Notes: Hi all, AWS Certified SysOps Administrator Associate SOA-Co2 Practice Exam Part 6 will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics. We highly recommend you should take AWS Certified SysOps Administrator Associate SOA-Co2 Actual Exam Version because it include real questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.
201. A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket. Which practices ensure that the log files are available and unaltered? (Choose two.)
A. Enable the CloudTrail log file integrity check in AWS Config Rules.
B. Use CloudWatch Events to scan log files hourly.
C. Enable CloudTrail log file integrity validation.
D. Turn on Amazon S3 MFA Delete for the CloudTrail bucket.
E. Implement a DENY ALL bucket policy on the CloudTrail bucket.
202. A company runs a web application that users access using the domain name www.example.com. The company manages the domain name using Amazon Route 53. The company created an Amazon CloudFront distribution in front of the application and would like www.example.com to access the application though CloudFront. What is the MOST cost-effective way to achieve this?
A. Create CNAME record in Amazon Route 53 that points to the CloudFront distribution URL.
B. Create an ALIAS record in Amazon Route 53 that points to the CloudFront distribution URL.
C. Create an A record in Amazon Route 53 that points to the public IP address of the web application. D. Create a PTR record in Amazon Route 53 that points to the public IP address of the web application.
203. A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?
A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being ddeleted.
B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
204. A company uses multiple accounts for its applications. Account A manages the company’s Amazon Route 53 domains and hosted zones. Account B uses a load balancer fronting the company’s web servers. How can the company use Route 53 to point to the load balancer in the MOST cost-effective and efficient manner?
A. Create an Amazon EC2 proxy in Account A that forwards requests to Account B.
B. Create a load balancer in Account A that points to the load balancer in Account B.
C. Create a CNAME record in Account A pointing to an alias record to the load balancer in Account B. D. Create an alias record in Account A pointing to the load balancer in Account B.
205. A SysOps Administrator is notified that a security vulnerability affects a version of MySQL that is being used with Amazon RDS MySQL. Who is responsible for ensuring that the patch is applied to the MySQL cluster?
A. The database vendor
B. The Security department of the SysOps Administrator company
D. The SysOps Administrator
206. A company’s web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run in an EC@ Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon ElastiCache for Redis cluster and an Amazon RDS DB instance. Company policy requires all system patching to take place at midnight on Tuesday. Which resources will need to have a maintenance window configured for midnight on Tuesday? (Choose two.)
A. Elastic Load Balancer
B. EC2 instances
C. RDS instance
D. ElastiCache cluster
E. Auto Scaling group
207. A SysOps Administrator is deploying a website with dynamic content. Company policy requires that users from certain countries or regions cannot access the web content and should receive an error page. Which of the following can be used to implement this policy? (Choose two.)
A. Amazon CloudFront geo-restriction
B. Amazon GuardDuty geo-blocking
C. Amazon Route 53 geolocation routing
D. AWS Shield geo-restriction
E. Network access control list (NACL) restriction
208. A company stores thousands of non-critical log files in an Amazon S3 bucket. A set of reporting scripts retrieve these log files daily. Which of the following storage options will be the MOST cost-efficient for the company’s use case?
A. Amazon Glacier
B. Amazon S3 Standard IA (infrequent access) storage
C. Amazon S3 Standard Storage
D. AWS Snowball
209. A SysOps Administrator receives a connection timeout error when attempting to connect to an Amazon EC2 instance from a home network using SSH. The Administrator was able to connect to this EC2 instance SSH from their office network in the past. What cause the connection to time out?
A. The IAM role associated with the EC2 instance does not allow SSH connections from the home network.
B. The public key used by SSH located on the Administrator’s server not have the required permissions.
C. The route table contains a route that sends 0.0.0.0/0 to the internet gateway for the VPC.
D. The security group is not allowing inbound traffic from the home network on the SSH port.
210. A company is deploying a web service to Amazon EC2 instances behind an Elastic Load Balancer. All resources will be defined and created in a single AWS CloudFormation stack using a template. The creation of each EC2 instance will not be considered complete until an initialization script has been run successfully on the EC2 instance. The Elastic Load Balancer cannot be created until all EC2 instances have been created. Which CloudFormation resource will coordinate the Elastic Load Balancer creation in the CloudFormation stack template?
