Amazon SOA-C02 Question Answers

What is Amazon SOA-C02?

Amazon SOA-C02 is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The AWS Sysops Administrator Certification validates a candidate's expertise to work with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the AWS Certified SysOps Administrator - Associate (SOA-C02) Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon SOA-C02 Practice Questions. Passing AWS Certified SysOps Administrator - Associate (SOA-C02) will be your ticket to a better future!

Pass with Amazon SOA-C02 Braindumps!

Contrary to the belief that certification exams are generally hard to get through, passing AWS Certified SysOps Administrator - Associate (SOA-C02) is incredibly easy. Provided you have access to a reliable resource such as Salesforcexamdumps.com Amazon SOA-C02 PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing Amazon AWS Sysops Administrator certification is all about having the right information. Hence, we filled our Amazon SOA-C02 Dumps with all the necessary data you need to pass. These carefully curated sets of AWS Certified SysOps Administrator - Associate (SOA-C02) Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon SOA-C02 Braindumps now!

We aim to provide all AWS Sysops Administrator certification exam candidates with the best resources at minimum rates. You can check out our free demo before pressing down the download to ensure Amazon SOA-C02 Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.

Why Choose Amazon SOA-C02 PDF?

Unlike other websites, Salesforcexamdumps.com prioritize the benefits of the AWS Certified SysOps Administrator - Associate (SOA-C02) candidates. Not every Amazon exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand that's why we are here with the AWS Sysops Administrator solutions. Amazon SOA-C02 Question Answers offers two different formats PDF and Online Test Engine. One is for customers who like online platforms for real-like Exam stimulation. The other is for ones who prefer keeping their material close at hand. Moreover, you can download or print Amazon SOA-C02 Dumps with ease.

If you still have some queries, our team of experts is 24/7 in service to answer your questions. Just leave us a quick message in the chat-box below or email at [email protected].

Question # 1

A company needs to archive all audit logs for 10 years. The company must protect the logsfrom any future edits.Which solution will meet these requirements?

A. Store the data in an Amazon Elastic Block Store (Amazon EBS) volume. Configure AWSKey Management Service (AWS KMS) encryption.
B. Store the data in an Amazon S3 Glacier vault. Configure a vault lock policy for writeonce,read-many (WORM) access.
C. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Configureserver-side encryption.
D. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Configuremulti-factor authentication (MFA).

Show Answer

---

Question # 2

A SysOps administrator has successfully deployed a VPC with an AWS Cloud Formationtemplate The SysOps administrator wants to deploy me same template across multipleaccounts that are managed through AWS Organizations.Which solution will meet this requirement with the LEAST operational overhead?

A. Assume the OrganizationAccountAcccssKolc IAM role from the management account.Deploy the template in each of the accounts
B. Create an AWS Lambda function to assume a role in each account Deploy the templateby using the AWS CloudFormation CreateStack API call
C. Create an AWS Lambda function to query fc a list of accounts Deploy the template byusing the AWS Cloudformation CreateStack API call.
D. Use AWS CloudFormation StackSets from the management account to deploy thetemplate in each of the accounts

Show Answer

---

Question # 3

A company has a memory-intensive application that runs on a fleet of Amazon EC2instances behind an Elastic Load Balancer (ELB). The instances run in an Auto Scalinggroup. A Sysops administrator must ensure that the application can scale based on thenumber of users that connect to the application.Which solution will meet these requirements?

A. Create a scaling policy that will scale the application based on theActiveConnectionCount Amazon CloudWatch metric that is generated from the ELB.
B. Create a scaling policy that will scale the application based on the mem used AmazonCloudWatch metric that is generated from the ELB.
C. Create a scheduled scaling policy to increase the number of EC2 instances in the AutoScaling group to support additional connections.
D. Create and deploy a script on the ELB to expose the number of connected users as acustom Amazon CloudWatch metric. Create a scaling policy that uses the metric.

Show Answer

---

Question # 4

A company needs to automatically monitor an AWS account for potential unauthorizedAWS Management Console logins from multiple geographic locations.Which solution will meet this requirement?

A. Configure Amazon Cognito to detect any compromised 1AM credentials.
B. Set up Amazon Inspector. Scan and monitor resources for unauthorized logins.
C. Set up AWS Config. Add the iam-policy-blacklisted-check managed rule to the account.
D. Configure Amazon GuardDuty to monitor theUnauthorizedAccess:IAMUser/ConsoleLoginSuccess finding.

Show Answer

---

Question # 5

A company has two VPC networks named VPC A and VPC B. The VPC A CIDR block is10.0.0.0/16 and the VPC B CIDR block is 172.31.0.0/16. The company wants to establish aVPC peering connection named pcx-12345 between both VPCs.Which rules should appear in the route table of VPC A after configuration? (Select TWO.)

A. Destination: 10.0.0.0/16, Target: Local
B. Destination: 172.31.0.0/16, Target: Local
C. Destination: 10.0.0.0/16, Target: pcx-12345
D. Destination: 172.31.0.0/16, Target: pcx-12345
E. Destination: 10.0.0.0/16. Target: 172.31.0.0/16

Show Answer

---

Question # 6

A company needs to implement a managed file system to host Windows file shares forusers on premises. Resources in the AWS Cloud also need access to the data on these fileshares. A SysOps administrator needs to present the user file shares on premises andmake the user file shares available on AWS with minimum latency. What should the SysOps administrator do to meet these requirements?

A. Set up an Amazon S3 File Gateway.
B. Set up an AWS Direct Connect connection.
C. Use AWS DataSync to automate data transfers between the existing file servers andAWS.
D. Set up an Amazon FSx File Gateway.

Show Answer

---

Question # 7

A company has created a NAT gateway in a public subnet in a VPC. The VPC alsocontains a private subnet that includes Amazon EC2 instances. The EC2 instances use theNAT gateway to access the internet to download patches and updates. The company hasconfigured a VPC flow log for the elastic network interface of the NAT gateway. Thecompany is publishing the output to Amazon CloudWatch Logs.A SysOps administrator must identify the top five internet destinations that the EC2instances in the private subnet communicate with for downloads.What should the SysOps administrator do to meet this requirement in the MOSToperationally efficient way?

A. Use AWS CloudTrail Insights events to identify the top five internet destinations.
B. Use Amazon CloudFront standard logs (access logs) to identify the top five internetdestinations.
C. Use CloudWatch Logs Insights to identify the top five internet destinations.
D. Change the flow log to publish logs to Amazon S3. Use Amazon Athena to query the logfiles in Amazon S3.

Show Answer

---

Question # 8

A SysOps administrator needs to delete an AWS CloudFormation stack that is no longer inuse. The CloudFormation stack is in the DELETE_FAILED state. The SysOps administratorhas validated the permissions that are required to delete the Cloud Formation stack.

A. The configured timeout to delete the stack was too low for the delete operation tocomplete.
B. The stack contains nested stacks that must be manually deleted fast.
C. The stack was deployed with the -disable rollback option.
D. There are additional resources associated with a security group in the stack
E. There are Amazon S3 buckets that still contain objects in the stack.

Show Answer

---

Question # 9

A SysOps administrator needs to track the costs of data transfer between AWS Regions.The SysOps administrator must implement a solution to send alerts to an email distributionlist when transfer costs reach 75% of a specific threshold.What should the SysOps administrator do to meet these requirements?

A. Create an AWS Cost and Usage Report. Analyze the results in Amazon Athena.Configure an alarm to publish a message to an Amazon Simple Notification Service(Amazon SNS) topic when costs reach 75% of the threshold. Subscribe the emaildistribution list to the topic.
B. Create an Amazon CloudWatch billing alarm to detect when costs reach 75% of thethreshold. Configure the alarm to publish a message to an Amazon Simple NotificationService (Amazon SNS) topic. Subscribe the email distribution list to the topic.
C. Use AWS Budgets to create a cost budget for data transfer costs. Set an alert at 75% ofthe budgeted amount. Configure the budget to send a notification to the email distributionlist when costs reach 75% of the threshold.
D. Set up a VPC flow log. Set up a subscription filter to an AWS Lambda function toanalyze data transfer. Configure the Lambda function to send a notification to the emaildistribution list when costs reach 75% of the threshold.

