AWS Certified SysOps Administrator SOA-C02 Part 3
Question #: 101
Topic #: 1
A company is supposed to receive a data file every hour in an Amazon S3 bucket. An S3 event notification invokes an AWS Lambda function each time a file arrives. The function processes the data for use by an application.
The application team notices that sometimes the file does not arrive. The application team wants to receive a notification whenever the file does not arrive.
What is the MOST operationally efficient solution that meets these requirements?
A. Add an S3 Lifecycle rule on the S3 bucket with a scope that is limited to objects that were created in the last hour. Configure another S3 event notification to be invoked by the lifecycle transition when the number of objects transitioned is zero. Publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team.
B. Configure another S3 event notification to invoke a Lambda function that posts a message to an Amazon Simple Queue Service (Amazon SQS) queue. Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team when the ApproximateAgeOfOldestMessage metric of the queue is greater than 1 hour.
C. Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to alert the application team when the Invocations metric of the Lambda function is zero for an hour. Configure the alarm to treat missing data as breaching.
D. Create a new Lambda function to get the timestamp of the newest file in the S3 bucket. If the timestamp is more than 1 hour ago, publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the new function hourly.
Hint Answer: C
Question #: 102
Topic #: 1
A company is running distributed computing software to manage a fleet of 20 Amazon EC2 instances for calculations. The fleet includes 2 control nodes and 18 task nodes to run the calculations. Control nodes can automatically start the task nodes.
Currently, all the nodes run on demand. The control nodes must be available 24 hours a day, 7 days a week. The task nodes run for 4 hours each day. A SysOps administrator needs to optimize the cost of this solution.
Which combination of actions will meet these requirements? (Choose two.)
A. Purchase EC2 Instance Savings Plans for the control nodes.
B. Use Dedicated Hosts for the control nodes.
C. Use Reserved Instances for the task nodes.
D. Use Spot Instances for the control nodes. Use On-Demand Instances if there is no Spot availability.
E. Use Spot Instances for the task nodes. Use On-Demand Instances if there is no Spot availability.
Hint Answer: AE
Question #: 103
Topic #: 1
A SysOps administrator has successfully deployed a VPC with an AWS CloudFormation template. The SysOps administrator wants to deploy the same template across multiple accounts that are managed through AWS Organizations.
Which solution will meet this requirement with the LEAST operational overhead?
A. Assume the OrganizationAccountAccessRole IAM role from the management account. Deploy the template in each of the accounts.
B. Create an AWS Lambda function to assume a role in each account. Deploy the template by using the AWS CloudFormation CreateStack API call.
C. Create an AWS Lambda function to query for a list of accounts. Deploy the template by using the AWS CloudFormation CreateStack API call.
D. Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts.
Hint Answer: D
Question #: 104
Topic #: 1
A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones. There are two instances in each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency.
Which solution will meet these requirements?
A. Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.
B. Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.
C. Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.
D. Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.
Hint Answer: D
Question #: 105
Topic #: 1
A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)
A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
Hint Answer: CE
Question #: 106
Topic #: 1
A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately.
What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?
A. Add the AWS account to AWS Organizations. Enable CloudTrail in the management account.
B. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
C. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
D. Create an Amazon EventBridge (Amazon CloudWatch Event) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.
Hint Answer: B
Question #: 107
Topic #: 1
A company hosts a website on multiple Amazon EC2 instances that run in an Auto Scaling group. Users are reporting slow responses during peak times between 6 PM and 11 PM every weekend. A SysOps administrator must implement a solution to improve performance during these peak times.
What is the MOST operationally efficient solution that meets these requirements?
A. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to increase the desired capacity before peak times.
B. Configure a scheduled scaling action with a recurrence option to change the desired capacity before and after peak times.
C. Create a target tracking scaling policy to add more instances when memory utilization is above 70%.
D. Configure the cooldown period for the Auto Scaling group to modify desired capacity before and after peak times.
Hint Answer: B
Question #: 108
Topic #: 1
A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available.
Which action should the SysOps administrator take to meet this requirement?
A. Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
B. Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
D. Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.
Hint Answer: C
Question #: 109
Topic #: 1
A company needs to implement a solution to install specific software on Amazon EC2 instances when the instances launch.
