QUESTION 121
A medical research company uses an Amazon Bedrock powered Al assistant with agents and knowledge bases to provide physicians quick access to medical study protocols. The company needs to generate audit reports that contain user identities, usage data for Bedrock agents, access data for knowledge bases, and interaction parameters. Which solution will meet these requirements?
A. Use AWS Cloud Trail to log API events from generative Al workloads. Store the events in Cloud Trail Lake. Use SQL-like queries to generate reports.
B. Use Amazon CloudWatch to capture generative Al application logs. Stream the logs to Amazon OpenSearch Service. Use an OpenSearch dashboard visualization to generate reports.
C. Use Amazon CloudWatch to log API events from generative Al workloads. Send the events to an Amazon S3 bucket. Use Amazon Athena queries to generate reports.
D. Use AWS Cloud Trail to capture generative Al application logs. Stream the logs to Amazon Managed Service for Apache Flink. Use SQL queries to generate reports.
Correct Answer: A
QUESTION 122
A company wants to create an automated solution for all accounts managed by AWS Organizations to detect any security groups that use 0.0.0.0/0 as the source address for inbound traffic. The company also wants to automatically remediate any noncompliant security groups by restricting access to a specific CIDR block that corresponds with the company’s intranet. Which set of actions should the SysOps administrator take to create a solution?
A. Create an AWS Config rule to detect noncompliant security groups. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.
B. Create an IAM policy to deny the creation of security groups that have 0.0.0.0/0 as the source address. Attach this IAM policy to every user in the company.
C. Create an AWS Lambda function to inspect new and existing security groups. Check for a noncompliant 0.0.0.0/0 source address and change the source address to the approved CIDR block.
D. Create a service control policy (SCP) for the organizational unit (OU) to deny the creation of security groups that have the 0.0.0.0/0 source address. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.
Correct Answer: A
QUESTION 123
A company must automate daily incremental backups of any Amazon Elastic Block Store (Amazon EBs) volume that is marked with a Lifecycle:Production tag. The company also must prevent users from using ec2:* permissions to delete any of these production snapshots. Which solution will meet these requirements?
A. Create a daily snapshot of all EBS volumes by using AWS Backup. Specify Lifecycle as the tag key. Specify Production as the tag value.
B. Create a daily snapshot of all EBS volumes by using Amazon Data Lifecycle Manager. Specify Lifecycle as the tag key. Specify Production as the tag value.
C. Create automatic remediation rules in AWS Trusted Advisor to deny any delete actions on the EBS volumes when the Lifecycle:Production tag is present.
D. Create a daily Amazon Machine Image (AMI) of any Amazon EC2 instances by using Amazon Data Lifecycle Manager.
Correct Answer: A
QUESTION 124
A company must ensure that all Amazon EC2 Windows instances that are launched in an AWS account have a third-party agent installed. The company uses AWS Systems Manager, and the Windows instances are tagged appropriately. The company must deploy periodic updates to the third-party agent when the updates become available. Which combination of steps will meet these requirements with the LEAST operational effort? (Select TWO.)
A. Create a Systems Manager Distributor package for the third-party agent.
B. Create a Systems Manager Opsltem that includes the tag value for Windows. Attach the Systems Manager inventory to the Opsltem.
C. Create an AWS Lambda function. Program the Lambda function to log in to each instance and to install or update the third-party agent as needed.
D. Create a Systems Manager State Manager association to run the AWS-RunRemoteScript document. Populate the details of the third-party agent package.
E. Create a Systems Manager State Manager association to run the Aw/s-ConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows.
Correct Answer: AE
QUESTION 125
An ecommerce website runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). A SysOps administrator is extending the Auto Scaling group to span one more Availability Zone. EC2 instances in the new Availability Zone are in the running state but fail to register with the target group. How can the SysOps administrator resolve this issue?
A. Attach the Availability Zone to the target group.
B. Attach at least one subnet in the new Availability Zone to the ALB.
C. Update inbound rules on the security groups of the EC2 instances.
D. Update outbound rules on the security groups of the ALB.
Correct Answer: B
QUESTION 126
A SysOps administrator recently configured Amazon S3 Cross-Region Replication on an S3 bucket. Which of the following does this feature replicate to the destination S3 bucket by default?
A. Objects in the source S3 bucket for which the bucket owner does not have permissions
B. Objects that are stored in S3 Glacier
C. Objects that existed before replication was configured
D. Object metadata
Correct Answer: D
QUESTION 127
A company’s financial department needs to view the cost details of each project in an AWS account. A SysOps administrator must perform the initial configuration that is required to view cost for each project in Cost Explorer. Which solution will meet this requirement?