Show Answer

---

Question # 10

A company hosts a web application on an Amazon EC2 instance. The web server logs arepublished to Amazon CloudWatch Logs. The log events have the same structure andinclude the HTTP response codes that are associated with the user requests. Thecompany needs to monitor the number of times that the web server returns an HTTP 404response. What is the MOST operationally efficient solution that meets these requirements?

A. Create a CloudWatch Logs metric filter that counts the number of times that the webserver returns an HTTP 404 response.
B. Create a CloudWatch Logs subscription filter that counts the number of times that theweb server returns an HTTP 404 response.
C. Create an AWS Lambda function that runs a CloudWatch Logs Insights query thatcounts the number of 404 codes in the log events during the past hour.
D. Create a script that runs a CloudWatch Logs Insights query that counts the number of404 codes in the log events during the past hour.

Show Answer

---

Question # 11

A company has a stateless application that is hosted on a fleet of 10 Amazon EC2 On-Demand Instances in an Auto Scaling group. A minimum of 6 instances are needed tomeet service requirements.Which action will maintain uptime for the application MOST cost-effectively?

A. Use a Spot Fleet with an On-Demand capacity of 6 instances.
B. Update the Auto Scaling group with a minimum of 6 On-Demand Instances and amaximum of 10 On-Demand Instances.
C. Update the Auto Scaling group with a minimum of 1 On-Demand Instance and amaximum of 6 On-Demand Instances.
D. Use a Spot Fleet with a target capacity of 6 instances.

Show Answer

---

Question # 12

A company runs an application on Amazon EC2 instances. The EC2 instances are in anAuto Scaling group and run behind an Application Load Balancer (ALB). The applicationexperiences errors when total requests exceed 100 requests per second. A SysOpsadministrator must collect information about total requests for a 2-week period to determine when requests exceeded this threshold.What should the SysOps administrator do to collect this data?

A. Use the ALB’s RequestCount metric. Configure a time range of 2 weeks and a period of1 minute. Examine the chart to determine peak traffic times and volumes.
B. Use Amazon CloudWatch metric math to generate a sum of request counts for all theEC2 instances over a 2-week period. Sort by a 1-minute interval.
C. Create Amazon CloudWatch custom metrics on the EC2 launch configuration templatesto create aggregated request metrics across all the EC2 instances.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure an EC2event matching pattern that creates a metric that is based on EC2 requests. Display thedata in a graph.

Show Answer

---

Question # 13

A company’s AWS Lambda function is experiencing performance issues. The Lambdafunction performs many CPU-intensive operations. The Lambda function is not running fastenough and is creating bottlenecks in the system.What should a SysOps administrator do to resolve this issue?

A. In the CPU launch options for the Lambda function, activate hyperthreading.
B. Turn off the AWS managed encryption.
C. Increase the amount of memory for the Lambda function.
D. Load the required code into a custom layer.

Show Answer

---

Question # 14

A company plans to migrate several of its high performance computing (MPC) virtualmachines (VMs) to Amazon EC2 instances on AWS. A SysOps administrator must identifya placement group for this deployment. The strategy must minimize network latency andmust maximize network throughput between the HPC VMs.Which strategy should the SysOps administrator choose to meet these requirements?

A. Deploy the instances in a cluster placement group in one Availability Zone.
B. Deploy the instances in a partition placement group in two Availability Zones
C. Deploy the instances in a partition placement group in one Availability Zone
D. Deploy the instances in a spread placement group in two Availably Zones

Show Answer

---

Question # 15

A company is using Amazon CloudFront to serve static content for its web application to itsusers. The CloudFront distribution uses an existing on-premises website as a customorigin.The company requires the use of TLS between CloudFront and the origin server. Thisconfiguration has worked as expected for several months. However, users are nowexperiencing HTTP 502 (Bad Gateway) errors when they view webpages that includecontent from the CloudFront distribution.What should a SysOps administrator do to resolve this problem?

A. Examine the expiration date on the certificate on the origin site. Validate that thecertificate has not expired. Replace the certificate if necessary.
B. Examine the hostname on the certificate on the origin site. Validate that the hostnamematches one of the hostnames on the CloudFront distribution. Replace the certificate ifnecessary.
C. Examine the firewall rules that are associated with the origin server. Validate that port443 is open for inbound traffic from the internet. Create an inbound rule if necessary.
D. Examine the network ACL rules that are associated with the CloudFront distribution.Validate that port 443 is open for outbound traffic to the origin server. Create an outboundrule if necessary.

Show Answer

---

Question # 16

A Sysops administrator has created an Amazon EC2 instance using an AWSCloudFormation template in the us-east-I Region. The administrator finds that thistemplate has failed to create an EC2 instance in the us-west-2 Region.What is one cause for this failure?

A. Resource tags defined in the CloudFormation template are specific to the us-east-IRegion.
B. The Amazon Machine Image (AMI) ID referenced in the CloudFormation template couldnot be found in the us-west-2 Region.
C. The cfn-init script did not run during resource provisioning in the us-west-2 Region.
D. The IAM user was not created in the specified Region.

Show Answer

---

Question # 17

A company has a public website that recently experienced problems. Some links led tomissing webpages, and other links rendered incorrect webpages. The applicationinfrastructure was running properly, and all the provisioned resources were healthy.Application logs and dashboards did not show any errors, and no monitoring alarms wereraised. Systems administrators were not aware of any problems until end users reportedthe issues.The company needs to proactively monitor the website for such issues in the future andmust implement a solution as soon as possible.Which solution will meet these requirements with the LEAST operational overhead?

A. Rewrite the application to surface a custom error to the application log when issues occur. Automatically parse logs for errors. Create an Amazon CloudWatch alarm to providealerts when issues are detected.
B. Create an AWS Lambda function to test the website. Configure the Lambda function toemit an Amazon CloudWatch custom metric when errors are detected. Configure aCloudWatch alarm to provide alerts when issues are detected.
C. Create an Amazon CloudWatch Synthetics canary. Use the CloudWatch SyntheticsRecorder plugin to generate the script for the canary run. Configure the canary in line withrequirements. Create an alarm to provide alerts when issues are detected.

Show Answer

---

Question # 18

A company's VPC has connectivity to an on-premises data center through an AWS Site-to-Site VPN. The company needs Amazon EC2 instances in the VPC to send DNS queries forexample com to the DNS servers in the data center.Which solution will meet these requirements?

A. Create an Amazon Route 53 Resolver inbound endpoint Create a conditional forwardingrule on the on-primes DNS servers to forward DNS requests for example.com to theinbound endpoints.
B. Create an Amazon Route 53 Resolver inbound endpoint Create a forwarding rule on theresolver that sends all queries for example.com to the on-premises DNS servers. Associatethis rule with the VPC.
C. Create an Amazon Route 53 Resolver outbound endpoint Create a conditionalforwarding rule on the on-premises DNS servers to forward DNS requests for example.comto the outbound endpoints
D. Create an Amazon Route 53 Resolver outbound endpoint. Create a forwarding rule onthe resolver that sends all queries for exarrc4e.com to the on-premises DNS serversAssociate this rule with the VPC.

Show Answer

---

Question # 19

A company plans to launch a static website on its domain example com and subdomainwww example.com using Amazon S3. How should the SysOps administrator meet thisrequirement?

A. Create one S3 bucket named example.com for both the domain and subdomain.
B. Create one S3 bucket with a wildcard named '.example.com tor both the domain andsubdomain.
C. Create two S3 buckets named example.com and www.exdmpte.com. Configure thesubdomain bucket to redirect requests to the domain bucket.
D. Create two S3 buckets named http//example.com and http//" exampte.com. Configurethe wildcard (') bucket to redirect requests to the domain bucket.

