Notes: Hi all, AWS Certified SysOps Administrator Associate SOA-C02 Practice Exam Part 10 will familiarize you with the types of questions you may encounter on the certification exam and help you determine whether you are ready or need more preparation and/or experience. Successful completion of the practice exam does not guarantee that you will pass the certification exam, as the actual exam is longer and covers a wider range of topics. We highly recommend that you take the AWS Certified SysOps Administrator Associate SOA-C02 Actual Exam Version because it includes real questions, and highlighted answers are collected in our exam. It will help you pass the exam more easily.
361. A company is migrating its exchange server from its on-premises location to a VPC in the AWS Cloud. Users working from home connect using a secure, encrypted channel over the internet to the exchange server. However, after the migration to AWS, users are having trouble receiving email. The VPC flow log records display the following.
What is the root cause of the problem?
A. SMTP traffic from the network interface was blocked by an outbound network ACL.
B. SMTP traffic from the network interface was blocked by an outbound security group.
C. SMTP traffic to the network interface was blocked by an inbound network ACL.
D. SMTP traffic to the network interface was blocked by an inbound security group.
362. An Amazon EC2 instance has a secondary Amazon Elastic Block Store (EBS) volume attached that contains sensitive data. A new company policy requires the secondary volume to be encrypted at rest. Which solution will meet this requirement?
A. Create a snapshot of the volume. Create a new volume from the snapshot with the Encrypted parameter set to true. Detach the original volume and attach the new volume to the instance.
B. Create an encrypted Amazon Machine Image (AMI) of the EC2 instance. Launch a new instance with the encrypted AMI. Terminate the original instance.
C. Stop the EC2 instance. Encrypt the volume with AWS CloudHSM. Start the instance and verify encryption.
D. Stop the EC2 instance. Modify the instance properties and set the Encrypted parameter to true. Start the instance and verify encryption.
363. A SysOps administrator recently launched an application consisting of web servers running on Amazon EC2 instances, an Amazon ElastiCache cluster communicating on port 6379, and an Amazon RDS for PostgreSQL DB instance communicating on port 5432. The web servers are in the security group web-sg, the ElastiCache cluster is in the security group cache-sg, and the DB instance is in the security group database-sg. The application fails on start, with the error message “Unable to connect to the database”. The rules in web-sg are as follows.
Which change should the SysOps administrator make to web-sg to correct the issue without compromising security?
A. Add a new inbound rule: database-sg TCP 5432
B. Add a new outbound rule: database-sg TCP 5432
C. Add a new outbound rule: 0.0.0.0/0 All Traffic 0-65535
D. Change the outbound rule to: cache-sg TCP 5432
364. A kernel patch for AWS Linux has been released, and systems need to be updated to the new version. A SysOps administrator must apply an in-place update to an existing Amazon EC2 instance without replacing the instance. How should the SysOps administrator apply the new software version to the instance?
A. Add the instance to a patch group and patch baseline containing the desired patch by using AWS Systems Manager Patch Manager.
B. Develop a new version of the instance’s Amazon Machine Image (AMI). Apply that new AMI to the instance.
C. Develop a new user data script containing the patch. Configure the instance with the new script.
D. Run commands on the instance remotely using the AWS CLI.
365. A company needs to implement a system for object-based storage in a write-once, read-many (WORM) model. Objects cannot be deleted or changed after they are stored, even by an AWS account root user or administrators. Which solution will meet these requirements?
A. Set up Amazon S3 Cross-Region Replication and run daily updates.
B. Set up Amazon S3 Object Lock in governance mode with S3 Versioning enabled.
C. Set up Amazon S3 Object Lock in compliance mode with S3 Versioning enabled.
D. Set up an Amazon S3 Lifecycle policy to move the objects to Amazon S3 Glacier.
366. A company runs a multi-tier web application with two Amazon EC2 instances in one Availability Zone in the us-east-1 Region. A SysOps administrator must migrate one of the EC2 instances to a new Availability Zone. Which solution will accomplish this?
