AWS SysOps Administrator Exam Questions Free

AWS SysOps Administrator - Associate Exam Dumps

Domain	% of Exam
Monitoring, Logging, and Remediation	20%
Reliability and Business Continuity	16%
Deployment, Provisioning, and Automation	18%
Security and Compliance	16%
Networking and Content Delivery	18%
Cost and Performance Optimization	12%

1 / 65

1. A company runs a large number of Amazon EC2 instances for internal departments. The company needs to track the costs of its existing AWS resources by department. What should a SysOps administrator do to meet this requirement?

A) Apply user-defined tags to the instances through Tag Editor. Activate these tags for cost allocation.

B) Activate all of the AWS generated cost allocation tags for the account

C) Schedule an AWS Lambda function to run the AWS Pricing Calculator for EC2 usage on a recurring schedule.

D) Use the AWS Trusted Advisor dashboard to export EC2 cost reports.

2 / 65

2. A company runs several production workloads on Amazon EC2 instances. A SysOps administrator discovered that a production EC2 instance failed a system health check. The SysOps administrator recovered the instance manually. The SysOps administrator wants to automate the recovery task of EC2 instances and receive notifications whenever a system health check fails. Detailed monitoring is activated for all of the company's production EC2 instances. Which of the following is the MOST operationally efficient solution that meets these requirements?

A) For each production EC2 instance, create an Amazon CloudWatch alarm for Status Check Failed: System. Set the alarm action to recover the EC2 instance. Configure the alarm notification to be published to an Amazon Simple Notification Service (Amazon SNS) topic.

B) On each production EC2 instance, create a script that monitors the system health by sending a heartbeat notification every minute to a central monitoring server. If an EC2 instance fails to send a heartbeat, run a script on the monitoring server to stop and start the EC2 instance and to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic.

C) On each production EC2 instance, create a script that sends network pings to a highly available endpoint by way of a cron job. If the script detects a network response timeout, invoke a command to reboot the EC2 instance.

D) On each production EC2 instance, configure an Amazon CloudWatch agent to collect and send logs to a log group in Amazon CloudWatch Logs. Create a CloudWatch alarm that is based on a metric filter that tracks errors. Configure the alarm to invoke an AWS Lambda function to reboot the EC2 instance and send a notification email.

3 / 65

3. A SysOps administrator sets up Traffic Mirroring on an Amazon EC2 instance. The SysOps administrator examines the logs from the traffic mirror and discovers that a number of packets have been truncated.

What should the SysOps administrator do to resolve this problem?

A) Trace the truncated packets before they enter the AWS network.

B) Increase the maximum transmission unit (MTU) size for the mirror source.

C) Increase the maximum transmission unit (MTU) size for the mirror target.

D) Use a Nitro instance type for the EC2 instance that is being mirrored.

4 / 65

4. A SysOps administrator must ensure that AWS CloudFormation deployment changes are properly tracked for governance.

Which AWS service should the SysOps administrator use to meet this requirement?

A) AWS Artifact

B) AWS Config

C) Amazon Inspector

D) AWS Trusted Advisor

5 / 65

5. A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. What is the SIMPLEST approach the SysOps Administrator can take to ensure S3 buckets in those accounts can never be deleted?

A) Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.

B) Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.

C) Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.

D) Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 bucket

6 / 65

A company is preparing to launch a new website. The website runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company launched the instances by using a custom Amazon Machine Image (AMI) from an EC2 instance that runs without problems in a different VPC in the same AWS Region.

After deployment of the new EC2 instances, external testing failed to connect to the instances by using HTTPS. The instances are reachable by using SSH through a bastion host instance that runs in the same VPC.

Which steps should a SysOps administrator take to find the problem? (Select TWO.)

A) Ensure that the security group that is assigned to the instances is open to port 443 from the ALB's security group.

B) Ensure that the ALB is assigned to a subnet with 0.0.0.0/0 routed to an internet gateway.

C) Ensure that the instances have a public IP address or an Elastic IP address that is assigned to each instance's elastic network interface.

D) Ensure that the instances are located in a subnet with 0.0.0.0/0 access routed to an internet gateway.

E) Ensure that both the system status and instance reachability checks for the instances are succeeding.

7 / 65

7. You receive an urgent call from a new DBA who accidentally dropped a table containing all your customers. Which Amazon RDS feature will allow you to reliably restore your database to within 5 minutes of when the mistake was made?

A) Multi-AZ RDS

B) RDS snapshots

C) RDS read replicas

D) RDS automated backup

8 / 65

8. A company is using AWS CloudTrail and wants to ensure that SysOps administrators can easily verify that the log files have not been deleted or changed. Which action should a SysOps administrator take to meet this requirement?

A) Grant administrators access to the AWS Key Management Service (AWS KMS) key used to encrypt the log files.

B) Enable CloudTrail log file integrity validation when the trail is created or updated.

