Amazon SOA-C02 AWS Certified SysOps Administrator - Associate Exam Practice Test

Page: 1 / 14
Total 484 questions

Want more questions? Get Premium Access.
()

Question 1

A company is using Amazon S3 to set up a temporary static website that is public. A SysOps administrator creates an S3 bucket by using the default settings. The SysOps administrator updates the S3 bucket properties to configure static website hosting. The SysOps administrator then uploads objects that contain content for index.html and error.html.

When the SysOps administrator navigates to the website URL. the SysOps administrator receives an HTTP Status Code 403: Forbidden (Access Denied) error.

What should the SysOps administrator do to resolve this error?

ACreate an Amazon Route 53 DNS entry. Point the entry to the S3 bucket.

BEdit the S3 bucket permissions by turning off Block Public Access settings. Create a bucket policy to allow GetObject access on the S3 bucket.

CEdit the permissions on the index html and error html files for read access

DEdit the S3 bucket permissions by turning off Block Public Access settings. Create a bucket policy to allow PutObject access on the S3 bucket.

Answer : B

Objective:

Resolve the HTTP 403 (Access Denied) error for the public S3 static website.

Root Cause:

By default, S3 buckets are private, and public access is blocked due to the Block Public Access settings.

Additionally, a bucket policy is needed to allow public access to the objects.

Solution Implementation:

Step 1: Turn off Block Public Access:

Navigate to the Permissions tab of the S3 bucket in the AWS Management Console.

Turn off the Block Public Access settings by disabling the following:

Block public access to buckets and objects via ACLs.

Block public access to buckets and objects via bucket policies.

Step 2: Add a Bucket Policy for Public Access:

Add a policy allowing GetObject for public access:

{

'Version': '2012-10-17',

'Statement': [

{

'Effect': 'Allow',

'Principal': '*',

'Action': 's3:GetObject',

'Resource': 'arn:aws:s3:::<bucket-name>/*'

}

]

}

Step 3: Test Access:

Confirm that the website is accessible via the public URL.

AWS Reference:

Block Public Access Settings: S3 Block Public Access

Bucket Policies for Static Websites: Bucket Policy Examples

Why Other Options Are Incorrect:

Option A: Route 53 is not required to resolve the 403 error; the issue is with S3 bucket permissions.

Option C: Editing file permissions alone will not work; bucket permissions must also allow public access.

Option D: PutObject permissions are unnecessary for serving a static website.

Question 2

A company needs to track spending in its AWS account. The company must receive a notification when current costs and forecasted costs exceed specific thresholds. Which solution will meet these requirements with the LEAST operational overhead?

ACreate a new 1AM role. Attach the AWSPurchaseOrdersServiceRolePolicy AWS managed policy to the role. Check AWS Cost Explorer on a regular basis to monitor current costs and forecasted costs

BCreate an AWS Cost and Usage Report Create an AWS Step Functions state machine that runs when a new usage file is generated Configure the state machine to pass the data to Amazon Forecast and to invoke an AWS Lambda Function Configure the Lambda function to parse the data and to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if costs exceed the thresholds.

CCreate an AWS Cost and Usage Report Separate the current costs and forecasted costs by service. Schedule the report to be sent to an Amazon Simple Notification Service (Amazon SNS) topic each month.

DCreate a recurring cost budget in AWS Budgets. Create an alert for the actual cost. Create a second alert for the forecasted costs. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive the alerts.

Answer : D

Step-by-Step

AWS Budgets Overview:

AWS Budgets enables you to set custom cost and usage budgets, and it provides alerts when you exceed those thresholds. It is designed for cost management with minimal operational overhead.

Recurring Cost Budget Creation:

Go to the AWS Budgets Console.

Select Create a budget.

Choose the Cost budget option.

Define whether this budget tracks actual costs or forecasted costs (you will create two budgets, one for each).

Configure the Budget Thresholds:

Set your budget thresholds for both actual costs and forecasted costs.

For example:

Actual Costs Alert: Budget = $1000, Alert at 80% usage ($800).

Forecasted Costs Alert: Budget = $1000, Alert at forecasted usage exceeding 80% ($800).

Alert Configuration:

In the budget creation process, enable Notifications and Actions.

Specify the email addresses or an Amazon SNS Topic to receive alerts.

