A Review Of Realistic SOA-C02 Free Exam Questions

NEW QUESTION 1

A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?

• A. Specify "' as the principal and PrincipalOrgld as a condition.
• B. Specify all account numbers as the principal.
• C. Specify PrincipalOrgld as the principal.
• D. Specify the organization's management account as the principal.

Answer: A

Explanation:
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-p

NEW QUESTION 2

A company has an organization in AWS Organizations. The company uses shared VPCs to provide networking resources across accounts A SysOps administrator has been able to successfully launch and manage Amazon EC2 instances in a participant account However the SysOps administrator is now receiving an InstanceLimitExceeded error when the SysOps administrator tries to launch a new EC2 instance
What should the SysOps administrator do to resolve this error')

• A. Request an instance quota increase from the account that owns the VPC
• B. Launch additional EC2 instances in a different AWS Region
• C. Request an instance quota increase from the parte pant account
• D. Launch additional EC2 instances by using a different Amazon Machine image (AMI)

Answer: A

NEW QUESTION 3

A company needs to automatically monitor an AWS account for potential unauthorized AWS Management Console logins from multiple geographic locations.
Which solution will meet this requirement?

• A. Configure Amazon Cognito to detect any compromised 1AM credentials.
• B. Set up Amazon Inspecto
• C. Scan and monitor resources for unauthorized logins.
• D. Set up AWS Confi
• E. Add the iam-policy-blacklisted-check managed rule to the account.
• F. Configure Amazon GuardDuty to monitor the UnauthorizedAccess:IAMUser/ConsoleLoginSuccess finding.

Answer: D

NEW QUESTION 4

A company has a new requirement stating that all resources In AWS must be tagged according to a set policy. Which AWS service should be used to enforce and continually Identify all resources that are not in compliance with the policy?

• A. AWS CloudTrail
• B. Amazon Inspector
• C. AWS Config
• D. AWS Systems Manager

Answer: C

NEW QUESTION 5

A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances The instances all exist in the same VPC across multiple Availability Zones. There are two instances In each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency.
Which solution will meet these requirements?

• A. Create a mount target for the EFS file system in the VP
• B. Use the mount target to mount the file system on each of the instances
• C. Create a mount target for the EFS file system in one Availability Zone of the VP
• D. Use the mount target to mount the file system on the instances in that Availability Zon
• E. Share the directory with the other instances.
• F. Create a mount target for each instanc
• G. Use each mount target to mount the EFS file system on each respective instance.
• H. Create a mount target in each Availability Zone of the VPC Use the mount target to mount the EFS file system on the Instances in the respective Availability Zone.

Answer: D

Explanation:
A mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file system. You mount your file system using its Domain Name Service (DNS) name, which resolves to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance. You can create one mount target in each Availability Zone in an AWS Region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets. Then all EC2 instances in that Availability Zone share that mount target. https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html

NEW QUESTION 6

A software company runs a workload on Amazon EC2 instances behind an Application Load Balancer (ALB) A SysOcs administrator needs to define a custom health check for the EC2 instances. What is the MOST operationally efficient solution?

• A. Set up each EC2 Instance so that it writes its healthy/unhealthy status into a shared Amazon S3 bucket for the ALB to read
• B. Configure the health check on the ALB and ensure that the HeathCheckPath setting s correct
• C. Set up Amazon ElasticCache to track the EC2 instances as they scale in and out
• D. Configure an Amazon API Gateway health check to ensure custom checks on aw of the EC2 instances

Answer: B

NEW QUESTION 7

A company needs to take an inventory of applications that are running on multiple Amazon EC2 instances. The company has configured users and roles with the appropriate permissions for AWS Systems Manager. An updated version of Systems Manager Agent has been installed and is running on every instance. While configuring an inventory collection, a SysOps administrator discovers that not all the instances in a single subnet are managed by Systems Manager.
What must the SysOps administrator do to fix this issue?

• A. Ensure that all the EC2 instances have the correct tags for Systems Manager access.
• B. Configure AWS Identity and Access Management Access Analyzer to determine and automatically remediate the issue.
• C. Ensure that all the EC2 instances have an instance profile with Systems Manager access.
• D. Configure Systems Manager to use an interface VPC endpoint.

