AWS Certified SysOps Administrator SOA-C02 Part 2
Question #: 51
Topic #: 1
A company’s SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs.
What could be blocking the VPC flow logs from being published to CloudWatch Logs?
A. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateLogGroup permission
B. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateExportTask permission
C. The VPC is configured for IPv6 addresses
D. The VPC is peered with another VPC in the AWS account
Hint Answer: A
Question #: 52
Topic #: 1
A company uses a multi-account structure in the AWS Cloud. The company’s environment includes a shared account for common resources. The environment also includes a development account for new application development. The company uses Amazon Route 53 for DNS management. The company manages all its Route 53 hosted zones from the shared account.
A SysOps administrator needs to obtain a new SSL/TLS certificate for an application that is deployed in the development account.
What must the SysOps administrator do to meet this requirement?
A. Create a new AWS Key Management Service (AWS KMS) key in the shared account. Configure the key policy to give read access to the development account’s root principal.
B. Request a new certificate by using AWS Certificate Manager (ACM) from the shared account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.
C. Request a new certificate by using AWS Certificate Manager (ACM) from the development account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.
D. Create a new AWS Key Management Service (AWS KMS) key in the development account. Configure the key policy to give read access to the shared account’s root principal. Use Route 53 from the shared account to create a validation record set that references the Amazon Resource Name (ARN) of the KMS key.
Hint Answer: C
Question #: 53
Topic #: 1
A company needs to track spending in its AWS account. The company must receive a notification when current costs and forecasted costs exceed specific thresholds.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new IAM role. Attach the AWSPurchaseOrdersServiceRolePolicy AWS managed policy to the role. Check AWS Cost Explorer on a regular basis to monitor current costs and forecasted costs.
B. Create an AWS Cost and Usage Report. Create an AWS Step Functions state machine that runs when a new usage file is generated. Configure the state machine to pass the data to Amazon Forecast and to invoke an AWS Lambda function. Configure the Lambda function to parse the data and to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if costs exceed the thresholds.
C. Create an AWS Cost and Usage Report. Separate the current costs and forecasted costs by service. Schedule the report to be sent to an Amazon Simple Notification Service (Amazon SNS) topic each month.
D. Create a recurring cost budget in AWS Budgets. Create an alert for the actual cost. Create a second alert for the forecasted costs. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive the alerts.
Hint Answer: D
Question #: 54
Topic #: 1
A company uses AWS CloudFormation to deploy its infrastructure. The company recently retired an application. A cloud operations engineer initiates CloudFormation stack deletion, and the stack gets stuck in DELETE_FAILED status.
A SysOps administrator discovers that the stack had deployed a security group. The security group is referenced by other security groups in the environment. The SysOps administrator needs to delete the stack without affecting other applications.
Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create a new security group that has a different name. Apply identical rules to the new security group. Replace all other security groups that reference the new security group. Delete the stack.
B. Create a CloudFormation change set to delete the security group. Deploy the change set.
C. Delete the stack again. Specify that the security group be retained.
D. Perform CloudFormation drift detection. Delete the stack.
Hint Answer: C
Question #: 55
Topic #: 1
A company recently moved its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch Logs to track the instance logs.
What should a SysOps administrator do to meet this requirement in compliance with AWS best practices?
A. Configure CloudWatch from the AWS Management Console for the instances. Wait for AWS to automatically install and configure the agents for the instances
B. Install and configure the CloudWatch agent on the instances. Attach an IAM role to allow the instances to write logs to CloudWatch
C. Install and configure the CloudWatch agent on the instances. Attach an IAM user to allow the instances to write logs to CloudWatch
D. Install and configure the CloudWatch agent on the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch
Hint Answer: B
Question #: 56
Topic #: 1
A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A SysOps administrator must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company’s accounts and cloud applications.
Which prerequisites must the SysOps administrator have so that the SysOps administrator can connect to the external IdP? (Choose two.)
A. A copy of the IAM Identity Center SAML metadata
B. The IdP metadata including the public X.509 certificate
C. The IP address of the IdP
D. Root access to the management account
E. Administrative permissions to the member accounts of the organization
Hint Answer: AB
Question #: 57
Topic #: 1
A company runs thousands of Amazon EC2 instances that are based on the Amazon Linux 2 Amazon Machine Image (AMI). A SysOps administrator must implement a solution to record commands and output from any user that needs an interactive session on one of the EC2 instances. The solution must log the data to a durable storage location. The solution also must provide automated notifications and alarms that are based on the log data.
