AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 76150

1546 questions total · 21pages · All types, answers revealed

Page 1

Page 2 of 21

Page 3
76
MCQhard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The SysOps administrator notices that the application's response time is increasing during peak hours. The administrator wants to set up a CloudWatch dashboard that displays the average latency of requests across all instances and the number of healthy hosts. Which metrics should be used?

A.Use the ALB's 'TargetResponseTime' metric and the ALB's 'UnhealthyHostCount' metric.
B.Use the ALB's 'TargetResponseTime' metric and the ALB's 'HealthyHostCount' metric.
C.Use the ALB's 'RequestCount' metric and the EC2 Auto Scaling group's 'GroupInServiceInstances' metric.
D.Use the ALB's 'Latency' metric and the EC2 instance's 'CPUUtilization' metric.
AnswerB

These are the correct ALB metrics for latency and healthy host count.

Why this answer

Option B is correct because the ALB's 'TargetResponseTime' metric measures the average time (in seconds) that requests are routed to targets, which directly reflects application latency. The ALB's 'HealthyHostCount' metric shows the number of healthy registered targets, which is the exact metric needed to monitor host health. Together, these two metrics provide the required visibility into average latency and healthy host count across all instances.

Exam trap

The trap here is that candidates confuse 'UnhealthyHostCount' with 'HealthyHostCount' or mistakenly use instance-level metrics (like CPUUtilization) instead of ALB-level metrics, failing to recognize that the ALB's own metrics are the authoritative source for request latency and target health.

How to eliminate wrong answers

Option A is wrong because 'UnhealthyHostCount' tracks unhealthy hosts, not healthy hosts; the question specifically asks for the number of healthy hosts. Option C is wrong because 'RequestCount' measures total requests, not latency, and 'GroupInServiceInstances' is an Auto Scaling group metric, not an ALB metric; the ALB's 'HealthyHostCount' is the correct source for healthy host count. Option D is wrong because 'Latency' is not a valid ALB metric (the correct metric is 'TargetResponseTime'), and 'CPUUtilization' measures instance CPU usage, not host health or latency.

77
MCQmedium

A company requires all S3 uploads to use server-side encryption with a specific customer managed KMS key. What is the most direct enforcement mechanism?

A.Add a bucket policy that denies PutObject unless the required SSE-KMS headers and key ID are present.
B.Enable S3 versioning only.
C.Enable S3 Transfer Acceleration.
D.Create an IAM user for every uploader with console access.
AnswerA

This enforces encryption requirements at write time.

Why this answer

Option A is correct because a bucket policy with a condition that denies `s3:PutObject` unless the required `x-amz-server-side-encryption` header is set to `aws:kms` and the `x-amz-server-side-encryption-aws-kms-key-id` header matches the specific customer managed KMS key ARN is the most direct enforcement mechanism. This policy-based approach ensures that any upload attempt lacking the required SSE-KMS headers and key ID is rejected at the S3 API level, regardless of the IAM permissions of the uploader.

Exam trap

The trap here is that candidates often confuse IAM permissions with bucket policy conditions, assuming that IAM policies alone can enforce encryption headers, when in fact only a bucket policy with the appropriate condition keys can directly deny uploads that lack the required encryption headers.

How to eliminate wrong answers

Option B is wrong because enabling S3 versioning only preserves object versions but does not enforce any encryption requirements on uploads. Option C is wrong because S3 Transfer Acceleration speeds up uploads over long distances but has no effect on encryption enforcement. Option D is wrong because creating an IAM user for every uploader with console access does not enforce server-side encryption; it only provides authentication and does not mandate the use of a specific KMS key or encryption headers.

78
MCQmedium

A company runs a critical production database on Amazon RDS for MySQL with Multi-AZ deployment. The SysOps administrator needs to be automatically notified when a failover event occurs, and also capture the exact time and reason for the failover for compliance purposes. Which AWS service or feature should be used to capture the failover event details with the least operational overhead?

A.Create an Amazon CloudWatch Events rule that matches the 'RDS DB Instance Event' for 'failover' and sends the event to an Amazon SNS topic for notification and logging.
B.Enable detailed monitoring on the RDS instance and stream the logs to Amazon CloudWatch Logs where a metric filter can detect failover patterns.
C.Configure AWS CloudTrail to log all RDS API calls and analyze the logs for the 'Failover' event type.
D.Use AWS Config to create a config rule that evaluates whether the 'DBInstanceStatus' changes to 'failover' and then trigger a remediation action.
AnswerA

This correctly uses CloudWatch Events / EventBridge to capture RDS events including failovers with detailed information such as time and cause. It requires minimal setup and is designed for this purpose.

Why this answer

Amazon CloudWatch Events (now part of Amazon EventBridge) can match RDS DB Instance events, including 'failover', and route them to an SNS topic for notification and to CloudWatch Logs for logging. This approach requires no custom scripting or polling, providing the least operational overhead while capturing the exact time and reason for the failover directly from the RDS event stream.

Exam trap

The trap here is that candidates confuse CloudTrail (which logs API calls) with RDS events (which log internal service events), leading them to choose CloudTrail even though automatic failovers are not API-driven and thus not recorded by CloudTrail.

How to eliminate wrong answers

Option B is wrong because detailed monitoring on RDS provides enhanced metrics (e.g., CPU, memory) but does not generate failover events or detect failover patterns; metric filters on CloudWatch Logs would require RDS to log failover details to CloudWatch Logs, which RDS does not do by default. Option C is wrong because AWS CloudTrail logs API calls (e.g., FailoverDBInstance), not internal failover events triggered by AWS; a Multi-AZ failover is an automatic process, not an API call, so CloudTrail will not capture it. Option D is wrong because AWS Config evaluates resource configuration changes (e.g., DBInstanceStatus) but does not natively detect a 'failover' status change; the DBInstanceStatus transitions through multiple states (e.g., 'creating', 'available', 'resetting-master-credentials') and 'failover' is not a valid status—Config rules would require custom logic and still not capture the exact reason for the failover.

79
MCQmedium

An application running on Amazon ECS with Fargate is experiencing intermittent failures. The application logs show connection timeouts to an RDS MySQL database. The database is in the same VPC but a different subnet. Which CloudWatch metric should be examined first to diagnose the issue?

A.DatabaseConnections for the RDS instance.
B.MemoryUtilization for the RDS instance.
C.CPUUtilization for the ECS tasks.
D.VPC Flow Logs for the ECS task's elastic network interface.
AnswerD

Flow Logs can show if packets are being rejected or dropped, indicating network ACL or security group issues.

