Summer Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Free and Premium Amazon Web Services SOA-C02 Dumps Questions Answers

Page: 1 / 20
Total 528 questions

AWS Certified SysOps Administrator - Associate (SOA-C02) Questions and Answers

Question 1

A webpage is stored in an Amazon S3 bucket behind an Application Load Balancer (ALB). Configure the SS bucket to serve a static error page in the event of a failure at the primary site.

1. Use the us-east-2 Region for all resources.

2. Unless specified below, use the default configuration settings.

3. There is an existing hosted zone named lab-

751906329398-26023898.com that contains an A record with a simple routing policy that routes traffic to an existing ALB.

4. Configure the existing S3 bucket named lab-751906329398-26023898.com as a static hosted website using the object named index.html as the index document

5. For the index-html object, configure the S3 ACL to allow for public read access. Ensure public access to the S3 bucketjs allowed.

6. In Amazon Route 53, change the A record for domain lab-751906329398-26023898.com to a primary record for a failover routing policy. Configure the record so that it evaluates the health of the ALB to determine failover.

7. Create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing 53 bucket.

Options:

Buy Now
Question 2

You need to update an existing AWS CloudFormation stack. If needed, a copy to the CloudFormation template is available in an Amazon SB bucket named cloudformation-bucket

1. Use the us-east-2 Region for all resources.

2. Unless specified below, use the default configuration settings.

3. update the Amazon EQ instance named Devinstance by making the following changes to the stack named 1700182:

a) Change the EC2 instance type to us-east-t2.nano.

b) Allow SSH to connect to the EC2 instance from the IP address range

192.168.100.0/30.

c) Replace the instance profile IAM role with IamRoleB.

4. Deploy the changes by updating the stack using the CFServiceR01e role.

5. Edit the stack options to prevent accidental deletion.

6. Using the output from the stack, enter the value of the Prodlnstanceld in the text box below:

Options:

Question 3

If your AWS Management Console browser does not show that you are logged in to an AWS account, close the browser and relaunch the

console by using the AWS Management Console shortcut from the VM desktop.

If the copy-paste functionality is not working in your environment, refer to the instructions file on the VM desktop and use Ctrl+C, Ctrl+V or Command-C , Command-V.

Configure Amazon EventBridge to meet the following requirements.

1. use the us-east-2 Region for all resources,

2. Unless specified below, use the default configuration settings.

3. Use your own resource naming unless a resource

name is specified below.

4. Ensure all Amazon EC2 events in the default event

bus are replayable for the past 90 days.

5. Create a rule named RunFunction to send the exact message every 1 5 minutes to an existing AWS Lambda function named LogEventFunction.

6. Create a rule named SpotWarning to send a notification to a new standard Amazon SNS topic named TopicEvents whenever an Amazon EC2

Spot Instance is interrupted. Do NOT create any topic subscriptions. The notification must match the following structure:

Input Path:

{“instance” : “$.detail.instance-id”}

Input template:

“ The EC2 Spot Instance has been on account.

Options:

Question 4

A SysOps administrator must ensure that all of a company's current and future Amazon S3 buckets have logging enabled If an S3 bucket does not have logging enabled an automated process must enable logging for the S3 bucket.

Which solution will meet these requirements?

Options:

A.

Use AWS Trusted Advisor 10 perform a check for S3 buckets that do not have logging enabled Configure the check to enable logging for S3 buckets that do not have logging enabled.

B.

Configure an S3 bucket policy that requires all current and future S3 buckets to have logging enabled

C.

Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses an AWS Lambda function to enable logging.

D.

Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses the AWS-ConfigureS3BucketLoggmg AWS Systems Manager Automation runbook to enable logging.

Question 5

A company has applications that process transaction requests multiple times each minute. The applications write transaction data to a single Amazon RDS DB instance. As the company begins to process more transactions, the company becomes concerned that it has no failover solution in place for disaster recovery (DR). The company needs the DB instance to fail over automatically without losing any committed transactions.

Which solution will meet these requirements?

Options:

A.

Create an RDS read replica in the same AWS Region. Configure an AWS Lambda function to promote the replica as the primary DB instance during a DR scenario.

B.

Create an RDS read replica in a different AWS Region. Configure an AWS Lambda function to promote the replica as the primary DB instance during a DR scenario.

C.

Modify the DB instance to be a Multi-AZ deployment.

D.

Setup an Amazon CloudWatch alarm that monitors the DB instance memory utilization with a threshold greater than 90%. Invoke an AWS Lambda function to restart the DB instance.

Question 6

A large multinational company has a core application that runs 24 hours a day, 7 days a week on Amazon EC2 and AWS Lambda. The company uses a combination of operating systems across different AWS Regions. The company wants to achieve cost savings and wants to use a pricing model that provides the most flexibility.

What should the company do to MAXIMIZE cost savings while meeting these requirements?

Options:

A.

Establish the compute expense by the hour. Purchase a Compute Savings Plan.

B.

Establish the compute expense by the hour. Purchase an EC2 Instance Savings Plan.

C.

Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy.

D.

Use EC2 Spot Instances to match the instances that run in each Region.

Question 7

A company currently runs its infrastructure within a VPC in a single Availability Zone The VPC is connected to the company's on-premises data center through an AWS Site-to-SIte VPN connection attached to a virtual pnvate gateway. The on-premises route tables route all VPC networks to the VPN connection Communication between the two environments is working correctly. A SysOps administrator created new VPC subnets within a new Availability Zone, and deployed new resources within the subnets. However, communication cannot be established between the new resources and the on-premises environment.

Which steps should the SysOps administrator take to resolve the issue?

Options:

A.

Add a route to the route tables of the new subnets that send on-premises traffic to the virtual private gateway.

B.

Create a ticket with AWS Support to request adding Availability Zones to the Site-to-Site VPN route configuration.

C.

Establish a new Site-to-Site VPN connection between a virtual private gateway attached to the new Availability Zone and the on-premises data center

D.

Replace the Site-to-Site VPN connection with an AWS Direct Connect connection.

Question 8

The SysOps administrator needs to resolve high disk I/O issues during the bootstrap process of Nitro-based EC2 instances in an Auto Scaling group with gp3 EBS volumes.

Options (Select TWO):

Options:

A.

Increase the EC2 instance size.

B.

Increase the EBS volume capacity.

C.

Increase the EBS volume IOPS.

D.

Increase the EBS volume throughput.

E.

Change the instance type to an instance that is not Nitro-based.

Question 9

A company stores files on 50 Amazon S3 buckets in the same AWS Region The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances The company needs a solution that produces no additional cost

Which solution will meet these requirements?

