
How to Easily Pass the Amazon Web Services SOA-C02 Exam: Expert Advice

Questions 21

A company wants to monitor the security groups of its Amazon EC2 instances to ensure that SSH is not open to the public. If the port is opened, the company needs to close the port as soon as possible.

Which combination of actions should a SysOps administrator take to meet these requirements? (Select TWO.)

Options:

A. Add an Amazon CloudWatch alarm to detect the security groups that allow SSH.

B. Add an AWS Config rule to detect the security groups that allow SSH.

C. Add an assessment template to Amazon Inspector to detect the security groups that allow SSH.

D. Call an AWS Systems Manager Automation runbook to close the port.

E. Call AWS Systems Manager Run Command to close the port.

Questions 22

A company runs a stateless application that is hosted on an Amazon EC2 instance. Users are reporting performance issues. A SysOps administrator reviews the Amazon CloudWatch metrics for the application and notices that the instance's CPU utilization frequently reaches 90% during business hours.

What is the MOST operationally efficient solution that will improve the application's responsiveness?

Options:

A. Configure CloudWatch logging on the EC2 instance. Configure a CloudWatch alarm for CPU utilization to alert the SysOps administrator when CPU utilization goes above 90%.

B. Configure an AWS Client VPN connection to allow the application users to connect directly to the EC2 instance private IP address to reduce latency.

C. Create an Auto Scaling group, and assign it to an Application Load Balancer. Configure a target tracking scaling policy that is based on the average CPU utilization of the Auto Scaling group.

D. Create a CloudWatch alarm that activates when the EC2 instance's CPU utilization goes above 80%. Configure the alarm to invoke an AWS Lambda function that vertically scales the instance.

Questions 23

A company has an AWS CloudFormation template that creates an Amazon S3 bucket. A user authenticates to the corporate AWS account with their Active Directory credentials and attempts to deploy the CloudFormation template. However, the stack creation fails.

Which factors could cause this failure? (Select TWO.)

Options:

A. The user's IAM policy does not allow the cloudformation:CreateStack action.

B. The user's IAM policy does not allow the cloudformation:CreateStackSet action.

C. The user's IAM policy does not allow the s3:CreateBucket action.

D. The user's IAM policy explicitly denies the s3:ListBucket action.

E. The user's IAM policy explicitly denies the s3:PutObject action.

Questions 24

A SysOps administrator creates an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that uses AWS Fargate. The cluster is deployed successfully. The SysOps administrator needs to manage the cluster by using the kubectl command line tool.

Which of the following must be configured on the SysOps administrator's machine so that kubectl can communicate with the cluster API server?

Options:

A. The kubeconfig file

B. The kube-proxy Amazon EKS add-on

C. The Fargate profile

D. The eks-connector.yaml file

Questions 25

A company must ensure that any objects uploaded to an S3 bucket are encrypted.

Which of the following actions will meet this requirement? (Choose two.)

Options:

A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.

B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.

C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.

D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.

E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.

Questions 26

A SysOps administrator created an AWS CloudFormation template that provisions Amazon EC2 instances, an Elastic Load Balancer (ELB), and an Amazon RDS DB instance. During stack creation, the creation of the EC2 instances and the creation of the ELB are successful. However, the creation of the DB instance fails.

What is the default behavior of CloudFormation in this scenario?

Options:

A. CloudFormation will roll back the stack and delete the stack.

B. CloudFormation will roll back the stack but will not delete the stack.

C. CloudFormation will prompt the user to roll back the stack or continue.

D. CloudFormation will successfully complete the stack but will report a failed status for the DB instance.

Questions 27

A company has created a NAT gateway in a public subnet in a VPC. The VPC also contains a private subnet that includes Amazon EC2 instances. The EC2 instances use the NAT gateway to access the internet to download patches and updates. The company has configured a VPC flow log for the elastic network interface of the NAT gateway. The company is publishing the output to Amazon CloudWatch Logs.

A SysOps administrator must identify the top five internet destinations that the EC2 instances in the private subnet communicate with for downloads.

What should the SysOps administrator do to meet this requirement in the MOST operationally efficient way?

Options:

A. Use AWS CloudTrail Insights events to identify the top five internet destinations.

B. Use Amazon CloudFront standard logs (access logs) to identify the top five internet destinations.

C. Use CloudWatch Logs Insights to identify the top five internet destinations.

D. Change the flow log to publish logs to Amazon S3. Use Amazon Athena to query the log files in Amazon S3.

Questions 28

A manufacturing company uses an Amazon RDS DB instance to store inventory of all stock items. The company maintains several AWS Lambda functions that interact with the database to add, update, and delete items. The Lambda functions use hardcoded credentials to connect to the database.

A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days.

Which solution will meet these requirements in the MOST operationally efficient manner?

Options:

A. Store the database password as an environment variable for each Lambda function. Create a new Lambda function that is named PasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and update the environment variable for each Lambda function.

B. Use AWS Key Management Service (AWS KMS) to encrypt the database password and to store the encrypted password as an environment variable for each Lambda function. Grant each Lambda function access to the KMS key so that the database password can be decrypted when required. Create a new Lambda function that is named PasswordRotate to change the password every 30 days.

C. Use AWS Secrets Manager to store credentials for the database. Create a Secrets Manager secret, and select the database so that Secrets Manager will use a Lambda function to update the database password automatically. Specify an automatic rotation schedule of 30 days. Update each Lambda function to access the database password from Secrets Manager.

D. Use AWS Systems Manager Parameter Store to create a secure string to store credentials for the database. Create a new Lambda function called PasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and to update the secret within Parameter Store. Update each Lambda function to access the database password from Parameter Store.

Questions 29

A SysOps administrator is responsible for a company's security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change.

Which solution will meet these requirements?

Options:

A. Set up Amazon Detective to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Queue Service (Amazon SQS) queue for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SQS queue.

B. Set up AWS Systems Manager Change Manager to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

C. Set up AWS Config to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

D. Set up Amazon Detective to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

Questions 30

A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443.

The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet.

Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Select THREE.)

Options:

A. Ensure that the inbound rules of the instance's security group allow traffic on ports 80 and 443.

B. Ensure that the outbound rules of the instance's security group allow traffic on ports 80 and 443.

C. Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance's subnet.

D. Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance's subnet.

E. Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.

F. Ensure that AWS WAF is turned on for the instance and is blocking web traffic.

Exam Code: SOA-C02
Exam Name: AWS Certified SysOps Administrator - Associate (SOA-C02)
Last Update: Oct 13, 2024
Questions: 425
