AWS Certified SysOps Administrator SOA-C02 Part 4
Question #: 151
Topic #: 1
A company hosts a production MySQL database on an Amazon Aurora single-node DB cluster. The database is queried heavily for reporting purposes. The DB cluster is experiencing periods of performance degradation because of high CPU utilization and maximum connections errors. A SysOps administrator needs to improve the stability of the database.
Which solution will meet these requirements?
A. Create an Aurora Replica node. Create an Auto Scaling policy to scale replicas based on CPU utilization. Ensure that all reporting requests use the read-only connection string
B. Create a second Aurora MySQL single-node DB cluster in a second Availability Zone. Ensure that all reporting requests use the connection string for this additional node
C. Create an AWS Lambda function that caches reporting requests. Ensure that all reporting requests call the Lambda function
D. Create a multi-node Amazon ElastiCache cluster. Ensure that all reporting requests use the ElastiCache cluster. Use the database if the data is not in the cache.
Hint Answer: A
Question #: 152
Topic #: 1
A company runs an application on Amazon EC2 instances that are in an Amazon EC2 Auto Scaling group. Scale-out actions take a long time to become complete because of long-running boot scripts. A SysOps administrator must implement a solution to reduce the required time for scale-out actions without overprovisioning the Auto Scaling group.
Which solution will meet these requirements?
A. Change the launch configuration to use a larger instance size.
B. Increase the minimum number of instances in the Auto Scaling group.
C. Add a predictive scaling policy to the Auto Scaling group.
D. Add a warm pool to the Auto Scaling group.
Hint Answer: D
Question #: 153
Topic #: 1
A company analyzes sales data for its customers. Customers upload files to one of the company’s Amazon S3 buckets, and a message is posted to an Amazon Simple Queue Service (Amazon SQS) queue that contains the object Amazon Resource Name (ARN). An application that runs on an Amazon EC2 instance polls the queue and processes the messages. The processing time depends on the size of the file.
Customers are reporting delays in the processing of their files. A SysOps administrator decides to configure Amazon EC2 Auto Scaling as the first step. The SysOps administrator creates an Amazon Machine Image (AMI) that is based on the existing EC2 instance. The SysOps administrator also creates a launch template that references the AMI.
How should the SysOps administrator configure the Auto Scaling policy to improve the response time?
A. Add several different instance sizes in the launch template. Create an Auto Scaling policy based on the ApproximateNumberOfMessagesVisible metric to select the size of the instance based on the number of messages in the queue.
B. Create an Auto Scaling policy based on the ApproximateNumberOfMessagesDelayed metric to scale the number of instances based on the number of messages in the queue that have been delayed.
C. Create a custom metric based on the ASGAverageCPUUtilization metric and the GroupPendingInstances metric from the Auto Scaling group. Modify the application to calculate the metric and post the metric to Amazon CloudWatch once each minute. Create an Auto Scaling policy based on this metric to scale the number of instances.
D. Create a custom metric based on the ApproximateNumberOfMessagesVisible metric and the number of instances in the InService state in the Auto Scaling group. Modify the application to calculate the metric and post the metric to Amazon CloudWatch once each minute. Create an Auto Scaling policy based on this metric to scale the number of instances.
Hint Answer: D
Question #: 154
Topic #: 1
A company has two VPC networks named VPC A and VPC B. The VPC A CIDR block is 10.0.0.0/16 and the VPC B CIDR block is 172.31.0.0/16. The company wants to establish a VPC peering connection named pcx-12345 between both VPCs.
Which rules should appear in the route table of VPC A after configuration? (Choose two.)
A. Destination: 10.0.0.0/16, Target: Local
B. Destination: 172.31.0.0/16, Target: Local
C. Destination: 10.0.0.0/16, Target: pcx-12345
D. Destination: 172.31.0.0/16, Target: pcx-12345
E. Destination: 10.0.0.0/16, Target: 172.31.0.0/16
Hint Answer: AD
Question #: 155
Topic #: 1
A company hosts a static website on Amazon S3. An Amazon CloudFront distribution presents this site to global users. The company uses the Managed-CachingDisabled CloudFront cache policy. The company’s developers confirm that they frequently update a file in Amazon S3 with new information.
Users report that the website presents correct information when the website first loads the file. However, the users’ browsers do not retrieve the updated file after a refresh.
What should a SysOps administrator recommend to fix this issue?
