AWS Certified SysOps Administrator Associate (SOA-C02) — Questions 901–975

1546 questions total · 21 pages · All types, answers revealed


Page 13 of 21

901
Multi-Select (hard)

A company is using Amazon Route 53 as its DNS service. The SysOps team needs to route traffic to multiple resources based on the geographic location of the users. Which THREE routing policies can achieve this? (Select THREE.)

Select 3 answers
A. Geoproximity routing
B. Simple routing
C. Failover routing
D. Latency-based routing
E. Geolocation routing
Answers: A, D, E

Routes based on geographic distance and bias.

Why this answer

Geoproximity routing (Option A) is correct because it allows traffic to be routed based on the geographic location of users and their resources, with the ability to shift traffic using a bias value. This policy is ideal for scenarios where you want to route users to the nearest resource but also have the flexibility to send more traffic to a specific region, such as for load balancing or disaster recovery.

Exam trap

The trap here is that candidates often confuse 'geolocation routing' (which routes based strictly on user location) with 'geoproximity routing' (which adds a bias for traffic shifting), and may incorrectly assume that simple or failover routing can achieve geographic-based distribution when they cannot.

902
MCQ (hard)

Refer to the exhibit. A SysOps administrator runs the AWS CLI command shown. The output shows that the CPUUtilization average over the period is 75%. However, the administrator knows that the instance was idle for the first 15 minutes of the hour. Which explanation best describes why the average might be misleading?

A. The period is too long; a shorter period like 60 seconds would show more granular data.
B. The average statistic over a period of 300 seconds can smooth out spikes, and the overall average of 75% may be due to a high spike after the idle period.
C. The command should include --unit Percent to get accurate data.
D. The --statistics parameter should be set to 'Sum' to capture total usage.
Answer: B

Averaging over 5-minute periods can mask short spikes, and the overall average over the hour can be misleading if the load is not constant.

Why this answer

Option B is correct because the average statistic over a 300-second period can smooth out brief but intense spikes in CPU utilization. In this scenario, the instance was idle for the first 15 minutes, so the average of 75% over the entire hour must be driven by a very high CPU spike later in the period. The period of 300 seconds aggregates data into 5-minute intervals, which can mask the idle period and make the overall average misleading.

Exam trap

The trap here is that candidates assume a high average always indicates consistent high usage, when in fact the 'Average' statistic over a long period can mask idle periods and be heavily skewed by short, intense spikes.

How to eliminate wrong answers

Option A is wrong because while a shorter period like 60 seconds would provide more granular data, it would not change the fact that the average over the hour is 75%—the issue is not the granularity but the smoothing effect of the average statistic over the chosen period. Option C is wrong because the --unit parameter is not required for CPUUtilization metrics; CloudWatch automatically reports CPUUtilization as a percentage, and omitting --unit does not cause inaccurate data. Option D is wrong because using the 'Sum' statistic would accumulate CPU utilization over each period, which is not meaningful for a percentage metric and would not help identify the misleading average caused by the idle period.

903
MCQ (medium)

A SysOps administrator is configuring a VPC with a public subnet and a private subnet. The private subnet needs to access the internet to download patches. The administrator creates a NAT Gateway in the public subnet and updates the private subnet route table. However, instances in the private subnet cannot reach the internet. What is the most likely cause?

A. The network ACL for the private subnet blocks outbound traffic.
B. The route table for the public subnet does not have a route to an Internet Gateway.
C. The NAT Gateway does not have an Elastic IP address attached.
D. The security group associated with the NAT Gateway blocks outbound traffic.
Answer: B

The NAT Gateway needs an Internet Gateway route to reach the internet.

Why this answer

The NAT Gateway must sit in a public subnet whose route table has a route to an Internet Gateway. If the public subnet's route table lacks that route, the NAT Gateway cannot forward traffic to the internet. Option C is incorrect because an Elastic IP is required when a NAT Gateway is created. Option D is incorrect because security groups do not apply to NAT Gateways. Option A is incorrect because NACLs can affect traffic but are not the core issue here.

904
MCQ (medium)

A media company stores millions of video files in S3. Some files are accessed heavily after upload (when new) and rarely afterward; others are accessed unpredictably across months. The team cannot predict which files will be accessed and when. They want to minimize storage costs without risking retrieval latency penalties or per-object retrieval fees. Which storage class is appropriate?

A. Use S3 Intelligent-Tiering so objects automatically move between Frequent and Infrequent Access tiers based on access patterns, with no retrieval fees
B. Use S3 Standard-IA and configure a lifecycle policy to move objects back to Standard after every access
C. Use S3 Glacier Instant Retrieval for all objects because it offers the lowest storage cost with millisecond retrieval
D. Use S3 Standard for all objects because it has no retrieval fees and provides the best availability
Answer: A

Intelligent-Tiering handles the unpredictable access pattern automatically. Objects accessed within 30 days stay in Frequent Access. Unaccessed objects move to Infrequent Access (40 percent lower cost). No retrieval fee ensures there is no cost penalty when an old file is accessed unexpectedly. The per-object monitoring fee is offset by storage savings for objects over 128 KB.

Why this answer

S3 Intelligent-Tiering is the correct choice because it automatically moves objects between Frequent Access and Infrequent Access tiers based on changing access patterns, with no retrieval fees and no performance impact (millisecond latency). This matches the unpredictable access pattern described, as the service monitors access at the object level and adjusts storage tier without manual lifecycle rules or retrieval costs.

Exam trap

The trap here is that candidates often confuse S3 Intelligent-Tiering with S3 Standard-IA, assuming both have retrieval fees, or they incorrectly believe Glacier Instant Retrieval is always cheaper despite its retrieval fees and minimum storage duration penalties.

How to eliminate wrong answers

Option B is wrong because S3 Standard-IA charges a per-object retrieval fee (per GB retrieved) and a minimum storage duration fee (30 days), and moving objects back to Standard after every access would incur repeated retrieval fees and lifecycle transition costs, defeating cost minimization. Option C is wrong because S3 Glacier Instant Retrieval has a higher storage cost than Intelligent-Tiering for frequently accessed data and still incurs retrieval fees (per GB) for every access, plus a minimum 90-day storage charge, making it unsuitable for unpredictable access patterns. Option D is wrong because S3 Standard has the highest storage cost among the options, and while it has no retrieval fees, it does not optimize costs for files that become rarely accessed over time, leading to unnecessary expense.

905
MCQ (medium)

A company runs a batch processing application on Amazon EC2 instances that runs every night for 2 hours. The job can be interrupted and resumed without any issue. The SysOps administrator wants to minimize compute costs for this workload. Which EC2 purchasing option should be used?

A. Spot Instances
B. On-Demand Instances
C. Reserved Instances
D. Dedicated Hosts
Answer: A

Spot Instances offer the deepest discounts and are suitable for workloads that can be interrupted and resumed.

Why this answer

Spot Instances are the correct choice because the workload is fault-tolerant (can be interrupted and resumed) and runs for only 2 hours nightly. Spot Instances offer significant cost savings (up to 90% off On-Demand) but can be reclaimed by AWS with a 2-minute warning, which is acceptable here since the job can resume without issue. This aligns with the goal of minimizing compute costs for a non-critical, interruptible batch process.

Exam trap

The trap here is that candidates often choose Reserved Instances (Option C) thinking they always save money, but they fail to recognize that Reserved Instances are only cost-effective for steady-state, always-on workloads, not for short, interruptible batch jobs where Spot Instances provide greater savings without long-term commitment.

How to eliminate wrong answers

Option B (On-Demand Instances) is wrong because they provide no cost savings for a fault-tolerant workload that can handle interruptions; On-Demand is priced at the standard rate and is intended for unpredictable or critical workloads, not for minimizing costs. Option C (Reserved Instances) is wrong because they require a 1- or 3-year commitment and are designed for steady-state, predictable usage, not for a 2-hour nightly job that could be interrupted; the upfront cost and commitment would not be cost-effective for such a short, interruptible workload. Option D (Dedicated Hosts) is wrong because they are a physical server dedicated to a single customer, incurring high costs regardless of usage, and are intended for compliance or licensing requirements, not for minimizing compute costs for a batch job.

906
MCQ (hard)

A company uses Amazon S3 to serve large files to users. The files are accessed frequently for the first 30 days after upload, then access drops significantly. The SysOps administrator wants to minimize storage costs while ensuring low-latency access for frequently accessed files and automatic optimization for changing access patterns. Which S3 storage class configuration should be used?

A. Use S3 Standard for 30 days, then transition to S3 Glacier Deep Archive.
B. Use S3 Intelligent-Tiering.
C. Use S3 Standard then transition to S3 Glacier Flexible Retrieval after 30 days.
D. Use S3 One Zone-IA for the first 30 days, then transition to S3 Standard-IA.
Answer: B

S3 Intelligent-Tiering automatically optimizes costs by moving objects between access tiers based on usage patterns. It provides low-latency access for frequently accessed objects and automatically moves infrequently accessed objects to a lower-cost tier.

Why this answer

S3 Intelligent-Tiering is the correct choice because it automatically moves objects between three access tiers (frequent, infrequent, and archive instant) based on changing access patterns, without any lifecycle rules or performance impact. This meets the requirement for low-latency access for frequently accessed files and automatic optimization, while minimizing storage costs as access drops after 30 days.

Exam trap

The trap here is that candidates often choose a lifecycle-based solution (like S3 Standard to Glacier) thinking it is automatic, but they overlook that lifecycle rules are static and do not adapt to changing access patterns, whereas S3 Intelligent-Tiering dynamically optimizes without manual intervention.

How to eliminate wrong answers

Option A is wrong because S3 Glacier Deep Archive has a retrieval time of 12-48 hours, which does not provide low-latency access for frequently accessed files, and it requires manual lifecycle rules rather than automatic optimization. Option C is wrong because S3 Glacier Flexible Retrieval has retrieval times of minutes to hours (typically 1-5 minutes for expedited, but with additional cost), which does not guarantee low-latency access, and it requires a lifecycle policy rather than automatic pattern adaptation. Option D is wrong because S3 One Zone-IA does not provide the durability of multiple Availability Zones and is not suitable for frequently accessed files due to retrieval costs, and transitioning to S3 Standard-IA after 30 days still requires manual lifecycle rules and does not automatically optimize for changing access patterns.

907
MCQ (medium)

A SysOps administrator manages IAM roles for Amazon EC2 instances. The administrator needs to identify permissions that have never been used in the last 90 days to right-size the policies. Which AWS feature should be used to achieve this?

A. AWS CloudTrail Insights
B. IAM Access Analyzer unused access analysis
C. IAM policy simulator
D. AWS Config managed rules
Answer: B

Analyzes service last accessed data to identify unused permissions for least privilege.

Why this answer

IAM Access Analyzer unused access analysis is the correct AWS feature because it specifically analyzes IAM roles and policies to identify permissions that have not been used within a specified time frame (e.g., 90 days). It provides a report of unused actions, allowing the administrator to right-size policies by removing unnecessary permissions. This directly addresses the requirement to identify unused permissions for EC2 instance roles.

Exam trap

The trap here is that candidates may confuse IAM Access Analyzer unused access analysis with AWS CloudTrail Insights, but CloudTrail Insights focuses on anomalous activity patterns rather than a straightforward unused permissions report for policy right-sizing.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail Insights analyzes management and data events to detect unusual activity patterns, not to identify unused permissions over a specific period. Option C is wrong because the IAM policy simulator tests whether a given policy allows or denies specific actions for a user, role, or resource, but it does not analyze historical usage or identify unused permissions. Option D is wrong because AWS Config managed rules evaluate resource configurations against compliance rules, not historical permission usage.

908
MCQ (medium)

An administrator uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with an error: "The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems." The deployment group has a minimum of 2 instances. What should the administrator check first?

