2024 Updated SOA-C02 Exam Questions & Practice Tests, AWS Certified Sysops Administrator - Associate | SPOTO

Get ready to ace the AWS Certified SysOps Administrator - Associate (SOA-C02) exam with SPOTO's updated 2024 exam questions and practice tests. This certification is tailored for system administrators in cloud operations roles, validating expertise in deploying, managing, and operating workloads on AWS. SPOTO's practice tests and exam questions are designed to align with the latest exam trends, ensuring comprehensive preparation. Our exam dumps, sample questions, and free quizzes provide a hands-on approach to mastering key concepts. Prepare confidently with SPOTO's exam materials, exam answers, and exam practice resources. Our exam simulator and online exam questions simulate real exam scenarios, enhancing your readiness for success. Take your exam preparation to the next level with SPOTO's mock exams and study materials, setting you up for a successful outcome in the AWS Certified SysOps Administrator - Associate (SOA-C02) certification.

Question #1
252. A company runs an Amazon RDS MySQL DB instance. Corporate policy requires that a daily backup of the database must be copied to a separate security account. What is the MOST cost-effective way to meet this requirement?
A. Copy an automated RDS snapshot to the security account using the copy-db-snapshot command with the AWS CLI
B. Create an RDS MySQL Read Replica for the critical database in the security account, then enable automatic backups for the Read Replica
C. Create an RDS snapshot with the AWS CLI create-db-snapshot command, share it with the security account, then create a copy of the shared snapshot in the security account
D. Use AWS DMS to replicate data from the critical database to another RDS MySQL instance in the security account, then use an automated backup for the RDS instance
Correct Answer: C
Question #2
265. A company is operating a multi-account environment under a single organization using AWS Organizations. The Security team discovers that some employees are using AWS services in ways that violate company policies. A SysOps Administrator needs to prevent all users of an account, including the root user, from performing certain restricted actions. What should be done to accomplish this?
A. Apply service control policies (SCPs) to allow approved actions only
B. Apply service control policies (SCPs) to prevent restricted actions
C. Define permissions boundaries to allow approved actions only
D. Define permissions boundaries to prevent restricted actions
Correct Answer: D
Question #3
A company is expanding its fleet of Amazon EC2 instances before an expected increase of traffic. When a SysOps administrator attempts to add more instances, an InstanceLimitExceeded error is returned. What should the SysOps administrator do to resolve this error?
A. Add an additional CIDR block to the VPC
B. Launch the EC2 instances in a different Availability Zone
C. Launch new EC2 instances in another VPC
D. Use Service Quotas to request an EC2 quota increase
Correct Answer: C
Question #4
A company's SysOps administrator attempts to restore an Amazon Elastic Block Store (Amazon EBS) snapshot. However, the snapshot is missing because another system administrator accidentally deleted the snapshot. The company needs the ability to recover snapshots for a specified period of time after snapshots are deleted. Which solution will provide this functionality?
A. Turn on deletion protection on individual EBS snapshots that need to be kept
B. Create an IAM policy that denies the deletion of EBS snapshots by using a condition statement for the snapshot age. Apply the policy to all users
C. Create a Recycle Bin retention rule for EBS snapshots for the desired retention period
D. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function to copy EBS snapshots to Amazon S3 Glacier
Correct Answer: A
Question #5
261. A SysOps Administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the Internet. Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)
A. Add a NAT gateway to a public subnet
B. Attach a private address to the elastic network interface on the EC2 instance
C. Attach an Elastic IP address to the internet gateway
D. Add an entry to the route table for the subnet that points to an internet gateway
E. Create an internet gateway and attach it to a VPC
Correct Answer: C
Question #6
341. A company has several accounts between different teams and wants to increase its auditing and compliance capabilities. The accounts are managed through AWS Organizations. Management wants to provide the security team with secure access to the account logs while also restricting the possibility for the logs to be modified. How can a SysOps administrator achieve this with the LEAST amount of operational overhead?
A. Store AWS CloudTrail logs in Amazon S3 in each account
B. Store AWS CloudTrail logs in Amazon S3 in each account
C. From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions
D. Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs
Correct Answer: B
Question #7
A company migrated an I/O intensive application to an Amazon EC2 general purpose instance. The EC2 instance has a single General Purpose SSD Amazon Elastic Block Store (Amazon EBS) volume attached. Application users report that certain actions that require intensive reading and writing to the disk are taking much longer than normal or are failing completely. After reviewing the performance metrics of the EBS volume, a SysOps administrator notices that the VolumeQueueLength metric is consistently high during
A. Modify the instance type to be storage optimized
B. Modify the volume properties by deselecting Auto-Enable Volume IO
C. Modify the volume properties to increase the IOPS
D. Modify the instance to enable enhanced networking
Correct Answer: C
Question #8
323. A company has a multi-tier web application. In the web tier, all the servers are in private subnets inside a VPC. The development team wants to make changes to the application that requires access to Amazon S3. What should be done to accomplish this?
A. Create a customer gateway to connect to Amazon S3
B. Create a gateway VPC endpoint for Amazon S3
C. Create a NAT gateway in the private subnets
D. Create an S3 bucket policy to allow connections from the private subnets
Correct Answer: B
Question #9
279. A SysOps Administrator needs to monitor all the object upload and download activity of a single Amazon S3 bucket. Monitoring must include tracking the AWS account of the caller, the IAM user role of the caller, the time of the API call, and the IP address of the API. Where can the Administrator find this information?
A. AWS CloudTrail data event logging
B. AWS CloudTrail management event logging
C. Amazon Inspector bucket event logging
D. Amazon Inspector user event logging
Correct Answer: D
Question #10
A company runs a website from Sydney, Australia. Users in the United States (US) and Europe are reporting that images and videos are taking a long time to load. However, local testing in Australia indicates no performance issues. The website has a large amount of static content in the form of images and videos that are stored in Amazon S3. Which solution will result in the MOST improvement in the user experience for users in the US and Europe?
A. Configure AWS PrivateLink for Amazon S3
B. Configure S3 Transfer Acceleration
C. Create an Amazon CloudFront distribution
D. Distribute the static content to the CloudFront edge locations
E. Create an Amazon API Gateway API in each AWS Region
F. Cache the content locally
Correct Answer: D
Question #11
326. An organization recently faced a network outage while uploading data into one of their S3 buckets. This outage generated many incomplete multipart uploads in that S3 bucket. A sysops administrator wants to delete the incomplete multipart uploads and ensure that the incomplete multipart uploads are deleted automatically the next time such an event occurs. How should this be done?
A. Create an Amazon S3 Event Notification to trigger an AWS Lambda function that deletes incomplete multipart uploads
B. Create an Amazon S3 lifecycle rule to abort incomplete multipart uploads so that they are deleted this time and in the future
C. Use the AWS CLI to list all the multipart uploads, and abort all the incomplete uploads from the day of the event so that they are deleted
D. Use the AWS Management Console to abort all the incomplete uploads from the day of the event so that they are deleted
Correct Answer: A
Question #12
A SysOps administrator notices a scale-up event for an Amazon EC2 Auto Scaling group. Amazon CloudWatch shows a spike in the RequestCount metric for the associated Application Load Balancer. The administrator would like to know the IP addresses for the source of the requests. Where can the administrator find this information?
A. Auto Scaling logs
B. AWS CloudTrail logs
C. EC2 instance logs
D. Elastic Load Balancer access logs
Correct Answer: A
Question #13
277. An Amazon EC2 instance in a private subnet needs to copy data to an Amazon S3 bucket. For security reasons, the connection from the EC2 instance to Amazon S3 must not traverse across the Internet. What action should the SysOps Administrator take to accomplish this?