A. Copy the EC2 instance to a different Availability Zone. Terminate the original instance.
B. Create an Amazon Machine Image (AMI) from the EC2 instance and launch it in a different Availability Zone. Terminate the original instance.
C. Move the EC2 instance to a different Availability Zone using the AWS CLI.
D. Stop the EC2 instance, modify the Availability Zone, and start the instance.
367. A company’s application infrastructure was deployed using AWS CloudFormation and is composed of Amazon EC2 instances behind an Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. When releasing a new version of the application, the update deployment must avoid DNS changes and allow rollback. Which solution should a SysOps administrator use to meet the deployment requirements for this new release?
A. Configure the Auto Scaling group to use lifecycle hooks. Deploy new instances with the new application version. Complete the lifecycle hook action once healthy.
B. Create a new Amazon Machine Image (AMI) containing the updated code. Create a launch configuration with the AMI. Update the Auto Scaling group to use the new launch configuration.
C. Deploy a second CloudFormation stack. Wait for the application to be available. Cut over to the new Application Load Balancer.
D. Modify the CloudFormation template to use an AutoScalingReplacingUpdate policy. Update the stack. Perform a second update with the new release.
368. A company wants to launch a group of Amazon EC2 instances that need to communicate with each other with the lowest possible latency. Which combination of actions should a SysOps administrator take when launching these instances? (Choose two.)
A. Launch instances in different VPCs with a VPN tunnel.
B. Launch instances in different VPCs with VPC peering enabled.
C. Launch instances in a cluster placement group.
D. Launch instances in a spread placement group.
E. Launch instances with enhanced networking enabled.
369. A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account. What is the MOST operationally efficient solution to control the production account?
A. Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
B. Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
C. Create a service control policy (SCP). Apply the SCP to the production OU.
D. Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.
370. A company’s data processing workflow uses AWS Lambda to interact with other AWS services, including AWS Step Functions, Amazon DynamoDB, and Amazon S3. The Lambda functions make several API calls to these services as a part of the workflow. AWS CloudTrail has been enabled in the AWS Region and is logging to Amazon CloudWatch Logs. The Lambda functions are also logging to CloudWatch Logs. A SysOps administrator notices that a specific Lambda function in the workflow is taking longer to run than it did last month. The SysOps administrator needs to determine the parts of the Lambda function that are experiencing higher-than-normal response times. What solution will accomplish this?
A. Analyze logs in CloudWatch Logs for the timestamps at which the API calls are made while the Lambda function is running. Compare with the logs from the previous month.
B. Enable AWS X-Ray for the function. Analyze the service map and traces to help identify the API calls with anomalous response times.
C. Search CloudTrail logs for the calls from the Lambda function. Compare the observed and expected times of API calls relative to the time when the function starts.
D. Use CloudWatch to monitor the Duration metric of function invocations for the Lambda function. Compare with the measurements from the previous month.
371. Developers are using IAM access keys to manage AWS resources using AWS CLI. Company policy requires that access keys are automatically disabled when the access key age is greater than 90 days. Which solution will accomplish this?
A. Configure an Amazon CloudWatch alarm to trigger an AWS Lambda function that disables keys older than 90 days.
B. Configure AWS Trusted Advisor to identify and disable keys older than 90 days.
C. Set a password policy on the account with a 90-day expiration.
D. Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation.
372. A company wants to store sensitive data in Amazon S3. The S3 bucket and its contents must be accessible only from the on-premises corporate network. What should a SysOps administrator do to configure the S3 bucket policy statement?
A. Use a Deny effect with a condition based on the aws:sourceVpc key.
B. Use a Deny effect with a condition based on the NotIpAddress key.
C. Use an Allow effect with a condition based on the IpAddress key.
D. Use an Allow effect with a condition based on the s3:LocationConstraint key.
373. A SysOps administrator wants to encrypt an existing Amazon RDS DB instance with AWS Key Management Service (AWS KMS). How should the SysOps administrator accomplish this goal?
