QUESTION 81
A company’s VPC has connectivity to an on-premises data center through an AWS Site-to-Site VPN. The company needs Amazon EC2 instances in the VPC to send DNS queries for example.com to the DNS servers in the data center. Which solution will meet these requirements?
A. Create an Amazon Route 53 Resolver inbound endpoint. Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the inbound endpoints.
B. Create an Amazon Route 53 Resolver inbound endpoint. Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS servers. Associate this rule with the VPC.
C. Create an Amazon Route 53 Resolver outbound endpoint. Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the outbound endpoints.
D. Create an Amazon Route 53 Resolver outbound endpoint. Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS servers. Associate this rule with the VPC.
Correct Answer: D
QUESTION 82
A company’s APIs are not receiving all their expected events. The company has hundreds of Amazon EventBridge rules configured and no dead-letter queues for failed event delivery. A SysOps administrator must implement a solution that notifies an Amazon Simple Notification Service (Amazon SNS) topic when EventBridge rules are broken. Which solution will meet this requirement?
A. Use the EventBridge replay capability to replay FailedInvocations events. Configure Amazon CloudWatch to publish notifications to the SNS topic.
B. Create an EventBridge pipe that has a source of AllEvents. Set filtering in the pipe for FailedInvocations events. Specify the SNS topic as the target of the pipe.
C. Create an EventBridge rule that forwards failed events to the SNS topic. Use message filtering in EventBridge to filter for FailedInvocations events and to publish notifications to the SNS topic.
D. Create an Amazon CloudWatch alarm that uses the FailedInvocations metric for EventBridge. Configure the alarm to publish notifications to the SNS topic.
Correct Answer: D
QUESTION 83
An AWS CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted. How can this be achieved in a reliable and efficient way?
A. Write a script to continue backing up the RDS instance every five minutes.
B. Create an AWS Lambda function to take a snapshot of the RDS instance, and manually invoke the function before deleting the stack.
C. Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance.
D. Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack.
Correct Answer: C
QUESTION 84
A SysOps administrator needs to delete an AWS CloudFormation stack that is no longer in use. The CloudFormation stack is in the DELETE_FAILED state. The SysOps administrator has validated the permissions that are required to delete the CloudFormation stack. Which of the following are possible causes of the DELETE_FAILED state? (Select TWO.)
A. The configured timeout to delete the stack was too low for the delete operation to complete.
B. The stack contains nested stacks that must be manually deleted first.
C. The stack was deployed with the -disable-rollback option.
D. There are additional resources associated with a security group in the stack.
E. There are Amazon S3 buckets that still contain objects in the stack.
Correct Answer: BE
QUESTION 85
A SysOps administrator is responsible for the performance of an AWS Lambda function. The Lambda function has a timeout of 3 seconds and has values set for provisioned concurrency and reserved concurrency.
Amazon CloudWatch metrics show that the Lambda function is experiencing several throttles each second. The metrics also show that the Lambda function’s average duration is less than 100 ms. What should the SysOps administrator do to eliminate the function throttles?
A. Increase the Lambda function’s memory.
B. Increase the Lambda function’s provisioned concurrency value.
C. Increase the Lambda function’s reserved concurrency value.
D. Configure a dead-letter queue for the Lambda function.
Correct Answer: B
QUESTION 86
A SysOps administrator needs to create new AWS accounts. The SysOps administrator is using a correctly installed AWS Control Tower implementation and has successfully created accounts in the past by using Account Factory. The SysOps administrator is logged in as the management account’s root user for an organization in AWS Organizations. The SysOps administrator tries to create two new workload accounts and receives the following error message: “No launch paths found for resource.” What should the SysOps administrator do to create the two new accounts?
A. Create the first account in Account Factory. Then create the second account by using a separate operation in Account Factory.
B. Log in as a user that has appropriate permissions. Create the two workload accounts in Account Factory.
C. Ensure that the root user in the management account has AWSServiceCatalogEndUserAccess permissions.
D. Ensure that AWS Control Tower has the LaunchPath setting set to True in AWS Service Catalog.
Correct Answer: C
QUESTION 87
A company runs multiple Amazon EC2 instances that are distributed across multiple AWS Regions. The company uses AWS Systems Manager tools to manage the EC2 instances. The company needs to deploy an auditing software package onto every instance to record user logins and any actions that users take. A SysOps administrator must implement a solution that automatically installs the auditing software on all existing EC2 instances. The solution also must automatically install the auditing software on any new EC2 instances when they are launched. Which solution will meet these requirements?
A. Create a Systems Manager Distributor package that includes the auditing software. Store the package in an Amazon S3 bucket. Create a Systems Manager State Manager association in each Region to install the software package on all managed instances in the company’s AWS account.
B. Load the installer for the auditing software into an Amazon S3 bucket. Connect to every instance by using Systems Manager Fleet Manager Remote Desktop. Download the installer by using the AWS CLI. Run the installer manually.
