QUESTION 1
A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load. What are possible causes for this problem? (Select TWO.)
A. CloudFront does not have the ALB configured as the origin access identity.
B. The DNS is still pointing to the ALB instead of the CloudFront distribution.
C. The ALB security group is not permitting inbound traffic from CloudFront.
D. The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.
E. The target groups associated with the ALB are configured for sticky sessions.
Correct Answer: BD
QUESTION 2
A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer data. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company. What is the MOST operationally efficient solution that meets these requirements?
A. Configure AWS CloudTrail in all Regions to record all API activity. Create an Amazon EventBridge rule in all unauthorized Regions for ec2:Runinstances events. Use AWS Lambda to terminate the launched EC2 instances.
B. In each AWS account, create a managed IAM policy that uses a Region condition to deny the ec2:Runinstances action in all unauthorized Regions. Attach this policy to all IAM groups in each AWS account.
C. In each AWS account, create an IAM permissions boundary policy that uses a Region condition to deny the ec2:Runinstances action in all unauthorized Regions. Attach the permissions boundary policy to all IAM users in each AWS account.
D. Create a service control policy (SCP) in AWS Organizations to deny the ec2:Runinstances action in all unauthorized Regions. Attach this policy to the root level of the organization.
Correct Answer: D
QUESTION 3
The cache hit ratio for an Amazon CloudFront distribution is less than 10%. A SysOps administrator needs to increase the cache hit ratio for the distribution, improve network performance, and reduce the load on the origin. Which combination of actions should the SysOps administrator take to meet these requirements? (Select TWO.)
A. Enable CloudFront Origin Shield for the required AWS Regions.
B. Change the viewer protocol policy to use HTTPS only.
C. Configure the distribution to use presigned cookies and presigned URLS.
D. Turn on automatic compression of objects in the cache behavior settings.
E. Increase the CloudFront TTL values in the cache behavior settings.
Correct Answer: AE
QUESTION 4
A company has a web application that is deployed to four AWS Regions: us-west-2, eu-central-1, ap-southeast-2, and af-south-1. Each deployment of the application runs independently of the other deployments. A SysOps administrator needs to set up routing for end users. The end users must be routed based on the location of the user request and the location of application resources. For example, users in the United States must be routed to the resources in us-west-2. The company is using Amazon Route 53 to host the DNS records for the application. How should the SysOps administrator configure the Route 53 record to meet these requirements?
A. Configure a multivalue answer routing policy for the record. Specify each of the Regional endpoints in the policy to route end users to the resources in the appropriate Region.
B. Configure an IP-based routing policy for the record. Specify the IP ranges for each country to route end users to the resources in the appropriate Region.
C. Configure a geoproximity routing policy for the record. Use Route 53 traffic flow to route end users to the resources in the appropriate Region.
D. Configure a latency routing policy for the record. Specify each of the Regional endpoints in the policy to route end users to the resources in the appropriate Region.
Correct Answer: C
QUESTION 5
A company has an Auto Scaling group of Amazon EC2 instances that scale based on average CPU utilization. The Auto Scaling group events log indicates an InsufficientInstanceCapacity error. Which actions should a SysOps administrator take to remediate this issue? (Select TWO.)
A. Change the instance type that the company is using.
B. Configure the Auto Scaling group in different Availability Zones.
C. Configure the Auto Scaling group to use different Amazon Elastic Block Store (Amazon EBS) volume sizes.
D. Increase the maximum size of the Auto Scaling group.
E. Request an increase in the instance service quota.
Correct Answer: AB
QUESTION 6
A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet. What should a SysOps administrator do to meet the compliance requirement?
A. Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
B. Configure AWS Network Firewall to redirect traffic to the internal S3 address.
C. Modify the application to use the S3 path-style endpoint.
D. Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.
Correct Answer: A
QUESTION 7
A SysOps administrator configures an application to run on Amazon EC2 instances behind an Application Load Balancer (ALB) in a simple scaling Auto Scaling group with the default settings. The Auto Scaling group is configured to use the RequestCounterTarget metric for scaling. The SysOps administrator notices that the RequestCounterTarget metric exceeded the specified limit twice in 180 seconds. How will the number of EC2 instances in this Auto Scaling group be affected in this scenario?
A. The Auto Scaling group will launch an additional EC2 instance every time the RequestCounterTarget metric exceeds the predefined limit.
B. The Auto Scaling group will launch one EC2 instance and will wait for the default cooldown period before launching another instance.
C. The Auto Scaling group will send an alert to the ALB to rebalance the traffic and not add new EC2 instances until the load is normalized.
D. The Auto Scaling group will try to distribute the traffic among all EC2 instances before launching another instance.
Correct Answer: B
QUESTION 8
A data analytics application is running on an Amazon EC2 instance. A SysOps administrator must add custom dimensions to the metrics collected by the Amazon CloudWatch agent. How can the SysOps administrator meet this requirement?
A. Create a custom shell script to extract the dimensions and collect the metrics using the Amazon CloudWatch agent.
B. Create an Amazon EventBridge rule to evaluate the required custom dimensions and send the metrics to Amazon Simple Notification Service (Amazon SNS).
