
[2022-01-07] AWS-SysOps Ultimate Study Guide
Prepare for the AWS-SysOps (SysOps Administrator) certification exam with the ultimate guide, updated for 2022
Question 151
Security has identified an IP address that should be explicitly denied for both ingress and egress requests for all services in an Amazon VPC immediately.
Which feature can be used to meet this requirement?
- A. Security Groups
- B. Network access control lists
- C. NAT Gateway
- D. Host-based firewalls
Correct answer: D
Explanation:
https://aws.amazon.com/answers/networking/vpc-security-capabilities/
Question 152
A route table in VPC can be associated with multiple subnets. However, a subnet can be associated with only ______ route table(s) at a time.
- A. four
- B. one
- C. two
- D. three
Correct answer: B
Explanation:
Every subnet in your VPC must be associated with exactly one route table at a time. However, the same route table can be associated with multiple subnets.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html
Question 153
A user has configured an Auto Scaling group with ELB. The user has enabled detailed CloudWatch monitoring on Auto Scaling. Which of the following statements will help the user understand the functionality better?
- A. Detailed monitoring will send data every minute without additional charges
- B. In this case, Auto Scaling will send data every minute and will charge the user extra
- C. It is not possible to setup detailed monitoring for Auto Scaling
- D. Auto Scaling sends data every minute only and does not charge the user
Correct answer: B
Explanation:
CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute.
Auto Scaling includes 7 metrics and 1 dimension, and sends data to CloudWatch every 5 minutes by default.
The user can enable detailed monitoring for Auto Scaling, which sends data to CloudWatch every minute.
However, this incurs extra costs.
Question 154
A system admin wants to add more zones to the existing ELB. The system admin wants to perform this activity from the CLI. Which of the following commands helps the system admin add new zones to the existing ELB?
- A. elb-enable-zones-for-lb
- B. It is not possible to add more zones to the existing ELB
- C. elb-configure-zones-for-lb
- D. elb-add-zones-for-lb
Correct answer: A
Explanation:
The user has created an Elastic Load Balancer with the availability zone and wants to add more zones to the existing ELB. The user can do so in two ways:
From the console or CLI, add new zones to ELB;
Question 155
You have an Auto Scaling group associated with an Elastic Load Balancer (ELB). You have noticed that instances launched via the Auto Scaling group are being marked unhealthy due to an ELB health check, but these unhealthy instances are not being terminated.
What do you need to do to ensure that instances marked unhealthy by the ELB will be terminated and replaced?
- A. Change the health check set on the Elastic Load Balancer to use TCP rather than HTTP checks
- B. Increase the value for the Health check interval set on the Elastic Load Balancer
- C. Change the thresholds set on the Auto Scaling group health check
- D. Add an Elastic Load Balancing health check to your Auto Scaling group
Correct answer: D
Explanation:
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-add-elb-healthcheck.html
Add an Elastic Load Balancing Health Check to your Auto Scaling Group By default, an Auto Scaling group periodically reviews the results of EC2 instance status to determine the health state of each instance. However, if you have associated your Auto Scaling group with an Elastic Load Balancing load balancer, you can choose to use the Elastic Load Balancing health check. In this case, Auto Scaling determines the health status of your instances by checking the results of both the EC2 instance status check and the Elastic Load Balancing instance health check.
For information about EC2 instance status checks, see Monitor Instances With Status Checks in the Amazon EC2 User Guide for Linux Instances. For information about Elastic Load Balancing health checks, see Health Check in the Elastic Load Balancing DeveloperGuide.
This topic shows you how to add an Elastic Load Balancing health check to your Auto Scaling group, assuming that you have created a load balancer and have registered the load balancer with your Auto Scaling group. If you have not registered the load balancer with your Auto Scaling group, see Set Up a Scaled and Load-Balanced Application.
Auto Scaling marks an instance unhealthy if the calls to the Amazon EC2 action DescribeInstanceStatus return any state other than running, the system status shows impaired, or the calls to the Elastic Load Balancing action DescribeInstanceHealth return OutOfService in the instance state field.
