SOA-C01 Exam - AWS Certified SysOps Administrator - Associate

NEW QUESTION 1
A company website hosts patches for software that is sold globally. The website rules in AWS perform will until large software patch is released. The flood of download puts a strain on the web servers and leads to a poor customer experience.
What can the SysOps Administrator propose to enhance customer experience, create a more available platform, and keep costs low?

• A. Use an Amazon Cloud Front distribution to cache static content, including software patches.
• B. Increase the size of the NAT instance to improve through.
• C. Scale out the web servers in advance of patch releases to reduce Auto Scaling delays.
• D. Move the content to IO1 and provision additional IOPS to the volume that contains the software patches.

Answer: D

NEW QUESTION 2
A SysOps Administrator must monitor a fleet of Amazon EC2 Linux instance with the constraint that no agent be installed. The SysOps administrator Chooses Amazon CloudWatch as the monitoring tool.
Which metrics can be measured given the constraints? (Select THREE.)

• A. CPU Utilization
• B. Disk Read Operations
• C. Memory Utilization
• D. Network Packets in
• E. Network Packets Dropped
• F. CPU Ready Time

Answer: ABD

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html

NEW QUESTION 3
A system admin is managing buckets, objects and folders with AWS S3. Which of the below mentioned statements is true and should be taken in consideration by the sysadmin?

• A. The folders support only ACL
• B. Both the object and bucket can have an Access Policy but folder cannot have policy
• C. Folders can have a policy
• D. Both the object and bucket can have ACL but folders cannot have ACL

Answer: A

Explanation:
A sysadmin can grant permission to the S3 objects or the buckets to any user or make objects public using the bucket policy and user policy. Both use the JSON-based access policy language. Generally if user is defining the ACL on the bucket, the objects in the bucket do not inherit it and vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. It cannot be applied at the object level. The folders are similar to objects with no content. Thus, folders can have only ACL and cannot have a policy.

NEW QUESTION 4
A user has configured ELB with two EBS backed instances. The user has stopped the instances for 1 week to save costs. The user restarts the instances after 1 week. Which of the below mentioned statements will help the user to understand the ELB and instance registration better?

• A. There is no way to register the stopped instances with ELB
• B. The user cannot stop the instances if they are registered with ELB
• C. If the instances have the same Elastic IP assigned after reboot they will be registered with ELB
• D. The instances will automatically get registered with ELB

Answer: C

Explanation:
Elastic Load Balancing registers the user??s load balancer with his EC2 instance using the associated IP address. When the instances are stopped and started back they will have a different IP address. Thus, they will not get registered with ELB unless the user manually registers them. If the instances are assigned the same Elastic IP after reboot they will automatically get registered with ELB.

NEW QUESTION 5
A user is trying to understand the ACL and policy for an S3 bucket. Which of the below mentioned policy permissions is equivalent to the WRITE ACL on a bucket?

• A. s3:GetObjectAcl
• B. s3:GetObjectVersion
• C. s3:ListBucketVersions
• D. s3:DeleteObject

Answer: D

Explanation:
Amazon S3 provides a set of operations to work with the Amazon S3 resources. Each AWS S3 bucket can have an ACL (Access Control List. or bucket policy associated with it. The WRITE ACL list allows the other AWS accounts to write/modify to that bucket. The equivalent S3 bucket policy permission for it is
s3:DeleteObject.

NEW QUESTION 6
A SysOps Administrator has attempted to copy an Marketplace AMI an associated billing Product code that was shared another account. When the copy process is attempted, it fails.
What action can be taken to successfully copy the AMI to the target destination?

• A. Use an EC2 instance in the account by using the shared AMI and then created an AMI from the instance
• B. Launch an EC2 instance in the account by using the shared AMI and then create an AMI from the instance
• C. Use the AWS CLI with the --nobillingProduct flag to execute the copy and ignore the billingProductcode.
• D. Create a VPC peering connection between the source and target account to facilitate the AMI copy process.

Answer: D

NEW QUESTION 7
When assessing an organization s use of AWS API access credentials which of the following three credentials should be evaluated? Choose 3 answers

• A. Key pairs
• B. Console passwords
• C. Access keys
• D. Signing certificates
• E. Security Group memberships

Answer: ACD

Explanation:
Reference:
http://media.amazonwebservices.com/AWS_Operational_Checklists.pdf

NEW QUESTION 8
An Organization has been backing up their database backup to Amazon S3. A lifecycle rule has been created to transition these backups to Amazon Glacier storage class. The application development now to restore a backup.
Which step can an Administrator take to restore the backup to Amazon S3 storage?

