Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 431:

  A company's SysOps administrator must ensure that all Amazon EC2 Windows instances that are launched in an AWS account have a third-party agent installed. The third-party agent has an msi package. The company uses AWS Systems Manager for patching, and the Windows instances are tagged appropriately. The third-party agent required periodic updates as new versions are released. The SysOps administrator must deploy these updates automatically

  Which combination of steps will meet these requirements with the LEAST operational effort? (Seed TWO.)

  A. Create a Systems Manager Distributor package for the third-party agent.

  B. Make sure that Systems Manager Inventory Is configured. If Systems Manager Inventory is not configured, set up a new inventory tor instances that is based on the appropriate tag value for Windows.

  C. Create a Systems Manager State Manager association to run the AWS- RunRemoteScript document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day

  D. Create a Systems Manager State Manager- association to run the AWS- ConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day

  E. Create a Systems Manager Opsitem with the tag value for Windows Attach the Systems Manager Distributor package to the Opsitem. Create a maintenance window that is specific to the package deployment Configure the maintenance window to cover 24 hours a day.

  Correct Answer: AD

  Step A: Create a Systems Manager Distributor package for the third-party agent.

  Systems Manager Distributor allows you to package and distribute software and files to your instances using SSM. By creating a Distributor package for the third-party agent's .msi package, you can centrally manage its installation and

  updates across EC2 instances.

  Step D: Create a Systems Manager State Manager association to run the AWS-ConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows

  with a schedule of 1 day.

  AWS-ConfigureAWSPackage document is used to install software packages on EC2 instances. By creating a State Manager association with AWS-ConfigureAWSPackage document and specifying the instance tags based on the appropriate

  tag value for Windows, you can ensure that the third-party agent package is deployed on the instances automatically.

  https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor-working-with-packages-deploy.html

• Question 432:

  A company runs hundreds of Amazon EC2 instances in a single AWS Region. Each EC2 instance has two attached 1 GiB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volumes. A critical workload is using all the available IOPS capacity on the EBS volumes.

  According to company policy, the company cannot change instance types or EBS volume types without completing lengthy acceptance tests to validate that the company's applications will function properly. A SysOps administrator needs to increase the I/O performance of the EBS volumes as quickly as possible.

  Which action should the SysOps administrator take to meet these requirements?

  A. Increase the size of the 1 GiB EBS volumes.

  B. Add two additional elastic network interfaces on each EC2 instance.

  C. Turn on Transfer Acceleration on the EBS volumes in the Region.

  D. Add all the EC2 instances to a cluster placement group.

  Correct Answer: A

  Increasing the size of the 1 GiB EBS volumes will increase the IOPS capacity of the volumes, which will improve the I/O performance of the EBS volumes. This option does not require any changes to the instance types or EBS volume types,

  so it can be done quickly without the need for lengthy acceptance tests to validate that the company's applications will function properly.

  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/requesting-ebs-volume-modifications.html

• Question 433:

  A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances The instances all exist in the same VPC across multiple Availability Zones. There are two instances In each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency.

  Which solution will meet these requirements?

  A. Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances

  B. Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.

  C. Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.

  D. Create a mount target in each Availability Zone of the VPC Use the mount target to mount the EFS file system on the Instances in the respective Availability Zone.

  Correct Answer: D

  A mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file system. You mount your file system using its Domain Name Service (DNS) name, which resolves to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance. You can create one mount target in each Availability Zone in an AWS Region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets. Then all EC2 instances in that Availability Zone share that mount target. https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html

• Question 434:

  A company needs to create a daily Amazon Machine Image (AMI) of an existing Amazon Linux EC2 instance that hosts the operating system, application, and database on multiple attached Amazon Elastic Block Store (Amazon EBS) volumes. File system integrity must be maintained.

  Which solution will meet these requirements?

  A. Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the no-reboot parameter enabled. Create a daily scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that invokes the function.

  B. Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the reboot parameter enabled. Create a daily scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that invokes the function.

  C. Use AWS Backup to create a backup plan with a backup rule that runs daily. Assign the resource ID of the EC2 instance with the no-reboot parameter enabled.

  D. Use AWS Backup to create a backup plan with a backup rule that runs daily. Assign the resource ID of the EC2 instance with the reboot parameter enabled.

  Correct Answer: B

  https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinA MI.html "NoReboot By default, Amazon EC2 attempts to shut down and reboot the instance before creating the image. If the No Reboot option is set, Amazon EC2 doesn't shut down the instance before creating the image. When this option is used, file system integrity on the created image can't be guaranteed." Besides, we can use AWS EventBridge to invoke Lambda function https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html

• Question 435:

  A company has deployed AWS Security Hub and AWS Config in a newly implemented organization in AWS Organizations. A SysOps administrator must implement a solution to restrict all member accounts in the organization from deploying Amazon EC2 resources in the ap-southeast-2 Region. The solution must be implemented from a single point and must govern an current and future accounts. The use of root credentials also must be restricted in member accounts.