A. Create a NAT instance and route traffic destined to Amazon S3 through it
B. Create a VPN connection between the EC2 instance and Amazon S3
C. Create an S3 VPC endpoint in the VPC where the EC2 instance resides
D. Use AWS Direct Connect to maximize throughput and keep the traffic private
Correct Answer: DE
Question #14
291. A company recently performed a security audit of all its internal applications developed in house. Certain business-critical applications that handle sensitive data were flagged because they use Amazon ES clusters that are open for read/write to a wider user group than intended. Who is responsible for correcting the issue?
A. AWS Premium Support
B. the Amazon ES team
C. the AWS IAM team
D. a SysOps Administrator
Correct Answer: D
Question #15
248. A SysOps Administrator has an AWS CloudFormation template of the company’s existing infrastructure in us-west-2. The Administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back. Why would this template fail to deploy? (Choose two.)
A. The template referenced an IAM user that is not available in eu-west-1
B. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1
C. The template did not have the proper level of permissions to deploy the resources
D. The template requested services that do not exist in eu-west-1
E. CloudFormation templates can be used only to update existing services
Correct Answer: BD
Question #16
266. An application is running on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are configured in an Amazon EC2 Auto Scaling group. A SysOps Administrator must configure the application to scale based on the number of incoming requests. Which solution accomplishes this with the LEAST amount of effort?
A. Use a simple scaling policy based on a custom metric that measures the average active requests of all EC2 instances
B. Use a simple scaling policy based on the Auto Scaling group GroupDesiredCapacity metric
C. Use a target tracking scaling policy based on the ALB’s ActiveConnectionCount metric
D. Use a target tracking scaling policy based on the ALB’s RequestCountPerTarget metric
Correct Answer: B
Question #17
A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53 and wants to point its domain's zone apex to the website. Which type of record should be used to meet these requirements?
A. A CNAME record for the domain's zone apex
B. An A record for the domain's zone apex
C. An AAAA record for the domain's zone apex
D. An alias record for the domain's zone apex
Correct Answer: B
Question #18
Which of the following recommendations is NOT considered a best practice for using AWS CloudFormation more effectively and securely throughout its entire workflow?
A. Reuse templates to replicate stacks in multiple environments
B. Use nested stacks to reuse common template patterns
C. Embed credentials in your templates
D. Use IAM to control access
Correct Answer: B
Question #19
284. An Application Load Balancer (ALB) is configured in front of Amazon EC2 instances. The current target group health check configuration is: Interval: 30 seconds; Unhealthy threshold: 10; Healthy threshold: 5. Which steps should a SysOps Administrator take to reduce the amount of time needed to remove unhealthy instances? (Choose two.)
A. Change the healthy threshold configuration to 1
B. Change the interval configuration to 15
C. Change the interval configuration to 60
D. Change the unhealthy threshold configuration to 15
E. Change the unhealthy threshold configuration to 5
Correct Answer: BE
Question #20
338. A company recently migrated from a third-party security application to Amazon Inspector. A sysops administrator discovered that a list of security findings is missing for some Amazon EC2 instances. Which action will resolve this problem?
A. Generate the missing security findings list manually by logging in to the affected EC2 instances and running CLI commands
B. Log in to the affected EC2 instances
C. Use a network reachability package to analyze network configurations to find security vulnerabilities on the affected EC2 instances
D. Verify that the Amazon Inspector agent is installed and running on the affected instances
Correct Answer: C
Question #21
A SysOps administrator is creating two AWS CloudFormation templates. The first template will create a VPC with associated resources, such as subnets, route tables, and an internet gateway. The second template will deploy application resources within the VPC that was created by the first template. The second template should refer to the resources created by the first template. How can this be accomplished with the LEAST amount of administrative effort?
A. Add an export field to the outputs of the first template and import the values in the second template
B. Create a custom resource that queries the stack created by the first template and retrieves the required values
C. Create a mapping in the first template that is referenced by the second template
D. Input the names of resources in the first template and refer to those names in the second template as a parameter
Correct Answer: C
Question #22
334. A financial service company is running distributed computing software to manage a fleet of 20 servers for their calculations. There are 2 control nodes and 18 worker nodes to run the calculations. Worker nodes can be automatically started by the control nodes when required. Currently, all nodes are running on demand, and the worker nodes are used for approximately 4 hours each day. Which combination of actions will be MOST cost-effective? (Choose two.)
A. Use Dedicated Hosts for the control nodes
B. Use Reserved Instances for the control nodes
C. Use Reserved Instances for the worker nodes
D. Use Spot Instances for the control nodes and On-Demand Instances if there is no Spot availability
Correct Answer: B
Question #23
321. A sysops administrator has an AWS Lambda function that performs maintenance on various AWS resources. This function must be run nightly. Which is the MOST cost-effective solution?
A. Launch a single t2
B. Set up an Amazon CloudWatch metrics alarm to invoke the Lambda function at the same time every night
C. Schedule a CloudWatch event to invoke the Lambda function at the same time every night
D. Implement a Chef recipe in AWS OpsWorks stack to invoke the Lambda function at the same time every night
Correct Answer: C
Question #24
267. A SysOps Administrator has created an Amazon EC2 instance using an AWS CloudFormation template in the us-east-1 Region. The Administrator finds that this template has failed to create an EC2 instance in the us-west-2 Region. What is one cause for this failure?
A. Resource tags defined in the CloudFormation template are specific to the us-east-1 Region
B. The Amazon Machine Image (AMI) ID referenced in the CloudFormation template could not be found in the us-west-2 Region
C. The cfn-init script did not execute during resource provisioning in the us-west-2 Region
D. The IAM user was not created in the specified Region
Correct Answer: C
Question #25
245. A company wants to reduce costs across the entire company after discovering that several AWS accounts were using unauthorized services and incurring extremely high costs. Which AWS service enables the company to reduce costs by controlling access to AWS services for all AWS accounts?
A. AWS Cost Explorer
B. AWS Config
C. AWS Organizations
D. AWS Budgets
Correct Answer: C
Question #26
An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. What is likely to be the problem?
A. The Amazon Machine Image used is not available in that Region
B. The AWS CloudFormation template needs to be updated to the latest version
C. The VPC configuration parameters have changed and must be updated in the template
D. The account has reached the default limit for VPCs allowed
Correct Answer: CD
Question #27
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched. What should the SysOps administrator do to meet this requirement?
A. Add a wait condition to the template. Update the EC2 instance user data script to send a signal after the EC2 instance is started
B. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource
C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource
D. Create multiple templates. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created
Correct Answer: D
Question #28
333. A popular auctioning platform requires near-real-time access to dynamic bidding information. The platform must be available at all times. The current Amazon RDS instance often reaches 100% CPU utilization during the weekend auction and can no longer be resized. To improve application performance, a sysops administrator is evaluating Amazon ElastiCache, and has chosen Redis (cluster mode enabled) instead of Memcached. What are the reasons for making this choice? (Choose two.)
A. Data partitioning
B. Multi-threaded processing
C. Multi-AZ with automatic failover
D. Multi-region with automatic failover
E. Online resharding
Correct Answer: D
Question #29
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched. What should the SysOps administrator do to meet this requirement?
A. Add a wait condition to the template
B. Update the EC2 instance user data script to send a signal after the EC2 instance is started
C. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource
D. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource
E. Create multiple templates
F. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created
Correct Answer: CE
Question #30
325. When performing an audit on an S3 bucket, a SysOps Administrator discovered that Amazon CloudWatch reports that there are 12,345,678 objects in the bucket, whereas the AWS CLI reports that there are 98,765,432 objects in the same bucket. Which Amazon S3 feature can the SysOps Administrator use to obtain the definitive answer to the number of objects in the bucket?
