Free questions and answers for the Amazon Web Services SOA-C01 (AWS Certified SysOps Administrator - Associate) exam, new version:
NEW QUESTION 1
A user is trying to create a PIOPS EBS volume with 8 GB size and 200 IOPS. Will AWS create the volume?
- A. Yes, since the ratio between EBS and IOPS is less than 30
- B. No, since the PIOPS and EBS size ratio is less than 30
- C. No, the EBS size is less than 10 GB
- D. Yes, since PIOPS is higher than 100
Answer: C
Explanation:
A provisioned IOPS EBS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB.
NEW QUESTION 2
A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario?
- A. By default ELB will select the first version of the security policy
- B. By default ELB will select the latest version of the policy
- C. ELB creation will fail without a security policy
- D. It is not required to have a security policy since SSL is already installed
Answer: B
Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. If the user has created an HTTPS/SSL listener without associating any security policy, Elastic Load Balancing will, by default, associate the latest version of the ELBSecurityPolicy-YYYY-MM with the load balancer.
NEW QUESTION 3
When an EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any ephemeral store volumes?
- A. Data will be deleted and will no longer be accessible
- B. Data is automatically saved in an EBS volume.
- C. Data is automatically saved as an EBS snapshot
- D. Data is unavailable until the instance is restarted
Answer: A
Explanation:
See: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#instance-store-lifetime
However, data in the instance store is lost under the following circumstances:
- The underlying disk drive fails
- The instance stops
- The instance terminates
NEW QUESTION 4
An application stores data in an Amazon RDS database instance. Automated RDS snapshots are taken during specified backup windows every night. In addition, a SysOps Administrator takes monthly manual RDS snapshots. During a maintenance window, the RDS instance was accidentally deleted. How can the Administrator restore the RDS database instance?
- A. Restore the instance from the last available automated snapshot.
- B. Restore the instance from the last available manual snapshot.
- C. Restore the instance from the last full RDS snapshot and subsequent incremental snapshots
- D. Restore the instance from the RDS in the secondary Availability Zone
Answer: A
Explanation:
Creating a Final Snapshot and Retaining Automated Backups
When you delete a DB instance, you can choose whether to create a final snapshot of the DB instance. You can also choose to retain automated backups after the DB instance is deleted. To be able to restore the DB instance at a later time, create a final snapshot or retain automated backups.
- How to: To be able to restore your deleted DB instance at a later time, create a final DB snapshot.
  - Automated backups: All automated backups are deleted and can't be recovered, unless you enable Retain automated backups.
  - Manual snapshots: Earlier manual snapshots aren't deleted.
- How to: To delete a DB instance quickly, you can skip creating a final DB snapshot. Important: If you skip the snapshot, to restore your DB instance you need one of the following:
  - You have to use an earlier manual snapshot of the DB instance to restore the DB instance to that snapshot's point in time.
  - You have to choose to retain automated backups; you can use those to restore it to any point in time within your retention period.
  - Automated backups: All automated backups are deleted and can't be recovered, unless you choose to retain automated backups when you delete the DB instance.
  - Manual snapshots: Earlier manual snapshots aren't deleted.
- How to: Instead of creating a snapshot, you can choose to enable Retain automated backups when you delete a DB instance. These backups are still subject to the retention period of the DB instance and age out the same way systems snapshots do.
  - Automated backups: Automated backups are retained for a set period of time, regardless of whether you chose to create a final snapshot. They are retained for the retention period that was set on the DB instance at the time you deleted it.
  - Manual snapshots: No snapshots are deleted.
You can't create a final snapshot of your DB instance if it has the status creating, failed, incompatible-restore, or incompatible-network. For more information about DB instance statuses, see DB Instance Status.
NEW QUESTION 5
An organization is using cost allocation tags to find the cost distribution of different departments and projects. One of the instances has two separate tags with the key/value as "InstanceName/HR", "CostCenter/HR". What will AWS do in this case?
- A. InstanceName is a reserved tag for AWS. Thus, AWS will not allow this tag
- B. AWS will not allow the tags as the value is the same for different keys
- C. AWS will allow tags but will not show correctly in the cost allocation report due to the same value of the two separate keys
- D. AWS will allow both the tags and show properly in the cost distribution report
Answer: D
Explanation:
AWS provides cost allocation tags to categorize and track the AWS costs. When the user applies tags to his AWS resources, AWS generates a cost allocation report as a comma-separated value (CSV file) with the usage and costs aggregated by those tags. Each tag will have a key-value and can be applied to services, such as EC2, S3, RDS, EMR, etc. It is required that the key should be different for each tag. The value can be the same for different keys. In this case since the value is different, AWS will properly show the distribution report with the correct values.
