New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

SOA-C02 Questions and Answers

Question # 6

Users of a company's internal web application recently experienced application performance issues for a brief period The application includes frontend web servers that run in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster The application also includes a bacKend Amazon Aurora PostgreSQL DB cluster that includes one DB instance.

A SysOps administrator determines that the source of the performance issues was high utilization of the DB cluster. The single writer instance experienced more than 90% utilization for 11 minutes The cause of the high utilization was an automated report that is scheduled to run one time each week

What should the SysOps administrator do to ensure that users do not experience performance Issues each week when the report runs?

A.

Increase the size of the DB instance. Monitor the performance during the next scheduled run of the report

B.

Add a reader instance. Change the database connection string of the report application to use the newly created reader instance.

C.

Add another writer instance Change the database connection string of the report application to use the newly created writer instance.

D.

Configure auto scaling for the DB cluster Set the minimum capacity units, maximum capacity units, and target utilization

Full Access
Question # 7

An application is deployed in a VPC in both the us-east-2 and eu-west-1 Regions. A significant amount of data needs to be transferred between the two Regions. What is the MOST cost-effective way to set up the data transfer?

A.

Establish a VPN connection between the Regions using third-party VPN products from AWS Marketplace.

B.

Establish Amazon CloudFront distributions tor the Amazon EC2 instances from both Regions.

C.

Establish an inter-Region VPC peering connection between the VPCs.

D.

Establish an AWS PrivateLinK connection between the two Regions.

Full Access
Question # 8

An ecommerce company uses an Amazon ElastiCache for Memcached cluster for in-memory caching of popular product queries on the shopping site. When viewing recent Amazon CloudWatch metrics data for the ElastiCache cluster, the SysOps administrator notices a large number of evictions.

Which of the following actions will reduce these evictions? (Choose two.)

A.

Add an additional node to the ElastiCache cluster.

B.

Increase the ElastiCache time to live (TTL).

C.

Increase the individual node size inside the ElastiCache cluster.

D.

Put an Elastic Load Balancer in front of the ElastiCache cluster.

E.

Use Amazon Simple Queue Service (Amazon SQS) to decouple the ElastiCache cluster.

Full Access
Question # 9

A SysOps administrator is examining the following AWS CloudFormation template:

Why will the stack creation fail?

A.

The Outputs section of the Cloud Formation template was omitted.

B.

The Parameters section of the CtoudFormation template was omitted.

C.

The PnvateDnsName cannot be set from a CloudFormation template.

D.

The VPC was not specified in the CloudFormation template.

Full Access
Question # 10

A SysOps administrator must create an IAM policy for a developer who needs access to specific AWS services. Based on the requirements, the SysOps administrator creates the following policy:

Which actions does this policy allow? (Select TWO.)

A.

Create an AWS Storage Gateway.

B.

Create an IAM role for an AWS Lambda function.

C.

Delete an Amazon Simple Queue Service (Amazon SQS) queue.

D.

Describe AWS load balancers.

E.

Invoke an AWS Lambda function.

Full Access
Question # 11

A company is undergoing an external audit of its systems, which run wholly on AWS. A SysOps administrator must supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS.

Which set of action should the SysOps administrator take to meet this requirement?

A.

Download the applicable reports from the AWS Artifact portal and supply these to the auditors.

B.

Download complete copies of the AWS CloudTrail log files and supply these to the auditors.

C.

Download complete copies of the AWS CloudWatch logs and supply these to the auditors.

D.

Provide the auditors with administrative access to the production AWS account so that the auditors can determine compliance.

Full Access
Question # 12

A company must ensure that any objects uploaded to an S3 bucket are encrypted.

Which of the following actions will meet this requirement? (Choose two.)

A.

Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.

B.

Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.

C.

Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.

D.

Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.

E.

Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.

Full Access
Question # 13

A company updates its security policy to prohibit the public exposure of any data in Amazon S3 buckets in the company's account. What should a SysOps administrator do to meet this requirement?

A.

Turn on S3 Block Public Access from the account level.

B.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private.

C.

Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found.

D.

Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private.

Full Access
Question # 14

A company uses AWS Cloud Formation templates to deploy cloud infrastructure. An analysis of all the company's templates shows that the company has declared the same components in multiple templates. A SysOps administrator needs to create dedicated templates that have their own parameters and conditions for these common components.

Which solution will meet this requirement?

A.

Develop a CloudFormaiion change set.

B.

Develop CloudFormation macros.

C.

Develop CloudFormation nested stacks.

D.

Develop CloudFormation stack sets.

Full Access
Question # 15

A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances The instances all exist in the same VPC across multiple Availability Zones. There are two instances In each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency.

Which solution will meet these requirements?

A.

Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances

B.

Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.

C.

Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.

D.

Create a mount target in each Availability Zone of the VPC Use the mount target to mount the EFS file system on the Instances in the respective Availability Zone.

