AWS Certified SysOps Administrator Practice Exam Part 4
Notes: Hi all, AWS Certified SysOps Administrator Associate Practice Exam (SOA-C02) Part 4 will familiarize you with the types of questions you may encounter on the certification exam and help you determine your readiness, or whether you need more preparation and/or experience. Successful completion of the practice exam does not guarantee that you will pass the certification exam, as the actual exam is longer and covers a wider range of topics. We highly recommend that you take the AWS Certified SysOps Administrator Associate Guarantee Part because it includes real questions and highlighted answers collected from our exam. It will help you pass the exam more easily.
For PDF Format:
Part 1: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-1
Part 2: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-2
Part 3: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-3
Part 4: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-4
Part 5: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-5
For Quiz Format:
Part 1: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-1-quiz
Part 2: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-2-quiz
Part 3: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-3-quiz
121. A company is using AWS Organizations to manage all of their accounts. The Chief Technology Officer wants to prevent certain services from being used within production accounts until the services have been internally certified. They are willing to allow developers to experiment with these uncertified services in development accounts but need a way to ensure that these services are not used within production accounts. Which option ensures that services are not allowed within the production accounts, yet are allowed in separate development accounts with the LEAST administrative overhead?
A. Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts.
B. Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
C. Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts. Allow the services to run in development accounts.
D. Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non-certified services when found in a production account.
122. A company hosts its website on Amazon EC2 instances behind an ELB Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain’s zone apex to the website. Which type of record should be used to meet these requirements?
A. An AAAA record for the domain’s zone apex
B. An A record for the domain’s zone apex
C. A CNAME record for the domain’s zone apex
D. An alias record for the domain’s zone apex
123. A company currently has a single AWS account used by all project teams. The company is migrating to a multi-account strategy, where each project team will have its own account. The AWS IAM configuration must have the same roles and policies for each of the accounts. What is the MOST efficient way to implement and manage these new requirements?
A. Create a portfolio in the AWS Service Catalog for the IAM roles and policies. Have a specific product in the portfolio for each environment, project, and team that can be launched independently by each user.
B. Use AWS Organizations to create organizational units (OUs) for each group of projects and each team. Then leverage service control policies at the account level to restrict what services can be used and what actions the users, groups, and roles can perform in those accounts.
C. Create an AWS Lambda script that leverages cross-account access to each AWS account, and create all the roles and policies needed using the IAM API and JSON documents stored in Amazon S3.
D. Create a single AWS CloudFormation template. Use CloudFormation StackSets to launch the CloudFormation template into each target account from the Administrator account.
124. A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months. What is the process to rotate the key?
A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
C. Delete the current key material, and import new material into the existing CMK.
D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
125. Website users report that an application’s pages are loading slowly at the beginning of the workday. The application runs on Amazon EC2 instances, and data is stored in an Amazon RDS database. The SysOps Administrator suspects the issue is related to high CPU usage on a component of this application. How can the Administrator find out which component is causing the performance bottleneck?
A. Use AWS CloudTrail to review the resource usage history for each component.
B. Use Amazon CloudWatch metrics to examine the resource usage of each component.
C. Use Amazon Inspector to view the resource usage details for each component.
D. Use Amazon CloudWatch Events to examine the high usage events for each component.
126. A SysOps Administrator is running Amazon EC2 instances in multiple AWS Regions. The Administrator wants to aggregate the CPU utilization for all instances onto an Amazon CloudWatch dashboard. Each region should be present on the dashboard and represented by a single graph that contains the CPU utilization for all instances in that region. How can the Administrator meet these requirements?
A. Create a cross-region dashboard using AWS Lambda and distribute it to all regions
B. Create a custom CloudWatch dashboard and add a widget for each region in the AWS Management Console
C. Enable cross-region dashboards under the CloudWatch section of the AWS Management Console
D. Switch from basic monitoring to detailed monitoring on all instances
127. A Development team has an application stack consisting of many OS dependencies and language runtime dependencies. When deploying the application to production, the most important factor is how quickly the instance is operational. What deployment methodology should be used to update the running environments to meet the requirement?
A. Use fully baked AMIs (“golden images”) created after each successful build, creating a new Auto Scaling group, and blue/green deployments with rollbacks.
