Last Updated on September 4, 2021 by Admin 2

SOA-C01 : AWS-SysOps : Part 08

  1. A user is running one instance for only 3 hours every day. The user wants to save some cost with the instance. Which of the below mentioned Reserved Instance categories is advised in this case?

    • The user should not use RI; instead only go with the on-demand pricing
    • The user should use the AWS high utilized RI
    • The user should use the AWS medium utilized RI
    • The user should use the AWS low utilized RI
    Explanation:
    The AWS Reserved Instance provides the user with an option to save some money by paying a one-time fixed amount and then saving on the hourly rate. It is advisable that if the user has 30% or more usage of an instance per day, he should go for an RI. If the user is going to use an EC2 instance for more than 2200-2500 hours per year, an RI will help the user save some cost. Here, the instance runs only 3 hours a day, which over a year comes to about 1095 hours, well under 1500 hours. Thus, it is advisable that the user use on-demand pricing.

  2. A user has set up an RDS DB with Oracle. The user wants to get notifications when someone modifies the security group of that DB. How can the user configure that?

    • It is not possible to get the notifications on a change in the security group
    • Configure SNS to monitor security group changes
    • Configure event notification on the DB security group
    • Configure the CloudWatch alarm on the DB for a change in the security group
    Explanation:
    Amazon RDS uses the Amazon Simple Notification Service (SNS) to provide a notification when an Amazon RDS event occurs. These events can be configured for source categories such as DB instance, DB security group, DB snapshot and DB parameter group. If the user subscribes to the Configuration Change category for a DB security group, he will be notified when the DB security group is changed.

  3. A user is trying to set up a recurring Auto Scaling process. The user has set up one process to scale up every day at 8 AM and scale down at 7 PM. The user is trying to set up another recurring process which scales up on the 1st of every month at 8 AM and scales down the same day at 7 PM. What will Auto Scaling do in this scenario?

    • Auto Scaling will execute both processes but will add just one instance on the 1st
    • Auto Scaling will add two instances on the 1st of the month
    • Auto Scaling will schedule both the processes but execute only one process randomly
    • Auto Scaling will throw an error since there is a conflict in the schedule of two separate Auto Scaling Processes
    Explanation:
    Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. The user can also configure a recurring scheduled action, which follows the Linux cron format. As per Auto Scaling, a scheduled action must have a unique time value. If the user attempts to schedule an activity at a time when another existing activity is already scheduled, the call will be rejected with an error message noting the conflict.

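To make the scheduling conflict concrete, here is an added example (not part of the original question set) in Python that evaluates the minute, hour and day-of-month fields of two cron expressions across one month and reports the timestamps at which both would fire, which are exactly the times at which Auto Scaling would reject the second scheduled action. The month window (March 2021) and the cron strings are constructed for the example, and only the three date fields are modelled, so month and day-of-week are accepted but not checked.

```python
"""Added example: find the moments at which two cron-style recurring
Auto Scaling schedules would fire at the same time.

Only the minute, hour and day-of-month fields are evaluated (a
simplification); month and day-of-week are accepted but ignored.
"""
from datetime import datetime, timedelta


def _field_matches(field, value):
    """Match one cron field ('*', '5', '1,15', '1-5', '*/10') against an integer."""
    if field == "*":
        return True
    for part in field.split(","):
        if part.startswith("*/"):
            if value % int(part[2:]) == 0:
                return True
        elif "-" in part:
            low, high = (int(x) for x in part.split("-"))
            if low <= value <= high:
                return True
        elif int(part) == value:
            return True
    return False


def cron_matches(expr, when):
    """True if the 5-field cron expression fires at datetime `when` (minute resolution)."""
    minute, hour, day_of_month, _month, _day_of_week = expr.split()
    return (
        _field_matches(minute, when.minute)
        and _field_matches(hour, when.hour)
        and _field_matches(day_of_month, when.day)
    )


def scheduled_times(expr, start_iso, end_iso):
    """Yield ISO timestamps in [start, end) at which `expr` fires, one per minute."""
    current = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    while current < end:
        if cron_matches(expr, current):
            yield current.isoformat()
        current += timedelta(minutes=1)


def find_conflicts(expr_a, expr_b, start_iso, end_iso):
    """Return sorted ISO timestamps at which both schedules fire, i.e. the
    times for which Auto Scaling would reject the second scheduled action."""
    fires_a = set(scheduled_times(expr_a, start_iso, end_iso))
    fires_b = set(scheduled_times(expr_b, start_iso, end_iso))
    return sorted(fires_a & fires_b)


if __name__ == "__main__":
    # Constructed window: March 2021. The daily 8 AM scale-up and the
    # "1st of the month at 8 AM" scale-up both resolve to 08:00 on 1 March.
    daily_up, monthly_up = "0 8 * * *", "0 8 1 * *"
    print(find_conflicts(daily_up, monthly_up, "2021-03-01", "2021-04-01"))
```

The same check run on the two 7 PM scale-down actions reports a second collision on the 1st at 19:00, while the daily 8 AM and daily 7 PM actions never overlap, which is why the question's second recurring process is rejected rather than merged.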
  4. A user is planning to set up infrastructure on AWS for the Christmas sales. The user is planning to use scheduled Auto Scaling for proactive scaling. What advice would you give to the user?

    • It is good to schedule now because if the user forgets later on it will not scale up
    • The scaling should be set up only one week before Christmas
    • Wait till the end of November before scheduling the activity
    • It is not advisable to use schedule-based scaling
    Explanation:
    Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. The user can specify any date in the future to scale up or down during that period. As per Auto Scaling, the user can schedule an action for up to a month in the future. Thus, it is recommended to wait until the end of November before scheduling for Christmas.

  5. A user is trying to understand the ACL and policy for an S3 bucket. Which of the below mentioned policy permissions is equivalent to the WRITE ACL on a bucket?

    • s3:GetObjectAcl
    • s3:GetObjectVersion
    • s3:ListBucketVersions
    • s3:DeleteObject
    Explanation:
    Amazon S3 provides a set of operations to work with Amazon S3 resources. Each AWS S3 bucket can have an ACL (Access Control List) or bucket policy associated with it. The WRITE ACL allows other AWS accounts to write to or modify that bucket. The equivalent S3 bucket policy permission for it is s3:DeleteObject.

  6. A user has created an ELB with Auto Scaling. Which of the below mentioned ELB features helps the user stop sending new request traffic from the load balancer to an EC2 instance that is being deregistered, while continuing to serve in-flight requests?

    • ELB sticky session
    • ELB deregistration check
    • ELB connection draining
    • ELB auto registration Off
    Explanation:
    The Elastic Load Balancer connection draining feature causes the load balancer to stop sending new requests to back-end instances when the instances are deregistering or become unhealthy, while ensuring that in-flight requests continue to be served.

  7. A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned steps will not be performed while creating the AMI?

    • Define the AMI launch permissions
    • Upload the bundled volume
    • Register the AMI
    • Bundle the volume
    Explanation:
    When the user has launched an EC2 instance from an instance store backed AMI, creating an AMI from it requires certain steps, such as bundling the root volume, uploading the bundled volume and registering the AMI. Once the AMI is created the user can set up the launch permissions. However, it is not required to set them up while creating the AMI.

  8. You are managing the AWS account of a big organization. The organization has more than 1000 employees and wants to provide access to various services to most of them. Which of the below mentioned options is the best possible solution in this case?

    • The user should create a separate IAM user for each employee and provide access to them as per the policy
    • The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and set up AWS authentication on that server
    • The user should create IAM groups as per the organization’s departments and add each user to the group for better access control
    • Attach an IAM role with the organization’s authentication service to authorize each user for various AWS services
    Explanation:
    AWS Identity and Access Management (IAM) is a web service which allows organizations to manage users and user permissions for various AWS services. Here the user is managing an AWS account for an organization that already has an identity system, such as the login system for the corporate network (SSO). In this case, instead of creating individual IAM users or groups for each user who needs AWS access, it may be more practical to use a proxy server to translate the user identities from the organization’s network into temporary AWS security credentials. This proxy server will attach an IAM role to the user after authentication.

  9. A user has configured a VPC with a new subnet. The user has created a security group. The user wants instances in the same subnet to be able to communicate with each other. How can the user configure this with the security group?

    • There is no need for a security group modification as all the instances can communicate with each other inside the same subnet
    • Configure the subnet as the source in the security group and allow traffic on all the protocols and ports
    • Configure the security group itself as the source and allow traffic on all the protocols and ports
    • The user has to use VPC peering to configure this
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. AWS provides two features that the user can use to increase security in a VPC: security groups and network ACLs. Security groups work at the instance level. If the user is using the default security group, it will have a rule which allows the instances to communicate with each other. For a new security group, the user has to add a rule that defines the source as the security group itself and allows all protocols and ports for that source.

  10. A user is launching an instance. He is on the “Tag the instance” screen. Which of the below mentioned pieces of information will not help the user understand the functionality of an AWS tag?

    • Each tag will have a key and value
    • The user can apply tags to the S3 bucket
    • The maximum tag key length is 64 Unicode characters
    • AWS tags are used to find the cost distribution of various resources
    Explanation:
    AWS provides cost allocation tags to categorize and track AWS costs. When the user applies tags to his AWS resources, AWS generates a cost allocation report as a comma-separated value (CSV) file with the usage and costs aggregated by those tags. Each tag has a key and a value and can be applied to services such as EC2, S3, RDS, EMR, etc. The maximum size of a tag key is 128 Unicode characters.

  11. A user has created a VPC with CIDR 20.0.0.0/16. The user has created public and VPN-only subnets along with hardware VPN access to connect to the user’s datacenter. The user wants all traffic coming to the public subnet to follow the organization’s proxy policy. How can the user make this happen?

    • Set up a NAT with the proxy protocol and configure the public subnet to receive traffic from the NAT
    • Set up a proxy policy in the internet gateway connected with the public subnet
    • It is not possible to set up a proxy policy for a public subnet
    • Set the route table and security group of the public subnet so that it receives traffic from a virtual private gateway
    Explanation:
    The user can create subnets within a VPC. If the user wants to connect to the VPC from his own data center, he can set up public and VPN-only subnets which use hardware VPN access to connect with his data center. When the user has configured this setup, it updates the main route table used with the VPN-only subnet, creates a custom route table and associates it with the public subnet. It also creates an internet gateway for the public subnet. By default, the internet traffic of the VPN subnet is routed to a virtual private gateway while the internet traffic of the public subnet is routed through the internet gateway. The user can set up the route and security group rules. These rules enable the traffic to come from the organization’s network over the virtual private gateway to the public subnet, allowing the proxy settings to apply on that public subnet.

  12. A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25. The user has launched one instance each in the private and public subnets. Which of the below mentioned options cannot be the correct IP address (private IP) assigned to an instance in the public or private subnet?

    • 20.0.0.255
    • 20.0.0.132
    • 20.0.0.122
    • 20.0.0.55
    Explanation:
    When the user creates a subnet in a VPC, he specifies the CIDR block for the subnet. In this case the user has created a VPC with the CIDR block 20.0.0.0/24, which supports 256 IP addresses (20.0.0.0 to 20.0.0.255). The public subnet will have IP addresses between 20.0.0.0 – 20.0.0.127 and the private subnet will have IP addresses between 20.0.0.128 – 20.0.0.255. AWS reserves the first four IP addresses and the last IP address in each subnet’s CIDR block. These are not available for the user to use. Thus, the instance cannot have an IP address of 20.0.0.255.

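As an added example, not from the original page, the following Python uses the standard library ipaddress module to list the addresses AWS reserves in each subnet from the question and to check which of the candidate addresses an instance could actually receive. It generalizes beyond the question to any subnet CIDR, which is handy when sizing subnets: every subnet loses five addresses, not two.

```python
"""Added example: which private IP addresses in a VPC subnet are actually
assignable to an instance.  AWS reserves the first four addresses and the
last address of every subnet CIDR block.  The subnets are the ones from
the question (20.0.0.0/24 split into two /25 blocks)."""
import ipaddress

# Subnets from the question: public 20.0.0.0/25, private 20.0.0.128/25.
SUBNETS = ["20.0.0.0/25", "20.0.0.128/25"]


def reserved_addresses(cidr):
    """Return the five addresses AWS keeps back in a subnet (as strings).

    Iterating an ip_network yields every address in the block, including
    the network and broadcast addresses, which is what we need here.
    """
    block = list(ipaddress.ip_network(cidr, strict=True))
    return [str(a) for a in block[:4]] + [str(block[-1])]


def subnet_for(ip, subnets):
    """Return the CIDR from `subnets` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def is_assignable(ip, subnets):
    """True if `ip` lies in one of the subnets and is not AWS-reserved."""
    cidr = subnet_for(ip, subnets)
    return cidr is not None and ip not in reserved_addresses(cidr)


def usable_count(cidr):
    """Number of addresses AWS lets you assign in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - 5


if __name__ == "__main__":
    # The four candidate addresses from the question.
    for candidate in ["20.0.0.255", "20.0.0.132", "20.0.0.122", "20.0.0.55"]:
        state = "assignable" if is_assignable(candidate, SUBNETS) else "reserved or outside"
        print(candidate, state)
```

Running it shows 20.0.0.255 as reserved (it is the last address of the private subnet), while 20.0.0.132, 20.0.0.122 and 20.0.0.55 are all assignable; 20.0.0.127, the last address of the public subnet, would be reported as reserved for the same reason.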
  13. A user has launched an EBS backed EC2 instance. The user has rebooted the instance. Which of the below mentioned statements is not true with respect to the reboot action?

    • The private and public address remains the same
    • The Elastic IP remains associated with the instance
    • The volume is preserved
    • The instance runs on a new host computer
    Explanation:
    A user can reboot an EC2 instance using the AWS console, the Amazon EC2 CLI or the Amazon EC2 API. Rebooting an instance is equivalent to rebooting an operating system. However, it is recommended that the user use the Amazon EC2 reboot action instead of running the operating system reboot command from inside the instance. The instance remains on the same host computer and maintains its public DNS name, private IP address, and any data on its instance store volumes. It typically takes a few minutes for the reboot to complete, but the time it takes depends on the instance configuration.

  14. A user has set up a web application on EC2. The user is generating a log of the application performance every second. There are multiple entries for each second. If the user wants to send that data to CloudWatch every minute, what should he do?

    • The user should send only the data of the 60th second as CloudWatch will map the received data timezone with the sent data timezone
    • It is not possible to send the custom metric to CloudWatch every minute
    • Give CloudWatch the Min, Max, Sum, and SampleCount of a number of every minute
    • Calculate the average of one minute and send the data to CloudWatch
    Explanation:
    Amazon CloudWatch aggregates statistics according to the period length that the user specifies when retrieving data from CloudWatch. The user can publish as many data points as he wants with the same or similar time stamps. CloudWatch aggregates them by the period length when the user requests statistics about those data points. CloudWatch records the average (sum of all items divided by the number of items) of the values received for every 1-minute period, as well as the number of samples, maximum value, and minimum value for the same time period. CloudWatch will aggregate all the data which have time stamps within a one-minute period.

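The following added Python example (not from the original page) shows the per-minute roll-up the explanation describes: per-second samples are grouped by minute and reduced to Minimum, Maximum, Sum and SampleCount, the statistic set that CloudWatch accepts in a PutMetricData call, and the Average CloudWatch would derive is recomputed from that set. The sample data, base timestamp and metric name are constructed for the example; the code builds the request payload in the StatisticValues shape but does not call AWS.

```python
"""Added example: roll per-second application samples up into the
per-minute statistic set CloudWatch accepts, instead of sending every raw
sample or only one sample per minute.

CloudWatch derives Average as Sum / SampleCount, so nothing is lost for
the standard statistics.  Input data below is constructed.
"""
from collections import defaultdict

# Constructed: a Unix timestamp on a minute boundary (divisible by 60).
BASE = 1_599_999_960

# Constructed log: (unix_timestamp, latency_ms), several entries per second.
SAMPLES = [
    (BASE + 0, 12.0), (BASE + 0, 18.0), (BASE + 1, 15.0),
    (BASE + 30, 40.0), (BASE + 59, 9.0),
    (BASE + 60, 20.0), (BASE + 61, 22.0), (BASE + 119, 33.0),
]


def aggregate_per_minute(samples):
    """Group samples by the minute they fall in and build one statistic set per minute.

    Returns a dict keyed by the minute's start timestamp, in ascending order.
    """
    buckets = defaultdict(list)
    for ts, value in samples:
        buckets[ts - ts % 60].append(value)
    result = {}
    for minute_start, values in sorted(buckets.items()):
        result[minute_start] = {
            "Minimum": min(values),
            "Maximum": max(values),
            "Sum": sum(values),
            "SampleCount": len(values),
        }
    return result


def average_from_statistic_set(stat_set):
    """What CloudWatch reports as Average for a period built from a statistic set."""
    return stat_set["Sum"] / stat_set["SampleCount"]


def metric_data_entries(metric_name, samples):
    """Build the MetricData list a PutMetricData call would carry, one entry per minute."""
    return [
        {
            "MetricName": metric_name,
            "Timestamp": minute_start,
            "Unit": "Milliseconds",
            "StatisticValues": stats,
        }
        for minute_start, stats in aggregate_per_minute(samples).items()
    ]


if __name__ == "__main__":
    for entry in metric_data_entries("AppLatency", SAMPLES):  # constructed metric name
        stats = entry["StatisticValues"]
        print(entry["Timestamp"], stats, "avg =", average_from_statistic_set(stats))
```

Sending the statistic set rather than a precomputed one-minute average keeps the minimum, maximum and sample count available in CloudWatch, which matters when the per-second values are spiky: an average alone would hide the 40 ms outlier in the first minute.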
  15. An AWS root account owner is trying to create a policy to access RDS. Which of the below mentioned statements is true with respect to the above information?

    • Create a policy which allows the users to access RDS and apply it to the RDS instances
    • The user cannot access the RDS database if he is not assigned the correct IAM policy
    • The root account owner should create a policy for the IAM user and give him access to the RDS services
    • The policy should be created for the user and provide access for RDS
    Explanation:
    AWS Identity and Access Management (IAM) is a web service which allows organizations to manage users and user permissions for various AWS services. If the account owner wants to create a policy for RDS, the owner has to create an IAM user and define the policy which grants that IAM user access to various RDS operations, such as launching an instance, managing security groups, managing parameter groups, etc.

  16. A user is using a small MySQL RDS DB. The user is experiencing high latency due to the Multi AZ feature. Which of the below mentioned options may not help the user in this situation?

    • Schedule the automated backup in non-working hours
    • Use a large or higher size instance
    • Use PIOPS
    • Take a snapshot from the standby replica
    Explanation:
    An RDS DB instance with Multi AZ deployment enabled may experience increased write and commit latency compared to a Single AZ deployment, due to synchronous data replication. The user may also see changes in latency if the deployment fails over to the standby replica. For production workloads, AWS recommends that the user use provisioned IOPS and DB instance classes (m1.large and larger), as they are optimized for provisioned IOPS to give fast and consistent performance. With the Multi AZ feature, the user does not have the option to take a snapshot from the replica.

  17. A user is displaying the CPU utilization, Network in and Network out CloudWatch metrics of a single instance on the same graph. The graph uses one Y-axis for CPU utilization and Network in and another Y-axis for Network out. Since Network in is too high, the CPU utilization data is not clearly visible on the graph. How can the data be viewed better on the same graph?

    • It is not possible to show multiple metrics with the different units on the same graph
    • Add a third Y-axis with the console to show all the data in proportion
    • Change the axis of Network by using the Switch command from the graph
    • Change the units of CPU utilization so it can be shown in proportion with Network
    Explanation:
    Amazon CloudWatch provides the functionality to graph the metric data generated either by AWS services or by custom metrics, to make it easier for the user to analyze. It is possible to show multiple metrics with different units on the same graph. If the graph is not plotted clearly due to a difference in the unit data of two metrics, the user can change the Y-axis of one of the metrics by selecting that metric and clicking on the Switch option.

  18. A user is planning to use AWS services for his web application. If the user is trying to set up his own billing management system for AWS, how can he configure it?

    • Set up programmatic billing access. Download and parse the bill as per the requirement
    • It is not possible for the user to create his own billing management service with AWS
    • Enable the AWS CloudWatch alarm which will provide APIs to download the alarm data
    • Use AWS billing APIs to download the usage report of each service from the AWS billing console
    Explanation:
    AWS provides an option to have programmatic access to billing. Programmatic Billing Access leverages the existing Amazon Simple Storage Service (Amazon S3) APIs. Thus, the user can build applications that reference his billing data from a CSV (comma-separated value) file stored in an Amazon S3 bucket. AWS will upload the bill to the bucket every few hours, and the user can download the bill CSV from the bucket, parse it and create a billing system as per the requirement.

  19. A user is planning to schedule a backup for an EBS volume. The user wants the snapshot data to be secure. How can the user achieve data encryption with a snapshot?

    • Use encrypted EBS volumes so that the snapshot will be encrypted by AWS
    • While creating a snapshot select the snapshot with encryption
    • By default, the snapshot is encrypted by AWS
    • Enable server side encryption for the snapshot using S3
    Explanation:
    AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots, provided the snapshots were created from encrypted volumes. The data at rest, the I/O, as well as all snapshots of the encrypted EBS volume will also be encrypted. EBS encryption is based on the AES-256 cryptographic algorithm, which is the industry standard.

  20. A user has created a public subnet with VPC and launched an EC2 instance within it. The user is trying to delete the subnet. What will happen in this scenario?

    • It will delete the subnet and make the EC2 instance a part of the default subnet
    • It will not allow the user to delete the subnet until the instances are terminated
    • It will delete the subnet as well as terminate the instances
    • The subnet can never be deleted independently; the user has to delete the VPC first
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. When an instance is launched, it will have a network interface attached to it. The user cannot delete the subnet until he terminates the instance and deletes the network interface.