Why this answer

Option D is correct because VPC Flow Logs capture metadata about network traffic at the elastic network interface level, including whether packets were accepted or rejected. Since the application logs show connection timeouts (not authentication or resource exhaustion), the most likely cause is a network path issue, such as a missing route or security group rule blocking traffic between the ECS task's subnet and the RDS subnet. VPC Flow Logs will reveal if packets from the ECS task to the RDS database are being dropped, allowing you to pinpoint the exact network failure.

Exam trap

The trap here is that candidates often jump to RDS metrics (DatabaseConnections) or ECS metrics (CPUUtilization) because they seem directly related to the database or application, but the symptom of 'connection timeouts' specifically points to a network-layer issue, which VPC Flow Logs are designed to diagnose.

How to eliminate wrong answers

Option A is wrong because DatabaseConnections measures the number of client connections to the RDS instance, which would not indicate connection timeouts caused by network-layer blocking; a high connection count might cause new connection rejections, but timeouts suggest packets never reached the database. Option B is wrong because MemoryUtilization for RDS reflects the database's memory pressure, which could cause slow queries or crashes but not TCP-level connection timeouts from a different subnet. Option C is wrong because CPUUtilization for ECS tasks measures compute resource usage of the application containers, not network connectivity; high CPU could cause application slowness but not specific connection timeouts to a database in a different subnet.

80
MCQeasy

A SysOps administrator needs to monitor the CPU utilization of an EC2 instance and receive an alert when it exceeds 80% for 10 consecutive minutes. Which AWS service should be used to configure this monitoring and alerting?

A.Amazon EventBridge
B.Amazon CloudWatch Alarms
C.AWS Trusted Advisor
D.AWS Config
AnswerB

CloudWatch Alarms monitor metrics and trigger actions based on threshold breaches.

Why this answer

Amazon CloudWatch Alarms is the correct service because it allows you to monitor a specific metric, such as EC2 CPUUtilization, and trigger an action (e.g., an SNS notification) when the metric crosses a defined threshold (80%) for a specified number of consecutive evaluation periods (10 minutes, which with the default 1-minute period equals 10 datapoints). This directly fulfills the requirement for threshold-based alerting on a single metric over a sustained duration.

Exam trap

The trap here is that candidates confuse Amazon EventBridge (which can trigger actions based on events but cannot natively evaluate sustained metric thresholds) with CloudWatch Alarms, or mistakenly think AWS Config or Trusted Advisor can monitor real-time performance metrics, when they are designed for configuration compliance and best-practice recommendations respectively.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge is a serverless event bus used to route events from sources (e.g., AWS services, custom apps) to targets (e.g., Lambda, Step Functions), but it does not natively evaluate metric thresholds over time or generate alarms based on sustained CPU utilization. Option C is wrong because AWS Trusted Advisor provides best-practice checks and recommendations (e.g., underutilized instances, security gaps) but does not perform real-time metric monitoring or alerting on CPU utilization thresholds. Option D is wrong because AWS Config is a service for recording and evaluating resource configuration changes against rules (e.g., ensuring EBS volumes are encrypted), not for monitoring performance metrics like CPU utilization or generating threshold-based alerts.

81
MCQeasy

A company runs a batch processing job on Amazon EC2 instances that runs for 3 hours each night. The job can be interrupted and can resume from the last checkpoint without data loss. The SysOps administrator wants to minimize compute costs for this workload. Which Amazon EC2 purchasing option should be used?

A.On-Demand Instances
B.Reserved Instances
C.Spot Instances
D.Dedicated Hosts
AnswerC

Spot Instances offer the largest discounts. The batch job can handle interruptions through checkpointing, making Spot Instances the most cost-effective choice.

Why this answer

Spot Instances are correct because the batch job is fault-tolerant (can be interrupted and resume from checkpoints) and runs for a fixed 3-hour window nightly. Spot Instances offer significant cost savings (up to 90% off On-Demand) by using spare EC2 capacity, which can be reclaimed by AWS with a 2-minute interruption notice. Since the workload can handle interruptions gracefully, Spot Instances minimize compute costs while meeting the job's requirements.

Exam trap

The trap here is that candidates may choose On-Demand or Reserved Instances because they assume a nightly 3-hour job requires guaranteed availability, overlooking that Spot Instances are ideal for fault-tolerant, interruptible workloads and offer the lowest cost.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances have no discount and would be the most expensive option for a predictable nightly workload. Option B is wrong because Reserved Instances require a 1- or 3-year commitment and are designed for steady-state workloads, not for a short 3-hour nightly job that can be interrupted; they would lock in costs without leveraging the fault tolerance of the job. Option D is wrong because Dedicated Hosts provide physical server isolation for licensing or compliance needs, which is unnecessary here and incurs additional costs without any benefit for a batch processing job.

82
MCQmedium

An application running on EC2 instances sends custom metrics to CloudWatch using the PutMetricData API. The SysOps admin notices that some metrics are missing from the CloudWatch console. What is the most likely cause?

A.The metric data does not include a unit
B.The metric data does not include a dimension
C.The metric data is being sent with a timestamp older than 14 days
D.The namespace in the PutMetricData call does not match the namespace in the CloudWatch console
AnswerD

Metrics are organized by namespace; a mismatch hides the data.

Why this answer

Option D is correct because custom metrics in CloudWatch are uniquely identified by the combination of namespace, metric name, and dimensions. If the namespace used in the PutMetricData API call does not match the namespace being viewed in the CloudWatch console, the metrics will not appear under that namespace. CloudWatch does not automatically merge or alias namespaces, so mismatched namespaces cause the data to be stored under a different namespace, making it invisible in the console view.

Exam trap

The trap here is that candidates often assume missing metrics are due to timestamp or dimension issues, but the most common real-world cause is a namespace mismatch between the PutMetricData call and the console filter, which CloudWatch does not automatically reconcile.

How to eliminate wrong answers

Option A is wrong because the unit field in PutMetricData is optional; CloudWatch accepts metric data without a unit and displays it without a unit label. Option B is wrong because dimensions are optional for custom metrics; while dimensions help organize metrics, a metric without dimensions is still valid and will appear under the specified namespace. Option C is wrong because CloudWatch accepts metric data with timestamps up to 15 days in the past (not 14), and the question states some metrics are missing, not that all data older than 14 days is missing.

83
MCQhard

Refer to the exhibit. A security group is attached to an Application Load Balancer (ALB) that serves HTTPS traffic on port 443. Users can access the application via HTTPS. However, the ALB's health checks to targets on port 80 are failing. What is the reason?

