2024 SOA-C02 Exam Prep: Practice Tests & Study Materials, AWS Certified Sysops Administrator - Associate | SPOTO

Prepare for the AWS Certified SysOps Administrator - Associate (SOA-C02) exam with SPOTO's comprehensive exam prep resources. This certification is designed for system administrators working in cloud operations, validating skills in deploying, managing, and operating workloads on AWS. SPOTO offers practice tests, study materials, and exam dumps tailored to the latest exam standards. Our exam questions and answers, along with sample questions and free quizzes, ensure thorough preparation for the SOA-C02 exam. With SPOTO's exam materials, you'll gain insights into AWS operations, best practices, and troubleshooting techniques. Our exam simulator and online exam questions provide hands-on experience, preparing you to excel on exam day. Prepare effectively with SPOTO's exam practice, study materials, and mock exams to achieve success in the AWS Certified SysOps Administrator - Associate (SOA-C02) certification.

Question #1
155. InfoSec is concerned that an employee may expose sensitive data in an Amazon S3 bucket. How can this concern be addressed without putting undue restrictions on users?
A. Apply an IAM policy on all users that denies the action s3:PutBucketPolicy
B. Restrict S3 bucket access to specific IAM roles managed using federated access
C. Activate an AWS Config rule to identify public buckets and alert InfoSec using Amazon SNS
D. Email the findings of AWS Personal Health Dashboard to InfoSec daily
Correct Answer: AC
Question #2
205. A SysOps Administrator is notified that a security vulnerability affects a version of MySQL that is being used with Amazon RDS MySQL. Who is responsible for ensuring that the patch is applied to the MySQL cluster?
A. The database vendor
B. The Security department of the SysOps Administrator's company
C. AWS
D. The SysOps Administrator
Correct Answer: C
Question #3
143. A SysOps Administrator has an AWS Lambda function that stops all Amazon EC2 instances in a test environment at night and on the weekend. Stopping instances causes some servers to become corrupt due to the nature of the applications running on them. What can the SysOps Administrator use to identify these EC2 instances?
A. AWS Config
B. Amazon EC2 termination protection
C. Resource tagging
D. Amazon CloudWatch
Correct Answer: A
Question #4
152. An e-commerce company hosts its website on the AWS us-west-1 region. It plans to create a special site for a promotion that should be visible only to shoppers from Canada. What change should the SysOps Administrator make to the company’s existing AWS setup to achieve this result?
A. Update the Amazon Route 53 record set to use a latency routing policy for the new site
B. Update the Application Load Balancer with a new host-based routing rule for the new site
C. Update the Amazon Route 53 record set to use a geolocation routing policy for the new site
D. Update the Application Load Balancer with a new path-based routing rule for the new site
Correct Answer: D
Question #5
145. A company has an asynchronous nightly process that feeds the results to a data warehouse system for weekly and monthly reporting. The process is running on a fleet of Amazon EC2 instances. A SysOps Administrator has been asked to identify ways to reduce the cost of running this process. What is the MOST cost-effective solution?
A. Use On-Demand EC2 instances in an Auto Scaling group
B. Use Spot Instances to bid for the EC2 instances
C. Use Reserved Instances to ensure the capacity
D. Put the EC2 instances in a placement group
Correct Answer: A
Question #6
170. A company has multiple web applications running on Amazon EC2 instances in private subnets. The EC2 instances require connectivity to the internet for patching purposes, but cannot be publicly accessible. Which step will meet these requirements?
A. Add an internet gateway and update the route tables
B. Add a NAT gateway to the VPC and update the route tables
C. Add an interface endpoint and update the route tables
D. Add a virtual gateway to the VPC and update the route tables
Correct Answer: B
Question #7
157. A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times: *** Error Establishing a Database Connection. Which of the following may be causes of the connectivity problems? (Choose two.)
A. The security group for the database does not have the appropriate egress rule from the database to the web server
B. The certificate used by the web server is not trusted by the RDS instance
C. The security group for the database does not have the appropriate ingress rule from the web
D. The database is still being created and is not available for connectivity
Correct Answer: C
Question #8
192. A SysOps Administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. Which collection of configuration changes will increase the cache hit ratio for the distribution? (Select two.)
A. Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings
B. Change the Viewer Protocol Policy to use HTTPS only
C. Configure the distribution to use pre-signed cookies and URLs to restrict access to the distribution
D. Enable automatic compression of objects in the Cache Behavior Settings
E. Increase the CloudFront time to live (TTL) settings in the Cache Behavior
Correct Answer: AE
Question #9
187. A SysOps Administrator is running an auto-scaled application behind a Classic Load Balancer. Scaling out is triggered when the CPUUtilization instance metric is more than 75% across the Auto Scaling group. The Administrator noticed aggressive scaling out and, after discussing with developers, an application memory leak is suspected of causing aggressive garbage collection cycles. How can the Administrator troubleshoot the application without triggering the scaling process?