Set up alerts for both:

Actual Cost Exceeding Budget.

Forecasted Cost Exceeding Budget.

Amazon SNS Setup:

If using an SNS topic, ensure an Amazon SNS topic is created.

Grant appropriate permissions for the Budget service to publish to the SNS topic.

Add subscribers (e.g., email addresses or endpoints) to the SNS topic.

Automation and Monitoring:

Once set up, AWS Budgets continuously monitors actual and forecasted costs.

Alerts are sent automatically when thresholds are breached, reducing manual overhead and reliance on periodic monitoring.

Why This is the Best Option (Least Operational Overhead):

AWS Budgets directly integrates with SNS, allowing real-time alerts without building custom workflows or parsing reports.

It is a native AWS service specifically designed for cost tracking, minimizing complexity and setup time.

No custom code or additional services like Lambda or Step Functions are required, reducing operational maintenance.

AWS Budgets Documentation: AWS Budgets User Guide

AWS SNS Documentation: Amazon SNS Overview

AWS Cost Management: Cost Management Best Practices

AWS Forecasting and Alerts: Creating Cost Budgets

Question 3

A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). One of the company's vendors needs a static IP address. The vendor will add this static IP address to its outbound allow list so that the vendor can access the application on the EC2 instances.

Which solution will provide the static IP address?

AAssociate an Elastic IP address with the ALB.

BAssociate an AWS WAF web ACL that has an IP match condition rule with the ALB.

CCreate a VPC endpoint. Associate the VPC endpoint with the ALB.

DReplace the ALB with a Network Load Balancer.

Answer : D

Objective:

Provide a static IP address that the vendor can whitelist for accessing the application.

Using Network Load Balancer (NLB):

Unlike Application Load Balancers, NLBs support static IP addresses through Elastic IPs.

NLBs operate at the transport layer (Layer 4) and are ideal for use cases requiring a static IP.

Steps to Implement:

Step 1: Create an NLB in the same VPC as the application.

Step 2: Associate Elastic IP addresses with the NLB subnets.

Step 3: Update the target group to point to the existing EC2 instances.

Step 4: Update DNS records to map the application domain (www.example.com) to the NLB's static IP or DNS name.

AWS Reference:

Elastic IPs with NLB: Static IPs for NLB

NLB vs. ALB: Comparison of Load Balancers

Why Other Options Are Incorrect:

Option A: ALBs do not support Elastic IPs.

Option B: AWS WAF is for web access control, not providing static IPs.

Option C: VPC endpoints do not replace load balancers and are unrelated to static IP requirements.

Question 4

A SysOps administrator wants to monitor the free disk space that is available on a set of Amazon EC2 instances that have Amazon Elastic Block Store (Amazon EBS) volumes attached. The SysOps administrator wants to receive a notification when the used disk space of the EBS volumes exceeds a threshold value, but only when the DiskReadOps metric also exceeds a threshold value The SysOps administrator has set up an Amazon Simple Notification Service (Amazon SNS) topic.

How can the SysOps administrator receive notification only when both metrics exceed their threshold values?

AInstall the Amazon CloudWatch agent on the EC2 instances. Create a metric alarm for the disk space and a metric alarm for the DiskReadOps metric. Create a composite alarm that includes the two metric alarms to publish a notification to the SNS topic.

BInstall the Amazon CloudWatch agent on the EC2 instances. Create a metric alarm for the disk space and a metric alarm for the DiskReadOps metric. Configure each alarm to publish a notification to the SNS topic.

CCreate a metric alarm for the EBSByteBalance% metric and a metric alarm for the DiskReadOps metric. Create a composite alarm that includes the two metric alarms to publish a notification to the SNS topic.

DConfigure detailed monitoring for the EC2 instances. Create a metric alarm for the disk space and a metric alarm for the DiskReadOps metric. Create a composite alarm that includes the two metric alarms to publish a notification to the SNS topic.

Answer : A

Objective:

Receive a notification when both disk space usage and DiskReadOps exceed threshold values.

Composite Alarms:

Composite alarms allow combining multiple metric alarms into a single alarm. Notifications are triggered only when all conditions are met.

Steps to Implement:

Step 1: Install the CloudWatch agent on the EC2 instances and configure it to monitor disk space.

Step 2: Create individual metric alarms:

One for disk space usage.

One for the DiskReadOps metric.