Show Answer

---

Question # 20

A Sysops administrator creates an Amazon Elastic Kubernetes Service (Amazon EKS)cluster that uses AWS Fargate. The cluster is deployed successfully. The Sysopsadministrator needs to manage the cluster by using the kubect1 command line tool.Which of the following must be configured on the Sysops administrator's machine so thatkubect1 can communicate with the cluster API server?

A. The kubeconfig file
B. The kube-proxy Amazon EKS add-on
C. The Fargate profile
D. The eks-connector.yaml file

Show Answer

---

Question # 21

A company is attempting to manage its costs in the AWS Cloud. A SysOps administratorneeds specific company-defined tags that are assigned to resources to appear on thebilling report.What should the SysOps administrator do to meet this requirement?

A. Activate the tags as AWS generated cost allocation tags.
B. Activate the tags as user-defined cost allocation tags.
C. Create a new cost category. Select the account billing dimension.
D. Create a new AWS Cost and Usage Report. Include the resource IDs.

Show Answer

---

Question # 22

A company has an application that runs only on Amazon EC2 Spot Instances. Theinstances run in an Amazon EC2 Auto Scaling group with scheduled scaling actions.However, the capacity does not always increase at the scheduled times, and instancesterminate many times a day. A Sysops administrator must ensure that the instances launchon time and have fewer interruptions. Which action will meet these requirements?

A. Specify the capacity-optimized allocation strategy for Spot Instances. Add more instancetypes to the Auto Scaling group.
B. Specify the capacity-optimized allocation strategy for Spot Instances. Increase the sizeof the instances in the Auto Scaling group.
C. Specify the lowest-price allocation strategy for Spot Instances. Add more instance typesto the Auto Scaling group.
D. Specify the lowest-price allocation strategy for Spot Instances. Increase the size of theinstances in the Auto Scaling group.

Show Answer

---

Question # 23

A company is storing backups in an Amazon S3 bucket. The backups must not be deletedfor at least 3 months after the backups are created.What should a SysOps administrator do to meet this requirement?

A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Threemonths after an object is written, remove the policy.
B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups inthe new S3 bucket with a retention period of 3 months.
C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protectthe backups.
D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.

Show Answer

---

Question # 24

A company hosts a web portal on Amazon EC2 instances. The web portal uses an ElasticLoad Balancer (ELB) and Amazon Route 53 for its public DNS service. The ELB and theEC2 instances are deployed by way of a single AWS CloudFormation stack in the us-east-1 Region. The web portal must be highly available across multiple Regions.Which configuration will meet these requirements?

A. Deploy a copy of the stack in the us-west-2 Region. Create a single start of authority(SOA) record in Route 53 that includes the IP address from each ELB. Configure the SOArecord with health checks. Use the ELB in us-east-1 as the primary record and the ELB inus-west-2 as the secondary record.
B. Deploy a copy of the stack in the us-west-2 Region. Create an additional A record inRoute 53 that includes the ELB in us-west-2 as an alias target. Configure the A recordswith a failover routing policy and health checks. Use the ELB in us-east-1 as the primaryrecord and the ELB in us-west-2 as the secondary record.
C. Deploy a new group of EC2 instances in the us-west-2 Region. Associate the new EC2instances with the existing ELB, and configure load balancer health checks on all EC2instances. Configure the ELB to update Route 53 when EC2 instances in us-west-2 failhealth checks.
D. Deploy a new group of EC2 instances in the us-west-2 Region. Configure EC2 healthchecks on all EC2 instances in each Region. Configure a peering connection between theVPCs. Use the VPC in us-east-1 as the primary record and the VPC in us-west-2 as thesecondary record.

Show Answer

---

Question # 25

A company wants to create an automated solution for all accounts managed by AWSOrganizations to detect any worry groups that urn 0.0.0.0/0 as the source address forinbound traffic. The company also wants to automatically remediate any noncompliantsecurity groups by restricting access to a specific CIDR block corresponds with thecompany's intranet.

A. Create an AWS Config rule to detect noncompliant security groups. Set up automaticremediation to change the 0.0.0.0/0 source address to the approved CIDK block.
B. Create an IAM policy to deny the creation of security groups that have 0.0.0.0/0 as thesource address Attach this 1AM policy to every user in the company.
C. Create an AWS Lambda function to inspect now and existing security groups check for anoncompliant 0.0.0.0A) source address and change the source address to the approvedCIDR block.
D. Create a service control policy (SCP) for the organizational unit (OU) to deny thecreation of security groups that have the 0.0.0.0/0 source address. Set up automaticremediation to change Vie 0.0.0.0/0 source address to the approved CIDR block.

Show Answer

---

Question # 26

A company’s SysOps administrator regularly checks the AWS Personal Health Dashboardin each of the company’s accounts. The accounts are part of an organization in AWSOrganizations. The company recently added 10 more accounts to the organization. TheSysOps administrator must consolidate the alerts from each account’s Personal HealthDashboard.Which solution will meet this requirement with the LEAST amount of effort?

A. Enable organizational view in AWS Health.
B. Configure the Personal Health Dashboard in each account to forward events to a centralAWS CloudTrail log.
C. Create an AWS Lambda function to query the AWS Health API and to write all events toan Amazon DynamoDB table.
D. Use the AWS Health API to write events to an Amazon DynamoDB table.

Show Answer

---

Question # 27

A company runs hundreds of Amazon EC2 instances in a single AWS Region. Each EC2instance has two attached 1 GiB General Purpose SSD (gp2) Amazon Elastic Block Store(Amazon EBS) volumes. A critical workload is using all the available IOPS capacity on theEBS volumes.According to company policy, the company cannot change instance types or EBS volumetypes without completing lengthy acceptance tests to validate that the company’sapplications will function properly. A SysOps administrator needs to increase the I/Operformance of the EBS volumes as quickly as possible.Which action should the SysOps administrator take to meet these requirements?

A. Increase the size of the 1 GiB EBS volumes.
B. Add two additional elastic network interfaces on each EC2 instance.
C. Turn on Transfer Acceleration on the EBS volumes in the Region.
D. Add all the EC2 instances to a cluster placement group.

Show Answer

---

Question # 28

A company recently purchased Savings Plans. The company wants to receive emailnotification when the company’s utilization drops below 90% for a given day.Which solution will meet this requirement?

A. Create an Amazon CloudWatch alarm to monitor the Savings Plan check in AWSTrusted Advisor. Configure an Amazon Simple Queue Service (Amazon SQS) queue foremail notification when the utilization drops below 90% for a given day.
B. Create an Amazon CloudWatch alarm to monitor the SavingsPlansUtilization metricunder the AWS/SavingsPlans namespace in CloudWatch. Configure an Amazon SimpleQueue Service (Amazon SQS) queue for email notification when the utilization drops below90% for a given day.
C. Create a Savings Plans alert to monitor the daily utilization of the Savings Plans.Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notificationwhen the utilization drops below 90% for a given day.
D. Use AWS Budgets to create a Savings Plans budget to track the daily utilization of theSavings Plans. Configure an Amazon Simple Notification Service (Amazon SNS) topic foremail notification when the utilization drops below 90% for a given day.

Show Answer

---

Question # 29

A company’s application currently uses an IAM role that allows all access to all AWSservices. A SysOps administrator must ensure that the company’s IAM policies allow onlythe permissions that the application requires.How can the SysOps administrator create a policy to meet this requirement?

A. Turn on AWS CloudTrail. Generate a policy by using AWS Security Hub.
B. Turn on Amazon EventBridge (Amazon CloudWatch Events). Generate a policy byusing AWS Identity and Access Management Access Analyzer.
C. Use the AWS CLI to run the get-generated-policy command in AWS Identity and AccessManagement Access Analyzer.
D. Turn on AWS CloudTrail. Generate a policy by using AWS Identity and AccessManagement Access Analyzer.

Show Answer

---

Question # 30

A company is managing many accounts by using a single organization in AWSOrganizations. The organization has all features enabled. The company wants to turn onAWS Config in all the accounts of the organization and in all AWS Regions.What should a Sysops administrator do to meet these requirements in the MOSToperationally efficient way?

