A large company is using AWS Organizations to manage hundreds of AWS accounts across multiple AWS Regions. The company has turned on AWS Config throughout the organization.
The company requires all Amazon S3 buckets to block public read access. A SysOps administrator must generate a monthly report that shows all the S3 buckets and whether they comply with this requirement.
Which combination of steps should the SysOps administrator take to collect this data? (Select TWO.)
A. Create an AWS Config aggregator in an aggregator account. Use the organization as the source. Retrieve the compliance data from the aggregator.
B. Create an AWS Config aggregator in each account. Use an S3 bucket in an aggregator account as the destination. Retrieve the compliance data from the S3 bucket.
C. Edit the AWS Config policy in AWS Organizations. Use the organization's management account to turn on the s3-bucket-public-read-prohibited rule for the entire organization.
D. Use the AWS Config compliance report from the organization's management account. Filter the results by resource, and select Amazon S3.
E. Use the AWS Config API to apply the s3-bucket-public-read-prohibited rule in all accounts for all available Regions.
C. Edit the AWS Config policy in AWS Organizations. Use the organization's management account to turn on the s3-bucket-public-read-prohibited rule for the entire organization.
D. Use the AWS Config compliance report from the organization's management account. Filter the results by resource, and select Amazon S3.
Question 122:
A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware. What should the SysOps administrator do to meet these requirements?
A. Launch the instances into a cluster placement group in a single AWS Region.
B. Launch the instances into a partition placement group in multiple AWS Regions.
C. Launch the instances into a spread placement group in multiple AWS Regions.
D. Launch the instances into a spread placement group in a single AWS Region.
D. Launch the instances into a spread placement group in a single AWS Region.
Explanation/Reference: A spread placement group strictly places a small group of instances across distinct underlying hardware to reduce correlated failures. A rack spread placement group can span multiple Availability Zones in the same Region. For rack-level spread placement groups, you can have a maximum of seven running instances per Availability Zone per group. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
Question 123:
A company uses AWS Organizations to manage a set of AWS accounts. The company has set up organizational units (OUs) in the organization. An application OU supports various applications.
A SysOps administrator must prevent users from launching Amazon EC2 instances that do not have a CostCenter-Project tag into any account in the application OU. The restriction must apply only to accounts in the application OU.
Which solution will meet these requirements?
A. Create an IAM group that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Place all IAM users who need access to the application accounts in the IAM group.
B. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.
C. Create an IAM role that has a policy that allows the ec2:RunInstances action when the CostCenter-Project tag is present. Attach the IAM role to the IAM users that are in the application OU accounts.
D. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the root OU.
B. Create a service control policy (SCP) that denies the ec2:RunInstances action when the CostCenter-Project tag is missing. Attach the SCP to the application OU.
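An SCP that implements option B, added here as an illustration rather than as part of the original question (the Sid is an assumption). It denies ec2:RunInstances on the instance resource when the request carries no CostCenter-Project tag; scoping the Resource to instance/* keeps the condition from also failing on the volumes and network interfaces that the same call creates:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter-Project": "true"
        }
      }
    }
  ]
}
```

Attach it to the application OU only, as the answer states: an SCP never applies to the management account and only narrows what the account's own IAM policies already allow, so users still need an IAM policy granting ec2:RunInstances. The tag has to be passed in the launch request's TagSpecifications with ResourceType instance, otherwise the Null condition is true and the launch is denied.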
Question 124:
A company is deploying a third-party unit testing solution that is delivered as an Amazon EC2 Amazon Machine Image (AMI). All system configuration data is stored in Amazon DynamoDB. The testing results are stored in Amazon S3.
A minimum of three EC2 instances are required to operate the product. The company's testing team wants to use an additional three EC2 instances when the Spot Instance prices are at a certain threshold. A SysOps administrator must implement a highly available solution that provides this functionality.
Which solution will meet these requirements with the LEAST operational overhead?
A. Define an Amazon EC2 Auto Scaling group by using a launch configuration. Use the provided AMI in the launch configuration. Configure three On-Demand Instances and three Spot Instances. Configure a maximum Spot Instance price in the launch configuration.
B. Define an Amazon EC2 Auto Scaling group by using a launch template. Use the provided AMI in the launch template. Configure three On-Demand Instances and three Spot Instances. Configure a maximum Spot Instance price in the launch template.
C. Define two Amazon EC2 Auto Scaling groups by using launch configurations. Use the provided AMI in the launch configurations. Configure three On-Demand Instances for one Auto Scaling group. Configure three Spot Instances for the other Auto Scaling group. Configure a maximum Spot Instance price in the launch configuration for the Auto Scaling group that has Spot Instances.
D. Define two Amazon EC2 Auto Scaling groups by using launch templates. Use the provided AMI in the launch templates. Configure three On-Demand Instances for one Auto Scaling group. Configure three Spot Instances for the other Auto Scaling group. Configure a maximum Spot Instance price in the launch template for the Auto Scaling group that has Spot Instances.
B. Define an Amazon EC2 Auto Scaling group by using a launch template. Use the provided AMI in the launch template. Configure three On-Demand Instances and three Spot Instances. Configure a maximum Spot Instance price in the launch template.
Option B provides a straightforward solution with the least operational overhead. An Amazon EC2 Auto Scaling group with a launch template lets you define the desired instance configuration, including the AMI, instance type, and Spot Instance pricing, in a single template. Configuring both On-Demand and Spot Instances in the same Auto Scaling group ensures that the application always has the required minimum of three instances and that additional Spot Instances are used when the Spot Instance prices meet the specified threshold. https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchTemplates.html https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html
Question 125:
A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts. Which solution will meet these requirements?
A. Purchase RIs in individual member accounts. Disable RI discount sharing in the management account.
B. Purchase RIs in individual member accounts. Disable RI discount sharing in the member accounts.
C. Purchase RIs in the management account. Disable RI discount sharing in the management account.
D. Purchase RIs in the management account. Disable RI discount sharing in the member accounts.
A. Purchase RIs in individual member accounts. Disable RI discount sharing in the management account.
Explanation/Reference: RI discounts apply to accounts in an organization's consolidated billing family depending on whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account. The capacity reservation for an RI applies only to the account the RI was purchased in, regardless of whether RI sharing is turned on or off. https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ri-consolidated-billing/
Question 126:
A company's customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps administrator observed a very high rate of read operations on a particular S3 bucket.
What will minimize latency by reducing load on the S3 bucket?
A. Migrate the S3 bucket to a Region that is closer to end users' geographic locations.
B. Use cross-Region replication to replicate all of the data to another Region.
C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.
D. Use Amazon ElastiCache to cache data being served from Amazon S3.
C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.
Rationale: A. Might help if all users always come from Regions adjacent to the bucket (requires effort and analysis). B. Would increase load during replication, but might help later (same caveats as option A). C. Simplest and best, because CloudFront starts caching at every edge location globally based only on actual user requests, the bucket remains unchanged, and no analysis is required. D. ElastiCache is for caching database results, not S3 objects.
Question 127:
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?
A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR ranges. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Logs. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
B. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instances. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
C. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
D. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by tag. Tag the EC2 instances with an identifier. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.
C. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups. https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aws-system-manager/
Question 128:
A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)
A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
B. Implement an object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html You can set the default encryption behavior on an Amazon S3 bucket so that all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) customer master keys (CMKs).
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/ "How to Prevent Uploads of Unencrypted Objects to Amazon S3": by using an S3 bucket policy, you can enforce the encryption requirement when users upload objects, instead of assigning a restrictive IAM policy to all users.
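The bucket policy behind option E, added here as an illustration and not taken from the original answer (EXAMPLE-BUCKET is a placeholder, and the Sids are assumptions). The first statement rejects a PutObject that names an encryption method other than SSE-S3; the second rejects a PutObject that omits the encryption header entirely:

```json
{
  "Version": "2012-10-17",
  "Id": "RequireServerSideEncryptionOnPut",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Bucket policies are evaluated before default encryption is applied, so the second statement rejects uploads that omit the header even though option C's default encryption would have encrypted them at rest; keep it only when callers must state the encryption method explicitly (for example, replace AES256 with aws:kms to require SSE-KMS).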
Question 129:
A company plans to deploy a database on an Amazon Aurora MySQL DB cluster. The database will store data for a demonstration environment. The data must be reset on a daily basis. What is the MOST operationally efficient solution that meets these requirements?
A. Create a manual snapshot of the DB cluster after the data has been populated. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the snapshot and then delete the previous DB cluster.
B. Enable the Backtrack feature during the creation of the DB cluster. Specify a target backtrack window of 48 hours. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to perform a backtrack operation.
C. Export a manual snapshot of the DB cluster to an Amazon S3 bucket after the data has been populated. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the snapshot from Amazon S3.
D. Set the DB cluster backup retention period to 2 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the DB cluster to a point in time and then delete the previous DB cluster.
B. Enable the Backtrack feature during the creation of the DB cluster. Specify a target backtrack window of 48 hours. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to perform a backtrack operation.
Enabling the Backtrack feature in Amazon Aurora MySQL allows you to rewind the DB cluster to a specific point in time without manual snapshots or a restore to a new cluster. This feature is designed for scenarios where you want to reset the data to a previous state, such as a demonstration environment. Specifying a target backtrack window of 48 hours ensures that the previous day's starting state is always within reach of a backtrack operation.
Question 130:
A SysOps administrator is unable to launch Amazon EC2 instances into a VPC because there are no available private IPv4 addresses in the VPC. Which combination of actions must the SysOps administrator take to launch the instances? (Select TWO.)
A. Associate a secondary IPv4 CIDR block with the VPC.
B. Associate a primary IPv6 CIDR block with the VPC.
C. Create a new subnet for the VPC.
D. Modify the CIDR block of the VPC.
E. Modify the CIDR block of the subnet that is associated with the instances.
A. Associate a secondary IPv4 CIDR block with the VPC.
C. Create a new subnet for the VPC.
https://aws.amazon.com/premiumsupport/knowledge-center/subnet-insufficient-ips/