QUESTION 181
A company runs a website on Amazon EC2 instances. Users can upload images to an Amazon S3 bucket and publish the images to the website. The company wants to deploy a serverless image-processing application that uses an AWS Lambda function to resize the uploaded images. The company’s development team has created the Lambda function. A CloudOps engineer must implement a solution to invoke the Lambda function when users upload new images to the S3 bucket. Which solution will meet this requirement?
A. A. Configure an Amazon Simple Notification Service (Amazon SNS) topic to invoke the Lambda function when a user uploads a new image to the S3 bucket.
B. B. Configure an Amazon CloudWatch alarm to invoke the Lambda function when a user uploads a new image to the S3 bucket.
C. C. Configure S3 Event Notifications to invoke the Lambda function when a user uploads a new image to the S3 bucket.
D. D. Configure an Amazon Simple Queue Service (Amazon SQS) queue to invoke the Lambda function when a user uploads a new image to the S3 bucket.
Correct Answer: C
QUESTION 182
A company’s AWS accounts are in an organization in AWS Organizations. The organization has all features enabled. The accounts use Amazon EC2 instances to host applications. The company manages the EC2 instances manually by using the AWS Management Console. The company applies updates to the EC2 instances by using an SSH connection to each EC2 instance. The company needs a solution that uses AWS Systems Manager to manage all the organization’s current and future EC2 instances. The latest version of Systems Manager Agent (SSM Agent) is running on the EC2 instances. Which solution will meet these requirements?
A. Configure a home AWS Region in Systems Manager Quick Setup in the organization’s management account. Deploy the Systems Manager Default Host Management Configuration Quick Setup from the management account.
B. Configure a home AWS Region in Systems Manager Quick Setup in the organization’s management account. Create a Systems Manager Run Command command that attaches the AmazonSSMServiceRolePolicy IAM policy to every IAM role that the EC2 instances use. Invoke the command in every account in the organization.
C. Create an AWS CloudFormation stack set that contains a Systems Manager parameter to define the Default Host Management Configuration role. Use the organization’s management account to deploy the stack set to every account in the organization.
D. Create an AWS CloudFormation stack set that contains an EC2 instance profile with the AmazonSSMManagedEC2InstanceDefaultPolicy IAM policy attached. Use the organization’s management account to deploy the stack set to every account in the organization.
Correct Answer: A
QUESTION 183
A finance company uses AWS Secrets Manager to store Amazon RDS credentials that are periodically rotated. A database team must receive a notification when the credentials are rotated to ensure compliance with security policies. The database team creates an Amazon Simple Notification Service (Amazon SNS) topic for the notifications. Which solution will meet these requirements?
A. Create an Amazon EventBridge rule to match AWS CloudTrail events for the RotateSecret API call with a RotationSucceeded result. Configure the rule to route matching events to the SNS topic.
B. Enable notifications for secret rotation in AWS Secrets Manager. Configure Secrets Manager to publish notifications to the SNS topic when secrets are rotated.
C. Use Amazon EventBridge to filter Amazon CloudWatch logs for RotationSucceeded events. Route notifications for all matches to the SNS topic.
D. Use Amazon CloudWatch logs to filter for RotationSucceeded events. Route notifications for all matches to the SNS topic.
Correct Answer: A
QUESTION 184
A company’s ecommerce application is running on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group.Customers report that the website is occasionally down. When the website is down, the website returns an HTTP 500 (server error) status message to customer browsers. The Auto Scaling group’s health check is configured for EC2 status checks, and the instances are healthy. Which solution will resolve the problem?
A. Replace the ALB with a Network Load Balancer.
B. Add Elastic Load Balancing (ELB) health checks to the Auto Scaling group.
C. Update the target group configuration on the ALB. Enable session affinity (sticky sessions).
D. Install the Amazon CloudWatch agent on all the instances. Configure the agent to reboot the instances.
Correct Answer: B
QUESTION 185
A company uses Amazon ElastiCache (Redis OSS) to cache application data. A CloudOps engineer must implement a solution to increase the resilience of the cache. The solution also must minimize the recovery time objective (RTO). Which solution will meet these requirements?
A. Replace ElastiCache (Redis OSS) with ElastiCache (Memcached).
B. Create an Amazon EventBridge rule to initiate a backup every hour. Restore the backup when necessary.
C. Create a read replica in a second Availability Zone. Enable Multi-AZ for the ElastiCache (Redis OSS) replication group.
D. Enable automatic backups. Restore the backups when necessary.
Correct Answer: C
QUESTION 186
A company is using an Amazon Aurora MySQL DB cluster that has point-in-time recovery, backtracking, and automatic backup enabled. A CloudOps engineer needs to be able to roll back the DB cluster to a specific recovery point within the previous 72 hours. Restores must be completed in the same production DB cluster. Which solution will meet these requirements?
