Last Updated on October 3, 2021 by Admin 2

SOA-C01 : AWS-SysOps : Part 11

  1. A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The Internet gateway has also been created. What can be the reason for the error?

    • The internet gateway is not configured with the route table
    • The private IP is not present
    • The outbound traffic on the security group is disabled
    • The internet gateway is not configured with the security group
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. AWS provides two features the user can use to increase security in a VPC: security groups and network ACLs. Security groups work at the instance level. When a user launches an instance and wants to connect to it from the Internet, an internet gateway is needed. The internet gateway should be configured in the route table to allow traffic from the Internet.
  2. A user is trying to set up a security policy for ELB. The user wants ELB to choose the cipher supported by the client by configuring the server order preference in the ELB security policy. Which of the below mentioned preconfigured policies supports this feature?

    • ELBSecurity Policy-2014-01
    • ELBSecurity Policy-2011-08
    • ELBDefault Negotiation Policy
    • ELBSample- OpenSSLDefault Cipher Policy
    Explanation:
    Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. If the load balancer is configured to support the Server Order Preference, then the load balancer gets to select the first cipher in its list that matches any one of the ciphers in the client’s list. When the user verifies the preconfigured policies supported by ELB, the policy “ELBSecurity Policy-2014-01” supports server order preference.
  3. A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling AlarmNotification process (which notifies Auto Scaling of CloudWatch alarms) for a while. What will Auto Scaling do during this period?

    • AWS will not receive the alarms from CloudWatch
    • AWS will receive the alarms but will not execute the Auto Scaling policy
    • Auto Scaling will execute the policy but it will not launch the instances until the process is resumed
    • It is not possible to suspend the AlarmNotification process
    Explanation:
    Auto Scaling performs various processes, such as Launch, Terminate, AlarmNotification, etc. The user can also suspend individual processes. The AlarmNotification process type accepts notifications from the Amazon CloudWatch alarms that are associated with the Auto Scaling group. If the user suspends this process type, Auto Scaling will not automatically execute the scaling policies that would be triggered by the alarms.
  4. George has launched three EC2 instances inside the US-East-1a zone with his AWS account. Ray has launched two EC2 instances in the US-East-1a zone with his AWS account. Which of the below mentioned statements will help George and Ray understand the availability zone (AZ) concept better?

    • The instances of George and Ray will be running in the same data center
    • All the instances of George and Ray can communicate over a private IP with a minimal cost
    • All the instances of George and Ray can communicate over a private IP without any cost
    • The US-East-1a region of George and Ray can be different availability zones
    Explanation:
    Each AWS region has multiple, isolated locations known as Availability Zones. To ensure that the AWS resources are distributed across the Availability Zones for a region, AWS independently maps the Availability Zones to identifiers for each account. In this case the Availability Zone US-East-1a where George’s EC2 instances are running might not be the same location as the US-East-1a zone of Ray’s EC2 instances. There is no way for the user to coordinate the Availability Zones between accounts.
  5. A user had aggregated the CloudWatch metric data on the AMI ID. The user observed some abnormal behavior of the CPU utilization metric while viewing the last 2 weeks of data. The user wants to share that data with his manager. How can the user achieve this easily with the AWS console?

    • The user can use the copy URL functionality of CloudWatch to share the exact details
    • The user can use the export data option from the CloudWatch console to export the current data point
    • The user has to find the period and data and provide all the aggregation information to the manager
    • The user can use the CloudWatch data copy functionality to copy the current data points
    Explanation:
    Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyze. The console provides the option to save the URL or bookmark it so that it can be used in the future by typing the same URL. The Copy URL functionality is available under the console when the user selects any metric to view.
  6. A user has set up a CloudWatch alarm on the EC2 instance for CPU utilization. The user has configured it to send an email notification when the CPU utilization is higher than 60%. The user is running a virus scan on the same instance at a particular time. The user wants to avoid receiving an email at this time. What should the user do?

    • Remove the alarm
    • Disable the alarm for a while using CLI
    • Modify the CPU utilization by removing the email alert
    • Disable the alarm for a while using the console
    Explanation:
    An Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. When the user has set up an alarm and it is known that for some unavoidable event the status may change to ALARM, the user can disable the alarm actions using the DisableAlarmActions API or from the command line with mon-disable-alarm-actions.
  7. A user has configured ELB with SSL using a security policy for secure negotiation between the client and load balancer. Which of the below mentioned SSL protocols is not supported by the security policy?

