AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 12761350

1546 questions total · 21pages · All types, answers revealed

Page 17

Page 18 of 21

Page 19
1276
MCQmedium

A SysOps administrator needs to monitor the disk usage on Amazon EC2 instances running Linux. The administrator wants to collect disk utilization metrics every 5 minutes and set up an alarm when disk usage exceeds 80%. Which solution meets these requirements?

A.Use the EC2 detailed monitoring feature to collect disk metrics.
B.Install the Amazon CloudWatch Agent on the instances and configure it to collect disk metrics.
C.Use AWS Systems Manager Patch Manager to check disk space.
D.Configure an Amazon CloudWatch metric filter on the system log.
AnswerB

Correct. The CloudWatch agent collects custom metrics from the OS, including disk utilization, and sends them to CloudWatch for alarming.

Why this answer

The Amazon CloudWatch Agent is required to collect custom metrics like disk utilization from EC2 instances. It can be configured to gather disk space metrics every 5 minutes and publish them to CloudWatch, where an alarm can be set to trigger when usage exceeds 80%. EC2 detailed monitoring only collects hypervisor-level metrics (CPU, network, disk I/O), not guest OS-level disk usage.

Exam trap

The trap here is that candidates confuse EC2 detailed monitoring (which collects hypervisor-level metrics) with the ability to collect guest OS metrics like disk usage, leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because EC2 detailed monitoring provides hypervisor-level metrics such as CPU, network, and disk I/O, but it does not collect guest OS-level disk utilization (e.g., filesystem usage percentage). Option C is wrong because AWS Systems Manager Patch Manager is used for patching operating systems and applications, not for monitoring disk space or setting CloudWatch alarms. Option D is wrong because CloudWatch metric filters parse log data from log groups to create metrics, but they cannot extract disk usage metrics from system logs unless the logs contain structured disk usage data, and they do not replace the need for a CloudWatch agent to collect guest OS metrics.

1277
MCQmedium

A SysOps administrator manages an Amazon RDS for MySQL instance that experiences high CPU utilization during business hours. The application is read-heavy. Which action will most effectively improve performance and reduce cost?

A.Enable Multi-AZ deployment.
B.Scale up the instance size to a larger instance class.
C.Add a read replica.
D.Enable automated backups.
AnswerC

Correct. Read replicas handle read traffic, reducing load on the primary instance and improving performance cost-effectively.

Why this answer

Adding a read replica offloads read traffic from the primary RDS for MySQL instance, directly addressing the read-heavy workload and high CPU utilization. This improves performance by distributing SELECT queries to the replica, and reduces cost because you can use a smaller primary instance and only pay for the replica's resources when needed, rather than scaling up the entire instance.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which is for high availability) with read replicas (which are for read scaling), and assume that any scaling must involve resizing the instance rather than adding a separate read-only endpoint.

How to eliminate wrong answers

Option A is wrong because Multi-AZ deployment provides high availability and automatic failover, but does not offload read traffic or reduce CPU utilization on the primary instance; it only maintains a standby replica that cannot serve reads. Option B is wrong because scaling up to a larger instance class increases cost significantly and may still leave the instance underutilized during off-peak hours, whereas a read replica allows cost-effective scaling of read capacity. Option D is wrong because enabling automated backups adds overhead to the primary instance during backup windows, potentially increasing CPU utilization, and does not improve read performance or reduce cost.

1278
Multi-Selecthard

A company runs a production database on Amazon RDS for PostgreSQL. The SysOps administrator wants to improve query performance for a read-heavy application without increasing costs significantly. Which THREE actions should the administrator take? (Choose three.)

Select 3 answers
A.Enable Multi-AZ deployment
B.Increase the allocated storage size
C.Optimize slow queries by reviewing the slow query log
D.Implement an Amazon ElastiCache cluster to cache frequent query results
E.Add one or more Read Replicas
AnswersC, D, E

Identifies and fixes inefficient queries.

Why this answer

Option C is correct because reviewing the slow query log in RDS for PostgreSQL allows the administrator to identify and optimize poorly performing queries, which directly improves query performance without incurring additional infrastructure costs. This is a standard performance tuning practice that targets the root cause of read-heavy application slowdowns.

Exam trap

The trap here is confusing Multi-AZ deployment with read scaling; candidates often assume Multi-AZ improves read performance, but it only provides a standby replica for failover, not for serving read traffic.

1279
MCQeasy

A SysOps administrator wants to be notified when an Auto Scaling group launches a new instance. Which AWS service can be used to capture the Auto Scaling lifecycle events and send a notification?

A.AWS Config
B.Amazon CloudWatch Logs
C.Amazon Simple Notification Service (SNS)
D.AWS CloudTrail
AnswerC

Auto Scaling can publish notifications to SNS for scale-out events.

Why this answer

Amazon SNS is the correct choice because it can receive lifecycle notifications from Auto Scaling groups via Amazon EventBridge (formerly CloudWatch Events) and then deliver those notifications to subscribers (e.g., email, SMS, HTTP endpoints). Auto Scaling groups emit lifecycle events (e.g., `EC2 Instance-launch Lifecycle Action`) that can be captured by EventBridge rules, which then invoke an SNS topic to send the notification.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which records API calls) with EventBridge (which captures service events), leading them to choose CloudTrail for event-driven notifications, but CloudTrail does not handle lifecycle events or push notifications directly.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against desired policies and tracking configuration changes, not for capturing real-time lifecycle events or sending notifications. Option B is wrong because Amazon CloudWatch Logs is used to store, monitor, and access log files from AWS resources; it does not natively send notifications for Auto Scaling lifecycle events without additional integration (e.g., metric filters to SNS). Option D is wrong because AWS CloudTrail records API calls for auditing and compliance, but it does not capture Auto Scaling lifecycle events (which are not API calls) and cannot directly send notifications.

1280
MCQeasy

A company uses Amazon CloudWatch Logs to store application logs. The SysOps administrator needs to detect when the number of log entries containing the string 'ERROR' exceeds 100 in any 5-minute window. When this threshold is breached, an email should be sent to the operations team. Which combination of AWS services should be used with the least operational overhead?

A.CloudWatch Logs Insights scheduled query with SNS action.
B.Create a metric filter on the log group for 'ERROR', then create a CloudWatch alarm on that metric with an SNS action to send email.
C.Use a Lambda function that reads the log stream and sends an email via Amazon Simple Email Service (SES) when errors exceed 100.
D.Install an agent on the application server that sends logs to Amazon SQS, then poll the queue with a Lambda function to trigger an email.
AnswerB

This approach uses built-in CloudWatch features: metric filter extracts the count, alarm monitors the threshold, and SNS delivers the email. No custom code is needed.

Why this answer

Option B is correct because it uses CloudWatch metric filters to extract the count of 'ERROR' log entries as a custom metric, then a CloudWatch alarm on that metric triggers an SNS topic to send email notifications. This approach requires no custom code or additional infrastructure, minimizing operational overhead while meeting the requirement of detecting >100 errors in any 5-minute period.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a Lambda-based or custom agent approach, not realizing that CloudWatch metric filters and alarms provide a fully managed, serverless way to monitor log patterns with minimal operational overhead.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs Insights scheduled queries do not natively support triggering actions like SNS; they are designed for ad-hoc analysis and can only output results to S3 or other destinations, not directly invoke SNS. Option C is wrong because using a Lambda function to read log streams and send email via SES introduces unnecessary complexity, custom code, and potential latency, increasing operational overhead compared to the native metric filter and alarm approach. Option D is wrong because installing an agent to send logs to SQS and polling with Lambda adds significant operational overhead, requires managing custom infrastructure, and is not a native CloudWatch solution for real-time log monitoring.

1281
MCQeasy

A company uses Amazon CloudFront to distribute content globally. The operations team notices that the data transfer costs are higher than expected. The origin server is an S3 bucket in us-east-1. Which change would reduce data transfer costs?

A.Use Lambda@Edge to resize images on the fly.
B.Increase the default TTL for objects.
C.Use multiple S3 buckets in different regions as origins.
D.Enable compression for compressible content.
AnswerD

Reduces the size of data transferred from CloudFront to viewers.

Why this answer

Enabling compression reduces the amount of data transferred, lowering costs. Option A is wrong because using multiple S3 buckets increases complexity without reducing transfer costs. Option B is wrong because increasing TTL may reduce origin requests but not data transfer from CloudFront to viewers.

Option D is wrong because Lambda@Edge adds compute cost.

1282
Multi-Selecteasy

A SysOps administrator is setting up an AWS Elastic Beanstalk environment for a Node.js application. The administrator wants to ensure that environment variables are set for the application. Which of the following methods can be used to set environment variables in Elastic Beanstalk? (Choose TWO.)

Select 2 answers
A.Use the AWS CLI command update-environment.
B.Set them in the Elastic Beanstalk environment configuration.
C.Use a CloudFormation template to set environment variables.
D.Include them in the AppSpec file.
E.Define them in the EB CLI configuration file.
AnswersA, B

The CLI can set environment variables using the --option-settings parameter.

Why this answer

Environment variables can be set in the Elastic Beanstalk console under Configuration > Software, or via the AWS CLI using the update-environment command. Option A and D are correct. Option B is wrong because the EB CLI does not support setting environment variables directly; it uses configuration files.

Option C is wrong because the AppSpec file is for CodeDeploy, not Elastic Beanstalk. Option E is wrong because CloudFormation templates are not used directly in Elastic Beanstalk for environment variables.

1283
MCQhard

A SysOps administrator is using AWS OpsWorks to manage a stack of web servers. The administrator wants to automate the installation of custom software on all new instances that are added to the layer. What is the best approach?

A.Assign a custom Chef recipe to the layer's Setup lifecycle event.
B.Use AWS CloudFormation to install software on new instances.
C.Create a custom AMI with the software pre-installed and use that in the layer.
D.Use EC2 user data scripts in the layer configuration.
AnswerA

OpsWorks runs the Setup recipe on new instances, allowing custom software installation.

Why this answer

Custom Chef recipes can be assigned to a layer's lifecycle events, such as Setup, to run on new instances. Option A is correct. Option B is wrong because user data is for EC2 instances directly, not OpsWorks.

Option C is wrong because custom AMIs require manual management and do not integrate with OpsWorks automation. Option D is wrong because CloudFormation is not part of OpsWorks instance lifecycle.

1284
MCQeasy

A SysOps administrator notices that an Amazon RDS instance's CPU utilization is consistently above 90% during peak hours. The application is read-heavy and can tolerate eventual consistency. Which action would MOST effectively reduce CPU load?

A.Increase the instance size from db.r5.large to db.r5.xlarge.
B.Enable Multi-AZ deployment for the RDS instance.
C.Create one or more read replicas and direct read traffic to them.
D.Change the storage type to Provisioned IOPS.
AnswerC

Read replicas handle read queries, reducing load on the primary instance.

Why this answer

The application is read-heavy and can tolerate eventual consistency, making read replicas the ideal solution. By offloading read traffic to one or more read replicas, the primary RDS instance's CPU load is reduced because it no longer has to process all read queries. This directly addresses the high CPU utilization during peak hours without requiring a larger instance or other changes.

Exam trap

The trap here is that candidates often confuse Multi-AZ standby replicas with read replicas, assuming Multi-AZ can also offload read traffic, but AWS explicitly prohibits using the Multi-AZ standby for reads—it only supports failover.

How to eliminate wrong answers

Option A is wrong because increasing the instance size (e.g., from db.r5.large to db.r5.xlarge) adds more CPU and memory capacity, but it does not offload read traffic; it only scales the existing single instance, which may still be overwhelmed by the same read-heavy workload. Option B is wrong because enabling Multi-AZ deployment provides high availability and automatic failover via a synchronous standby replica, but that standby replica cannot serve read traffic (it is not a read replica), so it does not reduce CPU load on the primary instance. Option D is wrong because changing the storage type to Provisioned IOPS improves I/O performance and reduces latency, but it does not directly reduce CPU utilization; CPU load is driven by query processing, not storage throughput.