A. Copy the data volumes of the unencrypted instance. Apply the KMS key to the copied data volumes. Start the instance with the encrypted volumes.
B. Create a read replica of the unencrypted instance. Encrypt the read replica with the KMS key. Promote the read replica to become the primary instance.
C. Take a snapshot of the unencrypted instance. Apply the KMS key to the existing instance using the modify-db-instance command. Restart the instance.
D. Take a snapshot of the unencrypted instance. Create an encrypted copy of the snapshot with the KMS key. Restore the instance from the encrypted snapshot.
374. A company needs to deploy a web application on two Amazon EC2 instances behind an Application Load Balancer (ALB). Two EC2 instances will also be deployed to host the database. The infrastructure needs to be designed across Availability Zones (AZs) for high availability and must limit public access to the instances as much as possible. How should this be achieved within a VPC?
A. Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a private subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.
B. Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a public subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.
C. Use two AZs and create one public subnet for the Application Load Balancer, a private subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.
D. Use two AZs and create one public subnet for the Application Load Balancer, a public subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.
375. A SysOps administrator is responsible for managing a fleet of Amazon EC2 instances. These EC2 instances upload build artifacts to a third-party service. The third-party service recently implemented strict IP whitelisting that requires all build uploads to come from a single IP address. What change should the systems administrator make to the existing build fleet to comply with this new requirement?
A. Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service.
B. Move all of the EC2 instances behind an internet gateway and provide the gateway IP address to the service.
C. Move all of the EC2 instances into a single Availability Zone and provide the Availability Zone IP address to the service.
D. Move all of the EC2 instances to a peered VPC and provide the VPC IP address to the service.
376. A SysOps administrator manages an AWS CloudFormation template that provisions Amazon EC2 instances, an Elastic Load Balancer, and Amazon RDS instances. As part of an ongoing transformation project, CloudFormation stacks are being created and deleted continuously. The administrator needs to ensure that the RDS instances continue running after a stack has been deleted. Which action should be taken to meet these requirements?
A. Edit the template to remove the RDS resources and update the stack.
B. Enable termination protection on the stack.
C. Set the DeletionPolicy attribute for RDS resources to Retain in the template.
D. Set the deletion-protection parameter on RDS resources.
377. A streaming company is using AWS resources in the us-east-1 Region for its production environment. The web tier of the streaming site runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group is configured to scale when the CPU utilization of the instances is greater than 75%. The user database is hosted on an Amazon RDS MySQL cluster, and video content is stored within an Amazon S3 bucket. Amazon CloudWatch metrics show that the RDS MySQL Multi-AZ DB instance has around 16 GB of memory free and an average CPU utilization of 70%. It is taking users in Asia several seconds longer to access the streaming website. Which combination of actions will improve the access load times? (Choose two.)
A. Configure RDS MySQL Multi-AZ to reduce RDS CPU and RAM utilization and distribute queries to multiple Availability Zones.
B. Modify the EC2 Auto Scaling group so it will scale horizontally when CPU utilization is 50%.
C. Provision a second production environment in the Asia Pacific Region and use an ALB to distribute cross-Region access.
D. Provision a second production environment in the Asia Pacific Region and use Amazon Route 53 latency-based routing.
E. Set up an Amazon CloudFront distribution to handle static content for users accessing it from different geographic locations.
378. A large company has multiple AWS accounts that are assigned to each department. A SysOps administrator needs to help the company reduce overhead and manage its AWS resources more easily. The SysOps administrator also must ensure that department users, including AWS account root users, have access only to AWS services that are essential for their job function. Which solution will meet these requirements?
A. Enable AWS Directory Service. Enforce Group Policy Objects (GPOs) on each department to restrict access.
B. Migrate all the accounts to a central account. Create IAM groups for each department with only the necessary permissions.
C. Use AWS Organizations and implement service control policies (SCPs) to ensure accounts use only essential AWS services.
