A SysOps administrator is designing a solution for an Amazon RDS for PostgreSQL DB instance. Database credentials must be stored and rotated monthly. The applications that connect to the DB instance send write-intensive traffic with variable client connections that sometimes increase significantly in a short period of time.
Which solution should a SysOps administrator choose to meet these requirements?
A. Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS Proxy to handle the increases in database connections.
B. Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS read replicas to handle the increases in database connections.
C. Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS Proxy to handle the increases in database connections.
D. Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS read replicas to handle the increases in database connections.

C. Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS Proxy to handle the increases in database connections.
Explanation/Reference: Amazon RDS Proxy is available for Amazon Aurora with MySQL compatibility, Amazon Aurora with PostgreSQL compatibility, Amazon RDS for MariaDB, Amazon RDS for MySQL, and Amazon RDS for PostgreSQL.
Question 252:
A company's SysOps administrator uses AWS IAM Identity Center (AWS Single Sign-On) to connect to an Active Directory. The SysOps administrator creates a new account that all the company's users need to access.
The SysOps administrator uses the Active Directory Domain Users group for permissions to the new account because all users are already members of the group. When users try to log in, their access is denied.
Which action will resolve this access issue?
A. Create a new group. Add users to the new group to provide access.
B. Correct the time on the Active Directory domain controllers.
C. Remove the account. Re-add the account to the organization that is integrated with IAM Identity Center.
D. Correct the permissions on the Active Directory group so that IAM Identity Center has read access.

D. Correct the permissions on the Active Directory group so that IAM Identity Center has read access.
Question 253:
A company stores its data in an Amazon S3 bucket. The company is required to classify the data and find any sensitive personal information in its S3 files. Which solution will meet these requirements?
A. Create an AWS Config rule to discover sensitive personal information in the S3 files and mark them as noncompliant.
B. Create an S3 event-driven artificial intelligence/machine learning (AI/ML) pipeline to classify sensitive personal information by using Amazon Rekognition.
C. Enable Amazon GuardDuty. Configure S3 protection to monitor all data inside Amazon S3.
D. Enable Amazon Macie. Create a discovery job that uses the managed data identifier.

D. Enable Amazon Macie. Create a discovery job that uses the managed data identifier.
Explanation/Reference: Amazon Macie is a security service designed to help organizations find, classify, and protect sensitive data stored in Amazon S3. Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in Amazon S3. Creating a discovery job with the managed data identifier will allow Macie to identify sensitive personal information in the S3 files and classify it accordingly. Enabling AWS Config and Amazon GuardDuty will not help with this requirement as they are not designed to automatically classify and protect data.
Question 254:
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. The application is accessed with a public URL.
A SysOps administrator needs to implement a monitoring solution that checks the availability of the application and follows the same routes and actions as a customer. The SysOps administrator must receive a notification if less than 95% of the monitoring runs find no errors.
Which solution will meet these requirements?
A. Create an Amazon CloudWatch Synthetics canary with a script that follows customer routes. Schedule the canary to run on a recurring schedule. Create a CloudWatch alarm that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when the SuccessPercent metric is less than 95%.
B. Create Amazon Route 53 health checks that monitor the availability of the endpoint. Create Amazon CloudWatch alarms that publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when the HealthCheckPercentageHealthy metric is less than 95%.
C. Create a single AWS Lambda function to check whether the endpoints are available for each customer path. Schedule the Lambda function by using Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when an endpoint returns an error.
D. Create an AWS Lambda function for each customer path to check whether that specific endpoint is available. Schedule the Lambda functions by using Amazon EventBridge (Amazon CloudWatch Events). Configure each Lambda function to publish a custom metric to Amazon CloudWatch for the endpoint status. Create CloudWatch alarms based on each custom metric to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when an alarm is in the ALARM state.

A. Create an Amazon CloudWatch Synthetics canary with a script that follows customer routes. Schedule the canary to run on a recurring schedule. Create a CloudWatch alarm that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when the SuccessPercent metric is less than 95%.
You can use Amazon CloudWatch Synthetics to create canaries, configurable scripts that run on a schedule, to monitor your endpoints and APIs. Canaries follow the same routes and perform the same actions as a customer, which makes it possible for you to continually verify your customer experience even when you don't have any customer traffic on your applications. By using canaries, you can discover issues before your customers do.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html
Question 255:
A company stores critical data in Amazon S3 buckets. A SysOps administrator must build a solution to record all S3 API activity. Which action will meet this requirement?
A. Configure S3 bucket metrics to record object access logs.
B. Create an AWS CloudTrail trail to log data events for all S3 objects.
C. Enable S3 server access logging for each S3 bucket.
D. Use AWS IAM Access Analyzer for Amazon S3 to store object access logs.

