Exam4Training

Amazon SOA-C01 AWS Certified SysOps Administrator – Associate Online Training

Question #1

A SysOps Administrator must find a way to set up alerts when Amazon EC2 service limits are close to being reached.

How can the Administrator achieve this requirement?

  • A . Use Amazon Inspector and Amazon CloudWatch Events.
  • B . Use AWS Trusted Advisor and Amazon CloudWatch Events.
  • C . Use the Personal Health Dashboard and CloudWatch Events.
  • D . Use AWS CloudTrail and CloudWatch Events.

Correct Answer: C
Question #2

A SysOps administrator created an AWS service catalog portfolio and shared the portfolio with a second AWS account in the company. The second account is controlled by a different administrator.

Which action will the administrator of the second account be able to perform?

  • A . Add a product from the imported portfolio to a local portfolio.
  • B . Add new product to the imported portfolio.
  • C . Change the launch role for the products contained in the imported portfolio.
  • D . Remove Products from the imported portfolio.

Correct Answer: A
Question #3

After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon Machine Image (AMI), the SysOps Administrator is unable to connect to the instance using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of troubleshooting, the Administrator deploys a second instance from a different AMI using the same configuration and is able to connect to the instance.

What should be the next logical step in troubleshooting the first instance?

  • A . Use AWS Trusted Advisor to gather operating system log files for analysis.
  • B . Use VPC Flow Logs to gather operating system log files for analysis.
  • C . Use EC2Rescue to gather operating system log files for analysis.
  • D . Use Amazon metrics using Amazon CloudWatch Logs.

Correct Answer: C

Explanation:

Reference https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-remote-desktop-connection-ec2-windows/

Question #4

An application team has asked a sysops administrator to provision an additional environment for an application in four additional regions. The application is running on more than 100 instances in us-east-1, using fully baked AMIs. An AWS CloudFormation template has been created to deploy resources in us-east-1.

What must the sysops administrator do to provision the application quickly?

  • A . Copy the AMI to each region using aws ec2 copy-image. Update the CloudFormation mapping to include mappings for the copied AMIs.
  • B . Create a snapshot of the running instance and copy the snapshot to the other regions. Create an AMI from the snapshots. Update the CloudFormation template for each region to use the new AMI.
  • C . Run the existing CloudFormation template in each additional region based on the success of the template used currently in us-east-1.
  • D . Update the CloudFormation template to include the additional regions in the auto scaling group. Update the existing stack in us-east-1.

Correct Answer: A
Question #5

A company has an application database on Amazon RDS that runs a resource-intensive reporting job. This is causing other applications using the database to run slowly.

What should the SysOps Administrator do to resolve this issue?

  • A . Create Amazon RDS backups
  • B . Create Amazon RDS read replicas to run the report
  • C . Enable Multi-AZ mode on Amazon RDS
  • D . Use Amazon RDS automatic host replacement

Correct Answer: B
Question #6

A SysOps Administrator receives reports of an Auto Scaling group failing to scale when the nodes running Amazon Linux in the cluster are constrained by high memory utilization.

What should the Administrator do to enable scaling to better adapt to the high memory utilization?

  • A . Create a custom script that pipes memory utilization to Amazon S3, then scale with an AWS Lambda-powered event
  • B . Install the Amazon CloudWatch memory monitoring scripts, and create a custom metric based on the script’s results
  • C . Increase the minimum size of the cluster to meet memory and application load demands
  • D . Deploy an Application Load Balancer to more evenly distribute traffic among nodes

Correct Answer: D
Question #7

A SysOps Administrator is deploying a legacy web application on AWS. The application has four Amazon EC2 instances behind a Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application code is no longer available to update.

What cost-effective configuration change should the Administrator make to mitigate the risk of SQL injection attacks?

  • A . Configure Amazon GuardDuty to monitor the application for SQL injection threats.
  • B . Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks.
  • C . Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF on the Application Load Balancer.
  • D . Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe to AWS Shield Standard.

Correct Answer: D

Explanation:

Reference http://jayendrapatil.com/page/15/?cat=-1

Question #8

A SysOps Administrator is tasked with deploying and managing a single CloudFormation template across multiple AWS accounts.

What features of AWS CloudFormation will accomplish this?

  • A . Change sets
  • B . Nested stacks
  • C . Stack policies
  • D . StackSets

Correct Answer: D
Question #9

Which command must be present in a Cisco device configuration to enable the device to resolve an FQDN?

  • A . ip domain-name
  • B . ip domain-lookup
  • C . ip host
  • D . ip name-server

Correct Answer: B
Question #10

A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket.

Which practices ensure that the log files are available and unaltered? (Choose two.)

  • A . Enable the CloudTrail log file integrity check in AWS Config Rules.
  • B . Use CloudWatch Events to scan log files hourly.
  • C . Enable CloudTrail log file integrity validation.
  • D . Turn on Amazon S3 MFA Delete for the CloudTrail bucket.
  • E . Implement a DENY ALL bucket policy on the CloudTrail bucket.

Correct Answer: C,D

Question #11

Developers are using IAM access keys to manage AWS resources using the AWS CLI. Company policy requires that access keys are automatically disabled when the access key age is greater than 90 days.

Which solution will accomplish this?

  • A . Configure an Amazon CloudWatch alarm to trigger an AWS Lambda function that disables keys older than 90 days
  • B . Configure AWS Trusted Advisor to identify and disable keys older than 90 days.
  • C . Set a password policy on the account with a 90-day expiration
  • D . Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation.

Correct Answer: C
Question #12

A user accidentally deleted a file from an Amazon EBS volume. The SysOps Administrator identified a recent snapshot for the volume.

What should the Administrator do to restore the user’s file from the snapshot?