211. A company is concerned about a security vulnerability impacting its Linux operating system. What should the SysOps Administrator do to alleviate this concern?
A. Patch the vulnerability with Amazon Inspector.
B. Provide an AWS Trusted Advisor report showing which Amazon EC2 instances have been patched.
C. Redeploy the Amazon EC2 instances using AWS CloudFormation.
D. Patch the Linux operating system using AWS Systems Manager.
212. A SysOps Administrator is configuring AWS SSO for the first time. The Administrator has already created a directory in the master account using AWS Directory Service and enabled full access in AWS Organizations. What should the Administrator do next to configure the service?
A. Create IAM roles in each account to be used by AWS SSO, and associate users with these roles using AWS SSO.
B. Create IAM users in the master account, and use AWS SSO to associate the users with the accounts they will access.
C. Create permission sets in AWS SSO, and associate the permission sets with Directory Service users or groups.
D. Create service control policies (SCPs) in Organizations, and associate the SCPs with Directory Service users or groups.
213. A web application runs on Amazon EC2 instances and accesses external services. The external services require authentication credentials. The application is deployed using AWS CloudFormation to three separate environments: development, test, and production. Each environment has unique credentials services. What option securely provides the application with the needed credentials while requiring MINIMAL administrative overhead?
A. Pass the credentials for the target environment to the CloudFormation template as parameters. Use the user data script to insert the parameterized credentials into the EC2 instances.
B. Store the credentials as secure strings in AWS Systems Manager Parameter Store. Pass an environment tag as a parameter to the CloudFormation template. Use the user data script to insert the environment tag in the EC2 instances. Access the credentials from the application.
C. Create a separate CloudFormation template for each environment. In the Resources section, include a user data script for each EC2 instance. Use the user data script to insert the proper credentials for the environment into the EC2 instances.
D. Create separate Amazon Machine Images (AMIs) with the required credentials for each environment. Pass the environment tag as a parameter to the CloudFormation template. In the Mappings section of the CloudFormation template, map the environment tag to the proper AMI, then use that AMI when launching the EC2 instances.
214. A SysOps Administrator created an AWS CloudFormation template for the first time. The stack failed with a status of ROLLBACK_COMPLETE. The Administrator identified and resolved the template issue causing the failure. How should the Administrator continue with the stack deployment?
A. Delete the failed stack and create a new stack.
B. Execute a change set on the failed stack.
C. Perform an update-stack action on the failed stack.
D. Run a validate-template command.
215. A SysOps Administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units with the same company. All data must be encrypted at rest. How should the Administrator implement this process?
A. Write a script to download the encrypted snapshot, decrypt if using the AWS KMS encryption key used to encrypt the snapshot, then create a new volume in each account.
B. Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts.
C. Create an Amazon EC2 instance based on the snapshot, then save the instance’s Amazon EBS volume as a snapshot and share it with the other accounts. Require each account owner to create a new volume from that snapshot and encrypt it.
D. Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RDP. export the database contents into a file, then share this file with the other accounts.
216. A SysOps Administrator has been notified that some Amazon EC2 instances in the company’s environment might have a vulnerable software version installed. What should be done to check all of the instances in the environment with the LEAST operational overhead?
A. Create and run an Amazon Inspector assessment template.
B. Manually SSH into each instance and check the software version.
C. Use AWS CloudTrail to verify Amazon EC2 activity in the account.
D. Write a custom script and use AWS CodeDeploy to deploy to Amazon EC2 instances.
217. Development teams are maintaining several workloads on AWS. Company management is concerned about rising costs and wants the SysOps Administrator to configure alerts so teams are notified when spending approaches preset limits. Which AWS service will satisfy these requirements?
A. AWS Budgets
B. AWS Cost Explorer
C. AWS Trusted Advisor
D. AWS Cost and Usage report
218. A SysOps Administrator is tasked with deploying and managing a single CloudFormation template across multiple AWS accounts. What feature of AWS CloudFormation will accomplish this?
