DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

SOA-C02 Exam Prep: Study Materials & Mock Tests, AWS Certified Sysops Administrator - Associate | SPOTO

SPOTO's SOA-C02 Exam Practice offers the latest mock exams to streamline your preparation. As an AWS Certified SysOps Administrator - Associate, you'll master deploying, managing, and operating AWS workloads. Our practice tests cover exam questions and answers, providing a comprehensive review of key concepts. Access free quizzes and sample questions to gauge your readiness. Our exam materials and answers are designed to enhance your exam practice and preparation. With our exam simulator, you can simulate the exam environment and tackle online exam questions with confidence. SPOTO's mock exams are your pathway to success in the AWS SOA-C02 certification.

Take other online exams

Question #1
121. A company is using AWS Organizations to manage all of their accounts. The Chief Technology Officer wants to prevent certain services from being used within production accounts until the services have been internally certified. They are willing to allow developers to experiment with these uncertified services in development accounts but need a way to ensure that these services are not used within production accounts. Which option ensures that services are not allowed within the production accounts, yet
A. Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts
B. Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services
C. Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts
D. Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non-certified services when found in a production account
View answer
Correct Answer: B

View The Updated SOA-C02 Exam Questions

SPOTO Provides 100% Real SOA-C02 Exam Questions for You to Pass Your SOA-C02 Exam!

Question #2
78. An organization has been running their website on several m2 Linux instance behind a classic load balancer for more than two years. Traffic and utilization have been constant and predictable. What should the organization do to reduce cost ?
A. Purchase reserved instances for the specific m2 instances
B. Change the m2 instances type to equivalent m5 types and purchase reserved instances for specific m5 instances
C. Change the classic load balancer to an application load balancer and purchase reserved instances for the specific m2 instances
D. Purchase spot instances for the specific m2 instances
View answer
Correct Answer: C
Question #3
86. According to the shared responsibility model, for which of the following Amazon EC2 activities is AWS responsible? (Choose two.)
A. Patching the guest operating system
B. Monitoring memory utilization
C. Configuring network ACLs
D. Patching the hypervisor
E. Maintaining network infrastructure
View answer
Correct Answer: C
Question #4
72. A Company has created a separate AWS account for all development work to protect the production environment. In the development environment users request permission to manipulate IAM policies and roles. Corporate policies require that developers are blocked from accessing services. What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?
A. Create a service control policy in AWS Organizations and apply it to the development account
B. Create a customer managed policy in IAM and apply it in to all users within the development account
C. Create a job function policy in IAM and apply it to all users within the development account
D. Create an IAM Policy and apply it in API Gateway to restrict the development account
View answer
Correct Answer: A
Question #5
73. A Company has a web application that runs on both on-premises and on Amazon EC2 instances. Over time both the on-premises server and EC2 instances is crashing. A SysOps Administrator suspects a memory leak in the application and wants unified method to monitor memory utilization. How can the Administrator track both the EC2 memory utilization and on-premises server memory utilization over time?
A. Write a script or use a third-party application to report memory utilization for both EC2 instances and on-premises servers
B. Use Amazon Cloudwatch agent for both Amazon EC2 instances and on-premises servers to report MemoryUtilization metrics to Cloudwatch and set a Cloudwatch alarm for notifications
C. Use Cloudwatch agent for Amazon EC2 instances to report memory Utilization to Cloudwatch and set Cloudwatch Alarms for notifications
D. Configure a load balancer to route traffic to both on-premises servers and EC2 instances, then use cloudwatch as the unified view of the metrics for the load balancer
View answer
Correct Answer: B
Question #6
125. Website users report that an application’s pages are loading slowly at the beginning of the workday. The application runs on Amazon EC2 instances, and data is stored in an Amazon RDS database. The SysOps Administrator suspects the issue is related to high CPU usage on a component of this application. How can the Administrator find out which component is causing the performance bottleneck?
A. Use AWS CloudTrail to review the resource usage history for each component
B. Use Amazon CloudWatch metrics to examine the resource usage of each component
C. Use Amazon Inspector to view the resource usage details for each component
D. Use Amazon CloudWatch Events to examine the high usage events for each component
View answer
Correct Answer: B
Question #7
40. A SysOps Administrator created an Amazon VPC with an IPV6 CIDR block, which requires access to the internet. However access from internet to VPC is prohibited. After adding and configuring the required components to the VPC. The Administrator is unable to connect from private subnet to the internet. What additional route destination rule should the Administrator add to the route tables?
A. Route ::/0 traffic to a NAT gateway
B. Route ::/0 traffic to an Internet Gateway
C. Rote 0
D. Route ::/0 traffic to an egress-only internet gateway
View answer
Correct Answer: A
Question #8
41. A fleet of servers must send local logs to Amazon Cloudwatch. How should the servers be configured to meet these requirements ?
A. Configure AWS Config to forward events to cloudwatch
B. Configure a simple network management protocol (SNMP) agent to forward events to Cloudwatch
C. Install and configure the unified Cloudwatch agent
D. Install and configure the Amazon Inspector agent
View answer
Correct Answer: C
Question #9
108. A company requires that all access from on-premises applications to AWS services go over its AWS Direct Connect connection rather than the public internet. How would a SysOps Administrator implement this requirement?
A. Implement an IAM policy that uses the aws:sourceConnection condition to allow access for the AWS Direct Connect connection ID only
B. Set up a public virtual interface on the AWS Direct Connect connection
C. Configure AWS Shield to protect the AWS Management Console from being accessed by IP addresses other than those within the data center ranges
D. Update all the VPC network ACLs to allow access from the data center IP ranges
View answer
Correct Answer: C
Question #10
118. An Amazon S3 bucket in a SysOps Administrator account can be accessed by users in other SWS accounts. How can the Administrator ensure that the bucket is only accessible to members of the Administrator’s AWS account?
A. Move the S3 bucket from a public subnet to a private subnet in the Amazon VPC
B. Change the bucket access control list (ACL) to restrict access to the bucket owner
C. Enable server-side encryption for all objects in the bucket
D. Use only Amazon S3 presigned URLs for accessing objects in the bucket
View answer
Correct Answer: A
Question #11
25. A SysOps Administrator is managing a MemCached cluster in Amazon ElasticCache. The cluster has been ready for capacity with a large instance type with more memory. What should the Administrator use to make this change?
A. Use the ModifyCacheCluster API and specify a new CacheNodeType
B. Use the CreateCacheCluster API and specify a new CacheNodeType
C. Use the ModifyCacheParameterGroup API and specify a new CacheNodeType
D. Use the RebootCacheCluster API and specify a new CacheNodeType
View answer
Correct Answer: A
Question #12
74. A SysOps Administrator is using AWS Cloudformation to deploy resources but would like to manually address any errors the template encounters. What should the Administrator add to the template to support the requirement?