A. The application revision's compatibility with the instance operating system.
B. The Auto Scaling group's health check settings.
C. The deployment group's deployment configuration settings.
D. The deployment logs on the individual EC2 instances.
Answer: D

The logs reveal why the deployment failed on each instance, such as script errors.

Why this answer

Option D is correct because the deployment logs on the instances show the specific failure reason on each instance. Option C is wrong because the issue is not necessarily the deployment group's configuration. Option B is wrong because the Auto Scaling group health checks concern instance health, not deployment success. Option A is wrong because the application revision might be valid for other environments.

909
Multi-Select (hard)

A SysOps administrator is tasked with setting up a solution that automatically terminates EC2 instances that have been running for more than 24 hours. Which steps should the administrator take? (Select THREE.)

Select 3 answers
A. Configure an Auto Scaling group lifecycle hook to terminate instances after 24 hours.
B. Create a CloudWatch alarm on the InstanceAge metric and set it to trigger the Lambda function.
C. Tag each EC2 instance with its launch time (e.g., key: LaunchTime, value: timestamp).
D. Create an Amazon EventBridge rule that triggers the Lambda function on a schedule (e.g., every hour).
E. Create an AWS Lambda function that uses the EC2 API to terminate instances older than 24 hours.
Answers: C, D, E

Tags allow the Lambda function to calculate age.

Why this answer

Options C, D, and E are correct. Option E creates the Lambda function that terminates instances older than 24 hours. Option D creates the EventBridge rule that triggers the Lambda function on a schedule. Option C tags instances with a launch time for the function to evaluate. Option B is wrong because CloudWatch alarms respond to metric thresholds, not elapsed time. Option A is wrong because Auto Scaling lifecycle hooks are for lifecycle actions, not time-based termination.

910
MCQ (easy)

A company wants to allow a developer to deploy applications using AWS CloudFormation but restrict the developer from creating or modifying IAM resources. Which IAM policy should be used?

A. Allow iam:*
B. Deny cloudformation:*
C. Allow cloudformation:* and deny iam:*
D. Allow cloudformation:* only
Answer: C

This enables CloudFormation actions while explicitly blocking IAM actions.

Why this answer

Option C is correct because it allows all CloudFormation actions while explicitly denying IAM actions. Option D is wrong because it does not explicitly deny IAM actions, so the developer could still create IAM resources if another policy allows it. Option B is wrong because it denies all CloudFormation actions, which is too restrictive. Option A is wrong because it allows all actions on IAM, the opposite of what is needed.

911
MCQ (medium)

The finance team was surprised by a $12,000 spike in EC2 costs last month caused by a runaway Auto Scaling group. They want to receive an email alert within hours whenever any AWS service cost behaves unexpectedly, without manually setting fixed dollar thresholds for each service. Which AWS cost management feature provides this?

A. Enable Cost Anomaly Detection with an AWS services monitor and create an alert subscription to email the finance team when an anomaly is detected
B. Create an AWS Budget with a monthly EC2 cost threshold of $10,000 and an alert at 80 percent of the threshold
C. Enable AWS Cost Explorer and review the daily cost breakdown each morning to spot unexpected charges
D. Configure CloudWatch Billing alarms with a static threshold for each AWS service individually
Answer: A

Cost Anomaly Detection's ML model learns the historical spending pattern for each service. When EC2 (or any service) starts spending at an anomalous rate, the model detects it within hours. The alert subscription can notify via email or SNS with the anomaly amount, affected service, and percentage deviation. No manual threshold tuning is needed — the model self-calibrates.

Why this answer

Cost Anomaly Detection uses machine learning to model historical spending patterns for each AWS service and automatically detects unusual spikes without requiring manual thresholds. By creating an AWS services monitor and linking an alert subscription, the finance team receives email notifications within hours when any service deviates from its expected cost behavior, directly addressing the need for service-agnostic, threshold-free alerts.

Exam trap

The trap here is that candidates often confuse AWS Budgets or CloudWatch Billing alarms with anomaly detection, but those tools require manual static thresholds and do not automatically adapt to changing spending patterns across multiple services.

How to eliminate wrong answers

Option B is wrong because an AWS Budget with a fixed monthly EC2 cost threshold of $10,000 and an 80% alert requires manual threshold setting and only monitors EC2, not all services, and cannot detect unexpected behavior that stays under the threshold. Option C is wrong because manually reviewing AWS Cost Explorer daily is not an automated alerting mechanism and does not provide timely notification within hours of a spike. Option D is wrong because CloudWatch Billing alarms require configuring a static dollar threshold for each individual service, which is exactly what the finance team wants to avoid, and they do not adapt to changing spending patterns.

912
MCQ (medium)

Refer to the exhibit. An IAM policy is attached to an EC2 instance role. The application on the instance attempts to write logs to a log group named 'MyAppLogs' in CloudWatch Logs but fails. What is the likely cause?

A. The EC2 instance does not have an internet gateway to reach CloudWatch Logs.
B. The log group name in the policy does not match the application's log group.
C. The policy does not grant permission to create the log group because the resource for CreateLogGroup is specified as the log stream ARN.
D. The policy lacks permission for 'logs:DescribeLogGroups'.
Answer: C

CreateLogGroup requires the resource to be the log group ARN, not the stream.

Why this answer

The policy grants `logs:CreateLogGroup` but specifies the resource as the log stream ARN (`arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogs:log-stream:*`). CloudWatch Logs requires the resource for `CreateLogGroup` to be the log group ARN (`arn:aws:logs:us-east-1:123456789012:log-group:*` or a specific log group name), not a log stream. Since the application is attempting to write logs to a log group that does not yet exist, the `CreateLogGroup` call fails due to the incorrect resource ARN, causing the overall write operation to fail.

Exam trap

The trap here is that candidates often overlook the resource ARN mismatch for `CreateLogGroup` and assume the failure is due to a missing permission or network issue, but the policy explicitly includes the action with an incorrectly scoped resource.

How to eliminate wrong answers

Option A is wrong because EC2 instances can reach CloudWatch Logs via a VPC endpoint or NAT gateway; an internet gateway is not strictly required, and the question does not indicate any network connectivity issue. Option B is wrong because the exhibit shows the log group name in the policy is 'MyAppLogs', which matches the application's log group, so a mismatch is not the cause. Option D is wrong because `logs:DescribeLogGroups` is not required to write logs; the necessary permissions for writing are `CreateLogGroup`, `CreateLogStream`, and `PutLogEvents`, and the failure is specifically due to the `CreateLogGroup` resource misconfiguration.

913
MCQ (easy)

An organization wants to automate the creation of AWS resources using AWS CloudFormation. They need to ensure that certain resources, such as an Amazon S3 bucket, are not accidentally deleted when the stack is deleted. Which CloudFormation feature should they use?

A. DeletionPolicy attribute with value 'Retain'
B. DeletionPolicy attribute with value 'Protect'
C. DeletionPolicy attribute with value 'Delete'
D. Stack policy
Answer: A

Setting DeletionPolicy to Retain preserves the resource when the stack is deleted.

Why this answer

The DeletionPolicy attribute with value 'Retain' ensures that the resource is kept even when the stack is deleted, so Option A is correct. Option D is wrong because a stack policy controls updates, not deletion. Option B is wrong because 'Protect' is not a valid DeletionPolicy value. Option C is wrong because 'Delete' is the default behavior, which would delete the bucket.

914
MCQ (medium)

An organization wants to ensure that all changes to an S3 bucket policy are logged and immediately trigger a notification to the security team. What is the most efficient way to achieve this?

A. Create a CloudWatch Events rule that matches the PutBucketPolicy API call and triggers an SNS topic.
B. Create a CloudWatch Alarm that monitors the S3 bucket's policy.
C. Use AWS Config with a managed rule to detect policy changes.
D. Enable S3 event notifications on the bucket for 'PutBucketPolicy' events.
Answer: A

CloudWatch Events can respond to API calls in near-real-time.

Why this answer

Option A is correct because CloudWatch Events (now Amazon EventBridge) can capture the PutBucketPolicy API call via a service-specific event pattern and route it to an SNS topic for immediate notification. This approach is the most efficient as it directly monitors the API call in real-time without polling or additional configuration, ensuring the security team is alerted the moment the policy changes.

Exam trap

The trap here is that candidates confuse S3 event notifications (which only cover object-level events) with CloudWatch Events (which can capture management API calls via CloudTrail), leading them to incorrectly select option D.

How to eliminate wrong answers

Option B is wrong because a CloudWatch Alarm monitors metric data (e.g., bucket size, request count) and cannot directly detect or react to S3 bucket policy changes; it lacks the ability to match specific API calls. Option C is wrong because AWS Config evaluates resource configurations against rules and can detect policy changes, but it operates on a periodic or configuration-change basis (typically minutes delay) and does not provide immediate, real-time notification via SNS. Option D is wrong because S3 event notifications support object-level events (e.g., s3:ObjectCreated, s3:ObjectRemoved) and not management API calls like PutBucketPolicy; S3 event notifications cannot be configured for bucket policy changes.

915
Multi-Select (medium)

A SysOps administrator is responsible for an Auto Scaling group that runs a critical application. The administrator wants to ensure that the application can recover from an AZ failure. Which THREE steps should the administrator take? (Choose three.)

Select 3 answers
A. Use EC2 instances in a single Availability Zone to reduce latency.
B. Place subnets in each Availability Zone used by the Auto Scaling group.
C. Configure the Auto Scaling group to launch instances in at least two Availability Zones.
D. Attach an Application Load Balancer that is enabled for multiple Availability Zones.
E. Use a single subnet in one Availability Zone to simplify network design.
Answers: B, C, D

Subnets must exist in each AZ for the Auto Scaling group to use.

Why this answer

Options B, C, and D are correct. Launching instances in at least two AZs ensures that if one AZ fails, instances in the other AZs keep running; subnets in each of those AZs are required for that. An ALB enabled for multiple AZs distributes traffic across them. Option E is incorrect because a single subnet in one AZ provides no AZ-level redundancy. Option A is incorrect because using only one AZ defeats the purpose.

916
MCQ (hard)

A SysOps administrator monitors a custom business metric published to Amazon CloudWatch. The metric exhibits irregular spikes that are not predictable. The administrator needs to be alerted when the metric deviates significantly from its normal pattern. Which CloudWatch feature should be used to set up the alarm with the least manual tuning?

A. CloudWatch Logs metric filter
B. CloudWatch Metric Math with standard deviation
C. CloudWatch Anomaly Detection
D. AWS CloudTrail Insights
Answer: C

Uses ML to create dynamic thresholds that adapt to the metric's normal behavior.

Why this answer

CloudWatch Anomaly Detection uses machine learning to automatically establish a baseline for a metric's normal pattern and create a band of expected values. When the metric deviates outside this band, it triggers an alarm without requiring manual threshold tuning, making it ideal for unpredictable, irregular spikes.

Exam trap

The trap here is that candidates often confuse CloudWatch Metric Math with standard deviation (Option B) as a way to detect anomalies, but it requires manual formula creation and does not automatically adapt to pattern changes, unlike Anomaly Detection which learns and adjusts the baseline over time.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs metric filters extract metrics from log data, not from custom business metrics published directly to CloudWatch, and they require manual threshold configuration. Option B is wrong because CloudWatch Metric Math with standard deviation requires manual calculation and setup of the standard deviation formula, and it does not automatically adapt to changing patterns over time. Option D is wrong because AWS CloudTrail Insights analyzes API activity for unusual patterns in AWS management events, not custom business metrics published to CloudWatch.

917
MCQ (medium)

A company has an S3 bucket that stores sensitive data. The security team requires an alert whenever an object in the bucket is deleted. What is the MOST efficient way to achieve this?

