CCNA Operations and Maintenance Questions

75 of 491 questions · Page 2/7 · Operations and Maintenance · Answers revealed

76
MCQ · medium

A company runs SAP on AWS and uses an Application Load Balancer (ALB) to distribute traffic to web dispatchers. The operations team notices that some requests are failing with 503 errors. What is the MOST likely cause?

A. The SSL certificate on the ALB has expired.
B. Security groups allow too much traffic.
C. The target instances are failing health checks.
D. The ALB is out of capacity.
Answer: C

Unhealthy targets cause ALB to return 503 errors.

Why this answer

Option C is correct because 503 errors from an ALB indicate that the target instances are unhealthy or not responding. Option A is wrong because 503 errors are not caused by SSL certificate issues. Option B is wrong because security groups would cause connection timeouts, not 503. Option D is wrong because ALB capacity is automatically scaled.

77
MCQ · easy

An operations team needs to automate the patching of EC2 instances running SAP applications. The instances are part of an Auto Scaling group. The team wants to apply patches without causing downtime to the SAP system. Which approach should they use?

A. Use AWS Systems Manager Patch Manager with a maintenance window that patches all instances simultaneously
B. Use AWS CodeDeploy to deploy patches as a new application version
C. Use AWS Systems Manager Patch Manager with a maintenance window and configure the Auto Scaling group to perform a rolling update
D. Use AWS OpsWorks to manage patching, configuring a rolling update
Answer: C

Patches can be applied during a maintenance window, and rolling updates ensure availability.

Why this answer

Option C is correct because AWS Systems Manager Patch Manager can be integrated with an Auto Scaling group to perform a rolling update, which updates instances in batches, ensuring that the SAP application remains available throughout the patching process. This approach minimizes downtime by replacing or updating instances incrementally rather than all at once, which is critical for SAP systems that require high availability.

Exam trap

The trap here is that candidates might assume patching all instances simultaneously is acceptable for SAP systems, overlooking the critical requirement for zero downtime, or they might confuse CodeDeploy's application deployment capabilities with OS patching needs.

How to eliminate wrong answers

Option A is wrong because patching all instances simultaneously would cause downtime for the SAP system, as the instances would be unavailable at the same time. Option B is wrong because AWS CodeDeploy is designed for deploying application code, not for OS-level patching of EC2 instances; it does not manage system patches or integrate with Patch Manager for this purpose. Option D is wrong because AWS OpsWorks is a configuration management service that uses Chef or Puppet, but it is not the recommended or native service for automated patching of EC2 instances in an Auto Scaling group; Patch Manager with rolling updates is the standard approach.

78
MCQ · medium

A company runs SAP on AWS and uses AWS Backup to back up the SAP HANA database. The backup job fails with an error indicating insufficient IAM permissions. What is the most likely missing permission?

A. ec2:DescribeInstances
B. kms:Decrypt
C. rds:CreateDBSnapshot
D. s3:PutObject
Answer: B

If the backup is encrypted, AWS Backup requires kms:Decrypt to access the key.

Why this answer

AWS Backup requires permissions to decrypt the KMS key used to encrypt the SAP HANA database or its backup target. If the IAM role assigned to AWS Backup lacks the `kms:Decrypt` action for the specific KMS key, the backup job fails with an insufficient IAM permissions error. This is because AWS Backup must read the encrypted data before transferring it to the backup vault.

Exam trap

The trap here is that candidates often assume the missing permission is `s3:PutObject` because backups are stored in S3, but the error occurs before the data is written, during the decryption step when the source is encrypted with a KMS key.

How to eliminate wrong answers

Option A is wrong because `ec2:DescribeInstances` is used to list or describe EC2 instances, not to perform backup operations on SAP HANA databases; it is not required for the backup job itself. Option C is wrong because `rds:CreateDBSnapshot` is specific to Amazon RDS instances, not SAP HANA on EC2, which uses AWS Backup with custom resources or the SAP HANA Backint agent. Option D is wrong because `s3:PutObject` is needed for writing backup data to an S3 bucket, but the error specifically indicates insufficient IAM permissions, and the most common missing permission in encrypted environments is `kms:Decrypt`, not the S3 write action.

79
MCQ · hard

An SAP system on AWS uses a Multi-AZ deployment for the database layer with synchronous replication. The application servers are in the same region but different Availability Zones. During a recent failure of the primary database instance, the automatic failover to the standby instance took longer than expected, exceeding the RTO of 5 minutes. Upon investigation, the team finds that the standby instance was not fully synchronized at the time of failure. What could be the cause?

A. The EBS volumes on the standby instance have lower IOPS than the primary.
B. The Multi-AZ configuration uses a single network interface.
C. The security groups on the standby instance block replication traffic.
D. The network latency between the Availability Zones is high.
Answer: D

High latency can cause synchronous replication to slow down.

Why this answer

Option D is correct because if the network latency between Availability Zones is high, synchronous replication can cause the primary to wait for acknowledgment, slowing down transactions and causing the standby to lag. Option B is wrong because Multi-AZ does not have a single point of failure for network. Option A is wrong because EBS volume performance affects both instances. Option C is wrong because security groups do not cause replication lag.

80
Multi-Select · hard

A company runs a production web application on EC2 instances behind an ALB. The operations team receives an alert that the application is returning HTTP 503 errors. Which THREE steps should be taken to diagnose the issue?

Select 3 answers
A. Review VPC Flow Logs to identify if traffic is reaching the ALB.
B. Check the ALB's HealthyHostCount metric in CloudWatch.
C. Check the CPU utilization of the EC2 instances in the Auto Scaling group.
D. Verify the health check settings on the target group.
Answers: B, C, D

Indicates if targets are passing health checks.

Why this answer

The ALB's HealthyHostCount metric in CloudWatch shows the number of healthy targets registered to the target group. A value of zero or a persistent drop indicates that all EC2 instances are failing health checks, which directly causes HTTP 503 errors because the ALB has no healthy targets to forward traffic to. This metric is the first place to check when diagnosing 503 errors, as it pinpoints whether the issue is with target health rather than network connectivity or load.

Exam trap

Cisco often tests the misconception that CPU utilization or instance-level metrics are the primary cause of 503 errors, when in reality the ALB's health check mechanism and target group configuration are the direct cause, and CPU issues are only one possible underlying reason for health check failures.

81
Multi-Select · easy

An operations team needs to monitor the performance of an SAP HANA database running on an EC2 instance. Which THREE CloudWatch metrics should the team monitor to ensure the database is not resource-constrained? (Choose THREE.)

Select 3 answers
A. DatabaseConnections
B. DiskReadOps
C. Memory (using CloudWatch agent)
D. CPUUtilization
E. NetworkIn
Answers: B, C, D

High disk I/O can indicate database workload.

Why this answer

CPUUtilization, Memory (via custom metrics or CloudWatch agent), and DiskReadOps/DiskWriteOps are key performance indicators. NetworkIn/NetworkOut are important for network throughput but not directly for database resource constraints. DatabaseConnections is for RDS, not EC2-hosted HANA.

82
MCQ · medium

An SAP administrator notices that an Amazon RDS for SAP HANA instance is running low on storage. The administrator needs to increase the storage with minimal downtime. What is the most efficient approach?

A. Create a new RDS instance with larger storage and migrate data
B. Stop the instance, modify storage, and start the instance
C. Modify the RDS instance and increase the allocated storage
D. Take a snapshot, restore to a larger instance, and update DNS
Answer: C

RDS allows online storage scaling with no downtime for most use cases.

Why this answer

RDS supports storage modification without downtime if using Elastic Volumes (gp2/gp3/io1/io2). Increasing allocated storage does not require a new instance or snapshot restoration. Modifying the instance class is separate. Stopping the instance is unnecessary.

83
Multi-Select · hard

An SAP system on AWS is experiencing performance degradation. The operations team suspects a network bottleneck. Which THREE metrics should they analyze in CloudWatch to diagnose the issue? (Choose THREE.)

Select 3 answers
A. NetworkOut
B. NetworkPacketsIn
C. CPUUtilization
D. NetworkIn
E. DiskReadOps
Answers: A, B, D

Shows outgoing network traffic.

Why this answer

Option D (NetworkIn), Option A (NetworkOut), and Option B (NetworkPacketsIn) are standard EC2 network metrics. Option E (DiskReadOps) is storage-related. Option C (CPUUtilization) is compute-related.

84
MCQ · medium

An SAP administrator notices that the /usr/sap directory on an EC2 instance is filling up. The instance is part of an SAP application server cluster. Which AWS service can be used to add additional storage without downtime?

