Amazon AWS Certified SysOps Administrator - Associate SOA-C02
#271 (Accuracy: 100% / 3 votes)
A company has an application that uses a scheduled AWS Lambda function to retrieve datasets from external sources over the internet. The function is not associated with a VPC. The company is modifying the application to store the information that the Lambda function retrieves on an Amazon RDS DB instance in a private subnet. The VPC has two public subnets and two private subnets.

A SysOps administrator must deploy a solution that allows the Lambda function to access the new database and continue to access the internet.


Which solution meets these requirements?
  • A. Create a new Lambda function with VPC access and an Elastic IP address. Attach the function to public subnets in two Availability Zones. Associate a security group with the Elastic IP address. Configure the security group outbound rules to allow Lambda to access the required resources.
  • B. Create a new Lambda function with VPC access and two public IP addresses. Attach the function to public subnets in the same Availability Zones that the database uses. Associate a security group with the function. Configure the security group inbound rules to allow Lambda to access the required resources.
  • C. Reconfigure the Lambda function for VPC access. Add NAT gateways to the public subnets in the VPC. Add route table entries in the private subnets to route through the NAT gateways to the internet. Attach the function to the private subnets that support the database. Associate a security group with the function. Configure the security group outbound rules to allow Lambda to access the internet.
  • D. Reconfigure the Lambda function for VPC access. Attach the function to the private subnets. Add route table entries in the private subnets to route through the internet gateway to the internet. Associate a security group with the subnets. Configure the security group inbound rules to allow Lambda to access the required resources through the internet gateway.
#272 (Accuracy: 90% / 6 votes)
A company stores sensitive data in an Amazon S3 bucket. The company must log all access attempts to the S3 bucket. The company’s risk team must receive immediate notification about any delete events.

Which solution will meet these requirements?
  • A. Enable S3 server access logging for audit logs. Set up an Amazon Simple Notification Service (Amazon SNS) notification for the S3 bucket. Select DeleteObject for the event type for the alert system.
  • B. Enable S3 server access logging for audit logs. Launch an Amazon EC2 instance for the alert system. Run a cron job on the EC2 instance to download the access logs each day and to scan for a DeleteObject event.
  • C. Use Amazon CloudWatch Logs for audit logs. Use Amazon CloudWatch alarms with an Amazon Simple Notification Service (Amazon SNS) notification for the alert system.
  • D. Use Amazon CloudWatch Logs for audit logs. Launch an Amazon EC2 instance for the alert system. Run a cron job on the EC2 instance each day to compare the list of the items with the list from the previous day. Configure the cron job to send a notification if an item is missing.
#273 (Accuracy: 100% / 3 votes)
A company has implemented a Kubernetes cluster on Amazon Elastic Kubernetes Service (Amazon EKS) to host a microservices-based application. The company expects application traffic to increase significantly for the next month and wants to prevent the application from crashing because of the high number of requests.

Which solution will meet these requirements with the LEAST administrative overhead?
  • A. Create a second EKS cluster. Load balance the workload between the two clusters.
  • B. Implement the Kubernetes Horizontal Pod Autoscaler. Set a target CPU utilization percentage.
  • C. Migrate the application from Amazon EKS to Amazon EC2 for the next month. Migrate the application back to Amazon EKS when the month ends.
  • D. Implement the Kubernetes Vertical Pod Autoscaler. Set a target CPU utilization percentage.
#274 (Accuracy: 100% / 2 votes)
A SysOps administrator wants to protect objects in an Amazon S3 bucket from accidental overwrite and deletion. Noncurrent objects must be kept for 90 days and then must be permanently deleted. Objects must reside within the same AWS Region as the original S3 bucket.
Which solution meets these requirements?
  • A. Create an Amazon Data Lifecycle Manager (Amazon DLM) lifecycle policy for the S3 bucket. Add a rule to the lifecycle policy to delete noncurrent objects after 90 days.
  • B. Create an AWS Backup policy for the S3 bucket. Create a backup rule that includes a lifecycle to expire noncurrent objects after 90 days.
  • C. Enable S3 Cross-Region Replication on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
  • D. Enable S3 Versioning on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
#275 (Accuracy: 100% / 4 votes)
A company updates its security policy to prohibit the public exposure of any data in Amazon S3 buckets in the company's account.