A. Change sets
B. Nested stacks
C. Stack policies
219. A company runs an application that uses Amazon RDS for MySQL. During load testing of equivalent production volumes, the Development team noticed a significant increase in query latency. A SysOps Administrator concludes from investigating Amazon CloudWatch Logs that the CPU utilization on the RDS MySQL instance was at 100%. Which action will resolve this issue?
A. Configure AWS Database Migration Service (AWS DMS) to allow Amazon RDS for MySQL to scale and accept more requests.
B. Configure RDS for MySQL to scale horizontally by additional nodes to offload write requests.
C. Enable the Multi-AZ feature for the RDS instance.
D. Modify the RDS MySQL instance so it is a larger instance type.
220. A SysOps Administrator is using AWS KMS with AWS-generated key material to encrypt an Amazon EBS volume in a company’s AWS environment. The Administrator wants to rotate the KMS keys using automatic key rotation, and needs to ensure that the EBS volume encrypted with the current key remains readable. What should be done to accomplish this?
A. Back up the current KMS key and enable automatic key rotation.
B. Create a new key in AWS KMS and assign the key to Amazon EBS.
C. Enable automatic key rotation of the EBS volume key in AWS KMS.
D. Upload ne key material to the EBS volume key in AWS KMS to enable automatic key rotation for the volume.
221. A SysOps Administrator deployed an AWS Elastic Beanstalk worker node environment that reads messages from an auto-generated Amazon Simple Queue Service (Amazon SQS) queue and deleted them from the queue after processing. Amazon EC2 Auto Scaling scales in and scales out the number of worker nodes based on CPU utilization. After some time, the Administrator notices that the number of messages in the SQS queue are increasing significantly. Which action will remediate this issue?
A. Change the scaling policy to scale based upon the number of messages in the queue.
B. Decouple the queue from the Elastic Beanstalk worker node and create it as a separate resource.
C. Increase the number of messages in the queue.
D. Increase the retention period of the queue.
222. A Security team is concerned about the potential of intellectual property leaking to the internet. A SysOps Administrator is tasked with identifying controls to address the potential problem. The servers in question reside in a VPC and cannot be allowed to send traffic to the internet. How can these requirements be met?
A. Edit the route for the subnet with the following entry:
– Destination 0.0.0.0/0
– target: igw-xxxxxxxx
B. Ensure that the servers do not have Elastic IP addresses.
C. Enable Enhanced Networking on the instances to control traffic flows.
D. Put the servers in a private subnet.
223. A company is setting up a VPC peering connection between its VPC and a customer’s VPC. The company VPC is an IPv4 CIDR block of 172.16.0.0/16, and the customer’s is an IPv4 CIDR block of 10.0.0.0/16. The SysOps Administrator wants to be able to ping the customer’s database private IP address from one of the company’s Amazon EC2 instances. What action should be taken to meet the requirements?
A. Ensure that both accounts are linked and are part of consolidated billing to create a file sharing network, and then enable VPC peering.
B. Ensure that both VPC owners manually add a route to the VPC route tables that points to the IP address range of the other VPC.
C. Instruct the customer to set up a VPC with the same IPv4 CIDR block as that of the source VPC: 172.16.0.0/16.
D. Instruct the customer to create a virtual private gateway to link the two VPCs.
224. A company is concerned about its ability to recover from a disaster because all of its Amazon EC2 instances are located in a single Amazon VPC in us-east-1. A second Amazon VPC has been configured in eu-west-1 to act as a backup VPC in case of an outage. Data will be replicated from the primary region to the secondary region. The Information Security team’s compliance requirements specify that all data must be encrypted and must not traverse the public internet. How should the SysOps Administrator connect the two VPCs while meeting the compliance requirements?
A. Configure EC2 instances to act as VPN appliances, then configure route tables.
B. Configure inter-region VPC peering between the two VPCs, then configure route tables.
C. Configure NAT gateways in both VPCs, then configure route tables.
D. Configure an internet gateway in each VPC, and use these as the targets for the VPC route tables.
225. Two companies will be working on several development projects together. Each company has an AWS account with a single VPC in us-east-1. Two companies would like to access one another’s development servers. The IPv4 CIDR blocks in the two VPCs does not overlap. What can the SysOps Administrators for each company do to set up network routing?
A. Each Administrator should create a custom routing table that points to the other company’s internet gateway public IP address.
