Practice Free SOA-C03 Exam Online Questions
A company uses AWS Systems Manager to automate common operational tasks across its AWS resources. The company wants to automatically collect software inventory of all its Amazon EC2 instances every day. The solution must store the data in an Amazon S3 bucket for auditing purposes.
Which solution will meet these requirements?
- A . Create a Systems Manager association with the AWS-GatherSoftwareInventory document. Schedule the association to run every day on all EC2 instances.
- B . Configure Systems Manager Distributor to package inventory collection software. Use Systems Manager Hybrid Activations to scan the inventory every day.
- C . Configure Systems Manager Patch Manager to deploy inventory collection agents. Configure Systems Manager Compliance to validate inventory data.
- D . Set up Systems Manager Session Manager to connect to EC2 instances. Use Systems Manager Fleet Manager to aggregate inventory results across the environment.
A company uses AWS Systems Manager Session Manager to manage EC2 instances in the eu-west-1 Region. The company wants private connectivity using VPC endpoints.
Which VPC endpoints are required to meet these requirements? (Select THREE.)
- A . com.amazonaws.eu-west-1.ssm
- B . com.amazonaws.eu-west-1.ec2messages
- C . com.amazonaws.eu-west-1.ec2
- D . com.amazonaws.eu-west-1.ssmmessages
- E . com.amazonaws.eu-west-1.s3
- F . com.amazonaws.eu-west-1.states
A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet specific security requirements.
The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators. The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts.
Which solution will meet these requirements?
- A . Create AWS Config rules with remediation actions in each account to detect policy violations. Implement IAM permissions boundaries for the account root users.
- B . Enable AWS Security Hub across the organization. Create custom security standards to enforce the security requirements. Use AWS CloudFormation StackSets to deploy the standards to all the accounts in the organization. Set up Security Hub automated remediation actions.
- C . Use AWS Control Tower for account governance. Configure Region deny controls. Use Service Control Policies (SCPs) to restrict root user access.
- D . Configure AWS Firewall Manager with security policies to meet the security requirements. Use an AWS Config aggregator with organization-wide conformance packs to detect security policy violations.
A company needs to deploy instances of an application and associated infrastructure to multiple AWS Regions. The company wants to use a single AWS CloudFormation template to achieve this goal. The company uses AWS Organizations and wants to administer and run this template from a central administration account.
What should a CloudOps engineer do to meet these requirements?
- A . Create a CloudFormation template that is stored in Amazon S3. Configure Cross-Region Replication (CRR) on the S3 bucket. Reference the required accounts and remote Regions in the input template parameters.
- B . In the central administration account, create a CloudFormation primary template that loads CloudFormation nested stacks from Amazon S3 buckets in the target Regions.
- C . Create CloudFormation nested stacks by using a primary template in the central administration account. Configure the required accounts and Regions for deployment of the nested stacks.
- D . Create a CloudFormation stack set that includes service-managed permissions. Deploy the stack set into the required accounts and Regions from the central administration account.
A SysOps administrator needs to encrypt an existing Amazon Elastic File System (Amazon EFS) file system by using an existing AWS KMS customer managed key.
Which solution will meet these requirements?
- A . Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Specify the KMS customer managed key in the replication configuration. When the replication process finishes, fail over to the new encrypted file system.
- B . Directly modify the file system to use encryption. Specify the KMS customer managed key.
- C . Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Generate a new TLS certificate. Specify the TLS certificate in the replication configuration. When the replication process finishes, fail over to the new encrypted file system.
- D . Create a new EFS file system that is encrypted with the KMS customer managed key. Create an Amazon EC2 instance to copy the files. Mount the encrypted file system and unencrypted file system on the instance. Copy all data from the unencrypted file system to the encrypted file system. Unmount the unencrypted file system and remove the temporary instance.
A CloudOps engineer launches two Amazon EC2 instances in a single public subnet, in the same Availability Zone, for testing purposes. The CloudOps engineer wants Amazon Route 53 to respond with an instance's public IP address only if a test webpage on that instance is running. However, even when the test webpage is unavailable, Route 53 still responds with the public IP addresses of both instances.
How can the CloudOps engineer resolve this issue?
- A . Create a Route 53 multivalue answer routing record. Associate a health check with the record.
- B . Configure latency-based routing with a health check in Route 53.
- C . Configure weighted routing in Route 53.
- D . Create another public subnet in the same Availability Zone for one of the instances.
A company’s AWS accounts are in an organization in AWS Organizations. The organization has all features enabled. The accounts use Amazon EC2 instances to host applications. The company manages the EC2 instances manually by using the AWS Management Console. The company applies updates to the EC2 instances by using an SSH connection to each EC2 instance.
The company needs a solution that uses AWS Systems Manager to manage all the organization’s current and future EC2 instances. The latest version of Systems Manager Agent (SSM Agent) is running on the EC2 instances.
Which solution will meet these requirements?
- A . Configure a home AWS Region in Systems Manager Quick Setup in the organization’s management account. Deploy the Systems Manager Default Host Management Configuration Quick Setup from the management account.
- B . Configure a home AWS Region in Systems Manager Quick Setup in the organization’s management account. Create a Systems Manager Run Command that attaches the AmazonSSMServiceRolePolicy IAM policy to every IAM role that the EC2 instances use. Invoke the command in every account in the organization.
- C . Create an AWS CloudFormation stack set that contains a Systems Manager parameter to define the Default Host Management Configuration role. Use the organization’s management account to deploy the stack set to every account in the organization.
- D . Create an AWS CloudFormation stack set that contains an EC2 instance profile with the AmazonSSMManagedEC2InstanceDefaultPolicy IAM policy attached. Use the organization’s management account to deploy the stack set to every account in the organization.
A company moves workloads from public subnets to private subnets to improve security. During testing, servers in the private subnets cannot reach an external API. The VPC has a CIDR block of 10.0.0.0/16, two public subnets, two private subnets, one internet gateway, and a NAT gateway in each private subnet.
The company must ensure that workloads in the private subnets can reach the external API.
Which solution will meet this requirement?
- A . Deploy an outbound-only internet gateway and update route tables.
- B . Create an Amazon API Gateway HTTP API as a proxy.
- C . Deploy a NAT gateway in each public subnet and update private subnet route tables.
- D . Create a VPC interface endpoint and update route tables.
A CloudOps engineer created a VPC with a private subnet, a security group that allows all outbound traffic, and an EC2 Instance Connect Endpoint in the private subnet. An EC2 instance was launched without an SSH key pair in the same subnet and with the same security group. However, the engineer cannot connect to the instance through the EC2 Instance Connect Endpoint.
How can the CloudOps engineer connect to the instance?
- A . Create an inbound rule in the security group to allow HTTPS traffic on port 443 from the private subnet.
- B . Create an inbound rule in the security group to allow SSH traffic on port 22 from the private subnet.
- C . Create an IAM instance profile that allows AWS Systems Manager Session Manager to access the EC2 instance. Associate the instance profile with the instance.
- D . Recreate the EC2 instance. Associate an SSH key pair with the instance.
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A CloudOps engineer must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
- A . Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user’s credentials in the application’s configuration.
- B . Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user’s access key and secret access key as environment variables on the EC2 instance.
- C . Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
- D . Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