A. Amazon S3 analytics
B. Amazon S3 inventory
C. AWS Management Console
D. Object tags
Correct Answer: A
Question #31
330. A SysOps Administrator is maintaining an application running on Amazon EBS-backed Amazon EC2 instances in an Amazon EC2 Auto Scaling group. The application is set to automatically terminate unhealthy instances. The Administrator wants to preserve application logs from these instances for future analysis. Which action will accomplish this?
A. Change the storage type from EBS to instance store
B. Configure an Amazon CloudWatch Events rule to transfer the logs to Amazon S3 upon an EC2 state change to terminate
C. Configure the unified CloudWatch agent to stream the logs to Amazon CloudWatch Logs
D. Configure VPC Flow Logs for the subnet hosting the EC2 instance
Correct Answer: BC
Question #32
264. A SysOps Administrator needs to create a replica of a company’s existing AWS infrastructure in a new AWS account. Currently, an AWS Service Catalog portfolio is used to create and manage resources. What is the MOST efficient way to accomplish this?
A. Create an AWS CloudFormation template to use the AWS Service Catalog portfolio in the new AWS account
B. Manually create an AWS Service Catalog portfolio in the new AWS account that duplicates the original portfolio
C. Run the AWS Lambda function to create a new AWS Service Catalog portfolio based on the output of the DescribePortfolio API operation
D. Share the AWS Service Catalog portfolio with the other AWS accounts and import the portfolio into the other AWS accounts
Correct Answer: B
Question #33
343. A company is expanding its use of AWS services across its portfolios. The company wants to provision AWS accounts for each team to ensure a separation of business processes for security, compliance, and billing. Account creation and bootstrapping should be completed in a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place. A SysOps administrator needs to design a provisioning process that saves time and resources. Which action should be take
A. Automate using AWS Elastic Beanstalk to provision the AWS accounts, set up infrastructure, and integrate with AWS Organizations
B. Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure
C. Use AWS Config to provision accounts and deploy instances using AWS Service Catalog
D. Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts
Correct Answer: D
Question #34
328. A SysOps Administrator maintains several Amazon EC2 instances that do not have access to the public internet. To patch operating systems, the instances require outbound internet connectivity. For security reasons, the instances should not be reachable from the public Internet. The Administrator deploys a NAT instance, updates the security groups, and configures the appropriate routes within the route table. However, the instances are still unable to reach the Internet. What should be done to resolve th
A. Assign Elastic IP addresses to the instances and create a route from the private subnets to the internet gateway
B. Delete the NAT instance and replace it with AWS WAF
C. Disable source/destination checks on the NAT instance
D. Start/stop the NAT instance so it is launched on a different host
Correct Answer: AE
Question #35
258. A SysOps Administrator is notified that an Amazon EC2 instance has stopped responding. The AWS Management Console indicates that the system checks are failing. What should the SysOps Administrator do first to resolve this issue?
A. Reboot the EC2 instance so it can be launched on a new host
B. Stop and then start the EC2 instance so that it can be launched on a new host
C. Terminate the EC2 instance and relaunch it
D. View the AWS CloudTrail log to investigate what changed on the EC2 instance
Correct Answer: A
Question #36
A SysOps administrator is creating two AWS CloudFormation templates. The first template will create a VPC with associated resources, such as subnets, route tables, and an internet gateway. The second template will deploy application resources within the VPC that was created by the first template. The second template should refer to the resources created by the first template. How can this be accomplished with the LEAST amount of administrative effort?
A. Add an export field to the outputs of the first template and import the values in the second template
B. Create a custom resource that queries the stack created by the first template and retrieves the required values
C. Create a mapping in the first template that is referenced by the second template
D. Input the names of resources in the first template and refer to those names in the second template as a parameter
Correct Answer: D
Question #37
275. As part of a federated identity configuration, an IAM policy is created and attached to an IAM role. Who is responsible for creating the IAM policy and attaching it to the IAM role, according to the shared responsibility model?
A. AWS is responsible for creating and attaching the IAM policy to the role
B. AWS is responsible for creating the role, and a SysOps Administrator is responsible for attaching the policy to the role
C. A SysOps Administrator is responsible for creating and attaching the IAM policy to the role
D. A SysOps Administrator is responsible for creating the role, and AWS is responsible for attaching the policy to the role
Correct Answer: C
Question #38
294. A Chief Financial Officer has asked for a breakdown of costs per project in a single AWS account using Cost Explorer. Which combination of options should be set to accomplish this? (Choose two.)
A. Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source
B. Create a VPC endpoint for the S3 bucket, and create a S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source
C. Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket
D. Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway
Correct Answer: B
Question #39
A SysOps administrator is unable to launch Amazon EC2 instances into a VPC because there are no available private IPv4 addresses in the VPC. Which combination of actions must the SysOps administrator take to launch the instances? (Select TWO.)
A. Associate a secondary IPv4 CIDR block with the VPC
B. Associate a primary IPv6 CIDR block with the VPC
C. Create a new subnet for the VPC
D. Modify the CIDR block of the VPC
E. Modify the CIDR block of the subnet that is associated with the instances
Correct Answer: B
Question #40
A company is trying to connect two applications. One application runs in an on-premises data center that has a hostname of hostl.onprem.private. The other application runs on an Amazon EC2 instance that has a hostname of hostl.awscloud.private. An AWS Site-to-Site VPN connection is in place between the on-premises network and AWS. The application that runs in the data center tries to connect to the application that runs on the EC2 instance, but DNS resolution fails. A SysOps administrator must implement D
A. Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem
B. Associate the resolver with the VPC of the EC2 instance
C. Configure the on-premises DNS resolver to forward onprem
D. Set up an Amazon Route 53 inbound resolver endpoint
E. Associate the resolver with the VPC of the EC2 instance
F. Configure the on-premises DNS resolver to forward awscloud
Correct Answer: C
Question #41
271. An application is running on an Amazon EC2 instance. A SysOps Administrator is tasked with allowing the application access to an Amazon S3 bucket. What should be done to ensure optimal security?
A. Apply an S3 bucket policy to allow access from all EC2 instances
B. Create an IAM user and create a script to inject the credentials on boot
C. Create and assign an IAM role for Amazon S3 access to the EC2 instance
D. Embed an AWS credentials file for an IAM user inside the Amazon Machine Image (AMI)
Correct Answer: D
Question #42
329. A SysOps Administrator using AWS KMS needs to rotate all customer master keys (CMKs) every week to meet Information Security guidelines. Which option would meet the requirement?
A. Create a new CMK every 7 days to manually rotate the encryption keys
B. Enable key rotation on the CMKs and set the rotation period to 7 days
C. Switch to using AWS CloudHSM as AWS KMS does not support key rotation
D. Use data keys for each encryption task to avoid the need to rotate keys
Correct Answer: AD
Question #43
A SysOps administrator launches an Amazon EC2 Linux instance in a public subnet. When the instance is running, the SysOps administrator obtains the public IP address and attempts to remotely connect to the instance multiple times. However, the SysOps administrator always receives a timeout error. Which action will allow the SysOps administrator to remotely connect to the instance?
A. Add a route table entry in the public subnet for the SysOps administrator's IP address
B. Add an outbound network ACL rule to allow TCP port 22 for the SysOps administrator's IP address
C. Modify the instance security group to allow inbound SSH traffic from the SysOps administrator's IP address
D. Modify the instance security group to allow outbound SSH traffic to the SysOps administrator's IP address
Correct Answer: B
Question #44
A SysOps administrator wants to manage a web server application with AWS Elastic Beanstalk. The Elastic Beanstalk service must maintain full capacity for new deployments at all times. Which deployment policies satisfy this requirement? (Select TWO.)
