Amazon SOA-C02 AWS Certified SysOps Administrator - Associate Exam Practice Test

Page: 1 / 14
Total 484 questions

Want more questions? Get Premium Access.
()

Question 1

A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer dat

a. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company.

What is the MOST operationally efficient solution that meets these requirements?

AConfigure AWS CloudTrail in all Regions to record all API activity Create an Amazon EventBridge rule in all unauthorized Regions for ec2:Runlnstances events. Use AWS Lambda to terminate the launched EC2 instances.

BIn each AWS account, create a managed 1AM policy that uses a Region condition to deny the ec2:Runlnstances action in all unauthorized Regions. Attach this policy to all 1AM groups in each AWS account.

CIn each AWS account, create an 1AM permissions boundary policy that uses a Region condition to deny the ec2:Runlnstances action in all unauthorized Regions. Attach the permissions boundary policy to all 1AM users in each AWS account.

DCreate a service control policy (SCP) in AWS Organizations to deny the ec2:Runlnstances action in all unauthorized Regions. Attach this policy to the root level of the organization.

Answer : D

Objective:

Enforce corporate policy to prevent the creation of EC2 instances in unauthorized AWS Regions.

Using Service Control Policies (SCPs):

SCPs are an AWS Organizations feature that allow centralized control over permissions for all accounts in the organization.

By attaching an SCP to the root level of the organization, you can enforce the restriction across all accounts.

Solution Implementation:

Step 1: Open the AWS Organizations console.

Step 2: Create a new SCP with the following policy:

{

'Version': '2012-10-17',

'Statement': [

{

'Effect': 'Deny',

'Action': 'ec2:RunInstances',

'Resource': '*',

'Condition': {

'StringNotEquals': {

'aws:RequestedRegion': [

'us-east-1',

'us-west-2'

]

}

]

}

Replace 'us-east-1' and 'us-west-2' with the allowed Regions.

Step 3: Attach the SCP to the root level of the organization.

AWS Reference:

Service Control Policies (SCPs): SCP Best Practices

Restricting EC2 Regions with SCP: SCP Examples

Why Other Options Are Incorrect:

Option A: CloudTrail and EventBridge with Lambda are operationally less efficient and reactive rather than preventative.

Option B: IAM policies applied at the account level require manual configuration for each account, which is less efficient.

Option C: Permissions boundaries are more suited for controlling specific IAM user or role actions, not account-wide restrictions.

Topic 2, Simulation

Question 2

A company hosts a static website in an Amazon S3 bucket. The website is accessed globally. The company has configured an Amazon CloudFront distribution and has set the S3 bucket as the distribution's origin. The Cache-Control max-age header is set to 1 hour The Maximum TTL is set to 5 minutes.

A SysOps administrator observes that website performance is lower than expected. CloudFront is not caching objects for the amount of time that is configured.

What is the reason for this issue?

AThe Expires header has been set to 3 hours

BCached assets are not expiring in the edge location.

CCache invalidation is missing in the CloudFront configuration.

DCache-duration settings conflict with each other

Answer : D

Problem Analysis:

The Cache-Control header (max-age=1 hour) conflicts with the CloudFront Maximum TTL setting (5 minutes).

CloudFront adheres to the lower of the two settings, leading to assets being cached for only 5 minutes.

Understanding Cache Behavior in CloudFront:

CloudFront evaluates headers such as Cache-Control and Expires along with its TTL settings.

The effective cache duration is the minimum value among these settings.

Resolution:

Align the Cache-Control max-age header and CloudFront Maximum TTL settings:

Update the CloudFront behavior to use a consistent value (e.g., set both to 1 hour).

Why Other Options Are Incorrect:

A: The Expires header value is irrelevant as CloudFront primarily considers Cache-Control and TTL settings.

B: The issue is not about expiring cached assets but about the duration of cache retention.

C: Cache invalidation is not required as it addresses purging specific objects from cache.

Amazon CloudFront Caching

Cache Behavior Settings in CloudFront

Question 3

A company's SysOps administrator manages a fleet of Windows Amazon EC2 instances that run in a single AWS account. The instances have a tag that includes a key of "OS" and a value of "Windows." The company uses AWS Systems Manager to patch the instances.