A. Amazon EFS
B. Amazon S3
C. Amazon EBS
D. EC2 Instance Store
Answer: C

EBS allows online resizing of volumes without downtime.

Why this answer

Option C is correct because Amazon EBS volumes can be attached to EC2 instances and expanded without downtime using Elastic Volumes. Option B is wrong because S3 is object storage, not block storage for the OS. Option A is wrong because EFS is a file system but not suitable for /usr/sap, which requires low latency. Option D is wrong because Instance Store is ephemeral and not persistent.

85
MCQ · hard

An SAP system on AWS is configured with a multi-AZ deployment for high availability. During a failover test, the secondary instance does not take over as expected. The administrator checks the AWS Management Console and sees that the Elastic IP address is still attached to the primary instance. What is the most likely cause?

A. The Elastic IP is not reassigned during the failover process
B. The secondary instance's root volume is not attached
C. The security group of the secondary instance blocks incoming traffic
D. The route tables are not updated to point to the secondary instance
Answer: A

The Elastic IP must be moved to the secondary instance to maintain connectivity.

Why this answer

In a typical HA setup, the Elastic IP should be reassigned to the secondary instance during failover. If it remains attached to the primary, the secondary cannot be reached. The root device is not relevant to IP assignment. Route tables are not per-instance. Security groups allow traffic but do not prevent failover.

86
Multi-Select · easy

Which TWO steps are required to set up automated backups for an SAP HANA database running on EC2?

Select 2 answers
A. Create an Amazon EBS snapshot of the HANA data volumes
B. Install and configure the SAP HANA Backint agent for Amazon S3
C. Set up a lifecycle policy to transition backups to Amazon S3 Glacier
D. Create an Amazon S3 bucket to store the backup files
E. Enable automatic backups in the HANA Studio
Answers: B, D

Backint agent integrates with AWS to send backups to S3.

Why this answer

The SAP HANA Backint agent for Amazon S3 is a certified integration that allows HANA to send backup data directly to S3 via the Backint API, which is the standard method for automated, HANA-aware backups to object storage. This replaces traditional file-based backups and enables seamless integration with AWS backup services without manual scripting.

Exam trap

The trap here is that candidates confuse EBS snapshots (which are block-level and not HANA-aware) with HANA-consistent backups, or assume that HANA Studio's built-in backup feature alone is sufficient for automated cloud backups without the Backint agent.

87
MCQ · hard

A company runs SAP HANA on AWS and needs to perform a system copy from production to a test environment. The test environment is in a different AWS account. Which AWS service can be used to securely share the HANA backup files stored in Amazon S3 across accounts?

A. VPC Peering
B. S3 Transfer Acceleration
C. S3 bucket policy
D. AWS Direct Connect
Answer: C

Bucket policies can grant cross-account access to objects.

Why this answer

Option C is correct because S3 bucket policies can grant cross-account access to the backup files. Option B is wrong because S3 Transfer Acceleration improves speed, not access control. Option A is wrong because VPC Peering is for network connectivity, not S3 access. Option D is wrong because AWS Direct Connect is for a dedicated network connection.

88
Multi-Select · medium

A company runs SAP HANA on AWS and needs to back up the database to Amazon S3. Which TWO AWS services can be used to automate the backup process?

Select 2 answers
A. AWS Lambda
B. AWS Backup
C. AWS CloudFormation
D. AWS CloudTrail
E. Amazon S3 Transfer Acceleration
Answers: A, B

Lambda can run custom backup scripts on a schedule.

Why this answer

Options A and B are correct. AWS Backup can schedule backups with S3 as a destination, and AWS Lambda can run custom backup scripts. Option C is wrong because CloudFormation is for infrastructure provisioning. Option D is wrong because CloudTrail is for auditing. Option E is wrong because S3 Transfer Acceleration is a feature, not a service.

89
Multi-Select · easy

An SAP administrator is troubleshooting a performance issue on an SAP application server. The administrator wants to collect detailed metrics about the EC2 instance's memory usage. Which TWO AWS services can be used to collect memory metrics? (Choose TWO.)

Select 2 answers
A. AWS CloudTrail
B. AWS X-Ray
C. Amazon CloudWatch Agent
D. AWS Systems Manager (Run Command)
E. AWS Config
Answers: C, D

CloudWatch Agent collects memory metrics from EC2 instances.

Why this answer

Options C and D are correct: CloudWatch Agent can collect memory metrics, and Systems Manager can run scripts to collect and push custom metrics. Option A (CloudTrail) logs API calls, not memory. Option E (Config) is for configuration. Option B (X-Ray) is for tracing.

90
Multi-Select · medium

An SAP system on AWS uses an Application Load Balancer (ALB) to distribute traffic to multiple EC2 instances. The operations team wants to enable sticky sessions (session affinity) for the ALB. Which TWO steps are required? (Choose TWO.)

Select 2 answers
A. Set the stickiness duration in seconds
B. Configure a proxy protocol policy
C. Enable cross-zone load balancing
D. Create a custom cookie on the application server
E. Enable stickiness on the target group
Answers: A, E

Duration controls how long the session is sticky.

Why this answer

Options E and A are correct: enable stickiness on the target group and configure the duration. Option D is not required; cookies are generated by the ALB. Option B is for Classic Load Balancer. Option C is for cross-zone load balancing.

91
MCQ · medium

A company runs a critical SAP HANA database on an Amazon EC2 instance. The operations team receives an alert that the instance's EBS-optimized throughput is consistently exceeding the baseline performance of the gp2 volume. Which action should the team take to resolve the performance issue without downtime?

A. Enable EBS optimization on the EC2 instance.
B. Increase the volume size to improve baseline IOPS.
C. Modify the volume type to gp3 and adjust the throughput setting.
D. Stop the EC2 instance and increase the volume size.
Answer: C

gp3 volumes support independent throughput adjustments without downtime.

Why this answer

Option C is correct because modifying the volume type to gp3 allows dynamic adjustment of IOPS and throughput without downtime, improving performance. Option D is wrong because stopping the instance causes downtime. Option B is wrong because increasing the volume size increases baseline IOPS but may not be sufficient and also requires downtime if the OS partition is resized. Option A is wrong because enabling EBS optimization on a running instance requires a reboot.

92
MCQ · easy

An SAP Basis administrator needs to restart the SAP application server on an EC2 instance after applying kernel patches. What is the recommended way to perform the restart to minimize downtime?

A. Log in to the instance and restart the SAP system using SAP MMC or sapcontrol.
B. Stop and start the EC2 instance from the AWS CLI.
C. Reboot the EC2 instance from the AWS Management Console.
D. Terminate the instance and launch a new one from the same AMI.
Answer: A

This restarts only the SAP services, not the entire OS, resulting in shorter downtime.

Why this answer

Using SAP MMC to restart the SAP system allows a controlled restart that avoids a full OS reboot, minimizing downtime.

93
MCQ · medium

An administrator created the IAM policy shown in the exhibit for the operations team. The team needs to create snapshots of EBS volumes that have the tag 'Name' with a value starting with 'SAP-HANA-'. However, the policy is not working as expected. What is the most likely reason?

A. The resource ARN is incorrect; it should specify the snapshot resource type.
B. The action 'ec2:CreateSnapshot' should be 'ec2:CreateSnapshots' (plural).
C. The condition key should be 'aws:ResourceTag' instead of 'ec2:ResourceTag'.
D. The 'ec2:CreateSnapshot' action does not support the 'ec2:ResourceTag' condition key.
Answer: D

Not all actions support resource tag conditions.

Why this answer

Option D is correct because the ec2:CreateSnapshot action does not support the ec2:ResourceTag condition key. Condition keys must be supported by the action. Option A is wrong because the resource ARN is correct for volumes. Option B is wrong because the action is allowed. Option C is wrong because the condition is not about the snapshot resource.

94
MCQ · medium

A company runs an SAP HANA database on an EC2 instance with a large EBS volume. The volume is approaching its maximum capacity. The operations team needs to increase the storage size without downtime. What is the most efficient way to achieve this?

A. Use the AWS Management Console, CLI, or API to modify the existing EBS volume to increase its size while the instance is running.
B. Create a new larger EBS volume and use rsync to copy data while the instance is running, then remount.
C. Stop the EC2 instance, detach the current EBS volume, create a new larger volume from a snapshot, attach it, and start the instance.
D. Add an additional EBS volume and use LVM to extend the logical volume.
Answer: A

EBS volumes can be modified online without downtime.

Why this answer

Option A is correct because EBS volumes can be modified (including size increase) while attached and in use, without downtime. Option B is wrong because creating a new volume and migrating requires downtime to copy data. Option C is wrong because it requires stopping the instance to detach and reattach. Option D is wrong because it incurs unnecessary cost and complexity.

