QUESTION 141
A company migrated a two-tier web application from an on-premises environment to AWS by using a rehost strategy. The company hosts the web tier on Amazon EC2 instances in a public subnet. The instances have Elastic IP addresses. The database tier is a single EC2 instance that runs Microsoft SQL Server. All the resources are in one Availability Zone. A SysOps administrator must implement a new architecture to improve the application’s security and make the application highly available. The new architecture must require minimum application code changes and administrative overhead. Which combination of steps will meet these requirements? (Select TWO.)
A. Place the web-tier instances in an Auto Scaling group. Configure the Auto Scaling group to support a Multi-AZ deployment into private subnets that are behind an internet-facing Application Load Balancer.
B. Place the web-tier instances in an Auto Scaling group. Configure the Auto Scaling group in multiple AWS Regions. Deploy the EC2 instances into private subnets that are behind an internet-facing Application Load Balancer.
C. Launch an additional EC2 instance to host SQL Server. Place the new database EC2 instance in a second AWS Region. Enable replication between the two database EC2 instances.
D. Use AWS Database Migration Service (AWS DMS) to migrate the database EC2 instance to Amazon RDS for SQL Server with Multi-AZ Database Mirroring (DBM).
E. Use AWS Database Migration Service (AWS DMS) to migrate the database EC2 instance to Amazon DynamoDB.
Correct Answer: AD
QUESTION 142
A company needs to configure a disaster recovery solution for a critical application that runs on AWS. The company must replicate its Amazon EC2 instances to a secondary AWS Region. The EC2 instances run Amazon Linux 2023. Which solution will meet these requirements with the MINIMUM recovery time objective (RTO)?
A. Configure AWS Backup to back up the EC2 instances to a secondary Region. Use Amazon Route 53 for DNS failover to the secondary Region when needed.
B. Configure Amazon Data Lifecycle Manager to back up the EC2 instances to a secondary Region. Use Amazon Route 53 for DNS failover to the secondary Region when needed.
C. Implement AWS Elastic Disaster Recovery to back up the Amazon EC2 instances to a secondary Region and to perform failover to the secondary Region when needed.
D. Create Amazon Machine Images (AMIs) of all the EC2 instances. Copy the AMIs to the secondary Region. When needed, launch EC2 instances from the AMIs. Use Amazon Route 53 for DNS failover.
Correct Answer: C
QUESTION 143
A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:
AMI [ami-12345678] does not exist.
How should the administrator ensure that the AWS CloudFormation template is working in every region?
A. Copy the source region’s Amazon Machine Image (AMI) to the destination region and assign it the same ID.
B. Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
C. Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI:: ImageID control.
D. Modify the AWS CloudFormation template by including the AMI IDs in the “Mappings” section. Refer to the proper mapping within the template for the proper AMI ID
Correct Answer: D
QUESTION 144
A SysOps administrator needs to implement a solution to monitor a company’s application endpoints and API endpoints. The solution must perform several operations in sequential order to determine whether an endpoint is functioning correctly. Which solution will meet these requirements?
A. Use Amazon CloudWatch Synthetics to create canaries to perform the monitoring.
B. Create Amazon CloudFront distributions that use CloudFront Functions to run the required code for monitoring.
C. Create an Amazon EventBridge event rule for each endpoint. Include the required operations for monitoring in the code for each rule.
D. Deploy the Amazon CloudWatch agent. Use CloudWatch ServiceLens to run the required code for monitoring.
Correct Answer: A
QUESTION 145
A SysOps administrator creates a new source AWS account to use with a company’s new application. The application will use Amazon CloudWatch for observability from a monitoring account. The company already used an AWS CloudFormation template to turn on CloudWatch cross-account observability for its other application accounts. Which combination of steps must the SysOps administrator take to set up the new source account for cross-account observability? (Select THREE.)
A. Download the CloudFormation template from the new source account.
B. Download the CloudFormation template from the monitoring account.
C. Deploy the CloudFormation stack in the new source account.
D. Deploy the CloudFormation stack in the monitoring account.
E. Add the new source account ID to the monitoring account’s configuration policy.
F. In the new source account, specify the data that the monitoring account will be able to view.
Correct Answer: BCE
QUESTION 146
A company has AWS accounts that use various AWS Regions. The accounts are in an organization in AWS Organizations. The company’s security team has enabled AWS Security Hub and several security standards by using a delegated administrator account. Cross-Region aggregation is enabled. Consolidated control findings are turned off. The security team is receiving multiple copies of Security Hub findings that refer to the same misconfiguration. The extra copies of findings are causing difficulty for the security team to prioritize remediation. Which solution will consolidate the findings with the LEAST operational overhead?
