AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 10511125

1546 questions total · 21pages · All types, answers revealed

Page 14

Page 15 of 21

Page 16
1051
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to a fleet of Amazon EC2 instances. The SysOps administrator needs to implement a deployment strategy that ensures zero downtime by creating a new set of instances alongside the current ones, then gradually shifting traffic to the new instances after they pass health checks. If a problem is detected, traffic can be instantly redirected back to the original instances. Which deployment configuration should the administrator use?

A.Rolling update
B.Blue/green deployment
C.All at once deployment
D.Canary deployment
AnswerB

Blue/green deployments involve provisioning a new set of instances, testing them, and then switching traffic at the load balancer or DNS level. This provides zero downtime and instant rollback if the new environment fails.

Why this answer

Blue/green deployment is the correct choice because it creates a completely new set of instances (green environment) alongside the existing ones (blue environment), shifts traffic gradually to the new instances after health checks pass, and allows instant rollback by redirecting traffic back to the original instances. AWS CodeDeploy supports this strategy natively with a blue/green deployment configuration, ensuring zero downtime during the transition.

Exam trap

The trap here is that candidates often confuse canary deployments with blue/green deployments, but canary deployments do not create a full parallel environment and lack the instant, full-traffic rollback capability that blue/green provides.

How to eliminate wrong answers

Option A is wrong because a rolling update replaces instances incrementally, which can cause temporary capacity reduction and does not guarantee zero downtime or instant rollback to the original fleet. Option C is wrong because an all-at-once deployment updates all instances simultaneously, causing downtime during the deployment and no ability to instantly redirect traffic back. Option D is wrong because a canary deployment shifts a small percentage of traffic to new instances gradually, but it does not create a full parallel environment for instant rollback; it typically requires manual or automated traffic shifting and may not provide the same instant rollback capability as blue/green.

1052
MCQhard

A company has an application running on Amazon EC2 instances behind an Application Load Balancer (ALB). The application logs show intermittent 503 errors. The ALB access logs show that the errors occur when the target response time exceeds 30 seconds. Which configuration change should the SysOps administrator make to reduce the number of 503 errors without affecting the application's behavior?

A.Increase the deregistration delay on the target group
B.Increase the idle timeout setting on the ALB
C.Enable cross-zone load balancing on the ALB
D.Decrease the health check interval on the target group
AnswerB

ALB idle timeout is the maximum time the load balancer waits for a response. Increasing it allows longer-running requests to complete.

Why this answer

The 503 errors occur when the target response time exceeds 30 seconds, which matches the default idle timeout of the Application Load Balancer. By increasing the idle timeout setting on the ALB to a value higher than the application's maximum expected response time (e.g., 60 or 120 seconds), the ALB will wait longer before closing the connection, preventing premature 503 errors while the backend is still processing the request.

Exam trap

The trap here is that candidates often confuse the ALB idle timeout with the target group deregistration delay or health check settings, mistakenly thinking that adjusting health checks or deregistration will fix timeout-related 503 errors, when the root cause is the ALB's connection timeout parameter.

How to eliminate wrong answers

Option A is wrong because increasing the deregistration delay on the target group controls how long the ALB waits before sending new connections to a deregistering target, which does not address the 30-second response timeout causing 503 errors. Option C is wrong because enabling cross-zone load balancing distributes traffic evenly across all targets in all Availability Zones, which improves load distribution but does not affect the ALB's idle timeout or prevent 503 errors from slow responses. Option D is wrong because decreasing the health check interval on the target group makes health checks more frequent, which can detect unhealthy targets faster but does not change the ALB's connection timeout behavior that is causing the 503 errors.

1053
Multi-Selecteasy

Which TWO AWS services can be used to monitor the performance of an Amazon RDS database and set alarms based on metrics?

Select 2 answers
A.AWS Lambda
B.Amazon RDS Performance Insights
C.Amazon S3
D.Amazon CloudWatch
E.AWS CloudTrail
AnswersB, D

Performance Insights provides database performance metrics and can trigger alarms via CloudWatch.

Why this answer

Amazon CloudWatch (Option D) is the primary monitoring service for AWS resources, including Amazon RDS. It collects metrics like CPU utilization, database connections, and read/write latency, and allows you to set CloudWatch Alarms that trigger actions (e.g., SNS notifications) when thresholds are breached. Amazon RDS Performance Insights (Option B) provides deeper database performance analysis by visualizing database load and identifying bottlenecks, and it can also publish metrics to CloudWatch for alarm purposes.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (audit logging) with CloudWatch (monitoring), or think Lambda can be used for monitoring when it is actually a compute trigger, not a monitoring service.

1054
Multi-Selecteasy

Which TWO options are best practices for automating deployments using AWS CodeDeploy? (Choose two.)

Select 2 answers
A.Use a single deployment group for all environments
B.Use a blue/green deployment strategy
C.Deploy to all instances simultaneously
D.Configure automatic rollback in case of deployment failure
E.Require manual approval for every deployment
AnswersB, D

Blue/green reduces downtime and risk.

Why this answer

Options B and C are correct. Option A is incorrect because automated rollback is better. Option D is incorrect because large batch size increases risk.

Option E is incorrect because manual approval is not a best practice for automation.

1055
Multi-Selecthard

A company uses AWS CloudFormation to manage infrastructure. The SysOps administrator wants to update a stack that contains an Amazon RDS DB instance. The update involves changing the DB instance class. Which THREE steps should the administrator take to perform this update with minimal downtime? (Choose three.)

Select 3 answers
A.Modify the RDS instance class directly in the RDS console and then update the CloudFormation template.
B.Update the CloudFormation stack with a new parameter value for the DB instance class.
C.Delete the existing stack and create a new one with the updated instance class.
D.Take a manual snapshot of the RDS instance before making changes.
E.Enable Multi-AZ on the RDS instance to allow a rolling upgrade.
AnswersB, D, E

Correct: Updating the stack applies the change in a controlled manner.

Why this answer

The correct answers are B, C, and E. Using a snapshot ensures data is backed up (B). Modifying the DB instance class with Multi-AZ enabled allows a rolling update (C).

Updating the CloudFormation stack with the new instance class triggers the change (E). Option A is wrong because deleting the stack is not necessary. Option D is wrong because modifying the DB instance directly outside CloudFormation may cause drift.

1056
MCQeasy

A company is using AWS OpsWorks for configuration management. They have a stack with multiple layers, and they want to automate the deployment of a custom configuration file to all instances in a specific layer. What is the MOST efficient way to achieve this?

A.Define the file in an AWS CloudFormation template using the AWS::OpsWorks::App resource.
B.Create a custom cookbook and assign it to the layer.
C.Use AWS Systems Manager Run Command to execute a script on each instance.
D.Add the configuration file as user data in the layer's Auto Scaling group.
AnswerB

Custom cookbooks can deploy files via recipes.

Why this answer

Option B is correct because OpsWorks custom cookbooks allow you to run recipes that can deploy files to instances in a layer. Option A is incorrect because user data scripts run at boot time, not on demand. Option C is incorrect because AWS Systems Manager Run Command can execute commands but is not specific to OpsWorks layers.

Option D is incorrect because the AWS::OpsWorks::App resource is for deploying applications, not configuration files.

1057
Multi-Selectmedium

A company runs a web application on EC2 instances in an Auto Scaling group behind an ALB. The application uses an RDS MySQL database. The SysOps administrator needs to improve the reliability of the database layer. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A.Enable Multi-AZ on the RDS instance.
B.Take a manual snapshot every hour.
C.Create a read replica in a different Region.
D.Configure automated backups with a retention period of 30 days.
E.Increase the DB instance class to the largest available.
AnswersA, D

Multi-AZ provides automatic failover to a standby in another AZ.

Why this answer

Multi-AZ provides automatic failover, and automated backups enable point-in-time recovery. Read replicas improve read performance but not high availability. Manual snapshots are not sufficient for automatic recovery.

Larger instance class improves performance, not reliability.

1058
MCQeasy

A company has an on-premises data center connected to an AWS VPC via an AWS Direct Connect connection. The company's SysOps administrator wants to ensure that traffic from the VPC destined for the on-premises network uses the Direct Connect connection instead of the internet. Which configuration should be used?

A.Add a route in the VPC route table pointing to the on-premises network via a virtual private gateway (VGW)
B.Add a route in the VPC route table pointing to the on-premises network via a NAT gateway
C.Add a route in the VPC route table pointing to the on-premises network via an internet gateway
D.Add a route in the VPC route table pointing to the on-premises network via a VPC peering connection
AnswerA

The VGW is attached to the VPC and is the entry/exit point for Direct Connect. By adding a route with the on-premises destination and the VGW as the target, traffic is forced through the Direct Connect connection.

Why this answer

Option A is correct because a virtual private gateway (VGW) is the AWS-side endpoint for an AWS Direct Connect connection when using a private virtual interface. By adding a route in the VPC route table that points the on-premises network CIDR to the VGW, all traffic destined for the on-premises network is forced over the Direct Connect link, bypassing the internet. This ensures private, low-latency, and consistent connectivity as required.

Exam trap

The trap here is that candidates often confuse the VGW with a NAT gateway or internet gateway, mistakenly thinking any gateway can route to on-premises, when only the VGW is designed for private connectivity via Direct Connect or VPN.

How to eliminate wrong answers

Option B is wrong because a NAT gateway is used to enable outbound internet traffic from private subnets, not to route traffic to an on-premises network over Direct Connect; it would send traffic to the internet, not the on-premises network. Option C is wrong because an internet gateway is designed for internet-bound traffic; routing on-premises traffic via an IGW would send it over the public internet, defeating the purpose of using Direct Connect. Option D is wrong because a VPC peering connection allows routing between two VPCs, not between a VPC and an on-premises network; it cannot be used to reach on-premises resources.

1059
MCQmedium

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB) across three Availability Zones. The application stores session data in memory on the EC2 instances. During a deployment, a new version of the application is released by terminating and replacing instances. Users report that they are unexpectedly logged out during the deployment. What should a SysOps administrator do to improve the reliability of the application during deployments?

A.Reduce the deployment to a single Availability Zone to minimize instance churn.
B.Store session data in an RDS Multi-AZ database.
C.Enable sticky sessions (session affinity) on the ALB.
D.Use an ElastiCache cluster to store session state externally.
AnswerD

Externalizing session state to ElastiCache ensures sessions survive instance replacements.

Why this answer

Using an ElastiCache cluster for session state decouples session data from EC2 instances, so instance replacements do not cause session loss. Option A is wrong because sticky sessions still lose sessions when instances are terminated. Option C is wrong because RDS is not designed for transient session data.

Option D is wrong because it reduces reliability by removing AZs.

1060
MCQmedium

A company uses an Application Load Balancer (ALB) to distribute traffic to an Auto Scaling group of EC2 instances. Users report intermittent 503 errors. The SysOps Administrator checks the ALB metrics and sees that the Sum of HTTP 503s correlates with spikes in CPU utilization on the EC2 instances. What is the MOST likely cause and solution?