A. Suspend the scaling process before troubleshooting
B. Delete the Auto Scaling group and recreate it when troubleshooting is complete
C. Remove impacted instances from the Classic Load Balancer
D. Create a scale down trigger when the CPUUtilization instance metric is at 70%
Correct Answer: A
Question #10
130. A SysOps Administrator has received a request from the Compliance Department to enforce encryption on all objects uploaded to the corp-compliance bucket. How can the Administrator enforce encryption on all objects uploaded to the bucket?
A. Enable Amazon S3 default encryption on the bucket
B. Add the following policy statement to the bucket:
C. Add the following policy statement to the IAM user permissions policy:
D. Generate a pre-signed URL for the Amazon S3 PUT operation with server-side encryption flag set, and send the URL to the user
Correct Answer: B
Question #11
175. A SysOps Administrator must use a bastion host to administer a fleet of Amazon EC2 instances. All access to the bastion host is managed by the Security team. What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host?
A. Assign the same IAM role to the Administrator that is assigned to the bastion host
B. Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched
C. Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator
D. Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager
Correct Answer: B
Question #12
211. A company is concerned about a security vulnerability impacting its Linux operating system. What should the SysOps Administrator do to alleviate this concern?
A. Patch the vulnerability with Amazon Inspector
B. Provide an AWS Trusted Advisor report showing which Amazon EC2 instances have been patched
C. Redeploy the Amazon EC2 instances using AWS CloudFormation
D. Patch the Linux operating system using AWS Systems Manager
Correct Answer: D
Question #13
181. An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted. How can this be resolved?
A. Enable encryption on each EFS connection to the Amazon EFS volume
B. Enable encryption on the existing EFS volume by using the AWS Command Line interface
C. Enable encryption on each host local drive
D. Enable encryption on a newly created volume and copy all data from the original volume
Correct Answer: D
Question #14
163. An HTTP web application is launched on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run across multiple Availability Zones. A network ACL and a security group for the load balancer and EC2 instances allow inbound traffic on port 80. After launch, the website cannot be reached over the internet. What additional step should be taken?
A. Add a rule to the security group allowing outbound traffic on port 80
B. Add a rule to the network ACL allowing outbound traffic on port 80
C. Add a rule to the security group allowing outbound traffic on ports 1024 through 65535
D. Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535
Correct Answer: B
Question #15
207. A SysOps Administrator is deploying a website with dynamic content. Company policy requires that users from certain countries or regions cannot access the web content and should receive an error page. Which of the following can be used to implement this policy? (Choose two.)
A. Amazon CloudFront geo-restriction
B. Amazon GuardDuty geo-blocking
C. Amazon Route 53 geolocation routing
D. AWS Shield geo-restriction
E. Network access control list (NACL) restriction
Correct Answer: AC
Question #16
186. An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application. What is the MOST scalable storage solution to fulfill the requirement?
A. Connect a large Amazon EBS volume to multiple instances and schedule snapshots
B. Deploy Amazon EFS in the VPC and create mount targets in multiple subnets
C. Launch an EC2 instance and share data using SMB/CIFS or NFS
D. Deploy an AWS Storage Gateway cached volume on Amazon EC2
Correct Answer: D
Question #17
139. A SysOps Administrator noticed that a large number of Elastic IP addresses are being created on the company’s AWS account, but they are not being associated with Amazon EC2 instances, and are incurring Elastic IP address charges in the monthly bill. How can the Administrator identify who is creating the Elastic IP addresses?
A. Attach a cost-allocation tag to each requested Elastic IP address with the IAM user name of the Developer who creates it
B. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events
C. Create a CloudWatch alarm on the EIP Created metric and send an Amazon SNS notification when the alarm triggers
D. Use Amazon Inspector to get a report of all Elastic IP addresses created in the last 30 days
Correct Answer: B
Question #18
151. A company is running a new promotion that will result in a massive spike in traffic for a single application. The SysOps Administrator must prepare the application and ensure that the customers have a great experience. The application is heavy on memory and is running behind an AWS Application Load Balancer (ALB). The ALB has been pre-warmed, and the application is in an Auto Scaling group. What built-in metric should be used to control the Auto Scaling group’s scaling policy?
A. RejectedConnectionCount
B. RequestCountPerTarget
C. CPUUtilization
D. MemoryUtilization
Correct Answer: A
Question #19
202. A company runs a web application that users access using the domain name www.example.com. The company manages the domain name using Amazon Route 53. The company created an Amazon CloudFront distribution in front of the application and would like www.example.com to access the application through CloudFront. What is the MOST cost-effective way to achieve this?
A. Create a CNAME record in Amazon Route 53 that points to the CloudFront distribution URL
B. Create an ALIAS record in Amazon Route 53 that points to the CloudFront distribution URL
C. Create an A record in Amazon Route 53 that points to the public IP address of the web application
Correct Answer: B
Question #20
166. A company is storing monthly reports on Amazon S3. The company’s security requirement states that traffic from the client VPC to Amazon S3 cannot traverse the internet. What should the SysOps Administrator do to meet this requirement?