A. Turn on consolidated control findings in the Security Hub delegated administrator account.
B. Export the Security Hub findings. Consolidate the findings based on control ID. Visualize the findings in Amazon QuickSight.
C. Set up an AWS Config aggregator instead of Security Hub. Deploy a custom conformance pack by consolidating AWS Config rules.
D. Launch an Amazon EC2 instance in the organization’s management account. Configure a custom script to assume a role in each linked account to extract and consolidate findings from the accounts.
Correct Answer: A
QUESTION 147
A company needs to implement disaster recovery (DR) for its application. The application’s production environment consists of Amazon EC2 instances in an Auto Scaling group and an Amazon RDS database that has three read replicas. The DR environment uses a single EC2 instance in an Auto Scaling group and one cross-Region read replica. The company uses Amazon Route 53 for DNS resolution. A SysOps administrator must automate the DR process. However, the SysOps administrator must maintain manual control over the final failover step of updating DNS records. Which solution will meet these requirements with the LEAST downtime?
A. Create an AWS CloudFormation template that increases the Auto Scaling group’s EC2 instance count. Create an AWS Systems Manager Run Command document that adds three RDS read replicas. Update the Route 53 DNS record.
B. Create an AWS CloudFormation template that deploys a new Auto Scaling group that contains the appropriate number of EC2 instances. Use the CloudFormation template to deploy a new RDS DB instance and the required read replicas. When the DR environment is ready to support traffic. send a command to update the Route 53 DNS record.
C. Create an AWS Systems Manager Automation runbook that increases the Auto Scaling group’s EC2 instance count, adds three RDS read replicas, and fails over the database. When the DR environment is ready to support traffic, send a command to update the Route 53 DNS record.
D. Create an AWS Systems Manager Run Command document that increases the Auto Scaling group’s EC2 instance count, adds three RDS read replicas, and fails over the database. Update the Route 53 DNS record.
Correct Answer: C
QUESTION 148
A company manages an application that uses Amazon ElastiCache (Redis OSS) with two extra-large nodes spread across two different Availability Zones. The company’s IT team discovers that the ElastiCache (Redis OSS) cluster has 75% freeable memory. The application must maintain high availability. What is the MOST cost-effective way to resize the cluster?
A. Decrease the number of nodes in the ElastiCache (Redis OSS) cluster from 2 to 1.
B. Deploy a new ElastiCache (Redis OSS) cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original cluster.
C. Deploy a new ElastiCache (Redis OSS) cluster that uses large node types. Take a backup from the original cluster, and restore the backup in the new cluster. After the process is complete, shut down the original cluster.
D. Perform an online resizing for the ElastiCache (Reds OSS) cluster. Change the node types from extra-large nodes to large nodes.
Correct Answer: D
QUESTION 149
A company is using Amazon S3 buckets to store datasets. The company has several teams that use Amazon Athena to run one-time queries against the datasets. A SysOps administrator must implement a solution that stores each team’s Athena query results in that team’s individual S3 bucket. Which solution will meet this requirement?
A. Create individual Athena workgroups that have separate S3 query result locations.
B. Configure an AWS Glue Data Catalog database for each team. Instruct the teams to run their queries on tables in their separate databases.
C. Require each team to use the primary Athena workgroup. Instruct the teams to set individual S3 result locations when they query Athena.
D. Create an AWS Glue security configuration. Associate the security configuration with each team.
Correct Answer: A
QUESTION 150
A company has an ecommerce application. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company runs a backend PostgreSQL database on Amazon RDS. As the number of EC2 instances increases during times of high application usage, the database’s CPU utilization increases. At the same time, the database’s available memory significantly decreases. A SysOps administrator must reduce the overhead of the new database connections from the Auto Scaling group in a highly available manner. Which solution will meet this requirement?
A. Enable the RDS Multi-AZ feature.
B. Enable RDS Performance Insights.
C. Launch another EC2 instance. Install and configure PgBouncer with the existing PostgreSQL database connection string.
D. Create an RDS proxy. Configure connectivity to the existing PostgreSQL database.
Correct Answer: D
QUESTION 151
A company’s web application uses an Amazon Aurora DB cluster. The DB cluster includes memory optimized instances and operates 24 hours a day 7 days a week. The DB cluster has a writer node and a reader node. Application traffic volume changes significantly throughout the day. During sudden traffic increases, Amazon CloudWatch metrics for the DB cluster indicate high RAM consumption and an increase in SELECT latency. A SysOps administrator must apply a configuration change to improve the DB cluster’s performance. The change must minimize downtime and must not result in lost data. Which change will meet these requirements?