C) Turn on Amazon S3 server access logging for the bucket storing the log files.

D) Configure the S3 bucket to replicate the log files to another bucket.

9 / 65

9. A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances. How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement?

A) Update the EFS file system settings to enable server-side encryption using AES-256.

B) Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.

C) Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system.

D) Modify the EFS file system mount options to enable Transport Layer Security (TLS) on of the each EC2 instances.

10 / 65

10. An IT director needs a monthly breakdown of cloud computing expenditures for each department in a company. The company uses AWS Organizations to manage the AWS accounts and has multiple AWS accounts in each organization.

Which combination of steps will provide this information? (Select TWO.)

A) Use AWS Systems Manager Fleet Manager to identify resources that are not tagged in each account. Apply a tag that is named Department to any untagged resources.

B) Activate a cost allocation tag that is named Department in the AWS Billing and Cost Management console in the Organizations management account. Use a tag policy to mandate a Department tag on new resources.

C) Use the AWS Resource Groups Tag Editor to identify resources that are not tagged in each account. Apply a tag that is named Department to any untagged resources.

D) Activate a cost allocation tag that is named Department within the AWS Billing and Cost Management console in each account in the organization.

E) Create an AWS Config rule across all accounts in the organization to mark resources that lack a Department tag as noncompliant.

11 / 65

11.

A company has deployed a new application that runs on Amazon EC2 instances. The company’s security team wants the application team to verify that all common vulnerabilities and exposures are addressed regularly throughout the application's life span.

How can the application team meet this requirement?

A) Perform regular assessments with Amazon Inspector.

B) Perform regular assessments with AWS Trusted Advisor.

C) Integrate the AWS Health Dashboard with Amazon EventBridge events to get security notifications.

D) Grant the security team access to AWS Artifact.

12 / 65

12. An admin is planning to monitor the ELB. Which of the below mentioned services does NOT help the admin capture the monitoring information about the ELB activity?

A) ELB Access logs

B) ELB health check

C) CloudWatch metrics

D) ELB API calls with CloudTrail

13 / 65

13. Your organization's security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password.Which of the two following options would allow an organization to enforce this policy for AWS users? (Select all that apply)

A) Configure multi-factor authentication for privileged IAM users

B) Create IAM users for privileged accounts

C) Implement identity federation between your organization's Identity provider leveraging the IAM Security Token Service

D) Enable the IAM single-use password policy option for privileged users

14 / 65

14. What would happen to an RDS (Relational Database Service) multi-Availability Zone deployment if the primary DB instance fails?

A) The IP of the primary DB instance is switched to the standby DB instance

B) The RDS (Relational Database Service) DB instance reboots

C) A new DB instance is created in the standby availability zone

D) The canonical name record (CNAME) is changed from primary to standby

15 / 65

15. A user is accessing RDS from an application. The user has enabled the Multi AZ feature with the MS SQL RDS DB. During a planned outage how will AWS ensure that a switch from DB to a standby replica will not affect access to the application?

A) RDS will have an internal IP which will redirect all requests to the new DB

B) RDS uses DNS to switch over to stand by replica for seamless transition

C) The switch over changes Hardware so RDS does not need to worry about access

D) RDS will have both the DBs running independently and the user has to manually switch over

16 / 65

16. A media company produces new video files on premises every day with a total size of around 100GBs after compression. All files have a size of 1-2 GB and need to be uploaded to Amazon S3 every night in a fixed time window between 3am and 5am. Current upload takes almost 3 hours, although less than half of the available bandwidth is used. What step(s) would ensure that the file uploads are able to complete in the allotted time window?

A) Increase your network bandwidth to provide faster throughput to S3

B) Upload the files in parallel to S3

C) Pack all files into a single archive, upload it to S3, then extract the files in AWS

D) Use AWS Import/Export to transfer the video files

17 / 65

17. A customer has a web application that uses cookie based sessions to track logged in users. It is deployed on AWS using ELB and Auto Scaling. The customer observes that when load increases, Auto Scaling launches new instances but the load on the existing instances does not decrease, causing all existing users to have a sluggish experience. Which two answer choices independently describe a behavior that could be the cause of the sluggish user experience? (Select Two)

A) ELB's normal behavior sends requests from the same user to the same backend instance

B) ELB's behavior when sticky sessions are enabled causes ELB to send requests in the same session to the same backend instance.

C) A faulty browser is not honoring the TTL of the ELB DNS name.

D) The web application uses long polling such as comet or websockets, thereby keeping a connection open to a web server for a long time

18 / 65

18. A company's application stores documents within an Amazon S3 bucket. The application is running on Amazon EC2 in a VPC. A recent change in security requirements states that traffic between the company's application and the S3 bucket must never leave the Amazon network. What AWS feature can provide this functionality?

