QUESTION 21
A SysOps administrator has submitted an AWS Support case. The SysOps administrator needs to receive immediate and automatic notifications in a Slack channel when the case is updated. The SysOps administrator also must be able to use Slack to add comments to the case. which solution will meet these requirements?
A. Add the AWS Support App by authorizing the AWS account in Slack. Add the group ID and the required case type in Slack.
B. Add the AWS Support App by authorizing the Slack workspace. Add the channel ID and the required case type in the AWS account.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the HTTPS URL of the Slack channel to the SNS topic. Create an Amazon EventBridge rule that runs every minute and checks for case updates. Configure the rule to invoke an AWS Lambda function that publishes updates to the SNS topic.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the HTTPS URL of the Slack channel to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern with a source of aws.support and a detail type of Support Case Update. Specify the SNS topic as the rule’s target. Send all comments in Slack to the SNS topic.
Correct Answer: B
QUESTION 22
A compliance team requires all administrator passwords for Amazon RDS DB instances to be changed at least annually. Which solution meets this requirement in the MOST operationally efficient manner?
A. Store the database credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days.
B. Store the database credentials as a parameter in the RDS parameter group. Create a database trigger to rotate the password every 365 days.
C. Store the database credentials in a private Amazon S3 bucket. Schedule an AWS Lambda function to generate a new set of credentials every 365 days.
D. Store the database credentials in AWS Systems Manager Parameter Store as a secure string parameter. Configure automatic rotation for the parameter every 365 days.
Correct Answer: A
QUESTION 23
A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts. Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.
B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.
C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
Correct Answer: D
QUESTION 24
A company has deployed Amazon EC2 instances from custom Amazon Machine Images (AMIs) in two AWS Regions. The company registered all the instances with AWS Systems Manager. The company discovers that the operating system on some instances has a significant zero-day exploit. However, the company does not know how many instances are affected. A SysOps administrator must implement a solution to deploy operating system patches for the affected EC2 instances. Which solution will meet this requirement with the LEAST operational overhead?
A. Define a patch baseline in Systems Manager Patch Manager. Use a Patch Manager scan to identify the affected instances. Use the Patch Now option in each Region to update the affected instances.
B. Use AWS Config to identify the affected instances. Define a patch baseline in Systems Manager Patch Manager. Use the Patch Now option in Patch Manager to update the affected instances.
C. Create an Amazon EventBridge rule to react to Systems Manager Compliance events. Configure the EventBridge rule to run a patch baseline on the affected instances.
D. Use AWS Config to identify the affected instances. Update the existing EC2 AMIs with the desired patch. Manually launch instances from the new AMIs to replace the affected instances in both Regions.
Correct Answer: A
QUESTION 25
A company is using a single AWS account to support a workload. A SysOps administrator is responsible for the security of the AWS account. The SysOps administrator must implement a solution to identify unusual API usage behavior by AWS users. Which solution will meet this requirement with the LEAST operational overhead?
A. Enable Amazon GuardDuty on the account. Review GuardDuty findings to identify anomalous user behavior.
B. Create an AWS CloudTrail trail. Export CloudTrail logs to Amazon S3. Query the logs for anomalous user behavior.
C. Create VPC flow logs for all VPCs in the account. Use Amazon CloudWatch Logs Insights to query the logs for anomalous user behavior.
D. Generate an IAM credential report for the account. Review the results to identify anomalous user behavior.
Correct Answer: A
QUESTION 26
A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created. What should a SysOps administrator do to meet this requirement?
A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
B. Enable S3 Obiect Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
Correct Answer: B
QUESTION 27
A company is worried that its developers might accidentally schedule AWS Key Management Service (AWS KMS) customer managed keys for deletion. The developers want to maintain agility in their DevOps operating model and have requested that their IAM permissions not be changed. The company’s security team must receive notification when a KMS key deletion is scheduled. Which combination of steps will meet these requirements? (Select TWO.)
