AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 9761050

1546 questions total · 21pages · All types, answers revealed

Data quality score: 70/100 — Review before indexing

2 errors found across 75 questions. This page is set to noindex until issues are resolved.

Page 13

Page 14 of 21

Page 15
976
MCQhard

A company is deploying a critical application using AWS CloudFormation. The deployment must be resilient to failures and ensure that resources are created in a specific order. The template defines a stack that includes an Amazon RDS database and an Auto Scaling group. The Auto Scaling group depends on the database being available. Which CloudFormation feature should the SysOps administrator use to ensure the database is fully created and available before the Auto Scaling group is created?

A.Use the DependsOn attribute on the RDS instance to wait for the Auto Scaling group.
B.Use the DependsOn attribute on the Auto Scaling group to wait for the RDS instance, and also use a CreationPolicy on the RDS instance to signal when it is ready.
C.Use the DependsOn attribute on the Auto Scaling group to wait for the RDS instance, and also use cfn-signal on the Auto Scaling group to wait for the database.
D.Use the DeletionPolicy attribute on the Auto Scaling group to ensure it is not deleted.
AnswerB

DependsOn plus CreationPolicy ensures the Auto Scaling group is created only after the database signals complete readiness.

Why this answer

Use DependsOn to specify that the Auto Scaling group depends on the database resource, and also use CreationPolicy or WaitCondition to wait for the database to be fully ready. DependsOn alone only waits for CloudFormation to mark the resource as created, not for the database to be 'available'. Therefore, combining DependsOn with a CreationPolicy (e.g., AWS::CloudFormation::WaitCondition) ensures the Auto Scaling group is created only after the database signals readiness.

Option A is wrong because DependsOn alone is insufficient. Option B is wrong because cfn-signal is used with Auto Scaling group's CreationPolicy. Option D is wrong because DeletionPolicy affects deletion, not creation.

977
MCQeasy

A company's security policy requires that all IAM user passwords must be at least 12 characters long. The SysOps administrator needs to enforce this requirement across the AWS account. Which action should the administrator take?

A.Create an AWS Config rule to check password length and auto-remediate.
B.Update the IAM account password policy to require a minimum length of 12 characters.
C.Enable AWS CloudTrail to monitor for password changes and alert the administrator.
D.Attach a service control policy (SCP) that denies IAM user creation if the password is less than 12 characters.
AnswerB

The IAM password policy is the native way to enforce password complexity requirements at the account level. When enabled, users must comply when creating or changing their passwords.

Why this answer

The IAM account password policy is the native AWS mechanism for enforcing password requirements across all IAM users in an account. By updating this policy to require a minimum length of 12 characters, the administrator ensures that any new or changed password must comply, and existing passwords are not affected until the next change. This is a direct, account-wide setting that requires no additional services or custom logic.

Exam trap

The trap here is that candidates confuse AWS Config (which can detect but not enforce password length at creation time) with the IAM password policy (which is the correct, built-in enforcement mechanism), or they mistakenly think SCPs can inspect password content when they only control API actions at a high level.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can detect noncompliant passwords but cannot directly enforce password length at the point of creation or change; auto-remediation would require a custom Lambda function to modify the password policy, which is unnecessary when the native IAM password policy already exists. Option C is wrong because CloudTrail logs API calls but does not enforce password requirements; it only provides auditing after the fact, which does not prevent users from setting short passwords. Option D is wrong because service control policies (SCPs) apply to AWS Organizations and can restrict IAM user creation actions, but they cannot evaluate or enforce password length at the time of password creation or change; SCPs operate at the API level and lack the granularity to inspect password content.

978
MCQmedium

A company is using AWS CloudTrail to log API activity in their account. The security team needs to be alerted when an IAM user creates a new access key. Which solution meets this requirement with the least operational overhead?

A.Enable CloudTrail email notifications for management events.
B.Configure the IAM user's permissions to require MFA for access key creation.
C.Create an Amazon EventBridge rule that matches the CreateAccessKey event and targets an SNS topic.
D.Write a Lambda function that periodically scans CloudTrail logs in S3 and sends alerts.
AnswerC

EventBridge can react to CloudTrail events in real time.

Why this answer

Option C is correct because Amazon EventBridge can directly match the `CreateAccessKey` API call from CloudTrail and trigger an SNS topic to send an alert in real time, requiring no custom code or polling. This provides the least operational overhead by using a fully managed, event-driven rule.

Exam trap

The trap here is that candidates may think CloudTrail itself can send email alerts (Option A) or that a security control like MFA (Option B) satisfies the alerting requirement, but neither provides the real-time notification specified in the question.

How to eliminate wrong answers

Option A is wrong because CloudTrail does not support email notifications for management events; it can only deliver log files to S3 or CloudWatch Logs, and email alerts require an additional service like SNS. Option B is wrong because requiring MFA for access key creation is a security control that prevents unauthorized creation but does not generate alerts when a key is created. Option D is wrong because writing a Lambda function to periodically scan CloudTrail logs in S3 introduces unnecessary complexity, latency, and operational overhead compared to a real-time EventBridge rule.

979
MCQeasy

A SysOps administrator wants to deploy a serverless application using AWS Lambda functions, Amazon API Gateway, and Amazon DynamoDB. The deployment must be automated and repeatable. Which AWS service should the administrator use to define and manage this infrastructure as code?

A.AWS CodeDeploy
B.AWS OpsWorks
C.AWS Elastic Beanstalk
D.AWS CloudFormation with the AWS Serverless Application Model (SAM)
AnswerD

SAM is ideal for defining serverless resources as code.

Why this answer

AWS CloudFormation or the AWS Serverless Application Model (SAM) are the best choices for infrastructure as code. SAM is an extension of CloudFormation specifically for serverless applications. Option B is wrong because Elastic Beanstalk is for web applications on EC2, not serverless.

Option C is wrong because OpsWorks is for Chef/Puppet. Option D is wrong because CodeDeploy is for deploying code, not infrastructure.

980
MCQhard

A company uses AWS OpsWorks to manage a stack of EC2 instances running a web application. They recently migrated to AWS Elastic Beanstalk for easier deployments. However, after the migration, some users report that the application is responding slowly during peak hours. The Elastic Beanstalk environment is configured with a load balancer and auto scaling based on average CPU utilization. What should the SysOps Administrator do to troubleshoot the performance issue?

A.Manually scale the environment to add more instances.
B.Revert to the OpsWorks stack configuration.
C.Review the CloudWatch metrics and logs for the Elastic Beanstalk environment.
D.Increase the instance size in the environment configuration.
AnswerC

CloudWatch metrics and logs help diagnose performance issues.

Why this answer

Option C is correct because reviewing CloudWatch metrics and logs from the Elastic Beanstalk environment can identify if the auto scaling policy is not aggressive enough or if there are other bottlenecks. Option A is wrong because OpsWorks is no longer used. Option B is wrong because switching to manual scaling is not a best practice.

Option D is wrong because increasing instance size without analysis may be inefficient.

981
MCQhard

A company has a CloudWatch dashboard that displays custom metrics from an application. Some metrics are missing from the dashboard, but the application is publishing them to CloudWatch. The SysOps administrator confirms the metrics are present in the CloudWatch console under the correct namespace. What could be causing the metrics to not appear on the dashboard?

A.The IAM user viewing the dashboard does not have cloudwatch:GetMetricData permission.
B.The dashboard's time range is set to the last 1 hour, but the metrics were published 2 hours ago.
C.The dashboard widget is configured with a period that is longer than the interval at which metrics are published.
D.The namespace of the custom metrics is misspelled in the dashboard configuration.
AnswerC

If the widget period is 5 minutes but metrics are published every minute, the widget may aggregate and show a single point, but missing? Actually if period is too long, recent data may not be aggregated yet. More likely: the widget's stat (e.g., Sum) might show zero if no data points in that period. But the correct scenario: missing metrics often due to period mismatch.

Why this answer

Option C is correct because if the dashboard widget's period (e.g., 5 minutes) is longer than the metric publication interval (e.g., 1 minute), CloudWatch will aggregate the data points into the larger period. If the metric was published recently, the aggregation may not have completed, or the data points may fall outside the visible range of the widget's period, causing them to not appear even though the raw metrics exist in the namespace.

Exam trap

The trap here is that candidates often assume missing metrics are due to permissions or namespace errors, but the question explicitly states the metrics are visible in the CloudWatch console, pointing to a widget configuration issue like period mismatch.

How to eliminate wrong answers

Option A is wrong because the IAM user can see the metrics in the CloudWatch console under the correct namespace, which requires cloudwatch:GetMetricData permission; thus, the permission is already granted. Option B is wrong because if the metrics were published 2 hours ago, they would still appear in a dashboard set to the last 1 hour only if the dashboard's time range is adjusted; the metrics are missing, not just outside the current range. Option D is wrong because the administrator confirmed the metrics are present under the correct namespace in the CloudWatch console, so the namespace is correctly spelled in the dashboard configuration.

982
Multi-Selectmedium

A SysOps administrator needs to set up automated backups for a production Amazon RDS for PostgreSQL DB instance and copy the snapshots to another AWS Region for disaster recovery. Order the steps the administrator should take to implement this cross-region snapshot copy. (Drag each step to the correct order from first to last.) (Choose 4.)

Select 4 answers
A.Enable automated backups on the source DB instance.
B.Configure cross-region snapshot copy in the RDS console or using AWS Backup.
C.Set a retention policy for the cross-region snapshots.
D.Verify that snapshots are being copied to the target region.
AnswersA, B, C, D

Automated backups must be enabled for the source instance to generate automatic snapshots.

Why this answer

Option A is correct because automated backups must be enabled on the source RDS for PostgreSQL DB instance to generate the necessary snapshots for cross-region copying. Without automated backups, there are no snapshots to copy, and the cross-region copy feature relies on these automated snapshots as the source.

Exam trap

The trap here is that candidates might think cross-region copy can be configured without first enabling automated backups, but automated backups are a prerequisite because the copy operation uses the automated snapshot as the source.

How to eliminate wrong answers

All options are correct steps in the process, so there are no wrong options to eliminate. The question asks to order the steps from first to last, and the provided options (A, B, C, D) are all correct actions that must be taken in sequence.

983
Multi-Selecthard

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that all API calls across all accounts are logged and retained for at least 7 years. Which THREE steps should the SysOps administrator take to meet this requirement? (Choose THREE.)

Select 3 answers
A.Use AWS Config to record API calls and store them in an S3 bucket.
B.Enable AWS CloudTrail in all AWS accounts and all regions.
C.Store CloudTrail logs in Amazon CloudWatch Logs with a retention policy of 7 years.
D.Configure a CloudTrail trail to deliver log files to a centralized Amazon S3 bucket.
E.Configure an S3 lifecycle policy on the centralized bucket to transition logs to Amazon S3 Glacier after 7 years.
AnswersB, D, E

This ensures all API calls are logged across the organization.

Why this answer

AWS CloudTrail is the service designed to record all API calls made within an AWS account. Enabling CloudTrail in all accounts and all regions ensures comprehensive logging of management events across the entire AWS Organization. This is a foundational step for meeting audit and compliance requirements.

