Practice Free SOA-C02 Exam Online Questions
A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC.
While reviewing the logs, the SysOps administrator notices that rejected traffic is not listed.
What should the SysOps administrator do to ensure that all traffic is logged?
- A . Create a new flow log that has a filter setting to capture all traffic.
- B . Create a new flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
- C . Edit the existing flow log. Change the filter setting to capture all traffic.
- D . Edit the existing flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
A
Explanation:
To ensure that all traffic, including rejected traffic, is logged in VPC Flow Logs, you need to create a new flow log with a filter setting to capture all traffic. The filter of an existing flow log cannot be changed after creation, which is why options C and D do not work.
Create a New Flow Log:
Open the VPC console.
Select the VPC for which you want to create the flow log.
Choose "Create flow log."
In the filter setting, select "All" to capture all traffic (accepted and rejected).
Flow Log Configuration:
Ensure that the destination for the flow logs (e.g., CloudWatch Logs or S3) is properly configured. Specify the appropriate IAM role to allow VPC Flow Logs to publish logs to the destination.
Reference: VPC Flow Logs
Creating a Flow Log
A company updates its security policy to prohibit the public exposure of any data in Amazon S3 buckets in the company’s account.
What should a SysOps administrator do to meet this requirement?
- A . Turn on S3 Block Public Access from the account level.
- B . Create an Amazon EventBridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private.
- C . Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found.
- D . Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private.
A
Explanation:
Use Amazon S3 Block Public Access as a centralized way to limit public access. Block Public Access settings override bucket policies and object permissions. Be sure to enable Block Public Access for all accounts and buckets that you don’t want publicly accessible.
https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/#:~:text=Using%20Amazon%20S3%20Block%20Public,don’t%20want%20publicly%20accessible.
A user is connected to an Amazon EC2 instance in a private subnet. The user is unable to access the internet from the instance by using the following curl command: curl http://www.example.com.
A SysOps administrator reviews the VPC configuration and learns the following information:
• The private subnet has a route to a NAT gateway for CIDR 0.0.0.0/0.
• The outbound security group for the EC2 instance contains one rule: outbound for port 443 to CIDR 0.0.0.0/0.
• The inbound security group for the EC2 instance allows ports 22 and 443 from the user’s IP address.
• The inbound network ACL for the subnet allows port 22 and port range 1024-65535 from CIDR 0.0.0.0/0.
Which action will allow the user to complete the curl request successfully?
- A . Add an additional inbound network ACL rule for port 80 to CIDR 0.0.0.0/0.
- B . Add an additional inbound security group rule for port 80 to CIDR 0.0.0.0/0.
- C . Add an additional outbound security group rule for port 80 to CIDR 0.0.0.0/0.
- D . Add an additional outbound security group rule for port 80 to the user’s IP address.
C
Explanation:
Since the EC2 instance is attempting to access the internet using HTTP (port 80) but is configured only to allow HTTPS (port 443) traffic, the security group needs adjustment:
Security Group Configuration: The outbound rules of the security group associated with the EC2 instance must allow traffic over HTTP. Add an outbound rule that enables port 80 to destination 0.0.0.0/0. This rule will allow the instance to send HTTP requests to any IP address on the internet.
Test Connectivity: After updating the security group, test the connectivity using the curl command again to ensure the configuration allows internet access via HTTP.
This change is necessary because the existing security group configuration does not permit outbound HTTP traffic, which is essential for accessing websites using HTTP. No network ACL change is needed: the return traffic from the web server arrives on an ephemeral port in the 1024-65535 range that the inbound network ACL already allows, and security groups are stateful, so the reply is admitted automatically.
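The following model of the rule evaluation in this scenario is an added illustration, not code from the page or from AWS: the rule sets are constructed from the scenario text, the CIDR is ignored because every rule in the scenario uses 0.0.0.0/0, and the outbound network ACL (not described in the question) is assumed to allow all traffic.

```python
"""Simplified model of how a security group (stateful) and a network ACL
(stateless) decide the fate of an outbound curl from the EC2 instance.
Added example; rule sets are constructed from the scenario above."""

# Security group from the scenario: outbound allows only TCP 443 anywhere.
# Because security groups are stateful, the reply packet is admitted
# automatically and the inbound SG rules play no part here.
SG_OUTBOUND = [{"proto": "tcp", "from": 443, "to": 443}]

# Network ACL from the scenario: inbound allows 22 and the ephemeral range.
# The ACL is stateless, so the reply must match an inbound rule explicitly.
NACL_INBOUND = [
    {"proto": "tcp", "from": 22, "to": 22},
    {"proto": "tcp", "from": 1024, "to": 65535},
]

def rule_matches(rules, proto, port):
    """True if any rule covers the protocol/port pair."""
    return any(r["proto"] == proto and r["from"] <= port <= r["to"] for r in rules)

def outbound_request_allowed(dest_port, sg_outbound, nacl_inbound, src_port):
    """Evaluate an outbound TCP connection and its reply.
    Returns (allowed, reason)."""
    if not rule_matches(sg_outbound, "tcp", dest_port):
        return False, f"security group has no outbound rule for tcp/{dest_port}"
    # The reply comes back to the instance's ephemeral source port and is
    # checked only against the stateless network ACL.
    if not rule_matches(nacl_inbound, "tcp", src_port):
        return False, f"network ACL does not allow the reply on tcp/{src_port}"
    return True, "allowed"

def after_fix(sg_outbound):
    """Option C: add an outbound security group rule for port 80."""
    return sg_outbound + [{"proto": "tcp", "from": 80, "to": 80}]

if __name__ == "__main__":
    ephemeral = 49152  # typical Linux ephemeral source port (assumed value)
    print(outbound_request_allowed(80, SG_OUTBOUND, NACL_INBOUND, ephemeral))
    print(outbound_request_allowed(443, SG_OUTBOUND, NACL_INBOUND, ephemeral))
    print(outbound_request_allowed(80, after_fix(SG_OUTBOUND), NACL_INBOUND, ephemeral))
```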
A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application.
Which combination of actions should a SysOps administrator take to resolve this problem? (Select TWO.)
- A . Change to the least outstanding requests algorithm on the ALB target group.
- B . Configure cookie forwarding in the CloudFront distribution cache behavior.
- C . Configure header forwarding in the CloudFront distribution cache behavior.
- D . Enable group-level stickiness on the ALB listener rule.
- E . Enable sticky sessions on the ALB target group.
B, E
Explanation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html
You can configure each cache behavior to do one of the following: Forward all cookies to your origin. CloudFront includes all cookies sent by the viewer when it forwards requests to the origin.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html
By default, an Application Load Balancer routes each request independently to a registered target based on the chosen load-balancing algorithm. Sticky sessions bind a user's requests to the same target, but that only works if the session cookie reaches the ALB, so CloudFront must also forward cookies to the origin.
A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances. The company needs a solution that produces no additional cost.
Which solution will meet these requirements?
- A . Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC.
- B . Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC.
- C . Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.
- D . Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table.
C
Explanation:
To securely connect to the S3 buckets over a private connection from EC2 instances without incurring additional costs, the SysOps administrator can create a gateway VPC endpoint.
Create a Gateway VPC Endpoint:
Navigate to the VPC console.
Create a gateway VPC endpoint for Amazon S3.
Reference: Gateway VPC Endpoints
Add the Gateway VPC Endpoint to the VPC Route Table:
Select the appropriate route table(s) associated with the subnets in the VPC.
Add a route whose destination is the S3 prefix list for the Region (com.amazonaws.<region>.s3) and whose target is the gateway VPC endpoint.
Reference: Creating a Gateway Endpoint
This configuration allows the EC2 instances to access all the S3 buckets securely over the private network without additional costs, as there are no data transfer charges within the same AWS Region for using a gateway VPC endpoint.
A company wants to monitor the security groups of its Amazon EC2 instances to ensure that SSH is not open to the public. If the port is opened, the company needs to close the port as soon as possible.
Which combination of actions should a SysOps administrator take to meet these requirements? (Select TWO.)
- A . Add an Amazon CloudWatch alarm to detect the security groups that allow SSH.
- B . Add an AWS Config rule to detect the security groups that allow SSH.
- C . Add an assessment template to Amazon Inspector to detect the security groups that allow SSH.
- D . Call an AWS Systems Manager Automation runbook to close the port.
- E . Call AWS Systems Manager Run Command to close the port.
B, D
Explanation:
To monitor and automatically respond to security groups allowing SSH access:
AWS Config: This service can be used to detect security groups that allow SSH access publicly (Option B). AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
AWS Systems Manager Automation: This can automatically execute actions like closing the port when a non-compliant security group is detected (Option D). It allows the execution of automated workflows that can respond to Config rule findings, ensuring immediate remediation actions such as closing ports. These two services combined offer a comprehensive solution to monitor, detect, and rectify unwanted security group configurations automatically. The AWS documentation on AWS Config and on Systems Manager Automation provides additional insights.
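To show what the detection side of option B actually evaluates, here is an added example (not from the page or from AWS) that checks security group ingress rules for SSH open to the world, the same condition a Config managed rule such as restricted-ssh flags. The group descriptions are constructed in the shape of describe-security-groups output, with placeholder group ids.

```python
"""Flag security groups whose ingress rules allow tcp/22 from 0.0.0.0/0 or ::/0.
Added example; sample groups are constructed, not real account data."""
from ipaddress import ip_network

SSH_PORT = 22

# Constructed sample groups (ids are placeholders).
GROUPS = [
    {"GroupId": "sg-aaaa1111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bbbb2222", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-cccc3333", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def covers_port(perm, port):
    """True if a permission entry includes the given TCP port.
    IpProtocol '-1' means all protocols and all ports."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def is_world_open(cidr):
    """An unrestricted source is a /0 prefix (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr).prefixlen == 0

def ssh_open_to_world(group):
    for perm in group["IpPermissions"]:
        if not covers_port(perm, SSH_PORT):
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                  [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(is_world_open(c) for c in sources):
            return True
    return False

def noncompliant_groups(groups):
    """Group ids that would be reported NON_COMPLIANT."""
    return [g["GroupId"] for g in groups if ssh_open_to_world(g)]

if __name__ == "__main__":
    print(noncompliant_groups(GROUPS))
```

The all-protocols group (sg-cccc3333) is caught as well, which a naive check for FromPort == 22 would miss.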
A company uses an Amazon CloudFront distribution to deliver its website. Traffic logs for the website must be centrally stored, and all data must be encrypted at rest.
Which solution will meet these requirements?
- A . Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with internet access and server-side encryption that uses the default AWS managed key. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
- B . Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
- C . Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination.
- D . Create an Amazon S3 bucket that is configured with no default encryption. Enable encryption in the CloudFront distribution, and use the S3 bucket as a log destination.
C
Explanation:
To centrally store traffic logs for a website delivered through Amazon CloudFront and ensure all data is encrypted at rest, using an S3 bucket with default server-side encryption is the optimal solution.
Create an S3 Bucket:
Open the Amazon S3 console.
Create a new S3 bucket for storing the logs.
Enable Default Encryption:
Select the S3 bucket, navigate to Properties, and enable Default encryption. Choose AES-256 for server-side encryption.
Configure CloudFront Logging:
Open the Amazon CloudFront console.
Select the CloudFront distribution and navigate to Edit.
In the logging section, enable logging and specify the S3 bucket created for log storage.
This setup ensures that all logs are encrypted at rest using AES-256 and stored centrally in an S3 bucket.
Reference: Amazon CloudFront Access Logs
Amazon S3 Default Encryption
A company stores its data in an Amazon S3 bucket. The company is required to classify the data and find any sensitive personal information in its S3 files.
Which solution will meet these requirements?
- A . Create an AWS Config rule to discover sensitive personal information in the S3 files and mark them as noncompliant.
- B . Create an S3 event-driven artificial intelligence/machine learning (AI/ML) pipeline to classify sensitive personal information by using Amazon Rekognition.
- C . Enable Amazon GuardDuty. Configure S3 protection to monitor all data inside Amazon S3.
- D . Enable Amazon Macie. Create a discovery job that uses the managed data identifier.
D
Explanation:
Amazon Macie is a security service designed to help organizations find, classify, and protect sensitive data stored in Amazon S3. Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in Amazon S3. Creating a discovery job with the managed data identifier will allow Macie to identify sensitive personal information in the S3 files and classify it accordingly. Enabling AWS Config and Amazon GuardDuty will not help with this requirement as they are not designed to automatically classify and protect data.
A company has an AWS Site-to-Site VPN connection between on-premises resources and resources that are hosted in a VPC. A SysOps administrator launches an Amazon EC2 instance that has only a private IP address into a private subnet in the VPC. The EC2 instance runs Microsoft Windows Server.
A security group for the EC2 instance has rules that allow inbound traffic from the on-premises network over the VPN connection. The on-premises environment contains a third-party network firewall. Rules in the third-party network firewall allow Remote Desktop Protocol (RDP) traffic to flow between the on-premises users over the VPN connection.
The on-premises users are unable to connect to the EC2 instance and receive a timeout error.
What should the SysOps administrator do to troubleshoot this issue?
- A . Create Amazon CloudWatch logs for the EC2 instance to check for blocked traffic.
- B . Create Amazon CloudWatch logs for the Site-to-Site VPN connection to check for blocked traffic.
- C . Create VPC flow logs for the EC2 instance’s elastic network interface to check for rejected traffic.
- D . Instruct users to use EC2 Instance Connect as a connection method.
C
Explanation:
To troubleshoot connectivity issues for an EC2 instance that is not accessible via RDP in a private subnet, VPC flow logs are the most direct and useful tool. VPC flow logs capture information about the IP traffic going to and from network interfaces in your VPC, enabling you to identify whether the traffic to the EC2 instance is being allowed or rejected. Setting up flow logs for the EC2 instance’s network interface will help pinpoint any blocks or drops in traffic that could be causing the timeout error. Option C is the correct action as it directly investigates the traffic flow, which is crucial for resolving connectivity issues. The AWS documentation on VPC Flow Logs provides further details.
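Both flow-log questions on this page (the missing rejected traffic in the first question and the RDP timeout here) come down to reading REJECT records out of a flow log. The parser below is an added example, not from the page or from AWS; it handles the default record format, and the sample lines are constructed with placeholder account, ENI and address values.

```python
"""Parse VPC Flow Log records in the default format and extract rejected flows.
Added example; SAMPLE_LOG is constructed, not captured from a real VPC."""
from dataclasses import dataclass
from typing import Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample of what a flow log created with filter "All" could hold
# for an ENI receiving RDP (tcp/3389) over the VPN. A log created with filter
# "Accept" would never contain the REJECT row.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 10.20.0.15 10.0.1.25 51234 3389 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.20.0.15 10.0.1.25 51235 443 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000060 1700000120 - NODATA
"""

@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]   # 6 is TCP in the protocol field
    action: str
    log_status: str

def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA rows use '-' for most fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record; skip rather than guess
        row = dict(zip(FIELDS, parts))
        to_int = lambda v: None if v == "-" else int(v)
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"],
                                  to_int(row["srcport"]), to_int(row["dstport"]),
                                  to_int(row["protocol"]), row["action"], row["log_status"]))
    return records

def rejected_flows(records, dst_port=None):
    """REJECT records with log-status OK, optionally narrowed to one destination port."""
    return [r for r in records if r.action == "REJECT" and r.log_status == "OK"
            and (dst_port is None or r.dstport == dst_port)]

if __name__ == "__main__":
    for r in rejected_flows(parse_flow_log(SAMPLE_LOG), 3389):
        print(f"RDP from {r.srcaddr} to {r.dstaddr} was rejected")
```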
A company stores sensitive data in an Amazon S3 bucket. The company must log all access attempts to the S3 bucket. The company’s risk team must receive immediate notification about any delete events.
Which solution will meet these requirements?
- A . Enable S3 server access logging for audit logs. Set up an Amazon Simple Notification Service (Amazon SNS) notification for the S3 bucket. Select DeleteObject for the event type for the alert system.
- B . Enable S3 server access logging for audit logs. Launch an Amazon EC2 instance for the alert system. Run a cron job on the EC2 instance to download the access logs each day and to scan for a DeleteObject event.
- C . Use Amazon CloudWatch Logs for audit logs. Use Amazon CloudWatch alarms with an Amazon Simple Notification Service (Amazon SNS) notification for the alert system.
- D . Use Amazon CloudWatch Logs for audit logs. Launch an Amazon EC2 instance for the alert system. Run a cron job on the EC2 instance each day to compare the list of the items with the list from the previous day. Configure the cron job to send a notification if an item is missing.
A
Explanation:
To meet the requirements of logging all access attempts to the S3 bucket and receiving immediate notification about any delete events, the company can enable S3 server access logging and set up an Amazon Simple Notification Service (Amazon SNS) notification for the S3 bucket. The S3 server access logs will record all access attempts to the bucket, including delete events, and the SNS notification can be configured to send an alert when a DeleteObject event occurs.