If there are multiple load balancers associated with your Auto Scaling group, Auto Scaling checks the health state of your EC2 instances by making health check calls to each load balancer. For each call, if the Elastic Load Balancing action returns any state other than InService, the instance is marked as unhealthy. After Auto Scaling marks an instance as unhealthy, it remains in that state, even if subsequent calls from other load balancers return an InService state for the same instance.
Question 156
A SysOps Administrator must remove public IP addresses from all Amazon EC2 Instances to prevent exposure to the internet. However, many corporate applications running on those EC2 instances need to access Amazon S3 buckets. The administrator is tasked with allowing the EC2 instances to continue to access the S3 buckets.
Which solutions can be used? (Select Two).
- A. Deploy a NAT Gateway and configure the route tables accordingly in the VPC where the EC2 instances are running.
- B. Modify the security groups on the EC2 instances with private IP addresses in the routes to connect to Amazon S3.
- C. Modify the network ACLs with the private IP addresses in the routes to connect to Amazon S3.
- D. Set up AWS Direct connect and configure a virtual interface between the EC2 instances and the S3 buckets.
- E. Set up a VPC endpoint in the VPC where the EC2 instances are running and configure the route tables accordingly.
Correct answer: A, E
Question 157
An enterprise is using federated Security Assertion Markup Language (SAML) to access the AWS Management Console.
How should the SAML assertion mapping be configured?
- A. Map the user attribute to an AWS user. The AWS user is assigned specific IAM policies that govern access to AWS resources.
- B. Map the role attribute to an AWS role. The AWS role is assigned IAM policies that govern access to AWS resources.
- C. Map the policy attribute to IAM policies the federated user is assigned to. These policies govern access to AWS resources.
- D. Map the group attribute to an AWS group. The AWS group is assigned IAM policies that govern access to AWS resources.
Correct answer: B
Question 158
AWS Cloud Hardware Security Modules (HSMs) are designed to _____.
- A. provide another level of login security specifically for LDAP
- B. store your AWS keys safely
- C. allow AWS to audit your infrastructure
- D. securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance
Correct answer: D
Explanation:
A Hardware Security Module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware device. They are designed to securely store cryptographic key material and also to be able to use this key material without exposing it outside the cryptographic boundary of the appliance.
Question 159
A company's IT department noticed an increase in the spend of their Developer AWS account. There are over 50 Developers using the account and the Finance Team wants to determine the service costs incurred by each Developer.
What should a SysOps Administrator do to collect this information? (Select TWO)
- A. Analyze the usage with Amazon CloudWatch dashboards
- B. Create a billing alarm in AWS Budgets
- C. Activate the createdBy tag in the account
- D. Analyze the usage with Cost Explorer
- E. Configure AWS Trusted Advisor to track resource usage
Correct answer: C, D
Question 160
A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and a VPN-only subnet CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user's data centre. The user's data centre has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the following options is not a valid entry for the main route table in this scenario?
- A. Destination: 0.0.0.0/0 and Target: i-12345
- B. Destination: 20.0.0.0/16 and Target: local
- C. Destination: 20.0.1.0/24 and Target: i-12345
- D. Destination: 172.28.0.0/12 and Target: vgw-12345
Correct answer: C
Explanation:
The user can create subnets as per the requirement within a VPC. If the user wants to connect the VPC to his own data centre, he can set up a public and a VPN-only subnet which uses hardware VPN access to connect to his data centre. When the user has configured this setup with the wizard, it creates a virtual private gateway to route all traffic of the VPN subnet. If the user has set up a NAT instance to route all the internet requests, then all requests to the internet should be routed to it. All requests to the organization's DC will be routed to the VPN gateway.
Here are the valid entries for the main route table in this scenario:
Destination: 0.0.0.0/0 & Target: i-12345 (to route all internet traffic to the NAT instance)
Destination: 172.28.0.0/12 & Target: vgw-12345 (to route all the organization's data centre traffic to the VPN gateway)
Destination: 20.0.0.0/16 & Target: local (to allow local routing in the VPC)
Question 161
A user has launched two EBS-backed EC2 instances in the US-East-1a zone. The user wants to change the zone of one of the instances. How can the user change it?
