Title of test:
geografia americas 1

Description:
americas

Author:
Me

Creation Date:
16/11/2022

Category:
Others

Number of questions: 60
Content:
A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available. Which action should the SysOps administrator take to meet this requirement?
- Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
- Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
- Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.
A company hosts a website on multiple Amazon EC2 instances that run in an Auto Scaling group. Users are reporting slow responses during peak times between 6 PM and 11 PM every weekend. A SysOps administrator must implement a solution to improve performance during these peak times. What is the MOST operationally efficient solution that meets these requirements?
- Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to increase the desired capacity before peak times.
- Configure a scheduled scaling action with a recurrence option to change the desired capacity before and after peak times.
- Create a target tracking scaling policy to add more instances when memory utilization is above 70%.
- Configure the cooldown period for the Auto Scaling group to modify desired capacity before and after peak times.
A company is running a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website. Which action should a SysOps administrator take to resolve this issue?
- Configure the CloudFront distribution behavior to forward the User-Agent header.
- Configure the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers.
- Enable IPv6 on the ALB. Update the CloudFront distribution origin settings to use the dualstack endpoint.
- Enable IPv6 on the CloudFront distribution. Update the Route 53 record to use the dualstack endpoint.
A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately. What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?
- Add the AWS account to AWS Organizations. Enable CloudTrail in the management account.
- Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
- Create an AWS Config rule that is invoked when CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
- Create an Amazon EventBridge (Amazon CloudWatch Event) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.
A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain's zone apex to the website. Which type of record should be used to meet these requirements?
- An AAAA record for the domain's zone apex
- An A record for the domain's zone apex
- A CNAME record for the domain's zone apex
- An alias record for the domain's zone apex
A company must ensure that any objects uploaded to an S3 bucket are encrypted. Which of the following actions will meet this requirement? (Choose TWO)
- Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.
- Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.
- Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.
- Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.
- Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application. Which combination of actions should a SysOps administrator take to resolve this problem? (Choose TWO)
- Change to the least outstanding requests algorithm on the ALB target group.
- Configure cookie forwarding in the CloudFront distribution cache behavior.
- Configure header forwarding in the CloudFront distribution cache behavior.
- Enable group-level stickiness on the ALB listener rule.
- Enable sticky sessions on the ALB target group.
A company is running a serverless application on AWS Lambda. The application stores data in an Amazon RDS for MySQL DB instance. Usage has steadily increased, and recently there have been numerous "too many connections" errors when the Lambda function attempts to connect to the database. The company already has configured the database to use the maximum max_connections value that is possible. What should a SysOps administrator do to resolve these errors?
- Create a read replica of the database. Use Amazon Route 53 to create a weighted DNS record that contains both databases.
- Use Amazon RDS Proxy to create a proxy. Update the connection string in the Lambda function.
- Increase the value in the max_connect_errors parameter in the parameter group that the database uses.
- Update the Lambda function's reserved concurrency to a higher value.
A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware. What should the SysOps administrator do to meet these requirements?
- Launch the instances into a cluster placement group in a single AWS Region.
- Launch the instances into a partition placement group in multiple AWS Regions.
- Launch the instances into a spread placement group in multiple AWS Regions.
- Launch the instances into a spread placement group in a single AWS Region.
A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code: AMI [ami-12345678] does not exist. How should the Administrator ensure that the AWS CloudFormation template is working in every region?
- Copy the source region's Amazon Machine Image (AMI) to the destination region and assign it the same ID.
- Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
- Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.
- Modify the AWS CloudFormation template by including the AMI IDs in the "Mappings" section. Refer to the proper mapping within the template for the proper AMI ID.
A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones. There are two instances in each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency. Which solution will meet these requirements?
- Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.
- Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.
- Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.
- Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.
A SysOps administrator has successfully deployed a VPC with an AWS CloudFormation template. The SysOps administrator wants to deploy the same template across multiple accounts that are managed through AWS Organizations. Which solution will meet this requirement with the LEAST operational overhead?
