C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource.
amazon AWS Certified SysOps Administrator - Associate (SOA-C02) practice test
Question 1
A company has a new requirement stating that all resources in AWS must be tagged according to a set policy.
Which AWS service should be used to enforce and continually identify all resources that are not in compliance with the
policy?
- A. AWS CloudTrail
- B. Amazon Inspector
- C. AWS Config
- D. AWS Systems Manager
Answer:
C
Explanation:
Reference: https://aws.amazon.com/config/
Discussions
0
/ 1000
Question 2
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB
instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2
instance is launched.
What should the SysOps administrator do to meet this requirement?
- A. Add a wait condition to the template. Update the EC2 instance user data script to send a signal after the EC2 instance is started.
- B. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource.
- C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource.
- D. Create multiple templates. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created.
Answer:
B
Discussions
0
/ 1000
1 year, 3 months ago
Question 3
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of
compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
- A. Log in to the RDS console and select the encryption box to encrypt the database.
- B. Create a new encrypted Amazon EBS volume and attach it to the instance.
- C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
- D. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Answer:
A
Explanation:
Reference: https://cloudkul.com/blog/how-to-encrypt-aws-rds-database/
Discussions
0
/ 1000
1 year, 3 months ago
A. Log in to the RDS console and select the encryption box to encrypt the database.
Question 4
A company has an infernal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The
instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the
application highly available.
Which action should the SysOps administrator take to meet this requirement?
- A. Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- B. Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
- D. Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.
Answer:
C
Discussions
0
/ 1000
Question 5
A development team recently deployed a new version of a web application to production. After the release, penetration
testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
- A. AWS Shield Standard
- B. AWS WAF
- C. Elastic Load Balancing
- D. Amazon Cognito
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-xss-match.html
Discussions
0
/ 1000
Question 6
A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be
deleted.
What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be
deleted?
- A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
- B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
- C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
- D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
Answer:
B
Discussions
0
/ 1000
Question 7
The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in
the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in
use and the total available IAM policies.
Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?
- A. AWS Trusted Advisor
- B. Amazon Inspector
- C. AWS Config
- D. AWS Organizations
Answer:
A
Explanation:
Reference: https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html#iam-policies
Discussions
0
/ 1000
1 year, 3 months ago
C. AWS Config
Question 8
An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department,
it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group
membership.
What is the BEST method to allow access using current LDAP credentials?
- A. Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
- B. Create a Lambda function to read LDAP groups and automate the creation of IAM users.
- C. Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
- D. Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.
Answer:
D
Explanation:
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
Discussions
0
/ 1000
Question 9
A company is testing Amazon Elasticsearch Service (Amazon ES) as a solution for analyzing system logs from a fleet of
Amazon EC2 instances. During the test phase, the domain operates on a singlenode cluster. A SysOps administrator needs
to transition the test domain into a highly available production-grade deployment.
Which Amazon ES configuration should the SysOps administrator use to meet this requirement?
- A. Use a cluster of four data nodes across two AWS Regions. Deploy four dedicated master nodes in each Region.
- B. Use a cluster of six data nodes across three Availability Zones. Use three dedicated master nodes.
- C. Use a cluster of six data nodes across three Availability Zones. Use six dedicated master nodes.
- D. Use a cluster of eight data nodes across two Availability Zones. Deploy four master nodes in a failover AWS Region.
Answer:
B
Discussions
0
/ 1000
Question 10
A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-
premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53
should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic
should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set
appropriately for both primary and secondary servers.
Which next step should be taken to configure Route 53?
- A. Create an A record for each server. Associate the records with the Route 53 HTTP health check.
- B. Create an A record for each server. Associate the records with the Route 53 TCP health check.
- C. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.
- D. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.
Answer:
C
Explanation:
Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-how-route-53-chooses-records.html
Discussions
0
/ 1000
Question 11
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A
SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
- A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
- B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
- C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
- D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Answer:
D
Discussions
0
/ 1000
1 year, 3 months ago
D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Question 12
A SysOps administrator needs to give users the ability to upload objects to an Amazon S3 bucket. The SysOps administrator
creates a presigned URL and provides the URL to a user, but the user cannot upload an object to the S3 bucket. The
presigned URL has not expired, and no bucket policy is applied to the S3 bucket.
Which of the following could be the cause of this problem?
- A. The user has not properly configured the AWS CLI with their access key and secret access key.
- B. The SysOps administrator does not have the necessary permissions to upload the object to the S3 bucket.
- C. The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.
- D. The object already has been uploaded through the use of the presigned URL, so the presigned URL is no longer valid.
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
Discussions
0
/ 1000
1 year, 3 months ago
C. The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.
Question 13
An errant process is known to use an entire processor and run at 100%. A SysOps administrator wants to automate
restarting the instance once the problem occurs for more than 2 minutes.
How can this be accomplished?
- A. Create an Amazon CloudWatch alarm for the Amazon EC2 instance with basic monitoring. Enable an action to restart the instance.
- B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
- C. Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes.
- D. Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks.
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html
Discussions
0
/ 1000
1 year, 3 months ago
B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
Question 14
A company wants to track its expenditures for Amazon EC2 and Amazon RDS within AWS. The company decides to
implement more rigorous tagging requirements for resources in its AWS accounts. A SysOps administrator needs to identify
all noncompliant resources.
What is the MOST operationally efficient solution that meets these requirements?
- A. Create a rule in Amazon EventBridge (Amazon CloudWatch Events) that invokes a custom AWS Lambda function that will evaluate all created or updated resources for the specified tags.
- B. Create a rule in AWS Config that invokes a custom AWS Lambda function that will evaluate all resources for the specified tags.
- C. Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags.
- D. Create a rule in Amazon EventBridge (Amazon CloudWatch Events) with a managed rule to evaluate all created or updated resources for the specified tags.
Answer:
C
Explanation:
Reference: https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html
Discussions
0
/ 1000
1 year, 3 months ago
B. Create a rule in AWS Config that invokes a custom AWS Lambda function that will evaluate all resources for the specified tags.
Question 15
A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the
CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months.
What is the process to rotate the key?
- A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
- B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
- C. Delete the current key material, and import new material into the existing CMK.
- D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
Answer:
B
Explanation:
Reference: https://aws.amazon.com/kms/faqs/
Discussions
0
/ 1000
C . AWS Config