Full Access
Question # 16

A SysOps administrator has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow all outbound traffic:

Which solution will provide the EC2 instances in the private subnet with access to the internet?

A.

Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.

B.

Create a NAT gateway in the public subnet. Create a route from the public subnet to the NAT gateway.

C.

Create a NAT gateway in the private subnet. Create a route from the public subnet to the NAT gateway.

D.

Create a NAT gateway in the private subnet. Create a route from the private subnet to the NAT gateway.

Full Access
Question # 17

A company uses AWS Organizations. A SysOps administrator wants to use AWS Compute Optimizer and AWS tag policies in the management account to govern all member accounts in the billing family. The SysOps administrator navigates to the AWS Organizations console but cannot activate tag policies through the management account.

What could be the reason for this issue?

A.

All features have not been enabled in the organization.

B.

Consolidated billing has not been enabled.

C.

The member accounts do not have tags enabled for cost allocation.

D.

The member accounts have not manually enabled trusted access for Compute Optimizer.

Full Access
Question # 18

A SysOps administrator is responsible for a company's security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change.

Which solution will meet these requirements?

A.

Set up Amazon Detective to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Queue Service (Amazon SOS) queue for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SQS queue.

B.

Set up AWS Systems Manager Change Manager to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

C.

Set up AWS Config to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

D.

Set up Amazon Detective to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic.

Full Access
Question # 19

A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware.

What should the SysOps administrator do to meet these requirements?

A.

Launch the instances into a cluster placement group in a single AWS Region.

B.

Launch the instances into a partition placement group in multiple AWS Regions.

C.

Launch the instances into a spread placement group in multiple AWS Regions.

D.

Launch the instances into a spread placement group in single AWS Region

Full Access
Question # 20

A SysOps administrator has enabled AWS CloudTrail in an AWS account If CloudTrail is disabled it must be re-enabled immediately What should the SysOps administrator do to meet these requirements WITHOUT writing custom code''

A.

Add the AWS account to AWS Organizations Enable CloudTrail in the management account

B.

Create an AWS Config rule that is invoked when CloudTrail configuration changes Apply the AWS-ConfigureCloudTrailLogging automatic remediation action

C.

Create an AWS Config rule that is invoked when CloudTrail configuration changes Configure the rule to invoke an AWS Lambda function to enable CloudTrail

D.

Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail

Full Access
Question # 21

A large multinational company has a core application that runs 24 hours a day, 7 days a week on Amazon EC2 and AWS Lambda. The company uses a combination of operating systems across different AWS Regions. The company wants to achieve cost savings and wants to use a pricing model that provides the most flexibility.

What should the company do to MAXIMIZE cost savings while meeting these requirements?

A.

Establish the compute expense by the hour. Purchase a Compute Savings Plan.

B.

Establish the compute expense by the hour. Purchase an EC2 Instance Savings Plan.

C.

Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy.

D.

Use EC2 Spot Instances to match the instances that run in each Region.

Full Access
Question # 22

Accompany wants to monitor the number of Amazon EC2 instances that it is running. The company also wants to automate a service quota increase when the number of instances reaches a specific threshold.

Which solution meets these requirements?

A.

Create an Amazon CloudWatch alarm to monitor Service Quotas. Configure the alarm to invoke an AWS Lambda function to request a quota increase when the alarm reaches the threshold.

B.

Create an AWS Config rule to monitor Service Quotas. Call an AWS Lambda function to remediate the action and increase the quota.

C.

Create an Amazon CloudWateh alarm to monitor the AWS Health Dashboard. Configure the alarm to invoke an AWS Lambda function to request a quota increase when the alarm reaches the threshold.

D.

Create an Amazon CloudWatch alarm to monitor AWS Trusted Advisor service quotas. Configure the alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to increase the quota.

Full Access
Question # 23

A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.

Which parameters should be specified to accomplish this in the MOST efficient manner?

A.

Specify '*' as the principal and PrincipalOrgld as a condition.

B.

Specify all account numbers as the principal.

C.

Specify PrincipalOrgld as the principal.

D.

Specify the organization's management account as the principal.

Full Access
Question # 24

A SysOps administrator is creating an Amazon EC2 Auto Scaling group in a new AWS account. After adding some instances, the SysOps administrator notices that the group has not reached the minimum number of instances. The SysOps administrator receives the following error message:

Which action will resolve this issue?

A.

Adjust the account spending limits for Amazon EC2 on the AWS Billing and Cost Management console

B.

Modify the EC2 quota for that AWS Region in the EC2 Settings section of the EC2 console.

C.

Request a quota Increase for the Instance type family by using Service Quotas on the AWS Management Console.

D.

Use the Rebalance action In the Auto Scaling group on the AWS Management Console.

Full Access
Question # 25

The SysOps administrator must dynamically reference the latest AMI ID from Systems Manager Parameter Store in CloudFormation templates for new AMI versions.

