Amazon Amazon Certifications SOA-C02 Questions & Answers

• Question 501:

  A company is running an ecommerce application on AWS. The application maintains many open but idle connections to an Amazon Aurora DB cluster. During times of peak usage, the database produces the following error message: "Too many connections." The database clients are also experiencing errors.

  Which solution will resolve these errors?

  A. Increase the read capacity units (RCUs) and the write capacity units (WCUs) on the database.

  B. Configure RDS Proxy. Update the application with the RDS Proxy endpoint.

  C. Turn on enhanced networking for the DB instances.

  D. Modify the DB cluster to use a burstable instance type.

  Correct Answer: B

• Question 502:

  A SysOps administrator wants to securely share an object from a private Amazon S3 bucket with a group of users who do not have an AWS account.

  What is the MOST operationally efficient solution that will meet this requirement?

  A. Attach an S3 bucket policy that only allows object downloads from the users' IP addresses.

  B. Create an IAM role that has access to the object. Instruct the users to assume the role.

  C. Create an IAM user that has access to the object. Share the credentials with the users.

  D. Generate a presigned URL for the object. Share the URL with the users.

  Correct Answer: D

• Question 503:

  A custom application must be installed on all Amazon EC2 instances. The application is small, updated frequently, and can be installed automatically.

  How can the application be deployed on new EC2 instances?

  A. Launch a script that downloads and installs the application using Amazon EC2 user data.

  B. Create a custom API using Amazon API Gateway to call an installation executable from an AWS CloudFormation template.

  C. Use AWS Systems Manager to inject the application into an AMI.

  D. Configure AWS CodePipeline to deploy code changes and updates.

  Correct Answer: A

• Question 504:

  A SysOps administrator notices that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. The SysOps administrator needs to increase the cache hit ratio for the distribution, improve network performance, and reduce the load on the origin.

  Which combination of actions should the SysOps administrator take to meet these requirements? (Choose two.)

  A. Enable CloudFront Origin Shield for the required AWS Regions.

  B. Change the viewer protocol policy to use HTTPS only.

  C. Add a second origin. Create an origin group that includes both origins. Activate CloudFront origin failover.

  D. Turn on automatic compression of objects in the cache behavior settings.

  E. Increase the CloudFront TTL values in the cache behavior settings.

  Correct Answer: AE

• Question 505:

  A SysOps administrator is using IAM credentials to try to upload a file to a customer's Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The SysOps administrator is receiving an AccessDenied message. Which combination of configuration changes will correct this problem? (Choose two.)

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  E. Option E

  Correct Answer: AB

• Question 506:

  A SysOps administrator is responsible for the security of a company's AWS account. The company has a policy that a user may stop or terminate Amazon EC2 instances only when the user is authenticated by using a multi-factor authentication (MFA) device.

  Which policy should the SysOps administrator apply to meet this requirement?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: A

• Question 507:

  A company manages its production applications across several AWS accounts. The company hosts the production applications on Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are spread across multiple VPCs. Each VPC uses its own Amazon Route 53 private hosted zone for private DNS.

  A VPC from Account A needs to resolve private DNS records from a private hosted zone that is associated with a different VPC in Account B.

  What should a SysOps administrator do to meet these requirements?

  A. In Account A, create an AWS Systems Manager document that updates the /etc/resolv.conf file across all EC2 instances to point to the AWS provided default DNS resolver for the VPC in Account B.

  B. In Account A, create an AWS CloudFormation template that associates the private hosted zone from Account B with the private hosted zone in Account A.

  C. In Account A, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account B to associate the VPC from Account A with the private hosted zone in Account B.

  D. In Account B, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account A to associate the VPC from Account B with the private hosted zone in Account A.

  Correct Answer: D

• Question 508:

  A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A SysOps administrator must ensure that an on-premises server can query records in the example.com domain.

  What should the SysOps administrator do to meet these requirements?

  A. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.

  B. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.

  C. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.

  D. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.

  Correct Answer: A

• Question 509:

  A company uses AWS Organizations to host several applications across multiple AWS accounts. Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts.

  A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed. The solution must be integrated with the company's existing on-premises Active Directory environment. The SysOps administrator already has enabled AWS IAM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection.

  What is the MOST operationally efficient solution that meets these requirements?

  A. Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

  B. Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

  C. Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

  D. Use the built-in SSO directory as the identity source for IAM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

  Correct Answer: C

  Centralized Management: An AD Connector provides a centralized way to manage user identities from the existing on-premises Active Directory, reducing the need to create and manage separate user accounts in AWS. Reduced Operational

  Overhead: Compared to managing a separate AD domain controller on an EC2 instance (Option B) or copying users/groups to the built-in directory (Option D), using an AD Connector simplifies administration.

  Existing Integration: Since AWS Direct Connect is already established, connecting the on-premises AD through an AD Connector leverages the existing network connectivity.

• Question 510:

  A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443.

  The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet.

  Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Choose three.)

  A. Ensure that the inbound rules of the instance's security group allow traffic on ports 80 and 443.

  B. Ensure that the outbound rules of the instance's security group allow traffic on ports 80 and 443.

  C. Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance's subnet.

  D. Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance's subnet.

  E. Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.

  F. Ensure that AWS WAF is turned on for the instance and is blocking web traffic.

  Correct Answer: ADE