Which solution will meet these requirements with the MOST operational efficiency?
A. Configure command session logging on each EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up query filters and alerts by using Amazon Athena.
B. Require all users to use a central bastion host when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent on the bastion host to send session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
C. Require all users to use AWS Systems Manager Session Manager when they need command line access to an EC2 instance. Configure Session Manager to stream session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
D. Configure command session logging on each EC2 instance. Require all users to use AWS Systems Manager Run Command documents when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up CloudWatch alarms that are based on Amazon Athena query results.
Hint Answer: C
Question #: 58
Topic #: 1
A SysOps administrator needs to create a report that shows how many bytes are sent to and received from each target group member for an Application Load Balancer (ALB).
Which combination of steps should the SysOps administrator take to meet these requirements? (Choose two.)
A. Enable access logging for the ALB. Save the logs to an Amazon S3 bucket.
B. Install the Amazon CloudWatch agent on the instances in the target group.
C. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the target port field.
D. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the client port field.
E. Create an Amazon CloudWatch dashboard that shows the Sum statistic of the ProcessedBytes metric for the ALB.
Hint Answer: AC
Question #: 59
Topic #: 1
A company is uploading important files as objects to Amazon S3. The company needs to be informed if an object is corrupted during the upload.
What should a SysOps administrator do to meet this requirement?
A. Pass the Content-Disposition value as a request body during the object upload
B. Pass the Content-MD5 value as a request header during the object upload
C. Pass x-amz-object-lock-mode as a request header during the object upload
D. Pass x-amz-server-side-encryption-customer-algorithm as a request body during the object upload
Hint Answer: B
Question #: 60
Topic #: 1
A company observes that a newly created Amazon CloudWatch alarm is not transitioning out of the INSUFFICIENT_DATA state. The alarm was created to track the mem_used_percent metric from an Amazon EC2 instance that is deployed in a public subnet.
A review of the EC2 instance shows that the unified CloudWatch agent is installed and is running. However, the metric is not available in CloudWatch. A SysOps administrator needs to implement a solution to resolve this problem.
Which solution will meet these requirements?
A. Enable CloudWatch detailed monitoring for the EC2 instance
B. Create an IAM instance profile that contains CloudWatch permissions. Add the instance profile to the EC2 instance
C. Migrate the EC2 instance into a private subnet
D. Create an IAM user that has an access key ID and a secret access key. Update the unified CloudWatch agent configuration file to use those credentials
Hint Answer: B
Question #: 61
Topic #: 1
A company has an Amazon EC2 instance that has high CPU utilization. The EC2 instance is a t3.large instance and is running a test web application. The company discovers that the web application would operate better on a compute optimized large instance.
What should a SysOps administrator do to make this change?
A. Migrate the EC2 instance to a compute optimized instance by using AWS VM Import/Export.
B. Enable hibernation on the EC2 instance. Change the instance type to a compute optimized instance. Disable hibernation on the EC2 instance.
C. Stop the EC2 instance. Change the instance type to a compute optimized instance. Start the EC2 instance.
D. Change the instance type to a compute optimized instance while the EC2 instance is running.
Hint Answer: C
Question #: 62
Topic #: 1
A SysOps administrator created an AWS CloudFormation template that provisions an Amazon EventBridge rule that invokes an AWS Lambda function. The Lambda function is designed to write event details to an Amazon CloudWatch log group. The function has permissions to write events to Amazon CloudWatch Logs. However, the SysOps administrator discovered that the Lambda function is not running.
How should the SysOps administrator resolve the problem?
A. Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for EventBridge to invoke the function. Assign the role to the EventBridge rule.
B. Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for the function. Assign the role as the function execution role.
C. Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure events.amazonaws.com has permissions to invoke the function.
D. Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure lambda.amazonaws.com has permissions to invoke the function.
Hint Answer: C
Question #: 63
Topic #: 1
A company is using AWS Certificate Manager (ACM) to manage public SSL/TLS certificates. A SysOps administrator needs to send an email notification when a certificate has less than 14 days until expiration.
Which solution will meet this requirement with the LEAST operational overhead?
A. Create an Amazon CloudWatch custom metric to monitor certificate expiration for all ACM certificates. Create an Amazon EventBridge rule that has an event source of aws.cloudwatch. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if the DaysToExpiry metric is less than 14. Subscribe the appropriate email addresses to the SNS topic.
B. Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if DaysToExpiry is less than 14. Subscribe the appropriate email addresses to the SNS topic.