D. Use AWS Single Sign-On and configure it to limit access to only essential AWS services.
379. A security officer has requested that internet access be removed from subnets in a VPC. The subnets currently route internet-bound traffic to a NAT gateway. A SysOps administrator needs to remove this access while allowing access to Amazon S3. Which solution will meet these requirements?
A. Set up an internet gateway. Update the route table on the subnets to use the internet gateway to route traffic to Amazon S3.
B. Set up an S3 VPC gateway endpoint. Update the route table on the subnets to use the gateway endpoint to route traffic to Amazon S3.
C. Set up additional NAT gateways in each Availability Zone. Update the route table on the subnets to use the NAT gateways to route traffic to Amazon S3.
D. Set up an egress-only internet gateway. Update the route table on the subnets to use the egress-only internet gateway to route traffic to Amazon S3.
380. An application is running on Amazon EC2 instances and storing all application data in Amazon S3. The company wants to archive all files older than 30 days to reduce costs. Archived files are used for auditing purposes only; however, the audit team may need to retrieve files in under a minute. How should the SysOps administrator implement these requirements?
A. Configure an S3 bucket policy to move all objects older than 30 days to S3 Standard-Infrequent Access (S3 Standard-IA).
B. Create a lifecycle rule to move all objects older than 30 days to S3 Glacier.
C. Create a lifecycle rule to move all objects older than 30 days to S3 Standard-Infrequent Access (S3 Standard-IA).
D. Use S3 Intelligent-Tiering to move files older than 30 days to S3 Glacier Deep Archive.
381. A company has developed a new memory-intensive application that is deployed to a large Amazon EC2 Linux fleet. The company is concerned about potential memory exhaustion, so the development team wants to monitor memory usage by using Amazon CloudWatch. What is the MOST operationally efficient way to accomplish this goal?
A. Create an AWS Lambda function to capture memory utilization of the EC2 instances. Schedule the Lambda function with Amazon EventBridge (Amazon CloudWatch Events).
B. Deploy the application to memory optimized EC2 instances. Use the CloudWatch MemoryUtilization metric.
C. Install the CloudWatch agent on the EC2 instances to collect and send metrics to CloudWatch.
D. Install the CloudWatch monitoring scripts on the EC2 instances to collect and send metrics to CloudWatch.
382. A company uses LDAP-based credentials and has a Security Assertion Markup Language (SAML) 2.0 identity provider. A SysOps administrator has configured various federated roles in a new AWS account to provide AWS Management Console access for groups of users that use the existing LDAP-based credentials. Several groups want to use the AWS CLI on their workstations to automate daily tasks. To enable them to do so, the SysOps administrator has created an application that authenticates a user and generates a SAML assertion. Which API call should be used to retrieve credentials for federated programmatic access?
A. sts:AssumeRole
B. sts:AssumeRoleWithSAML
C. sts:AssumeRoleWithWebIdentity
D. sts:GetFederationToken
383. A SysOps administrator is implementing automated I/O load performance testing as part of the continuous integration/continuous delivery (CI/CD) process for an application. The application uses an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS volume for each instance that is restored from a snapshot and requires consistent I/O performance. During the initial tests, the I/O performance results are sporadic. The SysOps administrator must ensure that the tests yield more consistent results. Which actions could the SysOps administrator take to accomplish this goal? (Choose two.)
A. Restore the EBS volume from the snapshot with fast snapshot restore enabled.
B. Restore the EBS volume from the snapshot using the cold HDD volume type.
C. Restore the EBS volume from the snapshot and pre-warm the volume by reading all of the blocks.
D. Restore the EBS volume from the snapshot and configure encryption.
E. Restore the EBS volume from the snapshot and configure I/O block size at random.
384. A streaming services company has a three-tier web application hosted on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). When the Auto Scaling group scales in, a deregistration delay occurs and the delay is sometimes longer than the time required to terminate the EC2 instance. A SysOps administrator must ensure that the latest logs are delivered to an external system before the EC2 instance is terminated. Which solution will solve this problem?
