Amazon SOA-C02 Sample Questions

Question # 81

A company has multiple AWS accounts. The company uses AWS Organizations with an organizational unit (OU) for the production account and another OU for the development account. Corporate policies state that developers may use only approved AWS services in the production account. What is the MOST operationally efficient solution to control the production account? 

A. Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
B. Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
C. Create a service control policy (SCP). Apply the SCP to the production OU.
D. Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.


Question # 82

A company has an AWS Lambda function in Account A. The Lambda function needs to read the objects in an Amazon S3 bucket in Account B. A SysOps administrator must create corresponding IAM roles in both accounts. Which solution will meet these requirements?

A. In Account A, create a Lambda execution role to assume the role in Account B. In Account B, create a role that the function can assume to gain access to the S3 bucket.
B. In Account A, create a Lambda execution role that provides access to the S3 bucket. In Account B, create a role that the function can assume.
C. In Account A, create a role that the function can assume. In Account B, create a Lambda execution role that provides access to the S3 bucket.
D. In Account A, create a role that the function can assume to gain access to the S3 bucket. In Account B, create a Lambda execution role to assume the role in Account A.


Question # 83

A SysOps administrator needs to implement a backup strategy for Amazon EC2 resources and Amazon RDS resources. The backup strategy must meet the following retention requirements:

• Daily backups: must be kept for 6 days
• Weekly backups: must be kept for 4 weeks
• Monthly backups: must be kept for 11 months
• Yearly backups: must be kept for 7 years

Which backup strategy will meet these requirements with the LEAST administrative effort?

A. Use Amazon Data Lifecycle Manager to create an Amazon Elastic Block Store (Amazon EBS) snapshot policy. Create tags on each resource that needs to be backed up. Create multiple schedules according to the requirements within the policy. Set the appropriate frequency and retention period.
B. Use AWS Backup to create a new backup plan for each retention requirement with a backup frequency of daily, weekly, monthly, or yearly. Set the retention period to match the requirement. Create tags on each resource that needs to be backed up. Set up resource assignment by using the tags.
C. Create an AWS Lambda function. Program the Lambda function to use native tooling to take backups of file systems in Amazon EC2 and to make copies of databases in Amazon RDS. Create an Amazon EventBridge rule to invoke the Lambda function.
D. Use Amazon Data Lifecycle Manager to create an Amazon Elastic Block Store (Amazon EBS) snapshot policy. Create tags on each resource that needs to be backed up. Set up resource assignment by using the tags. Create multiple schedules according to the requirements within the policy. Set the appropriate frequency and retention period. In Amazon RDS, activate automated backups on the required DB instances.


Question # 84

A SysOps administrator needs to design a disaster recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The application uses an Amazon Aurora PostgreSQL database. The recovery time objective (RTO) and recovery point objective (RPO) are 15 minutes each. Which combination of steps should the SysOps administrator take to meet these requirements MOST cost-effectively? (Select TWO.) 

A. Configure Aurora backups to be exported to the DR Region.
B. Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.
C. Configure the DR Region with an ALB and an Auto Scaling group. Use the same configuration as in the primary Region.
D. Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group's minimum capacity, maximum capacity, and desired capacity to 1.
E. Manually launch a new ALB and a new Auto Scaling group by using AWS CloudFormation during a failover activity.


Question # 85

An application runs on Amazon EC2 instances in an Auto Scaling group. Following the deployment of a new feature on the EC2 instances, some instances were marked as unhealthy and then replaced by the Auto Scaling group. The EC2 instances terminated before a SysOps administrator could determine the cause of the health status changes. To troubleshoot this issue, the SysOps administrator wants to ensure that an AWS Lambda function is invoked in this situation. How should the SysOps administrator meet these requirements?

A. Activate the instance scale-in protection setting for the Auto Scaling group. Invoke the Lambda function through Amazon EventBridge (Amazon CloudWatch Events).
B. Activate the instance scale-in protection setting for the Auto Scaling group. Invoke the Lambda function through Amazon Route 53.
C. Add a lifecycle hook to the Auto Scaling group to invoke the Lambda function through Amazon EventBridge (Amazon CloudWatch Events).
D. Add a lifecycle hook to the Auto Scaling group to invoke the Lambda function through Amazon Route 53.


