Amazon SOA-C02 AWS Certified SysOps Administrator - Associate Exam Practice Test

Page: 1 / 14
Total 557 questions

Want more questions? Get Premium Access.
()

Question 1

[Monitoring, Reporting, and Automation]

A company is using an Amazon EC2 instance to inspect inbound traffic. The EC2 instance runs Amazon Linux and has the Amazon CloudWatch agent installed and configured.

The company needs to ingest metrics and logs from the EC2 instance into CloudWatch. The company also needs to receive notification when a specific number of errors occur for rejected web management requests. Which combination of steps will meet these requirements with the MOST operational efficiency? (Select TWO.)

ACreate an Amazon S3 bucket to store the logs. Configure an S3 event notification that occurs when new logs are added to the S3 bucket.

BCreate an Amazon Simple Queue Service (Amazon SQS) queue. Add the queue as the destination of the Amazon S3 event notification.

CCreate a CloudWatch Logs log group and log stream. Set up IAM permissions for the EC2 instance to write to the log group and log stream.

DCreate an AWS Lambda function to process the logs from CloudWatch. Configure the Amazon S3 event notification to invoke the Lambda function. Configure the Lambda function to publish to an Amazon Simple Notification Service (Amazon SNS) topic.

ECreate a metric filter for the log group. Configure a filter pattern for the errors. Create a CloudWatch alarm that is based on the metric filter. Configure the alarm to publish to an Amazon Simple Notification Service (Amazon SNS) topic when the alarm is in ALARM state.

Answer : C, E

C: Ensures logs are ingested into CloudWatch from EC2 via the CloudWatch agent.

E: Allows creation of metric filters and alarms based on log patterns (e.g., 'rejected web requests').

From CloudWatch Logs & Alarms documentation:

You can extract metric data from log events using metric filters and then create CloudWatch alarms based on these filters.

This is the most efficient and least operational overhead solution.

Question 2

[Monitoring, Reporting, and Automation]

A company needs to ensure strict adherence to a budget for 25 applications deployed on AWS Separate teams are responsible for storage compute, and database costs. A SysOps administrator must implement an automated solution to alert each team when their projected spend will exceed a quarterly amount mat has been set by the finance department. The solution cannot additional compute, storage, or database costs.

AConfigure AWS Cost and Usage Reports to send a daily report to an Amazon S3 bucket. Create an AWS Lambda function that will evaluate Spend by service and nobly each team by using Amazon Simple Notification Service (Amazon SNS) notifications. Invoke the Lambda function when a report is placed in the S3 bucket

BConfigure AWS Cost and Usage Reports to send a dairy report to an Amazon S3 bucket. Create a rule In Amazon EventBridge (Amazon CloudWatch Events) to evaluate the spend by service and notify each team by using Amazon Simple Queue Service (Amazon SOS) when the cost threshold i6 exceeded.

CUse AWS Budgets :o create one cost budget and select each of the services in use Specify the budget amount defined by the finance department along with the forecasted cost threshold Enter the appropriate email recipients for the budget.

DUse AWS Budgets to create a cost budget for each team, filtering by the services they own. Specify the budget amount defined by the finance department along with a forecasted cost threshold Enter the appropriate email recipients for each budget.

Answer : D

AWS Budgets allows you to set custom cost and usage budgets that alert you when you exceed your thresholds. This feature helps teams to monitor their spending and ensure it aligns with the set budget.

Steps:

Open AWS Budgets:

Open the AWS Budgets dashboard.

Create a New Budget:

Click on 'Create a budget'.

Select 'Cost budget' and click 'Next'.

Set Budget Details:

Enter a unique name for the budget.

Define the period (e.g., quarterly) and start date.

Set the budgeted amount as specified by the finance department.

Define Filters:

Use the filters to select the specific services each team is responsible for (e.g., storage, compute, database).

Set Alerts:

Specify the threshold for forecasted cost that will trigger an alert (e.g., 80% of the budget).

Enter the email addresses of the recipients (the respective teams).

Review and Create:

Review the configuration and click 'Create budget'.

