amazon AWS Certified SysOps Administrator - Associate (SOA-C02) practice test
Question 1
A company has a new requirement stating that all resources in AWS must be tagged according to a set policy.
Which AWS service should be used to enforce and continually identify all resources that are not in compliance with the
policy?
- A. AWS CloudTrail
- B. Amazon Inspector
- C. AWS Config
- D. AWS Systems Manager
Answer:
C
Explanation:
Reference: https://aws.amazon.com/config/
Question 2
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB
instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2
instance is launched.
What should the SysOps administrator do to meet this requirement?
- A. Add a wait condition to the template. Update the EC2 instance user data script to send a signal after the EC2 instance is started.
- B. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource.
- C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource.
- D. Create multiple templates. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created.
Answer:
B
Question 3
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of
compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
- A. Log in to the RDS console and select the encryption box to encrypt the database.
- B. Create a new encrypted Amazon EBS volume and attach it to the instance.
- C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
- D. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Answer:
A
Explanation:
Reference: https://cloudkul.com/blog/how-to-encrypt-aws-rds-database/
Question 4
A company has an infernal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The
instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the
application highly available.
Which action should the SysOps administrator take to meet this requirement?
- A. Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- B. Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
- D. Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.
Answer:
C
Question 5
A development team recently deployed a new version of a web application to production. After the release, penetration
testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
- A. AWS Shield Standard
- B. AWS WAF
- C. Elastic Load Balancing
- D. Amazon Cognito
Answer:
B
Explanation:
Reference: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-xss-match.html
Question 6
A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be
deleted.
What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be
deleted?
- A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
- B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
- C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
- D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
Answer:
B
Question 7
The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in
the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in
use and the total available IAM policies.
Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?
- A. AWS Trusted Advisor
- B. Amazon Inspector
- C. AWS Config
- D. AWS Organizations
Answer:
A
Explanation:
Reference: https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html#iam-policies
Question 8
An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department,
it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group
membership.
What is the BEST method to allow access using current LDAP credentials?
- A. Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
- B. Create a Lambda function to read LDAP groups and automate the creation of IAM users.
- C. Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
- D. Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.
Answer:
D
Explanation:
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
Question 9
A company is testing Amazon Elasticsearch Service (Amazon ES) as a solution for analyzing system logs from a fleet of
Amazon EC2 instances. During the test phase, the domain operates on a singlenode cluster. A SysOps administrator needs
to transition the test domain into a highly available production-grade deployment.
Which Amazon ES configuration should the SysOps administrator use to meet this requirement?
- A. Use a cluster of four data nodes across two AWS Regions. Deploy four dedicated master nodes in each Region.
- B. Use a cluster of six data nodes across three Availability Zones. Use three dedicated master nodes.
- C. Use a cluster of six data nodes across three Availability Zones. Use six dedicated master nodes.
- D. Use a cluster of eight data nodes across two Availability Zones. Deploy four master nodes in a failover AWS Region.
Answer:
B
Question 10
A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-
premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53
should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic
should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set
appropriately for both primary and secondary servers.
Which next step should be taken to configure Route 53?
- A. Create an A record for each server. Associate the records with the Route 53 HTTP health check.
- B. Create an A record for each server. Associate the records with the Route 53 TCP health check.
- C. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.
- D. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.
Answer:
C
Explanation:
Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-how-route-53-chooses-records.html