Updated AWS Certified SysOps Administrator - Associate SOA-C01 Training Tools

NEW QUESTION 1
A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region.
Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?

• A. Create a new peering connection Between Prod and Dev along with appropriate routes.
• B. Create a new entry to Prod in the Dev route table using the peering connection as the target.
• C. Attach a second gateway to De
• D. Add a new entry in the Prod route table identifying the gateway as the target.
• E. The VPCs have non-overlapping CIDR blocks in the same accoun
• F. The route tables contain local routes for all VPCs.

Answer: A

Explanation:
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-pg.pdf

NEW QUESTION 2
A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned steps will not be performed while creating the AMI?

• A. Define the AMI launch permissions
• B. Upload the bundled volume
• C. Register the AMI
• D. Bundle the volume

Answer: A

Explanation:
When the user has launched an EC2 instance from an instance store backed AMI, it will need to follow certain steps, such as ??Bundling the root volume??, ??Uploading the bundled volume?? and ??Register the AMI??. Once the AMI is created the user can setup the launch permission. However, it is not required to setup during the launch.

NEW QUESTION 3
A user has launched an EC2 instance. However, due to some reason the instance was terminated. If the user wants to find out the reason for termination, where can he find the details?

• A. It is not possible to find the details after the instance is terminated
• B. The user can get information from the AWS console, by checking the Instance description under the State transition reason label
• C. The user can get information from the AWS console, by checking the Instance description under the Instance Status Change reason label
• D. The user can get information from the AWS console, by checking the Instance description under the Instance Termination reason label

Answer: D

Explanation:
An EC2 instance, once terminated, may be available in the AWS console for a while after termination. The user can find the details about the termination from the description tab under the label State transition reason. If the instance is still running, there will be no reason listed. If the user has explicitly stopped or terminated the instance, the reason will be ??User initiated shutdown??.

NEW QUESTION 4
A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario?

• A. By default ELB will select the first version of the security policy
• B. By default ELB will select the latest version of the policy
• C. ELB creation will fail without a security policy
• D. It is not required to have a security policy since SSL is already installed

Answer: B

Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL. negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. If
the user has created an HTTPS/SSL listener without associating any security policy, Elastic Load Balancing will, by default, associate the latest version of the ELBSecurityPolicy-YYYY-MM with the load balancer.

NEW QUESTION 5
A user has configured ELB with three instances. The user wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the user achieve this for ELB?

• A. Route 53
• B. AWS Mechanical Turk
• C. Auto Scaling
• D. AWS EMR

Answer: A

Explanation:
The user can provide high availability and redundancy for applications running behind Elastic Load Balancer by enabling the Amazon Route 53 Domain Name System (DNS. failover for the load balancers. Amazon Route 53 is a DNS service that provides reliable routing to the user??s infrastructure.

NEW QUESTION 6
A user has enabled the Multi AZ feature with the MS SQL RDS database server. Which of the below mentioned statements will help the user understand the Multi AZ feature better?

• A. In a Multi AZ, AWS runs two DBs in parallel and copies the data asynchronously to the replica copy
• B. In a Multi AZ, AWS runs two DBs in parallel and copies the data synchronously to the replica copy
• C. In a Multi AZ, AWS runs just one DB but copies the data synchronously to the standby replica
• D. AWS MS SQL does not support the Multi AZ feature

Answer: C

Explanation:
Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect your databases against DB instance failure and Availability Zone disruption.Note that the high-availability feature is not a scaling solution for read-only scenarios; you cannot use a standby replica to serve read traffic. To service read-only traffic, you should use a read replica.

NEW QUESTION 7
A root account owner is trying to understand the S3 bucket ACL. Which of the below mentioned options cannot be used to grant ACL on the object using the authorized predefined group?

• A. Authenticated user group
• B. All users group
• C. Log Delivery Group
• D. Canonical user group

Answer: D

Explanation:
An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups. Amazon S3 has a set of predefined groups. When granting account access to a group, the user can specify one of the URLs of that group instead of a canonical user ID. AWS S3 has the following predefined groups:
Authenticated Users group: It represents all AWS accounts. All Users group: Access permission to this group allows anyone to access the resource. Log Delivery group: WRITE permission on a bucket enables this group to write server access logs to the bucket.