A.Disable cross-zone load balancing on the ALB.
B.Configure the Auto Scaling group to scale out based on average CPU utilization and ensure sufficient capacity.
C.Increase the deregistration delay on the ALB target group to allow in-flight requests to complete.
D.Decrease the health check interval to detect unhealthy instances faster.
AnswerB

Scaling out based on CPU utilization adds more instances to handle the load, reducing CPU spikes and preventing 503 errors.

Why this answer

Option C is correct because high CPU utilization on instances can cause them to become unhealthy, leading the ALB to stop sending traffic and returning 503 errors. Option A is wrong because cross-zone load balancing distributes traffic evenly across all zones; disabling it could worsen the issue. Option B is wrong because decreasing the health check interval would make the ALB check more frequently, potentially marking instances unhealthy faster.

Option D is wrong because increasing the deregistration delay only affects instances being deregistered, not the current issue.

1061
MCQeasy

A sysadmin needs to block specific IP addresses from accessing an Application Load Balancer. Which approach is MOST efficient?

A.Modify the security group for the ALB to deny traffic from those IPs.
B.Add a route in the VPC route table to drop traffic from those IPs.
C.Create an AWS WAF web ACL with IP set rules and associate it with the ALB.
D.Update the network ACL for the ALB subnets.
AnswerC

WAF provides IP blocking at the ALB level efficiently.

Why this answer

Option B is correct because AWS WAF can be associated with an ALB to filter traffic based on IP addresses. Option A is wrong because NACLs are stateless and not as efficient for ALB. Option C is wrong because security groups cannot block specific IPs.

Option D is wrong because route tables don't filter traffic.

1062
MCQmedium

A company has a VPN connection between its on-premises network and AWS VPC. The VPN tunnel shows status as UP, but traffic is not flowing from on-premises to the VPC. Which configuration should be checked?

A.The IKE versions on the customer gateway and virtual private gateway match.
B.The route tables in the VPC have routes pointing to the virtual private gateway for the on-premises CIDR.
C.The customer gateway device is configured to forward traffic to the VPC.
D.The security groups allow inbound traffic from the on-premises network.
AnswerB

Without proper routes, the VPC does not know to send traffic for on-premises through the VPN.

Why this answer

Option B is correct because the route tables in the VPC must have routes pointing to the virtual private gateway for the on-premises network. Without them, traffic from the VPC to on-premises will not be routed. Option A is wrong because the tunnel state is UP, indicating Phase 1 and Phase 2 are fine.

Option C is wrong because the customer gateway device must have correct routing, but the question is about VPC side. Option D is wrong because security groups control traffic to/from instances, but if routing is missing, traffic won't reach the VPN.

1063
Multi-Selecthard

A SysOps administrator is designing a highly available architecture for a web application using an Application Load Balancer and an Auto Scaling group across three Availability Zones. The application must be able to withstand the loss of an entire AZ. Which THREE components are necessary to meet this requirement? (Choose THREE.)

Select 3 answers
A.Use a single NAT gateway to provide internet access.
B.Launch EC2 instances in at least two Availability Zones.
C.Configure health checks on the ALB target group.
D.Use a cluster placement group for EC2 instances.
E.Enable cross-zone load balancing on the ALB.
AnswersB, C, E

Multi-AZ deployment is essential for AZ failure tolerance.

Why this answer

Options A, C, and E are correct. Option A: Multi-AZ deployment ensures instances are in multiple AZs. Option C: Cross-zone load balancing ensures ALB can route to instances in any AZ.

Option E: Health checks ensure only healthy instances receive traffic. Option B is wrong because a single NAT gateway in one AZ is a single point of failure. Option D is wrong because placement groups are for low latency within a single AZ, not high availability across AZs.

1064
Multi-Selecthard

A SysOps administrator needs to ensure that an Amazon RDS for MySQL database is compliant with PCI DSS requirements. Which THREE configurations should be implemented?

Select 3 answers
A.Enable Multi-AZ deployment for high availability.
B.Require SSL/TLS connections to the database.
C.Configure automated backups with a retention period of 30 days.
D.Enable RDS audit logging to capture database activities.
E.Enable encryption at rest using AWS KMS.
AnswersB, D, E

PCI DSS requires encryption of cardholder data in transit.

Why this answer

Options A, C, and E are correct. Encryption at rest (RDS encryption), encryption in transit (SSL/TLS), and logging (audit logs) are PCI DSS requirements. Option B is wrong because Multi-AZ is for high availability, not security.

Option D is wrong because automated backups are for data recovery, not security.

1065
Multi-Selectmedium

A company runs a stateless web application on EC2 instances behind an Application Load Balancer. The company wants to improve the application's availability and fault tolerance. Which TWO actions should the SysOps administrator take?

Select 2 answers
A.Configure Auto Scaling to maintain a minimum number of instances.
B.Use Amazon CloudFront as an origin for the ALB.
C.Deploy EC2 instances across multiple Availability Zones.
D.Disable termination protection on EC2 instances.
E.Use larger EC2 instance types.
AnswersA, C

Auto Scaling ensures capacity.

Why this answer

Options B and C are correct. Multi-AZ deployment ensures availability if one AZ fails, and Auto Scaling maintains desired capacity. Option A is wrong because larger instances do not improve fault tolerance.

Option D is wrong because CloudFront is for content delivery, not compute fault tolerance. Option E is wrong because stopping termination protection does not improve availability.

1066
MCQhard

A SysOps administrator notices that the monthly bill for Amazon RDS is higher than expected. The environment includes multiple DB instances with low CPU and memory utilization. Which action will most effectively reduce costs while maintaining performance?

A.Enable Multi-AZ deployment for high availability
B.Resize the DB instances to a smaller instance class
C.Delete unused RDS snapshots
D.Provisioned IOPS (io1) storage for better performance
AnswerB

Matches capacity to actual usage, reducing cost.

Why this answer

Option D is correct because Rightsizing instances down to a smaller instance class can reduce costs when utilization is low. Option A may increase costs by adding read replicas. Option B may improve performance but at higher cost.

Option C reduces storage cost but doesn't address compute waste.

1067
Multi-Selecthard

A SysOps administrator is troubleshooting a slow deployment with AWS CloudFormation. The stack update is taking a long time because it is waiting for a resource to be created. Which TWO CloudFormation features can help speed up the deployment?

Select 2 answers
A.Remove DependsOn clauses to allow parallel resource creation.
B.Set the '--disable-rollback' flag.
C.Use nested stacks to create resources in parallel.
D.Increase the timeout on the WaitCondition.
E.Use a CreationPolicy with a shorter timeout.
AnswersC, E

Nested stacks can create independent resources concurrently.

Why this answer

CreationPolicy with a short timeout can reduce waiting time for signals. WaitCondition can be used with a timeout. '--disable-rollback' does not speed up deployment. Nested stacks can parallelize resource creation.

DependsOn is required for dependencies but does not speed up; it can actually increase time if not needed.

1068
Multi-Selectmedium

A company uses Amazon CloudWatch to monitor its AWS infrastructure. The operations team wants to receive notifications when any EC2 instance's status check fails. Which TWO steps should be taken to achieve this?

Select 2 answers
A.Create a CloudWatch alarm on the CPUUtilization metric with a threshold of 90%.
B.Configure the alarm to send a notification to an Amazon SNS topic.
C.Enable AWS CloudTrail to capture instance state changes.
D.Install the CloudWatch agent on the instance and publish custom memory metrics.
E.Create a CloudWatch alarm on the StatusCheckFailed (or StatusCheckFailed_Instance) metric with a threshold of greater than 0.
AnswersB, E

SNS delivers notifications via email, SMS, etc.

Why this answer

Option B is correct because Amazon CloudWatch alarms can be configured to send notifications to an Amazon SNS topic when the alarm state changes. This allows the operations team to receive immediate notifications (e.g., via email, SMS, or HTTP) when an EC2 instance's status check fails. Option E is also correct because the StatusCheckFailed metric (or StatusCheckFailed_Instance) directly reflects the result of the EC2 status check; setting an alarm with a threshold of greater than 0 triggers when any status check fails.

Exam trap

The trap here is that candidates may confuse CloudWatch metrics like CPUUtilization or custom metrics with the built-in StatusCheckFailed metric, or think that CloudTrail can be used for real-time monitoring and alerting, when in fact it is designed for auditing API activity, not for instance health checks.

1069
MCQhard

A SysOps administrator is reviewing AWS Cost Explorer and notices that data transfer costs from EC2 to the internet are high. The EC2 instances are in a VPC with a NAT Gateway in a public subnet. The route table for private subnets sends 0.0.0.0/0 traffic to the NAT Gateway. The application serves content to users over the internet. Which change will LEAST impact application performance while reducing costs?

A.Replace the NAT Gateway with a smaller NAT Gateway to reduce hourly charges.
B.Use an egress-only Internet Gateway for the private subnets.
C.Implement a VPC Gateway Endpoint for Amazon S3 to keep S3 traffic within AWS.
D.Purchase a Dedicated NAT Gateway in the same region to get lower data processing rates.
AnswerD

Dedicated NAT Gateway offers lower per-GB data processing fees, reducing costs without performance impact.

Why this answer

The correct answer is C. Purchasing a Dedicated NAT Gateway in the same region does not reduce costs; the NAT Gateway itself incurs costs. Option A is wrong because reducing NAT Gateway size limits throughput and may impact performance.

Option B is wrong because an egress-only Internet Gateway is for IPv6 only. Option D is wrong because using a VPC Gateway Endpoint for S3 reduces costs for S3 traffic but not general internet traffic.

1070
MCQmedium

A company has two VPCs in the same AWS account and Region: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). The SysOps administrator needs to establish connectivity between these VPCs so that resources in VPC-A can reach resources in VPC-B using private IP addresses. The solution must be highly available and not involve a third-party appliance. Which solution should the administrator implement?

A.Create an AWS Transit Gateway and attach both VPCs to it. Configure route tables to allow communication.
B.Create a VPC Peering connection between VPC-A and VPC-B. Update the route tables in each VPC to add routes to the other VPC's CIDR.
C.Attach an internet gateway to each VPC and use Amazon Route 53 to resolve private DNS names over the internet.
D.Set up a site-to-site VPN connection between the two VPCs using AWS Virtual Private Gateway.
AnswerB

VPC Peering provides direct, private connectivity between two VPCs. It is highly available by nature and supports cross-account connections. Route tables must be updated to enable traffic flow.

Why this answer

Option B is correct because VPC Peering provides direct, private IP connectivity between two VPCs using the AWS global network, with no bandwidth bottleneck or single point of failure. By creating a peering connection and adding routes to the other VPC's CIDR in each VPC's route table, resources can communicate privately and the solution is highly available as the peering connection itself is redundant within AWS's infrastructure. No third-party appliance is required, and the setup is fully managed by AWS.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing Transit Gateway (Option A) for high availability, forgetting that VPC Peering is inherently highly available within a region and is the simplest, most cost-effective option for connecting just two VPCs.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway, while capable of connecting multiple VPCs, introduces an additional cost and complexity that is unnecessary for a simple two-VPC scenario, and it is not the simplest highly available solution without a third-party appliance. Option C is wrong because attaching internet gateways and using Route 53 to resolve private DNS names over the internet would expose traffic to the public internet, violating the requirement to use private IP addresses and introducing security risks and potential availability issues. Option D is wrong because a site-to-site VPN connection requires a Virtual Private Gateway and a Customer Gateway, which adds complexity and potential single points of failure, and it is not the most straightforward highly available solution for VPC-to-VPC connectivity within the same region and account.