A. Add a Cache-Control header field with max-age=0 to the S3 object.
B. Change the CloudFront cache policy to Managed-CachingOptimized.
C. Disable bucket versioning in the S3 bucket configuration.
D. Enable content compression in the CloudFront configuration.
Hint Answer: A
Question #: 156
Topic #: 1
A SysOps administrator is optimizing the cost of a workload. The workload is running in multiple AWS Regions and is using AWS Lambda with Amazon EC2 On-Demand Instances for the compute. The overall usage is predictable. The amount of compute that is consumed in each Region varies, depending on the users’ locations.
Which approach should the SysOps administrator use to optimize this workload?
A. Purchase Compute Savings Plans based on the usage during the past 30 days.
B. Purchase Convertible Reserved Instances by calculating the usage baseline.
C. Purchase EC2 Instance Savings Plans based on the usage during the past 30 days.
D. Purchase Standard Reserved Instances by calculating the usage baseline.
Hint Answer: A
Question #: 157
Topic #: 1
An ecommerce company has built a web application that uses an Amazon Aurora DB cluster. The DB cluster includes memory optimized instance types with both a writer node and a reader node. Traffic volume changes throughout the day. During sudden traffic surges, Amazon CloudWatch metrics for the DB cluster indicate high RAM consumption and an increase in select latency.
A SysOps administrator must implement a configuration change to improve the performance of the DB cluster. The change must minimize downtime and must not result in the loss of data.
Which change will meet these requirements?
A. Add an Aurora Replica to the DB cluster.
B. Modify the DB cluster to convert the DB cluster into a multi-master DB cluster.
C. Take a snapshot of the DB cluster. From that snapshot, create a new DB cluster that has larger memory optimized instances.
D. Increase the disk storage capacity of the DB cluster to double the existing disk capacity.
Hint Answer: A
Question #: 158
Topic #: 1
An AWS Lambda function is intermittently failing several times a day. A SysOps administrator must find out how often this error has occurred in the last 7 days.
Which action will meet this requirement in the MOST operationally efficient manner?
A. Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function.
B. Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function.
C. Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs.
D. Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to stream the Amazon CloudWatch logs for the Lambda function.
Hint Answer: C
Question #: 159
Topic #: 1
A company is creating a new multi-account architecture. A SysOps administrator must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 identity provider (IdP).
What should the SysOps administrator do to meet these requirements?
A. Configure an Amazon Cognito user pool. Integrate the user pool with the third-party IdP.
B. Enable and configure AWS Single Sign-On with the third-party IdP.
C. Federate the third-party IdP with AWS Identity and Access Management (IAM) for each AWS account in the organization.
D. Integrate the third-party IdP directly with AWS Organizations.
Hint Answer: B
Question #: 160
Topic #: 1
A SysOps administrator wants to monitor the free disk space that is available on a set of Amazon EC2 instances that have Amazon Elastic Block Store (Amazon EBS) volumes attached. The SysOps administrator wants to receive a notification when the used disk space of the EBS volumes exceeds a threshold value, but only when the DiskReadOps metric also exceeds a threshold value. The SysOps administrator has set up an Amazon Simple Notification Service (Amazon SNS) topic.
How can the SysOps administrator receive notification only when both metrics exceed their threshold values?
A. Install the Amazon CloudWatch agent on the EC2 instances. Create a metric alarm for the disk space and a metric alarm for the DiskReadOps metric. Create a composite alarm that includes the two metric alarms to publish a notification to the SNS topic.
B. Install the Amazon CloudWatch agent on the EC2 instances. Create a metric alarm for the disk space and a metric alarm for the DiskReadOps metric. Configure each alarm to publish a notification to the SNS topic.
C. Create a metric alarm for the EBSByteBalance% metric and a metric alarm for the DiskReadOps metric. Create a composite alarm that includes the two metric alarms to publish a notification to the SNS topic.
D. Configure detailed monitoring for the EC2 instances. Create a metric alarm for the disk space and a metric alarm for the DiskReadOps metric. Create a composite alarm that includes the two metric alarms to publish a notification to the SNS topic.
Hint Answer: A
Question #: 161
Topic #: 1
A company has an application that collects notifications from thousands of alarm systems. The notifications include alarm notifications and information notifications. The information notifications include the system arming processes, disarming processes, and sensor status.
All notifications are kept as messages in an Amazon Simple Queue Service (Amazon SQS) queue. Amazon EC2 instances that are in an Auto Scaling group process the messages. A SysOps administrator needs to implement a solution that prioritizes alarm notifications over information notifications.
Which solution will meet these requirements?
A. Adjust the Auto Scaling group to scale faster when a high number of messages is in the queue.
B. Use the Amazon Simple Notification Service (Amazon SNS) fanout feature with Amazon SQS to send the notifications in parallel to all the EC2 instances.