A. All at once
B. Immutable
C. Rebuild
D. Rolling
E. Rolling with additional batch
Correct Answer: AD
Question #45
242. A company issued SSL certificates to its users, and needs to ensure the private keys that are used to sign the certificates are encrypted. The company needs to be able to store the private keys and perform cryptographic signing operations in a secure environment. Which service should be used to meet these requirements?
A. AWS CloudHSM
B. AWS KMS
C. AWS Certificate Manager
D. Amazon Connect
Correct Answer: C
Question #46
285. A company has a web application that is used across all company divisions. Each application request contains a header that includes the name of the division making the request. The SysOps Administrator wants to identify and count the requests from each division. Which condition should be added to the web ACL of the AWS WAF to accomplish this?
A. Cross-site scripting
B. Geo match
C. IP match
D. String match
Correct Answer: D
Question #47
339. A medical imaging company needs to process large amounts of imaging data in real time using a specific instance type. The company wants to guarantee sufficient resource capacity for 1 year. Which action will meet these requirements in the MOST cost-effective manner?
A. Create 1-year On-Demand Capacity Reservations in the specific Availability Zones
B. Launch Amazon EC2 instances with termination protection enabled
C. Purchase 1-year Reserved Instances in the specific Availability Zones
D. Use a Spot Fleet across multiple Availability Zones
Correct Answer: D
Question #48
A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months. What is the process to rotate the key?
A. Enable automatic key rotation for the CMK and specify a period of 6 months
B. Create a new CMK with new imported material, and update the key alias to point to the new CMK
C. Delete the current key material, and import new material into the existing CMK
D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months
Correct Answer: C
Question #49
A company runs hundreds of Amazon EC2 instances in a single AWS Region. Each EC2 instance has two attached 1 GiB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volumes. A critical workload is using all the available IOPS capacity on the EBS volumes. According to company policy, the company cannot change instance types or EBS volume types without completing lengthy acceptance tests to validate that the company’s applications will function properly. A SysOps administrator needs to increase
A. Increase the size of the 1 GiB EBS volumes
B. Add two additional elastic network interfaces on each EC2 instance
C. Turn on Transfer Acceleration on the EBS volumes in the Region
D. Add all the EC2 instances to a cluster placement group
Correct Answer: C
Question #50
244. A SysOps Administrator at an ecommerce company discovers that several 404 errors are being sent to one IP address every minute. The Administrator suspects a bot is collecting information about products listed on the company’s website. Which service should be used to block this suspected malicious activity?
A. AWS CloudTrail
B. Amazon Inspector
C. AWS Shield Standard
D. AWS WAF
Correct Answer: D
Question #51
A company is using an Amazon DynamoDB table for data. A SysOps administrator must configure replication of the table to another AWS Region for disaster recovery. What should the SysOps administrator do to meet this requirement?
A. Enable DynamoDB Accelerator (DAX)
B. Enable DynamoDB Streams, and add a global secondary index (GSI)
C. Enable DynamoDB Streams, and add a global table Region
D. Enable point-in-time recovery
Correct Answer: A
Question #52
260. A company needs to migrate an on-premises asymmetric key management system into AWS. Which AWS service should be used to accomplish this?
A. AWS Certificate Manager
B. AWS CloudHSM
C. AWS KMS
D. AWS Secrets Manager
Correct Answer: DE
Question #53
A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website. Which action should a SysOps administrator take to resolve this issue?
A. Configure the CloudFront distribution behavior to forward the User-Agent header
B. Configure the CloudFront distribution origin settings
C. Add a User-Agent header to the list of origin custom headers
D. Enable IPv6 on the ALB
E. Update the CloudFront distribution origin settings to use the dualstack endpoint
F. Enable IPv6 on the CloudFront distribution
Correct Answer: A
Question #54
327. A company’s finance department wants to receive a monthly report showing AWS resource usage by department. Which solution should be used to meet the requirements?
A. Configure AWS Cost and Usage reports for each department
B. Schedule a monthly report for each department using AWS Budgets
C. Run a monthly AWS CloudTrail report of resource usage by tag using department codes
D. Tag all resources with department codes
Correct Answer: D
Question #55
324. A sysops administrator is managing a VPC network consisting of public and private subnets. Instances in the private subnets access the Internet through a NAT gateway. A recent AWS bill shows that the NAT gateway charges have doubled. The administrator wants to identify which instances are creating the most network traffic. How should this be accomplished?
A. Enable flow logs on the NAT gateway elastic network interface and use Amazon CloudWatch insights to filter data based on the source IP addresses
B. Run an AWS Cost and Usage report and group the findings by instance ID
C. Use the VPC traffic mirroring feature to send traffic to Amazon QuickSight
D. Use Amazon CloudWatch metrics generated by the NAT gateway for each individual instance
Correct Answer: A
Question #56
274. A Storage team wants all data transfers to an Amazon S3 bucket to remain within the AWS network. The team makes all changes to the AWS network infrastructure manually. An S3 VPC endpoint is created, and an endpoint policy with the proper permissions is set up. However, the application running on Amazon EC2 instances in the VPC is still unable to access the S3 bucket endpoint. What is one cause of this issue?
A. Request metrics for the S3 bucket need to be enabled
B. S3 access logs need to be disabled for the VPC endpoints to function
C. The subnet does not have the VPC endpoint as a target in the route table
D. The EC2 instances need to have an Elastic Network Adapter enabled
Correct Answer: C
Question #57
A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances. The company needs a solution that produces no additional cost. Which solution will meet these requirements?
A. Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC
B. Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC
C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table
D. Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table
Correct Answer: D
Question #58
A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately. What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?
A. Add the AWS account to AWS Organizations. Enable CloudTrail in the management account
B. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action
C. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail
D. Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail
Correct Answer: C
Question #59
290. A SysOps Administrator working on an Amazon EC2 instance has misconfigured the clock by one hour. The EC2 instance is sending data to Amazon CloudWatch through the CloudWatch agent. The timestamps on the logs are 45 minutes in the future. What will be the result of this configuration?
A. Amazon CloudWatch will not capture the data because it is in the future
B. Amazon CloudWatch will accept the custom metric data and record it
C. The Amazon CloudWatch agent will check the Network Time Protocol (NTP) server before sending the data, and the agent will correct the time
D. The Amazon CloudWatch agent will check the Network Time Protocol (NTP) server, and the agent will not send the data because it is more than 30 minutes in the future
Correct Answer: B
Question #60
286. A SysOps Administrator is deploying an Amazon EC2 instance and is using third-party VPN software to route traffic to an on-premises data center. Based on the shared responsibility model, AWS is responsible for managing which element of this deployment?
A. Configuring IPsec tunnels for the VPN
B. Ensuring high availability of the EC2 instance
C. Ensuring high availability of the VPN connection
D. Managing the health of the underlying EC2 host
Correct Answer: D
Question #61
305. A company has a business application hosted on Amazon EC2 instances behind an Application Load Balancer. Amazon CloudWatch metrics show that the CPU utilization on the EC2 instances is very high. There are also reports from users that receive HTTP 503 and 504 errors when they try to connect to the application. Which action will resolve these issues?
A. Reboot the instance as soon as possible to perform the system maintenance before the scheduled retirement
B. Reboot the instance outside business hours to perform the system maintenance before the scheduled retirement
C. Stop/start the instance outside business hours to move to a new host before the scheduled retirement
D. Write an AWS Lambda function to restore the system when the scheduled retirement occurs
Correct Answer: A
Question #62
307. An application is currently deployed on several Amazon EC2 instances that reside within a VPC. Due to compliance requirements, the EC2 instances cannot have access to the public internet. SysOps Administrators require SSH access to EC2 instances from their corporate office to perform maintenance and other administrative tasks. Which combination of actions should be taken to permit SSH access to the EC2 instances while meeting the compliance requirements? (Choose two.)