A. Enable Termination Protection on the Stack
B. Set the OnFailure parameter to “DO_NOTHING”
C. Restrict the IAM permissions for CloudFormation to delete resources
D. Set the DeleteStack API action to “NO”
View answer
Correct Answer: B
Question #13
96. An organization stores sensitive customer information in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information. Which steps should a Sysops administrator take to meet the CISO requirement? ( Select TWO)
A. Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization
B. Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs
C. Use Amazon Athena to query S3 Analytics reports for HTTP 403 errors, and determine the IAM user or role making the requests
D. Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests
E. Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests
View answer
Correct Answer: B
Question #14
110. A company’s Information Security team has requested information on AWS environment compliance for Payment Card Industry (PCI) workloads. They have requested assistance in understanding what specific areas of the PCI standards are the responsibility of the company. Which AWS tool will provide the necessary information?
A. AWS Macie
B. AWS Artifact
C. AWS OpsWorks
D. AWS Organizations
View answer
Correct Answer: C
Question #15
What change should be made to fix this error?
A. Add a bucket policy that grants everyone read access to the bucket
B. Add a bucket policy that grants everyone read access to the bucket objects
C. Remove the default bucket policy that denies read access to the bucket
D. Configure cross-origin resource sharing (CORS) on the bucket
View answer
Correct Answer: B
Question #16
119. A company received its latest bill with a large increase in the number of requests against Amazon SQS as compared to the month prior. The company is not aware of any changes in its SQS usage. The company is concerned about the cost increase and who or what was making these calls. What should the SysOps Administrator use to validate the calls made to SQS?
A. AWS CloudTrail
B. Amazon CloudWatch
C. AWS Cost Explorer
D. Amazon S3 server access logs
View answer
Correct Answer: AE
Question #17
101. A workload has been moved from a data center to AWS. Previously, vulnerability scans were performed nightly by an external testing company. There is a mandate to continue the vulnerability scans in the AWS environment with third-party testing occurring at least once each month. What solution allows the vulnerability scans to continue without violating the AWS Acceptable Use Policy?
A. The existing nightly scan can continue with a few changes
B. If the external company is a vendor in the AWS Marketplace, notify them of the new IP address of the workload
C. Submit a penetration testing request every 90 days and have the external company test externally when the request is approved
D. AWS performs vulnerability testing behind the scenes daily and patches instances as needed
View answer
Correct Answer: A
Question #18
27. A SysOps Administrator has an AWS Direct Connect connection in place in region us-east-1, between an AWS account and a data center. The Administrator is now required to connect the data to a VPC in another AWS Region, us-west-2, which must have consistent network performance and low-latency What is the MOST efficient and quickest way to establish this connectivity?
A. Create an AWS VPN cloudhub architecture and use software VPN to connect to the VPC in region us-west-2
B. Create a new Direct Connect connection between the data center and region us-west-2
C. Create a VPC peering connection between the VPC in region us-east-1 and us-west-2 and access the VPC in us-west-2 from the data center
D. Use Direct Connect gateway with the existing Direct Connect connection to the Virtual Private Gateway of the VPC in region us-west-2
View answer
Correct Answer: D
Question #19
114. An AWS CodePipeline in us-east-1 returns “InternalError” with the code “JobFailed” when launching a deployment using an artifact from an Amazon S3 bucket in us-west-1. What is causing this error?
A. S3 Transfer Acceleration is not enabled
B. The S3 bucket is not in the appropriate region
C. The S3 bucket is being throttled
D. There are insufficient permissions on the artifact in Amazon S3
View answer
Correct Answer: C
Question #20
49. An organization has been running their website on several m2 Linux instances behind a classic load balancer for two years. Application load has been constant and predictable. What should the organization do to reduce costs?
A. Purchase Reserved instances for the specific m2
B. Change the m2 instances to equivalent m5 types, and purchase Reserved instances for the specific m5 instances
C. Change the classic load balancer to an application load balancer and purchase reserved instances for the specific m2 instances
D. Purchase Spot instances for the specific m2 instances
View answer
Correct Answer: C
Question #21
112. A company recently implemented an Amazon S3 lifecycle rule that accidentally deleted objects from one of its S3 buckets. The bucket has S3 versioning enabled. Which actions will restore the objects? (Choose two.)
A. Use the AWS Management Console to delete the object delete markers
B. Create a new lifecycle rule to delete the object delete markers that were created
C. Use the AWS CLI to delete the object delete markers while specifying the version IDs of the delete markers
D. Modify the existing lifecycle rule to delete the object delete markers that were created
E. Use the AWS CLI to delete the object delete markers while specifying the name of the objects only
View answer
Correct Answer: D
Question #22
43. In configuring an Amazon Route 53 health check, a SysOps Administrator selects ‘Yes’ to the String Matching option in the Advanced Configuration section. In the Search String box, the Administrator types the following text: /html. This is to ensure that the entire page is loading during the health check. Within 5 minutes of enabling the health check, the Administrator receives an alert stating that the check failed. However, when the Administrator navigates to the page, it loads successfully. What is th
A. The search string is not HTML encoded
B. The search string must be put in quotes
C. The search string must be escaped with a backslash (\) before the forward slash (/)
D. The search string is not in the first 5120 bytes of the tested page
View answer
Correct Answer: D
Question #23
62.An application running on Amazon EC2 allows users to launch batch jobs for data analysis. The jobs are run asynchronously, and the user is notified when they are complete. While multiple jobs can run concurrently, a user’s request need not be fulfilled for up to 24 hours. To run a job, the application launches an additional EC2 instance that performs all the analytics calculations. A job takes between 75 and 110 minutes to complete and cannot be interrupted. What is the MOST cost-effective way to run thi
A. Run the application on-Demand EC2 instances
B. Run the application on Reserved instance EC2 instances
C. Run the application on On-Demand EC2 instances
D. Run the application on Reserved instance EC2 instances
View answer
Correct Answer: A
Question #24
60. A SysOps Administrator found that newly-deployed Amazon EC2 application server is unable to connect to an Amazon RDS database. VPC Flow Logs and confirming that the flow log is active on the console, the log group cannot be located on Amazon Cloudwatch. What are the MOST likely reasons for this situation? (SELECT TWO)
A. The Administrator must configure the VPC Flow Logs to have them sent to AWS CloudTrail
B. The Administrator has waited less than ten minutes for the log group to be created in Cloudwatch
C. The account VPC Flow Logs have been disabled by using a service control policy
D. No relevant traffic has been sent since the VPC Flow Logs were created
E. The account has Amazon Guard Duty enabled
View answer
Correct Answer: BC
Question #25
85. The security team has decided that there will be no public internet access to HTTP (TCP port 80 ) because it is moving to HTTPS for all incoming web traffic. The team had asked a SysOps Administrator to provide a report on any security groups that are not compliant. What should the AWS SysOps Administrator do to provide near real time compliance reporting?
