AWS Certified SysOps Administrator SOA-C02 Practice Exam Part 9
Notes: Hi all, AWS Certified SysOps Administrator Associate SOA-Co2 Practice Exam Part 9 will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics. We highly recommend you should take AWS Certified SysOps Administrator Associate SOA-Co2 Actual Exam Version because it include real questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.
321. A sysops administrator has an AWS Lambda function that performs maintenance on various AWS resources. This function must be run nightly. Which is the MOST cost-effective solution?
A. Launch a single t2.nano Amazon EC2 instance and create a Linux cron job to invoke the Lambda function at the same time every night.
B. Set up an Amazon CloudWatch metrics alarm to invoke the Lambda function at the same time every night.
C. Schedule a CloudWatch event to invoke the Lambda function at the same time every night.
D. Implement a Chef recipe in AWS OpsWorks stack to invoke the Lambda function at the same time every night.
322. A sysops administrator is managing an application on AWS that uses Amazon EC2 instances and Amazon Aurora MySQL. The EC2 instances and Aurora instances are in two different subnets. The application servers running in EC2 cannot connect to the Aurora database. The EC2 subnet is 192.168.87.0/24 and has a security group named sg-123456 with the following configuration.
Protocol type Port Number Source IP
TCP 22 (SSH) 192.168.87.0/24
ICMP All 0.0.0.0/0
Protocol type Port Number Destination IP
All All 0.0.0.0/0
The Aurora subnet is 192.168.88.0/24 and has a security group named sg-abcdef with the following configuration.
Protocol type Port Number Source IP
MYSQL/Aurora 3306 192.168.88.0/24
Protocol type Port Number Destination IP
All All 0.0.0.0/0
Which action should the sysops administrator take to allow the EC2 instances to connect to the Aurora database?
A. In the inbound rules table of the Aurora security group, add an inbound TCP rule with the MySQL port and sg-123456 as the traffic source.
B. In the inbound rules table of the EC2 security group, add an inbound TCP rule with the MySQL port and 192.168.88.0/24 as the traffic source.
C. In the outbound rules table of the Aurora security group, add an outbound TCP rule with the MySQL port and 192.168.87.0/24 as the destination.
D. In the outbound rules table of the EC2 security group, add an outbound TCP rule with the MySQL port and sg-abcdef as the destination.
323. A company has a multi-tier web application. In the web tier, all the servers are in private subnets inside a VPC. The development team wants to make changes to the application that requires access to Amazon S3. What should be done to accomplish this?
A. Create a customer gateway to connect to Amazon S3. Modify the route table of the private subnets to use the customer gateway.
B. Create a gateway VPC endpoint for Amazon S3. Modify the route table of the private subnets to use the gateway VPC endpoint.
C. Create a NAT gateway in the private subnets. Modify the route table of the subnets to use the NAT gateway.
D. Create an S3 bucket policy to allow connections from the private subnets. Modify the route table.
324. A sysops administrator is managing a VPC network consisting of public and private subnets. Instances in the private subnets access the Internet through a NAT gateway. A recent AWS bill shows that the NAT gateway charges have doubled. The administrator wants to identify which instances are creating the most network traffic. How should this be accomplished?
A. Enable flow logs on the NAT gateway elastic network interface and use Amazon CloudWatch insights to filter data based on the source IP addresses.
B. Run an AWS Cost and Usage report and group the findings by instance ID.
C. Use the VPC traffic mirroring feature to send traffic to Amazon QuickSight.
D. Use Amazon CloudWatch metrics generated by the NAT gateway for each individual instance.
325. When performing an audit on an S3 bucket, a SysOps Administrator discovered that Amazon CloudWatch reports that there are 12,345,678 objects in the bucket, whereas the AWS CLI reports that there are 98,765,432 objects in the same bucket. Which Amazon S3 feature can the SysOps Administrator use to obtain the definitive answer to the number of objects in the bucket?
