AWS Certified SysOps Administrator – Associate (SOA-C02) Sample Questions


System administrators with a role in cloud operations should take the AWS Certified SysOps Administrator Associate (SOA-C02) exam. Candidates should have at least a year's worth of knowledge and experience in deployment, management, networking, and security on AWS. This article provides a list of AWS Certified SysOps Administrator – Associate (SOA-C02) sample questions that cover core exam topics, including:

  • Maintaining AWS workloads as per the AWS Well-Architected Framework
  • Executing operations using the AWS Management Console and the AWS CLI, and implementing security controls to meet compliance requirements
  • Monitoring, logging, and troubleshooting systems
  • Applying networking concepts (for example, DNS, TCP/IP, firewalls) and implementing architectural requirements such as high availability, performance, and capacity
  • Performing business continuity and disaster recovery procedures, as well as identifying and classifying incidents

Advanced Sample Questions

A company has multiple applications running on EC2 instances in the same region and needs to route the traffic between these instances based on the URL. What AWS service can be used to route the traffic between these instances based on the URL?

  • A. ELB
  • B. ALB
  • C. CloudFront
  • D. Route 53

Answer: B (ALB)

Explanation: Amazon Application Load Balancer (ALB) can be used to route traffic between EC2 instances based on the URL. It supports URL-based routing and is capable of routing traffic based on the domain name, path, or a combination of both.

A company wants to store sensitive data in the cloud and needs to encrypt it. What AWS service can be used to encrypt sensitive data in the cloud?

  • A. KMS
  • B. S3
  • C. IAM
  • D. EC2

Answer: A (KMS)

Explanation: Amazon Key Management Service (KMS) can be used to encrypt sensitive data in the cloud. KMS is a managed service that enables you to easily create and manage encryption keys used to encrypt your data.

A company wants to run multiple EC2 instances in different availability zones for high availability. What AWS service can be used to run EC2 instances in different availability zones for high availability?

  • A. EC2 Auto Scaling
  • B. EC2
  • C. ELB
  • D. CloudFormation

Answer: A (EC2 Auto Scaling)

Explanation: EC2 Auto Scaling can be used to run EC2 instances in different availability zones for high availability. EC2 Auto Scaling enables you to automatically increase or decrease the number of EC2 instances based on demand, thereby ensuring high availability.

A company wants to monitor the performance of its EC2 instances. What AWS service can be used to monitor the performance of EC2 instances?

  • A. CloudWatch
  • B. EC2
  • C. S3
  • D. ELB

Answer: A (CloudWatch)

Explanation: Amazon CloudWatch can be used to monitor the performance of EC2 instances. CloudWatch provides data and operational insights for various AWS resources, including EC2 instances, and enables you to set alarms and automate actions based on specific thresholds.

A company wants to deploy and manage multiple EC2 instances in an automated and scalable manner. What AWS service can be used to deploy and manage multiple EC2 instances in an automated and scalable manner?

  • A. CloudFormation
  • B. EC2
  • C. S3
  • D. ELB

Answer: A (CloudFormation)

Explanation: Amazon CloudFormation can be used to deploy and manage multiple EC2 instances in an automated and scalable manner. CloudFormation is a service that enables you to create, update, and delete AWS resources in an organized and predictable manner. It enables you to automate the deployment of EC2 instances and manage them as a single stack.

A company wants to ensure that its EC2 instances are running in a secure and isolated environment. What AWS service can be used to secure and isolate EC2 instances?

  • A. VPC
  • B. EC2
  • C. S3
  • D. IAM

Answer: A (VPC)

Explanation: Amazon Virtual Private Cloud (VPC) can be used to secure and isolate EC2 instances. VPC allows you to launch EC2 instances in a virtual network that is isolated from the Internet and other AWS resources. It enables you to control the inbound and outbound traffic to and from your EC2 instances using security groups and network ACLs.

A company wants to store and access large amounts of data in the cloud. What AWS service can be used to store and access large amounts of data in the cloud?

  • A. S3
  • B. EC2
  • C. CloudFront
  • D. IAM

Answer: A (S3)

Explanation: Amazon Simple Storage Service (S3) can be used to store and access large amounts of data in the cloud. S3 is an object storage service that enables you to store, retrieve, and manage vast amounts of data at any time, from anywhere on the web. It is a highly available and durable storage option for storing and accessing large amounts of data.

A company wants to automate the deployment of EC2 instances. What AWS service can be used to automate the deployment of EC2 instances?

