SOA-C02 Amazon Web Services AWS Certified SysOps Administrator - Associate (SOA-C02) Free Practice Exam Questions (2025 Updated)

Here are the steps to update an existing AWS CloudFormation stack:

Log in to the AWS Management Console and navigate to the CloudFormation service in the us-east-2 Region.

Find the existing stack named 1700182 and click on it.

Click on the "Update" button.

Choose "Replace current template" and upload the updated CloudFormation template from the Amazon S3 bucket named "cloudformation-bucket"

In the "Parameter" section, update the EC2 instance type to us-east-t2.nano and add the IP address range 192.168.100.0/30 for SSH access.

Replace the instance profile IAM role with IamRoleB.

In the "Capabilities" section, check the checkbox for "IAM Resources"

Choose the role CFServiceR01e and click on "Update Stack"

Wait for the stack to be updated.

Once the update is complete, navigate to the stack and click on the "Stack options" button, and select "Prevent updates to prevent accidental deletion"

To get the value of the Prodlnstanceld , navigate to the "Outputs" tab in the CloudFormation stack and find the key "Prodlnstanceld". The value corresponding to it is the value that you need to enter in the text box below.

Note:

You can use AWS CloudFormation to update an existing stack.

You can use the AWS CloudFormation service role to deploy updates.

You can refer to the AWS CloudFormation documentation for more information on how to update and manage stacks: https://aws.amazon.com/cloudformation/

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

https://aws.amazon.com/s3/

https://aws.amazon.com/route53/

https://aws.amazon.com/cloudwatch/

Graphical user interface, application, Teams Description automatically generated

Installing the CloudWatch agent enables log monitoring, and a CloudWatch metric filter allows alerting on specific errors. Using EventBridge to trigger a Systems Manager Automation runbook automates the restart of the web server, creating an efficient and automated solution.

A mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file system. You mount your file system using its Domain Name Service (DNS) name, which resolves to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance. You can create one mount target in each Availability Zone in an AWS Region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets. Then all EC2 instances in that Availability Zone share that mount target. https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html

Step-by-Step Explanation:

Understand the Problem:

Enforce a policy that requires all AWS resources to be tagged according to company policy.

Continuously identify non-compliant resources.

Analyze the Requirements:

Implement a solution to monitor and enforce resource tagging compliance.

Evaluate the Options:

Option A: AWS CloudTrail.

Provides logging and monitoring of API calls but does not enforce tagging policies.

Option B: Amazon Inspector.

Primarily used for security assessments, not resource tagging compliance.

Option C: AWS Config.

Monitors and evaluates the configurations of AWS resources.

Can enforce compliance by using AWS Config rules to check resource tags.

Option D: AWS Systems Manager.

Provides operational insights and management but is not specifically designed for compliance enforcement.

Select the Best Solution:

Option C: AWS Config is designed for compliance and configuration monitoring, making it the ideal service for enforcing and identifying non-compliant resource tags.

AWS Config

Managing Resource Tag Compliance with AWS Config

AWS Config provides the necessary tools to enforce and monitor resource tagging compliance, ensuring all resources adhere to the set policy.

HTTP 502 errors from CloudFront can occur because of the following reasons:

There's an SSL negotiation failure because the origin is using SSL/TLS protocols and ciphers that aren't supported by CloudFront.

There's an SSL negotiation failure because the SSL certificate on the origin is expired or invalid, or because the certificate chain is invalid.

There's a host header mismatch in the SSL negotiation between your CloudFront distribution and the custom origin.

The custom origin isn't responding on the ports specified in the origin settings of the CloudFront distribution.

The custom origin is ending the connection to CloudFront too quickly.

https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cloudfront-connection-error/

To configure Route 53 for high availability with failover between a primary and a secondary server, the following steps should be taken:

Create Health Checks:

Create HTTP health checks for both the primary and secondary servers. Ensure these health checks are configured to look for HTTP 2xx or 3xx status codes.

After increasing the size of an Amazon EBS volume, the operating system must be configured to use the additional space. For a Windows instance, you need to extend the file system using disk management tools.

Open Disk Management:

Connect to your Windows EC2 instance using RDP.

Open the Disk Management tool by right-clicking the Start button and selecting Disk Management.

Extend the Volume:

Locate the EBS volume that was resized.

Right-click on the volume and select Extend Volume.

