SOA-C01 AWS Certified SysOps Administrator - Associate Questions and Answers

Use a VPN to set up a tunnel between the on-premises data center and the AWS resources

Use AWS Certificate Manager to create TLS/SSL certificates

Use AWS CloudHSM to encrypt the data

Use AWS KMS to create TLS/SSL certificates

Use AWS KMS to manage the encryption keys used for data encryption

Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service.

Move all of the EC2 instances behind an internet gateway and provide the gateway IP address to the service.

Move all of the EC2 instances into a single Availability Zone and provide the Availability Zone IP address to the service.

Move all of the EC2 instances to a peered VPC and provide the VPC IP address to the service.

AWS will apply the patch during the next maintenance window and will provide the Administrator with a report of all patched EC2 instances

AWS will relaunch the EC2 instances with the latest version of the Amazon Machine Image (AMI) and will provide the Administrator with a report of all patched EC2 instances

AWS will research the vulnerability to see if the Administrator's operating system is impacted and will patch the EC2 instances that are affected

AWS will review the shared responsibility model with the Administrator and advise them regarding how to patch the EC2 instances

Change the root user password by using the AWS CLI routinely.

Periodically use the AWS CLI to rotate access keys and secret keys for the root user.

Use AWS Trusted Advisor security checks to review the configuration of the root user.

Periodically distribute the AWS compliance document from AWS Artifact that governs the root user configuration.

Back up the current KMS key and enable automatic key rotation.

Create a new key in AWS KMS and assign the key to Amazon EBS.

Enable automatic key rotation of the EBS volume key in AWS KMS.

Upload ne key material to the EBS volume key in AWS KMS to enable automatic key rotation for the volume.

Create a customer gateway to connect to Amazon S3 Modify the route table of the private subnets to use the customer gateway

Create a gateway VPC endpoint for Amazon S3 Modify the route table of the private subnets to use the gateway VPC endpoint.

Create a NAT gateway in the private subnets. Modify the route table of the subnets to use the NAT gateway.

Create an S3 bucket policy to allow connections from the private subnets. Modify the route table.

AWS CloudTrail data event logging

AWS CloudTrail management event logging

Amazon inspector bucket event logging

Amazon inspector event logging

Copy the AMI to each region using aws ec2 copy-image Update the CloudFormation mapping include mappings for the copy AMIs.

Creating a snapshot of the running instance and copy the snapshot to the other regions. Create an AMI from the snapshots. Update the CloudFormation template for each region to use the new AMI.

Run the existing CloudFormation template in each additional region based on the success of the template used currently in us-east-1.

Update the CloudFormation template to include the additional regions in the auto scaling group. Update the existing stack in us-east-1.

Create an AWS Lambda function K> look up user data settings of the EC2 instance and publish a notification to an Amazon Simple Notification Service {Amazon SNS) topic.

Create AWS Config rules to monitor the fleet of EC2 instances and publish a notification to an Amazon Simple Notification Service {Amazon SNS) topic.

Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to publish AWS Personal Health Dashboard events to an Amazon Simple Notification Service (Amazon SNS) topic.

Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to publish AWS Service Health Dashboard events lo an Amazon Simple Notification Service (Amazon SNS) topic.

Implement a blue/green strategy using AWS Elastic Beanstalk.

Perform a canary deployment using Application Load Balancers and target groups.

Create a change set for the running stack.

Submit the update using the UpdateStack API call.

AWS will apply the patch during the next maintenance window and will provide the Administrator with a report of all patched EC2 instances

AWS will relaunch the EC2 instances with the latest version of the Amazon Machine Image (AMI) and will provide the Administrator with a report of all patched EC2 instances

AWS will research the vulnerability to see if the Administrator's operating system is impacted and will patch the EC2 instances that are affected

AWS will review the shared responsibility model with the Administrator and advise them regarding how to patch the EC2 instances

a dedicated VPC.

a single subnet inside the VPC.

a placement group.

a single Availability Zone.

Add a product from the imported portfolio to a local portfolio.

Add new product to the imported portfolio.

Change the launch role for the products contained in the imported portfolio.

Remove Products from the imported portfolio.

Attach the snapshot to a new Amazon EC2 instance in the same Availability Zone, and copy the deleted file.

Browse to the snapshot and copy the file to the EBS volume within an Amazon EC2 instance.

Create a volume from the snapshot, attach the volume to an Amazon EC2 instance, and copy the deleted file.

Restore the file from the snapshot onto an EC2 instance using the Amazon EC2 console.

Configure an AWS Data Pipeline resource with a CopyActivity activity object. Specify the input and output bucket names and a list of object keys.

Configure the S3 bucket resource to activate cross-Region replication. Point to the existing S3 bucket and specify a list of object keys to replicate.

Create an AWS Lambda function that can perform the copy operation. Add the Lambda function to the template as a custom resource.

Specify the commands to copy the objects in the user data field of the template's S3 bucket resource.