  • A. CloudFormation
  • B. EC2
  • C. S3
  • D. IAM

Answer: A (CloudFormation)

Explanation: Amazon CloudFormation can be used to automate the deployment of EC2 instances. CloudFormation enables you to create, update, and delete AWS resources in an organized and predictable manner. It provides a way to automate the deployment of EC2 instances by defining the desired state of the resources in a template and then applying that template to create or update the resources.

A company wants to load balance incoming traffic across multiple EC2 instances. What AWS service can be used to load balance incoming traffic across multiple EC2 instances?

  • A. ELB
  • B. EC2
  • C. S3
  • D. IAM

Answer: A (ELB)

Explanation: Amazon Elastic Load Balancer (ELB) can be used to load balance incoming traffic across multiple EC2 instances. ELB distributes incoming traffic across multiple EC2 instances, enabling you to improve the performance and reliability of your application. It automatically detects the health of your EC2 instances and routes traffic only to healthy instances, ensuring high availability.

A company wants to monitor the resource utilization of its EC2 instances. What AWS service can be used to monitor the resource utilization of EC2 instances?

  • A. CloudWatch
  • B. EC2
  • C. S3
  • D. ELB

Answer: A (CloudWatch)

Explanation: Amazon CloudWatch can be used to monitor the resource utilization of EC2 instances. CloudWatch enables you to collect and track metrics, set alarms, and automate actions based on specific thresholds. It provides real-time visibility into resource utilization, enabling you to identify and resolve performance issues with your EC2 instances in a timely manner.

Basic Sample Questions

Q1) To manage its numerous AWS accounts, a large firm uses AWS Organizations. According to corporate policy, all users should have read-only access to a certain Amazon S3 bucket under a central account. No one outside the company should be able to access the data in the S3 buckets. A SysOps administrator must configure permissions and add a bucket policy to the S3 bucket. Which inputs must be made in order to complete this work in the MOST EFFECTIVE manner?

  1. Specify "*" as the principal and PrincipalOrgId as a condition.
  2. Specify all account numbers as the principal.
  3. Specify PrincipalOrgId as the principal.
  4. Specify the organization’s master account as the principal.

Correct Answer: Specify "*" as the principal and PrincipalOrgId as a condition.

Explanation: AWS Organizations lets you organise a collection of AWS accounts into a single entity. Once accounts have joined the organisation, grouping them into organisational units (OUs) lets you apply policies that help you meet security and compliance requirements. To establish hierarchical relationships between your accounts, you can create OUs inside OUs as well as many OUs within a single organisation. When you create an organisation, AWS Organizations automatically creates your first account container, which is named the root. The root contains every OU you build.

Refer: Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations

Q2) A company has a flash sale going on its website. The website is run using burstable Amazon EC2 instances that are members of an Auto Scaling group. The Auto Scaling group is configured to deploy instances when the CPU use reaches 70%. A few hours into the auction, users start to complain about slow load times and error messages for refused connections. When checking Amazon CloudWatch metrics, a SysOps administrator notices that the fleet’s overall CPU use is above 20%. The website’s functionality must be restored by the SysOps administrator without changing the network infrastructure. Which solution will meet these requirements?

  1. Activate unlimited mode for the instances in the Auto Scaling group.
  2. Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group.
  3. Move the website to a different AWS Region that is closer to the users.
  4. Reduce the desired size of the Auto Scaling group to artificially increase CPU average utilization.

Correct Answer: Move the website to a different AWS Region that is closer to the users.

Explanation: Using the Amazon EC2 GUI, an AWS SDK, a command-line tool, or an Auto Scaling group, you can deploy your instances as unlimited or normal.

Refer: Launch a burstable performance instance as Unlimited or Standard

Q3) A SysOps administrator finds that an Amazon EC2 Auto Scaling group is expanding. Amazon CloudWatch shows that the RequestCount metric of the associated Application Load Balancer has increased. The administrator wants to know the source IP addresses of the requests. Where can the administrator find this data?

  1.  Auto Scaling logs
  2.  AWS CloudTrail logs
  3.  EC2 instance logs
  4.  Elastic Load Balancer access logs

Correct Answer: AWS CloudTrail logs

Refer: Amazon EC2 Auto Scaling

Q4) A company is moving its production file server to AWS. All data stored on the file server must continue to be available in the event that an Availability Zone becomes unreachable or during system maintenance. Users must be able to connect to the file server using the SMB protocol. Additionally, users must be able to control file permissions using Windows ACLs. Which solution will meet these requirements?