C. Create an Amazon CloudWatch dashboard that displays the DaysToExpiry metric for all ACM certificates. If DaysToExpiry is less than 14, send an email message to the appropriate email addresses. Send the email message by running a predefined CLI command to publish to an Amazon Simple Notification Service (Amazon SNS) topic.
D. Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure a target SMS identity that uses a predefined email template. Configure the rule to send an event to the target SMS identity if DaysToExpiry is less than 14.
Hint Answer: B
Question #: 64
Topic #: 1
A SysOps administrator is responsible for the security of a company’s AWS account. The company has a policy that a user may stop or terminate Amazon EC2 instances only when the user is authenticated by using a multi-factor authentication (MFA) device.
Which policy should the SysOps administrator apply to meet this requirement?
A.
B.
C.
D.
Hint Answer: A
Question #: 65
Topic #: 1
A SysOps administrator needs to monitor a process that runs on Linux Amazon EC2 instances. If the process stops, the process must restart automatically. The Amazon CloudWatch agent is already installed on all the EC2 instances.
Which solution will meet these requirements?
A. Add a procstat monitoring configuration to the CloudWatch agent for the process. Create an Amazon EventBridge event rule that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
B. Add a StatsD monitoring configuration to the CloudWatch agent for the process. Create a CloudWatch alarm that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
C. Add a StatsD monitoring configuration to the CloudWatch agent for the process. Create an Amazon EventBridge event rule that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
D. Add a procstat monitoring configuration to the CloudWatch agent for the process. Create a CloudWatch alarm that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
Hint Answer: A
Question #: 66
Topic #: 1
A company has a cluster of Linux Amazon EC2 Spot Instances that read many files from and write many files to attached Amazon Elastic Block Store (Amazon EBS) volumes. The EC2 instances are frequently started and stopped. As part of the process when an EC2 instance starts, an EBS volume is restored from a snapshot.
EBS volumes that are restored from snapshots are experiencing initial performance that is lower than expected. The company’s workload needs almost all the provisioned IOPS on the attached EBS volumes. The EC2 instances are unable to support the workload when the performance of the EBS volumes is too low. A SysOps administrator must implement a solution to ensure that the EBS volumes provide the expected performance when they are restored from snapshots.
Which solution will meet these requirements?
A. Configure fast snapshot restore (FSR) on the snapshots that are used.
B. Restore each snapshot onto an unencrypted EBS volume. Encrypt the EBS volume when the performance stabilizes.
C. Format the EBS volumes as XFS file systems before restoring the snapshots.
D. Increase the Linux read-ahead buffer to 1 MiB.
Hint Answer: A
Question #: 67
Topic #: 1
A SysOps administrator is re-architecting an application. The SysOps administrator has moved the database from a public subnet, where the database used a public endpoint, into a private subnet to restrict access from the public network. After this change, an AWS Lambda function that requires read access to the database cannot connect to the database. The SysOps administrator must resolve this issue without compromising security.
Which solution meets these requirements?
A. Create an AWS PrivateLink interface endpoint for the Lambda function. Connect to the database using its private endpoint.
B. Connect the Lambda function to the database VPC. Connect to the database using its private endpoint.
C. Attach an IAM role to the Lambda function with read permissions to the database.
D. Move the database to a public subnet. Use security groups for secure access.
Hint Answer: A
Question #: 68
Topic #: 1
A company is running Amazon RDS for PostgreSQL Multi-AZ DB clusters. The company uses an AWS CloudFormation template to create the databases individually with a default size of 100 GB. The company creates the databases every Monday and deletes the databases every Friday.
Occasionally, the databases run low on disk space and initiate an Amazon CloudWatch alarm. A SysOps administrator must prevent the databases from running low on disk space in the future.
Which solution will meet these requirements with the FEWEST changes to the application?
A. Modify the CloudFormation template to use Amazon Aurora PostgreSQL as the DB engine.
B. Modify the CloudFormation template to use Amazon DynamoDB as the database. Activate storage auto scaling during creation of the tables.
C. Modify the CloudFormation template to activate storage auto scaling on the existing DB instances.
D. Create a CloudWatch alarm to monitor DB instance storage space. Configure the alarm to invoke the VACUUM command.
Hint Answer: C
Question #: 69
Topic #: 1
A company has an Amazon EC2 instance that supports a production system. The EC2 instance is backed by an Amazon Elastic Block Store (Amazon EBS) volume. The EBS volume’s drive has filled to 100% capacity, which is causing the application on the EC2 instance to experience errors.
Which solution will remediate these errors in the LEAST amount of time?
