SOA-C02 Practice Test Questions

486 Questions


Topic 1: Mix Questions

A company has created an AWS CloudFormation template that consists of the AWS::EC2::Instance resource and a custom CloudFormation resource. The custom CloudFormation resource is an AWS Lambda function that attempts to run automation on the Amazon EC2 instance. During testing, the Lambda function fails because the Lambda function tries to run before the EC2 instance is launched. Which solution will resolve this issue?


A. Add a DependsOn attribute to the custom resource. Specify the EC2 instance in the DependsOn attribute.


B. Update the custom resource's service token to point to a valid Lambda function


C. Update the Lambda function to use the cfn-response module to send a response to the custom resource.


D. Use the Fn::If intrinsic function to check for the EC2 instance before the custom resource runs.





A.
  Add a DependsOn attribute to the custom resource. Specify the EC2 instance in the DependsOn attribute.

Explanation:
DependsOn Attribute in CloudFormation:
The DependsOn attribute in AWS CloudFormation ensures that one resource is created only after another resource has been successfully created. In this case, it ensures that the EC2 instance is fully launched before the custom resource (the Lambda function) is executed.
Template snippet:
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      # EC2 properties
  MyCustomResource:
    Type: Custom::MyCustomResource
    DependsOn: MyEC2Instance   # created only after MyEC2Instance reaches CREATE_COMPLETE
    Properties:
      ServiceToken: !GetAtt MyLambdaFunction.Arn
      # Other properties

A company has many accounts in an organization in AWS Organizations The company must automate resource provisioning from the organization's management account to the member accounts. Which solution will meet this requirement?


A. Create an AWS CloudFormation change set. Deploy the change set to all member accounts.


B. Create an AWS CloudFormation nested stack. Deploy the nested stack to all member accounts.


C. Create an AWS CloudFormation stack set. Deploy the stack set to all member accounts.


D. Create an AWS Serverless Application Model (AWS SAM) template. Deploy the template to all member accounts.





C.
  Create an AWS CloudFormation stack set. Deploy the stack set to all member accounts.

A company wants to track its AWS costs in all member accounts that are part of an organization in AWS Organizations. Managers of the member accounts want to receive a notification when the estimated costs exceed a predetermined amount each month. The managers are unable to configure a billing alarm. The IAM permissions for all users are correct. What could be the cause of this issue?


A. The management/payer account does not have billing alerts turned on.


B. The company has not configured AWS Resource Access Manager (AWS RAM) to share billing information between the member accounts and the management/payer account.


C. Amazon GuardDuty is turned on for all the accounts.


D. The company has not configured an AWS Config rule to monitor billing.





A.
  The management/payer account does not have billing alerts turned on.

Explanation:
For member accounts in AWS Organizations to receive notifications about estimated costs exceeding a predetermined amount, billing alerts must be enabled in the management/payer account.

  • Enable billing alerts in the management account.
  • Create a budget and set up notifications.
By enabling billing alerts in the management account, you allow member accounts to receive notifications about their estimated costs.

A company deploys a new application on three Amazon EC2 instances across three Availability Zones. The company uses a Network Load Balancer (NLB) to route traffic to the EC2 instances. A SysOps administrator must implement a solution so that the EC2 instances allow traffic from only the NLB. What should the SysOps administrator do to meet these requirements with the LEAST operational overhead?


A. Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB.


B. Configure the security group that is associated with the EC2 instances to allow traffic from only the elastic network interfaces that are associated with the NLB.


C. Create a network ACL. Associate the network ACL with the application subnets. Configure the network ACL to allow inbound traffic from only the CIDR ranges of the NLB.


D. Use a third-party firewall solution that is installed on a separate EC2 instance. Configure a firewall rule that allows traffic to the application's EC2 instances from only the subnets where the NLB is deployed





A.
  Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB.

An application runs on Amazon EC2 instances in an Auto Scaling group. Following the deployment of a new feature on the EC2 instances, some instances were marked as unhealthy and then replaced by the Auto Scaling group. The EC2 instances terminated before a SysOps administrator could determine the cause of the health status changes. To troubleshoot this issue, the SysOps administrator wants to ensure that an AWS Lambda function is invoked in this situation. How should the SysOps administrator meet these requirements?


A. Activate the instance scale-in protection setting for the Auto Scaling group. Invoke the Lambda function through Amazon EventBridge (Amazon CloudWatch Events).


B. Activate the instance scale-in protection setting for the Auto Scaling group. Invoke the Lambda function through Amazon Route 53.


C. Add a lifecycle hook to the Auto Scaling group to invoke the Lambda function through Amazon EventBridge (Amazon CloudWatch Events).


D. Add a lifecycle hook to the Auto Scaling group to invoke the Lambda function through Amazon Route 53.





C.
  Add a lifecycle hook to the Auto Scaling group to invoke the Lambda function through Amazon EventBridge (Amazon CloudWatch Events).

Explanation:
To enable troubleshooting of EC2 instances marked as unhealthy before they are terminated by the Auto Scaling group, you can use lifecycle hooks:

  • Add a Lifecycle Hook: Configure a lifecycle hook in the Auto Scaling group. This hook will hold the instance in a "wait" state either when it launches or terminates (in this case, when it's about to be terminated due to health check failure).
  • Integration with Amazon EventBridge (CloudWatch Events): Set up the lifecycle hook to send an event to EventBridge (formerly CloudWatch Events) when an instance is in the termination lifecycle state.
  • Invoke Lambda Function: Configure EventBridge to trigger an AWS Lambda function when it receives the termination lifecycle event from the Auto Scaling group. This Lambda function can then perform necessary diagnostics, logging, or data capture activities on the instance before it's terminated.
This configuration allows the SysOps administrator to perform necessary investigations on why instances were marked unhealthy before they are automatically replaced, offering a chance to diagnose and potentially correct underlying issues.
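The three steps above wired together as a CloudFormation snippet. This is an added example, not code from the original page or from AWS documentation; AppAsg (the Auto Scaling group) and DiagnosticsFunction (the Lambda function) are assumed to be defined elsewhere in the same template.

```yaml
Resources:
  # Hold each terminating instance in Terminating:Wait for up to 15 minutes
  # so diagnostics can run before the Auto Scaling group removes it.
  # AppAsg is an assumed AWS::AutoScaling::AutoScalingGroup defined elsewhere.
  TerminateHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName: !Ref AppAsg
      LifecycleTransition: autoscaling:EC2_INSTANCE_TERMINATING
      HeartbeatTimeout: 900
      # If nothing completes the hook in time, let the termination proceed.
      DefaultResult: CONTINUE

  # EventBridge rule that matches the terminate lifecycle action for this
  # group only, so unrelated Auto Scaling groups do not invoke the function.
  TerminateRule:
    Type: AWS::Events::Rule
    Properties:
      State: ENABLED
      EventPattern:
        source:
          - aws.autoscaling
        detail-type:
          - EC2 Instance-terminate Lifecycle Action
        detail:
          AutoScalingGroupName:
            - !Ref AppAsg
      Targets:
        - Id: diagnostics-lambda
          # DiagnosticsFunction is an assumed AWS::Lambda::Function. Its handler
          # collects logs or a snapshot from the instance and then calls
          # CompleteLifecycleAction with the LifecycleHookName,
          # AutoScalingGroupName and LifecycleActionToken from the event detail.
          Arn: !GetAtt DiagnosticsFunction.Arn

  # Resource policy scoped to this one rule: only TerminateRule may invoke
  # the function, not any EventBridge rule in the account.
  InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref DiagnosticsFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt TerminateRule.Arn
```

If the function never completes the lifecycle action, the hook times out after HeartbeatTimeout and DefaultResult decides whether the instance is terminated anyway.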

A company has a secure website running on Amazon EC2 instances behind an Application Load Balancer (ALB). An SSL certificate from AWS Certificate Manager (ACM) is used on the ALB. Users with legacy web browsers are experiencing issues with the website. How should the SysOps administrator resolve these issues in the MOST operationally efficient manner?


A. Create a new SSL certificate in ACM and install the new certificate on the ALB to support legacy web browsers.


B. Create a second ALB and install a custom SSL certificate with a different domain name on the second ALB to support legacy web browsers.


C. Remove the ALB from the configuration and install a custom SSL certificate on each web server.


D. Update the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers.





D.
  Update the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers.

Explanation:
The issues experienced by users with legacy browsers typically stem from the SSL/TLS ciphers that are supported or enforced by the ALB. Modern security policies may exclude older ciphers that are necessary for compatibility with older browsers. Here’s how to resolve it:

  • Access the ALB Settings: Go to the AWS Management Console, navigate to the ALB settings, and locate the SSL negotiation configurations.
  • Modify Security Policy: Update the SSL/TLS security policy on the ALB to include ciphers that are compatible with legacy browsers. AWS provides predefined security policies, and some of these policies are designed to support older ciphers while still maintaining a level of security that complies with general best practices.
  • Apply Changes: Once the security policy is updated, the ALB will start using this new configuration, which should resolve compatibility issues with legacy browsers without needing to replace the SSL certificate or alter the infrastructure.
This solution maintains the operational efficiency of the setup and avoids the need for additional resources like a second ALB or new certificates.

A company runs an application on Amazon EC2 instances. The EC2 instances are in an Auto Scaling group and run behind an Application Load Balancer (ALB). The application experiences errors when total requests exceed 100 requests per second. A SysOps administrator must collect information about total requests for a 2-week period to determine when requests exceeded this threshold. What should the SysOps administrator do to collect this data?


A. Use the ALB’s RequestCount metric. Configure a time range of 2 weeks and a period of 1 minute. Examine the chart to determine peak traffic times and volumes.


B. Use Amazon CloudWatch metric math to generate a sum of request counts for all the EC2 instances over a 2-week period. Sort by a 1-minute interval.


C. Create Amazon CloudWatch custom metrics on the EC2 launch configuration templates to create aggregated request metrics across all the EC2 instances.


D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure an EC2 event matching pattern that creates a metric that is based on EC2 requests. Display the data in a graph.





A.
  Use the ALB’s RequestCount metric. Configure a time range of 2 weeks and a period of 1 minute. Examine the chart to determine peak traffic times and volumes.

Explanation: Using the ALB’s RequestCount metric will allow the SysOps administrator to collect information about total requests for a 2-week period and determine when requests exceeded the threshold of 100 requests per second. Configuring a time range of 2 weeks and a period of 1 minute will ensure that the data can be accurately examined to determine peak traffic times and volumes.

A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services. A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user's location. Which solution will meet these requirements?


A. Configure a Route 53 latency routing policy.


B. Configure a Route 53 multivalue answer routing policy.


C. Configure a Route 53 geolocation routing policy.


D. Configure a Route 53 IP-based routing policy.





C.
  Configure a Route 53 geolocation routing policy.

Explanation: For routing based on the user's geographic location to comply with data residency requirements, the best solution is an Amazon Route 53 geolocation routing policy. This policy lets you configure DNS responses based on the geographic location of the user, ensuring that requests are directed to the specific AWS Regions that align with the company's data residency requirements. Option C is correct. The AWS Route 53 documentation provides details on implementing geolocation routing policies (Amazon Route 53 Geolocation Routing).

A company has an existing public web application for www.example.com. The Application Load Balancer (ALB) is configured with a single HTTP 80 listener. A SysOps administrator must ensure that all web requests to www.example.com are encrypted between the client and the ALB. The SysOps administrator already has requested and validated a public certificate for www.example.com in AWS Certificate Manager (ACM). Existing users of the application must not be required to change the endpoint to which they are connecting. Which additional set of steps should the SysOps administrator take to meet these requirements?


A. Create an additional ALB listener for HTTPS on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.


B. Create an additional ALB listener for HTTPS on port 443 Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate. Delete the original HTTP listener on port 80.


C. Modify the ALB default rule for the HTTP port 80 listener. Create a rule in the listener to forward all traffic for the host www.example.com to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.


D. Modify the ALB default rule for the HTTP port 80 listener to redirect to HTTPS on port 443. Create an additional HTTPS listener on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.





D.
  Modify the ALB default rule for the HTTP port 80 listener to redirect to HTTPS on port 443. Create an additional HTTPS listener on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.
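The listener changes in option D, and the SslPolicy setting that the earlier legacy-browser question turns on, as one CloudFormation snippet. This is an added example, not code from the original page or from AWS; WebAlb, WebTargetGroup and the WebCertificateArn parameter are assumed to exist elsewhere in the template.

```yaml
Resources:
  # The port 80 listener stays, so existing users keep the same endpoint, but
  # every request now gets a 301 to the same host and path over HTTPS.
  HttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref WebAlb   # assumed existing ALB
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301

  # New HTTPS listener that terminates TLS with the validated ACM certificate
  # and forwards decrypted traffic to the existing target group.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref WebAlb
      Port: 443
      Protocol: HTTPS
      Certificates:
        # assumed parameter holding the ACM ARN for www.example.com
        - CertificateArn: !Ref WebCertificateArn
      # The predefined security policy decides which TLS versions and ciphers
      # the ALB offers. ELBSecurityPolicy-2016-08 is the broad-compatibility
      # policy that still serves legacy browsers (the earlier question);
      # ELBSecurityPolicy-TLS13-1-2-2021-06 limits clients to TLS 1.2/1.3 and
      # is the stricter choice once legacy clients are gone.
      SslPolicy: ELBSecurityPolicy-2016-08
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebTargetGroup   # assumed existing target group
```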

A company wants to apply an existing Amazon Route 53 private hosted zone to a new VPC to allow for customized resource name resolution within the VPC. The SysOps administrator created the VPC and added the appropriate resource record sets to the private hosted zone. Which step should the SysOps administrator take to complete the setup?


A. Associate the Route 53 private hosted zone with the VPC.


B. Create a rule in the default security group for the VPC that allows traffic to the Route 53 Resolver.


C. Ensure the VPC network ACLs allow traffic to the Route 53 Resolver.


D. Ensure there is a route to the Route 53 Resolver in each of the VPC route tables.





A.
  Associate the Route 53 private hosted zone with the VPC.

Explanation: To apply an existing Amazon Route 53 private hosted zone to a new VPC, the appropriate step is to associate the private hosted zone with the new VPC. This allows the resources within the VPC to use the custom DNS settings defined in the private hosted zone. Option A is the correct step to ensure that DNS queries from the new VPC are resolved using the specified private hosted zone. Detailed steps for this process can be found in the AWS Route 53 documentation on associating hosted zones with VPCs (Associating Hosted Zones with VPCs).

A company wants to track its expenditures for Amazon EC2 and Amazon RDS within AWS. The company decides to implement more rigorous tagging requirements for resources in its AWS accounts. A SysOps administrator needs to identify all noncompliant resources. What is the MOST operationally efficient solution that meets these requirements?


A. Create a rule in Amazon EventBridge (Amazon CloudWatch Events) that invokes a custom AWS Lambda function that will evaluate all created or updated resources for the specified tags.


B. Create a rule in AWS Config that invokes a custom AWS Lambda function that will evaluate all resources for the specified tags.


C. Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags.


D. Create a rule in Amazon EventBridge (Amazon CloudWatch Events) with a managed rule to evaluate all created or updated resources for the specified tags.





C.
  Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags.

Explanation:
To efficiently monitor and identify noncompliant resources in terms of tagging within AWS, using AWS Config with a managed rule for required tagging is most appropriate:

  • AWS Config Setup: Configure AWS Config to monitor and record configurations of AWS resources within your environment.
  • Managed Rule for Required Tags: Utilize the "required-tags" managed rule in AWS Config, which checks whether your resources have the specific tags you define as mandatory. This rule can be customized to specify which tags are required and can automatically evaluate all existing and new resources in your environment.
  • Compliance Reporting: AWS Config provides detailed compliance reporting that helps you identify resources that do not meet the tagging requirements, facilitating easy remediation.
This approach leverages AWS Config’s capabilities for continuous monitoring and evaluation without needing to write custom code or manage additional services, providing an operationally efficient solution for compliance management.
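The required-tags managed rule scoped to the two resource types the company wants to track, as a CloudFormation snippet. This is an added example, not code from the original page or from AWS; it assumes the AWS Config configuration recorder is already enabled in the account, and the tag keys and values are constructed.

```yaml
Resources:
  # Assumes the AWS Config configuration recorder and delivery channel are
  # already set up; the rule only evaluates resources Config records.
  RequiredTagsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-rds-required-tags
      Description: Flags EC2 instances and RDS DB instances that lack cost-allocation tags
      # Evaluate only the resource types the company is tracking spend for.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
          - AWS::RDS::DBInstance
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS   # the managed required-tags rule
      # The managed rule accepts up to six keys (tag1Key .. tag6Key). A
      # matching tagNValue is optional; when present it is a comma-separated
      # list of allowed values. The keys and values below are constructed.
      InputParameters:
        tag1Key: CostCenter
        tag2Key: Owner
        tag3Key: Environment
        tag3Value: dev,test,prod
```

Resources missing any listed key, or carrying an Environment value outside the allowed list, show as NON_COMPLIANT in the rule's compliance view.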

A company plans to migrate several of its high-performance computing (HPC) virtual machines (VMs) to Amazon EC2 instances on AWS. A SysOps administrator must identify a placement group for this deployment. The strategy must minimize network latency and must maximize network throughput between the HPC VMs. Which strategy should the SysOps administrator choose to meet these requirements?


A. Deploy the instances in a cluster placement group in one Availability Zone


B. Deploy the instances in a partition placement group in two Availability Zones


C. Deploy the instances in a partition placement group in one Availability Zone


D. Deploy the instances in a spread placement group in two Availability Zones





A.
  Deploy the instances in a cluster placement group in one Availability Zone

Explanation: For high-performance computing (HPC) applications that require minimized network latency and maximized network throughput, the best strategy is to use a cluster placement group. Here's why:

  • Cluster placement group: See the Placement Groups reference.
  • High-bandwidth, low-latency networking: Instances in a cluster placement group benefit from enhanced networking features, which significantly improve the communication speed between instances (reference: Enhanced Networking on Linux).
  • Operational benefits: By grouping instances in a single Availability Zone, network traffic remains local to the zone, reducing latency compared to inter-zone communication. This setup also simplifies the architecture for performance-critical applications.
By deploying your HPC instances in a cluster placement group in one Availability Zone, you ensure that network latency is minimized and throughput is maximized, meeting the performance requirements of your HPC applications.

