Amazon SOA-C02 Online Practice Questions and Exam Preparation

Amazon SOA-C02 Online Questions & Answers

• Question 231:

  To manage Auto Scaling group instances that have OS vulnerabilities, the SysOps administrator needs an automated patching solution.

  A. Use AWS Systems Manager Patch Manager to patch the instances during a scheduled maintenance window. In the AWS-RunPatchBaseline document, ensure that the RebootOption parameter is set to RebootIfNeeded.
  B. Use EC2 Image Builder pipelines on a schedule to create new Amazon Machine Images (AMIs) and new launch templates that reference the new AMIs. Use the instance refresh feature for EC2 Auto Scaling to replace instances.
  C. Use AWS Config to scan for operating system vulnerabilities and to patch instances when the instance status changes to NON_COMPLIANT. Send an Amazon Simple Notification Service (Amazon SNS) notification to an operations team to reboot the instances during off-peak hours.
  D. In the Auto Scaling launch template, provide an Amazon Machine Image (AMI) ID for an AWS-provided base image. Update the user data with a shell script to download and install patches.
  A. Use AWS Systems Manager Patch Manager to patch the instances during a scheduled maintenance window. In the AWS-RunPatchBaseline document, ensure that the RebootOption parameter is set to RebootIfNeeded.

• Question 232:

  A company has a compliance requirement that no security groups can allow SSH ports to be open to all IP addresses. A SysOps administrator must implement a solution that will notify the company's SysOps team when a security group rule violates this requirement. The solution also must remediate the security group rule automatically.

  Which solution will meet these requirements?

  A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a security group changes. Configure the Lambda function to evaluate the security group for compliance, remove all inbound security group rules on all ports, and notify the SysOps team if the security group is noncompliant.
  B. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm to notify the SysOps team through an Amazon Simple Notification Service (Amazon SNS) topic when (he metric is greater than 0. Subscribe an AWS Lambda function to the SNS topic to remediate the security group rule by removing the rule.
  C. Activate the AWS Config restricted-ssh managed rule. Add automatic remediation to the AWS Config rule by using the AWS Systems Manager Automation AWS- DisablePublicAccessForSecurityGroup runbook. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the SysOps team when the rule is noncompliant.
  D. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm for when the metric is greater than 0. Add an AWS Systems Manager action to the CloudWatch alarm to suspend the security group by using the Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook when the alarm is in ALARM state. Add an Amazon Simple Notification Service (Amazon SNS) topic as a second target to notify the SysOps team.
  C. Activate the AWS Config restricted-ssh managed rule. Add automatic remediation to the AWS Config rule by using the AWS Systems Manager Automation AWS- DisablePublicAccessForSecurityGroup runbook. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the SysOps team when the rule is noncompliant.

  ---

  Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4. Identifier: INCOMING_SSH_DISABLED Resource Types: AWS::EC2::SecurityGroup Trigger type: Configuration changes

• Question 233:

  A company is using an Amazon DynamoDB table for data. A SysOps administrator must configure replication of the table to another AWS Region for disaster recovery. What should the SysOps administrator do to meet this requirement?

  A. Enable DynamoDB Accelerator (DAX).
  B. Enable DynamoDB Streams, and add a global secondary index (GSI).
  C. Enable DynamoDB Streams, and-add a global table Region.
  D. Enable point-in-time recovery.
  C. Enable DynamoDB Streams, and-add a global table Region.

• Question 234:

  CORRECT TEXT Update an existing AWS CloudFormation stack. If needed, a copy 0t the CloudFormation template is available in an Amazon SB bucket named cloudformation-bucket

  1. Use the us-east-2 Region for all resources.

  2. Unless specified below, use the default configuration settings.

  3. update the Amazon EQ instance named Devinstance by making the following changes to the stack named 1700182:

  a) Change the EC2 instance type to us-east-t2.nano.

  b) Allow SSH to connect to the EC2 instance from the IP address range 192.168.100.0/30.

  c) Replace the instance profile IAM role with IamRoleB.

  4. Deploy the changes by updating the stack using the CFServiceR01e role.

  5. Edit the stack options to prevent accidental deletion.

  6. Using the output from the stack, enter the value of the Prodlnstanceld in the text box below:

  

  A. Check the answer in explanation.
  B. Place Holder
  A. Check the answer in explanation.

  ---

  Solution as given below.

  

• Question 235:

  A company uses an Amazon Simple Queue Service (Amazon SQS) standard queue with its application. The application sends messages to the queue with unique message bodies The company decides to switch to an SQS FIFO queue.

  What must the company do to migrate to an SQS FIFO queue?

  A. Create a new SQS FIFO gueue Turn on content based deduplication on the new FIFO queue Update the application to include a message group ID in the messages
  B. Create a new SQS FIFO queue Update the application to include the DelaySeconds parameter in the messages
  C. Modify the queue type from SQS standard to SQS FIFO Turn off content-based deduplication on the queue Update the application to include a message group ID in the messages
  D. Modify the queue type from SQS standard to SQS FIFO Update the application to send messages with identical message bodies and to include the DelaySeconds parameter in the messages
  A. Create a new SQS FIFO gueue Turn on content based deduplication on the new FIFO queue Update the application to include a message group ID in the messages

  ---

  FIFO queues don't support per-message delays, only per-queue delays. If your application sets the same value of the DelaySeconds parameter on each message, you must modify your application to remove the per-message delay and set DelaySeconds on the entire queue instead. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues-moving.html

• Question 236:

  A SysOps administrator must configure Amazon S3 to host a simple nonproduction webpage. The SysOps administrator has created an empty S3 bucket from the AWS Management Console. The S3 bucket has the default configuration in place.