By setting up individual budgets for each team and filtering by services, you can ensure that each team is alerted when their projected spend approaches the threshold. This method does not incur additional compute, storage, or database costs.

AWS Budgets

Creating an AWS Budget

Question 3

[Networking and Content Delivery]

While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS The customer gateway device resides in a data center with a NAT gateway in front of it

What address should be used to create the customer gateway resource?

AThe private IP address of the customer gateway device

BThe MAC address of the NAT device in front of the customer gateway device

CThe public IP address of the customer gateway device

DThe public IP address of the NAT device in front of the customer gateway device

Answer : D

When setting up an AWS managed VPN connection and creating a customer gateway resource, if the customer gateway device resides behind a NAT device, you should use the public IP address of the NAT device. This is because the VPN connection from AWS will be established to the public IP address that AWS can reach.

Identify the Public IP Address of the NAT Device:

Determine the public IP address assigned to the NAT device in front of the customer gateway.

Create Customer Gateway Resource:

Navigate to the VPC console in the AWS Management Console.

In the navigation pane, choose 'Customer Gateways' and then click 'Create Customer Gateway'.

Enter a name for the customer gateway.

For the 'IP Address', enter the public IP address of the NAT device.

Configure VPN Connection:

Create a VPN connection by navigating to the 'VPN Connections' section and clicking 'Create VPN Connection'.

Select the created customer gateway and complete the VPN setup wizard.

Update Routing and Configuration:

Ensure that the routing configurations on both the AWS side and the on-premises side are updated to route traffic through the VPN connection.

Configure the customer gateway device (behind the NAT) to accept traffic from the NAT device and route it appropriately.

AWS Managed VPN Connections

Customer Gateway Resource

Question 4

[Monitoring, Reporting, and Automation]

A company has implemented a data ingestion pipeline to process files in the form of messages. A frontend application accepts user input and stores the input in Amazon S3. A backend application uses Amazon EC2 instances to process the object that was uploaded to Amazon S3. The company recently experienced a significant increase in customer traffic. The frontend application is now sending more messages at one time than the backend application can handle, resulting in some lost messages.

Which action will resolve this problem with the LEAST operational effort?

ARedevelop the backend application as a series of AWS Lambda functions.

BImplement an Amazon Kinesis data stream to replace the backend application.

CImplement an Application Load Balancer to distribute message traffic across the backend application instances.

DImplement an Amazon Simple Queue Service (Amazon SQS) queue between the frontend and backend components.

Answer : D

This is a classic decoupling scenario --- SQS is used to buffer requests between frontend (producer) and backend (consumer) to handle sudden traffic spikes.

From SQS documentation:

SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.

This approach ensures messages are not lost and the backend can process at its own pace.

Question 5

[Monitoring, Reporting, and Automation]

An application runs on multiple Amazon EC2 instances in an Auto Scaling group The Auto Scaling group is configured to use the latest version of a launch template A SysOps administrator must devise a solution that centrally manages the application logs and retains the logs for no more than 90 days

Which solution will meet these requirements?

ALaunch an Amazon Machine Image (AMI) that is preconfigured with the Amazon CloudWatch Logs agent to send logs to an Amazon S3 bucket Apply a 90-day S3 Lifecycle policy on the S3 bucket to expire the application logs

BLaunch an Amazon Machine Image (AMI) that is preconfigured with the Amazon CloudWatch Logs agent to send logs to a log group Create an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to perform an instance refresh every 90 days

CUpdate the launch template user data to install and configure the Amazon CloudWatch Logs agent to send logs to a log group Configure the retention period on the log group to be 90 days

DUpdate the launch template user data to install and configure the Amazon CloudWatch Logs agent to send logs to a log group Set the log rotation configuration of the EC2 instances to 90 days

Answer : C

To centrally manage application logs and retain them for no more than 90 days, you can use the Amazon CloudWatch Logs agent to send logs to a CloudWatch log group and configure the log group's retention period.

Update the Launch Template User Data:

Navigate to the EC2 console.