1071
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application stores session data locally on each instance. During a traffic spike, the Auto Scaling group launches new instances, but users report that they are logged out and lose session data. Which solution addresses this issue without modifying the application?

A.Modify the application to use ElastiCache for session storage.
B.Enable sticky sessions (session affinity) on the Application Load Balancer.
C.Increase the cooldown period for the Auto Scaling group.
D.Use larger EC2 instance types to handle the traffic spike.
AnswerB

Sticky sessions route users to the same instance, maintaining session data during scaling.

Why this answer

Option D is correct because enabling sticky sessions on the ALB ensures that users are routed to the same instance, preserving session data even as instances are added or removed. Option A is wrong because increasing the cooldown period does not preserve sessions during scaling. Option B is wrong, while it offloads state to ElastiCache, it requires application changes.

Option C is wrong because a larger instance size reduces scaling frequency but does not prevent session loss when instances are terminated.

1072
MCQhard

A SysOps administrator notices that traffic from an Application Load Balancer to EC2 instances is failing intermittently. Security groups for the instances allow traffic from the ALB security group on port 80. The ALB target group health checks are failing. What is the most likely cause?

A.The network ACL for the instance's subnet is blocking inbound traffic from the ALB's subnet.
B.The instance security group does not allow outbound traffic to the ALB.
C.The ALB security group does not allow outbound traffic to the instances.
D.The ALB is in a public subnet without an internet gateway.
AnswerA

Network ACLs are stateless; if they deny inbound health check traffic from the ALB subnet, health checks will fail.

Why this answer

Option C is correct because ALB health checks originate from the ALB's private IP addresses within the VPC, not from the internet or the ALB's public IP. If the subnet's network ACL does not allow inbound traffic from the ALB's subnet CIDR, health checks will fail. Option A is incorrect because security groups are stateful; return traffic is allowed automatically.

Option B is incorrect because the ALB can communicate within the VPC without an internet gateway. Option D is incorrect because the ALB uses its own security group, not the instance's.

1073
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS database. The company wants to ensure that database credentials are not hard-coded in the application code. Which approach should be used?

A.Pass the credentials via EC2 user data when the instance launches.
B.Store the credentials in a configuration file in the application source code.
C.Use Elastic Beanstalk environment properties to pass the credentials, referencing them from AWS Secrets Manager.
D.Store the credentials in an S3 bucket and retrieve them at runtime.
AnswerC

Secrets Manager securely stores and rotates credentials; environment properties can reference them.

Why this answer

Option D is correct because Elastic Beanstalk can pass environment properties to the application, and these can be stored securely using AWS Systems Manager Parameter Store or Secrets Manager. Option A is wrong because storing in the source code is not secure. Option B is wrong because storing in S3 requires access management and is not best practice.

Option C is wrong because EC2 user data is not encrypted and is visible in the console.

1074
MCQmedium

A company uses Amazon CloudFront to deliver video content to users worldwide. The content is stored in an S3 bucket. The SysOps administrator notices that users in some geographic regions experience high latency when loading the video. The administrator wants to improve the performance for these users without changing the existing infrastructure. The CloudFront distribution is configured with the default cache behavior. What is the MOST cost-effective solution to reduce latency for users in those regions?

A.Increase the cache TTL for the content.
B.Change the CloudFront distribution's price class to include all edge locations.
C.Add additional S3 buckets in different regions and configure multiple origins.
D.Use multiple CloudFront distributions for different geographic regions.
AnswerB

Using all edge locations reduces latency.

Why this answer

Option A is correct. CloudFront's Price Class All uses all edge locations, reducing latency for users worldwide. If the distribution is currently using a limited price class, changing to Price Class All improves performance.

Option B is wrong because adding more origins does not reduce latency. Option C is wrong because multiple distributions increase complexity and cost. Option D is wrong because increasing TTL does not reduce latency for initial requests.

1075
MCQeasy

A SysOps administrator is deploying a new version of an application using AWS CodeDeploy. The deployment to an Auto Scaling group fails, and the instances are rolled back. What is the most likely reason for the failure?

A.The instances are in a private subnet without a NAT gateway.
B.The instances do not have internet access.
C.The IAM instance profile does not have permission to download the revision from S3.
D.The application's health check is failing on the target group.
AnswerC

CodeDeploy agent on the instance needs s3:GetObject permission for the revision bucket.

Why this answer

The correct answer is B because CodeDeploy requires the IAM instance profile to have permissions to read from the S3 bucket where the revision is stored. Option A is incorrect because CodeDeploy agent does not need internet access if using VPC endpoints. Option C is incorrect because the application's load balancer health check is separate.

Option D is incorrect because CodeDeploy does not require the instance to be in a public subnet.

1076
MCQmedium

A company is using AWS CodeDeploy to automate deployments to an Auto Scaling group of Amazon EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The instances are running Amazon Linux 2 and the CodeDeploy agent is installed. Which of the following is the MOST likely cause of this failure?

A.The CodeDeploy agent requires ruby and wget, which are not installed by default on Amazon Linux 2.
B.The S3 bucket containing the deployment artifacts has a bucket policy that denies access to the instances.
C.The deployment configuration is set to 'OneAtATime', causing insufficient healthy instances during the first deployment.
D.The Auto Scaling group has a minimum of 0 instances, so the deployment cannot start.
AnswerA

Why A is correct

Why this answer

Option A is correct because the CodeDeploy agent needs the ruby and wget packages to function correctly on Amazon Linux 2. Without them, the agent may fail to download or execute the deployment scripts, causing instance failures. Option B is incorrect because S3 bucket policies do not affect CodeDeploy agent functionality directly; the agent uses HTTPS to download revision files.

Option C is incorrect because the deployment configuration controls how many instances can fail, but does not cause individual instance failures. Option D is incorrect because the deployment group can be configured with any number of instances; the error is not due to group size but individual instance failures.

1077
MCQeasy

A SysOps administrator needs to deploy a microservices application using AWS Elastic Beanstalk. The application consists of multiple services that need to communicate with each other. Which Elastic Beanstalk environment type should the administrator choose?

A.Worker environment
B.Web server environment
C.Load-balanced environment
D.Single-instance environment
AnswerC

Load-balanced environment provides an ELB for distributing traffic and allows services to communicate.

Why this answer

A load-balanced environment provides an ELB for distributing traffic and is suitable for microservices that need to communicate via HTTP/HTTPS. Option C is correct. Option A is wrong because a single-instance environment does not provide load balancing.

Option B is wrong because a web server environment is for web applications, but the question is about environment type (single vs load-balanced). Option D is wrong because worker environments are for background tasks.

1078
MCQhard

A company has an Amazon RDS for PostgreSQL DB instance with Multi-AZ deployment in us-east-1. The SysOps administrator must design a disaster recovery strategy to recover from a regional outage. The Recovery Time Objective (RTO) is 1 hour and the Recovery Point Objective (RPO) is 5 minutes. Which solution meets these requirements at the lowest cost?

A.Create a Read Replica in a different region and promote it during a disaster.
B.Take daily snapshots and copy them to another region.
C.Use cross-region automated backups.
D.Deploy a second Multi-AZ DB instance in another region.
AnswerA

A cross-region Read Replica provides low replication lag (often <5 minutes) and can be promoted quickly, meeting both RTO and RPO at a lower cost than a full standby instance.

Why this answer

A cross-region Read Replica meets the RPO of 5 minutes because replication is continuous (asynchronous) with minimal lag, and the RTO of 1 hour is achievable by promoting the replica during a disaster. This is the lowest-cost option because it uses a single standby instance in another region without the overhead of a full Multi-AZ deployment or frequent snapshot transfers.

Exam trap

The trap here is that candidates confuse 'cross-region automated backups' (which do not exist as a native feature) with automated snapshot copying, or assume that daily snapshots can meet a 5-minute RPO by increasing snapshot frequency, ignoring the fundamental limitation of snapshot scheduling and transfer time.

How to eliminate wrong answers

Option B is wrong because daily snapshots cannot achieve an RPO of 5 minutes (snapshots are taken at most every 24 hours, and copying to another region adds latency). Option C is wrong because cross-region automated backups are not a native RDS feature; automated backups are region-specific and cannot be automatically copied to another region without manual or scripted snapshot copy operations. Option D is wrong because deploying a second Multi-AZ DB instance in another region incurs the cost of a full primary and standby pair, which is significantly more expensive than a single Read Replica, and does not provide a faster RTO/RPO than a promoted Read Replica.

1079
MCQeasy

An organization wants to allow an on-premises data center to access an Amazon RDS database in a VPC. Which AWS service should be used to establish a dedicated, private, and high-bandwidth connection?

A.AWS Direct Connect
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.VPC Peering
AnswerA

Direct Connect is a dedicated private network connection.

Why this answer

Option A (AWS Direct Connect) is correct because it provides a dedicated private connection from on-premises to AWS. Option B (VPN) is encrypted but over the internet, not dedicated. Option C (VPC Peering) is between VPCs.

Option D (Transit Gateway) connects multiple VPCs and on-premises, but Direct Connect is the dedicated connection service.

1080
MCQmedium

Refer to the exhibit. A SysOps administrator runs this CloudWatch Logs Insights query against an application log group. The query returns no results, even though the administrator knows that errors occurred in the last hour. What is the most likely cause?

A.The 'stats' command requires a 'by' clause with a field name, but 'bin(5m)' is invalid.
B.The log group contains too many log events, causing the query to time out.
C.The @message field is not a valid field in CloudWatch Logs Insights.
D.The log group's retention policy is set to 1 day and the data is older than the retention period.
AnswerD

Data outside retention is not queryable.

Why this answer

Option D is correct because CloudWatch Logs Insights queries only return results from log events that are still present in the log group. If the log group's retention policy is set to 1 day, any data older than that retention period is automatically deleted. The administrator knows errors occurred in the last hour, but if the query is incorrectly scoped to a time range that includes data beyond the retention period, or if the errors were logged exactly at the boundary and have since been purged, the query will return no results.

This is the most likely cause given that the query syntax appears valid and the administrator confirms errors exist.

Exam trap

The trap here is that candidates often assume a query returns no results due to syntax errors or data volume issues, overlooking the fact that the log data may have been deleted by a short retention policy, which is a subtle but critical operational detail in AWS monitoring.

How to eliminate wrong answers

Option A is wrong because the 'stats' command in CloudWatch Logs Insights does not require a 'by' clause; 'bin(5m)' is a valid function that groups timestamps into 5-minute intervals, so the syntax is correct. Option B is wrong because CloudWatch Logs Insights queries have a 10,000-event limit per query, but they do not time out due to too many log events; instead, they return partial results or a message indicating the limit was reached. Option C is wrong because @message is a reserved field in CloudWatch Logs Insights that contains the raw log event text, and it is always available for querying.