A. Use AVVS CloudFormation StackSets to deploy stack instances that turn on AWSConfig in all accounts and in all Regions.
B. Use AWS CloudFormation StackSets to deploy stack policies that turn on AWS Configin all accounts and in all Regions.
C. Use service control policies (SCPs) to configure AWS Config in all accounts and in allRegions.
D. Create a script that uses the AWS CLI to turn on AWS Config in all accounts in theorganization. Run the script from the organization's management account.

Show Answer

---

Question # 31

A company hosts an application on an Amazon EC2 instance in a single AWS Region. Theapplication requires support for non-HTTP TCP traffic and HTTP traffic.The company wants to deliver content with low latency by leveraging the AWS network.The company also wants to implement an Auto Scaling group with anElastic Load Balancer.How should a SysOps administrator meet these requirements?

A. Create an Auto Scaling group with an Application Load Balancer (ALB). Add an AmazonCloudFront distribution with the ALB as the origin.
B. Create an Auto Scaling group with an Application Load Balancer (ALB). Add anaccelerator with AWS Global Accelerator with the ALB as an endpoint.
C. Create an Auto Scaling group with a Network Load Balancer (NLB). Add an AmazonCloudFront distribution with the NLB as the origin.
D. Create an Auto Scaling group with a Network Load Balancer (NLB). Add an acceleratorwith AWS Global Accelerator with the NLB as an endpoint.

Show Answer

---

Question # 32

A company plans to deploy a database on an Amazon Aurora MySQL DB cluster. Thedatabase will store data for a demonstration environment. The data must be reset on adaily basis. What is the MOST operationally efficient solution that meets these requirements?

A. Create a manual snapshot of the DB cluster after the data has been populated. Createan Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambdafunction on a daily basis. Configure the function to restore the snapshot and then delete theprevious DB cluster.
B. Enable the Backtrack feature during the creation of the DB cluster. Specify a targetbacktrack window of 48 hours. Create an Amazon EventBridge (Amazon CloudWatchEvents) rule to invoke an AWS Lambda function on a daily basis. Configure the function toperform a backtrack operation.
C. Export a manual snapshot of the DB cluster to an Amazon S3 bucket after the data hasbeen populated. Create an Amazon EventBridge (Amazon CloudWatch Events) rule toinvoke an AWS Lambda function on a daily basis. Configure the function to restore thesnapshot from Amazon S3.
D. Set the DB cluster backup retention period to 2 days. Create an Amazon EventBridge(Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis.Configure the function to restore the DB cluster to a point in time and then delete theprevious DB cluster.

Show Answer

---

Question # 33

A SysOps administrator needs to secure the credentials for an Amazon RDS database that is created by an AWS CloudFormation template. The solution must encrypt the credentials and must support automatic rotation. Which solution will meet these requirements?

A. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:secretsmanager dynamic reference. 
B. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm-secure dynamic reference. 
C. Create an AWS::SSM::Parameter resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm dynamic reference. 
D. Create parameters for the database credentials in the CloudFormation template. Use the Ref intrinsic function to provide the credentials to the AWS::RDS::DBInstance resource. 

Show Answer

---

Question # 34

A company stores critical data m Amazon S3 buckets. A SysOps administrator must build a solution to record all S3 API activity. Which action will meet this requirement? 

A. Configure S3 bucket metrics to record object access logs
 B. Create an AWS CloudTrail trail to log data events tor all S3 objects 
C. Enable S3 server access logging for each S3 bucket 
D. Use AWS IAM Access Analyzer for Amazon S3 to store object access logs. 

Show Answer

---

Question # 35

A company with multiple AWS accounts needs to obtain recommendations for AWS Lambda functions and identify optimal resource configurations for each Lambda function. How should a SysOps administrator provide these recommendations?

A. Create an AWS Serverless Application Repository and export the Lambda function recommendations. 
B. Enable AWS Compute Optimizer and export the Lambda function recommendations 
C. Enable all features of AWS Organization and export the recommendations from AWS CloudTrail Insights. 
D. Run AWS Trusted Advisor and export the Lambda function recommendations 

Show Answer

---

Question # 36

A company's SysOps administrator needs to change the AWS Support plan for one of the company's AWS accounts. The account has multi-factor authentication (MFA) activated, and the MFA device is lost. What should the SysOps administrator do to sign in? 

A. Sign in as a root user by using email and phone verification. Set up a new MFA device. Change the root user password. 
B. Sign in as an 1AM user with administrator permissions. Resynchronize the MFA token by using the 1AM console. 
C. Sign in as an 1AM user with administrator permissions. Reset the MFA device for the root user by adding a new device. 
D. Use the forgot-password process to verify the email address. Set up a new password and MFA device. 

Show Answer

---

Question # 37

A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOpe administrator notices that some of these EC2 instances show up as heathy in the Auto Scaling g-out but show up as unhealthy in the ALB target group. What is a possible reason for this issue? 

A. Security groups ate rot allowing traffic between the ALB and the failing EC2 instances 
B. The Auto Seating group health check is configured for EC2 status checks 
C. The EC2 instances are failing to launch and failing EC2 status checks. 
D. The target group health check is configured with an incorrect port or path 

Show Answer

---

Question # 38

A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video tiles into the destination S3 bucket m toe United States. What are the MOST cost-effective ways to increase upload speeds into the S3 bucket? (Select TWO.) 

A. Create multiple AWS Direct Connect connections between AWS and branch offices in Europe and Australia tor He uploads into the destination S3 bucket 
B. Create multiple AWS Site-to-Site VPN connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket. 
C. Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket. 
D. Use AWS Global Accelerator for file uploads into the destination S3 bucket from the branch offices in Europe and Australia. 
E. Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia. 

Show Answer

---

Question # 39

A company uses an Amazon S3 bucket to store data files. The S3 bucket contains hundreds of objects. The company needs to replace a tag on all the objects in the S3 bucket with another tag. What is the MOST operationally efficient way to meet this requirement? 

A. Use S3 Batch Operations. Specify the operation to replace all object tags. 
B. Use the AWS CLI to get the tags for each object. Save the tags in a list. Use S3 Batch Operations. Specify the operation to delete all object tags. Use the AWS CLI and the list to retag the objects. 
C. Use the AWS CLI to get the tags for each object. Save the tags in a list. Use the AWS CLI and the list to remove the object tags. Use the AWS CLI and the list to retag the objects.
 D. Use the AWS CLI to copy the objects to another S3 bucket. Add the new tag to the copied objects. Delete the original objects. 

Show Answer

---

Question # 40

A company wants to use only IPv6 for all its Amazon EC2 instances. The EC2 instances must not be accessible from the internet, but the EC2 instances must be able to access the internet. The company creates a dual-stack VPC and IPv6-only subnets. How should a SysOps administrator configure the VPC to meet these requirements?

A. Create and attach a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.
 B. Create and attach an internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway. Attach the custom route table to the IPv6-only subnets. 
C. Create and attach an egress-only internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gateway. Attach the custom route table to the IPv6-only subnets. 
D. Create and attach an internet gateway and a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway and all IPv4 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets. 

Show Answer

---

Question # 41

A company updates its security policy to prohibit the public exposure of any data in Amazon S3 buckets in the company's account. What should a SysOps administrator do to meet this requirement? 

A. Turn on S3 Block Public Access from the account level. 
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private. 
C. Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found. 
D. Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private. 

Show Answer

---

Question # 42

A SysOps administrator configuring AWS Client VPN to connect use's on a corporate network to AWS resources mat are running in a VPC According to compliance requirements, only traffic that is destined for the VPC can travel across the VPN tunnel. How should the SysOps administrator configure Client VPN to meet these requirements?

 A. Associate the Client VPN endpoint with a private subnet that has an internet route through a NAT gateway. 
B. On the Client VPN endpoint, turns on the split-tunnel option. 
C. On the Client VPN endpoint, specify DNS server IP addresses
 D. Select a private certificate to use as the identity certificate tor the VPN client. 

Show Answer

---

Question # 43

A SysOps administrator is configuring an application on Amazon EC2 instances for a company Teams in other countries will use the application over the internet. The company requires the application endpoint to have a static pubic IP address. How should the SysOps administrator deploy the application to meet this requirement? 