A. Modify the EBS volume by adding additional drive space. Log on to the EC2 instance. Use the file system-specific commands to extend the file system.
B. Create a snapshot of the existing EBS volume. When the snapshot is complete, create an EBS volume of a larger size from the snapshot in the same Availability Zone as the EC2 instance. Attach the new EBS volume to the EC2 instance. Mount the file system.
C. Create a new EBS volume of a larger size in the same Availability Zone as the EC2 instance. Attach the EBS volume to the EC2 instance. Copy the data from the existing EBS volume to the new EBS volume.
D. Stop the EC2 instance. Change the EC2 instance to a larger instance size that includes additional drive space. Start the EC2 instance.
Hint Answer: A
Question #: 70
Topic #: 1
A company stores data in Amazon S3 buckets that are provisioned in three separate AWS Regions. The data is copied from the S3 buckets to the data center over the public internet using a VPN. The SysOps administrator notices that, occasionally, the transfers take longer than usual, and determines the issue is congestion within the company’s ISP network.
What is the MOST cost-effective approach the administrator can take to ensure consistent transfer times from S3 to the data center?
A. Establish an AWS Direct Connect link to each Region. Create a private virtual interface over each link.
B. Establish an AWS Direct Connect link to each Region. Create a public virtual interface over each link.
C. Establish an AWS Direct Connect link to one of the Regions. Create a private virtual interface over that link.
D. Establish an AWS Direct Connect link to one of the Regions. Create a public virtual interface over that link.
Hint Answer: C
Question #: 71
Topic #: 1
A company’s web application runs on Amazon EC2 instances in a single AWS Region. The infrastructure must be designed so the application remains available with no performance degradation in the event of an Availability Zone (AZ) failure. To ensure optimal performance, the application must maintain a minimum of 12 instances at all times.
Which solution will meet the requirements with the fewest running instances possible?
A. 2 AZs with 6 instances in each AZ
B. 2 AZs with 12 instances in each AZ
C. 3 AZs with 4 instances in each AZ
D. 3 AZs with 6 instances in each AZ
Hint Answer: D
Question #: 72
Topic #: 1
A company stores its internal data within an Amazon S3 bucket. All existing data within the S3 bucket is protected by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3). S3 Versioning is enabled. A SysOps administrator must replicate the internal data to another S3 bucket in a different AWS account for disaster recovery. All the existing data is copied from the source S3 bucket to the destination S3 bucket.
Which replication solution is MOST operationally efficient?
A. Add a replication rule to the source bucket and specify the destination bucket. Create a bucket policy for the destination bucket to allow the owner of the source bucket to replicate objects.
B. Schedule an AWS Batch job with Amazon EventBridge to copy new objects from the source bucket to the destination bucket. Create a Batch Operations IAM role in the destination account.
C. Configure an Amazon S3 event notification for the source bucket to invoke an AWS Lambda function to copy new objects to the destination bucket. Ensure that the Lambda function has cross-account access permissions.
D. Run a scheduled script on an Amazon EC2 instance to copy new objects from the source bucket to the destination bucket. Assign cross-account access permissions to the EC2 instance’s role.
Hint Answer: A
Question #: 73
Topic #: 1
A company deploys a new application to Amazon EC2 instances. The application code is stored in an AWS CodeCommit repository. The company uses an AWS CodePipeline pipeline to deploy the code to the EC2 instances through a continuous integration and continuous delivery (CI/CD) process.
A SysOps administrator needs to ensure that sensitive database information is configured properly on the EC2 instances to prevent accidental leakage of credentials.
Which solutions will store and retrieve the sensitive information in the MOST secure manner? (Choose two.)
A. Store the values in AWS Secrets Manager. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.
B. Store the values in AWS Systems Manager Parameter Store as secret strings. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.
C. Store the values in an AWS Lambda function. Update the code to invoke the Lambda function when the application starts. Configure the Lambda function to inject the values as environmental variables that the application can use.
D. Store the configuration information in a file on the EC2 instances. Ensure that the underlying drives are encrypted by AWS Key Management Service (AWS KMS). Update the application to read the file when the application starts. Store the values as environmental variables.
E. Store the values in a text file in an Amazon S3 bucket. In the CI/CD pipeline, copy the file to the EC2 instance in an appropriate location on a disk that the application can read.
Hint Answer: AB
Question #: 74
Topic #: 1
A SysOps administrator has many Windows Amazon EC2 instances that need to share a file system between nodes. The SysOps administrator creates an Amazon Elastic File System (Amazon EFS) file share. After creation of the file share, the SysOps administrator is having trouble mounting the file share to the EC2 instances.
