Amazon SOA-C02 시험

Question No : 1

A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application.
Which combination of actions should a SysOps administrator take to resolve this problem? (Select TWO.)

• A.Change to the least outstanding requests algorithm on the ALB target group.
• B.Configure cookie forwarding in the CloudFront distribution cache behavior.
• C.Configure header forwarding in the CloudFront distribution cache behavior.
• D.Enable group-level stickiness on the ALB listener rule.
• E.Enable sticky sessions on the ALB target group.

답을 확인하기

정답:
Explanation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html
You can configure each cache behavior to do one of the following: Forward all cookies to your origin C CloudFront includes all cookies sent by the viewer when it forwards requests to the origin. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html
By default, an Application Load Balancer routes each request independently to a registered target based on the chosen load-balancing algorithm.

Question No : 2

A large multinational company has a core application that runs 24 hours a day, 7 days a week on Amazon EC2 and AWS Lambda. The company uses a combination of operating systems across different AWS Regions. The company wants to achieve cost savings and wants to use a pricing model that provides the most flexibility.
What should the company do to MAXIMIZE cost savings while meeting these requirements?

• A.Establish the compute expense by the hour. Purchase a Compute Savings Plan.
• B.Establish the compute expense by the hour. Purchase an EC2 Instance Savings Plan.
• C.Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy.
• D.Use EC2 Spot Instances to match the instances that run in each Region.

답을 확인하기

정답:
Explanation:
To achieve maximum cost savings and flexibility for a 24/7 running application across different AWS regions and operating systems, the best approach is to use a Compute Savings Plan. Compute Savings Plans provide the most flexibility by automatically applying to any EC2 instance usage regardless of instance family, size, OS, tenancy, or AWS Region, and also apply to AWS Fargate and AWS Lambda usage.
Understand Compute Savings Plans:
Compute Savings Plans offer significant savings over On-Demand prices, with the flexibility to use the compute option that best suits your needs.
Purchase a Compute Savings Plan:
Login to the AWS Management Console.
Navigate to the Savings Plans section.
Choose Purchase Savings Plan and select Compute Savings Plan.
Define the hourly commitment amount and the term length (one or three years).
Monitor and Optimize Usage:
Ensure that your usage aligns with the Savings Plan to maximize savings.
Use AWS Cost Explorer and Savings Plans Utilization reports to monitor usage.
Savings Plans
Compute Savings Plans

Question No : 3

A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded: however, upon navigating to the site, the following error message is received:
403 Forbidden - Access Denied
What change should be made to fix this error?

• A.Add a bucket policy that grants everyone read access to the bucket.
• B.Add a bucket policy that grants everyone read access to the bucket objects.
• C.Remove the default bucket policy that denies read access to the bucket.
• D.Configure cross-origin resource sharing (CORS) on the bucket.

답을 확인하기

정답:
Explanation:
To fix the "403 Forbidden - Access Denied" error when accessing a static website hosted on Amazon S3, you need to ensure that the objects in the bucket have the appropriate permissions for public access. Here’s how to do it:
Login to AWS Management Console:
Open the Amazon S3 console at Amazon S3 Console.
Navigate to the Bucket:
In the S3 console, select the bucket hosting the static website.
Add a Bucket Policy:
Go to the Permissions tab.
Choose Bucket Policy and add the following policy to grant public read access to all objects in the bucket:
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
Save the Policy:
After adding the policy, save the changes.
This policy ensures that all objects in the bucket are publicly accessible, resolving the 403 Forbidden error.
Hosting a Static Website on Amazon S3
Bucket Policy Examples

Question No : 4

A company manages an application that uses Amazon ElastiCache for Redis with two extra-large nodes spread across two different Availability Zones. The company's IT team discovers that the ElastiCache for Redis cluster has 75% freeable memory. The application must maintain high availability.
What is the MOST cost-effective way to resize the cluster?

• A.Decrease the number of nodes in the ElastiCache for Redis cluster from 2 to 1.
• B.Deploy a new ElastiCache for Redis cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original duster.
• C.Deploy a new ElastiCache for Redis cluster that uses large node types. Take a backup from the original cluster, and restore the backup in the new cluster. After the process is complete, shut down the original cluster.
• D.Perform an online resizing for the ElastiCache for Redis cluster. Change the node types from extra-large nodes to large nodes.

