Amazon SOA-C02 AWS Certified SysOps Administrator - Associate Exam Practice Test

Page: 1 / 14
Total 484 questions

Want more questions? Get Premium Access.
()

Question 1

A company observes that a newly created Amazon CloudWatch alarm is not transitioning out of the INSUFFICIENT_DATA state. The alarm was created to track the mem_used_percent metric from an Amazon EC2 instance that is deployed in a public subnet.

A review of the EC2 instance shows that the unified CloudWatch agent is installed and is running. However, the metric is not available in CloudWatch. A SysOps administrator needs to implement a solution to resolve this problem

Which solution will meet these requirements?

AEnable CloudWatch detailed monitoring for the EC2 instance.

BCreate an 1AM instance profile that contains CloudWatch permissions. Add the instance profile to the EC2 instance.

CMigrate the EC2 instance into a private subnet

DCreate an 1AM user that has an access key ID and a secret access key. Update the unified CloudWatch agent configuration file to use those credentials.

Answer : B

Objective:

Ensure the mem_used_percent metric from the EC2 instance is available in Amazon CloudWatch.

Root Cause:

The unified CloudWatch agent requires IAM permissions to publish custom metrics to CloudWatch.

If an IAM instance profile is not attached or is missing necessary permissions, the metric will not appear in CloudWatch.

Solution Implementation:

Step 1: Create an IAM role with the required permissions:

Use the AmazonCloudWatchAgentServerPolicy managed policy, which grants permissions for the CloudWatch agent to send metrics.

Step 2: Create an IAM instance profile for the role.

Step 3: Attach the instance profile to the EC2 instance.

Step 4: Restart the unified CloudWatch agent on the EC2 instance to apply the changes:

bash

Copy code

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a stop

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a start

AWS Reference:

Unified CloudWatch Agent Configuration: CloudWatch Agent Permissions

Why Other Options Are Incorrect:

Option A: Enabling detailed monitoring only collects predefined metrics; it does not affect custom metrics like mem_used_percent.

Option C: The subnet (public or private) does not affect the collection of metrics by the CloudWatch agent.

Option D: Using IAM user credentials is not a best practice for EC2 instances; instance profiles are the recommended method.

Question 2

A company hosts an application on Amazon EC2 instances. The application periodically causes a surge in CPU utilization on the EC2 instances.

A SysOps administrator needs to implement a solution to detect when these surges occur. The solution also must send an email alert to the company's development team.

Which solution will meet these requirements?

ACreate an Amazon Simple Email Service (Amazon SES) email. Verify the development team's email address. Create an Amazon CloudWatch alarm for the EC2 instances Use the sum of the CPU utilization metric, an upper threshold of 80%. and a period of 15 minutes for the alarm. Link the alarm to the SES email.

BCreate an Amazon Simple Email Service (Amazon SES) email. Verify the development team's email address. Create an Amazon CloudWatch alarm for the EC2 instances Use the average of the CPU utilization metric, an upper threshold of 80%. and a period of 5 minutes for the alarm. Link the alarm to the SES email.

CCreate an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the development team's email address to the SNS topic. Create an Amazon CloudWatch alarm for the EC2 instances. Use the sum of the CPU utilization metric, an upper threshold of 80%. and a period of 15 minutes for the alarm. Link the alarm to the SNS topic.

DCreate an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the development team's email address to the SNS topic. Create an Amazon CloudWatch alarm for the EC2 instances. Use the average of the CPU utilization metric, an upper threshold of 80%. and a period of 5 minutes for the alarm. Link the alarm to the SNS topic

Answer : D

Monitoring EC2 Instances with CloudWatch:

Amazon CloudWatch provides monitoring and alarms for AWS resources.

Alarms can be created for metrics like CPUUtilization, and notifications can be sent to Amazon SNS topics.

Steps to Set Up the Solution:

Create an SNS Topic:

Open the Amazon SNS Console.

Create a topic (e.g., 'CPU_Alerts').

Add subscriptions for the development team's email addresses.

Create a CloudWatch Alarm:

Open the CloudWatch Console.

Navigate to the Alarms section and select Create Alarm.

Choose the EC2 CPUUtilization metric and set the alarm conditions:

Metric: Average CPU Utilization

Threshold: 80%

Period: 5 minutes

Link the alarm to the SNS topic for notifications.

Test the Alarm:

Simulate high CPU utilization to verify that alerts are sent to the subscribed email addresses.

Why Other Options Are Incorrect:

A and B: Using Amazon SES directly for alerts is not a standard practice for operational efficiency or integration with CloudWatch.

C: Using 'sum' instead of 'average' for CPU utilization is not appropriate for real-time monitoring, as it aggregates data over a large interval.

