C. The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.
amazon AWS Certified SysOps Administrator - Associate (SOA-C02) practice test
Last exam update: Jul 20 ,2024
Question 1
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A
SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
- A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
- B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
- C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
- D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Answer:
D
Discussions
0
/ 1000
Question 2
A SysOps administrator needs to give users the ability to upload objects to an Amazon S3 bucket. The SysOps administrator
creates a presigned URL and provides the URL to a user, but the user cannot upload an object to the S3 bucket. The
presigned URL has not expired, and no bucket policy is applied to the S3 bucket.
Which of the following could be the cause of this problem?
- A. The user has not properly configured the AWS CLI with their access key and secret access key.
- B. The SysOps administrator does not have the necessary permissions to upload the object to the S3 bucket.
- C. The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.
- D. The object already has been uploaded through the use of the presigned URL, so the presigned URL is no longer valid.
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
Discussions
0
/ 1000
12 months ago
Question 3
An errant process is known to use an entire processor and run at 100%. A SysOps administrator wants to automate
restarting the instance once the problem occurs for more than 2 minutes.
How can this be accomplished?
- A. Create an Amazon CloudWatch alarm for the Amazon EC2 instance with basic monitoring. Enable an action to restart the instance.
- B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
- C. Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes.
- D. Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks.
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html
Discussions
0
/ 1000
12 months ago
B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
Question 4
A company wants to track its expenditures for Amazon EC2 and Amazon RDS within AWS. The company decides to
implement more rigorous tagging requirements for resources in its AWS accounts. A SysOps administrator needs to identify
all noncompliant resources.
What is the MOST operationally efficient solution that meets these requirements?
- A. Create a rule in Amazon EventBridge (Amazon CloudWatch Events) that invokes a custom AWS Lambda function that will evaluate all created or updated resources for the specified tags.
- B. Create a rule in AWS Config that invokes a custom AWS Lambda function that will evaluate all resources for the specified tags.
- C. Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags.
- D. Create a rule in Amazon EventBridge (Amazon CloudWatch Events) with a managed rule to evaluate all created or updated resources for the specified tags.
Answer:
C
Explanation:
Reference: https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html
Discussions
0
/ 1000
12 months ago
B. Create a rule in AWS Config that invokes a custom AWS Lambda function that will evaluate all resources for the specified tags.
Question 5
A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the
CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months.
What is the process to rotate the key?
- A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
- B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
- C. Delete the current key material, and import new material into the existing CMK.
- D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
Answer:
B
Explanation:
Reference: https://aws.amazon.com/kms/faqs/
Discussions
0
/ 1000
Question 6
A SysOps administrator is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon
S3. The domain name of the website is www.anycompany.com and the S3 bucket name is anycompany-static. After the
record set is set up in Route 53, the domain name www.anycompany.com does not seem to work, and the static website is
not displayed in the browser.
Which of the following is a cause of this?
- A. The S3 bucket must be configured with Amazon CloudFront first.
- B. The Route 53 record set must have an IAM role that allows access to the S3 bucket.
- C. The Route 53 record set must be in the same region as the S3 bucket.
- D. The S3 bucket name must match the record set name in Route 53.
Answer:
D
Explanation:
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/route-53-no-targets/
Discussions
0
/ 1000
Question 7
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS
Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for
changes that allow network access outside of the corporate network. Any change that exposes the application externally
must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?
- A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR ranges. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Logs. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
- B. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instances. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
- C. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
- D. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by tag. Tag the EC2 instances with an identifier. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.
Answer:
A
Discussions
0
/ 1000
Question 8
A company has a web application with a database tier that consists of an Amazon EC2 instance that runs MySQL. A SysOps
administrator needs to minimize potential data loss and the time that is required to recover in the event of a database failure.
What is the MOST operationally efficient solution that meets these requirements?
- A. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric to invoke an AWS Lambda function that stops and starts the EC2 instance.
- B. Create an Amazon RDS for MySQL Multi-AZ DB instance. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.
- C. Create an Amazon RDS for MySQL Single-AZ DB instance with a read replica. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.
