Amazon SOA-C02 Exam Practice Test Instant Access

Question 1

[Security and Compliance]

A compliance learn requites all administrator passwords for Amazon RDS DB instances to be changed at least annually.

Which solution meets this requirement in the MOST operationally efficient manner?

AStore the database credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days.

BStore the database credentials as a parameter In the RDS parameter group. Create a database trigger to rotate the password every 365 days.

CStore the database credentials in a private Amazon S3 bucket. Schedule an AWS Lambda function to generate a new set of credentials every 365 days.

DStore the database credentials in AWS Systems Manager Parameter Store as a secure string parameter. Configure automatic rotation for the parameter every 365 days.

Answer : A

The most operationally efficient solution to ensure that administrator passwords for Amazon RDS DB instances are changed at least annually is to use AWS Secrets Manager with automatic rotation.

AWS Secrets Manager:

AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront cost and complexity of managing your own hardware security infrastructure.

Secrets Manager enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Configure Automatic Rotation:

Store the database credentials in AWS Secrets Manager.

Configure the secret to rotate automatically every 365 days.

AWS Secrets Manager provides built-in integration for rotating credentials for supported databases, including Amazon RDS.

Steps to Configure:

Open the Secrets Manager console.

Create a new secret and provide the necessary database credentials.

Enable automatic rotation and set the rotation interval to 365 days.

Secrets Manager will handle the rotation process, updating the credentials in the database and ensuring they are securely stored.

AWS Secrets Manager

Rotating Your AWS Secrets Manager Secrets

Question 2

[Security and Compliance]

To configure central configuration for Security Hub in an AWS Organization, the SysOps administrator must ensure it's set up centrally.

Options:

AEnable Security Hub in the organization's management account. Configure Security Hub central configuration.

BEnable Security Hub in the organization's management account. Configure and integrate AWS Trusted Advisor. Configure Security Hub from an opt-in Region.

CDelegate an AWS account that is not the organization's management account as the Security Hub administrator. Configure Security Hub central configuration.

DDelegate an AWS account that is not the organization's management account as the Security Hub administrator. Configure and integrate AWS Trusted Advisor. Configure Security Hub from an opt-in Region.

Answer : C

To centrally manage Security Hub across an organization, AWS allows you to delegate a member account as the Security Hub administrator. This enables centralized configuration and security insights without directly using the management account, which is a best practice.

Delegating a Non-Management Account: AWS recommends using a designated Security Hub administrator account (different from the management account) for central security configurations.

Security Hub Central Configuration: Configuring Security Hub in this manner ensures that security findings from all member accounts are consolidated and manageable from the designated administrator account.

Question 3

[Security and Compliance]

The SysOps administrator needs to complete the KMS key policy for least privilege read access for the DataEngineer role to decrypt S3 objects encrypted with a KMS key.

Options:

A'kms:ReEncrypt', 'kms:GenerateDataKey*', 'kms:Encrypt', 'kms:DescribeKey'

B'kms:ListAliases', 'kms:GetKeyPolicy', 'kms:Describe*', 'kms:Decrypt'

C'kms:ListAliases', 'kms:DescribeKey', 'kms:Decrypt'

D'kms:Update*', 'kms:TagResource', 'kms:Revoke*', 'kms:Put*', 'kms:List*', 'kms:Get*', 'kms:Enable*', 'kms:Disable*', 'kms:Describe*', 'kms:Delete*', 'kms:Create*', 'kms:CancelKeyDeletion'

Answer : C

To enable decryption of objects, the role only requires minimal permissions with least privilege:

kms

Necessary for reading and decrypting the data encrypted with KMS.

kms

Allows the role to check key properties, confirming it's the correct key for decryption.

kms

Useful if multiple keys are in use and validation against an alias is needed.

These permissions are sufficient for decryption without granting additional permissions like encryption or key management.

Question 4

[Cost and Performance Optimization]

A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts.

Which solution will meet these requirements?

APurchase RIs in individual member accounts. Disable Rl discount sharing in the management account.

BPurchase RIs in individual member accounts. Disable Rl discount sharing in the member accounts.

CPurchase RIs in the management account. Disable Rl discount sharing in the management account.

DPurchase RIs in the management account. Disable Rl discount sharing in the member accounts.

Answer : A

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ri-consolidated-billing/

RI discounts apply to accounts in an organization's consolidated billing family depending upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account. The capacity reservation for an RI applies only to the account the RI was purchased on, no matter whether RI sharing is turned on or off.

Question 5

[Deployment, Provisioning, and Automation]

A SysOps administrator manages the security of accounts in an organization in AWS Organizations. The administrator must implement a solution that applies a base configuration to all accounts when they join the organization.

Which solution will meet this requirement with the LEAST operational overhead?

