Amazon (SOA-C02) Exam Questions And Answers page 8
A company website contains a web tier and a database tier on AWS. The web tier consists of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones. The database tier runs on an Amazon RDS for MySQL Multi-AZ DB instance. The database subnet network ACLs are restricted to only the web subnets that need access to the database. The web subnets use the default network ACL with the default rules.
The company s operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error messages states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups.
Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Choose two.)
The company s operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error messages states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups.
Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Choose two.)
On the default ACL. Create outbound Allow rules of type MySQL/Aurora (3306). Specify the destinations as the database subnets.
On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.
Deployment, Provisioning, and Automation
Networking and Content Delivery
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
Which approach will resolve the encryption requirement?
Log in to the RDS console and select the encryption box to encrypt the database.
Create a new encrypted Amazon EBS volume and attach it to the instance.
Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Monitoring and Reporting
Security and Compliance
A data storage company provides a service that gives users the ability to upload and download files as needed. The files are stored in Amazon S3 Standard and must be immediately retrievable for 1 year. Users access files frequently during the first 30 days after the files are stored. Users rarely access files after 30 days.
The company's SysOps administrator must use S3 Lifecycle policies to implement a solution that maintains object availability and minimizes cost.
Which solution will meet these requirements?
The company's SysOps administrator must use S3 Lifecycle policies to implement a solution that maintains object availability and minimizes cost.
Which solution will meet these requirements?
Move objects to S3 Glacier after 30 days.
Move objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately.
High Availability and Business Continuity
Cost and Performance Optimization
A development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
Which AWS service will mitigate this issue?
AWS Shield Standard
AWS WAF
Elastic Load Balancing
Amazon Cognito
Security and Compliance
A gaming application is deployed on four Amazon EC2 instances in a default VPC. The SysOps administrator has noticed consistently high latency in responses as data is transferred among the four instances. There is no way for the administrator to alter the application code.
The MOST effective way to reduce latency is to relaunch the EC2 instances in:
The MOST effective way to reduce latency is to relaunch the EC2 instances in:
a dedicated VPC.
a single subnet inside the VPC.
a placement group.
a single Availability Zone.
Deployment, Provisioning, and Automation
Networking and Content Delivery
A large company is using AWS Organizations to manage hundreds of AWS accounts across multiple AWS Regions. The company has turned on AWS Config throughout the organization.
The company requires all Amazon S3 buckets to block public read access. A SysOps administrator must generate a monthly report that shows all the S3 buckets and whether they comply with this requirement.
Which combination of steps should the SysOps administrator take to collect this data? (Choose two.)
The company requires all Amazon S3 buckets to block public read access. A SysOps administrator must generate a monthly report that shows all the S3 buckets and whether they comply with this requirement.
Which combination of steps should the SysOps administrator take to collect this data? (Choose two.)
Create an AWS Config aggregator in an aggregator account. Use the organization as the source. Retrieve the compliance data from the aggregator.
Create an AWS Config aggregator in each account. Use an S3 bucket in an aggregator account as the destination. Retrieve the compliance data from the S3 bucket.
Edit the AWS Config policy in AWS Organizations. Use the organization s management account to turn on the S3-bucket-public-read-prohibited rule for the entire organization.
Use the AWS Config compliance report from the organization s management account. Filter the results by resource, and select Amazon S3.
Use the Aws Config API to apply the s3-bucket-public-read-prohibited rule in all accounts for all available Regions.
Monitoring and Reporting
Networking and Content Delivery
A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?
Which parameters should be specified to accomplish this in the MOST efficient manner?
Specify PrincipalOrgId as the principal.
Specify * as the principal and PrincipalOrgId as a condition.
Specify all account numbers as the principal.
Specify the organization s master account as the principal.
Deployment, Provisioning, and Automation
Security and Compliance
A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?
Which parameters should be specified to accomplish this in the MOST efficient manner?
Specify * as the principal and PrincipalOrgId as a condition.
Specify all account numbers as the principal.
Specify PrincipalOrgId as the principal.
Specify the organization s master account as the principal.
Deployment, Provisioning, and Automation
Security and Compliance
A manufacturing company uses an Amazon RDS DB instance to store inventory of all stock items. The company maintains several AWS Lambda functions that interact with the database to add, update, and delete items. The Lambda functions use hardcoded credentials to connect to the database.
A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days.
Which solution will meet these requirements in the MOST operationally efficient manner?
A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days.
Which solution will meet these requirements in the MOST operationally efficient manner?
Store the database password as an environment variable for each Lambda function. Create a new Lambda function that is named PasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and update the environment variable for each Lambda function.
Use AWS Key Management Service (AWS KMS) to encrypt the database password and to store the encrypted password as an environment variable for each Lambda function. Grant each Lambda function access to the KMS key so that the database password can be decrypted when required. Create a new Lambda function that is named PasswordRotate to change the password every 30 days.
Use AWS Secrets Manager to store credentials for the database. Create a Secrets Manager secret and select the database so that Secrets Manager will use a Lambda function to update the database password automatically. Specify an automatic rotation schedule of 30 days. Update each Lambda function to access the database password from Secrets Manager.
Use AWS Systems Manager Parameter Store to create a secure string to store credentials for the database. Create a new Lambda function called PasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and to update the secret within Parameter Store. Update each Lambda function to access the database password from Parameter Store.
Security and Compliance
Cost and Performance Optimization
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
Which solution will meet these requirements in the MOST secure manner?
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Security and Compliance
Networking and Content Delivery
Comments