Options (Select THREE):

A.

Create a new Systems Manager parameter to store the AMI value in the standard parameter tier.

B.

Create a new Systems Manager parameter to store the AMI value in the advanced parameter tier.

C.

Enable trusted access with Organizations.

D.

Enable resource sharing with Organizations.

E.

Create a resource share by using AWS Resource Access Manager (AWS RAM). Specify the new parameter as the resource. Specify the entire organization as the principal.

F.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when a new AMI is published. Program the Lambda function to assume an IAM role in all linked accounts and to update Parameter Store with the new AMI ID.

Full Access
Question # 26

A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations.

What should a SysOps administrator do to implement this requirement?

A.

Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.

B.

Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.

C.

Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.

D.

Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.

Full Access
Question # 27

A SysOps administrator is troubleshooting connection timeouts to an Amazon EC2 instance that has a public IP address. The instance has a private IP address of 172.31.16.139. When the SysOps administrator tries to ping the instance's public IP address from the remote IP address 203.0.113.12, the response is "request timed out." The flow logs contain the following information:

What is one cause of the problem?

A.

Inbound security group deny rule

B.

Outbound security group deny rule

C.

Network ACL inbound rules

D.

Network ACL outbound rules

Full Access
Question # 28

A company is attempting to manage its costs in the AWS Cloud. A SysOps administrator needs specific company-defined tags that are assigned to resources to appear on the billing report.

What should the SysOps administrator do to meet this requirement?

A.

Activate the tags as AWS generated cost allocation tags.

B.

Activate the tags as user-defined cost allocation tags.

C.

Create a new cost category. Select the account billing dimension.

D.

Create a new AWS Cost and Usage Report. Include the resource IDs.

Full Access
Question # 29

A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched

What should the SysOps administrator do to meet this requirement?

A.

Add a wait condition to the template Update the EC2 instance user data script to send a signal after the EC2 instance is started

B.

Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource

C.

Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource

D.

Create multiple templates Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created

Full Access
Question # 30

A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load.

What are possible causes for this problem? (Choose two.)

A.

CloudFront does not have the ALB configured as the origin access identity.

B.

The DNS is still pointing to the ALB instead of the CloudFront distribution.

C.

The ALB security group is not permitting inbound traffic from CloudFront.

D.

The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.

E.

The target groups associated with the ALB are configured for sticky sessions.

Full Access
Question # 31

An organization with a large IT department has decided to migrate to AWS With different job functions in the IT department it is not desirable to give all users access to all AWS resources Currently the organization handles access via LDAP group membership

What is the BEST method to allow access using current LDAP credentials?

A.

Create an AWS Directory Service Simple AD Replicate the on-premises LDAP directory to Simple AD

B.

Create a Lambda function to read LDAP groups and automate the creation of IAM users

C.

Use AWS CloudFormation to create IAM roles Deploy Direct Connect to allow access to the on-premises LDAP server

D.

Federate the LDAP directory with IAM using SAML Create different IAM roles to correspond to different LDAP groups to limit permissions

Full Access
Question # 32

A company recently acquired another corporation and all of that corporation's AWS accounts. A financial analyst needs the cost data from these accounts. A SysOps administrator uses Cost Explorer to generate cost and usage reports. The SysOps administrator notices that "No Tagkey" represents 20% of the monthly cost.

What should the SysOps administrator do to tag the "No Tagkey" resources?

A.

Add the accounts to AWS Organizations. Use a service control policy (SCP) to tag all the untagged resources.

B.

Use an AWS Config rule to find the untagged resources. Set the remediation action to terminate the resources.

C.

Use Cost Explorer to find and tag all the untagged resources.

D.

Use Tag Editor to find and taq all the untaqqed resources.

Full Access
Question # 33

A SysOps administrator must configure Amazon S3 to host a simple nonproduction webpage. The SysOps administrator has created an empty S3 bucket from the

AWS Management Console. The S3 bucket has the default configuration in place.

Which combination of actions should the SysOps administrator take to complete this process? (Choose two.)

A.

Configure the S3 bucket by using the "Redirect requests for an object" functionality to point to the bucket root URL.

B.

Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that contains WEBSITE.

C.

Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that allows access to the AuthenticatedUsers grantee.

D.

Turn off the "Block all public access" setting. Set a bucket policy that allows "Principal": the s3:GetObject action.

E.

Create an index.html document. Configure static website hosting, and upload the index document to the S3 bucket.

Full Access
Question # 34

A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services. A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user's location. Which solution will meet these requirements?

A.

Configure a Route 53 latency routing policy.

B.

Configure a Route 53 multivalue answer routing policy.

C.

Configure a Route 53 geolocation routing policy.

D.

Configure a Route 53 IP-based routing policy.

Full Access
Question # 35

A database is running on an Amazon RDS Mufti-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement?