95
MCQ · easy

An SAP Basis administrator needs to apply an OS-level security patch to a fleet of SAP EC2 instances running Red Hat Enterprise Linux. The instances are part of an Auto Scaling group. Which approach is the MOST efficient and minimizes downtime?

A. Create a custom AMI and manually terminate each instance to launch new ones.
B. Stop all instances, apply the patch using a script, and restart them.
C. Use AWS Systems Manager Patch Manager to apply the patch to all instances simultaneously.
D. Create a new AMI with the patch applied, update the launch template, and perform a rolling update via Auto Scaling.
Answer: D

This minimizes downtime by replacing instances one by one.

Why this answer

Option D is correct because using a new AMI with the patch and launching a new instance via Auto Scaling ensures that the new instance is patched before replacing the old one. Option C is wrong because applying patches via Systems Manager to running instances may cause downtime. Option B is wrong because stopping and patching each instance causes downtime. Option A is wrong because creating an AMI from a patched instance and updating the launch configuration is similar to D but more manual.

96
Multi-Select · hard

An operations team is planning a disaster recovery (DR) strategy for an SAP system on AWS. The system includes SAP HANA database and application servers. The DR site must have a Recovery Time Objective (RTO) of 2 hours and a Recovery Point Objective (RPO) of 15 minutes. Which THREE components are essential for this DR strategy? (Choose THREE.)

Select 3 answers
A. AWS CloudFormation templates to provision the DR infrastructure
B. Multi-AZ deployment of the SAP application servers
C. Amazon S3 Cross-Region Replication for SAP backup files
D. Amazon Route 53 health checks and failover routing
E. Cross-Region replication of EBS snapshots for SAP HANA data volumes
Answers: A, C, E

Automated provisioning helps meet the 2-hour RTO.

Why this answer

A, C, and E are correct. Cross-Region replication of EBS snapshots provides RPO of 15 minutes. CloudFormation templates automate infrastructure deployment to meet RTO. S3 Cross-Region Replication for backups ensures data availability. B is wrong because Multi-AZ is for high availability, not DR. D is wrong because while Route 53 is important, it is not the core component for meeting RTO/RPO.

97
MCQ · easy

An SAP administrator notices that the application logs show repeated authentication failures from a specific IP address. The SAP application is hosted on an EC2 instance behind an Application Load Balancer. What AWS service can be used to block traffic from that IP at the network level?

A. Use Amazon CloudFront with a geo-restriction to block the IP.
B. Use AWS WAF to create an IP set and block rule, associated with the ALB.
C. Update the security group of the EC2 instance to deny traffic from that IP.
D. Add a network ACL rule to the subnet to deny traffic from that IP.
Answer: B

AWS WAF can inspect source IP and block requests at the ALB level.

Why this answer

Option B is correct because AWS WAF can be associated with an ALB to filter IP addresses. Option C is wrong because Security Groups are stateful and cannot block based on IP address in the context of an ALB (they see only the ALB's IP). Option D is wrong because NACLs are stateless and applied at the subnet level, but the ALB is a managed service; WAF is more appropriate. Option A is wrong because CloudFront is a CDN and not typically used solely for IP blocking in this scenario.

98
MCQ · hard

An SAP on AWS environment uses a shared file system via Amazon EFS for SAP transport files. The EFS file system is mounted on multiple EC2 instances. Users report that file operations are slow during peak hours. Which action should be taken to improve performance?

A. Enable EFS Provisioned Throughput mode and increase throughput
B. Migrate to Amazon EBS with Multi-Attach enabled
C. Move the transport files to Amazon S3 and use S3FS
D. Increase the number of EC2 instances to distribute the load
Answer: A

Provisioned Throughput provides consistent high throughput for demanding workloads.

Why this answer

Option A is correct because setting the EFS throughput mode to Provisioned with increased throughput can improve performance. Option B is wrong because moving to EBS with Multi-Attach is not suitable for a shared file system across many instances. Option C is wrong because S3 does not provide a POSIX file system. Option D is wrong because adding more instances does not improve EFS performance.

99
MCQ · hard

A company runs SAP HANA on AWS and uses AWS Backup to back up the HANA database volumes. The backup job fails with an error indicating that the volume is in use. What is the most likely cause of this failure?

A. The volume is attached to an instance and the filesystem is not frozen before snapshot.
B. The AWS Backup service does not have permission to create snapshots in the account.
C. The EBS volume is not tagged with the required backup tags.
D. The EC2 instance does not have the AWS Backup agent installed.
Answer: A

AWS Backup can snapshot attached volumes, but for consistent snapshots, the filesystem should be frozen or I/O paused. If not, the snapshot may be inconsistent, but the error 'volume in use' suggests the snapshot operation itself failed.

Why this answer

AWS Backup uses EBS snapshots, which require volumes to be in a consistent state. If the volume is attached and in use, the snapshot may fail if the filesystem is not frozen. The most common fix is to pause I/O before the snapshot.

100
MCQ · medium

A company runs an SAP HANA database on an EC2 instance with EBS volumes. The operations team notices increased latency and I/O errors. Which AWS service should they use to analyze performance and identify bottlenecks?

A. AWS Config
B. Amazon CloudWatch
C. AWS Service Catalog
D. AWS Trusted Advisor
Answer: B

CloudWatch collects metrics and logs for EC2 and EBS, enabling latency and I/O analysis.

Why this answer

Option B is correct because Amazon CloudWatch provides metrics and logs to monitor EC2 and EBS performance. Option D (AWS Trusted Advisor) gives recommendations but not real-time performance data. Option A (AWS Config) tracks configuration changes, not performance. Option C (AWS Service Catalog) manages service portfolios, not monitoring.

101
MCQ · easy

An SAP Basis administrator needs to monitor the performance of SAP HANA database using Amazon CloudWatch. Which of the following metrics should be monitored to detect potential CPU bottlenecks?

A. MemoryUtilization
B. DiskReadBytes / DiskWriteBytes
C. CPUUtilization
D. NetworkPacketsIn / NetworkPacketsOut
Answer: C

CPU utilization directly indicates the percentage of CPU capacity used.

Why this answer

Option C is correct because the CPU Utilization metric directly measures the percentage of CPU capacity used. Option A is wrong because Memory utilization indicates memory pressure, not CPU. Option B is wrong because Disk Read/Write Bytes indicate I/O activity. Option D is wrong because Network packets indicate network traffic.

102
MCQ · hard

A company runs a critical SAP ERP system on AWS. The architecture includes an SAP HANA database on an r5.24xlarge instance (with 768 GB RAM) in us-east-1a, and multiple SAP application servers in an Auto Scaling group across two Availability Zones (us-east-1a and us-east-1b). The database uses EBS volumes: two 1 TB gp3 volumes for data, one 500 GB gp3 for log, and one 100 GB gp3 for backup. The system has been running without issues for months. At 3:00 PM, the operations team receives alerts from Amazon CloudWatch that the HANA database instance's CPU utilization is at 100%, memory usage is at 95%, and the disk queue length for the log volume is consistently above 10. The SAP application is experiencing intermittent timeouts. The team checks the HANA studio and sees that there are many long-running queries and that the log volume is almost full (95% used). The database backups are scheduled to run at 2:00 AM and completed successfully. There have been no changes to the system or workload recently. The team suspects a performance degradation. What is the MOST likely cause of the issue?

A. The HANA database has reached its memory limit due to the global.ini allocation.
B. The gp3 volume's baseline IOPS are insufficient for the current workload.
C. A backup job is running and consuming CPU and I/O resources.
D. The log volume is almost full, causing HANA to stall transaction processing.
Answer: D

When the log volume is near capacity, HANA cannot write new log entries, stalling transactions and causing high resource usage.

Why this answer

Option D is correct because a full log volume can cause HANA to pause transactions, leading to increased CPU/memory usage and timeouts. Option A is wrong because HANA's memory management is dynamic and not constrained by OS limits. Option C is wrong because backups are not running at 3 PM. Option B is wrong because the disk queue length indicates I/O issues, but the root cause is the full log volume, not insufficient IOPS.

103
MCQ · medium

A company runs an SAP HANA database on an r5.8xlarge EC2 instance. The operations team notices that the instance's CPU utilization spikes to 100% every night at 2 AM, causing SAP application timeouts. CloudWatch metrics show the spike corresponds to a backup process. Which action should be taken to resolve the issue?

A. Move the backup window to an earlier time when the system is less active.
B. Increase the instance size to handle the backup load.
C. Disable the nightly backup.
D. Implement CloudWatch alarm to restart the instance when CPU is high.
Answer: A

Rescheduling backups to off-peak hours reduces CPU contention during the spike.

