Top Tips Of Improved SOA-C02 Real Exam


Online Amazon-Web-Services SOA-C02 free dumps demo Below:

NEW QUESTION 1

A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys.
The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.
Which solution will securely share the AMI with the other AWS accounts?

  • A. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
  • B. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
  • C. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to make it public.
  • D. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.

Answer: B

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html

NEW QUESTION 2

A SysOps administrator must manage the security of an AWS account. Recently, an IAM user's access key was mistakenly uploaded to a public code repository. The SysOps administrator must identify anything that was changed by using this access key.

  • A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all IAM events to an AWS Lambda function for analysis.
  • B. Query Amazon EC2 logs by using Amazon CloudWatch Logs Insights for all events initiated with the compromised access key within the suspected timeframe.
  • C. Search AWS CloudTrail event history for all events initiated with the compromised access key within the suspected timeframe.
  • D. Search VPC Flow Logs for all events initiated with the compromised access key within the suspected timeframe.

Answer: C

NEW QUESTION 3

A company plans to migrate several of its high performance computing (HPC) virtual machines (VMs) to Amazon EC2 instances on AWS. A SysOps administrator must identify a placement group for this deployment. The strategy must minimize network latency and must maximize network throughput between the HPC VMs.
Which strategy should the SysOps administrator choose to meet these requirements?

  • A. Deploy the instances in a cluster placement group in one Availability Zone.
  • B. Deploy the instances in a partition placement group in two Availability Zones.
  • C. Deploy the instances in a partition placement group in one Availability Zone.
  • D. Deploy the instances in a spread placement group in two Availability Zones.

Answer: A

NEW QUESTION 4

A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?

  • A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR ranges. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Logs. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
  • B. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instances. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
  • C. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
  • D. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by tag. Tag the EC2 instances with an identifier. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.

Answer: C

Explanation:
https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aw

NEW QUESTION 5

A company's customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps administrator observed a very high rate of read operations on a particular S3 bucket.
What will minimize latency by reducing load on the S3 bucket?

  • A. Migrate the S3 bucket to a region that is closer to end users' geographic locations
  • B. Use cross-region replication to replicate all of the data to another region
  • C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.
  • D. Use Amazon ElastiCache to cache data being served from Amazon S3

Answer: C

NEW QUESTION 6

A SysOps administrator uses AWS Systems Manager Session Manager to connect to instances. After the SysOps administrator launches a new Amazon EC2 instance, the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps administrator verifies that Systems Manager Agent is installed, updated, and running on the EC2 instance.
What is the reason for this issue?

  • A. The SysOps administrator does not have access to the key pair that is required for connection
  • B. The SysOps administrator has not attached a security group to the EC2 instance to allow SSH on port 22.
  • C. The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.
  • D. The EC2 instance ID has not been entered into the Session Manager configuration

Answer: C

NEW QUESTION 7

A SysOps administrator is configuring an application on Amazon EC2 instances for a company. Teams in other countries will use the application over the internet. The company requires the application endpoint to have a static public IP address.
How should the SysOps administrator deploy the application to meet this requirement?

  • A. Behind an Amazon API Gateway API
  • B. Behind an Application Load Balancer
  • C. Behind an internet-facing Network Load Balancer
  • D. In an Amazon CloudFront distribution

Answer: C

NEW QUESTION 8

An AWS Lambda function is intermittently failing several times a day. A SysOps administrator must find out how often this error has occurred in the last 7 days.
Which action will meet this requirement in the MOST operationally efficient manner?

  • A. Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function
  • B. Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function
  • C. Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs
  • D. Use Amazon Elasticsearch Service (Amazon ES) to stream the Amazon CloudWatch logs for the Lambda function

Answer: C

NEW QUESTION 9

A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:
SOA-C02 dumps exhibit
How should the administrator ensure that the AWS CloudFormation template is working in every region?

