SOA-C02 Dumps Has Been Updated To Effectively Help You Prepare For The SOA-C02 Exam

The SOA-C02 dumps are well known as the best material for the AWS Certified SysOps Administrator-Associate exam. There is one condition, however: they must be the latest SOA-C02 dumps, not obsolete ones. passitdump.com has updated the SOA-C02 dumps with 154 practice questions and answers. Candidates are strongly encouraged to select the updated Amazon SOA-C02 dumps as learning material.

Real questions from SOA-C02 free dumps to check the validity.

Question 1:

A company has a new requirement stating that all resources in AWS must be tagged according to a set policy.

Which AWS service should be used to enforce and continually identify all resources that are not in compliance with the policy?

A. AWS CloudTrail

B. Amazon Inspector

C. AWS Config

D. AWS Systems Manager

Correct Answer: C


Question 2:

A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.

What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?

A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.

B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.

C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.

D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.

Correct Answer: B

If you’re using AWS Organizations, check the service control policies for any statements that explicitly deny Amazon S3 access. In particular, check the service control policies for statements denying the s3:PutBucketPolicy action.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

https://aws.amazon.com/tw/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/


Question 3:

A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website.

Which action should a SysOps administrator take to resolve this issue?

A. Configure the CloudFront distribution behavior to forward the User-Agent header.

B. Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers.

C. Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.

D. Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint.

Correct Answer: A

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#headercaching-web-device


Question 4:

A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.

Which solution will meet these requirements in the MOST secure manner?

A. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.

B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.

C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Correct Answer: D


Question 5:

A company hosts an online shopping portal in the AWS Cloud. The portal provides HTTPS security by using a TLS certificate on an Elastic Load Balancer (ELB). Recently, the portal suffered an outage because the TLS certificate expired. A SysOps administrator must create a solution to automatically renew certificates to avoid this issue in the future.

What is the MOST operationally efficient solution that meets these requirements?

A. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. Write a scheduled AWS Lambda function to renew the certificate every 18 months.

B. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.

C. Register a certificate with a third-party certificate authority (CA). Import this certificate into AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.

D. Register a certificate with a third-party certificate authority (CA). Configure the ELB to import the certificate directly from the CA. Set the certificate refresh cycle on the ELB to refresh when the certificate is within 3 months of the expiration date.

Correct Answer: B

“A certificate is eligible for automatic renewal subject to the following considerations: ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront. ELIGIBLE if exported since being issued or last renewed. ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service. ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service.”

https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html


Question 6:

A company runs a stateless application that is hosted on an Amazon EC2 instance. Users are reporting performance issues. A SysOps administrator reviews the Amazon CloudWatch metrics for the application and notices that the instance’s CPU utilization frequently reaches 90% during business hours.

What is the MOST operationally efficient solution that will improve the application’s responsiveness?

A. Configure CloudWatch logging on the EC2 instance. Configure a CloudWatch alarm for CPU utilization to alert the SysOps administrator when CPU utilization goes above 90%.

B. Configure an AWS Client VPN connection to allow the application users to connect directly to the EC2 instance private IP address to reduce latency.

C. Create an Auto Scaling group, and assign it to an Application Load Balancer. Configure a target tracking scaling policy that is based on the average CPU utilization of the Auto Scaling group.

D. Create a CloudWatch alarm that activates when the EC2 instance’s CPU utilization goes above 80%. Configure the alarm to invoke an AWS Lambda function that vertically scales the instance.

Correct Answer: C


Question 7:

A company is running a serverless application on AWS Lambda. The application stores data in an Amazon RDS for MySQL DB instance. Usage has steadily increased, and recently there have been numerous “too many connections” errors when the Lambda function attempts to connect to the database. The company already has configured the database to use the maximum max_connections value that is possible.

What should a SysOps administrator do to resolve these errors?

A. Create a read replica of the database. Use Amazon Route 53 to create a weighted DNS record that contains both databases.

B. Use Amazon RDS Proxy to create a proxy. Update the connection string in the Lambda function.

C. Increase the value in the max_connect_errors parameter in the parameter group that the database uses.

D. Update the Lambda function’s reserved concurrency to a higher value.

Correct Answer: B

RDS Proxy acts as an intermediary between your application and an RDS database. RDS Proxy establishes and manages the necessary connection pools to your database so that your application creates fewer database connections. Your Lambda functions interact with RDS Proxy instead of your database instance. It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to reuse existing connections, rather than creating new connections for every function invocation.