Why this answer

Option A is correct because adjusting the backup schedule to a non-peak time reduces CPU contention. Option B is wrong because increasing instance size might help but is not the most direct solution. Option D is wrong because it does not address the root cause. Option C is wrong because disabling the backup is not appropriate.

104
MCQ · hard

An SAP administrator notices that the SAP application server is experiencing high memory utilization. The system uses a cluster of EC2 instances. What is the most cost-effective solution to automatically add an additional application server when memory exceeds 80%?

A. Configure an Auto Scaling group with a scaling policy based on a custom CloudWatch metric for memory utilization.
B. Create a CloudWatch alarm that sends an email to the administrator to manually launch a new instance.
C. Use an Auto Scaling group with a scaling policy based on CPU utilization.
D. Use AWS Elastic Beanstalk to deploy the application server.
Answer: A

Auto Scaling can use custom metrics to automatically adjust capacity.

Why this answer

Option A is correct because Auto Scaling with a custom metric (memory utilization) can scale out based on the threshold. Option B is wrong because CloudWatch alarms alone do not add instances. Option D is wrong because it does not automatically scale. Option C is wrong because scaling based on CPU does not address memory.

105
MCQ · easy

A company is running SAP on AWS and uses CloudWatch to monitor the SAP HANA database. The database administrator wants to create a dashboard that shows the current memory utilization of all HANA instances. Which CloudWatch feature should they use?

A. CloudWatch Logs
B. CloudWatch Alarms
C. CloudWatch Events
D. CloudWatch Dashboards
Answer: D

Dashboards can aggregate metrics from multiple instances.

Why this answer

Option D is correct because CloudWatch dashboards can display metrics from multiple sources in one view. Option A is wrong because CloudWatch Logs is for log data, not metrics. Option B is wrong because CloudWatch Alarms are for thresholds. Option C is wrong because CloudWatch Events is for event-driven actions.

106
MCQ · easy

A company runs SAP Business Suite on AWS. The SAP application servers are behind an Application Load Balancer (ALB). The operations team notices that occasionally, some requests fail with HTTP 503 errors. The team checks the ALB and finds that the target group has healthy instances. The SAP application logs show no errors. What is the most likely cause of the 503 errors?

A. The security groups for the application servers do not allow traffic from the ALB.
B. The SSL certificate on the ALB has expired.
C. The target group health checks are misconfigured, marking instances as healthy when they are not.
D. The ALB connection draining timeout is set too low, causing requests to be routed to instances that are being de-registered.
Answer: D

Connection draining ensures in-flight requests complete, but if timeout is too short, requests may fail.

Why this answer

Option A is correct. If the ALB connection draining timeout is too short, the ALB may send requests to instances that are being de-registered, resulting in 503 errors. Option B is wrong because if instances were unhealthy, the ALB would not route traffic to them.

Option C is wrong because SSL issues would cause other errors, not necessarily 503. Option D is wrong because security group misconfigurations would typically cause connection timeouts, not 503 errors.

107
MCQhard

A company runs SAP S/4HANA in a multi-AZ deployment with a primary and standby database. During a planned failover test, the database fails over but the SAP system becomes unresponsive. Investigation reveals that the SAP application servers cannot connect to the new primary database because the database VIP is not updated. What is the most likely cause?

A.The HANA instance number changed after failover.
B.The DNS record for the HANA host still points to the old primary IP address.
C.The HANA hostname in the SAP profile is set to the physical instance hostname instead of the VIP.
D.The HANA database VIP is not configured to move to the new primary instance during failover.
AnswerD

The VIP must be reassigned to the new primary for seamless connectivity.

Why this answer

Option A is correct because in a typical SAP HANA multi-AZ setup, a virtual IP address (VIP) is used for application connectivity. If the VIP is not moved to the new primary, applications will try to connect to the old primary. Option B is wrong because DNS changes are not typically used for HANA failover.

Option C is wrong because the HANA hostname usually remains constant via VIP. Option D is wrong because the HANA instance number does not change during failover.

108
MCQmedium

An SAP system is deployed across multiple Availability Zones using an Application Load Balancer (ALB). The Operations team notices that during a failover test, the ALB is sending traffic to unhealthy instances. Which configuration change would ensure the ALB stops sending traffic to unhealthy targets?

A.Enable sticky sessions (session affinity).
B.Configure a health check with appropriate thresholds and interval.
C.Increase the deregistration delay value.
D.Enable cross-zone load balancing.
AnswerB

Health checks determine if a target is healthy; if thresholds are too lenient, unhealthy instances may still receive traffic.

Why this answer

Option C is correct because configuring health checks properly ensures the ALB marks instances as unhealthy and stops routing traffic. Option A is wrong because increasing deregistration delay only affects how long connections are drained, not health check behavior. Option B is wrong because cross-zone load balancing distributes traffic across AZs, not health.

Option D is wrong because enabling sticky sessions does not affect health routing.

109
MCQhard

An SAP system is running on EC2 instances in a VPC. The security team requires that all traffic between the SAP application and database tiers be encrypted in transit. Which solution meets this requirement with minimal latency?

A.Use an AWS Site-to-Site VPN connection between the tiers
B.Use security groups to allow traffic only between the instances, with IPsec configured
C.Use an Application Load Balancer with TLS termination in front of the database tier
D.Install TLS certificates on each EC2 instance and enable HTTPS
AnswerB

IPsec within the same VPC can encrypt traffic with minimal latency when implemented correctly.

Why this answer

Option C is correct because using an Application Load Balancer with TLS termination at the application tier adds latency and complexity. Option A (AWS VPN) is for site-to-site, not internal. Option B (TLS certificates on each instance) adds CPU overhead for encryption.

Option D is correct because using security groups with IPsec is not possible natively; IPsec requires VPN or Transit Gateway.

110
MCQeasy

An SAP administrator needs to grant an external auditor read-only access to view SAP system logs stored in CloudWatch Logs. Which AWS identity-based policy should be used?

A.AWSSupportAccess
B.CloudWatchLogsReadOnlyAccess
C.AmazonS3ReadOnlyAccess
D.CloudWatchReadOnlyAccess
AnswerB

This policy grants read-only access to CloudWatch Logs.

Why this answer

Option A is correct because AWS managed policy CloudWatchLogsReadOnlyAccess provides read-only access to CloudWatch Logs. Option B is wrong because CloudWatchReadOnlyAccess includes metrics but not logs. Option C is wrong because AmazonS3ReadOnlyAccess is for S3.

Option D is wrong because AWSSupportAccess is for support cases.

111
MCQhard

A company runs SAP on AWS and uses a custom AMI for their EC2 instances. They want to ensure that all instances launched from this AMI automatically have the SAP host agent installed and configured. What is the most efficient way to achieve this?

A.Use AWS Systems Manager Run Command to install the agent after launch.
B.Create a new AMI that includes the SAP host agent pre-installed and configured.
C.Use a user data script that installs and configures the SAP host agent at instance launch.
D.Use AWS CodeDeploy to automatically deploy the agent to new instances.
AnswerB

A custom AMI ensures consistency and eliminates post-launch steps.

Why this answer

Option C is correct because baking the configuration into the AMI ensures that every instance launched has it without additional steps. Option A is wrong because user data runs at launch but adds a step and potential failure point. Option B is wrong because it requires manual execution.

Option D is wrong because it requires managing code and adds complexity.

112
Multi-Selecteasy

A company is planning to migrate its SAP workloads to AWS. Which THREE AWS services are commonly used to set up a secure network connectivity between on-premises and AWS? (Choose THREE.)

Select 3 answers
A.AWS Transit Gateway
B.AWS Site-to-Site VPN
C.AWS Direct Connect
D.VPC Peering
E.AWS Client VPN
AnswersA, B, C

Acts as a hub to connect VPCs and on-premises networks.

Why this answer

Options A, B, and C are correct. AWS VPN, Direct Connect, and Transit Gateway are used for hybrid connectivity. Option D is not correct because VPC Peering is for VPC-to-VPC, not on-premises.

Option E is not correct because Client VPN is for individual clients.

113
MCQeasy

Your SAP system on AWS uses a shared file system with Amazon EFS. The operations team notices that the SAP application is experiencing latency when reading files from EFS. Which action can improve read performance?

A.Use Amazon FSx for Windows File Server instead.
B.Move the file system to Amazon EBS with provisioned IOPS.
C.Use Amazon S3 with Transfer Acceleration.
D.Enable EFS performance mode 'max I/O'.
AnswerD

Improves throughput.

