Notes: Hi all, AWS Certified SysOps Administrator Associate SOA-C02 Practice Exam Part 7 will familiarize you with the types of questions you may encounter on the certification exam and help you determine whether you are ready or need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam, as the actual exam is longer and covers a wider range of topics. We highly recommend that you take the AWS Certified SysOps Administrator Associate SOA-C02 Actual Exam Version because it includes real questions with highlighted answers collected in our exam. It will help you pass the exam more easily.
241. A SysOps Administrator observes a large number of rogue HTTP requests on an Application Load Balancer (ALB). The requests originate from various IP addresses. Which action should be taken to block this traffic?
A. Use Amazon CloudFront to cache the traffic and block access to the web servers
B. Use Amazon GuardDuty to protect the web servers from bots and scrapers
C. Use AWS Lambda to analyze the web server logs, detect bot traffic, and block the IP address in the security groups
D. Use AWS WAF rate-based blacklisting to block this traffic when it exceeds a defined threshold
242. A company issued SSL certificates to its users, and needs to ensure the private keys that are used to sign the certificates are encrypted. The company needs to be able to store the private keys and perform cryptographic signing operations in a secure environment. Which service should be used to meet these requirements?
A. AWS CloudHSM
B. AWS KMS
C. AWS Certificate Manager
D. Amazon Connect
243. A SysOps Administrator is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon S3. The domain name of the website is www.anycompany.com and the S3 bucket name is anycompany-static. After the record set is set up in Route 53, the domain name www.anycompany.com does not seem to work, and the static website is not displayed in the browser. Which of the following is a cause of this?
A. The S3 bucket must be configured with Amazon CloudFront first
B. The Route 53 record set must have an IAM role that allows access to the S3 bucket
C. The Route 53 record set must be in the same region as the S3 bucket
D. The S3 bucket name must match the record set name in Route 53
244. A SysOps Administrator at an ecommerce company discovers that several 404 errors are being sent to one IP address every minute. The Administrator suspects a bot is collecting information about products listed on the company’s website. Which service should be used to block this suspected malicious activity?
A. AWS CloudTrail
B. Amazon Inspector
C. AWS Shield Standard
D. AWS WAF
245. A company wants to reduce costs across the entire company after discovering that several AWS accounts were using unauthorized services and incurring extremely high costs. Which AWS service enables the company to reduce costs by controlling access to AWS services for all AWS accounts?
A. AWS Cost Explorer
B. AWS Config
C. AWS Organizations
D. AWS Budgets
246. A company has an application database on Amazon RDS that runs a resource-intensive reporting job. This is causing other applications using the database to run slowly. What should the SysOps Administrator do to resolve this issue?
A. Create Amazon RDS backups
B. Create Amazon RDS read replicas to run the report
C. Enable Multi-AZ mode on Amazon RDS
D. Use Amazon RDS automatic host replacement
247. A company wants to increase the availability and durability of a critical business application. The application currently uses a MySQL database running on an Amazon EC2 instance. The company wants to minimize application changes. How should the company meet these requirements?
A. Shut down the EC2 instance. Enable multi-AZ replication within the EC2 instance, then restart the instance.
B. Launch a secondary EC2 instance running MySQL. Configure a cron job that backs up the database on the primary EC2 instance and copies it to the secondary instance every 30 minutes.
C. Migrate the database to an Amazon RDS Aurora DB instance and create a Read Replica in another Availability Zone.
D. Create an Amazon RDS Microsoft SQL DB instance and enable multi-AZ replication. Back up the existing data and import it into the new database.
248. A SysOps Administrator has an AWS CloudFormation template of the company’s existing infrastructure in us-west-2. The Administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back. Why would this template fail to deploy? (Choose two.)
A. The template referenced an IAM user that is not available in eu-west-1
B. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1
C. The template did not have the proper level of permissions to deploy the resources
D. The template requested services that do not exist in eu-west-1
E. CloudFormation templates can be used only to update existing services
249. A SysOps Administrator has been asked to configure user-defined cost allocation tags for a new AWS account. The company is using AWS Organizations for account management. What should the Administrator do to enable user-defined cost allocation tags?