A. Amazon S3 analytics
B. Amazon S3 inventory
C. AWS Management Console
D. Object tags
326. An organization recently faced a network outage while uploading data into one of their S3 buckets. This outage generated many incomplete multipart uploads in that S3 bucket. A sysops administrator wants to delete the incomplete multipart uploads and ensure that the incomplete multipart uploads are deleted automatically the next time such an event occurs. How should this be done?
A. Create an Amazon S3 Event Notification to trigger an AWS Lambda function that deletes incomplete multipart uploads.
B. Create an Amazon S3 lifecycle rule to abort incomplete multipart uploads so that they are deleted this time and in the future.
C. Use the AWS CLI to list all the multipart uploads, and abort all the incomplete uploads from the day of the event so that they are deleted.
D. Use the AWS Management Console to abort all the incomplete uploads from the day of the event so that they are deleted.
327. A company’s finance department wants to receive a monthly report showing AWS resource usage by department. Which solution should be used to meet the requirements?
A. Configure AWS Cost and Usage reports for each department. Run the reports monthly.
B. Schedule a monthly report for each department using AWS Budgets.
C. Run a monthly AWS CloudTrail report of resource usage by tag using department codes.
D. Tag all resources with department codes. Generate a monthly cost allocation report.
328. A SysOps Administrator maintains several Amazon EC2 instances that do not have access to the public internet. To patch operating systems, the instances require outbound internet connectivity. For security reasons, the instances should not be reachable from the public Internet. The Administrator deploys a NAT instance, updates the security groups, and configures the appropriate routes within the route table. However, the instances are still unable to reach the Internet. What should be done to resolve the issue?
A. Assign Elastic IP addresses to the instances and create a route from the private subnets to the internet gateway
B. Delete the NAT instance and replace it with AWS WAF
C. Disable source/destination checks on the NAT instance
D. Start/stop the NAT instance so it is launched on a different host
329. A SysOps Administrator using AWS KMS needs to rotate all customer master keys (CMKs) every week to meet Information Security guidelines. Which option would meet the requirement?
A. Create a new CMK every 7 days to manually rotate the encryption keys.
B. Enable key rotation on the CMKs and set the rotation period to 7 days.
C. Switch to using AWS CloudHSM as AWS KMS does not support key rotation.
D. Use data keys for each encryption task to avoid the need to rotate keys.
330. A SysOps Administrator is maintaining an application running on Amazon EBS-backed Amazon EC2 instances in an Amazon EC2 Auto Scaling group. The application is set to automatically terminate unhealthy instances. The Administrator wants to preserve application logs from these instances for future analysis. Which action will accomplish this?
A. Change the storage type from EBS to instance store.
B. Configure an Amazon CloudWatch Events rule to transfer the logs to Amazon S3 upon an EC2 state change to terminate.
C. Configure the unified CloudWatch agent to stream the logs to Amazon CloudWatch Logs.
D. Configure VPC Flow Logs for the subnet hosting the EC2 instance.
331. A SysOps Administrator must remove public IP addresses from all Amazon EC2 instances to prevent exposure to the internet. However, many corporate applications running on those EC2 instances need to access Amazon S3 buckets. The Administrator is tasked with allowing the EC2 instances to continue to access the S3 buckets. Which solutions can be used? (Choose two.)
A. Deploy a NAT gateway, and configure the route tables accordingly in the VPC where the EC2 instances are running.
B. Modify the network ACLs with private IP addresses in the routes to connect to Amazon S3.
C. Modify the security groups on the EC2 instances with private IP addresses in the routes to connect to Amazon S3.
D. Set up AWS Direct Connect, and configure a virtual interface between the EC2 instances and the S3 buckets.
E. Set up a VPC endpoint in the VPC where the EC2 instances are running, and configure the route tables accordingly.
332. A company’s application running on Amazon EC2 Linux recently crashed because it ran out of available memory. Management wants to be alerted if this ever happens again. Which combination of steps will accomplish this? (Choose two.)
A. Create an Amazon CloudWatch dashboard to monitor the memory usage metrics on the instance over time.
B. Create an alarm on the dashboard that publishes an Amazon SNS notification to alert the CIO when a threshold is passed.
