Amazon SOA-C02 Exam Practice Test Instant Access

Question 1

The application is experiencing high VolumeQueueLength on an EC2 instance with a gp3 EBS volume, causing slow performance during I/O-intensive tasks.

Options:

AAttach an Amazon ElastiCache cluster to the EBS volume.

BModify the EBS volume properties by enabling the Auto-Enabled IO volume attribute.

CModify the EBS volume properties to increase the IOPS.

DModify the EC2 instance to enable enhanced networking. Reboot the EC2 instance.

Answer : C

Increasing the IOPS for the gp3 EBS volume will address the high VolumeQueueLength by allowing more read/write operations, directly improving performance for I/O-intensive tasks. ElastiCache and enhanced networking do not directly affect EBS performance for this issue.

Question 2

The company needs EC2 instances in the VPC to resolve DNS names for on-premises hosts using Direct Connect.

Options:

ACreate an Amazon Route 53 private hosted zone. Populate the zone with the hostnames and IP addresses of the hosts in the on-premises data center.

BCreate an Amazon Route 53 Resolver outbound endpoint. Add the IP addresses of an on-premises DNS server for the domain names that need to be forwarded.

CSet up a forwarding rule for reverse DNS queries in Amazon Route 53 Resolver. Set the enableDnsHostnames attribute to true for the VPC.

DAdd the hostnames and IP addresses for the on-premises hosts to the /etc/hosts file of each EC2 instance.

Answer : B

Using a Route 53 Resolver outbound endpoint allows DNS queries for on-premises hosts to be forwarded to the on-premises DNS server over the Direct Connect connection, minimizing maintenance and automating name resolution without the need for manual entry or file management.

Question 3

The company wants to improve the security and high availability of a two-tier web application that was rehosted to AWS, currently in a single Availability Zone.

Options (Select TWO):

APlace the web-tier instances in an Auto Scaling group. Configure the Auto Scaling group to support a Multi-AZ deployment into private subnets that are behind an internet-facing Application Load Balancer.

BPlace the web-tier instances in an Auto Scaling group. Configure the Auto Scaling group in multiple AWS Regions. Deploy the EC2 instances into private subnets that are behind an internet-facing Application Load Balancer.

CLaunch an additional EC2 instance to host SQL Server. Place the new database EC2 instance in a second AWS Region. Enable replication between the two database EC2 instances.

DUse AWS Database Migration Service (AWS DMS) to migrate the database EC2 instance to Amazon RDS for SQL Server with Multi-AZ Database Mirroring (DBM).

EUse AWS Database Migration Service (AWS DMS) to migrate the database EC2 instance to Amazon DynamoDB.

Answer : A, D

To improve security and availability, the best approach is to configure Multi-AZ for both the web and database tiers.

Multi-AZ Auto Scaling for Web Tier: Deploying the web-tier instances in an Auto Scaling group across multiple AZs with an internet-facing ALB provides high availability and fault tolerance.

RDS Multi-AZ for SQL Server: Migrating the SQL Server to RDS with Multi-AZ deployment ensures database redundancy and failover without additional management overhead.

Placing the web tier in multiple Regions would add unnecessary complexity, and migrating the database to DynamoDB is not suitable for applications requiring SQL Server's relational capabilities.

Question 4

The SysOps administrator must dynamically reference the latest AMI ID from Systems Manager Parameter Store in CloudFormation templates for new AMI versions.

Options (Select THREE):

ACreate a new Systems Manager parameter to store the AMI value in the standard parameter tier.

BCreate a new Systems Manager parameter to store the AMI value in the advanced parameter tier.

CEnable trusted access with Organizations.

DEnable resource sharing with Organizations.

ECreate a resource share by using AWS Resource Access Manager (AWS RAM). Specify the new parameter as the resource. Specify the entire organization as the principal.

FCreate an Amazon EventBridge rule that invokes an AWS Lambda function when a new AMI is published. Program the Lambda function to assume an IAM role in all linked accounts and to update Parameter Store with the new AMI ID.