A. Behind an Amazon API Gateway API 
B. Behind an Application Load Balancer 
C. Behind an internet-facing Network Load Balancer 
D. In an Amazon CloudFront distribution 

Show Answer

---

Question # 44

A company hosts a web portal on Amazon EC2 instances. The web portal uses an Elastic Load Balancer (ELB) and Amazon Route 53 for its public DNS service. The ELB and the EC2 instances are deployed by way of a single AWS CloudFormation stack in the us-east1 Region. The web portal must be highly available across multiple Regions. Which configuration will meet these requirements? 

A. Deploy a copy of the stack in the us-west-2 Region. Create a single start of authority (SOA) record in Route 53 that includes the IP address from each ELB. Configure the SOA record with health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record. 
B. Deploy a copy of the stack in the us-west-2 Region. Create an additional A record in Route 53 that includes the ELB in us-west-2 as an alias target. Configure the A records with a failover routing policy and health checks. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record. 
C. Deploy a new group of EC2 instances in the us-west-2 Region. Associate the new EC2 instances with the existing ELB, and configure load balancer health checks on all EC2 instances. Configure the ELB to update Route 53 when EC2 instances in us-west-2 fail health checks. 
D. Deploy a new group of EC2 instances in the us-west-2 Region. Configure EC2 health checks on all EC2 instances in each Region. Configure a peering connection between the VPCs. Use the VPC in us-east-1 as the primary record and the VPC in us-west-2 as the secondary record.

Show Answer

---

Question # 45

A company's SysOps administrator must ensure that all Amazon EC2 Windows instances that are launched in an AWS account have a third-party agent installed. The third-party agent has an msi package. The company uses AWS Systems Manager for patching, and the Windows instances are tagged appropriately. The third-party agent required periodic updates as new versions are released. The SysOps administrator must deploy these updates automatically Which combination of steps will meet these requirements with the LEAST operational effort? (Seed TWO.) Create a Systems Manager Distributor package for the third-party agent.  

A. Make sure that Systems Manager Inventory Is configured. If Systems Manager Inventory is not configured, set up a new inventory tor instances that is based on the appropriate tag value for Windows. 
B. Create a Systems Manager State Manager association to run the AWSRunRemoteScript document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day 
C. Create a Systems Manager State Manager- association to run the AWSConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows with a schedule of 1 day
 D. Create a Systems Manager Opsitem with the tag value for Windows Attach the Systems Manager Distributor package to the Opsitem. Create a maintenance window that is specific to the package deployment Configure the maintenance window to cover 24 hours a day. 

Show Answer

---

Question # 46

A company's SysOps administrator deploys a public Network Load Balancer (NLB) in front of the company's web application. The web application does not use any Elastic IP addresses. Users must access the web application by using the company's domain name. The SysOps administrator needs to configure Amazon Route 53 to route traffic to the NLB. Which solution will meet these requirements MOST cost-effectively? 

A. Create a Route 53 AAAA record for the NLB. 
B. Create a Route 53 alias record for the NLB. 
C. Create a Route 53 CAA record for the NLB. 
D. Create a Route 53 CNAME record for the NLB. 

Show Answer

---

Question # 47

A company runs several workloads on AWS. The company identifies five AWS Trusted Advisor service quota metrics to monitor in a specific AWS Region. The company wants to receive email notification each time resource usage exceeds 60% of one of the service quotas. Which solution will meet these requirements? 

A. Create five Amazon CloudWatch alarms, one for each Trusted Advisor service quota metric. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification each time that usage exceeds 60% of one of the service quotas. 
B. Create five Amazon CloudWatch alarms, one for each Trusted Advisor service quota metric. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification each time that usage exceeds 60% of one of the service quotas. 
C. Use the AWS Service Health Dashboard to monitor each Trusted Advisor service quota metric. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification each time that usage exceeds 60% of one of the service quotas. 
D. Use the AWS Service Health Dashboard to monitor each Trusted Advisor service quota metric. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification each time that usage exceeds 60% of one of the service quotas. 

Show Answer

---

Question # 48

A company recently its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch metrics to track instance memory utilization and available disk space. What should a SysOps administrator do to meet these requirements? 

A. Configure CloudWatch from the AWS Management Console tor all the instances that require monitoring by CloudWatch. AWS automatically installs and configures the agents far the specified instances. 
B. Install and configure the CloudWatch agent on all the instances Attach an IAM role to allow the instances to write logs to CloudWatch. 
C. Install and configure the CloudWatch agent on all the instances Attach an IAM user to allow the instances to write logs to CloudWatch. 
D. Install and configure the CloudWatch agent on all the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch 

Show Answer

---

Question # 49

A company's VPC has connectivity to an on-premises data center through an AWS Site-toSite VPN. The company needs Amazon EC2 instances in the VPC to send DNS queries for example com to the DNS servers in the data center. Which solution will meet these requirements?

A. Create an Amazon Route 53 Resolver inbound endpoint Create a conditional forwarding rule on the on-primes DNS servers to forward DNS requests for example.com to the inbound endpoints. 
B. Create an Amazon Route 53 Resolver inbound endpoint Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS servers. Associate this rule with the VPC. 
C. Create an Amazon Route 53 Resolver outbound endpoint Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the outbound endpoints 
D. Create an Amazon Route 53 Resolver outbound endpoint. Create a forwarding rule on the resolver that sends all queries for exarrc4e.com to the on-premises DNS servers Associate this rule with the VPC. 

Show Answer

---

Question # 50

A company creates a new member account by using AWS Organizations. A SysOps administrator needs to add AWS Business Support to the new account Which combination of steps must the SysOps administrator take to meet this requirement? (Select TWO.) 

A. Sign in to the new account by using 1AM credentials. Change the support plan. 
B. Sign in to the new account by using root user credentials. Change the support plan. 
C. Use the AWS Support API to change the support plan. 
D. Reset the password of the account root user. 
E. Create an 1AM user that has administrator privileges in the new account. 

Show Answer

---

Question # 51

A company has a high-performance Windows workload. The workload requires a storage volume mat provides consistent performance of 10.000 KDPS. The company does not want to pay for additional unneeded capacity to achieve this performance. Which solution will meet these requirements with the LEAST cost? 

A. Use a Provisioned IOPS SSD (lol) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10.000 provisioned IOPS 
B. Use a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10.000 provisioned IOPS. 
C. Use an Amazon Elastic File System (Amazon EFS) file system w\ Max I/O mode. 
D. Use an Amazon FSx for Windows Fife Server foe system that is configured with 10.000 IOPS 

Show Answer

---

Question # 52

A SysOps administrator is testing an application mat is hosted on five Amazon EC2 instances The instances run in an Auto Scaling group behind an Application Load Balancer (ALB) High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out. Which action should the SysOps administrator take to meet these requirements? 

A. Enable instance scale-in protection. 
B. Place the instance into the Standby stale. 
C. Remove the listener from the ALB 
D. Suspend the Launch and Terminate process types.

Show Answer

---

Question # 53

A company hosts a database on an Amazon RDS Multi-AZ DB instance. The database is not encrypted. The company's new security policy requires all AWS resources to be encrypted at rest and in transit. What should a SysOps administrator do to encrypt the database? 

A. Configure encryption on the existing DB instance. 
B. Take a snapshot of the DB instance. Encrypt the snapshot. Restore the snapshot to the same DB instance. 
C. Encrypt the standby replica in a secondary Availability Zone. Promote the standby replica to the primary DB instance. 
D. Take a snapshot of the DB instance. Copy and encrypt the snapshot. Create a new DB instance by restoring the encrypted copy. 

Show Answer

---

Question # 54

A company has an initiative to reduce costs associated with Amazon EC2 and AWS Lambda. Which action should a SysOps administrator take to meet these requirements? 