A. Create an Aurora Replica. Promote the replica to replace the primary DB instance.
B. Create an AWS Lambda function to restore an automatic backup to the existing DB cluster.
C. Use backtracking to rewind the existing DB cluster to the desired recovery point.
D. Use point-in-time recovery to restore the existing DB cluster to the desired recovery point.
Correct Answer: C
QUESTION 187
A company runs a workload in an Amazon VPC. The company configures Amazon CloudWatch Logs for the workload. The company needs a solution to automatically detect unusual API activity and security events in the company’s AWS account. Which solution will meet this requirement?
A. Use Amazon Inspector to scan VPC flow logs.
B. Use Amazon GuardDuty to monitor CloudWatch logs.
C. Implement AWS CloudTrail Insights.
D. Use AWS Config automatic anomaly detection.
Correct Answer: C
QUESTION 188
A CloudOps engineer creates an AWS CloudFormation template to define an application stack that can be deployed in multiple AWS Regions. The CloudOps engineer also creates an Amazon CloudWatch dashboard by using the AWS Management Console. Each deployment of the application requires its own CloudWatch dashboard. How can the CloudOps engineer automate the creation of the CloudWatch dashboard each time the application is deployed?
A. Create a script by using the AWS CLI to run the aws cloudformation put-dashboard command with the name of the dashboard. Run the command each time a new CloudFormation stack is created.
B. Export the existing CloudWatch dashboard as JSON. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Include the exported JSON in the resource’s DashboardBody property.
C. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Use the intrinsic Ref function to reference the ID of the existing CloudWatch dashboard.
D. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Specify the name of the existing dashboard in the DashboardName property.
Correct Answer: B
QUESTION 189
A CloudOps engineer is configuring an Amazon CloudFront distribution to use an SSL/TLS certificate. The CloudOps engineer must ensure automatic certificate renewal. Which combination of steps will meet this requirement?(Select TWO.)
A. Use a certificate issued by AWS Certificate Manager (ACM).
B. Use a certificate issued by a third-party certificate authority (CA).
C. Configure CloudFront to automatically renew the certificate when the certificate expires.
D. Configure email validation for the certificate.
E. Configure DNS validation for the certificate.
Correct Answer: E
QUESTION 190
A developer enables versioning on an Amazon S3 bucket. When the developer attempts to perform a write operation on the bucket, the developer encounters an HTTP 404NoSuchKey error. A CloudOps engineer must resolve this issue. Which solution will meet this requirement?
A. Disable versioning on the S3 bucket and retry the write operation.
B. Modify the bucket policy to allow write operations on versioned objects.
C. Wait at least 15 minutes after enabling versioning, and then perform the write operation.
D. Enable S3 Transfer Acceleration on the bucket.
Correct Answer: C
QUESTION 191
A CloudOps engineer needs to ensure that AWS resources across multiple AWS accounts are tagged consistently. The company uses an organization in AWS Organizations to centrally manage the accounts. The company wants to implement cost allocation tags to accurately track the costs that are allocated to each business unit. Which solution will meet these requirements with the LEAST operational overhead?
A. Use Organizations tag policies to enforce mandatory tagging on all resources. Enable cost allocation tags in the AWS Billing and Cost Management console.
B. Configure AWS CloudTrail events to invoke an AWS Lambda function to detect untagged resources and to automatically assign tags based on predefined rules.
C. Use AWS Config to evaluate tagging compliance. Use AWS Budgets to apply tags for cost allocation.
D. Use AWS Service Catalog to provision only pre-tagged resources. Use AWS Trusted Advisor to enforce tagging across the organization.
Correct Answer: A
QUESTION 192
A CloudOps engineer needs to copy an Amazon RDS PostgreSQL database snapshot to from one AWS account to another account within the same organization in AWS Organizations. The source database uses default settings for its VPC, security group, and KMS keys. When the CloudOps engineer attempts to copy the shared snapshot, the operation fails, and the CloudOps engineer receives an KMS key encryption error. The CloudOps engineer must resolve the error. Which solution will meet this requirement?
A. In the source AWS account, add permissions to the default KMS key to allow access from the destination AWS account. Retry the copy operation from the destination AWS account.
B. Create a customer managed KMS key. Add permissions to the key to allow access from the destination AWS account. Copy the snapshot in the source account. Replace the default KMS key with the customer managed key during the copy. Share the RDS snapshot that uses the customer managed KMS key with the destination account.
C. Create a customer managed KMS key. Add permissions to the key to allow access from the destination AWS account. Take a new snapshot of database. Replace the default KMS key with the customer managed key. Share the RDS snapshot with the destination account.
D. Create a customer managed KMS key. Add permissions to the key to allow access from the destination AWS account. Replace the default KMS key with the customer managed key in the current RDS for PostgreSQL database. Take a new snapshot of the database. Share the snapshot with the destination account.
Correct Answer: B
QUESTION 193
A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A CloudOps engineer must ensure that an on-premises server can query records in the example.com domain. What should the CloudOps engineer do to meet these requirements?
A. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
B. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
C. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
D. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
Correct Answer: A
QUESTION 194
A CloudOps engineer needs to control access to groups of Amazon EC2 instances using AWs Systems Manager Session Manager. Specific tags on the EC2 instances have already been added. Which additional actions should the CloudOps engineer take to control access? (Select TWO).
A. Attach an IAM policy to the users or groups that require access to the EC2 instances.
B. Attach an IAM role to control access to the EC2 instances.
C. Create a placement group for the EC2 instances and add a specific tag.
D. Create a service account and attach it to the EC2 instances that need to be controlled.
E. Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.
Correct Answer: AE
QUESTION 195
A company needs to upload gigabytes of files every day. The company needs to achieve higher throughput and upload speeds to Amazon S3.Which action should a CloudOps engineer take to meet this requirement?
A. Create an Amazon CloudFront distribution with the GET HTTP method allowed and the S3 bucket as an origin.
B. Create an Amazon ElastiCache cluster and enable caching for the S3 bucket.
C. Set up AWS Global Accelerator and configure it with the S3 bucket.
D. Enable S3 Transfer Acceleration and use the acceleration endpoint when uploading files.
Correct Answer: D
QUESTION 196
A consulting company has consultants who perform work in the company’s AWS accounts and the AWS accounts of the company’s clients. Currently, clients must generate IAM user credentials for each consultant. The company wants an account access solution that will improve scalability and security. The solution must enforce the principle of least privilege. Each client must retain full control of their own AWS account. Which solution will meet these requirements?
A. Create an IAM group for the consultants in the company’s account. Create an AWS CloudFormation template that includes an IAM role, and deploy the template to each client account. Set up a trust policy that allows the consultant IAM group to assume the new IAM role.
B. Create an IAM role in the company’s account that has a trust relationship with each client account. Configure resource-based policies in the client accounts to allow specific actions from the consulting company’s IAM role Amazon Resource Name (ARN).
C. Use AWS Organizations to invite all client accounts as member accounts of a new organization. Create Service Control Policies (SCPs) that define permissions for consultants. Apply the SCPs across the organization.
D. Set up AWS IAM Identity Center in the consulting company’s account. Create a permissions set that grants administrator access to all the consultants. Configure multi-account access by establishing trust relationships with client accounts.
Correct Answer: A
QUESTION 197
A company must use AWS Systems Manager Session Manager to manage a fleet of Amazon EC2 instances that run in the eu-west-1 Region. The company wants to use Session Manager to configure private connectivity that uses VPC endpoints. Which VPC endpoints are required to meet these requirements? (Select THREE.)
A. com.amazonaws.eu-west-1.ssm
B. com.amazonaws.eu-west-1.ec2messages
C. com.amazonaws.eu-west-1.ec2
D. com.amazonaws.eu-west-1.ssmmessages
E. com.amazonaws.eu-west-1.s3
F. com.amazonaws.eu-west-1.states
Correct Answer: ABD
QUESTION 198
A company hosts an FTP server on Amazon EC2 instances. In the company’s AWS environment, AWS Security Hub sends findings for the EC2 instances to Amazon EventBridge because the FTP port has become publicly exposed in the security groups that are attached to the instances. A CloudOps engineer wants an automated solution to remediate the Security Hub finding and any similar exposed port findings. The CloudOps engineer wants to use an event-driven approach. Which solution will meet these requirements?
A. Configure the existing EventBridge event to stop the EC2 instances that have the exposed port.
B. Create a cron job for the FTP server to invoke an AWS Lambda function. Configure the Lambda function to modify the security group of the identified EC2 instances and to remove the instances that allow public access.
C. Create a cron job for the FTP server that invokes an AWS Lambda function. Configure the Lambda function to modify the server to use SFTP instead of FTP.
D. Configure the existing EventBridge event to invoke an AWS Lambda function. Configure the function to remove the security group rule that allows public access.
Correct Answer: D
QUESTION 199
A company uses Amazon Route 53 with latency-based routing across multiple AWS Regions to provide resiliency. The company uses Route 53 with latency-based routing to direct traffic to the nearest Region. Within each Region, weighted A records distribute traffic across multiple Availability Zones. During a recent update, some Availability Zone endpoints became unhealthy. Route 53 continued to route traffic to the unhealthy endpoints. The company must prevent this issue from occurring in the future. Which solution will meet this requirement?
A. Add a Route 53 health check for each of the weighted records that received traffic during the recent update.
B. Increase the weight of Route 53 records in the Region where traffic must go during updates.
C. Reconfigure all records to use latency-based routing across all Regions uniformly.
D. Reduce the TTL value for latency-based routing to detect changes more quickly
Correct Answer: A
QUESTION 200
A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A CloudOps engineer must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company’s accounts and cloud applications. Which prerequisites must the CloudOps engineer have so that the CloudOps engineer can connect to the external IdP? (Select TWO.)
A. A copy of the IAM Identity Center SAML metadata
B. The IdP metadata, including the public X.509 certificate
C. The IP address of the IdP
D. Root access to the management account
E. Administrative permissions to the member accounts of the organization
Correct Answer: AB
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.