    • TLS 1.3
    • TLS 1.2
    • SSL 2.0
    • SSL 3.0
    Explanation:
    Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. Elastic Load Balancing supports the following versions of the SSL protocol:
    TLS 1.2
    TLS 1.1
    TLS 1.0
    SSL 3.0
    SSL 2.0
  8. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group (DBSecGrp)?

    • Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp)
    • Allow Inbound on port 3306 from source 20.0.0.0/16
    • Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp)
    • Allow Outbound on port 80 for Destination NAT Instance IP
    Explanation:
    A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public and a private subnet to host the web server and DB server respectively, the user should configure the instances in the private subnet so that they can receive inbound traffic from the public subnet on the DB port. Thus, configure port 3306 in Inbound with the source as the Web Server Security Group (WebSecGrp). The user should configure ports 80 and 443 for Destination 0.0.0.0/0 in Outbound, as the route table directs traffic from the private subnet to the NAT instance.
  9. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created public and VPN only subnets along with hardware VPN access to connect to the user’s data center. The user has not yet launched any instance as well as modified or deleted any setup. He wants to delete this VPC from the console. Will the console allow the user to delete the VPC?

    • Yes, the console will delete all the setups and also delete the virtual private gateway
    • No, the console will ask the user to manually detach the virtual private gateway first and then allow deleting the VPC
    • Yes, the console will delete all the setups and detach the virtual private gateway
    • No, since the NAT instance is running
    Explanation:
    The user can create subnets as per the requirement within a VPC. If the user wants to connect the VPC to his own data center, he can set up a public and VPN-only subnet which uses hardware VPN access to connect with his data center. When the user has configured this setup with the wizard, it will create a virtual private gateway to route all traffic of the VPN subnet. If the virtual private gateway is attached to the VPC and the user deletes the VPC from the console, it will first detach the gateway automatically and only then delete the VPC.
  10. A user is trying to create a PIOPS EBS volume with 4000 IOPS and 100 GB size. AWS does not allow the user to create this volume. What is the possible root cause for this?

    • The ratio between IOPS and the EBS volume is higher than 30
    • The maximum IOPS supported by EBS is 3000
    • The ratio between IOPS and the EBS volume is lower than 50
    • PIOPS is supported for EBS higher than 500 GB size
    Explanation:
    A provisioned IOPS EBS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB.
  11. A user has setup a custom application which generates a number in decimals. The user wants to track that number and setup the alarm whenever the number is above a certain limit. The application is sending the data to CloudWatch at regular intervals for this purpose. Which of the below mentioned statements is not true with respect to the above scenario?

    • The user can get the aggregate data of the numbers generated over a minute and send it to CloudWatch
    • The user has to supply the time zone with each data point
    • CloudWatch will not truncate the number until it has an exponent larger than 126 (i.e. (1 x 10^126))
    • The user can create a file in the JSON format with the metric name and value and supply it to CloudWatch
  12. A user has launched an EC2 Windows instance from an instance store backed AMI. The user has also set the Instance initiated shutdown behavior to stop. What will happen when the user shuts down the OS?

    • It will not allow the user to shut down the OS when the shutdown behavior is set to Stop
    • It is not possible to set the termination behavior to Stop for an Instance store backed AMI instance
    • The instance will stay running but the OS will be shutdown
    • The instance will be terminated
    Explanation:
    When the EC2 instance is launched from an instance store backed AMI, it will not allow the user to configure the shutdown behavior to “Stop”. It gives a warning that the instance does not have the EBS root volume.
  13. A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?

    • The user should use the same encryption key for all versions of the same object
    • It is possible to have different encryption keys for different versions of the same object
    • AWS S3 does not allow the user to upload his own keys for server side encryption
    • The SSE-C does not work when versioning is enabled
    Explanation:
    AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either use the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key (SSE-C). If the bucket is versioning-enabled, each object version uploaded by the user using the SSE-C feature can have its own encryption key. The user is responsible for tracking which encryption key was used for which object version.
  14. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet with the same VPC for CIDR 20.0.0.1/24. What will happen in this scenario?

    • The VPC will modify the first subnet CIDR automatically to allow the second subnet IP range
    • It is not possible to create a subnet with the same CIDR as VPC
    • The second subnet will be created
    • It will throw a CIDR overlaps error
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. The user can create a subnet with the same size as the VPC. However, he cannot create any other subnet since the CIDR of the second subnet will conflict with the first subnet.
  15. A user has launched an RDS MySQL DB with the Multi-AZ feature. The user has scheduled the scaling of instance storage during the maintenance window. What is the correct order of events during the maintenance window?