Why this answer

Option D is correct because enabling EFS 'max I/O' performance mode increases the file system's ability to handle a high number of concurrent read operations by distributing data across multiple servers within the AWS region. This mode is specifically designed for workloads like SAP that require high throughput and low-latency access to shared files, as it scales I/O operations horizontally without the bottleneck of a single file server.

Exam trap

The trap here is that candidates often confuse EFS performance modes with throughput settings, assuming 'max I/O' only helps with write-heavy workloads, when in fact it is critical for read-heavy, high-concurrency scenarios like SAP shared file systems.

How to eliminate wrong answers

Option A is wrong because Amazon FSx for Windows File Server uses the SMB protocol, which is not optimized for SAP's typical NFS-based shared file system requirements and can introduce additional latency due to protocol translation overhead. Option B is wrong because moving to Amazon EBS with provisioned IOPS would require attaching the volume to a single EC2 instance, breaking the shared file system requirement for SAP's distributed architecture and failing to provide concurrent access across multiple application servers. Option C is wrong because Amazon S3 with Transfer Acceleration is an object storage service that does not support file-level locking or POSIX semantics required by SAP for shared file systems, and Transfer Acceleration only improves upload speeds over long distances, not read latency for existing files.

114
MCQeasy

A company is using SAP HANA on AWS and needs to restore a backup to a new HANA instance. Which AWS service should be used to automate the backup and restore process?

A.AWS Backup
B.Amazon Data Lifecycle Manager (DLM)
C.AWS CloudFormation
D.Amazon S3
AnswerA

AWS Backup supports SAP HANA with Backint integration for automated backups.

Why this answer

Option C is correct because AWS Backup can automate backups of SAP HANA databases using Backint. Option A is wrong because S3 is storage, not automation. Option B is wrong because DLM manages EBS snapshots, not HANA backups.

Option D is wrong because CloudFormation is for infrastructure provisioning.

115
MCQhard

Refer to the exhibit. An IAM policy is attached to a user who manages SAP EC2 instances. Which of the following actions can the user perform?

A.Describe all EC2 instances, but start and stop only those with the tag Environment=production.
B.Describe, start, and stop all EC2 instances regardless of tags.
C.Start and stop any EC2 instance in the account.
D.Terminate any EC2 instance with the tag Environment=production.
AnswerA

The describe action is wildcard; start/stop have condition.

Why this answer

Option C is correct because the policy allows ec2:Describe* on all resources, and StartInstances and StopInstances only on instances with tag Environment=production. The user cannot start/stop instances without the tag. Option A is wrong because the user can describe all instances.

Option B is wrong because the user can only start/stop production instances. Option D is wrong because the policy does not allow termination.

116
Multi-Selecthard

Which THREE actions should be taken to ensure a secure and compliant SAP environment on AWS? (Choose 3)

Select 3 answers
A.Place all SAP servers in a public subnet for easy access
B.Restrict IAM permissions to only necessary actions
C.Use security groups to restrict inbound and outbound traffic
D.Enable encryption on EBS volumes and RDS instances
E.Store all application logs in Amazon S3 with public read access
AnswersB, C, D

Least privilege reduces security risks.

Why this answer

Options A, B, and D are correct. A: IAM policies enforce least privilege. B: Encryption protects data at rest.

D: Security groups control network access. Option C is wrong because public subnets expose resources. Option E is wrong because CloudTrail is for auditing, not storing logs.

117
MCQmedium

A company is running SAP on AWS and needs to reduce the cost of their development and test systems. The systems are only needed during business hours on weekdays. Which AWS service can be used to automatically stop and start the EC2 instances on a schedule?

A.AWS Instance Scheduler
B.Amazon EC2 Auto Scaling
C.Amazon CloudWatch Alarms
D.AWS Systems Manager Maintenance Windows
AnswerA

Instance Scheduler automates start/stop on a schedule.

Why this answer

Option A is correct because AWS Instance Scheduler is a solution that automatically stops and starts instances based on a schedule. Option B is wrong because Auto Scaling is for scaling, not scheduling. Option C is wrong because Systems Manager Maintenance Windows are for patching.

Option D is wrong because CloudWatch Alarms trigger based on metrics, not time-based schedules.

118
MCQhard

A company has an SAP S/4HANA system running on AWS with a custom backup solution that uses AWS Backup. The backup policy includes daily backups with a retention of 30 days. The operations team notices that backup jobs for the SAP application server are failing intermittently. What should the team do to troubleshoot the issue?

A.Verify that the IAM role used by AWS Backup has sufficient permissions.
B.Review the CloudWatch Logs for the backup job to identify error messages.
C.Switch to using SAP HANA Studio for backups.
D.Increase the backup frequency to capture more recovery points.
AnswerB

CloudWatch Logs contain detailed error information for troubleshooting.

Why this answer

Option D is correct because checking CloudWatch Logs for backup job errors provides specific details on failures. Option A is wrong because increasing backup frequency does not address the root cause. Option B is wrong because moving to a different backup tool may not be necessary.

Option C is wrong because, while helpful, checking IAM roles may not be the only issue.

119
MCQeasy

An SAP system administrator needs to restart a critical SAP application server EC2 instance that is part of a cluster. Which approach minimizes downtime?

A.Modify the instance type in the AWS Management Console.
B.Reboot the instance from the AWS Management Console.
C.Stop and start the instance from the AWS Management Console.
D.Terminate the instance and launch a new one with the same AMI.
AnswerB

Reboot is the fastest recovery without changing the host.

Why this answer

Option A is correct because a reboot does not change the underlying host, and the instance retains its public and private IP addresses. Option B is wrong because stop/start changes the underlying host and may take longer. Option C is wrong because terminating and launching a new instance loses all data on instance store volumes.

Option D is wrong because modifying instance type requires stop/start.

120
MCQhard

An SAP system on AWS uses a shared file system with Amazon EFS. The operations team notices that file operations have high latency during peak hours. The EFS file system is configured with Bursting Throughput mode. The team monitors the CloudWatch metric PercentIOLimit and sees it consistently at 100%. What should the team do to improve performance?

A.Enable encryption at rest for the file system
B.Change the performance mode to General Purpose
C.Increase the size of the file system by adding more files
D.Change the file system to Provisioned Throughput mode
AnswerD

Provisioned Throughput ensures consistent throughput regardless of burst credits.

Why this answer

PercentIOLimit at 100% indicates the file system is using all its burst credits. To avoid throttling, the team should change to Provisioned Throughput mode or increase the amount of data stored to earn more credits. Changing to General Purpose performance mode affects latency, not throughput.

Enabling encryption adds overhead. Increasing file system size indirectly helps earn more credits but is not a direct solution.

121
MCQeasy

An SAP administrator is troubleshooting connectivity between an SAP application server (security group sg-12345) and an SAP HANA database server. The inbound rule on the database security group is shown in the exhibit. Which additional configuration is required for the application server to communicate with the database?

A.Add an inbound rule allowing traffic from the application server's IP address.
B.Add an inbound rule to the application server's security group.
C.Modify the network ACL to allow inbound traffic on port 3300.
D.No additional rule is needed; the rule allows traffic from sg-12345.
AnswerC

NACLs are stateless and must allow both inbound and outbound traffic.

Why this answer

Option A is correct because the rule references the source security group, but the direction is inbound; the database needs an inbound rule allowing traffic from sg-12345. Without that, traffic is blocked. Option B is wrong because the rule already references sg-12345.

Option C is wrong because NACLs are stateless and need both inbound and outbound rules, but the question is about security group. Option D is wrong because the application server needs an outbound rule, not inbound.

122
MCQhard

An SAP administrator notices that the sapstartsrv process on an EC2 instance is failing to start after a system reboot. The instance is running SUSE Linux Enterprise Server (SLES) for SAP Applications. Which of the following log files should be examined FIRST to diagnose the issue?

A./var/log/messages
B./usr/sap/<SID>/SYS/global/sapstartsrv.log
C.SAP HANA studio trace files
D.Amazon CloudWatch logs for the instance
AnswerB

The sapstartsrv log file contains detailed information about the startup process of the SAP start service.

Why this answer

Option A is correct because sapstartsrv logs are stored in the SAP system profile directory. Option B is wrong because /var/log/messages contains system messages but not SAP-specific logs. Option C is wrong because the SAP HANA studio log is for database issues.

Option D is wrong because CloudWatch logs would not contain local boot logs unless configured.

123
MCQhard

An SAP system on AWS is experiencing high latency between the application server and the database server. Both servers are in the same VPC but in different Availability Zones. Which action should the administrator take to reduce latency?

A.Create a placement group and launch both instances in it
B.Move the application and database servers to the same Availability Zone
C.Upgrade the instance types to compute-optimized instances
D.Use AWS Direct Connect to connect the servers
AnswerB

Reduces network latency.

