Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 281:

  A SysOps administrator is creating an Amazon EC2 Auto Scaling group in a new AWS account. After adding some instances, the SysOps administrator notices that the group has not reached the minimum number of instances. The SysOps administrator receives the following error message:

  

  Which action will resolve this issue?

  A. Adjust the account spending limits for Amazon EC2 on the AWS Billing and Cost Management console

  B. Modify the EC2 quota for that AWS Region in the EC2 Settings section of the EC2 console.

  C. Request a quota Increase for the Instance type family by using Service Quotas on the AWS Management Console.

  D. Use the Rebalance action In the Auto Scaling group on the AWS Management Console.

  Correct Answer: C

  The error message is suggesting that the account has hit its limit on the number of running EC2 instances. Therefore, the solution is to request a limit increase for the number of instances.

• Question 282:

  A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware. What should the SysOps administrator do to meet these requirements?

  A. Launch the instances into a cluster placement group in a single AWS Region.

  B. Launch the instances into a partition placement group in multiple AWS Regions.

  C. Launch the instances into a spread placement group in multiple AWS Regions.

  D. Launch the instances into a spread placement group in single AWS Region

  Correct Answer: D

  Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures. A rack spread placement group can span multiple Availability Zones in the same Region. For rack spread level placement groups, you can have a maximum of seven running instances per Availability Zone per group.

  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

• Question 283:

  A SysOps administrator launches an Amazon EC2 Linux instance in a public subnet. When the instance is running, the SysOps administrator obtains the public IP address and attempts to remotely connect to the instance multiple times. However, the SysOps administrator always receives a timeout error.

  Which action will allow the SysOps administrator to remotely connect to the instance?

  A. Add a route table entry in the public subnet for the SysOps administrator's IP address.

  B. Add an outbound network ACL rule to allow TCP port 22 for the SysOps administrator's IP address.

  C. Modify the instance security group to allow inbound SSH traffic from the SysOps administrator's IP address.

  D. Modify the instance security group to allow outbound SSH traffic to the SysOps administrator's IP address.

  Correct Answer: C

  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

• Question 284:

  A company is expanding its fleet of Amazon EC2 instances before an expected increase of traffic. When a SysOps administrator attempts to add more instances, an InstanceLimitExceeded error is returned.

  What should the SysOps administrator do to resolve this error?

  A. Add an additional CIDR block to the VPC.

  B. Launch the EC2 instances in a different Availability Zone.

  C. Launch new EC2 instances in another VPC.

  D. Use Service Quotas to request an EC2 quota increase.

  Correct Answer: D

  -Instance Limit Exceeded -> Over 64 vCPU

  -Insufficient Instance Capacity -> AWS's problem

  - Instance Terminates Immediately -> EBS volume limit, corrupt or no permission for decryption

• Question 285:

  A company needs to upload gigabytes of files every day. The company need to achieve higher throughput and upload speeds to Amazon S3.

  Which action should a SysOps administrator take to meet this requirement?

  A. Create an Amazon CloudFront distribution with the GET HTTP method allowed and the S3 bucket as an origin.

  B. Create an Amazon ElastiCache duster and enable caching for the S3 bucket

  C. Set up AWS Global Accelerator and configure it with the S3 bucket

  D. Enable S3 Transfer Acceleration and use the acceleration endpoint when uploading files

  Correct Answer: D

  Enable Amazon S3 Transfer Acceleration Amazon S3 Transfer Acceleration can provide fast and secure transfers over long distances between your client and Amazon S3. Transfer Acceleration uses Amazon CloudFront's globally distributed edge locations. https://aws.amazon.com/premiumsupport/knowledge-center/s3-upload-large-files/

• Question 286:

  A SysOps administrator is setting up an automated process to recover an Amazon EC2 instance In the event of an underlying hardware failure. The recovered instance must have the same private IP address and the same Elastic IP address that the original instance had. The SysOps team must receive an email notification when the recovery process is initiated.

  Which solution will meet these requirements?

  A. Create an Amazon CloudWatch alarm for the EC2 instance, and specify the SiatusCheckFailedjnstance metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS> topic. Subscribe the SysOps team email address to the SNS topic.

  B. Create an Amazon CloudWatch alarm for the EC2 Instance, and specify the StatusCheckFailed_System metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.

  C. Create an Auto Scaling group across three different subnets in the same Availability Zone with a minimum, maximum, and desired size of 1. Configure the Auto Seating group to use a launch template that specifies the private IP address and the Elastic IP address. Add an activity notification for the Auto Scaling group to send an email message to the SysOps team through Amazon Simple Email Service (Amazon SES).