• A. Create a new lifecycle rule to restore the backup from GLACIER storage class to Amazon S3 storage.
• B. Use the Amazon Glacier console to restore the backup from CLACIER storage class to Amazon S3 storage.
• C. Modify the existing lifecycle rule to restore the backup GKACIER storage class to Amazon S3 storage.
• D. Use the Amazon S3 console to restore the backup from CLACIER storage class to Amazon storage.

Answer: D

Explanation:
Restoring an Archived S3 Object
This topic explains how to use the Amazon S3 console to restore an object that has been archived to Glacier.
To restore archived S3 objects
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
In the Bucket name list, choose the name of the bucket that contains the objects that you want to restore.

In the Name list, select the objects that you want to restore, choose Actions, and then choose Restore from Glacier.

In the Initiate restore dialog box, type the number of days that you want your archived data to be
accessible.
Choose one of the following retrieval options from the Retrieval options menu. Choose Bulk retrieval or Standard retrieval, and then choose Restore.
Choose Expedited retrieval.

If you have provisioned capacity, choose Restore to start a provisioned retrieval. If you have provisioned capacity, all of your expedited retrievals are served by your provisioned capacity. For more information about provisioned capacity, see Provisioned Capacity.
If you don't have provisioned capacity and you don't want to buy it, choose Restore.
If you don't have provisioned capacity, but you want to buy it, choose Add capacity unit, and then choose Buy. When you get the Purchase succeeded message, choose Restore to start provisioned retrieval.

NEW QUESTION 9
A user has setup an EBS backed instance and a CloudWatch alarm when the CPU utilization is more than 65%. The user has setup the alarm to watch it for 5 periods of 5 minutes each. The CPU utilization is 60% between 9 AM to 6 PM. The user has stopped the EC2 instance for 15 minutes between 11 AM to 11:15 AM. What will be the status of the alarm at 11:30 AM?

• A. Alarm
• B. OK
• C. Insufficient Data
• D. Error

Answer: B

Explanation:
Amazon CloudWatch alarm watches a single metric over a time period the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The state of the alarm will be OK for the whole day. When the user stops the instance for three periods the alarm may not receive the data

NEW QUESTION 10
When using the following AWS services, which should be implemented in multiple Availability Zones
for high availability solutions? Choose 2 answers

• A. Amazon DynamoDB
• B. Amazon Elastic Compute Cloud (EC2)
• C. Amazon Elastic Load Balancing
• D. Amazon Simple Notification Service (SNS)
• E. Amazon Simple Storage Service (S3)

Answer: BC

NEW QUESTION 11
When attached to an Amazon VPC which two components provide connectivity with external networks? Choose 2 answers

• A. Elastic IPS (EIP)
• B. NAT Gateway (NAT)
• C. Internet Gateway {IGW)
• D. Virtual Private Gateway (VGW)

Answer: CD

NEW QUESTION 12
You have a web-style application with a stateless but CPU and memory-intensive web tier running on
a cc2 8xlarge EC2 instance inside of a VPC The instance when under load is having problems returning requests within the SLA as defined by your business The application maintains its state in a DynamoDB table, but the data tier is properly provisioned and responses are consistently fast.
How can you best resolve the issue of the application responses not meeting your SLA?

• A. Add another cc2 8xlarge application instance, and put both behind an Elastic Load Balancer
• B. Move the cc2 8xlarge to the same Availability Zone as the DynamoDB table
• C. Cache the database responses in ElastiCache for more rapid access
• D. Move the database from DynamoDB to RDS MySQL in scale-out read-replica configuration

Answer: C

Explanation:
But it is possibly A as DynamoDB is automatically available across three facilities in an AWS Region. So moving in to a same AZ is not possible / necessary.
In this case the DB layer is not the issue, the EC2 8xlarge is the issue; so add another one with a ELB in-frond of it.
See also: https://aws.amazon.com/dynamodb/faqs/

NEW QUESTION 13
A company has two AWS account developers and production. All application send logs to a specific Amazon bucket for each account, and the Developers are requesting access to the production
account S3 buckets to view the logs?
Which is the MOST efficient way to provide the Developers with access?