  • A. Copy the source region's Amazon Machine Image (AMI) to the destination region and assign it the same ID.
  • B. Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
  • C. Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the aws::EC2::ami::imageiD control.
  • D. Modify the AWS CloudFormation template by including the AMI IDs in the "Mappings" section. Refer to the proper mapping within the template for the proper AMI ID.

Answer: A

NEW QUESTION 10

A company wants to build a solution for its business-critical Amazon RDS for MySQL database. The database requires high availability across different geographic locations. A SysOps administrator must build a solution to handle a disaster recovery (DR) scenario with the lowest recovery time objective (RTO) and recovery point objective (RPO).
Which solution meets these requirements?

  • A. Create automated snapshots of the database on a schedule. Copy the snapshots to the DR Region.
  • B. Create a cross-Region read replica for the database.
  • C. Create a Multi-AZ read replica for the database.
  • D. Schedule AWS Lambda functions to create snapshots of the source database and to copy the snapshots to a DR Region.

Answer: B

NEW QUESTION 11

An Amazon S3 Inventory report reveals that more than 1 million objects in an S3 bucket are not encrypted. These objects must be encrypted, and all future objects must be encrypted at the time they are written.
Which combination of actions should a SysOps administrator take to meet these requirements? (Select TWO.)

  • A. Create an AWS Config rule that runs evaluations against configuration changes to the S3 bucket. When an unencrypted object is found, run an AWS Systems Manager Automation document to encrypt the object in place.
  • B. Edit the properties of the S3 bucket to enable default server-side encryption.
  • C. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Create an S3 Batch Operations job to copy each object in place with encryption enabled.
  • D. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted. Send each object name as a message to an Amazon Simple Queue Service (Amazon SQS) queue. Use the SQS queue to invoke an AWS Lambda function to tag each object with a key of "Encryption" and a value of "SSE-KMS".
  • E. Use S3 Event Notifications to invoke an AWS Lambda function on all new object-created events for the S3 bucket. Configure the Lambda function to check whether the object is encrypted and to run an AWS Systems Manager Automation document to encrypt the object in place when an unencrypted object is found.

Answer: BC

Explanation:
https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

NEW QUESTION 12

A software development company has multiple developers who work on the same product. Each developer must have their own development environment, and these development environments must be identical. Each development environment consists of Amazon EC2 instances and an Amazon RDS DB instance. The development environments should be created only when necessary, and they must be terminated each night to minimize costs.
What is the MOST operationally efficient solution that meets these requirements?

  • A. Provide developers with access to the same AWS CloudFormation template so that they can provision their development environment when necessary. Schedule a nightly cron job on each development instance to stop all running processes to reduce CPU utilization to nearly zero.
  • B. Provide developers with access to the same AWS CloudFormation template so that they can provision their development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to delete the AWS CloudFormation stacks.
  • C. Provide developers with CLI commands so that they can provision their own development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to terminate all EC2 instances and the DB instance.
  • D. Provide developers with CLI commands so that they can provision their own development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to cause AWS CloudFormation to delete all of the development environment resources.

Answer: B

NEW QUESTION 13

A company is trying to connect two applications. One application runs in an on-premises data center that has a hostname of hostl.onprem.private. The other application runs on an Amazon EC2 instance that has a hostname of hostl.awscloud.private. An AWS Site-to-Site VPN connection is in place between the on-premises network and AWS.
The application that runs in the data center tries to connect to the application that runs on the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS resolution between on-premises and AWS resources.
Which solution allows the on-premises application to resolve the EC2 instance hostname?

  • A. Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.
  • B. Set up an Amazon Route 53 inbound resolver endpoint. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.
  • C. Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the outbound resolver endpoint.
  • D. Set up an Amazon Route 53 outbound resolver endpoint. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint.

