A company asks a SysOps administrator to ensure that AWS CloudTrail files are not tampered with after they are created. Currently, the company uses AWS Identity and Access Management (IAM) to restrict access to specific trails. The company's security team needs the ability to trace the integrity of each file.
What is the MOST operationally efficient solution that meets these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a new file is delivered. Configure the Lambda function to compute an MD5 hash check on the file and store the result in an Amazon DynamoDB table. The security team can use the values that are stored in DynamoDB to verify the integrity of the delivered files. B. Create an AWS Lambda function that is invoked each time a new file is delivered to the CloudTrail bucket. Configure the Lambda function to compute an MD5 hash check on the file and store the result as a tag in an Amazon S3 object. The security team can use the information in the tag to verify the integrity of the delivered files. C. Enable the CloudTrail file integrity feature on an Amazon S3 bucket. Create an IAM policy that grants the security team access to the file integrity logs that are stored in the S3 bucket. D. Enable the CloudTrail file integrity feature on the trail. The security team can use the digest file that is created by CloudTrail to verify the integrity of the delivered files.
D. Enable the CloudTrail file integrity feature on the trail. The security team can use the digest file that is created by CloudTrail to verify the integrity of the delivered files. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html "When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. Validated log files are invaluable in security and forensic investigations"
Question 192:
A SysOps administrator notices a scale-up event for an Amazon EC2 Auto Scaling group Amazon CloudWatch shows a spike in the RequestCount metric for the associated Application Load Balancer The administrator would like to know the IP addresses for the source of the requests.
Where can the administrator find this information?
A. Auto Scaling logs B. AWS CloudTrail logs C. EC2 instance logs D. Elastic Load Balancer access logs
D. Elastic Load Balancer access logs Explanation Explanation/Reference:Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
Question 193:
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba4Kc. and it is actively used by 10 Amazon EC2 hosts The organization has become concerned that the file system is not encrypted. How can this be resolved?
A. Enable encryption on each host's connection to the Amazon EFS volume Each connection must be recreated for encryption to take effect B. Enable encryption on the existing EFS volume by using the AWS Command Line Interface C. Enable encryption on each host's local drive Restart each host to encrypt the drive D. Enable encryption on a newly created volume and copy all data from the original volume Reconnect each host to the new volume
D. Enable encryption on a newly created volume and copy all data from the original volume Reconnect each host to the new volume Explanation Explanation/Reference:https://docs.aws.amazon.com/efs/latest/ug/encryption.html Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. You can enable encryption of data at rest when creating an Amazon EFS file system. You can enable encryption of data in transit when you mount the file system.
Question 194:
A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company's security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.
Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to an IAM user. Share the user credentials with the security administrator. B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator. C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account. D. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to a cross-account IAM role Ask the security administrator to assume the role from their account.
D. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to a cross-account IAM role Ask the security administrator to assume the role from their account.
Question 195:
A company is running a development application on an Amazon EC2 instance. The application uploads 500.000 files that are 1 GB in size into a large! Amazon S3 bucket that has default encryption enabled The EC2 instance is in the same AWS Region where the S3 bucket is deployed.
The company uses performance logging that is built into the application software. The logs show that the application is constantly waiting for the files to be written to the S3 bucket. A SysOps administrator needs to improve the application's throughput performance. The SysOps administrator validates that the networking on the EC2 instance is not constrained.
What should the SysOps administrator do to improve the S3 upload performance''
A. Enable S3 Transfer Acceleration on the S3 bucket. B. Split the S3 write operations to use multiple bucket prefixes to write items in parallel. C. Configure AWS PrivateLink for Amazon S3 Turn off encryption on the S3 bucket D. Configure AWS Global Accelerator in the Region. Turn off encryption on the S3 bucket.
B. Split the S3 write operations to use multiple bucket prefixes to write items in parallel. Improve S3 Upload Performance: Using multiple bucket prefixes can improve throughput by allowing parallel upload streams. Steps:Best Practices for Amazon S3 Performance
Question 196:
A SysOps administrator deployed a three-tier web application to a OA environment and is now evaluating the high availability of the application. The SysOps administrator notices that, when they simulate an unavailable Availability Zone, the application fails to respond. The application stores data in Amazon RDS and Amazon DynamoDB.
How should the SysOps administrator resolve this issue?
A. Add addilional subnets lo the RDS instance subnet group. B. Add an Elastic Load Balancer in front of the RDS instance. C. Distribute the data in DynamoDB across Availability Zones. D. Enable Multi-AZ for the RDS instance.
