AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 826–900

1546 questions total · 21 pages · All types, answers revealed

Page 12 of 21

826
MCQhard

A company has a web application behind an Application Load Balancer (ALB) in a VPC. The application needs to authenticate users using an external identity provider (IdP). The SysOps Administrator recommends using Amazon Cognito as an identity broker. Which ALB action should be configured to authenticate users before forwarding requests to the target group?

A.An authenticate action using Amazon Cognito as the user pool.
B.A fixed-response action to return a 401 status code.
C.A redirect action to the IdP login page.
D.A forward action to the target group.
AnswerA

ALB supports an authenticate action that integrates with Cognito to handle user authentication.

Why this answer

Amazon Cognito integrates directly with Application Load Balancers via an authenticate action. When you configure an ALB rule with an authenticate action using a Cognito user pool, the ALB handles the OAuth 2.0 / OpenID Connect flow with the external IdP, obtains tokens, and only forwards authenticated requests to the target group. This eliminates the need for custom authentication logic in the application.

Exam trap

The trap here is that candidates may think a simple redirect action (Option C) is sufficient, but they miss that the ALB must actively participate in the token exchange and validation, which only the authenticate action provides.

How to eliminate wrong answers

Option B is wrong because a fixed-response action returning a 401 status code would simply reject all requests without any authentication flow, failing to integrate with the external IdP. Option C is wrong because a redirect action to the IdP login page would send users to the IdP but the ALB would not handle the callback or validate tokens, leaving authentication incomplete and unmanaged. Option D is wrong because a forward action to the target group would bypass authentication entirely, allowing unauthenticated requests to reach the application.

827
MCQhard

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company notices that data transfer costs are increasing. The company wants to reduce data transfer costs without impacting performance. Which action should the company take?

A.Increase the bandwidth of the Direct Connect connection to improve performance.
B.Use Direct Connect gateway to connect to multiple VPCs across regions.
C.Set up a VPN connection over the Direct Connect to encrypt traffic.
D.Use VPC endpoints for S3 and DynamoDB to reduce data transfer costs.
AnswerB

Direct Connect gateway enables connecting to multiple VPCs with a single connection, reducing costs.

Why this answer

Direct Connect gateway allows you to connect to multiple VPCs in different regions using a single Direct Connect connection, reducing the need for multiple connections and thus lowering costs. VPC endpoints reduce data transfer costs for traffic to S3 and DynamoDB but not general data transfer. VPN over Direct Connect adds complexity and does not reduce costs.

Increasing bandwidth would increase costs.

828
MCQhard

A company has a critical application running on EC2 instances in an Auto Scaling group behind an ALB. The application uses a custom health check endpoint at /health. The SysOps administrator notices that the ALB occasionally marks instances as unhealthy even though the application is running correctly. The health check settings are: HealthCheckIntervalSeconds=30, HealthyThresholdCount=5, UnhealthyThresholdCount=2. What is the most likely cause of the intermittent health check failures?

A.The health check endpoint returns 5xx errors, which are ignored by the ALB.
B.The UnhealthyThresholdCount is set too low.
C.The HealthyThresholdCount is set too high, causing instances to remain unhealthy after transient issues.
D.The health check is using TCP instead of HTTP.
AnswerC

A high healthy threshold makes the system slow to recover after temporary errors.

Why this answer

Option C is correct: with HealthyThresholdCount=5, an instance must pass 5 consecutive health checks before it is marked healthy again. If the health check endpoint returns a single 5xx error because of a transient issue, the instance can remain unhealthy for a prolonged period. Option D is incorrect because TCP health checks are less granular but would not cause intermittent failures as long as the instance is reachable.

Option B is incorrect because an UnhealthyThresholdCount of 2 is standard and not too low. Option A is incorrect because 5xx errors are not ignored by ALB health checks.

829
MCQhard

A SysOps administrator uses AWS CloudFormation to deploy infrastructure. The admin has a template that creates an EC2 instance with a custom software stack. The software stack must be installed and configured using PowerShell scripts. The admin wants to minimize operational overhead by automating the creation of an AMI that includes the software stack, and the AMI should be rebuilt on a weekly basis to include the latest security patches. Which combination of AWS services should be used?

A.Use EC2 Image Builder to define a component with the PowerShell scripts, create a recipe, and schedule a pipeline to run weekly.
B.Use AWS Systems Manager Automation to run a PowerShell script on an existing EC2 instance, then manually create an AMI each week.
C.Use AWS CodePipeline with CodeBuild to run the PowerShell scripts and create an AMI using the AWS CLI, triggered by a weekly CloudWatch Events schedule.
D.Use Amazon EC2 Auto Scaling with a lifecycle hook to run the PowerShell script on instance launch, and schedule a weekly instance refresh.
AnswerA

EC2 Image Builder is purpose-built for creating golden AMIs with custom scripts. It handles the entire process, including patching, testing, and scheduling, with minimal operational overhead.

Why this answer

EC2 Image Builder is purpose-built for automating the creation, patching, and testing of custom AMIs. By defining a component that encapsulates the PowerShell scripts, creating a recipe that references that component, and scheduling a pipeline to run weekly, the administrator achieves fully automated, repeatable AMI builds with minimal operational overhead. This directly meets the requirement for weekly rebuilds with the latest security patches.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a multi-service orchestration (like CodePipeline + CodeBuild) when a single, purpose-built service (EC2 Image Builder) is designed exactly for this use case, leading to unnecessary complexity and operational overhead.

How to eliminate wrong answers

Option B is wrong because it requires manual intervention each week to create the AMI, which contradicts the goal of minimizing operational overhead and does not provide automation. Option C is wrong because while CodePipeline and CodeBuild can automate AMI creation, they are not the simplest or most purpose-built solution for this task; EC2 Image Builder is specifically designed for image lifecycle management, reducing complexity and maintenance. Option D is wrong because EC2 Auto Scaling with lifecycle hooks and instance refresh is designed for managing running instances and fleet updates, not for building and maintaining a golden AMI; it does not provide a mechanism to create a new AMI on a weekly schedule.

830
MCQeasy

A company wants to grant an IAM role in Account A access to an S3 bucket in Account B. What must be configured?

A.A trust policy in Account B allowing the IAM role to access the bucket.
B.A bucket policy in Account B granting access to the IAM role, and a trust policy in Account A allowing the role to assume the permissions.
C.A bucket policy in Account B allowing access from the IAM role.
D.An IAM role in Account A with a policy allowing access to the bucket.
AnswerB

This is the standard cross-account access setup.

Why this answer

Option B is correct because cross-account access requires both a bucket policy in Account B that grants access to the role and a trust policy in Account A that allows the role to assume the permissions. Option C is wrong because a bucket policy alone is insufficient; the role must also be trusted. Option D is wrong because an IAM role policy in Account A alone is insufficient; the bucket policy must also allow access.

Option A is wrong because the trust policy belongs in Account A, not Account B.

831
MCQmedium

A SysOps administrator needs to monitor AWS CloudTrail logs for any calls to the 'CreateUser' API in AWS Identity and Access Management (IAM). When such an API call is detected, the administrator wants to receive a notification within a few minutes and also log the event to a central log group in Amazon CloudWatch Logs. The solution should use minimal custom code. Which combination of services should be used?

A.Configure AWS CloudTrail to deliver logs to Amazon CloudWatch Logs, create a metric filter for the 'CreateUser' API call, and set up a CloudWatch alarm that sends an Amazon SNS notification.
B.Use AWS CloudTrail with Amazon EventBridge by creating an event rule that matches the 'CreateUser' API call via the 'aws.cloudtrail' event source, and set the targets to an Amazon SNS topic and a CloudWatch Logs log group.
C.Write an AWS Lambda function that is triggered by Amazon S3 events when a new CloudTrail log is delivered to S3. The Lambda parses the log file for 'CreateUser' and if found, sends an SNS notification.
D.Enable AWS Config and create a custom rule that evaluates CloudTrail trail configurations for events.
AnswerB

Amazon EventBridge natively listens for AWS service events, including CloudTrail API calls. By creating a rule with a custom event pattern that matches the specific API call, you can directly send the event to multiple targets (SNS, CloudWatch Logs, Lambda, etc.) without needing metric filters or alarms. This is the recommended low-overhead solution.

Why this answer

Option B is correct because Amazon EventBridge can directly consume CloudTrail events in near-real time via the 'aws.cloudtrail' event source, allowing you to create a rule that matches the 'CreateUser' API call. This rule can then target both an Amazon SNS topic for immediate notification and a CloudWatch Logs log group for centralized logging, all without custom code.

Exam trap

The trap here is that candidates often assume CloudTrail-to-CloudWatch Logs delivery is the fastest method, but they overlook the inherent delivery latency and the fact that EventBridge provides a more immediate, event-driven path for real-time monitoring.

How to eliminate wrong answers

Option A is wrong because while CloudTrail can deliver logs to CloudWatch Logs, this delivery has a latency of up to 15 minutes, which does not meet the 'within a few minutes' requirement; also, metric filters and alarms operate on the delivered logs, not on the event stream. Option C is wrong because it requires custom Lambda code to parse S3-delivered CloudTrail logs, which violates the 'minimal custom code' requirement and introduces additional latency and complexity. Option D is wrong because AWS Config evaluates resource configurations, not real-time API call events; a custom Config rule cannot detect individual 'CreateUser' API calls as they occur.

832
MCQhard

A SysOps administrator is troubleshooting a failed AWS CodeBuild build. The build project uses an Amazon S3 source. The buildspec.yml file includes commands that require internet access to download dependencies. The build is failing with a timeout error when trying to download from an external repository. The VPC configuration for the build project uses a private subnet with no NAT gateway. What change should be made to resolve the issue?

A.Attach a NAT gateway to the private subnet's route table.
B.Configure an HTTP proxy in the build project.
C.Create a VPC endpoint for the external repository.
D.Move the build project to a public subnet with an internet gateway.
AnswerA

NAT gateway allows outbound internet access from private subnet.

Why this answer

Option A is correct because a NAT gateway (or NAT instance) is required for instances in a private subnet to reach the internet. Option D is incorrect because, although a public subnet would provide direct internet access, the question implies that the build must stay in a private subnet. Option C is incorrect because VPC endpoints provide access to AWS services, not to the internet.

Option B is incorrect because a proxy is not the standard solution; NAT is.

833
MCQmedium

A SysOps administrator notices that traffic to an Application Load Balancer (ALB) is being rejected. The ALB has a security group that allows inbound HTTP (80) and HTTPS (443) from 0.0.0.0/0. The target group health checks are failing. What could be the issue?

A.The target instances' security group does not allow inbound traffic from the ALB security group.
B.The ALB security group does not allow outbound traffic to the targets.
C.The ALB’s security group is blocking health check traffic from the targets.
D.The target instances' security group does not allow inbound HTTP/HTTPS from the internet.
AnswerA

The target security group must allow inbound from the ALB for health checks to succeed.

Why this answer

Option A is correct because, while the ALB security group must allow inbound traffic from clients, the target instances' security group must allow inbound traffic from the ALB security group. If the target security group does not allow traffic from the ALB, health checks fail. Option D is wrong because health checks come from the ALB, not from the internet.

Option B is wrong because the ALB does not have a security group on the target side. Option C is wrong because the ALB's security group already allows HTTP/S, and health check traffic originates from the ALB, not from the targets.

834
MCQhard

An application runs on EC2 instances behind an ALB. Users report slow response times. CPU utilization averages 90% during peak hours. What is the MOST effective way to improve performance?

A.Enable detailed monitoring on CloudWatch.
B.Switch to a memory-optimized instance type.
C.Add more Security Group rules.
D.Increase the instance size to a larger type.
AnswerD

Larger instances provide more CPU capacity.

Why this answer

Option D is correct because increasing the instance size directly addresses high CPU utilization. Auto Scaling handles changes in load but may not fix the underlying performance problem. Changing to a compute-optimized instance type can help, but scaling out is more cost-effective.

835
MCQmedium

A company runs a batch processing job every night on Amazon EC2 instances. The job takes exactly 2 hours to complete and can be interrupted and resumed later. The SysOps administrator wants to minimize compute costs. Which purchasing option should be used?

A.Spot Instances
B.Reserved Instances
C.On-Demand Instances
D.Dedicated Instances
AnswerA

Spot Instances provide the highest discount and are suitable for flexible, interruptible workloads like batch processing.

Why this answer

Spot Instances are the correct choice because the batch job is fault-tolerant (can be interrupted and resumed) and runs for a fixed 2-hour window nightly. Spot Instances offer up to 90% cost savings compared to On-Demand, and with the ability to handle interruptions via checkpointing, they minimize compute costs without requiring a long-term commitment.

Exam trap

The trap here is that candidates often choose On-Demand Instances due to a mistaken belief that any interruptible workload requires guaranteed availability, ignoring that Spot Instances are explicitly designed for fault-tolerant, stateless, or checkpointable workloads like batch processing.

How to eliminate wrong answers

Option B (Reserved Instances) is wrong because they require a 1- or 3-year commitment and are cost-effective only for steady-state workloads, not for a nightly 2-hour job that can be interrupted. Option C (On-Demand Instances) is wrong because they are the most expensive option and provide no cost savings for a fault-tolerant, interruptible workload. Option D (Dedicated Instances) is wrong because they are designed for regulatory or licensing requirements that demand physical isolation, not for cost optimization, and they incur additional per-instance fees.

836
MCQmedium

A company requires that all Amazon S3 buckets in its AWS account must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to detect any bucket that does not have KMS encryption enabled and automatically remediate it by enabling encryption. Which AWS service should be used to implement this automated compliance enforcement?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerA

AWS Config can continuously monitor and evaluate S3 bucket configurations. With a managed rule for server-side encryption, it can detect non-compliant buckets. Combined with automatic remediation actions, AWS Config can enable encryption on non-compliant buckets without manual intervention.

Why this answer

AWS Config is the correct service because it can continuously monitor S3 bucket configurations against a desired encryption state using managed rules like 's3-bucket-server-side-encryption-enabled' or custom Lambda rules. When a non-compliant bucket is detected, AWS Config can trigger an automatic remediation action via Systems Manager Automation to enable SSE-KMS encryption, enforcing compliance without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's detective and remediation capabilities with CloudTrail's logging or Trusted Advisor's advisory-only checks, assuming any 'security' service can enforce compliance, but only AWS Config provides automated remediation via rules and Systems Manager.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail is a service for auditing API calls and logging activity, not for detecting or remediating configuration drift in real time. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS, VPC flow logs, and CloudTrail events for malicious activity, not for enforcing encryption policies on S3 buckets. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations and checks for cost optimization, security, and performance, but it cannot automatically remediate non-compliant resources; it only reports findings.

837
MCQhard

A company has a VPC with public and private subnets. A NAT Gateway is deployed in the public subnet. Private EC2 instances need to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instances cannot reach the internet. What is the most likely cause?

A.The private subnet’s network ACL is blocking outbound traffic.
B.The NAT Gateway is not placed in a public subnet with a route to an internet gateway.
C.The security group for the private instances does not allow outbound HTTPS.
D.The NAT Gateway does not have an Elastic IP address assigned.
AnswerB

NAT Gateway must be in a public subnet with IGW route to translate and forward traffic.

Why this answer

Option B is correct because the NAT Gateway must be in a public subnet whose route table has a default route to an internet gateway. If the NAT Gateway's subnet lacks that route, the NAT Gateway cannot forward traffic to the internet. Option D is wrong because the NAT Gateway does not need a public IP for outbound-only traffic (though it helps).

Option A is irrelevant to internet access in this scenario. Option C is wrong because security groups for private instances should allow outbound traffic.

838
MCQeasy

A SysOps administrator needs to automate the creation of an Amazon S3 bucket with versioning enabled and default encryption using AWS CloudFormation. Which CloudFormation resource type should the administrator use?

A.AWS::S3::Bucket
B.AWS::S3::BucketPolicy
C.AWS::KMS::Key
D.AWS::S3::BucketVersioning
AnswerA

This is the correct resource type to create an S3 bucket.

Why this answer

AWS::S3::Bucket is the resource type for creating S3 buckets, so Option A is correct. Option B is wrong because AWS::S3::BucketPolicy is for bucket policies.

Option D is wrong because AWS::S3::BucketVersioning is not a valid resource type; versioning is a property of AWS::S3::Bucket. Option C is wrong because AWS::KMS::Key creates KMS keys, not S3 buckets.

839
Multi-Selectmedium

A company is using AWS CloudFormation to manage its infrastructure. The SysOps administrator wants to update a stack that includes an Amazon RDS database. The administrator needs to modify the DB instance class but wants to avoid downtime. Which TWO options should the administrator consider? (Choose two.)

Select 2 answers
A.Apply the change during the RDS maintenance window to control when the modification occurs.
B.Deploy the RDS instance as Multi-AZ to allow a failover during the modification.
C.Set the DeletionPolicy attribute to Retain on the RDS instance.
D.Delete the current RDS instance and create a new one with the desired instance class.
E.Take a snapshot of the database and restore it with the new instance class.
AnswersA, B

Applying during maintenance window ensures it happens at a scheduled time, but may still cause a brief downtime.

Why this answer

Option B is correct because a Multi-AZ deployment allows modifications with minimal downtime by applying the change to the standby first. Option A is correct because applying the change during the maintenance window can also reduce the impact. Option D is wrong because deleting and recreating the instance causes downtime.

Option E is wrong because restoring from a snapshot does not help with modifying the instance class. Option C is wrong because setting DeletionPolicy to Retain does not affect updates.

840
MCQeasy

A SysOps administrator needs to monitor application logs in Amazon CloudWatch Logs for the occurrence of the string 'ERROR'. The administrator wants to create a custom metric that counts the number of 'ERROR' occurrences per 5-minute window and trigger an Amazon CloudWatch alarm when the count exceeds 10. Which action should the administrator take to create the custom metric?

A.Create a CloudWatch Events rule that triggers on 'ERROR' and publishes a metric.
B.Create a metric filter on the CloudWatch Logs log group that matches the term 'ERROR'.
C.Create a CloudWatch dashboard that displays the log group and set an alarm on the dashboard.
D.Enable AWS CloudTrail on the log group and select the 'ERROR' pattern.
AnswerB

A metric filter is the correct way to define a pattern to look for in log events. CloudWatch Logs uses the filter to publish a numeric metric to CloudWatch, which can then be used for alarms.

Why this answer

Option B is correct because metric filters in CloudWatch Logs allow you to define a pattern (e.g., 'ERROR') that is evaluated against incoming log events. The filter counts occurrences and publishes a custom metric to CloudWatch, which can then be used to set an alarm with a period of 5 minutes and a threshold of 10.

Exam trap

The trap here is that candidates confuse CloudWatch Logs metric filters with CloudWatch Events or CloudTrail, thinking those services can parse log content, when in fact only metric filters can extract and count patterns from log data.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events (now Amazon EventBridge) is used to trigger actions based on events, not to parse log content and create custom metrics; it cannot count string occurrences in log streams. Option C is wrong because a CloudWatch dashboard is a visualization tool and cannot directly create a custom metric or trigger an alarm; alarms are set on metrics, not dashboards. Option D is wrong because AWS CloudTrail records API activity, not application log content; it cannot be enabled on a CloudWatch Logs log group or used to count 'ERROR' strings in application logs.

841
Multi-Selecthard

Which THREE components are required to establish a site-to-site VPN connection between an AWS VPC and an on-premises network? (Choose three.)

Select 3 answers
A.Customer gateway (CGW)
B.Transit gateway
C.VPN connection
D.Virtual private gateway (VGW)
E.AWS Direct Connect
AnswersA, C, D

The CGW represents the on-premises VPN device.

Why this answer

Options A, C, and D are correct. A virtual private gateway is the VPN concentrator on the AWS side. A customer gateway represents the on-premises VPN device.

A VPN connection ties them together with IPsec tunnels. Option B is wrong because a transit gateway is not required; it is used for complex network topologies. Option E is wrong because Direct Connect is a dedicated physical connection, not part of a VPN.

842
MCQeasy

A SysOps administrator maintains an AWS CloudFormation stack for a web application. The administrator needs to update the stack to change the instance type of an Amazon EC2 instance. The administrator wants to review the changes before applying them and ensure that any updates that would replace the instance are clearly identified. Which CloudFormation feature should the administrator use?

A.Change Sets
B.Stack Policies
C.Resource Signals
D.Nested Stacks
AnswerA

Change Sets allow you to review the proposed changes, including resource replacement, before executing the stack update.

Why this answer

Change Sets allow the administrator to preview the proposed changes to a CloudFormation stack before executing them. They clearly indicate whether a resource will be updated without replacement (e.g., modifying an attribute that supports in-place update) or replaced (e.g., changing the instance type of an EC2 instance, which requires recreation). This gives the administrator the ability to review the exact impact and identify any resource replacements before applying the update.

Exam trap

The trap here is that candidates may confuse Change Sets with Stack Policies, thinking that Stack Policies can preview changes, when in reality Stack Policies only enforce guardrails during updates and do not provide any preview or replacement identification.

How to eliminate wrong answers

Option B (Stack Policies) is wrong because stack policies are used to prevent accidental updates or deletions of specific stack resources during an update operation, not to preview changes or identify replacements. Option C (Resource Signals) is wrong because resource signals (using cfn-signal or wait conditions) are used to synchronize resource creation or configuration, not to review or preview stack updates. Option D (Nested Stacks) is wrong because nested stacks are used to compose a stack from multiple stacks for modularity and reuse, not to preview changes or identify resource replacements during an update.

843
MCQmedium

A SysOps administrator is creating a CloudFormation stack and receives the error shown in the exhibit. The template snippet for the Auto Scaling group is: "MyAutoScalingGroup": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "MinSize": "1", "MaxSize": "5", "DesiredCapacity": "2", ... } }

A.The DesiredCapacity value must be less than MinSize.
B.The MinSize value exceeds the MaxSize value.
C.The Auto Scaling group must have a scaling policy.
D.The MinSize value must be specified as an integer, not a string.
AnswerD

CloudFormation requires numeric fields to be integers, not strings.

Why this answer

The error states that MinSize must be of type Number, but the template provides the string value '1'. CloudFormation expects integer values for MinSize, MaxSize, and DesiredCapacity. Option D is correct.

Option A is wrong because DesiredCapacity is also a string, but the error specifically mentions MinSize. Option C is wrong because a scaling policy is not relevant to this error. Option B is wrong because the values are within range.

844
MCQmedium

A SysOps administrator needs to ensure that all traffic to an Application Load Balancer (ALB) uses encryption. How can this be enforced?

A.Configure the security group to allow only HTTPS traffic (port 443).
B.Create a listener that redirects HTTP requests (port 80) to HTTPS (port 443).
C.Use AWS WAF to block HTTP requests.
D.Configure the ALB to use a custom SSL certificate.
AnswerB

An ALB listener rule can redirect HTTP to HTTPS, ensuring clients use encrypted connections.

Why this answer

Option B is correct because an Application Load Balancer can be configured with a listener rule that redirects incoming HTTP (port 80) requests to HTTPS (port 443). This ensures that all traffic to the ALB is encrypted in transit, as any unencrypted HTTP request is automatically redirected to the secure HTTPS protocol. The redirect action is a native ALB feature and does not require additional services or complex configurations.

Exam trap

The trap here is that candidates often confuse security group rules with application-layer behavior, mistakenly believing that restricting the security group to port 443 alone will enforce encryption, when in fact it only controls network access and does not prevent unencrypted traffic on that port.

How to eliminate wrong answers

Option A is wrong because security groups operate at the network layer and can only allow or deny traffic based on IP addresses, ports, and protocols; they cannot enforce encryption or redirect traffic. Even if the security group allows only port 443, a client could still send unencrypted HTTP traffic to that port, and the ALB would accept it if a listener exists for HTTP on port 443. Option C is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS requests for malicious patterns, but it cannot enforce encryption or redirect HTTP to HTTPS; it operates after the listener has accepted the connection.

Option D is wrong because configuring a custom SSL certificate on the ALB enables HTTPS but does not automatically redirect HTTP traffic to HTTPS; without a redirect rule, clients can still send unencrypted HTTP requests to the ALB.

845
Multi-Selecthard

A company is using AWS Elastic Beanstalk to manage a web application. The SysOps administrator needs to update the application to a new version with zero downtime. Which THREE steps should the administrator take to achieve this? (Choose three.)

Select 3 answers
A.Terminate all existing instances and replace them with new ones.
B.Create a new Elastic Beanstalk environment with the new application version, then swap the environment URLs.
C.Set the load balancer's health check interval to 300 seconds to allow more time for the new instances to become healthy.
D.Set the Elastic Beanstalk environment's health check grace period to a sufficient time to allow new instances to warm up.
E.Perform a rolling update with a batch size of 1 and set the deployment policy to 'Rolling based on Health' with a pause time.
AnswersB, D, E

Blue/green deployment with URL swap provides zero downtime.

Why this answer

To achieve zero downtime with Elastic Beanstalk, the administrator should use a blue/green deployment or a rolling update with a batch size of 1 and a pause time. Option B is correct because creating a new environment and swapping URLs is a blue/green deployment, which provides zero downtime. Option E is correct because rolling updates with a batch size of 1 replace only one instance at a time, minimizing impact.

Option D is correct because setting a health check grace period prevents premature termination. Option A is wrong because terminating all existing instances causes downtime. Option C is wrong because increasing the load balancer's health check interval to 300 seconds would delay the detection of healthy instances, potentially causing issues.

846
MCQmedium

A company runs a batch processing job every night that takes exactly 2 hours to complete. The job is time-sensitive and cannot tolerate interruptions. The SysOps administrator needs to minimize compute costs for the Amazon EC2 instances used during this job. The job runs every day and has predictable resource requirements. Which purchasing option should the administrator choose?

A.Reserved Instances (Standard)
B.Spot Instances
C.On-Demand Instances
D.Dedicated Hosts
AnswerA

Reserved Instances provide a substantial discount for a predictable, recurring workload, and a zonal Reserved Instance also reserves capacity, which meets both the cost and the no-interruption requirements.

Why this answer

A Standard Reserved Instance is the best choice because the job runs every night for exactly 2 hours with predictable resource requirements, which fits a 1-year or 3-year commitment and yields a discount of up to 72% against On-Demand pricing. Since the job cannot tolerate interruptions, a Reserved Instance carries none of the reclaim risk of Spot; a zonal Reserved Instance additionally reserves capacity in its Availability Zone (a regional Reserved Instance gives the discount but no capacity reservation).

Exam trap

The trap here is that candidates often choose Spot Instances for cost savings without registering the 'cannot tolerate interruptions' constraint, or they assume Reserved Instances require a continuously running workload; the exam treats any predictable, recurring workload as a fit for a Reserved Instance. For real-world planning, note that a Reserved Instance is billed for every hour of its term whether or not an instance is running, so the saving only materialises if the reserved hours are actually consumed; a job that runs 2 hours a day and nothing else would cost less On-Demand.

How to eliminate wrong answers

Option B is wrong because Spot Instances can be interrupted with a 2-minute warning when AWS reclaims capacity, which violates the requirement that the job cannot tolerate interruptions. Option C is wrong because On-Demand Instances are the most expensive option and do not minimize costs for a predictable, recurring workload. Option D is wrong because Dedicated Hosts are used for licensing or compliance requirements (e.g., Windows Server with per-socket licensing) and are significantly more expensive than Reserved Instances, providing no cost benefit for this batch processing job.

847
Multi-Selecthard

A SysOps Administrator is configuring VPC Flow Logs to monitor network traffic. Which THREE pieces of information are included in VPC Flow Log records?

Select 3 answers
A.HTTP status code
B.Protocol number
C.Source IP address
D.DNS query name
E.Destination IP address
AnswersB, C, E

The protocol number (e.g., 6 for TCP, 17 for UDP) is recorded.

Why this answer

Options B, C, and E are correct. A default-format VPC Flow Log record contains, among other fields, the source and destination IP addresses, the source and destination ports, the IANA protocol number, packet and byte counts, the capture window start and end times, and the ACCEPT or REJECT action. Option A is wrong because Flow Logs operate at the network layer and never inspect HTTP, so no status code is recorded.

Option D is wrong because DNS query names are not part of a Flow Log record; Route 53 Resolver query logging is the feature that captures those.
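The parser below is an added example, not part of the original page, showing what a default-format Flow Log record actually carries: it splits the 14 space-separated fields, converts the numeric ones (including the protocol number), treats '-' as missing data, skips NODATA records, and then summarises REJECT flows by protocol and destination port, which is the question a SysOps administrator usually asks of these logs first. The records embedded in it are constructed sample data, not captured traffic.

```python
"""Parse VPC Flow Log records in the default (version 2) format.

Added example, not part of the original page. The records below are
constructed sample data, not captured from a real account.
"""
from collections import Counter

# Field order of the default flow log format (version 2), space separated.
DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

# IANA protocol numbers as they appear in the protocol field.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records (not real traffic). The last one is a NODATA
# record, which carries no flow fields.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 49152 3306 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 51235 23 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.0.2 33000 53 17 1 70 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

NUMERIC_FIELDS = {"version", "srcport", "dstport", "protocol",
                  "packets", "bytes", "start", "end"}


def parse_record(line):
    """Turn one default-format record into a dict.

    Numeric fields are converted to int; '-' (no data) becomes None.
    Returns None for lines that do not have the expected 14 fields.
    """
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        return None
    record = {}
    for name, value in zip(DEFAULT_FIELDS, parts):
        if value == "-":
            record[name] = None
        elif name in NUMERIC_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def parse_records(text):
    """Parse every record in a flow log payload, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def rejected_by_port(records):
    """Count REJECT records per (protocol name, destination port).

    Records whose log-status is not OK (NODATA, SKIPDATA) carry no flow
    data and are ignored.
    """
    counts = Counter()
    for rec in records:
        if rec["log-status"] != "OK" or rec["action"] != "REJECT":
            continue
        proto = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
        counts[(proto, rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (proto, port), n in sorted(rejected_by_port(recs).items()):
        print(f"{proto}/{port}: {n} rejected flow(s)")
```

Because the record has no HTTP or DNS fields, the only way to get at "which host was refused on which port" is exactly this: protocol number plus ports plus action. Custom flow log formats add fields (for example pkt-srcaddr or tcp-flags); the field list above would have to be changed to match the format string configured on the flow log.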

848
MCQeasy

A SysOps administrator needs to automatically deploy a new version of an application to a fleet of Amazon EC2 instances every time changes are pushed to the main branch of a code repository hosted on AWS CodeCommit. Which combination of AWS services should be used?

A.AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy.
B.AWS CloudFormation and AWS CodeDeploy.
C.Amazon EventBridge and AWS Systems Manager.
D.AWS CloudTrail and AWS Lambda.
AnswerA

Correct. CodePipeline orchestrates the flow from CodeCommit (source), to CodeBuild (build), to CodeDeploy (deploy), fully automating deployment on each push.

Why this answer

AWS CodePipeline orchestrates the continuous delivery workflow by detecting changes in the CodeCommit repository, then automatically triggering AWS CodeBuild to compile and package the application, and finally deploying the new version to EC2 instances using AWS CodeDeploy. This combination provides a fully managed, end-to-end CI/CD pipeline that meets the requirement of deploying on every push to the main branch.

Exam trap

The trap here is that candidates often confuse AWS CloudFormation (infrastructure provisioning) with CI/CD pipeline services, or assume EventBridge and Lambda can replace the full pipeline, but they lack built-in artifact management, deployment strategies, and rollback capabilities that CodePipeline, CodeBuild, and CodeDeploy provide together.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation is an infrastructure-as-code service for provisioning resources, not a CI/CD pipeline orchestrator; it cannot automatically detect CodeCommit pushes or trigger deployments without an external event source. Option C is wrong because Amazon EventBridge can capture CodeCommit events but AWS Systems Manager is primarily for operational management and patching, not for orchestrating a multi-stage build-and-deploy pipeline with artifact management. Option D is wrong because AWS CloudTrail records API activity for auditing, not for triggering deployments, and AWS Lambda alone cannot manage the full build, test, and deployment lifecycle required for application updates.

849
MCQhard

A SysOps administrator is tasked with designing a disaster recovery strategy for an Amazon RDS for PostgreSQL database. The database is currently in us-east-1. The recovery point objective (RPO) is 5 seconds, and the recovery time objective (RTO) is 1 minute. Which solution meets these requirements?

A.Create a cross-region read replica in us-west-2 and promote it during a disaster.
B.Take daily automated snapshots and copy them to another region.
C.Enable Multi-AZ deployment with automatic failover.
D.Deploy the database in a single AZ and use point-in-time recovery.
AnswerC

Multi-AZ provides synchronous replication and fast failover.

Why this answer

Option C is correct because a Multi-AZ deployment keeps a synchronously replicated standby in a different Availability Zone of the same Region; because replication is synchronous the RPO is effectively zero, and automatic failover (a DNS change pointing the endpoint at the standby) typically completes in 60 to 120 seconds. Option A is wrong because a cross-Region read replica is replicated asynchronously, so replica lag can exceed 5 seconds, and promotion is a manual step that takes longer than 1 minute. Option B is wrong because daily snapshots give an RPO measured in hours.

Option D is wrong because a Single-AZ instance has no standby and no automatic failover; point-in-time recovery restores to a new instance, which takes far longer than 1 minute.

850
MCQeasy

A company needs a dedicated private network connection from its on-premises data center to AWS that provides consistent network performance and high bandwidth. The connection must bypass the public internet. Which AWS service should the SysOps administrator use?

A.AWS Site-to-Site VPN
B.AWS Client VPN
C.AWS Direct Connect
D.AWS Transit Gateway
AnswerC

Correct. AWS Direct Connect provides a dedicated private circuit that bypasses the internet, ensuring consistent network performance and high bandwidth.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the public internet entirely. This ensures consistent network performance, low latency, and high bandwidth, which are critical for workloads requiring predictable throughput and a private link. One practical caveat: Direct Connect traffic is private but not encrypted by default; where encryption is required, run a Site-to-Site VPN over the Direct Connect connection or use MACsec on dedicated connections that support it.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN with a private connection; a VPN tunnel is encrypted but still traverses the public internet, so it neither bypasses the internet nor guarantees consistent throughput, whereas Direct Connect is a dedicated physical link.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN uses the public internet to establish an encrypted tunnel (IPsec) between the on-premises network and AWS, which cannot guarantee consistent performance or bypass the public internet. Option B is wrong because AWS Client VPN is a managed remote access VPN service for individual clients (e.g., laptops) connecting over the internet, not for dedicated private network connections between data centers and AWS. Option D is wrong because AWS Transit Gateway is a network transit hub that connects VPCs and on-premises networks via VPN or Direct Connect, but it is not a connection service itself; it requires a separate underlying connection like Direct Connect or VPN to provide the private link.

851
MCQhard

A SysOps administrator notices that an S3 bucket's storage costs have increased significantly. The bucket stores log files and is configured with S3 Standard storage class. Most logs are accessed only once after 30 days. Which action will reduce costs without affecting data retrieval?

A.Create a lifecycle policy to transition objects to S3 Standard-IA after 30 days.
B.Create a lifecycle policy to transition objects to S3 Glacier Deep Archive after 30 days.
C.Create a lifecycle policy to transition objects to S3 Glacier Instant Retrieval after 30 days.
D.Create a lifecycle policy to transition objects to S3 One Zone-IA after 30 days.
AnswerC

Glacier Instant Retrieval has lower storage cost and millisecond retrieval for one-time access.

Why this answer

Option C is correct because transitioning to S3 Glacier Instant Retrieval after 30 days gives a lower per-GB storage price than S3 Standard or S3 Standard-IA while keeping millisecond retrieval, so the single later read is unaffected. Option A is wrong because S3 Standard-IA stores the data at a higher per-GB price than Glacier Instant Retrieval for the same access pattern; both classes charge a per-GB retrieval fee, so Standard-IA is not the cheapest choice here. Option D is wrong because S3 One Zone-IA keeps a single copy in one Availability Zone, trading resilience to AZ loss for a lower price, which is not appropriate for logs that still need to be retrievable.

Option B is wrong because S3 Glacier Deep Archive requires a restore that takes hours before the data can be read, which does affect retrieval. A practical caveat: Glacier Instant Retrieval has a 90-day minimum storage duration, so objects expired or transitioned again before 90 days are billed for the remainder.

852
MCQmedium

A company's web application uses an Application Load Balancer (ALB) in front of multiple EC2 instances in an Auto Scaling group. Users report intermittent 503 errors. The ALB health checks are configured to check the /health endpoint every 30 seconds with a threshold of 2 successful checks to mark healthy. The Auto Scaling group’s health check grace period is set to 60 seconds. What is the most likely cause of the 503 errors?

A.The ALB’s idle timeout is set too low.
B.The Auto Scaling group health check grace period is too short.
C.The EC2 instances are of a small instance type and are overloaded.
D.The health check endpoint is returning a 500 status code intermittently.
AnswerD

Intermittent health check failures cause targets to be marked unhealthy, leading to 503 errors.

Why this answer

Option D is correct because an ALB returns HTTP 503 when it has no healthy target to route a request to. If the /health endpoint intermittently returns a 500, targets are marked unhealthy after the configured number of failed checks and the ALB stops sending them traffic; when enough targets are unhealthy at the same time, requests get 503s until the targets pass two consecutive checks again (at least 60 seconds at a 30-second interval). Option A is wrong because a low idle timeout closes idle client and target connections early; it does not make the ALB report that no targets are healthy.

Option B is wrong because the grace period only governs whether the Auto Scaling group replaces a newly launched instance that has not yet passed health checks; it does not explain intermittent errors from instances that are already in service. Option C is wrong because an overloaded small instance would show up as slow responses or application 5xx errors, not specifically as the health check endpoint failing, and the question gives no evidence of resource pressure.

853
Multi-Selectmedium

A company has a VPC with a public subnet and a private subnet. An Amazon RDS for MySQL database is deployed in the private subnet. Which TWO steps are required to allow an EC2 instance in the public subnet to connect to the database? (Choose two.)

Select 2 answers
A.Update the security group for the RDS instance to allow inbound traffic on port 3306 from the EC2 instance's security group.
B.Deploy a NAT Gateway in the public subnet to allow the EC2 instance to communicate with the RDS instance.
C.Assign a public IP address to the RDS instance.
D.Ensure that the EC2 instance's security group allows outbound traffic to the RDS instance's security group on port 3306.
E.Add a route to the public subnet's route table for the RDS subnet CIDR.
AnswersA, D

This allows the EC2 instance to connect to the database.

Why this answer

Options A and D are correct. The security group on the RDS instance must allow inbound TCP 3306 from the EC2 instance, and referencing the instance's security group as the source is the right way to do that (the rule then follows the instance rather than its IP address). The EC2 instance's security group must permit the outbound connection to the database; security groups allow all outbound traffic by default, so this is only a change if the default rule was removed, but the exam counts it as a required step. No NAT Gateway or extra route is involved, because both subnets are in the same VPC and the VPC's local route already covers the whole CIDR. Option C is wrong because the RDS instance does not need a public IP; it is reached on its private address inside the VPC, and exposing it publicly would widen the attack surface for no benefit.

Option E is wrong because every route table in a VPC carries an implicit local route for the VPC CIDR, so no route to the RDS subnet needs adding. Option B is wrong because a NAT Gateway provides outbound internet access for private subnets; it plays no part in traffic between two subnets of the same VPC.

854
MCQmedium

A company is using Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The operations team needs to receive an alert when the number of healthy hosts drops below 50% of the desired capacity for more than 5 minutes. Which CloudWatch metric and alarm configuration should be used?

A.Use the 'RequestCount' metric with a statistic of 'Sum' and a threshold of 50% of the average request count.
B.Use the 'HealthyHostCount' metric with a statistic of 'Sum' and a threshold of 0.5 * desired capacity.
C.Use the 'UnhealthyHostCount' metric with a threshold of 50% of desired capacity.
D.Use the 'TargetResponseTime' metric with a statistic of 'p90' and a threshold of 2 seconds.
AnswerB

This directly measures the number of healthy hosts and can be compared to half the desired capacity.

Why this answer

The correct answer is B because the 'HealthyHostCount' metric from the Application Load Balancer (ALB) directly reports the number of registered targets that are passing health checks. With the threshold set to 0.5 * desired capacity and the comparison set to 'less than', the alarm triggers when the count of healthy hosts falls below 50% of the Auto Scaling group's desired capacity for the 5-minute evaluation window, meeting the requirement. Two configuration details matter in practice: keep the alarm period at 60 seconds (the ALB publishes this metric once a minute) with 5 evaluation periods, because with a longer period the 'Sum' statistic adds the per-minute samples together and the threshold no longer means what you intend (use Average or Minimum in that case); and the threshold is a static number, so it has to be updated whenever the desired capacity changes.

Exam trap

The trap here is that candidates often confuse 'UnhealthyHostCount' with 'HealthyHostCount', assuming that a threshold on unhealthy hosts (e.g., >50% of desired capacity) is equivalent, but this fails because the alarm would not trigger correctly when the total number of hosts changes or when both healthy and unhealthy counts shift simultaneously.

How to eliminate wrong answers

Option A is wrong because 'RequestCount' measures the total number of requests processed, not the health of hosts; it cannot determine the percentage of healthy hosts relative to desired capacity. Option C is wrong because 'UnhealthyHostCount' reports the number of unhealthy hosts, but the requirement is to alert when healthy hosts drop below 50% of desired capacity, which is not directly equivalent to a threshold on unhealthy count (e.g., if desired capacity changes, the unhealthy count threshold would not scale dynamically). Option D is wrong because 'TargetResponseTime' measures latency, not host health status; a p90 threshold of 2 seconds is unrelated to the percentage of healthy hosts.

855
MCQmedium

A company uses AWS CloudFormation to deploy EC2 instances across multiple environments. The operations team notices that stack updates fail when parameter values change. What is the MOST likely cause?

A.The parameter uses the AWS::NoValue condition.
B.The parameter has the NoEcho property set to true, and the previous value is not provided.
C.A change set is required but not generated.
D.A stack policy prevents parameter updates.
AnswerB

When NoEcho is true, the parameter value must be re-specified during updates.

Why this answer

Option B is correct because a parameter with NoEcho set to true has its value masked in describe calls and in the console, so an update assembled from the displayed values cannot carry it forward; if the update neither resupplies the value nor sets UsePreviousValue for that parameter, validation fails. Option D is wrong because a stack policy restricts update actions on resources, not parameter values. Option C is wrong because change sets are an optional way to preview an update, not a prerequisite; updates without a change set succeed.

Option A is wrong because AWS::NoValue is a pseudo parameter used with Fn::If to remove a property from a resource; it does not affect parameter updates.

856
MCQhard

A company runs a critical application on a fleet of EC2 instances managed by an Auto Scaling group. The application is deployed using a custom AMI that is updated monthly. The SysOps administrator uses a launch template that references the latest AMI ID via an AWS Systems Manager parameter. During a recent deployment, the administrator updated the AMI ID in the parameter, but the new instances launched by the Auto Scaling group still use the old AMI. The administrator confirms that the launch template is configured to reference the parameter. The Auto Scaling group has a desired capacity of 5, and the administrator manually terminates one instance to trigger a replacement. The new instance also uses the old AMI. What is the MOST likely cause?

A.The Amazon CloudWatch alarm that triggers scaling is not configured correctly.
B.The IAM role associated with the Auto Scaling group does not have permission to read the Systems Manager parameter.
C.The Auto Scaling group is using a cached version of the launch template and needs to be updated or have its instances replaced.
D.The instance metadata service (IMDS) is disabled on the launch template.
AnswerC

Why this answer

Option C is correct because, as the question is framed, the Auto Scaling group keeps launching from the AMI it resolved when the launch template version it uses was set; changing the Systems Manager parameter value alone does not change what the group launches. The fix is to update the launch template (or publish a new version and point the group at it) and then run an instance refresh so the running fleet is replaced rather than waiting for ad hoc terminations. Option B is wrong because the launch template resolves the parameter with the launching principal's permissions; a missing permission would fail the launch outright rather than silently fall back to the old AMI.

Option D is wrong because IMDS is a runtime service on the instance and has no role in choosing the AMI. Option A is wrong because CloudWatch alarms drive scale-in and scale-out decisions; they do not decide which AMI is launched.

857
Matchingmedium

Match each AWS networking concept to its description.

Isolated virtual network: Amazon VPC

IP address range within a VPC: Subnet

Set of rules for traffic routing: Route table

Stateful instance-level firewall: Security group

Stateless subnet-level firewall: Network ACL

Why these pairings

These are the fundamental VPC components. The last two pairings carry the point that matters operationally: a security group tracks connection state, so return traffic for an allowed connection is permitted automatically, while a network ACL evaluates every packet against its numbered rules in both directions, so return traffic (including the ephemeral port range) must be allowed explicitly.

858
MCQhard

A company has a production application running on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer. The SysOps administrator notices that during deployments, the application experiences a brief period of downtime. Which combination of actions should the administrator take to achieve zero-downtime deployments?

A.Configure the ECS service to use a rolling update with a minimum healthy percent of 0 and a maximum percent of 100.
B.Increase the deregistration delay on the ALB target group to 300 seconds.
C.Use a blue/green deployment with CodeDeploy and set the 'Minimum healthy percent' to 50.
D.Configure the ECS service to use a rolling update with a minimum healthy percent of 100 and a maximum percent of 200.
AnswerD

Correct: This ensures new tasks are started before old ones are terminated, allowing zero downtime.

Why this answer

Option D is correct because a rolling update with a minimum healthy percent of 100 and a maximum percent of 200 lets ECS start the full set of new tasks, wait for them to pass ALB health checks and register, and only then drain and stop the old tasks, so capacity never drops below the desired count. Option A is wrong because a minimum healthy percent of 0 with a maximum of 100 allows ECS to stop every old task before any new task is running, which is exactly the gap users observe. Option C is wrong because a minimum healthy percent of 50 permits half of the capacity to go out of service; a CodeDeploy blue/green deployment is a valid zero-downtime approach on its own, but it shifts traffic between complete task sets and is not controlled by that value.

Option B is wrong because the deregistration delay only controls how long a deregistered target keeps receiving in-flight requests; it does not ensure new tasks are in service before old ones stop.

859
Multi-Selectmedium

A company is using Amazon S3 to store data for analytics. The data is accessed frequently for the first 30 days, then rarely after that. The company wants to optimize storage costs. Which THREE actions should the SysOps administrator recommend?

Select 3 answers
A.Use S3 Intelligent-Tiering to automatically optimize storage costs.
B.Use S3 One Zone-IA for all data after 30 days to reduce costs.
C.Create a lifecycle policy to transition objects to S3 Glacier Deep Archive after 90 days.
D.Create a lifecycle policy to transition objects to S3 Standard-IA after 30 days.
E.Use S3 Standard storage for all data to ensure high performance.
AnswersA, C, D

Intelligent-Tiering moves data between tiers based on access patterns.

Why this answer

Option A is correct because S3 Intelligent-Tiering monitors each object's access and moves it between frequent, infrequent and archive access tiers without a manual schedule, which fits data whose access pattern changes after 30 days. Option D is correct because a lifecycle rule to S3 Standard-IA at 30 days moves data that is rarely read to a cheaper class while keeping immediate access. Option C is correct because a lifecycle rule to S3 Glacier Deep Archive at 90 days moves data that is effectively dormant to the lowest-cost class. Note that Intelligent-Tiering and a Standard-IA lifecycle rule are alternatives for the same objects, not a combination; pick one per prefix.

Option E is wrong because leaving everything in S3 Standard pays the highest per-GB price for data that is rarely read. Option B is wrong because S3 One Zone-IA stores a single copy in one Availability Zone, so it is not resilient to AZ loss and is unsuitable as a blanket choice for analytics data that must remain available.

860
Matchingmedium

Match each AWS cost management tool to its purpose.


Visualize and analyze costs

Set custom cost and usage alerts

Detailed billing data

Discount in exchange for commitment

Flexible pricing model

Why these pairings

These are AWS cost management features.

861
Multi-Selecthard

A company has a centralized logging solution where CloudTrail logs from multiple accounts are delivered to a single S3 bucket. The security team needs to be alerted when an IAM user is created in any of the accounts. Which steps should be taken? (Choose THREE.)

Select 3 answers
A.Create a CloudWatch Logs metric filter for 'CreateUser' event.
B.Configure CloudTrail to deliver logs to CloudWatch Logs.
C.Create an AWS Config rule to detect IAM user creation.
D.Configure S3 event notification on the central bucket to trigger a Lambda function.
E.Create a CloudWatch alarm on the metric filter that publishes to an SNS topic.
AnswersA, B, E

Metric filter detects the API call.

Why this answer

Option A is correct because a CloudWatch Logs metric filter can parse CloudTrail logs delivered to CloudWatch Logs and match the 'CreateUser' event pattern. This filter creates a metric that can be used to trigger an alarm. Option B is correct because CloudTrail must be configured to deliver logs to CloudWatch Logs in each account so that the metric filter can be applied to the log group.

Option E is correct because a CloudWatch alarm on the metric filter can publish to an SNS topic, which sends notifications (e.g., email, SMS) to the security team when an IAM user is created.

Exam trap

The trap here is that candidates confuse AWS Config rules (which assess resource compliance) with CloudWatch metric filters (which monitor log events), leading them to select Config for event detection instead of the correct CloudWatch-based approach.
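The detector below is an added example, not from the original page. It applies the same selection a CloudWatch Logs metric filter of the form { ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateUser") } would apply, to CloudTrail records delivered as one JSON object per log event, and pulls out what the security team wants in the alert: which account, which principal, and which user name. The records are constructed CloudTrail-style events, not from a real account; the field names used (eventSource, eventName, recipientAccountId, userIdentity.arn, requestParameters.userName, errorCode) are standard CloudTrail record fields.

```python
"""Match CloudTrail records the way a CloudWatch Logs metric filter would.

Added example, not part of the original page. The log lines are
constructed CloudTrail-style events, not from a real account.
"""
import json

# Constructed log events, one JSON record per line, as CloudTrail delivers
# them to a CloudWatch Logs log group. Two accounts, one failed attempt, and
# one line that is not JSON at all.
SAMPLE_LOG_LINES = [
    json.dumps({"eventVersion": "1.08", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateUser", "recipientAccountId": "111111111111",
                "userIdentity": {"type": "IAMUser",
                                 "arn": "arn:aws:iam::111111111111:user/alice"},
                "requestParameters": {"userName": "svc-deploy"}}),
    json.dumps({"eventVersion": "1.08", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateRole", "recipientAccountId": "111111111111",
                "userIdentity": {"type": "IAMUser",
                                 "arn": "arn:aws:iam::111111111111:user/alice"},
                "requestParameters": {"roleName": "app-role"}}),
    json.dumps({"eventVersion": "1.08", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateUser", "recipientAccountId": "222222222222",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::222222222222:assumed-role/Admin/bob"},
                "requestParameters": {"userName": "backup-user"}}),
    json.dumps({"eventVersion": "1.08", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateUser", "recipientAccountId": "222222222222",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::222222222222:assumed-role/Admin/bob"},
                "requestParameters": {"userName": "tmp"},
                "errorCode": "AccessDenied"}),
    "not json at all",
]

# Same selection as the metric filter pattern
# { ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateUser") }
FILTER_EVENT_SOURCE = "iam.amazonaws.com"
FILTER_EVENT_NAME = "CreateUser"


def matches_filter(record):
    """True when the record would be counted by the metric filter."""
    return (record.get("eventSource") == FILTER_EVENT_SOURCE
            and record.get("eventName") == FILTER_EVENT_NAME)


def find_user_creations(log_lines, include_failed=False):
    """Return (account, creator ARN, new user name) for each matching record.

    Lines that are not JSON are skipped, as a metric filter skips them.
    Failed calls carry an errorCode; a metric filter on eventName alone still
    counts them, so callers that only want successful creations exclude them.
    """
    hits = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue
        if not matches_filter(record):
            continue
        if not include_failed and "errorCode" in record:
            continue
        hits.append((
            record.get("recipientAccountId"),
            record.get("userIdentity", {}).get("arn"),
            record.get("requestParameters", {}).get("userName"),
        ))
    return hits


def metric_value(log_lines):
    """Value the metric filter would publish for these lines: 1 per
    matching event, failed attempts included."""
    return len(find_user_creations(log_lines, include_failed=True))


if __name__ == "__main__":
    for account, creator, new_user in find_user_creations(SAMPLE_LOG_LINES):
        print(f"account {account}: {creator} created IAM user {new_user}")
    print("metric value:", metric_value(SAMPLE_LOG_LINES))
```

The difference between metric_value and find_user_creations is the point to remember when tuning the alarm: the metric filter counts the API call, not its outcome, so a denied CreateUser attempt still increments the metric. That is usually what a security team wants (an attempt is itself signal), but if the alert text must name the user that was actually created, the enrichment step has to check errorCode as this function does.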

862
MCQeasy

A company hosts a static website on Amazon S3. Users access the website from around the world. The SysOps administrator needs to deliver content with low latency and support HTTPS with a custom domain. Which AWS service should be used?

A.AWS Global Accelerator
B.Amazon CloudFront
C.Amazon Route 53 latency-based routing
D.S3 Transfer Acceleration
AnswerB

CDN with edge caching, HTTPS, and custom domain support.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static content at edge locations worldwide, reducing latency for global users. It natively supports HTTPS with custom domains via SSL/TLS certificates from AWS Certificate Manager (ACM) and integrates with S3 as an origin. This combination of low-latency delivery and HTTPS termination makes CloudFront the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with CloudFront because both improve performance, but Global Accelerator does not cache content or terminate HTTPS for static websites, making it unsuitable for this use case.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator improves TCP/UDP traffic performance using the AWS global network but does not cache content or terminate HTTPS for static website delivery; it is designed for dynamic applications, not static content caching. Option C is wrong because Amazon Route 53 latency-based routing only directs DNS queries to the region with the lowest latency, but it does not cache content or provide HTTPS termination; the origin S3 bucket would still serve content directly without edge caching. Option D is wrong because S3 Transfer Acceleration speeds up uploads to S3 using edge locations, but it does not cache content for downloads, does not support custom domain HTTPS, and is intended for large object uploads, not global static website delivery.

863
MCQmedium

A company is using AWS Elastic Beanstalk to deploy a web application. The application experiences high traffic during peak hours. The SysOps administrator wants to automatically scale the environment based on CPU utilization. Which configuration change is required?

A.Manually add EC2 instances to the Auto Scaling group.
B.Configure a scaling trigger based on a CloudWatch alarm for CPU utilization.
C.Modify the instance type to a larger size.
D.Increase the number of load balancers.
AnswerB

Auto Scaling uses CloudWatch alarms to trigger scaling actions.

Why this answer

The correct answer is B because Elastic Beanstalk scales its Auto Scaling group through scaling triggers, which are CloudWatch alarms on a metric such as CPUUtilization with upper and lower thresholds; configuring that trigger in the environment's capacity settings is the change required. Option D is wrong because load balancers distribute traffic across the existing instances; adding more of them does not add capacity. Option A is wrong because Elastic Beanstalk manages the Auto Scaling group itself, and manually added instances are neither automatic nor part of the environment.

Option C is wrong because a larger instance type is vertical scaling applied once; it does not react to changes in load.

864
MCQmedium

A company wants to restrict access to an AWS Systems Manager Parameter Store parameter to only requests originating from the corporate network IP range (10.0.0.0/8). The SysOps administrator needs to implement this restriction using an IAM policy. Which condition key should be used?

A.aws:SourceIp
B.aws:SourceVpc
C.aws:RequestedRegion
D.aws:UserAgent
AnswerA

This condition key checks the IP address of the requester, making it suitable for IP-based access restrictions.

Why this answer

The correct answer is A because the `aws:SourceIp` condition key is designed to restrict access based on the requester's IP address: when used in an IAM policy it is evaluated against the source address of the request as seen by AWS, allowing you to permit or deny access to Systems Manager Parameter Store based on an IP range. One caveat matters in practice: 10.0.0.0/8 is a private range. Requests that reach AWS over the public internet arrive from the corporate NAT or proxy's public address, so that public address is what `aws:SourceIp` must match. Requests that reach Systems Manager through an interface VPC endpoint (for example from the corporate network over Direct Connect or VPN into a VPC) do not carry `aws:SourceIp` at all; there the caller's private address is exposed as `aws:VpcSourceIp`, and `aws:SourceVpc` / `aws:SourceVpce` identify the VPC and the endpoint.

Exam trap

The trap here is that candidates confuse `aws:SourceIp` with `aws:SourceVpc`; `aws:SourceVpc` matches the ID of the VPC a request arrives from through a VPC endpoint, which is coarser than an IP range and absent for requests that do not come from a VPC.

How to eliminate wrong answers

Option B is wrong because `aws:SourceVpc` is used to restrict access based on the VPC from which the request originates, not the IP address range; it requires the request to come from a specific VPC endpoint or VPC, not a corporate network IP range. Option C is wrong because `aws:RequestedRegion` restricts access based on the AWS Region specified in the request, not the source IP address; it is used for regional access control, not network-based restrictions. Option D is wrong because `aws:UserAgent` restricts access based on the user agent string in the request, which identifies the client application or tool (e.g., AWS CLI, SDK), not the network IP range.
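An added example of the policy this question describes; it is not from the original page. The account ID, parameter name and the public egress range 203.0.113.0/24 are placeholders. The first statement is the literal `aws:SourceIp` check, written against the public address AWS actually sees from the corporate network; the second covers the path on which the private 10.0.0.0/8 range is visible, namely requests that enter through a Systems Manager interface VPC endpoint, where `aws:VpcSourceIp` carries the caller's private address.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadFromCorporateEgressOverInternet",
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:GetParameters"],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/db/password",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}
      }
    },
    {
      "Sid": "ReadFromCorporateRangeViaVpcEndpoint",
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:GetParameters"],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/db/password",
      "Condition": {
        "IpAddress": {"aws:VpcSourceIp": "10.0.0.0/8"}
      }
    }
  ]
}
```

As an identity policy this only grants. To turn the question's restriction into a block that holds regardless of other grants, add a Deny statement whose single Condition block uses NotIpAddress on both `aws:SourceIp` and `aws:VpcSourceIp` (the two keys are ANDed, and a missing key evaluates as 'not in range', so a request is denied only when neither key is in its range), together with `"Bool": {"aws:ViaAWSService": "false"}` so that calls AWS services make on the principal's behalf are not broken; or put the same condition in a service control policy.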

865
MCQmedium

Refer to the exhibit. The output shows the health status of two targets in a target group. One target is unhealthy with a 502 error. What is the most likely cause?

A.The target instance’s security group is blocking the health check traffic.
B.The target instance is not allowing outbound traffic to the ALB.
C.The web server on the target instance is returning HTTP 502 status codes.
D.The ALB health check is misconfigured with an incorrect path.
AnswerC

502 indicates a bad gateway from the target instance.

Why this answer

Option C is correct because a 502 in a target's health status means the target answered the health check, but with a response the ALB treats as a bad gateway: the web server on the instance returned HTTP 502 itself (typically a reverse proxy in front of an application process that has failed) or sent a malformed response. Option A is wrong because a security group that blocks the health check port produces a connection timeout, not an HTTP status. Option B is wrong because security groups are stateful: responses to the ALB's inbound health check are allowed automatically, so the target's outbound rules are not the cause.

Option D is wrong because an incorrect health check path makes the web server answer 404; the ALB does not generate a 502 for a misconfigured path.

866
MCQmedium

A company uses AWS Elastic Beanstalk for a Java application. The environment uses a custom platform. The SysOps administrator wants to update the environment's configuration to use a larger instance type to handle increased load. What is the correct way to perform this change with minimal downtime?

A.Use the Elastic Beanstalk console to update the instance type and choose a rolling update strategy.
B.SSH into each instance and modify the instance type manually.
C.Terminate all instances and launch new ones with the larger instance type.
D.Create a new environment with the larger instance type and swap the environment URLs.
AnswerA

Correct: Rolling updates update instances without downtime.

Why this answer

The correct answer is A because changing the instance type is an environment configuration change that Elastic Beanstalk applies by replacing instances; with rolling updates enabled it replaces them in batches and keeps the remaining instances in service. Option C is wrong because terminating every instance first leaves nothing serving traffic. Option B is wrong because an instance type cannot be changed from inside a running instance, and any manual change is outside Elastic Beanstalk's configuration and is lost when the instances are replaced.

Option D is wrong because a new environment with a CNAME swap would work but is more effort than a rolling configuration update for a change Elastic Beanstalk already handles in place.

867
MCQmedium

A company has a production RDS MySQL instance with 500 GB of gp2 storage. The database experiences high read traffic. The SysOps team needs to improve read performance at minimal cost. What should they do?

A.Migrate the database to Amazon Aurora with Auto Scaling enabled.
B.Change the storage type to gp3 and increase IOPS.
C.Upgrade the DB instance to a larger instance type with more vCPUs.
D.Create one or more RDS Read Replicas in the same region and direct read traffic to them.
AnswerD

Read Replicas distribute read load at a low cost.

Why this answer

Option D is correct because Read Replicas take read queries off the primary instance, so read throughput scales horizontally and the primary keeps its resources for writes; replicas use asynchronous replication, so the application must tolerate slight lag on reads served by a replica. Option A is wrong because migrating to Aurora is a larger and costlier change than adding replicas to the existing instance. Option B is wrong because gp3 with extra provisioned IOPS only helps if storage I/O is the bottleneck and does nothing to spread query load; the additional IOPS also carry a cost.

Option C is wrong because a larger instance type is vertical scaling with a higher per-hour price and a hard ceiling, whereas replicas add read capacity incrementally.

868
Multi-Selectmedium

A company is designing a backup strategy for its on-premises file servers to AWS. Which TWO services can be used to back up data to AWS? (Choose TWO.)

Select 2 answers
A.AWS Backup
B.AWS Snowball
C.AWS Storage Gateway (File Gateway)
D.Amazon EFS
E.S3 Transfer Acceleration
AnswersA, C

AWS Backup can back up on-premises VMware virtual machines through the AWS Backup gateway.

Why this answer

The correct answers are A and C. AWS Storage Gateway in File Gateway mode presents an SMB or NFS share on premises, caches recently used data locally and stores the files as objects in S3, so file servers can back up to it directly. AWS Backup protects on-premises VMware virtual machines through the AWS Backup gateway and manages the retention of the backups that land in AWS.

Option E is wrong because S3 Transfer Acceleration speeds up uploads to S3; it is not a backup service. Option D is wrong because Amazon EFS is a file system for AWS workloads, not a backup target for on-premises servers. Option B is wrong because Snowball is for one-time bulk transfers, not a recurring backup mechanism.

869
MCQmedium

A company is using Amazon Route 53 as its DNS service. The company has a web application running on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The company wants to ensure that if the ALB fails, traffic is automatically redirected to a static error page hosted on an Amazon S3 bucket. Which Route 53 routing policy should be used to achieve this?

A.Geolocation routing policy
B.Failover routing policy
C.Latency routing policy
D.Weighted routing policy
AnswerB

Failover routing policy enables active-passive failover, where the primary resource is used and traffic is redirected to a secondary resource (S3 bucket) if the primary fails.

Why this answer

Option B is correct because a failover routing policy pairs a primary record (an alias to the ALB with Evaluate Target Health enabled, or a record with an attached health check) with a secondary record (an alias to the S3 website endpoint); Route 53 answers with the primary while it is healthy and with the secondary when the primary fails. Two practical conditions apply: the S3 bucket must be named exactly as the DNS name being served for the alias to work, and the S3 website endpoint serves HTTP only, so an HTTPS error page needs CloudFront in front of it. Option D is wrong because weighted routing splits traffic by weight regardless of health. Option C is wrong because latency routing sends users to the lowest-latency Region.

Option A is wrong because geolocation routing answers based on the user's geographic location.

870
MCQeasy

A SysOps administrator is configuring an Amazon RDS for MySQL Multi-AZ deployment. What is the primary benefit of using Multi-AZ?

A.Improved read performance by distributing queries across multiple instances.
B.Automatic failover to a standby instance in a different Availability Zone.
C.Synchronous replication across AWS Regions.
D.Automatic creation of read replicas for disaster recovery.
AnswerB

This is the primary benefit of Multi-AZ.

Why this answer

Option B is correct: Multi-AZ keeps a synchronously replicated standby in a second Availability Zone and fails over to it automatically (the DNS endpoint stays the same) when the primary instance, its storage, or its AZ fails. Option A is incorrect because the standby in a Multi-AZ instance deployment cannot serve reads; read scaling needs read replicas (a Multi-AZ DB cluster deployment does offer readable standbys, but that is not what the question describes). Option C is incorrect because Multi-AZ replication is between AZs within one Region; cross-Region protection is done with cross-Region read replicas or backup replication.

Option D is incorrect because Multi-AZ does not create read replicas; the standby is a separate feature from read replicas and is not directly accessible.

871
Matchingmedium

Match each AWS compute service to its use case.

Pairings

Amazon EC2: Virtual machines in the cloud

AWS Lambda: Serverless function execution

Amazon ECS: Container orchestration with Docker

Amazon EKS: Managed Kubernetes clusters

AWS Fargate: Serverless compute for containers

Why these pairings

These are the main AWS compute options. EC2 gives you the virtual machine and its operating system to manage; Lambda runs individual functions with no servers to manage; ECS schedules Docker containers on EC2 instances or on Fargate; EKS runs the Kubernetes control plane for you; Fargate removes the container hosts from your responsibility for ECS or EKS tasks.

872
MCQmedium

A company has an S3 bucket that stores critical data. The bucket has versioning enabled. A SysOps administrator accidentally deletes a version of an object. What is the quickest way to recover the deleted version?

A.Use the S3 bucket's 'Undelete' feature.
B.Enable MFA Delete and then restore the object.
C.Contact AWS Support to restore the object.
D.Copy the deleted version from the bucket's version history.
AnswerD

A delete without a version ID only adds a delete marker; the earlier versions remain and can be copied back.

Why this answer

Option D is correct. In a versioning-enabled bucket, a plain DELETE does not remove data; it inserts a delete marker that becomes the current version, and the previous versions stay listed in the version history. Recovery is immediate: either delete the delete marker, or copy the wanted version back into the bucket so it becomes the new current version. Option A is wrong because S3 has no "Undelete" feature; recovery works through the version history. Option B is wrong because MFA Delete is a preventive control (it requires an MFA code to permanently delete a version or change the versioning state); enabling it after the fact restores nothing. Option C is wrong because AWS Support is not needed while versioning is on; the data is still in the bucket.

Caveat: a DELETE that names a specific version ID permanently removes that version, and versioning cannot bring it back. That is the case MFA Delete, tightly scoped s3:DeleteObjectVersion permissions, and replication to a second bucket are meant to guard against.

873
MCQmedium

A company has an on-premises data center connected to AWS via an AWS Direct Connect connection. The SysOps administrator needs to ensure high availability for the connectivity. Which configuration provides the highest availability for the Direct Connect connection?

A.Establish a single Direct Connect connection with a VPN backup.
B.Establish two Direct Connect connections to the same AWS Direct Connect location.
C.Establish two Direct Connect connections to different AWS Direct Connect locations.
D.Use multiple virtual interfaces on a single Direct Connect connection.
AnswerC

This configuration provides the highest availability by avoiding a single point of failure at the location level. If one location fails, traffic can be rerouted to the other connection.

Why this answer

Option C is correct because establishing two Direct Connect connections to different AWS Direct Connect locations provides geographic redundancy. If one AWS Direct Connect location experiences an outage, the other connection remains operational, ensuring high availability. This configuration eliminates single points of failure at the facility level, which is the most resilient design for hybrid connectivity.

Exam trap

The trap here is that candidates assume multiple connections to the same location provide redundancy, but AWS Direct Connect locations are single points of failure; true high availability requires geographic diversity across different locations.

How to eliminate wrong answers

Option A is wrong because a single Direct Connect connection with a VPN backup is a cost-conscious resiliency pattern, not the highest-availability one: the VPN traverses the public internet, so it offers lower and more variable bandwidth and latency than the dedicated connection, and the primary path is still a single connection at a single location. Option B is wrong because two Direct Connect connections to the same AWS Direct Connect location share the same physical facility and power infrastructure, meaning a location-level outage (e.g., fiber cut or power failure) will take down both connections simultaneously. Option D is wrong because multiple virtual interfaces on a single Direct Connect connection still depend on a single physical connection; if that connection fails, all virtual interfaces are lost, providing no redundancy.

874
MCQmedium

A SysOps administrator needs to create a custom Amazon CloudWatch metric to track the number of active user sessions from application logs. The administrator wants to publish this metric to CloudWatch and set an alarm when the count exceeds a threshold. Which solution should be used?

A.Use a CloudWatch Logs Metric Filter on the log group.
B.Use CloudWatch Contributor Insights to extract the metric from logs.
C.Use CloudWatch Synthetics Canary to simulate user sessions and publish metrics.
D.Use CloudWatch Embedded Metric Format to have the application publish metrics directly.
AnswerA

A metric filter scans log entries for a pattern and increments a metric each time the pattern appears. The resulting metric can be used to trigger an alarm. This is the correct and straightforward approach.

Why this answer

Option A is correct because CloudWatch Logs Metric Filters let you define a filter pattern that matches specific log events (for example 'User session started') and turn each match into a custom metric value. The metric is published to CloudWatch automatically, where an alarm can be set on the Sum of matches per period. This is the standard, cost-effective approach for deriving metrics from application logs without modifying the application. Two practical details: a metric filter only applies to log events ingested after it is created, and it counts matches per period, so a true 'currently active sessions' gauge needs the log line to carry the number itself so the filter can publish that field as the metric value.

Exam trap

The trap here is that candidates often confuse CloudWatch Contributor Insights (which ranks the top contributors in log data) with a simple metric filter, or they reach for Embedded Metric Format even though the question asks to derive the metric from logs the application already writes.

How to eliminate wrong answers

Option B is wrong because CloudWatch Contributor Insights is designed to analyze high-cardinality log data to identify top contributors (e.g., top IP addresses), not to produce a simple count metric for alarm thresholds. Option C is wrong because CloudWatch Synthetics Canaries simulate user interactions to generate traffic and metrics, but they do not parse existing application logs to count sessions; they create synthetic data, not real session counts. Option D is wrong because CloudWatch Embedded Metric Format requires the application to be modified to emit metrics in a specific JSON format, whereas the question asks to derive the metric from the existing application logs.
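Worked example, added here and not part of the original question bank: a Python model of how a metric filter turns log events into per-period metric values. The filter-pattern syntax is simplified to term matching (bare words, quoted phrases, '-' exclusions; whole-word and case-sensitive by assumption), and the log lines, timestamps and function names are constructed for this example. It shows the two details that bite in practice: a filter counts matching events per period rather than tracking a live total, and without a default value the periods with no matches produce no datapoint at all.

```python
"""Simulation of a CloudWatch Logs metric filter (added example, not AWS code).

CloudWatch's real filter-pattern syntax is richer (JSON selectors, space-
delimited field patterns); this models only the term form:
  - bare words and "quoted phrases" must ALL occur in the event (AND)
  - a term prefixed with '-' must NOT occur
Matching is case-sensitive on whole words, an assumption made for this model.
Each match adds metric_value to the period its timestamp falls in, mirroring
a filter that publishes a metric with a 60-second period.
"""
from collections import defaultdict
import re
import shlex

# Constructed sample log events (epoch seconds, message); not real data.
T0 = 1_700_000_040  # an exact minute boundary, so buckets line up
SAMPLE_EVENTS = [
    (T0 + 0, "INFO  User session started user=alice src=10.0.1.5"),
    (T0 + 12, "INFO  User session started user=bob src=10.0.1.9"),
    (T0 + 30, "DEBUG User session started user=healthcheck src=127.0.0.1"),
    (T0 + 75, "INFO  User session ended user=alice"),
    (T0 + 90, "INFO  User session started user=carol src=10.0.2.7"),
    (T0 + 150, "WARN  Login failed user=mallory src=203.0.113.4"),
]


def parse_pattern(pattern):
    """Split a term pattern into (required, excluded) term lists.
    shlex keeps "quoted phrases" together; a leading '-' marks exclusion."""
    required, excluded = [], []
    for term in shlex.split(pattern):
        if term.startswith("-") and len(term) > 1:
            excluded.append(term[1:])
        else:
            required.append(term)
    return required, excluded


def event_matches(message, required, excluded):
    """True if every required term and no excluded term occurs as a whole word."""
    def present(term):
        return re.search(r"\b" + re.escape(term) + r"\b", message) is not None
    return all(present(t) for t in required) and not any(present(t) for t in excluded)


def metric_filter(events, pattern, period=60, metric_value=1, default_value=None):
    """Return {period_start: summed metric value} for events matching pattern.

    default_value, when given, fills periods with no matches (CloudWatch's
    'default value' setting) so an alarm sees 0 instead of missing data."""
    required, excluded = parse_pattern(pattern)
    buckets = defaultdict(int)
    for ts, message in events:
        if event_matches(message, required, excluded):
            buckets[(ts // period) * period] += metric_value
    if default_value is not None and events:
        first = (min(ts for ts, _ in events) // period) * period
        last = (max(ts for ts, _ in events) // period) * period
        for start in range(first, last + period, period):
            buckets.setdefault(start, default_value)
    return dict(sorted(buckets.items()))


def session_starts_per_minute(events=SAMPLE_EVENTS):
    """Count session-start events per minute, ignoring the health-check probe."""
    return metric_filter(events, '"User session started" -healthcheck', default_value=0)


if __name__ == "__main__":
    for start, value in session_starts_per_minute().items():
        print(f"{start}: {value}")
```

Run it and the three minutes come out as 2, 1 and 0 matches; drop the default value and the third minute disappears from the output, which is exactly the missing-data case an alarm has to be configured to treat as OK or as breaching. The real equivalent is `aws logs put-metric-filter` with the pattern and a metric transformation, followed by `aws cloudwatch put-metric-alarm` on the resulting metric.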

875
MCQeasy

A SysOps administrator is provisioning an Auto Scaling group (ASG) for a stateless web application. The ASG should launch EC2 instances in multiple Availability Zones. The administrator needs to ensure that instances are evenly distributed across Availability Zones. Which configuration should the administrator use?

A.Use an 'availability-zone' health check type in the Auto Scaling group.
B.Create subnets in multiple Availability Zones and specify them in the Auto Scaling group.
C.Create the Auto Scaling group with a single subnet in one Availability Zone.
D.Create subnets in multiple Availability Zones but assign them to the same placement group.
AnswerB

This enables multi-AZ distribution.

Why this answer

Option B is correct because an Auto Scaling group spreads instances across the Availability Zones of the subnets you specify: each launch goes to the AZ with the fewest instances, and AZ rebalancing relaunches instances if the distribution becomes uneven (for example after an AZ outage). Option A is wrong because the health check type is EC2 or ELB; there is no 'availability-zone' health check, and health checks do not control placement. Option C is wrong because a single subnet confines the group to one AZ, so an AZ failure takes down the whole application.

Option D is wrong because a placement group governs how instances are packed onto hardware (a cluster placement group cannot even span AZs); it has nothing to do with balancing across AZs.

876
MCQeasy

Refer to the exhibit. A SysOps administrator runs the command to list running EC2 instances. What is the purpose of the '--query' parameter?

A.It filters the results on the server side.
B.It limits the API call to only running instances.
C.It filters the output to show only specified fields.
D.It saves the output to a file.
AnswerC

JMESPath query selects specific fields.

Why this answer

Option C is correct because '--query' applies a JMESPath expression to the response after the API call returns, selecting and reshaping fields on the client side (for example --query 'Reservations[].Instances[].[InstanceId,State.Name]'). Option A is wrong because server-side filtering is done with the '--filters' parameter (for example Name=instance-state-name,Values=running), which changes the API request; '--query' never does. Option B is wrong for the same reason: the full result set still comes back from the API and is only trimmed locally.

Option D is wrong because the CLI does not save output itself; you redirect it in the shell, and '--output' (json, text, table) only chooses the format.

877
MCQeasy

A company runs 200 EC2 Linux instances across three accounts. The security team requires that critical OS patches are applied automatically every Sunday at 2 AM UTC. Currently patches are applied manually and inconsistently. What is the recommended AWS-native solution?

A.Configure a Patch Manager patch baseline and maintenance window scheduled for Sunday 02:00 UTC; associate the Run Patch Baseline task with all EC2 instance targets
B.Create a cron job on each instance that runs 'yum update -y' every Sunday at 2 AM
C.Use AWS Config managed rules to detect unpatched instances and send SNS notifications for manual remediation
D.Build a CodePipeline that runs weekly, creates new AMIs with the latest patches, and replaces all instances via an Auto Scaling instance refresh
AnswerA

The patch baseline filters patch approvals by severity (e.g., CRITICAL, IMPORTANT). The maintenance window triggers the AWS-RunPatchBaseline SSM document on schedule. All 200 instances receive the same baseline and schedule, replacing manual inconsistency with automated consistency. Patch compliance is recorded in the Patch Manager compliance dashboard.

Why this answer

Option A is correct because AWS Systems Manager Patch Manager, combined with a Maintenance Window, provides a fully AWS-native, automated solution for patching EC2 instances on a schedule. The patch baseline defines which patches are approved (for example critical and important OS patches, with an optional auto-approval delay), and the Maintenance Window runs the 'AWS-RunPatchBaseline' SSM document with Operation=Install at the specified time (Sunday 02:00 UTC) against the targeted instances, typically selected by tag so new instances are picked up automatically. This eliminates manual effort and gives consistent, auditable patching with compliance data per instance. Because maintenance windows are per account, the configuration is repeated in each of the three accounts (or rolled out centrally with Systems Manager Quick Setup patch policies across the organization). The instances must run the SSM Agent and have an instance profile that allows Systems Manager to manage them.

Exam trap

The trap here is that candidates may choose Option D (AMI refresh) because it seems more 'complete' for patching, but they overlook that Patch Manager with Maintenance Windows is the simplest, most direct AWS-native solution for scheduled patching, and the question explicitly asks for the 'recommended' solution, not the most elaborate one.

How to eliminate wrong answers

Option B is wrong because per-instance cron jobs are not centrally managed, are invisible to compliance reporting, and drift easily across 200 instances and three accounts; there is no audit trail of what was applied where. Option C is wrong because AWS Config rules can only detect unpatched instances and notify; they do not apply patches, so the requirement for automatic patching is not met. Option D is wrong because, although immutable AMI rebuilds with an instance refresh are a valid pattern for stateless fleets, building and maintaining that pipeline is far more work than the question calls for and does not cover instances outside Auto Scaling groups; Patch Manager is the recommended tool for scheduled in-place OS patching.

878
MCQeasy

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The instances are behind an Application Load Balancer. The Auto Scaling group uses a dynamic scaling policy based on average CPU utilization. During a traffic spike, new instances are launched but take 5 minutes to become healthy. Users experience errors during this time. Which solution would reduce the time to serve traffic from new instances?

A.Use a launch template with a pre-provisioned AMI.
B.Add a lifecycle hook to delay instance termination.
C.Increase the cooldown period for the scaling policy.
D.Use a larger instance type.
AnswerA

Pre-warmed AMIs have the application already initialized, reducing time to become healthy.

Why this answer

Option A is correct because a launch template that references a pre-baked AMI (application installed, dependencies configured, agents registered) lets a new instance pass its health checks almost immediately instead of spending minutes in user data installing software. An Auto Scaling warm pool of pre-initialized instances is the other common mitigation. Option B is incorrect because a lifecycle hook that delays termination affects scale-in, not how quickly new instances become healthy. Option C is incorrect because a longer cooldown postpones further scale-out actions, making the capacity shortage during a spike worse.

Option D is incorrect because a larger instance type does not shorten the boot and configuration time that keeps the instance unhealthy for 5 minutes.

879
MCQhard

A company runs a critical application on a single Amazon EC2 instance with an attached Amazon EBS volume. The SysOps administrator needs to implement a disaster recovery solution that meets a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 30 minutes. The application runs continuously and data changes frequently. Which solution should the administrator implement?

A.Use Amazon Data Lifecycle Manager (DLM) to take EBS snapshots every 15 minutes and automate the creation of a new AMI.
B.Use AWS Backup to schedule backups every 15 minutes and restore from the latest backup when needed.
C.Use AWS Elastic Disaster Recovery (AWS DRS) to continuously replicate the instance to a staging area in another region.
D.Use an Auto Scaling group with a custom AMI that is updated every 15 minutes by a Lambda function.
AnswerC

AWS DRS provides continuous replication with low RPO (seconds) and RTO (minutes), meeting the stated requirements.

Why this answer

AWS Elastic Disaster Recovery (AWS DRS) continuously replicates the EC2 instance's disks at the block level to low-cost staging resources in another AWS Region, with an RPO measured in seconds. This meets the RPO of 15 minutes and RTO of 30 minutes because you can launch a fully configured recovery instance in the target Region within minutes from the latest consistent point in time, without relying on periodic snapshots or backups that would miss frequent data changes. Failback to the source Region is also supported once it is healthy again.

Exam trap

The trap here is that candidates often choose periodic snapshot or backup solutions (like DLM or AWS Backup) because they think 15-minute intervals satisfy the RPO, but they overlook the RTO constraint and the fact that frequent data changes require continuous replication, not periodic snapshots, to avoid data loss between intervals.

How to eliminate wrong answers

Option A is wrong because DLM policies cannot run more often than hourly, so a 15-minute snapshot cadence is not available, and even an hourly crash-consistent snapshot of a volume that changes constantly leaves up to an hour of data loss; recovery would also be a manual sequence of creating a volume or AMI and launching a replacement. Option B is wrong because AWS Backup schedules are likewise hourly at their most frequent and also rely on point-in-time snapshots; a restore is a manual process of creating a new volume and instance from the recovery point, which is hard to guarantee within the 30-minute RTO. Option D is wrong because an Auto Scaling group with an AMI rebuilt every 15 minutes by a Lambda function does not replicate continuously; an instance launched from the last AMI is missing every change made since it was created, and AMI creation itself takes time, so the RPO is not reliably met.

880
MCQhard

An organization is using AWS CodeDeploy with a blue/green deployment configuration for an EC2/On-Premises compute platform. During a deployment, the new instances pass all health checks, but the old instances are not terminated after the deployment completes. What is the most likely cause?

A.The Auto Scaling group has a cooldown period that prevents termination.
B.The new instances failed the initial health check.
C.The deployment configuration specifies 'Reroute traffic to new instances and keep old instances running' with no termination.
D.The deployment was rolled back automatically.
AnswerC

Blue/green deployments can be configured to not terminate old instances automatically.

Why this answer

Option C is correct because a blue/green deployment group for EC2/On-Premises has a setting for the original (blue) instances after traffic is rerouted: terminate them after a configurable wait, or keep them running. If the deployment group is set to keep the original instances, the old instances stay registered and running after a successful deployment by design. Option A is incorrect because Auto Scaling cooldowns govern scaling activities, not CodeDeploy's termination of the replaced instances. Option B is incorrect because the new instances passed their health checks and traffic was rerouted; a failed health check would have failed the deployment instead.

Option D is incorrect because a rollback would have been reported as a failed deployment and would route traffic back to the original instances, not leave both fleets running after a success.

881
MCQhard

An organization uses AWS CloudFormation to manage infrastructure. They have a stack that includes an Amazon RDS DB instance. The administrator wants to update the DB instance's allocated storage without downtime. The DB instance is currently using gp2 storage. Which action should the administrator take?

A.Create a read replica with the new storage size and promote it.
B.Modify the storage size in the CloudFormation template and update the stack.
C.Stop the DB instance, modify the storage, and start it.
D.Take a manual snapshot and restore it with the new storage size.
AnswerB

Increasing allocated storage is an online operation for RDS, and AllocatedStorage is a no-interruption update in CloudFormation.

Why this answer

Option B is correct. Changing AllocatedStorage on an AWS::RDS::DBInstance resource is an update that CloudFormation applies without interruption, and on the RDS side growing gp2 storage is done online: the instance stays available while the storage is scaled, with only a temporary drop in performance. Editing the template and updating the stack also keeps the stack as the source of truth, whereas changing the instance in the console would create drift. Two caveats: storage can be increased but not decreased, and after a storage modification RDS does not allow another one for six hours.

Option A is wrong because promoting a read replica means creating a new instance with a new endpoint and cutting over to it, which is disruptive and unnecessary for a storage change. Option C is wrong because stopping the DB instance is downtime by definition. Option D is wrong because restoring from a snapshot produces a new instance and requires a cutover; it is not how storage is resized in place.

882
MCQeasy

A SysOps administrator needs to view a graph of the average CPU utilization of an Auto Scaling group over the past 24 hours. The administrator wants to share this graph with the team via a link that does not require AWS console login. Which AWS service should be used to create and share this graph?

A.Amazon CloudWatch Dashboard
B.AWS CloudTrail
C.Amazon QuickSight
D.AWS Trusted Advisor
AnswerA

CloudWatch Dashboards can be shared via a public URL or via IAM permissions, allowing viewing without console login if shared publicly.

Why this answer

Amazon CloudWatch Dashboards let you graph metrics such as the average CPUUtilization of an Auto Scaling group over a chosen time range. The dashboard's 'Share' feature can generate a link that works without an AWS console login: either a public link that anyone with the URL can open, or a link restricted to specific email addresses (backed by Amazon Cognito) or to users of a single sign-on provider. Sharing a dashboard publicly exposes the metric data on it to anyone who obtains the link, so check that nothing sensitive is on the dashboard, or use the email-restricted mode, before sharing it.

Exam trap

The trap here is that candidates may confuse CloudWatch Dashboards with QuickSight for sharing visualizations, but QuickSight requires user provisioning and login, whereas CloudWatch Dashboards can be shared publicly without authentication.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail records API activity and governance logs, not metric graphs or CPU utilization data. Option C is wrong because Amazon QuickSight is a business analytics service for interactive dashboards and visualizations, but it requires a QuickSight account and login, and is not designed for sharing a simple metric graph without authentication. Option D is wrong because AWS Trusted Advisor provides best-practice checks and recommendations for cost, performance, and security, but does not generate or share metric graphs.

883
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to restrict all accounts from using specific AWS services unless explicitly allowed. Which feature should be used?

A.Service control policies (SCPs)
B.Resource-based policies
C.IAM permissions boundaries
D.AWS Config rules
AnswerA

SCPs allow you to centrally control the maximum available permissions for all accounts in your organization.

Why this answer

Service control policies (SCPs) are used in AWS Organizations to define the maximum permissions for accounts in the organization. An SCP can deny or allow services at the root, OU, or account level; a deny-list SCP that blocks specific services applies to every principal in the affected accounts, including the account's root user. SCPs never grant permissions on their own (an identity still needs an IAM policy that allows the action), and they do not apply to the organization's management account or to service-linked roles. IAM policies are for individual users and roles, not for account-wide restrictions.

Resource-based policies are attached to specific resources. IAM permissions boundaries cap what a single user or role can be granted but must be attached per principal. AWS Config rules evaluate compliance after the fact but do not prevent usage.

884
MCQhard

A company has an EC2 instance that needs to access an S3 bucket. The instance is launched in a private subnet with no internet gateway. What is the most secure way to provide access to S3 without traversing the internet?

A.Use a NAT gateway in a public subnet
B.Create an S3 VPC gateway endpoint
C.Set up an AWS Direct Connect connection
D.Attach an internet gateway to the VPC and a public IP to the instance
AnswerB

S3 VPC endpoint allows private access to S3 without internet.

Why this answer

To reach S3 from a private subnet without an internet gateway, create a gateway VPC endpoint for S3 and add it to the subnet's route table; traffic to S3 then stays on the AWS network and needs no public IP, NAT, or internet gateway. Option B is correct. Two hardening steps go with it: an endpoint policy that limits which buckets and actions the endpoint can be used for, and a bucket policy with an aws:SourceVpce condition so the bucket accepts requests only from that endpoint.

Option A is wrong because a NAT gateway sends the traffic out through an internet gateway to S3's public endpoints; it works, but it requires public infrastructure and is a larger exposure than a private endpoint. Option C is wrong because AWS Direct Connect links an on-premises network to AWS; it is irrelevant to an EC2 instance inside the VPC reaching S3. Option D is wrong because attaching an internet gateway and giving the instance a public IP exposes the instance to the internet, the opposite of what the question asks for.

885
MCQmedium

Refer to the exhibit. A SysOps administrator creates this stack. Which of the following is true about the bucket?

A.The bucket has versioning enabled
B.The bucket is publicly accessible
C.The bucket does not have versioning enabled
D.The bucket allows public read access
AnswerA

VersioningConfiguration Status is Enabled.

Why this answer

The template enables versioning and sets all public access block settings to true. This means the bucket is private and cannot be made public. Versioning is enabled.

Option A is correct. Option B is wrong because all four Block Public Access settings are true, so public access is blocked. Option C is wrong because the VersioningConfiguration status is Enabled, so versioning is on.

Option D is wrong because Block Public Access rejects public ACLs and public bucket policies, so public read access is not allowed.

886
MCQmedium

A SysOps administrator needs to deploy a new version of an application to an Auto Scaling group using a blue/green deployment strategy. The application runs on EC2 instances behind an Application Load Balancer. Which AWS service should be used to automate this deployment?

A.AWS Elastic Beanstalk
B.AWS CodeDeploy
C.AWS CodePipeline
D.AWS CloudFormation
AnswerB

CodeDeploy supports blue/green deployments with traffic routing options.

Why this answer

Option B is correct. AWS CodeDeploy supports blue/green deployments for EC2 instances behind a load balancer: it provisions a replacement (green) fleet, registers it with the ALB target group once healthy, reroutes traffic, and then terminates or keeps the original (blue) instances. Option A (Elastic Beanstalk) manages its own environments; it is not used to deploy to an existing Auto Scaling group.

Option C (CodePipeline) orchestrates the stages of a release but relies on a deploy action such as CodeDeploy to perform the deployment. Option D (CloudFormation) can create the infrastructure but does not manage traffic shifting between fleets natively.

887
MCQmedium

A SysOps administrator is troubleshooting slow application performance. The application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. Amazon CloudWatch metrics show that the average CPU utilization across the instances is below 20%, but the application is still slow. What is the MOST likely cause of the performance issue?

A.The Auto Scaling group is scaling too aggressively, causing thrashing.
B.The Application Load Balancer has a sticky session configuration that is not distributing traffic evenly.
C.The application database is under-provisioned and is causing slow query responses.
D.The EC2 instances are using burstable performance and have exhausted their CPU credits.
AnswerC

A database bottleneck can cause slow performance despite low app server CPU.

Why this answer

Option C is correct because a saturated database slows every request regardless of how idle the application tier is; the web servers spend their time waiting on query responses, which shows up as low CPU on the instances and high latency for users. Option A is wrong because scaling thrash would show up as repeated launch and terminate activity and fluctuating capacity, and with CPU under 20% the scaling policy is not firing at all. Option B is wrong because uneven distribution from sticky sessions would overload some instances, so at least a few would show high CPU rather than all being under 20%.

Option D is wrong because nothing in the question indicates burstable (T-series) instances; if CPU credits were exhausted, the CPUCreditBalance metric would read zero and CPUUtilization would sit pinned at the instance's baseline while requests slow down. That is worth checking, but a database bottleneck is the more general explanation for an idle application tier and a slow application.

888
MCQmedium

A SysOps administrator notices that an EC2 instance's status check fails intermittently. The instance is part of an Auto Scaling group. What is the most efficient way to automatically recover the instance?

A.Increase the Auto Scaling group's cooldown period.
B.Create a CloudWatch alarm on StatusCheckFailed and configure an EC2 recovery action.
C.Terminate the instance and wait for Auto Scaling to launch a new one.
D.Place the instance in a different Availability Zone.
AnswerB

The recover action moves the instance to new underlying hardware with the same instance ID, private IP, Elastic IP, and metadata.

Why this answer

Option B is correct because a CloudWatch alarm on the StatusCheckFailed_System metric with the EC2 recover action (arn:aws:automate:<region>:ec2:recover) automatically migrates the instance to healthy underlying hardware when a system status check fails, keeping the instance ID, private IP addresses, Elastic IP, and metadata. For failures of the instance status check (a problem inside the guest, such as a misconfigured network stack or exhausted memory), use the reboot action instead, since recovery only addresses host-level problems. Note that the Auto Scaling group, with its default EC2 health check, will eventually treat an instance with failing status checks as unhealthy and replace it; recovery repairs the instance first without a replacement.

Exam trap

The trap here is that candidates confuse instance recovery with Auto Scaling replacement, thinking termination and relaunch is the default or only option, but EC2 recovery is a separate, more efficient mechanism that preserves instance identity and is directly configurable via CloudWatch alarms.

How to eliminate wrong answers

Option A is wrong because increasing the Auto Scaling group's cooldown period delays the launch of new instances after scaling activities, but does not recover a failing instance or address the status check failure. Option C is wrong because terminating the instance and waiting for Auto Scaling to launch a new one is less efficient—it loses the instance's metadata, private IP, and Elastic IP, and incurs longer downtime compared to an automatic recovery. Option D is wrong because placing the instance in a different Availability Zone does not automatically recover the instance; it requires manual intervention or a new launch, and does not leverage the built-in EC2 recovery mechanism.

889
MCQhard

A company uses AWS CodePipeline to deploy a serverless application. The pipeline has a source stage (Amazon S3), a build stage (AWS CodeBuild), and a deploy stage (AWS CloudFormation). The deploy stage uses a change set. Recently, the deploy stage fails with the error 'No updates are to be performed.' What is the MOST likely cause?

A.The source code in the S3 bucket has not changed since the last successful deployment.
B.The AWS CloudFormation stack was manually deleted outside of the pipeline.
C.The IAM role for the pipeline does not have sufficient permissions to update the stack.
D.The change set name specified in the pipeline configuration is incorrect.
AnswerA

If the source hasn't changed, CloudFormation finds no updates needed.

Why this answer

Option A is correct because if the source code has not changed, the generated change set contains no changes and CloudFormation reports that there are no updates to perform. Option B is incorrect because a missing stack would not produce this message; the change set action would either fail with a different error or create a new stack. Option C is incorrect because insufficient IAM permissions produce an access denied error. Option D is incorrect because a wrong change set name would fail the execute step with a not-found error, not a no-updates message.

890
MCQeasy

A SysOps administrator needs to ensure that all S3 buckets in the account are configured with server access logging. Which AWS service can evaluate the buckets and automatically remediate non-compliant buckets?

A.Amazon GuardDuty
B.AWS CloudTrail
C.AWS Config
D.AWS Trusted Advisor
AnswerC

AWS Config rules can evaluate resources and trigger remediation actions via Systems Manager Automation.

Why this answer

AWS Config is the correct service because it can continuously evaluate your S3 buckets against the managed rule s3-bucket-logging-enabled and automatically remediate non-compliant buckets through a remediation action that runs an AWS Systems Manager Automation document, such as the managed document AWS-ConfigureS3BucketLogging. This allows the SysOps administrator to enforce server access logging as a compliance requirement without manual intervention. The remediation runs under an IAM role you provide, so scope that role to the s3:PutBucketLogging permission it needs.

Exam trap

The trap here is that candidates often confuse AWS Config's evaluation and remediation capabilities with CloudTrail's logging of API calls, mistakenly thinking CloudTrail can enforce S3 bucket policies, when in fact CloudTrail only records events and cannot modify resource configurations.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using DNS logs, VPC Flow Logs, and CloudTrail events; it does not evaluate S3 bucket configurations for compliance or perform remediation. Option B is wrong because AWS CloudTrail records API activity for auditing and governance but does not evaluate current resource configurations or automatically remediate non-compliant resources. Option D is wrong because AWS Trusted Advisor provides best-practice checks and recommendations, including S3 bucket logging checks, but it cannot automatically remediate non-compliant buckets; it only offers guidance.

891
MCQmedium

Refer to the exhibit. A SysOps administrator deploys this CloudFormation stack. The EC2 instance launches and the web server starts. However, the CloudWatch alarm does not trigger even when CPU utilization exceeds 80%. What is the MOST likely reason?

A.The alarm action is missing a valid SNS topic ARN.
B.The alarm statistic should be 'Maximum' instead of 'Average' to catch CPU spikes that may not sustain the average above 80% for 5 minutes.
C.The alarm dimension is incorrect; it should use the instance's private IP.
D.The user data script fails to start the web server, causing the instance to be unhealthy.
AnswerB

Using Average over 5 minutes can mask short spikes; Maximum would trigger on any 5-minute period where the maximum is above 80%.

Why this answer

Option B is correct because the alarm is configured with the 'Average' statistic, which smooths CPU utilization over each 5-minute period. If CPU spikes above 80% for a minute or two but the average over the whole period stays below the threshold, the alarm never enters ALARM. Using the 'Maximum' statistic makes the period's datapoint the highest sample in it, so any single sample above 80% breaches. Two caveats a practitioner should know: with basic monitoring EC2 publishes only one CPUUtilization sample per 5 minutes, so Average and Maximum of a 5-minute period are the same number and the statistic choice only matters once detailed (1-minute) monitoring is enabled; and Maximum is noisy, so pair it with a 'datapoints to alarm' setting (for example 2 out of 3 periods) to avoid paging on a single momentary spike.

Exam trap

The trap here is that candidates often assume any CPU utilization above the threshold will trigger an alarm, overlooking how the chosen statistic (Average vs. Maximum) and evaluation period affect whether a spike is detected.

How to eliminate wrong answers

Option A is wrong because the alarm action missing a valid SNS topic ARN would cause a different issue (e.g., failure to send notifications), but it would not prevent the alarm from triggering based on the metric threshold; the alarm state would still change. Option C is wrong because the alarm dimension should use the instance ID, not the private IP; CloudWatch metrics for EC2 are dimensioned by InstanceId, and using a private IP would cause the alarm to not match the metric data. Option D is wrong because the user data script failing to start the web server would affect the instance's health but has no bearing on the CloudWatch alarm's ability to trigger based on CPU utilization; the alarm monitors CPU, not web server status.
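Worked example, added here and not from the original page: a Python model of the alarm evaluation in this question. The minute-by-minute CPU samples are constructed, and the alarm logic is a simplified model of CloudWatch's GreaterThanThreshold comparison with 'M out of N' evaluation (the function and variable names are this example's own). It shows the spike that Average hides and Maximum catches, and the basic-monitoring case where the two statistics coincide.

```python
"""Effect of the alarm statistic on spike detection (added example, not AWS code).

One CPUUtilization sample per minute is what EC2 detailed monitoring publishes;
basic monitoring publishes one sample per 5 minutes that is already an average
of that interval.  Both views are modelled here.  All datapoints are constructed.
"""
from statistics import mean

# Constructed: 10 minutes of CPUUtilization (%), idle except a 2-minute spike.
CPU_SAMPLES = [15, 16, 95, 97, 14, 15, 13, 16, 15, 14]

STATISTICS = {"Average": mean, "Maximum": max, "Minimum": min, "Sum": sum}


def aggregate(samples, period_minutes, statistic):
    """Roll 1-minute samples into per-period datapoints with the given statistic."""
    fn = STATISTICS[statistic]
    return [fn(samples[i:i + period_minutes])
            for i in range(0, len(samples), period_minutes)]


def alarm_history(datapoints, threshold, evaluation_periods=1, datapoints_to_alarm=None):
    """Alarm state after each period once enough datapoints exist.

    Models a GreaterThanThreshold alarm with 'M out of N' evaluation: the
    state is ALARM when at least datapoints_to_alarm of the last
    evaluation_periods datapoints breach the threshold."""
    m = datapoints_to_alarm or evaluation_periods
    states = []
    for i in range(evaluation_periods - 1, len(datapoints)):
        window = datapoints[i - evaluation_periods + 1:i + 1]
        breaches = sum(1 for v in window if v > threshold)
        states.append("ALARM" if breaches >= m else "OK")
    return states


def compare_statistics(samples=CPU_SAMPLES, period_minutes=5, threshold=80):
    """Per-period datapoints and alarm states for Average versus Maximum."""
    result = {}
    for stat in ("Average", "Maximum"):
        dps = aggregate(samples, period_minutes, stat)
        result[stat] = {"datapoints": dps, "states": alarm_history(dps, threshold)}
    return result


def basic_monitoring_view(samples=CPU_SAMPLES, period_minutes=5):
    """What the alarm sees under basic monitoring: EC2 publishes one averaged
    sample per interval, and a single sample's Average equals its Maximum."""
    published = aggregate(samples, period_minutes, "Average")
    return {stat: aggregate(published, 1, stat) for stat in ("Average", "Maximum")}


if __name__ == "__main__":
    for stat, view in compare_statistics().items():
        print(f"{stat:8s} datapoints={view['datapoints']} states={view['states']}")
    print("basic monitoring:", basic_monitoring_view())
```

The first 5-minute period averages 47.4% (never alarms) while its Maximum is 97% (alarms). Under the basic-monitoring view both statistics return 47.4 for that period, which is why enabling detailed monitoring is the prerequisite for the fix the question describes; the alarm_history function also shows how '2 out of 2' evaluation keeps a single breaching datapoint from paging.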

892
MCQhard

A company runs a critical application on EC2 instances in an Auto Scaling group with a minimum of 2 instances. The instances are in a single Availability Zone. The company wants to achieve 99.99% availability. Which change should they make?

A.Modify the Auto Scaling group to launch instances in multiple Availability Zones and place an Application Load Balancer in front.
B.Increase the minimum size of the Auto Scaling group to 4 instances.
C.Use a larger EC2 instance type to handle more traffic.
D.Configure the Auto Scaling group to scale based on memory utilization.
AnswerA

Multi-AZ deployment with ALB ensures availability if an AZ fails.

Why this answer

Option A is correct because spreading the Auto Scaling group across multiple Availability Zones and placing an Application Load Balancer in front distributes traffic and keeps the application available if one AZ fails. Option B is wrong because adding instances in a single AZ cannot achieve 99.99% availability; an AZ failure still takes down every instance. Option C is wrong because a larger instance type does not improve availability.

Option D is wrong because scaling based on memory utilization does not provide AZ redundancy.

893
MCQeasy

A company is using AWS Cost Explorer to analyze spending. They want to receive an email alert when costs exceed a certain threshold. Which service should they use?

A.AWS Trusted Advisor
B.AWS Cost Explorer
C.Amazon CloudWatch
D.AWS Budgets
AnswerD

AWS Budgets can send notifications when costs exceed thresholds.

Why this answer

Option D is correct because AWS Budgets can send alerts when costs exceed thresholds. Option B is wrong because Cost Explorer is for analysis, not alerts. Option C is wrong because CloudWatch does not natively monitor AWS costs.

Option A is wrong because Trusted Advisor provides recommendations, not cost alerts.

894
MCQmedium

A company requires that all S3 buckets be tagged with a 'CostCenter' tag. A SysOps administrator needs to enforce this and prevent creation of untagged buckets. Which approach should be used?

A.Apply a service control policy (SCP) that denies s3:CreateBucket unless the request includes the required tag
B.Create an IAM policy that allows s3:CreateBucket only if the bucket has the tag, and attach it to all users
C.Enable AWS CloudTrail to log bucket creation and review logs daily
D.Use an AWS Config rule to automatically delete untagged buckets
AnswerA

SCPs can enforce tagging at the organizational level by denying bucket creation without the required tag.

Why this answer

AWS Organizations SCPs can be used to deny actions that do not meet certain conditions, such as requiring specific tags. An SCP with a condition for 'aws:RequestTag' can enforce tagging at bucket creation. IAM policies can also enforce tagging for specific users, but SCPs apply to all accounts in the organization.

AWS Config rules can detect non-compliant resources but cannot prevent creation. CloudTrail is for logging, not enforcement.

895
MCQeasy

A SysOps administrator is deploying a new application using AWS CloudFormation. The template includes an EC2 instance with a UserData script that installs software from a private S3 bucket. What is the BEST way to ensure the EC2 instance can access the S3 bucket without storing long-term credentials on the instance?

A.Create an IAM user with S3 access and attach the access key to the instance profile.
B.Store the access key ID and secret access key in the UserData script.
C.Create an IAM role with S3 access and associate it with the instance profile.
D.Configure a security group rule that allows the instance to reach S3 via VPC endpoint.
AnswerC

This grants temporary credentials to the instance, a best practice.

Why this answer

Option C is correct because assigning an IAM role to the EC2 instance allows it to obtain temporary credentials via the instance metadata service, which is the recommended secure method. Option B is wrong because storing access keys in UserData is insecure. Option A is wrong because instance profiles require IAM roles, not direct IAM user credentials.

Option D is wrong because security groups and VPC endpoints control network access, not authentication to S3.

896
MCQeasy

A company wants to ensure that all Amazon S3 buckets have versioning enabled to protect against accidental deletion of objects. A SysOps administrator needs to automatically detect any buckets that do not have versioning enabled and receive notifications. Which AWS service should the administrator use?

A.AWS CloudTrail
B.AWS Config
C.Amazon Inspector
D.AWS Trusted Advisor
AnswerB

AWS Config evaluates resource configurations against desired policies using managed or custom rules. The 's3-bucket-versioning-enabled' managed rule will flag buckets that do not have versioning enabled.

Why this answer

AWS Config is the correct service because it provides managed rules, such as 's3-bucket-versioning-enabled', that continuously evaluate your S3 buckets against desired configuration states. When a bucket is non-compliant (versioning disabled), AWS Config can trigger an Amazon SNS notification to alert the administrator, enabling automated detection and remediation.

Exam trap

The trap here is that candidates confuse AWS Config (continuous configuration auditing) with AWS CloudTrail (API activity logging), thinking that CloudTrail can detect non-compliant states when it only records actions that change the state.

How to eliminate wrong answers

Option A (AWS CloudTrail) is wrong because it records API activity (e.g., PutBucketVersioning calls) but does not continuously evaluate the current configuration state of resources; it cannot proactively detect buckets with versioning disabled unless an API call is made. Option C (Amazon Inspector) is wrong because it is designed for vulnerability assessment of EC2 instances and container workloads, not for auditing S3 bucket configurations. Option D (AWS Trusted Advisor) is wrong because while it can check S3 bucket versioning as part of its cost optimization and security checks, it does not provide automated, real-time notifications for configuration drift; it is a manual, periodic review tool.

897
Multi-Selecthard

A company uses Amazon S3 to store backup data. The SysOps administrator needs to ensure that the data is protected against accidental deletion by users with administrative privileges. Which combination of actions should the administrator take? (Choose TWO.)

Select 2 answers
A.Enable MFA Delete on the S3 bucket.
B.Apply an S3 bucket policy that denies s3:DeleteObject for all users.
C.Enable versioning on the S3 bucket.
D.Configure a lifecycle policy to transition objects to S3 Glacier.
E.Enable AWS CloudTrail to log all S3 API calls.
AnswersA, C

MFA Delete requires multi-factor authentication to permanently delete objects.

Why this answer

Options A and C are correct because enabling MFA Delete requires additional authentication to permanently delete objects or change the versioning state, and enabling versioning allows recovery of deleted objects via previous versions. Option B is wrong because a bucket policy that denies s3:DeleteObject for all users cannot differentiate between accidental and intentional deletion by authorized users, and an administrator could simply change the policy. Option D is wrong because lifecycle policies manage storage classes, not deletion protection.

Option E is wrong because CloudTrail logs provide auditing but do not prevent deletion.

898
MCQmedium

A company runs a stateless web application on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application experiences increased latency during peak hours. The SysOps administrator needs to improve the application's performance and reliability. Which action should be taken?

A.Use larger EC2 instance types instead of smaller ones.
B.Reduce the Auto Scaling group's cooldown period to scale out faster.
C.Change the scaling metric from CPU utilization to memory utilization.
D.Increase the maximum instance count in the Auto Scaling group.
AnswerD

Allows scaling out to handle more traffic.

Why this answer

Option D is correct because raising the maximum size allows the Auto Scaling group to scale out and add instances to handle the increased load, improving performance and reliability. Option C is wrong because changing the scaling metric to memory utilization may not reflect the actual load. Option A is wrong because switching to a larger instance type is less elastic than scaling out.

Option B is wrong because reducing the cooldown period could cause thrashing.

899
MCQmedium

A SysOps admin notices that an EC2 instance's status check fails intermittently. The instance is part of an Auto Scaling group. What is the most appropriate first step to diagnose the issue?

A.Stop and start the instance
B.Terminate the instance and let Auto Scaling replace it
C.Reboot the instance
D.Review the instance's status check history in the EC2 console
AnswerD

Status checks reveal whether the issue is system-level or instance-level.

Why this answer

The most appropriate first step is to review the instance's status check history in the EC2 console (Option D). This allows the SysOps admin to determine whether the failures are due to system status checks (e.g., underlying hardware issues) or instance status checks (e.g., OS-level problems). Since the instance is part of an Auto Scaling group, understanding the root cause is critical before taking any corrective action, as premature termination or reboot could mask the issue or lead to unnecessary replacements.

Exam trap

The trap here is that candidates often jump to terminating or rebooting the instance immediately, but the SOA-C02 exam emphasizes a methodical troubleshooting approach where reviewing status check history is the first step to differentiate between recoverable and irrecoverable failures.

How to eliminate wrong answers

Option A is wrong because stopping and starting the instance would move it to new hardware, which is only appropriate if the issue is a system status check failure (hardware problem), but this action is not the first diagnostic step and could disrupt the instance without confirming the cause. Option B is wrong because terminating the instance and letting Auto Scaling replace it is a reactive measure that bypasses diagnosis; it could lead to repeated failures if the underlying issue (e.g., a misconfigured application) persists in the replacement instance. Option C is wrong because rebooting the instance only addresses transient software issues and does not resolve hardware-level failures; it also does not provide diagnostic information about the intermittent status check failures.

900
MCQeasy

A company wants to deploy a new version of a web application to an Auto Scaling group of EC2 instances behind an Application Load Balancer. The deployment should be automated and must not cause downtime. Which AWS service should be used?

A.AWS CloudFormation
B.AWS OpsWorks
C.AWS Elastic Beanstalk
D.AWS CodeDeploy
AnswerD

CodeDeploy automates application deployments to EC2 instances, including Auto Scaling groups.

Why this answer

AWS CodeDeploy integrates with Auto Scaling groups and supports rolling and blue/green deployments to avoid downtime. CloudFormation manages infrastructure but does not deploy application code directly. OpsWorks and Elastic Beanstalk can deploy applications, but CodeDeploy is the dedicated service for automating application deployments to an existing Auto Scaling group behind an Application Load Balancer.
