Amazon AWS Certified SysOps Administrator - Associate SOA-C02
#131 (Accuracy: 100% / 3 votes)
A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account.

What is the MOST operationally efficient solution to control the production account?
  • A. Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
  • B. Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
  • C. Create a service control policy (SCP). Apply the SCP to the production OU.
  • D. Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.
#132 (Accuracy: 100% / 1 votes)
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.

Which solution will meet these requirements in the MOST secure manner?
  • A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
  • B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
  • C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
  • D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
#133 (Accuracy: 100% / 3 votes)
While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it.
What address should be used to create the customer gateway resource?
  • A. The private IP address of the customer gateway device
  • B. The MAC address of the NAT device in front of the customer gateway device
  • C. The public IP address of the customer gateway device
  • D. The public IP address of the NAT device in front of the customer gateway device
#134 (Accuracy: 100% / 3 votes)
A company has an AWS Site-to-Site VPN connection between on-premises resources and resources that are hosted in a VPC. A SysOps administrator launches an Amazon EC2 instance that has only a private IP address into a private subnet in the VPC. The EC2 instance runs Microsoft Windows Server.

A security group for the EC2 instance has rules that allow inbound traffic from the on-premises network over the VPN connection.
The on-premises environment contains a third-party network firewall. Rules in the third-party network firewall allow Remote Desktop Protocol (RDP) traffic to flow between the on-premises users over the VPN connection.

The on-premises users are unable to connect to the EC2 instance and receive a timeout error.


What should the SysOps administrator do to troubleshoot this issue?
  • A. Create Amazon CloudWatch logs for the EC2 instance to check for blocked traffic.
  • B. Create Amazon CloudWatch logs for the Site-to-Site VPN connection to check for blocked traffic.
  • C. Create VPC flow logs for the EC2 instance's elastic network interface to check for rejected traffic.
  • D. Instruct users to use EC2 Instance Connect as a connection method.
#135 (Accuracy: 100% / 2 votes)
A company wants to apply an existing Amazon Route 53 private hosted zone to a new VPC to allow for customized resource name resolution within the VPC. The SysOps administrator created the VPC and added the appropriate resource record sets to the private hosted zone.

Which step should the SysOps administrator take to complete the setup?
  • A. Associate the Route 53 private hosted zone with the VPC.
  • B. Create a rule in the default security group for the VPC that allows traffic to the Route 53 Resolver.
  • C. Ensure the VPC network ACLs allow traffic to the Route 53 Resolver.
  • D. Ensure there is a route to the Route 53 Resolver in each of the VPC route tables.
#136 (Accuracy: 94% / 6 votes)
Users are reporting consistent forced logouts from a stateful web application. The logouts occur before the expiration of a 15-minute application logout timer.

The web application is hosted on Amazon EC2 instances that are in an Auto Scaling group.
The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Session affinity (sticky sessions) is already enabled on the ALB target group and uses duration-based cookies. The web application generates its own application cookie.

Which combination of actions should a SysOps administrator take to resolve the logout problem? (Choose two.)
  • A. Change to the least outstanding requests algorithm on the ALB target group.
  • B. Configure cookie forwarding in the CloudFront distribution's cache behavior settings.
  • C. Configure the duration-based cookie to be named AWSALB.
  • D. Configure the ALB to use the expiration cookie header.
  • E. Change the ALB to use application-based cookies.
#137 (Accuracy: 100% / 3 votes)
A company uses Amazon CloudFront to serve static content to end users. The company's marketing team recently deployed updates to 150 images on the company's website. However, the website is not displaying some of the new images.

A SysOps administrator reviews the CloudFront distribution's cache settings.
The default TTL for the distribution is set to 1 week (604,800 seconds).

What should the SysOps administrator do to refresh the cache with the new images in the MOST operationally efficient way?
  • A. Create a new CloudFront distribution that has the same origin. Set the default TTL to 1 minute (60 seconds). Switch Amazon Route 53 DNS records to use the new distribution.
  • B. Instruct the marketing team to upload the new images to a different location. When the new images are uploaded, update the website to locate the new images.
  • C. Issue a CloudFront invalidation request to immediately expire the new images from the marketing team's update.
  • D. Update the existing CloudFront distribution to reconfigure the default TTL to 1 minute (60 seconds). During submission of the new configuration, include the flag to invalidate objects in the specified path.
#138 (Accuracy: 100% / 3 votes)
A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services.

A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions.
The routing must be based on the user's location.

Which solution will meet these requirements?
  • A. Configure a Route 53 latency routing policy.
  • B. Configure a Route 53 multivalue answer routing policy.
  • C. Configure a Route 53 geolocation routing policy.
  • D. Configure a Route 53 IP-based routing policy.
#139 (Accuracy: 100% / 3 votes)
A SysOps administrator notices that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. The SysOps administrator needs to increase the cache hit ratio for the distribution, improve network performance, and reduce the load on the origin.

Which combination of actions should the SysOps administrator take to meet these requirements? (Choose two.)
  • A. Enable CloudFront Origin Shield for the required AWS Regions.
  • B. Change the viewer protocol policy to use HTTPS only.
  • C. Add a second origin. Create an origin group that includes both origins. Activate CloudFront origin failover.
  • D. Turn on automatic compression of objects in the cache behavior settings.
  • E. Increase the CloudFront TTL values in the cache behavior settings.
#140 (Accuracy: 100% / 3 votes)
A SysOps administrator configured VPC flow logs by using the default format. The SysOps administrator specified Amazon CloudWatch Logs as the destination. This solution has worked successfully for several months. However, because of additional troubleshooting requirements, the SysOps administrator needs to include the tcp-flags field on the flow logs.

What should the SysOps administrator do to meet this requirement?
  • A. Create a new flow log. Include the tcp-flags field in the custom log format. Delete the original flow log.
  • B. In the CloudWatch Logs log group, modify the filter to include the tcp-flags field and the type field.
  • C. In CloudWatch Metrics, modify the metric configuration to include the tcp-flags field.
  • D. Modify the existing flow log. Include the tcp-flags field and the type field in the custom log format. Save the configuration.