Which solution will meet this requirement?
A. Configure AWS Systems Manager State Manager associations to bootstrap the EC2 instances with the required software at launch.
B. Use the Amazon CloudWatch agent to detect EC2 InstanceStart events and to inject the required software. Modify the InstanceRole IAM role to add permissions for the StartTask API operation.
C. Use Amazon Inspector to detect EC2 launch events. Configure Amazon Inspector to install the required software as part of lifecycle hooks for the EC2 launch events.
D. Use AWS Security Hub remediation actions to install the required software at launch.
Hint Answer: A
Question #: 110
Topic #: 1
A SysOps administrator has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different administrator.
Which action will the administrator of the second account be able to perform?
A. Add a product from the imported portfolio to a local portfolio.
B. Add new products to the imported portfolio.
C. Change the launch role for the products contained in the imported portfolio.
D. Customize the products in the imported portfolio.
Hint Answer: A
Question #: 111
Topic #: 1
A company has an application that customers use to search for records on a website. The application’s data is stored in an Amazon Aurora DB cluster. The application’s usage varies by season and by day of the week.
The website’s popularity is increasing, and the website is experiencing slower performance because of increased load on the DB cluster during periods of peak activity. The application logs show that the performance issues occur when users are searching for information. The same search is rarely performed multiple times.
A SysOps administrator must improve the performance of the platform by using a solution that maximizes resource efficiency.
Which solution will meet these requirements?
A. Deploy an Amazon ElastiCache for Redis cluster in front of the DB cluster. Modify the application to check the cache before the application issues new queries to the database. Add the results of any queries to the cache.
B. Deploy an Aurora Replica for the DB cluster. Modify the application to use the reader endpoint for search operations. Use Aurora Auto Scaling to scale the number of replicas based on load.
C. Use Provisioned IOPS on the storage volumes that support the DB cluster to improve performance sufficiently to support the peak load on the application.
D. Increase the instance size in the DB cluster to a size that is sufficient to support the peak load on the application. Use Aurora Auto Scaling to scale the instance size based on load.
Hint Answer: B
Question #: 112
Topic #: 1
A SysOps administrator is investigating issues on an Amazon RDS for MariaDB DB instance. The SysOps administrator wants to display the database load categorized by detailed wait events.
How can the SysOps administrator accomplish this goal?
A. Create an Amazon CloudWatch dashboard.
B. Enable Amazon RDS Performance Insights.
C. Enable and configure Enhanced Monitoring.
D. Review the database logs in Amazon CloudWatch Logs.
Hint Answer: B
Question #: 113
Topic #: 1
A team is managing an AWS account that is a member of an organization in AWS Organizations. The organization has consolidated billing features enabled. The account hosts several applications.
A SysOps administrator has applied tags to resources within the account to reflect the environment. The team needs a report of the breakdown of charges by environment.
What should the SysOps administrator do to meet this requirement?
A. Filter, map, and categorize resource groups in Tag Editor.
B. Ensure that the organization’s service control policies (SCPs) allow access to cost allocation tags.
C. Ensure that the IAM credentials that are used to access Cost Explorer have permissions to group cost by tags.
D. Activate the tag keys for cost allocation on the organization’s management account.
Hint Answer: D
Question #: 114
Topic #: 1
A company has developed a service that is deployed on a fleet of Linux-based Amazon EC2 instances that are in an Auto Scaling group. The service occasionally fails unexpectedly because of an error in the application code. The company’s engineering team determines that resolving the underlying cause of the service failure could take several weeks.
A SysOps administrator needs to create a solution to automate recovery if the service crashes on any of the EC2 instances.
Which solutions will meet this requirement? (Choose two.)
A. Install the Amazon CloudWatch agent on the EC2 instances. Configure the CloudWatch agent to monitor the service. Set the CloudWatch action to restart if the service health check fails.
B. Tag the EC2 instances. Create an AWS Lambda function that uses AWS Systems Manager Session Manager to log in to the tagged EC2 instances and restart the service. Schedule the Lambda function to run every 5 minutes.
C. Tag the EC2 instances. Use AWS Systems Manager State Manager to create an association that uses the AWS-RunShellScript document. Configure the association command with a script that checks if the service is running and that starts the service if the service is not running. For targets, specify the EC2 instance tag. Schedule the association to run every 5 minutes.
