SOA-C02 Amazon Web Services AWS Certified SysOps Administrator - Associate (SOA-C02) Free Practice Exam Questions (2025 Updated)

If users are unable to connect to a specific Ubuntu EC2 instance using AWS Systems Manager Session Manager while other instances are accessible, the issue is likely due to IAM permissions:

Instance Profile Permissions: Ensure that the EC2 instance has the necessary IAM permissions to interact with Systems Manager. The AmazonSSMManagedInstanceCore managed policy includes permissions required for the SSM Agent on the instance to communicate with the AWS Systems Manager service.

Attach Managed Policy: Attach the AmazonSSMManagedInstanceCore policy to the IAM role that is associated with the Ubuntu instance's instance profile. This step is crucial as it authorizes the instance to use Systems Manager services, including Session Manager.

Verify Configuration and Connectivity: After updating the instance profile, verify that users can connect via Session Manager. This solution does not require any changes to network security settings like security groups.

By ensuring that the instance has the appropriate IAM permissions, you resolve issues related to access control and Systems Manager functionality, allowing authorized personnel to connect securely without using SSH or RDP.

If a user is unable to connect to an EC2 instance via RDP, the issue could be related to network ACLs or route table configurations.

Network ACL Blocking Traffic:

A network ACL (NACL) associated with the bastion's subnet might be blocking traffic on port 3389 (RDP).

Open the Amazon VPC console and navigate to Network ACLs.

Check the inbound and outbound rules for the NACL associated with the subnet. Ensure that port 3389 is allowed.

Route Table Missing Route to Internet Gateway:

The subnet's route table may not have a route to the internet gateway, which is necessary for internet connectivity.

Open the Amazon VPC console and navigate to Route Tables.

Check the route table associated with the subnet. Ensure there is a route with destination 0.0.0.0/0 pointing to the internet gateway (igw-xxxxxxxx).

Ensuring proper configuration of network ACLs and route tables will enable the required internet connectivity for RDP access.

Network ACLs

Route Tables

When using Amazon S3 Object Lock configured in governance mode, deleting objects before their retention period ends requires specific permissions. To bypass these governance restrictions, the administrator must:

C: Assume a role that has the s3:BypassGovernanceRetention permission. This permission allows the role to override the governance mode restrictions.

D: Include the x-amz-bypass-governance-retention:true header in the delete request. This header is necessary to programmatically bypass the governance retention settings when making a delete request via the AWS CLI or SDK. These steps enable the deletion of objects under governance mode retention without waiting for the retention period to expire, addressing the need to remove unintended data uploads effectively. For further details, refer to the AWS documentation on S3 Object Lock Amazon S3 Object Lock.

To monitor and automatically respond to security groups allowing SSH access:

AWS Config: This service can be used to detect security groups that allow SSH access publicly (Option B). AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

AWS Systems Manager Automation: This can automatically execute actions like closing the port when a non-compliant security group is detected (Option D). It allows the execution of automated workflows that can respond to Config rule findings, ensuring immediate remediation actions such as closing ports. These two services combined offer a comprehensive solution to monitor, detect, and rectify unwanted security group configurations automatically. AWS documentation on AWS Config AWS Config and on Systems Manager Automation Systems Manager Automation provides additional insights.

When you create a hosted zone, Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html#migrate-dns-create-hosted-zone

https://en.wikipedia.org/wiki/SOA_record

Step-by-Step Explanation:

Understand the Problem:

The EC2 instance processes large data files and uses a 1 TB General Purpose SSD (gp2) EBS volume.

CloudWatch metrics show consistent high VolumeReadOps.

The requirement is to improve I/O performance while ensuring data integrity.

Analyze the Requirements:

Improve I/O performance.

Maintain data integrity.

Evaluate the Options:

Option A: Change the instance type to a large, burstable, general-purpose instance.

Burstable instances provide a baseline level of CPU performance with the ability to burst to a higher level when needed. However, this does not address the I/O performance directly.