  D. Create an Auto Scaling group across three Availability Zones with a minimum, maximum, and desired size of 1. Configure the Auto Scaling group to use a launch template that specifies the private IP address and the Elastic IP address. Add an activity notification for the Auto Scaling group to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.

  Correct Answer: B

  You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. Terminated instances cannot be recovered. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. If the impaired instance has a public IPv4 address, the instance retains the public IPv4 address after recovery. If the impaired instance is in a placement group, the recovered instance runs in the placement group. When the StatusCheckFailed_System alarm is triggered, and the recover action is initiated, you will be notified by the Amazon SNS topic that you selected when you created the alarm and associated the recover action. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

• Question 287:

  A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:

  2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK

  What is a possible cause of these failed connections?

  A. A security group is denying traffic on port 443.

  B. The EC2 instance is shut down.

  C. The network ACL is blocking HTTPS traffic.

  D. The VPC has no internet gateway attached.

  Correct Answer: A

  https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records- examples.html#flow-log-example-accepted-rejected https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html# Accepted and rejected traffic: In this example, RDP traffic (destination port 3389, TCP protocol) to network interface eni-1235b8ca123456789 in account 123456789010 was rejected. 2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

• Question 288:

  A SysOps administrator is unable to authenticate an AWS CLI call to an AWS service. Which of the following is the cause of this issue?

  A. The IAM password is incorrect

  B. The server certificate is missing

  C. The SSH key pair is incorrect

  D. There is no access key

  Correct Answer: D

  When the AWS CLI runs a command, it sends an encrypted request to the AWS servers to perform the appropriate AWS service operations. Your credentials (the ACCESS key and secret key) are involved in the encryption and enable AWS to authenticate the person making the request. There are several things that can interfere with the correct operation of this process, as follows.

  https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html

• Question 289:

  A company is trying to connect two applications. One application runs in an on-premises data center that has a hostname of hostl .onprem.private. The other application runs on an Amazon EC2 instance that has a hostname of

  hostl.awscloud.private. An AWS Site-to-Site VPN connection is in place between the on-premises network and AWS.

  The application that runs in the data center tries to connect to the application that runs on the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS resolution between on-premises and AWS resources.

  Which solution allows the on-premises application to resolve the EC2 instance hostname?

  A. Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.

  B. Set up an Amazon Route 53 inbound resolver endpoint. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.

  C. Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the outbound resolver endpoint.

  D. Set up an Amazon Route 53 outbound resolver endpoint. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint.

  Correct Answer: B

  Set up an Amazon Route 53 inbound resolver endpoint: This allows DNS resolution for private DNS namespaces in the VPC that you associate with the resolver.

  Associate the resolver with the VPC of the EC2 instance: By associating the resolver with the VPC of the EC2 instance that runs the application with the hostname "host1.awscloud.private", DNS queries from that VPC will be resolved by the inbound resolver.

  Configure the on-premises DNS resolver to forward awscloud.private DNS queries: This step is done on the on-premises DNS resolver. You need to configure it to forward DNS queries for the "awscloud.private" domain to the inbound resolver endpoint.

  With this configuration, when the application in the on-premises data center tries to resolve the hostname of the EC2 instance in AWS (host1.awscloud.private), the DNS query will be forwarded to the Amazon Route 53 inbound resolver, and it will be able to resolve the private hostname.

• Question 290:

  A SysOps administrator is helping a development team deploy an application to AWS Trie AWS CloudFormat on temp ate includes an Amazon Linux EC2 Instance an Amazon Aurora DB cluster and a hard coded database password that must be rotated every 90 days.

  What is the MOST secure way to manage the database password?

  A. Use the AWS SecretsManager Secret resource with the GenerateSecretString property to automatically generate a password Use the AWS SecretsManager RotationSchedule resource lo define a rotation schedule lor the password Configure the application to retrieve the secret from AWS Secrets Manager access the database

  B. Use me AWS SecretsManager Secret resource with the SecretStrmg property Accept a password as a CloudFormation parameter Use the AllowedPatteen property of the CloudFormaton parameter to require e minimum length, uppercase and lowercase letters and special characters Configure me application to retrieve the secret from AWS Secrets Manager to access the database

  C. Use the AWS SSM Parameter resource Accept input as a Qoudformatton parameter to store the parameter as a secure sting Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database

  D. Use the AWS SSM Parameter resource Accept input as a Cloudf ormetton parameter to store the parameter as a string Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database

  Correct Answer: A