A) Gateway VPC endpoints

B) Security groups

C) NAT gateways

D) Virtual private gateway

19 / 65

19. If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should:

A) Assign a group or sequential Elastic IP address to the instances

B) Launch the instances in a Placement Group

C) Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already

D) Launch the instances in the Amazon virtual Private Cloud (VPC).

20 / 65

20. An organization has created 5 IAM users. The organization wants to give them the same login ID but different passwords. How can the organization achieve this?

A) It is not possible to have the same login ID for multiple IAM users of the same account.

B) The organization should create a separate login ID but give the IAM users the same alias so that each one can login with their alias.

C) The organization should create each user in a separate region so that they have their own URL to login.

D) The organization should create various groups and add each user with the same login ID to different groups. The user can login with their own group ID

21 / 65

21. A company's customers report that they are receiving HTTP 404 errors on the company's website. The company's infrastructure includes several Amazon EC2 instances. The logs are sent from each instance to a consolidated log group in Amazon CloudWatch Logs. A SysOps administrator needs to create a notification to indicate when the HTTP 404 errors pass a certain threshold.

Which steps are required to meet this requirement? (Select TWO.)

A) Configure a log stream with log file compression.

B) Configure CloudWatch Logs Insights to generate metrics on HTTP 404 errors.

C) Create metric filters with a filter pattern that identifies the HTTP 404 errors.

D) Create an Amazon CloudWatch alarm based on the count of HTTP 404 errors.

E) Create an Amazon EventBridge (Amazon CloudWatch Events) event based on the CloudWatch Logs Insights threshold.

22 / 65

22.

A SysOps administrator needs to deploy a duplicate AWS development environment into a new AWS Region. The environment will be periodically redeployed as part of the maintenance process. The SysOps administrator deploys the current working template into the new Region. The template's Amazon EC2 instances fail to deploy, and AWS CloudFormation automatically rolls back the deployment.After reviewing the logs, the SysOps administrator discovers that the EC2 instances are not deploying because of an Amazon Machine Image (AMI) ID value that is not valid in the new Region. The SysOps administrator must correct the CloudFormation template so that the instances deploy correctly.
What should the SysOps administrator do to meet this requirement with the LEAST operational overhead?

A) Create a template that is specific to each Region.

B) Create a Mappings section in the template to reference the correct AMI ID value for both Regions.

C) Remove the EC2 instances from the template. Manually deploy the EC2 instances.

D) Create a parameter field that requests the AMI ID value. Pass the AMI ID value to the resource section for EC2 deployment.

23 / 65

23. A SysOps administrator needs to block malicious traffic that is reaching a company's web servers. The malicious traffic is distributed over many IP addresses. The malicious traffic consists of a significantly higher number of connections than the company typically receives from legitimate users. The SysOps administrator needs to protect the web servers by using a solution that maximizes operational efficiency.

Which solution meets these requirements?

A) Create a security group for the web servers. Add deny rules for malicious sources.

B) Set the network ACL for the subnet that is assigned to the web servers. Add deny rules for malicious sources.

C) Use Amazon CloudFront to cache all pages and remove the traffic from the web servers.

D) Place the web servers behind AWS WAF. Establish the rate limit to create a deny list.

24 / 65

24. A photo sharing site delivers content worldwide from a library on Amazon S3 by using Amazon CloudFront. Some users try to access photos that do not exist. Other users try to access photos that the users are not authorized to view.

Which Amazon CloudWatch metric should a SysOps administrator monitor to better understand the extent of this issue?

A) GetRequests S3 metric

B) 4xxErrorRate CloudFront metric

C) 5xxErrorRate CloudFront metric

D) PostRequests S3 metric

25 / 65

25. A company has a key management service in its on-premises data center. The key management service uses an RSA asymmetric encryption algorithm. The company needs to integrate its system with a highly available, secure service in AWS to replace the on-premises service. The keys must be stored in dedicated hardware security modules that are validated by a third party. The company must control these hardware security modules.

Which solution will meet these requirements?

A) Import the current keys from the on-premises environment into an AWS CloudHSM cluster.

B) Revoke the current keys. Generate new asymmetric keys in AWS Key Management Service (AWS KMS).

C) Generate a customer key from AWS Key Management Service (AWS KMS). Import the key into the on-premises environment.

D) Launch an Amazon EC2 instance. Install an application that generates RSA keys. Import the existing keys into the application.

26 / 65

26. An organization is generating digital policy files which are required by the admins for verification. Once the files are verified they may not be required in the future unless there is some compliance issue. If the organization wants to save them in a cost effective way, which is the best possible solution?

A) AWS RRS (Reduced Redundancy Storage)

B) AWS S3 (Simple Storage Service)

C) AWS RDS (Relational Database Service)

D) AWS Glacier

27 / 65

27.

A company maintains its AWS accounts with AWS Organizations and uses AWS Firewall Manager. The company wants to change the administrator account of Firewall Manager to a different account within the organization.

