Free SOA-C02 Sample Questions — AWS Certified SysOps Administrator - Associate (SOA-C02)

Free SOA-C02 sample questions for the AWS Certified SysOps Administrator - Associate (SOA-C02) exam. No account required: study at your own pace.

Question 1

A SysOps administrator created an AWS CloudFormation template that provisions an Amazon EventBridge rule that invokes an AWS Lambda function. The Lambda function is designed to write event details to an Amazon CloudWatch log group. The function has permissions to write events to Amazon CloudWatch Logs. However, the SysOps administrator discovered that the Lambda function is not running. How should the SysOps administrator resolve the problem?

  • A. Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for EventBridge to invoke the function. Assign the role to the EventBridge rule
  • B. Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for the function. Assign the role as the function execution role
  • C. Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure events.amazonaws.com has permissions to invoke the function
  • D. Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure lambda.amazonaws.com has permissions to invoke the function
Correct Answer:
C. Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure events.amazonaws.com has permissions to invoke the function
Question 2

A SysOps administrator has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different administrator. Which action will the administrator of the second account be able to perform?

  • A. Add a product from the imported portfolio to a local portfolio
  • B. Add new products to the imported portfolio
  • C. Change the launch role for the products contained in the imported portfolio
  • D. Customize the products in the imported portfolio
Correct Answer:
A. Add a product from the imported portfolio to a local portfolio
Question 3

A SysOps administrator has many Windows Amazon EC2 instances that need to share a file system between nodes. The SysOps administrator creates an Amazon Elastic File System (Amazon EFS) file share. After creation of the file share, the SysOps administrator is having trouble mounting the file share to the EC2 instances. Which action should the SysOps administrator take so that the EC2 instances can share the files?

  • A. Delete the EFS file share. Create an Amazon FSx for Windows File Server file share for the EC2 instances
  • B. Use the correct IAM credentials to mount the EFS file share
  • C. Configure NFSv4 support on the Windows operating system that is running on the EC2 instances
  • D. Allow the correct port for NFS through the security group and network ACL
Correct Answer:
A. Delete the EFS file share. Create an Amazon FSx for Windows File Server file share for the EC2 instances
Question 4

A company has a core application that must run 24 hours a day, 7 days a week. The application uses Amazon EC2, AWS Fargate, and AWS Lambda. The company uses a combination of operating systems across different AWS Regions. The company needs to maximize cost savings while committing to a pricing model that offers flexibility to make changes. What should the company do to meet these requirements?

  • A. Purchase a Compute Savings Plan that is based on Savings Plans recommendations
  • B. Purchase an EC2 Instance Savings Plan that covers the EC2 instance types and the Fargate and Lambda vCPU equivalents
  • C. Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy
  • D. Use EC2 Spot Instances that match the type and size of existing instances that run in each Region
Correct Answer:
A. Purchase a Compute Savings Plan that is based on Savings Plans recommendations
Question 5

An AWS Lambda function is intermittently failing several times a day. A SysOps administrator must find out how often this error has occurred in the last 7 days. Which action will meet this requirement in the MOST operationally efficient manner?

  • A. Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function
  • B. Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function
  • C. Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs
  • D. Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to stream the Amazon CloudWatch logs for the Lambda function
Correct Answer:
C. Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs
Question 6

A SysOps administrator needs to automate the invocation of an AWS Lambda function. The Lambda function must run at the end of each day to generate a report on data that is stored in an Amazon S3 bucket. What is the MOST operationally efficient solution that meets these requirements?

  • A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that has an event pattern for Amazon S3 and the Lambda function as a target
  • B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that has a schedule and the Lambda function as a target
  • C. Create an S3 event notification to invoke the Lambda function whenever objects change in the S3 bucket
  • D. Deploy an Amazon EC2 instance with a cron job to invoke the Lambda function
Correct Answer:
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that has a schedule and the Lambda function as a target
Question 7

A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC. What is the MOST operationally efficient method to deploy and update the VPCs in each account?

  • A. Create an AWS CloudFormation template that defines the VPC. Sign in to the AWS Management Console under each account. Create a stack from the template
  • B. Create a shell script that configures the VPC using the AWS CLI. Provide a list of accounts to the shell script from a text file. Create the VPC in every account in the list
  • C. Create an AWS Lambda function that configures the VPC. Store the account information in Amazon DynamoDB. Grant Lambda access to the DynamoDB table. Create the VPC in every account in the list
  • D. Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template. Deploy the template to all accounts using the stack set
Correct Answer:
D. Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template. Deploy the template to all accounts using the stack set
Question 8

A company’s SysOps administrator deploys a public Network Load Balancer (NLB) in front of the company’s web application. The web application does not use any Elastic IP addresses. Users must access the web application by using the company’s domain name. The SysOps administrator needs to configure Amazon Route 53 to route traffic to the NLB. Which solution will meet these requirements MOST cost-effectively?

