SOA-C02 Exam Details

  • Exam Code: SOA-C02
  • Exam Name: AWS Certified SysOps Administrator - Associate (SOA-C02)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 657 Q&As
  • Last Updated: Oct 14, 2025

Amazon SOA-C02 Online Questions & Answers

  • Question 341:

    A manufacturing company uses an Amazon RDS DB instance to store inventory of all stock items. The company maintains several AWS Lambda functions that interact with the database to add, update, and delete items. The Lambda functions use hardcoded credentials to connect to the database.

    A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days.

    Which solution will meet these requirements in the MOST operationally efficient manner?

    A. Store the database password as an environment variable for each Lambda function. Create a new Lambda function that is named PasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and update the environment variable for each Lambda function.
    B. Use AWS Key Management Service (AWS KMS) to encrypt the database password and to store the encrypted password as an environment variable for each Lambda function. Grant each Lambda function access to the KMS key so that the database password can be decrypted when required. Create a new Lambda function that is named PasswordRotate to change the password every 30 days.
    C. Use AWS Secrets Manager to store credentials for the database. Create a Secrets Manager secret, and select the database so that Secrets Manager will use a Lambda function to update the database password automatically. Specify an automatic rotation schedule of 30 days. Update each Lambda function to access the database password from Secrets Manager.
    D. Use AWS Systems Manager Parameter Store to create a secure string to store credentials for the database. Create a new Lambda function called PasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and to update the secret within Parameter Store. Update each Lambda function to access the database password from Parameter Store.

  • Question 342:

    A company wants to monitor the security groups of its Amazon EC2 instances to ensure that SSH is not open to the public. If the port is opened, the company needs to close the port as soon as possible. Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)

    A. Add an Amazon CloudWatch alarm to detect the security groups that allow SSH.
    B. Add an AWS Config rule to detect the security groups that allow SSH.
    C. Add an assessment template to Amazon Inspector to detect the security groups that allow SSH.
    D. Call an AWS Systems Manager Automation runbook to close the port.
    E. Call AWS Systems Manager Run Command to close the port.

  • Question 343:

    A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:

    2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK

    What is a possible cause of these failed connections?

    A. A security group is denying traffic on port 443.
    B. The EC2 instance is shut down.
    C. The network ACL is blocking HTTPS traffic.
    D. The VPC has no internet gateway attached.

  • Question 344:

    A company is expanding globally and needs to back up data on Amazon Elastic Block Store (Amazon EBS) volumes to a different AWS Region. Most of the EBS volumes that store the data are encrypted, but some of the EBS volumes are unencrypted. The company needs the backup data from all the EBS volumes to be encrypted.

    Which solution will meet these requirements with the LEAST management overhead?

    A. Configure a lifecycle policy in Amazon Data Lifecycle Manager (Amazon DLM) to create the EBS volume snapshots with cross-Region backups enabled. Encrypt the snapshot copies by using AWS Key Management Service (AWS KMS).
    B. Create a point-in-time snapshot of the EBS volumes. When the snapshot status is COMPLETED, copy the snapshots to another Region and set the Encrypted parameter to False.
    C. Create a point-in-time snapshot of the EBS volumes. Copy the snapshots to an Amazon S3 bucket that uses server-side encryption. Turn on S3 Cross-Region Replication on the S3 bucket.
    D. Schedule an AWS Lambda function with the Python runtime. Configure the Lambda function to create the EBS volume snapshots, encrypt the unencrypted snapshots, and copy the snapshots to another Region.

  • Question 345:

    A developer creates an AWS Lambda function that runs when an object is put into an Amazon S3 bucket. The function reformats the object and places the object back into the S3 bucket. During testing, the developer notices a recursive invocation loop. The developer asks a SysOps administrator to immediately stop the recursive invocations.

    What should the SysOps administrator do to stop the loop without errors?

    A. Delete all the objects from the S3 bucket.
    B. Set the function's reserved concurrency to 0.
    C. Update the S3 bucket policy to deny access for the function.
    D. Publish a new version of the function.

  • Question 346:

    A company has an existing web application that runs on two Amazon EC2 instances behind an Application Load Balancer (ALB) across two Availability Zones. The application uses an Amazon RDS Multi-AZ DB instance. Amazon Route 53 record sets route requests for dynamic content to the load balancer and requests for static content to an Amazon S3 bucket. Site visitors are reporting extremely long loading times.

    Which actions should be taken to improve the performance of the website? (Select TWO.)

    A. Add Amazon CloudFront caching for static content.
    B. Change the load balancer listener from HTTPS to TCP.
    C. Enable Amazon Route 53 latency-based routing.
    D. Implement Amazon EC2 Auto Scaling for the web servers.
    E. Move the static content from Amazon S3 to the web servers.

  • Question 347:

    A software development company has multiple developers who work on the same product. Each developer must have their own development environment, and these development environments must be identical. Each development environment consists of Amazon EC2 instances and an Amazon RDS DB instance. The development environments should be created only when necessary, and they must be terminated each night to minimize costs.

    What is the MOST operationally efficient solution that meets these requirements?

    A. Provide developers with access to the same AWS CloudFormation template so that they can provision their development environment when necessary. Schedule a nightly cron job on each development instance to stop all running processes to reduce CPU utilization to nearly zero.
    B. Provide developers with access to the same AWS CloudFormation template so that they can provision their development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to delete the AWS CloudFormation stacks.
    C. Provide developers with CLI commands so that they can provision their own development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to terminate all EC2 instances and the DB instance.
    D. Provide developers with CLI commands so that they can provision their own development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to cause AWS CloudFormation to delete all of the development environment resources.

  • Question 348:

    A SysOps administrator wants to protect objects in an Amazon S3 bucket from accidental overwrite and deletion. Noncurrent objects must be kept for 90 days and then must be permanently deleted. Objects must reside within the same AWS Region as the original S3 bucket.

    Which solution meets these requirements?

    A. Create an Amazon Data Lifecycle Manager (Amazon DLM) lifecycle policy for the S3 bucket. Add a rule to the lifecycle policy to delete noncurrent objects after 90 days.
    B. Create an AWS Backup policy for the S3 bucket. Create a backup rule that includes a lifecycle to expire noncurrent objects after 90 days.
    C. Enable S3 Cross-Region Replication on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
    D. Enable S3 Versioning on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.

  • Question 349:

    A SysOps administrator configured VPC flow logs by using the default format. The SysOps administrator specified Amazon CloudWatch Logs as the destination. This solution has worked successfully for several months. However, because of additional troubleshooting requirements, the SysOps administrator needs to include the tcp-flags field on the flow logs.

    What should the SysOps administrator do to meet this requirement?

    A. Create a new flow log. Include the tcp-flags field in the custom log format. Delete the original flow log.
    B. In the CloudWatch Logs log group, modify the filter to include the tcp-flags field and the type field.
    C. In CloudWatch Metrics, modify the metric configuration to include the tcp-flags field.
    D. Modify the existing flow log. Include the tcp-flags field and the type field in the custom log format. Save the configuration.

  • Question 350:

    A SysOps administrator is creating two AWS CloudFormation templates. The first template will create a VPC with associated resources, such as subnets, route tables, and an internet gateway. The second template will deploy application resources within the VPC that was created by the first template. The second template should refer to the resources created by the first template.

    How can this be accomplished with the LEAST amount of administrative effort?

    A. Add an export field to the outputs of the first template and import the values in the second template.
    B. Create a custom resource that queries the stack created by the first template and retrieves the required values.
    C. Create a mapping in the first template that is referenced by the second template.
    D. Input the names of resources in the first template and refer to those names in the second template as a parameter.
