SOA-C02 Amazon Web Services AWS Certified SysOps Administrator - Associate (SOA-C02) Free Practice Exam Questions (2025 Updated)

To set up a notification for failed health checks of targets in the ALB, follow these steps:

Create a CloudWatch Alarm:

Navigate to CloudWatch and create a new alarm based on the UnHealthyHostCount metric of the target group.

To prioritize alarm notifications over information notifications in an Amazon SQS environment, creating separate queues for each type of notification is the best approach. This allows the application processing the queues to prioritize fetching messages from the alarm notifications queue first. Option D directly addresses the need for prioritization without complicating the existing infrastructure. This setup is supported by best practices for using Amazon SQS, where using multiple queues to segregate message types is a recommended strategy Amazon SQS Best Practices.

In AWS, to enable outbound-only internet access for IPv6 traffic from instances in a private subnet, an egress-only internet gateway is used. This gateway allows instances to initiate outbound connections to the internet over IPv6, but prevents unsolicited inbound connections from the internet.

To implement this:

Create an Egress-Only Internet Gateway:This gateway is specifically designed for IPv6 traffic and provides a mechanism to allow outbound communication while blocking inbound traffic.

Update Route Tables:In the route tables associated with the private subnets, add a default route for IPv6 traffic (::/0) that points to the egress-only internet gateway. This ensures that all outbound IPv6 traffic from the private subnets is directed through the egress-only internet gateway.

By configuring the egress-only internet gateway and updating the route tables accordingly, instances in the private subnets can access the internet over IPv6 without exposing themselves to inbound internet traffic.

When you have EC2 instances requiring low-latency, high-throughput communication, the best placement strategy is to use a cluster placement group.

From the AWS EC2 Placement Group Guide:

A cluster placement group is a logical grouping of instances within a single AZ.

This strategy enables workloads to achieve low-latency network performance needed for tightly coupled node-to-node communication.

❌ Why the other options are incorrect:

B: Elastic IPs are used for static public IP addressing — they do not affect intra-cluster latency.

C: Jumbo frames require support from all hardware/network layers and are not guaranteed to lower latency.

D: Spread placement groups distribute instances across different hardware, which increases latency.

To manage user accounts and permissions across multiple AWS accounts and integrate with an on-premises Active Directory, using AD Connector is the most operationally efficient solution. AD Connector serves as a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without storing any directory data in the cloud. This setup allows IAM Identity Center to use the existing corporate credentials, ensuring centralized management and seamless user access control. Option C perfectly meets these requirements by leveraging existing infrastructure with minimal changes. AWS documentation on AD Connector offers guidance AWS Directory Service AD Connector.

To allow the Lambda function to access both the new RDS database in a private subnet and the internet, the Lambda function needs to be reconfigured for VPC access with a NAT gateway setup.

Reconfigure Lambda for VPC Access:

Attach the Lambda function to the private subnets where the RDS instance is located.

Add NAT gateways to the public subnets to allow outbound internet access from the private subnets.

NAT Gateway:

NAT gateways allow instances in private subnets to connect to the internet or other AWS services, but they prevent the internet from initiating connections with those instances.

Steps to Implement:

Create NAT gateways in the public subnets.

Update the route tables of the private subnets to route internet-bound traffic through the NAT gateways.

Ensure the Lambda function has the necessary IAM role permissions to access the VPC and RDS.

Configuring a Lambda Function to Access Resources in a VPC

NAT Gateways

Cluster placement groups are designed to place EC2 instances close together within a single Availability Zone, which reduces latency and maximizes network performance between instances.

Cluster Placement Group: Reduces network latency by keeping instances in close proximity within the same hardware, providing low-latency, high-throughput networking.

High Network Performance: Ideal for latency-sensitive applications, especially those running within a clustered architecture.

Spread placement groups are designed for high availability rather than low latency. Jumbo frames may improve throughput but not significantly reduce latency.

One possible cause for the failure of the CloudFormation template to create an EC2 instance in the us-west-2 Region is that the Amazon Machine Image (AMI) ID referenced in the template could not be found in the us-west-2 Region. This could be due to the fact that the AMI is not available in that region, or the credentials used to access the AMI were not configured properly. The other options (resource tags defined in the CloudFormation template are specific to the us-east-I Region, the cfn-init script did not run during resource provisioning in the us-west-2 Region, and the IAM user was not created in the specified Region) are not valid causes for this failure.

To encrypt an existing Amazon RDS DB instance that is not encrypted, you cannot directly enable encryption. Instead, you need to follow these steps:

Take a Snapshot:

Open the Amazon RDS console at Amazon RDS Console.

Select the DB instance and take a snapshot.

Copy and Encrypt the Snapshot:

After the snapshot is created, select the snapshot and choose Copy Snapshot.

In the copy snapshot dialog, enable encryption and choose a KMS key.

Restore the Encrypted Snapshot:

Once the encrypted snapshot is created, select it and choose Restore Snapshot.

Provide the necessary details to create a new DB instance from the encrypted snapshot.

This process ensures that the new DB instance is encrypted at rest.

Encrypting Amazon RDS Resources

Copying an Amazon RDS Snapshot

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

To block traffic to the external IP address identified by Amazon GuardDuty, the SysOps administrator should create a network ACL and add an outbound deny rule for traffic to the external IP address.

Network ACL:

Network ACLs (Access Control Lists) are stateless and operate at the subnet level. They can allow or deny specific inbound and outbound traffic based on rules.

Steps to Implement:

Go to the VPC console and select the network ACL associated with the subnet containing the EC2 instance.

Add an outbound rule to deny traffic to the external IP address provided by GuardDuty.

