every message. Because the message bodies are unique, enabling content-based deduplication lets SQS derive the deduplication ID from a hash of the body, so the application does not have to generate one. FIFO queues don’t support per-message delays, only per-queue delays. If your application sets the same value of the DelaySeconds parameter on each message, you must modify your application to remove the per-message delay and set DelaySeconds on the entire queue instead.
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues-moving.html
A company’s security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager.
Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances.
What should a SysOps administrator do to resolve this issue?
- A . Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
- B . Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
- C . Configure the SSM Agent to log in with a user name of "ubuntu".
- D . Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.
B
Explanation:
If users are unable to connect to a specific Ubuntu EC2 instance using AWS Systems Manager Session Manager while other instances are accessible, the issue is likely due to IAM permissions:
Instance Profile Permissions: Ensure that the EC2 instance has the necessary IAM permissions to interact with Systems Manager. The AmazonSSMManagedInstanceCore managed policy includes permissions required for the SSM Agent on the instance to communicate with the AWS Systems Manager service.
Attach Managed Policy: Attach the AmazonSSMManagedInstanceCore policy to the IAM role that is associated with the Ubuntu instance’s instance profile. This step is crucial as it authorizes the instance to use Systems Manager services, including Session Manager.
Verify Configuration and Connectivity: After updating the instance profile, verify that users can connect via Session Manager. This solution does not require any changes to network security settings like security groups.
By ensuring that the instance has the appropriate IAM permissions, you resolve issues related to access control and Systems Manager functionality, allowing authorized personnel to connect securely without using SSH or RDP.
A team of developers is using several Amazon S3 buckets as centralized repositories. Users across the world upload large sets of files to these repositories. The development team’s applications later process these files.
A SysOps administrator sets up a new S3 bucket, DOC-EXAMPLE-BUCKET, to support a new workload. The new S3 bucket also receives regular uploads of large sets of files from users worldwide. When the new S3 bucket is put into production, the upload performance from certain geographic areas is lower than the upload performance that the existing S3 buckets provide.
What should the SysOps administrator do to remediate this issue?
- A . Provision an Amazon ElastiCache for Redis cluster for the new S3 bucket. Provide the developers with the configuration endpoint of the cluster for use in their API calls.
- B . Add the new S3 bucket to a new Amazon CloudFront distribution. Provide the developers with the domain name of the new distribution for use in their API calls.
- C . Enable S3 Transfer Acceleration for the new S3 bucket. Verify that the developers are using the DOC-EXAMPLE-BUCKET.s3-accelerate.amazonaws.com endpoint name in their API calls.
- D . Use S3 multipart upload for the new S3 bucket. Verify that the developers are using Region-specific S3 endpoint names such as DOC-EXAMPLE-BUCKET.s3.[Region].amazonaws.com in their API calls.
C
Explanation:
For improving upload performance globally for an Amazon S3 bucket, enabling S3 Transfer Acceleration is the best solution. This service optimizes file transfers to S3 using Amazon CloudFront’s globally distributed edge locations. After enabling this feature, uploads to the S3 bucket are first routed to an AWS edge location and then transferred to S3 over an optimized network path. Option C is correct, and the developers should use the provided accelerate endpoint in their API calls. For more details, consult the AWS documentation on Amazon S3 Transfer Acceleration.
A company is running an application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are launched by an Auto Scaling group and are automatically registered in a target group. A SysOps administrator must set up a notification to alert application owners when targets fail health checks.
What should the SysOps administrator do to meet these requirements?
- A . Create an Amazon CloudWatch alarm on the UnHealthyHostCount metric. Configure an action to send an Amazon Simple Notification Service (Amazon SNS) notification when the metric is greater than 0.
- B . Configure an Amazon EC2 Auto Scaling custom lifecycle action to send an Amazon Simple Notification Service (Amazon SNS) notification when an instance is in the Pending:Wait state.
- C . Update the Auto Scaling group. Configure an activity notification to send an Amazon Simple Notification Service (Amazon SNS) notification for the Unhealthy event type.
- D . Update the ALB health check to send an Amazon Simple Notification Service (Amazon SNS) notification when an instance is unhealthy.
A
Explanation:
To set up a notification for failed health checks of targets in the ALB, follow these steps:
Create a CloudWatch Alarm:
Navigate to CloudWatch and create a new alarm based on the UnHealthyHostCount metric of the target group.
Reference: Creating Alarms
Configure the Alarm Action:
Configure the alarm to send an Amazon SNS notification when the UnHealthyHostCount metric is greater than 0.
Reference: Using Amazon SNS for CloudWatch Alarms
This setup will notify application owners whenever a target fails health checks.
A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the administrator is unable to connect to any of the domains that reside on the internet.
What additional route destination rule should the administrator add to the route tables?
- A . Route ::/0 traffic to a NAT gateway
- B . Route ::/0 traffic to an internet gateway
- C . Route 0.0.0.0/0 traffic to an egress-only internet gateway
- D . Route ::/0 traffic to an egress-only internet gateway
D
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html
To allow outbound IPv6 traffic from instances in your VPC to the internet, but prevent inbound traffic from the internet, you should use an egress-only internet gateway.
Egress-Only Internet Gateway:
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet and prevents the internet from initiating an IPv6 connection with your instances.
Routing Configuration:
Open the Amazon VPC console.
Select the route table associated with your VPC.
Add a route for IPv6 traffic (destination ::/0) to the egress-only internet gateway.
Reference: Egress-Only Internet Gateways
Reference: Routing for IPv6 Traffic
A company needs to view a list of security groups that are open to the internet on port 3389.
What should a SysOps administrator do to meet this requirement?
- A . Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.
- B . Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389
- C . Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.
- D . Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.
D
Explanation:
To find security groups that are open to the internet on port 3389, using AWS Trusted Advisor is the most straightforward solution.
AWS Trusted Advisor:
AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.
It includes a security check that identifies security groups with unrestricted access.
Steps to Use Trusted Advisor:
Open the AWS Trusted Advisor console.
In the "Security" category, look for the check that identifies security groups with unrestricted access. Review the report to find security groups that allow unrestricted access on port 3389 (RDP).
Reference: AWS Trusted Advisor
Reference: AWS Trusted Advisor Best Practices