A Review Of Validated SOA-C02 Free Practice Test

NEW QUESTION 1

A SysOps administrator needs to design a high-traffic static website. The website must be highly available and must provide the lowest possible latency to users across the globe.
Which solution will meet these requirements?

• A. Create an Amazon S3 bucket, and upload the website content to the S3 bucke
• B. Create an Amazon CloudFront distribution in each AWS Region, and set the S3 bucket as the origi
• C. Use Amazon Route 53 to create a DNS record that uses a geolocation routing policy to route traffic to the correct CloudFront distribution based on where the request originates.
• D. Create an Amazon S3 bucket, and upload the website content to the S3 bucke
• E. Create an Amazon CloudFront distribution, and set the S3 bucket as the origi
• F. Use Amazon Route 53 to create an alias record that points to the CloudFront distribution.
• G. Create an Application Load Balancer (ALB) and a target grou
• H. Create an Amazon EC2 Auto Scaling group with at least two EC2 instances in the associated target grou
• I. Store the website content on the EC2 instance
• J. Use Amazon Route 53 to create an alias record that points to the ALB.
• K. Create an Application Load Balancer (ALB) and a target group in two Region
• L. Create an Amazon EC2 Auto Scaling group in each Region with at least two EC2 instances in each target grou
• M. Store the website content on the EC2 instance
• N. Use Amazon Route 53 to create a DNS record that uses a geolocation routing policy to route traffic to the correct ALB based on where the request originates.

Answer: B

NEW QUESTION 2

A company plans to launch a static website on its domain example com and subdomain www example.com using Amazon S3. How should the SysOps administrator meet this requirement?

• A. Create one S3 bucket named example.com for both the domain and subdomain.
• B. Create one S3 bucket with a wildcard named '.example.com tor both the domain and subdomain.
• C. Create two S3 buckets named example.com and www.exdmpte.co
• D. Configure the subdomain bucket to redirect requests to the domain bucket.
• E. Create two S3 buckets named http//example.com and http//" exampte.co
• F. Configure the wildcard (') bucket to redirect requests to the domain bucket.

Answer: C

NEW QUESTION 3

A company's IT department noticed an increase in the spend of their developer AWS account. There are over 50 developers using the account, and the finance team wants to determine the service costs incurred by each developer.
What should a SysOps administrator do to collect this information? (Select TWO.)

• A. Activate the createdBy tag in the account.
• B. Analyze the usage with Amazon CloudWatch dashboards.
• C. Analyze the usage with Cost Explorer.
• D. Configure AWS Trusted Advisor to track resource usage.
• E. Create a billing alarm in AWS Budgets.

Answer: AC

NEW QUESTION 4

A company's SysOps administrator must ensure that all Amazon EC2 Windows instances that are launched in an AWS account have a third-party agent installed. The third-party agent has an msi package. The company uses AWS Systems Manager for patching, and the Windows instances are tagged appropriately. The third-party agent required periodic updates as new versions are released. The SysOps administrator must deploy these updates automatically
Which combination of steps will meet these requirements with the LEAST operational effort? (Seed TWO.) Create a Systems Manager Distributor package for the third-party agent.

• A. Make sure that Systems Manager Inventory Is configure
• B. If Systems Manager Inventory is not configured, set up a new inventory tor instances that is based on the appropriate tag value for Windows.
• C. Create a Systems Manager State Manager association to run the AWS-RunRemoteScript document.Populate the details of the third-party agent packag
• D. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day
• E. Create a Systems Manager State Manager- association to run the AWS-ConfigureAWSPackage documen
• F. Populate the details of the third-party agent packag
• G. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day
• H. Create a Systems Manager Opsitem with the tag value for Windows Attach the Systems Manager Distributor package to the Opsite
• I. Create a maintenance window that is specific to the package deployment Configure the maintenance window to cover 24 hours a day.

Answer: AD

Explanation:
https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor-working-with-packages-deploy.html

NEW QUESTION 5

A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance.
Which of the following are possible causes of this issue? (Choose two.)

• A. A network ACL associated with the bastion's subnet is blocking the network traffic.
• B. The instance does not have a private IP address.
• C. The route table associated with the bastion's subnet does not have a route to the internet gateway.
• D. The security group for the instance does not have an inbound rule on port 22.
• E. The security group for the instance does not have an outbound rule on port 3389.

Answer: AC

NEW QUESTION 6

A SysOps administrator has an AWS CloudFormation template of the company's existing infrastructure in us-west-2. The administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back.
Why would this template fail to deploy? (Select TWO.)

• A. The template referenced an IAM user that is not available in eu-west-1.
• B. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1.
• C. The template did not have the proper level of permissions to deploy the resources.
• D. The template requested services that do not exist in eu-west-1.
• E. CloudFormation templates can be used only to update existing services.

Answer: BD

NEW QUESTION 7

A company must ensure that any objects uploaded to an S3 bucket are encrypted. Which of the following actions will meet this requirement? (Choose two.)

• A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
• B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
• C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
• D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
• E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.

