Amazon-Web-Services SOA-C01 Free Practice Questions

NEW QUESTION 1
A user has launched an EBS backed instance. The user started the instance at 9 AM in the morning. Between 9 AM to 10 AM, the user is testing some script. Thus, he stopped the instance twice and restarted it. In the same hour the user rebooted the instance once. For how many instance hours will AWS charge the user?

• A. 3 hours
• B. 4 hours
• C. 2 hours
• D. 1 hour

Answer: A

Explanation:
A user can stop/start or reboot an EC2 instance using the AWS console, the Amazon EC2 CLI or the Amazon EC2 API. Rebooting an instance is equivalent to rebooting an operating system. When the instance is rebooted AWS will not charge the user for the extra hours. In case the user stops the instance, AWS does not charge the running cost but charges only the EBS storage cost. If the user starts and stops the instance multiple times in a single hour, AWS will charge the user for every start and stop. In this case, since the instance was rebooted twice, it will cost the user for 3 instance hours.

NEW QUESTION 2
A user has created a VPC with CIDR 20.0.0.0/24. The user has used all the IPs of CIDR and wants to increase the size of the VPC. The user has two subnets: public (20.0.0.0/28. and private (20.0.1.0/28.. How can the user change the size of the VPC?

• A. The user can delete all the instances of the subne
• B. Change the size of the subnets to 20.0.0.0/32 and 20.0.1.0/32, respectivel
• C. Then the user can increase the size of the VPC using CLI
• D. It is not possible to change the size of the VPC once it has been created
• E. The user can add a subnet with a higher range so that it will automatically increase the size of the VPC
• F. The user can delete the subnets first and then modify the size of the VPC

Answer: B

Explanation:
Once the user has created a VPC, he cannot change the CIDR of that VPC. The user has to terminate all the instances, delete the subnets and then delete the VPC. Create a new VPC with a higher size and launch instances with the newly created VPC and subnets.

NEW QUESTION 3
How can the domain's zone apex for example "myzoneapexdomain.com" be pointed towards an Elastic Load Balancer?

• A. By using an AAAA record
• B. By using an A record
• C. By using an Amazon Route 53 CNAME record
• D. By using an Amazon Route 53 Alias record

Answer: D

Explanation:
Reference:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias- non-alias.html

NEW QUESTION 4
A company is planning a large marketing campaign that should increase traffic to an AWS-hosted application by at least 10 times normal traffic. A SysOps Administrator is concerned that service limits will be reached with this anticipated traffic. The company has just upgraded to Business Support on the primary account.
How can the Administrator configure the current limits?

• A. Use the included Infrastructure Event Management benefit of Business Support to review the limits
• B. Run a service limits report using Amazon QuickSight
• C. Limits are seated automatically with Business Support and will not cause issues
• D. Use AWS Trusted Advisor to view current limits

Answer: B

NEW QUESTION 5
A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80. and a DB server in the private subnet (port 3306.. The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?

• A. For Inbound allow Source: 20.0.1.0/24 on port 80
• B. For Outbound allow Destination: 0.0.0.0/0 on port 80
• C. For Inbound allow Source: 20.0.0.0/24 on port 80
• D. For Outbound allow Destination: 0.0.0.0/0 on port 443

Answer: C

Explanation:
A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet to host the web server and DB server respectively, the user should configure that the instances in the private subnet can connect to the internet using the NAT instances. The user should first configure that NAT can receive traffic on ports 80 and 443 from the private subnet. Thus, allow ports 80 and 443 in Inbound for the private subnet 20.0.1.0/24. Now to route this traffic to the internet configure ports 80 and 443 in Outbound with destination 0.0.0.0/0. The NAT should not have an entry for the public subnet CIDR.

NEW QUESTION 6
Which services allow the customer to retain run administrative privileges or the undertying EC2 instances? Choose 2 answers

• A. AWS Elastic Beanstalk
• B. Amazon Elastic Map Reduce
• C. Elastic Load Balancing
• D. Amazon Relational Database Service
• E. Amazon Elasti Cache

Answer: AB

NEW QUESTION 7
A user has launched a Windows based EC2 instance. However, the instance has some issues and the user wants to check the log. When the user checks the Instance console output from the AWS console, what will it display?

• A. All the event logs since instance boot
• B. The last 10 system event log error
• C. The Windows instance does not support the console output
• D. The last three system events?? log errors

Answer: D

Explanation:
The AWS EC2 console provides a useful tool called Console output for problem diagnosis. It is useful to find out any kernel issues, termination reasons or service configuration issues. For a Windows instance it lists the last three system event log errors. For Linux it displays the exact console output.

NEW QUESTION 8
A user has created numerous EBS volumes. What is the general limit for each AWS account for the maximum number of EBS volumes that can be created?