What should a SysOps administrator do to accomplish this task?

A) Remove the current administrator account from the organization that administers the firewall. Add the new administrator to the organization that administers the firewall.

B) Modify the service control policy (SCP) to deny access to Firewall Manager on the current account. Modify the SCP to allow access to Firewall Manager on the new administrator account.

C) Use the AWS Systems Manager console with the Organizations maintenance account to switch Firewall Manager from the original administrator account to the new Firewall Manager administrator account number. D

D) Log in to the current Firewall administrator account. Use the revoke feature of Firewall Manager. Sign in to the AWS Management Console by using the Organizations management account. Enter the new Firewall Manager administrator account number.

28 / 65

28. A SysOps administrator attached the following IAM policy to a developer's IAM user account:

{

"Version": "2012-10-17",

"Statement": {

"Effect": "Allow",

"Action": "dynamodb:GetItem",

"Resource": "*",

"Condition": {

"DateGreaterThan": {

"aws:CurrentTime": "2020-07-01T00:00:00Z"

"DateLessThan": {

"aws:CurrentTime": "2020-12-31T23:59:59Z"

}

"StringEquals": {

"aws:SourceVpc": "vpc-111bbb22"

}

Which permission will the developer have for using GetItem?

A) Access is allowed on or between July 1, 2020, and December 31, 2020 (UTC), and if the request is initiated from vpc-111bbb22.

B) Access is allowed on or between July 1, 2020, and December 31, 2020 (UTC), or if the request is initiated from vpc-111bbb22.

C) Access is allowed on or between July 1, 2020, and December 31, 2020 (UTC), and if the request uses a VPC endpoint in vpc-111bbb22.

D) Access is allowed on or between July 1, 2020, and December 31, 2020 (UTC), or if the request uses a VPC endpoint in vpc-111bbb22.

29 / 65

29. A SysOps Administrator has implemented an Auto Scaling group with a step scaling policy. The Administrator notices that the additional instances have not been included in the the aggregated metrics. Why are the additional instances missing from the aggregated metrics?

A) The warm-up period has not expired

B) The instances are still in the boot process

C) The instances have not been attached to the Auto Scaling group

D) The instances are included in a different set of metrics

30 / 65

30. A SysOps Administrator is deploying a legacy web application on AWS. The application has four instance amazon EC2 instances behind Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application the code is no longer available to update. What cost-effective configuration change should the Administrator make to migrate the risk of SQL injection attacks?

A) Configure Amazon GuardDuty to monitor the application for SQL injection threats.

B) Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks.

C) Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF to the Application Load Balancer.

D) Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe aws shield standard.

31 / 65

31. Which two AWS services provide out-of-the-box user configurable automatic backup-as-a-service and backup rotation options? (Select all that apply)

A) Amazon S3

B) Amazon RDS

C) Amazon EBS

D) Amazon Redshift

E) Athena

32 / 65

32. A large enterprise has numerous AWS accounts spread across different departments. They want to implement centralized governance, establish a baseline security posture, and ensure compliance across all accounts. Which AWS service provides a set of predefined guardrails to help achieve these objectives?

A) Amazon IAM

B) AWS CloudTrail

C) AWS Control Tower

D) Amazon System Manager

33 / 65

33. You are managing a legacy application inside of the VPC with hard-coded IP addresses in its configuration. Which two mechanisms will allow the application to failover to new instances without the need for reconfiguration? (Select Two)

A) Create an ELB to reroute traffic to a failover instance

B) Create a secondary ENI that can be moved to a failover instance

C) Use Route53 health checks to fail traffic over to a failover instance

D) Assign a secondary private IP address to the primary ENI that can be moved to a failover instance

34 / 65

34. A company has an application that uses Amazon ElastiCache for Memcached to cache query responses to improve latency. However, the application's users are reporting slow response times. A SysOps administrator notices that the Amazon CloudWatch metrics for Memcached evictions are high. Which actions should the SysOps administrator take to fix this issue? (Select TWO.)

A) Flush the contents of ElastiCache for Memcached.

B) Increase the ConnectionOverhead parameter value.

C) Increase the number of nodes in the cluster.

D) Increase the size of the nodes in the cluster.

E) Decrease the number of nodes in the cluster.

35 / 65

35. A company's disaster recovery policy states that Amazon Elastic Block Store (Amazon EBS) snapshots must be created daily. The EBS snapshots must be retained for 6 months and then must be deleted. A SysOps administrator must automate this process.

Which solution will meet these requirements with the LEAST operational overhead?

A) Use Amazon EventBridge (Amazon CloudWatch Events) rules for AWS Config.

B) Use Amazon Data Lifecycle Manager (Amazon DLM).

C) Use an Amazon S3 Lifecycle rule.

D) Use AWS CodePipeline to create snapshots. Use an AWS CloudFormation template to retain and delete snapshots.