Why this answer

Option A is correct because placing both instances in the same AZ reduces network hops. Option B is wrong because increasing instance size does not directly reduce latency. Option C is wrong because using a VPN adds complexity and may not reduce latency.

Option D is wrong because, while using a placement group may help, placing both instances in the same AZ is more direct.

124
MCQhard

A company runs a critical application on an EC2 instance that uses a large EBS volume for database storage. The volume is not encrypted at rest. To meet compliance requirements, the company must enable encryption on the volume with minimal downtime. Which solution meets these requirements?

A.Take a snapshot of the volume with encryption enabled, create a new encrypted volume from the snapshot, detach the original volume, and attach the new volume
B.Use the AWS Management Console to modify the volume and enable encryption in place
C.Take a snapshot of the volume, copy the snapshot with encryption enabled, then restore to a new volume and attach it to the instance
D.Detach the volume, enable encryption using the ModifyVolume API, then reattach
AnswerA

Creating an encrypted snapshot and restoring it to a new encrypted volume is the standard procedure with minimal downtime.

Why this answer

Option A is correct because taking a snapshot of the unencrypted volume with encryption enabled creates an encrypted snapshot. From that snapshot, you can create a new encrypted EBS volume. Detaching the original volume and attaching the new encrypted volume to the same EC2 instance achieves encryption with minimal downtime—only the brief period required for the detach/attach operations.

This approach does not require copying the snapshot, which would add unnecessary time.

Exam trap

The trap here is that candidates may think the ModifyVolume API or console modification can enable encryption on an existing volume, but AWS does not support in-place encryption changes—only snapshot-based workflows are valid.

How to eliminate wrong answers

Option B is wrong because the AWS Management Console does not support enabling encryption in place on an existing EBS volume; encryption can only be applied during volume creation or via snapshot operations. Option C is wrong because while it works, it introduces unnecessary additional time by copying the snapshot before restoring, which increases downtime compared to directly creating the volume from the original encrypted snapshot. Option D is wrong because the ModifyVolume API does not support enabling encryption on an existing volume; it can only modify size, volume type, or IOPS, not encryption attributes.

125
MCQmedium

A company wants to centralize monitoring of EC2 instance metrics across multiple AWS accounts. Which solution is MOST scalable and cost-effective?

A.Log in to each account and view CloudWatch metrics individually.
B.Use CloudWatch cross-region metrics to aggregate metrics in a single account.
C.Configure each account to publish metrics to an S3 bucket and use Athena to query.
D.Set up CloudWatch cross-account observability with a monitoring account.
AnswerD

Provides centralized, real-time monitoring with minimal overhead.

Why this answer

CloudWatch cross-account observability allows you to centralize monitoring by designating a monitoring account that can view metrics, logs, and traces from multiple source accounts. This approach is scalable because it uses a single monitoring account without requiring manual logins or complex data pipelines, and it is cost-effective because you only pay for the metrics you ingest and store in the monitoring account, avoiding redundant data transfers or storage costs.

Exam trap

The trap here is that candidates may confuse cross-region metrics (which aggregate across regions but not accounts) with cross-account observability, or they may overcomplicate the solution by choosing S3 and Athena, which is less efficient and more costly than the native cross-account feature.

How to eliminate wrong answers

Option A is wrong because manually logging into each account to view metrics individually is not scalable and introduces operational overhead, especially as the number of accounts grows. Option B is wrong because CloudWatch cross-region metrics aggregate metrics across regions, not across accounts; they do not solve the multi-account centralization requirement. Option C is wrong because publishing metrics to an S3 bucket and querying with Athena incurs additional costs for S3 storage, Athena query execution, and data transfer, and it adds latency and complexity compared to native CloudWatch cross-account observability.

126
MCQmedium

A company is running an SAP HANA database on an AWS EC2 instance. The system administrator needs to ensure that the database logs are automatically backed up to Amazon S3 and retained for 30 days. Which combination of AWS services can achieve this with minimal operational overhead?

A.Use Amazon CloudWatch Logs with a retention policy of 30 days.
B.Use an S3 Lifecycle Policy to transition logs to S3 Glacier after 30 days.
C.Use an S3 Lifecycle Policy to transition logs to S3 Standard-IA after 30 days.
D.Use AWS Backup to schedule backups of the EC2 instance.
AnswerB

Glacier is cost-effective for long-term retention and the policy can delete after 30 days.

Why this answer

Option B is correct because it uses a Lifecycle Policy to transition logs to S3 Glacier after 30 days, meeting the retention requirement with minimal overhead. Option A involves manual scripting and lifecycle rules that don't automatically delete logs after 30 days. Option C uses CloudWatch Logs but doesn't automatically delete logs after 30 days.

Option D uses AWS Backup, which is for EC2 backups, not log files.

127
MCQmedium

A company runs SAP on AWS and uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances running SAP Web Dispatcher. The ALB has a target group with health checks configured on port 8080. Recently, the operations team noticed that some instances are being deregistered due to health check failures. The instances are healthy and the Web Dispatcher is running. The health check response time is consistently below 2 seconds. What is the most likely cause?

A.The health check interval is too short, causing the threshold to be exceeded.
B.The security group for the instances blocks inbound traffic from the internet.
C.The instances are running out of memory.
D.The health check path is incorrect.
AnswerA

Short interval with low threshold can cause intermittent failures.

Why this answer

Option B is correct because the health check threshold may be set too low, causing false positives. Option A is wrong because if the path were wrong, all health checks would fail. Option C is wrong because the ALB health checks come from its own IPs, not the internet.

Option D is wrong if the instances are healthy.

128
MCQmedium

A company is running an SAP HANA database on an EC2 instance with EBS volumes. The operations team notices that the /hana/data filesystem is growing faster than expected and the available space is critically low. Which action should be taken to monitor the disk space usage proactively?

A.Configure AWS Budgets to alert on storage costs.
B.Use AWS Config rules to monitor disk space.
C.Publish custom CloudWatch metrics for disk space and set an alarm.
D.Create an AWS Trusted Advisor check for disk utilization.
AnswerC

Custom CloudWatch metrics can monitor disk space and trigger alarms.

Why this answer

Option C is correct because CloudWatch custom metrics can be used to monitor disk space utilization on EC2 instances, and an alarm can be set to notify when usage exceeds a threshold. Option A is wrong because AWS Trusted Advisor does not monitor disk space on EC2 instances directly. Option B is wrong because AWS Config evaluates resource configurations, not disk space.

Option D is wrong because AWS Budgets tracks cost usage, not disk space.

129
Multi-Selecthard

A company runs SAP ERP on AWS. The system includes a primary application server and a secondary application server for high availability. The secondary server is not receiving updates from the primary. Which THREE steps should the administrator take to investigate?

Select 3 answers
A.Restart the secondary application server to force a resync.
B.Verify network connectivity between the primary and secondary servers using ping or telnet on SAP ports.
C.Review the SAP message server trace logs for errors.
D.Check the status of SAP enqueue replication using transaction SM51.
E.Check the SAP Gateway service status on the primary server.
AnswersB, C, D

Network issues are a common cause of replication failure.

Why this answer

Options B, C, and D are correct. Checking the SAP enqueue replication status (B) verifies that locks are being replicated. Reviewing the SAP message server logs (C) can show communication errors.

Verifying network connectivity between servers (D) is fundamental. Option A is wrong because the SAP Gateway is not directly related to replication. Option E is wrong because the secondary server should not be restarted without investigation.

130
MCQmedium

A company is running SAP on AWS and needs to ensure high availability for their SAP HANA database. They have set up a multi-AZ deployment with replication. During a planned failover test, the secondary node fails to take over. Which AWS service should be used to monitor and automatically remediate the replication status?

A.AWS Lambda
B.AWS Systems Manager Automation
C.Amazon CloudWatch
D.AWS Elastic Beanstalk
AnswerB

Systems Manager Automation provides runbooks that can monitor and auto-remediate HANA replication issues.

Why this answer

Option B (AWS Systems Manager Automation) is correct because it can run automated runbooks to check and remediate replication issues. Option A (AWS Lambda) can be used but requires custom scripting and is not as integrated for remediation. Option C (Amazon CloudWatch) only monitors and does not automatically remediate.

Option D (AWS Elastic Beanstalk) is not relevant for HANA replication.

131
MCQhard

An SAP administrator is troubleshooting a failed backup of an SAP HANA database running on an EC2 instance. The backup is configured to use AWS Backup with a backup vault. The error log shows: 'AccessDenied: User: arn:aws:sts::123456789012:assumed-role/AWSBackupRole/backup-job is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:123456789012:key/abcd1234-...' Which IAM policy modification is required to resolve this issue?