Options:

A.

Create a gateway VPC endpoint lor each S3 bucket Attach the gateway VPC endpoints to each subnet inside the VPC

B.

Create an interface VPC endpoint (or each S3 bucket Attach the interface VPC endpoints to each subnet inside the VPC

C.

Create one gateway VPC endpoint for all the S3 buckets Add the gateway VPC endpoint to the VPC route table

D.

Create one interface VPC endpoint for all the S3 buckets Add the interface VPC endpoint to the VPC route table

Question 10

A SysOps administrator needs to configure a solution that will deliver digital content to a set of authorized users through Amazon CloudFront. Unauthorized users must be restricted from access.

Which solution will meet these requirements?

Options:

A.

Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed URLs to access the S3 bucket through CloudFront.

B.

Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.

C.

Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Enable field-level encryption.

D.

Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed cookies for restricted delivery of the content through CloudFront.

Question 11

A company runs its web application on multiple Amazon EC2 instances that are part of an Auto Scaling group. The company wants the Auto Scaling group to scale out as soon as CPU utilization rises above 50% for the instances.

How should a SysOps administrator configure the Auto Scaling group to meet these requirements?

Options:

A.

Configure the Auto Scaling group to scale based on events.

B.

Configure the Auto Scaling group to scale based on a schedule.

C.

Configure the Auto Scaling group to scale dynamically based on demand.

D.

Configure the Auto Scaling group to use predictive scaling.

Question 12

A company has an organization in AWS Organizations. The company uses shared VPCs to provide networking resources across accounts A SysOps administrator has been able to successfully launch and manage Amazon EC2 instances in a participant account However the SysOps administrator is now receiving an InstanceLimitExceeded error when the SysOps administrator tries to launch a new EC2 instance

What should the SysOps administrator do to resolve this error')

Options:

A.

Request an instance quota increase from the account that owns the VPC

B.

Launch additional EC2 instances in a different AWS Region

C.

Request an instance quota increase from the parte pant account

D.

Launch additional EC2 instances by using a different Amazon Machine image (AMI)

Question 13

A SysOps administrator has enabled AWS CloudTrail in an AWS account If CloudTrail is disabled it must be re-enabled immediately What should the SysOps administrator do to meet these requirements WITHOUT writing custom code''

Options:

A.

Add the AWS account to AWS Organizations Enable CloudTrail in the management account

B.

Create an AWS Config rule that is invoked when CloudTrail configuration changes Apply the AWS-ConfigureCloudTrailLogging automatic remediation action

C.

Create an AWS Config rule that is invoked when CloudTrail configuration changes Configure the rule to invoke an AWS Lambda function to enable CloudTrail

D.

Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail

Question 14

A company’s AWS Lambda function is experiencing performance issues. The Lambda function performs many CPU-intensive operations. The Lambda function is not running fast enough and is creating bottlenecks in the system.

What should a SysOps administrator do to resolve this issue?

Options:

A.

In the CPU launch options for the Lambda function, activate hyperthreading.

B.

Turn off the AWS managed encryption.

C.

Increase the amount of memory for the Lambda function.

D.

Load the required code into a custom layer.

Question 15

A company is uploading important files as objects to Amazon S3 The company needs to be informed if an object is corrupted during the upload

What should a SysOps administrator do to meet this requirement?

Options:

A.

Pass the Content-Disposition value as a request body during the object upload.

B.

Pass the Content-MD5 value as a request header during the object upload.

C.

Pass x-amz-objecWock-mode as a request header during the object upload

D.

Pass x-amz-server-side-encryption-customer-algorithm as a request body during the object upload.

Question 16

A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin.

The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution.

What should a SysOps administrator do to resolve this problem?

Options:

A.

Examine the expiration date on the certificate on the origin site. Validate that the certificate has not expired. Replace the certificate if necessary.

B.

Examine the hostname on the certificate on the origin site. Validate that the hostname matches one of the hostnames on the CloudFront distribution. Replace the certificate if necessary.

C.

Examine the firewall rules that are associated with the origin server. Validate that port 443 is open for inbound traffic from the internet. Create an inbound rule if necessary.

D.

Examine the network ACL rules that are associated with the CloudFront distribution. Validate that port 443 is open for outbound traffic to the origin server. Create an outbound rule if necessary.

Question 17

A SysOps administrator developed a Python script that uses the AWS SDK to conduct several maintenance tasks. The script needs to run automatically every night.

What is the MOST operationally efficient solution that meets this requirement?

Options:

A.

Convert the Python script to an AWS Lambda (unction. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the function every night.

B.

Convert the Python script to an AWS Lambda function. Use AWS CloudTrail to invoke the function every night.

C.

Deploy the Python script to an Amazon EC2 Instance. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the instance to start and stop every night.

D.

Deploy the Python script to an Amazon EC2 instance. Use AWS Systems Manager to schedule the instance to start and stop every night.

Question 18

A SysOps administrator is responsible for a company's security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change.

Which solution will meet these requirements?

Options:

A.

Set up Amazon Detective to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Queue Service (Amazon SOS) queue for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SQS queue.

B.

Set up AWS Systems Manager Change Manager to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

C.

Set up AWS Config to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

D.

Set up Amazon Detective to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

Question 19

A SysOps administrator must configure Amazon S3 to host a simple nonproduction webpage. The SysOps administrator has created an empty S3 bucket from the

AWS Management Console. The S3 bucket has the default configuration in place.

Which combination of actions should the SysOps administrator take to complete this process? (Choose two.)

Options:

A.

Configure the S3 bucket by using the "Redirect requests for an object" functionality to point to the bucket root URL.

B.

Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that contains WEBSITE.

C.

Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that allows access to the AuthenticatedUsers grantee.

D.

Turn off the "Block all public access" setting. Set a bucket policy that allows "Principal": the s3:GetObject action.

E.

Create an index.html document. Configure static website hosting, and upload the index document to the S3 bucket.

Question 20

A SysOps administrator recently configured Amazon S3 Cross-Region Replication on an S3 bucket

Which of the following does this feature replicate to the destination S3 bucket by default?

Options:

A.

Objects in the source S3 bucket for which the bucket owner does not have permissions

B.

Objects that are stored in S3 Glacier

C.

Objects that existed before replication was configured

D.

Object metadata

Question 21

A SysOps administrator needs to create alerts that are based on the read and write metrics of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to an Amazon EC2 instance. The SysOps administrator creates and enables Amazon CloudWatch alarms for the DiskReadBytes metric and the DiskWriteBytes metric.