36 / 65

36. A company runs an application on a large fleet of Amazon EC2 instances to process financial transactions. The EC2 instances share data by using an Amazon Elastic File System (Amazon EFS) file system. The company wants to deploy the application to a new Availability Zone and has created new subnets and a mount target in the new Availability Zone. When a SysOps administrator launches new EC2 instances in the new subnets, the EC2 instances are unable to mount the file system. What is a reason for this issue?

A) The EFS mount target has been created in a private subnet.

B) The IAM role that is associated with the EC2 instances does not allow the efs:MountFileSystem action.

C) The route tables have not been configured to route traffic to a VPC endpoint for Amazon EFS in the new Availability Zone.

D) The security group for the mount target does not allow inbound NFS connections from the security group used by the EC2 instances.

37 / 65

37. A company hosts an internal application on Amazon EC2 instances. The application is used only during work hours from 8:00 AM to 6:00 PM on Monday through Friday. The company wants to start and stop the EC2 instances on a schedule around these work hours to optimize cost.

Which solution to automate the process for starting and stopping the EC2 instances is the MOST operationally efficient?

A) Create an AWS Lambda function to start and stop the instances before and after work hours. Use a cron expression to create an Amazon EventBridge (Amazon CloudWatch Events) rule to run the Lambda function on a schedule.

B) Use AWS Systems Manager Fleet Manager to upload a script to start and stop the instances before and after work hours. Use a cron expression to set up a schedule to run the script for the instances.

C) Use AWS Systems Manager Fleet Manager to upload a script to start and stop the instances before and after work hours. Use a rate expression to set up a schedule to run the script for the instances.

D) Create an AWS Lambda function to start and stop the instances before and after work hours. Use a rate expression to create an Amazon EventBridge (Amazon CloudWatch Events) rule to run the Lambda function on a schedule.

38 / 65

38. A company hosts a web application on an Amazon EC2 instance. Users report that the web application is occasionally unresponsive. Amazon CloudWatch metrics indicate that the CPU utilization is 100% during these times. A SysOps administrator must implement a solution to monitor for this issue. Which solution will meet this requirement?

A) Create a CloudWatch alarm that monitors AWS CloudTrail events for the EC2 instance.

B) Create a CloudWatch alarm that monitors CloudWatch metrics for EC2 instance CPU utilization.

C) Create an Amazon Simple Notification Service (Amazon SNS) topic to monitor CloudWatch metrics for EC2 instance CPU utilization.

D) Create a recurring assessment check on the EC2 instance by using Amazon Inspector to detect deviations in CPU utilization.

39 / 65

39. How can the domain's zone apex for example "myzoneapexdomain.com" be pointed towards an Elastic Load Balancer?

A) By using an AAAA record

B) By using an A record

C) By using an Amazon Route 53 CNAME record

D) By using an Amazon Route 53 Alias record

40 / 65

40. You have set up Individual AWS accounts for each project. You have been asked to make sure your AWS Infrastructure costs do not exceed the budget set per project for each month. Which of the following approaches can help ensure that you do not exceed the budget each month?

A) Consolidate your accounts so you have a single bill for all accounts and projects

B) Set up auto scaling with CloudWatch alarms using SNS to notify you when you are running too many Instances in a given account

C) Set up CloudWatch billing alerts for all AWS resources used by each project, with a notification occurring when the amount for each resource tagged to a particular project matches the budget allocated to the project

D) Set up CloudWatch billing alerts for all AWS resources used by each account, with email notifications when it hits 50%. 80% and 90% of its budgeted monthly spend

41 / 65

41. You are running a web-application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational DataBase Service (RDS) MySQL. Which security measure falls into AWS's responsibility?

A) Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access.

B) Protect against IP spoofing or packet sniffing.

C) Assure all communication between EC2 instances and ELB is encrypted.

D) Install latest security patches on ELB, RDS, and EC2 instances

42 / 65

42. A user has developed an application which is required to send the data to a NoSQL database. The user wants to decouple the data sending such that the application keeps processing and sending data but does not wait for an acknowledgement of DB. Which of the below mentioned applications helps in this scenario?

A) AWS Simple Notification Service

B) AWS Simple Workflow

C) AWS Simple Queue Service

D) AWS Simple Query Service

43 / 65

43. A company needs to ensure that an AWS Lambda function can access resources in a VPC in the company's account. The Lambda function requires access to third-party APIs that can be accessed only over the internet. Which action should a SysOps administrator take to meet these requirements?

A) Attach an Elastic IP address to the Lambda function and configure a route to the internet gateway of the VPC.

B) Connect the Lambda function to a private subnet that has a route to the virtual private gateway of the VPC.

C) Connect the Lambda function to a public subnet that has a route to the internet gateway of the VPC.

D) Connect the Lambda function to a private subnet that has a route to a NAT gateway deployed in a public subnet of the VPC.

