AWS SysOps Administrator Exam Scenarios

AWS Certified SysOps Exam Scenarios

Exam Scenarios for AWS SysOps Administrator

The scenarios and solutions in the tables below are commonly found on the AWS Certified SysOps Administrator Associate certification exam. Use these to gain an understanding of the type of knowledge required to pass this challenging exam. You can learn all of this knowledge and more and get access to hundreds more exam scenarios in the value-packed video course from Digital Cloud Training. These scenarios and many more are also covered in our practice test course for the SOA-C02 exam. 

Amazon EC2 and AWS Lambda

Exam Scenario Solution
Administrator needs to check if any Amazon EC2 instances will be affected by scheduled hardware maintenance Check the AWS Personal Health Dashboard
Scheduled hardware maintenance will affect a critical EC2 instance Stop and start the instance to move it to different underlying hardware
When launching an EC2 instance the InsufficientInstanceCapacity error is experienced This means AWS does not currently have enough capacity to service the request for that instance type. Try a different AZ or instance type
The error InstanceLimitExceeded is experienced when launching EC2 instances EC2 instance limits have been reached, need to contact support to request an increased limit
System status checks are failing for an EC2 instance Stop and start again to move to a new host

Elastic Load Balancing and Auto Scaling

Exam Scenario Solution
Design required for highly available and secure website on EC2 with ALB, and DB on EC2 Launch ALB in public subnets, web servers in private subnets and DB layer in private subnets – all layers across AZs
HealthyHostCount metrics for an ALB have dropped from 6 to 2. Need to determine the cause The health checks on target EC2 instances are failing
An instance attached to an ALB exceeded the UnhealthyThresholdCount for consecutive health check failures. What will happen? Health checks will continue and the ALB will take the instance out of service
Requirement to track the source IP of clients and the instance that processes the request Check the ALB access logs for this information

503 and 504 errors experienced and instances have high CPU utilization

Use EC2 Auto Scaling to dynamically scale

Amazon EBS, EFS, and AWS Storage Gateway

Exam Scenario Solution
User deleted some data in an Amazon EBS volume and there’s a recent snapshot Can create a new EBS volume from the snapshot and attach it to an instance and copy the delete file across
EBS volume runs out of space and need to prevent it happening again Use CloudWatch agent on EC2 and monitor disk metrics with CloudWatch alarm

Low latency access required for image files in an office location with synchronized backup to offsite location. Local access required and disaster recovery

Use an AWS Storage Gateway volume gateway configured as a stored volume

EBS volume capacity is increased but cannot see the space Need to extend the volume’s file system to gain access to extra space
Need to replace user-shared drives. Must support POSIX permissions and NFS protocols and be accessible from on-premise servers and EC2 Use Amazon EFS

AWS Systems Manager

Exam Scenario Solution
Application running on EC2 needs login credentials for a DB that are stored as secure strings in SSM Parameter Store Create an IAM role for the instance and grant permission to read the parameters
Linux instances are patched with Systems Manager Patch Manager. Application slows down whilst updates are happening Change maintenance window to patch 10% of instances in the patch group at a time
Custom Linux AMI used with AWS Systems Manager. Can’t find instances in Session Manager console Need to add permissions to instance profile and install the SSM agent on the instances
Multiple environments require authentication credentials for external service. Deployed using CloudFormation Store credentials in SSM Parameter Store and pass an environment tag as a parameter in CloudFormation template  
IAM access keys used to manage EC2 instances using the CLI. Company policy mandates that access keys are automatically disabled after 60 days Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation

AWS CloudFormation

Exam Scenario Solution
Need to review updates to an AWS CloudFormation stack before deploying them in production Use change sets
Stack deployed and manual changes were made. Need to capture changes and update template Use drift detection and use output to update template and redeploy the stack
Need to update new version of app on EC2 and ALB. Must avoid DNS changes and be able to rollback Update template with AutoScalingReplacingUpdate policy and perform an update
Need to write a single template that can be deployed across several environments / Region Use parameters to enter custom values and use Ref intrinsic function to reference the parameter
Tried to launch instance in a different region from a working template and it fails Probably due to incorrect AMI ID

Amazon Virtual Private Cloud (VPC)