A custom monitoring tool that is installed on the EC2 instance with the same alarm configuration indicates that the volume metrics have exceeded the threshold. However, the CloudWatch alarms were not in ALARM state.

Which action will ensure that the CloudWatch alarms function correctly?

Options:

A.

Install and configure the CloudWatch agent on the EC2 instance to capture the desired metrics.

B.

Install and configure AWS Systems Manager Agent on the EC2 instance to capture the desired metrics.

C.

Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EBS volumes.

D.

Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EC2 instance.

Question 22

A SysOps administrator is designing a solution for an Amazon RDS for PostgreSQL DB instance. Database credentials must be stored and rotated monthly. The applications that connect to the DB instance send write-intensive traffic with variable client connections that sometimes increase significantly in a short period of time.

Which solution should a SysOps administrator choose to meet these requirements?

Options:

A.

Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS Proxy to handle the increases in database connections.

B.

Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS read replicas to handle the increases in database connections.

C.

Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS Proxy to handle the increases in database connections.

D.

Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS read replicas to handle the increases in database connections.

Question 23

A company uses AWS Organizations to manage its multi-account environment. The organization contains a dedicated account for security and a dedicated account for logging. A SysOps administrator needs to implement a centralized solution that provides alerts when a resource metric in any account crosses a standard defined threshold.

Which solution will meet these requirements?

Options:

A.

Deploy an AWS CloudFormation stack set to the accounts in the organization. Use a template that creates the required Amazon CloudWatch alarms and references an Amazon Simple Notification Service (Amazon SNS) topic in the logging account with publish permissions for all the accounts.

B.

Deploy an AWS CloudFormation stack in each account. Use the stack to deploy the required Amazon CloudWalch alarms and the required Amazon Simple Notification Service (Amazon SNS) topic.

C.

Deploy an AWS Lambda function on a cron job in each account. Configure the Lambda function to read resources that are in the account and to invoke an Amazon Simple Notification Service (Amazon SNS) topic if any metrics cross the defined threshold.

D.

Deploy an AWS CloudFormation change set to the organization. Use a template to create the required Amazon CloudWatch alarms and to send alerts to a verified Amazon Simple Email Service (Amazon SES) identity.

Question 24

A company's security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager.

Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an 1AM group that has Session Manager permission for all instances.

What should a SysOps administrator do to resolve this issue?

Options:

A.

Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.

B.

Assign the AmazonSSMManagedlnstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.

C.

Configure the SSM Agent to log in with a user name of "ubuntu".

D.

Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

Question 25

A company requires the rotation of administrative credentials for production workloads on a regular basis. A SysOps administrator must implement this policy for an Amazon RDS DB instance's master user password.

Which solution will meet this requirement with the LEAST operational effort?

Options:

A.

Create an AWS Lambda function to change the RDS master user password. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.

B.

Create a new SecureString parameter in AWS Systems Manager Parameter Store. Encrypt the parameter with an AWS Key Management Service (AWS KMS) key. Configure automatic rotation.

C.

Create a new String parameter in AWS Systems Manager Parameter Store. Configure automatic rotation.

D.

Create a new RDS database secret in AWS Secrets Manager. Apply the secret to the RDS DB instance. Configure automatic rotation.

Question 26

A SysOps administrator manages a company's Amazon S3 buckets. The SysOps administrator has identified 5 GB of incomplete multipart uploads in an S3 bucket in the company's AWS account. The SysOps administrator needs to reduce the number of incomplete multipart upload objects in the S3 bucket.

Which solution will meet this requirement?

Options:

A.

Create an S3 Lifecycle rule on the S3 bucket to delete expired markers or incomplete multipart uploads

B.

Require users that perform uploads of files into Amazon S3 to use the S3 TransferUtility.

C.

Enable S3 Versioning on the S3 bucket that contains the incomplete multipart uploads.

D.

Create an S3 Object Lambda Access Point to delete incomplete multipart uploads.

Question 27

A company migrates a write-once, read-many (WORM) drive to an Amazon S3 bucket that has S3 Object Lock configured in governance mode. During the migration, the company copies unneeded data to the S3 bucket.

A SysOps administrator attempts to delete the unneeded data from the S3 bucket by using the AWS CLI. However, the SysOps administrator receives an error.

Which combination of steps should the SysOps administrator take to successfully delete the unneeded data? (Select TWO.)

Options:

A.

Increase the Retain Until Date.

B.

Assume a role that has the s3:BypassLegalRetention permission.

C.

Assume a role that has the s3:BypassGovernanceRetention permission.

D.

Include the x-amz-bypass-governance-retention:true header in the request when issuing the delete command.

E.

Include the x-amz-bypass-legal-retention:true header in the request when issuing the delete command.

Question 28

A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). Web traffic increases significantly during the same 9-hour period every day and causes a decrease in the application's performance. A SysOps administrator must scale the application ahead of the changes in demand to accommodate the increased traffic.

Which solution will meet these requirements?

Options:

A.

Create an Amazon CloudWatch alarm to monitor application latency. Configure an alarm action to increase the size of each EC2 instance if the latency threshold is reached.

B.

Create an Amazon EventBridge rule to monitor application latency. Configure the rule to add an EC2 instance to the ALB if the latency threshold is reached

C.

Deploy the application to an EC2 Auto Scaling group that uses a target tracking scaling policy. Attach the ALB to the Auto Scaling group.

D.

Deploy the application to an EC2 Auto Scaling group that uses a scheduled scaling policy. Attach the ALB to the Auto Scaling group.

Question 29

A company has a policy that requires all Amazon EC2 instances to have a specific set of tags. If an EC2 instance does not have the required tags, the noncompliant instance should be terminated.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all EC2 instance state changes to an AWS Lambda function to determine if each instance is compliant. Terminate any noncompliant instances.

B.

Create an IAM policy that enforces all EC2 instance tag requirements. If the required tags are not in place for an instance, the policy will terminate noncompliant instance.

C.

Create an AWS Lambda function to determine if each EC2 instance is compliant and terminate an instance if it is noncompliant. Schedule the Lambda function to invoke every 5 minutes.

D.

Create an AWS Config rule to check if the required tags are present. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.

Question 30

A company recently acquired another corporation and all of that corporation's AWS accounts. A financial analyst needs the cost data from these accounts. A SysOps administrator uses Cost Explorer to generate cost and usage reports. The SysOps administrator notices that "No Tagkey" represents 20% of the monthly cost.

What should the SysOps administrator do to tag the "No Tagkey" resources?

Options:

A.

Add the accounts to AWS Organizations. Use a service control policy (SCP) to tag all the untagged resources.

B.

Use an AWS Config rule to find the untagged resources. Set the remediation action to terminate the resources.