1285
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The application stores session data in a DynamoDB table. To improve reliability, the SysOps administrator needs to ensure that session data is preserved if an EC2 instance fails. Which action should the administrator take?

A.Enable sticky sessions (session affinity) on the ALB.
B.Mount the same EBS volume to all EC2 instances to share session data.
C.Store session data in an ElastiCache Memcached cluster.
D.Use DynamoDB to store session data, making it accessible from any instance.
AnswerD

DynamoDB is a durable, external session store that survives instance failure.

Why this answer

Option A is correct because storing session data externally (e.g., in DynamoDB) ensures it survives instance failure. Option B is incorrect because EBS volumes are tied to a single AZ; mounting the same volume to multiple instances is not supported. Option C is incorrect because ElastiCache sessions are ephemeral and lost on cache node failure.

Option D is incorrect because ELB sticky sessions cause uneven load and do not preserve session data on instance failure.

1286
Multi-Selecteasy

A SysOps administrator needs to monitor the CPU and memory utilization of an EC2 instance running a legacy application that cannot be modified. Which TWO methods can be used to collect this information? (Choose TWO.)

Select 2 answers
A.Enable detailed monitoring on the instance to get memory metrics.
B.Install the CloudWatch agent on the instance and configure it to collect memory metrics.
C.Use a custom script to push memory data to CloudWatch via the PutMetricData API.
D.Use the EC2 hypervisor metrics available from CloudWatch.
E.Use AWS Systems Manager Inventory to collect memory utilization.
AnswersB, C

The agent can collect memory and CPU metrics.

Why this answer

Option B is correct because the CloudWatch agent can be installed on an EC2 instance to collect custom metrics, including memory utilization, which is not available by default from the hypervisor. The agent sends these metrics to CloudWatch using the PutMetricData API, enabling monitoring of in-guest resources like memory and disk.

Exam trap

The trap here is that candidates often assume detailed monitoring or hypervisor metrics include memory utilization, not realizing that memory is an in-guest metric requiring an agent or custom script to collect.

1287
MCQmedium

A company is using Lambda functions to process data from an S3 bucket. The SysOps administrator needs to update the Lambda function code with a new version. The administrator wants to ensure that during the deployment, any in-flight requests are completed with the old code, and new requests use the new code. Which deployment strategy should the administrator use?

A.Update the Lambda function code directly using the AWS CLI.
B.Use AWS CodeDeploy with a canary deployment configuration on the Lambda function.
C.Create a new Lambda function and update the S3 event notification to trigger the new function.
D.Create a new Lambda version and update the alias to gradually shift traffic from the old version to the new version using weighted routing.
AnswerD

Weighted routing allows a percentage of traffic to go to the new version while old requests complete.

Why this answer

Option B is correct because Lambda aliases with weighted routing allow gradual traffic shifting. Option A is incorrect because updating the function directly immediately changes all invocations. Option C is incorrect because a new version can be created but without alias routing, all traffic goes to the new version.

Option D is incorrect because canary deployments are not native to Lambda; weighted routing is the correct method.

1288
MCQmedium

A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application stores session state in memory on each instance. The SysOps administrator wants to make the application highly available across multiple Availability Zones without losing session data when instances are terminated or replaced. The solution must minimize application changes. Which approach should the administrator take?

A.Use sticky sessions (session affinity) on the ALB and configure the Auto Scaling group with a larger min size.
B.Store session data in a shared Amazon ElastiCache cluster and modify the application to read/write session state to ElastiCache.
C.Deploy the application in multiple AWS Regions and use Amazon Route 53 with latency-based routing.
D.Store session data in an Amazon RDS for MySQL database and configure the application to read/write session state to the database.
AnswerB

ElastiCache provides a centralized, highly available in-memory cache that decouples session state from individual EC2 instances. Instances can be replaced or scaled without losing session data.

Why this answer

Option B is correct because storing session state in a shared Amazon ElastiCache cluster decouples session data from individual EC2 instances, allowing any instance in the Auto Scaling group to serve any user request without losing session data when instances are terminated or replaced. This approach requires minimal application changes (only modifying the session handler to point to ElastiCache) and supports high availability across multiple Availability Zones by using a replicated ElastiCache cluster (e.g., Redis with replication).

Exam trap

The trap here is that candidates often choose sticky sessions (Option A) because they seem to solve session affinity without code changes, but they fail to realize that sticky sessions do not persist session data across instance terminations, which is the core requirement for high availability without data loss.

How to eliminate wrong answers

Option A is wrong because sticky sessions (session affinity) bind a user's session to a specific EC2 instance; if that instance is terminated or replaced, the session data stored in memory is lost, violating the requirement to not lose session data. Option C is wrong because deploying across multiple AWS Regions with Route 53 latency-based routing does not address session state persistence within a single region; it introduces cross-region latency and complexity without solving the fundamental issue of in-memory session loss on instance termination. Option D is wrong because while storing session data in Amazon RDS for MySQL would persist session state, it introduces significant overhead (e.g., database connection management, schema design, and slower read/write compared to in-memory caching) and requires more extensive application changes than using ElastiCache, which is purpose-built for session storage.

1289
Multi-Selecthard

A company uses Amazon S3 to store backups and logs. The total data volume is 50 TB and grows by 2 TB per month. The company requires that data be retained for 7 years. Which THREE actions will optimize storage costs? (Choose THREE.)

Select 3 answers
A.Use S3 Lifecycle policies to transition data to S3 Glacier Deep Archive after 30 days.
B.Set up S3 Lifecycle to expire incomplete multipart uploads after 7 days.
C.Store all data in S3 Standard for the first year, then delete.
D.Use S3 Intelligent-Tiering for data that is accessed infrequently but with unknown patterns.
E.Use S3 Glacier Flexible Retrieval to allow data retrieval in minutes.
AnswersA, B, D

Glacier Deep Archive is the cheapest for long-term retention.

Why this answer

The correct answers are A, C, and D. S3 Lifecycle policies automatically transition objects to cheaper storage classes. S3 Glacier Deep Archive is the lowest-cost storage for long-term retention.

S3 Intelligent-Tiering automatically moves data between tiers based on access patterns. Option B is wrong because S3 Standard is expensive for long-term retention. Option E is wrong because requiring retrieval in minutes is not cost-effective for archival data.

1290
Multi-Selectmedium

A company is designing a secure application architecture. They need to ensure that sensitive data stored in Amazon S3 is not accessible from the public internet. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A.Use an S3 VPC Gateway Endpoint to restrict access to the VPC.
B.Enable default encryption on the bucket.
C.Enable MFA Delete on the bucket.
D.Use Amazon CloudFront with Origin Access Identity (OAI).
E.Block all public access at the bucket level.
AnswersA, E

Restricts access to within the VPC.

Why this answer

Option B is correct because blocking public access at the bucket or account level prevents public access. Option C is correct because using S3 VPC Gateway Endpoint ensures access is only from within the VPC. Option A is wrong because encrypting data does not prevent public access.

Option D is wrong because CloudFront with OAI can provide secure access but does not by itself block public internet access if the bucket is public. Option E is wrong because MFA Delete is for deletion protection, not access control.

1291
MCQmedium

Refer to the exhibit. An IAM policy is attached to a group. A SysOps Administrator in that group tries to terminate an EC2 instance with the tag 'Environment=production'. The action fails. What is the most likely reason?

A.The condition key 'ec2:ResourceTag/Environment' is invalid.
B.The policy does not allow the ec2:TerminateInstances action.
C.The instance does not have the tag 'Environment=production'.
D.The condition uses 'StringEquals' instead of 'StringLike'.
AnswerC

The policy requires the tag to be present for the action to be allowed.

Why this answer

Option A is correct because the policy allows termination only for instances with the tag 'Environment=production', but there might be an explicit deny elsewhere or the instance does not have the tag. Option B is wrong because the policy allows the action. Option C is wrong because the condition uses StringEquals, which is case-sensitive.

Option D is wrong because the condition key is valid.

1292
MCQeasy

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are configured with server-side encryption using AWS KMS (SSE-KMS). The administrator wants to automatically detect any S3 buckets that are not compliant and remediate them by enabling SSE-KMS. Which AWS service should be used to implement this automated compliance enforcement?

A.AWS Config
B.AWS Trusted Advisor
C.AWS Service Catalog
D.AWS CloudFormation
AnswerA

AWS Config can continuously monitor and evaluate S3 bucket encryption settings using managed rules and trigger auto-remediation actions to enable SSE-KMS on non-compliant buckets.

Why this answer

AWS Config is the correct service because it provides managed rules (e.g., s3-bucket-server-side-encryption-enabled) that can continuously evaluate S3 buckets for compliance with SSE-KMS. When a non-compliant bucket is detected, AWS Config can trigger an AWS Systems Manager Automation document or a custom remediation action (via AWS Config Rules remediation) to automatically enable SSE-KMS on the bucket, ensuring automated enforcement without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's reactive compliance monitoring with Trusted Advisor's advisory checks, or assume CloudFormation can handle post-deployment compliance, but only AWS Config provides the continuous evaluation and automated remediation required for this use case.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor only provides reactive recommendations and best-practice checks (e.g., S3 bucket permissions) but does not support automated remediation or custom compliance rules; it cannot automatically enable SSE-KMS on non-compliant buckets. Option C is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., pre-configured S3 bucket templates) but does not perform ongoing compliance monitoring or remediation of existing resources. Option D is wrong because AWS CloudFormation is an infrastructure-as-code service for provisioning resources via templates; it can enforce SSE-KMS at deployment time but cannot automatically detect or remediate non-compliant buckets that already exist or are created outside of CloudFormation stacks.

1293
Multi-Selectmedium

Which TWO actions can be used to protect data in transit between an EC2 instance and an S3 bucket? (Choose two.)

Select 2 answers
A.Configure security group rules on the EC2 instance to allow only S3 traffic.
B.Apply an S3 bucket policy that denies access unless the request includes the x-amz-server-side-encryption header.
C.Use HTTPS instead of HTTP when accessing S3 from the EC2 instance.
D.Enable S3 default encryption (SSE-S3) on the bucket.
E.Use S3 VPC endpoints to ensure traffic between the VPC and S3 does not traverse the internet.
AnswersC, E

HTTPS encrypts the data in transit.

Why this answer

Option C is correct because HTTPS encrypts the data in transit between the EC2 instance and S3 using TLS, protecting it from eavesdropping or tampering. This ensures that the HTTP request and response payload, as well as headers, are encrypted over the network, which is a direct method to protect data in transit.

Exam trap

The trap here is confusing encryption in transit (HTTPS) with encryption at rest (SSE-S3 or bucket policies requiring encryption headers), leading candidates to select options that protect data only after it reaches S3 rather than during network transmission.

1294
MCQhard

A company stores video files in Amazon S3. Files are accessed frequently for the first 30 days, then weekly for the next 6 months, and then rarely after that. Files must be retained for 5 years and any access must be served within minutes. The SysOps administrator wants to minimize storage costs. Which lifecycle policy is most cost-effective?

A.Transition to S3 Standard-Infrequent Access after 30 days, then to S3 Glacier Deep Archive after 6 months.
B.Transition to S3 One Zone-Infrequent Access after 30 days, then to S3 Glacier after 6 months.
C.Transition to S3 Standard-Infrequent Access after 30 days, then to S3 Glacier Instant Retrieval after 6 months.
D.Transition to S3 Intelligent-Tiering after 30 days, then to S3 Glacier Flexible Retrieval after 6 months.
AnswerA

Standard-IA reduces cost for weekly access, and Glacier Deep Archive provides the lowest storage cost for rarely accessed data with retrieval in minutes (expedited) if needed.

Why this answer

Option A is correct because it transitions objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days to match the weekly access pattern at lower cost than S3 Standard, then to S3 Glacier Deep Archive after 6 months for the rarely accessed retention period, meeting the 5-year retention requirement with the lowest storage cost while still allowing retrieval within minutes (Glacier Deep Archive retrieval typically takes 12 hours, but the question states 'within minutes' for any access; however, for rarely accessed files after 6 months, minutes-level retrieval is not required, and the cost savings of Deep Archive outweigh the slower retrieval).