C. Add an Amazon DynamoDB stream to accelerate the message processing
D. Create a queue for alarm notifications and a queue for information notifications. Update the application to collect messages from the alarm notifications queue first.
Hint Answer: D
Question #: 162
Topic #: 1
A company’s SysOps administrator manages a fleet of hundreds of Amazon EC2 instances that run Windows-based workloads and Linux-based workloads. Each EC2 instance has a tag that identifies its operating system. All the EC2 instances run AWS Systems Manager Session Manager.
A zero-day vulnerability is reported, and no patches are available. The company’s security team provides code for all the relevant operating systems to reduce the risk of the vulnerability. The SysOps administrator needs to implement the code on the EC2 instances and must provide a report that shows that the code has successfully run on all the instances.
What should the SysOps administrator do to meet these requirements as quickly as possible?
A. Use Systems Manager Run Command. Choose either the AWS-RunShellScript document or the AWS-RunPowerShellScript document. Configure Run Command with the code from the security team. Specify the operating system tag in the Targets parameter. Run the command. Provide the command history’s evidence to the security team.
B. Create an AWS Lambda function that connects to the EC2 instances through Session Manager. Configure the Lambda function to identify the operating system, run the code from the security team, and return the results to an Amazon RDS DB instance. Query the DB instance for the results. Provide the results as evidence to the security team.
C. Log on to each EC2 instance. Run the code from the security team on each EC2 instance. Copy and paste the results of each run into a single spreadsheet. Provide the spreadsheet as evidence to the security team.
D. Update the launch templates of the EC2 instances to include the code from the security team in the user data. Relaunch the EC2 instances by using the updated launch templates. Retrieve the EC2 instance logs of each instance. Provide the EC2 instance logs as evidence to the security team.
Hint Answer: A
Question #: 163
Topic #: 1
A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:
What is a possible cause of these failed connections?
A. A security group deny rule is blocking traffic on port 443.
B. The EC2 instance is shut down.
C. The network ACL is blocking HTTPS traffic.
D. The VPC has no internet gateway attached.
Hint Answer: C
Question #: 164
Topic #: 1
A SysOps administrator has noticed millions of LIST requests on an Amazon S3 bucket.
Which services or features can the administrator use to investigate where the requests are coming from? (Choose two.)
A. AWS CloudTrail data events
B. Amazon EventBridge
C. AWS Health Dashboard
D. Amazon S3 server access logging
E. AWS Trusted Advisor
Hint Answer: AD
Question #: 165
Topic #: 1
A company has attached the following policy to an IAM user:
Which of the following actions are allowed for the IAM user?
A. Amazon RDS DescribeDBInstances action in the us-east-1 Region
B. Amazon S3 PutObject operation in a bucket named testbucket
C. Amazon EC2 DescribeInstances action in the us-east-1 Region
D. Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region
Hint Answer: C
Question #: 166
Topic #: 1
A SysOps administrator must create an IAM policy for a developer who needs access to specific AWS services. Based on the requirements, the SysOps administrator creates the following policy:
Which actions does this policy allow? (Choose two.)
A. Create an AWS Storage Gateway.
B. Create an IAM role for an AWS Lambda function.
C. Delete an Amazon Simple Queue Service (Amazon SQS) queue.
D. Describe AWS load balancers.
E. Invoke an AWS Lambda function.
Hint Answer: E
Question #: 167
Topic #: 1
A SysOps administrator needs to create alerts that are based on the read and write metrics of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to an Amazon EC2 instance. The SysOps administrator creates and enables Amazon CloudWatch alarms for the DiskReadBytes metric and the DiskWriteBytes metric.
A custom monitoring tool that is installed on the EC2 instance with the same alarm configuration indicates that the volume metrics have exceeded the threshold. However, the CloudWatch alarms were not in ALARM state.
Which action will ensure that the CloudWatch alarms function correctly?
A. Install and configure the CloudWatch agent on the EC2 instance to capture the desired metrics.
B. Install and configure AWS Systems Manager Agent on the EC2 instance to capture the desired metrics.
C. Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EBS volumes.
D. Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EC2 instance.
Hint Answer: C
Question #: 168
Topic #: 1
A user is connected to an Amazon EC2 instance in a private subnet. The user is unable to access the internet from the instance by using the following curl command: curl http://www.example.com.
A SysOps administrator reviews the VPC configuration and learns the following information:
• The private subnet has a route to a NAT gateway for CIDR 0.0.0.0/0
• The outbound security group for the EC2 instance contains one rule: outbound for port 443 to CIDR 0.0.0.0/0
• The inbound security group for the EC2 instance allows ports 22 and 443 from the user’s IP address.