A.The ALB's security group does not allow HTTPS traffic from the internet.
B.The security group for the target instances does not allow HTTP traffic from the ALB's security group.
C.The ALB's security group does not allow HTTP traffic from the target's IP range.
D.The health check is configured to use HTTPS, but the target only supports HTTP.
AnswerB

Correct because the ALB's health check requests are blocked by the target's security group.

Why this answer

Option D is correct because the security group allows inbound traffic on port 80 only from the 10.0.0.0/16 CIDR, but the ALB's health check requests originate from the ALB's private IP, which is within the VPC CIDR (10.0.0.0/16). However, the target's security group must allow traffic from the ALB's security group. If the target's security group does not allow traffic from the ALB's security group, health checks fail.

But the exhibit shows the ALB's security group, not the target's. The question might be tricky: The ALB's security group allows HTTP from VPC CIDR, which is fine. The issue might be that the target's security group does not allow traffic from the ALB's security group.

However, based on the exhibit, the ALB's security group is correct. The most likely cause is that the target's security group does not allow inbound traffic from the ALB's security group. But since the exhibit is for the ALB, the answer should reference the target's security group.

Option D states "The security group for the target instances does not allow HTTP traffic from the ALB's security group." This is correct because the health checks fail at the target level. Option A is wrong because the ALB's security group allows HTTPS from anywhere. Option B is wrong because the ALB's security group allows HTTP from VPC CIDR.

Option C is wrong because health checks use HTTP, not HTTPS.

84
MCQmedium

Refer to the exhibit. A company has an S3 bucket policy as shown. The SysOps administrator notices that users from the allowed IP range (192.0.2.0/24) can access objects, but users outside that range are denied. However, a CloudFront distribution with an origin access identity (OAI) is also unable to access the bucket and receives 'Access Denied'. What is the MOST likely cause?

A.The policy does not allow 's3:GetObject' for the CloudFront OAI.
B.The CloudFront distribution is not in the allowed IP range.
C.The condition aws:SourceIp restricts access based on the requestor's IP, not the CloudFront IP.
D.The CloudFront OAI is not configured in the bucket policy.
AnswerC

CloudFront's IP is different; the condition should be based on OAI.

Why this answer

Option D is correct. The bucket policy uses aws:SourceIp condition, which blocks CloudFront because CloudFront's IPs are different from the client IP. To allow CloudFront access while restricting direct access, the policy should use aws:SourceArn or refer to the OAI.

Option A is wrong because the OAI is not mentioned in the policy. Option B is wrong because the policy allows GetObject. Option C is wrong because the bucket policy allows from 192.0.2.0/24.

85
Multi-Selecthard

A company runs a web application on EC2 instances with an Auto Scaling group. The application uses an Amazon RDS MySQL database. During a traffic spike, the database CPU utilization reaches 90%. The SysOps team needs to improve database performance cost-effectively. Which THREE actions should they take?

Select 3 answers
A.Enable Multi-AZ for the RDS instance.
B.Upgrade the RDS instance to a larger instance type.
C.Enable RDS Performance Insights to identify slow queries.
D.Add one or more RDS Read Replicas to handle read queries.
E.Enable RDS Proxy to manage database connections efficiently.
AnswersC, D, E

Performance Insights helps pinpoint issues causing high CPU.

Why this answer

Options A, B, and D are correct because adding Read Replicas offloads read traffic, enabling RDS Performance Insights helps identify bottlenecks, and using RDS Proxy reduces connection overhead. Option C is wrong because vertical scaling (upgrading instance) is more expensive than horizontal scaling. Option E is wrong because Multi-AZ does not improve performance; it's for failover.

86
MCQeasy

A company wants to allow an external auditor to assume an IAM role in their AWS account to review resources. What is the minimum information the auditor needs from the company to do this?

A.The Amazon Resource Name (ARN) of the IAM role to assume.
B.The IAM user name and password of the company's admin user.
C.The IAM policy document that grants the auditor access.
D.The AWS account ID and the region where resources are hosted.
AnswerA

The role ARN is necessary for the auditor's account to assume the role.

Why this answer

Option C is correct because the auditor needs the role ARN to assume the role. Option A is wrong because the IAM user name is for direct access, not role assumption. Option B is wrong because the account ID alone is insufficient.

Option D is wrong because the IAM policy is not needed; the auditor's account must have permissions.

87
MCQmedium

A SysOps administrator is managing a fleet of Amazon EC2 instances that run a batch processing job. The job runs for 30 minutes every hour. The administrator wants to optimize costs by using Spot Instances but must ensure that the job completes even if Spot Instances are interrupted. Which configuration should the administrator use?

A.Launch Spot Instances in an Auto Scaling group with a capacity-optimized allocation strategy.
B.Use a mixed instances policy with both On-Demand and Spot Instances, and configure the Spot allocation strategy to 'lowestPrice'.
C.Use a Spot Fleet with a 'persistent' request type.
D.Use only On-Demand Instances to avoid interruptions.
AnswerB

Mixed instances provide reliability; 'lowestPrice' is not ideal but the mix ensures completion.

Why this answer

Option B is correct because using a mixed instances policy with both On-Demand and Spot Instances ensures that the baseline capacity is covered by On-Demand, and any interrupted Spot Instances can be replaced by On-Demand as a fallback. The Spot allocation strategy 'lowestPrice' is not specified but the key is the capacity-optimized or diversified strategy to reduce interruption. However, the question asks for ensuring completion; the best practice is to use a capacity-optimized allocation strategy.

Actually, the correct answer is B: Use a mixed instances policy with a capacity-optimized allocation strategy and specify a percentage of On-Demand instances. But option B says 'lowestPrice', which is common but not best for stability. However, among the options, B is the only one that includes a mix.

Option A is wrong because only Spot is risky. Option C is wrong because the job is not long-running (30 min), so persistence is not needed; but the job must complete, so if Spot is interrupted, it should be able to restart. Option D is wrong because it is wasteful to use only On-Demand.

88
MCQeasy

A company uses Amazon S3 to store critical data. The SysOps administrator needs to protect against accidental deletion of objects. Which combination of actions should the administrator take? (Choose the best answer.)

A.Apply a bucket policy that denies s3:DeleteObject for all principals.
B.Set a lifecycle policy to expire objects after 30 days.
C.Enable S3 Versioning and MFA Delete on the bucket.
D.Configure cross-Region replication to a different bucket.
AnswerC

Versioning preserves overwrites and deletes; MFA Delete adds extra protection.