A. Use Amazon Macie to monitor for KMS key deletion events. Configure Macie to send the events to a target.
B. Create an Amazon EventBridge rule to detect KMS key deletion events from AWS Cloud Trail. Configure the rule to send the events to a target.
C. Create an Amazon Timestream for LiveAnalytics database to store KMS key deletion events. Configure the database activity stream to send the events to a target.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic as a target for notifications.
E. Create an Amazon MQ queue as a target for notifications.
Correct Answer: BD
QUESTION 28
A company has a Python script that needs to send an SMS message to a monitoring center. A SysOps administrator must use Amazon EventBridge and AWS Lambda to automatically run the Python script every 60 minutes. Which solution will meet these requirements?
A. Configure an EventBridge event pattern rule to invoke a Lambda function that runs the Python script. Program the Lambda function to make an API call to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the appropriate phone number to the SNS topic.
B. Configure an EventBridge event pattern rule to invoke a Lambda function that runs the Python script. Program the Lambda function to make an API call to send a notification to an Amazon Simple Queue Service Amazon SQS) queue.
C. Configure a schedule in EventBridge Scheduler to invoke a Lambda function that runs the Python script. Program the Lambda function to make an API call to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the appropriate phone number to the SNS topic.
D. Configure a schedule in EventBridge Scheduler to invoke a Lambda function that runs the Python script. Program the Lambda function to make an API call to send a notification to an Amazon Simple Queue Service (Amazon SQS) queue.
Correct Answer: C
QUESTION 29
A company has created an AWS CloudFormation template that includes only an IAM role. The company needs to deploy the template to the company’s primary and secondary AWS Regions. During deployment, the template launches successfully in the primary Region. However, CloudFormation returns an error in the secondary Region. How should a SysOps administrator resolve the error?
A. Redeploy the CloudFormation template as a stack set with service-managed permissions.
B. Redeploy the CloudFormation template as a stack set with self-managed permissions.
C. In the secondary Region, remove the CAPABILITY_IAM capability when the stack is created. Specify the Region names in the Mappings section of the CloudFormation template.
D. In the CloudFormation template, add a condition that is true when the primary Region is used. Apply the condition to the IAM role resource.
Correct Answer: A
QUESTION 30
A company needs to launch a public website. The company will deploy the website on Amazon EC2 instances that are in an Auto Scaling group. The Auto Scaling group extends across multiple Availability Zones. The website must be accessed through only https://example.com. Which solution will meet these requirements?
A. Create an internet-facing Application Load Balancer (ALB). Create an Amazon Route 53 alias record that points to the ALB’s DNS name. Configure an HTTP to HTTPS redirect action for the ALB. On the HTTPS listener, create a host-based rule to forward requests for example.com to the website’s target group.
B. Create an Amazon CloudFront distribution. Create an internal Network Load Balancer (NLB). Specify the NLB as the distribution’s origin. Use an AWS WAF rule for host header filtering. Create an Amazon Route 53 alias record that points to the distribution’s DNS name.
C. Create an Amazon CloudFront distribution. Create an internet-facing Application Load Balancer (ALB). Specify the ALB as the distribution’s origin. Create an Amazon Route 53 alias record that points to the distribution’s DNS name.
D. Create an Amazon CloudFront distribution. Create an internet-facing Application Load Balancer (ALB). Specify the ALB as the distribution’s origin. Enable CloudFront Origin Shield. Add a custom Host header that contains the value “example.com”. Create an Amazon Route 53 alias record that points to the distribution’s DNS name.
Correct Answer: C
QUESTION 31
A company SysOps administrator needs to ensure that every new Amazon EC2 instance the company launches has a standard set of tags. The tags must specify who created the instance and which team owns the instance. The SysOps administrator must implement a solution that shuts down any new instance that does not have the required tags within a few minutes. Which solution will meet these requirements with the LEAST operational effort?
A. Create an Amazon EventBridge rule that starts an AWS Step Functions state machine. Configure the state machine to check each new instance’s tags and to shut down any new instance that does not have the required tags. Schedule the EventBridge rule to run every time a new EC2 instance starts.
