AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 751-825

1546 questions total · 21 pages · All types, answers revealed

Page 11 of 21
751 · MCQ · medium

An application running on an EC2 instance is unable to connect to an Amazon RDS database in the same VPC. The security groups allow traffic from the EC2 instance. What is the most likely cause?

A. The IAM role attached to the EC2 instance does not have permissions to access RDS.
B. VPC Flow Logs are not enabled.
C. The route table does not have a route to the RDS subnet.
D. The network ACL is blocking the traffic.
Answer: C

Without a route to the destination subnet, packets never reach the database, whatever the security groups allow.

Why this answer

Option C is the listed answer: routing is evaluated before security groups, so a subnet with no route to the database's subnet cannot deliver the packets at all. Option A is wrong because IAM permissions govern API calls such as DescribeDBInstances, not the TCP connection to port 3306 or 5432; the only IAM involvement in a connection is RDS IAM database authentication, which fails with an authentication error after the network connection has been established. Option B is wrong because VPC Flow Logs record traffic metadata for diagnosis; their absence does not break connectivity (enabling them is, however, how you would see the REJECT records that confirm a filtering problem). Option D is marked wrong by the key, but it deserves the first look in practice: network ACLs are stateless, so the database subnet's inbound rule for the database port and its outbound rule for the ephemeral return ports (1024-65535) both have to allow the traffic, and a default-deny custom ACL breaks connections even when the security groups are correct.

Practitioner caveat: every VPC route table contains a `local` route for the whole VPC CIDR that cannot be removed, so two subnets in the same VPC always have a route to each other. With security groups already verified, a failure between them is far more likely to be a network ACL (option D) than a missing route; check `aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=<db-subnet-id>` before anything else.

752 · MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer. The instances are in an Auto Scaling group across three Availability Zones. To improve reliability, the company wants to ensure that if an entire Availability Zone fails, the application remains available. Which configuration should be implemented?

A. Remove the load balancer and use Route 53 weighted routing to distribute traffic.
B. Launch all instances in a single Availability Zone to reduce latency.
C. Configure the Auto Scaling group to launch instances in three Availability Zones.
D. Use a Network Load Balancer instead of an Application Load Balancer.
Answer: C

Distributing the group across multiple Availability Zones keeps the application serving if one zone fails.

Why this answer

Option C is correct because an Auto Scaling group that spans three Availability Zones keeps launching and serving from the remaining zones when one fails, and the ALB, which is enabled in the same zones, stops routing to the lost zone's targets as their health checks fail. Option A is wrong because removing the load balancer removes the component that performs health checks and spreads traffic across zones; Route 53 weighted records shift DNS answers, not live connections, and are subject to client-side DNS caching. Option B is wrong because a single Availability Zone is exactly the failure the company wants to survive. Option D is wrong because switching to a Network Load Balancer does not change zone resilience; both ALB and NLB are multi-AZ when the zones are enabled on them.

Practitioner check: set the group's desired and minimum capacity so that losing one of three zones still leaves enough instances (provision 3/2 of the capacity you need, spread over three zones), and confirm with `aws autoscaling describe-auto-scaling-groups` that `AvailabilityZones` lists all three.

753 · MCQ · hard

A SysOps administrator receives an alert that a VPN connection between a VPC and an on-premises network is down. The VPN uses static routing. After verifying the on-premises side is functioning, what should the administrator check in AWS?

A. Check the BGP session status.
B. Reboot the virtual private gateway.
C. Ensure the route table has a route to the virtual private gateway.
D. Verify that the customer gateway device is configured with the correct IP address.
Answer: D

The customer gateway resource must carry the public IP address of the on-premises device, or the tunnel never negotiates.

Why this answer

A statically routed VPN has no BGP session, so option A does not apply. Option B is wrong because a virtual private gateway is a managed endpoint that cannot be rebooted; only the on-premises customer gateway device can be restarted. Option C affects whether traffic flows once a tunnel is up, but the alert says the connection itself is down, so a missing route is not the cause of a down tunnel. Option D is correct: the customer gateway resource in AWS must hold the public IP address of the on-premises device; if it does not match the address the device actually uses, IKE negotiation never completes and both tunnels stay DOWN. Check tunnel state with `aws ec2 describe-vpn-connections`, whose `VgwTelemetry` entries show each tunnel's `Status` and `StatusMessage`, and compare the `IpAddress` from `aws ec2 describe-customer-gateways` with the device's real public address. For a static VPN the tunnel status is the primary signal; BGP status matters only for dynamically routed connections.

754 · Multi-Select · hard

A company uses AWS OpsWorks to manage a stack of application servers. The administrator needs to automate the deployment of a new application version. Which of the following are valid methods to trigger a deployment in OpsWorks? (Choose THREE.)

Select 3 answers
A. Configure an Amazon SNS topic to trigger the deployment.
B. Use AWS CodePipeline to directly deploy to OpsWorks.
C. Use OpsWorks lifecycle events like 'Deploy' to run recipes.
D. Use the OpsWorks console to manually start a deployment.
E. Use the AWS CLI to run the create-deployment command.
Answers: C, D, E

Lifecycle events run the Deploy recipes automatically whenever an instance comes online.

Why this answer

Options C, D, and E are correct: OpsWorks Stacks runs the Deploy lifecycle recipes when an instance boots and when a deployment is issued, a deployment can be started from the console, and `aws opsworks create-deployment` with the `deploy` command starts one from the CLI or from any script that calls the API. Option A is wrong because an SNS topic has no OpsWorks integration of its own; it would only trigger a deployment if a subscriber, such as a Lambda function, called the OpsWorks API. Option B is marked wrong by the key on the grounds that there is no direct integration; note, however, that AWS CodePipeline does offer AWS OpsWorks Stacks as a deploy action provider, so treat that reasoning with caution if a similar option appears elsewhere.

755 · MCQ · medium

A SysOps administrator manages an application that runs on Amazon EC2 instances and stores critical data in Amazon Elastic Block Store (EBS) volumes. The administrator needs to monitor the EBS volumes for any performance bottlenecks. The key metric of interest is the average number of I/O operations per second (IOPS) that are waiting to be completed. Which Amazon CloudWatch metric should the administrator examine?

A.VolumeQueueLength
B.VolumeReadOps
C.VolumeIdleTime
D.VolumeTotalReadTime
Answer: A

This metric shows the number of pending I/O operations waiting to be serviced. A high value indicates a bottleneck.

Why this answer

The VolumeQueueLength metric measures the number of pending I/O requests waiting to be serviced by an EBS volume. A high value indicates that the volume is unable to keep up with the I/O demand, which is the direct indicator of a performance bottleneck related to IOPS waiting. This makes it the correct metric for the administrator's stated goal.

Exam trap

The trap here is that candidates confuse 'operations waiting' (VolumeQueueLength) with 'operations completed' (VolumeReadOps/VolumeWriteOps), assuming a high read count indicates a bottleneck when it actually indicates throughput.

How to eliminate wrong answers

Option B (VolumeReadOps) is wrong because it counts the total number of read I/O operations completed, not the number waiting; it measures throughput, not queue depth. Option C (VolumeIdleTime) is wrong because it indicates the time the volume had no pending I/O, which is the opposite of a bottleneck condition. Option D (VolumeTotalReadTime) is wrong because it aggregates the total time spent on read operations, not the number of operations waiting in the queue.

756 · Multi-Select · hard

A company uses AWS Organizations and wants to restrict the use of specific AWS services across all member accounts. Which TWO methods can be used to enforce these restrictions? (Choose TWO.)

Select 2 answers
A. Create IAM policies in each account that deny the service actions and attach them to all IAM users and roles.
B. Use AWS Config rules to automatically disable non-compliant services.
C. Use AWS Service Catalog to block the use of disallowed services.
D. Attach a service control policy to the root organizational unit that denies the service actions.
E. Configure VPC endpoints to block traffic to the disallowed services.
Answers: A, D

An SCP denies the actions for every principal in the accounts it covers; IAM deny policies work too, but only if applied to every principal in every account.

Why this answer

Option D is correct because a service control policy attached at the root (or the top-level OU) bounds the permissions of every principal in every member account, and an explicit Deny in it cannot be overridden by any IAM policy inside the account. Option A is also correct in the sense that an explicit Deny in an IAM policy blocks the actions, but it has to be attached consistently to every user and role in every account and can be removed by an account administrator, which is why the SCP is the preferred control. Option B is wrong because AWS Config rules detect non-compliance; they do not block API calls (automatic remediation reacts after the fact, which is detection and response, not prevention). Option C is wrong because Service Catalog governs what users can provision from its portfolios; it does not restrict direct use of a service's API. Option E is wrong because VPC endpoints control network paths to services, not whether a principal is authorized to call them; a principal can still reach the service's public endpoint from another network.

Practitioner caveats: SCPs require the organization's "all features" mode, they never restrict the management account, and they grant nothing on their own; an IAM policy in the account must still allow an action before it is permitted.

757 · Multi-Select · medium

Which TWO actions can a SysOps administrator take to improve the availability of a web application using an Application Load Balancer (ALB) and EC2 instances? (Choose two.)

Select 2 answers
A. Place all instances in a single subnet to reduce latency
B. Configure health checks on the target group
C. Deploy EC2 instances in multiple Availability Zones
D. Use larger instance types to handle more traffic
E. Increase the deregistration delay (connection draining) timeout
Answers: B, C

Health checks let the ALB stop sending traffic to unhealthy targets; multiple Availability Zones remove the zone as a single point of failure.

Why this answer

Options B and C are correct: health checks on the target group let the ALB route only to healthy targets, and instances in multiple Availability Zones keep the application up if one zone fails. Option A is wrong because a single subnet sits in a single Availability Zone and is therefore a single point of failure. Option D is wrong because larger instance types add capacity and performance, not availability. Option E is wrong because the deregistration delay only controls how long in-flight requests may finish when a target is removed; it does not affect whether the application stays reachable.

758 · Multi-Select · hard

An application writes logs to an S3 bucket. The logs are accessed frequently for the first 30 days, then rarely after that, but must be retained for 7 years. Which THREE steps should be taken to optimize cost? (Choose three.)

Select 3 answers
A. Use an S3 Lifecycle policy to transition objects to S3 Glacier Deep Archive after 90 days.
B. Use an S3 Lifecycle policy to transition objects to S3 Standard-IA after 30 days.
C. Delete logs older than 30 days.
D. Set an S3 Lifecycle policy to expire objects after 7 years.
E. Use S3 Intelligent-Tiering to automatically optimize costs.
Answers: A, B, D

Standard-IA covers the rarely read middle period, Deep Archive is the cheapest class for long-term retention, and expiration stops paying for the objects once the 7 years are up.

Why this answer

Options A, B, and D are correct. One S3 Lifecycle rule transitions objects to S3 Standard-IA after the 30 days of frequent access, moves them to S3 Glacier Deep Archive after 90 days for the rest of the retention period, and expires them after 7 years so storage is not paid for beyond the requirement. Option C is wrong because deleting logs after 30 days violates the 7-year retention requirement. Option E is wrong because Intelligent-Tiering adds a per-object monitoring charge and is meant for access patterns that are unknown or change; here the pattern is known, so explicit transitions are cheaper.

Practitioner caveats: Standard-IA has a 30-day minimum storage charge and a per-GB retrieval fee, and Deep Archive has a 180-day minimum with restores that take hours (up to 12 hours for a standard retrieval), so an investigation that needs old logs must plan for the delay. Lifecycle expiration is a cost control, not a retention control: anyone with delete permission can still remove the logs early. If the 7 years must be enforceable, enable S3 Object Lock on the bucket as well.
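The three lifecycle steps in the answer, as an added example that is not part of the question bank: it builds the rule in the dict form that boto3's put_bucket_lifecycle_configuration (or `aws s3api put-bucket-lifecycle-configuration`) expects and checks it against S3's own ordering constraints before it is applied. The prefix and rule ID are placeholders.

```python
# Added example (not from the question bank): build the lifecycle rule the answer
# describes and validate it the way S3 would before applying it. Prefix and rule ID
# are placeholders.

# Waterfall order S3 enforces for lifecycle transitions: an object may only move to
# a class that appears later in this list than the one it is in.
STORAGE_CLASS_ORDER = [
    "STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
    "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE",
]
# S3 rejects transitions into these classes earlier than 30 days after creation.
MIN_DAYS_BEFORE = {"STANDARD_IA": 30, "ONEZONE_IA": 30}


def log_retention_rule(prefix="logs/", ia_days=30, deep_archive_days=90, retain_years=7):
    """Rule for the scenario: hot for 30 days, then IA, then Deep Archive, expire at 7 years."""
    return {
        "ID": "logs-tier-then-expire",  # placeholder rule name
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": ia_days, "StorageClass": "STANDARD_IA"},
            {"Days": deep_archive_days, "StorageClass": "DEEP_ARCHIVE"},
        ],
        "Expiration": {"Days": retain_years * 365},
        # Abandoned multipart uploads are billed until removed; this costs nothing to add.
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }


def validate_rule(rule):
    """Return the reasons S3 would reject the rule; an empty list means it is acceptable."""
    problems = []
    last_days, last_rank = -1, -1
    for t in rule.get("Transitions", []):
        cls, days = t["StorageClass"], t["Days"]
        rank = STORAGE_CLASS_ORDER.index(cls)
        if days < MIN_DAYS_BEFORE.get(cls, 0):
            problems.append(f"{cls} transition needs at least {MIN_DAYS_BEFORE[cls]} days, got {days}")
        if days <= last_days:
            problems.append(f"{cls} transition at day {days} must be later than the previous transition")
        if rank <= last_rank:
            problems.append(f"{cls} cannot follow {STORAGE_CLASS_ORDER[last_rank]} in a transition chain")
        last_days, last_rank = days, rank
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and expiry <= last_days:
        problems.append("Expiration must be later than the last transition")
    return problems


def storage_class_on_day(rule, age_days):
    """Storage class of an object of the given age under the rule, or None once expired.
    (S3 applies each action at the next midnight UTC after the threshold; this is the
    steady-state view, good enough for cost planning.)"""
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and age_days >= expiry:
        return None
    cls = "STANDARD"
    for t in rule["Transitions"]:
        if age_days >= t["Days"]:
            cls = t["StorageClass"]
    return cls


def lifecycle_configuration(rule=None):
    """Body for put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...)."""
    return {"Rules": [rule or log_retention_rule()]}


if __name__ == "__main__":
    rule = log_retention_rule()
    print("problems:", validate_rule(rule))
    for day in (1, 30, 90, 7 * 365):
        print(day, storage_class_on_day(rule, day))
```

Run validate_rule before every change to a bucket's lifecycle: S3 returns a terse InvalidArgument for an out-of-order chain, and a rule that is silently rejected means the logs stay in Standard and the 7-year cost estimate is wrong from day one.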

759 · MCQ · medium

A company runs a web application on two EC2 instances in different Availability Zones, each with an Elastic IP address. The SysOps administrator needs to automatically route traffic to the healthy instance and fail over if one instance becomes unhealthy. The application must be accessible via a single DNS name. Which Route 53 routing policy should be used?

A.Weighted routing policy
B.Failover routing policy
C.Geolocation routing policy
D.Simple routing policy
Answer: B

Failover routing policy allows you to configure active-passive failover with health checks, automatically routing traffic to the healthy instance.

Why this answer

The failover routing policy in Amazon Route 53 is designed to route traffic from a primary resource to a secondary resource when the primary becomes unhealthy. In this scenario, the two EC2 instances in different Availability Zones act as primary and secondary endpoints, and Route 53 uses health checks to monitor the primary instance. If the health check fails, Route 53 automatically fails over to the secondary instance, ensuring the application remains accessible via a single DNS name.

Exam trap

The trap here is that candidates often confuse failover routing with weighted routing, assuming weights can be used for active-passive failover, but weighted routing does not automatically remove unhealthy endpoints without additional scripting or Route 53 health check integration.

How to eliminate wrong answers

Option A is wrong because the weighted routing policy distributes traffic across multiple resources based on assigned weights, but it does not provide automatic failover when an instance becomes unhealthy; it requires manual intervention or additional automation to remove unhealthy endpoints. Option C is wrong because the geolocation routing policy routes traffic based on the geographic location of the user, not based on the health of the resources, and it does not support automatic failover between instances in different Availability Zones. Option D is wrong because the simple routing policy routes traffic to a single resource (e.g., one IP address) and does not support health checks or failover to a secondary resource; it cannot automatically switch traffic if the instance becomes unhealthy.

760 · Multi-Select · medium

Which TWO actions can be taken to secure an S3 bucket that contains sensitive data? (Choose two.)

Select 2 answers
A. Enable versioning on the bucket
B. Add a bucket policy that allows only HTTPS requests
C. Enable default encryption for the bucket
D. Enable AWS CloudTrail for the bucket
E. Block all public access at the account level
Answers: C, E

Default encryption protects the data at rest; blocking public access at the account level prevents any bucket policy or ACL from exposing it.

Why this answer

Options C and E are correct. Block Public Access at the account level overrides any bucket policy or ACL that would grant public access, for every bucket in the account, and default encryption ensures every new object is encrypted at rest (SSE-S3 is now applied by default; choosing SSE-KMS with a customer managed key adds a second authorization check through the key policy). Option A is wrong because versioning protects against accidental deletion and overwrite; it does not limit who can read the data. Option B is treated by the key as less direct than C and E, which is the only reason it is not selected; a bucket policy that denies requests where `aws:SecureTransport` is `false` is a standard hardening step for sensitive data and should be applied as well. Option D is wrong because CloudTrail records access after the fact; it detects misuse rather than preventing it.

761 · MCQ · medium

A SysOps administrator is troubleshooting an issue where an EC2 instance running a web server is unreachable. The instance passes status checks and is in a healthy state. Security groups and network ACLs are configured correctly. CloudWatch metrics show CPU utilization is 5%. The administrator can SSH into the instance but cannot connect to the web server on port 443. What is the most likely cause?

A.The security group inbound rule for HTTPS is misconfigured.
B.The instance has an incorrect route table entry.
C.The web server service is not running or crashed.
D.The instance has insufficient CPU credits.
Answer: C

The application may have failed to start after boot or crashed, which would not be detected by EC2 status checks.

Why this answer

The instance passes both status checks and is healthy, and the administrator can SSH into it, confirming that the operating system and network stack are functional. Since the web server is unreachable on port 443 despite correct security group and network ACL configurations, and CPU utilization is low (5%), the most likely cause is that the web server service (e.g., Apache, Nginx) has stopped or crashed. This would leave nothing listening on port 443, even though the underlying infrastructure is sound. On the instance, `sudo ss -ltnp | grep ':443'` shows whether any process is listening on 443 and which one; `systemctl status nginx` (or `httpd`) and `journalctl -u nginx` show why it stopped, and a service that never started after boot usually points to a failed unit or a certificate or configuration error logged there.

Exam trap

The trap here is that candidates often assume a reachability issue must be a network configuration problem (security group or route table), but the combination of successful SSH and failed HTTPS on a low-CPU, healthy instance points directly to the application service not running.

How to eliminate wrong answers

Option A is wrong because the security group inbound rule for HTTPS is explicitly stated to be configured correctly, and SSH (port 22) works, indicating no network-level filtering issue. Option B is wrong because an incorrect route table entry would affect all traffic to/from the instance, not just port 443, and SSH connectivity would also fail. Option D is wrong because CPU utilization is only 5%, which is well below the threshold for credit exhaustion, and the instance passes status checks, ruling out a performance-based bottleneck.

762 · MCQ · easy

A SysOps administrator needs to track changes to IAM policies in the AWS account for auditing purposes. Which service should be used?

A.IAM Access Analyzer
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch
Answer: C

CloudTrail logs all API calls for auditing.

Why this answer

AWS CloudTrail is the correct service because it records API calls made to IAM, including changes to IAM policies (e.g., CreatePolicy, PutRolePolicy, AttachUserPolicy). These logs are stored in a CloudTrail trail and can be delivered to Amazon S3 for long-term auditing. CloudTrail is specifically designed for auditing API activity, making it the appropriate choice for tracking policy modifications.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration changes) with CloudTrail (which tracks API calls), leading them to choose Config for auditing IAM policy changes when Config only records the resulting state, not the action that caused it.

How to eliminate wrong answers

Option A is wrong because IAM Access Analyzer analyzes resource-based policies to identify unintended public or cross-account access, but it does not track changes to IAM policies over time. Option B is wrong because AWS Config evaluates resource configurations and compliance rules, but it does not record API-level changes to IAM policies; it tracks configuration state, not the history of policy modifications. Option D is wrong because Amazon CloudWatch monitors metrics and logs, but it is not designed to capture IAM API calls or policy changes; it can consume CloudTrail logs for alerting, but it is not the primary auditing service.

763 · Multi-Select · hard

A company runs a critical application on EC2 instances with EBS volumes. The SysOps administrator must ensure that EBS snapshots are taken every hour and retained for 7 days. Which THREE steps should be taken to achieve this? (Choose THREE.)

Select 3 answers
A. Create a CloudWatch Events rule to trigger a Lambda function that creates snapshots
B. Use AWS Backup to create a backup plan with hourly frequency
C. Create an IAM role for DLM with permissions to create and delete snapshots
D. Create a DLM lifecycle policy with a schedule for hourly snapshots and retention of 7 days
E. Tag the EBS volumes with a specific tag (e.g., Backup=true) to include them in the policy
Answers: C, D, E

DLM needs an IAM role, a schedule with a retention rule, and a tag that selects the volumes.

Why this answer

Options C, D, and E are correct. Amazon Data Lifecycle Manager (DLM) automates snapshot creation and retention: it runs as an IAM role that must be allowed to create, describe, tag and delete snapshots (the default role can be created with `aws dlm create-default-role`); the lifecycle policy's schedule sets the interval (DLM supports 1, 2, 3, 4, 6, 8, 12 or 24 hours, so hourly is valid) and the retention rule, expressed either as an age of 7 days or as a count of 168 snapshots; and the policy selects volumes by tag, so the volumes must carry the chosen tag (for example Backup=true). Option A is wrong because an EventBridge (formerly CloudWatch Events) rule invoking a custom Lambda function would work but means writing and maintaining snapshot and deletion code that DLM already provides. Option B is wrong for this question because AWS Backup is an alternative managed solution rather than a step in the DLM-based answer; it is a valid choice on its own when cross-account or multi-service backup plans are needed.

Practitioner caveat: EBS snapshots are crash-consistent. Applications that need a consistent point in time (databases in particular) should flush and pause writes before the snapshot runs, or use the engine's own backup mechanism instead.

764 · MCQ · easy

A SysOps administrator needs to deploy an application to a set of EC2 instances in an Auto Scaling group. The deployment must be performed in batches, with each batch health-checked before proceeding. Which AWS CodeDeploy deployment configuration should be used?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.AllAtOnce
C.CodeDeployDefault.HalfAtATime
D.CodeDeployDefault.Custom
Answer: A

OneAtATime deploys to one instance at a time, with health checks between each.

Why this answer

CodeDeploy ships predefined in-place deployment configurations: CodeDeployDefault.OneAtATime deploys to one instance at a time and stops the deployment if an instance fails, CodeDeployDefault.AllAtOnce deploys to every instance at once, and CodeDeployDefault.HalfAtATime deploys to half the fleet at a time. There is no predefined CodeDeployDefault.Custom; a custom configuration is created under a name of your own (`aws deploy create-deployment-config`) with a minimum-healthy-hosts value. The health check between batches is the per-instance result of the AppSpec lifecycle hooks (for example ValidateService), not the load balancer's health check.

765 · MCQ · easy

A company wants to host a static website on AWS with high availability and low latency for global users. Which service should be used to serve the static content?

A. AWS Lambda with API Gateway.
B. Amazon Route 53 with a simple routing policy.
C. EC2 instances behind an Application Load Balancer.
D. Amazon S3 bucket configured for static website hosting, with Amazon CloudFront.
Answer: D

S3 plus CloudFront is the standard architecture for static sites: durable storage behind a global edge cache.

Why this answer

Option D is correct because S3 stores the static files durably and CloudFront serves them from edge locations close to users, giving low latency and high availability without any servers to manage. Option A is wrong because Lambda and API Gateway are for dynamic compute, not for serving files. Option B is wrong because Route 53 is DNS; it directs users to an endpoint but does not serve content. Option C is wrong because EC2 behind an ALB works but adds servers to patch, scale and pay for, which static content does not need.

Practitioner caveat: the S3 static website endpoint is HTTP-only and requires the bucket to be publicly readable. With CloudFront in front, use the bucket's regular REST endpoint as the origin with origin access control, keep Block Public Access on, and let CloudFront terminate TLS; turn on website hosting only if its index-document and redirect behaviour is genuinely needed.

766 · MCQ · medium

A company runs a production database on an Amazon RDS for PostgreSQL DB instance in a single Availability Zone. The SysOps administrator needs to improve the database's availability to meet an SLA of 99.99% and ensure automatic failover in case of a database failure. Which configuration change should be made?

A.Enable a Multi-AZ deployment
B.Create a read replica in a different AWS Region
C.Configure automated backups with cross-region copy
D.Enable deletion protection on the DB instance
Answer: A

Multi-AZ provides automatic failover to a standby in another AZ, offering high availability without manual intervention.

Why this answer

Enabling a Multi-AZ deployment for an Amazon RDS PostgreSQL DB instance automatically provisions and maintains a synchronous standby replica in a different Availability Zone. In the event of a database failure or an Availability Zone outage, Amazon RDS automatically fails over to the standby replica, typically within 60-120 seconds, meeting the 99.99% SLA requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse read replicas (which are for read scaling and disaster recovery) with Multi-AZ deployments (which are for high availability and automatic failover), leading them to incorrectly select the cross-region read replica option.

How to eliminate wrong answers

Option B is wrong because creating a read replica in a different AWS Region provides read scalability and disaster recovery, but it does not support automatic failover for the primary DB instance; failover requires manual promotion of the read replica, which cannot meet a 99.99% SLA. Option C is wrong because configuring automated backups with cross-region copy protects against data loss by storing backups in another region, but it does not provide automatic failover or high availability for the database instance itself. Option D is wrong because enabling deletion protection on the DB instance only prevents accidental deletion of the database; it has no effect on availability, failover, or resilience against failures.

767 · MCQ · easy

A company wants to allow its employees to access internal applications using a custom domain name (app.example.com) that resolves to an internal ALB. Which AWS service should be used?

A. AWS Global Accelerator
B. Application Load Balancer
C. Amazon Route 53
D. Amazon CloudFront
Answer: C

Route 53 resolves the custom name; a private hosted zone keeps that resolution internal to the VPC.

Why this answer

Option C is correct because Route 53 is the DNS service: a private hosted zone for example.com associated with the VPC, holding an alias record for app.example.com that points at the internal ALB's DNS name, resolves the name only for clients inside the VPC (or in connected networks that forward queries through Route 53 Resolver). Option A is wrong because Global Accelerator provides static anycast IP addresses for reaching endpoints over the AWS backbone; it is not a DNS service. Option B is wrong because the ALB is the target; it has an AWS-generated DNS name but does not host the company's domain. Option D is wrong because CloudFront is a content delivery network for internet-facing content, not DNS resolution for an internal load balancer.

768 · MCQ · easy

Refer to the exhibit. A SysOps administrator creates a CloudFormation stack with the template shown. After 30 days, what happens to noncurrent versions of objects in the bucket?

A.They are permanently deleted.
B.They are moved to Amazon S3 Glacier.
C.They become the current version.
D.They are moved to Amazon S3 Standard-Infrequent Access.
Answer: A

The lifecycle rule expires noncurrent versions, and an expired noncurrent version is permanently deleted.

Why this answer

Option A is correct because the template's lifecycle rule expires noncurrent versions after 30 days (in CloudFormation this is the NoncurrentVersionExpiration setting of a bucket lifecycle rule), and expiring a noncurrent version permanently deletes it. Option B is wrong because the rule expires the versions rather than transitioning them to Glacier; that would need a NoncurrentVersionTransitions entry. Option C is wrong because a noncurrent version never becomes current on its own; that only happens if someone copies it over the current version or removes a delete marker. Option D is wrong for the same reason as B: the rule expires, it does not transition to Standard-IA.

769 · MCQ · hard

An organization uses AWS Systems Manager to manage a fleet of EC2 instances. The SysOps administrator needs to run a script on all instances that have a specific tag (Environment: Production). The script must be executed immediately and only once. Which approach should be used?

A. Use Patch Manager to apply the script as a patch baseline.
B. Create an Automation document and execute it.
C. Use Run Command with a target based on the tag.
D. Create a State Manager association with the script.
Answer: C

Run Command targets instances by tag and executes once, immediately.

Why this answer

Option C is correct because Run Command executes a document once, now, against targets selected by tag, for example `aws ssm send-command --document-name AWS-RunShellScript --targets Key=tag:Environment,Values=Production --parameters 'commands=["/opt/scripts/task.sh"]'`; per-instance status and output are then available with `aws ssm list-command-invocations --details`. Option A is wrong because Patch Manager applies patch baselines, not arbitrary scripts. Option B is wrong because Automation runbooks are for multi-step workflows (stop, snapshot, start, and so on); they can run scripts, but Run Command is the direct fit for a one-off command. Option D is wrong because a State Manager association enforces a desired state on a schedule and re-applies it, whereas the requirement is a single immediate execution.

Practitioner caveat: a tag-targeted Run Command with a shell script is remote root execution on every matching instance, so restrict `ssm:SendCommand` with a condition on `ssm:resourceTag/Environment`, require the document name in the policy's resource list, and keep the instance profile's SSM permissions minimal.

770 · MCQ · hard

A company uses AWS CloudTrail to log API activity. The security team needs to be alerted when an IAM user creates a new access key. Which combination of services should the SysOps administrator use to meet this requirement?

A. CloudWatch Logs Insights query on CloudTrail logs with an alarm
B. An AWS Config rule that checks for new access keys and sends an SNS notification
C. A CloudWatch Events rule that matches the CreateAccessKey API call and sends an SNS notification
D. S3 event notifications to an SNS topic
Answer: C

EventBridge (formerly CloudWatch Events) matches the CloudTrail event as it happens and invokes an SNS target.

Why this answer

Option C is correct because CloudWatch Events, now Amazon EventBridge, receives CloudTrail management events and can match on eventSource iam.amazonaws.com and eventName CreateAccessKey, then publish to an SNS topic, with no polling and low latency. Option A is wrong because CloudWatch Logs Insights is an interactive query tool; alarms are built on metric filters, not on Insights queries, and the trail would first have to deliver to a log group. Option B is wrong because AWS Config evaluates resource configuration; it can report that a user has two keys, but it does not observe the API call. Option D is wrong because S3 event notifications fire when CloudTrail writes a log file to the bucket, which happens in batches every few minutes, and a subscriber would still have to parse the file to find CreateAccessKey.

Practitioner caveat: IAM is a global service, so its CloudTrail events reach EventBridge only in us-east-1; create the rule there. A metric filter and alarm on the CloudTrail log group (the CIS Benchmark approach) is the other valid design and works without EventBridge.
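The rule described above, as an added example that is not part of the question bank: the EventBridge event pattern for the CreateAccessKey call, a matcher written for this page that mirrors EventBridge's exact-match semantics for this pattern, and a constructed CloudTrail-style event (not a real record) to exercise it offline. In production EventBridge does the matching; the matcher only shows what the pattern means.

```python
# Added example (not from the question bank): the EventBridge rule pattern for
# CreateAccessKey, a local matcher with the same semantics for this pattern, and a
# constructed CloudTrail-shaped event. Account ID, user names and key ID are placeholders.
import json

# Event pattern for the rule. The rule must live in us-east-1: IAM is a global service
# and its CloudTrail management events are delivered to EventBridge there.
CREATE_ACCESS_KEY_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateAccessKey"],
    },
}


def matches(pattern, event):
    """EventBridge matching for this pattern: every key in the pattern must be present in
    the event; a list means 'any of these exact values'; nested dicts recurse. Content
    filters such as prefix or anything-but are not needed here and not implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def summarize(event):
    """Fields an on-call engineer needs in the SNS message. CloudTrail never records the
    secret; responseElements carries only the new access key ID and its status."""
    d = event["detail"]
    actor = d["userIdentity"].get("arn")
    # requestParameters is null when a user creates a key for itself: the actor is the target.
    target = (d.get("requestParameters") or {}).get("userName") or d["userIdentity"].get("userName")
    return {
        "actor": actor,
        "target_user": target,
        "new_key_id": d["responseElements"]["accessKey"]["accessKeyId"],
        "source_ip": d.get("sourceIPAddress"),
        "time": d.get("eventTime"),
    }


def constructed_event(event_name, actor_user="alice", target_user=None,
                      key_id="AKIAEXAMPLE000000001"):
    """Build a CloudTrail-shaped EventBridge event (constructed test data, not a real record)."""
    detail = {
        "eventVersion": "1.08",
        "eventSource": "iam.amazonaws.com",
        "eventName": event_name,
        "eventTime": "2024-01-01T12:00:00Z",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": actor_user,
                         "arn": f"arn:aws:iam::123456789012:user/{actor_user}"},
        "requestParameters": {"userName": target_user} if target_user else None,
        "responseElements": {"accessKey": {"accessKeyId": key_id, "status": "Active",
                                           "userName": target_user or actor_user}},
    }
    return {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
            "region": "us-east-1", "account": "123456789012", "detail": detail}


if __name__ == "__main__":
    ev = constructed_event("CreateAccessKey", actor_user="alice", target_user="svc-deploy")
    print(json.dumps(CREATE_ACCESS_KEY_PATTERN, indent=2))
    print(matches(CREATE_ACCESS_KEY_PATTERN, ev), summarize(ev))
```

In the real rule the target is the SNS topic; EventBridge passes the whole event, so an input transformer that selects the same fields summarize() picks keeps the notification readable and avoids pasting the full CloudTrail record into a pager message.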

771 · MCQ · easy

A company wants to distribute content with low latency to users globally. The content is static and stored in an S3 bucket. Which AWS service should be used?

A. Application Load Balancer
B. AWS Global Accelerator
C. Amazon CloudFront
D. S3 Transfer Acceleration
Answer: C

CloudFront caches static content at edge locations close to the users.

Why this answer

Option C is correct because Amazon CloudFront is a content delivery network that caches objects from the S3 origin at edge locations worldwide, so repeat requests are served without a round trip to the bucket's Region. Option A is wrong because an Application Load Balancer distributes requests to targets in one Region and does not cache. Option B is wrong because Global Accelerator routes TCP and UDP traffic over the AWS backbone to regional endpoints; it does not cache content and is aimed at dynamic or non-HTTP workloads. Option D is wrong because S3 Transfer Acceleration speeds up transfers between a distant client and the bucket; it does not cache or fan content out to many users.

772 · MCQ · medium

A company wants to allow an external auditor to read objects in a specific S3 bucket for 30 days. The auditor does not have an AWS account. Which method should be used?

A. Create a bucket policy that allows the auditor's IP address.
B. Create an IAM user for the auditor and share the credentials.
C. Generate presigned URLs for the objects.
D. Use CloudFront signed URLs.
Answer: C

Presigned URLs grant time-limited access to specific objects without creating a principal for the auditor.

Why this answer

Option C is correct because a presigned URL carries a SigV4 signature made with the signer's credentials and an expiry; whoever holds the URL can perform that one operation on that one object until it expires, with no AWS account or credentials of their own. Option A is wrong because a bucket policy still authorizes an AWS principal; an IP condition alone cannot grant access to an unauthenticated caller unless the bucket is made public, which exposes it to everyone behind that address. Option B is wrong because sharing IAM user credentials hands a standing, non-expiring credential to a third party; it violates least privilege and leaves a key to rotate and revoke later. Option D is wrong for this question because CloudFront signed URLs also expire, but they need a distribution, an origin access configuration and a trusted key group, which is more setup than sharing objects from one bucket requires.

Practitioner caveats: a SigV4 presigned URL is valid for at most 7 days (604800 seconds), so a 30-day engagement needs URLs regenerated weekly or a small script that issues them on request; a URL signed with temporary credentials (an assumed role) also stops working when that session ends, whatever X-Amz-Expires says. The URL is a bearer token: anyone who obtains it can read the object, so deliver it over a protected channel and log its use with S3 server access logging or CloudTrail data events.
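What a presigned URL actually is, as an added example written for this page (it is not boto3's implementation): the SigV4 query-string signing that generate_presigned_url performs. The bucket, object key, credentials and timestamp are placeholders. It shows why the grant is bounded by X-Amz-Expires, why the hard limit is 7 days, and why changing any signed parameter invalidates the URL.

```python
# Added example (not boto3's code): how a SigV4 presigned GET URL for S3 is built,
# which is what boto3's generate_presigned_url does for you. Bucket, key, credentials
# and timestamp are placeholders; use the SDK in production.
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

MAX_PRESIGN_SECONDS = 7 * 24 * 3600  # SigV4 limit: X-Amz-Expires may not exceed 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, region, access_key_id, secret_key, expires_in, now=None):
    """Return a presigned HTTPS GET URL for s3://bucket/key valid for expires_in seconds."""
    if not 1 <= expires_in <= MAX_PRESIGN_SECONDS:
        raise ValueError(f"expires_in must be between 1 and {MAX_PRESIGN_SECONDS} seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{datestamp}/{region}/s3/aws4_request"

    # Everything that bounds the grant (who signed, when, for how long) is in the query
    # string and therefore covered by the signature; editing any of it breaks the URL.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key, safe="/-_.~")
    # Presigned URLs never sign a body, hence UNSIGNED-PAYLOAD.
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    # Derived signing key: the long-term secret itself never appears in the URL.
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    k = _hmac(k, "aws4_request")
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def example_url(expires_in=3600):
    """Fixed placeholder inputs so the output is reproducible."""
    fixed_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return presign_get(
        bucket="audit-evidence-example", key="2024/q1/report.pdf", region="us-east-1",
        access_key_id="AKIAEXAMPLE000000001", secret_key="example-secret-not-real",
        expires_in=expires_in, now=fixed_now,
    )


if __name__ == "__main__":
    print(example_url())
```

Because S3 recomputes the same HMAC chain from the credential in the URL and its copy of the secret, the signer needs no state and the URL cannot be revoked individually; revocation means rotating the signing key, which is another reason to sign with a dedicated, least-privilege identity rather than an administrator's key.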

773 · MCQ · medium

A company has multiple VPCs in the same account that need to communicate with each other. The VPCs are in the same region. Which solution provides the simplest and most scalable connectivity?

A. Set up AWS Direct Connect and route through a single VPC.
B. Use AWS PrivateLink to connect the VPCs.
C. Create a Transit Gateway and attach all VPCs.
D. Create VPC Peering connections between each pair of VPCs.
Answer: C

A transit gateway is a hub-and-spoke router: each VPC attaches once and can reach every other attachment.

Why this answer

Option C is correct because a transit gateway is a regional hub: each VPC attaches once, routing is transitive through the hub, and adding a VPC means one more attachment rather than a new connection to every existing VPC. Option D is wrong because VPC peering is non-transitive and point-to-point, so N VPCs need N(N-1)/2 peering connections and matching route-table entries, which becomes unmanageable beyond a handful of VPCs. Option A is wrong because Direct Connect links on-premises networks to AWS; it is not a VPC-to-VPC solution. Option B is wrong because PrivateLink exposes a specific service endpoint into a consumer VPC; it does not provide general IP routing between VPCs.

Practitioner caveat: with the default transit gateway route table, every attached VPC can reach every other one. Use separate route tables per environment, or disable default association and propagation, so that, for example, development VPCs cannot reach production.

774 · MCQ · hard

An application running on EC2 instances behind an Application Load Balancer (ALB) is experiencing increased latency. The SysOps administrator checks CloudWatch and sees that the ALB's TargetResponseTime is high, but the backend EC2 instance's CPUUtilization and MemoryUtilization are low. What is the most likely cause?

A. The ALB is experiencing connection queuing due to a high number of concurrent requests.
B. The application is CPU-bound on the EC2 instances.
C. The EC2 instances are throttled due to a burst balance limit.
D. The application is waiting on a database query that is slow.
Answer: A

The key attributes the latency to requests queuing in front of the targets rather than to CPU or memory on them.

Why this answer

The key lists option A: high TargetResponseTime with low CPU and memory is read as requests waiting rather than being processed. Two corrections matter in practice. First, TargetResponseTime measures the time from when the request leaves the load balancer until the target's response is received, so it is time spent on or behind the target, not inside the ALB. Second, the figure of 1024 pending connections belongs to the Classic Load Balancer's surge queue (the SurgeQueueLength and SpilloverCount metrics); an Application Load Balancer has no such documented queue or metric. When troubleshooting a real system, low CPU and memory together with slow responses most often means application threads are blocked waiting on a downstream dependency, which is option D: check the database's latency and connection metrics, the application's connection-pool saturation, and the ALB's RequestCount per target, HTTPCode_ELB_5XX and RejectedConnectionCount before concluding anything about the load balancer. Note also that MemoryUtilization is not a default EC2 metric; it exists only where the CloudWatch agent publishes it.

Exam trap

The trap here is assuming high latency always means the backend is overloaded; the question shows low CPU and memory precisely to push you to look for the bottleneck elsewhere, whether in queuing (the key's reading) or in a slow dependency.

How to eliminate wrong answers

Option B is wrong because a CPU-bound application would show high CPUUtilization, not low. Option C is wrong because "burst balance" is an EBS gp2 volume metric (BurstBalance) and CPU credits belong to burstable T-family instances (CPUCreditBalance); neither is mentioned in the scenario. A depleted credit balance is still worth ruling out, since a throttled T instance shows modest CPUUtilization with high latency. Option D is marked wrong by the key, but waiting on a slow query produces exactly this low-CPU, high-latency pattern, because blocked threads consume no CPU; the claim that a slow query would drive CPU and memory up is incorrect.

775 · MCQ · medium

A SysOps administrator notices that an Amazon CloudWatch Logs log group is growing rapidly and suspects that an EC2 instance is sending sensitive data to the logs. What is the most effective way to detect and redact sensitive data in real-time?

A. Use CloudWatch Logs Insights to query and mask sensitive data.
B. Enable S3 event notifications to trigger a Lambda function for redaction.
C. Create a CloudWatch Logs subscription filter that invokes a Lambda function for redaction.
D. Send logs to Amazon Kinesis Data Firehose and use Lambda for redaction.
Answer: C

A CloudWatch Logs subscription filter streams log events to Lambda as they arrive, so the function can redact them in near real time.

Why this answer

Option C is correct because a subscription filter delivers matching log events to a Lambda function as they are ingested, and the function can redact them and forward the clean records to a separate destination. Option A is wrong because Logs Insights queries data already stored; it does not change what is written. Option B is wrong because S3 event notifications fire only when an exported or delivered object lands in a bucket, which is batch, not real time. Option D is wrong for this question because Firehose with a Lambda transform also works (a subscription filter can target Firehose), but it adds a delivery stream and buffering latency; the direct Lambda subscription is the simplest real-time answer.

Practitioner caveats: a subscription filter copies events; the original log group still holds the sensitive data until it ages out, so shorten its retention and fix the application that writes the secrets. CloudWatch Logs also offers data protection policies that mask sensitive data (credentials, personal data) at ingestion using managed data identifiers; for common data types they remove the need for a custom function and are the first thing to try.
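The Lambda side of option C, as an added example that is not part of the question bank. The event envelope (base64 of a gzip-compressed JSON document under awslogs.data) is the format CloudWatch Logs delivers to a subscribed function; the redaction patterns, the sample log lines and the return shape are constructed for this page, and forwarding the clean records to a destination is left as a comment.

```python
# Added example (not from the question bank): a Lambda handler for a CloudWatch Logs
# subscription filter that redacts sensitive data. The envelope decoding matches what
# CloudWatch Logs sends; patterns, sample lines and return shape are constructed here.
import base64
import gzip
import json
import re

# Redaction patterns, most specific first. Extend for your own data; these are examples.
PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED-AWS-ACCESS-KEY-ID]"),
    (re.compile(r"(?i)(password|passwd|secret)=\S+"), r"\1=[REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED-SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[REDACTED-EMAIL]"),
]


def redact(message: str) -> str:
    """Apply every pattern in order and return the cleaned message."""
    for pattern, replacement in PATTERNS:
        message = pattern.sub(replacement, message)
    return message


def decode_payload(event: dict) -> dict:
    """CloudWatch Logs sends event["awslogs"]["data"] = base64(gzip(json))."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def handler(event, context=None):
    payload = decode_payload(event)
    # A CONTROL_MESSAGE is sent when the subscription is created; it carries no log data.
    if payload.get("messageType") != "DATA_MESSAGE":
        return {"redacted": [], "findings": 0}
    cleaned, findings = [], 0
    for rec in payload["logEvents"]:
        clean = redact(rec["message"])
        if clean != rec["message"]:
            findings += 1
        cleaned.append({"id": rec["id"], "timestamp": rec["timestamp"], "message": clean})
    # Forward `cleaned` to the clean destination here (another log group, S3, a SIEM).
    # Never write the original message anywhere at this point; that would recreate the leak.
    return {
        "logGroup": payload["logGroup"],
        "logStream": payload["logStream"],
        "redacted": cleaned,
        "findings": findings,
    }


def encode_payload(payload: dict) -> dict:
    """Constructed helper: wrap a payload exactly the way CloudWatch Logs would, for testing."""
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode("utf-8"))).decode("ascii")
    return {"awslogs": {"data": data}}


# Constructed sample delivery (not a real log group or real secrets).
SAMPLE_EVENT = encode_payload({
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/app/web",
    "logStream": "i-0abc123",
    "subscriptionFilters": ["redact-all"],
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message": "user login ok user=alice@example.com"},
        {"id": "2", "timestamp": 1700000001000,
         "message": "DEBUG client key AKIAABCDEFGHIJKLMNOP password=hunter2"},
        {"id": "3", "timestamp": 1700000002000, "message": "GET /health 200"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The findings count is worth publishing as a CloudWatch metric from the function: a non-zero rate is the real signal that an application is leaking, and the redacted copy is only a stopgap until that application is fixed.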

776 · MCQ · hard

A CloudFormation stack creation failed. The administrator runs the command shown in the exhibit. What is the most likely reason for the failure?

A. The IAM role for CloudFormation does not have permission to launch EC2 instances
B. The stack is being created in a region that does not support the specified AMI
C. The AMI ID specified in the template does not exist in the region
D. The instance type t2.micro is not supported in the target Availability Zone
Answer: C

The error in the exhibit says the AMI ID is invalid.

Why this answer

Option C is correct because the error explicitly states that the AMI ID is invalid, which is what EC2 returns when the ID does not exist in the Region where the stack is being created; AMI IDs are Region-specific, so an ID copied from another Region fails this way. Option A is wrong because a permissions problem produces an access-denied error from EC2, not an invalid-AMI error. Option B is wrong because the error is about the AMI ID itself, not about Region support; the usual cause is the wrong ID for the Region rather than a Region that cannot host it. Option D is wrong because the error mentions the AMI, not the instance type or Availability Zone.

Practitioner check: `aws cloudformation describe-stack-events --stack-name <name>` shows the failing resource and its status reason, and `aws ec2 describe-images --image-ids <ami-id> --region <region>` confirms whether the AMI exists where the stack runs. To avoid the problem, resolve the AMI in the template from a Systems Manager public parameter (for example `/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2`) instead of hard-coding an ID.

777 · MCQ · medium

A company uses AWS CloudFormation to deploy a stack that includes an EC2 instance and an S3 bucket. The SysOps administrator needs to monitor the stack for any changes to the S3 bucket's bucket policy. Which AWS service should be used?

A. Amazon CloudWatch
B. AWS Config
C. AWS CloudTrail
D. AWS Trusted Advisor
Answer: B

AWS Config records each change to the bucket's configuration, including its policy, and can evaluate rules and notify on it.

Why this answer

Option B is correct because AWS Config records the bucket's configuration, bucket policy included, as a configuration item each time it changes, keeps the history, and can evaluate a rule (a managed rule such as s3-bucket-public-read-prohibited, or a custom rule on the policy document) and notify through its SNS topic or EventBridge. Option C is marked wrong by the key because CloudTrail logs the PutBucketPolicy call that changed the policy rather than tracking the policy itself; in practice the two are used together, Config for the resulting state and CloudTrail for who made the call and from where. Option A is wrong because CloudWatch is for metrics, logs and alarms, not configuration tracking. Option D is wrong because Trusted Advisor runs periodic best-practice checks (it flags public buckets, for example) but does not track policy changes.

778
MCQmedium

A company has an Application Load Balancer (ALB) that routes traffic to Amazon EC2 instances in private subnets of a VPC. The SysOps administrator needs to ensure that the EC2 instances can download software updates from the internet, but they must not be directly accessible from the internet. The solution should minimize operational overhead. Which solution should the administrator implement?

A.Place the EC2 instances in a public subnet and configure security group inbound rules to block all traffic.
B.Attach a NAT Gateway to a public subnet and configure the private subnet route table to send 0.0.0.0/0 traffic to the NAT Gateway.
C.Launch a NAT instance in a public subnet with an Elastic IP address and configure route tables accordingly.
D.Attach an Internet Gateway to the VPC and add a route to the private subnet route table pointing 0.0.0.0/0 to the Internet Gateway.
AnswerB

A NAT Gateway enables outbound internet connectivity for instances in private subnets while blocking unsolicited inbound connections. It is fully managed, reducing operational overhead.

Why this answer

A NAT Gateway (option B) allows EC2 instances in private subnets to initiate outbound connections to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. It is a fully managed AWS service that automatically scales and requires no patching, minimizing operational overhead compared to a NAT instance. The private subnet route table directs 0.0.0.0/0 traffic to the NAT Gateway, which is placed in a public subnet with an Elastic IP address to enable internet access.

Exam trap

The trap here is that candidates may confuse a NAT Gateway with a NAT instance, thinking the latter is acceptable, but the question explicitly requires minimizing operational overhead, which disqualifies the self-managed NAT instance in favor of the fully managed NAT Gateway.

How to eliminate wrong answers

Option A is wrong because placing EC2 instances in a public subnet with security group rules blocking all inbound traffic still leaves them with public IP addresses, making them theoretically reachable from the internet (security groups are stateful and can be misconfigured), and it violates the requirement that instances must not be directly accessible from the internet. Option C is wrong because launching a NAT instance requires manual management (patching, scaling, high availability setup), increasing operational overhead, which contradicts the 'minimize operational overhead' requirement. Option D is wrong because adding a route to the private subnet route table pointing 0.0.0.0/0 to an Internet Gateway would make the private subnet effectively public, allowing direct inbound internet access to the EC2 instances, which violates the requirement that they must not be directly accessible from the internet.

779
MCQmedium

A SysOps administrator needs to ensure that an S3 bucket can recover from accidental deletions by users. The bucket stores versioned objects. What additional configuration should be enabled to prevent permanent deletion?

A.Enable S3 Server-Side Encryption.
B.Enable S3 Lifecycle rules to expire objects.
C.Enable MFA Delete on the bucket.
D.Configure a bucket policy to deny s3:DeleteObject.
AnswerC

MFA Delete requires extra authentication to delete versions.

Why this answer

Option C is correct because MFA Delete requires multi-factor authentication to delete object versions, preventing accidental permanent deletion. Option B is wrong because lifecycle rules do not protect against deletion. Option A is wrong because encryption does not prevent deletion.

Option D is wrong because a bucket policy can allow or deny s3:DeleteObject but cannot require MFA for deletion of versions without additional configuration.

780
MCQmedium

A company uses AWS CloudFormation to deploy a multi-tier application. The stack includes an Application Load Balancer, Auto Scaling group, and RDS database. The SysOps administrator receives a notification that a stack update has failed. The administrator wants to investigate the failure and understand which resource caused the issue. The stack is in the UPDATE_ROLLBACK_IN_PROGRESS state. What should the administrator do to identify the failed resource?

A.Review the stack's template in the CloudFormation console to check for syntax errors.
B.Check the CloudWatch Logs for the EC2 instances in the Auto Scaling group.
C.Manually re-run the update with the same parameters to see if the error recurs.
D.View the stack events in the CloudFormation console to see which resource failed and the error message.
AnswerD

Stack events provide detailed information about each resource operation.

Why this answer

When a CloudFormation stack update fails and enters UPDATE_ROLLBACK_IN_PROGRESS, the most direct way to identify the failed resource is to view the stack events in the CloudFormation console. Each event includes a status reason field that contains the specific error message and the logical resource ID of the resource that caused the failure, allowing the administrator to pinpoint the issue without additional investigation.

Exam trap

The trap here is that candidates may assume the failure is due to a template syntax error (Option A) or that application logs (Option B) would reveal the issue, when in fact CloudFormation events are the authoritative source for resource-level failure details during stack operations.

How to eliminate wrong answers

Option A is wrong because syntax errors in the template would typically cause the update to fail before it begins (e.g., during validation), not during the update process itself; the stack is already in UPDATE_ROLLBACK_IN_PROGRESS, meaning the template was valid enough to start the update. Option B is wrong because CloudWatch Logs for EC2 instances in the Auto Scaling group would only show application-level or OS-level logs, not CloudFormation resource provisioning failures; the failure is at the infrastructure layer, not within the instances. Option C is wrong because manually re-running the update with the same parameters is risky and inefficient; it could cause the same failure again or trigger additional rollbacks, and it does not leverage the existing event data that already contains the error details.

781
MCQmedium

An administrator attempts to deploy an application using AWS CodeDeploy. The deployment fails with 'Access Denied' when trying to download the revision from the S3 bucket 'example-bucket'. The IAM policy attached to the instance profile is shown in the exhibit. What is the cause of the failure?

A.The policy does not include s3:ListBucket
B.The policy is missing the s3:GetObjectVersion action for the bucket
C.The policy grants s3:ListBucket but not s3:GetObject
D.The policy is attached to the wrong IAM role
AnswerB

CodeDeploy may use versioned S3 objects; the policy lacks GetObjectVersion.

Why this answer

Option B is correct because the policy shown grants s3:GetObject on the bucket contents but not s3:GetObjectVersion. CodeDeploy needs s3:GetObjectVersion when the revision lives in a versioned bucket or when the deployment references a specific object version, so the download fails with Access Denied. The policy also omits s3:GetObjectTagging and other actions that might be required, but the missing s3:GetObjectVersion is the most common cause.

Option A is wrong because s3:ListBucket is present. Option C is wrong because the policy does grant s3:GetObject. Option D is wrong because the policy is attached to the instance profile.

782
MCQmedium

A company has a production RDS for PostgreSQL database with a db.r5.large instance. The database experiences high read traffic during business hours. The SysOps administrator needs to improve read performance and ensure high availability at minimal cost. Which solution should the administrator implement?

A.Upgrade the instance to db.r5.xlarge and enable automatic backups.
B.Create a Multi-AZ deployment and then add a Read Replica in a different Availability Zone.
C.Enable Multi-AZ on the existing instance to provide automatic failover but no read scaling.
D.Use Amazon ElastiCache for Redis to cache frequent queries.
AnswerB

Multi-AZ provides failover, Read Replica offloads read traffic, and both improve availability.

Why this answer

The correct answer is B. A Multi-AZ deployment with a Read Replica in another AZ provides both high availability and read scaling. Option A is wrong because increasing the instance size is costly and does not provide HA.

Option C is wrong because Multi-AZ alone does not offload read queries. Option D is wrong because ElastiCache adds complexity and cost, and is not directly a database solution.

783
MCQmedium

A SysOps administrator needs to ensure that all traffic between an on-premises data center and the AWS VPC is encrypted and goes over the internet. Which AWS service should be used?

A.AWS Site-to-Site VPN
B.VPC Peering
C.AWS Transit Gateway
D.AWS Direct Connect
AnswerA

VPN encrypts traffic over the internet.

Why this answer

AWS Site-to-Site VPN creates an encrypted tunnel between an on-premises data center and an AWS VPC using IPsec (IKEv1/IKEv2) over the public internet. This meets the requirement for encryption and internet-based connectivity, as the VPN traffic traverses the internet but is secured by IPsec tunnels.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN with AWS Direct Connect, assuming Direct Connect provides encryption by default, but Direct Connect is a private connection that does not include encryption unless a VPN is layered on top.

How to eliminate wrong answers

Option B (VPC Peering) is wrong because it connects VPCs within AWS using private AWS infrastructure, not over the internet, and does not support encryption by default. Option C (AWS Transit Gateway) is wrong because it is a network transit hub that connects VPCs and on-premises networks, but it does not itself provide encryption; it requires a Site-to-Site VPN or Direct Connect for on-premises connectivity. Option D (AWS Direct Connect) is wrong because it uses a dedicated private network connection, not the internet, and does not inherently encrypt traffic unless combined with a VPN.

784
Multi-Selectmedium

A company is running a production web application on EC2 instances. Which TWO actions would improve both cost efficiency and performance?

Select 2 answers
A.Enable detailed monitoring on all instances.
B.Purchase Reserved Instances for the baseline capacity.
C.Terminate all idle instances.
D.Use larger instance types for all instances.
E.Implement Auto Scaling to adjust capacity based on demand.
AnswersB, E

Reserved Instances reduce cost for steady load.

Why this answer

Options B and E are correct. Auto Scaling adjusts capacity to match demand, reducing cost during low traffic and maintaining performance during peaks. Purchasing Reserved Instances for the baseline reduces cost.

Terminating idle instances saves cost but doesn't improve performance. Using larger instances may improve performance but increases cost.

785
MCQeasy

Refer to the exhibit. An application running on EC2 is using the AWS SDK to publish custom metrics to CloudWatch. The application fails to publish metrics. The IAM role attached to the EC2 instance has this policy. What is the issue?

A.The condition key 'cloudwatch:namespace' is misspelled.
B.The policy does not specify a specific resource ARN.
C.The application may be using a different namespace than 'MyApp'.
D.The action 'cloudwatch:PutMetricData' is not allowed for custom metrics.
AnswerC

The condition restricts to a specific namespace.

Why this answer

The IAM policy explicitly allows 'cloudwatch:PutMetricData' on the condition that the namespace is 'MyApp'. If the application's AWS SDK code publishes metrics under a different namespace (e.g., 'AWS/EC2' or a custom namespace like 'MyOtherApp'), the condition fails and the API call is denied. This is the most likely cause of the failure, as the policy is otherwise correctly configured for the specified namespace.

Exam trap

The trap here is that candidates often assume a policy with a condition key is always correct, overlooking that the application's actual namespace value must exactly match the condition value for the API call to succeed.

How to eliminate wrong answers

Option A is wrong because 'cloudwatch:namespace' is a valid condition key for CloudWatch PutMetricData; it is not misspelled. Option B is wrong because CloudWatch PutMetricData does not require a resource ARN in the policy; it uses a 'Resource': '*' by convention and the condition key provides the necessary restriction. Option D is wrong because the action 'cloudwatch:PutMetricData' is explicitly allowed for custom metrics when the namespace condition is met; the issue is not that the action is disallowed entirely.

786
MCQeasy

An organization wants to block traffic from specific IP addresses at the edge of the AWS network before it reaches the application. Which service should be used?

A.AWS WAF
B.Security groups
C.AWS Shield Advanced
D.Network ACLs
AnswerA

Correct. AWS WAF can block IPs at the edge when used with CloudFront or ALB.

Why this answer

AWS WAF integrates with CloudFront and ALB to filter traffic based on IP addresses. For edge blocking, CloudFront with WAF is the best choice.

787
MCQhard

A company uses Amazon Route 53 as its DNS service. They have a domain example.com with an alias record pointing to an Application Load Balancer (ALB). Recently, they updated the ALB's DNS name, but the Route 53 record was not updated. Users are still being directed to the old ALB, which has been decommissioned. The SysOps administrator updates the alias record to point to the new ALB DNS name. However, users still experience errors for several hours. What is the most likely reason?

A.Route 53 requires time to propagate changes globally
B.The alias record was not saved correctly
C.The TTL on the DNS record is set too high, causing client-side caching
D.The domain is using DNSSEC, which delays updates
AnswerC

A high TTL means clients cache the old IP until the TTL expires.

Why this answer

Option C is correct because the TTL (Time to Live) on the DNS record determines how long resolvers cache the response. If the TTL is high, clients and intermediate DNS resolvers will continue to use the old IP for the duration of the TTL. Option B is wrong because the alias record was updated.

Option A is wrong because propagation is instant for alias records. Option D is wrong because DNSSEC does not cause caching issues.

788
MCQmedium

A company has a CloudFront distribution with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible through CloudFront. Which configuration is required to ensure that direct access to the S3 bucket is blocked?

A.Attach an IAM role to CloudFront that allows S3 access
B.Set the S3 bucket policy to deny all access except from CloudFront's IP ranges
C.Create an Origin Access Identity (OAI) and add a bucket policy that grants access only to the OAI
D.Use signed URLs for all requests
AnswerC

The OAI is a virtual identity that CloudFront uses to access S3; the bucket policy restricts access to only that OAI.

Why this answer

Option C is correct because an Origin Access Identity (OAI) prevents direct S3 access by allowing only CloudFront to access the bucket. Option D is wrong because signed URLs control viewer access, not origin access. Option B is wrong because a bucket policy alone can restrict access, but an OAI is the standard way.

Option A is wrong because CloudFront does not use IAM roles for origin access.

789
MCQeasy

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application stores session data on local instance storage. Users report that they are unexpectedly logged out during peak traffic. Which action should the SysOps Administrator take to improve reliability?

A.Move the session storage to an instance store volume.
B.Enable sticky sessions on the Application Load Balancer.
C.Increase the size of the Auto Scaling group to handle peak traffic.
D.Configure an ElastiCache Redis cluster to store session state externally.
AnswerD

Provides a central, durable session store.

Why this answer

Option D is correct because storing session state in a shared ElastiCache cluster provides a central, durable location that survives instance termination. Option A is wrong because instance store is ephemeral. Option B is wrong because sticky sessions do not address session loss when an instance is terminated.

Option C is wrong because adding capacity does not solve the session persistence issue.

790
MCQmedium

A company uses AWS CodeDeploy to deploy a new version of a web application to a fleet of Amazon EC2 instances. The SysOps administrator wants to shift 10% of traffic to the new version first, monitor for errors, and then after manual approval, deploy to the remaining 90%. Which CodeDeploy deployment configuration should be used?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.Canary10Percent5Minutes
D.Custom configuration with 10% and manual approval
AnswerC

Shifts 10% of traffic and waits 5 minutes before proceeding.

Why this answer

Option C is correct because the Canary10Percent5Minutes deployment configuration shifts 10% of traffic to the new version, waits 5 minutes for monitoring, and then automatically deploys to the remaining 90%. This matches the requirement for a 10% traffic shift with a monitoring window, though the question specifies manual approval—CodeDeploy does not natively support manual approval within a deployment configuration; instead, you would combine this configuration with a manual approval step in a CodePipeline or use a lifecycle hook. However, among the given options, this is the only one that provides the 10% traffic shift and a built-in wait period.

Exam trap

The trap here is that candidates may assume a custom deployment configuration can include manual approval, but CodeDeploy deployment configurations only control traffic shifting percentages and timing, not approval gates, which must be handled externally.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, with no traffic shifting or gradual rollout, which does not meet the requirement to shift only 10% first. Option B is wrong because CodeDeployDefault.HalfAtATime deploys to 50% of instances at a time, not 10%, and does not include a monitoring or approval window. Option D is wrong because while a custom configuration can specify a 10% traffic shift, CodeDeploy deployment configurations do not support manual approval natively; manual approval must be implemented externally via CodePipeline or lifecycle hooks, making this option technically incorrect as described.

791
MCQhard

A SysOps administrator notices that an EC2 instance is not receiving traffic from an Application Load Balancer (ALB). The ALB is healthy and the target group shows the instance as healthy. The exhibit shows the network interface attached to the instance. What is the likely cause of the issue?

A.The source/destination check is enabled on the network interface
B.The network interface is in a private subnet
C.The instance's security group does not allow inbound traffic from the ALB
D.The network ACL of the subnet denies inbound traffic
AnswerC

If the instance's security group blocks traffic from the ALB, the ALB will receive 503 errors.

Why this answer

Option C is correct because the security group associated with the instance must allow inbound traffic from the ALB on the target port; if it does not, the ALB cannot deliver requests even though the target group reports the instance as healthy. Note that the exhibit shows the network interface of the ALB (its description starts with "ELB app/alb-..."), not the instance's network interface, so it does not show the instance's security group rules.

Option A is wrong because the source/destination check only matters when an instance must process traffic that is not addressed to its own IP (for example, when it acts as a NAT or routing device). ALB traffic is addressed to the instance's own IP, so the check does not affect it, and the check being enabled on the ALB's ENI is normal. Option B is wrong because the network interface being in a private subnet does not by itself stop the ALB from forwarding traffic to the instance. Option D is wrong because network ACLs are stateless and if inbound is allowed, outbound must also be allowed.

792
MCQmedium

A company uses AWS CodePipeline to automate the deployment of a web application. The pipeline has three stages: Source (Amazon S3), Build (AWS CodeBuild), and Deploy (AWS CodeDeploy). Recently, the deployment stage started failing with the error 'The deployment failed because a deployment already exists for the deployment group'. The SysOps Administrator needs to fix the pipeline to allow deployments to proceed without manual intervention. The pipeline should only deploy if the previous deployment is successful. What should the administrator do?

A.Disable the concurrent deployment setting in the CodeDeploy deployment group.
B.Configure the CodePipeline Deploy action to wait for the previous deployment to finish before starting a new one.
C.Modify the pipeline to use a new deployment group for each execution.
D.Enable automatic rollback in the CodeDeploy deployment group.
AnswerB

This ensures that the pipeline does not start a new deployment while one is in progress.

Why this answer

Option B is correct. Configuring the Deploy action to wait for the previous deployment to complete before starting a new one ensures no concurrent deployments. Option A is wrong because disabling concurrent deployments does not prevent the pipeline from triggering a new deployment while one is in progress.

Option D is wrong because enabling rollback does not address the concurrency issue. Option C is wrong because using a different deployment group for each pipeline execution is not practical.

793
MCQmedium

A company uses S3 to store sensitive data. To meet compliance requirements, all S3 buckets must be encrypted at rest. The security team notices that some objects in a bucket are not encrypted. What is the MOST efficient way to enforce encryption for all future objects?

A.Use AWS Config managed rule to identify unencrypted objects and re-upload them manually
B.Use S3 Inventory to list unencrypted objects and apply encryption via S3 Batch Operations
C.Enable default encryption on the bucket using AES-256
D.Create an S3 bucket policy that denies PutObject if the x-amz-server-side-encryption header is not present
AnswerD

Bucket policy enforces encryption at upload time, rejecting unencrypted requests.

Why this answer

Option D is correct because using a bucket policy to deny PutObject requests without the x-amz-server-side-encryption header ensures that any object uploaded without encryption is rejected. Option C is incorrect because S3 default encryption applies only to new objects, but objects can still be uploaded without encryption if the request explicitly specifies otherwise. Option B is incorrect because S3 Inventory does not enforce encryption; it only reports.

Option A is incorrect because manually re-uploading is not efficient and does not prevent future violations.
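As an added example (not part of the question bank) tying together the condition-based policies in questions 785 and 793: a small evaluator that applies the IAM deny-overrides-allow logic to a constructed CloudWatch identity policy and to the S3 bucket policy that rejects unencrypted uploads. The policies, bucket name, role and header values are constructed, Principal matching and SCPs are ignored, and only the three condition operators these policies need are implemented.

```python
"""Policy-condition evaluation for questions 785 and 793 (added example, not from the question bank).
Models the IAM decision logic relevant here: an explicit Deny wins, otherwise an Allow must match,
otherwise the request is implicitly denied. Principal, SCPs and session policies are ignored
(assumed to permit the caller). All policies and context values below are constructed."""
import fnmatch

# Question 785: identity policy that allows PutMetricData only into the 'MyApp' namespace.
CLOUDWATCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudwatch:PutMetricData",
        "Resource": "*",
        "Condition": {"StringEquals": {"cloudwatch:namespace": "MyApp"}},
    }],
}

# Question 793: a constructed identity policy that grants the upload, plus the bucket policy that
# rejects PutObject when the SSE header is missing or names a different algorithm. Two Deny
# statements are needed because StringNotEquals does not match when the key is absent; the
# Null operator is what catches the missing header.
UPLOADER_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
S3_SSE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyWrongAlgorithm", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """Every operator/key pair in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # "true" matches when the key is absent from the request, "false" when present.
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # A missing key does not match a negated operator either.
                if actual is None or actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
    return True

def statement_matches(statement, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    return condition_matches(statement.get("Condition", {}), context)

def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request across all applicable policies."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if statement_matches(statement, action, resource, context):
                if statement["Effect"] == "Deny":
                    return "Deny"  # an explicit deny always wins
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def put_metric_decision(namespace):
    """Question 785: the SDK call succeeds only when the namespace matches the condition."""
    context = {} if namespace is None else {"cloudwatch:namespace": namespace}
    return evaluate([CLOUDWATCH_POLICY], "cloudwatch:PutMetricData", "*", context)

def put_object_decision(sse_header):
    """Question 793: upload to example-bucket with the given x-amz-server-side-encryption value."""
    context = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate([UPLOADER_IDENTITY_POLICY, S3_SSE_BUCKET_POLICY], "s3:PutObject",
                    "arn:aws:s3:::example-bucket/report.csv", context)

if __name__ == "__main__":
    for ns in ("MyApp", "MyOtherApp", None):
        print(f"PutMetricData namespace={ns!r}: {put_metric_decision(ns)}")
    for header in ("AES256", "aws:kms", None):
        print(f"PutObject SSE header={header!r}: {put_object_decision(header)}")
```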

794
MCQhard

A company is using AWS Elastic Beanstalk to deploy a web application. The application uses a custom Amazon Machine Image (AMI) that must be updated periodically. The SysOps administrator creates a new AMI and updates the Elastic Beanstalk environment's configuration. However, new instances are still launched with the old AMI. What is the most likely cause?

A.The environment is configured to use a launch template, and the AMI was not updated in the launch template.
B.The environment is using an immutable update policy.
C.The environment's platform version is pinned to an older version.
D.The old AMI was not deregistered.
AnswerA

If using a launch template, the AMI must be updated in the template itself.

Why this answer

Elastic Beanstalk uses a launch configuration or launch template. If the environment is configured to use a launch template, updating the AMI in the environment configuration may not update the template. The environment's platform version is separate from the AMI.

The old AMI might not be deregistered, but that doesn't cause new instances to use it. Immutable updates are not relevant.

795
MCQeasy

A company uses AWS CodeDeploy to automate deployments to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment'. The logs on a failed instance show that the 'BeforeInstall' lifecycle event script exited with a non-zero exit code. What is the MOST likely cause?

A.The BeforeInstall script has a bug that causes it to exit with a non-zero exit code.
B.The instance does not have the required permissions to download the application revision.
C.The instance is not healthy according to the Elastic Load Balancer health checks.
D.The CodeDeploy agent is not running on the instance.
AnswerA

A non-zero exit code indicates failure in the script.

Why this answer

Option A is correct because the BeforeInstall hook script failed, causing the instance to fail deployment. Option D is wrong because a CodeDeploy agent that is not running would show up as agent errors in the logs, not as a script failure. Option C is wrong because the specific error is a script exit code, not a load balancer health check failure.

Option B is wrong because a missing permission to download the revision would cause a different error.

796
MCQhard

A company uses AWS Organizations with SCPs to restrict member accounts. The security team wants to prevent all users in the 'Developers' OU from deleting S3 buckets, except for the root user of the management account. How should this be implemented?

A.Create an IAM policy that denies s3:DeleteBucket and attach it to all IAM users. The root user is not affected by IAM policies.
B.Attach an SCP that denies s3:DeleteBucket to the Developers OU. The management account root is not affected by SCPs.
C.Attach an SCP that denies s3:DeleteBucket except when called by root user.
D.Attach an SCP that denies s3:DeleteBucket to the Developers OU. The root user in member accounts is not affected.
AnswerB

SCPs do not apply to the management account.

Why this answer

Option B is correct because SCPs can deny actions for all principals in member accounts, including root, but the management account is not affected by SCPs. Option A is wrong because IAM policies cannot block the root user. Option C is wrong because SCPs cannot exclude the root user of member accounts.

Option D is wrong because SCPs apply to all principals in member accounts, including the root user, not just non-root users.

797
MCQeasy

A company wants to provide temporary security credentials to a mobile application so it can access an S3 bucket. Which AWS service should be used to issue these credentials?

A.Amazon Cognito
B.AWS Key Management Service (KMS)
C.AWS Security Token Service (STS)
D.AWS Identity and Access Management (IAM)
AnswerC

STS issues temporary credentials for IAM roles or federated users.

Why this answer

Option C is correct because AWS STS (Security Token Service) generates temporary credentials. Option D is wrong because IAM users have long-term credentials. Option A is wrong because Amazon Cognito can issue credentials but is typically used for user pools; STS is the direct service.

Option B is wrong because KMS is for encryption keys.

798
MCQmedium

A SysOps administrator needs to audit all IAM user activity in the AWS account for the last 90 days. Which AWS service should be used?

A.AWS Config
B.AWS Trusted Advisor
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerC

CloudTrail records all API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API calls, including IAM actions, for the last 90 days by default in the event history. Option A is wrong because AWS Config records resource configuration changes, not user activity. Option D is wrong because Amazon GuardDuty is for threat detection.

Option B is wrong because AWS Trusted Advisor is for cost optimization and best practices.

799
MCQmedium

A SysOps administrator runs the AWS CLI command shown in the exhibit. What is the purpose of this command?

A.To retrieve details about the most recent console login events.
B.To count the number of console logins in the last 5 minutes.
C.To retrieve a list of all API calls made by the user john.doe.
D.To disable CloudTrail logging for console login events.
AnswerA

The command retrieves ConsoleLogin events with a limit of 5.

Why this answer

Option A is correct. The command looks up CloudTrail events with the event name 'ConsoleLogin', which are sign-in events to the AWS Management Console, limited to the 5 most recent. Option C is wrong because the command filters by event name, not by user.

Option D is wrong because the command looks up events; it does not modify CloudTrail logging. Option B is wrong because it returns the events themselves, not a count.
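An added example, not part of the question bank, that processes the kind of output the lookup in this question returns. The response below is constructed (user names, IP addresses, times and event IDs are placeholders); the field layout, including the CloudTrailEvent JSON string, follows what the lookup-events API returns.

```python
"""Summarize ConsoleLogin events as returned by `aws cloudtrail lookup-events` (question 799).
Added example, not from the question bank; the response below is constructed sample data."""
import json
from collections import Counter

def _event(kind, user, ip, outcome, mfa, when):
    """Build one lookup-events entry. The full record sits in CloudTrailEvent as a JSON string."""
    identity = {"type": kind, "accountId": "123456789012"}
    if kind == "IAMUser":
        identity["userName"] = user  # root sign-ins carry type "Root" and no userName
    record = {
        "eventVersion": "1.08", "userIdentity": identity, "eventTime": when,
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": ip, "userAgent": "Mozilla/5.0 (constructed)",
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa,
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
    }
    if outcome == "Failure":
        record["errorMessage"] = "Failed authentication"
    return {"EventId": f"constructed-{when}", "EventName": "ConsoleLogin", "EventTime": when,
            "EventSource": "signin.amazonaws.com", "Username": user, "Resources": [],
            "CloudTrailEvent": json.dumps(record)}

# Constructed stand-in for the output of:
#   aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --max-results 5
SAMPLE_RESPONSE = {"Events": [
    _event("IAMUser", "john.doe", "203.0.113.10", "Success", "Yes", "2024-05-01T08:00:00Z"),
    _event("IAMUser", "jane.roe", "198.51.100.7", "Failure", "No", "2024-05-01T08:02:00Z"),
    _event("IAMUser", "jane.roe", "198.51.100.7", "Failure", "No", "2024-05-01T08:03:00Z"),
    _event("IAMUser", "jane.roe", "198.51.100.7", "Success", "No", "2024-05-01T08:04:00Z"),
    _event("Root", "root", "192.0.2.5", "Success", "Yes", "2024-05-01T08:10:00Z"),
]}

def summarize_console_logins(response):
    """One row per sign-in attempt, with the fields an auditor looks at first."""
    rows = []
    for entry in response.get("Events", []):
        if entry.get("EventName") != "ConsoleLogin":
            continue  # the CLI filter already did this; stay defensive
        record = json.loads(entry["CloudTrailEvent"])
        identity = record.get("userIdentity", {})
        rows.append({
            "time": record.get("eventTime"),
            "user": identity.get("userName") or identity.get("type", "unknown"),
            "source_ip": record.get("sourceIPAddress"),
            "outcome": record.get("responseElements", {}).get("ConsoleLogin", "unknown"),
            "mfa": record.get("additionalEventData", {}).get("MFAUsed", "unknown"),
            "error": record.get("errorMessage"),
        })
    return rows

def review_findings(rows, failure_threshold=2):
    """Findings worth following up from the last few ConsoleLogin events."""
    findings = []
    failures = Counter((r["user"], r["source_ip"]) for r in rows if r["outcome"] == "Failure")
    for (user, ip), count in failures.items():
        if count >= failure_threshold:
            findings.append(f"{count} failed console logins for {user} from {ip}")
    for r in rows:
        if r["outcome"] != "Success":
            continue
        if r["mfa"] != "Yes":
            findings.append(f"{r['user']} signed in from {r['source_ip']} without MFA at {r['time']}")
        if r["user"] == "Root":
            findings.append(f"root account console sign-in from {r['source_ip']} at {r['time']}")
    return findings

if __name__ == "__main__":
    rows = summarize_console_logins(SAMPLE_RESPONSE)
    for row in rows:
        print(row)
    for finding in review_findings(rows):
        print("FINDING:", finding)
```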

800
MCQmedium

A company uses AWS CloudFormation to deploy its infrastructure. The SysOps administrator needs to ensure that the application stack can be recreated in another AWS Region in the event of a disaster. The stack includes an RDS MySQL database and an EC2 instance running a web server. The administrator wants to automate the backup of the RDS database and the EC2 instance configuration. What is the MOST efficient way to achieve this?

A.Use S3 to store database dump files and instance configuration scripts.
B.Create manual snapshots of the RDS database and EC2 instance every day and copy them to the secondary region.
C.Store the CloudFormation template in S3 and use it to recreate the stack in the secondary region.
D.Use AWS Backup to create backup plans that include the RDS instance and EC2 instance, and copy backups to the secondary region.
AnswerD

AWS Backup automates backups and supports cross-region copy.

Why this answer

Option D is correct. AWS Backup provides a centralized backup service that can back up RDS databases and EC2 instances (via AMIs). It supports cross-region copy, which is ideal for disaster recovery.

Option B is wrong because manual snapshots are not automated and require manual intervention. Option C is wrong because CloudFormation templates do not capture data in the database or EC2 instance state. Option A is wrong because S3 is not an appropriate backup target for RDS or EC2 instances directly.

801
MCQeasy

A company wants to use Amazon CloudFront to serve content from an Application Load Balancer (ALB) that is internet-facing. Which type of origin should be configured in CloudFront?

A.S3 origin with the ALB's DNS name as the bucket name.
B.Custom origin with Origin Access Identity (OAI) to restrict access.
C.Custom origin (HTTP/HTTPS) pointing to the ALB DNS name.
D.Custom origin pointing to the ALB's private IP address.
AnswerC

CloudFront can use any HTTP server as a custom origin.

Why this answer

CloudFront requires a custom origin (HTTP/HTTPS) when the origin is an Application Load Balancer (ALB) because ALBs are not S3 buckets and do not support S3 origin configurations. The custom origin type allows CloudFront to forward requests to the ALB's public DNS name, which resolves to the ALB's IP addresses, enabling proper load balancing and content delivery.

Exam trap

The trap here is that candidates may mistakenly think an ALB can be configured as an S3 origin or that OAI applies to non-S3 origins, but CloudFront strictly requires a custom origin for ALBs and OAI is only valid for S3 bucket origins.

How to eliminate wrong answers

Option A is wrong because an S3 origin expects an S3 bucket endpoint, not an ALB DNS name; using an ALB DNS name as a bucket name would cause a configuration error. Option B is wrong because Origin Access Identity (OAI) is used exclusively with S3 origins to restrict access to S3 content, not with ALB origins; for ALBs, you would use custom headers or AWS WAF to restrict access. Option D is wrong because CloudFront cannot use private IP addresses as origins; the ALB must be internet-facing with a public DNS name for CloudFront to reach it over the internet.

802
MCQmedium

A company has an Amazon DynamoDB table with on-demand capacity mode. The SysOps administrator needs to ensure that the table can survive a regional outage. The table is currently in us-east-1. Which feature should be configured to achieve regional resilience with minimal data loss?

A.DynamoDB Accelerator (DAX)
B.DynamoDB global tables
C.DynamoDB point-in-time recovery
D.DynamoDB auto scaling
AnswerB

Global tables replicate data across Regions automatically, allowing the table to remain available during a regional outage with minimal data loss (eventual consistency).

Why this answer

DynamoDB global tables provide multi-Region, fully replicated tables that automatically propagate writes to all configured Regions, enabling the table to survive a regional outage with minimal data loss. This feature uses DynamoDB Streams to replicate data asynchronously across Regions, offering recovery point objectives (RPO) of typically under one second. For the requirement of regional resilience, global tables are the correct choice because they maintain active copies in multiple AWS Regions.

Exam trap

The trap here is that candidates often confuse point-in-time recovery (PITR) with cross-Region disaster recovery, not realizing that PITR only protects against accidental deletes or corruption within a single Region, not a full regional outage.

How to eliminate wrong answers

Option A is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read performance but does not provide any cross-Region replication or regional resilience. Option C is wrong because point-in-time recovery (PITR) enables restoring a table to any point within the last 35 days within the same Region, but it does not protect against a regional outage since the backups are stored in the same Region. Option D is wrong because DynamoDB auto scaling adjusts read/write capacity based on traffic but does not replicate data across Regions or provide any disaster recovery capability.

803
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. They want to ensure that if a stack update fails, the stack automatically rolls back to the last known good state. Which CloudFormation stack policy should be used?

A.Use the default 'Rollback on failure' setting.
B.Enable termination protection on the stack.
C.Use a stack policy that prevents specific resources from being updated.
D.Set 'DisableRollback' to false.
AnswerA

Automatically rolls back to the previous working state.

Why this answer

Option A is correct because the 'Rollback on failure' setting (default behavior) causes CloudFormation to roll back failed stack updates. Option D is wrong because DisableRollback would leave the stack in a failed state. Option B is wrong because termination protection is not a stack policy.

Option C is wrong because a stack policy prevents updates to specific resources; it does not control rollback.

804
MCQeasy

A company needs to deploy a new version of a Lambda function. The deployment must be gradual, shifting 10% of traffic to the new version every 10 minutes until all traffic is served by the new version. If errors occur, the deployment should roll back immediately. Which deployment strategy should be used?

A.Blue/green deployment with AWS CodeDeploy
B.All-at-once deployment
C.Rolling deployment with Amazon ECS
D.Canary deployment with AWS Lambda
AnswerD

Lambda supports canary deployments with traffic shifting and automatic rollback.

Why this answer

Option D is correct because Lambda canary deployments allow specifying traffic shifting and automatic rollback. Option A is wrong because blue/green is not natively supported for Lambda without additional services. Option C is wrong because rolling deployments are for EC2/ECS.

Option B is wrong because all-at-once deployment is immediate, not gradual.

805
MCQeasy

A DevOps engineer wants to automate the creation of an Amazon EC2 instance with a specific security group and IAM role. Which AWS service should be used to define the infrastructure as code?

A.AWS Elastic Beanstalk
B.AWS CodeDeploy
C.AWS CloudFormation
D.AWS OpsWorks
AnswerC

CloudFormation allows you to define and provision AWS infrastructure using templates.

Why this answer

AWS CloudFormation is the correct service for provisioning infrastructure as code. AWS OpsWorks is for configuration management, CodeDeploy is for application deployment, and Elastic Beanstalk is a PaaS service.

806
MCQhard

A company operates a web application behind an Application Load Balancer (ALB). The SysOps administrator needs to block incoming requests from specific geographic locations (countries X and Y) and also enforce a rate limit of 100 requests per IP address per 5-minute window to mitigate DDoS attacks. The solution must be centrally configured and apply to all requests handled by the ALB. Which AWS service should be used to implement these requirements?

A.AWS WAF
B.Amazon CloudFront geo restriction
C.AWS Shield Advanced
D.Security Groups
AnswerA

AWS WAF offers both geo-match conditions to block requests from specific countries and rate-based rules to limit request rates from an IP address. It integrates directly with ALB and provides a single, centrally managed solution.

Why this answer

AWS WAF is the correct service because it provides both geographic (geo-match) blocking and rate-based rules that can be associated directly with an Application Load Balancer. Geo-match conditions allow you to block requests from specific countries (X and Y), while rate-based rules can limit requests to 100 per 5-minute window per source IP. This solution is centrally configured at the ALB level, applying to all incoming requests without requiring additional infrastructure.

Exam trap

The trap here is that candidates often confuse AWS WAF with CloudFront geo restriction or AWS Shield Advanced, not realizing that only WAF provides both geo-blocking and rate-based rules that can be directly associated with an ALB without requiring CloudFront.

How to eliminate wrong answers

Option B (Amazon CloudFront geo restriction) is wrong because CloudFront geo restriction only works when CloudFront is the front-end service, not directly with an ALB; it cannot be applied to an ALB alone and does not support rate limiting. Option C (AWS Shield Advanced) is wrong because while it provides enhanced DDoS protection and cost protection, it does not offer granular geo-blocking or configurable rate-based rules; it is a managed threat protection service, not a web application firewall. Option D (Security Groups) is wrong because security groups operate at the network layer (Layer 3/4) and cannot inspect application-layer attributes like geographic origin or enforce rate limits based on HTTP request counts.

807
MCQhard

Refer to the exhibit. An S3 bucket policy is configured for a CloudFront distribution using an OAI. The policy allows the OAI to get objects. Additionally, it allows anyone from the IP range 203.0.113.0/24 to get objects directly. Users from other IPs report they can still access objects directly via S3 URLs. What is the most likely cause?

A.The policy allows public access from the specified IP range, overriding the OAI restriction.
B.The OAI is not correctly associated with the CloudFront distribution.
C.The CloudFront distribution is using a custom origin instead of S3.
D.The S3 bucket has a bucket ACL that grants public read access.
AnswerD

Bucket ACLs can grant public access even if the policy restricts.

Why this answer

Option D is correct. The bucket policy contains two Allow statements: one that lets the OAI get objects and one that lets all principals from the 203.0.113.0/24 range get objects. The policy does not explicitly deny public access; for requests from any other IP it neither allows nor denies, so the implicit deny should apply and those requests should fail.

Because the exhibit shows that users from other IPs can still access objects directly, the access must be granted by something other than the bucket policy. A bucket ACL that grants public read would do exactly that, particularly if the bucket is not configured to block public access.

Option B is wrong because the OAI is specified. Option A is wrong because the OAI is still allowed. Option C is wrong because the policy is valid.

808
MCQhard

A SysOps admin is investigating why a CloudWatch alarm did not trigger an SNS notification when a metric breached the threshold. The alarm state is visible in the console as 'ALARM'. What is the most likely reason the notification was not sent?

A.The SNS topic's subscription is not confirmed
B.The alarm name contains special characters
C.The alarm's evaluation period is set to 1 minute
D.The metric has a resolution of 1 minute
AnswerA

Email subscriptions require confirmation; if not confirmed, notifications are not delivered.

Why this answer

The most likely reason the notification was not sent is that the SNS topic's subscription is not confirmed. When an SNS topic sends a notification to an endpoint such as email, HTTP, or SMS, the subscription must first be confirmed by the subscriber. If the subscription remains in a 'Pending confirmation' state, SNS will not deliver messages to that endpoint, even if the CloudWatch alarm transitions to the ALARM state and publishes to the topic.

Exam trap

The trap here is that candidates assume any alarm in ALARM state will automatically trigger its configured SNS action, overlooking the requirement that the SNS subscription must be in a confirmed state before messages can be delivered.

How to eliminate wrong answers

Option B is wrong because CloudWatch alarm names can contain special characters (e.g., hyphens, underscores, spaces) without affecting notification delivery; the alarm name is simply a label and does not impact SNS publishing. Option C is wrong because setting the evaluation period to 1 minute does not prevent notifications; it only affects how quickly the alarm evaluates metric data and transitions state. Option D is wrong because a metric resolution of 1 minute (standard resolution) is normal and does not interfere with alarm actions or SNS notifications; high-resolution metrics (1 second) are also supported without issue.

809
MCQmedium

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest using server-side encryption. Which combination of actions should be taken to enforce this policy?

A.Enable default encryption on each S3 bucket and create a CloudWatch alarm to notify if unencrypted objects are uploaded.
B.Use an S3 bucket policy with a Deny statement for s3:PutObject without encryption applied to all buckets via a single policy.
C.Use AWS CloudTrail to monitor PutObject calls and trigger an AWS Lambda function to delete unencrypted objects.
D.Use an S3 bucket policy on each bucket that denies s3:PutObject if the x-amz-server-side-encryption header is not present.
AnswerD

This denies uploads without encryption, enforcing encryption at upload.

Why this answer

Option D is correct because using an S3 bucket policy with a Deny for s3:PutObject without the x-amz-server-side-encryption header enforces encryption at upload time. Option B is wrong because bucket policies cannot be applied to all buckets at once; each bucket needs its own policy. Option A is wrong because enabling default encryption on existing buckets does not prevent unencrypted uploads (default encryption applies only if no header is specified).

Option C is wrong because CloudTrail can log but not enforce encryption.

810
MCQeasy

A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used to track these changes?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch
D.AWS Trusted Advisor
AnswerB

CloudTrail logs all API calls for audit.

Why this answer

Option B is correct because AWS CloudTrail logs all API calls, including IAM policy changes. Option A is wrong because AWS Config records resource configuration but not API calls.

Option C is wrong because CloudWatch is for monitoring metrics. Option D is wrong because Trusted Advisor provides best practice checks.

811
Multi-Selecteasy

A SysOps administrator is creating a monitoring solution for a web application that uses an Application Load Balancer (ALB) and an Auto Scaling group of EC2 instances. The administrator wants to monitor the average request count per minute and the number of healthy hosts. Which TWO CloudWatch metrics should the administrator use? (Choose TWO.)

Select 2 answers
A.AWS/ApplicationELB Latency
B.AWS/ApplicationELB HealthyHostCount
C.AWS/EC2 CPUUtilization
D.AWS/AutoScaling GroupInServiceInstances
E.AWS/ApplicationELB RequestCount
AnswersB, E

HealthyHostCount indicates the number of healthy registered targets.

Why this answer

Option B, AWS/ApplicationELB HealthyHostCount, is correct because it directly reports the number of registered instances that are passing health checks, which is exactly what the administrator needs to monitor the number of healthy hosts behind the ALB. Option E, AWS/ApplicationELB RequestCount, is correct because it tracks the total number of requests handled by the ALB, and by dividing by the time period, the administrator can calculate the average request count per minute.

Exam trap

The trap here is that candidates often confuse Auto Scaling group metrics (like GroupInServiceInstances) with ALB health check metrics (HealthyHostCount), not realizing that an instance can be InService but still unhealthy to the ALB if it fails health checks.

812
MCQmedium

A company has an S3 bucket policy as shown. A developer tries to upload an object using the AWS CLI without the --no-verify-ssl flag. What will happen?

A.The upload will succeed only if the developer uses HTTP.
B.The upload will fail because the policy denies all s3:* actions.
C.The upload will fail because the policy requires explicit HTTPS.
D.The upload will succeed because the CLI uses HTTPS by default.
AnswerD

Default CLI uses HTTPS, which satisfies the policy condition.

Why this answer

Option D is correct because the policy denies requests that are not using secure transport (HTTPS). Since the CLI uses HTTPS by default, the request is allowed. Option C is wrong because the default is already HTTPS, so no explicit flag is needed.

Option A is wrong because the policy denies HTTP, not HTTPS. Option B is wrong because the policy allows HTTPS requests.

813
Matchingmedium

Match each AWS database service to its type.

Concepts

Relational database

NoSQL key-value and document

In-memory caching

Data warehousing

Graph database

Why these pairings

These are the primary AWS database services.

814
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. The stack includes an RDS DB instance with automated backups enabled. The SysOps administrator needs to ensure that the database can be recovered to any point within the last 35 days with minimal data loss. What should the administrator do?

A.Create a manual snapshot daily and retain 35 snapshots.
B.Set the backup retention period to 35 days.
C.Enable Multi-AZ on the RDS instance.
D.Configure AWS Backup with a 35-day backup plan.
AnswerB

Automated backups with a 35-day retention allow point-in-time recovery to any second within that window.

Why this answer

RDS automated backups support point-in-time recovery (PITR) within the backup retention period, which can be set up to 35 days. Option A is wrong because manual snapshots are not automatically continuous. Option C is wrong because Multi-AZ provides high availability, not granular recovery.

Option D is wrong because the default backup retention is 1 day, not 35.

815
MCQmedium

A company runs an e-commerce application on Amazon EC2 instances behind an Auto Scaling group. The application has a predictable baseline load from 8 AM to 8 PM daily and low load overnight. The SysOps administrator wants to optimize costs while ensuring sufficient capacity for the baseline load. Which purchasing option and scaling strategy should the administrator use?

A.Use On-Demand instances for the baseline and Spot Instances for any additional capacity.
B.Use Reserved Instances for the predicted baseline and On-Demand for any unexpected spikes.
C.Use Dedicated Hosts for all instances to maximize cost savings.
D.Use Spot Instances for all instances to minimize costs.
AnswerB

Reserved Instances offer up to 72% discount for consistent usage. On-Demand covers variable capacity needs, providing a cost-effective and flexible solution.

Why this answer

Option B is correct because Reserved Instances provide a significant discount (up to 72%) over On-Demand for predictable, steady-state workloads like the 8 AM to 8 PM baseline. On-Demand instances then cover any unexpected spikes without requiring upfront commitment, ensuring cost optimization while maintaining capacity for the predictable load.

Exam trap

The trap here is that candidates assume Spot Instances are always the cheapest option, but they fail to recognize that the predictable baseline load requires guaranteed availability, which Spot Instances cannot provide due to potential interruptions.

How to eliminate wrong answers

Option A is wrong because Spot Instances can be interrupted with a 2-minute warning when AWS needs capacity back, making them unsuitable for a baseline load that must be reliably available during business hours. Option C is wrong because Dedicated Hosts are a physical server dedicated to your use, which is far more expensive than Reserved Instances and provides no cost optimization benefit for a standard e-commerce application that does not require license compliance or physical isolation. Option D is wrong because Spot Instances are not suitable for all instances due to their potential for interruption, which would cause the application to fail during the predictable baseline load.

816
Multi-Selectmedium

A company is designing a highly available architecture using an Application Load Balancer (ALB) with multiple target groups. Which TWO statements are correct regarding ALB routing?

Select 2 answers
A.An ALB can route requests based on the client IP address.
B.An ALB can route requests based on the source TCP port.
C.An ALB can only be configured with an IPv4 listener.
D.An ALB can route requests to different target groups based on the URL path.
E.An ALB can route requests to different target groups based on the host header.
AnswersD, E

Path-based routing is a supported feature of ALB.

Why this answer

Option D is correct because an Application Load Balancer (ALB) supports path-based routing, allowing you to define rules that forward requests to different target groups based on the URL path (e.g., /api to one group and /images to another). Option E is correct because ALB also supports host-based routing, enabling you to route traffic based on the Host header in the HTTP/HTTPS request, which is essential for multi-domain or multi-tenant architectures.

Exam trap

The trap here is that candidates often confuse ALB's Layer 7 capabilities with Network Load Balancer (NLB) features, mistakenly thinking ALB can route based on IP or port, or that ALB is IPv4-only, when in fact ALB supports IPv6 via dual-stack mode and only routes on application-layer content.

817
MCQhard

A company runs a stateful web application on EC2 instances in an Auto Scaling group across two Availability Zones. The application uses an Application Load Balancer for traffic distribution. Users report that their sessions are frequently lost during scale-in events. The SysOps administrator needs to minimize session loss without introducing significant latency. What should the administrator do?

A.Replace the Application Load Balancer with a Network Load Balancer. Enable proxy protocol v2 to pass client IP addresses.
B.Enable sticky sessions (session affinity) on the ALB. Configure a lifecycle hook on the Auto Scaling group with a wait time equal to the ALB's connection draining timeout.
C.Increase the Auto Scaling group's cooldown period to 600 seconds. Configure the ALB to have a deregistration delay of 600 seconds.
D.Configure the Auto Scaling group to scale based on memory utilization instead of CPU. Set the cooldown period to 300 seconds.
AnswerB

Sticky sessions route requests to the same instance; lifecycle hooks delay termination until draining completes, preserving sessions.

Why this answer

Option B is correct because using an ALB with sticky sessions (session affinity) and a connection draining timeout that matches the lifecycle hook's wait time ensures that in-flight requests complete before instance termination. Option D is wrong because scaling based on memory does not address session stickiness. Option C is wrong because a larger cooldown delay helps but does not ensure session persistence across instances.

Option A is wrong because a Network Load Balancer does not support cookie-based sticky sessions in the same way and is not ideal for HTTP traffic.

818
MCQmedium

A company uses AWS CodePipeline to deploy a web application. The pipeline includes a stage that runs a database migration script. The SysOps administrator wants to ensure that if the migration script fails, the entire pipeline stops and the previous version of the application remains deployed. Which pipeline stage configuration should be used to achieve this behavior?

A.Use a parallel action group for the migration step so other steps continue.
B.Configure the migration step as a sequential action and set the OnFailure to ABORT.
C.Configure the migration step as a sequential action and set the OnFailure to ROLLBACK.
D.Use a manual approval step after the migration to verify success.
AnswerB

ABORT stops the pipeline immediately upon stage failure, preventing any further actions. The previous deployment remains intact because no subsequent deploy stages are triggered.

Why this answer

Option B is correct because setting the migration step as a sequential action with OnFailure set to ABORT ensures that if the migration script fails, the pipeline immediately stops and does not proceed to any subsequent stages. This prevents the deployment of a new application version that depends on a failed database migration, thereby keeping the previous version deployed.

Exam trap

The trap here is that candidates confuse the OnFailure ROLLBACK option with a full infrastructure rollback (like AWS CloudFormation stack rollback), not realizing that CodePipeline's ROLLBACK only affects the pipeline execution state and does not automatically revert the deployed application or database changes.

How to eliminate wrong answers

Option A is wrong because using a parallel action group would allow other steps to continue even if the migration fails, which contradicts the requirement to stop the entire pipeline and preserve the previous deployment. Option C is wrong because setting OnFailure to ROLLBACK would attempt to revert the pipeline to a previous state, but CodePipeline does not natively support automatic rollback of deployed application versions; ROLLBACK only retries the failed action or transitions to a failed state without restoring the prior application version. Option D is wrong because a manual approval step after the migration only adds a gate to verify success but does not automatically stop the pipeline or prevent deployment if the migration fails; it relies on human intervention and does not enforce the required behavior.

819
MCQhard

A SysOps administrator notices that a Lambda function is timing out after 30 seconds. The function processes large files from S3. How can the administrator improve performance while minimizing cost?

A.Increase the timeout value to 5 minutes.
B.Enable Provisioned Concurrency.
C.Increase the memory allocation of the Lambda function.
D.Deploy the function on an EC2 instance.
AnswerC

More memory provides more CPU, reducing execution time.

Why this answer

Option C is correct because increasing memory also increases CPU and network throughput, which can speed up processing. Increasing the timeout alone (Option A) will not improve speed. Deploying the function on an EC2 instance (Option D) is not applicable here.

Provisioned Concurrency (Option B) adds cost.

820
MCQhard

An application running on EC2 instances sends custom metrics to CloudWatch using the PutMetricData API. The metrics are not appearing in the CloudWatch console. The IAM role attached to the instances has the following policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*" } ] }. What is the most likely cause?

A.The metric timestamp is older than 14 days.
B.The metric namespace must start with 'AWS/'.
C.The metric data is being sent to a different AWS region.
D.The IAM policy does not allow the 'cloudwatch:PutMetricData' action.
AnswerC

If the region in the PutMetricData call differs from the console, metrics won't appear.

Why this answer

The most likely cause is that the metric data is being sent to a different AWS region than the one displayed in the CloudWatch console. The PutMetricData API call includes a regional endpoint, and if the EC2 instance is configured to send metrics to a region other than the one you are viewing, the metrics will not appear. The IAM policy correctly allows the action, so authentication is not the issue.

Exam trap

The trap here is that candidates often assume the issue is a missing IAM permission or an invalid namespace, but the real problem is a region mismatch between where the data is sent and where it is viewed.

How to eliminate wrong answers

Option A is wrong because CloudWatch accepts metric data with timestamps up to 15 days in the past (and 2 hours in the future), so a timestamp older than 14 days is still within the acceptable range and would not prevent the metric from appearing. Option B is wrong because custom metric namespaces can be any string and do not need to start with 'AWS/'; the 'AWS/' prefix is reserved for AWS services, but custom metrics can use any namespace. Option D is wrong because the IAM policy explicitly allows 'cloudwatch:PutMetricData' on all resources, so there is no permission issue.

821
MCQeasy

A company has an EC2 instance that needs to have a static public IP address that does not change even if the instance is stopped and started. Which AWS resource should be attached to the instance?

A.An Elastic IP address
B.An automatically assigned public IP address
C.A secondary private IP address
D.A static private IP address
AnswerA

An Elastic IP is a static public IPv4 address that can be associated with an instance.

Why this answer

Option A is correct because an Elastic IP address is a static public IP that can be associated with an instance and remains with the account until released. Option B is wrong because public IPs automatically assigned by AWS change when the instance is stopped and started. Option D is wrong because private IPs are not public.

Option C is wrong because a secondary private IP is not public.

822
MCQeasy

A SysOps administrator uses AWS CloudFormation to deploy infrastructure. The administrator needs to store and reference sensitive data such as database passwords in the stack without hardcoding them in the template. Which CloudFormation feature should be used?

A.Use AWS Systems Manager Parameter Store secure strings and dynamic references in the CloudFormation template
B.Use AWS Secrets Manager and reference the secret using a static reference in the template
C.Define plaintext parameters in the template and mark them as NoEcho
D.Store the secrets in an encrypted S3 object and reference it via a URL in the template
AnswerA

CloudFormation dynamic references (e.g., '{{resolve:ssm-secure:MyParameter}}') securely retrieve secure string parameters at stack operation time.

Why this answer

Option A is correct because AWS CloudFormation supports dynamic references (using the `resolve:ssm` or `resolve:ssm-secure` syntax) that allow you to reference Systems Manager Parameter Store secure strings directly in the template. This keeps sensitive data like database passwords out of the template and the stack's metadata, ensuring they are not exposed in plaintext during stack operations or in the console.

Exam trap

The trap here is that candidates confuse `NoEcho` (which only hides display output) with actual secure storage, or they assume static references work with Secrets Manager when only dynamic references are supported for both Parameter Store secure strings and Secrets Manager secrets.

How to eliminate wrong answers

Option B is wrong because AWS Secrets Manager secrets cannot be referenced using a static reference in CloudFormation; they require a dynamic reference (e.g., `resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id`) to retrieve the secret value at deploy time, not a static reference. Option C is wrong because marking a parameter as `NoEcho` only hides its value in console output and logs, but the plaintext value is still passed to the CloudFormation template and can be exposed in the stack's metadata or API responses; it does not provide encryption or secure storage. Option D is wrong because storing secrets in an encrypted S3 object and referencing it via a URL in the template requires the S3 object to be publicly accessible or the template to include IAM permissions to read it, and the URL itself could be exposed in the template or stack metadata, defeating the purpose of secure handling.

823
MCQmedium

A company has an Application Load Balancer (ALB) in the us-east-1 region. Users in Asia report high latency. The SysOps administrator wants to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. Which step is required to integrate Global Accelerator with the ALB?

A.Create a CloudFront distribution and point it to the ALB as an origin.
B.Configure the ALB as an endpoint group in a Global Accelerator accelerator.
C.Set up a Route 53 geoproximity routing policy for the ALB.
D.Use AWS WAF to allow traffic from Global Accelerator edge locations.
AnswerB

Global Accelerator uses endpoint groups that contain endpoints such as ALBs, NLBs, or EC2 instances. Adding the ALB as an endpoint in an endpoint group registers it for traffic routing.

Why this answer

AWS Global Accelerator uses the AWS global network to route traffic to the closest edge location, then forwards it over the AWS backbone to the ALB endpoint. To integrate, you must configure the ALB as an endpoint in an endpoint group within the accelerator, which allows Global Accelerator to direct traffic to the ALB based on proximity and health. This reduces latency for users in Asia by minimizing internet hops.

Exam trap

The trap here is that candidates often confuse Global Accelerator with CloudFront or Route 53 routing policies, assuming any CDN or DNS-based solution can achieve the same latency reduction; Global Accelerator uniquely provides static anycast IP addresses and an optimized network path, without relying on content caching or being subject to DNS caching delays.

How to eliminate wrong answers

Option A is wrong because CloudFront is a content delivery network (CDN) optimized for caching static and dynamic content, not for TCP/UDP traffic acceleration to an ALB; it adds unnecessary complexity and does not provide the anycast IP-based global acceleration that Global Accelerator offers. Option C is wrong because Route 53 geoproximity routing is a DNS-based routing policy that can direct users to different endpoints based on geographic location, but it does not provide the static anycast IP addresses or the optimized network path that Global Accelerator uses to reduce latency; DNS-based routing is also subject to client-side caching and does not offer the same performance improvements. Option D is wrong because AWS WAF is a web application firewall that filters HTTP/S traffic based on rules, not a mechanism to integrate or allow traffic from Global Accelerator edge locations; Global Accelerator automatically handles traffic routing without requiring WAF configuration for integration.

824
Multi-Selectmedium

A company is using AWS CloudFormation to manage infrastructure. The administrator needs to update a stack that contains a critical Amazon RDS database. The administrator wants to prevent accidental updates to the database while allowing updates to other resources. Which TWO steps should the administrator take? (Choose TWO.)

Select 2 answers
A.Use a condition to prevent the RDS resource from being updated.
B.Apply a stack policy that denies updates to the RDS resource.
C.Enable termination protection on the CloudFormation stack.
D.Set the DeletionPolicy attribute to 'Snapshot' on the RDS resource.
E.Remove the RDS resource from the CloudFormation template.
AnswersB, D

A stack policy can protect the RDS resource from updates, and a DeletionPolicy of Snapshot preserves the data if the resource is ever deleted.

Why this answer

Options B and D are correct because a stack policy can protect specific resources from updates, and setting a DeletionPolicy of Snapshot ensures a backup is taken before deletion. Option A is wrong because a condition does not protect the resource; the RDS resource can still be updated if the stack policy allows it. Option C is wrong because termination protection prevents deletion of the whole stack, not updates to specific resources.

Option E is wrong because removing the RDS resource from the template takes it out of CloudFormation management entirely, which is not desired.

825
MCQmedium

A security policy prohibits opening SSH port 22 on any EC2 instance. The operations team needs to run a shell script on 150 Linux instances to collect configuration inventory data. The script output must be captured for review. How should the team execute the script?

A.Use SSM Run Command with the AWS-RunShellScript document targeting all 150 instances; send output to an S3 bucket
B.Create a bastion host with SSH access and use a for loop to SSH into each instance and run the script
C.Use EC2 Instance Connect to establish a temporary SSH session for each instance and run the script
D.Terminate all instances and re-launch them from a new AMI that includes the configuration inventory already baked in
AnswerA

Run Command invocations use the SSM Agent's existing outbound HTTPS connection (port 443) — no inbound rule changes are needed. The command output for each instance is stored separately in S3, allowing the team to review per-instance results. Commands can target instances by tag (e.g., Environment=production) to avoid listing all 150 instance IDs manually.

Why this answer

SSM Run Command with the AWS-RunShellScript document allows you to execute shell scripts on multiple EC2 instances without opening SSH port 22, as it operates over the AWS Systems Manager agent (SSM Agent) using HTTPS (port 443). The output can be directed to an S3 bucket for centralized review, satisfying both the security policy and the requirement to capture script output.

Exam trap

The trap here is that candidates may assume EC2 Instance Connect or a bastion host are acceptable workarounds, but both still rely on SSH (port 22), which is explicitly prohibited by the security policy, whereas SSM Run Command operates over HTTPS and fully complies.

How to eliminate wrong answers

Option B is wrong because it requires opening SSH port 22 on the instances or the bastion host, which directly violates the security policy prohibiting SSH access. Option C is wrong because EC2 Instance Connect still relies on SSH (port 22) to establish a temporary session, which is also prohibited by the policy. Option D is wrong because terminating and re-launching instances from a new AMI is an overly destructive and inefficient approach that does not capture runtime configuration inventory data from the existing instances.