A. Use AWS Direct Connect and a public virtual interface to connect to Amazon S3
B. Use a managed NAT gateway to connect to Amazon S3
C. Deploy a VPC endpoint to connect to Amazon S3
D. Deploy an internet gateway to connect to Amazon S3
Correct Answer: A
Question #21
156. A SysOps Administrator discovers the organization’s tape archival system is no longer functioning in its on-premises data center. What AWS service can be used to create a virtual tape interface to replace the physical tape system?
A. AWS Snowball
B. AWS SMS
C. Amazon Glacier
D. AWS Storage Gateway
Correct Answer: B
Question #22
190. After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon Machine Image (AMI), the SysOps Administrator is unable to connect to the instance using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of troubleshooting, the Administrator deploys a second instance from a different AMI using the same configuration and is able to connect to the instance. What should be the next logical step in troubleshooting the first instance?
A. Use AWS Trusted Advisor to gather operating system log files for analysis
B. Use VPC Flow Logs to gather operating system log files for analysis
C. Use EC2Rescue to gather operating system log files for analysis
D. Use Amazon Inspector to gather operating system log files for analysis
Correct Answer: C
Question #23
141. A SysOps Administrator needs Amazon EC2 instances in two different VPCs in private subnets to be able to communicate. A peering connection between the two VPCs has been created using the AWS Management Console and shows a status of Active. The instances are still unable to send traffic to each other. Why are the EC2 instances unable to communicate?
A. One or both of the VPCs do not have an Internet Gateway attached
B. The route tables have not been updated
C. The peering connection has not been properly tagged
D. One or both of the instances do not have an Elastic IP address assigned
Correct Answer: D
Question #24
162. A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours, but at times, the process stalls due to installation errors. The SysOps Administrator must modify the CloudFormation template so if the process stalls, the entire stack will fail and roll back. Based on thes
A. Conditions with a timeout set to 4 hours
B. CreationPolicy with a timeout set to 4 hours
C. DependsOn with a timeout set to 4 hours
D. Metadata with a timeout set to 4 hours
Correct Answer: A
Question #25
206. A company’s web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run in an EC2 Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon ElastiCache for Redis cluster and an Amazon RDS DB instance. Company policy requires all system patching to take place at midnight on Tuesday. Which resources will need to have a maintenance window configured for midnight on Tuesday? (Choose two.)
A. Elastic Load Balancer
B. EC2 instances
C. RDS instance
D. ElastiCache cluster
E. Auto Scaling group
Correct Answer: CD
Question #26
220. A SysOps Administrator is using AWS KMS with AWS-generated key material to encrypt an Amazon EBS volume in a company’s AWS environment. The Administrator wants to rotate the KMS keys using automatic key rotation, and needs to ensure that the EBS volume encrypted with the current key remains readable. What should be done to accomplish this?
A. Back up the current KMS key and enable automatic key rotation
B. Create a new key in AWS KMS and assign the key to Amazon EBS
C. Enable automatic key rotation of the EBS volume key in AWS KMS
D. Upload new key material to the EBS volume key in AWS KMS to enable automatic key rotation for the volume
Correct Answer: C
Question #27
169. Company A purchases company B and inherits three new AWS accounts. Company A would like to centralize billing and reserved instance benefits but wants to keep all other resources separate. How can this be accomplished?
A. Implement AWS Organizations and create a service control policy that defines the billing relationship with the new master account
B. Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console
C. Send Cost and Usage Reports files to a central Amazon S3 bucket and load the data into Amazon Redshift
D. Link the Reserved Instances to the master payer account and use Amazon Redshift Spectrum to query Detailed Billing Report data across all accounts
Correct Answer: B
Question #28
219. A company runs an application that uses Amazon RDS for MySQL. During load testing of equivalent production volumes, the Development team noticed a significant increase in query latency. A SysOps Administrator concludes from investigating Amazon CloudWatch Logs that the CPU utilization on the RDS MySQL instance was at 100%. Which action will resolve this issue?
A. Configure AWS Database Migration Service (AWS DMS) to allow Amazon RDS for MySQL to scale and accept more requests
B. Configure RDS for MySQL to scale horizontally by additional nodes to offload write requests
C. Enable the Multi-AZ feature for the RDS instance
D. Modify the RDS MySQL instance so it is a larger instance type
Correct Answer: D
Question #29
171. A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC. What is the SIMPLEST method to deploy and update the VPCs in each account?
A. Create an AWS CloudFormation template defines the VPC
B. Create a shell script that configures the VPC using the AWS CLI
C. Create an AWS Lambda function that configures the VPC
D. Create an AWS CloudFormation template that defines the VPC
Correct Answer: D
Question #30
221. A SysOps Administrator deployed an AWS Elastic Beanstalk worker node environment that reads messages from an auto-generated Amazon Simple Queue Service (Amazon SQS) queue and deletes them from the queue after processing. Amazon EC2 Auto Scaling scales in and scales out the number of worker nodes based on CPU utilization. After some time, the Administrator notices that the number of messages in the SQS queue is increasing significantly. Which action will remediate this issue?