- Assume the OrganizationAccountAccessRole IAM role from the management account. Deploy the template in each of the accounts.
- Create an AWS Lambda function to assume a role in each account. Deploy the template by using the AWS CloudFormation CreateStack API call.
- Create an AWS Lambda function to query for a list of accounts. Deploy the template by using the AWS CloudFormation CreateStack API call.
- Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts.
A company is running distributed computing software to manage a fleet of 20 Amazon EC2 instances for calculations. The fleet includes 2 control nodes and 18 task nodes to run the calculations. Control nodes can automatically start the task nodes. Currently, all the nodes run on demand. The control nodes must be available 24 hours a day, 7 days a week. The task nodes run for 4 hours each day. A SysOps administrator needs to optimize the cost of this solution. Which combination of actions will meet these requirements? (Choose TWO)
- Purchase EC2 Instance Savings Plans for the control nodes.
- Use Dedicated Hosts for the control nodes.
- Use Reserved Instances for the task nodes.
- Use Spot Instances for the control nodes. Use On-Demand Instances if there is no Spot availability.
- Use Spot Instances for the task nodes. Use On-Demand Instances if there is no Spot availability.
A company is supposed to receive a data file every hour in an Amazon S3 bucket. An S3 event notification invokes an AWS Lambda function each time a file arrives. The function processes the data for use by an application. The application team notices that sometimes the file does not arrive. The application team wants to receive a notification whenever the file does not arrive. What is the MOST operationally efficient solution that meets these requirements?
- Add an S3 Lifecycle rule on the S3 bucket with a scope that is limited to objects that were created in the last hour. Configure another S3 event notification to be invoked by the lifecycle transition when the number of objects transitioned is zero. Publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team.
- Configure another S3 event notification to invoke a Lambda function that posts a message to an Amazon Simple Queue Service (Amazon SQS) queue. Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team when the ApproximateAgeOfOldestMessage metric of the queue is greater than 1 hour.
- Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to alert the application team when the Invocations metric of the Lambda function is zero for an hour. Configure the alarm to treat missing data as breaching.
- Create a new Lambda function to get the timestamp of the newest file in the S3 bucket. If the timestamp is more than 1 hour ago, publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the new function hourly.
A company recently acquired another corporation and all of that corporation's AWS accounts. A financial analyst needs the cost data from these accounts. A SysOps administrator uses Cost Explorer to generate cost and usage reports. The SysOps administrator notices that "No Tagkey" represents 20% of the monthly cost. What should the SysOps administrator do to tag the "No Tagkey" resources?
- Add the accounts to AWS Organizations. Use a service control policy (SCP) to tag all the untagged resources.
- Use an AWS Config rule to find the untagged resources. Set the remediation action to terminate the resources.
- Use Cost Explorer to find and tag all the untagged resources.
- Use Tag Editor to find and tag all the untagged resources.
While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it. What address should be used to create the customer gateway resource?
- The private IP address of the customer gateway device
- The MAC address of the NAT device in front of the customer gateway device
- The public IP address of the customer gateway device
- The public IP address of the NAT device in front of the customer gateway device
A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals sudden increases in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A SysOps administrator must find the process ID (PID) of the service or process that is consuming more CPU. What should the SysOps administrator do to collect the process utilization information with the LEAST amount of effort?
- Configure the Amazon CloudWatch agent procstat plugin to capture CPU process metrics.
- Configure an AWS Lambda function to run every minute to capture the PID and send a notification.
- Log in to the EC2 instance by using a .pem key each night. Then run the top command.
- Use the default Amazon CloudWatch CPU utilization metric to capture the PID in CloudWatch.
A SysOps administrator configured AWS Backup to capture snapshots from a single Amazon EC2 instance that has one Amazon Elastic Block Store (Amazon EBS) volume attached. On the first snapshot, the EBS volume has 10 GiB of data. On the second snapshot, the EBS volume still contains 10 GiB of data, but 4 GiB have changed. On the third snapshot, 2 GiB of data have been added to the volume, for a total of 12 GiB. How much total storage is required to store these snapshots?