Answer: C

NEW QUESTION 14

If your AWS Management Console browser does not show that you are logged in to an AWS account, close the browser and relaunch the console by using the AWS Management Console shortcut from the VM desktop.
If the copy-paste functionality is not working in your environment, refer to the instructions file on the VM desktop and use Ctrl+C, Ctrl+V or Command-C, Command-V.
Configure Amazon EventBridge to meet the following requirements.
1. Use the us-east-2 Region for all resources.
2. Unless specified below, use the default configuration settings.
3. Use your own resource naming unless a resource name is specified below.
4. Ensure all Amazon EC2 events in the default event bus are replayable for the past 90 days.
5. Create a rule named RunFunction to send the exact message every 15 minutes to an existing AWS Lambda function named LogEventFunction.
6. Create a rule named SpotWarning to send a notification to a new standard Amazon SNS topic named TopicEvents whenever an Amazon EC2 Spot Instance is interrupted. Do NOT create any topic subscriptions. The notification must match the following structure:
SOA-C02 dumps exhibit
Input Path:
{"instance" : "$.detail.instance-id"}
Input template:
"The EC2 Spot Instance <instance> has been on account.


Solution:
Here are the steps to configure Amazon EventBridge to meet the above requirements:
  • Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.
  • Go to the EventBridge service in the us-east-2 Region.
  • In the EventBridge service, navigate to the "Event buses" page.
  • Click on the "Create event bus" button.
  • Give a name to your event bus, and select "default" as the event source type.
  • Navigate to the "Rules" page and create a new rule named "RunFunction".
  • In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.
  • In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction".
  • Create another rule named "SpotWarning".
  • In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption".
  • In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents".
  • In the "Input Transformer" section, set the Input Path to {"instance" : "$.detail.instance-id"} and Input template to "The EC2 Spot Instance <instance> has been interrupted on account.
  • Now all Amazon EC2 events in the default event bus will be replayable for the past 90 days.
Note:
  • You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.
  • You can use CloudTrail event history to replay events from the past 90 days.
  • You can refer to the AWS EventBridge documentation for more information on how to configure and use the service: https://aws.amazon.com/eventbridge/

Does this meet the goal?
  • A. Yes
  • B. Not Mastered

Answer: A

NEW QUESTION 15

A company is running an application on premises and wants to use AWS for data backup. All of the data must be available locally. The backup application can write only to block-based storage that is compatible with the Portable Operating System Interface (POSIX).
Which backup solution will meet these requirements?

  • A. Configure the backup software to use Amazon S3 as the target for the data backups
  • B. Configure the backup software to use Amazon S3 Glacier as the target for the data backups
  • C. Use AWS Storage Gateway, and configure it to use gateway-cached volumes
  • D. Use AWS Storage Gateway, and configure it to use gateway-stored volumes

Answer: D

Explanation:
https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html

NEW QUESTION 16

A SysOps administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet.
SOA-C02 dumps exhibit
What should be added to the private subnet's route table in order to address this issue, given the information provided?

  • A. 0.0.0.0/0 IGW
  • B. 0.0.0.0/0 NAT
  • C. 10.0.1.0/24 IGW
  • D. 10.0.1.0/24 NAT

Answer: B

NEW QUESTION 17

A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video files into the destination S3 bucket in the United States.
What are the MOST cost-effective ways to increase upload speeds into the S3 bucket? (Select TWO.)

  • A. Create multiple AWS Direct Connect connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
  • B. Create multiple AWS Site-to-Site VPN connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
  • C. Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket.
  • D. Use AWS Global Accelerator for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
  • E. Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.

Answer: CE

NEW QUESTION 18

A SysOps administrator is responsible for a large fleet of Amazon EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead?

  • A. Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring
  • B. List any instances with failed system status checks using the AWS Management Console
  • C. Monitor AWS CloudTrail for StopInstances API calls
  • D. Review the AWS Personal Health Dashboard

Answer: D

Explanation:
https://docs.aws.amazon.com/health/latest/ug/cloudwatch-events-health.html

NEW QUESTION 19

A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances. The company needs a solution that produces no additional cost.
Which solution will meet these requirements?

  • A. Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC.
  • B. Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC.
  • C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.
  • D. Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table.

Answer: C