NEW QUESTION 6
A user has created a Cloudformation stack. The stack creates AWS services, such as EC2 instances, ELB, AutoScaling, and RDS. While creating the stack it created EC2, ELB and AutoScaling but failed to create RDS. What will Cloudformation do in this scenario?
- A. Cloudformation can never throw an error after launching a few services since it verifies all the steps before launching
- B. It will warn the user about the error and ask the user to manually create RDS
- C. Rollback all the changes and terminate all the created services
- D. It will wait for the user's input about the error and correct the mistake after the input
Answer: C
Explanation:
AWS Cloudformation is an application management tool which provides application modelling, deployment, configuration, management and related activities. The AWS Cloudformation stack is a collection of AWS resources which are created and managed as a single unit when AWS CloudFormation instantiates a template. If any of the services fails to launch, Cloudformation will rollback all the changes and terminate or delete all the created services.
NEW QUESTION 7
A company is planning a large marketing campaign that should increase traffic to an AWS-hosted application by at least 10 times normal traffic. A SysOps Administrator is concerned that service limits will be reached with this anticipated traffic. The company has just upgraded to Business Support on the primary account.
How can the Administrator configure the current limits?
- A. Use the included Infrastructure Event Management benefit of Business Support to review the limits
- B. Run a service limits report using Amazon QuickSight
- C. Limits are seated automatically with Business Support and will not cause issues
- D. Use AWS Trusted Advisor to view current limits
Answer: B
NEW QUESTION 8
A company operates a secure website running on an Amazon EC2 instance behind a Classic Load Balancer. An SSL certificate from AWS Certificate Manager is deployed on the load balancer. The company's Marketing team has determined that too many customers using older browsers are experiencing issues with the website and has asked a SysOps Administrator to fix this issue.
What course of action should the administrator take?
- A. Update the SSL negotiation configuration of the load balancer by creating a custom security policy. Ensure the appropriate cipher has been enabled so that the web application can support the web browser.
- B. Create a separate Classic Load Balancer and install a custom SSL certificate with a different domain name on it that supports the web browser. Ask customers with the affected browser to use this domain name instead of the one they are accustomed to using.
- C. Create a new SSL certificate in Certificate Manager and install this certificate on each of the servers to accommodate the web browsers.
- D. Remove the load balancer from the configuration and instead install a custom SSL certificate on each of the web servers.
Answer: A
Explanation:
Update the SSL Negotiation Configuration of Your Classic Load Balancer
Elastic Load Balancing provides security policies that have predefined SSL negotiation configurations to use to negotiate SSL connections between clients and your load balancer. If you are using the HTTPS/SSL protocol for your listener, you can use one of the predefined security policies, or use your own custom security policy.
For more information about the security policies, see SSL Negotiation Configurations for Classic Load Balancers. For information about the configurations of the security policies provided by Elastic Load Balancing, see Predefined SSL Security Policies.
If you create an HTTPS/SSL listener without associating a security policy, Elastic Load Balancing associates the default predefined security policy, ELBSecurityPolicy-2021-08, with your load balancer. If you have an existing load balancer with an SSL negotiation configuration that does not use the latest protocols and ciphers, we recommend that you update your load balancer to use ELBSecurityPolicy-2021-08. If you prefer, you can create a custom configuration. We strongly recommend that you test the new security policies before you upgrade your load balancer configuration.
The following examples show you how to update the SSL negotiation configuration for an HTTPS/SSL listener. Note that the change does not affect requests that were received by a load balancer node and are pending routing to a healthy instance, but the updated configuration will be used with new requests that are received.
NEW QUESTION 9
An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance's security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?
- A. The outbound security group needs to be modified to allow outbound traffic.
- B. The outbound network ACL needs to be modified to allow outbound traffic.
- C. Nothing, it can be accessed from any IP address using SSH.
- D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.
Answer: B
Explanation:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
NEW QUESTION 10
A user has created an ELB with three instances. How many security groups will ELB create by default?
- A. 3
- B. 5
- C. 2
- D. 1
Answer: C
Explanation:
Elastic Load Balancing provides a special Amazon EC2 source security group that the user can use to ensure that back-end EC2 instances receive traffic only from Elastic Load Balancing. This feature needs two security groups: the source security group and a security group that defines the ingress rules for the back-end instances. To ensure that traffic only flows between the load balancer and the back-end instances, the user can add or modify a rule to the back-end security group which can limit the ingress traffic. Thus, it can come only from the source security group provided by Elastic Load Balancing.