44 / 65

44. A company is running a website that stores data in an Amazon RDS for MySQL DB instance. The company expects the data that is stored in the database to grow significantly during the next 6 months.

A SysOps administrator can see that the DB instance will run out of storage space in that time period. The current DB instance uses General Purpose SSD (gp2) volumes for storage.

Which action can the SysOps administrator take to scale the storage for the DB instance?

A) Launch an RDS read replica.

B) Enable storage autoscaling for the DB instance.

C) Turn on the Multi-AZ feature for the DB instance.

D) Change the DB instance storage type to standard magnetic.

45 / 65

45. You're currently using AWS Auto Scaling for your application. Your app is running a fleet of VMs behind the Elastic Load Balancer that scales out and in, in accordance with the current amount of received traffic. You are preparing for an advertising campaign which will attract more visitors than you currently have, and increase your traffic 10 times. Your calculations show that at the peak time of traffic, you will need up to 120 EC2 instances. What preparations must be done to get your infrastructure ready for the traffic spikes? (Select all that apply)

A) Pre-allocate 120 Elastic IP addresses.

B) Check your current account limits and change the limits so that your account would be able to handle the new capacity requirements.

C) Adjust the configuration for Auto Scaling, so that it would be able to spin up 120 instances when necessary

D) Request pre-warming for your Elastic Load Balancer so that it would not be clogged with increased traffic

46 / 65

46. A SysOps administrator is responsible for an Amazon RDS Single-AZ DB instance that stores customer and sales information. An Amazon CloudWatch dashboard shows increased consumption of CPU and memory for the DB instance in the last week of each month. The increased consumption is caused by extensive reads to the sales data by users that run reports. The SysOps administrator needs a solution that runs the reports without affecting the ability of users to send data to the database.

Which solution will meet this requirement with the LEAST amount of effort?

A) Convert the DB instance into an Amazon DynamoDB table.

B) Convert the DB instance into a Multi-AZ DB instance.

C) Create an Amazon ElastiCache for Memcached cluster.

D) Implement read replicas. Point the sales report jobs to the read replicas.

47 / 65

47. An application that you are managing has EC2 instances & Dynamo OB tables deployed to several AWS Regions In order to monitor the performance of the application globally, you would like to see two graphs 1) Avg CPU Utilization across all EC2 instances and 2) Number of Throttled Requests for all DynamoDB tables. How can you accomplish this?

A) Tag your resources with the application name, and select the tag name as the dimension in the Cloudwatch Management console to view the respective graphs

B) Use the Cloud Watch CLI tools to pull the respective metrics from each regional endpoint Aggregate the data offline & store it for graphing in CloudWatc

C) Add SNMP traps to each instance and DynamoDB table Leverage a central monitoring server to capture data from each instance and table Put the aggregate data into Cloud Watch for graphin

D) Add a CloudWatch agent to each instance and attach one to each DynamoDB table

48 / 65

48. A company is running a custom database on an Amazon EC2 instance. The database stores its data on an Amazon Elastic Block Store (Amazon EBS) volume. A SysOps administrator must set up a backup strategy for the EBS volume. What should the SysOps administrator do to meet this requirement?

A) Create an Amazon CloudWatch alarm for the VolumeIdleTime metric with an action to take a snapshot of the EBS volume.

B) Create a pipeline in AWS Data Pipeline to take a snapshot of the EBS volume on a recurring schedule.

C) Create an Amazon Data Lifecycle Manager (Amazon DLM) policy to take a snapshot of the EBS volume on a recurring schedule.

D) Create an AWS DataSync task to take a snapshot of the EBS volume on a recurring schedule

49 / 65

49. A company created a new application that uses a Spot Fleet for a variety of instance families across multiple Availability Zones.

What should a SysOps administrator do to ensure that the Spot Fleet is configured for cost optimization?

A) Apply Spot pricing and Reserved Instances purchasing to the same instances.

B) Ensure instance capacity by specifying the desired target capacity. Specify how much of that capacity must be On-Demand Instances.

C) Use the lowestPrice allocation strategy in combination with the InstancePoolsToUseCount parameter in the Spot Fleet request.

D) Launch instances up to the Spot Fleet target capacity or the maximum acceptable payment amount.

50 / 65

50. The company uses AWS Organizations to manage its accounts. For the production account, a SysOps administrator must ensure that all data is backed up daily for all current and future Amazon EC2 instances and Amazon Elastic File System (Amazon EFS) file systems. Backups must be retained for 30 days. Which solution will meet these requirements with the LEAST amount of effort?

A) Create a backup plan in AWS Backup. Assign resources by resource ID, selecting all existing EC2 and EFS resources that are running in the account. Edit the backup plan daily to include any new resources. Schedule the backup plan to run every day with a lifecycle policy to expire backups after 30 days.

