QUESTION 161
A company runs databases on Amazon RDS for MySQL DB instances. The company must generate database backups every 12 hours for all the DB instances. The company must retain the backups for 5 years. A SysOps administrator needs to develop an automated solution to generate and retain the database backups. Which solution will meet these requirements with the LEAST operational overhead?
A. Enable RDS automated backups. Set the backup frequency to 12 hours. Set the retention period to 5 years.
B. Configure an Amazon EventBridge rule to call the RDS CreateDBSnapshot API operation. Set the backup frequency to 12 hours. Set the retention period to 5 years.
C. Configure an AWS Lambda function to call the RDS CreateDBSnapshot API operation every 12 hours. Copy the snapshots to Amazon S3. Set up an S3 Lifecycle policy to retain the snapshots for 5 years.
D. Use AWS Backup to create an automated backup job in Amazon RDS. Set the backup frequency to 12 hours. Set the retention period to 5 years.
Correct Answer: D
QUESTION 162
A company runs an application across three AWS accounts in the us-west-2 Region. The application runs on Amazon EC2 instances. The company does not require the application to be highly available. To improve application performance, the company must set up the application in the same Availability Zone within each account. The company needs a solution to host all the instances in the same Availability Zone in each account. Which solution meet this requirement?
A. Use AWS Organizations to obtain the name of the Availability Zone that each instance is deployed to. Specify the Availability Zone name when new instances are launched.
B. Use AWS Resource Access Manager (AWS RAM) to obtain the ID of the Availability Zone that each instance is deployed to. Specify the Availability Zone ID when new instances are launched.
C. Use AWS Cloud Map to define friendly names for the Availability Zones in each account. Specify the appropriate friendly name when new instances are launched.
D. Use AWS CloudFormation to launch the instances in each account. Specify the appropriate Availability Zone name in the CloudFormation template that is deployed into each account.
Correct Answer: B
QUESTION 163
A company stores data in an Amazon S3 bucket. The company must ensure that some specific objects are not deleted or overwritten for 10 years to comply with local regulations. The company wants to use Amazon S3 Object Lock to protect the objects. Which solution will meet these requirements?
A. Configure the S3 bucket to require multi-factor authentication (MFA) for delete operations to prevent any accidental deletions.
B. Configure object ACLs and an S3 Lifecycle configuration to retain objects. Set up S3 Object Lock in governance mode.
C. Enable encryption for the S3 bucket that uses a custom AWS KMS key to restrict deletions or data overwriting. Apply a legal hold to the objects.
D. Enable versioning for the S3 bucket. Set up S3 Object Lock in compliance mode.
Correct Answer: D
QUESTION 164
A company has a microservice that runs on a set of Amazon EC2 instances. The EC2 instances run behind an Application Load Balancer (ALB). A SysOps administrator must use Amazon Route 53 to create a record that maps the ALB URL to example.com. Which type of record will meet this requirement?
A. An A record
B. An AAAA record
C. An alias record
D. A CNAME record
Correct Answer: C
QUESTION 165
A company has a VPC that includes a private subnet. The company tries to launch a new Amazon EC2 instance in the subnet, but the launch fails. An error message states that there are not enough free IP addresses in the subnet. A SysOps administrator needs to resolve the error. Which solution will meet this requirement?
A. Edit the subnet to increase the subnet’s CIDR range. Launch the instance.
B. Add a second subnet in the same Availability Zone. Launch the instance in the new subnet.
C. Create an Amazon VPC IP Address Manager (IPAM) pool. Allocate additional IP addresses from the pool to the private subnet. Launch the instance.
D. Use AWS Resource Access Manager (AWS RAM) to allocate more IP addresses to the subnet. Launch the instance.
Correct Answer: B
QUESTION 166
A company has a software as a service (SaaS) application. The company has integrated the application with AWS services by using the AWS SDK and an IAM user’s access key ID and secret access key. The company needs to implement the principle of least privilege for the IAM user. The company must avoid the usage of permanent credentials. Which solution will meet these requirements?
A. Migrate the application to use the AS Security Token Service (AWS STS) AssumeRoleWithSAML API operation.
B. Migrate the application to use the AWS Security Token Service (AWS STS) AssumeRole API operation. Allow the IAM user to call only AWS STS.
C. Add a policy to the existing IAM user to scope the permissions to only the permissions that the user needs for the application.