Which action should the SysOps administrator take so that the EC2 instances can share the files?
A. Delete the EFS file share. Create an Amazon FSx for Windows File Server file share for the EC2 instances.
B. Use the correct IAM credentials to mount the EFS file share.
C. Configure NFSv4 support on the Windows operating system that is running on the EC2 instances.
D. Allow the correct port for NFS through the security group and network ACL.
Hint Answer: A
Question #: 75
Topic #: 1
A company uses AWS CloudFormation to manage a stack of Amazon EC2 instances on AWS. A SysOps administrator needs to keep the instances and all of the instances’ data, even if someone deletes the stack.
Which solution will meet these requirements?
A. Set the DeletionPolicy attribute to Snapshot for the EC2 instance resource in the CloudFormation template.
B. Automate backups by using Amazon Data Lifecycle Manager (Amazon DLM).
C. Create a backup plan in AWS Backup.
D. Set the DeletionPolicy attribute to Retain for the EC2 instance resource in the CloudFormation template.
Hint Answer: D
Question #: 76
Topic #: 1
A SysOps administrator is managing a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy.
Which condition should be used with the alarm?
A. AWS/ApplicationELB HealthyHostCount <= 0
B. AWS/ApplicationELB UnhealthyHostCount >= 1
C. AWS/EC2 StatusCheckFailed <= 0
D. AWS/EC2 StatusCheckFailed >= 1
Hint Answer: A
Question #: 77
Topic #: 1
A company’s SysOps administrator manages a fleet of Windows Amazon EC2 instances that run in a single AWS account. The instances have a tag that includes a key of “OS” and a value of “Windows.” The company uses AWS Systems Manager to patch the instances.
The company has installed the Amazon CloudWatch agent on the instances, but the configuration is inconsistent. The SysOps administrator needs to reconfigure every instance to use the same predefined CloudWatch configuration.
Which combination of steps will meet these requirements? (Choose two.)
A. Store the CloudWatch agent configuration file in an Amazon S3 bucket.
B. Store the contents of the CloudWatch agent configuration file in Systems Manager OpsCenter.
C. Store the contents of the CloudWatch agent configuration file in Systems Manager Parameter Store.
D. Create a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Select Systems Manager as an optional configuration source. Target the instances based on tag values.
E. Create a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Configure the document to use the S3 bucket location as the configuration source. Target the instances based on tag value.
Hint Answer: CD
Question #: 78
Topic #: 1
A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps administrator notices that some of these EC2 instances show up as healthy in the Auto Scaling group but show up as unhealthy in the ALB target group.
What is a possible reason for this issue?
A. Security groups are not allowing traffic between the ALB and the failing EC2 instances.
B. The Auto Scaling group health check is configured for EC2 status checks.
C. The EC2 instances are failing to launch and failing EC2 status checks.
D. The target group health check is configured with an incorrect port or path.
Hint Answer: B
Question #: 79
Topic #: 1
A company’s architecture team must receive immediate email notification whenever new Amazon EC2 instances are launched in the company’s main AWS production account.
What should a SysOps administrator do to meet this requirement?
A. Create a user data script that sends an email message through a smart host connector. Include the architecture team’s email address in the user data script as the recipient. Ensure that all new EC2 instances include the user data script as part of a standardized build process.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic and a subscription that uses the email protocol. Enter the architecture team’s email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched. Specify the SNS topic as the rule’s target.
C. Create an Amazon Simple Queue Service (Amazon SQS) queue and a subscription that uses the email protocol. Enter the architecture team’s email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched. Specify the SQS queue as the rule’s target.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure AWS Systems Manager to publish EC2 events to the SNS topic. Create an AWS Lambda function to poll the SNS topic. Configure the Lambda function to send any messages to the architecture team’s email address.
Hint Answer: B
Question #: 80
Topic #: 1
An ecommerce company uses an Amazon ElastiCache for Memcached cluster for in-memory caching of popular product queries on the shopping site. When viewing recent Amazon CloudWatch metrics data for the ElastiCache cluster, the SysOps administrator notices a large number of evictions.
Which of the following actions will reduce these evictions? (Choose two.)