A. Activate cost allocation tags. Add a project tag to the appropriate resources.
B. Configure consolidated billing. Create AWS Cost and Usage Reports.
C. Use AWS Budgets. Create AWS Budgets reports.
D. Use cost categories to define custom groups that are based on AWS cost and usage dimensions.
Correct Answer: A
QUESTION 128
A company hosts applications in private subnets across multiple Availability Zones within a VPC. The company has established a VPC peering connection between an application VPC and a second VPC. The peering connection is active. However, resources in the application VPC cannot communicate with resources in the second VPC. A SysOps administrator must resolve the connectivity issue. Which solution will meet this requirement?
A. Use AWS Resource Access Manager (AWS RAM) to share the private subnets.
B. Update the route tables of each VPC to point to the peer VPC.
C. Enable default route propagation in the route tables of both VPCs.
D. Update both VPCs to be in the same AWS Region.
Correct Answer: B
QUESTION 129
A company recently acquired another corporation and all of that corporation’s AWS accounts. A financial analyst needs the cost data from these accounts. A Sysops administrator uses Cost Explorer to generate cost and usage reports. The Sysops administrator notices that “No Tagkey” represents 20% of the monthly cost. What should the SysOps administrator do to tag the “No Tagkey” resources?
A. Add the accounts to AWS Organizations. Use a service control policy (SCP) to tag all the untagged resources.
B. Use an AWS Config rule to find the untagged resources. Set the remediation action to terminate the resources.
C. Use Cost Explorer to find and tag all the untagged resources.
D. Use Tag Editor to find and tag all the untagged resources.
Correct Answer: D
QUESTION 130
A SysOps administrator runs the AWS Systems Manager Run Command AWS-RunPatchBaseline document on a group of 20 Amazon Linux 2023 based Amazon EC2 instances. After the Run Command document runs successfully, the SysOps administrator finds that some of the EC2 instances were not patched. The SysOps administrator verifies that the desired Amazon Linux 2023 patch baseline is set as the default baseline. What is the MOST likely reason some instances were not updated to the latest kernel?
A. The instances that were not updated were added to the patch exception in the patch baseline.
B. The instances that were not updated have the PatchGroup tag.
C. The instances that were not updated have a custom ResourceGroup tag.
D. The instances that were not updated are considered noncompliant in the patch baseline.
Correct Answer: B
QUESTION 131
A company recently purchased Savings Plans. The company wants to receive email notification when the company’s utilization drops below 90% for a given day. Which solution will meet this requirement?
A. Create an Amazon CloudWatch alarm to monitor the Savings Plan check in AWS Trusted Advisor. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification when the utilization drops below 90% for a given day.
B. Create an Amazon CloudWatch alarm to monitor the SavingsPlansUtilization metric under the AWS/SavingsPlans namespace in CloudWatch. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification when the utilization drops below 90% for a given day.
C. Create a Savings Plans alert to monitor the daily utilization of the Savings Plans. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification when the utilization drops below 90% for a given day.
D. Use AWS Budgets to create a Savings Plans budget to track the daily utilization of the Savings Plans. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification when the utilization drops below 90% for a given day.
Correct Answer: D
QUESTION 132
A SysOps administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. Which collection of configuration changes will increase the cache hit ratio for the distribution? (Select TWO.)
A. Ensure that only required cookies, query strings, and headers are forwarded in the cache behavior settings.
B. Change the viewer protocol policy to use HTTPs only.
C. Configure the distribution to use presigned cookies and URLs to restrict access to the distribution.
D. Enable automatic compression of objects in the cache behavior settings.
E. Increase the CloudFront time to live (TTL) settings in the cache behavior settings.
Correct Answer: AE
QUESTION 133
A SysOps administrator needs to create a report that shows how many bytes are sent to and received from each target group member for an Application Load Balancer (ALB). Which combination of steps should the SysOps administrator take to meet these requirements? (Select TWO.)
A. Enable access logging for the ALB. Save the logs to an Amazon S3 bucket.
B. Install the Amazon CloudWatch agent on the instances in the target group.
C. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the target:port field.
D. Use Amazon Athena to query the ALB logs. Query the table. Use the received_ bytes and sent_ bytes fields to calculate the total bytes grouped by the client:port field.
E. Create an Amazon CloudWatch dashboard that shows the Sum statistic of the ProcessedBytes metric for the ALB.
Correct Answer: AC
QUESTION 134
A company hosts a static website on Amazon S3. An Amazon CloudFront distribution presents this site to global users. The company uses the Managed-CachingDisabled CloudFront cache policy. The company’s developers confirm that they frequently update a file in Amazon S3 with new information. Users report that the website presents correct information when the website first loads the file. However, the users’ browsers do not retrieve the updated file after a refresh. What should a SysOps administrator recommend to fix this issue?
A. Add a Cache-Control header field with max-age=0 to the S3 object.
B. Change the CloudFront cache policy to Managed-CachingOptimized.
C. Disable bucket versioning in the S3 bucket configuration.
D. Enable content compression in the CloudFront configuration.
Correct Answer: A
QUESTION 135
A SysOps administrator is configuring an Auto Scaling group of Amazon EC2 instances for an application. The average CPU utilization of the instances in the Auto Scaling group must remain at approximately 40% when the load on the application changes. Which solution will meet this requirement in the MOST operationally efficient manner?