B. Use user-data scripts to configure the instance correctly on boot by installing all dependencies when needed.
C. Use an AWS Lambda function to only update the application locally on each instance, then reattach it to the load balancer when the process completes.
D. Use AWS OpsWorks scripts to execute on reboot of each instance to install all known dependencies, then re-attach the instances to the load balancer.
128. A web-based application is running in AWS. The application is using a MySQL Amazon RDS database instance for persistence. The application stores transactional data and is read-heavy. The RDS instance gets busy during peak usage, which slows the overall application response times. The SysOps Administrator is asked to improve the read query performance using a scalable solution. Which options will meet these requirements? (Choose two.)
A. Scale up the RDS instance to a larger instance size
B. Enable the RDS database Multi-AZ option
C. Create a read replica of the RDS instance
D. Use Amazon DynamoDB instead of RDS
E. Use Amazon ElastiCache to cache read queries
129. A Content Processing team has notified a SysOps Administrator that their content sometimes takes a long time to process, whereas at other times it processes quickly. The Content Processing team submits messages to an Amazon Simple Queue Service (Amazon SQS) queue, which detail the files that need to be processed. An Amazon EC2 instance polls the queue to determine which file to process next. How could the Administrator maintain a fast but cost-effective processing time?
A. Attach an Auto Scaling policy to the Amazon SQS queue to increase the number of EC2 instances based on the depth of the SQS queue
B. Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on MaxVisibilityTimeout
C. Attach an Auto Scaling policy to the SQS queue to scale instances based on the depth of the dead-letter queue
D. Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on ApproximateNumberOfMessagesVisible
130. A SysOps Administrator has received a request from the Compliance Department to enforce encryption on all objects uploaded to the corp-compliance bucket. How can the Administrator enforce encryption on all objects uploaded to the bucket?
A. Enable Amazon S3 default encryption on the bucket
B. Add the following policy statement to the bucket:
C. Add the following policy statement to the IAM user permissions policy:
D. Generate a presigned URL for the Amazon S3 PUT operation with the server-side encryption flag set, and send the URL to the user
131. An errant process is known to use an entire processor and run at 100%. A SysOps Administrator wants to automate restarting the instance once the problem occurs for more than 2 minutes. How can this be accomplished?
A. Create an Amazon CloudWatch alarm for the EC2 instance with basic monitoring. Enable an action to restart the instance.
B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
C. Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes.
D. Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks.
132. A SysOps Administrator needs to report on Amazon EC2 instance cost by both project and environment (production, staging, development). Which action would impact the operations team the LEAST?
A. For each project and environment, create a new AWS account and link them to the master payer for unified management and billing
B. Use AWS Organizations to create a new organization for each project, then for each environment use a separate linked AWS account
C. Implement cost allocation tagging in the Billing and Cost Management console to implement tags to identify resources by project and environment
D. Add the project and environment information to the instance metadata so that the values can be queried and rolled up into reports
133. A web application’s performance has been degrading. Historically, the application has had highly variable workloads, but lately, there has been a steady growth in traffic as the result of a new product launch. After reviewing several Amazon CloudWatch metrics, it is discovered that over the last two weeks the balance of CPU credits has dropped to zero several times. Which solutions will improve performance? (Choose two.)
A. Begin using the T2 instance type
B. Purchase more CPU credits for the existing instance
C. Increase the size of the current instance type
D. Configure a CloudWatch alarm on the CPU credits metric
134. An Amazon EC2 instance is in a private subnet. To SSH to the instance, it is required to use a bastion host that has an IP address of 10.0.0.5. SSH logs on the EC2 instance in the private subnet show that connections are being made over SSH from several other IP addresses. The EC2 instance currently has the following inbound security group rules applied:
What is the MOST likely reason that other IP addresses are able to SSH to the EC2 instance?
A. The rule with 0.0.0.0/0 means SSH is open for any client to connect
B. The rule with /32 is not limiting to a single IP address
C. Any instance belonging to sg-xxxxxxxx is allowed to connect
D. There is an outbound rule allowing SSH traffic
135. An AWS CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted. How can this be achieved in a reliable and efficient way?
A. Write a script to continue backing up the RDS instance every five minutes
B. Create an AWS Lambda function to take a snapshot of the RDS instance, and manually execute the function before deleting the stack
C. Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance
D. Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack
136. A new application is being tested for deployment on an Amazon EC2 instance that requires greater IOPS than currently provided by the single 4TB General Purpose SSD (gp2) volume. Which actions should be taken to provide additional Amazon EBS IOPS for the application? (Choose two.)
