Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 401:

  A company has an Amazon RDS DB instance. The company wants to implement a caching service while maintaining high availability. Which combination of actions will meet these requirements? (Choose two.)

  A. Add Auto Discovery to the data store.

  B. Create an Amazon ElastiCache for Memcached data store.

  C. Create an Amazon ElastiCache for Redis data store.

  D. Enable Multi-AZ for the data store.

  E. Enable Multi-threading for the data store.

  Correct Answer: CD

  multi-thread is related to performance.

  https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html#AutoFailover.Enable

  https://aws.amazon.com/elasticache/memcached/

  https://aws.amazon.com/elasticache/redis/

• Question 402:

  A company has attached the following policy to an IAM user:

  

  Which of the following actions are allowed for the IAM user?

  A. Amazon RDS DescribeDBInstances action in the us-east-1 Region

  B. Amazon S3 Putobject operation in a bucket named testbucket

  C. Amazon EC2 Describe Instances action in the us-east-1 Region

  D. Amazon EC2 AttachNetworkinterf ace action in the eu-west-1 Region

  Correct Answer: C

• Question 403:

  A company is using Amazon Elastic Container Sen/ice (Amazon ECS) to run a containerized application on Amazon EC2 instances. A SysOps administrator needs to monitor only traffic flows between the ECS tasks. Which combination of steps should the SysOps administrator take to meet this requirement? (Select TWO.)

  A. Configure Amazon CloudWatch Logs on the elastic network interface of each task.

  B. Configure VPC Flow Logs on the elastic network interface of each task.

  C. Specify the awsvpc network mode in the task definition.

  D. Specify the bridge network mode in the task definition.

  E. Specify the host network mode in the task definition.

  Correct Answer: BC

  The awsvpc network mode also provides greater security for your containers by enabling you to use security groups and network monitoring tools at a more granular level within your tasks. Because each task gets its own elastic network interface (ENI), you can also use other Amazon EC2 networking features such as VPC Flow Logs to monitor traffic to and from your tasks. Additionally, containers that belong to the same task can communicate over the localhost interface.

• Question 404:

  A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created. What should a SysOps administrator do to meet this requirement?

  A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.

  B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.

  C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.

  D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.

  Correct Answer: B

  B. Compliance mode is required for this situation. Comparison and reference below:

  https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html

  In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant

  some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.

  In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention

  period can't be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.

• Question 405:

  A company wants to archive sensitive data on Amazon S3 Glacier. The company's regulatory and compliance requirements do not allow any modifications to the data by any account.

  Which solution meets these requirements?

  A. Attach a vault lock policy to an S3 Glacier vault that contains the archived data. Use the lock ID to validate the vault lock policy after 24 hours.

  B. Attach a vault lock policy to an S3 Glacier vault that contains the archived data. Use the lock ID to validate the vault lock policy within 24 hours.

  C. Configure S3 Object Lock in governance mode. Upload all files after 24 hours.

  D. Configure S3 Object Lock in governance mode. Upload all files within 24 hours.

  Correct Answer: B

  While the policy is in the in-progress state, you have 24 hours to validate your Vault Lock policy before the lock ID expires. To prevent your vault from exiting the in-progress state, you must complete the Vault Lock process within these 24 hours. Otherwise, your Vault Lock policy will be deleted. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html#vault-lock-overview

• Question 406:

  A SysOps administrator is testing an application mat is hosted on five Amazon EC2 instances The instances run in an Auto Scaling group behind an Application Load Balancer (ALB) High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out.

  Which action should the SysOps administrator take to meet these requirements?

  A. Enable instance scale-in protection.

  B. Place the instance into the Standby stale.

  C. Remove the listener from the ALB

  D. Suspend the Launch and Terminate process types.

  Correct Answer: D

  Placing the instance into the Standby state (answer B) would remove the instance from the ALB target group, which would prevent it from receiving traffic.

  The answer is D, because you need Suspend the Launch and Terminate process so that you can troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out.