B. Both Administrators should set up a NAT gateway in a public subnet in their respective VPCs. Then. using the public IP address from the NAT gateway, the Administrators should enable routing between the two VPCs.
C. Both Administrators should install a 1 Gbps AWS Direct Connect circuit in their respective environments. Then, using the AWS Management Console, the Administrators should create an AWS Direct Connect routing requests to enable connectivity.
D. One Administrator should create a VPC peering request and send it to the other Administrator’s account. Once the other Administrator accepts the request, update the routing tables t enable traffic.
226. A SysOps Administrator is responsible for maintaining an Amazon EC2 instance that acts as a bastion host. The Administrator can successfully connect to the instance using SSH, but attempts to ping the instance result in a timeout. What is one reason for the issue?
A. The instance does not have an Elastic IP address
B. The instance has a security group that does not allow Internet Control Message Protocol (ICMP) traffic
C. The instance is not set up in a VPC using AWS Direct Connect
D. The instance is running in a peered VPC
227. An enterprise company has discovered that a number of Amazon EC2 instances in a VPC are marked as high risk according to a Common Vulnerabilities and Exposures (CVE) report. The Security team requests that all these instances be upgraded. Who is responsible for upgrading the EC2 instances?
A. The AWS Security team
B. The Amazon EC2 team
C. The AWS Premium Support team
D. The company’s Systems Administrator
228. A SysOps Administrator is maintaining a web application using an Amazon CloudFront web distribution, an Application Load Balancer (ALB), Amazon RDS, and Amazon EC2 in a VPC. All services have logging enabled. The Administrator needs to investigate HTTP Layer 7 status codes from the web application. Which log sources contain the status codes? (Choose two.)
A. VPC Flow Logs
B. AWS CloudTrail logs
C. ALB access logs
D. CloudFront access logs
E. RDS logs
229. A company needs to ensure that all IAM users rotate their passwords on a regular basis. Which action should be taken take to implement this?
A. Configure multi-factor authentication for all IAM users
B. Deactivate existing users and recreate new users every time a credential rotation is required
C. Recreate identity federation with new identity providers every time a credential rotation is required
D. Set up a password policy to enable password expiration for IAM users
230. An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group that terminates unhealthy instances. The Auto Scaling group is configured to determine the health status of EC2 instances using both EC2 status checks and ALB health checks. The Development team wants to analyze the unhealthy instances before termination. What should the SysOps Administrator do to accomplish this?
A. Configure the ALB health check to restart instances instead of terminating them.
B. Configure an AWS Lambda function to take a snapshot of all instances before they are terminated. C. Implement Amazon CloudWatch Events to capture lifecycle events and trigger an AWS Lambda function for remediation.
D. Use an Amazon EC2 Auto Scaling lifecycle hook to pause instance termination after the instance has been removed from service.
231. An application running on Amazon EC2 needs login credentials to access a database. The login credentials are stored in AWS Systems Manager Parameter Store as secure string parameters. What is the MOST secure way to grant the application access to the credentials?
A. Create an IAM EC2 role for the EC2 instances and grant the role permission to read the Systems Manager parameters
B. Create an IAM group for the application and grant the group permissions to read the Systems Manager parameters
C. Create an IAM policy for the application and grant the policy permission to read the Systems Manager parameters
D. Create an IAM user for the application and grant the user permission to read the Systems Manager parameters
232. A SysOps Administrator is receiving alerts related to high CPU utilization of a Memcached-based Amazon ElastiCache cluster. Which remediation steps should be taken to resolve this issue? (Choose two.)
A. Add a larger Amazon EBS volume to the ElastiCache cluster nodes
B. Add a load balancer to route traffic to the ElastiCache cluster
C. Add additional worker nodes to the ElastiCache cluster
D. Create an Auto Scaling group to the ElastiCache cluster
E. Vertically scale the ElastiCache cluster by changing the node type
233. A SysOps Administrator manages an Amazon RDS MySQL DB instance in production. The database is accessed by several applications. The Administrator needs to ensure minimal downtime of the applications in the event the database suffers a failure. This change must not impact customer use during regular business hours. Which action will make the database MORE highly available?