NEW QUESTION 8
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption (SSE-C., which of the below mentioned statements is true?

• A. The user should use the same encryption key for all versions of the same object
• B. It is possible to have different encryption keys for different versions of the same object
• C. AWS S3 does not allow the user to upload his own keys for server side encryption
• D. The SSE-C does not work when versioning is enabled

Answer: B

Explanation:
AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key (SSE-C.. If the bucket is versioning-enabled, each object version uploaded by the user using the SSE-C feature can have its own encryption key. The user is responsible for tracking which encryption key was used for which object's version

NEW QUESTION 9
Amazon EBS snapshots have which of the following two characteristics? Choose 2 answers

• A. EBS snapshots only save incremental changes from snapshot to snapshot
• B. EBS snapshots can be created in real-time without stopping an EC2 instance
• C. EBS snapshots can only be restored to an EBS volume of the same size or smaller
• D. EBS snapshots can only be restored and mounted to an instance in the same Availability Zone as the original EBS volume

Answer: AB

NEW QUESTION 10
A user is planning to schedule a backup for an EBS volume. The user wants security of the snapshot data. How can the user achieve data encryption with a snapshot?

• A. Use encrypted EBS volumes so that the snapshot will be encrypted by AWS
• B. While creating a snapshot select the snapshot with encryption
• C. By default the snapshot is encrypted by AWS
• D. Enable server side encryption for the snapshot using S3

Answer: A

Explanation:
AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. The data at rest, the I/O as well as all the snapshots of the encrypted EBS will also be encrypted. EBS encryption is based on the AES-256 cryptographic algorithm, which is the industry standard.

NEW QUESTION 11
A sys admin is planning to subscribe to the RDS event notifications. For which of the below mentioned source categories the subscription cannot be configured?

• A. DB security group
• B. DB snapshot
• C. DB options group
• D. DB parameter group

Answer: C

Explanation:
Amazon RDS uses the Amazon Simple Notification Service (SNS. to provide a notification when an Amazon RDS event occurs. These events can be configured for source categories, such as DB instance, DB security group, DB snapshot and DB parameter group.

NEW QUESTION 12
Your organization's security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password.
Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers

• A. Configure multi-factor authentication for privileged 1AM users
• B. Create 1AM users for privileged accounts
• C. Implement identity federation between your organization's Identity provider leveraging the 1AM Security Token Service
• D. Enable the 1AM single-use password policy option for privileged users

Answer: AB

Explanation:
See also: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Enable MFA for privileged users
For extra security, enable multifactor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

NEW QUESTION 13
A user is trying to create a PIOPS EBS volume with 8 GB size and 200 IOPS. Will AWS create the volume?

• A. Yes, since the ratio between EBS and IOPS is less than 30
• B. No, since the PIOPS and EBS size ratio is less than 30
• C. No, the EBS size is less than 10 GB
• D. Yes, since PIOPS is higher than 100

Answer: C

Explanation:
A provisioned IOPS EBS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB.

NEW QUESTION 14
A company website hosts patches for software that is sold globally. The website rules in AWS perform will until large software patch is released. The flood of download puts a strain on the web servers and leads to a poor customer experience.
What can the SysOps Administrator propose to enhance customer experience, create a more available platform, and keep costs low?

• A. Use an Amazon Cloud Front distribution to cache static content, including software patches.
• B. Increase the size of the NAT instance to improve through.
• C. Scale out the web servers in advance of patch releases to reduce Auto Scaling delays.
• D. Move the content to IO1 and provision additional IOPS to the volume that contains the software patches.

Answer: D

NEW QUESTION 15
A user is measuring the CPU utilization of a private data centre machine every minute. The machine provides the aggregate of data every hour, such as Sum of data??, ??Min value??, ??Max value, and ??Number of Data points??.
The user wants to send these values to CloudWatch. How can the user achieve this?