• A. 10000
• B. 5000
• C. 100
• D. 1000

Answer: B

Explanation:
A user can attach multiple EBS volumes to the same instance within the limits specified by his AWS account. Each AWS account has a limit on the number of Amazon EBS volumes that the user can create, and the total storage available. The default limit for the maximum number of volumes that can be created is 5000.

NEW QUESTION 9
A user is planning to schedule a backup for an EBS volume. The user wants security of the snapshot data. How can the user achieve data encryption with a snapshot?

• A. Use encrypted EBS volumes so that the snapshot will be encrypted by AWS
• B. While creating a snapshot select the snapshot with encryption
• C. By default the snapshot is encrypted by AWS
• D. Enable server side encryption for the snapshot using S3

Answer: A

Explanation:
AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. The data at rest, the I/O as well as all the snapshots of the encrypted EBS will also be encrypted. EBS encryption is based on the AES-256 cryptographic algorithm, which is the industry standard.

NEW QUESTION 10
How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another?

• A. Simply create a new volume in the other AZ and specify the original volume as the source.
• B. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ.
• C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ.
• D. Detach the volume and attach it to another EC2 instance in the other AZ.

Answer: C

Explanation:
Snapshots can be used to create multiple new EBS volumes, expand the size of a volume, or move volumes across Availability Zones.
See: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html

NEW QUESTION 11
Amazon EBS snapshots have which of the following two characteristics? Choose 2 answers

• A. EBS snapshots only save incremental changes from snapshot to snapshot
• B. EBS snapshots can be created in real-time without stopping an EC2 instance
• C. EBS snapshots can only be restored to an EBS volume of the same size or smaller
• D. EBS snapshots can only be restored and mounted to an instance in the same Availability Zone as the original EBS volume

Answer: AB

NEW QUESTION 12
A company has mandated the use factor authentication (MFA) for all user, and requires users to make all API calls using CLI. However, uses are not prompted to enter MFA token, and able to return CLI commands without MF

• A. In an enforce MFA, the company attached an IAM policy to all users that derives API calls that not been authenticated with MF
• B. What additional step must be ensure that calls are authenticated using MFA?
• C. Enable MFA on IAM roles, requires IAM to use role credentials to sign API calls.
• D. Ask the IAM to log into the AWS Management Console with MFA before marking PI calls using the Cli.
• E. Restricted the IAM users to use the console, as MFA not supported for CLI use.
• F. Reporting users to use temporary credential from the get-session token command to sign API calls.

Answer: B

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

NEW QUESTION 13
When an EC2 instance that is backed by an S3-based AMI Is terminated, what happens to the data on me root volume?

• A. Data is automatically saved as an EBS volume.
• B. Data is automatically saved as an ESS snapshot.
• C. Data is automatically deleted.
• D. Data is unavailable until the instance is restarted.

Answer: C

Explanation:
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html

NEW QUESTION 14
A user has launched 10 instances from the same AMI ID using Auto Scaling. The user is trying to see the average CPU utilization across all instances of the last 2 weeks under the CloudWatch console. How can the user achieve this?

• A. View the Auto Scaling CPU metrics
• B. Aggregate the data over the instance AMI ID
• C. The user has to use the CloudWatchanalyser to find the average data across instances
• D. It is not possible to see the average CPU utilization of the same AMI ID since the instance ID is different

Answer: A

Explanation:
Auto Scaling has its own aggregated CPU Utilization metric.

NEW QUESTION 15
A sys admin is using server side encryption with AWS S3. Which of the below mentioned statements helps the user understand the S3 encryption functionality?

• A. The server side encryption with the user supplied key works when versioning is enabled
• B. The user can use the AWS console, SDK and APIs to encrypt or decrypt the content for server side encryption with the user supplied key
• C. The user must send an AES-128 encrypted key
• D. The user can upload his own encryption key to the S3 console

Answer: A

Explanation:
AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key. The encryption with the user supplied key (SSE-C. does not work with the AWS console. The S3 does not store the keys and the user has to send a key with each request. The SSE-C works when the user has enabled versioning.

NEW QUESTION 16
A company Development team to access the AWS Management Console. A System Administrator has been asked to find a solution so that the Developers can sign in to the console using Active Directory (AD) credentials and not as IAM users.
What steps should the Systems Administrator take to enable functionality?

• A. Set up an Amazon Cognit federation, and the obtain temporary credentials using AWS Security Token Servic
• B. Assign the temporary credentials to an IAM role to allow a developers access to the AWS resource.
• C. Set up Active Directory Connector to use the corporate AD servers Enable AWS console access under the AWS Directory Service Console for the AD Connector that was just create
• D. Created a role with the resources and permissions that the Development team should have access to use.
• E. Connect the corporate AD servers to AWS using Amazon Cognito user pools Enable AWS console access within conito, and then assign the appropriate role to the user pool.
• F. Create a SAML template file using IAM assign the template to the corporate AD through the Simple AD Grant the Development team access to the SAML template.