Step 3: Create a composite alarm:

Include both metric alarms.

Configure the composite alarm to send notifications to the SNS topic when both conditions are met.

AWS Reference:

Composite Alarms in CloudWatch: Creating Composite Alarms

CloudWatch Agent Installation: Install CloudWatch Agent

Why Other Options Are Incorrect:

Option B: This would trigger notifications for either condition, not both simultaneously.

Option C: EBSByteBalance% is unrelated to free disk space.

Option D: Detailed monitoring is not required for composite alarms.

Question 5

A data analytics application is running on an Amazon EC2 instance. A SysOps administrator must add custom dimensions to the metrics collected by the Amazon CloudWatch agent.

How can the SysOps administrator meet this requirement?

ACreate a custom shell script to extract the dimensions and collect the metrics using the Amazon CloudWatch agent.

BCreate an Amazon EventBridge rule to evaluate the required custom dimensions and send the metrics to Amazon Simple Notification Service (Amazon SNS)

CCreate an AWS Lambda function to collect the metrics from AWS CloudTrail and send the metrics to an Amazon CloudWatch Logs group.

DCreate an append_dimensions field in the Amazon CloudWatch agent configuration file to collect the metrics.

Answer : D

Objective:

Add custom dimensions to the metrics collected by the Amazon CloudWatch agent.

Using append_dimensions:

The append_dimensions field in the Amazon CloudWatch agent configuration file allows adding custom dimensions to the metrics collected.

Dimensions help categorize and filter metrics in CloudWatch for more granular insights.

Steps to Implement:

Step 1: Edit the Amazon CloudWatch agent configuration file (commonly located at /opt/aws/amazon-cloudwatch-agent/bin/config.json).

Step 2: Add the append_dimensions field under the desired metrics section, specifying the custom dimensions in key-value pairs:

{

'metrics': {

'append_dimensions': {

'InstanceId': '${aws:InstanceId}',

'CustomDimensionKey': 'CustomDimensionValue'

}

Step 3: Restart the CloudWatch agent:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \

-a stop

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \

-a start

AWS Reference:

Amazon CloudWatch Agent Configuration: CloudWatch Agent Configuration

Why Other Options Are Incorrect:

Option A: Writing a custom script is unnecessary as the CloudWatch agent natively supports appending dimensions.

Option B: EventBridge rules do not interact with CloudWatch metrics for adding dimensions.

Option C: AWS Lambda functions are not required for this use case.

Question 6

A company has an existing public web application for www.example.com. The Application Load Balancer (ALB) is configured with a single HTTP 80 listener. A SysOps administrator must ensure that all web requests to www.example.com are encrypted between the client and the ALB.

The SysOps administrator already has requested and validated a public certificate for www.example.com in AWS Certificate Manager (ACM). Existing users of the application must not be required to change the endpoint to which they are connecting.

Which additional set of steps should the SysOps administrator take to meet these requirements?

ACreate an additional ALB listener for HTTPS on port 443 Set the default action to forward all traffic to the target group Specify the ACM certificate that was created for www example.com as the default SSL certificate.

BCreate an additional ALB listener for HTTPS on port 443 Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate. Delete the original HTTP listener on port 80.

CModify the ALB default rule for the HTTP port 80 listener Create a rule in the listener to forward all traffic for the host www example com to the target group Specify the ACM certificate that was created for www.example.com as the default SSL certificate.

DModify the ALB default rule for the HTTP port 80 listener to redirect to HTTPS on port 443. Create an additional HTTPS listener on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www example.com as the default SSL certificate.

Answer : D

Objective:

Ensure all traffic is encrypted using HTTPS.

Maintain the same endpoint (www.example.com) for existing users.

Use the validated ACM certificate for encryption.

Steps to Implement (Following Option D):

Step 1: Modify the HTTP Listener (Port 80):

Navigate to the ALB settings in the AWS Management Console.

Locate the existing HTTP listener on port 80.

Add a rule to redirect all HTTP traffic to HTTPS on port 443.

Redirection ensures users accessing http://www.example.com are automatically sent to https://www.example.com without any manual changes.

Step 2: Create an HTTPS Listener (Port 443):

Add a new listener for HTTPS on port 443 to the ALB.

Configure the listener to use the ACM certificate for www.example.com.

Set the default action to forward requests to the target group serving the application.