Why this answer

Option B is correct: Enable S3 Versioning to preserve deleted objects and MFA Delete to require additional authentication for permanent deletions. Option A is incorrect because bucket policies do not prevent deletion by authorized users. Option C is incorrect because replication does not protect against deletion; it copies objects to another bucket.

Option D is incorrect because lifecycle policies can delete objects automatically, increasing risk.

89
MCQeasy

A company wants to receive alerts when their monthly AWS spending exceeds $1,000. Which AWS service should be used?

A.AWS Trusted Advisor
B.AWS CloudWatch
C.AWS Budgets
D.AWS Cost Explorer
AnswerC

AWS Budgets allows setting cost alerts.

Why this answer

Option D is correct because AWS Budgets allows setting cost thresholds and alerts. CloudWatch alarms are for metrics, not budgets. Cost Explorer is for visualization.

Trusted Advisor provides recommendations.

90
MCQeasy

A company wants to monitor the number of messages in an Amazon SQS queue and scale the number of EC2 instance consumers based on queue depth. Which combination of AWS services should be used?

A.Amazon CloudWatch and Amazon EC2 Auto Scaling
B.Amazon Elastic Load Balancing and Amazon EC2 Auto Scaling
C.Amazon CloudWatch and AWS Lambda
D.AWS CloudTrail and Amazon EventBridge
AnswerA

CloudWatch monitors queue depth; Auto Scaling adjusts instance count based on alarms.

Why this answer

Amazon CloudWatch monitors the SQS queue depth (ApproximateNumberOfMessagesVisible metric) and triggers an Amazon EC2 Auto Scaling scaling policy based on a CloudWatch alarm. This allows the number of EC2 consumer instances to dynamically scale in or out in response to the queue depth, ensuring efficient processing without over-provisioning.

Exam trap

The trap here is that candidates often confuse Elastic Load Balancing with queue-based scaling, assuming ELB can scale EC2 instances based on SQS depth, but ELB only handles HTTP/HTTPS traffic distribution and cannot read SQS metrics.

How to eliminate wrong answers

Option B is wrong because Elastic Load Balancing distributes incoming traffic to EC2 instances but does not monitor SQS queue depth or trigger scaling actions; it is not designed for queue-based scaling. Option C is wrong because while AWS Lambda can process SQS messages, it is a serverless compute service and does not manage EC2 instance scaling; using Lambda alone would not scale EC2 instances. Option D is wrong because AWS CloudTrail records API activity for auditing, and Amazon EventBridge routes events between services, but neither directly monitors SQS queue depth nor triggers EC2 Auto Scaling adjustments.

91
MCQmedium

A company runs a file-sharing application on AWS. Users upload files to an S3 bucket, which triggers a Lambda function to process the files and store metadata in a DynamoDB table. Recently, users have reported that some uploaded files are never processed. The SysOps Administrator checks the CloudWatch logs and finds no errors from the Lambda function. The S3 bucket is configured to send events to the Lambda function. The DynamoDB table has sufficient write capacity. The administrator suspects that the event notifications are being lost. Which action should the SysOps Administrator take to ensure that every file upload triggers a Lambda function and that the function processes the file successfully?

A.Configure an SQS queue as the event destination for the S3 bucket, and have the Lambda function process messages from the queue.
B.Use DynamoDB Streams to capture file metadata changes instead of Lambda invocation.
C.Increase the Lambda function's reserved concurrency to handle more invocations.
D.Increase the write capacity of the DynamoDB table to avoid throttling.
AnswerA

SQS provides reliable message delivery and retries.

Why this answer

Option B is correct because enabling SQS as the event destination provides a durable queue that can retry failed deliveries. The Lambda function can poll the queue and process messages reliably. Option A is wrong because adding more Lambda concurrency does not solve event loss.

Option C is wrong because DynamoDB Streams are not triggered by S3 events. Option D is wrong because increasing DynamoDB capacity does not address event notification issues.

92
MCQmedium

A company is deploying a new web application using AWS Elastic Beanstalk. The application requires a custom Amazon Machine Image (AMI) with specific software pre-installed. The SysOps administrator creates a custom AMI and configures Elastic Beanstalk to use it. However, during deployment, the instances fail to pass the health check. The health check endpoint is a simple 'index.html' file. What is the MOST likely cause?

A.The Elastic Beanstalk environment was created before the custom AMI was registered.
B.The custom AMI does not have a web server installed and configured to serve the application.
C.The custom AMI is not registered with the same account that owns the Elastic Beanstalk environment.
D.The custom AMI does not have the latest patches, causing the instance to fail the EC2 status checks.
AnswerB

Why B is correct

Why this answer

Option B is correct because Elastic Beanstalk expects the web server (e.g., Apache, Nginx) to be installed and configured to serve the application. If the custom AMI does not have a web server installed, the health check endpoint will not respond. Option A is incorrect because the health check is based on HTTP response, not instance status checks.

Option C is incorrect because Elastic Beanstalk does not require a specific AMI ID; it uses the one provided. Option D is incorrect because the environment URL is created regardless of the AMI.

93
MCQeasy

A SysOps administrator needs to deploy a new version of a web application to Amazon EC2 instances using AWS Elastic Beanstalk. The administrator wants to deploy the new version with zero downtime and validate the new version before routing production traffic to it. Which deployment policy should be used?

A.All at once
B.Rolling
C.Immutable
D.Traffic splitting
AnswerC

The immutable deployment policy launches a completely new set of instances with the new application version. Once healthy, the environment's CNAME is switched to the new instances, providing zero downtime and the ability to validate the new version before traffic is routed.

Why this answer

Immutable deployment is correct because it launches a completely new set of EC2 instances in a separate Auto Scaling group, deploys the new application version to them, and passes health checks before swapping the environment's CNAME record to point to the new instances. This ensures zero downtime and allows validation of the new version before any production traffic is routed to it, as the old instances remain untouched until the swap is complete.

Exam trap

The trap here is that candidates confuse 'Traffic splitting' with 'canary testing' and assume it allows pre-validation, but in Elastic Beanstalk, traffic splitting immediately routes a percentage of live traffic to the new version, whereas immutable deployment keeps all traffic on the old version until the new version is fully validated and swapped.

How to eliminate wrong answers

Option A is wrong because All at once deploys the new version to all instances simultaneously, causing downtime during the deployment and no ability to validate before traffic is routed. Option B is wrong because Rolling deploys the new version in batches across existing instances, which can cause a brief period of reduced capacity and does not allow full validation of the new version before all traffic is switched; it also does not guarantee zero downtime if health checks fail mid-batch. Option D is wrong because Traffic splitting (canary deployment) routes a percentage of traffic to the new version immediately, which does not allow validation before any production traffic is sent; it is designed for gradual traffic shifting, not pre-validation with zero initial traffic.