D. Add an IAM group to scope the permissions to only the permissions that the user needs for the application. Add the IAM user to the IAM group.
Correct Answer: B
QUESTION 167
A company has a non-production application that runs on an Amazon EC2 instance. The instance has an Amazon Elastic Block Store (Amazon EBS) volume attached. Each time an instance health check fails, a SysOps administrator resolves the issue by rebooting the instance. The SysOps administrator must implement an automated solution to reboot the instance after a failed health check. The SysOps administrator creates a service-linked IAM role for Amazon EventBridge. What should the SysOps administrator do next to meet the automation requirement?
A. Create an Amazon CloudWatch alarm for the HealthyHostCount metric. Include a search expression in the alarm that matches the instance. Configure the alarm to perform an EC2 reboot action when the metric value is greater than zero.
B. Create an Amazon CloudWatch alarm for the StatusCheckFailed Instance metric. Include a search expression in the alarm that matches the instance. Configure the alarm to perform an EC2 recover action when the metric value is greater than zero.
C. Create an Amazon CloudWatch alarm for the StatusCheckFailed_Instance metric. Use the instance ID as a dimension. Configure the alarm to perform an EC2 reboot action when the metric value is greater than zero.
D. Configure detailed monitoring for the instance. Create an Amazon CloudWatch alarm for the StatusCheckFailed Instance metric. Use the EC2 Amazon Machine Image (AMI) ID as a dimension. Configure the alarm to perform an EC2 stop instance operation and then an EC2 start instance operation when the metric value is greater than zero.
Correct Answer: C
QUESTION 168
A company runs multiple workloads within an organization in AWS Organizations. The company’s finance team requires detailed dashboards to track cost changes and to provide detailed cost metrics. The finance team needs to track trends on an hourly basis. Which solution will meet these requirements in the MOST operationally efficient way?
A. Set up AWS Budgets for the organization. Generate a budget report to view all project costs.
B. Generate an AWS Cost and Usage Report. Store the report in Amazon S3. Use Amazon Athena to query the data. Use Amazon QuickSight to develop dashboards based on the data in the AWS Cost and Usage Report.
C. Create an AWS Lambda function that runs once each day and assumes a role in every account in the organization. Configure the Lambda function to read AWS Cost Explorer data in each account and to store the cost data in an Amazon S3 bucket. Use Amazon Athena to query the data. Use Amazon QuickSight to display the data.
D. Create an IAM user for the finance team. Grant permissions to the IAM user to view AWS Cost Explorer data and billing data in the management account.
Correct Answer: B
QUESTION 169
A SysOps administrator wants to use AWS CloudFormation stacks to deploy Amazon CloudFront resources in an account. The SysOps administrator will use custom domain names, such as www.example.com and example.com. When the SysOps administrator tries to deploy a CloudFormation stack, the SysOps administrator receives the following error:
“Resource handler returned message: Invalid request provided: AWS::CloudFront::Distribution: One or more of the CNAMEs you provided are already associated with a different resource.”
What should the SysOps administrator do to deploy the stack successfully?
A. Check the names that are specified for NAMEs in the stack and correct them. Redeploy the stack.
B. Check the number of specified NAMEs in the stack for each distribution. Reduce the number to 10.
C. Remove any NAMEs that correspond to NAMEs in the existing CloudFront resource. Redeploy the stack.
D. Remove the NAME property from the template. Redeploy the stack.
Correct Answer: C
QUESTION 170
A company uses a custom Amazon Machine Image (AMI) as part of an EC2 Image Builder pipeline. A SysOps administrator notices that the custom AMI will reach the end of its support lifespan in few months. The SysOps administrator needs to update the EC2 Image Builder pipeline to use the latest AMI ID. Which solution will meet this requirement?
A. Create a new version of the existing EC2 Image Builder recipe. Update the AMI ID details. Update the pipeline to use the new recipe version.
B. Disable the AMI in the lifecycle rules for the existing AMI. Update the existing EC2 Image Builder recipe with the latest AMI ID details. Rerun the pipeline.
C. Update the build component to use the latest AMI ID details.
D. Replace the AMI ID in the launch template for the pipeline.
Correct Answer: A
QUESTION 171
A company uses AWS IAM Identity Center with an external identity provider to manage user access to an AWS account. A security team must receive an email notification if any user creates an IAM user. Which solution will meet this requirement?