1081
MCQeasy

A company has two Amazon VPCs in the same AWS Region with non-overlapping CIDR blocks. The SysOps administrator needs to establish private connectivity between the two VPCs with high throughput and minimal cost. Which solution should the administrator implement?

A.AWS Transit Gateway
B.VPC peering
C.AWS Direct Connect
D.AWS VPN CloudHub
AnswerB

Simple, low cost, high throughput private connectivity for two VPCs.

Why this answer

VPC peering is the correct solution because it establishes private connectivity between two VPCs in the same AWS Region using the AWS backbone network, with no bandwidth limits and no single point of failure. It incurs no additional cost beyond data transfer charges, making it the most cost-effective option for high-throughput connectivity between two VPCs with non-overlapping CIDR blocks.

Exam trap

The trap here is that candidates often choose AWS Transit Gateway because they assume it is required for any multi-VPC connectivity, but VPC peering is simpler and cheaper for connecting exactly two VPCs with non-overlapping CIDRs.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that connects multiple VPCs and on-premises networks, which introduces additional hourly charges and is overkill for connecting only two VPCs. Option C is wrong because AWS Direct Connect is a dedicated physical connection from on-premises to AWS, not designed for VPC-to-VPC connectivity, and it incurs significant monthly port fees. Option D is wrong because AWS VPN CloudHub connects multiple VPN sites to a single virtual private gateway, but it requires VPN tunnels and is not optimized for high-throughput VPC-to-VPC connectivity within the same Region.

1082
Multi-Selecthard

A company runs a web application on EC2 instances behind an Application Load Balancer. The instances are in an Auto Scaling group. The SysOps administrator wants to ensure that the application can handle a sudden increase in traffic without downtime. Which THREE actions should be taken?

Select 3 answers
A.Configure the Auto Scaling group to launch instances in multiple Availability Zones.
B.Configure a target tracking scaling policy based on the ALB's RequestCountPerTarget metric.
C.Configure the Auto Scaling group with a dynamic scaling policy.
D.Configure a scheduled scaling policy to add instances during known peak hours.
E.Use Spot Instances to reduce costs.
AnswersA, B, C

Correct: Multiple AZs provide high availability and fault tolerance.

Why this answer

Options B, C, and E are correct. Configuring the Auto Scaling group with a dynamic scaling policy (Option B) allows it to scale based on demand. Placing instances in multiple Availability Zones (Option C) provides high availability.

Configuring a target tracking scaling policy based on ALB RequestCountPerTarget (Option E) ensures the group scales based on traffic. Option A (scheduled scaling) is not reactive. Option D (spot instances) can be interrupted, causing potential downtime.

1083
Multi-Selecthard

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires a custom Amazon Linux 2 AMI with specific security agents installed. The company wants to ensure that all environment instances use this custom AMI. Which combination of steps should be taken? (Choose two.)

Select 2 answers
A.Set the AMI ID in a CloudFormation template and associate it with the environment.
B.Use AWS CodeDeploy to deploy the application to the custom AMI.
C.Create a custom AMI using the Elastic Beanstalk platform as the base.
D.Configure the .ebextensions folder to set the AMI ID for the Auto Scaling launch configuration.
E.Use Packer to create the custom AMI from any base image.
AnswersC, D

This ensures compatibility with the platform.

Why this answer

Option A and D are correct. A custom AMI must be created and used in a launch template or configuration. The .ebextensions folder can configure the platform to use the custom AMI via the aws:autoscaling:launchconfiguration namespace.

Option B is wrong because Packer can be used to create the AMI, but it is not a required step. Option C is wrong because the AMI must be built from the base Elastic Beanstalk platform to ensure compatibility. Option E is wrong because the AMI ID is set in the environment configuration, not in a CloudFormation template.

1084
MCQmedium

An application logs user authentication attempts to Amazon CloudWatch Logs. The SysOps administrator needs to create a custom metric that counts the number of failed authentication attempts every 5 minutes and trigger an alarm when the count exceeds 5. Which combination of actions should the administrator take?

A.Use the PutMetricData API in the application to publish the number of failed attempts as a custom metric, then create an alarm.
B.Create a metric filter on the log group for the string 'FAILED_AUTH', set the metric value to 1, then create an alarm on the resulting metric.
C.Use AWS CloudTrail to track authentication events and create a metric filter on the CloudTrail log group.
D.Use Amazon Athena to query the logs every 5 minutes and publish results to a CloudWatch metric.
AnswerB

A metric filter counts occurrences of a pattern in log events and publishes a metric that can be alarmed on, without requiring application changes.

Why this answer

Option B is correct because CloudWatch Logs metric filters allow you to extract a numeric value from log events and publish it as a custom metric. By creating a filter that matches the string 'FAILED_AUTH' and setting the metric value to 1, each failed attempt increments the metric. You can then set the metric's period to 5 minutes and create an alarm that triggers when the sum exceeds 5, meeting the requirement without modifying the application code.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs AWS API calls) with application-level logging, leading them to choose Option C, or they assume the application must be modified to publish metrics (Option A), missing the serverless metric filter approach.

How to eliminate wrong answers

Option A is wrong because it requires modifying the application to call the PutMetricData API, which adds complexity and couples the application to CloudWatch, whereas the requirement can be met without application changes using a metric filter. Option C is wrong because CloudTrail logs management events, not application-level authentication logs; it tracks API calls to AWS services, not user authentication attempts within an application. Option D is wrong because Amazon Athena is an interactive query service for analyzing data in S3, not a real-time or scheduled metric publisher; it cannot automatically publish results to CloudWatch every 5 minutes without custom orchestration, and it introduces unnecessary latency and cost.

1085
MCQmedium

A SysOps administrator is designing a disaster recovery strategy for a critical application that runs on EC2 instances. The application data is stored on EBS volumes. The recovery point objective (RPO) is 15 minutes, and the recovery time objective (RTO) is 1 hour. Which solution meets these requirements MOST cost-effectively?

A.Use AWS CloudEndure to continuously replicate the EC2 instances to another Region.
B.Use AWS Backup to back up the application data to Amazon S3 every 15 minutes.
C.Take hourly AMIs of the instances and copy them to another Region.
D.Take EBS snapshots every 15 minutes and copy them to another Region using cross-region snapshot copy.
AnswerD

Meets RPO of 15 minutes and RTO of 1 hour cost-effectively.

Why this answer

Option D is correct because EBS snapshots can be taken every 15 minutes (or via Data Lifecycle Manager) and restored quickly to new volumes in another region. Option A is wrong because cross-region replication of EC2 instances is more expensive and complex. Option B is wrong because AMIs do not capture data changes frequently enough.

Option C is wrong because S3 is not suitable for live application data.

1086
MCQeasy

A company needs to deploy a new version of an application to an Auto Scaling group. The deployment must ensure that the new version is deployed to all instances, and if any instance fails, the deployment should roll back. Which deployment strategy should be used?

A.Blue/green deployment
B.Rolling deployment with rollback
C.All-at-once deployment
D.Canary deployment
AnswerB

Rolling deployment updates instances in batches; rollback reverts changes if failures occur.

Why this answer

Option D is correct because CodeDeploy's rolling deployment with rollback allows gradual replacement and automatic rollback on failure. Option A is wrong because all-at-once would replace all instances at once, risking full outage. Option B is wrong because canary is for Lambda.

Option C is wrong because blue/green is for full environment swap.

1087
MCQmedium

A company is running a stateful web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent errors. The SysOps admin notices that the ALB's healthy host count is fluctuating. The admin wants to improve the health check configuration to reduce false positives. Which configuration change is most likely to help?

A.Increase the unhealthy threshold count
B.Reduce the health check interval
C.Increase the health check interval
D.Lower the healthy threshold count
AnswerC

A longer interval gives the application more time to recover from transient issues.

Why this answer

Increasing the health check interval reduces the frequency of health checks, which helps prevent transient issues (e.g., brief CPU spikes or network jitter) from causing false positives. With a longer interval, the ALB waits longer between checks, giving the instance more time to recover before being marked unhealthy. This stabilizes the healthy host count and reduces unnecessary instance replacement.

Exam trap

The trap here is that candidates often assume reducing the interval (more frequent checks) improves accuracy, but in reality it increases sensitivity to transient issues, causing more false positives and fluctuating health status.

How to eliminate wrong answers

Option A is wrong because increasing the unhealthy threshold count would make the ALB require more consecutive failed checks before marking an instance unhealthy, which can delay detection of truly unhealthy instances and does not address the root cause of false positives from frequent checks. Option B is wrong because reducing the health check interval increases the frequency of checks, which amplifies the impact of transient issues and makes false positives more likely, worsening the fluctuating healthy host count. Option D is wrong because lowering the healthy threshold count makes it easier for an instance to be marked healthy after fewer successful checks, which can mask underlying instability and does not prevent false positives caused by frequent checks.

1088
MCQmedium

A SysOps administrator needs to analyze application logs stored in Amazon CloudWatch Logs to find specific error patterns across multiple log groups. The administrator wants to run queries to filter and parse the logs. Which feature should the administrator use?

A.CloudWatch Logs subscriptions
B.CloudWatch Logs Insights
C.CloudWatch Metric Filters
D.CloudWatch Contributor Insights
AnswerB

Correct. CloudWatch Logs Insights enables you to query your logs using a SQL-like syntax, filter results, and visualize findings across multiple log groups.

Why this answer

CloudWatch Logs Insights is the correct feature because it enables you to interactively search and analyze log data stored in CloudWatch Logs using a purpose-built query language. It allows you to run queries across multiple log groups, filter, parse, and aggregate logs to identify specific error patterns, making it ideal for ad-hoc log analysis and troubleshooting.

Exam trap

The trap here is that candidates often confuse CloudWatch Metric Filters (which can filter logs for metric extraction) with the interactive querying capability of CloudWatch Logs Insights, but Metric Filters cannot parse or analyze log content across multiple log groups in a query-like manner.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs subscriptions are used to stream log data in real-time to other services like Lambda, Kinesis, or Elasticsearch for processing or storage, not for running interactive queries to filter and parse logs. Option C is wrong because CloudWatch Metric Filters extract metric data from logs to create CloudWatch metrics and trigger alarms, but they do not support running queries to parse and analyze log content for error patterns across multiple log groups. Option D is wrong because CloudWatch Contributor Insights analyzes time-series data to identify top contributors and understand traffic patterns, but it is not designed for querying and parsing raw log messages to find specific error patterns.

1089
MCQmedium

A SysOps administrator is troubleshooting an issue where an Auto Scaling group is not launching EC2 instances despite having a scaling policy that should trigger when CPU utilization exceeds 80%. The CloudWatch alarm shows that the metric is breaching the threshold, but no instances are launched. What is the most likely cause?