94
Multi-Selecteasy

Which TWO AWS services can be used to improve the security of a VPC? (Choose TWO.)

Select 2 answers
A.Security Groups
B.Internet Gateway
C.Route Tables
D.Network ACLs
E.VPC Peering
AnswersA, D

Correct because security groups act as virtual firewalls for instances.

Why this answer

Option A is correct because Network ACLs provide stateless filtering. Option D is correct because Security Groups provide stateful filtering. Option B is wrong because Route Tables control traffic routing, not security.

Option C is wrong because Internet Gateway provides internet access. Option E is wrong because VPC Peering connects VPCs but does not add security.

95
MCQmedium

An organization requires that all Amazon S3 buckets be encrypted at rest by default. A SysOps administrator needs to enforce this using AWS Config. Which AWS Config managed rule should be used?

A.s3-bucket-encryption-enabled
B.s3-bucket-ssl-requests-only
C.s3-bucket-public-read-prohibited
D.s3-bucket-logging-enabled
AnswerA

Correct. This rule evaluates whether default encryption is configured on the bucket, meeting the requirement for encryption at rest.

Why this answer

The AWS Config managed rule `s3-bucket-encryption-enabled` checks whether S3 buckets have default encryption enabled (SSE-S3, SSE-KMS, or SSE-C). This directly enforces the requirement that all buckets are encrypted at rest by default, as it evaluates each bucket's encryption configuration and flags non-compliant resources.

Exam trap

The trap here is that candidates often confuse encryption in transit (SSL/TLS) with encryption at rest, leading them to select `s3-bucket-ssl-requests-only` instead of the correct rule for default encryption.

How to eliminate wrong answers

Option B is wrong because `s3-bucket-ssl-requests-only` enforces that bucket policies deny HTTP requests, not encryption at rest. Option C is wrong because `s3-bucket-public-read-prohibited` checks for public read access, not encryption. Option D is wrong because `s3-bucket-logging-enabled` verifies that server access logging is enabled, which is unrelated to encryption at rest.

96
Multi-Selecteasy

A company wants to ensure that their Amazon S3 bucket policy only allows access from a specific VPC endpoint. Which TWO condition keys can be used in the bucket policy? (Choose TWO.)

Select 2 answers
A.s3:SourceVpce
B.aws:SourceIp
C.aws:SourceVpc
D.ec2:Vpc
E.aws:SourceVpce
AnswersC, E

Restricts to a specific VPC.

Why this answer

Option B is correct because 'aws:SourceVpce' restricts to a specific VPC endpoint. Option C is correct because 'aws:SourceVpc' restricts to a specific VPC (all endpoints in that VPC). Option A is wrong because 'aws:SourceIp' is for IP addresses, not VPC endpoints.

Option D is wrong because 's3:SourceVpce' is not a valid condition key. Option E is wrong because 'ec2:Vpc' is for EC2, not S3.

97
MCQmedium

A company has a production Amazon RDS for MySQL DB instance in a single Availability Zone. The SysOps administrator needs to improve database availability to ensure automatic failover in the event of a database failure or an Availability Zone outage. Which configuration should the administrator enable?

A.Enable Multi-AZ deployment
B.Create a read replica in another Availability Zone
C.Enable automated backups
D.Change the DB instance to a larger instance class
AnswerA

Multi-AZ provides a standby instance in another AZ with automatic failover, meeting the high availability requirement.

Why this answer

Enabling a Multi-AZ deployment for Amazon RDS for MySQL automatically provisions and maintains a synchronous standby replica in a different Availability Zone. In the event of a database failure or an AZ outage, Amazon RDS automatically fails over to the standby replica, typically within 60–120 seconds, without requiring manual intervention. This configuration meets the requirement for automatic failover and improved availability.

Exam trap

The trap here is that candidates often confuse a read replica with a Multi-AZ standby, mistakenly believing that a read replica can provide automatic failover, but read replicas require manual promotion and do not maintain synchronous replication.

How to eliminate wrong answers

Option B is wrong because a read replica is an asynchronous copy used for offloading read traffic, not for automatic failover; while it can be promoted to a standalone instance, this requires manual action and does not provide automatic failover. Option C is wrong because automated backups only enable point-in-time recovery and do not provide any failover capability or high availability. Option D is wrong because changing the DB instance to a larger instance class improves performance and scalability but does not provide redundancy or automatic failover across Availability Zones.

98
MCQeasy

A SysOps administrator wants to automate the creation of an AWS Lambda function and its associated IAM role using infrastructure as code. Which AWS service should be used?

A.AWS CloudFormation
B.AWS Elastic Beanstalk
C.AWS CodeDeploy
D.AWS Systems Manager
AnswerA

CloudFormation enables you to define and provision AWS infrastructure using templates. It can manage Lambda functions, IAM roles, and many other resources in a repeatable and automated way.

Why this answer

AWS CloudFormation is the correct service because it allows you to define both the Lambda function and its IAM role as infrastructure as code using a template (JSON or YAML). CloudFormation handles the creation, updating, and deletion of these resources in an orderly, repeatable manner, ensuring the IAM role is created before the Lambda function due to dependency management.

Exam trap

The trap here is that candidates often confuse AWS CodeDeploy (which can deploy Lambda code) with the ability to create the Lambda function and its IAM role, but CodeDeploy does not provision the underlying infrastructure resources—it only handles the deployment of the code to an existing function.

How to eliminate wrong answers

Option B (AWS Elastic Beanstalk) is wrong because it is a PaaS service designed for deploying and scaling web applications, not for creating individual Lambda functions and IAM roles via infrastructure as code. Option C (AWS CodeDeploy) is wrong because it automates code deployments to EC2, Lambda, or on-premises instances, but it does not provision the underlying IAM roles or Lambda function resources; it only deploys the code. Option D (AWS Systems Manager) is wrong because it provides operational management and automation for AWS resources (e.g., patching, runbooks), but it is not designed for declarative infrastructure provisioning of Lambda functions and IAM roles.

99
Multi-Selecteasy

An administrator is using AWS CloudFormation to create a stack that includes an Auto Scaling group and a launch template. The launch template specifies an AMI ID. Which TWO changes to the launch template will trigger an update to the Auto Scaling group? (Choose TWO.)

