A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private subnets. The company's security policy requires all EC2 instances to be deployed in private subnets.
What should a SysOps administrator do to meet these requirements?
A. Add an internet gateway to the VPC. In the route table for the private subnets, add a route to the internet gateway.
B. Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway.
C. Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
D. Add two internet gateways to the VPC. In the route tables for the private subnets and public subnets, add a route to each internet gateway.

C. Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
The application needs to be able to download updates from the internet, but it's running on EC2 instances in a private subnet. Private subnets do not have direct access to the internet. A NAT gateway allows instances in a private subnet to connect to the internet or other AWS services but prevents the internet from initiating a connection with those instances.
Question 382:
A company runs its entire suite of applications on Amazon EC2 instances. The company plans to move the applications to containers and AWS Fargate. Within 6 months, the company plans to retire its EC2 instances and use only Fargate.
The company has been able to estimate its future Fargate costs.
A SysOps administrator needs to choose a purchasing option to help the company minimize costs. The SysOps administrator must maximize any discounts that are available and must ensure that there are no unused reservations.
Which purchasing option will meet these requirements?
A. Compute Savings Plans for 1 year with the No Upfront payment option
B. Compute Savings Plans for 1 year with the Partial Upfront payment option
C. EC2 Instance Savings Plans for 1 year with the All Upfront payment option
D. EC2 Reserved Instances for 1 year with the Partial Upfront payment option

B. Compute Savings Plans for 1 year with the Partial Upfront payment option
Given the company's plan to move to Fargate within 6 months and retire EC2 instances, it might be more cost-efficient to choose Option A (No Upfront payment). This way, the company avoids any upfront commitment and can easily transition to Fargate without being tied to EC2 instances. Savings Plans apply to both EC2 and Fargate, making it a suitable option for the planned migration.
Question 383:
A company updates its security policy to clarify cloud hosting arrangements for regulated workloads. Workloads that are identified as sensitive must run on hardware that is not shared with other customers or with other AWS accounts within the company.
Which solution will ensure compliance with this policy?
A. Deploy workloads only to Dedicated Hosts.
B. Deploy workloads only to Dedicated Instances.
C. Deploy workloads only to Reserved Instances.
D. Place all instances in a dedicated placement group.

A. Deploy workloads only to Dedicated Hosts.
Explanation: The solution that will ensure compliance with the policy is to deploy workloads only to Dedicated Hosts. This is because Dedicated Hosts provide physical isolation between instances that belong to different accounts or different parts of the same account. By deploying workloads to Dedicated Hosts, the company can ensure that sensitive workloads are not sharing hardware with other customers or with other accounts within the company. Deploying workloads only to Dedicated Instances, on the other hand, does not provide the same level of isolation as Dedicated Hosts because the underlying hardware is still shared with other instances from the same account.
Question 384:
A SysOps administrator needs to monitor Amazon DynamoDB usage across a company's AWS accounts. The accounts are in an organization with all features enabled in AWS Organizations. The company recently experienced write throttling on a DynamoDB table after the company breached the AccountProvisionedWriteCapacityUnits quota in a member account.
The SysOps administrator must create alarms to monitor DynamoDB provisioned write capacity units (WCUs) and quota usage in each account. The SysOps administrator must manage and view the alarms from a single monitoring account.
Which combination of steps will meet these requirements? (Select TWO.)
A. Configure an Amazon CloudWatch delegated administrator from the organization's management account.
B. Configure the monitoring account to accept metrics from source accounts. Link each source account to the monitoring account.
C. Create a metric stream in each source account by using an Amazon Data Firehose stream. Configure the monitoring account to accept metrics from the Firehose stream in the source accounts.
D. Create two Amazon CloudWatch alarms in the monitoring account. Use the AccountProvisionedWriteCapacityUnits metric for the first alarm. Specify a math expression that uses the SERVICE_QUOTA() function as a new metric for the second alarm.
E. Create two Amazon CloudWatch alarms in every account. Use the ProvisionedWriteCapacityUnits metric for the first alarm. Specify a math expression that uses the SERVICE_QUOTA() function as a new metric for the second alarm.

A. Configure an Amazon CloudWatch delegated administrator from the organization's management account.
E. Create two Amazon CloudWatch alarms in every account. Use the ProvisionedWriteCapacityUnits metric for the first alarm. Specify a math expression that uses the SERVICE_QUOTA() function as a new metric for the second alarm.
Question 385:
A company has an AWS CloudFormation template that creates an Amazon S3 bucket. A user authenticates to the corporate AWS account with their Active Directory credentials and attempts to deploy the CloudFormation template. However, the stack creation fails.
Which factors could cause this failure? (Select TWO.)
A. The user's IAM policy does not allow the cloudformation:CreateStack action.
B. The user's IAM policy does not allow the cloudformation:CreateStackSet action.
C. The user's IAM policy does not allow the s3:CreateBucket action.
D. The user's IAM policy explicitly denies the s3:ListBucket action.
E. The user's IAM policy explicitly denies the s3:PutObject action.