ACreate the configuration in an AWS CloudFormation template. Deploy the template to all accounts in the organization by using StackSets automatic deployments.

BTurn on AWS Config in the organization's management account. Use multi-account, multi-Region data aggregation. Review results on the Aggregated Resources page.

CCreate an AWS Lambda function in the organization's management account to configure resources. Configure the Lambda function with cross-account access. Run the function when a new account is detected.

DCreate the configuration in an AWS CloudFormation template. Deploy the template to all accounts in the organization by using an AWS Lambda function that runs when a new account is detected.

Answer : A

AWS CloudFormation StackSets allows you to deploy a single CloudFormation template across multiple AWS accounts and Regions. By using automatic deployments with StackSets:

New Accounts: When a new account is added to the organization or a specific organizational unit (OU), the StackSet automatically deploys the specified resources.

Consistency: Ensures that all accounts have a consistent base configuration.

Operational Efficiency: Reduces manual intervention, as deployments are handled automatically.

This method provides a scalable and efficient way to enforce baseline configurations across an organization.

Working with AWS CloudFormation StackSets: AWS CloudFormation StackSets Documentation

Question 6

[Deployment, Provisioning, and Automation]

A company has a memory-intensive application that runs on a fleet of Amazon EC2 instances behind an Elastic Load Balancer (ELB). The instances run in an Auto Scaling group. A Sysops administrator must ensure that the application can scale based on the number of users that connect to the application.

Which solution will meet these requirements?

ACreate a scaling policy that will scale the application based on the ActiveConnectionCount Amazon CloudWatch metric that is generated from the ELB.

BCreate a scaling policy that will scale the application based on the mem used Amazon CloudWatch metric that is generated from the ELB.

CCreate a scheduled scaling policy to increase the number of EC2 instances in the Auto Scaling group to support additional connections.

DCreate and deploy a script on the ELB to expose the number of connected users as a custom Amazon CloudWatch metric. Create a scaling policy that uses the metric.

Answer : A

To ensure that the application can scale based on the number of users that connect to the application, the SysOps administrator should create a scaling policy that scales the application based on the ActiveConnectionCount Amazon CloudWatch metric generated from the ELB.

ActiveConnectionCount Metric:

The ActiveConnectionCount metric indicates the number of active connections to the ELB. By monitoring this metric, the application can scale in response to the number of users actively connected.

Steps to Implement:

Go to the Amazon EC2 Auto Scaling console.

Select the Auto Scaling group that manages the EC2 instances for the application.

Create a new scaling policy.

Set the policy to scale based on the ActiveConnectionCount metric from the ELB.

Elastic Load Balancing Metrics and Dimensions

Auto Scaling Policies

Question 7

[Security and Compliance]

A company recently deployed an application in production. The production environment currently runs on a single Amazon EC2 instance that hosts the application's web application and a MariaDB database. Company policy states that all IT production environments must be highly available.

What should a SysOps administrator do to meet this requirement?

AMigrale the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Run the application on EC2 instances that are in an Auto Scaling group that extends across multiple Availability Zones. Place the EC2 instances behind a load balancer.

BMigrate the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Use AWS Application Migration Service to convert the application into an AWS Lambda function. Specify the Multi-AZ option for the Lambda function.

CCopy the database to a different EC2 instance in a different Availability Zone. Use AWS Backup to create Amazon Machine Images (AMIs) of the application EC2 instance and the database EC2 instance. Create an AWS Lambda function that performs health checks every minute. In case of failure, configure the Lambda function to launch a new EC2 instance from the AMIs that AWS Backup created.

DMigrate the database to a different EC2 instance. Place the application EC2 instance in an Auto Scaling group that extends across multiple Availability Zones. Create an Amazon Machine Image (AMI) from the database EC2 instance. Use the AMI to launch a second database EC2 instance in a different Availability Zone. Put the second database EC2 instance in the stopped state. Use the second database EC2 instance as a standby.

Answer : A

To make the production environment highly available in accordance with company policy:

Database Migration: Move the MariaDB database from a single EC2 instance to Amazon RDS for MariaDB configured for Multi-AZ. This setup ensures high availability of the database with synchronous replication to a standby instance in a different Availability Zone.

Application Scalability: Deploy the application on EC2 instances within an Auto Scaling group. Configure the Auto Scaling group to operate across multiple Availability Zones to ensure that the application remains available even if one zone becomes unavailable.

Load Balancing: Place the EC2 instances behind an Elastic Load Balancer (ELB). The load balancer will distribute incoming application traffic across the multiple, geographically dispersed EC2 instances, further enhancing the availability and fault tolerance of the application.

This solution leverages AWS managed services to increase the reliability and availability of both the application and database layers, adhering to best practices for deploying critical production environments on AWS.

Amazon AWS Certified SysOps Administrator - Associate SOA-C02 Exam Practice Test