Option B: Change the instance type to an extra-large general-purpose instance.

A larger instance type might improve performance, but it does not directly address the I/O performance of the EBS volume.

Option C: Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume.

Increasing the size of a General Purpose SSD (gp2) volume can increase its IOPS. The larger the volume, the higher the baseline performance in terms of IOPS.

Option D: Move the data that resides on the EBS volume to the instance store.

Instance store volumes provide high I/O performance but are ephemeral, meaning data will be lost if the instance is stopped or terminated. This does not ensure data integrity.

Select the Best Solution:

Option C: Increasing the EBS volume size to 2 TB will provide higher IOPS, improving I/O performance while maintaining data integrity.

Amazon EBS Volume Types

General Purpose SSD (gp2) Volumes

Increasing the size of the General Purpose SSD (gp2) volume is an effective way to improve I/O performance while ensuring data integrity remains intact.

Using the interface endpoint, applications in your on-premises data center can easily query S3 buckets over AWS Direct Connect or Site-to-Site VPN. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

To enable AWS Config in all accounts and all regions within an AWS Organization, the most operationally efficient method is to use AWS CloudFormation StackSets. This allows you to deploy CloudFormation stacks across multiple AWS accounts and regions from a single CloudFormation template.

Create CloudFormation Template:

The template should include the necessary resources to enable AWS Config, such as the AWS::Config::ConfigurationRecorder, AWS::Config::DeliveryChannel, and AWS::Config::ConfigurationAggregator resources.

Create StackSet:

Open the AWS CloudFormation console at AWS CloudFormation Console.

Choose Create StackSet and upload your CloudFormation template.

Configure StackSet:

Specify the AWS accounts and regions where you want to deploy the stacks.

Set the deployment options, including the execution role and administrator role.

Deploy Stack Instances:

Deploy the stack instances to all specified accounts and regions. This will automatically enable AWS Config in each account and region.

AWS CloudFormation StackSets

Managing AWS Config Across Multiple Accounts

AWS CloudFormation StackSets Overview:

StackSets allows for deployment of CloudFormation stacks across multiple AWS accounts and Regions.

A stack instance in the "OUTDATED" status indicates that the stack template or parameters differ between the StackSet and the stack instance.

Why the Stack Instance Fails:

The "OUTDATED" status occurs when the stack operation (creation or update) was not successfully completed in a specific Region.

In this case, the most likely reason is that the stack has not yet been deployed in the specified Region.

Steps to Resolve:

Check the deployment status in the CloudFormation StackSets Console.

Identify the Region where the stack is in the "OUTDATED" status.

Retry the stack deployment for that Region by running a stack set update or stack instance operation.

Why Other Options Are Incorrect:

A: Local template changes do not impact CloudFormation unless submitted to AWS. This is unrelated to StackSets.

B: While creating a global resource might fail, it would result in an error status (e.g., "FAILED"), not "OUTDATED."

D: Using an old API version would cause errors in the API request, not affect the stack instance status.

To automate the invocation of an AWS Lambda function at the end of each day, you can use Amazon EventBridge (formerly known as CloudWatch Events) to create a scheduled rule.

Create a Scheduled EventBridge Rule:

Open the Amazon EventBridge console at Amazon EventBridge Console.

Choose Create rule.

Provide a name and description for the rule.

For Rule type, choose Schedule.

Define a cron expression that runs the rule at the end of each day. For example, cron(0 0 * * ? *) runs the function at midnight UTC.

Set the Target:

In the Targets section, choose Add target.

For Target type, select Lambda function.

Choose the Lambda function you want to invoke.

Create the Rule:

Review the settings and choose Create rule.

This setup ensures that the Lambda function runs automatically at the specified time every day.

Amazon EventBridge Scheduler

Managing EventBridge Rules

The Kubernetes Horizontal Pod Autoscaler (HPA) automatically scales the number of pods in a deployment, replica set, or stateful set based on observed CPU utilization or other custom metrics.