C.

Use Cost Explorer to find and tag all the untagged resources.

D.

Use Tag Editor to find and taq all the untaqqed resources.

Question 31

A company is supposed to receive a data file every hour in an Amazon S3 bucket. An S3 event notification invokes an AWS Lambda function each time a file arrives. The function processes the data for use by an application.

The application team notices that sometimes the file does not arrive. The application team wants to receive a notification whenever the file does not arrive.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Add an S3 Lifecycle rule on the S3 bucket with a scope that is limited to objects that were created in the last hour. Configure another S3 event notification to be invoked by the lifecycle transition when the number of objects transitioned is zero. Publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team.

B.

Configure another S3 event notification to invoke a Lambda function that posts a message to an Amazon Simple Queue Service (Amazon SQS) queue. Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team when the ApproximateAgeOfOldestMessage metric of the queue is greater than 1 hour.

C.

Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to alert the application team when the Invocations metric of the Lambda function is zero for an hour. Configure the alarm to treat missing data as breaching.

D.

Create a new Lambda function to get the timestamp of the newest file in the S3 bucket. If the timestamp is more than 1 hour ago, publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the new function hourly.

Question 32

A SysOps administrator configuring AWS Client VPN to connect use's on a corporate network to AWS resources mat are running in a VPC According to compliance requirements, only traffic that is destined for the VPC can travel across the VPN tunnel.

How should the SysOps administrator configure Client VPN to meet these requirements?

Options:

A.

Associate the Client VPN endpoint with a private subnet that has an internet route through a NAT gateway.

B.

On the Client VPN endpoint, turns on the split-tunnel option.

C.

On the Client VPN endpoint, specify DNS server IP addresses

D.

Select a private certificate to use as the identity certificate tor the VPN client.

Question 33

A company asks a SysOps administrator to ensure that AWS CloudTrail files are not tampered with after they are created. Currently, the company uses AWS Identity and Access Management (IAM) to restrict access to specific trails. The company's security team needs the ability to trace the integrity of each file.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a new file is delivered. Configure the Lambda function to compute an MD5 hash check on the file and store the result in an Amazon DynamoDB table. The security team can use the values that are stored in DynamoDB to verify the integrity of the delivered files.

B.

Create an AWS Lambda function that is invoked each time a new file is delivered to the CloudTrail bucket. Configure the Lambda function to compute an MD5 hash check on the file and store the result as a tag in an Amazon S3 object. The security team can use the information in the tag to verify the integrity of the delivered files.

C.

Enable the CloudTrail file integrity feature on an Amazon S3 bucket. Create an IAM policy that grants the security team access to the file integrity logs that are stored in the S3 bucket.

D.

Enable the CloudTrail file integrity feature on the trail. The security team can use the digest file that is created by CloudTrail to verify the integrity of the delivered files.

Question 34

A user working in the Amazon EC2 console increased the size of an Amazon Elastic Block Store (Amazon EBS) volume attached to an Amazon EC2 Windows instance. The change is not reflected in the file system.

What should a SysOps administrator do to resolve this issue?

Options:

A.

Extend the file system with operating system-level tools to use the new storage capacity.

B.

Reattach the EBS volume to the EC2 instance.

C.

Reboot the EC2 instance that is attached to the EBS volume.

D.

Take a snapshot of the EBS volume. Replace the original volume with a volume that is created from the snapshot.

Question 35

A company runs its entire suite of applications on Amazon EC2 instances. The company plans to move the applications to containers and AWS Fargate. Within 6 months, the company plans to retire its EC2 instances and use only Fargate. The company has been able to estimate its future Fargate costs.

A SysOps administrator needs to choose a purchasing option to help the company minimize costs. The SysOps administrator must maximize any discounts that are available and must ensure that there are no unused reservations.

Which purchasing option will meet these requirements?

Options:

A.

Compute Savings Plans for 1 year with the No Upfront payment option

B.

Compute Savings Plans for 1 year with the Partial Upfront payment option

C.

EC2 Instance Savings Plans for 1 year with the All Upfront payment option

D.

EC2 Reserved Instances for 1 year with the Partial Upfront payment option

Question 36

A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded: however, upon navigating to the site, the following error message is received:

403 Forbidden - Access Denied

What change should be made to fix this error?

Options:

A.

Add a bucket policy that grants everyone read access to the bucket.

B.

Add a bucket policy that grants everyone read access to the bucket objects.

C.

Remove the default bucket policy that denies read access to the bucket.

D.

Configure cross-origin resource sharing (CORS) on the bucket.

Question 37

A company needs to track spending in its AWS account. The company must receive a notification when current costs and forecasted costs exceed specific thresholds. Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create a new 1AM role. Attach the AWSPurchaseOrdersServiceRolePolicy AWS managed policy to the role. Check AWS Cost Explorer on a regular basis to monitor current costs and forecasted costs

B.

Create an AWS Cost and Usage Report Create an AWS Step Functions state machine that runs when a new usage file is generated Configure the state machine to pass the data to Amazon Forecast and to invoke an AWS Lambda Function Configure the Lambda function to parse the data and to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if costs exceed the thresholds.

C.

Create an AWS Cost and Usage Report Separate the current costs and forecasted costs by service. Schedule the report to be sent to an Amazon Simple Notification Service (Amazon SNS) topic each month.

D.

Create a recurring cost budget in AWS Budgets. Create an alert for the actual cost. Create a second alert for the forecasted costs. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive the alerts.

Question 38

A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services. A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user's location. Which solution will meet these requirements?

Options:

A.

Configure a Route 53 latency routing policy.

B.

Configure a Route 53 multivalue answer routing policy.

C.

Configure a Route 53 geolocation routing policy.

D.

Configure a Route 53 IP-based routing policy.

Question 39

A company creates a new member account by using AWS Organizations. A SysOps administrator needs to add AWS Business Support to the new account

Which combination of steps must the SysOps administrator take to meet this requirement? (Select TWO.)

Options:

A.

Sign in to the new account by using 1AM credentials. Change the support plan.

B.

Sign in to the new account by using root user credentials. Change the support plan.

C.

Use the AWS Support API to change the support plan.

D.

Reset the password of the account root user.

E.

Create an IAM user that has administrator privileges in the new account.

Question 40

A company hosts a web application on an Amazon EC2 instance. The web server logs are published to Amazon CloudWatch Logs. The log events have the same structure and include the HTTP response codes that are associated with the user requests. The company needs to monitor the number of times that the web server returns an HTTP 404 response.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Create a CloudWatch Logs metric filter that counts the number of times that the web server returns an HTTP 404 response.

B.

