SOA-C01 Exam - AWS Certified SysOps Administrator - Associate

NEW QUESTION 1
You have a proprietary data store on-premises that must be backed up daily by dumping the data store contents to a single compressed 50GB file and sending the file to AWS. Your SLAs state that any dump file backed up within the past 7 days can be retrieved within 2 hours. Your compliance department has stated that all data must be held indefinitely. The time required to restore the data store from a backup is approximately 1 hour. Your on-premise network connection is capable of sustaining 1gbps to AWS.
Which backup methods to AWS would be most cost-effective while still meeting all of your requirements?

• A. Send the daily backup files to Glacier immediately after being generated
• B. Transfer the daily backup files to an EBS volume in AWS and take daily snapshots of the volume
• C. Transfer the daily backup files to S3 and use appropriate bucket lifecycle policies to send to Glacier
• D. Host the backup files on a Storage Gateway with Gateway-Cached Volumes and take daily snapshots

Answer: D

Explanation:
Reference:
http://aws.amazon.com/storagegateway/faqs/

NEW QUESTION 2
A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.0.1/24. How can the user create the second subnet?

• A. There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet??s CIDR
• B. The user can modify the first subnet CIDR from the console
• C. It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created
• D. The user can modify the first subnet CIDR with AWS CLI

Answer: D

Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to the user??s AWS account. A user can create a subnet with VPC and launch instances inside the subnet. The user can create a subnet with the same size of VPC. However, he cannot create any other subnet since the CIDR of the second subnet will conflict with the first subnet. The user cannot modify the CIDR of a subnet once it is created. Thus, in this case if required, the user has to delete the subnet and create new subnets.

NEW QUESTION 3
A user is trying to create a PIOPS EBS volume with 4000 IOPS and 100 GB size. AWS does not allow the user to create this volume. What is the possible root cause for this?

• A. The ratio between IOPS and the EBS volume is higher than 30
• B. The maximum IOPS supported by EBS is 3000
• C. The ratio between IOPS and the EBS volume is lower than 50
• D. PIOPS is supported for EBS higher than 500 GB size

Answer: A

Explanation:
A provisioned IOPS EBS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB.

NEW QUESTION 4
A user is displaying the CPU utilization, and Network in and Network out CloudWatch metrics data of a single instance on the same graph. The graph uses one Y-axis for CPU utilization and Network in and another Y-axis for Network out. Since Network in is too high, the CPU utilization data is not visible clearly on graph to the user. How can the data be viewed better on the same graph?

• A. It is not possible to show multiple metrics with the different units on the same graph
• B. Add a third Y-axis with the console to show all the data in proportion
• C. Change the axis of Network by using the Switch command from the graph
• D. Change the units of CPU utilization so it can be shown in proportion with Network

Answer: C

Explanation:
Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. It is possible to show the multiple metrics with different units on the same graph. If the graph is not plotted properly due to a difference in the unit data over two metrics, the user can change the Y-axis of one of the graph by selecting that graph and clicking on the Switch option.

NEW QUESTION 5
An organization has configured Auto Scaling for hosting their application. The system admin wants to understand the Auto Scaling health check process. If the instance is unhealthy, Auto Scaling launches an instance and terminates the unhealthy instance. What is the order execution?

• A. Auto Scaling launches a new instance first and then terminates the unhealthy instance
• B. Auto Scaling performs the launch and terminate processes in a random order
• C. Auto Scaling launches and terminates the instances simultaneously
• D. Auto Scaling terminates the instance first and then launches a new instance

Answer: D

Explanation:
Auto Scaling keeps checking the health of the instances at regular intervals and marks the instance for replacement when it is unhealthy. The ReplaceUnhealthy process terminates instances which are marked as unhealthy and subsequently creates new instances to replace them. This process first terminates the instance and then launches a new instance.

NEW QUESTION 6
An organization has configured a VPC with an Internet Gateway (IGW). pairs of public and private subnets (each with one subnet per Availability Zone), and an Elastic Load Balancer (ELB) configured to use the public subnets. The application??s web tier leverages the ELB. Auto Scaling and a multi-AZ RDS database instance The organization would like to eliminate any potential single points of failure in this design.
What step should you take to achieve this organization's objective?

