A company hosts a web portal on Amazon EC2 instances. The web portal uses an Elastic Load Balancer (ELB) and Amazon Route 53 for its public DNS service. The ELB and the EC2 instances are deployed by way of a single AWS CloudFormation stack in the us-east-1 Region. The web portal must be highly available across multiple Regions.
Which configuration will meet these requirements?
A. Deploy a copy of the stack in the us-west-2 Region. Create a single start of authority (SOA) record in Route 53 that includes the IP address from each ELB. Configure the SOA record with health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record.
B. Deploy a copy of the stack in the us-west-2 Region. Create an additional A record in Route 53 that includes the ELB in us-west-2 as an alias target. Configure the A records with a failover routing policy and health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record.
C. Deploy a new group of EC2 instances in the us-west-2 Region. Associate the new EC2 instances with the existing ELB, and configure load balancer health checks on all EC2 instances. Configure the ELB to update Route 53 when EC2 instances in us-west-2 fail health checks.
D. Deploy a new group of EC2 instances in the us-west-2 Region. Configure EC2 health checks on all EC2 instances in each Region. Configure a peering connection between the VPCs. Use the VPC in us-east-1 as the primary record and the VPC in us-west-2 as the secondary record.

B. Deploy a copy of the stack in the us-west-2 Region. Create an additional A record in Route 53 that includes the ELB in us-west-2 as an alias target. Configure the A records with a failover routing policy and health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record.
When you create a hosted zone, Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html#migrate-dns-create-hosted-zone
https://en.wikipedia.org/wiki/SOA_record
Question 452:
A company is storing media content in an Amazon S3 bucket and uses Amazon CloudFront to distribute the content to its users. Due to licensing terms, the company is not authorized to distribute the content in some countries. A SysOps administrator must restrict access to certain countries.
What is the MOST operationally efficient solution that meets these requirements?
A. Configure the S3 bucket policy to deny the GetObject operation based on the S3:LocationConstraint condition.
B. Create a secondary origin access identity (OAI). Configure the S3 bucket policy to prevent access from unauthorized countries.
C. Enable the geo restriction feature in the CloudFront distribution to prevent access from unauthorized countries.
D. Update the application to generate signed CloudFront URLs only for IP addresses in authorized countries.

C. Enable the geo restriction feature in the CloudFront distribution to prevent access from unauthorized countries.
Explanation: You can use geographic restrictions, sometimes known as geo blocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront distribution. To use geographic restrictions, you have two options:
Use the CloudFront geographic restrictions feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level.
Question 453:
A company is planning to host its stateful web-based applications on AWS. A SysOps administrator is using an Auto Scaling group of Amazon EC2 instances. The web applications will run 24 hours a day, 7 days a week throughout the year. The company must be able to change the instance type within the same instance family later in the year based on the traffic and usage patterns.
Which EC2 instance purchasing option will meet these requirements MOST cost-effectively?
A. Convertible Reserved Instances
B. On-Demand instances
C. Spot instances
D. Standard Reserved instances

A. Convertible Reserved Instances
Explanation: Convertible Reserved Instances are a type of AWS Reserved Instances that can be exchanged for other Convertible Reserved Instances currently offered by AWS. They are associated with a specific Region, which is fixed for the duration of the reservation's term. There are no restrictions to the number of times that you can exchange the RIs, provided that the target convertible reserved instance has an equal or higher value than the original convertible RI which it replaces. Convertible Reserved Instances are useful when workloads are likely to change, or when you want to hedge against possible future price drops.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-convertible-exchange.html
Question 454:
A SysOps administrator must create an IAM policy for a developer who needs access to specific AWS services. Based on the requirements, the SysOps administrator creates the following policy:
Which actions does this policy allow? (Select TWO.)
A. Create an AWS Storage Gateway.
B. Create an IAM role for an AWS Lambda function.
C. Delete an Amazon Simple Queue Service (Amazon SQS) queue.
D. Describe AWS load balancers.
E. Invoke an AWS Lambda function.