A. Use an AWS managed rule in AWS Config to detect new IAM user creation events. Send configuration changes and notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the SNS topic.
B. Enable AWS Security Hub. Create a custom action to detect new IAM user creation events. Configure Security Hub to send email notifications to the security team.
C. Create a trail in AWS CloudTrail. Create an Amazon EventBridge rule and event pattern to detect new IAM user creation events. Create an Amazon Simple Notification Service (Amazon SNS) topic as a target for the EventBridge rule.
D. Use AWS Identity and Access Management Access Analyzer to detect new IAM user creation events. Configure IAM Access Analyzer to send email notifications to the security team.
Correct Answer: C
QUESTION 172
A company’s website runs on compute optimized Amazon EC2 instances. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer (ALB). Each EC2 instance uses an Amazon Elastic Block Store (Amazon EBS) volume. The EC2 instances store data on an Amazon RDS for MySQL Multi-AZ DB instance. More than 99% of the database calls are read operations. As website traffic increases, users experience slower responses and occasional timeouts. The CPU utilization of the EC2 instances averages 20%. The CPU utilization of the RDS DB instance averages 80%. Which actions will improve the website’s performance? (Select TWO.)
A. Increase the size of the EC2 instances.
B. Increase the size of the RDS DB instance.
C. Increase the IOPS throughput of the EBS volumes. Update the EC2 instances to be storage optimized instances.
D. Update the RDS DB instance to add read replicas. Configure the website to make read requests to the read replicas instead of to the primary DB instance.
E. Ensure that the ALB is in the same subnets as the EC2 instances.
Correct Answer: BD
QUESTION 173
A company uses AWS Organizations to manage multiple AWS accounts. The company uses AWS PrivateLink to support some workloads. The company needs to ensure that only approved accounts and principals can access the workloads through PrivateLink. Which solution will meet these requirements?
A. Use AWS Resource Access Manager (AWS RAM) to share PrivateLink services. Configure IAM policies to ensure only approved accounts and principals can access the services.
B. Use AWS Service Catalog to predefine PrivateLink configurations. Use IAM roles to enforce access policies.
C. Use service control policies (SCPs) to limit the creation of PrivateLink connections. Apply tag-based access control to enforce access governance.
D. Use Amazon VPC Flow Logs to monitor PrivateLink service access. Create Amazon CloudWatch alarms for unauthorized activities.
Correct Answer: A
QUESTION 174
A SysOps administrator receives a notification from AWS Config rule ec2-imdsv2-check. The notification states that a recently launched Amazon EC2 instance is noncompliant. Which solution will remediate the compliance failure?
A. Reconfigure security groups that are attached to the instance to disallow SSHv1 access.
B. Restart the instance to re-evaluate its compliance status.
C. Reconfigure the metadata options for the instance to require version 2.
D. Add the new instance to the exceptions for the AWS Config rule.
Correct Answer: C
QUESTION 175
A company hosts a website on Amazon EC2 instances behind an internet-facing Application Load Balancer (ALB). The instances are in an Auto Scaling group. An Amazon CloudFront distribution serves the website’s content. The company set the ALB as the distribution’s origin. The company recently detected malicious attacks against the website from specific countries. To counter the attacks, the company configured AWS WFA geographic match rules and associated the rules with the CloudFront distribution. The rules blocked the attacks initially, but the attacks have resumed because the attackers started targeting the ALB directly. What should a SysOps administrator do to protect the website from the attacks?
A. Activate Amazon Inspector in the company’s AWS account. Turn on Amazon EC2 scanning.
B. Replace the ALB with an internet-facing Network Load Balancer (NLB). Associate the existing AWS WAF rules with the NLB.
C. Update the network ACL in the subnet that contains the ALB. Allow inbound HTTP and HTTPS access from only the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list.
D. Update the security group that is associated with the ALB. Allow inbound HTTP and HTTPS access from only the com.amazonaws. global.cloudfront.origin-facing CloudFront managed prefix list.
Correct Answer: D
QUESTION 176
A company has a customized Linux operating system. The company has taken an Amazon Machine Image (AMI) of the operating system. The company uses the AMI to launch Amazon EC2 instances that include several internal tools to capture and analyze application log data. Recently, some of the company’s Java applications have experienced service interruptions because of Java Virtual Machine (JVM) garbage collection behavior. The existing tools are not capturing any JVM logs that are written to the general system log file. A SysOps administrator needs to implement a solution to capture the JVM logs. Which solution will meet this requirement with the LEAST operational effort?