A.Add cloudhsm:Decrypt permission to the backup role.
B.Add kms:Decrypt permission to the backup role on the KMS key.
C.Add kms:CreateGrant permission to the backup role.
D.Add kms:Encrypt permission to the backup role.
AnswerB

The error shows that the backup role is not authorized to perform kms:Decrypt on the KMS key; adding this permission will resolve the issue.

Why this answer

Option C is correct because the backup role needs kms:Decrypt permission on the KMS key used to encrypt the backup vault. Option A is wrong because kms:Encrypt is required for writing, but the error shows a failure at decrypt. Option B is wrong because kms:CreateGrant is not needed for this operation.

Option D is wrong because cloudhsm:Decrypt is not relevant.

132
Multi-Selectmedium

A company runs SAP HANA on AWS and needs to implement a disaster recovery (DR) strategy. The DR site must have a Recovery Time Objective (RTO) of 30 minutes and a Recovery Point Objective (RPO) of 15 minutes. Which two AWS services should be used together to achieve these objectives? (Choose TWO.)

Select 2 answers
A.AWS Database Migration Service
B.SAP HANA System Replication
C.AWS CloudEndure Disaster Recovery
D.Amazon S3
E.Amazon EBS snapshots
AnswersB, E

Provides near-synchronous replication for low RPO.

Why this answer

Option B (HANA System Replication) is correct because it provides near-synchronous replication with low RPO. Option D (Amazon EBS snapshots) is correct if combined with replication, but for RPO of 15 minutes, HANA replication is more suitable. However, the question expects two services: HANA System Replication (for real-time replication) and Amazon EBS snapshots (for additional recovery points).

Option A is wrong because S3 is not used for HANA replication. Option C is wrong because DMS is for database migration, not DR. Option E is wrong because CloudEndure is for server-level replication, but not specifically for HANA.

133
MCQeasy

An SAP Basis administrator needs to monitor the memory usage of an SAP HANA database running on an EC2 instance. Which AWS service should be used to collect and visualize custom memory metrics from the OS?

A.AWS CloudTrail
B.Amazon CloudWatch with the CloudWatch Agent
C.AWS Systems Manager Inventory
D.AWS Config
AnswerB

CloudWatch Agent collects custom OS metrics like memory and sends them to CloudWatch.

Why this answer

Option A is correct because CloudWatch Agent can collect custom metrics from the OS and send them to CloudWatch. Option B is wrong because AWS Config is for resource configuration tracking. Option C is wrong because Systems Manager Inventory collects software inventory, not real-time memory metrics.

Option D is wrong because CloudTrail logs API activity, not OS metrics.

134
MCQhard

An SAP system on AWS uses a custom AMI for its application servers. The operations team needs to update the AMI to include a new security patch. What is the MOST efficient way to update all existing instances without downtime?

A.Create a new AMI version, update the Auto Scaling group's launch template, and perform a rolling update.
B.Stop all instances, apply the patch, create a new AMI, and start instances.
C.Use AWS Systems Manager Patch Manager to apply the patch to all running instances.
D.Create a new AMI, launch new instances manually, and terminate old ones.
AnswerA

This approach updates the AMI and replaces instances with minimal downtime.

Why this answer

Option A is correct because using a launch template with a new AMI version and a rolling update via the Auto Scaling group minimizes downtime. Option C is wrong because patching each instance individually is manual and error-prone. Option B is wrong because stopping instances causes downtime. Option D is wrong because creating new instances manually is inefficient.

135
MCQ · medium

An SAP HANA database is experiencing high memory utilization. The operations team needs to determine if the database is using more memory than allocated. Which CloudWatch metric should they monitor?

A. MemoryUtilization
B. SwapUsage
C. CPUUtilization
D. HANA_Memory_Usage
Answer: A

This metric (published by the SAP HANA agent) shows memory utilization percentage.

Why this answer

Option A is correct because `MemoryUtilization` is a custom metric typically published by the SAP HANA agent. Option D (`HANA_Memory_Usage`) is not a standard metric name. Option B (`SwapUsage`) shows swap, not memory. Option C (`CPUUtilization`) is for CPU.

136
MCQ · medium

An SAP Basis administrator is troubleshooting a performance issue on an SAP application server running on an Amazon EC2 instance. The administrator notices high CPU utilization. Which AWS tool can provide detailed insights into the CPU usage at the process level without installing additional agents?

A. AWS Systems Manager Inventory
B. Amazon CloudWatch CPU Utilization metric
C. Amazon EC2 Instance Connect
D. AWS Systems Manager Run Command
Answer: D

Run Command can execute scripts like 'top' to get process-level CPU usage without additional agents.

Why this answer

AWS Systems Manager Inventory collects metadata about instances but not process-level CPU. EC2 Instance Connect is for shell access. CloudWatch metrics provide aggregate CPU, not per-process.

Systems Manager Run Command can execute scripts to gather process data. The question asks for a tool that provides the information directly without agents; Systems Manager, using the default agent, can run commands to get process-level data, which is more direct than the other options. CloudWatch does not provide process-level CPU without custom metrics.

137
MCQ · easy

An SAP administrator needs to apply a security patch to the operating system of an EC2 instance running SAP. The instance is part of an Auto Scaling group. What is the best practice to apply the patch while minimizing downtime?

A. Create a new AMI with the patch applied, update the launch configuration, and perform a rolling update using an Auto Scaling lifecycle hook.
B. Update the launch configuration with the patched AMI and manually terminate running instances.
C. Stop the Auto Scaling group, patch the instance, and restart the group.
D. SSH into each instance and apply the patch manually.
Answer: A

Rolling updates replace instances one at a time, minimizing downtime.

Why this answer

Option A is correct because using a lifecycle hook with a new AMI ensures patched instances replace old ones without downtime. Option B is wrong because updating the launch configuration does not affect running instances. Option D is wrong because patching in place may require downtime and manual steps. Option C is wrong because stopping the instance causes downtime.

138
MCQ · medium

An SAP system on AWS uses an Auto Scaling group for the application tier. The scaling policy is based on the average CPU utilization of the EC2 instances. During peak hours, the system scales out, but the new instances take a long time to become available because they need to install SAP software and configure it. This delay causes performance degradation. The operations team wants to reduce the time to scale out. Which solution should they implement?

A. Increase the instance size to reduce boot time.
B. Create a custom AMI with SAP software pre-installed and use it in the launch configuration.
C. Switch to AWS Elastic Beanstalk for automatic scaling.
D. Use an instance store-backed AMI instead of EBS-backed.
Answer: B

Custom AMI reduces provisioning time.

Why this answer

Option B is correct because using a pre-configured AMI with SAP software pre-installed eliminates the need for installation at launch. Option D is wrong because instance store is ephemeral. Option C is wrong because Elastic Beanstalk is not the best fit for SAP. Option A is wrong because increasing instance size does not reduce launch time.

139
MCQ · easy

An SAP administrator needs to restore an SAP HANA database from a backup stored in Amazon S3. The backup was created using AWS Backup. What is the required IAM permission for the restore operation?

A. kms:Decrypt
B. s3:GetObject
C. s3:PutObject
D. ec2:DescribeInstances
Answer: B

Restore requires reading the backup file from S3.

Why this answer

Option B is correct because to restore from S3, the HANA database user or the backup tool needs s3:GetObject permission to read the backup files. Option C is wrong because s3:PutObject is for writing backups. Option D is wrong because ec2:DescribeInstances is not needed for a restore from S3. Option A is wrong because kms:Decrypt may be needed if encryption is used, but the question asks for the required permission, and GetObject is essential.

140
MCQ · medium

An operations team is responsible for patching the operating system of SAP EC2 instances. They want to automate the patching process while minimizing downtime. Which approach should they use?

A. Deploy a configuration management tool like AWS OpsWorks to apply patches.
B. Use AWS Systems Manager Patch Manager with a maintenance window and a patch baseline.
C. Schedule a weekly maintenance window and manually apply patches via RDP/SSH.
D. Create an Auto Scaling group with a custom AMI that includes the latest patches.
Answer: B

Patch Manager automates patching and can be scheduled to minimize downtime.

Why this answer

Option B is correct because AWS Systems Manager Patch Manager automates patching with minimal downtime when used with a maintenance window. Option C is wrong because manual patching is not automated. Option A is wrong because OpsWorks is not designed for OS patching. Option D is wrong because Auto Scaling groups are for scaling, not patching.

141
MCQ · easy

A company runs SAP on AWS and uses AWS CloudTrail to monitor API activity. The security team wants to receive real-time notifications when specific SAP-related API calls are made. Which AWS service should they use to filter and forward these events?