A.

Log in to the RDS console and select the encryption box to encrypt the database

B.

Create a new encrypted Amazon EBS volume and attach it to the instance

C.

Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.

D.

Take a snapshot of the RDS instance, copy and encrypt the snapshot and then restore to the new RDS instance

Full Access
Question # 36

A SysOps administrator needs to design a disaster recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The application uses an Amazon Aurora PostgreSQL database. The recovery time objective (RTO) and recovery point objective (RPO) are 15 minutes each.

Which combination of steps should the SysOps administrator take to meet these requirements MOST cost-effectively? (Select TWO.)

A.

Configure Aurora backups to be exported to the DR Region.

B.

Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.

C.

Configure the DR Region with an ALB and an Auto Scaling group. Use the same configuration as in the primary Region.

D.

Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group's minimum capacity, maximum capacity, and desired capacity to 1.

E.

Manually launch a new ALB and a new Auto Scaling group by using AWS CloudFormation during a failover activity.

Full Access
Question # 37

A company wants to use only IPv6 for all its Amazon EC2 instances. The EC2 instances must not be accessible from the internet, but

the EC2 instances must be able to access the internet. The company creates a dual-stack VPC and IPv6-only subnets.

How should a SysOps administrator configure the VPC to meet these requirements?

A.

Create and attach a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.

B.

Create and attach an internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway. Attach the custom route table to the IPv6-only subnets.

C.

Create and attach an egress-only internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gateway. Attach the custom route table to the IPv6-only subnets.

D.

Create and attach an internet gateway and a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway and all IPv4 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.

Full Access
Question # 38

A company website contains a web tier and a database tier on AWS. The web tier consists of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones. The database tier runs on an Amazon ROS for MySQL Multi-AZ DB instance. The database subnet network ACLs are restricted to only the web subnets that need access to the database. The web subnets use the default network ACL with the default rules.

The company's operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error message states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups.

Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Select TWO.)

A.

On the default ACL. create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.

B.

On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify the destinations as the database subnets.

C.

On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.

D.

On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.

E.

On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.

Full Access
Question # 39

A company wants to store sensitive financial data within Amazon S3 buckets. The company has a corporate policy that does not allow public read or write access to the buckets. A SysOps administrator must create a solution to automatically remove S3 permissions that allow public read or write access.

Which AWS service should the SysOps administrator use to meet these requirements in the MOST operationally efficient manner?

A.

AWSConfig

B.

AWS Security Hub

C.

AWS Trusted Advisor

D.

Amazon Inspector

Full Access
Question # 40

A SysOps administrator is notified that an Amazon EC2 instance has stopped responding The AWS Management Console indicates that the system status checks are failing What should the administrator do first to resolve this issue?

A.

Reboot the EC2 instance so it can be launched on a new host

B.

Stop and then start the EC2 instance so that it can be launched on a new host

C.

Terminate the EC2 instance and relaunch it

D.

View the AWS CloudTrail log to investigate what changed on the EC2 instance

Full Access
Question # 41

A company is running an application on premises and wants to use AWS for data backup All of the data must be available locally The backup application can write only to block-based storage that is compatible with the Portable Operating System Interface (POSIX)

Which backup solution will meet these requirements?

A.

Configure the backup software to use Amazon S3 as the target for the data backups

B.

Configure the backup software to use Amazon S3 Glacier as the target for the data backups

C.

Use AWS Storage Gateway, and configure it to use gateway-cached volumes

D.

Use AWS Storage Gateway, and configure it to use gateway-stored volumes

Full Access
Question # 42

A company updates its security policy to clarify cloud hosting arrangements for regulated workloads. Workloads that are identified as sensitive must run on hardware that is not shared with other customers or with other AWS accounts within the company.

Which solution will ensure compliance with this policy?

A.

Deploy workloads only to Dedicated Hosts.

B.

Deploy workloads only to Dedicated Instances.

C.

Deploy workloads only to Reserved Instances.

D.

Place all instances in a dedicated placement group.

Full Access
Question # 43

A company currently runs its infrastructure within a VPC in a single Availability Zone The VPC is connected to the company's on-premises data center through an AWS Site-to-SIte VPN connection attached to a virtual pnvate gateway. The on-premises route tables route all VPC networks to the VPN connection Communication between the two environments is working correctly. A SysOps administrator created new VPC subnets within a new Availability Zone, and deployed new resources within the subnets. However, communication cannot be established between the new resources and the on-premises environment.

Which steps should the SysOps administrator take to resolve the issue?

A.

Add a route to the route tables of the new subnets that send on-premises traffic to the virtual private gateway.

B.

Create a ticket with AWS Support to request adding Availability Zones to the Site-to-Site VPN route configuration.

C.

Establish a new Site-to-Site VPN connection between a virtual private gateway attached to the new Availability Zone and the on-premises data center

D.