C. Create an AWS Lambda function that calls the software installer. Merge the auditing software into the Lambda function by using Lambda layers. Run the Lambda function from each instance by using a scheduled Amazon EventBridge rule.
D. Create an Amazon EventBridge rule to react to Amazon EC2 RunInstances events. Configure the rule to modify the events to include a step that runs the software installer. Reboot all the instances.
Correct Answer: A
QUESTION 88
A company runs its workload on Nitro-based Amazon EC2 instances that are in an Auto Scaling group. The instances have General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volumes that are configured with baseline performance. During bootstrap time, the EC2 instances download large Docker images and run initialization steps that require high disk I/O. The Auto Scaling group is terminating instances before the instances are in service. The EBSWriteBytes metric is almost constantly at maximum. Which combination of actions should a SysOps administrator take to resolve this issue? (Select TWO.)
A. Increase the EC2 instance size.
B. Increase the EBS volume capacity.
C. Increase the EBS volume IOPS.
D. Increase the EBS volume throughput.
E. Change the instance type to an instance that is not Nitro-based.
Correct Answer: CD
QUESTION 89
A SysOps administrator needs to deploy a critical update to a web application that runs on Amazon EC2 instances. The SysOps administrator must minimize application downtime during the update. The SysOps administrator also must minimize the risk of a failed deployment of the update. Which deployment types will meet these requirements? (Select TWO.)
A. All-at-once deployment
B. Blue/green deployment
C. Canary deployment
D. Immutable deployment
E. In-place deployment
Correct Answer: BC
QUESTION 90
A company runs several workloads on AWS. The company identifies five AWS Trusted Advisor service quota metrics to monitor in a specific AWS Region. The company wants to receive email notification each time resource usage exceeds 60% of one of the service quotas. Which solution will meet these requirements?
A. Create five Amazon CloudWatch alarms, one for each Trusted Advisor service quota metric. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification each time that usage exceeds 60% of one of the service quotas.
B. Create five Amazon CloudWatch alarms, one for each Trusted Advisor service quota metric. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification each time that usage exceeds 60% of one of the service quotas.
C. Use the AWS Health Dashboard to monitor each Trusted Advisor service quota metric. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification each time that usage exceeds 60% of one of the service quotas.
D. Use the AWS Health Dashboard to monitor each Trusted Advisor service quota metric. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification each time that usage exceeds 60% of one of the service quotas.
Correct Answer: A
QUESTION 91
A company uses AWS Organizations to manage its AWS accounts. The company is implementing a CostCenter tag for business units to track costs and prevent noncompliant actions. The company needs to prevent users from launching Amazon EC2 instances with a CostCenter tag unless the tag has specified values. Which solution will meet this requirement with the LEAST administrative effort?
A. Create a service control policy (SCP) for the CostCenter tag in Organizations. Define the specified values in the policy. Attach the policy to all the company’s organizational units (OUs).
B. Configure inventory collection for the EC2 instances in AWS Systems Manager Inventory. Attach the CostCenter tag to the managed instances.
C. Create an Amazon Machine Image (AMI) for each of the company’s business units. Include a user data script that tags instances when they are launched.
D. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a user launches an EC2 instance. Configure the Lambda function to apply the appropriate CostCenter tag for each user’s IAM role or to terminate the instance if the tag lacks the specified values.
Correct Answer: A
QUESTION 92
A company has an Amazon RDS for MySQL DB instance that is configured as a Single-AZ DB instance. A SysOps administrator must configure the DB instance to fail over automatically in the event of a failure. Which action will meet this requirement?
A. Change the DB instance to an RDS for PostgreSQL DB instance.
B. Modify the DB instance to be a Multi-AZ DB instance.
C. Create a read replica of the DB instance.
D. Enable automated backups for the DB instance.
Correct Answer: B
QUESTION 93
A company is creating a new multi-account environment in AWS Organizations. The company will use AWS Control Tower to deploy the environment. Users must be able to create resources in approved AWS Regions only. The company must configure and govern all accounts by using a standard baseline configuration. Which combination of steps will meet these requirements in the MOST operationally efficient way? (Select TWO.)
A. Create a permission set and a custom permissions policy in AWS IAM Identity Center for each user to prevent each user from creating resources in unapproved Regions.
B. Deploy AWS Config rules in each AWS account to govern the account’s security compliance and to delete any resources that are created in unapproved Regions.
C. Deploy AWS Lambda functions to configure security settings across all accounts in the organization and to delete any resources that are created in unapproved Regions.