A. Enable AWS Trusted Advisor and show the security team that the security groups unrestricted access will check alarm
B. Schedule and AWS lambda function to run hourly to scan and evaluate all security groups and send report to the security team
C. Use AWS config to enable the restricted common port rule and add port 80 to parameters
D. Use Amazon Inspector to evaluate the security groups during scans, and send the completed reports to the Security team
View answer
Correct Answer: DE
Question #26
95. A SysOps Administrator is receiving multiple reports from customers that they are unable to connect to the company’s website. which is being served through Amazon CloudFront. Customers are receiving HTTP response codes for both 4XX and 5XX errors. Which metric can the Administrator use to monitor the elevated error rates in CloudFront?
A. TotalErrorRate
B. RejectedConnectionCount
C. NetworkTransmitThroughput
D. HealthyHostCount
View answer
Correct Answer: BC
Question #27
129. A Content Processing team has notified a SysOps Administrator that their content is sometimes taking a long time to process, whereas other times it processes quickly. The Content Processing submits messages to an Amazon Simple Queue Service (Amazon SQS) queue, which details the files that need to be processed. An Amazon EC2 instance polls the queue to determine which file to process next. How could the Administrator maintain a fast but cost-effective processing time?
A. Attach an Auto Scaling policy to the Amazon SQS queue to increase the number of EC2 instances based on the depth of the SQS queue
B. Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on MaxVisibility Timeout
C. Attach an Auto Scaling policy to the SQS queue to scale instances based on the depth of the dead-letter queue
D. Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on ApproximateNumberOfMessagesVisible
View answer
Correct Answer: C
Question #28
33. A SysOps Administrator has implemented an Auto Scaling group with a step scaling policy. The Administrator notices that the additional instances have not been included in the aggregated metrics. Why are the additional instances missing from the aggregated metrics?
A. The warm-up period has not expired
B. The instances are still in the boot process
C. The instances has not been attached to the auto scaling group
D. The instances are included in a different set of metrics
View answer
Correct Answer: D
Question #29
22. A SysOps Administrator must generate a report that provides a breakdown of all API activity by a specify user over call API action Given that AWS Cloudtrail was enabled, how can this report be generated?
A. Using the AWS management console, search for the user name in the Cloudtrail history
B. Use the cloudtrail digest files stored in the company’s Amazon S3 bucket
C. Locate the monthly reports that cloudtrail sends that are emailed to the account root users
D. Access the cloudtrail logs stored in Amazon S3 bucket tied to Cloudtrail
View answer
Correct Answer: D
Question #30
26. A Company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company wants to point its domain zone apex to the website Which type of record should be used to meet these requirements?
A. An AAAA record for the domain zone Apex
B. An A record for the domain zone Apex
C. A CNAME record for the domain zone Apex
D. An Alias Record for the domain zone Apex
View answer
Correct Answer: D
Question #31
106. A web application runs on Amazon EC2 instances behind an Elastic Load Balancing Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps Administrator has notice that some EC2 instances show up healthy in the Auto Scaling console but show up as unhealthy in the ALB target console. What could be the issue?
A. The health check grace period for the Auto Scaling group is set too low; increase it
B. The target group health check is incorrectly configured and needs to be adjusted
C. The user data or AMI used for the Auto Scaling group launch configuration is incorrect
D. The Auto Scaling group health check type is based on EC2 instance health instead of Elastic Load Balancing health checks
View answer
Correct Answer: D
Question #32
103. A SysOps Administrator receives reports of an Auto Scaling group failing to scale when the nodes running Amazon Linux in the cluster are constrained by high memory utilization. What should the Administrator do to enable scaling to better adapt to the high memory utilization?
A. Create a custom script that pipes memory utilization to Amazon S3, then, scale with an AWS Lambda-powered event
B. Install the Amazon CloudWatch memory monitoring scripts, and create a custom metric based on the script’s results
C. Increase the minimum size of the cluster to meet memory and application load demands
D. Deploy an Application Load Balancer to more evenly distribute traffic among nodes
View answer
Correct Answer: B
Question #33
38. A SysOps Administrator is implementing SSL for a domain of an internet facing application running behind an Application Load Balancer. The Administrator decides to use SSL certificate from Amazon Certificate Manager (ACM) to secure it. Upon creating request for the ALB is fails and the error message “Domain not allowed” is displayed. How can the Administrator fix the issue?
A. Contact the domain registrar and ask them to provide the verification required by AWS
B. Place a new request with a proper domain name instead of the ALB FQDN
C. Select the certificate request in the ACM console and resend the validation email
D. Contact AWS support and verify the request by answering security challenge questions
View answer
Correct Answer: B
Question #34
92. An Amazon EC2 instance is unable to connect to an SMTP server in a different subnet. Other instance are successfully communicating with the SMTP server, however VPC flow logs have been enabled on the SMTP server’s network interface and show the following information. 2223342796652 eni-abe77dab 10.1.1.200 10.100.1.10 1123 25 17 70 48252 1515534437 1515535037 REJECT OK What can be done to correct problem?
A. Add the instance to the security group for the SMTP server and ensure that is permitted to communicate over TCP port 25
B. Disable the iptables service on the SMTP server so that the instance can properly communicate over the network
C. Install an email client on the instance to ensure that it communicates correctly on TCP port 25 to the SMTP server
D. Add a rule to the security group for the instance to explicitly permit TCP port 25 outbound to any address
View answer
Correct Answer: D
Question #35
32. A SysOps Administrator is notified that a security vulnerability affects a version of MySQL RDS database cluster. Who is responsible for ensuring that is the patch is applied to the MySQL cluster?
A. The database vendor
B. The security department of the SysOps Administrator company
C. AWS
D. The SysOps Administrator
View answer
Correct Answer: C
Question #36
23. When the AWS Cloud Infrastructure experiences an event that may impact an organization, which AWS service can be show up resources are affected ?
A. AWS Service Health Dashboard
B. AWS Trusted Advisor
C. AWS Personal Health Dashboard
D. AWS Systems Manager
View answer
Correct Answer: C
Question #37
81. A Company static website hosted on Amazon S3 was launched recently and is being used. Currently users are experiencing 503 services unavailable errors. Why are these errors occuring?
A. The request rate to Amazon S3 is too high
B. There is an error with the Amazon RDS database
C. The requests to Amazon S3 do not have the proper permissions
D. The users are in a different geographical region and Amazon Route53 is restricting access
View answer
Correct Answer: A
Question #38
51. A Company backs up data from data center using a tape gateway on AWS Storage Gateway. The SysOps Administrator must stop a running storage gateway. What process will protect data integrity?
A. Stop storage gateway and reboot the virtual machine, then restart Storage Gateway
B. Reboot the virtual machine then restart storage gateway
C. Reboot the virtual machine
D. Shutdown the virtual machine and stop storage gateway then turn the virtual machine
View answer
Correct Answer: B
Question #39
98. Malicious traffic is reaching company web servers from a single IP address located in another country. The SysOps Administrator is tasked with blocking this IP address. How should the Administrator implement the restriction?