A. Configure S3 access logs and stream them to CloudWatch Logs, then create a metric filter.
B. Use S3 Inventory to generate a daily report and check for deletes.
C. Enable AWS CloudTrail data events for the S3 bucket and create a CloudWatch metric filter.
D. Enable S3 event notifications and send them to Amazon EventBridge, then create a rule to publish to SNS.
Answer: D

S3 events can be sent to EventBridge with low overhead and trigger notifications.

Why this answer

Option D is correct because S3 event notifications can be sent directly to Amazon EventBridge, which allows you to create a rule that triggers an SNS topic for real-time alerts on object deletions. This approach is the most efficient as it avoids the overhead of log analysis or polling, providing immediate notification with minimal latency.

Exam trap

The trap here is that candidates often assume CloudTrail data events (Option C) are the best for monitoring S3 operations, but they overlook the latency and cost implications, whereas S3 event notifications via EventBridge provide the most efficient real-time alerting for object deletions.

How to eliminate wrong answers

Option A is wrong because S3 access logs are delivered on a best-effort basis, typically with a delay of several hours, making them unsuitable for real-time alerting on deletions. Option B is wrong because S3 Inventory generates daily or weekly CSV reports, which are not real-time and cannot trigger immediate alerts for individual delete events. Option C is wrong because while CloudTrail data events can capture S3 object-level operations, they are not the most efficient due to the overhead of enabling data events across all objects and the potential cost of CloudTrail logs; moreover, CloudTrail logs are typically delivered with a delay of up to 15 minutes, whereas EventBridge provides near-instantaneous notification.

918
MCQ (hard)

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The security team reports that the ALB is receiving a high number of requests with suspicious User-Agent strings. The SysOps team needs to block these requests at the load balancer level without changing the application code. Which action should be taken?

A. Modify the security group of the ALB to deny traffic from User-Agent strings.
B. Update the target group health check to filter out suspicious User-Agent strings.
C. Add a listener rule on the ALB that checks the User-Agent header and returns a fixed response.
D. Deploy AWS WAF and associate it with the ALB.
Answer: C

ALB listener rules can inspect headers and return a 403 or fixed response.

Why this answer

Option C is correct because ALB listener rules can evaluate conditions such as the User-Agent header and take a fixed-response action to block matching requests. Option D is wrong because AWS WAF is a separate service, not a rule configured directly on the ALB. Option B is wrong because target group health checks do not block requests. Option A is wrong because security group rules do not inspect HTTP headers.

919
MCQ (hard)

A company is using Amazon Route 53 for DNS and wants to route traffic to multiple endpoints based on the geographic location of the user. Which routing policy should the SysOps Administrator use?

A. Geolocation routing
B. Weighted routing
C. Failover routing
D. Latency routing
Answer: A

Geolocation routing allows you to route traffic based on the geographic location of the user.

Why this answer

Geolocation routing (Option A) is correct because it allows Route 53 to route traffic based on the geographic location of the DNS query's source IP address. This is ideal for scenarios where you need to direct users to specific endpoints based on their country, continent, or even US state, such as complying with data sovereignty laws or delivering localized content.

Exam trap

The trap here is that candidates often confuse geolocation routing with latency routing, assuming that lower latency correlates with geographic proximity, but latency routing uses actual network performance data, not geographic boundaries.

How to eliminate wrong answers

Option B (Weighted routing) is wrong because it distributes traffic across multiple endpoints based on assigned weights (e.g., 80% to one, 20% to another), not based on the user's geographic location. Option C (Failover routing) is wrong because it is designed for active-passive failover scenarios where traffic is routed to a primary endpoint unless it is unhealthy, then it fails over to a secondary endpoint; it does not consider user location. Option D (Latency routing) is wrong because it routes traffic to the endpoint with the lowest latency for the user, which is determined by network performance measurements, not by the user's geographic location.

920
MCQhard

Refer to the exhibit. A SysOps administrator needs to restore the database 'mydb' to the most recent restorable time shown. However, the administrator cannot restore to that time. What is the MOST likely reason?

A.The database engine does not support point-in-time recovery.
B.Automated backups are disabled (BackupRetentionPeriod is 0).
C.The backup window has already passed.
D.The database is not Multi-AZ.
AnswerB

No backups available for restoration.

Why this answer

Option B is correct because BackupRetentionPeriod is 0, which disables automated backups. Without automated backups, point-in-time recovery is not possible. Option A is wrong because the engine is MySQL, which supports point-in-time restores.

Option C is wrong because the backup window having passed does not prevent restores; restores can still happen. Option D is wrong because Multi-AZ is false, but that does not prevent restores.

921
MCQmedium

Refer to the exhibit. A SysOps administrator created this S3 bucket policy to allow CloudFront to access objects in the bucket using an origin access identity (OAI). However, users are still receiving 403 Access Denied errors when accessing the CloudFront distribution. What is the most likely cause?

A.The CloudFront distribution uses the S3 bucket's regional domain name instead of the distribution domain name
B.The CloudFront distribution is in a different region than the S3 bucket
C.The S3 bucket has Block Public Access settings enabled that deny all access
D.The OAI ARN in the policy is incorrect
AnswerC

Block Public Access can override bucket policies and deny access even to authorized principals.

Why this answer

Option C is correct because the bucket policy only grants read access to the OAI, but if the bucket has Block Public Access settings enabled, those settings can override the policy and deny access. Option A is wrong because the distribution domain name does not affect OAI access. Option B is wrong because CloudFront can use an OAI with S3 regardless of Region.

Option D is wrong because the OAI ARN in the policy is correctly formatted.

922
Multi-Selecteasy

A SysOps administrator needs to ensure that an Amazon S3 bucket is not publicly accessible. Which THREE actions should be taken to prevent public access?

Select 3 answers
A.Enable versioning on the bucket.
B.Delete the bucket policy if it exists.
C.Configure the bucket to block new public ACLs using S3 Object Ownership.
D.Review and remove any public ACLs on the bucket and objects.
E.Use the S3 Block Public Access feature at the bucket level.
AnswersC, D, E

Prevents future public ACLs.

Why this answer

Correct options: C, D, E. Option E is correct because blocking public access at the bucket level prevents any public policies or ACLs from granting access. Option D is correct because removing existing public ACLs ensures no objects remain publicly accessible.

Option C is correct because disabling public ACLs via S3 Object Ownership prevents future public ACLs. Option B is wrong because deleting the bucket policy does not address public ACLs. Option A is wrong because enabling versioning does not affect public access.

923
Multi-Selectmedium

Which TWO IAM policy conditions can be used to enforce multi-factor authentication (MFA) for API calls? (Choose two.)

Select 2 answers
A.aws:PrincipalType
B.aws:MultiFactorAuthPresent
C.aws:MultiFactorAuthAge
D.aws:TokenIssueTime
E.aws:SourceIp
AnswersB, C

This condition checks whether MFA was used to authenticate the request.

Why this answer

Options B and C are correct. The condition key 'aws:MultiFactorAuthPresent' checks whether MFA was used to authenticate the request. The condition key 'aws:MultiFactorAuthAge' checks how long ago the MFA authentication took place.

Option D is wrong because 'aws:TokenIssueTime' is not an MFA condition key. Option E is wrong because 'aws:SourceIp' restricts by source IP address. Option A is wrong because 'aws:PrincipalType' restricts by principal type.

924
MCQeasy

A SysOps administrator is responsible for an AWS account that hosts a development environment. The environment includes several EC2 instances that are used only during business hours (9 AM to 5 PM) on weekdays. The administrator wants to reduce costs by stopping the instances during off-hours. Which action should the administrator take to automate this process?

A.Manually stop the instances at 5 PM and start them at 9 AM each weekday.
B.Create an Auto Scaling group with a scheduled scaling action to set desired capacity to 0 during off-hours.
C.Set up a CloudWatch alarm that stops instances when CPU utilization is below 1% for 30 minutes.
D.Use the AWS Instance Scheduler to define a schedule that stops instances at 5 PM and starts them at 9 AM on weekdays.
AnswerD

Correct: Instance Scheduler automates start/stop on a schedule, reducing costs.

Why this answer

Option D is correct because AWS Instance Scheduler is a solution that automatically starts and stops instances based on a defined schedule. Option A (manual stop and start) is not automated. Option B (Auto Scaling) does not stop instances; it adds or removes instances based on demand.

Option C (CloudWatch alarm) can stop instances based on CPU utilization, but not on a fixed schedule.

925
MCQeasy

A SysOps administrator needs to route traffic to multiple AWS regions for a global application with low latency. Which AWS service should be used?

A.Amazon CloudFront
B.Amazon Route 53 with latency routing policy
C.Application Load Balancer
D.AWS Global Accelerator
AnswerB

Route 53 latency routing directs users to the region with the best performance.

Why this answer

Option B (Amazon Route 53 with latency routing policy) is correct because latency-based routing directs traffic to the Region with the lowest latency for the user. Option D (AWS Global Accelerator) also improves latency but is intended more for TCP/UDP traffic. Option A (CloudFront) is for content delivery, not dynamic routing.

Option C (ALB) is a regional service and cannot route traffic across Regions.

926
MCQhard

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys for themselves. Which is the MOST effective way to enforce this policy across all accounts?

A.Set an IAM permissions boundary on all users that denies 'iam:CreateAccessKey'.
B.Attach a service control policy to the root organizational unit that denies 'iam:CreateAccessKey'.
C.Create an S3 bucket policy that denies access to IAM users with access keys.
D.Create an IAM group with a policy that denies 'iam:CreateAccessKey' and add all users to that group.
AnswerB

SCPs affect all accounts in the organization, including root users.

Why this answer

Option B is correct because a service control policy (SCP) attached to the root organizational unit can deny the IAM action 'iam:CreateAccessKey' for all users in all accounts. Option C is wrong because a bucket policy applies to S3, not to IAM actions. Option D is wrong because an IAM group policy only applies to users in that group, and users could be added outside the group.

Option A is wrong because an IAM permissions boundary limits the maximum permissions a user can have but does not prevent the root user from creating access keys.

927
MCQhard

Refer to the exhibit. A SysOps administrator applies this S3 bucket policy to a bucket named 'my-bucket'. The root user of account 123456789012 attempts to upload an object to the bucket without specifying encryption. What will happen?

A.The upload succeeds because the root user has full access.
B.The upload is denied because the request does not meet the condition.
C.The upload succeeds because the bucket has default encryption enabled.
D.The upload is denied because the policy explicitly denies all actions.
AnswerB

The condition requires the encryption header to be set to aws:kms.

Why this answer

Option B is correct because the policy allows s3:* only when the condition s3:x-amz-server-side-encryption equals aws:kms. Since the upload does not specify encryption, the condition is not met, no Allow statement matches, and the request is denied (implicit deny). Option C is wrong because default encryption would not satisfy the condition if the request does not include the header.

Option A is wrong because the condition explicitly requires aws:kms regardless of who makes the request. Option D is wrong because the policy contains no explicit deny; it allows conditionally.

928
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. The SysOps administrator needs to update a stack that contains a critical database. The update may require a replacement of the database resource. The administrator wants to review the changes before they are applied. What is the BEST way to achieve this?

A.Use the AWS CloudFormation update-stack command with the --no-fail-on-empty-changeset flag.
B.Apply a stack policy that prevents replacement of the database resource.
C.Use the AWS CloudFormation create-change-set command and then review the changes before executing.
D.Use the AWS CloudFormation detect-stack-drift command to check for differences.
AnswerC

Change sets allow you to review proposed changes.

Why this answer

Option C is correct because creating a change set allows you to review all changes, including replacements, before executing them. Option A is incorrect because the '--no-fail-on-empty-changeset' flag does not provide a review. Option B is incorrect because a stack policy can protect resources but does not allow reviewing changes.