  • A. Create a Route 53 AAAA record for the NLB
  • B. Create a Route 53 alias record for the NLB
  • C. Create a Route 53 CAA record for the NLB
  • D. Create a Route 53 CNAME record for the NLB
Correct Answer:
B. Create a Route 53 alias record for the NLB
Question 9

A company recently migrated its application to a VPC on AWS. An AWS Site-to-Site VPN connection connects the company’s on-premises network to the VPC. The application retrieves customer data from another system that resides on premises. The application uses an on-premises DNS server to resolve domain records. After the migration, the application is not able to connect to the customer data because of name resolution errors. Which solution will give the application the ability to resolve the internal domain names?

  • A. Launch EC2 instances in the VPC. On the EC2 instances, deploy a custom DNS forwarder that forwards all DNS requests to the on-premises DNS server. Create an Amazon Route 53 private hosted zone that uses the EC2 instances for name servers
  • B. Create an Amazon Route 53 Resolver outbound endpoint. Configure the outbound endpoint to forward DNS queries against the on-premises domain to the on-premises DNS server
  • C. Set up two AWS Direct Connect connections between the AWS environment and the on-premises network. Set up a link aggregation group (LAG) that includes the two connections. Change the VPC resolver address to point to the on-premises DNS server
  • D. Create an Amazon Route 53 public hosted zone for the on-premises domain. Configure the network ACLs to forward DNS requests against the on-premises domain to the Route 53 public hosted zone
Correct Answer:
B. Create an Amazon Route 53 Resolver outbound endpoint. Configure the outbound endpoint to forward DNS queries against the on-premises domain to the on-premises DNS server
Question 10

A company is deploying a third-party unit testing solution that is delivered as an Amazon EC2 Amazon Machine Image (AMI). All system configuration data is stored in Amazon DynamoDB. The testing results are stored in Amazon S3. A minimum of three EC2 instances are required to operate the product. The company’s testing team wants to use an additional three EC2 instances when the Spot Instance prices are at a certain threshold. A SysOps administrator must implement a highly available solution that provides this functionality. Which solution will meet these requirements with the LEAST operational overhead?

  • A. Define an Amazon EC2 Auto Scaling group by using a launch configuration. Use the provided AMI in the launch configuration. Configure three On-Demand Instances and three Spot Instances. Configure a maximum Spot Instance price in the launch configuration
  • B. Define an Amazon EC2 Auto Scaling group by using a launch template. Use the provided AMI in the launch template. Configure three On-Demand Instances and three Spot instances. Configure a maximum Spot Instance price in the launch template
  • C. Define two Amazon EC2 Auto Scaling groups by using launch configurations. Use the provided AMI in the launch configurations. Configure three On-Demand Instances for one Auto Scaling group. Configure three Spot Instances for the other Auto Scaling group. Configure a maximum Spot Instance price in the launch configuration for the Auto Scaling group that has Spot Instances
  • D. Define two Amazon EC2 Auto Scaling groups by using launch templates. Use the provided AMI in the launch templates. Configure three On-Demand Instances for one Auto Scaling group. Configure three Spot Instances for the other Auto Scaling group. Configure a maximum Spot Instance price in the launch template for the Auto Scaling group that has Spot Instances
Correct Answer:
B. Define an Amazon EC2 Auto Scaling group by using a launch template. Use the provided AMI in the launch template. Configure three On-Demand Instances and three Spot instances. Configure a maximum Spot Instance price in the launch template
Question 11

A SysOps administrator creates a custom Amazon Machine Image (AMI) in the eu-west-2 Region and uses the AMI to launch Amazon EC2 instances. The SysOps administrator needs to use the same AMI to launch EC2 instances in two other Regions: us-east-1 and us-east-2. What must the SysOps administrator do to use the custom AMI in the additional Regions?

  • A. Copy the AMI to the additional Regions
  • B. Make the AMI public in the Community AMIs section of the AWS Management Console
  • C. Share the AMI to the additional Regions. Assign the required access permissions
  • D. Copy the AMI to a new Amazon S3 bucket. Assign access permissions to the AMI for the additional Regions
Correct Answer:
A. Copy the AMI to the additional Regions
Question 12

A company needs to view a list of security groups that are open to the internet on port 3389. What should a SysOps administrator do to meet this requirement?

  • A. Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389
  • B. Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389
  • C. Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389
  • D. Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389
Correct Answer:
D. Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389
Question 13

A company is running workloads on premises and on AWS. A SysOps administrator needs to automate tasks across all servers on premises by using AWS services. The SysOps administrator must not install long-term credentials on the on-premises servers. What should the SysOps administrator do to meet these requirements?

  • A. Create an IAM role and instance profile that include AWS Systems Manager permissions. Attach the role to the on-premises servers
  • B. Create a managed-instance activation in AWS Systems Manager. Install the Systems Manager Agent (SSM Agent) on the on-premises servers. Register the servers with the activation code and ID from the instance activation
  • C. Create an AWS managed IAM policy that includes the appropriate AWS Systems Manager permissions. Download the IAM policy to the on-premises servers
  • D. Create an IAM user and an access key. Log on to the on-premises servers and install the AWS CLI. Configure the access key in the AWS credentials file after the AWS CLI is successfully installed
Correct Answer:
B. Create a managed-instance activation in AWS Systems Manager. Install the Systems Manager Agent (SSM Agent) on the on-premises servers. Register the servers with the activation code and ID from the instance activation
Question 14

A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?