A. Contact AWS Support to pre-warm the database to ensure that it can handle any unexpected spikes in traffic
B. Create a new Multi-AZ RDS DB instance. Migrate the data to the new DB instance and delete the old one
C. Create a read replica from the existing database hours
D. Modify the DB instance to outside of business hours be a Multi-AZ deployment
234. An enterprise is using federated Security Assertion Markup Language (SAML) to access the AWS Management Console. How should the SAML assertion mapping be configured?
A. Map the group attribute to an AWS group. The AWS group is assigned IAM policies that govern access to AWS resources.
B. Map the policy attribute to IAM policies the federated user is assigned to. These policies govern access to AWS resources.
C. Map the role attribute to an AWS role. The AWS role is assigned IAM policies that govern access to AWS resources.
D. Map the user attribute to an AWS user. The AWS user is assigned specific IAM policies that govern access to AWS resources.
235. A SysOps Administrator is managing a web application that runs on Amazon EC2 instances behind an ELB Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy. Which condition should be used with the alarm?
A. AWS/ApplicationELB HealthyHostCount <= 0 B. AWS/ApplicationELB UnhealthyHostCount >= 1
C. AWS/EC2 StatusCheckFailed <= 0 D. AWS/EC2 StatusCheckFailed >= 1
236. A company has deployed a NAT instance to allow web servers to obtain software updates from the internet. There is high latency on the NAT instance as the network grows. A SysOps Administrator needs to reduce latency on the instance in a manner that is efficient, cost-effective, and allows for scaling with future demand. Which action should be taken to accomplish this?
A. Add a second NAT instance and place both instances behind a load balancer
B. Convert the NAT instance to a larger instance size
C. Replace the NAT instance with a NAT gateway
D. Replace the NAT instance with a virtual private gateway
237. A security researcher has published a new Common Vulnerabilities and Exposures (CVE) report that impacts a popular operating system. A SysOps Administrator is concerned with the new CVE report and wants to patch the company’s systems immediately. The administrator contacts AWS Support and requests the patch be applied to all Amazon EC2 instances. How will AWS respond to this request?
A. AWS will apply the patch during the next maintenance window, and will provide the Administrator with a report of all patched EC2 instances.
B. AWS will relaunch the EC2 instances with the latest version of the Amazon Machine Image (AMI), and will provide the Administrator with a report of all patched EC2 instances.
C. AWS will research the vulnerability to see if the Administrator’s operating system is impacted, and will patch the EC2 instances that are affected.
D. AWS will review the shared responsibility model with the Administrator and advise them regarding how to patch the EC2 instances.
238. A Development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data. Which AWS service will mitigate this issue?
A. AWS Shield Standard
B. AWS WAF
C. Elastic Load Balancing
D. Amazon Cognito
239. A Development team is designing an application that processes sensitive information within a hybrid deployment. The team needs to ensure the application data is protected both in transit and at rest. Which combination of actions should be taken to accomplish this? (Choose two.)
A. Use a VPN to set up a tunnel between the on-premises data center and the AWS resources
B. Use AWS Certificate Manager to create TLS/SSL certificates
C. Use AWS CloudHSM to encrypt the data
D. Use AWS KMS to create TLS/SSL certificates
E. Use AWS KMS to manage the encryption keys used for data encryption
240. A company is using AWS Storage Gateway to create block storage volumes and mount them as Internet Small Computer Systems Interface (iSCSI) devices from on-premises servers. As the Storage Gateway has taken on several new projects, some of the Development teams report that the performance of the iSCSI drives has degraded. When checking the Amazon CloudWatch metrics, a SysOps Administrator notices that the CacheHitPercent metric is below 60% and the CachePercentUsed metric is above 90%. What steps should the Administrator take to increase Storage Gateway performance?
A. Change the default block size for the Storage Gateway from 64 KB to 128 KB, 256 KB, or 512 KB to improve I/O performance.
B. Create a larger disk for the cached volume. In the AWS Management Console, edit the local disks, then select the new disk as the cached volume.
C. Ensure that the physical disks for the Storage Gateway are in a RAID 1 configuration to allow higher throughput.
D. Take point-in-time snapshots of all the volumes in Storage Gateway, flush the cache completely, then restore the volumes from the clean snapshots.