C. Create an AWS Lambda function to collect the metrics from AWS CloudTrail and send the metrics to an Amazon CloudWatch Logs group.
D. Create an append dimensions field in the Amazon CloudWatch agent configuration file to collect the metrics.
Correct Answer: D
QUESTION 9
A company needs to automatically monitor an AWS account for potential unauthorized AWS Management Console logins from multiple geographic locations. Which solution will meet this requirement?
A. Configure Amazon Cognito to detect any compromised IAM credentials.
B. Set up Amazon Inspector. Scan and monitor resources for unauthorized logins.
C. Set up AWS Config. Add the iam-policy-blacklisted-check managed rule to the account.
D. Configure Amazon GuardDuty to monitor the UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B finding.
Correct Answer: D
QUESTION 10
A company’s SysOps administrator manages a fleet of Windows Amazon EC2 instances that run in a single AWS account. The instances have a tag that includes a key of “OS” and a value of “Windows.” The company uses AWS Systems Manager to patch the instances. The company has installed the Amazon CloudWatch agent on the instances, but the configuration is inconsistent. The SysOps administrator needs to reconfigure every instance to use the same predefined CloudWatch configuration. Which combination of steps will meet these requirements? (Select TWO.)
A. Store the CloudWatch agent configuration file in an Amazon S3 bucket.
B. Store the contents of the CloudWatch agent configuration file in Systems Manager OpsCenter.
C. Store the contents of the CloudWatch agent configuration file in Systems Manager Parameter Store.
D. Create a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Select Systems Manager as an optional configuration source. Target the instances based on tag values.
E. Create a Systems Manager State Manager association to run the AmazonCloudWatch-ManageAgent Systems Manager Run Command document. Configure the document to use the S3 bucket location as the configuration source. Target the instances based on tag values.
Correct Answer: CD
QUESTION 11
A SysOps administrator needs to configure automatic rotation for Amazon RDS database credentials. The credentials must rotate every 30 days. The solution must integrate with Amazon RDS. Which solution will meet these requirements with the LEAST operational overhead?
A. Store the credentials in AWS Systems Manager Parameter Store as a secure string. Configure automatic rotation with a rotation interval of 30 days.
B. Store the credentials in AWS Secrets Manager. Configure automatic rotation with a rotation interval of 30 days.
C. Store the credentials in a file in an Amazon S3 bucket. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.
D. Store the credentials in AWS Secrets Manager. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.
Correct Answer: B
QUESTION 12
A company has an application that uses a scheduled AWS Lambda function to retrieve datasets from external sources over the internet. The function is not associated with a VPC. The company is modifying the application to store the information that the Lambda function retrieves on an Amazon RDS DB instance in a private subnet. The VPC has two public subnets and two private subnets. A SysOps administrator must deploy a solution that allows the Lambda function to access the new database and continue to access the internet. Which solution meets these requirements?
A. Create a new Lambda function with VPC access and an Elastic IP address. Attach the function to public subnets in two Availability Zones. Associate a security group with the Elastic IP address. Configure the security group outbound rules to allow Lambda to access the required resources.
B. Create a new Lambda function with VPC access and two public IP addresses. Attach the function to public subnets in the same Availability Zones that the database uses. Associate a security group with the function. Configure the security group inbound rules to allow Lambda to access the required resources.
C. Reconfigure the Lambda function for VPC access. Add NAT gateways to the public subnets in the VPC. Add route table entries in the private subnets to route through the NAT gateways to the internet. Attach the function to the private subnets that support the database. Associate a security group with the function. Configure the security group outbound rules to allow Lambda to access the internet.
D. Reconfigure the Lambda function for VPC access. Attach the function to the private subnets. Add route table entries in the private subnets to route through the internet gateway to the internet. Associate a security group with the subnets. Configure the security group inbound rules to allow Lambda to access the required resources through the internet gateway.
Correct Answer: C
QUESTION 13
An application uses an Amazon Aurora MySQL DB cluster that includes one Aurora Replica. The application’s read performance degrades when there are more than 200 user connections. The number of user connections is approximately 180 on a consistent basis. Occasionally, the number of user connections increases rapidly to more than 200. A SysOps administrator must implement a solution that will scale the application automatically as user demand increases or decreases. Which solution will meet these requirements?
A. Modify the DB cluster by increasing the Aurora Replica instance size.
B. Modify the DB cluster by changing to serverless mode whenever the number of user connections exceeds 200.
C. Migrate to a new Aurora DB cluster that has multiple writer instances. Modify the application’s database connection string.
D. Create an auto scaling policy that has a target value of 195 for the DatabaseConnections metric.
Correct Answer: D
QUESTION 14
An application is running on an Amazon EC2 instance in a VPC with the default DHCP option set. The application connects to an on-premises Microsoft SQL Server database with the DNS name mssql.example.com. The application is unable to resolve the database DNS name. Which solution will fix this problem?
