QUESTION 101
A SysOps administrator must ensure that all of a company’s Amazon S3 buckets have versioning enabled. Which solution will meet this requirement?
A. Enable AWS Config. Set up the s3-bucket-versioning-enabled AWS Config managed rule. Specify the configuration changes trigger type. Configure an automatic remediation action that uses an AWS Lambda function to enable versioning on noncompliant S3 buckets.
B. Enable AWS Config. Set up the s3-bucket-versioning-enabled AWS Config managed rule. Specify the configuration changes trigger type. Configure an automatic remediation action that uses the AWS-ConfigureS3BucketVersioning AWS Systems Manager Automation runbook to enable versioning on noncompliant S3 buckets.
C. Enable Amazon GuardDuty. Use GuardDuty to identify S3 buckets that have versioning disabled. Create an Amazon EventBridge rule that sends the GuardDuty findings to AWS Systems Manager Automation. Specify the AWS-ConfigureS3BucketVersioning Systems Manager Automation runbook to enable versioning on noncompliant S3 buckets.
D. Enable Amazon GuardDuty. Use GuardDuty to identify S3 buckets that have versioning disabled. Create an Amazon EventBridge rule that sends the GuardDuty findings to a target AWS Lambda function. Configure the Lambda function to enable versioning on noncompliant S3 buckets.
Correct Answer: A
QUESTION 102
A SysOps administrator needs to give an existing AWS Lambda function access to an existing Amazon S3 bucket. Traffic between the Lambda function and the S3 bucket must not use public IP addresses. The Lambda function has been configured to run in a VPC. Which solution will meet these requirements?
A. Configure VPC sharing between the Lambda VPC and the S3 bucket.
B. Attach a transit gateway to the Lambda VPC to allow the Lambda function to connect to the S3 bucket.
C. Create a NAT gateway. Associate the NAT gateway with the subnet where the Lambda function is configured to run.
D. Create an S3 interface endpoint. Change the Lambda function to use the new S3 DNS name.
Correct Answer: D
QUESTION 103
A company that uses AWS Organizations has an organization that contains several AWS accounts. A SysOps administrator needs to implement controls to prevent an account from leaving the organization. Which solution will meet these requirements?
A. Create a service control policy (SCP) that denies the LeaveOrganization action. Apply the SCP to the root organizational unit (OU).
B. Create a service control policy (SCP) that denies the RemoveAccountFromOrganization action. Apply the SCP to the root organizational unit (OU).
C. Deploy an AWS Lambda function in each member account to remove any Organizations permissions when a user is created.
D. Turn on AWS Config. Set up the account-part-of-organizations managed rule. Configure the rule to run every hour.
Correct Answer: A
QUESTION 104
A company’s application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company has configured an Amazon CloudWatch alarm to monitor the HTTPCode_Target_5XX_Count metric. The application crashes every few days during business hours. The crashes trigger the CloudWatch alarm and result in service disruption. The cause of the crashes is a memory leak in the application. While developers work to fix the problem, a SysOps administrator needs to implement a temporary solution. The solution must automatically reboot the EC2 instances every day and must minimize application disruption during business hours. Which solution will meet these requirements?
A. Create an Amazon EventBridge rule that is scheduled to run outside of business hours. Configure the rule to invoke the StartInstances operation on the EC2 instances.
B. Use AWS Systems Manager to create a daily maintenance window that is outside of business hours. Register the EC2 instances as a target. Assign the AWS-RestartEC2Instance runbook to the maintenance window.
C. Configure an additional CloudWatch alarm to monitor the StatusCheckFailed System metric for the EC2 instances. Configure an EC2 action on the additional alarm to reboot the instances.
D. Configure an additional CloudWatch alarm that is triggered every time the application crashes. Configure an EC2 action on the additional alarm to restart the application on the EC2 instances.
Correct Answer: B
QUESTION 105
A company’s IT help desk reports that a recently deployed Amazon EC2 instance has set off an Amazon CloudWatch alarm that monitors HTTP availability. The instance runs Amazon Linux and hosts a non-production web server. A SysOps administrator needs to connect to the instance to review the cloud-init.log log file for the instance. The instance is in an isolated subnet that does not have a NAT gateway. The VPC where the instance is located has no VPN connectivity. Which solution will meet these requirements with the LEAST operational effort?
A. Connect to the instance by using EC2 Instance Connect. Use an EC2 Instance Connect endpoint. Ensure that the security groups on the endpoint and instance allow SSH access.
B. Connect to the instance by using EC2 Instance Connect. Ensure that the instance security group and network ACL allow port 22 access from the IT help desk client’s IP address.
C. Connect to the instance by using AWS Systems Manager Session Manager. Ensure that the instance security group and network ACL allow outbound connectivity to the internet.