Answer: A

NEW QUESTION 17
An organization (Account ID 123412341234. has attached the below mentioned IAM policy to a user. What does this policy statement entitle the user to perform?
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowUsersAllActionsForCredentials", "Effect": "Allow",
"Action": [ "iam:*LoginProfile", "iam:*AccessKey*",
"iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam:: 123412341234:user/${aws:username}"]
}]
}

• A. The policy allows the IAM user to modify all IAM user??s credentials using the console, SDK, CLI or APIs
• B. The policy will give an invalid resource error
• C. The policy allows the IAM user to modify all credentials using only the console
• D. The policy allows the user to modify all IAM user??s password, sign in certificates and access keys using only CLI, SDK or APIs

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (Account ID 123412341234. wants some of their users to manage credentials (access keys, password, and sing in certificates. of all IAM users, they should set an applicable policy to that user or group of users. The below mentioned policy allows the IAM user to modify the credentials of all IAM user??s using only CLI, SDK or APIs. The user cannot use the AWS console for this activity since he does not have list permission for the IAM users.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowUsersAllActionsForCredentials", "Effect": "Allow"
"Action": [ "iam:*LoginProfile", "iam:*AccessKey*", "iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
}]
}

NEW QUESTION 18
A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?

• A. Allow Inbound traffic on port 22 from the user??s network
• B. The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
• C. The user can connect to a instance in a private subnet using the NAT instance
• D. Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the Internet

Answer: A

Explanation:
The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data center, the user can setup a case with a VPN only subnet (private. which uses VPN access to connect with his data center. When the user has configured this setup with Wizard, all network connections to the instances in the subnet will come from his data center. The user has to configure the security group of the private subnet which allows the inbound traffic on SSH (port 22. from the data center??s network range.

NEW QUESTION 19
A user has created a launch configuration for Auto Scaling where CloudWatch detailed monitoring is disabled. The user wants to now enable detailed monitoring. How can the user achieve this?

• A. Update the Launch config with CLI to set InstanceMonitoringDisabled = false
• B. The user should change the Auto Scaling group from the AWS console to enable detailed monitoring
• C. Update the Launch config with CLI to set InstanceMonitoring.Enabled = true
• D. Create a new Launch Config with detail monitoring enabled and update the Auto Scaling group

Answer: D

Explanation:
CloudWatch is used to monitor AWS as well as the custom services. To enable detailed instance monitoring for a new Auto Scaling group, the user does not need to take any extra steps. When the user creates the AutoScaling launch config as the first step for creating an Auto Scaling group, each launch configuration contains a flag named InstanceMonitoring.Enabled. The default value of this flag is true. When the user has created a launch configuration with InstanceMonitoring.Enabled = false it will involve multiple steps to enable detail monitoring. The steps are:
Create a new Launch config with detailed monitoring enabled Update the Auto Scaling group with a new launch config Enable detail monitoring on each EC2 instance

NEW QUESTION 20
An organization is planning to use AWS for 5 different departments. The finance department is responsible to pay for all the accounts. However, they want the cost separation for each account to map with the right cost centre. How can the finance department achieve this?

• A. Create 5 separate accounts and make them a part of one consolidate billing
• B. Create 5 separate accounts and use the IAM cross account access with the roles for better management
• C. Create 5 separate IAM users and set a different policy for their access
• D. Create 5 separate IAM groups and add users as per the department??s employees

Answer: A

Explanation:
AWS consolidated billing enables the organization to consolidate payments for multiple Amazon Web Services (AWS. accounts within a single organization by making a single paying account. Consolidated billing enables the organization to see a combined view of the AWS charges incurred by each account as well as obtain a detailed cost report for each of the individual AWS accounts associated with the paying account.

NEW QUESTION 21
A user has setup a CloudWatch alarm on the EC2 instance for CPU utilization. The user has setup to receive a notification on email when the CPU utilization is higher than 60%. The user is running a virus scan on the same instance at a particular time. The user wants to avoid receiving an email at this time. What should the user do?

• A. Remove the alarm
• B. Disable the alarm for a while using CLI
• C. Modify the CPU utilization by removing the email alert
• D. Disable the alarm for a while using the console

Answer: B

Explanation:
Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. When the user has setup an alarm and it is know that for some unavoidable event the status may change to Alarm, the user can disable the alarm using the DisableAlarmActions API or from the command line mon-disable-alarm-actions.

NEW QUESTION 22
George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George??s account from the US West region?