A. Add an additional node to the ElastiCache cluster.
B. Increase the ElastiCache time to live (TTL).
C. Increase the individual node size inside the ElastiCache cluster.
D. Put an Elastic Load Balancer in front of the ElastiCache cluster.
E. Use Amazon Simple Queue Service (Amazon SQS) to decouple the ElastiCache cluster.
Hint Answer: AC
Question #: 81
Topic #: 1
A company runs a stateless application that is hosted on an Amazon EC2 instance. Users are reporting performance issues. A SysOps administrator reviews the Amazon CloudWatch metrics for the application and notices that the instance’s CPU utilization frequently reaches 90% during business hours.
What is the MOST operationally efficient solution that will improve the application’s responsiveness?
A. Configure CloudWatch logging on the EC2 instance. Configure a CloudWatch alarm for CPU utilization to alert the SysOps administrator when CPU utilization goes above 90%.
B. Configure an AWS Client VPN connection to allow the application users to connect directly to the EC2 instance private IP address to reduce latency.
C. Create an Auto Scaling group, and assign it to an Application Load Balancer. Configure a target tracking scaling policy that is based on the average CPU utilization of the Auto Scaling group.
D. Create a CloudWatch alarm that activates when the EC2 instance’s CPU utilization goes above 80%. Configure the alarm to invoke an AWS Lambda function that vertically scales the instance.
Hint Answer: C
Question #: 82
Topic #: 1
A company is expanding its fleet of Amazon EC2 instances before an expected increase of traffic. When a SysOps administrator attempts to add more instances, an InstanceLimitExceeded error is returned.
What should the SysOps administrator do to resolve this error?
A. Add an additional CIDR block to the VPC.
B. Launch the EC2 instances in a different Availability Zone.
C. Launch new EC2 instances in another VPC.
D. Use Service Quotas to request an EC2 quota increase.
Hint Answer: D
Question #: 83
Topic #: 1
AnyCompany has acquired Example Corp and is attempting to consolidate the business systems of both companies. AnyCompany’s IT department needs to integrate with Example Corp’s IT ticketing system.
A SysOps administrator must implement a solution that uses Amazon CloudWatch alarms for Amazon EC2 instances in AnyCompany’s account to create new tickets in Example Corp’s ticketing system. The ticketing system provides an HTTPS endpoint for the creation of new tickets. The ticketing system accepts messages in the following JSON format:
Which approach to creating tickets from the CloudWatch alarms will meet these requirements with the LEAST development time?
A. Create an Amazon EventBridge rule that filters appropriate events and specifies EventBridge API destinations as a target. Configure EventBridge API destinations to send events to the HTTPS endpoint. In the EventBridge rule, create an input transformer to convert the source to a compatible output for the ticketing system.
B. Create an Amazon EventBridge rule that filters appropriate events and specifies an Amazon Kinesis data stream as the target. Create an AWS Lambda function to receive events from the Kinesis data stream. Configure the Lambda function to start an AWS Glue job to transform the data and forward the output to the HTTPS endpoint.
C. Create an Amazon EventBridge rule that filters appropriate events and specifies Amazon Simple Notification Service (Amazon SNS) as a target. Configure Amazon SNS to transform the events and send the events to the HTTPS endpoint.
D. Create an Amazon EventBridge rule that filters appropriate events and specifies an AWS Step Functions state machine as a target. Create an AWS Lambda function and an AWS Glue job in Step Functions to transform the events and send the events to the HTTPS endpoint.
Hint Answer: A
Question #: 84
Topic #: 1
A company runs a worker process on three Amazon EC2 instances. The instances are in an Auto Scaling group that is configured to use a simple scaling policy. The instances process messages from an Amazon Simple Queue Service (Amazon SQS) queue.
Random periods of increased messages are causing a decrease in the performance of the worker process. A SysOps administrator must scale the instances to accommodate the increased number of messages.
Which solution will meet these requirements?
A. Use CloudWatch to create a metric math expression to calculate the approximate age of the oldest message in the SQS queue. Create a target tracking scaling policy for the metric math expression to modify the Auto Scaling group.
B. Use CloudWatch to create a metric math expression to calculate the approximate number of messages visible in the SQS queue for each instance. Create a target tracking scaling policy for the metric math expression to modify the Auto Scaling group.
C. Create an Application Load Balancer (ALB). Attach the ALB to the Auto Scaling group. Create a target tracking scaling policy for the ALBRequestCountPerTarget metric to modify the Auto Scaling group.
D. Create an Application Load Balancer (ALB). Attach the ALB to the Auto Scaling group. Create a scheduled scaling policy for the Auto Scaling group.