Option D is incorrect because the drift detection feature detects drift, not planned changes.

929
MCQeasy

A company has an S3 bucket that stores critical financial data. The bucket versioning is enabled. A SysOps administrator needs to ensure that data can be recovered after accidental deletion by users. What is the MOST effective way to protect against accidental deletion?

A.Configure a lifecycle policy to transition objects to Glacier after 30 days.
B.Apply a bucket policy that denies s3:DeleteObject for all users.
C.Replicate objects to another S3 bucket in a different AWS Region.
D.Enable MFA Delete on the S3 bucket.
AnswerD

MFA Delete requires additional authentication to permanently delete objects, preventing accidental deletions.

Why this answer

Option D is correct because MFA Delete adds an extra layer of protection, requiring multi-factor authentication to permanently delete objects. Option A is wrong because lifecycle policies automate transitions, not deletion prevention. Option B is wrong because bucket policies control access but do not prevent deletion by authorized users.

Option C is wrong because cross-Region replication provides disaster recovery, not protection against accidental deletion.

930
MCQmedium

Refer to the exhibit. A SysOps administrator creates an IAM policy to allow an EC2 instance to upload objects to an S3 bucket. However, the instance is unable to upload objects. What is the MOST likely reason?

A.The S3 bucket has server-side encryption enabled.
B.The policy does not include s3:GetObject permission.
C.The bucket policy denies all access.
D.The IAM role is not attached to the EC2 instance.
AnswerD

Without the role, the instance cannot assume permissions.

Why this answer

Option D is correct. The policy grants s3:PutObject, but a policy attached to a role only takes effect if that role is attached to the EC2 instance through an instance profile; without it, the instance has no credentials and the upload fails. Note that s3:PutObject does not require s3:ListBucket.

Option B is wrong because s3:PutObject is allowed and s3:GetObject is not needed to upload. Option C is wrong because no bucket policy is shown. Option A is wrong because S3 server-side encryption does not block uploads.

931
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The SysOps Administrator needs to deploy a standardized set of baseline resources (VPC, subnets, security groups, and an S3 bucket for logs) into each new member account as soon as the account is created. The administrator wants to automate this process using AWS CloudFormation and ensure that the baseline resources are deployed without manual intervention. The organization uses AWS CloudTrail and AWS Config for governance. What solution should the administrator implement?

A.Use AWS CloudFormation StackSets with automatic deployment to accounts in the organization.
B.Create an AWS Config rule that triggers an AWS Lambda function to deploy the baseline resources when a new account is created.
C.Store the CloudFormation template in Amazon S3 and use S3 event notifications to trigger a Lambda function that deploys the stack into the new account.
D.Use AWS Service Catalog to create a portfolio with the baseline products and grant access to the organization.
AnswerA

StackSets can automatically deploy to new accounts.

Why this answer

Option A is correct. AWS CloudFormation StackSets allow deploying stacks across multiple accounts and Regions from a management account. Combined with AWS Organizations, StackSets can automatically deploy to new accounts when they join the organization.

Option B is wrong because AWS Config rules do not deploy resources. Option C is wrong because CloudFormation templates deployed via S3 event notifications still require manual triggering for each new account. Option D is wrong because AWS Service Catalog allows provisioning but requires users to launch products manually.

932
Multi-Selecteasy

A SysOps administrator wants to reduce the cost of storing infrequently accessed data in Amazon S3. The data must be retained for 10 years for compliance. Which TWO actions should the administrator take? (Choose TWO.)

Select 2 answers
A.Use S3 Glacier Deep Archive as the destination for the lifecycle transition.
B.Store the data in S3 Standard.
C.Enable S3 Versioning to protect against accidental deletion.
D.Configure an S3 Lifecycle policy to transition objects to S3 Glacier Deep Archive after 30 days.
E.Use S3 Intelligent-Tiering to automatically optimize costs.
AnswersA, D

Deep Archive is the lowest-cost storage class for long-term retention.

Why this answer

Correct options: A and D. Option D is correct because S3 Lifecycle policies can transition objects to lower-cost storage classes over time. Option A is correct because S3 Glacier Deep Archive is the cheapest storage class for long-term archival.

Option B is wrong because S3 Standard is expensive for infrequently accessed data. Option E is wrong because S3 Intelligent-Tiering has a monitoring cost and is best for unknown access patterns. Option C is wrong because enabling versioning increases storage costs due to multiple versions.

933
MCQmedium

A company has deployed a web application across multiple AWS regions and wants to use Amazon Route 53 to direct users to the region with the lowest latency. Which routing policy should the SysOps administrator use?

A.Latency routing policy
B.Geolocation routing policy
C.Geoproximity routing policy
D.Weighted routing policy
AnswerA

Latency routing directs users to the region with the lowest latency.

Why this answer

Latency routing policy is correct because it directs user traffic to the AWS region that provides the lowest network latency for the end user. Route 53 measures latency between the user's DNS resolver and each region's edge location, then responds with the IP of the region that has the lowest latency. This is ideal for multi-region deployments where the goal is to minimize response time.

Exam trap

The trap here is that candidates confuse 'geolocation' (based on user's physical location) with 'latency' (based on actual network performance), assuming that the closest geographic region always has the lowest latency, which is not true due to network routing and peering differences.

How to eliminate wrong answers

Option B is wrong because geolocation routing policy routes traffic based on the geographic location of the user (e.g., country or continent), not on real-time network latency, so it cannot guarantee the lowest latency. Option C is wrong because geoproximity routing policy routes traffic based on the physical distance between the user and the resource, optionally using a bias value, but it does not measure actual network latency. Option D is wrong because weighted routing policy distributes traffic across resources based on assigned weights (e.g., 80% to one region, 20% to another), which is used for load balancing or testing, not for latency optimization.

934
MCQeasy

A company uses AWS OpsWorks for configuration management. The SysOps administrator needs to deploy a new application version to a stack. What is the recommended way to update the application on the instances?

A.Create a new CloudFormation stack to replace the OpsWorks stack.
B.Update the custom cookbook and run the 'deploy' recipe on the stack.
C.Use the OpsWorks built-in 'deploy' command on each instance.
D.SSH into each instance and manually update the application files.
AnswerB

Correct: Custom cookbooks allow automated application deployment.

Why this answer

The correct answer is B because OpsWorks uses recipes and custom cookbooks to manage application deployment. By updating the custom cookbook and running the appropriate recipe, the administrator can deploy the new version. Option C is wrong because the built-in deploy command may not support custom application logic.

Option D is wrong because SSH access is not recommended for automation. Option A is wrong because CloudFormation is a separate service; OpsWorks has its own deployment mechanism.

935
MCQeasy

A company uses AWS CloudFormation to manage infrastructure. The administrator wants to update a stack that contains an RDS DB instance. The update requires replacing the DB instance. What should the administrator do to minimize downtime?

A.Delete the stack and create a new one with the updated template
B.Disable deletion protection on the DB instance before the update
C.Modify the DB instance endpoint in the application configuration after update
D.Use a CloudFormation stack update with a Replacement update policy and a snapshot
AnswerD

CloudFormation can create a new instance with a snapshot and then delete the old one, minimizing downtime.

Why this answer

Option D is correct because using CloudFormation's update policy with a snapshot and replacement minimizes downtime. Option A is wrong because deleting the stack will cause downtime. Option C is wrong because modifying the endpoint manually is not automated.

Option B is wrong because disabling deletion protection is not enough on its own.

936
MCQmedium

A company uses AWS Organizations with multiple accounts. The SysOps administrator needs to centralize the monitoring of all API calls made in any account for security analysis. The solution must collect logs from all accounts, both existing and future, and deliver them to a centralized S3 bucket in the management account. Which AWS service should the administrator use?

A.AWS Config aggregator
B.Amazon CloudWatch Logs with cross-account subscription
C.AWS CloudTrail organization trail
D.Amazon Detective
AnswerC

An organization trail automatically logs API calls for all accounts in the organization and can deliver to a centralized S3 bucket.

Why this answer

AWS CloudTrail organization trails allow you to log all API calls across all accounts in an AWS Organization from a single management account. When you create an organization trail, it automatically applies to all existing and future accounts, delivering logs to a centralized S3 bucket in the management account without requiring per-account configuration.

Exam trap

The trap here is that candidates confuse AWS Config aggregator (which centralizes configuration data) with CloudTrail (which centralizes API call logs), or assume cross-account CloudWatch Logs subscriptions are the simpler solution, missing the automatic future-account coverage of an organization trail.

How to eliminate wrong answers

Option A is wrong because AWS Config aggregator collects configuration snapshots and compliance data, not API call logs; it is designed for resource inventory and rule evaluation, not security analysis of API activity. Option B is wrong because Amazon CloudWatch Logs with cross-account subscription requires manual setup for each account and does not automatically include future accounts; it also does not natively capture all API calls (CloudTrail is the service for API logging). Option D is wrong because Amazon Detective analyzes and visualizes security data from existing logs (like VPC Flow Logs and CloudTrail), but it does not collect or centralize API call logs itself; it relies on other services to deliver the data.

937
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has a NAT gateway in the public subnet. Which of the following route table configurations is required for the private subnet to enable internet access through the NAT gateway?

A.Add a route to 0.0.0.0/0 pointing to the internet gateway in the private subnet route table
B.Add a route to 0.0.0.0/0 pointing to the NAT gateway in the private subnet route table
C.Add a route to 0.0.0.0/0 pointing to the NAT gateway in the public subnet route table
D.Add a route to the NAT gateway's private IP in the private subnet route table
AnswerB

This directs all internet-bound traffic from the private subnet to the NAT gateway, which then forwards it to the internet gateway.

Why this answer

Option B is correct because the private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT gateway. Option A is wrong because a route to the internet gateway would bypass the NAT gateway. Option C is wrong because the route is needed in the private subnet's route table; the NAT gateway itself sits in the public subnet, whose route table already points to the internet gateway.

Option D is wrong because the route must target the NAT gateway, not its private IP address.

938
Multi-Selectmedium

A SysOps administrator is designing a highly available web application across multiple AWS regions. The application uses an Application Load Balancer in each region. Which TWO services can be used to route traffic to the closest regional load balancer based on latency?

Select 2 answers
A.AWS Global Accelerator
B.Amazon Route 53 geoproximity routing
C.Amazon Route 53 weighted routing
D.Amazon Route 53 latency-based routing
E.Amazon CloudFront with origin groups
AnswersB, D

Geoproximity routing routes based on user location.

Why this answer

Option D (Route 53 latency-based routing) and Option B (Route 53 geoproximity routing) are correct. Latency routing directs traffic to the Region with the lowest latency. Geoproximity routing can also optimize based on the user's location.

Option E is wrong because CloudFront with origin groups is for failover, not latency-based routing. Option A is wrong because Global Accelerator uses anycast, not latency routing. Option C is wrong because Route 53 weighted routing distributes traffic based on assigned weights.

939
Multi-Selectmedium

A SysOps administrator is configuring a CloudWatch dashboard to monitor an application. Which TWO of the following are valid widget types that can be added to a CloudWatch dashboard?

Select 2 answers
A.Line
B.Alarm
C.Bar chart
D.Number
E.Time Series
AnswersD, E

Number widget displays a single metric value.

Why this answer

Option D (Number) is correct because CloudWatch dashboards support the Number widget type, which displays a single metric value as a numeric statistic (e.g., sum, average, or sample count) and can optionally show a trend arrow. This widget is ideal for showing key performance indicators like current error count or latency.

Exam trap

The trap here is that candidates confuse the visual sub-types (like 'Line' or 'Bar chart') with the actual widget types, leading them to select those as valid options when only 'Time Series' and 'Number' are the correct top-level widget types in the CloudWatch dashboard widget JSON schema.