NEW QUESTION 11
A user has enabled detailed CloudWatch metric monitoring on an Auto Scaling group. Which of the below mentioned metrics will help the user identify the total number of instances in an Auto Scaling group including pending, terminating and running instances?
- A. GroupTotalInstances
- B. GroupSumInstances
- C. It is not possible to get a count of all the three metrics together. The user has to find the individual number of running, terminating and pending instances and sum it
- D. GroupInstancesCount
Answer: A
Explanation:
CloudWatch is used to monitor AWS as well as the custom services. For Auto Scaling, CloudWatch provides various metrics to get the group information, such as the Number of Pending, Running or Terminating instances at any moment. If the user wants to get the total number of Running, Pending and Terminating instances at any moment, he can use the GroupTotalInstances metric.
NEW QUESTION 12
How can the domain's zone apex for example "myzoneapexdomain.com" be pointed towards an Elastic Load Balancer?
- A. By using an AAAA record
- B. By using an A record
- C. By using an Amazon Route 53 CNAME record
- D. By using an Amazon Route 53 Alias record
Answer: D
Explanation:
Reference:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
NEW QUESTION 13
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection?
- A. The user has provided the wrong user name for the OS login
- B. The instance CPU is heavily loaded
- C. The security group is not configured properly
- D. The access key to connect to the instance is wrong
Answer: A
Explanation:
If the user is trying to connect to a Linux EC2 instance and receives the Host Key not found error the probable reasons are:
- The private key pair is not right
- The user name to login is wrong
NEW QUESTION 14
You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly.
Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC?
Choose 2 answers
- A. A network ACL that allows communication between the two subnets.
- B. Both instances are the same instance class and using the same Key-pair.
- C. That the default route is set to a NAT instance or internet Gateway (IGW) for them to communicate.
- D. Security groups are set to allow the application host to talk to the database on the right port/protocol.
Answer: AD
NEW QUESTION 15
A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?
- A. SAML-based Identity Federation
- B. Cross-Account Access
- C. AWS Identity and Access Management roles
- D. Web Identity Federation
Answer: D
NEW QUESTION 16
A user has recently started using EC2. The user launched one EC2 instance in the default subnet in EC2-VPC. Which of the below mentioned options is not attached or available with the EC2 instance when it is launched?
- A. Public IP address
- B. Internet gateway
- C. Elastic IP
- D. Private IP address
Answer: C
Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to a user's AWS account. A subnet is a range of IP addresses in the VPC. The user can launch the AWS resources into a subnet. There are two supported platforms into which a user can launch instances: EC2-Classic and EC2-VPC (default subnet). A default VPC has all the benefits of EC2-VPC and the ease of use of EC2-Classic. Each instance that the user launches into a default subnet has a private IP address and a public IP address. These instances can communicate with the internet through an internet gateway. An internet gateway enables the EC2 instances to connect to the internet through the Amazon EC2 network edge.
NEW QUESTION 17
You are building an online store on AWS that uses SQS to process your customer orders. Your backend system needs those messages in the same sequence the customer orders have been put in. How can you achieve that?
- A. It is not possible to do this with SQS
- B. You can use sequencing information on each message
- C. You can do this with SQS but you also need to use SWF
- D. Messages will arrive in the same order by default
Answer: B
Explanation:
Amazon SQS is engineered to always be available and deliver messages. One of the resulting tradeoffs is that SQS does not guarantee first in, first out delivery of messages. For many distributed applications, each message can stand on its own, and as long as all messages are delivered, the order is not important. If your system requires that order be preserved, you can place sequencing information in each message, so that you can reorder the messages when the queue returns them.
NEW QUESTION 18
A user has set up an EBS backed instance and a CloudWatch alarm when the CPU utilization is more than 65%. The user has set up the alarm to watch it for 5 periods of 5 minutes each. The CPU utilization is 60% between 9 AM to 6 PM. The user has stopped the EC2 instance for 15 minutes between 11 AM to 11:15 AM. What will be the status of the alarm at 11:30 AM?
- A. Alarm
- B. OK
- C. Insufficient Data
- D. Error
Answer: B
Explanation:
Amazon CloudWatch alarm watches a single metric over a time period the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The state of the alarm will be OK for the whole day. When the user stops the instance for three periods the alarm may not receive the data
NEW QUESTION 19
A user runs the command "dd if=/dev/xvdf of=/dev/null bs=1M" on an EBS volume created from a snapshot and attached to a Linux instance. Which of the below mentioned activities is the user performing with the step given above?