Create a CloudWatch Logs subscription filter that counts the number of times that the web server returns an HTTP 404 response.

C.

Create an AWS Lambda function that runs a CloudWatch Logs Insights query that counts the number of 404 codes in the log events during the past hour.

D.

Create a script that runs a CloudWatch Logs Insights query that counts the number of 404 codes in the log events during the past hour.

Question 41

A company's SysOps administrator needs to change the AWS Support plan for one of the company's AWS accounts. The account has multi-factor authentication (MFA) activated, and the MFA device is lost.

What should the SysOps administrator do to sign in?

Options:

A.

Sign in as a root user by using email and phone verification. Set up a new MFA device. Change the root user password.

B.

Sign in as an 1AM user with administrator permissions. Resynchronize the MFA token by using the 1AM console.

C.

Sign in as an 1AM user with administrator permissions. Reset the MFA device for the root user by adding a new device.

D.

Use the forgot-password process to verify the email address. Set up a new password and MFA device.

Question 42

A company wants to prohibit its developers from using a particular family of Amazon EC2 instances The company uses AWS Organizations and wants to apply the restriction across multiple accounts

What is the MOST operationally efficient way for the company lo apply service control policies (SCPs) to meet these requirements?

Options:

A.

Add the accounts to an organizational unit (OUf Apply the SCPs to the OU.

B.

Add the accounts to resource groups in AWS Resource Groups. Apply the SCPs to the resource groups.

C.

Apply the SCPs to each developer account.

D.

Enroll the accounts with AWS Control Tower. Apply the SCPs to the AWS Control Tower management account.

Question 43

A company's financial department needs to view the cost details of each project in an AWS account A SysOps administrator must perform the initial configuration that is required to view cost for each project in Cost Explorer

Which solution will meet this requirement?

Options:

A.

Activate cost allocation tags Add a project tag to the appropriate resources

B.

Configure consolidated billing Create AWS Cost and Usage Reports

C.

Use AWS Budgets Create AWS Budgets reports

D.

Use cost categories to define custom groups that are based on AWS cost and usage dimensions

Question 44

A company is using an Amazon EC2 Auto Scaling group to support a workload A Sytfhe company now needs to centruito Scaling group is configured with two similar scaling policies dP) to centrally manage access to One scaling policy adds 5 instances when CPU utilization reaches 80%. The other sctrator can connect to the extemahen CPU utilization leaches 80%.

What will happen when CPU utilization reaches the 80% threshold?

Options:

A.

Amazon EC2 Auto Scaling will add 5 instances

B.

Amazon EC2 Auto Scaling will add 10 instances

C.

Amazon EC2 Auto Scaling will add 15 instances.

D.

The Auto Scaling group will not scale because of conflicting policies

Question 45

A company is undergoing an external audit of its systems, which run wholly on AWS. A SysOps administrator must supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS.

Which set of action should the SysOps administrator take to meet this requirement?

Options:

A.

Download the applicable reports from the AWS Artifact portal and supply these to the auditors.

B.

Download complete copies of the AWS CloudTrail log files and supply these to the auditors.

C.

Download complete copies of the AWS CloudWatch logs and supply these to the auditors.

D.

Provide the auditors with administrative access to the production AWS account so that the auditors can determine compliance.

Question 46

A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are going directly to the S3 bucket by using the website hosting endpoint. A SysOps administrator must secure the S3 bucket to allow requests only from CloudFront.

What should the SysOps administrator do to meet this requirement?

Options:

A.

Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Remove access to and from other principals in the S3 bucket policy. Update the S3 bucket policy to allow access only from the OAI.

B.

Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Update the S3 bucket policy to allow access only from the OAI. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.

C.

Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Update the S3 bucket policy to allow access only from the OAI. Disable website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.

D.

Update the S3 bucket policy to allow access only from the CloudFront distribution. Remove access to and from other principals in the S3 bucket policy. Disable website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.

Question 47

A SysOps administrator needs to create a report that shows how many bytes are sent to and received from each target group member for an Application Load Balancer (ALB).

Which combination of steps should the SysOps administrator take to meet these requirements? (Select TWO.)

Options:

A.

Enable access logging for the ALB. Save the logs to an Amazon S3 bucket.

B.

Install the Amazon CloudWatch agent on the Instances in the target group.

C.

Use Amazon Athena to query the ALB logs Query the table Use the received_bytes and senl_byt.es fields to calculate the total bytes grouped by the target:port field.

D.

Use Amazon Athena to query the ALB logs Query the table. Use the received_bytes and sent_byt.es fields to calculate the total bytes grouped by the clientport field

E.

Create an Amazon CloudWatch dashboard that shows the Sum statistic of the ProcessedBytes metric for the ALB.

Question 48

A company wants to store sensitive financial data within Amazon S3 buckets. The company has a corporate policy that does not allow public read or write access to the buckets. A SysOps administrator must create a solution to automatically remove S3 permissions that allow public read or write access.

Which AWS service should the SysOps administrator use to meet these requirements in the MOST operationally efficient manner?

Options:

A.

AWSConfig

B.

AWS Security Hub

C.

AWS Trusted Advisor

D.

Amazon Inspector

Question 49

A SysOps administrator applies the following policy to an AWS CloudFormation stack:

What is the result of this policy?

Options:

A.

Users that assume an IAM role with a logical ID that begins with "Production" are prevented from running the update-stack command.

B.

Users can update all resources in the stack except for resources that have a logical ID that begins with "Production".

C.

Users can update all resources in the stack except for resources that have an attribute that begins with "Production".

D.

Users in an IAM group with a logical ID that begins with "Production" are prevented from running the update-stack command.

Question 50

A company needs to restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only. All traffic must be over the AWS private network.

What actions should the SysOps administrator take to meet these requirements?

Options:

A.

Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

B.

Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

C.

Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket.

D.

Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway.

Question 51

A company’s application on EC2 instances relies on a Single-AZ RDS for MySQL DB instance. The SysOps administrator needs to ensure failover to minimize downtime.

Options:

Options:

A.

Modify the DB instance to be a Multi-AZ DB instance deployment.

B.

Add a read replica in the same Availability Zone where the DB instance is deployed.

C.

Add the DB instance to an Auto Scaling group that has a minimum capacity of 2 and a desired capacity of 2.

D.

Use RDS Proxy to configure a proxy in front of the DB instance.

Question 52

A company wants to reduce costs for jobs that can be completed at any time. The jobs currently run by using multiple Amazon EC2 On-Demand Instances, and the jobs take slightly less than 2 hours to complete. If a job fails for any reason, it must be restarted from the beginning.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Purchase Reserved Instances for the jobs.