B) Create a backup plan in AWS Backup. Assign resources by tags. Ensure that all existing EC2 and EFS resources are tagged correctly. Apply a service control policy (SCP) for the production account OU that prevents instance and file system creation unless the correct tags are applied. Schedule the backup plan to run every day with a lifecycle policy to expire backups after 30 days.

C) Create a lifecycle policy in Amazon Data Lifecycle Manager (Amazon DLM). Assign all resources by resource ID, selecting all existing EC2 and EFS resources that are running in the account. Edit the lifecycle policy daily to include any new resources. Schedule the lifecycle policy to create snapshots every day with a retention period of 30 days

D) Create a lifecycle policy in Amazon Data Lifecycle Manager (Amazon DLM). Assign all resources by tags. Ensure that all existing EC2 and EFS resources are tagged correctly. Apply a service control policy (SCP) that prevents resource creation unless the correct tags are applied. Schedule the lifecycle policy to create snapshots every day with a retention period of 30 days.

51 / 65

51. You have a stateless web-style application with a CPU and memory-intensive web tier running on a c3.8xlarge EC2 instance inside of a VPC. The instance when under load faces problems returning requests within the SLA, as defined by your business. The application maintains its state in a DynamoDB table, but the data tier is properly provisioned and responses are consistently fast. How can you best resolve the issue of the application responses not meeting your SLA?

A) Add another c3.8xlarge application instance, and put both behind an Elastic Load Balancer

B) Move the c3.8xlarge to the same Availability Zone as the DynamoDB table

C) Cache the database responses in ElastiCache for more rapid access

D) Move the database from DynamoDB to RDS MySQL in scale-out read-replica configuration

52 / 65

52. A company uses an AWS CloudFormation stack to create an Auto Scaling group of Amazon EC2 instances. The company needs to address a security vulnerability in the Amazon Machine Image (AMI) that the EC2 instances use. The company needs to update to the latest operating system to address the security concerns. The company's application runs on the EC2 instances and must stay online at all times. At least one EC2 instance must stay operational during the change operation.

A SysOps administrator is updating the AMI ID in the CloudFormation template.

How can the SysOps administrator apply the AMI update to meet these requirements?

A) Use a direct update of the stack.

B) Run a change set for the stack.

C) Use the AutoScalingRollingUpdate policy.

D) Use the AutoScalingReplacingUpdate policy.

53 / 65

53. You have an Auto Scaling group running behind Elastic Load Balancer (ELB) and associated with that ELB. You have noticed that some of the instances in the Auto Scaling Group were marked as unhealthy by the ELB, but were not terminated. What setting do you need to change so that the instances marked as unhealthy by the ELB would be terminated correctly by the Auto Scaling during its normal Self-healing procedure?

A) Adjust the thresholds for the Auto Scaling group health check

B) Add an Elastic Load Balancing health check to your Auto Scaling Group

C) Increase the Health check interval on the ELB

D) Use TCP Health Check instead of the HTTP Health Check on the Elastic Load Balancer

54 / 65

54. Which of the following are the characteristics of Amazon S3? (Select two)

A) Objects are directly accessible via a URL

B) S3 should be used to host a relational database

C) S3 allows you to store objects or virtually unlimited size

D) S3 allows you to store virtually unlimited amounts of data

E) S3 offers Provisioned IOPS

55 / 65

55. An organization is using cost allocation tags to find the cost distribution of different departments and projects. One of the instances has two separate tags with the key/ value as “InstanceName/HR”, “CostCenter/HR”. What will AWS do in this case?

A) AWS will allow tags but will not show correctly in the cost allocation report due to the same value of the two separate keys

B) InstanceName is a reserved tag for AWS

C) Thus, AWS will not allow this tag

D) AWS will not allow the tags as the value is the same for different keys

56 / 65

56. A company has an application that runs on a fleet of Amazon EC2 instances that run Microsoft Windows. The company needs to apply patches to the operating system each month. The company uses AWS Systems Manager Patch Manager to apply the patches on a schedule. When the fleet is being patched, users of the application report delayed service responses.

What should the company do to MINIMIZE the impact on users during patch deployment?

A) Change the number of instances patched at any one time to 100%.

B) Create a snapshot of each instance in the fleet by using a Systems Manager Automation runbook before the start of the patch process.

C) Configure the maintenance window to patch 10% of the instances in the patch group at a time.

D) Create a patched Amazon Machine Image (AMI). Configure the maintenance window option to deploy the patched AMI on only 10% of the fleet at a time.

57 / 65

57. You have a proprietary data store on-premises that must be backed up daily by dumping the data store contents to a single compressed 50GB file and sending the file to AWS. Your SLAs state that any dump file backed up within the past 7 days can be retrieved within 2 hours. Your compliance department has stated that all data must be held indefinitely. The time required to restore the data store from a backup is approximately 1 hour. Your on-premise network connection is capable of sustaining 1gbps to AWS. Which backup methods to AWS would be most cost-effective while still meeting all of your requirements?