• A. Nothing, there are no single points of failure in this architecture.
• B. Create and attach a second IGW to provide redundant internet connectivity.
• C. Create and configure a second Elastic Load Balancer to provide a redundant load balancer.
• D. Create a second multi-AZ RDS instance in another Availability Zone and configure replication to provide a redundant database.

Answer: A

NEW QUESTION 7
A user runs the command ??dd if=/dev/zero of=/dev/xvdfbs=1M?? on a fresh blank EBS volume attached to a Linux instance. Which of the below mentioned activities is the user performing with the command given above?

• A. Creating a file system on the EBS volume
• B. Mounting the device to the instance
• C. Pre warming the EBS volume
• D. Formatting the EBS volume

Answer: C

Explanation:
When the user creates a new EBS volume and is trying to access it for the first time it will encounter reduced IOPS due to wiping or initiating of the block storage. To avoid this as well as achieve the best performance it is required to pre warm the EBS volume. For a blank volume attached with a Linux OS, the ??dd?? command is used to write to all the blocks on the device. In the command ??dd if=/dev/zero of=/dev/xvdfbs=1M?? the parameter ??if =import file?? should be set to one of the Linux virtual devices, such as /dev/zero. The ??of=output file?? parameter should be set to the drive that the user wishes to warm. The ??bs?? parameter sets the block size of the write operation; for optimal performance, this should be set to 1 MB.

NEW QUESTION 8
A user has launched an EC2 Windows instance from an instance store backed AMI. The user has also set the Instance initiated shutdown behavior to stop. What will happen when the user shuts down the OS?

• A. It will not allow the user to shutdown the OS when the shutdown behaviour is set to Stop
• B. It is not possible to set the termination behaviour to Stop for an Instance store backed AMI instance
• C. The instance will stay running but the OS will be shutdown
• D. The instance will be terminated

Answer: B

Explanation:
When the EC2 instance is launched from an instance store backed AMI, it will not allow the user to configure the shutdown behaviour to ??Stop??. It gives a warning that the instance does not have the EBS root volume.

NEW QUESTION 9
A user is measuring the CPU utilization of a private data centre machine every minute. The machine provides the aggregate of data every hour, such as Sum of data??, ??Min value??, ??Max value, and ??Number of Data points??.
The user wants to send these values to CloudWatch. How can the user achieve this?

• A. Send the data using the put-metric-data command with the aggregate-values parameter
• B. Send the data using the put-metric-data command with the average-values parameter
• C. Send the data using the put-metric-data command with the statistic-values parameter
• D. Send the data using the put-metric-data command with the aggregate ?Vdata parameter

Answer: C

Explanation:
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. The user can publish the data to CloudWatch as single data points or as an aggregated set of data points called a statistic set using the command put- metric-data. When sending the aggregate data, the user needs to send it with the parameter statistic-values:
awscloudwatch put-metric-data --metric-name <Name> --namespace <Custom namespace -- timestamp
<UTC Format> --statistic-values Sum=XX,Minimum=YY,Maximum=AA,SampleCount=BB --unit Milliseconds

NEW QUESTION 10
You are managing a legacy application Inside VPC with hard coded IP addresses in its configuration. Which two mechanisms will allow the application to failover to new instances without the need for reconfiguration? Choose 2 answers

• A. Create an ELB to reroute traffic to a failover instance
• B. Create a secondary ENI that can be moved to a failover instance
• C. Use Route53 health checks to fail traffic over to a failover instance
• D. Assign a secondary private IP address to the primary ENI0 that can be moved to a failover instance

Answer: BD

Explanation:
This is an odd question. First of all, option A cannot be right because ELB does not failover. Cannot be C because Route 53 does work with hard coded IP. Only B & D cannot be rule out so best answer.

NEW QUESTION 11
A user is trying to aggregate all the CloudWatch metric data of the last 1 week. Which of the below mentioned statistics is not available for the user as a part of data aggregation?

• A. Aggregate
• B. Sum
• C. Sample data
• D. Average

Answer: A

Explanation:
Amazon CloudWatch is basically a metrics repository. Either the user can send the custom data or an AWS product can put metrics into the repository, and the user can retrieve the statistics based on those metrics. The statistics are metric data aggregations over specified periods of time. Aggregations are made using the namespace, metric name, dimensions, and the data point unit of measure, within the time period that is specified by the user. CloudWatch supports Sum, Min, Max, Sample Data and Average statistics aggregation.