B. Create an AWS CloudTrail trail to log data events for all S3 objects.
Question 256:
The company needs a shared file solution for EC2 Windows instances in a Multi-AZ deployment that uses native Windows storage capabilities and maximizes consistency.
A. Create an Amazon FSx for Windows File Server Multi-AZ file system. Map file shares on the instances by using the file system's DNS name.
B. Grant the instances access to a shared Amazon S3 bucket. Use Windows Task Scheduler to synchronize the contents of the S3 bucket locally to each instance periodically.
C. Create an Amazon Elastic File System (Amazon EFS) file system that uses the EFS Standard storage class. Mount the file system to the instances by using the file system's DNS name and the EFS mount helper.
D. Create a new Amazon Elastic Block Store (Amazon EBS) Multi-Attach volume. Attach the EBS volume as an additional drive to each instance.

A. Create an Amazon FSx for Windows File Server Multi-AZ file system. Map file shares on the instances by using the file system's DNS name.
Question 257:
An Amazon S3 Inventory report reveals that more than 1 million objects in an S3 bucket are not encrypted. These objects must be encrypted, and all future objects must be encrypted at the time they are written. Which combination of actions should a SysOps administrator take to meet these requirements? (Select TWO.)
A. Create an AWS Config rule that runs evaluations against configuration changes to the S3 bucket. When an unencrypted object is found, run an AWS Systems Manager Automation document to encrypt the object in place.
B. Edit the properties of the S3 bucket to enable default server-side encryption.
C. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Create an S3 Batch Operations job to copy each object in place with encryption enabled.
D. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Send each object name as a message to an Amazon Simple Queue Service (Amazon SQS) queue. Use the SQS queue to invoke an AWS Lambda function to tag each object with a key of "Encryption" and a value of "SSE-KMS".
E. Use S3 Event Notifications to invoke an AWS Lambda function on all new object-created events for the S3 bucket. Configure the Lambda function to check whether the object is encrypted and to run an AWS Systems Manager Automation document to encrypt the object in place when an unencrypted object is found.

B. Edit the properties of the S3 bucket to enable default server-side encryption.
C. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Create an S3 Batch Operations job to copy each object in place with encryption enabled.
https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/
Question 258:
A company hosts a continuous integration and continuous delivery (CI/CD) environment on AWS. The CI/CD environment includes a Jenkins server that is hosted on an Amazon EC2 instance. A 500 GB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume is attached to the EC2 instance.
Because of disk throughput limitations, the Jenkins server reports performance issues that are resulting in slower builds on the server. The EBS volume needs to sustain 3,000 IOPS while performing nightly build tasks.
A SysOps administrator examines the server's history in Amazon CloudWatch. The BurstBalance metric has had a value of 0 during nightly builds. The SysOps administrator needs to improve the performance and meet the sustained throughput requirements.
Which solution will meet these requirements MOST cost-effectively?
A. Double the gp2 EBS volume size from 500 GB to 1,000 GB.
B. Change the volume type from gp2 to General Purpose SSD (gp3).
C. Change the volume type from gp2 to Throughput Optimized HDD (st1).
D. Change the volume type from gp2 to Provisioned IOPS SSD (io2).

B. Change the volume type from gp2 to General Purpose SSD (gp3).
Question 259:
A SysOps administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the internet. Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)
A. Add a NAT gateway to a public subnet.
B. Attach a private address to the elastic network interface on the EC2 instance.
C. Attach an Elastic IP address to the internet gateway.
D. Add an entry to the route table for the subnet that points to an internet gateway.
E. Create an internet gateway and attach it to a VPC.

D. Add an entry to the route table for the subnet that points to an internet gateway.
E. Create an internet gateway and attach it to a VPC.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
Question 260:
A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records. What type of record should be set in Route 53 to point the website's apex domain name (for example, company.com) to the Application Load Balancer?
A. CNAME
B. SOA
C. TXT
D. ALIAS

D. ALIAS
Explanation/Reference: An ALIAS record is a Route 53 extension to DNS that provides a Route 53-specific alias for a resource record set. When Route 53 receives a DNS query for a domain name that is associated with an ALIAS record, Route 53 responds with the IP address of the resource that is specified in the record. An ALIAS record can be used to map an apex domain name to an Application Load Balancer. In this case, the ALIAS record points to the DNS name of the Application Load Balancer. A CNAME record is a type of DNS record that points one domain name to another. However, CNAME records cannot be used to map an apex domain name to an Application Load Balancer. An SOA (Start of Authority) record is a DNS record that specifies authoritative information about a DNS zone, such as the email address of the person responsible for managing the zone. A TXT record is a type of DNS record that is used to associate some arbitrary text with a DNS record. It is not used to map domain names to IP addresses or to other domain names.
https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53-zoneapex-elb.html