- A. Stop one of the instances and change the availability zone
- B. From the AWS EC2 console, select the Actions - > Change zones and specify new zone
- C. Create an AMI of the running instance and launch the instance in a separate AZ
- D. The zone can only be modified using the AWS CLI
Correct answer: C
Explanation:
With AWS EC2, when a user is launching an instance he can select the availability zone (AZ) at the time of launch. If the zone is not selected, AWS selects it on behalf of the user. Once the instance is launched, the user cannot change the zone of that instance unless he creates an AMI of that instance and launches a new instance from it.
Question 162
AMIs can be ______________.
- A. created only for Linux instances
- B. created only by Amazon
- C. public or private
- D. only private unless created by Amazon
Correct answer: C
Explanation:
After you create an AMI, you can keep it private so that only you can use it, or you can share it with a specified list of AWS accounts. You can also make your custom AMI public so that the community can use it. Building a safe, secure, usable AMI for public consumption is a fairly straightforward process, if you follow a few simple guidelines.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
Question 163
You run a web application with the following components: an Elastic Load Balancer (ELB), 3 Web/Application servers, 1 MySQL RDS database with read replicas, and Amazon Simple Storage Service (Amazon S3) for static content. Average response time for users is increasing slowly.
What three CloudWatch RDS metrics will allow you to identify if the database is the bottleneck? (Choose three.)
- A. The average number of disk I/O operations per second.
- B. The amount of write latency.
- C. The amount of time a Read Replica DB Instance lags behind the source DB Instance
- D. The amount of disk space occupied by binary logs on the master.
- E. The number of outstanding IOs waiting to access the disk.
Correct answer: B, C, E
Question 164
An image processing system runs asynchronously on AWS Lambda. A SysOps administrator is configuring a Lambda function to notify developers when an image fails to process after three attempts. The SysOps administrator has created an Amazon Simple Notification Service (Amazon SNS) topic to notify the developers.
Which additional action should the SysOps administrator take to meet this requirement?
- A. Configure an Amazon CloudWatch alarm for errors from the Lambda function, which notifies the Amazon SNS topic.
- B. Implement a dead-letter queue targeting the Amazon SNS topic.
- C. Modify the Lambda function code to publish failed orders to the Amazon SNS topic before exiting.
- D. Subscribe to Lambda function error notifications from the AWS Personal Health Dashboard.
Correct answer: A
Question 165
A user is measuring the CPU utilization of a private data centre machine every minute. The machine provides the aggregate of the data every hour, such as "Sum of data", "Min value", "Max value", and "Number of data points". The user wants to send these values to CloudWatch. How can the user achieve this?
- A. Send the data using the put-metric-data command with the average-values parameter
- B. Send the data using the put-metric-data command with the aggregate -data parameter
- C. Send the data using the put-metric-data command with the statistic-values parameter
- D. Send the data using the put-metric-data command with the aggregate-values parameter
Correct answer: C
Explanation:
AWS CloudWatch supports custom metrics. The user can always capture custom data and upload the data to CloudWatch using the CLI or APIs. The user can publish the data to CloudWatch as single data points or as an aggregated set of data points called a statistic set using the command put-metric-data.
When sending aggregate data, the user needs to send it with the parameter statistic-values:
aws cloudwatch put-metric-data --metric-name <Name> --namespace <Custom namespace> --timestamp <UTC Format> --statistic-values Sum=XX,Minimum=YY,Maximum=AA,SampleCount=BB --unit Milliseconds
Reference: http://docs.aws.amazon.com/cli/latest/reference/cloudwatch/put-metric-data.html
Question 166
A user has scheduled the maintenance window of an RDS DB on Monday at 3 AM.
Which of the following events may force the DB instance to be taken offline during the maintenance window?
- A. DB password change
- B. Security patching
- C. Making the DB Multi AZ
- D. Enabling Read Replica
Correct answer: B
Explanation:
Amazon RDS performs maintenance on the DB instance during a user-definable maintenance window. The system may be offline or experience lower performance during that window.