- 12 GiB
- 16 GiB
- 26 GiB
- 32 GiB
A team is managing an AWS account that is a member of an organization in AWS Organizations. The organization has consolidated billing features enabled. The account hosts several applications. A SysOps administrator has applied tags to resources within the account to reflect the environment. The team needs a report of the breakdown of charges by environment. What should the SysOps administrator do to meet this requirement?
- Filter, map, and categorize resource groups in Tag Editor.
- Ensure that the organization's service control policies (SCPs) allow access to cost allocation tags.
- Ensure that the IAM credentials that are used to access Cost Explorer have permissions to group cost by tags.
- Activate the tag keys for cost allocation on the organization's management account.
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched. What should the SysOps administrator do to meet this requirement?
- Add a wait condition to the template. Update the EC2 instance user data script to send a signal after the EC2 instance is started.
- Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource.
- Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource.
- Create multiple templates. Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created.
A company hosts a static website on Amazon S3. The website is served by an Amazon CloudFront distribution with a default TTL of 86,400 seconds. The company recently uploaded an updated version of the website to Amazon S3. However, users still see the old content when they refresh the site. A SysOps administrator must make the new version of the website visible to users as soon as possible. Which solution meets these requirements?
- Adjust the TTL value for the DNS CNAME record that is pointing to the CloudFront distribution.
- Create an invalidation on the CloudFront distribution for the old S3 objects.
- Create a new CloudFront distribution. Update the DNS records to point to the new CloudFront distribution.
- Update the DNS record for the website to point to the S3 bucket.
A SysOps administrator is responsible for managing a company's cloud infrastructure with AWS CloudFormation. The SysOps administrator needs to create a single resource that consists of multiple AWS services. The resource must support creation and deletion through the CloudFormation console. Which CloudFormation resource type should the SysOps administrator create to meet these requirements?
- AWS::EC2::Instance with a cfn-init helper script
- AWS::OpsWorks::Instance
- AWS::SSM::Document
- Custom::MyCustomType
A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records. What type of record should be set in Route 53 to point the website's apex domain name (for example, `company.com`) to the Application Load Balancer?
- CNAME
- SOA
- TXT
- ALIAS
A company is implementing security and compliance by using AWS Trusted Advisor. The company's SysOps team is validating the list of Trusted Advisor checks that it can access. Which factor will affect the quantity of available Trusted Advisor checks?
- Whether at least one Amazon EC2 instance is in the running state
- The AWS Support plan
- An AWS Organizations service control policy (SCP)
- Whether the AWS account root user has multi-factor authentication (MFA) enabled
A SysOps administrator is investigating issues on an Amazon RDS for MariaDB DB instance. The SysOps administrator wants to display the database load categorized by detailed wait events. How can the SysOps administrator accomplish this goal?
- Create an Amazon CloudWatch dashboard.
- Enable Amazon RDS Performance Insights.
- Enable and configure Enhanced Monitoring.
- Review the database logs in Amazon CloudWatch Logs.
A company is planning to host an application on a set of Amazon EC2 instances that are distributed across multiple Availability Zones. The application must be able to scale to millions of requests each second. A SysOps administrator must design a solution to distribute the traffic to the EC2 instances. The solution must be optimized to handle sudden and volatile traffic patterns while using a single static IP address for each Availability Zone. Which solution will meet these requirements?
- Amazon Simple Queue Service (Amazon SQS) queue
- Application Load Balancer
- AWS Global Accelerator
- Network Load Balancer
A SysOps administrator is using AWS CloudFormation StackSets to create AWS resources in two AWS Regions in the same AWS account. A stack operation fails in one Region and returns the stack instance status of OUTDATED. What is the cause of this failure?
- The CloudFormation template changed on the local disk and has not been submitted to CloudFormation.