Exam trap

The trap here is confusing AWS Config (which tracks configuration changes) with CloudTrail (which records API calls), leading candidates to incorrectly select AWS Config as a logging solution for API activity.

984
MCQmedium

A SysOps administrator needs to audit all changes to security groups in an AWS account. Which AWS service should be used to capture these changes?

A.VPC Flow Logs
B.AWS CloudTrail
C.CloudWatch Logs
D.AWS Config
AnswerB

CloudTrail logs all API calls, including security group modifications.

Why this answer

AWS CloudTrail is the correct service because it records API calls made to the AWS environment, including all CreateSecurityGroup, AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, and DeleteSecurityGroup API actions. By enabling CloudTrail trail logging, the SysOps administrator can capture a complete audit trail of who made changes, when, and from which source IP, which is essential for security group change auditing.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration state changes) with CloudTrail (which tracks API call provenance), leading them to choose Config for auditing changes when only CloudTrail provides the identity and source of the change.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) at the network interface level, not API-level changes to security group configurations. Option C is wrong because CloudWatch Logs is a service for storing, monitoring, and accessing log files from various sources (e.g., application logs, system logs), but it does not natively capture AWS API calls; it can only store CloudTrail logs if they are streamed to it, but it is not the primary service for capturing the changes. Option D is wrong because AWS Config evaluates resource configurations against desired rules and tracks configuration changes over time, but it does not capture the API caller identity or the source of the change; it records the state of the security group after the change, not the who and how of the API call.

985
MCQhard

A company uses AWS CloudTrail to log all API calls. The security team requires that all logs be encrypted at rest and stored in an S3 bucket that blocks public access. The SysOps administrator configures the bucket with default encryption (SSE-S3) and a bucket policy that denies all actions unless the request includes the x-amz-server-side-encryption header with value AES256. However, CloudTrail delivery fails. What is the MOST likely cause?

A.The bucket policy requires the x-amz-server-side-encryption header, but CloudTrail does not include this header
B.CloudTrail does not support SSE-S3 encryption
C.The bucket policy does not grant CloudTrail the s3:PutObject permission
D.The bucket has default encryption enabled, which conflicts with CloudTrail's encryption
AnswerA

CloudTrail uses SSE-S3 automatically but does not set the header; the policy denies the request.

Why this answer

Option C is correct because CloudTrail delivers logs using SSE-S3 by default, but it does not include the x-amz-server-side-encryption header in the PutObject requests. The bucket policy requires that header, so the requests are denied. Option A is incorrect because CloudTrail can deliver to buckets with default encryption.

Option B is incorrect because the bucket policy does not need to allow CloudTrail explicitly; the service has permissions via the trail's bucket policy. Option D is incorrect because SSE-S3 is supported by CloudTrail.

986
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team requires that all Amazon S3 buckets in every account be encrypted at rest using AWS KMS customer managed keys. The SysOps administrator needs to enforce this requirement centrally without requiring changes in each account individually. Which approach should the administrator use?

A.Create an IAM policy in each account that denies creation of unencrypted S3 buckets
B.Configure an S3 bucket policy on each bucket to require encryption
C.Create a service control policy (SCP) in the management account that denies creation of S3 buckets without KMS encryption
D.Enable AWS Config rules in each account to detect and remediate non-compliant buckets
AnswerC

SCPs apply to all accounts in the organization and can deny actions that do not meet encryption requirements, enforcing compliance centrally.

Why this answer

Option C is correct because a service control policy (SCP) applied at the AWS Organizations management account can centrally deny the creation of S3 buckets that do not have AWS KMS encryption enabled, affecting all member accounts without requiring individual account changes. SCPs act as a permission guardrail that restricts what actions accounts can perform, even for account administrators, making them ideal for enforcing organization-wide security policies like mandatory KMS encryption on S3 bucket creation.

Exam trap

The trap here is that candidates often confuse detective controls like AWS Config rules (which alert or remediate after the fact) with preventive controls like SCPs (which block the action at the API level), leading them to choose a reactive solution instead of the correct proactive, centrally enforced SCP.

How to eliminate wrong answers

Option A is wrong because IAM policies are account-specific and must be applied in each account individually, failing the requirement for a central, no-change-per-account approach; additionally, IAM policies cannot enforce encryption settings on S3 bucket creation because the encryption requirement is a resource-level condition, not an identity-based permission. Option B is wrong because S3 bucket policies are configured per bucket and require manual changes on each existing and new bucket, which does not meet the central enforcement requirement and does not prevent creation of unencrypted buckets. Option D is wrong because AWS Config rules operate within each account and require individual setup and remediation actions per account, which violates the central enforcement without per-account changes; Config rules are detective and reactive, not preventive at the point of bucket creation.

987
Multi-Selectmedium

A company is designing a disaster recovery strategy for its production database hosted on Amazon RDS for MySQL. The primary database is in us-east-1. The company requires an RPO of less than 5 minutes and an RTO of less than 1 hour in the event of a Regional failure. Which TWO actions should the company take to meet these requirements?

Select 2 answers
A.Take daily manual snapshots and copy them to us-west-2.
B.Create a cross-Region Read Replica in us-west-2 and promote it during a disaster.
C.Enable cross-Region automated backups.
D.Enable Multi-AZ deployment for the RDS instance.
E.Use a single-AZ RDS instance with automated backups.
AnswersB, C

Correct: A cross-Region Read Replica can be promoted to a primary, providing fast failover with low RTO.

Why this answer

Options B and D are correct. Enabling cross-Region automated backups (Option B) provides continuous backup to another Region with low RPO. Option D, creating a cross-Region Read Replica and promoting it, allows fast failover with low RTO.

Option A (Multi-AZ) is for AZ-level failure, not regional. Option C (snapshots) has higher RPO. Option E (single-AZ) does not provide failover.

988
MCQmedium

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which solution meets this requirement with minimal administrative overhead?

A.Create a new encrypted DB instance and migrate the data.
B.Use application-level encryption to encrypt data before storing it in the DB.
C.Enable encryption on the existing DB instance by modifying the DB instance.
D.Store the data in an S3 bucket with encryption enabled and use RDS to access it.
AnswerA

Encryption must be enabled at creation time.

Why this answer

Option B is correct because RDS encryption at rest is enabled at launch and cannot be added later. Option A is wrong because enabling encryption after launch is not supported. Option C is wrong because application-level encryption adds overhead.

Option D is wrong because RDS does not use S3 for storage.

989
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The administrator needs to update a stack that includes an Amazon RDS DB instance. The update requires replacing the DB instance with a new one. What is the most efficient way to achieve this with minimal downtime?

A.Modify the stack template to change the DB instance identifier and update the stack.
B.Use a custom resource to create a new DB instance and delete the old one.
C.Delete the stack and create a new one with the updated DB instance.
D.Use CloudFormation's UpdateReplace policy by modifying a property that requires replacement, such as DBInstanceClass, and take a snapshot before update.
AnswerD

This triggers a replacement with minimal downtime if you use a snapshot and update DNS.

Why this answer

Option C is correct. Using CloudFormation's UpdateReplace policy with a snapshot creation and then updating the stack with a new DB instance, then updating DNS to point to the new instance, minimizes downtime. Option A would cause downtime during creation.

Option B (DeletionPolicy Retain) would not create a new instance. Option D (custom resource) is overly complex.

990
MCQeasy

A SysOps administrator needs to generate a report of all IAM users and their last activity. Which AWS service can provide this information?

A.AWS Config
B.IAM Credential Report
C.AWS Trusted Advisor
D.AWS CloudTrail
AnswerB

The IAM Credential Report contains last activity for users.

Why this answer

Option D is correct because IAM Credential Report includes details about IAM users, including password last used and access key last used. Option A is wrong because CloudTrail logs API calls but does not generate a consolidated report. Option B is wrong because Trusted Advisor does not provide IAM activity reports.

Option C is wrong because AWS Config tracks resource changes, not user activity.

991
MCQeasy

Refer to the exhibit. The command returns no datapoints for CPUUtilization for the specified instance. What is the most likely reason?

A.The instance was stopped or did not emit metrics during the specified time range.
B.The metric name is incorrect.
C.The instance does not have detailed monitoring enabled.
D.The period of 300 seconds is too short.
AnswerA

If the instance is stopped, no metrics are emitted.

Why this answer

The most likely reason for no datapoints is that the instance was stopped or did not emit metrics during the specified time range. CloudWatch only retains and returns metric data when the instance is running and the CloudWatch agent or EC2 hypervisor is actively publishing CPUUtilization. If the instance was in a stopped state, no metrics are generated, resulting in an empty response from the GetMetricStatistics API call.

Exam trap

The trap here is that candidates often assume missing datapoints are due to a configuration issue (like detailed monitoring not enabled or wrong period), when in fact the instance simply wasn't running during the queried time window.

How to eliminate wrong answers

Option B is wrong because CPUUtilization is a standard EC2 metric name; if the metric name were incorrect, the API would return an error message (e.g., 'InvalidParameterValue') rather than an empty dataset. Option C is wrong because basic monitoring (5-minute granularity) still emits CPUUtilization datapoints; detailed monitoring only affects the frequency (1-minute granularity), not the existence of data. Option D is wrong because a period of 300 seconds is a valid and common value for basic monitoring (matching the default 5-minute interval) and does not cause missing datapoints.

992
MCQmedium

A SysOps administrator is troubleshooting an application that runs on AWS Lambda. The application occasionally fails with timeout errors. The administrator needs to identify the exact lines of code that are causing the delays. Which AWS service or feature should be used to gather this information?

A.Enable detailed CloudWatch Logs and search for 'timeout' strings.
B.Use AWS X-Ray to trace the Lambda function and view segment details.
C.Set a CloudWatch Metric Filter for 'Duration' and create an alarm.
D.Enable AWS CloudTrail data events for the Lambda function.
AnswerB

Correct. X-Ray traces function executions and can be instrumented to capture subsegments for each function call, helping identify which lines or api calls are slow.

Why this answer

AWS X-Ray provides end-to-end tracing for Lambda functions, capturing segment details and subsegments that pinpoint the exact lines of code causing delays. By analyzing the trace timeline and annotations, the administrator can identify which specific function calls or operations exceed the timeout threshold, unlike CloudWatch Logs which only show aggregate duration or error strings without code-level granularity.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs or Metrics (which show aggregate data) with the code-level tracing capability of X-Ray, assuming that searching for 'timeout' strings or monitoring 'Duration' metrics will reveal the exact lines of code causing the delay.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs can show 'timeout' strings but cannot trace the exact lines of code causing delays; they only log output from the function, not internal execution flow. Option C is wrong because a CloudWatch Metric Filter for 'Duration' and an alarm only monitors the overall execution time, not the specific code segments or lines responsible for the timeout. Option D is wrong because AWS CloudTrail data events record API calls to the Lambda service (e.g., Invoke, UpdateFunctionCode) but do not capture the internal execution trace or code-level timing within the function.