Answer : A, D, E

To allow CloudFormation templates in all accounts within the organization to reference the latest AMI ID:

Parameter Store in Standard Tier: Storing the AMI ID in Systems Manager Parameter Store provides a central and easy-to-update source.

Enable Resource Sharing with Organizations: This allows the parameter to be shared across accounts in the organization.

Resource Share in AWS RAM: AWS Resource Access Manager (RAM) can be used to share the parameter with the entire organization, allowing other accounts to access the AMI ID.

Using the standard tier in Parameter Store is sufficient, and an EventBridge rule with Lambda for updating AMIs would add unnecessary complexity.

Question 5

The company's security team needs to consolidate Security Hub findings to reduce duplicate notifications for the same misconfigurations.

Options:

ATurn on consolidated control findings in the Security Hub delegated administrator account.

BExport the Security Hub findings. Consolidate the findings based on control ID. Visualize the findings in Amazon QuickSight.

CSet up an AWS Config aggregator instead of Security Hub. Deploy a custom conformance pack by consolidating AWS Config rules.

DLaunch an Amazon EC2 instance in the organization's management account. Configure a custom script to assume a role in each linked account to extract and consolidate findings from the accounts.

Answer : A

Enabling consolidated control findings in Security Hub reduces duplication by merging findings for similar controls across multiple standards. This reduces the operational burden of prioritizing remediation based on multiple copies of the same findings.

Consolidated Control Findings: Merges findings for controls across standards to avoid duplicates, providing a clearer view of misconfigurations without the need for additional infrastructure or manual processing.

Least Operational Overhead: This solution is managed within Security Hub without the need for external tools or manual exports.

Using AWS Config aggregators, QuickSight visualization, or custom EC2-based solutions would introduce additional complexity and overhead.

Question 6

A SysOps administrator needs EC2 instances in a VPC to resolve DNS names for hosts in an on-premises data center.

Options:

ACreate an Amazon Route 53 private hosted zone. Populate the zone with the hostnames and IP addresses of the hosts in the on-premises data center.

BCreate an Amazon Route 53 Resolver outbound endpoint. Add the IP addresses of an on-premises DNS server for the domain names that need to be forwarded.

CSet up a forwarding rule for reverse DNS queries in Amazon Route 53 Resolver. Set the enableDnsHostnames attribute to true for the VPC.

DAdd the hostnames and IP addresses for the on-premises hosts to the /etc/hosts file of each EC2 instance.

Answer : B

The most efficient way to enable DNS resolution between the VPC and the on-premises environment is by configuring a Route 53 Resolver outbound endpoint.

Route 53 Resolver Outbound Endpoint: This enables the VPC to forward DNS queries to the on-premises DNS server, which can resolve internal hostnames.

Minimal Maintenance: This solution is scalable and requires minimal ongoing maintenance compared to manual entries or creating and managing a large number of DNS entries manually.

Question 7

The SysOps administrator finds that users can no longer download a file from an S3 presigned URL after a few days.

Options (Select TWO):

AThe presigned URL's expiration date and time have passed.

BThe SysOps administrator's access key is no longer valid.

CThe S3 bucket's Block Public Access settings are enabled.

DThe S3 object's ACL does not include READ access for the All Users group.

EThe S3 object's ACL does not include READ_ACP access for the All Users group.

Answer : A, B

Several factors can affect the availability of an S3 object through a presigned URL:

Expiration of Presigned URL: A presigned URL is valid only until its specified expiration time. Once expired, it becomes inaccessible.

Invalid Access Key: If the access key of the SysOps administrator who generated the presigned URL is revoked or rotated, the URL will no longer be valid.

Other options like enabling Block Public Access or changing the object ACL to All Users are not necessary for presigned URLs, as these URLs temporarily grant access regardless of public bucket settings.

Amazon SOA-C02 AWS Certified SysOps Administrator - Associate Exam Practice Test