AWS Certified SysOps Administrator SOA-C02 Part 5
Question #: 201
Topic #: 1
A SysOps administrator configures VPC flow logs to publish to Amazon CloudWatch Logs. The SysOps administrator reviews the logs in CloudWatch Logs and notices less traffic than expected. After the SysOps administrator compares the VPC flow logs to logs that were captured on premises, the SysOps administrator believes that the VPC flow logs are incomplete.
Which of the following is a possible reason for the difference in traffic?
A. CloudWatch Logs throttling has been applied.
B. The CloudWatch IAM role does not have a trust relationship with the VPC flow logs service.
C. The VPC flow log is still in the process of being created.
D. VPC flow logs cannot capture traffic from on-premises servers to a VPC.
Hint Answer: D
Question #: 202
Topic #: 1
An application is running on an Amazon EC2 instance in a VPC with the default DHCP option set. The application connects to an on-premises Microsoft SQL Server database with the DNS name mssql.example.com. The application is unable to resolve the database DNS name.
Which solution will fix this problem?
A. Create an Amazon Route 53 Resolver inbound endpoint. Add a forwarding rule for the domain example.com. Associate the forwarding rule with the VPC.
B. Create an Amazon Route 53 Resolver inbound endpoint. Add a system rule for the domain example.com. Associate the system rule with the VPC.
C. Create an Amazon Route 53 Resolver outbound endpoint. Add a forwarding rule for the domain example.com. Associate the forwarding rule with the VPC.
D. Create an Amazon Route 53 Resolver outbound endpoint. Add a system rule for the domain example.com. Associate the system rule with the VPC.
Hint Answer: C
Question #: 203
Topic #: 1
A company has an application that uses an Amazon RDS for MariaDB Multi-AZ database. The application becomes unavailable for several minutes every time the database experiences a failover during a planned maintenance event.
What should a SysOps administrator do to reduce the downtime of the application during failover?
A. Create an RDS for MariaDB DB cluster that has multiple writer instances. Configure the application to retry failed queries on another primary node during maintenance events.
B. Configure the RDS maintenance window settings to pool connections while a failover is in process.
C. Configure an Amazon ElastiCache write-through cache for the database. Configure the application to connect to the cache instead of directly to the database.
D. Create an RDS proxy that is associated with the database. Configure the application to connect to the proxy instead of directly to the database.
Hint Answer: D
Question #: 204
Topic #: 1
A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443.
The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet.
Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Choose three.)
A. Ensure that the inbound rules of the instance’s security group allow traffic on ports 80 and 443.
B. Ensure that the outbound rules of the instance’s security group allow traffic on ports 80 and 443.
C. Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance’s subnet.
D. Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance’s subnet.
E. Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.
F. Ensure that AWS WAF is turned on for the instance and is blocking web traffic.
Hint Answer: ADE
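Why D and not C: the instance already downloads updates, so outbound 80/443 and the inbound ephemeral range must be working; what is missing is the outbound ephemeral range that carries replies back to browsers. The model below is an added example (not part of the question set) with constructed rule sets and example IP ranges; it evaluates a stateless NACL the way the VPC does, lowest rule number first, first match wins, implicit deny at the end.

```python
"""Stateless network ACL evaluation for a public web server, modelled in plain
Python. Added example with constructed rule sets (not from the page): it shows
why allowing inbound 80/443 is only half the job. A NACL keeps no connection
state, so the reply to a browser's ephemeral source port must pass the
outbound rules on its own, which is the point of option D."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated lowest number first; first match decides
    action: str      # "allow" or "deny"
    cidr: str        # remote network the rule applies to
    port_from: int
    port_to: int


def evaluate(rules, remote_ip, port):
    """True if a packet on `port` to/from `remote_ip` passes this rule set.
    With no matching rule the implicit final deny (the '*' rule) applies."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False


def connection_allowed(request_rules, reply_rules, remote_ip, request_port, reply_port):
    """A TCP connection only works if the request (to request_port) passes the
    rule set it enters through AND the reply (to reply_port) passes the rule
    set for the opposite direction. A stateful security group would pass the
    reply automatically; a NACL will not."""
    return (evaluate(request_rules, remote_ip, request_port)
            and evaluate(reply_rules, remote_ip, reply_port))


# Inbound: a known scanner range is blocked first, then HTTP/HTTPS from anywhere,
# then the ephemeral range so replies to the instance's own outbound requests
# (package downloads) get back in.
INBOUND_WEB = [
    Rule(90, "deny", "198.51.100.0/24", 0, 65535),
    Rule(100, "allow", "0.0.0.0/0", 80, 80),
    Rule(110, "allow", "0.0.0.0/0", 443, 443),
    Rule(120, "allow", "0.0.0.0/0", 1024, 65535),
]

# Outbound as an administrator might first write it: mirrors the inbound ports.
# Package downloads work, but replies to browsers never match a rule.
OUTBOUND_MIRRORED = [
    Rule(100, "allow", "0.0.0.0/0", 80, 80),
    Rule(110, "allow", "0.0.0.0/0", 443, 443),
]

# Outbound as option D requires: the ephemeral range for replies to clients.
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_MIRRORED + [
    Rule(120, "allow", "0.0.0.0/0", 1024, 65535),
]


if __name__ == "__main__":
    repo_ok = connection_allowed(OUTBOUND_MIRRORED, INBOUND_WEB, "192.0.2.44", 443, 40022)
    print("instance -> package repo:", "works" if repo_ok else "times out")
    for label, outbound in (("mirrored", OUTBOUND_MIRRORED),
                            ("with ephemeral", OUTBOUND_WITH_EPHEMERAL)):
        ok = connection_allowed(INBOUND_WEB, outbound, "203.0.113.9", 443, 54321)
        print(f"browser -> instance ({label}):", "works" if ok else "times out")
```

The deny rule numbered 90 also shows why rule order matters: a client from the blocked range fails even though rule 100 would allow it, because the lower-numbered deny matches first. Options A and E (security group inbound, host firewall) are the stateful layers in front of and behind this check; the NACL is the only stateless one.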
Question #: 205
Topic #: 1
A SysOps administrator is using IAM credentials to try to upload a file to a customer’s Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The SysOps administrator is receiving an AccessDenied message.
Which combination of configuration changes will correct this problem? (Choose two.)
A. Add this IAM policy to the SysOps administrator user:
B. Add this IAM policy to the customer S3 bucket:
C. Add this IAM policy to the SysOps administrator user:
D. Add this IAM policy to the customer account root user:
E. Add this IAM policy to the SysOps administrator account root user:
Hint Answer: AB
Question #: 206
Topic #: 1
A company is deploying an ecommerce application to an AWS Region that is located in France. The company wants users from only France to be able to access the first version of the application. The company plans to add more countries for the next version of the application. A SysOps administrator needs to configure the routing policy in Amazon Route 53.
Which solution will meet these requirements?
A. Use a geoproximity routing policy. Select France as the location in the record.
B. Use a geolocation routing policy. Select France as the location in the record.
C. Use an IP-based routing policy. Select all IP addresses that are allocated to France in the record.
D. Use a geoproximity routing policy. Select all IP addresses that are allocated to France in the record.
Hint Answer: B
Question #: 207
Topic #: 1
A SysOps administrator has an AWS CloudFormation template of the company’s existing infrastructure in us-west-2. The administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back.
Why would this template fail to deploy? (Choose two.)
A. The template referenced an IAM user that is not available in eu-west-1.
B. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1.
C. The template did not have the proper level of permissions to deploy the resources.
D. The template requested services that do not exist in eu-west-1.
E. CloudFormation templates can be used only to update existing services.
Hint Answer: BD
Question #: 208
Topic #: 1
A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A SysOps administrator must ensure that an on-premises server can query records in the example.com domain.
What should the SysOps administrator do to meet these requirements?
A. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
B. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
C. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
D. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
Hint Answer: A
Question #: 209
Topic #: 1
A company has an encrypted Amazon S3 bucket that is hosted in the ap-southeast-2 Region. Users from the eu-west-2 Region access the S3 bucket over the internet. The users from eu-west-2 need faster transfers to and from the S3 bucket for large files.
Which solution will meet these requirements?
A. Reduce the length of the S3 bucket prefixes within the S3 bucket.
B. Change the server-side encryption on the S3 bucket from AES to RSA.
C. Create a new S3 bucket that has an identical name in eu-west-2. Use the new S3 bucket endpoint’s domain name for access.
D. Enable S3 Transfer Acceleration on the S3 bucket. Use the new s3-accelerate endpoint’s domain name for access.
Hint Answer: D
Question #: 210
Topic #: 1
A company runs a high performance computing (HPC) application on an Amazon EC2 instance. The company needs to scale this architecture to two or more EC2 instances. The EC2 instances will need to communicate with each other at high speeds with low latency to support the application.
The company wants to ensure that the network performance can support the required communication between the EC2 instances.
What should a SysOps administrator do to meet these requirements?
A. Create a cluster placement group. Back up the existing EC2 instance to an Amazon Machine Image (AMI). Restore the EC2 instance from the AMI into the placement group. Launch the additional EC2 instances into the placement group.
B. Back up the existing EC2 instance to an Amazon Machine Image (AMI). Create a launch template from the existing EC2 instance by specifying the AMI. Create an Auto Scaling group and configure the desired instance count.
C. Create a Network Load Balancer (NLB) and a target group. Launch the new EC2 instances and register them with the target group. Register the existing EC2 instance with the target group. Pass all application traffic through the NLB.
D. Back up the existing EC2 instance to an Amazon Machine Image (AMI). Create additional clones of the EC2 instance from the AMI in the same Availability Zone where the existing EC2 instance is located.
Hint Answer: A
Question #: 211
Topic #: 1
A company has applications that process transaction requests multiple times each minute. The applications write transaction data to a single Amazon RDS DB instance. As the company begins to process more transactions, the company becomes concerned that it has no failover solution in place for disaster recovery (DR). The company needs the DB instance to fail over automatically without losing any committed transactions.
Which solution will meet these requirements?
A. Create an RDS read replica in the same AWS Region. Configure an AWS Lambda function to promote the replica as the primary DB instance during a DR scenario.
B. Create an RDS read replica in a different AWS Region. Configure an AWS Lambda function to promote the replica as the primary DB instance during a DR scenario.
C. Modify the DB instance to be a Multi-AZ deployment.
D. Set up an Amazon CloudWatch alarm that monitors the DB instance memory utilization with a threshold greater than 90%. Invoke an AWS Lambda function to restart the DB instance.
Hint Answer: C
Question #: 212
Topic #: 1
A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account.
What is the MOST operationally efficient solution to control the production account?
A. Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
B. Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
C. Create a service control policy (SCP). Apply the SCP to the production OU.
D. Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.
Hint Answer: C
Question #: 213
Topic #: 1
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user’s credentials in the application’s configuration.
B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user’s access key and secret access key as environment variables on the EC2 instance.
C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Hint Answer: D
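Options C and D both fix the credential-handling problem (a role delivers short-lived credentials through the instance metadata service instead of long-lived keys on disk or in the environment); D wins because it also limits the actions. The block below is an added example, not from the question set: it builds the option D policy document for constructed queue ARNs and lints policy documents for the two over-broad shapes that separate C from D, wildcard actions and Resource "*".

```python
"""Least-privilege SQS access for an EC2-hosted consumer (option D) and a
small linter that flags the over-broad shapes the other options rely on.
Added example; the policy documents and queue ARNs are constructed here,
not taken from the page."""
import json


def sqs_consumer_policy(queue_arns):
    """Policy document for the instance role: only the three actions the
    application needs, scoped to the named queues. No credentials appear
    anywhere; the instance obtains temporary ones from the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ConsumeFromNamedQueues",
            "Effect": "Allow",
            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": list(queue_arns),
        }],
    }


def _as_list(value):
    # IAM accepts a single string or a list in Action/Resource/Statement
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Human-readable findings for Allow statements broader than one workload needs."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(f"statement {i}: NotAction allows everything except the listed actions")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource * reaches every queue in the account")
    return findings


# Constructed queue ARNs for the example
QUEUE_ARNS = ["arn:aws:sqs:us-east-1:123456789012:orders",
              "arn:aws:sqs:us-east-1:123456789012:orders-dlq"]

# The shape option C produces: right delivery mechanism (a role), but sqs:*
# also grants DeleteQueue, PurgeQueue and SetQueueAttributes on those queues.
OPTION_C_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": QUEUE_ARNS}],
}


if __name__ == "__main__":
    print(json.dumps(sqs_consumer_policy(QUEUE_ARNS), indent=2))
    for name, pol in (("option D", sqs_consumer_policy(QUEUE_ARNS)),
                      ("option C", OPTION_C_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
```

Two practical notes. The role also needs a trust policy that lets ec2.amazonaws.com assume it, and it is attached to the instance through an instance profile. And if the application looks queues up by name rather than URL, it will additionally call sqs:GetQueueUrl, which this minimal statement does not grant; add only the actions the code actually makes.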
Question #: 214
Topic #: 1
While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it.
What address should be used to create the customer gateway resource?
A. The private IP address of the customer gateway device
B. The MAC address of the NAT device in front of the customer gateway device
C. The public IP address of the customer gateway device
D. The public IP address of the NAT device in front of the customer gateway device
Hint Answer: D
Question #: 215
Topic #: 1
A company has an AWS Site-to-Site VPN connection between on-premises resources and resources that are hosted in a VPC. A SysOps administrator launches an Amazon EC2 instance that has only a private IP address into a private subnet in the VPC. The EC2 instance runs Microsoft Windows Server.
A security group for the EC2 instance has rules that allow inbound traffic from the on-premises network over the VPN connection. The on-premises environment contains a third-party network firewall. Rules in the third-party network firewall allow Remote Desktop Protocol (RDP) traffic from the on-premises users to flow over the VPN connection.
The on-premises users are unable to connect to the EC2 instance and receive a timeout error.
What should the SysOps administrator do to troubleshoot this issue?
A. Create Amazon CloudWatch logs for the EC2 instance to check for blocked traffic.
B. Create Amazon CloudWatch logs for the Site-to-Site VPN connection to check for blocked traffic.
C. Create VPC flow logs for the EC2 instance’s elastic network interface to check for rejected traffic.
D. Instruct users to use EC2 Instance Connect as a connection method.
Hint Answer: C
Question #: 216
Topic #: 1
A company wants to apply an existing Amazon Route 53 private hosted zone to a new VPC to allow for customized resource name resolution within the VPC. The SysOps administrator created the VPC and added the appropriate resource record sets to the private hosted zone.
Which step should the SysOps administrator take to complete the setup?
A. Associate the Route 53 private hosted zone with the VPC.
B. Create a rule in the default security group for the VPC that allows traffic to the Route 53 Resolver.
C. Ensure the VPC network ACLs allow traffic to the Route 53 Resolver.
D. Ensure there is a route to the Route 53 Resolver in each of the VPC route tables.
Hint Answer: A
Question #: 217
Topic #: 1
A company uses AWS Organizations to host several applications across multiple AWS accounts. Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts.
A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed. The solution must be integrated with the company’s existing on-premises Active Directory environment. The SysOps administrator already has enabled AWS IAM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection.
What is the MOST operationally efficient solution that meets these requirements?
A. Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
B. Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
C. Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
D. Use the built-in SSO directory as the identity source for IAM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
Hint Answer: C
Question #: 218
Topic #: 1
Users are reporting consistent forced logouts from a stateful web application. The logouts occur before the expiration of a 15-minute application logout timer.
The web application is hosted on Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Session affinity (sticky sessions) is already enabled on the ALB target group and uses duration-based cookies. The web application generates its own application cookie.
Which combination of actions should a SysOps administrator take to resolve the logout problem? (Choose two.)
A. Change to the least outstanding requests algorithm on the ALB target group.
B. Configure cookie forwarding in the CloudFront distribution’s cache behavior settings.
C. Configure the duration-based cookie to be named AWSALB.
D. Configure the ALB to use the expiration cookie header.
E. Change the ALB to use application-based cookies.
Hint Answer: BE
Question #: 219
Topic #: 1
A company uses Amazon CloudFront to serve static content to end users. The company’s marketing team recently deployed updates to 150 images on the company’s website. However, the website is not displaying some of the new images.
A SysOps administrator reviews the CloudFront distribution’s cache settings. The default TTL for the distribution is set to 1 week (604,800 seconds).
What should the SysOps administrator do to refresh the cache with the new images in the MOST operationally efficient way?
A. Create a new CloudFront distribution that has the same origin. Set the default TTL to 1 minute (60 seconds). Switch Amazon Route 53 DNS records to use the new distribution.
B. Instruct the marketing team to upload the new images to a different location. When the new images are uploaded, update the website to locate the new images.
C. Issue a CloudFront invalidation request to immediately expire the new images from the marketing team’s update.
D. Update the existing CloudFront distribution to reconfigure the default TTL to 1 minute (60 seconds). During submission of the new configuration, include the flag to invalidate objects in the specified path.
Hint Answer: C
Question #: 220
Topic #: 1
A company’s social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services.
A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user’s location.
Which solution will meet these requirements?
A. Configure a Route 53 latency routing policy.
B. Configure a Route 53 multivalue answer routing policy.
C. Configure a Route 53 geolocation routing policy.
D. Configure a Route 53 IP-based routing policy.
Hint Answer: C
Question #: 221
Topic #: 1
A SysOps administrator notices that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. The SysOps administrator needs to increase the cache hit ratio for the distribution, improve network performance, and reduce the load on the origin.
Which combination of actions should the SysOps administrator take to meet these requirements? (Choose two.)
A. Enable CloudFront Origin Shield for the required AWS Regions.
B. Change the viewer protocol policy to use HTTPS only.
C. Add a second origin. Create an origin group that includes both origins. Activate CloudFront origin failover.
D. Turn on automatic compression of objects in the cache behavior settings.
E. Increase the CloudFront TTL values in the cache behavior settings.
Hint Answer: AE
Question #: 222
Topic #: 1
A SysOps administrator configured VPC flow logs by using the default format. The SysOps administrator specified Amazon CloudWatch Logs as the destination. This solution has worked successfully for several months. However, because of additional troubleshooting requirements, the SysOps administrator needs to include the tcp-flags field on the flow logs.
What should the SysOps administrator do to meet this requirement?
A. Create a new flow log. Include the tcp-flags field in the custom log format. Delete the original flow log.
B. In the CloudWatch Logs log group, modify the filter to include the tcp-flags field and the type field.
C. In CloudWatch Metrics, modify the metric configuration to include the tcp-flags field.
D. Modify the existing flow log. Include the tcp-flags field and the type field in the custom log format. Save the configuration.
Hint Answer: A
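Questions 215 and 222 both come down to reading flow log records. Below is an added example, not from the question set, of a parser for the custom format that Q222 asks for (the 14 default fields followed by tcp-flags; the field order is an assumption and is fixed at flow log creation, which is why option A creates a new flow log). The records are constructed to that layout. Over them it pulls out the rejected RDP attempts from Q215, the SYN-only flows that show a drop behind the ENI even though the security group said ACCEPT (a Windows Firewall rule, for instance), and the log-status values that tell you when a flow log is missing records, which is the caveat behind Q201.

```python
"""Parse VPC flow log records written with a custom format that appends
tcp-flags to the default fields, then report rejected traffic to a port,
SYN flows that never got a SYN-ACK, and the log-status breakdown.
Added example; the records are constructed to the documented field layout,
not captured from a real VPC."""
from collections import Counter

# Field order assumed for the custom format: the 14 default fields followed by
# ${tcp-flags}. The format cannot be changed after the flow log is created.
FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status tcp-flags"
).split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end", "tcp-flags"}

# tcp-flags is a bitmask OR-ed over the aggregation interval; SYN-ACK = 18.
# A bare ACK is not reported, so the client side of a healthy connection
# typically shows SYN plus PSH/FIN (11) and the server side SYN-ACK plus FIN (19).
FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16

SAMPLE_LOG = """\
3 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.12 10.1.2.34 51001 3389 6 3 180 1700000000 1700000030 REJECT OK 2
3 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.12 10.1.2.34 51002 443 6 12 2400 1700000000 1700000030 ACCEPT OK 11
3 123456789012 eni-0a1b2c3d4e5f6a7b8 10.1.2.34 10.0.0.12 443 51002 6 10 9800 1700000000 1700000030 ACCEPT OK 19
3 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.1.2.34 40000 3389 6 1 60 1700000000 1700000030 ACCEPT OK 2
3 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000030 - SKIPDATA -
"""


def parse_records(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # a line in a different format; never guess field positions
        rec = dict(zip(FIELDS, parts))
        for name in INT_FIELDS:
            rec[name] = None if rec[name] == "-" else int(rec[name])
        records.append(rec)
    return records


def rejected_to_port(records, port):
    """Source/destination pairs a security group or NACL rejected on `port`."""
    return [(r["srcaddr"], r["dstaddr"]) for r in records
            if r["action"] == "REJECT" and r["dstport"] == port]


def unanswered_syns(records):
    """ACCEPTed TCP client flows (SYN set, ACK clear) with no SYN-ACK flow in
    the reverse direction. The security group let the packet in, so whatever
    dropped it sits behind the ENI: a host firewall, no listener, or a route
    that sends the reply elsewhere."""
    by_flow = {}
    for r in records:
        if r["log-status"] != "OK" or r["protocol"] != 6:
            continue
        key = (r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"])
        action, flags = by_flow.get(key, (r["action"], 0))
        by_flow[key] = (action, flags | r["tcp-flags"])  # OR across intervals
    result = []
    for (src, dst, sport, dport), (action, flags) in by_flow.items():
        if action != "ACCEPT" or (flags & (SYN | ACK)) != SYN:
            continue
        reverse = by_flow.get((dst, src, dport, sport))
        if reverse is None or (reverse[1] & (SYN | ACK)) != (SYN | ACK):
            result.append((src, dst, sport, dport))
    return result


def log_status_summary(records):
    """OK vs NODATA/SKIPDATA counts. SKIPDATA means records were dropped in
    that interval, one reason a flow log can look incomplete."""
    return Counter(r["log-status"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("rejected RDP:", rejected_to_port(recs, 3389))
    print("SYN without SYN-ACK:", unanswered_syns(recs))
    print("log-status:", dict(log_status_summary(recs)))
```

Reading the sample: the first record is the security group rejecting RDP (fix the rule); the fourth is RDP accepted by the security group with nothing coming back, which points at the Windows host firewall rather than at AWS networking; the last record is the flow log service itself telling you it skipped data in that interval.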
Question #: 223
Topic #: 1
A manufacturing company uses an Amazon RDS DB instance to store inventory of all stock items. The company maintains several AWS Lambda functions that interact with the database to add, update, and delete items. The Lambda functions use hardcoded credentials to connect to the database.
A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days.
Which solution will meet these requirements in the MOST operationally efficient manner?
A. Store the database password as an environment variable for each Lambda function. Create a new Lambda function that is named PasswordRotate. Use Amazon EventBridge to schedule the PasswordRotate function every 30 days to change the database password and update the environment variable for each Lambda function.
B. Use AWS Key Management Service (AWS KMS) to encrypt the database password and to store the encrypted password as an environment variable for each Lambda function. Grant each Lambda function access to the KMS key so that the database password can be decrypted when required. Create a new Lambda function that is named PasswordRotate to change the password every 30 days.
C. Use AWS Secrets Manager to store credentials for the database. Create a Secrets Manager secret, and select the database so that Secrets Manager will use a Lambda function to update the database password automatically. Specify an automatic rotation schedule of 30 days. Update each Lambda function to access the database password from Secrets Manager.
D. Use AWS Systems Manager Parameter Store to create a secure string to store credentials for the database. Create a new Lambda function called PasswordRotate. Use Amazon EventBridge to schedule the PasswordRotate function every 30 days to change the database password and to update the secret within Parameter Store. Update each Lambda function to access the database password from Parameter Store.
Hint Answer: C
Question #: 224
Topic #: 1
A company is using an Amazon DynamoDB table for data. A SysOps administrator must configure replication of the table to another AWS Region for disaster recovery.
What should the SysOps administrator do to meet this requirement?
A. Enable DynamoDB Accelerator (DAX).
B. Enable DynamoDB Streams, and add a global secondary index (GSI).
C. Enable DynamoDB Streams, and add a global table Region.
D. Enable point-in-time recovery.
Hint Answer: C
Question #: 225
Topic #: 1
A SysOps administrator needs to automate the invocation of an AWS Lambda function. The Lambda function must run at the end of each day to generate a report on data that is stored in an Amazon S3 bucket.
What is the MOST operationally efficient solution that meets these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that has an event pattern for Amazon S3 and the Lambda function as a target.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that has a schedule and the Lambda function as a target.
C. Create an S3 event notification to invoke the Lambda function whenever objects change in the S3 bucket.
D. Deploy an Amazon EC2 instance with a cron job to invoke the Lambda function.
Hint Answer: B
Question #: 226
Topic #: 1
A company has a policy that all Amazon EC2 instance logs must be published to Amazon CloudWatch Logs. A SysOps administrator is troubleshooting an EC2 instance that is running Amazon Linux 2. The EC2 instance is not publishing logs to CloudWatch Logs. The Amazon CloudWatch agent is running on the EC2 instance, and the agent configuration file is correct.
What should the SysOps administrator do to resolve the issue?
A. Configure the AWS CLI on the EC2 instance. Create a cron job that calls the PutLogEvents API operation to push the log files to CloudWatch every 5 minutes.
B. Inspect the retention period of the CloudWatch Logs log group. Ensure that the retention period is set to a value that is greater than 1 day.
C. Set up an Amazon Kinesis data stream that is running in the same AWS Region as the EC2 instance. Configure the CloudWatch agent on the EC2 instance to send CloudWatch events to the data stream.
D. Ensure that the IAM role that is attached to the EC2 instance has permissions in CloudWatch Logs for the CreateLogGroup, CreateLogStream, PutLogEvents, and DescribeLogStreams actions.
Hint Answer: D
Question #: 227
Topic #: 1
A company has an AWS CloudFormation template that creates an Amazon S3 bucket. A user authenticates to the corporate AWS account with their Active Directory credentials and attempts to deploy the CloudFormation template. However, the stack creation fails.
Which factors could cause this failure? (Choose two.)
A. The user’s IAM policy does not allow the cloudformation:CreateStack action.
B. The user’s IAM policy does not allow the cloudformation:CreateStackSet action.
C. The user’s IAM policy does not allow the s3:CreateBucket action.
D. The user’s IAM policy explicitly denies the s3:ListBucket action.
E. The user’s IAM policy explicitly denies the s3:PutObject action.
Hint Answer: AC
Question #: 228
Topic #: 1
A company is expanding globally and needs to back up data on Amazon Elastic Block Store (Amazon EBS) volumes to a different AWS Region. Most of the EBS volumes that store the data are encrypted, but some of the EBS volumes are unencrypted. The company needs the backup data from all the EBS volumes to be encrypted.
Which solution will meet these requirements with the LEAST management overhead?
A. Configure a lifecycle policy in Amazon Data Lifecycle Manager (Amazon DLM) to create the EBS volume snapshots with cross-Region backups enabled. Encrypt the snapshot copies by using AWS Key Management Service (AWS KMS).
B. Create a point-in-time snapshot of the EBS volumes. When the snapshot status is COMPLETED, copy the snapshots to another Region and set the Encrypted parameter to False.
C. Create a point-in-time snapshot of the EBS volumes. Copy the snapshots to an Amazon S3 bucket that uses server-side encryption. Turn on S3 Cross-Region Replication on the S3 bucket.
D. Schedule an AWS Lambda function with the Python runtime. Configure the Lambda function to create the EBS volume snapshots, encrypt the unencrypted snapshots, and copy the snapshots to another Region.
Hint Answer: A
Question #: 229
Topic #: 1
A company runs hundreds of Amazon EC2 instances in a single AWS Region. Each EC2 instance has two attached 1 GiB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volumes. A critical workload is using all the available IOPS capacity on the EBS volumes.
According to company policy, the company cannot change instance types or EBS volume types without completing lengthy acceptance tests to validate that the company’s applications will function properly. A SysOps administrator needs to increase the I/O performance of the EBS volumes as quickly as possible.
Which action should the SysOps administrator take to meet these requirements?
A. Increase the size of the 1 GiB EBS volumes.
B. Add two additional elastic network interfaces on each EC2 instance.
C. Turn on Transfer Acceleration on the EBS volumes in the Region.
D. Add all the EC2 instances to a cluster placement group.
Hint Answer: A
Question #: 230
Topic #: 1
A company’s web application is available through an Amazon CloudFront distribution and directly through an internet-facing Application Load Balancer (ALB). A SysOps administrator must make the application accessible only through the CloudFront distribution and not directly through the ALB. The SysOps administrator must make this change without changing the application code.
Which solution will meet these requirements?
A. Modify the ALB type to internal. Set the distribution’s origin to the internal ALB domain name.
B. Create a Lambda@Edge function. Configure the function to compare a custom header value in the request with a stored password and to forward the request to the origin in case of a match. Associate the function with the distribution.
C. Replace the ALB with a new internal ALB. Set the distribution’s origin to the internal ALB domain name. Add a custom HTTP header to the origin settings for the distribution. In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value. Add a default rule to return a fixed response code of 403.
D. Add a custom HTTP header to the origin settings for the distribution. In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value. Add a default rule to return a fixed response code of 403.
Hint Answer: D
Question #: 231
Topic #: 1
An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department, it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership.
What is the BEST method to allow access using current LDAP credentials?
A. Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
B. Create a Lambda function to read LDAP groups and automate the creation of IAM users.
C. Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
D. Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.
Hint Answer: D
Question #: 232
Topic #: 1
A company has a policy that requires all Amazon EC2 instances to have a specific set of tags. If an EC2 instance does not have the required tags, the noncompliant instance should be terminated.
What is the MOST operationally efficient solution that meets these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all EC2 instance state changes to an AWS Lambda function to determine if each instance is compliant. Terminate any noncompliant instances.
B. Create an IAM policy that enforces all EC2 instance tag requirements. If the required tags are not in place for an instance, the policy will terminate the noncompliant instance.
C. Create an AWS Lambda function to determine if each EC2 instance is compliant and terminate an instance if it is noncompliant. Schedule the Lambda function to invoke every 5 minutes.
D. Create an AWS Config rule to check if the required tags are present. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.
Hint Answer: D
Question #: 233
Topic #: 1
A company has deployed an application on Amazon EC2 instances in a single VPC. The company has placed the EC2 instances in a private subnet in the VPC.
The EC2 instances need access to Amazon S3 buckets that are in the same AWS Region as the EC2 instances. A SysOps administrator must provide the EC2 instances with access to the S3 buckets without requiring any changes to the EC2 instances or the application. The EC2 instances must not have access to the internet.
Which solution will meet these requirements?
A. Create an S3 gateway endpoint that uses the default gateway endpoint policy. Associate the private subnet with the gateway endpoint.
B. Create an S3 interface endpoint. Associate the EC2 instances with the interface endpoint.
C. Configure a NAT gateway. Associate the private subnet with the NAT gateway.
D. Configure a proxy EC2 instance. Update the private subnet route tables to route traffic through the proxy EC2 instance. Configure the proxy to route all S3 requests to the target S3 bucket.
Hint Answer: A
Question #: 234
Topic #: 1
A company has a private Amazon S3 bucket that contains sensitive information. A SysOps administrator needs to keep logs of the IP addresses from authentication failures that result from attempts to access objects in the bucket. The logs must be stored so that they cannot be overwritten or deleted for 90 days.
Which solution will meet these requirements?
A. Create an AWS CloudTrail trail. Configure the log files to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
B. Create an AWS CloudTrail trail. Configure the log files to be saved to a different S3 bucket. Turn on CloudTrail log file integrity validation for 90 days.
C. Turn on access logging for the S3 bucket. Configure the access logs to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
D. Turn on access logging for the S3 bucket. Configure the access logs to be saved in a second S3 bucket. Turn on S3 Object Lock on the second S3 bucket, and configure a default retention period of 90 days.
Hint Answer: D
Question #: 235
Topic #: 1
A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent accidental modifications to specific resources.
Which solution will meet these requirements?
A. Set up an AWS Config rule to alert based on changes to any CloudFormation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
B. Set up an Amazon EventBridge event with a rule to initiate based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
C. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*.
D. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource Names (ARNs) of the protected resources.
Hint Answer: C
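Worked example for the stack-policy answer (added here; it is not part of the original question set and not AWS code). The JSON is a stack policy of the shape option C describes. The evaluator beneath it is a simplified model of how CloudFormation applies a stack policy during an update (an assumption of this example): an explicit Deny wins over any Allow, and a resource with no matching Allow is denied. The logical ID ProductionDatabase and the planned changes are placeholders.

```python
import fnmatch
import json

# Stack policy of the shape option C describes: allow every update action on
# every resource, then explicitly deny Update:* on the protected database.
# "ProductionDatabase" is an assumed logical resource ID for this example.
STACK_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*",
         "Resource": "*"},
        {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
         "Resource": "LogicalResourceId/ProductionDatabase"},
    ]
})

# The three concrete update actions a stack policy can govern.
UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Stack policies use "*" as a wildcard in both Action and Resource.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_update_allowed(policy_json, logical_id, action):
    """Simplified model of stack-policy evaluation (an assumption of this
    example, not AWS's implementation): an explicit Deny always wins, and a
    resource without a matching Allow is denied."""
    if action not in UPDATE_ACTIONS:
        raise ValueError(f"unknown stack policy action: {action}")
    resource = f"LogicalResourceId/{logical_id}"
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def blocked_changes(policy_json, changes):
    """changes maps logical ID -> update action. Returns the IDs the policy
    would stop; CloudFormation fails the update rather than touching them."""
    return sorted(lid for lid, act in changes.items()
                  if not is_update_allowed(policy_json, lid, act))


if __name__ == "__main__":
    planned = {"WebServerInstance": "Update:Replace",
               "ProductionDatabase": "Update:Modify"}
    print("blocked:", blocked_changes(STACK_POLICY, planned))
```

A stack policy is a guard rail against accidents, not an access control: whoever is allowed to update the stack can also pass a temporary overriding policy for the duration of that update, so pair the stack policy with IAM restrictions on who may set or override it.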
Question #: 236
Topic #: 1
A company wants to store sensitive financial data within Amazon S3 buckets. The company has a corporate policy that does not allow public read or write access to the buckets. A SysOps administrator must create a solution to automatically remove S3 permissions that allow public read or write access.
Which AWS service should the SysOps administrator use to meet these requirements in the MOST operationally efficient manner?
A. AWS Config
B. AWS Security Hub
C. AWS Trusted Advisor
D. Amazon Inspector
Hint Answer: A
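The AWS Config approach in practice pairs the managed rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited with an automatic remediation action (commonly the AWS-DisableS3BucketPublicReadWrite Systems Manager document), and account-level S3 Block Public Access as the preventive control in front of it. The block below is an added example, not the original question's text or AWS code: it performs the policy-level part of that check on a constructed bucket policy and shows the fix, dropping the offending statements. The bucket name, account ID and VPC endpoint ID are placeholders, and the action lists are a simplification of what the managed rules evaluate.

```python
import copy
import fnmatch

# Actions that amount to public read / public write of bucket contents.
# A simplified mapping for this example; the managed Config rules apply
# their own, broader, definitions.
PUBLIC_READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")
PUBLIC_WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                        "s3:PutBucketPolicy")

# Constructed bucket policy: one unconditional public-read statement (the
# kind the corporate policy forbids), one anonymous PutObject restricted to a
# VPC endpoint, and one grant to a specific account. IDs are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Sid": "VpceUpload", "Effect": "Allow", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::finance-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::finance-reports/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(actions, wanted):
    # IAM action names are case-insensitive; "s3:*" and "s3:Get*" are wildcards.
    return any(fnmatch.fnmatchcase(w.lower(), p.lower())
               for p in _as_list(actions) for w in wanted)


def public_grants(policy):
    """Return the Sids of Allow statements that grant public read or write
    to anyone with no Condition. Conditioned statements are skipped here, a
    simplification: AWS Config reasons about which conditions still leave a
    grant public, this example does not."""
    findings = {"read": [], "write": []}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        sid = stmt.get("Sid", f"Statement{i}")
        if _grants(stmt.get("Action", []), PUBLIC_READ_ACTIONS):
            findings["read"].append(sid)
        if _grants(stmt.get("Action", []), PUBLIC_WRITE_ACTIONS):
            findings["write"].append(sid)
    return findings


def strip_public_grants(policy):
    """Return a copy of the policy without the offending statements: the
    policy-level fix an automated remediation would apply."""
    flagged = set(sum(public_grants(policy).values(), []))
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for i, s in enumerate(fixed.get("Statement", []))
                          if s.get("Sid", f"Statement{i}") not in flagged]
    return fixed
```

Bucket ACLs are a second, independent route to public access; a complete check covers both the policy and the ACL, which is why the managed rules and Block Public Access evaluate both.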
Question #: 237
Topic #: 1
A company plans to launch a static website on its domain example.com and subdomain www.example.com using Amazon S3.
How should the SysOps administrator meet this requirement?
A. Create one S3 bucket named example.com for both the domain and subdomain.
B. Create one S3 bucket with a wildcard named *.example.com for both the domain and subdomain.
C. Create two S3 buckets named example.com and www.example.com. Configure the subdomain bucket to redirect requests to the domain bucket.
D. Create two S3 buckets named http://example.com and http://*.example.com. Configure the wildcard (*) bucket to redirect requests to the domain bucket.
Hint Answer: C
Question #: 238
Topic #: 1
A company wants to use only IPv6 for all its Amazon EC2 instances. The EC2 instances must not be accessible from the internet, but the EC2 instances must be able to access the internet. The company creates a dual-stack VPC and IPv6-only subnets.
How should a SysOps administrator configure the VPC to meet these requirements?
A. Create and attach a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.
B. Create and attach an internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway. Attach the custom route table to the IPv6-only subnets.
C. Create and attach an egress-only internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gateway. Attach the custom route table to the IPv6-only subnets.
D. Create and attach an internet gateway and a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway and all IPv4 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.
Hint Answer: C
Question #: 239
Topic #: 1
A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC. While reviewing the logs, the SysOps administrator notices that rejected traffic is not listed.
What should the SysOps administrator do to ensure that all traffic is logged?
A. Create a new flow log that has a filter setting to capture all traffic.
B. Create a new flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
C. Edit the existing flow log. Change the filter setting to capture all traffic.
D. Edit the existing flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
Hint Answer: A
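The filter (ACCEPT, REJECT or ALL) is fixed when a flow log is created, which is why the fix is a new flow log, for example `aws ec2 create-flow-logs --traffic-type ALL ...`. The block below is an added example, not part of the original question set and not AWS code: it parses default-format flow log records, counts rejected flows per destination, and applies the check that diagnoses the situation in the question, a log stream whose data-carrying records are all ACCEPT. The records, account ID and ENI ID are constructed placeholders.

```python
from collections import Counter

# Default VPC flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed records: one accepted HTTPS flow, three rejected probes against
# SSH/RDP, and a NODATA interval. Account and ENI IDs are placeholders.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.23 10.0.2.45 49152 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.23 51000 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.23 51001 3389 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.23 51002 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts; '-' becomes None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip blank or custom-format lines
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def rejected_by_destination(records):
    """Count REJECT records per (dstaddr, dstport): the first thing to look at
    when a security group or network ACL is suspected of dropping traffic."""
    return Counter((r["dstaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def looks_accept_only(records):
    """True when every record that carries data is ACCEPT. That is the
    symptom in the question: the flow log was most likely created with the
    ACCEPT filter, which cannot be changed afterwards."""
    actions = {r["action"] for r in records if r["log_status"] == "OK"}
    return bool(actions) and actions == {"ACCEPT"}
```

NODATA and SKIPDATA records carry no flow information and are excluded from the accept-only check; a stream consisting only of those indicates an idle interface or capacity problems, not a filter setting.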
Question #: 240
Topic #: 1
A company is using Amazon Elastic Container Service (Amazon ECS) to run a containerized application on Amazon EC2 instances. A SysOps administrator needs to monitor only traffic flows between the ECS tasks.
Which combination of steps should the SysOps administrator take to meet this requirement? (Choose two.)
A. Configure Amazon CloudWatch Logs on the elastic network interface of each task.
B. Configure VPC Flow Logs on the elastic network interface of each task.
C. Specify the awsvpc network mode in the task definition.
D. Specify the bridge network mode in the task definition.
E. Specify the host network mode in the task definition.
Hint Answer: BC
Question #: 241
Topic #: 1
A company’s SysOps administrator must ensure that all Amazon EC2 Windows instances that are launched in an AWS account have a third-party agent installed. The third-party agent has an .msi package. The company uses AWS Systems Manager for patching, and the Windows instances are tagged appropriately. The third-party agent requires periodic updates as new versions are released. The SysOps administrator must deploy these updates automatically.
Which combination of steps will meet these requirements with the LEAST operational effort? (Choose two.)
A. Create a Systems Manager Distributor package for the third-party agent.
B. Make sure that Systems Manager Inventory is configured. If Systems Manager Inventory is not configured, set up a new inventory for instances that is based on the appropriate tag value for Windows.
C. Create a Systems Manager State Manager association to run the AWS-RunRemoteScript document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day.
D. Create a Systems Manager State Manager association to run the AWS-ConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day.
E. Create a Systems Manager OpsItem with the tag value for Windows. Attach the Systems Manager Distributor package to the OpsItem. Create a maintenance window that is specific to the package deployment. Configure the maintenance window to cover 24 hours a day.
Hint Answer: AD
Question #: 242
Topic #: 1
A company uses AWS CloudFormation templates to deploy cloud infrastructure. An analysis of all the company’s templates shows that the company has declared the same components in multiple templates. A SysOps administrator needs to create dedicated templates that have their own parameters and conditions for these common components.
Which solution will meet this requirement?
A. Develop a CloudFormation change set.
B. Develop CloudFormation macros.
C. Develop CloudFormation nested stacks.
D. Develop CloudFormation stack sets.
Hint Answer: C
Question #: 243
Topic #: 1
A company with multiple AWS accounts needs to obtain recommendations for AWS Lambda functions and identify optimal resource configurations for each Lambda function.
How should a SysOps administrator provide these recommendations?
A. Create an AWS Serverless Application Repository and export the Lambda function recommendations.
B. Enable AWS Compute Optimizer and export the Lambda function recommendations.
C. Enable all features of AWS Organizations and export the recommendations from AWS CloudTrail Insights.
D. Run AWS Trusted Advisor and export the Lambda function recommendations.
Hint Answer: B
Question #: 244
Topic #: 1
A company has a critical serverless application that uses multiple AWS Lambda functions. Each Lambda function generates 1 GB of log data daily in its own Amazon CloudWatch Logs log group. The company’s security team asks for a count of application errors, grouped by type, across all of the log groups.
What should a SysOps administrator do to meet this requirement?
A. Perform a CloudWatch Logs Insights query that uses the stats command and count function.
B. Perform a CloudWatch Logs search that uses the groupby keyword and count function.
C. Perform an Amazon Athena query that uses the SELECT and GROUP BY keywords.
D. Perform an Amazon RDS query that uses the SELECT and GROUP BY keywords.
Hint Answer: A
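Added example for the Logs Insights answer (not part of the original question set and not AWS code). The query string is the stats/count form the answer refers to, written for an assumed message layout of "[ERROR] SomeError: detail" as the Lambda runtimes emit it; it is run with every function's log group selected. The Python beneath it reproduces the same aggregation over constructed log lines from two hypothetical log groups so the result can be checked offline.

```python
import re
from collections import Counter

# The Logs Insights query the correct answer refers to, for the assumed
# message layout "[ERROR] SomeError: detail". Select every function's log
# group when running it.
LOGS_INSIGHTS_QUERY = """
filter @message like /ERROR/
| parse @message /(?<errorType>[A-Za-z]+(?:Error|Exception))/
| stats count() as errorCount by errorType
| sort errorCount desc
"""

# Same extraction in Python; Python spells named groups (?P<name>...).
ERROR_TYPE = re.compile(r"\b(?P<errorType>[A-Za-z]+(?:Error|Exception))\b")

# Constructed log lines for two hypothetical functions' log groups.
SAMPLE_LOG_GROUPS = {
    "/aws/lambda/order-api": [
        "START RequestId: 7f3e1c2a-1111-4c7e-9b1a-000000000001 Version: $LATEST",
        "[ERROR] ValidationError: missing required field order_id",
        "[ERROR] TimeoutError: payment-service did not respond",
        "END RequestId: 7f3e1c2a-1111-4c7e-9b1a-000000000001",
    ],
    "/aws/lambda/invoice-worker": [
        "[INFO] processed invoice 42",
        "[ERROR] ValidationError: amount must be positive",
        "[ERROR] KeyError: 'customer_id'",
        "Task timed out after 3.00 seconds",
    ],
}


def count_errors_by_type(log_groups):
    """Return [(errorType, count), ...] across all groups, highest first:
    the same result the stats/sort pipeline above produces."""
    counts = Counter()
    for lines in log_groups.values():
        for line in lines:
            if "ERROR" not in line:
                continue
            match = ERROR_TYPE.search(line)
            if match:
                counts[match.group("errorType")] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Note the last sample line: Lambda's own "Task timed out" message carries no ERROR token, so a filter on /ERROR/ alone undercounts timeouts; extend the filter (for example `or @message like /Task timed out/`) if those must be included in the report.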
Question #: 245
Topic #: 1
A company is planning to host an application on a set of Amazon EC2 instances that are distributed across multiple Availability Zones. The application must be able to scale to millions of requests each second.
A SysOps administrator must design a solution to distribute the traffic to the EC2 instances. The solution must be optimized to handle sudden and volatile traffic patterns while using a single static IP address for each Availability Zone.
Which solution will meet these requirements?
A. Amazon Simple Queue Service (Amazon SQS) queue
B. Application Load Balancer
C. AWS Global Accelerator
D. Network Load Balancer
Hint Answer: D
Question #: 246
Topic #: 1
A company hosts a static website on Amazon S3. The website is served by an Amazon CloudFront distribution with a default TTL of 86,400 seconds.
The company recently uploaded an updated version of the website to Amazon S3. However, users still see the old content when they refresh the site. A SysOps administrator must make the new version of the website visible to users as soon as possible.
Which solution meets these requirements?
A. Adjust the TTL value for the DNS CNAME record that is pointing to the CloudFront distribution.
B. Create an invalidation on the CloudFront distribution for the old S3 objects.
C. Create a new CloudFront distribution. Update the DNS records to point to the new CloudFront distribution.
D. Update the DNS record for the website to point to the S3 bucket.
Hint Answer: B
Question #: 247
Topic #: 1
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched.
What should the SysOps administrator do to meet this requirement?
A. Add a wait condition to the template. Update the EC2 instance user data script to send a signal after the EC2 instance is started.
B. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource.
C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource.
D. Create multiple templates. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created.
Hint Answer: B
Question #: 248
Topic #: 1
A company hosts its website in the us-east-1 Region. The company is preparing to deploy its website into the eu-central-1 Region. Website visitors who are located in Europe should access the website that is hosted in eu-central-1. All other visitors access the website that is hosted in us-east-1. The company uses Amazon Route 53 to manage the website’s DNS records.
Which routing policy should a SysOps administrator apply to the Route 53 record set to meet these requirements?
A. Geolocation routing policy
B. Geoproximity routing policy
C. Latency routing policy
D. Multivalue answer routing policy
Hint Answer: A
Question #: 249
Topic #: 1
A company is storing media content in an Amazon S3 bucket and uses Amazon CloudFront to distribute the content to its users. Due to licensing terms, the company is not authorized to distribute the content in some countries. A SysOps administrator must restrict access to certain countries.
What is the MOST operationally efficient solution that meets these requirements?
A. Configure the S3 bucket policy to deny the GetObject operation based on the S3:LocationConstraint condition.
B. Create a secondary origin access identity (OAI). Configure the S3 bucket policy to prevent access from unauthorized countries.
C. Enable the geo restriction feature in the CloudFront distribution to prevent access from unauthorized countries.
D. Update the application to generate signed CloudFront URLs only for IP addresses in authorized countries.
Hint Answer: C
Question #: 250
Topic #: 1
A company’s VPC has connectivity to an on-premises data center through an AWS Site-to-Site VPN. The company needs Amazon EC2 instances in the VPC to send DNS queries for example.com to the DNS servers in the data center.
Which solution will meet these requirements?
A. Create an Amazon Route 53 Resolver inbound endpoint. Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the inbound endpoints.
B. Create an Amazon Route 53 Resolver inbound endpoint. Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS servers. Associate this rule with the VPC.
C. Create an Amazon Route 53 Resolver outbound endpoint. Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the outbound endpoints.
D. Create an Amazon Route 53 Resolver outbound endpoint. Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS servers. Associate this rule with the VPC.
Hint Answer: D
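In CLI terms the correct answer is an outbound endpoint (`aws route53resolver create-resolver-endpoint --direction OUTBOUND ...`), a FORWARD rule (`aws route53resolver create-resolver-rule --rule-type FORWARD --domain-name example.com --target-ips Ip=...,Port=53 ...`) and an association of that rule with the VPC (`aws route53resolver associate-resolver-rule ...`). The block below is an added example, not part of the original question set and not AWS code: it is a simplified model of how Resolver picks a rule for a query name, which matters once more than one rule could apply. The rule names and the on-premises resolver addresses are assumptions.

```python
# Simplified model of Route 53 Resolver rule selection (an assumption of this
# example, not AWS's implementation): among the rules associated with the
# VPC whose domain matches the query name, the most specific (longest) domain
# wins; FORWARD rules send the query to the listed targets through the
# outbound endpoint, SYSTEM rules hand it back to the VPC's default resolver.
SAMPLE_RULES = [
    {"name": "corp-forward", "type": "FORWARD", "domain": "example.com",
     "targets": [("10.10.0.53", 53), ("10.10.1.53", 53)]},  # assumed on-premises DNS
    {"name": "keep-aws-private-zone", "type": "SYSTEM",
     "domain": "aws.example.com", "targets": []},
]


def _normalize(name):
    return name.lower().rstrip(".")


def _matches(domain, qname):
    qname, domain = _normalize(qname), _normalize(domain)
    return qname == domain or qname.endswith("." + domain)


def select_rule(rules, qname):
    """Return the most specific matching rule, or None when no rule applies
    (the query then follows the VPC's default Route 53 Resolver path)."""
    candidates = [r for r in rules if _matches(r["domain"], qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_normalize(r["domain"])))


def resolve_path(rules, qname):
    """Describe where a query goes: ("FORWARD", targets), ("SYSTEM", []) or
    ("DEFAULT", []) when no associated rule matches."""
    rule = select_rule(rules, qname)
    if rule is None:
        return ("DEFAULT", [])
    return (rule["type"], list(rule["targets"]))
```

The SYSTEM rule for aws.example.com is the usual way to carve a private hosted zone out of a forwarded parent domain. Forwarding only works if the outbound endpoint's security group allows UDP and TCP 53 to the on-premises resolvers and the data center firewall accepts queries from the endpoint's IP addresses over the Site-to-Site VPN.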