A. Edit the security group for the web servers and add a deny entry for the IP address
B. Edit the network access control list for the web server subnet and add a deny entry for the IP address
C. Edit the VPC route table to route the malicious IP address to a black hole
D. Use Amazon CloudFront’s geo restriction feature to block traffic from the IP address
View answer
Correct Answer: A
Question #40
115. A SySOps Administrator is managing an AWS account where Developers are authorized to launch Amazon EC2 instances to test new code. To limit costs, the Administrator must ensure that the EC2 instances in the account are terminated 24 hours after launch. How should the Administrator meet these requirements?
A. Create an Amazon CloudWatch alarm based on the CPUUtilization metric
B. Create an AWS Lambda function to check all EC2 instances and terminate instances running more than 24 hours
C. Add an action to AWS Trusted Advisor to turn off EC2 instances based on the Low Utilization Amazon EC2 Instances check, terminating instances identified by Trusted Advisor as running for more than 24 hours
D. Install the unified Amazon CloudWatch agent on every EC2 instance
View answer
Correct Answer: A
Question #41
46. A SysOps Administrator is analyzing how Reserved Instance discounts are allocated to Amazon EC2 instances across multiple AWS Account. Which AWS tool will provide the details necessary to understand the billing charges?
A. AWS Budgets
B. AWS Cost and Usage report
C. AWS Trusted Advisor
D. AWS Organizations
View answer
Correct Answer: B
Question #42
84. A SysOps Administrator is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Administrator wants to be notified automatically of AWS Personal Health Dashboard events. In the main payer account, the Administrator configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger. Why did the alerts fail?
A. Amazon SNS cannot be triggered from the AWS Personal health Dashboard
B. The AWS personal health dashboard only reports events from one a account, not linked account
C. The AWS Personal Health Dashboard must be configured from the payer account only; all events will then roll up into the payer account
D. AWS Organizations must be used to monitor linked accounts
View answer
Correct Answer: A
Question #43
80. A Company creates custom AMI images by launching new Amazon EC2 instance from an Amazon Cloudformation template. AMI images is installed software through AWS OpsWorks and take image of each EC2 instance. The process of installing software take a long times, the process stalls due to installations errors. The SysOps administrator must modify the Cloudformation Template so if the process stalls, stacks will rollback. Based on the requirements, what should be added to the template?
A. Conditions with a timeout set to 4 hours
B. CreationPolicy with a timeout set to 4 hours
C. DependOn with a timeout set to 4 hours
D. MetaData with a timeout set to 4 hours
View answer
Correct Answer: B
Question #44
105. A company has two AWS accounts: development and production. All applications send logs to a specific Amazon S3 bucket for each account, and the Developers are requesting access to the production account S3 buckets to view the logs. Which is the MOST efficient way to provide the Developers with access?
A. Create an AWS Lambda function with an IAM role attached to it that has access to both accounts’ S3 buckets
B. Create IAM users for each Developer on the production account, and add the Developers to an IAM group that provides read-only access to the S3 log bucket
C. Create an Amazon EC2 bastion host with an IAM role attached to it that has access to the production S3 log bucket, and then provision access for the Developers on the host
D. Create a resource-based policy for the S3 bucket on the production account that grants access to the development account, and then delegate access in the development account
View answer
Correct Answer: B
Question #45
56. A Company must ensures that any objects uploaded to an s3 bucket must be encrypted. Which of the following actions will meet the requirement? ( SELECT TWO)
A. Implement AWS Shield to protect again unencrypted objects stored in s3 buckets
B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket
C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored
D. Implement Amazon Inspector to inspect objects uploaded to s3 bucket to make sure that they are encrypted
E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets
View answer
Correct Answer: CE
Question #46
55. A company with a dozens of AWS Account wants to ensure that governance rules are being applied across all accounts. The CIO has recommended that AWS Config rules be deployed using an AWS Cloudformation template. How should the requirements be met?
A. Create the Cloudformation stack set then select Cloudformation template and use it to configure the AWS accounts
B. Write a script that iterates over the Company AWS accounts and executes the Cloudformation template in each account
C. Use AWS Organizations to execute the Cloudformation template in all accounts
D. Create a Cloudformation template in the master account of AWS
View answer
Correct Answer: C
Question #47
107. A company is running critical applications on Amazon EC2 instances. The company needs to ensure its resources are automatically recovered if they become impaired due to an underlying hardware failure. Which service can be used to monitor and recover the EC2 instances?
A. Amazon EC2 Systems Manager
B. Amazon Inspector
C. AWS CloudFormation
D. Amazon CloudWatch
View answer
Correct Answer: B
Question #48
70. An Auto Scaling group scales up and down based on Average CPU Utilization. The alarms is set to trigger a scaling when CPU exceeds 80% for 5 minutes. Currently, the average CPU has been 95% for over two hours and new instances are not being added What could be the issue?
A. A Scheduled scaling action has not been defined
B. In the field suspend process “ ReplacesUnhealthy” has been selected
C. The maximum size of the Auto Scaling Group is below or at the current group size
D. The HealthCheck Grace Period is set to less than 300 seconds
View answer
Correct Answer: C
Question #49
59. An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps Administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. What is likely to be the problem?
A. The Amazon Machine Image used is not Available in that region
B. The AWS Cloudformation template needs to be update to the latest version
C. The VPC configurations parameters have changed and must be updated in the template
D. The account has reached the default limit for VPCs allowed
View answer
Correct Answer: D
Question #50
75. A Company’s application stores documents within an Amazon S3 bucket. The application is running on Amazon EC2 in a VPC. A recent change in security requirements states that traffic between the company’s application and the S3 bucket must never leave the Amazon network. What AWS feature can provide this functionality?
A. Security Groups
B. NAT gateways
C. Virtual private gateway
D. Amazon VPC endpoints
View answer
Correct Answer: D
Question #51
111. A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps Administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources. Which solution will meet these requirements?
A. Set up an AWS Config rule to alert based on changes to any Cloud Formation stack
B. Set up an Amazon CloudWatch Events event with a rule to trigger based on any CloudFormation API call
C. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*
D. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource names (ARNs) of the protected resources
View answer
Correct Answer: AD
Question #52
113. An application running on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones was deployed using an AWS CloudFormation template. The SysOps team has patched the Amazon Machine Image (AMI) version and must update all the EC2 instances to use the new AMI. How can the SysOps Administrator use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity?
A. Run the aws cloudformation update-stack command with the – rollback-configuration option
B. Update the CloudFormation template with the new AMI ID, then reboot the EC2 instances
C. Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack
D. Set an AutoScalingUpdate policy in the CloudFormation template to update the stack
View answer
Correct Answer: B
Question #53
24. A company in running a social media site on EC2 instance. The application store data in an Amazon RDS for MySQL and store read caching by using an Elastic Cache for Redis (cluster mode enabled) cluster to improve read times. A Social event is coming and SysOps Administrator expects website traffic to triple. What can a SysOps Administrator do to ensure improved read times for users during the social event?
A. Use Amazon RDS Multi-AZ
B. Add shards to the existing Redis Cluster
C. Offload static data to Amazon S3
D. Launch a second multi-AZ Redis Cluster
View answer
Correct Answer: B
Question #54
31. During a security investigation it is determined that there is a coordinated attack on the web application deployed in Amazon EC2 Instance through malformed HTTP headers What AWS service or feature would prevent this traffic from reaching the EC instances?