Exam Scenario Solution
Need to identify the instances that are generating the most traffic using a NAT gateway Use VPC flow logs on the NAT gateway ENI and use CloudWatch insights to filter based on source IP address
Latency on a NAT instance has increased, need a solution that scales with demand cost-efficiently Swap with a NAT gateway
NAT gateway is NOT highly available across AZs, only within an AZ Use multiple NAT gateways for HA across AZs
NAT instance deployed but not working Make sure to disable source/destination checks
Need to enable access to S3 without the instances using public IP addresses Use a NAT gateway or VPC endpoint

Amazon Route 53

Exam Scenario Solution
Use Route 53 to direct based on health checks with (2xx) traffic to primary and other responses to secondary Need to create an A record for each server and a HTTP (not TCP) health check
Route 53 health check uses string matching for “/html”. Alert shows health check fails The search string must appear entirely within the first 5,120 bytes of the response body
Need to make a website promotion visible to users from a specific country only Use Route 53 geolocation routing policy
New website runs on EC2 behind ALB. Need to create record in Route 53 to point to the domain apex (e.g. example.com) Use an alias record
Hosted zone in Account A and ALB in Account B. Need the most cost-effective and efficient solution for pointing to the ALB Create an Alias record in Account A that points to ALB in Account B

Amazon S3 and CloudFront

Exam Scenario Solution
Static website on Amazon S3 with custom domain name Requires that the bucket name matches the DNS name / record set name in Route 53
503 errors experienced with new site and thousands of user Request rate is too high
Discrepancy with number of objects in bucket console vs CloudWatch Use Amazon S3 Inventory to properly determine the number of objects in a bucket
Need to enforce encryption on all objects uploaded to bucket Use a bucket policy with a “Condition”: { “Bool”: { “aws:SecureTransport”: “false” statement for PutObject and with the resource set to the bucket
Unauthorized users tried to connect to S3 buckets. Need to know which buckets are targeted and who is trying to get access Use S3 server access logs and Athena to query for HTTP 403 errors and look for IAM user or role making requests

Amazon RDS and ElastiCache

Exam Scenario Solution
Automated failover of a multi-AZ DB occurred This may be due to storage failure on primary DB or the instance type could have been changed
Need to encrypt unencrypted RDS database Take a snapshot, encrypt it, then restore a new encrypted instance from the snapshot
RDS DB query latency is high and CPU utilization is at 100% Scale up with larger instance type
Need to share RDS DB snapshots across different accounts. Data must be encrypted Use an AWS KMS key for encryption and update key policy to grant accounts with access then share snapshot
DB needs to be made HA to protect against failure and updates cannot impact users in business hours Change to Multi-AZ outside of business hours

Management, Governance and Billing

Exam Scenario Solution
Audit requests to AWS Organizations for creating new accounts by federated users use CloudTrail and look for the federated identity user name
Employees have created individual AWS accounts not under control. Security team need them in AWS Organizations Send each account an invitation from the central organization
Need to restrict ability to launch specific instance types for a specific team/account Use an organizations SCP to deny launches unless the instance type is T2, create an IAM group in the account granting access to T2 instances to the relevant users

Need to test notification settings for CloudWatch alarm with SNS

Use the set-alarm-state CLI command to test

Need to automatically disable access keys that are greater than 90 days old

Use an AWS Config rule to identify noncompliant keys and use Systems Manager Automation to remediate

Security and Compliance

Exam Scenario Solution
Company wishes to force users to change their passwords regularly Create an IAM password policy and enabled password expiration
Need to restrict access to a bucket based on source IP range Use bucket policy with “Condition”: “NotIpAddress”: statement
Need to control access to group of EC2 instances with specific tags Use an IAM policy with a condition element granting access based on the tag and attach an IAM policy to the user or groups that require access
IAM policy for SQS queue allows too much access. Who is responsible for correcting the issue? According the AWS shared responsibility mode, this is a customer responsibility
Data is encrypted with AWS KMS customer-managed CMKs. Need to enable rotation ensuring the data remains readable Just enable key rotation in AWS KMS for the CMK (backing key is rotated, data key is not changed)

You can gain all of the knowledge required to pass this challenging exam using our ultimate training package for the AWS SysOps Administrator Associate exam. Get access to many more AWS SysOps exam scenarios, 260 practice questions, and over 15 hours of on-demand videos. Enroll now!