  # Suspend ALB Launch and Terminate processes to inhibit scale-in/scale-out while debugging root cause of high CPU utilization

  aws autoscaling suspend-processes --auto-scaling-group-name my-asg --scaling-processes Launch Terminate

  https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html

• Question 407:

  A company hosts a web portal on Amazon EC2 instances. The web portal uses an Elastic Load Balancer (ELB) and Amazon Route 53 for its public DNS service. The ELB and the EC2 instances are deployed by way of a single AWS CloudFormation stack in the us-east- 1 Region. The web portal must be highly available across multiple Regions.

  Which configuration will meet these requirements?

  A. Deploy a copy of the stack in the us-west-2 Region. Create a single start of authority (SOA) record in Route 53 that includes the IP address from each ELB. Configure the SOA record with health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record.

  B. Deploy a copy of the stack in the us-west-2 Region. Create an additional A record in Route 53 that includes the ELB in us-west-2 as an alias target. Configure the A records with a failover routing policy and health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record.

  C. Deploy a new group of EC2 instances in the us-west-2 Region. Associate the new EC2 instances with the existing ELB, and configure load balancer health checks on all EC2 instances. Configure the ELB to update Route 53 when EC2 instances in us-west-2 fail health checks.

  D. Deploy a new group of EC2 instances in the us-west-2 Region. Configure EC2 health checks on all EC2 instances in each Region. Configure a peering connection between the VPCs. Use the VPC in us-east-1 as the primary record and the VPC in us-west-2 as the secondary record.

  Correct Answer: B

  When you create a hosted zone, Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html#migrate-dns-create-hosted-zone https://en.wikipedia.org/wiki/SOA_record

• Question 408:

  A company's SysOps administrator needs to change the AWS Support plan for one of the company's AWS accounts. The account has multi-factor authentication (MFA) activated, and the MFA device is lost.

  What should the SysOps administrator do to sign in?

  A. Sign in as a root user by using email and phone verification. Set up a new MFA device. Change the root user password.

  B. Sign in as an 1AM user with administrator permissions. Resynchronize the MFA token by using the 1AM console.

  C. Sign in as an 1AM user with administrator permissions. Reset the MFA device for the root user by adding a new device.

  D. Use the forgot-password process to verify the email address. Set up a new password and MFA device.

  Correct Answer: A

  The SysOps administrator needs to sign in as the root user to change the AWS Support plan. Since the MFA device is lost, the administrator can sign in by using email and phone verification. After signing in, the administrator should set up a new MFA device and change the root user password for security reasons. It is generally recommended to use IAM users with limited permissions instead of root user accounts. However, in this case, since the support plan needs to be changed, the root user account is necessary. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html

• Question 409:

  A SysOps administrator noticed that a large number of Elastic IP addresses are being created on the company's AWS account, but they are not being associated with Amazon EC2 instances, and are incurring Elastic IP address charges in the monthly bill.

  How can the administrator identify who is creating the Elastic IP addresses?

  A. Attach a cost-allocation tag to each requested Elastic IP address with the IAM user name of the developer who creates it.

  B. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events.

  C. Create a CloudWatch alarm on the ElPCreated metric and send an Amazon SNS notification when the alarm triggers.

  D. Use Amazon Inspector to get a report of all Elastic IP addresses created in the last 30 days.

  Correct Answer: B

• Question 410:

  A company wants to track its AWS costs in all member accounts that are part of an organization in AWS Organizations. Managers of the member accounts want to receive a notification when the estimated costs exceed a predetermined amount each month. The managers are unable to configure a billing alarm. The IAM permissions for all users are correct.

  What could be the cause of this issue?

  A. The management/payer account does not have billing alerts turned on.

  B. The company has not configured AWS Resource Access Manager (AWS RAM) to share billing information between the member accounts and the management/payer account.

  C. Amazon GuardDuty is turned on for all the accounts.

  D. The company has not configured an AWS Config rule to monitor billing.

  Correct Answer: A