• The inbound network ACL for the subnet allows port 22 and port range 1024-65535 from CIDR 0.0.0.0/0
Which action will allow the user to complete the curl request successfully?
A. Add an additional inbound network ACL rule for port 80 to CIDR 0.0.0.0/0.
B. Add an additional inbound security group rule for port 80 to CIDR 0.0.0.0/0.
C. Add an additional outbound security group rule for port 80 to CIDR 0.0.0.0/0.
D. Add an additional outbound security group rule for port 80 to the user’s IP address.
Hint Answer: C
Question #: 169
Topic #: 1
A company wants to monitor the number of Amazon EC2 instances that it is running. The company also wants to automate a service quota increase when the number of instances reaches a specific threshold.
Which solution meets these requirements?
A. Create an Amazon CloudWatch alarm to monitor Service Quotas. Configure the alarm to invoke an AWS Lambda function to request a quota increase when the alarm reaches the threshold.
B. Create an AWS Config rule to monitor Service Quotas. Call an AWS Lambda function to remediate the action and increase the quota.
C. Create an Amazon CloudWatch alarm to monitor the AWS Health Dashboard. Configure the alarm to invoke an AWS Lambda function to request a quota increase when the alarm reaches the threshold.
D. Create an Amazon CloudWatch alarm to monitor AWS Trusted Advisor service quotas. Configure the alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to increase the quota.
Hint Answer: A
Question #: 170
Topic #: 1
A SysOps administrator needs to create an Amazon S3 bucket as a resource in an AWS CloudFormation template. The bucket name must be randomly generated, and the bucket must be encrypted. Other resources in the template will reference the bucket.
Which CloudFormation resource definition should the SysOps administrator use to meet these requirements?
A.
B.
C.
D.
Hint Answer: B
Question #: 171
Topic #: 1
A SysOps administrator is troubleshooting a VPC with public and private subnets that leverage custom network ACLs. Instances in the private subnet are unable to access the internet. There is an internet gateway attached to the public subnet. The private subnet has a route to a NAT gateway that is also attached to the public subnet. The Amazon EC2 instances are associated with the default security group for the VPC.
What is causing the issue in this scenario?
A. There is a network ACL on the private subnet set to deny all outbound traffic.
B. There is no NAT gateway deployed in the private subnet of the VPC.
C. The default security group for the VPC blocks all inbound traffic to the EC2 instances.
D. The default security group for the VPC blocks all outbound traffic from the EC2 instances.
Hint Answer: A
Question #: 172
Topic #: 1
A company’s VPC has an existing IPv4 configuration. The IPv4 configuration includes public subnets, private subnets, NAT gateways, default route tables, and ACLs.
The company associates an IPv6 CIDR block with the VPC. The company adds IPv6 allocations to each existing subnet and adds routes to the route tables. The company updates the ACLs to allow all IPv6 traffic.
Public subnets are working as expected, but private subnets are not allowing internet IPv6 connections.
What should a SysOps administrator do to allow outbound-only connectivity for the new IPv6 subnets?
A. Configure an egress-only internet gateway and associate it with the VPC. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the egress-only internet gateway.
B. Turn on IPv6 NAT on the NAT gateways. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the NAT gateways.
C. Configure a new IPv6-only NAT gateway. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the IPv6-only NAT gateway.
D. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the existing internet gateway.
Hint Answer: A
Question #: 173
Topic #: 1
A company recently deployed an application in production. The production environment currently runs on a single Amazon EC2 instance that hosts the application’s web application and a MariaDB database. Company policy states that all IT production environments must be highly available.
What should a SysOps administrator do to meet this requirement?
A. Migrate the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Run the application on EC2 instances that are in an Auto Scaling group that extends across multiple Availability Zones. Place the EC2 instances behind a load balancer.
B. Migrate the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Use AWS Application Migration Service to convert the application into an AWS Lambda function. Specify the Multi-AZ option for the Lambda function.
C. Copy the database to a different EC2 instance in a different Availability Zone. Use AWS Backup to create Amazon Machine Images (AMIs) of the application EC2 instance and the database EC2 instance. Create an AWS Lambda function that performs health checks every minute. In case of failure, configure the Lambda function to launch a new EC2 instance from the AMIs that AWS Backup created.
D. Migrate the database to a different EC2 instance. Place the application EC2 instance in an Auto Scaling group that extends across multiple Availability Zones. Create an Amazon Machine Image (AMI) from the database EC2 instance. Use the AMI to launch a second database EC2 instance in a different Availability Zone. Put the second database EC2 instance in the stopped state. Use the second database EC2 instance as a standby.