940
MCQmedium

A company has deployed a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application's IP addresses are used by a third-party service to allowlist traffic. The EC2 instances are part of an Auto Scaling group that may scale up and down. The SysOps administrator needs to ensure that the third-party service always has the current IP addresses of the ALB without requiring manual updates. Which solution should the administrator implement?

A.Use AWS Global Accelerator and provide the static IP addresses to the third party
B.Use Amazon Route 53 with a simple routing policy pointing to the ALB DNS name
C.Use an Amazon CloudFront distribution with the ALB as the origin and provide the CloudFront IP addresses
D.Use an AWS Network Load Balancer (NLB) with static IP addresses in front of the ALB
AnswerA

Global Accelerator provides two static IP addresses that serve as a fixed entry point. You can add the ALB as an endpoint, and traffic will be directed to the ALB's current healthy instances, while the static IPs remain unchanged.

Why this answer

AWS Global Accelerator provides two static anycast IP addresses that serve as a fixed entry point for traffic. By pointing the ALB as an endpoint behind Global Accelerator, the third-party service can allowlist these static IPs, and any changes to the underlying EC2 instances (due to Auto Scaling) are handled transparently without requiring updates to the allowlist.

Exam trap

The trap here is that candidates often think an NLB with static IPs (Option D) is the correct solution, but they overlook that Global Accelerator is the intended AWS service for providing static IPs in front of an ALB while maintaining layer 7 functionality and simplifying allowlist management.

How to eliminate wrong answers

Option B is wrong because Amazon Route 53 with a simple routing policy resolves to the ALB's DNS name, which can change over time and does not provide static IP addresses for allowlisting. Option C is wrong because CloudFront distributions do not have static IP addresses that can be reliably allowlisted; CloudFront IP ranges are shared and can change without notice. Option D is wrong because placing an NLB with static IPs in front of the ALB introduces unnecessary complexity and cost, and the NLB's static IPs would still need to be provided to the third party, but the ALB's IPs remain dynamic; the correct approach is to use Global Accelerator to front the ALB directly.

941
MCQeasy

A company wants to distribute content globally with low latency and high transfer speeds. The content is stored in S3 buckets in multiple regions. Which AWS service should be used to accelerate content delivery?

A.Amazon Route 53
B.Amazon CloudFront
C.AWS Global Accelerator
D.S3 Transfer Acceleration
AnswerB

CloudFront is a CDN for low-latency content delivery.

Why this answer

Option B (Amazon CloudFront) is correct because it is a CDN that caches content at edge locations. Option C (Global Accelerator) improves TCP/UDP performance but is not primarily for caching static content. Option D (S3 Transfer Acceleration) speeds up uploads to S3, not distribution.

Option A (Route 53) is a DNS service, not a content delivery service.

942
MCQmedium

An organization uses AWS OpsWorks to manage a stack of application servers. The stack uses a custom cookbook that is stored in a private GitHub repository. When deploying new instances, the cookbook download fails. What should the administrator do to resolve this?

A.Upload the cookbook to Amazon S3 and reference the S3 URL
B.Make the GitHub repository public
C.Configure an SSH key in the OpsWorks stack to access the private repository
D.Store the GitHub credentials in the OpsWorks stack settings
AnswerC

OpsWorks supports SSH key-based authentication for private Git repositories.

Why this answer

Option C is correct because OpsWorks can use a deploy key or SSH key for private repository access. Option D is wrong because OpsWorks does not support HTTPS credential authentication easily. Option B is wrong because making the repository public is a security risk.

Option A is wrong because S3 is for static content, not dynamic cookbook versions.

943
MCQmedium

A company hosts a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences variable traffic patterns with occasional spikes. The current setup uses On-Demand instances in an Auto Scaling group with a simple scaling policy based on average CPU utilization. The team wants to optimize cost while ensuring that the application can handle spikes in traffic. What should the team do to reduce cost?

A.Switch to a target tracking scaling policy based on request count per target.
B.Implement scheduled scaling to add capacity during known peak hours.
C.Configure the Auto Scaling group to use a mixed instances policy with Spot Instances for a portion of the capacity and On-Demand for the remainder.
D.Purchase Reserved Instances for the minimum expected capacity to get a discount.
AnswerC

Spot Instances can reduce costs significantly while maintaining availability through On-Demand fallback.

Why this answer

Option C is correct because Spot Instances are cost-effective and can be used alongside On-Demand Instances for variable workloads; the Auto Scaling group can use a mixed instances policy to maintain availability while reducing cost. Option D (Reserved Instances) locks in cost for steady usage but does not help with spikes. Option B (scheduled scaling) is not suitable for unpredictable traffic.

Option A (target tracking) improves scaling but does not directly reduce cost; it still uses On-Demand Instances, which are more expensive.

944
MCQmedium

Refer to the exhibit. A SysOps administrator is troubleshooting a CloudFront distribution that serves content from an S3 bucket. Users are receiving 'Access Denied' errors when trying to access objects. The exhibit shows the distribution configuration. What is the most likely cause?

A.The S3 bucket policy does not grant read access to CloudFront.
B.The distribution is not enabled.
C.The CloudFront distribution is not using an Origin Access Identity (OAI) to authenticate with the S3 bucket.
D.The viewer protocol policy is set to 'redirect-to-https', but users are using HTTP.
AnswerC

Without OAI, CloudFront cannot access private S3 buckets.

Why this answer

Option C is correct. The OriginAccessIdentity is empty, meaning CloudFront is not using an OAI to access the S3 bucket. The S3 bucket is not publicly accessible (by default), so CloudFront cannot access the objects. Option A is incorrect because the bucket policy is not shown.

Option D is incorrect because the viewer protocol policy is correct. Option B is incorrect because the distribution is enabled.

945
Multi-Selectmedium

A company runs a stateless web application on EC2 instances in an Auto Scaling group. To improve reliability during a traffic spike, which THREE actions should the SysOps administrator take? (Choose three.)

Select 3 answers
A.Configure a target tracking scaling policy based on average CPU utilization.
B.Enable detailed monitoring for EC2 instances.
C.Use a larger instance type to handle more traffic per instance.
D.Configure the Auto Scaling group to launch instances in multiple Availability Zones.
E.Place the instances behind an Application Load Balancer with health checks.
AnswersA, D, E

Automatically scales out during traffic spikes.

Why this answer

Options A, D, and E are correct. Using multiple Availability Zones ensures high availability. A target tracking scaling policy adjusts capacity based on load.

An Application Load Balancer distributes traffic and performs health checks. Option C is wrong because a larger instance size does not improve elasticity. Option B is wrong because detailed monitoring is not required for scaling, though it helps.

946
MCQmedium

A SysOps administrator is deploying a new version of an application using AWS CodeDeploy with an in-place deployment configuration. The deployment group consists of EC2 instances behind an Application Load Balancer. The administrator wants to ensure that traffic is gradually shifted to the new version. Which CodeDeploy feature should be used?

A.Use a canary deployment instead of in-place.
B.Define a BeforeInstall hook to deregister instances.
C.Use a linear deployment configuration.
D.Configure the load balancer deregistration delay and re-registration in the deployment group.
AnswerD

CodeDeploy can automatically deregister and re-register instances with the load balancer.

Why this answer

The load balancer deregistration delay and re-registration are configured in the deployment group settings. With load balancing enabled and a deregistration delay set, CodeDeploy deregisters each instance from the load balancer, deploys the new version, and re-registers the instance after it passes a health check. Option D is correct.

Option C is wrong because the deployment configuration sets the deployment speed, not traffic shifting. Option B is wrong because the AppSpec file defines hooks, not traffic shifting. Option A is wrong because a canary deployment is a different deployment type, not a feature of in-place deployments.

947
MCQmedium

A company is using Amazon RDS for MySQL. The SysOps administrator needs to monitor the number of database connections and set an alarm when connections exceed 80% of the maximum. Which CloudWatch metric and alarm threshold should be used?

A.Metric: DBConnections; Threshold: 80
B.Metric: DatabaseConnections; Threshold: 80
C.Metric: FreeableMemory; Threshold: 20%
D.Metric: DatabaseConnections; Threshold: 0.8 * max_connections (using a math expression)
AnswerD

This uses a metric math expression to set a dynamic threshold based on instance max connections.

Why this answer

Option D is correct because Amazon RDS for MySQL does not expose a metric that reports the current connection count relative to the maximum. Instead, you use the 'DatabaseConnections' CloudWatch metric (which reports the number of client connections) and create a CloudWatch metric math expression that compares it against the RDS instance's 'max_connections' parameter (e.g., 0.8 * max_connections). This lets you set an alarm that triggers when connections exceed 80% of the configured maximum, which is the accurate way to monitor connection utilization.

Exam trap

The trap here is that candidates assume a static threshold like 80 is sufficient, but the exam tests whether you understand that 'DatabaseConnections' must be compared against the dynamic 'max_connections' value using a math expression to accurately detect 80% utilization.

How to eliminate wrong answers

Option A is wrong because 'DBConnections' is not a valid CloudWatch metric name for RDS; the correct metric is 'DatabaseConnections'. Option B is wrong because while 'DatabaseConnections' is the correct metric name, setting a static threshold of 80 is meaningless—80 connections could be far below or above 80% of max_connections depending on the instance size and configuration. Option C is wrong because 'FreeableMemory' measures available memory, not database connections, and a threshold of 20% is unrelated to connection utilization; it monitors memory pressure, not connection limits.

948
Multi-Selecteasy

Which TWO AWS services can be used to encrypt data at rest in Amazon RDS? (Choose TWO.)

Select 2 answers
A.AWS Certificate Manager (ACM)
B.AWS CloudHSM
C.AWS Identity and Access Management (IAM)
D.Amazon RDS encryption feature
E.AWS Key Management Service (AWS KMS)
AnswersD, E

RDS supports encryption at rest using KMS.

Why this answer

Option E is correct because AWS KMS manages the keys used for RDS encryption. Option D is correct because the RDS encryption feature provides encryption at rest using AWS KMS keys. Option A is wrong because AWS Certificate Manager is for SSL/TLS certificates.

Option B is wrong because CloudHSM is a hardware security module that is not directly integrated with RDS for encryption at rest. Option C is wrong because IAM is for access control.

949
MCQhard

A company runs a critical stateful web application on Amazon EC2 instances in a single AWS region. The application stores user session data in an Amazon ElastiCache for Redis cluster. The SysOps administrator must design a disaster recovery (DR) strategy that can survive a complete regional outage with a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The application must be able to redirect users to the DR region with minimal manual effort. Which combination of actions meets these requirements?

A.Use Amazon Route 53 with weighted routing to distribute traffic between the two regions. Use a global DynamoDB table for session data, and launch EC2 instances in the DR region only when a failure is detected using AWS CloudFormation StackSets.
B.Create a read replica of the ElastiCache Redis cluster in the DR region using the native cross-region replication feature. Use Route 53 with failover routing to point to the DR region ALB when the primary health check fails. Pre-configure EC2 instances in an Auto Scaling group in the DR region.
C.Use an Amazon CloudFront distribution with multiple origins (primary and DR). Enable session stickiness at the CloudFront level. Use EC2 instances in both regions behind separate ALBs. No special data replication is needed because sessions are stored in Redis.
D.Use EC2 instances with an Auto Scaling group in both regions. Schedule a Lambda function to take snapshots of the Redis cluster every 15 minutes and copy them to the DR region. Use Route 53 latency routing to direct users to the nearest region.
AnswerB

Global Datastore for Redis provides cross-Region replication with low RPO. Pre-configured Auto Scaling groups in the DR region ensure that compute capacity is ready. Route 53 failover routing automatically redirects traffic when the primary ALB health check fails. This combination meets the RPO and RTO requirements with minimal manual effort.