Answer: C

Explanation:
Ensuring that all the EC2 instances have an instance profile with Systems Manager access is the most effective way to fix this issue. Having an instance profile with Systems Manager access will allow the SysOps administrator to configure the inventory collection for all the instances in the subnet, regardless of whether or not they are managed by Systems Manager.

NEW QUESTION 8

A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately. What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?

• A. Add the AWS account to AWS Organization
• B. Enable CloudTrail in the management account.
• C. Create an AWS Config rule that is invoked when CloudTrail configuration change
• D. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
• E. Create an AWS Config rule that is invoked when CloudTrail configuration change
• F. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
• G. Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.

Answer: D

NEW QUESTION 9

A company has an existing web application that runs on two Amazon EC2 instances behind an Application Load Balancer (ALB) across two Availability Zones The application uses an Amazon RDS Multi-AZ DB Instance Amazon Route 53 record sets route requests tor dynamic content to the load balancer and requests for static content to an Amazon S3 bucket Site visitors are reporting extremely long loading times.
Which actions should be taken to improve the performance of the website? (Select TWO )

• A. Add Amazon CloudFront caching for static content
• B. Change the load balancer listener from HTTPS to TCP
• C. Enable Amazon Route 53 latency-based routing
• D. Implement Amazon EC2 Auto Scaling for the web servers
• E. Move the static content from Amazon S3 to the web servers

Answer: AD

NEW QUESTION 10

A company hosts several write-intensive applications. These applications use a MySQL database that runs on a single Amazon EC2 instance. The company asks a SysOps administrator to implement a highly available database solution that is ideal for multi-tenant workloads.
Which solution should the SysOps administrator implement to meet these requirements?

• A. Create a second EC2 instance for MySQ
• B. Configure the second instance to be a read replica.
• C. Migrate the database to an Amazon Aurora DB cluste
• D. Add an Aurora Replica.
• E. Migrate the database to an Amazon Aurora multi-master DB cluster.
• F. Migrate the database to an Amazon RDS for MySQL DB instance.

Answer: C

NEW QUESTION 11

An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of
fs-85ba4Kc. and it is actively used by 10 Amazon EC2 hosts The organization has become concerned that the file system is not encrypted
How can this be resolved?

• A. Enable encryption on each host's connection to the Amazon EFS volume Each connection must be recreated for encryption to take effect
• B. Enable encryption on the existing EFS volume by using the AWS Command Line Interface
• C. Enable encryption on each host's local drive Restart each host to encrypt the drive
• D. Enable encryption on a newly created volume and copy all data from the original volume Reconnect each host to the new volume

Answer: D

Explanation:
https://docs.aws.amazon.com/efs/latest/ug/encryption.html
Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. You can enable encryption of data at rest when creating an Amazon EFS file system. You can enable encryption of data in transit when you mount the file system.

NEW QUESTION 12

A SysOps administrator needs to give users the ability to upload objects to an Amazon S3 bucket. The SysOps administrator creates a presigned URL and provides the URL to a user, but the user cannot upload an object to the S3 bucket. The presigned URL has not expired, and no bucket policy is applied to the S3 bucket.
Which of the following could be the cause of this problem?

• A. The user has not properly configured the AWS CLI with their access key and secret access key.
• B. The SysOps administrator does not have the necessary permissions to upload the object to the S3 bucket.
• C. The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.
• D. The object already has been uploaded through the use of the presigned URL, so the presigned URL is no longer valid.

Answer: B

NEW QUESTION 13

A SysOps administrator has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow all outbound traffic:
Which solution will provide the EC2 instances in the private subnet with access to the internet?

• A. Create a NAT gateway in the public subne
• B. Create a route from the private subnet to the NAT gateway.
• C. Create a NAT gateway in the public subne
• D. Create a route from the public subnet to the NAT gateway.
• E. Create a NAT gateway in the private subne
• F. Create a route from the public subnet to the NAT gateway.
• G. Create a NAT gateway in the private subne
• H. Create a route from the private subnet to the NAT gateway.

Answer: A

Explanation:
NAT Gateway resides in public subnet, and traffic should be routed from private subnet to NAT Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

NEW QUESTION 14

A company is running a flash sale on its website. The website is hosted on burstable performance Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group is configured to launch instances when the CPU utilization is above 70%.
A couple of hours into the sale, users report slow load times and error messages for refused connections. A SysOps administrator reviews Amazon CloudWatch metrics and notices that the CPU utilization is at 20% across the entire fleet of instances.
The SysOps administrator must restore the website's functionality without making changes to the network infrastructure.
Which solution will meet these requirements?