993
MCQmedium

A company uses Amazon CloudFront to deliver content from an Application Load Balancer (ALB) origin. The SysOps administrator needs to restrict access to the content so that only users from a specific geographic location can view it. Which CloudFront feature should be used?

A.Geographic restrictions (geo-blocking) in CloudFront
B.Origin Access Identity (OAI)
C.Signed URLs
D.AWS WAF web ACL associated with the CloudFront distribution
AnswerA

CloudFront supports geo-restriction natively. You can create a whitelist or blacklist of allowed countries using the CloudFront console or API. This directly meets the requirement.

Why this answer

CloudFront's geographic restrictions (geo-blocking) feature allows you to restrict access to content based on the geographic location of the viewer's IP address. This is the simplest and most direct method to ensure only users from a specific country or region can access the content delivered through CloudFront, without requiring any changes to the origin or additional authentication mechanisms.

Exam trap

The trap here is that candidates often confuse AWS WAF's geo-match rules with CloudFront's built-in geographic restrictions, but the question asks for a CloudFront feature, and the native geo-blocking feature is the correct, simpler answer without requiring an additional service.

How to eliminate wrong answers

Option B is wrong because Origin Access Identity (OAI) is used to restrict access to an S3 bucket origin, not to an ALB origin, and it controls access based on identity rather than geography. Option C is wrong because Signed URLs provide time-limited access to individual files for specific users, but they do not restrict access based on geographic location; they are used for authorization, not geo-blocking. Option D is wrong because while AWS WAF can be used with CloudFront to create geo-match conditions, it is an additional service that incurs extra cost and complexity; CloudFront's built-in geographic restrictions are the native, simpler solution for this requirement.

994
MCQeasy

A company uses AWS CloudFormation to deploy a stack that includes an Amazon S3 bucket. The stack creation fails because the S3 bucket name already exists. What should the administrator do to resolve this issue?

A.Add a tag to the existing bucket to make it available for the stack.
B.Change the S3 bucket name in the CloudFormation template to a unique name.
C.Delete the existing S3 bucket and recreate the stack.
D.Update the bucket policy to allow the stack to use the bucket.
AnswerB

Using a unique bucket name avoids the conflict.

Why this answer

Option B is correct because S3 bucket names must be globally unique, so using a different name resolves the conflict. Option A is wrong because deleting the bucket is not viable if it's in use. Option C is wrong because policies do not affect bucket name uniqueness.

Option D is wrong because tags do not affect bucket names.

995
Multi-Selectmedium

A SysOps administrator sets up an alarm to monitor the CPU utilization of an Auto Scaling group. The alarm should trigger a scaling policy when CPU exceeds 80% for 5 consecutive minutes. The alarm state remains 'INSUFFICIENT_DATA' even though instances are running. Which THREE are possible causes?

Select 3 answers
A.The EC2 instances are not sending CPU utilization metrics to CloudWatch.
B.The alarm is configured with the wrong metric namespace.
C.The Auto Scaling group does not have a health check grace period configured.
D.The alarm's period is shorter than the evaluation period.
E.The Auto Scaling group uses ELB health checks.
AnswersA, B, D

If the CloudWatch agent is not installed or configured, no metrics are sent.

Why this answer

Option A is correct because if EC2 instances are not sending CPU utilization metrics to CloudWatch, the alarm will remain in INSUFFICIENT_DATA state. This can happen if the CloudWatch agent is not installed or configured on the instances, or if the instances lack the necessary IAM permissions to publish metrics. Without metric data, CloudWatch cannot evaluate the alarm condition.

Exam trap

The trap here is that candidates often assume INSUFFICIENT_DATA is always due to missing metrics, but they overlook misconfigured namespaces or mismatched period/evaluation windows as equally valid causes.

996
MCQhard

A company is using AWS CloudFormation to manage infrastructure. A recent stack update failed, and the SysOps administrator needs to roll back to the previous known good state. However, the stack is in UPDATE_ROLLBACK_FAILED state. What should the administrator do to recover the stack?

A.Use the ContinueUpdateRollback API or AWS Management Console to resume the rollback after addressing the failure cause
B.Delete the stack and recreate it from the previous template
C.Contact AWS Support to enable automatic rollback recovery
D.Execute another stack update with the same parameters to overwrite the failed state
AnswerA

This is the correct procedure to recover from a UPDATE_ROLLBACK_FAILED state.

Why this answer

Option B is correct because when a stack is in UPDATE_ROLLBACK_FAILED, you can continue the rollback by fixing the underlying issue (e.g., deleting a resource that cannot be rolled back) and then executing ContinueUpdateRollback. Option A is wrong because deleting the stack would remove all resources, causing data loss. Option C is wrong because updating the stack again may not resolve the rollback failure and could compound errors.

Option D is wrong because CloudFormation does not have an automatic rollback recovery feature; manual intervention is required.

997
Multi-Selectmedium

Which TWO of the following are benefits of using Amazon CloudFront in front of an Application Load Balancer? (Select TWO.)

Select 2 answers
A.Simplify VPC endpoint configuration
B.Protect the application against DDoS attacks
C.Offload SSL/TLS termination from the ALB
D.Reduced latency for users by caching content at edge locations
E.Provide a static IP address for the application
AnswersB, D

CloudFront integrates with AWS Shield for DDoS protection.

Why this answer

Amazon CloudFront provides AWS Shield Standard automatically, which mitigates common Layer 3/4 DDoS attacks at the edge before traffic reaches the ALB. By absorbing volumetric attacks at CloudFront's globally distributed edge locations, the ALB is shielded from malicious traffic, ensuring application availability. This is a key benefit because ALBs alone do not have built-in DDoS protection beyond basic security group rules.

Exam trap

The trap here is that candidates often select 'Offload SSL/TLS termination from the ALB' (Option C) thinking it is a benefit of using CloudFront in front of an ALB, but this is a general CloudFront feature that applies to any origin, not a specific advantage of the ALB combination, and the ALB can already handle SSL/TLS termination efficiently.

998
Multi-Selectmedium

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails because the instances do not have the CodeDeploy agent installed. Which THREE actions are required to resolve this issue?

Select 3 answers
A.Install the CodeDeploy agent on the instances using user data in the launch configuration.
B.Create a new AMI that includes the CodeDeploy agent.
C.Use AWS Systems Manager Run Command to install the agent on existing instances.
D.Change the deployment configuration to 'OneAtATime'.
E.Update the Auto Scaling group's launch configuration to use a different instance type.
AnswersA, B, C

User data can install the agent at launch.

Why this answer

The CodeDeploy agent must be installed on each instance. This can be done by installing it via user data, using a pre-built AMI with the agent, or using AWS Systems Manager Run Command. Changing the deployment configuration does not install the agent.

Updating the Auto Scaling group launch configuration alone does not install the agent on existing instances.

999
MCQmedium

A company needs to continuously scan Amazon EC2 instances for software vulnerabilities and unintended network exposure. Which AWS service should be used?

A.AWS Config
B.Amazon Inspector
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

Amazon Inspector is designed specifically to assess vulnerabilities and network exposure on EC2 instances.

Why this answer

Amazon Inspector is the correct service because it is specifically designed to automatically scan Amazon EC2 instances for software vulnerabilities (CVEs) and unintended network exposure (network reachability). It uses a combination of a managed agent (for OS-level assessment) and network configuration analysis to produce a detailed findings report, directly meeting the requirement for continuous scanning.

Exam trap

The trap here is that candidates often confuse Amazon Inspector with Amazon GuardDuty, mistakenly thinking GuardDuty performs vulnerability scanning when it actually focuses on threat detection from network and account activity, not on scanning EC2 instances for CVEs or network exposure.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and auditing the configuration of AWS resources against desired policies (e.g., compliance rules), not for scanning for software vulnerabilities or network exposure. Option C is wrong because AWS Trusted Advisor provides high-level best-practice recommendations across cost, performance, security, and fault tolerance, but it does not perform deep vulnerability scanning of EC2 instances. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity, not for scanning EC2 instances for software vulnerabilities or unintended network exposure.

1000
Multi-Selecthard

A company is designing a disaster recovery strategy for its AWS environment. The primary Region is us-east-1, and the secondary Region is us-west-2. The application uses Amazon RDS for MySQL, Amazon S3 for static assets, and EC2 instances in an Auto Scaling group. The RTO is 30 minutes, and the RPO is 15 minutes. Which TWO actions should the SysOps administrator take to meet these requirements? (Choose two.)

Select 2 answers
A.Configure a cross-Region read replica for the RDS instance in us-west-2.
B.Deploy a single RDS instance in us-west-2 as a standby.
C.Create AMI backups of EC2 instances every hour and copy to us-west-2.
D.Take daily EBS snapshots and copy them to us-west-2.
E.Enable S3 cross-Region replication for the static assets bucket.
AnswersA, E

A read replica can be promoted to a standalone DB in minutes, meeting RTO and RPO.

Why this answer

Options A and D are correct. A cross-Region read replica in us-west-2 can be promoted to a primary in case of disaster, providing an RPO of seconds and RTO of minutes. S3 cross-Region replication ensures assets are available in the secondary Region with minimal RPO.

Option B is incorrect because EBS snapshots are incremental and copying a snapshot would not meet RPO of 15 minutes if done daily. Option C is incorrect because AMI backups are for EC2 instances, not for database recovery. Option E is incorrect because a single RDS instance does not provide cross-Region failover.

1001
MCQeasy

A company has an AWS Lambda function that processes files uploaded to an S3 bucket. The function fails intermittently with a timeout error. What should the SysOps administrator do to monitor and resolve this issue?

A.Place the S3 bucket in a different AWS region to reduce latency.
B.Enable provisioned concurrency for the Lambda function.
C.Increase the Lambda function timeout and review the function logs in CloudWatch Logs.
D.Configure EC2 Auto Scaling to launch more instances for the Lambda function.
AnswerC

Increasing timeout may fix the timeout error, and logs help identify the cause.

Why this answer

Option C is correct because increasing the Lambda function timeout directly addresses the intermittent timeout error by allowing the function more time to complete execution before Lambda terminates it. Reviewing CloudWatch Logs is essential to identify the root cause, such as slow downstream dependencies or inefficient code, enabling targeted optimization. This approach aligns with standard troubleshooting for Lambda timeout issues.

Exam trap

The trap here is that candidates may confuse Lambda's scaling behavior with EC2 Auto Scaling, or assume that provisioned concurrency fixes execution duration issues, when in fact it only addresses cold start latency.

How to eliminate wrong answers

Option A is wrong because moving the S3 bucket to a different region does not resolve Lambda timeout errors; it may increase latency due to cross-region data transfer and does not affect the function's execution duration. Option B is wrong because provisioned concurrency initializes execution environments to reduce cold starts, but it does not extend the maximum execution time allowed by the Lambda timeout setting. Option D is wrong because EC2 Auto Scaling manages EC2 instances, not Lambda functions; Lambda scales automatically based on incoming requests, and Auto Scaling has no role in Lambda execution.