Select 2 answers
A.Modifying the security group IDs.
B.Changing the key pair name.
C.Changing the instance type.
D.Changing the AMI ID.
E.Adding a new tag to the launch template.
AnswersC, D

Instance type change requires new instances.

Why this answer

Changing the AMI ID or the instance type will trigger an update because they affect the instances launched. Options A and B are correct. Option C is wrong because tag changes do not trigger a replacement.

Option D is wrong because the security group is part of the launch template but changes to it do not trigger an update of the Auto Scaling group; they update the instances. Option E is wrong because the key pair does not trigger an update.

100
MCQeasy

A company is designing a disaster recovery plan for its on-premises database. They need to replicate the database to AWS with low latency. Which AWS service should they use?

A.Amazon S3 with Cross-Region Replication.
B.AWS Storage Gateway with volume gateway.
C.AWS Database Migration Service (DMS) with ongoing replication.
D.AWS Direct Connect to establish a dedicated network connection.
AnswerC

DMS can replicate databases continuously to RDS.

Why this answer

Option B is correct because AWS Database Migration Service (DMS) supports continuous replication from on-premises to AWS RDS. Option A is wrong because S3 is object storage. Option C is wrong because Direct Connect is a network connection, not a replication service.

Option D is wrong because Storage Gateway is for file/volume storage, not database replication.

101
MCQeasy

A company uses Amazon Route 53 for DNS resolution. The company wants to ensure that if a web server becomes unhealthy, traffic is automatically routed to a healthy server in another Availability Zone. Which routing policy should be used?

A.Latency routing policy
B.Weighted routing policy
C.Geolocation routing policy
D.Failover routing policy
AnswerD

Routes to primary unless unhealthy, then to secondary.

Why this answer

Option A is correct because failover routing policy directs traffic to a primary resource, and if it is unhealthy, to a secondary resource. Option B is wrong because weighted routing distributes traffic proportionally, not based on health. Option C is wrong because latency routing routes based on latency, not health.

Option D is wrong because geolocation routes based on geographic location.

102
MCQhard

A company has a production environment with multiple EC2 instances that send logs to CloudWatch Logs. The operations team wants to search across all log groups for a specific error pattern. What is the most efficient way to achieve this?

A.Use CloudWatch Logs Insights to query across all log groups.
B.Set up a subscription filter to stream logs to an Amazon ES domain.
C.Use CloudWatch Logs filter patterns on each log group.
D.Download all logs to an S3 bucket and use Amazon Athena to query.
AnswerA

CloudWatch Logs Insights can query multiple log groups with a single query.

Why this answer

CloudWatch Logs Insights allows you to run SQL-like queries across multiple log groups in a single query, making it the most efficient way to search for a specific error pattern across all log groups without needing to set up additional infrastructure or manually query each group individually.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a more complex architecture (like streaming to Elasticsearch or using Athena) when CloudWatch Logs Insights provides a native, serverless, and efficient way to query across multiple log groups directly.

How to eliminate wrong answers

Option B is wrong because setting up a subscription filter to stream logs to an Amazon ES domain adds unnecessary complexity, latency, and cost; it requires provisioning and managing an Elasticsearch cluster, which is overkill for a simple cross-log-group search. Option C is wrong because CloudWatch Logs filter patterns operate on a single log group at a time, so you would need to configure and run separate queries for each log group, which is inefficient and not scalable for searching across all log groups. Option D is wrong because downloading all logs to an S3 bucket and using Amazon Athena introduces significant overhead, including export delays, storage costs, and the need to define a schema; it is not the most efficient approach for real-time or ad-hoc searching across log groups.

103
Multi-Selecthard

A company uses CloudWatch Logs to store application logs. The logs must be retained for 3 years for compliance. Which TWO steps should be taken to achieve this? (Choose TWO.)

Select 2 answers
A.Configure an S3 lifecycle policy to transition objects to Glacier after 3 years.
B.Enable CloudWatch Logs Insights.
C.Set the log group retention period to 3 years.
D.Use CloudWatch Logs subscription filter to stream logs to Amazon Kinesis Firehose.
E.Export logs to an Amazon S3 bucket using CloudWatch Logs export tasks.
AnswersA, E

Lifecycle policies manage long-term retention.

Why this answer

Option A is correct because S3 lifecycle policies can transition objects to Glacier after a specified number of days, which allows long-term archival storage at low cost. This is a common approach for retaining logs beyond the CloudWatch Logs maximum retention period of 10 years, but here the requirement is 3 years, which is within CloudWatch Logs' capabilities. However, exporting to S3 and then applying a lifecycle policy is a valid method to ensure compliance with the 3-year retention requirement.

Option E is correct because CloudWatch Logs export tasks can export log data to an S3 bucket, where it can be stored indefinitely and managed with lifecycle policies for long-term retention.

Exam trap

The trap here is that candidates might think setting the log group retention period to 3 years is sufficient, but that actually causes logs to be deleted after 3 years, whereas the requirement is to retain them for 3 years, so exporting to S3 and using lifecycle policies is the correct approach to ensure logs are available for the full compliance period.

104
Multi-Selecteasy

Which TWO are valid methods to secure traffic between a client and an Application Load Balancer?

Select 1 answer
A.Configure a listener on port 443 with an SSL certificate from AWS Certificate Manager.
B.Use a security group that only allows HTTPS traffic from the client's IP.
C.Set up an IPsec VPN connection between the client and the ALB.
D.Configure a network ACL to allow only port 443.
E.Enable the ALB's built-in SSL/TLS encryption without a certificate.
AnswersA

This enables HTTPS encryption between client and ALB.

Why this answer

HTTPS listeners terminate SSL/TLS at the ALB, ensuring encryption between client and ALB. Using an SSL certificate from AWS Certificate Manager (ACM) is required for HTTPS. Option C is incorrect because security groups restrict traffic based on IP, not encryption.

Option D is incorrect because network ACLs are stateless and do not encrypt. Option E is incorrect because a VPN connection is for site-to-site, not client-to-ALB.

105
MCQeasy

A SysOps administrator manages an Application Load Balancer (ALB) that distributes traffic to an Auto Scaling group of EC2 instances. The administrator needs to receive a notification whenever the number of unhealthy targets in the ALB target group exceeds a threshold of 2 for at least 5 consecutive minutes. Which solution meets this requirement with the least operational overhead?