A. Log in to the AWS Billing and Cost Management console of the new account, and use the Cost Allocation Tags manager to create the new user-defined cost allocation tags.
B. Log in to the AWS Billing and Cost Management console of the payer account, and use Cost Allocation Tags manager to create the new user-defined cost allocation tags.
C. Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the new account to mark the tags as cost allocation tags.
D. Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the payer account to mark the tags as cost allocation tags.
250. A company developed and now runs a memory-intensive application on multiple Amazon EC2 Linux instances. The memory utilization metrics of the EC2 Linux instances must be monitored every minute. How should the SysOps Administrator publish the memory metrics? (Choose two.)
A. Enable detailed monitoring on the instance within Amazon CloudWatch
B. Publish the memory metrics to Amazon CloudWatch Events
C. Publish the memory metrics using the Amazon CloudWatch agent
D. Publish the memory metrics using Amazon CloudWatch Logs
E. Set metrics_collection_interval to 60 seconds
251. A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded; however, upon navigating to the site, the following error message is received: 403 Forbidden – Access Denied. What change should be made to fix this error?
A. Add a bucket policy that grants everyone read access to the bucket
B. Add a bucket policy that grants everyone read access to the bucket objects
C. Remove the default bucket policy that denies read access to the bucket
D. Configure cross-origin resource sharing (CORS) on the bucket
252. A company runs an Amazon RDS MySQL DB instance. Corporate policy requires that a daily backup of the database must be copied to a separate security account. What is the MOST cost-effective way to meet this requirement?
A. Copy an automated RDS snapshot to the security account using the copy-db-snapshot command with the AWS CLI.
B. Create an RDS MySQL Read Replica for the critical database in the security account, then enable automatic backups for the Read Replica.
C. Create an RDS snapshot with the AWS CLI create-db-snapshot command, share it with the security account, then create a copy of the shared snapshot in the security account.
D. Use AWS DMS to replicate data from the critical database to another RDS MySQL instance in the security account, then use an automated backup for the RDS instance.
253. A SysOps Administrator must set up notifications for whenever combined billing exceeds a certain threshold for all AWS accounts within a company. The Administrator has set up AWS Organizations and enabled Consolidated Billing. Which additional steps must the Administrator perform to set up the billing alerts?
A. In the payer account: Enable billing alerts in the Billing and Cost Management console; publish an Amazon SNS message when the billing alert triggers.
B. In each account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.
C. In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in the Billing and Cost Management console to publish an SNS message when the alarm triggers.
D. In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.
254. A VPC is connected to a company data center by a VPN. An Amazon EC2 instance with the IP address 172.31.16.139 is within a private subnet of the VPC. A SysOps Administrator issued a ping command to the EC2 instance from an on-premises computer with the IP address 203.0.113.12 and did not receive an acknowledgment. VPC Flow Logs were enabled and showed the following:
2 123456789012 eni-1234bca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789012 eni-1234bca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
What action will resolve the issue?
A. Modify the EC2 security group rules to allow inbound traffic from the on-premises computer
B. Modify the EC2 security group rules to allow outbound traffic to the on-premises computer
C. Modify the VPC network ACL rules to allow inbound traffic from the on-premises computer
D. Modify the VPC network ACL rules to allow outbound traffic to the on-premises computer
255. A web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. Amazon Route 53 is used for DNS and points to the load balancer. A SysOps Administrator has launched a new Auto Scaling group with a new version of the application, and wants to gradually shift traffic to the new version. How can this be accomplished?
A. Create an Auto Scaling target tracking scaling policy to gradually move traffic from the old version to the new one
B. Change the Application Load Balancer to a Network Load Balancer, then add both Auto Scaling groups as targets
C. Use an Amazon Route 53 weighted routing policy to gradually move traffic from the old version to the new one
D. Deploy Amazon Redshift to gradually move traffic from the old version to the new one using a set of predefined values
256. A company uses federation to authenticate users and grant AWS permissions. The SysOps Administrator has been asked to determine who made a request to AWS Organizations for a new AWS account. What should the Administrator review to determine who made the request?