B.

Submit a request for a one-time Spot Instance for the jobs.

C.

Submit a request for Spot Instances with a defined duration for the jobs.

D.

Use a mixture of On-Demand Instances and Spot Instances for the jobs.

Question 53

A company runs a multi-tier web application with two Amazon EC2 instances in one Availability Zone in the us-east-1 Region. A SysOps administrator must migrate one of the EC2 instances to a new Availability Zone

Which solution will accomplish this?

Options:

A.

Copy the EC2 instance to a different Availability Zone. Terminate the original instance

B.

Create an Amazon Machine Image (AMI) from the EC2 instance and launch it in a different Availability Zone. Terminate the original instance

C.

Move the EC2 instance to a different Availability Zone using the AWS CLI.

D.

Stop the EC2 instance, modify the Availability Zone, and start the instance.

Question 54

A company is running a development application on an Amazon EC2 instance. The application uploads 500.000 files that are 1 GB in size into a large! Amazon S3 bucket that has default encryption enabled The EC2 instance is in the same AWS Region where the S3 bucket is deployed.

The company uses performance logging that is built into the application software. The logs show that the application is constantly waiting for the files to be written to the S3 bucket. A SysOps administrator needs to improve the application's throughput performance. The SysOps administrator validates that the networking on the EC2 instance is not constrained.

What should the SysOps administrator do to improve the S3 upload performance''

Options:

A.

Enable S3 Transfer Acceleration on the S3 bucket.

B.

Split the S3 write operations to use multiple bucket prefixes to write items in parallel.

C.

Configure AWS PrivateLink for Amazon S3 Turn off encryption on the S3 bucket

D.

Configure AWS Global Accelerator in the Region. Turn off encryption on the S3 bucket.

Question 55

A development team recently deployed a new version of a web application to production After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data

Which AWS service will mitigate this issue?

Options:

A.

AWS Shield Standard

B.

AWS WAF

C.

Elastic Load Balancing

D.

Amazon Cognito

Question 56

A company runs a website from Sydney, Australia. Users in the United States (US) and Europe are reporting that images and videos are taking a long time to load. However, local testing in Australia indicates no performance issues. The website has a large amount of static content in the form of images and videos that are stored m Amazon S3.

Which solution will result In the MOST Improvement In the user experience for users In the US and Europe?

Options:

A.

Configure AWS PrivateLink for Amazon S3.

B.

Configure S3 Transfer Acceleration.

C.

Create an Amazon CloudFront distribution. Distribute the static content to the CloudFront edge locations

D.

Create an Amazon API Gateway API in each AWS Region. Cache the content locally.

Question 57

A company recently migrated its application to a VPC on AWS. An AWS Site-to-Site VPN connection connects the company’s on-premises network to the VPC. The application retrieves customer data from another system that resides on premises. The application uses an on-premises DNS server to resolve domain records. After the migration, the application is not able to connect to the customer data because of name resolution errors.

Which solution will give the application the ability to resolve the internal domain names?

Options:

A.

Launch EC2 instances in the VPC. On the EC2 instances, deploy a custom DNS forwarder that forwards all DNS requests to the on-premises DNS server. Create an Amazon Route 53 private hosted zone that uses the EC2 instances for name servers.

B.

Create an Amazon Route 53 Resolver outbound endpoint. Configure the outbound endpoint to forward DNS queries against the on-premises domain to the on-premises DNS server.

C.

Set up two AWS Direct Connect connections between the AWS environment and the on-premises network. Set up a link aggregation group (LAG) that includes the two connections. Change the VPC resolver address to point to the on-premises DNS server.

D.

Create an Amazon Route 53 public hosted zone for the on-premises domain. Configure the network ACLs to forward DNS requests against the on-premises domain to the Route 53 public hosted zone.

Question 58

A SysOps administrator needs to give users the ability to upload objects to an Amazon S3 bucket. The SysOps administrator creates a presigned URL and provides the URL to a user, but the user cannot upload an object to the S3 bucket. The presigned URL has not expired, and no bucket policy is applied to the S3 bucket.

Which of the following could be the cause of this problem?

Options:

A.

The user has not properly configured the AWS CLI with their access key and secret access key.

B.

The SysOps administrator does not have the necessary permissions to upload the object to the S3 bucket.

C.

The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.

D.

The object already has been uploaded through the use of the presigned URL, so the presigned URL is no longer valid.

Question 59

A company needs to take an inventory of applications that are running on multiple Amazon EC2 instances. The company has configured users and roles with the appropriate permissions for AWS Systems Manager. An updated version of Systems Manager Agent has been installed and is running on every instance. While configuring an inventory collection, a SysOps administrator discovers that not all the instances in a single subnet are managed by Systems Manager.

What must the SysOps administrator do to fix this issue?

Options:

A.

Ensure that all the EC2 instances have the correct tags for Systems Manager access.

B.

Configure AWS Identity and Access Management Access Analyzer to determine and automatically remediate the issue.

C.

Ensure that all the EC2 instances have an instance profile with Systems Manager access.

D.

Configure Systems Manager to use an interface VPC endpoint.

Question 60

A SysOps administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units within the same company. All data must be encrypted at rest.

How should the administrator implement this process?

Options:

A.

Write a script to download the encrypted snapshot, decrypt it using the AWS KMS encryption key used to encrypt the snapshot, then create a new volume in each account.

B.

Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts.

C.

Create an Amazon EC2 instance based on the snapshot, then save the instance's Amazon EBS volume as a snapshot and share it with the other accounts. Require each account owner to create a new volume from that snapshot and encrypt it.

D.

Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RDP. export the database contents into a file, then share this file with the other accounts.

Question 61

A company wants to use only IPv6 for all its Amazon EC2 instances. The EC2 instances must not be accessible from the internet, but

the EC2 instances must be able to access the internet. The company creates a dual-stack VPC and IPv6-only subnets.

How should a SysOps administrator configure the VPC to meet these requirements?

Options:

A.

Create and attach a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.

B.

Create and attach an internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway. Attach the custom route table to the IPv6-only subnets.

C.

Create and attach an egress-only internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gateway. Attach the custom route table to the IPv6-only subnets.

D.

Create and attach an internet gateway and a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway and all IPv4 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.

Question 62

A SysOps administrator needs to provision a new fleet of Amazon EC2 Spot Instances in an Amazon EC2 Auto Scaling group. The Auto Scaling group will use a wide range of instance types The configured fleet must come from pools that have the most availability for the number of instances that are launched.

Which solution will meet these requirements?

Options:

A.

Launch the Spot Instances up to the maximum capacity of the Auto Scaling group

B.