Exam trap

The trap here is that candidates often choose S3 Glacier Instant Retrieval (Option C) because they see 'within minutes' and assume all access must be instant, but they overlook that after 6 months the access is rare and minutes-level retrieval is not needed, making Glacier Deep Archive the most cost-effective choice for long-term retention.

How to eliminate wrong answers

Option B is wrong because S3 One Zone-Infrequent Access (One Zone-IA) does not provide the same durability as Standard-IA (data is stored in a single Availability Zone) and is not recommended for data that must be retained for 5 years with high durability requirements; also, transitioning to S3 Glacier (now S3 Glacier Flexible Retrieval) after 6 months is less cost-effective than Glacier Deep Archive for rarely accessed data. Option C is wrong because S3 Glacier Instant Retrieval is designed for data accessed once per quarter with millisecond retrieval, but after 6 months the files are rarely accessed, making Glacier Deep Archive more cost-effective; Glacier Instant Retrieval has higher storage costs than Deep Archive. Option D is wrong because S3 Intelligent-Tiering adds a monitoring and automation cost per object (approximately $0.0025 per 1,000 objects) and does not automatically transition to the lowest-cost tier for rarely accessed data after 6 months; it only moves between tiers based on access patterns, and the final tier (Deep Archive Access) is not included in Intelligent-Tiering by default, requiring a manual lifecycle rule anyway.

1295
MCQmedium

A company runs a gaming application that uses Amazon EC2 instances to handle real-time multiplayer sessions. The application requires low-latency communication with users around the world. The SysOps administrator needs to accelerate content delivery for non-cacheable, dynamic content (such as real-time game state updates) and also provide static asset delivery. The solution must support both TCP and UDP traffic. Which AWS service should be used?

A.AWS Global Accelerator
B.Amazon CloudFront with origins configured for both dynamic and static content
C.AWS Shield Advanced
D.AWS App Mesh
AnswerA

Global Accelerator uses the AWS global network to optimize the path from users to applications. It supports both TCP and UDP traffic, making it suitable for real-time gaming applications that require low latency for both dynamic data and static assets (if static assets are served from the same endpoint).

Why this answer

AWS Global Accelerator is the correct choice because it uses the AWS global network and Anycast IPs to route TCP and UDP traffic to the optimal endpoint, providing low-latency performance for non-cacheable dynamic content like real-time game state updates. It also supports static asset delivery by directing traffic to origins such as Application Load Balancers or EC2 instances, and it handles both TCP and UDP protocols natively, which is essential for real-time multiplayer gaming.

Exam trap

The trap here is that candidates often assume CloudFront can handle all content delivery scenarios, but it does not support UDP traffic and is designed for cacheable HTTP/HTTPS content, making it unsuitable for real-time multiplayer games that require low-latency UDP communication.

How to eliminate wrong answers

Option B is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for cacheable content (HTTP/HTTPS) and does not support UDP traffic; it cannot accelerate non-cacheable dynamic content with low-latency UDP requirements. Option C is wrong because AWS Shield Advanced is a DDoS protection service that provides mitigation against volumetric attacks, but it does not accelerate content delivery or handle TCP/UDP traffic routing for performance. Option D is wrong because AWS App Mesh is a service mesh for microservices communication within a cluster (e.g., ECS/EKS) and does not provide global traffic acceleration or support for UDP traffic at the edge.

1296
MCQeasy

A SysOps administrator needs to deploy a web application stack consisting of an Amazon EC2 instance, an Amazon RDS database, and an Application Load Balancer. The administrator wants to define the infrastructure as code and version control it. Which AWS service should the administrator use?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerB

CloudFormation allows you to define all resources in a template, enabling version-controlled, repeatable deployments.

Why this answer

AWS CloudFormation is the correct choice because it is an Infrastructure as Code (IaC) service that allows you to define and provision AWS resources—such as EC2 instances, RDS databases, and Application Load Balancers—using declarative templates (JSON or YAML). These templates can be version-controlled in a repository like Git, enabling repeatable, auditable deployments. Elastic Beanstalk abstracts infrastructure management but does not give you the same level of granular control over individual resources as CloudFormation.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk (a PaaS that automates deployment) with Infrastructure as Code, but Elastic Beanstalk does not allow you to version-control the raw infrastructure definition; CloudFormation is the dedicated IaC service for that purpose.

How to eliminate wrong answers

Option A is wrong because AWS Elastic Beanstalk is a Platform as a Service (PaaS) that automates deployment and scaling of applications but does not provide native version control for the underlying infrastructure definition; it manages resources behind the scenes, not as a user-defined IaC template. Option C is wrong because AWS OpsWorks is a configuration management service based on Chef and Puppet, designed for managing server configurations and application stacks, not for declaratively provisioning and version-controlling infrastructure resources like EC2, RDS, and ALB as code. Option D is wrong because AWS CodeDeploy is a deployment automation service that handles code deployment to compute services (e.g., EC2, Lambda) but does not define or provision the underlying infrastructure resources themselves.

1297
MCQmedium

A SysOps administrator needs to ensure that all API calls made to AWS are logged for auditing purposes. Which AWS service should be enabled to capture management events?

A.AWS CloudTrail
B.S3 server access logs
C.VPC Flow Logs
D.Amazon CloudWatch Logs
AnswerA

CloudTrail records API activity in the AWS account.

Why this answer

Option B is correct because AWS CloudTrail logs all API calls for governance, compliance, and auditing. Option A is wrong because CloudWatch Logs stores logs but does not capture API calls. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

Option D is wrong because S3 access logs capture requests to S3, not all AWS API calls.

1298
MCQeasy

A SysOps administrator needs to reduce costs for a non-production environment that runs 24/7 but is only used during business hours. What is the MOST effective action?

A.Create a schedule to stop instances after business hours and start them before.
B.Switch all instances to Spot Instances.
C.Purchase Reserved Instances for the environment.
D.Reduce the instance sizes to the smallest available.
AnswerA

Stopping instances eliminates compute costs during idle time.

Why this answer

Option B is correct because stopping instances during off-hours reduces compute costs significantly. Using Reserved Instances is not ideal for non-production environments. Switching to Spot Instances could cause interruptions.

Reducing instance size might not be enough.

1299
Multi-Selectmedium

Which TWO methods can be used to secure an S3 bucket that is used as an origin for Amazon CloudFront? (Select two.)

Select 2 answers
A.Write a bucket policy that allows only the CloudFront distribution’s OAI.
B.Use bucket ACLs to grant public read access.
C.Enable S3 server-side encryption.
D.Configure an origin access identity (OAI) and restrict bucket access.
E.Generate pre-signed URLs for all objects.
AnswersA, D

Bucket policy can restrict access to the OAI.

Why this answer

Option A is correct because OAI ensures only CloudFront can access the bucket. Option C is correct because a bucket policy can restrict access to CloudFront. Option B is wrong because bucket ACLs are legacy.

Option D is wrong because pre-signed URLs grant temporary access, not a security method for the origin. Option E is wrong because encryption protects data at rest, not access control.

1300
Multi-Selecteasy

A SysOps administrator is configuring a new VPC and wants to ensure that only traffic from a specific IP address range can access an EC2 instance via SSH. Which TWO components should be configured? (Choose two.)

Select 2 answers
A.VPC endpoint
B.Network ACL (NACL)
C.Security group
D.Internet gateway
E.Route table
AnswersB, C

NACLs control traffic at the subnet level and can allow/deny inbound SSH from specific IP ranges.

Why this answer

To restrict SSH access to a specific IP range, you configure a network ACL at the subnet level and a security group at the instance level. NACLs are stateless and evaluate rules in order; security groups are stateful. Both can allow inbound SSH from the specific IP range.

Internet gateway enables internet access but does not filter by IP. Route tables direct traffic but do not filter. VPC endpoint is for private connectivity to AWS services.

1301
MCQeasy

A company uses CloudFront to distribute content globally. They want to reduce data transfer costs and improve performance for users. What feature should they enable?

A.Configure multiple origins with failover.
B.Enable Lambda@Edge to modify requests and responses.
C.Enable Origin Shield to create a central caching layer.
D.Increase the TTL for cache behaviors to the maximum allowed value.
AnswerC

Origin Shield increases cache hit ratio, reducing origin requests and transfer costs.

Why this answer

Option B is correct because Origin Shield increases cache hit ratio by centralizing requests, reducing origin load and data transfer cost. Option A is wrong because Lambda@Edge adds processing but does not directly reduce transfer. Option C is wrong because it increases cache hits but does not reduce origin requests as effectively as Origin Shield.

Option D is wrong because origin failover is for availability, not cost.

1302
MCQeasy

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. Which configuration ensures that traffic is distributed evenly across all healthy targets?

A.Enable cross-zone load balancing on the ALB
B.Configure sticky sessions (session affinity) on the target group
C.Use a Network Load Balancer with path-based routing
D.Enable connection draining on the target group
AnswerA

Cross-zone load balancing distributes traffic evenly across all registered targets in all AZs.

Why this answer

Cross-zone load balancing enables the ALB to distribute incoming traffic evenly across all healthy targets in all enabled Availability Zones, rather than sending traffic only to targets within the same zone as the requesting client. By default, ALBs distribute traffic equally across zones first, then round-robin within each zone, which can lead to uneven load if target counts differ per zone. Enabling cross-zone load balancing overrides this behavior, ensuring each healthy target receives an equal share of requests regardless of its zone.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing with sticky sessions or connection draining, assuming that session affinity or graceful termination will improve distribution, when in fact only cross-zone load balancing ensures even traffic spread across all healthy targets.

How to eliminate wrong answers

Option B is wrong because sticky sessions (session affinity) bind a client to a specific target for the duration of its session, which can cause uneven traffic distribution and does not ensure even distribution across all healthy targets. Option C is wrong because a Network Load Balancer (NLB) does not support path-based routing; path-based routing is a feature of Application Load Balancers, and using an NLB would not address the requirement for even distribution across healthy targets. Option D is wrong because connection draining (deregistration delay) allows in-flight requests to complete before a target is removed from service, but it does not influence how traffic is distributed among healthy targets during normal operation.

1303
MCQmedium

Refer to the exhibit. A SysOps administrator creates the CloudWatch Alarm shown. However, the alarm never enters ALARM state even though the CPU utilization of the EC2 instance is consistently above 90%. What is the most likely reason?

A.The alarm is missing the InstanceId dimension.
B.The threshold is set too high; it should be 80%.
C.The evaluation periods are too few.
D.The statistic should be Maximum instead of Average.
AnswerA

Without a dimension, the alarm does not know which instance to monitor.

Why this answer

The alarm never enters ALARM state because it is missing the required `InstanceId` dimension. CloudWatch metrics for EC2, such as `CPUUtilization`, are published with the `InstanceId` dimension to uniquely identify the data stream. Without specifying this dimension in the alarm configuration, CloudWatch cannot match the alarm to the metric data emitted by the EC2 instance, so the alarm remains in INSUFFICIENT_DATA or OK state regardless of actual CPU usage.

Exam trap

The trap here is that candidates focus on tuning threshold or evaluation periods, overlooking the fundamental requirement that CloudWatch alarms must include the correct dimensions to match the metric data stream.

How to eliminate wrong answers

Option B is wrong because the threshold being set to 90% is not the issue; the alarm never evaluates the metric at all due to the missing dimension, so adjusting the threshold would not fix the problem. Option C is wrong because the evaluation periods being too few would cause the alarm to take longer to trigger or require more consecutive datapoints, but it would still eventually enter ALARM state if the metric were being evaluated; here the alarm never evaluates due to the missing dimension. Option D is wrong because using Average vs Maximum might affect sensitivity, but the alarm is not receiving any metric data to evaluate, so changing the statistic would not resolve the missing dimension issue.

1304
MCQeasy

A company wants to ensure that its Amazon RDS database can withstand the loss of an entire Availability Zone. Which feature should the SysOps administrator enable?