D. Update the EC2 user data that is specified in the Auto Scaling group’s launch template to include a script that runs on a cron schedule every 5 minutes. Configure the script to check if the service is running and to start the service if the service is not running. Redeploy all the EC2 instances in the Auto Scaling group with the updated launch template.
E. Update the EC2 user data that is specified in the Auto Scaling group’s launch template to ensure that the service runs during startup. Redeploy all the EC2 instances in the Auto Scaling group with the updated launch template.
Hint Answer: AC
Question #: 115
Topic #: 1
A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals sudden increases in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A SysOps administrator must find the process ID (PID) of the service or process that is consuming more CPU.
What should the SysOps administrator do to collect the process utilization information with the LEAST amount of effort?
A. Configure the Amazon CloudWatch agent procstat plugin to capture CPU process metrics.
B. Configure an AWS Lambda function to run every minute to capture the PID and send a notification.
C. Log in to the EC2 instance by using a .pem key each night. Then run the top command.
D. Use the default Amazon CloudWatch CPU utilization metric to capture the PID in CloudWatch.
Hint Answer: A
Question #: 116
Topic #: 1
A company runs a web application that users access using the name www.example.com. The company manages the domain name example.com using Amazon Route 53. The company created an Amazon CloudFront distribution in front of the application and would like www.example.com to access the application through CloudFront.
What is the MOST cost-effective way to achieve this?
A. Create a CNAME record in Amazon Route 53 that points to the CloudFront distribution URL.
B. Create an ALIAS record in Amazon Route 53 that points to the CloudFront distribution URL.
C. Create an A record in Amazon Route 53 that points to the public IP address of the web application.
D. Create a PTR record in Amazon Route 53 that points to the public IP address of the web application.
Hint Answer: B
Question #: 117
Topic #: 1
A company needs to monitor its website’s availability to end users. The company needs a solution to provide an Amazon Simple Notification Service (Amazon SNS) notification if the website’s uptime decreases to less than 99%. The monitoring must provide an accurate view of the user experience on the website.
Which solution will meet these requirements?
A. Create an Amazon CloudWatch alarm that is based on the website’s logs that are published to a CloudWatch Logs log group. Configure the alarm to publish an SNS notification if the number of HTTP 4xx errors and 5xx errors exceeds a specified threshold.
B. Create an Amazon CloudWatch alarm that is based on the website’s published metrics in CloudWatch. Configure the alarm to publish an SNS notification that is based on anomaly detection.
C. Create an Amazon CloudWatch Synthetics heartbeat monitoring canary. Associate the canary with the website’s URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
D. Create an Amazon CloudWatch Synthetics broken link checker monitoring canary. Associate the canary with the website’s URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
Hint Answer: C
Question #: 118
Topic #: 1
A company recently purchased Savings Plans. The company wants to receive email notification when the company’s utilization drops below 90% for a given day.
Which solution will meet this requirement?
A. Create an Amazon CloudWatch alarm to monitor the Savings Plan check in AWS Trusted Advisor. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification when the utilization drops below 90% for a given day.
B. Create an Amazon CloudWatch alarm to monitor the SavingsPlansUtilization metric under the AWS/SavingsPlans namespace in CloudWatch. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification when the utilization drops below 90% for a given day.
C. Create a Savings Plans alert to monitor the daily utilization of the Savings Plans. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification when the utilization drops below 90% for a given day.
D. Use AWS Budgets to create a Savings Plans budget to track the daily utilization of the Savings Plans. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification when the utilization drops below 90% for a given day.
Hint Answer: D
Question #: 119
Topic #: 1
A company needs to monitor the disk utilization of Amazon Elastic Block Store (Amazon EBS) volumes. The EBS volumes are attached to Amazon EC2 Linux instances. A SysOps administrator must set up an Amazon CloudWatch alarm that provides an alert when disk utilization increases to more than 80%.
Which combination of steps must the SysOps administrator take to meet these requirements? (Choose three.)
A. Create an IAM role that includes the CloudWatchAgentServerPolicy AWS managed policy. Attach the role to the instances.