A. Add a lifecycle hook to the Auto Scaling group to put the EC2 instance in a wait state until the log files have been delivered.
B. Configure a fixed response for the ALB to use custom error messages to respond to incoming requests with HTTP error response codes.
C. Create an Amazon CloudWatch alarm based on the RequestCountPerTarget metric for the Auto Scaling group. Modify the cooldown period to wait until the EC2 instance is terminated.
D. Update the launch configuration to enable scale-in protection for the Auto Scaling group and detach the EC2 instance protected for termination.
385. A SysOps administrator needs to register targets for a Network Load Balancer (NLB) using IP addresses. Which prerequisite should the SysOps administrator validate to perform this task?
A. Ensure the NLB listener security policy is set to ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-1-2-Res-2019-08, or ELBSecurityPolicy-TLS-1-0-2015-04.
B. Ensure the health check setting on the NLB for the Matcher configuration is between 200 and 399.
C. Ensure the targets are within any of these CIDR blocks: 10.0.0.0/8 (RFC 1918), 100.64.0.0/10 (RFC 6598), 172.16.0.0/12 (RFC 1918), or 192.168.0.0/16 (RFC 1918).
D. Ensure the NLB is exposed as an endpoint service before registering the targets using IP addresses.
386. A company has a web application that is deployed in a VPC. Inbound traffic to this web application comes in through an internet gateway and arrives at a Network Load Balancer (NLB). From there, the traffic travels to multiple Amazon EC2 instances in two private subnets. The company wants to perform deep packet inspection on the inbound traffic to identify potential hacking attempts. Which solution meets these requirements?
A. Configure AWS Shield for the VPC.
B. Use AWS Network Firewall on the VPC. Configure Network Firewall to perform deep packet inspection.
C. Use AWS Network Firewall on the subnets. Configure Network Firewall to perform deep packet inspection.
D. Set up Traffic Mirroring on an inbound port of the NLB.
387. A SysOps administrator has set up a new public Application Load Balancer (ALB) in front of a pair of private web servers in multiple Availability Zones. After deploying an updated AWS CloudFormation template with many changes, user traffic now goes to one web server only. What is the MOST likely reason that the traffic is not being balanced between both servers?
A. The faulty server is returning HTTP 200 codes and has been removed.
B. Sticky sessions have been disabled in the ALB for the working server.
C. The ALB is using a custom ping path that is not found on the faulty server.
D. The web clients are using HTTP/2, which is terminated at the ALB.
388. A company’s AWS account users are launching Amazon EC2 instances without required cost allocation tags. A SysOps administrator needs to prevent users within an organization in AWS Organizations from launching new EC2 instances that do not have the required tags. The solution must require the least possible operational overhead. Which solution meets these requirements?
A. Set up an AWS Lambda function that will initiate a run instance event and check for the required tags. Configure the function to prevent the launch of EC2 instances if the tags are missing.
B. Set up an AWS Config rule to monitor for EC2 instances that lack the required tags.
C. Set up a service control policy (SCP) that prevents the launch of EC2 instances that lack the required tags. Attach the SCP to the organization root.
D. Set up an Amazon CloudWatch alarm to stop any EC2 instances that lack the required tags.
389. A company recently migrated its three-tier web application to AWS. The application runs on Amazon EC2 instances that are in an Auto Scaling group. A SysOps administrator must create a monitoring dashboard to watch CPU and network utilization for each instance at 1-minute intervals. How can the SysOps administrator meet this requirement?
A. Create an Amazon CloudWatch dashboard with basic monitoring.
B. Set up AWS CloudTrail with a dashboard on Amazon QuickSight.
C. Create an Amazon CloudWatch dashboard, and enable detailed monitoring.
D. Use the AWS Personal Health Dashboard.
390. A company is hosting backend web services across Amazon EC2 Linux instances in public subnets in a VPC. A SysOps administrator tries to connect to the instance by using SSH but is unable to connect. What could be the cause of the failed connection?