• A. Send the data using the put-metric-data command with the aggregate-values parameter
• B. Send the data using the put-metric-data command with the average-values parameter
• C. Send the data using the put-metric-data command with the statistic-values parameter
• D. Send the data using the put-metric-data command with the aggregate ?Vdata parameter

Answer: C

Explanation:
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. The user can publish the data to CloudWatch as single data points or as an aggregated set of data points called a statistic set using the command put- metric-data. When sending the aggregate data, the user needs to send it with the parameter statistic-values:
awscloudwatch put-metric-data --metric-name <Name> --namespace <Custom namespace -- timestamp
<UTC Format> --statistic-values Sum=XX,Minimum=YY,Maximum=AA,SampleCount=BB --unit Milliseconds

NEW QUESTION 16
A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?

• A. SNS will send data every minute after configuration
• B. There is no need to enable since SNS provides data every minute
• C. AWS CloudWatch does not support monitoring for SNS
• D. SNS cannot provide data every minute

Answer: D

Explanation:
CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed
monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.

NEW QUESTION 17
A user has configured the Auto Scaling group with the minimum capacity as 3 and the maximum capacity as 5. When the user configures the AS group, how many instances will Auto Scaling launch?

• A. 3
• B. 5
• C. 2

Answer: A

Explanation:
The default launch is going to configure 3 instances. It will only go to 5 under certain conditions. It won??t launch initially 5 instances. This question doesn??t give enough information to answer fully.

NEW QUESTION 18
An AWS account owner has setup multiple IAM users. One IAM user only has CloudWatch access. He has setup the alarm action which stops the EC2 instances when the CPU utilization is below the threshold limit. What will happen in this case?

• A. It is not possible to stop the instance using the CloudWatch alarm
• B. CloudWatch will stop the instance when the action is executed
• C. The user cannot set an alarm on EC2 since he does not have the permission
• D. The user can setup the action but it will not be executed if the user does not have EC2 rights

Answer: D

Explanation:
Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can setup an action which stops the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance as part of the EC2 action. If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.

NEW QUESTION 19
A user is trying to delete an Auto Scaling group from CLI. Which of the below mentioned steps are to be performed by the user?

• A. Terminate the instances with the ec2-terminate-instance command
• B. Terminate the Auto Scaling instances with the as-terminate-instance command
• C. Set the minimum size and desired capacity to 0
• D. There is no need to change the capacit
• E. Run the as-delete-group command and it will reset all values to 0

Answer: C

Explanation:
If the user wants to delete the Auto Scaling group, the user should manually set the values of the minimum and desired capacity to 0. Otherwise Auto Scaling will not allow for the deletion of the group from CLI. While trying from the AWS console, the user need not set the values to 0 as the Auto Scaling console will automatically do so.

NEW QUESTION 20
An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DyanmoDB table. All the users are added to the same group and the organization wants to setup a group level policy for this. How can the organization achieve this?

• A. Define the group policy and add a condition which allows the access based on the IAM name
• B. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
• C. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
• D. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. AWS DynamoDB has only tables and the organization cannot makeseparate databases. The organization should create a table with the same name as the IAM user name and use the ARN of DynamoDB as part of the group policy. The sample policy is shown below:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["dynamodb:*"],
"Resource": "arn:aws:dynamodb:region:account-number-without-hyphens:table/${aws:username}"
}
]
}

NEW QUESTION 21
A root AWS account owner is trying to understand various options to set the permission to AWS S3. Which of the below mentioned options is not the right option to grant permission for S3?

• A. User Access Policy
• B. S3 Object Access Policy
• C. S3 Bucket Access Policy
• D. S3 ACL

Answer: B

Explanation:
Amazon S3 provides a set of operations to work with the Amazon S3 resources. Managing S3 resource access refers to granting others permissions to work with S3. There are three ways the root account owner can define access with S3:
S3 ACL: The user can use ACLs to grant basic read/write permissions to other AWS accounts.
S3 Bucket Policy: The policy is used to grant other AWS accounts or IAM users permissions for the bucket and the objects in it.
User Access Policy: Define an IAM user and assign him the IAM policy which grants him access to S3.

NEW QUESTION 22
......