Check SOA-C02 free dumps before getting the full version:
NEW QUESTION 1
A company updates its security policy to clarify cloud hosting arrangements for regulated workloads. Workloads that are identified as sensitive must run on hardware that is not shared with other customers or with other AWS accounts within the company.
Which solution will ensure compliance with this policy?
- A. Deploy workloads only to Dedicated Hosts.
- B. Deploy workloads only to Dedicated Instances.
- C. Deploy workloads only to Reserved Instances.
- D. Place all instances in a dedicated placement group.
Answer: A
Explanation:
Dedicated Hosts are physical servers that are dedicated to a single customer, ensuring that the customer’s workloads are not shared with other customers or with other AWS accounts within the company. This will ensure that the company’s security policy is followed and that sensitive workloads are running on hardware that is not shared with other customers or with other AWS accounts within the company.
NEW QUESTION 2
A webpage is stored in an Amazon S3 bucket behind an Application Load Balancer (ALB). Configure the S3 bucket to serve a static error page in the event of a failure at the primary site.
* 1. Use the us-east-2 Region for all resources.
* 2. Unless specified below, use the default configuration settings.
* 3. There is an existing hosted zone named lab-751906329398-26023898.com that contains an A record with a simple routing policy that routes traffic to an existing ALB.
* 4. Configure the existing S3 bucket named lab-751906329398-26023898.com as a static hosted website using the object named index.html as the index document.
* 5. For the index.html object, configure the S3 ACL to allow for public read access. Ensure public access to the S3 bucket is allowed.
* 6. In Amazon Route 53, change the A record for domain lab-751906329398-26023898.com to a primary record for a failover routing policy. Configure the record so that it evaluates the health of the ALB to determine failover.
* 7. Create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.
Solution:
Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:
Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.
Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.
In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".
In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"
In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.
Click on "Bucket Policy" and add the following policy to allow public read access:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"
    }
  ]
}
```
Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.
Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.
Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.
Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.
Note:
You can use CloudWatch to monitor the health of your ALB.
You can use Amazon S3 to host a static website.
You can use Amazon Route 53 for routing traffic to different resources based on health checks.
You can refer to the AWS documentation for more information on how to configure and use these services:
https://aws.amazon.com/s3/
https://aws.amazon.com/route53/
https://aws.amazon.com/cloudwatch/

Does this meet the goal?
- A. Yes
- B. Not Mastered
Answer: A
NEW QUESTION 3
With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?
- A. Deny Post, Put, and Delete on the bucket.
- B. Enable server-side encryption on the bucket.
- C. Enable Amazon S3 versioning on the bucket.
- D. Enable snapshots on the bucket.
Answer: B
NEW QUESTION 4
A SysOps administrator must configure a resilient tier of Amazon EC2 instances for a high performance computing (HPC) application. The HPC application requires minimum latency between nodes.
Which actions should the SysOps administrator take to meet these requirements? (Select TWO.)
- A. Create an Amazon Elastic File System (Amazon EFS) file system. Mount the file system to the EC2 instances by using user data
- B. Create a Multi-AZ Network Load Balancer in front of the EC2 instances
- C. Place the EC2 instances in an Auto Scaling group within a single subnet
- D. Launch the EC2 instances into a cluster placement group
- E. Launch the EC2 instances into a partition placement group
Answer: AD
NEW QUESTION 5
A company needs to ensure strict adherence to a budget for 25 applications deployed on AWS. Separate teams are responsible for storage, compute, and database costs. A SysOps administrator must implement an automated solution to alert each team when their projected spend will exceed a quarterly amount that has been set by the finance department. The solution cannot incur additional compute, storage, or database costs.
- A. Configure AWS Cost and Usage Reports to send a daily report to an Amazon S3 bucket. Create an AWS Lambda function that will evaluate spend by service and notify each team by using Amazon Simple Notification Service (Amazon SNS) notifications. Invoke the Lambda function when a report is placed in the S3 bucket.
- B. Configure AWS Cost and Usage Reports to send a daily report to an Amazon S3 bucket. Create a rule in Amazon EventBridge (Amazon CloudWatch Events) to evaluate the spend by service and notify each team by using Amazon Simple Queue Service (Amazon SQS) when the cost threshold is exceeded.
- C. Use AWS Budgets to create one cost budget and select each of the services in use. Specify the budget amount defined by the finance department along with the forecasted cost threshold. Enter the appropriate email recipients for the budget.
- D. Use AWS Budgets to create a cost budget for each team, filtering by the services they own. Specify the budget amount defined by the finance department along with a forecasted cost threshold. Enter the appropriate email recipients for each budget.