B. Create an IAM role that includes the CloudWatchApplicationInsightsReadOnlyAccess AWS managed policy. Attach the role to the instances.
C. Install and start the CloudWatch agent by using AWS Systems Manager or the command line.
D. Install and start the CloudWatch agent by using an IAM role. Attach the CloudWatchAgentServerPolicy AWS managed policy to the role.
E. Configure a CloudWatch alarm to enter ALARM state when the disk_used_percent CloudWatch metric is greater than 80%.
F. Configure a CloudWatch alarm to enter ALARM state when the disk_used CloudWatch metric is greater than 80% or when the disk_free CloudWatch metric is less than 20%.
Hint Answer: ACE
Question #: 120
Topic #: 1
A SysOps administrator is troubleshooting an AWS CloudFormation stack creation that failed. Before the SysOps administrator can identify the problem, the stack and its resources are deleted. For future deployments, the SysOps administrator must preserve any resources that CloudFormation successfully created.
What should the SysOps administrator do to meet this requirement?
A. Set the value of the DisableRollback parameter to False during stack creation.
B. Set the value of the OnFailure parameter to DO_NOTHING during stack creation.
C. Specify a rollback configuration that has a rollback trigger of DO_NOTHING during stack creation.
D. Set the value of the OnFailure parameter to ROLLBACK during stack creation.
Hint Answer: B
Question #: 121
Topic #: 1
A SysOps administrator launches an Amazon EC2 instance in a private subnet of a VPC. When the SysOps administrator attempts a curl command from the command line of the EC2 instance, the SysOps administrator cannot connect to https://www.example.com.
What should the SysOps administrator do to resolve this issue?
A. Ensure that there is an outbound security group for port 443 to 0.0.0.0/0.
B. Ensure that there is an inbound security group for port 443 from 0.0.0.0/0.
C. Ensure that there is an outbound network ACL for ephemeral ports 1024-65535 to 0.0.0.0/0.
D. Ensure that there is an outbound network ACL for port 80 to 0.0.0.0/0.
Hint Answer: C
Question #: 122
Topic #: 1
A company is using Amazon CloudWatch alarms to monitor Amazon Elastic Kubernetes Service (Amazon EKS) workloads. The alarms are initiated through a threshold definition and are not helping the EKS cluster operate more efficiently.
A SysOps administrator must implement a solution that identifies anomalies and generates recommendations for how to address the anomalies.
Which solution will meet these requirements?
A. Use CloudWatch anomaly detection to identify anomalies and provide recommendations.
B. Use CloudWatch Container Insights with Amazon DevOps Guru to identify anomalies and provide recommendations.
C. Use CloudWatch Container Insights to identify anomalies and provide recommendations.
D. Use CloudWatch anomaly detection with CloudWatch Container Insights to identify anomalies and provide recommendations.
Hint Answer: B
Question #: 123
Topic #: 1
A SysOps administrator has an Amazon S3 website and wants to restrict access to a single Amazon CloudFront distribution. Visitors to the website should not be able to circumvent CloudFront or view the S3 website directly from the bucket.
Which AWS service or feature will meet these requirements?
A. S3 bucket ACL
B. AWS Firewall Manager
C. Amazon Route 53 private hosted zone
D. Origin access identity (OAI)
Hint Answer: D
Question #: 124
Topic #: 1
A SysOps administrator receives an alert that a production Auto Scaling group has been scaled down to two Amazon EC2 instances. The Auto Scaling group was originally configured with a minimum capacity of three instances. However, the SysOps administrator confirms that the configuration now reflects a minimum capacity of two instances.
Which AWS service will help identify who made the change?
A. AWS Config
B. Amazon Inspector
C. Amazon Macie
D. Amazon CloudWatch Logs
Hint Answer: A
Question #: 125
Topic #: 1
A company has a web application with a database tier that consists of an Amazon EC2 instance that runs MySQL. A SysOps administrator needs to minimize potential data loss and the time that is required to recover in the event of a database failure.
What is the MOST operationally efficient solution that meets these requirements?
A. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric to invoke an AWS Lambda function that stops and starts the EC2 instance.
