Last Updated on October 3, 2021 by Admin 2
SOA-C01 : AWS-SysOps : Part 27
The amount of data a company must back up has been increasing, and storage space is quickly running out. There is no budget to purchase new backup software that is capable of backing up data directly to the cloud.
What is the MOST cost-effective way to make storage available to the company’s legacy backup system?
- Launch an Amazon EC2 instance, add large Amazon EBS volumes, and connect using VPN
- Ship backup tapes to AWS for storage in secure AWS Availability Zones
- Use AWS Snowball on a weekly basis to transfer data to Amazon Glacier
- Use AWS Storage Gateway to present a VTL using iSCSI to the legacy application
The SysOps Administrator must integrate an existing on-premises asymmetrical key management system into an AWS services platform.
How can the Administrator meet this requirement?
- Implement AWS KMS and integrate with the existing on-premises asymmetrical key management system
- Implement AWS CloudHSM and integrate it with the existing key management infrastructure
- Deploy an Amazon EC2 instance and choose an AMI from an AWS partner in the AWS Marketplace
- Create a master key in AWS KMS, and export that key to the existing on-premises asymmetrical key management system
A Systems Administrator is planning to deploy multiple EC2 instances within two separate Availability Zones in the same AwS Region. The instances cannot be exposed to the Internet, but must be able to exchange traffic between one another. The data does not need to be encrypted.
What solution meets these requirements while maintaining the lowest cost?
- Create two private subnets within the same VPC. Communicate between instances using their private IP addresses
- Create 2 public subnets within the same VPC. Communicate between instances using their public IP addresses
- Create 2 separate VPCs, one for each Availability Zone. Create a private subnet within each VPC. Create a static route table pointing the destination CIDR to the other VPC
- Create 2 separate VPCs, one for each Availability Zone and create a public subnet in each. Deploy a VPN appliance within each VPC and establish a VPN tunnel between them. Communicate between instances by routing traffic through the VPN appliances
A company website hosts patches for software that is sold globally. The website runs in AWS and performs well until a large software patch is released. The flood of downloads puts a strain on the web servers and leads to a poor customer experience.
What can the SysOps Administrator propose to enhance customer experience, create a more available web platform, and keep costs low?
- Use an Amazon CloudFront distribution to cache static content, including software patches
- Increase the size of the NAT instance to improve throughput
- Scale out of web servers in advance of patch releases to reduce Auto Scaling delays
- Move the content to IO1 and provision additional IOPS to the volume that contains the software patches
An organization has developed a new memory-intensive application that is deployed to a large Amazon EC2 Linux fleet. There is concern about potential memory exhaustion, so the Development team wants to monitor memory usage by using Amazon CloudWatch.
What is the MOST efficient way to accomplish this goal?
- Deploy the solution to memory-optimized EC2 instances, and use the CloudWatch MemoryUtilization metric
- Enable the Memory Monitoring option by using AWS Config
- Install the AWS Systems Manager agent on the applicable EC2 instances to monitor memory
- Monitor memory by using a script within the instance, and send it to CloudWatch as a custom metric
A SysOps Administrator is running Amazon EC2 instances in multiple AWS Regions. The Administrator wants to aggregate the CPU utilization for all instances onto an Amazon CloudWatch dashboard. Each region should be present on the dashboard and represented by a single graph that contains the CPU utilization for all instances in that region.
How can the Administrator meet these requirements?
- Create a cross-region dashboard using AWS Lambda and distribute it to all regions
- Create a custom CloudWatch dashboard and add a widget for each region in the AWS Management Console
- Enable cross-region dashboards under the CloudWatch section of the AWS Management Console
- Switch from basic monitoring to detailed monitoring on all instances
A mobile application must allow users to securely access their own content stored in a shared Amazon S3 bucket.
Which AWS services should be used to enable this access? (Choose two.)
- AWS Directory Service
- AWS Shield
- IAM roles
- Amazon Cognito
- AWS Organizations
A Development team has an application stack consisting of many OS dependencies and language runtime dependencies. When deploying the application to production, the most important factor is how quickly the instance is operational.
What deployment methodology should be used to update the running environments to meet the requirement?
- Use fully baked AMIs (“golden images”) created after each successful build, creating a new Auto Scaling group, and blue/green deployments with rollbacks.
- Use user-data scripts to configure the instance correctly on boot by installing all dependencies when needed.
- Use an AWS Lambda function to only update the application locally on each instance, then re-attach it to the load balancer when the process complete.
- Use AWS OpsWorks scripts to execute on reboot of each instance to install all known dependencies, then re-attach the instances to the load balancer.
A web-based application is running in AWS. The application is using a MySQL Amazon RDS database instance for persistence. The application stores transactional data and is read-heavy. The RDS instance gets busy during the peak usage, which shows the overall application response times.
The SysOps Administrator is asked to improve the read queries performance using a scalable solution.
Which options will meet these requirements? (Choose two.)
- Scale up the RDS instance to a larger instance size
- Enable the RDS database Multi-AZ option
- Create a read replica of the RDS instance
- Use Amazon DynamoDB instead of RDS
- Use Amazon ElastiCache to cache read queries
A Content Processing team has notified a SysOps Administrator that their content is sometimes taking a long time to process, whereas other times it processes quickly. The Content Processing submits messages to an Amazon Simple Queue Service (Amazon SQS) queue, which details the files that need to be processed. An Amazon EC2 instance polls the queue to determine which file to process next.