Launch the Spot Instances by using the diversified strategy.

C.

Launch the Spot Instances by using the capacity optimized strategy.

D.

Use the Spot Instance advisor to help determine the best Spot allocation strategy.

Question 63

A SysOps administrator needs to delete an AWS CloudFormation stack that is no longer in use. The CloudFormation stack is in the DELETE_FAILED state. The SysOps administrator has validated the permissions that are required to delete the Cloud Formation stack.

Options:

A.

The configured timeout to delete the stack was too low for the delete operation to complete.

B.

The stack contains nested stacks that must be manually deleted fast.

C.

The stack was deployed with the -disable rollback option.

D.

There are additional resources associated with a security group in the stack

E.

There are Amazon S3 buckets that still contain objects in the stack.

Question 64

A SysOps administrator is helping a development team deploy an application to AWS Trie AWS CloudFormat on temp ate includes an Amazon Linux EC2 Instance an Amazon Aurora DB cluster and a hard coded database password that must be rotated every 90 days

What is the MOST secure way to manage the database password?

Options:

A.

Use the AWS SecretsManager Secret resource with the GenerateSecretString property to automatically generate a password Use the AWS SecretsManager RotationSchedule resource lo define a rotation schedule lor the password Configure the application to retrieve the secret from AWS Secrets Manager access the database

B.

Use me AWS SecretsManager Secret resource with the SecretStrmg property Accept a password as a CloudFormation parameter Use the AllowedPatteen property of the CloudFormaton parameter to require e minimum length, uppercase and lowercase letters and special characters Configure me application to retrieve the secret from AWS Secrets Manager to access the database

C.

Use the AWS SSM Parameter resource Accept input as a Qoudformatton parameter to store the parameter as a secure sting Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database

D.

Use the AWS SSM Parameter resource Accept input as a Cloudf ormetton parameter to store the parameter as a string Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database

Question 65

A SysOps administrator has submitted an AWS Support case. The SysOps administrator needs to receive immediate and automatic notifications in a Slack channel when the case is updated. The SysOps administrator also must be able to use Slack to add comments to the case.

Which solution will meet these requirements?

Options:

A.

Add the AWS Support App by authorizing the AWS account in Slack. Add the group ID and the required case type in Slack.

B.

Add the AWS Support App by authorizing the Slack workspace. Add the channel ID and the required case type in the AWS account.

C.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the HTTPS URL of the Slack channel to the SNS topic. Create an Amazon EventBridge rule that runs every minute and checks for case updates. Configure the rule to invoke an AWS Lambda function that publishes updates to the SNS topic.

D.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the HTTPS URL of the Slack channel to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern with a source of aws.support and a detail type of Support Case Update. Specify the SNS topic as the rule's target. Send all comments in Slack to the SNS topic.

Question 66

A company has a web application with a database tier that consists of an Amazon EC2 instance that runs MySQL. A SysOps administrator needs to minimize potential data loss and the time that is required to recover in the event of a database failure.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric to invoke an AWS Lambda function that stops and starts the EC2 instance.

B.

Create an Amazon RDS for MySQL Multi-AZ DB instance. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.

C.

Create an Amazon RDS for MySQL Single-AZ DB instance with a read replica. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.

D.

Use Amazon Data Lifecycle Manager (Amazon DLM) to take a snapshot of the Amazon Elastic Block Store (Amazon EBS) volume every hour. In the event of an EC2 instance failure, restore the EBS volume from a snapshot.

Question 67

A company hosts an application on Amazon EC2 instances. The application periodically causes a surge in CPU utilization on the EC2 instances.

A SysOps administrator needs to implement a solution to detect when these surges occur. The solution also must send an email alert to the company's development team.

Which solution will meet these requirements?

Options:

A.

Create an Amazon Simple Email Service (Amazon SES) email. Verify the development team's email address. Create an Amazon CloudWatch alarm for the EC2 instances Use the sum of the CPU utilization metric, an upper threshold of 80%. and a period of 15 minutes for the alarm. Link the alarm to the SES email.

B.

Create an Amazon Simple Email Service (Amazon SES) email. Verify the development team's email address. Create an Amazon CloudWatch alarm for the EC2 instances Use the average of the CPU utilization metric, an upper threshold of 80%. and a period of 5 minutes for the alarm. Link the alarm to the SES email.

C.

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the development team's email address to the SNS topic. Create an Amazon CloudWatch alarm for the EC2 instances. Use the sum of the CPU utilization metric, an upper threshold of 80%. and a period of 15 minutes for the alarm. Link the alarm to the SNS topic.

D.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the development team's email address to the SNS topic. Create an Amazon CloudWatch alarm for the EC2 instances. Use the average of the CPU utilization metric, an upper threshold of 80%. and a period of 5 minutes for the alarm. Link the alarm to the SNS topic

Question 68

A company has an AWS Config rule that identifies open SSH ports in security groups. The rule has an automatic remediation action to delete the SSH inbound rule for noncompliant security groups. However, business units require SSH access and can provide a list of trusted IPs to restrict access.

Options:

Options:

A.

Create a new AWS Systems Manager Automation runbook that adds an IP set to the security group's inbound rule. Update the AWS Config rule to change the automatic remediation action to use the new runbook.

B.

Create a new AWS Systems Manager Automation runbook that updates the security group’s inbound rule with the IP addresses from the business units. Update the AWS Config rule to change the automatic remediation action to use the new runbook.

C.

Create an AWS Lambda function that adds an IP set to the security group's inbound rule. Update the AWS Config rule to change the automatic remediation action to use the Lambda function.

D.

Create an AWS Lambda function that updates the security group's inbound rule with the IP addresses from the business units. Update the AWS Config rule to change the automatic remediation action to use the Lambda function.

Question 69

A company is deploying a third-party unit testing solution that is delivered as an Amazon EC2 Amazon Machine Image (AMI). The company is deploying the testing solution on On-Demand Instances. The company wants to use an additional three Spot Instances when the Spot Instance prices drop to a specific threshold. A minimum of three instances are required at all times to operate the testing solution. A SysOps administrator must implement high availability for the architecture. Which solution will meet these requirements with the LEAST management overhead?

Options:

A.

Configure a launch template for the Spot Instances. Set the maximum price for the Spot Instances. Configure another launch template for the On-Demand Instances.

B.

Configure a launch template that uses the InstanceMarketOptions property for the Spot Instances and the On-Demand Instances. Set the maximum price for the Spot Instances.

C.

Configure a launch template that uses the MixedInstancesPolicy property for the Spot Instances and the On-Demand Instances. Set the maximum price for the Spot Instances.