Amazon CloudWatch Alarms Documentation

Amazon SNS Documentation

Monitoring CPU Utilization

Question 3

A SysOps administrator is using AWS CloudFormation StackSets to create AWS resources in two AWS Regions in the same AWS account. A stack operation fails in one Region and returns the stack instance status of OUTDATED.

What is the cause of this failure?

AThe CloudFormation template changed on the local disk and has not been submitted to Cloud Formation.

BThe CloudFormation template is trying to create a global resource that is not unique

CThe stack has not yet been deployed to the Region.

DThe SysOps administrator is using an old version of the CloudFormation API.

Answer : C

AWS CloudFormation StackSets Overview:

StackSets allows for deployment of CloudFormation stacks across multiple AWS accounts and Regions.

A stack instance in the 'OUTDATED' status indicates that the stack template or parameters differ between the StackSet and the stack instance.

Why the Stack Instance Fails:

The 'OUTDATED' status occurs when the stack operation (creation or update) was not successfully completed in a specific Region.

In this case, the most likely reason is that the stack has not yet been deployed in the specified Region.

Steps to Resolve:

Check the deployment status in the CloudFormation StackSets Console.

Identify the Region where the stack is in the 'OUTDATED' status.

Retry the stack deployment for that Region by running a stack set update or stack instance operation.

Why Other Options Are Incorrect:

A: Local template changes do not impact CloudFormation unless submitted to AWS. This is unrelated to StackSets.

B: While creating a global resource might fail, it would result in an error status (e.g., 'FAILED'), not 'OUTDATED.'

D: Using an old API version would cause errors in the API request, not affect the stack instance status.

AWS CloudFormation StackSets Documentation

Troubleshooting StackSet Issues

Question 4

A company has a production application that runs on large compute optimized Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. The Auto Scaling group has a desired capacity of 2, a maximum capacity of 2. and a minimum capacity of 1.

The application is CPU-bound. The EC2 instances show consistent CPU utilization of 90% or greater during peak usage periods. These peak usage periods are unpredictable and cause performance issues and latency issues.

Which solution will automate the resolution of these issues?

ADeploy additional instances outside the Auto Scaling group. Create a new target group that includes the existing instances and the additional instances as targets. Reconfigure the ALB to direct traffic to the new target group.

BIncrease the maximum capacity of the Auto Scaling group. Change the instances to a burstable instance type

CIncrease the maximum capacity of the Auto Scaling group. Configure a scaling policy to add instances when instance CPU utilization is greater than 80%.

DIncrease the desired capacity of the Auto Scaling group. Configure a scaling policy to add instances when instance CPU utilization is greater than 80%.

Answer : C

Objective:

Address high and unpredictable CPU usage by automating the scaling of resources.

Using Auto Scaling Policies:

Scaling policies can dynamically adjust the number of instances in an Auto Scaling group based on metrics like CPU utilization.

Steps to Implement:

Step 1: Increase the maximum capacity of the Auto Scaling group (e.g., from 2 to a higher value like 5).

Step 2: Create a scaling policy:

Use a target tracking scaling policy with a threshold of 80% CPU utilization.

When the CPU usage exceeds 80%, additional instances will be launched automatically.

Step 3: Monitor scaling behavior and adjust thresholds or capacities if necessary.

AWS Reference:

Target Tracking Scaling Policies: Scaling Policies for Auto Scaling Groups

Dynamic Scaling Best Practices: Dynamic Scaling in Auto Scaling

Why Other Options Are Incorrect:

Option A: Deploying additional instances outside the Auto Scaling group is not scalable and defeats the purpose of automation.

Option B: Switching to burstable instances does not resolve the issue since the workload is CPU-bound and consistently high.

Option D: Increasing desired capacity does not account for the unpredictability of peak periods, as it sets a static scaling behavior rather than dynamic.

Question 5

A company's security policy requires incoming SSH traffic to be restricted to a defined set of addresses. The company is using an AWS Config rule to check whether security groups allow unrestricted incoming SSH traffic.

A SysOps administrator discovers a noncompliant resource and fixes the security group manually. The SysOps administrator wants to automate the remediation of other noncomphant resources.

What is the MOST operationally efficient solution that meets these requirements?

ACreate an Amazon CloudWatch alarm for the AWS Config rule's status metric Create an AWS Lambda function that can remove the noncompliant rule from the security group. Configure the alarm action to invoke the Lambda function.

BConfigure an automatic remediation action on the AWS Config rule Specify the AWS-DisablelncommgSSHOnPort22 remediation action.

CConfigure an Amazon EventBridge rule for AWS Config configuration item change events. Create an AWS Lambda function that can remove the noncompliant rule from the security group. Configure the rule to invoke the Lambda function.