1002
Multi-Selecthard

A SysOps administrator is troubleshooting an issue where an EC2 instance has failed a status check. The instance is still running but is unresponsive. Which THREE actions should the administrator take to diagnose and resolve the issue? (Choose THREE.)

Select 3 answers
A.Reboot the instance.
B.Check the system status checks in the EC2 console.
C.Review the instance system log (console output).
D.Restore the instance from the latest AMI.
E.Stop and start the instance (recovery action).
AnswersB, C, E

System status checks indicate underlying hardware/network issues.

Why this answer

System status checks (Option B) monitor the underlying physical host for issues like network or power loss, while instance status checks (like system log in Option C) detect OS-level problems. Reviewing the system log helps identify kernel panics or boot failures. Stopping and starting the instance (Option E) forces a migration to a new physical host, which can resolve host-level impairments without losing the instance's configuration or data.

Exam trap

The trap here is that candidates confuse 'reboot' with 'stop/start' — rebooting does not change the underlying host, while stopping and starting does, which is the key recovery action for host-level failures.

1003
Multi-Selectmedium

Which THREE steps are required to deploy a serverless application using AWS CloudFormation? (Choose three.)

Select 3 answers
A.Use the AWS::Serverless::Transform to enable SAM
B.Specify the path to the source code in the template
C.Define the AWS::Serverless::Function resource in the template
D.Define a VPC and subnets for the Lambda function
E.Create an S3 bucket for the deployment artifact
AnswersA, B, C

The SAM transform is required to use serverless resources.

Why this answer

Options A, C, and E are correct. Option B is incorrect because it is not a step; it is a prerequisite. Option D is incorrect because a VPC is optional.

1004
MCQeasy

A company runs a static website on Amazon S3 with a custom domain name (www.example.com). The website is accessed via Amazon CloudFront. The company's marketing team recently updated the website content, but users are reporting that they still see the old content. The SysOps administrator checks the S3 bucket and confirms that the new files are present. The administrator also checks CloudFront and finds that the default TTL for the cache behavior is 24 hours. The marketing team needs the new content to be visible immediately. What should the administrator do to make the new content available to users as quickly as possible?

A.Disable the CloudFront distribution and re-enable it after 5 minutes.
B.Change the default TTL for the CloudFront cache behavior to 0 seconds.
C.Create a CloudFront invalidation for the path '/*' to remove all cached files.
D.Change the S3 bucket's lifecycle policy to expire objects after 1 day.
AnswerC

Invalidation immediately removes cached objects, forcing CloudFront to fetch updated content.

Why this answer

Option A is correct because creating a CloudFront invalidation for the path '/*' removes all cached objects, so subsequent requests fetch the new content from the origin. Option B is wrong because disabling and re-enabling the distribution would cause downtime. Option C is wrong because changing the default TTL to 0 would require waiting for TTL to expire or invalidations.

Option D is wrong because S3 lifecycle policies do not affect cache.

1005
MCQmedium

A company runs a stateful web application on EC2 instances behind a Network Load Balancer. The application requires that client requests from a particular session are always sent to the same target instance. Which feature should the SysOps administrator configure on the NLB to meet this requirement?

A.Configure path-based routing rules
B.Enable health checks on the target group
C.Configure sticky sessions using a cookie
D.Enable cross-zone load balancing
AnswerC

Sticky sessions ensure client requests go to the same target.

Why this answer

Option B is correct because NLB supports sticky sessions (session affinity) using a cookie or source IP. Option A is wrong because cross-zone load balancing distributes traffic across AZs, not stickiness. Option C is wrong because NLB does not support path-based routing; that's ALB.

Option D is wrong because health checks do not affect stickiness.

1006
MCQeasy

A SysOps administrator needs to route traffic for a domain name 'example.com' to an Application Load Balancer. Which AWS service should be used to create the DNS record?

A.Amazon EC2
B.Application Load Balancer
C.Amazon Route 53
D.Amazon CloudFront
AnswerC

Route 53 is the DNS service for record management.

Why this answer

Option A is correct. Amazon Route 53 is the DNS service to manage domain records. Option B is wrong because CloudFront is a CDN.

Option C is wrong because ALB is the load balancer itself. Option D is wrong because EC2 is compute.

1007
Multi-Selecteasy

A SysOps administrator is setting up monitoring for an Amazon RDS instance. Which TWO metrics are available by default in Amazon CloudWatch for RDS?

Select 2 answers
A.DatabaseConnections
B.CPUUtilization
C.FreeableMemory
D.FailedLoginAttempts
E.WriteLatency
AnswersA, B

Default metric for RDS.

Why this answer

Amazon RDS automatically publishes a set of metrics to CloudWatch at no additional cost. DatabaseConnections is one of these default metrics, as it tracks the number of database client connections to the RDS instance. This metric is essential for monitoring connection limits and application connectivity health.

Exam trap

AWS often tests the distinction between default CloudWatch metrics and Enhanced Monitoring metrics, trapping candidates who assume all performance-related metrics (like FreeableMemory or WriteLatency) are automatically available without additional configuration.

1008
MCQhard

A company is using AWS CodePipeline with a multi-branch strategy. They have a pipeline that deploys to a development environment. They want to create a new pipeline for a production environment that only deploys when code is merged to the 'main' branch. What is the most efficient way to set up the production pipeline?

A.Clone the existing pipeline and modify the source stage to use the main branch.
B.Create a new pipeline using a CloudFormation template that defines the pipeline with the main branch as the source.
C.Use CodeCommit triggers to start the pipeline only on pushes to main.
D.Modify the existing pipeline to include both development and production stages, with the production stage only running on manual approval.
AnswerB

Infrastructure as code ensures consistency and automated deployment.

Why this answer

Option C is correct because using a CloudFormation template to create the pipeline allows for infrastructure as code and easy replication. Option A is wrong because cloning the pipeline manually is error-prone. Option B is wrong because this is not a feature of CodeCommit.

Option D is wrong because a single pipeline with multiple stages would deploy to both environments on every push to main, which may not be desired.

1009
MCQmedium

A company has deployed a web application on EC2 instances with an Auto Scaling group. The SysOps administrator needs to automatically replace any instance that is in a 'failed' status as reported by the EC2 status checks. Which action should the administrator take?

A.Create an AWS Config rule to detect failed status checks and trigger a remediation action.
B.Create an AWS Lambda function that stops and starts the failed instance.
C.Configure the Auto Scaling group to use EC2 status checks for health checks.
D.Create a CloudWatch alarm on the StatusCheckFailed metric and trigger an SNS notification.
AnswerC

Auto Scaling can automatically replace instances based on health checks.

Why this answer

Option C is correct because an Auto Scaling group can be configured to use EC2 status checks (both system and instance) as the health check type. When the status check reports a failed status, the Auto Scaling group automatically terminates the unhealthy instance and launches a new one to replace it, ensuring self-healing without manual intervention.

Exam trap

The trap here is that candidates often confuse monitoring (CloudWatch alarms or SNS notifications) with automated remediation, forgetting that Auto Scaling groups have a built-in health check replacement feature that directly addresses the requirement to automatically replace failed instances.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are designed for compliance and resource configuration auditing, not for real-time health monitoring or automatic replacement of failed instances; they lack the native ability to trigger instance replacement in an Auto Scaling group. Option B is wrong because stopping and starting a failed instance does not replace it; the instance retains its private IP and may still be unhealthy, and this approach bypasses the Auto Scaling group's lifecycle management, potentially causing state inconsistencies. Option D is wrong because a CloudWatch alarm on StatusCheckFailed with an SNS notification only sends an alert; it does not automatically replace the instance, requiring manual or additional automation to trigger the replacement.

1010
Multi-Selectmedium

Which TWO AWS services can be used to provide a static IP address for an Application Load Balancer? (Choose two.)

Select 2 answers
A.Amazon Route 53 with static DNS name
B.Elastic IP address assigned to the ALB
C.Network Load Balancer (with Elastic IP)
D.AWS Global Accelerator
E.Application Load Balancer (with Elastic IP)
AnswersC, D

NLB supports Elastic IP per AZ and can forward to ALB.

Why this answer

Option A is correct because AWS Global Accelerator provides static anycast IP addresses that can be associated with an ALB. Option D is correct because Network Load Balancer provides a static IP per AZ and can be used in front of an ALB. Option B is wrong because ALB itself does not have static IPs.

Option C is wrong because Elastic IP is for EC2 instances, not directly for ALB. Option E is wrong because Route 53 provides DNS, not static IP.

1011
MCQhard

Refer to the exhibit. A SysOps administrator has attached the bucket policy shown to an S3 bucket. Users from the IP range 192.0.2.0/24 report that they can access objects, but users from other IP ranges also report they can access objects. What is the most likely reason?

A.The bucket is not configured to use the bucket policy.
B.The bucket policy is malformed and is not being applied.
C.The Condition element in the Allow statement is incorrectly formatted.
D.The bucket ACL allows public read access, overriding the bucket policy Deny.
AnswerD

Bucket ACLs are evaluated before bucket policies, and if an ACL grants access, it can override a Deny in the policy.

Why this answer

The Deny statement uses NotIpAddress condition, which denies access unless the source IP is not in the specified range. However, the Allow statement allows access from the specified IP range. But the Deny statement as written denies all actions (including GetObject) if the IP is NOT in the range.

This should block all other IPs. The issue might be that the bucket policy has an explicit deny, but if the bucket is also configured with a bucket ACL that allows public access, the effective permissions may be confusing. However, the most common mistake is that the Deny statement is missing the effect on the same action? Actually, the Deny statement will override any Allow for IPs not in the range.

The only scenario where other IPs can access is if the bucket policy is not the only authorization method, or if there is a separate bucket ACL that allows access. But given the options, the most plausible is that the bucket ACL allows public read access. Option A is plausible because bucket ACLs can grant access to everyone.

Option B is not shown. Option D is not shown.

1012
MCQmedium

A SysOps administrator is updating an AWS CloudFormation stack that contains an Amazon RDS DB instance. The administrator wants to prevent accidental replacement of the database during the update. Which CloudFormation feature should be used?

A.Change sets
B.Stack policies
C.Resource signals
D.Nested stacks
AnswerB

Stack policies can explicitly deny updates or replacements for specific resources. By configuring a stack policy that denies update for the RDS instance, the administrator ensures the database is not replaced during the update.

Why this answer

Stack policies are the correct feature because they allow you to define explicit deny statements that prevent CloudFormation from updating or replacing specific resources, such as an RDS DB instance, during a stack update. By setting a stack policy that denies replacement actions on the database resource, the administrator ensures that even if the template changes would normally trigger a replacement, the update will fail rather than accidentally recreate the database.

Exam trap

The trap here is that candidates often confuse change sets (which only preview changes) with stack policies (which enforce guardrails), leading them to incorrectly select change sets as the mechanism to prevent accidental replacement.

