SOA-C01 AWS Certified SysOps Administrator - Associate Question and Answers

Question # 4

A SysOps Administrator needs to control access to groups of Amazon EC2 instances. Specific tags on the EC2 instances have already been added. Which additional actions should the Administrator take to control access? (Select TWO)

A.

Attach an IAM policy to the users or groups that require access to the EC2 instances

B.

Attach an IAM role to control access to the EC2 instances

C.

Create a placement group for the EC2 instances and add a specific tag

D.

Create a service account and attach it to the EC2 instances that need to be controlled

E.

Create an IAM policy that grants access to any EC2 instances with a tag specified in the condition element

Question # 5

A SysOps Administrator manages an Amazon RDS MySQL DB instance in production. The database is accessed by several applications. The Administrator needs to ensure minimal downtime of the applications in the event the database suffers a failure. This change must not impact customer use during regular business hours.

Which action will make the database MORE highly available?

A.

Contact AWS Support to pre-warm the database to ensure that it can handle any unexpected spikes in traffic

B.

Create a new Multi-AZ RDS DB instance. Migrate the data to the new DB instance and delete the old one

C.

Create a read replica from the existing database outside of business hours

D.

Modify the DB instance outside of business hours to be a Multi-AZ deployment

Question # 6

In configuring an Amazon Route 53 health check, a SysOps Administrator selects ‘Yes’ to the String Matching option in the Advanced Configuration section. In the Search String box, the Administrator types the following text: /html.

This is to ensure that the entire page is loading during the health check. Within 5 minutes of enabling the health check, the Administrator receives an alert stating that the check failed. However, when the Administrator navigates to the page, it loads successfully.

What is the MOST likely cause of this false alarm?

A.

The search string is not HTML-encoded.

B.

The search string must be put in quotes.

C.

The search string must be escaped with a backslash (\) before the forward slash (/).

D.

The search string is not in the first 5120 bytes of the tested page.

Question # 7

A company has a business application hosted on Amazon EC2 instances behind an Application Load Balancer. Amazon CloudWatch metrics show that the CPU utilization on the EC2 instances is very high. There are also reports from users that receive HTTP 503 and 504 errors when they try to connect to the application.

Which action will resolve these issues?

A.

Place the EC2 instances into an AWS Auto Scaling group.

B.

Configure the ALB's Target Group to use more frequent health checks.

C.

Enable sticky sessions on the Application Load Balancer.

D.

Increase the idle timeout setting of the Application Load Balancer.

Question # 8

Development teams are maintaining several workloads on AWS. Company management is concerned about rising costs and wants the SysOps Administrator to configure alerts so teams are notified when spending approaches preset limits.

Which AWS service will satisfy these requirements?

A.

AWS Budgets

B.

AWS Cost Explorer

C.

AWS Trusted Advisor

D.

AWS Cost and Usage report

Question # 9

A SysOps administrator is running an automatically scaled application behind an Application Load Balancer. Scaling out is triggered when the CPU Utilization instance metric is more than 75% across the Auto Scaling group. The administrator noticed aggressive scaling out. Developers suspect an application memory leak that is causing aggressive garbage collection cycles.

How can the administrator troubleshoot the application without triggering the scaling process?

A.

Create a scale down trigger when the CPUUtilization instance metric is at 70%.

B.

Delete the Auto Scaling group and recreate it when troubleshooting is complete

C.

Remove impacted instances from the Application Load Balancer.

D.

Suspend the scaling process before troubleshooting.

Question # 10

A SysOps Administration team is supporting an application that stores a configuration file in an Amazon S3 bucket. Previous revisions of the configuration file must be maintained for change control and rollback.

How should the S3 bucket be configured to meet these requirements?

A.

Enable a lifecycle policy on the S3 bucket

B.

Enable cross-origin resource sharing on the S3 bucket

C.

Enable object tagging on the S3 bucket

D.