C. Create an alarm on the metric that publishes an Amazon SNS notification to alert the CIO when a threshold is passed.
D. Create an alarm on the AWS Personal Health Dashboard that publishes an Amazon SNS notification to alert the CIO when the system is out of memory.
E. Configure the Amazon CloudWatch agent to collect and push memory usage metrics on the instance.
333. A popular auctioning platform requires near-real-time access to dynamic bidding information. The platform must be available at all times. The current Amazon RDS instance often reaches 100% CPU utilization during the weekend auction and can no longer be resized. To improve application performance, a sysops administrator is evaluating Amazon ElastiCache, and has chosen Redis (cluster mode enabled) instead of Memcached. What are the reasons for making this choice? (Choose two.)
A. Data partitioning
B. Multi-threaded processing
C. Multi-AZ with automatic failover
D. Multi-region with automatic failover
E. Online resharding
334. A financial service company is running distributed computing software to manage a fleet of 20 servers for their calculations. There are 2 control nodes and 18 worker nodes to run the calculations. Worker nodes can be automatically started by the control nodes when required. Currently, all nodes are running on demand, and the worker nodes are used for approximately 4 hours each day. Which combination of actions will be MOST cost-effective? (Choose two.)
A. Use Dedicated Hosts for the control nodes.
B. Use Reserved Instances for the control nodes.
C. Use Reserved Instances for the worker nodes.
D. Use Spot Instances for the control nodes and On-Demand Instances if there is no Spot availability. E. Use Spot Instances for the worker nodes and On-Demand Instances if there is no Spot availability.
335. A sysops administrator must monitor a fleet of Amazon EC2 Linux instances with the constraint that no agents be installed. The sysops administrator chooses Amazon CloudWatch as the monitoring tool. Which metrics can be measured given the constraints? (Choose three.)
A. CPU Utilization
B. Disk Read Operations
C. Memory Utilization
D. Network Packets In
E. Network Packets Dropped
F. CPU Ready Time
336. A sysops administrator set up an Amazon ElastiCache for Memcached cluster for an application. During testing, the application experiences increased latency. Amazon CloudWatch metrics for the Memcached cluster show CPUUtilization is consistently above 95% and FreeableMemory is consistently under 1 MB. Which action will solve the problem?
A. Configure ElastiCache automatic scaling for the Memcached cluster. Set the CPUUtilization metrics as a scaling trigger above 75% and FreeableMemory below 10 MB.
B. Configure ElastiCache to read replicas for each Memcached node in different Availability Zones to distribute the workload.
C. Deploy an Application Load Balancer to distribute the workload to Memcached cluster nodes.
D. Replace the Memcached cluster and select a node type that has a higher CPU and memory.
337. A security audit revealed that the security groups in a VPC have ports 22 and 3389 open to all, introducing a possible threat that instances can be stopped or configurations can be modified. A sysops administrator needs to automate remediation. What should the sysops administrator do to meet these requirements?
A. Create an IAM managed policy to deny access to ports 22 and 3389 on any security groups in a VPC.
B. Define an AWS Config rule and remediation action with AWS Systems Manager automation documents.
C. Enable AWS Trusted Advisor to remediate public port access.
D. Use AWS Systems Manager configuration compliance to remediate public port access.
338. A company recently migrated from a third-party security application to Amazon Inspector. A sysops administrator discovered that a list of security findings is missing for some Amazon EC2 instances. Which action will resolve this problem?
A. Generate the missing security findings list manually by logging in to the affected EC2 instances and running CLI commands.
B. Log in to the affected EC2 instances. Download and install the Amazon Inspector agent from AWS Marketplace on each instance.
C. Use a network reachability package to analyze network configurations to find security vulnerabilities on the affected EC2 instances.
D. Verify that the Amazon Inspector agent is installed and running on the affected instances. Restart the Amazon Inspector agent.
339. A medical imaging company needs to process large amounts of imaging data in real time using a specific instance type. The company wants to guarantee sufficient resource capacity for 1 year. Which action will meet these requirements in the MOST cost-effective manner?