A. AWS CloudTrail for the federated identity user name
B. AWS IAM Access Advisor for the federated user name
C. AWS Organizations access log for the federated identity user name
D. Federated identity provider logs for the user name
257. A serverless application running on AWS Lambda is expected to receive a significant increase in traffic. A SysOps Administrator needs to ensure that the Lambda function is configured to scale so the application can process the increased traffic. What should the Administrator do to accomplish this?
A. Attach additional elastic network interfaces to the Lambda function
B. Configure AWS Application Auto Scaling based on the Amazon CloudWatch Lambda metric for the number of invocations
C. Ensure the concurrency limit for the Lambda function is higher than the expected simultaneous function executions
D. Increase the memory available to the Lambda function
258. A SysOps Administrator is notified that an Amazon EC2 instance has stopped responding. The AWS Management Console indicates that the system checks are failing. What should the SysOps Administrator do first to resolve this issue?
A. Reboot the EC2 instance so it can be launched on a new host.
B. Stop and then start the EC2 instance so that it can be launched on a new host.
C. Terminate the EC2 instance and relaunch it.
D. View the AWS CloudTrail log to investigate what changed on the EC2 instance
259. An ecommerce site is using Amazon ElastiCache with Memcached to store session state for a web application and to cache frequently used data. For the last month, users have been complaining about performance. The metric data for the Amazon EC2 instances and the Amazon RDS instance appear normal, but the eviction count metrics are high. What should be done to address this issue and improve performance?
A. Scale the cluster by adding additional nodes
B. Scale the cluster by adding read replicas
C. Scale the cluster by increasing CPU capacity
D. Scale the web layer by adding additional EC2 instances
260. A company needs to migrate an on-premises asymmetric key management system into AWS. Which AWS service should be used to accomplish this?
A. AWS Certificate Manager
B. AWS CloudHSM
C. AWS KMS
D. AWS Secrets Manager
261. A SysOps Administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the Internet. Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)
A. Add a NAT gateway to a public subnet
B. Attach a private address to the elastic network interface on the EC2 instance
C. Attach an Elastic IP address to the internet gateway
D. Add an entry to the route table for the subnet that points to an internet gateway
E. Create an internet gateway and attach it to a VPC
262. A Security and Compliance team is reviewing Amazon EC2 workloads for unapproved AMI usage. Which action should a SysOps Administrator recommend?
A. Create a custom report using AWS Systems Manager Inventory to identify unapproved AMIs
B. Run Amazon Inspector on all EC2 instances and flag instances using unapproved AMIs
C. Use an AWS Config rule to identify unapproved AMIs
D. Use AWS Trusted Advisor to identify EC2 workloads using unapproved AMIs
263. A company needs to have real-time access to image data while seamlessly maintaining a copy of the images in an offsite location. Which AWS solution would allow access to the image data locally while also providing for disaster recovery?
A. Create an AWS Storage Gateway volume gateway configured as a stored volume. Mount it from clients using Internet Small Computer System Interface (iSCSI).
B. Mount an Amazon EFS volume on a local server. Share this volume with employees who need access to the images.
C. Store the images in Amazon S3, and use AWS Data Pipeline to allow for caching of S3 data on local workstations.
D. Use Amazon S3 for file storage, and enable S3 Transfer Acceleration to maintain a cache for frequently used files to increase local performance.
264. A SysOps Administrator needs to create a replica of a company’s existing AWS infrastructure in a new AWS account. Currently, an AWS Service Catalog portfolio is used to create and manage resources. What is the MOST efficient way to accomplish this?
A. Create an AWS CloudFormation template to use the AWS Service Catalog portfolio in the new AWS account.
B. Manually create an AWS Service Catalog portfolio in the new AWS account that duplicates the original portfolio.
C. Run the AWS Lambda function to create a new AWS Service Catalog portfolio based on the output of the DescribePortfolio API operation.