A. Attach an additional elastic network interface to the instances.
B. Double the disk storage capacity of the DB cluster. Add a nonvolatile memory express (NVMe) reservation as a local cache.
C. Take a snapshot of the DB cluster. From the snapshot, create a new DB cluster that has larger memory optimized instances.
D. Add an Aurora Replica to the DB cluster. Update the application to point read queries to the read replica endpoint.
Correct Answer: D
QUESTION 152
A company uses automations in AWS Systems Manager Automation. A new company policy requires more restrictive user permissions on resources. The policy states that all configurations must use infrastructure as code (IaC). The current automations use a service role that has elevated permissions. The automations will not function when the company implements the new permissions policy. Users must be able to run automations without the need for approvers. Which solutions will meet these requirements? (Select TWO.)
A. Use AWS Resource Access Manager (AWS RAM). Grant the service role the required permissions to share the automations.
B. Use AWS Identity and Access Management (IAM) to create a service role for Systems Manager Automation. Grant the service role the required permissions.
C. Use the aws:approve action. Grant the service role the required permissions to run the automations.
D. Use AWS CloudFormation to configure a service role for Systems Manager Automation. Grant the service role the required permissions.
E. Create VPC endpoints. Associate the automations with the PC endpoints by using a service role that has the required permissions.
Correct Answer: BD
QUESTION 153
A company stores customer data in an Amazon S3 bucket. Users from several AWS accounts need to access the data. The company owns some of the accounts. Partner companies own the other accounts that need to access the data. A SysOps administrator needs to implement a solution to give users the ability to query the data. The solution must track which users access each object. Additionally, the solution must minimize ongoing administrative effort as new users are added in the future. Which solution will meet these requirements?
A. Create an AWS Lake Formation data lake. Add the S3 bucket as a data source. Use Lake Formation to create a role-based permissions structure. Create resource shares in Lake Formation for all accounts that require access.
B. Create an AWS Lake Formation data lake. Add the S3 bucket as a data source. Use Lake Formation to create a role-based permissions structure. Create a trust policy for a user role that has Lake Formation permissions. Add each user to the trust policy.
C. Enable S3 bucket access logging. Modify the S3 bucket policy to allow access from Amazon Athena. Grant each user access to Athena through Athena workgroups.
D. Enable S3 bucket access logging. Modify the S3 bucket policy to allow access from Amazon Athena. Grant each user access to Athena through IAM permissions.
Correct Answer: A
QUESTION 154
A company uses an organization in AWS Organizations to manage multiple AWS accounts. A SysOps administrator must identify all IPv4 ports that are open to 0.0.0.0/0 across all accounts in the organization. Which solution will meet this requirement with the LEAST operational effort?
A. Use the AWS CLI to print all security group rules for review.
B. Review AWS Trusted Advisor findings in an organizational view for the Security Groups – Specific Ports Unrestricted check.
C. Create an AWS Lambda function to gather security group rules from all accounts. Aggregate the findings in an Amazon S3 bucket.
D. Enable Amazon Inspector in each account. Run an automated workload discovery job.
Correct Answer: B
QUESTION 155
A company uses an Amazon Simple Queue Service (Amazon SQS) queue and Amazon EC2 instances in an Auto Scaling group with target tracking to support a web application. The company also collects the ASGAverageNetworkIn metric for the Auto Scaling group. The company notices that EC2 instances are not being scaled in time to keep up with demand. The company investigates the issue and finds a large number of SQS messages in the queue during peak times. A SysOps administrator needs to reduce the number of messages in the SQS queue. Which solution will meet this requirement?
A. Define and use a new custom Amazon CloudWatch metric based on the SQS ApproximateNumberOfMessagesDelayed metric in the target tracking policy.
B. Define and use Amazon CloudWatch metric math to calculate the SQS queue backlog for each instance in the target tracking policy.
C. Define and use step scaling by specifying a ChangelnCapacity value for the EC2 instances.
D. Define and use simple scaling by specifying a ChangelnCapacity value for the EC2 instances.
Correct Answer: B
QUESTION 156
A company hosts a static website on Amazon S3. The website is served by an Amazon CloudFront distribution with a default TTL of 86,400 seconds. The company recently uploaded an updated version of the website to Amazon S3. However, users still see the old content when they refresh the site. A SysOps administrator must make the new version of the website visible to users as soon as possible. Which solution meets these requirements?