Answer: CE

Explanation:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html
You can set the default encryption behavior on an Amazon S3 bucket so that all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) customer master keys (CMKs).
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/ How to Prevent Uploads of Unencrypted Objects to Amazon S3#
By using an S3 bucket policy, you can enforce the encryption requirement when users upload objects, instead of assigning a restrictive IAM policy to all users.

NEW QUESTION 8

A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin.
The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution.
What should a SysOps administrator do to resolve this problem?

• A. Examine the expiration date on the certificate on the origin sit
• B. Validate that the certificate has not expire
• C. Replace the certificate if necessary.
• D. Examine the hostname on the certificate on the origin sit
• E. Validate that the hostname matches one of the hostnames on the CloudFront distributio
• F. Replace the certificate if necessary.
• G. Examine the firewall rules that are associated with the origin serve
• H. Validate that port 443 is open for inbound traffic from the interne
• I. Create an inbound rule if necessary.
• J. Examine the network ACL rules that are associated with the CloudFront distributio
• K. Validate that port 443 is open for outbound traffic to the origin serve
• L. Create an outbound rule if necessary.

Answer: A

Explanation:
HTTP 502 errors from CloudFront can occur because of the following reasons:
There's an SSL negotiation failure because the origin is using SSL/TLS protocols and ciphers that aren't supported by CloudFront.
There's an SSL negotiation failure because the SSL certificate on the origin is expired or invalid, or because the certificate chain is invalid.
There's a host header mismatch in the SSL negotiation between your CloudFront distribution and the custom origin.
The custom origin isn't responding on the ports specified in the origin settings of the CloudFront distribution. The custom origin is ending the connection to CloudFront too quickly.
https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cloudfront-connection-error/

NEW QUESTION 9

A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts.
Which solution will meet these requirements?

• A. Purchase RIs in individual member account
• B. Disable Rl discount sharing in the management account.
• C. Purchase RIs in individual member account
• D. Disable Rl discount sharing in the member accounts.
• E. Purchase RIs in the management accoun
• F. Disable Rl discount sharing in the management account.
• G. Purchase RIs in the management accoun
• H. Disable Rl discount sharing in the member accounts.

Answer: A

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ri-consolidated-billing/
RI discounts apply to accounts in an organization's consolidated billing family depending upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account. The capacity reservation for an RI applies only to the account the RI was purchased on, no matter whether RI sharing is turned on or off.

NEW QUESTION 10

A company is hosting applications on Amazon EC2 instances. The company is hosting a database on an Amazon RDS for PostgreSQL DB instance. The company requires all connections to the DB instance to be encrypted.
What should a SysOps administrator do to meet this requirement?

• A. Allow SSL connections to the database by using an inbound security group rule.
• B. Encrypt the database by using an AWS Key Management Service (AWS KMS) encryption key.
• C. Enforce SSL connections to the database by using a custom parameter group.
• D. Patch the database with SSL/TLS by using a custom PostgreSQL extension.

Answer: C

Explanation:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.htm Amazon RDS supports SSL/TLS encryption for connections to the database, and this can be enabled by
creating a custom parameter group and setting the rds.force_ssl parameter to 1. This will ensure that all connections to the database are encrypted, protecting the data and maintaining compliance with the company's
requirements.l

NEW QUESTION 11

A SysOps Administrator runs a web application that is using a microservices approach whereby different responsibilities of the application have been divided in a separate microservice running on a different Amazon EC2 instance. The administrator has been tasked with reconfiguring the infrastructure to support this approach.
How can the administrator accomplish this with the LEAST administrative overhead?

• A. Use Amazon CloudFront to log the URL and forward the request.
• B. Use Amazon CloudFront to rewrite the header based on the microservice and forward the request.
• C. Use an Application Load Balancer (ALB) and do path-based routing.
• D. Use a Network Load Balancer (NLB) and do path-based routing.

Answer: C

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/elb-achieve-path-based-routing-alb/

NEW QUESTION 12

A company applies user-defined tags to resources that are associated with me company's AWS workloads Twenty days after applying the tags, the company notices that it cannot use re tags to filter views in the AWS Cost Explorer console.
What is the reason for this issue?

• A. It lakes at least 30 days to be able to use tags to filter views in Cost Explorer.
• B. The company has not activated the user-defined tags for cost allocation.
• C. The company has not created an AWS Cost and Usage Report
• D. The company has not created a usage budget in AWS Budgets

Answer: B

NEW QUESTION 13

A recent organizational audit uncovered an existing Amazon RDS database that is not currently configured for high availability. Given the critical nature of this database, it must be configured for high availability as soon as possible.
How can this requirement be met?

• A. Switch to an active/passive database pair using the create-db-instance-read-replica with the--availability-zone flag.
• B. Specify high availability when creating a new RDS instance, and live-migrate the data.
• C. Modify the RDS instance using the console to include the Multi-AZ option.
• D. Use the modify-db-instance command with the --na flag.

Answer: C

NEW QUESTION 14

A company stores sensitive data in an Amazon S3 bucket. The company must log all access attempts to the S3 bucket. The company's risk team must receive immediate notification about any delete events.
Which solution will meet these requirements?