A. Create 1-year On-Demand Capacity Reservations in the specific Availability Zones.
B. Launch Amazon EC2 instances with termination protection enabled.
C. Purchase 1-year Reserved Instances in the specific Availability Zones.
D. Use a Spot Fleet across multiple Availability Zones.
340. A sysops administrator is trying to deploy a new Amazon EC2 instance using the AWS Management Console, but the instance is failing to launch. What could be causing this problem? (Choose two.)
A. The AWS account has reached EC2 limits for the Region.
B. The AWS account has reached EC2 limits for the Availability Zone.
C. An EC2 key pair has not been specified.
D. The EC2 instance is missing an instance profile with ec2:RunInstances permissions.
E. The subnet being used has no more usable private IP addresses.
341. A company has several accounts between different teams and wants to increase its auditing and
compliance capabilities. The accounts are managed through AWS Organizations. Management
wants to provide the security team with secure access to the account logs while also restricting the
possibility for the logs to be modified. How can a SysOps administrator achieve this with the LEAST amount of operational overhead?
A. Store AWS CloudTrail logs in Amazon S3 in each account. Create a new account to store compliance data and replicate the objects into the newly created account.
B. Store AWS CloudTrail logs in Amazon S3 in each account. Create an IAM user with read-only access to the CloudTrail logs.
C. From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.
D. Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs.
342. A company in a highly regulated industry has just migrated an Amazon EC2 based application to AWS. For compliance reasons, all network traffic data between the servers must be captured and retained. Which solution will accomplish this with the LEAST amount of effort?
A. Set up AWS CloudTrail on the VPC. Configure Amazon CloudWatch Logs as the destination.
B. Set up AWS CloudTrail on the VPC. Configure Amazon S3 as the destination.
C. Set up flow logs at the elastic network interface level. Configure Amazon S3 as the destination.
D. Set up flow logs at the VPC level. Configure Amazon S3 as the destination.
343. A company is expanding its use of AWS services across its portfolios. The company wants to provision AWS accounts for each team to ensure a separation of business processes for security, compliance, and billing. Account creation and bootstrapping should be completed in a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place. A SysOps administrator needs to design a provisioning process that saves time and resources. Which action should be taken to meet these requirements?
A. Automate using AWS Elastic Beanstalk to provision the AWS accounts, set up infrastructure, and integrate with AWS Organizations.
B. Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure.
C. Use AWS Config to provision accounts and deploy instances using AWS Service Catalog.
D. Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts.
344. A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals spikes in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A SysOps administrator is tasked with finding the process ID (PID) of the service or process that is consuming more CPU. How can the administrator accomplish this with the LEAST amount of effort?
A. Configure an AWS Lambda function in Python 3.7 to run every minute to capture the PID and send a notification.
B. Configure the procstat plugin to collect and send CPU metrics for the running processes.
C. Log in to the EC2 Linux instance using a .pem key each night and then run the top command.
D. Use the default Amazon CloudWatch CPU utilization metric to capture the PID in the CloudWatch dashboard.
345. A company is using an Amazon ElastiCache for Redis cluster in a production environment. To align with the company’s technical requirements, a SysOps administrator needs to select a deployment to provide increased availability and fault tolerance. Which action should the SysOps administrator take to accomplish this goal?
A. Deploy the ElastiCache cluster with Memcached as the engine.
B. Deploy the Redis cluster within an Auto Scaling group to launch replicas across multiple Availability Zones.
C. Verify that cluster mode is disabled. Increase the number of shards.
D. Verify that Multi-AZ with automatic failover is enabled. Place replicas in multiple Availability Zones.
346. The chief financial officer (CFO) of an organization has seen a spike in Amazon S3 storage costs over the last few months. A SysOps administrator suspects that these costs are related to storage for older versions of S3 objects from one of its S3 buckets. What can the administrator do to confirm this suspicion?