• A. Create an AWS Lambda function with an IAM role attached to it that has access to be accounts'S3 buckets Put me logs tram the production S3 bucket to the development S3 bucket
• B. Create IAM users for each Developer on the production account and add the Developers to an IAM group that provides read-only access to the S3 log bucket
• C. Create an Amazon EC2 bastion host with an 1AM role attached to it that has access to it that has production S3 log bucket and then provision access for the Developers on the host
• D. Create a resource-based pokey for the S3 bucket on the production account that grant access to the development account and then delegate the development account

Answer: B

Explanation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

NEW QUESTION 14
An organization is planning to use AWS for their production roll out. The organization wants to implement automation for deployment such that it will automatically create a LAMP stack, download the latest PHP installable from S3 and setup the ELB. Which of the below mentioned AWS services meets the requirement for making an orderly deployment of the software?

• A. AWS Elastic Beanstalk
• B. AWS CloudFront
• C. AWS CloudFormation
• D. AWS DevOps

Answer: C

Explanation:
AWS CloudFormation is an application management tool which provides application modelling, deployment, configuration, management and related activities. CloudFormation provides an easy way to create and delete the collection of related AWS resources and provision them in an orderly way. AWS CloudFormation automates and simplifies the task of repeatedly and predictably creating groups of related resources that power the user??s applications. AWS CloudFront is a CDN; Elastic Beanstalk does quite a few of the required tasks. However, it is a PAAS which uses a ready AMI. AWS Elastic Beanstalk provides an environment to easily develop and run applications in the cloud.

NEW QUESTION 15
Your entire AWS infrastructure lives inside of one Amazon VPC You have an Infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application.
Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else'' If so how?

• A. N
• B. Two instances in two different AZ's can't talk directly to each other via ICMP ping as that protocol is not allowed across subnet (i.e., broadcast) boundaries
• C. Ye
• D. Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP
• E. Ye
• F. The security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow Inbound ICMP
• G. Yes, Both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection- oriented protocol

Answer: C

NEW QUESTION 16
In AWS, which security aspects are the customer??s responsibility? Choose 4 answers

• A. Controlling physical access to compute resources
• B. Patch management on the EC2 instance s operating system
• C. Encryption of EBS (Elastic Block Storage) volumes
• D. Life-cycle management of IAM credentials
• E. Decommissioning storage devices
• F. Security Group and ACL (Access Control List) settings

Answer: BCDF

Explanation:
Decommissioning is AWS responsibility not Customer.

NEW QUESTION 17
A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

• A. The user should attach an IAM role with DynamoDB access to the EC2 instance
• B. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
• C. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
• D. The user should create an IAM user with DynamoDB and EC2 acces
• E. Attach the user with the application so that it does not use the root account credentials

Answer: A

Explanation:
With AWS IAM a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should not create an IAM user and pass the user's credentials to the application or embed those credentials inside the application. Instead, the user should use roles for EC2 and give that role access to DynamoDB /S3. When the roles are attached to EC2, it will give temporary security credentials to the application hosted on that EC2, to connect with DynamoDB / S3.

NEW QUESTION 18
An application you maintain consists of multiple EC2 instances in a default tenancy VPC. This application has undergone an internal audit and has been determined to require dedicated hardware for one instance. Your compliance team has given you a week to move this instance to single-tenant hardware.
Which process will have minimal impact on your application while complying with this requirement?

• A. Create a new VPC with tenancy=dedicated and migrate to the new VPC
• B. Use ec2-reboot-instances command line and set the parameter "dedicated=true"
• C. Right click on the instance, select properties and check the box for dedicated tenancy
• D. Stop the instance, create an AMI, launch a new instance with tenancy=dedicated, and terminate the old instance

Answer: D

Explanation:
Reference:
See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/dedicated- instance.html#dedicated-apichanges
You cannot change the tenancy of a default instance after you??ve launched it. You can change the tenancy of an instance from ??dedicated?? to ??host?? after you??ve launched it, and vice versa.

NEW QUESTION 19
A user has setup an RDS DB with Oracle. The user wants to get notifications when someone modifies the security group of that DB. How can the user configure that?

• A. It is not possible to get the notifications on a change in the security group
• B. Configure SNS to monitor security group changes
• C. Configure event notification on the DB security group
• D. Configure the CloudWatch alarm on the DB for a change in the security group

Answer: C

Explanation:
Amazon RDS uses the Amazon Simple Notification Service to provide a notification when an Amazon RDS event occurs. These events can be configured for source categories, such as DB instance, DB security group, DB snapshot and DB parameter group. If the user is subscribed to a Configuration Change category for a DB security group, he will be notified when the DB security group is changed.