B. Create an Amazon RDS for MySQL Multi-AZ DB instance. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.
C. Create an Amazon RDS for MySQL Single-AZ DB instance with a read replica. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new database. Update the connection string in the web application.
D. Use Amazon Data Lifecycle Manager (Amazon DLM) to take a snapshot of the Amazon Elastic Block Store (Amazon EBS) volume every hour. In the event of an EC2 instance failure, restore the EBS volume from a snapshot.
Hint Answer: D
Question #: 126
Topic #: 1
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses Amazon Route 53 to route traffic.
The company also has a static website that is configured in an Amazon S3 bucket.
A SysOps administrator must use the static website as a backup to the web application. The failover to the static website must be fully automated.
Which combination of actions will meet these requirements? (Choose two.)
A. Create a primary failover routing policy record. Configure the value to be the ALB.
B. Create an AWS Lambda function to switch from the primary website to the secondary website when the health check fails.
C. Create a primary failover routing policy record. Configure the value to be the ALB. Associate the record with a Route 53 health check.
D. Create a secondary failover routing policy record. Configure the value to be the static website. Associate the record with a Route 53 health check.
E. Create a secondary failover routing policy record. Configure the value to be the static website.
Hint Answer: CE
Question #: 127
Topic #: 1
A SysOps administrator migrates NAT instances to NAT gateways. After the migration, an application that is hosted on Amazon EC2 instances in a private subnet cannot access the internet.
Which of the following are possible reasons for this problem? (Choose two.)
A. The application is using a protocol that the NAT gateway does not support.
B. The NAT gateway is not in a security group.
C. The NAT gateway is in an unsupported Availability Zone.
D. The NAT gateway is not in the Available state.
E. The port forwarding settings do not allow access to internal services from the internet.
Hint Answer: AD
Question #: 128
Topic #: 1
A SysOps administrator needs to deploy an application in multiple AWS Regions. The SysOps administrator must implement a solution that routes users to the Region with the lowest latency. In case of failure, the solution must automatically route requests to a Region with a healthy instance of the application. The company needs a solution with the shortest time to failover.
Which solution will meet these requirements?
A. Create Amazon Route 53 A records that have the same name for each endpoint. Use a latency routing policy. Associate a health check with each record.
B. Create Amazon Route 53 A records that have the same name for each endpoint. Use a failover routing policy. Associate a health check with each record.
C. Create an AWS Global Accelerator standard accelerator. Create an endpoint group for each Region. Add a listener to the accelerator. Associate the endpoint group with the listener.
D. Create Amazon Route 53 A records that have the same name for each endpoint. Use a geolocation routing policy. Associate a health check with each record.
Hint Answer: C
Question #: 129
Topic #: 1
A company manages its multi-account environment by using AWS Organizations. The company needs to automate the creation of daily incremental backups of any Amazon Elastic Block Store (Amazon EBS) volume that is marked with a Lifecycle: Production tag in one of its primary AWS accounts.
The company wants to prevent users from using Amazon EC2 * permissions to delete any of these production snapshots.
What should a SysOps administrator do to meet these requirements?
A. Create a daily snapshot of all EBS volumes by using Amazon Data Lifecycle Manager. Specify Lifecycle as the tag key. Specify Production as the tag value.
B. Associate a service control policy (SCP) with the account to deny users the ability to delete EBS snapshots. Create an Amazon EventBridge rule with a 24-hour cron schedule. Configure EBS Create Snapshot as the target. Target all EBS volumes with the specified tags.
C. Create a daily snapshot of all EBS volumes by using AWS Backup. Specify Lifecycle as the tag key. Specify Production as the tag value.
D. Create a daily Amazon Machine Image (AMI) of every production EC2 instance within the AWS account by using Amazon Data Lifecycle Manager.
Hint Answer: B
Question #: 130
Topic #: 1
A SysOps administrator configures an Amazon S3 gateway endpoint in a VPC. The private subnets inside the VPC do not have outbound internet access. A user logs in to an Amazon EC2 instance in one of the private subnets and cannot upload a file to an Amazon S3 bucket in the same AWS Region.
Which solution will solve this problem?