Replace the Site-to-Site VPN connection with an AWS Direct Connect connection.

Full Access
Question # 44

A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancer (ELB). The company's security team wants to protect the website by using AWS Certificate Manager (ACM) certificates The ELB must automatically redirect any HTTP requests to HTTPS

Which solution will meet these requirements?

A.

Create an Application Load Balancer that has one HTTPS listener on port 80 Attach an SSLTLS certificate to listener port 80 Create a rule to redirect requests from HTTP to HTTPS

B.

Create an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS protocol listener on port 443 Attach an SSL TLS certificate to listener port 443 Create a rule to redirect requests from port 80 to port 443

C.

Create an Application Load Balancer that has two TCP listeners on port 80 and port 443 Attach an SSLTLS certificate to listener port 443 Create a rule to redirect requests from port 80 to port 443

D.

Create a Network Load Balancer that has two TCP listeners on port 80 and port 443 Attach an SSLTLS certificate to listener port 443 Create a rule to redirect requests from port 80 to port 443

Full Access
Question # 45

A company’s application on EC2 instances relies on a Single-AZ RDS for MySQL DB instance. The SysOps administrator needs to ensure failover to minimize downtime.

Options:

A.

Modify the DB instance to be a Multi-AZ DB instance deployment.

B.

Add a read replica in the same Availability Zone where the DB instance is deployed.

C.

Add the DB instance to an Auto Scaling group that has a minimum capacity of 2 and a desired capacity of 2.

D.

Use RDS Proxy to configure a proxy in front of the DB instance.

Full Access
Question # 46

A SysOps administrator has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. The instance also is EBS-optimized. To save costs, the SysOps administrator stops the instance each evening and restarts the instance each morning.

When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3.000 VolumeReadOps. The SysOps administrator must improve the I/O performance while ensuring data integrity.

Which action will meet these requirements?

A.

Change the instance type to a large, burstable, general purpose instance.

B.

Change the instance type to an extra large general purpose instance.

C.

Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume.

D.

Move the data that resides on the EBS volume to the instance store.

Full Access
Question # 47

A global gaming company is preparing to launch a new game on AWS. The game runs in multiple AWS Regions on a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group behind an Application Load Balancer (ALB) in each Region. The company plans to use Amazon Route 53 tor DNS services. The DNS configuration must direct users to the Region that is closest to mem and must provide automated failover.

Which combination of steps should a SysOps administrator take to configure Route 53 to meet these requirements9 {Select TWO.)

A.

Create Amazon CloudWatch alarms that monitor the health of the ALB m each Region Configure Route 53 DNS failover by using a health check that monitors the alarms.

B.

Create Amazon CloudWatch alarms that monitor the hearth of the EC2 instances in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.

C.

Configure Route 53 DNS failover by using a health check that monitors the private

address of an EC2 instance in each Region.

D.

Configure Route 53 geoproximity routing Specify the Regions that are used for the infrastructure

E.

Configure Route 53 simple routing Specify the continent, country, and state or province that are used for the infrastructure.

Full Access
Question # 48

A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services.

Which solution will meet these requirements?

A.

In all member accounts, configure 1AM policies that deny access to all DynamoDB resources for all users, including the root user.

B.

Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization

C.

In all member accounts, configure 1AM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.

D.

Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.

Full Access
Question # 49

An AWS Lambda function is intermittently failing several times a day A SysOps administrator must find out how often this error has occurred in the last 7 days Which action will meet this requirement in the MOST operationally efficient manner?

A.

Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function

B.

Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function

C.

Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs

D.

Use Amazon Elasticsearch Service (Amazon ES) to stream the Amazon CloudWatch logs for the Lambda function

Full Access
Question # 50

A company has an AWS Cloud Formation template that creates an Amazon S3 bucket. A user authenticates to the corporate AWS account with their Active Directory credentials and attempts to deploy the Cloud Formation template. However, the stack creation fails.

Which factors could cause this failure? (Select TWO.)

A.

The user's IAM policy does not allow the cloudformation:CreateStack action.

B.

The user's IAM policy does not allow the cloudformation:CreateStackSet action.

C.

The user's IAM policy does not allow the s3:CreateBucket action.

D.

The user's IAM policy explicitly denies the s3:ListBucket action.

E.

The user's IAM policy explicitly denies the s3:PutObject action

Full Access
Question # 51

A company's architeclure team must receive immediate email notification whenever new Amazon EC2 Instances are launched In the company's main AWS production account

What should a SysOps administrator do to meet this requirement?

A.

Create a user data script that sends an email message through a smarx host connector Include the architecture team's email address in the user data script as the recipient. Ensure that all new EC2 instances include the user data script as part of a standardized build process.

B.

Create an Amazon Simple Notification Service (Amazon SNS) topic and a subscription that uses the email protocol. Enter (he architecture team's email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched Specify the SNS topic as the rule's target

C.