A. Increase the size of the General Purpose (gp2) volume
B. Use RAID 0 to distribute I/O across multiple volumes
C. Migrate to a Provisioned IOPS SSD (io1) volume
D. Enable MAX I/O performance mode on the General Purpose (gp2) volume
E. Use RAID 1 to distribute I/O across multiple volumes
137. While creating the wait condition resource in AWS CloudFormation, a SysOps Administrator receives the error “received 0 signals out of the 1 expected from the EC2 instance”. What steps should be taken to troubleshoot this issue? (Choose two.)
A. Confirm from the cfn logs that the cfn-signal command was successfully run on the instance.
B. Try to re-create the stack with a different IAM user.
C. Check that the instance has a route to the Internet through a NAT device.
D. Update the AWS CloudFormation stack service role to have iam:PassRole permission.
E. Delete the existing stack and attempt to create a new one.
138. An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime. To satisfy the requirements, which one of these services can the SysOps Administrator enable at-rest encryption on?
A. EBS General Purpose SSD volumes
B. RDS PostgreSQL database
C. Amazon EFS file systems
D. S3 objects within a bucket
139. A SysOps Administrator noticed that a large number of Elastic IP addresses are being created on the company’s AWS account, but they are not being associated with Amazon EC2 instances, and are incurring Elastic IP address charges in the monthly bill. How can the Administrator identify who is creating the Elastic IP addresses?
A. Attach a cost-allocation tag to each requested Elastic IP address with the IAM user name of the Developer who creates it.
B. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events.
C. Create a CloudWatch alarm on the EIP Created metric and send an Amazon SNS notification when the alarm triggers.
D. Use Amazon Inspector to get a report of all Elastic IP addresses created in the last 30 days.
140. An application run by a SysOps Administrator is under repeated, large-scale distributed denial of service (DDoS) attacks. Each time an attack occurs, multiple customers reach out to the Support team to report outages. The Administrator wants to minimize potential downtime from the DDoS attacks. The company requires 24/7 support. Which AWS service should be set up to protect the application?
A. AWS Trusted Advisor
B. AWS Shield Advanced
C. Amazon Cognito
D. Amazon Inspector
141. A SysOps Administrator needs Amazon EC2 instances in two different VPCs in private subnets to be able to communicate. A peering connection between the two VPCs has been created using the AWS Management Console and shows a status of Active. The instances are still unable to send traffic to each other. Why are the EC2 instances unable to communicate?
A. One or both of the VPCs do not have an Internet Gateway attached
B. The route tables have not been updated
C. The peering connection has not been properly tagged
D. One or both of the instances do not have an Elastic IP address assigned
142. With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?
A. Deny Post, Put, and Delete on the bucket
B. Enable server-side encryption on the bucket
C. Enable Amazon S3 versioning on the bucket
D. Enable snapshots on the bucket
143. A SysOps Administrator has an AWS Lambda function that stops all Amazon EC2 instances in a test environment at night and on the weekend. Stopping instances causes some servers to become corrupt due to the nature of the applications running on them. What can the SysOps Administrator use to identify these EC2 instances?
A. AWS Config
B. Amazon EC2 termination protection
C. Resource tagging
D. Amazon CloudWatch
144. A company has Amazon EC2 instances that serve web content behind an Elastic Load Balancing (ELB) load balancer. The ELB Amazon CloudWatch metrics from a few hours ago indicate a significant number of 4XX errors. The EC2 instances from the time of these errors have been deleted. At the time of the 4XX errors, how can an Administrator obtain information about who originated these requests?
A. If ELB access logs have been enabled, the information can be retrieved from the S3 bucket
B. Contact AWS Support to obtain application logs from the deleted instances
C. Amazon S3 always keeps a backup of application logs from EC2 instances. Retrieve these logs for analysis
D. Use AWS Trusted Advisor to obtain ELB access logs
145. A company has an asynchronous nightly process that feeds the results to a data warehouse system for weekly and monthly reporting. The process is running on a fleet of Amazon EC2 instances. A SysOps Administrator has been asked to identify ways to reduce the cost of running this process. What is the MOST cost-effective solution?