Enable versioning on the S3 bucket

Question # 11

A user accidentally deleted a file from an Amazon EBS volume. The SysOps Administrator identified a recent snapshot for the volume.

What should the Administrator do to restore the user's file from the snapshot?

A.

Attach the snapshot to a new Amazon EC2 instance in the same Availability Zone, and copy the deleted file.

B.

Browse to the snapshot and copy the file to the EBS volume within an Amazon EC2 instance.

C.

Create a volume from the snapshot, attach the volume to an Amazon EC2 instance, and copy the deleted file.

D.

Restore the file from the snapshot onto an EC2 instance using the Amazon EC2 console.

Question # 12

A company hosts a multi-tier ecommerce web application on AWS, and has recently been alerted to suspicious application traffic. The architecture consists of Amazon EC2 instances deployed across multiple Availability Zones behind an Application Load Balancer (ALB). After examining the server logs, a sysops administrator determines that the suspicious traffic is an attempted SQL injection attack.

What should the sysops administrator do to prevent similar attacks?

A.

Install Amazon Inspector on the EC2 instances and configure a rules package. Use the findings reports to identify and block SQL injection attacks.

B.

Modify the security group of the ALB. Use the IP addresses from the logs to block the IP addresses where SQL injection originated.

C.

Create an AWS WAF web ACL in front of the ALB. Add an SQL injection rule to the web ACL. Associate the web ACL to the ALB.

D.

Enable Amazon GuardDuty in the AWS Region. Use Amazon CloudWatch Events to trigger an AWS Lambda function response every time an SQL injection finding is discovered.

Question # 13

A company runs an Amazon RDS MySQL DB instance. Corporate policy requires that a daily backup of the database must be copied to a separate security account.

What is the MOST cost-effective way to meet this requirement?

A.

Copy an automated RDS snapshot to the security account using the copy-db-snapshot command with the AWS CLI.

B.

Create an RDS MySQL Read Replica for the critical database in the security account, then enable automatic backups for the Read Replica.

C.

Create an RDS snapshot with the AWS CLI create-db-snapshot command, share it with the security account, then create a copy of the shared snapshot in the security account.

D.

Use AWS DMS to replicate data from the critical database to another RDS MySQL instance in the security account, then use an automated backup for the RDS instance.

Question # 14

An environment company has discovered that a number of Amazon EC2 instances in a VPC are marked as high risk according to a Common Vulnerabilities and Exposures (CVE) report. The Security team requests that all these instances be upgraded.

Who is responsible for upgrading the EC2 instances?

A.

The AWS Security team

B.

The Amazon EC2 team

C.

The AWS Premium Support team

D.

The company’s System Administrator

Question # 15

A SysOps Administrator is managing a web application that runs on Amazon EC2 instances behind an ELB Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy.

Which condition should be used with the alarm?

A.

AWS/ApplicationELB HealthyHostCount <= 0

B.

AWS/ApplicationELB UnhealthyHostCount >= 1

C.

AWS/EC2 StatusCheckFailed <= 0

D.

AWS/EC2 StatusCheckFailed >= 1

Question # 16

A SysOps Administrator has an AWS CloudFormation template of the company’s existing infrastructure in us-west-2. The Administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back.

Why would this template fail to deploy? (Choose two.)

A.

The template referenced an IAM user that is not available in eu-west-1

B.

The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1

C.

The template did not have the proper level of permissions to deploy the resources

D.

The template requested services that do not exist in eu-west-1

E.

CloudFormation templates can be used only to update existing services

Question # 17

A sysops administrator has an AWS Lambda function that performs maintenance on various AWS resources. This function must be run nightly. Which is the MOST cost-effective solution?

A.

Launch a single t2.nano Amazon EC2 instance and create a Linux cron job to invoke the Lambda function at the same time every night.

B.

Set up an Amazon CloudWatch metrics alarm to invoke the Lambda function at the same time every night.

C.

Schedule a CloudWatch event to invoke the Lambda function at the same time every night.

D.