  1.  Create a single AWS Storage Gateway file gateway.
  2.  Create an Amazon FSx for Windows File Server Multi-AZ file system. 
  3.  Deploy two AWS Storage Gateway file gateways across two Availability Zones. Configure an Application Load Balancer in front of the file gateways.
  4.  Deploy two Amazon FSx for Windows File Server Single-AZ 2 file systems. Configure Microsoft Distributed File System Replication (DFSR).

Correct Answer: Create an Amazon FSx for Windows File Server Multi-AZ file system.

Refer: What is FSx for Windows File Server?

Q5) A company wants to monitor its AWS charges for Amazon EC2 and Amazon RDS. The company decides to make its resource labelling (tagging) stricter. Its Amazon Web Services (AWS) accounts are in high demand. A SysOps administrator must find any resources that are not compliant. Which option meets these criteria in the MOST OPTIMAL way?

  1.  Create a rule in Amazon EventBridge (Amazon CloudWatch Events) that invokes a custom AWS Lambda function that will evaluate all created or updated resources for the specified tags.
  2.  Create a rule in AWS Config that invokes a custom AWS Lambda function that will evaluate all resources for the specified tags.
  3.  Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags.
  4.  Create a rule in Amazon EventBridge (Amazon CloudWatch Events) with a managed rule to evaluate all created or updated resources for the specified tags.

Correct Answer: Create a rule in AWS Config with the required-tags managed rule to evaluate all resources for the specified tags.

Refer: required-tags

Q6) A company maintains a number of apps for its customers. The standard AWS CloudFormation template for each application’s deployment creates a new Virtual Private Cloud (VPC). All apps are hosted in the same Region and the same Amazon Web Services (AWS) account. A SysOps administrator attempts to deploy the same AWS CloudFormation stack but discovers that it does not deploy. What is the problem most likely to be?

  1. The Amazon Machine Image (AMI) used is not available in that Region.
  2. The most recent version of the AWS CloudFormation template must be used.
  3. The template needs to be updated because the VPC configuration parameters have changed.
  4. The account has used up all of its permitted VPCs.

Correct Answer: The account has used up all of its permitted VPCs.

Refer: Amazon VPC quotas

Q7) A company’s website is hosted in the us-east-1 Region. The company is currently preparing to publish its website in the eu-central-1 Region. Visitors from Europe should access the website hosted in eu-central-1. The remaining users access the website hosted in us-east-1. The company uses Amazon Route 53 to maintain the DNS records for the website. Which routing policy should a SysOps administrator apply to the Route 53 record to implement these requirements?

  1.  Geolocation routing policy 
  2.  Geoproximity routing policy
  3.  Latency routing policy
  4.  Multivalue answer routing policy

Correct Answer: Multivalue answer routing policy

Refer: Choosing a routing policy

Q8) A company hosts a website on Amazon EC2 instances that are routed through an Application Load Balancer (ALB). The organisation set up an Amazon CloudFront distribution and designated the ALB as the origin. The company created an Amazon Route 53 CNAME record to direct all traffic through the CloudFront distribution. Unexpectedly, the desktop version of the website is suddenly being served to mobile users. What is the best course of action a SysOps administrator should take to resolve this problem?

  1.  Configure the CloudFront distribution behavior to forward the User-Agent header.
  2.  Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers. 
  3.  Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.
  4.  Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint.

Correct Answer:  Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.

Refer: Routing traffic to an ELB load balancer

Q9) Customers can upload and download files using a service provided by a data storage company on a need-to-know basis. The files must be instantaneously accessible for a year while being stored in Amazon S3 Standard. Users frequently view a file within the first 30 days after it is saved. Users rarely access files after 30 days. The company’s SysOps administrator must create a solution using S3 Lifecycle rules that maintains object availability while cutting costs. Which solution will meet these requirements?

  1.  Move objects to S3 Glacier after 30 days.
  2.  Move objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
  3.  Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
  4.  Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately.

Correct Answer: Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.

Refer: Transitioning objects using Amazon S3 Lifecycle

Q10) A company uses Amazon Elasticsearch Service (Amazon ES) to examine sales and consumer usage data. Members of the company’s widely dispersed sales staff are travelling. They must use their corporate credentials stored in Active Directory to log into Kibana. To enable cloud service authentication, the company has deployed Active Directory Federation Services (AD FS). Which solution will meet these requirements?