A. Update the EC2 instance role policy to include s3:PutObject access to the target S3 bucket.
B. Update the EC2 security group to allow outbound traffic to 0.0.0.0/0 for port 80.
C. Update the EC2 subnet route table to include the S3 prefix list destination routes to the S3 gateway endpoint.
D. Update the S3 bucket policy to allow s3:PutObject access from the private subnet CIDR block.
Hint Answer: C
Question #: 131
Topic #: 1
A company runs an application that uses a MySQL database on an Amazon EC2 instance. The EC2 instance has a General Purpose SSD Amazon Elastic Block Store (Amazon EBS) volume. The company made changes to the application code and now wants to perform load testing to evaluate the impact of the code changes.
A SysOps administrator must create a new MySQL instance from a snapshot of the existing production instance. This new instance needs to perform as similarly as possible to the production instance.
Which restore option meets these requirements?
A. Use EBS fast snapshot restore to create a new General Purpose SSD EBS volume from the production snapshot.
B. Use EBS fast snapshot restore to create a new Provisioned IOPS SSD EBS volume from the production snapshot.
C. Use EBS snapshot restore to create a new General Purpose SSD EBS volume from the production snapshot.
D. Use EBS snapshot restore to create a new Provisioned IOPS SSD EBS volume from the production snapshot.
Hint Answer: A
Question #: 132
Topic #: 1
An errant process is known to use an entire processor and run at 100%. A SysOps administrator wants to automate restarting an Amazon EC2 instance when the problem occurs for more than 2 minutes.
How can this be accomplished?
A. Create an Amazon CloudWatch alarm for the EC2 instance with basic monitoring. Add an action to restart the instance.
B. Create an Amazon CloudWatch alarm for the EC2 instance with detailed monitoring. Add an action to restart the instance.
C. Create an AWS Lambda function to restart the EC2 instance, invoked on a scheduled basis every 2 minutes.
D. Create an AWS Lambda function to restart the EC2 instance, invoked by EC2 health checks.
Hint Answer: B
Question #: 133
Topic #: 1
A company plans to migrate several of its high performance computing (HPC) virtual machines (VMs) to Amazon EC2 instances on AWS. A SysOps administrator must identify a placement group for this deployment. The strategy must minimize network latency and must maximize network throughput between the HPC VMs.
Which strategy should the SysOps administrator choose to meet these requirements?
A. Deploy the instances in a cluster placement group in one Availability Zone.
B. Deploy the instances in a partition placement group in two Availability Zones.
C. Deploy the instances in a partition placement group in one Availability Zone.
D. Deploy the instances in a spread placement group in two Availability Zones.
Hint Answer: A
Question #: 134
Topic #: 1
A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA.
What additional step must be taken to ensure that API calls are authenticated using MFA?
A. Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls.
B. Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI.
C. Restrict the IAM users to use of the console, as MFA is not supported for CLI use.
D. Require users to use temporary credentials from the get-session-token command to sign API calls.
Hint Answer: D
Question #: 135
Topic #: 1
A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.
Which solution will meet this requirement?
A. Create a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance.
B. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
C. Create a network ACL. Add an outbound deny rule for traffic to the external IP address.
D. Create a new security group to block traffic to the external IP address. Assign the new security group to the entire VPC.
Hint Answer: C
Question #: 136
Topic #: 1
A SysOps administrator needs to develop a solution that provides email notification and inserts a record into a database every time a file is put into an Amazon S3 bucket.
What is the MOST operationally efficient solution that meets these requirements?
A. Set up an S3 event notification that targets an Amazon Simple Notification Service (Amazon SNS) topic. Create two subscriptions for the SNS topic. Use one subscription to send the email notification. Use the other subscription to invoke an AWS Lambda function that inserts the record into the database.
B. Set up an Amazon CloudWatch alarm that enters ALARM state whenever an object is created in the S3 bucket. Configure the alarm to invoke an AWS Lambda function that sends the email notification and inserts the record into the database.
C. Create an AWS Lambda function to send the email notification and insert the record into the database whenever a new object is detected in the S3 bucket. Invoke the function every minute with an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule.
D. Set up two S3 event notifications. Target a separate AWS Lambda function with each notification. Configure one function to send the email notification. Configure the other function to insert the record into the database.