A. Change the scaling policy to scale based upon the number of messages in the queue
B. Decouple the queue from the Elastic Beanstalk worker node and create it as a separate resource
C. Increase the number of messages in the queue
D. Increase the retention period of the queue
Correct Answer: A
Question #31
140. An application run by a SysOps Administrator is under repeated, large-scale distributed denial of service (DDoS) attacks. Each time an attack occurs, multiple customers reach out to the Support team to report outages. The Administrator wants to minimize potential downtime from the DDoS attacks. The company requires 24/7 support. Which AWS service should be set up to protect the application?
A. AWS Trusted Advisor
B. AWS Shield Advanced
C. Amazon Cognito
D. Amazon Inspector
Correct Answer: B
Question #32
179. Which of the following steps are required to configure SAML 2.0 for federated access to AWS? (Choose two.)
A. Create IAM users for each identity provider (IdP) user to allow access to the AWS environment
B. Define assertions that map the company’s identity provider (IdP) users to IAM roles
C. Create IAM roles with a trust policy that lists the SAML provider as the principal
D. Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions
E. Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the AWS environment
Correct Answer: AB
Question #33
174. An application performs read-heavy operations on an Amazon Aurora DB instance. The SysOps Administrator monitors the CPUUtilization CloudWatch metric and has recently seen it increase to 90%. The Administrator would like to understand what is driving the CPU surge. Which of the following should the Administrator additionally monitor to understand the CPU surge?
A. FreeableMemory and DatabaseConnections to understand the amount of available RAM and number of connections to DB instance
B. FreeableMemory and EngineUptime to understand the amount of available RAM and the amount of time the instance has been up and running
C. DatabaseConnections and AuroraReplicaLag for the number of connections to the DB instance and the amount of lag when replicating updates from the primary instance
D. DatabaseConnections and InsertLatency for the number of connections to the DB instance and latency for insert queries
Correct Answer: D
Question #34
217. Development teams are maintaining several workloads on AWS. Company management is concerned about rising costs and wants the SysOps Administrator to configure alerts so teams are notified when spending approaches preset limits. Which AWS service will satisfy these requirements?
A. AWS Budgets
B. AWS Cost Explorer
C. AWS Trusted Advisor
D. AWS Cost and Usage report
Correct Answer: A
Question #35
183. A SysOps Administrator manages an application that stores object metadata in Amazon S3. There is a requirement to have S3 server-side encryption enabled on all new objects in the bucket. How can the Administrator ensure that all new objects in the bucket satisfy this requirement?
A. Create an S3 lifecycle rule to automatically encrypt all new objects
B. Enable default bucket encryption to ensure that all new objects are encrypted
C. Use put-object-acl to allow objects to be encrypted with S3 server-side encryption
D. Apply the authorization header to S3 requests for S3 server-side encryption
Correct Answer: B
Question #36
214. A SysOps Administrator created an AWS CloudFormation template for the first time. The stack failed with a status of ROLLBACK_COMPLETE. The Administrator identified and resolved the template issue causing the failure. How should the Administrator continue with the stack deployment?
A. Delete the failed stack and create a new stack
B. Execute a change set on the failed stack
C. Perform an update-stack action on the failed stack
D. Run a validate-template command
Correct Answer: A
Question #37
133. A web application’s performance has been degrading. Historically, the application has had highly variable workloads, but lately, there has been a steady growth in traffic as the result of a new product launch. After reviewing several Amazon CloudWatch metrics, it is discovered that over the last two weeks the balance of CPU credits has dropped to zero several times. Which solutions will improve performance? (Choose two.)
A. Begin using the T2 instance type
B. Purchase more CPU credits for the existing instance
C. Increase the size of the current instance type
D. Configure a CloudWatch alarm on the CPU credits metric
Correct Answer: CD
Question #38
215. A SysOps Administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units within the same company. All data must be encrypted at rest. How should the Administrator implement this process?
A. Write a script to download the encrypted snapshot, decrypt it using the AWS KMS encryption key used to encrypt the snapshot, then create a new volume in each account
B. Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts
C. Create an Amazon EC2 instance based on the snapshot, then save the instance’s Amazon EBS volume as a snapshot and share it with the other accounts
D. Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RDP
Correct Answer: B
Question #39
184. An application is running on multiple EC2 instances. As part of an initiative to improve overall infrastructure security, the EC2 instances were moved to a private subnet. However, since moving, the EC2 instances have not been able to automatically update, and a SysOps Administrator has not been able to SSH into them remotely. Which two actions could the Administrator take to securely resolve these issues? (Choose two.)
