NotJustExam Interactive Question Bank | [Amazon] SOA-C02

Question 1

A company has an infernal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto
Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available.
Which action should the SysOps administrator take to meet this requirement?

A. Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
B. Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
D. Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.

Correct Answer: C

Explanation:

I agree with the suggested answer.
The question requires making the application highly available. The application currently runs in a single Availability Zone (AZ). To achieve high availability, the application must be able to withstand the failure of a single AZ. This can be achieved by distributing the application across multiple AZs.
The correct answer is C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region. This will distribute the application across multiple AZs, making it highly available. Auto Scaling groups are designed to operate within a single AWS Region but across multiple Availability Zones.

Reasons for not choosing the other answers:

A: Increasing the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage. This will increase the capacity of the application, but it will not make it highly available as it is still only in a single AZ.
B: Increasing the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage. This will increase the capacity of the application, but it will not make it highly available as it is still only in a single AZ.
D: Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region. While this could increase availability, it would also increase latency and complexity. High Availability is best achieved by distributing instances across multiple Availability Zones within the same Region.

Citations:

AWS Auto Scaling, https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html
AWS Availability Zones, https://aws.amazon.com/about-aws/global-infrastructure/regions_availability-zones/

Question 2

A company hosts a website on multiple Amazon EC2 instances that run in an Auto Scaling group. Users are reporting slow responses during peak times between
6 PM and 11 PM every weekend. A SysOps administrator must implement a solution to improve performance during these peak times.
What is the MOST operationally efficient solution that meets these requirements?

A. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to increase the desired capacity before peak times.
B. Configure a scheduled scaling action with a recurrence option to change the desired capacity before and after peak times.
C. Create a target tracking scaling policy to add more instances when memory utilization is above 70%.
D. Configure the cooldown period for the Auto Scaling group to modify desired capacity before and after peak times.

Correct Answer: B

Explanation:

I agree with the suggested answer, which is B. Configure a scheduled scaling action with a recurrence option to change the desired capacity before and after peak times.

Reasoning:
The question describes a scenario with predictable peak times. Scheduled scaling is the most operationally efficient way to handle predictable load changes because it automatically adjusts the capacity of the Auto Scaling group based on a predefined schedule. This eliminates the need for manual intervention or complex scaling policies. A scheduled scaling action with a recurrence option is perfectly suited for this purpose.

Reasons for not choosing the other options:

A. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to increase the desired capacity before peak times: While this would technically work, it adds unnecessary complexity. It involves creating and managing additional resources (EventBridge rule and Lambda function) when a simpler solution (scheduled scaling action) is available. It's less operationally efficient.
C. Create a target tracking scaling policy to add more instances when memory utilization is above 70%: Target tracking scaling is best suited for unpredictable workloads where you want to maintain a specific metric (e.g., CPU utilization) at a target value. In this case, the load is predictable, so scheduled scaling is a better choice. Target tracking is also less efficient because it reacts to load changes rather than proactively adjusting capacity.
D. Configure the cooldown period for the Auto Scaling group to modify desired capacity before and after peak times: The cooldown period is the amount of time that must pass after a scaling activity completes before another scaling activity can start. It's not a mechanism for scheduling scaling activities. Configuring the cooldown period alone will not address the performance issues during peak times.

In summary, scheduled scaling is the most straightforward and efficient solution for predictable load changes, making option B the best answer.

Citations:

AWS Auto Scaling - Scheduled Scaling, https://docs.aws.amazon.com/autoscaling/ec2/userguide/schedule_time.html

Question 3

A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website.
Which action should a SysOps administrator take to resolve this issue?

A. Configure the CloudFront distribution behavior to forward the User-Agent header.
B. Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers.
C. Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.
D. Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint.

Correct Answer: A

Explanation:

The suggested answer is A: Configure the CloudFront distribution behavior to forward the User-Agent header.

Reasoning:
The problem states that mobile users are being served the desktop version of the website. This typically happens because the server (in this case, the ALB) isn't correctly detecting the user's device type. The device type is usually determined by inspecting the User-Agent HTTP header. CloudFront, by default, doesn't forward all headers to the origin. To fix this, we need to configure CloudFront to forward the User-Agent header to the ALB. This allows the ALB to correctly identify the device type and serve the appropriate version of the website.

