Practice Free SOA-C02 Exam Online Questions
A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:
2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK
What is a possible cause of these failed connections?
- A . A security group is denying traffic on port 443.
- B . The EC2 instance is shut down.
- C . The network ACL is blocking HTTPS traffic.
- D . The VPC has no internet gateway attached.
A
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-accepted-rejected
Accepted and rejected traffic: In this example, RDP traffic (destination port 3389, TCP protocol) to network interface eni-1235b8ca123456789 in account 123456789010 was rejected. 2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
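To show how a record like the one above is read, here is an added example (not from the question bank or from AWS) that parses default version-2 flow log records, filters the rejected flows to a port, and looks for the accepted-then-rejected-reply pattern that distinguishes a network ACL from a security group; every line in SAMPLE_LOG except the first is constructed.

```python
# Field order of a default (version 2) VPC flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

def parse_flow_record(line):
    """Parse one flow log line into a dict. Numeric fields become int; the
    '-' placeholder used by NODATA/SKIPDATA records becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if name in INT_FIELDS:
            rec[name] = None if value == "-" else int(value)
        else:
            rec[name] = value
    return rec

def rejected_to_port(lines, dstport):
    """Records whose traffic to dstport was REJECTed. A REJECT means a security
    group or a network ACL dropped the flow; the record does not say which."""
    return [r for r in map(parse_flow_record, lines)
            if r["action"] == "REJECT" and r["dstport"] == dstport]

def reverse_flow_rejects(lines):
    """ACCEPTed flows whose reply (addresses/ports swapped, same interface) was
    REJECTed. A security group is stateful and never rejects the reply to a
    flow it accepted, so this pattern points at a stateless network ACL."""
    recs = [parse_flow_record(line) for line in lines]
    accepted = {(r["interface_id"], r["srcaddr"], r["srcport"],
                 r["dstaddr"], r["dstport"], r["protocol"])
                for r in recs if r["action"] == "ACCEPT"}
    return [r for r in recs if r["action"] == "REJECT" and
            (r["interface_id"], r["dstaddr"], r["dstport"],
             r["srcaddr"], r["srcport"], r["protocol"]) in accepted]

SAMPLE_LOG = [
    # the record from the question
    "2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK",
    # constructed: accepted inbound SSH and its rejected reply, the shape a
    # network ACL with no outbound ephemeral-port rule produces
    "2 111122223333 eni-<###> 198.51.100.7 203.0.113.56 51234 22 6 5 320 1418530010 1418530070 ACCEPT OK",
    "2 111122223333 eni-<###> 203.0.113.56 198.51.100.7 22 51234 6 5 320 1418530010 1418530070 REJECT OK",
    # constructed: a NODATA record, which carries '-' in most fields
    "2 111122223333 eni-<###> - - - - - - - 1418530010 1418530070 - NODATA",
]
```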
A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A SysOps administrator must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company's accounts and cloud applications.
Which prerequisites must the SysOps administrator have so that the SysOps administrator can connect to the external IdP? (Select TWO.)
- A . A copy of the IAM Identity Center SAML metadata
- B . The IdP metadata, including the public X.509 certificate
- C . The IP address of the IdP
- D . Root access to the management account
- E . Administrative permissions to the member accounts of the organization
AB
Explanation:
IAM Identity Center SAML Metadata:
This metadata is required to establish the trust relationship between AWS IAM Identity Center and the external SAML 2.0 identity provider.
Steps:
Download the IAM Identity Center SAML metadata from the AWS Management Console.
Provide this metadata to the external IdP.
IdP Metadata:
The metadata from the IdP, including the public X.509 certificate, is needed to configure the trust relationship.
Steps:
Obtain the IdP metadata, which includes the entity ID, endpoints, and X.509 certificate.
Configure the IAM Identity Center with this information.
Reference: Configuring SAML 2.0 Federation with AWS IAM Identity Center
A company runs a single-page web application on AWS. The application uses Amazon CloudFront to deliver static content from an Amazon S3 bucket origin. The application also uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to serve API calls.
Users sometimes report that the website is not operational, even when monitoring shows that the index page is reachable and that the EKS cluster is healthy. A SysOps administrator must implement additional monitoring that can detect when the website is not operational before users report the problem.
Which solution will meet these requirements?
- A . Create an Amazon CloudWatch Synthetics heartbeat monitor canary that points to the fully qualified domain name (FQDN) of the website.
- B . Create an Amazon CloudWatch Synthetics API canary that monitors the availability of API endpoints from the EKS cluster.
- C . Create an Amazon CloudWatch RUM app monitor that points to the fully qualified domain name (FQDN) of the website. Configure the app monitor to collect performance telemetry and JavaScript errors.
- D . Create an Amazon CloudWatch RUM app monitor that uses the API endpoints from the EKS cluster.
A
Explanation:
Amazon CloudWatch Synthetics:
CloudWatch Synthetics allows you to create canaries to monitor your endpoints and API calls, simulating user behavior to detect issues before users do.
Steps:
Go to the AWS Management Console.
Navigate to CloudWatch and select "Synthetics."
Click on "Create canary."
Choose "Heartbeat monitoring" as the blueprint.
Configure the canary to point to the FQDN of the website.
Set the frequency and retention settings as per your requirement.
Create the canary.
This setup continuously checks the operational status of your website, alerting you if it becomes unreachable or has issues.
Reference: AWS CloudWatch Synthetics
A SysOps administrator is using AWS Systems Manager Patch Manager to patch a fleet of Amazon EC2 instances. The SysOps administrator has configured a patch baseline and a maintenance window. The SysOps administrator also has used an instance tag to identify which instances to patch.
The SysOps administrator must give Systems Manager the ability to access the EC2 instances.
Which additional action must the SysOps administrator perform to meet this requirement?
- A . Add an inbound rule to the instances’ security group.
- B . Attach an IAM instance profile with access to Systems Manager to the instances.
- C . Create a Systems Manager activation. Then activate the fleet of instances.
- D . Manually specify the instances to patch instead of using tag-based selection.
B
Explanation:
To allow AWS Systems Manager Patch Manager to access your EC2 instances, you need to attach an IAM instance profile with the necessary permissions to the instances.
Create IAM Role for Systems Manager:
Open the IAM console at IAM Console.
Create a new role and choose EC2 as the trusted entity.
Attach the AmazonEC2RoleforSSM managed policy to the role.
Attach IAM Role to Instances:
Open the Amazon EC2 console at Amazon EC2 Console.
Select the instances that you want to manage with Systems Manager.
Choose Actions, then Instance Settings, and select Attach/Replace IAM Role.
Attach the IAM role you created.
This setup ensures that Systems Manager has the necessary permissions to manage the instances.
Reference: Setting Up AWS Systems Manager
Create an IAM Instance Profile for Systems Manager
The company wants to improve the security and high availability of a two-tier web application that was rehosted to AWS, currently in a single Availability Zone. (Select TWO):
- A . Place the web-tier instances in an Auto Scaling group. Configure the Auto Scaling group to support a Multi-AZ deployment into private subnets that are behind an internet-facing Application Load Balancer.
- B . Place the web-tier instances in an Auto Scaling group. Configure the Auto Scaling group in multiple AWS Regions. Deploy the EC2 instances into private subnets that are behind an internet-facing Application Load Balancer.
- C . Launch an additional EC2 instance to host SQL Server. Place the new database EC2 instance in a second AWS Region. Enable replication between the two database EC2 instances.
- D . Use AWS Database Migration Service (AWS DMS) to migrate the database EC2 instance to Amazon RDS for SQL Server with Multi-AZ Database Mirroring (DBM).
- E . Use AWS Database Migration Service (AWS DMS) to migrate the database EC2 instance to Amazon DynamoDB.
A, D
Explanation:
To improve security and availability, the best approach is to configure Multi-AZ for both the web and database tiers.
Multi-AZ Auto Scaling for Web Tier: Deploying the web-tier instances in an Auto Scaling group across multiple AZs with an internet-facing ALB provides high availability and fault tolerance.
RDS Multi-AZ for SQL Server: Migrating the SQL Server to RDS with Multi-AZ deployment ensures database redundancy and failover without additional management overhead.
Placing the web tier in multiple Regions would add unnecessary complexity, and migrating the database to DynamoDB is not suitable for applications requiring SQL Server’s relational capabilities.
A company is using an Amazon CloudWatch alarm to monitor the FreeLocalStorage metric for an Amazon Aurora PostgreSQL production database. The alarm goes into ALARM state and indicates that the database is running low on temporary storage. A SysOps administrator discovers that a weekly report is using most of the temporary storage that is currently allocated.
What should the SysOps administrator do to solve this problem?
- A . Turn on Aurora PostgreSQL query plan management.
- B . Modify the configuration of the DB cluster to turn on storage auto scaling.
- C . Add an Aurora read replica to the DB cluster. Modify the report to use the new read replica.
- D . Modify the DB instance class for each DB instance in the DB cluster to increase the instance size.
B
Explanation:
Storage Auto Scaling:
Aurora storage auto scaling automatically increases the storage capacity of the database cluster when free storage space is running low.
Steps:
Go to the AWS Management Console.
Navigate to RDS and select your Aurora DB cluster.
Modify the DB cluster configuration to enable storage auto scaling.
Apply the changes.
Reference: Aurora Storage Auto Scaling
A company has two VPC networks named VPC A and VPC B. The VPC A CIDR block is 10.0.0.0/16 and the VPC B CIDR block is 172.31.0.0/16. The company wants to establish a VPC peering connection named pcx-12345 between both VPCs.
Which rules should appear in the route table of VPC A after configuration? (Select TWO.)
- A . Destination: 10.0.0.0/16, Target: Local
- B . Destination: 172.31.0.0/16, Target: Local
- C . Destination: 10.0.0.0/16, Target: pcx-12345
- D . Destination: 172.31.0.0/16, Target: pcx-12345
- E . Destination: 10.0.0.0/16, Target: 172.31.0.0/16
AD
Explanation:
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html
When establishing a VPC peering connection between two VPCs, you need to update the route tables of both VPCs to allow traffic to flow between them.
Route Table of VPC A (10.0.0.0/16):
Local Route: This route is automatically created to allow traffic within the VPC.
Destination: 10.0.0.0/16, Target: Local
Peering Connection Route: This route directs traffic destined for VPC B (172.31.0.0/16) through the VPC peering connection.
Destination: 172.31.0.0/16, Target: pcx-12345
Route Table of VPC B (172.31.0.0/16):
Local Route: This route is automatically created to allow traffic within the VPC.
Destination: 172.31.0.0/16, Target: Local
Peering Connection Route: This route directs traffic destined for VPC A (10.0.0.0/16) through the VPC peering connection.
Destination: 10.0.0.0/16, Target: pcx-12345
Reference: VPC Peering Routing
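The two route tables above, worked through as an added example (not from the question bank or from AWS): it builds the entries each VPC needs, resolves destinations by longest-prefix match as a VPC route table does, and checks the symmetry requirement that both sides route to the peering connection; the non-overlap check reflects the VPC peering CIDR constraint.

```python
import ipaddress

def peering_routes(vpc_cidr, peer_cidr, pcx_id):
    """Route table entries one VPC needs for a peering connection.

    VPC peering requires non-overlapping CIDR blocks, so overlapping inputs
    are rejected. The local route exists in every VPC route table already;
    the pcx route is the one the administrator has to add.
    """
    local = ipaddress.ip_network(vpc_cidr)
    peer = ipaddress.ip_network(peer_cidr)
    if local.overlaps(peer):
        raise ValueError(f"{vpc_cidr} overlaps {peer_cidr}: peering impossible")
    return [(str(local), "local"), (str(peer), pcx_id)]

def lookup(route_table, dst):
    """Longest-prefix match, as a VPC route table resolves a destination.
    Returns the target, or None when nothing matches (the packet is dropped)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def peering_is_symmetric(routes_a, cidr_a, routes_b, cidr_b, pcx_id):
    """Traffic only flows when BOTH sides route to the peering connection:
    A needs a route to B's CIDR and B a route back to A's. Forgetting the
    second side is the usual reason a new peering carries no traffic."""
    probe_b = str(ipaddress.ip_network(cidr_b)[1])  # first usable host in B
    probe_a = str(ipaddress.ip_network(cidr_a)[1])
    return (lookup(routes_a, probe_b) == pcx_id
            and lookup(routes_b, probe_a) == pcx_id)

# The two route tables from the question.
VPC_A_ROUTES = peering_routes("10.0.0.0/16", "172.31.0.0/16", "pcx-12345")
VPC_B_ROUTES = peering_routes("172.31.0.0/16", "10.0.0.0/16", "pcx-12345")
```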
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?
- A . Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR ranges. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Logs. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
- B . Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instances. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
- C . Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
- D . Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by tag. Tag the EC2 instances with an identifier. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.
C
Explanation:
CloudWatch provides metrics for EBS volumes that can be used to create alarms. The correct metrics to monitor EBS volume read and write activity are VolumeReadBytes and VolumeWriteBytes.
Identify the Correct Metrics:
VolumeReadBytes: The number of bytes read from the EBS volume.
VolumeWriteBytes: The number of bytes written to the EBS volume.
Reconfigure CloudWatch Alarms:
Navigate to the CloudWatch console.
Select the existing alarms and update the metric to VolumeReadBytes and VolumeWriteBytes for the specific EBS volumes attached to your EC2 instance.
Set the Desired Thresholds:
Configure the threshold for the alarms based on your monitoring requirements (e.g., trigger an alarm if read/write bytes exceed a certain value).
Verify Alarm Configuration:
Ensure that the alarms are correctly configured and monitoring the appropriate EBS volume metrics. Test the configuration by generating traffic to the volumes and observing the alarm state changes.
Reference: Amazon CloudWatch Metrics for Amazon EBS
Creating Amazon CloudWatch Alarms
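The detection half of option C in the security-group question above, as an added example (not from the question bank or from AWS): it evaluates a security group, shaped like one entry of the EC2 DescribeSecurityGroups response, against a set of corporate CIDR ranges and returns the verdict an AWS Config custom rule would report; the corporate ranges, the group and its id are constructed placeholders.

```python
import ipaddress

def noncorporate_inbound_rules(security_group, corporate_cidrs):
    """Inbound (cidr, protocol, from_port, to_port) entries of a security
    group whose source is not inside any corporate CIDR.

    The input uses the field names of the EC2 DescribeSecurityGroups response
    (IpPermissions / IpRanges / CidrIp / Ipv6Ranges / CidrIpv6). An IpProtocol
    of "-1" means all traffic and carries no port fields.
    """
    corp = [ipaddress.ip_network(c) for c in corporate_cidrs]
    offending = []
    for perm in security_group.get("IpPermissions", []):
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            inside = any(net.version == c.version and net.subnet_of(c)
                         for c in corp)
            if not inside:
                offending.append((cidr, perm["IpProtocol"],
                                  perm.get("FromPort"), perm.get("ToPort")))
    return offending

def evaluate(security_group, corporate_cidrs):
    """The verdict an AWS Config custom rule would return for one group."""
    if noncorporate_inbound_rules(security_group, corporate_cidrs):
        return "NON_COMPLIANT"
    return "COMPLIANT"

# Constructed corporate ranges and a constructed group shaped like one entry
# of describe_security_groups(); the group id is a placeholder.
CORPORATE_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
```

The offending tuples are exactly what a remediation Automation document would need in order to revoke the rules while leaving the corporate-only entries in place.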
A company runs a high performance computing (HPC) application on an Amazon EC2 instance. The company needs to scale this architecture to two or more EC2 instances. The EC2 instances will need to communicate with each other at high speeds with low latency to support the application.
The company wants to ensure that the network performance can support the required communication between the EC2 instances.
What should a SysOps administrator do to meet these requirements?
- A . Create a cluster placement group. Back up the existing EC2 instance to an Amazon Machine Image (AMI). Restore the EC2 instance from the AMI into the placement group. Launch the additional EC2 instances into the placement group.
- B . Back up the existing EC2 instance to an Amazon Machine Image (AMI). Create a launch template from the existing EC2 instance by specifying the AMI. Create an Auto Scaling group and configure the desired instance count.
- C . Create a Network Load Balancer (NLB) and a target group. Launch the new EC2 instances and register them with the target group. Register the existing EC2 instance with the target group. Pass all application traffic through the NLB.
- D . Back up the existing EC2 instance to an Amazon Machine Image (AMI). Create additional clones of the EC2 instance from the AMI in the same Availability Zone where the existing EC2 instance is located.
A
Explanation:
Cluster Placement Group:
Cluster placement groups are used to ensure low-latency networking between EC2 instances. They place instances physically close to each other within the same Availability Zone.
Steps:
Go to the AWS Management Console.
Navigate to EC2 and select "Placement Groups."
Create a new cluster placement group.
Back up the existing EC2 instance to an AMI.
Launch new EC2 instances from the AMI into the cluster placement group.
Ensure all instances are in the same Availability Zone.
Reference: Placement Groups
An AWS CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted.
How can this be achieved in a reliable and efficient way?
- A . Write a script to continue backing up the RDS instance every five minutes.
- B . Create an AWS Lambda function to take a snapshot of the RDS instance, and manually invoke the function before deleting the stack.
- C . Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance.
- D . Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack.
C
Explanation:
Snapshot Deletion Policy:
The Snapshot Deletion Policy ensures that a snapshot is created when an RDS instance is deleted as part of a CloudFormation stack deletion.
Steps:
Update your CloudFormation template to include the DeletionPolicy attribute for the RDS instance resource.
Example template snippet:
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    # DeletionPolicy is a resource attribute, so it sits beside Type and
    # Properties, not inside Properties.
    DeletionPolicy: Snapshot
    Properties:
      # DB instance properties (DBInstanceClass, Engine, and so on)
This configuration retains a snapshot of the RDS instance data when the stack is deleted.
Reference: AWS CloudFormation DeletionPolicy