Hint Answer: A
Question #: 174
Topic #: 1
A company has a high-performance Windows workload. The workload requires a storage volume that provides consistent performance of 10,000 IOPS. The company does not want to pay for additional unneeded capacity to achieve this performance.
Which solution will meet these requirements with the LEAST cost?
A. Use a Provisioned IOPS SSD (io1) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10,000 provisioned IOPS.
B. Use a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10,000 provisioned IOPS.
C. Use an Amazon Elastic File System (Amazon EFS) file system in Max I/O mode.
D. Use an Amazon FSx for Windows File Server file system that is configured with 10,000 IOPS.
Hint Answer: B
Question #: 175
Topic #: 1
A SysOps administrator must configure a resilient tier of Amazon EC2 instances for a high performance computing (HPC) application. The HPC application requires minimum latency between nodes.
Which actions should the SysOps administrator take to meet these requirements? (Choose two.)
A. Create an Amazon Elastic File System (Amazon EFS) file system. Mount the file system to the EC2 instances by using user data.
B. Create a Multi-AZ Network Load Balancer in front of the EC2 instances.
C. Place the EC2 instances in an Auto Scaling group within a single subnet.
D. Launch the EC2 instances into a cluster placement group.
E. Launch the EC2 instances into a partition placement group.
Hint Answer: CD
Question #: 176
Topic #: 1
A SysOps administrator needs to design a disaster recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The application uses an Amazon Aurora PostgreSQL database. The recovery time objective (RTO) and recovery point objective (RPO) are 15 minutes each.
Which combination of steps should the SysOps administrator take to meet these requirements MOST cost-effectively? (Choose two.)
A. Configure Aurora backups to be exported to the DR Region.
B. Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.
C. Configure the DR Region with an ALB and an Auto Scaling group. Use the same configuration as in the primary Region.
D. Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group’s minimum capacity, maximum capacity, and desired capacity to 1.
E. Manually launch a new ALB and a new Auto Scaling group by using AWS CloudFormation during a failover activity.
Hint Answer: BD
Question #: 177
Topic #: 1
A SysOps administrator is testing an application that is hosted on five Amazon EC2 instances. The instances run in an Auto Scaling group behind an Application Load Balancer (ALB). High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out.
Which action should the SysOps administrator take to meet these requirements?
A. Enable instance scale-in protection.
B. Place the instance into the Standby state.
C. Remove the listener from the ALB.
D. Suspend the Launch and Terminate process types.
Hint Answer: D
Question #: 178
Topic #: 1
A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application’s performance. A SysOps administrator must scale the application to meet the increased traffic.
Which solution meets these requirements?
A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.
D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.
Hint Answer: C
Question #: 179
Topic #: 1
A SysOps administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.
Which additional actions should the administrator take to control access? (Choose two.)
A. Attach an IAM policy to the users or groups that require access to the EC2 instances.
B. Attach an IAM role to control access to the EC2 instances.
C. Create a placement group for the EC2 instances and add a specific tag.
D. Create a service account and attach it to the EC2 instances that need to be controlled.
E. Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.
Hint Answer: AE
Question #: 180
Topic #: 1
An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application.
What is the MOST scalable storage solution to fulfill this requirement?
A. Connect a large Amazon EBS volume to multiple instances and schedule snapshots.
B. Deploy Amazon EFS in the VPC and create mount targets in multiple subnets.
C. Launch an EC2 instance and share data using SMB/CIFS or NFS.
D. Deploy an AWS Storage Gateway cached volume on Amazon EC2.
Hint Answer: C
Question #: 181
Topic #: 1
A company manages its production applications across several AWS accounts. The company hosts the production applications on Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are spread across multiple VPCs. Each VPC uses its own Amazon Route 53 private hosted zone for private DNS.
A VPC from Account A needs to resolve private DNS records from a private hosted zone that is associated with a different VPC in Account B.
What should a SysOps administrator do to meet these requirements?
A. In Account A, create an AWS Systems Manager document that updates the /etc/resolv.conf file across all EC2 instances to point to the AWS provided default DNS resolver for the VPC in Account B.
B. In Account A, create an AWS CloudFormation template that associates the private hosted zone from Account B with the private hosted zone in Account A.
C. In Account A, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account B to associate the VPC from Account A with the private hosted zone in Account B.
D. In Account B, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account A to associate the VPC from Account B with the private hosted zone in Account A.
Hint Answer: D
Question #: 182
Topic #: 1
A SysOps administrator is preparing to deploy an application to Amazon EC2 instances that are in an Auto Scaling group. The application requires dependencies to be installed. Application updates are issued weekly.
