AWS Certified SysOps Administrator SOA-C02 Practice Exam Part 5
Notes: Hi all, AWS Certified SysOps Administrator Associate SOA-Co2 Practice Exam Part 5 will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics. We highly recommend you should take AWS Certified SysOps Administrator Associate SOA-Co2 Actual Exam Version because it include real questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.
161. A SysOps Administrator is responsible for managing a set of 12.micro Amazon EC2 instances. The Administrator wants to automatically reboot any instance that exceeds 80% CPU utilization. Which of these solutions would meet the requirements?
A. Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a terminate alarm action.
B. Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a reboot alarm action.
C. Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a reboot alarm action.
D. Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a terminate alarm action.
162. A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours, but at times, the process stalls due to installation errors. The SysOps Administrator must modify the CloudFormation template so if the process stalls, the entire stack will fail and roll back. Based on these requirements, what should be added to the template?
A. Conditions with a timeout set to 4 hours.
B. CreationPolicy with a timeout set to 4 hours.
C. DependsOn with a timeout set to 4 hours.
D. Metadata with a timeout set to 4 hours.
163. An HTTP web application is launched on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run across multiple Availability Zones. A network ACL and a security group for the load balancer and EC2 instances allow inbound traffic on port 80. After launch, the website cannot be reached over the internet. What additional step should be taken?
A. Add a rule to the security group allowing outbound traffic on port 80.
B. Add a rule to the network ACL allowing outbound traffic on port 80.
C. Add a rule to the security group allowing outbound traffic on ports 1024 through 65535.
D. Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535.
164. A SysOps Administrator stores crash dump files in Amazon S3. New security and privacy measures require that crash dumps older than 6 months be deleted. Which approach meets this requirement?
A. Use Amazon CloudWatch Events to delete objects older than 6 months.
B. Implement lifecycle policies to delete objects older than 6 months.
C. Use the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class to automatically delete objects older than 6 months.
D. Create versioning rules to delete objects older than 6 months.
165. A SysOps Administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code: AMI [ami-12345678] does not exist. How should the Administrator ensure that the AWS CloudFormation template is working in every region?
A. Copy the source region’s Amazon Machine Image (AMI) to the destination region and assign it the same ID.
B. Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
C. Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS: :EC2: :AMI: :ImageID control.
D. Modify the AWS CloudFormation template by including the AMI IDs in the “Mappings” section. Refer to the proper mapping within the template for the proper AMI ID.
166. A company is storing monthly reports on Amazon S3. The company’s security requirement states that traffic from the client VPC to Amazon S3 cannot traverse the internet. What should the SysOps Administrator do to meet this requirement?
A. Use AWS Direct Connect and a public virtual interface to connect to Amazon S3.
B. Use a managed NAT gateway to connect to Amazon S3.
C. Deploy a VPC endpoint to connect to Amazon S3.
D. Deploy an internet gateway to connect to Amazon S3.
167. A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances. How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement?
A. Update the EFS file system settings to enable server-side encryption using AES-256.
B. Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.
C. Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system.
D. Modify the EFS file system mount options to enable Transport Layer Security (TLS) on each of the EC2 instances.
168. An application running on Amazon EC2 instances needs to write files to an Amazon S3 bucket. What is the MOST secure way to grant the application access to the S3 bucket?
A. Create an IAM user with the necessary privileges. Generate an access key and embed the key in the code running on the EC2 instances.
B. Install secure FTP (SFTP) software on the EC2 instances. Use an AWS Lambda function to copy the files from the EC2 instances to Amazon S3 using SFTP.
C. Create an IAM role with the necessary privileges. Associate the role with the EC2 instances at launch.
D. Use rsync and cron to set up the transfer of files from the EC2 instances to the S3 bucket. Enable AWS Shield to protect the data.
169. Company A purchases company B and inherits three new AWS accounts. Company A would like to centralize billing and reserved instance benefits but wants to keep all other resources separate. How can this be accomplished?
A. Implement AWS Organizations and create a service control policy that defines the billing relationship with the new master account.
B. Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console.
C. Send Cost and Usage Reports files to a central Amazon S3 bucket and load the data into Amazon Redshift. Use Amazon QuickSight to provide visualizations to the finance team.
D. Link the Reserved Instances to the master payer account and use Amazon Redshift Spectrum to query Detailed Billing Report data across all accounts.
170. A company has multiple web applications running on Amazon EC2 instances in private subnets. The EC2 instances require connectivity to the internet for patching purposes, but cannot be publicly accessible. Which step will meet these requirements?