The company has installed the Amazon CloudWatch agent on the instances, but the configuration is inconsistent. The SysOps administrator needs to reconfigure every instance to use the same predefined CloudWatch configuration

Which combination of steps will meet these requirements? (Select TWO.)

AStore the CloudWatch agent configuration file in an Amazon S3 bucket.

BStore the contents of the CloudWatch agent configuration file in Systems Manager OpsCenter

CStore the contents of the CloudWatch agent configuration file in Systems Manager Parameter Store.

DCreate a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document Select Systems Manager as an optional configuration source. Target the instances based on tag values.

ECreate a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Configure the document to use the S3 bucket location as the configuration source Target the instances based on tag values.

Answer : C, D

Problem Analysis:

The CloudWatch agent configuration is inconsistent across instances.

A centralized and automated mechanism is needed for consistent configuration management.

Action: Store Configuration in Systems Manager Parameter Store:

Parameter Store allows for secure, centralized storage of configuration files.

Steps:

Open Systems Manager Console.

Navigate to Parameter Store.

Create a parameter with the CloudWatch agent configuration file content.

Action: Use State Manager to Apply Configuration:

Systems Manager State Manager automates repetitive tasks such as ensuring consistent configuration.

Steps:

Open State Manager Console.

Create an association using the AmazonCloudWatch-ManageAgent document.

Configure the document to use Parameter Store as the configuration source.

Use tags (key = 'OS', value = 'Windows') to target the Windows EC2 instances.

Why Other Options Are Incorrect:

A: Using an S3 bucket for configuration storage lacks integration with Systems Manager for automation.

B: OpsCenter is for managing operational issues, not configuration files.

E: S3 as a configuration source is valid but introduces additional operational complexity compared to Parameter Store.

AWS Systems Manager Parameter Store

AWS State Manager Documentation

CloudWatch Agent Management

Question 4

Users are reporting consistent forced logouts from a stateful web application. The web application Is hosted on Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has multiple target groups with one listener rule The ALB is configured as the origin in an Amazon CloudFront distribution.

Which combination of actions should a SysOps administrator take to resolve the logout problem? (Select TWO.)

AChange to the least outstanding requests algorithm on the ALB target group.

BConfigure cookie forwarding in the CloudFront distribution's cache behavior settings.

CConfigure header forwarding in the CloudFront distribution's cache behavior settings.

DEnable group-level stickiness on the ALB listener rule for the target groups.

EConfigure weighted target groups on the ALB.

Answer : B, D

Problem Analysis:

Users experience consistent forced logouts, indicating session data is not maintained properly.

Causes may include issues with session persistence between CloudFront, ALB, and the backend servers.

Action: Configure Cookie Forwarding in CloudFront:

CloudFront must forward cookies to maintain session state. Without forwarding cookies, session-specific data cannot reach the backend.

Update the Cache Behavior Settings in CloudFront:

Go to the CloudFront distribution settings.

In Cache Behaviors, select Forward Cookies.

Specify the relevant cookies required by the application.

Action: Enable Group-Level Stickiness in ALB:

Group-level stickiness ensures that a user's session consistently maps to the same backend server, preventing session disruption.

Steps:

Open the ALB Console.

Navigate to the Listener Rules.

Enable Group-Level Stickiness for the target groups under the listener rule settings.

Why Other Options Are Incorrect:

A: Changing to the least outstanding requests algorithm will not address session stickiness issues.

C: Forwarding headers does not resolve session-specific problems caused by cookies not being forwarded.

E: Weighted target groups manage traffic distribution but do not address session persistence.

Amazon CloudFront Cookie Forwarding

ALB Sticky Sessions Documentation

Question 5

A company's SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs However, there are no logs in CloudWatch Logs

What could be blocking the VPC flow logs from being published to CloudWatch Logs?

AThe 1AM policy that is attached to the 1AM role for the flow log is missing the logs:CreateLogGroup permission.

BThe 1AM policy that is attached to the 1AM role for the flow log is missing the logs:CreateExportTask permission.

CThe VPC is configured for IPv6 addresses.

DThe VPC is peered with another VPC in the AWS account.

Answer : A

* Objective:

Publish VPC flow logs to Amazon CloudWatch Logs.

* Root Cause:

VPC flow logs require an IAM role with permissions to create log groups, log streams, and write logs to CloudWatch Logs.

If the logs:CreateLogGroup permission is missing, the flow log cannot create the required log group, and logs will not appear in CloudWatch.