NEW QUESTION 12
A user has enabled the Multi AZ feature with the MS SQL RDS database server. Which of the below mentioned statements will help the user understand the Multi AZ feature better?

• A. In a Multi AZ, AWS runs two DBs in parallel and copies the data asynchronously to the replica copy
• B. In a Multi AZ, AWS runs two DBs in parallel and copies the data synchronously to the replica copy
• C. In a Multi AZ, AWS runs just one DB but copies the data synchronously to the standby replica
• D. AWS MS SQL does not support the Multi AZ feature

Answer: C

Explanation:
Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect your databases against DB instance failure and Availability Zone disruption.Note that the high-availability feature is not a scaling solution for read-only scenarios; you cannot use a standby replica to serve read traffic. To service read-only traffic, you should use a read replica.

NEW QUESTION 13
Which of the following statements about this S3 bucket policy is true?

• A. Denies the server with the IP address 192.166 100.0 full access to the "mybucket" bucket
• B. Denies the server with the IP address 192.166 100.188 full access to the "mybucket bucket
• C. Grants all the servers within the 192 168 100 0/24 subnet full access to the "mybucket" bucket
• D. Grants all the servers within the 192 168 100 188/32 subnet full access to the "mybucket" bucket

Answer: C

NEW QUESTION 14
An organization (account ID 123412341234. has configured the IAM policy to allow the user to modify his credentials. What will the below mentioned statement allow the user to perform?
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow", "Action": [ "iam:AddUserToGroup",
"iam:RemoveUserFromGroup", "iam:GetGroup"
],
"Resource": "arn:aws:iam:: 123412341234:group/TestingGroup"
}]

• A. The IAM policy will throw an error due to an invalid resource name
• B. The IAM policy will allow the user to subscribe to any IAM group
• C. Allow the IAM user to update the membership of the group called TestingGroup
• D. Allow the IAM user to delete the TestingGroup

Answer: C

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (account ID 123412341234. wants their users to manage their subscription to the groups, they should create a relevant policy for that. The below mentioned policy allows the respective IAM user to update the membership of the group called MarketingGroup.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow", "Action": [ "iam:AddUserToGroup",
"iam:RemoveUserFromGroup", "iam:GetGroup"
],
"Resource": "arn:aws:iam:: 123412341234:group/ TestingGroup "
}]

NEW QUESTION 15
A company has a new requirement stating that all resources in AWS must be tagged according to a set policy. Which AWS service should to enforce and continually identify all resources that are not in compliance with the policy?

• A. AWS CloudTrail
• B. Amazon Inspector
• C. AWS Config
• D. AWS Systems Manager

Answer: C

Explanation:
AWS Config
TRACK RESOURCE INVENTORY AND CHANGES
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

NEW QUESTION 16
A user has granted read/write permission of his S3 bucket using ACL. Which of the below mentioned options is a valid ID to grant permission to other AWS accounts (grantee. using ACL?

• A. IAM User ID
• B. S3 Secure ID
• C. Access ID
• D. Canonical user ID

Answer: D

Explanation:
An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups. The user can grant permission to an AWS account by the email address of that account or by the canonical user ID. If the user provides an email in the grant request, Amazon S3 finds the canonical user ID for that account and adds it to the ACL. The resulting ACL will always contain the canonical user ID for the AWS account, and not the AWS account's email address.

NEW QUESTION 17
After a particularly high bill, an organization wants to review the use of AWS services.
What AWS service will allow the SysOps Administrator to quickly view this information to shared it, and will also forest expenses for the billing period?

• A. AWS Trusted Advisor
• B. Amazon QuickSight
• C. AWS Cost and Usage Report
• D. AWS Cost Explorer

Answer: C

NEW QUESTION 18
You have started a new job and are reviewing your company's infrastructure on AWS You notice one web application where they have an Elastic Load Balancer (&B) in front of web instances in an Auto Scaling Group When you check the metrics for the ELB in CloudWatch you see four healthy instances in Availability Zone (AZ) A and zero in AZ B There are zero unhealthy instances.
What do you need to fix to balance the instances across AZs?