A. Enable Amazon S3 inventory and then query the inventory to identify the total storage of previous object versions.
B. Use object-level cost allocation tags to identify the total storage of previous object versions.
C. Enable the Amazon S3 analytics feature for the bucket to identify the total storage of previous object versions.
D. Use Amazon CloudWatch storage metrics for the S3 bucket to identify the total storage of previous object versions.
347. A company manages more than 1,000 Amazon EC2 instances running Amazon Linux 2 in multiple VPCs. A SysOps administrator must change the statically configured DNS server IP address on all the EC2 instances. Which solution will require the LEAST amount of effort?
A. Develop an AWS Lambda function to update the corporate DNS IP address on all the EC2 instances.
B. Run a shell script to update the corporate DNS IP address on each EC2 instance.
C. Update the Amazon Machine Images (AMIs) of the EC2 instances to configure the updated corporate DNS IP address.
D. Use the AWS Systems Manager Run Command to update the corporate DNS IP address on all the EC2 instances.
348. A company wants to reduce costs on jobs that can be completed at any time. The jobs are currently run using multiple On-Demand Instances, and the jobs take just under 2 hours to complete. If a job fails for any reason, it can be restarted from the beginning. Which method is the MOST cost-effective based on these requirements?
A. Purchase Reserved Instances to be used for job execution.
B. Submit a request for a one-time Spot Instance for job execution.
C. Submit a request for a Spot block to be used for job execution.
D. Use a mixture of On-Demand and Spot Instances for job execution.
349. A company has a multi-account AWS environment that includes the following: A central identity account that contains all IAM users and groups Several member accounts that contain IAM roles A SysOps administrator must grant permissions for a particular IAM group to assume a role in one of the member accounts. How should the SysOps administrator accomplish this task?
A. In the member account, add sts:AssumeRole permissions to the role’s policy. In the identity account, add a trust policy to the group that specifies the account number of the member account. B. In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.
C. In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:PassRole permissions.
D. In the member account, add the group Amazon Resource Name (ARN) to the role’s inline policy. In the identity account, add a trust policy to the group with sts:AssumeRole permissions.
350. An image processing system runs asynchronously on AWS Lambda. A SysOps administrator is configuring a Lambda function to notify developers when an image falls to process after three attempts. The SysOps administrator has created an Amazon Simple Notification Service (Amazon SNS) topic to notify the developers. Which additional action should the SysOps administrator take to meet this requirement?
A. Configure an Amazon CloudWatch alarm for errors from the Lambda function, which notifies the Amazon SNS topic.
B. Implement a dead-letter queue targeting the Amazon SNS topic.
C. Modify the Lambda function code to publish failed orders to the Amazon SNS topic before exiting.
D. Subscribe to Lambda function error notifications from the AWS Personal Health Dashboard.
351. A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance. Which of the following are possible causes of this issue? (Choose two.)
A. A network ACL associated with the bastion’s subnet is blocking the network traffic.
B. The instance does not have a private IP address.
C. The route table associated with the bastion’s subnet does not have a route to the internet gateway.
D. The security group for the instance does not have an inbound rule on port 22.
E. The security group for the instance does not have an outbound rule on port 3389.
352. A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load. What are possible causes for this problem? (Choose two.)
A. CloudFront does not have the ALB configured as the origin access identity.
B. The DNS is still pointing to the ALB instead of the CloudFront distribution.
C. The ALB security group is not permitting inbound traffic from CloudFront.
D. The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.
E. The target groups associated with the ALB are configured for sticky sessions.
353. A company is managing multiple AWS accounts using AWS Organizations. One of these accounts is used only for retaining logs in an Amazon S3 bucket. The company wants to make sure that compute resources cannot be used in the account. How can this be accomplished with the LEAST administrative effort?
A. Apply an IAM policy to all IAM entities in the account with a statement to explicitly deny NotAction: s3:*.
B. Configure AWS Config to terminate compute resources that have been created in the accounts.
C. Configure AWS CloudTrail to block any action where the event source is not s3:amazonaws.com.
D. Update the service control policy on the account to deny the unapproved services.
354. A company is evaluating solutions for connecting its data centers to a VPC in an AWS Region running a mission-critical application. A secondary Region has already been set up as a disaster recovery solution. The company needs a consistent, low-latency connection of at least 10 Gbps that must be highly resilient and fault tolerant. Which solution meets these requirements?