- The CloudFormation template is trying to create a global resource that is not unique.
- The stack has not yet been deployed to the Region.
- The SysOps administrator is using an old version of the CloudFormation API.
A SysOps administrator must configure Amazon S3 to host a simple nonproduction webpage. The SysOps administrator has created an empty S3 bucket from the AWS Management Console. The S3 bucket has the default configuration in place. Which combination of actions should the SysOps administrator take to complete this process? (Choose TWO)
- Configure the S3 bucket by using the "Redirect requests for an object" functionality to point to the bucket root URL.
- Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that contains <Permission>WEBSITE</Permission>.
- Turn off the "Block all public access" setting. Allow public access by using a bucket ACL that allows access to the AuthenticatedUsers grantee.
- Turn off the "Block all public access" setting. Set a bucket policy that allows "Principal": the s3:GetObject action.
- Create an index.html document. Configure static website hosting, and upload the index document to the S3 bucket.
A company is using an Amazon Aurora MySQL DB cluster that has point-in-time recovery, backtracking, and automatic backup enabled. A SysOps administrator needs to be able to roll back the DB cluster to a specific recovery point within the previous 72 hours. Restores must be completed in the same production DB cluster. Which solution will meet these requirements?
- Create an Aurora Replica. Promote the replica to replace the primary DB instance.
- Create an AWS Lambda function to restore an automatic backup to the existing DB cluster.
- Use backtracking to rewind the existing DB cluster to the desired recovery point.
- Use point-in-time recovery to restore the existing DB cluster to the desired recovery point.
A user working in the Amazon EC2 console increased the size of an Amazon Elastic Block Store (Amazon EBS) volume attached to an Amazon EC2 Windows instance. The change is not reflected in the file system. What should a SysOps administrator do to resolve this issue?
- Extend the file system with operating system-level tools to use the new storage capacity.
- Reattach the EBS volume to the EC2 instance.
- Reboot the EC2 instance that is attached to the EBS volume.
- Take a snapshot of the EBS volume. Replace the original volume with a volume that is created from the snapshot.
A SysOps administrator is using Amazon EC2 instances to host an application. The SysOps administrator needs to grant permissions for the application to access an Amazon DynamoDB table. Which solution will meet this requirement?
- Create access keys to access the DynamoDB table. Assign the access keys to the EC2 instance profile.
- Create an EC2 key pair to access the DynamoDB table. Assign the key pair to the EC2 instance profile.
- Create an IAM user to access the DynamoDB table. Assign the IAM user to the EC2 instance profile.
- Create an IAM role to access the DynamoDB table. Assign the IAM role to the EC2 instance profile.
A SysOps administrator wants to protect objects in an Amazon S3 bucket from accidental overwrite and deletion. Noncurrent objects must be kept for 90 days and then must be permanently deleted. Objects must reside within the same AWS Region as the original S3 bucket. Which solution meets these requirements?
- Create an Amazon Data Lifecycle Manager (Amazon DLM) lifecycle policy for the S3 bucket. Add a rule to the lifecycle policy to delete noncurrent objects after 90 days.
- Create an AWS Backup policy for the S3 bucket. Create a backup rule that includes a lifecycle to expire noncurrent objects after 90 days.
- Enable S3 Cross-Region Replication on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
- Enable S3 Versioning on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
A company has an application that customers use to search for records on a website. The application's data is stored in an Amazon Aurora DB cluster. The application's usage varies by season and by day of the week. The website's popularity is increasing, and the website is experiencing slower performance because of increased load on the DB cluster during periods of peak activity. The application logs show that the performance issues occur when users are searching for information. The same search is rarely performed multiple times. A SysOps administrator must improve the performance of the platform by using a solution that maximizes resource efficiency. Which solution will meet these requirements?
- Deploy an Amazon ElastiCache for Redis cluster in front of the DB cluster. Modify the application to check the cache before the application issues new queries to the database. Add the results of any queries to the cache.