Hint Answer: B
Question #: 85
Topic #: 1
A company is implementing a monitoring solution that is based on machine learning. The monitoring solution consumes Amazon EventBridge (Amazon CloudWatch Events) events that are generated by Amazon EC2 Auto Scaling. The monitoring solution provides detection of anomalous behavior such as unanticipated scaling events and is configured as an EventBridge (CloudWatch Events) API destination.
During initial testing, the company discovers that the monitoring solution is not receiving events. However, Amazon CloudWatch is showing that the EventBridge (CloudWatch Events) rule is being invoked. A SysOps administrator must implement a solution to retrieve client error details to help resolve this issue.
Which solution will meet these requirements with the LEAST operational effort?
A. Create an EventBridge (CloudWatch Events) archive for the event pattern to replay the events. Increase the logging on the monitoring solution. Use replay to invoke the monitoring solution. Examine the error details.
B. Add an Amazon Simple Queue Service (Amazon SQS) standard queue as a dead-letter queue for the target. Process the messages in the dead-letter queue to retrieve error details.
C. Create a second EventBridge (CloudWatch Events) rule for the same event pattern to target an AWS Lambda function. Configure the Lambda function to invoke the monitoring solution and to record the results to Amazon CloudWatch Logs. Examine the errors in the logs.
D. Configure the EventBridge (CloudWatch Events) rule to send error messages to an Amazon Simple Notification Service (Amazon SNS) topic.
Hint Answer: B
Question #: 86
Topic #: 1
A company’s SysOps administrator needs to change the AWS Support plan for one of the company’s AWS accounts. The account has multi-factor authentication (MFA) activated, and the MFA device is lost.
What should the SysOps administrator do to sign in?
A. Sign in as a root user by using email and phone verification. Set up a new MFA device. Change the root user password.
B. Sign in as an IAM user with administrator permissions. Resynchronize the MFA token by using the IAM console.
C. Sign in as an IAM user with administrator permissions. Reset the MFA device for the root user by adding a new device.
D. Use the forgot-password process to verify the email address. Set up a new password and MFA device.
Hint Answer: A
Question #: 87
Topic #: 1
A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:
AMI [ami-12345678] does not exist
How should the administrator ensure that the AWS CloudFormation template is working in every region?
A. Copy the source region’s Amazon Machine Image (AMI) to the destination region and assign it the same ID.
B. Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
C. Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.
D. Modify the AWS CloudFormation template by including the AMI IDs in the “Mappings” section. Refer to the proper mapping within the template for the proper AMI ID.
Hint Answer: D
Question #: 88
Topic #: 1
A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware.
What should the SysOps administrator do to meet these requirements?
A. Launch the instances into a cluster placement group in a single AWS Region.
B. Launch the instances into a partition placement group in multiple AWS Regions.
C. Launch the instances into a spread placement group in multiple AWS Regions.
D. Launch the instances into a spread placement group in a single AWS Region.
Hint Answer: D
Question #: 89
Topic #: 1
A company is running a serverless application on AWS Lambda. The application stores data in an Amazon RDS for MySQL DB instance. Usage has steadily increased, and recently there have been numerous “too many connections” errors when the Lambda function attempts to connect to the database. The company already has configured the database to use the maximum max_connections value that is possible.
What should a SysOps administrator do to resolve these errors?
A. Create a read replica of the database. Use Amazon Route 53 to create a weighted DNS record that contains both databases.
B. Use Amazon RDS Proxy to create a proxy. Update the connection string in the Lambda function.
C. Increase the value in the max_connect_errors parameter in the parameter group that the database uses.
D. Update the Lambda function’s reserved concurrency to a higher value.
Hint Answer: B
Question #: 90
Topic #: 1
A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain’s zone apex to the website.
Which type of record should be used to meet these requirements?
A. An AAAA record for the domain’s zone apex
B. An A record for the domain’s zone apex
C. A CNAME record for the domain’s zone apex
D. An alias record for the domain’s zone apex
Hint Answer: D
Question #: 91
Topic #: 1
A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website.
Which action should a SysOps administrator take to resolve this issue?
A. Configure the CloudFront distribution behavior to forward the User-Agent header.
B. Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers.
C. Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.
D. Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint.
Hint Answer: A
Question #: 92
Topic #: 1
A company creates a new member account by using AWS Organizations. A SysOps administrator needs to add AWS Business Support to the new account.
Which combination of steps must the SysOps administrator take to meet this requirement? (Choose two.)