From Kubernetes documentation:

The HPA automatically scales the number of pods in a deployment depending on CPU usage or other select metrics.

It is commonly used to handle traffic surges with minimal manual intervention.

This is the most efficient and low-maintenance way to scale workloads in Amazon EKS in response to traffic changes.

Amazon FSx provides a fully managed file system that is optimized for Windows-based workloads and can be used to create file shares that can be accessed both on premises and in the AWS Cloud. The file shares that are created in Amazon FSx are highly available and can be accessed with low latency. Additionally, Amazon FSx supports Windows-based authentication, making it easy to integrate with existing Windows user accounts.

Enabling the organizational view in AWS Health will allow the SysOps administrator to consolidate the alerts from each account’s Personal Health Dashboard. It will also provide the administrator with a single view of all the accounts in the organization, allowing them to easily monitor the health of all the accounts in the organization.

To enable decryption of objects, the role only requires minimal permissions with least privilege:

kms

Necessary for reading and decrypting the data encrypted with KMS.

kms

Allows the role to check key properties, confirming it’s the correct key for decryption.

kms

Useful if multiple keys are in use and validation against an alias is needed.

These permissions are sufficient for decryption without granting additional permissions like encryption or key management.

The most likely reason for the unexpected placement of EC2 instances is that one Availability Zone did not have sufficient capacity for the requested EC2 instance type.

Capacity Constraints:

AWS manages EC2 instance placement based on available capacity in the Availability Zones.

If a particular Availability Zone does not have enough capacity for the instance type you requested, AWS will place instances in other Availability Zones with sufficient capacity.

Auto Scaling Group Configuration:

Even if the Auto Scaling group is configured to use all three Availability Zones, instances might not be evenly distributed if one zone lacks the required capacity.

This can result in instances being placed in the remaining zones with available capacity.

Monitoring and Mitigation:

Monitor the capacity limits and instance distribution using CloudWatch and the Auto Scaling group's activity history.

Consider using smaller instance types or different instance families to avoid capacity issues in specific zones.

Amazon EC2 Auto Scaling

Troubleshooting Amazon EC2 Capacity Issues

Ensuring that all the EC2 instances have an instance profile with Systems Manager access is the most effective way to fix this issue. Having an instance profile with Systems Manager access will allow the SysOps administrator to configure the inventory collection for all the instances in the subnet, regardless of whether or not they are managed by Systems Manager.

The issue of "request timed out" when pinging the public IP address of the EC2 instance could be due to the Network ACL (NACL) inbound rules.

Check NACL Inbound Rules:

Network ACLs act at the subnet level and can explicitly allow or deny traffic to or from a subnet.

Ensure that the NACL associated with the subnet containing the EC2 instance has inbound rules that allow ICMP traffic (which is used for ping).

Example rule to allow inbound ICMP traffic:

Rule Number: 100

Type: ICMP

Protocol: 1

Port Range: N/A (ICMP doesn't use ports)

Source: 0.0.0.0/0 (or specific IP range)

Allow/Deny: ALLOW

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html In governance mode, users can 't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period. In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.

For member accounts in AWS Organizations to receive notifications about estimated costs exceeding a predetermined amount, billing alerts must be enabled in the management/payer account.

Enable Billing Alerts in the Management Account:

Open the AWS Billing and Cost Management console at AWS Billing Console.

In the navigation pane, choose Billing preferences.

Under Billing preferences, ensure that Receive Billing Alerts is enabled.

Create a Budget and Set Up Notifications:

Open the AWS Budgets console at AWS Budgets Console.

Create a budget and configure it to monitor the estimated costs.

Set up notifications for when the budget thresholds are exceeded and specify the email addresses of the managers in the member accounts.

By enabling billing alerts in the management account, you allow member accounts to receive notifications about their estimated costs.

Setting Up Alerts and Notifications

Creating an AWS Budget