    1. Perform maintenance on standby
    2. Promote standby to primary
    3. Perform maintenance on original primary
    4. Promote original master back as primary

    • 1, 2, 3, 4
    • 1, 2, 3
    • 2, 3, 1, 4
    Explanation:
    Running MySQL on the RDS DB instance as a Multi-AZ deployment can help the user reduce the impact of a maintenance event, as Amazon will conduct maintenance by following the steps in the below mentioned order:
    Perform maintenance on standby
    Promote standby to primary
    Perform maintenance on original primary, which becomes the new standby.
  16. A sys admin is using server side encryption with AWS S3. Which of the below mentioned statements helps the user understand the S3 encryption functionality?

    • The server side encryption with the user supplied key works when versioning is enabled
    • The user can use the AWS console, SDK and APIs to encrypt or decrypt the content for server side encryption with the user supplied key
    • The user must send an AES-128 encrypted key
    • The user can upload his own encryption key to the S3 console
    Explanation:
    AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either use the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key. The encryption with the user supplied key (SSE-C) does not work with the AWS console. S3 does not store the keys and the user has to send a key with each request. SSE-C works when the user has enabled versioning.
  17. A root account owner is trying to understand the S3 bucket ACL. Which of the below mentioned options cannot be used to grant ACL on the object using the authorized predefined group?

    • Authenticated user group
    • All users group
    • Log Delivery Group
    • Canonical user group
    Explanation:
    An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups. Amazon S3 has a set of predefined groups. When granting account access to a group, the user can specify one of the URLs of that group instead of a canonical user ID. AWS S3 has the following predefined groups:
    Authenticated Users group: It represents all AWS accounts.
    All Users group: Access permission to this group allows anyone to access the resource.
    Log Delivery group: WRITE permission on a bucket enables this group to write server access logs to the bucket.
  18. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and a VPN-only subnet CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user’s data center. The user’s data center has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the below mentioned options is not a valid entry for the main route table in this scenario?

    • Destination: 20.0.1.0/24 and Target: i-12345
    • Destination: 0.0.0.0/0 and Target: i-12345
    • Destination: 172.28.0.0/12 and Target: vgw-12345
    • Destination: 20.0.0.0/16 and Target: local
    Explanation:
    The user can create subnets as per the requirement within a VPC. If the user wants to connect the VPC to his own data center, he can set up a public and VPN-only subnet which uses hardware VPN access to connect with his data center. When the user has configured this setup with the wizard, it will create a virtual private gateway to route all traffic of the VPN subnet. If the user has set up a NAT instance to route all the Internet requests, then all requests to the internet should be routed to it. All requests to the organization’s DC will be routed to the VPN gateway.
    Here are the valid entries for the main route table in this scenario:
    Destination: 0.0.0.0/0 & Target: i-12345 (To route all internet traffic to the NAT instance).
    Destination: 172.28.0.0/12 & Target: vgw-12345 (To route all the organization’s data center traffic to the VPN gateway).
    Destination: 20.0.0.0/16 & Target: local (To allow local routing in VPC).
  19. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. The NAT instance ID is i-a12345. Which of the below mentioned entries are required in the main route table attached to the private subnet to allow instances to connect with the internet?

    • Destination: 0.0.0.0/0 and Target: i-a12345
    • Destination: 20.0.0.0/0 and Target: 80
    • Destination: 20.0.0.0/0 and Target: i-a12345
    • Destination: 20.0.0.0/24 and Target: i-a12345
    Explanation:
    A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public and a private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create two route tables and attach them to the subnets. The main route table will have the entry “Destination: 0.0.0.0/0 and Target: i-a12345”, which allows all the instances in the private subnet to connect to the internet using NAT.
  20. A root account owner has given full access of his S3 bucket to one of the IAM users using the bucket ACL. When the IAM user logs in to the S3 console, which actions can he perform?

    • He can just view the content of the bucket
    • He can do all the operations on the bucket
    • It is not possible to give access to an IAM user using ACL
    • The IAM user can perform all operations on the bucket using only API/SDK
    Explanation:
    Each AWS S3 bucket and object has an ACL (Access Control List) associated with it. An ACL is a list of grants identifying the grantee and the permission granted. The user can use ACLs to grant basic read/write permissions to other AWS accounts. ACLs use an Amazon S3–specific XML schema. The user cannot grant permissions to other users (IAM users) in his account.