Amazon SOA-C02 Practice Test - Questions Answers, Page 35

A company has an AWS Site-to-Site VPN connection between on-premises resources and resources that are hosted in a VPC. A SysOps administrator launches an Amazon EC2 instance that has only a private IP address into a private subnet in the VPC. The EC2 instance runs Microsoft Windows Server.

A security group for the EC2 instance has rules that allow inbound traffic from the on-premises network over the VPN connection. The on-premises environment contains a third-party network firewall. Rules in the third-party network firewall allow Remote Desktop Protocol (RDP) traffic to flow between the on-premises users over the VPN connection.

The on-premises users are unable to connect to the EC2 instance and receive a timeout error.

What should the SysOps administrator do to troubleshoot this issue?

A.
Create Amazon CloudWatch logs for the EC2 instance to check for blocked traffic.
B.
Create Amazon CloudWatch logs for the Site-to-Site VPN connection to check for blocked traffic.
C.
Create VPC flow logs for the EC2 instance's elastic network interface to check for rejected traffic.
D.
Instruct users to use EC2 Instance Connect as a connection method.
Suggested answer: C

Explanation:

VPC Flow Logs are the most direct tool for this symptom. A flow log on the instance's elastic network interface records every IP flow that reaches the ENI together with the action the security group and network ACL took (ACCEPT or REJECT), so reading the records for TCP port 3389 from the on-premises address range tells the administrator which layer to look at next. REJECT records mean the packets arrive in the VPC but are dropped by the security group or the subnet's network ACL. ACCEPT records mean the VPC admits the traffic and the fault is inside the guest (Windows Firewall, the RDP service) or on the return path. No records at all mean the packets never reach the ENI, which points at the VPC route tables, the VPN tunnel state or the on-premises firewall. A timeout, as opposed to a connection refused, is consistent with all three, which is why evidence from the ENI is needed before changing anything. Option A does not apply: CloudWatch Logs from an EC2 instance contain only what an installed agent ships, not network filtering decisions. Site-to-Site VPN logs (option B) describe tunnel and IKE activity, not individual blocked flows. EC2 Instance Connect (option D) changes how users connect instead of diagnosing why RDP fails. Note that flow log records are delivered with a delay of several minutes, so the log must be created and then exercised with a fresh connection attempt. AWS documentation on VPC flow logs provides further details (VPC Flow Logs).
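As an added example (not part of the ExamGecko page or of any AWS tooling), the following Python reads flow log records in the default format and sorts the on-premises RDP flows to the instance by action, turning the log into the "which layer" verdict described above. The ENI ID, account number, address ranges and the records themselves are constructed for illustration.

```python
"""Triage RDP connectivity from VPC Flow Logs records for one ENI (added example)."""
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
TCP = 6

# Constructed sample records in the default flow log format (version 2). The ENI,
# account ID and addresses are invented for the demonstration.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol
#         packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.50.1.20 10.0.2.15 51542 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.50.1.21 10.0.2.15 51560 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.40 10.0.2.15 44312 3389 6 9 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.2.40 3389 44312 6 8 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.50.1.20 10.0.2.15 0 0 1 2 168 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_records(text):
    """Yield one dict per well-formed line; NODATA/SKIPDATA lines are kept so gaps can be reported."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line: ignore rather than guess
        yield dict(zip(FIELDS, parts))


def triage_rdp(text, onprem_cidr, instance_ip):
    """Count on-premises -> instance RDP flows by action and say where to look next."""
    onprem = ip_network(onprem_cidr)
    target = ip_address(instance_ip)
    counts = {"accept": 0, "reject": 0, "nodata": 0}
    for rec in parse_records(text):
        if rec["log_status"] != "OK":
            counts["nodata"] += 1  # capture gap: absence of records is not proof of absence of traffic
            continue
        if (rec["protocol"] == str(TCP) and rec["dstport"] == str(RDP_PORT)
                and ip_address(rec["dstaddr"]) == target
                and ip_address(rec["srcaddr"]) in onprem):
            counts[rec["action"].lower()] += 1

    if counts["reject"] and not counts["accept"]:
        verdict = ("REJECT: packets reach the ENI but are dropped; "
                   "check the security group and the subnet network ACL")
    elif counts["accept"]:
        verdict = ("ACCEPT: packets are admitted by SG/NACL; "
                   "check Windows Firewall, the RDP service and the return route")
    else:
        verdict = ("NONE: no RDP packets reached the ENI; "
                   "check VPC route tables, the VPN tunnel status and the on-premises firewall")
    return {**counts, "verdict": verdict}


if __name__ == "__main__":
    print(triage_rdp(SAMPLE_LOG, "10.50.0.0/16", "10.0.2.15"))
```

On the constructed log the verdict is REJECT (two dropped RDP attempts from 10.50.1.x, while the in-VPC RDP session and the on-premises ICMP are accepted), which narrows the problem to the security group or the network ACL. The same function fed a log with no matching records returns the NONE verdict, which is the case that sends the investigation back to routing and the VPN rather than to VPC filters.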

A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443.

The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet.

Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Select THREE.)

A.
Ensure that the inbound rules of the instance's security group allow traffic on ports 80 and 443.
B.
Ensure that the outbound rules of the instance's security group allow traffic on ports 80 and 443.
C.
Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance's subnet.
D.
Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance's subnet.
E.
Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.
F.
Ensure that AWS WAF is turned on for the instance and is blocking web traffic.
Suggested answer: A, D, E

Explanation:

The instance can reach the internet on its own but nobody can reach it, so the checks are on the inbound path and on the return traffic for inbound connections:

A: The security group must have inbound rules for TCP 80 and 443 from the intended source range. Security groups are stateful: once a request is admitted, its response is allowed automatically, so the outbound security group rules (option B) play no part in serving inbound connections.

D: The network ACL is stateless. The reply to an inbound web request goes back to the client's ephemeral source port, so the NACL's outbound rules must allow 1024-65535 or every connection hangs after the SYN. The inbound NACL must also permit 80 and 443 (the default network ACL allows all traffic). Option C is already satisfied in this scenario: the instance's update downloads succeed, and their replies arrive on ephemeral ports and pass the inbound NACL.

E: Any host firewall on the instance (Windows Firewall, iptables or nftables, firewalld) must allow inbound 80 and 443. It is evaluated after the VPC controls and is a common cause when the security group looks correct.

AWS WAF (option F) attaches to CloudFront, an Application Load Balancer, API Gateway and similar services, not to an EC2 instance directly, so it cannot be the cause here. AWS provides guidelines on these configurations in its documentation on security groups (EC2 Security Groups) and network ACLs (Network ACLs).
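An added example, not from the page: a small Python model of the two VPC filters plus the host firewall. It encodes the documented semantics (security groups are allow-only and stateful; network ACLs are stateless, evaluated in rule-number order, first match wins, implicit deny) and traces both the inbound web request and the instance's own outbound update download, which shows why D is needed while C already holds. The rule sets, ports and host-firewall list are constructed.

```python
"""Trace a web request through a stateful security group and a stateless network ACL (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclRule:
    number: int        # network ACL rules are evaluated in ascending order
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


def acl_decision(rules: List[AclRule], protocol: str, port: int) -> str:
    """Lowest-numbered matching rule wins; no match means the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol in ("all", protocol) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"


def sg_allows(inbound: List[Tuple[str, int, int]], protocol: str, port: int) -> bool:
    """Security groups only have allow rules and are stateful: any match admits the flow."""
    return any(p == protocol and lo <= port <= hi for p, lo, hi in inbound)


def web_request_outcome(sg_inbound, acl_inbound, acl_outbound, host_fw_ports,
                        server_port=443, client_port=51234) -> List[str]:
    """Internet client -> instance request and the instance's reply. Returns the blocking layers."""
    problems = []
    # Request: stateless NACL inbound, then security group inbound, then the guest OS firewall.
    if acl_decision(acl_inbound, "tcp", server_port) != "allow":
        problems.append(f"NACL inbound blocks tcp/{server_port}")
    if not sg_allows(sg_inbound, "tcp", server_port):
        problems.append(f"security group has no inbound rule for tcp/{server_port}")
    if server_port not in host_fw_ports:
        problems.append(f"host firewall on the instance blocks tcp/{server_port}")
    # Reply: the security group tracks the connection, so no outbound SG rule is consulted.
    # The NACL does not, so the reply to the client's ephemeral port must pass the outbound rules.
    if acl_decision(acl_outbound, "tcp", client_port) != "allow":
        problems.append(f"NACL outbound blocks the reply to ephemeral port {client_port}")
    return problems


def instance_egress_outcome(acl_outbound, acl_inbound, remote_port=443, local_port=49152) -> List[str]:
    """Instance -> package repository download (the flow that already works in the scenario)."""
    problems = []
    if acl_decision(acl_outbound, "tcp", remote_port) != "allow":
        problems.append(f"NACL outbound blocks tcp/{remote_port}")
    if acl_decision(acl_inbound, "tcp", local_port) != "allow":
        problems.append(f"NACL inbound blocks the reply to ephemeral port {local_port}")
    return problems


# Constructed configuration: the SG opens 80/443; the NACL inbound opens 80, 443 and the
# ephemeral range; the NACL outbound rules omit the ephemeral range (the fault option D fixes).
SG_INBOUND = [("tcp", 80, 80), ("tcp", 443, 443)]
HOST_FW_PORTS = {80, 443}
ACL_INBOUND = [AclRule(100, "tcp", 80, 80, "allow"),
               AclRule(110, "tcp", 443, 443, "allow"),
               AclRule(120, "tcp", 1024, 65535, "allow")]
ACL_OUTBOUND_BROKEN = [AclRule(100, "tcp", 80, 80, "allow"),
                       AclRule(110, "tcp", 443, 443, "allow")]
ACL_OUTBOUND_FIXED = ACL_OUTBOUND_BROKEN + [AclRule(120, "tcp", 1024, 65535, "allow")]

if __name__ == "__main__":
    print("egress:", instance_egress_outcome(ACL_OUTBOUND_BROKEN, ACL_INBOUND))
    print("broken:", web_request_outcome(SG_INBOUND, ACL_INBOUND, ACL_OUTBOUND_BROKEN, HOST_FW_PORTS))
    print("fixed: ", web_request_outcome(SG_INBOUND, ACL_INBOUND, ACL_OUTBOUND_FIXED, HOST_FW_PORTS))
```

With the broken outbound NACL the egress check passes (which matches the scenario's successful updates) while the inbound web request fails only on the reply leg; adding the ephemeral outbound rule clears it. Because the model honours rule order, a low-numbered deny placed above an allow also shows up as a block, which is the other NACL mistake worth checking.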

An application is deployed in a VPC in both the us-east-2 and eu-west-1 Regions. A significant amount of data needs to be transferred between the two Regions. What is the MOST cost-effective way to set up the data transfer?

A.
Establish a VPN connection between the Regions using third-party VPN products from AWS Marketplace.
B.
Establish Amazon CloudFront distributions for the Amazon EC2 instances from both Regions.
C.
Establish an inter-Region VPC peering connection between the VPCs.
D.
Establish an AWS PrivateLink connection between the two Regions.
Suggested answer: C

Explanation:

Inter-Region VPC peering is the most cost-effective option for bulk transfer between two VPCs. Traffic between peered VPCs stays on the AWS global backbone, is encrypted in transit by AWS for inter-Region peering, and is charged only at the inter-Region data transfer rate; there is no hourly charge and no gateway or appliance to size, patch or pay for. After the peering connection is created in one Region and accepted in the other, each side needs a route for the peer VPC's CIDR that targets the peering connection, and security groups must allow the traffic (a security group in another Region cannot be referenced, so the rules are written against the peer CIDR). Two constraints apply: the VPC CIDR blocks must not overlap, and peering is not transitive. Option A pays for VPN appliances on EC2 plus Marketplace licences and caps throughput at what those instances can push. Option B is a content delivery network for serving clients at the edge, not a path between two VPCs. Option D, PrivateLink, exposes a single service through interface endpoints and is billed per endpoint hour plus data processed, which is the wrong tool and the wrong cost model for moving large volumes of data. Further details can be found in the AWS documentation on VPC Peering.

A company uses AWS Organizations to host several applications across multiple AWS accounts. Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts.

A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed. The solution must be integrated with the company's existing on-premises Active Directory environment. The SysOps administrator already has enabled AWS IAM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection.

What is the MOST operationally efficient solution that meets these requirements?

A.
Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
B.
Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
C.
Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
D.
Use the built-in SSO directory as the identity source for IAM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
Suggested answer: C

Explanation:

AD Connector is a directory gateway: it proxies LDAP and Kerberos requests from AWS to the on-premises domain controllers over the existing Direct Connect link and stores no directory data in AWS. Selecting it as the identity source lets IAM Identity Center authenticate users with their existing corporate credentials and assign on-premises AD groups to permission sets across the accounts in the organization, so the user lifecycle stays in the one place the company already manages it. Operationally it needs only a service account in the on-premises domain with limited rights, DNS resolution of the domain from the VPC, and network rules that let the connector's network interfaces reach the domain controllers (DNS, Kerberos, LDAP and the related ports). Option A fails because Simple AD does not support trust relationships. Option B adds a domain controller on EC2 that must be patched and protected, and a self-managed domain controller is not itself a selectable identity source for IAM Identity Center. Option D duplicates identities into the built-in directory and breaks central management the moment a user changes on premises. AWS documentation on AD Connector offers guidance (AWS Directory Service AD Connector).

A company wants to apply an existing Amazon Route 53 private hosted zone to a new VPC to allow for customized resource name resolution within the VPC. The SysOps administrator created the VPC and added the appropriate resource record sets to the private hosted zone.

Which step should the SysOps administrator take to complete the setup?

A.
Associate the Route 53 private hosted zone with the VPC.
B.
Create a rule in the default security group for the VPC that allows traffic to the Route 53 Resolver.
C.
Ensure the VPC network ACLs allow traffic to the Route 53 Resolver.
D.
Ensure there is a route to the Route 53 Resolver in each of the VPC route tables.
Suggested answer: A

Explanation:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html

A private hosted zone only answers queries from the VPCs it is associated with, so the missing step is to associate the existing zone with the new VPC (option A). For the names to resolve, the VPC's enableDnsSupport and enableDnsHostnames attributes must both be true, and if the VPC belongs to another account the zone owner must first authorize the association. Options B, C and D address layers that are not involved: instances reach the Route 53 Resolver at the VPC's base address plus two through the VPC's own DNS path, that traffic is not subject to security group or network ACL rules, and no route table entry is needed. Detailed steps for this process can be found in the AWS Route 53 documentation on associating hosted zones with VPCs.

A company runs its web application on multiple Amazon EC2 instances that are part of an Auto Scaling group. The company wants the Auto Scaling group to scale out as soon as CPU utilization rises above 50% for the instances.

How should a SysOps administrator configure the Auto Scaling group to meet these requirements?

A.
Configure the Auto Scaling group to scale based on events.
B.
Configure the Auto Scaling group to scale based on a schedule.
C.
Configure the Auto Scaling group to scale dynamically based on demand.
D.
Configure the Auto Scaling group to use predictive scaling.
Suggested answer: C

Explanation:

Scaling on a live metric is dynamic scaling (option C). The administrator creates a scaling policy that reacts to Amazon CloudWatch: either a target tracking policy on the ASGAverageCPUUtilization metric with a target value of 50, which creates and manages its own alarms, or a step scaling policy attached to an alarm on the group's average CPUUtilization with a threshold of 50. How quickly "as soon as" is honoured depends on the alarm rather than the policy type: EC2 publishes CPU metrics every five minutes by default and every minute with detailed monitoring enabled, and the alarm's period and evaluation settings (one 60-second datapoint versus, say, three of three) add to the detection time before any launch starts. Scheduled scaling (option B) is for demand that follows a known timetable, and predictive scaling (option D) launches capacity ahead of a forecast; neither responds to the current CPU value. Option A is not an EC2 Auto Scaling scaling type. Further guidance is available in the AWS documentation on dynamic scaling (Dynamic Scaling for EC2).
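Added example, not the page's or AWS's code: a simplified Python model of a CloudWatch alarm (M-out-of-N evaluation) driving a step scaling policy, to show that "as soon as" is decided by the alarm's period and evaluation settings, not by choosing dynamic scaling alone. The CPU series, threshold, step table and group sizes are constructed, and the model ignores cooldown, instance warm-up and launch time.

```python
"""Simplified model of a CloudWatch alarm driving an EC2 Auto Scaling step scaling policy (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StepAdjustment:
    lower_bound: Optional[float]  # offset from the alarm threshold; None = open-ended
    upper_bound: Optional[float]
    change_in_capacity: int


def alarm_state(datapoints: List[float], threshold: float,
                evaluation_periods: int, datapoints_to_alarm: int) -> str:
    """'M out of N' evaluation of a GreaterThanThreshold alarm over the most recent N datapoints."""
    window = datapoints[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for value in window if value > threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def step_scale(capacity: int, min_size: int, max_size: int, metric_value: float,
               threshold: float, steps: List[StepAdjustment]) -> int:
    """Apply the step whose [lower, upper) range contains metric - threshold, clamped to the group's bounds."""
    delta = metric_value - threshold
    for step in steps:
        lower = float("-inf") if step.lower_bound is None else step.lower_bound
        upper = float("inf") if step.upper_bound is None else step.upper_bound
        if lower <= delta < upper:
            return max(min_size, min(max_size, capacity + step.change_in_capacity))
    return capacity


def scale_out_timeline(cpu_series, period_seconds, threshold, evaluation_periods,
                       datapoints_to_alarm, steps, capacity, min_size, max_size):
    """Walk the metric one period at a time; record (elapsed seconds, alarm state, capacity)."""
    timeline: List[Tuple[int, str, int]] = []
    for i in range(1, len(cpu_series) + 1):
        state = alarm_state(cpu_series[:i], threshold, evaluation_periods, datapoints_to_alarm)
        if state == "ALARM":
            capacity = step_scale(capacity, min_size, max_size, cpu_series[i - 1], threshold, steps)
        timeline.append((i * period_seconds, state, capacity))
    return timeline


# Constructed inputs: average CPU per 60-second period, a 50% threshold, and a step table
# of +1 for 50-60%, +2 for 60-70%, +3 above 70% (bounds are relative to the threshold).
CPU_SERIES = [40.0, 45.0, 55.0, 70.0, 80.0]
THRESHOLD = 50.0
STEPS = [StepAdjustment(0, 10, 1), StepAdjustment(10, 20, 2), StepAdjustment(20, None, 3)]

if __name__ == "__main__":
    # "As soon as" configuration: one 60-second datapoint above 50% triggers the policy.
    for row in scale_out_timeline(CPU_SERIES, 60, THRESHOLD, 1, 1, STEPS, 2, 1, 10):
        print(row)
    # Same metric with a 3-of-3 alarm: the first scale-out is delayed by two periods.
    print(scale_out_timeline(CPU_SERIES, 60, THRESHOLD, 3, 3, STEPS, 2, 1, 10)[-1])
```

With a one-datapoint alarm the group grows at the 180-second mark, the first period in which CPU exceeds 50%; with a three-of-three alarm the same series does not trigger until 300 seconds, and with the default five-minute metric period every one of those figures would be five times larger. That gap is the part of "as soon as" the policy type does not control.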

A SysOps administrator needs to design a disaster recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The application uses an Amazon Aurora PostgreSQL database. The recovery time objective (RTO) and recovery point objective (RPO) are 15 minutes each.

Which combination of steps should the SysOps administrator take to meet these requirements MOST cost-effectively? (Select TWO.)

A.
Configure Aurora backups to be exported to the DR Region.
B.
Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.
C.
Configure the DR Region with an ALB and an Auto Scaling group. Use the same configuration as in the primary Region.
D.
Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group's minimum capacity, maximum capacity, and desired capacity to 1.
E.
Manually launch a new ALB and a new Auto Scaling group by using AWS CloudFormation during a failover activity.
Suggested answer: B, D

Explanation:

With a 15-minute RTO and RPO, the data tier needs continuous replication and the application tier needs to be already running in the DR Region, but it does not need to run at full size:

B: An Aurora global database replicates storage to the secondary Region with a typical lag of under a second, so the 15-minute RPO is met with a wide margin, and the secondary cluster can be promoted in minutes. Exported backups (option A) give a recovery point as old as the last export, which does not meet the RPO.

D: A warm standby in the DR Region: an ALB and an Auto Scaling group with minimum, maximum and desired capacity of 1, built from the same launch template and configuration as production. One running instance keeps the environment proven and ready; during a failover the administrator raises the group's maximum and desired capacity and repoints DNS (for example with Route 53 failover records), which completes well inside 15 minutes. Option C runs a full copy of production and is the most expensive way to meet the same RTO. Option E has to provision and validate the whole stack during the incident, which risks exceeding the RTO and offers no pre-warmed capacity.

Together, B and D are the cheapest combination that meets both objectives. More information can be found in the AWS documentation on Aurora Global Databases and on disaster recovery planning (AWS Disaster Recovery).

A company migrates a write-once, read-many (WORM) drive to an Amazon S3 bucket that has S3 Object Lock configured in governance mode. During the migration, the company copies unneeded data to the S3 bucket.

A SysOps administrator attempts to delete the unneeded data from the S3 bucket by using the AWS CLI. However, the SysOps administrator receives an error.

Which combination of steps should the SysOps administrator take to successfully delete the unneeded data? (Select TWO.)

A.
Increase the Retain Until Date.
B.
Assume a role that has the s3:BypassLegalRetention permission.
C.
Assume a role that has the s3:BypassGovernanceRetention permission.
D.
Include the x-amz-bypass-governance-retention:true header in the request when issuing the delete command.
E.
Include the x-amz-bypass-legal-retention:true header in the request when issuing the delete command.
Suggested answer: C, D

Explanation:

In governance mode a locked object version cannot be deleted or overwritten until its Retain Until Date, but a principal with the s3:BypassGovernanceRetention permission can override the lock for a single request. Two things are required together, which is why the answer is a combination:

C: The IAM policy of the caller (here, the assumed role) must grant s3:BypassGovernanceRetention on the objects, in addition to s3:DeleteObjectVersion. The permission alone changes nothing: S3 still enforces the retention period unless the request explicitly asks to bypass it.

D: The delete request must carry the x-amz-bypass-governance-retention: true header. With the AWS CLI that is the --bypass-governance-retention option of aws s3api delete-object, and the request must name the version (--version-id); a delete without a version ID on a versioned bucket only adds a delete marker and leaves the locked version in place.

Options B and E name a permission and a header that do not exist; a legal hold is removed with s3:PutObjectLegalHold, not bypassed. Option A extends the protection rather than lifting it. None of this applies in compliance mode, which no user, including the account's root user, can bypass before the retention period ends. Because the bypass permission defeats the purpose of Object Lock, grant it only to a dedicated, time-limited role and review its use in AWS CloudTrail. For further details, refer to the AWS documentation on S3 Object Lock (Amazon S3 Object Lock).
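Added example, not from the page or from AWS: a local Python model of the documented delete rules for a locked object version, useful for checking which requests would succeed before running them against a real bucket. The object attributes, timestamps and request flags are constructed, and the function never calls S3.

```python
"""Local model of the S3 Object Lock rules that decide whether a delete succeeds (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ObjectVersion:
    key: str
    version_id: str
    retention_mode: Optional[str]      # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime]
    legal_hold: bool = False


@dataclass(frozen=True)
class DeleteRequest:
    version_id: Optional[str]    # None: the request names no version, so only a delete marker is added
    has_bypass_permission: bool  # IAM policy grants s3:BypassGovernanceRetention
    bypass_header: bool          # x-amz-bypass-governance-retention: true
                                 # (aws s3api delete-object --bypass-governance-retention)


def delete_decision(obj: ObjectVersion, req: DeleteRequest, now: datetime) -> str:
    """Return 'ALLOW: ...' or 'DENY: ...' for deleting a specific version of a locked object.
    Assumes the caller already holds s3:DeleteObjectVersion; only the Object Lock checks are modelled."""
    if req.version_id is None:
        return "ALLOW: no versionId in the request, a delete marker is added and the locked version stays"
    if obj.legal_hold:
        return "DENY: legal hold is on; it must be removed first (s3:PutObjectLegalHold)"
    retention_active = (obj.retention_mode is not None and obj.retain_until is not None
                        and now < obj.retain_until)
    if not retention_active:
        return "ALLOW: no active retention period"
    if obj.retention_mode == "COMPLIANCE":
        return "DENY: compliance mode cannot be bypassed by any user until the retain-until date"
    # GOVERNANCE: the permission alone is not enough; the request must also ask for the bypass.
    if not req.bypass_header:
        return "DENY: governance retention is active and the request did not set the bypass header"
    if not req.has_bypass_permission:
        return "DENY: bypass was requested but the caller lacks s3:BypassGovernanceRetention"
    return "ALLOW: governance retention bypassed"


# Constructed objects and clock for the demonstration; nothing here talks to S3.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
GOVERNED = ObjectVersion("migration/tmp-001.bin", "v1", "GOVERNANCE",
                         datetime(2032, 1, 1, tzinfo=timezone.utc))
COMPLIANT = ObjectVersion("records/2024-q1.pdf", "v1", "COMPLIANCE",
                          datetime(2032, 1, 1, tzinfo=timezone.utc))
HELD = ObjectVersion("records/litigation.pdf", "v1", "GOVERNANCE",
                     datetime(2032, 1, 1, tzinfo=timezone.utc), legal_hold=True)

if __name__ == "__main__":
    for label, req in [
        ("no header", DeleteRequest("v1", True, False)),
        ("no permission", DeleteRequest("v1", False, True)),
        ("both", DeleteRequest("v1", True, True)),
        ("delete marker only", DeleteRequest(None, False, False)),
    ]:
        print(f"{label:20} {delete_decision(GOVERNED, req, NOW)}")
    print(f"{'compliance, both':20} {delete_decision(COMPLIANT, DeleteRequest('v1', True, True), NOW)}")
    print(f"{'legal hold, both':20} {delete_decision(HELD, DeleteRequest('v1', True, True), NOW)}")
```

Only the request that combines the permission (option C) with the header (option D) deletes the governed version; either one alone is refused, the same request is refused outright in compliance mode or under a legal hold, and a version-less delete "succeeds" without removing anything, which is the case that quietly fools a cleanup script.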

A company is deploying an ecommerce application to an AWS Region that is located in France. The company wants users from only France to be able to access the first version of the application. The company plans to add more countries for the next version of the application. A SysOps administrator needs to configure the routing policy in Amazon Route 53.

Which solution will meet these requirements?

A.
Use a geoproximity routing policy. Select France as the location in the record.
B.
Use a geolocation routing policy. Select France as the location in the record.
C.
Use an IP-based routing policy. Select all IP addresses that are allocated to France in the record.
D.
Use a geoproximity routing policy. Select all IP addresses that are allocated to France in the record.
Suggested answer: B

Explanation:

Route 53 geolocation routing chooses the record to return from the location of the DNS query's source: the IP address of the resolver that sends it, or the client's subnet when the resolver passes EDNS Client Subnet. This is the policy that selects traffic by country:

B: Use a geolocation routing policy with France as the location in the record. Queries that map to France receive the application's endpoint, and adding countries in the next version is a matter of adding further records with the same name and other locations. Create a default record as well, so that queries from unmatched locations get a deliberate answer instead of the "no answer" response Route 53 returns when nothing matches. Two caveats matter for a security reviewer. Geolocation is approximate and is not an access control: a user outside France who resolves through a resolver located in France, or who already knows the application's endpoint, reaches it regardless, so country restrictions that must hold are enforced at the edge with AWS WAF geographic match rules on the load balancer or CloudFront distribution. Geoproximity routing (options A and D) routes by distance and bias between resources rather than restricting by country, and option C's IP-based routing would require maintaining every address range allocated to France, which is brittle and unnecessary when geolocation already does this. More information about setting up geolocation routing can be found in the AWS Route 53 documentation (Amazon Route 53 Geolocation Routing).

A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A SysOps administrator must ensure that an on-premises server can query records in the example.com domain.

What should the SysOps administrator do to meet these requirements?

A.
Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
B.
Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
C.
Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
D.
Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
Suggested answer: A

Explanation:

The on-premises DNS servers are the clients here: they must forward queries for example.com into the VPC, so the VPC needs something that accepts DNS traffic from outside it. That is a Route 53 Resolver inbound endpoint:

A: Create a Route 53 Resolver inbound endpoint and attach a security group that allows inbound TCP and UDP port 53 from the on-premises DNS servers. The endpoint is created with IP addresses in at least two subnets, and because the traffic arrives over Direct Connect the rule should be scoped to those servers' addresses rather than 0.0.0.0/0. The on-premises DNS servers are then given a conditional forwarder for example.com that points at the endpoint's IP addresses. Two prerequisites are easy to miss: the private hosted zone must be associated with the VPC that hosts the endpoint, and the subnets' network ACLs must also permit the port 53 traffic in both directions, since network ACLs are stateless. Outbound endpoints (options C and D) serve the opposite direction, forwarding queries from the VPC to on-premises resolvers, and option B's outbound security group rule would not admit the incoming queries. Additional guidance on setting up Route 53 Resolver endpoints can be found in the AWS documentation (Route 53 Resolver).

Total 425 questions