A.The scaling policy is incorrectly configured to use a simple scaling policy instead of a step scaling policy.
B.The health check grace period is too long.
C.The Auto Scaling group has reached its maximum size.
D.The CloudWatch alarm is in insufficient data state.
AnswerC

Max size prevents scaling out.

Why this answer

Option A is correct because if the Auto Scaling group has reached its maximum size, it cannot launch new instances. Option B is wrong because the alarm is breaching, so it's not in insufficient data. Option C is wrong because health check grace period affects instance health, not launching.

Option D is wrong because if the policy is properly configured and alarm triggers, instances should launch unless max size is reached.

1090
MCQeasy

A company needs to retain API call logs for 7 years for compliance. Which AWS service should be used to store these logs?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon VPC Flow Logs
AnswerA

CloudTrail records API activity and can deliver logs to S3 for long-term retention.

Why this answer

AWS CloudTrail is the correct service because it records API activity across your AWS infrastructure and can be configured to store logs in an S3 bucket with lifecycle policies that retain data for 7 years. CloudTrail is specifically designed for auditing and compliance, capturing management and data plane API calls, and supports long-term retention via S3 object locking or lifecycle rules.

Exam trap

The trap here is that candidates confuse CloudTrail (API auditing) with CloudWatch Logs (operational logs) or Config (configuration history), but only CloudTrail captures the specific API call logs required for compliance retention.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it tracks resource configuration changes and compliance over time, not API call logs; it stores configuration history, not API activity. Option C (Amazon CloudWatch Logs) is wrong because it is intended for real-time monitoring and operational logging from applications and services, with a default retention of indefinite but not optimized for 7-year compliance archiving; it lacks native long-term retention controls like S3 lifecycle policies. Option D (Amazon VPC Flow Logs) is wrong because it captures IP traffic metadata (source/destination IPs, ports, protocols) for network analysis, not API call logs; it is not designed for auditing API-level actions.

1091
MCQhard

A company manages multiple AWS accounts under AWS Organizations. The security team requires that all Amazon S3 buckets in the organization must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect any bucket that is not compliant and remediate it by enabling SSE-KMS. Which AWS feature or service should be used to implement this automated compliance enforcement?

A.AWS Config with the s3-bucket-server-side-encryption-enabled managed rule and automatic remediation using an AWS Systems Manager Automation document.
B.AWS CloudTrail to log bucket creation events and trigger an AWS Lambda function that applies SSE-KMS.
C.Amazon Inspector to scan S3 buckets for encryption compliance and automatically apply SSE-KMS.
D.AWS Trusted Advisor to check S3 bucket encryption and send notifications but not auto-remediate.
AnswerA

Correct. AWS Config evaluates compliance, and automatic remediation can apply a Systems Manager Automation document that enables SSE-KMS on the bucket.

Why this answer

AWS Config's `s3-bucket-server-side-encryption-enabled` managed rule can evaluate S3 buckets for encryption compliance. When a non-compliant bucket is detected, AWS Config can trigger automatic remediation via an AWS Systems Manager Automation document that applies SSE-KMS encryption to the bucket. This provides a fully automated, policy-driven enforcement mechanism without manual intervention.

Exam trap

The trap here is that candidates may confuse AWS Config's evaluation and remediation capabilities with CloudTrail's logging or Trusted Advisor's advisory-only checks, failing to recognize that only AWS Config provides native automated remediation through Systems Manager Automation documents.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail logs API calls but does not evaluate compliance or trigger remediation directly; while you could build a custom solution using Lambda, it is not a native automated compliance enforcement feature. Option C is wrong because Amazon Inspector is designed for vulnerability management and network assessments of EC2 instances and containers, not for S3 bucket encryption compliance. Option D is wrong because AWS Trusted Advisor can check encryption settings and send notifications, but it cannot automatically remediate non-compliant resources.

1092
MCQeasy

A company uses AWS Elastic Beanstalk for application deployments. The administrator needs to update the environment's configuration to use a larger instance type. Which method should be used to minimize downtime?

A.Terminate all instances and let the Auto Scaling group launch new ones.
B.Perform an immutable update.
C.Clone the environment with the new configuration and swap URLs.
D.Perform a rolling update based on health.
AnswerD

Rolling updates replace instances in batches, minimizing downtime.

Why this answer

Option B is correct because a rolling update replaces instances in batches, minimizing downtime. Option A is wrong because an immutable update launches new instances in a separate Auto Scaling group and swaps them, which can be faster but may cause brief downtime. Option C is wrong because terminating all instances causes downtime.

Option D is wrong because environment cloning creates a separate environment, not an update.

1093
Multi-Selectmedium

A company wants to receive real-time notifications when specific API calls are made in their AWS account. Which TWO services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.AWS CloudTrail
B.AWS Config
C.AWS Lambda
D.Amazon CloudWatch Logs
E.Amazon CloudWatch Events
AnswersA, E

CloudTrail delivers API call logs.

Why this answer

AWS CloudTrail captures all API calls made in the AWS account and can deliver those events to CloudWatch Logs. Amazon CloudWatch Events (now part of Amazon EventBridge) can then process those log entries in real time using event rules that match specific API calls, triggering a target such as an SNS notification or Lambda function. This combination provides real-time notification without polling or custom code.

Exam trap

The trap here is that candidates often pick AWS Lambda alone, thinking it can directly monitor API calls, but Lambda requires a triggering event source such as CloudWatch Events or S3, not raw CloudTrail logs.

1094
Multi-Selectmedium

A company wants to optimize costs for its Amazon EC2 instances. Which TWO strategies are effective for reducing costs?

Select 2 answers
A.Use Spot Instances for fault-tolerant workloads.
B.Rightsize instances based on utilization metrics.
C.Increase the provisioned IOPS for EBS volumes.
D.Use EBS General Purpose SSD (gp2) volumes instead of gp3.
E.Use Dedicated Hosts to meet compliance requirements.
AnswersA, B

Spot Instances offer substantial discounts.

Why this answer

Using Spot Instances for fault-tolerant workloads can reduce costs significantly (up to 90%). Rightsizing instances ensures you are not paying for unused capacity. Dedicated Hosts increase costs.

Increasing provisioned IOPS increases costs. Using EBS General Purpose SSD (gp3) is cost-effective but not a primary cost reduction strategy.

1095
MCQmedium

A SysOps Administrator attached the IAM policy shown in the exhibit to a user. The user is unable to terminate an EC2 instance. What is the MOST likely reason?

A.The policy does not include ec2:TerminateInstances in the Allow statement.
B.The policy does not specify the correct resource ARN.
C.The policy does not allow ec2:* actions.
D.An explicit Deny statement overrides the Allow statement.
AnswerD

Explicit Deny always overrides Allow.

Why this answer

Option C is correct. The Deny statement explicitly denies the ec2:TerminateInstances action, and an explicit Deny overrides any Allow. Option A is wrong because the policy allows ec2:* but the Deny takes precedence.

Option B is wrong because ec2:* includes all ec2 actions. Option D is wrong because the policy allows all ec2 actions; the Deny is the cause.

1096
Multi-Selecteasy

A SysOps administrator is tasked with automating the provisioning of EC2 instances that must be able to access an Amazon S3 bucket. The administrator needs to ensure that the instances have the necessary permissions without using long-term access keys. Which TWO actions should the administrator take? (Choose TWO.)

Select 2 answers
A.Store AWS access keys in a configuration file on the instances.
B.Attach the IAM role to the EC2 instances using an instance profile.
C.Create an S3 bucket policy that allows access from the instances' private IP addresses.
D.Create an IAM role that grants the necessary S3 permissions.
E.Store the access keys in AWS Systems Manager Parameter Store.
AnswersB, D

Why E is correct

Why this answer

Options A and E are correct. The best practice is to create an IAM role with S3 access (A) and assign it to the EC2 instances via an instance profile (E). Option B is incorrect because storing access keys in a file is insecure.

Option C is incorrect because S3 bucket policies control access at the bucket level, not directly for EC2 instances. Option D is incorrect because storing keys in Systems Manager Parameter Store is better than hardcoding, but an IAM role is still the preferred approach.

1097
MCQmedium

A company has an AWS Lambda function that processes S3 events. The function is critical and must be available even if one Availability Zone fails. How can a SysOps administrator ensure high availability for the Lambda function?

A.Use an Application Load Balancer to distribute events to multiple Lambda functions.
B.No action is required; Lambda functions are inherently highly available within a region.
C.Configure the Lambda function to run in two subnets in different Availability Zones.
D.Deploy the Lambda function in two separate regions and use Route 53 failover.
AnswerB

Lambda runs across multiple AZs automatically.

Why this answer

Option D is correct because AWS Lambda automatically runs across multiple Availability Zones in a region; no additional configuration is needed. Option A is wrong because Lambda is inherently multi-AZ. Option B is wrong because Lambda functions are not tied to AZs.

Option C is wrong because the Lambda service itself handles availability.

1098
MCQmedium

A company runs a critical database on an Amazon RDS for MySQL DB instance. The SysOps administrator needs to ensure that the database can survive a single Availability Zone failure with minimal downtime. Which configuration should the administrator implement?

A.Enable automatic backups.
B.Deploy a read replica in a different AZ.
C.Enable Multi-AZ deployment.
D.Take a manual snapshot and copy it to another AZ.
AnswerC

Correct. Multi-AZ provides a synchronous standby in another AZ and automatic failover, minimizing downtime during an AZ failure.

Why this answer

Multi-AZ deployment for Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. If the primary AZ fails, Amazon RDS automatically fails over to the standby, typically within 60–120 seconds, minimizing downtime without manual intervention. This meets the requirement for surviving a single AZ failure with minimal downtime.

Exam trap

The trap here is that candidates often confuse read replicas (which require manual promotion and are for read scaling) with Multi-AZ (which provides automatic failover for high availability), leading them to select Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because automatic backups only provide point-in-time recovery to restore data to a new instance, not automatic failover or high availability during an AZ failure. Option B is wrong because a read replica in a different AZ is designed for read scaling and can be promoted to a primary, but promotion is a manual process that takes time and does not provide automatic failover with minimal downtime. Option D is wrong because taking a manual snapshot and copying it to another AZ requires manual restoration steps, which results in significant downtime and does not provide automatic failover.

1099
MCQeasy

A company runs a mix of Amazon EC2 instances and AWS Fargate tasks that are used for both production and development workloads. The usage is steady and predictable. The SysOps administrator wants to maximize cost savings across both compute services without having to manage specific instances or sizes. Which purchasing option should the administrator recommend?

A.Purchase Compute Savings Plans for a 1-year or 3-year term with a commitment that covers the expected compute spend.
B.Purchase EC2 Instance Savings Plans for the most commonly used instance family and region.
C.Purchase Standard Reserved Instances for the EC2 instances and convert Fargate tasks to use Spot Instances.
D.Use On-Demand instances for both EC2 and Fargate because the administrator does not want to make a commitment.
AnswerA

Compute Savings Plans apply to EC2, Fargate, and Lambda usage, regardless of instance size, family, OS, or region (within the plan's scope). This provides maximum flexibility and significant discounts.

