SOA-C01 Sample Questions Answers

The template referenced an IAM user that is not available in eu-west-1

The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1

The template did not have the proper level of permissions to deploy the resources

The template requested services that do not exist in eu-west-1

CloudFormation templates can be used only to update existing services

Configuring IPsec tunnels for the VPN

Ensuring high availability of the EC2 instance

Ensuring high availability of the VPN connection

Managing the health of the underlying EC2 host

AWS CloudTrail for the federated identity user name

AWS IAM Access Advisor for the federated user name

AWS Organizations access log for the federated identity user name

Federated identity provider logs for the user name

Use Amazon Inspector and Amazon CloudWatch Events.

Use AWS Trusted Advisor and Amazon CloudWatch Events.

Use the Personal Health Dashboard and CloudWatch Events.

Use AWS CloudTrail and CloudWatch Events.

Select the AWS Namespace, filter by metric name, then add to the dashboard.

Add a text widget, select the appropriate metric from the custom namespace, then add to the dashboard.

Select the appropriate widget and metrics from the custom namespace, then add to the dashboard.

Open the CloudWatch console, from the CloudWatch Events, add all custom metrics.

Deploy a NAT Gateway and configure the route tables according in the VPC where the EC2 instances are running.

Modify the network ACLs with the private IP addresses in the routes to connect to Amazon S3.

Modify the security groups on the EC2 instances with private IP addresses in the routes to connect to Amazon S3.

Set up AWS Direct connect and configure a virtual interface between the EC2 instances and the S3 buckets.

Set up VPC endpoint in the VPC where the EC2 instances are running and configure the routes tables accordingly.

Create a snapshot of the volume. Create a new volume from the snapshot with the Encrypted parameter set to true. Detach the original volume and attach the new volume to the instance.

Create an encrypted Amazon Machine Image (AMI) of the EC2 instance. Launch a new instance with the encrypted AMI. Terminate the original instance.

Stop the EC2 instance. Encrypt the volume with AWS CloudHSM. Start the instance and verify encryption.

Stop the EC2 instance. Modify the instance properties and set the Encrypted parameter to true. Start the instance and verify encryption.

Add Systems Manager permissions to the instance profile

Configure the bucket used by Session Manager logs to allow write access

install Systems Manager Agent on the instance

Modify the instance security group to allow inbound traffic on SSH port 22

Reboot the instance with a new SSH key pair named ssm-user

Log in to the RDS console and select the encryption box to encrypt the database.

Create a new encrypted Amazon EBS volume and attach it to the instance.

Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.

Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.

Create one public subnet for the Application Load Balancer, one public subnet for the servers, and private subnet for the database servers.

Create one public subnets for the Application Load Balancer, two private subnets for the web servers, and two private subnets for the database servers.

Create two public subnets for the Application Load Balancer, two public subnets for the web servers, and two public subnets for the database servers.

Create two public subnets for the Application Load Balancer, two public subnets for the web servers, and two public subnets for the database servers.

Continue the update rollback while skipping the resources that have been manually deleted.

Run the signal-resource command with the 08 instance name to proceed with the stack rollback.

Recreate the DB Instance using the same resource name, and update the stack.

Remove Amazon RDS from the template, and update the stack.

Write a AWS lambda function that will query the logs every minute and contain the logic of which team to notify on which patterns and issues.

Set up different metric filters for each team based on patterns and alerts. Each alarm will notify the appropriate notification list.

Redesign the aggregation of logs so that each team’s relevant parts are sent to a separate log group, then subscribe each team to its respective log group.

Create an AWS Auto Scaling group of Amazon EC2 instances that will scale based on the amount of ingested log entries. This group will pull streams, look for patterns, and send notifications to relevant teams.

Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack.

Run the awa cloudformation update-attack command with the —rollback-configuration option.

Set an AutoScal ingRollingUpdate policy in the CloudFormation template to update the stack.

Update the CloudFormation template with the new AMI ID. then reboot the EC2 instances.

The AWS Security team

The Amazon EC2 team

The AWS Premium Support team

The company’s System Administrator

Amazon SNS cannot be triggered from the AWS Personal Health Dashboard

The AWS Personal Health Dashboard only reports events from one account, not linked accounts.

The AWS Personal Health Dashboard must be configured from the payer account only; all events will then roll up into the payer account.

AWS Organizations must be used to monitor linked accounts.

Add each existing account to the central organization using AWS IAM.

Create a new organization in each account and join them to the central organization.

Log in to each existing account an add them to the central organization.

Send each existing account an invitation from the central organization.

D18912E1457D5D1DDCBD40AB3BF70D5D

Use duplicate resource definitions for each environment selected based on conditions

Use nested stacks to provision the resources

Use parameter references and mappings for resource attributes

Use AWS Cloud Formation StackSets to provision the resources

Apply an 1AM policy to all 1AM entities in the account with a statement to explicitly deny NotAction: s3:

Configure AWS Config to terminate compute resources that have been created in the accounts.

Configure AWS CloudTrail to block any action where the event source is not s3.amazonaws.com.

Update the service control policy on the account to deny the unapproved services.

Host-based firewalls

NAT Gateway

Network access control lists

Security Groups

Change the root user password by using the AWS CLI routinely.

Periodically use the AWS CLI to rotate access keys and secret keys for the root user.

Use AWS Trusted Advisor security checks to review the configuration of the root user.