How to eliminate wrong answers

Option A is wrong because change sets allow you to preview the changes that will be made to a stack before executing them, but they do not prevent the changes from being applied; they only provide visibility. Option C is wrong because resource signals are used to coordinate the creation or update of resources by sending success/failure signals (e.g., via cfn-signal), but they have no mechanism to block replacement of a specific resource. Option D is wrong because nested stacks help organize and reuse templates by embedding one stack within another, but they do not provide any resource-level protection against accidental replacement during updates.

1013
MCQhard

A company uses Amazon CloudWatch Logs to collect logs from multiple EC2 instances. The SysOps administrator needs to create a metric filter that counts the number of ERROR-level log entries per hour and triggers an alarm when the count exceeds 100 in any 5-minute period. Which metric filter pattern should be used?

A.Use the pattern "ERROR" and set the metric value to 100.
B.Use the pattern "ERROR" and set the metric value to 1.
C.Use the pattern "ERROR *" to match any log entry starting with ERROR.
D.Use the pattern "[ERROR, 5]" to match 5 consecutive ERROR entries.
AnswerB

Each log entry containing ERROR increments the metric by 1, allowing accurate counting.

Why this answer

Option B is correct because a CloudWatch Logs metric filter counts each log event that matches the pattern. Setting the metric value to 1 ensures that each matching log entry increments the metric by 1, allowing the alarm to evaluate the sum over a 5-minute period against the threshold of 100. The pattern "ERROR" matches any log entry containing the string "ERROR" anywhere in the message.

Exam trap

The trap here is that candidates often think the metric value should match the alarm threshold (e.g., 100) or that wildcards or special syntax are needed, when in fact the metric value should be 1 and the threshold is set in the alarm definition.

How to eliminate wrong answers

Option A is wrong because setting the metric value to 100 would cause each matching log entry to increment the metric by 100, making the alarm trigger after a single ERROR entry (100/100 = 1), not after 100 entries. Option C is wrong because the pattern "ERROR *" uses a wildcard that is not valid in CloudWatch Logs metric filter syntax; CloudWatch Logs uses space-delimited token matching with brackets for positional patterns, not glob-style wildcards. Option D is wrong because the pattern "[ERROR, 5]" is not valid metric filter syntax; CloudWatch Logs does not support counting consecutive entries or specifying a count within the pattern itself.

1014
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The application experiences variable traffic patterns. The operations team notices that during low traffic periods, there are still a large number of running instances, leading to higher costs. What should the team do to reduce costs while maintaining performance?

A.Replace the existing instances with larger instance types to handle peak load.
B.Implement a target tracking scaling policy based on average CPU utilization.
C.Manually scale down the number of instances during off-peak hours.
D.Purchase Reserved Instances for the baseline capacity.
AnswerB

Automatically adjusts capacity based on demand, lowering costs during low traffic.

Why this answer

Using a target tracking scaling policy based on average CPU utilization allows the Auto Scaling group to automatically adjust the number of instances based on demand, reducing costs during low traffic. Option A is wrong because manual scaling does not automate cost optimization. Option B is wrong because Reserved Instances do not address variable traffic.

Option D is wrong because increasing instance size may not reduce the number of instances during low traffic.

1015
MCQeasy

A company wants to ensure that its S3 bucket is accessible only from a VPC. Which configuration should the SysOps Administrator implement?

A.Create an S3 VPC endpoint and attach a bucket policy that restricts access to that endpoint.
B.Configure a bucket policy that allows access from the public internet.
C.Make the bucket public and rely on IAM roles.
D.Attach a security group to the S3 bucket.
AnswerA

Ensures access only from within the VPC.

Why this answer

Option B is correct because S3 bucket policies can restrict access to a specific VPC or VPC endpoint. Option A is wrong because it does not restrict to a VPC. Option C is wrong because it grants public access.

Option D is wrong because S3 does not support security group associations.

1016
MCQeasy

A SysOps administrator is troubleshooting an issue where an EC2 instance in a private subnet cannot connect to the internet. The instance has a security group allowing outbound HTTPS traffic. The subnet’s route table has a default route (0.0.0.0/0) to a NAT Gateway. The NAT Gateway is in a public subnet with an Elastic IP and a route to an internet gateway. What is a likely cause of the issue?

A.The subnet’s network ACL is blocking outbound ephemeral ports.
B.The NAT Gateway does not have an Elastic IP.
C.The private subnet has a route to an internet gateway.
D.The security group is blocking inbound traffic from the NAT Gateway.
AnswerA

NACL must allow outbound ephemeral ports (1024-65535) for responses.

Why this answer

Option D is correct because the network ACL (NACL) is stateless and must allow both inbound and outbound traffic. Even if the default NACL allows all outbound, a custom NACL might block outbound ephemeral ports. Option A is wrong because security groups are stateful.

Option B is wrong because the NAT Gateway has an EIP. Option C is wrong because the subnet is private, no IGW.

1017
MCQhard

Refer to the exhibit. A SysOps administrator creates this CloudFormation template. The stack creation fails with the error: 'The security group 'default' does not exist'. What is the most likely cause?

A.The VPC does not have a default security group.
B.The instance is launched in EC2-Classic, which does not support security groups.
C.The instance is launched in a VPC, but the security group is specified by name instead of group ID.
D.The 'default' security group is not present in the account.
AnswerC

In a VPC, security groups are referenced by ID, not name.

Why this answer

The correct answer is B because the default security group exists in a VPC, but the EC2 instance is launched in EC2-Classic (default) which uses the 'default' security group name. However, if the instance is launched in a VPC, the security group must be specified by GroupId, not by name. The template uses a name, which is only valid for EC2-Classic.

Since most AWS accounts now use VPC, the security group name 'default' is not recognized. Option A is incorrect because the VPC does have a default security group, but it's identified by ID. Option C is incorrect because the default group exists.

Option D is incorrect because the instance is launched in the default VPC, but the security group reference is incorrect.

1018
MCQmedium

A company wants to receive alerts when an Auto Scaling group launches or terminates instances. They already have a CloudTrail trail enabled. What is the simplest way to achieve this?

A.Create a CloudWatch Events rule that matches Auto Scaling event patterns and sends notifications to an SNS topic.
B.Write a script on each EC2 instance to call the CloudWatch Logs API on launch/termination.
C.Configure the Auto Scaling group to publish lifecycle hooks and use Lambda to send notifications.
D.Enable CloudWatch detailed monitoring on the Auto Scaling group and create alarms.
AnswerA

Simplest approach using existing CloudTrail and CloudWatch Events.

Why this answer

Option A is correct because CloudWatch Events (now part of Amazon EventBridge) can automatically capture Auto Scaling group state changes (launch and terminate) via CloudTrail API calls. By creating a rule that matches the specific event pattern for Auto Scaling events (e.g., 'EC2 Instance Launch Successful' and 'EC2 Instance Terminate Successful'), you can directly route those events to an SNS topic, which then sends notifications (e.g., email or SMS). This requires no custom code, lifecycle hooks, or additional monitoring configuration, making it the simplest solution.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing lifecycle hooks (Option C) or custom scripts (Option B), not realizing that CloudWatch Events can directly consume CloudTrail API events for Auto Scaling without additional infrastructure.

How to eliminate wrong answers

Option B is wrong because writing a script on each EC2 instance to call the CloudWatch Logs API on launch/termination is overly complex, requires custom code on every instance, and does not inherently trigger alerts; it only logs data, not send notifications. Option C is wrong because lifecycle hooks are designed for custom actions during scaling events (e.g., running a script before termination), but they add unnecessary complexity and cost (Lambda execution) when the goal is simply to receive alerts; CloudWatch Events can do this without hooks. Option D is wrong because CloudWatch detailed monitoring on an Auto Scaling group provides metrics like CPU utilization, not instance launch/termination events; alarms based on these metrics cannot detect scaling actions directly, and they would require threshold-based logic that is indirect and unreliable for this use case.

1019
MCQhard

Refer to the exhibit. A SysOps administrator is troubleshooting internet connectivity for an EC2 instance in subnet subnet-0a1b2c3d4e5f6g7h8. The instance can reach other instances in the VPC but cannot access the internet. Based on the route table output, what is the most likely cause?

A.The default route (0.0.0.0/0) is missing
B.The route table is not associated with the subnet
C.The NAT gateway does not have a route to an internet gateway
D.The VPC CIDR route is misconfigured
AnswerC

The NAT gateway's subnet must have a route to an IGW for the NAT to work.

Why this answer

Option C is correct because the route table has a default route to a NAT gateway, but the exhibit does not show that the NAT gateway is in a public subnet with an internet gateway route. If the NAT gateway lacks internet access, private instances cannot reach the internet. Option A is wrong because the route table is associated with the subnet.

Option B is wrong because the route exists. Option D is wrong because the VPC CIDR is local, which is fine.

1020
MCQeasy

A company wants to receive a notification when the root account is used to perform any action in the AWS account. Which service should be used to monitor this?

A.AWS Config
B.Amazon CloudWatch Logs
C.AWS CloudTrail with Amazon CloudWatch Events
D.AWS Trusted Advisor
AnswerC

CloudTrail records API calls; CloudWatch Events can trigger notifications on specific events.

Why this answer

AWS CloudTrail logs all API activity in the account, including root user actions. By creating a CloudTrail trail and sending those logs to Amazon CloudWatch Events (now part of Amazon EventBridge), you can define a rule that matches the `RootAccess` event or any API call where `userIdentity.type` is `Root` and trigger a notification via SNS or Lambda. This combination provides real-time monitoring and alerting for root account usage.

Exam trap

The trap here is that candidates confuse AWS Config (which audits resource configurations) with CloudTrail (which audits API activity), or they think CloudWatch Logs alone can trigger alerts without CloudWatch Events, missing the requirement for event-driven notification.

How to eliminate wrong answers

Option A is wrong because AWS Config is designed for resource inventory, configuration history, and compliance rules (e.g., checking if S3 buckets are public), not for monitoring real-time API calls or user actions. Option B is wrong because Amazon CloudWatch Logs can store and query log data, but it cannot directly generate notifications from CloudTrail events without a CloudWatch Events rule or metric filter; the question requires a service that monitors root actions, and CloudWatch Logs alone lacks the event-driven alerting capability. Option D is wrong because AWS Trusted Advisor provides best-practice checks for cost optimization, performance, security, and fault tolerance, but it does not monitor or alert on specific user actions like root account usage.

1021
MCQhard

An organization has a requirement to prevent any IAM user from deleting an S3 bucket that contains critical data. The SysOps administrator needs to implement a preventive control that works even if the user has full administrative privileges. Which solution should the administrator implement?

A.Attach an IAM policy to the user that explicitly denies s3:DeleteBucket.
B.Enable MFA Delete on the bucket.
C.Apply a service control policy (SCP) that denies s3:DeleteBucket for the account.
D.Add a bucket policy that denies s3:DeleteBucket for the user.
AnswerC

SCPs can restrict actions even for administrators.

Why this answer

Option D is correct because an SCP can deny the s3:DeleteBucket action at the organizational level, overriding any allow. Option A is wrong because an IAM policy with deny can be overridden if the user has admin privileges (except with explicit deny, but if the user has full admin, they might have permissions to change policy). Option B is wrong because bucket policies cannot prevent IAM users from deleting the bucket if they have s3:DeleteBucket permission.