- D. Use Amazon Data Lifecycle Manager (Amazon DLM) to take a snapshot of the Amazon Elastic Block Store (Amazon EBS) volume every hour. In the event of an EC2 instance failure, restore the EBS volume from a snapshot.
Answer:
D
Explanation:
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html
Discussions
0
/ 1000
Question 9
A company is running a website on Amazon EC2 instances that are in an Auto Scaling group. When the website traffic
increases, additional instances take several minutes to become available because of a long-running user data script that
installs software. A SysOps administrator must decrease the time that is required for new instances to become available.
Which action should the SysOps administrator take to meet this requirement?
- A. Reduce the scaling thresholds so that instances are added before traffic increases.
- B. Purchase Reserved Instances to cover 100% of the maximum capacity of the Auto Scaling group.
- C. Update the Auto Scaling group to launch instances that have a storage optimized instance type.
- D. Use EC2 Image Builder to prepare an Amazon Machine Image (AMI) that has pre-installed software.
Answer:
C
Discussions
0
/ 1000
Question 10
A SysOps administrator has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that
were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC,
and all security groups allow all outbound traffic.
Which solution will provide the EC2 instances in the private subnet with access to the internet?
- A. Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.
- B. Create a NAT gateway in the public subnet. Create a route from the public subnet to the NAT gateway.
- C. Create a NAT gateway in the private subnet. Create a route from the public subnet to the NAT gateway.
- D. Create a NAT gateway in the private subnet. Create a route from the private subnet to the NAT gateway.
Answer:
A
Explanation:
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Discussions
0
/ 1000
Question 11
A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company
configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53
CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now
being served the desktop version of the website.
Which action should a SysOps administrator take to resolve this issue?
- A. Configure the CloudFront distribution behavior to forward the User-Agent header.
- B. Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers.
- C. Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.
- D. Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint.
Answer:
C
Explanation:
Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html
Discussions
0
/ 1000
Question 12
A company has multiple Amazon EC2 instances that run a resource-intensive application in a development environment. A
SysOps administrator is implementing a solution to stop these EC2 instances when they are not in use.
Which solution will meet this requirement?
- A. Assess AWS CloudTrail logs to verify that there is no EC2 API activity. Invoke an AWS lambda function to stop the EC2 instances.
- B. Create an Amazon CloudWatch alarm to stop the EC2 instances when the average CPU utilization is lower than 5% for a 30-minute period.
- C. Create an Amazon CloudWatch metric to stop the EC2 instances when the VolumeReadBytes metric is lower than 500 for a 30-minute period.
- D. Use AWS Config to invoke an AWS Lambda function to stop the EC2 instances based on resource configuration changes.
Answer:
A
Discussions
0
/ 1000
Question 13
A SysOps Administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based
Amazon EC2 instances within a companys account. The administrator must be alerted to potential issues.
What should the administrator do to receive email alerts before low storage space affects EC2 instance performance?
- A. Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications.
- B. Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic.
- C. Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic.
- D. Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space.
Answer:
C
Discussions
0
/ 1000
Question 14
A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a
template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes
that are attached to the EC2 instance are encrypted with AWS managed keys.
The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI
with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management
Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.
Which solution will securely share the AMI with the other AWS accounts?
- A. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
- B. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
- C. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to make it public.
- D. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
Answer:
C
Discussions
0
/ 1000
Question 15
A SysOps administrator has used AWS CloudFormation to deploy a serverless application into a production VPC. The
application consists of an AWS Lambda function, an Amazon DynamoDB table, and an Amazon API Gateway API. The
SysOps administrator must delete the AWS CloudFormation stack without deleting the DynamoDB table.
Which action should the SysOps administrator take before deleting the AWS CloudFormation stack?
- A. Add a Retain deletion policy to the DynamoDB resource in the AWS CloudFormation stack.
- B. Add a Snapshot deletion policy to the DynamoDB resource in the AWS CloudFormation stack.
- C. Enable termination protection on the AWS CloudFormation stack.
- D. Update the application’s IAM policy with a Deny statement for the dynamodb:DeleteTable action.
Answer:
A
Discussions
0
/ 1000
D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.