Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 21:

  A SysOps administrator is examining the following AWS CloudFormation template:

  

  Why will the stack creation fail?

  A. The Outputs section of the CloudFormation template was omitted.

  B. The Parameters section of the CloudFormation template was omitted.

  C. The PrivateDnsName cannot be set from a CloudFormation template.

  D. The VPC was not specified in the CloudFormation template.

  Correct Answer: C

  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html Only available is PrivateDnsNameOptions.

• Question 22:

  A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services.

  Which solution will meet these requirements?

  A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.

  B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization

  C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.

  D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.

  Correct Answer: B

  Service Control Policies (SCPs) are a feature of AWS Organizations that allow you to set permissions across all member accounts in the organization. When you apply an SCP at the root of the organization, it affects all member accounts

  within that organization.

  In this scenario, by creating an SCP that denies all DynamoDB actions and applying it to the root of the AWS organization, you effectively block access to Amazon DynamoDB for all users, including the root user, in all member accounts within

  the organization. This solution prevents any team, including their administrators, from using DynamoDB while still allowing access to other AWS services that are not restricted by the SCP.

• Question 23:

  A SysOps administrator manages a company's Amazon S3 buckets. The SysOps administrator has identified 5 GB of incomplete multipart uploads in an S3 bucket in the company's AWS account. The SysOps administrator needs to reduce the number of incomplete multipart upload objects in the S3 bucket.

  Which solution will meet this requirement?

  A. Create an S3 Lifecycle rule on the S3 bucket to delete expired markers or incomplete multipart uploads.

  B. Require users that perform uploads of files into Amazon S3 to use the S3 TransferUtility.

  C. Enable S3 Versioning on the S3 bucket that contains the incomplete multipart uploads.

  D. Create an S3 Object Lambda Access Point to delete incomplete multipart uploads.

  Correct Answer: A

  S3 Lifecycle rules allow you to define actions that Amazon S3 should take on objects in the bucket over time. This includes transitioning objects between storage classes and deleting objects when they meet certain criteria. To reduce the number of incomplete multipart upload objects in the S3 bucket, you can create an S3 Lifecycle rule that targets incomplete multipart uploads and specifies a deletion action for them. This will help in automatically cleaning up the incomplete multipart uploads after a certain period.

• Question 24:

  A company runs an application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The application sometimes becomes slow and unresponsive. Amazon CloudWatch metrics show that some EC2 instances are experiencing high CPU load.

  A SysOps administrator needs to create a CloudWatch dashboard that can automatically display CPU metrics of all the EC2 instances. The metrics must include new instances that are launched as part of the Auto Scaling group.

  What should the SysOps administrator do to meet these requirements in the MOST operationally efficient way?

  A. Create a CloudWatch dashboard. Use activity notifications from the Auto Scaling group to invoke a custom AWS Lambda function. Use the Lambda function to update the CloudWatch dashboard to monitor the CPUUtilization metric for the new instance IDs.

  B. Create a CloudWatch dashboard. Run a custom script on each EC2 instance to stream the CPU utilization to the dashboard.

  C. Use CloudWatch metrics explorer to filter by the aws:autoscaling:groupName tag and to create a visualization for the CPUUtilization metric. Add the visualization to a CloudWatch dashboard.

  D. Use CloudWatch metrics explorer to filter by instance state and to create a visualization for the CPUUtilization metric. Add the visualization to a CloudWatch dashboard.

  Correct Answer: C

  https://aws.amazon.com/about-aws/whats-new/2020/11/amazon-cloudwatch-launches-metrics-explorer/

• Question 25:

  A company has an encrypted Amazon S3 bucket that is hosted in the ap-southeast-2 Region. Users from the eu-west-2 Region access the S3 bucket over the internet. The users from eu-west-2 need faster transfers to and from the S3 bucket for large files.

  Which solution will meet these requirements?

  A. Reduce the length of the S3 bucket prefixes within the S3 bucket.

  B. Change the server-side encryption on the S3 bucket from AES to RSA.

  C. Create a new S3 bucket that has an identical name in eu-west-2. Use the new S3 bucket endpoint's domain name for access.