답을 확인하기

정답:
Explanation:
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/scaling-redis-cluster-mode-enabled.html As demand on your clusters changes, you might decide to improve performance or reduce costs by changing the number of shards in your Redis (cluster mode enabled) cluster. We recommend using online horizontal scaling to do so, because it allows your cluster to continue serving requests during the scaling process.
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/redis-cluster-vertical-scaling-scaling-down.html

Question No : 5

A manufacturing company uses an Amazon RDS DB instance to store inventory of all stock items. The company maintains several AWS Lambda functions that interact with the database to add, update, and delete items. The Lambda functions use hardcoded credentials to connect to the database.
A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days.
Which solution will meet these requirements in the MOST operationally efficient manner?

• A.Store the database password as an environment variable for each Lambda function. Create a new Lambda function that is namedPasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and update the environment variable for each Lambda function.
• B.Use AWS Key Management Service (AWS KMS) to encrypt the database password and to store the encrypted password as an environmentvariable for each Lambda function. Grant each Lambda function access to the KMS key so that the database password can be decrypted when required. Create a new Lambda function that is named PasswordRotate to change the password every 30 days.
• C.Use AWS Secrets Manager to store credentials for the database. Create a Secrets Manager secret, and select the database so that Secrets Manager will use a Lambda function to update the database password automatically. Specify an automatic rotation schedule of 30 days. Update each Lambda function to access the database password from SecretsManager.
• D.Use AWS Systems Manager Parameter Store to create a secure string to store credentials for the database. Create a new Lambda function called PasswordRotate. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and to update the secret within Parameter Store. Update each Lambda function to access the database password from Parameter Store.

답을 확인하기

정답:
Explanation:
To ensure that database credentials are never stored in plaintext and the password is rotated every 30 days, use AWS Secrets Manager:
Store Credentials in Secrets Manager:
Open the AWS Secrets Manager console.
Click on "Store a new secret."
Select "RDS database credentials" and provide the necessary details (username, password, database instance).
Configure the secret's name and details.
Enable Automatic Rotation:
During the secret creation process, enable automatic rotation.
Specify an automatic rotation schedule of 30 days.
Choose the Lambda function that Secrets Manager will use to update the database password automatically.
Update Lambda Functions:
Update each Lambda function to retrieve the database password from Secrets Manager.
Use the AWS SDK in your Lambda code to access Secrets Manager and fetch the secret value.
AWS Secrets Manager
Rotating AWS Secrets Manager Secrets
Retrieve Secrets from AWS Lambda

Question No : 6

A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host.
When looking at the web server logs, the following error is repeated multiple times:
"** Error Establishing a Database Connection
Which of the following may be causes of the connectivity problems? {Select TWO.)

• A.The security group for the database does not have the appropriate egress rule from the database to the web server.
• B.The certificate used by the web server is not trusted by the RDS instance.
• C.The security group for the database does not have the appropriate ingress rule from the web server to the database.
• D.The port used by the application developer does not match the port specified in the RDS configuration.
• E.The database is still being created and is not available for connectivity.

답을 확인하기

정답:
Explanation:
The connectivity issues could be due to:
Security Group Ingress Rules:
Ensure that the security group for the RDS database has the correct ingress rules allowing traffic from the web server’s security group or IP address.
Go to the RDS console, select your database instance, and check the security groups.
In the security group settings, verify that the correct port (usually 3306 for MySQL) is open for the web server's IP or security group.
Port Configuration:
Verify that the application is configured to use the correct port that matches the RDS database configuration.
Check the application configuration files to ensure the port number matches the port specified in the RDS instance.
Amazon RDS Security Groups
Troubleshooting RDS Connectivity

Question No : 7

A company hosts an online shopping portal in the AWS Cloud. The portal provides HTTPS security by using a TLS certificate on an Elastic Load Balancer (ELB). Recently, the portal suffered an outage because the TLS certificate expired. A SysOps administrator must create a solution to automatically renew certificates to avoid this issue in the future.
What is the MOST operationally efficient solution that meets these requirements?
A. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. Write a scheduled AWS Lambda function to renew the certificate every 18 months.
B. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
C. Register a certificate with a third-party certificate authority (CA). Import this certificate into AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
D. Register a certificate with a third-party certificate authority (CA). Configure the ELB to import the certificate directly from the CA. Set the certificate refresh cycle on the ELB to refresh when the certificate is within 3 months of the expiration date.