A. Install, configure, and run the Amazon CloudWatch agent on the EC2 instances.
B. Migrate the applications to AWS Lambda functions that use the most recent JVM version.
C. Create an AWS Lambda function to connect to each EC2 instance. Configure each Lambda function to capture log data.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Send the JVM logs to the SNS topic.
Correct Answer: A
QUESTION 177
A company runs a high performance computing (HPC) data-processing application on Amazon EC2 instances in one Availability Zone within a development environment. The application uses a dataset that the company stores on an Amazon S3 general purpose bucket in the same AWS Region as the EC2 instances. A SysOps administrator must improve the application’s performance for retrieval of objects from Amazon S3. Which solution will meet these requirements?
A. Enable S3 Transfer Acceleration for the S3 bucket. Create an S3 access point for the bucket. Update the application to use the access point.
B. Create an S3 Lifecycle configuration for the S3 bucket to move all objects to the S3 Express One Zone storage class. Update the application to use an S3 Regional endpoint.
C. Create a second general purpose S3 bucket in the same Region. Copy the objects from the original bucket to the new bucket. Use the S3 Express One Zone storage class to store the objects in the new bucket. Update the application to use an S3 Regional endpoint.
D. Create an S3 directory bucket in the same Availability Zone. Import objects from the original bucket to the new bucket. Use the S3 Express One Zone storage class to store the objects in the new bucket. Update the application to use an S3 Zonal endpoint.
Correct Answer: D
QUESTION 178
A development team is building an application that will use an Amazon API Gateway REST API and AWS Lambda functions to receive and process requests. The Lambda functions will deliver messages to an Amazon Simple Notification Service (Amazon SNS) topic. External stakeholders subscribe to the SNS topic. The company wants to prevent sensitive data from being published to the SNS topic. Which solution will meet these requirements?
A. Associate a data protection policy with the SNS topic. Define policy statements that identify and protect the sensitive data.
B. Run a sensitive data discovery job in Amazon Macie. Define the scope to identify and redact sensitive information within the workflow before publishing messages to the SNS topic.
C. Deploy Amazon GuardDuty Lambda Protection. Define sensitive data patterns that generate specific finding types when the patterns are matched. Send notifications to the development team.
D. Use Amazon Inspector to scan the Lambda function code for sensitive information. Activate an alert when Amazon Inspector finds sensitive information.
Correct Answer: A
QUESTION 179
A development team is building an application that will use an Amazon API Gateway REST API and AWS Lambda functions to receive and process requests. The Lambda functions will deliver messages to an Amazon Simple Notification Service (Amazon SNS) topic. External stakeholders subscribe to the SNS topic. The company wants to prevent sensitive data from being published to the SNS topic. Which solution will meet these requirements?
A. Associate a data protection policy with the SNS topic. Define policy statements that identify and protect the sensitive data.
B. Run a sensitive data discovery job in Amazon Macie. Define the scope to identify and redact sensitive information within the workflow before publishing messages to the SNS topic.
C. Deploy Amazon GuardDuty Lambda Protection. Define sensitive data patterns that generate specific finding types when the patterns are matched. Send notifications to the development team.
D. Use Amazon Inspector to scan the Lambda function code for sensitive information. Activate an alert when Amazon Inspector finds sensitive information.
Correct Answer: A
QUESTION 180
An ecommerce company runs a microservices application on Amazon Elastic Container Service (Amazon ECS). Customers sometimes experience high latency when the customers attempt to complete a purchase through the application. A CloudOps engineer needs a solution to track individual transactions across multiple services to identify where latency is occurring. The solution must require minimal code changes and must provide a visual representation of service dependencies. Which solution will meet these requirements?
A. Set up the AWS X-Ray daemon as a sidecar container. Instrument the application code by using the X-Ray SDK. Use the service map to visualize request flows to identify latency.
B. Configure an Amazon CloudWatch agent on ECS containers as a sidecar container. Create custom metrics for each service. Set up CloudWatch dashboards to monitor response times.
C. Use Amazon VPC Flow Logs to collect logs for microservices that run on the ECS container. Monitor network traffic, and use the service map to identify latency between microservices.
D. Use Amazon CloudWatch Container Insights as a sidecar container to collect container metrics. Monitor response times, and visualize request flows to identify latency.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.