Ensure the rule is properly placed in the rule number order to be evaluated correctly.

Network ACLs

GuardDuty Documentation

When users report that old content is still appearing on the website after modifying files in an S3 bucket used by CloudFront, creating a CloudFront invalidation is the best solution.

CloudFront Invalidation:

Invalidation is the process of removing objects from the CloudFront cache before they expire.

This ensures that the updated content is served to the users.

Creating an Invalidation:

Open the CloudFront console.

Select the distribution and go to the "Invalidations" tab.

Create a new invalidation and specify the paths of the updated files.

Invalidating Files in Amazon CloudFront

To make the production environment highly available in accordance with company policy:

Database Migration: Move the MariaDB database from a single EC2 instance to Amazon RDS for MariaDB configured for Multi-AZ. This setup ensures high availability of the database with synchronous replication to a standby instance in a different Availability Zone.

Application Scalability: Deploy the application on EC2 instances within an Auto Scaling group. Configure the Auto Scaling group to operate across multiple Availability Zones to ensure that the application remains available even if one zone becomes unavailable.

Load Balancing: Place the EC2 instances behind an Elastic Load Balancer (ELB). The load balancer will distribute incoming application traffic across the multiple, geographically dispersed EC2 instances, further enhancing the availability and fault tolerance of the application.

This solution leverages AWS managed services to increase the reliability and availability of both the application and database layers, adhering to best practices for deploying critical production environments on AWS.

A CloudFormation stack in the DELETE_FAILED state typically indicates that some resources could not be deleted. One common reason is that S3 buckets in the stack still contain objects.

Steps:

Identify the Failed Resources:

Open the AWS CloudFormation console.

Select the stack in the DELETE_FAILED state.

Check the "Events" tab to identify the resource(s) that caused the failure.

Delete S3 Objects:

Open the Amazon S3 console.

Navigate to the bucket(s) listed in the CloudFormation events.

Delete all objects in the bucket. You can use the S3 console, AWS CLI, or an S3 batch operation to delete the objects.

Retry Stack Deletion:

After clearing the S3 bucket(s), go back to the CloudFormation console.

Select the stack and choose "Delete" to retry the deletion process.

To automate the creation and management of IAM roles for multiple AWS accounts in an AWS Organization, using AWS CloudFormation StackSets is the most operationally efficient solution.

AWS CloudFormation StackSets:

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple AWS accounts and regions with a single operation.

Using StackSets with AWS Organizations:

Create a CloudFormation template that defines the necessary IAM roles.

Use StackSets to deploy the template across multiple AWS accounts in your organization.

AWS CloudFormation StackSets

Creating IAM Roles with CloudFormation

You might want to use Transfer Acceleration on a bucket for various reasons: ->Your customers upload to a centralized bucket from all over the world. ->You transfer gigabytes to terabytes of data on a regular basis across continents. ->You can't use all of your available bandwidth over the internet when uploading to Amazon S3." https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html

The default behavior of AWS CloudFormation when the creation of a resource fails is to roll back the stack and delete the stack.

Stack Creation Failure:

If any resource within the stack fails to create, CloudFormation rolls back the stack by deleting all the resources that were successfully created up to the point of failure.

This ensures that no partially created resources are left in the user's account.

Review the Events:

Open the CloudFormation console.

Select the stack and review the "Events" tab to identify the cause of the failure.

AWS CloudFormation Stack Rollback

Troubleshooting AWS CloudFormation

The connectivity issues could be due to:

Security Group Ingress Rules:

Ensure that the security group for the RDS database has the correct ingress rules allowing traffic from the web server’s security group or IP address.

Go to the RDS console, select your database instance, and check the security groups.

In the security group settings, verify that the correct port (usually 3306 for MySQL) is open for the web server's IP or security group.

Port Configuration:

Verify that the application is configured to use the correct port that matches the RDS database configuration.

Check the application configuration files to ensure the port number matches the port specified in the RDS instance.

Amazon RDS Security Groups

Troubleshooting RDS Connectivity

To ensure high availability and that instances are placed on distinct underlying hardware, a spread placement group should be used. Spread placement groups place instances on distinct hardware, reducing the risk of simultaneous failures.

Create Spread Placement Group:

Open the EC2 console at Amazon EC2 Console.

Navigate to Placement Groups in the sidebar.

Click Create placement group and select Spread for the strategy.

Launch Instances:

When launching new instances, select the placement group you created.

Ensure the instances are in the same AWS Region but spread across distinct hardware.

Verify Placement:

After launching, verify that the instances are in the spread placement group by checking the instance details in the console.

Placement Groups

Creating a Spread Placement Group

AWS Compute Optimizer Overview:

AWS Compute Optimizer analyzes the configuration and utilization of AWS resources, including EBS volumes, to provide cost-optimization recommendations.

Steps to Use AWS Compute Optimizer for EBS Volumes:

Enable Compute Optimizer:

Open the Compute Optimizer Console.

Enable the service for your account.

Allow Metrics Collection:

Allow sufficient time (up to 12 hours) for Compute Optimizer to gather metrics on your EBS volumes.

Review Recommendations:

Go to the Compute Optimizer dashboard.

Navigate to the EBS volume recommendations.

Review the findings for underutilized or overprovisioned volumes.

Why Other Options Are Incorrect:

A: Manually reviewing EC2 monitoring graphs is less efficient and prone to errors compared to Compute Optimizer.

B: Changing instance types to EBS-optimized without assessing performance is unnecessary and unrelated to cost optimization.

D: Installing the fio tool and benchmarking is a time-intensive, manual process that does not align with operational efficiency.