Follow the Extend Volume Wizard to allocate the newly available space to the file system.

Verify the New Size:

After extending the volume, verify that the file system reflects the increased storage capacity.

Modifying the Size, IOPS, or Throughput of an EBS Volume

Extending a Windows File System After Resizing a Volume

Root user usage is strongly discouraged in AWS best practices, and cannot be restricted using identity-based IAM policies, because the root user has inherent and unalterable permissions. However, within an AWS Organization, Service Control Policies (SCPs) can be used to put maximum permission boundaries on even the root user in member accounts.

From the AWS Organizations User Guide:

SCPs affect all users and roles in attached accounts, including the root user.

If you attach an SCP that explicitly denies access to specific actions, even the root user is denied.

So, to prevent the root user from performing EC2 actions, you would:

Use the organization's management account

Create an SCP with a Deny on ec2:* actions for Principal: "arn:aws:iam::*:root"

Attach the SCP to member accounts

❌ Why other options are incorrect:

A. IAM policies cannot control root user access – Root is not governed by IAM identity-based policies.

C. AWS Config is a monitoring tool, not a preventive security control mechanism. It tracks what happened, not blocks it.

D. Amazon Inspector detects vulnerabilities; it does not prevent or deny actions by any user, including root.

When a portfolio is shared between AWS accounts in AWS Service Catalog, the administrator of the second account can import the shared portfolio and add products from the imported portfolio to their local portfolio. However, they cannot modify the imported portfolio directly.

Import the Shared Portfolio:

In the second AWS account, open the AWS Service Catalog console at AWS Service Catalog Console.

Navigate to Portfolios and choose Import portfolio.

Add Products to a Local Portfolio:

Once the portfolio is imported, the administrator can select products from the imported portfolio and add them to a local portfolio for easier management and deployment.

Sharing Portfolios Across Accounts

AWS Service Catalog Admin Guide

To ensure all objects in the S3 bucket are encrypted, including future objects, the following steps should be taken:

Enable Default Server-Side Encryption:

Edit the properties of the S3 bucket to enable default server-side encryption. This ensures that all new objects written to the bucket are encrypted by default.

Navigate to the S3 console, select the bucket, go to the "Properties" tab, and under "Default encryption", select the encryption method (SSE-S3, SSE-KMS, etc.).

Storage Auto Scaling:

Aurora storage auto scaling automatically increases the storage capacity of the database cluster when free storage space is running low.

Steps:

Go to the AWS Management Console.

Navigate to RDS and select your Aurora DB cluster.

Modify the DB cluster configuration to enable storage auto scaling.

Apply the changes.

Aurora Storage Auto Scaling

Scenario Analysis:

The EC2 instance is inaccessible through RDP due to misconfigured Windows Firewall settings.

The boot volume is encrypted, which restricts direct modification without proper mounting and decryption tools.

The goal is to back up the instance and regain RDP connectivity.

Why Option D is Correct:

AWS provides EC2Rescue for Windows Server as a tool to resolve common connectivity and boot issues for Windows EC2 instances.

The process of detaching the boot volume and attaching it to another instance ensures that the misconfigured instance does not impede further configuration.

The working instance acts as a recovery environment where EC2Rescue can be run to modify the Windows Firewall settings and allow RDP access.

Steps to Resolve the Issue (Following Option D):

Step 1: Stop the instance.In the EC2 console, select the affected instance and stop it to ensure safe operations.

Step 2: Detach the boot volume.Navigate to the instance's storage section, identify the boot volume (usually /dev/sda1), and detach it.

Step 3: Attach the boot volume to a recovery instance.

Identify a working instance that has EC2Rescue installed.

Attach the detached boot volume to the recovery instance as a secondary volume.

Step 4: Run EC2Rescue to fix Windows Firewall settings.

Log in to the recovery instance and launch EC2Rescue.

Select the attached secondary volume and run diagnostics or select specific repairs (e.g., enabling RDP access in Windows Firewall settings).

Step 5: Detach the boot volume from the recovery instance.After applying the fix, safely detach the volume from the recovery instance.

Step 6: Reattach the boot volume to the original instance.Attach the volume back to the original instance as its boot volume.

Step 7: Start the instance and verify connectivity.Start the original instance and attempt to connect via RDP using the instance's public or private IP (depending on the network configuration).