D. Share the AWS Service Catalog portfolio with the other AWS accounts and import the portfolio into the other AWS accounts.
265. A company is operating a multi-account environment under a single organization using AWS Organizations. The Security team discovers that some employees are using AWS services in ways that violate company policies. A SysOps Administrator needs to prevent all users of an account, including the root user, from performing certain restricted actions. What should be done to accomplish this?
A. Apply service control policies (SCPs) to allow approved actions only
B. Apply service control policies (SCPs) to prevent restricted actions
C. Define permissions boundaries to allow approved actions only
D. Define permissions boundaries to prevent restricted actions
266. An application is running on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are configured in an Amazon EC2 Auto Scaling group. A SysOps Administrator must configure the application to scale based on the number of incoming requests. Which solution accomplishes this with the LEAST amount of effort?
A. Use a simple scaling policy based on a custom metric that measures the average active requests of all EC2 instances
B. Use a simple scaling policy based on the Auto Scaling group GroupDesiredCapacity metric
C. Use a target tracking scaling policy based on the ALB’s ActiveConnectionCount metric
D. Use a target tracking scaling policy based on the ALB’s RequestCountPerTarget metric
267. A SysOps Administrator has created an Amazon EC2 instance using an AWS CloudFormation template in the us-east-1 Region. The Administrator finds that this template has failed to create an EC2 instance in the us-west-2 Region. What is one cause for this failure?
A. Resource tags defined in the CloudFormation template are specific to the us-east-1 Region.
B. The Amazon Machine Image (AMI) ID referenced in the CloudFormation template could not be found in the us-west-2 Region.
C. The cfn-init script did not execute during resource provisioning in the us-west-2 Region.
D. The IAM user was not created in the specified Region.
268. Users are struggling to connect to a single public-facing development web server using its public IP address on a unique port number of 8181. The security group is correctly configured to allow access on that port, and the network ACLs are using the default configuration. Which log type will confirm whether users are trying to connect to the correct port?
A. AWS CloudTrail logs
B. Elastic Load Balancer access logs
C. VPC Flow Logs
D. Amazon S3 access logs
269. The Security team at AnyCompany discovers that some employees have been using individual AWS accounts that are not under the control of AnyCompany. The team has requested that those individual accounts be linked to the central organization using AWS Organizations. Which action should a SysOps Administrator take to accomplish this?
A. Add each existing account to the central organization using AWS IAM.
B. Create a new organization in each account and join them to the central organization.
C. Log in to each existing account and add them to the central organization.
D. Send each existing account an invitation from the central organization.
270. A SysOps Administrator has received a request to enable access logging for a Network Load Balancer and is setting up an Amazon S3 bucket to store the logs. What are the MINIMUM requirements for the S3 bucket? (Choose two.)
A. The bucket must be in the same Region as the Network Load Balancer.
B. The bucket must have a bucket policy that grants Elastic Load Balancing permissions to write the access logs to the bucket.
C. The bucket must have encryption enabled.
D. The bucket must have lifecycle policies set.
E. The bucket must have public access disabled.
271. An application is running on an Amazon EC2 instance. A SysOps Administrator is tasked with allowing the application access to an Amazon S3 bucket. What should be done to ensure optimal security?
A. Apply an S3 bucket policy to allow access from all EC2 instances.
B. Create an IAM user and create a script to inject the credentials on boot.
C. Create and assign an IAM role for Amazon S3 access to the EC2 instance.
D. Embed an AWS credentials file for an IAM user inside the Amazon Machine Image (AMI).
272. A company’s Marketing department generates gigabytes of assets each day and stores them locally. They would like to protect the files by backing them up to AWS. All the assets should be stored on the cloud, but the most recent assets should be available locally for low latency access. Which AWS service meets the requirements?
A. Amazon EBS
B. Amazon EFS
C. Amazon S3
D. AWS Storage Gateway
273. A SysOps Administrator is attempting to use AWS Systems Manager Session Manager to initiate an SSH session with an Amazon EC2 instance running on a custom Linux Amazon Machine Image (AMI). The Administrator cannot find the target instance in the Session Manager console. Which combination of actions will solve this issue? (Choose two.)