A. Sign in to the new account by using IAM credentials. Change the support plan.
B. Sign in to the new account by using root user credentials. Change the support plan.
C. Use the AWS Support API to change the support plan.
D. Reset the password of the account root user.
E. Create an IAM user that has administrator privileges in the new account.
Hint Answer: AE
Question #: 93
Topic #: 1
A company has a simple web application that runs on a set of Amazon EC2 instances behind an Elastic Load Balancer in the eu-west-2 Region. Amazon Route 53 holds a DNS record for the application with a simple routing policy. Users from all over the world access the application through their web browsers.
The company needs to create additional copies of the application in the us-east-1 Region and in the ap-south-1 Region. The company must direct users to the Region that provides the fastest response times when the users load the application.
What should a SysOps administrator do to meet these requirements?
A. In each new Region, create a new Elastic Load Balancer and a new set of EC2 instances to run a copy of the application. Transition to a geolocation routing policy.
B. In each new Region, create a copy of the application on new EC2 instances. Add these new EC2 instances to the Elastic Load Balancer in eu-west-2. Transition to a latency routing policy.
C. In each new Region, create a copy of the application on new EC2 instances. Add these new EC2 instances to the Elastic Load Balancer in eu-west-2. Transition to a multivalue routing policy.
D. In each new Region, create a new Elastic Load Balancer and a new set of EC2 instances to run a copy of the application. Transition to a latency routing policy.
Hint Answer: D
Question #: 94
Topic #: 1
A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application.
Which combination of actions should a SysOps administrator take to resolve this problem? (Choose two.)
A. Change to the least outstanding requests algorithm on the ALB target group.
B. Configure cookie forwarding in the CloudFront distribution cache behavior.
C. Configure header forwarding in the CloudFront distribution cache behavior.
D. Enable group-level stickiness on the ALB listener rule.
E. Enable sticky sessions on the ALB target group.
Hint Answer: BE
Question #: 95
Topic #: 1
A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the administrator is unable to connect to any of the domains that reside on the internet.
What additional route destination rule should the administrator add to the route tables?
A. Route ::/0 traffic to a NAT gateway
B. Route ::/0 traffic to an internet gateway
C. Route 0.0.0.0/0 traffic to an egress-only internet gateway
D. Route ::/0 traffic to an egress-only internet gateway
Hint Answer: D
Question #: 96
Topic #: 1
A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.
What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?
A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
Hint Answer: B
Question #: 97
Topic #: 1
A SysOps administrator has an AWS CloudFormation template that is used to deploy an encrypted Amazon Machine Image (AMI). The CloudFormation template will be used in a second account so the SysOps administrator copies the encrypted AMI to the second account. When launching the new CloudFormation stack in the second account, it fails.
Which action should the SysOps administrator take to correct the issue?
A. Change the AMI permissions to mark the AMI as public.
B. Deregister the AMI in the source account.
C. Re-encrypt the destination AMI with an AWS Key Management Service (AWS KMS) key from the destination account.
D. Update the CloudFormation template with the ID of the AMI in the destination account.
Hint Answer: C
Question #: 98
Topic #: 1
A SysOps administrator wants to upload a file that is 1 TB in size from on-premises to an Amazon S3 bucket using multipart uploads.
What should the SysOps administrator do to meet this requirement?
A. Upload the file using the S3 console.
B. Use the s3api copy-object command.
C. Use the s3api put-object command.
D. Use the s3 cp command.
Hint Answer: D
Question #: 99
Topic #: 1
A company is planning to host its stateful web-based applications on AWS. A SysOps administrator is using an Auto Scaling group of Amazon EC2 instances. The web applications will run 24 hours a day, 7 days a week throughout the year. The company must be able to change the instance type within the same instance family later in the year based on the traffic and usage patterns.
Which EC2 instance purchasing option will meet these requirements MOST cost-effectively?
A. Convertible Reserved Instances
B. On-Demand Instances
C. Spot Instances
D. Standard Reserved Instances
Hint Answer: A
Question #: 100
Topic #: 1
A company recently acquired another corporation and all of that corporation’s AWS accounts. A financial analyst needs the cost data from these accounts. A SysOps administrator uses Cost Explorer to generate cost and usage reports. The SysOps administrator notices that “No Tagkey” represents 20% of the monthly cost.
What should the SysOps administrator do to tag the “No Tagkey” resources?
A. Add the accounts to AWS Organizations. Use a service control policy (SCP) to tag all the untagged resources.
B. Use an AWS Config rule to find the untagged resources. Set the remediation action to terminate the resources.
C. Use Cost Explorer to find and tag all the untagged resources.
D. Use Tag Editor to find and tag all the untagged resources.
Hint Answer: D