B. Configure an EC2 placement group that includes the required tags as part of the placement strategy. Add a placement constraint that shuts down any new instance that does not have the required tags.
C. Create an AWS Lambda function that checks each new instance’s tags and shuts down any new instance that does not have the required tags. Run the Lambda function at midnight each night by using a (0 0 * * *) cron expression in EventBridge.
D. Use the required-tags AWS Config managed rule to check each new instance’s tags. Apply a remediation action that shuts down any new instance that does not have the required tags.
Correct Answer: D
QUESTION 32
A non-production application is installed on an Amazon EC2 instance. The application’s developer has created an Amazon CloudWatch alarm that reboots the EC2 instance if a critical application error occurs. When the developer tests the new alarm, the alarm enters ALARM state. However, the EC2 instance fails to reboot. A SysOps administrator needs to troubleshoot the developer’s IAM permissions. What should the SysOps administrator do to ensure that the developer can configure the alarm correctly?
A. Ensure that the developer has the iam:AttachGroupPolicy permission.
B. Ensure that the developer has the iam:CreateServiceLinkedRole permission.
C. Ensure that the developer has the iam:CreateServiceSpecificCredential permission.
D. Ensure that the developer does not have the iam:EnableMFADevice permission.
Correct Answer: B
QUESTION 33
A company hosts a critical legacy application on two Amazon EC2 instances that are in one Availability Zone. The instances run behind an Application Load Balancer (ALB). The company uses Amazon CloudWatch alarms to send Amazon Simple Notification Service (Amazon SNS) notifications when the ALB health checks detect an unhealthy instance. After a notification, the company’s engineers manually restart the unhealthy instance. A SysOps administrator must configure the application to be highly available and more resilient to failures. Which solution will meet these requirements?
A. Create an Amazon Machine Image (AMI) from a healthy instance. Launch additional instances from the AMI in the same Availability Zone. Add the new instances to the ALB target group.
B. Increase the size of each instance. Create an Amazon EventBridge rule. Configure the EventBridge rule to restart the instances if they enter a failed state.
C. Create an Amazon Machine Image (AMI) from a healthy instance. Launch an additional instance from the AMI in the same Availability Zone. Add the new instance to the ALB target group. Create an AWS Lambda function that runs when an instance is unhealthy. Configure the Lambda function to stop and restart the unhealthy instance.
D. Create an Amazon Machine Image (AMI) from a healthy instance. Create a launch template that uses the AMI. Create an Amazon EC2 Auto Scaling group that is deployed across multiple Availability Zones. Configure the Auto Scaling group to add instances to the ALB target group.
Correct Answer: D
QUESTION 34
A company runs a workload on a high performance computing (HPC) cluster on AWS. The workload is Linux-based and uses three Amazon EC2 instances. Each EC2 instance has a 10 TIB Throughput Optimized HDD (st1) Amazon Elastic Block Store (Amazon EBS) volume. A SysOps administrator determines that the current storage is not meeting the workload’s performance needs. The workload needs a durable file store that has throughput of 100,000 IOPS. Which solution will meet these requirements?
A. Create an Amazon ElastiCache (Redis OSS) instance. Keep the append-only file (AOF) feature disabled.
B. Create an Amazon S3 bucket in the same AWS Region where the HPC cluster is deployed. Use the same S3 bucket prefix on all objects.
C. Create an Amazon FSx for Lustre file system. Configure an appropriate number of IOPS.
D. Create an Amazon S3 bucket in the same AWS Region where the HPC cluster is deployed. Enable S3 Transfer Acceleration.
Correct Answer: C
QUESTION 35
A company’s security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager. Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances. What should a SysOps administrator do to resolve this issue?
A. Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
C. Configure the SSM Agent to log in with a user name of “ubuntu”.
D. Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.