A. The security group does not allow inbound traffic on port 22.
B. The network ACL does not allow outbound traffic on port 80.
C. The security group does not allow outbound traffic on port 3389.
D. The network ACL does not allow inbound traffic on port 443.
391. A company uses many Amazon Elastic Block Store (Amazon EBS) volumes. The company wants to use Amazon Data Lifecycle Manager (Amazon DLM) to manage the lifecycle of EBS snapshots that have tags of “Production” and “Compliance”. Which combination of the following are needed to turn on this feature? (Choose two.)
A. A minimum storage requirement of 5 GB
B. One IAM role for Amazon DLM and another IAM role for the users
C. Encryption of the EBS volumes
D. A minimum baseline performance of 3 IOPS/GB
E. Tagging of the EBS volumes
392. A company is creating an application that will keep records. The application will run on Amazon EC2 instances and will use an Amazon Aurora MySQL database as its data store. To maintain compliance, the application must not retain information that is determined to be sensitive. Which technique should a SysOps administrator use to detect if sensitive data is being stored in the application?
A. Export data from the database by using an AWS Lambda function. Store the data in Amazon S3. Use Amazon Macie to examine the stored data. Examine the report for any sensitive data that is discovered.
B. Install the Amazon GuardDuty plugin for Aurora. Configure GuardDuty to examine the database. Add the corresponding EC2 CIDR ranges to the trusted IP list in GuardDuty. Examine the report for any sensitive data that is discovered.
C. Deploy Amazon Inspector by installing the Amazon Inspector agent on all EC2 instances. Set the Amazon Inspector assessment type to HOST assessment. Include NETWORK communications with the Aurora DB cluster. Examine the report for any sensitive data that is discovered.
D. Use VPC Flow Logs to examine traffic between the EC2 instances and the Aurora DB cluster. Store the log files in Amazon S3. Use Amazon Detective to examine the extracted log files. Examine the report for any sensitive data that is discovered.
393. A SysOps administrator needs a secure way to connect to AWS Key Management Service (AWS KMS) within a VPC. The SysOps administrator must ensure that connections to AWS KMS do not traverse the internet. What is the MOST secure solution that meets these requirements?
A. Use a bastion host to connect to AWS KMS.
B. Use a NAT gateway to connect to AWS KMS.
C. Use a VPC gateway endpoint for Amazon S3 to connect to AWS KMS.
D. Use a VPC interface endpoint to connect to AWS KMS.
394. A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations. What should a SysOps administrator do to implement this requirement?
A. Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
B. Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
C. Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
D. Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
395. A company has an application that is running on an Amazon EC2 instance in one Availability Zone. A SysOps administrator needs to make the application highly available. The SysOps administrator has created a launch configuration from the running EC2 instance. The SysOps administrator also has properly configured a load balancer. What should the SysOps administrator do next to make the application highly available?
A. Create an Auto Scaling group by using the launch configuration across at least two Availability Zones. Configure a minimum capacity of 1, a desired capacity of 1, and a maximum capacity of 1.
B. Create an Auto Scaling group by using the launch configuration across at least three Availability Zones. Configure a minimum capacity of 2, a desired capacity of 2, and a maximum capacity of 2.
C. Create an Auto Scaling group by using the launch configuration across at least two AWS Regions. Configure a minimum capacity of 1, a desired capacity of 1, and a maximum capacity of 1.
D. Create an Auto Scaling group by using the launch configuration across at least three AWS Regions. Configure a minimum capacity of 2, a desired capacity of 2, and a maximum capacity of 2.
396. A SysOps administrator is testing a new batch job. The batch job will upload 20 GB of data from Amazon EC2 instances in a private subnet to an Amazon S3 bucket each day. After the first test is complete, a small cost is reported. The cost has the heading “NAT Gateway – Data Processed.” Which change can the SysOps administrator make to eliminate this cost for future tests?