A. The ALB is associated with private subnets within the VPC
B. The ALB received a request from a client, but the client closed the connection
C. The ALB security group is not configured to allow inbound traffic from the users
D. The ALB target group does not contain healthy EC2 instances
Correct Answer: A
Question #63
262. A Security and Compliance team is reviewing Amazon EC2 workloads for unapproved AMI usage. Which action should a SysOps Administrator recommend?
A. Create a custom report using AWS Systems Manager Inventory to identify unapproved AMIs
B. Run Amazon Inspector on all EC2 instances and flag instances using unapproved AMIs
C. Use an AWS Config rule to identify unapproved AMIs
D. Use AWS Trusted Advisor to identify EC2 workloads using unapproved AMIs
Correct Answer: A
Question #64
249. A SysOps Administrator has been asked to configure user-defined cost allocation tags for a new AWS account. The company is using AWS Organizations for account management. What should the Administrator do to enable user-defined cost allocation tags?
A. Log in to the AWS Billing and Cost Management console of the new account, and use the Cost Allocation Tags manager to create the new user-defined cost allocation tags
B. Log in to the AWS Billing and Cost Management console of the payer account, and use Cost Allocation Tags manager to create the new user-defined cost allocation tags
C. Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the new account to mark the tags as cost allocation tags
D. Log in to the AWS Management Console of the new account, use the Tag Editor to create the new user-defined tags, then use the Cost Allocation Tags manager in the payer account to mark the tags as cost allocation tags
Correct Answer: B
Question #65
270. A SysOps Administrator has received a request to enable access logging for a Network Load Balancer and is setting up an Amazon S3 bucket to store the logs. What are the MINIMUM requirements for the S3 bucket? (Choose two.)
A. The bucket must be in the same Region as the Network Load Balancer
B. The bucket must have a bucket policy that grants Elastic Load Balancing permissions to write the access logs to the bucket
C. The bucket must have encryption enabled
D. The bucket must have lifecycle policies set
E. The bucket must have public access disabled
Correct Answer: C
Question #66
283. Security has identified an IP address that should be explicitly denied for both ingress and egress requests for all services in an Amazon VPC immediately. Which feature can be used to meet this requirement?
A. Host-based firewalls
B. NAT Gateway
C. Network access control lists
D. Security Groups
Correct Answer: A
Question #67
331. A SysOps Administrator must remove public IP addresses from all Amazon EC2 instances to prevent exposure to the internet. However, many corporate applications running on those EC2 instances need to access Amazon S3 buckets. The Administrator is tasked with allowing the EC2 instances to continue to access the S3 buckets. Which solutions can be used? (Choose two.)
A. Deploy a NAT gateway, and configure the route tables accordingly in the VPC where the EC2 instances are running
B. Modify the network ACLs with private IP addresses in the routes to connect to Amazon S3
C. Modify the security groups on the EC2 instances with private IP addresses in the routes to connect to Amazon S3
D. Set up AWS Direct Connect, and configure a virtual interface between the EC2 instances and the S3 buckets
E. Set up a VPC endpoint in the VPC where the EC2 instances are running, and configure the route tables accordingly
Correct Answer: CD
Question #68
A data storage company provides a service that gives users the ability to upload and download files as needed. The files are stored in Amazon S3 Standard and must be immediately retrievable for 1 year. Users access files frequently during the first 30 days after the files are stored. Users rarely access files after 30 days. The company's SysOps administrator must use S3 Lifecycle policies to implement a solution that maintains object availability and minimizes cost. Which solution will meet these requiremen
A. Move objects to S3 Glacier after 30 days
B. Move objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days
C. Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days
D. Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately
Correct Answer: D
Question #69
A company must ensure that any objects uploaded to an S3 bucket are encrypted. Which of the following actions will meet this requirement? (Choose two.)
A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets
B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket
C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored
D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted
E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets
Correct Answer: A
Question #70
A recent organizational audit uncovered an existing Amazon RDS database that is not currently configured for high availability. Given the critical nature of this database, it must be configured for high availability as soon as possible. How can this requirement be met?
A. Switch to an active/passive database pair using the create-db-instance-read-replica with the --availability-zone flag
B. Specify high availability when creating a new RDS instance, and live-migrate the data
C. Modify the RDS instance using the console to include the Multi-AZ option
D. Use the modify-db-instance command with the --na flag
Correct Answer: C
Question #71
A company needs to implement a managed file system to host Windows file shares for users on premises. Resources in the AWS Cloud also need access to the data on these file shares. A SysOps administrator needs to present the user file shares on premises and make the user file shares available on AWS with minimum latency. What should the SysOps administrator do to meet these requirements?
A. Set up an Amazon S3 File Gateway
B. Set up an AWS Direct Connect connection
C. Use AWS DataSync to automate data transfers between the existing file servers and AWS
D. Set up an Amazon FSx File Gateway
Correct Answer: A
Question #72
A SysOps administrator has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. The instance also is EBS-optimized. To save costs, the SysOps administrator stops the instance each evening and restarts the instance each morning. When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3.000 VolumeReadOps. The SysOps administrator
A. Change the instance type to a large, burstable, general purpose instance
B. Change the instance type to an extra large general purpose instance
C. Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume
D. Move the data that resides on the EBS volume to the instance store
Correct Answer: A
Question #73
A company is running a flash sale on its website. The website is hosted on burstable performance Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group is configured to launch instances when the CPU utilization is above 70%. A couple of hours into the sale, users report slow load times and error messages for refused connections. A SysOps administrator reviews Amazon CloudWatch metrics and notices that the CPU utilization is at 20% across the entire fleet of instances. The SysOps administrator
A. Activate unlimited mode for the instances in the Auto Scaling group
B. Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group
C. Move the website to a different AWS Region that is closer to the users
D. Reduce the desired size of the Auto Scaling group to artificially increase CPU average utilization
Correct Answer: C
Question #74
310. An ecommerce company uses an Amazon ElastiCache for Memcached cluster for in-memory caching of popular product queries on the shopping site. When viewing recent Amazon CloudWatch metrics data for the ElastiCache cluster, the sysops administrator notices a large number of evictions. Which of the following actions will reduce these evictions? (Choose two.)
A. Activate the createdBy tag in the account
B. Activate the usage with Amazon CloudWatch dashboards
C. Analyze the usage with Cost Explorer
D. Configure AWS Trusted Advisor to track resource usage
E. Create a billing alarm in AWS Budgets
Correct Answer: A
Question #75
A SysOps administrator is responsible for a company's security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change. Which solution will meet these requirements?
A. Set up Amazon Detective to record security group changes
B. Specify an Amazon CloudWatch Logs log group to store configuration history logs
C. Create an Amazon Simple Queue Service (Amazon SQS) queue for notifications about configuration changes
D. Subscribe the SysOps administrator's email address to the SQS queue
E. Set up AWS Systems Manager Change Manager to record security group changes
F. Specify an Amazon CloudWatch Logs log group to store configuration history logs
Correct Answer: A
Question #76
281. A SysOps Administrator needs to retrieve a file from the GLACIER storage class of Amazon S3. The Administrator wants to receive an Amazon SNS notification when the file is available for access. What action should be taken to accomplish this?
A. Create an Amazon CloudWatch Events event for file restoration from Amazon S3 Glacier using the GlacierJobDescription API and send the event to an SNS topic the Administrator has subscribed to
B. Create an AWS Lambda function that performs a HEAD request on the object being restored and checks the storage class of the object
C. Enable an Amazon S3 event notification for the s3:ObjectCreated:Post event that sends a notification to an SNS topic the Administrator has subscribed to
D. Enable S3 event notification for the s3:ObjectCreated:Completed event that sends a notification to an SNS topic the Administrator has subscribed to
Correct Answer: D
Question #77
A software company runs a workload on Amazon EC2 instances behind an Application Load Balancer (ALB). A SysOps administrator needs to define a custom health check for the EC2 instances. What is the MOST operationally efficient solution?