  Which AWS feature should the SysOps administrator use to meet these requirements?

  A. AWS Config aggregator

  B. IAM user permissions boundaries

  C. AWS Organizations service control policies (SCPs)

  D. AWS Security Hub conformance packs

  Correct Answer: C

• Question 436:

  A company recently purchased Savings Plans. The company wants to receive email notification when the company's utilization drops below 90% for a given day.

  Which solution will meet this requirement?

  A. Create an Amazon CloudWatch alarm to monitor the Savings Plan check in AWS Trusted Advisor. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification when the utilization drops below 90% for a given day.

  B. Create an Amazon CloudWatch alarm to monitor the SavingsPlansUtilization metric under the AWS/SavingsPlans namespace in CloudWatch. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification when the utilization drops below 90% for a given day.

  C. Create a Savings Plans alert to monitor the daily utilization of the Savings Plans. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification when the utilization drops below 90% for a given day.

  D. Use AWS Budgets to create a Savings Plans budget to track the daily utilization of the Savings Plans. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification when the utilization drops below 90% for a given day.

  Correct Answer: D

  AWS Budgets can be used to create a Savings Plans budget and track the daily utilization of the company's Savings Plans. By creating a budget, it will trigger an action when the utilization drops below 90%, which in this case will be to send an email notification via an Amazon SNS topic. This will ensure that the company is notified when their Savings Plans utilization drops below 90%, allowing them to take action if necessary. Reference: [1] https://docs.aws.amazon.com/savingsplans/latest/userguide/sp-usingBudgets.html

• Question 437:

  A company is creating a new multi-account architecture. A Sysops administrator must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 identity provider (IdP).

  What should the SysOps administrator do to meet these requirements?

  A. Configure an Amazon Cognito user pool. Integrate the user pool with the third-party IdP.

  B. Enable and configure AWS Single Sign-On with the third-party IdP.

  C. Federate the third-party IdP with AWS Identity and Access Management (IAM) for each AWS account in the organization.

  D. Integrate the third-party IdP directly with AWS Organizations.

  Correct Answer: B

  AWS Single Sign-On (AWS SSO) is an AWS service that enables you to manage access to multiple AWS accounts and business applications through a single AWS SSO portal. It is designed to work with your identity provider (IdP) using Security Assertion Markup Language (SAML) 2.0, which makes it easy to set up federation with AWS SSO. With AWS SSO, you can centrally manage users and permissions for all your AWS accounts and business applications from your AWS SSO directory. AWS SSO is integrated with AWS Organizations, which allows you to manage access to all the AWS accounts in your organization.

• Question 438:

  A company's SysOps administrator deploys a public Network Load Balancer (NLB) in front of the company's web application. The web application does not use any Elastic IP addresses. Users must access the web application by using the company's domain name. The SysOps administrator needs to configure Amazon Route 53 to route traffic to the NLB. Which solution will meet these requirements MOST cost-effectively?

  A. Create a Route 53 AAAA record for the NLB.

  B. Create a Route 53 alias record for the NLB.

  C. Create a Route 53 CAA record for the NLB.

  D. Create a Route 53 CNAME record for the NLB.

  Correct Answer: B

  A record = URL to IPv4 AAAA record = URL to IPv6 CNAME record = URL to URL (All the same, one url = Many URL's) Alias record = AWS service

• Question 439:

  A company's application currently uses an IAM role that allows all access to all AWS services. A SysOps administrator must ensure that the company's IAM policies allow only the permissions that the application requires.

  How can the SysOps administrator create a policy to meet this requirement?

  A. Turn on AWS CloudTrail. Generate a policy by using AWS Security Hub.

  B. Turn on Amazon EventBridge (Amazon CloudWatch Events). Generate a policy by using AWS Identity and Access Management Access Analyzer.

  C. Use the AWS CLI to run the get-generated-policy command in AWS Identity and Access Management Access Analyzer.

  D. Turn on AWS CloudTrail. Generate a policy by using AWS Identity and Access Management Access Analyzer.

  Correct Answer: D

  Generate a policy by using AWS Identity and Access Management Access Analyzer. AWS CloudTrail is a service that records all API calls made on your account. You can use this data to generate a policy with AWS Identity and Access Management Access Analyzer that only allows the permissions that the application requires. This will ensure that the application only has the necessary permissions and will protect the company from any unauthorized access. https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html#what-is-access-analyzer-policy-generation

• Question 440:

  A company has a new requirement stating that all resources in AWS must be tagged according to a set policy.

  Which AWS service should be used to enforce and continually identify all resources that are not in compliance with the policy?

  A. AWS CloudTrail

  B. Amazon Inspector

  C. AWSConfig

  D. AWS Systems Manager

  Correct Answer: C