SOA-C01 | The Avant-garde Guide To SOA-C01 Question


Free demo questions for Amazon-Web-Services SOA-C01 Exam Dumps Below:

An application stores data in an Amazon RDS database instance. Automated RDS snapshots are taken during specified backup windows every night. In addition, a SysOps Administrator takes monthly manual RDS snapshots. During a maintenance window, the RDS instance was accidentally deleted. How can the Administrator restore the RDS database instance?

  • A. Restore the instance from the last available automated snapshot.
  • B. Restore the instance from the last available manual snapshot.
  • C. Restore the instance from the last full RDS snapshot and subsequent incremental snapshots
  • D. Restore the instance from the RDS in the secondary Availability Zone

Answer: A

Creating a Final Snapshot and Retaining Automated Backups
When you delete a DB instance, you can choose whether to create a final snapshot of the DB instance. You can also choose to retain automated backups after the DB instance is deleted. To be able to restore the DB instance at a later time, create a final snapshot or retain automated backups.
  • To be able to restore your deleted DB instance at a later time, create a final DB snapshot.
    Automated backups: All automated backups are deleted and can't be recovered, unless you choose to retain automated backups when you delete the DB instance.
    Manual snapshots: Earlier manual snapshots aren't deleted.
  • To delete a DB instance quickly, you can skip creating a final DB snapshot. Important: If you skip the snapshot, to restore your DB instance you need one of the following:
    You have to use an earlier manual snapshot of the DB instance to restore the DB instance to that snapshot's point in time.
    You have to choose to retain automated backups; you can use those to restore it to any point in time within your retention period.
    Automated backups: All automated backups are deleted and can't be recovered, unless you enable Retain automated backups.
    Manual snapshots: Earlier manual snapshots aren't deleted.
  • Instead of creating a snapshot, you can choose to enable Retain automated backups when you delete a DB instance. These backups are still subject to the retention period of the DB instance and age out the same way systems snapshots do.
    Automated backups: Automated backups are retained for a set period of time, regardless of whether you chose to create a final snapshot. They are retained for the retention period that was set on the DB instance at the time you deleted it.
    Manual snapshots: No snapshots are deleted.
You can't create a final snapshot of your DB instance if it has the status creating, failed, incompatible-restore, or incompatible-network. For more information about DB instance statuses, see DB Instance Status.

A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services provides detailed monitoring with CloudWatch without charging the user extra?

  • A. AWS Auto Scaling
  • B. AWS Route 53
  • C. AWS EMR
  • D. AWS SNS

Answer: B

CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. Services, such as RDS, ELB, OpsWorks, and Route 53 can provide the monitoring data every minute without charging the user.

An organization is setting up programmatic billing access for their AWS account. Which of the below mentioned services is not required or enabled when the organization wants to use programmatic access?

  • A. Programmatic access
  • B. AWS bucket to hold the billing report
  • C. AWS billing alerts
  • D. Monthly Billing report

Answer: C

AWS provides an option to have programmatic access to billing. Programmatic Billing Access leverages the existing Amazon Simple Storage Service (Amazon S3) APIs. Thus, the user can build applications that reference his billing data from a CSV (comma-separated value) file stored in an Amazon S3 bucket. To enable programmatic access, the user has to first enable the monthly billing report. Then the user needs to provide an AWS bucket name where the billing CSV will be uploaded. The user should also enable the Programmatic access option.

A user has launched an EBS backed EC2 instance. What will be the difference while performing the restart or stop/start options on that instance?

  • A. For restart it does not charge for an extra hour, while every stop/start it will be charged as a separate hour
  • B. Every restart is charged by AWS as a separate hour, while multiple start/stop actions during a single hour will be counted as a single hour
  • C. For every restart or start/stop it will be charged as a separate hour
  • D. For restart it charges extra only once, while for every stop/start it will be charged as a separate hour

Answer: A

For an EC2 instance launched with an EBS backed AMI, each time the instance state is changed from stop to start/running, AWS charges a full instance hour, even if these transitions happen multiple times within a single hour. However, AWS does not charge a new instance billing hour for rebooting an instance.

You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch.
Which method would be the best way to authenticate your CloudWatch PUT request?

  • A. Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
  • B. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the user's credentials into the instance User Data
  • C. Modify the appropriate CloudWatch metric policies to allow the PutMetricData permission to instances from the Auto Scaling group
  • D. Create an IAM user with the PutMetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed

Answer: A

A System Administrator is trying to identify why PutObject calls are not made from an Amazon EC2 instance to an Amazon S3 bucket in the same region.
The instance is launched in a subnet with CIDR range and 'Auto assign public IP' set to yes. The instance profile tied to this instance has the AmazonS3Access policy.
Security group rules for the instance:
[Exhibit: security group rules; image not included]
Based on the information provided what is causing the lack of access to S3 from the instance?

  • A. The instance profile does not have explicit permissions to write objects to the S3 bucket.
  • B. The route table does not have a rule for all traffic to pass through a NAT gateway.
  • C. The route table does not have a rule for all traffic to pass through an internet gateway.

Answer: B

Controlling Access to Instances in a Subnet
In this example, instances in your subnet can communicate with each other, and are accessible from a trusted remote computer. The remote computer may be a computer in your local network or an instance in a different subnet or VPC that you use to connect to your instances to perform administrative tasks. Your security group rules and network ACL rules allow access from the IP address of your remote computer ( All other traffic from the Internet or other networks is denied.
All instances use the same security group (sg-1a2b3c4d), with the following rules.
[Exhibit: security group rule tables (columns: Protocol, Port, Source, Comments); images not included]
This scenario gives you the flexibility to change the security groups or security group rules for your instances, and have the network ACL as the backup layer of defense. The network ACL rules apply to all instances in the subnet, so if you accidentally make your security group rules too permissive, the network ACL rules continue to permit access only from the single IP address. For example, the following rules are more permissive than the earlier rules: they allow inbound SSH access from any IP address.
[Exhibit: the more permissive rules; image not included]
However, only other instances within the subnet and your remote computer are able to access this instance. The network ACL rules still prevent all inbound traffic to the subnet except from your remote computer.

A user is configuring a CloudWatch alarm on RDS to receive a notification when the CPU utilization of RDS is higher than 50%. The user has setup an alarm when there is some inactivity on RDS, such as RDS unavailability. How can the user configure this?

  • A. Setup the notification when the CPU is more than 75% on RDS
  • B. Setup the notification when the state is Insufficient Data
  • C. Setup the notification when the CPU utilization is less than 10%
  • D. It is not possible to setup the alarm on RDS

Answer: B

Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The alarm has three states: Alarm, OK and Insufficient Data. The alarm will change to Insufficient Data when any of the three situations arise: when the alarm has just started, when the metric is not available, or when enough data is not available for the metric to determine the alarm state. If the user wants to find that RDS is not available, he can set up a notification for when the state is Insufficient Data.

A SysOps Administrator supports a legacy application that is hardcoded to service The application has recently been moved to AWS. The external DNS are managed by a third-party provider. The Administrator has set up an internal domain for and configured this record using Amazon Route.
What solution offers the MOST efficient way to have instances in the same account resolve to the Route 53 service instead of the provider?

  • A. Hardcode the name server record to the internal Route 53 IP address for each instance
  • B. Enable DNS resolution in the subnets as required
  • C. Ensure that DNS resolution is enabled on the VPC
  • D. Create an OS-specific hardcoded entry for DNS resolution to the private URL

Answer: C

Using DNS with Your VPC
Domain Name System (DNS) is a standard by which names used on the Internet are resolved to their corresponding IP addresses. A DNS hostname is a name that uniquely and absolutely names a computer; it's composed of a host name and a domain name. DNS servers resolve DNS hostnames to their corresponding IP addresses.
Public IPv4 addresses enable communication over the Internet, while private IPv4 addresses enable communication within the network of the instance (either EC2-Classic or a VPC). For more information, see IP Addressing in Your VPC.
We provide an Amazon DNS server. To use your own DNS server, create a new set of DHCP options for your VPC. For more information, see DHCP Options Sets.

A storage admin wants to encrypt all the objects stored in S3 using server side encryption. The user does not want to use the AES 256 encryption key provided by S3. How can the user achieve this?

  • A. The admin should upload his secret key to the AWS console and let S3 decrypt the objects
  • B. The admin should use CLI or API to upload the encryption key to the S3 bucket. When making a call to the S3 API mention the encryption key URL in each request
  • C. S3 does not support client supplied encryption keys for server side encryption
  • D. The admin should send the keys and encryption algorithm with each API call

Answer: D

AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key. Amazon S3 never stores the user's encryption key. The user has to supply it for each encryption or decryption call.

A user wants to make it so that whenever the CPU utilization of the AWS EC2 instance is above 90%, the red light of his bedroom turns on. Which of the below mentioned AWS services is helpful for this purpose?

  • A. AWS CloudWatch + AWS SES
  • B. AWS CloudWatch + AWS SNS
  • C. None. It is not possible to configure the light with the AWS infrastructure services
  • D. AWS CloudWatch and a dedicated software turning on the light

Answer: B

Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, and fully managed push messaging service. Amazon SNS can deliver notifications by SMS text message or email, to Amazon Simple Queue Service (SQS) queues, or to any HTTP endpoint. The user can configure some sensor devices at his home which receive data on the HTTP endpoint (REST calls) and turn on the red light. The user can configure the CloudWatch alarm to send a notification to the AWS SNS HTTP endpoint (the sensor device) and it will turn the light red when there is an alarm condition.

A user has configured ELB with three instances. The user wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the user achieve this for ELB?

  • A. Route 53
  • B. AWS Mechanical Turk
  • C. Auto Scaling
  • D. AWS EMR

Answer: A

The user can provide high availability and redundancy for applications running behind Elastic Load Balancer by enabling the Amazon Route 53 Domain Name System (DNS) failover for the load balancers. Amazon Route 53 is a DNS service that provides reliable routing to the user's infrastructure.

An AWS root account owner is trying to create a policy to access RDS. Which of the below mentioned statements is true with respect to the above information?

  • A. Create a policy which allows the users to access RDS and apply it to the RDS instances
  • B. The user cannot access the RDS database if he is not assigned the correct IAM policy
  • C. The root account owner should create a policy for the IAM user and give him access to the RDS services
  • D. The policy should be created for the user and provide access for RDS

Answer: C

AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the account owner wants to create a policy for RDS, the owner has to create an IAM user and define the policy which entitles the IAM user with various RDS services such as Launch Instance, Manage security group, Manage parameter group etc.

In order to optimize performance for a compute cluster that requires low inter-node latency, which feature in the following list should you use?

  • A. AWS Direct Connect
  • B. Placement Groups
  • C. VPC private subnets
  • D. EC2 Dedicated Instances
  • E. Multiple Availability Zones

Answer: B


A system admin is planning to encrypt all objects being uploaded to S3 from an application. The system admin does not want to implement his own encryption algorithm; instead he is planning to use server side encryption by supplying his own key (SSE-C). Which parameter is not required while making a call for SSE-C?

  • A. x-amz-server-side-encryption-customer-key-AES-256
  • B. x-amz-server-side-encryption-customer-key
  • C. x-amz-server-side-encryption-customer-algorithm
  • D. x-amz-server-side-encryption-customer-key-MD5

Answer: A

AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key (SSE-C). When the user is supplying his own encryption key, the user has to send the below mentioned parameters as a part of the API calls:
x-amz-server-side-encryption-customer-algorithm: Specifies the encryption algorithm
x-amz-server-side-encryption-customer-key: To provide the base64-encoded encryption key
x-amz-server-side-encryption-customer-key-MD5: To provide the base64-encoded 128-bit MD5 digest of the encryption key
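
As an added illustration (not part of the original page), the Python below builds the three SSE-C request headers listed above from a raw 256-bit key and checks a header set for the mistakes the question turns on. The function names and the sample key are constructed for this example, and no request is sent to S3.

```python
import base64
import hashlib

PREFIX = "x-amz-server-side-encryption-customer-"
ALGORITHM = PREFIX + "algorithm"
KEY = PREFIX + "key"
KEY_MD5 = PREFIX + "key-MD5"
REQUIRED = (ALGORITHM, KEY, KEY_MD5)
KEY_LEN = 32  # SSE-C uses AES-256, so the raw key is 256 bits


def sse_c_headers(raw_key: bytes) -> dict:
    """Build the SSE-C headers for one request from the raw key bytes."""
    if len(raw_key) != KEY_LEN:
        raise ValueError("SSE-C key must be exactly 32 bytes")
    return {
        ALGORITHM: "AES256",
        # The key travels base64-encoded in every request; S3 does not store it.
        KEY: base64.b64encode(raw_key).decode("ascii"),
        # Base64 of the 128-bit MD5 digest of the raw key (not of its base64
        # form); S3 uses it to verify the key arrived intact.
        KEY_MD5: base64.b64encode(hashlib.md5(raw_key).digest()).decode("ascii"),
    }


def check_sse_c_headers(headers: dict) -> list:
    """Return a list of problems found in an SSE-C header set (empty if none)."""
    norm = {name.lower(): value for name, value in headers.items()}
    known = {name.lower() for name in REQUIRED}
    problems = [f"missing {name}" for name in REQUIRED if name.lower() not in norm]
    # Anything else under the SSE-C prefix is not a header S3 defines.
    problems += [f"unknown SSE-C header {name}" for name in norm
                 if name.startswith(PREFIX) and name not in known]
    if problems:
        return problems
    if norm[ALGORITHM.lower()] != "AES256":
        problems.append("algorithm must be AES256")
    try:
        key = base64.b64decode(norm[KEY.lower()], validate=True)
    except ValueError:
        return problems + ["key is not valid base64"]
    if len(key) != KEY_LEN:
        problems.append("decoded key is not 32 bytes")
    expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    if norm[KEY_MD5.lower()] != expected:
        problems.append("key-MD5 does not match key")
    return problems


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample key, never use in production
    hdrs = sse_c_headers(sample_key)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print(check_sse_c_headers(hdrs))
```
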

You have a server with a 500GB Amazon EBS data volume. The volume is 80% full. You need to back up the volume at regular intervals and be able to re-create the volume in a new Availability Zone in the shortest time possible. All applications using the volume can be paused for a period of a few minutes with no discernible user impact.
Which of the following backup methods will best fulfill your requirements?

  • A. Take periodic snapshots of the EBS volume
  • B. Use a third party Incremental backup application to back up to Amazon Glacier
  • C. Periodically back up all data to a single compressed archive and archive to Amazon S3 using a parallelized multi-part upload
  • D. Create another EBS volume in the second Availability Zone, attach it to the Amazon EC2 instance, and use a disk manager to mirror the two disks

Answer: A

An EBS volume must be in the same AZ as the EC2 instance, so you cannot attach an EBS volume in another AZ. EBS volumes can only be attached to EC2 instances within the same Availability Zone.

You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly.
Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC?
Choose 2 answers

  • A. A network ACL that allows communication between the two subnets.
  • B. Both instances are the same instance class and using the same Key-pair.
  • C. That the default route is set to a NAT instance or internet Gateway (IGW) for them to communicate.
  • D. Security groups are set to allow the application host to talk to the database on the right port/protocol.

Answer: AD

You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours.
Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

  • A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block
  • B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block
  • C. Add a rule to all of the VPC's Security Groups to deny access from the IP address block
  • D. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block

Answer: B


You have been asked to leverage Amazon VPC, EC2 and SQS to implement an application that submits and receives millions of messages per second to a message queue. You want to ensure your application has sufficient bandwidth between your EC2 instances and SQS.
Which option will provide the most scalable solution for communicating between the application and SQS?

  • A. Ensure the application instances are properly configured with an Elastic Load Balancer
  • B. Ensure the application instances are launched in private subnets with the EBS-optimized option enabled
  • C. Ensure the application instances are launched in public subnets with the associate-public-IP-address=true option enabled
  • D. Launch application instances in private subnets with an Auto Scaling group and Auto Scaling triggers configured to watch the SQS queue size

Answer: D

The question is about the most "scalable solution for communicating" with SQS, that is, parallel processing of SQS messages.

A sys admin is using server side encryption with AWS S3. Which of the below mentioned statements helps the user understand the S3 encryption functionality?

  • A. The server side encryption with the user supplied key works when versioning is enabled
  • B. The user can use the AWS console, SDK and APIs to encrypt or decrypt the content for server side encryption with the user supplied key
  • C. The user must send an AES-128 encrypted key
  • D. The user can upload his own encryption key to the S3 console

Answer: A

AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key. The encryption with the user supplied key (SSE-C) does not work with the AWS console. S3 does not store the keys and the user has to send a key with each request. SSE-C works when the user has enabled versioning.

Your organization's security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password.
Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers

  • A. Configure multi-factor authentication for privileged IAM users
  • B. Create IAM users for privileged accounts
  • C. Implement identity federation between your organization's Identity provider leveraging the IAM Security Token Service
  • D. Enable the IAM single-use password policy option for privileged users

Answer: AB

See also:
Enable MFA for privileged users
For extra security, enable multifactor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

