SOA-C01 - AWS Certified SysOps Administrator Associate
From: https://devspot.org/SOA-C01.html
Question 0: A Developer created an AWS Lambda function and has asked the SysOps Administrator to make this function run every 15 minutes. What is the MOST efficient way to accomplish this request?
Option A: Create an Amazon EC2 instance and schedule a cron to invoke the Lambda function.
Option B: Create a Repeat Time variable inside the Lambda function to invoke the Lambda function.
Option C: Create a second Lambda function to monitor and invoke the first Lambda function.
Option D: Create an Amazon CloudWatch scheduled event to invoke the Lambda function.
Question 1: A company's Auditor implemented a compliance requirement that all Amazon S3 buckets must have logging enabled. How should the SysOps Administrator ensure this compliance requirement is met, while still permitting Developers to create and use new S3 buckets?
Option A: Add AWS CloudTrail logging for the S3 buckets.
Option B: Implement IAM policies to allow only the Storage team to create S3 buckets.
Option C: Add the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED.
Option D: Create an AWS Lambda function to delete the S3 buckets if logging is not turned on.
Question 2: An organization is concerned that its Amazon RDS databases are not protected. The solution to address this issue must be low cost, protect against table corruption that could be overlooked for several days, and must offer a 30-day window of protection. How can these requirements be met?
Option A: Enable Multi-AZ on the RDS instance to maintain the data in a second Availability Zone.
Option B: Create a read replica of the RDS instance to maintain the data in a second region.
Option C: Ensure that automated backups are enabled and set the appropriate retention period.
Option D: Enable versioning in RDS to recover altered table data when needed.
Question 3: An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps Administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. What is likely to be the problem?
Option A: The Amazon Machine image used is not available in that region.
Option B: The AWS CloudFormation template needs to be updated to the latest version.
Option C: The VPC configuration parameters have changed and must be updated in the template.
Option D: The account has reached the default limit for VPCs allowed.
Question 4: Based on the AWS Shared Responsibility Model, which of the following actions are the responsibility of the customer for an Aurora database?
Option A: Performing underlying OS updates
Option B: Provisioning of storage for database
Option C: Scheduling maintenance, patches, and other updates
Option D: Executing maintenance, patches, and other updates
Question 5: A web-commerce application stores its data in an Amazon Aurora DB cluster with an Aurora replica. The application displays shopping cart information by reading data from the reader endpoint. When monitoring the Aurora database, the SysOps Administrator sees that the AuroraReplicaLagMaximum metric for a single replica is high. What behavior is the application MOST likely exhibiting to users?
Option A: Users cannot add any items to the shopping cart.
Option B: Users intermittently notice that the cart is not updated correctly.
Option C: Users cannot remove any items from the shopping cart.
Option D: Users cannot use the application because it is falling back to an error page.
Question 6: A company would like to review each change in the infrastructure before deploying updates in its AWS CloudFormation stacks. Which action will allow an Administrator to understand the impact of these changes before implementation?
Option A: Implement a blue/green strategy using AWS Elastic Beanstalk.
Option B: Perform a canary deployment using Application Load Balancers and target groups.
Option C: Create a change set for the running stack.
Option D: Submit the update using the UpdateStack API call.
Question 7: A Systems Administrator is responsible for maintaining custom, approved AMIs for a company. These AMIs must be shared with each of the company's AWS accounts. How can the Administrator address this issue?
Option A: Contact AWS Support for sharing AMIs with other AWS accounts.
Option B: Modify the permissions on the AMIs so that they are publicly accessible.
Option C: Modify the permissions on the IAM role that are associated with the AMI.
Option D: Share the AMIs with each AWS account using the console or CLI.
Question 8: A company's data retention policy dictates that backups be stored for exactly two years. After that time, the data must be deleted. How can Amazon EBS snapshots be managed to conform to this data retention policy?
Option A: Use an Amazon S3 lifecycle policy to delete snapshots older than two years.
Option B: Configure Amazon Inspector to find and delete old EBS snapshots.
Option C: Schedule an AWS Lambda function using Amazon CloudWatch Events to periodically run a script to delete old snapshots.
Option D: Configure an Amazon CloudWatch alarm to trigger the launch of an AWS CloudFormation template that will clean the older snapshots.
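Worked example for Question 8, option C. This is added illustration code, not from the exam page or from AWS; it shows the selection logic a scheduled Lambda function would run, written so the selection is a pure function that can be tested offline. The EC2 client is injected (a boto3 client in production, a constructed stand-in here), the snapshot and AMI records are constructed sample data, and the LegalHold tag is this example's own convention. Two checks a practitioner wants are included: snapshots that back a registered AMI are skipped (EC2 refuses to delete them with InvalidSnapshot.InUse), and a dry-run mode reports the plan without deleting.

```python
"""Selection and deletion logic for the scheduled Lambda function of
Question 8 (option C): delete owned EBS snapshots older than two years.

The selection is a pure function so it can be tested offline; the entry
point takes any object exposing describe_snapshots/describe_images/
delete_snapshot, which is how a boto3 EC2 client would be passed in.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 2 * 365  # "exactly two years" in the retention policy


def ami_backed_snapshot_ids(images):
    """Snapshot IDs referenced by registered AMIs; EC2 refuses to delete
    these (InvalidSnapshot.InUse), so they are excluded up front."""
    ids = set()
    for image in images:
        for mapping in image.get("BlockDeviceMappings", []):
            snapshot_id = mapping.get("Ebs", {}).get("SnapshotId")
            if snapshot_id:
                ids.add(snapshot_id)
    return ids


def snapshots_to_delete(snapshots, protected_ids, now, retention_days=RETENTION_DAYS):
    """IDs of snapshots whose StartTime is at or before now - retention.

    Besides AMI-backed snapshots, anything tagged LegalHold=true is kept:
    a blanket retention policy should never silently destroy data that a
    hold has placed outside the normal schedule. (The LegalHold tag name is
    an assumption of this example, not an AWS convention.)
    """
    cutoff = now - timedelta(days=retention_days)
    doomed = []
    for snap in snapshots:
        tags = {t["Key"]: t["Value"] for t in snap.get("Tags", [])}
        if snap["StartTime"] > cutoff:                  # still within retention
            continue
        if snap["SnapshotId"] in protected_ids:         # backs a registered AMI
            continue
        if tags.get("LegalHold", "").lower() == "true":
            continue
        doomed.append(snap["SnapshotId"])
    return sorted(doomed)


def run_cleanup(ec2, now=None, dry_run=True):
    """Lambda-style body: list, select, delete. Returns the IDs selected.

    Real code must paginate describe_snapshots/describe_images (NextToken or
    boto3 paginators); the single-page calls here keep the example short.
    """
    now = now or datetime.now(timezone.utc)
    snapshots = ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]
    protected = ami_backed_snapshot_ids(ec2.describe_images(Owners=["self"])["Images"])
    plan = snapshots_to_delete(snapshots, protected, now)
    if not dry_run:
        for snapshot_id in plan:
            ec2.delete_snapshot(SnapshotId=snapshot_id)
    return plan


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the demo runs offline."""

    def __init__(self, snapshots, images):
        self._snapshots, self._images, self.deleted = snapshots, images, []

    def describe_snapshots(self, OwnerIds):
        return {"Snapshots": list(self._snapshots)}

    def describe_images(self, Owners):
        return {"Images": list(self._images)}

    def delete_snapshot(self, SnapshotId):
        self.deleted.append(SnapshotId)


# Constructed sample data; IDs are placeholders, not real resources.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a1", "StartTime": NOW - timedelta(days=800)},   # old: delete
    {"SnapshotId": "snap-0a2", "StartTime": NOW - timedelta(days=100)},   # recent: keep
    {"SnapshotId": "snap-0a3", "StartTime": NOW - timedelta(days=900)},   # old, backs AMI: keep
    {"SnapshotId": "snap-0a4", "StartTime": NOW - timedelta(days=900),
     "Tags": [{"Key": "LegalHold", "Value": "true"}]},                     # old, on hold: keep
    {"SnapshotId": "snap-0a5", "StartTime": NOW - timedelta(days=730)},   # exactly 2 years: delete
]
SAMPLE_IMAGES = [{"ImageId": "ami-0f00", "BlockDeviceMappings": [
    {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0a3"}},
    {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"},
]}]

if __name__ == "__main__":
    client = FakeEC2(SAMPLE_SNAPSHOTS, SAMPLE_IMAGES)
    print("would delete:", run_cleanup(client, NOW, dry_run=True))
```

Run the function first with dry_run=True from the scheduled rule and review the returned list before flipping it to live deletion. Amazon Data Lifecycle Manager now provides snapshot retention natively and is the better choice for new deployments; the Lambda approach remains the exam's expected answer and is still what you reach for when the selection rules (such as the AMI and hold checks above) go beyond what the managed policy expresses.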
Question 9: A SysOps Administrator must devise a strategy for enforcing tagging of all EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes. What action can the Administrator take to implement this for real-time enforcement?
Option A: Use the AWS Tag Editor to manually search for untagged resources and then tag them properly in the editor.
Option B: Set up AWS Service Catalog with the TagOptions Library rule that enforces a tagging taxonomy proactively when instances and volumes are launched.
Option C: In a PowerShell or shell script, check for untagged items by using the resource tagging GetResources API action, and then manually tag the reported items.
Option D: Launch items by using the AWS API. Use the TagResources API action to apply the required tags when the instances and volumes are launched.
Question 10: During a security investigation, it is determined that there is a coordinated attack on the web applications deployed on Amazon EC2. The attack is performed through malformed HTTP headers. What AWS service or feature would prevent this traffic from reaching the EC2 instances?
Option A: Amazon Inspector
Option B: Amazon Security Groups
Option C: AWS WAF
Option D: Application Load Balancer (ALB)
Question 11: A company is deploying a legacy web application on Amazon EC2 instances behind an ELB Application Load Balancer. The application worked well in the test environment. However, in production, users report that they are prompted to log in to the system several times an hour. Which troubleshooting step should be taken to help resolve the problem reported by users?
Option A: Confirm that the Application Load Balancer is in a multi-AZ configuration.
Option B: Enable health checks on the Application Load Balancer.
Option C: Ensure that port 80 is configured on the security group.
Option D: Enable sticky sessions on the Application Load Balancer.
Question 12: A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API-calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA. What additional step must be taken to ensure that API calls are authenticated using MFA?
Option A: Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.
Option B: Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.
Option C: Restrict the IAM users to use of the console, as MFA is not supported for CLI use.
Option D: Require users to use temporary credentials from the get-session-token command to sign API calls.
Question 13: An application is being developed that will be served across a fleet of Amazon EC2 instances, which require a consistent view of persistent data. Items stored vary in size from 1KB to 300MB; the items are read frequently, created occasionally, and often require partial changes without conflict. The data store is not expected to grow beyond 2TB, and items will be expired according to age and content type. Which AWS service solution meets these requirements?
Option A: Amazon S3 buckets with lifecycle policies to delete old objects.
Option B: Amazon RDS PostgreSQL and a job that deletes rows based on age and file type columns.
Option C: Amazon EFS and a scheduled process to delete files based on age and extension.
Option D: An EC2 instance store synced on boot from a central Amazon EBS-backed instance.
Question 14: A SysOps Administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the Administrator is unable to connect to any of the domains that reside on the internet. What additional route destination rule should the Administrator add to the route tables?
Option A: Route ::/0 traffic to a NAT gateway
Option B: Route ::/0 traffic to an internet gateway
Option C: Route 0.0.0.0/0 traffic to an egress-only internet gateway
Option D: Route ::/0 traffic to an egress-only internet gateway
Question 15: A recent organizational audit uncovered an existing Amazon RDS database that is not currently configured for high availability. Given the critical nature of this database, it must be configured for high availability as soon as possible. How can this requirement be met?
Option A: Switch to an active/passive database pair using the create-db-instance-read-replica with the --availability-zone flag.
Option B: Specify high availability when creating a new RDS instance, and live-migrate the data.
Option C: Modify the RDS instance using the console to include the Multi-AZ option.
Option D: Use the modify-db-instance command with the --ha flag.
Question 16: A company must ensure that any objects uploaded to an S3 bucket are encrypted. Which of the following actions will meet this requirement? (Choose two.)
Option A: Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
Option B: Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
Option C: Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
Option D: Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
Option E: Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
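Worked example for Question 12 (the MFA Deny policy) and Question 16, option E (the bucket policy that rejects unencrypted uploads). This is added illustration code, not from the exam page or from AWS: a small evaluator for the handful of IAM condition operators those two policies rely on, run against constructed request contexts. The bucket name "reports" and the request contexts are assumptions of the example. The point it makes for Question 12 is the one the question's premise hints at: aws:MultiFactorAuthPresent is absent, not "false", on calls signed with long-term access keys, so a Deny written with the plain Bool operator never matches them. The working form uses BoolIfExists and leaves sts:GetSessionToken reachable so users can obtain MFA-backed temporary credentials (option D). For Question 16 it shows why two Deny statements are needed: Null catches a missing SSE header, StringNotEquals catches an unexpected algorithm.

```python
"""Toy evaluator for the IAM condition operators used by the two Deny
statements discussed above: the MFA-enforcement policy of Question 12 and
the 'deny unencrypted uploads' bucket policy of Question 16 (option E).

Only the question "does this Deny statement match the request?" is modelled;
real IAM evaluation also has Allow statements, resource ARNs, SCPs, etc.
"""

# Question 12: the policy most people write first. aws:MultiFactorAuthPresent is
# absent (not "false") when a call is signed with a long-term access key, and a
# plain Bool operator never matches an absent key, so the Deny silently does
# nothing for exactly the calls it was meant to block.
MFA_DENY_NAIVE = [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}]

# The working form: BoolIfExists treats a missing key as a match, and NotAction
# leaves sts:GetSessionToken reachable so users can obtain MFA-backed
# temporary credentials in the first place (option D).
MFA_DENY_RECOMMENDED = [{
    "Effect": "Deny", "NotAction": ["sts:GetSessionToken"], "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}]

# Question 16, option E. Two statements are needed: Null catches uploads with
# no SSE header at all; StringNotEquals catches an unexpected algorithm.
# The bucket name "reports" is a placeholder.
S3_ENCRYPTION_DENY = [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::reports/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::reports/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_in_scope(stmt, action):
    """Action/NotAction matching with the single wildcard '*' supported."""
    if "NotAction" in stmt:
        return action not in _as_list(stmt["NotAction"])
    actions = _as_list(stmt["Action"])
    return "*" in actions or action in actions


def _condition_matches(operator, key, expected, ctx):
    expected = [str(v) for v in _as_list(expected)]
    if operator == "Null":
        # Null/"true" matches when the key is ABSENT from the request context
        return (key not in ctx) == (expected[0] == "true")
    if key not in ctx:
        # ...IfExists operators match a missing key; plain operators never do
        return operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if operator.endswith("IfExists") else operator
    actual = str(ctx[key])
    if base == "Bool":
        return actual.lower() in [v.lower() for v in expected]
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":
        return actual not in expected
    raise ValueError(f"unsupported condition operator: {operator}")


def is_denied(statements, ctx):
    """True if any Deny statement applies to the request context `ctx`.

    `ctx` holds the requested action under "action" plus any condition keys
    present on the request (missing keys are simply missing, as in IAM).
    """
    for stmt in statements:
        if stmt["Effect"] != "Deny" or not _action_in_scope(stmt, ctx["action"]):
            continue
        if all(_condition_matches(op, key, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items()):
            return True
    return False


# Constructed request contexts (not real API traces).
LONG_TERM_KEY_CALL = {"action": "ec2:DescribeInstances"}            # key absent
SESSION_WITHOUT_MFA = {"action": "ec2:DescribeInstances", "aws:MultiFactorAuthPresent": "false"}
SESSION_WITH_MFA = {"action": "ec2:DescribeInstances", "aws:MultiFactorAuthPresent": "true"}
GET_SESSION_TOKEN = {"action": "sts:GetSessionToken"}               # bootstrap call
PUT_PLAINTEXT = {"action": "s3:PutObject"}
PUT_AES256 = {"action": "s3:PutObject", "s3:x-amz-server-side-encryption": "AES256"}
PUT_BOGUS = {"action": "s3:PutObject", "s3:x-amz-server-side-encryption": "none"}

if __name__ == "__main__":
    for name, stmts in (("naive", MFA_DENY_NAIVE), ("recommended", MFA_DENY_RECOMMENDED)):
        print(name, "denies long-term-key call:", is_denied(stmts, LONG_TERM_KEY_CALL))
    print("plaintext upload denied:", is_denied(S3_ENCRYPTION_DENY, PUT_PLAINTEXT))
```

Users then run aws sts get-session-token with --serial-number and --token-code and export the returned temporary credentials; every call signed with them carries aws:MultiFactorAuthPresent=true and passes the Deny. For Question 16, note that Amazon S3 has applied SSE-S3 default encryption to new objects since January 2023, so in current accounts the bucket policy form mainly serves to force a specific algorithm or KMS key rather than to prevent plaintext storage outright.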
Question 17: When the AWS Cloud infrastructure experiences an event that may impact an organization, which AWS service can be used to see which of the organization's resources are affected?
Option A: AWS Service Health Dashboard
Option B: AWS Trusted Advisor
Option C: AWS Personal Health Dashboard
Option D: AWS Systems Manager
Question 18: A company's static website hosted on Amazon S3 was launched recently, and is being used by tens of thousands of users. Subsequently, website users are experiencing 503 service unavailable errors. Why are these errors occurring?
Option A: The request rate to Amazon S3 is too high.
Option B: There is an error with the Amazon RDS database.
Option C: The requests to Amazon S3 do not have the proper permissions.
Option D: The users are in a different geographical region and Amazon Route 53 is restricting access.
Question 19: An organization has two AWS accounts: Development and Production. A SysOps Administrator manages access of IAM users to both accounts. Some IAM users in Development should have access to certain resources in Production. How can this be accomplished?
Option A: Create an IAM role in the Production account with the Development account as a trusted entity and then allow those users from the Development account to assume the Production account IAM role.
Option B: Create a group of IAM users in the Development account, and add Production account service ARNs as resources in the IAM policy.
Option C: Establish a federation between the two accounts using the on-premises Microsoft Active Directory, and allow the Development account to access the Production account through this federation.
Option D: Establish an Amazon Cognito Federated Identity between the two accounts, and allow the Development account to access the Production account through this federation.
Question 20: A SysOps Administrator is responsible for managing a set of t2.micro Amazon EC2 instances. The Administrator wants to automatically reboot any instance that exceeds 80% CPU utilization. Which of these solutions would meet the requirements?
Option A: Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a terminate alarm action.
Option B: Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a reboot alarm action.
Option C: Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a reboot alarm action.
Option D: Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a terminate alarm action.
Question 21: A company's customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps Administrator observed a very high rate of read operations on a particular S3 bucket. What will minimize latency by reducing load on the S3 bucket?
Option A: Migrate the S3 bucket to a region that is closer to end users' geographic locations.
Option B: Use cross-region replication to replicate all of the data to another region.
Option C: Create an Amazon CloudFront distribution with the S3 bucket as the origin.
Option D: Use Amazon ElastiCache to cache data being served from Amazon S3.
Question 22: A company requires that all access from on-premises applications to AWS services go over its AWS Direct Connect connection rather than the public internet. How would a SysOps Administrator implement this requirement?
Option A: Implement an IAM policy that uses the aws:sourceConnection condition to allow access from the AWS Direct Connect connection ID only
Option B: Set up a public virtual interface on the AWS Direct Connect connection
Option C: Configure AWS Shield to protect the AWS Management Console from being accessed by IP addresses other than those within the data center ranges
Option D: Update all the VPC network ACLs to allow access from the data center IP ranges
Question 23: A SysOps Administrator must find a way to set up alerts when Amazon EC2 service limits are close to being reached. How can the Administrator achieve this requirement?
Option A: Use Amazon Inspector and Amazon CloudWatch Events.
Option B: Use AWS Trusted Advisor and Amazon CloudWatch Events.
Option C: Use the Personal Health Dashboard and CloudWatch Events.
Option D: Use AWS CloudTrail and CloudWatch Events.
Question 24: A web application accepts orders from online users and places the orders into an Amazon SQS queue. Amazon EC2 instances in an EC2 Auto Scaling group read the messages from the queue, process the orders, and email order confirmations to the users. The Auto Scaling group scales up and down based on the queue depth. At the beginning of each business day, users report confirmation emails are delayed. What action will address this issue?
Option A: Create a scheduled scaling action to scale up in anticipation of the traffic.
Option B: Change the Auto Scaling group to scale up and down based on CPU utilization.
Option C: Change the launch configuration to launch larger EC2 instance types.
Option D: Modify the scaling policy to deploy more EC2 instances when scaling up.
Question 25: A company creates custom AMIs by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures the necessary software through AWS OpsWorks, and takes an image of each EC2 instance. The process of installing and configuring software can take between 2 and 3 hours, but at times the process stalls due to installation errors. The SysOps Administrator must modify the CloudFormation template so that if the process stalls, the entire stack will fail and roll back. Based on these requirements, what should be added to the template?
Option A: Conditions with a timeout set to 4 hours.
Option B: CreationPolicy with a timeout set to 4 hours.
Option C: DependsOn with a timeout set to 4 hours.
Option D: Metadata with a timeout set to 4 hours.
Question 26: A SysOps Administrator must take a team's single existing AWS CloudFormation template and split it into smaller, service-specific templates. All of the services in the template reference a single, shared Amazon S3 bucket. What should the Administrator do to ensure that this S3 bucket can be referenced by all the service templates?
Option A: Include the S3 bucket as a mapping in each template.
Option B: Add the S3 bucket as a resource in each template.
Option C: Create the S3 bucket in its own template and export it.
Option D: Generate the S3 bucket using StackSets.
Question 27: After installing and configuring the Amazon CloudWatch agent on an EC2 instance, the anticipated system logs are not being received by CloudWatch Logs. Which of the following are likely to be the cause of this problem? (Choose two.)
Option A: A custom or third-party solution for logs is being used.
Option B: The IAM role attached to the EC2 instance does not have the proper permissions.
Option C: The CloudWatch agent does not support the operating system used.
Option D: A billing constraint is limiting the number of CloudWatch Logs within this account.
Option E: The EC2 instance is in a private subnet, and the VPC does not have a NAT gateway.
Question 28: A SysOps Administrator found that a newly-deployed Amazon EC2 application server is unable to connect to an existing Amazon RDS database. After enabling VPC Flow Logs and confirming that the flow log is active on the console, the log group cannot be located in Amazon CloudWatch. What are the MOST likely reasons for this situation? (Choose two.)
Option A: The Administrator must configure the VPC Flow Logs to have them sent to AWS CloudTrail.
Option B: The Administrator has waited less than ten minutes for the log group to be created in CloudWatch.
Option C: The account VPC Flow Logs have been disabled by using a service control policy.
Option D: No relevant traffic has been sent since the VPC Flow Logs were created
Option E: The account has Amazon GuardDuty enabled.
Question 29: An HTTP web application is launched on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run across multiple Availability Zones. A network ACL and a security group for the load balancer and EC2 instances allow inbound traffic on port 80. After launch, the website cannot be reached over the internet. What additional step should be taken?
Option A: Add a rule to the security group allowing outbound traffic on port 80.
Option B: Add a rule to the network ACL allowing outbound traffic on port 80.
Option C: Add a rule to the security group allowing outbound traffic on ports 1024 through 65535.
Option D: Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535.
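Worked example for Question 29. This is added illustration code, not from the exam page or from AWS: a small model of the two filtering layers, with the security group tracking connections (stateful) and the network ACL checking every packet in each direction against numbered rules (stateless, first match wins, implicit final deny). The addresses and the client's ephemeral port are constructed. Pushing one HTTP request and its reply through both layers shows why only option D works: the server's reply goes to the client's ephemeral source port, so an outbound rule for port 80 (option B) still drops it, while the security group needs no change at all.

```python
"""Stateless vs stateful filtering, as in Question 29.

A security group tracks connections, so the reply to an allowed inbound
request is allowed out automatically. A network ACL is stateless: each
packet is checked against the rules for its own direction, lowest rule
number first, and the implicit final rule denies everything else. The
server's reply to an HTTP client goes to the client's ephemeral source
port, so without an egress rule for 1024-65535 the reply is dropped even
though the request was allowed in.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NaclRule:
    number: int          # rules are evaluated in ascending order
    egress: bool         # False = inbound rule, True = outbound rule
    ports: tuple         # inclusive (low, high) destination-port range
    action: str          # "allow" or "deny"


EPHEMERAL = (1024, 65535)


def nacl_allows(rules, packet, egress):
    """First matching rule for the packet's direction wins; no match = deny."""
    for rule in sorted((r for r in rules if r.egress == egress), key=lambda r: r.number):
        low, high = rule.ports
        if low <= packet.dport <= high:
            return rule.action == "allow"
    return False


def security_group_allows(inbound_ports, packet, connections):
    """Stateful: allow if the packet belongs to a tracked connection, or if it
    matches an inbound rule (in which case the connection becomes tracked).
    Outbound traffic is left at the default allow-all."""
    flow = (packet.src, packet.sport, packet.dst, packet.dport)
    reverse = (packet.dst, packet.dport, packet.src, packet.sport)
    if reverse in connections:
        return True
    if packet.dport in inbound_ports:
        connections.add(flow)
        return True
    return False


def http_exchange(nacl_rules, sg_inbound_ports=(80,)):
    """Push one request and its reply through both filters.

    Returns (request_allowed, reply_allowed). Addresses and the client's
    ephemeral port 51234 are constructed for the example.
    """
    connections = set()
    request = Packet("203.0.113.7", "10.0.1.10", 51234, 80)
    reply = Packet("10.0.1.10", "203.0.113.7", 80, 51234)
    request_ok = (nacl_allows(nacl_rules, request, egress=False)
                  and security_group_allows(sg_inbound_ports, request, connections))
    reply_ok = (request_ok
                and nacl_allows(nacl_rules, reply, egress=True)
                and security_group_allows(sg_inbound_ports, reply, connections))
    return request_ok, reply_ok


# The ACL from the question: inbound 80 allowed, nothing outbound.
INBOUND_ONLY = [NaclRule(100, False, (80, 80), "allow")]
# Option B: outbound 80. Wrong, because the reply's destination port is the
# client's ephemeral port, not 80.
OUTBOUND_80 = INBOUND_ONLY + [NaclRule(100, True, (80, 80), "allow")]
# Option D: outbound ephemeral range. This is the fix.
OUTBOUND_EPHEMERAL = INBOUND_ONLY + [NaclRule(100, True, EPHEMERAL, "allow")]
# Ordering matters: a lower-numbered deny on the same range wins over the allow.
DENY_FIRST = OUTBOUND_EPHEMERAL + [NaclRule(50, True, EPHEMERAL, "deny")]

if __name__ == "__main__":
    for name, rules in (("inbound only", INBOUND_ONLY), ("outbound 80", OUTBOUND_80),
                        ("outbound ephemeral", OUTBOUND_EPHEMERAL), ("deny first", DENY_FIRST)):
        print(f"{name:20s} request/reply allowed: {http_exchange(rules)}")
```

The same reasoning applies to the ALB itself, which sits in the subnets the ACL covers: its reply to the client also leaves on an ephemeral destination port, and its health checks to the instances need the instance subnets' ACL to allow the instances' replies back in.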
Question 30: A company has an application that is running on an EC2 instance in one Availability Zone. A SysOps Administrator has been tasked with making the application highly available. The Administrator created a launch configuration from the running EC2 instance. The Administrator also properly configured a load balancer. What step should the Administrator complete next to make the application highly available?
Option A: Create an Auto Scaling group by using the launch configuration across at least 2 Availability Zones with a minimum size of 1, desired capacity of 1, and a maximum size of 1.
Option B: Create an Auto Scaling group by using the launch configuration across at least 3 Availability Zones with a minimum size of 2, desired capacity of 2, and a maximum of 2.
Option C: Create an Auto Scaling group by using the launch configuration across at least 2 regions with a minimum size of 1, desired capacity of 1, and a maximum size of 1.
Option D: Create an Auto Scaling group by using the launch configuration across at least 3 regions with a minimum size of 2, desired capacity of 2, and a maximum size of 2.
Question 31: An Applications team has successfully deployed an AWS CloudFormation stack consisting of 30 t2.medium Amazon EC2 instances in the us-west-2 Region. When using the same template to launch a stack in us-east-2, the launch failed and rolled back after launching only 10 EC2 instances. What is a possible cause of this failure?
Option A: The IAM user did not have privileges to launch the CloudFormation template.
Option B: The t2.medium EC2 instance service limit was reached.
Option C: An AWS Budgets threshold was breached.
Option D: The application's Amazon Machine Image (AMI) is not available in us-east-2.
Question 32: A SysOps Administrator stores crash dump files in Amazon S3. New security and privacy measures require that crash dumps older than 6 months be deleted. Which approach meets this requirement?
Option A: Use Amazon CloudWatch Events to delete objects older than 6 months.
Option B: Implement lifecycle policies to delete objects older than 6 months.
Option C: Use the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class to automatically delete objects older than 6 months.
Option D: Create versioning rules to delete objects older than 6 months.
Question 33: The Accounting department would like to receive billing updates more than once a month. They would like the updates to be in a format that can easily be viewed with a spreadsheet application. How can this request be fulfilled?
Option A: Use Amazon CloudWatch Events to schedule a billing inquiry on a bi-weekly basis. Use AWS Glue to convert the output to CSV.
Option B: Set AWS Cost and Usage Reports to publish bills daily to an Amazon S3 bucket in CSV format.
Option C: Use the AWS CLI to output billing data as JSON. Use Amazon SES to email bills on a daily basis.
Option D: Use AWS Lambda, triggered by CloudWatch, to query billing data and push to Amazon RDS.
Question 34: A SysOps Administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code: AMI [ami-12345678] does not exist. How should the Administrator ensure that the AWS CloudFormation template is working in every region?
Option A: Copy the source region's Amazon Machine Image (AMI) to the destination region and assign it the same ID.
Option B: Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
Option C: Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.
Option D: Modify the AWS CloudFormation template by including the AMI IDs in the 'Mappings' section. Refer to the proper mapping within the template for the proper AMI ID.
Question 35: A SysOps Administrator needs to confirm that security best practices are being followed with the AWS account root user. How should the Administrator ensure that this is done?
Option A: Change the root user password by using the AWS CLI routinely.
Option B: Periodically use the AWS CLI to rotate access keys and secret keys for the root user.
Option C: Use AWS Trusted Advisor security checks to review the configuration of the root user.
Option D: Periodically distribute the AWS compliance document from AWS Artifact that governs the root user configuration.
Question 36: The networking team has created a VPC in an AWS account. The application team has asked for access to resources in another VPC in the same AWS account. The SysOps Administrator has created a VPC peering connection between the two VPCs, but the resources in one VPC cannot communicate with the resources in the other VPC. What could be causing this issue?
Option A: One of the VPCs is not sized correctly for peering.
Option B: There is no public subnet in one of the VPCs.
Option C: The route tables have not been updated.
Option D: One VPC has disabled the peering flag.
Question 37: An organization has been running their website on several m2 Linux instances behind a Classic Load Balancer for more than two years. Traffic and utilization have been constant and predictable. What should the organization do to reduce costs?
Option A: Purchase Reserved Instances for the specific m2 instances.
Option B: Change the m2 instances to equivalent m5 types, and purchase Reserved Instances for the specific m5 instances.
Option C: Change the Classic Load Balancer to an Application Load Balancer, and purchase Reserved Instances for the specific m2 instances.
Option D: Purchase Spot Instances for the specific m2 instances.
Question 38: A company is storing monthly reports on Amazon S3. The company's security requirement states that traffic from the client VPC to Amazon S3 cannot traverse the internet. What should the SysOps Administrator do to meet this requirement?
Option A: Use AWS Direct Connect and a public virtual interface to connect to Amazon S3.
Option B: Use a managed NAT gateway to connect to Amazon S3.
Option C: Deploy a VPC endpoint to connect to Amazon S3.
Option D: Deploy an internet gateway to connect to Amazon S3.
Question 39: An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security, the Information Security team has deployed an Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of the EC2 instances. After the change, traffic is not reaching the instances, and an error is being returned from the ALB. What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (Choose two.)
Option A: Add the EC2 instances to the ALB target group, configure the health check, and ensure that the instances report healthy.
Option B: Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy, and remove the public IPs from the instances.
Option C: Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate, and remove the public IPs from the instances.
Option D: Change the security group for the EC2 instances to allow access from only the ALB security group, and remove the public IPs from the instances.
Option E: Change the security group to allow access from 0.0.0.0/0, which permits access from the ALB.
Question 40: A SysOps Administrator is implementing SSL for a domain of an internet-facing application running behind an Application Load Balancer (ALB). The Administrator decides to use an SSL certificate from Amazon Certificate Manager (ACM) to secure it. Upon creating a request for the ALB fully qualified domain name (FQDN), it fails, and the error message 'Domain Not Allowed' is displayed. How can the Administrator fix this issue?
Option A: Contact the domain registrar and ask them to provide the verification required by AWS.
Option B: Place a new request with the proper domain name instead of the ALB FQDN
Option C: Select the certificate request in the ACM console and resend the validation email.
Option D: Contact AWS Support and verify the request by answering security challenge questions.
Question 41: A SysOps Administrator runs a web application built with a microservices approach, whereby each responsibility of the application has been divided into a separate microservice running on a different Amazon EC2 instance. The Administrator has been tasked with reconfiguring the infrastructure to support this approach. How can the Administrator accomplish this with the LEAST administrative overhead?
Option A: Use Amazon CloudFront to log the URL and forward the request.
Option B: Use Amazon CloudFront to rewrite the header based on the microservice and forward the request.
Option C: Use an Application Load Balancer (ALB) and do path-based routing.
Option D: Use a Network Load Balancer (NLB) and do path-based routing.
Question 42: A company is running a popular social media site on EC2 instances. The application stores data in an Amazon RDS for MySQL DB instance and has implemented read caching by using an ElastiCache for Redis (cluster mode enabled) cluster to improve read times. A social event is happening over the weekend, and the SysOps Administrator expects website traffic to triple. What can a SysOps Administrator do to ensure improved read times for users during the social event?
Option A: Use Amazon RDS Multi-AZ.
Option B: Add shards to the existing Redis cluster.
Option C: Offload static data to Amazon S3.
Option D: Launch a second Multi-AZ Redis cluster.
Question 43: After a particularly high AWS bill, an organization wants to review the use of AWS services. What AWS service will allow the SysOps Administrator to quickly view this information to share it, and will also forecast expenses for the current billing period?
Option A: AWS Trusted Advisor
Option B: Amazon QuickSight
Option C: AWS Cost and Usage Report
Option D: AWS Cost Explorer
Question 44: A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances. How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement?
Option A: Update the EFS file system settings to enable server-side encryption using AES-256.
Option B: Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.
Option C: Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system.
Option D: Modify the EFS file system mount options to enable Transport Layer Security (TLS) on each of the EC2 instances.
Question 45: The Database Administration team is interested in performing manual backups of an Amazon RDS Oracle DB instance. What steps should be taken to perform the backups?
Option A: Attach an Amazon EBS volume with Oracle RMAN installed to the RDS instance.
Option B: Take a snapshot of the EBS volume that is attached to the DB instance.
Option C: Install Oracle Secure Backup on the RDS instance and back up the Oracle database to Amazon S3.
Option D: Take a snapshot of the DB instance.
Question 46: An Auto Scaling group scales up and down based on Average CPU Utilization. The alarm is set to trigger a scaling event when the Average CPU Utilization exceeds 80% for 5 minutes. Currently, the Average CPU has been 95% for over two hours and new instances are not being added. What could be the issue?
Option A: A scheduled scaling action has not been defined.
Option B: In the field Suspend Process, 'ReplaceUnhealthy' has been selected.
Option C: The maximum size of the Auto Scaling group is below or at the current group size.
Option D: The Health Check Grace Period is set to less than 300 seconds.
Question 47: An application running on Amazon EC2 instances needs to write files to an Amazon S3 bucket. What is the MOST secure way to grant the application access to the S3 bucket?
Option A: Create an IAM user with the necessary privileges. Generate an access key and embed the key in the code running on the EC2 instances.
Option B: Install secure FTP (SFTP) software on the EC2 instances. Use an AWS Lambda function to copy the files from the EC2 instances to Amazon S3 using SFTP.
Option C: Create an IAM role with the necessary privileges. Associate the role with the EC2 instances at launch.
Option D: Use rsync and cron to set up the transfer of files from the EC2 instances to the S3 bucket. Enable AWS Shield to protect the data.
Question 48: In configuring an Amazon Route 53 health check, a SysOps Administrator selects 'Yes' to the String Matching option in the Advanced Configuration section. In the Search String box, the Administrator types the following text: /html. This is to ensure that the entire page is loading during the health check. Within 5 minutes of enabling the health check, the Administrator receives an alert stating that the check failed. However, when the Administrator navigates to the page, it loads successfully. What is the MOST likely cause of this false alarm?
Option A: The search string is not HTML-encoded.
Option B: The search string must be put in quotes.
Option C: The search string must be escaped with a backslash (\) before the forward slash (/).
Option D: The search string is not in the first 5120 bytes of the tested page.
Question 49: A company has created a separate AWS account for all development work to protect the production environment. In this development account, developers have permission to manipulate IAM policies and roles. Corporate policies require that developers are blocked from accessing some services. What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?
Option A: Create a service control policy in AWS Organizations and apply it to the development account.
Option B: Create a customer managed policy in IAM and apply it to all users within the development account.
Option C: Create a job function policy in IAM and apply it to all users within the development account.
Option D: Create an IAM policy and apply it in API Gateway to restrict the development account.
Question 50: Company A purchases Company B and inherits three new AWS accounts. Company A would like to centralize billing and Reserved Instance benefits but wants to keep all other resources separate. How can this be accomplished?
Option A: Implement AWS Organizations and create a service control policy that defines the billing relationship with the new master account.
Option B: Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console.
Option C: Send Cost and Usage Reports files to a central Amazon S3 bucket, and load the data into Amazon Redshift. Use Amazon QuickSight to provide visualizations to the finance team.
Option D: Link the Reserved Instances to the master payer account and use Amazon Redshift Spectrum to query Detailed Billing Report data across all accounts.
Question 51: A website uses Elastic Load Balancing (ELB) in front of several Amazon EC2 instances backed by an Amazon RDS database. The content is dynamically generated for visitors of a webpage based on their geographic location, and is updated daily. Some of the generated objects are large in size and are taking longer to download than they should, resulting in a poor user experience. Which approach will improve the user experience?
Option A: Implement Amazon ElastiCache to cache the content and reduce the load on the database.
Option B: Enable an Amazon CloudFront distribution with Elastic Load Balancing as a custom origin.
Option C: Use Amazon S3 to store and deliver the content.
Option D: Enable Auto Scaling for the EC2 instances so that they can scale automatically.
Question 52: While setting up an AWS managed VPN connection, a SysOps Administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it. What address should be used to create the customer gateway resource?
Option A: The private IP address of the customer gateway device
Option B: The MAC address of the NAT device in front of the customer gateway device
Option C: The public IP address of the customer gateway device
Option D: The public IP address of the NAT device in front of the customer gateway device
Question 53: A SysOps Administrator attempting to delete an Amazon S3 bucket ran the following command: aws s3 rb s3://mybucket. The command failed and the bucket still exists. The Administrator validated that no files existed in the bucket by running aws s3 ls s3://mybucket and getting an empty response. Why is the Administrator unable to delete the bucket, and what must be done to accomplish this task?
Option A: The bucket has MFA Delete enabled, and the Administrator must turn it off.
Option B: The bucket has versioning enabled, and the Administrator must permanently delete the objects' delete markers.
Option C: The bucket is storing files in Amazon Glacier, and the Administrator must wait 3-5 hours for the files to delete.
Option D: The bucket has server-side encryption enabled, and the Administrator must run the aws s3 rb s3://mybucket --sse command.
Question 54: A SysOps Administrator must provide data to show the overall usage of Amazon EC2 instances within each department, and must determine if the purchased Reserved Instances are being used effectively. Which service should be used to provide the necessary information?
Option A: AWS Personal Health Dashboard
Option B: AWS Cost Explorer
Option C: AWS Service Catalog
Option D: AWS Application Discovery Service
Question 55: A company has multiple web applications running on Amazon EC2 instances in private subnets. The EC2 instances require connectivity to the internet for patching purposes, but cannot be publicly accessible. Which step will meet these requirements?
Option A: Add an internet gateway and update the route tables.
Option B: Add a NAT gateway to the VPC and update the route tables.
Option C: Add an interface endpoint and update the route tables.
Option D: Add a virtual gateway to the VPC and update the route tables.
Question 56: A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC. What is the SIMPLEST method to deploy and update the VPCs in each account?
Option A: Create an AWS CloudFormation template that defines the VPC. Log in to the AWS Management Console under each account and create a stack from the template.
Option B: Create a shell script that configures the VPC using the AWS CLI. Provide a list of accounts to the script from a text file, then create the VPC in every account in the list.
Option C: Create an AWS Lambda function that configures the VPC. Store the account information in Amazon DynamoDB, grant Lambda access to the DynamoDB table, then create the VPC in every account in the list.
Option D: Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template, then deploy the template to all accounts using the stack set.
Question 57: After a network change, application servers cannot connect to the corresponding Amazon RDS MySQL database. What should the SysOps Administrator analyze?
Option A: VPC Flow Logs
Option B: Elastic Load Balancing logs
Option C: Amazon CloudFront logs
Option D: Amazon RDS MySQL error logs
Question 58: A company wants to ensure that each department operates within their own isolated environment, and they are only able to use pre-approved services. How can this requirement be met?
Option A: Set up an AWS Organization to create accounts for each department, and apply service control policies to control access to AWS services.
Option B: Create IAM roles for each department, and set policies that grant access to specific AWS services.
Option C: Use the AWS Service Catalog to create catalogs of AWS services that are approved for use by each department.
Option D: Request that each department create and manage its own AWS account and the resources within it.
Question 59: A SysOps Administrator is receiving multiple reports from customers that they are unable to connect to the company's website, which is being served through Amazon CloudFront. Customers are receiving HTTP response codes for both 4XX and 5XX errors. Which metric can the Administrator use to monitor the elevated error rates in CloudFront?
Option A: TotalErrorRate
Option B: RejectedConnectionCount
Option C: NetworkTransmitThroughput
Option D: HealthyHostCount
Question 60: A company is using AWS Organizations to manage all their accounts. The Chief Technology Officer wants to prevent certain services from being used within production accounts until the services have been internally certified. They are willing to allow developers to experiment with these uncertified services in development accounts but need a way to ensure that these services are not used within production accounts. Which option ensures that services are not allowed within the production accounts, yet are allowed in separate development accounts, with the LEAST administrative overhead?
Option A: Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts.
Option B: Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
Option C: Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts. Allow the services to run in development accounts.
Option D: Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non-certified services when found in a production account.
Question 61: A SysOps Administrator has configured health checks on a load balancer. An Amazon EC2 instance attached to this load balancer fails the health check. What will happen next? (Choose two.)
Option A: The load balancer will continue to perform the health check on the EC2 instance.
Option B: The EC2 instance will be terminated based on the health check failure.
Option C: The EC2 instance will be rebooted.
Option D: The load balancer will stop sending traffic to the EC2 instance.
Option E: A new EC2 instance will be deployed to replace the unhealthy instance.
Question 62: An application performs read-heavy operations on an Amazon Aurora DB instance. The SysOps Administrator monitors the CPUUtilization CloudWatch metric and has recently seen it increase to 90%. The Administrator would like to understand what is driving the CPU surge. Which of the following should the Administrator additionally monitor to understand the CPU surge?
Option A: FreeableMemory and DatabaseConnections to understand the amount of available RAM and the number of connections to the DB instance.
Option B: FreeableMemory and EngineUptime to understand the amount of available RAM and the amount of time the instance has been up and running.
Option C: DatabaseConnections and AuroraReplicaLag for the number of connections to the DB instance and the amount of lag when replicating updates from the primary instance.
Option D: DatabaseConnections and InsertLatency for the number of connections to the DB instance and latency for insert queries.
Question 63: A SysOps Administrator must use a bastion host to administer a fleet of Amazon EC2 instances. All access to the bastion host is managed by the Security team. What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host?
Option A: Assign the same IAM role to the Administrator that is assigned to the bastion host.
Option B: Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched.
Option C: Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator.
Option D: Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.
Question 64: A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement?
Option A: Log in to the RDS console and select the encryption box to encrypt the database.
Option B: Create a new encrypted Amazon EBS volume and attach it to the instance.
Option C: Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
Option D: Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Question 65: An Amazon EC2 instance is unable to connect to an SMTP server in a different subnet. Other instances are successfully communicating with the SMTP server; however, VPC Flow Logs have been enabled on the SMTP server's network interface and show the following information: 2 223342798652 eni-abe77dab 10.1.1.200 10.100.1.10 1123 25 17 70 48252 1515534437 1515535037 REJECT OK What can be done to correct this problem?
Option A: Add the instance to the security group for the SMTP server and ensure that it is permitted to communicate over TCP port 25.
Option B: Disable the iptables service on the SMTP server so that the instance can properly communicate over the network.
Option C: Install an email client on the instance to ensure that it communicates correctly on TCP port 25 to the SMTP server.
Option D: Add a rule to the security group for the instance to explicitly permit TCP port 25 outbound to any address.
Question 66: A company's use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details of daily spending to share with management. Which method should the Administrator choose to produce this data?
Option A: Share the monthly AWS bill with management.
Option B: Use AWS CloudTrail Logs to access daily costs in JSON format.
Option C: Set up a daily Cost and Usage Report and download the output from Amazon S3.
Option D: Monitor AWS costs with Amazon CloudWatch and create billing alerts and notifications.
Question 67: A company's Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team's AWS account for monitoring. How can this be accomplished?
Option A: Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and send the information to an Amazon SQS queue managed by the Security team.
Option B: Create an event bus in the Security team's account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team's event bus as the target.
Option C: Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.
Option D: Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team.
Question 68: A workload has been moved from a data center to AWS. Previously, vulnerability scans were performed nightly by an external testing company. There is a mandate to continue the vulnerability scans in the AWS environment with third-party testing occurring at least once each month. What solution allows the vulnerability scans to continue without violating the AWS Acceptable Use Policy?
Option A: The existing nightly scan can continue with a few changes. The external testing company must be notified of the new IP address of the workload and the security group of the workload must be modified to allow scans from the external company's IP range.
Option B: If the external company is a vendor in the AWS Marketplace, notify them of the new IP address of the workload.
Option C: Submit a penetration testing request every 90 days and have the external company test externally when the request is approved.
Option D: AWS performs vulnerability testing behind the scenes daily and patches instances as needed. If a vulnerability cannot be automatically addressed, a notification email is distributed.
Question 69: A SysOps Administrator is writing a utility that publishes resources from an AWS Lambda function in AWS Account A to an Amazon S3 bucket in AWS Account B. The Lambda function is able to successfully write new objects to the S3 bucket, but IAM users in Account B are unable to delete objects written to the bucket by Account A. Which step will fix this issue?
Option A: Add s3:DeleteObject permission to the IAM execution role of the AWS Lambda function in Account A.
Option B: Change the bucket policy of the S3 bucket in Account B to allow s3:DeleteObject permission for Account A.
Option C: Disable server-side encryption for objects written to the S3 bucket by the Lambda function.
Option D: Call the S3:PutObjectAcl API operation from the Lambda function in Account A to specify bucket owner, full control.
Question 70: An organization would like to set up an option for its Developers to receive an email whenever production Amazon EC2 instances are running over 80% CPU utilization. How can this be accomplished using an Amazon CloudWatch alarm?
Option A: Configure the alarm to send emails to subscribers using Amazon SES.
Option B: Configure the alarm to send emails to subscribers using Amazon SNS.
Option C: Configure the alarm to send emails to subscribers using Amazon Inspector.
Option D: Configure the alarm to send emails to subscribers using Amazon Cognito.
Question 71: Which of the following steps are required to configure SAML 2.0 for federated access to AWS? (Choose two.)
Option A: Create IAM users for each identity provider (IdP) user to allow access to the AWS environment.
Option B: Define assertions that map the company's identity provider (IdP) users to IAM roles.
Option C: Create IAM roles with a trust policy that lists the SAML provider as the principal.
Option D: Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions.
Option E: Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the AWS environment.
Question 72: A SysOps Administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet. What should be added to the private subnet's route table in order to address this issue, given the information provided?
Option A: 0.0.0.0/0 IGW
Option B: 0.0.0.0/0 NAT
Option C: 10.0.1.0/24 IGW
Option D: 10.0.1.0/24 NAT
Question 73: A SysOps Administrator is responsible for a large fleet of EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead?
Option A: Monitor AWS CloudTrail for StopInstances API calls related to upcoming maintenance.
Option B: Review the Personal Health Dashboard for any scheduled maintenance.
Option C: From the AWS Management Console, list any instances with failed system status checks.
Option D: Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring.
Question 74: An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted. How can this be resolved?
Option A: Enable encryption on each host's connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
Option B: Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
Option C: Enable encryption on each host's local drive. Restart each host to encrypt the drive.
Option D: Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
Question 75: An organization finds that a high number of gp2 Amazon EBS volumes are running out of space. Which solution will provide the LEAST disruption with MINIMAL effort?
Option A: Create a snapshot and restore it to a larger gp2 volume.
Option B: Create a RAID 0 with another new gp2 volume to increase capacity.
Option C: Leverage the Elastic Volumes feature of EBS to increase gp2 volume size.
Option D: Write a script to migrate data to a larger gp2 volume.
Question 76: An e-commerce company wants to lower costs on its nightly jobs that aggregate the current day's sales and store the results in Amazon S3. The jobs are currently run using multiple on-demand instances and the jobs take just under 2 hours to complete. If a job fails for any reason, it needs to be restarted from the beginning. What method is the MOST cost effective based on these requirements?
Option A: Use a mixture of On-Demand and Spot Instances for job execution.
Option B: Submit a request for a Spot block to be used for job execution.
Option C: Purchase Reserved Instances to be used for job execution.
Option D: Submit a request for a one-time Spot Instance for job execution.
Question 77: An existing data management application is running on a single Amazon EC2 instance and needs to be moved to a new AWS Region in another AWS account. How can a SysOps Administrator achieve this while maintaining the security of the application?
Option A: Create an encrypted Amazon Machine Image (AMI) of the instance and make it public to allow the other account to search and launch an instance from it.
Option B: Create an AMI of the instance, add permissions for the AMI to the other AWS account, and start a new instance in the new region by using that AMI.
Option C: Create an AMI of the instance, copy the AMI to the new region, add permissions for the AMI to the other AWS account, and start new instance.
Option D: Create an encrypted snapshot of the instance and make it public. Provide only permissions to decrypt to the other AWS account.
Question 78: A SysOps Administrator manages an application that stores object metadata in Amazon S3. There is a requirement to have S3 server-side encryption enabled on all new objects in the bucket. How can the Administrator ensure that all new objects to the bucket satisfy this requirement?
Option A: Create an S3 lifecycle rule to automatically encrypt all new objects.
Option B: Enable default bucket encryption to ensure that all new objects are encrypted.
Option C: Use put-object-acl to allow objects to be encrypted with S3 server-side encryption.
Option D: Apply the authorization header to S3 requests for S3 server-side encryption.
Question 79: A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months. What is the process to rotate the key?
Option A: Enable automatic key rotation for the CMK, and specify a period of 6 months.
Option B: Create a new CMK with new imported material, and update the key alias to point to the new CMK.
Option C: Delete the current key material, and import new material into the existing CMK.
Option D: Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
Question 80: The Security team has decided that there will be no public internet access to HTTP (TCP port 80) because it is moving to HTTPS for all incoming web traffic. The team has asked a SysOps Administrator to provide a report on any security groups that are not compliant. What should the SysOps Administrator do to provide near real-time compliance reporting?
Option A: Enable AWS Trusted Advisor and show the Security team that the Security Groups unrestricted access check will alarm.
Option B: Schedule an AWS Lambda function to run hourly to scan and evaluate all security groups, and send a report to the Security team.
Option C: Use AWS Config to enable the restricted-common-ports rule, and add port 80 to the parameters.
Option D: Use Amazon Inspector to evaluate the security groups during scans, and send the completed reports to the Security team.
Question 81: A SysOps Administrator has configured a CloudWatch agent to send custom metrics to Amazon CloudWatch and is now assembling a CloudWatch dashboard to display these metrics. What steps should the Administrator take to complete this task?
Option A: Select the AWS Namespace, filter by metric name, then add to the dashboard.
Option B: Add a text widget, select the appropriate metric from the custom namespace, then add to the dashboard.
Option C: Select the appropriate widget and metrics from the custom namespace, then add to the dashboard.
Option D: Open the CloudWatch console, from the CloudWatch Events, add all custom metrics.
Question 82: An application is running on multiple EC2 instances. As part of an initiative to improve overall infrastructure security, the EC2 instances were moved to a private subnet. However, since moving, the EC2 instances have not been able to automatically update, and a SysOps Administrator has not been able to SSH into them remotely. Which two actions could the Administrator take to securely resolve these issues? (Choose two.)
Option A: Set up a bastion host in a public subnet, and configure security groups and route tables accordingly.
Option B: Set up a bastion host in the private subnet, and configure security groups accordingly.
Option C: Configure a load balancer in a public subnet, and configure the route tables accordingly.
Option D: Set up a NAT gateway in a public subnet, and change the private subnet route tables accordingly.
Option E: Set up a NAT gateway in a private subnet, and ensure that the route tables are configured accordingly.
Question 83: A SysOps Administrator has been tasked with deploying a company's infrastructure as code. The Administrator wants to write a single template that can be reused for multiple environments in a safe, repeatable manner. What is the recommended way to use AWS CloudFormation to meet this requirement?
Option A: Use parameters to provision the resources.
Option B: Use nested stacks to provision the resources.
Option C: Use Amazon EC2 user data to provision the resources.
Option D: Use stack policies to provision the resources.
Question 84: An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application. What is the MOST scalable storage solution to fulfill the requirement?
Option A: Connect a large Amazon EBS volume to multiple instances and schedule snapshots.
Option B: Deploy Amazon EFS in the VPC and create mount targets in multiple subnets.
Option C: Launch an EC2 instance and share data using SMB/CIFS or NFS.
Option D: Deploy an AWS Storage Gateway cached volume on Amazon EC2.
Question 85: A company has a Sales department and a Marketing department. The company uses one AWS account. There is a need to determine what charges are incurred on the AWS platform by each department. There is also a need to receive notifications when a specified cost level is approached or exceeded. Which two actions must a SysOps Administrator take to achieve both requirements with the LEAST amount of administrative overhead? (Choose two.)
Option A: Use AWS Trusted Advisor to obtain a report containing the checked items in the Cost Optimization pillar.
Option B: Download the detailed billing report, upload it to a database, and match the line items with a list of known resources by department.
Option C: Create a script by using the AWS CLI to automatically apply tags to existing resources to each department. Schedule the script to run weekly.
Option D: Use AWS Organizations to create a department Organizational Unit and allow only authorized personnel in each department to create resources.
Option E: Create a Budget from the Billing and Cost Management console. Specify the budget type as Cost, assign tags for each department, define notifications, and specify any other options as required.
Question 86: A company has two AWS accounts: development and production. All applications send logs to a specific Amazon S3 bucket for each account, and the Developers are requesting access to the production account S3 buckets to view the logs. Which is the MOST efficient way to provide the Developers with access?
Option A: Create an AWS Lambda function with an IAM role attached to it that has access to both accounts' S3 buckets. Pull the logs from the production S3 bucket to the development S3 bucket.
Option B: Create IAM users for each Developer on the production account, and add the Developers to an IAM group that provides read-only access to the S3 log bucket.
Option C: Create an Amazon EC2 bastion host with an IAM role attached to it that has access to the production S3 log bucket, and then provision access for the Developers on the host.
Option D: Create a resource-based policy for the S3 bucket on the production account that grants access to the development account, and then delegate access in the development account.
Question 87: A company's application stores documents within an Amazon S3 bucket. The application is running on Amazon EC2 in a VPC. A recent change in security requirements states that traffic between the company's application and the S3 bucket must never leave the Amazon network. What AWS feature can provide this functionality?
Option A: Security groups
Option B: NAT gateways
Option C: Virtual private gateway
Option D: Gateway VPC endpoints
Question 88: A SysOps Administrator is running an auto-scaled application behind a Classic Load Balancer. Scaling out is triggered when the CPUUtilization instance metric is more than 75% across the Auto Scaling group. The Administrator noticed aggressive scaling out and, after discussing with developers, an application memory leak is suspected of causing aggressive garbage collection cycles. How can the Administrator troubleshoot the application without triggering the scaling process?
Option A: Suspend the scaling process before troubleshooting.
Option B: Delete the Auto Scaling group and recreate it when troubleshooting is complete.
Option C: Remove impacted instances from the Classic Load Balancer.
Option D: Create a scale down trigger when the CPUUtilization instance metric is at 70%.
Question 89: A company backs up data from its data center using a tape gateway on AWS Storage Gateway. The SysOps Administrator needs to reboot the virtual machine running Storage Gateway. What process will protect data integrity?
Option A: Stop Storage Gateway and reboot the virtual machine, then restart Storage Gateway.
Option B: Reboot the virtual machine, then restart Storage Gateway.
Option C: Reboot the virtual machine.
Option D: Shut down the virtual machine and stop Storage Gateway, then turn on the virtual machine.
Question 90: An organization has decided to consolidate storage and move all of its backups and archives to Amazon S3. With all of the data gathered into a hierarchy under a single directory, the organization determines there is 70 TB of data that needs to be uploaded. The organization currently has a 150-Mbps connection with 10 people working at the location. Which service would be the MOST efficient way to transfer this data to Amazon S3?
Option A: AWS Snowball
Option B: AWS Direct Connect
Option C: AWS Storage Gateway
Option D: Amazon S3 Transfer Acceleration
Question 91: A SysOps Administrator is deploying a legacy web application on AWS. The application has four Amazon EC2 instances behind a Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application code is no longer available to update. What cost-effective configuration change should the Administrator make to mitigate the risk of SQL injection attacks?
Option A: Configure Amazon GuardDuty to monitor the application for SQL injection threats.
Option B: Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks.
Option C: Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF on the Application Load Balancer.
Option D: Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe to AWS Shield Standard.
Question 92: A fleet of servers must send local logs to Amazon CloudWatch. How should the servers be configured to meet this requirement?
Option A: Configure AWS Config to forward events to CloudWatch.
Option B: Configure a Simple Network Management Protocol (SNMP) agent to forward events to CloudWatch.
Option C: Install and configure the unified CloudWatch agent.
Option D: Install and configure the Amazon Inspector agent.
Question 93: According to the shared responsibility model, for which of the following Amazon EC2 activities is AWS responsible? (Choose two.)
Option A: Patching the guest operating system
Option B: Monitoring memory utilization
Option C: Configuring network ACLs
Option D: Patching the hypervisor
Option E: Maintaining network infrastructure
Question 94: A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account's Amazon S3 bucket. Moving forward, how can the SysOps Administrator confirm that the log files have not been modified after being delivered to the S3 bucket?
Option A: Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
Option B: Enable log file integrity validation and use digest files to verify the hash value of the log file.
Option C: Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
Option D: Enable S3 server access logging to track requests made to the log bucket for security audits.
Question 95: After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon Machine Image (AMI), the SysOps Administrator is unable to connect to the instance using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of troubleshooting, the Administrator deploys a second instance from a different AMI using the same configuration and is able to connect to the instance. What should be the next logical step in troubleshooting the first instance?
Option A: Use AWS Trusted Advisor to gather operating system log files for analysis.
Option B: Use VPC Flow Logs to gather operating system log files for analysis.
Option C: Use EC2Rescue to gather operating system log files for analysis.
Option D: Use Amazon Inspector to gather operating system log files for analysis.
Question 96: A custom application must be installed on all Amazon EC2 instances. The application is small, updated frequently and can be installed automatically. How can the application be deployed on new EC2 instances?
Option A: Launch a script that downloads and installs the application using the Amazon EC2 user data.
Option B: Create a custom API using Amazon API Gateway to call an installation executable from an AWS CloudFormation Template.
Option C: Use AWS Systems Manager to inject the application into an AMI.
Option D: Configure AWS CodePipeline to deploy code changes and updates.
Question 97: A SysOps Administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. Which collection of configuration changes will increase the cache hit ratio for the distribution? (Choose two.)
Option A: Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings
Option B: Change the Viewer Protocol Policy to use HTTPS only
Option C: Configure the distribution to use presigned cookies and URLs to restrict access to the distribution
Option D: Enable automatic compression of objects in the Cache Behavior Settings
Option E: Increase the CloudFront time to live (TTL) settings in the Cache Behavior Settings
Question 98: On a weekly basis, the Administrator for a photo sharing website receives an archive of all files users have uploaded the previous week. These file archives can be as large as 10 TB in size. For legal reasons, these archives must be saved with no possibility of someone deleting or modifying these archives. Occasionally, there may be a need to view the contents, but it is expected that retrieving them can take three or more hours. What should the Administrator do with the weekly archive?
Option A: Upload the file to Amazon S3 through the AWS Management Console and apply a lifecycle policy to change the storage class to Amazon Glacier.
Option B: Upload the archive to Amazon Glacier with the AWS CLI and enable Vault Lock.
Option C: Create a Linux EC2 instance with an encrypted Amazon EBS volume and copy each weekly archive file to this instance.
Option D: Create a file gateway attached to a file share on an S3 bucket with the storage class S3 Infrequent Access. Upload the archives via the gateway.
Question 99: A SysOps Administrator is managing a Memcached cluster in Amazon ElastiCache. The cluster has been heavily used recently, and the Administrator wants to use a larger instance type with more memory. What should the Administrator use to make this change?
Option A: use the ModifyCacheCluster API and specify a new CacheNodeType
Option B: use the CreateCacheCluster API and specify a new CacheNodeType
Option C: use the ModifyCacheParameterGroup API and specify a new CacheNodeType
Option D: use the RebootCacheCluster API and specify a new CacheNodeType
Question 100: A company with dozens of AWS accounts wants to ensure that governance rules are being applied across all accounts. The CIO has recommended that AWS Config rules be deployed using an AWS CloudFormation template. How should these requirements be met?
Option A: Create a CloudFormation stack set, then select the CloudFormation template and use it to configure the AWS accounts
Option B: Write a script that iterates over the company's AWS accounts and executes the CloudFormation template in each account
Option C: Use AWS Organizations to execute the CloudFormation template in all accounts
Option D: Create a CloudFormation stack in the master account of AWS Organizations and execute the CloudFormation template to create AWS Config rules in all accounts
Question 101: A company's Information Security team has requested information on AWS environment compliance for Payment Card Industry (PCI) workloads. They have requested assistance in understanding what specific areas of the PCI standards are the responsibility of the company. Which AWS tool will provide the necessary information?
Option A: AWS Macie
Option B: AWS Artifact
Option C: AWS OpsWorks
Option D: AWS Organizations
Question 102: A company has deployed a fleet of Amazon EC2 web servers for the upcoming release of a new product. The SysOps Administrator needs to test the Amazon CloudWatch notification settings for this deployment to ensure that a notification is sent using Amazon SNS if the CPU utilization of an EC2 instance exceeds 70%. How should the Administrator accomplish this?
Option A: Use the set-alarm-state command in AWS CloudTrail to invoke the Amazon SNS notification
Option B: Use CloudWatch custom metrics to set the alarm state in AWS CloudTrail and enable Amazon SNS notifications
Option C: Use EC2 instance metadata to manually set the CPU utilization to 75% and invoke the alarm state
Option D: Use the set-alarm-state command in the AWS CLI for CloudWatch
Question 103: A SysOps Administrator has written an AWS Lambda function to launch new Amazon EC2 instances and deployed it in the us-east-1 region. The Administrator tested it by launching a new t2.nano instance in the us-east-1 region and it performed as expected. However, when the region name was updated in the Lambda function to launch an EC2 instance in the us-west-1 region, it failed. What is causing this error?
Option A: The AMI ID must be updated for the us-west-1 region in the Lambda function as well
Option B: The Lambda function can only launch EC2 instances in the same region where it is deployed
Option C: The Lambda function does not have the necessary IAM permission to launch more than one EC2 instance
Option D: The instance type defined in the Lambda function is not available in the us-west-1 region
Question 104: A SysOps Administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company's account. The Administrator must be alerted to potential issues. What should the Administrator do to receive email alerts before low storage space affects EC2 instance performance?
Option A: Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications
Option B: Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic
Option C: Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic
Option D: Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space
Question 105: A SysOps Administrator wants to prevent Developers from accidentally terminating Amazon EC2 instances. How can this be accomplished?
Option A: Use AWS Systems Manager to restrict EC2 termination
Option B: Use AWS Config to restrict EC2 termination
Option C: Apply Amazon CloudWatch Events to prevent EC2 termination
Option D: Enable termination protection on EC2 instances
Question 106: A company has attached the following policy to an IAM user. Which of the following actions are allowed for the IAM user?
Option A: Amazon RDS DescribeDBInstances action in the us-east-1 Region
Option B: Amazon S3 PutObject operation in a bucket named testbucket
Option C: Amazon EC2 DescribeInstances action in the us-east-1 Region
Option D: Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region
Question 107: A SysOps Administrator launched an Amazon EC2 instance and received a message that the service limit was exceeded for that instance type. What action should the Administrator take to ensure that EC2 instances can be launched?
Option A: Use Amazon Inspector to trigger an alert when the limits are exceeded
Option B: Use the AWS CLI to bypass the limits placed on the account
Option C: Sign in to the AWS Management Console and adjust the limit values to launch new resources
Option D: Open a case with AWS Support requesting an increase of the EC2 instance limit
Question 108: A web application runs on Amazon EC2 instances behind an Elastic Load Balancing Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps Administrator has noticed that some EC2 instances show up healthy in the Auto Scaling console but show up as unhealthy in the ALB target console. What could be the issue?
Option A: The health check grace period for the Auto Scaling group is set too low; increase it
Option B: The target group health check is incorrectly configured and needs to be adjusted
Option C: The user data or AMI used for the Auto Scaling group launch configuration is incorrect
Option D: The Auto Scaling group health check type is based on EC2 instance health instead of Elastic Load Balancing health checks
Question 109: A company is running critical applications on Amazon EC2 instances. The company needs to ensure its resources are automatically recovered if they become impaired due to an underlying hardware failure. Which service can be used to monitor and recover the EC2 instances?
Option A: Amazon EC2 Systems Manager
Option B: Amazon Inspector
Option C: AWS CloudFormation
Option D: Amazon CloudWatch
Question 110: A gaming application is deployed on four Amazon EC2 instances in a default VPC. The SysOps Administrator has noticed consistently high latency in responses as data is transferred among the four instances. There is no way for the Administrator to alter the application code. The MOST effective way to reduce latency is to relaunch the EC2 instances in:
Option A: a dedicated VPC.
Option B: a single subnet inside the VPC.
Option C: a placement group.
Option D: a single Availability Zone.
Question 111: A company has created an online retail application that is hosted on a fleet of Amazon EC2 instances behind an ELB Application Load Balancer. User authentication is handled at the individual EC2 instance level. Once a user is authenticated, all requests from that user must go to the same EC2 instance. What should the SysOps Administrator enable to meet these requirements?
Option A: ELB TCP listeners
Option B: ELB sticky sessions
Option C: ELB connection draining
Option D: ELB cross-zone load balancing
Question 112: A SysOps Administrator is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Administrator wants to be notified automatically of AWS Personal Health Dashboard events. In the main payer account, the Administrator configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger. Why did the alerts fail?
Option A: Amazon SNS cannot be triggered from the AWS Personal Health Dashboard
Option B: The AWS Personal Health Dashboard only reports events from one account, not linked accounts.
Option C: The AWS Personal Health Dashboard must be configured from the payer account only; all events will then roll up into the payer account.
Option D: AWS Organizations must be used to monitor linked accounts.
Question 113: A company is planning to expand into an additional AWS Region for disaster recovery purposes. The company uses AWS CloudFormation, and its infrastructure is well-defined as code. The company would like to reuse as much of its existing code as possible when deploying resources to additional Regions. A SysOps Administrator is reviewing how Amazon Machine Images (AMIs) are selected in AWS CloudFormation, but is having trouble making the same stack work in the new Region. Which action would make it easier to manage multiple Regions?
Option A: Name each AMI in the new Region exactly the same as the equivalent AMI in the first Region.
Option B: Duplicate the stack so unique AMI names can be coded into the appropriate stack.
Option C: Create an alias for each AMI so that an AMI can be referenced by a common name across Regions.
Option D: Create a Mappings section in the stack, and define the Region to AMI associations.
Question 114: An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department, it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership. What is the BEST method to allow access using current LDAP credentials?
Option A: Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
Option B: Create a Lambda function to read LDAP groups and automate the creation of IAM users.
Option C: Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
Option D: Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.
Question 115: An organization stores sensitive customer data in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information. Which steps should a SysOps Administrator take to meet the CISO's requirement? (Choose two.)
Option A: Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization.
Option B: Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs.
Option C: Use Amazon Athena to query S3 Analytics report for HTTP 403 errors, and determine the IAM user or role making the requests.
Option D: Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.
Option E: Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests.
Question 116: A SysOps Administrator responsible for an e-commerce web application observes the application does not launch new Amazon EC2 instances at peak times, even though the maximum capacity of the Auto Scaling group has not been reached. What should the Administrator do to identify the underlying problem? (Choose two.)
Option A: Monitor service limits in AWS Trusted Advisor.
Option B: Analyze VPC Flow Logs.
Option C: Monitor limits in AWS Systems Manager.
Option D: Use Amazon Inspector to gather performance information.
Option E: Check the response for RunInstances requests in AWS CloudTrail logs.
Question 117: A SysOps Administrator must generate a report that provides a breakdown of all API activity by a specific user over the course of a year. Given that AWS CloudTrail was enabled, how can this report be generated?
Option A: Using the AWS Management Console, search for the user name in the CloudTrail history. Then filter by API and download the report in CSV format.
Option B: Use the CloudTrail digest files stored in the company's Amazon S3 bucket. Then send the logs to Amazon QuickSight to create the report.
Option C: Locate the monthly reports that CloudTrail sends that are emailed to the account's root user. Then forward the reports to the auditor using a secure channel.
Option D: Access the CloudTrail logs stored in the Amazon S3 bucket tied to CloudTrail. Use Amazon Athena to extract the information needed to generate the report.
Question 118: A company received its latest bill with a large increase in the number of requests against Amazon SQS as compared to the month prior. The company is not aware of any changes in its SQS usage. The company is concerned about the cost increase and who or what was making these calls. What should the SysOps Administrator use to validate the calls made to SQS?
Option A: AWS CloudTrail
Option B: Amazon CloudWatch
Option C: AWS Cost Explorer
Option D: Amazon S3 server access logs
Question 119: An Amazon S3 bucket in a SysOps Administrator's account can be accessed by users in other AWS accounts. How can the Administrator ensure that the bucket is only accessible to members of the Administrator's AWS account?
Option A: Move the S3 bucket from a public subnet to a private subnet in the Amazon VPC.
Option B: Change the bucket access control list (ACL) to restrict access to the bucket owner.
Option C: Enable server-side encryption for all objects in the bucket.
Option D: Use only Amazon S3 presigned URLs for accessing objects in the bucket.
Question 120: A company hosts its website on Amazon EC2 instances behind an ELB Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain's zone apex to the website. Which type of record should be used to meet these requirements?
Option A: An AAAA record for the domain's zone apex
Option B: An A record for the domain's zone apex
Option C: A CNAME record for the domain's zone apex
Option D: An alias record for the domain's zone apex
Question 121: A company has centralized all its logs into one Amazon CloudWatch Logs log group. The SysOps Administrator is to alert different teams of any issues relevant to them. What is the MOST efficient approach to accomplish this?
Option A: Write an AWS Lambda function that will query the logs every minute and contain the logic of which team to notify on which patterns and issues.
Option B: Set up different metric filters for each team based on patterns and alerts. Each alarm will notify the appropriate notification list.
Option C: Redesign the aggregation of logs so that each team's relevant parts are sent to a separate log group, then subscribe each team to its respective log group.
Option D: Create an AWS Auto Scaling group of Amazon EC2 instances that will scale based on the amount of ingested log entries. This group will pull log streams, look for patterns, and send notifications to relevant teams.
Question 122: A company website hosts patches for software that is sold globally. The website runs in AWS and performs well until a large software patch is released. The flood of downloads puts a strain on the web servers and leads to a poor customer experience. What can the SysOps Administrator propose to enhance customer experience, create a more available web platform, and keep costs low?
Option A: Use an Amazon CloudFront distribution to cache static content, including software patches.
Option B: Increase the size of the NAT instance to improve throughput.
Option C: Scale out the web servers in advance of patch releases to reduce Auto Scaling delays.
Option D: Move the content to IO1 and provision additional IOPS to the volume that contains the software patches.
Question 123: A SysOps Administrator created an Application Load Balancer (ALB) and placed two Amazon EC2 instances in the same subnet behind the ALB. During monitoring, the Administrator observes HealthyHostCount drop to 1 in Amazon CloudWatch. What is MOST likely causing this issue?
Option A: The EC2 instances are in the same Availability Zone, causing contention between the two.
Option B: The route tables are not updated to allow traffic to flow between the ALB and the EC2 instances.
Option C: The ALB health check has failed, and the ALB has taken EC2 instances out of service.
Option D: The Amazon Route 53 health check has failed, and the ALB has taken EC2 instances out of service.
Question 124: A SysOps Administrator is managing an AWS account where Developers are authorized to launch Amazon EC2 instances to test new code. To limit costs, the Administrator must ensure that the EC2 instances in the account are terminated 24 hours after launch. How should the Administrator meet these requirements?
Option A: Create an Amazon CloudWatch alarm based on the CPUUtilization metric. When the metric is 0% for 24 hours, trigger an action to terminate the EC2 instance when the alarm is triggered.
Option B: Create an AWS Lambda function to check all EC2 instances and terminate instances running more than 24 hours. Trigger the function with an Amazon CloudWatch Events event every 15 minutes.
Option C: Add an action to AWS Trusted Advisor to turn off EC2 instances based on the Low Utilization Amazon EC2 Instances check, terminating instances identified by Trusted Advisor as running for more than 24 hours.
Option D: Install the unified Amazon CloudWatch agent on every EC2 instance. Configure the agent to terminate instances after they have been running for 24 hours.
Question 125: An AWS CodePipeline in us-east-1 returns 'InternalError' with the code 'JobFailed' when launching a deployment using an artifact from an Amazon S3 bucket in us-west-1. What is causing this error?
Option A: S3 Transfer Acceleration is not enabled.
Option B: The S3 bucket is not in the appropriate region.
Option C: The S3 bucket is being throttled.
Option D: There are insufficient permissions on the artifact in Amazon S3.
Question 126: An application running on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones was deployed using an AWS CloudFormation template. The SysOps team has patched the Amazon Machine Image (AMI) version and must update all the EC2 instances to use the new AMI. How can the SysOps Administrator use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity?
Option A: Run the aws cloudformation update-stack command with the --rollback-configuration option
Option B: Update the CloudFormation template with the new AMI ID, then reboot the EC2 instances
Option C: Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack
Option D: Set an AutoScalingUpdate policy in the CloudFormation template to update the stack.
Question 127: A SysOps Administrator is responsible for a legacy, CPU-heavy application. The application can only be scaled vertically. Currently, the application is deployed on a single t2.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency after a few minutes. What change should be made to alleviate the performance problem?
Option A: Change the Amazon EBS volume to Provisioned IOPs.
Option B: Upgrade to a compute-optimized instance.
Option C: Add additional t2.large instances to the application.
Option D: Purchase Reserved Instances.
Question 128: A company recently implemented an Amazon S3 lifecycle rule that accidentally deleted objects from one of its S3 buckets. The bucket has S3 versioning enabled. Which actions will restore the objects? (Choose two.)
Option A: Use the AWS Management Console to delete the object delete markers.
Option B: Create a new lifecycle rule to delete the object delete markers that were created.
Option C: Use the AWS CLI to delete the object delete markers while specifying the version IDs of the delete markers.
Option D: Modify the existing lifecycle rule to delete the object delete markers that were created.
Option E: Use the AWS CLI to delete the object delete markers while specifying the name of the objects only.
Question 129: A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps Administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources. Which solution will meet these requirements?
Option A: Set up an AWS Config rule to alert based on changes to any CloudFormation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
Option B: Set up an Amazon CloudWatch Events event with a rule to trigger based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
Option C: Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*.
Option D: Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource names (ARNs) of the protected resources.
Question 130: A SysOps Administrator is analyzing how Reserved Instance discounts are allocated to Amazon EC2 instances across accounts in the company's consolidated bill. Which AWS tool will provide the details necessary to understand the billing charges?
Option A: AWS Budgets
Option B: AWS Cost and Usage report
Option C: AWS Trusted Advisor
Option D: AWS Organizations
Question 131: What should a SysOps Administrator do to ensure a company has visibility into maintenance events performed by AWS?
Option A: Run a script that queries AWS Systems Manager for upcoming maintenance events, and then push these events to an Amazon SNS topic to which the Operations team is subscribed.
Option B: Query the AWS Health API for upcoming maintenance events and integrate the results with the company's existing operations dashboard.
Option C: Integrate the AWS Service Health Dashboard's RSS feed into the company's existing operations dashboard.
Option D: Use Amazon Inspector to send notifications of upcoming maintenance events to the Operations team distribution list.
Question 132: A SysOps Administrator manages a website running on Amazon EC2 instances behind an ELB Application Load Balancer. Users visiting the load balancer's DNS address in a browser are reporting errors. The administrator has confirmed: The security groups and network ACLs are correctly configured. The load balancer target group shows no healthy instances. What should the Administrator do to resolve this issue?
Option A: Review the application's logs for requests originating from the VPC DNS address.
Option B: Review the load balancer access logs, looking for any issues or errors.
Option C: Review the load balancer target group health check configuration.
Option D: Review the load balancer listener configuration.
Question 133: A company is running multiple AWS Lambda functions in a non-VPC environment. Most of the functions are application-specific; an operational function is invoked synchronously every hour. Recently, the Applications team deployed new functions that are triggered based on an Amazon S3 event to process multiple files that are uploaded to an S3 bucket simultaneously. The SysOps Administrator notices that the operational function occasionally fails to execute due to throttling. What step should the Administrator take to make sure that the operational function executes?
Option A: Redeploy the operational function to a VPC.
Option B: Increase the operational function timeout.
Option C: Set the operational function concurrency to 1.
Option D: Increase the operational function memory.
Question 134: A SysOps Administrator must ensure all Amazon EBS volumes currently in use, and those created in the future, are encrypted with a specific AWS KMS customer master key (CMK). What is the MOST efficient way for the Administrator to meet this requirement?
Option A: Create an AWS Lambda function to run on a daily schedule, and have the function run the aws ec2 describe-volumes --filters encrypted command.
Option B: Within AWS Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
Option C: Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
Option D: Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe-key command.
Question 135: A company has an application running on a fleet of Microsoft Windows instances. Patches to the operating system need to be applied each month. AWS Systems Manager Patch Manager is used to apply the patches on a schedule. When the fleet is being patched, customers complain about delayed service responses. What can be done to ensure patches are deployed with MINIMAL customer impact?
Option A: Change the number of instances patched at any one time to 100%.
Option B: Create a snapshot of each server in the fleet using a Systems Manager Automation document before starting the patch process.
Option C: Configure the maintenance window to patch 10% of the instances in the patch group at a time.
Option D: Create a patched Amazon Machine Image (AMI). Configure the maintenance window option to deploy the patched AMI on only 10% of the fleet at a time.
Question 136: A local agency plans to deploy 500 Raspberry Pi devices throughout a city. All the devices need to be managed centrally, and their configurations need to be consistent. What is the BEST service for managing these devices?
Option A: AWS Config
Option B: AWS Systems Manager
Option C: Amazon Inspector
Option D: AWS Service Catalog
Question 137: A SysOps Administrator needs an Amazon EBS volume type for a big data application. The application data is accessed infrequently and stored sequentially. What EBS volume type will be the MOST cost-effective solution?
Option A: Provisioned IOPS SSD (io1)
Option B: Cold HDD (sc1)
Option C: Throughput Optimized HDD (st1)
Option D: General Purpose SSD (gp2)
Question 138: A SysOps Administrator created an AWS Service Catalog portfolio and shared the portfolio with a second AWS account in the company. The second account is controlled by a different Administrator. Which action will the Administrator of the second account be able to perform?
Option A: Add a product from the imported portfolio to a local portfolio.
Option B: Add new products to the imported portfolio.
Option C: Change the launch role for the products contained in the imported portfolio.
Option D: Remove products from the imported portfolio.
Question 139: A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket. Which practices will ensure that the log files are available and unaltered? (Choose two.)
Option A: Enable the CloudTrail log file integrity check in AWS Config Rules.
Option B: Use CloudWatch Events to scan log files hourly.
Option C: Enable CloudTrail log file integrity validation.
Option D: Turn on Amazon S3 MFA Delete for the CloudTrail bucket.
Option E: Implement a DENY ALL bucket policy on the CloudTrail bucket.
Question 140: A company runs a web application that users access using the domain name www.example.com. The company manages the domain name using Amazon Route 53. The company created an Amazon CloudFront distribution in front of the application and would like www.example.com to access the application through CloudFront. What is the MOST cost-effective way to achieve this?
Option A: Create a CNAME record in Amazon Route 53 that points to the CloudFront distribution URL.
Option B: Create an ALIAS record in Amazon Route 53 that points to the CloudFront distribution URL.
Option C: Create an A record in Amazon Route 53 that points to the public IP address of the web application.
Option D: Create a PTR record in Amazon Route 53 that points to the public IP address of the web application.
Question 141: A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?
Option A: Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
Option B: Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
Option C: Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
Option D: Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
Question 142: A company uses multiple accounts for its applications. Account A manages the company's Amazon Route 53 domains and hosted zones. Account B uses a load balancer fronting the company's web servers. How can the company use Route 53 to point to the load balancer in the MOST cost-effective and efficient manner?
Option A: Create an Amazon EC2 proxy in Account A that forwards requests to Account B.
Option B: Create a load balancer in Account A that points to the load balancer in Account B.
Option C: Create a CNAME record in Account A pointing to an alias record to the load balancer in Account B.
Option D: Create an alias record in Account A pointing to the load balancer in Account B.
Question 143: A SysOps Administrator implemented the following bucket policy to allow only the corporate IP address range of 54.240.143.0/24 to access objects in an Amazon S3 bucket. Some employees are reporting that they are able to access the S3 bucket from IP addresses outside the corporate IP address range. How can the Administrator address this issue?
Option A: Modify the Condition operator to include both NotIpAddress and IpAddress to prevent unauthorized access to the S3 bucket.
Option B: Modify the Condition element from the IAM policy to aws:StringEquals instead of aws:SourceIp.
Option C: Modify the IAM policy instead of the bucket policy to restrict users from accessing the bucket based on their source IP addresses.
Option D: Change Effect from Allow to Deny in the second statement of the policy to deny requests not from the source IP range.
Question 144: A SysOps Administrator is notified that a security vulnerability affects a version of MySQL that is being used with Amazon RDS MySQL. Who is responsible for ensuring that the patch is applied to the MySQL cluster?
Option A: The database vendor
Option B: The Security department of the SysOps Administrator's company
Option C: AWS
Option D: The SysOps Administrator
Question 145: A company's web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run in an EC2 Auto Scaling group across multiple Availability Zones. Data is stored in an Amazon ElastiCache for Redis cluster and an Amazon RDS DB instance. Company policy requires all system patching to take place at midnight on Tuesday. Which resources will need to have a maintenance window configured for midnight on Tuesday? (Choose two.)
Option A: Elastic Load Balancer
Option B: EC2 instances
Option C: RDS instance
Option D: ElastiCache cluster
Option E: Auto Scaling group
Question 146: A SysOps Administrator is deploying a website with dynamic content. Company policy requires that users from certain countries or regions cannot access the web content and should receive an error page. Which of the following can be used to implement this policy? (Choose two.)
Option A: Amazon CloudFront geo-restriction
Option B: Amazon GuardDuty geo-blocking
Option C: Amazon Route 53 geolocation routing
Option D: AWS Shield geo-restriction
Option E: Network access control list (NACL) restriction
Question 147: A company stores thousands of non-critical log files in an Amazon S3 bucket. A set of reporting scripts retrieves these log files daily. Which of the following storage options will be the MOST cost-efficient for the company's use case?
Option A: Amazon Glacier
Option B: Amazon S3 Standard IA (infrequent access) storage
Option C: Amazon S3 Standard Storage
Option D: AWS Snowball
Question 148: A SysOps Administrator receives a connection timeout error when attempting to connect to an Amazon EC2 instance from a home network using SSH. The Administrator was able to connect to this EC2 instance from their office network in the past. What caused the connection to time out?
Option A: The IAM role associated with the EC2 instance does not allow SSH connections from the home network.
Option B: The public key used by SSH located on the Administrator's server does not have the required permissions.
Option C: The route table contains a route that sends 0.0.0.0/0 to the internet gateway for the VPC.
Option D: The security group is not allowing inbound traffic from the home network on the SSH port.
Question 149: A company is deploying a web service to Amazon EC2 instances behind an Elastic Load Balancer. All resources will be defined and created in a single AWS CloudFormation stack using a template. The creation of each EC2 instance will not be considered complete until an initialization script has been run successfully on the EC2 instance. The Elastic Load Balancer cannot be created until all EC2 instances have been created. Which CloudFormation resource will coordinate the Elastic Load Balancer creation in the CloudFormation stack template?
Option A: CustomResource
Option B: DependsOn
Option C: Init
Option D: WaitCondition
Question 150: A company is concerned about a security vulnerability impacting its Linux operating system. What should the SysOps Administrator do to alleviate this concern?
Option A: Patch the vulnerability with Amazon Inspector.
Option B: Provide an AWS Trusted Advisor report showing which Amazon EC2 instances have been patched.
Option C: Redeploy the Amazon EC2 instances using AWS CloudFormation.
Option D: Patch the Linux operating system using AWS Systems Manager.
Question 151: A SysOps Administrator is configuring AWS SSO for the first time. The Administrator has already created a directory in the master account using AWS Directory Service and enabled full access in AWS Organizations. What should the Administrator do next to configure the service?
Option A: Create IAM roles in each account to be used by AWS SSO, and associate users with these roles using AWS SSO.
Option B: Create IAM users in the master account, and use AWS SSO to associate the users with the accounts they will access.
Option C: Create permission sets in AWS SSO, and associate the permission sets with Directory Service users or groups.
Option D: Create service control policies (SCPs) in Organizations, and associate the SCPs with Directory Service users or groups.
Question 152: A web application runs on Amazon EC2 instances and accesses external services. The external services require authentication credentials. The application is deployed using AWS CloudFormation to three separate environments: development, test, and production. Each environment requires unique credentials for external services. What option securely provides the application with the needed credentials while requiring MINIMAL administrative overhead?
Option A: Pass the credentials for the target environment to the CloudFormation template as parameters. Use the user data script to insert the parameterized credentials into the EC2 instances.
Option B: Store the credentials as secure strings in AWS Systems Manager Parameter Store. Pass an environment tag as a parameter to the CloudFormation template. Use the user data script to insert the environment tag in the EC2 instances. Access the credentials from the application.
Option C: Create a separate CloudFormation template for each environment. In the Resources section, include a user data script for each EC2 instance. Use the user data script to insert the proper credentials for the environment into the EC2 instances.
Option D: Create separate Amazon Machine Images (AMIs) with the required credentials for each environment. Pass the environment tag as a parameter to the CloudFormation template. In the Mappings section of the CloudFormation template, map the environment tag to the proper AMI, then use that AMI when launching the EC2 instances.
Question 153: A SysOps Administrator created an AWS CloudFormation template for the first time. The stack failed with a status of ROLLBACK_COMPLETE. The Administrator identified and resolved the template issue causing the failure. How should the Administrator continue with the stack deployment?
Option A: Delete the failed stack and create a new stack.
Option B: Execute a change set on the failed stack.
Option C: Perform an update-stack action on the failed stack.
Option D: Run a validate-template command.
Question 154: A SysOps Administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units within the same company. All data must be encrypted at rest. How should the Administrator implement this process?
Option A: Write a script to download the encrypted snapshot, decrypt it using the AWS KMS encryption key used to encrypt the snapshot, then create a new volume in each account.
Option B: Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts.
Option C: Create an Amazon EC2 instance based on the snapshot, then save the instance's Amazon EBS volume as a snapshot and share it with the other accounts. Require each account owner to create a new volume from that snapshot and encrypt it.
Option D: Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RDP, export the database contents into a file, then share this file with the other accounts.
Question 155: A SysOps Administrator has been notified that some Amazon EC2 instances in the company's environment might have a vulnerable software version installed. What should be done to check all of the instances in the environment with the LEAST operational overhead?
Option A: Create and run an Amazon Inspector assessment template.
Option B: Manually SSH into each instance and check the software version.
Option C: Use AWS CloudTrail to verify Amazon EC2 activity in the account.
Option D: Write a custom script and use AWS CodeDeploy to deploy to Amazon EC2 instances.
Question 156: Development teams are maintaining several workloads on AWS. Company management is concerned about rising costs and wants the SysOps Administrator to configure alerts so teams are notified when spending approaches preset limits. Which AWS service will satisfy these requirements?
Option A: AWS Budgets
Option B: AWS Cost Explorer
Option C: AWS Trusted Advisor
Option D: AWS Cost and Usage report
Question 157: A SysOps Administrator is tasked with deploying and managing a single CloudFormation template across multiple AWS accounts. What feature of AWS CloudFormation will accomplish this?
Option A: Change sets
Option B: Nested stacks
Option C: Stack policies
Option D: StackSets
Question 158: A company runs an application that uses Amazon RDS for MySQL. During load testing of equivalent production volumes, the Development team noticed a significant increase in query latency. A SysOps Administrator concludes from investigating Amazon CloudWatch Logs that the CPU utilization on the RDS MySQL instance was at 100%. Which action will resolve this issue?
Option A: Configure AWS Database Migration Service (AWS DMS) to allow Amazon RDS for MySQL to scale and accept more requests.
Option B: Configure RDS for MySQL to scale horizontally by adding additional nodes to offload write requests.
Option C: Enable the Multi-AZ feature for the RDS instance.
Option D: Modify the RDS MySQL instance so it is a larger instance type.
Question 159: A SysOps Administrator is using AWS KMS with AWS-generated key material to encrypt an Amazon EBS volume in a company's AWS environment. The Administrator wants to rotate the KMS keys using automatic key rotation, and needs to ensure that the EBS volume encrypted with the current key remains readable. What should be done to accomplish this?
Option A: Back up the current KMS key and enable automatic key rotation.
Option B: Create a new key in AWS KMS and assign the key to Amazon EBS.
Option C: Enable automatic key rotation of the EBS volume key in AWS KMS.
Option D: Upload new key material to the EBS volume key in AWS KMS to enable automatic key rotation for the volume.
Question 160: A SysOps Administrator deployed an AWS Elastic Beanstalk worker node environment that reads messages from an auto-generated Amazon Simple Queue Service (Amazon SQS) queue and deletes them from the queue after processing. Amazon EC2 Auto Scaling scales in and scales out the number of worker nodes based on CPU utilization. After some time, the Administrator notices that the number of messages in the SQS queue is increasing significantly. Which action will remediate this issue?
Option A: Change the scaling policy to scale based upon the number of messages in the queue.
Option B: Decouple the queue from the Elastic Beanstalk worker node and create it as a separate resource.
Option C: Increase the number of messages in the queue.
Option D: Increase the retention period of the queue.
Question 161: A Security team is concerned about the potential of intellectual property leaking to the internet. A SysOps Administrator is tasked with identifying controls to address the potential problem. The servers in question reside in a VPC and cannot be allowed to send traffic to the internet. How can these requirements be met?
Option A: Edit the route for the subnet with the following entry: Destination 0.0.0.0/0 target: igw-xxxxxxxx
Option B: Ensure that the servers do not have Elastic IP addresses.
Option C: Enable Enhanced Networking on the instances to control traffic flows.
Option D: Put the servers in a private subnet.
Question 162: A company is setting up a VPC peering connection between its VPC and a customer's VPC. The company VPC is an IPv4 CIDR block of 172.16.0.0/16, and the customer's is an IPv4 CIDR block of 10.0.0.0/16. The SysOps Administrator wants to be able to ping the customer's database private IP address from one of the company's Amazon EC2 instances. What action should be taken to meet the requirements?
Option A: Ensure that both accounts are linked and are part of consolidated billing to create a file sharing network, and then enable VPC peering.
Option B: Ensure that both VPC owners manually add a route to the VPC route tables that points to the IP address range of the other VPC.
Option C: Instruct the customer to set up a VPC with the same IPv4 CIDR block as that of the source VPC: 172.16.0.0/16.
Option D: Instruct the customer to create a virtual private gateway to link the two VPCs.
Question 163: A company is concerned about its ability to recover from a disaster because all of its Amazon EC2 instances are located in a single Amazon VPC in us-east-1. A second Amazon VPC has been configured in eu-west-1 to act as a backup VPC in case of an outage. Data will be replicated from the primary region to the secondary region. The Information Security team's compliance requirements specify that all data must be encrypted and must not traverse the public internet. How should the SysOps Administrator connect the two VPCs while meeting the compliance requirements?
Option A: Configure EC2 instances to act as VPN appliances, then configure route tables.
Option B: Configure inter-region VPC peering between the two VPCs, then configure route tables.
Option C: Configure NAT gateways in both VPCs, then configure route tables.
Option D: Configure an internet gateway in each VPC, and use these as the targets for the VPC route tables.
Question 164: Two companies will be working on several development projects together. Each company has an AWS account with a single VPC in us-east-1. The two companies would like to access one another's development servers. The IPv4 CIDR blocks in the two VPCs do not overlap. What can the SysOps Administrators for each company do to set up network routing?
Option A: Each Administrator should create a custom routing table that points to the other company's internet gateway public IP address.
Option B: Both Administrators should set up a NAT gateway in a public subnet in their respective VPCs. Then, using the public IP address from the NAT gateway, the Administrators should enable routing between the two VPCs.
Option C: Both Administrators should install a 1 Gbps AWS Direct Connect circuit in their respective environments. Then, using the AWS Management Console, the Administrators should create an AWS Direct Connect routing request to enable connectivity.
Option D: One Administrator should create a VPC peering request and send it to the other Administrator's account. Once the other Administrator accepts the request, update the routing tables to enable traffic.