AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) - Questions 1126-1200

1546 questions total · 21 pages · All types, answers revealed

Page 16 of 21

1126
MCQ · medium

A company has a production AWS account with a single VPC and multiple subnets across two Availability Zones. The company hosts a web application on EC2 instances in an Auto Scaling group. The application uses an Amazon Aurora MySQL database cluster with one writer and two reader instances in the same VPC. The SysOps administrator configured AWS CloudTrail to log API calls and Amazon CloudWatch alarms for operational monitoring. After a recent network partition event in one Availability Zone, the application became unavailable for several minutes. The administrator wants to improve the application's resilience to such events without changing the database cluster configuration. The administrator has budget for additional resources but wants to minimize costs. What should the administrator do?

A. Enable Multi-AZ for the Aurora cluster, which is already enabled by default. Additionally, increase the instance size of the writer instance.
B. Configure a cross-region read replica for the Aurora cluster and promote it to primary if the primary AZ fails.
C. Create a second VPC in a different AWS Region and set up a second Aurora cluster. Use Route 53 with failover routing to direct traffic to the secondary region if the primary fails.
D. Ensure the Auto Scaling group launches instances in both Availability Zones. Configure the Application Load Balancer to be cross-zone load balancing enabled.
Answer: D

This distributes traffic across AZs, so if one AZ fails, the ALB routes to the other AZ's instances.

Why this answer

Option D is correct because distributing EC2 instances across both Availability Zones and enabling cross-zone load balancing on the ALB ensures that traffic is routed to healthy instances in any AZ. This provides high availability for the application tier without changing the database. Option C is wrong because adding a second VPC with its own database cluster would be expensive and complex.

Option B is wrong because a read replica in another Region does not help with an AZ failure within the same Region. Option A is wrong because Aurora is already Multi-AZ by design; the cluster's writer and reader instances already span multiple AZs.

1127
MCQ · medium

Refer to the exhibit. A SysOps administrator runs the AWS CLI command to check the event selectors for a CloudTrail trail. What does the output indicate?

A. The trail logs all management events.
B. The trail logs both management and data events.
C. The trail logs all data events.
D. The trail logs only write management events.
Answer: A

IncludeManagementEvents true and ReadWriteType All.

Why this answer

Option A is correct because the output shows IncludeManagementEvents true and ReadWriteType All, so all management events (read and write) are logged. Option B is wrong because data events are not logged (DataResources is empty). Option C is wrong for the same reason: no data events are logged.

Option D is wrong because ReadWriteType All means both read and write management events are logged, not only write events.

1128
MCQ · easy

A SysOps administrator wants to monitor the cost and usage of AWS resources for different departments. Which AWS service should they use to tag resources and generate cost allocation reports?

A. AWS Trusted Advisor
B. AWS Budgets
C. AWS Config
D. AWS Cost Explorer with cost allocation tags
Answer: D

Cost Explorer provides detailed cost and usage reports filtered by tags.

Why this answer

Option D is correct because AWS Cost Explorer with cost allocation tags lets cost and usage be filtered and grouped by tag. Option B is wrong because AWS Budgets sets spending alerts; it is not a reporting tool. Option A is wrong because AWS Trusted Advisor provides optimization recommendations.

Option C is wrong because AWS Config tracks resource configuration, not cost.

1129
Multi-Select · easy

Which TWO services can be used to centrally manage cryptographic keys for AWS services? (Choose two.)

Select 2 answers
A. AWS CloudHSM
B. AWS Certificate Manager (ACM)
C. AWS Identity and Access Management (IAM)
D. AWS Key Management Service (KMS)
E. AWS Secrets Manager
Answers: A, D

Hardware security module for key management.

Why this answer

Option D is correct because AWS KMS is the managed key service. Option A is correct because AWS CloudHSM provides hardware-based key management. Option B is wrong because ACM manages certificates, not keys.

Option C is wrong because IAM manages identities and permissions. Option E is wrong because Secrets Manager manages secrets, not cryptographic keys.

1130
MCQ · medium

A SysOps administrator is troubleshooting connectivity issues between two VPCs that are peered using a VPC Peering connection. The instances in VPC A can ping the private IP of instances in VPC B, but not the DNS names. What is the most likely cause?

A. The route tables in VPC A do not have a route to VPC B's CIDR.
B. The security groups in VPC B block DNS traffic (port 53).
C. The VPC Peering connection does not have 'Enable DNS Resolution' enabled.
D. The VPCs have overlapping CIDR blocks.
Answer: C

DNS resolution across VPC peering requires this option.

Why this answer

VPC peering does not resolve DNS hostnames across the peered VPCs unless the 'Enable DNS Resolution' option is enabled on the peering connection. Option A is wrong because the route tables are correct (ping works). Option B is wrong because security groups affect traffic, not DNS resolution.

Option D is wrong because the two VPCs are already communicating, so their CIDR blocks cannot overlap.

1131
MCQ · medium

A SysOps administrator manages a CloudFormation stack that deploys a web application. The stack includes an Amazon EC2 instance and an Amazon RDS DB instance. The administrator needs to update the stack to change the EC2 instance type. The administrator wants to ensure that the update does not accidentally replace the RDS database. Which CloudFormation feature should the administrator use to protect the RDS resource from being replaced during the stack update?

A. Use a DeletionPolicy of Retain on the RDS resource.
B. Use a stack policy that denies updates to the RDS resource.
C. Use the Resource Signal and CreationPolicy attributes.
D. Use a Change Set to review changes before executing.
Answer: B

A stack policy can explicitly deny update, replace, or delete actions on specific resources. By applying a policy that denies update to the RDS resource, the CloudFormation update will fail if it attempts to modify the RDS instance, thus protecting it from accidental replacement.

Why this answer

A stack policy is an AWS CloudFormation feature that explicitly denies update or replacement actions on specified resources. By applying a stack policy that denies updates to the RDS resource, the administrator prevents any stack update operation (including changing the EC2 instance type) from modifying or replacing the database, even if the template changes would otherwise affect it. This is the correct approach because it provides a guardrail specifically against accidental replacement during updates.

Exam trap

The trap here is that candidates often confuse DeletionPolicy (which only applies on stack deletion) with stack policies (which control updates), leading them to incorrectly choose Option A as a safety measure during updates.

How to eliminate wrong answers

Option A is wrong because a DeletionPolicy of Retain only protects the resource when the stack is deleted, not during a stack update; it does not prevent replacement or modification during an update. Option C is wrong because Resource Signal and CreationPolicy are used to control stack creation behavior (e.g., waiting for signals before marking a resource as created), not to protect resources from being replaced during updates. Option D is wrong because a Change Set only allows you to review proposed changes before executing them; it does not prevent the update from being executed or protect the RDS resource from replacement if the update is applied.

1132
MCQ · easy

A company wants to monitor for unauthorized API calls in their AWS account. Which AWS service should they use?

A. Amazon CloudWatch
B. AWS Config
C. AWS CloudTrail
D. Amazon GuardDuty
Answer: C

CloudTrail logs all API activity for governance and auditing.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made in an AWS account, including the identity, source IP, and timestamp of each call. This enables monitoring for unauthorized API activity by analyzing the logs for suspicious patterns or unexpected actions. CloudTrail is specifically designed for auditing API usage, unlike other services that focus on resource configuration or threat detection.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration changes) with CloudTrail (which tracks API calls), leading them to select Config when the question specifically asks about monitoring API calls rather than resource state.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, but it does not natively capture or record API calls; it can only consume CloudTrail logs if configured. Option B is wrong because AWS Config evaluates and records resource configuration changes and compliance, not API calls; it focuses on resource state, not the actions that changed them. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs for malicious activity, but it does not directly provide the raw API call history needed for monitoring unauthorized calls; it relies on CloudTrail as a data source.

1133
Drag & Drop · medium

Drag and drop the steps to troubleshoot high CPU usage on an Amazon EC2 instance into the correct order.


Why this order

Start by checking metrics, then connect, find the process, analyze, and act.

1134
Multi-Select · easy

Which TWO features are provided by Amazon CloudFront to secure content delivery? (Choose two.)

Select 2 answers
A. Default support for custom SSL certificates without additional configuration
B. AWS WAF integration to filter requests based on rules
C. AWS Shield Advanced for DDoS protection
D. Signed URLs and signed cookies to restrict access to content
E. VPN connection between CloudFront and the origin
Answers: B, D

CloudFront can be associated with a web ACL to filter requests.

Why this answer

Options B and D are correct: AWS WAF integration with CloudFront filters malicious requests, and signed URLs and signed cookies restrict access to content. Option A is wrong because CloudFront supports custom SSL certificates through SNI or dedicated IP addresses, which must be configured; it is not a default. Option E is wrong because CloudFront reaches origins over the AWS global network, not a VPN.

Option C is wrong because DDoS protection comes from AWS Shield, a separate service, rather than being a CloudFront feature.

1135
MCQ · easy

A company has an AWS account with several IAM users. The SysOps administrator needs to ensure that all users are required to use multi-factor authentication (MFA) to access the AWS Management Console. The administrator has enabled MFA for each user and created an IAM policy that denies all actions unless MFA is present. However, some users report that they can still access the console without MFA. What is the most likely reason?

A. The users are using the root account credentials.
B. The policy is attached to a group instead of the users.
C. The condition key in the policy is incorrect; it should be 'aws:MultiFactorAuthPresent' set to 'true'.
D. The password policy does not require MFA.
Answer: C

The condition key must be correctly specified.

Why this answer

Option C is correct because the policy must use the condition key 'aws:MultiFactorAuthPresent' with a Bool condition. If the condition key is misspelled or missing, the policy does not enforce MFA. Option B is wrong because a policy attached to a group still applies to the group's members, so the attachment target does not explain the bypass.

Option A is wrong because the root user is not an IAM user and is not one of the users in question. Option D is wrong because the password policy cannot enforce MFA.

1136
MCQ · hard

A company runs a web application on Amazon EC2 instances in an Auto Scaling group. The application uses Amazon EBS volumes (gp2) for data storage. The SysOps administrator notices that the storage costs are high, and the application's IOPS requirements are consistently below 3000. The administrator wants to reduce storage costs without affecting performance. Which action should the administrator take?

A. Modify the EBS volumes to use Provisioned IOPS (io1) volumes and set IOPS to 2000.
B. Convert the EBS volumes from gp2 to gp3 volume type.
C. Implement an Amazon EBS snapshot lifecycle policy to delete old snapshots and reduce storage costs.
D. Enable EBS optimization on the EC2 instances to improve throughput and reduce costs.
Answer: B

gp3 offers baseline 3000 IOPS and 125 MB/s for a lower price than gp2 for many volume sizes. Since the application requires less than 3000 IOPS, gp3 provides sufficient performance at a reduced cost.

Why this answer

Option B is correct because gp3 volumes offer a baseline performance of 3000 IOPS and 125 MB/s throughput at a lower cost than gp2 volumes, making them ideal for workloads with IOPS requirements consistently below 3000. By converting from gp2 to gp3, the administrator can reduce storage costs without any performance impact, as gp3 provides the same or better baseline performance at a lower price per GB.

Exam trap

The trap here is that candidates may confuse cost reduction strategies for EBS volumes with snapshot management or instance-level optimizations, failing to recognize that gp3 is the direct, cost-effective replacement for gp2 when IOPS requirements are below the gp3 baseline.

How to eliminate wrong answers

Option A is wrong because Provisioned IOPS (io1) volumes are designed for high-performance workloads requiring more than 16,000 IOPS and are significantly more expensive than gp2 or gp3, so using io1 with only 2000 IOPS would increase costs unnecessarily. Option C is wrong because deleting old snapshots reduces snapshot storage costs, not the cost of the EBS volumes themselves, and the question specifically asks about reducing storage costs for the EBS volumes used by the application. Option D is wrong because EBS optimization is a feature that provides dedicated network bandwidth for EBS traffic, improving throughput and reducing latency, but it does not directly reduce storage costs; it may even incur additional costs if the instance type requires it.

1137
MCQ · hard

A SysOps administrator is investigating a security incident where an EC2 instance was used to launch an attack. The administrator needs to determine the source IP addresses that were used to access the instance prior to the attack. Which AWS service and feature should be used to capture this information?

A. Amazon GuardDuty
B. AWS CloudTrail with data events enabled for EC2
C. VPC Flow Logs
D. AWS Config with recording of security groups
Answer: C

Flow Logs capture network traffic metadata, including source IPs.

Why this answer

VPC Flow Logs capture metadata about IP traffic flowing to and from network interfaces in a VPC, including the source IP address, destination IP address, port, protocol, and timestamps. This allows the administrator to identify the source IP addresses that accessed the EC2 instance prior to the attack, as the logs record all accepted and rejected traffic at the network interface level.

Exam trap

The trap here is that candidates confuse AWS CloudTrail (which logs API calls) with network traffic logging, mistakenly thinking CloudTrail captures IP-level traffic data, when in fact only VPC Flow Logs record the actual source IP addresses of network connections to an EC2 instance.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes logs (like VPC Flow Logs, DNS logs, and CloudTrail events) to identify malicious activity, but it does not natively store or provide raw source IP address logs for historical analysis of traffic to an instance. Option B is wrong because AWS CloudTrail with data events for EC2 records API calls (e.g., RunInstances, DescribeInstances) and does not capture network-level traffic metadata such as source IP addresses of packets reaching the instance. Option D is wrong because AWS Config records configuration changes to resources like security groups, but it does not log network traffic flows or the source IP addresses of connections to an instance.

1138
MCQ · hard

A company has a production application running on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application uses an RDS MySQL database in the same VPC. The SysOps team recently implemented a change to the network ACLs to improve security. After the change, the application became unreachable from the internet, but the EC2 instances can still communicate with the RDS database. The ALB is in a public subnet, and the EC2 instances and RDS are in private subnets. The ALB's security group allows inbound HTTP/HTTPS from 0.0.0.0/0. The EC2 instances' security group allows inbound from the ALB's security group. The RDS security group allows inbound from the EC2 instances' security group. The network ACLs for the public subnet allow inbound HTTP/HTTPS from 0.0.0.0/0 and all outbound traffic. The network ACLs for the private subnets were modified to deny all inbound traffic except from the public subnet CIDR (10.0.1.0/24) and allow all outbound traffic. Which change should be made to restore internet access to the application?

A. Add a route to the private subnet route table pointing 0.0.0.0/0 to the Internet Gateway.
B. Modify the EC2 instance security group to allow inbound traffic from 0.0.0.0/0 on port 80.
C. Add an inbound rule to the private subnet NACL to allow ephemeral ports (1024-65535) from the public subnet CIDR (10.0.1.0/24).
D. Add an inbound rule to the public subnet NACL to allow HTTP/HTTPS from the ALB's security group.
Answer: C

The ALB uses ephemeral ports to forward traffic to targets; the NACL must allow return traffic.

Why this answer

Option C is correct. NACLs are stateless and cannot reference security groups; they match on CIDR blocks and port ranges. The private subnet NACL therefore has to admit the ALB's traffic by the ALB subnet's CIDR, 10.0.1.0/24, and the ALB uses ephemeral ports for its health checks and forwarded requests.

The private subnet NACL currently denies all inbound traffic except from 10.0.1.0/24, which on its face should admit the ALB. The EC2 instances can still reach RDS, so the NACL is not blocking that path; the application is unreachable from the internet because the ALB cannot get traffic through to its targets.

The most likely cause is that the ALB's health checks and forwarded connections are being blocked by the private subnet NACL on the ephemeral port range, so the correct action is to allow inbound traffic on ports 1024-65535 from the ALB subnet. Option D is wrong because the public subnet NACL already allows HTTP/HTTPS inbound, and a NACL rule cannot reference a security group.

Option B is wrong because the EC2 security group is already correct. Option A is wrong because adding an Internet Gateway route to the private subnet does not address the NACL; the issue is the NACL.

1139
MCQ · easy

A company runs a batch processing application on Amazon EC2 instances. The application runs for 3 hours every night and can tolerate interruptions. The SysOps administrator needs to minimize compute costs. Which purchasing option should the administrator use?

A. Spot Instances
B. On-Demand Instances
C. Reserved Instances
D. Dedicated Instances
Answer: A

Spot Instances provide large cost savings and are suitable for short-lived, fault-tolerant workloads like batch processing that can be interrupted and resumed.

Why this answer

Spot Instances are ideal for this workload because the application is fault-tolerant (can tolerate interruptions) and runs on a fixed schedule (3 hours nightly). Spot Instances offer significant cost savings (up to 90% compared to On-Demand) by using spare EC2 capacity, and the batch processing can be designed to resume from checkpoints if interrupted.

Exam trap

The trap here is that candidates often choose Reserved Instances for any scheduled workload, failing to recognize that the application's fault tolerance and short nightly duration make Spot Instances the most cost-effective choice despite the risk of interruption.

How to eliminate wrong answers

Option B (On-Demand Instances) is wrong because they are priced at the full rate and do not offer the cost savings needed for a batch workload that can tolerate interruptions. Option C (Reserved Instances) is wrong because they require a 1- or 3-year commitment and are designed for steady-state workloads, not for a 3-hour nightly job that could be run on cheaper Spot capacity. Option D (Dedicated Instances) is wrong because they are the most expensive option, intended for regulatory or licensing requirements, and provide no cost benefit for a fault-tolerant batch application.

1140
MCQ · easy

A company uses AWS Config to track resource changes. The security team wants to receive notifications whenever an IAM policy is changed. Which AWS service should be used with AWS Config to send notifications?

A. Amazon CloudWatch Logs
B. Amazon Simple Queue Service (SQS)
C. AWS CloudTrail
D. Amazon Simple Notification Service (SNS)
Answer: D

AWS Config can publish notifications to SNS.

Why this answer

Option D is correct because AWS Config can publish configuration change notifications to an Amazon SNS topic, which can then deliver email or other notifications. Option A is incorrect because CloudWatch Logs stores log data; it does not send notifications. Option C is incorrect because CloudTrail records API activity rather than delivering configuration change notifications.

Option B is incorrect because SQS is a queue, not a notification service.

1141
MCQ · easy

A SysOps administrator wants to receive a notification when an EC2 instance's status check fails. Which AWS service should the administrator use to set up an alarm based on the status check metric?

A. Amazon CloudWatch Alarms
B. Amazon EventBridge
C. AWS Config
D. AWS Systems Manager
Answer: A

CloudWatch Alarms can monitor StatusCheckFailed metric and send notifications.

Why this answer

Amazon CloudWatch Alarms is the correct service because EC2 instance status checks are published as CloudWatch metrics (e.g., StatusCheckFailed, StatusCheckFailed_Instance, StatusCheckFailed_System). A CloudWatch Alarm can be configured to monitor these metrics and trigger an action, such as sending a notification via Amazon SNS, when the alarm state changes to ALARM. This directly meets the requirement to receive a notification when a status check fails.

Exam trap

The trap here is that candidates may confuse EventBridge's ability to react to EC2 instance state changes (e.g., running, stopped) with the need to monitor a continuous metric like status check failures, which requires CloudWatch Alarms for threshold-based evaluation.

How to eliminate wrong answers

Option B (Amazon EventBridge) is wrong because EventBridge is a serverless event bus used to route events from AWS services or custom sources to targets like Lambda or SQS; it does not natively evaluate metric thresholds or trigger alarms based on status check metrics. Option C (AWS Config) is wrong because Config is used for resource inventory, configuration history, and compliance auditing, not for real-time monitoring of operational metrics like status checks. Option D (AWS Systems Manager) is wrong because Systems Manager provides operational management capabilities (e.g., patching, automation, Run Command) but does not offer metric-based alarm functionality for EC2 status checks.

1142
Multi-Select · hard

A company uses Amazon CloudFront to distribute content globally. They need to restrict access to premium content to only authenticated users. Which THREE methods can be used to achieve this?

Select 3 answers
A. AWS WAF IP set rules to allow only known IPs
B. AWS Shield Advanced to protect against DDoS
C. Lambda@Edge to validate JWT tokens
D. CloudFront signed cookies
E. CloudFront signed URLs
Answers: C, D, E

Lambda@Edge can run authentication logic at edge locations.

Why this answer

Options C, D, and E are correct. Signed URLs, signed cookies, and Lambda@Edge running authentication logic are all valid methods. Option A is wrong because an IP allow list restricts by source address; it does not authenticate users.

Option B is wrong because AWS Shield Advanced protects against DDoS attacks; it does not authenticate users.

1143
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user. Which statement about the user's access is correct?

A. The user can get objects over HTTP.
B. The user can list objects in the bucket over HTTP.
C. The user can list objects only over HTTPS.
D. The user can get objects only over HTTPS.
Answer: D

GetObject requires SecureTransport true.

Why this answer

Option D is correct because the GetObject action carries the aws:SecureTransport condition, so objects can be retrieved only over HTTPS. Option A is wrong because that condition blocks GetObject over HTTP. Option C is wrong because the condition applies to GetObject only, not to ListBucket.

Option B is wrong because the question asks which statement the policy's SecureTransport condition establishes, and that condition applies to GetObject, not ListBucket.

1144
MCQ · hard

An application hosted on EC2 instances behind an ALB is experiencing intermittent connectivity errors. The ALB target group is configured with health checks on port 80. The SysOps team notices that the EC2 instances pass health checks but clients still receive 503 errors. What is the most likely cause?

A. The deregistration delay is too high
B. The ALB is only configured in one Availability Zone
C. The target group is empty
D. Security groups or network ACLs are blocking traffic from the ALB to the instances
Answer: D

If health checks use a different source (e.g., from the ALB's private IP) but client traffic is blocked, the ALB returns 503.

Why this answer

Option D is correct because if security groups or network ACLs block traffic from the ALB to the instances, the ALB can still mark them healthy when the health check arrives from a different source IP while actual client traffic is blocked. Option A is wrong because deregistration delay does not cause 503s. Option B is wrong because running the ALB in a single AZ would not by itself produce 503 errors.

Option C is wrong because the instances pass health checks, so the target group is not empty.

1145
MCQ · medium

A company has an application running on EC2 instances behind an Application Load Balancer. Users report intermittent timeout errors. The ALB target group shows healthy instances, and CloudWatch metrics show no spikes in CPU or memory. Which configuration is most likely causing the timeouts?

A. Connection draining is set too low
B. The ALB idle timeout is set too low
C. The target group health check interval is too long
D. Cross-zone load balancing is disabled
Answer: B

A low idle timeout can cause the ALB to close connections before the application responds, leading to timeouts.

Why this answer

Option B is correct because a low idle timeout on the ALB causes connections to be dropped when the application takes longer to respond than the configured timeout. Option A is wrong because connection draining only affects targets being deregistered, not active connections. Option D is wrong because cross-zone load balancing only changes how traffic is distributed; it does not cause timeouts.

Option C is wrong because a longer health check interval does not cause timeouts; if the instances were unhealthy, they would be marked as such.

1146
Multi-Select · medium

A company is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance and an Amazon RDS DB instance. The SysOps administrator wants to ensure that the RDS instance is created before the EC2 instance and that the EC2 instance receives the database endpoint as a user data parameter. Which THREE steps should be taken? (Select THREE.)

Select 3 answers
A. Use the AWS::CloudFormation::Init metadata to set the creation order.
B. Add a DependsOn attribute to the EC2 instance resource referencing the RDS instance.
C. Use the cfn-init helper script to process the UserData and configure the application.
D. Add a DependsOn attribute to the RDS instance resource referencing the EC2 instance.
E. Use the Fn::GetAtt intrinsic function to retrieve the RDS endpoint and pass it to the EC2 instance's UserData property.
Answers: B, C, E

Ensures RDS is created before EC2.

Why this answer

Options B, C, and E are correct. Option B: a DependsOn attribute on the EC2 instance referencing the RDS instance ensures the database is created first. Option E: Fn::GetAtt retrieves the RDS endpoint so it can be passed into UserData.

Option C: the cfn-init helper script processes the instance metadata and configures the application. Option A is wrong because AWS::CloudFormation::Init metadata configures the instance; creation order is controlled by DependsOn. Option D is wrong because it reverses the dependency, making the RDS instance wait for the EC2 instance.

1147
MCQ · medium

An application running on EC2 instances in an Auto Scaling group is experiencing intermittent errors. The errors correlate with periods of high memory usage. The SysOps administrator wants to set up a CloudWatch alarm to scale out when memory usage exceeds 80%. What should the administrator do to enable monitoring of memory usage?

A. Enable detailed monitoring on the Auto Scaling group.
B. Install the CloudWatch agent on the EC2 instances to publish memory metrics.
C. Use the default EC2 memory metric provided by CloudWatch.
D. Create a Lambda function to pull memory data from the EC2 instances.
Answer: B

The CloudWatch agent collects memory and other custom metrics.

Why this answer

The CloudWatch agent is required to publish custom memory metrics from EC2 instances because memory utilization is not a standard metric provided by default. By installing and configuring the agent, the administrator can collect memory usage data and create a CloudWatch alarm to trigger Auto Scaling actions when usage exceeds 80%.

Exam trap

The trap here is that candidates often assume memory metrics are automatically available in CloudWatch like CPU utilization, but AWS intentionally excludes guest-level metrics (memory, disk, swap) by default, requiring the CloudWatch agent to be installed and configured.

How to eliminate wrong answers

Option A is wrong because enabling detailed monitoring on the Auto Scaling group only increases the frequency of standard EC2 metrics (e.g., CPU, network) to 1-minute intervals, but does not add memory metrics. Option C is wrong because CloudWatch does not provide a default EC2 memory metric; memory is a guest-level metric that must be explicitly reported by an agent. Option D is wrong because while a Lambda function could theoretically pull memory data, it is an unnecessarily complex and indirect approach compared to the straightforward, supported method of using the CloudWatch agent, and it would require custom code and permissions management.

1148
MCQ · hard

The monitoring team needs to collect per-process CPU and memory utilization for a specific Java process (named 'app.jar') running on EC2 Linux instances. Standard EC2 metrics show aggregate CPU but not per-process details. Which CloudWatch agent configuration section enables this?

A. Add a procstat section under metrics_collected in the CloudWatch agent config, specifying process_name = 'app.jar' to collect per-process CPU and memory
B. Enable enhanced monitoring on the EC2 instance and select 'per-process metrics' from the console
C. Configure a CloudWatch Logs metric filter on the Java GC log output to derive CPU and memory figures
D. Use the aws ec2 describe-instance-status API on a schedule to pull process metrics from the instance's system status checks
Answer: A

The procstat plugin uses the Linux /proc filesystem to sample per-process resource usage. With process_name set to 'app.jar', the agent matches the running JVM process and publishes metrics like procstat_cpu_usage and procstat_memory_rss to CloudWatch every collection interval. These metrics carry instance ID and process name dimensions.

Why this answer

The CloudWatch agent's `procstat` plugin is specifically designed to collect per-process metrics such as CPU and memory utilization. By adding a `procstat` section under `metrics_collected` in the agent configuration file and specifying the process name (e.g., `process_name = 'app.jar'`), the agent will gather the required per-process metrics and send them to CloudWatch. This is the only native method within the CloudWatch ecosystem to achieve per-process monitoring on EC2 Linux instances.

Exam trap

The trap here is the phrase 'enhanced monitoring': EC2 offers detailed monitoring (the same hypervisor-level metrics at 1-minute resolution), and Enhanced Monitoring is an Amazon RDS feature; neither can see individual processes inside an EC2 guest. Candidates may also assume that CloudWatch Logs metric filters can derive CPU/memory metrics from application logs, when a metric filter can only extract numbers that the log text already contains. Only the CloudWatch agent's `procstat` plugin collects actual OS-level per-process resource utilization.

How to eliminate wrong answers

Option B is wrong because there is no 'enhanced monitoring' or 'per-process metrics' switch for EC2 instances; EC2 detailed monitoring only raises the frequency of the hypervisor-level metrics (CPU, network, disk I/O, credit usage) to 1 minute, and Enhanced Monitoring is an RDS feature. Neither looks inside the guest OS. Option C is wrong because a CloudWatch Logs metric filter can only turn values already present in log lines into metrics; JVM GC logs record pause times and heap occupancy, not the process's OS-level CPU or resident memory. Option D is wrong because `aws ec2 describe-instance-status` returns instance and system status checks (reachability, scheduled events) and has no visibility into processes running inside the instance.
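The point that decides this question is which selector key identifies the JVM. The following is an added example (not part of the original question bank) that models the agent's documented matching rules against a constructed process table and builds the matching procstat section of an agent config; the process list, the regular expressions and the helper names are assumptions made for the illustration.

```python
import json
import re

# Constructed stand-in for what the agent reads from /proc: (pid, comm, cmdline).
# "comm" is the short process name that pgrep matches without -f; cmdline is the full argv.
SAMPLE_PROCESSES = [
    (812, "java", "java -Xmx2g -jar /opt/app/app.jar --port 8080"),
    (913, "java", "java -jar /opt/tools/metrics-exporter.jar"),
    (1044, "nginx", "nginx: master process /usr/sbin/nginx"),
    (1201, "python3", "python3 /opt/app/app.jar.backup-checker.py"),
]


def select_processes(selector, processes):
    """Return the pids a procstat selector would sample.

    Mirrors the agent's documented matching rules: 'exe' is a regex tested
    against the process name (pgrep semantics), 'pattern' is a regex tested
    against the full command line (pgrep -f semantics). pid_file is not modelled.
    """
    if "exe" in selector:
        rx = re.compile(selector["exe"])
        return [pid for pid, comm, _ in processes if rx.search(comm)]
    if "pattern" in selector:
        rx = re.compile(selector["pattern"])
        return [pid for pid, _, cmdline in processes if rx.search(cmdline)]
    raise ValueError("selector needs 'exe' or 'pattern'")


def agent_config(pattern, interval=60):
    """Build the procstat part of a CloudWatch agent config for one command-line pattern."""
    return {
        "metrics": {
            "append_dimensions": {"InstanceId": "${aws:InstanceId}"},
            "metrics_collected": {
                "procstat": [
                    {
                        "pattern": pattern,
                        "measurement": ["cpu_usage", "memory_rss"],
                        "metrics_collection_interval": interval,
                    }
                ]
            },
        }
    }


def published_metric_names(config):
    """Names that appear in CloudWatch: the agent prefixes each measurement with 'procstat_'."""
    names = []
    for entry in config["metrics"]["metrics_collected"]["procstat"]:
        names.extend("procstat_" + m for m in entry["measurement"])
    return names


if __name__ == "__main__":
    # exe matches every JVM on the box; a loose pattern also catches the unrelated python job.
    print("exe=java matches:", select_processes({"exe": "java"}, SAMPLE_PROCESSES))
    print("pattern=app\\.jar matches:", select_processes({"pattern": r"app\.jar"}, SAMPLE_PROCESSES))
    print("anchored pattern matches:", select_processes({"pattern": r"java .*app\.jar"}, SAMPLE_PROCESSES))
    cfg = agent_config(r"java .*app\.jar")
    print(json.dumps(cfg, indent=2))
    print(published_metric_names(cfg))
```

The anchored pattern is the one to ship: `exe` would merge two JVMs into one metric series, and a bare `app\.jar` also matches a sidecar whose argument happens to contain that string. Write the JSON into /opt/aws/amazon-cloudwatch-agent/etc/ and restart the agent with amazon-cloudwatch-agent-ctl to apply it.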

1149
MCQmedium

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB) in the us-west-2 Region. Users are distributed globally and experience high latency. The SysOps administrator wants to improve latency and offload SSL termination to the edge. Which AWS service should be used with the ALB as the origin?

A.Amazon CloudFront
B.AWS Global Accelerator
C.AWS WAF (Web Application Firewall)
D.Amazon Route 53 with Latency Based Routing
AnswerA

CloudFront is a CDN that reduces latency by serving content from edge locations. It can terminate SSL at the edge, improving performance and reducing load on the origin.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that serves content from edge locations worldwide, reducing latency for global users and caching cacheable responses. It offloads TLS termination to the edge by accepting HTTPS from clients and forwarding to the ALB origin, which directly addresses both requirements. Two practical caveats: keep the origin protocol policy set to HTTPS so traffic between CloudFront and the ALB is still encrypted, and restrict the ALB so it only accepts traffic from CloudFront (for example by allowing only the managed prefix list com.amazonaws.global.cloudfront.origin-facing in the ALB security group, or by requiring a secret custom origin header), otherwise clients can bypass the edge and any WAF rules attached there.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with CloudFront, thinking both provide caching, but Global Accelerator only optimizes network path routing and does not cache content or terminate SSL at the edge.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it improves latency by routing traffic over the AWS global network using Anycast IPs, but it does not cache content or offload SSL termination at the edge; SSL termination still occurs at the ALB or EC2 instances. Option C (AWS WAF) is wrong because it is a web application firewall that filters malicious traffic, not a service for reducing latency or offloading SSL termination. Option D (Amazon Route 53 with Latency Based Routing) is wrong because it only directs DNS queries to the lowest-latency endpoint, but it does not cache content or terminate SSL at the edge; the actual traffic still goes directly to the ALB, and SSL termination remains at the origin.

1150
MCQmedium

A SysOps administrator deploys a web application using AWS Elastic Beanstalk. The administrator wants to deploy a new application version with zero downtime and minimize the risk of failure by launching a completely new set of instances before swapping traffic. Which deployment policy should the administrator choose?

A.All at once
B.Rolling
C.Rolling with additional batch
D.Immutable
AnswerD

Launches a fresh set of instances in a temporary Auto Scaling group, health-checks them on the new version before they take production load, and only then retires the old instances, giving zero downtime and a simple abort path.

Why this answer

The Immutable deployment policy (Option D) is correct because Elastic Beanstalk launches a temporary Auto Scaling group inside the environment, starts a single instance with the new version there, and proceeds only if that instance passes health checks. It then scales the temporary group to the original capacity, registers the new instances with the environment's load balancer, moves them into the original Auto Scaling group and terminates the old instances. The original instances are never modified, so if the new instances fail health checks the temporary group is simply terminated and the environment keeps running the previous version; that is what minimizes failure risk. Full capacity is kept throughout, at the cost of briefly running double capacity.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' (Option C) with Immutable because both add new instances, but only Immutable keeps every existing instance untouched until a full replacement fleet has passed health checks; Rolling with additional batch still updates the existing instances in place, batch by batch, so a bad version reaches production instances and has to be rolled back by a further deployment.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all existing instances simultaneously, causing downtime during the deployment and a full outage if the deployment fails. Option B is wrong because 'Rolling' updates batches of existing instances in place, reducing capacity during the update and not launching a completely new set of instances, so there is no isolation from a bad version. Option C is wrong because 'Rolling with additional batch' adds one batch of new instances to preserve capacity and then still updates the existing instances in place; it avoids the capacity dip of plain rolling but does not keep the old fleet intact until the new one is proven healthy, which is what the question asks for.

1151
MCQmedium

A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?

A.Use AWS Config with a custom rule backed by an AWS Lambda function that checks if 'x-amz-server-side-encryption' is 'aws:kms' and auto-remediates by attaching a bucket policy that denies PUTs without SSE-KMS.
B.Enable default encryption on the AWS account's S3 buckets using an S3 account-level setting in the S3 console, which automatically applies SSE-KMS to all new buckets.
C.Create an AWS CloudTrail event that triggers an AWS Lambda function when a bucket is created, and the Lambda applies SSE-KMS encryption. Use AWS Config to periodically scan existing buckets and apply encryption.
D.Use AWS Identity and Access Management (IAM) with a Service Control Policy (SCP) that denies any S3 bucket creation without SSE-KMS enabled, and use AWS Config to detect and notify on non-compliance.
AnswerA

This pairs AWS Config (continuous detection of buckets whose default encryption is not SSE-KMS) with Lambda (remediation), a standard pattern. The remediation should call the PutBucketEncryption API to set SSE-KMS as the bucket's default encryption, which is what 'apply the encryption configuration' means; the bucket policy that denies PutObject without the SSE-KMS header then stops clients from overriding that default with another algorithm. Default encryption applies to new objects only; existing objects keep whatever encryption they were written with unless they are copied over themselves. The Lambda function is the only custom code.

Why this answer

Option A is correct because it uses AWS Config with a Lambda-backed rule to detect non-compliant S3 buckets (those whose default encryption is not SSE-KMS) and to auto-remediate, applying the SSE-KMS configuration and a bucket policy that denies PUT requests that do not carry 'x-amz-server-side-encryption: aws:kms'. Config evaluates existing buckets when the rule is created and new or changed buckets on every configuration change, so both cases are covered with managed services (AWS Config, Lambda, S3) and a single custom function. In practice the managed rule s3-default-encryption-kms with an SSM Automation remediation needs even less code, but that combination is not among the options.

Exam trap

The trap here is that candidates often confuse S3 default encryption (a per-bucket setting that applies to new objects written to that bucket) with an account-wide control, leading them to choose Option B or D, neither of which can detect or remediate existing non-compliant buckets.

How to eliminate wrong answers

Option B is wrong because there is no account-level S3 default encryption setting; default encryption is configured per bucket (S3 applies SSE-S3 to new objects by default, but SSE-KMS must be set on each bucket), it affects only objects written after it is set, and it provides no detection of buckets that are not compliant. Option C is wrong because it needs both a CloudTrail/EventBridge-triggered Lambda and a separate Config-driven scan, more custom code and moving parts than Option A, and the creation-event trigger misses later changes to a bucket's encryption configuration. Option D is wrong because service control policies belong to AWS Organizations, not IAM; an SCP can deny requests that lack the expected encryption condition, but it cannot detect or fix existing buckets, and AWS Config without a remediation action only reports non-compliance.

1152
MCQhard

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to send logs to CloudWatch Logs. Which steps are necessary to allow this without traversing the internet? (Select TWO.)

A.Place the instance in a public subnet with a public IP.
B.Attach an IAM role to the instance with permissions to call PutLogEvents.
C.Create a VPC endpoint for CloudWatch Logs (com.amazonaws.region.logs).
D.Ensure the instance is in the default VPC.
E.Attach a NAT gateway to the private subnet's route table.
AnswerB, C

The instance needs IAM permissions to send logs to CloudWatch Logs.

Why this answer

Option B is correct because the EC2 instance must have an IAM role whose policy grants the CloudWatch Logs actions the agent uses, at minimum `logs:PutLogEvents` together with `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:DescribeLogStreams` (the managed policy CloudWatchAgentServerPolicy covers these). Without the role the instance cannot sign API requests, even if network connectivity exists. Option C is correct because an interface VPC endpoint for CloudWatch Logs (com.amazonaws.region.logs) provides private connectivity via AWS PrivateLink, so the instance sends logs without traversing the internet or a NAT gateway. For the endpoint to work, its security group must allow inbound TCP 443 from the instance, and private DNS should stay enabled so the default logs.region.amazonaws.com hostname resolves to the endpoint's private IP addresses.

Exam trap

The trap here is that candidates often assume a NAT gateway is required for private subnet outbound traffic, but for AWS services like CloudWatch Logs, a VPC endpoint provides a more secure and direct path without internet traversal.

How to eliminate wrong answers

Option A is wrong because placing the instance in a public subnet with a public IP would expose it to the internet, which violates the requirement to avoid traversing the internet and introduces unnecessary security risks. Option D is wrong because being in the default VPC does not inherently provide private connectivity to CloudWatch Logs; the default VPC still requires either a NAT gateway or a VPC endpoint for outbound traffic to AWS services. Option E is wrong because a NAT gateway provides internet access for private subnets, but it forces traffic to traverse the internet, which contradicts the requirement to avoid internet traversal; a VPC endpoint is the correct solution for private connectivity.

1153
Multi-Selectmedium

A SysOps administrator is designing a deployment pipeline using AWS CodePipeline. The pipeline must include a build stage, a test stage, and a deployment stage. The administrator wants to ensure that if the build stage fails, the pipeline stops and notifies the team. Which TWO actions should the administrator take to meet these requirements? (Choose two.)

Select 2 answers
A.Configure the pipeline to stop on failure in the build stage.
B.Configure an Amazon SNS topic to send notifications on pipeline stage failures.
C.Set up an Amazon CloudWatch Events rule to detect build failures and send an email.
D.Add a manual approval action after the build stage to review results.
E.Use AWS CodeBuild as the build provider and configure it to stop the pipeline on failure.
AnswersA, B

Correct: a failed action fails its stage and halts the pipeline execution, and a notification rule to SNS alerts the team.

Why this answer

The correct answers are A and B. When the build action fails, CodePipeline marks the build stage as failed and stops the execution; no later stage runs until the failure is retried or a new execution starts, which is the 'stop on failure' behaviour Option A describes (A). A CodePipeline notification rule that publishes pipeline or stage failure events to an Amazon SNS topic delivers the alert to the team by e-mail, chat or another subscriber (B).

Option C is wrong because an EventBridge (CloudWatch Events) rule for a CodePipeline stage execution state change of FAILED can send a notification, but it still needs an SNS topic as its target; it is an alternative route to the same outcome as B, not a second requirement. Option D is wrong because a manual approval action is a gate for human review, not an automatic stop or a notification. Option E is wrong because CodeBuild only reports the build's success or failure back to the pipeline; stopping the execution is CodePipeline's own behaviour, not a CodeBuild setting.

1154
MCQeasy

A SysOps administrator uses AWS CodeDeploy to deploy a new version of an application to an Auto Scaling group. The deployment uses the 'CodeDeployDefault.OneAtATime' deployment configuration. During the deployment, the first instance succeeds, but subsequent instances fail because the new application version has a bug that causes the application health check to fail. The administrator wants to immediately roll back the change and restore the previous working version on all instances. Which action should the administrator take?

A.Initiate a rollback from the CodeDeploy console to redeploy the previous working revision.
B.Stop the deployment immediately; the instances that have already been updated will revert automatically.
C.Edit the deployment group settings to pause deployments after a failure, then manually fix the instances.
D.Redeploy the same failing revision but with a different deployment configuration.
AnswerA

A rollback is a new deployment of the last revision that succeeded, pushed to every instance in the deployment group, so the working version is restored on the instances that already received the bad revision.

Why this answer

Option A is correct because CodeDeploy rolls back by redeploying the last known good revision as a new deployment to all instances in the deployment group, including those already updated. If automatic rollback on deployment failure is enabled on the deployment group this happens without intervention once the deployment fails; otherwise the administrator triggers it from the console by creating a deployment of the previous revision. Either way the entire Auto Scaling group ends up on the previous working version.

Exam trap

The trap here is that candidates mistakenly think stopping a deployment automatically reverts instances, but in CodeDeploy, stopping only halts the deployment process without rolling back already-updated instances.

How to eliminate wrong answers

Option B is wrong because stopping a deployment does not trigger an automatic revert; instances that have already been updated remain on the new (failing) revision and require a manual rollback or redeployment of the previous version. Option C is wrong because editing the deployment group to pause after failures does not fix the already-failed instances; it only affects future deployments, and manual fixes are not an automated rollback solution. Option D is wrong because redeploying the same failing revision, even with a different deployment configuration, will still deploy the buggy version and cause the same health check failures.

1155
Multi-Selecthard

A company wants to back up its on-premises file servers to AWS for disaster recovery. The data changes frequently, and the company needs to minimize data loss. Which THREE steps should the company take? (Select THREE.)

Select 3 answers
A.Use AWS Backup to create backup plans for the Storage Gateway.
B.Use S3 Transfer Acceleration for uploads.
C.Configure the file gateway to cache data locally for frequently accessed files.
D.Set up S3 Cross-Region Replication from the backup bucket.
E.Deploy an AWS Storage Gateway file gateway on-premises.
AnswersA, C, E

AWS Backup automates scheduled, retained backups of Storage Gateway data in AWS.

Why this answer

Options A, C, and E are correct. An S3 File Gateway deployed on-premises (E) presents an NFS/SMB share and writes the files to Amazon S3 as objects, keeping a local cache for frequently accessed data (C), so changes reach AWS shortly after they are written, which minimizes data loss. AWS Backup (A) then provides scheduled, retained copies of the gateway data. One caveat a practitioner should check: AWS Backup's native Storage Gateway support is for Volume Gateway volumes; data written through an S3 File Gateway lives in S3, where AWS Backup for S3, versioning and replication are the protection mechanisms. Option B is wrong because S3 Transfer Acceleration speeds up uploads to a bucket over long distances; it is not a backup mechanism.

Option D is wrong because S3 Cross-Region Replication copies objects from one bucket to another; it can add a second-Region copy once the data is in S3, but it does not get the on-premises data into AWS in the first place.

1156
Multi-Selecthard

A company is designing a multi-tier application in a VPC. The web tier must be in public subnets and the application tier in private subnets. The application tier needs to receive traffic only from the web tier. Which TWO configurations are required?

Select 2 answers
A.Configure the security group for the application tier to allow inbound traffic from the web tier's security group.
B.Ensure the web tier instances have a route to an Internet Gateway for user traffic.
C.Use a network ACL on the private subnet to deny all inbound traffic except from the public subnet CIDR.
D.Add a route to the Internet Gateway in the private subnet's route table.
E.Assign public IP addresses to the application tier instances for outbound access.
AnswersA, B

Security group referencing allows traffic from specific sources.

Why this answer

Option A is correct because security groups support stateful, rule-based traffic control using logical references to other security groups. By specifying the web tier's security group as the source in the application tier's inbound rule, traffic is allowed only from instances associated with that web tier security group, regardless of IP address changes. This provides a more secure and manageable configuration than using CIDR blocks, as it automatically adapts to scaling or instance replacements. Option B is correct because the web tier lives in public subnets and must receive user traffic from the internet, which requires a route to an Internet Gateway in those subnets' route table (together with public or Elastic IP addresses on the web instances, or a public load balancer in front of them).

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and assume that a network ACL denying all inbound traffic except from the public subnet CIDR is sufficient, overlooking that a stateless ACL also needs matching outbound rules for ephemeral ports and that it cannot distinguish the web tier from anything else placed in the public subnet, which a security group reference can.

How to eliminate wrong answers

Option C is wrong because a subnet-level network ACL keyed on the public subnet CIDR is coarser than a security group reference (any instance in the public subnet would be allowed), is stateless (return traffic needs explicit outbound rules), and is not required to meet the stated requirement. Option D is wrong because adding an Internet Gateway route to the private subnet's route table makes the application tier reachable from the internet, defeating the purpose of the private subnet. Option E is wrong because public IP addresses on the application tier expose it directly; outbound access from a private subnet, if needed, goes through a NAT gateway.

1157
MCQhard

A company's security policy requires that all Amazon S3 buckets must be non-publicly accessible. The SysOps administrator needs to automatically detect any bucket that becomes publicly accessible and automatically remediate it by applying a bucket policy that blocks public access. The solution should use AWS managed services with minimal custom code. Which combination of services should be used?

A.AWS IAM Access Analyzer with Amazon EventBridge
B.AWS Config with managed rule and automatic remediation via SSM Automation
C.AWS CloudTrail and AWS Lambda
D.AWS Trusted Advisor and Amazon SNS
AnswerB

Evaluates compliance and automatically applies remediation using managed automation.

Why this answer

AWS Config with a managed rule (e.g., s3-bucket-public-read-prohibited or s3-bucket-public-write-prohibited) continuously evaluates S3 bucket configurations against the security policy. When a bucket becomes publicly accessible, AWS Config triggers an automatic remediation action using an SSM Automation document that removes the public access, all without custom code. Config re-evaluates on every configuration change of the bucket, so the window between a bucket becoming public and being fixed is minutes. In practice, a runbook that turns on S3 Block Public Access for the bucket is the most robust remediation: it overrides public ACLs as well as public bucket policies, which a bucket policy alone cannot do.

Exam trap

The trap here is that candidates often choose AWS IAM Access Analyzer (Option A) because it detects public access, but they overlook that it lacks built-in automatic remediation, requiring additional services and custom code to achieve the full requirement.

How to eliminate wrong answers

Option A is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify external access, but it does not provide automatic remediation; it only generates findings and requires separate automation via EventBridge and custom logic. Option C is wrong because AWS CloudTrail records API calls but does not evaluate bucket configurations or trigger remediation; using Lambda would require custom code, violating the 'minimal custom code' requirement. Option D is wrong because AWS Trusted Advisor checks for publicly accessible S3 buckets but only provides recommendations and alerts via SNS; it cannot automatically remediate the issue.

1158
MCQmedium

A company has a VPC with public and private subnets. An Amazon EC2 instance in a private subnet needs to access an Amazon S3 bucket in the same AWS Region. The SysOps administrator wants to ensure the traffic does not traverse the internet. Which solution should be implemented?

A.Create a VPC Gateway Endpoint for S3.
B.Deploy a NAT Gateway in the public subnet and add a route to the private subnet's route table.
C.Attach an Internet Gateway to the VPC and add a default route in the private subnet's route table.
D.Set up an AWS Direct Connect connection to the S3 bucket.
AnswerA

Correct. A VPC Gateway Endpoint provides private connectivity to S3 within the same region without internet exposure.

Why this answer

A VPC Gateway Endpoint for S3 allows instances in a private subnet to access S3 without traversing the internet. It uses AWS's internal network, adding a route for the S3 prefix list to the associated route tables, so data stays within the AWS backbone. This meets the requirement of no internet traversal while providing secure, low-latency access to S3. Because it is a route-table construct rather than an elastic network interface, a gateway endpoint has no security group and no hourly charge; access is shaped by the endpoint policy and, on the bucket side, by a bucket policy condition on aws:SourceVpce, which is how to guarantee the bucket can only be reached through this VPC.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints with Interface Endpoints or assume a NAT Gateway is required for private subnet outbound traffic, overlooking that S3 and DynamoDB can be accessed via Gateway Endpoints without internet connectivity.

How to eliminate wrong answers

Option B is wrong because a NAT Gateway enables outbound internet access for private instances, but traffic would still traverse the internet to reach S3, violating the requirement. Option C is wrong because attaching an Internet Gateway and adding a default route to the private subnet would route all traffic (including S3 requests) through the internet, which is not allowed. Option D is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a solution for VPC-to-S3 access within the same region; it adds unnecessary complexity and cost.

1159
MCQeasy

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The SysOps administrator receives reports that some users are experiencing intermittent HTTP 503 errors. What is the most likely cause?

A.The security group attached to the ALB does not allow inbound traffic on port 443.
B.The health checks are failing for the target group, causing the ALB to stop sending traffic to all instances.
C.The EC2 instances do not have the correct IAM role to register with the ALB.
D.The ALB idle timeout is set too low.
AnswerB

When the target group has no healthy targets, the ALB itself answers 503.

Why this answer

An HTTP 503 generated by an Application Load Balancer means the ALB had no target to forward the request to: the target group has no registered targets, or every registered target is failing health checks at that moment. Intermittent 503s typically mean targets are flapping between healthy and unhealthy, so some requests arrive while none is healthy. In the ALB access logs these requests show a target of '-', processing times of -1 and a target_status_code of '-', which distinguishes them from a 503 returned by the application itself.

Exam trap

The trap here is that candidates often confuse HTTP 503 errors with connectivity or timeout issues, but an ALB-generated 503 specifically means no healthy target was available; security group or timeout misconfigurations produce connection failures or 504s instead.

How to eliminate wrong answers

Option A is wrong because if the ALB security group did not allow inbound traffic on port 443, clients could not complete a connection to the ALB at all and would see connection timeouts rather than an HTTP 503 response. Option C is wrong because EC2 instances do not require an IAM role to register with an ALB; registration is handled by the Auto Scaling group or by manual attachment to the target group, and IAM roles govern API calls, not target registration. Option D is wrong because an idle timeout that is too low causes the ALB to give up on slow targets and return 504 Gateway Timeout, not 503 Service Unavailable.
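Telling an ALB-generated 503 apart from a 503 the application returned is the first step of the investigation, and the access log carries the evidence. The following is an added example (not part of the original question bank) that parses a handful of constructed, abbreviated ALB access log lines and classifies each 5xx by whether the ALB or a target produced it; the log lines, the ALB name and the classification labels are assumptions made for the illustration.

```python
import shlex
from collections import Counter

# Constructed, abbreviated ALB access log lines (real lines carry more trailing
# fields; only the leading ones are parsed here). Field order follows the
# documented ALB access log format: type, time, elb, client:port, target:port,
# request_processing_time, target_processing_time, response_processing_time,
# elb_status_code, target_status_code, received_bytes, sent_bytes, "request", "user_agent"
SAMPLE_LOG = """\
http 2024-05-01T12:00:01.100Z app/web-alb/1a2b3c 203.0.113.5:51234 10.0.1.20:8080 0.001 0.012 0.000 200 200 345 1024 "GET http://www.example.com:80/ HTTP/1.1" "curl/8.0"
http 2024-05-01T12:00:02.200Z app/web-alb/1a2b3c 203.0.113.7:51235 - -1 -1 -1 503 - 345 0 "GET http://www.example.com:80/ HTTP/1.1" "Mozilla/5.0"
http 2024-05-01T12:00:02.300Z app/web-alb/1a2b3c 203.0.113.9:51236 10.0.2.31:8080 0.001 0.009 0.000 503 503 345 210 "POST http://www.example.com:80/api HTTP/1.1" "curl/8.0"
http 2024-05-01T12:00:03.400Z app/web-alb/1a2b3c 203.0.113.7:51237 - -1 -1 -1 503 - 345 0 "GET http://www.example.com:80/health HTTP/1.1" "Mozilla/5.0"
http 2024-05-01T12:00:04.500Z app/web-alb/1a2b3c 203.0.113.5:51238 10.0.1.20:8080 0.001 60.000 -1 504 - 345 0 "GET http://www.example.com:80/slow HTTP/1.1" "curl/8.0"
"""


def parse_line(line):
    """Split one access log line, honouring the quoted request and user-agent fields."""
    f = shlex.split(line)
    return {
        "time": f[1], "client": f[3], "target": f[4],
        "elb_status": f[8], "target_status": f[9], "request": f[12],
    }


def classify(rec):
    """Explain a 5xx. The ALB itself generated the response whenever
    target_status_code is '-' (no target response was received). A 503 with no
    target at all means the target group had no registered or healthy target."""
    if not rec["elb_status"].startswith("5"):
        return "ok"
    if rec["target_status"] != "-":
        return "from_target"
    if rec["elb_status"] == "503" and rec["target"] == "-":
        return "alb_no_healthy_target"
    return "alb_generated"


def summarize(log_text):
    """Count requests by (elb_status_code, classification)."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            counts[(rec["elb_status"], classify(rec))] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

On a real investigation the same split maps onto CloudWatch: ALB-generated 503s count in HTTPCode_ELB_503_Count, while a 503 from the application counts in HTTPCode_Target_5XX_Count; if the former is non-zero, look at UnHealthyHostCount and the target group's health check settings before touching the application.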

1160
MCQeasy

A SysOps administrator needs to deploy a new version of an application that runs on Amazon EC2 instances in an Auto Scaling group. The deployment should minimize downtime and roll back automatically if health checks fail. Which deployment method should the administrator use?

A.Canary deployment
B.Blue/green deployment using a new Auto Scaling group and an Application Load Balancer
C.Rolling update via an Auto Scaling group
D.In-place deployment
AnswerB

Blue/green minimizes downtime and allows easy rollback.

Why this answer

Blue/green deployment with a second Auto Scaling group behind an Application Load Balancer brings up the new version on fresh instances, shifts traffic to them once they pass health checks, and shifts it back (or never shifts it) if they fail, so rollback is a traffic change rather than a redeployment. Option A is wrong because a canary release is a traffic-shifting pattern (a small slice of users first); on its own it does not provide the separate fleet and health-check-driven rollback the question asks for, and for EC2 it is built on top of a blue/green deployment anyway. Option C is wrong because a rolling update replaces or updates instances in the existing Auto Scaling group in batches, so a bad version reaches production instances and has to be rolled back by another update.

Option D is wrong because an in-place deployment updates the application on the existing instances, which reduces capacity during the update and offers no fast rollback other than deploying the previous version again.

1161
MCQmedium

A company uses AWS CloudFormation to manage its infrastructure. The SysOps Administrator needs to update a stack that contains an Amazon RDS DB instance. The update requires changing the DB instance class from db.t2.medium to db.t3.medium. The RDS instance has a deletion policy of 'Snapshot' in the current template. The administrator wants to minimize downtime and ensure no data loss. The current stack update fails because CloudFormation attempts to replace the DB instance, causing a long downtime. What should the administrator do to successfully update the stack with minimal downtime?

A.Modify the DB instance class directly in RDS using the AWS CLI or console, then update the CloudFormation stack to match.
B.Change the deletion policy to 'Retain' in the template and then update the stack.
C.Create a new CloudFormation stack with the new instance class and migrate the data.
D.Delete the stack, modify the template, and recreate the stack.
AnswerA

Bringing the live resource to the desired state first means the stack update finds nothing to replace.

Why this answer

Option A is correct. Modifying the RDS instance class directly via the AWS CLI or console (RDS applies it with a short reboot, immediately or at the next maintenance window) and then updating the CloudFormation template to the same class lets the stack update complete without touching the resource, because the live state already matches the desired state. Until that stack update is run the stack shows drift for the DBInstanceClass property, so run it promptly. Note that in CloudFormation a change to DBInstanceClass alone is an update with some interruption (a reboot), not a replacement; replacement is triggered by properties such as DBName or the engine, so if a stack update is replacing the instance, check which other properties changed as well. Option B is wrong because the deletion policy only governs what happens to the instance when it is removed or replaced (a final snapshot versus retaining the instance); it does not prevent the replacement.

Option C is wrong because creating a new stack with the new instance class does not update the existing resource and would require a data migration and a cut-over. Option D is wrong because deleting and recreating the stack causes a long outage and depends on restoring from the snapshot to avoid data loss.

1162
MCQmedium

A SysOps administrator notices that an IAM user can access the AWS Management Console but cannot use the AWS CLI. The user has a password and an access key. What is the most likely cause?

A.The secret access key was not saved during creation
B.The user's access key is inactive
C.The user is using the wrong password for the CLI
D.The IAM policy denies CLI access unless MFA is present
AnswerD

A policy condition that denies API calls made without MFA affects CLI calls signed with long-term access keys but not a console session that completed MFA.

Why this answer

If the user can sign in to the console but every CLI call is refused, the credentials are being authenticated but the actions are being denied, which points at a policy. A common pattern is a Deny statement conditioned on aws:MultiFactorAuthPresent: the console session carries that key as true after the user completes MFA, while CLI calls signed with a long-term access key carry no MFA context (the key is absent from the request) and are denied. The user would need temporary credentials from sts get-session-token with an MFA code for the CLI to pass the condition.

Option D is correct. Option A is wrong because a secret access key that was never saved cannot be configured in the CLI at all, so the symptom would be missing or invalid credentials on every call rather than denied actions. Option B is wrong because an inactive access key is rejected at authentication, again with an invalid-credential error on every call, not a policy denial; the question describes a user whose key is valid and usable.

Option C is wrong because the CLI does not use the console password; it signs requests with the access key ID and secret access key.
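Both the SSE-KMS bucket policy in question 1151 and the MFA condition in this question turn on how a condition operator treats a key that is absent from the request context. The following is an added example (not part of the original question bank, and not AWS's policy engine) that writes both policies out and evaluates their Deny statements against constructed request contexts with a small evaluator for the five operators involved; the bucket name, Sids, the NotAction list and the evaluator itself are assumptions made for the illustration.

```python
import fnmatch

# Bucket policy statements for the SSE-KMS question, as the deny pair AWS's own
# guidance uses: one statement rejects an explicit non-KMS choice, the other
# rejects requests that omit the header entirely.
SSE_KMS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyNonKms", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def mfa_deny_policy(operator):
    """Identity policy that denies everything except bootstrapping an MFA session.
    operator is 'BoolIfExists' (correct) or 'Bool' (the common mistake)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyWithoutMfa", "Effect": "Deny",
         "NotAction": ["sts:GetSessionToken", "iam:ListMFADevices"], "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}


def condition_matches(operator, key, expected, ctx):
    """Toy evaluator for the operators used above; values are compared as strings.
    Missing-key handling is the whole point: this toy treats a missing key as
    not matching for StringNotEquals, which is why the bucket policy also
    carries the Null statement, and models Bool versus BoolIfExists as documented."""
    present = key in ctx
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":
        return present and ctx[key] != expected
    if operator == "Null":
        return (not present) == (expected == "true")
    if operator == "Bool":
        return present and ctx[key] == expected
    if operator == "BoolIfExists":
        return (not present) or ctx[key] == expected
    raise ValueError(f"operator not modelled: {operator}")


def statement_applies(stmt, action, ctx):
    """True when the action matches (Action or NotAction) and every condition holds."""
    if "Action" in stmt:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            return False
    if "NotAction" in stmt and any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"]):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_matches(operator, key, expected, ctx):
                return False
    return True


def explicit_deny(policy, action, ctx):
    """Sids of Deny statements matching this request context (empty list = not denied)."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and statement_applies(s, action, ctx)]


if __name__ == "__main__":
    # Constructed request contexts: a KMS upload, an AES256 upload, and an upload with no header.
    for ctx in ({"s3:x-amz-server-side-encryption": "aws:kms"},
                {"s3:x-amz-server-side-encryption": "AES256"}, {}):
        print("PutObject", ctx, "->", explicit_deny(SSE_KMS_BUCKET_POLICY, "s3:PutObject", ctx))
    # Long-term access keys carry no aws:MultiFactorAuthPresent key at all.
    for operator in ("BoolIfExists", "Bool"):
        print(operator, "CLI with access key ->",
              explicit_deny(mfa_deny_policy(operator), "s3:ListAllMyBuckets", {}))
```

Two things the run shows. With `Bool` instead of `BoolIfExists`, a CLI call made with long-term keys is not denied at all, because the key is absent and a plain `Bool` test on an absent key is simply false; `BoolIfExists` is what makes "no MFA context" count as "not MFA-authenticated". And the `DenyMissingHeader` statement has a side effect worth weighing: once the bucket's default encryption is SSE-KMS, uploads without the header would be KMS-encrypted anyway, so that statement mainly breaks clients that rely on the default; keep `DenyNonKms` and decide deliberately whether you need the second one.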

1163
MCQmedium

A SysOps administrator is investigating a security incident and needs to determine who deleted an S3 bucket. Which AWS service should be used to find this information?

A.AWS CloudTrail
B.AWS Trusted Advisor
C.S3 server access logs
D.CloudWatch Logs for the S3 service
AnswerA

CloudTrail records all management events, including DeleteBucket.

Why this answer

AWS CloudTrail is the correct service because it records API activity across AWS services, including S3 bucket deletion events. When a user or role deletes an S3 bucket, CloudTrail logs the `DeleteBucket` API call with the calling identity (and, for an assumed role, the role and session name), source IP address, user agent and timestamp, enabling the administrator to identify the responsible entity. Management events such as this are recorded by every trail by default and are also available for 90 days in the CloudTrail console's Event history even if no trail was configured.

Exam trap

The trap here is that candidates confuse S3 server access logs (per-bucket request logs, delivered on a best-effort basis and only for buckets that had logging turned on) with CloudTrail (the account-wide record of management-plane API calls), and pick server access logs for a bucket deletion.

How to eliminate wrong answers

Option B (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost, performance, security, and fault tolerance, but does not record or log API calls like S3 bucket deletions. Option C (S3 server access logs) is wrong because they are a per-bucket, best-effort request log that must be enabled ahead of time with a target bucket; they are not the account-wide, authoritative record of management-plane calls such as `DeleteBucket`, and the bucket being investigated may never have had logging enabled. Option D (CloudWatch Logs for the S3 service) is wrong because S3 does not emit API activity to CloudWatch Logs on its own; CloudWatch Logs can receive CloudTrail events if the trail is configured to deliver to a log group, but the source of the `DeleteBucket` record is still CloudTrail.
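What the investigator actually reads out of the trail is the record shape: eventName, userIdentity (including the session issuer for an assumed role), sourceIPAddress and, for a refused attempt, errorCode. The following is an added example (not part of the original question bank) that scans a constructed CloudTrail log file in the {"Records": [...]} form CloudTrail delivers to S3 and lists every DeleteBucket attempt, successful or not; the account ID, principals, bucket names, IP addresses and timestamps are constructed for the illustration.

```python
import json

# Constructed CloudTrail log file contents, trimmed to the fields read first in an investigation.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/app-deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "finance-reports", "key": "q1.csv"},
     "managementEvent": False},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:40:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "finance-reports"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied", "managementEvent": True},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:41:17Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/alice",
                      "sessionContext": {
                          "sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/OpsAdmin"},
                          "attributes": {"mfaAuthenticated": "false"}}},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "finance-reports"},
     "managementEvent": True},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:02:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/app-deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "ci-scratch"},
     "managementEvent": True},
]})


def bucket_deletions(trail_json, bucket=None):
    """Every DeleteBucket attempt in one log file, optionally for a single bucket.

    Failed attempts are kept on purpose: an AccessDenied from the same source IP a
    minute before the successful call from a different principal is the story.
    """
    out = []
    for r in json.loads(trail_json)["Records"]:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "DeleteBucket":
            continue
        name = r.get("requestParameters", {}).get("bucketName")
        if bucket and name != bucket:
            continue
        ident = r.get("userIdentity", {})
        session = ident.get("sessionContext", {})
        out.append({
            "time": r["eventTime"],
            "bucket": name,
            "actor": ident.get("arn"),
            "via_role": session.get("sessionIssuer", {}).get("arn"),
            "mfa": session.get("attributes", {}).get("mfaAuthenticated"),
            "source_ip": r.get("sourceIPAddress"),
            "outcome": "failed:" + r["errorCode"] if "errorCode" in r else "succeeded",
        })
    return sorted(out, key=lambda e: e["time"])


if __name__ == "__main__":
    for e in bucket_deletions(SAMPLE_TRAIL, bucket="finance-reports"):
        print(e)
```

For the last 90 days the same filter is available without downloading anything: aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteBucket. For older events query the trail's S3 bucket with Athena or CloudTrail Lake. Note that when the actor is an assumed role, userIdentity.arn identifies the session, while sessionContext.sessionIssuer.arn names the role; finding who assumed it means following the corresponding AssumeRole event.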

1164
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts have encryption enabled. What is the most efficient way to enforce this policy?

A.Apply a service control policy (SCP) to the root organizational unit that denies S3 actions without encryption.
B.Configure an IAM role in the master account to enforce encryption via cross-account access.
C.Create an IAM policy in each account that denies s3:PutObject without encryption.
D.Use AWS CloudFormation StackSets to deploy a bucket policy to each account.
AnswerA

SCPs are used to centrally control permissions across all accounts in an organization.

Why this answer

Option A is correct because a service control policy attached at the root of the organization applies to every account (and to every principal in those accounts, including each account's root user) without per-account work, and it is evaluated before any IAM policy, so no identity can be granted a way around it. Option B is wrong because a cross-account role only lets the management account act in the member accounts; it does not enforce anything on the requests other principals make. Option C is wrong because an IAM policy must be attached to each principal in each account and maintained there, does not apply to the root user, and new users or roles are not covered until someone attaches it.

Option D is wrong because StackSets could push a bucket policy to buckets that exist when the stack set runs, but it cannot attach policies to buckets created afterwards, so it does not enforce the rule. Note that S3 now applies SSE-S3 to every new object by default, so the practical purpose of such an SCP is to deny requests that explicitly select an algorithm other than the required one (for example when SSE-KMS is mandated).

1165
MCQeasy

A company is using Amazon S3 to store critical data with versioning enabled. The SysOps administrator needs to implement a solution that automatically transitions objects to S3 Glacier Deep Archive after 90 days and permanently deletes them after 7 years. Which S3 feature should be used?

A.S3 Lifecycle policies
B.S3 Intelligent-Tiering
C.S3 Object Lock
D.S3 Cross-Region Replication
AnswerA

Lifecycle policies can transition and expire objects.

Why this answer

Option A is correct because an S3 Lifecycle configuration can transition objects to another storage class after a number of days and expire (delete) them after another. Because the bucket is versioned, the rule must cover both current and noncurrent versions: Transitions and Expiration act on the current version (an Expiration on a versioned bucket only adds a delete marker), while NoncurrentVersionTransitions and NoncurrentVersionExpiration are what move and finally remove the older versions so storage is actually reclaimed. Option B is wrong because S3 Intelligent-Tiering moves data between access tiers automatically but does not delete. Option C is wrong because S3 Object Lock is for write-once-read-many (WORM) retention and would in fact prevent deletion.

Option D is wrong because S3 Cross-Region Replication copies objects to another bucket; it is not a lifecycle mechanism.
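The versioning detail above is where lifecycle rules silently fail to free storage, so it is worth checking a configuration for it before applying it. The following is an added example (not part of the original question bank) that builds the rule the question describes in the shape PutBucketLifecycleConfiguration accepts and audits a configuration for rules that forget the noncurrent versions; the rule IDs, the prefix and the audit wording are assumptions made for the illustration.

```python
import json


def lifecycle_rule(archive_after_days=90, expire_after_days=365 * 7, prefix=""):
    """Lifecycle rule for a versioned bucket: archive to DEEP_ARCHIVE, then delete.

    Current versions are handled by Transitions/Expiration; noncurrent versions
    need their own NoncurrentVersion* elements, otherwise they linger forever.
    """
    return {
        "ID": "archive-then-expire",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": archive_after_days, "StorageClass": "DEEP_ARCHIVE"}],
        "Expiration": {"Days": expire_after_days},
        "NoncurrentVersionTransitions": [
            {"NoncurrentDays": archive_after_days, "StorageClass": "DEEP_ARCHIVE"}
        ],
        "NoncurrentVersionExpiration": {"NoncurrentDays": expire_after_days},
    }


def audit_versioned_rules(config):
    """Findings for rules that leave data behind on a versioned bucket.

    An Expiration on the current version only creates a delete marker, so
    without NoncurrentVersionExpiration nothing is ever freed; without
    NoncurrentVersionTransitions the superseded versions stay in Standard.
    """
    findings = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rid = rule.get("ID", "<unnamed>")
        if "Expiration" in rule and "NoncurrentVersionExpiration" not in rule:
            findings.append(f"{rid}: Expiration without NoncurrentVersionExpiration (delete marker only)")
        if rule.get("Transitions") and not rule.get("NoncurrentVersionTransitions"):
            findings.append(f"{rid}: Transitions without NoncurrentVersionTransitions (old versions stay in Standard)")
    return findings


# Constructed configurations: the naive rule most people write first, and the complete one.
NAIVE_CONFIG = {"Rules": [{"ID": "naive", "Status": "Enabled", "Filter": {"Prefix": ""},
                           "Transitions": [{"Days": 90, "StorageClass": "DEEP_ARCHIVE"}],
                           "Expiration": {"Days": 2555}}]}
FULL_CONFIG = {"Rules": [lifecycle_rule()]}


if __name__ == "__main__":
    print("naive:", audit_versioned_rules(NAIVE_CONFIG))
    print("full:", audit_versioned_rules(FULL_CONFIG))
    print(json.dumps(FULL_CONFIG, indent=2))
```

The printed FULL_CONFIG can be passed as-is to aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://rules.json. Delete markers left behind after all versions expire are cleaned up by a separate rule with Expiration set to ExpiredObjectDeleteMarker: true, which cannot be combined with Days in the same Expiration element.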

1166
MCQhard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application reads data from an Amazon RDS for MySQL database. During peak hours, the database CPU utilization is consistently high, and the application experiences increased latency. The SysOps administrator observes that 90% of database queries are read-only. Which combination of actions will both improve performance and optimize costs?

A.Enable Multi-AZ for the RDS instance and scale up the instance size
B.Implement a read replica for the RDS instance and modify the application to route read queries to the read replica
C.Enable Amazon RDS Performance Insights and increase the storage allocation
D.Implement Amazon ElastiCache for Memcached in front of the database and migrate read-heavy queries to cache
AnswerB

Read replicas can handle read traffic, reducing load on the primary instance. This improves performance and, by avoiding unnecessary scale-up, can be more cost-effective. Only the primary instance needs to be sized for writes.

Why this answer

Option B is correct because implementing a read replica offloads read-heavy (90%) queries from the primary RDS instance, reducing CPU utilization and latency. Modifying the application to route read queries to the replica distributes the workload, improving performance while avoiding costly vertical scaling. This optimizes costs by using a smaller primary instance and paying only for the replica's resources.

Exam trap

The trap here is that candidates often confuse Multi-AZ (high availability) with read replicas (performance scaling), or assume caching (ElastiCache) is always the best choice for read-heavy workloads without considering the simplicity and cost-effectiveness of read replicas for database-level offloading.

How to eliminate wrong answers

Option A is wrong because enabling Multi-AZ provides high availability, not performance improvement, and scaling up the instance size increases costs without addressing the read-heavy workload. Option C is wrong because Performance Insights is a monitoring tool that does not reduce CPU utilization or latency, and increasing storage allocation does not improve query performance. Option D is wrong because ElastiCache for Memcached is a caching layer that can reduce database load, but it requires application code changes to cache read queries and does not directly offload read queries like a read replica; it is more suitable for caching specific data, not all read queries.

1167
Multi-Selectmedium

An EC2 Auto Scaling group runs a stateless web application with predictable daily peaks. Which two actions can reduce cost while preserving capacity during peak periods? (Choose 2.)

Select 2 answers
A.Configure scheduled scaling actions for the known peak window.
B.Use a mixed instances policy with some Spot capacity where interruption is acceptable.
C.Run all instances as On-Demand at maximum peak size all day.
D.Disable health checks to avoid instance replacement.
AnswersA, B

Scheduled scaling adds capacity before predictable demand.

Why this answer

Option A is correct because scheduled scaling allows you to proactively increase capacity before the predictable daily peak and reduce it afterward, ensuring you only pay for the resources needed during the peak window. This avoids over-provisioning for the entire day, directly reducing costs while maintaining performance during high-demand periods.

Exam trap

The trap here is that candidates may think disabling health checks saves money by avoiding instance replacements, but this actually risks application availability and can increase costs due to undetected failures, while the real cost-saving mechanisms are proactive scaling and using cheaper instance types like Spot.

1168
MCQmedium

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment'. The SysOps administrator checks the deployment logs and finds that the BeforeInstall lifecycle event script is failing on some instances. The instances are Amazon Linux 2. What should the administrator do to troubleshoot this issue?

A.Verify that the CodeDeploy agent on the instances is running and can communicate with the CodeDeploy service.
B.Ensure that the CodeDeploy deployment configuration is set to 'OneAtATime' to reduce instance failures.
C.Check the appspec.yml file for syntax errors in the hooks section.
D.Review the BeforeInstall script's output and exit code in the deployment logs or on the instance.
AnswerD

The script's exit code and output will indicate why it failed.

Why this answer

Option D is correct because the BeforeInstall script is what is failing, so reviewing its output and exit code in the deployment logs (or on the instance itself) shows why. Option C is wrong because the appspec.yml file is evidently valid: CodeDeploy parsed it and ran the hook script. Option A is wrong because the issue is script execution, not agent connectivity; the script would not have run at all if the agent were not communicating.

Option B is wrong because the deployment configuration only controls how many instances may fail before the deployment stops; it does not address why the script fails.

1169
MCQmedium

A company has a single AWS account with multiple IAM users. The security team wants to ensure that no IAM user can create or modify VPC resources. The SysOps administrator creates a managed policy that denies ec2:CreateVpc, ec2:DeleteVpc, ec2:ModifyVpcAttribute, and similar actions. The policy is attached to all IAM users via a group. However, after a week, a user reports that they were able to create a VPC. The administrator checks CloudTrail and confirms that the user created the VPC. What is the most likely cause?

A.The user used the AWS Management Console, which does not enforce IAM policies.
B.The user had an inline policy that allowed ec2:CreateVpc, overriding the group policy.
C.The policy was attached to the user's group, but the user was not a member of that group.
D.The user created the VPC using AWS CloudFormation with a service role that had full EC2 access.
AnswerD

If the user had permissions to pass a role, CloudFormation could create resources using that role's permissions.

Why this answer

Option D is correct because an IAM policy attached to the user applies only to API calls the user makes directly. When the user launches an AWS CloudFormation stack with a service role, CloudFormation makes the ec2:CreateVpc call with that role's permissions, not the user's, so the group's Deny never applies. All the user needs is permission to create the stack and to pass the role (iam:PassRole). The same pattern applies to other services that create resources on the user's behalf, such as AWS Service Catalog.

Option A is wrong because the AWS Management Console calls the same APIs and IAM policies are enforced there exactly as for the CLI or SDKs. Option B is wrong because an explicit Deny always overrides an Allow; an inline Allow cannot override the group's Deny. Option C is wrong because the question states the policy was attached to all IAM users through the group.

1170
Multi-Selectmedium

A company runs a critical application on EC2 instances in an Auto Scaling group. The group uses a dynamic scaling policy based on CPU utilization. The SysOps administrator wants to ensure that the application remains available during a planned maintenance event that will take down one of the Availability Zones. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A.Update the Auto Scaling group to remove the affected Availability Zone from the list of enabled AZs.
B.Manually terminate all instances in the affected Availability Zone.
C.Increase the desired capacity of the Auto Scaling group to account for the lost capacity.
D.Create a new launch configuration with a different AMI.
E.Disable the dynamic scaling policy to prevent scaling.
AnswersA, C

Removing the AZ prevents the ASG from launching instances in the affected AZ.

Why this answer

Updating the ASG to use only the remaining AZs and rebalancing ensures capacity is maintained. Increasing desired capacity preemptively provides a buffer. Terminating instances prematurely reduces capacity.

Updating the AMI does not help with AZ maintenance.

1171
MCQmedium

A company runs a web application on Amazon EC2 instances. The SysOps administrator needs to monitor two metrics: high CPU utilization (greater than 90%) and high memory utilization (greater than 85%). An alarm should trigger when both conditions are true simultaneously for a period of 5 minutes. Which CloudWatch feature should the administrator use to create this alarm?

A.Metric math
B.Composite alarm
C.Anomaly detection
D.Logs Insights
AnswerB

Composite alarms can combine multiple underlying alarms with AND logic, triggering only when all conditions are met.

Why this answer

A composite alarm in Amazon CloudWatch allows you to create an alarm that evaluates multiple conditions using logical operators (AND, OR, NOT). In this scenario, the administrator needs the alarm to trigger only when both CPU utilization > 90% AND memory utilization > 85% are true simultaneously for 5 minutes. Composite alarms evaluate the state of underlying metric alarms (e.g., two separate simple alarms for CPU and memory) and combine them with an AND condition, making it the correct feature for this requirement.

Exam trap

The trap here is that candidates often confuse Metric Math with composite alarms, thinking that arithmetic operations can simulate logical AND, but Metric Math cannot evaluate alarm states or combine them with logical operators—it only produces a new numeric metric series.

How to eliminate wrong answers

Option A is wrong because Metric Math is used to perform arithmetic operations on multiple metrics (e.g., sum, average, rate) to create a single time series, but it cannot evaluate logical conditions like AND across separate alarms; it only produces a new metric, not an alarm with combined states. Option C is wrong because Anomaly Detection uses machine learning to detect deviations from expected behavior based on historical patterns, but it does not support combining two separate conditions with an AND operator; it creates a single band for a metric. Option D is wrong because Logs Insights is a query engine for analyzing CloudWatch Logs data, not for creating alarms based on real-time metric thresholds; it cannot trigger alarms directly and does not support composite logic.
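The two metric alarms and the composite alarm from this question, as an added example that is not from the question bank or from AWS. The dicts are shaped like the keyword arguments of boto3's `put_metric_alarm()` and `put_composite_alarm()`; the alarm names, instance id and SNS topic are constructed placeholders. Memory is not an EC2 metric, so the example assumes the CloudWatch agent publishes `mem_used_percent` in the `CWAgent` namespace. `evaluate_rule()` is a toy evaluator for an AND-only `AlarmRule`, included to show why two separate alarms are needed before they can be combined.

```python
"""CloudWatch composite alarm: AND of a CPU alarm and a memory alarm.

Added example; not from the question bank or from AWS. Names, instance id and
topic ARN below are constructed placeholders.
"""
import re

INSTANCE_ID = "i-0123456789abcdef0"                     # constructed placeholder
SNS_TOPIC = "arn:aws:sns:us-east-1:123456789012:ops"    # constructed placeholder


def metric_alarm(name, namespace, metric, threshold, minutes=5):
    """One metric alarm: ALARM when all `minutes` consecutive 1-minute datapoints exceed threshold.

    Period=60 on AWS/EC2 CPUUtilization requires detailed monitoring; with
    basic (5-minute) monitoring use Period=300 and EvaluationPeriods=1.
    """
    return {
        "AlarmName": name,
        "Namespace": namespace,
        "MetricName": metric,
        "Dimensions": [{"Name": "InstanceId", "Value": INSTANCE_ID}],
        "Statistic": "Average",
        "Period": 60,
        "EvaluationPeriods": minutes,
        "DatapointsToAlarm": minutes,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "missing",
    }


def composite_alarm(child_names, name="cpu-and-memory-high"):
    """Composite alarm whose rule is the AND of the named child alarms."""
    rule = " AND ".join(f'ALARM("{n}")' for n in child_names)
    return {"AlarmName": name, "AlarmRule": rule, "AlarmActions": [SNS_TOPIC]}


def evaluate_rule(rule, states):
    """Toy evaluator for an AND-only AlarmRule given {alarm_name: state}.

    Real CloudWatch also handles OR/NOT and INSUFFICIENT_DATA; here any child
    that is not in ALARM keeps the composite in OK.
    """
    names = re.findall(r'ALARM\("([^"]+)"\)', rule)
    return "ALARM" if names and all(states.get(n) == "ALARM" for n in names) else "OK"


def build():
    """The three alarm definitions the question asks for."""
    cpu = metric_alarm("cpu-high", "AWS/EC2", "CPUUtilization", 90)
    mem = metric_alarm("mem-high", "CWAgent", "mem_used_percent", 85)
    return cpu, mem, composite_alarm([cpu["AlarmName"], mem["AlarmName"]])


if __name__ == "__main__":
    cpu, mem, both = build()
    print(both["AlarmRule"])
    print(evaluate_rule(both["AlarmRule"], {"cpu-high": "ALARM", "mem-high": "OK"}))
```

Create the two child alarms first (`put_metric_alarm(**cpu)`, `put_metric_alarm(**mem)`), then `put_composite_alarm(**both)`; a composite alarm cannot reference alarms that do not exist yet.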

1172
MCQmedium

A SysOps administrator is testing the failover of an Amazon RDS for PostgreSQL Multi-AZ DB instance. The application currently writes to the primary instance in us-east-1a. Which action will manually trigger a failover to the standby instance in us-east-1b?

A.Reboot the DB instance and select 'Reboot with failover'.
B.Modify the DB instance to Single-AZ and then back to Multi-AZ.
C.Reboot the DB instance without selecting any failover option.
D.Promote the standby instance using the Amazon RDS console.
AnswerA

Correct. This explicitly triggers a failover to the standby instance.

Why this answer

Option A is correct because the 'Reboot with failover' option in the Amazon RDS console explicitly triggers a failover by rebooting the primary DB instance and forcing the Multi-AZ configuration to promote the standby instance in us-east-1b to become the new primary. This is the designed method for manually testing or initiating a failover in a Multi-AZ deployment.

Exam trap

The trap here is that candidates confuse Amazon RDS Multi-AZ failover with Amazon Aurora's reader promotion, where you can explicitly promote a read replica to primary, leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B is wrong because modifying the DB instance to Single-AZ and back to Multi-AZ would delete the standby instance and then create a new one, which is not a failover but a reconfiguration that causes downtime and does not test the existing standby. Option C is wrong because rebooting the DB instance without selecting 'Reboot with failover' will simply restart the primary instance without promoting the standby, so no failover occurs. Option D is wrong because Amazon RDS does not support manually promoting a standby instance via the console; the standby is not directly accessible and failover is controlled only through the primary instance's reboot with failover option or an automatic failure.

1173
Multi-Selecthard

Which THREE configurations are required to enable an EC2 instance in a private subnet to access the internet for software updates while preventing inbound internet traffic?

Select 3 answers
A.Attach an Internet Gateway to the VPC.
B.Assign an Elastic IP address to the EC2 instance.
C.Add a route to the private subnet's route table with destination 0.0.0.0/0 pointing to the NAT Gateway.
D.Deploy a bastion host in the private subnet.
E.Place a NAT Gateway in a public subnet.
AnswersA, C, E

The internet gateway is required for the NAT gateway to access the internet.

Why this answer

A NAT gateway in a public subnet provides outbound internet access. The private subnet route table must have a default route to the NAT gateway. The NAT gateway itself needs an internet gateway in the public subnet route table.

Option B is incorrect because the Elastic IP is assigned to the NAT gateway, not the instance. Option D is incorrect because a bastion host is for administrative access, not for outbound internet access.

1174
MCQhard

A company runs a critical MySQL database on an Amazon RDS DB instance in a single Availability Zone. The SysOps administrator needs to implement a disaster recovery solution with a Recovery Point Objective (RPO) of 5 minutes and a Recovery Time Objective (RTO) of 1 hour, while minimizing costs. Which solution meets these requirements?

A.Enable Multi-AZ deployment with a synchronous standby replica in another Availability Zone
B.Create a cross-Region read replica and promote it to a standalone DB instance during a disaster
C.Enable cross-Region automated backups to another Region
D.Take daily automated snapshots and copy them to another Region manually
AnswerC

Cross-Region automated backups replicate snapshots and transaction logs to another region, achieving an RPO of about 5 minutes and RTO of under 1 hour, with no extra compute cost until recovery.

Why this answer

Option C is correct because cross-Region automated backups replicate transaction logs to another AWS Region with a typical lag of a few minutes, enabling point-in-time recovery (PITR) that can meet an RPO of 5 minutes. When a disaster occurs, you can restore the automated backup to a new DB instance in the destination Region, and the RTO depends on the restore time, which can be under 1 hour for a properly sized instance. This solution minimizes costs by avoiding the continuous compute and storage overhead of a standby replica or read replica.

Exam trap

The trap here is that candidates often confuse cross-Region read replicas (asynchronous, higher RPO) with cross-Region automated backups (log-based, lower RPO), or assume Multi-AZ provides cross-Region disaster recovery when it only covers AZ failures within a single Region.

How to eliminate wrong answers

Option A is wrong because Multi-AZ with a synchronous standby replica only protects against an Availability Zone failure within the same Region, not a cross-Region disaster, and it incurs the cost of a full standby instance. Option B is wrong because a cross-Region read replica is asynchronous and can have replication lag exceeding 5 minutes, making it unable to guarantee an RPO of 5 minutes; additionally, promoting a read replica to a standalone instance can take longer than 1 hour due to the need to stop replication and apply pending changes. Option D is wrong because daily automated snapshots provide an RPO of up to 24 hours, far exceeding the required 5-minute RPO, and manual copying adds operational overhead and delay.

1175
MCQeasy

A company runs a critical web application on a single Amazon EC2 instance with a 100 GiB gp2 EBS volume. The SysOps administrator needs to ensure data durability by taking automated snapshots of the root volume every hour. The snapshots should be retained for 7 days. Which AWS service can be used to automate this task with minimal configuration?

A.Amazon Data Lifecycle Manager (DLM)
B.AWS Backup
C.Amazon CloudWatch Events
D.AWS Systems Manager
AnswerA

DLM provides built-in automation for creating and retaining EBS snapshots according to a schedule, making it the ideal choice.

Why this answer

Amazon Data Lifecycle Manager (DLM) is the correct choice because it is specifically designed to automate the creation, retention, and deletion of EBS snapshots with minimal configuration. It supports custom schedules (e.g., every hour) and retention policies (e.g., 7 days) directly on EBS volumes, making it ideal for this task without requiring additional scripting or infrastructure.

Exam trap

The trap here is that candidates often choose AWS Backup because it is a centralized backup service, but they overlook that DLM is the simpler, purpose-built service for EBS snapshot lifecycle automation with minimal configuration, especially for a single volume and a straightforward retention policy.

How to eliminate wrong answers

Option B (AWS Backup) is wrong because while it can automate EBS snapshots, it requires setting up a backup plan and vault, which introduces unnecessary overhead for a simple hourly snapshot retention policy that DLM handles natively. Option C (Amazon CloudWatch Events) is wrong because it can trigger a Lambda function or Systems Manager Automation to create snapshots, but it does not natively manage snapshot retention or deletion, requiring custom code and additional configuration. Option D (AWS Systems Manager) is wrong because it is primarily for operational management (e.g., patching, inventory) and does not provide a built-in, automated snapshot lifecycle management feature; any snapshot automation would require custom Automation documents or scripts.

1176
MCQmedium

A company wants to enforce that all Amazon S3 buckets in their AWS account are encrypted at rest. They have enabled AWS CloudTrail and want to automatically remediate any non-compliant bucket created by users. Which AWS service should they use to achieve this?

A.AWS Trusted Advisor
B.Amazon Inspector
C.AWS Config
D.AWS Service Catalog
AnswerC

AWS Config can evaluate S3 bucket encryption and trigger auto-remediation.

Why this answer

Option C is correct because AWS Config can evaluate resource configurations against rules and trigger automated remediation using Systems Manager Automation or Lambda. Option D is wrong because AWS Service Catalog is used for creating and managing approved IT services, not for monitoring or remediation. Option A is wrong because AWS Trusted Advisor provides best-practice checks but does not automate remediation.

Option B is wrong because Amazon Inspector is for vulnerability assessment, not S3 bucket encryption enforcement.

1177
MCQhard

A company has a CloudWatch alarm that monitors the CPU utilization of an EC2 instance. The alarm is set to trigger when CPU utilization exceeds 80% for 5 consecutive minutes. The alarm state is 'INSUFFICIENT_DATA'. What does this mean?

A.The CPU utilization is below 80% for 5 minutes.
B.The CPU utilization has exceeded 80% for 5 minutes.
C.The alarm does not have enough data to determine the state.
D.The alarm is missing data points for the past 5 minutes.
AnswerC

INSUFFICIENT_DATA indicates that the metric has not provided enough data points for evaluation.

Why this answer

The INSUFFICIENT_DATA state in CloudWatch indicates that the alarm has not received enough metric data points to evaluate whether the threshold (CPU utilization > 80% for 5 consecutive minutes) has been breached. This typically occurs when the EC2 instance is newly launched, the CloudWatch agent is not reporting, or there are gaps in metric collection due to network issues or instance stops. It does not imply any conclusion about the CPU utilization level itself.

Exam trap

The trap here is that candidates confuse INSUFFICIENT_DATA with missing data points for the exact evaluation period, but the state actually means the alarm cannot determine whether the threshold is breached due to a lack of sufficient data across the configured evaluation periods, not just the last 5 minutes.

How to eliminate wrong answers

Option A is wrong because INSUFFICIENT_DATA does not mean the CPU utilization is below 80%; that would correspond to the ALARM state being false (OK state). Option B is wrong because exceeding 80% for 5 minutes would trigger the ALARM state, not INSUFFICIENT_DATA. Option D is wrong because while missing data points can cause INSUFFICIENT_DATA, the alarm state specifically indicates insufficient data to determine the state, not merely that data points are missing for the past 5 minutes—the alarm evaluates based on the configured evaluation periods and may have partial data.

1178
MCQmedium

A company runs a critical application on a single Amazon EC2 instance. The SysOps administrator needs to ensure that if the instance fails, a new instance is automatically provisioned in a different Availability Zone. Which configuration should the administrator implement?

A.Create an Auto Scaling group with the instance in multiple Availability Zones
B.Create a placement group and launch the instance in it
C.Place the instance behind an Elastic Load Balancer
D.Configure an Amazon Route 53 health check with failover routing
AnswerA

An Auto Scaling group with instances in multiple AZs and a desired capacity of 1 will automatically launch a new instance in another AZ if the existing one fails.

Why this answer

Option A is correct because an Auto Scaling group (ASG) can be configured with a minimum, desired, and maximum size of 1, spanning multiple Availability Zones (AZs). When the EC2 instance fails, the ASG health check replacement mechanism automatically terminates the unhealthy instance and launches a new one in a different AZ, ensuring the application remains available across AZ boundaries without manual intervention.

Exam trap

The trap here is that candidates often confuse the health-check and failover capabilities of Route 53 or ELB with the automatic instance provisioning provided by Auto Scaling groups, mistakenly thinking DNS or load balancer health checks alone can replace a failed instance.

How to eliminate wrong answers

Option B is wrong because a placement group is designed to influence the physical placement of instances for low-latency or high-throughput networking (e.g., cluster, spread, or partition groups), but it does not provide automatic instance replacement or cross-AZ failover. Option C is wrong because an Elastic Load Balancer (ELB) distributes traffic across healthy instances but does not automatically provision a new instance when an existing one fails; it only routes traffic away from unhealthy targets. Option D is wrong because an Amazon Route 53 health check with failover routing can redirect DNS traffic to a different endpoint (e.g., a static website or another resource) but does not automatically launch a new EC2 instance; it requires a pre-provisioned secondary resource.

1179
MCQmedium

A SysOps administrator is deploying a new web application using AWS Elastic Beanstalk. The application requires a high-performance relational database that can scale read capacity. The administrator needs to ensure that the database is highly available and can handle read replicas. The administrator creates an Elastic Beanstalk environment and adds an Amazon RDS DB instance. However, the database is deployed in a single Availability Zone. The administrator wants to modify the environment to use a Multi-AZ deployment for high availability and add read replicas. The administrator has the following options. Which option should the administrator choose?

A.Increase the DB instance class size to improve performance and then create a read replica.
B.Create a read replica of the existing DB instance and then modify the environment to use the replica.
C.Create a new Multi-AZ RDS DB instance with read replicas outside of Elastic Beanstalk. Update the environment's environment properties to point to the new database. Then delete the old DB instance.
D.Modify the Elastic Beanstalk environment configuration to enable Multi-AZ for the existing DB instance.
AnswerC

Decoupling the database allows full control over configuration.

Why this answer

Option C is correct because Elastic Beanstalk cannot add Multi-AZ or read replicas to an RDS instance that was created as part of the environment; the recommended approach is to decouple the database by creating a separate RDS instance outside of Elastic Beanstalk and then configuring the environment to connect to it. Option D is wrong because Elastic Beanstalk does not support converting its single-AZ DB to Multi-AZ after creation. Option B is wrong because read replicas require backups to be enabled on the source instance, and the environment's DB instance is not easily modified.

Option A is wrong because increasing the DB instance class does not provide Multi-AZ.

1180
MCQhard

A company uses an IAM policy that allows s3:GetObject for a specific bucket. However, an IAM user is getting an Access Denied error when trying to download an object. The bucket policy also allows s3:GetObject for the user's account. What is the most likely cause?

A.The IAM policy does not include the s3:GetObjectVersion action.
B.The bucket policy has a Deny statement that applies to the user.
C.The object is encrypted with a customer-managed KMS key, and the user does not have kms:Decrypt permissions.
D.The user's account is part of an AWS Organization with an SCP that denies s3:GetObject.
AnswerB

An explicit Deny in the bucket policy overrides allows.

Why this answer

Option B is correct because if the bucket policy explicitly denies access, that denial overrides any Allow. Option A is wrong because s3:GetObjectVersion is only needed to retrieve a specific version; with s3:GetObject allowed in both policies, a normal download is allowed. Option C is wrong because KMS permissions are separate.

Option D is wrong because SCPs apply to all accounts in the organization.
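A toy model of IAM policy evaluation covering both question 1169 (an inline Allow cannot beat a group Deny, but a CloudFormation service role is a different principal) and question 1180 (a bucket-policy Deny beats the identity-policy Allow). This is an added example, not from the question bank or from AWS. It reproduces only the documented ordering for a single account, explicit Deny over explicit Allow over implicit Deny, across the identity-based and resource-based policies that apply to one request; it ignores SCPs, permissions boundaries, session policies, `Principal` and `Condition` elements, and uses `*` as the only wildcard. The account id, role ARN, bucket name and policies are constructed.

```python
"""Toy IAM evaluation: explicit Deny wins, and a service role is its own principal.

Added example; not from the question bank or from AWS. All ARNs, names and
policies below are constructed placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one API call.

    `policies` are all policies that apply to the calling principal (its own
    identity policies plus any resource policy on the target).
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # an explicit Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Question 1169: the group policy denies VPC changes for every IAM user ...
GROUP_DENY_VPC = {"Statement": [{"Effect": "Deny", "Resource": "*",
                  "Action": ["ec2:CreateVpc", "ec2:DeleteVpc", "ec2:ModifyVpcAttribute"]}]}
# ... the user also has a broad inline Allow (the distractor in option B) ...
USER_INLINE_ALLOW = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudformation:*", "iam:PassRole"], "Resource": "*"},
]}
# ... and may pass this CloudFormation service role (constructed)
CFN_ROLE_ARN = "arn:aws:iam::123456789012:role/cfn-deploy-role"
CFN_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def user_calls_create_vpc():
    """The user's own API call: the group Deny beats the inline Allow."""
    return evaluate([GROUP_DENY_VPC, USER_INLINE_ALLOW], "ec2:CreateVpc", "*")


def cloudformation_calls_create_vpc():
    """The same call made by the service role: the user's policies are not in scope."""
    return evaluate([CFN_ROLE_POLICY], "ec2:CreateVpc", "*")


def user_can_pass_role():
    """The gap a defender closes: the Deny says nothing about iam:PassRole."""
    return evaluate([GROUP_DENY_VPC, USER_INLINE_ALLOW], "iam:PassRole", CFN_ROLE_ARN)


# Question 1180: identity policy allows s3:GetObject, bucket policy allows it too,
# but the bucket policy also carries a Deny that covers the requested key.
BUCKET = "arn:aws:s3:::example-reports-bucket"        # constructed
IDENTITY_ALLOW_GET = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/finance/*"},
]}


def user_downloads(key):
    """Access Denied only for keys the bucket-policy Deny covers."""
    return evaluate([IDENTITY_ALLOW_GET, BUCKET_POLICY], "s3:GetObject", f"{BUCKET}/{key}")


if __name__ == "__main__":
    print("user ec2:CreateVpc      :", user_calls_create_vpc())
    print("role ec2:CreateVpc      :", cloudformation_calls_create_vpc())
    print("user iam:PassRole       :", user_can_pass_role())
    print("GetObject public/report :", user_downloads("public/report.csv"))
    print("GetObject finance/q3    :", user_downloads("finance/q3.csv"))
```

The practical consequence for question 1169: to make the Deny hold, also deny `iam:PassRole` for roles that carry EC2 permissions (or scope `cloudformation:CreateStack`), because the CreateVpc event in CloudTrail is recorded under the assumed role while the user's own trail shows only the CreateStack and PassRole calls. For question 1180, the IAM policy simulator (`aws iam simulate-principal-policy`) reports which statement produced the Deny.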

1181
MCQhard

A company runs a containerized application on Amazon ECS with the Fargate launch type. The application is deployed across two Availability Zones and uses an Application Load Balancer (ALB) to distribute traffic. The application stores state in an Amazon ElastiCache Redis cluster. Recently, the development team deployed a new version of the application that introduced a memory leak. The leak causes the ECS tasks to consume more memory over time until they are OOM-killed. The SysOps administrator is asked to ensure that the application remains available and responsive. The administrator has configured an ECS service auto scaling based on average CPU utilization, but the memory leak causes tasks to fail before CPU utilization triggers scaling. Which action should the administrator take to automatically detect and replace failing tasks?

A.Increase the task memory limit to the maximum allowed for the Fargate task size. This will prevent OOM-kills.
B.Configure an ECS service auto scaling with a target tracking policy based on average CPU utilization. Set the target value to 50%.
C.Configure the ALB health check to use a more sensitive path that fails when memory is low. The ECS service will automatically replace unhealthy tasks.
D.Create a custom CloudWatch metric for memory utilization and configure an ECS service auto scaling with a step scaling policy that adds tasks when memory exceeds a threshold.
AnswerD

This proactively scales out before tasks fail, maintaining availability.

Why this answer

Option D is correct because configuring ECS service auto scaling with a step scaling policy based on a custom CloudWatch metric for memory utilization (e.g., from the CloudWatch agent) allows scaling out before tasks are OOM-killed. Option A is wrong because increasing the task memory limit does not prevent the leak; it only delays failure. Option B is wrong because a target tracking policy based on CPU does not address memory issues.

Option C is wrong because an ALB health check only detects HTTP failures, not memory exhaustion while the process is still responding.

1182
MCQhard

A company's S3 bucket contains critical data. The bucket policy accidentally allowed public write access, and a malicious actor uploaded several objects. The company needs to recover the bucket to a known good state as quickly as possible. What should the SysOps administrator do?

A.Enable S3 Object Lock on the bucket to prevent further modifications.
B.Enable MFA Delete on the bucket to secure delete operations.
C.Use S3 Versioning to restore the bucket to a previous version.
D.Configure S3 Cross-Region Replication to replicate data to another region.
AnswerC

Versioning retains old versions for restoration.

Why this answer

Option C is correct because S3 Versioning, when enabled, retains all object versions, allowing restoration to a previous state by deleting the current version. Option A is wrong because S3 Object Lock prevents deletion but does not allow rollback to a prior version. Option B is wrong because MFA Delete does not help with restoring prior versions.

Option D is wrong because S3 Cross-Region Replication does not provide version rollback capability.
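The rollback the correct answer describes, carried through as an added example that is not from the question bank or from AWS. `plan_rollback()` works on the shape `list_object_versions()` returns (`Versions` and `DeleteMarkers` entries) and decides which versions to remove so that S3 makes the newest pre-incident version current again; keys that did not exist before the incident simply disappear. It assumes versioning was already enabled before the incident and that the writer did not hold `s3:DeleteObjectVersion`, so the earlier versions survived. The listing and timestamps below are constructed sample data.

```python
"""Plan an S3 versioning rollback after unauthorized writes.

Added example; not from the question bank or from AWS. The object listing is
constructed sample data in the shape of list_object_versions() output.
"""
from datetime import datetime, timezone

UTC = timezone.utc
INCIDENT_START = datetime(2024, 5, 1, 0, 0, tzinfo=UTC)   # constructed (from CloudTrail)

SAMPLE_VERSIONS = [   # 'Versions' entries, constructed
    {"Key": "index.html", "VersionId": "v1", "IsLatest": False,
     "LastModified": datetime(2024, 4, 20, tzinfo=UTC)},
    {"Key": "index.html", "VersionId": "v2", "IsLatest": True,      # defaced copy
     "LastModified": datetime(2024, 5, 1, 3, tzinfo=UTC)},
    {"Key": "app.js", "VersionId": "v1", "IsLatest": True,          # untouched
     "LastModified": datetime(2024, 4, 10, tzinfo=UTC)},
    {"Key": "robots.txt", "VersionId": "v1", "IsLatest": False,
     "LastModified": datetime(2024, 4, 1, tzinfo=UTC)},
    {"Key": "unknown-upload.bin", "VersionId": "v1", "IsLatest": True,  # intruder's file
     "LastModified": datetime(2024, 5, 1, 4, tzinfo=UTC)},
]
SAMPLE_DELETE_MARKERS = [   # 'DeleteMarkers' entries, constructed
    {"Key": "robots.txt", "VersionId": "dm1", "IsLatest": True,     # intruder deleted it
     "LastModified": datetime(2024, 5, 1, 5, tzinfo=UTC)},
]


def plan_rollback(versions, delete_markers, incident_start):
    """Return {'delete': [(key, version_id), ...], 'restored': {key: version_id or None}}.

    Everything written at or after `incident_start`, delete markers included,
    is scheduled for permanent deletion; for each affected key the newest
    surviving pre-incident version is reported (None if the key had no
    pre-incident version or was already deleted before the incident).
    """
    to_delete = []
    surviving = {}          # key -> (entry, is_delete_marker)
    tagged = [(e, False) for e in versions] + [(e, True) for e in delete_markers]
    for entry, is_marker in tagged:
        key = entry["Key"]
        if entry["LastModified"] >= incident_start:
            to_delete.append((key, entry["VersionId"]))
            continue
        prev = surviving.get(key)
        if prev is None or entry["LastModified"] > prev[0]["LastModified"]:
            surviving[key] = (entry, is_marker)
    restored = {}
    for key in {k for k, _ in to_delete}:
        prev = surviving.get(key)
        restored[key] = None if prev is None or prev[1] else prev[0]["VersionId"]
    return {"delete": sorted(to_delete), "restored": restored}


def sample_plan():
    return plan_rollback(SAMPLE_VERSIONS, SAMPLE_DELETE_MARKERS, INCIDENT_START)


if __name__ == "__main__":
    plan = sample_plan()
    for key, vid in plan["delete"]:
        print(f"delete_object(Bucket=..., Key={key!r}, VersionId={vid!r})")
    print("current after rollback:", plan["restored"])
```

Order of operations matters: fix the bucket policy and turn on S3 Block Public Access first, copy the intruder's versions to an evidence bucket before removing them, and only then run the `delete_object(..., VersionId=...)` calls the plan lists. Deleting a specific version is permanent, which is exactly why the intruder should never have had that permission.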

1183
MCQeasy

A SysOps administrator uses AWS CloudFormation to manage a stack that includes an Amazon EC2 instance. The administrator wants to update the instance type from t3.medium to t3.large without recreating the instance. The instance type change is supported as a simple update in CloudFormation. Which stack update method should the administrator use to apply this change with the least disruption?

A.Directly update the stack by modifying the template and submitting the update via the AWS Management Console, AWS CLI, or API.
B.Create a change set to review the changes, then execute the change set.
C.Apply a stack policy to the EC2 instance to allow the update, then update the stack.
D.Delete the existing stack and create a new stack with the updated instance type.
AnswerA

Direct update applies changes immediately. Since the update is a simple attribute change that does not require replacement, this is the fastest and least disruptive method.

Why this answer

Option A is correct because changing an EC2 instance type from t3.medium to t3.large is a supported simple update in CloudFormation, meaning the resource can be updated in-place without replacement. By directly updating the stack via the AWS Management Console, AWS CLI, or API, the administrator applies the change immediately with minimal disruption, as CloudFormation will stop the instance, modify the instance type, and restart it. This method avoids the overhead of creating a change set or deleting and recreating the stack, which would cause unnecessary downtime or complexity.

Exam trap

The trap here is that candidates often assume a change set is required for all updates or that it reduces disruption, when in fact it is only a review mechanism and does not change the update behavior; the direct update is equally safe and faster for simple, supported changes.

How to eliminate wrong answers

Option B is wrong because creating a change set is an optional review step that adds delay and does not reduce disruption; executing a change set still performs the same in-place update as a direct update, so it is not the least disruptive method. Option C is wrong because stack policies are used to prevent updates to specific resources, not to allow them; applying a stack policy to allow the update is unnecessary and could inadvertently block other updates if misconfigured. Option D is wrong because deleting and recreating the stack would destroy the existing EC2 instance and create a new one, causing complete disruption and data loss (unless data is stored externally), which is far more disruptive than an in-place update.

1184
MCQmedium

A company has an Amazon CloudFront distribution that delivers static content from an Amazon S3 bucket. The SysOps administrator needs to ensure that the content can only be accessed through CloudFront and not directly from the S3 bucket URL. The solution should use AWS managed services with minimal configuration. Which solution should the administrator implement?

A. Configure the S3 bucket policy to deny all access except from the CloudFront distribution's origin access identity (OAI).
B. Make the S3 bucket private and use pre-signed URLs for CloudFront.
C. Use AWS WAF on CloudFront to block direct access to S3 by checking the Referer header.
D. Create a VPC endpoint for S3 and restrict access to the bucket from the CloudFront IP addresses.
Answer: A

This is the recommended AWS solution. Create an OAI, associate it with the CloudFront distribution, and update the S3 bucket policy to allow only the OAI's access. Direct S3 URLs will be denied.

Why this answer

Option A is correct because configuring the S3 bucket policy to deny all access except from the CloudFront distribution's origin access identity (OAI) ensures that only CloudFront can retrieve objects from the S3 bucket. The OAI is a special CloudFront user that authenticates requests to S3, and the bucket policy explicitly grants GetObject access only to that principal, blocking any direct S3 URL access. This uses AWS managed services (CloudFront and S3) with minimal configuration—no custom code or additional infrastructure.

Exam trap

The trap here is that candidates often choose Option C (AWS WAF with Referer header) because it seems like a simple web-application-layer control, but they overlook that the Referer header is easily spoofed and does not provide cryptographic authentication, unlike the OAI-based approach which uses AWS Signature Version 4 to verify the request origin.

How to eliminate wrong answers

Option B is wrong because making the S3 bucket private and using pre-signed URLs for CloudFront adds unnecessary complexity; CloudFront does not natively generate pre-signed URLs for origin requests, and this would require custom logic to sign each request, defeating the 'minimal configuration' requirement. Option C is wrong because using AWS WAF to block direct access by checking the Referer header is unreliable—the Referer header can be spoofed or omitted by clients, and it does not prevent direct S3 URL access from scripts or tools that don't send a Referer. Option D is wrong because creating a VPC endpoint for S3 and restricting access to CloudFront IP addresses is not feasible; CloudFront uses a large, dynamic set of global IP addresses that are not static, and maintaining an allow list of those IPs would require constant updates and is not a 'minimal configuration' solution.

1185
MCQ (medium)

A company uses CloudWatch Logs to store application logs from EC2 instances. The SysOps team needs to search for specific error patterns across all log groups. What is the most efficient way to perform this search?

A. Define a CloudWatch metric filter to count errors and view the metric.
B. Use CloudWatch Logs Insights to run a query across the log groups.
C. Create a subscription filter to stream logs to Amazon ES and use Kibana.
D. Export the logs to Amazon S3 and use S3 Select to search.
Answer: B

CloudWatch Logs Insights is designed for interactive querying across log groups.

Why this answer

CloudWatch Logs Insights is purpose-built for ad-hoc querying and analysis of log data across multiple log groups. It lets you run queries in its own query language to search for specific patterns, filter results, and aggregate data without setting up additional infrastructure. This is the most efficient method for the SysOps team's requirement because it provides immediate, interactive search directly within the AWS Management Console or via the AWS CLI.

Exam trap

The trap here is that candidates often confuse metric filters (which only aggregate counts) with the ability to search actual log content, leading them to choose Option A, or they over-engineer the solution by selecting Option C or D, not realizing that CloudWatch Logs Insights provides a native, serverless, and cost-effective query capability for exactly this scenario.

How to eliminate wrong answers

Option A is wrong because a metric filter only counts occurrences of a pattern and stores the count as a CloudWatch metric; it does not allow you to view the actual log events or search for specific error messages across log groups. Option C is wrong because creating a subscription filter to stream logs to Amazon Elasticsearch Service (now Amazon OpenSearch Service) and using Kibana adds significant setup overhead, latency, and cost; it is overkill for a simple search task and not the most efficient approach for an ad-hoc search. Option D is wrong because exporting logs to S3 and using S3 Select is inefficient for this use case: S3 Select is designed for querying structured data in files (like CSV or JSON) and requires a full export of logs, which is time-consuming and not suitable for real-time or frequent searches across multiple log groups.

1186
Multi-Select (medium)

Which THREE actions can be taken to remediate an EC2 instance that has been compromised according to security best practices? (Select THREE.)

Select 3 answers
A. Terminate the instance after taking a forensic snapshot.
B. Create an AMI of the instance for forensic analysis.
C. Reboot the instance to clear the compromise.
D. Isolate the instance by removing it from security groups.
E. Apply any pending patches and restart the application.
Answers: A, B, D

Termination stops the compromised instance after evidence is preserved.

Why this answer

Terminating the instance after taking a forensic snapshot (Option A) is correct because it removes the compromised instance from the environment, preventing further malicious activity, while the snapshot preserves the disk state (root volume and any additional data volumes) for offline forensic analysis; an EBS snapshot does not capture volatile data such as memory, so any memory acquisition must happen before termination. This aligns with the AWS security best practice of 'preserve evidence, then contain and eradicate'.

Exam trap

The trap here is that candidates often confuse 'forensic analysis' with 'creating an AMI' (Option B) instead of using a snapshot, or they mistakenly believe that rebooting (Option C) or patching (Option E) can remediate a compromise, when in fact these actions destroy evidence and fail to remove the attacker's foothold.

1187
MCQ (hard)

A SysOps administrator is troubleshooting a failed AWS CloudFormation stack creation. The stack includes an AWS::Lambda::Function resource that depends on an AWS::IAM::Role. The error message is 'Resource handler returned message: "The role defined for the function cannot be assumed by Lambda" (Service: Lambda, Status Code: 400).' What is the most likely cause?

A. The Lambda function name conflicts with an existing function
B. The trust policy of the IAM role does not include 'lambda.amazonaws.com' as a trusted entity
C. The IAM role does not have sufficient permissions to execute the Lambda function
D. The Lambda function has a resource-based policy that denies access
Answer: B

The trust policy must allow Lambda to assume the role.

Why this answer

Option B is correct because the role's trust policy must allow the Lambda service principal (lambda.amazonaws.com) to assume the role. Option C is wrong because permissions are about actions, not trust. Option D is wrong because resource-based policies are attached to the function, not the role.

Option A is wrong because the function name is not the issue.

1188
Multi-Select (easy)

A SysOps administrator needs to track changes to security group rules in a VPC. Which AWS services can be used to monitor and log these changes? (Choose TWO.)

Select 2 answers
A. VPC Flow Logs.
B. AWS Trusted Advisor.
C. AWS CloudTrail.
D. AWS Config.
E. Amazon CloudWatch Logs.
Answers: C, D

CloudTrail logs API calls that modify security groups.

Why this answer

AWS CloudTrail is correct because it records API calls made to the Amazon EC2 service, including AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, and CreateSecurityGroup. These events capture the identity, source IP, and timestamp of every change to security group rules, providing an audit trail for compliance and troubleshooting.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which monitor traffic flows) with CloudTrail (which monitors API calls), or assume CloudWatch Logs alone can capture changes without a source like CloudTrail or Config.

1189
Multi-Select (hard)

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The SysOps administrator needs to detect and automatically replace an instance that is not responding to health checks. Which THREE steps should the administrator take? (Choose THREE.)

Select 2 answers
A. Manually terminate the unhealthy instance after the alarm triggers.
B. Configure the CloudWatch alarm to take the action of terminating the instance.
C. Configure the CloudWatch alarm to send a notification to an SNS topic.
D. Configure the Auto Scaling group to use ELB health checks.
E. Create a CloudWatch alarm on the 'StatusCheckFailed' metric for each instance.
Answers: B, E

Termination triggers the Auto Scaling group to launch a replacement instance.

Why this answer

Option B is correct because a CloudWatch alarm configured on the 'StatusCheckFailed' metric can directly trigger an Auto Scaling action to terminate the unhealthy instance. This integrates with the Auto Scaling group's lifecycle to automatically replace the instance without manual intervention, meeting the requirement for automated detection and replacement.

Exam trap

The trap here is that candidates often confuse sending an SNS notification (Option C) with automated remediation, but notifications alone do not trigger instance replacement; the action must be a direct termination or scaling action.

1190
MCQ (medium)

An application running on Amazon EC2 needs to encrypt data before writing to Amazon S3. The encryption key must be rotated every 90 days and access to the key must be auditable. Which solution meets these requirements?

A. Use AWS KMS customer master key (CMK) with automatic rotation enabled and client-side encryption.
B. Use client-side encryption with a master key stored on the EC2 instance.
C. Use SSL/TLS to encrypt data in transit from EC2 to S3.
D. Use Amazon S3 server-side encryption with SSE-S3.
Answer: A

KMS provides key rotation and auditing via CloudTrail.

Why this answer

Option A is correct because AWS KMS provides managed keys with optional automatic rotation and integrates with CloudTrail for auditing of key usage. Option D is wrong because S3 server-side encryption with SSE-S3 does not allow customer-controlled key rotation. Option B is wrong because client-side encryption with a master key stored on the instance is not auditable and key rotation is manual.

Option C is wrong because SSL/TLS is for encryption in transit, not at rest.

1191
MCQ (medium)

A company runs a critical application on an Amazon RDS for MySQL DB instance. The company needs to ensure high availability and automatic failover in the event of a failure. The company also wants to optimize costs. Which solution should the company implement?

A. Create a read replica in a different Availability Zone and manually promote it during failure.
B. Create a Multi-AZ deployment for the RDS instance.
C. Use Amazon RDS Proxy to manage connections and improve failover.
D. Use a larger DB instance class to improve performance and reliability.
Answer: B

Multi-AZ provides automatic failover and is cost-effective.

Why this answer

Multi-AZ deployment provides automatic failover to a standby instance in a different Availability Zone, ensuring high availability. It is cost-effective compared to a manual standby. A read replica does not provide automatic failover.

RDS Proxy improves connection pooling but does not by itself provide failover. Using a larger instance increases cost without adding redundancy.

1192
MCQ (easy)

A company uses S3 standard storage for all data. They have data that is accessed rarely but must be retained for 7 years. Which storage class would be MOST cost-effective?

A. S3 One Zone-IA
B. S3 Standard
C. S3 Glacier Deep Archive
D. S3 Intelligent-Tiering
Answer: C

Deep Archive is designed for long-term retention at low cost.

Why this answer

Option C is correct because S3 Glacier Deep Archive is the lowest-cost storage class for long-term archival. S3 Standard is expensive for rarely accessed data, S3 Standard-IA is for infrequent access but not long-term retention, and S3 One Zone-IA is less durable because it stores data in a single Availability Zone.

1193
MCQ (hard)

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The SysOps team needs to capture detailed HTTP request-level data, including headers and payload, for troubleshooting purposes. The data should be stored in Amazon S3 for analysis. Which solution meets these requirements with the LEAST operational overhead?

A. Install the CloudWatch Logs agent on each EC2 instance and configure it to send Apache access logs to CloudWatch Logs, then export to S3.
B. Enable VPC Flow Logs and send them to an S3 bucket.
C. Enable access logs on the ALB and specify an S3 bucket as the destination.
D. Use AWS CloudTrail with data events enabled for the ALB.
Answer: C

ALB access logs provide detailed HTTP request data and are automatically delivered to S3.

Why this answer

Option C is correct because ALB access logs capture detailed HTTP request-level data, including headers and payload, and can be directly delivered to an S3 bucket without any additional agents or configuration on the EC2 instances. This native integration minimizes operational overhead by eliminating the need to install or manage logging agents on each instance.

Exam trap

The trap here is confusing network-level logs (VPC Flow Logs) or API-level logs (CloudTrail) with application-level HTTP logs, leading candidates to overlook the native ALB access log feature that directly captures the required data with zero instance management.

How to eliminate wrong answers

Option A is wrong because installing the CloudWatch Logs agent on each EC2 instance requires manual setup and maintenance on every instance, increasing operational overhead, and Apache access logs do not capture the full HTTP request payload and headers that the ALB can provide. Option B is wrong because VPC Flow Logs capture network-level metadata (IP addresses, ports, protocols) but not HTTP request-level data such as headers or payload. Option D is wrong because AWS CloudTrail with data events for the ALB records API calls to the ALB (e.g., CreateLoadBalancer, ModifyListener) and does not capture HTTP request-level data like headers or payload.

1194
MCQ (medium)

Regulatory requirements mandate that all RDS and EBS backups are replicated to a secondary AWS region within 24 hours of creation. The company has workloads in us-east-1 and must replicate backups to eu-west-1. Restoring from the secondary region must be possible without manual copying steps during a disaster. What service and configuration implements this requirement?

A. Create an AWS Backup plan with a cross-Region copy rule that replicates recovery points to a backup vault in eu-west-1 within 24 hours
B. Schedule a Lambda function that calls CreateDBSnapshot and CopyDBSnapshot to replicate RDS snapshots, and CreateSnapshot and CopySnapshot for EBS volumes to eu-west-1
C. Enable RDS automated backups with cross-region replication and configure EBS snapshot copy separately using Data Lifecycle Manager
D. Use S3 Cross-Region Replication to replicate the backup bucket containing RDS and EBS snapshots to eu-west-1
Answer: A

AWS Backup's cross-Region copy rule runs automatically after each successful backup job. The copy is encrypted with the destination vault's KMS key. In a disaster, operators restore directly from the eu-west-1 vault — no manual cross-region data transfer is needed. A single backup plan can cover multiple resource types (RDS and EBS), satisfying the consolidated requirement.

Why this answer

AWS Backup is the correct service because it natively supports cross-Region copy rules that automatically replicate recovery points (including RDS snapshots and EBS snapshots) to a backup vault in a secondary Region within a specified time window. This meets the 24-hour replication requirement and enables direct restores from the secondary Region without manual copying, as the backup vault in eu-west-1 contains the replicated recovery points ready for use.

Exam trap

The trap here is that candidates often assume they need to use separate services (like Lambda or DLM) for each resource type, missing that AWS Backup provides a unified, managed solution that handles both RDS and EBS snapshots with cross-Region replication and direct restore capabilities.

How to eliminate wrong answers

Option B is wrong because while a Lambda function could technically replicate snapshots, it requires custom code, error handling, and scheduling, and does not provide the native, managed cross-Region restore capability without manual steps; it also lacks the built-in compliance tracking of AWS Backup. Option C is wrong because RDS automated backups with cross-Region replication only apply to RDS, not EBS volumes, and Data Lifecycle Manager (DLM) for EBS snapshots does not support cross-Region copy natively; DLM only copies within the same Region, so EBS snapshots would not be replicated to eu-west-1. Option D is wrong because S3 Cross-Region Replication replicates objects in an S3 bucket, but RDS and EBS snapshots are not stored as S3 objects by default; they are stored in AWS-managed snapshot storage, and even if you manually copy snapshots to S3, the replication would not create usable snapshots in the secondary Region for direct restore.

1195
MCQ (medium)

A company is using AWS CloudFormation to deploy a multi-tier web application. After updating the stack template, the update fails with a stack creation rollback in progress error. The SysOps administrator needs to identify the specific resource that caused the failure. What is the MOST efficient way to accomplish this?

A. Use the AWS Management Console to view the stack status and check the stack policy.
B. Use the aws cloudformation describe-change-set command to review the proposed changes.
C. Check the CloudTrail logs for the UpdateStack API call to see the error message.
D. Run the AWS CLI command aws cloudformation describe-stack-events --stack-name <stack-name> and review the resource status reason.
Answer: D

This command returns all events with failure reasons for each resource.

Why this answer

Option D is correct because the describe-stack-events command lists stack events in reverse chronological order, showing the status reason for the specific resource that failed. Option A is incorrect because the stack status and stack policy only show the overall status, not per-resource details. Option C is incorrect because the CloudTrail record of the UpdateStack API call does not show the per-resource event details.

Option B is incorrect because a change set was not used for the update.

1196
MCQ (medium)

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The application consists of several Docker containers that run on Amazon ECS with Fargate launch type. The engineer wants to automate the deployment of new container versions. Which AWS service should be used to orchestrate the build, test, and deployment stages?

A. AWS CodeDeploy
B. AWS CodePipeline
C. AWS CloudFormation
D. AWS CodeBuild
Answer: B

CodePipeline orchestrates build, test, and deploy stages.

Why this answer

Option B is correct because AWS CodePipeline is a fully managed continuous delivery service that automates the build, test, and deploy phases of the release process. Option D is wrong because AWS CodeBuild builds and tests code but does not orchestrate the entire pipeline. Option A is wrong because AWS CodeDeploy deploys applications to compute services but does not orchestrate the entire pipeline.

Option C is wrong because AWS CloudFormation is for infrastructure as code, not CI/CD orchestration.

1197
MCQ (hard)

A company runs a critical application on a fleet of EC2 instances that process real-time financial transactions. The application requires consistent low latency. The SysOps administrator notices that the application's latency increases periodically due to noisy neighbors. The administrator wants to optimize performance predictability. Which instance type should the administrator choose?

A. Burstable Performance Instances (T3)
B. Dedicated Instances
C. Spot Instances
D. Reserved Instances
Answer: B

Dedicated Instances provide physical isolation, eliminating noisy neighbors.

Why this answer

Option B is correct because Dedicated Instances run on hardware dedicated to a single customer, eliminating the noisy neighbor effect. Option A is wrong because Burstable Performance Instances (T2, T3) are designed for variable workloads and do not provide consistent performance. Option C is wrong because Spot Instances are not suitable for critical, latency-sensitive applications.

Option D is wrong because Reserved Instances are a pricing discount and do not isolate the instance from other customers.

1198
MCQ (hard)

A SysOps administrator is troubleshooting a CloudFormation stack that failed to create. The stack includes an Amazon RDS DB instance. The error message indicates that the DB instance name already exists. The stack uses a parameter for the DB instance identifier. What should the administrator do to resolve this issue and create the stack?

A. Delete the failed stack, change the DB instance identifier parameter to a unique name, and recreate the stack.
B. Manually delete the DB instance from the AWS Management Console and then retry the stack creation.
C. Use the AWS CLI command aws cloudformation update-stack with a new parameter value.
D. Execute ContinueUpdateRollback on the stack to retry the creation.
Answer: A

This resolves the naming conflict and allows the stack to be created successfully.

Why this answer

Option A is correct because the stack creation failed due to a naming conflict. Updating the stack is not possible since it failed to create. The best approach is to delete the failed stack, change the parameter value to a unique name, and recreate the stack.

Option C is incorrect because the stack failed creation, so there is no successfully created stack to update; updating a failed stack requires a different approach and the parameter change might not be allowed. Option D is incorrect because ContinueUpdateRollback does not change the parameter. Option B is incorrect because the stack failed creation, so the conflicting DB instance is not a resource of this stack; the fix is a unique parameter value, not manual deletion.

1199
MCQ (medium)

A company has an Amazon DynamoDB table that stores historical data. The table is accessed infrequently but when queried requires consistent single-digit millisecond latency. The SysOps administrator wants to minimize storage costs while maintaining the required performance. Which DynamoDB table class should the administrator use?

A. DynamoDB Standard
B. DynamoDB Standard-IA (Infrequent Access)
C. DynamoDB On-Demand
D. DynamoDB Provisioned
Answer: B

Standard-IA reduces storage costs for infrequently accessed tables while maintaining single-digit millisecond latency, fitting the use case perfectly.

Why this answer

DynamoDB Standard-IA (Infrequent Access) is designed for tables that are accessed less than once per month, offering lower storage costs than DynamoDB Standard while maintaining the same single-digit millisecond latency for queries. Since the table stores historical data with infrequent access but requires consistent performance, Standard-IA minimizes storage costs without sacrificing latency.

Exam trap

The trap here is confusing DynamoDB table classes (Standard vs Standard-IA) with billing modes (On-Demand vs Provisioned), leading candidates to choose a billing mode instead of the correct table class for storage cost optimization.

How to eliminate wrong answers

Option A is wrong because DynamoDB Standard is optimized for frequently accessed data and has higher storage costs, making it suboptimal for infrequently accessed historical data. Option C is wrong because DynamoDB On-Demand is a billing mode (not a table class) that charges per request and is typically more expensive for unpredictable workloads, but it does not address storage cost optimization for infrequent access. Option D is wrong because DynamoDB Provisioned is also a billing mode (not a table class) that requires capacity planning and does not inherently reduce storage costs; it focuses on throughput rather than storage efficiency.

1200
MCQ (hard)

An application running on Amazon ECS (Fargate) is experiencing intermittent failures. The logs show 'CannotPullContainerError: error pulling image configuration: download failed after attempts=6'. The SysOps team has verified that the image exists in Amazon ECR and the task role has permissions to pull from ECR. What is the most likely cause?

A. The container image is corrupted.
B. The ECR repository policy is not allowing the task role.
C. The ECS task definition has an incorrect memory allocation.
D. The ECS tasks are in a private subnet without a NAT gateway or VPC endpoints for ECR and S3.
Answer: D

Fargate tasks in private subnets need internet access or VPC endpoints to pull images.

Why this answer

The error 'CannotPullContainerError: error pulling image configuration: download failed after attempts=6' indicates that the ECS task is unable to download the image layers from Amazon ECR. Since the image exists and the task role has permissions, the most likely cause is a network connectivity issue. When ECS tasks run in a private subnet without a NAT gateway or VPC endpoints for ECR and S3, they cannot reach the public ECR API endpoints or the S3 buckets that store image layers, causing the pull to fail after multiple retries.

Exam trap

The trap here is that candidates often assume the error is due to missing IAM permissions or a corrupted image, overlooking the fact that ECS tasks in private subnets require explicit network paths (NAT gateway or VPC endpoints) to reach ECR and S3, even when permissions are correctly configured.

How to eliminate wrong answers

Option A is wrong because a corrupted image would typically produce a different error, such as a manifest or layer integrity failure, not a download failure after multiple attempts. Option B is wrong because the task role already has permissions to pull from ECR, and the repository policy is a separate mechanism that would cause an authorization error (e.g., 'AccessDeniedException') rather than a download failure. Option C is wrong because incorrect memory allocation would cause the task to fail at launch with a resource-related error (e.g., 'CannotStartContainerError: ResourceInitializationError') or OOM kill, not an image pull failure.