  • A . Attach the snapshot to a new Amazon EC2 instance in the same Availability Zone, and copy the deleted file.
  • B . Browse to the snapshot and copy the file to the EBS volume within an Amazon EC2 instance.
  • C . Create a volume from the snapshot, attach the volume to an Amazon EC2 instance, and copy the deleted file.
  • D . Restore the file from the snapshot onto an EC2 instance using the Amazon EC2 console.

Correct Answer: C
Question #13

An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security, the Information Security team has deployed an Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of the EC2 instances.

After the change, traffic is not reaching the instances, and an error is being returned from the ALB.

What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (Select TWO.)

  • A . Add the EC2 instances to the ALB target group, configure the health check, and ensure that the instances report healthy.
  • B . Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy, and remove the public IPs from the instances.
  • C . Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate, and remove the public IPs from the instances.
  • D . Change the security group for the EC2 instances to allow access from only the ALB security group, and remove the public IPs from the instances.
  • E . Change the security group to allow access from 0.0.0.0/0, which permits access from the ALB.

Correct Answer: A,D
Question #14

The Chief Financial Officer (CFO) of an organization has seen a spike in Amazon S3 storage costs over the last few months. A sysops administrator suspects that these costs are related to storage for older versions of S3 objects from one of its S3 buckets.

What can the administrator do to confirm this suspicion?

  • A . Enable Amazon S3 inventory and then query the inventory to identify the total storage of previous object versions
  • B . Use object-level cost allocation tags to identify the total storage of previous object versions.
  • C . Enable the Amazon S3 analytics feature for the bucket to identify the total storage of previous object versions
  • D . Use Amazon CloudWatch storage metrics for the S3 bucket to identify the total storage of previous object versions

Correct Answer: A
Question #15

A SysOps Administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company’s account. The Administrator must be alerted to potential issues.

What should the Administrator do to receive email alerts before low storage space affects EC2 instance performance?

  • A . Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications
  • B . Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic
  • C . Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic
  • D . Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space

Correct Answer: C
Question #16

A SysOps Administrator is attempting to use AWS Systems Manager Session Manager to initiate an SSH session with an Amazon EC2 instance running on a custom Linux Amazon Machine Image (AMI). The Administrator cannot find the target instance in the Session Manager console.

Which combination of actions will solve this issue? (Select TWO)

  • A . Add Systems Manager permissions to the instance profile
  • B . Configure the bucket used by Session Manager logs to allow write access
  • C . Install Systems Manager Agent on the instance
  • D . Modify the instance security group to allow inbound traffic on SSH port 22
  • E . Reboot the instance with a new SSH key pair named ssm-user

Correct Answer: A,C
Question #17

A developer is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB) and notices that the application is not receiving all the expected elements from HTTP requests. The developer suspects users are not sending the correct query string.

How should a sysops administrator verify this?

  • A . Monitor the ALB default Amazon CloudWatch metrics. Verify that the requests contain the expected query string.
  • B . Configure the ALB to store access logs within Amazon S3. Verify that log entries contain the expected query string.
  • C . Open the ALB logs in Amazon CloudWatch. Verify that requests contain the expected query string.
  • D . Create a custom Amazon CloudWatch metric to store requests. Verify that the metric contains the expected query string.

Correct Answer: A
Question #18

A SysOps Administrator needs to monitor all the object upload and download activity of a single Amazon S3 bucket. Monitoring must include tracking the AWS account of the caller, the IAM user role of the caller, the time of the API call, and the IP address of the API.

Where can the administrator find this information?

  • A . AWS CloudTrail data event logging
  • B . AWS CloudTrail management event logging
  • C . Amazon Inspector bucket event logging
  • D . Amazon Inspector event logging

Correct Answer: A
Question #19

CORRECT TEXT

A sysops administrator must generate a report that provides a breakdown of all API activity by a specific user over the course of a year. AWS CloudTrail has already been enabled.

How should this report be generated?

  • A . Access the CloudTrail logs stored in the Amazon S3 bucket tied to CloudTrail. Use Amazon Athena to extract the information needed to generate the report.
  • B . Locate the monthly reports that CloudTrail sends that are emailed to the account’s root user. Forward the reports to the auditor using a secure channel.
  • C . Use the AWS Management Console to search for the user name in the CloudTrail history. Filter by API and download the report in CSV format.
  • D . Use the CloudTrail digest files stored in the company’s Amazon S3 bucket. Send the logs to Amazon QuickSight to create the report.

Correct Answer: A
Question #20

A company received its latest bill with a large increase in the number of requests against Amazon SQS as compared to the month prior. The company is not aware of any major changes in its SQS usage. The company is concerned about the cost increase and who or what was making these calls.

What should a sysops administrator use to validate the calls made to SQS?

  • A . Amazon CloudWatch
  • B . Amazon S3 server access logs
  • C . AWS CloudTrail
  • D . AWS Cost Explorer

Correct Answer: A

Question #21

A SysOps Administrator has been tasked with deploying a company’s infrastructure as code. The Administrator wants to write a single template that can be reused for multiple environments in a safe, repeatable manner.

What is the recommended way to use AWS CloudFormation to meet this requirement?

  • A . Use parameters to provision the resources.
  • B . Use nested stacks to provision the resources.
  • C . Use Amazon EC2 user data to provision the resources.
  • D . Use stack policies to provision the resources.

Correct Answer: A
Question #22

A SysOps Administrator needs to create a replica of a company’s existing AWS infrastructure in a new AWS account. Currently, an AWS Service Catalog portfolio is used to create and manage resources.

What is the MOST efficient way to accomplish this?

  • A . Create an AWS CloudFormation template to use the AWS Service Catalog portfolio in the new AWS account.
  • B . Manually create an AWS Service Catalog portfolio in the new AWS account that duplicates the original portfolio.
  • C . Run an AWS Lambda function to create a new AWS Service Catalog portfolio based on the output of the DescribePortfolio API operation.
  • D . Share the AWS Service Catalog portfolio with the other AWS accounts and import the portfolio into the other AWS accounts.