Why this answer

Option B is correct because ElastiCache for Redis supports cross-region replication via a read replica in the DR region, which can keep session data synchronized with minimal lag, meeting the 15-minute RPO. Route 53 failover routing with health checks on the primary region's ALB automatically redirects traffic to the pre-configured DR region EC2 instances and ALB, achieving the 1-hour RTO with minimal manual effort. Pre-configuring the DR region with an Auto Scaling group ensures compute capacity is ready, while the read replica provides the required data availability.

Exam trap

The trap here is that candidates may assume snapshot-based replication (Option D) is sufficient for a 15-minute RPO, but they overlook the inherent latency and potential data loss from periodic snapshots, and that latency routing (Option D) does not provide health-based failover, while weighted routing (Option A) lacks automatic failover capability.

How to eliminate wrong answers

Option A is wrong because weighted routing does not automatically fail over during a regional outage; it distributes traffic based on weights, not health, and using a global DynamoDB table for session data is unnecessary since the application uses ElastiCache for Redis, not DynamoDB. Option C is wrong because CloudFront does not natively support session stickiness based on ElastiCache session data, and without cross-region replication of Redis, the DR region would have no session data, violating the RPO. Option D is wrong because scheduling snapshots every 15 minutes and copying them to the DR region cannot guarantee an RPO of 15 minutes due to snapshot timing and transfer delays, and latency routing does not provide automatic failover during a regional outage; it routes based on latency, not health.

950
Multi-Selecthard

An organization uses Amazon CloudWatch Synthetics canaries to monitor its web application endpoints. A SysOps administrator needs to be alerted when a canary run fails. Which THREE steps are required to set up this alerting?

Select 3 answers
A.Create a custom CloudWatch metric for canary failures.
B.Configure a CloudWatch alarm on the canary's `SuccessPercent` metric.
C.Create a canary in CloudWatch Synthetics.
D.Configure the alarm to send a notification to an SNS topic.
E.Enable detailed monitoring on the canary.
AnswersB, C, D

The alarm will trigger when success rate drops below threshold.

Why this answer

Option B is correct because CloudWatch Synthetics canaries automatically publish a `SuccessPercent` metric to CloudWatch. By configuring a CloudWatch alarm on this metric (e.g., when `SuccessPercent` drops below 100), the administrator can trigger an alert whenever a canary run fails. This is the standard method for monitoring canary health without needing custom metrics.

Exam trap

The trap here is that candidates assume they must create a custom metric (Option A) or enable detailed monitoring (Option E) because they confuse Synthetics canaries with EC2 detailed monitoring, when in fact the built-in `SuccessPercent` metric is sufficient and automatically available.

951
MCQhard

A company has an application running on EC2 instances that sends logs to CloudWatch Logs. The operations team wants to receive a notification when a specific error pattern appears in the logs. Which combination of steps should the team take? (Select TWO.)

A.Create a CloudWatch alarm on the metric to trigger an SNS notification.
B.Enable CloudTrail to capture the log events and send to S3.
C.Create an SNS topic and subscribe the operations team's email addresses.
D.Create a subscription filter to send logs to Lambda for analysis.
E.Create a metric filter on the log group to count occurrences of the error pattern.
AnswersA, E

An alarm on the metric can send notifications via SNS.

Why this answer

Option A is correct because a CloudWatch alarm can be configured to trigger an SNS notification when a metric crosses a defined threshold. In this scenario, the metric is derived from a metric filter that counts occurrences of the specific error pattern in the log group. The alarm monitors that metric and sends an SNS notification to subscribed endpoints, such as the operations team's email addresses, providing the required alert.

Exam trap

The trap here is that candidates often select Option D (subscription filter to Lambda) thinking it is necessary for custom processing, but the combination of a metric filter and CloudWatch alarm directly provides the notification without additional compute resources.

How to eliminate wrong answers

Option B is wrong because CloudTrail captures API activity and management events, not application log data from EC2 instances; sending logs to S3 does not provide real-time notification for error patterns. Option C is wrong because creating an SNS topic and subscribing email addresses alone does not trigger a notification; the SNS topic must be integrated with a CloudWatch alarm or another event source to send messages. Option D is wrong because a subscription filter sending logs to Lambda for analysis is an indirect approach that requires custom Lambda code to parse logs and send notifications, whereas the question asks for a notification when a specific error pattern appears, which is more directly achieved with a metric filter and CloudWatch alarm.

952
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a Python web application. The administrator needs to update the environment's configuration to use a larger instance type. What is the correct way to perform this update with minimal downtime?

A.Use the Elastic Beanstalk console to change the instance type and select a rolling update policy.
B.Create a new Elastic Beanstalk environment with the larger instance type and swap the environment URLs.
C.Use the Elastic Beanstalk console to change the instance type and apply the change immediately.
D.Terminate all instances and launch new ones with the larger instance type.
AnswerA

Rolling updates update instances in batches, minimizing downtime.

Why this answer

Elastic Beanstalk supports rolling updates to change instance types without downtime. Option A is correct. Option D is wrong because terminating instances causes downtime.

Option C is wrong because you cannot change the instance type in an existing environment's configuration without a rolling update. Option B is wrong because creating a new environment is more disruptive than a rolling update.

953
MCQmedium

A company runs a stateless web application on Amazon EC2 instances in an Auto Scaling group across two Availability Zones. The SysOps administrator needs to ensure that the application can tolerate a failure of an entire Availability Zone. Which configuration is required?

A.Use an Application Load Balancer (ALB) that spans both Availability Zones with health checks enabled.
B.Enable termination protection on all Amazon EC2 instances.
C.Place the Amazon EC2 instances in a cluster placement group.
D.Associate an Elastic IP address with the primary instance.
AnswerA

The ALB distributes incoming traffic across instances in multiple AZs. With health checks, it detects failures and routes traffic only to healthy instances. Combined with Auto Scaling across AZs, this provides zone-failure tolerance.

Why this answer

An Application Load Balancer (ALB) that spans both Availability Zones with health checks enabled distributes incoming traffic across EC2 instances in multiple AZs. If an entire AZ fails, the ALB automatically routes traffic only to healthy instances in the remaining AZ, ensuring the stateless web application remains available. Health checks detect instance or AZ failure and remove unhealthy targets from the load balancer's target group, which is essential for fault tolerance.

Exam trap

The trap here is that candidates often confuse high availability with data durability or instance protection, leading them to choose termination protection or Elastic IPs, when the core requirement is automatic traffic rerouting across AZs, which only a load balancer with health checks can provide.

How to eliminate wrong answers

Option B is wrong because termination protection prevents accidental deletion of an instance but does not provide any resilience against an Availability Zone failure; it does not reroute traffic or maintain application availability. Option C is wrong because a cluster placement group is designed for low-latency, high-throughput networking within a single AZ; it actually increases the risk of simultaneous failure if that AZ goes down, as all instances are in the same AZ. Option D is wrong because associating an Elastic IP with the primary instance only provides a static public IP, which does not survive an AZ failure and does not offer automatic failover or load balancing across AZs.

954
Multi-Selectmedium

Which TWO actions should a SysOps administrator take to set up centralized logging from multiple Amazon EC2 instances running Amazon Linux 2 to Amazon CloudWatch Logs?

Select 2 answers
A.Attach an IAM role to each EC2 instance that includes permission for logs:PutLogEvents.
B.Create an S3 bucket and configure the EC2 instances to write logs directly to the bucket.
C.Install and configure the unified CloudWatch agent on each EC2 instance.
D.Create a VPC endpoint for CloudWatch Logs to allow private connectivity.
E.Export the logs from CloudWatch Logs to an Amazon S3 bucket for long-term retention.
AnswersA, C

The IAM role must allow the CloudWatch agent to call PutLogEvents to send log data to CloudWatch Logs.

Why this answer

Options A and C are correct. Installing and configuring the unified CloudWatch agent on each EC2 instance is required to send logs to CloudWatch Logs. The IAM role must grant the logs:PutLogEvents permission so that the agent can write log events.

Option B is wrong because CloudWatch Logs does not support S3 as a direct target for real-time log ingestion; S3 is a destination for log exports. Option E is wrong because no 'export' action is needed; the agent pushes logs. Option D is wrong because CloudWatch Logs does not require VPC endpoints for internet-facing instances; the agent uses the public endpoints.

955
Multi-Selecthard

A SysOps administrator is setting up a CloudWatch dashboard to monitor an application. The application runs on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The administrator wants to track the number of healthy hosts and the request count per target group. Which two metrics should be used? (Choose TWO.)

Select 2 answers
A.HealthyHostCount (per TargetGroup)
B.RequestCount (per ALB)
C.ActiveConnectionCount
D.RequestCount (per TargetGroup)
E.HealthyHostCount (per ALB)
AnswersA, D

This metric shows healthy hosts per target group.

Why this answer

Option A is correct because `HealthyHostCount` (per TargetGroup) is a CloudWatch metric that reports the number of healthy EC2 instances in a specific target group, which directly indicates the health of the backend fleet. Option D is correct because `RequestCount` (per TargetGroup) tracks the number of requests routed to that target group, allowing the administrator to correlate traffic load with host health. Together, these two metrics provide the exact visibility needed for an Auto Scaling group behind an ALB.

Exam trap

The trap here is that candidates confuse ALB-level metrics (like `RequestCount` per ALB or `ActiveConnectionCount`) with target-group-level metrics, or assume `HealthyHostCount` exists at the ALB level, when in fact it is only available per target group.

956
MCQeasy

A SysOps administrator sees the deployment failure shown in the exhibit. The deployment group has a minimum of 1 healthy instance. The Auto Scaling group has 2 instances. What is the most likely cause of the failure?

A.The deployment configuration only deploys to one instance at a time, and that instance failed.
B.The Auto Scaling group's health check grace period is too long.
C.The deployment group does not have enough instances.
D.The deployment configuration is set to deploy to all instances at once.
AnswerA

OneAtATime deploys to one instance; if it fails, the deployment stops.

Why this answer

With CodeDeployDefault.OneAtATime, CodeDeploy deploys to one instance at a time. If that first instance fails, the deployment stops and fails before the second instance is deployed. Option A is correct.

Option D is wrong because the deployment configuration is correct. Option B is wrong because the health check grace period is not relevant. Option C is wrong because the deployment group has 2 instances, which is enough.

957
MCQmedium

A company is running a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application stores session data on the local instance storage. Users are experiencing session loss during scaling events. What should a SysOps administrator do to maintain session persistence?

A.Move session data to an ElastiCache for Redis cluster.
B.Increase the EC2 instance size to reduce the frequency of scaling events.
C.Attach an Amazon EBS volume to each instance and store session data there.
D.Enable sticky sessions on the Application Load Balancer.
AnswerA

ElastiCache provides a centralized, durable session store that survives instance termination.

Why this answer

Option A is correct because using ElastiCache for session state allows instances to be terminated and replaced without losing session data. Option D is wrong because sticky sessions (session affinity) can cause uneven load and do not protect against instance failure. Option C is wrong because EBS volumes are not shared across instances.

Option B is wrong because increasing the instance size does not solve the session loss issue.

958
MCQhard

A SysOps administrator is troubleshooting a cost overrun in an AWS account. The cost explorer shows that data transfer costs have significantly increased. The architecture includes an Application Load Balancer (ALB) internet-facing, EC2 instances in private subnets, and an S3 bucket for static assets. Which action will MOST effectively reduce data transfer costs?

A.Enable Amazon CloudFront to cache static assets and reduce direct requests to the ALB.
B.Implement a VPC Gateway Endpoint for S3 so that traffic from EC2 to S3 stays within the AWS network.
C.Replace the NAT Gateway with a NAT instance to reduce hourly charges.
D.Change the ALB to internal (private) and use AWS Direct Connect for user access.
AnswerB

Gateway endpoints are free and reduce data transfer costs to S3.