Periodically distribute the AWS compliance document from AWS Artifact that governs the root user configuration.

Store AWS CloudTrail logs in Amazon S3 in each account Create a new account to store compliance data and replicate the objects into the newly created account

Store AWS CloudTrail logs in Amazon S3 in each account. Create an 1AM user with read-only access to the CloudTrail logs

From the master account create an organization trail using AWS CloudTrail and apply it to all Regions Use 1AM roles to restrict access.

Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs

Create a Cloud Form at ion stack in the master account of AWS Organizations and execute the Cloud Formation template to create AWS Config rules in all accounts.

Create a CloudFormation stack set. then select the Cloud Formation template and use It to configure the AWS accounts.

Use AWS Organizations to execute the CloudFormation template in all accounts.

Write a script that iterates over the company's AWS accounts and executes the Cloud Formation template in each account.

Copy the AMI to each region using aws ec2 copy-image Update the CloudFormation mapping include mappings for the copy AMIs.

Creating a snapshot of the running instance and copy the snapshot to the other regions. Create an AMI from the snapshots. Update the CloudFormation template for each region to use the new AMI.

Run the existing CloudFormation template in each additional region based on the success of the template used currently in us-east-1.

Update the CloudFormation template to include the additional regions in the auto scaling group. Update the existing stack in us-east-1.

Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits al S3 actions on the bucket to the VPC endpoint as the source

Create a VPC endpoint for the S3 bucket and create a S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source

Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket

Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway

Create an Auto Scaling target tracking scaling policy to gradually move traffic the old version to the new one

Change the Application Load Balancer to a Network Load Balancer, then add both Auto Scaling groups as targets

Use an Amazon Route 53 weighted routing policy to gradually move traffic from the old version to the new one

Deploy Amazon Redshift to gradually move traffic from the old version to the new one using a set of predefined values

The EC2 instances are in the same Availability Zone, causing contention between the two.

The route tables are not updated to allow traffic to flow between the ALB and the EC2 instances.

The ALB health check has failed, and the ALB has taken EC2 instances out of service.

The Amazon Route 53 health check has failed, and the ALB has taken EC2 instances out of service.

Use Amazon CloudFront to cache the traffic and block access to the web servers

Use Amazon GuardDuty to protect the web servers from bots and scrapers

Use AWS Lambda to analyze the web server logs, detect bot traffic, and block the IP address in the security groups

Use AWS WAF rate-based blacklisting to block this traffic when it exceeds a defined threshold

Create an A record for each server. Associate the records with the Route 53 HTTP health check.

Create an A record for each server. Associate the records with the Route 53 TCP health check.

Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.

Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.

Configure EC2 instances to act as VPN appliances, then configure route tables.

Configure inter-region VPC peering between the two VPCs, then configure route tables.

Configure NAT gateways in both VPCs, then configure route tables.

Configure an internet gateway in each VPC, and use these as the targets for the VPC route tables.

Create an Amazon CloudWatch Events for file restoration from Amazon S3 Glacier using the GlacierJobDescrbption API and send the event to an SNS topic the administrator has subscribed to.

Create an AWS Lambda function that perform a HEAD request on the object being restored and checks the storage class of the object. Then send a notification to an SNS topic the administrator has subscribed to when the storage class changes to STANDARD.

Enable an Amazon S3 event notification for the s3: ObjectCreated : Post event that a sends notification to an SNS topic the administrator has subscribed.

Enable S3 event notification for the S3: ObjectRestore: Completed event that sends a notification to an SNS topic the Administrator has subscribed to.

In the payer account: Enable billing alerts in the Billing and Cost Management console; publish an Amazon SNS message when the billing alert triggers.

In each account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.

In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in the Billing and Cost Management console to publish an SNS message when the alarm triggers.

In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers.

Log in to the AWS Billing and Cost Management console of the new account, and use the Cost Allocation Tags manager to create the new user-defined cost allocation tags.

Log in to the AWS Billing and Cost Management console of the payer account, and use Cost Allocation Tags manager to create the new user-defined cost allocation tags.

Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the new account to mark the tags as cost allocation tags.

Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the payer account to mark the tags as cost allocation tags.

Create an encrypted Amazon Machine Image (AMI) of the instance and make it public to allow the other account to search and launch an instance from it.

Create an AMI of the instance, add permissions for the AMI to the other AWS account, and start a new instance in the new region by using that AMI.

Create an AMI of the instance, copy the AMI to the new region, add permissions for the AMI to the other AWS account, and start the new instance.

Create an encrypted snapshot of the instance and make it public Provide only permissions to decrypt to the other AWS account.

Use Amazon CloudFront to log the URL and forward the request

Use Amazon CloudFront to rewrite the header based on the microservice and forward the request

Use a Network Load Balancer (NLB) and do path-based routing

Use an Application Load Balancer (ALB) and do path-based routing

Auto Scaling logs

AWS CloudTrail logs

EC2 instance logs

Elastic Load Balancer access logs

Attach the snapshot to a new Amazon EC2 instance in the same Availability Zone, and copy the deleted file.

Browse to the snapshot and copy the file to the EBS volume within an Amazon EC2 instance.

Create a volume from the snapshot, attach the volume to an Amazon EC2 instance, and copy the deleted file.

Restore the file from the snapshot onto an EC2 instance using the Amazon EC2 console.