Correct Answer: D

Reference: https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html

Question #23

A sysops administrator is implementing SSL for a domain of an internet-facing application running behind an Application Load Balancer (ALB). The administrator decides to use an SSL certificate from Amazon Certificate Manager (ACM) to secure it. Upon creating a request for the ALB fully qualified domain name (FQDN), it fails, and the error message “Domain not allowed” is displayed.

How can the administrator fix this issue?

  • A . Contact the domain registrar and ask them to provide the verification required by AWS.
  • B . Place a new request with the proper domain name instead of the ALB FQDN.
  • C . Select the certificate request in the ACM console and resend the validation email.
  • D . Contact AWS support and verify the request by answering security challenge questions.

Correct Answer: B
Question #24

A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load.

What are possible causes for this problem? (Select TWO.)

  • A . CloudFront does not have the ALB configured as the origin access identity.
  • B . The DNS is still pointing to the ALB instead of the CloudFront distribution.
  • C . The ALB security group is not permitting inbound traffic from CloudFront.
  • D . The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.
  • E . The target groups associated with the ALB are configured for sticky sessions.

Correct Answer: B,D
Question #25

An application running on Amazon EC2 allows users to launch batch jobs for data analysis. The jobs are run asynchronously, and the user is notified when they are complete. While multiple jobs can run concurrently, a user’s request need not be fulfilled for up to 24 hours. To run a job, the application launches an additional EC2 instance that performs all the analytics calculations. A job takes between 75 and 110 minutes to complete and cannot be interrupted.

What is the MOST cost-effective way to run this workload?

  • A . Run the application on On-Demand EC2 instances. Run the jobs on Spot Instances with a specified duration.
  • B . Run the application on Reserved Instance EC2 instances. Run the jobs on AWS Lambda.
  • C . Run the application on On-Demand EC2 instances. Run the jobs on On-Demand EC2 instances.
  • D . Run the application on Reserved Instance EC2 instances. Run the jobs on Spot Instances with a specified duration.

Correct Answer: D
Question #26

A company’s Auditor implemented a compliance requirement that all Amazon S3 buckets must have logging enabled.

How should the SysOps Administrator ensure this compliance requirement is met, while still permitting Developers to create and use new S3 buckets?

  • A . Add AWS CloudTrail logging for the S3 buckets.
  • B . Implement IAM policies to allow only the Storage team to create S3 buckets.
  • C . Add the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED.
  • D . Create an AWS Lambda function to delete the S3 buckets if logging is not turned on.

Correct Answer: C
Question #27

A company runs a web application that users access using the domain name www.example.com. The company manages the domain name using Amazon Route 53. The company created an Amazon CloudFront distribution in front of the application and would like www.example.com to access the application through CloudFront.

What is the MOST cost-effective way to achieve this?

  • A . Create a CNAME record in Amazon Route 53 that points to the CloudFront distribution URL
  • B . Create an ALIAS record in Amazon Route 53 that points to the CloudFront distribution URL
  • C . Create an A record in Amazon Route 53 that points to the public IP address of the web application
  • D . Create a PTR record in Amazon Route 53 that points to the public IP address of the web application

Correct Answer: B

Explanation: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html

Question #28

A sysops administrator has an AWS Lambda function that performs maintenance on various AWS resources. This function must be run nightly.

Which is the MOST cost-effective solution?

  • A . Launch a single t2.nano Amazon EC2 instance and create a Linux cron job to invoke the Lambda function at the same time every night.
  • B . Set up an Amazon CloudWatch metrics alarm to invoke the Lambda function at the same time every night.
  • C . Schedule a CloudWatch event to invoke the Lambda function at the same time every night.
  • D . Implement a Chef recipe in AWS OpsWorks stack to invoke the Lambda function at the same time every night.

Correct Answer: C
Question #29

A SysOps Administrator must find a way to set up alerts when Amazon EC2 service limits are close to being reached.

How can the Administrator achieve this requirement?

  • A . Use Amazon Inspector and Amazon CloudWatch Events.
  • B . Use AWS Trusted Advisor and Amazon CloudWatch Events.
  • C . Use the Personal Health Dashboard and CloudWatch Events.
  • D . Use AWS CloudTrail and CloudWatch Events.

Correct Answer: C
Question #30

A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.

What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?

  • A . Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
  • B . Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
  • C . Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
  • D . Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.

Correct Answer: B

Question #31

A company’s IT department noticed an increase in the spend of their Developer AWS account. There are over 50 Developers using the account and the Finance team wants to determine the service costs incurred by each Developer.

What should a SysOps Administrator do to collect this information? (Select TWO)

  • A . Activate the createdBy tag in the account
  • B . Analyze the usage with Amazon CloudWatch dashboards
  • C . Analyze the usage with Cost Explorer
  • D . Configure AWS Trusted Advisor to track resource usage
  • E . Create a billing alarm in AWS Budgets

Correct Answer: A,C
Question #32

A SysOps Administrator has been asked to configure user-defined cost allocation tags for a new AWS account. The company is using AWS Organizations for account management.

What should the Administrator do to enable user-defined cost allocation tags?

  • A . Log in to the AWS Billing and Cost Management console of the new account, and use the Cost Allocation Tags manager to create the new user-defined cost allocation tags.
  • B . Log in to the AWS Billing and Cost Management console of the payer account, and use Cost Allocation Tags manager to create the new user-defined cost allocation tags.
  • C . Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the new account to mark the tags as cost allocation tags.
  • D . Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the payer account to mark the tags as cost allocation tags.

Correct Answer: A

Explanation:

Reference: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html

Question #33

A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53 should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set appropriately for both primary and secondary servers.