A. Set up a bastion host in a public subnet, and configure security groups and route tables accordingly
B. Set up a bastion host in the private subnet, and configure security groups accordingly
C. Configure a load balancer in a public subnet, and configure the route tables accordingly
D. Set up a NAT gateway in a public subnet, and change the private subnet route tables accordingly
E. Set up a NAT gateway in a private subnet, and ensure that the route tables are configured accordingly
Correct Answer: AD
Question #40
182. An existing data management application is running on a single Amazon EC2 instance and needs to be moved to a new AWS Region in another AWS account. How can a SysOps Administrator achieve this while maintaining the security of the application?
A. Create an encrypted Amazon Machine Image (AMI) of the instance and make it public to allow the other account to search and launch an instance from it
B. Create an AMI of the instance, add permissions for the AMI to the other AWS account, and start a new instance in the new region by using that AMI
C. Create an AMI of the instance, copy the AMI to the new region, add permissions for the AMI to the other AWS account, and start a new instance
D. Create an encrypted snapshot of the instance and make it public
Correct Answer: C
Question #41
193. What should a SysOps Administrator do to ensure a company has visibility into maintenance events performed by AWS?
A. Run a script that queries AWS Systems Manager for upcoming maintenance events, and then push these events to an Amazon SNS topic to which the Operations team is subscribed
B. Query the AWS Health API for upcoming maintenance events and integrate the results with the company’s existing operations dashboard
C. Integrate the AWS Service Health Dashboard RSS feed into the company’s existing operations dashboard
D. Use Amazon Inspector to send notifications of upcoming maintenance events to the Operations team distribution list
Correct Answer: B
Question #42
212. A SysOps Administrator is configuring AWS SSO for the first time. The Administrator has already created a directory in the master account using AWS Directory Service and enabled full access in AWS Organizations. What should the Administrator do next to configure the service?
A. Create IAM roles in each account to be used by AWS SSO, and associate users with these roles using AWS SSO
B. Create IAM users in the master account, and use AWS SSO to associate the users with the accounts they will access
C. Create permission sets in AWS SSO, and associate the permission sets with Directory Service users or groups
D. Create service control policies (SCPs) in Organizations, and associate the SCPs with Directory Service users or groups
Correct Answer: D
Question #43
142. With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?
A. Deny Post, Put, and Delete on the bucket
B. Enable server-side encryption on the bucket
C. Enable Amazon S3 versioning on the bucket
D. Enable snapshots on the bucket
Correct Answer: A
Question #44
138. An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime. To satisfy the requirements, which one of these services can the SysOps Administrator enable at-rest encryption on?
A. EBS General Purpose SSD volumes
B. RDS PostgreSQL database
C. Amazon EFS file systems
D. S3 objects within a bucket
Correct Answer: B
Question #45
167. A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances. How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement?
A. Update the EFS file system settings to enable server-side encryption using AES-256
B. Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system
C. Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system
D. Modify the EFS file system mount options to enable Transport Layer Security (TLS) on each of the EC2 instances
Correct Answer: A
Question #46
191. A custom application must be installed on all Amazon EC2 instances. The application is small, updated frequently and can be installed automatically. How can the application be deployed on new EC2 instances?
A. Launch a script that downloads and installs the application using the Amazon EC2 user data
B. Create a custom API using Amazon API Gateway to call an installation executable from an AWS CloudFormation Template
C. Use AWS Systems Manager to inject the application into an AMI
D. Configure AWS CodePipeline to deploy code changes and updates
Correct Answer: A
Question #47
What is the MOST likely reason that another IP address is able to SSH to the EC2 instance?
A. The rule with 0
B. The rule with /32 is not limiting to a single IP address
C. Any instance belonging to sg-xxxxxxxx is allowed to connect
D. There is an outbound rule allowing SSH traffic
Correct Answer: AD
Question #48
203. A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?
A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted
B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts
C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts
D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets
Correct Answer: B
Question #49
154. A company has deployed a new application running on Amazon EC2 instances. The application team must verify for the Security team that all common vulnerabilities and exposures have been addressed, both now and regularly throughout the application’s lifespan. How can the Application team satisfy the Security team’s requirement?
A. Perform regular assessments with Amazon Inspector
B. Perform regular assessments with AWS Trusted Advisor
C. Integrate AWS Personal Health Dashboard with Amazon CloudWatch events to get security notifications
D. Grant the Administrator and Security team access to AWS Artifact
Correct Answer: D
Question #50
201. A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket. Which practices ensure that the log files are available and unaltered? (Choose two.)
A. Enable the CloudTrail log file integrity check in AWS Config Rules
B. Use CloudWatch Events to scan log files hourly
C. Enable CloudTrail log file integrity validation
D. Turn on Amazon S3 MFA Delete for the CloudTrail bucket
E. Implement a DENY ALL bucket policy on the CloudTrail bucket
Correct Answer: CE
Question #51
144. A company has Amazon EC2 instances that serve web content behind an Elastic Load Balancing (ELB) load balancer. The ELB Amazon CloudWatch metrics from a few hours ago indicate a significant number of 4XX errors. The EC2 instances from the time of these errors have been deleted. At the time of the 4XX errors, how can an Administrator obtain information about who originated these requests?