A. The user's IAM policy does not allow the cloudformation:CreateStack action.
C. The user's IAM policy does not allow the s3:CreateBucket action.
Question 386:
A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA.
What additional step must be taken to ensure that API calls are authenticated using MFA?
A. Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.
B. Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.
C. Restrict the IAM users to use of the console, as MFA is not supported for CLI use.
D. Require users to use temporary credentials from the get-session-token command to sign API calls.

D. Require users to use temporary credentials from the get-session-token command to sign API calls.
Explanation: The most appropriate step to ensure that API calls are authenticated using MFA is to require users to use temporary credentials from the get-session-token command to sign API calls. This is because the get-session-token command returns temporary security credentials consisting of an access key ID, a secret access key, and a session token that are valid only for a limited period of time. These credentials can be used to make API calls with MFA authentication.
Question 387:
A company is using AWS to deploy a critical application on a fleet of Amazon EC2 instances. The company is rewriting the application because the application failed a security review. The application will take 12 months to rewrite. While this rewrite happens, the company needs to rotate IAM access keys that the application uses.
A SysOps administrator must implement an automated solution that finds and rotates IAM access keys that are at least 30 days old. The solution must then continue to rotate the IAM access keys every 30 days.
Which solution will meet this requirement with the MOST operational efficiency?
A. Use an AWS Config rule to identify IAM access keys that are at least 30 days old. Configure AWS Config to invoke an AWS Systems Manager Automation runbook to rotate the identified IAM access keys.
B. Use AWS Trusted Advisor to identify IAM access keys that are at least 30 days old. Configure Trusted Advisor to invoke an AWS Systems Manager Automation runbook to rotate the identified IAM access keys.
C. Create a script that checks the age of IAM access keys and rotates them if they are at least 30 days old. Launch an EC2 instance. Schedule the script to run as a cron expression on the EC2 instance every day.
D. Create an AWS Lambda function that checks the age of IAM access keys and rotates them if they are at least 30 days old. Use an Amazon EventBridge rule to invoke the Lambda function every time a new IAM access key is created.

D. Create an AWS Lambda function that checks the age of IAM access keys and rotates them if they are at least 30 days old. Use an Amazon EventBridge rule to invoke the Lambda function every time a new IAM access key is created.
Lambda Function to Rotate IAM Access Keys: A Lambda function can be used to automate the rotation of IAM access keys based on their age.
Amazon EventBridge Rule: EventBridge can trigger the Lambda function periodically and when a new key is created.
Rotating Access Keys for IAM Users, Amazon EventBridge
Question 388:
A SysOps administrator needs to monitor a process that runs on Linux Amazon EC2 instances. If the process stops, the process must restart automatically. The Amazon CloudWatch agent is already installed on all the EC2 instances. Which solution will meet these requirements?
A. Add a procstat monitoring configuration to the CloudWatch agent for the process. Create an Amazon EventBridge event rule that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
B. Add a StatsD monitoring configuration to the CloudWatch agent for the process. Create a CloudWatch alarm that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
C. Add a StatsD monitoring configuration to the CloudWatch agent for the process. Create an Amazon EventBridge event rule that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
D. Add a procstat monitoring configuration to the CloudWatch agent for the process. Create a CloudWatch alarm that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.

A. Add a procstat monitoring configuration to the CloudWatch agent for the process. Create an Amazon EventBridge event rule that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
Question 389:
A company is undergoing an external audit of its systems, which run wholly on AWS. A SysOps administrator must supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS.
Which set of actions should the SysOps administrator take to meet this requirement?
A. Download the applicable reports from the AWS Artifact portal and supply these to the auditors.
B. Download complete copies of the AWS CloudTrail log files and supply these to the auditors.
C. Download complete copies of the AWS CloudWatch logs and supply these to the auditors.
D. Provide the auditors with administrative access to the production AWS account so that the auditors can determine compliance.

A. Download the applicable reports from the AWS Artifact portal and supply these to the auditors.
Explanation: The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
Question 390:
A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones.
There are two instances in each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency.
Which solution will meet these requirements?
A. Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.
B. Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.
C. Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.
D. Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.

D. Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.
A mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file system. You mount your file system using its Domain Name Service (DNS) name, which resolves to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance. You can create one mount target in each Availability Zone in an AWS Region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets. Then all EC2 instances in that Availability Zone share that mount target.
https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html