A. Create an Amazon Route 53 Resolver inbound endpoint. Add a forwarding rule for the domain example.com. Associate the forwarding rule with the VPC.
B. Create an Amazon Route 53 Resolver inbound endpoint. Add a system rule for the domain example.com. Associate the system rule with the VPC.
C. Create an Amazon Route 53 Resolver outbound endpoint. Add a forwarding rule for the domain example.com. Associate the forwarding rule with the VPC.
D. Create an Amazon Route 53 Resolver outbound endpoint. Add a system rule for the domain example.com. Associate the system rule with the VPC.
Correct Answer: C
QUESTION 15
A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video files into the destination S3 bucket in the United States. What are the MOST cost-effective ways to increase upload speeds into the S3 bucket? (Select TWO.)
A. Create multiple AWS Direct Connect connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
B. Create multiple AWS Site-to-Site VPN connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
C. Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket.
D. Use AWS Global Accelerator for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
E. Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
Correct Answer: CE
QUESTION 16
A company runs an application on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The application supports customers in Europe and runs in a single Availability Zone in the eu-west-1 Region. The company hosts its DNS records in Amazon Route 53. A SysOps administrator needs to implement a solution to make the application highly available. The solution must minimize application downtime. Which combination of actions will meet these requirements? (Select TWO.)
A. Deploy the EC2 instances in an Auto Scaling group across multiple Availability Zones. Configure the EC2 instances as a target of the ALB.
B. Deploy the EC2 instances in multiple Availability Zones. Configure Route 53 latency-based routing.
C. Configure Route 53 health checks to monitor the ALB.
D. Configure Route 53 health checks to monitor the target EC2 instances.
E. Configure ALB health checks to monitor the target EC2 instances.
Correct Answer: AC
QUESTION 17
A data storage company has a service that gives users the ability to upload and download files. The files are stored as objects in Amazon S3 Standard storage. A SysOps administrator must use S3 Lifecycle policies to reduce the cost of the storage. The objects must be immediately retrievable for 1 year. Users access the objects frequently during the first 30 days after the objects are stored. Users rarely access the objects after 30 days. The SysOps administrator must implement a solution that maintains the current object availability. Which solution will meet these requirements MOST cost-effectively?
A. Move the objects to S3 Glacier Deep Archive after 30 days.
B. Move the objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
C. Move the objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
D. Move the objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately.
Correct Answer: C
QUESTION 18
A company is using an Amazon S3 bucket in the us-east-1 Region to set up a static website. The S3 bucket is named example-website-hosting-bucket. The website stores photographs in the following structure: www.example.com/Photographs/user/. The S3 bucket has an Amazon Resource Name (ARN) of arn:aws:s3:::example-website-hosting-bucket. A SysOps administrator configured the S3 bucket for static website hosting and to allow public read access. The SysOps administrator did not configure S3 Block Public Access. Amazon Route 53 does not display the S3 bucket as the alias target when the SysOps administrator attempts to create a DNS record. Which solution will make the website available?
A. In Route 53, update the record to reference the S3 bucket by using the following ARN: s3::example-website-hosting-bucket.s3-website-us-east-1.amazonaws.com.
B. Change the ARN of the S3 bucket to arn:aws:s3:.:example-website-hosting-bucket/Photographs. Configure Route 53 to point to the S3 bucket through the ARN.
C. Configure versioning on the S3 bucket. Create an S3 access point that points to the S3 bucket. Create an access point alias name for Route 53 to use to reach the S3 bucket through the access point.
D. Create a new S3 bucket named www.example.com. Migrate the website contents to the new S3 bucket. Configure the new S3 bucket with the same settings as the original S3 bucket. Configure the Route 53 alias record to point to the new S3 bucket.
Correct Answer: A
QUESTION 19
A SysOps administrator creates a new VPC that includes a public subnet and a private subnet. The SysOps administrator successfully launches 11 Amazon EC2 instances in the private subnet. The SysOps administrator attempts to launch one more EC2 instance in the same subnet. However, the SysOps administrator receives an error message that states that not enough free IP addresses are available. What must the SysOps administrator do to deploy more EC2 instances?
A. Edit the private subnet to change the CIDR block to /27.
B. Edit the private subnet to extend across a second Availability Zone.
C. Assign additional Elastic IP addresses to the private subnet.
D. Create a new private subnet to hold the required EC2 instances.
Correct Answer: D
QUESTION 20
A SysOps administrator wants to make a file available to the public by using Amazon S3. The SysOps administrator creates a presigned URL by using the AWS CLI. Users are able to download the file. After a few days, the SysOps administrator finds out that users can no longer download the file. What are the possible reasons that the file is no longer available? (Select TWO.)
A. The presigned URL’s expiration date and time have passed.
B. The SysOps administrator’s access key is no longer valid.
C. The S3 bucket’s Block Public Access settings are enabled.
D. The S3 object’s ACL does not include READ access for the All Users group.
E. The S3 objects ACL does not include READ_ACP access for the All Users group
Correct Answer: AB
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.