Why this answer

The correct answer is B. Data transfer from EC2 to S3 within the same region is free when using a VPC gateway endpoint. Option A is wrong because CloudFront reduces latency but does not eliminate data transfer costs from the ALB to EC2.

Option D is wrong because moving to an internal ALB would require a VPN and may increase costs. Option C is wrong because a NAT Gateway charges for data processing and transfer.

959
Multi-Selectmedium

Match each AWS service with its primary security compliance function. (Drag each service to its correct function.) (Choose 4.)

Select 4 answers
A.AWS CloudTrail -> Detect unauthorized API calls
B.AWS Config -> Monitor resource configuration changes
C.Amazon GuardDuty -> Identify malicious activity
D.Amazon Macie -> Discover sensitive data in S3
AnswersA, B, C, D

CloudTrail logs all API calls and can be used to detect unauthorized or unusual activity.

Why this answer

AWS CloudTrail is the service that records API activity in your AWS account, including both management and data events. By enabling CloudTrail, you can detect unauthorized API calls by analyzing the recorded events for actions that were not initiated by authorized users or services, such as an IAM user making a call from an unexpected IP address or using an unknown user agent.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail with AWS Config, thinking both are for monitoring configuration changes, but CloudTrail focuses on API activity logging while Config tracks resource configuration state changes.

How to eliminate wrong answers

Option A is correct because AWS CloudTrail specifically logs API calls and is used to detect unauthorized activity. Option B is correct because AWS Config continuously monitors and records changes to AWS resource configurations, enabling compliance auditing. Option C is correct because Amazon GuardDuty uses machine learning and threat intelligence to identify malicious activity such as unusual API calls or compromised instances.

Option D is correct because Amazon Macie uses machine learning and pattern matching to discover and protect sensitive data, such as personally identifiable information (PII), stored in Amazon S3 buckets.

960
MCQhard

A company uses Amazon S3 for static website hosting. The website serves thousands of users globally, and the company wants to reduce latency and lower data transfer costs. Which solution should the SysOps administrator implement?

A.Set up Amazon CloudFront as a content delivery network (CDN) in front of the S3 bucket.
B.Use S3 Intelligent-Tiering storage class.
C.Enable cross-region replication and serve from multiple buckets.
D.Enable S3 Transfer Acceleration on the bucket.
AnswerA

CloudFront caches content at edge locations, reducing latency and data transfer costs.

Why this answer

Amazon CloudFront is a global content delivery network (CDN) that caches static content at edge locations closer to users, reducing latency and lowering data transfer costs by minimizing direct requests to the S3 origin. By serving cached objects from edge locations, CloudFront also reduces the amount of data transferred from S3, which can significantly decrease S3 data transfer egress charges.

Exam trap

The trap here is that candidates confuse S3 Transfer Acceleration (which speeds up uploads) with a CDN solution for download performance, or they think cross-region replication alone solves latency without considering the need for a global caching layer.

How to eliminate wrong answers

Option B is wrong because S3 Intelligent-Tiering optimizes storage costs by moving objects between access tiers based on usage patterns, but it does not reduce latency or data transfer costs for global users. Option C is wrong because cross-region replication creates copies in multiple regions, but users still access a single bucket directly unless a routing mechanism like Route 53 latency-based routing is added, and it increases storage costs without providing edge caching benefits. Option D is wrong because S3 Transfer Acceleration uses AWS edge locations to speed up uploads to S3 over long distances, but it does not cache content for downloads or reduce latency for end users retrieving static website content.

961
MCQmedium

A company is using CloudWatch Logs to centralize logs from multiple EC2 instances. The operations team notices that some log entries are missing from CloudWatch Logs. The CloudWatch agent is installed and running on all instances. What is the most likely cause?

A.The CloudWatch agent is not configured to send logs to the correct log group.
B.The CloudWatch agent is sending logs to a different AWS Region.
C.The log group has been encrypted with a KMS key that the agent does not have access to.
D.The IAM role attached to the EC2 instance does not have the 'logs:PutLogEvents' permission.
AnswerD

Missing IAM permissions are a common cause of missing logs.

Why this answer

The most likely cause is that the IAM role attached to the EC2 instance lacks the 'logs:PutLogEvents' permission. Without this permission, the CloudWatch agent can authenticate and connect to CloudWatch Logs but cannot actually write log data to the log stream, resulting in missing entries. The agent may appear to be running and healthy, but API calls to PutLogEvents will fail silently or log errors, leading to gaps in the centralized logs.

Exam trap

The trap here is that candidates assume the agent's installation and running status guarantee log delivery, but the missing permission causes silent failures that are easy to overlook, especially when the agent reports no obvious errors.

How to eliminate wrong answers

Option A is wrong because if the agent were configured to send logs to the wrong log group, log entries would still appear in CloudWatch Logs, just in a different log group; the issue is missing entries entirely, not misrouting. Option B is wrong because sending logs to a different AWS Region would still result in log entries appearing in that region's CloudWatch Logs, not missing entries; the agent's configuration specifies the region, and logs would be visible elsewhere. Option C is wrong because KMS encryption on the log group does not block the agent from writing logs; the agent uses the same IAM permissions to decrypt the KMS key (if needed) and write logs, and missing logs are not caused by encryption access issues unless the agent explicitly fails to write due to a KMS permission error, which is less common than missing PutLogEvents.

962
MCQeasy

An application is running on an EC2 instance and is experiencing intermittent connection timeouts. The SysOps administrator wants to capture network traffic to analyze the issue. Which AWS service should be used?

A.CloudWatch Logs
B.AWS CloudTrail
C.AWS Config
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture network traffic metadata.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces in a VPC, including accepted and rejected connection attempts. This allows the SysOps administrator to analyze the source/destination IPs, ports, protocols, and whether the traffic was allowed or denied, which is essential for diagnosing intermittent connection timeouts.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which capture network traffic metadata) with CloudWatch Logs (which capture application/system logs) or CloudTrail (which captures API activity), leading them to choose a logging service that cannot diagnose network-level issues.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs is a service for storing, monitoring, and accessing log files from AWS resources (e.g., application logs, system logs), but it does not capture raw network traffic or packet-level data. Option B is wrong because AWS CloudTrail records API calls and user activity for auditing and governance, not network traffic flows. Option C is wrong because AWS Config evaluates resource configurations against desired policies and tracks configuration changes, but it does not capture or analyze network traffic.

963
MCQmedium

A company runs a mix of Amazon EC2 instances, Amazon RDS databases, and AWS Lambda functions for production workloads. The workloads are steady-state and predictable. The SysOps administrator wants to reduce costs while maintaining flexibility to change instance families and regions. Which pricing model should be recommended?

A.EC2 Instance Savings Plans
B.Compute Savings Plans
C.Standard Reserved Instances
D.Spot Instances
AnswerB

Applies to EC2, Fargate, and Lambda across families and regions.

Why this answer

Compute Savings Plans provide the most flexibility because they automatically apply to EC2 instances, AWS Lambda, and AWS Fargate usage across any instance family, size, or region, as long as the compute spend stays within the committed hourly amount. This matches the requirement to reduce costs on steady-state workloads while retaining the ability to change instance families and regions, unlike EC2 Instance Savings Plans which are limited to a specific instance family in a region.

Exam trap

The trap here is that candidates often confuse Compute Savings Plans with EC2 Instance Savings Plans, assuming both offer the same flexibility, but Compute Savings Plans are the only option that covers Lambda and Fargate while allowing cross-region and cross-family changes.

How to eliminate wrong answers

Option A is wrong because EC2 Instance Savings Plans are restricted to a specific instance family (e.g., m5) within a chosen region, so changing instance families or regions would break the commitment and lose the discount. Option C is wrong because Standard Reserved Instances lock you into a specific instance type, size, and Availability Zone for a 1- or 3-year term, offering no flexibility to change families or regions without incurring modification fees or forfeiting the discount. Option D is wrong because Spot Instances are designed for fault-tolerant, interruptible workloads and are not suitable for steady-state, predictable production workloads due to the risk of termination when capacity is reclaimed.

964
Multi-Selectmedium

A SysOps administrator is investigating a security incident where an unauthorized user accessed an S3 bucket. Which TWO AWS services can the administrator use to collect and analyze the relevant logs?

Select 2 answers
A.AWS WAF logs
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.Amazon Route 53 resolver logs
E.Amazon S3 server access logs
AnswersC, E

CloudTrail can log S3 data events if enabled.

Why this answer

AWS CloudTrail is correct because it records API calls made to S3, including who made the request, the source IP address, and the time of the action. This allows the administrator to trace the unauthorized access to a specific IAM user or role and identify the exact API operations performed, such as GetObject or PutObject.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs with S3 access logs, thinking network-level logs can capture S3 API calls, but VPC Flow Logs only show IP traffic metadata and not the application-level S3 operations.

965
MCQmedium

An organization requires that all data in transit between EC2 instances and the internet be encrypted. Which AWS service can be used to enforce this requirement?

A.Use a network ACL to allow only port 443.
B.Use an Application Load Balancer (ALB) with a TLS listener.
C.Use a security group to allow only TLS traffic.
D.Use AWS Direct Connect to route all traffic.
AnswerB

An ALB can terminate TLS and encrypt traffic between clients and the load balancer.

Why this answer

Option B is correct because an ALB can terminate TLS and enforce encrypted connections from clients. Option A is wrong because network ACLs are stateless and do not provide encryption. Option C is wrong because security groups filter traffic but do not encrypt it.

Option D is wrong because Direct Connect provides a dedicated connection but does not inherently encrypt traffic.

966
MCQhard

A SysOps administrator examines the output of the describe-alarms command for the 'HighCPU' alarm. The alarm is in ALARM state. What action will be taken automatically?

A.Recover the EC2 instance using EC2 instance recovery.
B.Launch a new EC2 instance in an Auto Scaling group.
C.Reboot the EC2 instance.
D.Send a notification to an SNS topic.
AnswerA

The alarm action is an EC2 recover action.

Why this answer

The 'HighCPU' alarm is in ALARM state, and the question specifies that the alarm is configured with an EC2 instance recovery action. EC2 instance recovery automatically restarts the instance on a new healthy host when a status check failure (such as impaired hardware or network connectivity) is detected, preserving the instance ID, private IP addresses, and Elastic IP addresses. This is a built-in CloudWatch alarm action that triggers recovery, not a reboot or scaling action.

Exam trap

The trap here is that candidates confuse EC2 instance recovery (which moves the instance to a new host) with a simple reboot or Auto Scaling replacement, but the question's context of 'HighCPU' alarm and ALARM state implies a status check failure recovery action, not a scaling or notification action.

How to eliminate wrong answers

Option B is wrong because launching a new EC2 instance in an Auto Scaling group is an Auto Scaling action triggered by a CloudWatch alarm configured with an Auto Scaling policy, not a direct EC2 recovery action. Option C is wrong because rebooting the EC2 instance is a separate CloudWatch alarm action (EC2 Reboot) that does not recover the instance from underlying hardware issues; it only restarts the OS. Option D is wrong because sending a notification to an SNS topic is a separate alarm action that does not perform any automated remediation; it only alerts via email, SMS, or other endpoints.

967
MCQhard

A company has a VPC with public and private subnets across three Availability Zones. The public subnets host NAT Gateways, and the private subnets host EC2 instances that need to access the internet. The SysOps administrator notices that EC2 instances in one private subnet cannot reach the internet, while others can. What is the MOST likely cause?