AWS References and Best Practices:

EC2Rescue for Windows Server:Official documentation: EC2Rescue

Encrypted EBS Volumes:Ensure the proper use of the same AWS KMS key when attaching encrypted volumes to other instances. Reference: EBS Encryption

Backup Before Modifications:AWS recommends creating snapshots of EBS volumes before making changes. Reference: Creating EBS Snapshots

Why Other Options Are Incorrect:

Option A: AWS does not support disabling encryption for EBS volumes directly. Additionally, creating a new key pair does not address the firewall misconfiguration.

Option B: Amazon Inspector does not provide tools for modifying Windows Firewall settings. It is primarily used for vulnerability assessments.

Option C: Disabling encryption is not supported, and Amazon Inspector cannot fix firewall issues.

To prevent an account from leaving an AWS Organization, you use an SCP to deny the organizations:LeaveOrganization action.

From AWS Organizations documentation:

You can use a deny statement on organizations:LeaveOrganization to prevent accounts from leaving your AWS Organization.

https://docs.aws.amazon.com/zh_tw/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.html

To give the application the ability to resolve internal domain names, the SysOps administrator should create an Amazon Route 53 Resolver outbound endpoint and configure it to forward DNS queries to the on-premises DNS server.

Route 53 Resolver Outbound Endpoint:

An outbound endpoint enables DNS queries to be forwarded from AWS resources in a VPC to an on-premises DNS server.

Steps to Implement:

In the Route 53 console, create a new outbound endpoint in the VPC.

Configure the outbound endpoint with the IP address of the on-premises DNS server.

Update the VPC DNS settings to use the Route 53 Resolver.

Route 53 Resolver Endpoints

Creating an Outbound Endpoint

For the issue of "too many connections" on a MySQL database, using RDS Proxy offers a streamlined solution:

RDS Proxy Setup: RDS Proxy sits between your application and the database. It pools and efficiently manages database connections, which reduces the number of direct connections to the database.

Connection Management: By handling connection pooling, RDS Proxy can help mitigate issues related to connection overhead and limits, such as the "too many connections" error, by allowing the database to serve more requests from a smaller and more stable number of connections.

Minimal Code Changes: Integrating RDS Proxy requires changes only to the database connection settings in the application's configuration files to point to the RDS Proxy endpoint instead of directly to the database. This minimizes the amount of code change needed and leverages RDS Proxy to handle connection scaling and management more efficiently.

This approach enhances database performance and scalability by efficiently managing connections without the need for significant application changes or database resizing.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

If you're using AWS Organizations, check the service control policies for any statements that explicitly deny Amazon S3 access. In particular, check the service control policies for statements denying the s3:PutBucketPolicy action. https://aws.amazon.com/tw/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/

Problem Analysis:

Users experience consistent forced logouts, indicating session data is not maintained properly.

Causes may include issues with session persistence between CloudFront, ALB, and the backend servers.

Action: Configure Cookie Forwarding in CloudFront:

CloudFront must forward cookies to maintain session state. Without forwarding cookies, session-specific data cannot reach the backend.

Update the Cache Behavior Settings in CloudFront:

Go to the CloudFront distribution settings.

In Cache Behaviors, select Forward Cookies.

Specify the relevant cookies required by the application.

Action: Enable Group-Level Stickiness in ALB:

Group-level stickiness ensures that a user's session consistently maps to the same backend server, preventing session disruption.

Steps:

Open the ALB Console.

Navigate to the Listener Rules.

Enable Group-Level Stickiness for the target groups under the listener rule settings.

Why Other Options Are Incorrect:

A: Changing to the least outstanding requests algorithm will not address session stickiness issues.

C: Forwarding headers does not resolve session-specific problems caused by cookies not being forwarded.

E: Weighted target groups manage traffic distribution but do not address session persistence.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads. It provides detailed monitoring for unauthorized access attempts, including console login attempts from unusual locations.

Amazon GuardDuty:

GuardDuty analyzes VPC flow logs, AWS CloudTrail logs, and DNS logs to detect suspicious activity.

It generates findings, such as UnauthorizedAccess

/ConsoleLoginSuccess, to alert administrators about potential security issues.

Setup:

Enable GuardDuty in your AWS account.

Configure GuardDuty to monitor unauthorized console logins.

Set up notifications for the relevant findings to alert administrators.

Amazon GuardDuty

GuardDuty Finding Types