D. Connect to the instance by using EC2 Instance Connect. Select a bastion host to connect to. Ensure that the security groups on the instance allow SSH access.
Correct Answer: A
QUESTION 106
An ecommerce company uses an Amazon ElastiCache (Reds OSS) cluster for in-memory caching of popular product queries on a shopping website. A SysOps administrator views Amazon CloudWatch metrics data for the ElastiCache cluster and notices a large number of evictions. The SysOps administrator needs to implement a solution to reduce the number of evictions. The solution also must keep the popular queries cached. Which solution will meet these requirements with the LEAST operational overhead?
A. Add another node to the ElastiCache cluster.
B. Increase the ElastiCache TTL value.
C. Decrease the ElastiCache TTL value.
D. Migrate to a new ElastiCache cluster that has larger nodes.
Correct Answer: B
QUESTION 107
A company has a non-production application that runs on an Amazon EC2 instance. The Amazon CloudWatch agent is installed on the EC2 instance. The application includes a process that randomly overuses temporary disk space and fills disks to 100% capacity. A SysOps administrator needs to automate a reboot of the EC2 instance after the disks reach 100% capacity. Which solution will meet this requirement in the MOST operationally efficient way?
A. Create a CloudWatch alarm for the EC2 instance. Create an Amazon EventBridge event rule that reacts to the CloudWatch alarm and reboots the EC2 instance.
B. Create a CloudWatch alarm for the EC2 instance. Create an Amazon Simple Email Service (Amazon SES) notification that reacts to the CloudWatch alarm and reboots the EC2 instance.
C. Create an AWS Lambda function to reboot the EC2 instance. Create a CloudWatch alarm that uses Amazon EventBridge to invoke the Lambda function.
D. Create an AWS Lambda function to reboot the EC2 instance. Use EC2 health checks to invoke the Lambda function.
Correct Answer: A
QUESTION 108
A company is using an Amazon EC2 instance to inspect inbound traffic. The EC2 instance runs Amazon Linux and has the Amazon CloudWatch agent installed and configured. The company needs to ingest metrics and logs from the EC2 instance into CloudWatch. The company also needs to receive notification when a specific number of errors occur for rejected web management requests. Which combination of steps will meet these requirements with the MOST operational efficiency? (Select TWO.)
A. Create an Amazon S3 bucket to store the logs. Configure an S3 event notification that occurs when new logs are added to the S3 bucket.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Add the queue as the destination of the Amazon S3 event notification.
C. Create a CloudWatch Logs log group and log stream. Set up IAM permissions for the EC2 instance to write to the log group and log stream.
D. Create an AWS Lambda function to process the logs from CloudWatch. Configure the Amazon S3 event notification to invoke the Lambda function. Configure the Lambda function to publish to an Amazon Simple Notification Service (Amazon SNS) topic.
E. Create a metric filter for the log group. Configure a filter pattern for the errors. Create a CloudWatch alarm that is based on the metric filter. Configure the alarm to publish to an Amazon Simple Notification Service (Amazon SNS) topic when the alarm is in ALARM state.
Correct Answer: CE
QUESTION 109
A company runs an application on a fleet of Amazon EC2 Windows instances in a Multi-AZ deployment. The company needs a solution that will give the instances access to shared files. The solution must be highly available, must use native Windows storage capabilities, and must maximize consistency for all file requests. Which solution will meet these requirements?
A. Create an Amazon FSx for Windows File Server Multi-AZ file system. Map file shares on the instances by using the file system’s DNS name.
B. Grant the instances access to a shared Amazon S3 bucket. Use Windows Task Scheduler to synchronize the contents of the S3 bucket locally to each instance periodically.
C. Create an Amazon Elastic File System (Amazon EFS) file system that uses the EFS Standard storage class. Mount the file system to the instances by using the file system’s DNS name and the EFS mount helper.
D. Create a new Amazon Elastic Block Store (Amazon EBS) Multi-Attach volume. Attach the EBS volume as an additional drive to each instance.
Correct Answer: A
QUESTION 110
A company’s SysOps administrator needs to troubleshoot an AWS Lambda function that runs in a private subnet in a VPC. The company has enabled Lambda Insights logging in the Lambda environment. However, there are no Lambda Insights logs for the Lambda function. The SysOps administrator has confirmed that the Lambda function’s execution role has the correct permissions. The Lambda function cannot have public connectivity. What should the SysOps administrator do to make Lambda Insights logging work correctly?
A. Configure a VPC endpoint to direct traffic to Amazon CloudWatch Logs.
B. Add an internet gateway to the VPC. Ensure that the private subnet has a route through the internet gateway to access AWS services.
C. Add a NAT gateway to a public subnet that has access to the internet. Change the private subnet for the Lambda function to route internet traffic to the NAT gateway.
