AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 175

1546 questions total · 21 pages · All types, answers revealed

Page 1 of 21

1
MCQhard

A SysOps administrator is troubleshooting an application that runs on EC2 instances behind an ALB. Users report intermittent 503 errors. The administrator checks the ALB access logs and finds entries with 'elb_status_code' 503 and 'target_status_code' '-'. What is the most likely cause?

A.The target instances are unhealthy, causing the ALB to return 503.
B.The SSL certificate on the ALB has expired.
C.The target instances have high CPU utilization.
D.The security group on the ALB is blocking traffic.
AnswerA

If all targets are unhealthy, ALB returns 503.

Why this answer

The ALB access log entry with `elb_status_code` 503 and `target_status_code` '-' indicates that the load balancer itself generated the 503 error because it could not establish a connection to any healthy target. The dash for the target status code means the request never reached a target instance, which occurs when all targets in the target group are marked unhealthy by the health checks. This is the most common cause of intermittent 503 errors with an ALB.

Exam trap

The trap here is that candidates often confuse a 503 error with target-side issues (like high CPU or application errors), but the dash in the target_status_code is the key indicator that the ALB itself is rejecting the request due to no healthy targets, not that the request reached a target and failed.

How to eliminate wrong answers

Option B is wrong because an expired SSL certificate on the ALB would cause TLS handshake failures (e.g., 502 or 525 errors), not a 503 with a dash for the target status code. Option C is wrong because high CPU utilization on target instances would still allow the ALB to forward requests to them (resulting in a target_status_code like 200 or 500), but the dash indicates no connection was attempted. Option D is wrong because the ALB's security group controls inbound traffic to the load balancer; if it were blocking traffic, clients would receive a 504 or connection timeout, not a 503, and the access log would show a different elb_status_code.

2
MCQhard

A SysOps administrator is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises data center connected via AWS Direct Connect. The EC2 instance can reach other instances in the same VPC but cannot reach the on-premises network. The virtual private gateway (VGW) is attached to the VPC and the Direct Connect virtual interface is up. Which configuration step should the administrator verify first?

A.Check the security group rules for the EC2 instance
B.Confirm that the Direct Connect virtual interface is associated with the correct VLAN
C.Add a route in the VPC route table for the on-premises CIDR pointing to the virtual private gateway
D.Verify the network ACL inbound and outbound rules for the VPC subnet
AnswerC

This is required for traffic to flow from the VPC to on-premises via Direct Connect.

Why this answer

Option C is correct because for Direct Connect to work, the on-premises CIDR must be added to the VPC route table pointing to the virtual private gateway. Without this route, traffic from the VPC to on-premises is dropped. Option A is wrong because the security group controls inbound/outbound traffic but does not affect routing.

Option D is wrong because network ACLs are stateless and would need to allow both inbound and outbound, but the primary issue is routing. Option B is wrong because the VGW is already attached and the virtual interface is up, indicating the physical connection is fine.

3
MCQmedium

A SysOps administrator is investigating why an EC2 instance cannot access an S3 bucket using an IAM role. The instance has an associated IAM role with a policy that allows s3:GetObject on the bucket. The bucket policy also allows access from the role. However, the instance's application still gets access denied. What is the most likely cause?

A.The IAM role does not have s3:ListBucket permission
B.The IAM role is not associated with the instance profile used by the EC2 instance
C.The bucket policy explicitly denies access to the role
D.The S3 bucket is in a different region, requiring a VPC endpoint
AnswerB

If the role is not attached to the instance profile, the instance cannot assume the role and will not have permissions.

Why this answer

The instance profile must be correctly attached to the EC2 instance. Option B is correct because if the role is not properly associated with the instance profile, the instance will not have the necessary credentials. Option D is wrong because an S3 VPC endpoint is not required for access via the internet.

Option C is wrong because the bucket policy allows the role. Option A is wrong because the role already has the GetObject permission.

4
MCQmedium

A company runs an Amazon RDS for MySQL DB instance in us-east-1. The SysOps administrator needs to implement a disaster recovery solution that can recover from a regional outage with a Recovery Point Objective (RPO) of less than 1 second and a Recovery Time Objective (RTO) of less than 1 minute. Which solution should the administrator use?

A.Multi-AZ deployment
B.Cross-region read replica
C.Aurora Global Database
D.Automated snapshot copy to another region
AnswerC

Provides sub-second RPO and minute-level RTO across regions.

Why this answer

Aurora Global Database is the correct choice because it provides a fully managed cross-region replication solution with a typical RPO of less than 1 second and an RTO of less than 1 minute during a regional failover. It uses a primary cluster in one region and up to five secondary clusters in other regions, with asynchronous replication that is optimized for low latency, meeting the stringent RPO/RTO requirements.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployments (which are for high availability within a region) with cross-region disaster recovery, and they underestimate the replication lag and failover time of standard cross-region read replicas versus the optimized architecture of Aurora Global Database.

How to eliminate wrong answers

Option A is wrong because Multi-AZ deployment provides high availability within a single region, not cross-region disaster recovery, and its failover RTO is typically 1-2 minutes, exceeding the required 1 minute. Option B is wrong because a cross-region read replica for RDS MySQL uses asynchronous replication with a typical RPO of seconds to minutes, not less than 1 second, and promoting a read replica to a primary instance can take several minutes, failing the RTO requirement. Option D is wrong because automated snapshot copy to another region has an RPO of at least 5 minutes (the minimum snapshot interval) and restoring from a snapshot can take tens of minutes, both far exceeding the required RPO and RTO.

5
MCQhard

A SysOps administrator receives an alarm that an EC2 instance's status check has failed. The instance is part of an Auto Scaling group behind an Application Load Balancer. The administrator needs to ensure that the instance is automatically replaced and that the root cause is investigated. What is the MOST efficient combination of actions to achieve this?

A.Configure an Auto Scaling lifecycle hook to terminate the unhealthy instance and send the instance system log to an S3 bucket for analysis.
B.Create a CloudWatch alarm that triggers an SNS notification to the administrator to manually replace the instance.
C.Reboot the instance from the AWS Management Console and then review CloudTrail logs.
D.Manually stop and start the instance to recover it, then check the system logs.
AnswerA

Lifecycle hooks allow custom actions before termination, and system logs help with root cause analysis.

Why this answer

Option A is correct because it combines automatic instance replacement via the Auto Scaling group's health check (which marks the instance unhealthy and terminates it) with a lifecycle hook that captures the instance's system log before termination and sends it to S3 for root cause analysis. This is the most efficient approach as it requires no manual intervention and preserves diagnostic data.

Exam trap

The trap here is that candidates may think manual actions (reboot, stop/start) are sufficient for recovery, but the question explicitly requires automatic replacement and root cause investigation, which only a lifecycle hook with data capture provides.

How to eliminate wrong answers

Option B is wrong because it relies on manual replacement via SNS notification, which is inefficient and violates the requirement for automatic replacement. Option C is wrong because rebooting an instance with a failed status check does not address the underlying issue and does not automatically replace the instance; CloudTrail logs record API calls, not system-level diagnostics. Option D is wrong because manually stopping and starting the instance is not automatic and does not guarantee recovery; it also fails to capture diagnostic data for root cause analysis.

6
MCQmedium

An administrator runs the above CloudWatch command to analyze CPU utilization for an EC2 instance. The instance is currently running with a t3.large instance type. The company wants to optimize costs. Based on the data, which action should the administrator take?

A.Stop the instance to save costs immediately.
B.Downsize the instance to t3.medium to reduce costs.
C.Scale up the instance to t3.xlarge to improve performance.
D.Purchase a Reserved Instance for the current instance type.
AnswerB

Low CPU utilization suggests over-provisioning; downsizing saves costs.

Why this answer

The average CPU utilization over the week is low (around 15.5%), indicating the instance is over-provisioned. Downsizing to a t3.medium (half the vCPUs and memory) would likely be sufficient and reduce costs. Reserved Instances would be cost-effective only if the instance runs consistently, but the current utilization is low.

Scaling up would increase costs. Stopping the instance is not an option if needed.

7
MCQeasy

A SysOps administrator receives a notification that an EC2 instance's status check has failed. The instance is part of an Auto Scaling group. What is the immediate impact on the application?

A.The instance is still accessible and serving traffic.
B.The instance is immediately terminated.
C.The instance is automatically stopped and started.
D.The Auto Scaling group will launch a new instance to replace the failed one, potentially causing temporary downtime.
AnswerD

Auto Scaling replaces the instance, but there may be a brief interruption.

Why this answer

When an EC2 instance fails a status check, the Auto Scaling group detects the failure and initiates a replacement by launching a new instance. However, the failed instance is not immediately terminated; it may remain in a stopped or impaired state until the replacement is fully in service, which can cause temporary downtime for the application if the instance was actively handling traffic.

Exam trap

The trap here is that candidates assume the Auto Scaling group immediately terminates the failed instance (Option B), but in reality, the group waits for a health check grace period and the replacement process is not instantaneous, causing temporary downtime.

How to eliminate wrong answers

Option A is wrong because a failed status check indicates the instance is impaired (e.g., unreachable due to OS-level issues or hardware problems), so it is not accessible or serving traffic. Option B is wrong because the Auto Scaling group does not immediately terminate the instance; it first waits for the health check grace period and then performs a gradual replacement, and the instance may be terminated only after the new one is ready. Option C is wrong because EC2 status check failures do not automatically stop and start the instance; that action would require a manual or automated recovery via CloudWatch alarms or EC2 auto-recovery, not the Auto Scaling group's default behavior.

8
MCQhard

A SysOps Administrator attempted to update a CloudFormation stack. The stack update failed and is now in UPDATE_ROLLBACK_IN_PROGRESS state as shown in the exhibit. What should the administrator do to recover the stack to a stable state?

A.Wait for the rollback to complete and then investigate the failure reason.
B.Delete the stack and recreate it.
C.Manually update the Auto Scaling group to correct the issue.
D.Execute a change set to fix the failed resource.
AnswerA

Rollback will bring stack to previous stable state.

Why this answer

Option A is correct. Since the stack is in rollback, waiting for the rollback to complete is the appropriate action. The stack will attempt to roll back to the previous state.

Option B is wrong because deleting the stack is not necessary; the rollback will restore the previous state. Option C is wrong because continuing the update would fail. Option D is wrong because executing a change set would require the stack to be in a stable state.

9
MCQhard

A SysOps administrator is managing a CloudFormation stack that creates an Amazon RDS DB instance. The stack uses the 'DBInstance' resource with a 'DeletionPolicy' attribute set to 'Delete'. The administrator wants to modify the stack to retain the DB instance when the stack is deleted, but the change fails because the DB instance is in a state that does not allow modification. What is the MOST likely reason?

A.The stack is in a 'CREATE_COMPLETE' state and cannot be updated.
B.The DB instance has deletion protection enabled.
C.The DB instance is in a maintenance window that prevents modifications.
D.The DeletionPolicy attribute cannot be changed after the stack is created.
AnswerD

DeletionPolicy is a property of the resource that cannot be updated.

Why this answer

Option D is correct because the DeletionPolicy attribute is immutable after the resource is created; to change it, you must create a new stack or use a different resource name. Option C is wrong because RDS does not have a maintenance window restriction for DeletionPolicy changes. Option A is wrong because the DeletionPolicy is applied at deletion, not creation.

Option B is wrong because deletion protection is a separate property.

10
MCQmedium

A company has the following S3 bucket policy attached to a bucket named 'example-bucket'. A user is unable to download an object from the bucket using an HTTP URL (not HTTPS). What is the cause?

A.The bucket policy does not allow GetObject for anonymous users.
B.The Deny statement blocks all S3 actions when the request is not using HTTPS.
C.The bucket policy requires server-side encryption for all requests.
D.The Deny statement only applies to PutObject, not GetObject.
AnswerB

Deny overrides Allow when condition is met.

Why this answer

Option B is correct because the first statement denies all s3:* actions when aws:SecureTransport is false (i.e., HTTP). The second statement allows GetObject to everyone, but the Deny statement takes precedence. Option C is wrong because the bucket policy does not require SSE.

Option A is wrong because the policy allows GetObject to everyone. Option D is wrong because the Deny is for all s3 actions, not just PutObject.

11
MCQhard

A company has a production DynamoDB table with on-demand capacity. They need to ensure business continuity with a Recovery Point Objective (RPO) of 5 minutes and a Recovery Time Objective (RTO) of 1 hour in case of a regional outage. What is the MOST cost-effective solution?

A.Use AWS Backup to schedule daily backups and restore in another region.
B.Enable DynamoDB global tables for the table.
C.Enable point-in-time recovery (PITR) on the table.
D.Configure cross-region read replicas for the table.
AnswerB

Global tables replicate data across multiple AWS Regions asynchronously, typically within seconds, achieving low RPO. Failover can be automated via Route 53 health checks to meet RTO.

Why this answer

Option B is correct because DynamoDB global tables provide cross-region replication with sub-second latency, meeting the 5-minute RPO, and failover can be automated within 1 hour. Option C is wrong because point-in-time recovery only protects against accidental writes/deletes, not regional outages. Option A is wrong because restoring a daily backup takes longer than 1 hour and data loss may exceed 5 minutes.

Option D is wrong because cross-region read replicas are not available for DynamoDB.

12
MCQmedium

A company runs a critical web application on EC2 instances behind an Application Load Balancer across three Availability Zones. The application stores session data in an RDS MySQL database. To improve reliability, the company wants to ensure that a single Availability Zone failure does not impact the application's availability. Which combination of actions should the SysOps administrator take?

A.Configure the ALB to use only healthy instances and enable detailed CloudWatch metrics.
B.Increase the EC2 instance size to handle more traffic in a single AZ.
C.Increase the Auto Scaling group's desired capacity to a larger number.
D.Deploy RDS in Multi-AZ configuration with automatic failover, and enable cross-zone load balancing on the ALB.
AnswerD

Multi-AZ RDS provides database failover, cross-zone ALB distributes traffic across AZs.

Why this answer

Option D is correct because deploying RDS Multi-AZ with automatic failover ensures that database operations continue during an AZ outage. Enabling cross-zone load balancing ensures the ALB can route traffic to healthy instances in other AZs. Option A is wrong because ELB health checks alone do not handle AZ failures.

Option B is wrong because increasing instance size does not provide AZ redundancy. Option C is wrong because increasing the Auto Scaling group's desired capacity does not distribute instances across AZs if the group is not configured for multiple AZs.

13
Matchingmedium

Match each AWS monitoring tool to its function.


Concepts
Matches

Centralized log storage and analysis

Time-series data points

Trigger actions based on metrics

Event-driven automation (now EventBridge)

Customizable monitoring views

Why these pairings

These are components of Amazon CloudWatch.

14
Multi-Selecteasy

A company wants to audit all API calls made in their AWS account for security analysis. They need to record both management events and data events. Which THREE steps should be taken to set up comprehensive logging? (Choose THREE.)

Select 3 answers
A.Enable AWS CloudTrail to record data events for S3 and Lambda.
B.Enable AWS CloudTrail to record management events.
C.Enable VPC Flow Logs to capture API call metadata.
D.Send the log files to Amazon CloudWatch Logs for real-time analysis.
E.Configure the trail to deliver log files to an S3 bucket.
AnswersA, B, E

Data events must be explicitly enabled.

Why this answer

Option B is correct: CloudTrail records management events by default. Option A is correct: to capture data events, you must enable them explicitly in the trail. Option E is correct: delivering log files to an S3 bucket is the standard destination.

Option D is wrong because CloudWatch Logs is for log monitoring, not recording. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

15
MCQmedium

A company uses an Amazon S3 bucket to store sensitive data. The SysOps administrator needs to be notified within 15 minutes if any object in the bucket becomes publicly accessible. Which solution will meet this requirement with the least operational overhead?

A.Configure an S3 event notification for all object creation events and publish to an Amazon SNS topic that sends an email alert.
B.Use an AWS Config managed rule to detect 's3-bucket-public-read-prohibited' and trigger an SNS notification via Amazon EventBridge.
C.Enable Amazon CloudTrail data events for the S3 bucket and create a CloudWatch Logs metric filter for PutObjectAcl (or PutObject with public ACL) and set an alarm.
D.Configure S3 event notifications for 's3:ObjectCreated:Put' and 's3:ObjectCreated:PutObjectAcl' with a suffix/prefix filter for public grants, sending to an SNS topic.
AnswerD

Correct. This allows real-time notification specifically when objects are created with public ACLs, meeting the requirement with minimal overhead.

Why this answer

Option D is correct because S3 event notifications can be configured specifically for `s3:ObjectCreated:Put` and `s3:ObjectCreated:PutObjectAcl` events, and you can filter by prefix/suffix to detect public grants (e.g., `public-read` or `public-read-write`). This directly triggers an SNS topic for near-real-time notification within seconds, meeting the 15-minute requirement with minimal overhead, as no additional services or complex configurations are needed.

Exam trap

The trap here is that candidates often choose CloudTrail or Config because they associate them with security monitoring, but they overlook the latency and overhead of those services compared to the direct, low-latency S3 event notification mechanism designed for real-time object-level alerts.

How to eliminate wrong answers

Option A is wrong because S3 event notifications for all object creation events do not filter for public ACLs; they would trigger on every object upload, causing noise and failing to specifically detect public accessibility. Option B is wrong because the AWS Config managed rule `s3-bucket-public-read-prohibited` checks the bucket-level policy, not individual object ACLs, and Config evaluations run every 10 minutes or on configuration changes, which may not guarantee notification within 15 minutes for object-level changes. Option C is wrong because CloudTrail data events for S3 have a latency of up to 15 minutes (often longer) for delivery to CloudWatch Logs, and metric filters plus alarms add complexity and potential delay, making it unreliable for the 15-minute requirement and higher operational overhead.

16
Multi-Selectmedium

A company is using an Auto Scaling group with a dynamic scaling policy based on average CPU utilization. The SysOps administrator notices that the scaling is not triggering as expected. Which THREE steps should the administrator take to troubleshoot the issue?

Select 3 answers
A.Check the scaling activity history in the Auto Scaling group for any errors or cooldown periods.
B.Ensure that the EC2 instances are passing the ELB health checks.
C.Review the scaling policy's cooldown period and threshold settings.
D.Verify that the CloudWatch alarm associated with the scaling policy is in ALARM state when CPU is high.
E.Manually increase the desired capacity to see if the scaling policy takes effect.
AnswersA, C, D

Activity history shows why scaling did not occur.

Why this answer

Option A is correct because the scaling activity history provides a log of all scaling actions, including errors, cooldown periods, and why a scaling event was or was not triggered. By reviewing this history, the administrator can identify if the scaling policy was blocked by a cooldown period, if the alarm state was not reached, or if there were any configuration errors that prevented the scaling action from executing.

Exam trap

The trap here is that candidates may confuse ELB health checks with the metric-based alarm that drives scaling, or think that manually adjusting capacity is a valid diagnostic step, when in fact it bypasses the automated policy logic and does not reveal why the policy failed to trigger.

17
MCQmedium

A company runs a stateful web application on a single Amazon EC2 instance. The application stores session state in memory and writes critical data to an Amazon EBS volume. The SysOps administrator needs to implement a highly available architecture that can tolerate an Availability Zone (AZ) failure. The administrator plans to use an Auto Scaling group and an Application Load Balancer (ALB). Which combination of steps is required to make the application highly available while preserving session and data durability across AZ failures?

A.Create an AMI of the current instance, configure an Auto Scaling group with a launch template that uses the AMI, and attach the existing EBS volume to new instances.
B.Create a multi-AZ Auto Scaling group and use sticky sessions (session affinity) on the ALB to tie users to specific instances.
C.Use an Auto Scaling group across multiple AZs, migrate session storage to Amazon ElastiCache (multi-AZ), and migrate application data from EBS to Amazon EFS (file system mounted across AZs).
D.Use an Auto Scaling group in a single AZ and use a Multi-AZ RDS instance for data storage.
AnswerC

ElastiCache provides a shared, cross-AZ in-memory session store. EFS provides a shared, cross-AZ file system. The Auto Scaling group launches instances in multiple AZs, and the ALB distributes traffic. This architecture survives an AZ failure.

Why this answer

Option C is correct because it addresses both session state and data durability across AZ failures. Migrating session storage to ElastiCache (multi-AZ) ensures session data survives instance failure, and migrating application data from EBS to EFS provides a shared, multi-AZ file system that persists independently of any single EC2 instance. This combination allows the Auto Scaling group to launch new instances in any AZ and immediately access both session and application data.

Exam trap

The trap here is that candidates often assume sticky sessions (session affinity) alone are sufficient for high availability, but they fail to realize that sticky sessions do not replicate session state across instances, so an instance failure still loses the session data.

How to eliminate wrong answers

Option A is wrong because attaching the existing EBS volume to new instances is not possible across AZs (EBS volumes are AZ-scoped) and does not provide a shared, durable data layer; it also fails to address session state persistence. Option B is wrong because sticky sessions alone do not preserve session data if the instance fails; they only route traffic to the same instance, and if that instance goes down, the session is lost. Option D is wrong because using a single AZ for the Auto Scaling group cannot tolerate an AZ failure, and while Multi-AZ RDS handles database durability, it does not address the application's in-memory session state or EBS-stored data.

18
MCQhard

A SysOps administrator is troubleshooting an issue where an EC2 instance running a web server is not reachable from the internet. The instance has a public IP and is in a public subnet. The security group allows HTTP and HTTPS from 0.0.0.0/0. The network ACL allows all inbound and outbound traffic. What should the administrator check NEXT?

A.Check that the instance is associated with an Elastic IP address.
B.Verify that the subnet's route table has a route to an internet gateway.
C.Confirm that the instance's operating system firewall is disabled.
D.Review the VPC Flow Logs for the instance's network interface.
AnswerB

Without a route to the internet gateway, traffic cannot reach the internet.

Why this answer

The instance is in a public subnet with a public IP and security group allowing HTTP/HTTPS, and the network ACL allows all traffic. The most likely remaining issue is that the subnet's route table lacks a route to an internet gateway (IGW), which is required for traffic to and from the internet. Without this route, the instance cannot send responses back to internet clients, making it unreachable despite having a public IP.

Exam trap

The trap here is that candidates often assume a public IP and permissive security groups are sufficient for internet access, overlooking the critical requirement of a route table entry pointing to an internet gateway for the subnet.

How to eliminate wrong answers

Option A is wrong because an Elastic IP is not required for internet connectivity; an instance with a public IP (auto-assigned) can already be reached from the internet if routing is correct. Option C is wrong because the question states the instance is not reachable from the internet, and while an OS firewall could block traffic, the more fundamental network-level routing issue should be checked first, and the OS firewall is not the most likely cause given the security group and NACL are permissive. Option D is wrong because VPC Flow Logs are useful for analyzing traffic that has already reached the network interface, but if the route table lacks an IGW route, traffic never reaches the instance, so flow logs would not show the missing route and are not the next logical check.

19
MCQhard

A SysOps administrator notices that an Amazon RDS for MySQL instance's CPU utilization is consistently above 80% during business hours. The administrator wants to identify the queries causing the high load without impacting performance. Which action should be taken?

A.Enable the MySQL slow query log and store it in CloudWatch Logs.
B.Enable Performance Insights on the RDS instance.
C.Enable Enhanced Monitoring to get OS-level metrics.
D.Increase the retention period for CloudWatch metrics to 15 months.
AnswerB

Performance Insights provides a real-time dashboard of database performance and top SQL queries with minimal overhead.

Why this answer

Performance Insights provides a database-specific performance schema that visualizes database load and identifies the SQL queries responsible for high CPU utilization. It operates with minimal overhead by sampling the database engine's internal performance data, making it ideal for diagnosing query performance issues without impacting the production workload.

Exam trap

The trap here is that candidates often confuse Enhanced Monitoring (OS-level metrics) with Performance Insights (database-level query analysis), or assume the slow query log is the best tool for identifying all high-CPU queries despite its threshold-based limitation.

How to eliminate wrong answers

Option A is wrong because the MySQL slow query log captures only queries that exceed a defined execution time threshold, not all queries causing high CPU utilization, and enabling it can add I/O overhead that may impact performance. Option C is wrong because Enhanced Monitoring provides OS-level metrics (CPU, memory, disk I/O) but does not identify which specific SQL queries are consuming CPU resources. Option D is wrong because increasing CloudWatch metric retention to 15 months only preserves historical data for long-term analysis, it does not help identify current queries causing high CPU load.

20
MCQeasy

A company runs a web application on EC2 instances in an Auto Scaling group. The application is behind an Application Load Balancer. The company wants to ensure that the application can handle a sudden spike in traffic without downtime. What should the SysOps administrator do?

A.Use a scheduled scaling policy to add instances during business hours.
B.Configure a target tracking scaling policy based on average CPU utilization.
C.Reduce the number of Availability Zones to lower latency.
D.Manually increase the desired capacity of the Auto Scaling group when traffic increases.
AnswerB

Target tracking automatically adjusts capacity to maintain a target metric.

Why this answer

Dynamic scaling policies adjust capacity based on demand. Option D is wrong because manual scaling is not automated. Option A is wrong because scheduled scaling is for predictable patterns.

Option C is wrong because it reduces availability.

21
MCQeasy

A SysOps administrator maintains an AWS CloudFormation stack that deploys an Amazon EC2 instance. The administrator needs to change the instance type from t2.micro to t3.micro. The administrator wants to review the proposed changes before applying them to ensure no unexpected resource replacement occurs. Which CloudFormation feature should the administrator use?

A.Use the AWS CloudFormation console to directly update the stack with the new instance type and monitor the events.
B.Create a change set from the updated template, review the changes, and then execute the change set.
C.Use the AWS CloudFormation drift detection feature to check for differences between the stack and the template.
D.Modify the CloudFormation template locally and use the AWS CLI to validate it with 'aws cloudformation validate-template'.
AnswerB

A change set provides a detailed summary of changes (add, modify, replace) before execution. This allows the administrator to see if the instance will be replaced or updated in place.

Why this answer

Option B is correct because a change set allows the administrator to review the proposed modifications (including whether any resource replacement will occur) before applying them. By creating a change set from the updated template, the administrator can inspect the list of changes, such as the instance type update, and confirm that no unexpected resource replacement (e.g., a new EC2 instance being created) will happen. Only after reviewing the change set can the administrator safely execute it to apply the changes.

Exam trap

The trap here is that candidates confuse change sets with drift detection or template validation, not realizing that change sets are specifically designed to preview the impact of stack updates before execution.

How to eliminate wrong answers

Option A is wrong because directly updating the stack via the console applies changes immediately without a review step, so the administrator cannot preview whether resource replacement will occur. Option C is wrong because drift detection compares the current stack resources against the expected template configuration to identify manual changes, not to preview proposed updates before applying them. Option D is wrong because 'aws cloudformation validate-template' only checks the syntax of the template, not the impact of changes on existing resources or whether replacement will occur.

22
MCQmedium

A company's security team requires that all Amazon S3 buckets are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any S3 bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

A.Use AWS Trusted Advisor to identify unencrypted buckets and then manually enable encryption.
B.Use AWS Config managed rule 's3-bucket-server-side-encryption-enabled' with an automatic remediation action using AWS Systems Manager Automation.
C.Use AWS CloudTrail to detect PutBucket operations and trigger a Lambda function that enables encryption.
D.Create an IAM bucket policy that denies any PutObject request that does not include x-amz-server-side-encryption header.
AnswerB

AWS Config evaluates compliance and can trigger a Systems Manager Automation document that enables default encryption on the bucket automatically.

Why this answer

Option B is correct because AWS Config's managed rule 's3-bucket-server-side-encryption-enabled' continuously evaluates S3 buckets for encryption compliance, and its automatic remediation action can invoke an AWS Systems Manager Automation document to enable SSE-S3 encryption on noncompliant buckets without custom code. This fully meets the requirement to automatically detect and remediate unencrypted buckets using AWS managed services.

Exam trap

The trap here is that candidates often confuse enforcing encryption on object uploads (via bucket policies or CloudTrail/Lambda) with ensuring the bucket's default encryption setting is enabled, which is what AWS Config's managed rule and remediation specifically address.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor only provides a manual check and recommendation; it cannot automatically apply encryption, and the requirement specifies automatic detection and remediation. Option C is wrong because AWS CloudTrail logs PutBucket operations but does not detect existing unencrypted buckets, and using a Lambda function introduces custom code, which the solution should minimize. Option D is wrong because an IAM bucket policy that denies PutObject requests without the encryption header only enforces encryption on new object uploads, not on the bucket's default encryption setting, and does not detect or remediate existing unencrypted buckets.

23
Multi-Selectmedium

A SysOps administrator is investigating a performance issue with an Amazon RDS for PostgreSQL instance. The administrator has enabled Performance Insights. Which TWO metrics from Performance Insights can help identify the root cause of a sudden increase in database load? (Choose TWO.)

Select 2 answers
A.Read IOPS and Write IOPS.
B.Average Active Sessions.
C.DB Load by Wait Events.
D.CPUUtilization percentage.
E.Top SQL queries by DB Load.
AnswersC, E

This shows the distribution of load across different wait events, helping pinpoint the type of contention.

Why this answer

Performance Insights measures database load in units of Average Active Sessions (AAS). The 'DB Load by Wait Events' metric breaks down this load by the specific wait events (e.g., I/O, locks, CPU) that are causing sessions to wait, directly pinpointing the bottleneck. This is the primary diagnostic view for identifying the root cause of a sudden load increase.

Exam trap

The trap here is that candidates confuse 'Average Active Sessions' (the overall load metric) with 'DB Load by Wait Events' (the breakdown), or they mistakenly think raw I/O metrics like IOPS are sufficient to diagnose database-level contention, when in fact wait event analysis is required to isolate the specific resource bottleneck.

24
Multi-Selectmedium

A company is using Amazon CloudFront to deliver content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which TWO steps should be taken?

Select 2 answers
A.Generate presigned URLs for all objects in the S3 bucket.
B.Configure the S3 bucket policy to grant the OAI s3:GetObject permission.
C.Configure CloudFront signed URLs to limit viewer access.
D.Create an Origin Access Identity (OAI) for the CloudFront distribution.
E.Set the S3 bucket policy to allow access only from the CloudFront distribution ID.
AnswersB, D

This allows CloudFront to read objects while blocking direct S3 access.

Why this answer

Options B and D are correct. Creating an Origin Access Identity (OAI) and granting it s3:GetObject on the bucket, then configuring the bucket policy to deny all other principals, ensures only CloudFront can access the content. Option A is incorrect because presigned URLs are for individual user access, not for CloudFront origin access. Option C is incorrect because CloudFront signed URLs restrict viewer access, not origin access. Option E is incorrect because bucket policies grant access to the OAI, not to a CloudFront distribution ID.
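The bucket policy shape that Options B and D describe, as an added example rather than part of the original question: the OAI is the only principal granted s3:GetObject. The bucket name and OAI ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

Because a bucket policy denies anything it does not allow, no separate Deny statement is needed for other principals; keeping S3 Block Public Access enabled on the bucket stops an ACL or a later policy edit from reopening direct access.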

25
MCQhard

A company uses a centralized logging solution with Amazon OpenSearch Service. The log volume has grown significantly, increasing costs. The logs are retained for 90 days for compliance, but only the last 30 days are frequently accessed. Which combination of actions would reduce costs without compromising compliance?

A.Move the logs to Amazon S3 Glacier and use a Lambda function to query them.
B.Increase the number of data nodes to improve indexing performance.
C.Migrate indices older than 30 days to UltraWarm nodes.
D.Configure an index lifecycle policy to delete indices older than 30 days.
AnswerC

UltraWarm provides cost-effective storage for infrequently accessed data.

Why this answer

Using UltraWarm nodes for older data reduces storage costs while retaining data for 90 days. Option D is wrong because deleting data after 30 days violates compliance. Option B is wrong because increasing the data node count increases costs. Option A is wrong because cold storage retrieval is not appropriate for OpenSearch log queries.

26
MCQeasy

A company has a fleet of EC2 instances in an Auto Scaling group behind an Application Load Balancer. The security team requires that all traffic to the instances be encrypted in transit. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The security team wants to ensure that the traffic between the ALB and the instances is also encrypted. What should the SysOps administrator do to meet this requirement with minimal changes?

A.Replace the ALB with a Network Load Balancer and use TLS termination on the instances.
B.Place a CloudFront distribution in front of the ALB and use HTTPS for all origins.
C.Set up a VPN connection between the ALB and the instances.
D.Change the ALB listener to use HTTPS and configure the target group to use HTTPS with a self-signed certificate on the instances.
AnswerD

Encrypts traffic between ALB and instances.

Why this answer

Option D is correct because the ALB listener can use HTTPS and forward to a target group whose protocol is HTTPS, so the hop from the ALB to the instances is encrypted as well. Option A is wrong because, although an NLB can handle TLS, replacing the ALB and terminating TLS on the instances requires more configuration than the minimal change requested. Option B is wrong because CloudFront adds complexity. Option C is wrong because a VPN is not needed.

27
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The deployment group has a minimum of 2 healthy instances. The Auto Scaling group has 4 instances. What should the SysOps administrator check first?

A.Review the deployment configuration to ensure it allows enough time for deployment.
B.Verify that the AppSpec file includes the correct hooks.
C.Check the Auto Scaling group's health check type and ensure it is set to ELB.
D.Check the IAM role for CodeDeploy to ensure it has sufficient permissions.
AnswerC

If the health check is not ELB, instances might be considered healthy even if they fail the deployment, leading to insufficient healthy instances.

Why this answer

The error indicates that the deployment could not maintain the minimum healthy instances. Checking the Auto Scaling group's health check configuration is the first step because if the health check type is not set to ELB, the instances might be marked healthy even if they are not receiving traffic. Option C is correct.

Option B is wrong because the error message does not point to missing hooks. Option D is wrong because the error is about health, not about permissions. Option A is wrong because the deployment configuration is not the primary issue; the error message specifically mentions healthy instances.

28
Multi-Selectmedium

A SysOps administrator is designing a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which THREE components are required to achieve this?

Select 3 answers
A.A VPC Gateway Endpoint
B.An Internet Gateway attached to the VPC
C.A NAT Gateway in a public subnet
D.A Site-to-Site VPN connection
E.A route table in the private subnet with a default route to the NAT Gateway
AnswersB, C, E

IGW provides internet access for public subnets and NAT Gateway.

Why this answer

Options B, C, and E are correct. A NAT Gateway in a public subnet, an Internet Gateway attached to the VPC, and a route table in the private subnet with a default route to the NAT Gateway are all required. Option D is wrong because a VPN is not needed. Option A is wrong because a VPC Gateway Endpoint is for specific services like S3, not general internet access.

29
MCQmedium

A SysOps administrator attached the IAM policy shown to a user. The user needs to launch EC2 instances for a cost-sensitive project. What is the impact of this policy on cost optimization?

A.The policy allows launching any number of t3.micro instances, potentially increasing costs if many instances are launched.
B.The policy is too restrictive because it only allows t3.micro instances, which may not be sufficient for production workloads.
C.The policy does not allow launching any instances because the condition is on RunInstances.
D.The policy ensures cost control by allowing only t3.micro instances, which are the cheapest.
AnswerA

No limit on instance count can lead to cost overrun.

Why this answer

The correct answer is A. The policy allows running instances only of type t3.micro, which is a low-cost instance. However, it does not restrict the number of instances, so a user could launch many instances, increasing costs. Option B is wrong because the question concerns the cost impact of the policy, not whether t3.micro suits production workloads. Option C is wrong because the policy does allow running instances, subject to the instance-type condition. Option D is wrong because allowing only t3.micro does not ensure cost control when the instance count is unlimited.

30
Multi-Selecteasy

A company wants to ensure its SysOps Administrator can recover an EBS volume from a snapshot. Which TWO steps are required? (Choose TWO.)

Select 2 answers
A.Configure a KMS key for the snapshot.
B.Attach the volume to an EC2 instance.
C.Specify the Availability Zone when creating the volume.
D.Create a snapshot of the volume.
E.Enable encryption on the snapshot.
AnswersC, D

Required to create the volume in the correct AZ.

Why this answer

Option D is correct because you must have a snapshot to create a volume. Option C is correct because when creating a volume from a snapshot, you must specify the Availability Zone. Option E is wrong because enabling encryption is not required to recover a volume from a snapshot. Option B is wrong because attaching the volume to an instance is not part of recovering it from the snapshot. Option A is wrong because KMS keys are optional for encryption.

31
MCQhard

A SysOps administrator needs to ensure that all S3 buckets in the account are logged to CloudTrail for data events. The administrator enables CloudTrail with data events for S3 and selects 'All buckets' in the current account. However, after a week, they notice that some buckets are not being logged. What is the most likely reason?

A.The IAM user who created the trail does not have s3:PutObject permissions on the buckets.
B.The S3 buckets do not have a bucket policy that allows CloudTrail to write the log files.
C.The S3 buckets are in a different AWS Region from the CloudTrail trail.
D.The S3 buckets have server access logging enabled, which conflicts with CloudTrail logging.
AnswerB

Without the appropriate bucket policy, CloudTrail cannot deliver logs to the target bucket.

Why this answer

When CloudTrail delivers S3 data event logs to a destination bucket, it writes log files on behalf of the trail. Even if the trail is configured to log data events for 'All buckets,' CloudTrail must have explicit permissions to write to the destination bucket. The destination bucket requires a bucket policy that grants CloudTrail the s3:PutObject action; without this policy, CloudTrail cannot deliver logs for any bucket, including those being monitored.

Option B correctly identifies this missing bucket policy as the most likely reason some buckets are not logged.

Exam trap

The trap here is that candidates assume enabling CloudTrail with 'All buckets' automatically grants write permissions, but they overlook the critical requirement of a bucket policy on the destination bucket that explicitly allows CloudTrail to deliver logs.

How to eliminate wrong answers

Option A is wrong because the IAM user who created the trail does not need s3:PutObject permissions on the buckets being logged; CloudTrail itself writes the logs to the destination bucket, and the trail creation only requires permissions to create the trail and configure logging, not to write to each source bucket. Option C is wrong because CloudTrail can log data events for S3 buckets in any region as long as the trail is configured with 'All buckets' or a bucket ARN that includes the region; regional mismatch does not prevent logging. Option D is wrong because server access logging and CloudTrail data event logging are independent features that can coexist on the same bucket without conflict; enabling one does not disable the other.

32
MCQeasy

A company is using AWS KMS to encrypt data at rest in S3. The security team wants to ensure that encryption keys are automatically rotated annually. Which type of KMS key should be used?

A.Use an asymmetric KMS key
B.Use a custom key store (CloudHSM)
C.Use an AWS managed key
D.Use a customer managed key with imported key material
AnswerC

AWS managed keys are automatically rotated every year.

Why this answer

AWS managed KMS keys (AWS managed keys) are automatically rotated every year (365 days) with no action required from the customer. This satisfies the security team's requirement for annual automatic key rotation without any manual intervention or additional configuration.

Exam trap

The trap here is that candidates often assume customer managed keys (with AWS generated material) also support automatic rotation, but the question specifically requires annual rotation without manual effort, and only AWS managed keys provide this by default without any setup.

How to eliminate wrong answers

Option A is wrong because asymmetric KMS keys do not support automatic key rotation; they are designed for encrypt/decrypt or sign/verify operations outside of AWS and must be manually rotated. Option B is wrong because a custom key store backed by CloudHSM does not support automatic key rotation; you must manage key rotation manually within the CloudHSM cluster. Option D is wrong because customer managed keys with imported key material do not support automatic rotation; AWS cannot rotate key material that was imported from an external source.

33
Multi-Selectmedium

A SysOps administrator needs to restrict access to an S3 bucket so that only users from the corporate network IP range (203.0.113.0/24) can read objects. Which TWO elements are required to implement this? (Choose two.)

Select 2 answers
A.An IAM policy that allows s3:GetObject from the corporate IP
B.Amazon CloudFront distribution with an origin access identity
C.The S3 endpoint URL (s3.amazonaws.com) accessible from the corporate network
D.An S3 bucket policy with a condition that uses aws:SourceIp
E.A VPC gateway endpoint for S3
AnswersC, D

Users must be able to reach the S3 endpoint.

Why this answer

Options C and D are correct. A bucket policy can use the aws:SourceIp condition to restrict access to the IP range. Additionally, if the users are accessing via the internet, they must be able to reach the S3 endpoint. Option E is incorrect because VPC endpoints provide private connectivity, where a different condition would apply. Option A is incorrect because IAM policies are for user permissions, not IP restrictions. Option B is incorrect because CloudFront is a CDN and is not required.
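An added example (not from the question set) of the bucket policy Option D describes, using the 203.0.113.0/24 range from the question: a Deny for reads from any other source address, paired with an Allow for the account's principals from the corporate range. The bucket name and the 123456789012 account ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReadsFromOutsideCorporateRange",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}
      }
    },
    {
      "Sid": "AllowReadsFromCorporateRange",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}
      }
    }
  ]
}
```

The Deny applies to every principal, including administrators working from outside the range, and aws:SourceIp is not the corporate address for requests arriving through a VPC endpoint (those carry a private address and would be denied here), so test the policy with the IAM policy simulator before applying it.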

34
MCQmedium

A SysOps administrator is troubleshooting connectivity issues between two VPCs that are peered together. The VPCs are in the same AWS region. An EC2 instance in VPC A (10.0.1.0/24) cannot ping an EC2 instance in VPC B (10.0.2.0/24). Both VPCs have route tables that include the CIDR of the other VPC with the peering connection as the target. The security groups and network ACLs allow all inbound and outbound traffic. What is the most likely issue?

A.The route tables do not have a route to the other VPC's CIDR.
B.The VPC peering connection is not enabled for DNS resolution.
C.There is a third VPC C that is peered with both VPC A and VPC B, and VPC A is trying to reach VPC B through VPC C.
D.The VPCs are in different AWS regions.
AnswerC

VPC peering does not support transitive routing; traffic must go directly through the peering connection.

Why this answer

Option C is correct because transitive routing is not supported with VPC peering. Even though VPC A and VPC B are both peered with VPC C, traffic cannot flow from VPC A to VPC B through VPC C. Each VPC peering connection is a one-to-one relationship, and EC2 instances in VPC A cannot reach VPC B unless there is a direct VPC peering connection between them.

The route tables in VPC A and VPC B must point directly to each other's CIDR via a direct peering connection, not through an intermediate VPC.

Exam trap

The trap here is that candidates assume VPC peering supports transitive routing, similar to a router in a traditional network, but AWS explicitly prohibits this — each peering connection is a direct, non-transitive link.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that both VPCs have route tables that include the CIDR of the other VPC with the peering connection as the target, so missing routes are not the issue. Option B is wrong because DNS resolution settings (enableDnsHostnames and enableDnsSupport) are irrelevant to ICMP ping connectivity between private IP addresses; DNS resolution only affects name resolution, not direct IP-based reachability. Option D is wrong because the question states the VPCs are in the same AWS region, and inter-region VPC peering is supported (though with additional considerations), so region mismatch is not the problem here.

35
Multi-Selecthard

A company runs a stateless web application on EC2 instances behind an Application Load Balancer. The SysOps Administrator needs to ensure the application can withstand the loss of an entire Availability Zone. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A.Enable cross-zone load balancing on the ALB.
B.Configure the Auto Scaling group to launch instances in at least two Availability Zones.
C.Ensure the ALB is configured to route traffic to all enabled AZs.
D.Configure the Auto Scaling group to use a dynamic scaling policy based on CPU utilization.
E.Use an Elastic IP address for each EC2 instance.
AnswersB, C, D

Ensures instances are distributed across AZs.

Why this answer

Option B is correct because deploying across multiple AZs ensures that if one AZ fails, the application still runs. Option C is correct because the ALB can distribute traffic to healthy instances in any enabled AZ. Option D is correct because Auto Scaling across AZs replaces failed instances in other AZs. Option A is wrong because cross-zone load balancing only changes how traffic is spread across the AZs already in use; it does not by itself place instances in more than one AZ. Option E is wrong because Elastic IP addresses do not provide Availability Zone resilience.

36
Multi-Selectmedium

A company is designing a disaster recovery strategy for a production RDS for MySQL database. The database is currently single-AZ. The recovery point objective (RPO) is 1 hour, and the recovery time objective (RTO) is 15 minutes. Which steps should the SysOps administrator take to meet these requirements? (Choose THREE.)

Select 3 answers
A.Disable automated backups to reduce performance impact.
B.Take manual DB snapshots every hour.
C.Enable automated backups with a retention period of at least 1 day.
D.Modify the DB instance to be Multi-AZ.
E.Create a read replica in a different Availability Zone.
AnswersB, C, D

Manual snapshots provide additional recovery points and can be restored quickly.

Why this answer

Options B, C, and D are correct. Enabling automated backups provides point-in-time recovery with an RPO of 5 minutes (within the 1 hour requirement). Multi-AZ provides automatic failover with an RTO typically under 1 minute (within 15 minutes).

Taking regular manual snapshots complements automated backups for long-term retention. Option E is wrong because read replicas are for read scaling, not failover. Option A is wrong because disabling automated backups increases RPO.

37
MCQeasy

A company uses AWS CodeCommit to store its source code and AWS CodeBuild to compile and test the code. The SysOps administrator is setting up a new build project that needs to access a private Amazon S3 bucket to download build dependencies. The build project runs in a VPC. The administrator has attached an IAM role to the build project with permissions to access the S3 bucket. However, the build fails with an access denied error when trying to download the dependencies. The S3 bucket is in the same region and account. What should the administrator do to resolve the issue?

A.Attach an internet gateway to the VPC to provide internet access.
B.Configure the security group for CodeBuild to allow outbound traffic to the S3 bucket.
C.Create a VPC endpoint for Amazon S3 and associate it with the VPC where CodeBuild runs.
D.Update the IAM role to include 's3:ListBucket' permission.
AnswerC

Why this answer

Option C is correct because when CodeBuild runs in a VPC, it does not have internet access by default, and a VPC endpoint for S3 is required to reach the bucket without going through a NAT gateway or the internet. Option D is incorrect because the IAM role permissions already appear correct; the issue is network connectivity. Option B is incorrect because security groups control traffic at the instance level and do not provide a path to S3. Option A is incorrect because the VPC does not need internet access if VPC endpoints are used.

38
MCQeasy

A SysOps administrator needs to create a VPC with both public and private subnets. The public subnet will host a NAT gateway and a bastion host. The private subnet will host application servers that need outbound internet access for updates. Which routing configuration should the administrator implement?

A.Public subnet route table: 0.0.0.0/0 -> Internet Gateway; Private subnet route table: 0.0.0.0/0 -> Internet Gateway via the NAT Gateway.
B.Public subnet route table: 0.0.0.0/0 -> Internet Gateway; Private subnet route table: 0.0.0.0/0 -> Internet Gateway.
C.Public subnet route table: 0.0.0.0/0 -> NAT Gateway; Private subnet route table: 0.0.0.0/0 -> Internet Gateway.
D.Public subnet route table: 0.0.0.0/0 -> Internet Gateway; Private subnet route table: 0.0.0.0/0 -> NAT Gateway.
AnswerD

This allows private instances to access the internet through the NAT gateway while remaining private.

Why this answer

The private subnet route table should have a default route (0.0.0.0/0) pointing to the NAT gateway, which is in the public subnet. The public subnet route table should have a default route pointing to the internet gateway. Option B is incorrect because the private subnet should not have a route to the internet gateway. Option A is incorrect because the private subnet's default route should point at the NAT gateway itself, not at the internet gateway via the NAT gateway. Option C is incorrect because the NAT gateway must be in the public subnet, whose route table needs a route to the internet gateway, not to the NAT gateway.

39
Multi-Selecthard

A company is using AWS CloudFormation to deploy a stack that includes an Amazon RDS Multi-AZ DB instance. The stack creation fails with the error 'The DB instance already exists'. The SysOps Administrator needs to resolve this issue without modifying the template. Which THREE steps should the administrator take? (Choose THREE.)

Select 3 answers
A.Update the CloudFormation stack to change the deletion policy of the DB instance to Retain.
B.Delete the existing DB instance from the AWS account.
C.Use the CloudFormation resource import feature to bring the existing DB instance into the stack.
D.Use a different stack name in the CloudFormation template.
E.Change the DB instance identifier in the CloudFormation template to a unique value.
AnswersA, B, E

Changing deletion policy to Retain prevents accidental deletion during updates.

Why this answer

Options A, B, and E are correct. Deleting the existing DB instance (Option B) allows CloudFormation to create a new one. Changing the deletion policy to Retain (Option A) ensures the existing DB instance is not deleted if the stack is updated. Changing the DB instance identifier (Option E) avoids the name conflict. Option C (importing the resource) is not possible without modifying the template. Option D (using a different stack name) does not resolve the resource conflict.

40
MCQhard

Refer to the exhibit. An IAM policy allows running instances. A user attempts to launch a t2.micro instance with a 20 GiB gp2 volume and an additional 100 GiB io1 volume. What will happen?

A.The launch succeeds
B.The launch fails because the policy does not allow creating volumes over 100 GiB
C.The launch fails because the condition does not allow any volume
D.The launch fails because the io1 volume is not allowed
AnswerA

The instance type is t2.micro as required, and volumes are allowed.

Why this answer

The policy allows running t2.micro instances (first statement) and creating volumes (second statement) without restriction on volume type or size. However, the condition on the instance resource only restricts the instance type to t2.micro; the volume resource has no condition. Therefore, both volumes are allowed.

The instance launch succeeds. Option A is correct. Options B, C, D are incorrect.

41
MCQeasy

A company stores sensitive data in an RDS database. Which AWS service should be used to encrypt the database at rest?

A.AWS Certificate Manager (ACM)
B.AWS Identity and Access Management (IAM)
C.AWS Key Management Service (KMS)
D.AWS CloudHSM
AnswerC

KMS manages encryption keys for RDS.

Why this answer

Option C is correct because AWS KMS provides the encryption keys for RDS encryption at rest. Option A is wrong because ACM provides SSL/TLS certificates. Option D is wrong because CloudHSM is a hardware security module but not the primary service for RDS encryption. Option B is wrong because IAM manages identities.

42
Multi-Selectmedium

A SysOps administrator is creating an AWS CloudFormation template to deploy a web application. The template will create an Application Load Balancer (ALB), an Auto Scaling group, and an Amazon RDS database. The administrator wants to ensure that the Auto Scaling group is created only after the ALB and the RDS database are fully created and available. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A.Add a DependsOn attribute to the Auto Scaling group resource that lists only the ALB resource.
B.Add a DependsOn attribute to the Auto Scaling group resource that lists both the ALB and the RDS database resources.
C.Add an UpdatePolicy to the Auto Scaling group resource to wait for a signal.
D.Add a CreationPolicy to the RDS database resource to wait for a signal that the database is available.
E.Add a CreationPolicy to the Auto Scaling group resource to wait for a signal from the instances.
AnswersB, D

This ensures the Auto Scaling group is created after both resources are created.

Why this answer

DependsOn ensures the order of resource creation. For the Auto Scaling group to wait for both the ALB and RDS, it must list both as dependencies. Additionally, a CreationPolicy on the RDS instance can be used to signal when it is fully available (e.g., after the database is created and ready).

The question asks for two actions. A DependsOn attribute on the Auto Scaling group that lists both the ALB and the RDS resources (Option B) enforces creation order, and a CreationPolicy on the RDS resource (Option D) waits for a signal that the database is available, which satisfies the 'fully created and available' requirement. Option A is incomplete because it lists only the ALB. Other answers are sometimes given for this question, but DependsOn and CreationPolicy are the standard CloudFormation mechanisms for ordering and readiness.

43
Multi-Selecthard

A company runs a web application on EC2 instances in an Auto Scaling group. The application uses an Amazon RDS Multi-AZ DB instance. The SysOps administrator notices that during a recent failover test, the application became unresponsive for several minutes. The administrator wants to improve the application's resilience during failover. Which three actions should the administrator take? (Choose THREE.)

Select 3 answers
A.Configure the Application Load Balancer health checks to have a low threshold (e.g., 2 consecutive failures) and a short interval (e.g., 5 seconds).
B.Implement retry logic in the application to handle transient database connection failures.
C.Change the RDS DB instance to use asynchronous replication instead of synchronous replication.
D.Increase the EC2 instance size to handle more connections during failover.
E.Configure an Amazon RDS Proxy in front of the RDS database to pool and share database connections.
AnswersA, B, E

Fast health checks allow the ALB to quickly take failing instances out of service, reducing user impact.

Why this answer

Options A, B, and E are correct. Health checks with low thresholds and short intervals (A) help the load balancer quickly detect and route away from unhealthy instances. Retry logic (B) allows the application to reconnect after failover. An RDS Proxy (E) manages connections and reduces failover time.

Option C is wrong because Multi-AZ already uses synchronous replication; asynchronous replication would reduce durability. Option D is wrong because increasing instance size does not reduce failover time.

44
MCQmedium

A company requires that all users in an AWS account must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to implement this requirement using IAM policies. Which IAM policy condition key should be used to enforce MFA?

A.aws:SourceIp
B.aws:MultiFactorAuthPresent
C.aws:RequestedRegion
D.iam:PassedToService
AnswerB

This condition key checks if the requester authenticated with an MFA device. It can be used to require MFA for specific actions.

Why this answer

The `aws:MultiFactorAuthPresent` condition key checks whether the user authenticated using a valid MFA device before making the API request. By setting this condition to `true` in an IAM policy, you can enforce that all actions on EC2 instances require MFA authentication, meeting the company's requirement.

Exam trap

The trap here is that candidates often confuse `aws:MultiFactorAuthPresent` with `aws:SourceIp` or `iam:PassedToService`, thinking IP-based or role-passing conditions can enforce MFA, but only the MFA-specific condition key directly checks authentication strength.

How to eliminate wrong answers

Option A is wrong because `aws:SourceIp` restricts access based on the source IP address, not MFA status. Option C is wrong because `aws:RequestedRegion` limits actions to specific AWS regions, not MFA enforcement. Option D is wrong because `iam:PassedToService` controls which roles can be passed to AWS services, not MFA authentication.

45
MCQmedium

A company uses Amazon S3 to store sensitive customer data. A SysOps administrator needs to ensure that any S3 bucket that is incorrectly configured to allow public read access is automatically remediated within five minutes. The administrator wants to use native AWS services with minimal custom code. Which solution should be used?

A.Use AWS Config with the 's3-bucket-public-read-prohibited' managed rule and configure automatic remediation to block public access.
B.Create an Amazon EventBridge (CloudWatch Events) rule that triggers an AWS Lambda function to check and fix public read access.
C.Apply an S3 bucket policy to each bucket that denies public read access.
D.Use AWS Trusted Advisor to check for public read access and manually remediate when notified.
AnswerA

AWS Config continuously evaluates bucket configurations and can automatically remediate noncompliant buckets using pre-built automation.

Why this answer

AWS Config with the 's3-bucket-public-read-prohibited' managed rule can automatically evaluate S3 bucket configurations against the desired state. When a non-compliant bucket is detected, AWS Config can trigger an automatic remediation action (e.g., applying an S3 bucket policy or blocking public access) using AWS Systems Manager Automation documents, all within the required five-minute window and with minimal custom code.

Exam trap

The trap here is that candidates often choose EventBridge + Lambda (Option B) because it seems more flexible, but they overlook the 'minimal custom code' constraint and the fact that AWS Config's managed rule with automatic remediation is a fully native, code-free solution.

How to eliminate wrong answers

Option B is wrong because while EventBridge and Lambda can achieve the goal, they require custom code (Lambda function) and manual setup, which contradicts the 'minimal custom code' requirement. Option C is wrong because applying a bucket policy to each bucket is a manual, one-time action that does not provide automatic detection and remediation of newly created or misconfigured buckets. Option D is wrong because Trusted Advisor provides only manual checks and notifications; it cannot automatically remediate misconfigurations, and relying on manual remediation violates the 'automatically remediated within five minutes' requirement.

46
MCQmedium

An environment has 12 individual CloudWatch metric alarms covering CPU, memory, disk, and network. When one instance degrades, all 12 alarms fire simultaneously and send 12 separate notifications to the on-call engineer. The team wants a single notification per incident regardless of how many individual alarms trigger. What CloudWatch feature addresses this?

A.Create a composite alarm that enters ALARM state when any of the 12 child alarms is in ALARM state, and configure a single SNS action on the composite alarm only
B.Increase the alarm evaluation period on all 12 alarms to 30 minutes so they fire less frequently
C.Use an SNS topic with a delivery policy that batches notifications sent within a 60-second window
D.Configure all 12 alarms to write to the same CloudWatch Events rule and suppress duplicate events with EventBridge deduplication
AnswerA

The composite alarm's rule expression 'ALARM(alarm1) OR ALARM(alarm2) OR ...' triggers when any child fires. By routing all notifications through the composite alarm's action and removing actions from the child alarms, exactly one notification is sent per incident. Child alarm states remain visible in the console for root cause analysis.

Why this answer

Option A is correct because a composite alarm in CloudWatch can aggregate multiple child alarms into a single parent alarm. When any of the 12 child alarms enters the ALARM state, the composite alarm transitions to ALARM and triggers a single SNS notification, thereby reducing alert noise to one notification per incident.

Exam trap

The trap here is that candidates may think SNS batching or EventBridge deduplication can consolidate separate alarm notifications, but those services do not aggregate distinct alarm state changes into a single event; only composite alarms provide that logical grouping.

How to eliminate wrong answers

Option B is wrong because increasing the evaluation period to 30 minutes does not consolidate multiple notifications into one; it merely delays the alarms, and all 12 would still fire individually after the longer period. Option C is wrong because SNS delivery policies control retries and message batching for HTTP/HTTPS endpoints, not deduplication or aggregation of separate alarm notifications; each alarm still sends its own message to the topic. Option D is wrong because CloudWatch Events (now EventBridge) can route alarm state changes to targets, but EventBridge deduplication applies to events based on a deduplication ID and is designed for idempotent event processing, not for collapsing multiple distinct alarm events into a single notification.

47
MCQhard

A company has an S3 bucket configured to log all access requests to another bucket. The security team notices that some delete requests are not being logged. What is the most likely cause?

A.The delete requests were made through AWS CloudTrail, which bypasses S3 access logging
B.The bucket policy denies logging of delete requests
C.The bucket has MFA Delete enabled, and the logging configuration does not capture MFA delete requests
D.S3 server access logs do not capture DELETE requests
AnswerC

MFA Delete requests may not be logged by S3 server access logs if the logging configuration is not set up to capture them.

Why this answer

S3 server access logs capture requests made to a bucket, including delete requests. A delete performed through AWS Systems Manager or recorded by AWS CloudTrail could be missing from the access logs if the logging bucket has a lifecycle policy that expires the logs before they are reviewed. The most common cause, however, is that the requester used the S3 console with MFA Delete enabled on the bucket; such requests require additional authentication and might not be logged if the logging bucket itself has a policy that denies logging of MFA delete requests.

The question asks for the most likely cause. Option C is correct because, with MFA Delete enabled, delete requests require MFA, and S3 server access logs might not capture them if the logging configuration does not support it. Option A is wrong because AWS CloudTrail logs API calls, including delete requests, in CloudTrail; it does not cause requests to be missing from S3 access logs.

Option D is wrong because S3 server access logs do capture delete requests. Option B is wrong because bucket policies do not prevent logging; a policy might deny the request, but a denied request is still logged.

48
Multi-Selecteasy

A company needs to monitor the CPU and memory utilization of its EC2 instances. Which TWO services can be used to collect and visualize these metrics?

Select 2 answers
A.Amazon CloudWatch
B.AWS CloudTrail
C.Amazon CloudWatch Agent
D.AWS Config
E.AWS Systems Manager
AnswersA, C

CloudWatch collects CPU utilization by default and can display metrics.

Why this answer

Amazon CloudWatch is the native AWS monitoring service that collects and stores metrics such as CPU utilization and memory utilization from EC2 instances. However, by default, CloudWatch only captures hypervisor-level metrics (like CPU) and not in-guest metrics (like memory utilization). To collect memory utilization, you must install the Amazon CloudWatch Agent on the instance, which sends custom metrics to CloudWatch.

Together, CloudWatch and the CloudWatch Agent provide both collection and visualization of CPU and memory metrics.

Exam trap

The trap here is that candidates often assume CloudWatch alone collects all EC2 metrics, but they miss that memory utilization requires the CloudWatch Agent because it is an in-guest metric not provided by the hypervisor.

49
MCQeasy

A SysOps Administrator needs to monitor network traffic in a VPC. Which AWS service provides packet-level information about IP traffic?

A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.AWS Config
D.VPC Flow Logs
AnswerD

Correct because Flow Logs capture IP traffic metadata.

Why this answer

Option D is correct because VPC Flow Logs capture IP traffic information for network interfaces. Option A is wrong because CloudWatch Logs can store logs but does not capture IP traffic directly. Option C is wrong because AWS Config records resource configuration changes.

Option B is wrong because CloudTrail records API calls.

50
MCQeasy

An application runs on c5.xlarge EC2 instances 24 hours a day, 7 days a week in us-east-1. The workload is stable and will not change instance type for at least 12 months. The team wants to reduce compute costs by 30 to 40 percent compared to On-Demand pricing. Which purchasing option achieves this with the lowest financial risk?

A.Purchase a 1-year Standard Reserved Instance for c5.xlarge in us-east-1 with All Upfront or Partial Upfront payment
B.Use Spot Instances with an interruption tolerance of 5 minutes for the workload
C.Enable EC2 Auto Scaling with a target tracking policy to scale down to zero instances during off-peak hours
D.Purchase a 3-year Convertible Reserved Instance to maximize the discount percentage
AnswerA

A 1-year Standard RI matches the 12-month stability horizon and delivers 30–40 percent savings versus On-Demand. All Upfront provides the deepest discount; Partial Upfront reduces the upfront cash requirement with a slightly lower overall saving. The 1-year commitment limits risk compared to a 3-year commitment for an uncertain future period.

Why this answer

A 1-year Standard Reserved Instance (RI) with All Upfront or Partial Upfront payment offers a 30-40% discount over On-Demand pricing for a stable, always-on workload. This option provides the lowest financial risk because it commits to a fixed instance type and region for only one year, matching the workload's stable nature without the flexibility premium of Convertible RIs or the interruption risk of Spot Instances.

Exam trap

The trap here is that candidates may choose the 3-year Convertible RI (Option D) for its higher discount percentage, overlooking the fact that the longer commitment and unnecessary flexibility introduce greater financial risk for a stable, unchanging workload.

How to eliminate wrong answers

Option B is wrong because Spot Instances can be interrupted with as little as a 5-minute warning, which introduces significant financial and operational risk for a workload that must run 24/7 without interruption. Option C is wrong because scaling down to zero instances during off-peak hours would violate the requirement that the application runs 24/7, and it does not address the need to reduce costs for the always-on baseline. Option D is wrong because a 3-year Convertible Reserved Instance, while offering a higher discount percentage, introduces greater financial risk due to the longer commitment period and the unnecessary flexibility to change instance types, which the workload does not require.

51
MCQmedium

A SysOps administrator needs to deploy a web application across multiple AWS Regions for disaster recovery. The application uses Amazon RDS for MySQL and requires a secondary database in a different Region. What is the MOST cost-effective and automated solution to keep the databases synchronized?

A.Create a cross-Region read replica of the primary RDS instance in the secondary Region
B.Use AWS Database Migration Service (DMS) with ongoing replication
C.Set up a cron job on an EC2 instance to export the database and import it into the secondary Region
D.Enable Multi-AZ on the primary RDS instance and configure a read replica in the secondary Region
AnswerA

RDS cross-Region read replicas provide automated asynchronous replication to another Region, meeting the DR requirement cost-effectively.

Why this answer

Option A is correct because Amazon RDS cross-Region read replicas automatically replicate data from the primary database to a secondary Region, providing a cost-effective solution without separate infrastructure. Option C is wrong because it requires manual scripting and is not fully automated. Option D is wrong because it relies on RDS Multi-AZ, which provides high availability within a single Region, not cross-Region replication.

Option B is wrong because it uses a custom replication solution that is not managed by AWS.

52
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The operations team wants to be notified when a stack update fails. What is the simplest way to achieve this?

A.Enable CloudTrail and create a metric filter for 'UpdateStack' events, then set an alarm.
B.Write a script that periodically checks the CloudFormation console for stack status and sends an email.
C.Create an Amazon EventBridge rule that matches CloudFormation events and triggers a Lambda function to send an SNS notification.
D.Configure an SNS topic in the CloudFormation stack's notification options.
AnswerD

CloudFormation can directly send stack events to SNS topics, including failure notifications.

Why this answer

Option D is correct because CloudFormation natively supports specifying an SNS topic in the stack's notification options, which automatically sends notifications on stack events such as failures, without requiring any additional services or custom code. This is the simplest and most direct method to notify the operations team when a stack update fails.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing EventBridge or CloudTrail-based approaches, overlooking CloudFormation's built-in SNS notification feature as the simplest and most direct option.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs API calls but does not directly trigger notifications; creating a metric filter and alarm adds unnecessary complexity when a built-in notification mechanism exists. Option B is wrong because writing a script to poll the CloudFormation console is inefficient, introduces latency, and violates the principle of using event-driven notifications over polling. Option C is wrong because while EventBridge with Lambda and SNS can work, it is more complex than the native SNS integration and requires custom code, making it not the simplest solution.

53
MCQhard

A team uses AWS CodeDeploy with a deployment configuration of CodeDeployDefault.OneAtATime to deploy a web application to an Auto Scaling group. Instances are behind an Application Load Balancer. The deployment fails with 'The overall deployment failed because too many individual instances failed deployment.' What is the most likely cause?

A.The health check grace period on the Auto Scaling group is too short.
B.The target group deregistration delay is too long.
C.The CodeDeploy agent is not installed on the instances.
D.The deployment group is configured to skip the ELB health check.
AnswerA

Correct. A short grace period causes instances to be considered unhealthy before the deployment finishes, triggering Auto Scaling to replace them and causing repeated failures.

Why this answer

The deployment fails because the health check grace period on the Auto Scaling group is too short. When CodeDeploy deploys one instance at a time (CodeDeployDefault.OneAtATime), the instance is taken out of service, updated, and then returned to the load balancer. If the grace period expires before the instance passes its health checks, the Auto Scaling group marks it as unhealthy and terminates it, causing the deployment to fail with 'too many individual instances failed.'

Exam trap

The trap here is that candidates often confuse the health check grace period with the deregistration delay or assume the issue is with the CodeDeploy agent, but the specific error 'too many individual instances failed' points to Auto Scaling terminating instances due to health check failures, not a deployment script or agent problem.

How to eliminate wrong answers

Option B is wrong because a long target group deregistration delay would cause traffic to continue flowing to instances being replaced, but it would not cause instances to be terminated by the Auto Scaling group; it delays the removal of instances from the target group but does not trigger deployment failure. Option C is wrong because if the CodeDeploy agent were not installed, the deployment would fail immediately with an agent connectivity error, not with 'too many individual instances failed' after partial success. Option D is wrong because skipping the ELB health check would prevent the load balancer from routing traffic to the instances, but it would not cause the Auto Scaling group to terminate instances; the deployment would likely succeed but with no traffic, not fail with this specific error.

54
MCQhard

A SysOps administrator creates this IAM policy for a monitoring application. The application needs to publish custom metrics to CloudWatch and retrieve information about EC2 instances and Auto Scaling groups. The application reports that it cannot list EC2 instances. What is the most likely reason?

A.The policy uses a wildcard for the ec2:Describe action; it should specify ec2:DescribeInstances.
B.The policy does not grant access to the us-east-1 region.
C.The policy is missing the cloudwatch:PutMetricData action for the monitoring application.
D.The policy should include ec2:DescribeTags to list instances.
AnswerA

The action 'ec2:Describe' without a wildcard does not match any action.

Why this answer

The policy uses a wildcard for the ec2:Describe action, but IAM does not support wildcards for action names in the format 'ec2:Describe*'. The correct action to list EC2 instances is 'ec2:DescribeInstances'. Because the wildcard is invalid, the policy grants no EC2 Describe permissions, causing the application to fail when listing instances.

Exam trap

The trap here is that candidates assume a wildcard like 'ec2:Describe*' is valid for IAM actions, but AWS IAM does not support wildcards in action names—only in resource ARNs—so the policy effectively grants no EC2 Describe permissions.

How to eliminate wrong answers

Option B is wrong because the policy does not specify a region restriction, so it implicitly applies to all regions; the error is not due to region access. Option C is wrong because the application reports it cannot list EC2 instances, not that it cannot publish metrics; missing cloudwatch:PutMetricData would cause a different failure. Option D is wrong because ec2:DescribeTags is not required to list instances; the core permission needed is ec2:DescribeInstances, and the wildcard issue is the root cause.

55
MCQmedium

A company runs a fleet of EC2 instances in a production environment. The instances are part of an Auto Scaling group that uses a launch template with a m5.large instance type. The company's SysOps administrator notices that the instances are often over-provisioned, with average CPU utilization below 20% for the past month. The administrator wants to reduce costs without affecting application performance. The application is stateless and can handle temporary performance degradation. Which action should the administrator take?

A.Purchase Reserved Instances for the current m5.large instances to lower hourly cost.
B.Modify the launch template to use a t3.medium instance type.
C.Enable detailed monitoring on all instances to collect more data.
D.Increase the minimum size of the Auto Scaling group to reduce scale-out events.
AnswerB

Correct: t3.medium is smaller and cheaper, suitable for low average utilization with burst capability.

Why this answer

Option B is correct because switching to a smaller instance type (t3.medium) reduces cost while still providing burstable performance for occasional spikes. Option D (increase the minimum size) would increase cost. Option A (purchase Reserved Instances for the current size) locks in over-provisioned capacity.

Option C (enable detailed monitoring) increases CloudWatch costs without addressing instance size.

56
MCQmedium

A SysOps administrator notices that the monthly bill for Amazon S3 has increased significantly. The company uses S3 for storing application logs and user uploads. The logs are accessed rarely but must be retained for 3 years. User uploads are accessed frequently for the first 30 days, then rarely after. Which S3 lifecycle policy will optimize storage costs?

A.Transition logs to S3 Glacier Deep Archive after 30 days, and transition user uploads to S3 Standard-IA after 30 days, then to Glacier Deep Archive after 90 days.
B.Transition user uploads to S3 Glacier Deep Archive after 30 days, and transition logs to S3 Glacier after 90 days.
C.Move logs to S3 Glacier Deep Archive after 30 days, and delete user uploads after 1 year.
D.Transition logs to S3 Standard-IA after 30 days, and transition user uploads to S3 One Zone-IA after 30 days.
AnswerA

This matches access patterns and retention requirements.

Why this answer

The correct answer is A. This policy transitions objects to cost-effective storage classes based on their access patterns. Option D is wrong because logs should be moved to Glacier Deep Archive for long-term retention; they are rarely accessed but must be retained, so S3 Standard-IA gives insufficient cost savings.

Option B is wrong because user uploads should not be archived immediately; they are accessed frequently at first.

57
MCQmedium

A company uses AWS CodePipeline to automate the deployment of a web application. The pipeline consists of a source stage (AWS CodeCommit) and a deploy stage (AWS CodeDeploy) that deploys to an Auto Scaling group. The SysOps administrator needs to add a stage to run automated unit tests before the deployment proceeds. The tests must be executed in an isolated environment, and if they fail, the pipeline must stop and notify the development team. Which action should the administrator take?

A.Add a manual approval action between the source and deploy stages. The development team will manually run the tests on their local machines and then approve the pipeline to proceed.
B.Insert a test stage after the source stage with an AWS CloudFormation action that deploys a test stack and runs tests using a custom resource Lambda function.
C.Add a stage between source and deploy that uses an AWS CodeBuild action to run unit tests defined in a buildspec file. The pipeline will automatically stop if the build action fails.
D.Add a Lambda function as an action in the pipeline that runs the unit tests. The Lambda function writes the test results to an S3 bucket, and a subsequent approval action checks the results.
AnswerC

CodeBuild is the ideal service for running automated tests in a controlled environment. It integrates natively with CodePipeline: if the CodeBuild build fails, the pipeline transitions to a failed state, stopping further execution and optionally sending notifications via Amazon SNS.

Why this answer

Option C is correct because AWS CodeBuild is natively integrated with CodePipeline to run automated tests defined in a buildspec file. When the build action fails, CodePipeline automatically stops the pipeline execution and can send notifications via Amazon SNS, meeting the requirement for an isolated test environment and automatic failure notification without manual intervention.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing CloudFormation or Lambda, overlooking that CodeBuild is the native, simplest, and most cost-effective service for running automated tests within a CodePipeline.

How to eliminate wrong answers

Option A is wrong because it relies on manual approval and local test execution, which violates the requirement for automated tests in an isolated environment and does not provide automatic pipeline stop on test failure. Option B is wrong because using a CloudFormation action to deploy a test stack and run tests via a custom Lambda function adds unnecessary complexity, cost, and latency; it also does not natively integrate with CodePipeline's failure handling as cleanly as CodeBuild. Option D is wrong because a Lambda function action in CodePipeline cannot directly run unit tests in an isolated environment; it would require custom orchestration, and the subsequent approval action would not automatically stop the pipeline on failure—it would only pause for manual review.

58
Multi-Selecteasy

A SysOps administrator wants to monitor the CPU utilization of an Amazon RDS instance and receive an alert if it exceeds 90% for 5 consecutive minutes. Which TWO AWS services are required to set up this monitoring? (Choose TWO.)

Select 2 answers
A.Amazon Simple Notification Service (SNS)
B.AWS Config
C.Amazon RDS Enhanced Monitoring
D.Amazon CloudWatch Alarms
E.Amazon CloudWatch
AnswersD, E

CloudWatch Alarms can monitor the metric and trigger an alert.

Why this answer

Amazon CloudWatch is the service that collects and stores metrics such as CPU utilization from RDS instances. Amazon CloudWatch Alarms allow you to set a threshold (e.g., CPU > 90%) and evaluate it over a specified period (e.g., 5 consecutive minutes) to trigger an action, such as sending a notification via SNS.

Exam trap

The trap here is that candidates often confuse Enhanced Monitoring (which provides OS-level metrics) with the standard CloudWatch metrics (which already include CPU utilization), leading them to incorrectly select Enhanced Monitoring as a required service.

59
MCQmedium

A SysOps administrator wants to be alerted when an EC2 instance's status check fails. The instance is part of an Auto Scaling group. What is the BEST approach?

A.Use Amazon EventBridge to detect status check failures.
B.Create a CloudWatch alarm on the 'StatusCheckFailed' metric.
C.Enable CloudTrail to monitor EC2 instance status changes.
D.Configure an Auto Scaling lifecycle hook to send a notification.
AnswerB

CloudWatch has built-in metrics for status checks.

Why this answer

Option B is correct because the 'StatusCheckFailed' metric is automatically published by EC2 to CloudWatch, and a CloudWatch alarm on this metric can directly trigger an SNS notification or other action when the status check fails. This is the simplest and most reliable method for alerting on instance health, regardless of whether the instance is in an Auto Scaling group.

Exam trap

The trap here is that candidates often confuse CloudTrail (API logging) with CloudWatch (metrics and alarms), or assume EventBridge is the best choice for all event-driven monitoring, when in fact CloudWatch alarms on the native 'StatusCheckFailed' metric are the simplest and most direct solution for status check alerts.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge can detect status check failures via EC2 instance state change events, but it does not natively capture the 'StatusCheckFailed' metric; it would require custom event patterns and is less direct than using CloudWatch alarms. Option C is wrong because CloudTrail records API calls (e.g., StartInstances, StopInstances), not status check results, so it cannot detect status check failures. Option D is wrong because Auto Scaling lifecycle hooks are designed for custom actions during instance launch or termination, not for monitoring ongoing instance health or status check failures.

60
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. The environment needs to be updated with a new application version. The SysOps administrator wants to minimize downtime during the deployment. Which deployment policy should be used?

A.Rolling based on health
B.Rolling with an additional batch
C.Immutable
D.All at once
AnswerB

Adds extra instances before terminating old ones, minimizing downtime.

Why this answer

Option B is correct because a rolling update with an additional batch launches new instances before terminating old ones, minimizing downtime. Option D is incorrect because all-at-once deployments cause downtime. Option C is incorrect because immutable deployments create a full new set of instances, which also minimizes downtime but is more costly; rolling with an additional batch is more cost-effective.

Option A is incorrect because a rolling update based on health does not add extra instances, so there is a brief period of reduced capacity.

61
MCQeasy

A company is using AWS Lambda functions to process events from Amazon S3. The functions are invoked several thousand times per minute. The SysOps administrator notices that the functions are taking longer to execute during peak times. Which action should the administrator take to improve performance?

A.Increase the Lambda function timeout.
B.Use a larger EC2 instance type for the Lambda functions.
C.Increase the memory allocation for the Lambda functions.
D.Enable provisioned concurrency on the Lambda functions.
AnswerC

More memory provides more CPU, speeding up execution.

Why this answer

Option C is correct because increasing the memory allocation for a Lambda function also increases its CPU allocation proportionally, which can reduce execution time for compute-bound tasks. Option D is wrong because provisioned concurrency is not enabled by default and only pre-initializes execution environments to reduce cold starts; it does not directly improve execution time. Option B is wrong because an EC2 instance type does not apply to Lambda; Lambda abstracts the underlying compute.

Option A is wrong because the Lambda timeout cannot be extended beyond 15 minutes; that is a hard limit.

62
Multi-Selecthard

An organization uses AWS CloudFormation to manage its infrastructure. The SysOps administrator is implementing a change management process that requires all stack updates to be reviewed and approved before execution. The administrator wants to use CloudFormation change sets to preview changes. Which THREE steps are necessary to implement this process? (Choose THREE.)

Select 3 answers
A.Use the 'Detect Drift' feature to compare the stack with the new template.
B.Update the stack directly using the updated template.
C.Review the change set in the CloudFormation console.
D.Execute the change set after approval.
E.Create a change set from the updated template.
AnswersC, D, E

Why this answer

Options C, D, and E are correct. To use change sets, you first create a change set from the updated template (E), review the proposed changes in the CloudFormation console (C), and, after approval, execute the change set (D).

Option B is incorrect because updating the stack directly bypasses the review step; the change set is what provides the preview. Option A is incorrect because Detect Drift compares the stack's deployed resources with its current template; it does not preview what a new template would change. You create a change set from the new template instead.

63
MCQeasy

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot be accessed via SSH from the internet. The security group allows inbound SSH (port 22) from 0.0.0.0/0. The network ACL (NACL) for the subnet has an inbound rule allowing SSH from 0.0.0.0/0. What else could be blocking access?

A.The NACL inbound rule is blocking traffic.
B.The internet gateway is not attached to the VPC.
C.The security group rule is misconfigured.
D.The NACL outbound rule is blocking return traffic.
AnswerD

NACL outbound must allow ephemeral ports for return traffic.

Why this answer

Option D is correct. Because NACLs are stateless, the inbound rule alone is not enough: the subnet's NACL must also have an outbound rule that allows the return traffic (on the ephemeral ports the client uses) back out to the internet.

Option C is wrong because the security group already allows inbound SSH and, being stateful, automatically allows the return traffic. Option A is wrong because the NACL inbound rule already allows SSH. Option B is wrong because the internet gateway allows inbound traffic.

64
Multi-Selectmedium

An organization needs to encrypt data in transit between an Amazon EC2 instance and an Application Load Balancer (ALB). Which THREE actions should be taken?

Select 3 answers
A.Enable encryption at rest on the EC2 instance's EBS volumes.
B.Ensure the EC2 instance has a valid SSL/TLS certificate installed.
C.Configure the security group to allow only encrypted traffic.
D.Configure the ALB listener to use HTTPS protocol.
E.Install an SSL/TLS certificate on the Application Load Balancer.
AnswersB, D, E

Required if ALB forwards traffic over HTTPS to the instance.

Why this answer

Correct options: B, D, and E. Option E is correct because the ALB needs an SSL/TLS certificate to terminate HTTPS from clients. Option D is correct because the ALB listener must use the HTTPS protocol.

Option B is correct because, when the ALB forwards traffic to the instance over HTTPS (decrypting and re-encrypting), the instance itself must present a certificate to complete the TLS handshake. Option C is wrong because security group rules only allow or deny traffic; they do not encrypt it. Option A is wrong because EBS encryption protects data at rest on the volume, not data in transit between the ALB and the instance.

65
MCQeasy

A SysOps administrator reviews the Lambda invocation metrics for a function. The function processes data from an S3 bucket and is triggered by S3 events. The cost for this function is higher than expected. What should the administrator do to reduce costs?

A.Set a reserved concurrency limit to cap the number of concurrent executions.
B.Change the function to be invoked on a schedule instead of by S3 events.
C.Increase the function's memory allocation to reduce execution time.
D.Reduce the function's memory allocation to lower cost per invocation.
AnswerC

Lambda cost is compute time * memory; increasing memory may reduce duration enough to lower total cost.

Why this answer

The correct answer is C. Increasing the memory allocation also increases CPU, which shortens execution time; because Lambda pricing is based on memory multiplied by duration, the shorter duration can lower the total cost.

Option D is wrong because reducing memory increases duration and may increase total cost. Option B is wrong because the function is already triggered by events; changing to scheduled invocation may not meet the requirements. Option A is wrong because a reserved concurrency limit does not reduce the total number of invocations.

66
MCQhard

A company uses Amazon CloudFront to serve content from an S3 bucket. The bucket is configured as an origin with Origin Access Control (OAC). Users report that they can access the content via CloudFront but also directly via the S3 bucket URL. How can the company restrict direct access to the S3 bucket?

A.Disable OAC and use Origin Access Identity (OAI) instead.
B.Use pre-signed URLs for all S3 requests.
C.Remove the bucket policy and rely on ACLs.
D.Update the S3 bucket policy to deny access to any principal other than the CloudFront service.
AnswerD

This ensures only CloudFront can access the bucket, blocking direct S3 URLs.

Why this answer

Option D is correct because an S3 bucket policy that denies access to every principal other than the CloudFront service principal (the principal OAC uses when it signs requests to the bucket) is the standard way to restrict direct access. Option C is wrong because removing the bucket policy would leave access governed by ACLs and could make the bucket public, and OAC itself requires a bucket policy that allows CloudFront. Option B is wrong because pre-signed URLs grant temporary access; they do not block direct access.

Option A is wrong because switching back to OAI does not solve the problem: OAC already governs how CloudFront reaches the bucket, and what is missing is a bucket policy that explicitly denies all other principals.

67
MCQhard

A company runs a web application on EC2 instances in a private subnet. The application needs to connect to an RDS database in a different VPC. The VPCs are peered. The SysOps Administrator is troubleshooting connectivity issues. The RDS security group allows inbound traffic from the EC2 security group, but connections still fail. What could be the issue?

A.The RDS instance does not have public DNS resolution enabled.
B.The network ACL for the private subnet is blocking inbound traffic.
C.The route tables in each VPC do not have routes to the peered VPC CIDR.
D.The security group outbound rules on the EC2 instance are blocking traffic.
AnswerC

Without proper routes, traffic cannot flow across the VPC peering connection.

Why this answer

Option C is correct because a VPC peering connection only carries traffic when each VPC's route table has a route for the peer VPC's CIDR that targets the peering connection; without these routes, the EC2 instance cannot reach the RDS instance. (Peering also does not support transitive routing, so a route through a third VPC would not work either.) Option D is wrong because security groups are stateful, and the RDS security group already allows the EC2 security group. Option B is wrong because, although network ACLs must allow the traffic in both directions, the scenario points to a routing issue.

Option A is wrong because DNS resolution is not needed for direct IP connectivity across the peering connection.

68
MCQeasy

A CloudFormation template launches an EC2 instance with the user data script shown. The instance launches successfully but the web server does not serve PHP pages. What is the MOST likely reason?

A.The script does not install PHP.
B.The script does not have execute permissions.
C.The CloudFormation template is missing a DependsOn clause for the instance.
D.The user data script is not base64 encoded correctly.
AnswerA

PHP is not installed; only Apache is installed.

Why this answer

Option A is correct because the script installs Apache (httpd) but never installs PHP. It writes a PHP file to the web root, but without the PHP package Apache cannot process it. Option D is wrong because the user data is base64 encoded correctly; the instance launched and the script ran.

Option B is wrong because user data runs as root, so file permissions are not the issue. Option C is wrong because the instance launches and the script runs; a missing DependsOn clause is not the problem.

69
MCQhard

A company runs a critical e-commerce application on Amazon ECS with Fargate launch type, fronted by an Application Load Balancer. The application uses an Amazon ElastiCache for Redis cluster for session state and an Amazon RDS for MySQL Multi-AZ database for persistent data. Recently, during a deployment of a new service version, the application became unresponsive for 15 minutes. The SysOps administrator discovered that the deployment updated the task definition with a new environment variable that pointed to an incorrect ElastiCache endpoint. The ECS service was configured with a rolling update, minimum healthy percent of 50%, and maximum percent of 200%. After the deployment, all tasks failed health checks due to a connection timeout to the wrong Redis endpoint. What is the MOST effective way to prevent this issue in future deployments?

A.Configure a CloudWatch alarm that triggers an automatic rollback if the error rate exceeds 10%.
B.Update the ECS service to use a canary deployment by updating one task at a time.
C.Implement a blue/green deployment strategy using AWS CodeDeploy and test the new task definition before shifting traffic.
D.Enable ECS deployment circuit breaker and set the rollback configuration to automatically roll back failed deployments.
AnswerC

Allows pre-production validation.

Why this answer

Option C is correct. A blue/green deployment with AWS CodeDeploy launches the new task set behind a separate target group, where the new task definition can be tested before traffic is shifted. If the new tasks fail their health checks, traffic is never shifted and users are not affected.

Option A is wrong because a CloudWatch alarm alerts on errors but does not by itself prevent the faulty deployment from taking traffic. Option B is wrong because updating one task at a time still puts the misconfigured task definition into service; if the variable is wrong, the rest of the deployment remains at risk. Option D is wrong because the deployment circuit breaker only rolls back after tasks have already failed; it limits impact but does not prevent it.

70
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team needs a centralized view of all API calls made across all accounts. Which solution should the SysOps administrator implement?

A.Use AWS Config aggregator to view configuration changes across accounts.
B.Create a CloudTrail trail in the management account that logs events for all accounts in the organization.
C.Use CloudWatch cross-account dashboards to view metrics from all accounts.
D.Enable CloudTrail in each account and have each account send logs to its own S3 bucket.
AnswerB

Organization trails centralize logging across accounts.

Why this answer

Option B is correct because AWS CloudTrail supports an organization trail that, when created in the management account, automatically logs API calls for all member accounts in the AWS Organization. This provides a centralized, single point of access to all API activity across the organization without needing to configure individual trails per account.

Exam trap

The trap here is that candidates may confuse AWS Config (which tracks configuration changes) with CloudTrail (which tracks API calls), or assume that individual account trails are sufficient for a centralized view, overlooking the simplicity and automatic coverage of an organization trail.

How to eliminate wrong answers

Option A is wrong because AWS Config aggregator provides a centralized view of resource configuration changes and compliance status, not API calls (which are logged by CloudTrail). Option C is wrong because CloudWatch cross-account dashboards aggregate metrics (e.g., CPU utilization, latency), not API call logs. Option D is wrong because sending logs to separate S3 buckets in each account does not provide a centralized view; it requires aggregating logs manually or using additional services like S3 replication or Athena, which is less efficient than an organization trail.

71
MCQmedium

A SysOps administrator is troubleshooting an EC2 instance that is unresponsive. The administrator can SSH into the instance but finds that the CloudWatch agent is not sending custom metrics. The CloudWatch agent configuration file is at '/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json'. What should the administrator check first?

A.Verify that the IAM role attached to the EC2 instance has the CloudWatchAgentServerPolicy.
B.Ensure that the IAM user has permissions to access CloudWatch.
C.Check if the security group allows outbound traffic on port 443.
D.Run 'sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status' to check the agent status.
AnswerA

The IAM role must have permissions to put metrics.

Why this answer

The correct first check is to verify the IAM role attached to the EC2 instance has the CloudWatchAgentServerPolicy. The CloudWatch agent uses the instance's IAM role to obtain credentials for publishing metrics to CloudWatch. Without this policy, the agent will fail to send custom metrics even if it is running correctly and the instance has network connectivity.

Exam trap

The trap here is that candidates often jump to checking network connectivity (security group rules) or agent status first, overlooking that the IAM role permission is the most common root cause for a CloudWatch agent that is installed and running but not sending metrics.

How to eliminate wrong answers

Option B is wrong because the IAM user's permissions are irrelevant; the EC2 instance uses an IAM role, not a user, to access CloudWatch. Option C is wrong because, although the agent does need outbound HTTPS (port 443) to reach the CloudWatch endpoints, the most common cause of failure is missing IAM permissions rather than network connectivity, especially when SSH to the instance works. Option D is wrong because checking the agent status is a valid troubleshooting step, but the question asks what to check first; verifying IAM permissions is the more fundamental prerequisite before investigating agent runtime issues.

72
MCQhard

A company runs a critical application on an EC2 instance that stores data on an EBS volume. The SysOps administrator needs to implement a backup strategy that provides the ability to restore the volume to a specific point in time within the last 24 hours, with a recovery time objective (RTO) of less than 15 minutes. Which solution meets these requirements?

A.Configure a RAID 1 mirror of the EBS volume across two Availability Zones.
B.Enable automated backups on the EC2 instance.
C.Use AWS Backup to create backup plans for the EBS volume.
D.Schedule EBS snapshots every hour and keep them for 24 hours.
AnswerD

EBS snapshots provide point-in-time recovery and can be restored to a new volume quickly, meeting the RTO.

Why this answer

Option D is correct because EBS snapshots are point-in-time backups; an hourly snapshot schedule retained for 24 hours provides the required restore points, and a new volume can be created from a snapshot and attached to the instance within minutes, meeting the RTO. Option B is wrong because automated backups are not available for EBS volumes. Option C is wrong because AWS Backup can schedule EBS snapshots but adds no RTO advantage; the snapshots still need to be restored to a volume.

Option A is wrong because RAID 1 mirrors data in real time but does not provide point-in-time recovery.

73
MCQmedium

A SysOps administrator needs to monitor the CPU utilization of an Amazon EC2 instance and receive an email notification when the metric exceeds 90% for 5 consecutive minutes. The solution should use the least operational overhead. Which combination of AWS services should be used?

A.Create a CloudWatch alarm on the CPUUtilization metric and configure the alarm to send a notification to an Amazon SNS topic with email subscriptions.
B.Create an Amazon EventBridge rule that triggers an AWS Lambda function to check the CPUUtilization metric and send an email via Amazon SES.
C.Configure the EC2 instance to publish CPU logs to Amazon CloudWatch Logs, then create a metric filter to detect high CPU and trigger an SNS notification.
D.Use AWS CloudTrail to monitor EC2 CPU metrics and send notifications to an Amazon SQS queue.
AnswerA

This is the simplest approach. CloudWatch natively monitors EC2 metrics and can trigger SNS notifications without any custom code.

Why this answer

Option A is correct because a CloudWatch alarm directly monitors the CPUUtilization metric for an EC2 instance and can be configured to evaluate whether the metric exceeds 90% for 5 consecutive minutes (e.g., 5 evaluation periods of 1 minute each). The alarm then publishes to an Amazon SNS topic, which sends email notifications to subscribed endpoints, requiring no additional infrastructure or code, thus minimizing operational overhead.

Exam trap

The trap here is that candidates may overcomplicate the solution by introducing Lambda or log-based filters, when the simplest and most direct path—a CloudWatch alarm on the existing CPUUtilization metric with an SNS action—is the correct answer for minimal operational overhead.

How to eliminate wrong answers

Option B is wrong because it introduces unnecessary complexity by using an EventBridge rule and a Lambda function to poll or process metrics, which increases operational overhead and latency compared to a native CloudWatch alarm. Option C is wrong because publishing CPU logs to CloudWatch Logs and creating a metric filter is designed for log-based metrics (e.g., parsing log entries), not for the native CPUUtilization metric, which is already available as a CloudWatch metric without logs. Option D is wrong because AWS CloudTrail records API calls and management events, not EC2 CPU utilization metrics, and cannot monitor or trigger notifications based on performance metrics.

74
MCQmedium

A company has a web application running on EC2 instances behind an Application Load Balancer. The application experiences latency spikes during peak hours. Amazon CloudWatch metrics show that CPU and memory are not fully utilized. The SysOps administrator suspects the bottleneck is the database. The database is an RDS for MySQL instance. Which action should the administrator take to improve performance without over-provisioning?

A.Add a Read Replica to offload read queries.
B.Convert the RDS instance to a Multi-AZ deployment.
C.Enable RDS Performance Insights to analyze database load and identify slow queries.
D.Increase the RDS instance size to the next tier.
AnswerC

Performance Insights provides visibility into database performance.

Why this answer

The correct answer is C. RDS Performance Insights visualizes database load and identifies the bottlenecks behind it (e.g., slow queries, locks), so the administrator can fix the root cause rather than adding capacity. Option D is wrong because increasing the instance size over-provisions and may not address the root cause.

Option B is wrong because Multi-AZ improves availability, not performance. Option A is wrong because a Read Replica helps only with read traffic, not if the bottleneck is writes or locking.

75
MCQhard

An organization has a requirement to automatically scale its web application based on a custom metric that measures the number of active user sessions stored in Amazon ElastiCache. The metric is published to CloudWatch every minute. The Auto Scaling group currently uses a simple scaling policy based on CPU utilization. What is the most effective way to implement scaling based on this custom metric?

A.Create a target tracking scaling policy that uses the custom metric as a target.
B.Create a step scaling policy that adjusts capacity based on the magnitude of the metric breach.
C.Create a scheduled scaling policy that increases capacity during peak hours.
D.Create a simple scaling policy that adds instances when the custom metric exceeds a threshold and removes when below.
AnswerA

Target tracking scaling policies can use custom metrics and automatically adjust capacity to maintain a target value.

Why this answer

Option A is correct. A target tracking scaling policy can use a custom CloudWatch metric and automatically adjusts capacity to keep the metric at the target value, which simplifies management. Option D (simple scaling) would require manually chosen thresholds and is less responsive.

Option B (step scaling) is possible but more complex to configure. Option C (scheduled scaling) is not appropriate for demand that changes dynamically.