A. Analyze the AWS Cost and Usage Report by using Amazon Athena to identity cost savings. 
B. Create an AWS Budgets alert to alarm when account spend reaches 80% of the budget. 
C. Purchase Reserved Instances through the Amazon EC2 console. 
D. Use AWS Compute Optimizer and take action on the provided recommendations. 

Show Answer

---

Question # 55

A SysOps administrator configures an Amazon S3 gateway endpoint in a VPC. The private subnets inside the VPC do not nave outbound internet access. A user logs in to an Amazon EC2 instance in one of the private subnets and cannot upload a file to an Amazon S3 bucket in the same AWS Region Which solution will solve this problem? 

A. Update the EC2 instance role policy to allow s3:PutObjed access to the target S3 bucket. 
B. Update the EC2 security group to allow outbound traffic to 0.0.0.070 for port 80.
C. Update the EC2 subnet route table to include the S3 prefix tot destination routes to the S3 gateway endpoint. 
D. Update the S3 bucket policy to allow s3 PurObject access from the private subnet OOR block. 

Show Answer

---

Question # 56

A company runs an application on an Amazon EC2 instance A SysOps administrator creates an Auto Scaling group and an Application Load Balancer (ALB) to handle an increase in demand However, the EC2 instances are failing tie health check. What should the SysOps administrator do to troubleshoot this issue? 

A. Verity that the Auto Scaling group is configured to use all AWS Regions.
 B. Verily that the application is running on the protocol and the port that the listens is expecting. 
C. Verify the listener priority in the ALB Change the priority if necessary. 
D. Verify the maximum number of instances in the Auto Scaling group Change the number if necessary 

Show Answer

---

Question # 57

A company is running an application on premises and wants to use AWS for data backup All of the data must be available locally The backup application can write only to blockbased storage that is compatible with the Portable Operating System Interface (POSIX) Which backup solution will meet these requirements?

A. Configure the backup software to use Amazon S3 as the target for the data backups 
B. Configure the backup software to use Amazon S3 Glacier as the target for the data backups 
C. Use AWS Storage Gateway, and configure it to use gateway-cached volumes 
D. Use AWS Storage Gateway, and configure it to use gateway-stored volumes 

Show Answer

---

Question # 58

A company applies user-defined tags to resources that are associated with me company's AWS workloads Twenty days after applying the tags, the company notices that it cannot use re tags to filter views in the AWS Cost Explorer console. What is the reason for this issue? 

A. It lakes at least 30 days to be able to use tags to filter views in Cost Explorer. 
B. The company has not activated the user-defined tags for cost allocation. 
C. The company has not created an AWS Cost and Usage Report 
D. The company has not created a usage budget in AWS Budgets

Show Answer

---

Question # 59

A SysOps administrator creates an AWS CloudFormation template to define an application stack that can be deployed in multiple AWS Regions. The SysOps administrator also creates an Amazon CloudWatch dashboard by using the AWS Management Console. Each deployment of the application requires its own CloudWatch dashboard. How can the SysOps administrator automate the creation of the CloudWatch dashboard each time the application is deployed?

A. Create a script by using the AWS CLI to run the aws cloudformation put-dashboard command with the name of the dashboard. Run the command each time a new CloudFormation stack is created.
 B. Export the existing CloudWatch dashboard as JSON. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Include the exported JSON in the resource's DashboardBody property. 
C. Update the CloudFormation template to define an resource. Use the intrinsic Ref function to reference the ID of the existing CloudWatch dashboard. 
D. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Specify the name of the existing dashboard in the DashboardName property. 

Show Answer

---

Question # 60

A SysOps administrator trust manage the security of An AWS account Recently an IAM users access key was mistakenly uploaded to a public code repository. The SysOps administrator must identity anything that was changed by using this access key. 

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all IAM events lo an AWS Lambda function for analysis 
B. Query Amazon EC2 togs by using Amazon CloudWatch Logs Insights for all events Heated with the compromised access key within the suspected timeframe 
C. Search AWS CloudTrail event history tor all events initiated with the compromised access key within the suspected timeframe 
D. Search VPC Flow Logs foe all events initiated with the compromised access key within the suspected Timeframe. 

Show Answer

---

Question # 61

A company wants to track its AWS costs in all member accounts that are part of an organization in AWS Organizations. Managers of the member accounts want to receive a notification when the estimated costs exceed a predetermined amount each month. The managers are unable to configure a billing alarm. The IAM permissions for all users are correct. What could be the cause of this issue? 

A. The management/payer account does not have billing alerts turned on. 
B. The company has not configured AWS Resource Access Manager (AWS RAM) to share billing information between the member accounts and the management/payer account. 
C. Amazon GuardDuty is turned on for all the accounts. 
D. The company has not configured an AWS Config rule to monitor billing. 

Show Answer

---

Question # 62

A SysOos administrator s tasked with analyzing database performance. The database runs on a single Amazon RDS D6 instance. The SysOps administrator finds that, during times of peak traffic, resources on the database are over utilized due to the amount of read traffic. Which actions should the SysOps administrator take to improve RDS performance? (Select TWO.) 

A. Add a read replica. 
B. Modify the application to use Amazon ElastiCache for Memcached. 
C. Migrate the database from RDS to Amazon DynamoDB. 
D. Migrate the database to Amazon EC2 with enhanced networking enabled 
E. Upgrade the database to a Multi-AZ deployment. 

Show Answer

---

Question # 63

A company is planning to host its stateful web-based applications on AWS A SysOps administrator is using an Auto Scaling group of Amazon EC2 instances The web applications will run 24 hours a day 7 days a week throughout the year The company must be able to change the instance type within the same instance family later in the year based on the traffic and usage patterns Which EC2 instance purchasing option will meet these requirements MOST costeffectively?

A. Convertible Reserved Instances
 B. On-Demand instances 
C. Spot instances 
D. Standard Reserved instances

Show Answer

---

Question # 64

A SysOps administrator has successfully deployed a VPC with an AWS Cloud Formation template The SysOps administrator wants to deploy me same template across multiple accounts that are managed through AWS Organizations. 

A. Assume the OrganizationAccountAcccssKolc IAM role from the management account. Deploy the template in each of the accounts 
B. Create an AWS Lambda function to assume a role in each account Deploy the template by using the AWS CloudFormation CreateStack API call 
C. Create an AWS Lambda function to query fc a list of accounts Deploy the template by using the AWS Cloudformation 
D. CreateStack API call. Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts 

Show Answer

---

Question # 65

A software company runs a workload on Amazon EC2 instances behind an Application Load Balancer (ALB) A SysOcs administrator needs to define a custom health check for the EC2 instances. What is the MOST operationally efficient solution? 

A. Set up each EC2 Instance so that it writes its healthy/unhealthy status into a shared Amazon S3 bucket for the ALB to read 
B. Configure the health check on the ALB and ensure that the HeathCheckPath setting s correct 
C. Set up Amazon ElasticCache to track the EC2 instances as they scale in and out 
D. Configure an Amazon API Gateway health check to ensure custom checks on aw of the EC2 instances 

Show Answer

---

Question # 66

A SysOps administrator is optimizing the cost of a workload. The workload is running in multiple AWS Regions and is using AWS Lambda with Amazon EC2 On-Demand Instances for the compute. The overall usage is predictable. The amount of compute that is consumed in each Region varies, depending on the users' locations. Which approach should the SysOps administrator use to optimize this workload? 

A. Purchase Compute Savings Plans based on the usage during the past 30 days 
B. Purchase Convertible Reserved Instances by calculating the usage baseline.
 C. Purchase EC2 Instance Savings Plane based on the usage during the past 30 days 
D. Purchase Standard Reserved Instances by calculating the usage baseline. 

Show Answer

---

Question # 67

A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private signets. The company's security policy requires all ECS instances to be deployed in private subnets What should a SysOps administrator do to meet those requirements? 

A. Add an internet gateway to the VPC In the route table for the private subnets, odd a route to the interne; gateway. 
B. Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway. 
C. Add a NAT gateway to a public subnet in the route table for the private subnets, add a route to the NAT gateway. 
D. Add two internet gateways to the VPC. In The route tablet for the private subnets and public subnets, add a route to each internet gateway. 