D. Change the security group that is associated with the Lambda function to reference AWS managed prefix lists.
Correct Answer: A
QUESTION 111
A company is hosting applications on Amazon EC2 instances. The company is hosting a database on an Amazon RDS for PostgreSQL DB instance. The company requires all connections to the DB instance to be encrypted. What should a SysOps administrator do to meet this requirement?
A. Allow SSL connections to the database by using an inbound security group rule.
B. Encrypt the database by using an AWS Key Management Service (AWS KMS) encryption key.
C. Enforce SSL connections to the database by using a custom parameter group.
D. Patch the database with SSL/TLS by using a custom PostgreSQL extension.
Correct Answer: C
QUESTION 112
After an operating system update, a company experienced data corruption of the root volume of an Amazon EC2 instance that runs a critical application. The data corruption resulted in downtime for the application and lost profits. The company security policy states that operating system updates must be applied within 30 days of availability. The EC2 instance that was affected by the data corruption takes an Amazon Elastic Block Store (Amazon EBS) snapshot every 6 hours. The company has determined that an appropriate recovery point objective (RPO) is 12 hours. A SysOps administrator needs to implement a solution to avoid future loss of availability for the application. Which solution will meet this requirement in the MOST operationally efficient way?
A. Configure an AWS Lambda function that runs on a schedule to check the application status and to recover the EC2 instance from an EBS backup when necessary.
B. Use an AWS Systems Manager Automation action to restore the root volume to the latest available EBS backup when necessary.
C. Use Amazon EventBridge to notify the SysOps administrator through Amazon Simple Notification Service (SNS) when EventBridge receives an EC2 Instance State-change notification.
D. Update the EBS snapshot schedule to take a snapshot every 12 hours.
Correct Answer: B
QUESTION 113
A company uploads audio files to an Amazon S3 bucket. The company has configured S3 Event notifications to invoke an AWS Lambda function when an object is uploaded to the S3 bucket. The Lambda function processes the audio files by merging the files with advertisements. After the company deploys new code to the Lambda function, the function runs. However, occasionally the files are not processed successfully. A SysOps administrator needs to ensure that the Lambda function automatically retries to process any files that are not processed successfully the first time. Which solution will meet these requirements?
A. Create an Amazon Simple Queue Service (Amazon SQS) standard queue. Configure an S3 event notification to send messages to both the existing Lambda function and the SQS queue. Modify the Lambda function code to handle tailed messages by re-inserting the messages into the queue for retry.
B. Create an Amazon ElastiCache (Redis OSS) cache. Add the necessary IAM permissions for the Lambda function to access the cache. Modify the Lambda function to move failed messages to the cache.
C. Create an Amazon ElastiCache (Redis OSS) cache. Add the necessary IAM permissions for ElastiCache (Redis OSS) to invoke the Lambda function. Change the S3 event notification from Lambda to ElastiCache. Configure ElastiCache to invoke the Lambda function. Configure the Lambda function to return files to the cache if the function fails to process a file.
D. Create an Amazon Simple Queue Service (Amazon SQS) standard queue. Add IAM permissions to allow Amazon S3 to write to the queue. Modify the S3 event notification to create a message in the queue. Configure the queue to invoke the Lambda function when a message arrives in the queue. Create a dead-letter queue. Use a redrive policy for the dead-letter queue.
Correct Answer: D
QUESTION 114
A company has an AWS account that multiple teams use. A Sysops administrator needs to identity any IAM users and roles in the account that have not been used within the last 30 days. The Sysops administrator has created an Amazon Simple Notification Service (Amazon SNs) topic that must receive notifications about the unused identities. Which combination of steps will meet these requirements? (Select TWO.)
A. Configure and start an AWS Config configuration recorder. Add the iam-user-unused-credentials-check AWS Config managed rule. Specify 30 days.
B. Create an analyzer in AWS identity and Access Management Access Analyzer. Configure unused access analysis. Configure a tracking period of 30 days.
C. Configure the AWS Config delivery channel to use the SNS topic. Add a filter policy to the delivery channel to send notifications only for the iam-user-unused-credentials-check AWS Config managed rule.
D. Create an Amazon EventBridge rule. Configure an event pattern that has a source of AWS.iam and a detail type of Config Rules Compliance Change. Specify the SNS topic as the target.
E. Create an Amazon EventBridge rule. Configure an event pattern that has a source of AWS.access-analyzer and a detail type of Unused Access Finding for IAM Entities. Specify the SNS topic as the target.