A. Use On-Demand EC2 instances in an Auto Scaling group
B. Use Spot Instances to bid for the EC2 instances
C. Use Reserved Instances to ensure the capacity
D. Put the EC2 instances in a placement group
146. A developer deploys an application running on Amazon EC2 by using an AWS CloudFormation template. The developer launches the stack from the console logged in as an AWS Identity and Access Management (IAM) user. When a SysOps Administrator attempts to run the same AWS CloudFormation template in the same AWS account from the console, it fails and returns the error: “The image id ‘[ami-2a69aa47]’ does not exist” What is the MOST likely cause of the failure?
A. The Administrator does not have the same IAM permissions as the developer.
B. The Administrator used a different SSH key from that of the developer.
C. The Administrator is running the template in a different region.
D. The Administrator’s Amazon EC2 service limits have been exceeded
147. A company has configured a library of IAM roles that grant access to various AWS resources. Each employee has an AWS IAM user, some of which have the permission to launch Amazon EC2 instances. The SysOps Administrator has attached the following policy to those users:
What would be the result of this policy?
A. Users are able to switch only to a role name that begins with “InfraTeam” followed by any other combination of characters.
B. Users with the role of InfraTeamLinux are able to launch an EC2 instance and attach that role to it.
C. “InfraTeam” role is being passed to a user who has full EC2 access.
D. EC2 instances that are launched by these users have full AWS permissions.
148. An organization has hired an external firm to audit unauthorized changes in the company’s AWS environment, and the external auditor needs appropriate access. How can this be accomplished?
A. Create an IAM user and assign them a new policy with GetResources access on AWS Artifact
B. Create an IAM user and add them to the existing “Administrator” IAM group
C. Create an IAM user and assign them a new IAM policy with read access to the AWS CloudTrail logs in Amazon S3
D. Create an IAM user and assign them a new policy with ListFindings access on Amazon Inspector
149. A SysOps Administrator wants to automate the process of configuration, deployment, and management of Amazon EC2 instances using Chef or Puppet. Which AWS service will satisfy the requirement?
A. AWS Elastic Beanstalk
B. AWS CloudFormation
C. AWS OpsWorks
D. AWS Config
149. A company must share monthly report files that are uploaded to Amazon S3 with a third party. The third-party user list is dynamic, is distributed, and changes frequently. The least amount of access must be granted to the third party. Administrative overhead must be low for the internal teams who manage the process. How can this be accomplished while providing the LEAST amount of access to the third party?
A. Allow only specified IP addresses to access the S3 buckets which will host files that need to be provided to the third party.
B. Create an IAM role with the appropriate access to the S3 bucket, and grant login permissions to the console for the third party to access the S3 bucket.
C. Create a pre-signed URL that can be distributed by email to the third party, allowing it to download specific S3 files.
D. Have the third party sign up for an AWS account, and grant it cross-account access to the appropriate S3 bucket in the source account.
150. An administrator is responding to an alarm that reports increased application latency. Upon review, the Administrator notices that the Amazon RDS Aurora database frequently runs at 100% CPU utilization. The application is read heavy and does frequent lookups of a product table. What should the Administrator do to reduce the application latency?
A. Move the product table to Amazon Redshift and use an interleaved sort key
B. Add Aurora Replicas and use a Reader Endpoint for product table lookups
C. Move the product table to Amazon CloudFront and set the cache-control headers to public
D. Use Auto Scaling to add extra Aurora nodes and set a trigger based on CPU utilization
151. A company is running a new promotion that will result in a massive spike in traffic for a single application. The SysOps Administrator must prepare the application and ensure that the customers have a great experience. The application is heavy on memory and is running behind an AWS Application Load Balancer (ALB). The ALB has been pre-warmed, and the application is in an Auto Scaling group. What built-in metric should be used to control the Auto Scaling group’s scaling policy?
A. RejectedConnectionCount
B. RequestCountPerTarget
152. An e-commerce company hosts its website on the AWS us-west-1 region. It plans to create a special site for a promotion that should be visible only to shoppers from Canada. What change should the SysOps Administrator make to the company’s existing AWS setup to achieve this result?