  D. Enable S3 Transfer Acceleration on the S3 bucket. Use the new s3-accelerate endpoint's domain name for access.

  Correct Answer: D

• Question 26:

  A company has a large on-premises tape backup solution. The company has started to use AWS Storage Gateway. The company created a Tape Gateway to replace the existing on-premises hardware. The company's backup engineer noticed that some of the backup jobs that were supposed to write to AWS failed to run because of a "Not Enough Space" error.

  The company does not want these failures to happen again. The company also wants to consistently have enough tape available on AWS.

  What is the MOST operationally efficient way for a SysOps administrator to meet these requirements?

  A. Create an AWS Lambda function that runs on an hourly basis and checks how many tapes have available space. If the available tapes are below a certain threshold, provision more.

  B. Install the Amazon CloudWatch agent on the on-premises system. Push the log files to a CloudWatch log group. Create an AWS Lambda function that creates more tapes when the "Not Enough Space" error appears. Create a metric filter and a metric alarm that launches the Lambda function.

  C. Create an additional Tape Gateway with its own set of tapes. Configure Amazon Simple Notification Service (Amazon SNS) to send a notification to the backup engineer if the tapes that are associated with the primary Tape Gateway do not have available space.

  D. Configure tape auto-create on the Tape Gateway. In the auto-create settings, configure a minimum number of tapes, an appropriate barcode prefix, and a tape pool.

  Correct Answer: D

  The Tape Gateway automatically creates new virtual tapes to maintain the minimum number of available tapes that you configure. It then makes these new tapes available for import by the backup application so that your backup jobs can run without interruption. Automatic tape creation removes the need for custom scripting in addition to the manual process for creating new virtual tapes. https://docs.aws.amazon.com/storagegateway/latest/tgw/managing-automatic-tape-creation.html

• Question 27:

  A SysOps administrator needs to deploy an application in multiple AWS Regions. The SysOps administrator must implement a solution that routes users to the Region with the lowest latency. In case of failure, the solution must automatically route requests to a Region with a healthy instance of the application. The company needs a solution with the shortest time to failover.

  Which solution will meet these requirements?

  A. Create Amazon Route 53 A records that have the same name for each endpoint. Use a latency routing policy. Associate a health check with each record.

  B. Create Amazon Route 53 A records that have the same name for each endpoint. Use a failover routing policy. Associate a health check with each record.

  C. Create an AWS Global Accelerator standard accelerator. Create an endpoint group for each Region. Add a listener to the accelerator. Associate the endpoint group with the listener.

  D. Create Amazon Route 53 A records that have the same name for each endpoint. Use a geolocation routing policy. Associate a health check with each record.

  Correct Answer: C

  AWS Global Accelerator is a service that helps to improve the availability and performance of applications by directing traffic through the AWS global network. It automatically routes traffic to the closest AWS Region based on the lowest

  latency for the end user.

  By creating an endpoint group for each AWS Region, the Global Accelerator can distribute traffic across multiple Regions. This means that users will be routed to the Region with the lowest latency, ensuring the best performance for their

  location.

  Adding a listener to the accelerator allows it to listen for incoming traffic and direct it to the appropriate endpoint group. The AWS Global Accelerator constantly monitors the health of the endpoints (applications) in each endpoint group. If an

  endpoint becomes unhealthy or experiences a failure, the Global Accelerator automatically reroutes traffic to a healthy instance of the application in another Region, ensuring high availability and automatic failover.

• Question 28:

  A company has an application that collects notifications from thousands of alarm systems. The notifications include alarm notifications and information notifications. The information notifications include the system arming processes, disarming processes, and sensor status.

  All notifications are kept as messages in an Amazon Simple Queue Service (Amazon SQS) queue. Amazon EC2 instances that are in an Auto Scaling group process the messages. A SysOps administrator needs to implement a solution that prioritizes alarm notifications over information notifications.

  Which solution will meet these requirements?