A.Enable automated backups with a retention period of 35 days.
B.Enable Multi-AZ deployment.
C.Take manual snapshots and copy them to another Region.
D.Create a read replica in a different Availability Zone.
AnswerB

Multi-AZ provides automatic failover to a standby in another AZ.

Why this answer

Option B is correct: Multi-AZ deployment creates a standby in a different AZ; if the primary AZ fails, RDS automatically fails over to the standby. Option A is incorrect because read replicas can be in a different AZ but are not used for automatic failover. Option C is incorrect because manual snapshots require manual restoration.

Option D is incorrect because automated backups are stored in S3 and do not provide automatic failover.

1305
Multi-Selectmedium

A company has a CloudWatch dashboard that displays metrics for several EC2 instances. The SysOps administrator wants to share the dashboard with external stakeholders who do not have AWS accounts. Which actions should the administrator take? (Select TWO.)

Select 2 answers
A.Use the CloudWatch dashboard sharing feature to make the dashboard public.
B.Create a web application that reads CloudWatch metrics and host it on EC2.
C.Create IAM users for each stakeholder and assign appropriate permissions.
D.Generate a shareable URL for the dashboard and send it to the stakeholders.
E.Export the dashboard to Amazon QuickSight and share it via email.
AnswersA, D

Public sharing allows anyone with the link to view the dashboard.

Why this answer

Option A is correct because CloudWatch dashboards have a built-in sharing feature that allows you to make a dashboard public by generating a shareable URL. This URL can be accessed by anyone, even without an AWS account, and the dashboard data is encrypted in transit using HTTPS. The feature also supports time-range and time-zone customization via URL parameters.

Exam trap

The trap here is that candidates often confuse the CloudWatch dashboard sharing feature with IAM-based access, assuming external users must have AWS credentials, when in fact the public URL mechanism is designed specifically for sharing with non-AWS users.

1306
MCQhard

An organization uses AWS OpsWorks for configuration management. The SysOps administrator notices that a stack's instances are not receiving the updated custom cookbooks after a new deployment. The cookbooks are stored in a private GitHub repository. What is the most likely cause?

A.The cookbooks are not stored in an S3 bucket.
B.The OpsWorks agent is not running on the instances.
C.The instances do not have internet access.
D.The SSH key for the Git repository is not configured in the stack.
AnswerD

OpsWorks needs the private SSH key to access private repositories.

Why this answer

The correct answer is D because OpsWorks uses the SSH key stored in the stack to clone private repositories. If the key is missing or invalid, the cookbook update fails silently. Option A is incorrect because the agent typically checks periodically.

Option B is incorrect because cookbooks are downloaded via Git, not S3, unless using S3 archives. Option C is incorrect because instances need outbound access to GitHub, but that would be a different symptom.

1307
MCQeasy

A SysOps administrator needs to centralize logs from multiple AWS accounts into a single S3 bucket for analysis. Which solution is the MOST operationally efficient?

A.Use S3 replication to copy logs from each account's bucket to a central bucket.
B.Use CloudWatch Logs subscription filter to stream logs to a central account.
C.Use Amazon Kinesis Data Firehose to deliver logs from each account to a central S3 bucket.
D.Configure CloudTrail in each account to deliver logs to the same S3 bucket in the central account.
AnswerD

This is the standard method for centralizing CloudTrail logs.

Why this answer

Option D is correct because AWS CloudTrail can be configured in each account to deliver logs directly to the same S3 bucket in a central account by specifying the central bucket's ARN and setting appropriate bucket policies. This approach is operationally efficient as it eliminates the need for intermediate services or replication, reducing complexity and cost while ensuring logs are centralized without manual intervention.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing Kinesis or replication, missing that CloudTrail natively supports cross-account S3 delivery, which is the simplest and most cost-effective method for centralizing logs.

How to eliminate wrong answers

Option A is wrong because S3 replication requires logs to first be delivered to separate buckets in each account, then replicated to a central bucket, adding latency, storage costs, and management overhead; it is not the most operationally efficient. Option B is wrong because CloudWatch Logs subscription filters are designed to stream logs to a central account for real-time processing, but they require additional configuration and do not directly deliver to S3 without an intermediary like Kinesis or Lambda, making it less efficient for simple centralized storage. Option C is wrong because Amazon Kinesis Data Firehose introduces an unnecessary streaming layer and additional cost for a batch-logging use case, whereas CloudTrail can directly write to S3 without extra services.

1308
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. A developer accidentally deletes a resource from the stack template, and the next stack update attempts to delete the resource. The SysOps administrator wants to prevent accidental deletion of critical resources. Which CloudFormation feature should be used?

A.Enable termination protection on the stack.
B.Stack policy to deny delete actions.
C.Set a DeletionPolicy attribute to 'Retain' on the resource.
D.Attach an IAM policy that denies cloudformation:DeleteStack.
AnswerC

DeletionPolicy: Retain retains the resource when it's removed from the template.

Why this answer

The correct answer is C because DeletionPolicy: Retain preserves the resource when the stack is deleted or the resource is removed from the template. Option A is incorrect because StackPolicy controls updates, not deletions. Option B is incorrect because TerminationProtection is for EC2 instances, not CloudFormation.

Option D is incorrect because ResourcePolicy is not a CloudFormation feature.

1309
Multi-Selectmedium

A company wants to use AWS Elastic Beanstalk to deploy a web application. The application requires a custom Amazon Linux 2 AMI with specific security agents installed. The company wants to ensure that all environment instances use this custom AMI. Which combination of steps should be taken? (Choose three.)

Select 3 answers
A.Configure the Elastic Beanstalk environment to use the custom AMI by specifying the AMI ID in the .ebextensions configuration.
B.Create a CloudFormation template to deploy the environment with the custom AMI.
C.Create a custom AMI using the Elastic Beanstalk platform image as the base.
D.Create a custom AMI using AWS Image Builder.
E.Use a configuration file in the .ebextensions folder to set the AMI ID for the Auto Scaling launch configuration.
AnswersA, C, E

This tells the environment to use the custom AMI.

Why this answer

Options B, C, and D are correct. The custom AMI must be built from the Elastic Beanstalk platform image to ensure compatibility, then the AMI ID must be specified in the environment configuration via .ebextensions or the console. Option A is wrong because the company does not need to manage their own AMI builder.

Option E is wrong because CloudFormation is not required for this task.

1310
MCQmedium

A company runs a batch processing application on Amazon EC2 instances every night. The job takes exactly 1 hour to complete and is time-sensitive. The SysOps administrator wants to minimize compute costs while ensuring the job can be interrupted and resumed if needed. Which EC2 purchasing option is most cost-effective?

A.On-Demand Instances
B.Reserved Instances (Standard 1-year)
C.Spot Instances
D.Dedicated Hosts
AnswerC

Spot Instances are the cheapest option. They can be interrupted, but because the job can be interrupted and resumed (checkpointed), this is acceptable and yields the highest cost savings.

Why this answer

Spot Instances are the most cost-effective option because the batch job is fault-tolerant (can be interrupted and resumed) and runs for exactly 1 hour nightly. Spot Instances offer up to 90% discount compared to On-Demand, and with the ability to handle interruptions via checkpointing, they meet the requirement for cost minimization while supporting resumption.

Exam trap

The trap here is that candidates often assume Spot Instances are unsuitable for time-sensitive jobs due to potential interruptions, but the question explicitly states the job can be interrupted and resumed, making Spot the correct cost-effective choice over Reserved Instances or On-Demand.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances provide no discount and are the most expensive option for a predictable nightly workload, failing to minimize costs. Option B is wrong because Reserved Instances require a 1-year commitment and are not cost-effective for a job that runs only 1 hour per night, as the upfront cost would not be amortized efficiently. Option D is wrong because Dedicated Hosts are designed for licensing or compliance requirements, not for cost savings, and are significantly more expensive than other options for this use case.

1311
Multi-Selectmedium

A company is using Amazon CloudWatch Logs to centralize logs from multiple EC2 instances. The SysOps administrator needs to ensure that log data is encrypted at rest and in transit. Which TWO actions should the administrator take? (Choose TWO.)

Select 2 answers
A.Encrypt the CloudWatch Logs log group using an AWS KMS customer managed key.
B.Enable server-side encryption with S3-managed keys (SSE-S3) on the CloudWatch Logs log group.
C.Apply an S3 bucket policy that requires encryption for objects uploaded to the bucket.
D.Configure the CloudWatch Logs agent to use TLS/SSL for log delivery.
E.Install an AWS Certificate Manager (ACM) certificate on the EC2 instances.
AnswersA, D

KMS encryption on the log group encrypts log data at rest.

Why this answer

Option A is correct because CloudWatch Logs supports encryption at rest using AWS KMS customer managed keys (CMKs). By associating a KMS key with a log group, all log data stored in that log group is encrypted at rest, meeting the encryption-at-rest requirement. Option D is correct because the CloudWatch Logs agent can be configured to use TLS/SSL (port 443) for log delivery, ensuring encryption in transit between the EC2 instances and CloudWatch Logs.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs encryption with S3 server-side encryption options (SSE-S3 or SSE-KMS) or assume that ACM certificates are needed for agent-to-service encryption, when in fact the CloudWatch Logs agent uses AWS SDK-managed TLS automatically.

1312
MCQmedium

A SysOps administrator needs to monitor Amazon S3 for object-level operations such as PUT and DELETE events in a specific bucket. The administrator wants these events to be sent to an Amazon SQS queue for downstream processing by an application. Which solution should be used to achieve this with the least operational overhead?

A.Use Amazon CloudWatch Events to match S3 API calls from CloudTrail and route to an SQS queue.
B.Configure an S3 event notification on the bucket to send events to an SQS queue.
C.Deploy an application that periodically polls S3 for changes using ListObjects.
D.Use AWS CloudTrail to deliver logs to CloudWatch Logs, then create a metric filter and trigger a Lambda function to send to SQS.
AnswerB

This is the simplest and most efficient method. S3 can publish object-level events directly to SQS with minimal delay.

Why this answer

Option B is correct because Amazon S3 can directly publish event notifications for object-level operations (e.g., PUT, DELETE) to an SQS queue without any intermediate services. This native integration requires no custom code or additional infrastructure, minimizing operational overhead while meeting the requirement to send events to SQS for downstream processing.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing CloudTrail or Lambda-based approaches, forgetting that S3 has a built-in, direct event notification feature for SQS that requires no additional services.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Events can match S3 API calls from CloudTrail, but this approach requires enabling CloudTrail and incurs additional cost and complexity; it also introduces latency and is not the simplest native method for S3 event delivery to SQS. Option C is wrong because periodically polling S3 with ListObjects is inefficient, does not capture real-time events, and introduces significant operational overhead for an application that must detect changes. Option D is wrong because it chains CloudTrail logs to CloudWatch Logs, then uses a metric filter and Lambda to send to SQS, adding multiple layers of complexity, cost, and potential failure points compared to the direct S3 event notification.

1313
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission regarding the s3:DeleteObject action on the example-bucket?

A.Denied because of the explicit Deny statement
B.Denied because the action is not allowed explicitly
C.Allowed because the Allow statement is listed first
D.Allowed because the Deny statement has a typo
AnswerA

Explicit Deny overrides any Allow.

Why this answer

In IAM, an explicit Deny overrides any Allow. So even though the first statement allows all S3 actions, the second statement explicitly denies DeleteObject. Thus DeleteObject is denied.

Option B is correct. Options A, C, D are incorrect because Deny prevails.

1314
MCQhard

An organization wants to enforce that all IAM users have multi-factor authentication (MFA) enabled before they can perform any action except changing their own password. Which IAM policy element is MOST appropriate?

A.Use a Condition element with 'aws:MultiFactorAuthPresent' set to 'true' in a Deny policy.
B.Use an Action element to allow only MFA actions.
C.Use a NotAction element to allow password change without MFA.
D.Use a Resource element to limit access to MFA-enabled users.
AnswerA

Denies access if MFA is not present.