D. Implement a service control policy (SCP) to deny any access to AWS based on the requested Region.
E. Modify the AWS Control Tower landing zone settings to govern the approved Regions.
Correct Answer: DE
QUESTION 94
A company has deployed AWS Lambda functions, Amazon EC2 instances, and Amazon Elastic Block Store (Amazon EBS) volumes across multiple AWS Regions. A SysOps administrator needs to obtain recommendations for how to optimize the provisioned resources to balance utilization and cost. What should the SysOps administrator do to meet this requirement?
A. Use AWS Config to obtain optimization recommendations.
B. Use AWS Compute Optimizer to obtain optimization recommendations.
C. Tag all the resources. Use the AWS Cost and Usage Report to obtain optimization recommendations.
D. Tag all the resources. Use AWS Cost Explorer to obtain optimization recommendations.
Correct Answer: B
QUESTION 95
A company applies user-defined tags to resources that are associated with the company’s AWS workloads. Twenty days after applying the tags, the company notices that it cannot use the tags to filter views in the AWS Cost Explorer console. What is the reason for this issue?
A. It takes at least 30 days to be able to use tags to filter views in Cost Explorer.
B. The company has not activated the user-defined tags for cost allocation.
C. The company has not created an AWS Cost and Usage Report.
D. The company has not created a usage budget in AWS Budgets.
Correct Answer: B
QUESTION 96
A company requires the rotation of administrative credentials for production workloads on a regular basis. A SysOps administrator must implement this policy for an Amazon RDS DB instance’s master user password. Which solution will meet this requirement with the LEAST operational effort?
A. Create an AWS Lambda function to change the RDS master user password. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.
B. Create a new SecureString parameter in AWS Systems Manager Parameter Store. Encrypt the parameter with an AWS Key Management Service (AWS KMS) key. Configure automatic rotation.
C. Create a new String parameter in AWS Systems Manager Parameter Store. Configure automatic rotation.
D. Create a new RDS database secret in AWS Secrets Manager. Apply the secret to the RDS DB instance. Configure automatic rotation.
Correct Answer: D
QUESTION 97
A company uses an Amazon Aurora PostgreSQL database. The company’s compliance policy requires the data to be available in a separate, distinct geographic location. The company must maintain a recovery point objective (RPO) of 20 seconds in disaster recovery scenarios. Which solution will meet these requirements?
A. Reconfigure the database to be an Aurora global database. Set the RPO to 20 seconds.
B. Reconfigure the database to be an Aurora Serverless v2 database with an Aurora Replica in a separate Availability Zone. Set the replica lag to 20 seconds.
C. Modify the database to use a Multi-AZ cluster that has two readable standby instances in separate Availability Zones.
D. Add an Aurora Replica in a separate Availability Zone. Set the replica lag to 20 seconds.
Correct Answer: A
QUESTION 98
A company website contains a web tier and a database tier on AWS. The web tier consists of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones. The database tier runs on an Amazon RDS for MySQL Multi-AZ DB instance. The database subnet network ACLs are restricted to only the web subnets that need access to the database. The web subnets use the default network ACL with the default rules. The company’s operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error message states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups. Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Select TWO.)
A. On the default ACL, create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.
B. On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify the destinations as the database subnets.
C. On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
D. On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
E. On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.
Correct Answer: CD
QUESTION 99
A company is running a stateless application. The application consists of a web server and a PostgreSQL database that run on a single Amazon EC2 instance. The EC2 instance becomes overloaded during times of high application traffic, leading to slow response times. A SysOps administrator needs to implement a solution to resolve the application’s performance issues. The solution must accommodate increased application traffic as the number of users continues to grow. The solution also must make the application highly available. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an Amazon CloudFront distribution. Specify the EC2 instance as the origin.
B. Configure an EC2 Auto Scaling group of web servers behind an Application Load Balancer.
C. Upgrade the existing EC2 instance to a larger instance type with more CPU and memory resources.
D. Use an Amazon RDS for PostgreSQL Multi-AZ deployment for the database. Point the application to the new endpoint.
E. Upgrade the PostgreSQL database on the EC2 instance to a newer version.
Correct Answer: BD
QUESTION 100
A SysOps administrator is troubleshooting an implementation of Amazon CloudWatch Synthetics. The CloudWatch Synthetics results must be sent to an Amazon S3 bucket. The SysOps administrator has copied the configuration of an existing canary that runs on a VPC that has an internet gateway attached. However, the SysOps administrator cannot get the canary to successfully start on a private VPC that has no internet access. What should the SysOps administrator do to successfully run the canary on the private VPC?
A. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Add the synthetics:GetCanaryRuns permission to the VPC. On the S3 bucket, add the IgnorePublicAcs permission to the CloudWatch Synthetics role.
B. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPC. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use the S3 endpoint.
C. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPC. Add a security group to the canary to allow outbound traffic on the DNS port. Add the permissions to allow CloudWatch Synthetics to write to the S3 bucket.
D. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Create an interface VPC endpoint for CloudWatch. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use both endpoints.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.