What should a SysOps administrator do to meet this requirement?
  • A. Turn on S3 Block Public Access from the account level.
  • B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private.
  • C. Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found.
  • D. Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private.
#276 (Accuracy: 100% / 4 votes)
A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load.

What are possible causes for this problem? (Choose two.)
  • A. CloudFront does not have the ALB configured as the origin access identity.
  • B. The DNS is still pointing to the ALB instead of the CloudFront distribution.
  • C. The ALB security group is not permitting inbound traffic from CloudFront.
  • D. The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.
  • E. The target groups associated with the ALB are configured for sticky sessions.
#277 (Accuracy: 100% / 2 votes)
A company has many accounts in an organization in AWS Organizations. The company must automate resource provisioning from the organization’s management account to the member accounts.

Which solution will meet this requirement?
  • A. Create an AWS CloudFormation change set. Deploy the change set to all member accounts.
  • B. Create an AWS CloudFormation nested stack. Deploy the nested stack to all member accounts.
  • C. Create an AWS CloudFormation stack set. Deploy the stack set to all member accounts.
  • D. Create an AWS Serverless Application Model (AWS SAM) template. Deploy the template to all member accounts.
#278 (Accuracy: 100% / 3 votes)
A SysOps administrator creates a custom Amazon Machine Image (AMI) in the eu-west-2 Region and uses the AMI to launch Amazon EC2 instances. The SysOps administrator needs to use the same AMI to launch EC2 instances in two other Regions: us-east-1 and us-east-2.

What must the SysOps administrator do to use the custom AMI in the additional Regions?
  • A. Copy the AMI to the additional Regions.
  • B. Make the AMI public in the Community AMIs section of the AWS Management Console.
  • C. Share the AMI to the additional Regions. Assign the required access permissions.
  • D. Copy the AMI to a new Amazon S3 bucket. Assign access permissions to the AMI for the additional Regions.
#279 (Accuracy: 100% / 3 votes)
A company manages a set of accounts on AWS by using AWS Organizations. The company's security team wants to use a native AWS service to regularly scan all AWS accounts against the Center for Internet Security (CIS) AWS Foundations Benchmark.

What is the MOST operationally efficient way to meet these requirements?
  • A. Designate a central security account as the AWS Security Hub administrator account. Create a script that sends an invitation from the Security Hub administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure Security Hub to run the CIS AWS Foundations Benchmark scans.
  • B. Run the CIS AWS Foundations Benchmark across all accounts by using Amazon Inspector.
  • C. Designate a central security account as the Amazon GuardDuty administrator account. Create a script that sends an invitation from the GuardDuty administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure GuardDuty to run the CIS AWS Foundations Benchmark scans.
  • D. Designate an AWS Security Hub administrator account. Configure new accounts in the organization to automatically become member accounts. Enable CIS AWS Foundations Benchmark scans.
#280 (Accuracy: 100% / 1 vote)
A company has turned on server access logging for all of its existing Amazon S3 buckets. The company wants to implement a solution to monitor the logging settings for new and existing S3 buckets. The solution must remediate any S3 buckets that do not have logging turned on.

What should a SysOps administrator do to meet these requirements in the MOST operationally efficient way?
  • A. Track the logging information by using AWS CloudTrail. Launch an AWS Lambda function for remediation.
  • B. Configure automatic remediation in AWS Config by using the s3-bucket-logging-enabled rule.
  • C. Configure AWS Trusted Advisor to monitor the logging configuration and to turn on access logging if necessary.
  • D. Track the logging information by using Amazon CloudWatch metrics. Launch an AWS Lambda function for remediation.