Answer: D
NEW QUESTION 6
A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times:
"** Error Establishing a Database Connection
Which of the following may be causes of the connectivity problems? (Select TWO.)
- A. The security group for the database does not have the appropriate egress rule from the database to the web server.
- B. The certificate used by the web server is not trusted by the RDS instance.
- C. The security group for the database does not have the appropriate ingress rule from the web server to the database.
- D. The port used by the application developer does not match the port specified in the RDS configuration.
- E. The database is still being created and is not available for connectivity.
Answer: CD
NEW QUESTION 7
A company runs an application on Amazon EC2 instances. The EC2 instances are in an Auto Scaling group and run behind an Application Load Balancer (ALB). The application experiences errors when total requests exceed 100 requests per second. A SysOps administrator must collect information about total requests for a 2-week period to determine when requests exceeded this threshold.
What should the SysOps administrator do to collect this data?
- A. Use the ALB’s RequestCount metric. Configure a time range of 2 weeks and a period of 1 minute. Examine the chart to determine peak traffic times and volumes.
- B. Use Amazon CloudWatch metric math to generate a sum of request counts for all the EC2 instances over a 2-week period. Sort by a 1-minute interval.
- C. Create Amazon CloudWatch custom metrics on the EC2 launch configuration templates to create aggregated request metrics across all the EC2 instances.
- D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure an EC2 event matching pattern that creates a metric that is based on EC2 requests. Display the data in a graph.
Answer: A
Explanation:
Using the ALB’s RequestCount metric will allow the SysOps administrator to collect information about total requests for a 2-week period and determine when requests exceeded the threshold of 100 requests per second. Configuring a time range of 2 weeks and a period of 1 minute will ensure that the data can be accurately examined to determine peak traffic times and volumes.
NEW QUESTION 8
An application runs on multiple Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group is configured to use the latest version of a launch template. A SysOps administrator must devise a solution that centrally manages the application logs and retains the logs for no more than 90 days.
Which solution will meet these requirements?
- A. Launch an Amazon Machine Image (AMI) that is preconfigured with the Amazon CloudWatch Logs agent to send logs to an Amazon S3 bucket. Apply a 90-day S3 Lifecycle policy on the S3 bucket to expire the application logs.
- B. Launch an Amazon Machine Image (AMI) that is preconfigured with the Amazon CloudWatch Logs agent to send logs to a log group. Create an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to perform an instance refresh every 90 days.
- C. Update the launch template user data to install and configure the Amazon CloudWatch Logs agent to send logs to a log group. Configure the retention period on the log group to be 90 days.
- D. Update the launch template user data to install and configure the Amazon CloudWatch Logs agent to send logs to a log group. Set the log rotation configuration of the EC2 instances to 90 days.
Answer: C
NEW QUESTION 9
A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the administrator is unable to connect to any of the domains that reside on the internet.
What additional route destination rule should the administrator add to the route tables?
- A. Route ::/0 traffic to a NAT gateway
- B. Route ::/0 traffic to an internet gateway
- C. Route 0.0.0.0/0 traffic to an egress-only internet gateway
- D. Route ::/0 traffic to an egress-only internet gateway
Answer: D
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html
NEW QUESTION 10
A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC. While reviewing the logs, the SysOps administrator notices that rejected traffic is not listed.
What should the SysOps administrator do to ensure that all traffic is logged?
- A. Create a new flow log that has a filter setting to capture all traffic.
- B. Create a new flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
- C. Edit the existing flow log. Change the filter setting to capture all traffic.
- D. Edit the existing flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
Answer: A
NEW QUESTION 11
A company needs to deploy a new workload on AWS. The company must encrypt all data at rest and must rotate the encryption keys once each year. The workload uses an Amazon RDS for MySQL Multi-AZ database for data storage.
Which configuration approach will meet these requirements?
- A. Enable Transparent Data Encryption (TDE) in the MySQL configuration file. Manually rotate the key every 12 months.
- B. Enable RDS encryption on the database at creation time by using the AWS managed key for Amazon RDS.
- C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable RDS encryption on the database at creation time by using the KMS key.
- D. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the RDS DB instance.
Answer: C
Explanation:
This configuration approach will meet the requirement of encrypting all data at rest and rotating the encryption keys once each year. By creating a new AWS KMS customer managed key and enabling automatic key rotation, the encryption keys will be rotated automatically every year. By enabling RDS encryption on the database at creation time using the KMS key, all data stored in the RDS for MySQL Multi-AZ database will be encrypted at rest. This approach provides more control over key management and rotation and provides additional security benefits.
NEW QUESTION 12
A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps administrator notices that some of these EC2 instances show up as healthy in the Auto Scaling group but show up as unhealthy in the ALB target group.