A. Set up each EC2 instance so that it writes its healthy/unhealthy status into a shared Amazon S3 bucket for the ALB to read
B. Configure the health check on the ALB and ensure that the HealthCheckPath setting is correct
C. Set up Amazon ElastiCache to track the EC2 instances as they scale in and out
D. Configure an Amazon API Gateway health check to ensure custom checks on all of the EC2 instances
Correct Answer: D
Question #78
287. A SysOps Administrator is notified that an automated failover of an Amazon RDS database has occurred. What are possible causes for this? (Choose two.)
A. A read contention on the database
B. A storage failure on the primary database
C. A write contention on the database
D. Database corruption errors
E. The database instance type was changed
Correct Answer: B
Question #79
268. Users are struggling to connect to a single public-facing development web server using its public IP address on a unique port number of 8181. The security group is correctly configured to allow access on that port, and the network ACLs are using the default configuration. Which log type will confirm whether users are trying to connect to the correct port?
A. AWS CloudTrail logs
B. Elastic Load Balancer access logs
C. VPC Flow Logs
D. Amazon S3 access logs
Correct Answer: D
Question #80
An application team uses an Amazon Aurora MySQL DB cluster with one Aurora Replica. The application team notices that the application read performance degrades when user connections exceed 200. The number of user connections is typically consistent around 180, with occasional sudden increases above 200 connections. The application team wants the application to automatically scale as user demand increases or decreases. Which solution will meet these requirements?
A. Migrate to a new Aurora multi-master DB cluster
B. Modify the application database connection string
C. Modify the DB cluster by changing to serverless mode whenever user connections exceed 200
D. Create an auto scaling policy with a target metric of 195 DatabaseConnections
E. Modify the DB cluster by increasing the Aurora Replica instance size
Correct Answer: C
Question #81
A manufacturing company uses an Amazon RDS DB instance to store inventory of all stock items. The company maintains several AWS Lambda functions that interact with the database to add, update, and delete items. The Lambda functions use hardcoded credentials to connect to the database. A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days. Which solution will meet these requirements in the MOST operationally efficient man
A. Store the database password as an environment variable for each Lambda function
B. Create a new Lambda function that is named PasswordRotate
C. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the PasswordRotate function every 30 days to change the database password and update the environment variable for each Lambda function
D. Use AWS Key Management Service (AWS KMS) to encrypt the database password and to store the encrypted password as an environment variable for each Lambda function
E. Grant each Lambda function access to the KMS key so that the database password can be decrypted when required
F. Create a new Lambda function that is named PasswordRotate to change the password every 30 days
Correct Answer: A
Question #82
251. A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded; however, upon navigating to the site, the following error message is received: "403 Forbidden – Access Denied". What change should be made to fix this error?
A. Add a bucket policy that grants everyone read access to the bucket
B. Add a bucket policy that grants everyone read access to the bucket objects
C. Remove the default bucket policy that denies read access to the bucket
D. Configure cross-origin resource sharing (CORS) on the bucket
Correct Answer: B
Question #83
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues. Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues
B. Embed the IAM user's credentials in the application's configuration
C. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues
D. Export the IAM user's access key and secret access key as environment variables on the EC2 instance
E. Create and associate an IAM role that allows EC2 instances to call AWS services
F. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues
Correct Answer: D
Question #84
278. A SysOps Administrator is in the process of setting up a new AWS Storage Gateway. The Storage Gateway activation is failing when the Administrator attempts to activate the Storage Gateway from the Storage Gateway console. What are the potential causes of this error? (Choose two.)
A. The Storage Gateway does not have an upload buffer configured
B. The Storage Gateway does not have a backing Amazon S3 bucket configured
C. The Storage Gateway does not have a cache volume configured
D. The Storage Gateway does not have the correct time
E. The Storage Gateway is not accessible from the Administrator’s client over port 80
Correct Answer: A
Question #85
288. A recent AWS CloudFormation stack update has failed and returned the error UPDATE_ROLLBACK_FAILED. A SysOps Administrator is tasked with returning the CloudFormation stack to its previous working state. What must be done to accomplish this?
A. Fix the error that caused the rollback to fail, then select the Continue Update Rollback action in the console
B. Select the Update Stack action with a working template in the console
C. Update the password of the IAM user, then select the Continue Update Rollback action in the console
D. Use the AWS CLI to manually change the stack status to UPDATE_COMPLETE, then continue updating the stack with a working template
Correct Answer: A
Question #86
340. A sysops administrator is trying to deploy a new Amazon EC2 instance using the AWS Management Console, but the instance is failing to launch. What could be causing this problem? (Choose two.)
A. The AWS account has reached EC2 limits for the Region
B. The AWS account has reached EC2 limits for the Availability Zone
C. An EC2 key pair has not been specified
D. The EC2 instance is missing an instance profile with ec2:RunInstances permissions
E. The subnet being used has no more usable private IP addresses
Correct Answer: A
Question #87
332. A company’s application running on Amazon EC2 Linux recently crashed because it ran out of available memory. Management wants to be alerted if this ever happens again. Which combination of steps will accomplish this? (Choose two.)
A. Create an Amazon CloudWatch dashboard to monitor the memory usage metrics on the instance over time
B. Create an alarm on the dashboard that publishes an Amazon SNS notification to alert the CIO when a threshold is passed
C. Create an alarm on the metric that publishes an Amazon SNS notification to alert the CIO when a threshold is passed
D. Create an alarm on the AWS Personal Health Dashboard that publishes an Amazon SNS notification to alert the CIO when the system is out of memory
E. Configure the Amazon CloudWatch agent to collect and push memory usage metrics on the instance
Correct Answer: ABD
Question #88
246. A company has an application database on Amazon RDS that runs a resource-intensive reporting job. This is causing other applications using the database to run slowly. What should the SysOps Administrator do to resolve this issue?
A. Create Amazon RDS backups
B. Create Amazon RDS read replicas to run the report
C. Enable Multi-AZ mode on Amazon RDS
D. Use Amazon RDS automatic host replacement
Correct Answer: B
Question #89
A SysOps administrator needs to design a high-traffic static website. The website must be highly available and must provide the lowest possible latency to users across the globe. Which solution will meet these requirements?
A. Create an Amazon S3 bucket, and upload the website content to the S3 bucket
B. Create an Amazon CloudFront distribution in each AWS Region, and set the S3 bucket as the origin
C. Use Amazon Route 53 to create a DNS record that uses a geolocation routing policy to route traffic to the correct CloudFront distribution based on where the request originates
D. Create an Amazon S3 bucket, and upload the website content to the S3 bucket
E. Create an Amazon CloudFront distribution, and set the S3 bucket as the origin
F. Use Amazon Route 53 to create an alias record that points to the CloudFront distribution
Correct Answer: B
Question #90
255. A web application runs on Amazon EC2 instances behind an ELB Application Load Balancer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. Amazon Route 53 is used for DNS and points to the load balancer. A SysOps Administrator has launched a new Auto Scaling group with a new version of the application, and wants to gradually shift traffic to the new version. How can this be accomplished?
A. Create an Auto Scaling target tracking scaling policy to gradually move traffic from the old version to the new one
B. Change the Application Load Balancer to a Network Load Balancer, then add both Auto Scaling groups as targets
C. Use an Amazon Route 53 weighted routing policy to gradually move traffic from the old version to the new one
D. Deploy Amazon Redshift to gradually move traffic from the old version to the new one using a set of predefined values
Correct Answer: A
Question #91
342. A company in a highly regulated industry has just migrated an Amazon EC2 based application to AWS. For compliance reasons, all network traffic data between the servers must be captured and retained. Which solution will accomplish this with the LEAST amount of effort?