A. Adjust the TTL value for the DNS NAME record that is pointing to the CloudFront distribution.
B. Create an invalidation on the CloudFront distribution for the old S3 objects.
C. Create a new CloudFront distribution. Update the DNS records to point to the new CloudFront distribution.
D. Update the DNS record for the website to point to the S3 bucket.
Correct Answer: B
QUESTION 157
A company has many accounts in an organization in AWS Organizations. The company must automate resource provisioning from the organization’s management account to the member accounts. Which solution will meet this requirement?
A. Create an AWS CloudFormation change set. Deploy the change set to all member accounts.
B. Create an AWS CloudFormation nested stack. Deploy the nested stack to all member accounts.
C. Create an AWS CloudFormation stack set. Deploy the stack set to all member accounts.
D. Create an AWS Serverless Application Model (AWS SAM) template. Deploy the template to all member accounts.
Correct Answer: C
QUESTION 158
A company deploys AWS infrastructure in a VPC that has an internet gateway. The VPC has public subnets and private subnets. An Amazon RDS for MySQL DB instance is deployed in a private subnet. An AWS Lambda function uses the same private subnet and connects to the DB instance to query data. A developer modifies the Lambda function to require the function to publish messages to an Amazon Simple Queue Service (Amazon SQS) queue. After these changes. the Lambda function times out when it tries to publish messages to the SQS queue. Which solutions will resolve this issue? (Select TWO.)
A. Reconfigure the Lambda function so that the function is not connected to the VPC.
B. Deploy an RDS proxy. Configure the Lambda function to connect to the DB instance through the proxy.
C. Deploy a NAT gateway. Update the private subnet’s route table to route all traffic to the NAT gateway.
D. Create an interface endpoint for Amazon SQS in the VPC.
E. Create a gateway endpoint for Amazon SQS in the VPC.
Correct Answer: CD
QUESTION 159
A SysOps administrator launches an Amazon EC2 instance in a VPC that has an IPv4 CIDR block of 172.16.0.0/22. The VPC does not have internet access. The EC2 instance has an IAM instance profile that includes the AmazonSSMManagedEC2Instance DefaultPolicy AWS managed policy. The SysOps administrator tries to connect to the instance by using AWS Systems Manager Session Manager. The SysOps administrator receives the following error message: “We weren’t able to connect to your instance.” Which combination of steps should the SysOps administrator take to resolve this error? (Select THREE.)
A. Create an endpoint security group. Add an inbound rule for 172.16.0.0/22 with the HTTPS type. Keep the default outbound rule.
B. Create an endpoint security group. Add an inbound rule for the security group ID with the all traffic type. Add an outbound rule for 172.16.0.0/22 with the HTTPS type.
C. Add an inbound rule with the HTTPS type to the EC2 security group. Set the endpoint security group ID as the rule’s target source.
D. Add an outbound rule with the HTTPS type to the EC2 security group. Set the endpoint security group ID as the rule’s target destination.
E. Create VPC endpoints for ssm, ec2, and ec2messages operations. Apply the security group to the endpoint.
F. Create VPC endpoints for ssm, ssmmessages, and ec2messages operations. Apply the security group to the endpoint.
Correct Answer: CDF
QUESTION 160
A company has a security AWS account and a production AWS account. The company stores API keys as a secret in AWS Secrets Manager in the security account. The company uses an AWS Key Management Service (AWS KMS) AWS managed key to encrypt the secret. An AWS Lambda function in the production account returns an error when the function attempts to access the secret. Which combination of actions in the security account will allow the Lambda function to access the secret? (Select Two.)
A. Create a customer managed KMS key. Add a resource policy that allows the Lambda function to perform the kms:Decrypt and kms:DescribeKey actions. Change the key that encrypts the secret to be the new customer managed KMS key.
B. Create a customer managed KMS key. Add a resource policy that allows the Lambda function to perform the kms:CreateGrant and kms:GenerateDataKey actions. Change the key that encrypts the secret to be the new customer managed KMs key.
C. Update the AWS managed KMS key’s resource policy. In the policy, allow the Lambda function to perform the kms:Decrypt and kms:DescribeKey actions.
D. Add a resource policy to the secret. In the policy, allow the Lambda function to perform the secretsmanager:GetSecretValue action.
E. Add a resource policy to the secret. In the policy, allow the Lambda function to perform the secretsmanager:DescribeSecret action.
Correct Answer: CD
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.