What is a possible reason for this issue?
- A. Security groups are not allowing traffic between the ALB and the failing EC2 instances
- B. The Auto Scaling group health check is configured for EC2 status checks
- C. The EC2 instances are failing to launch and failing EC2 status checks.
- D. The target group health check is configured with an incorrect port or path
Answer: D
NEW QUESTION 13
A SysOps administrator is unable to authenticate an AWS CLI call to an AWS service.
Which of the following is the cause of this issue?
- A. The IAM password is incorrect
- B. The server certificate is missing
- C. The SSH key pair is incorrect
- D. There is no access key
Answer: C
NEW QUESTION 14
A company has two VPC networks named VPC A and VPC B. The VPC A CIDR block is 10.0.0.0/16 and the VPC B CIDR block is 172.31.0.0/16. The company wants to establish a VPC peering connection named pcx-12345 between both VPCs.
Which rules should appear in the route table of VPC A after configuration? (Select TWO.)
- A. Destination: 10.0.0.0/16, Target: Local
- B. Destination: 172.31.0.0/16, Target: Local
- C. Destination: 10.0.0.0/16, Target: pcx-12345
- D. Destination: 172.31.0.0/16, Target: pcx-12345
- E. Destination: 10.0.0.0/16, Target: 172.31.0.0/16
Answer: AD
Explanation:
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html
NEW QUESTION 15
A company has a web application with a database tier that consists of an Amazon EC2 instance that runs MySQL. A SysOps administrator needs to minimize potential data loss and the time that is required to recover in the event of a database failure.
What is the MOST operationally efficient solution that meets these requirements?
- A. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric to invoke an AWS Lambda function that stops and starts the EC2 instance.
- B. Create an Amazon RDS for MySQL Multi-AZ DB instance. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.
- C. Create an Amazon RDS for MySQL Single-AZ DB instance with a read replica. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.
- D. Use Amazon Data Lifecycle Manager (Amazon DLM) to take a snapshot of the Amazon Elastic Block Store (Amazon EBS) volume every hour. In the event of an EC2 instance failure, restore the EBS volume from a snapshot.
Answer: D
NEW QUESTION 16
A company's SysOps administrator deploys a public Network Load Balancer (NLB) in front of the company's web application. The web application does not use any Elastic IP addresses. Users must access the web application by using the company's domain name. The SysOps administrator needs to configure Amazon Route 53 to route traffic to the NLB.
Which solution will meet these requirements MOST cost-effectively?
- A. Create a Route 53 AAAA record for the NLB.
- B. Create a Route 53 alias record for the NLB.
- C. Create a Route 53 CAA record for the NLB.
- D. Create a Route 53 CNAME record for the NLB.
Answer: B
NEW QUESTION 17
A development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
- A. AWS Shield Standard
- B. AWS WAF
- C. Elastic Load Balancing
- D. Amazon Cognito
Answer: B
NEW QUESTION 18
A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded; however, upon navigating to the site, the following error message is received:
403 Forbidden - Access Denied
What change should be made to fix this error?
- A. Add a bucket policy that grants everyone read access to the bucket.
- B. Add a bucket policy that grants everyone read access to the bucket objects.
- C. Remove the default bucket policy that denies read access to the bucket.
- D. Configure cross-origin resource sharing (CORS) on the bucket.
Answer: B
NEW QUESTION 19
A SysOps administrator creates an AWS CloudFormation template to define an application stack that can be deployed in multiple AWS Regions.
The SysOps administrator also creates an Amazon CloudWatch dashboard by using the AWS Management Console. Each deployment of the application requires its own CloudWatch dashboard.
How can the SysOps administrator automate the creation of the CloudWatch dashboard each time the application is deployed?
- A. Create a script by using the AWS CLI to run the aws cloudformation put-dashboard command with the name of the dashboard. Run the command each time a new CloudFormation stack is created.
- B. Export the existing CloudWatch dashboard as JSON. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Include the exported JSON in the resource's DashboardBody property.
- C. Update the CloudFormation template to define an resource. Use the intrinsic Ref function to reference the ID of the existing CloudWatch dashboard.
- D. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Specify the name of the existing dashboard in the DashboardName property.
Answer: B
Explanation:
You can only use the Intrinsic Ref function to reference a resource that is being created at the same time as the current CloudFormation template. The question states that the CloudWatch dashboard was previously created using the AWS Management Console, so there is no ID to reference the existing CloudWatch dashboard in the CloudFormation template. You would need to export the existing CloudWatch dashboard as JSON, then use the DashboardBody property in the CloudFormation template to replicate it upon each deployment
(https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/CloudWatch-Dashboard-Body-Structu
