SOA-C02 Free Practice Test

- (Exam Topic 1)
A company requires that all IAM user accounts that have not been used for 90 days or more must have their access keys and passwords immediately disabled A SysOps administrator must automate the process of disabling unused keys using the MOST operationally efficient method.
How should the SysOps administrator implement this solution?

1. A. Create an AWS Step Functions workflow to identify IAM users that have not been active for 90 days Run an AWS Lambda function when a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule is invoked to automatically remove the AWS access keys and passwords for these IAM users
2. B. Configure an AWS Config rule to identify IAM users that have not been active for 90 days Set up an automatic weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for these IAM users
3. C. Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users that have not been active for 90 days Automatically delete these 1AM users
4. D. Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users

Correct Answer: D

- (Exam Topic 1)
A SysOps administrator needs to secure the credentials for an Amazon RDS database that is created by an AWS CloudFormation template. The solution must encrypt the credentials and must support automatic rotation.
Which solution will meet these requirements?

1. A. Create an AWS::SecretsManager::Secret resource in the CloudFormation templat
2. B. Reference thecredentials in the AWS::RDS::DBInstance resource by using the resolve:secretsmanager dynamic reference.
3. C. Create an AWS::SecretsManager::Secret resource in the CloudFormation templat
4. D. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm-secure dynamic reference.
5. E. Create an AWS::SSM::Parameter resource in the CloudFormation templat
6. F. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm dynamic reference.
7. G. Create parameters for the database credentials in the CloudFormation templat
8. H. Use the Ref intrinsic function to provide the credentials to the AWS::RDS::DBInstance resource.

Correct Answer: A

- (Exam Topic 1)
A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC. the administrator is unable to connect to any of the domains that reside on the internet.
What additional route destination rule should the administrator add to the route tables?

1. A. Route ;:/0 traffic to a NAT gateway
2. B. Route ::/0 traffic to an internet gateway
3. C. Route 0.0.0.0/0 traffic to an egress-only internet gateway
4. D. Route ::/0 traffic to an egress-only internet gateway

Correct Answer: D
https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html

- (Exam Topic 1)
A company monitors its account activity using AWS CloudTrail. and is concerned that some log files are being tampered with after the logs have been delivered to the account's Amazon S3 bucket.
Moving forward, how can the SysOps administrator confirm that the log files have not been modified after being delivered to the S3 bucket?

1. A. Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
2. B. Enable log file integrity validation and use digest files to verify the hash value of the log file.
3. C. Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
4. D. Enable S3 server access logging to track requests made to the log bucket for security audits.

Correct Answer: B
When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. CloudTrail signs each digest file using the private key of a public and private key pair. After delivery, you can use the public key to validate the digest file. CloudTrail uses different key pairs for each AWS region
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

- (Exam Topic 1)
A SysOps administrator is reviewing AWS Trusted Advisor recommendations. The SysOps administrator notices that all the application servers for a finance application are listed in the Low Utilization Amazon EC2 Instances check. The application runs on three instances across three Availability Zones. The SysOps administrator must reduce the cost of running the application without affecting the application's availability or design.
Which solution will meet these requirements?

1. A. Reduce the number of application servers.
2. B. Apply rightsizing recommendations from AWS Cost Explorer to reduce the instance size.
3. C. Provision an Application Load Balancer in front of the instances.
4. D. Scale up the instance size of the application servers.

Correct Answer: C