See the “Database proxy for Amazon RDS” section at the following link for how RDS Proxy helps Lambda handle a large number of connections to RDS MySQL: https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/


Question 8:

An AWS Lambda function is intermittently failing several times a day. A SysOps administrator must find out how often this error has occurred in the last 7 days.

Which action will meet this requirement in the MOST operationally efficient manner?

A. Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function.

B. Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function.

C. Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs.

D. Use Amazon Elasticsearch Service (Amazon ES) to stream the Amazon CloudWatch logs for the Lambda function.

Correct Answer: C


Question 9:

An errant process is known to use an entire processor and run at 100%. A SysOps administrator wants to automate restarting the instance once the problem occurs for more than 2 minutes.

How can this be accomplished?

A. Create an Amazon CloudWatch alarm for the Amazon EC2 instance with basic monitoring. Enable an action to restart the instance.

B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.

C. Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes.

D. Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks.

Correct Answer: B


Question 10:

An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime.

To satisfy the requirements, which one of these services can the SysOps administrator enable at-rest encryption on?

A. EBS General Purpose SSD volumes

B. RDS PostgreSQL database

C. Amazon EFS file systems

D. S3 objects within a bucket

Correct Answer: D

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html


Question 11:

A company has a stateless application that is hosted on a fleet of 10 Amazon EC2 On-Demand Instances in an Auto Scaling group. A minimum of 6 instances are needed to meet service requirements.

Which action will maintain uptime for the application MOST cost-effectively?

A. Use a Spot Fleet with an On-Demand capacity of 6 instances.

B. Update the Auto Scaling group with a minimum of 6 On-Demand Instances and a maximum of 10 On-Demand Instances.

C. Update the Auto Scaling group with a minimum of 1 On-Demand Instance and a maximum of 6 On-Demand Instances.

D. Use a Spot Fleet with a target capacity of 6 instances.

Correct Answer: A


Question 12:

A company is running a flash sale on its website. The website is hosted on burstable performance Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group is configured to launch instances when the CPU utilization is above 70%.

A couple of hours into the sale, users report slow load times and error messages for refused connections. A SysOps administrator reviews Amazon CloudWatch metrics and notices that the CPU utilization is at 20% across the entire fleet of instances.

The SysOps administrator must restore the website’s functionality without making changes to the network infrastructure.

Which solution will meet these requirements?

A. Activate unlimited mode for the instances in the Auto Scaling group.

B. Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group.

C. Move the website to a different AWS Region that is closer to the users.

D. Reduce the desired size of the Auto Scaling group to artificially increase CPU average utilization.

Correct Answer: B

Implementing an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group does not breach the requirement of making no changes to the network infrastructure. The reason is that CloudFront is a distribution that allows you to distribute content using a worldwide network of edge locations that provide low latency and high data transfer speeds. It plugs in to the existing setup rather than changing it.


Question 13:

A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53 should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set appropriately for both primary and secondary servers.

Which next step should be taken to configure Route 53?

A. Create an A record for each server. Associate the records with the Route 53 HTTP health check.

B. Create an A record for each server. Associate the records with the Route 53 TCP health check.

C. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.

D. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.

Correct Answer: A


Question 14:

A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53 and wants to point its domain’s zone apex to the website.

Which type of record should be used to meet these requirements?

A. A CNAME record for the domain’s zone apex

B. An A record for the domain’s zone apex

C. An AAAA record for the domain’s zone apex

D. An alias record for the domain’s zone apex

Correct Answer: D

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-nonalias.html

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html


Question 15:

A large company is using AWS Organizations to manage hundreds of AWS accounts across multiple AWS Regions. The company has turned on AWS Config throughout the organization.

The company requires all Amazon S3 buckets to block public read access. A SysOps administrator must generate a monthly report that shows all the S3 buckets and whether they comply with this requirement.

Which combination of steps should the SysOps administrator take to collect this data? (Select TWO).

A. Create an AWS Config aggregator in an aggregator account. Use the organization as the source. Retrieve the compliance data from the aggregator.

B. Create an AWS Config aggregator in each account. Use an S3 bucket in an aggregator account as the destination. Retrieve the compliance data from the S3 bucket.

C. Edit the AWS Config policy in AWS Organizations. Use the organization’s management account to turn on the s3-bucket-public-read-prohibited rule for the entire organization.

D. Use the AWS Config compliance report from the organization’s management account. Filter the results by resource, and select Amazon S3.

E. Use the AWS Config API to apply the s3-bucket-public-read-prohibited rule in all accounts for all available Regions.

Correct Answer: CD