- Deploy an Aurora Replica for the DB cluster. Modify the application to use the reader endpoint for search operations. Use Aurora Auto Scaling to scale the number of replicas based on load.
- Use Provisioned IOPS on the storage volumes that support the DB cluster to improve performance sufficiently to support the peak load on the application.
- Increase the instance size in the DB cluster to a size that is sufficient to support the peak load on the application. Use Aurora Auto Scaling to scale the instance size based on load.
A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer data. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company. What is the MOST operationally efficient solution that meets these requirements?
- Configure AWS CloudTrail in all Regions to record all API activity. Create an Amazon EventBridge (Amazon CloudWatch Events) rule in all unauthorized Regions for ec2:RunInstances events. Use AWS Lambda to terminate the launched EC2 instances.
- In each AWS account, create a managed IAM policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions. Attach this policy to all IAM groups in each AWS account.
- In each AWS account, create an IAM permissions boundary policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions. Attach the permissions boundary policy to all IAM users in each AWS account.
- Create a service control policy (SCP) in AWS Organizations to deny the ec2:RunInstances action in all unauthorized Regions. Attach this policy to the root level of the organization.
A company's public website is hosted in an Amazon S3 bucket in the us-east-1 Region behind an Amazon CloudFront distribution. The company wants to ensure that the website is protected from DDoS attacks. A SysOps administrator needs to deploy a solution that gives the company the ability to maintain control over the rate limit at which DDoS protections are applied. Which solution will meet these requirements?
- Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.
- Deploy an AWS WAF web ACL with an allow default action in us-east-1. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the S3 bucket.
- Deploy a global-scoped AWS WAF web ACL with a block default action. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the CloudFront distribution.
- Deploy an AWS WAF web ACL with a block default action in us-east-1. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the S3 bucket.
A SysOps administrator developed a Python script that uses the AWS SDK to conduct several maintenance tasks. The script needs to run automatically every night. What is the MOST operationally efficient solution that meets this requirement?
- Convert the Python script to an AWS Lambda function. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the function every night.
- Convert the Python script to an AWS Lambda function. Use AWS CloudTrail to invoke the function every night.
- Deploy the Python script to an Amazon EC2 instance. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the instance to start and stop every night.
- Deploy the Python script to an Amazon EC2 instance. Use AWS Systems Manager to schedule the instance to start and stop every night.
A SysOps administrator must create a solution that immediately notifies software developers if an AWS Lambda function experiences an error. Which solution will meet this requirement?
- Create an Amazon Simple Notification Service (Amazon SNS) topic with an email subscription for each developer. Create an Amazon CloudWatch alarm by using the Errors metric and the Lambda function name as a dimension. Configure the alarm to send a notification to the SNS topic when the alarm state reaches ALARM.
- Create an Amazon Simple Notification Service (Amazon SNS) topic with a mobile subscription for each developer. Create an Amazon EventBridge (Amazon CloudWatch Events) alarm by using the LambdaError as the event pattern and the SNS topic name as a resource. Configure the alarm to send a notification to the SNS topic when the alarm state reaches ALARM.
- Verify each developer email address in Amazon Simple Email Service (Amazon SES). Create an Amazon CloudWatch rule by using the LambdaError metric and developer email addresses as dimensions. Configure the rule to send an email through Amazon SES when the rule state reaches ALARM.
- Verify each developer mobile phone in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge (Amazon CloudWatch Events) rule by using Error as the event pattern and the Lambda function name as a resource. Configure the rule to send a push notification through Amazon SES when the rule state reaches ALARM.
A company has a private Amazon S3 bucket that contains sensitive information. A SysOps administrator needs to keep logs of the IP addresses from authentication failures that result from attempts to access objects in the bucket. The logs must be stored so that they cannot be overwritten or deleted for 90 days. Which solution will meet these requirements?