Which next step should be taken to configure Route 53?

  • A . Create an A record for each server. Associate the records with the Route 53 HTTP health check.
  • B . Create an A record for each server. Associate the records with the Route 53 TCP health check.
  • C . Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.
  • D . Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.

Correct Answer: A
Question #34

A SysOps Administrator is configuring AWS SSO for the first time. The Administrator has already created a directory in the master account using AWS Directory Service and enabled full access in AWS Organizations.

What should the Administrator do next to configure the service?

  • A . Create IAM roles in each account to be used by AWS SSO, and associate users with these roles using AWS SSO
  • B . Create IAM users in the master account and use AWS SSO to associate the users with the accounts they will access
  • C . Create permission sets in AWS SSO and associate the permission sets with Directory Service users or groups
  • D . Create service control policies (SCPs) in Organizations and associate the SCPs with Directory Service users or groups

Correct Answer: B
Question #35

An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A sysops administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy.

What is likely to be the problem?

  • A . The Amazon Machine Image used is not available in that region
  • B . The AWS CloudFormation template needs to be updated to the latest version
  • C . The VPC configuration parameters have changed and must be updated in the template
  • D . The account has reached the default limit for VPCs allowed

Correct Answer: D
Question #36

A SysOps Administrator needs to confirm that security best practices are being followed with the AWS account root user.

How should the Administrator ensure that this is done?

  • A . Change the root user password by using the AWS CLI routinely.
  • B . Periodically use the AWS CLI to rotate access keys and secret keys for the root user.
  • C . Use AWS Trusted Advisor security checks to review the configuration of the root user.
  • D . Periodically distribute the AWS compliance document from AWS Artifact that governs the root user configuration.

Correct Answer: C
Question #37

Users are struggling to connect to a single public-facing development web server using its public IP address on a unique port number of 8181. The security group is correctly configured to allow access on that port and the network ACLs are using the default configuration.

Which log type will confirm whether users are trying to connect to the correct port?

  • A . AWS CloudTrail logs
  • B . Elastic Load Balancer access logs
  • C . Amazon S3 access logs
  • D . VPC Flow Logs

Correct Answer: D
Question #38

A company has an AWS account for each department and wants to consolidate billing and reduce overhead. The company wants to make sure that the finance team is denied from accessing services other than Amazon EC2, the security team is denied from accessing services other than AWS CloudTrail, and IT can access any resource.

Which solution meets these requirements with the LEAST amount of operational overhead?

  • A . Create a role for each department within AWS IAM and assign each role the necessary permissions.
  • B . Create a user for each department within AWS IAM and assign each user the necessary permissions.
  • C . Implement service control policies within AWS Organizations to determine which resources each department can access
  • D . Place each department into an organizational unit (OU) within AWS Organizations and use IAM policies to determine which resources they can access

Correct Answer: B
Question #39

A SysOps Administrator is notified that a security vulnerability affects a version of MySQL that is being used with Amazon RDS MySQL.

Who is responsible for ensuring that the patch is applied to the MySQL cluster?

  • A . The database vendor
  • B . The Security department of the SysOps Administrator’s company
  • C . AWS
  • D . The SysOps Administrator

Correct Answer: A
Question #40

A security team is concerned that intellectual property might leak to the internet. A SysOps administrator must identify controls to address the potential problem. The instances in question operate in a VPC and cannot be allowed to send traffic to the internet.

What should the SysOps administrator do to meet these requirements?

  • A . Add the following route to a route table for the subnets used by the instances:
    Destination: 0.0.0.0/0 Target: igw-xxxxxxxx
  • B . Ensure that the instances do not have Elastic IP addresses. Move the instances to a private subnet.
  • C . Enable enhanced networking on the instances. Move the instances to a private subnet.
  • D . Remove any routes that allow internet traffic from the route table associated with the instance’s subnets

Correct Answer: D

Question #41

A company uses multiple accounts for its applications. Account A manages the company’s Amazon Route 53 domains and hosted zones. Account B uses a load balancer fronting the company’s web servers.

How can the company use Route 53 to point to the load balancer in the MOST cost-effective and efficient manner?

  • A . Create an Amazon EC2 proxy in Account A that forwards requests to Account B.
  • B . Create a load balancer in Account A that points to the load balancer in Account B.
  • C . Create a CNAME record in Account A pointing to an alias record to the load balancer in Account B.
  • D . Create an alias record in Account A pointing to the load balancer in Account B.

Correct Answer: D
Question #42

An application is running on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are configured in an Amazon EC2 Auto Scaling group. A SysOps Administrator must configure the application to scale based on the number of incoming requests.

Which solution accomplishes this with the LEAST amount of effort?

  • A . Use a simple scaling policy based on a custom metric that measures the average active requests of all EC2 instances
  • B . Use a simple scaling policy based on the Auto Scaling group GroupDesiredCapacity metric
  • C . Use a target tracking scaling policy based on the ALB’s ActiveConnectionCount metric
  • D . Use a target tracking scaling policy based on the ALB’s RequestCountPerTarget metric

Correct Answer: A
Question #43

A SysOps administrator maintains several Amazon EC2 instances that do not have access to the public internet. To patch operating systems, the instances should not be reachable from the public internet.

The administrator deploys a NAT instance, updates the security groups, and configures the appropriate routes within the route table. However, the instances are still unable to reach the internet.

What should be done to resolve the issue?

  • A . Assign elastic IP addresses to the instances and create a route from the private subnets to the internet gateway.
  • B . Delete the NAT instance and replace it with AWS WAF.
  • C . Disable source/destination checks on the NAT instance.
  • D . Start/Stop the NAT instance so it is launched on a different host.