The SysOps administrator needs to implement a solution to incorporate the application updates on a regular basis. The solution also must conduct a vulnerability scan during Amazon Machine Image (AMI) creation.
What is the MOST operationally efficient solution that meets these requirements?
A. Create a script that uses Packer. Schedule a cron job to run the script.
B. Install the application and its dependencies on an EC2 instance. Create an AMI of the EC2 instance.
C. Use EC2 Image Builder with a custom recipe to install the application and its dependencies.
D. Invoke the EC2 CreateImage API operation by using an Amazon EventBridge scheduled rule.
Hint Answer: C
Question #: 183
Topic #: 1
A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance.
Which of the following are possible causes of this issue? (Choose two.)
A. A network ACL associated with the bastion’s subnet is blocking the network traffic.
B. The instance does not have a private IP address.
C. The route table associated with the bastion’s subnet does not have a route to the internet gateway.
D. The security group for the instance does not have an inbound rule on port 22.
E. The security group for the instance does not have an outbound rule on port 3389.
Hint Answer: AC
Question #: 184
Topic #: 1
A SysOps administrator needs to configure an Amazon S3 bucket to host a web application. The SysOps administrator has created the S3 bucket and has copied the static files for the web application to the S3 bucket.
The company has a policy that all S3 buckets must not be public.
What should the SysOps administrator do to meet these requirements?
A. Create an Amazon CloudFront distribution. Configure the S3 bucket as an origin with an origin access identity (OAI). Give the OAI the s3:GetObject permission in the S3 bucket policy.
B. Configure static website hosting in the S3 bucket. Use Amazon Route 53 to create a DNS CNAME to point to the S3 website endpoint.
C. Create an Application Load Balancer (ALB). Change the protocol to HTTPS in the ALB listener configuration. Forward the traffic to the S3 bucket.
D. Create an accelerator in AWS Global Accelerator. Set up a listener configuration for port 443. Set the endpoint type to forward the traffic to the S3 bucket.
Hint Answer: A
Question #: 185
Topic #: 1
A company has deployed an application on AWS. The application runs on a fleet of Linux Amazon EC2 instances that are in an Auto Scaling group. The Auto Scaling group is configured to use launch templates. The launch templates launch Amazon Elastic Block Store (Amazon EBS) backed EC2 instances that use General Purpose SSD (gp3) EBS volumes for primary storage.
A SysOps administrator needs to implement a solution to ensure that all the EC2 instances can share the same underlying files. The solution also must ensure that the data is consistent.
Which solution will meet these requirements?
A. Create an Amazon Elastic File System (Amazon EFS) file system. Create a new launch template version that includes user data that mounts the EFS file system. Update the Auto Scaling group to use the new launch template version to cycle in newer EC2 instances and to terminate the older EC2 instances.
B. Enable Multi-Attach on the EBS volumes. Create a new launch template version that includes user data that mounts the EBS volume. Update the Auto Scaling group to use the new template version to cycle in newer EC2 instances and to terminate the older EC2 instances.
C. Create a cron job that synchronizes the data between the EBS volumes for all the EC2 instances in the Auto Scaling group. Create a lifecycle hook during instance launch to configure the cron job on all the EC2 instances. Rotate out the older EC2 instances.
D. Create a new launch template version that creates an Amazon Elastic File System (Amazon EFS) file system. Update the Auto Scaling group to use the new template version to cycle in newer EC2 instances and to terminate the older EC2 instances.
Hint Answer: A
Question #: 186
Topic #: 1
A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC.
What is the MOST operationally efficient method to deploy and update the VPCs in each account?
A. Create an AWS CloudFormation template that defines the VPC. Sign in to the AWS Management Console under each account. Create a stack from the template.
B. Create a shell script that configures the VPC using the AWS CLI. Provide a list of accounts to the shell script from a text file. Create the VPC in every account in the list.
C. Create an AWS Lambda function that configures the VPC. Store the account information in Amazon DynamoDB. Grant Lambda access to the DynamoDB table. Create the VPC in every account in the list.
D. Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template. Deploy the template to all accounts using the stack set.
Hint Answer: D
Question #: 187
Topic #: 1
A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services.
Which solution will meet these requirements?
A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization.
C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.
Hint Answer: B
Question #: 188
Topic #: 1
A SysOps administrator is responsible for a legacy, CPU-heavy application. The application can only be scaled vertically. Currently, the application is deployed on a single t3.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency after a few minutes.
What change should be made to alleviate the performance problem?