  Which combination of actions should the SysOps administrator take to complete this process? (Choose two.)

  A. Configure the S3 bucket by using the "Redirect requests for an object" functionality to point to the bucket root URL.
  B. Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that contains WEBSITE.
  C. Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that allows access to the AuthenticatedUsers grantee.
  D. Turn off the "Block all public access" setting. Set a bucket policy that allows "Principal": the s3:GetObject action.
  E. Create an index.html document. Configure static website hosting, and upload the index document to the S3 bucket.
  D. Turn off the "Block all public access" setting. Set a bucket policy that allows "Principal": the s3:GetObject action.
  E. Create an index.html document. Configure static website hosting, and upload the index document to the S3 bucket.

  ---

  Step 1: Create a bucket Step 2: Enable static website hosting Step 3: Edit Block Public Access settings Step 4: Add a bucket policy that makes your bucket content publicly available Step 5: Configure an index document Step 6: Configure an error document Step 7: Test your website endpoint Step 8: Clean up https://docs.aws.amazon.com/AmazonS3/latest/userguide/HostingWebsiteOnS3Setup.html

• Question 237:

  A SysOps administrator must analyze Amazon CloudWatch logs across 10 AWS Lambda functions for historical errors. The logs are in JSON format and are stored in Amazon S3. Errors sometimes do not appear in the same field, but all errors begin with the same string prefix.

  What is the MOST operationally efficient way for the SysOps administrator to analyze the log files?

  A. Use S3 Select to write a query to search for errors. Run the query across all log groups of interest.
  B. Create an AWS Glue processing job to index the logs of interest. Run a query in Amazon Athena to search for errors.
  C. Use Amazon CloudWatch Logs Insights to write a query to search for errors. Run the query across all log groups of interest.
  D. Use Amazon CloudWatch Contributor Insights to create a rule. Apply the rule across all log groups of interest.
  C. Use Amazon CloudWatch Logs Insights to write a query to search for errors. Run the query across all log groups of interest.

  ---

  "CloudWatch Logs Insights automatically discovers fields in logs from AWS services such as Amazon Route 53, AWS Lambda, AWS CloudTrail, and Amazon VPC, and any application or custom log that emits log events as JSON." https:// docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html

• Question 238:

  A company's reporting job that used to run in 15 minutes is now taking an hour to run. An application generates the reports. The application runs on Amazon EC2 instances and extracts data from an Amazon RDS for MySQL database. A SysOps administrator checks the Amazon CloudWatch dashboard for the RDS instance and notices that the Read IOPS metrics are high, even when the reports are not running. The SysOps administrator needs to improve the performance and the availability of the RDS instance.

  Which solution will meet these requirements?

  A. Configure an Amazon ElastiCache cluster in front of the RDS instance. Update the reporting job to query the ElastiCache cluster.
  B. Deploy an RDS read replica. Update the reporting job to query the reader endpoint.
  C. Create an Amazon CloudFront distribution. Set the RDS instance as the origin. Update the reporting job to query the CloudFront distribution.
  D. Increase the size of the RDS instance.
  B. Deploy an RDS read replica. Update the reporting job to query the reader endpoint.

  ---

  Using an RDS read replica will improve the performance and availability of the RDS instance by offloading read queries to the replica. This will also ensure that the reporting job completes in a timely manner and does not affect the performance of other queries that might be running on the RDS instance. Additionally, updating the reporting job to query the reader endpoint will ensure that all read queries are directed to the read replica. [1] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html

• Question 239:

  A compliance team requires all administrator passwords tor Amazon RDS DB instances to be changed at toast annually Which solution meets this requirement in the MOST operationally efficient manner?

  A. Store the database credentials in AWS Secrets Manager Configure automate rotation for the secret every 365 days
  B. Store the database credentials as a parameter in the RDS parameter group Create a database trigger to rotate the password every 365 days
  C. Store the database credentials in a private Amazon S3 bucket Schedule an AWS Lambda function to generate a new set of credentials every 365 days
  D. Store the database credentials in AWS Systems Manager Parameter Store as a secure string parameter Configure automatic rotation for the parameter every 365 days
  A. Store the database credentials in AWS Secrets Manager Configure automate rotation for the secret every 365 days

  ---

  Explanation Explanation/Reference:To implement password rotation lifecycles, use AWS Secrets Manager. You can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle using Secrets Manager. For more information, see What is AWS Secrets Manager? in the AWS Secrets Manager User Guide. Rotate Amazon RDS database credentials automatically with AWS Secrets Manager https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/

• Question 240:

  A company needs to monitor its website's availability to end users. The company requires a solution that provides an Amazon Simple Notification Service (Amazon SNS) notification if the website's uptime decreases to less than 99%. The monitoring must accurately reflect the user experience on the website.

  Which solution will meet these requirements?

  A. Create an Amazon CloudWatch alarm based on the website's logs published to a CloudWatch Logs log group. Configure the alarm to publish an SNS notification if the number of HTTP 4xx and 5xx errors exceeds a specified threshold.
  B. Create an Amazon CloudWatch alarm based on the website's published metrics in CloudWatch. Configure the alarm to publish an SNS notification based on anomaly detection.
  C. Create an Amazon CloudWatch Synthetics heartbeat monitoring canary. Associate the canary with the website's URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
  D. Create an Amazon CloudWatch Synthetics broken link checker monitoring canary. Associate the canary with the website's URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
  C. Create an Amazon CloudWatch Synthetics heartbeat monitoring canary. Associate the canary with the website's URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.