A. Amazon Inspector
B. AWS Config
C. Amazon EventBridge
D. AWS Trusted Advisor
Answer: C

EventBridge can filter CloudTrail events and trigger actions.

Why this answer

Option C is correct because Amazon EventBridge can ingest CloudTrail events and route them to targets such as SNS for notifications based on event patterns. Option A is wrong because Amazon Inspector is for vulnerability assessment. Option B is wrong because AWS Config is for resource compliance. Option D is wrong because AWS Trusted Advisor provides best practice checks, not real-time event filtering.

142
MCQ · easy

A company runs SAP on AWS and needs to automate the patching of SAP application servers. The solution should apply patches during a defined maintenance window and ensure high availability. What is the most efficient approach?

A. Use AWS Systems Manager Patch Manager with a maintenance window.
B. Update the CloudFormation stack to replace instances with new AMIs.
C. Use AWS Lambda to invoke Run Command on each instance sequentially.
D. Manually connect to each instance via SSH and apply patches.
Answer: A

Patch Manager automates patching with scheduled maintenance windows and can target Auto Scaling groups for HA.

Why this answer

Option A is correct because AWS Systems Manager automates patching with maintenance windows and supports high availability by targeting instances in an Auto Scaling group. Option C (Lambda with Run Command) is possible but less efficient. Option D (manual patching via SSH) is not automated. Option B (CloudFormation update) is complex and not ideal for patching.

143
Multi-Select · hard

Which THREE steps should be taken when troubleshooting a slow-running SAP HANA database on AWS? (Select THREE.)

Select 3 answers
A. Immediately scale up the EC2 instance type
B. Review HANA SQL plan cache for slow queries
C. Check CloudWatch metrics for CPU utilization and disk I/O
D. Review IAM roles attached to the instance
E. Verify HANA memory allocation and check for memory pressure
Answers: B, C, E

Slow queries can indicate performance issues.

Why this answer

Option E is correct: verifying memory allocation is a key step. Option C is correct: check CPU utilization. Option B is correct: review slow queries. Option A is incorrect: scaling up before analysis may be premature. Option D is incorrect: checking IAM roles is not directly related to HANA performance.

144
MCQ · hard

An SAP administrator receives an alert that the SAP HANA database is using 95% of its allocated memory. The system is running on an EC2 instance with 1 TB of RAM. The administrator needs to add more memory without significant downtime. Which action should be taken?

A. Modify the EC2 instance type to a larger size while the instance is running.
B. Add additional EBS volumes to the instance to increase memory capacity.
C. Stop the SAP HANA database, change the EC2 instance type to one with more memory, then restart the database.
D. Increase the swap space on the instance to provide virtual memory.
Answer: C

This provides the needed memory increase with controlled downtime.

Why this answer

Option C (Stop the SAP HANA database, change the EC2 instance type to one with more memory, restart the database) is correct because it directly increases memory with minimal downtime. Option D (Add swap space) is not a permanent solution. Option A (Modify instance type while running) is not supported for all instance types. Option B (Add more EBS volumes) does not increase RAM.

145
MCQ · hard

An SAP administrator is reviewing a CloudFormation template that defines an Auto Scaling group for SAP application servers. The exhibit shows the relevant section. The group currently has 2 instances running. The administrator wants to ensure that during a rolling update, at least one instance remains available. Which property should be added?

A. UpdatePolicy attribute with AutoScalingRollingUpdate and MinInstancesInService set to 1.
B. Set MaxSize to 1.
C. Set DesiredCapacity to 3.
D. Add a HealthCheckGracePeriod of 300 seconds.
Answer: A

This ensures that during updates, at least one instance remains in service.

Why this answer

Option A is correct because UpdatePolicy with AutoScalingRollingUpdate allows control of the rolling update, including MinInstancesInService to keep at least one instance running. Option C is wrong because DesiredCapacity only sets the target count. Option D is wrong because HealthCheckGracePeriod is for health checks. Option B is wrong because MaxSize does not control rolling updates.

146
MCQ · hard

A company uses AWS Config to record resource changes and evaluate rules. Recently, the compliance status of an S3 bucket rule changed from COMPLIANT to NON_COMPLIANT. The operations team investigates and finds that the bucket policy was modified. What is the MOST efficient way to identify who made the change and the exact time?

A. Examine the S3 server access logs for the bucket.
B. Search AWS CloudTrail event history for PutBucketPolicy events for the S3 bucket.
C. Review the configuration timeline in AWS Config for the S3 bucket.
D. Use AWS Systems Manager Automation to run a script that checks CloudWatch Logs.
Answer: B

CloudTrail records all API calls with details.

Why this answer

AWS CloudTrail captures all API calls made to AWS services, including S3 bucket policy modifications via the PutBucketPolicy API. By searching the CloudTrail event history for PutBucketPolicy events filtered by the specific S3 bucket ARN, you can directly identify the IAM user or role that made the change, along with the exact timestamp. This is the most efficient method because it provides a complete audit trail of API activity without requiring additional logging setup or parsing.

Exam trap

The trap here is that candidates confuse AWS Config's configuration timeline (which shows what changed and when, but not who) with CloudTrail's audit trail (which shows who made the API call), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because S3 server access logs record object-level requests (GET, PUT, DELETE) and do not capture management-plane API calls like PutBucketPolicy; they would not show who modified the bucket policy. Option C is wrong because the AWS Config configuration timeline shows resource configuration changes and compliance status over time, but it does not record the identity of the user or service that made the change. Option D is wrong because AWS Systems Manager Automation is designed for operational runbooks and remediation, not for querying audit logs; using it to check CloudWatch Logs is an inefficient, roundabout approach compared to directly querying CloudTrail.

147
MCQ · easy

An SAP system administrator receives an alert that an EBS volume attached to an SAP application server is at 95% capacity. The volume is 100 GB gp2 and stores log files. What is the MOST efficient way to resolve the space issue?

A. Increase the volume size using Amazon EBS Elastic Volumes.
B. Delete the oldest log files manually.
C. Configure log rotation and move old logs to Amazon S3 Glacier.
D. Attach an additional EBS volume for log storage.
Answer: C

Automating archiving to S3 Glacier frees space and retains logs for compliance.

Why this answer

Option C is correct because archiving old logs to Amazon S3 Glacier frees space and provides cost-effective long-term storage. Option B is wrong because manual deletion is error-prone, and log rotation must be configured before deleting. Option A is wrong because increasing volume size is temporary.

148
MCQ · medium

An SAP HANA database on AWS is configured with automatic backups to Amazon S3. The backup process is failing with the error 'Access Denied'. The administrator has confirmed the S3 bucket exists and the IAM role attached to the EC2 instance has the correct permissions. What could be the issue?

A. The S3 bucket has a bucket policy that denies access to the IAM role
B. The IAM role's trust policy does not allow the EC2 service
C. The S3 bucket is encrypted with AWS KMS and the role lacks kms:Decrypt permissions
D. The VPC does not have an S3 VPC endpoint configured
Answer: A

A bucket policy with an explicit deny overrides IAM permissions.

Why this answer

If the bucket policy denies access, that explicit deny overrides the allow in the IAM role. The error indicates a permissions issue. A missing trust policy would matter only if the role could not be assumed, but the error suggests access was denied at S3. The bucket policy is likely the cause. KMS key issues would give a different error. VPC endpoint issues would cause connectivity errors.

149
MCQ · easy

An SAP administrator needs to receive alerts when the CPU utilization of an SAP application server exceeds 90% for 5 minutes. Which AWS service should be used to set up the alert?

A. VPC Flow Logs
B. Amazon CloudWatch Alarms
C. AWS CloudTrail
D. AWS Config
Answer: B

CloudWatch Alarms monitor metrics and send notifications.

Why this answer

Option B is correct because CloudWatch alarms can monitor CPU utilization metrics and trigger alerts. Option C is incorrect because CloudTrail records API calls. Option D is incorrect because Config monitors resource configurations. Option A is incorrect because VPC Flow Logs capture network traffic.

150
Multi-Select · hard

Which THREE components are required to set up a highly available SAP HANA database using AWS services? (Choose 3)

Select 3 answers
A. Application Load Balancer
B. Single Availability Zone deployment
C. Multi-AZ deployment with synchronous replication
D. Cluster manager (e.g., Pacemaker)
E. Elastic IP address
Answers: C, D, E

Ensures data is replicated across AZs.

Why this answer

Options C, D, and E are correct. A Multi-AZ deployment with synchronous replication (C) provides HA. A cluster manager (D) automates failover. An Elastic IP (E) provides a static IP for failover. Option B (Single AZ) does not provide HA. Option A (ALB) is not needed for database HA.