- A. Pre warming the EBS volume
- B. Initiating the device to mount on the EBS volume
- C. Formatting the volume
- D. Copying the data from a snapshot to the device
Answer: A
Explanation:
When the user creates an EBS volume and is trying to access it for the first time it will encounter reduced IOPS due to wiping or initiating of the block storage. To avoid this as well as achieve the best performance it is required to pre warm the EBS volume. For a volume created from a snapshot and attached with a Linux OS, the "dd" command pre warms the existing data on EBS and any restored snapshots of volumes that have been previously fully pre warmed. This command maintains incremental snapshots; however, because this operation is read-only, it does not pre warm unused space that has never been written to on the original volume. In the command "dd if=/dev/xvdf of=/dev/null bs=1M", the parameter "if=input file" should be set to the drive that the user wishes to warm. The "of=output file" parameter should be set to the Linux null virtual device, /dev/null. The "bs" parameter sets the block size of the read operation; for optimal performance, this should be set to 1 MB.
NEW QUESTION 20
The Security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps Administrator to report on the number of IAM policies in use and the total IAM policies.
Which AWS service should the Administrator use to check how current IAM policy compares to current limits?
- A. AWS Trusted Advisor
- B. Amazon Inspector
- C. AWS Config
- D. Organizations
Answer: C
Explanation:
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
NEW QUESTION 21
A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario?
- A. The AWS VPC will automatically create a NAT instance with the micro size
- B. VPC bounds the main route table with a private subnet and a custom route table with a public subnet
- C. The user has to manually create a NAT instance
- D. VPC bounds the main route table with a public subnet and a custom route table with a private subnet
Answer: B
Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance of a smaller or higher size, respectively. The VPC has an implied router and the VPC wizard updates the main route table used with the private subnet, creates a custom route table and associates it with the public subnet.
NEW QUESTION 22
A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 minutes. If the user wants to send the data to CloudWatch to view the data visually, which of the below mentioned statements is true with respect to the information given above?
- A. The user needs to use AWS CLI or API to upload the data
- B. The user can use the AWS Import Export facility to import data to CloudWatch
- C. The user will upload data from the AWS console
- D. The user cannot upload data to CloudWatch since it is not an AWS service metric
Answer: A
Explanation:
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. While sending the data the user has to include the metric name, namespace and timezone as part of the request.
NEW QUESTION 23
A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned steps will not be performed while creating the AMI?
- A. Define the AMI launch permissions
- B. Upload the bundled volume
- C. Register the AMI
- D. Bundle the volume
Answer: A
Explanation:
When the user has launched an EC2 instance from an instance store backed AMI, it will need to follow certain steps, such as "Bundling the root volume", "Uploading the bundled volume" and "Register the AMI". Once the AMI is created the user can set up the launch permission. However, it is not required to set it up during the launch.
NEW QUESTION 24
A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it?
- A. The zone can only be modified using the AWS CLI
- B. It is not possible to change the zone of an instance after it is launched
- C. Stop one of the instances and change the availability zone
- D. From the AWS EC2 console, select the Actions -> Change zones and specify the new zone
Answer: B
Explanation:
With AWS EC2, when a user is launching an instance he can select the availability zone (AZ) at the time of launch. If the zone is not selected, AWS selects it on behalf of the user. Once the instance is launched, the user cannot change the zone of that instance unless he creates an AMI of that instance and launches a new instance from it.
NEW QUESTION 25
A storage admin wants to encrypt all the objects stored in S3 using server side encryption. The user does not want to use the AES 256 encryption key provided by S3. How can the user achieve this?
- A. The admin should upload his secret key to the AWS console and let S3 decrypt the objects
- B. The admin should use CLI or API to upload the encryption key to the S3 bucket. When making a call to the S3 API mention the encryption key URL in each request
- C. S3 does not support client supplied encryption keys for server side encryption
- D. The admin should send the keys and encryption algorithm with each API call
Answer: D
Explanation:
AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key. Amazon S3 never stores the user's encryption key. The user has to supply it for each encryption or decryption call.
NEW QUESTION 26
Your organization is preparing for a security assessment of your use of AWS.
In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
- A. Create individual IAM users for everyone in your organization
- B. Configure MFA on the root account and for privileged IAM users
- C. Assign IAM users and groups configured with policies granting least privilege access
- D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
Answer: BC
Explanation:
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