A. Set up AWS CloudTrail on the VPC
B. Set up AWS CloudTrail on the VPC
C. Set up flow logs at the elastic network interface level
D. Set up flow logs at the VPC level
Correct Answer: D
Question #92
337. A security audit revealed that the security groups in a VPC have ports 22 and 3389 open to all, introducing a possible threat that instances can be stopped or configurations can be modified. A sysops administrator needs to automate remediation. What should the sysops administrator do to meet these requirements?
A. Create an IAM managed policy to deny access to ports 22 and 3389 on any security groups in a VPC
B. Define an AWS Config rule and remediation action with AWS Systems Manager automation documents
C. Enable AWS Trusted Advisor to remediate public port access
D. Use AWS Systems Manager configuration compliance to remediate public port access
Correct Answer: AD
Question #93
A company has an Amazon RDS DB instance. The company wants to implement a caching service while maintaining high availability. Which combination of actions will meet these requirements? (Choose two.)
A. Add Auto Discovery to the data store
B. Create an Amazon ElastiCache for Memcached data store
C. Create an Amazon ElastiCache for Redis data store
D. Enable Multi-AZ for the data store
E. Enable Multi-threading for the data store
Correct Answer: AD
Question #94
247. A company wants to increase the availability and durability of a critical business application. The application currently uses a MySQL database running on an Amazon EC2 instance. The company wants to minimize application changes. How should the company meet these requirements?
A. Shut down the EC2 instance
B. Launch a secondary EC2 instance running MySQL
C. Migrate the database to an Amazon RDS Aurora DB instance and create a Read Replica in another Availability Zone
D. Create an Amazon RDS Microsoft SQL DB instance and enable multi-AZ replication
Correct Answer: C
Question #95
A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video files into the destination S3 bucket in the United States. What are the MOST cost-effective ways to increase upload speeds into the S3 bucket? (Select TWO.)
A. Create multiple AWS Direct Connect connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket
B. Create multiple AWS Site-to-Site VPN connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket
C. Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket
D. Use AWS Global Accelerator for file uploads into the destination S3 bucket from the branch offices in Europe and Australia
E. Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia
Correct Answer: B
Question #96
269. The Security team at AnyCompany discovers that some employees have been using individual AWS accounts that are not under the control of AnyCompany. The team has requested that those individual accounts be linked to the central organization using AWS Organizations. Which action should a SysOps Administrator take to accomplish this?
A. Add each existing account to the central organization using AWS IAM
B. Create a new organization in each account and join them to the central organization
C. Log in to each existing account and add them to the central organization
D. Send each existing account an invitation from the central organization
Correct Answer: AC
Question #97
256. A company uses federation to authenticate users and grant AWS permissions. The SysOps Administrator has been asked to determine who made a request to AWS Organizations for a new AWS account. What should the Administrator review to determine who made the request?
A. AWS CloudTrail for the federated identity user name
B. AWS IAM Access Advisor for the federated user name
C. AWS Organizations access log for the federated identity user name
D. Federated identity provider logs for the user name
Correct Answer: C
Question #98
344. A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals spikes in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A SysOps administrator is tasked with finding the process ID (PID) of the service or process that is consuming more CPU. How can the administrator accomplish this with the LEAST amount of effort?
A. Configure an AWS Lambda function in Python 3
B. Configure the procstat plugin to collect and send CPU metrics for the running processes
C. Log in to the EC2 Linux instance using a
D. Use the default Amazon CloudWatch CPU utilization metric to capture the PID in the CloudWatch dashboard
Correct Answer: D
Question #99
A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware. What should the SysOps administrator do to meet these requirements?
A. Launch the instances into a cluster placement group in a single AWS Region
B. Launch the instances into a partition placement group in multiple AWS Regions
C. Launch the instances into a spread placement group in multiple AWS Regions
D. Launch the instances into a spread placement group in single AWS Region
Correct Answer: A
Question #100
A company for compliance purposes needs to assess how well its resource configurations comply with internal practices, industry guidelines, and regulations. Which tool should a SysOps administrator use to meet these requirements?
A. AWS Security Hub
B. AWS Shield
C. AWS Health
D. AWS Config
Correct Answer: A
Question #101
241. A SysOps Administrator observes a large number of rogue HTTP requests on an Application Load Balancer (ALB). The requests originate from various IP addresses. Which action should be taken to block this traffic?
A. Use Amazon CloudFront to cache the traffic and block access to the web servers
B. Use Amazon GuardDuty to protect the web servers from bots and scrapers
C. Use AWS Lambda to analyze the web server logs, detect bot traffic, and block the IP address in the security groups
D. Use AWS WAF rate-based blacklisting to block this traffic when it exceeds a defined threshold
Correct Answer: D
Question #102
276. An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. The Information Security team wants to track application requests by the originating IP and the EC2 instance that processes the request. Which of the following tools or services provides this information?
A. Amazon CloudWatch
B. AWS CloudTrail
C. Elastic Load Balancing access logs
D. VPC Flow Logs
Correct Answer: D
Question #103
250. A company developed and now runs a memory-intensive application on multiple Amazon EC2 Linux instances. The memory utilization metrics of the EC2 Linux instances must be monitored every minute. How should the SysOps Administrator publish the memory metrics? (Choose two.)
A. Enable detailed monitoring on the instance within Amazon CloudWatch
B. Publish the memory metrics to Amazon CloudWatch Events
C. Publish the memory metrics using the Amazon CloudWatch agent
D. Publish the memory metrics using Amazon CloudWatch Logs
E. Set metrics_collection_interval to 60 seconds
Correct Answer: AC
Question #104
A development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data. Which AWS service will mitigate this issue?
A. AWS Shield Standard
B. AWS WAF
C. Elastic Load Balancing
D. Amazon Cognito
Correct Answer: A
Question #105
A SysOps Administrator is managing a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy. Which condition should be used with the alarm?
A. AWS/ApplicationELB HealthyHostCount <= 0
B. AWS/ApplicationELB UnhealthyHostCount >= 1
C. AWS/EC2 StatusCheckFailed <= 0
D. AWS/EC2 StatusCheckFailed >= 1
Correct Answer: D
Question #106
Which action should the sysops administrator take to allow the EC2 instances to connect to the Aurora database?
A. In the inbound rules table of the Aurora security group, add an inbound TCP rule with the MySQL port and sg-123456 as the traffic source
B. In the inbound rules table of the EC2 security group, add an inbound TCP rule with the MySQL port and 192
C. In the outbound rules table of the Aurora security group, add an outbound TCP rule with the MySQL port and 192
D. In the outbound rules table of the EC2 security group, add an outbound TCP rule with the MySQL port and sg-abcdef as the destination
Correct Answer: B
Question #107
289. A company needs to run a distributed application that processes large amounts of data across multiple Amazon EC2 instances. The application is designed to tolerate processing interruptions. What is the MOST cost-effective Amazon EC2 pricing model for these requirements?
A. Dedicated Hosts
B. On-Demand Instances
C. Reserved Instances
D. Spot Instances
Correct Answer: D
Question #108
272. A company’s Marketing department generates gigabytes of assets each day and stores them locally. They would like to protect the files by backing them up to AWS. All the assets should be stored on the cloud, but the most recent assets should be available locally for low latency access. Which AWS service meets the requirements?