Option C is wrong because MFA delete only applies to objects, not bucket deletion.

1022
MCQeasy

A company wants to securely store database credentials used by an application running on Amazon EC2. Which AWS service should be used to rotate and manage access to these secrets?

A.AWS Identity and Access Management (IAM)
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.AWS Systems Manager Parameter Store
AnswerC

Secrets Manager is designed to securely store secrets and automatically rotate them, meeting the requirement.

Why this answer

AWS Secrets Manager provides automatic rotation of secrets, while Systems Manager Parameter Store does not offer native rotation. KMS is for encryption keys, not secrets. IAM is for access management, not secret storage.

1023
MCQeasy

A company wants to reduce latency for global users accessing static content stored in Amazon S3. Which AWS service should be used?

A.Amazon Route 53
B.Amazon CloudFront
C.S3 Transfer Acceleration
D.AWS Global Accelerator
AnswerB

CloudFront caches content at edge locations, reducing latency for static content.

Why this answer

Option B is correct because Amazon CloudFront is a CDN that caches content at edge locations to reduce latency. Option A is wrong because Global Accelerator improves TCP/UDP performance but not primarily for static content. Option C is wrong because S3 Transfer Acceleration speeds up uploads to S3.

Option D is wrong because Amazon Route 53 is DNS, not a content delivery service.

1024
MCQeasy

A company has an Application Load Balancer (ALB) that routes traffic to an Auto Scaling group of EC2 instances. The security group for the ALB allows inbound HTTP traffic from 0.0.0.0/0. The EC2 instances have a security group that allows inbound traffic from the ALB's security group. Users report intermittent 503 errors. What is the most likely cause?

A.The EC2 instances are not passing the ALB health checks.
B.The ALB is deployed in a private subnet without a NAT gateway.
C.The target group is configured with an incorrect protocol or port.
D.The security group on the ALB does not allow inbound traffic from the internet.
AnswerA

Healthy instances are required for the ALB to forward traffic; if health checks fail, the instances are marked unhealthy and the ALB returns 503.

Why this answer

The 503 Service Unavailable error from an Application Load Balancer typically indicates that the target instances are not healthy and are not passing the configured health checks. When the ALB's health checks fail, it stops routing traffic to those instances, resulting in 503 errors for users. Since the security group configurations appear correct (ALB allows inbound HTTP from 0.0.0.0/0 and EC2 allows traffic from the ALB's security group), the most likely cause is that the EC2 instances are failing health checks due to application-level issues, such as the web server not responding on the health check path or port.

Exam trap

The trap here is that candidates often focus on security group misconfigurations (like option D) or network connectivity issues (like option B), but the intermittent nature of the 503 error is a key clue pointing to health check failures rather than a permanent configuration mistake.

How to eliminate wrong answers

Option B is wrong because the ALB is an internet-facing load balancer, which requires public subnets with a route to an internet gateway, not a NAT gateway; deploying it in a private subnet without a NAT gateway would cause it to fail to receive traffic from the internet, but the users are already reporting intermittent 503 errors, not a complete lack of connectivity. Option C is wrong because if the target group were configured with an incorrect protocol or port, the health checks would consistently fail and the ALB would not route any traffic to the instances, leading to persistent 503 errors rather than intermittent ones; the intermittent nature suggests the instances are sometimes healthy. Option D is wrong because the security group on the ALB already allows inbound HTTP traffic from 0.0.0.0/0, so inbound traffic from the internet is permitted; this is explicitly stated in the question scenario.

1025
Multi-Selecthard

A company uses AWS CodePipeline with AWS CodeBuild and AWS CodeDeploy. The pipeline is failing because the build stage produces artifacts that are too large for CodeDeploy. Which TWO actions can resolve this issue? (Select TWO.)

Select 2 answers
A.Increase the timeout for the CodeBuild stage.
B.Use Amazon S3 as the source for CodeDeploy instead of the pipeline artifact.
C.Store the artifacts in an AWS CodeCommit repository.
D.Compress the application files before creating the artifact.
E.Increase the maximum artifact size limit in CodeDeploy.
AnswersB, D

S3 can store large files and CodeDeploy can pull from S3.

Why this answer

Options B and D are correct. Option B: Using Amazon S3 as the source for CodeDeploy allows large files to be stored in S3 instead of the artifact. Option D: Compressing the artifact reduces its size.

Option A: Increasing the timeout does not help with size. Option C: CodeDeploy has a fixed artifact size limit. Option E: Storing artifacts in CodeCommit does not reduce size.

1026
MCQmedium

A SysOps Administrator is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance with an AWS Systems Manager Association that installs software. The stack creation fails because the association fails to apply, and the stack rolls back. The administrator needs to ensure that the stack creation succeeds even if the association fails, and then fix the association later. What should the administrator do?

A.Add a 'DependsOn' attribute to the association to ensure it runs after the instance is fully ready.
B.Modify the CloudFormation template to set the AWS::SSM::Association resource's 'ComplianceSeverity' or 'WaitForSuccessTimeout' to a value that allows the stack to continue.
C.Remove the association from the CloudFormation template and apply it manually after stack creation.
D.Set the deletion policy of the association to 'Retain' in the template.
AnswerB

These settings can prevent the association failure from failing the stack.

Why this answer

Option A is correct. Setting the association's failure target to a value that allows the stack to proceed (e.g., 'All') or using 'no error' will prevent the stack from failing. Option B is wrong because the deletion policy does not affect creation.

Option C is wrong because removing the association does not meet the requirement to fix it later. Option D is wrong because adding a depends on does not change the failure behavior.

1027
MCQmedium

Refer to the exhibit. An EC2 instance is running the CloudWatch Logs agent and uses the IAM policy shown. The agent is configured to send logs to the log group 'MyAppLogGroup'. However, logs are not appearing. What is the MOST likely cause?

A.The log group name in the policy does not match the agent configuration.
B.The policy does not allow the 'logs:PutLogEvents' action.
C.The policy is missing permission to create the log group if it does not exist.
D.The Resource ARN incorrectly specifies a wildcard after the log group name.
AnswerC

The agent may need 'logs:CreateLogGroup' permission to create the log group.

Why this answer

Option C is correct because the CloudWatch Logs agent cannot automatically create a log group; it requires explicit permission via the `logs:CreateLogGroup` action in the IAM policy. Without this permission, if the log group 'MyAppLogGroup' does not already exist, the agent will fail to send logs, even though the `logs:PutLogEvents` action is allowed. The policy shown only grants `logs:PutLogEvents` and `logs:DescribeLogStreams`, missing the necessary `logs:CreateLogGroup` and `logs:CreateLogStream` actions for initial setup.

Exam trap

The trap here is that candidates assume `logs:PutLogEvents` alone is sufficient for sending logs, overlooking the fact that the agent must first create the log group and log stream if they do not exist, which requires additional permissions.

How to eliminate wrong answers

Option A is wrong because the log group name in the policy ('MyAppLogGroup') matches the agent configuration, so there is no mismatch. Option B is wrong because the policy explicitly includes the `logs:PutLogEvents` action, so that permission is present. Option D is wrong because the Resource ARN `arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogGroup:*` correctly uses a wildcard after the log group name to match all log streams within that group, which is standard practice.

1028
MCQmedium

A company has multiple AWS accounts and wants to centrally track costs and usage across all accounts. Which AWS service should the SysOps administrator use?

A.AWS Budgets
B.AWS Config
C.AWS Trusted Advisor
D.AWS Organizations
AnswerD

Provides consolidated billing and central cost management.

Why this answer

Option B is correct because AWS Organizations allows you to consolidate billing and get a single bill for all accounts, enabling cost tracking. AWS Budgets and Cost Explorer help analyze costs but require consolidated view. AWS Config tracks configuration, not costs.

Trusted Advisor provides recommendations but not central cost tracking.

1029
MCQeasy

A company wants to provide temporary credentials to an application running on an on-premises server so it can access AWS resources. The credentials must be rotated automatically. Which IAM feature should be used?

A.Use an EC2 instance profile and attach it to the on-premises server.
B.Configure a SAML 2.0 identity provider and federate the application.
C.Create an IAM user with programmatic access and share the access key.
D.Use IAM Roles Anywhere with a certificate authority to issue temporary credentials.
AnswerD

IAM Roles Anywhere provides temporary credentials for on-premises workloads.

Why this answer

Option C is correct because IAM Roles Anywhere allows workloads outside of AWS to assume an IAM role and obtain temporary credentials using X.509 certificates. Option A is wrong because IAM users have long-term credentials. Option B is wrong because instance profiles are for EC2 instances only.

Option D is wrong because federation with SAML is for user identities, not machine identities.

1030
MCQhard

A SysOps administrator is automating the creation of Amazon RDS instances using AWS CloudFormation. The template includes a DBInstance resource with a DBSubnetGroupName property referencing a subnet group created in the same template. The stack creation fails with the error 'DBSubnetGroup not found'. What is the MOST likely reason?

A.The VPC ID is incorrect or does not exist.
B.The DBSubnetGroup is not associated with a public subnet.
C.A DependsOn clause is missing between the DBInstance and the DBSubnetGroup.
D.The DBSubnetGroup is defined in a different CloudFormation stack.
AnswerC

Without DependsOn, CloudFormation may create resources in parallel, causing a dependency error.

Why this answer

Option C is correct because CloudFormation creates resources in parallel by default, and the DBSubnetGroup may not be created before the DBInstance if there is no DependsOn clause. Option A is wrong because subnet groups can be created in the same template. Option B is wrong because the VPC exists.

Option D is wrong because the database subnet group is not required to be public.

1031
MCQhard

A company runs a critical microservices application on Amazon ECS with Fargate launch type. The application consists of several services that communicate via internal HTTP calls. The SysOps Administrator notices that during periods of increased load, some services become unresponsive and the health checks fail. The ECS service auto scaling is configured based on CPU utilization, but it does not scale quickly enough. The administrator needs to improve the reliability and responsiveness of the application. The services are stateless and can be scaled horizontally. The current architecture uses a single Application Load Balancer for each service. The ALB health checks are set to a 30-second interval with a 5-second timeout and 2 unhealthy thresholds. The administrator has observed that when a service instance becomes unhealthy, it takes too long for the ALB to stop sending traffic to it, causing errors. What should the SysOps Administrator do to improve the reliability and responsiveness of the application?

A.Increase the ALB health check interval to 60 seconds and unhealthy threshold to 5.
B.Configure the ALB health check to have a 5-second interval, 2-second timeout, and 2 unhealthy threshold.
C.Increase the ECS service auto scaling target CPU utilization to 90%.
D.Replace the ALB with a Network Load Balancer and use TCP health checks.
AnswerB

Faster health checks detect failures quickly and reduce error rates.

Why this answer

Option A is correct because reducing the health check interval and unhealthy threshold will detect failures faster and stop routing traffic sooner, improving responsiveness. Option B is wrong because increasing the interval and threshold would make detection slower. Option C is wrong because using a Network Load Balancer does not change health check behavior and may not support HTTP health checks.