Step 3: Test the Configuration:

Verify that both http://www.example.com and https://www.example.com work seamlessly, with HTTP requests being redirected to HTTPS.

AWS Reference:

ALB HTTPS Redirection: Redirect HTTP to HTTPS using ALB

SSL Certificates with ACM: Using ACM certificates with ALB

Best Practices for ALB Configuration: ALB Listener Rules

Why Other Options Are Incorrect:

Option A and B: Do not address the redirection from HTTP to HTTPS, leaving the application exposed to unencrypted traffic.

Option C: Incorrectly suggests modifying the HTTP listener's default rule for SSL, which is technically unsupported. The HTTP listener cannot use an SSL certificate.

Question 7

A company has an Amazon EC2 instance that runs Windows Server 2019. An encrypted Amazon Elastic Block Store (Amazon EBS) volume is attached to the instance as the main boot volume. The company has lost the ability to use Remote Desktop Protocol (RDP) to connect to the instance.

The company needs to back up the instance. Before the backup, a SysOps administrator must change local Windows Firewall settings to fix the RDP connectivity issue.

The SysOps administrator stops the instance.

What should the SysOps administrator do next to regain access to the instance?

ADetach the main boot volume from the instance. Disable encryption on the main boot volume. Reattach the main boot volume to the instance. Create a new key pair. Assign the new key pair to the instance Reboot the instance. Connect to the instance by using RDP.

BDetach the mam boot volume from the instance. Use Amazon Inspector to reconfigure the Windows Firewall settings to allow RDP connectivity.

CDisable encryption for the main boot volume. Use Amazon Inspector to reconfigure the Windows Firewall settings to allow RDP connectivity. Re-enable encryption for the main boot volume.

DDetach the main boot volume from the instance. Attach the main boot volume to a working instance that has EC2Rescue installed. Use EC2Rescue to reconfigure the Windows Firewall settings to allow RDP connectivity. Detach the main boot volume from the working instance. Reattach the main boot volume to the initial instance.

Answer : D

Scenario Analysis:

The EC2 instance is inaccessible through RDP due to misconfigured Windows Firewall settings.

The boot volume is encrypted, which restricts direct modification without proper mounting and decryption tools.

The goal is to back up the instance and regain RDP connectivity.

Why Option D is Correct:

AWS provides EC2Rescue for Windows Server as a tool to resolve common connectivity and boot issues for Windows EC2 instances.

The process of detaching the boot volume and attaching it to another instance ensures that the misconfigured instance does not impede further configuration.

The working instance acts as a recovery environment where EC2Rescue can be run to modify the Windows Firewall settings and allow RDP access.

Steps to Resolve the Issue (Following Option D):

Step 1: Stop the instance. In the EC2 console, select the affected instance and stop it to ensure safe operations.

Step 2: Detach the boot volume. Navigate to the instance's storage section, identify the boot volume (usually /dev/sda1), and detach it.

Step 3: Attach the boot volume to a recovery instance.

Identify a working instance that has EC2Rescue installed.

Attach the detached boot volume to the recovery instance as a secondary volume.

Step 4: Run EC2Rescue to fix Windows Firewall settings.

Select the attached secondary volume and run diagnostics or select specific repairs (e.g., enabling RDP access in Windows Firewall settings).

Step 5: Detach the boot volume from the recovery instance. After applying the fix, safely detach the volume from the recovery instance.

Step 6: Reattach the boot volume to the original instance. Attach the volume back to the original instance as its boot volume.

Step 7: Start the instance and verify connectivity. Start the original instance and attempt to connect via RDP using the instance's public or private IP (depending on the network configuration).

AWS Reference and Best Practices:

EC2Rescue for Windows Server: Official documentation: EC2Rescue

Encrypted EBS Volumes: Ensure the proper use of the same AWS KMS key when attaching encrypted volumes to other instances. Reference: EBS Encryption

Backup Before Modifications: AWS recommends creating snapshots of EBS volumes before making changes. Reference: Creating EBS Snapshots

Why Other Options Are Incorrect:

Option A: AWS does not support disabling encryption for EBS volumes directly. Additionally, creating a new key pair does not address the firewall misconfiguration.

Option B: Amazon Inspector does not provide tools for modifying Windows Firewall settings. It is primarily used for vulnerability assessments.