A.The EC2 instances have a secondary private IP address that is not registered.
B.The NAT Gateway is not in a public subnet.
C.The network ACL for the private subnet blocks outbound traffic.
D.The route table for the private subnet does not have a default route to the NAT Gateway.
AnswerD

Missing route to NAT Gateway prevents internet access.

Why this answer

Option D is correct. The route table for the private subnet must have a default route (0.0.0.0/0) pointing to the NAT Gateway. If that route is missing, internet access from the subnet fails.

Option A is wrong because the secondary private IP address is irrelevant to internet access. Option B is wrong because the question states that the NAT Gateways are in public subnets. Option C is wrong because NACLs are stateless but would affect all instances.

968
MCQmedium

A company has an Amazon VPC with public and private subnets. The private subnets host database instances that should not have direct internet access. However, the database instances need to download patches from an Amazon S3 bucket. The SysOps administrator needs to enable access to S3 from the private subnets without traversing the internet. Which solution should be used?

A.Create a NAT gateway in a public subnet and update the private route tables to point 0.0.0.0/0 to the NAT gateway.
B.Create a VPC endpoint for S3 (Gateway type) and update the private route tables to add a route to the S3 prefix list.
C.Create a VPC endpoint for S3 (Interface type) and assign a security group to the endpoint.
D.Create an AWS Direct Connect connection and route traffic to S3 through the on-premises network.
AnswerB

A Gateway Endpoint enables private connectivity to S3 without using the internet. It is cost-effective and simple to configure.

Why this answer

A VPC endpoint for S3 of Gateway type allows private subnet resources to access S3 without traversing the internet by routing traffic through the AWS network. Adding a route to the S3 prefix list in the private route table directs S3-bound traffic to the endpoint, which is horizontally scaled and highly available. This solution meets the requirement of no direct internet access while enabling patch downloads from S3.

Exam trap

The trap here is that candidates often confuse Gateway endpoints with Interface endpoints, assuming the latter is always required for private access, but Gateway endpoints are the correct and cost-effective choice for S3 within the same VPC.

How to eliminate wrong answers

Option A is wrong because a NAT gateway in a public subnet would route traffic through the internet to reach S3, violating the requirement of no internet traversal and incurring data transfer costs. Option C is wrong because an Interface VPC endpoint for S3 is typically used for on-premises or cross-VPC access via PrivateLink, not for private subnet access within the same VPC, and it requires additional configuration like security groups and incurs hourly charges. Option D is wrong because AWS Direct Connect is a dedicated network connection to on-premises, not a solution for VPC-to-S3 access without internet, and it adds unnecessary complexity and cost for this use case.

969
MCQhard

A company runs a critical application on AWS Lambda functions. The functions are invoked by an API Gateway endpoint. The SysOps administrator needs to ensure that the application continues to work if an entire AWS Region becomes unavailable. What should the administrator do?

A.Use AWS Global Accelerator to route traffic to the closest Region.
B.Configure Lambda functions with provisioned concurrency in multiple Regions.
C.Use Lambda@Edge to run the functions at edge locations.
D.Deploy the same API Gateway and Lambda setup in a second Region and use Route 53 with failover routing.
AnswerD

Route 53 failover routing can redirect traffic to the secondary Region.

Why this answer

Route 53 can route traffic to a second Region where the same infrastructure is deployed. Option A is wrong because Lambda functions are regional. Option B is wrong because API Gateway is also regional.

Option C is wrong because Lambda@Edge is for edge locations, not regional failover.

970
MCQhard

An EC2 instance runs a database on a 2 TB EBS gp3 volume. After a corruption event, the team must restore from a snapshot. When they detach the corrupted volume, attach a new volume restored from the snapshot, and start the database, performance is 10 to 20 times lower than normal for the first two hours. What causes this behavior, and what feature eliminates it?

A.Enable Fast Snapshot Restore (FSR) on the snapshot in the target Availability Zone before creating the replacement volume
B.Use a Provisioned IOPS (io2) volume type instead of gp3 to get higher IOPS during initialization
C.Run a full dd or fio pre-warm pass over the volume after attaching it but before starting the database
D.Increase the EBS volume size to 4 TB when restoring from the snapshot to get double the throughput baseline
AnswerA

FSR fully initializes the volume's block index immediately upon creation. The first I/O to any block is served from EBS at full throughput rather than waiting for lazy initialization from S3. For a 2 TB database volume where I/O latency determines restore time, FSR eliminates the 2-hour performance degradation period entirely.

Why this answer

When you create an EBS volume from a snapshot, the volume's data blocks are lazily loaded from Amazon S3 on first access. This causes high latency and low IOPS until all blocks are fetched. Fast Snapshot Restore (FSR) pre-initializes the volume in a specific Availability Zone, eliminating the need for lazy loading and providing full performance immediately.

Exam trap

The trap here is that candidates assume performance issues are due to volume type (gp3 vs io2) or size, rather than recognizing the fundamental lazy-load initialization behavior of EBS snapshots and the specific feature (FSR) designed to mitigate it.

How to eliminate wrong answers

Option B is wrong because Provisioned IOPS (io2) volumes do not eliminate the lazy-load initialization penalty; they only provide consistent IOPS after the volume is fully initialized, but the initial access still suffers from the same on-demand fetch from S3. Option C is wrong because running dd or fio pre-warms the volume manually, but this is a workaround, not a feature that eliminates the behavior, and it still requires the same time-consuming initialization process. Option D is wrong because increasing the volume size to 4 TB does not change the lazy-load behavior; it only increases the baseline throughput for the volume after initialization, but the initial performance degradation remains until all blocks are loaded.

971
MCQhard

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB). The SysOps administrator needs to be notified if the ALB's error rate exceeds 5% for 5 consecutive minutes. Which solution meets this requirement with the least operational overhead?

A.Enable VPC Flow Logs and analyze them with Amazon Athena to detect error rates.
B.Use a CloudWatch alarm on the ALB's 'HTTPCode_ELB_5XX_Count' metric with a math expression to calculate error rate.
C.Enable CloudTrail for the ALB and create a metric filter for 5xx errors.
D.Use AWS Config rules to monitor the ALB configuration and trigger a notification on changes.
AnswerB

CloudWatch can directly alarm on ALB metrics with math expressions.

Why this answer

Option B is correct because CloudWatch can directly monitor the ALB's 'HTTPCode_ELB_5XX_Count' metric and combine it with the 'RequestCount' metric using a math expression to calculate the error rate as a percentage. This approach requires no additional logging or external services, and a CloudWatch alarm can be configured to trigger an SNS notification when the error rate exceeds 5% for 5 consecutive minutes, minimizing operational overhead.

Exam trap

The trap here is that candidates may confuse CloudTrail (which logs API activity) with CloudWatch metrics (which track performance data), or assume VPC Flow Logs can provide HTTP-level error codes when they only capture network-layer information.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network-level traffic metadata (IP addresses, ports, protocols) and do not include HTTP status codes, making them unsuitable for detecting application-layer 5xx errors; analyzing them with Athena adds unnecessary complexity and cost. Option C is wrong because CloudTrail records API calls to the ALB (e.g., configuration changes) and does not capture HTTP response codes from client requests; metric filters on CloudTrail logs cannot extract 5xx error rates from traffic. Option D is wrong because AWS Config rules evaluate resource configuration compliance (e.g., security group settings, deletion protection) and cannot monitor real-time traffic metrics like error rates; they are designed for drift detection, not performance monitoring.

972
MCQeasy

A company requires that all access to the AWS Management Console be protected by multi-factor authentication (MFA). The SysOps administrator has enabled an IAM policy that denies all actions if the user does not authenticate with MFA. However, some users report they cannot list their own MFA devices. What is the MOST likely cause?

A.The policy denies the iam:ListMFADevices action without an MFA-authenticated session
B.The policy is applied to the root user only
C.Users are not using MFA-enabled access keys
D.The policy is not applied in the us-east-1 region
AnswerA

The policy should allow iam:ListMFADevices without MFA to enable users to set up MFA.

Why this answer

Option A is correct because the policy that denies actions without MFA also blocks the iam:ListMFADevices action, which users need in order to set up MFA. The policy should include an exception for iam:ListMFADevices. Option C is incorrect because the problem is not that users are not using MFA; it is that they cannot list devices to set up MFA.

Option D is incorrect because IAM is not region-specific, so the policy is not limited to a specific region.

973
MCQhard

A company has an S3 bucket that stores sensitive customer data. The security team requires that all objects in the bucket be encrypted at rest using AWS KMS. An administrator notices that some objects are not encrypted. What is the MOST efficient way to enforce encryption for future uploads?

A.Use an SCP to require KMS encryption for all S3 actions.
B.Use AWS Config to detect unencrypted objects and automatically encrypt them.
C.Add a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header set to aws:kms.
D.Enable S3 default encryption on the bucket with KMS.
AnswerC

Bucket policies can conditionally deny uploads without encryption.

Why this answer

Option C is correct because a bucket policy that denies PutObject without the correct encryption header will enforce encryption for all uploads. Option D is wrong because S3 default encryption only applies if no encryption header is provided; it can be overridden. Option A is wrong because SCPs affect IAM permissions, not S3 bucket configurations.

Option B is wrong because encryption is enforced per object upload, not after upload.

974
MCQmedium

A company runs a production application on Amazon EC2 instances in an Auto Scaling group across two Availability Zones. The application uses an Amazon RDS Multi-AZ DB instance. The SysOps administrator wants to test the application's behavior during an Availability Zone failure of the database. Which action should the administrator take to simulate a failure with minimal impact on production?

A.Reboot the DB instance with the 'Reboot with failover' option
B.Modify the DB instance to be a single-AZ deployment
C.Delete the standby replica in the other Availability Zone
D.Stop the DB instance
AnswerA

Rebooting with failover gracefully switches to the standby replica, testing the application's ability to handle an AZ outage.

Why this answer

Rebooting the RDS Multi-AZ DB instance with the 'Reboot with failover' option forces a synchronous failover to the standby replica in the other Availability Zone. This simulates an AZ failure of the primary database with minimal impact because the application's Auto Scaling group spans two AZs and the RDS Multi-AZ deployment provides automatic failover, so the application should experience only a brief interruption during the DNS change to the new primary.

Exam trap

The trap here is that candidates may think stopping or deleting the standby replica simulates an AZ failure, but those actions either cause a full outage or permanently remove redundancy, whereas 'Reboot with failover' is the only option that triggers a controlled failover with minimal production impact.

How to eliminate wrong answers

Option B is wrong because modifying the DB instance to be a single-AZ deployment permanently removes the standby replica and changes the architecture, which does not simulate a transient AZ failure and has a greater impact on production. Option C is wrong because deleting the standby replica in the other AZ is a destructive action that removes high availability entirely, and it does not simulate a failover event; it also requires manual intervention to recreate the standby. Option D is wrong because stopping the DB instance halts the database completely, causing a full outage rather than a controlled failover, and it does not test the application's behavior during an AZ failure of the database.

975
Multi-Selecteasy

A SysOps administrator is troubleshooting a connectivity issue from an EC2 instance to an RDS database in the same VPC. The security groups are configured correctly. Which TWO steps should the administrator take to diagnose the issue?

Select 2 answers
A.Verify the CIDR block of the VPC
B.Enable VPC Flow Logs to capture traffic
C.Check the IAM policy attached to the EC2 instance
D.Check the network ACL associated with the subnets for both instances
E.Verify the route table in the EC2 instance's subnet has a route to the RDS subnet
AnswersD, E

NACLs are stateless and may block traffic if rules are misconfigured.

Why this answer

Options D and E are correct. Checking route tables ensures the subnet routes are correct, and verifying NACL rules ensures they are not blocking traffic. Option B is wrong because flow logs do not affect connectivity.

Option C is wrong because IAM permissions do not control network connectivity. Option A is wrong because the CIDR block is unrelated to connectivity.