• A. Enable S3 server access logging for audit log
• B. Set up an Amazon Simple Notification Service (Amazon SNSJ notification for the S3 bucke
• C. Select DeleteObject tor the event type for the alert system.
• D. Enable S3 server access logging for audit log
• E. Launch an Amazon EC2 instance for the alert system.Run a cron job on the EC2 instance to download the access logs each day and to scan for a DeleteObject event.
• F. Use Amazon CloudWatch Logs for audit log
• G. Use Amazon CloudWatch alarms with an Amazon Simple Notification Service (Amazon SNS) notification for the alert system.
• H. Use Amazon CloudWatch Logs for audit log
• I. Launch an Amazon EC2 instance for The alert system.Run a cron job on the EC2 Instance each day to compare the list of the items with the list from the previous da
• J. Configure the cron job to send a notification if an item is missing.

Answer: A

Explanation:
To meet the requirements of logging all access attempts to the S3 bucket and receiving immediate notification about any delete events, the company can enable S3 server access logging and set up an Amazon Simple Notification Service (Amazon SNS) notification for the S3 bucket. The S3 server access logs will record all access attempts to the bucket, including delete events, and the SNS notification can be configured to send an alert when a DeleteObject event occurs.

NEW QUESTION 15

A company wants to track its AWS costs in all member accounts that are part of an organization in AWS Organizations. Managers of the member accounts want to receive a notification when the estimated costs exceed a predetermined amount each month. The managers are unable to configure a billing alarm. The IAM permissions for all users are correct. What could be the cause of this issue?

• A. The management/payer account does not have billing alerts turned on.
• B. The company has not configured AWS Resource Access Manager (AWS RAM) to share billing information between the member accounts and the management/payer account.
• C. Amazon GuardDuty is turned on for all the accounts.
• D. The company has not configured an AWS Config rule to monitor billing.

Answer: B

NEW QUESTION 16

A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application's performance. A SysOps administrator must scale the application to meet the increased traffic. Which solution meets these requirements?

• A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.
• B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
• C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy.Attach the ALB to the Auto Scaling group.
• D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy.Attach the ALB to the Auto Scaling group.

Answer: C

NEW QUESTION 17

A Sysops administrator needs to configure automatic rotation for Amazon RDS database credentials. The credentials must rotate every 30 days. The solution must integrate with Amazon RDS.
Which solution will meet these requirements with the LEAST operational overhead?

• A. Store the credentials in AWS Systems Manager Parameter Store as a secure strin
• B. Configure automatic rotation with a rotation interval of 30 days.
• C. Store the credentials in AWS Secrets Manage
• D. Configure automatic rotation with a rotation interval of 30 days.
• E. Store the credentials in a file in an Amazon S3 bucke
• F. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.
• G. Store the credentials in AWS Secrets Manage
• H. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.

Answer: B

Explanation:
Storing the credentials in AWS Secrets Manager and configuring automatic rotation with a rotation interval of 30 days is the most efficient way to meet the requirements with the least operational overhead. AWS Secrets Manager automatically rotates the credentials at the specified interval, so there is no need for an additional AWS Lambda function or manual rotation. Additionally, Secrets Manager is integrated with Amazon RDS, so the credentials can be easily used with the RDS database.

NEW QUESTION 18

A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website.
Which action should a SysOps administrator take to resolve this issue?

• A. Configure the CloudFront distribution behavior to forward the User-Agent header.
• B. Configure the CloudFront distribution origin setting
• C. Add a User-Agent header to the list of origin custom headers.
• D. Enable IPv6 on the AL
• E. Update the CloudFront distribution origin settings to use the dualstack endpoint.
• F. Enable IPv6 on the CloudFront distributio
• G. Update the Route 53 record to use the dualstack endpoint.

Answer: A

Explanation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-

NEW QUESTION 19

A company is running a serverless application on AWS Lambda The application stores data in an Amazon RDS for MySQL DB instance Usage has steadily increased and recently there have been numerous "too many connections" errors when the Lambda function attempts to connect to the database The company already has configured the database to use the maximum max_connections value that is possible
What should a SysOps administrator do to resolve these errors'?

• A. Create a read replica of the database Use Amazon Route 53 to create a weighted DNS record that contains both databases
• B. Use Amazon RDS Proxy to create a proxy Update the connection string in the Lambda function
• C. Increase the value in the max_connect_errors parameter in the parameter group that the database uses
• D. Update the Lambda function's reserved concurrency to a higher value

Answer: B

Explanation:
https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/
RDS Proxy acts as an intermediary between your application and an RDS database. RDS Proxy establishes and manages the necessary connection pools to your database so that your application creates fewer database connections. Your Lambda functions interact with RDS Proxy instead of your database instance. It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to reuse existing connections, rather than creating new connections for every function invocation.
Check "Database proxy for Amazon RDS" section in the link to see how RDS proxy help Lambda handle huge connections to RDS MySQL
https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/

NEW QUESTION 20
......