The scenarios and solutions in the tables below will help you prepare for the AWS Certified SysOps Administrator Associate certification exam. Use these exam scenarios to gain an understanding of the type of knowledge required to pass this challenging exam. You can learn all of this knowledge and more and get access to hundreds more exam scenarios in the value-packed video course from Digital Cloud Training. These scenarios and many more are also covered in our practice test course for the SOA-C02 exam.
Amazon EC2 and AWS Lambda
| Exam Scenario | Solution |
| --- | --- |
| Administrator needs to check if any Amazon EC2 instances will be affected by scheduled hardware maintenance | Check the AWS Personal Health Dashboard |
| Scheduled hardware maintenance will affect a critical EC2 instance | Stop and start the instance to move it to different underlying hardware |
| When launching an EC2 instance the InsufficientInstanceCapacity error is experienced | This means AWS does not currently have enough capacity to service the request for that instance type. Try a different AZ or instance type |
| The error InstanceLimitExceeded is experienced when launching EC2 instances | EC2 instance limits have been reached, need to contact support to request an increased limit |
| System status checks are failing for an EC2 instance | Stop and start again to move to a new host |
Elastic Load Balancing and Auto Scaling
| Exam Scenario | Solution |
| --- | --- |
| Design required for highly available and secure website on EC2 with ALB, and DB on EC2 | Launch ALB in public subnets, web servers in private subnets and DB layer in private subnets – all layers across AZs |
| HealthyHostCount metrics for an ALB have dropped from 6 to 2. Need to determine the cause | The health checks on target EC2 instances are failing |
| An instance attached to an ALB exceeded the UnhealthyThresholdCount for consecutive health check failures. What will happen? | Health checks will continue and the ALB will take the instance out of service |
| Requirement to track the source IP of clients and the instance that processes the request | Check the ALB access logs for this information |
| 503 and 504 errors experienced and instances have high CPU utilization | Use EC2 Auto Scaling to dynamically scale |
Amazon EBS, EFS, and AWS Storage Gateway
| Exam Scenario | Solution |
| --- | --- |
| User deleted some data in an Amazon EBS volume and there’s a recent snapshot | Can create a new EBS volume from the snapshot, attach it to an instance, and copy the deleted file across |
| EBS volume runs out of space and need to prevent it happening again | Use CloudWatch agent on EC2 and monitor disk metrics with CloudWatch alarm |
| Low latency access required for image files in an office location with synchronized backup to offsite location. Local access required and disaster recovery | Use an AWS Storage Gateway volume gateway configured as a stored volume |
| EBS volume capacity is increased but cannot see the space | Need to extend the volume’s file system to gain access to extra space |
| Need to replace user-shared drives. Must support POSIX permissions and NFS protocols and be accessible from on-premise servers and EC2 | Use Amazon EFS |
AWS Systems Manager
| Exam Scenario | Solution |
| --- | --- |
| Application running on EC2 needs login credentials for a DB that are stored as secure strings in SSM Parameter Store | Create an IAM role for the instance and grant permission to read the parameters |
| Linux instances are patched with Systems Manager Patch Manager. Application slows down whilst updates are happening | Change maintenance window to patch 10% of instances in the patch group at a time |
| Custom Linux AMI used with AWS Systems Manager. Can’t find instances in Session Manager console | Need to add permissions to instance profile and install the SSM agent on the instances |
| Multiple environments require authentication credentials for external service. Deployed using CloudFormation | Store credentials in SSM Parameter Store and pass an environment tag as a parameter in CloudFormation template |
| IAM access keys used to manage EC2 instances using the CLI. Company policy mandates that access keys are automatically disabled after 60 days | Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation |
AWS CloudFormation
| Exam Scenario | Solution |
| --- | --- |
| Need to review updates to an AWS CloudFormation stack before deploying them in production | Use change sets |
| Stack deployed and manual changes were made. Need to capture changes and update template | Use drift detection and use output to update template and redeploy the stack |
| Need to update new version of app on EC2 and ALB. Must avoid DNS changes and be able to rollback | Update template with AutoScalingReplacingUpdate policy and perform an update |
| Need to write a single template that can be deployed across several environments / Regions | Use parameters to enter custom values and use the Ref intrinsic function to reference the parameter |
| Tried to launch instance in a different region from a working template and it fails | Probably due to incorrect AMI ID |
Amazon Virtual Private Cloud (VPC)