A. Add Systems Manager permissions to the instance profile.
B. Configure the bucket used by Session Manager logs to allow write access.
C. Install Systems Manager Agent on the instance.
D. Modify the instance security group to allow inbound traffic on SSH port 22.
E. Reboot the instance with a new SSH key pair named ssm-user.
274. A Storage team wants all data transfers to an Amazon S3 bucket to remain within the AWS network. The team makes all changes to the AWS network infrastructure manually. An S3 VPC endpoint is created, and an endpoint policy with the proper permissions is set up. However, the application running on Amazon EC2 instances in the VPC is still unable to access the S3 bucket endpoint. What is one cause of this issue?
A. Request metrics for the S3 bucket need to be enabled.
B. S3 access logs need to be disabled for the VPC endpoints to function.
C. The subnet does not have the VPC endpoint as a target in the route table.
D. The EC2 instances need to have an Elastic Network Adapter enabled.
275. As part of a federated identity configuration, an IAM policy is created and attached to an IAM role. Who is responsible for creating the IAM policy and attaching it to the IAM role, according to the shared responsibility model?
A. AWS is responsible for creating and attaching the IAM policy to the role.
B. AWS is responsible for creating the role, and a SysOps Administrator is responsible for attaching the policy to the role.
C. A SysOps Administrator is responsible for creating and attaching the IAM policy to the role.
D. A SysOps Administrator is responsible for creating the role, and AWS is responsible for attaching the policy to the role.
276. An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. The Information Security team wants to track application requests by the originating IP and the EC2 instance that processes the request. Which of the following tools or services provides this information?
A. Amazon CloudWatch
B. AWS CloudTrail
C. Elastic Load Balancing access logs
D. VPC Flow Logs
277. An Amazon EC2 instance in a private subnet needs to copy data to an Amazon S3 bucket. For security reasons, the connection from the EC2 instance to Amazon S3 must not traverse across the Internet. What action should the SysOps Administrator take to accomplish this?
A. Create a NAT instance and route traffic destined to Amazon S3 through it.
B. Create a VPN connection between the EC2 instance and Amazon S3.
C. Create an S3 VPC endpoint in the VPC where the EC2 instance resides.
D. Use AWS Direct Connect to maximize throughput and keep the traffic private.
278. A SysOps Administrator is in the process of setting up a new AWS Storage Gateway. The Storage Gateway activation is failing when the Administrator attempts to activate the Storage Gateway from the Storage Gateway console. What are the potential causes of this error? (Choose two.)
A. The Storage Gateway does not have an upload buffer configured.
B. The Storage Gateway does not have a backing Amazon S3 bucket configured.
C. The Storage Gateway does not have a cache volume configured.
D. The Storage Gateway does not have the correct time.
E. The Storage Gateway is not accessible from the Administrator’s client over port 80.
279. A SysOps Administrator needs to monitor all the object upload and download activity of a single Amazon S3 bucket. Monitoring must include tracking the AWS account of the caller, the IAM user role of the caller, the time of the API call, and the IP address of the API. Where can the Administrator find this information?
A. AWS CloudTrail data event logging
B. AWS CloudTrail management event logging
C. Amazon Inspector bucket event logging
D. Amazon Inspector user event logging
280. A company’s website went down for several hours. The root cause was a full disk on one of the company’s Amazon EC2 instances. Which steps should the SysOps Administrator take to prevent this from happening in the future?
A. Configure Amazon CloudWatch Events to filter and forward AWS Health events for disk space utilization to an Amazon SNS topic to notify the Administrator.
B. Create an AWS Lambda function to describe the volume status for each EC2 instance. Post a notification to an Amazon SNS topic when a volume status is impaired.
C. Enable detailed monitoring for the EC2 instances. Create an Amazon CloudWatch alarm to notify the Administrator when disk space is running low.
D. Use the Amazon CloudWatch agent on the EC2 instances to collect disk metrics. Create a CloudWatch alarm to notify the Administrator when disk space is running low.