Last Updated on October 3, 2021 by Admin 2
SOA-C01 : AWS-SysOps : Part 31
A company is deploying a legacy web application on Amazon EC2 instances behind an ELB Application Load Balancer. The application worked well in the test environment. However, in production, users report that they are prompted to log in to the system several times an hour.
Which troubleshooting step should be taken to help resolve the problem reported by users?
- Confirm that the Application Load Balancer is in a multi-AZ configuration.
- Enable health checks on the Application Load Balancer.
- Ensure that port 80 is configured on the security group.
- Enable sticky sessions on the Application Load Balancer.
A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API-calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA.
What additional step must be taken to ensure that API calls are authenticated using MFA?
- Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.
- Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.
- Restrict the IAM users to use of the console, as MFA is not supported for CLI use.
- Require users to use temporary credentials from the get-session token command to sign API calls.
An application is being developed that will be served across a fleet of Amazon EC2 instances, which require a consistent view of persistent data. Items stored vary in size from 1KB to 300MB; the items are read frequently, created occasionally, and often require partial changes without conflict. The data store is not expected to grow beyond 2TB, and items will be expired according to age and content type.
Which AWS service solution meets these requirements?
- Amazon S3 buckets with lifecycle policies to delete old objects.
- Amazon RDS PostgreSQL and a job that deletes rows based on age and file type columns.
- Amazon EFS and a scheduled process to delete files based on age and extension.
- An EC2 instance store synced on boot from a central Amazon EBS-backed instance.
A SysOps Administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the Administrator is unable to connect to any of the domains that reside on the internet.
What additional route destination rule should the Administrator add to the route tables?
- Route ::/0 traffic to a NAT gateway
- Route ::/0 traffic to an internet gateway
- Route 0.0.0.0/0 traffic to an egress-only internet gateway
- Route ::/0 traffic to an egress-only internet gateway
A recent organizational audit uncovered an existing Amazon RDS database that is not currently configured for high availability. Given the critical nature of this database, it must be configured for high availability as soon as possible.
How can this requirement be met?
- Switch to an active/passive database pair using the create-db-instance-read-replica with the – -availability-zone flag.
- Specify high availability when creating a new RDS instance, and live-migrate the data.
- Modify the RDS instance using the console to include the Multi-AZ option.
- Use the modify-db-instance command with the – -ha flag.
A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)
- Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
- Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
- Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
- Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
- Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
When the AWS Cloud infrastructure experiences an event that may impact an organization, which AWS service can be used to see which of the organization’s resources are affected?
- AWS Service Health Dashboard
- AWS Trusted Advisor
- AWS Personal Health Dashboard
- AWS Systems Manager
A company’s static website hosted on Amazon S3 was launched recently, and is being used by tens of thousands of users. Subsequently, website users are experiencing 503 service unavailable errors.
Why are these errors occurring?
- The request rate to Amazon S3 is too high.
- There is an error with the Amazon RDS database.
- The requests to Amazon S3 do not have the proper permissions.
- The users are in a different geographical region and Amazon Route 53 is restricting access.
An organization has two AWS accounts: Development and Production. A SysOps Administrator manages access of IAM users to both accounts. Some IAM users in Development should have access to certain resources in Production.
How can this be accomplished?
- Create an IAM role in the Production account with the Development account as a trusted entity and then allow those users from the Development account to assume the Production account IAM role.
- Create a group of IAM users in the Development account, and add Production account service ARNs as resources in the IAM policy.
- Establish a federation between the two accounts using the on-premises Microsoft Active Directory, and allow the Development account to access the Production account through this federation.
- Establish an Amazon Cognito Federated Identity between the two accounts, and allow the Development account to access the Production account through this federation.
A SysOps Administrator is responsible for managing a set of 12.micro Amazon EC2 instances. The Administrator wants to automatically reboot any instance that exceeds 80% CPU utilization.
Which of these solutions would meet the requirements?
- Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a terminate alarm action.
- Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a reboot alarm action.
- Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a reboot alarm action.
- Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a terminate alarm action.
A company’s customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps Administrator observed a very high rate of read operations on a particular S3 bucket.
What will minimize latency by reducing load on the S3 bucket?
- Migrate the S3 bucket to a region that is closer to end users’ geographic locations.
- Use cross-region replication to replicate all of the data to another region.
- Create an Amazon CloudFront distribution with the S3 bucket as the origin.
- Use Amazon ElastiCache to cache data being served from Amazon S3.
A company requires that all access from on-premises applications to AWS services go over its AWS Direct Connect connection rather than the public internet.
How would a SysOps Administrator implement this requirement?