| Exam Scenario | Solution |
| --- | --- |
| Need to identify the instances that are generating the most traffic using a NAT gateway | Use VPC flow logs on the NAT gateway ENI and use CloudWatch insights to filter based on source IP address |
| Latency on a NAT instance has increased, need a solution that scales with demand cost-efficiently | Swap with a NAT gateway |
| NAT gateway is NOT highly available across AZs, only within an AZ | Use multiple NAT gateways for HA across AZs |
| NAT instance deployed but not working | Make sure to disable source/destination checks |
| Need to enable access to S3 without the instances using public IP addresses | Use a NAT gateway or VPC endpoint |
Amazon Route 53
| Exam Scenario | Solution |
| --- | --- |
| Use Route 53 to direct based on health checks with (2xx) traffic to primary and other responses to secondary | Need to create an A record for each server and a HTTP (not TCP) health check |
| Route 53 health check uses string matching for “/html”. Alert shows health check fails | The search string must appear entirely within the first 5,120 bytes of the response body |
| Need to make a website promotion visible to users from a specific country only | Use Route 53 geolocation routing policy |
| New website runs on EC2 behind ALB. Need to create record in Route 53 to point to the domain apex (e.g. example.com) | Use an alias record |
| Hosted zone in Account A and ALB in Account B. Need the most cost-effective and efficient solution for pointing to the ALB | Create an Alias record in Account A that points to ALB in Account B |
Amazon S3 and CloudFront
| Exam Scenario | Solution |
| --- | --- |
| Static website on Amazon S3 with custom domain name | Requires that the bucket name matches the DNS name / record set name in Route 53 |
| 503 errors experienced with new site and thousands of users | Request rate is too high |
| Discrepancy with number of objects in bucket console vs CloudWatch | Use Amazon S3 Inventory to properly determine the number of objects in a bucket |
| Need to enforce encryption on all objects uploaded to bucket | Use a bucket policy with a `"Condition": { "Bool": { "aws:SecureTransport": "false" } }` statement for PutObject and with the resource set to the bucket |
| Unauthorized users tried to connect to S3 buckets. Need to know which buckets are targeted and who is trying to get access | Use S3 server access logs and Athena to query for HTTP 403 errors and look for IAM user or role making requests |
Amazon RDS and ElastiCache
| Exam Scenario | Solution |
| --- | --- |
| Automated failover of a multi-AZ DB occurred | This may be due to storage failure on primary DB or the instance type could have been changed |
| Need to encrypt unencrypted RDS database | Take a snapshot, encrypt it, then restore a new encrypted instance from the snapshot |
| RDS DB query latency is high and CPU utilization is at 100% | Scale up with larger instance type |
| Need to share RDS DB snapshots across different accounts. Data must be encrypted | Use an AWS KMS key for encryption and update the key policy to grant the accounts access, then share the snapshot |
| DB needs to be made HA to protect against failure and updates cannot impact users in business hours | Change to Multi-AZ outside of business hours |
Management, Governance and Billing
| Exam Scenario | Solution |
| --- | --- |
| Audit requests to AWS Organizations for creating new accounts by federated users | Use CloudTrail and look for the federated identity user name |
| Employees have created individual AWS accounts not under control. Security team need them in AWS Organizations | Send each account an invitation from the central organization |
| Need to restrict ability to launch specific instance types for a specific team/account | Use an AWS Organizations SCP to deny launches unless the instance type is T2, and create an IAM group in the account granting access to T2 instances to the relevant users |
| Need to test notification settings for CloudWatch alarm with SNS | Use the set-alarm-state CLI command to test |
| Need to automatically disable access keys that are greater than 90 days old | Use an AWS Config rule to identify noncompliant keys and use Systems Manager Automation to remediate |
Security and Compliance
| Exam Scenario | Solution |
| --- | --- |
| Company wishes to force users to change their passwords regularly | Create an IAM password policy and enable password expiration |
| Need to restrict access to a bucket based on source IP range | Use a bucket policy with a `"Condition"`: `"NotIpAddress"` statement |
| Need to control access to group of EC2 instances with specific tags | Use an IAM policy with a condition element granting access based on the tag and attach an IAM policy to the user or groups that require access |
| IAM policy for SQS queue allows too much access. Who is responsible for correcting the issue? | According to the AWS shared responsibility model, this is a customer responsibility |
| Data is encrypted with AWS KMS customer-managed CMKs. Need to enable rotation ensuring the data remains readable | Just enable key rotation in AWS KMS for the CMK (backing key is rotated, data key is not changed) |