Question # 86

A company's SysOps administrator manages a fleet of hundreds of Amazon EC2 instances that run Windows-based workloads and Linux-based workloads. Each EC2 instance has a tag that identifies its operating system. All the EC2 instances run AWS Systems Manager Session Manager. A zero-day vulnerability is reported, and no patches are available. The company's security team provides code for all the relevant operating systems to reduce the risk of the vulnerability. The SysOps administrator needs to implement the code on the EC2 instances and must provide a report that shows that the code has successfully run on all the instances. What should the SysOps administrator do to meet these requirements as quickly as possible? 

A. Use Systems Manager Run Command. Choose either the AWS-RunShellScript document or the AWS-RunPowerShellScript document. Configure Run Command with the code from the security team. Specify the operating system tag in the Targets parameter. Run the command. Provide the command history's evidence to the security team.
B. Create an AWS Lambda function that connects to the EC2 instances through Session Manager. Configure the Lambda function to identify the operating system, run the code from the security team, and return the results to an Amazon RDS DB instance. Query the DB instance for the results. Provide the results as evidence to the security team.
C. Log on to each EC2 instance. Run the code from the security team on each EC2 instance. Copy and paste the results of each run into a single spreadsheet. Provide the spreadsheet as evidence to the security team.
D. Update the launch templates of the EC2 instances to include the code from the security team in the user data. Relaunch the EC2 instances by using the updated launch templates. Retrieve the EC2 instance logs of each instance. Provide the EC2 instance logs as evidence to the security team.


Question # 87

A company is hosting applications on Amazon EC2 instances. The company is hosting a database on an Amazon RDS for PostgreSQL DB instance. The company requires all connections to the DB instance to be encrypted. What should a SysOps administrator do to meet this requirement? 

A. Allow SSL connections to the database by using an inbound security group rule.
B. Encrypt the database by using an AWS Key Management Service (AWS KMS) encryption key.
C. Enforce SSL connections to the database by using a custom parameter group.
D. Patch the database with SSL/TLS by using a custom PostgreSQL extension.


Question # 88

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified. Which solution will meet this requirement? 

A. Create a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance.
B. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
C. Create a network ACL. Add an outbound deny rule for traffic to the external IP address.
D. Create a new security group to block traffic to the external IP address. Assign the new security group to the entire VPC.


Question # 89

A company deploys a new application on three Amazon EC2 instances across three Availability Zones. The company uses a Network Load Balancer (NLB) to route traffic to the EC2 instances. A SysOps administrator must implement a solution so that the EC2 instances allow traffic from only the NLB. What should the SysOps administrator do to meet these requirements with the LEAST operational overhead?

A. Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB.
B. Configure the security group that is associated with the EC2 instances to allow traffic from only the elastic network interfaces that are associated with the NLB.
C. Create a network ACL. Associate the network ACL with the application subnets. Configure the network ACL to allow inbound traffic from only the CIDR ranges of the NLB.
D. Use a third-party firewall solution that is installed on a separate EC2 instance. Configure a firewall rule that allows traffic to the application's EC2 instances from only the subnets where the NLB is deployed.


Question # 90

A company has scientists who upload large data objects to an Amazon S3 bucket. The scientists upload the objects as multipart uploads. The multipart uploads often fail because of poor end-client connectivity. The company wants to optimize storage costs that are associated with the data. A SysOps administrator must implement a solution that presents metrics for incomplete uploads. The solution also must automatically delete any incomplete uploads after 7 days. Which solution will meet these requirements?

A. Review the Incomplete Multipart Upload Bytes metric in the S3 Storage Lens dashboard. Create an S3 Lifecycle policy to automatically delete any incomplete multipart uploads after 7 days.
B. Implement S3 Intelligent-Tiering to move data into lower-cost storage classes after 7 days. Create an S3 Storage Lens policy to automatically delete any incomplete multipart uploads after 7 days.
C. Access the S3 console. Review the Metrics tab to check the storage that incomplete multipart uploads are consuming. Create an AWS Lambda function to delete any incomplete multipart uploads after 7 days.
D. Use the S3 analytics storage class analysis tool to identify and measure incomplete multipart uploads. Configure an S3 bucket policy to enforce restrictions on multipart uploads to delete incomplete multipart uploads after 7 days.