Create an Amazon Simple Queue Service (Amazon SOS) queue and a subscription that uses the email protocol Enter the architecture team's email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched Specify the SOS queue as the rule's target

D.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure AWS Systems Manager to publish EC2 events to the SNS topic. Create an AWS Lambda function to poll the SNS topic. Configure the Lambda function to send any messages to the architecture team's email address.

Full Access
Question # 52

A company needs to monitor the disk utilization of Amazon Elastic Block Store (Amazon EBS) volumes The EBS volumes are attached to Amazon EC2 Linux Instances A SysOps administrator must set up an Amazon CloudWatch alarm that provides an alert when disk utilization increases to more than 80%.

Which combination of steps must the SysOps administrator lake lo meet these requirements? (Select THREE.)

A.

Create an 1AM role that includes the Cloud Watch AgentServerPol icy AWS managed policy Attach me role to the instances

B.

Create an 1AM role that includes the CloudWatchApplicationInsightsReadOnlyAccess AWS managed policy. Attach the role to the instances

C.

Install and start the CloudWatch agent by using AWS Systems Manager or the command line

D.

Install and start the CloudWatch agent by using an 1AM role. Attach the Cloud Watch AgentServerPolicy AWS managed policy to the role.

E.

Configure a CloudWatch alarm to enter ALARM state when the disk_used_percent CloudWatch metric is greater than 80%.

F.

Configure a CloudWatch alarm to enter ALARM state when the disk_used CloudWatch metric is greater than 80% or when the disk_free CloudWatch metric is less than 20%.

Full Access
Question # 53

A company runs a single-page web application on AWS The application uses Amazon CloudFront lo deliver static content from an Amazon S3 bucket origin The application also uses an Amazon Elastic Kubemetes Service (Amazon EKS) duster to serve API calls

Users sometimes report that the website is not operational, even when monitoring shows that the index page is reachable and that the EKS cluster is healthy. A SysOps administrator must Implement additional monitoring that can delect when the website is not operational before users report the problem.

Which solution will meet these requirements?

A.

Create an Amazon CloudWatch Synthetics heartbeat monitor canary that points to the fully qualified domain name (FQDN) of the website.

B.

Create an Amazon CloudWatch Synthetics API canary that monitors the availability of API endpoints from the EKS cluster.

C.

Create an Amazon CloudWatch RUM app monitor that points to the fully qualified domain name (FQDN) of the website. Configure the app monitor to collect performance telemetry and JavaScript errors

D.

Create an Amazon CloudWatch RUM app monitor that uses the API endpoints from the EKS cluster

Full Access
Question # 54

The company’s ecommerce website running on EC2 instances behind an ALB intermittently returns HTTP 500 errors. The Auto Scaling group is only using EC2 status checks.

Options:

A.

Replace the ALB with a Network Load Balancer.

B.

Add Elastic Load Balancing (ELB) health checks to the Auto Scaling group.

C.

Update the target group configuration on the ALB. Enable session affinity (sticky sessions).

D.

Install the Amazon CloudWatch agent on all the instances. Configure the agent to reboot the instances.

Full Access
Question # 55

If your AWS Management Console browser does not show that you are logged in to an AWS account, close the browser and relaunch the

console by using the AWS Management Console shortcut from the VM desktop.

If the copy-paste functionality is not working in your environment, refer to the instructions file on the VM desktop and use Ctrl+C, Ctrl+V or Command-C , Command-V.

Configure Amazon EventBridge to meet the following requirements.

1. use the us-east-2 Region for all resources,

2. Unless specified below, use the default configuration settings.

3. Use your own resource naming unless a resource

name is specified below.

4. Ensure all Amazon EC2 events in the default event

bus are replayable for the past 90 days.

5. Create a rule named RunFunction to send the exact message every 1 5 minutes to an existing AWS Lambda function named LogEventFunction.

6. Create a rule named SpotWarning to send a notification to a new standard Amazon SNS topic named TopicEvents whenever an Amazon EC2

Spot Instance is interrupted. Do NOT create any topic subscriptions. The notification must match the following structure:

Input Path:

{“instance” : “$.detail.instance-id”}

Input template:

“ The EC2 Spot Instance has been on account.

Full Access
Question # 56

A SysOps administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.

Which additional actions should the administrator take to control access? (Choose two.)

A.

Attach an IAM policy to the users or groups that require access to the EC2 instances.

B.

Attach an IAM role to control access to the EC2 instances.

C.

Create a placement group for the EC2 instances and add a specific tag.

D.

Create a service account and attach it to the EC2 instances that need to be controlled.

E.

Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.

Full Access
Question # 57

A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:

2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK

What is a possible cause of these failed connections?

A.

A security group is denying traffic on port 443.

B.

The EC2 instance is shut down.

C.