A) Send the daily backup files to Glacier immediately after being generated

B) Transfer the daily backup files to an EBS volume in AWS and take daily snapshots of the volume

C) Transfer the daily backup files to S3 and use appropriate bucket lifecycle policies to send to Glacier

D) Host the backup files on a Storage Gateway with Gateway-Cached Volumes and take daily snapshots

58 / 65

58. A SysOps Administrator observes a large number of rogue HTTP requests on an Application Load Balancer (ALB). The requests originate from various IP addresses. Which action should be taken to block this traffic?

A) Use Amazon CloudFront to cache the traffic and block access to the web servers

B) Use Amazon GuardDuty to protect the web servers from bots and scrapers

C) Use AWS WAF rate-based blacklisting to block this traffic when it exceeds a defined threshold.

D) Use AWS Lambda to analyze the web server logs, detect bot traffic, and block the IP address in the security groups

59 / 65

59. A company is hosting a service-oriented architecture across multiple Amazon EC2 instances. Each instance hosts a different application. The services read and write messages to Amazon Simple Queue Service (Amazon SQS) queues for cross-service communication. The company uses Amazon CloudWatch for monitoring.

The company has configured a CloudWatch alarm to alert system operators when the value of the ApproximateNumberOfMessagesVisible metric is more than 50. A system operator just received an alert that the alarm has entered the ALARM state.

What could be the cause of the alarm?

A) The visibility timeout for the SQS queue is set to a value that is too long in duration.

B) The applications that are receiving the messages from the SQS queue are purging the messages from the queue after processing the messages.

C) The delivery delay for the SQS queue is set to a value that is too long in duration.

D) The applications that are receiving the messages from the SQS queue are not deleting the messages from the queue after processing them.

60 / 65

60. You use S3 to store critical data for your company. Several users within your group currently have full permissions to your S3 buckets. You need to come up with a solution that does not impact your users and also protect against the accidental deletion of objects. Which two options will address this issue? (Select Two)

A) Enable versioning on your S3 Buckets

B) Configure your S3 Buckets with MFA delete

C) Create a Bucket policy and only allow read only permissions to all users at the bucket level

D) Enable object life cycle policies and configure the data older than 3 months to be archived in Glacier

61 / 65

61. Your entire AWS infrastructure lives inside of one Amazon VPC You have an Infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application. Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else'' If so how?

A) No Two instances in two different AZ's can't talk directly to each other via ICMP ping as that protocol is not allowed across subnet (iebroadcast) boundaries

B) Yes, Both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol

C) Yes Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP

D) Yes, The security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow Inbound ICMP

62 / 65

62. Your company Is moving towards tracking web page users with a small tracking Image loaded on each page Currently you are serving this image out of US-East, but are starting to get concerned about the time It takes to load the image for users on the west coast. What are the two best ways to speed up serving this image? Choose 2 answers

A) Use Route 53's Latency Based Routing and serve the image out of US-West-2 as well as US-East-1

B) Serve the image out through CloudFront

C) Serve the image out of S3 so that it isn't being served oft of your web application tier

D) Use EBS PIOPs to serve the image faster out of your EC2 instances

63 / 65

63. A company uses AWS Organizations to create and manage many AWS accounts. The company wants to deploy new IAM roles in each account. Which action should the SysOps administrator take to deploy the new roles in each of the organization’s accounts?

Which action should the SysOps administrator take to deploy the new roles in each of the organization’s accounts?

A) Create a service control policy (SCP) in the organization to add the new IAM roles to each account.

B) Deploy an AWS CloudFormation change set to the organization with a template to create the new IAM roles.

C) Use AWS CloudFormation StackSets to deploy a template to each account to create the new IAM roles.

D) Use AWS Config to create an organization rule to add the new IAM roles to each account.

64 / 65

64. Your organization is preparing to leverage AWS Cloudformation. Which of the below statements will NOT help you to correctly describe Cloudformation?

A) Cloudformation follows the DevOps model for the creation of Dev and Test.

B) AWS Cloudformation does not charge the user for its service but only charges for the AWS resources created with it.

C) Cloudformation works with a wide variety of AWS services, such as EC2, EBS, VPC, IAM, S3, RDS, ELB, and so on.

D) CloudFormation provides a set of application bootstrapping scripts which enables the user to install Software.

65 / 65

65. Your company is moving towards tracking web page users with a small tracking image loaded on each page. Currently you are serving this image out of US-East, but are starting to get concerned about the time it takes to load the image for users on the west coast. What are the two best ways to speed up serving this image? (Select Two)

A) Use Route 53s Latency Based Routing and serve the image out of US-West-2 as well as US-East-1

B) Serve the image out through CloudFront

C) Serve the image out of S3 so that it isn't being served off your web application tier

D) Use EBS PIOPs to serve the image faster out of your EC2 instances

Your score is

The average score is 10%

Exit