Correct Answer: C
Question #44

A web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. Amazon Route 53 is used for DNS and points to the load balancer. A SysOps Administrator has launched a new Auto Scaling group with a new version of the application, and wants to gradually shift traffic to the new version.

How can this be accomplished?

  • A . Create an Auto Scaling target tracking scaling policy to gradually move traffic from the old version to the new one
  • B . Change the Application Load Balancer to a Network Load Balancer, then add both Auto Scaling groups as targets
  • C . Use an Amazon Route 53 weighted routing policy to gradually move traffic from the old version to the new one
  • D . Deploy Amazon Redshift to gradually move traffic from the old version to the new one using a set of predefined values

Correct Answer: A

Reference: https://github.com/aws/containers-roadmap/issues/76

Question #45

A company is storing monthly reports on Amazon S3. The company’s security requirement states that traffic from the client VPC to Amazon S3 cannot traverse the internet.

What should the SysOps Administrator do to meet this requirement?

  • A . Use AWS Direct Connect and a public virtual interface to connect to Amazon S3.
  • B . Use a managed NAT gateway to connect to Amazon S3.
  • C . Deploy a VPC endpoint to connect to Amazon S3.
  • D . Deploy an internet gateway to connect to Amazon S3.

Correct Answer: C
Question #46

A company has created a separate AWS account for all development work to protect the production environment. In this development account, developers have permission to manipulate IAM policies and roles. Corporate policies require that developers are blocked from accessing some services.

What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?

  • A . Create a service control policy in AWS Organizations and apply it to the development account.
  • B . Create a customer managed policy in IAM and apply it to all users within the development account.
  • C . Create a job function policy in IAM and apply it to all users within the development account.
  • D . Create an IAM policy and apply it in API Gateway to restrict the development account.

Correct Answer: A
Question #47

A SysOps Administrator is writing a utility that publishes resources from an AWS Lambda function in AWS account A to an Amazon S3 bucket in AWS Account B. The Lambda function is able to successfully write new objects to the S3 bucket, but IAM users in Account B are unable to delete objects written to the bucket by Account A.

Which step will fix this issue?

  • A . Add s3:DeleteObject permission to the IAM execution role of the AWS Lambda function in Account A.
  • B . Change the bucket policy of the S3 bucket in Account B to allow s3:DeleteObject permission for Account A.
  • C . Disable server-side encryption for objects written to the S3 bucket by the Lambda function.
  • D . Call the s3:PutObjectAcl API operation from the Lambda function in Account A to specify bucket-owner-full-control.

Correct Answer: A
Question #48

A company has discovered an operating system security vulnerability that is impacting its production Amazon EC2 instances.

Which action should the company take?

  • A . Patch the instances with AWS Systems Manager.
  • B . Patch the vulnerability with Amazon Inspector.
  • C . Redeploy the Amazon EC2 instances with AWS CloudFormation.
  • D . Stop the instances. Change the Amazon Machine Image (AMI) to a patched version. Restart the instances.

Correct Answer: A
Question #49

A company has centralized all its logs into one Amazon CloudWatch Logs log group. The SysOps Administrator is to alert different teams of any issues relevant to them.

What is the MOST efficient approach to accomplish this?

  • A . Write an AWS Lambda function that will query the logs every minute and contain the logic of which team to notify on which patterns and issues.
  • B . Set up different metric filters for each team based on patterns and alerts. Each alarm will notify the appropriate notification list.
  • C . Redesign the aggregation of logs so that each team’s relevant parts are sent to a separate log group, then subscribe each team to its respective log group.
  • D . Create an AWS Auto Scaling group of Amazon EC2 instances that will scale based on the amount of ingested log entries. This group will pull streams, look for patterns, and send notifications to relevant teams.

Correct Answer: D
Question #50

A company has several accounts between different teams and wants to increase its auditing and compliance capabilities. The accounts are managed through AWS Organizations. Management wants to provide the security team with secure access to the account logs while also restricting the possibility for the logs to be modified.

How can a SysOps administrator achieve this with the LEAST amount of operational overhead?

  • A . Store AWS CloudTrail logs in Amazon S3 in each account. Create a new account to store compliance data and replicate the objects into the newly created account.
  • B . Store AWS CloudTrail logs in Amazon S3 in each account. Create an IAM user with read-only access to the CloudTrail logs.
  • C . From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.
  • D . Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs.

Correct Answer: C

Question #51

The Accounting department would like to receive billing updates more than once a month. They would like the updates to be in a format that can easily be viewed with a spreadsheet application.

How can this request be fulfilled?

  • A . Use Amazon CloudWatch Events to schedule a billing inquiry on a bi-weekly basis. Use AWS Glue to convert the output to CSV.
  • B . Set AWS Cost and Usage Reports to publish bills daily to an Amazon S3 bucket in CSV format.
  • C . Use the AWS CLI to output billing data as JSON. Use Amazon SES to email bills on a daily basis.
  • D . Use AWS Lambda, triggered by CloudWatch, to query billing data and push to Amazon RDS.

Correct Answer: B
Question #52

A company hosts a multi-tier ecommerce web application on AWS, and has recently been alerted to suspicious application traffic. The architecture consists of Amazon EC2 instances deployed across multiple Availability Zones behind an Application Load Balancer (ALB).

After examining the server logs, a sysops administrator determines that the suspicious traffic is an attempted SQL injection attack.

What should the sysops administrator do to prevent similar attacks?

  • A . Install Amazon Inspector on the EC2 instances and configure a rules package. Use the findings reports to identify and block SQL injection attacks.
  • B . Modify the security group of the ALB. Use the IP addresses from the logs to block the IP addresses where SQL injection originated.
  • C . Create an AWS WAF web ACL in front of the ALB. Add an SQL injection rule to the web ACL. Associate the web ACL to the ALB.
  • D . Enable Amazon GuardDuty in the AWS Region. Use Amazon CloudWatch Events to trigger an AWS Lambda function response every time an SQL injection finding is discovered.