A. Amazon Inspector
B. Amazon Security Group
C. AWS WAF
D. Application Load Balancer (ALB)
View answer
Correct Answer: C
Question #55
102. A web service runs on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. External clients must whitelist specific public IP addresses in their firewalls to access the service. What load balancer or ELB feature should be used for this application?
A. Network Load Balancer
B. Application Load Balancer
C. Classic Load Balancer
D. Load balancer target groups
View answer
Correct Answer: B
Question #56
88. A SysOps Administrator is managing an application that runs on Amazon EC2 instances behind and application load balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The applications stores data in Amazon RDS MySQL DB instance. The Administrator must ensure that that application stays available if the database becomes unresponsive. How can these requirements be met?
A. Create read replicas for the RDS database and use them in case of a database failure
B. Create a new RDS instance from the snapshot of the original RDS instance if a failure occurs
C. Keep a separate RDS database running and switch the endpoint in the web application if a failure occurs
D. Modify the RDS instance to be a Multi-AZ deployment
View answer
Correct Answer: AE
Question #57
34.A SysOps Administrator is creating additional Amazon EC2 instances and received an InstanceLimitExceeded error. What is the cause of the issue and how can it be resolved?
A. The administrator has requested too many instances at once and must required fewer instances in batches
B. The concurrent running instance limit has been reached, and an EC2 limit increase request must be filed with AWS support
C. AWS currently does not have enough available capacity and a different instance type must be used
D. The Administrator must specify the maximum number of instance to be created while provisioning EC2 instances
View answer
Correct Answer: B
Question #58
42. A company data retention policy dictates that backups be stored for exactly two years. After that the data must be deleted. How can Amazon EBS snapshots be managed to conform to this data retention policy?
A. Use an Amazon S3 lifecycle policy to delete snapshots older than two years
B. Configure Amazon Inspector to find and delete old EBS Snapshots
C. Schedule an AWS Lambda function using Cloudwatch events to periodically run a scripts to delete old snapshots
D. Configure an Amazon Cloudwatch Alarm to trigger the launch of an AWS Cloudformation template that will clean the older snapshots
View answer
Correct Answer: C
Question #59
30. An Amazon EBS Volume attached to an EC2 instance was recently modified. Part of the modification included increasing capacity. Administrator notices that the increased storage capacity is not reflected in the file system. Which step should the Administrator complete to use the increased storage capacity?
A. Restart the EC2 instance
B. Extend the volume file system
C. Detach the EBS volume, resize it and attach it
D. Take an EBS snapshot and restore it to the bigger volume
View answer
Correct Answer: B
Question #60
45. A Developer created an AWS Lambda function and has asked the SysOps Administrator to make the function run in every 15 minutes . What is the MOST efficient way to accomplish this request?
A. Create an Amazon EC2 instance and schedule a cron to invoke the Lambda function
B. Create a repeat time variable inside the Lambda function to invoke the Lambda function
C. Create a second Lambda function to monitor and invoke the first Lambda function
D. Create an Amazon Cloudwatch scheduled event to invoke the Lambda function
View answer
Correct Answer: D
Question #61
58. A Company would like to review each change in the infrastructure before deploying updates in its AWS Cloudformation stacks. Which action will allow an Administrator to understand the impact of these changes before implement?
A. Implement a blue/green strategy using AWS Elastic Beanstalk
B. Perform a canary deployment using a Application Load Balancer and target groups
C. Create a change set for the running stack
D. Submit the update using UpdateStack API call
View answer
Correct Answer: C
Question #62
89. A company has Sales department and Marketing department. The company uses one AWS account. There is a need to determine what charges are incurred on the AWS platform by each department. There is also a need to receive notifications when a specified cost level is approached or exceeded. Which two actions must a SysOps Administrator take to achieve both requirements with the LEAST amount of administrative overhead? (Choose two.)
A. Use AWS Trusted Advisor to obtain a report containing the checked items in the Cost Optimization pillar
B. Download the detailed billing report, upload it to a database, and match the line items with a list of known resources by department
C. Create a script by using the AWS CLI to automatically apply tags to existing resources to each department
D. Use AWS Organizations to create a department Organizational Unit and allow only authorized personnel in each department to create resources
E. Create a Budget from the Billing and Cost Management console
View answer
Correct Answer: B
Question #63
128. A web-based application is running in AWS. The application is using a MySQL Amazon RDS database instance for persistence. The application stores transactional data and is read-heavy. The RDS instance gets busy during the peak usage, which shows the overall application response times. The SysOps Administrator is asked to improve the read queries performance using a scalable solution. Which options will meet these requirements? (Choose two.)
A. Scale up the RDS instance to a larger instance size
B. Enable the RDS database Multi-AZ option
C. Create a read replica of the RDS instance
D. Use Amazon DynamoDB instead of RDS
E. Use Amazon ElastiCache to cache read queries
View answer
Correct Answer: CE
Question #64
87. A company use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details of daily spending to share with management. Which method should the Administrator choose to produce this data?
A. Share the monthly AWS bill with management
B. Use AWS CloudTrail Logs to access daily costs in JSON format
C. Set up daily Cost and Usage Report and download the output from Amazon S3
D. Monitor AWS costs with Amazon Cloud Watch and create billing alerts and notifications
View answer
Correct Answer: D
Question #65
44. A SysOps Administrator must ensure that AWS Cloudformation deployment changes are properly backend for governance. Which AWS Service should be used to accomplish this?
A. AWS Artifact
B. AWS Config
C. Amazon Inspector
D. AWS Trusted Advisor
View answer
Correct Answer: B
Question #66
97. A SysOps Administrator is responsible for a large fleet of EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead?
A. Monitor AWS CloudTrail for StopInstances API calls related to upcoming maintenance
B. Review the Personal Health Dashboard for any scheduled maintenance
C. From the AWS Management Console, list any instances with failed system status checks
D. Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring
View answer
Correct Answer: D
Question #67
76. An organization with a large IT department has decided to migrate to AWS . With different jobs functions in departments and is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership. What the best method to allow access using current LDAP credentials ?
A. Create an AWS directory service simple AD
B. Create Lambda function to read LDAP groups and automate the creation of IAM users
C. Use AWS Cloud Formations to create IAM roles
D. Federate the LDAP directory with IAM using SAML
View answer
Correct Answer: D
Question #68
117. A company has centralized all its logs into one Amazon CloudWatch Logs log group. The SysOps Administrator is to alert different teams of any issues relevant to them. What is the MOST efficient approach to accomplish this?