Why this answer

Compute Savings Plans offer the most flexibility, automatically applying to EC2 instances (regardless of instance family, size, or region) and Fargate tasks. Since the company has a mix of both services and wants to maximize savings without managing specific instances or sizes, a 1-year or 3-term Compute Savings Plan with a commitment matching expected spend provides up to 66% savings while covering all compute usage. This aligns with the steady and predictable workload described.

Exam trap

AWS often tests the distinction between Compute Savings Plans and EC2 Instance Savings Plans, where candidates mistakenly choose the latter thinking it covers all EC2 usage, but fail to recognize that Compute Savings Plans also include Fargate and Lambda, making them the only option for a mixed compute environment.

How to eliminate wrong answers

Option B is wrong because EC2 Instance Savings Plans are restricted to a specific instance family within a region, which does not cover Fargate tasks and would not provide the cross-service flexibility needed for the mixed workload. Option C is wrong because Standard Reserved Instances apply only to EC2 instances and require a specific instance family and size commitment, while converting Fargate tasks to Spot Instances introduces interruption risk and does not guarantee cost savings for steady workloads. Option D is wrong because On-Demand pricing offers no discount, and the administrator explicitly wants to maximize cost savings, which requires a commitment-based purchasing option.

1100
MCQhard

A company runs a stateful application on a single Amazon EC2 instance with a 200 GB EBS volume. The application data changes frequently. The SysOps administrator needs a disaster recovery (DR) plan with a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 15 minutes. The DR region is us-west-2. Which combination of steps should the administrator implement?

A.Take hourly EBS snapshots and copy them to us-west-2. In a disaster, launch a new instance from the snapshot and attach it.
B.Use Amazon Data Lifecycle Manager (DLM) to take snapshots every hour and use AWS Backup to copy them to us-west-2. In a disaster, restore the snapshot as a volume and attach to a new instance in us-west-2.
C.Enable Amazon S3 Cross-Region Replication for the EBS volume's snapshot repository.
D.Attach an additional EBS volume configured with RAID 1, and use rsync to replicate data every hour to a volume in us-west-2.
AnswerB

DLM automates hourly snapshot creation, and AWS Backup can automate cross-region copy. This meets RPO of 1 hour. With a pre-prepared instance, RTO of 15 minutes is achievable.

Why this answer

Option B is correct because AWS Backup can copy EBS snapshots across regions, meeting the RPO of 1 hour via hourly snapshots, and restoring a volume from a snapshot in us-west-2 and attaching it to a new instance can achieve the RTO of 15 minutes. Amazon Data Lifecycle Manager (DLM) automates the snapshot creation, while AWS Backup handles cross-region copy, ensuring the DR region has the latest data within the RPO window.

Exam trap

The trap here is that candidates may assume EBS snapshots can be directly replicated across regions using S3 Cross-Region Replication, but snapshots are managed through EC2 and require explicit cross-region copy actions via AWS Backup or the EC2 API.

How to eliminate wrong answers

Option A is wrong because while hourly EBS snapshots can be taken and copied to us-west-2, the process of copying snapshots manually or via scripting is not automated and reliable for meeting the RPO/RTO as described; AWS Backup provides managed cross-region copy with lifecycle policies, which is more robust. Option C is wrong because Amazon S3 Cross-Region Replication applies to S3 buckets, not to EBS snapshots; EBS snapshots are stored in S3 but are managed via the EC2 snapshot API, and S3 replication cannot be directly enabled for the snapshot repository. Option D is wrong because using rsync to replicate data every hour to a volume in us-west-2 would require a separate EC2 instance in the DR region to receive the data, and RAID 1 on the source instance does not provide cross-region replication; this approach also introduces complexity and potential latency that may not meet the 15-minute RTO.

1101
MCQmedium

A company uses AWS CloudFormation to deploy a multi-tier application. The template uses nested stacks. One of the nested stacks creates an Auto Scaling group. The administrator wants to update the Auto Scaling group's launch configuration to use a new AMI ID. The AMI ID is stored in AWS Systems Manager Parameter Store. The administrator wants to ensure that the stack update automatically uses the latest AMI ID value from Parameter Store. What should the administrator do?

A.Use a CloudFormation dynamic reference to the parameter store in the template.
B.Use a CloudFormation mapping to map the AMI ID.
C.Use a custom resource to call Systems Manager to retrieve the AMI ID.
D.Use a CloudFormation parameter with a default value that matches the AMI ID.
AnswerA

Correct. The {{resolve:ssm:...}} syntax fetches the latest parameter value during stack operations, automatically including the updated AMI ID.

Why this answer

Option A is correct because CloudFormation dynamic references for Systems Manager Parameter Store (using the `{{resolve:ssm:/parameter-name}}` syntax) automatically resolve the latest parameter value at stack creation or update time. This ensures that the launch configuration always uses the current AMI ID from Parameter Store without manual intervention or hardcoding.

Exam trap

The trap here is that candidates may think a CloudFormation parameter with a default value or a mapping can achieve dynamic updates, but both are static unless manually changed, whereas dynamic references automatically pull the latest value from Parameter Store during stack operations.

How to eliminate wrong answers

Option B is wrong because CloudFormation mappings are static key-value pairs defined in the template; they do not dynamically fetch values from external services like Parameter Store at update time. Option C is wrong because a custom resource would require additional Lambda function code and complexity, and it is unnecessary when CloudFormation natively supports dynamic references to Parameter Store. Option D is wrong because a CloudFormation parameter with a default value is static; it does not automatically update when the underlying AMI ID in Parameter Store changes, and the user would need to manually provide a new value during each stack update.

1102
Multi-Selectmedium

A company wants to reduce costs for a production Amazon RDS for MySQL DB instance that is running 24/7 but only heavily used during business hours (9 AM to 5 PM). Which TWO actions would be MOST effective in optimizing costs without significantly impacting performance during peak hours?

Select 2 answers
A.Enable Multi-AZ deployment for high availability.
B.Purchase Reserved Instances for the DB instance.
C.Migrate from Provisioned IOPS (io1) storage to General Purpose (gp3) storage.
D.Use AWS Application Auto Scaling to schedule scale-down of the instance size outside business hours.
E.Enable Auto Scaling for the DB instance.
AnswersB, D

Reserved Instances offer a significant discount over On-Demand for steady-state usage.

Why this answer

Option A (Multi-AZ) increases cost and is not needed for cost optimization. Option B (reserved instances) provides a discount for consistent usage. Option C (auto scaling) is not applicable to RDS without additional services like Aurora Auto Scaling.

Option D (scheduled scaling) can reduce instance size during off-peak hours, saving cost. Option E (gp3 storage) can be more cost-effective than provisioned IOPS for many workloads. Correct answers: B and D.

1103
MCQmedium

A SysOps administrator is troubleshooting an issue where an Amazon EC2 instance running Amazon Linux 2 is not sending logs to CloudWatch Logs. The CloudWatch agent is installed and configured. Which step should the administrator take FIRST to diagnose the issue?

A.Reinstall the CloudWatch agent from the AWS Systems Manager.
B.Update the IAM role attached to the instance to include CloudWatch Logs permissions.
C.Verify the EC2 instance status in the AWS Management Console.
D.Check the CloudWatch agent status and review its log files on the instance.
AnswerD

The agent logs often contain error messages about configuration or connectivity.

Why this answer

The CloudWatch agent is already installed and configured, so the first step is to check its operational status and review its own log files (typically in /var/log/aws/amazon-cloudwatch-agent/). This directly reveals whether the agent is running, encountering configuration errors, or failing to connect to the CloudWatch Logs service endpoint, without making unnecessary changes.

Exam trap

The trap here is that candidates assume the IAM role is the most common cause of log delivery failure and jump to updating it, but the question specifies the agent is already installed and configured, so the first logical step is to check the agent's own logs to confirm the exact error before making any changes.

How to eliminate wrong answers

Option A is wrong because reinstalling the agent from Systems Manager is a disruptive step that should only be taken after verifying the agent is not functioning due to corruption or misconfiguration, not as a first diagnostic step. Option B is wrong because updating the IAM role is a valid fix if permissions are missing, but the question states the agent is installed and configured; checking the agent's logs first will confirm whether the issue is permission-related (e.g., an AccessDeniedException) before modifying the role. Option C is wrong because verifying the EC2 instance status in the console only confirms the instance is running and reachable, but does not provide any insight into the CloudWatch agent's internal state or log delivery failures.

1104
MCQeasy

A SysOps administrator is designing a backup strategy for an Amazon EFS file system. The file system stores critical data that must be recoverable within 15 minutes of a failure. Which solution meets these requirements?

A.Use AWS Backup to create automated backups of the EFS file system and restore to a new file system if needed.
B.Configure EFS lifecycle management to move files to Infrequent Access storage class.
C.Take periodic EBS snapshots of the EC2 instance that mounts the EFS volume.
D.Create a Lambda function that copies files to an S3 bucket every hour.
AnswerA

AWS Backup supports EFS and allows quick restore.

Why this answer

Option A is correct because EFS-to-EFS replication using AWS Backup allows point-in-time recovery and meets the 15-minute RTO. Option B is wrong because lifecycle policies do not create backups. Option C is wrong because Lambda functions must be custom-built.

Option D is wrong because EBS snapshots cannot be used for EFS directly.

1105
MCQmedium

A SysOps administrator uses AWS Systems Manager Run Command to install software on a fleet of EC2 instances. The command fails on some instances with the error 'Instance ID not found'. What is the MOST likely cause?

A.The user data script has overridden the SSM Agent.
B.The instances are not tagged with the correct key-value pair.
C.The SSM Agent is not installed or configured on the instances, or the instances lack the required IAM role.
D.The instances are in a stopped state.
AnswerC

Without SSM Agent and proper IAM role, the instance is not registered with Systems Manager.

Why this answer

Option D is correct because Run Command requires the SSM Agent to be installed and running, and the instance must have an IAM role that allows communication with Systems Manager. Option A is wrong because the command can target instances by tags. Option B is wrong because the SSM Agent is separate from the user data script.

Option C is wrong because the instances are likely running.

1106
Multi-Selecthard

A company uses AWS KMS to encrypt EBS volumes. Which TWO statements about using KMS with EBS are correct? (Choose two.)

Select 2 answers
A.You can import key material for EBS encryption
B.AWS managed KMS keys are automatically rotated each year
C.EBS can use either customer managed or AWS managed KMS keys
D.EBS supports asymmetric KMS keys
E.You must specify a KMS key when creating a snapshot
AnswersB, C

AWS managed keys are rotated annually.

Why this answer

EBS can use both customer managed and AWS managed KMS keys. AWS managed keys are automatically rotated. Option A and Option D are correct.

Option B is wrong because EBS does not support asymmetric KMS keys. Option C is wrong because you cannot specify a KMS key when creating a snapshot; you can only encrypt snapshots with a key. Option E is wrong because EBS does not support importing key material.

1107
Multi-Selectmedium

A SysOps administrator is optimizing costs for an Amazon RDS for PostgreSQL instance. The database is used for a reporting application that runs only during business hours (9 AM to 5 PM). Which TWO actions should the administrator take to reduce costs? (Choose TWO.)