Correct Answer: C
Question #53

A web application runs on Amazon EC2 instances and accesses external services. The external services require authentication credentials. The application is deployed using AWS CloudFormation to three separate environments: development, test, and production. Each environment requires unique credentials for external services.

What option securely provides the application with the needed credential while requiring MINIMAL administrative overhead?

  • A . Pass the credentials for the target environment to the CloudFormation template as parameters. Use the user data script to insert the parameterized credentials into the EC2 instances.
  • B . Store the credentials as secure strings in AWS Systems Manager Parameter Store. Pass an environment tag as a parameter to the CloudFormation template. Use the user data script to insert the environment tag in the EC2 instances. Access the credentials from the application.
  • C . Create a separate CloudFormation template for each environment. In the Resources section, include a user data script for each EC2 instance. Use the user data script to insert the proper credentials for the environment into the EC2 instances.
  • D . Create separate Amazon Machine Images (AMIs) with the required credentials for each environment. Pass the environment tag as a parameter to the CloudFormation template. In the Mappings section of the CloudFormation template, map the environment tag to the proper AMI, then use that AMI when launching the EC2 instances.

Correct Answer: B
Question #54

A company wants to identify specific Amazon EC2 instances that are underutilized and the estimated cost savings for each instance.

How can this be done with MINIMAL effort?

  • A . Use AWS Budgets to report on low utilization of EC2 instances.
  • B . Run an AWS Systems Manager script to check for low memory utilization of EC2 instances.
  • C . Run Cost Explorer to look for low utilization of EC2 instances.
  • D . Use Amazon CloudWatch metrics to identify EC2 instances with low utilization.

Correct Answer: C
Question #55

An Amazon EC2 instance has a secondary Amazon Elastic Block Store (EBS) volume attached that contains sensitive data. A new company policy requires the secondary volume to be encrypted at rest.

Which solution will meet this requirement?

  • A . Create a snapshot of the volume. Create a new volume from the snapshot with the Encrypted parameter set to true. Detach the original volume and attach the new volume to the instance.
  • B . Create an encrypted Amazon Machine Image (AMI) of the EC2 instance. Launch a new instance with the encrypted AMI. Terminate the original instance.
  • C . Stop the EC2 instance. Encrypt the volume with AWS CloudHSM. Start the instance and verify encryption.
  • D . Stop the EC2 instance. Modify the instance properties and set the Encrypted parameter to true. Start the instance and verify encryption.

Correct Answer: A
Question #56

A SysOps Administrator is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon S3. The domain name of the website is www.anycompany.com and the S3 bucket name is anycompany-static. After the record set is set up in Route 53, the domain name www.anycompany.com does not seem to work, and the static website is not displayed in the browser.

Which of the following is a cause of this?

  • A . The S3 bucket must be configured with Amazon CloudFront first.
  • B . The Route 53 record set must have an IAM role that allows access to the S3 bucket.
  • C . The Route 53 record set must be in the same region as the S3 bucket.
  • D . The S3 bucket name must match the record set name in Route 53.

Correct Answer: D
Question #57

A chief financial officer has asked for a breakdown of costs per project in a single AWS account using Cost Explorer.

Which combination of options should be set to accomplish this? (Select two)

  • A . Activate AWS Budgets.
  • B . Activate cost allocation tags.
  • C . Create an organization using AWS Organizations.
  • D . Create and apply resource tags.
  • E . Enable AWS Trusted Advisor.

Correct Answer: B,D
Question #58

A company manages multiple AWS accounts and wants to provide access to AWS from a single management account using an existing on-premises Microsoft Active Directory domain.

Which solution will meet these requirements with the LEAST amount of effort?

  • A . Create an Active Directory connector using AWS Directory Service. Create IAM users in the target accounts with the appropriate trust policy.
  • B . Create an Active Directory connector using AWS Directory Service. Associate the directory with AWS Single Sign-On (AWS SSO). Configure user access to target accounts through AWS SSO.
  • C . Create an Amazon Cognito federated identity pool. Associate the pool identity with the on-premises directory. Configure the IAM roles with the appropriate trust policy.
  • D . Create an identity provider in AWS IAM associated with the on-premises directory. Create IAM roles in the target accounts with the appropriate trust policy.

Correct Answer: A
Question #59

A new Amazon Redshift Spectrum cluster has been launched for a team of business analysts. When the team attempts to use the cluster to query the data in Amazon S3, they receive the following error:

What is one cause of this?

  • A . The cluster has Enhanced VPC Routing enabled and it must be turned off.
  • B . The cluster is only a single node and needs to be expanded to multi-node.
  • C . The cluster login credentials are incorrect; request new credentials from the Administrator.
  • D . The cluster nodes are running in multiple Availability Zones, and all need to be placed in a single Availability Zone.

Correct Answer: C
Question #60

A kernel patch for AWS Linux has been released, and systems need to be updated to the new version. A SysOps administrator must apply an in-place update to an existing Amazon EC2 instance without replacing the instance.

How should the SysOps administrator apply the new software version to the instance?

  • A . Add the instance to a patch group and patch baseline containing the desired patch by using AWS Systems Manager Patch Manager.
  • B . Develop a new version of the instance’s Amazon Machine Image (AMI). Apply that new AMI to the instance.
  • C . Develop a new user data script containing the patch. Configure the instance with the new script.
  • D . Run commands on the instance remotely using the AWS CLI.

Correct Answer: C

Question #61

A SysOps Administrator is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Administrator wants to be notified automatically of AWS Personal Health Dashboard events.

In the main payer account, the Administrator configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger.

Why did the alerts fail?