Correct Answer: AC
QUESTION 115
A company deploys an application to multiple AWS Regions. The company uses an organization in AWS Organizations to manage multiple AWS accounts. The company must prevent all AWS accounts from launching AWS resources or accessing AWS services except in one allowed Region. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an AWS CloudFormation template that has a permissions boundary that allows only a specific Region. Apply the CioudFormation template to the Organizations management account
B. Create a service control policy (SCP) that denies actions in all Regions except the allowed Region. Apply the SCP to the corresponding Avs accounts.
C. Edit AWS identity and Access Management (IAM) settings for every AWS account to disable AWS Security Token Service (AWS STS) endpoints for every Region except the allowed Region.
D. Create IAM policies that include the AWS:RequestedRegion condition to allow a specific Region. Apply the IAM policy to the relevant IAM users.
Correct Answer: B
QUESTION 116
A SysOps administrator needs to deploy a large batch of data changes to an Amazon Aurora PostgreSQL database. The deployment must not result in data loss. The database has a security group attached. Which solution will meet these requirements with the MINIMUM downtime?
A. Create a database clone. Manually deploy the changes to the cloned database. After the deployment is complete, manually switch the infrastructure to the cloned database.
B. Create an Amazon EC2 instance and initiate a migration from the instance. Modify the security group to allow only the EC2 instance to access the database. After the deployment is complete, return the security group to its original configuration.
C. Restore a snapshot of the database. Test the changes on the restored database. If the test is successful, deploy the changes to the current database.
D. Use an Amazon RDS blue/green deployment. Switch to the green environment after deployment and testing are complete.
Correct Answer: D
QUESTION 117
A company runs an application on a fleet of Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. The instances run in an Auto Scaling group. The application’ s performance remains consistent throughout most of each day. However, an increase in user traffic slows the performance during the same 2-hour period each day. A SysOps administrator needs to resolve the application performance issue. Which solution will meet this requirement with the LEAST operational effort?
A. Adjust the minimum capacity of the Auto Scaling group to the size required to meet the increased demand during the 2-hour period.
B. Adjust the launch template that is associated with the Auto Scaling group to be more sensitive to increases in user traffic.
C. Create a scheduled scaling action to scale out the number of EC2 instances shortly before the increase in user traffic occurs.
D. Manually add a few more EC2 instances to the Auto Scaling group to support the increase in user traffic. Enable instance scale-in protection on the Auto Scaling group.
Correct Answer: C
QUESTION 118
A SysOps administrator needs to implement a solution to back up a company’s Amazon S3 objects. The solution also must prevent any entity from deleting the backups after 7 days. Which solution will meet these requirements?
A. Configure AWS Backup to back up the S3 resource type. Configure AWS Backup Vault Lock in governance mode with a minimum retention period of 6 days.
B. Configure AWS Backup to back up the S3 resource type. Configure AWS Backup Vault Lock in compliance mode with a grace time of 6 days.
C. Configure S3 Object Lock on all S3 buckets. Set a retention period of 6o days.
D. Configure S3 Object Lock on all S3 buckets. Set a legal hold on all S3 objects.
Correct Answer: B
QUESTION 119
Some users at a company require SSH access to an Amazon EC2 instance that runs in a private subnet. The users access the company’s AWS environment by using IAM users. A SysOps administrator needs to provide the users SSH access to the EC2 instance without increasing security risks. Which solution will meet these requirements?
A. Create a public subnet. Deploy a bastion host EC2 instance that has a public IP address in a public subnet. Establish connectivity through TCP port 22 between the bastion host and the EC2 instance. Allow inbound traffic from 0.0.0.0/0 to the bastion host. Grant the company users access to the bastion host.
B. Create a public subnet. Deploy a public NAT gateway in the public subnet. Configure routing to allow traffic between the EC2 instance and the public NAT gateway. Grant the company users access to the EC2 instance through the public NAT gateway.
C. Move the EC2 instance to a public subnet. Assign the instance a public IP address. Configure the EC2 instance security group to allow traffic through TCP port 22 from 0.0.0.0/0.
D. Create an IAM role that includes the AmazonSSMManagedlnstanceCore policy. Attach the IAM role to the EC2 instance. Install the AWS Systems Manager Agent on the instance. Update the policy that is associated with the IAM users to grant the IAM users access to the required session documents.
Correct Answer: D
QUESTION 120
An application accesses databases that run on an Amazon Aurora PostgreSQL Multi-AZ DB cluster. The application is gaining more users and is experiencing an increased load. A Sysops administrator needs to improve the application performance by pooling and sharing database user connections. Which solution will meet this requirement?
A. Increase the IOPs of the DB cluster.
B. Use Amazon RDS Proxy to set up a proxy. Associate the proxy with the DB cluster.
C. Enable Enhanced Monitoring on the DB cluster. Move the logs to Amazon CloudWatch.
D. Enable Performance Insights for 35 days on the DB cluster.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.