Select 2 answers
A.Stop the database instance during non-business hours.
B.Move to a larger instance type to handle peaks.
C.Increase the provisioned IOPS for better performance.
D.Purchase a Reserved Instance for the database instance.
E.Configure the database as a Single-AZ deployment instead of Multi-AZ.
AnswersA, E

Stopping the instance eliminates compute charges during off-hours.

Why this answer

Correct options: B and C. Option B is correct because using a Multi-AZ deployment is not necessary if the database can be stopped during off-hours; a Single-AZ deployment reduces costs. Option C is correct because stopping the instance during off-hours saves compute costs.

Option A is wrong because Reserved Instances require a 1 or 3-year commitment and may not be cost-effective if the database is only used part-time; also, the question asks for cost reduction, not commitment. Option D is wrong because increasing instance size increases cost. Option E is wrong because increasing provisioned IOPS increases cost.

1108
MCQeasy

A company's security policy requires that all IAM users must change their passwords every 90 days. The SysOps administrator needs to enforce this requirement. Which IAM setting should the administrator configure?

A.IAM password policy
B.IAM user permissions boundary
C.IAM role trust policy
D.IAM group policy
AnswerA

The IAM account password policy allows you to set password expiration, requiring users to change their passwords every 90 days.

Why this answer

The IAM password policy is the correct setting because it allows the SysOps administrator to define password rotation requirements, such as a mandatory password change every 90 days. This policy is applied at the account level and enforces the security requirement for all IAM users, ensuring compliance without needing to modify individual user permissions.

Exam trap

The trap here is that candidates may confuse IAM password policy with IAM user permissions or group policies, thinking that password rotation can be enforced through permission boundaries or role trust policies, which are unrelated to authentication settings.

How to eliminate wrong answers

Option B is wrong because an IAM user permissions boundary defines the maximum permissions a user can have, but it does not control password rotation or expiration settings. Option C is wrong because an IAM role trust policy defines which entities (users or services) can assume the role, not password policies for IAM users. Option D is wrong because an IAM group policy grants permissions to a group of users but does not enforce password expiration or rotation requirements.

1109
Multi-Selecthard

A company is using Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The ALB is configured with HTTPS listeners. Users report that some requests are failing with a 502 error. Which THREE steps should the SysOps administrator take to troubleshoot the issue? (Choose three.)

Select 3 answers
A.Check that the ALB's security group allows inbound traffic from the CloudFront IP ranges.
B.Verify that the ALB's health check is configured correctly and that the targets are healthy.
C.Configure the CloudFront distribution to use a custom error response for 502 errors.
D.Ensure that the SSL certificate on the ALB is valid and trusted by CloudFront.
E.Verify that the ALB is configured to use the X-Forwarded-For header to route requests.
AnswersA, B, D

CloudFront uses a set of IP addresses; the ALB must allow traffic from those IPs.

Why this answer

The ALB's security group must allow inbound traffic from CloudFront's IP ranges, because CloudFront forwards requests to the ALB using its own IP addresses. Without this rule, the ALB will reject the connection, resulting in a 502 error (Bad Gateway) as CloudFront cannot reach the origin. You can obtain the current CloudFront IP ranges from the AWS IP Address Ranges list and update the security group accordingly.

Exam trap

The trap here is that candidates may think a custom error response (Option C) resolves the root cause, when in fact it only masks the symptom, or they may confuse the X-Forwarded-For header (Option E) with routing logic, which is unrelated to 502 errors.

1110
MCQmedium

A company has an AWS account that contains multiple Amazon S3 buckets with sensitive data. A SysOps administrator needs to ensure that all S3 buckets in the account have versioning enabled to protect against accidental deletions. The administrator wants to automatically remediate any bucket that is created without versioning enabled. Which solution should be used?

A.Use AWS Config with a managed rule (s3-bucket-versioning-enabled) and an automatic remediation action that uses an AWS Systems Manager Automation document to enable versioning
B.Use Amazon CloudWatch Events to detect CreateBucket API calls and trigger an AWS Lambda function to enable versioning
C.Use AWS CloudTrail to monitor CreateBucket events and send an alert to the SysOps administrator for manual action
D.Use AWS Service Catalog to enforce versioning on all buckets provisioned through it
AnswerA

AWS Config evaluates resources against the rule. When a noncompliant bucket is detected (whether newly created or changed), the automatic remediation using Systems Manager Automation enables versioning on the bucket, ensuring continuous compliance.

Why this answer

AWS Config with the managed rule `s3-bucket-versioning-enabled` continuously evaluates S3 buckets against the desired configuration. When a noncompliant bucket is detected, an automatic remediation action can be configured to invoke an AWS Systems Manager Automation document that enables versioning on the bucket. This provides a fully automated, event-driven remediation without manual intervention, ensuring all buckets—including those created outside of AWS Config's initial evaluation—are brought into compliance.

Exam trap

The trap here is that candidates often choose CloudWatch Events + Lambda (Option B) thinking it provides real-time remediation, but they overlook that it only catches new buckets and fails to remediate existing noncompliant buckets or buckets that have versioning disabled after creation, whereas AWS Config provides continuous compliance monitoring and automatic remediation for both new and existing resources.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch Events (now Amazon EventBridge) can detect `CreateBucket` API calls, but triggering a Lambda function to enable versioning only remediates buckets at creation time; it does not detect or fix buckets that were created before the rule was enabled or buckets that have versioning disabled after creation. Option C is wrong because AWS CloudTrail monitoring and sending an alert requires manual action by the SysOps administrator, which is not an automatic remediation and does not meet the requirement to automatically remediate. Option D is wrong because AWS Service Catalog only enforces versioning on buckets provisioned through it; buckets created directly via the S3 console, CLI, or SDK bypass Service Catalog and remain noncompliant.

1111
MCQmedium

A SysOps administrator needs to monitor the amount of data transferred through a VPC’s internet gateway. Which Amazon CloudWatch metric should be used?

A.InternetGatewayBytes (AWS/VPC namespace)
B.NetworkPackets (AWS/EC2 namespace)
C.NetworkIn (AWS/EC2 namespace)
D.BytesOutToSource (AWS/VPC namespace)
AnswerD

This metric is available for internet gateways.

Why this answer

Option A is correct because the AWS/VPC namespace provides metrics for internet gateways, including BytesOutToSource. Option B is wrong because NetworkIn is an EC2 metric. Option C is wrong because NetworkPackets is an EC2 metric.

Option D is wrong because there is no such metric.

1112
MCQmedium

Refer to the exhibit. An IAM user has this policy attached. What is the effect when the user attempts to get an object from my-bucket from an IP address in the range 198.51.100.0/24?

A.Allowed because the Deny condition does not match
B.Denied because there is no explicit Allow for that IP range
C.Allowed because there is an Allow statement
D.Denied because the Deny statement applies
AnswerD

The Deny statement explicitly denies access from IPs not in the range.

Why this answer

The policy has an Allow statement that grants s3:GetObject only from IP range 192.0.2.0/24. It also has a Deny statement that denies s3:GetObject from any IP not in that range (via NotIpAddress). Since the request comes from 198.51.100.0/24, which is not in the allowed range, the Deny statement applies and overrides any Allow.

The request will be denied. Option C is correct. Option A is wrong because the Deny explicitly denies it.

Option B is wrong because the Allow only applies to the specified range. Option D is wrong because the Deny is explicit.

1113
MCQmedium

A SysOps administrator is designing a disaster recovery plan for a critical RDS MySQL database. The database must be available with a Recovery Point Objective (RPO) of less than 1 hour and a Recovery Time Objective (RTO) of less than 2 hours. The primary region is us-east-1. Which solution meets these requirements?

A.Enable Multi-AZ deployment in the primary region
B.Enable automated backups and restore to a new region when needed
C.Take daily manual snapshots and copy them to another region
D.Create a cross-Region read replica in us-west-2 and promote it during a disaster
AnswerD

Replica replication is fast and promotion meets RTO.

Why this answer

Correct answer is C. Cross-Region read replicas provide asynchronous replication with RPO typically seconds to minutes, and promoting a replica can be done in minutes, meeting both RPO and RTO. Option A is wrong because automated backups have RPO of up to 5 minutes but restoring in another region takes longer than 2 hours.

Option B is wrong because Multi-AZ is for high availability within a region, not cross-region DR. Option D is wrong because manual snapshots require manual intervention and restore time is unpredictable.

1114
Multi-Selectmedium

A company is designing a highly available architecture for a web application. The application uses an Application Load Balancer (ALB) and an Auto Scaling group of EC2 instances. Which TWO steps should the company take to ensure the architecture is resilient to an Availability Zone failure? (Select TWO.)

Select 2 answers
A.Set the Auto Scaling group's desired capacity to a high number.
B.Create a CloudWatch alarm that triggers if the ALB has elevated 5xx errors.
C.Configure the Auto Scaling group to launch instances in at least two Availability Zones.
D.Use a single EC2 instance type for all instances.
E.Configure the ALB to be internet-facing and enable cross-zone load balancing.
AnswersC, E

Distributing instances across AZs ensures availability if one AZ fails.

Why this answer

Options A and C are correct. Option A ensures the ALB can route traffic to targets in other AZs. Option C ensures EC2 instances are distributed across AZs.

Option B is wrong because a single instance type does not improve availability. Option D is wrong because increasing min size in one AZ does not protect against AZ failure. Option E is wrong because CloudWatch alarms do not provide AZ redundancy.

1115
MCQeasy

A company uses AWS CloudFormation to deploy a three-tier web application. The SysOps administrator wants to update a critical parameter, such as the instance type, and ensure that the change is applied without recreating the EC2 instance, if possible. Which CloudFormation stack update feature should be used to achieve this?

A.Change sets
B.Stack policy
C.Update with drift detection
D.Directly edit the stack template and use the update stack action
AnswerA

Change sets allow you to preview how changes will affect your resources, including whether an update will cause replacement or in-place modification, giving you control to avoid unnecessary recreation.

Why this answer

Change sets allow you to preview the changes that will be made to your stack resources before executing them. For an update that modifies an instance type, CloudFormation will attempt to perform an update without replacement if the resource supports it (e.g., AWS::EC2::Instance supports in-place updates for the InstanceType property). By using a change set, you can confirm that the update will not recreate the EC2 instance before applying it.

Exam trap

The trap here is that candidates confuse change sets with simply updating the stack directly, not realizing that change sets provide a critical preview to avoid unintended resource replacement, especially for properties that may or may not require replacement depending on the resource type.

How to eliminate wrong answers

Option B is wrong because a stack policy is used to prevent specific stack resources from being updated or deleted during a stack update, not to control how updates are applied or to preview changes. Option C is wrong because drift detection identifies differences between the stack's actual resource configuration and the expected template configuration, but it does not perform or preview updates. Option D is wrong because directly editing the template and using the update stack action applies changes immediately without a preview, which could inadvertently cause resource replacement if the property change requires it; change sets provide the necessary preview to avoid this.