A.Create a CloudWatch alarm on the 'UnHealthyHostCount' metric for the ALB target group, with a threshold of 2 and an evaluation period of 5 minutes. Configure the alarm to send an Amazon SNS notification.
B.Enable AWS CloudTrail logging for the ALB and create a CloudWatch metric filter for 'UnHealthyHostCount' events. Then create an alarm on that metric to notify via SNS.
C.Use an AWS Config rule to evaluate the health of the ALB target group and trigger an SNS notification when non-compliant.
D.Create an Amazon EventBridge rule that triggers every minute to call the AWS CLI command describe-target-health and send a notification via Lambda if unhealthy count exceeds 2.
AnswerA

CloudWatch automatically collects the 'UnHealthyHostCount' metric from the ALB. The alarm triggers when the metric exceeds the threshold, and SNS delivers notifications directly. This requires no custom code and is the simplest approach.

Why this answer

Option A is correct because CloudWatch natively publishes the 'UnHealthyHostCount' metric for ALB target groups, allowing a direct alarm with a threshold of 2 and an evaluation period of 5 minutes. This alarm can trigger an SNS notification with minimal configuration, requiring no custom scripts or additional services. The requirement for 'at least 5 consecutive minutes' is satisfied by setting the evaluation period to 5 minutes (or using 5 datapoints with a 1-minute period).

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing custom polling (Option D) or misapplying services like CloudTrail or Config, failing to recognize that CloudWatch metrics already provide the exact functionality needed with zero additional code.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail logs API calls, not real-time metric data like 'UnHealthyHostCount'; creating a metric filter for 'UnHealthyHostCount' events is invalid as CloudTrail does not emit such events. Option C is wrong because AWS Config rules evaluate resource compliance against desired configurations (e.g., security groups, tags), not real-time health metrics like unhealthy host counts; Config cannot trigger based on dynamic metric thresholds. Option D is wrong because it introduces unnecessary operational overhead by requiring a custom Lambda function and EventBridge rule to poll the describe-target-health CLI command every minute, whereas CloudWatch provides a built-in, simpler solution.

106
MCQhard

A company uses AWS CloudFormation to deploy infrastructure. A SysOps admin wants to receive a notification when a stack update fails. Which approach is the most efficient?

A.Write a script that polls the CloudFormation API and sends notifications
B.Use AWS Config to monitor stack resources
C.Create an EventBridge rule that matches CloudFormation stack events
D.Enable CloudTrail and create a metric filter for stack update failures
AnswerC

EventBridge can filter on stack events like ROLLBACK_IN_PROGRESS.

Why this answer

Option C is correct because Amazon EventBridge can directly capture CloudFormation stack events (e.g., CREATE_FAILED, UPDATE_FAILED) in real time and trigger a notification via SNS or Lambda. This approach is serverless, requires no polling, and is the most efficient method for reacting to stack update failures as they occur.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing CloudTrail or polling, missing the fact that EventBridge provides native, real-time event capture for CloudFormation stack status changes without additional overhead.

How to eliminate wrong answers

Option A is wrong because polling the CloudFormation API introduces latency, consumes unnecessary compute resources, and is less efficient than an event-driven approach. Option B is wrong because AWS Config is designed to evaluate resource compliance against rules, not to monitor CloudFormation stack lifecycle events or send failure notifications. Option D is wrong because CloudTrail logs API calls, but creating a metric filter for stack update failures requires additional steps (e.g., setting up a CloudWatch alarm) and introduces delay compared to native EventBridge event matching.

107
Multi-Selecthard

A SysOps administrator is designing a deployment pipeline using AWS CodePipeline. The pipeline must deploy a serverless application using AWS SAM. The administrator wants to run integration tests after the deployment. Which THREE services should be used together? (Choose THREE.)

Select 3 answers
A.AWS CodeCommit
B.AWS CodePipeline
C.AWS CodeBuild
D.AWS CodeDeploy
E.AWS SAM
AnswersB, C, E

Orchestrates the deployment pipeline.

Why this answer

Option A is correct because CodePipeline orchestrates the pipeline. Option B is correct because AWS SAM is used to deploy serverless applications. Option C is correct because CodeBuild can run integration tests as part of the pipeline.

Option D is wrong because CodeDeploy is for EC2/Lambda, but SAM is more appropriate for serverless. Option E is wrong because CodeCommit is a source repository, not for testing.

108
MCQmedium

Refer to the exhibit. A SysOps administrator runs the command to find 'CreateKeyPair' events in January 2023 but gets an empty list. The administrator knows that key pairs were created during that time. What is the most likely reason?

A.The events occurred in a different AWS region.
B.The start and end times are outside the 90-day retention period.
C.CloudTrail is not enabled in the account.
D.The IAM user does not have 'cloudtrail:LookupEvents' permission.
AnswerA

The lookup is for us-east-1, but the trail might be single-region.

Why this answer

The `aws cloudtrail lookup-events` command returns events only from the region specified in the AWS CLI configuration (or the `--region` parameter). If the administrator did not specify a region, the command defaults to the region set in the CLI profile. Since `CreateKeyPair` events are regional (each key pair is created in a specific region), the empty result indicates the events occurred in a different AWS region than the one queried.

Exam trap

The trap here is that candidates assume CloudTrail events are globally visible by default, but in reality, `lookup-events` is region-scoped unless the `--region` parameter is explicitly set to the correct region.

How to eliminate wrong answers

Option B is wrong because the 90-day retention period applies to CloudTrail event history, and January 2023 is well within 90 days from the current date (assuming the exam is set in 2023 or later), so the start and end times are not outside the retention period. Option C is wrong because CloudTrail is enabled by default in all AWS accounts, and the `lookup-events` command works with the default event history even without a specific trail. Option D is wrong because if the IAM user lacked `cloudtrail:LookupEvents` permission, the command would return an access denied error, not an empty list.

109
MCQmedium

A SysOps administrator needs to implement a backup strategy for an Amazon RDS for PostgreSQL database. The database is 500 GB and experiences heavy write traffic. Which solution provides the most cost-effective backup with the least impact on database performance?

A.Enable automated backups with a retention period of 7 days.
B.Create a Multi-AZ deployment and use the standby for backups.
C.Use AWS Database Migration Service to continuously replicate data to an S3 bucket.
D.Take manual DB snapshots daily during off-peak hours.
AnswerA

Automated backups have minimal performance impact and provide point-in-time recovery.

Why this answer

Option B is correct because automated backups are enabled by default with minimal performance impact and include transaction logs for point-in-time recovery. Option A is wrong because manual snapshots require a brief I/O suspension and are less automated. Option C is wrong because read replicas are for read scaling, not backups.

Option D is wrong because exporting to S3 via AWS DMS incurs additional cost and complexity.