A. Set up a 10 Gbps AWS Direct Connect connection at two Direct Connect locations. Use two customer routers and dynamically routed, active/active connections.
B. Set up a 10 Gbps AWS Direct Connect connection. Use a Direct Connect gateway to support both Regions.
C. Establish an AWS Direct Connect connection for the primary connection to the VPC with an AWSmanaged VPN connection as a backup.
D. Establish 10 VPN connections to the VPC. Enable the VPN Equal Cost Multipath (ECMP) feature to balance traffic over the active connections.
355. A company’s security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager. Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances. What should a SysOps administrator do to resolve this issue?
A. Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
C. Configure the SSM Agent to log in with a username of “ubuntu”.
D. Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.
356. A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53 should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set appropriately for both primary and secondary servers. Which next step should be taken to configure Route 53?
A. Create an A record for each server. Associate the records with the Route 53 HTTP health check.
B. Create an A record for each server. Associate the records with the Route 53 TCP health check.
C. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.
D. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.
357. A company has a three-tier stateful web application. The application is served through an Amazon CloudFront distribution with default configuration options and an Application Load Balancer (ALB) as the origin. Logged-in users get intermittently logged out and see inconsistent content. Which action should the company take to ensure a stable user experience during a session?
A. Enable session affinity (sticky sessions) on the ALB. Configure CloudFront to forward all cookies to the origin.
B. Restrict viewer access to signed cookies in CloudFront. Enable session affinity (sticky sessions) on the ALB.
C. Switch from duration-based session affinity (sticky sessions) to application-controlled session affinity (sticky sessions) on the ALB.
D. Configure the CloudFront TTL to be equal to or less than the ALB session duration.
358. A company has an application that is hosted on two Amazon EC2 instances in different Availability Zones. Both instances contain data that is critical for the company’s business. Backups need to be retained for 7 days and need to be updated every 12 hours. Which solution will meet these requirements with the LEAST amount of effort?
A. Use an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to create snapshots of the Amazon Elastic Block Store (Amazon EBS) volumes.
B. Use Amazon Data Lifecycle Manager (Amazon DLM) to create a snapshot lifecycle policy for both instances.
C. Create a batch job to generate automated snapshots of the Amazon Elastic Block Store (Amazon EBS) volumes.
D. Create an AWS Lambda function to copy the data to Amazon S3 Glacier.
359. A SysOps administrator is re-architecting an application. The SysOps administrator has moved the database from a public subnet, where the database used a public endpoint, into a private subnet to restrict access from the public network. After this change, an AWS Lambda function that requires read access to the database cannot connect to the database. The SysOps administrator must resolve this issue without compromising security. Which solution meets these requirements?
A. Create an AWS PrivateLink interface endpoint for the Lambda function. Connect to the database using its private endpoint.
B. Connect the Lambda function to the database VPC. Connect to the database using its private endpoint.
C. Attach an IAM role to the Lambda function with read permissions to the database.
D. Move the database to a public subnet. Use security groups for secure access.
360. A company that hosts a multi-tier ecommerce web application on AWS has been alerted to suspicious application traffic. The architecture consists of Amazon EC2 instances deployed across multiple Availability Zones behind an Application Load Balancer (ALB). After examining the instance logs, a SysOps administrator determines that the suspicious traffic is an attempted SQL injection attack. What should the SysOps administrator do to prevent similar attacks?
A. Create an Amazon CloudFront distribution with the ALB as the origin. Enable AWS Shield Advanced to protect from SQL injection attacks at edge locations.
B. Create an AWS WAF web ACL, and configure a SQL injection rule to add to the web ACL. Associate the WAF web ACL with the ALB.
C. Enable Amazon GuardDuty. Use Amazon EventBridge (Amazon CloudWatch Events) to trigger an AWS Lambda function every time GuardDuty detects SQL injection.
D. Install Amazon Inspector on the EC2 instances, and configure a rules package. Use the findings reports to identify and block SQL injection attacks.