A. If ELB access logs have been enabled, the information can be retrieved from the S3 bucket
B. Contact AWS Support to obtain application logs from the deleted instances
C. Amazon S3 always keeps a backup of application logs from EC2 instances
D. Use AWS Trusted Advisor to obtain ELB access logs
Correct Answer: C
Question #52
216. A SysOps Administrator has been notified that some Amazon EC2 instances in the company’s environment might have a vulnerable software version installed. What should be done to check all of the instances in the environment with the LEAST operational overhead?
A. Create and run an Amazon Inspector assessment template
B. Manually SSH into each instance and check the software version
C. Use AWS CloudTrail to verify Amazon EC2 activity in the account
D. Write a custom script and use AWS CodeDeploy to deploy to Amazon EC2 instances
Correct Answer: A
Question #53
180. A SysOps Administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet. What should be added to the private subnet’s route table in order to address this issue, given the information provided?
A. 0
B. 0
C. 10
D. 10
Correct Answer: B
Question #54
218. A SysOps Administrator is tasked with deploying and managing a single CloudFormation template across multiple AWS accounts. What feature of AWS CloudFormation will accomplish this?
A. Change sets
B. Nested stacks
C. Stack policies
D. StackSets
Correct Answer: D
Question #55
208. A company stores thousands of non-critical log files in an Amazon S3 bucket. A set of reporting scripts retrieve these log files daily. Which of the following storage options will be the MOST cost-efficient for the company’s use case?
A. Amazon Glacier
B. Amazon S3 Standard IA (infrequent access) storage
C. Amazon S3 Standard Storage
D. AWS Snowball
Correct Answer: C
Question #56
185. A SysOps Administrator has been tasked with deploying a company’s infrastructure as code. The Administrator wants to write a single template that can be reused for multiple environments in a safe, repeatable manner. What is the recommended way to use AWS CloudFormation to meet this requirement?
A. Use parameters to provision the resources
B. Use nested stacks to provision the resources
C. Use Amazon EC2 user data to provision the resources
D. Use stack policies to provision the resources
Correct Answer: A
Question #57
178. A SysOps Administrator is writing a utility that publishes resources from an AWS Lambda function in AWS account A to an Amazon S3 bucket in AWS Account B. The Lambda function is able to successfully write new objects to the S3 bucket, but IAM users in Account B are unable to delete objects written to the bucket by Account A. Which step will fix this issue?
A. Add s3:DeleteObject permission to the IAM execution role of the AWS Lambda function in Account A
B. Change the bucket policy of the S3 bucket in Account B to allow s3:DeleteObject permission for Account A
C. Disable server-side encryption for objects written to the S3 bucket by the Lambda function
D. Call the s3:PutObjectAcl API operation from the Lambda function in Account A to specify bucket-owner-full-control
Correct Answer: D
Question #58
177. A company’s Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team’s AWS account for monitoring. How can this be accomplished?
A. Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and send the information to an Amazon SQS queue managed by the Security team
B. Create an event bus in the Security team’s account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team’s event bus as the target
C. Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team
D. Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team
Correct Answer: B
Question #59
161. A SysOps Administrator is responsible for managing a set of t2.micro Amazon EC2 instances. The Administrator wants to automatically reboot any instance that exceeds 80% CPU utilization. Which of these solutions would meet the requirements?
A. Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a terminate alarm action
B. Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a reboot alarm action
C. Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a reboot alarm action
D. Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a terminate alarm action
Correct Answer: B
Question #60
137. While creating the wait condition resource in AWS CloudFormation, a SysOps Administrator receives the error “received 0 signals out of the 1 expected from the EC2 instance”. What steps should be taken to troubleshoot this issue? (Choose two.)
A. Confirm from the cfn logs that the cfn-signal command was successfully run on the instance
B. Try to re-create the stack with a different IAM user
C. Check that the instance has a route to the Internet through a NAT device
D. Update the AWS CloudFormation stack service role to have iam:PassRole permission
E. Delete the existing stack and attempt to create a new one
Correct Answer: B
Question #61
148. An organization has hired an external firm to audit unauthorized changes on the company’s AWS environment. The external auditor needs appropriate access. How can this be accomplished?
A. Create an IAM user and assign them a new policy with GetResources access on AWS Artifact
B. Create an IAM user and add them to the existing “Administrator” IAM group
C. Create an IAM user and assign them a new IAM policy with read access to the AWS CloudTrail logs in Amazon S3
D. Create an IAM user and assign them a new policy with ListFindings access on Amazon Inspector
Correct Answer: A
Question #62
204. A company uses multiple accounts for its applications. Account A manages the company’s Amazon Route 53 domains and hosted zones. Account B uses a load balancer fronting the company’s web servers. How can the company use Route 53 to point to the load balancer in the MOST cost-effective and efficient manner?