Hint Answer: A
Question #: 137
Topic #: 1
A development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
A. AWS Shield Standard
B. AWS WAF
C. Elastic Load Balancing
D. Amazon Cognito
Hint Answer: B
Question #: 138
Topic #: 1
A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private subnets. The company’s security policy requires all EC2 instances to be deployed in private subnets.
What should a SysOps administrator do to meet these requirements?
A. Add an internet gateway to the VPC. In the route table for the private subnets, add a route to the internet gateway.
B. Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway.
C. Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
D. Add two internet gateways to the VPC. In the route tables for the private subnets and public subnets, add a route to each internet gateway.
Hint Answer: C
Question #: 139
Topic #: 1
A development team created and deployed a new AWS Lambda function 15 minutes ago. Although the function was invoked many times, Amazon CloudWatch Logs are not showing any log messages.
What is one cause of this?
A. The developers did not enable log messages for this Lambda function.
B. The Lambda function’s role does not include permissions to create CloudWatch Logs items.
C. The Lambda function raises an exception before the first log statement has been reached.
D. The Lambda function creates local log files that have to be shipped to CloudWatch Logs first before becoming visible.
Hint Answer: B
Question #: 140
Topic #: 1
A company is trying to connect two applications. One application runs in an on-premises data center that has a hostname of host1.onprem.private. The other application runs on an Amazon EC2 instance that has a hostname of host1.awscloud.private. An AWS Site-to-Site VPN connection is in place between the on-premises network and AWS.
The application that runs in the data center tries to connect to the application that runs on the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS resolution between on-premises and AWS resources.
Which solution allows the on-premises application to resolve the EC2 instance hostname?
A. Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.
B. Set up an Amazon Route 53 inbound resolver endpoint. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.
C. Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the outbound resolver endpoint.
D. Set up an Amazon Route 53 outbound resolver endpoint. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint.
Hint Answer: B
Question #: 141
Topic #: 1
A SysOps administrator is creating resources from an AWS CloudFormation template that defines an Auto Scaling group of Amazon EC2 instances. The Auto Scaling group launch template provisions each EC2 instance by using a user data script. The creation of the Auto Scaling group resource is failing because of an error: the wait condition is not receiving the required number of signals.
How should the SysOps administrator resolve this error?
A. Run cfn-signal at the completion of the user data script.
B. Modify the EC2 instances’ security group to allow outgoing traffic on port 443.
C. Reduce the Auto Scaling group’s DesiredCapacity value in the CloudFormation template.
D. Set the AssociatePublicIpAddress property to True in the Auto Scaling group launch template.
Hint Answer: A
Question #: 142
Topic #: 1
A developer creates a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The developer reviews the deployment and notices some suspicious traffic to the application. The traffic is malicious and is coming from a single public IP address. A SysOps administrator must block the public IP address.
Which solution will meet this requirement?
A. Create a security group rule to deny all inbound traffic from the suspicious IP address. Associate the security group with the ALB.
B. Implement Amazon Detective to monitor traffic and to block malicious activity from the internet. Configure Detective to integrate with the ALB.
C. Implement AWS Resource Access Manager (AWS RAM) to manage traffic rules and to block malicious activity from the internet. Associate AWS RAM with the ALB.
D. Add the malicious IP address to an IP set in AWS WAF. Create a web ACL. Include an IP set rule with the action set to BLOCK. Associate the web ACL with the ALB.
Hint Answer: D
Question #: 143
Topic #: 1
A company runs its entire suite of applications on Amazon EC2 instances. The company plans to move the applications to containers and AWS Fargate. Within 6 months, the company plans to retire its EC2 instances and use only Fargate. The company has been able to estimate its future Fargate costs.
A SysOps administrator needs to choose a purchasing option to help the company minimize costs. The SysOps administrator must maximize any discounts that are available and must ensure that there are no unused reservations.
Which purchasing option will meet these requirements?
A. Compute Savings Plans for 1 year with the No Upfront payment option
B. Compute Savings Plans for 1 year with the Partial Upfront payment option
C. EC2 Instance Savings Plans for 1 year with the All Upfront payment option
D. EC2 Reserved Instances for 1 year with the Partial Upfront payment option
Hint Answer: B
Question #: 144
Topic #: 1
A company has migrated its legacy on-premises web application to an Amazon EC2 instance. The web application requires a single static public IP address to accept traffic and process requests. End users must be able to reach the web application through the example.com domain. A SysOps administrator must implement a solution that maintains the web application with the least amount of effort.