Why this answer

Option A is correct because a Condition with 'aws:MultiFactorAuthPresent':'true' can be used to require MFA. Option B is wrong because Resource doesn't enforce MFA. Option C is wrong because Action specifies actions.

Option D is wrong because NotAction is not for MFA enforcement.

1315
MCQmedium

A company uses Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access to content based on geographic location. Some countries should be blocked entirely. The administrator configured a CloudFront geographic restriction (whitelist/blacklist) and updated the S3 bucket policy to allow only CloudFront access via Origin Access Identity (OAI). However, users from blocked countries are still able to access some content. What is the most likely cause?

A.CloudFront geographic restrictions only block access to the CloudFront distribution, but the S3 bucket is still publicly accessible
B.The S3 bucket policy does not include a condition to restrict access to only CloudFront
C.The geographic restriction is configured as a whitelist instead of a blacklist
D.CloudFront geographic restrictions are applied at the edge location, but some edge locations may not have the restriction updated
AnswerA

If the S3 bucket is publicly accessible, users can bypass CloudFront and access directly.

Why this answer

Option C is correct because CloudFront geographic restrictions only apply to edge locations; if the content is cached at an edge location, the restriction is enforced at that edge. However, if the origin is directly accessible (bypassing CloudFront), the restriction is not applied. But the question says users from blocked countries can access some content, suggesting that the OAI might not be configured correctly or the bucket policy allows direct access.

Option A is wrong because the S3 bucket policy is correct. Option B is wrong because geographic restriction is global. Option D is wrong because the bucket policy is set correctly.

1316
MCQmedium

An organization requires that all Amazon S3 buckets be encrypted with AES-256 server-side encryption. A SysOps administrator needs to enforce this policy across the entire AWS account. Which action should be taken?

A.Enable default encryption on all existing and future S3 buckets.
B.Use AWS CloudTrail to monitor uploads without encryption and alert the administrator.
C.Use S3 Inventory to list unencrypted objects and remediate them manually.
D.Apply an S3 bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header set to AES256.
AnswerD

This policy enforces encryption at upload time.

Why this answer

Option D is correct because a bucket policy that denies PutObject without the x-amz-server-side-encryption header set to AES256 will enforce encryption. Option A is wrong because default encryption does not prevent objects from being uploaded without encryption header. Option B is wrong because CloudTrail logs but does not enforce.

Option C is wrong because S3 Inventory does not enforce.

1317
Multi-Selecthard

A company is using AWS CloudTrail to log all API calls. The security team wants to ensure that logs are tamper-proof and stored securely. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Write logs to a different AWS account.
B.Encrypt the CloudTrail log files with SSE-KMS.
C.Enable MFA Delete on the S3 bucket.
D.Enable S3 server access logs.
E.Enable CloudTrail log file validation.
AnswersB, E

Protects data at rest.

Why this answer

Option A is correct because enabling log file validation creates a digest file that can be used to verify integrity. Option C is correct because SSE-KMS encrypts the log files. Option B is wrong because S3 access logs are separate.

Option D is wrong because CloudTrail already logs to S3. Option E is wrong because MFA Delete is for versioning, not tamper-proofing.

1318
MCQeasy

A company runs containerized applications on Amazon ECS using the Fargate launch type. The SysOps administrator needs to monitor CPU and memory utilization at the task level. Which AWS service provides pre-built dashboards and metrics for this purpose?

A.Amazon CloudWatch Container Insights
B.Amazon CloudWatch custom metrics
C.Amazon CloudWatch Logs
D.Amazon CloudWatch Synthetics
AnswerA

Container Insights provides out-of-the-box dashboards and metrics for container workloads on ECS and EKS.

Why this answer

Amazon CloudWatch Container Insights provides pre-built dashboards and metrics specifically for monitoring containerized applications, including CPU and memory utilization at the task level for Amazon ECS with the Fargate launch type. It automatically collects, aggregates, and summarizes metrics and logs from containerized applications, offering out-of-the-box visualizations without requiring custom setup.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs (which stores logs) with Container Insights (which provides pre-built dashboards and metrics), or assume custom metrics are required when a managed solution already exists.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch custom metrics require manual creation and publishing of metrics via the PutMetricData API, which is not a pre-built dashboard solution and adds operational overhead. Option C is wrong because Amazon CloudWatch Logs is designed for log storage, search, and analysis, not for providing pre-built dashboards or metrics for CPU and memory utilization. Option D is wrong because Amazon CloudWatch Synthetics is used for monitoring application endpoints and APIs through canary tests, not for collecting or visualizing CPU and memory metrics from ECS tasks.

1319
Multi-Selecthard

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot pull secrets from AWS Secrets Manager. The instance has an IAM role with a policy that allows secretsmanager:GetSecretValue. The secret is in the same account and region. What are possible reasons for the failure? (Choose THREE.)

Select 3 answers
A.The EC2 instance is in a private subnet with no route to the internet or a VPC endpoint for Secrets Manager
B.The secret is in a different AWS account
C.The IAM role is not attached to the instance profile
D.The VPC endpoint for Secrets Manager has a policy that denies access from the instance's security group
E.The secret is encrypted with a customer managed KMS key, and the IAM role does not have kms:Decrypt permission
AnswersA, D, E

Without a route to the Secrets Manager service, the request will fail.

Why this answer

Possible reasons include: the secret is encrypted with a KMS CMK that the role does not have access to (A), the VPC endpoint policy for Secrets Manager denies the action (B), and the instance is in a private subnet without a VPC endpoint or NAT gateway (C). Option D is wrong because cross-account is not needed. Option E is wrong because the instance profile is already associated with the role.

1320
MCQhard

An organization has a production AWS environment with multiple VPCs and hundreds of EC2 instances. The security team wants to be alerted when any security group is modified. Which approach should a SysOps administrator use to meet this requirement with minimal overhead?

A.Enable CloudTrail and create a CloudWatch alarm for each security group modification event.
B.Use AWS Config rules to detect security group changes and trigger an SNS notification.
C.Enable VPC Flow Logs and analyze them with Amazon Athena for security group changes.
D.Deploy Amazon GuardDuty to monitor for security group modifications.
AnswerB

AWS Config can monitor security group resources and trigger notifications on changes.

Why this answer

Option B is correct because AWS Config rules can continuously evaluate security group configurations against desired settings and trigger an SNS notification when a change is detected. This approach provides automated, event-driven monitoring with minimal operational overhead, as it does not require custom scripts or manual log analysis.

Exam trap

The trap here is confusing CloudTrail event monitoring with AWS Config's configuration change detection, leading candidates to choose CloudTrail-based alarms despite the higher overhead and lack of direct compliance evaluation.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs API calls for security group modifications, but creating a CloudWatch alarm for each event would require custom metric filters and alarms, adding complexity and overhead; it also does not provide direct configuration compliance evaluation. Option C is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols), not security group configuration changes, so they cannot detect modifications to security group rules. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes network and account activity for malicious behavior, not for tracking configuration changes like security group modifications.

1321
Multi-Selecteasy

Which TWO security measures should be implemented to protect a VPC from DDoS attacks? (Choose two.)

Select 2 answers
A.Use AWS WAF with rate-based rules
B.Enable AWS Shield Advanced
C.Apply network ACLs with deny rules
D.Use restrictive security groups
E.Enable VPC Flow Logs
AnswersA, B

Rate-based rules can block DDoS traffic.

Why this answer

AWS Shield Advanced provides DDoS protection. Using a web application firewall (WAF) at the edge helps filter malicious traffic. Security groups and NACLs are not effective against DDoS at scale.

1322
Multi-Selecteasy

A company is using Amazon S3 to store media files. The files are accessed frequently for the first 90 days, then rarely after that. The company wants to optimize storage costs. Which TWO actions should the SysOps administrator take? (Choose two.)

Select 2 answers
A.Configure a lifecycle policy to delete incomplete multipart uploads after 7 days
B.Enable S3 Object Lock to prevent deletion
C.Create a lifecycle policy to transition objects to S3 Standard-IA after 90 days
D.Enable S3 Versioning to keep multiple versions
E.Enable Requester Pays on the bucket
AnswersA, C

Prevents storage costs from failed uploads.

Why this answer

Option A and Option D are correct. A lifecycle policy to transition to S3 Standard-IA after 90 days reduces cost for infrequent access. Deleting incomplete multipart uploads prevents orphaned parts from incurring storage costs.

Option B is wrong because enabling versioning may increase costs. Option C is wrong because S3 Object Lock does not help with cost. Option E is wrong because Requester Pays shifts costs but not storage optimization.

1323
MCQeasy

A SysOps administrator uses AWS CodeDeploy to deploy applications to Amazon EC2 instances. The administrator wants to ensure that during deployment, traffic is shifted from the original instances to the new instances incrementally in 10-minute intervals. The deployment should automatically roll back if any health check fails. Which deployment configuration should the administrator choose?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.OneAtATime
C.CodeDeployDefault.HalfAtATime
D.Custom deployment configuration with 25% every 10 minutes and traffic routing enabled
AnswerD

A custom deployment configuration allows you to define the exact percentage of traffic to shift and the interval between shifts (e.g., 25% every 10 minutes). Combined with automatic rollback on health check failure, this meets the requirements.

Why this answer

Option D is correct because it allows a custom deployment configuration that shifts traffic in 10-minute intervals (e.g., 25% every 10 minutes) with automatic rollback on health check failure. The built-in configurations (AllAtOnce, OneAtATime, HalfAtATime) do not support incremental traffic shifting with time-based intervals; only a custom configuration can achieve the specified 10-minute interval requirement.

Exam trap

The trap here is that candidates assume built-in configurations like HalfAtATime or OneAtATime can be customized with time intervals, but only a custom deployment configuration allows specifying both the percentage and the interval in minutes for traffic shifting.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, not incrementally in 10-minute intervals. Option B is wrong because CodeDeployDefault.OneAtATime deploys to one instance at a time but does not use 10-minute intervals; it shifts traffic immediately per instance without a fixed time delay. Option C is wrong because CodeDeployDefault.HalfAtATime deploys to half the instances at once, not in incremental 10-minute steps, and lacks the time-based interval control.

1324
MCQmedium

A company runs a data analytics platform on AWS that processes large datasets using Amazon EMR. The EMR cluster consists of 1 master node (m5.xlarge) and 10 core nodes (r5.2xlarge). The cluster runs batch jobs that last 4 hours each, and the cluster is terminated after each job. The SysOps administrator notices that the cluster takes 15 minutes to provision and bootstrap before each job, which increases the total runtime and cost. The administrator wants to reduce the time and cost associated with cluster provisioning. The data is stored in Amazon S3, and the job scripts are stored in an S3 bucket. The administrator has considered using long-running clusters but is concerned about cost. Which approach should the administrator take to optimize both time and cost?

A.Switch the core nodes to Spot Instances to reduce costs.
B.Use EMR Managed Scaling and keep the cluster running between jobs.
C.Use a larger master node instance type to speed up bootstrapping.
D.Use Amazon FSx for Lustre as the data store to reduce I/O time.
AnswerB

Managed scaling reduces idle cost and eliminates provisioning time.

Why this answer

Option C is correct because using EMR Managed Scaling with a long-running cluster can reduce provisioning time because the cluster stays up, and managed scaling adjusts the number of core nodes based on the workload, minimizing idle costs. Option A is wrong because using Spot Instances reduces cost but does not reduce provisioning time. Option B is wrong because using a larger master node does not reduce provisioning time.

Option D is wrong because using a different file system (Lustre) adds complexity and cost without addressing provisioning time.

1325
MCQeasy

A company wants to host a static website on AWS with high availability and low latency for global users. Which combination of services should be used?

A.Amazon EC2 and Elastic Load Balancing
B.Amazon S3 and Amazon CloudFront
C.Amazon Route 53 and Amazon S3
D.Elastic Load Balancing and Amazon CloudFront
AnswerB

S3 hosts static content and CloudFront distributes it globally with low latency.

