Practice Free SOA-C02 Exam Online Questions
A SysOps administrator launches an Amazon EC2 instance in a private subnet of a VPC. When the SysOps administrator attempts a curl command from the command line of the EC2 instance, the SysOps administrator cannot connect to https://www.example.com.
What should the SysOps administrator do to resolve this issue?
- A . Ensure that there is an outbound security group for port 443 to 0.0.0.0/0.
- B . Ensure that there is an inbound security group for port 443 from 0.0.0.0/0.
- C . Ensure that there is an outbound network ACL for ephemeral ports 1024-65535 to 0.0.0.0/0.
- D . Ensure that there is an outbound network ACL for port 80 to 0.0.0.0/0.
A
Explanation:
To resolve the issue of the EC2 instance in a private subnet not being able to connect to external websites via HTTPS (port 443), it is necessary to adjust the security group settings:
Outbound Security Group Rules: Verify that the security group associated with the EC2 instance allows outbound traffic on port 443 to any destination (0.0.0.0/0). This rule is crucial because it enables the instance to initiate HTTPS connections to external websites.
Network ACLs: While the primary concern here is the security group, ensure also that the Network Access Control List (ACL) associated with the subnet permits outbound HTTPS traffic. However, the ACLs by default allow all outbound traffic unless specifically restricted.
Internet Connectivity: Since the instance is in a private subnet, ensure that it has a route to the internet through a NAT Gateway or NAT Instance located in a public subnet. Without this, the instance won’t be able to reach external networks even if the security groups and ACLs are correctly configured.
By ensuring that the security group permits outbound HTTPS traffic, you address the most common configuration oversight that would prevent such connectivity.
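The two checks the explanation calls for (security group egress for TCP 443, and a default route through a NAT) as an added example that is not part of the exam page; the dicts are constructed to mirror the shape of EC2 describe_security_groups and describe_route_tables output, and the destination address is an RFC 5737 placeholder.

```python
"""Added example (not from the exam page): an offline check of the private-subnet
HTTPS egress path described above. The dicts are constructed to mirror the shape
of EC2 describe_security_groups / describe_route_tables output; no AWS call is made.
"""
import ipaddress

DEST = "203.0.113.10"   # constructed (RFC 5737) stand-in for www.example.com

def _rule_covers(rule, proto, port, dst):
    """True if one security group rule permits proto/port to destination dst."""
    if rule["IpProtocol"] not in ("-1", proto):          # "-1" means all traffic
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    return any(ipaddress.ip_address(dst) in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))

def sg_allows_egress(sg, proto="tcp", port=443, dst=DEST):
    """Security groups are stateful: a single matching egress rule is enough."""
    return any(_rule_covers(r, proto, port, dst) for r in sg["IpPermissionsEgress"])

def egress_target(route_table, dst=DEST):
    """Target of the most specific route covering dst (longest prefix wins)."""
    best = None
    for r in route_table["Routes"]:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            tgt = r.get("NatGatewayId") or r.get("GatewayId") or r.get("InstanceId")
            best = (net.prefixlen, tgt)
    return best[1] if best else None

def diagnose(sg, route_table):
    """Findings for the two things the explanation says to verify."""
    findings = []
    if not sg_allows_egress(sg):
        findings.append("security group has no egress rule for tcp/443 to " + DEST)
    tgt = egress_target(route_table)
    if not (tgt and tgt.startswith(("nat-", "i-"))):     # NAT gateway or NAT instance
        findings.append("route table sends %s to %s, not a NAT" % (DEST, tgt))
    return findings

# Constructed samples: the misconfigured group only allows HTTP out.
BROKEN_SG = {"GroupId": "sg-0example", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
FIXED_SG = {"GroupId": "sg-0example", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}
```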
A company recently migrated its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch metrics to track instance memory utilization and available disk space.
What should a SysOps administrator do to meet these requirements?
- A . Configure CloudWatch from the AWS Management Console for all the instances that require monitoring by CloudWatch. AWS automatically installs and configures the agents for the specified instances.
- B . Install and configure the CloudWatch agent on all the instances. Attach an IAM role to allow the instances to write logs to CloudWatch.
- C . Install and configure the CloudWatch agent on all the instances. Attach an IAM user to allow the instances to write logs to CloudWatch.
- D . Install and configure the CloudWatch agent on all the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch.
B
Explanation:
To track instance memory utilization and available disk space using Amazon CloudWatch, the SysOps administrator should install and configure the CloudWatch agent on all instances.
Install and Configure the CloudWatch Agent:
The CloudWatch agent can collect both system-level metrics (e.g., memory utilization, disk space) and application-level metrics and logs.
Install the CloudWatch agent on each EC2 instance and configure it to collect the necessary metrics.
Attach an IAM Role:
The EC2 instances need permissions to write logs and metrics to CloudWatch.
Attach an IAM role with the necessary permissions (e.g., CloudWatchAgentServerPolicy) to each EC2 instance.
Reference: Installing the CloudWatch Agent
Create IAM Roles to Use with the CloudWatch Agent
A SysOps administrator has successfully deployed a VPC with an AWS CloudFormation template. The SysOps administrator wants to deploy the same template across multiple accounts that are managed through AWS Organizations.
Which solution will meet this requirement with the LEAST operational overhead?
- A . Assume the OrganizationAccountAccessRole IAM role from the management account. Deploy the template in each of the accounts.
- B . Create an AWS Lambda function to assume a role in each account. Deploy the template by using the AWS CloudFormation CreateStack API call.
- C . Create an AWS Lambda function to query for a list of accounts. Deploy the template by using the AWS CloudFormation CreateStack API call.
- D . Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts.
D
Explanation:
AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation.
If a Lambda function is not being invoked by an Amazon EventBridge (formerly CloudWatch Events) rule, the likely issue is a missing permission. The Lambda function needs permission to be invoked by the EventBridge rule.
Steps:
Add Permission to Lambda Function:
Open the AWS Lambda console.
Select your Lambda function.
Choose "Configuration" and then "Permissions".
Under the "Resource-based policy" section, add a policy that grants EventBridge permission to invoke your function.
Example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:events:REGION:ACCOUNT_ID:rule/RULE_NAME"
        }
      }
    }
  ]
}
```
Verify the EventBridge Rule:
Open the Amazon EventBridge console.
Select the rule that targets your Lambda function.
Ensure that the rule is correctly configured to match events and the target is your Lambda function.
Reference: AWS Lambda Permissions Model
Amazon EventBridge Rules
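An added example (not code from the page) that checks a Lambda resource-based policy like the one above for both the EventBridge invoke grant and the aws:SourceArn condition; without that condition any rule in the service could invoke the function. The ARNs are constructed placeholders.

```python
"""Added example (not part of the original page): checks a Lambda resource-based
policy such as the one above for the EventBridge invoke grant AND for the
SourceArn condition that keeps any other rule, in any account, from invoking the
function. ARNs below are constructed placeholders.
"""
import fnmatch
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:my-func"
RULE_ARN = "arn:aws:events:us-east-1:111122223333:rule/my-rule"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _arn_like(pattern, arn):
    """ArnLike: '*' and '?' wildcards, case-sensitive comparison."""
    return fnmatch.fnmatchcase(arn, pattern)

def eventbridge_can_invoke(policy_json, function_arn, rule_arn):
    """Return (allowed, scoped): allowed = some Allow statement lets
    events.amazonaws.com call lambda:InvokeFunction on function_arn for this
    rule; scoped = no such grant is missing the aws:SourceArn condition."""
    allowed, scoped = False, True
    for st in json.loads(policy_json)["Statement"]:
        prin = st.get("Principal")
        svc = _as_list(prin.get("Service", [])) if isinstance(prin, dict) else _as_list(prin)
        if st.get("Effect") != "Allow" or not ({"events.amazonaws.com", "*"} & set(svc)):
            continue
        if not any(fnmatch.fnmatch("lambda:invokefunction", a.lower())
                   for a in _as_list(st.get("Action", []))):
            continue
        if not any(_arn_like(p, function_arn) for p in _as_list(st.get("Resource", []))):
            continue
        cond = st.get("Condition", {}).get("ArnLike", {})
        src = next((v for k, v in cond.items() if k.lower() == "aws:sourcearn"), None)
        if src is None:                  # open grant: every rule in the service qualifies
            allowed, scoped = True, False
        elif any(_arn_like(p, rule_arn) for p in _as_list(src)):
            allowed = True
    return allowed, scoped

# Constructed: the page's policy with the placeholders filled in ...
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"aws:SourceArn": RULE_ARN}}}]})
# ... and the same grant with the Condition dropped.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]})
```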
A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance.
Which of the following are possible causes of this issue? (Choose two.)
- A . A network ACL associated with the bastion’s subnet is blocking the network traffic.
- B . The instance does not have a private IP address.
- C . The route table associated with the bastion’s subnet does not have a route to the internet gateway.
- D . The security group for the instance does not have an inbound rule on port 22.
- E . The security group for the instance does not have an outbound rule on port 3389.
AC
Explanation:
If a user is unable to connect to an EC2 instance via RDP, the issue could be related to network ACLs or route table configurations.
Network ACL Blocking Traffic:
A network ACL (NACL) associated with the bastion’s subnet might be blocking traffic on port 3389 (RDP).
Open the Amazon VPC console and navigate to Network ACLs.
Check the inbound and outbound rules for the NACL associated with the subnet. Ensure that port 3389 is allowed.
Route Table Missing Route to Internet Gateway:
The subnet’s route table may not have a route to the internet gateway, which is necessary for internet connectivity.
Open the Amazon VPC console and navigate to Route Tables.
Check the route table associated with the subnet. Ensure there is a route with destination 0.0.0.0/0 pointing to the internet gateway (igw-xxxxxxxx).
Ensuring proper configuration of network ACLs and route tables will enable the required internet connectivity for RDP access.
Reference: Network ACLs
Route Tables
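An added example, not from the page, that evaluates network ACL entries the way the VPC does (ascending rule number, first match wins) and shows why the stateless ACL needs an outbound allow for the client's ephemeral port as well as the inbound 3389 rule; the entries are constructed in the shape of describe_network_acls output.

```python
"""Added example (not from the page): evaluates network ACL entries the way the
VPC does, in ascending rule number with the first match deciding and the implicit
'*' entry denying the rest. NACLs are stateless, so an RDP session needs an inbound
allow for 3389 AND an outbound allow for the client's ephemeral port. Entries are
constructed in the shape of describe_network_acls output.
"""
import ipaddress

CATCH_ALL = 32767   # rule number of the default '*' deny entry

def nacl_verdict(entries, egress, proto, port, peer_ip):
    """'allow' or 'deny' for one packet direction (proto '6' = TCP, '-1' = all)."""
    ordered = sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])
    for e in ordered:
        if e["RuleNumber"] == CATCH_ALL or e["Protocol"] not in ("-1", proto):
            continue
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if e["Protocol"] != "-1" and not pr["From"] <= port <= pr["To"]:
            continue
        if ipaddress.ip_address(peer_ip) in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"]          # first match wins, later entries ignored
    return "deny"

def rdp_path_open(entries, client_ip, client_port=49152):
    """Both legs of a connection from client_ip:client_port to :3389 must pass."""
    return (nacl_verdict(entries, False, "6", 3389, client_ip) == "allow"
            and nacl_verdict(entries, True, "6", client_port, client_ip) == "allow")

def _entry(num, egress, action, cidr, frm=None, to=None, proto="6"):
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action, "CidrBlock": cidr, "Protocol": proto}
    if frm is not None:
        e["PortRange"] = {"From": frm, "To": to}
    return e

# Constructed NACL: RDP is allowed in, but only HTTPS is allowed out, so the
# return traffic to the client's ephemeral port is dropped.
BROKEN_NACL = [_entry(90, False, "deny", "203.0.113.0/24", 3389, 3389),   # blocked range
               _entry(100, False, "allow", "0.0.0.0/0", 3389, 3389),
               _entry(100, True, "allow", "0.0.0.0/0", 443, 443),
               _entry(CATCH_ALL, False, "deny", "0.0.0.0/0", proto="-1"),
               _entry(CATCH_ALL, True, "deny", "0.0.0.0/0", proto="-1")]
# Same ACL plus an outbound allow for ephemeral ports 1024-65535.
FIXED_NACL = BROKEN_NACL + [_entry(110, True, "allow", "0.0.0.0/0", 1024, 65535)]
```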
A company is hosting applications on Amazon EC2 instances. The company is hosting a database on an Amazon RDS for PostgreSQL DB instance. The company requires all connections to the DB instance to be encrypted.
What should a SysOps administrator do to meet this requirement?
- A . Allow SSL connections to the database by using an inbound security group rule.
- B . Encrypt the database by using an AWS Key Management Service (AWS KMS) encryption key.
- C . Enforce SSL connections to the database by using a custom parameter group.
- D . Patch the database with SSL/TLS by using a custom PostgreSQL extension.
C
Explanation:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html
Amazon RDS supports SSL/TLS encryption for connections to the database, and this can be enabled by creating a custom parameter group and setting the rds.force_ssl parameter to 1. This will ensure that all connections to the database are encrypted, protecting the data and maintaining compliance with the company’s requirements.
A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application’s performance. A SysOps administrator must scale the application to meet the increased traffic.
Which solution meets these requirements?
- A . Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.
- B . Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
- C . Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.
- D . Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.
C
Explanation:
Step-by-Step
Understand the Problem:
The web application experiences performance degradation during random periods of increased traffic.
Analyze the Requirements:
Implement a scalable solution to handle varying traffic loads. Maintain application performance during traffic spikes.
Evaluate the Options:
Option A: Monitor application latency with CloudWatch alarm and increase instance size.
Manually resizing instances is not efficient for handling random traffic spikes.
Option B: Use EventBridge rule to add EC2 instance to ALB.
This approach is not as efficient as Auto Scaling for dynamic traffic management.
Option C: Deploy to an Auto Scaling group with target tracking scaling policy.
Automatically adjusts the number of instances based on traffic demand.
Ensures consistent application performance by scaling in response to traffic changes.
Option D: Deploy to an Auto Scaling group with scheduled scaling policy.
Suitable for predictable traffic patterns but not for random traffic spikes.
Select the Best Solution:
Option C: Using an Auto Scaling group with a target tracking scaling policy ensures the application scales dynamically based on traffic, maintaining performance.
Reference: Amazon EC2 Auto Scaling
Target Tracking Scaling Policies
Auto Scaling with a target tracking policy provides a robust solution for handling random traffic increases by dynamically adjusting the number of instances.
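An added example (not from the page) of the arithmetic behind a target tracking policy: the group is resized so that the tracked metric, spread over the new fleet, lands back at the target, rounded up and clamped to the group's bounds. It is a simplified model that ignores the cooldown and instance warm-up the real service also applies; the traffic numbers are constructed.

```python
"""Added example (not from the page): a simplified model of how a target tracking
policy chooses a new desired capacity. It ignores cooldowns and instance warm-up,
which the real service also applies. Numbers below are constructed.
"""
import math

def target_tracking_desired(current_capacity, metric_value, target_value,
                            min_size, max_size):
    """Resize so that metric_value * current / new is about target_value
    (e.g. average CPU or ALBRequestCountPerTarget), rounding up so the
    group never lands above target, then clamp to the group's bounds."""
    if current_capacity <= 0 or target_value <= 0:
        raise ValueError("capacity and target must be positive")
    wanted = math.ceil(current_capacity * metric_value / target_value)
    return max(min_size, min(max_size, wanted))

def simulate(traffic, target=50.0, min_size=3, max_size=12, start=3):
    """traffic: total requests per interval, spread over the fleet.
    Returns the fleet size after each interval; the question's random
    spikes show up as the fleet growing, then shrinking again."""
    cap, history = start, []
    for total in traffic:
        per_instance = total / cap              # the metric the policy watches
        cap = target_tracking_desired(cap, per_instance, target, min_size, max_size)
        history.append(cap)
    return history
```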
A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available.
Which action should the SysOps administrator take to meet this requirement?
- A . Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- B . Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- C . Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
- D . Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.
C
Explanation:
To make an internal web application highly available, you should configure the Amazon EC2 Auto Scaling group to launch instances in multiple Availability Zones within the same AWS Region. This ensures that the application remains available even if one Availability Zone becomes unavailable.
Login to AWS Management Console:
Open the Amazon EC2 console.
Update Auto Scaling Group:
In the navigation pane, choose Auto Scaling Groups.
Select the Auto Scaling group that you want to modify.
Choose Edit.
Add Multiple Availability Zones:
In the Availability Zones and subnets section, select at least one additional Availability Zone.
Ensure that the selected subnets belong to different Availability Zones.
Save Changes:
Save the configuration changes to update the Auto Scaling group.
Reference: Distributing Instances Across Multiple Availability Zones
Auto Scaling Groups
A company has applications that process transaction requests multiple times each minute. The applications write transaction data to a single Amazon RDS DB instance. As the company begins to process more transactions, the company becomes concerned that it has no failover solution in place for disaster recovery (DR). The company needs the DB instance to fail over automatically without losing any committed transactions.
Which solution will meet these requirements?
- A . Create an RDS read replica in the same AWS Region. Configure an AWS Lambda function to promote the replica as the primary DB instance during a DR scenario.
- B . Create an RDS read replica in a different AWS Region. Configure an AWS Lambda function to promote the replica as the primary DB instance during a DR scenario.
- C . Modify the DB instance to be a Multi-AZ deployment.
- D . Set up an Amazon CloudWatch alarm that monitors the DB instance memory utilization with a threshold greater than 90%. Invoke an AWS Lambda function to restart the DB instance.
C
Explanation:
For an RDS instance that needs high availability and automatic failover capabilities, setting it up as a Multi-AZ deployment is the most effective solution:
Multi-AZ Deployment: This feature allows Amazon RDS to automatically provision and manage a synchronous standby replica of your database in a different Availability Zone (AZ). The primary DB instance and the standby replica contain the same data, providing data redundancy and fail-safe mechanism.
Automatic Failover: In the event of a planned or unplanned outage of your primary DB instance (including DB instance failure, AZ failure, or network failure), RDS automatically fails over to the standby so that database operations can resume quickly without administrative intervention.
Data Integrity: This setup ensures no data loss for committed transactions, as the standby replica is always in sync with the primary.
By enabling Multi-AZ deployment, you ensure that your database environment has high availability and robustness, addressing both disaster recovery and operational continuity without losing any committed transactions.
A company’s SysOps administrator needs to change the AWS Support plan for one of the company’s AWS accounts. The account has multi-factor authentication (MFA) activated, and the MFA device is lost.
What should the SysOps administrator do to sign in?
- A . Sign in as a root user by using email and phone verification. Set up a new MFA device. Change the root user password.
- B . Sign in as an IAM user with administrator permissions. Resynchronize the MFA token by using the IAM console.
- C . Sign in as an IAM user with administrator permissions. Reset the MFA device for the root user by adding a new device.
- D . Use the forgot-password process to verify the email address. Set up a new password and MFA device.
A
Explanation:
If the MFA device for the root user is lost, you can regain access to the AWS account by using email and phone verification. AWS Support provides a process to recover root account access.
Recover Root Account Access:
Go to the AWS sign-in page and choose Root user.
Enter the root user email address.
On the MFA prompt page, choose Troubleshoot MFA.
Follow the prompts for email and phone verification to verify your identity.
Set Up a New MFA Device:
Once you regain access, navigate to the IAM console.
Go to the Users section and select the root user.
Set up a new MFA device.
Change the Root User Password:
It is recommended to change the root user password after recovering access for security reasons.
Reference: Enabling and Managing Virtual MFA Devices (AWS Management Console)
Troubleshooting Multi-Factor Authentication