A. Change the Amazon EBS volume to Provisioned IOPS.
B. Upgrade to a compute-optimized instance.
C. Add additional t2.large instances to the application.
D. Purchase Reserved Instances.
Hint Answer: B
Question #: 189
Topic #: 1
A SysOps administrator must create a solution that immediately notifies software developers if an AWS Lambda function experiences an error.
Which solution will meet this requirement?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic with an email subscription for each developer. Create an Amazon CloudWatch alarm by using the Errors metric and the Lambda function name as a dimension. Configure the alarm to send a notification to the SNS topic when the alarm state reaches ALARM.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic with a mobile subscription for each developer. Create an Amazon EventBridge (Amazon CloudWatch Events) alarm by using the LambdaError as the event pattern and the SNS topic name as a resource. Configure the alarm to send a notification to the SNS topic when the alarm state reaches ALARM.
C. Verify each developer email address in Amazon Simple Email Service (Amazon SES). Create an Amazon CloudWatch rule by using the LambdaError metric and developer email addresses as dimensions. Configure the rule to send an email through Amazon SES when the rule state reaches ALARM.
D. Verify each developer mobile phone in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge (Amazon CloudWatch Events) rule by using Error as the event pattern and the Lambda function name as a resource. Configure the rule to send a push notification through Amazon SES when the rule state reaches ALARM.
Hint Answer: A
Question #: 190
Topic #: 1
A SysOps administrator must analyze Amazon CloudWatch logs across 10 AWS Lambda functions for historical errors. The logs are in JSON format and are stored in Amazon S3. Errors sometimes do not appear in the same field, but all errors begin with the same string prefix.
What is the MOST operationally efficient way for the SysOps administrator to analyze the log files?
A. Use S3 Select to write a query to search for errors. Run the query across all log groups of interest.
B. Create an AWS Glue processing job to index the logs of interest. Run a query in Amazon Athena to search for errors.
C. Use Amazon CloudWatch Logs Insights to write a query to search for errors. Run the query across all log groups of interest.
D. Use Amazon CloudWatch Contributor Insights to create a rule. Apply the rule across all log groups of interest.
Hint Answer: B
Question #: 191
Topic #: 1
A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancer (ELB). The company’s security team wants to protect the website by using AWS Certificate Manager (ACM) certificates. The ELB must automatically redirect any HTTP requests to HTTPS.
Which solution will meet these requirements?
A. Create an Application Load Balancer that has one HTTPS listener on port 80. Attach an SSL/TLS certificate to listener port 80. Create a rule to redirect requests from HTTP to HTTPS.
B. Create an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS protocol listener on port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
C. Create an Application Load Balancer that has two TCP listeners on port 80 and port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
D. Create a Network Load Balancer that has two TCP listeners on port 80 and port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
Hint Answer: B
Question #: 192
Topic #: 1
A company has an existing web application that runs on two Amazon EC2 instances behind an Application Load Balancer (ALB) across two Availability Zones. The application uses an Amazon RDS Multi-AZ DB Instance. Amazon Route 53 record sets route requests for dynamic content to the load balancer and requests for static content to an Amazon S3 bucket. Site visitors are reporting extremely long loading times.
Which actions should be taken to improve the performance of the website? (Choose two.)
A. Add Amazon CloudFront caching for static content.
B. Change the load balancer listener from HTTPS to TCP.
C. Enable Amazon Route 53 latency-based routing.
D. Implement Amazon EC2 Auto Scaling for the web servers.
E. Move the static content from Amazon S3 to the web servers.
Hint Answer: AD
Question #: 193
Topic #: 1
A SysOps administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet.
Public Subnet (10.0.1.0/24) Route Table
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      IGW
Private Subnet (10.0.2.0/24) Route Table
Destination    Target
10.0.0.0/16    local
What should be added to the private subnet’s route table in order to address this issue, given the information provided?
A. 0.0.0.0/0 IGW
B. 0.0.0.0/0 NAT
C. 10.0.1.0/24 IGW
D. 10.0.1.0/24 NAT
Hint Answer: B
Question #: 194
Topic #: 1
A SysOps administrator wants to securely share an object from a private Amazon S3 bucket with a group of users who do not have an AWS account.
What is the MOST operationally efficient solution that will meet this requirement?
A. Attach an S3 bucket policy that only allows object downloads from the users’ IP addresses.
B. Create an IAM role that has access to the object. Instruct the users to assume the role.
C. Create an IAM user that has access to the object. Share the credentials with the users.
D. Generate a presigned URL for the object. Share the URL with the users.
Hint Answer: D
Question #: 195
Topic #: 1
A company creates a new Amazon FSx for Windows File Server file system. To help manage costs, the company configures the storage capacity for the file system with minimal room for growth.