  • A . Amazon SNS cannot be triggered from the AWS Personal Health Dashboard
  • B . The AWS Personal Health Dashboard only reports events from one account, not linked accounts.
  • C . The AWS Personal Health Dashboard must be configured from the payer account only; all events will then roll up into the payer account.
  • D . AWS Organizations must be used to monitor linked accounts.

Correct Answer: B
Question #62

A SysOps administrator implemented the following bucket policy to allow only the corporate IP address range of 54.240.143.0/24 to access objects in an Amazon S3 bucket.

Some employees are reporting that they are able to access the S3 bucket from IP addresses outside the corporate IP address range.

How can the Administrator address this issue?

  • A . Modify the Condition operator to include both NotIpAddress and IpAddress to prevent unauthorized access to the S3 bucket.
  • B . Modify the Condition element from the IAM policy to aws:StringEquals instead of aws:SourceIp.
  • C . Modify the IAM policy instead of the bucket policy to restrict users from accessing the bucket based on their source IP addresses.
  • D . Change Effect from Allow to Deny in the second statement of the policy to deny requests not from the source IP range.

Correct Answer: D
Question #63

A company developed and now runs a memory-intensive application on multiple Amazon EC2 Linux instances. The memory utilization metrics of the EC2 Linux instances must be monitored every minute.

How should the SysOps Administrator publish the memory metrics? (Choose two.)

  • A . Enable detailed monitoring on the instance within Amazon CloudWatch
  • B . Publish the memory metrics to Amazon CloudWatch Events
  • C . Publish the memory metrics using the Amazon CloudWatch agent
  • D . Publish the memory metrics using Amazon CloudWatch Logs
  • E . Set metrics_collection_interval to 60 seconds

Correct Answer: A,B

Explanation:

Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/automating_with_cloudwatch_events.html

Question #64

A security researcher has published a new Common Vulnerabilities and Exposures (CVE) report that impacts a popular operating system. A SysOps Administrator is concerned with the new CVE report and wants to patch the company’s systems immediately. The Administrator contacts AWS Support and requests the patch be applied to all Amazon EC2 instances.

How will AWS respond to this request?

  • A . AWS will apply the patch during the next maintenance window and will provide the Administrator with a report of all patched EC2 instances
  • B . AWS will relaunch the EC2 instances with the latest version of the Amazon Machine Image (AMI) and will provide the Administrator with a report of all patched EC2 instances
  • C . AWS will research the vulnerability to see if the Administrator’s operating system is impacted and will patch the EC2 instances that are affected
  • D . AWS will review the shared responsibility model with the Administrator and advise them regarding how to patch the EC2 instances

Correct Answer: A
Question #65

A company’s static website hosted on Amazon S3 was launched recently, and is being used by tens of thousands of users. Subsequently, website users are experiencing 503 service unavailable errors.

Why are these errors occurring?

  • A . The request rate to Amazon S3 is too high.
  • B . There is an error with the Amazon RDS database.
  • C . The requests to Amazon S3 do not have the proper permissions.
  • D . The users are in a different geographical region and Amazon Route 53 is restricting access.

Correct Answer: A
Question #66

An ecommerce site is using Amazon ElastiCache with Memcached to store session state for a web application and to cache frequently used data. For the last month, users have been complaining about performance. The metric data for the Amazon EC2 instances and the Amazon RDS instance appear normal, but the eviction count metrics are high.

What should be done to address this issue and improve performance?

  • A . Scale the cluster by adding additional nodes
  • B . Scale the cluster by adding read replicas
  • C . Scale the cluster by increasing CPU capacity
  • D . Scale the web layer by adding additional EC2 instances

Correct Answer: A
Question #67

A company stores thousands of non-critical log files in an Amazon S3 bucket. A set of reporting scripts retrieve these log files daily.

Which of the following storage options will be the MOST cost efficient for the company’s use case?

  • A . Amazon Glacier
  • B . Amazon S3 Standard IA (infrequent access) storage
  • C . Amazon S3 Standard Storage
  • D . AWS Snowball

Correct Answer: C
Question #68

An application is running on an Amazon EC2 instance. A SysOps Administrator is tasked with allowing the application access to an Amazon S3 bucket.

What should be done to ensure optimal security?

  • A . Apply an S3 bucket policy to allow access from all EC2 instances
  • B . Create an IAM user and create a script to inject the credentials on boot
  • C . Create and assign an IAM role for Amazon S3 access to the EC2 instance.
  • D . Embed an AWS credential file for an IAM user inside the Amazon Machine Image (AMI)

Correct Answer: A
Question #69

A SysOps Administrator is troubleshooting Amazon EC2 connectivity issues to the internet. The EC2 instance is in a private subnet.

Below is the route table that is applied to the subnet of the EC2 instance.

Destination: 10.2.0.0/16 Target: local Status: Active Propagated: No

Destination: 0.0.0.0/0 Target: nat-xxxxxxx Status: Blackhole Propagated: No

What has caused the connectivity issue?

  • A . The NAT gateway no longer exists
  • B . There is no route to the internet gateway.
  • C . The routes are no longer propagating.
  • D . There is no route rule with a destination for the internet.

Correct Answer: A
Question #70

A SysOps Administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the Administrator is unable to connect to any of the domains that reside on the internet.

What additional route destination rule should the Administrator add to the route tables?

  • A . Route ::/0 traffic to a NAT gateway
  • B . Route ::/0 traffic to an internet gateway
  • C . Route 0.0.0.0/0 traffic to an egress-only internet gateway
  • D . Route ::/0 traffic to an egress-only internet gateway

Correct Answer: D

Question #71

A SysOps Administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created.

The template is working in us-east-1, but it is failing in us-west-2 with the error code:

AMI [ami-12345678] does not exist.

How should the Administrator ensure that the AWS CloudFormation template is working in every region?