The network ACL is blocking HTTPS traffic.

D.

The VPC has no internet gateway attached.

Full Access
Question # 58

A company has a cluster of Linux Amazon EC2 Spot Instances that read many files from and write many files to attached Amazon Elastic Block Store (Amazon EBS) volumes. The EC2 instances are frequently started and stopped. As part of the process when an EC2 instance starts, an EBS volume is restored from a snapshot.

EBS volumes that are restored from snapshots are experiencing initial performance that is lower than expected. The company's workload needs almost all the provisioned IOPS on the attached EBS volumes. The EC2 instances are unable to support the workload when the performance of the EBS volumes is too low. A SysOps administrator must implement a solution to ensure that the EBS volumes provide the expected performance when they are restored from snapshots.

Which solution will meet these requirements?

A.

Configure fast snapshot restore (FSR) on the snapshots that are used.

B.

Restore each snapshot onto an unencrypted EBS volume. Encrypt the EBS volume when the performance stabilizes.

C.

Format the EBS volumes as XFS file systems before restoring the snapshots.

D.

Increase the Linux read-ahead buffer to 1 MiB.

Full Access
Question # 59

A SysOps administrator is using Amazon EC2 instances to host an application. The SysOps administrator needs to grant permissions for the application to access an Amazon DynamoDB table.

Which solution will meet this requirement?

A.

Create access keys to access the DynamoDB table. Assign the access keys to the EC2 instance profile.

B.

Create an EC2 key pair to access the DynamoDB table. Assign the key pair to the EC2 instance profile.

C.

Create an IAM user to access the DynamoDB table. Assign the IAM user to the EC2 instance profile.

D.

Create an IAM role to access the DynamoDB table. Assign the IAM role to the EC2 instance profile.

Full Access
Question # 60

A software development company has multiple developers who work on the same product. Each developer must have their own development environment, and these development environments must be identical. Each development environment consists of Amazon EC2 instances and an Amazon RDS DB instance. The development environments should be created only when necessary, and they must be terminated each night to minimize costs.

What is the MOST operationally efficient solution that meets these requirements?

A.

Provide developers with access to the same AWS CloudFormation template so that they can provision their development environment when necessary. Schedule a nightly cron job on each development instance to stop all running processes to reduce CPU utilization to nearly zero.

B.

Provide developers with access to the same AWS CloudFormation template so that they can provision their development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to delete the AWS CloudFormation stacks.

C.

Provide developers with CLI commands so that they can provision their own development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to terminate all EC2 instances and the DB instance.

D.

Provide developers with CLI commands so that they can provision their own development environment when necessary. Schedule a nightly Amazon EventBridge (Amazon CloudWatch Events) rule to cause AWS CloudFormation to delete all of the development environment resources.

Full Access
Question # 61

A company is tunning a website on Amazon EC2 instances thai are in an Auto Scaling group When the website traffic increases, additional instances lake several minutes to become available because ot a long-running user data script that installs software A SysOps administrator must decrease the time that is required (or new instances to become available

Which action should the SysOps administrator take to meet this requirement?

A.

Reduce the scaling thresholds so that instances are added before traffic increases

B.

Purchase Reserved Instances to cover 100% of the maximum capacity of the Auto Scaling group

C.

Update the Auto Scaling group to launch instances that have a storage optimized instance type

D.

Use EC2 Image Builder to prepare an Amazon Machine Image (AMI) that has pre-installed software

Full Access
Question # 62

A Sysops administrator needs to configure automatic rotation for Amazon RDS database credentials. The credentials must rotate every 30 days. The solution must integrate with Amazon RDS.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Store the credentials in AWS Systems Manager Parameter Store as a secure string. Configure automatic rotation with a rotation interval of 30 days.

B.

Store the credentials in AWS Secrets Manager. Configure automatic rotation with a rotation interval of 30 days.

C.

Store the credentials in a file in an Amazon S3 bucket. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.

D.

Store the credentials in AWS Secrets Manager. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.

Full Access
Question # 63

A company uses AWS Organizations to host several applications across multiple AWS accounts. Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts.

A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed. The solution must be integrated with the company's existing on-premises Active Directory environment. The SysOps administrator already has enabled AWS 1AM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection.

What is the MOST operationally efficient solution that meets these requirements?

A.

Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for 1AM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

B.

Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for 1AM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

C.

Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for 1AM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

D.

Use the built-in SSO directory as the identity source for 1AM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

Full Access
Question # 64

A SysOps administrator manages a company's Amazon S3 buckets. The SysOps administrator has identified 5 GB of incomplete multipart uploads in an S3 bucket in the company's AWS account. The SysOps administrator needs to reduce the number of incomplete multipart upload objects in the S3 bucket.

Which solution will meet this requirement?

A.

Create an S3 Lifecycle rule on the S3 bucket to delete expired markers or incomplete multipart uploads

B.