Show Answer

---

Question # 68

A company runs its entire suite of applications on Amazon EC2 instances. The company plans to move the applications to containers and AWS Fargate. Within 6 months, the company plans to retire its EC2 instances and use only Fargate. The company has been able to estimate its future Fargate costs. A SysOps administrator needs to choose a purchasing option to help the company minimize costs. The SysOps administrator must maximize any discounts that are available and must ensure that there are no unused reservations. Which purchasing option will meet these requirements?

A. Compute Savings Plans for 1 year with the No Upfront payment option 
B. Compute Savings Plans for 1 year with the Partial Upfront payment option 
C. EC2 Instance Savings Plans for 1 year with the All Upfront payment option 
D. EC2 Reserved Instances for 1 year with the Partial Upfront payment option 

Show Answer

---

Question # 69

A company maintains a large set of sensitive data in an Amazon S3 bucket. The company's security team asks a SyeOps administrator to help verify that all current objects in the S3 bucket are encrypted. What is the MOST operationally efficient solution that meets these requirements? 

A. Create a script that runs against the S3 bucket and outputs the status of each object. 
B. Create an S3 Inventory configuration on the S3 bucket Induce the appropriate status fields. 
C. Provide the security team with an IAM user that has read access to the S3 bucket. 
D. Use the AWS CLI to output a list of all objects in the S3 bucket. 

Show Answer

---

Question # 70

A SysOps administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company’s account. The administrator must be alerted to potential issues. What should the administrator do to receive email alerts before low storage space affects EC2 instance performance? 

A. Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications 
B. Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic. 
C. Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic. 
D. Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space 

Show Answer

---

Question # 71

A company needs to ensure strict adherence to a budget for 25 applications deployed on AWS Separate teams are responsible for storage compute, and database costs. A SysOps administrator must implement an automated solution to alert each team when their projected spend will exceed a quarterly amount mat has been set by the finance department. The solution cannot additional compute, storage, or database costs. 

A. Configure AWS Cost and Usage Reports to send a daily report to an Amazon S3 bucket. Create an AWS Lambda function that will evaluate Spend by service and nobly each team by using Amazon Simple Notification Service (Amazon SNS) notifications. Invoke the Lambda function when a report is placed in the S3 bucket 
B. Configure AWS Cost and Usage Reports to send a dairy report to an Amazon S3 bucket. Create a rule In Amazon EventBridge (Amazon CloudWatch Events) to evaluate the spend by service and notify each team by using Amazon Simple Queue Service (Amazon SOS) when the cost threshold i6 exceeded. 
C. Use AWS Budgets :o create one cost budget and select each of the services in use Specify the budget amount defined by the finance department along with the forecasted cost threshold Enter the appropriate email recipients for the budget. 
D. Use AWS Budgets to create a cost budget for each team, filtering by the services they own. Specify the budget amount defined by the finance department along with a forecasted cost threshold Enter the appropriate email recipients for each budget. 

Show Answer

---

Question # 72

A SysOps administrator has Nocked public access to all company Amazon S3 buckets. The SysOps administrator wants to be notified when an S3 bucket becomes publicly readable in the future. What is the MOST operationally efficient way to meet this requirement? 

A. Create an AWS Lambda function that periodically checks the public access settings for each S3 bucket. Set up Amazon Simple Notification Service (Amazon SNS) to send notifications. 
B. Create a cron script that uses the S3 API to check the public access settings for each S3 bucket. Set up Amazon Simple Notification Service (Amazon SNS) to send notifications 
C. Enable S3 Event notified tons for each S3 bucket. Subscribe S3 Event Notifications to an Amazon Simple Notification Service (Amazon SNS) topic. 
D. Enable the s3-bucket-public-read-prohibited managed rule in AWS Config. Subscribe the AWS Config rule to an Amazon Simple Notification Service (Amazon SNS) topic. 

Show Answer

---

Question # 73

A global gaming company is preparing to launch a new game on AWS. The game runs in multiple AWS Regions on a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group behind an Application Load Balancer (ALB) in each Region. The company plans to use Amazon Route 53 tor DNS services. The DNS configuration must direct users to the Region that is closest to mem and must provide automated failover. Which combination of steps should a SysOps administrator take to configure Route 53 to meet these requirements9 {Select TWO.)

A. Create Amazon CloudWatch alarms that monitor the health of the ALB m each Region Configure Route 53 DNS failover by using a health check that monitors the alarms. 
B. Create Amazon CloudWatch alarms that monitor the hearth of the EC2 instances in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms. 
C. Configure Route 53 DNS failover by using a health check that monitors the private address of an EC2 instance in each Region. 
D. Configure Route 53 geoproximity routing Specify the Regions that are used for the infrastructure 
E. Configure Route 53 simple routing Specify the continent, country, and state or province that are used for the infrastructure. 

Show Answer

---

Question # 74

A company is creating a new multi-account architecture. A Sysops administrator must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 identity provider (IdP). What should the SysOps administrator do to meet these requirements? 

A. Configure an Amazon Cognito user pool. Integrate the user pool with the third-party IdP. 
B. Enable and configure AWS Single Sign-On with the third-party IdP. 
C. Federate the third-party IdP with AWS Identity and Access Management (IAM) for each AWS account in the organization. 
D. Integrate the third-party IdP directly with AWS Organizations. 

Show Answer

---

Question # 75

Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB. Other applications from an on-premises environment cannot communicate with Application A on port 8080. To troubleshoot the issue, a SysOps administrator analyzes the flow logs. The flow logs include the following records: What is the reason for the rejected traffic?

A. The security group of the EC2 instances has no Allow rule for the traffic from the NLB. 
B. The security group of the NLB has no Allow rule for the traffic from the on-premises environment. 
C. The ACL of the on-premises environment does not allow traffic to the AWS environment. 
D. The network ACL that is associated with the subnet does not allow outbound traffic for the ephemeral port range. 

Show Answer

---

Question # 76

A SysOps administrator has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. The instance also is EBS optimized. To save costs, the SysOps administrator stops the instance each evening and restarts the instance each morning. When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3.000 VolumeReadOps. The SysOps administrator must improve the I/O performance while ensuring data integrity. Which action will meet these requirements?

A. Change the instance type to a large, burstable, general purpose instance. 
B. Change the instance type to an extra large general purpose instance. 
C. Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume. 
D. Move the data that resides on the EBS volume to the instance store. 

Show Answer

---

Question # 77

A company has a stateless application that is hosted on a fleet of 10 Amazon EC2 OnDemand Instances in an Auto Scaling group. A minimum of 6 instances are needed to meet service requirements. Which action will maintain uptime for the application MOST cost-effectively? 

A. Use a Spot Fleet with an On-Demand capacity of 6 instances. 
B. Update the Auto Scaling group with a minimum of 6 On-Demand Instances and a maximum of 10 On-Demand Instances. 
C. Update the Auto Scaling group with a minimum of 1 On-Demand Instance and a maximum of 6 On-Demand Instances. 
D. Use a Spot Fleet with a target capacity of 6 instances.

Show Answer

---

Question # 78

A SysOps administrator must ensure that a company's Amazon EC2 instances auto scale as expected The SysOps administrator configures an Amazon EC2 Auto Scaling Lifecycle hook to send an event to Amazon EventBridge (Amazon CloudWatch Events), which then invokes an AWS Lambda function to configure the EC2 distances When the configuration is complete, the Lambda function calls the complete Lifecycle-action event to put the EC2 instances into service. In testing, the SysOps administrator discovers that the Lambda function is not invoked when the EC2 instances auto scale. What should the SysOps administrator do to reserve this issue?

A. Add a permission to the Lambda function so that it can be invoked by the EventBridge (CloudWatch Events) rule. 
B. Change the lifecycle hook action to CONTINUE if the lifecycle hook experiences a fa* we or timeout.
C. Configure a retry policy in the EventBridge (CloudWatch Events) rule to retry the Lambda function invocation upon failure. 
D. Update the Lambda function execution role so that it has permission to call the complete lifecycle-action event

Show Answer

---

Question # 79

A company needs to deploy a new workload on AWS. The company must encrypt all data at rest and must rotate the encryption keys once each year. The workload uses an Amazon RDS for MySQL Multi-AZ database for data storage. Which configuration approach will meet these requirements? 