AWS Service Health Dashboard

AWS Trusted Advisor

AWS Personal Health Dashboard

AWS Systems Manager

Add a new inbound rule:

database-ag TCP 5432

Add a new outbound rule:

database-sg TCP 5432

Add a new outbound rule:

0.0.0.0/0 Ail Traffic 0-€5535

Change the outbound rule to:

cache-sg TCP 54 32

Active AWS Budgets.

Active cost allocation tags

Create an organization using AWS Organization

Create and apply resource tags

enable AWS trusted advisor

Create a new CloudFormation stack based on the changes that were made Delete the old stack and deploy the new stack

Update the CloudFormation stack using a change set Review the changes and update the stack

Update the CloudFormation stack by modifying the selected parameters in the template to match what was changed

Use drift detection on the CloudFormation stack Use the output to update the CloudFormation template and redeploy the stack

Activate the createdBy tag in the account

Analyze the usage with Amazon CloudWatch dashboards

Analyze the usage with Cost Explorer

Configure AWS Trusted Advisor to track resource usage

Create a billing alarm in AWS Budgets

Create and run an Amazon Inspector assessment template.

Manually SSH into each instance and check the software version.

Use AWS CloudTrail to verify Amazon EC2 activity in the account.

Write a custom script and use AWS CodeDeploy to deploy to Amazon EC2 instances.

The cluster has Enhanced VPC Routing enabled and it must be turned off

The cluster is only a single node and needs to be expanded to multi-node.

The cluster login credentials are incorrect request new credentials from the Administrator

The cluster nodes are running in multiple Availability Zones, and all need to be placed in a single Availability Zone.

Scale the cluster by adding additional nodes

Scale the cluster by adding read replicas

Scale the cluster by increasing CPU capacity

Scale the web layer by adding additional EC2 instances

Use Amazon CloudFront to log the URL and forward the request

Use Amazon CloudFront to rewrite the header based on the microservice and forward the request

Use a Network Load Balancer (NLB) and do path-based routing

Use an Application Load Balancer (ALB) and do path-based routing

Delete the failed stack and create a new stack.

Execute a change set on the failed stack.

Perform an update-stack action on the failed stack.

Run a validate-template command.

Copy an automated RDS snapshot to the security account using the copy-db-snapshot command with the AWS CLI.

Create an RDS MySQL Read Replica for the critical database in the security account, then enable automatic backups for the Read Replica.

Create an RDS snapshot with the AWS CLI create-db-snapshot command, share it with the security account, then create a copy of the shared snapshot in the security account.

Use AWS DMS to replicate data from the critical database to another RDS MySQL instance in the security account, then use an automated backup for the RDS instance.

Use a simple scaling policy based on a custom metric that measures the average active requests of all EC2 instances

Use a simple scaling policy based on the Auto Scaling group GroupDesiredCapacity metric

Use a target tracking scaling policy based on the ALB’s ActiveConnectionCount metric

Use a target tracking scaling policy based on the ALB’s RequestCountPerTarget metric

Add s3:Deleteobject permission to the IAM execution role of the AWS Lambda function in Account A.

Change the bucket policy of the S3 bucket in Account B to allow s3:Deleteobject permission for Account A.

Disable server-side encryption for objects written to the S3 bucket by the Lambda function.

Call the S3:PutObjectAcl API operation from the Lambda function in Account A to specify bucket owner, full control.

Implement an IAM policy that uses the aws:sourceConnection condition to allow access from the AWS Direct Connect connection ID only

Set up a public virtual interface on the AWS Direct Connect connection

Configure AWS Shield to protect the AWS Management Console from being accessed by IP addresses other than those within the data center ranges

Update all the VPC network ACLs to allow access from the data center IP ranges

AWS Cost Explorer

AWS Config

AWS Organizations

AWS Budgets

Resources tags defined in the CloudFormation template are specific to the us-east-1 Region.

The Amazon Machine Image (AMI) ID referenced in the CloudFormation template could not be found in the us-west-2 Region.

The cfn-init script did not execute during resource provisioning in the us-west-2 Region.

The IAM user was not created in the specified Region.

The EC2 instances are in the same Availability Zone, causing contention between the two.

The route tables are not updated to allow traffic to flow between the ALB and the EC2 instances.

The ALB health check has failed, and the ALB has taken EC2 instances out of service.

The Amazon Route 53 health check has failed, and the ALB has taken EC2 instances out of service.

Enable the CloudTrail log file integrity check in AWS Config Rules.

Use CloudWatch Events to scan log files hourly.

Enable CloudTrail log file integrity validation.

Turn on Amazon S3 MFA Delete for the CloudTrail bucket.

Implement a DENY ALL bucket policy on the CloudTrail bucket.

change sets What features of AWS CloudFormation will

Nested stacks

Stack policies

StacksSets

Create a service control policy in AWS Organizations and apply it to the development account.

Create a customer managed policy in IAM and apply it to all users within the development account.

Create a job function policy in IAM and apply it to all users within the development account.

Create an IAM policy and apply it in API Gateway to restrict the development account.