Option D is wrong because increasing CPU threshold delays scaling, which would worsen the problem.

1032
MCQmedium

A SysOps administrator needs to automatically restart an Amazon RDS DB instance when the 'DatabaseConnections' metric exceeds a threshold of 200 for 5 consecutive minutes. The administrator wants a solution that uses minimal custom code and leverages AWS managed services. Which combination of services should be used?

A.Amazon CloudWatch alarm with an Auto Scaling policy.
B.Amazon CloudWatch alarm with an Amazon Simple Notification Service (SNS) topic that triggers an AWS Lambda function to restart the instance.
C.Amazon CloudWatch alarm with an AWS Systems Manager Automation action.
D.Amazon RDS event subscription that triggers an AWS Lambda function.
AnswerC

Systems Manager Automation has a pre-built runbook 'AWS-RestartRDSInstance' that can be triggered directly from a CloudWatch alarm via the 'Systems Manager Automation' action. No custom code is needed.

Why this answer

Option C is correct because AWS Systems Manager Automation provides a built-in 'AWSSupport-StartRDSInstance' or 'AWSSystemsManager-RestartRDSInstance' runbook that can be triggered directly by a CloudWatch alarm action, requiring no custom code. This leverages a managed service to restart the RDS instance automatically when the 'DatabaseConnections' metric exceeds 200 for 5 consecutive minutes, meeting the minimal custom code requirement.

Exam trap

The trap here is that candidates often assume a Lambda function is always required for custom remediation actions, but AWS Systems Manager Automation provides a no-code alternative for many common operations like restarting RDS instances, which directly meets the 'minimal custom code' constraint.

How to eliminate wrong answers

Option A is wrong because Auto Scaling policies are designed to scale EC2 instances or other Auto Scaling group resources, not to restart RDS instances; they cannot directly trigger a database restart. Option B is wrong because while it uses a Lambda function to restart the instance, it introduces custom code (the Lambda function logic) which violates the 'minimal custom code' requirement. Option D is wrong because RDS event subscriptions are for notification of events like instance creation or failure, not for triggering automated remediation based on CloudWatch metric thresholds; they lack the direct integration with CloudWatch alarms needed for this metric-based condition.

1033
MCQhard

A SysOps administrator manages a fleet of 50 EC2 instances running a batch processing application. The instances are launched via an Auto Scaling group with a dynamic scaling policy based on CPU utilization. The company recently switched to a new workload that is memory-intensive, causing frequent scale-out events. The administrator notices that the CPU utilization remains below 40%, but memory usage is consistently above 80%. The scaling policy does not trigger appropriately, leading to performance degradation. The administrator must optimize the solution to respond to memory pressure without incurring unnecessary costs. Which action should the administrator take?

A.Create a custom CloudWatch metric for memory utilization and configure a target tracking scaling policy using that metric.
B.Increase the minimum size of the Auto Scaling group to 10 instances and use manual scaling for peak times.
C.Change the dynamic scaling policy to a step scaling policy based on CPU utilization with a wider cooldown period.
D.Replace the current instance type with a memory-optimized instance type such as r5.large.
AnswerA

Correct: Custom metrics allow Auto Scaling to respond to memory pressure, optimizing performance and cost.

Why this answer

Option C is correct because creating a custom CloudWatch metric for memory utilization and using a target tracking policy allows Auto Scaling to respond to the actual bottleneck. Option A (changing to step scaling with CPU) does not address memory. Option B (manual scaling) is not automated.

Option D (t3.large) is a reactive instance type change, not a scaling solution.

1034
MCQhard

A company runs a production workload on a fleet of EC2 instances in an Auto Scaling group (ASG). The ASG spans three Availability Zones. To avoid regional failure, the company wants to replicate the infrastructure in a second AWS Region and be able to fail over within 30 minutes. The application state is stored in an RDS MySQL database. What is the MOST cost-effective and reliable solution?

A.Create a cross-Region read replica of the RDS database. In the secondary Region, deploy a duplicate ASG and ALB. In a disaster, promote the read replica to a standalone instance and update Route 53 DNS.
B.Use an Application Load Balancer with cross-Region load balancing to distribute traffic to both Regions.
C.Use RDS Multi-AZ in both Regions and configure synchronous replication between them.
D.Take daily snapshots of the RDS database and copy them to the secondary Region. In the event of a failure, restore the latest snapshot.
AnswerA

Cross-Region read replicas provide near real-time replication and can be promoted in minutes.

Why this answer

RDS cross-Region read replicas can be promoted to a standalone instance in the secondary Region during failover, providing a recovery point objective (RPO) of seconds. Option A is wrong because snapshot restore takes longer than 30 minutes. Option C is wrong because synchronous replication is not possible cross-Region.

Option D is wrong because it does not address the database replication.

1035
MCQeasy

A company wants to receive an email notification when an EC2 instance's status check fails. What AWS service should be used?

A.AWS CloudTrail
B.Amazon CloudWatch Alarm
C.AWS Config
D.AWS Trusted Advisor
AnswerB

CloudWatch Alarms can monitor status check metrics and send SNS notifications.

Why this answer

Amazon CloudWatch Alarms can monitor EC2 instance status checks (both system and instance checks) and trigger an action, such as sending an email via Amazon SNS, when a status check fails. This is the correct service because it directly integrates with EC2 metrics and supports alarm-based notifications for status check failures.

Exam trap

The trap here is that candidates often confuse AWS Config or CloudTrail with monitoring services, but only CloudWatch Alarms can directly monitor EC2 status check metrics and trigger notifications.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and management events, not instance-level health metrics or status checks; it cannot trigger email notifications for status check failures. Option C is wrong because AWS Config evaluates resource configurations against rules and tracks configuration changes, but it does not monitor real-time operational metrics like EC2 status checks or send direct email alerts. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations and checks for cost optimization, security, and fault tolerance, but it does not monitor EC2 status checks or send notifications for status check failures.

1036
MCQmedium

A company uses AWS OpsWorks for configuration management. The SysOps administrator needs to deploy a new application version to existing EC2 instances managed by OpsWorks. Which OpsWorks lifecycle event should the administrator trigger to install the new application?

A.Configure
B.Deploy
C.Shutdown
D.Setup
AnswerB

Deploy is the event for deploying applications.

Why this answer

The 'Deploy' lifecycle event is specifically designed for deploying applications. Option A is wrong because 'Setup' runs only once when the instance boots. Option B is wrong because 'Configure' runs when instances join or leave the stack.

Option D is wrong because 'Shutdown' runs when an instance is terminated.

1037
MCQeasy

A security team applied Network ACL rules to a subnet to allow inbound TCP traffic on port 443 (HTTPS). Users connecting from the internet can initiate connections, but they never receive responses. The NACL is applied to the subnet containing the web servers. What is missing?

A.Add an outbound NACL rule allowing TCP on destination ports 1024–65535 to permit response traffic to clients' ephemeral ports
B.Enable stateful packet inspection on the NACL by toggling the 'track connections' setting in the VPC console
C.Add a security group outbound rule allowing all traffic because NACL rules only apply to inbound traffic
D.Change port 443 to allow both TCP and UDP protocols in the inbound NACL rule
AnswerA

Ephemeral ports are the temporary high-numbered ports clients open for receiving responses. Because NACLs are stateless, return traffic must be explicitly allowed by an outbound rule. The rule 'Allow TCP outbound to 0.0.0.0/0 on ports 1024–65535' covers all client ephemeral port ranges and allows the web server's responses to flow back to the client.

Why this answer

Network ACLs are stateless, meaning they evaluate each packet independently without tracking connection state. While the inbound rule allows HTTPS traffic (TCP 443) to reach the web servers, the outbound response traffic from the servers to the clients' ephemeral ports (typically 1024–65535) is blocked by the default deny-all outbound rule. Adding an outbound NACL rule allowing TCP traffic on destination ports 1024–65535 permits the response traffic to flow back to the clients, resolving the issue.

Exam trap

The trap here is that candidates often confuse stateless NACLs with stateful security groups, assuming that allowing inbound traffic automatically permits outbound responses, when in fact NACLs require explicit outbound rules for return traffic.

How to eliminate wrong answers

Option B is wrong because NACLs are inherently stateless and do not support a 'track connections' setting; stateful packet inspection is a feature of security groups, not NACLs. Option C is wrong because NACL rules apply to both inbound and outbound traffic; adding a security group outbound rule would not affect NACL behavior, and the statement that NACL rules only apply to inbound traffic is factually incorrect. Option D is wrong because HTTPS uses TCP only (port 443), and adding UDP would not fix the missing outbound response rule; the issue is statelessness, not protocol mismatch.

1038
MCQhard

Refer to the exhibit. A VPC Gateway Endpoint for S3 is created and associated with route table rtb-11111111. However, an EC2 instance in a subnet that uses route table rtb-22222222 cannot access S3. What is the most likely cause?

A.The VPC endpoint is not in the 'available' state.
B.The subnet's route table (rtb-22222222) does not have a route to the VPC endpoint.
C.The endpoint policy does not allow the s3:GetObject action.
D.The VPC endpoint is in a different region from the S3 bucket.
AnswerB

Correct because the endpoint is only associated with rtb-11111111.

Why this answer

Option B is correct because the Gateway Endpoint is only associated with rtb-11111111, not rtb-22222222. Option A is wrong because the state is available. Option C is wrong because the policy allows s3:GetObject.

Option D is wrong because S3 is a regional service, but the endpoint is in the correct region.

1039
MCQhard

A SysOps administrator runs the above command for an EC2 instance. The instance is running but the system status check is impaired. What does this indicate?

A.The instance is still running but the application is not responding.
B.The instance is unreachable due to a misconfigured security group.
C.There is a problem with the underlying physical host that requires stopping and starting the instance.
D.The operating system on the instance has crashed.
AnswerC

System status checks detect problems like loss of network connectivity, power loss, or hardware failure on the host.

Why this answer

Option C is correct because a system status check failure indicates a problem with the underlying physical host or AWS systems. Option A is wrong because instance status checks are separate. Option B is wrong because system status checks cover the host, not the OS.

Option D is wrong because the instance status is 'ok', so the OS is reachable.

1040
MCQhard

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. Users report intermittent 502 errors. What is the most likely cause?

A.The CloudFront distribution does not have Cache-Control headers configured.
B.AWS WAF is blocking requests from CloudFront.
C.The ALB is experiencing health check failures or scaling issues.
D.The SSL/TLS certificate on the ALB is expired.
AnswerC

If the ALB returns errors, CloudFront returns 502 Bad Gateway.

Why this answer

Option D is correct because if the ALB is overwhelmed or unhealthy, CloudFront returns 502 errors. Option A is wrong because missing cache headers cause performance issues, not 502 errors. Option B is wrong because SSL/TLS issues cause 4xx errors.

Option C is wrong because WAF blocking would cause 403 errors.