답을 확인하기

정답: B
Explanation:
"A certificate is eligible for automatic renewal subject to the following considerations: ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront. ELIGIBLE if exported since being issued or last renewed. ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service. ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service." https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

Question No : 8

A company has launched a social media website that gives users the ability to upload images directly to a centralized Amazon S3 bucket. The website is popular in areas that are geographically distant from the AWS Region where the S3 bucket is located. Users are reporting that uploads are slow. A SysOps administrator must improve the upload speed.
What should the SysOps administrator do to meet these requirements?

• A.Create S3 access points in Regions that are closer to the users.
• B.Create an accelerator in AWS Global Accelerator for the S3 bucket.
• C.Enable S3 Transfer Acceleration on the S3 bucket.
• D.Enable cross-origin resource sharing (CORS) on the S3 bucket.

답을 확인하기

정답:
Explanation:
You might want to use Transfer Acceleration on a bucket for various reasons: ->Your customers upload to a centralized bucket from all over the world. ->You transfer gigabytes to terabytes of data on a regular basis across continents. ->You can't use all of your available bandwidth over the internet when uploading to Amazon S3." https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html

Question No : 9

A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53. and wants to point its domain's zone apex to the website.
Which type of record should be used to meet these requirements?

• A.A CNAME record for the domain's zone apex
• B.An A record for the domain's zone apex
• C.An AAAA record for the domain's zone apex
• D.An alias record for the domain's zone apex

답을 확인하기

정답:
Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

Question No : 10

A company is expanding its fleet of Amazon EC2 instances before an expected increase of traffic. When a SysOps administrator attempts to add more instances, an InstanceLimitExceeded error is returned.
What should the SysOps administrator do to resolve this error?

• A.Add an additional CIDR block to the VP
• B.Launch the EC2 instances in a different Availability Zone.
• C.Launch new EC2 instances in another VP
• D.Use Service Quotas to request an EC2 quota increase.

답을 확인하기

정답:
Explanation:
When encountering an InstanceLimitExceeded error, this indicates that you have reached your account limit for the number of EC2 instances.
Use Service Quotas:
Open the Service Quotas console.
In the navigation pane, choose "AWS services" and then "Amazon EC2."
Select the quota you want to increase, such as "Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances."
Click on "Request quota increase."
Fill in the required information, specifying the new quota value.
Submit the request.
Launch Instances After Approval: Once the quota increase is approved, you will be able to launch additional instances.
EC2 Service Quotas
Service Quotas Console

Question No : 11

An errant process is known to use an entire processor and run at 100%. A SysOps administrator wants to automate restarting the instance once the problem occurs for more than 2 minutes.
How can this be accomplished?

• A.Create an Amazon CloudWatch alarm for the Amazon EC2 instance with basic monitoring. Enable an action to restart the instance.
• B.Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
• C.Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes.
• D.Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks.

답을 확인하기

정답:
Explanation:
To automate restarting an EC2 instance when it uses an entire processor and runs at 100% for more than 2 minutes, follow these steps:
Enable Detailed Monitoring: Ensure that your EC2 instance has detailed monitoring enabled. This provides data at 1-minute intervals, which is necessary for setting a CloudWatch alarm based on CPU usage.
Create a CloudWatch Alarm:
Go to the CloudWatch console.
Click on "Alarms" and then "Create Alarm."
Select "EC2 Metrics" and choose the instance for which you want to create the alarm.
Select the CPU utilization metric.
Set the threshold type to static and define the threshold (e.g., CPU utilization > 90% for 2 consecutive periods of 1 minute each).
Configure the alarm actions to specify the action to take when the alarm state is triggered. Choose the "EC2 action" and then "Reboot instance."
Review and Create: Review the settings and create the alarm.
Amazon CloudWatch Alarms
Amazon EC2 Monitoring

Question No : 12

A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts.
Which solution will meet these requirements?

• A.Purchase RIs in individual member accounts. Disable Rl discount sharing in the management account.
• B.Purchase RIs in individual member accounts. Disable Rl discount sharing in the member accounts.
• C.Purchase RIs in the management account. Disable Rl discount sharing in the management account.
• D.Purchase RIs in the management account. Disable Rl discount sharing in the member accounts.