A. Enable Transparent Data Encryption (TDE) in the MySQL configuration file. Manually rotate the key every 12 months. 
B. Enable RDS encryption on the database at creation time by using the AWS managed key for Amazon RDS. 
C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable RDS encryption on the database at creation time by using the KMS key. 
D. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the RDS DB instance. 

Show Answer

---

Question # 80

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon FC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified Which solution will meet this requirement? 

A. Create a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance 
B. Use VPC flow logs with Amazon Athena to block traffic to the external IP address 
C. Create a network ACL Add an outbound deny rule tor traffic to the external IP address 
D. Create a new security group to block traffic to the external IP address Assign the new security group to the entire VPC 

Show Answer

---

Question # 81

A SysOps administrator has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different administrator. Which action will the administrator of the second account be able to perform? 

A. Add a product from the imported portfolio to a local portfolio. 
B. Add new products to the imported portfolio. 
C. Change the launch role for the products contained in the imported portfolio. 
D. Customize the products in the imported portfolio. 

Show Answer

---

Question # 82

A SysOps administrator is responsible for a company's security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change. Which solution will meet these requirements? 

A. Set up Amazon Detective to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Queue Service (Amazon SOS) queue for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SQS queue. 
B. Set up AWS Systems Manager Change Manager to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic. 
C. Set up AWS Config to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic. 
D. Set up Amazon Detective to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator's email address to the SNS topic. 

Show Answer

---

Question # 83

A company runs a website from Sydney, Australia. Users in the United States (US) and Europe are reporting that images and videos are taking a long time to load. However, local testing in Australia indicates no performance issues. The website has a large amount of static content in the form of images and videos that are stored m Amazon S3. Which solution will result In the MOST Improvement In the user experience for users In the US and Europe? 

A. Configure AWS PrivateLink for Amazon S3. 
B. Configure S3 Transfer Acceleration. 
C. Create an Amazon CloudFront distribution. Distribute the static content to the CloudFront edge locations 
D. Create an Amazon API Gateway API in each AWS Region. Cache the content locally. 

Show Answer

---

Question # 84

A company needs to upload gigabytes of files every day. The company need to achieve higher throughput and upload speeds to Amazon S3 Which action should a SysOps administrator take to meet this requirement? 

A. Create an Amazon CloudFront distribution with the GET HTTP method allowed and the S3 bucket as an origin. 
B. Create an Amazon ElastiCache duster and enable caching for the S3 bucket -large-files/ 
C. Set up AWS Global Accelerator and configure it with the S3 bucket 
D. Enable S3 Transfer Acceleration and use the acceleration endpoint when uploading files 

Show Answer

---

Question # 85

A company has an organization in AWS Organizations. The company uses shared VPCs to provide networking resources across accounts A SysOps administrator has been able to successfully launch and manage Amazon EC2 instances in a participant account However the SysOps administrator is now receiving an InstanceLimitExceeded error when the SysOps administrator tries to launch a new EC2 instance What should the SysOps administrator do to resolve this error') 

A. Request an instance quota increase from the account that owns the VPC 
B. Launch additional EC2 instances in a different AWS Region 
C. Request an instance quota increase from the parte pant account 
D. Launch additional EC2 instances by using a different Amazon Machine image (AMI) 

Show Answer

---

Question # 86

A company uses an Amazon CloudFront distribution to deliver its website Traffic togs for the website must be centrally stored and all data must be encrypted at rest Which solution will meet these requirements? 

A. Create an Amazon OpenSearch Service (Amazon Elasttcsearch Service) domain with internet access and server-side encryption that uses the default AWS managed key Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination 
B. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256 Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elastcsearch Service) domain as a log destination 
C. Create an Amazon S3 bucket that is configured with default server side encryption that uses AES-256 Configure CloudFront to use the S3 bucket as a log destination 
D. Create an Amazon S3 bucket that is configured with no default encryption Enable encryption in the CloudFront dtstnbubon and use the S3 bucket as a log destination 

Show Answer

---

Question # 87

A SysOps administrator has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. The instance also is EBSoptimized. To save costs, the SysOps administrator stops the instance each evening and restarts the instance each morning. When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3.000 VolumeReadOps. The SysOps administrator must improve the I/O performance while ensuring data integrity. Which action will meet these requirements?

A. Change the instance type to a large, burstable, general purpose instance. 
B. Change the instance type to an extra large general purpose instance. 
C. Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume. 
D. Move the data that resides on the EBS volume to the instance store. 

Show Answer

---

Question # 88

A SysOps administrator is unable to authenticate an AWS CLI call to an AWS service Which of the following is the cause of this issue? 

A. The IAM password is incorrect 
B. The server certificate is missing 
C. The SSH key pair is incorrect 
D. There is no access key 

Show Answer

---

Question # 89

A company has a simple web application that runs on a set of Amazon EC2 instances behind an Elastic Load Balancer in the eu-west-2 Region. Amazon Route 53 holds a DNS record for the application with a simple touting policy. Users from all over the world access the application through their web browsers. The company needs to create additional copies of the application in the us-east-1 Region and in the ap-south-1 Region. The company must direct users to the Region that provides the fastest response times when the users load the application. What should a SysOps administrator do to meet these requirements?

A. In each new Region, create a new Elastic Load Balancer and a new set of EC2 Instances to run a copy of the application. Transition to a geolocation routing policy. 
B. In each new Region, create a copy of the application on new EC2 instances. Add these new EC2 instances to the Elastic Load Balancer in eu-west-2. Transition to a latency routing policy. 
C. In each new Region, create a copy of the application on new EC2 instances. Add these new EC2 instances to the Elastic Load Balancer in eu-west-2. Transition to a multivalue routing policy. 
D. In each new Region, create a new Elastic Load Balancer and a new set of EC2 instances to run a copy of the application. Transition to a latency routing policy. 

Show Answer

---

Question # 90

A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC. While reviewing the togs the SysOps administrator notices that rejected traffic is not listed. What should the SysOps administrator do to ensure that all traffic is logged? 

A. Create a new flow tog that has a titter setting to capture all traffic 
B. Create a new flow log set the tog record format to a custom format Select the proper fields to include in the tog 
C. Edit the existing flow log Change the fitter setting to capture all traffic 
D. Edit the existing flow log. Set the log record format to a custom format Select the proper fields to include in the tog 

Show Answer

---

Question # 91

A company's SysOps administrator deploys four new Amazon EC2 instances by using the standard Amazon Linux 2 Amazon Machine Image (AMI). The company needs to be able to use AWS Systems Manager to manage the instances The SysOps administrator notices that the instances do not appear in the Systems Manager console What must the SysOps administrator do to resolve this issue? 

A. Connect to each instance by using SSH Install Systems Manager Agent on each instance Configure Systems Manager Agent to start automatically when the instances start up 
B. Use AWS Certificate Manager (ACM) to create a TLS certificate Import the certificate into each instance Configure Systems Manager Agent to use the TLS certificate for secure communications 
C. Connect to each instance by using SSH Create an ssm-user account Add the ssm-user account to the /etcsudoers d directory 
D. Attach an IAM instance profile to the instances Ensure that the instance profile contains the AmazonSSMManagedinstanceCore policy 

Show Answer

---

Question # 92

A company's customers are reporting increased latency while accessing static web content from Amazon S3 A SysOps administrator observed a very high rate of read operations on a particular S3 bucket What will minimize latency by reducing load on the S3 bucket? 

A. Migrate the S3 bucket to a region that is closer to end users' geographic locations 
B. Use cross-region replication to replicate all of the data to another region 
C. Create an Amazon CloudFront distribution with the S3 bucket as the origin. 
D. Use Amazon ElastiCache to cache data being served from Amazon S3 

Show Answer

---

Amazon SOA-C02 Frequently Asked Questions