  A. Adjust the Auto Scaling group to scale faster when a high number of messages is in the queue.

  B. Use the Amazon Simple Notification Service (Amazon SNS) fanout feature with Amazon SQS to send the notifications in parallel to all the C2 instances

  C. Add an Amazon DynamoDB stream to accelerate the message processing

  D. Create a queue for alarm notifications and a queue for information notifications. Update the application to collect messages from the alarm notifications queue first.

  Correct Answer: D

  Option D is the correct solution to prioritize alarm notifications over information notifications. By creating separate queues for alarm notifications and information notifications, you can ensure that the messages are kept separate and can be processed independently. This approach allows you to prioritize the alarm notifications by having the application collect messages from the alarm notifications queue first.

• Question 29:

  A company's SysOps administrator manages a fleet of hundreds of Amazon EC2 instances that run Windows-based workloads and Linux-based workloads. Each EC2 instance has a tag that identifies its operating system. All the EC2 instances run AWS Systems Manager Session Manager.

  A zero-day vulnerability is reported, and no patches are available. The company's security team provides code for all the relevant operating systems to reduce the risk of the vulnerability. The SysOps administrator needs to implement the code on the EC2 instances and must provide a report that shows that the code has successfully run on all the instances.

  What should the SysOps administrator do to meet these requirements as quickly as possible?

  A. Use Systems Manager Run Command. Choose either the AWS-RunShellScript document or the AWS-RunPowerShellScript document. Configure Run Command with the code from the security team. Specify the operating system tag in the Targets parameter. Run the command. Provide the command history's evidence to the security team.

  B. Create an AWS Lambda function that connects to the EC2 instances through Session Manager. Configure the Lambda function to identify the operating system, run the code from the security team, and return the results to an Amazon RDS DB instance. Query the DB instance for the results. Provide the results as evidence to the security team.

  C. Log on to each EC2 instance. Run the code from the security team on each EC2 instance. Copy and paste the results of each run into a single spreadsheet. Provide the spreadsheet as evidence to the security team.

  D. Update the launch templates of the EC2 instances to include the code from the security team in the user data. Relaunch the EC2 instances by using the updated launch templates. Retrieve the EC2 instance logs of each instance. Provide the EC2 instance logs as evidence to the security team.

  Correct Answer: A

  The AWS Systems Manager Run Command allows the SysOps administrator to execute commands on multiple EC2 instances simultaneously, which is crucial for managing a large fleet of instances efficiently. By using the AWS-RunShellScript or AWS-RunPowerShellScript documents, the SysOps administrator can run the code provided by the security team on both Windows-based and Linux-based instances, as required. The SysOps administrator can specify the operating system tag as a target parameter, ensuring that the code is only executed on the relevant instances, which saves time and prevents errors. AWS Systems Manager keeps a history of Run Command executions, providing an easy way to provide evidence to the security team that the code has successfully run on all instances.

• Question 30:

  A company needs to deploy instances of an application and associated infrastructure to multiple AWS Regions. The company wants to use a single AWS CloudFormation template to achieve this goal. The company uses AWS Organizations and wants to administer and run this template from a central administration account.

  What should a SysOps administrator do to meet these requirements?

  A. Create a CloudFormation template that is stored in Amazon S3. Configure Cross-Region Replication (CRR) on the S3 bucket. Reference the required accounts and remote Regions in the input template parameters.

  B. In the central administration account, create a CloudFormation primary template that loads CloudFormation nested stacks from Amazon S3 buckets in the target Regions.

  C. Create CloudFormation nested stacks by using a primary template in the central administration account. Configure the required accounts and Regions for deployment of the nested stacks.

  D. Create a CloudFormation stack set that includes service-managed permissions. Deploy the stack set into the required accounts and Regions from the central administration account.

  Correct Answer: D

  Using CloudFormation stack sets with service-managed permissions is the recommended approach when you need to deploy CloudFormation stacks to multiple AWS accounts and/or regions from a central administration account. Stack sets simplify the process of deploying and managing infrastructure across multiple accounts and regions, ensuring consistency and ease of administration