  1.  Configure Active Directory as an authentication provider in Amazon ES. Add the Active Directory server’s domain name to Amazon ES. Configure Kibana to use Amazon ES authentication.
  2.  Deploy an Amazon Cognito user pool. Configure Active Directory as an external identity provider for the user pool. Enable Amazon Cognito authentication for Kibana on Amazon ES. 
  3.  Enable Active Directory user authentication in Kibana. Create an IP-based custom domain access policy in Amazon ES that includes the Active Directory server’s IP address.
  4.  Establish a trust relationship with Kibana on the Active Directory server. Enable Active Directory user authentication in Kibana. Add the Active Directory server’s IP address to Kibana.

Correct Answer: Deploy an Amazon Cognito user pool. Configure Active Directory as an external identity provider for the user pool. Enable Amazon Cognito authentication for Kibana on Amazon ES.

Refer: How to enable secure access to Kibana using AWS Single Sign-On

Q11) A SysOps administrator is automating the recovery of an Amazon EC2 instance following a hardware failure. The recovered instance must have the same Elastic IP address and private IP address as the original instance. The SysOps staff must be contacted via email when the recovery procedure starts. Which solution will meet these requirements?

  1. Create an Amazon CloudWatch alarm for the EC2 instance and specify the StatusCheckFailed_Instance metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
  2. Create an Amazon CloudWatch alarm for the EC2 instance and specify the StatusCheckFailed_System metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
  3. Create an Auto Scaling group with a minimum, maximum, and desired size of 1 that spans three distinct subnets in the same availability zone. Create a launch template for the Auto Scaling group that includes both the private and Elastic IP addresses. Add an activity notification for the Auto Scaling group to send an email message to the SysOps team using Amazon Simple Email Service (Amazon SES).

Correct Answer:  Create an Amazon CloudWatch alarm for the EC2 instance, and specify the StatusCheckFailed_Instance metric. Add an EC2 action to the alarm to recover the instance. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.

Refer: Create a CloudWatch alarm for an instance

Q12) A SysOps administrator has created a virtual private cloud (VPC) with a public and a private subnet. Amazon EC2 instances in the private subnet cannot connect to the internet. The default network ACL is enabled on all subnets in the VPC, and all security groups permit all outbound traffic. Which choice will allow EC2 instances in the private subnet to connect to the internet?

  1. In the public subnet, set up a NAT gateway. From the private subnet, create a route to the NAT gateway.
  2. In the public subnet, set up a NAT gateway. Establish a route to the NAT gateway from the public subnet.
  3. In the private subnet, set up a NAT gateway. Establish a route to the NAT gateway from the public subnet.
  4. In the private subnet, establish a NAT gateway. From the private subnet, create a route to the NAT gateway.

Correct Answer: In the public subnet, set up a NAT gateway. From the private subnet, create a route to the NAT gateway.

Refer: NAT gateways

Q13) A company learns that a sizable portion of their gp2 Amazon EBS volumes are getting close to capacity. Which approach will require the LEAST amount of effort and produce the FEWEST interruptions?

  1.  Create a snapshot and restore it to a larger gp2 volume.
  2.  Create a RAID 0 with another new gp2 volume to increase capacity.
  3.  Leverage the Elastic Volumes feature of EBS to increase gp2 volume size.
  4.  Write a script to migrate data to a larger gp2 volume.

Correct Answer: Leverage the Elastic Volumes feature of EBS to increase gp2 volume size

Refer: Amazon EBS features

Q14) A company has adopted a new rule that requires all AWS resources to be labelled in accordance with a predetermined policy. Which AWS service should be used to enforce the policy and continually uncover resources that do not comply with it?

  1.  AWS CloudTrail
  2.  Amazon Inspector
  3.  AWS Config 
  4.  AWS Systems Manager

Correct Answer: AWS Config

Refer: AWS Config

Q15) A company is integrating two apps. One application is hosted in an on-site data centre and has the hostname host1.onprem.private. The other application is hosted on an Amazon EC2 instance with the hostname host1.awscloud.private. An AWS Site-to-Site VPN connection is established between the on-premises network and AWS. DNS resolution fails when the data centre application tries to connect to the EC2 instance application. A SysOps administrator must implement DNS resolution between on-premises and AWS resources. Which approach makes it possible for the on-premises application to resolve the hostname of the EC2 instance?