Why other options are incorrect:

B: Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers. Adding a custom header in CloudFront doesn't solve the issue. The origin (ALB) needs to *receive* the User-Agent header from the client, not a manufactured one from CloudFront. This option doesn't help the ALB determine the actual client's device type.
C: Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint. IPv6 is irrelevant to this problem. The issue is with the server not detecting the device type, not with network connectivity or addressing.
D: Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint. Similar to option C, IPv6 is irrelevant here. Enabling IPv6 on CloudFront and updating the Route 53 record to use the dualstack endpoint will not solve the problem of mobile users being served the desktop version of the website.

Citations:

Using headers to customize the content that CloudFront delivers, https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-cloudfront-headers.html

Question 4

A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately.
What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?

A. Add the AWS account to AWS Organizations. Enable CloudTrail in the management account.
B. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
C. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
D. Create an Amazon EventBridge (Amazon CloudWatch Event) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.

Correct Answer: B

Explanation:

I agree with the suggested answer, which is option B.
Reasoning:
The question requires immediate re-enablement of CloudTrail if it's disabled, without using custom code. AWS Config provides a managed rule, `AWS-ConfigureCloudTrailLogging`, that automatically remediates non-compliant CloudTrail configurations. This directly addresses the requirement. The Config rule monitors CloudTrail configuration changes, and when it detects that CloudTrail is disabled, it automatically re-enables it using the specified remediation action, fulfilling the requirements without any need for custom code.
Why other options are not correct:

Option A: Adding the account to AWS Organizations and enabling CloudTrail in the management account only ensures CloudTrail is enabled at the organizational level. It doesn't automatically re-enable CloudTrail in individual member accounts if it's disabled there, and is not a direct solution to the problem.
Option C: Creating an AWS Config rule to invoke an AWS Lambda function *does* address the requirement, but it involves writing custom code (the Lambda function), which the question specifically prohibits.
Option D: Creating an EventBridge rule to run an SSM Automation document *could* work, but is more complex and less direct than using AWS Config's built-in remediation. Also, an hourly rule might not immediately re-enable CloudTrail as required.

Citations:
AWS Config Managed Rules, https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html
AWS-ConfigureCloudTrailLogging, https://docs.aws.amazon.com/config/latest/developerguide/remediation-actions-managed.html#aws-configurecloudtraillogging

Question 5

A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain's zone apex to the website.
Which type of record should be used to meet these requirements?

A. An AAAA record for the domain's zone apex
B. An A record for the domain's zone apex
C. A CNAME record for the domain's zone apex
D. An alias record for the domain's zone apex

Correct Answer: D

Explanation:

I agree with the suggested answer, which is D. An alias record for the domain's zone apex.

Reasoning:

Alias records are a Route 53-specific extension that allows you to map your zone apex (e.g., example.com) to AWS resources like Application Load Balancers, EC2 instances, or S3 buckets.
Alias records provide functionality similar to CNAME records but work for the zone apex, which CNAME records cannot.

Why other options are incorrect:

A and AAAA records map a domain name to a specific IP address. While they can be used for the zone apex, they don't take advantage of Route 53's integration with AWS resources, such as automatic updates when the IP address of an Application Load Balancer changes. Using an alias record is the better approach in this scenario.
CNAME records cannot be used for the zone apex, as they require another domain name, and the zone apex must resolve directly to an IP address or an AWS resource.

Citations:

AWS Route 53 Alias Records, https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

Question 6

A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)

A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.

Correct Answer: CE

Explanation:

I agree with the suggested answer of CE.

Reasoning:
The question asks for actions that ensure all objects uploaded to an S3 bucket are encrypted. Options C and E directly address this requirement.

C: Implementing Amazon S3 default encryption ensures that all objects are encrypted at rest when stored in the S3 bucket. This means that even if an object is uploaded without explicit encryption, S3 will automatically encrypt it using the specified default encryption method (e.g., SSE-S3, SSE-KMS, or DSSE-S3).
E: Implementing S3 bucket policies that deny unencrypted object uploads enforces encryption in transit. By using a bucket policy, you can explicitly require that all PUT requests (uploads) include specific encryption headers (e.g., `x-amz-server-side-encryption`). If a request doesn't include the required header, the bucket policy will deny the upload, thus ensuring that only encrypted objects are stored.