Why this answer

Option A is correct because Amazon S3 can host static websites and Amazon CloudFront provides a CDN with edge locations for low latency and high availability. Option B is wrong because EC2 instances are not ideal for static websites and require more management. Option C is wrong because ELB is for dynamic content and not needed for static sites.

Option D is wrong because Route 53 is a DNS service, not for hosting content.

1326
Multi-Selecthard

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no one can disable AWS CloudTrail or delete CloudTrail log files from the S3 bucket. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A.Enable CloudTrail log file validation
B.Send CloudTrail logs to CloudWatch Logs for real-time monitoring
C.Create a service control policy (SCP) that denies the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions
D.Enable MFA delete on the S3 bucket
E.Configure an S3 bucket policy that denies s3:DeleteObject actions on the CloudTrail log bucket
AnswersA, C, E

Log file validation creates a digest file that can be used to verify that log files have not been modified or deleted.

Why this answer

To protect CloudTrail logs, you should configure an SCP to deny CloudTrail disabling, enable log file validation to detect tampering, and use an S3 bucket policy that denies delete object permissions to all principals except the CloudTrail service. MFA delete adds another layer but is not a direct step for CloudTrail. CloudWatch Logs is for monitoring, not protection.

1327
MCQhard

A company runs a web application on Amazon EC2 instances. The application's traffic pattern is unpredictable, often spiking to 3x normal load for short periods. The SysOps administrator needs to ensure that the application can handle spikes without performance degradation while minimizing costs. Which combination of purchasing options and scaling strategies should the administrator use?

A.Use all Spot Instances with a simple scaling policy.
B.Use all On-Demand Instances with a scheduled scaling policy.
C.Use a mix of Reserved Instances for baseline and On-Demand for spikes, with a target tracking scaling policy.
D.Use only Reserved Instances with a manual scaling policy.
AnswerC

Correct. Reserved Instances cover steady-state load at a discount, On-Demand handles spikes, and target tracking auto-scales to maintain utilization.

Why this answer

Option C is correct because it combines Reserved Instances for the predictable baseline load, which reduces costs through a significant discount, with On-Demand Instances to handle unpredictable spikes. The target tracking scaling policy automatically adjusts capacity based on a target metric (e.g., average CPU utilization), ensuring performance is maintained during spikes without manual intervention or over-provisioning.

Exam trap

The trap here is that candidates might choose all Spot Instances (Option A) thinking they are cheapest, but they overlook the risk of interruption during spikes, which violates the requirement to 'handle spikes without performance degradation.'

How to eliminate wrong answers

Option A is wrong because using all Spot Instances risks interruption when AWS reclaims capacity, which can cause performance degradation or application failure during spikes, and a simple scaling policy does not dynamically adjust to unpredictable load. Option B is wrong because using all On-Demand Instances is cost-inefficient for the baseline load, and a scheduled scaling policy cannot handle unpredictable spikes since it relies on fixed time schedules. Option D is wrong because using only Reserved Instances with a manual scaling policy cannot scale to meet unpredictable spikes without over-provisioning (wasting cost) or under-provisioning (causing degradation), and manual scaling is slow and error-prone.

1328
MCQmedium

An organization requires that all Amazon S3 buckets block public access entirely. A SysOps administrator needs to ensure that no bucket can be made public, even accidentally. Which approach enforces this control at the organizational level?

A.Apply an S3 Bucket Policy on each bucket that denies public access.
B.Use an AWS Config managed rule 's3-bucket-public-read-prohibited' to detect and remediate public buckets.
C.Enable S3 Block Public Access at the account level and attach an SCP to deny changes to it.
D.Create an IAM policy that denies s3:PutBucketPolicy for all users.
AnswerC

Correct. Account-level block public access prevents all public access, and an SCP prevents users from disabling it.

Why this answer

Option C is correct because S3 Block Public Access at the account level provides a centralized, immutable control that prevents any bucket in the account from being made public, regardless of bucket policies or ACLs. Attaching an SCP (Service Control Policy) to deny changes to these settings ensures that even administrators with full IAM permissions cannot disable the block, enforcing the control at the organizational level across all accounts in the organization.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs and account-level Block Public Access), assuming that detecting and auto-remediating public buckets is equivalent to preventing them from ever becoming public.

How to eliminate wrong answers

Option A is wrong because applying an S3 Bucket Policy on each bucket is not an organizational-level control; it is per-bucket and can be overridden or omitted by users with sufficient permissions, failing to enforce the requirement across all buckets. Option B is wrong because AWS Config managed rules are detective and reactive, not preventive; they can detect and auto-remediate public buckets, but there is a window of exposure before remediation occurs, and the rule can be disabled or modified by authorized users, so it does not enforce a hard block at the organizational level. Option D is wrong because an IAM policy that denies s3:PutBucketPolicy for all users does not prevent public access via bucket ACLs (e.g., granting public read/write via ACLs), and it can be bypassed by users with full administrative privileges who can modify or detach the IAM policy.

1329
MCQeasy

A SysOps administrator wants to identify Amazon EC2 instances that are underutilized to reduce costs. The administrator needs recommendations for rightsizing instances based on historical CPU and memory usage. Which AWS service provides these recommendations?

A.AWS Cost Explorer
B.AWS Trusted Advisor
C.AWS Compute Optimizer
D.AWS CloudTrail
AnswerC

Compute Optimizer uses machine learning to analyze historical utilization (CPU, memory, network) and delivers instance type and size recommendations that reduce costs and improve performance.

Why this answer

AWS Compute Optimizer is the correct service because it analyzes historical utilization metrics (CPU, memory, I/O, and network throughput) from Amazon CloudWatch and generates rightsizing recommendations for EC2 instances. It uses machine learning to identify underutilized instances and suggests instance types that better match workload requirements, directly addressing the need to reduce costs through rightsizing.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's cost checks (like idle instances) with Compute Optimizer's rightsizing recommendations, but Trusted Advisor does not analyze historical CPU and memory usage for instance type changes.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides cost and usage data visualization and forecasting, but it does not analyze historical CPU or memory utilization to generate instance-specific rightsizing recommendations. Option B is wrong because AWS Trusted Advisor offers cost optimization checks (e.g., idle instances, underutilized EBS volumes) but does not provide detailed rightsizing recommendations based on historical CPU and memory usage patterns. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, not resource utilization metrics or rightsizing advice.

1330
MCQmedium

A company's security policy requires that all Amazon RDS for PostgreSQL instances be encrypted at rest using AWS Key Management Service (KMS) customer managed keys and have automated backups enabled with a retention period of at least 30 days. A SysOps administrator needs to use AWS Config to automatically detect any RDS instance that is non-compliant with either requirement and automatically remediate it. Which combination of AWS Config managed rules and remediation actions should be used?

A.Use two AWS Config managed rules: 'rds-instance-encrypted' and 'rds-backup-enabled'. Configure each rule with an automatic remediation action that triggers an Amazon CloudWatch alarm, which then invokes an AWS Lambda function to enable encryption and backups.
B.Create custom AWS Config rules as AWS Lambda functions that evaluate the RDS instance configuration. In the Lambda function, if a resource is non-compliant, call the RDS API to enable encryption and modify backup settings.
C.Use the AWS Config managed rules 'rds-instance-encrypted' and 'rds-backup-enabled'. Configure automatic remediation for each rule using the corresponding AWS Systems Manager Automation runbook: 'AWSConfigRemediation-EnableRDSInstanceEncryption' and 'AWSConfigRemediation-EnableRDSInstanceBackup'.
D.Use a single custom AWS Config rule that checks both encryption and backup settings. If non-compliant, trigger an AWS Lambda function that uses the RDS API to configure both settings.
AnswerC

This is the correct approach. Managed rules evaluate compliance, and automatic remediation using Systems Manager Automation runbooks applies the fix without custom code. The runbooks perform the necessary API calls to enable encryption and backups, meeting the policy requirements.

Why this answer

Option C is correct because AWS Config managed rules 'rds-instance-encrypted' and 'rds-backup-enabled' natively evaluate encryption and backup compliance. The corresponding AWS Systems Manager Automation runbooks ('AWSConfigRemediation-EnableRDSInstanceEncryption' and 'AWSConfigRemediation-EnableRDSInstanceBackup') provide built-in, automatic remediation without custom code, aligning with the requirement to use managed rules and automatic remediation.

Exam trap

The trap here is that candidates may assume custom Lambda functions are required for complex remediation, but AWS provides pre-built Systems Manager Automation runbooks that integrate directly with AWS Config managed rules for common RDS compliance issues, making custom code unnecessary.

How to eliminate wrong answers

Option A is wrong because triggering a CloudWatch alarm to invoke a Lambda function is an indirect, custom remediation path; AWS Config supports direct automatic remediation via Systems Manager Automation runbooks, making this approach unnecessarily complex and not leveraging native capabilities. Option B is wrong because creating custom AWS Config rules as Lambda functions violates the requirement to use AWS Config managed rules; the question explicitly asks for managed rules, not custom ones. Option D is wrong because using a single custom rule that checks both encryption and backups is not a managed rule, and it requires custom Lambda code for remediation, which contradicts the directive to use managed rules and automatic remediation actions.

1331
MCQmedium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The company wants to connect two subnets: one in the VPC (10.0.1.0/24) and one in an on-premises network (192.168.1.0/24) via a Site-to-Site VPN. The VPN connection is established. However, instances in the VPC subnet cannot ping the on-premises server at 192.168.1.10. What is a possible cause?

A.The VPN tunnel is not in the UP state
B.The route table for the VPC subnet does not have a route to the on-premises network via the VPN gateway
C.The security group for the VPC instances does not allow ICMP traffic
D.The VPC does not have a VPC endpoint for the VPN service
AnswerB

Without a route to 192.168.1.0/24 pointing to the virtual private gateway, traffic will not be sent through the VPN.

Why this answer

Option B is correct because the VPC subnet's route table must have a route for the on-premises CIDR pointing to the VPN gateway. Option A is wrong because the VPN connection uses the internet, not a VPC endpoint. Option C is wrong because security groups control traffic to/from instances, but the route is missing.

Option D is wrong because the VPN is established, so tunnel is up.

1332
MCQmedium

A company requires that all API calls to AWS services be logged for compliance. The logs must be stored in a centralized S3 bucket with server-side encryption enabled. Which AWS service should be used to capture the API calls?

A.AWS Config
B.AWS CloudTrail
C.VPC Flow Logs
D.Amazon CloudWatch Logs
AnswerB

CloudTrail logs API calls and delivers to S3.

Why this answer

Option B is correct because AWS CloudTrail logs all API calls and can deliver logs to an S3 bucket with SSE. Option A is wrong because AWS Config records resource configuration changes, not API calls. Option C is wrong because CloudWatch Logs can store logs but is not the primary service for capturing API calls.

Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

1333
MCQeasy

A company wants to monitor the performance of its EC2 instances and receive alerts when CPU utilization exceeds 80% for 10 minutes. Which AWS service should be used?

A.Amazon CloudWatch
B.AWS CloudTrail
C.AWS Config
D.VPC Flow Logs
AnswerA

CloudWatch monitors metrics and sends alarms.

Why this answer

Option B is correct because CloudWatch can monitor EC2 metrics and trigger alarms. Option A is wrong because AWS Config is for configuration auditing. Option C is wrong because CloudTrail is for API logging.

Option D is wrong because VPC Flow Logs capture network traffic.

1334
MCQmedium

A company is running a critical web application on EC2 instances behind an Application Load Balancer. The instances are in an Auto Scaling group across two Availability Zones. The company needs to ensure that if an entire Availability Zone fails, the application remains available. Which configuration meets this requirement?

A.Use larger EC2 instance types to handle the load during a failure.
B.Use Amazon CloudFront to distribute traffic across multiple regions.
C.Launch all instances in the same Availability Zone to reduce latency.
D.Configure the Auto Scaling group to launch instances in at least two Availability Zones.
AnswerD

Multiple AZs provide redundancy if one AZ fails.