  1. Create a forwarding rule for the onprem.private hosted zone and an Amazon Route 53 inbound resolver endpoint. Connect the resolver to the EC2 instance’s VPC. Specify the inbound resolver endpoint as the destination for onprem.private DNS queries in the on-premises DNS resolver configuration.
  2. Create an inbound resolver endpoint for Amazon Route 53. Connect the resolver to the EC2 instance’s VPC. Set up the inbound resolver endpoint to receive DNS requests for awscloud.private from the on-premises DNS resolver.
  3. Create an onprem.private hosted zone forwarding rule for an Amazon Route 53 outbound resolver endpoint. Connect the resolver to the EC2 instance’s AWS region. Set up the on-premises DNS resolver such that it sends requests for onprem.private DNS to the outbound resolver endpoint.
  4. Create an outbound resolver endpoint for Amazon Route 53. Connect the resolver to the EC2 instance’s AWS region. Configure the on-premises DNS resolver to forward awscloud.private DNS requests to the outbound resolver endpoint.

Correct Answer: Create an inbound resolver endpoint for Amazon Route 53. Connect the resolver to the EC2 instance’s VPC. Set up the inbound resolver endpoint to receive DNS requests for awscloud.private from the on-premises DNS resolver.

Refer: How do I configure a Route 53 Resolver inbound endpoint to resolve DNS records in my private hosted zone from my remote network?

Q16) A firm creates customised AMI images by launching new Amazon EC2 instances using an AWS CloudFormation template. Through AWS OpsWorks, it installs and configures the necessary software and creates an image of each EC2 instance. Normally, installing and configuring software takes between two and three hours, but installation issues could cause the process to stop. To ensure that the entire stack fails and rolls back if the process stalls, the SysOps administrator must modify the CloudFormation template. In light of these specifications, what should be added to the template?

  1. Conditions with a timeout set to 4 hours.
  2. CreationPolicy with a timeout set to 4 hours.
  3. DependsOn with a timeout set to 4 hours.
  4. Metadata with a timeout set to 4 hours.

Correct Answer: CreationPolicy with a timeout set to 4 hours.

Refer: Deploying applications on Amazon EC2 with AWS CloudFormation

Q17) Prior to uploading anything to an S3 bucket, a company must ensure that data is encrypted. Which of the following actions would meet this requirement? (Choose two.)

  1. Use AWS Shield to protect against unencrypted objects stored in S3 buckets.
  2. Implement an object access control list (ACL) to prevent the upload of unencrypted objects to the S3 bucket.
  3. Use Amazon S3 default encryption to ensure that all objects being uploaded are encrypted before they are stored.
  4. Use Amazon Inspector to check that objects uploaded to the S3 bucket are encrypted.
  5. Implement S3 bucket policies to prevent the upload of unencrypted objects to the buckets.

Correct Answer: Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored; implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.

Refer: Sample ACL

Q18) A company uses AWS CloudTrail to monitor account activity and is concerned that some log files are being changed after they are delivered to the account’s Amazon S3 bucket. How can the SysOps Administrator make sure that, going forward, log files have not been modified after they are uploaded to the S3 bucket?

  1. Stream CloudTrail logs to Amazon CloudWatch Logs to store logs in a backup location.
  2. Enable log file integrity checking and use digest files to check the log file’s hash value.
  3. Replicate the S3 log bucket across regions and use S3 managed keys to encrypt log files.
  4. Enable S3 server access logging to monitor log bucket requests for security audits.

Correct Answer: Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.

Q19) A SysOps Administrator must monitor free space on Amazon EBS volumes attached to Amazon EC2 instances running Microsoft Windows in a company’s account. Potential issues must be brought to the administrator’s attention. How can the administrator ensure that they receive email alerts before the EC2 instance’s performance suffers from a lack of storage?

  1. Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications.
  2. Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic.
  3. Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic.
  4. Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space.

Correct Answer: Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic.

Q20) A company delivers an application that uses Amazon ElastiCache for Redis with two extra-large nodes across two different Availability Zones. The ElastiCache for Redis cluster has 75% free RAM, according to the company’s information technology team. The availability of the application must be kept at a high level. What cluster resizing technique is the MOST economical?

  1. Decrease the number of nodes in the ElastiCache for Redis cluster from 2 to 1.
  2. Deploy a new ElastiCache for Redis cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original cluster.
  3. Deploy a new ElastiCache for Redis cluster that uses large node types. Take a backup from the original cluster, and restore the backup in the new cluster. After the process is complete, shut down the original cluster.
  4. Perform an online resizing for the ElastiCache for Redis cluster. Change the node types from extra-large nodes to large nodes.

Correct Answer: Deploy a new ElastiCache for Redis cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original cluster.