NEW QUESTION 20
A user has created a VPC with a public subnet. The user has terminated all the instances which are part of the subnet. Which of the below mentioned statements is true with respect to this scenario?

• A. The user cannot delete the VPC since the subnet is not deleted
• B. All network interface attached with the instances will be deleted
• C. When the user launches a new instance it cannot use the same subnet
• D. The subnet to which the instances were launched with will be deleted

Answer: B

Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to the user??s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. When an instance is launched it will have a network interface attached with it. The user cannot delete the subnet until he terminates the instance and deletes the network interface. When the user terminates the instance all the network interfaces attached with it are also deleted.

NEW QUESTION 21
A company uses AWS Organization with a multi-account structure. A Syslog Administrator was notified that an IAM user with the System Administrator policy applied was not able to launch any Amazon EC2 instance using a public?
Why is this occurring?

• A. The account is an AWS Organization master account, and by default it cannot provision EC2 instances.
• B. The account is an AWS Organization member account, and a service control policy is denying provisioning of EC2 instances.
• C. The account AWS Organization master account, and it does not have an access key activated for the IAM account.
• D. The account is an AWS Organization master account, and it does not have an access key activated for the IAM account.

Answer: B

Explanation:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

NEW QUESTION 22
A user is trying to configure the CloudWatch billing alarm. Which of the below mentioned steps should be performed by the user for the first time alarm creation in the AWS Account Management section?

• A. Enable Receiving Billing Reports
• B. Enable Receiving Billing Alerts
• C. Enable AWS billing utility
• D. Enable CloudWatch Billing Threshold

Answer: B

Explanation:
AWS CloudWatch supports enabling the billing alarm on the total AWS charges. Before the user can create an alarm on the estimated charges, he must enable monitoring of the estimated AWS charges, by selecting the option ??Enable receiving billing alerts??. It takes about 15 minutes before the user can view the billing data. The user can then create the alarms.

NEW QUESTION 23
A user has configured an ELB to distribute the traffic among multiple instances. The user instances are facing some issues due to the back-end servers. Which of the below mentioned CloudWatch
metrics helps the user understand the issue with the instances?

• A. HTTPCode_Backend_3XX
• B. HTTPCode_Backend_4XX
• C. HTTPCode_Backend_2XX
• D. HTTPCode_Backend_5XX

Answer: D

Explanation:
CloudWatch is used to monitor AWS as well as the custom services. For ELB, CloudWatch provides various metrics including error code by ELB as well as by back-end servers (instances.. It gives data for the count of the number of HTTP response codes generated by the back-end instances. This metric does not include any response codes generated by the load balancer. These metrics are:
The 2XX class status codes represents successful actions
The 3XX class status code indicates that the user agent requires action The 4XX class status code represents client errors
The 5XX class status code represents back-end server errors

NEW QUESTION 24
A user is accessing RDS from an application. The user has enabled the Multi AZ feature with the MS SQL RDS DB. During a planned outage how will AWS ensure that a switch from DB to a standby replica will not affect access to the application?

• A. RDS will have an internal IP which will redirect all requests to the new DB
• B. RDS uses DNS to switch over to stand by replica for seamless transition
• C. The switch over changes Hardware so RDS does not need to worry about access
• D. RDS will have both the DBs running independently and the user has to manually switch over

Answer: B

Explanation:
In the event of a planned or unplanned outage of a DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if the user has enabled Multi AZ. The automatic failover mechanism simply changes the DNS record of the DB instance to point to the standby DB instance. As a result, the user will need to re-establish any existing connections to the DB instance. However, as the DNS is the same, the application can access DB seamlessly.

NEW QUESTION 25
A user is trying to setup a scheduled scaling activity using Auto Scaling. The user wants to setup the
recurring schedule. Which of the below mentioned parameters is not required in this case?

• A. Maximum size
• B. Auto Scaling group name
• C. End time
• D. Recurrence value

Answer: A

Explanation:
Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. The user can also configure the recurring schedule action which will follow the Linux cron format. If the user is setting a recurring event, it is required that the user specifies the Recurrence value (in a cron format., end time (not compulsory but recurrence will stop after this. and the Auto Scaling group for which the scaling activity is to be scheduled.

NEW QUESTION 26
......