Implement a Chef recipe in AWS OpsWorks stack to invoke the Lambda function at the same time every night.

Question # 18

A SysOps Administrator must set up notifications for whenever combined billing exceeds a certain threshold for all AWS accounts within a company. The Administrator has set up AWS Organizations and enabled Consolidated Billing.

Which additional steps must the Administrator perform to set up the billing alerts?

A.

In the payer account: Enable billing alerts in the Billing and Cost Management console; publish an Amazon SNS message when the billing alert triggers.

B.

In each account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.

C.

In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in the Billing and Cost Management console to publish an SNS message when the alarm triggers.

D.

In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.

Question # 19

A SysOps Administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the Internet.

Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)

A.

Add a NAT gateway to a public subnet

B.

Attach a private address to the elastic network interface on the EC2 instance

C.

Attach an Elastic IP address to the internet gateway

D.

Add an entry to the route table for the subnet that points to an internet gateway

E.

Create an internet gateway and attach it to a VPC

Question # 20

A company’s use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details of daily spending to share with management.

Which method should the Administrator choose to produce this data?

A.

Share the monthly AWS bill with management.

B.

Use AWS CloudTrail Logs to access daily costs in JSON format.

C.

Set up daily Cost and Usage Report and download the output from Amazon S3.

D.

Monitor AWS costs with Amazon CloudWatch and create billing alerts and notifications.

Question # 21

A SysOps Administrator is running Amazon EC2 instances in multiple AWS Regions. The Administrator wants to aggregate the CPU utilization for all instances onto an Amazon CloudWatch dashboard. Each region should be present on the dashboard and represented by a single graph that contains the CPU utilization for all instances in that region.

How can the Administrator meet these requirements?

A.

Create a cross-region dashboard using AWS Lambda and distribute it to all regions

B.

Create a custom CloudWatch dashboard and add a widget for each region in the AWS Management Console

C.

Enable cross-region dashboards under the CloudWatch section of the AWS Management Console

D.

Switch from basic monitoring to detailed monitoring on all instances

Question # 22

An application running on Amazon EC2 needs login credentials to access a database. The login credentials are stored in AWS Systems Manager Parameter Store as secure string parameters.

What is the MOST secure way to grant the application access to the credentials?

A.

Create an IAM EC2 role for the EC2 instances and grant the role permission to read the Systems Manager parameters

B.

Create an IAM group for the application and grant the group permissions to read the Systems Manager parameters

C.

Create an IAM policy for the application and grant the policy permission to read the Systems Manager parameters

D.

Create an IAM user for the application and grant the user permission to read the Systems Manager parameters

Question # 23

A SysOps Administrator receives an email from AWS about a production Amazon EC2 instance backed by Amazon EBS that is on a degraded host scheduled for retirement. The scheduled retirement occurs during business-critical hours.

What should be done to MINIMIZE disruption to the business?

A.

Reboot the instance as soon as possible to perform the system maintenance before the scheduled retirement.

B.

Reboot the instance outside business hours to perform the system maintenance before the scheduled retirement.

C.

Reboot the instance outside business hours to a new host before the scheduled retirement.

D.

Write an AWS Lambda function to restore the system when the scheduled retirement occurs.

Question # 24

An application team has asked a sysops administrator to provision an additional environment for an application in four additional regions. The application is running on more than 100 instances in us-east-1, using fully baked AMIs. An AWS CloudFormation template has been created to deploy resources in us-east-1.

What must the sysops administrator do to provision the application quickly?

A.

Copy the AMI to each region using aws ec2 copy-image. Update the CloudFormation mapping to include mappings for the copied AMIs.

B.

Create a snapshot of the running instance and copy the snapshot to the other regions. Create an AMI from the snapshots. Update the CloudFormation template for each region to use the new AMI.

C.

Run the existing CloudFormation template in each additional region based on the success of the template used currently in us-east-1.

D.