The only maintenance events that may require RDS to take the DB instance offline are:
- Scaling compute operations
- Software patching
Required software patching is automatically scheduled only for patches that are security and durability related.
Such patching occurs infrequently (typically once every few months) and seldom requires more than a fraction of the maintenance window.
Question 167
What does Amazon S3 stand for?
- A. Standard Storage Service
- B. Simple Storage Service
- C. Social Storage Service
- D. Secure Storage Service
Correct answer: B
Explanation:
Amazon Simple Storage Service (Amazon S3) is storage for the Internet. It provides a simple interface to manage scalable, reliable, and low latency data storage service over the Internet.
Question 168
A SysOps Administrator has set up a new Application Load Balancer (ALB) in front of a pair of private web servers in multiple Availability Zones. After deploying an updated CloudFormation template with many changes, user traffic now goes to one web server only. What is the MOST likely reason that the traffic is not being balanced between both servers?
- A. The faulty is returning HTTP 200 has been removed.
- B. The web clients are using HTTP/2, which is terminated at the ALB.
- C. Sticky sessions have been disabled in the ALB for the working server.
- D. The ALB is using a custom ping path that is not found on the faulty server.
Correct answer: D
Explanation:
The load balancer sends a health check request to each registered target every HealthCheckIntervalSeconds seconds, using the specified port, protocol, and ping path.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html
Question 169
A user is trying to understand the detailed CloudWatch monitoring concept. Which of the following services does not provide detailed monitoring with CloudWatch?
- A. AWS Route53
- B. AWS ELB
- C. AWS EMR
- D. AWS RDS
Correct answer: C
Explanation:
CloudWatch is used to monitor AWS as well as custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. Services such as RDS, EC2, Auto Scaling, ELB, and Route 53 can provide the monitoring data every minute.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/supported_services.html
Question 170
Which of the following statements is NOT true of CloudWatch?
- A. CloudWatch can be accessed using the AWS SDKs.
- B. CloudWatch can be accessed using CloudWatch API.
- C. CloudWatch can be accessed using the CloudWatch CLI for iOS.
- D. CloudWatch can be accessed using the AWS console.
Correct answer: C
Explanation:
AWS CloudWatch can be accessed from the Amazon CloudWatch Console, CloudWatch API, AWS CLI and AWS SDKs.
Question 171
You are managing the AWS account of a big organization. The organization has more than 1000 employees and wants to provide access to the various services to most of the employees. Which of the following options is the best possible solution in this case?
- A. The user should create a separate IAM user for each employee and provide access to them as per the policy
- B. The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and setup AWS authentication on that server
- C. The user should create IAM groups as per the organization's departments and add each user to the group for better access control
- D. Attach an IAM role with the organization's authentication service to authorize each user for various AWS services
Correct answer: D
Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. The user is managing an AWS account for an organization that already has an identity system, such as the login system for the corporate network (SSO). In this case, instead of creating individual IAM users or groups for each user who needs AWS access, it may be more practical to use a proxy server to translate the user identities from the organization's network into temporary AWS security credentials. This proxy server will attach an IAM role to the user after authentication.
Question 172
Which command must be present in a Cisco device configuration to enable the device to resolve an FQDN?
- A. ip domain-name
- B. ip name-server
- C. ip host
- D. ip domain-lookup
Correct answer: D
Question 173
A corporate website is hosted on several Amazon EC2 instances across multiple regions around the globe.
How should an Administrator configure the website to maintain high availability with minimal downtime if one of the regions has network connectivity congestion for an extended period of time?
- A. Create an Elastic Load Balancer that fails over to the secondary site when the primary site is not reachable.
- B. Create an Amazon Route 53 Latency Based Routing Record Set that resolves to Elastic Load Balancers in each region and has the Evaluate Target Health flag set to "true".
- C. Create an Amazon Route 53 Latency Based Routing Record Set that resolves to an Elastic Load Balancer in each region. Set an appropriate health check on each ELB.
- D. Create an Elastic Load Balancer in front of all the Amazon EC2 instances.
Correct answer: B
Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-how-route-53-chooses-records.html
Question 174
......