Correct Answer: B
QUESTION 36
A SysOps administrator manages the security of accounts in an organization in AWS Organizations. The SysOps administrator must implement a solution that applies a base configuration to all accounts when the accounts join the organization. Which solution will meet this requirement with the LEAST operational overhead?
A. Create the configuration in an AWS CloudFormation template. Deploy the template to all accounts in the organization by using StackSets automatic deployments.
B. Turn on AWS Config in the organization’s management account. Use multi-account, multi-Region data aggregation. Review results on the Aggregated Resources page.
C. Create an AWS Lambda function in the organization’s management account to configure resources. Configure the Lambda function with cross-account access. Run the function when a new account is detected.
D. Create the configuration in an AWS CloudFormation template. Deploy the template to all accounts in the organization by using an AWS Lambda function that runs when a new account is detected.
Correct Answer: A
QUESTION 37
A company is creating an application that runs on smart TVs and mobile phones. Static images for the application are loaded from an Amazon CloudFront distribution. The images have large file sizes that result in a poor experience for users of mobile devices. The company has created a set of smaller images for mobile devices. A SysOps administrator must configure CloudFront to cache different content based on the user’s device type. Which solution will meet this requirement?
A. Create two new CloudFront distributions: one distribution with the smart TV resources, and one distribution with the mobile device resources. Create a CloudFront behavior. Add a policy to send the requests to the correct distribution.
B. Set the Elemental-MediaTailor-PersonalizedManifests origin request policy on the CloudFront distribution to enable caching of different images depending on the requesting device.
C. Create a CloudFront origin request policy. Include the CloudFront-Is-SmartTV-Viewer header and the CloudFront-Is-Mobile-Viewer header in the origin request settings.
D. Configure AWS Amplify to set the CloudFront distribution origin request policy to enable caching of different images for mobile devices.
Correct Answer: C
QUESTION 38
A company needs to enforce tagging requirements for Amazon DynamoDB tables in its AWS accounts. A SysOps administrator must implement a solution to identify and remediate all DynamoDB tables that do not have the appropriate tags. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.
B. Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an AWS Config custom rule to invoke the Lambda function.
C. Use the required-tags AWS Config managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure an automatic remediation action that uses an AWS Systems Manager Automation custom runbook.
D. Create an Amazon EventBridge managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure the EventBridge rule to run an AWS Systems Manager Automation custom runbook for remediation.
Correct Answer: C
QUESTION 39
A company has an Amazon EC2 instance that is deployed in an isolated private subnet in a VPC. The EC2 instance needs to access data that is in an Amazon S3 bucket. The company has an S3 gateway endpoint in the VPC. The connection to the S3 bucket is failing for an unknown reason. A SysOps administrator must investigate this issue while keeping the private subnet isolated. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an internet gateway. Ensure that the private subnet’s route table has a route to the internet gateway.
B. Create a NAT gateway. Ensure that the private subnet’s route table has a route to the NAT gateway.
C. Ensure that the private subnet’s route table has a route to the S3 gateway endpoint.
D. Ensure that the EC2 instance’s security group allows inbound traffic from the prefix list for Amazon S3.
E. Ensure that the EC2 instance’s security group allows outbound traffic to the prefix list for Amazon S3.
Correct Answer: CE
QUESTION 40
A company has an Amazon Route 53 private hosted zone in its AWS account. The private hosted zone is connected to the company’s on-premises data center by an AWS Direct Connect connection. Virtual machines (VMs) in the on-premises data center need to resolve DNS queries that exist in the private hosted zone. What is the MOST operationally efficient solution that meets this requirement?
A. Create a Route 53 inbound resolver. Configure the on-premises VMs to use the inbound resolver.
B. Create a Route 53 outbound resolver. Configure the on-premises VMs to use the outbound resolver.
C. Configure the security group on the Route 53 private hosted zone by adding an inbound rule for the on-premises CIDR range.
D. Configure a Route 53 public hosted zone. Create an NS record for the private hosted zone. Query the public hosted zone from the on-premises VMs.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.