A. Write a AWS lambda function that will query the logs every minute and contain the logic of which team to notify on which patterns and issues
B. Set up different metric filters for each team based on patterns and alerts
C. Redesign the aggregation of logs so that each team’s relevant parts are sent to a separate log group, then subscribe each team to its respective log group
D. Create an AWS Auto Scaling group of Amazon EC2 instances that will scale based on the amount of ingested log entries
View answer
Correct Answer: B
Question #69
123. A company currently has a single AWS account used by all project teams. The company is migrating to a multi-account strategy, where each project team will have its own account. The AWS IAM configuration must have the same roles and policies for each of the accounts. What is the MOST efficient way to implement and manage these new requirements?
A. Create a portfolio in the AWS Service Catalog for the IAM roles and policies
B. Use AWS Organizations to create organizational units (OUs) for each group of projects and each team
C. Create an AWS Lambda script that leverages cross-account access to each AWS account, and create all the roles and policies needed using the IAM API and JSON documents stored in Amazon S3
View answer
Correct Answer: B
Question #70
83. A company has created an online retail application that is hosted on a fleet of EC2 instances behind of ELB application load balancer, authentication is handled at the individual EC2 instance level. Once a user is authenticated, all request have go to the same EC2 instance. What should the SysOps Administrator enable to meet these requirements?
A. ELB TCP listeners
B. ELB Sticky Sessions
C. ELB connection draining
D. ELB cross-zone load balancing
View answer
Correct Answer: B
Question #71
66. A company is received its latest bill with a large increase in the number of request against Amazon SQS as API call action. Admin need to know of any major changes in it SQS usage. The company is concerned about the cost increase and who or what was missing the calls. What should the SysOps Administrator use to validate the calls made to SQS?
A. Amazon Cloudtrail
B. Amazon Cloudwatch
C. AWS Cost Explorer
D. Amazon S3 Access logs
View answer
Correct Answer: A
Question #72
47. A SysOps Administrator wants to prevent Developer from accidentally terminating Amazon EC2 instance. How can this be accomplished?
A. Use AWS Systems Manager to restrict EC2 termination
B. Use AWS Config to restrict EC2 termination
C. Application Amazon Cloudwatch event to prevent EC2 termination
D. Enable termination protection on EC2 instances
View answer
Correct Answer: D
Question #73
71. The Database Administrator team is interested in performing manual backups of an Amazon RDS Oracle DB instance. What step should be taken to perform the backups?
A. Attach Amazon EBS Volume with Oracle RMAN installed to the RDS Instance
B. Take a snapshot of the EBS volume that is attached to the DB instance
C. Install Oracle Secure backup on the RDS instance and backup the Oracle database to Amazon S3
D. Take a snapshot of the DB Instance
View answer
Correct Answer: D
Question #74
69. A SysOps Administrator is reviewing AWS Trusted Advisor warnings and encounters a warning for an S3 bucket policy that discussing the issue with the bucket owner, the Administrator realizes the S3 bucket is an origin for an Amazon Cloudfront Which action should the Administrator take to ensure that users access objects in Amazon S3 by using only Cloudfront URL?
A. Encrypt the S3 bucket content with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
B. Create an Origin access identity and grand it permissions to read objects in the S3 buckets
C. Assign an IAM user to the Cloudfront distribution and whitelist the IAM user in the S3 bucket policy
D. Assign an IAM Role to the Cloudfront distribution and whitelist the IAM role in the S3 bucket policy
View answer
Correct Answer: B
Question #75
39. Malicious traffic is reaching company web servers. A SysOps Administrator is tasked with blocking this traffic. The malicious traffic request is addresses and represents much higher traffic than is typically seen from legitimate users. How should the Administrator protect the web servers?
A. Create a security group for the web servers and add deny rules for malicious sources
B. Set the network access control list for the web servers subnet and add deny entries
C. Place a web server behind AWS WAF and establish the rate limit to create a blacklist
D. Use Amazon Cloudfront to cache all pages and remove the traffic from the web servers
View answer
Correct Answer: C
Question #76
21. The Accounting Department would like to receive billing updates more than once a month. They would like the updates to be maintenanced with a spreadsheet application. How can this request be fulfilled?
A. Use Amazon Cloudwatch events to schedule a billing inquiry on a bi-weekly basis
B. Set AWS Cost and Usage reports to publish bills daily to an Amazon S3 bucket in CSV format
C. Use the AWS CLI to output billing data as JSON
D. Use the AWS Lambda, triggered by cloudwatch to query billing data and push to Amazon RDS
View answer
Correct Answer: B
Question #77
124. A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months. What is the process to rotate the key?
A. Enable automatic key rotation for the CMK, and specify a period of 6 months
B. Create a new CMK with new imported material, and update the key alias to point to the new CMK
D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months
View answer
Correct Answer: A
Question #78
48. An organization has developed a new memory intensive application that is deployed to a large Amazon EC2. The application is exhaustion, so the development team wants to monitor memory usage by using Amazon Cloudwatch. What is the MOST efficient way to accomplish this goal?
A. Deploy the solution to memory-optimized EC2 instances and use the cloudwatch MemoryUtilization metrics
B. Enable the memory monitoring option by using AWS Config
C. Install the AWS System Manager agent on applicable EC2 instances to monitor memory
D. Monitor memory by using a script within the instance and send it to cloudwatch as a custom metric
View answer
Correct Answer: D
Question #79
104. A SysOps Administrator attempting to delete an Amazon S3 bucket ran the following command: aws s3 rb s3://mybucket The command failed and bucket still exists. The administrator validated that no files existed in the bucket by running aws s3 1s s3://mybucket and getting an empty response. Why is the Administrator unable to delete the bucket, and what must be done to accomplish this task?
A. The bucket has MFA Delete enabled, and the Administrator must turn it off
B. The bucket has versioning enabled, and the Administrator must permanently delete the objects’ delete markers
C. The bucket is storing files in Amazon Glacier, and the Administrator must wait 3-5 hours for the files to delete
D. The bucket has server-side encryption enabled, and the Administrator must run the aws s3 rb s3://my bucket — sse command
View answer
Correct Answer: C
Question #80
35. A SysOps Administrator must devise a strategy for enforcing tagging of all EC2 instances and Amazon Elastic Block store (EBS) volumes. What action can the Administrator take to implement this for real-time enforcement?
A. Use the AWS Tag Editor to manually search for untagged resource and then tag them properly in the editor
B. Set Up AWS Service Catalog with the TagOptions Library rule that enforces a tagging taxonomy proactively when instances and volumes are launched
C. In a power shell or shell script, check for untagged items by using the resource tagging GetResources API action, and then manually tag the reported items
D. Launch items by using the AWS API
View answer
Correct Answer: B
Question #81
28. A web-commerce application stores its data in an Amazon Aurora DB cluster with an Aurora replica. The application displays shopping cart information by reading data from the reader endpoint. When monitoring the Aurora database, the SysOps Administrator sees the AuroraReplicaLagMaximum metric for a single replica is high. What behavior is the application MOST likely exhibiting to users?