DCreate an AWS Lambda function that can analyze a security group's inbound rules to check for unrestricted SSH access. Configure the Lambda function to remove the noncompliant rule from the security group. Configure an Amazon EventBridge rule to invoke the Lambda function every hour.

Answer : B

Objective:

Automate remediation of security groups that allow unrestricted SSH access.

Using AWS Config Automatic Remediation:

AWS Config allows rules to have automatic remediation actions.

The remediation action AWS-DisableIncomingSSHOnPort22 is a managed action specifically designed to restrict unrestricted SSH access.

Steps to Implement:

Step 1: Open the AWS Config console.

Step 2: Identify the rule that checks for unrestricted SSH access (e.g., security-group-restricted-ssh).

Step 3: Enable automatic remediation:

Attach the managed remediation action AWS-DisableIncomingSSHOnPort22 to the rule.

Specify necessary IAM roles and permissions for the remediation action.

Step 4: Test the rule and remediation action on a noncompliant security group.

AWS Reference:

AWS Config Managed Rules: AWS Config Rules

Automatic Remediation: AWS Config Remediation

Why Other Options Are Incorrect:

Option A: Requires manual configuration of alarms and Lambda functions, which is less operationally efficient than using managed remediation.

Option C and D: Custom Lambda functions and EventBridge rules are unnecessary when AWS provides a managed remediation action.

Question 6

A company has users that deploy Amazon EC2 instances that have more disk performance capacity than is required. A SysOps administrator needs to review all Amazon Elastic Block Store (Amazon EBS) volumes that are associated with the instances and create cost optimization recommendations based on IOPS and throughput.

What should the SysOps administrator do to meet these requirements in the MOST operationally efficient way?

AUse the monitoring graphs in the EC2 console to view metrics for EBS volumes Review the consumed space against the provisioned space on each volume. Identify any volumes that have low utilization.

BStop the EC2 instances from the EC2 console. Change the EC2 instance type to Amazon EBS-optimized. Start the EC2 instances

COpt in to AWS Compute Optimizer. Allow sufficient time for metrics to be gathered. Review the Compute Optimizer findings for EBS volumes.

DInstall the fio tool onto the EC2 instances and create a cfg file to approximate the required workloads. Use the benchmark results to gauge whether the provisioned EBS volumes are of the most appropriate type.

Answer : C

AWS Compute Optimizer Overview:

AWS Compute Optimizer analyzes the configuration and utilization of AWS resources, including EBS volumes, to provide cost-optimization recommendations.

Steps to Use AWS Compute Optimizer for EBS Volumes:

Enable Compute Optimizer:

Open the Compute Optimizer Console.

Enable the service for your account.

Allow Metrics Collection:

Allow sufficient time (up to 12 hours) for Compute Optimizer to gather metrics on your EBS volumes.

Review Recommendations:

Go to the Compute Optimizer dashboard.

Navigate to the EBS volume recommendations.

Review the findings for underutilized or overprovisioned volumes.

Why Other Options Are Incorrect:

A: Manually reviewing EC2 monitoring graphs is less efficient and prone to errors compared to Compute Optimizer.

B: Changing instance types to EBS-optimized without assessing performance is unnecessary and unrelated to cost optimization.

D: Installing the fio tool and benchmarking is a time-intensive, manual process that does not align with operational efficiency.

AWS Compute Optimizer Documentation

EBS Volume Optimization

Question 7

A company requires that all activity in its AWS account be logged using AWS CloudTrail. Additionally, a SysOps administrator must know when CloudTrail log files are modified or deleted.

How should the SysOps administrator meet these requirements?

AEnable log file integrity validation Use the AWS CLI to validate the log files.

BEnable log file integrity validation. Use the AWS CloudTrail .Processing Library to validate the log files.

CUse CloudTrail Insights to monitor the log files for modifications.

DUse Amazon CloudWatch Logs to monitor the log files for modifications.

Answer : A

CloudTrail Log File Integrity Validation:

AWS CloudTrail provides a feature for log file integrity validation to ensure logs have not been modified or deleted.

Steps to Enable and Validate:

Enable Log File Integrity Validation:

Go to the CloudTrail Console.

Select or create a trail.

In the trail settings, enable Log file validation.

Use the AWS CLI for Validation:

Use the following CLI command:

aws cloudtrail validate-logs --trail-name <trail-name>

This command validates the digest files generated by CloudTrail against the log files.

Why Other Options Are Incorrect:

B: Using the AWS CloudTrail Processing Library is unnecessary for validation.

C: CloudTrail Insights is designed to identify unusual activity, not monitor log modifications.

D: Amazon CloudWatch Logs cannot directly monitor CloudTrail logs for integrity.

CloudTrail Log File Validation

AWS CLI Command for Validation