Why this answer

Spreading instances across multiple Availability Zones ensures that if one AZ fails, the other AZ continues to serve traffic. Option B is correct because it explicitly uses multiple AZs. Option A is wrong because using a single AZ does not provide AZ-level fault tolerance.

Option C is wrong because Amazon CloudFront is a CDN, not a solution for AZ failure. Option D is wrong because increasing instance size does not provide AZ redundancy.

1335
MCQeasy

A company wants to ensure that all S3 buckets are encrypted by default. Which AWS service can be used to automatically enforce encryption on newly created S3 buckets?

A.AWS Config with a managed rule and auto-remediation
B.S3 bucket policies
C.IAM policies
D.AWS CloudTrail
AnswerA

AWS Config can enforce encryption on buckets automatically.

Why this answer

AWS Config can evaluate resources against rules and take remediation actions. Using a managed rule like 's3-bucket-server-side-encryption-enabled' and an auto-remediation action, AWS Config can automatically apply encryption to buckets that are non-compliant. Option B is correct.

Option A is wrong because S3 does not have a bucket-level setting to enforce encryption by default; it must be configured per bucket. Option C is wrong because AWS CloudTrail logs API calls but does not enforce configurations. Option D is wrong because IAM policies can require encryption in requests but cannot automatically apply encryption to buckets.

1336
MCQmedium

A company wants to enforce that all Amazon EC2 instances launched in the AWS account must have a specific termination protection setting enabled. The SysOps administrator needs to automatically remediate any instances that are launched without termination protection. Which AWS service should be used to achieve this?

A.AWS Config with a managed rule ec2-instance-no-public-ip and an SSM Automation remediation.
B.AWS Config with a custom rule using AWS Lambda to evaluate and enable termination protection.
C.Amazon Inspector to scan instances and trigger a remediation action.
D.AWS Systems Manager Patch Manager to apply a policy for termination protection.
AnswerB

A custom AWS Config rule can use a Lambda function to check if an EC2 instance has termination protection enabled. If not, the function can call the EC2 API to enable it. This provides automatic remediation for non-compliant resources.

Why this answer

AWS Config can evaluate resources against desired configurations using managed or custom rules. A custom AWS Config rule can invoke a Lambda function to check if termination protection is enabled on EC2 instances and automatically enable it if missing, providing the required remediation. This approach directly addresses the requirement to enforce termination protection on all launched instances.

Exam trap

The trap here is that candidates may confuse AWS Config's managed rules (which cover common compliance checks) with the need for a custom rule and Lambda function to enforce a specific setting like termination protection, or mistakenly think services like Inspector or Patch Manager can handle configuration enforcement.

How to eliminate wrong answers

Option A is wrong because the ec2-instance-no-public-ip rule checks for public IPs, not termination protection, and SSM Automation remediation is not designed to enable termination protection on EC2 instances. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposures, not for enforcing instance configuration settings like termination protection. Option D is wrong because AWS Systems Manager Patch Manager is used to automate patching of operating systems and applications, not to apply termination protection policies to EC2 instances.

1337
Multi-Selectmedium

Which TWO actions should a SysOps admin take to troubleshoot an Amazon RDS instance that is experiencing high CPU utilization? (Choose 2.)

Select 2 answers
A.Enable Enhanced Monitoring to view OS-level metrics
B.Enable Multi-AZ to distribute the load
C.Delete the slow query log to free up CPU
D.Enable Performance Insights to identify high-load queries
E.Increase the instance size to reduce CPU utilization
AnswersA, D

Enhanced Monitoring gives per-process CPU usage.

Why this answer

Option A is correct because Enhanced Monitoring provides OS-level metrics (e.g., CPU, memory, disk I/O) for the RDS instance, which helps identify resource contention at the operating system level. This granularity is essential for diagnosing high CPU utilization that may be caused by OS processes (e.g., backup, patching) rather than database queries alone.

Exam trap

The trap here is that candidates often confuse Multi-AZ with read replicas, assuming it distributes load, or they think deleting logs frees CPU, when in fact logs are written asynchronously and have negligible CPU impact.

1338
MCQmedium

A SysOps administrator notices that an Amazon RDS for MySQL instance's CPU utilization has been consistently above 80% for the past hour. Which CloudWatch metric should the administrator examine to determine whether the high CPU is due to a specific SQL query?

A.WriteIOPS
B.FreeableMemory
C.DatabaseConnections
D.ReadLatency
AnswerC

A high number of database connections can cause high CPU due to query processing.

Why this answer

The correct answer is C, DatabaseConnections, because a high number of database connections can indicate that many concurrent queries are running, which could be caused by a specific SQL query that is inefficient or blocking others. However, to directly identify a specific SQL query causing high CPU, you would need to use Performance Insights or the slow query log, not a CloudWatch metric alone. DatabaseConnections is the closest metric among the options that correlates with query activity, as a sudden spike in connections often points to problematic queries.

Exam trap

The trap here is that candidates assume a CloudWatch metric like DatabaseConnections directly identifies a specific SQL query, but in reality, CloudWatch metrics only show aggregate behavior, and you need additional tools like Performance Insights or slow query logs to pinpoint the exact query.

How to eliminate wrong answers

Option A is wrong because WriteIOPS measures the number of write operations per second to the storage volume, which relates to disk I/O, not directly to CPU usage caused by a specific SQL query. Option B is wrong because FreeableMemory tracks the amount of available RAM, which can affect performance but does not indicate which SQL query is consuming CPU. Option D is wrong because ReadLatency measures the time for read operations to complete, which is a storage performance metric and does not pinpoint a specific SQL query as the cause of high CPU.

1339
MCQmedium

A company uses multiple AWS accounts and needs to generate a detailed cost and usage report that can be queried using Amazon Athena for custom analysis. Which AWS service should the administrator enable?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Reports
D.AWS Application Cost Profiler
AnswerC

Correct. The Cost and Usage Reports can be delivered to an S3 bucket in CSV or Parquet format, and can be queried with Athena for granular analysis.

Why this answer

AWS Cost and Usage Reports (CUR) is the correct service because it generates detailed cost and usage data in CSV or Parquet format, which can be directly queried using Amazon Athena via integration with AWS Glue and Amazon QuickSight. This enables custom analysis and ad-hoc queries on the full billing dataset, unlike other services that provide pre-aggregated views or alerts.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer's interactive dashboard with the raw, queryable data format of CUR, assuming Cost Explorer can export data in a format suitable for Athena, when in fact it only provides CSV exports of aggregated views, not the full normalized dataset.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides a pre-built visualization and filtering interface for cost data, but it does not generate a downloadable report that can be queried with Athena for custom analysis. Option B is wrong because AWS Budgets is used to set cost or usage thresholds and send alerts, not to produce detailed cost and usage reports for Athena querying. Option D is wrong because AWS Application Cost Profiler is designed to track and allocate costs at the application or software feature level, not to generate comprehensive account-level cost and usage reports for Athena.

1340
Multi-Selecthard

A company uses AWS CloudTrail to log API activity. The security team needs to be notified immediately when an IAM user creates a new access key. Which combination of steps should a SysOps administrator take? (Choose TWO.)

Select 2 answers
A.Create a CloudWatch Logs metric filter for the 'CreateAccessKey' event.
B.Enable AWS Config rules to detect changes to IAM users.
C.Configure CloudTrail to send notifications directly to Amazon SNS.
D.Create a CloudWatch alarm based on the metric filter and publish to an SNS topic.
E.Create an Amazon EventBridge rule to match the 'CreateAccessKey' API call.
AnswersA, D

Metric filters can detect specific log events.

Why this answer

Option A is correct because CloudWatch Logs metric filters allow you to extract specific patterns from CloudTrail log data, such as the 'CreateAccessKey' event, and convert them into a metric. This enables you to monitor for this specific API call and trigger an alarm when it occurs, meeting the requirement for immediate notification.

Exam trap

The trap here is that candidates often think CloudTrail can directly send notifications to SNS (Option C) or that AWS Config rules are suitable for real-time event-driven alerts (Option B), but neither is correct for immediate notification of a specific API call.

1341
MCQeasy

A company requires that all Amazon EC2 instances launched in its AWS account must have termination protection enabled. The SysOps administrator needs to automatically remediate any instance launched without termination protection. The solution should use AWS managed services without custom scripts. Which AWS service should be used?

A.Configure AWS Config with a managed rule 'ec2-termination-protection-check' and set an auto-remediation action using an AWS Systems Manager Automation document that enables termination protection on the instance.
B.Use Amazon EC2 Auto Scaling to automatically apply termination protection to all launched instances.
C.Enable AWS Trusted Advisor to send notifications when instances lack termination protection, and have administrators manually fix them.
D.Create an IAM policy that denies the RunInstances action unless termination protection is enabled.
AnswerA

AWS Config can evaluate resources against a rule and automatically remediate non-compliant resources using Systems Manager Automation. This meets the requirement without custom scripts.

Why this answer

Option A is correct because AWS Config's managed rule 'ec2-termination-protection-check' can detect instances without termination protection, and you can attach an auto-remediation action using an AWS Systems Manager Automation document (e.g., AWS-EnableTerminationProtection) to automatically enable termination protection on noncompliant instances. This solution uses only AWS managed services and requires no custom scripts, meeting the company's requirements.

Exam trap

The trap here is that candidates may confuse AWS Config's detection-only capability with its auto-remediation feature, or assume that IAM policies can enforce instance-level attributes at launch time, when in fact IAM conditions like 'ec2:DisableApiTermination' are not supported for the RunInstances action.

How to eliminate wrong answers

Option B is wrong because Amazon EC2 Auto Scaling does not have a native feature to automatically apply termination protection to all launched instances; it manages scaling policies and health checks, not instance attribute remediation. Option C is wrong because AWS Trusted Advisor only provides notifications and recommendations, not automated remediation; it requires manual intervention by administrators, which violates the requirement for automatic remediation. Option D is wrong because an IAM policy that denies RunInstances unless termination protection is enabled would prevent launching instances without termination protection, but it does not remediate instances already launched without it; additionally, IAM policies cannot enforce instance-level attributes like termination protection at launch time in a granular way, and the requirement is to remediate after launch, not prevent.

1342
MCQeasy

A company wants to provide low-latency access to a web application for users in North America and Europe. The application runs on EC2 instances in us-east-1 and eu-west-1. Which AWS service should be used to route users to the nearest region?

A.Application Load Balancer with cross-region load balancing
B.Amazon CloudFront
C.AWS Global Accelerator
D.Amazon Route 53 with latency-based routing
AnswerD

Latency-based routing directs traffic to the region that provides the lowest latency for the user.

Why this answer

Option D is correct because Amazon Route 53 with latency-based routing directs traffic to the region with the lowest latency for the user. Option A is wrong because Global Accelerator improves performance but does not route based on latency to nearest region; it uses Anycast. Option B is wrong because CloudFront is a CDN for content delivery, not for routing to regional endpoints.

Option C is wrong because ALB is region-specific and cannot route across regions.

1343
MCQhard

An administrator attaches the above IAM policy to a user. The user needs to stop an EC2 instance to save costs. The user reports that they are unable to stop the instance. What is the MOST likely cause?

A.The instance has termination protection enabled.
B.The instance is part of an Auto Scaling group.
C.The IAM policy does not allow ec2:StopInstances.
D.The user does not have permission to describe instances.
AnswerB

Stopping an instance in an Auto Scaling group will cause the group to launch a new instance, defeating the purpose of stopping.

Why this answer

The policy allows ec2:StopInstances but the Deny statement for ec2:TerminateInstances might not affect stopping. However, the issue could be that the user does not have permissions to describe instances if the resource is not specified correctly. But the policy has Allow for DescribeInstances on all resources.

The problem might be that the instance has termination protection enabled. IAM policy does not explicitly deny stop, so the Deny on terminate should not affect stop. Termination protection prevents both stop and terminate if it is configured to protect against accidental termination, but stop is not prevented unless specified.

Actually, termination protection only protects against termination, not stop. The most likely cause is that the instance has termination protection enabled, but that does not prevent stop. Alternatively, the user might not have the ec2:StopInstances permission if there is an implicit deny? But the policy explicitly allows it.