  • A . Copy the source region’s Amazon Machine Image (AMI) to the destination region and assign it the same ID.
  • B . Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
  • C . Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.
  • D . Modify the AWS CloudFormation template by including the AMI IDs in the “Mappings” section. Refer to the proper mapping within the template for the proper AMI ID.

Correct Answer: D
Question #72

A company needs to have real-time access to image data while seamlessly maintaining a copy of the images in an offsite location.

Which AWS solution would allow access to the image data locally while also providing for disaster recovery?

  • A . Create an AWS Storage Gateway volume gateway configured as a stored volume. Mount it from clients using Internet Small Computer System Interface (iSCSI).
  • B . Mount an Amazon EFS volume on a local server. Share this volume with employees who need access to the images.
  • C . Store the images in Amazon S3 and use AWS Data Pipeline to allow for caching of S3 data on local workstations.
  • D . Use Amazon S3 for file storage, and enable S3 Transfer Acceleration to maintain a cache for frequently used files to increase local performance.

Correct Answer: A

Explanation: https://aws.amazon.com/storagegateway/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Question #73

A SysOps Administrator has created a new Amazon S3 bucket named mybucket for the Operations team. Members of the team are part of an IAM group to which the following IAM policy has been assigned.

Which of the following actions will be allowed on the bucket? (Select TWO.)

  • A . Get the bucket’s region.
  • B . Delete an object.
  • C . Delete the bucket
  • D . Download an object
  • E . List all the buckets in the account.

Correct Answer: B,D
Question #74

An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. The Information Security team wants to track application requests by the originating IP and the EC2 instance that processes the request.

Which of the following tools or services provides this information?

  • A . Amazon CloudWatch
  • B . AWS CloudTrail
  • C . Elastic Load Balancing access logs
  • D . VPC Flow Logs

Correct Answer: B

Reference: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elb.html

Question #75

A SysOps Administrator must ensure all Amazon EBS volumes currently in use, and those created in the future, are encrypted with a specific AWS KMS customer master key (CMK).

What is the MOST efficient way for the Administrator to meet this requirement?

  • A . Create an AWS Lambda function to run on a daily schedule, and have the function run the aws ec2 describe-volumes --filters encrypted command.
  • B . Within AWS Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
  • C . Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
  • D . Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe-key command.

Correct Answer: C

Explanation:

Reference: https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html

Question #76

A company has an existing web application that runs on two Amazon EC2 instances behind an Application Load Balancer (ALB) across two Availability Zones. The application uses an Amazon RDS Multi-AZ DB Instance. Amazon Route 53 record sets route requests for dynamic content to the load balancer and requests for static content to an Amazon S3 bucket. Site visitors are reporting extremely long loading times.

Which actions should be taken to improve the performance of the website? (Choose two.)

  • A . Add Amazon CloudFront caching for static content.
  • B . Change the load balancer listener from HTTPS to TCP.
  • C . Enable Amazon Route 53 latency-based routing.
  • D . Implement Amazon EC2 Auto Scaling for the web servers.
  • E . Move the static content from Amazon S3 to the web servers.

Correct Answer: A,C
Question #77

A company’s use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details of daily spending to share with management.

Which method should the Administrator choose to produce this data?

  • A . Share the monthly AWS bill with management.
  • B . Use AWS CloudTrail Logs to access daily costs in JSON format.
  • C . Set up daily Cost and Usage Report and download the output from Amazon S3.
  • D . Monitor AWS costs with Amazon CloudWatch and create billing alerts and notifications.

Correct Answer: C
Question #78

A company’s website went down for several hours. The root cause was a full disk on one of the company’s Amazon EC2 instances.

Which steps should the SysOps Administrator take to prevent this from happening in the future?

  • A . Configure Amazon CloudWatch Events to filter and forward AWS Health events for disk space utilization to an Amazon SNS topic to notify the Administrator.
  • B . Create an AWS Lambda function to describe the volume status for each EC2 instance. Post a notification to an Amazon SNS topic when a volume status is impaired.
  • C . Enable detailed monitoring for the EC2 instances. Create an Amazon CloudWatch alarm to notify the Administrator when disk space is running low.
  • D . Use the Amazon CloudWatch agent on the EC2 instances to collect disk metrics. Create a CloudWatch alarm to notify the Administrator when disk space is running low.

Correct Answer: D
Question #79

A SysOps Administrator has been able to consolidate multiple, secure websites onto a single server, and each site is running on a different port. The Administrator now wants to start a duplicate server in a second Availability Zone and put both behind a load balancer for high availability.

What would be the command line necessary to deploy one of the sites’ certificates to the load balancer?

  • A . Option A
  • B . Option B
  • C . Option C
  • D . Option D

Correct Answer: B

Explanation:

Reference: https://docs.aws.amazon.com/ko_kr/cli/latest/reference/elb/set-load-balancer-listener-sslcertificate.html

Question #80

A company has a sales department and a marketing department. The company uses one AWS account. There is a need to determine what charges are incurred on the AWS platform by each department. There is also a need to receive notifications when a specified cost level is approached or exceeded.

Which actions must a SysOps administrator take to achieve both requirements with the LEAST amount of administrative overhead? (Select TWO.)

  • A . Use AWS Trusted Advisor to obtain a report containing the checked items in the Cost Optimization pillar.
  • B . Download the detailed billing report, upload it to a database, and match the line items with a list of known resources by department.
  • C . Create a script by using the AWS CLI to automatically apply tags to existing resources for each department. Schedule the script to run weekly.
  • D . Use AWS Organizations to create a department Organizational Unit and allow only authorized personnel in each department to create resources.
  • E . Create a Budget from the Billing and Cost Management console. Specify the budget type as Cost, assign tags for each department, define notifications, and specify any other options as required.

Correct Answer: C,E