Practice Free SOA-C02 Exam Online Questions
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses Amazon Route 53 to route traffic.
The company also has a static website that is configured in an Amazon S3 bucket.
A SysOps administrator must use the static website as a backup to the web application. The failover to the static website must be fully automated.
Which combination of actions will meet these requirements? (Choose two.)
- A . Create a primary failover routing policy record. Configure the value to be the ALB.
- B . Create an AWS Lambda function to switch from the primary website to the secondary website when the health check fails.
- C . Create a primary failover routing policy record. Configure the value to be the ALB. Associate the record with a Route 53 health check.
- D . Create a secondary failover routing policy record. Configure the value to be the static website. Associate the record with a Route 53 health check.
- E . Create a secondary failover routing policy record. Configure the value to be the static website.
A C
Explanation:
To use the static website as a backup to the web application and ensure automated failover, the SysOps administrator should set up failover routing policies in Amazon Route 53.
Failover Routing Policies:
Route 53 failover routing allows you to route traffic to a primary resource when it is healthy and automatically failover to a secondary resource when the primary becomes unhealthy.
Steps to Implement:
Primary Failover Record: Create a primary failover routing policy record and set the value to the ALB.
Associate this record with a Route 53 health check that monitors the ALB.
Secondary Failover Record: Create a secondary failover routing policy record and set the value to the static website.
Reference: Amazon Route 53 Failover Routing
A SysOps administrator is designing a solution for an Amazon RDS for PostgreSQL DB instance. Database credentials must be stored and rotated monthly. The applications that connect to the DB instance send write-intensive traffic with variable client connections that sometimes increase significantly in a short period of time.
Which solution should a SysOps administrator choose to meet these requirements?
- A . Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS Proxy to handle the increases in database connections.
- B . Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS read replicas to handle the increases in database connections.
- C . Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS Proxy to handle the increases in database connections.
- D . Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS read replicas to handle the increases in database connections.
C
Explanation:
To meet the requirements of storing and rotating database credentials monthly and handling write-intensive traffic with variable client connections, you can use AWS Secrets Manager and Amazon RDS Proxy.
AWS Secrets Manager for Credential Rotation:
Open the AWS Secrets Manager console at AWS Secrets Manager Console.
Store the database credentials as a new secret and configure automatic rotation for every 30 days.
AWS Secrets Manager will handle the rotation process and update the secret with new credentials.
Amazon RDS Proxy for Connection Management:
Open the Amazon RDS console at Amazon RDS Console.
Create an RDS Proxy for the PostgreSQL DB instance.
Configure the proxy to handle the connection pooling and manage the connections efficiently.
The proxy will help manage the database connections, reduce the overhead on the database, and improve performance during peak loads.
This solution ensures that database credentials are securely stored and rotated automatically while handling increased database connections effectively.
Reference: AWS Secrets Manager
Using AWS Secrets Manager to Rotate Amazon RDS Database Credentials
Amazon RDS Proxy
A company’s SysOps administrator attempts to restore an Amazon Elastic Block Store (Amazon EBS) snapshot. However, the snapshot is missing because another system administrator accidentally deleted the snapshot. The company needs the ability to recover snapshots for a specified period of time after snapshots are deleted.
Which solution will provide this functionality?
- A . Turn on deletion protection on individual EBS snapshots that need to be kept.
- B . Create an IAM policy that denies the deletion of EBS snapshots by using a condition statement for the snapshot age. Apply the policy to all users.
- C . Create a Recycle Bin retention rule for EBS snapshots for the desired retention period.
- D . Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function to copy EBS snapshots to Amazon S3 Glacier.
C
Explanation:
To provide the ability to recover deleted EBS snapshots for a specified period, creating a Recycle Bin retention rule for EBS snapshots is the appropriate solution.
Recycle Bin:
The Recycle Bin for Amazon EBS snapshots allows you to recover snapshots that were deleted within a specified retention period.
Creating a Retention Rule:
Open the Amazon Data Lifecycle Manager console.
Create a new Recycle Bin retention rule for EBS snapshots and specify the desired retention period.
Reference: Amazon EBS Recycle Bin
A company is using Amazon CloudFront to serve static content for its web application to its users.
The CloudFront distribution uses an existing on-premises website as a custom origin.
The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution.
What should a SysOps administrator do to resolve this problem?
- A . Examine the expiration date on the certificate on the origin site. Validate that the certificate has not expired. Replace the certificate if necessary.
- B . Examine the hostname on the certificate on the origin site. Validate that the hostname matches one of the hostnames on the CloudFront distribution. Replace the certificate if necessary.
- C . Examine the firewall rules that are associated with the origin server. Validate that port 443 is open for inbound traffic from the internet. Create an inbound rule if necessary.
- D . Examine the network ACL rules that are associated with the CloudFront distribution. Validate that port 443 is open for outbound traffic to the origin server. Create an outbound rule if necessary.
A
Explanation:
HTTP 502 errors from CloudFront can occur because of the following reasons:
There’s an SSL negotiation failure because the origin is using SSL/TLS protocols and ciphers that aren’t supported by CloudFront.
There’s an SSL negotiation failure because the SSL certificate on the origin is expired or invalid, or because the certificate chain is invalid.
There’s a host header mismatch in the SSL negotiation between your CloudFront distribution and the custom origin.
The custom origin isn’t responding on the ports specified in the origin settings of the CloudFront distribution.
The custom origin is ending the connection to CloudFront too quickly.
https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cloudfront-connection-error/
A SysOps administrator must manage the security of an AWS account. Recently, an IAM user's access key was mistakenly uploaded to a public code repository. The SysOps administrator must identify anything that was changed by using this access key.
- A . Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all IAM events to an AWS Lambda function for analysis.
- B . Query Amazon EC2 logs by using Amazon CloudWatch Logs Insights for all events initiated with the compromised access key within the suspected timeframe.
- C . Search AWS CloudTrail event history for all events initiated with the compromised access key within the suspected timeframe.
- D . Search VPC Flow Logs for all events initiated with the compromised access key within the suspected timeframe.
C
Explanation:
To identify changes made by the compromised access key, the SysOps administrator should search the AWS CloudTrail event history:
AWS CloudTrail:
CloudTrail logs all API calls made in an AWS account, which includes events initiated by access keys.
This makes it the ideal service to investigate changes made using the compromised access key.
Reference: AWS CloudTrail Documentation
Search CloudTrail Event History:
Use the CloudTrail console to filter and search for events associated with the compromised access key within the suspected timeframe.
Reference: Viewing Events with CloudTrail Event History
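As an added example (not part of the original page or of any AWS tooling), the triage described above run offline over constructed CloudTrail records: filter by the compromised accessKeyId and the suspected time window, then separate read-only calls from those that changed state. All key IDs, user names, IP addresses and timestamps are made up.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records in the "Records" array shape that CloudTrail
# delivers to S3. Every key ID, IP address and timestamp below is invented.
LEAKED_KEY = "AKIAEXAMPLELEAKED000"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:58:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "readOnly": True, "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "readOnly": False, "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T10:07:30Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "readOnly": False, "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "readOnly": False, "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEOTHER0001"}},
    {"eventTime": "2024-05-01T11:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "readOnly": True, "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T13:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "readOnly": False, "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "accessKeyId": LEAKED_KEY}},
]})


def _utc(ts: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_key_activity(trail_json: str, access_key_id: str, start: str, end: str) -> list:
    """Return every record initiated with access_key_id inside [start, end], oldest first.

    Offline equivalent of filtering Event history by AccessKeyId and time range
    (CLI: aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key>).
    """
    lo, hi = _utc(start), _utc(end)
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        if lo <= _utc(rec["eventTime"]) <= hi:
            hits.append({k: rec.get(k) for k in
                         ("eventTime", "eventSource", "eventName", "readOnly", "sourceIPAddress")})
    return sorted(hits, key=lambda e: e["eventTime"])


def state_changing_calls(hits: list) -> list:
    """Keep only calls that could have changed something. A missing readOnly flag
    counts as mutating so nothing is silently dropped from the review list."""
    return [(e["eventSource"], e["eventName"]) for e in hits if not e["readOnly"]]


if __name__ == "__main__":
    hits = find_key_activity(SAMPLE_TRAIL, LEAKED_KEY, "2024-05-01T10:00:00Z", "2024-05-01T12:00:00Z")
    for e in hits:
        print(e["eventTime"], e["sourceIPAddress"], e["eventSource"], e["eventName"],
              "read-only" if e["readOnly"] else "CHANGED STATE")
```

Event history in the console covers the last 90 days; for anything older, or for data events, query the trail's S3 logs (or Athena over them) with the same accessKeyId filter.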
A company uses AWS CloudFormation to deploy its infrastructure. The company recently retired an application. A cloud operations engineer initiates CloudFormation stack deletion, and the stack gets stuck in DELETE_FAILED status.
A SysOps administrator discovers that the stack had deployed a security group. The security group is referenced by other security groups in the environment. The SysOps administrator needs to delete the stack without affecting other applications.
Which solution will meet these requirements in the MOST operationally efficient manner?
- A . Create a new security group that has a different name. Apply identical rules to the new security group. Replace all other security groups that reference the new security group. Delete the stack.
- B . Create a CloudFormation change set to delete the security group. Deploy the change set.
- C . Delete the stack again. Specify that the security group be retained.
- D . Perform CloudFormation drift detection. Delete the stack.
C
Explanation:
Retain the Security Group:
When deleting a CloudFormation stack, you can specify resources to be retained instead of deleted.
Steps:
Go to the AWS Management Console.
Navigate to CloudFormation and select the stack.
Choose to delete the stack.
In the deletion options, specify that the security group should be retained.
This will delete the stack but keep the security group, ensuring no impact on other applications.
Reference: Deleting a Stack
A company deployed a new web application on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group. Users report that they are frequently being prompted to log in.
What should a SysOps administrator do to resolve this issue?
- A . Configure an Amazon CloudFront distribution with the ALB as the origin.
- B . Enable sticky sessions (session affinity) for the target group of EC2 instances.
- C . Redeploy the EC2 instances in a spread placement group.
- D . Replace the ALB with a Network Load Balancer.
C
Explanation:
To resolve the issue of users being frequently prompted to log in, which typically indicates that session persistence is not configured:
Sticky Sessions: Enable sticky sessions (session affinity) on the ALB’s target group. This configuration makes sure that all requests from a single user during a session are directed to the same EC2 instance, rather than being load balanced to different instances which might not share session data.
Configuration: This is done in the ALB settings under the target group attributes. Sticky sessions use a user-specific cookie generated by the ALB to route requests to the designated instance.
Session Cookie: The ALB handles the session cookie automatically, but you may adjust settings like the duration that the session cookie remains valid.
Enabling sticky sessions ensures that user sessions are maintained with the same server, reducing the instances of repeated logins and improving the user experience.
A company has a public website that recently experienced problems. Some links led to missing webpages, and other links rendered incorrect webpages. The application infrastructure was running properly, and all the provisioned resources were healthy. Application logs and dashboards did not show any errors, and no monitoring alarms were raised. Systems administrators were not aware of any problems until end users reported the issues.
The company needs to proactively monitor the website for such issues in the future and must implement a solution as soon as possible.
Which solution will meet these requirements with the LEAST operational overhead?
- A . Rewrite the application to surface a custom error to the application log when issues occur. Automatically parse logs for errors. Create an Amazon CloudWatch alarm to provide alerts when issues are detected.
- B . Create an AWS Lambda function to test the website. Configure the Lambda function to emit an Amazon CloudWatch custom metric when errors are detected. Configure a CloudWatch alarm to provide alerts when issues are detected.
- C . Create an Amazon CloudWatch Synthetics canary. Use the CloudWatch Synthetics Recorder plugin to generate the script for the canary run. Configure the canary in line with requirements. Create an alarm to provide alerts when issues are detected.
C
Explanation:
Amazon CloudWatch Synthetics allows you to create canaries that monitor your endpoints and APIs. Canaries are scripts that run on a schedule to check your application’s availability and performance, and can detect issues before your customers do.
Create a CloudWatch Synthetics Canary:
Open the Amazon CloudWatch console at Amazon CloudWatch Console.
Navigate to Synthetics and choose Create Canary.
Use the CloudWatch Synthetics Recorder plugin to generate the script for the canary run.
Configure the Canary:
Define the schedule for the canary to run (e.g., every minute).
Specify the endpoint URL of the website.
Configure the canary to check for specific errors or issues based on your requirements.
Create Alarms:
Set up CloudWatch alarms to notify you when the canary detects issues. You can configure the alarm to send notifications via Amazon SNS.
Reference: Creating and Managing Canaries
CloudWatch Synthetics
A SysOps administrator is testing an application that is hosted on five Amazon EC2 instances. The instances run in an Auto Scaling group behind an Application Load Balancer (ALB). High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out.
Which action should the SysOps administrator take to meet these requirements?
- A . Enable instance scale-in protection.
- B . Place the instance into the Standby state.
- C . Remove the listener from the ALB.
- D . Suspend the Launch and Terminate process types.
D
Explanation:
To troubleshoot high CPU utilization during load testing without scaling out, the SysOps administrator should suspend the Launch and Terminate process types in the Auto Scaling group.
Suspending Processes:
Suspending the Launch and Terminate processes will temporarily stop the Auto Scaling group from adding or removing instances, allowing for troubleshooting without automatic scaling interruptions.
This ensures that the root cause of the high CPU utilization can be investigated without the Auto Scaling group launching additional instances.
Steps to Suspend Processes:
Go to the Auto Scaling group in the AWS Management Console.
Select the group and choose the "Suspend Processes" option.
Suspend the Launch and Terminate processes.
After troubleshooting, resume the processes to re-enable scaling.
Reference: Suspending and Resuming Scaling Processes
A SysOps administrator is setting up an automated process to recover an Amazon EC2 instance In the event of an underlying hardware failure. The recovered instance must have the same private IP address and the same Elastic IP address that the original instance had. The SysOps team must receive an email notification when the recovery process is initiated.
Which solution will meet these requirements?
- A . Create an Amazon CloudWatch alarm for the EC2 instance, and specify the StatusCheckFailed_Instance metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
- B . Create an Amazon CloudWatch alarm for the EC2 instance, and specify the StatusCheckFailed_System metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
- C . Create an Auto Scaling group across three different subnets in the same Availability Zone with a minimum, maximum, and desired size of 1. Configure the Auto Scaling group to use a launch template that specifies the private IP address and the Elastic IP address. Add an activity notification for the Auto Scaling group to send an email message to the SysOps team through Amazon Simple Email Service (Amazon SES).
- D . Create an Auto Scaling group across three Availability Zones with a minimum, maximum, and desired size of 1. Configure the Auto Scaling group to use a launch template that specifies the private IP address and the Elastic IP address. Add an activity notification for the Auto Scaling group to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
B
Explanation:
You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. Terminated instances cannot be recovered. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. If the impaired instance has a public IPv4 address, the instance retains the public IPv4 address after recovery. If the impaired instance is in a placement group, the recovered instance runs in the placement group. When the StatusCheckFailed_System alarm is triggered, and the recover action is initiated, you will be notified by the Amazon SNS topic that you selected when you created the alarm and associated the recover action. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html