• A. Activate unlimited mode for the instances in the Auto Scaling group.
• B. Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group.
• C. Move the website to a different AWS Region that is closer to the users.
• D. Reduce the desired size of the Auto Scaling group to artificially increase CPU average utilization.

Answer: B

Explanation:
Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group does not breach the requirement of no changes in the network infrastructure. Reason is that cloudfront is a distribution that allows you to distribute content using a worldwide network of edge locations that provide low latency and high data transfer speeds. It plug in to existing setup, not changes to it.

NEW QUESTION 15

A company manages an application that uses Amazon ElastiCache for Redis with two extra-large nodes spread across two different Availability Zones. The company's IT team discovers that the ElastiCache for Redis cluster has 75% freeable memory. The application must maintain high availability.
What is the MOST cost-effective way to resize the cluster?

• A. Decrease the number of nodes in the ElastiCache for Redis cluster from 2 to 1.
• B. Deploy a new ElastiCache for Redis cluster that uses large node type
• C. Migrate the data from the original cluster to the new cluste
• D. After the process is complete, shut down the original duster.
• E. Deploy a new ElastiCache for Redis cluster that uses large node type
• F. Take a backup from the original cluster, and restore the backup in the new cluste
• G. After the process is complete, shut down the original cluster.
• H. Perform an online resizing for the ElastiCache for Redis cluste
• I. Change the node types from extra-large nodes to large nodes.

Answer: D

Explanation:
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/scaling-redis-cluster-mode-enabled.html As demand on your clusters changes, you might decide to improve performance or reduce costs by changing the number of shards in your Redis (cluster mode enabled) cluster. We recommend using online horizontal scaling to do so, because it allows your cluster to continue serving requests during the scaling process. https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/redis-cluster-vertical-scaling-scaling-down.html

NEW QUESTION 16

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.
Which solution will meet this requirement?

• A. Create a new security group to block traffic to the external IP addres
• B. Assign the new security group to the EC2 instance.
• C. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
• D. Create a network AC
• E. Add an outbound deny rule for traffic to the external IP address.
• F. Create a new security group to block traffic to the external IP addres
• G. Assign the new security group to the entire VPC.

Answer: C

Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

NEW QUESTION 17

A company has an Amazon RDS DB instance. The company wants to implement a caching service while maintaining high availability.
Which combination of actions will meet these requirements? (Choose two.)

• A. Add Auto Discovery to the data store.
• B. Create an Amazon ElastiCache for Memcached data store.
• C. Create an Amazon ElastiCache for Redis data store.
• D. Enable Multi-AZ for the data store.
• E. Enable Multi-threading for the data store.

Answer: CD

Explanation:
https://aws.amazon.com/elasticache/memcached/ https://aws.amazon.com/elasticache/redis/

NEW QUESTION 18

A company is undergoing an external audit of its systems, which run wholly on AWS. A SysOps administrator must supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS.
Which set of action should the SysOps administrator take to meet this requirement?

• A. Download the applicable reports from the AWS Artifact portal and supply these to the auditors.
• B. Download complete copies of the AWS CloudTrail log files and supply these to the auditors.
• C. Download complete copies of the AWS CloudWatch logs and supply these to the auditors.
• D. Provide the auditors with administrative access to the production AWS account so that the auditors can determine compliance.

Answer: A

NEW QUESTION 19

A SysOps administrator has successfully deployed a VPC with an AWS Cloud Formation template The SysOps administrator wants to deploy me same template across multiple accounts that are managed through AWS Organizations.
Which solution will meet this requirement with the LEAST operational overhead?

• A. Assume the OrganizationAccountAcccssKolc IAM role from the management accoun
• B. Deploy the template in each of the accounts
• C. Create an AWS Lambda function to assume a role in each account Deploy the template by using the AWS CloudFormation CreateStack API call
• D. Create an AWS Lambda function to query fc a list of accounts Deploy the template by using the AWS Cloudformation CreateStack API call.
• E. Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts

Answer: D

Explanation:
AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions

NEW QUESTION 20
......