- Create an AWS CloudTrail trail. Configure the log files to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
- Create an AWS CloudTrail trail. Configure the log files to be saved to a different S3 bucket. Turn on CloudTrail log file integrity validation for 90 days.
- Turn on access logging for the S3 bucket. Configure the access logs to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
- Turn on access logging for the S3 bucket. Configure the access logs to be saved in a second S3 bucket. Turn on S3 Object Lock on the second S3 bucket, and configure a default retention period of 90 days.
A SysOps administrator migrates NAT instances to NAT gateways. After the migration, an application that is hosted on Amazon EC2 instances in a private subnet cannot access the internet. Which of the following are possible reasons for this problem? (Choose TWO)
- The application is using a protocol that the NAT gateway does not support.
- The NAT gateway is not in a security group.
- The NAT gateway is in an unsupported Availability Zone.
- The NAT gateway is not in the Available state.
- The port forwarding settings do not allow access to internal services from the internet.
A company runs an application on an Amazon EC2 instance. A SysOps administrator creates an Auto Scaling group and an Application Load Balancer (ALB) to handle an increase in demand. However, the EC2 instances are failing the health check. What should the SysOps administrator do to troubleshoot this issue?
- Verify that the Auto Scaling group is configured to use all AWS Regions.
- Verify that the application is running on the protocol and the port that the listener is expecting.
- Verify the listener priority in the ALB. Change the priority if necessary.
- Verify the maximum number of instances in the Auto Scaling group. Change the number if necessary.
A SysOps administrator has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different administrator. Which action will the administrator of the second account be able to perform? Add a product from the imported portfolio to a local portfolio. Add new products to the imported portfolio. Change the launch role for the products contained in the imported portfolio. Customize the products in the imported portfolio.
A company has migrated its application to AWS. The company will host the application on Amazon EC2 instances of multiple instance families. During initial testing, a SysOps administrator identifies performance issues on selected EC2 instances. The company has a strict budget allocation policy, so the SysOps administrator must use the right resource types with the performance characteristics to match the workload. What should the SysOps administrator do to meet this requirement? Purchase regional Reserved Instances (RIs) for immediate cost savings. Review and take action on the EC2 rightsizing recommendations in Cost Explorer. Exchange the RIs for the optimal instance family after rightsizing. Purchase zonal Reserved Instances (RIs) for the existing instances. Monitor the RI utilization in the AWS Billing and Cost Management console. Make adjustments to instance sizes to optimize utilization. Review and take action on AWS Compute Optimizer recommendations. Purchase Compute Savings Plans to reduce the cost that is required to run the compute resources. Review resource utilization metrics in the AWS Cost and Usage Report. Rightsize the EC2 instances. Create On-Demand Capacity Reservations for the rightsized resources.
A SysOps administrator is tasked with deploying a company's infrastructure as code. The SysOps administrator wants to write a single template that can be reused for multiple environments. How should the SysOps administrator use AWS CloudFormation to create a solution? Use Amazon EC2 user data in a CloudFormation template. Use nested stacks to provision resources. Use parameters in a CloudFormation template. Use stack policies to provision resources.
A SysOps administrator is responsible for a large fleet of Amazon EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead? Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring. List any instances with failed system status checks using the AWS Management Console. Monitor AWS CloudTrail for StopInstances API calls. Review the AWS Personal Health Dashboard.
A SysOps administrator is attempting to deploy resources by using an AWS CloudFormation template. An Amazon EC2 instance that is defined in the template fails to launch and produces an InsufficientInstanceCapacity error. Which actions should the SysOps administrator take to resolve this error? (Choose TWO) Create a separate AWS CloudFormation template for the EC2 instance. Modify the AWS CloudFormation template to not specify an Availability Zone for the EC2 instance. Modify the AWS CloudFormation template to use a different EC2 instance type. Use a different Amazon Machine Image (AMI) for the EC2 instance. Use the AWS CLI's validate-template command before creating a stack from the template.