Reasons for not choosing other options:

A: AWS Shield protects against DDoS attacks and doesn't enforce encryption of objects stored in S3.
B: Object ACLs control access permissions to objects but do not enforce or prevent unencrypted uploads.
D: Amazon Inspector is a vulnerability assessment service and doesn't automatically encrypt objects or prevent unencrypted uploads to S3. While it can identify unencrypted objects, it doesn't prevent them from being uploaded initially.

Citations:

Amazon S3 default encryption, https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html
Using bucket policies, https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-bucket-policies.html
AWS Shield, https://aws.amazon.com/shield/
Amazon Inspector, https://aws.amazon.com/inspector/

Question 7

A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load
Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application.
Which combination of actions should a SysOps administrator take to resolve this problem? (Choose two.)

A. Change to the least outstanding requests algorithm on the ALB target group.
B. Configure cookie forwarding in the CloudFront distribution cache behavior.
C. Configure header forwarding in the CloudFront distribution cache behavior.
D. Enable group-level stickiness on the ALB listener rule.
E. Enable sticky sessions on the ALB target group.

Correct Answer: BE

Explanation:

I agree with the suggested answer of B and E.

The problem describes random logouts from a stateful web application. This indicates a session management issue where users are not consistently routed to the same backend server. To solve this, we need to ensure that session information is maintained and that the same server handles subsequent requests from a user.

Here's why B and E are the correct choices:

B. Configure cookie forwarding in the CloudFront distribution cache behavior. CloudFront, by default, does not forward cookies to the origin. If the application uses cookies to maintain session state, CloudFront needs to be configured to forward these cookies. Without cookie forwarding, the ALB will not receive the session cookie and therefore cannot route the request to the correct instance.
E. Enable sticky sessions on the ALB target group. Sticky sessions (also known as session affinity) ensure that requests from a single user are consistently routed to the same EC2 instance behind the ALB. This is crucial for maintaining session state in a stateful application. By enabling sticky sessions, the ALB uses a cookie to track which instance a user is connected to.

Here's why the other options are incorrect:

A. Change to the least outstanding requests algorithm on the ALB target group. This algorithm distributes requests based on the number of outstanding requests to each instance. While it can help with load balancing, it doesn't ensure session stickiness, so it won't solve the logout issue.
C. Configure header forwarding in the CloudFront distribution cache behavior. While forwarding certain headers can be useful in some cases, the problem description specifies a stateful web application, implying session management via cookies. Therefore, header forwarding is not the primary solution here. If the application used custom headers for session management, this could be relevant, but cookie forwarding is more directly related to the described problem.
D. Enable group-level stickiness on the ALB listener rule. Group-level stickiness is not a standard ALB feature. ALB stickiness is configured at the target group level, not the listener rule level. Thus, this option is not a valid configuration.

In summary, enabling cookie forwarding in CloudFront and enabling sticky sessions on the ALB target group are the correct actions to ensure that user sessions are maintained, preventing random logouts in the described scenario.

Citations:

Using cookies to forward requests to origin, https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-cookies.html
Configure load balancer stickiness, https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html

Question 8

A company is running a serverless application on AWS Lambda. The application stores data in an Amazon RDS for MySQL DB instance. Usage has steadily increased, and recently there have been numerous "too many connections" errors when the Lambda function attempts to connect to the database. The company already has configured the database to use the maximum max_connections value that is possible.
What should a SysOps administrator do to resolve these errors?

A. Create a read replica of the database. Use Amazon Route 53 to create a weighted DNS record that contains both databases.
B. Use Amazon RDS Proxy to create a proxy. Update the connection string in the Lambda function.
C. Increase the value in the max_connect_errors parameter in the parameter group that the database uses.
D. Update the Lambda function's reserved concurrency to a higher value.

Correct Answer: B

Explanation:

I agree with the suggested answer, which is B. Use Amazon RDS Proxy to create a proxy. Update the connection string in the Lambda function.

Reasoning:
The core problem is too many connections to the RDS database. RDS Proxy is designed to manage database connections efficiently, especially in serverless environments like AWS Lambda. It pools and shares database connections, reducing the overhead of establishing new connections for each Lambda function invocation. This prevents the database from being overwhelmed by connection requests.