D. Describe AWS load balancers.
E. Invoke an AWS Lambda function.
Question 455:
A company is creating a new multi-account environment in AWS Organizations.
The company will use AWS Control Tower to deploy the environment. Users must be able to create resources in approved AWS Regions only.
The company must configure and govern all accounts by using a standard baseline configuration.
Which combination of steps will meet these requirements in the MOST operationally efficient way? (Select TWO.)
A. Create a permission set and a custom permissions policy in AWS IAM Identity Center (AWS Single Sign-On) for each user to prevent each user from creating resources in unapproved Regions.
B. Deploy AWS Config rules in each AWS account to govern the account's security compliance and to delete any resources that are created in unapproved Regions.
C. Deploy AWS Lambda functions to configure security settings across all accounts in the organization and to delete any resources that are created in unapproved Regions.
D. Implement a service control policy (SCP) to deny any access to AWS based on the requested Region.
E. Modify the AWS Control Tower landing zone settings to govern the approved Regions.

D. Implement a service control policy (SCP) to deny any access to AWS based on the requested Region.
E. Modify the AWS Control Tower landing zone settings to govern the approved Regions.
Explanation: To restrict resource creation in unapproved regions across multiple AWS accounts efficiently, combining SCPs and Control Tower settings is effective:
SCP for Regional Restrictions: Create and apply an SCP that explicitly denies access to AWS services in unapproved regions. This policy will enforce region-based restrictions at the organizational unit or account level.
Control Tower Regional Governance: Adjust the settings in AWS Control Tower's landing zone to include governance for approved regions. This helps in maintaining a standard configuration that aligns with organizational policies regarding AWS regions.
For more information, check the AWS documentation on service control policies and AWS Control Tower.
Question 456:
A company stores data in Amazon S3 buckets that are provisioned in three separate AWS Regions. The data is copied from the S3 buckets to the data center over the public internet using a VPN. The SysOps administrator notices that, occasionally, the transfers take longer than usual, and determines the issue is congestion within the company's ISP network.
What is the MOST cost-effective approach the administrator can take to ensure consistent transfer times from S3 to the data center?
A. Establish an AWS Direct Connect link to each Region. Create a private virtual interface over each link.
B. Establish an AWS Direct Connect link to each Region. Create a public virtual interface over each link.
C. Establish an AWS Direct Connect link to one of the Regions. Create a private virtual interface over that link.
D. Establish an AWS Direct Connect link to one of the Regions. Create a public virtual interface over that link.

A. Establish an AWS Direct Connect link to each Region. Create a private virtual interface over each link.
Question 457:
To configure central configuration for Security Hub in an AWS Organization, the SysOps administrator must ensure it's set up centrally.
A. Enable Security Hub in the organization's management account. Configure Security Hub central configuration.
B. Enable Security Hub in the organization's management account. Configure and integrate AWS Trusted Advisor. Configure Security Hub from an opt-in Region.
C. Delegate an AWS account that is not the organization's management account as the Security Hub administrator. Configure Security Hub central configuration.
D. Delegate an AWS account that is not the organization's management account as the Security Hub administrator. Configure and integrate AWS Trusted Advisor. Configure Security Hub from an opt-in Region.

C. Delegate an AWS account that is not the organization's management account as the Security Hub administrator. Configure Security Hub central configuration.
Question 458:
A SysOps administrator needs to design a disaster recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The application uses an Amazon Aurora PostgreSQL database. The recovery time objective (RTO) and recovery point objective (RPO) are 15 minutes each.
Which combination of steps should the SysOps administrator take to meet these requirements MOST cost-effectively? (Choose two.)
A. Configure Aurora backups to be exported to the DR Region.
B. Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.
C. Configure the DR Region with an ALB and an Auto Scaling group. Use the same configuration as in the primary Region.
D. Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group's minimum capacity, maximum capacity, and desired capacity to 1.
E. Manually launch a new ALB and a new Auto Scaling group by using AWS CloudFormation during a failover activity.

B. Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.
D. Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group's minimum capacity, maximum capacity, and desired capacity to 1.
Explanation:
B. Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option. Aurora global database allows you to replicate your Aurora database across AWS Regions with minimal replication lag. By setting up the Aurora global database option, you ensure that data is continuously being replicated to the DR Region, which helps meet the Recovery Point Objective (RPO) of 15 minutes.
D. Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group's minimum capacity, maximum capacity, and desired capacity to 1. By configuring the DR Region with an ALB and an Auto Scaling group with minimum, maximum, and desired capacity set to 1, you ensure that the infrastructure is in place and ready to receive traffic in case of a failover event. Running just one instance will help reduce costs in the DR Region during normal operations while meeting the Recovery Time Objective (RTO) of 15 minutes.
Question 459:
A SysOps administrator launches an Amazon EC2 instance from a Windows Amazon Machine Image (AMI). The EC2 instance includes additional Amazon Elastic Block Store (Amazon EBS) volumes. When the instance is launched, none of the additional Amazon Elastic Block Store (Amazon EBS) volumes are initialized and ready for use through a drive letter. The SysOps administrator needs to automate the EBS volume initialization.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon EventBridge rule. Configure an AWS Systems Manager Automation runbook as a target of the EventBridge rule to initialize the disks after an EC2 instance launch event.
B. Create an Amazon EventBridge rule. Configure an AWS Lambda function as a target of the EventBridge rule to initialize the drives after the AMI is launched.
C. Create an AWS Config rule to automatically initialize the EBS volumes on Windows EC2 instances.
D. Add the secondary volume configuration to the DriveLetterMappingConfig.json file. Configure the InitializeDisks.ps1 Windows PowerShell script to run at launch. Create a new AMI from the running EC2 instance.

D. Add the secondary volume configuration to the DriveLetterMappingConfig.json file. Configure the InitializeDisks.ps1 Windows PowerShell script to run at launch. Create a new AMI from the running EC2 instance.
Explanation: To automate the initialization of additional EBS volumes on Windows EC2 instances, the most effective approach is to integrate initialization scripts within the instance so that they execute upon startup:
Configure Initialization Script: Use a Windows PowerShell script (InitializeDisks.ps1) to initialize and format the additional EBS volumes. The script can assign drive letters based on configurations specified in DriveLetterMappingConfig.json.
Automate at Launch: Ensure that the PowerShell script runs automatically upon instance startup. This can be configured through Windows Task Scheduler or by setting it up in the startup folder.
Create a Custom AMI: Once the instance is configured with the script and successfully initializes the disks on startup, create a new AMI from this setup. This AMI can then be used to launch new instances that will automatically initialize their additional EBS volumes with no manual intervention required.
This method leverages native Windows tools and AWS capabilities to automate EBS volume initialization, enhancing operational efficiency without additional external dependencies.
Question 460:
A company's SysOps administrator manages a fleet of Windows Amazon EC2 instances that run in a single AWS account. The instances have a tag that includes a key of "OS" and a value of "Windows." The company uses AWS Systems Manager to patch the instances.
The company has installed the Amazon CloudWatch agent on the instances, but the configuration is inconsistent. The SysOps administrator needs to reconfigure every instance to use the same predefined CloudWatch configuration.
Which combination of steps will meet these requirements? (Choose two.)
A. Store the CloudWatch agent configuration file in an Amazon S3 bucket.
B. Store the contents of the CloudWatch agent configuration file in Systems Manager OpsCenter.
C. Store the contents of the CloudWatch agent configuration file in Systems Manager Parameter Store.
D. Create a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Select Systems Manager as an optional configuration source. Target the instances based on tag values.
E. Create a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Configure the document to use the S3 bucket location as the configuration source. Target the instances based on tag value.

C. Store the contents of the CloudWatch agent configuration file in Systems Manager Parameter Store.
D. Create a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Select Systems Manager as an optional configuration source. Target the instances based on tag values.