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses Amazon Route 53 to route traffic. The company also has a static website that is configured in an Amazon S3 bucket. A SysOps administrator must use the static website as a backup to the web application. The failover to the static website must be fully automated. Which combination of actions will meet these requirements? (Choose TWO) Create a primary failover routing policy record. Configure the value to be the ALB. Create an AWS Lambda function to switch from the primary website to the secondary website when the health check fails. Create a primary failover routing policy record. Configure the value to be the ALB. Associate the record with a Route 53 health check. Create a secondary failover routing policy record. Configure the value to be the static website. Associate the record with a Route 53 health check. Create a secondary failover routing policy record. Configure the value to be the static website.
A data analytics application is running on an Amazon EC2 instance. A SysOps administrator must add custom dimensions to the metrics collected by the Amazon CloudWatch agent. How can the SysOps administrator meet this requirement? Create a custom shell script to extract the dimensions and collect the metrics using the Amazon CloudWatch agent. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to evaluate the required custom dimensions and send the metrics to Amazon Simple Notification Service (Amazon SNS). Create an AWS Lambda function to collect the metrics from AWS CloudTrail and send the metrics to an Amazon CloudWatch Logs group. Create an append_dimensions field in the Amazon CloudWatch agent configuration file to collect the metrics.
A company stores its data in an Amazon S3 bucket. The company is required to classify the data and find any sensitive personal information in its S3 files. Which solution will meet these requirements? Create an AWS Config rule to discover sensitive personal information in the S3 files and mark them as noncompliant. Create an S3 event-driven artificial intelligence/machine learning (AI/ML) pipeline to classify sensitive personal information by using Amazon Rekognition. Enable Amazon GuardDuty. Configure S3 protection to monitor all data inside Amazon S3. Enable Amazon Macie. Create a discovery job that uses the managed data identifier.
A company hosts a web portal on Amazon EC2 instances. The web portal uses an Elastic Load Balancer (ELB) and Amazon Route 53 for its public DNS service. The ELB and the EC2 instances are deployed by way of a single AWS CloudFormation stack in the us-east-1 Region. The web portal must be highly available across multiple Regions. Which configuration will meet these requirements? Deploy a copy of the stack in the us-west-2 Region. Create a single start of authority (SOA) record in Route 53 that includes the IP address from each ELB. Configure the SOA record with health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record. Deploy a copy of the stack in the us-west-2 Region. Create an additional A record in Route 53 that includes the ELB in us-west-2 as an alias target. Configure the A records with a failover routing policy and health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record. Deploy a new group of EC2 instances in the us-west-2 Region. Associate the new EC2 instances with the existing ELB, and configure load balancer health checks on all EC2 instances. Configure the ELB to update Route 53 when EC2 instances in us-west-2 fail health checks. Deploy a new group of EC2 instances in the us-west-2 Region. Configure EC2 health checks on all EC2 instances in each Region. Configure a peering connection between the VPCs. Use the VPC in us-east-1 as the primary record and the VPC in us-west-2 as the secondary record.
A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance. Which of the following are possible causes of this issue? (Choose TWO) A network ACL associated with the bastion's subnet is blocking the network traffic. The instance does not have a private IP address. The route table associated with the bastion's subnet does not have a route to the internet gateway. The security group for the instance does not have an inbound rule on port 22. The security group for the instance does not have an outbound rule on port 3389.
A SysOps administrator is examining the following AWS CloudFormation template. Why will the stack creation fail? The Outputs section of the CloudFormation template was omitted. The Parameters section of the CloudFormation template was omitted. The PrivateDnsName cannot be set from a CloudFormation template. The VPC was not specified in the CloudFormation template.
A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times: *** Error Establishing a Database Connection Which of the following may be causes of the connectivity problems? (Choose TWO) The security group for the database does not have the appropriate egress rule from the database to the web server. The certificate used by the web server is not trusted by the RDS instance. The security group for the database does not have the appropriate ingress rule from the web server to the database. The port used by the application developer does not match the port specified in the RDS configuration. The database is still being created and is not available for connectivity.