Why other options are incorrect:

A. Create a read replica of the database. Use Amazon Route 53 to create a weighted DNS record that contains both databases:
C. Increase the value in the max_connect_errors parameter in the parameter group that the database uses:
D. Update the Lambda function's reserved concurrency to a higher value:

Citations:

Using Amazon RDS Proxy with AWS Lambda, https://docs.aws.amazon.com/lambda/latest/dg/services-rds-proxy.html

Question 9

A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware.
What should the SysOps administrator do to meet these requirements?

A. Launch the instances into a cluster placement group in a single AWS Region.
B. Launch the instances into a partition placement group in multiple AWS Regions.
C. Launch the instances into a spread placement group in multiple AWS Regions.
D. Launch the instances into a spread placement group in a single AWS Region.

Correct Answer: D

Explanation:

I agree with the suggested answer, which is D. Launch the instances into a spread placement group in a single AWS Region.

Reasoning:
The question emphasizes high availability and placement on distinct underlying hardware within a single application deployment. Spread placement groups are specifically designed to meet these requirements within a single AWS Region. They ensure that each instance is placed on distinct hardware, thus maximizing fault tolerance. They also can span multiple Availability Zones within the same Region to improve availability.
Why other options are incorrect:

A. Launch the instances into a cluster placement group in a single AWS Region: Cluster placement groups are designed for low latency and high network throughput, not necessarily for high availability through distinct hardware placement.
B. Launch the instances into a partition placement group in multiple AWS Regions: Placement groups cannot span multiple regions. Additionally, while partition placement groups aim to distribute instances across partitions, they are not the best choice when the primary requirement is distinct hardware for each instance, and they do not support multiple regions.
C. Launch the instances into a spread placement group in multiple AWS Regions: Placement groups are confined to a single AWS Region. Therefore, distributing instances across multiple regions using a spread placement group is not possible.

In summary, spread placement groups within a single region best address the need for high availability by placing instances on distinct underlying hardware.

Citations:

AWS Placement Groups, https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

Question 10

A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:
AMI [ami-12345678] does not exist
How should the Administrator ensure that the AWS CloudFormation template is working in every region?

A. Copy the source region's Amazon Machine Image (AMI) to the destination region and assign it the same ID.
B. Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
C. Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.
D. Modify the AWS CloudFormation template by including the AMI IDs in the ג€Mappingsג€ section. Refer to the proper mapping within the template for the proper AMI ID.

Correct Answer: D

Explanation:

I agree with the suggested answer (D).
Reasoning:
The error "AMI [ami-12345678] does not exist" indicates that the AMI ID used in the CloudFormation template is not valid in the us-west-2 region. AMI IDs are region-specific, meaning an AMI ID valid in us-east-1 will likely not be valid in us-west-2. The most appropriate solution is to use the Mappings section in the CloudFormation template to define different AMI IDs for each region. This allows the template to select the correct AMI ID based on the region where the stack is being created.
Using the `Fn::FindInMap` intrinsic function, the template can dynamically determine the appropriate AMI ID to use for a given region. This makes the template portable and reusable across multiple regions.

Reasons for not choosing the other answers:
* **A:** Copying AMIs and assigning the same ID is not possible, as AMI IDs are assigned by AWS and are unique within a region. Additionally, this approach is cumbersome and doesn't scale well.
* **B:** While specifying the region code as part of the fully qualified AMI ID might seem like a solution, it's not the standard way to handle AMI IDs in CloudFormation templates across regions. The `Mappings` section is the recommended approach.
* **C:** Offering a drop-down list of all AMIs to the user (using `AWS::EC2::AMI::ImageID`) is not practical or scalable, especially if the template is intended to be used by different users or across multiple environments. This would require manual selection of the correct AMI each time the template is launched, increasing the risk of errors.

Citations:
AWS CloudFormation Mappings, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html
Fn::FindInMap, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-findinmap.html

[Amazon] SOA-C02 - SysOps Administrator Associate Exam Dumps & Study Guide

Free [Amazon] SOA-C02 - SysOps Administrator Associate Practice Questions Preview

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10