Sample questions
AWS Certified SysOps Administrator Associate SOA-C02 practice questions
A company uses an Amazon DynamoDB table with on-demand capacity mode. The table handles a workload with a steady baseline of 500 writes per second but spikes to 2,000 writes per second for a few hours each day. The SysOps administrator wants to reduce costs without affecting application performance during spikes. Which action should the administrator take?
- A. Switch to provisioned capacity with auto scaling to handle the spikes.
  Correct: Provisioned capacity with auto scaling can be more cost-effective for workloads with a predictable baseline and occasional spikes. You pay only for the provisioned capacity, not per-request.
- B. Enable DynamoDB Accelerator (DAX) to cache reads.
  Why wrong: DAX is a read cache; it does not reduce write capacity costs.
- C. Create a global table to distribute write traffic.
  Why wrong: Global tables replicate data across regions and increase write costs due to additional replication.
- D. Use Amazon ElastiCache to buffer write requests.
  Why wrong: ElastiCache is not integrated with DynamoDB write capacity and does not reduce the cost of writes.
A company uses Amazon CloudWatch Logs to store application logs. The SysOps administrator needs to count the occurrences of the string 'ERROR' in the logs and trigger an Amazon SNS notification when more than 10 errors occur within a 5-minute window. Which steps should the administrator take?
- A. Create a metric filter on the log group and then create a CloudWatch alarm on the resulting metric.
  Correct: Creating a metric filter on the log group produces a metric that can be used in a CloudWatch alarm. This is the standard, low-operational-overhead approach.
- B. Create a CloudWatch alarm directly on the log group.
  Why wrong: CloudWatch alarms cannot be created directly on log groups. Alarms must be based on metrics, not raw log data.
- C. Create an AWS Lambda function to parse the logs and send a notification to Amazon SNS.
  Why wrong: Using a Lambda function to parse logs and send notifications introduces unnecessary complexity and cost. CloudWatch Logs metric filters provide a built-in solution.
- D. Create an Amazon EventBridge rule to filter log events and send to SNS.
  Why wrong: Amazon EventBridge can react to events but does not natively filter log patterns from CloudWatch Logs. This use case is better handled by metric filters and alarms.
A SysOps administrator needs to monitor the CPU utilization of an Amazon EC2 instance and send an alert when it exceeds 90% for 5 consecutive minutes. Which combination of AWS services should the administrator use to meet this requirement?
- A. Amazon CloudWatch metric (CPUUtilization), a CloudWatch alarm, and an Amazon SNS topic.
  Correct: This combination allows monitoring of the metric, evaluation against a threshold, and notification via SNS. It is the simplest and most direct method.
- B. Amazon CloudWatch Logs, a metric filter to extract CPU utilization from logs, and an alarm on that metric.
  Why wrong: CPU utilization is already available as a CloudWatch metric; using a log-based metric filter is unnecessary and adds complexity. The EC2 instance would need to emit CPU utilization as log entries, which is not the standard way.
- C. A CloudWatch dashboard and an AWS Lambda function that checks the dashboard periodically.
  Why wrong: Dashboards are for visualization, not for triggering alerts. Using a Lambda function to poll the dashboard is inefficient and not a recommended practice.
- D. Amazon EventBridge (CloudWatch Events) and a Lambda function that calls the EC2 DescribeInstances API.
  Why wrong: EventBridge can schedule events, but it does not provide direct CPU monitoring. A Lambda function would need to retrieve and analyze CloudWatch metrics, which is more complex than using a CloudWatch alarm directly.
A SysOps administrator needs to monitor the CPU utilization of an Amazon EC2 instance fleet and send an alert when the average CPU utilization exceeds 80% for 10 consecutive minutes. The administrator also wants to automatically stop the instance if the CPU utilization remains above 90% for 30 minutes to prevent runaway costs. Which combination of AWS services should be used?
- A. Amazon CloudWatch alarm + AWS Lambda + AWS Systems Manager Automation
  Why wrong: While this combination could work, it is more complex than necessary. Systems Manager Automation is typically used for multi-step runbooks; for a simple stop action, Lambda with the EC2 stop API is sufficient and more straightforward.
- B. Amazon CloudWatch alarm + Amazon Simple Notification Service (SNS) + AWS Lambda
  Correct: A CloudWatch alarm monitors the CPU metric and publishes to an SNS topic when the threshold is breached. The SNS topic triggers a Lambda function that calls the EC2 StopInstances API to stop the instance. This is a clean, low-overhead solution.
- C. Amazon CloudWatch Logs + Amazon EventBridge + AWS Step Functions
  Why wrong: CPU utilization is a metric, not a log. CloudWatch Logs is for log data, not metrics. EventBridge can trigger on metric alarms, but Step Functions is an orchestration service that adds unnecessary complexity for a simple stop action.
- D. AWS CloudTrail + Amazon EventBridge + AWS CodePipeline
  Why wrong: CloudTrail logs API actions, not CPU metrics. CodePipeline is a CI/CD service. This combination is not appropriate for monitoring and stopping instances based on CPU utilization.
A company's security policy requires that all Amazon S3 buckets must have server-side encryption enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and notify the security team. Which AWS service should be used to detect non-compliant buckets?
- A. Amazon Inspector
  Why wrong: Amazon Inspector assesses EC2 instances for software vulnerabilities and network exposure, not S3 bucket configurations.
- B. AWS Config
  Correct: AWS Config has managed rules to evaluate resource settings, including S3 bucket encryption. It can automatically detect non-compliant buckets and send notifications.
- C. AWS CloudTrail
  Why wrong: CloudTrail logs API activity but does not perform proactive compliance checks on resource configurations.
- D. Amazon GuardDuty
  Why wrong: GuardDuty is a threat detection service that monitors for malicious activity; it does not evaluate encryption settings.
A SysOps administrator uses AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance. The administrator wants to ensure that if the stack is updated, the EC2 instance is not accidentally replaced if its properties change. The administrator wants the stack update to fail when a property change would require replacement. Which CloudFormation feature should the administrator use?
- A. CreationPolicy
  Why wrong: CreationPolicy controls the creation success of a resource based on signals, but does not affect updates or prevent replacement.
- B. DeletionPolicy
  Why wrong: DeletionPolicy determines what happens when a resource is deleted; setting it to Retain would cause replacement to fail, but this is not the intended or clean solution.
- C. StackPolicy
  Correct: StackPolicy allows you to explicitly deny update actions (including replacement) on specific resources, causing updates that require replacement to fail.
- D. UpdateReplacePolicy
  Why wrong: CloudFormation does not have an attribute named UpdateReplacePolicy. The correct approach is StackPolicy.
A company runs a production web application on a single Amazon EC2 instance. The application experiences a predictable and steady workload 24/7. The SysOps administrator wants to minimize compute costs for this instance while ensuring it remains available during the expected workload. Which EC2 purchasing option should the administrator use?
- A. On-Demand Instances
  Why wrong: On-Demand Instances provide flexibility with no upfront commitment, but they are the most expensive option for a steady workload. The administrator can reduce costs further by committing to a Reserved Instance.
- B. Reserved Instances
  Correct: Reserved Instances (RIs) provide a discounted hourly rate in exchange for a one- or three-year commitment. A standard RI is ideal for steady-state, predictable workloads, offering up to 72% savings compared to On-Demand.
- C. Spot Instances
  Why wrong: Spot Instances offer large discounts but can be terminated by AWS at any time if capacity is needed. This makes them unsuitable for a production workload that must run continuously without interruption.
- D. Dedicated Hosts
  Why wrong: Dedicated Hosts provide a physical server dedicated for your use, which is useful for licensing requirements, but they are more expensive than Reserved Instances and not a cost-optimization choice for most workloads.
A company hosts a web application on Amazon EC2 instances in two AWS regions: us-east-1 and eu-west-1. The application is behind an Application Load Balancer (ALB) in each region. The SysOps administrator wants to direct users to the region that provides the lowest latency, automatically routing traffic away from a region if it becomes unhealthy. Which Amazon Route 53 routing policy should be used?
- A. Geolocation routing
  Why wrong: Geolocation routing directs traffic based on the geographic location of the user, not the actual latency. It does not automatically adapt to changes in network conditions.
- B. Latency routing
  Correct: Latency routing uses measurements of latency between AWS regions and the user to direct traffic to the region with the lowest latency. When health checks are attached to the ALBs, latency routing automatically avoids unhealthy endpoints by excluding them from responses.
- C. Weighted routing
  Why wrong: Weighted routing distributes traffic based on assigned weights. It does not consider latency or health for routing decisions and would not automatically fail over to the healthy region.
- D. Failover routing
  Why wrong: Failover routing is used for active-passive configurations. All traffic goes to the primary region unless it fails, then goes to the secondary. It does not consider latency and cannot route based on performance.
A company has an AWS account that contains multiple Amazon S3 buckets with sensitive data. A SysOps administrator needs to ensure that all S3 buckets in the account have versioning enabled to protect against accidental deletions. The administrator wants to automatically remediate any bucket that is created without versioning enabled. Which solution should be used?
- A. Use AWS Config with a managed rule (s3-bucket-versioning-enabled) and an automatic remediation action that uses an AWS Systems Manager Automation document to enable versioning.
  Correct: AWS Config evaluates resources against the rule. When a noncompliant bucket is detected (whether newly created or changed), the automatic remediation using Systems Manager Automation enables versioning on the bucket, ensuring continuous compliance.
- B. Use Amazon CloudWatch Events to detect CreateBucket API calls and trigger an AWS Lambda function to enable versioning.
  Why wrong: This reactive approach only addresses buckets created after the rule is set up. It does not handle existing buckets that lack versioning, nor does it detect buckets that have versioning disabled after creation. It requires separate handling for existing resources.
- C. Use AWS CloudTrail to monitor CreateBucket events and send an alert to the SysOps administrator for manual action.
  Why wrong: Manual intervention is not automated and may lead to delays or missed buckets. This does not meet the requirement for automatic remediation.
- D. Use AWS Service Catalog to enforce versioning on all buckets provisioned through it.
  Why wrong: Service Catalog only enforces compliance on resources provisioned through its products. Buckets created outside of Service Catalog (e.g., directly via the console or CLI) are not covered. This solution is incomplete.
A company runs a critical application on Amazon EC2 instances across multiple Availability Zones. The application stores state data on a shared Amazon EFS file system. The SysOps administrator needs to ensure that the file system remains available if an entire Availability Zone fails. The file system must also provide low-latency access from all instances. Which configuration meets these requirements?
- A. Create an EFS file system with the One Zone storage class and mount it from all instances.
  Why wrong: One Zone storage class stores data only in a single Availability Zone. If that zone fails, the file system becomes unavailable, violating the requirement.
- B. Create an EFS file system with the Standard storage class, enable replication to another Region, and use DNS failover.
  Why wrong: Cross-Region replication provides disaster recovery but introduces cross-Region latency and higher costs. The requirement is for Availability Zone failure resilience within a single Region.
- C. Create an EFS file system with the Standard storage class in the same Region, and mount it from all instances using the regional mount target.
  Correct: EFS Standard automatically replicates data across multiple AZs in the Region. Mounting via the regional mount target ensures low-latency access from all AZs and availability during an AZ outage.
- D. Create an EFS file system with the Standard storage class, and enable Multi-AZ deployment.
  Why wrong: Amazon EFS does not have a configurable Multi-AZ deployment option; its Standard storage class inherently replicates across AZs. This option is misleading and unnecessary.
A company requires that all Amazon S3 buckets in its AWS account must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to detect any bucket that does not have KMS encryption enabled and automatically remediate it by enabling encryption. Which AWS service should be used to implement this automated compliance enforcement?
- A. AWS Config
  Correct: AWS Config can continuously monitor and evaluate S3 bucket configurations. With a managed rule for server-side encryption, it can detect non-compliant buckets. Combined with automatic remediation actions, AWS Config can enable encryption on non-compliant buckets without manual intervention.
- B. AWS CloudTrail
  Why wrong: AWS CloudTrail records API activity but does not evaluate current configurations or trigger automated remediation. It is used for auditing and monitoring, not for compliance enforcement.
- C. Amazon GuardDuty
  Why wrong: Amazon GuardDuty is a threat detection service that monitors for malicious activity. It does not check S3 configuration compliance or remediate encryption settings.
- D. AWS Trusted Advisor
  Why wrong: AWS Trusted Advisor provides recommendations on cost, performance, and security (including S3 bucket permissions), but it does not automatically remediate non-compliant resources. It relies on manual actions.
A company manages multiple AWS accounts using AWS Organizations. The security team wants to restrict the use of Amazon EC2 instance types to only those that are approved for production workloads (e.g., m5.large, m5.xlarge). The policy should be applied to all member accounts in the organization, and it should prevent any non-approved instance type from being launched. The SysOps administrator should implement this with minimal operational overhead. Which solution should be used?
- A. Create an IAM policy in each member account that denies ec2:RunInstances unless the instance type is in the approved list.
  Why wrong: This requires managing policies in each account individually, increasing operational overhead and risk of inconsistency.
- B. Create an AWS Organizations Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not in the approved list.
  Correct: SCPs are applied at the organization or OU level and are inherited by all accounts. They provide preventive controls with minimal overhead.
- C. Use AWS Config with the managed rule 'ec2-instance-type-check' and an automatic remediation action that terminates non-compliant instances.
  Why wrong: This is a detective control that reacts after launch, potentially incurring cost and delay before termination. It is not preventive.
- D. Use Amazon EventBridge to detect RunInstances API calls and invoke a Lambda function that terminates unapproved instances.
  Why wrong: This is also a reactive approach with custom code, and it may terminate instances after they have already launched, causing resource waste and potential security exposure.
A company runs a multi-tier application that uses an Amazon RDS for PostgreSQL database. The SysOps administrator needs to monitor the database for performance anomalies, such as sudden spikes in connections or query latencies. The administrator wants to receive alerts when metrics deviate from their expected baseline. The solution must automatically adjust to changes in normal behavior over time, such as seasonal patterns. Which AWS service or feature should the administrator use?
- A. Configure Amazon CloudWatch Anomaly Detection on the relevant RDS metrics (e.g., DatabaseConnections, ReadLatency, WriteLatency) and set an alarm to notify when the metric breaches the anomaly band.
  Correct: CloudWatch Anomaly Detection automatically builds a baseline and adapts to behavior changes over time, including seasonality. It can trigger alarms when metrics deviate significantly from predicted patterns.
- B. Use Amazon RDS Performance Insights to analyze database load and set CloudWatch alarms on the DBLoad metric with static thresholds.
  Why wrong: Performance Insights helps identify performance bottlenecks but does not provide automated baseline anomaly detection. With static thresholds, alarms must be manually adjusted and do not adapt to seasonal patterns.
- C. Enable Amazon CloudWatch Metrics Explorer to create a dashboard that visualizes the metrics and manually review for anomalies.
  Why wrong: Metrics Explorer creates interactive dashboards but does not provide automatic anomaly detection or alerting. It requires manual observation.
- D. Use AWS X-Ray to trace database queries and set alarms on trace segment durations.
  Why wrong: X-Ray is for tracing requests through distributed applications, not for monitoring database instance-level metrics. It does not provide anomaly detection on RDS metrics.
A company runs a critical MySQL database on an Amazon RDS DB instance in a single Availability Zone. The SysOps administrator needs to implement a disaster recovery solution with a Recovery Point Objective (RPO) of 5 minutes and a Recovery Time Objective (RTO) of 1 hour, while minimizing costs. Which solution meets these requirements?
- A. Enable Multi-AZ deployment with a synchronous standby replica in another Availability Zone.
  Why wrong: Multi-AZ only protects against an AZ failure within the same region, not a regional outage. It does not meet the regional DR requirement.
- B. Create a cross-Region read replica and promote it to a standalone DB instance during a disaster.
  Why wrong: A cross-Region read replica provides low RPO (seconds) but requires a running instance in the DR region, incurring ongoing costs. Additionally, promotion may take longer than 1 hour.
- C. Enable cross-Region automated backups to another Region.
  Correct: Cross-Region automated backups replicate snapshots and transaction logs to another region, achieving an RPO of about 5 minutes and RTO of under 1 hour, with no extra compute cost until recovery.
- D. Take daily automated snapshots and copy them to another Region manually.
  Why wrong: Daily snapshots have an RPO of up to 24 hours, which does not meet the 5-minute RPO requirement.
A company runs a critical database on an Amazon RDS for MySQL DB instance. The SysOps administrator needs to ensure that the database can survive a single Availability Zone failure with minimal downtime. Which configuration should the administrator implement?
- A. Enable automatic backups.
  Why wrong: Automatic backups provide point-in-time recovery but do not automatically fail over; downtime would be longer to restore a backup.
- B. Deploy a read replica in a different AZ.
  Why wrong: A read replica is for read scaling and asynchronous replication; it does not provide automatic failover for the primary database.
- C. Enable Multi-AZ deployment.
  Correct: Multi-AZ provides a synchronous standby in another AZ and automatic failover, minimizing downtime during an AZ failure.
- D. Take a manual snapshot and copy it to another AZ.
  Why wrong: Manual snapshots are point-in-time backups and would require manual restoration, resulting in significant downtime.
A company runs a web application on Amazon EC2 instances in an Auto Scaling group that spans two Availability Zones. The application uses an Application Load Balancer (ALB) that is deployed across the same Availability Zones. The SysOps administrator wants to ensure the application remains available if an entire Availability Zone fails. Which configuration is essential for this high availability?
- A
Configure the Auto Scaling group with at least one instance in each Availability Zone.
Correct. The Auto Scaling group must have instances in multiple AZs to survive an AZ failure. AZ rebalancing will maintain capacity.
- B
Enable cross-zone load balancing on the Application Load Balancer.
Why wrong: Incorrect. Cross-zone load balancing distributes traffic across all instances in all AZs, but it does not guarantee instance distribution. It is enabled by default for ALB.
- C
Use an Amazon Route 53 health check to route traffic away from a failed AZ.
Why wrong: Incorrect. Route 53 health checks with failover routing can redirect to another region, but within a region the ALB handles AZ failures by routing to healthy instances.
- D
Attach an Elastic IP address to each instance in the Auto Scaling group to ensure IP persistence.
Why wrong: Elastic IPs give an instance a static public address; they do nothing for availability. Instances behind an ALB should not have public addresses at all: keep them in private subnets reachable only from the ALB's security group, and let the ALB be the single endpoint.
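The checks behind answer A, as an added example that is not part of the exam page: a small audit that reads Auto Scaling group, ALB and subnet descriptions and reports whether the pair really survives the loss of one AZ. The dictionaries are constructed to mimic the shape of describe-auto-scaling-groups, describe-load-balancers and describe-subnets output; subnet and instance IDs are made up.

```python
"""Check that an Auto Scaling group and its ALB really span two AZs.

Added example, not code from the exam page. The dicts below are constructed to
mimic the shape of describe-auto-scaling-groups, describe-load-balancers and
describe-subnets output (subnet and instance IDs are made up); swap in the real
API responses to audit an account.
"""

# Constructed subnet inventory: subnet id -> Availability Zone.
SUBNET_AZ = {
    "subnet-aaaa1111": "us-east-1a",
    "subnet-bbbb2222": "us-east-1b",
    "subnet-cccc3333": "us-east-1a",  # second subnet, same AZ: a common mistake
}

# Constructed ASG descriptions. VPCZoneIdentifier is the comma-separated subnet list.
ASG_GOOD = {
    "AutoScalingGroupName": "web-asg",
    "MinSize": 2,
    "VPCZoneIdentifier": "subnet-aaaa1111,subnet-bbbb2222",
    "Instances": [
        {"InstanceId": "i-0123", "AvailabilityZone": "us-east-1a"},
        {"InstanceId": "i-0456", "AvailabilityZone": "us-east-1b"},
    ],
}
ASG_ONE_AZ = {
    "AutoScalingGroupName": "web-asg-single-az",
    "MinSize": 1,
    "VPCZoneIdentifier": "subnet-aaaa1111,subnet-cccc3333",
    "Instances": [
        {"InstanceId": "i-0789", "AvailabilityZone": "us-east-1a"},
        {"InstanceId": "i-0abc", "AvailabilityZone": "us-east-1a"},
    ],
}
# Constructed ALB description: the AZs the load balancer is enabled in.
ALB = {
    "LoadBalancerName": "web-alb",
    "AvailabilityZones": [{"ZoneName": "us-east-1a"}, {"ZoneName": "us-east-1b"}],
}


def asg_zones(asg, subnet_az=SUBNET_AZ):
    """AZs the group can launch into, derived from its subnet list (not from
    the instances it happens to have right now)."""
    subnets = [s.strip() for s in asg["VPCZoneIdentifier"].split(",") if s.strip()]
    return {subnet_az[s] for s in subnets}


def check_az_resilience(asg, alb, subnet_az=SUBNET_AZ):
    """Return findings; an empty list means one lost AZ still leaves a served instance."""
    name = asg["AutoScalingGroupName"]
    findings = []
    zones = asg_zones(asg, subnet_az)
    alb_zones = {z["ZoneName"] for z in alb["AvailabilityZones"]}

    # 1. The group must be able to place instances in at least two AZs.
    if len(zones) < 2:
        findings.append(f"{name}: subnets cover only {sorted(zones)}")
    # 2. MinSize must allow one instance per AZ, or a scale-in can legitimately
    #    leave every instance in a single zone.
    if asg["MinSize"] < len(zones):
        findings.append(f"{name}: MinSize {asg['MinSize']} cannot keep one "
                        f"instance in each of {len(zones)} AZs")
    # 3. Right now, is every AZ actually populated?
    empty = zones - {i["AvailabilityZone"] for i in asg["Instances"]}
    if empty:
        findings.append(f"{name}: no running instance in {sorted(empty)}")
    # 4. The ALB has to be enabled in every AZ the group uses, or it cannot
    #    reach the targets there.
    if not zones <= alb_zones:
        findings.append(f"{alb['LoadBalancerName']}: not enabled in {sorted(zones - alb_zones)}")
    return findings


if __name__ == "__main__":
    for group in (ASG_GOOD, ASG_ONE_AZ):
        print(group["AutoScalingGroupName"], check_az_resilience(group, ALB) or "OK")
```

Deriving the zones from the subnet list rather than from the running instances matters: a group with two subnets in the same AZ looks healthy in the console until that AZ goes away.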
A company has multiple VPCs in the same AWS Region that need to communicate with each other. The SysOps administrator wants to avoid the complexity of a full mesh of VPC peering connections. Which AWS service should the administrator use to connect all VPCs with a central hub?
Trap 1: AWS Direct Connect
Direct Connect is a dedicated connection between on-premises and AWS, not a hub for connecting multiple VPCs within a Region.
Trap 2: VPC peering
VPC peering creates direct point-to-point connections that are not transitive, so n VPCs need n(n-1)/2 connections and matching route-table entries in every VPC, which quickly becomes unmanageable.
Trap 3: AWS PrivateLink
PrivateLink exposes a single service (fronted by a Network Load Balancer) to consumer VPCs through interface endpoints. That is one-directional, application-level access, not network-level routing between multiple customer VPCs.
- A
AWS Direct Connect
Why wrong: Direct Connect is a dedicated connection between on-premises and AWS, not a hub for connecting multiple VPCs within a Region.
- B
AWS Transit Gateway
Correct. Transit Gateway provides a scalable hub-and-spoke model: each VPC is attached once, routing is managed centrally, and separate Transit Gateway route tables let you decide which attachments can reach which, so the hub can also segment traffic rather than flatten everything into one network.
- C
VPC peering
Why wrong: VPC peering creates direct point-to-point connections that are not transitive, so n VPCs need n(n-1)/2 connections and matching route-table entries in every VPC, which quickly becomes unmanageable.
- D
AWS PrivateLink
Why wrong: PrivateLink exposes a single service (fronted by a Network Load Balancer) to consumer VPCs through interface endpoints. That is one-directional, application-level access, not network-level routing between multiple customer VPCs.
A company runs a critical stateful web application on Amazon EC2 instances in a single AWS region. The application stores user session data in an Amazon ElastiCache for Redis cluster. The SysOps administrator must design a disaster recovery (DR) strategy that can survive a complete regional outage with a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The application must be able to redirect users to the DR region with minimal manual effort. Which combination of actions meets these requirements?
Trap 1: Use Amazon Route 53 with weighted routing to distribute traffic…
Weighted routing splits traffic by weight and is not a failover mechanism: a weighted record is only withdrawn when a health check is attached to it, and this option attaches none. Launching the DR fleet with CloudFormation StackSets only after a failure is detected adds provisioning time that eats into the 1-hour RTO, and the session store is ElastiCache for Redis, so a DynamoDB global table would not replicate the data the application actually uses.
Trap 2: Use an Amazon CloudFront distribution with multiple origins…
CloudFront can fail over between two origins (an origin group retries the secondary on connection failures or selected 5xx responses), but that only moves HTTP requests; nothing replicates the Redis session data, so every user is logged out after failover and the effective RPO is the age of whatever survives in the primary Region, far beyond 15 minutes. CloudFront also has no session stickiness of its own; that is an ALB target-group feature.
Trap 3: Use EC2 instances with an Auto Scaling group in both regions
Copying a Redis snapshot to the DR Region every 15 minutes could just meet the RPO, but recovery means creating a new cluster from the latest copy and repointing the application, a manual sequence that is unlikely to finish inside the 1-hour RTO. Latency routing steers each resolver to the lowest-latency Region and withdraws a record only if a health check is attached; as written it would keep sending nearby users to the failed Region.
- A
Use Amazon Route 53 with weighted routing to distribute traffic between the two regions. Use a global DynamoDB table for session data, and launch EC2 instances in the DR region only when a failure is detected using AWS CloudFormation StackSets.
Why wrong: Weighted routing splits traffic by weight and is not a failover mechanism: a weighted record is only withdrawn when a health check is attached to it, and this option attaches none. Launching the DR fleet with CloudFormation StackSets only after a failure is detected adds provisioning time that eats into the 1-hour RTO, and the session store is ElastiCache for Redis, so a DynamoDB global table would not replicate the data the application actually uses.
- B
Create a read replica of the ElastiCache Redis cluster in the DR region using the native cross-region replication feature. Use Route 53 with failover routing to point to the DR region ALB when the primary health check fails. Pre-configure EC2 instances in an Auto Scaling group in the DR region.
Global Datastore for Redis replicates the cluster to a secondary cluster in another Region with replication lag typically under a second, so the 15-minute RPO is met with margin. Pre-provisioned EC2 instances in an Auto Scaling group behind an ALB in the DR Region mean no compute has to be built during the incident, and Route 53 failover routing withdraws the primary record when its health check fails. One step is not automatic: the secondary cluster must be promoted (a failover of the global replication group from the console, CLI or API) and the DR application must use the promoted cluster's endpoint, so script that promotion into the same automation that reacts to the health-check alarm. With that in place the combination meets the RPO and RTO with minimal manual effort.
- C
Use an Amazon CloudFront distribution with multiple origins (primary and DR). Enable session stickiness at the CloudFront level. Use EC2 instances in both regions behind separate ALBs. No special data replication is needed because sessions are stored in Redis.
Why wrong: CloudFront can fail over between two origins (an origin group retries the secondary on connection failures or selected 5xx responses), but that only moves HTTP requests; nothing replicates the Redis session data, so every user is logged out after failover and the effective RPO is the age of whatever survives in the primary Region, far beyond 15 minutes. CloudFront also has no session stickiness of its own; that is an ALB target-group feature.
- D
Use EC2 instances with an Auto Scaling group in both regions. Schedule a Lambda function to take snapshots of the Redis cluster every 15 minutes and copy them to the DR region. Use Route 53 latency routing to direct users to the nearest region.
Why wrong: Copying a Redis snapshot to the DR Region every 15 minutes could just meet the RPO, but recovery means creating a new cluster from the latest copy and repointing the application, a manual sequence that is unlikely to finish inside the 1-hour RTO. Latency routing steers each resolver to the lowest-latency Region and withdraws a record only if a health check is attached; as written it would keep sending nearby users to the failed Region.
A company has an Application Load Balancer (ALB) in the us-east-1 region. Users in Asia report high latency. The SysOps administrator wants to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. Which step is required to integrate Global Accelerator with the ALB?
Trap 1: Create a CloudFront distribution and point it to the ALB as an…
CloudFront is a content delivery network: it caches cacheable responses and proxies the rest to the origin through its edge network, but it does not give the ALB static anycast IP addresses or health-based endpoint failover, which is what Global Accelerator adds for non-cacheable, latency-sensitive traffic. It is also not the integration step the question asks for.
Trap 2: Set up a Route 53 geoproximity routing policy for the ALB.
Route 53 geoproximity routing picks between several endpoints by geographic bias; with a single ALB in us-east-1 there is nothing to choose between, and it does not involve Global Accelerator at all. Global Accelerator's anycast static IPs and endpoint health checks are what the question is after.
Trap 3: Use AWS WAF to allow traffic from Global Accelerator edge locations.
AWS WAF is a web application firewall that protects against common web exploits. It does not route traffic or accelerate content delivery.
- A
Create a CloudFront distribution and point it to the ALB as an origin.
Why wrong: CloudFront is a content delivery network: it caches cacheable responses and proxies the rest to the origin through its edge network, but it does not give the ALB static anycast IP addresses or health-based endpoint failover, which is what Global Accelerator adds for non-cacheable, latency-sensitive traffic. It is also not the integration step the question asks for.
- B
Configure the ALB as an endpoint group in a Global Accelerator accelerator.
Global Accelerator's model is accelerator, then listener, then endpoint group (one per Region), then endpoints, which can be ALBs, NLBs, EC2 instances or Elastic IPs. Adding the us-east-1 ALB as an endpoint in that Region's endpoint group registers it, and users in Asia then enter the AWS network at the nearest edge over the accelerator's anycast IPs. Client IP preservation is on by default for ALB endpoints, so security groups, AWS WAF rules and access logs on the ALB keep seeing real client addresses.
- C
Set up a Route 53 geoproximity routing policy for the ALB.
Why wrong: Route 53 geoproximity routing picks between several endpoints by geographic bias; with a single ALB in us-east-1 there is nothing to choose between, and it does not involve Global Accelerator at all. Global Accelerator's anycast static IPs and endpoint health checks are what the question is after.
- D
Use AWS WAF to allow traffic from Global Accelerator edge locations.
Why wrong: AWS WAF is a web application firewall that protects against common web exploits. It does not route traffic or accelerate content delivery.
A company runs an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB terminates SSL/TLS and forwards traffic to the instances over HTTP. The SysOps administrator needs to capture the original client IP address in the instance logs. How should the administrator configure this?
Trap 1: Enable stickiness on the ALB target group.
Stickiness (session affinity) ensures a client's requests are sent to the same target. It does not provide the client IP to the instances.
Trap 2: Configure the ALB to use Proxy Protocol v2.
Proxy Protocol v2 is a Network Load Balancer (TCP) feature; there is no such attribute on an ALB. An ALB works at layer 7 and passes the client address in the X-Forwarded-For header instead.
Trap 3: Enable access logs on the ALB and store them in Amazon S3.
Access logs capture detailed information about requests sent to the ALB, including client IP, but they are stored in S3, not available directly on the EC2 instances. The requirement is to capture the IP in instance logs.
- A
Enable stickiness on the ALB target group.
Why wrong: Stickiness (session affinity) ensures a client's requests are sent to the same target. It does not provide the client IP to the instances.
- B
Enable the X-Forwarded-For header on the ALB.
The ALB adds X-Forwarded-For (along with X-Forwarded-Proto and X-Forwarded-Port) to every HTTP and HTTPS request it forwards, not only when terminating TLS; nothing has to be switched on, although the attribute routing.http.xff_header_processing.mode controls whether the ALB appends to, preserves or removes the header. The instances then log that header to capture the client IP. Two caveats: a client can send its own X-Forwarded-For and the ALB appends to it, so trust only the rightmost entry (the one the ALB wrote); and restrict the instance security group to the ALB's security group so nobody can connect to an instance directly with a forged header.
- C
Configure the ALB to use Proxy Protocol v2.
Why wrong: Proxy Protocol v2 is a Network Load Balancer (TCP) feature; there is no such attribute on an ALB. An ALB works at layer 7 and passes the client address in the X-Forwarded-For header instead.
- D
Enable access logs on the ALB and store them in Amazon S3.
Why wrong: Access logs capture detailed information about requests sent to the ALB, including client IP, but they are stored in S3, not available directly on the EC2 instances. The requirement is to capture the IP in instance logs.
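How an instance should read the header, as an added example that is not code from the exam page. In its default header-processing mode an ALB appends the address it accepted the connection from to whatever X-Forwarded-For the client already sent, so the entry to trust is counted from the right, one per proxy you control; the sample headers below are constructed, and the naive function is included only to show what the spoofable version gets wrong.

```python
"""Recover the real client IP from X-Forwarded-For behind an ALB.

Added example, not code from the exam page. In its default header-processing
mode an ALB appends the address it accepted the connection from to whatever
X-Forwarded-For the client already sent, so the entry to trust is counted from
the right, one per proxy you control. The sample headers are constructed.
"""
import ipaddress
from typing import Optional


def naive_first_hop(xff: Optional[str]) -> Optional[str]:
    """The common mistake: take the leftmost entry. A client can set it freely."""
    if not xff:
        return None
    return xff.split(",")[0].strip() or None


def client_ip_from_xff(xff: Optional[str], trusted_proxies: int = 1) -> Optional[str]:
    """Return the client address as recorded by the nearest trusted proxy.

    trusted_proxies is how many proxies you control sit between the client and
    this instance: 1 for an ALB alone, 2 for CloudFront in front of an ALB.
    Everything left of those entries is client-controlled and ignored. Returns
    None if the header is missing, too short, or the chosen entry is not an IP.
    """
    if not xff:
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return None
    candidate = hops[-trusted_proxies]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


# Constructed request headers as the instance would see them behind one ALB.
SAMPLE_HEADERS = [
    "203.0.113.7",              # honest client; the ALB created the header
    "10.0.0.1, 203.0.113.7",    # client sent its own XFF; the ALB appended the real IP
    "127.0.0.1, 2001:db8::1",   # spoof aimed at an "allow localhost" rule, IPv6 client
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:32} naive={naive_first_hop(h)!s:12} trusted={client_ip_from_xff(h)}")
```

On the web server side the same idea is expressed with the real-IP module: in nginx, set_real_ip_from for the ALB's subnets, real_ip_header X-Forwarded-For and real_ip_recursive on, so that $remote_addr in the access log is the rightmost address not belonging to a trusted proxy. That only holds if the instances accept traffic from the ALB security group alone.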
A company uses Amazon S3 to store sensitive customer data. A SysOps administrator needs to ensure that any S3 bucket that is incorrectly configured to allow public read access is automatically remediated within five minutes. The administrator wants to use native AWS services with minimal custom code. Which solution should be used?
Trap 1: Create an Amazon EventBridge (CloudWatch Events) rule that triggers…
While this works, it requires custom Lambda code, which is more effort than using AWS Config's managed rule with remediation.
Trap 2: Apply an S3 bucket policy to each bucket that denies public read…
A bucket policy has to be written and maintained per bucket, so it neither detects nor fixes a new or changed bucket, and a blanket Deny to every principal on s3:GetObject blocks the application's own reads as well. Block Public Access at the account level is the built-in preventive control for this.
Trap 3: Use AWS Trusted Advisor to check for public read access and…
Trusted Advisor provides checks but requires manual remediation; it does not automatically fix the issue within five minutes.
- A
Use AWS Config with the 's3-bucket-public-read-prohibited' managed rule and configure automatic remediation to block public access.
AWS Config evaluates each bucket's Block Public Access settings, ACL and bucket policy against the rule and, with automatic remediation configured, runs a Systems Manager Automation runbook (AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock is the managed one for this case) as soon as a bucket is found noncompliant. Use a change-triggered rule rather than a periodic one so the five-minute target is met, and give the remediation role only s3:PutBucketPublicAccessBlock on the buckets it manages. Turning on account-level Block Public Access prevents the misconfiguration in the first place; the Config rule then catches anything created before that setting.
- B
Create an Amazon EventBridge (CloudWatch Events) rule that triggers an AWS Lambda function to check and fix public read access.
Why wrong: While this works, it requires custom Lambda code, which is more effort than using AWS Config's managed rule with remediation.
- C
Apply an S3 bucket policy to each bucket that denies public read access.
Why wrong: A bucket policy has to be written and maintained per bucket, so it neither detects nor fixes a new or changed bucket, and a blanket Deny to every principal on s3:GetObject blocks the application's own reads as well. Block Public Access at the account level is the built-in preventive control for this.
- D
Use AWS Trusted Advisor to check for public read access and manually remediate when notified.
Why wrong: Trusted Advisor provides checks but requires manual remediation; it does not automatically fix the issue within five minutes.
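What "publicly readable" means in practice, as an added example that is not code from the exam page or from the AWS Config rule itself. The function checks the same three inputs the s3-bucket-public-read-prohibited rule looks at (Block Public Access, bucket ACL, bucket policy) with simplified logic, and reports which Block Public Access settings a remediation would still have to apply. The bucket descriptions, bucket name and VPC endpoint ID are constructed.

```python
"""Decide whether an S3 bucket is publicly readable and what to remediate.

Added example, not code from the exam page or from the AWS Config rule. It
checks the same three inputs the s3-bucket-public-read-prohibited rule looks at
(Block Public Access, bucket ACL, bucket policy) with simplified logic, and
returns the Block Public Access settings a remediation would apply. The bucket
descriptions, bucket name and vpce- ID are constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:Get*", "s3:*", "*"}
# Condition keys that pin a "Principal": "*" statement to a known caller or network.
# Any other condition (e.g. on a key prefix) still leaves the statement public.
SCOPING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalarn",
                "aws:principalaccount", "aws:principalorgid", "aws:sourcearn", "aws:sourceaccount"}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_scoped(stmt):
    """True if a Condition limits the statement to a specific caller or network."""
    keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
    return bool(keys & SCOPING_KEYS)


def public_read_reasons(bucket):
    """Return why the bucket is publicly readable; an empty list means compliant."""
    pab = {**{k: False for k in BLOCK_ALL}, **bucket.get("PublicAccessBlock", {})}
    reasons = []
    # Public ACL grants count unless IgnorePublicAcls neutralises them.
    if not pab["IgnorePublicAcls"]:
        for grant in bucket.get("Acl", {}).get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
                reasons.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    # Public policy statements count unless RestrictPublicBuckets neutralises them.
    if not pab["RestrictPublicBuckets"] and bucket.get("Policy"):
        for stmt in _as_list(json.loads(bucket["Policy"]).get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
                continue
            if _is_scoped(stmt):
                continue
            hits = set(_as_list(stmt.get("Action", []))) & READ_ACTIONS
            if hits:
                reasons.append(f"policy statement {stmt.get('Sid', '?')} allows {sorted(hits)} to everyone")
    return reasons


def remediation(bucket):
    """Block Public Access settings still to be turned on (empty dict = nothing to do)."""
    current = bucket.get("PublicAccessBlock", {})
    return {k: True for k in BLOCK_ALL if current.get(k) is not True}


PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]})
VPC_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}

# Constructed bucket descriptions: wide open, the same bucket after remediation,
# and a "Principal": "*" policy that is scoped to one VPC endpoint.
BUCKET_OPEN = {"Name": "customer-exports", "PublicAccessBlock": {}, "Acl": OPEN_ACL, "Policy": PUBLIC_POLICY}
BUCKET_LOCKED = {"Name": "customer-exports", "PublicAccessBlock": BLOCK_ALL, "Acl": OPEN_ACL, "Policy": PUBLIC_POLICY}
BUCKET_VPC_ONLY = {"Name": "customer-exports", "PublicAccessBlock": {}, "Acl": {"Grants": []}, "Policy": VPC_ONLY_POLICY}

if __name__ == "__main__":
    for b in (BUCKET_OPEN, BUCKET_LOCKED, BUCKET_VPC_ONLY):
        print(public_read_reasons(b) or "COMPLIANT", remediation(b))
```

The locked bucket still carries the public ACL and policy; it is compliant only because Block Public Access overrides them, which is exactly why the remediation applies those four settings rather than editing the policy.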
A SysOps administrator deploys a web application using AWS Elastic Beanstalk. The administrator wants to deploy a new application version with zero downtime and minimize the risk of failure by launching a completely new set of instances before swapping traffic. Which deployment policy should the administrator choose?
Trap 1: All at once
All instances are terminated and replaced at the same time, causing downtime.
Trap 2: Rolling
Batches of existing instances are taken out of service and updated in place, so capacity drops by one batch during the deployment, and a failed batch leaves a mixed fleet that has to be redeployed rather than simply switched back.
Trap 3: Rolling with additional batch
Launches one extra batch first so full capacity is kept, but the existing instances are still updated in place batch by batch; a failure still leaves a mixed fleet, and rollback is slower than with a fresh fleet.
- A
All at once
Why wrong: All instances are terminated and replaced at the same time, causing downtime.
- B
Rolling
Why wrong: Batches of existing instances are taken out of service and updated in place, so capacity drops by one batch during the deployment, and a failed batch leaves a mixed fleet that has to be redeployed rather than simply switched back.
- C
Rolling with additional batch
Why wrong: Launches one extra batch first so full capacity is kept, but the existing instances are still updated in place batch by batch; a failure still leaves a mixed fleet, and rollback is slower than with a fresh fleet.
- D
Immutable
Immutable deployment launches a full set of instances running the new version in a temporary Auto Scaling group next to the existing one, waits for them to pass health checks, moves them into the original group and only then terminates the old instances. Capacity never drops, and a failed deployment simply terminates the new instances with the old fleet untouched. (Traffic splitting also launches a fresh fleet but shifts a percentage of traffic for a canary period; blue/green is done by swapping environment URLs rather than by a deployment policy.)
A company wants to ensure that only specific IAM roles within the same AWS account can encrypt and decrypt data using an AWS KMS customer managed key. Which type of policy must be configured to achieve this restriction?
Trap 1: IAM policy attached to the roles
An IAM policy grants nothing on a key by itself. IAM policies only take effect if the key policy delegates to them (the default "Enable IAM User Permissions" statement does so for the whole account), and once it does, any IAM policy in the account can grant use of the key, so restricting access to specific roles means naming them in the key policy.
Trap 2: Service control policy (SCP)
SCPs are used in AWS Organizations to control permissions at the account level, not for individual KMS keys.
Trap 3: Resource policy attached to the KMS key
In KMS the resource-based policy is called the key policy; this option describes the same document under a name KMS does not use, so the precise answer is the key policy.
- A
IAM policy attached to the roles
Why wrong: An IAM policy grants nothing on a key by itself. IAM policies only take effect if the key policy delegates to them (the default "Enable IAM User Permissions" statement does so for the whole account), and once it does, any IAM policy in the account can grant use of the key, so restricting access to specific roles means naming them in the key policy.
- B
KMS key policy
The key policy is the resource-based policy of the key, and every customer managed key has one; no IAM policy in the account grants any permission on the key unless the key policy allows it. To restrict use to specific roles, name those role ARNs as principals with kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey, keep a separate key-administrator statement so the policy can still be changed, and either drop the account-root delegation statement or audit IAM policies for broad kms:* grants on the key.
- C
Service control policy (SCP)
Why wrong: SCPs are used in AWS Organizations to control permissions at the account level, not for individual KMS keys.
- D
Resource policy attached to the KMS key
Why wrong: In KMS the resource-based policy is called the key policy; this option describes the same document under a name KMS does not use, so the precise answer is the key policy.
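The audit that goes with answer B, as an added example that is not code from the exam page or from AWS. It compares two constructed key policies: the default-style policy whose account-root statement delegates every decision to IAM, and one that names the roles allowed to encrypt and decrypt, and it also flags a policy that nobody can administer. The account ID and role names are made up.

```python
"""Audit a KMS key policy for who can actually use the key.

Added example, not code from the exam page or from AWS. It compares two
constructed key policies: the default-style policy whose account-root statement
delegates every decision to IAM, and one that names the roles allowed to
encrypt and decrypt. Account ID and role names are made up.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
USE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")

DEFAULT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]})

RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdministration", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KmsKeyAdmin"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:TagResource", "kms:UntagResource",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Sid": "AllowUseByAppRoles", "Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/OrderServiceRole",
                           f"arn:aws:iam::{ACCOUNT}:role/ReportingRole"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}]})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    """AWS principals of a statement: ARNs, or '*' for anyone."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else []


def _allowed(stmt, action):
    """Does this Allow statement cover the action, honouring IAM's '*' wildcards?"""
    return stmt.get("Effect") == "Allow" and any(
        fnmatchcase(action.lower(), pat.lower()) for pat in _as_list(stmt.get("Action", [])))


def key_users(policy_json):
    """Map principal -> set of use actions (encrypt/decrypt/generate) it is granted."""
    users = {}
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        granted = {a for a in USE_ACTIONS if _allowed(stmt, a)}
        for principal in (_principals(stmt) if granted else []):
            users.setdefault(principal, set()).update(granted)
    return users


def policy_editors(policy_json):
    """Principals that can rewrite the key policy; an empty set means a lock-out risk."""
    return {p for stmt in _as_list(json.loads(policy_json)["Statement"])
            if _allowed(stmt, "kms:PutKeyPolicy") for p in _principals(stmt)}


def check_restricted_to(policy_json, allowed_roles):
    """Findings if anyone beyond allowed_roles can use the key, or nobody can administer it."""
    findings = []
    for principal in key_users(policy_json):
        if principal == ROOT:
            findings.append("account-root statement delegates to IAM: any IAM policy in "
                            f"{ACCOUNT} can grant use of this key")
        elif principal == "*":
            findings.append("key is usable by any principal")
        elif principal not in allowed_roles:
            findings.append(f"unexpected principal {principal}")
    if not policy_editors(policy_json):
        findings.append("no principal can change the key policy (lock-out risk)")
    return findings


if __name__ == "__main__":
    app_roles = {f"arn:aws:iam::{ACCOUNT}:role/OrderServiceRole",
                 f"arn:aws:iam::{ACCOUNT}:role/ReportingRole"}
    for name, policy in (("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, check_restricted_to(policy, app_roles) or "OK")
```

The wildcard matching is what makes the admin statement safe to write with kms:Describe* or kms:Get* and still not hand out kms:Decrypt; the lock-out check is there because a key policy with no principal holding kms:PutKeyPolicy can only be recovered by contacting AWS Support.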
A SysOps administrator is testing the failover of an Amazon RDS for PostgreSQL Multi-AZ DB instance. The application currently writes to the primary instance in us-east-1a. Which action will manually trigger a failover to the standby instance in us-east-1b?
Trap 1: Modify the DB instance to Single-AZ and then back to Multi-AZ.
Incorrect. Turning off Multi-AZ deletes the standby instead of failing over to it, and turning it back on builds a new standby from scratch. Nothing about failover is exercised, and the instance runs without a standby in between.
Trap 2: Reboot the DB instance without selecting any failover option.
Incorrect. A standard reboot does not force failover; it restarts the current primary.
Trap 3: Promote the standby instance using the Amazon RDS console.
Incorrect. Multi-AZ standby is not a read replica; it cannot be promoted manually. Promotion applies to read replicas.
- A
Reboot the DB instance and select 'Reboot with failover'.
Correct. "Reboot with failover" (the --force-failover flag on reboot-db-instance in the CLI) promotes the standby to primary, flips the DB instance's DNS endpoint to it, and turns the former primary into the new standby once it is back. The application reconnects through the same endpoint name, so this is also the test that shows whether clients honour the record's TTL and retry after the connection drops. Confirm the result from the RDS events and the instance's new Availability Zone.
- B
Modify the DB instance to Single-AZ and then back to Multi-AZ.
Why wrong: Turning off Multi-AZ deletes the standby instead of failing over to it, and turning it back on builds a new standby from scratch. Nothing about failover is exercised, and the instance runs without a standby in between.
- C
Reboot the DB instance without selecting any failover option.
Why wrong: A standard reboot restarts the current primary in place; it does not force a failover.
- D
Promote the standby instance using the Amazon RDS console.
Why wrong: The Multi-AZ standby is not a read replica and cannot be promoted manually; promotion applies to read replicas only.