* Solution Implementation:

Step 1: Verify the IAM role attached to the VPC flow logs.

Step 2: Add the following permissions to the IAM policy:

logs:CreateLogGroup

logs:CreateLogStream

logs:PutLogEvents

Step 3: Update the IAM role policy and retry creating flow logs.

* AWS Reference:

VPC Flow Logs Permissions: Permissions for VPC Flow Logs

* Why Other Options Are Incorrect:

Option B: logs:CreateExportTask is for exporting logs from CloudWatch to S3, not for creating log groups.

Option C: IPv6 addresses do not impact the publishing of flow logs to CloudWatch Logs.

Option D: VPC peering does not block flow log functionality.

Question 6

A company has business-critical resources in one of its AWS accounts. The company wants to receive an email notification every time an AWS Management Console root user sign-in event occurs in the account.

Which solution will meet this requirement with the MOST operational efficiency?

ACreate an Amazon CloudWatch alarm that detects AWS Management Console root user sign-in events Configure the alarm to send email notifications directly through AWS Trusted Advisor.

BLaunch an Amazon EC2 instance Schedule a script to run every hour to analyze AWS CloudTrail events. Configure the script to publish email notifications to an Amazon Simple Notification Service (Amazon SNS) topic when AWS Management Console root user sign-in events occur.

CCreate an Amazon EventBndge rule that reacts to AWS Management Console root user sign-in events. Configure the rule to send email notifications to an Amazon Simple Queue Service (Amazon SQS) queue

DCreate an Amazon EventBndge rule that reacts to AWS Management Console root user sign-in events. Configure the rule to publish email notifications to an Amazon Simple Notification Service (Amazon SNS) topic.

Answer : D

Objective:

Notify administrators via email whenever a root user sign-in event occurs.

Using Amazon EventBridge and Amazon SNS:

EventBridge: Captures the root user sign-in events from AWS CloudTrail.

SNS: Publishes email notifications to subscribed recipients.

Steps to Implement:

Step 1: Enable CloudTrail for management events if not already enabled.

Step 2: Create an EventBridge rule:

Event pattern:

{

'source': ['aws.signin'],

'detail-type': ['AWS Console Sign In via Root Account']

}

Step 3: Set the rule target to an SNS topic.

Step 4: Subscribe email addresses to the SNS topic.

AWS Reference:

EventBridge Rules: Creating EventBridge Rules

SNS Subscriptions: Amazon SNS Subscriptions

Why Other Options Are Incorrect:

Option A: Trusted Advisor does not directly send notifications for root sign-ins.

Option B: Using an EC2 instance and scripts is less efficient and not operationally optimized.

Option C: Sending notifications to SQS introduces unnecessary complexity and delays.

Question 7

A SysOps administrator is creating resources from an AWS CloudFormation template that defines an Auto Scaling group of Amazon EC2 instances. The Auto Scaling group launch template provisions each EC2 instance by using a user data script. The creation of the Auto Scaling group resource is failing because of an error The wait condition is not receiving the required number of signals.

How should the SysOps administrator resolve this error?

ARun cfn-signal at the completion of the user data script.

BModify the EC2 instances' security group to allow outgoing traffic on port 443.

CReduce the Auto Scaling group's DesiredCapacity value in the CloudFormation template.

DSet the AssociatePubliclpAddress property to True in the Auto Scaling group launch template.

Answer : A

Objective:

Resolve the failure of the CloudFormation Auto Scaling group resource creation due to a missing wait condition signal.

cfn-signal:

The cfn-signal command is used in user data scripts to signal CloudFormation that the resource has been successfully created or configured.

This ensures the stack creation process continues as expected.

Steps to Implement:

At the end of the user data script in the EC2 launch template:

Add the command: cfn-signal --stack <stack-name> --resource <resource-name> --region <region>

Replace <stack-name>, <resource-name>, and <region> with appropriate values.

AWS Reference:

cfn-signal: Using cfn-signal to Signal Completion

Why Other Options Are Incorrect:

Option B: While port 443 is necessary for CloudFormation signaling, the main issue is the absence of cfn-signal.

Option C: Reducing DesiredCapacity may bypass the error but does not solve the root cause.

Option D: Associating a public IP may help connectivity but is unrelated to the wait condition.