1116
MCQhard

A company has a multi-tier application with a web tier, application tier, and database tier. All tiers are in the same VPC. The web tier is in public subnets, application tier in private subnets, and database tier in private subnets. The security groups are configured as follows: Web SG allows HTTP/HTTPS from 0.0.0.0/0; App SG allows HTTP from Web SG; DB SG allows MySQL from App SG. The application tier instances cannot connect to the database tier. What is the most likely cause?

A.The VPC CIDR blocks overlap and cause routing issues
B.The route tables in the private subnets do not have a route to the database subnets
C.The network ACLs on the database subnets are blocking inbound MySQL traffic
D.The security group for the database tier does not allow return traffic from the application tier
AnswerC

NACLs are stateless; they must allow both directions.

Why this answer

Option D is correct because network ACLs are stateless and must allow both inbound and outbound traffic for the connection to work. Even if security groups allow traffic, NACLs can block it. Option A is wrong because security groups are stateful and allow return traffic automatically.

Option B is wrong because the VPC CIDR is large enough. Option C is wrong because route tables are not the issue if all are in the same VPC.

1117
Drag & Dropmedium

Drag and drop the steps to enable AWS CloudTrail logging for a specific S3 bucket into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create a log bucket with proper policy, then create the trail and configure it to log events for the target bucket.

1118
MCQeasy

A company requires that all data stored in Amazon S3 be encrypted at rest. Which S3 feature should be enabled to meet this requirement without changing the application code?

A.Use an S3 bucket policy to deny unencrypted uploads.
B.Enable default encryption on the S3 bucket.
C.Enable S3 Object Lock.
D.Use client-side encryption.
AnswerB

Automatically encrypts objects on PUT.

Why this answer

Option A is correct because default encryption automatically encrypts all new objects. Option B is wrong because it requires bucket policies. Option C is wrong because it is a client-side feature.

Option D is wrong because it is not a standard S3 feature.

1119
Multi-Selecteasy

A company wants to ensure that its Amazon S3 data is resilient to an accidental deletion of an entire bucket. Which two actions should the company take? (Choose TWO.)

Select 2 answers
A.Configure Cross-Region Replication to replicate objects to a bucket in another AWS Region.
B.Configure a lifecycle policy to transition objects to S3 Glacier after 30 days.
C.Enable MFA Delete on the bucket.
D.Enable S3 Versioning on the bucket.
E.Enable S3 Transfer Acceleration on the bucket.
AnswersA, D

CRR provides a copy of data in a different region, protecting against region-wide failures.

Why this answer

Options A and D are correct. Cross-Region Replication (A) copies objects to another bucket, ensuring data survives regional issues. S3 Versioning (D) allows recovery of deleted objects within the same bucket.

Option B is wrong because MFA Delete requires multi-factor authentication to delete objects, but does not protect against bucket deletion. Option C is wrong because lifecycle policies delete objects, not protect them. Option E is wrong because Transfer Acceleration is for speed, not durability.

1120
Multi-Selecteasy

A SysOps administrator needs to reduce data transfer costs for a web application hosted on EC2 instances in a VPC. The application serves content to users over the internet. Which TWO actions will help reduce data transfer costs? (Choose TWO.)

Select 2 answers
A.Move all instances to private subnets and use AWS Direct Connect for user access.
B.Use a VPC Gateway Endpoint for Amazon S3 to keep S3 traffic within AWS.
C.Use Amazon CloudFront to cache and serve static content.
D.Use an Application Load Balancer to distribute traffic.
E.Use a larger NAT Gateway to improve throughput.
AnswersB, C

Gateway endpoints are free and reduce data transfer costs to S3.

Why this answer

The correct answers are A and B. Amazon CloudFront caches content at edge locations, reducing data transfer from origin to users. Using a VPC Gateway Endpoint for S3 keeps S3 traffic within AWS, avoiding internet data transfer costs.

Option C is wrong because using a larger NAT Gateway increases costs. Option D is wrong because moving to a private subnet and using Direct Connect adds cost. Option E is wrong because using an ALB does not reduce data transfer costs.

1121
MCQmedium

The CISO asks for a centralized dashboard showing security findings from GuardDuty, Macie, Inspector, and Firewall Manager across 30 AWS accounts. Findings must be normalized into a single format so they can be prioritized by severity without switching between services. Which AWS service provides this capability?

A.Enable AWS Security Hub with an administrator account in the organization; integrate GuardDuty, Macie, Inspector, and Firewall Manager as finding providers
B.Deploy a custom Lambda function that polls each service's API and writes findings to a DynamoDB table for a custom dashboard
C.Enable Amazon Detective to investigate and correlate security findings across all accounts
D.Configure AWS Config conformance packs to evaluate security compliance checks across all accounts and report to an aggregator account
AnswerA

Security Hub's organization integration automatically enables member accounts and routes their findings to the designated administrator account. All findings — regardless of source service — are normalized to ASFF with a consistent severity schema. The security team sees one consolidated dashboard instead of five separate consoles.

Why this answer

AWS Security Hub is designed to aggregate, normalize, and prioritize security findings from multiple AWS services (GuardDuty, Macie, Inspector, Firewall Manager) and third-party tools across accounts. By designating an administrator account in AWS Organizations, you can centrally view all findings in a single dashboard, with a standardized findings format (AWS Security Finding Format, ASFF) that includes severity, resource, and remediation fields. This directly meets the CISO's requirement for a centralized, normalized, severity-prioritized view without switching between services.

Exam trap

The trap here is that candidates often confuse Amazon Detective (a visualization/investigation tool) with Security Hub (a centralized finding aggregation and prioritization service), or they assume a custom Lambda solution is acceptable despite the exam's emphasis on managed, scalable services that reduce operational burden.

How to eliminate wrong answers

Option B is wrong because deploying a custom Lambda function to poll APIs and write to DynamoDB is a manual, brittle approach that does not provide the native normalization, cross-account aggregation, or built-in severity prioritization that Security Hub offers out of the box; it also introduces operational overhead and potential latency. Option C is wrong because Amazon Detective is a service for investigating and visualizing security data (e.g., VPC Flow Logs, GuardDuty findings) but it does not aggregate findings from multiple services into a single normalized dashboard for prioritization; it focuses on root-cause analysis after an alert. Option D is wrong because AWS Config conformance packs evaluate resource compliance against rules (e.g., PCI DSS, CIS benchmarks) and report compliance status, but they do not ingest or normalize security findings from GuardDuty, Macie, Inspector, or Firewall Manager; they are for configuration compliance, not security finding aggregation.

1122
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The SysOps administrator creates a CloudWatch alarm on the ALB's HTTPCode_ELB_5XX_Count metric to trigger an SNS notification when there are many 5xx errors. However, the alarm remains in INSUFFICIENT_DATA state. What is a likely cause?

A.The HTTPCode_ELB_5XX_Count metric is not available for ALBs.
B.The ALB and the CloudWatch alarm are in different AWS Regions.
C.The IAM role for CloudWatch does not have permission to read the ALB metrics.
D.The alarm's period is set to 1 minute, but the metric is published every 5 minutes.
AnswerB

CloudWatch alarms cannot monitor metrics from a different region unless using cross-region functionality.

Why this answer

CloudWatch alarms can only evaluate metrics from the same AWS Region in which the alarm is created. If the ALB and the CloudWatch alarm are in different Regions, the alarm will never receive metric data points, causing it to remain in INSUFFICIENT_DATA state. This is a common cross-Region limitation for CloudWatch metrics.

Exam trap

The trap here is that candidates often overlook the regional scope of CloudWatch metrics and alarms, assuming that metrics are globally accessible, when in fact they are strictly regional.

How to eliminate wrong answers

Option A is wrong because HTTPCode_ELB_5XX_Count is a standard metric emitted by Application Load Balancers and is fully available in CloudWatch. Option C is wrong because CloudWatch does not require a separate IAM role to read ALB metrics; metrics are published automatically by AWS services, and the alarm uses the service-linked role or the caller's permissions, which are not the cause of INSUFFICIENT_DATA. Option D is wrong because even if the alarm's period is shorter than the metric's publication interval, CloudWatch will still receive data points (just less frequently) and the alarm would eventually show OK or ALARM, not remain in INSUFFICIENT_DATA indefinitely.

1123
MCQhard

A SysOps administrator is troubleshooting a failed Auto Scaling group launch. The group uses a launch template that specifies an Amazon Linux 2 AMI. The instances fail to pass the EC2 health check and are terminated. The administrator checks the system log and finds that the instance boots but the cloud-init script fails due to a missing package repository. What is the most likely cause?

A.The launch template is using an incorrect version.
B.The IAM instance profile does not have sufficient permissions.
C.The Auto Scaling group is in a private subnet without a NAT gateway.
D.The AMI used by the launch template is outdated and the repositories are no longer valid.
AnswerD

Outdated AMIs have deprecated repo URLs, causing cloud-init to fail.

Why this answer

If the AMI is outdated, the package repository URLs may be deprecated, causing cloud-init failures. The launch template version is not directly related to repository access. User data script problems could cause failures but the log points to a missing repository, which is often due to an outdated AMI.

IAM role issues would affect API calls, not package repos.

1124
Multi-Selecteasy

A company wants to reduce costs for its Amazon S3 storage. Which TWO strategies are effective?

Select 2 answers
A.Enable S3 Object Tagging to categorize data.
B.Enable S3 Replication to another region for disaster recovery.
C.Use S3 Lifecycle policies to transition objects to S3 Glacier Deep Archive after a period.
D.Use S3 Intelligent-Tiering for data with unknown or changing access patterns.
E.Enable S3 Transfer Acceleration for faster uploads.
AnswersC, D

Lifecycle policies reduce storage costs.

Why this answer

S3 Lifecycle policies transition objects to lower-cost storage classes. S3 Object Tagging helps organize data but does not directly reduce costs. S3 Transfer Acceleration increases costs.

S3 Replication increases costs. S3 Intelligent-Tiering can be cost-effective for unknown access patterns.

1125
MCQeasy

A company is running a stateful web application on a single EC2 instance with a 500 GB gp2 EBS volume. The instance is currently at 80% CPU and memory utilization during peak hours. The company wants to improve performance and scalability without incurring high costs. What should the SysOps administrator do?

A.Implement an Application Load Balancer with an Auto Scaling group to distribute traffic across multiple instances.
B.Upgrade the instance to a larger size (vertical scaling).
C.Increase the swap space on the instance to handle memory pressure.
D.Migrate the EBS volume from gp2 to gp3 to improve I/O performance.
AnswerA

Horizontal scaling improves performance and availability while optimizing cost.

Why this answer

The correct answer is B. Using an Application Load Balancer and Auto Scaling group allows the application to scale out based on demand, improving performance and cost efficiency. Option A is wrong because vertical scaling may cause downtime and is limited.

Option C is wrong because converting to gp3 provides performance at lower cost but does not address scalability. Option D is wrong because increasing swap space is a temporary fix and does not improve performance.

Page 14

Page 15 of 21

Page 16