- Implement an IAM policy that uses the aws:sourceConnection condition to allow access from the AWS Direct Connect connection ID only
- Set up a public virtual interface on the AWS Direct Connect connection
- Configure AWS Shield to protect the AWS Management Console from being accessed by IP addresses other than those within the data center ranges
- Update all the VPC network ACLs to allow access from the data center IP ranges
A SysOps Administrator must find a way to set up alerts when Amazon EC2 service limits are close to being reached.
How can the Administrator achieve this requirement?
- Use Amazon Inspector and Amazon CloudWatch Events.
- Use AWS Trusted Advisor and Amazon CloudWatch Events.
- Use the Personal Health Dashboard and CloudWatch Events.
- Use AWS CloudTrail and CloudWatch Events.
A web application accepts orders from online users and places the orders into an Amazon SQS queue. Amazon EC2 instances in an EC2 Auto Scaling group read the messages from the queue, process the orders, and email order confirmations to the users. The Auto Scaling group scales up and down based on the queue depth. At the beginning of each business day, users report confirmation emails are delayed.
What action will address this issue?
- Create a scheduled scaling action to scale up in anticipation of the traffic.
- Change the Auto Scaling group to scale up and down based on CPU utilization.
- Change the launch configuration to launch larger EC2 instance types.
- Modify the scaling policy to deploy more EC2 instances when scaling up.
A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours, but at times, the process stalls due to installation errors.
The SysOps Administrator must modify the CloudFormation template so if the process stalls, the entire stack will fail and roll back.
Based on these requirements, what should be added to the template?
- Conditions with a timeout set to 4 hours.
- CreationPolicy with a timeout set to 4 hours.
- DependsOn with a timeout set to 4 hours.
- Metadata with a timeout set to 4 hours.
A SysOps Administrator must take a team’s single existing AWS CloudFormation template and split it into smaller, service-specific templates. All of the services in the template reference a single, shared Amazon S3 bucket.
What should the Administrator do to ensure that this S3 bucket can be referenced by all the service templates?
- Include the S3 bucket as a mapping in each template.
- Add the S3 bucket as a resource in each template.
- Create the S3 bucket in its own template and export it.
- Generate the S3 bucket using StackSets.
After installing and configuring the Amazon CloudWatch agent on an EC2 instance, the anticipated system logs are not being received by CloudWatch Logs.
Which of the following are likely to be the cause of this problem? (Choose two.)
- A custom of third-party solution for logs is being used.
- The IAM role attached to the EC2 instance does not have the proper permissions.
- The CloudWatch agent does not support the operating system used.
- A billing constraint is limiting the number of CloudWatch Logs within this account.
- The EC2 instance is in a private subnet, and the VPC does not have a NAT gateway.
A SysOps Administrator found that a newly-deployed Amazon EC2 application server is unable to connect to an existing Amazon RDS database. After enabling VPC Flow Logs and confirming that the flow log is active on the console, the log group cannot be located in Amazon CloudWatch.
What are the MOST likely reasons for this situation? (Choose two.)
- The Administrator must configure the VPC Flow Logs to have them sent to AWS CloudTrail.
- The Administrator has waited less than ten minutes for the log group to be created in CloudWatch.
- The account VPC Flow Logs have been disabled by using a service control policy.
- No relevant traffic has been sent since the VPC Flow Logs were created
- The account has Amazon GuardDuty enabled.
An HTTP web application is launched on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run across multiple Availability Zones. A network ACL and a security group for the load balancer and EC2 instances allow inbound traffic on port 80. After launch, the website cannot be reached over the internet.
What additional step should be taken?
- Add a rule to the security group allowing outbound traffic on port 80.
- Add a rule to the network ACL allowing outbound traffic on port 80.
- Add a rule to the security group allowing outbound traffic on ports 1024 through 65535.
- Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535.
A company has an application that is running on an EC2 instance in one Availability Zone. A SysOps Administrator has been tasked with making the application highly available. The Administrator created a launch configuration from the running EC2 instance. The Administrator also properly configured a load balancer.
What step should the Administrator complete next to make the application highly available?
- Create an Auto Scaling group by using the launch configuration across at least 2 Availability Zones with a minimum size of 1, desired capacity of 1, and a maximum size of 1.
- Create an Auto Scaling group by using the launch configuration across at least 3 Availability Zones with a minimum size of 2, desired capacity of 2, and a maximum of 2.
- Create an Auto Scaling group by using the launch configuration across at least 2 regions with a minimum size of 1, desired capacity of 1, and a maximum size of 1.
- Create an Auto Scaling group by using the launch configuration across at least 3 regions with a minimum size of 2, desired capacity of 2, and a maximum size of 2.