A. Add an internet gateway and update the route tables.
B. Add a NAT gateway to the VPC and update the route tables.
C. Add an interface endpoint and update the route tables.
D. Add a virtual gateway to the VPC and update the route tables.
171. A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC. What is the SIMPLEST method to deploy and update the VPCs in each account?
A. Create an AWS CloudFormation template defines the VPC. Log in to the AWS Management Console under each account and create a stack from the template.
B. Create a shell script that configures the VPC using the AWS CLI. Provide a list of accounts to the script from a text file, then create the VPC in every account in the list.
C. Create an AWS Lambda function that configures the VPC. Store the account information in Amazon DynamoDB, grant Lambda access to the DynamoDB table, then create the VPC in every account in the list.
D. Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template, then deploy the template to all accounts using the stack set.
172. After a network change, application servers cannot connect to the corresponding Amazon RDS MySQL database. What should the SysOps Administrator analyze?
A. VPC Flow Logs
B. Elastic Load Balancing logs
C. Amazon CloudFront logs
D. Amazon RDS MySQL error logs
173. A SysOps Administrator has configured health checks on a load balancer. An Amazon EC2 instance attached to this load balancer fails the health check. What will happen next? (Choose two.)
A. The load balancer will continue to perform the health check on the EC2 instance.
B. The EC2 instance will be terminated based on the health check failure.
C. The EC2 instance will be rebooted.
D. The load balancer will stop sending traffic to the EC2 instance.
E. A new EC2 instance will be deployed to replace the unhealthy instance.
174. An Application performs read-heavy operations on an Amazon Aurora DB instance. The SysOps Administrator monitors the CPUUtilization CloudWatch metric and has recently seen it increase to 90%. The Administrator would like to understand what is driving the CPU surge. Which of the following should be Administrator additionally monitor to understand the CPU surge?
A. FreeableMemory and DatabaseConnections to understand the amount of available RAM and number of connections to DB instance.
B. FreeableMemory and EngineUptime to understand the amount of available RAM and the amount of time the instance has been up and running.
C. DatabaseConnections and AuroraReplicaLag for the number of connections to the DB instance and the amount of lag when replicating updates from the primary instance.
D. DatabaseConnections and InsertLatency for the number of connections to the DB instance and latency for insert queries
175. A SysOps Administrator must use a bastion host to administer a fleet of Amazon EC2 instances. All access to the bastion host is managed by the Security team. What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host?
A. Assign the same IAM role to the Administrator that is assigned to the bastion host.
B. Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched.
C. Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator.
D. Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.
176. A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be cut of compliance because it was not encrypted. Which approach will resolve the encryption requirement?
A. Log in to the RDS console and select the encryption box to encrypt the database.
B. Create a new encrypted Amazon EBS volume and attach it to the instance.
C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
D. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
177. A company’s Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team’s AWS account for monitoring. How can this be accomplished?
A. Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and sent the information to an Amazon SQS queue managed by the Security team.
B. Create an event bus in the Security team’s account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team’s event bus as the target.
C. Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.
D. Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team.
178. A SysOps Administrator is writing a utility that publishes resources from an AWS Lambda function in AWS account A to an Amazon S3 bucket in AWS Account B. The Lambda function is able to successfully write new objects to the S3 bucket, but IAM users in Account B are unable to delete objects written to the bucket by Account A. Which step will fix this issue?
A. Add s3:Deleteobject permission to the IAM execution role of the AWS Lambda function in Account A.
B. Change the bucket policy of the S3 bucket in Account B to allow s3:Deleteobject permission for Account A.
C. Disable server-side encryption for objects written to the S3 bucket by the Lambda function.
D. Call the S3:PutObjectAcl API operation from the Lambda function in Account A to specify bucket owner, full control.
179. Which of the following steps are required to configure SAML 2.0 for federated access to AWS? (Choose two.)
A. Create IAM users for each identity provider (IdP) user to allow access to the AWS environment.
B. Define assertions that map the company’s identity provider (IdP) users to IAM roles.
C. Create IAM roles with a trust policy that lists the SAML provider as the principal.
D. Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions.
E. Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the AWS environment.
180. A SysOps Administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet. What should be added to the private subnet’s route table in order to address this issue, given the information provided.
C. 10.0.1.0/24 IGW
181. An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted. How can this be resolved?
A. Enable encryption on each EFS connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
B. Enable encryption on the existing EFS volume by using the AWS Command Line interface.
C. Enable encryption on each host local drive. Restart each host to encrypt the drive.
D. Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
182. An existing data management application is running on a single Amazon EC2 instance and needs to be moved to a new AWS Region in another AWS account. How can a SysOps Administrator achieve this while maintaining the security of the application?
A. Create an encrypted Amazon Machine Image (AMI) of the instance and make it public to allow the other account to search and launch an instance from it.
B. Create an AMI of the instance, add permissions for the AMI to the other AWS account, and start a new instance in the new region by using that AMI.
C. Create an AMI of the instance, copy the AMI to the new region, add permissions for the AMI to the other AWS account, and start new instance.
D. Create an encrypted snapshot of the instance and make it public. Provide only permissions to decrypt to the other AWS.
183. A SysOps Administrator manages an application that stores object metadata in Amazon S3. There is a requirement to have S2 server-side encryption enabled on all new objects in the bucket. How can the Administrator ensure that all new objects to the bucket satisfy this requirement?
A. Create an S3 lifecycle rule to automatically encrypt all new objects.
B. Enable default bucket encryption to ensure that all new objects are encrypted.
C. Use put-object-acl to allow objects to be encrypted with S2 server-side encryption.
D. Apply the authorization header to S3 requests for S3 server-side encryption.
184. An application is running on multiple EC2 instances. As part of an initiative to improve overall infrastructure security, the EC2 instances were moved to a private subnet. However, since moving, the EC2 instances have not been able to automatically update, and a SysOps Administrator has not been able to SSH into them remotely. Which two actions could the Administrator take to securely resolve these issues? (Choose two.)
A. Set up a bastion host in a public subnet, and configure security groups and route tables accordingly.
B. Set up a bastion host in the private subnet, and configure security groups accordingly.
C. Configure a load balancer in a public subnet, and configure the route tables accordingly.
D. Set up a NAT gateway in a public subnet, and change the private subnet route tables accordingly.
E. Set up a NAT gateway in a private subnet, and ensure that the route tables are configured accordingly.
185. A SysOps Administrator has been tasked with deploying a company’s infrastructure as code. The Administrator wants to write a single template that can be reused for multiple environments in a safe, repeatable manner. What is the recommended way to use AWS CloudFormation to meet this requirement?
A. Use parameters to provision the resources.
B. Use nested stacks to provision the resources.
C. Use Amazon EC2 user data to provision the resources.
D. Use stack policies to provision the resources.
186. An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application. What is the MOST scalable storage solution to fulfill the requirement?
A. Connect a large Amazon EBS volume to multiple instances and schedule snapshots.
B. Deploy Amazon EFS is in the VPC and create mount targets in multiple subnets.
C. Launch an EC2 instance and share data using SMB/CIFS or NFS.
D. Deploy an AWS Storage Gateway cached volume on Amazon EC2.
187. A SysOps Administrator is running an auto-scaled application behind a Classic Load Balncer. Scaling out is triggered when the CPUUtilization instance metric is more than 75% across the Auto Scaling group. The Administrator noticed aggressive scaling out and after discussing with developers, an application memory leak is suspected causing aggressive garbage collection cycle. How can the Administrator troubleshoot the application without triggering the scaling process?
A. Suspend the scaling process before troubleshooting.
B. Delete the Auto Scaling group and recreate it when troubleshooting is complete.
C. Remove impacted instances from the Classic Load Balancer.
D. Create a scale down trigger when the CPUUtilization instance metric is at 70%.
188. A SysOps Administrator is deploying a legacy web application on AWS. The application has four Amazon EC2 instances behind Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application code is no longer available to update. What cost-effective configuration change should the Administrator make to migrate the risk of SQL injection attacks?
A. Configure Amazon GuardDuty to monitor the application for SQL injection threats.
B. Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks.
C. Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF on the Application Load Balancer.
D. Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe to AWS Shield Standard.
189. A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account’s Amazon S3 bucket. Moving forward, how can the SysOps Administrator confirm that the log files have not been modified after being delivered to the S3 bucket.
A. Stream the CloudTrail logs to Amazon CloudWatch to store logs at a secondary location.
B. Enable log file integrity validation and use digest files to verify the hash value of the log file.
C. Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
D. Enable S3 server access logging to track requests made to the log bucket for security audits.
190. After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon Machine Image (AMI), the SysOps Administrator is unable to connect to the instance using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of troubleshooting, the Administrator deploys a second instance from a different AMI using the same configuration and is able to connect to the instance. What should be the next logical step in troubleshooting the first instance?
A. Use AWS Trusted Advisor to gather operating system log files for analysis.
B. Use VPC Flow Logs to gather operating system log files for analysis.
C. Use EC2Rescue to gather operating system log files for analysis.
D. Use Amazon Inspector to gather operating system log files for analysis.
191. A custom application must be installed on all Amazon EC2 instances. The application is small, updated frequently and can be installed automatically. How can the application be deployed on new EC2 instances?