• A. Set the ELB to only be attached to another AZ
• B. Make sure Auto Scaling is configured to launch in both AZs
• C. Make sure your AMI is available in both AZs
• D. Make sure the maximum size of the Auto Scaling Group is greater than 4

Answer: B

NEW QUESTION 19
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

• A. "Effect": "Allow", "Action": [??Describe??], "Resource": "Billing"
• B. "Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"
• C. "Effect": "Allow", "Action": ["aws-portal:ViewUsage"], "Resource": "*"
• D. "Effect": "Allow", "Action": ["aws-portal: ViewBilling"], "Resource": "*"

Answer: C

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the CFO wants to allow only AWS usage report page access, the policy for that IAM user will be as given below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow", "Action": [
"aws-portal:ViewUsage"
],
"Resource": "*"
}
]
}

NEW QUESTION 20
A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS volume. How can the user encrypt the data at rest?

• A. Use AWS EBS encryption to encrypt the data at rest
• B. The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool
• C. The user has to select the encryption enabled flag while launching the EC2 instance
• D. Encryption of volume is not available as a part of the free usage tier

Answer: B

Explanation:
AWS EBS supports encryption of the volume while creating new volumes. It supports encryption of the data at rest, the I/O as well as all the snapshots of the EBS volume. The EBS supports encryption for the selected instance type and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro instance.

NEW QUESTION 21
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85baf1fc, and it is actively used by 10 Amazon EC2 hosts.
The organization has become concerned that the file system is not encrypted. How can this be resolved?

• A. Enable encryption on each hosts connection to the Amazon EFS volume Each connection must be recreated for encryption to take effect
• B. Enable encryption on the existing EFS volume by using the AWS Command Line Interface
• C. Enable encryption on each host's local drive Restart each host to encrypt the drive
• D. Enable encryption on a newly created volume and copy all data from the original volume Reconnect each host to the new volume

Answer: A

Explanation:
https://docs.aws.amazon.com/efs/latest/ug/encryption.html https://aws.amazon.com/premiumsupport/knowledge-center/encrypt-data-efs/

NEW QUESTION 22
A user has enabled session stickiness with ELB. The user does not want ELB to manage the cookie; instead he wants the application to manage the cookie. What will happen when the server instance, which is bound to a cookie, crashes?

• A. The response will have a cookie but stickiness will be deleted
• B. The session will not be sticky until a new cookie is inserted
• C. ELB will throw an error due to cookie unavailability
• D. The session will be sticky and ELB will route requests to another server as ELB keeps replicating the Cookie

Answer: B

Explanation:
With Elastic Load Balancer, if the admin has enabled a sticky session with application controlled stickiness, the load balancer uses a special cookie generated by the application to associate the session with the original server which handles the request. ELB follows the lifetime of the application-generated cookie corresponding to the cookie name specified in the ELB policy configuration. The load balancer only inserts a new stickiness cookie if the application response includes a new application cookie. The load balancer stickiness cookie does not update with each request. If the application cookie is explicitly removed or expires, the session stops being sticky until a new application cookie is issued.

NEW QUESTION 23
Your organization is preparing for a security assessment of your use of AWS.
In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers

• A. Create individual IAM users for everyone in your organization
• B. Configure MFA on the root account and for privileged IAM users
• C. Assign IAM users and groups configured with policies granting least privilege access
• D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

Answer: BC

Explanation:
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

NEW QUESTION 24
Which of the below mentioned AWS RDS logs cannot be viewed from the console for MySQL?

• A. Error Log
• B. Slow Query Log
• C. Transaction Log
• D. General Log

Answer: C

Explanation:
The user can view, download, and watch the database logs using the Amazon RDS console, the Command Line Interface (CLI., or the Amazon RDS API. For the MySQL RDS, the user can view the error log, slow querylog, and general logs. RDS does not support viewing the transaction logs.

NEW QUESTION 25
An organization wants to move to Cloud. They are looking for a secure encrypted database storage option. Which of the below mentioned AWS functionalities helps them to achieve this?

• A. AWS MFA with EBS
• B. AWS EBS encryption
• C. Multi-tier encryption with Redshift
• D. AWS S3 server side storage

Answer: B

Explanation:
AWS EBS supports encryption of the volume while creating new volumes. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. The data at rest, the I/O as well as all the snapshots of EBS will be encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between the EC2 instances and EBS storage. EBS encryption is based on the AES-256 cryptographic algorithm, which is the industry standard.

NEW QUESTION 26
......