D. Enable Multi-AZ for the RDS instance. To improve the high availability of an application that utilizes Amazon RDS and experiences failure when an Availability Zone becomes unavailable: Multi-AZ Deployment for RDS: Enable Multi-AZ deployments for your Amazon RDS instance. This setting ensures that RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. Automatic Failover: In the event of a primary RDS instance failure, RDS will automatically failover to the standby so that database operations can resume quickly with minimal disruption. High Availability Configuration: This configuration not only enhances the robustness of the database component but also ensures that the application remains operational even if one Availability Zone is experiencing issues. Enabling Multi-AZ for RDS is crucial for maintaining high availability and ensuring that the application remains resilient in the face of AZ disruptions.
Question 197:
A company has an Amazon EC2 instance that supports a production system. The EC2 instance is backed by an Amazon Elastic Block Store (Amazon EBS) volume. The EBS volume's drive has filled to 100% capacity, which is causing the application on the EC2 instance to experience errors.
Which solution will remediate these errors in the LEAST amount of time?
A. Modify the EBS volume by adding additional drive space. Log on to the EC2 instance. Use the file system-specific commands to extend the file system. B. Create a snapshot of the existing EBS volume. When the snapshot is complete, create an EBS volume of a larger size from the snapshot in the same Availability Zone as the EC2 instance. Attach the new EBS volume to the EC2 instance. Mount the file system. C. Create a new EBS volume of a larger size in the same Availability Zone as the EC2 instance. Attach the EBS volume to the EC2 instance. Copy the data from the existing EBS volume to the new EBS volume. D. Stop the EC2 instance. Change the EC2 instance to a larger instance size that includes additional drive space. Start the EC2 instance.
A. Modify the EBS volume by adding additional drive space. Log on to the EC2 instance. Use the file system-specific commands to extend the file system.
Question 198:
A company deployed a new web application on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group. Users report that they are frequently being prompted to log in.
What should a SysOps administrator do to resolve this issue?
A. Configure an Amazon CloudFront distribution with the ALB as the origin. B. Enable sticky sessions (session affinity) for the target group of EC2 instances. C. Redeploy the EC2 instances in a spread placement group. D. Replace the ALB with a Network Load Balancer.
B. Enable sticky sessions (session affinity) for the target group of EC2 instances.
Question 199:
A company needs to monitor the disk utilization of Amazon Elastic Block Store (Amazon EBS) volumes. The EBS volumes are attached to Amazon EC2 Linux instances. A SysOps administrator must set up an Amazon CloudWatch alarm that provides an alert when disk utilization increases to more than 80%.
Which combination of steps must the SysOps administrator take to meet these requirements? (Choose three.)
A. Create an IAM role that includes the CloudWatchAgentServerPolicy AWS managed policy. Attach the role to the instances. B. Create an IAM role that includes the CloudWatchApplicationInsightsReadOnlyAccess AWS managed policy. Attach the role to the instances. C. Install and start the CloudWatch agent by using AWS Systems Manager or the command line. D. Install and start the CloudWatch agent by using an IAM role. Attach the CloudWatchAgentServerPolicy AWS managed policy to the role. E. Configure a CloudWatch alarm to enter ALARM state when the disk_used_percent CloudWatch metric is greater than 80%. F. Configure a CloudWatch alarm to enter ALARM state when the disk_used CloudWatch metric is greater than 80% or when the disk_free CloudWatch metric is less than 20%.
C. Install and start the CloudWatch agent by using AWS Systems Manager or the command line. D. Install and start the CloudWatch agent by using an IAM role. Attach the CloudWatchAgentServerPolicy AWS managed policy to the role. E. Configure a CloudWatch alarm to enter ALARM state when the disk_used_percent CloudWatch metric is greater than 80%.
Question 200:
A company runs an application that hosts critical data for several clients. The company uses AWS CloudTrail to track user activities on various AWS resources. To meet new security requirements, the company needs to protect the CloudTrail
log files from being modified, deleted, or forged.
Which solution will meet these requirement?
A. Enable CloudTrail log file integrity validation. B. Use Amazon S3 MFA Delete on the S3 bucket where the CloudTrail log files are stored. C. Use Amazon S3 Versioning to keep all versions of the CloudTrail log files. D. Use AWS Key Management Service (AWS KMS) security keys to secure the CloudTrail log files.
C. Use Amazon S3 Versioning to keep all versions of the CloudTrail log files. CloudTrail File Integrity doesnt actually just let someone know that those files were forged? Plus, as far as I can tell it doesnt block people from deleting it. So they CAN be deleted or modified. The integrity validation will provide a way for people to identify forged or deleted files through digest files. On the other hand, enabling versioning on the bucket that trails are recorded, will create versions for modified objects, and even if it get deleted, it will be kept and marked as deleted
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SOA-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.