How could the Administrator maintain a fast but cost-effective processing time?
- Attach an Auto Scaling policy to the Amazon SQS queue to increase the number of EC2 instances based on the depth of the SQS queue
- Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on MaxVisibility Timeout
- Attach an Auto Scaling policy to the SQS queue to scale instances based on the depth of the dead-letter queue
- Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on ApproximateNumberOfMessagesVisible
A SysOps Administrator receives reports of an Auto Scaling group failing to scale when the nodes running Amazon Linux in the cluster are constrained by high memory utilization.
What should the Administrator do to enable scaling to better adapt to the high memory utilization?
- Create a custom script that pipes memory utilization to Amazon S3, then, scale with an AWS Lambda-powered event
- Install the Amazon CloudWatch memory monitoring scripts, and create a custom metric based on the script’s results
- Increase the minimum size of the cluster to meet memory and application load demands
- Deploy an Application Load Balancer to more evenly distribute traffic among nodes
A SysOps Administrator has received a request from the Compliance Department to enforce encryption at rest of all new objects uploaded to the corp-compliance bucket.
How can the Administrator enforce encryption on all objects uploaded to the bucket?
- Enable Amazon S3 default encryption on the bucket.
- Generate a presigned URL for the Amazon S3 PUT operation with server-side encryption flag set, and send the URL to the user.
An errant process is known to use an entire processor and run at 100%. A SysOps Administrator wants to automate restarting the instance once the problem occurs for more than 2 minutes.
How can this be accomplished?
- Create an Amazon CloudWatch alarm for the EC2 instance with basic monitoring. Enable an action to restart the instance.
- Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
- Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes.
- Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks.
A SysOps Administrator needs to report on Amazon EC2 instance cost by both project and environment (production, staging, development).
Which action would impact the operations team the LEAST?
- For each project and environment, create a new AWS account and link them to the master payer for unified management and billing
- Use AWS Organizations to create a new organization for each project, then for each environment use a separate linked AWS account
- Implement cost allocation tagging in the Billing and Cost Management console to implement tags to identify resources by project and environment
- Add the project and environment information to the instance metadata so that the values can be queried and rolled up into reports
A web application’s performance has been degrading. Historically, the application has had highly-variable workloads, but lately, there has been a steady growth in traffic as the result of a new product launch. After reviewing several Amazon CloudWatch metrics, it is discovered that over the last two weeks the balance of CPU credits has dropped to zero several times.
Which solutions will improve performance? (Choose two.)
- Begin using the T2 instance type
- Purchase more CPU credits for the existing instance
- Increase the size of the current instance type
- Configure a CloudWatch alarm on the CPU credits metric
An Amazon EC2 instance is in a private subnet. To SSH to the instance, it is required to use a bastion host that has an IP address of 10.0.0.5. SSH logs on the EC2 instance in the private subnet show that connections are being made over SSH from several other IP addresses. The EC2 instance currently has the following inbound security group rules applied:
What is the MOST likely reason that another IP addresses is able to SSH to the EC2 instance?
- The rule with 0.0.0.0/0 means SSH is open for any client to connect
- The rule with /32 is not limiting to a single IP address
- Any instance belonging to sg-xxxxxxxx is allowed to connect
- There is an outbound rule allowing SSH traffic
An AWS CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted.
How can this be achieved in a reliable and efficient way?
- Write a script to continue backing up the RDS instance every five minutes
- Create an AWS Lambda function to take a snapshot of the RDS instance, and manually execute the function before deleting the stack
- Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance
- Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack
A company’s IT Security team is performing an audit of the AWS environment to determine which servers need to be patched and where additional security controls need to be added.
The company is responsible for which of the following? (Choose two.)
- Patching the OS on Amazon RDS instances
- Patching the OS on Amazon EC2 instances
- Enabling server-side encryption with Amazon S3-Managed Keys (SSE-S3) on S3 objects
- Patching the database engine on RDS instances
- Patching PHP in an AWS Elastic Beanstalk managed EC2 application
The InfoSec team has asked the SysOps Administrator to perform some hardening on the company Amazon RDS database instances.
Based on this requirement, what actions should be recommended for the start of the security review? (Choose two.)
- Use Amazon Inspector to present a detailed report of security vulnerabilities across the RDS database fleet
- Review the security group’s inbound access rules for least privilege
- Export AWS CloudTrail entries detailing all SSH activity on the RDS instances
- Use the cat command to enumerate the allowed SSH keys in ~/.ssh on each RDS instance
- Report on the Parameter Group settings and ensure that encrypted connections are enforced
A Big Data consulting company wants to separate its customers’ workloads for billing and security reasons. The company would like to maintain billing and security controls on these workloads.
According to best practices, how can the workloads be separated if no shared resources are needed?
- Require each customer to create their own account. Contact AWS Support to receive a consolidated bill.
- Create customer accounts within AWS Organizations specifying consolidated billing features.
- Create a separate VPC for each customer. Use security groups to isolate traffic.
- Dedicate an AWS Region to each customer. Ensure that each entry in Amazon Route 53 is unique.