A. Create an Amazon EC2 proxy in Account A that forwards requests to Account B
B. Create a load balancer in Account A that points to the load balancer in Account B
C. Create a CNAME record in Account A pointing to an alias record to the load balancer in Account B
Correct Answer: D
Question #63
146. A developer deploys an application running on Amazon EC2 by using an AWS CloudFormation template. The developer launches the stack from the console logged in as an AWS Identity and Access Management (IAM) user. When a SysOps Administrator attempts to run the same AWS CloudFormation template in the same AWS account from the console, it fails and returns the error: “The image id ‘[ami-2a69aa47]’ does not exist” What is the MOST likely cause of the failure?
A. The Administrator does not have the same IAM permissions as the developer
B. The Administrator used a different SSH key from that of the developer
C. The Administrator is running the template in a different region
D. The Administrator’s Amazon EC2 service limits have been exceeded
Correct Answer: C
Question #64
173. A SysOps Administrator has configured health checks on a load balancer. An Amazon EC2 instance attached to this load balancer fails the health check. What will happen next? (Choose two.)
A. The load balancer will continue to perform the health check on the EC2 instance
B. The EC2 instance will be terminated based on the health check failure
C. The EC2 instance will be rebooted
D. The load balancer will stop sending traffic to the EC2 instance
E. A new EC2 instance will be deployed to replace the unhealthy instance
Correct Answer: AD
Question #65
158. A SysOps Administrator must evaluate storage solutions to replace a company’s current user-shared drives infrastructure. Any solution must support security controls that enable Portable Operating System Interface (POSIX) permissions and Network File System protocols. Additionally, any solution must be accessible from multiple Amazon EC2 instances and on-premises servers connected to the Amazon VPC. Which AWS service meets the user drive requirements?
A. Amazon S3
B. Amazon EFS
C. Amazon EBS
D. Amazon SQS
Correct Answer: D
Question #66
168. An application running on Amazon EC2 instances needs to write files to an Amazon S3 bucket. What is the MOST secure way to grant the application access to the S3 bucket?
A. Create an IAM user with the necessary privileges
B. Install secure FTP (SFTP) software on the EC2 instances
C. Create an IAM role with the necessary privileges
D. Use rsync and cron to set up the transfer of files from the EC2 instances to the S3 bucket
Correct Answer: C
Question #67
136. A new application is being tested for deployment on an Amazon EC2 instance that requires greater IOPS than currently provided by the single 4TB General Purpose SSD (gp2) volume. Which actions should be taken to provide additional Amazon EBS IOPS for the application? (Choose two.)
A. Increase the size of the General Purpose (gp2) volume
B. Use RAID 0 to distribute I/O across multiple volumes
C. Migrate to a Provisioned IOPS SSD (io1) volume
D. Enable MAX I/O performance mode on the General Purpose (gp2) volume
E. Use RAID 1 to distribute I/O across multiple volumes
Correct Answer: A
Question #68
209. A SysOps Administrator receives a connection timeout error when attempting to connect to an Amazon EC2 instance from a home network using SSH. The Administrator was able to connect to this EC2 instance using SSH from their office network in the past. What caused the connection to time out?
A. The IAM role associated with the EC2 instance does not allow SSH connections from the home network
B. The public key used by SSH located on the Administrator’s server does not have the required permissions
C. The route table contains a route that sends 0
D. The security group is not allowing inbound traffic from the home network on the SSH port
Correct Answer: D
Question #69
131. An errant process is known to use an entire processor and run at 100%. A SysOps Administrator wants to automate restarting the instance once the problem occurs for more than 2 minutes. How can this be accomplished?
A. Create an Amazon CloudWatch alarm for the EC2 instance with basic monitoring
B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring
C. Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes
D. Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks
Correct Answer: B
Question #70
153. A web application runs on Amazon EC2 instances with public IPs assigned behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Multi-AZ DB instance. The Application Load Balancer, EC2 instances, and RDS DB instance all run in separate sets of subnets. The EC2 instances can communicate with the DB instance, but cannot connect with external services. What is the MOST likely solution?
A. Assign a public IP address to the database server and restart the database engine
B. Create and attach an Internet gateway to the VPC
C. Create and attach a virtual private gateway to the VPC
D. Create a VPC peering connection to a VPC that has an Internet gateway attached
Correct Answer: B
Question #71
135. An AWS CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted. How can this be achieved in a reliable and efficient way?
A. Write a script to continue backing up the RDS instance every five minutes
B. Create an AWS Lambda function to take a snapshot of the RDS instance, and manually execute the function before deleting the stack
C. Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance
D. Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack
Correct Answer: AD
Question #72
147. A company has configured a library of IAM roles that grant access to various AWS resources. Each employee has an AWS IAM user, some of which have the permission to launch Amazon EC2 instances. The SysOps Administrator has attached the following policy to those users: What would be the result of this policy?