A. Configure and use a VPC endpoint.
B. Write an S3 bucket policy to enforce encryption in transit for the uploads.
C. Configure the S3 bucket to use the S3 Intelligent-Tiering storage class.
D. Disable cross-origin resource sharing (CORS) for the S3 bucket.
397. A SysOps administrator is deploying a fleet of over 100 Amazon EC2 instances in an Amazon VPC. After the instances are set up and serving clients, a new DNS server needs to be added to the instances for DNS resolution. What is the MOST efficient way to make this change?
A. Update the DHCP options set for the Amazon VPC.
B. Use AWS OpsWorks to update the DNS server configuration for each instance.
C. Use AWS Systems Manager to update the DMS server configuration for each instance.
D. Write a script to update the DNS server configuration for each instance.
398. A company wants to track Amazon EC2 usage charges that are based on the value of a tag that is named Business-Unit. Company leaders instruct developers to update all EC2 resources with the tag. The developers notify the leaders that they have completed this task. Later that week, a finance team member checks Cost Explorer. The finance team member sees EC2 costs in the different accounts but cannot find the Business-Unit tag to filter by or group by. What is the MOST likely reason that the Business-Unit tag is absent?
A. The Business-Unit tag is not activated as a cost allocation tag in the AWS Billing and Cost Management console.
B. The Business-Unit tag is not valid because tag key names do not support dashes (-).
C. The instances have been rebooted, and the developers neglected to re-add the Business-Unit tag after the reboot.
D. The IAM user does not have permission to view the tags in Cost Explorer.
399. A developer created a new application that uses Spot Fleet for a variety of instance families across multiple Availability Zones. What should the developer do to ensure that the Spot Fleet is configured for cost optimization?
A. Deploy a capacityOptimized allocation strategy for provisioning Spot Instances.
B. Ensure instance capacity by specifying the desired target capacity and how much of that capacity must be On-Demand.
C. Use the lowestPrice allocation strategy with InstancePoolsToUseCount in the Spot Fleet request.
D. Launch instances up to the Spot Fleet target capacity or the maximum acceptable payment amount.
400. A SysOps administrator must run a script on production servers to fix an issue. The company has a policy to block all remote interactive access to production servers. Based on this situation, how should the administrator run the script?
A. Share and use the Amazon EC2 key pairs to gain access to the servers and run the script.
B. Put the script into the user data of the instances.
C. Configure the script to run as a cron job or scheduled task on the EC2 instances.
D. Use AWS Systems Manager to run the script.
401. A company is hosting a website on an Amazon EC2 instance that runs in a public subnet inside a VPC. The company uses Amazon CloudWatch Logs for web server log analysis. A SysOps administrator has installed and configured the CloudWatch Logs agent on the EC2 instance and has confirmed that the agent is running. However, logs are not showing up in CloudWatch Logs. Which solution will resolve this issue?
A. Modify the EC2 instance security group rules to allow inbound traffic on port 80.
B. Create an IAM user that has the proper permissions for CloudWatch logs. Create an IAM instance profile, and associate it with the IAM user. Associate the instance profile with the EC2 instance.
C. Create an IAM role that has the proper permissions for CloudWatch logs. Create an IAM instance profile, and associate it with the IAM role. Associate the instance profile with the EC2 instance.
D. Modify the VPC’s network ACL rules for the public subnet to allow inbound traffic on port 80.
402. A company’s audit shows that users have been changing cost-related tags on Amazon EC2 instances after deployment. The company has an organization in AWS Organizations with many AWS accounts. The company needs a solution to detect the EC2 instances automatically. The solution must require the least possible operational overhead. Which solution meets these requirements?
A. Use service control policies (SCPs) to track EC2 instances that do not have the required tags.
B. Use Amazon Inspector to run a report to identify EC2 instances that do not have the required tags.
C. Use an AWS Config rule to track EC2 instances that do not have the required tags.
D. Use AWS Well-Architected Tool (AWS WA Tool) to run a report to identify EC2 instances that do not have the required tags.