답을 확인하기

정답:
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ri-consolidated-billing/
RI discounts apply to accounts in an organization's consolidated billing family depending upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account. The capacity reservation for an RI applies only to the account the RI was purchased on, no matter whether RI sharing is turned on or off.

Question No : 13

A gaming application is deployed on four Amazon EC2 instances in a default VPC. The SysOps administrator has noticed consistently high latency in responses as data is transferred among the four instances. There is no way for the administrator to alter the application code.
The MOST effective way to reduce latency is to relaunch the EC2 instances in:

• A.a dedicated VP
• B.a single subnet inside the VP
• C.a placement group.
• D.a single Availability Zone.

답을 확인하기

정답:
Explanation:
To reduce latency in data transfer among EC2 instances, especially in high-performance computing (HPC) applications or applications requiring low network latency, using a placement group is the best approach:
Understanding Placement Groups:
A placement group in Amazon EC2 is a logical grouping of instances within a single Availability Zone.
Using placement groups, you can achieve low-latency network performance necessary for tightly coupled node-to-node communication.
Types of Placement Groups:
Cluster Placement Group: Instances are physically located close together in the same Availability Zone to provide low-latency network performance.
Partition Placement Group: Instances are divided into logical segments called partitions, reducing the likelihood of simultaneous failures.
Spread Placement Group: Instances are placed on distinct underlying hardware to reduce correlated failures.
Creating and Using a Placement Group:
You can create a placement group using the AWS Management Console, AWS CLI, or AWS SDKs. When launching instances, specify the placement group to ensure they are launched within the same group.
aws ec2 create-placement-group --group-name my-placement-group --strategy cluster
aws ec2 run-instances --image-id ami-12345678 --count 4 --instance-type c5.large --placement
GroupName=my-placement-group
Relocating Existing Instances:
Stop the instances, modify the placement group settings, and then restart them. Note that not all instance types are supported within placement groups, so check the documentation for compatibility.
Placement Groups
Cluster Instances for Low-Latency

Question No : 14

A company is running a flash sale on its website. The website is hosted on burstable performance Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group is configured to launch instances when the CPU utilization is above 70%.
A couple of hours into the sale, users report slow load times and error messages for refused connections. A SysOps administrator reviews Amazon CloudWatch metrics and notices that the CPU utilization is at 20% across the entire fleet of instances.
The SysOps administrator must restore the website's functionality without making changes to the network infrastructure.
Which solution will meet these requirements?

• A.Activate unlimited mode for the instances in the Auto Scaling group.
• B.Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group.
• C.Move the website to a different AWS Region that is closer to the users.
• D.Reduce the desired size of the Auto Scaling group to artificially increase CPU average utilization.

답을 확인하기

정답:
Explanation:
Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group does not breach the requirement of no changes in the network infrastructure. Reason is that cloudfront is a distribution that allows you to distribute content using a worldwide network of edge locations that provide low latency and high data transfer speeds. It plug in to existing setup, not changes to it.

Question No : 15

A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API calls using the CLI. However. users are not prompted to enter MFA tokens, and are able to run CLI commands without MF
A. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA.
What additional step must be taken to ensure that API calls are authenticated using MFA?
A. Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.
B. Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.
C. Restrict the IAM users to use of the console, as MFA is not supported for CLI use.
D. Require users to use temporary credentials from the get-session token command to sign API calls.

답을 확인하기

정답: D
Explanation:
To enforce MFA for API calls using the AWS CLI, the users must use temporary security credentials obtained through the get-session-token command. Here’s how to do it: Enable MFA for IAM Users:
Ensure that MFA is enabled and properly configured for each IAM user.
Configure IAM Policy for MFA Enforcement:
Attach an IAM policy that denies API calls unless MFA is used. This policy should be attached to all users.
Obtain Temporary Security Credentials Using MFA:
Users need to use the aws sts get-session-token command to obtain temporary credentials. This command requires the MFA token.
sh
Copy code
aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user --token-code 123456
Use Temporary Credentials for API Calls:
After obtaining the temporary credentials, set them as environment variables or configure them in the AWS CLI profile to make API calls.
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
Enabling MFA for IAM Users
Using Temporary Security Credentials
AWS CLI get-session-token