Require users that perform uploads of files into Amazon S3 to use the S3 TransferUtility.

C.

Enable S3 Versioning on the S3 bucket that contains the incomplete multipart uploads.

D.

Create an S3 Object Lambda Access Point to delete incomplete multipart uploads.

Full Access
Question # 65

A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available.

Which action should the SysOps administrator take to meet this requirement?

A.

Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.

B.

Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.

C.

Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.

D.

Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.

Full Access
Question # 66

A company hosts an application on Amazon EC2 instances The instances are in an Amazon EC2 Auto Scaling group that uses a launch template The amount of application traffic changes throughout the day. Scaling events happen frequently.

A SysOps administrator needs to help developers troubleshoot the application. When a scaling event removes an instance. EC2 Auto Scaling terminates the instance before the developers can log in to the instance to diagnose issues.

Which solution will prevent termination of the instance so that the developers can log in to the instance?

A.

Ensure that the Delete on termination setting is turned off in the UserData section of the launch template

B.

Update the Auto Scaling group by enabling instance scale-in protection for newly launched instances.

C.

Use Amazon Inspector to configure a rules package to protect the instances from termination.

D.

Use Amazon GuardDuty to configure rules to protect the instances from termination.

Full Access
Question # 67

With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?

A.

Deny Post. Put. and Delete on the bucket.

B.

Enable server-side encryption on the bucket.

C.

Enable Amazon S3 versioning on the bucket.

D.

Enable snapshots on the bucket.

Full Access
Question # 68

A SysOps administrator uses AWS Systems Manager Session Manager to connect to instances After the SysOps administrator launches a new Amazon EC2 instance the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps administrator verities that Systems Manager Agent is installed updated and running on the EC2 instance

What is the reason for this issue?

A.

The SysOps administrator does not have access to the key pair that is required for connection

B.

The SysOps administrator has not attached a security group to the EC2 instance to allow SSH on port 22.

C.

The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.

D.

The EC2 instance ID has not been entered into the Session Manager configuration

Full Access
Question # 69

A company runs a website from Sydney, Australia. Users in the United States (US) and Europe are reporting that images and videos are taking a long time to load. However, local testing in Australia indicates no performance issues. The website has a large amount of static content in the form of images and videos that are stored m Amazon S3.

Which solution will result In the MOST Improvement In the user experience for users In the US and Europe?

A.

Configure AWS PrivateLink for Amazon S3.

B.

Configure S3 Transfer Acceleration.

C.

Create an Amazon CloudFront distribution. Distribute the static content to the CloudFront edge locations

D.

Create an Amazon API Gateway API in each AWS Region. Cache the content locally.

Full Access
Question # 70

An application team uses an Amazon Aurora MySQL DB cluster with one Aurora Replica. The application team notices that the application read performance degrades when user connections exceed 200. The number of user connections is typically consistent around 180. with occasional sudden increases above 200 connections. The application team wants the application to automatically scale as user demand increases or decreases.

Which solution will meet these requirements?

A.

Migrate to a new Aurora multi-master DB cluster. Modify the application database connection string.

B.

Modify the DB cluster by changing to serverless mode whenever user connections exceed 200.

C.

Create an auto scaling policy with a target metric of 195 DatabaseConnections

D.

Modify the DB cluster by increasing the Aurora Replica instance size.

Full Access
Question # 71

A company runs an application on hundreds of Amazon EC2 instances in three Availability Zones The application calls a third-parly API over the public internet A SysOps administrator must provide the third party with a list of static IP addresses so that the third party can allow traffic from the application

Which solution will meet these requirements?

A.

Add a NAT gateway in the public subnet of each Availability Zone. Make the NAT gateway the default route of all private subnets In those Availability Zones.

B.

Allocate one Elastic IP address in each Availability Zone. Associate the Elastic IP address with all the instances in the Availability Zone

C.

Place the instances behind a Network Load Balancer (NLB). Send the traffic to the interne! through the private IP address of the NLB

D.

Update the main route table to send the traffic to the internet through an Elastic IP address that is assigned to each instance.

Full Access
Question # 72

You need to update an existing AWS CloudFormation stack. If needed, a copy to the CloudFormation template is available in an Amazon SB bucket named cloudformation-bucket

1. Use the us-east-2 Region for all resources.

2. Unless specified below, use the default configuration settings.

3. update the Amazon EQ instance named Devinstance by making the following changes to the stack named 1700182:

a) Change the EC2 instance type to us-east-t2.nano.

b) Allow SSH to connect to the EC2 instance from the IP address range

192.168.100.0/30.

c) Replace the instance profile IAM role with IamRoleB.

4. Deploy the changes by updating the stack using the CFServiceR01e role.

5. Edit the stack options to prevent accidental deletion.

6. Using the output from the stack, enter the value of the Prodlnstanceld in the text box below:

Full Access