A. Create a scheduled scaling action. Configure the action to run at times when the application typically experiences an increase in traffic.
B. Configure a simple scaling policy. Create an Amazon CloudWatch alarm that enters ALARM state when CPU utilization is greater than 40%. Associate the alarm with the scaling policy.
C. Configure a step scaling policy. Create an Amazon CloudWatch alarm that enters ALARM state when CPU utilization is greater than 40%. Associate the alarm with the scaling policy.
D. Configure a target tracking scaling policy. Specify a target value of 40 for average CPU utilization.
Correct Answer: D
QUESTION 136
A company’s developers manually install software modules on Amazon EC2 instances to deploy new versions of a service. A security audit finds that the instances have different combinations of approved modules and unapproved modules. A SysOps administrator must create a new instance image that contains only approved software. Which solution will meet these requirements?
A. Use Amazon Detective to continuously find and uninstall unauthorized modules from the instances.
B. Use Amazon GuardDuty to create and deploy an Amazon Machine Image (AMI) that includes only the approved modules.
C. Use AWS Systems Manager Run Command to install the approved modules on all running instances during an in-place update.
D. Use EC2 Image Builder to create and test an Amazon Machine Image (AMI) that includes only the approved modules. Update the deployment workflow to use the new AMI.
Correct Answer: D
QUESTION 137
A company has AWS accounts in an organization in AWS Organizations. The company has built an AWS Lambda function in one account. The Lambda function needs to retrieve a list of Amazon EC2 instances that are running in another account. Which solution will provide this access MOST securely?
A. Create an IAM user in the account where the EC2 instances are running. Collect access keys from the user. Store these credentials in AWS Systems Manager Parameter Store in the account of the Lambda function. Configure the Lambda function to use the access key and the secret key.
B. Configure the Lambda function’s execution role to assume a cross-account IAM role in the account where the EC2 instances are running. Modify the trust policy of the cross-account role to allow the Lambda function to assume the role. Add the AWS Security Token Service (AWS STS) AssumeRole API operation to the Lambda function’s code.
C. From the management account in the organization, call the Organizations CreatePolicy API operation to create a new service control policy (SCP. Configure the SCP to grant lambda:InvokeFunction permission. Assign the SCP to the organization root.
D. Create a new resource-based policy for the Lambda function. In the policy, set the Principal to “*” and set the Action to lambda:InvokeFunction. Create a condition on the policy to allow access when the value of the aws:PrincipalOrgID condition key matches the organization’s ID.
Correct Answer: B
QUESTION 138
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched. What should the SysOps administrator do to meet this requirement?
A. Add a wait condition to the template. Update the EC2 instance user data script to send a signal after the EC2 instance is started.
B. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource.
C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource.
D. Create multiple templates. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created.
Correct Answer: B
QUESTION 139
A company is trying to connect two applications. One application runs in an on-premises data center that has a hostname of host1.onprem.private. The other application runs on an Amazon EC2 instance that has a hostname of host1.awscloud.private. An AWS Site-to-Site VPN connection is in place between the on-premises network and AWS. The application that runs in the data center tries to connect to the application that runs on the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS resolution between on-premises and AWS resources. Which solution allows the on-premises application to resolve the EC2 instance hostname?
A. Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.
B. Set up an Amazon Route 53 inbound resolver endpoint. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.
C. Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the outbound resolver endpoint.
D. Set up an Amazon Route 53 outbound resolver endpoint. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint.
Correct Answer: B
QUESTION 140
A company made a configuration change to an Amazon EC2 Auto Scaling group that hosts a production application. The change affected the number of available EC2 instances and caused the application to be slow to respond. The company needs a solution to provide an email notification when a management change occurs to the Auto Scaling group. The company has already set up a trail in AWS CloudTrail to log management write changes. A SysOps administrator creates an Amazon Simple Notification Service (Amazon SNS) topic that has the appropriate subscribers. What should the SysOps administrator do next to meet this requirement?
A. Use AWS Config to monitor the trail for changes to the Auto Scaling group. Configure AWS Config to publish a message to the SNS topic when a change is detected.
B. Use AWS Security Hub to monitor the trail for changes to the Auto Scaling group. Configure Security Hub to publish a message to the SNS topic when a change is detected.
C. Create an Amazon EventBridge rule to run in response to CloudTrail management write events that involve the Auto Scaling group. Configure the EventBridge rule to publish a message to the SNS topic when a change is detected.
D. Store all Cloud Trail management events in an Amazon S3 bucket. Use S3 Event Notifications to publish a message to the SNS topic when a change to the Auto Scaling group is detected.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.