A. Users are able to switch only to a role name that begins with “InfraTeam” followed by any other combination of characters
B. Users with the role of InfraTeamLinux are able to launch an EC2 instance and attach that role to it
C. “InfraTeam” role is being passed to a user who has full EC2 access
D. EC2 instances that are launched by these users have full AWS permissions
Correct Answer: C
Question #73
176. A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement?
A. Log in to the RDS console and select the encryption box to encrypt the database
B. Create a new encrypted Amazon EBS volume and attach it to the instance
C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance
D. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance
Correct Answer: A
Question #74
213. A web application runs on Amazon EC2 instances and accesses external services. The external services require authentication credentials. The application is deployed using AWS CloudFormation to three separate environments: development, test, and production. Each environment has unique credentials services. What option securely provides the application with the needed credentials while requiring MINIMAL administrative overhead?
A. Pass the credentials for the target environment to the CloudFormation template as parameters
B. Store the credentials as secure strings in AWS Systems Manager Parameter Store
C. Create a separate CloudFormation template for each environment
D. Create separate Amazon Machine Images (AMIs) with the required credentials for each environment
Correct Answer: B
Question #75
210. A company is deploying a web service to Amazon EC2 instances behind an Elastic Load Balancer. All resources will be defined and created in a single AWS CloudFormation stack using a template. The creation of each EC2 instance will not be considered complete until an initialization script has been run successfully on the EC2 instance. The Elastic Load Balancer cannot be created until all EC2 instances have been created. Which CloudFormation resource will coordinate the Elastic Load Balancer creation in t
A. CustomResource
B. DependsOn
C. Init
D. WaitCondition
Correct Answer: B
Question #76
149. A SysOps Administrator wants to automate the process of configuration, deployment, and management of Amazon EC2 instances using Chef or Puppet. Which AWS service will satisfy the requirement?
A. AWS Elastic Beanstalk
B. AWS CloudFormation
C. AWS OpsWorks
D. AWS Config
Correct Answer: B
Question #77
172. After a network change, application servers cannot connect to the corresponding Amazon RDS MySQL database. What should the SysOps Administrator analyze?
A. VPC Flow Logs
B. Elastic Load Balancing logs
C. Amazon CloudFront logs
D. Amazon RDS MySQL error logs
Correct Answer: A
Question #78
132. A SysOps Administrator needs to report on Amazon EC2 instance cost by both project and environment (production, staging, development). Which action would impact the operations team the LEAST?
A. For each project and environment, create a new AWS account and link them to the master payer for unified management and billing
B. Use AWS Organizations to create a new organization for each project, then for each environment use a separate linked AWS account
C. Implement cost allocation tagging in the Billing and Cost Management console to implement tags to identify resources by project and environment
D. Add the project and environment information to the instance metadata so that the values can be queried and rolled up into reports
Correct Answer: C
Question #79
189. A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account’s Amazon S3 bucket. Moving forward, how can the SysOps Administrator confirm that the log files have not been modified after being delivered to the S3 bucket?
A. Stream the CloudTrail logs to Amazon CloudWatch to store logs at a secondary location
B. Enable log file integrity validation and use digest files to verify the hash value of the log file
C. Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys
D. Enable S3 server access logging to track requests made to the log bucket for security audits
Correct Answer: B
Question #80
149. A company must share monthly report files that are uploaded to Amazon S3 with a third party. The third-party user list is dynamic, is distributed, and changes frequently. The least amount of access must be granted to the third party. Administrative overhead must be low for the internal teams who manage the process. How can this be accomplished while providing the LEAST amount of access to the third party?
A. Allow only specified IP addresses to access the S3 buckets which will host files that need to be provided to the third party
B. Create an IAM role with the appropriate access to the S3 bucket, and grant login permissions to the console for the third party to access the S3 bucket
C. Create a pre-signed URL that can be distributed by email to the third party, allowing it to download specific S3 files
D. Have the third party sign up for an AWS account, and grant it cross-account access to the appropriate S3 bucket in the source account
Correct Answer: C
Question #81
188. A SysOps Administrator is deploying a legacy web application on AWS. The application has four Amazon EC2 instances behind Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application code is no longer available to update. What cost-effective configuration change should the Administrator make to mitigate the risk of SQL injection attacks?
A. Configure Amazon GuardDuty to monitor the application for SQL injection threats
B. Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks
C. Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF on the Application Load Balancer
D. Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe to AWS Shield Standard
Correct Answer: C
Question #82
165. A SysOps Administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code: AMI [ami-12345678] does not exist. How should the Administrator ensure that the AWS CloudFormation template is working in every region?
A. Copy the source region’s Amazon Machine Image (AMI) to the destination region and assign it the same ID
B. Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID
C. Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control
D. Modify the AWS CloudFormation template by including the AMI IDs in the “Mappings” section
Correct Answer: D
Question #83
152. A SysOps Administrator is creating an Amazon EC2 instance and has received an InsufficientInstanceCapacity error. What is the cause of the error and how can it be corrected?
A. AWS does not currently have enough capacity to service the request for that instance type
B. The account has reached its concurrent running instance limit
C. The APIs that service the EC2 requests have received too many requests and capacity has been reached
D. The Administrator did not specify the correct size of the instance to support the capacity requirements of the workload
Correct Answer: A