Which combination of actions will meet these requirements? (Choose two.)
A. Configure an Application Load Balancer (ALB). Add the EC2 instance to a target group that is associated with the ALB.
B. Create an Amazon Route 53 A record for the associated EC2 IP address.
C. Create an Amazon Route 53 CNAME record for the associated EC2 IP address.
D. Create an Elastic IP address, and associate it with the EC2 instance.
E. Create an Auto Scaling group with a minimum capacity of 1 and a maximum capacity of 2.
Hint Answer: BD
Question #: 145
Topic #: 1
A company runs its applications on a large number of Amazon EC2 instances. A SysOps administrator must implement a solution to notify the operations team whenever an EC2 instance state changes.
What is the MOST operationally efficient solution that meets these requirements?
A. Create a script that captures instance state changes and publishes a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Use AWS Systems Manager Run Command to run the script on all EC2 instances.
B. Create an Amazon EventBridge event rule that captures EC2 instance state changes. Set an Amazon Simple Notification Service (Amazon SNS) topic as the target.
C. Create an Amazon EventBridge event rule that captures EC2 instance state changes. Set as the target an AWS Lambda function that publishes a notification to an Amazon Simple Notification Service (Amazon SNS) topic.
D. Create an AWS Config custom rule that evaluates instance state changes with automatic remediation. Use the rule to invoke an AWS Lambda function that publishes a notification to an Amazon Simple Notification Service (Amazon SNS) topic.
Hint Answer: B
Question #: 146
Topic #: 1
A company asks a SysOps administrator to provision an additional environment for an application in four additional AWS Regions. The application is running on more than 100 Amazon EC2 instances in the us-east-1 Region, using fully configured Amazon Machine Images (AMIs). The company has an AWS CloudFormation template to deploy resources in us-east-1.
What should the SysOps administrator do to provision the application in the MOST operationally efficient manner?
A. Copy the AMI to each Region by using the aws ec2 copy-image command. Update the CloudFormation template to include mappings for the copied AMIs.
B. Create a snapshot of the running instance. Copy the snapshot to the other Regions. Create an AMI from the snapshots. Update the CloudFormation template for each Region to use the new AMI.
C. Run the existing CloudFormation template in each additional Region based on the success of the template that is used currently in us-east-1.
D. Update the CloudFormation template to include the additional Regions in the Auto Scaling group. Update the existing stack in us-east-1.
Hint Answer: A
Question #: 147
Topic #: 1
A company wants to monitor the security groups of its Amazon EC2 instances to ensure that SSH is not open to the public. If the port is opened, the company needs to close the port as soon as possible.
Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)
A. Add an Amazon CloudWatch alarm to detect the security groups that allow SSH.
B. Add an AWS Config rule to detect the security groups that allow SSH.
C. Add an assessment template to Amazon Inspector to detect the security groups that allow SSH.
D. Call an AWS Systems Manager Automation runbook to close the port.
E. Call AWS Systems Manager Run Command to close the port.
Hint Answer: BD
Question #: 148
Topic #: 1
A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.
Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.
B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.
C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
Hint Answer: D
Question #: 149
Topic #: 1
A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances. The company needs a solution that produces no additional cost.
Which solution will meet these requirements?
A. Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC.
B. Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC.
C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.
D. Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table.
Hint Answer: C
Question #: 150
Topic #: 1
A company has set up an IPsec tunnel between its AWS environment and its on-premises data center. The tunnel is reporting as UP, but the Amazon EC2 instances are not able to ping any on-premises resources.
What should a SysOps administrator do to resolve this issue?
A. Create a new inbound rule on the EC2 instances’ security groups to allow ICMP traffic from the on-premises CIDR.
B. Create a peering connection between the IPsec tunnel and the subnet of the EC2 instances.
C. Enable route propagation for the virtual private gateway in the route table that is assigned to the subnet of the EC2 instances.
D. Modify the VPC’s DHCP options set. Add the IPsec tunnel to the VPN section.
Hint Answer: C