A. Update the Amazon Route 53 record set to use a latency routing policy for the new site
B. Update the Application Load Balancer with a new host-based routing rule for the new site
C. Update the Amazon Route 53 record set to use a geolocation routing policy for the new site
D. Update the Application Load Balancer with a new path-based routing rule for the new site
152. A SysOps Administrator is creating an Amazon EC2 instance and has received an InsufficientInstanceCapacity error. What is the cause of the error and how can it be corrected?
A. AWS does not currently have enough capacity to service the request for that instance type. A different Availability Zone or instance type must be used.
B. The account has reached its concurrent running instance limit. An EC2 limit increase request must be filed with AWS Support.
C. The APIs that service the EC2 requests have received too many requests and capacity has been reached. The request should be attempted again in a few minutes.
D. The Administrator did not specify the correct size of the instance to support the capacity requirements of the workload. Select a bigger instance.
153. A web application runs on Amazon EC2 instances with public IPs assigned behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Multi-AZ DB instance. The Application Load Balancer, EC2 instances, and RDS DB instance all run in separate sets of subnets. The EC2 instances can communicate with the DB instance, but cannot connect with external services. What is the MOST likely solution?
A. Assign a public IP address to the database server and restart the database engine.
B. Create and attach an Internet gateway to the VPC. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the gateway.
C. Create and attach a virtual private gateway to the VPC. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the gateway.
D. Create a VPC peering connection to a VPC that has an Internet gateway attached. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the peered VPC.
154. A company has deployed a new application running on Amazon EC2 instances. The application team must verify for the Security team that all common vulnerabilities and exposures have been addressed, both now and regularly throughout the application’s lifespan. How can the Application team satisfy the Security team’s requirement?
A. Perform regular assessments with Amazon Inspector
B. Perform regular assessments with AWS Trusted Advisor
C. Integrate AWS Personal Health Dashboard with Amazon CloudWatch events to get security notifications
D. Grant the Administrator and Security team access to AWS Artifact
155. InfoSec is concerned that an employee may expose sensitive data in an Amazon S3 bucket. How can this concern be addressed without putting undue restrictions on users?
A. Apply an IAM policy on all users that denies the action s3:PutBucketPolicy
B. Restrict S3 bucket access to specific IAM roles managed using federated access
C. Activate an AWS Config rule to identify public buckets and alert InfoSec using Amazon SNS
D. Email the findings of AWS Personal Health Dashboard to InfoSec daily
156. A SysOps Administrator discovers the organization’s tape archival system is no longer functioning in its on-premises data center. What AWS service can be used to create a virtual tape interface to replace the physical tape system?
A. AWS Snowball
B. AWS SMS
C. Amazon Glacier
D. AWS Storage Gateway
157. A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times: *** Error Establishing a Database Connection. Which of the following may be causes of the connectivity problems? (Choose two.)
A. The security group for the database does not have the appropriate egress rule from the database to the web server.
B. The certificate used by the web server is not trusted by the RDS instance.
C. The security group for the database does not have the appropriate ingress rule from the web server to the database.
D. The database is still being created and is not available for connectivity.
158. A SysOps Administrator must evaluate storage solutions to replace a company’s current user-shared drives infrastructure. Any solution must support security controls that enable Portable Operating System Interface (POSIX) permissions and Network File System protocols. Additionally, any solution must be accessible from multiple Amazon EC2 instances and on-premises servers connected to the Amazon VPC. Which AWS service meets the user drive requirements?
A. Amazon S3
B. Amazon EFS
C. Amazon EBS
D. Amazon SQS
159. A company’s Auditor implemented a compliance requirement that all Amazon S3 buckets must have logging enabled. How should the SysOps Administrator ensure this compliance requirement is met, while still permitting Developers to create and use new S3 buckets?
A. Add AWS CloudTrail logging for the S3 buckets.
B. Implement IAM policies to allow only the Storage team to create S3 buckets.
C. Add the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED.
D. Create an AWS Lambda function to delete the S3 buckets if logging is not turned on.
160. A company is deploying a legacy web application on Amazon EC2 instances behind an ELB Application Load Balancer. The application worked well in the test environment. However, in production, users report that they are prompted to log in to the system several times an hour. Which troubleshooting step should be taken to help resolve the problem reported by users?
A. Confirm that the Application Load Balancer is in a multi-AZ configuration.
B. Enable health checks on the Application Load Balancer.
C. Ensure that port 80 is configured on the security group.
D. Enable sticky sessions on the Application Load Balancer