A. Amazon EBS
B. Amazon EFS
C. Amazon S3
D. AWS Storage Gateway
Correct Answer: AC
Question #109
253. A SysOps Administrator must set up notifications for whenever combined billing exceeds a certain threshold for all AWS accounts within a company. The Administrator has set up AWS Organizations and enabled Consolidated Billing. Which additional steps must the Administrator perform to set up the billing alerts?
A. In the payer account: Enable billing alerts in the Billing and Cost Management console; publish an Amazon SNS message when the billing alert triggers
B. In each account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers
C. In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in the Billing and Cost Management console to publish an SNS message when the alarm triggers
D. In the payer account: Enable billing alerts in the Billing and Cost Management console; set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm triggers
Correct Answer: D
Question #110
A SysOps Administrator is managing a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy. Which condition should be used with the alarm?
A. AWS/ApplicationELB HealthyHostCount <= 0
B. AWS/ApplicationELB UnhealthyHostCount >= 1
C. AWS/EC2 StatusCheckFailed <= 0
D. AWS/EC2 StatusCheckFailed >= 1
Correct Answer: C
Question #111
A company has an application that runs only on Amazon EC2 Spot Instances. The instances run in an Amazon EC2 Auto Scaling group with scheduled scaling actions. However, the capacity does not always increase at the scheduled times, and instances terminate many times a day. A SysOps administrator must ensure that the instances launch on time and have fewer interruptions. Which action will meet these requirements?
A. Specify the capacity-optimized allocation strategy for Spot Instances
B. Add more instance types to the Auto Scaling group
C. Specify the capacity-optimized allocation strategy for Spot Instances
D. Increase the size of the instances in the Auto Scaling group
E. Specify the lowest-price allocation strategy for Spot Instances
F. Add more instance types to the Auto Scaling group
Correct Answer: C
Question #112
282. A company has received a notification in its AWS Personal Health Dashboard that one of its Amazon EBS-backed Amazon EC2 instances is on hardware that is scheduled for maintenance. The instance runs a critical production workload that must be available during normal business hours. Which steps will ensure that the instance maintenance does not produce an outage?
A. Configure an Amazon Lambda function to automatically start the instance if it is stopped
B. Create an Amazon Machine Image (AMI) of the instance and use the AMI to launch a new instance once the existing instance is retired
C. Enable termination protection on the EC2 instance
D. Stop and start the EC2 instance during a maintenance window outside of normal business hours
Correct Answer: D
Question #113
336. A sysops administrator set up an Amazon ElastiCache for Memcached cluster for an application. During testing, the application experiences increased latency. Amazon CloudWatch metrics for the Memcached cluster show CPUUtilization is consistently above 95% and FreeableMemory is consistently under 1 MB. Which action will solve the problem?
A. Configure ElastiCache automatic scaling for the Memcached cluster
B. Configure ElastiCache to read replicas for each Memcached node in different Availability Zones to distribute the workload
C. Deploy an Application Load Balancer to distribute the workload to Memcached cluster nodes
D. Replace the Memcached cluster and select a node type that has a higher CPU and memory
Correct Answer: A
Question #114
335. A sysops administrator must monitor a fleet of Amazon EC2 Linux instances with the constraint that no agents be installed. The sysops administrator chooses Amazon CloudWatch as the monitoring tool. Which metrics can be measured given the constraints? (Choose three.)
A. CPU Utilization
B. Disk Read Operations
C. Memory Utilization
D. Network Packets In
E. Network Packets Dropped
F. CPU Ready Time
Correct Answer: C
Question #115
273. A SysOps Administrator is attempting to use AWS Systems Manager Session Manager to initiate an SSH session with an Amazon EC2 instance running on a custom Linux Amazon Machine Image (AMI). The Administrator cannot find the target instance in the Session Manager console. Which combination of actions will solve this issue? (Choose two.)
A. Add Systems Manager permissions to the instance profile
B. Configure the bucket used by Session Manager logs to allow write access
C. Install Systems Manager Agent on the instance
D. Modify the instance security group to allow inbound traffic on SSH port 22
E. Reboot the instance with a new SSH key pair named ssm-user
Correct Answer: C
Question #116
A company wants to be alerted through email when IAM CreateUser API calls are made within its AWS account. Which combination of actions should a SysOps administrator take to meet this requirement? (Choose two.)
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with AWS CloudTrail as the event source and IAM CreateUser as the specific API call for the event pattern
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with Amazon CloudSearch as the event source and IAM CreateUser as the specific API call for the event pattern
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with AWS IAM Access Analyzer as the event source and IAM CreateUser as the specific API call for the event pattern
D. Use an Amazon Simple Notification Service (Amazon SNS) topic as an event target with an email subscription
E. Use an Amazon Simple Email Service (Amazon SES) notification as an event target with an email subscription
Correct Answer: A
Question #117
A SysOps administrator is responsible for a large fleet of Amazon EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead?
A. Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring
B. List any instances with failed system status checks using the AWS Management Console
C. Monitor AWS CloudTrail for StopInstances API calls
D. Review the AWS Personal Health Dashboard
Correct Answer: CE
Question #118
257. A serverless application running on AWS Lambda is expected to receive a significant increase in traffic. A SysOps Administrator needs to ensure that the Lambda function is configured to scale so the application can process the increased traffic. What should the Administrator do to accomplish this?
A. Attach additional elastic network interfaces to the Lambda function
B. Configure AWS Application Auto Scaling based on the Amazon CloudWatch Lambda metric for the number of invocations
C. Ensure the concurrency limit for the Lambda function is higher than the expected simultaneous function executions
D. Increase the memory available to the Lambda function
Correct Answer: B
Question #119
A company has multiple Amazon EC2 instances that run a resource-intensive application in a development environment. A SysOps administrator is implementing a solution to stop these EC2 instances when they are not in use. Which solution will meet this requirement?
A. Assess AWS CloudTrail logs to verify that there is no EC2 API activity
B. Invoke an AWS Lambda function to stop the EC2 instances
C. Create an Amazon CloudWatch alarm to stop the EC2 instances when the average CPU utilization is lower than 5% for a 30-minute period
D. Create an Amazon CloudWatch metric to stop the EC2 instances when the VolumeReadBytes metric is lower than 500 for a 30-minute period
E. Use AWS Config to invoke an AWS Lambda function to stop the EC2 instances based on resource configuration changes
Correct Answer: AD
Question #120
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically. Which solution meets these requirements in the MOST operationally efficient manner?
A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR ranges
B. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Logs
C. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target
D. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instance
E. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances
F. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges
Correct Answer: D
Question #121
A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps administrator notices that some of these EC2 instances show up as healthy in the Auto Scaling group but show up as unhealthy in the ALB target group. What is a possible reason for this issue?
A. Security groups are not allowing traffic between the ALB and the failing EC2 instances
B. The Auto Scaling group health check is configured for EC2 status checks
C. The EC2 instances are failing to launch and failing EC2 status checks
D. The target group health check is configured with an incorrect port or path
Correct Answer: B
Question #122
A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket. Which parameters should be specified to accomplish this in the MOST efficient manner?
A. Specify “*” as the principal and PrincipalOrgId as a condition
B. Specify all account numbers as the principal
C. Specify PrincipalOrgId as the principal
D. Specify the organization’s master account as the principal
Correct Answer: D
Question #123
243. A SysOps Administrator is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon S3. The domain name of the website is www.anycompany.com and the S3 bucket name is anycompany-static. After the record set is set up in Route 53, the domain name www.anycompany.com does not seem to work, and the static website is not displayed in the browser. Which of the following is a cause of this?
A. The S3 bucket must be configured with Amazon CloudFront first
B. The Route 53 record set must have an IAM role that allows access to the S3 bucket
C. The Route 53 record set must be in the same region as the S3 bucket
D. The S3 bucket name must match the record set name in Route 53
Correct Answer: D