A. Users cannot add any items to the shopping cart
B. Users immediately notice that the cart is not updated correctly
C. Users cannot remove any items from the shopping cart
D. Users cannot use the application because it is failing back to an error page
View answer
Correct Answer: B
Question #82
50. A SysOps Administrator has written an AWS Lambda function to launch new Amazon EC2 instances and deployed it in the us-east-1 region. The Administrator tested it by launching a new t2 nano instance in the us-east-1 region and it performed as expected. However, when the region name was updated in the Lambda function to launch an EC2 instance in the us-west-1 region, it failed. What is causing this error?
A. The AMI ID must be updated for the us-west-1 region in the Lambda function as well
B. The Lambda function can only launch EC2 instances in the same region where it is deployed
C. The Lambda function does not have the necessary IAM permission to launch more than one EC2 instance
D. The instance type defined in the Lambda function is not available in the us-west-1 region
View answer
Correct Answer: A
Question #83
77. An Sysops Administrator must set up notifications for whenever combined billing exceeds a certain threshold for all AWS account within company. The Administrator has set up AWS Organizations and enabled Consolidate billing. Which additionals steps must the Administrator perform to setup the billing alerts?
A. On the payer account Enable billing alerts in the Billing and Cost management console ; publish an Amazon SNS message when the billing alerts triggers
B. On each account Enable billing alerts in the billing and cost management console ; setup a billing alarm in Amazon Cloudwatch; publish an SNS message when the alarm triggers
C. On the payer account Enable billing alerts in the billing and cost management console; setup a billing alarm in the billing and cost management console to publish an SNS message when the alarm triggers
D. On the payer account Enable billing alerts in the billing and cost management console; setup billing alarm in Amazon Cloudwatch , publish an SNS message when the alarm triggers
View answer
Correct Answer: D
Question #84
37. An e-commerce company wants to lower costs on its nightly jobs that aggregate the current day’s sales and store the results in Amazon S3. The jobs are currently run using multiple on-demand instances and the job take just under 2 hours to complete. If a job fails for any reason, it needs to be restarted from the beginning. What method is the MOST cost effective based on these requirements?
A. Use a mixture of On-Demand and Spot instances for job execution
B. Submit a request for a Spot Block to be used for job execution
C. Purchase reserved instance to be used for job execution
D. Submit a request for a one-time spot instance for job execution
View answer
Correct Answer: A
Question #85
61. A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API-calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA. What additional step must be taken to ensure that API calls are authenticated using MFA?
A. Enable MFA on IAM roles and require IAM users to use role credentials to sign API calls
B. Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI
C. Restricts the IAM users to use of the console, as MFA is not supported for CLI use
D. Require user to use temporary credentials from the get sessions token command to sign API calls
View answer
Correct Answer: D
Question #86
57. Based on the AWS Shared Responsibility Model, which of the following actions are the responsibility of the customer for an Aurora database?
A. Performing underlying OS updates
B. Provisioning of storage for database
C. Scheduling maintenance, patches and other updates
D. Executing maintenance, patches and other updates
View answer
Correct Answer: C
Question #87
68. A SysOps Administrator must find a way to setup alerts when Amazon EC2 service limit are close to being reached? How can the Administrator achieve this requirement?
A. Use Amazon Inspector and Amazon Cloudwatch Events
B. Use AWS Trusted Advisor and Amazon Cloudwatch Events
C. Use the Personal Health Dashboard and Cloudwatch Events
D. Use AWS CloudTrail and Cloudwatch Events
View answer
Correct Answer: B
Question #88
122. A company hosts its website on Amazon ECF2 instances behind an ELB Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain’s zone apex to the website. Which type of record should be used to meet these requirements?
A. An AAA record for the domain’s zone apex
B. An A record for the domain’s zone apex
C. A CNAME record for the domain’s zone apex
D. An alias record for the domain’s zone apex
View answer
Correct Answer: D
Question #89
53. A SysOps Administrator runs a web application that is using a microservices approach whereby different responsibilities of the application have been divided in a separate microservice running on a different Amazon EC2 instance. The Administrator has been tasked with reconfiguring the infrastructure to support this approach. How can the Administrator accomplish this with the LEAST administrative overhead?
A. Use Amazon Cloudfront to log the URL and forward the request
B. Use Amazon Cloudfront to rewrite the header base on the micro service and forward the request
C. Use an Application Load Balancer (ALB) and do path-based routing
D. Use a Network Load Balancer (NLB) and do path-based routing
View answer
Correct Answer: C
Question #90
67. After a particularly high AWS bill, an organization wants to review the use of AWS Services What AWS Service will allow the SysOps Administrator to quickly view this information to share it and will also forecast equipment ?
A. AWS Trusted Advisor
B. Amazon QuickSight
C. AWS Cost and Usage Report
D. AWS Cost Explorer
View answer
Correct Answer: D
Question #91
64. A SysOps Administrator has been able to consolidate multiple secure websites onto a single servers and each site is running on a different port. The Administrator now wants to start a duplicate server in a second Availability Zone and put both behind a Load Balancer for high availability. What would be the command line necessary to deploy one of the sites certificates to the load balancer?
A. aws kms modify-listener –loadbalancer-name my-loadbalancer –certificates CertificateARN arn:aws:iam::123456:server-certificate/my-new-server-cert
B. aws elb set-load-balancer-listener-ssl-cerficate –load-balancer-name my-load-balancer –load-balaner-port 443 –ssl-cerficate-id arn:aws:iam::123456:server-certificate/new-server-cert
C. aws ec2 put-ssl-certificate –loadbalancer-name my-loadbalancer –load-balaner-port 443 –ssl-cerficate-id arn:aws:iam::123456:server-certificate/new-server-cert
D. aws acm put-ssl-cerficate –loadbalancer-name my-loadbalancer –load-balaner-port 443 –ssl-cerficate-id arn:aws:iam::123456:server-certificate/new-server-cert
View answer
Correct Answer: B
Question #92
20. A System Administrator is responsible for maintaining custom, approved AMIs for a company. The AMIs must be shared to other AWS Account. How can the Administrator address this issue?
A. Contact AWS support for sharing AMIs with the other AWS accounts
B. Modify the permissions on the AMIs so that they are publicly accessible
C. Modify the permissions on the IAM Role that associated with the AMI
D. Share the AMIs with each AWS account using the console or CLI
View answer
Correct Answer: D
Question #93
63. An organization has two AWS accounts Development and Production. A SysOps Administrator manages access via IAM. Users require in Development should have access to certain resource in Production. How can this be accomplished?
A. Create an IAM role in Production account with the Development account as a trusted entity and then allow those users from Development account to assume the Production account IAM role
B. Create a group of IAM users in the Development account and add Production account service ARNs as resources in the IAM policy
C. Establish a federation between the two accounts using the on-premises Microsoft Active Directory and allow development account to access the Production account through this federation
D. Establish an Amazon Cognito Federated Identity between the two accounts and allow the Development account to access the Production account through this federation
View answer
Correct Answer: D
Question #94
90. On a weekly basis, the Administrator for a photo sharing website receives an archive of all files users have uploaded the previous week. These file archives can be as a large as 10TB in size. For legal reasons, these archives must be saved with no possibility of someone deleting or modifying these archives. Occasionally, there may be a need to view the contents, but it is expected that retrieving them can take three or more hours. What should the Administrator do with the weekly archive?