Update the CloudFormation template to include the additional regions in the auto scaling group. Update the existing stack in us-east-1.

Question # 25

A company wants to reduce costs across the entire company after discovering that several AWS accounts were using unauthorized services and incurring extremely high costs.

Which AWS service enables the company to reduce costs by controlling access to AWS services for all AWS accounts?

A.

AWS Cost Explorer

B.

AWS Config

C.

AWS Organizations

D.

AWS Budgets

Question # 26

An application running on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones was deployed using an AWS CloudFormation template. A sysops administrator has patched the Amazon Machine Image (AMI) version and must update all the EC2 instances to use the new AMI.

How should the administrator use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity?

A.

Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack.

B.

Run the aws cloudformation update-stack command with the --rollback-configuration option.

C.

Set an AutoScalingRollingUpdate policy in the CloudFormation template to update the stack.

D.

Update the CloudFormation template with the new AMI ID, then reboot the EC2 instances.

Question # 27

A company uses multiple accounts for its applications. Account A manages the company’s Amazon Route 53 domains and hosted zones. Account B uses a load balancer fronting the company’s web servers.

How can the company use Route 53 to point to the load balancer in the MOST cost-effective and efficient manner?

A.

Create an Amazon EC2 proxy in Account A that forwards requests to Account B.

B.

Create a load balancer in Account A that points to the load balancer in Account B.

C.

Create a CNAME record in Account A pointing to an alias record to the load balancer in Account B.

D.

Create an alias record in Account A pointing to the load balancer in Account B.

Question # 28

A company has deployed a fleet of Amazon EC2 web servers for the upcoming release of a new product. The SysOps Administrator needs to test the Amazon CloudWatch notification settings for this deployment to ensure that a notification is sent using Amazon SNS if the CPU utilization of an EC2 instance exceeds 70%.

How should the Administrator accomplish this?

A.

Use the set-alarm-state command in AWS CloudTrail to invoke the Amazon SNS notification

B.

Use CloudWatch custom metrics to set the alarm state in AWS CloudTrail and enable Amazon SNS notifications

C.

Use EC2 instance metadata to manually set the CPU utilization to 75% and invoke the alarm state

D.

Use the set-alarm-state command in the AWS CLI for CloudWatch

Question # 29

A company has deployed its infrastructure using AWS CloudFormation. Recently the company made manual changes to the infrastructure. A SysOps Administrator is tasked with determining what was changed and updating the CloudFormation template.

Which solution will ensure all the changes are captured?

A.

Create a new CloudFormation stack based on the changes that were made. Delete the old stack and deploy the new stack.

B.

Update the CloudFormation stack using a change set. Review the changes and update the stack.

C.

Update the CloudFormation stack by modifying the selected parameters in the template to match what was changed

D.

Use drift detection on the CloudFormation stack. Use the output to update the CloudFormation template and redeploy the stack.

Question # 30

A company uses LDAP-based credentials and has a Security Assertion Markup Language (SAML) 2.0 identity provider. A SysOps administrator has configured various federated roles in a new AWS account to provide AWS Management Console access for groups of users that use the existing LDAP-based credentials. Several groups want to use the AWS CLI on their workstations to automate daily tasks. To enable them to do so, the SysOps administrator has created an application that authenticates a user and generates a SAML assertion.

Which API call should be used to retrieve credentials for federated programmatic access?

A.

sts:AssumeRole

B.

sts:AssumeRoleWithSAML

C.

sts:AssumeRoleWithWebIdentity

D.

sts:GetFederationToken

Question # 31

A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA.

What additional step must be taken to ensure that API calls are authenticated using MFA?

A.

Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.

B.

Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.

C.

Restrict the IAM users to use of the console, as MFA is not supported for CLI use.

D.

Require users to use temporary credentials from the get-session-token command to sign API calls.

Question # 32

Company A purchases company B and inherits three new AWS accounts. Company A would like to centralize billing and reserved instance benefits but wants to keep all other resources separate.