A compliance team requires all administrator passwords for Amazon RDS DB instances to be changed at least annually. Which solution meets this requirement in the MOST operationally efficient manner? Store the database credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days. Store the database credentials as a parameter in the RDS parameter group. Create a database trigger to rotate the password every 365 days. Store the database credentials in a private Amazon S3 bucket. Schedule an AWS Lambda function to generate a new set of credentials every 365 days. Store the database credentials in AWS Systems Manager Parameter Store as a secure string parameter. Configure automatic rotation for the parameter every 365 days.
A SysOps administrator is responsible for managing a fleet of Amazon EC2 instances. These EC2 instances upload build artifacts to a third-party service. The third-party service recently implemented a strict IP allow list that requires all build uploads to come from a single IP address. What change should the systems administrator make to the existing build fleet to comply with this new requirement? Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service. Move all of the EC2 instances behind an internet gateway and provide the gateway IP address to the service. Move all of the EC2 instances into a single Availability Zone and provide the Availability Zone IP address to the service. Move all of the EC2 instances to a peered VPC and provide the VPC IP address to the service.
A company uses an Amazon CloudFront distribution to deliver its website. Traffic logs for the website must be centrally stored, and all data must be encrypted at rest. Which solution will meet these requirements? Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with internet access and server-side encryption that uses the default AWS managed customer master key (CMK). Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination. Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination. Create an Amazon S3 bucket that is configured with no default encryption. Enable encryption in the CloudFront distribution, and use the S3 bucket as a log destination.
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted. How can this be resolved? Enable encryption on each host's connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect. Enable encryption on the existing EFS volume by using the AWS Command Line Interface. Enable encryption on each host's local drive. Restart each host to encrypt the drive. Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
A SysOps administrator is using AWS Compute Optimizer to get recommendations for a fleet of Amazon EC2 instances. After the analysis is complete, some of the EC2 instances are missing from the Compute Optimizer dashboard. What is the cause of this issue? The missing instances do not have the Amazon CloudWatch agent installed. Compute Optimizer does not support the instance types of the missing instances. Compute Optimizer already considers the missing instances to be optimized. The missing instances are running a Windows operating system.
A company is partnering with an external vendor to provide data processing services. For this integration, the vendor must host the company's data in an Amazon S3 bucket in the vendor's AWS account. The vendor is allowing the company to provide an AWS Key Management Service (AWS KMS) key to encrypt the company's data. The vendor has provided an IAM role Amazon Resource Name (ARN) to the company for this integration. What should a SysOps administrator do to configure this integration? Create a new KMS key. Add the vendor's IAM role ARN to the KMS key policy. Provide the new KMS key ARN to the vendor. Create a new KMS key. Create a new IAM key. Add the vendor's IAM role ARN to an inline policy that is attached to the IAM user. Provide the new IAM user ARN to the vendor. Configure encryption using the KMS managed S3 key. Add the vendor's IAM role ARN to the KMS key policy. Provide the KMS managed S3 key ARN to the vendor. Configure encryption using the KMS managed S3 key. Create an S3 bucket. Add the vendor's IAM role ARN to the S3 bucket policy. Provide the S3 bucket ARN to the vendor.
When the AWS Cloud infrastructure experiences an event that may impact an organization, which AWS service can be used to see which of the organization's resources are affected? AWS Service Health Dashboard. AWS Trusted Advisor. AWS Personal Health Dashboard. AWS Systems Manager.
A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 and 3 hours, but at times, the process stalls due to installation errors. The SysOps administrator must modify the CloudFormation template so that if the process stalls, the entire stack will fail and roll back. Based on these requirements, what should be added to the template? Conditions with a timeout set to 4 hours. CreationPolicy with a timeout set to 4 hours. DependsOn with a timeout set to 4 hours. Metadata with a timeout set to 4 hours.