Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 291:

  A company has a new requirement stating that all resources In AWS must be tagged according to a set policy.

  Which AWS service should be used to enforce and continually Identify all resources that are not in compliance with the policy?

  A. AWS CloudTrail

  B. Amazon Inspector

  C. AWS Config

  D. AWS Systems Manager

  Correct Answer: C

• Question 292:

  A company needs to archive all audit logs for 10 years. The company must protect the logs from any future edits. Which solution will meet these requirements?

  A. Store the data in an Amazon Elastic Block Store (Amazon EBS) volume. Configure AWS Key Management Service (AWS KMS) encryption.

  B. Store the data in an Amazon S3 Glacier vault. Configure a vault lock policy for write- once, read-many (WORM) access.

  C. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Configure server-side encryption.

  D. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Configure multi-factor authentication (MFA).

  Correct Answer: B

  To meet the requirements of the workload, a company should store the data in an Amazon S3 Glacier vault and configure a vault lock policy for write-once, read-many (WORM) access. This will ensure that the data is stored securely and cannot be edited in the future. The other solutions (storing the data in an Amazon Elastic Block Store (Amazon EBS) volume and configuring AWS Key Management Service (AWS KMS) encryption, storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring server-side encryption, or storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring multi-factor authentication (MFA)) will not meet the requirements, as they do not provide a way to protect the audit logs from future edits. https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/userguide/object-lock.html

• Question 293:

  A development team recently deployed a new version of a web application to production After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data. Which AWS service will mitigate this issue?

  A. AWS Shield Standard

  B. AWS WAF

  C. Elastic Load Balancing

  D. Amazon Cognito

  Correct Answer: B

  https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

• Question 294:

  A SysOps administrator is using AWS Systems Manager Patch Manager to patch a fleet of Amazon EC2 instances. The SysOps administrator has configured a patch baseline and a maintenance window. The SysOps administrator also has used an instance tag to identify which instances to patch.

  The SysOps administrator must give Systems Manager the ability to access the EC2 instances. Which additional action must the SysOps administrator perform to meet this requirement?

  A. Add an inbound rule to the instances' security group.

  B. Attach an 1AM instance profile with access to Systems Manager to the instances.

  C. Create a Systems Manager activation Then activate the fleet of instances.

  D. Manually specify the instances to patch Instead of using tag-based selection.

  Correct Answer: B

  By default, AWS Systems Manager doesn't have permission to perform actions on your instances. Grant access by using an AWS Identity and Access Management (IAM) instance profile. An instance profile is a container that passes IAM role information to an Amazon Elastic Compute Cloud (Amazon EC2) instance at launch. You can create an instance profile for Systems Manager by attaching one or more IAM policies that define the necessary permissions to a new role or to a role you already created.

  https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html

• Question 295:

  A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts. Which solution will meet these requirements?

  A. Purchase RIs in individual member accounts. Disable Rl discount sharing in the management account.

  B. Purchase RIs in individual member accounts. Disable Rl discount sharing in the member accounts.

  C. Purchase RIs in the management account. Disable Rl discount sharing in the management account.

  D. Purchase RIs in the management account. Disable Rl discount sharing in the member accounts.

  Correct Answer: A

  RI discounts apply to accounts in an organization's consolidated billing family depending upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account. The capacity reservation for an RI applies only to the account the RI was purchased on, no matter whether RI sharing is turned on or off. https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ri-consolidated-billing/

• Question 296:

  A company has a memory-intensive application that runs on a fleet of Amazon EC2 instances behind an Elastic Load Balancer (ELB). The instances run in an Auto Scaling group. A Sysops administrator must ensure that the application can scale based on the number of users that connect to the application.

  Which solution will meet these requirements?

  A. Create a scaling policy that will scale the application based on the ActiveConnectionCount Amazon CloudWatch metric that is generated from the ELB.

  B. Create a scaling policy that will scale the application based on the mem used Amazon CloudWatch metric that is generated from the ELB.

  C. Create a scheduled scaling policy to increase the number of EC2 instances in the Auto Scaling group to support additional connections.

  D. Create and deploy a script on the ELB to expose the number of connected users as a custom Amazon CloudWatch metric. Create a scaling policy that uses the metric.

  Correct Answer: A

• Question 297:

  A SysOps administrator has successfully deployed a VPC with an AWS Cloud Formation template The SysOps administrator wants to deploy me same template across multiple accounts that are managed through AWS Organizations. Which solution will meet this requirement with the LEAST operational overhead?

  A. Assume the OrganizationAccountAcccssKolc IAM role from the management account. Deploy the template in each of the accounts

  B. Create an AWS Lambda function to assume a role in each account Deploy the template by using the AWS CloudFormation CreateStack API call

  C. Create an AWS Lambda function to query fc a list of accounts Deploy the template by using the AWS Cloudformation CreateStack API call.

  D. Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts

  Correct Answer: D

  AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions

• Question 298:

  A SysOps administrator needs to secure the credentials for an Amazon RDS database that is created by an AWS CloudFormation template. The solution must encrypt the credentials and must support automatic rotation. Which solution will meet these requirements?

  A. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:secretsmanager dynamic reference.

  B. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm-secure dynamic reference.

  C. Create an AWS::SSM::Parameter resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm dynamic reference.

  D. Create parameters for the database credentials in the CloudFormation template. Use the Ref intrinsic function to provide the credentials to the AWS::RDS::DBInstance resource.

  Correct Answer: A

• Question 299:

  A company has two VPC networks named VPC A and VPC B. The VPC A CIDR block is 10.0.0.0/16 and the VPC B CIDR block is 172.31.0.0/16. The company wants to establish a VPC peering connection named pcx-12345 between both VPCs.

  Which rules should appear in the route table of VPC A after configuration? (Select TWO.)

  A. Destination: 10.0.0.0/16, Target: Local

  B. Destination: 172.31.0.0/16, Target: Local

  C. Destination: 10.0.0.0/16, Target: pcx-12345

  D. Destination: 172.31.0.0/16, Target: pcx-12345

  E. Destination: 10.0.0.0/16. Target: 172.31.0.0/16

  Correct Answer: AD

  https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html

• Question 300:

  A company needs to automatically monitor an AWS account for potential unauthorized AWS Management Console logins from multiple geographic locations. Which solution will meet this requirement?

  A. Configure Amazon Cognito to detect any compromised 1AM credentials.

  B. Set up Amazon Inspector. Scan and monitor resources for unauthorized logins.

  C. Set up AWS Config. Add the iam-policy-blacklisted-check managed rule to the account.

  D. Configure Amazon GuardDuty to monitor the UnauthorizedAccess:IAMUser/ConsoleLoginSuccess finding.

  Correct Answer: D

  Guar duty IAM finding types: UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS UnauthorizedAccess:IAMUser/MaliciousIPCaller UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom UnauthorizedAccess:IAMUser/TorIPCaller