The answer is that the instance has termination protection enabled, but that is incorrect for stop. Another possibility: the user's session may not have the necessary permissions due to a service control policy (SCP) or resource-based policy. However, based on the policy, the user should be able to stop.

The exhibit shows a Deny for TerminateInstances, which does not affect StopInstances. So the issue might be that the instance is part of an Auto Scaling group and has a scale-in protection? That would prevent termination but not stop. The correct answer is that the instance has termination protection enabled, which does not prevent stop.

I need to think differently. Perhaps the user is trying to stop a stopped instance? Or the instance is an EBS-backed instance, and stopping is allowed. The most common reason for inability to stop is that the instance is part of an Auto Scaling group and the user does not have permission to modify the Auto Scaling group? But the policy does not include Auto Scaling actions.

The answer might be that the instance has termination protection enabled, but that is not correct. Let me re-evaluate: The policy allows StopInstances, so the user should be able to stop. The only Deny is on TerminateInstances.

So why can't they stop? Possibly because the instance is in a running state and there is a conflict with another policy? The most likely cause from the options is that the instance has termination protection enabled, but that is a distractor. Actually, termination protection does not prevent stop. So the correct answer should be that the user does not have permission to stop because the policy does not include the ec2:StopInstances action? But it does.

I'm confused. Let me check AWS documentation: Termination protection prevents termination, not stop. So the user should be able to stop.

Perhaps the issue is that the instance is an instance store-backed instance, which cannot be stopped? But the exhibit does not indicate that. I think the correct answer is that the instance has termination protection enabled, but that is wrong. Maybe the answer is that the IAM policy has a Deny on TerminateInstances which also affects StopInstances? No.

Let me look at the options: A. The IAM policy does not allow StopInstances. B.

The instance has termination protection enabled. C. The instance is part of an Auto Scaling group.

D. The user does not have permission to describe instances. Option A is false because the policy explicitly allows StopInstances.

Option B is plausible but termination protection does not block stop. Option C could be true if the Auto Scaling group has a scale-in protection but that also does not block stop. Option D is false because DescribeInstances is allowed.

So what is correct? I recall that if an instance is part of an Auto Scaling group, you cannot stop it directly because the Auto Scaling group will automatically restart it. But the question says "unable to stop the instance" which might be due to the Auto Scaling group maintaining the desired count. However, the user can still stop the instance, but the Auto Scaling group will immediately start a new one.

So the stop action would succeed, but the user might think it didn't because a new instance appears. The question likely expects that the Auto Scaling group prevents stopping. Actually, you can stop an instance in an Auto Scaling group, but the Auto Scaling group will launch a new one, so the stop is not effective for cost saving.

The user might be trying to stop to save costs, but if the instance is in an Auto Scaling group, stopping it will not save costs because the group will replace it. So the most likely cause is that the instance is part of an Auto Scaling group. I'll go with that.

1344
MCQeasy

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The company needs to ensure that the ALB sends requests to instances that are healthy and can serve traffic. Which feature should be used to monitor the health of the instances?

A.Health checks
B.Sticky sessions
C.Cross-zone load balancing
D.Connection draining
AnswerA

Health checks periodically send requests to instances and mark them unhealthy if they fail.

Why this answer

Option B is correct because health checks are used by the ALB to determine if an instance is healthy. Option A is wrong because stickiness is about session persistence. Option C is wrong because cross-zone load balancing distributes traffic across zones.

Option D is wrong because connection draining ensures in-flight requests complete before instance deregistration.

1345
MCQmedium

A company hosts a critical web application on Amazon EC2 instances in a single AWS Region (us-east-1). The SysOps administrator needs to implement a Disaster Recovery (DR) solution using a different AWS Region (us-west-2). The DR plan requires a Recovery Time Objective (RTO) of 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The application uses an Amazon Aurora MySQL DB cluster and static assets stored in an Amazon S3 bucket. Which combination of actions should the administrator take to meet these requirements?

A.Create an Aurora cross-Region read replica in us-west-2. Configure S3 Cross-Region Replication from the source bucket to a destination bucket in us-west-2. During DR, promote the read replica to a primary cluster and update DNS.
B.Take a manual snapshot of the Aurora DB cluster every 15 minutes and copy it to us-west-2. Use S3 batch operations to copy assets to us-west-2 daily.
C.Enable Aurora Multi-AZ in us-east-1 and configure S3 transfer acceleration to us-west-2.
D.Use AWS Database Migration Service (DMS) for continuous replication to a DB instance in us-west-2. Use S3 versioning to keep previous object versions.
AnswerA

A cross-Region read replica provides continuous replication for the database, achieving RPO seconds. Promoting it can be done in minutes, meeting RTO of 1 hour. S3 CRR replicates objects asynchronously, typically within minutes, satisfying the RPO.

Why this answer

Option A is correct because Aurora cross-Region read replicas provide asynchronous replication with an RPO typically under 1 second, easily meeting the 15-minute RPO requirement. Promoting the read replica to a primary cluster in us-west-2 can be completed within minutes, satisfying the 1-hour RTO. S3 Cross-Region Replication (CRR) automatically replicates static assets to the destination bucket in us-west-2 with near-real-time latency, ensuring the S3 data is also current within the RPO window.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which provides high availability within a single region) with cross-region disaster recovery, or they assume manual snapshots and DMS are simpler alternatives without considering the RPO/RTO constraints and operational overhead.

How to eliminate wrong answers

Option B is wrong because taking manual snapshots every 15 minutes is operationally impractical and cannot guarantee an RPO of 15 minutes due to snapshot creation and copy latency; also, copying assets daily via S3 batch operations far exceeds the 15-minute RPO. Option C is wrong because Aurora Multi-AZ in us-east-1 only provides high availability within a single region, not cross-region disaster recovery, and S3 Transfer Acceleration only improves upload speed to a single bucket, not replication to another region. Option D is wrong because AWS DMS for continuous replication to a DB instance in us-west-2 introduces additional complexity and potential lag that may not meet the 15-minute RPO as reliably as Aurora native replication; S3 versioning alone does not replicate objects to another region, so it fails to provide cross-region DR for static assets.

1346
MCQhard

A SysOps administrator is managing a fleet of EC2 instances that run a batch processing job. The job is completed when a certain metric in CloudWatch reaches a value. Currently, the administrator manually checks the metric and terminates the instances. Which AWS service can automate the termination of the instances when the metric threshold is breached?

A.Use AWS Config to detect the metric and terminate the instance.
B.Create a CloudWatch alarm that publishes to an SNS topic, which triggers a Lambda function to terminate the instance.
C.Place the instances in an Auto Scaling group and use a lifecycle hook.
D.Configure a CloudWatch alarm to terminate the instance directly.
AnswerB

This is a common pattern for automated remediation.

Why this answer

Option B is correct because CloudWatch alarms can trigger an SNS topic when a metric threshold is breached, and a Lambda function subscribed to that topic can execute custom code to terminate the EC2 instances. This provides a fully automated, event-driven remediation workflow without manual intervention.

Exam trap

The trap here is that candidates may think CloudWatch alarms can directly terminate instances (Option D), but CloudWatch only supports direct EC2 actions for reboot, stop, and recover—not terminate—so a Lambda function is required for termination.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource compliance against rules, not for monitoring real-time CloudWatch metrics or directly terminating instances. Option C is wrong because lifecycle hooks in Auto Scaling groups are designed to perform actions during scale-in or scale-out events, not to react to CloudWatch metric alarms. Option D is wrong because CloudWatch alarms cannot directly terminate EC2 instances; they can only publish to SNS, perform EC2 actions like reboot or stop, but not terminate.

1347
MCQmedium

A company has a web application that uses Amazon CloudFront and an Application Load Balancer as origin. The application requires HTTPS between CloudFront and the ALB. The ALB uses a certificate from AWS Certificate Manager (ACM) for the custom domain. The administrator notices that CloudFront returns HTTP 502 errors occasionally. The ALB target group shows healthy instances. What is the most likely cause of the 502 errors?

A.The ALB is not configured to support HTTPS
B.The CloudFront origin response timeout is set too low
C.The ALB security group denies traffic from CloudFront IP addresses
D.The SSL/TLS certificate on the ALB does not match the origin domain name configured in CloudFront
AnswerD

CloudFront validates the certificate against the origin domain name.

Why this answer

Option A is correct because a mismatch in the SSL/TLS certificate domain name will cause CloudFront to fail to connect to the origin. Option B is wrong because the origin response timeout of 30 seconds is generous; if the application responds within that, it should be fine. Option C is wrong because if the ALB is healthy, it can handle requests.

Option D is wrong because CloudFront can connect to ALB over HTTPS.

1348
MCQhard

A company uses AWS OpsWorks for Chef Automate to manage its EC2 instances. The administrator needs to deploy a new cookbook to all instances in a stack. The cookbook is stored in an S3 bucket. What is the MOST efficient way to deploy the cookbook to the instances?

A.Upload the cookbook to the Chef Server and have the instances pull from there.
B.SSH into each instance and manually download the cookbook from S3.
C.Configure the OpsWorks stack to use the S3 bucket as the custom cookbook source and run the 'Update Custom Cookbooks' stack command.
D.Configure a lifecycle event in the OpsWorks layer to run a script that downloads the cookbook from S3.
AnswerC

This method automatically downloads and updates cookbooks on all instances.

Why this answer

OpsWorks can automatically update cookbooks from a custom cookbook source (e.g., S3) by configuring the stack to use that source. Option A is correct. Option B is wrong because manual upload is inefficient.

Option C is wrong because the stack settings can automatically retrieve the cookbook without a separate lifecycle event. Option D is wrong because Chef Server is not used in OpsWorks Chef Automate; it uses Chef Automate server.

1349
Multi-Selecteasy

Which TWO AWS services can be used to monitor the performance of an EC2 instance?

Select 2 answers
A.AWS Systems Manager
B.AWS CloudTrail
C.AWS Trusted Advisor
D.AWS Config
E.Amazon CloudWatch
AnswersA, E

Systems Manager can collect performance data.

Why this answer

Options B and D are correct. CloudWatch provides metrics like CPU utilization. Systems Manager can collect performance data via Inventory and Run Command.

AWS Config tracks configuration, not performance. Trusted Advisor gives recommendations. CloudTrail is for API activity.

1350
MCQmedium

A SysOps administrator is troubleshooting an issue where an Amazon RDS instance's storage space is being consumed rapidly. The administrator wants to identify the specific database or table causing the storage increase. Which AWS service or feature should the administrator use to gather this information?

A.Amazon CloudWatch Logs
B.AWS Config
C.Amazon RDS Enhanced Monitoring
D.AWS CloudTrail
AnswerC

Enhanced Monitoring provides OS-level metrics including disk space used by databases.

Why this answer

Amazon RDS Enhanced Monitoring (option C) provides real-time OS-level metrics for an RDS instance, including per-process CPU, memory, and disk I/O usage. This allows the administrator to drill down into specific database processes or tables to identify which one is consuming storage space rapidly, as it surfaces metrics like write latency and disk queue depth at the database engine level.

Exam trap

The trap here is that candidates often confuse Amazon CloudWatch Logs (which stores logs) with Enhanced Monitoring (which provides OS-level metrics), or they mistakenly think AWS Config or CloudTrail can diagnose storage consumption, when in fact only Enhanced Monitoring offers the per-process granularity needed to identify the offending database or table.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs collects and stores log files (e.g., error logs, slow query logs) but does not provide per-table or per-process storage consumption metrics; it lacks the granular OS-level visibility needed to pinpoint the specific database or table causing storage growth. Option B is wrong because AWS Config is a service for recording and evaluating resource configuration changes (e.g., RDS instance type, security groups), not for monitoring real-time storage usage or database-level performance metrics. Option D is wrong because AWS CloudTrail records API calls and user activity for auditing purposes (e.g., who modified the RDS instance), but it cannot reveal which table or database is consuming storage space.

Page 17

Page 18 of 21

Page 19