Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 351:

  A company plans to migrate several of its high performance computing (MPC) virtual machines (VMs) to Amazon EC2 instances on AWS. A SysOps administrator must identify a placement group for this deployment. The strategy must minimize network latency and must maximize network throughput between the HPC VMs.

  Which strategy should the SysOps administrator choose to meet these requirements?

  A. Deploy the instances in a cluster placement group in one Availability Zone.

  B. Deploy the instances in a partition placement group in two Availability Zones

  C. Deploy the instances in a partition placement group in one Availability Zone

  D. Deploy the instances in a spread placement group in two Availably Zones

  Correct Answer: A

  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

• Question 352:

  A SysOps administrator must create a solution that automatically shuts down any Amazon EC2 instances that have less than 10% average CPU utilization for 60 minutes or more.

  Which solution will meet this requirement In the MOST operationally efficient manner?

  A. Implement a cron job on each EC2 instance to run once every 60 minutes and calculate the current CPU utilization. Initiate an instance shutdown If CPU utilization is less than 10%.

  B. Implement an Amazon CloudWatch alarm for each EC2 instance to monitor average CPU utilization. Set the period at 1 hour, and set the threshold at 10%. Configure an EC2 action on the alarm to stop the instance.

  C. Install the unified Amazon CloudWatch agent on each EC2 instance, and enable the Basic level predefined metric set. Log CPU utilization every 60 minutes, and initiate an instance shutdown if CPU utilization is less than 10%.

  D. Use AWS Systems Manager Run Command to get CPU utilization from each EC2 instance every 60 minutes. Initiate an instance shutdown if CPU utilization is less than 10%.

  Correct Answer: B

  https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.ht ml

• Question 353:

  With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?

  A. Deny Post. Put. and Delete on the bucket.

  B. Enable server-side encryption on the bucket.

  C. Enable Amazon S3 versioning on the bucket.

  D. Enable snapshots on the bucket.

  Correct Answer: B

• Question 354:

  A SysOos administrator s tasked with analyzing database performance. The database runs on a single Amazon RDS D6 instance. The SysOps administrator finds that, during times of peak traffic, resources on the database are over utilized due to the amount of read traffic.

  Which actions should the SysOps administrator take to improve RDS performance? (Select TWO.)

  A. Add a read replica.

  B. Modify the application to use Amazon ElastiCache for Memcached.

  C. Migrate the database from RDS to Amazon DynamoDB.

  D. Migrate the database to Amazon EC2 with enhanced networking enabled

  E. Upgrade the database to a Multi-AZ deployment.

  Correct Answer: AB

  A. Adding a read replica can offload read traffic from the primary RDS instance to the replica, thus improving performance during times of peak traffic.

  B. Amazon ElastiCache for Memcached is an in-memory data store that can be used to improve read performance.

• Question 355:

  A company stores files on 50 Amazon S3 buckets in the same AWS Region The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances The company needs a solution that produces no additional cost

  Which solution will meet these requirements?

  A. Create a gateway VPC endpoint lor each S3 bucket Attach the gateway VPC endpoints to each subnet inside the VPC

  B. Create an interface VPC endpoint (or each S3 bucket Attach the interface VPC endpoints to each subnet inside the VPC

  C. Create one gateway VPC endpoint for all the S3 buckets Add the gateway VPC endpoint to the VPC route table

  D. Create one interface VPC endpoint for all the S3 buckets Add the interface VPC endpoint to the VPC route table

  Correct Answer: C

  A gateway VPC endpoint allows you to connect to Amazon S3 from your VPC without requiring an internet gateway, NAT gateway, or VPN connection. It provides a private connection to Amazon S3 over your Amazon VPC using Amazon's private network. Since the company wants to connect to 50 Amazon S3 buckets securely over a private connection from its Amazon EC2 instances in the same AWS Region, creating one gateway VPC endpoint for all the S3 buckets is the most efficient and cost-effective solution. By creating one gateway VPC endpoint, you can connect to all S3 buckets in the same Region without the need to create multiple VPC endpoints for each bucket, thus reducing complexity and avoiding additional costs One gateway endpoint and specific bucket access point https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3

• Question 356:

  A development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data.

  Which AWS service will mitigate this issue?

  A. AWS Shield Standard

  B. AWS WAF

  C. Elastic Load Balancing

  D. Amazon Cognito

  Correct Answer: B

  https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-xss-match.html

• Question 357:

  A company wants to build a solution for its business-critical Amazon RDS for MySQL database. The database requires high availability across different geographic locations. A SysOps administrator must build a solution to handle a disaster recovery (DR) scenario with the lowest recovery time objective (RTO) and recovery point objective (RPO).

  Which solution meets these requirements?

  A. Create automated snapshots of the database on a schedule. Copy the snapshots to the DR Region.

  B. Create a cross-Region read replica for the database.

  C. Create a Multi-AZ read replica for the database.

  D. Schedule AWS Lambda functions to create snapshots of the source database and to copy the snapshots to a DR Region.

  Correct Answer: B

• Question 358:

  A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin.

  The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution.

  What should a SysOps administrator do to resolve this problem?

  A. Examine the expiration date on the certificate on the origin site. Validate that the certificate has not expired. Replace the certificate if necessary.

  B. Examine the hostname on the certificate on the origin site. Validate that the hostname matches one of the hostnames on the CloudFront distribution. Replace the certificate if necessary.

  C. Examine the firewall rules that are associated with the origin server. Validate that port 443 is open for inbound traffic from the internet. Create an inbound rule if necessary.

  D. Examine the network ACL rules that are associated with the CloudFront distribution. Validate that port 443 is open for outbound traffic to the origin server. Create an outbound rule if necessary.

  Correct Answer: A

  HTTP 502 errors from CloudFront can occur because of the following reasons:

  There's an SSL negotiation failure because the origin is using SSL/TLS protocols and ciphers that aren't supported by CloudFront.

  There's an SSL negotiation failure because the SSL certificate on the origin is expired or invalid, or because the certificate chain is invalid. There's a host header mismatch in the SSL negotiation between your CloudFront distribution and the

  custom origin.

  The custom origin isn't responding on the ports specified in the origin settings of the CloudFront distribution.

  The custom origin is ending the connection to CloudFront too quickly.

  https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cloudfront-connection-error/

• Question 359:

  A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are going directly to the S3 bucket by using the website hosting endpoint. A SysOps administrator must secure the S3 bucket to allow requests only from CloudFront.

  What should the SysOps administrator do to meet this requirement?

  A. Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Remove access to and from other principals in the S3 bucket policy. Update the S3 bucket policy to allow access only from the OAI.

  B. Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Update the S3 bucket policy to allow access only from the OAI. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.

  C. Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Update the S3 bucket policy to allow access only from the OAI. Disable website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.

  D. Update the S3 bucket policy to allow access only from the CloudFront distribution. Remove access to and from other principals in the S3 bucket policy. Disable website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.

  Correct Answer: A

• Question 360:

  A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon FC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.

  Which solution will meet this requirement?

  A. Create a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance

  B. Use VPC flow logs with Amazon Athena to block traffic to the external IP address

  C. Create a network ACL Add an outbound deny rule tor traffic to the external IP address

  D. Create a new security group to block traffic to the external IP address Assign the new security group to the entire VPC

  Correct Answer: C

  Network Access Control Lists (NACLs) are used to control the traffic entering and exiting subnets in a VPC. They operate at the subnet level and are stateless, meaning that both inbound and outbound rules must be explicitly defined. By adding an outbound deny rule for traffic to the specific external IP address identified by GuardDuty, you can block any communication from the EC2 instance to that IP address.