Last Updated on October 3, 2021 by Admin 2
SOA-C01 : AWS-SysOps : Part 35
A SysOps Administrator is deploying a legacy web application on AWS. The application has four Amazon EC2 instances behind a Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application code is no longer available to update.
What cost-effective configuration change should the Administrator make to mitigate the risk of SQL injection attacks?
- Configure Amazon GuardDuty to monitor the application for SQL injection threats.
- Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks.
- Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF on the Application Load Balancer.
- Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe to AWS Shield Standard.
A fleet of servers must send local logs to Amazon CloudWatch.
How should the servers be configured to meet this requirement?
- Configure AWS Config to forward events to CloudWatch.
- Configure a Simple Network Management Protocol (SNMP) agent to forward events to CloudWatch.
- Install and configure the unified CloudWatch agent.
- Install and configure the Amazon Inspector agent.
According to the shared responsibility model, for which of the following Amazon EC2 activities is AWS responsible? (Choose two.)
- Patching the guest operating system
- Monitoring memory utilization
- Configuring network ACLs
- Patching the hypervisor
- Maintaining network infrastructure
A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account’s Amazon S3 bucket.
Moving forward, how can the SysOps Administrator confirm that the log files have not been modified after being delivered to the S3 bucket?
- Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
- Enable log file integrity validation and use digest files to verify the hash value of the log file.
- Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
- Enable S3 server access logging to track requests made to the log bucket for security audits.
CloudTrail log file integrity validation can be used to check whether a log file was modified, deleted, or unchanged after CloudTrail delivered it. When it is enabled, CloudTrail delivers an hourly digest file that lists the SHA-256 hash of every log file delivered in that hour and is signed with the CloudTrail private key (SHA256withRSA); each digest also records the hash and signature of the previous digest, so the whole chain can be checked with `aws cloudtrail validate-logs`.
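To make the digest mechanism concrete, the following is an added example (not AWS code and not part of the original question set) that performs the hash side of log file integrity validation offline. The field names follow the documented digest file layout; the account ID, bucket name, object keys, log record and both digest documents are constructed for this example. What it shows is that a delivered log file is vouched for by the SHA-256 of its uncompressed content, and that each digest vouches for the previous one. The real `aws cloudtrail validate-logs` additionally verifies the RSA signature stored in the digest object's `x-amz-meta-signature` metadata against the public key from `aws cloudtrail list-public-keys`; that step needs the key material and is not reproduced here.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data, not real CloudTrail output. Field names follow the
# documented digest file layout; account ID, bucket, keys and the event are made up.
BUCKET_NAME = "example-trail-bucket"
LOG_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2021/10/03/"
           "123456789012_CloudTrail_us-east-1_20211003T1405Z_AbCdEf.json.gz")
LOG_CONTENT = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"}]}).encode()

PREVIOUS_DIGEST_KEY = ("AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2021/10/03/"
                       "123456789012_CloudTrail-Digest_us-east-1_trail_us-east-1_20211003T130131Z.json.gz")
PREVIOUS_DIGEST_CONTENT = json.dumps({"awsAccountId": "123456789012",
                                      "digestEndTime": "2021-10-03T13:01:31Z",
                                      "logFiles": []}).encode()

# The digest for the next hour vouches for the log file above and for the previous
# digest; the previousDigest* fields are what chain the hourly digests together.
CURRENT_DIGEST = {
    "awsAccountId": "123456789012",
    "digestStartTime": "2021-10-03T13:01:31Z",
    "digestEndTime": "2021-10-03T14:01:31Z",
    "digestS3Bucket": BUCKET_NAME,
    "previousDigestS3Bucket": BUCKET_NAME,
    "previousDigestS3Object": PREVIOUS_DIGEST_KEY,
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_CONTENT),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [{
        "s3Bucket": BUCKET_NAME,
        "s3Object": LOG_KEY,
        "hashValue": sha256_hex(LOG_CONTENT),
        "hashAlgorithm": "SHA-256",
    }],
}

# Stand-in for the S3 log bucket: object key -> gzipped bytes, exactly as delivered.
BUCKET = {
    LOG_KEY: gzip.compress(LOG_CONTENT),
    PREVIOUS_DIGEST_KEY: gzip.compress(PREVIOUS_DIGEST_CONTENT),
}


def _check_object(bucket: dict, key: str, expected_hex: str, algorithm: str) -> str:
    """Classify one object the digest vouches for: valid, modified, deleted or corrupt."""
    if algorithm != "SHA-256":
        return "unsupported-hash-algorithm"
    blob = bucket.get(key)
    if blob is None:
        return "deleted"
    try:
        content = gzip.decompress(blob)
    except (OSError, EOFError):
        return "corrupt"
    # The hash covers the uncompressed content, so merely re-gzipping a file changes nothing.
    return "valid" if sha256_hex(content) == expected_hex else "modified"


def check_digest(digest: dict, bucket: dict) -> dict:
    """Return {object_key: verdict} for every log file in the digest and for the previous digest."""
    verdicts = {}
    for entry in digest["logFiles"]:
        verdicts[entry["s3Object"]] = _check_object(
            bucket, entry["s3Object"], entry["hashValue"], entry["hashAlgorithm"])
    verdicts[digest["previousDigestS3Object"]] = _check_object(
        bucket, digest["previousDigestS3Object"],
        digest["previousDigestHashValue"], digest["previousDigestHashAlgorithm"])
    return verdicts


def tampered_bucket() -> dict:
    """Constructed attacker action: rewrite the delivered log so the DeleteBucket event vanishes."""
    scrubbed = json.dumps({"Records": []}).encode()
    return {**BUCKET, LOG_KEY: gzip.compress(scrubbed)}


if __name__ == "__main__":
    print("as delivered:   ", check_digest(CURRENT_DIGEST, BUCKET))
    print("after tampering:", check_digest(CURRENT_DIGEST, tampered_bucket()))
```

Validation detects tampering after the fact; it does not prevent it. In practice the digest check is paired with a restrictive bucket policy and S3 Object Lock or MFA Delete on the log bucket, so that the answer to this question covers "confirm" and the bucket controls cover "prevent".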
After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon Machine Image (AMI), the SysOps Administrator is unable to connect to the instance using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of troubleshooting, the Administrator deploys a second instance from a different AMI using the same configuration and is able to connect to the instance.
What should be the next logical step in troubleshooting the first instance?
- Use AWS Trusted Advisor to gather operating system log files for analysis.
- Use VPC Flow Logs to gather operating system log files for analysis.
- Use EC2Rescue to gather operating system log files for analysis.
- Use Amazon Inspector to gather operating system log files for analysis.
A custom application must be installed on all Amazon EC2 instances. The application is small, updated frequently and can be installed automatically.
How can the application be deployed on new EC2 instances?
- Launch a script that downloads and installs the application using the Amazon EC2 user data.
- Create a custom API using Amazon API Gateway to call an installation executable from an AWS CloudFormation Template.
- Use AWS Systems Manager to inject the application into an AMI.
- Configure AWS CodePipeline to deploy code changes and updates.
A SysOps Administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%.
Which collection of configuration changes will increase the cache hit ratio for the distribution? (Choose two.)
- Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings
- Change the Viewer Protocol Policy to use HTTPS only
- Configure the distribution to use presigned cookies and URLs to restrict access to the distribution
- Enable automatic compression of objects in the Cache Behavior Settings
- Increase the CloudFront time to live (TTL) settings in the Cache Behavior Settings
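The two correct answers above both work by changing the cache key or how long an entry lives. The following added example (written for this page, not AWS code) replays constructed viewer traffic through a simplified edge cache to show the effect: under the legacy cache behavior settings, every query string, header and cookie that is forwarded to the origin becomes part of the cache key, so forwarding everything makes almost every request a miss, while whitelisting only the values the origin actually varies on (here a hypothetical `lang` query string) and raising the TTL turns most requests into hits. The distribution domain, paths, cookie and header values are all made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Behavior:
    """The cache behavior settings that shape the cache key in this model.
    None means 'forward all'; an empty frozenset means 'forward none'."""
    query_strings: Optional[frozenset]
    headers: Optional[frozenset]
    cookies: Optional[frozenset]
    ttl_seconds: int


def _select(values: dict, allowed: Optional[frozenset]) -> tuple:
    """Keep only the forwarded names; order-independent so the key is stable."""
    if allowed is None:
        kept = values.items()
    else:
        kept = ((k, v) for k, v in values.items() if k in allowed)
    return tuple(sorted(kept))


def cache_key(req: dict, b: Behavior) -> tuple:
    """Everything forwarded to the origin becomes part of the cache key."""
    return (req["host"], req["path"],
            _select(req["query"], b.query_strings),
            _select(req["headers"], b.headers),
            _select(req["cookies"], b.cookies))


def hit_ratio(requests: list, b: Behavior) -> float:
    """Replay requests through one edge cache and return hits / requests."""
    expires_at = {}          # cache key -> time the cached copy stops being fresh
    hits = 0
    for req in requests:
        key = cache_key(req, b)
        if req["t"] < expires_at.get(key, -1):
            hits += 1
        else:
            expires_at[key] = req["t"] + b.ttl_seconds   # miss: fetch from origin, cache it
    return hits / len(requests)


def sample_requests(n: int = 200) -> list:
    """Constructed viewer traffic: 5 images in 2 languages, one request every 10 s,
    but a unique session cookie, rotating User-Agent and campaign tag on each request."""
    return [{
        "host": "d111111abcdef8.cloudfront.net",
        "path": f"/img/{i % 5}.png",
        "query": {"lang": ("en", "fr")[i % 2], "utm_source": f"campaign{i % 37}"},
        "headers": {"User-Agent": f"Mozilla/5.0 (client {i % 23})", "Accept": "image/*"},
        "cookies": {"session": f"s{i:04d}", "theme": ("dark", "light")[i % 2]},
        "t": i * 10,
    } for i in range(n)]


# Forward everything: the session cookie alone makes every request unique.
FORWARD_ALL = Behavior(query_strings=None, headers=None, cookies=None, ttl_seconds=3600)
# Forward only what the origin varies on, with a one-hour TTL.
WHITELIST = Behavior(query_strings=frozenset({"lang"}), headers=frozenset(),
                     cookies=frozenset(), ttl_seconds=3600)
# Same whitelist, but a TTL too short for this traffic pattern.
WHITELIST_SHORT_TTL = Behavior(query_strings=frozenset({"lang"}), headers=frozenset(),
                               cookies=frozenset(), ttl_seconds=300)

if __name__ == "__main__":
    reqs = sample_requests()
    for name, b in [("forward all", FORWARD_ALL), ("whitelist, TTL 3600", WHITELIST),
                    ("whitelist, TTL 300", WHITELIST_SHORT_TTL)]:
        print(f"{name:22s} hit ratio {hit_ratio(reqs, b):.0%}")
```

With this traffic the forward-all behavior never hits, the whitelist with a one-hour TTL hits on 95% of requests, and the same whitelist with a 300-second TTL drops to 65% because each object is requested every 100 seconds and expires every third time. Compression and HTTPS-only settings do not touch the key or the TTL, which is why they do not help the ratio.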
On a weekly basis, the Administrator for a photo sharing website receives an archive of all files users have uploaded the previous week. These file archives can be as large as 10 TB in size. For legal reasons, these archives must be saved with no possibility of someone deleting or modifying them. Occasionally, there may be a need to view the contents, but it is expected that retrieving them can take three or more hours.
What should the Administrator do with the weekly archive?
- Upload the file to Amazon S3 through the AWS Management Console and apply a lifecycle policy to change the storage class to Amazon Glacier.
- Upload the archive to the Amazon Glacier with the AWS CLI and enable Vault Lock.
- Create a Linux EC2 instance with an encrypted Amazon EBS volume and copy each weekly archive file for this instance.
A SysOps Administrator is managing a Memcached cluster in Amazon ElastiCache. The cluster has been heavily used recently, and the Administrator wants to use a larger instance type with more memory. What should the Administrator use to make this change?
- Use the ModifyCacheCluster API and specify a new CacheNodeType
- Use the CreateCacheCluster API and specify a new CacheNodeType
- Use the ModifyCacheParameterGroup API and specify a new CacheNodeType
- Use the RebootCacheCluster API and specify a new CacheNodeType
A company with dozens of AWS accounts wants to ensure that governance rules are being applied across all accounts. The CIO has recommended that AWS Config rules be deployed using an AWS CloudFormation template. How should these requirements be met?
- Create a CloudFormation stack set, then select the CloudFormation template and use it to configure the AWS accounts
- Write a script that iterates over the company’s AWS accounts and executes the CloudFormation template in each account
- Use AWS Organizations to execute the CloudFormation template in all accounts
- Create a CloudFormation stack in the master account of AWS Organizations and execute the CloudFormation template to create AWS Config rules in all accounts
A company’s Information Security team has requested information on AWS environment compliance for Payment Card Industry (PCI) workloads. They have requested assistance in understanding what specific areas of the PCI standards are the responsibility of the company.
Which AWS tool will provide the necessary information?
- AWS Macie
- AWS Artifact
- AWS OpsWorks
- AWS Organizations
A company has deployed a fleet of Amazon EC2 web servers for the upcoming release of a new product. The SysOps Administrator needs to test the Amazon CloudWatch notification settings for this deployment to ensure that a notification is sent using Amazon SNS if the CPU utilization of an EC2 instance exceeds 70%.
How should the Administrator accomplish this?
- Use the set-alarm-state command in AWS CloudTrail to invoke the Amazon SNS notification
- Use CloudWatch custom metrics to set the alarm state in AWS CloudTrail and enable Amazon SNS notifications
- Use EC2 instance metadata to manually set the CPU utilization to 75% and invoke the alarm state
- Use the set-alarm-state command in the AWS CLI for CloudWatch
A SysOps Administrator has written an AWS Lambda function to launch new Amazon EC2 instances and deployed it in the us-east-1 region. The Administrator tested it by launching a new t2.nano instance in the us-east-1 region and it performed as expected. However, when the region name was updated in the Lambda function to launch an EC2 instance in the us-west-1 region, it failed.
What is causing this error?
- The AMI ID must be updated for the us-west-1 region in the Lambda function as well
- The Lambda function can only launch EC2 instances in the same region where it is deployed
- The Lambda function does not have the necessary IAM permission to launch more than one EC2 instance
- The instance type defined in the Lambda function is not available in the us-west-1 region
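AMI IDs are region-specific, so an ID copied from us-east-1 does not exist in us-west-1 and `RunInstances` fails with `InvalidAMIID.NotFound`. The following added example (not the question's Lambda function, and not AWS sample code) shows the usual fix: resolve the image in the target region at run time through the public SSM parameter AWS publishes for the latest Amazon Linux 2 AMI, instead of hardcoding an ID. The `FakeSSM` and `FakeEC2` classes and the AMI and instance IDs they return are constructed so the example runs offline; with real `boto3` clients the same `launch` function works unchanged.

```python
import re

AMI_ID = re.compile(r"^ami-[0-9a-f]{8,17}$")
# Public parameter AWS publishes in every region for the latest Amazon Linux 2 AMI.
AL2_PARAMETER = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"


def resolve_ami(region: str, ssm_client=None, parameter: str = AL2_PARAMETER) -> str:
    """Look the AMI up in the target region instead of carrying an ID from another region."""
    if ssm_client is None:
        import boto3  # live path only; the offline demo below passes a fake client
        ssm_client = boto3.client("ssm", region_name=region)
    value = ssm_client.get_parameter(Name=parameter)["Parameter"]["Value"]
    if not AMI_ID.match(value):
        raise ValueError(f"{parameter} in {region} did not resolve to an AMI ID: {value!r}")
    return value


def launch(region: str, ec2_client, ssm_client, instance_type: str = "t2.nano") -> str:
    """Corrected Lambda body: resolve the image for `region` first, then launch there."""
    resp = ec2_client.run_instances(ImageId=resolve_ami(region, ssm_client),
                                    InstanceType=instance_type, MinCount=1, MaxCount=1)
    return resp["Instances"][0]["InstanceId"]


def hardcoded_launch(ec2_client, image_id: str) -> str:
    """The original bug: launching with an AMI ID that is only valid in one region."""
    resp = ec2_client.run_instances(ImageId=image_id, InstanceType="t2.nano",
                                    MinCount=1, MaxCount=1)
    return resp["Instances"][0]["InstanceId"]


# ---- Constructed offline stand-ins for two regions (all IDs are made up) ----
FAKE_AMIS = {"us-east-1": "ami-0123456789abcdef0", "us-west-1": "ami-0fedcba9876543210"}


class FakeSSM:
    """Returns the region's own AMI for the public parameter, like the real SSM endpoint."""
    def __init__(self, region: str):
        self.region = region

    def get_parameter(self, Name: str) -> dict:
        if Name != AL2_PARAMETER:
            raise KeyError(Name)  # stands in for ParameterNotFound
        return {"Parameter": {"Name": Name, "Value": FAKE_AMIS[self.region]}}


class FakeEC2:
    """Only knows the AMIs registered in its own region, which is what causes the failure."""
    def __init__(self, region: str):
        self.region = region
        self.launched = []

    def run_instances(self, ImageId: str, InstanceType: str, MinCount: int, MaxCount: int) -> dict:
        if ImageId != FAKE_AMIS[self.region]:
            raise RuntimeError(f"InvalidAMIID.NotFound: The image id '[{ImageId}]' does not exist")
        instance_id = f"i-{len(self.launched):017x}"
        self.launched.append((ImageId, InstanceType))
        return {"Instances": [{"InstanceId": instance_id, "ImageId": ImageId}]}


if __name__ == "__main__":
    for region in ("us-east-1", "us-west-1"):
        print(region, "launched", launch(region, FakeEC2(region), FakeSSM(region)))
    try:
        hardcoded_launch(FakeEC2("us-west-1"), FAKE_AMIS["us-east-1"])
    except RuntimeError as err:
        print("hardcoded us-east-1 AMI in us-west-1:", err)
```

The Lambda execution role also needs `ssm:GetParameter` on the public parameter path in addition to `ec2:RunInstances`; the `AmazonSSMReadOnlyAccess` managed policy is broader than necessary, so scope the statement to `arn:aws:ssm:*:*:parameter/aws/service/ami-amazon-linux-latest/*`.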
A SysOps Administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company’s account. The Administrator must be alerted to potential issues.
What should the Administrator do to receive email alerts before low storage space affects EC2 instance performance?
- Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications
- Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic
- Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic
- Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space
A SysOps Administrator wants to prevent Developers from accidentally terminating Amazon EC2 instances.
How can this be accomplished?
- Use AWS Systems Manager to restrict EC2 termination
- Use AWS Config to restrict EC2 termination
- Apply Amazon CloudWatch Events to prevent EC2 termination
- Enable termination protection on EC2 instances
A company has attached the following policy to an IAM user.
Which of the following actions are allowed for the IAM user?
- Amazon RDS DescribeDBInstances action in the us-east-1 Region
- Amazon S3 PutObject operation in a bucket named testbucket
- Amazon EC2 DescribeInstances action in the us-east-1 Region
- Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region
A SysOps Administrator launched an Amazon EC2 instance and received a message that the service limit was exceeded for that instance type. What action should the Administrator take to ensure that EC2 instances can be launched?
- Use Amazon Inspector to trigger an alert when the limits are exceeded
- Use the AWS CLI to bypass the limits placed on the account
- Sign in to the AWS Management Console and adjust the limit values to launch new resources
- Open a case with AWS Support requesting an increase of the EC2 instance limit
A web application runs on Amazon EC2 instances behind an Elastic Load Balancing Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps Administrator has noticed that some EC2 instances show up as healthy in the Auto Scaling console but show up as unhealthy in the ALB target console.
What could be the issue?
- The health check grace period for the Auto Scaling group is set too low; increase it
- The target group health check is incorrectly configured and needs to be adjusted
- The user data or AMI used for the Auto Scaling group launch configuration is incorrect
- The Auto Scaling group health check type is based on EC2 instance health instead of Elastic Load Balancing health checks
A company is running critical applications on Amazon EC2 instances. The company needs to ensure its resources are automatically recovered if they become impaired due to an underlying hardware failure.
Which service can be used to monitor and recover the EC2 instances?
- Amazon EC2 Systems Manager
- Amazon Inspector
- AWS CloudFormation
- Amazon CloudWatch
A gaming application is deployed on four Amazon EC2 instances in a default VPC. The SysOps Administrator has noticed consistently high latency in responses as data is transferred among the four instances. There is no way for the Administrator to alter the application code.
The MOST effective way to reduce latency is to relaunch the EC2 instances in:
- a dedicated VPC.
- a single subnet inside the VPC.
- a placement group.
- a single Availability Zone.