How can this be accomplished?

A.

Implement AWS Organizations and create a service control policy that defines the billing relationship with the new master account.

B.

Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console.

C.

Send Cost and Usage Reports files to a central Amazon S3 bucket and load the data into Amazon Redshift. Use Amazon QuickSight to provide visualizations to the finance team.

D.

Link the Reserved Instances to the master payer account and use Amazon Redshift Spectrum to query Detailed Billing Report data across all accounts.

Question # 33

After a network change, application servers cannot connect to the corresponding Amazon RDS MySQL database.

What should the SysOps Administrator analyze?

A.

VPC Flow Logs

B.

Elastic Load Balancing logs

C.

Amazon CloudFront logs

D.

Amazon RDS MySQL error logs

Question # 34

A SysOps Administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. Which collection of configuration changes will increase the cache hit ratio for the distribution? (Select two.)

A.

Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings

B.

Change the Viewer Protocol Policy to use HTTPS only

C.

Configure the distribution to use presigned cookies and URLs to restrict access to the distribution

D.

Enable automatic compression of objects in the Cache Behavior Settings

E.

Increase the CloudFront time to live (TTL) settings in the Cache Behavior Settings.

Question # 35

A SysOps Administrator has been tasked with deploying a company’s infrastructure as code. The Administrator wants to write a single template that can be reused for multiple environments in a safe, repeatable manner.

What is the recommended way to use AWS CloudFormation to meet this requirement?

A.

Use parameters to provision the resources.

B.

Use nested stacks to provision the resources.

C.

Use Amazon EC2 user data to provision the resources.

D.

Use stack policies to provision the resources.

Question # 36

An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security, the Information Security team has deployed an Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of the EC2 instances.

After the change, traffic is not reaching the instances, and an error is being returned from the ALB.

What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (Select TWO.)

A.

Add the EC2 instances to the ALB target group, configure the health check, and ensure that the instances report healthy.

B.

Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy, and remove the public IPs from the instances.

C.

Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate, and remove the public IPs from the instances.

D.

Change the security group for the EC2 instances to allow access from only the ALB security group, and remove the public IPs from the instances.

E.

Change the security group to allow access from 0.0.0.0/0, which permits access from the ALB.

Question # 37

An organization stores sensitive customer information in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The chief information security officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information.

Which steps should a SysOps administrator take to meet the CISO's requirement? (Select TWO.)

A.

Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization.

B.

Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs.

C.

Use Amazon Athena to query S3 Analytics reports for HTTP 403 errors, and determine the IAM user or role making the requests.

D.

Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.

E.

Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests.

Question # 38

An Applications team has successfully deployed an AWS CloudFormation stack consisting of 30 t2.medium Amazon EC2 instances in the us-west-2 Region. When using the same template to launch a stack in us-east-2, the launch failed and rolled back after launching only 10 EC2 instances.

What is a possible cause of this failure?

A.

The IAM user did not have privileges to launch the CloudFormation template.

B.

The t2.medium EC2 instance service limit was reached.

C.

An AWS Budgets threshold was breached.

D.

The application’s Amazon Machine Image (AMI) is not available in us-east-2.

Question # 39

A SysOps administrator is implementing automated I/O load performance testing as part of the continuous integration/continuous delivery (CI/CD) process for an application. The application uses an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS volume for each instance that is restored from a snapshot and requires consistent I/O performance. During the initial tests, the I/O performance results are sporadic. The SysOps administrator must ensure that the tests yield more consistent results.

Which actions could the SysOps administrator take to accomplish this goal? (Select TWO.)

A.

Restore the EBS volume from the snapshot with fast snapshot restore enabled

B.

Restore the EBS volume from the snapshot using the cold HDD volume type.

C.

Restore the EBS volume from the snapshot and pre-warm the volume by reading all of the blocks.

D.

Restore the EBS volume from the snapshot and configure encryption.

E.

Restore the EBS volume from the snapshot and configure I/O block sizes at random