A. Launch a script that downloads and installs the application using the Amazon EC2 user data.
B. Create a custom API using Amazon API Gateway to call an installation executable from an AWS CloudFormation Template.
C. Use AWS Systems Manager to inject the application into an AMI.
D. Configure AWS CodePipeline to deploy code changes and updates.
192. A SysOps Administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. Which collection of configuration changes will increase the cache hit ratio for the distribution? (Select two.)
A. Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings
B. Change the Viewer Protocol Policy to use HTTPS only
C. Configure the distribution to use pre-signed cookies and URLs to restrict access to the distribution
D. Enable automatic compression of objects in the Cache Behavior Settings
E. Increase the CloudFront time to live (TTL) settings in the Cache Behavior
193. What should a SysOps Administrator do to ensure a company has visibility into maintenance events performed by AWS?
A. Run a script that queries AWS Systems Manager for upcoming maintenance events, and then push these events to an Amazon SNS topic to which the Operations team is subscribed.
B. Query the AWS Health API for upcoming maintenance events and integrate the results with the company’s existing operations dashboard.
C. Integrate the AWS Service Health Dashboard RSS feed into the company’s existing operations dashboard.
D. Use Amazon Inspector to send notifications of upcoming maintenance events to the Operations team distribution list.
194. A SysOps Administrator manages a website running on Amazon EC2 instances behind an ELB Application Load Balancer. Users visiting the load balancer’s DNS address in a browser are reporting errors. The administrator has confirmed:
– The security groups and network ACLs are correctly configured.
– The load balancer target group shows no healthy instances.
What should the Administrator do to resolve this issue?
A. Review the application’s logs for requests originating from the VPC DNS address.
B. Review the load balancer access logs, looking for any issues or errors.
C. Review the load balancer target group health check configuration.
D. Review the load balancer listener configuration.
195. A company is running multiple AWS Lambda functions in a non-VPC environment. Most of the functions are application-specific; an operational function is involved synchronously every hour. Recently, the Applications team deployed new functions that are triggered based on an Amazon S3 event to process multiple files that are uploaded to an S3 bucket simultaneously. The SysOps Administrator notices that the operational function occasionally fails to execute due to throttling. What step should the Administrator take to make sure that the operational function executes?
A. Redeploy the operational function to a VPC.
B. Increase the operational function timeout.
C. Set the operational function concurrency to 1.
D. Increase the operational function memory.
196. A SysOps Administrator must ensure all Amazon EBS volumes currently in use, and those created in the future, are encrypted with a specific AWS KMS customer master key (CMK). What is the MOST efficient way for the Administrator to meet this requirement?
A. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws ec2 describe-volumes –filters encrypted command.
B. Within Aws Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
C. Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
D. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe key command.
197. A company has an application running on a fleet of Microsoft Windows instances. Patches to the operating system need to be applied each month. AWS Systems Manager Patch Manager is used to apply the patches on a schedule. When the fleet is being patched, customers complain about delayed service responses.
A. Change the number of instances patched at any one time to 100%.
B. Create a snapshot of each server in the fleet using a Systems Manager Automation document before starting the patch process.
C. Configure the maintenance window to patch 10% of the instance in the patch group at a time.
D. Create a patched Amazon Machine Image (AMI). Configure the maintenance window option to deploy the patched AMI on only 10% of the fleet at a time.
198. A local agency plans to deploy 50 Raspberry Pi devices throughout a city. All the devices need to be managed centrally, and their configurations need to be consistent. What is the BEST service for managing these devices?
A. AWS Config
B. AWS Systems Manager
C. Amazon Inspector
D. AWS Service Catalog
199. A SysOps Administrator needs an Amazon EBS volume type for a big data application. The application data is accessed infrequently and stored sequentially. What EBS volume type will be the MOST cost-effective solution?
A. Provisioned IOPS SSD (io1)
B. Cold HDD (sc1)
C. Throughout Optimized HDD (st1)
D. General Purpose SSD (gp2)
200. A SysOps Administrator created an AWS Service Catalog portfolio and shared the portfolio with a second AWS account in the company. The second account is controlled by a different Administrator. Which action will the Administrator of the second account be able to perform?
A. Add a product from the imported portfolio to a local portfolio.
B. Add new products to the imported portfolio.
C. Change the launch role for the products contained in the imported portfolio.
D. Remove products from the imported portfolio.