A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?
A. Specify "*" as the principal and PrincipalOrgID as a condition.
B. Specify all account numbers as the principal.
C. Specify PrincipalOrgID as the principal.
D. Specify the organization's management account as the principal.
A. Specify "*" as the principal and PrincipalOrgID as a condition.
Explanation/Reference: https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/
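To see why option A keeps the data inside the organization, the following added example (not code from the original page or from AWS) evaluates a bucket policy of that shape against three constructed requests. The organization ID "o-exampleorgid", the bucket name and the account IDs are placeholders, and the evaluator models only the subset of the IAM policy language this policy uses: Allow/Deny effects, the "*" principal, action and resource wildcards, and StringEquals conditions.

```python
"""Evaluate an org-scoped S3 bucket policy against sample request contexts.

Added illustration, not from the original page or from AWS. Org ID, bucket
name and account IDs are constructed placeholders.
"""
import fnmatch
import json

# Bucket policy in the shape of option A: principal "*" restricted by aws:PrincipalOrgID.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowReadToEntireOrg",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::central-shared-bucket",
                 "arn:aws:s3:::central-shared-bucket/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, context):
    """True when the statement applies to this request (Effect is ignored here)."""
    principal = stmt.get("Principal")
    if principal != "*" and principal != {"AWS": "*"}:
        return False  # only the wildcard principal of option A is modelled
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # StringEquals: every listed key must be present in the request context and
    # equal the expected value. A missing key (anonymous request, or a principal
    # that belongs to no organization) makes the condition false.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, resource, context):
    """IAM-style evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)]
    if "Deny" in effects:
        return False
    return "Allow" in effects


# Constructed request contexts, as the S3 service would see them.
IN_ORG_REQUEST = {"aws:PrincipalArn": "arn:aws:iam::111111111111:role/Analyst",
                  "aws:PrincipalOrgID": "o-exampleorgid"}
OTHER_ORG_REQUEST = {"aws:PrincipalArn": "arn:aws:iam::222222222222:user/Outsider",
                     "aws:PrincipalOrgID": "o-someotherorg"}
ANONYMOUS_REQUEST = {}  # an unauthenticated request carries no aws:PrincipalOrgID


def evaluate_samples():
    """Decisions for a read and a write from inside the org, and reads from outside."""
    obj = "arn:aws:s3:::central-shared-bucket/reports/q1.csv"
    return {
        "in_org_read": is_allowed(BUCKET_POLICY, "s3:GetObject", obj, IN_ORG_REQUEST),
        "in_org_write": is_allowed(BUCKET_POLICY, "s3:PutObject", obj, IN_ORG_REQUEST),
        "other_org_read": is_allowed(BUCKET_POLICY, "s3:GetObject", obj, OTHER_ORG_REQUEST),
        "anonymous_read": is_allowed(BUCKET_POLICY, "s3:GetObject", obj, ANONYMOUS_REQUEST),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Two practical points follow from the evaluation. The Condition block is the only thing standing between option A and a world-readable bucket, so a change that drops it deserves the same review as any public-access change. And for principals in member accounts other than the bucket owner, the bucket policy is necessary but not sufficient: their own identity-based policy must also allow s3:GetObject, which is where the read-only scope can be enforced per account.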
Question 442:
A company is running an application on a group of Amazon EC2 instances behind an Application Load Balancer. The EC2 instances run across three Availability Zones. The company needs to provide the customers with a maximum of two static IP addresses for their applications.
How should a SysOps administrator meet these requirements?
A. Add AWS Global Accelerator in front of the Application Load Balancer.
B. Add an internal Network Load Balancer behind the Application Load Balancer.
C. Configure the Application Load Balancer in only two Availability Zones.
D. Create two Elastic IP addresses and assign them to the Application Load Balancer.
A. Add AWS Global Accelerator in front of the Application Load Balancer.
Question 443:
A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately.
What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?
A. Add the AWS account to AWS Organizations. Enable CloudTrail in the management account.
B. Create an AWS Config rule that is invoked when the CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
C. Create an AWS Config rule that is invoked when the CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.
B. Create an AWS Config rule that is invoked when the CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
Question 444:
Users are periodically experiencing slow response times from a relational database. The database runs on a burstable Amazon EC2 instance with a 350 GB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. A SysOps administrator monitors the EC2 instance in Amazon CloudWatch and observes that the VolumeReadOps metric drops to less than 10% of its peak value during the periods of slow response.
What should the SysOps administrator do to ensure consistently high performance?
A. Convert the gp2 volume to a General Purpose SSD (gp3) EBS volume.
B. Convert the gp2 volume to a Cold HDD (sc1) EBS volume.
C. Convert the EC2 instance to a memory optimized instance type.
D. Activate unlimited mode on the EC2 instance.
A. Convert the gp2 volume to a General Purpose SSD (gp3) EBS volume. Option A (Convert the gp2 volume to a General Purpose SSD (gp3) EBS volume) is the correct option. The gp2 EBS volume type is designed for general-purpose workloads and provides a baseline performance and burst credits. The burst credits allow the volume to burst above the baseline performance when needed but are limited in capacity. If the volume depletes its burst credits, the performance can decrease, resulting in slow response times. On the other hand, gp3 is the next-generation general-purpose SSD EBS volume type that provides higher baseline performance, higher burst performance, and a new feature called "provisioned IOPS" that allows you to provision a consistent level of IOPS (Input/Output Operations Per Second) independent of volume size. By converting the gp2 volume to a gp3 volume, you will get higher baseline performance, which can help ensure consistently high performance for the database during periods of increased workload without relying solely on burst credits.
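The burst-credit behaviour described in the explanation can be made concrete with a small simulation. The following is an added example, not code from the original page or from AWS; it applies the documented gp2 rules (baseline of 3 IOPS per GiB with a 100 IOPS floor and a 16,000 IOPS cap, bursting to 3,000 IOPS while the 5.4 million I/O credit bucket is non-empty, credits earned at the baseline rate and spent one per I/O) and gp3's fixed 3,000 IOPS baseline to the 350 GB volume in the question. The workload trace is constructed, and the model ignores throughput limits and treats credit accounting at one-second granularity.

```python
"""Simulate the gp2 I/O credit bucket for a volume and compare it with gp3.

Added illustration, not from the original page or from AWS. The demand trace is
constructed; the gp2/gp3 figures are the documented volume characteristics.
"""

GP2_BURST_IOPS = 3_000
GP2_BUCKET_CREDITS = 5_400_000
GP3_BASELINE_IOPS = 3_000  # gp3 delivers 3,000 IOPS regardless of volume size


def gp2_baseline_iops(size_gib):
    """gp2 baseline: 3 IOPS per GiB, never below 100 or above 16,000."""
    return max(100, min(16_000, 3 * size_gib))


def simulate_gp2(size_gib, demand_iops_per_second):
    """Return (delivered IOPS for each second, final credit balance)."""
    baseline = gp2_baseline_iops(size_gib)
    credits = GP2_BUCKET_CREDITS  # a new volume starts with a full bucket
    delivered = []
    for demand in demand_iops_per_second:
        # With credits in hand the volume may burst; once the bucket is empty it
        # is pinned to baseline, which is the drop the question's metrics show.
        ceiling = max(baseline, GP2_BURST_IOPS) if credits > 0 else baseline
        served = min(demand, ceiling)
        # Credits accrue at the baseline rate and are consumed one per I/O.
        credits = min(GP2_BUCKET_CREDITS, max(0, credits + baseline - served))
        delivered.append(served)
    return delivered, credits


def simulate_gp3(demand_iops_per_second, provisioned_iops=GP3_BASELINE_IOPS):
    """gp3 has no credit bucket: it serves up to its (provisioned) IOPS every second."""
    return [min(d, provisioned_iops) for d in demand_iops_per_second]


def seconds_until_gp2_throttles(size_gib, steady_demand_iops):
    """How long a full bucket lasts under a constant demand above baseline (None if never)."""
    baseline = gp2_baseline_iops(size_gib)
    drain = min(steady_demand_iops, GP2_BURST_IOPS) - baseline
    if drain <= 0:
        return None
    return GP2_BUCKET_CREDITS // drain


def compare_350gib_volume(demand_iops=2_500, seconds=4_000):
    """Constructed scenario: a sustained read workload above the gp2 baseline."""
    trace = [demand_iops] * seconds
    gp2_delivered, remaining = simulate_gp2(350, trace)
    gp3_delivered = simulate_gp3(trace)
    return {
        "gp2_baseline": gp2_baseline_iops(350),
        "gp2_first_second": gp2_delivered[0],
        "gp2_last_second": gp2_delivered[-1],
        "gp2_credits_left": remaining,
        "gp2_burst_seconds": seconds_until_gp2_throttles(350, demand_iops),
        "gp3_last_second": gp3_delivered[-1],
    }


if __name__ == "__main__":
    for key, value in compare_350gib_volume().items():
        print(f"{key}: {value}")
```

For the 350 GB volume the baseline is 1,050 IOPS, so a steady 2,500 IOPS workload drains the bucket in a little over an hour and then runs at 1,050 IOPS until demand drops and credits rebuild; the same trace on gp3 never dips. The BurstBalance CloudWatch metric exposes the credit balance directly and is the value to alarm on when a gp2 volume must stay on gp2.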
Question 445:
A SysOps administrator receives notification that an application that is running on Amazon EC2 instances has failed to authenticate to an Amazon RDS database. To troubleshoot, the SysOps administrator needs to investigate AWS Secrets Manager password rotation.
Which Amazon CloudWatch log will provide insight into the password rotation?
A. AWS CloudTrail logs
B. EC2 instance application logs
C. AWS Lambda function logs
D. RDS database logs
B. EC2 instance application logs
Question 446:
The SysOps administrator needs to address high disk I/O issues during EC2 instance bootstrap in an Auto Scaling group. (Select TWO):
A. Increase the EC2 instance size.
B. Increase the EBS volume capacity.
C. Increase the EBS volume IOPS.
D. Increase the EBS volume throughput.
E. Change the instance type to an instance that is not Nitro-based.
C. Increase the EBS volume IOPS.
D. Increase the EBS volume throughput.
Question 447:
A company has an application that uses Amazon DynamoDB tables. The tables are spread across AWS accounts and AWS Regions. The company uses AWS CloudFormation to deploy AWS resources.
A new team at the company is deleting unused AWS resources. The team accidentally deletes several production DynamoDB tables by running an AWS Lambda function that makes a DynamoDB DeleteTable API call. The table deletions cause an application outage.
A SysOps administrator must implement a solution that minimizes the chance of accidental deletions of tables. The solution also must minimize data loss that results from accidental deletions.
Which combination of steps will meet these requirements? (Select TWO.)
A. Enable termination protection for the CloudFormation stacks that deploy the DynamoDB tables.
B. Enable deletion protection for the DynamoDB tables.
C. Enable point-in-time recovery for the DynamoDB tables. Restore the tables if they are accidentally deleted.
D. Schedule daily backups of the DynamoDB tables. Restore the tables if they are accidentally deleted.
E. Export the DynamoDB tables to Amazon S3 every day. Use Import from Amazon S3 to restore data for tables that are accidentally deleted.
B. Enable deletion protection for the DynamoDB tables.
C. Enable point-in-time recovery for the DynamoDB tables. Restore the tables if they are accidentally deleted.
Explanation/Reference: Enable deletion protection for the DynamoDB tables (AWS DynamoDB Deletion Protection): a protected table cannot be removed by a DeleteTable call until the protection is turned off, which addresses the accidental-deletion requirement. Enable point-in-time recovery (PITR) for the DynamoDB tables (AWS DynamoDB Point-In-Time Recovery): PITR provides continuous backups of your DynamoDB tables, and you can restore a table to any point in time within the last 35 days, which addresses the data-loss requirement.
Steps to enable PITR: go to the AWS Management Console, navigate to DynamoDB, select the table you want to enable PITR for, choose the "Backups" tab, and click "Enable Point-in-Time Recovery."
If a table is accidentally deleted, you can restore it using PITR: go to the DynamoDB console, select "Backups" from the navigation pane, find the table backup, and choose "Restore."
Question 448:
A SysOps administrator is unable to authenticate an AWS CLI call to an AWS service.
Which of the following is the cause of this issue?
A. The IAM password is incorrect
B. The server certificate is missing
C. The SSH key pair is incorrect
D. There is no access key
D. There is no access key
Explanation/Reference: When the AWS CLI runs a command, it sends an encrypted request to the AWS servers to perform the appropriate AWS service operations. Your credentials (the access key and secret key) are involved in the encryption and enable AWS to authenticate the person making the request. Several things can interfere with the correct operation of this process; see https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html
Question 449:
A SysOps administrator configures VPC flow logs to publish to Amazon CloudWatch Logs. The SysOps administrator reviews the logs in CloudWatch Logs and notices less traffic than expected. After the SysOps administrator compares the VPC flow logs to logs that were captured on premises, the SysOps administrator believes that the VPC flow logs are incomplete.
Which of the following is a possible reason for the difference in traffic?
A. CloudWatch Logs throttling has been applied.
B. The CloudWatch IAM role does not have a trust relationship with the VPC flow logs service.
C. The VPC flow log is still in the process of being created.
D. VPC flow logs cannot capture traffic from on-premises servers to a VPC.
D. VPC flow logs cannot capture traffic from on-premises servers to a VPC.
Question 450:
A company has a private Amazon S3 bucket that contains sensitive information. A SysOps administrator needs to keep logs of the IP addresses from authentication failures that result from attempts to access objects in the bucket. The logs must be stored so that they cannot be overwritten or deleted for 90 days.
Which solution will meet these requirements?
A. Create an AWS CloudTrail trail. Configure the log files to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
B. Create an AWS CloudTrail trail. Configure the log files to be saved to a different S3 bucket. Turn on CloudTrail log file integrity validation for 90 days.
C. Turn on access logging for the S3 bucket. Configure the access logs to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
D. Turn on access logging for the S3 bucket. Configure the access logs to be saved in a second S3 bucket. Turn on S3 Object Lock on the second S3 bucket, and configure a default retention period of 90 days.
D. Turn on access logging for the S3 bucket. Configure the access logs to be saved in a second S3 bucket. Turn on S3 Object Lock on the second S3 bucket, and configure a default retention period of 90 days.
Explanation/Reference: S3 server access logs can be delivered to a different S3 bucket, where they can be analyzed with Amazon Athena. With S3 Object Lock and a default retention period configured on that bucket, the log objects cannot be deleted or overwritten for the specified amount of time.
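Once the access logs are landing in the Object Lock bucket, the remaining work is extracting the failed-request source IPs from them. The following is an added example, not code from the original page or from AWS: a parser for the documented S3 server access log record layout (space-separated fields, the time in square brackets, the request URI and user agent in double quotes) run over constructed sample lines. The bucket names, IP addresses, request IDs and host IDs in the samples are placeholders, and the split between authentication errors and plain AccessDenied is the example's own classification.

```python
"""Extract source IPs of failed requests from S3 server access log lines.

Added illustration, not from the original page or from AWS. SAMPLE_LOG is
constructed data in the documented record layout.
"""
import re
from collections import defaultdict

# Field order of an S3 server access log record, as documented by AWS.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version", "access_point_arn",
    "acl_required",
]

# A token is a bracketed time, a double-quoted string, or a run of non-spaces.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Error codes returned when the credentials or signature themselves are rejected
# (authentication), as opposed to a valid identity lacking permission (AccessDenied).
AUTHENTICATION_ERRORS = {"InvalidAccessKeyId", "SignatureDoesNotMatch",
                         "ExpiredToken", "InvalidToken", "RequestTimeTooSkewed"}


def parse_record(line):
    """Return the record as a dict, or None if the line is too short to be a record."""
    tokens = _TOKEN.findall(line.strip())
    if len(tokens) < 11:  # everything through error_code must be present
        return None
    record = dict(zip(FIELDS, tokens))
    record["time"] = record["time"].strip("[]")
    record["request_uri"] = record["request_uri"].strip('"')
    record["user_agent"] = record.get("user_agent", "-").strip('"')
    return record


def failed_requests_by_ip(lines):
    """Map remote IP -> list of (time, error_code, key) for every 403 response."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["http_status"] != "403":
            continue  # skip malformed lines and successful requests
        hits[rec["remote_ip"]].append((rec["time"], rec["error_code"], rec["key"]))
    return dict(hits)


def authentication_failure_ips(lines):
    """Sorted IPs whose 403s include a credential or signature rejection."""
    return sorted(ip for ip, events in failed_requests_by_ip(lines).items()
                  if any(code in AUTHENTICATION_ERRORS for _, code, _ in events))


# Constructed sample records (placeholder values, not real log data).
SAMPLE_LOG = [
    'bucketowner0123456789abcdef private-docs-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 '
    'arn:aws:iam::111111111111:user/analyst 3E57427F3EXAMPLE REST.GET.OBJECT payroll/2019.csv '
    '"GET /payroll/2019.csv HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "aws-cli/2.11.0" - hostid1 '
    'SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader private-docs-bucket.s3.amazonaws.com TLSv1.2 - -',
    'bucketowner0123456789abcdef private-docs-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 '
    '- 7B2E9C1A4EXAMPLE REST.GET.OBJECT payroll/2019.csv "GET /payroll/2019.csv HTTP/1.1" '
    '403 InvalidAccessKeyId 305 - 9 - "-" "python-requests/2.31" - hostid2 SigV4 '
    'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader private-docs-bucket.s3.amazonaws.com TLSv1.2 - -',
    'bucketowner0123456789abcdef private-docs-bucket [06/Feb/2019:00:01:40 +0000] 203.0.113.9 '
    'arn:aws:iam::111111111111:role/AppRole 9D4F1B2C7EXAMPLE REST.GET.OBJECT reports/ok.csv '
    '"GET /reports/ok.csv HTTP/1.1" 200 - 1024 1024 14 12 "-" "aws-sdk-java/1.12" - hostid3 '
    'SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader private-docs-bucket.s3.amazonaws.com TLSv1.2 - -',
    'garbage line that is not a record',
    'bucketowner0123456789abcdef private-docs-bucket [06/Feb/2019:00:02:15 +0000] 198.51.100.7 '
    '- C1D2E3F4A5EXAMPLE REST.GET.OBJECT payroll/2019.csv "GET /payroll/2019.csv HTTP/1.1" '
    '403 SignatureDoesNotMatch 311 - 8 - "-" "python-requests/2.31" - hostid4 SigV4 '
    'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader private-docs-bucket.s3.amazonaws.com TLSv1.2 - -',
]


if __name__ == "__main__":
    for ip, events in failed_requests_by_ip(SAMPLE_LOG).items():
        print(ip, events)
    print("authentication failures from:", authentication_failure_ips(SAMPLE_LOG))
```

The same field list is what an Athena table over the log bucket would declare, so the classification here can be reproduced as a query once the logs are in place. One caveat to plan around: S3 delivers server access logs on a best-effort basis with some delay, so they satisfy the 90-day evidence requirement in the question but should not be the only signal used for real-time alerting.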