Select the launch template used by the Auto Scaling group.

Edit the launch template to include the following user data script:

#!/bin/bash

yum update -y

yum install -y awslogs

cat <<EOF > /etc/awslogs/awslogs.conf

[general]

state_file = /var/lib/awslogs/agent-state

[/var/log/messages]

file = /var/log/messages

log_group_name = /my-log-group

log_stream_name = {instance_id}/messages

datetime_format = %b %d %H:%M:%S

[/var/log/secure]

file = /var/log/secure

log_group_name = /my-log-group

log_stream_name = {instance_id}/secure

datetime_format = %b %d %H:%M:%S

EOF

systemctl start awslogsd

systemctl enable awslogsd

Replace /my-log-group with the name of your CloudWatch log group.

Configure the Log Group Retention Period:

Navigate to the CloudWatch console.

In the navigation pane, choose 'Logs'.

Select the log group created by the CloudWatch Logs agent.

Click on 'Actions' and then 'Edit retention settings'.

Set the retention period to 90 days.

Verify the Configuration:

Ensure that logs from the EC2 instances are being sent to the CloudWatch log group.

Verify that the log group's retention period is correctly set to 90 days.

Amazon CloudWatch Logs Agent

Setting Log Retention in CloudWatch

Question 6

[Cost and Performance Optimization]

A team of developers is using several Amazon S3 buckets as centralized repositories. Users across the world upload large sets of files to these repositories. The development team's applications later process these files.

A SysOps administrator sets up a new S3 bucket. DOC-EXAMPLE-BUCKET, to support a new workload. The new S3 bucket also receives regular uploads of large sets of files from users worldwide. When the new S3 bucket is put into production, the upload performance from certain geographic areas is lower than the upload performance that the existing S3 buckets provide.

What should the SysOps administrator do to remediate this issue?

AProvision an Amazon ElasliCache for Redis cluster for the new S3 bucket. Provide the developers with the configuration endpoint of the cluster for use in their API calls.

BAdd the new S3 bucket to a new Amazon CloudFront distribution. Provide the developers with the domain name of the new distribution for use in their API calls.

CEnable S3 Transfer Acceleration for the new S3 bucket. Verify that the developers are using the DOC-EXAMPLE-BUCKET.s3-accelerate.amazonaws.com endpoint name in their API calls.

DUse S3 multipart upload for the new S3 bucket. Verify that the developers are using Region-specific S3 endpoint names such as D0C-EXAMPLE-BUCKET.s3.
[RegionJ.amazonaws.com in their API calls.

Answer : C

For improving upload performance globally for an Amazon S3 bucket, enabling S3 Transfer Acceleration is the best solution. This service optimizes file transfers to S3 using Amazon CloudFront's globally distributed edge locations. After enabling this feature, uploads to the S3 bucket are first routed to an AWS edge location and then transferred to S3 over an optimized network path. Option C is correct, and the developers should use the provided accelerate endpoint in their API calls. For more details, consult the AWS documentation on S3 Transfer Acceleration Amazon S3 Transfer Acceleration.

Question 7

[Security and Compliance]

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.

Which solution will meet this requirement?

ACreate a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance.

BUse VPC flow logs with Amazon Athena to block traffic to the external IP address.

CCreate a network ACL. Add an outbound deny rule for traffic to the external IP address.

DCreate a new security group to block traffic to the external IP address. Assign the new security group to the entire VPC.

Answer : C

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

To block traffic to the external IP address identified by Amazon GuardDuty, the SysOps administrator should create a network ACL and add an outbound deny rule for traffic to the external IP address.

Network ACL:

Network ACLs (Access Control Lists) are stateless and operate at the subnet level. They can allow or deny specific inbound and outbound traffic based on rules.

Steps to Implement:

Go to the VPC console and select the network ACL associated with the subnet containing the EC2 instance.

Add an outbound rule to deny traffic to the external IP address provided by GuardDuty.

Ensure the rule is properly placed in the rule number order to be evaluated correctly.

Network ACLs

GuardDuty Documentation