  • A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted
  • B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts
  • C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts
  • D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets
Correct Answer:
B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts
Question 15

A SysOps administrator is using AWS CloudFormation StackSets to create AWS resources in two AWS Regions in the same AWS account. A stack operation fails in one Region and returns the stack instance status of OUTDATED. What is the cause of this failure?

  • A. The CloudFormation template changed on the local disk and has not been submitted to CloudFormation
  • B. The CloudFormation template is trying to create a global resource that is not unique
  • C. The stack has not yet been deployed to the Region
  • D. The SysOps administrator is using an old version of the CloudFormation API
Correct Answer:
B. The CloudFormation template is trying to create a global resource that is not unique
Question 16

A global company operates out of five AWS Regions. A SysOps administrator wants to identify all the company's tagged and untagged Amazon EC2 instances. The company requires the output to display the instance ID and tags. What is the MOST operationally efficient way for the SysOps administrator to meet these requirements?

  • A. Create a tag-based resource group in AWS Resource Groups
  • B. Use AWS Trusted Advisor. Export the EC2 On-Demand Instances check results from Trusted Advisor
  • C. Use Cost Explorer. Choose a service type of EC2-Instances, and group by Resource
  • D. Use Tag Editor in AWS Resource Groups. Select all Regions, and choose a resource type of AWS::EC2::Instance
Correct Answer:
D. Use Tag Editor in AWS Resource Groups. Select all Regions, and choose a resource type of AWS::EC2::Instance
Question 17

A company wants to track its expenditures for Amazon EC2 and Amazon RDS within AWS. The company decides to implement more rigorous tagging requirements for resources in its AWS accounts. A SysOps administrator needs to identify all noncompliant resources. What is the MOST operationally efficient solution that meets this requirement?

  • A. Create a rule in Amazon EventBridge that invokes a custom AWS Lambda function that will evaluate all created or updated resources for the specified tags
  • B. Create a rule in AWS Config that invokes a custom AWS Lambda function that will evaluate all resources for the specified tags
  • C. Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags
  • D. Create a rule in Amazon EventBridge with a managed rule to evaluate all created or updated resources for the specified tags
Correct Answer:
C. Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags
Question 18

A SysOps administrator must configure a resilient tier of Amazon EC2 instances for a high performance computing (HPC) application. The HPC application requires minimum latency between nodes. Which actions should the SysOps administrator take to meet these requirements? (Choose two.)

  • A. Create an Amazon Elastic File System (Amazon EFS) file system. Mount the file system to the EC2 instances by using user data
  • B. Create a Multi-AZ Network Load Balancer in front of the EC2 instances
  • C. Place the EC2 instances in an Auto Scaling group within a single subnet
  • D. Launch the EC2 instances into a cluster placement group
  • E. Launch the EC2 instances into a partition placement group
Correct Answer:
  • C. Place the EC2 instances in an Auto Scaling group within a single subnet
  • D. Launch the EC2 instances into a cluster placement group
Question 19

A company’s SysOps administrator must ensure that all Amazon EC2 Windows instances that are launched in an AWS account have a third-party agent installed. The third-party agent has an .msi package. The company uses AWS Systems Manager for patching, and the Windows instances are tagged appropriately. The third-party agent requires periodic updates as new versions are released. The SysOps administrator must deploy these updates automatically. Which combination of steps will meet these requirements with the LEAST operational effort? (Choose two.)

  • A. Create a Systems Manager Distributor package for the third-party agent
  • B. Make sure that Systems Manager Inventory is configured. If Systems Manager Inventory is not configured, set up a new inventory for instances that is based on the appropriate tag value for Windows
  • C. Create a Systems Manager State Manager association to run the AWS-RunRemoteScript document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day
  • D. Create a Systems Manager State Manager association to run the AWS-ConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day
  • E. Create a Systems Manager OpsItem with the tag value for Windows. Attach the Systems Manager Distributor package to the OpsItem. Create a maintenance window that is specific to the package deployment. Configure the maintenance window to cover 24 hours a day
Correct Answer:
  • A. Create a Systems Manager Distributor package for the third-party agent
  • D. Create a Systems Manager State Manager association to run the AWS-ConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day
Question 20

A company is running an ecommerce application on AWS. The application maintains many open but idle connections to an Amazon Aurora DB cluster. During times of peak usage, the database produces the following error message: "Too many connections." The database clients are also experiencing errors. Which solution will resolve these errors?

  • A. Increase the read capacity units (RCUs) and the write capacity units (WCUs) on the database
  • B. Configure RDS Proxy. Update the application with the RDS Proxy endpoint
  • C. Turn on enhanced networking for the DB instances
  • D. Modify the DB cluster to use a burstable instance type
Correct Answer:
B. Configure RDS Proxy. Update the application with the RDS Proxy endpoint