D.

Configure a launch template that uses the InstanceMarketOptions property and the MixedInstancesPolicy property for the Spot Instances and the On-Demand Instances. Set the maximum price for the Spot Instances.

Question 70

A SysOps administrator needs to share a new AMI with all accounts within an organization managed through AWS Organizations.

Options:

Options:

A.

Make the AMI public. Reference the AMI ID from within the member accounts of the organization.

B.

Share the AMI's associated snapshots with all the accounts in the organization.

C.

Share the AMI with the organization by specifying the organization Amazon Resource Name (ARN).

D.

Upload the AMI to AWS Marketplace. Search for the uploaded AMI when an instance is launched from a member account in the organization.

Question 71

A large company is using AWS Organizations to manage hundreds of AWS accounts across multiple AWS Regions. The company has turned on AWS Config throughout the organization.

The company requires all Amazon S3 buckets to block public read access. A SysOps administrator must generate a monthly report that shows all the S3 buckets and whether they comply with this requirement.

Which combination of steps should the SysOps administrator take to collect this data? {Select TWO).

Options:

A.

Create an AWS Config aggregator in an aggregator account. Use the organization as the source. Retrieve the compliance data from the aggregator.

B.

Create an AWS Config aggregator in each account. Use an S3 bucket in an aggregator account as the destination. Retrieve the compliance data from the S3 bucket

C.

Edit the AWS Config policy in AWS Organizations. Use the organization's management account to turn on the s3-bucket-public-read-prohibited rule for the entire organization.

D.

Use the AWS Config compliance report from the organization's management account. Filter the results by resource, and select Amazon S3.

E.

Use the AWS Config API to apply the s3-bucket-public-read-prohibited rule in all accounts for all available Regions.

Question 72

A company is using AWS Certificate Manager (ACM) to manage public SSL/TLS certificates. A SysOps administrator needs to send an email notification when a certificate has less than 14 days until expiration.

Which solution will meet this requirement with the LEAST operational overhead?

Options:

A.

Create an Amazon CloudWatch custom metric to monitor certificate expiration for all ACM certificates. Create an Amazon EventBridge rule that has an event source of a ws. cloud watch Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if the DaysToExpiry metric is less than 14. Subscribe the appropriate email addresses to the SNS topic.

B.

Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry melric for all ACM certificates.Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if DaysToExpiry is less than 14. Subscribe the appropriate email addresses to the SNS topic.

C.

Create an Amazon CloudWatch dashboard that displays the DaysToExpiry metric for all ACM certificates. If DaysToExpiry is less than 14, send an emailmessage to the appropriate email addresses. Send the email message by running a predefined CLI command to publish to an Amazon Simple Notification Service (Amazon SNS) topic.

D.

Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure a target SMS identity that uses a predefined email template. Configure the rule to send an event to the target SMS identity if DaysToExpiry is less than 14.

Question 73

A company has an application that runs behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon Route 53 record set contains an alias record for app.anycompany.com that references the ALB in us-west-2 and uses a simple routing policy. The application is experiencing an increase in users from other locations in the world. These users are experiencing high latency.

Most of the new users are close to the ap-southeast-2 Region. The company deploys a copy of the application to ap-southeast-2. A SysOps administrator must implement a solution that automatically routes requests to the lowest latency endpoint for users without changing the URL.

Which solution will meet these requirements?

Options:

A.

Add a new value to the existing alias record for app.anycompany.com with the DNS name of the new ALB in ap-southeast-2.

B.

Change the existing alias record to use a geolocation routing policy. Create two geolocation records, one record that references each ALSelect the location that is closest to each Region.

C.

Change the existing alias record to use a latency routing policy. Create two latency records, one record that references each ALB.

D.

Change the existing alias record to use a multivalue routing policy Add the DNS name of each ALB to the record.

Question 74

A SysOps administrator noticed that a large number of Elastic IP addresses are being created on the company's AWS account, but they are not being associated with Amazon EC2 instances, and are incurring Elastic IP address charges in the monthly bill.

How can the administrator identify who is creating the Elastic IP addresses?

Options:

A.

Attach a cost-allocation tag to each requested Elastic IP address with the IAM user name of the developer who creates it.

B.

Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events.

C.

Create a CloudWatch alarm on the ElPCreated metric and send an Amazon SNS notification when the alarm triggers.

D.

Use Amazon Inspector to get a report of all Elastic IP addresses created in the last 30 days.

Question 75

A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.

What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?

Options:

A.

Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.

B.

Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.

C.

Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.

D.

Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.

Question 76

A company hosts its website on Amazon EC2 instances in the us-east-1 Region. The company is preparing to extend its website into the eu-central-1 Region, but the database must remain only in us-east-1. After deployment, the EC2 instances in eu-central-1 are unable to connect to the database in us-east-1.

What is the MOST operationally efficient solution that will resolve this connectivity issue?

Options:

A.

Create a VPC peering connection between the two Regions. Add the private IP address range of the instances to the inbound rule of the database security group.

B.

Create a VPC peering connection between the two Regions. Add the security group of the instances in eu-central-1 to the outbound rule of the database security group.

C.

Create a VPN connection between the two Regions. Add the private IP address range of the instances to the outbound rule of the database security group.

D.

Create a VPN connection between the two Regions. Add the security group of the instances in eu-central-1 to the inbound rule of the database security group.

Question 77

The application is experiencing high VolumeQueueLength on an EC2 instance with a gp3 EBS volume, causing slow performance during I/O-intensive tasks.

Options:

Options:

A.

Attach an Amazon ElastiCache cluster to the EBS volume.

B.

Modify the EBS volume properties by enabling the Auto-Enabled IO volume attribute.

C.

Modify the EBS volume properties to increase the IOPS.

D.

Modify the EC2 instance to enable enhanced networking. Reboot the EC2 instance.

Question 78

A SysOps administrator has used AWS Cloud Formal ion to deploy a serverless application Into a production VPC. The application consists of an AWS Lambda function an Amazon DynamoDB table, and an Amazon API Gateway API. The SysOps administrator must delete the AWS Cloud Formation stack without deleting the DynamoDB table.

Which action should the SysOps administrator take before deleting the AWS Cloud Formation stack?

Options:

A.

Add a Retain deletion policy to the DynamoDB resource in the AWS CloudFormation stack

B.

Add a Snapshot deletion policy to the DynamoDB resource in the AWS CloudFormation stack.

C.

Enable termination protection on the AWS Cloud Formation stack.

D.

Update the application's IAM policy with a Deny statement for the dynamodb:DeleteTabie action.

Page: 1 / 20
Total 528 questions