1041
MCQhard

A company uses Amazon CloudFront to distribute content globally. The SysOps administrator notices that the origin load is high and the cache hit ratio is low. What should the administrator do to improve the cache hit ratio and reduce origin load?

A.Change the origin protocol policy to HTTPS only.
B.Add an additional origin server.
C.Enable compression for the content.
D.Increase the minimum, maximum, and default TTL values for the cache behavior.
AnswerD

Longer TTLs improve cache hit ratio.

Why this answer

Option C is correct because increasing the TTL allows objects to be cached for longer, which increases the likelihood of cache hits. Option A is wrong because enabling compression reduces transfer size but does not affect cache hit ratio. Option B is wrong because using a different origin protocol does not change caching behavior.

Option D is wrong because adding more origins does not improve cache hit ratio; it can actually complicate caching.

1042
Multi-Selecthard

A company is using AWS Organizations and wants to delegate administration of a specific member account to a user in the management account. Which TWO steps are required?

Select 2 answers
A.Create an IAM user in the member account with the same name as the management account user.
B.Grant the user in the management account permissions to assume the role in the member account.
C.Enable AWS Single Sign-On (SSO) for the member account.
D.Create a service control policy (SCP) that allows the member account to be administered.
E.Create an IAM role in the member account with a trust policy that allows the management account to assume it.
AnswersB, E

User needs sts:AssumeRole permission.

Why this answer

Correct options: A and D. Option A is correct because you need to create an IAM role in the member account with a trust policy allowing the management account to assume it. Option D is correct because the user must have permissions to assume that role.

Option B is wrong because SCPs do not grant permissions; they restrict. Option C is wrong because AWS SSO is not required; IAM roles suffice. Option E is wrong because the management account already has full access; delegation is about giving specific users access.

1043
MCQeasy

A company hosts a web application on Amazon EC2 instances in two AWS regions: us-east-1 and eu-west-1. The application is behind an Application Load Balancer (ALB) in each region. The SysOps administrator wants to direct users to the region that provides the lowest latency, automatically routing traffic away from a region if it becomes unhealthy. Which Amazon Route 53 routing policy should be used?

A.Geolocation routing
B.Latency routing
C.Weighted routing
D.Failover routing
AnswerB

Latency routing uses measurements of latency between AWS regions and the user to direct traffic to the region with the lowest latency. When health checks are attached to the ALBs, latency routing automatically avoids unhealthy endpoints by excluding them from responses.

Why this answer

Latency routing (B) is correct because it directs users to the region with the lowest network latency based on real-time measurements between the user and the AWS endpoints. When a region becomes unhealthy, Route 53 automatically stops routing traffic to that region's ALB, ensuring failover to the next lowest-latency healthy region. This meets the requirement of both low-latency and automatic health-based rerouting.

Exam trap

The trap here is that candidates often confuse Geolocation routing with Latency routing, assuming geographic proximity equals low latency, but Geolocation routing does not measure actual network performance and lacks automatic health-based rerouting without additional failover records.

How to eliminate wrong answers

Option A (Geolocation routing) is wrong because it routes traffic based on the user's geographic location (e.g., country or continent), not on actual network latency, and it does not automatically reroute traffic away from an unhealthy region unless a failover record is explicitly configured. Option C (Weighted routing) is wrong because it distributes traffic based on assigned weights to multiple records, not on latency or health status; it does not automatically shift traffic away from an unhealthy region. Option D (Failover routing) is wrong because it uses an active-passive model with a primary and secondary record, but it does not consider latency; it only fails over to the secondary when the primary is unhealthy, which does not satisfy the requirement to direct users to the lowest-latency region.

1044
Multi-Selecteasy

A SysOps administrator is troubleshooting an issue where an EC2 instance in a private subnet cannot connect to the internet via a NAT Gateway. Which TWO components must be correctly configured for this to work? (Select TWO.)

Select 2 answers
A.The network ACL for the private subnet must have a rule allowing inbound traffic from the NAT Gateway.
B.The NAT Gateway must be placed in a public subnet with a route to an Internet Gateway.
C.The route table for the private subnet must have a default route (0.0.0.0/0) pointing to the NAT Gateway.
D.The EC2 instance must have a public IP address.
E.The security group for the EC2 instance must allow inbound traffic on port 80.
AnswersB, C

NAT Gateway needs internet access.

Why this answer

The NAT Gateway must reside in a public subnet because it needs a direct route to an Internet Gateway (IGW) to translate private IP addresses to the NAT Gateway's Elastic IP for outbound internet traffic. Without this placement and route, the NAT Gateway cannot forward traffic to the internet, breaking connectivity for instances in private subnets.

Exam trap

The trap here is that candidates often confuse the placement requirement for a NAT Gateway with that of a NAT Instance, thinking a NAT Gateway can be in a private subnet, or they incorrectly assume the private subnet's NACL needs an inbound rule from the NAT Gateway instead of focusing on outbound rules and route tables.

1045
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive user data in an S3 bucket. The security team requires that traffic between the ALB and the EC2 instances be encrypted, and that the EC2 instances only accept traffic from the ALB. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The SysOps administrator needs to implement the required security controls. Which solution should the administrator implement?

A.Use an AWS Global Accelerator to route traffic to the instances and enable encryption.
B.Create a network ACL that allows inbound HTTPS traffic from the ALB subnet and outbound HTTPS responses. Use AWS Certificate Manager to install a certificate on the instances.
C.Enable S3 VPC endpoint and configure the ALB to forward traffic to the instance via the endpoint.
D.Configure the target group to use HTTPS protocol, install a TLS certificate on the EC2 instances, and update the security group on the instances to allow inbound traffic only from the ALB's security group.
AnswerD

This ensures encryption and restricts traffic source.

Why this answer

Option A is correct because using HTTPS on the target group and a security group that allows traffic only from the ALB's security group encrypts traffic and restricts access. Option B is wrong because a network ACL is stateless and not the best for this; also, encrypting with ACM on instances is complex. Option C is wrong because a Load Balancer cannot be used as a source in a security group rule.

Option D is wrong because using a VPC endpoint for S3 does not encrypt traffic between ALB and instances.

1046
MCQeasy

A company runs a development Amazon EC2 instance that is only used during business hours (9 AM to 5 PM). The SysOps administrator wants to reduce compute costs. Which action should be taken?

A.Use On-Demand instances
B.Use a Reserved Instance
C.Schedule the instance to automatically stop during off-hours and start before business hours
D.Use a Spot instance
AnswerC

This directly reduces costs by paying only for the hours the instance is running, aligning with the usage pattern.

Why this answer

Option C is correct because the instance is only needed during business hours (9 AM to 5 PM), so automatically stopping it during off-hours and starting it before business hours eliminates compute charges for idle time. Stopped instances incur no EC2 instance running costs (only storage and EBS volume costs), directly reducing the compute bill. AWS Instance Scheduler or a simple cron-based Lambda function can enforce this schedule reliably.

Exam trap

The trap here is that candidates often confuse cost reduction strategies and choose Reserved Instances (Option B) for any recurring workload, failing to recognize that a development instance with limited daily usage does not justify a long-term commitment and that stopping the instance when idle is the most direct way to eliminate compute costs.

How to eliminate wrong answers

Option A is wrong because On-Demand instances are already the default and do not reduce costs; they are the most expensive pricing model for predictable workloads. Option B is wrong because Reserved Instances require a 1- or 3-year commitment and are designed for steady-state, always-on usage, not for a development instance that is only used 8 hours a day. Option D is wrong because Spot instances can be terminated by AWS with only a 2-minute warning, making them unsuitable for a development instance that must be available during business hours without interruption.

1047
Matchingmedium

Match each AWS service to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Monitoring and observability

API activity logging

Resource compliance and configuration tracking

Best practice recommendations

Operational management and automation

Why these pairings

These are core AWS management and governance services.

1048
MCQmedium

An application uses an Amazon DynamoDB table with on-demand capacity. The SysOps administrator needs to ensure the table remains available during an AWS regional outage. Which strategy should be used?

A.Enable DynamoDB Accelerator (DAX).
B.Create a read replica in another region.
C.Use DynamoDB global tables.
D.Increase read and write capacity units.
AnswerC

Correct. Global tables replicate data across multiple AWS Regions and provide automatic failover for high availability.

Why this answer

DynamoDB global tables provide multi-region, multi-active replication, ensuring the table remains available during an AWS regional outage by automatically replicating data across selected AWS Regions. This is the only option that addresses regional fault tolerance by design, as it uses DynamoDB's built-in replication to maintain availability and data durability across regions.

Exam trap

The trap here is that candidates often confuse read replicas (an RDS concept) with DynamoDB's global tables, or assume that DAX or scaling capacity can provide regional resilience, when in fact only global tables offer multi-region active-active replication for DynamoDB.

How to eliminate wrong answers

Option A is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read performance but operates within a single region and does not provide any cross-region availability or disaster recovery. Option B is wrong because DynamoDB does not support read replicas in the traditional RDS sense; the correct multi-region replication feature is global tables, not read replicas. Option D is wrong because increasing read and write capacity units (even with on-demand scaling) only affects performance within a single region and cannot protect against a regional outage.

1049
Multi-Selecthard

Which THREE steps are required to enable AWS CloudTrail log file integrity validation? (Choose three.)

Select 3 answers
A.Enable CloudTrail to log management events and data events for all resources.
B.Ensure that the S3 bucket for CloudTrail logs has the appropriate bucket policy to allow CloudTrail to write digest files.
C.Create a customer-managed KMS key to encrypt the digest files.
D.Create a new CloudTrail trail or update an existing one to enable log file integrity validation.
E.Configure CloudTrail to deliver logs to CloudWatch Logs for real-time analysis.
AnswersA, B, D

The trail must be logging events to generate digest files.

Why this answer

Option A is correct because enabling CloudTrail to log management events and data events for all resources is a prerequisite for log file integrity validation. The integrity validation process relies on digest files that contain hashes of the log files, and these digest files are only generated for trails that capture events. Without logging events, there are no log files to validate, making this step essential for the integrity validation feature to function.

Exam trap

The trap here is that candidates often confuse encryption (KMS) with integrity validation (hashing), assuming that enabling encryption is a required step for integrity, when in fact CloudTrail handles digest file signing and hashing independently of any KMS encryption settings.

1050
MCQeasy

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The application is deployed across multiple Availability Zones. The SysOps administrator wants to ensure that the application remains available even if an entire Availability Zone fails. What is the MOST effective way to achieve this?

A.Configure the Auto Scaling group to launch instances in at least two Availability Zones.
B.Create a CloudWatch alarm to reboot instances when they become unhealthy.
C.Use a single Availability Zone to reduce complexity.
D.Use a larger instance type to handle more traffic.
AnswerA

Distributing instances across AZs provides fault tolerance.

Why this answer

Configuring the Auto Scaling group to use multiple Availability Zones ensures that instances are distributed, so failure of one AZ does not affect all instances. Option A is wrong because it does not provide redundancy. Option B is wrong because it does not automatically recover.

Option D is wrong because a single AZ does not protect against AZ failure.

Page 13

Page 14 of 21

Page 15