A. Uploaded the file to Amazon S3 through the AWS management console and apply lifecycle policy to change the storage class to Amazon Glacier
B. Upload the archive to the Amazon Glacier with the AWS CLI and enable Vault Lock
C. Create a Linux EC2 instance with an encrypted Amazon EBS volume and copy each weekly archive file for this instance
D. Create a file gateway attached to a file share on an S3 bucket with the storage class S3 Infrequent Access
View answer
Correct Answer: A
Question #95
109. A SysOps Administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company’s account. The Administrator must be alerted to potential issues. What should the Administrator do to receive email alerts before low storage space affects EC2 instance performance?
A. Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications
B. Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic
C. Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic
D. Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space
View answer
Correct Answer: B
Question #96
99. A company website hosts patches for software that is sold globally. The website runs in AWS and performs well until a large software patch is released. The flood of downloads puts a strain on the web servers and leads to a poor customer experience. What can the SysOps Administrator propose to enhance customer experience, create a more available web platform, and keep costs low?
A. Use an Amazon CloudFront distribution to cache static content, including software patches
B. Increase the size of the NAT instance to improve throughput
C. Scale out of web servers in advance of patch releases to reduce Auto Scaling delays
D. Move the content to IO1 and provision additional IOPS to the volume that contains the software patches
View answer
Correct Answer: A
Question #97
93. A web application accepts orders from online users and places the orders into an Amazon SQS queue. Amazon EC2 instances in an EC2 Auto Scaling group read the messages from the queue, process the orders, and email order confirmations to the users. The Auto Scaling group scales up and down based on the queue depth. At the beginning of each business day, users report confirmation emails are delayed. What action will be address this issues?
A. Create a scheduled scaling action to scale up in anticipation of the traffic
B. Change the Auto Scaling group to scale up and down based on CPU utilization
C. Change the launch configuration to launch larger EC2 instance types
D. Modify the scaling policy to deploy more EC2 instances when scaling up
View answer
Correct Answer: B
Question #98
54. An organization is concerned that its Amazon RDS databases are not protected. The solution to address this issue must be low cost, protect against table corruption that could be overlooked for several days, and must offer a 30-day window of protection. How can these requirement must be met?
A. Enable multi-AZ on the RDS Instance to maintain the data in a second Availability Zone
B. Create a Read Replica of the RDS Instance to maintain the data in a second region
C. Ensure that automated backups are enabled and set the appropriate retention period
D. Enable versioning in RDS to recover altered table data when needed
View answer
Correct Answer: C
Question #99
126. A SysOps Administrator is running Amazon EC2 instances in multiple AWS Regions. The Administrator wants to aggregate the CPU utilization for all instances onto an Amazon CloudWatch dashboard. Each region should be present on the dashboard and represented by a single graph that contains the CPU utilization for all instances in that region. How can the Administrator meet these requirements?
A. Create a cross-region dashboard using AWS Lambda and distribute it to all regions
B. Create a custom CloudWatch dashboard and add a widget for each region in the AWS Management Console
C. Enable cross-region dashboards under the CloudWatch section of the AWS Management Console D
View answer
Correct Answer: B
Question #100
36. A company’s customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps Administrator observed a very high rate of read operations on a particular S3 bucket. What will minimize latency by reducing load on the S3 bucket?
A. Migrate the S3 bucket to a region that is closer to end users geographic locations
B. Use cross-region replication to replicate all of the data to another region
C. Create Amazon Cloudfront distribution with the S3 bucket as the origin
D. Use Amazon Elastic to cache data being served from Amazon S3
View answer
Correct Answer: C
Question #101
91. A company wants to ensure that each department operates within their own isolated environment and that they are only able to use pre-approved services. How can this requirement be met?
A. Setup an AWS Organization to create accounts for each department and apply services control policies to control access to AWS services
B. Create IAM roles for each department, and set policies that grant access to specific AWS services
C. Use the AWS Service Catalog to create catalogs of AWS services that are approved for use by each department
D. Request that each department create and manage its own AWS account and the resources within it
View answer
Correct Answer: A
Question #102
94. An Applications team has successfully deployed an AWS CloudFormation stack consisting of 30 t2-medium Amazon EC2 instances in the us-west-2 Region. When using the same template to launch a stack in us-east-2, the launch failed and rolled back after launching only 10 EC2 instances. What is a possible cause of this failure?
A. The IAM user did not have privileges to launch the CloudFormation template
B. The t2 medium EC2 instance service limit was reached
C. An AWS Budgets threshold was breached
D. The application’s Amazon Machine Image (AMI) is not available in us-east-2
View answer
Correct Answer: A
Question #103
116. A SysOps Administrator created an Application Load balancer (ALB) and placed two Amazon EC2 instances in the same subnet behind the ALB. During monitoring, the Administrator observes HealthyHostCount drop to 1 in Amazon CloudWatch. What is MOST likely causing this issue?
A. The EC2 instances are in the same Availability Zone, causing contention between the two
B. The route tables are not updated to allow traffic to flow between the ALB and the EC2 instances
C. The ALB health check has failed, and the ALB has taken EC2 instances out of service
D. The Amazon Route 53 health check has failed, and the ALB has taken EC2 instances out of service
View answer
Correct Answer: D
Question #104
52. A SysOps Administrator is responsible for a legacy, CPU heavy application. The application can only be scaled vertical. Currently application running on t2.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency. What change should be made to alleviate the performance problem?
A. Change the EBS volume to provisioned IOPS
B. Upgrade to a compute-optimized instance
C. Add additional t2
D. Purchase the Reserved Instance
View answer
Correct Answer: B
Question #105
65. An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of EC2 instances. After the change, traffic is not reaching the instances and an error is being returned from the ALB. What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (SELECT TWO)
A. Add the EC2 instances to the ALB target group, configure the health check and ensure that the instances report healthy
B. Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy and remove the public IPs from the instances
C. Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate and remove the public IPs from the instances
D. Change the security group for the EC2 instances to allow access from only the ALB security group and remove the public IPs from the instances
E. Change the security group to allow access from 0
View answer
Correct Answer: AD
Question #106
100. A website uses Elastic Load Balancing (ELB) in front of several Amazon EC2 instances backed by an Amazon RDS database. The content is dynamically generated for visitors of a webpage based on their geographic location. and is updated daily. Some of the generated objects are large in size and are taking longer to download than they should, resulting in a poor user experience. Which approach will improve the user experience?
A. Implement Amazon ElastiCache to cache the content and reduce the load on the database
B. Enable an Amazon CloudFront distribution with Elastic Load Balancing as a custom origin
C. Use Amazon S3 to store and deliver the content
D. Enable Auto Scaling for the EC2 instances so that they can scale automatically
View answer
Correct Answer: C

View The Updated AWS Exam Questions

SPOTO Provides 100% Real AWS Exam Questions for You to Pass Your AWS Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: