AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 676-750

1546 questions total · 21 pages · All types, answers revealed

Page 10 of 21
676
MCQ · medium

A company wants to ensure that all IAM user changes are logged and that an alert is sent when a new IAM user is created. Which services should be used together to achieve this? (Select THREE.)

A. Amazon CloudWatch Logs
B. AWS Config
C. Amazon CloudWatch Alarms
D. Amazon S3
E. AWS CloudTrail
Answer: A, C, E

CloudTrail logs can be streamed to CloudWatch Logs.

Why this answer

Amazon CloudWatch Logs is correct because it can receive and store log events from AWS CloudTrail, which records all IAM user changes including user creation. By sending CloudTrail logs to CloudWatch Logs, you can then create metric filters to detect specific API calls like 'CreateUser' and trigger CloudWatch Alarms to send notifications via SNS.

Exam trap

The trap here is that candidates often select AWS Config thinking it monitors API activity, but Config is designed for compliance and configuration auditing, not for real-time event logging and alerting on specific API calls.

How to eliminate wrong answers

Option B is wrong because AWS Config is a service for evaluating resource configurations against desired policies (e.g., checking if IAM users have MFA enabled), not for logging real-time API events or triggering alerts on user creation. Option D is wrong because Amazon S3 is an object storage service that can store CloudTrail logs but cannot natively filter logs or trigger alarms based on specific API events; it lacks the real-time monitoring and alerting capabilities needed for this use case.

677
Multi-Select · medium

A company is using AWS CodeDeploy to deploy a new version of an application to a fleet of EC2 instances. The deployment is configured with a Blue/Green deployment type. During the deployment, the new instances pass all health checks, but the old instances are not being terminated automatically. The SysOps Administrator needs to ensure that the old instances are terminated after a successful deployment. Which TWO actions should the administrator take? (Choose TWO.)

Select 2 answers
A. Configure the Blue/Green deployment settings to automatically terminate the original instances after a specified wait time.
B. Register the old instances to a new load balancer.
C. Configure the deployment group to use the original load balancer for the Blue/Green deployment.
D. Change the deployment configuration to AllAtOnce.
E. Modify the deployment group to not use a load balancer.
Answers: A, C

The "terminate the original instances" setting on the deployment group is what removes the blue fleet after traffic has moved.

Why this answer

Options A and C are correct. In an EC2 blue/green deployment, CodeDeploy reroutes traffic by registering the replacement (green) instances with the load balancer the deployment group already uses, so the deployment group must be configured with the original load balancer. Once the green instances are registered and healthy, the original (blue) instances are deregistered from that load balancer and, only if the deployment group's blue/green settings say to terminate the original instances, are terminated after the configured wait time. Without that setting the old instances keep running, which is the symptom described. Option B (registering the old instances to a new load balancer) is backwards: it is the green fleet that gets registered, and the old fleet should be leaving the load balancer, not joining another.

Option D (changing the deployment configuration to AllAtOnce) only controls how many instances receive traffic at a time; it does not affect termination. Option E (removing the load balancer from the deployment group) is not possible for an EC2 blue/green deployment, which requires a load balancer to reroute traffic.

678
MCQ · medium

A SysOps administrator manages a fleet of Amazon EC2 instances. The administrator needs to identify underutilized instances and receive recommendations for instance type changes to reduce costs. Which AWS service should be used to provide these rightsizing recommendations?

A. AWS Cost Explorer
B. AWS Trusted Advisor
C. AWS Compute Optimizer
D. Amazon CloudWatch Dashboard
Answer: C

AWS Compute Optimizer uses machine learning to analyze historical utilization and provides actionable recommendations to right-size EC2 instances, Auto Scaling groups, and other resources, helping to reduce costs and improve performance.

Why this answer

AWS Compute Optimizer is the correct service because it uses machine learning to analyze historical utilization metrics (CPU, memory, network, and storage) of EC2 instances and generates rightsizing recommendations, including instance type changes, to reduce costs and improve performance. It directly addresses the need to identify underutilized instances and provide actionable recommendations for cost optimization.

Exam trap

The trap here is that candidates often confuse AWS Compute Optimizer with AWS Trusted Advisor, because both offer cost optimization checks, but Compute Optimizer is the only service that provides detailed, ML-driven rightsizing recommendations for EC2 instance types based on historical utilization data.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides cost and usage data visualization and forecasting, but it does not analyze instance utilization metrics or generate specific rightsizing recommendations for EC2 instance types. Option B is wrong because AWS Trusted Advisor offers general best-practice checks, including cost optimization, but its EC2-specific recommendations are limited to idle instances and reserved instance utilization, not detailed rightsizing recommendations based on historical utilization patterns. Option D is wrong because Amazon CloudWatch Dashboard is a monitoring and visualization tool for metrics and logs, but it does not automatically analyze utilization data to produce instance type change recommendations; it requires manual setup and interpretation.

679
MCQ · medium

A company runs a web application on EC2 instances behind an ALB. They want to optimize costs for variable traffic patterns while maintaining high availability. Which solution is MOST cost-effective?

A. Use Dedicated Hosts to run the application and share resources across multiple accounts.
B. Use a mix of On-Demand and Spot Instances in an Auto Scaling group with a target tracking scaling policy.
C. Purchase Reserved Instances for the expected baseline capacity and use On-Demand for spikes.
D. Use only On-Demand EC2 Instances with an Auto Scaling group to handle variable traffic.
Answer: B

Spot Instances provide cost savings for fault-tolerant workloads, and Auto Scaling adjusts capacity dynamically.

Why this answer

Option B is correct because an Auto Scaling group with a mixed-instances policy keeps a base of On-Demand Instances and fills the variable portion with Spot Instances, while target tracking adjusts capacity to demand. The ALB and a multi-AZ Auto Scaling group keep the application available when Spot capacity is reclaimed, provided the On-Demand base is sized to carry the minimum load. Option A is wrong because Dedicated Hosts are the most expensive purchasing option and exist for licensing or compliance reasons, not cost optimization. Option C is wrong because Reserved Instances require a 1- or 3-year commitment for the baseline and still pay On-Demand rates for the spikes, which costs more than using Spot for the elastic portion.

Option D is wrong because an On-Demand-only fleet is more expensive than one that uses Spot for the variable portion.

680
MCQ · medium

An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The company security policy requires that credentials are not stored on the instance. What is the most secure way to grant access?

A. Create an IAM role with S3 access permissions and attach it to the EC2 instance profile.
B. Generate an access key and secret key for an IAM user, then store them in a configuration file on the instance.
C. Create an S3 bucket policy that allows access from the instance's public IP address.
D. Define the access keys as environment variables in the user data script when launching the instance.
Answer: A

Uses temporary credentials via instance metadata, no long-term credentials stored.

Why this answer

Option A is correct because an IAM role attached through the instance profile supplies short-lived credentials to the application from the instance metadata service (IMDS); nothing long-lived is written to the instance and the credentials rotate automatically. The SDKs pick them up from IMDS without any configuration. As a hardening step, require IMDSv2 (session tokens) on the instance so that a web-application SSRF bug cannot fetch the role credentials with a plain GET. Option B is wrong because an access key in a configuration file is exactly the stored long-term credential the policy prohibits. Option D is wrong because user data is not secret: it can be read from the instance metadata service by any process on the instance and through the EC2 API, so keys placed there are exposed.

Option C is wrong because a bucket policy keyed on a public IP address admits anything behind that address, not just this instance, and the request must still be signed with AWS credentials; the instance needs a role or user credentials regardless.

681
MCQ · easy

A SysOps administrator needs to deploy a CloudFormation stack across multiple AWS accounts in an organization using AWS Organizations. The administrator wants to use a single template and a single deployment operation. Which AWS service should be used to centrally manage the deployment?

A. AWS Systems Manager
B. AWS OpsWorks Stacks
C. AWS CodePipeline
D. AWS CloudFormation StackSets
Answer: D

StackSets enable cross-account, cross-region deployments.

Why this answer

Option D is correct because CloudFormation StackSets deploy one template to multiple accounts and Regions in a single operation; with service-managed permissions and AWS Organizations, target accounts are selected by organizational unit and new accounts added to the OU can be deployed to automatically. Option A is incorrect because Systems Manager is for operational management, not cross-account stack deployment. Option B is incorrect because OpsWorks Stacks is a Chef-based configuration management service.

Option C is incorrect because CodePipeline orchestrates CI/CD pipelines; it can invoke CloudFormation as an action, but it is not itself the cross-account deployment mechanism.

682
MCQ · easy

A company runs a web application on EC2 instances behind an Application Load Balancer. The application experiences variable traffic patterns. What is the MOST cost-effective way to ensure the application scales based on demand?

A. Provision a fixed number of EC2 instances that can handle peak load at all times.
B. Use EC2 Auto Scaling with a scheduled scaling policy that adds instances during business hours.
C. Use EC2 Auto Scaling with a target tracking scaling policy based on average CPU utilization.
D. Use EC2 Auto Scaling with a manual scaling plan that requires an administrator to adjust the desired capacity.
Answer: C

Target tracking automatically adjusts capacity to maintain a target metric, scaling cost-effectively.

Why this answer

Option C is correct because a target tracking scaling policy adds and removes instances automatically to keep a CloudWatch metric (here, average CPU utilization) at the target value, so capacity follows actual demand without manual intervention or a fixed timetable. Option A is wrong because provisioning for peak load over-provisions for most of the day. Option B is wrong because scheduled scaling follows a predetermined schedule and does not react to traffic that varies unpredictably.

Option D is wrong because manual scaling is not automated and depends on an administrator noticing load changes.

683
MCQ · easy

An organization needs to back up an Amazon EFS file system daily and retain backups for 30 days. Which AWS service provides a managed backup solution for EFS?

A. AWS Backup
B. Amazon Data Lifecycle Manager (DLM)
C. EFS replication to another region
D. S3 Lifecycle policies
Answer: A

AWS Backup supports EFS with scheduling and retention.

Why this answer

The correct answer is A. AWS Backup is a fully managed backup service that supports EFS and can run a daily backup plan with a 30-day retention rule. Option D is wrong because S3 Lifecycle policies manage object lifecycle in S3, not EFS backups.

Option B is wrong because Data Lifecycle Manager automates EBS snapshots and AMIs, not EFS backups. Option C is wrong because EFS replication continuously replicates the file system for disaster recovery; it is not a scheduled backup with retention, and it would faithfully replicate an accidental deletion as well.

684
MCQ · medium

A company has an on-premises data center connected to AWS via an AWS Direct Connect private virtual interface (VIF). The SysOps administrator needs to ensure that all traffic between the on-premises network and Amazon S3 in the same AWS Region stays within the AWS network and does not traverse the internet. Which solution should the administrator implement?

A. Use a Direct Connect gateway and a public VIF with a route to S3 prefix lists
B. Use a Direct Connect gateway and a private VIF with VPC endpoints for S3
C. Use a VPN connection over Direct Connect to access S3
D. Use a Transit Gateway with a private VIF and route S3 traffic through a NAT instance
Answer: B

Keeping on-premises S3 traffic off the internet needs two things: a path that stays on Direct Connect, and a private entry point for S3. A private VIF carries the traffic into the VPC over Direct Connect, and an S3 VPC endpoint gives S3 a private destination reachable over that path.

Why this answer

Option B is correct because the private VIF (attached through a Direct Connect gateway) carries traffic from on-premises into the VPC over the Direct Connect link, and an S3 VPC endpoint gives S3 a private address inside the VPC, so the request never leaves the AWS network. One caveat a practitioner should know: a gateway endpoint for S3 only serves traffic that originates inside the VPC, so the endpoint that serves on-premises clients over Direct Connect must be an interface endpoint (PrivateLink), with on-premises DNS resolving the bucket or endpoint names to the endpoint's private IP addresses.

Exam trap

The trap here is that candidates often assume a public VIF is required for any AWS service access. A public VIF does reach S3's public endpoints over Direct Connect rather than the internet, but it is not used with a Direct Connect gateway, and the private-VIF-plus-endpoint design keeps S3 access inside the VPC where it can be governed by endpoint policies and security groups.

How to eliminate wrong answers

Option A is wrong because a Direct Connect gateway is associated with private and transit VIFs, not public VIFs, so the combination as described cannot be built. (A public VIF on its own does carry traffic to S3's public endpoints over the Direct Connect link rather than the internet, but it advertises the whole public AWS address range to the on-premises network and offers no endpoint policy.) Option C is wrong because a VPN over Direct Connect runs over a public VIF to a virtual private gateway or transit gateway; it adds encryption and complexity but is not what keeps S3 traffic private, and it would still need a private S3 entry point. Option D is wrong because a NAT instance reaches S3 through an internet gateway, so S3 traffic would traverse the internet, which violates the requirement.

685
MCQ · medium

A company runs a REST API on Amazon EC2 instances behind an Application Load Balancer. The SysOps administrator needs to monitor the API endpoint from multiple geographic locations and receive an alarm if the p90 latency exceeds 2 seconds for two consecutive checks. The solution must use AWS managed services and not require custom code running on EC2. Which approach should the administrator use?

A. Set up Amazon CloudWatch Synthetics canaries to run from multiple AWS Regions and publish custom metrics. Create a CloudWatch alarm on the p90 latency metric.
B. Configure VPC Flow Logs on the Application Load Balancer and use Amazon CloudWatch Logs Insights to query for high-latency requests.
C. Enable Amazon CloudWatch RUM (Real User Monitoring) on the client side and create a CloudWatch alarm on the Duration metric.
D. Use AWS CloudTrail to log API calls and set a CloudWatch alarm on the event count for errors.
Answer: A

CloudWatch Synthetics canaries execute scripts in AWS-managed Lambda functions across Regions, measuring latency and success. They publish metrics to CloudWatch, and an alarm can be created on a percentile statistic such as p90.

Why this answer

Amazon CloudWatch Synthetics canaries are AWS-managed scripts (Node.js or Python) that run on a schedule in Lambda to probe an endpoint, emitting metrics such as Duration and SuccessPercent to CloudWatch. Run the same canary from several Regions, then create a CloudWatch alarm on the latency metric using the p90 statistic with a 2-second threshold, two evaluation periods and two datapoints to alarm, so it fires only after two consecutive checks exceed 2 seconds. This meets all requirements without custom code on EC2.

Exam trap

The trap here is that candidates may confuse VPC Flow Logs or CloudTrail with application-layer monitoring, but neither provides request-level latency metrics; CloudWatch Synthetics is the only AWS-managed service that can synthetically test an HTTP endpoint from multiple geographic locations and publish percentile latency metrics without custom EC2 code.

How to eliminate wrong answers

Option B is wrong because VPC Flow Logs capture network-level metadata (IPs, ports, protocols) but do not measure application-layer latency like p90; they cannot be used to query for request duration or percentile latencies. Option C is wrong because Amazon CloudWatch RUM collects client-side performance data from actual user browsers, which introduces variability from network conditions and device performance, and it requires client-side JavaScript injection, not a pure AWS-managed service for synthetic monitoring from multiple geographic locations. Option D is wrong because AWS CloudTrail logs API calls to the AWS management plane (e.g., EC2 API calls), not the application-layer REST API requests; it cannot measure p90 latency or trigger alarms on performance metrics.

686
MCQ · medium

A company uses AWS CloudTrail to record all API activity. The SysOps administrator needs to be alerted in real time when an IAM user creates a new access key. Which combination of AWS services should be used to create this alert?

A. CloudTrail + Amazon S3 + Amazon SNS
B. CloudTrail + Amazon CloudWatch Logs + Amazon SNS
C. CloudTrail + AWS Config + Amazon SNS
D. CloudTrail + Amazon EventBridge + Amazon SNS
Answer: D

EventBridge can directly consume CloudTrail events and apply rules to match specific API actions, triggering SNS notifications with low latency.

Why this answer

Option D is correct because Amazon EventBridge can directly consume CloudTrail events in real time and trigger an SNS notification when an IAM user creates a new access key. EventBridge provides a serverless event bus that matches specific API calls (e.g., CreateAccessKey) using event patterns, enabling immediate alerting without additional polling or log processing.

Exam trap

The trap here is that candidates often assume CloudWatch Logs is required for any CloudTrail-based alerting, but EventBridge provides a simpler, lower-latency, and more direct integration for real-time API event monitoring.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs to Amazon S3 are delivered in batches (typically every 5 minutes), not in real time, so S3 events cannot trigger immediate alerts for access key creation. Option B is wrong because CloudTrail integration with CloudWatch Logs introduces latency (up to several minutes) and requires additional metric filters and alarms, which is not the most direct real-time approach. Option C is wrong because AWS Config is designed for resource configuration tracking and compliance evaluation, not for real-time API event alerting; it evaluates rules periodically or on configuration changes, not instantaneously for every API call.
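The rule that both question 676 (CreateUser) and question 686 (CreateAccessKey) describe is an EventBridge event pattern over CloudTrail management events. The following is an added example, not code from the exam page: it implements the subset of EventBridge pattern semantics such a rule needs (exact-value lists, nested objects, missing keys never match) and runs it over constructed sample events in the shape of an "AWS API Call via CloudTrail" event. The account ID, ARNs, IP addresses and user names are placeholders.

```python
"""Match CloudTrail management events the way an EventBridge rule would.

Added example (not from the exam page). Supports the pattern subset an
eventName rule needs: every pattern key must exist in the event, a list means
"the event value must equal one of these", and a nested dict is matched
recursively. Sample events are constructed and use placeholder identifiers.
"""
from __future__ import annotations

from typing import Any

# Exactly the JSON you would enter as the EventBridge rule's event pattern.
IAM_CREDENTIAL_RULE: dict[str, Any] = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser", "CreateAccessKey"],
    },
}


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """Return True when `event` satisfies every key of `pattern`.

    Keys absent from the event never match, mirroring EventBridge. Prefix,
    anything-but and numeric matchers are not implemented; an eventName rule
    does not need them.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise TypeError(f"pattern value for {key!r} must be a list or a dict")
    return True


def alerts_for(events: list[dict[str, Any]],
               pattern: dict[str, Any] = IAM_CREDENTIAL_RULE) -> list[str]:
    """Return one notification line per matching event (the SNS message body)."""
    lines = []
    for ev in events:
        if not matches(pattern, ev):
            continue
        d = ev["detail"]
        actor = d.get("userIdentity", {}).get("arn", "<unknown>")
        # requestParameters is null for calls that take no parameters.
        target = (d.get("requestParameters") or {}).get("userName", "<none>")
        lines.append(f"{d['eventName']} by {actor} on user {target} "
                     f"from {d.get('sourceIPAddress', '<unknown>')}")
    return lines


def _api_call(source: str, event_source: str, event_name: str, actor_arn: str,
              ip: str, params: dict[str, Any] | None) -> dict[str, Any]:
    """Build a constructed CloudTrail-via-EventBridge event (sample data only)."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "account": "111122223333",
        "time": "2024-06-30T10:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "arn": actor_arn},
            "eventTime": "2024-06-30T10:00:00Z",
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "sourceIPAddress": ip,
            "requestParameters": params,
        },
    }


ADMIN = "arn:aws:iam::111122223333:user/admin"  # placeholder actor
SAMPLE_EVENTS = [
    _api_call("aws.iam", "iam.amazonaws.com", "CreateUser", ADMIN, "203.0.113.10",
              {"userName": "svc-deploy"}),
    _api_call("aws.iam", "iam.amazonaws.com", "ListUsers", ADMIN, "203.0.113.10", None),
    _api_call("aws.iam", "iam.amazonaws.com", "CreateAccessKey", ADMIN, "203.0.113.10",
              {"userName": "svc-deploy"}),
    # A different service never trips the rule, even with a matching structure.
    _api_call("aws.s3", "s3.amazonaws.com", "PutObject", ADMIN, "203.0.113.10",
              {"bucketName": "example-bucket"}),
]

if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print(line)
```

In the console, IAM_CREDENTIAL_RULE is the event pattern of the rule and the SNS topic is its target; because IAM is a global service its CloudTrail events are delivered in us-east-1, so the rule belongs there. The CloudWatch Logs route from question 676 expresses the same condition as a metric filter pattern, `{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateUser") }`, with an alarm on the resulting metric.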

687
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The environment is configured with a load balancer and an Auto Scaling group. Recently, the development team updated the application code and deployed it via Elastic Beanstalk. After the deployment, users report intermittent 503 errors. The SysOps administrator checks the environment health and sees that it is 'Severe' with many instances being replaced. The administrator notices that the new instances are being launched with the old application version. The deployment was a rolling update with a batch size of 1. What is the MOST likely cause of the issue?

A. The deployment failed health checks on the first instance and rolled back, replacing all instances with the old version.
B. The load balancer is configured with sticky sessions, causing requests to go to outdated instances.
C. The Elastic Beanstalk environment URL was changed during the deployment.
D. The health check URL was not updated to reflect the new application version.
Answer: A

Why this answer

Option A is correct because in a rolling deployment with a batch size of 1, instances are updated one at a time. If the first batch fails its health checks, Elastic Beanstalk rolls the deployment back, and the instances it replaces come back running the previous application version. That explains both the "Severe" health status with instances being replaced and the intermittent 503 errors while instances are swapped behind the load balancer.

Option B is incorrect because sticky sessions affect which instance a client is routed to, not which application version an instance runs. Option C is incorrect because the environment URL does not change during a deployment. Option D is incorrect because the health check URL is not changed by a deployment.

688
Multi-Select · easy

Which TWO measures help protect an AWS account root user? (Choose two.)

Select 2 answers
A. Use the root user regularly for administrative tasks.
B. Create an access key for the root user for programmatic access.
C. Grant other IAM users full administrator access.
D. Use a strong, complex password for the root user.
E. Enable multi-factor authentication (MFA) for the root user.
Answers: D, E

A strong password reduces the risk of unauthorized access, and MFA stops a stolen password from being enough on its own.

Why this answer

Options D and E are correct. Enabling MFA (preferably a hardware key) and using a strong, unique password are the baseline protections for the root user, which should then be reserved for the few tasks that genuinely require it. Option B is wrong because a root access key is a long-lived credential with unrestricted power and should not exist; if one does, delete it. Option A is wrong because routine use of root increases exposure of the most privileged credential in the account; day-to-day administration belongs to IAM identities.

Option C is wrong because handing full administrator access to other IAM users widens the blast radius rather than protecting root; delegation should follow least privilege.

689
MCQ · hard

A SysOps administrator is investigating a security breach. An IAM user 'Bob' is suspected of performing unauthorized actions. The administrator needs to determine the source IP addresses from which Bob's access keys were used in the last 30 days. Which AWS service or feature should be used?

A. AWS CloudTrail event history.
B. VPC Flow Logs.
C. Amazon CloudWatch Logs.
D. AWS IAM credential report.
Answer: A

CloudTrail records API calls with source IP.

Why this answer

AWS CloudTrail event history provides a record of management API calls made by IAM users, including the source IP address from which each request originated and the access key ID used. By filtering the event history on the user name "Bob" and the last 30 days, the administrator can list every source IP associated with Bob's access keys. Event history covers the last 90 days of management events, which includes the 30-day window; for a longer window, or for data events such as S3 object reads, query the trail's log files in S3 instead.

Exam trap

The trap here is that candidates may confuse the IAM credential report (which shows credential metadata) with CloudTrail (which records actual API call details), leading them to choose the credential report for investigating source IPs when it only provides static credential status, not historical usage data.

How to eliminate wrong answers

Option B is wrong because VPC Flow Logs capture network traffic at the IP level (source/destination IPs, ports, protocols) but do not log IAM user identity or access key usage; they are used for analyzing network traffic patterns, not for tracking API calls by specific IAM users. Option C is wrong because Amazon CloudWatch Logs can store log data from various sources (e.g., application logs, system logs) but does not natively capture IAM user API call details or source IPs unless custom logging is configured; it is not the primary service for auditing IAM user activity. Option D is wrong because AWS IAM credential report provides information about the status of IAM user credentials (e.g., password last used, access key age, rotation status) but does not include source IP addresses or a history of API calls; it is used for credential auditing, not for investigating specific actions or source IPs.
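The investigation in the question reduces to grouping Bob's CloudTrail records by access key and source IP inside a 30-day window. The following is an added example, not code from the exam page: it processes records in the JSON shape a trail delivers to S3 (the objects in the "Records" array) and reports each key/IP pair with its first and last use and the API calls seen. The records, user names, key IDs and IP addresses are constructed placeholders.

```python
"""Summarise the source IPs behind one IAM user's API calls.

Added example (not from the exam page). Works over CloudTrail records as a
trail writes them to S3; the records below are constructed placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def source_ips_for_user(records: list[dict[str, Any]], user_name: str,
                        now: datetime, days: int = 30) -> dict[tuple[str, str], dict[str, Any]]:
    """Return {(accessKeyId, sourceIP): {"count", "first", "last", "events"}}.

    Only IAMUser identities are considered. Calls the user made through an
    assumed role carry the role in userIdentity and must be traced separately
    from the AssumeRole event.
    """
    since = now - timedelta(days=days)
    summary: dict[tuple[str, str], dict[str, Any]] = {}
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") != user_name:
            continue
        when = _ts(rec["eventTime"])
        if when < since or when > now:
            continue
        # Console sign-ins carry no access key; label them so they stay visible.
        key = (ident.get("accessKeyId", "<console>"), rec.get("sourceIPAddress", "<unknown>"))
        entry = summary.setdefault(key, {"count": 0, "first": when, "last": when, "events": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["events"].add(rec["eventName"])
    return summary


def report(records: list[dict[str, Any]], user_name: str,
           now: datetime, days: int = 30) -> list[str]:
    """One line per (key, IP), most recent activity first."""
    rows = source_ips_for_user(records, user_name, now, days)
    lines = []
    for (key_id, ip), e in sorted(rows.items(), key=lambda kv: kv[1]["last"], reverse=True):
        lines.append(f"{key_id} {ip} calls={e['count']} "
                     f"first={e['first']:%Y-%m-%d} last={e['last']:%Y-%m-%d} "
                     f"events={','.join(sorted(e['events']))}")
    return lines


def _record(user: str, key_id: str, ip: str, event_time: str, event_name: str) -> dict[str, Any]:
    """Constructed CloudTrail record (placeholder account, keys and IPs)."""
    return {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key_id,
                         "arn": f"arn:aws:iam::111122223333:user/{user}"},
        "eventTime": event_time,
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
    }


NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    _record("Bob", "AKIAEXAMPLEKEY000001", "203.0.113.10", "2024-06-01T08:00:00Z", "ListBuckets"),
    _record("Bob", "AKIAEXAMPLEKEY000001", "203.0.113.10", "2024-06-15T09:30:00Z", "GetObject"),
    # Same key from an unfamiliar IP doing a privileged write: the finding to look for.
    _record("Bob", "AKIAEXAMPLEKEY000001", "198.51.100.7", "2024-06-29T23:10:00Z", "PutBucketPolicy"),
    _record("Bob", "AKIAEXAMPLEKEY000002", "198.51.100.7", "2024-06-29T23:12:00Z", "GetObject"),
    _record("Bob", "AKIAEXAMPLEKEY000001", "192.0.2.9", "2024-05-10T10:00:00Z", "GetObject"),  # outside window
    _record("Alice", "AKIAEXAMPLEKEY000009", "203.0.113.10", "2024-06-20T10:00:00Z", "GetObject"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS, "Bob", NOW):
        print(line)
```

The same records can be pulled from event history with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=Bob --start-time <iso> --end-time <iso>`; each returned event carries the record JSON in its CloudTrailEvent field. A key seen from a new IP alongside a policy-changing call is the pattern that justifies deactivating the key before the investigation is finished.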

690
MCQ · medium

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The administrator wants to ensure that the DB instance is not deleted when the stack is deleted. Which property should the administrator set in the CloudFormation template?

A. DeletionPolicy: Delete
B. DeletionPolicy: Snapshot
C. DeletionPolicy: Replace
D. DeletionPolicy: Retain
Answer: D

This retains the DB instance even after stack deletion.

Why this answer

The DeletionPolicy attribute with the value Retain keeps the resource when the stack is deleted, so Option D is correct: CloudFormation drops the DB instance from the stack but leaves it running, and it must be deleted by hand later. Option B is wrong because Snapshot takes a final DB snapshot and then deletes the instance.

Option A is wrong because Delete is the default behavior and removes the instance. Option C is wrong because Replace is not a valid DeletionPolicy value. A setting worth pairing with it is UpdateReplacePolicy, which decides what happens to the old instance when a stack update forces the resource to be replaced; without it, the replaced instance is deleted even though DeletionPolicy is Retain.
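A practitioner would rather catch a missing DeletionPolicy before the stack exists than after a delete-stack call. The following is an added example, not code from the exam page: a small check that walks a CloudFormation template (loaded as a dict, for example from its JSON form) and flags data-bearing resources whose DeletionPolicy or UpdateReplacePolicy would let CloudFormation destroy the data. The two templates, the resource names and the list of resource types covered are constructed for the example.

```python
"""Flag stateful CloudFormation resources that a stack delete would destroy.

Added example (not from the exam page). Templates are plain dicts; the set of
resource types checked is a constructed starting point, not an AWS list.
"""
from __future__ import annotations

from typing import Any

# Policies that keep data, per resource type. Snapshot is only valid for
# types CloudFormation can snapshot (RDS instances and clusters, EBS
# volumes, among others); Retain is valid for every type.
BASE_SAFE: dict[str, set[str]] = {
    "AWS::RDS::DBInstance": {"Retain", "Snapshot"},
    "AWS::RDS::DBCluster": {"Retain", "Snapshot"},
    "AWS::EC2::Volume": {"Retain", "Snapshot"},
    "AWS::DynamoDB::Table": {"Retain"},
    "AWS::S3::Bucket": {"Retain"},
    "AWS::EFS::FileSystem": {"Retain"},
}


def check_deletion_policies(template: dict[str, Any]) -> list[str]:
    """Return one finding per unprotected attribute on a stateful resource.

    DeletionPolicy governs stack deletion; UpdateReplacePolicy governs the
    old resource when an update forces replacement. Both default to Delete.
    DeletionPolicy additionally accepts RetainExceptOnCreate, which deletes
    the resource only if the stack's initial creation fails.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        base = BASE_SAFE.get(rtype)
        if base is None:
            continue  # not a data-bearing type tracked here
        for attr in ("DeletionPolicy", "UpdateReplacePolicy"):
            safe = set(base)
            if attr == "DeletionPolicy":
                safe.add("RetainExceptOnCreate")
            value = res.get(attr, "Delete")  # CloudFormation's default
            if value not in safe:
                findings.append(f"{name} ({rtype}): {attr} is {value}; "
                                f"set one of {sorted(safe)}")
    return findings


# The template as the question describes it: no policy, so the default Delete.
WEAK_TEMPLATE: dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20"},
        },
        "AppSg": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "db access"}},
    },
}

# Corrected: the two attributes sit beside Type and Properties, not inside them.
SAFE_TEMPLATE: dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDb": {
            "Type": "AWS::RDS::DBInstance",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Retain",
            "Properties": WEAK_TEMPLATE["Resources"]["AppDb"]["Properties"],
        },
        "AppSg": WEAK_TEMPLATE["Resources"]["AppSg"],
    },
}

if __name__ == "__main__":
    for finding in check_deletion_policies(WEAK_TEMPLATE):
        print(finding)
    print("safe template findings:", check_deletion_policies(SAFE_TEMPLATE))
```

The same check applied to the YAML form of the template is what a pre-commit hook or pipeline stage would run; in YAML the corrected resource carries `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain` at the same indentation as `Type`.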

691
MCQ · easy

A company hosts a web application on EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. Which step should the SysOps administrator take to troubleshoot the issue?

A. Verify the target group health check settings.
B. Enable cross-zone load balancing.
C. Increase the idle timeout on the load balancer.
D. Add more subnets to the load balancer.
Answer: A

Correct: an ALB returns 503 when the target group has no healthy (or no registered) targets.

Why this answer

An HTTP 503 from an ALB means no healthy target was available in the target group to take the request. Checking the target group's health check configuration (path, port, success codes, interval and thresholds) together with the current health status of each target is the first step to find out why targets are being marked unhealthy. Options B, C and D change distribution, connection timeouts and availability zones respectively; none of them explains or fixes targets that fail their health checks.

692
Multi-Select · easy

A SysOps administrator is planning for disaster recovery of an RDS MySQL database. The database is currently in a single AZ. Which TWO actions will improve recovery time and reduce data loss? (Select TWO.)

Select 2 answers
A.Create a read replica in a different AWS Region.
B.Enable automated backups with a retention period of 7 days.
C.Enable Multi-AZ deployment for automatic failover.
D.Enable deletion protection on the RDS instance.
E.Increase the allocated storage to improve performance.
AnswersB, C

Automated backups enable point-in-time recovery.

Why this answer

Options B and D are correct. Multi-AZ provides a synchronous standby for failover, reducing RTO and RPO. Automated backups allow point-in-time recovery within seconds.

Option A is wrong because read replicas are for read scaling, not failover. Option C is wrong because increasing storage does not improve recovery. Option E is wrong because Deletion Protection does not aid recovery.

693
MCQ · medium

A company uses AWS Systems Manager to automate patching of EC2 instances. The SysOps administrator creates a Maintenance Window that targets a list of instances. The patching task fails with the error: 'Instance is not in a supported state.' What should the administrator check FIRST?

A. Verify that the instance has a public IP address.
B. Verify that the instance's security group allows inbound traffic from Systems Manager.
C. Verify that the SSM Agent is installed and running on the instance.
D. Verify that the instance has an IAM instance profile attached with the necessary permissions.
Answer: C

The SSM Agent must be running for Systems Manager to manage the instance.

Why this answer

Option C is correct because Systems Manager can only target an instance that is reporting in as a managed node, which requires SSM Agent to be installed, running and able to reach the Systems Manager endpoints; an instance that has not registered is "not in a supported state" for a Run Command or patching task. Option A is wrong because patching does not require a public IP; the agent only needs outbound connectivity to the Systems Manager endpoints, through a NAT gateway or VPC endpoints. Option B is wrong because Systems Manager never initiates inbound connections; the agent polls outbound, so inbound security group rules are irrelevant.

Option D is the natural second check, because the instance profile is what lets the agent register with Systems Manager, but the question asks what to verify FIRST, and an installed, running agent is the prerequisite for everything else.

694
MCQ · medium

A company has two Amazon VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16) in the same AWS Region. The SysOps administrator needs to enable private IP connectivity between the two VPCs without using the public internet. The solution must be simple, low-cost, and provide high throughput. Which AWS service should the administrator use?

A. VPC peering
B. AWS Site-to-Site VPN
C. AWS Direct Connect
D. AWS Transit Gateway
Answer: A

VPC peering establishes a direct, private network connection between two VPCs using the AWS backbone. It is simple to set up, has low cost (no hourly fees, only data transfer charges), and provides high throughput with no bandwidth constraints.

Why this answer

VPC peering is the correct choice because it enables direct private IP connectivity between two VPCs using the AWS global network, without requiring internet gateways, VPNs, or physical connections. It is simple to set up (no additional hardware or software), low-cost (no per-hour charges, only data transfer costs), and provides high throughput (bandwidth is limited only by the instance types, not by the peering connection itself).

Exam trap

The trap here is that candidates often over-engineer the solution by choosing AWS Transit Gateway (Option D) for its advanced features, forgetting that for a simple two-VPC connection, VPC peering is the most cost-effective and straightforward option without unnecessary complexity.

How to eliminate wrong answers

Option B (AWS Site-to-Site VPN) is wrong because it requires a virtual private gateway on each VPC and an on-premises VPN endpoint, adding complexity and cost (per-hour charges) while throughput is limited by the VPN tunnel (typically up to 1.25 Gbps per tunnel). Option C (AWS Direct Connect) is wrong because it is designed for dedicated on-premises to AWS connectivity, not for VPC-to-VPC peering, and involves high cost, long provisioning times, and physical infrastructure. Option D (AWS Transit Gateway) is wrong because while it can connect multiple VPCs, it introduces additional cost (per-hour and per-GB charges) and complexity (requires transit gateway attachments and route table management) that is unnecessary for a simple two-VPC scenario.

695
MCQ · easy

A company is designing a highly available web application on AWS. The application runs on EC2 instances behind an Application Load Balancer. Which configuration ensures that the application remains available if an entire AWS Availability Zone fails?

A. Deploy EC2 instances in multiple subnets of the same Availability Zone.
B. Launch EC2 instances in at least two different Availability Zones.
C. Use a larger EC2 instance type to handle the load.
D. Use EC2 instances in multiple AWS Regions.
Answer: B

Distributing instances across AZs provides fault isolation for AZ failures.

Why this answer

Option B is correct because deploying EC2 instances in at least two Availability Zones, with the ALB enabled in those same AZs, means that if one AZ fails the load balancer routes traffic to the healthy instances in the other. Option A is wrong because multiple subnets in the same AZ share one failure domain. Option C is wrong because a larger instance type does nothing about an AZ failure.

Option D is wrong because an Application Load Balancer is Regional and cannot send traffic to instances in another Region; multi-Region is a separate architecture (a second stack plus Route 53 failover), not the answer to a single AZ failure.

696
MCQ · medium

A company runs a global e-commerce application that uses Amazon DynamoDB as its primary database. The application requires single-digit millisecond read and write latency from any region and must continue to operate during a regional outage with minimal data loss. Which DynamoDB feature should the SysOps administrator enable to meet these requirements?

A. DynamoDB Accelerator (DAX)
B. DynamoDB global tables
C. DynamoDB Point-in-Time Recovery (PITR)
D. DynamoDB Auto Scaling
Answer: B

Global tables replicate data across multiple AWS Regions, giving the application local read and write latency in each Region; if one Region becomes unavailable the application can be redirected to another replica Region with only not-yet-replicated writes at risk.

Why this answer

DynamoDB global tables provide multi-Region, multi-active replication, so the application gets single-digit millisecond reads and writes from its local replica in any Region. Replication between Regions is asynchronous and eventually consistent, typically within a second, so when a Region fails the application can be pointed at another replica Region with minimal data loss: only the writes that had not yet replicated are at risk. Note that global tables do not redirect traffic themselves; the application, or Route 53 health-checked records in front of it, must fail over to the other Region.

Exam trap

The trap here is that candidates often confuse DynamoDB Accelerator (DAX) with global tables, assuming a caching layer can provide multi-Region availability, but DAX is Region-specific and does not replicate data across Regions.

How to eliminate wrong answers

Option A is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that reduces read latency but does not provide multi-Region replication or write availability during a regional outage. Option C is wrong because Point-in-Time Recovery (PITR) enables backup restoration to any point within the last 35 days but does not provide real-time failover or cross-Region read/write capability. Option D is wrong because Auto Scaling adjusts provisioned throughput based on traffic but does not replicate data across Regions or ensure availability during a regional outage.

697
MCQ · medium

An application writes error logs to Amazon CloudWatch Logs. The SysOps administrator needs to monitor for the occurrence of the string 'ERROR' in the logs and trigger an Amazon SNS notification if more than 10 errors occur within a 5-minute window. The administrator also wants to visualize the error count over time. Which approach should be used to meet these requirements with the least operational overhead?

A. Create a CloudWatch Logs metric filter to count 'ERROR' entries, then create a CloudWatch alarm on that metric with a period of 5 minutes and a threshold of 10.
B. Use CloudWatch Logs Insights to run a query every 5 minutes and send notifications via a scheduled AWS Lambda function.
C. Create an AWS Lambda function that processes log events in real-time and publishes to Amazon SNS when the error count exceeds 10 in 5 minutes.
D. Use Amazon EventBridge to match log events with the pattern 'ERROR' and send them to an SNS topic.
Answer: A

Metric filters convert log data into CloudWatch metrics, enabling alarms and dashboards with minimal overhead.

Why this answer

Option A is correct because CloudWatch Logs metric filters can extract a count of 'ERROR' occurrences from incoming log events and emit a custom metric. A CloudWatch alarm on that metric with a period of 5 minutes and a threshold of 10 directly triggers an SNS notification when the error count exceeds 10 within the window, and the metric itself can be graphed in CloudWatch dashboards for visualization—all with minimal configuration and no custom code.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Lambda or EventBridge, not realizing that CloudWatch Logs metric filters combined with CloudWatch alarms are the native, serverless, and lowest-overhead way to count substring occurrences and trigger alerts on aggregated thresholds.

How to eliminate wrong answers

Option B is wrong because running a CloudWatch Logs Insights query every 5 minutes via a scheduled Lambda function introduces unnecessary complexity, latency, and operational overhead compared to a real-time metric filter and alarm. Option C is wrong because creating a Lambda function to process log events in real-time adds custom code, scaling concerns, and maintenance burden when CloudWatch Logs metric filters and alarms natively provide the same functionality with zero code. Option D is wrong because Amazon EventBridge does not natively parse or count occurrences of a string like 'ERROR' within log events; it matches event patterns at the event level, not substring counts within log messages, and cannot aggregate counts over a time window.

698
MCQhard

A SysOps administrator must grant an IAM user the ability to start and stop specific EC2 instances, but NOT terminate them. The administrator creates a policy with the following statement. However, the user can still terminate instances. What is the MOST likely reason?

A.The policy does not restrict the ec2:TerminateInstances action to specific instances using a condition or ARN
B.The condition key ec2:ResourceTag is not a valid condition key for EC2 actions
C.The ec2:TerminateInstances action is not allowed in a customer-managed policy
D.The policy does not include an explicit deny for ec2:TerminateInstances
AnswerA

The statement grants ec2:TerminateInstances without an effective resource restriction: the tag condition scopes only the start/stop actions, so the Allow for termination applies to every instance.

Why this answer

Option A is correct because ec2:StartInstances, ec2:StopInstances and ec2:TerminateInstances all support resource-level permissions, so termination can be restricted to specific instances by instance ARN or by an ec2:ResourceTag condition. The policy lists ec2:TerminateInstances without such a restriction, which is why the user can still terminate instances: the StringEquals condition on ec2:ResourceTag that scopes the start/stop actions is valid, but it does not carry over to the terminate grant. A StringEquals test on a tag fails when the instance lacks the tag, so a correctly scoped statement would leave termination of untagged instances implicitly denied; the problem is that the terminate permission is not scoped at all.

Option B is incorrect because ec2:ResourceTag is a valid condition key for these EC2 actions. Option C is incorrect because a customer-managed policy can grant ec2:TerminateInstances. Option D is incorrect because an explicit deny is not required: the policy only needs to allow StartInstances and StopInstances on the intended instances, and any action that is not explicitly allowed is implicitly denied.

699
Multi-Selecteasy

A company wants to use Amazon CloudFront to distribute content globally with low latency. Which TWO features of CloudFront help achieve this?

Select 2 answers
A.Regional edge caches that provide additional caching layers
B.Edge locations that cache content near users
C.Use of S3 Transfer Acceleration
D.VPC peering to connect to origins
E.Integration with AWS Global Accelerator
AnswersA, B

Regional edge caches sit between edge locations and the origin to improve cache hit ratio.

Why this answer

Options A and B are correct. CloudFront uses a global network of edge locations and regional edge caches to cache content close to users. Option E is wrong because CloudFront does not use AWS Global Accelerator; they are separate services.

Option C is wrong because S3 Transfer Acceleration is for uploading to S3, not for CloudFront distribution. Option D is wrong because VPC peering is for network connectivity, not content delivery.

700
MCQeasy

A SysOps administrator is troubleshooting an application that runs on an EC2 instance. The application is experiencing high latency, and the administrator suspects a memory leak. Which metrics should the administrator examine first?

A.Custom CloudWatch metrics published by the CloudWatch agent, such as mem_used_percent.
B.CloudWatch metrics from the Detailed Monitoring feature, such as DiskReadOps.
C.CloudWatch metrics for the instance's Elastic Network Interface.
D.CloudWatch default EC2 metrics, such as CPUUtilization and NetworkIn.
AnswerA

Memory metrics require the CloudWatch agent.

Why this answer

A memory leak causes the application to consume increasing amounts of memory over time, leading to high latency as the OS begins swapping or the kernel reclaims memory. The CloudWatch agent can publish custom metrics like `mem_used_percent`, which directly tracks memory usage percentage and is the most relevant metric to confirm a memory leak. Default EC2 metrics do not include memory utilization, so the administrator must rely on custom metrics from the CloudWatch agent.

Exam trap

The trap here is that candidates assume default EC2 metrics include memory utilization, but AWS does not provide guest OS memory metrics by default; you must install the CloudWatch agent to capture them.

How to eliminate wrong answers

Option B is wrong because DiskReadOps measures disk I/O operations, not memory usage; it would not help identify a memory leak. Option C is wrong because Elastic Network Interface metrics track network throughput and packet counts, which are unrelated to memory consumption. Option D is wrong because default EC2 metrics like CPUUtilization and NetworkIn do not include memory metrics; EC2 does not expose guest OS memory usage without the CloudWatch agent.

701
Multi-Selecthard

A SysOps administrator needs to ensure that all API calls in the AWS account are logged for auditing purposes. The administrator also wants to receive notifications when specific API calls are made. Which THREE services should the administrator use together to achieve this? (Choose THREE.)

Select 3 answers
A.Amazon EventBridge
B.AWS Config
C.Amazon Simple Notification Service (SNS)
D.Amazon CloudWatch Logs
E.AWS CloudTrail
AnswersA, D, E

EventBridge can filter CloudTrail events and trigger actions like SNS notifications.

Why this answer

AWS CloudTrail (Option E) is the primary service for logging all API calls in an AWS account, capturing detailed event records. Amazon CloudWatch Logs (Option D) can receive these CloudTrail events for centralized log storage and monitoring. Amazon EventBridge (Option A) can then be used to create rules that match specific API calls and trigger notifications, such as sending messages to an SNS topic, enabling real-time alerting.

Exam trap

The trap here is that candidates often confuse AWS Config with CloudTrail, thinking Config logs API calls, when in fact Config only tracks configuration changes and compliance, not the API calls that caused those changes.

702
MCQhard

A SysOps administrator deploys the CloudFormation template shown in the exhibit. The stack creation fails with a security group error. What is the most likely cause?

A.The AMI ID is incorrect.
B.The security group ingress rule uses an invalid CIDR.
C.The template uses 'SecurityGroups' instead of 'SecurityGroupIds' for a VPC instance.
D.The security group ingress rule allows SSH from all IPs.
AnswerC

In VPC, you must use SecurityGroupIds.

Why this answer

Option C is correct. The template launches the instance with the SecurityGroups property, which takes a list of security group names and applies to instances launched outside a VPC. The value supplied is a Ref to the AWS::EC2::SecurityGroup resource, and for a VPC security group that Ref resolves to the group ID rather than the name, so the instance creation fails with a security group error. For an instance in a VPC the correct property is SecurityGroupIds, which takes group IDs.

Option A is wrong because an incorrect AMI ID would produce an AMI error, not a security group error. Option B is wrong because the CIDR in the exhibit's ingress rule, 10.0.0.0/8, is a valid CIDR block. Option D is wrong because allowing SSH from a broad range is a security concern, not a cause of stack failure; CloudFormation accepts the rule.
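The SecurityGroups/SecurityGroupIds mistake as a template check, added here as an example and not taken from the question bank or AWS. It constructs a template with the same defect (the security group is placed in a VPC and referenced by Ref), flags it, and shows the corrected property passing; AMI, subnet and VPC values are placeholders.

```python
"""Lint for AWS::EC2::Instance resources that use the name-based SecurityGroups
property in a VPC launch. In a VPC, Ref on an AWS::EC2::SecurityGroup yields
the group ID, which SecurityGroups rejects; the fix is SecurityGroupIds.
Templates are handled as Python dicts in CloudFormation JSON form.
"""


def make_template(sg_property):
    """Build the constructed template; sg_property selects the instance property."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
        "Resources": {
            "WebSg": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "SSH from the private range",
                    "VpcId": {"Ref": "VpcId"},
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "CidrIp": "10.0.0.0/8"}  # the CIDR quoted in the exhibit
                    ],
                },
            },
            "Web": {
                "Type": "AWS::EC2::Instance",
                "Properties": {
                    "ImageId": "ami-PLACEHOLDER",       # placeholder, not a real AMI
                    "InstanceType": "t3.micro",
                    "SubnetId": "subnet-PLACEHOLDER",   # placeholder; a subnet means a VPC launch
                    sg_property: [{"Ref": "WebSg"}],
                },
            },
        },
    }


def _ref_target(value):
    """Logical ID named by a {"Ref": ...} value, else None."""
    return value.get("Ref") if isinstance(value, dict) else None


def security_group_findings(template):
    """Return (instance_logical_id, message) for every instance that uses
    SecurityGroups although it is launched in a VPC (SubnetId/NetworkInterfaces
    present) or references a security group resource of this template."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        if "SecurityGroups" not in props:
            continue
        in_vpc = "SubnetId" in props or "NetworkInterfaces" in props
        refs_sg = any(
            resources.get(_ref_target(entry), {}).get("Type") == "AWS::EC2::SecurityGroup"
            for entry in props["SecurityGroups"]
        )
        if in_vpc or refs_sg:
            findings.append((
                logical_id,
                "SecurityGroups expects group names; this is a VPC launch and/or the "
                "entries are Refs that resolve to group IDs. Use SecurityGroupIds.",
            ))
    return findings


BROKEN_TEMPLATE = make_template("SecurityGroups")
FIXED_TEMPLATE = make_template("SecurityGroupIds")

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, security_group_findings(tpl))
```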

703
MCQmedium

A company uses Amazon CloudFront to deliver its static website hosted on Amazon S3. The security team notices that users are able to access the S3 bucket directly via the S3 endpoint, bypassing CloudFront. What should be done to ensure that content is only accessible through CloudFront?

A.Create an origin access identity (OAI) and update the S3 bucket policy to grant access only to the OAI
B.Use AWS WAF to block requests that do not include the CloudFront distribution's domain name
C.Create an AWS Lambda@Edge function to validate headers
D.Use S3 Block Public Access to prevent all public access
AnswerA

This restricts S3 bucket access to CloudFront only.

Why this answer

Option A is correct because configuring an origin access identity (OAI) and updating the S3 bucket policy to allow access only to the OAI prevents direct S3 access. Option D is wrong because disabling public access on the S3 bucket using S3 Block Public Access would also block legitimate CloudFront requests if not combined with OAI. Option C is wrong because Lambda@Edge can modify requests/responses but does not enforce access control at the bucket level.

Option B is wrong because AWS WAF can filter requests but does not prevent direct S3 access.

704
MCQmedium

A web application is deployed in us-east-1 (primary) and eu-west-1 (standby). Under normal conditions, all traffic should go to us-east-1. If the us-east-1 health check fails, traffic must automatically redirect to eu-west-1 within 30 to 60 seconds. What Route 53 configuration implements this?

A.Create failover routing records for the domain: a Primary record pointing to us-east-1 with a Route 53 health check, and a Secondary record pointing to eu-west-1 with no health check
B.Use weighted routing with 100 weight for us-east-1 and 0 weight for eu-west-1; update the weights via Lambda when a CloudWatch alarm fires
C.Enable Route 53 latency routing with records for both regions; Route 53 will automatically switch to eu-west-1 when us-east-1 becomes unavailable
D.Configure Route 53 geolocation routing to send all US traffic to us-east-1 and all European traffic to eu-west-1
AnswerA

When the health check on the Primary record fails for the configured number of consecutive intervals, Route 53 removes the Primary from DNS responses and serves the Secondary. DNS TTL on the records should be set low (60 seconds or less) to minimize client-side caching delay. The failover is automatic, with no manual intervention or Lambda functions required.

Why this answer

Option A is correct because Route 53 failover routing records, combined with a health check on the primary record, automatically redirect traffic to the secondary (standby) record when the primary health check fails. The health check interval and failure threshold can be configured to detect failure within 30–60 seconds, meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse failover routing with latency or geolocation routing, assuming that Route 53 automatically considers health in those routing policies, but only failover routing explicitly supports active-passive failover with health checks.

How to eliminate wrong answers

Option B is wrong because weighted routing with 0 weight for eu-west-1 would never send traffic there, even if us-east-1 fails, unless the weights are updated externally; this approach cannot achieve automatic failover within 30–60 seconds without additional automation and introduces latency. Option C is wrong because latency routing selects the region with the lowest latency for each user, not based on health; if us-east-1 is unhealthy but still has low latency, traffic would continue to be sent there, failing the failover requirement. Option D is wrong because geolocation routing directs traffic based on the user's geographic location, not health; it would not redirect traffic from us-east-1 to eu-west-1 if us-east-1 fails, as users outside Europe would still be routed to the unhealthy primary region.

705
MCQeasy

A company has multiple on-premises branch offices, each with a site-to-site VPN connection to a single VPC in AWS. The SysOps administrator needs to enable communication between the branch offices using the AWS cloud as a hub. Which configuration should be implemented to achieve this with the least operational overhead?

A.Configure static routes in the VPC route table pointing to each VPN connection.
B.Use dynamic routing (BGP) on all VPN connections and enable route propagation on the virtual private gateway (VGW).
C.Create a separate Transit VPC with EC2-based VPN appliances to route traffic between branch offices.
D.Place all branch offices in the same IPsec tunnel by configuring identical pre-shared keys.
AnswerB

Dynamic routing with BGP and route propagation on the VGW allows the VPC to automatically exchange routes between VPN connections, enabling branch-to-branch communication without manual intervention.

Why this answer

Option B is correct because enabling dynamic routing (BGP) on all VPN connections and propagating routes from the virtual private gateway (VGW) into the VPC route table allows each branch office to learn the CIDR blocks of all other branch offices automatically. This eliminates the need for manual static route entries and ensures that traffic between branch offices is routed through the VPC hub with minimal operational overhead, as BGP handles failover and route updates dynamically.

Exam trap

The trap here is that candidates often assume static routes are simpler and sufficient for hub-and-spoke communication, overlooking that BGP route propagation on the VGW provides automated, scalable route exchange with minimal ongoing management, which is the key to reducing operational overhead.

How to eliminate wrong answers

Option A is wrong because configuring static routes in the VPC route table pointing to each VPN connection would require manual updates whenever a branch office subnet changes or a VPN connection is added/removed, increasing operational overhead and not scaling well. Option C is wrong because creating a separate Transit VPC with EC2-based VPN appliances introduces significant complexity, cost, and maintenance overhead compared to using the native VGW with BGP route propagation. Option D is wrong because placing all branch offices in the same IPsec tunnel by configuring identical pre-shared keys is not a valid configuration; each site-to-site VPN connection must have unique tunnel settings, and this approach would cause routing conflicts and security issues, not enable inter-branch communication.

706
MCQeasy

Developers are allowed to create IAM roles for their Lambda functions. However, the security team is concerned that developers could create roles with Administrator access, granting Lambda functions more permissions than the developers themselves have. What IAM feature prevents privilege escalation in this scenario?

A.Attach a permission boundary to each developer IAM user that limits them to creating roles with only the permissions they are allowed to grant
B.Enable IAM Access Analyzer to detect when developers create overly permissive roles
C.Require MFA for all IAM API calls so developers must re-authenticate before creating roles
D.Enable CloudTrail logging for all IAM API calls and set up a CloudWatch alarm for iam:CreateRole events
AnswerA

The permission boundary on the developer prevents them from passing permissions they do not have (iam:PassRole with a role whose boundary exceeds their own). When combined with an IAM policy that requires any role they create to have the same boundary attached, privilege escalation is prevented systematically.

Why this answer

Permission boundaries are an IAM feature that allow you to set the maximum permissions that an identity-based policy can grant to a principal. By attaching a permission boundary to each developer IAM user that restricts them to creating roles with only the permissions they are allowed to grant, you prevent the developer from creating a Lambda execution role with AdministratorAccess or any other policy that exceeds the boundary. This directly addresses the privilege escalation concern because the boundary acts as a ceiling on the permissions the developer can delegate to the role.

Exam trap

The trap here is that candidates often confuse detective controls (like Access Analyzer, CloudTrail, or alarms) with preventive controls, thinking that monitoring or alerting can stop the action, when only a preventive mechanism like a permission boundary can block the creation of an overly permissive role at the time of the API call.

How to eliminate wrong answers

Option B is wrong because IAM Access Analyzer is a post-creation analysis tool that identifies resources shared with external principals; it does not prevent a developer from creating an overly permissive role in the first place. Option C is wrong because requiring MFA for IAM API calls adds an authentication step but does not restrict the permissions that can be assigned to a role; a developer with valid MFA could still create an AdministratorAccess role. Option D is wrong because CloudTrail logging and CloudWatch alarms are detective controls that only alert after the role has been created; they do not prevent the privilege escalation from occurring.
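A small model of IAM policy evaluation, added here (not from the question bank or AWS) to show two things from this page: why the EC2 start/stop policy of question 698 still permits termination when the terminate grant is unscoped, and how the iam:PermissionsBoundary condition of question 706 blocks creation of roles that lack the approved boundary. The policies, account ID, ARNs and tag values are constructed, and the evaluator models only Action/Resource wildcards, explicit Deny over Allow, implicit deny and StringEquals conditions.

```python
"""Teaching model of IAM evaluation; not a substitute for the IAM policy simulator."""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account ID
INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc123"
DEV_BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/DeveloperBoundary"


def _matches(patterns, value):
    """Wildcard match for Action and Resource elements (string or list)."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(condition, context):
    """Only StringEquals is modelled. A key absent from the request context
    makes the test fail, as IAM does for StringEquals (unlike ...IfExists)."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in tests.items():
            allowed = expected if isinstance(expected, list) else [expected]
            if context.get(key) not in allowed:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Evaluate one identity policy for a request; True only on a matching Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False      # an explicit deny always wins
        allowed = True
    return allowed            # nothing matched: implicit deny


# Question 698, constructed "before": the tag condition scopes start/stop only;
# TerminateInstances is granted on every instance with no restriction at all.
WEAK_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": f"arn:aws:ec2:*:{ACCOUNT}:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "web"}}},
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Question 698, "after": drop the unscoped grant. No explicit Deny is needed;
# termination now falls through to the implicit deny.
SCOPED_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [WEAK_EC2_POLICY["Statement"][0]],
}

# Question 706: developers may create Lambda roles (and attach policies to them)
# only when the request carries the approved permissions boundary; the boundary
# then caps whatever policy is attached, so AdministratorAccess on the role
# grants nothing beyond the boundary.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/lambda-*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": DEV_BOUNDARY}}},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/lambda-*"},
    ],
}


def demo():
    """Decisions the two questions hinge on, keyed by scenario."""
    tagged = {"ec2:ResourceTag/Team": "web"}
    role = f"arn:aws:iam::{ACCOUNT}:role/lambda-orders"
    with_boundary = {"iam:PermissionsBoundary": DEV_BOUNDARY}
    return {
        "weak_terminate_untagged": is_allowed(WEAK_EC2_POLICY, "ec2:TerminateInstances", INSTANCE),
        "weak_stop_untagged": is_allowed(WEAK_EC2_POLICY, "ec2:StopInstances", INSTANCE),
        "scoped_stop_tagged": is_allowed(SCOPED_EC2_POLICY, "ec2:StopInstances", INSTANCE, tagged),
        "scoped_terminate_tagged": is_allowed(SCOPED_EC2_POLICY, "ec2:TerminateInstances", INSTANCE, tagged),
        "create_role_with_boundary": is_allowed(DEVELOPER_POLICY, "iam:CreateRole", role, with_boundary),
        "create_role_without_boundary": is_allowed(DEVELOPER_POLICY, "iam:CreateRole", role),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {'ALLOW' if decision else 'DENY'}")
```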

707
Multi-Selectmedium

A company wants to use AWS KMS to encrypt data at rest for an S3 bucket. The security policy requires that the CMK be rotated every year. Which of the following are true about automatic key rotation for AWS KMS customer master keys (CMKs)? (Choose TWO.)

Select 1 answer
A.Automatic key rotation is supported for asymmetric CMKs
B.Automatic key rotation is supported for symmetric CMKs created in KMS
C.Automatic key rotation can be enabled for any CMK at any time
D.Automatic key rotation is supported for imported CMKs
E.When a CMK is rotated, the previous backing key is deleted
AnswersB

KMS can automatically rotate symmetric CMKs every year.

Why this answer

Automatic key rotation is supported only for symmetric CMKs created in KMS (option B). It is not supported for asymmetric CMKs (option A) or imported keys (option D), which also rules out option C, since rotation cannot be enabled for every CMK. Option E is wrong because rotation creates a new backing key but does not delete the old ones; they are kept so that data encrypted under them can still be decrypted.

708
MCQeasy

A company wants to centrally manage access to AWS accounts for its employees. Which AWS service should be used to create and manage users and groups across multiple accounts?

A.AWS IAM
B.AWS Directory Service
C.AWS IAM Identity Center
D.AWS Organizations
AnswerC

IAM Identity Center provides centralized user management across multiple accounts.

Why this answer

AWS IAM Identity Center (successor to AWS SSO) allows you to create users and groups and assign them access to multiple AWS accounts with a single sign-on. Option C is correct. Option A is wrong because IAM is per-account, not cross-account.

Option D is wrong because AWS Organizations manages accounts and policies, not users. Option B is wrong because AWS Directory Service is used for Microsoft Active Directory, not for cross-account access management.

709
MCQhard

A company runs a production application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application uses an RDS for PostgreSQL database. The SysOps administrator has configured a read replica in a different AWS Region for disaster recovery. During a disaster, the primary region becomes unavailable. The administrator promotes the read replica to a standalone instance. After promoting, the application fails to connect to the new database because the endpoint changed. The administrator needs to minimize downtime. What should the administrator do to handle the endpoint change automatically?

A.Assign an Elastic IP address to the RDS instance.
B.Use Amazon Route 53 with a weighted alias record that points to the primary database endpoint, and configure a health check to fail over to the secondary endpoint.
C.Update the application configuration files to point to the new endpoint.
D.Use an RDS proxy and configure it to automatically failover to the promoted replica.
AnswerB

Automates DNS failover.

Why this answer

Option B is correct. By using Route 53 weighted records with health checks, the administrator can set up a DNS alias that points to the primary database endpoint. When the primary fails, the health check fails, and Route 53 can fail over to a secondary record pointing to the promoted replica.

Option C is wrong because updating the application configuration manually takes time and increases downtime. Option D is wrong because an RDS proxy does not eliminate the need to update the endpoint. Option A is wrong because an Elastic IP cannot be assigned to an RDS instance.

710
MCQmedium

An organization uses Amazon CloudFront to serve static content from an S3 bucket. The content is updated frequently, but users are seeing stale files. What is the most efficient way to invalidate the cache for updated objects?

A.Create a CloudFront invalidation for the updated files.
B.Use the S3 console to set a new cache-control header.
C.Change the origin path in the CloudFront distribution.
D.Delete and recreate the CloudFront distribution.
AnswerA

Correct. Invalidation removes cached objects.

Why this answer

CloudFront supports file invalidation to remove objects from edge caches. Using the console or API to create an invalidation for the specific paths is the direct method.

711
MCQmedium

A SysOps administrator needs to monitor application logs stored in Amazon CloudWatch Logs for the term 'CRITICAL'. When more than 5 'CRITICAL' entries appear in a 5-minute window, the administrator wants to automatically restart the underlying Amazon EC2 instance. Which solution should the administrator implement?

A.Create a CloudWatch Logs metric filter, then a CloudWatch alarm that triggers an AWS Systems Manager Automation document to restart the instance.
B.Create a CloudWatch Logs metric filter, then a CloudWatch alarm that triggers an EC2 Reboot Instances action.
C.Create a CloudWatch Logs metric filter, then use Amazon CloudWatch Events (Amazon EventBridge) to trigger an AWS Lambda function that restarts the instance.
D.Use Amazon CloudWatch Synthetics canary to monitor the logs and automatically stop the instance.
AnswerB

CloudWatch alarms support EC2 actions including reboot, which is the simplest way to restart the instance based on a metric.

Why this answer

Option B is correct because CloudWatch Logs metric filters can count occurrences of the term 'CRITICAL' in log data, and a CloudWatch alarm can be configured to trigger an EC2 Reboot Instances action directly when the metric exceeds a threshold of 5 in a 5-minute period. This provides a native, simple, and fully managed solution without requiring additional services like Lambda or Systems Manager.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Lambda or Systems Manager, not realizing that CloudWatch alarms have a built-in EC2 action for reboot, stop, terminate, or recover, which is the simplest and most cost-effective method for this use case.

How to eliminate wrong answers

Option A is wrong because while a CloudWatch alarm can trigger an AWS Systems Manager Automation document, the EC2 Reboot Instances action is a direct alarm target and does not require Systems Manager Automation, which adds unnecessary complexity and potential latency. Option C is wrong because using CloudWatch Events (EventBridge) to invoke a Lambda function to restart the instance is an over-engineered approach; the EC2 Reboot Instances action is a built-in alarm target that eliminates the need for custom code. Option D is wrong because CloudWatch Synthetics canaries are designed for synthetic monitoring of endpoints and web applications, not for analyzing existing CloudWatch Logs for specific terms like 'CRITICAL'.
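The metric filter plus alarm pattern used by questions 697 and 711, added as an example that is not from the question bank or AWS. It simulates on constructed log events what the filter and alarm compute (1 per matching event, Sum over a 300-second period, GreaterThanThreshold for "more than N"), and builds the boto3 request parameters that create the same filter and alarm; log group, namespace, topic and alarm-action ARNs are placeholders.

```python
"""Local model of a CloudWatch Logs metric filter feeding a CloudWatch alarm."""
from collections import Counter

PERIOD_SECONDS = 300  # the 5-minute window used by both questions


def metric_filter_hits(events, term):
    """Timestamps of events a single-term filter pattern would match.
    Simplification: the term is compared case-sensitively against the
    whitespace-separated tokens of the message."""
    return [ts for ts, message in events if term in message.split()]


def sum_per_period(timestamps, period=PERIOD_SECONDS):
    """Statistic=Sum per aligned period, which is how the alarm sees the metric."""
    return Counter(ts - ts % period for ts in timestamps)


def alarm_state(period_sums, threshold):
    """ALARM for each period whose sum is strictly greater than the threshold."""
    return {start: ("ALARM" if total > threshold else "OK")
            for start, total in sorted(period_sums.items())}


def evaluate(events, term, threshold):
    """Filter, per-period Sum and threshold comparison, end to end."""
    return alarm_state(sum_per_period(metric_filter_hits(events, term)), threshold)


def metric_filter_params(log_group, term, metric_name, namespace):
    """Keyword arguments for boto3 logs.put_metric_filter()."""
    return {
        "logGroupName": log_group,
        "filterName": f"{metric_name}Filter",
        "filterPattern": term,
        "metricTransformations": [{
            "metricName": metric_name,
            "metricNamespace": namespace,
            "metricValue": "1",
            "defaultValue": 0.0,  # emit 0 for non-matching events so the metric is never missing
        }],
    }


def alarm_params(alarm_name, metric_name, namespace, threshold, action_arn):
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm().

    action_arn is an SNS topic ARN for question 697, or the built-in EC2 alarm
    action arn:aws:automate:<region>:ec2:reboot for question 711."""
    return {
        "AlarmName": alarm_name,
        "Namespace": namespace,
        "MetricName": metric_name,
        "Statistic": "Sum",
        "Period": PERIOD_SECONDS,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [action_arn],
    }


# Constructed sample log events as (epoch seconds, message).
SAMPLE_EVENTS = (
    [(10 + i, "ERROR db timeout") for i in range(11)]      # 11 in period 0: more than 10
    + [(300 + i, "ERROR db timeout") for i in range(10)]   # exactly 10 in period 300: not more than 10
    + [(400, "INFO ERRORS_TOTAL=21 reported"),             # token is not "ERROR": no match
       (410, "WARN retry scheduled")]
    + [(600 + i, "CRITICAL disk full") for i in range(6)]  # 6 in period 600: more than 5
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, "ERROR", 10))     # {0: 'ALARM', 300: 'OK'}
    print(evaluate(SAMPLE_EVENTS, "CRITICAL", 5))   # {600: 'ALARM'}
    print(alarm_params("AppErrors", "ErrorCount", "App", 10,
                       "arn:aws:sns:us-east-1:123456789012:alerts"))
```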

712
Multi-Selecthard

A SysOps administrator is designing an automated deployment pipeline for a web application using AWS CodePipeline. The application is deployed to an Auto Scaling group behind an Application Load Balancer. The administrator wants to ensure zero downtime during deployments. Which TWO strategies should be combined? (Choose TWO.)

Select 2 answers
A.Use CodeDeploy with an all-at-once deployment.
B.Use CodeDeploy with a canary deployment.
C.Use a blue/green deployment with CodeDeploy and an Elastic Load Balancer.
D.Use CodeDeploy with an in-place update and a rolling batch configuration.
E.Use CodeDeploy with an immutable update.
AnswersC, E

Blue/green provides zero downtime by shifting traffic.

Why this answer

Options C and E are correct because an immutable update launches new instances with the new version, then swaps them into the load balancer and terminates old ones, providing zero downtime. A blue/green deployment (option C) does the same by creating a new environment and shifting traffic. Option D is wrong because an in-place update with rolling batches may cause brief downtime if health checks fail.

Option B is wrong because canary deployments are not zero downtime by default but can be used with blue/green. Option A is wrong because all-at-once causes downtime.

713
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users in any member account can create access keys for themselves. What is the MOST efficient way to enforce this policy across all accounts?

A.Create an SCP that denies the iam:CreateAccessKey action and attach it to the root organizational unit.
B.Apply an IAM policy to the master account's root user that denies access key creation.
C.Enable AWS Trusted Advisor security checks and follow the recommendations.
D.Use AWS Config to detect access key creation and automatically delete the keys using a Lambda function.
AnswerA

SCPs can deny actions across all accounts in the organization.

Why this answer

A service control policy (SCP) can be applied at the root or to specific OUs to deny IAM actions across all member accounts. Option A is correct because it centrally restricts the action. Option B is wrong because it only works for the master account.

Option C is wrong because Trusted Advisor only provides recommendations, not enforcement. Option D is wrong because it requires individual account configuration and only reacts after the keys have been created.

714
MCQmedium

An organization has a VPC peering connection between VPC A and VPC B. Instances in VPC A can reach instances in VPC B, but not vice versa. What is the most likely cause?

A.The route table in VPC B does not have a route to VPC A's CIDR.
B.DNS resolution is not enabled for the VPC peering connection.
C.Security groups in VPC B block inbound traffic from VPC A.
D.The VPC peering connection is in a 'pending-acceptance' state.
AnswerA

Correct because peering requires routes in both directions.

Why this answer

Option A is correct because VPC peering requires route table entries in both VPCs for bidirectional traffic. Option C is wrong because security groups are stateful but only affect inbound/outbound; the issue is routing. Option D is wrong because the peering connection is already established.

Option B is wrong because DNS resolution settings don't affect basic connectivity.

715
MCQmedium

A company hosts a web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent timeouts. The web server logs show HTTP 503 errors. Which configuration is MOST likely causing the issue?

A.The ALB idle timeout is set too low.
B.The target group is not configured with enough capacity.
C.The target group health checks are misconfigured or the instances are unhealthy.
D.The security group for the ALB does not allow inbound traffic on port 80.
AnswerC

Unhealthy targets cause ALB to stop routing traffic, resulting in 503.

Why this answer

HTTP 503 errors from an ALB indicate that the load balancer cannot route requests to healthy targets. Misconfigured health checks or unhealthy instances cause the ALB to mark targets as unhealthy, leading to 503 responses even if the instances are running. This is the most direct cause of intermittent timeouts when the web server logs show 503 errors.

Exam trap

The trap here is that candidates often confuse HTTP 503 errors with capacity issues (Option B) or timeout settings (Option A), but the specific presence of 503 errors in web server logs points directly to health check failures or unhealthy targets, not general capacity or idle timeout misconfigurations.

How to eliminate wrong answers

Option A is wrong because the ALB idle timeout controls how long the load balancer keeps a connection open without data transfer; a low idle timeout would cause 504 (gateway timeout) errors, not 503 (service unavailable) errors. Option B is wrong because insufficient target group capacity (e.g., too few instances or undersized instance types) would cause 503 errors only if all targets are overwhelmed, but the question describes intermittent timeouts and 503 errors specifically tied to health check failures, not capacity exhaustion. Option D is wrong because if the ALB security group did not allow inbound traffic on port 80, the ALB would not accept any traffic at all, resulting in connection timeouts or 504 errors, not intermittent 503 errors with web server logs showing 503 responses.

716
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. Users report slow load times. The SysOps team notices that all traffic goes to a single availability zone. Which action should be taken to improve performance and reliability?

A.Configure the ALB to use subnets in at least two Availability Zones
B.Add more EC2 instances in the same Availability Zone
C.Replace the ALB with a Network Load Balancer (NLB)
D.Enable cross-zone load balancing on the ALB
AnswerA

This ensures the ALB can route traffic to instances in multiple AZs, improving performance and fault tolerance.

Why this answer

The correct action is to configure the ALB to use subnets in at least two Availability Zones. An ALB is a regional service that requires subnets in multiple AZs to distribute incoming traffic across healthy targets in those zones. When all traffic goes to a single AZ, it indicates the ALB is only attached to one subnet, creating a single point of failure and limiting the pool of EC2 instances that can serve traffic, which directly causes slow load times and reduced reliability.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing (which distributes traffic across instances within an AZ) with multi-AZ subnet configuration (which enables the ALB to route traffic to instances in different AZs), leading them to incorrectly select option D.

How to eliminate wrong answers

Option B is wrong because adding more EC2 instances in the same Availability Zone does not address the root cause—the ALB is only routing traffic to one AZ, so all new instances would still be in that same AZ, failing to distribute load or improve fault tolerance. Option C is wrong because replacing the ALB with a Network Load Balancer (NLB) does not solve the single-AZ issue; an NLB also requires subnets in multiple AZs for high availability, and the problem is about AZ configuration, not load balancer type. Option D is wrong because cross-zone load balancing on an ALB is enabled by default and controls distribution of traffic across instances within the same AZ, not across AZs; it does not fix the issue of the ALB only having subnets in one AZ.

717
MCQmedium

Refer to the exhibit. The command returns no events for RunInstances during the specified time period. The administrator knows that instances were launched during that time. What is the most likely cause?

A.CloudTrail logs are being delivered to an S3 bucket, not to CloudWatch Logs.
B.The command is run in the wrong AWS Region.
C.CloudTrail is not configured to log management events.
D.The IAM user does not have permission to view CloudTrail events.
AnswerC

If management events are not logged, RunInstances won't appear.

Why this answer

Option C is correct because CloudTrail can be configured to log either management events, data events, or both. If only data events are logged, management events such as RunInstances will not appear in the CloudTrail event history. The command `aws cloudtrail lookup-events` queries the CloudTrail event history, which only contains events that CloudTrail is configured to record.

Since the administrator knows instances were launched but no events are returned, the most likely cause is that CloudTrail is not configured to log management events.

Exam trap

The trap here is that candidates assume CloudTrail always logs all API calls by default, but they overlook that CloudTrail can be configured to exclude management events, and the `lookup-events` command only returns events that CloudTrail is actually recording.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs are delivered to an S3 bucket for long-term storage, but the `lookup-events` command queries the CloudTrail event history, which is a separate, queryable view of the last 90 days of events regardless of whether they are also delivered to S3 or CloudWatch Logs. Option B is wrong because if the command were run in the wrong AWS Region, it would return events from that region, but the administrator knows instances were launched in the region where the command is run; the issue is that no events are returned at all, not that events from a different region appear. Option D is wrong because the IAM user needs permission to call `cloudtrail:LookupEvents`, but if the user lacked that permission, the command would return an access denied error, not an empty result set.

718
MCQmedium

A company stores critical data in an Amazon S3 bucket in the us-west-2 Region. The SysOps administrator needs to ensure that all objects are automatically replicated to another AWS Region for disaster recovery. The Recovery Point Objective (RPO) must be less than 15 minutes, and existing objects must also be replicated. Which S3 feature should the administrator use?

A.S3 Cross-Region Replication (CRR) with Replication Time Control (RTC)
B.S3 Same-Region Replication (SRR)
C.S3 Event Notifications with an AWS Lambda function to copy objects to another region
D.S3 Transfer Acceleration
AnswerA

CRR replicates objects to a different region. With RTC, it meets the 15-minute RPO and can replicate existing objects when configured.

Why this answer

S3 Cross-Region Replication (CRR) with Replication Time Control (RTC) is the correct choice because it provides automatic, asynchronous replication of objects to a different AWS Region, meeting the RPO of less than 15 minutes by guaranteeing replication within 15 minutes for most objects (99.99% of objects are replicated within 15 minutes). Additionally, CRR can replicate existing objects when configured with the appropriate replication rule and batch operations, satisfying the requirement to replicate all objects.

Exam trap

The trap here is that candidates may choose S3 Event Notifications with Lambda (Option C) because it seems like a flexible custom solution, but they overlook the lack of a guaranteed RPO, the inability to replicate existing objects without additional effort, and the operational overhead compared to the managed, SLA-backed CRR with RTC.

How to eliminate wrong answers

Option B (S3 Same-Region Replication) is wrong because it replicates objects within the same AWS Region, not across regions, so it does not meet the disaster recovery requirement for cross-region replication. Option C (S3 Event Notifications with Lambda) is wrong because it is a custom, event-driven approach that introduces latency, complexity, and potential failure points, and it cannot guarantee the 15-minute RPO or reliably replicate existing objects without additional scripting. Option D (S3 Transfer Acceleration) is wrong because it is designed to speed up uploads over long distances using edge locations, not to replicate objects between buckets or regions.

719
Multi-Selectmedium

A SysOps administrator needs to troubleshoot connectivity between two EC2 instances in the same VPC but different subnets. The instances cannot communicate. Which THREE checks should the administrator perform? (Choose three.)

Select 3 answers
A.Verify that the network ACLs for both subnets allow the required traffic
B.Enable VPC Flow Logs to analyze traffic
C.Verify that the security groups of both instances allow inbound/outbound traffic on the required ports
D.Verify that the NAT Gateway is configured correctly
E.Verify that the route tables for both subnets have routes to each other's CIDR
AnswersA, C, E

Network ACLs are stateless and filter traffic at the subnet boundary.

Why this answer

Correct answers: A, C, and E. Option A is correct because network ACLs control traffic at the subnet level. Option C is correct because security groups control traffic at the instance level.

Option E is correct because route tables determine whether the subnets can route to each other. Option D is wrong because NAT Gateways are for internet access, not internal VPC communication. Option B is wrong because flow logs are for monitoring, not a direct cause.

720
MCQeasy

A SysOps administrator needs to audit all API calls made in the AWS account, including actions performed by the root user. Which service should be enabled?

A.AWS Config
B.VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records all API activity in the account, including root user actions, and is the correct service for auditing.

Why this answer

AWS CloudTrail records all API calls, including those by the root user, and delivers log files to an S3 bucket. CloudWatch Logs is for log monitoring, not auditing API calls. AWS Config records resource configuration changes, not API calls.

VPC Flow Logs capture network traffic, not API calls.

721
MCQmedium

A SysOps administrator is asked to ensure that all objects in an S3 bucket are encrypted at rest using a customer-managed KMS key. The bucket currently has default encryption set to SSE-S3. What must be done to meet the requirement?

A.Update the bucket's default encryption to SSE-KMS using the customer-managed key, and re-upload existing objects.
B.Add a bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header.
C.Apply a service control policy to enforce SSE-KMS across the organization.
D.Enable S3 Versioning and set the bucket's default encryption to SSE-KMS.
AnswerA

Default encryption must be changed, and existing objects need to be copied to be encrypted with the new key.

Why this answer

Option A is correct because changing the default encryption to SSE-KMS with the customer-managed key will encrypt new objects. Existing objects must be copied to re-encrypt them with the new key. Option B is wrong because bucket policies can enforce encryption but do not change default encryption.

Option C is wrong because SCPs are not for bucket-level settings. Option D is wrong because enabling versioning does not change encryption.

722
MCQeasy

A SysOps administrator notices that an EC2 instance's CPU utilization has been above 90% for the past hour. The instance is part of an Auto Scaling group with a CPU utilization-based scaling policy. However, no new instances have been launched. What is the most likely cause?

A.The Auto Scaling cooldown period is preventing additional scaling activities.
B.The EC2 instance is in a private subnet and cannot communicate with the Auto Scaling service.
C.The CloudWatch alarm is publishing to an S3 bucket that is full.
D.The scaling policy is based on memory utilization, not CPU.
AnswerA

A cooldown period after a previous scaling event can prevent new scaling actions.

Why this answer

The most likely cause is that the Auto Scaling cooldown period is preventing additional scaling activities. When a scaling activity completes, a cooldown period (default 300 seconds) starts during which the Auto Scaling group ignores additional CloudWatch alarms to allow metrics to stabilize. If the instance has been above 90% CPU for an hour but no new instances launched, the cooldown period may have been triggered by a previous scaling event and is still active, blocking further scale-out actions despite sustained high utilization.

Exam trap

The trap here is that candidates often assume high CPU utilization always triggers immediate scaling, overlooking the cooldown period that can delay or block subsequent scaling activities even when alarms are in ALARM state.

How to eliminate wrong answers

Option B is wrong because EC2 instances in a private subnet can still communicate with the Auto Scaling service via a VPC endpoint or NAT gateway; the instance's subnet type does not prevent the Auto Scaling group from launching new instances. Option C is wrong because CloudWatch alarms publish to SNS topics, not S3 buckets; an S3 bucket being full has no impact on alarm delivery or scaling policy execution. Option D is wrong because the question explicitly states the scaling policy is CPU utilization-based, so a memory-based policy would not trigger on CPU metrics, but the policy is correctly configured for CPU.

723
MCQeasy

A company uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. Which configuration step is required?

A.Configure the ALB listener to use HTTPS with a security policy.
B.Configure the target group to use HTTPS protocol and install SSL/TLS certificates on the instances.
C.Place the instances in a private subnet and use a NAT gateway for outbound traffic.
D.Create a security group rule that allows only HTTPS traffic from the ALB to the instances.
AnswerB

This ensures traffic from ALB to instances is encrypted over HTTPS.

Why this answer

Option B is correct because configuring the target group with the HTTPS protocol and HTTPS health checks ensures that the ALB communicates with the instances over HTTPS. Option A is wrong because the listener handles client-facing encryption, not the backend connection. Option C is wrong because a private subnet and NAT gateway affect routing, not encryption between the ALB and the instances.

Option D is wrong because security groups control access but not encryption.

724
MCQhard

A SysOps administrator is investigating a failed CloudFormation stack creation. The describe-stack-events output shows that the stack creation failed with the reason 'Resource creation cancelled'. What is the most likely cause of this failure?

A.The stack template contains an invalid parameter value.
B.The IAM role used by CloudFormation does not have sufficient permissions to create the resources.
C.A WaitCondition resource did not receive the required signal within the specified timeout period.
D.A nested stack within the parent stack failed to create.
AnswerC

The event shows WaitCondition failed with timeout, which caused CloudFormation to cancel the stack creation.

Why this answer

Option C is correct because the WaitCondition timed out before receiving the required signal, causing CloudFormation to cancel the stack creation. Option A is incorrect because a parameter validation error would appear as a different reason. Option B is incorrect because there is no indication of missing IAM permissions.

Option D is incorrect because the stack creation was cancelled due to the wait condition timeout, not a nested stack failure.

725
MCQhard

A SysOps administrator is investigating a security incident where an unauthorized key pair was created. The CloudTrail lookup command output is shown. The administrator wants to find the source IP address of the 'admin' user who created the key pair. Which field in the 'CloudTrailEvent' JSON should the administrator examine?

A.requestParameters
B.userIdentity
C.sourceIPAddress
D.eventTime
AnswerC

Contains the source IP of the request.

Why this answer

Option C is correct because the source IP address is contained in the 'sourceIPAddress' field within the CloudTrail event JSON. Option B is wrong because 'userIdentity' contains information about the user, not the IP. Option D is wrong because 'eventTime' is the timestamp.

Option A is wrong because 'requestParameters' contains the parameters of the API call, not the IP.

726
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB) across three Availability Zones. Each AZ has one public and one private subnet. The EC2 instances are in the private subnets. The ALB is internet-facing. Recently, during a traffic spike, some users experienced intermittent timeouts. The SysOps administrator reviews the ALB access logs and finds that the timeouts correspond to periods when the target group had 'unhealthy' instances. The health check is configured to check a health endpoint on port 80 with a path of '/health'. The SysOps administrator checks the EC2 instances and finds that the health endpoint responds correctly. However, the health checks are failing intermittently. The administrator notices that the security group for the EC2 instances allows inbound traffic from the ALB's security group on port 80. The network ACL for the private subnets allows inbound HTTP and outbound ephemeral ports. What is the MOST likely cause of the health check failures?

A.The health check endpoint on the EC2 instances is not responding correctly.
B.The security group on the EC2 instances is blocking health check traffic from the ALB.
C.The ALB does not have cross-zone load balancing enabled.
D.The network ACL for the private subnets is blocking the return traffic from health checks.
AnswerD

NACL must allow inbound ephemeral ports for health check responses.

Why this answer

Option D is correct. The NACL is stateless and must allow inbound ephemeral ports for the return traffic from health checks. The current NACL allows inbound HTTP (port 80) but does not explicitly allow inbound ephemeral ports (1024-65535) from the ALB's IP range.

This causes the health check responses to be dropped. Option B is wrong because the security group is configured correctly. Option A is wrong because the health endpoint works when tested locally.

Option C is wrong because cross-zone load balancing does not affect health checks.

727
MCQeasy

A SysOps administrator wants to deploy a new version of an application to an existing Auto Scaling group of Amazon EC2 instances. The deployment must minimize disruption by launching new instances, performing health checks, and shifting traffic to the new instances before terminating the old ones. Which AWS CodeDeploy deployment configuration should the administrator choose?

A.Blue/green
B.Rolling
C.AllAtOnce
D.Canary
AnswerA

Blue/green deployments create a new set of instances, shift traffic to them after health checks, and then tear down the old ones, providing minimal disruption and easy rollback.

Why this answer

The blue/green deployment configuration in AWS CodeDeploy is designed to minimize disruption by provisioning a new set of instances (green environment), performing health checks against them, and then shifting traffic from the old instances (blue environment) to the new ones before terminating the old instances. This matches the requirement of launching new instances, health-checking, and shifting traffic before termination, which is not possible with in-place deployment types like rolling or all-at-once.

Exam trap

The trap here is that candidates often confuse 'rolling' with 'blue/green' because both involve gradual updates, but rolling updates modify the existing Auto Scaling group in-place without creating a separate environment or shifting traffic before termination.

How to eliminate wrong answers

Option B (Rolling) is wrong because it performs an in-place update by gradually replacing instances within the existing Auto Scaling group without creating a separate environment, so traffic is not shifted before termination and health checks occur on the same instances. Option C (AllAtOnce) is wrong because it deploys to all instances simultaneously in-place, causing full downtime or disruption during the update. Option D (Canary) is wrong because it is a traffic-shifting pattern used in AWS CodeDeploy for Lambda or ECS deployments, not for EC2 Auto Scaling groups, and it does not launch new instances in a separate environment.

728
Multi-Selectmedium

A company is running a production web application on EC2 instances behind an Application Load Balancer. The company wants to optimize costs without sacrificing performance. Which TWO actions should the SysOps administrator take?

Select 2 answers
A.Purchase Reserved Instances for the baseline capacity.
B.Use Dedicated Hosts for all instances to control placement.
C.Implement Auto Scaling to match capacity with demand.
D.Enable T2/T3 unlimited to handle spikes without throttling.
E.Use multiple instance types in each Availability Zone.
AnswersA, C

Correct: Reserved Instances offer up to 72% discount for steady-state usage.

Why this answer

Option A (Reserved Instances) provides a significant discount for steady-state workloads, and Option C (Auto Scaling) ensures capacity matches demand, preventing over-provisioning. Option B (Dedicated Hosts) is more expensive and unnecessary. Option D (T3 unlimited) could cause unexpected costs if credits exhausted.

Option E (Multiple instance types per AZ) is not a cost optimization.

729
MCQeasy

A company needs to resolve DNS names for on-premises servers from AWS. They have set up a DHCP options set with the on-premises DNS server IP. Which additional step is required?

A.Create a VPC peering connection and use the on-premises DNS IP as the DHCP option set.
B.Configure Route 53 Resolver outbound endpoint to forward queries to on-premises DNS.
C.Create a VPC peering connection to the on-premises network.
D.Configure Route 53 Resolver inbound endpoint to forward DNS queries from on-premises to AWS.
AnswerD

Inbound endpoint allows on-premises DNS to forward queries.

Why this answer

Option D is correct because the scenario requires resolving DNS names for on-premises servers from AWS. A Route 53 Resolver inbound endpoint allows on-premises DNS servers to forward queries to AWS, enabling resolution of AWS-hosted DNS names from on-premises. The DHCP options set already provides the on-premises DNS server IP to AWS resources, but the missing step is the reverse path: allowing on-premises to query AWS DNS, which the inbound endpoint facilitates.

Exam trap

The trap here is confusing the direction of DNS resolution; candidates often pick the outbound endpoint (Option B) thinking it forwards queries to on-premises, but the requirement is to resolve on-premises names from AWS, which actually requires an inbound endpoint to allow on-premises DNS to query AWS.

How to eliminate wrong answers

Option A is wrong because a VPC peering connection does not inherently forward DNS queries; it only enables network connectivity between VPCs, and using the on-premises DNS IP as a DHCP option set is already done. Option B is wrong because a Route 53 Resolver outbound endpoint forwards queries from AWS to on-premises, which is the opposite direction needed; the requirement is to resolve on-premises DNS names from AWS, not the other way. Option C is wrong because a VPC peering connection cannot be established to an on-premises network; VPC peering is only between VPCs, not between a VPC and an on-premises data center.

730
MCQeasy

A production RDS MySQL database stores financial records. The team needs the ability to restore the database to any point within the last 7 days in case of accidental data deletion. Automated backups are currently disabled. What must be configured?

A.Enable automated backups and set the backup retention period to 7 days
B.Create a manual DB snapshot every night using the AWS CLI on a schedule
C.Enable Multi-AZ to maintain a synchronous standby replica in a second Availability Zone
D.Enable RDS read replicas and promote one if data deletion occurs
AnswerA

Automated backups with a 7-day retention period keep daily snapshots and transaction logs for 7 days. Any point within the retention window is recoverable. Transaction logs allow recovery to any 5-minute interval within that window. Setting the period to 0 disables automated backups and PITR entirely.

Why this answer

To restore an RDS MySQL database to any point within the last 7 days, you must enable automated backups and set the backup retention period to 7 days. Automated backups enable point-in-time recovery (PITR), which allows restoration to any second within the retention window using binary logs. Without automated backups, RDS cannot perform PITR, even if manual snapshots exist.

Exam trap

The trap here is that candidates often confuse manual snapshots with automated backups, not realizing that only automated backups enable point-in-time recovery, while manual snapshots are static and cannot be used for granular restoration.

How to eliminate wrong answers

Option B is wrong because manual DB snapshots capture only a single point in time and do not provide the continuous binary log data needed for point-in-time recovery to any arbitrary moment within 7 days. Option C is wrong because Multi-AZ provides high availability and automatic failover, but it does not create backups or enable point-in-time recovery; it only maintains a synchronous standby replica. Option D is wrong because RDS read replicas are designed for read scaling and, while they can be promoted to a standalone instance, they do not provide point-in-time recovery capabilities and rely on the same backup configuration as the source instance.

731
MCQeasy

A SysOps administrator needs to ensure that data in an S3 bucket is encrypted at rest. The bucket already has server-side encryption with S3 managed keys (SSE-S3) enabled. Which additional step is required to enforce encryption for all objects?

A.Add a bucket policy that denies PutObject without encryption.
B.Enable CloudTrail to log unencrypted uploads.
C.Enable default encryption on the bucket.
D.Enable versioning on the bucket.
AnswerA

Enforces encryption at upload time.

Why this answer

Option A is correct because a bucket policy can deny PutObject requests that lack the x-amz-server-side-encryption header. Option C is wrong because default encryption (SSE-S3) is already enabled. Option B is wrong because CloudTrail logs requests but does not enforce encryption.

Option D is wrong because versioning does not enforce encryption.

732
MCQeasy

Refer to the exhibit. A SysOps Administrator runs the above command and sees that an EC2 instance is unhealthy. The health check is configured to check the HTTP endpoint '/health' on port 80. The instance's security group allows inbound HTTP traffic from the ALB's security group. What is the MOST likely cause?

A.The instance is not associated with the target group.
B.The application on the instance is not configured to respond to the '/health' path.
C.The target group is configured to use port 8080 instead of port 80.
D.The security group on the instance does not allow inbound traffic from the ALB.
AnswerB

The health check is hitting '/health' but the application may not have that endpoint, causing a non-200 response.

Why this answer

Option B is correct because the health check path is '/health', but the application might not have that endpoint. Option D is wrong because the security group allows inbound traffic from the ALB. Option C is wrong because the target group is configured with port 80.

Option A is wrong because the instance appears in the command output as a registered (unhealthy) target, so it is associated with the target group.

733
Multi-Selecthard

A company has a VPC with public and private subnets in two Availability Zones. The private subnets need outbound internet access for EC2 instances to download updates. Which THREE components are required to achieve this? (Choose three.)

Select 3 answers
A.Route table in the private subnets with a default route pointing to the NAT Gateway
B.Internet Gateway attached to the VPC
C.Egress-only Internet Gateway
D.NAT Gateway in a public subnet
E.AWS Site-to-Site VPN connection
AnswersA, B, D

This routes outbound traffic to the NAT Gateway.

Why this answer

Option A is correct because a route table associated with private subnets must have a default route (0.0.0.0/0) pointing to a NAT Gateway to direct outbound internet traffic from EC2 instances through the NAT device. This allows instances in private subnets to initiate outbound connections to the internet (e.g., for software updates) while preventing unsolicited inbound connections from the internet.

Exam trap

The trap here is that candidates often confuse the Egress-Only Internet Gateway (IPv6 only) with the NAT Gateway (IPv4) or think a VPN connection can provide internet access, when in fact a NAT Gateway in a public subnet plus an Internet Gateway are required for IPv4 outbound connectivity from private subnets.

734
Multi-Selectmedium

A SysOps administrator is deploying a critical application using AWS CloudFormation. The stack must be updated frequently. Which TWO strategies should the administrator use to minimize the risk of update failures? (Choose TWO.)

Select 2 answers
A.Use change sets to review the impact of changes before applying them.
B.Disable rollback on failure to avoid stack deletion.
C.Always use the AWS CLI to perform updates instead of the console.
D.Manually approve each resource update through the console.
E.Use a stack policy to protect critical resources from accidental updates.
AnswersA, E

Change sets allow you to preview changes and avoid unintended modifications.

Why this answer

Stack policies and change sets help manage updates safely. Options A and E are correct. Option B is wrong because disabling rollback on failure is risky; it leaves the stack in a failed state.

Option C is wrong because using the AWS CLI does not inherently reduce risk. Option D is wrong because manual approval of each resource update is not a feature of CloudFormation directly.

735
MCQeasy

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon EC2 instance and an associated security group. The stack creation fails with the error: 'Resource creation cancelled' after the security group is created but before the instance is launched. What is the MOST likely cause?

A.The security group failed to create.
B.The stack was manually deleted during creation.
C.The EC2 instance resource configuration has an error.
D.The stack's rollback trigger was not configured.
AnswerC

The instance likely has a misconfiguration causing creation cancellation.

Why this answer

Option C is correct because CloudFormation typically creates resources in parallel, but if one resource fails, it cancels the others. The error indicates a dependency issue or a misconfiguration in the instance resource. Option A is wrong because the security group was created successfully.

Option B is wrong because the stack was not deleted. Option D is wrong because AWS CloudFormation does not require a rollback trigger for a failed resource creation; it automatically rolls back.

736
MCQmedium

A company runs a production Amazon RDS for MySQL DB instance in a single Availability Zone. The SysOps administrator needs to improve database availability to ensure automatic failover if the primary instance fails. Which configuration should the administrator enable?

A.Create a Read Replica in another Availability Zone and promote it on failure.
B.Enable Multi-AZ deployment on the DB instance.
C.Take hourly snapshots and automate restoration in another AZ.
D.Use Amazon RDS Proxy to manage connection failover.
AnswerB

Multi-AZ provides automatic synchronous replication and automatic failover to a standby in another AZ with minimal downtime.

Why this answer

Enabling Multi-AZ deployment on the DB instance automatically provisions and maintains a synchronous standby replica in a different Availability Zone. If the primary instance fails, Amazon RDS automatically fails over to the standby, providing high availability without manual intervention. This is the native AWS solution for automatic failover for RDS MySQL.

Exam trap

The trap here is that candidates often confuse Read Replicas (asynchronous, for read scaling) with Multi-AZ (synchronous, for high availability), assuming promoting a Read Replica provides the same automatic failover guarantee.

How to eliminate wrong answers

Option A is wrong because creating a Read Replica and promoting it on failure is a manual process that introduces downtime and does not provide automatic failover; Read Replicas are designed for read scaling, not synchronous high availability. Option C is wrong because taking hourly snapshots and automating restoration in another AZ would result in significant data loss (up to one hour) and long recovery times, not automatic failover. Option D is wrong because Amazon RDS Proxy manages database connections and connection pooling, but it does not provide automatic failover of the database instance itself; it can work with Multi-AZ but is not a substitute for it.

737
MCQhard

An organization uses AWS KMS to encrypt data in S3. A SysOps administrator needs to ensure that KMS keys cannot be deleted accidentally. What is the MOST effective way to protect against accidental key deletion?

A.Disable the KMS key so it cannot be used but can still be deleted.
B.Create a backup of the KMS key in another AWS Region.
C.Use a service control policy (SCP) to deny the kms:ScheduleKeyDeletion action.
D.Set a high waiting period (e.g., 30 days) for key deletion and require multi-factor authentication (MFA) for the deletion.
AnswerD

The waiting period and MFA provide a safety window and additional authorization.

Why this answer

Option D is correct because scheduling a KMS key for deletion enforces a waiting period (customizable) during which the key is disabled and the deletion can still be canceled; requiring MFA for the deletion adds a further authorization step. Option A is wrong because disabling the key does not prevent deletion; the key can still be scheduled for deletion. Option C is wrong because SCPs cannot prevent key deletion if the key is in the same account.

Option B is wrong because a backup of the key is not possible; KMS keys are not exportable.

738
Multi-Selecthard

A SysOps administrator is designing a solution to manage secrets (e.g., database credentials) for a multi-tier application running on EC2 instances. The solution must rotate secrets automatically and provide fine-grained access control. Which TWO services should be used together? (Choose TWO.)

Select 2 answers
A.AWS KMS
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Systems Manager Parameter Store
E.IAM roles for EC2
AnswersC, E

Secrets Manager supports automatic rotation.

Why this answer

Option C is correct: AWS Secrets Manager can rotate secrets automatically. Option E is correct: IAM roles for EC2 provide fine-grained access control without storing credentials on the instance. Option D is wrong because SSM Parameter Store can store secrets but does not support automatic rotation.

Option A is wrong because KMS encrypts but does not rotate application secrets. Option B is wrong because CloudHSM is a hardware security module, not a secret management service.

739
Multi-Selecthard

Which TWO configurations can improve the performance of an Amazon RDS for PostgreSQL database that is experiencing high read latency? (Choose TWO.)

Select 2 answers
A.Upgrade to a larger instance size.
B.Enable provisioned IOPS on the DB instance.
C.Create a read replica in the same AWS Region.
D.Enable Multi-AZ deployment.
E.Enable storage auto-scaling.
AnswersB, C

Provisioned IOPS provides consistent and low-latency I/O.

Why this answer

Option B is correct because enabling Provisioned IOPS on an Amazon RDS for PostgreSQL database provides consistent and predictable I/O performance, which directly reduces read latency by ensuring sufficient IOPS for read-intensive workloads. Option C is correct because creating a read replica offloads read traffic from the primary DB instance to the replica, reducing contention and improving read latency for the primary instance.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployment with read replicas, mistakenly thinking Multi-AZ improves read performance, when in fact the standby in Multi-AZ is not accessible for reads and only provides failover redundancy.

740
MCQhard

A company is using Amazon CloudFront with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible via CloudFront. The SysOps administrator has configured an Origin Access Identity (OAI) and updated the bucket policy to allow access only to the OAI. However, users are still able to access the S3 bucket directly via the S3 URL. What is the most likely reason?

A.The bucket policy does not include a condition to require the OAI.
B.The bucket policy allows public read access in addition to the OAI access.
C.The OAI is not properly associated with the CloudFront distribution.
D.The S3 bucket is configured as a static website.
AnswerB

If the bucket policy grants public read access (e.g., Principal: "*"), users can bypass CloudFront and access the bucket directly. The policy should only allow the OAI and deny all others.

Why this answer

The OAI restricts access to the bucket when it is reached through CloudFront, but if the bucket policy also allows public read access, users can still reach the bucket directly. The OAI grant must be the only means of access; the bucket policy must not allow any other principal. Option C is incorrect because the OAI is properly associated with the distribution.

Option D is incorrect because the bucket is not set to static website hosting. Option A is incorrect because the bucket policy does not need a condition if it allows nobody except the OAI.
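An added example (not part of the question bank) that checks a bucket policy document for the misconfiguration option B describes: an Allow statement granting object reads to any principal other than the CloudFront OAI. The policy, bucket name and OAI ARN are constructed samples.

```python
def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principals_of(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for vals in principal.values():  # e.g. {"AWS": "arn:..."} or {"AWS": ["..."]}
        out.extend(_as_list(vals))
    return out

def non_oai_read_grants(policy, oai_arn):
    """Return the Sids of Allow statements that grant s3:GetObject (or a
    wildcard covering it) to any principal other than the OAI.

    Limitation (deliberate, to stay short): partial action wildcards such as
    s3:Get* are not expanded; only exact s3:GetObject, s3:* and * are matched.
    """
    offenders = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("s3:*", "*", "s3:getobject") for a in actions):
            continue
        if any(p != oai_arn for p in principals_of(stmt)):
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders

# Constructed sample: the OAI grant exists, but a second statement still lets
# everyone ("*") read, which is the situation option B describes.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudFrontOAI", "Effect": "Allow",
         "Principal": {"AWS": OAI_ARN},
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
        {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
    ],
}

if __name__ == "__main__":
    print(non_oai_read_grants(SAMPLE_POLICY, OAI_ARN))  # ['LegacyPublicRead']
```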

741
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must use MFA. They create an SCP that denies all actions if the IAM user does not have MFA. However, the SCP does not apply to the root user. The SysOps administrator finds that some IAM users in member accounts are still able to access the console without MFA. What is the most likely reason?

A.The SCP is applied to an OU that does not contain the affected accounts.
B.The IAM user has a resource-based policy that allows access.
C.The SCP only applies to the root user, not IAM users.
D.The SCP is not inherited by child OUs.
AnswerA

SCP only applies to accounts in the OU.

Why this answer

Option A is correct. SCPs do not affect the management account, and the root user mentioned in the question is in the management account, but the question concerns IAM users in member accounts. For those users the explanation is that the SCP is attached to an OU that does not contain the affected accounts, so it simply does not apply to them.

Option D is wrong because SCPs are inherited by child OUs. Option B is wrong because SCPs are not overridden by resource-based policies. Option C is wrong because SCPs apply to all IAM users and roles in member accounts, not only to the root user.

742
MCQhard

A SysOps administrator is configuring an Application Load Balancer to route traffic to multiple target groups based on the URL path. The ALB is not routing traffic correctly. Which listener rule configuration should be used to route requests with path /api/* to target group A and all other requests to target group B?

A.Create a rule with a host header condition matching 'api.example.com' and forward to target group A, and a default rule forward to target group B.
B.Create one rule with a condition that matches /api/* and forward to target group A, and another condition in the same rule for /* to forward to target group B.
C.Create a rule with path pattern /api/* and forward to target group A with priority 10, and a default rule with path pattern /* and forward to target group B with priority 20.
D.Create two rules with path patterns /api/* and /*, and set priority based on the pattern length.
AnswerC

This ensures /api/* is matched first, and /* acts as a catch-all.

Why this answer

Option C is correct because ALB listener rules are evaluated in priority order; the rule with path pattern /api/* matches first, and a default (catch-all) rule is then needed for all other paths. Option D is incorrect because rule order is not automatically prioritized by pattern length. Option B is incorrect because a single rule cannot carry two path conditions that forward to different target groups.

Option A is incorrect because a host header condition matches on the hostname, not on the URL path.

743
MCQhard

A company uses AWS Global Accelerator to improve performance of a TCP application. Users in Asia report higher latency than users in Europe. The endpoints are all in us-east-1. What is the BEST solution?

A.Create a VPC peering connection between us-east-1 and an Asia region.
B.Add more endpoints in us-east-1 to distribute load.
C.Switch to Amazon CloudFront for the TCP application.
D.Deploy additional endpoints in an Asia region and configure Global Accelerator to route traffic to the closest endpoint.
AnswerD

Global Accelerator uses anycast IPs to route to nearest endpoint region.

Why this answer

Option D is correct because Global Accelerator can route traffic to endpoints in multiple Regions; adding endpoints in an Asia Region reduces latency for users there. Option C is wrong because CloudFront is for HTTP/HTTPS, not a generic TCP application. Option B is wrong because adding endpoints in us-east-1 does not shorten the path for users in Asia.

Option A is wrong because VPC peering does not change Global Accelerator routing.

744
MCQhard

An application running on EC2 instances behind an Application Load Balancer (ALB) sends custom metrics to CloudWatch. The team wants to set an alarm that triggers when the error rate exceeds 5% over a 5-minute period. The alarm must evaluate the metric every minute. Which configuration is required?

A.Period = 300 seconds, Statistic = Average, Evaluation Periods = 1, Datapoints to Alarm = 1
B.Period = 300 seconds, Statistic = Sum, Evaluation Periods = 1, Datapoints to Alarm = 1
C.Period = 60 seconds, Statistic = Average, Evaluation Periods = 5, Datapoints to Alarm = 5
D.Period = 60 seconds, Statistic = Sum, Evaluation Periods = 5, Datapoints to Alarm = 5
AnswerC

This checks that all 5 datapoints exceed 5% over 5 minutes.

Why this answer

Option C is correct because the alarm must evaluate the error rate every minute (period = 60 seconds) over a 5-minute window. With evaluation periods = 5 and datapoints to alarm = 5, the alarm requires all five 1-minute datapoints to exceed the 5% threshold, ensuring the error rate is sustained for the full 5-minute period. The Average statistic is appropriate because the error rate is a percentage metric that should be averaged over each period.

Exam trap

The trap here is that candidates often confuse 'period' with the total evaluation window, selecting period = 300 seconds (option A or B) thinking it covers the 5-minute window, but this fails the requirement to evaluate every minute, and they may also incorrectly choose Sum instead of Average for a percentage metric.

How to eliminate wrong answers

Option A is wrong because period = 300 seconds means the metric is evaluated only once every 5 minutes, not every minute as required, and evaluation periods = 1 would trigger the alarm on a single 5-minute datapoint, not a sustained condition. Option B is wrong because period = 300 seconds again fails the 1-minute evaluation requirement, and using Sum for a percentage metric would incorrectly aggregate error counts rather than averaging the rate. Option D is wrong because while period = 60 seconds and evaluation periods = 5 are correct, using Sum instead of Average would sum the error rate values across datapoints, which is meaningless for a percentage metric and would not correctly reflect the 5% threshold.
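An added example (not from the question bank) that simulates the "M out of N" alarm evaluation behind options A, B and C above on a constructed set of per-minute error-rate datapoints, so the difference between period, statistic and evaluation window becomes visible. The threshold and sample values are assumptions for illustration.

```python
from statistics import mean

# Constructed sample: one error-rate (%) datapoint per minute for 10 minutes.
ERROR_RATE_1MIN = [2.0, 3.0, 6.0, 7.0, 8.0, 9.0, 6.5, 7.5, 8.5, 1.0]
THRESHOLD = 5.0  # alarm when the error rate exceeds 5%

def aggregate(points, period_seconds, statistic):
    """Roll 1-minute samples up into CloudWatch periods.

    Every full period of `period_seconds` yields one aggregated datapoint
    using the requested statistic, which is what the alarm actually sees.
    A trailing partial period is dropped.
    """
    minutes = period_seconds // 60
    agg = {"Average": mean, "Sum": sum}[statistic]
    chunks = [points[i:i + minutes] for i in range(0, len(points), minutes)]
    return [agg(c) for c in chunks if len(c) == minutes]

def alarm_states(points, *, period, statistic, evaluation_periods, datapoints_to_alarm):
    """Return the alarm state after each aggregated datapoint.

    CloudWatch applies an "M out of N" rule: the alarm is in ALARM when at
    least `datapoints_to_alarm` (M) of the last `evaluation_periods` (N)
    datapoints breach the threshold.  Until N datapoints exist the state is
    reported here as INSUFFICIENT_DATA.
    """
    data = aggregate(points, period, statistic)
    states = []
    for i in range(len(data)):
        window = data[max(0, i + 1 - evaluation_periods):i + 1]
        if len(window) < evaluation_periods:
            states.append("INSUFFICIENT_DATA")
            continue
        breaching = sum(1 for v in window if v > THRESHOLD)
        states.append("ALARM" if breaching >= datapoints_to_alarm else "OK")
    return states

# The configurations from options A, B and C above.
OPTION_A = dict(period=300, statistic="Average", evaluation_periods=1, datapoints_to_alarm=1)
OPTION_B = dict(period=300, statistic="Sum", evaluation_periods=1, datapoints_to_alarm=1)
OPTION_C = dict(period=60, statistic="Average", evaluation_periods=5, datapoints_to_alarm=5)

if __name__ == "__main__":
    for name, cfg in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        # A and B yield only two datapoints in ten minutes; B's 26.0 and 32.5
        # are sums of percentages, not rates.  C alarms only once five
        # consecutive minutes all exceed 5%.
        print(name, aggregate(ERROR_RATE_1MIN, cfg["period"], cfg["statistic"]),
              alarm_states(ERROR_RATE_1MIN, **cfg))
```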

745
MCQhard

A company uses AWS CloudFormation with nested stacks. The parent stack creates a child stack that launches an Auto Scaling group. The child stack fails to create, and the parent stack rolls back. The administrator wants to debug the child stack. What is the most efficient way to view the child stack's events?

A.Navigate to the child stack in the AWS CloudFormation console and view its events.
B.Rerun the parent stack with a different name to see the child stack creation.
C.Check the CloudWatch Logs for the parent stack.
D.View the parent stack's events in the AWS Management Console.
AnswerA

The child stack persists after rollback and its events can be reviewed.

Why this answer

Option A is correct because the child stack's events are accessible through the AWS Management Console or CLI by selecting or specifying the child stack's name. Option D is wrong because the parent stack's events do not show detailed events for the child stack's resources. Option B is wrong because the child stack still exists after rollback (in a FAILED state), so rerunning is unnecessary.

Option C is wrong because CloudWatch Logs are not automatically configured for CloudFormation stacks.

746
MCQeasy

A company runs a web application on Amazon EC2 instances in a single Availability Zone. The SysOps administrator wants to increase the availability of the application so that it can survive an Availability Zone failure. Which action is the most effective?

A.Deploy an additional EC2 instance in the same Availability Zone.
B.Launch EC2 instances in two different Availability Zones and place them behind an Application Load Balancer.
C.Enable termination protection on all EC2 instances.
D.Use an Amazon RDS Multi-AZ deployment for the database tier.
AnswerB

Correct. Spreading instances across AZs with a load balancer ensures continued availability if one AZ becomes unavailable.

Why this answer

Option B is correct because deploying EC2 instances across two different Availability Zones and placing them behind an Application Load Balancer (ALB) provides fault isolation. If one AZ fails, the ALB automatically routes traffic to the healthy instances in the other AZ, ensuring the application remains available. This architecture directly addresses the goal of surviving an AZ failure by eliminating the single point of failure at the AZ level.

Exam trap

The trap here is that candidates often confuse high availability with fault tolerance at a single component level, mistakenly thinking that adding more instances in the same AZ or enabling termination protection improves availability, when in fact only distributing resources across multiple isolated Availability Zones can survive an AZ failure.

How to eliminate wrong answers

Option A is wrong because adding more instances in the same Availability Zone does not protect against an AZ failure; all instances would still be affected if that single AZ goes down. Option C is wrong because termination protection only prevents accidental deletion of instances, it does not provide any redundancy or fault tolerance for an AZ outage. Option D is wrong because while an Amazon RDS Multi-AZ deployment improves database availability, it does not address the availability of the web application tier running on EC2; the question asks for the most effective action to increase application availability, which requires a multi-AZ architecture for the compute layer.

747
MCQeasy

A SysOps administrator is automating the deployment of an application across multiple AWS accounts using AWS CodePipeline. The pipeline must deploy to different environments (dev, test, prod) sequentially. Which deployment approach should be used?

A.Use AWS CodeCommit repositories in each account and trigger builds.
B.Use AWS CLI scripts with cross-region replication.
C.Use separate CodePipeline stages with cross-account actions using IAM roles.
D.Create a single pipeline with all deployment stages in the same account.
AnswerC

Cross-account actions allow deployment to different accounts via assumed roles.

Why this answer

The correct answer is C because CodePipeline supports cross-account actions by assuming a role in the target account. Option D is incorrect because deploying every environment from a single account would be insecure. Option A is incorrect because CodeCommit is for source code, not deployment targets.

Option B is incorrect because cross-region replication is an S3 feature, not a deployment mechanism.

748
MCQeasy

Refer to the exhibit. An IAM policy is attached to an IAM user. Which action can the user perform?

A.Start an EC2 instance.
B.Describe EC2 instances.
C.Stop an EC2 instance.
D.Terminate an EC2 instance.
AnswerC

StopInstances is explicitly allowed and not denied.

Why this answer

Option C is correct because the IAM policy allows ec2:StopInstances and does not deny it. The explicit denial covers only ec2:TerminateInstances. Option A is wrong because StartInstances is not allowed by the policy.

Option B is wrong because Describe* actions are not allowed by the policy. Option D is wrong because TerminateInstances is explicitly denied.

749
Drag & Dropmedium

Drag and drop the steps to configure an Amazon Route 53 failover routing policy into the correct order.


Why this order

Create health checks first, then create primary and secondary records with failover types, then test.

750
MCQmedium

A company is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to maintain user session state. Which configuration ensures session stickiness with minimal performance impact?

A.Use Amazon CloudFront with origin stickiness enabled.
B.Use a Network Load Balancer (NLB) with target group stickiness.
C.Enable sticky sessions on the Application Load Balancer using a load balancer-generated cookie.
D.Store session state in Amazon DynamoDB and have each instance read from DynamoDB.
AnswerC

ALB sticky sessions with a generated cookie are designed for this purpose and have minimal overhead.

Why this answer

Option C is correct because ALB sticky sessions use a load balancer-generated cookie to bind a user's session to a specific target, which is the simplest and most efficient method. Option B is incorrect because an NLB does not natively support cookie-based sticky sessions. Option D is incorrect because DynamoDB would add latency and complexity.

Option A is incorrect because CloudFront is for content delivery, not session stickiness.