The company creates an Amazon Simple Notification Service (Amazon SNS) topic in the same AWS account where the file system resides. The company subscribes a SysOps administrator’s email address to the SNS topic. The SysOps administrator needs to receive email notification when the file system has less than 100 GB of space available.
Which combination of steps should the SysOps administrator take to meet this requirement? (Choose two.)
A. Create an Amazon EventBridge rule for when the FreeStorageCapacity metric is less than or equal to 100,000,000,000 bytes (100 GB).
B. Create an Amazon CloudWatch alarm for when the FreeStorageCapacity metric is less than or equal to 100,000,000,000 bytes (100 GB).
C. Create an AWS Lambda function that will run when the Amazon CloudWatch alarm enters ALARM state. Configure the Lambda function to publish to the SNS topic.
D. Configure the Amazon EventBridge rule’s alarm action to publish to the SNS topic when the rule enters ALARM state.
E. Configure the Amazon CloudWatch alarm action to publish to the SNS topic when the alarm enters ALARM state.
Hint Answer: BE
Question #: 196
Topic #: 1
A company has a core application that must run 24 hours a day, 7 days a week. The application uses Amazon EC2, AWS Fargate, and AWS Lambda. The company uses a combination of operating systems across different AWS Regions.
The company needs to maximize cost savings while committing to a pricing model that offers flexibility to make changes.
What should the company do to meet these requirements?
A. Purchase a Compute Savings Plan that is based on Savings Plans recommendations.
B. Purchase an EC2 Instance Savings Plan that covers the EC2 instance types and the Fargate and Lambda vCPU equivalents.
C. Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy.
D. Use EC2 Spot Instances that match the type and size of existing instances that run in each Region.
Hint Answer: A
Question #: 197
Topic #: 1
A SysOps administrator needs to update an AWS account name.
What should the SysOps administrator do to accomplish this goal?
A. Add the AdministratorAccess policy to the SysOps administrator’s IAM user.
B. Add the AWS_ConfigureRole policy to the SysOps administrator’s IAM user.
C. Change the AWS account name through the AWS Trusted Advisor interface.
D. Sign in as the AWS account root user to make the change.
Hint Answer: D
Question #: 198
Topic #: 1
A SysOps administrator has been able to consolidate multiple, secure websites onto a single server, and each site is running on a different port. The administrator now wants to start a duplicate server in a second Availability Zone and put both behind a load balancer for high availability.
What would be the command line necessary to deploy one of the sites’ certificates to the load balancer?
A. aws kms modify-listener --load-balancer-name my-load-balancer --certificates CertificateArn=arn:aws:iam::123456789012:server-certificate/my-new-server-cert
B. aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-server-cert
C. aws ec2 put-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-server-cert
D. aws acm put-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-server-cert
Hint Answer: B
Question #: 199
Topic #: 1
A global company wants to allow anyone in the world to upload videos from a mobile phone. The company’s mobile app uploads the videos across the public internet to an Amazon S3 bucket in the us-east-1 Region for further processing.
Videos that users upload from locations that are distant from us-east-1 have slower upload speeds than videos that users upload from close to us-east-1. In many cases, the slow uploads cause users from the distant locations to cancel their uploads.
Which solution will improve the upload speeds for the users from distant locations?
A. Enable S3 Transfer Acceleration on the S3 bucket. Change the mobile app to use the S3 Transfer Acceleration endpoint for uploads.
B. Create an S3 access point for the S3 bucket in several AWS Regions across the world. Change the mobile app to use the S3 access point endpoint for uploads.
C. Use S3 Select on the S3 bucket. Change the mobile app to use the S3 Select global endpoint for uploads.
D. Create new public Network Load Balancers (NLBs) in several AWS Regions across the world. Specify the S3 bucket as the target of the NLBs. Change the mobile app to use the closest NLB for uploads.
Hint Answer: A
Question #: 200
Topic #: 1
A company’s SysOps administrator uses AWS IAM Identity Center (AWS Single Sign-On) to connect to an Active Directory. The SysOps administrator creates a new account that all the company’s users need to access.
The SysOps administrator uses the Active Directory Domain Users group for permissions to the new account because all users are already members of the group. When users try to log in, their access is denied.
Which action will resolve this access issue?
A. Create a new group. Add users to the new group to provide access.
B. Correct the time on the Active Directory domain controllers.
C. Remove the account. Re-add the account to the organization that is integrated with IAM Identity Center.
D. Correct the permissions on the Active Directory group so that IAM Identity Center has read access.
Hint Answer: D