Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 191:

  A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances. The company needs a solution that produces no additional cost.

  Which solution will meet these requirements?

  A. Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC.

  B. Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC.

  C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.

  D. Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table.

  Correct Answer: C

  A gateway VPC endpoint allows you to connect to Amazon S3 from your VPC without requiring an internet gateway, NAT gateway, or VPN connection. It provides a private connection to Amazon S3 over your Amazon VPC using Amazon's private network. Since the company wants to connect to 50 Amazon S3 buckets securely over a private connection from its Amazon EC2 instances in the same AWS Region, creating one gateway VPC endpoint for all the S3 buckets is the most efficient and cost-effective solution. By creating one gateway VPC endpoint, you can connect to all S3 buckets in the same Region without the need to create multiple VPC endpoints for each bucket, thus reducing complexity and avoiding additional costs

• Question 192:

  A company is using Amazon Elastic File System (Amazon EFS) to share a file system among several Amazon EC2 instances. As usage increases, users report that file retrieval from the EFS file system is slower than normal.

  Which action should a SysOps administrator take to improve the performance of the file system?

  A. Configure the file system for Provisioned Throughput.

  B. Enable encryption in transit on the file system.

  C. Identify any unused files in the file system, and remove the unused files.

  D. Resize the Amazon Elastic Block Store (Amazon EBS) volume of each of the EC2 instances.

  Correct Answer: A

• Question 193:

  A company uses an Amazon Simple Queue Service (Amazon SQS) standard queue with its application. The application sends messages to the queue with unique message bodies The company decides to switch to an SQS FIFO queue.

  What must the company do to migrate to an SQS FIFO queue?

  A. Create a new SQS FIFO gueue Turn on content based deduplication on the new FIFO queue Update the application to include a message group ID in the messages

  B. Create a new SQS FIFO queue Update the application to include the DelaySeconds parameter in the messages

  C. Modify the queue type from SQS standard to SQS FIFO Turn off content-based deduplication on the queue Update the application to include a message group ID in the messages

  D. Modify the queue type from SQS standard to SQS FIFO Update the application to send messages with identical message bodies and to include the DelaySeconds parameter in the messages

  Correct Answer: A

  FIFO queues don't support per-message delays, only per-queue delays. If your application sets the same value of the DelaySeconds parameter on each message, you must modify your application to remove the per-message delay and set DelaySeconds on the entire queue instead. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues-moving.html

• Question 194:

  A company's customers are reporting increased latency while accessing static web content from Amazon S3 A SysOps administrator observed a very high rate of read operations on a particular S3 bucket.

  What will minimize latency by reducing load on the S3 bucket?

  A. Migrate the S3 bucket to a region that is closer to end users' geographic locations

  B. Use cross-region replication to replicate all of the data to another region

  C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.

  D. Use Amazon ElastiCache to cache data being served from Amazon S3

  Correct Answer: C

  Rationale:

  A. Might help if everyone is always coming from "regions" that adjacent (requires effort/analysis)

  B. Woiuld increases load during replicaton, but might help later (same caveats as previous question)

  C. Simplest/best because CF starts caching to every edge globally based only on actual user requests, bucket remains unchanged, and no analysis required.

  D. ElastiCache is for DBs, not S3

• Question 195:

  A SysOps administrator is troubleshooting connection timeouts to an Amazon EC2 instance that has a public IP address. The instance has a private IP address of 172.31.16.139. When the SysOps administrator tries to ping the instance's public IP address from the remote IP address 203.0.113.12, the response is "request timed out." The flow logs contain the following information:

  

  What is one cause of the problem?

  A. Inbound security group deny rule

  B. Outbound security group deny rule

  C. Network ACL inbound rules

  D. Network ACL outbound rules

  Correct Answer: D

• Question 196:

  A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application's performance. A SysOps administrator must scale the application to meet the increased traffic.

  Which solution meets these requirements?

  A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.

  B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.

  C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.

  D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.

  Correct Answer: C

• Question 197:

  A company requires that all IAM user accounts that have not been used for 90 days or more must have their access keys and passwords immediately disabled A SysOps administrator must automate the process of disabling unused keys using the MOST operationally efficient method.

  How should the SysOps administrator implement this solution?

  A. Create an AWS Step Functions workflow to identify IAM users that have not been active for 90 days Run an AWS Lambda function when a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule is invoked to automatically remove the AWS access keys and passwords for these IAM users

  B. Configure an AWS Config rule to identify IAM users that have not been active for 90 days Set up an automatic weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for these IAM users

  C. Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users that have not been active for 90 days Automatically delete these 1AM users

  D. Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users

  Correct Answer: D

  Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. The rule is NON_COMPLIANT if there are inactive accounts not recently used.

• Question 198:

  A company has a compliance requirement that no security groups can allow SSH ports to be open to all IP addresses. A SysOps administrator must implement a solution that will notify the company's SysOps team when a security group rule violates this requirement. The solution also must remediate the security group rule automatically.

  Which solution will meet these requirements?

  A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a security group changes. Configure the Lambda function to evaluate the security group for compliance, remove all inbound security group rules on all ports, and notify the SysOps team if the security group is noncompliant.

  B. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm to notify the SysOps team through an Amazon Simple Notification Service (Amazon SNS) topic when (he metric is greater than 0. Subscribe an AWS Lambda function to the SNS topic to remediate the security group rule by removing the rule.

  C. Activate the AWS Config restricted-ssh managed rule. Add automatic remediation to the AWS Config rule by using the AWS Systems Manager Automation AWS- DisablePublicAccessForSecurityGroup runbook. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the SysOps team when the rule is noncompliant.

  D. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm for when the metric is greater than 0. Add an AWS Systems Manager action to the CloudWatch alarm to suspend the security group by using the Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook when the alarm is in ALARM state. Add an Amazon Simple Notification Service (Amazon SNS) topic as a second target to notify the SysOps team.

  Correct Answer: C

  Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4.

  Identifier: INCOMING_SSH_DISABLED

  Resource Types: AWS::EC2::SecurityGroup

  Trigger type: Configuration changes

• Question 199:

  A company has a policy that requires all Amazon EC2 instances to have a specific set of tags. If an EC2 instance does not have the required tags, the noncompliant instance should be terminated.

  What is the MOST operationally efficient solution that meets these requirements?

  A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all EC2 instance state changes to an AWS Lambda function to determine if each instance is compliant. Terminate any noncompliant instances.

  B. Create an IAM policy that enforces all EC2 instance tag requirements. If the required tags are not in place for an instance, the policy will terminate noncompliant instance.

  C. Create an AWS Lambda function to determine if each EC2 instance is compliant and terminate an instance if it is noncompliant. Schedule the Lambda function to invoke every 5 minutes.

  D. Create an AWS Config rule to check if the required tags are present. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.

  Correct Answer: D

  https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html

• Question 200:

  A SysOps administrator has an AWS CloudFormation template of the company's existing infrastructure in us-west-2. The administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back.

  Why would this template fail to deploy? (Select TWO.)

  A. The template referenced an IAM user that is not available in eu-west-1.

  B. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1.

  C. The template did not have the proper level of permissions to deploy the resources.

  D. The template requested services that do not exist in eu-west-1.

  E. CloudFormation templates can be used only to update existing services.

  Correct Answer: BD

  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html#troubleshooting-errors