• A. No, copy AMI does not copy the permission
• B. It is not possible to share the AMI with a specific account
• C. Yes, since copy AMI copies all private account sharing permissions
• D. Yes, since copy AMI copies all the permissions attached with the AMI

Answer: A

Explanation:
Within EC2, when the user copies an AMI, the new AMI is fully independent of the source AMI; there is no link to the original (source. AMI. AWS does not copy launch the permissions, user-defined tags or the Amazon S3 bucket permissions from the source AMI to the new AMI. Thus, in this case by default Stefano will not have access to the AMI in the US West region.

NEW QUESTION 23
A user has setup an EBS backed instance and attached 2 EBS volumes to it. The user has setup a CloudWatch alarm on each volume for the disk data. The user has stopped the EC2 instance and detached the EBS volumes. What will be the status of the alarms on the EBS volume?

• A. OK
• B. Insufficient Data
• C. Alarm
• D. The EBS cannot be detached until all the alarms are removed

Answer: B

Explanation:
Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. Alarms invoke actions only for sustained state changes. There are three states of the alarm: OK, Alarm and Insufficient data. In this case since the EBS is detached and
inactive the state will be Insufficient.

NEW QUESTION 24
A user has created a queue named ??myqueue?? in US-East region with AWS SQS. The user??s AWS account ID is 123456789012. If the user wants to perform some action on this queue, which of the below Queue URL should he use?

• A. http://sqs.us-east-1.amazonaws.com/123456789012/myqueue
• B. http://sqs.amazonaws.com/123456789012/myqueue
• C. http://sq
• D. 123456789012.us-east-1.amazonaws.com/myqueue
• E. http:// 123456789012.sq
• F. us-east-1.amazonaws.com/myqueue

Answer: A

Explanation:
When creating a new queue in SQS, the user must provide a queue name that is unique within the scope of all queues of user??s account. If the user creates queues using both the latest WSDL and a previous version, he will have a single namespace for all his queues. Amazon SQS assigns each queue created by user an identifier called a queue URL, which includes the queue name and other components that Amazon SQS determines. Whenever the user wants to perform an action on a queue, he must provide its queue URL. The queue URL for the account id 123456789012 & queue name ??myqueue?? in US-East-1 region will be http:// sqs.us-east- 1.amazonaws.com/123456789012/myqueue.

NEW QUESTION 25
A new network is needed to run secure Amazon EC2 instance. This network cannot have direct access to the internet and must be separate from existing production instances. The instances will be manager using SSH from a Developer in a home office with a fixed IP address but without a VPN- capable router.
How should a SysOps Administrator create this network and manage these servers?

• A. Create a new subnet in an existing VP
• B. Configure access rules to allow SSH access from the Developer's IP addres
• C. Use AWS Shield to select the instances that should not have access to the internet.
• D. Associated an internet gateway with a new VPC with two subne
• E. Set up a bastion instance with an Elastic IP address Configure security groups and routing to allow SSH access to the bastion instance from the Developer's Ip address and SSH access from the bastion hot to the private subnet.
• F. Configure a new VPC with one public subnet no internet gatewa
• G. Configure the security for the instance to allow SSH from the Developer's IP address.
• H. Setup a new VPC with one private subne
• I. When deployment the instance use the User data to install and configure a third-party management tool for the instances Connect to the instance using the third-party tool.

Answer: C

NEW QUESTION 26
A user has configured ELB with two EBS backed instances. The user has stopped the instances for 1 week to save costs. The user restarts the instances after 1 week. Which of the below mentioned statements will help the user to understand the ELB and instance registration better?

• A. There is no way to register the stopped instances with ELB
• B. The user cannot stop the instances if they are registered with ELB
• C. If the instances have the same Elastic IP assigned after reboot they will be registered with ELB
• D. The instances will automatically get registered with ELB

Answer: C

Explanation:
Elastic Load Balancing registers the user??s load balancer with his EC2 instance using the associated IP address. When the instances are stopped and started back they will have a different IP address. Thus, they will not get registered with ELB unless the user manually registers them. If the instances are assigned the same Elastic IP after reboot they will automatically get registered with ELB.

NEW QUESTION 27
A user has launched an EC2 Windows instance from an instance store backed AMI. The user wants to convert the AMI to an EBS backed AMI. How can the user convert it?

• A. Attach an EBS volume to the instance and unbundle all the AMI bundled data inside the EBS
• B. A Windows based instance store backed AMI cannot be converted to an EBS backed AMI
• C. It is not possible to convert an instance store backed AMI to an EBS backed AMI
• D. Attach an EBS volume and use the copy command to copy all the ephermal content to the EBS Volume

Answer: B

Explanation:
Generally when a user has launched an EC2 instance from an instance store backed AMI, it can be converted to an EBS backed AMI provided the user has attached the EBS volume to the instance and
unbundles the AMI data to it. However, if the instance is a Windows instance, AWS does not allow this. In this case, since the instance is a Windows instance, the user cannot convert it to an EBS backed AMI.

NEW QUESTION 28
......