110
MCQhard

A company runs a critical application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application requires very low latency and high availability. The SysOps administrator notices that the application experiences increased latency during traffic spikes even though the Auto Scaling group is scaling out. Which solution would MOST effectively reduce latency?

A.Change the launch configuration to use a larger instance type with more CPU and memory.
B.Pre-warm the load balancer by contacting AWS Support.
C.Increase the Auto Scaling cooldown period.
D.Deploy the instances in multiple Availability Zones.
AnswerA

Larger instances can process more requests, reducing latency.

Why this answer

Using a larger instance type (A) can handle more requests per instance, reducing latency. Pre-warming ELB (B) is not needed for ALB. Multi-AZ (C) improves availability but not necessarily latency.

Increasing cooldown (D) would slow scaling, increasing latency.

111
MCQhard

A SysOps administrator is troubleshooting an issue where an IAM user is unable to launch an EC2 instance in a specific subnet. The user has the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:Subnet": "subnet-12345" } } } ] } What is the likely cause of the failure?

A.The policy does not allow the 'ec2:DescribeSubnets' action, so the user cannot list subnets.
B.The user is not specifying the subnet ID when launching the instance.
C.The policy denies all subnets except subnet-12345.
D.The condition key 'ec2:Subnet' is not supported for RunInstances.
AnswerB

The condition requires the subnet ID to be provided.

Why this answer

Option B is correct because the 'ec2:Subnet' condition key requires the user to specify the subnet ID in the RunInstances call. If the user does not specify a subnet (e.g., using the default VPC), the condition fails. Option A is wrong because the policy allows RunInstances, not just Describe.

Option C is wrong because the condition is explicitly for subnet-12345, so it does not deny all subnets. Option D is wrong because the condition key 'ec2:Subnet' is valid for RunInstances.

112
MCQeasy

A company has an Amazon CloudFront distribution with an S3 bucket as origin. The bucket contains sensitive data. Which configuration ensures that users access the content only through CloudFront and not directly via the S3 URL?

A.Enable S3 server-side encryption
B.Configure an Origin Access Identity (OAI) in CloudFront and update the bucket policy
C.Use CloudFront signed URLs or signed cookies
D.Enable S3 Block Public Access on the bucket
AnswerB

OAI allows CloudFront to access the bucket while blocking direct access.

Why this answer

Option B is correct by using an Origin Access Identity (OAI) to restrict S3 bucket access to only CloudFront. Option A is wrong because blocking public access alone doesn't allow CloudFront access. Option C is wrong because CloudFront signed URLs control access to CloudFront, but the bucket still needs permission.

Option D is wrong because server-side encryption doesn't restrict access paths.

113
MCQmedium

A company runs a web application on EC2 instances with Elastic Load Balancing. They notice that costs are higher than expected. What is the MOST cost-effective way to optimize costs while maintaining high availability?

A.Use Spot Instances for all traffic.
B.Use On-Demand instances for all traffic.
C.Use a combination of Reserved Instances for baseline traffic and On-Demand for spikes.
D.Reduce the number of instances to one.
AnswerC

Reserved Instances reduce cost for steady load; On-Demand handles variability.

Why this answer

Option C is correct because Reserved Instances provide significant discounts for steady-state workloads. On-Demand is more expensive, and Spot Instances may not ensure high availability. Scaling down instances reduces capacity.

114
Multi-Selectmedium

A company is designing a disaster recovery plan for its critical applications. The plan must minimize data loss and recovery time. Which TWO measures should the SysOps administrator implement?

Select 2 answers
A.Perform regular backups to Amazon S3.
B.Set a recovery time objective (RTO) of 24 hours.
C.Use manual procedures to restore from backups.
D.Run all workloads in a single AWS region.
E.Replicate data to another AWS region.
AnswersA, E

Backups provide data recovery.

Why this answer

Options A and C are correct. Regular backups to S3 provide data durability, and multi-region replication ensures availability in another region. Option B is wrong because a single region does not protect against region failure.

Option D is wrong because manual failover is slow. Option E is wrong because RTO is about time, not backup frequency.

115
MCQmedium

A company has deployed a web application behind an Application Load Balancer (ALB) across multiple Availability Zones. Users in some regions report slow page load times. Which action should the SysOps Administrator take to improve performance for all users?

A.Use AWS Global Accelerator to route traffic over the AWS global network.
B.Increase the ALB capacity by adding more target instances.
C.Enable Amazon CloudFront to cache dynamic content.
D.Move the application to a single Availability Zone to reduce network hops.
AnswerA

Correct because Global Accelerator uses the AWS backbone to improve latency and availability.

Why this answer

Option C is correct because using AWS Global Accelerator can improve performance by directing traffic through the AWS global network and optimizing the path to the application. Option A is wrong because increasing ALB capacity does not address latency from distant users. Option B is wrong because CloudFront is for static content, not dynamic web apps.

Option D is wrong because moving to a single AZ reduces fault tolerance and may not improve latency for all users.

116
MCQeasy

A company runs a web application on Amazon EC2 instances that run 24/7. The application has a predictable and steady load. The SysOps administrator wants to minimize compute costs while ensuring the required capacity is always available. Which purchasing option should be used?

A.On-Demand Instances
B.Reserved Instances
C.Spot Instances
D.Dedicated Hosts
AnswerB

Reserved Instances offer a substantial discount (up to 72%) in exchange for a 1- or 3-year commitment, making them the most cost-effective choice for continuous predictable workloads.

Why this answer

Reserved Instances (RIs) are the correct choice because the workload runs 24/7 with a predictable and steady load. By committing to a 1- or 3-year term, the company can achieve a significant discount (up to 72%) compared to On-Demand pricing, while ensuring capacity is always available. This aligns with the goal of minimizing compute costs without sacrificing availability.

Exam trap

The trap here is that candidates often choose On-Demand Instances for simplicity, overlooking that Reserved Instances provide substantial cost savings for predictable, always-on workloads without any risk of interruption.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances are billed per hour with no upfront commitment, making them more expensive for a steady 24/7 workload that could benefit from a reservation discount. Option C is wrong because Spot Instances can be interrupted with a 2-minute warning when AWS needs capacity back, making them unsuitable for a production web application that requires always-on availability. Option D is wrong because Dedicated Hosts provide physical server isolation for licensing or compliance needs, not cost savings for a standard web application, and they incur additional per-host charges.

117
MCQhard

A company has a production AWS account with multiple VPCs connected via a transit gateway. The security team requires that all cross-VPC traffic be inspected by a centralized network firewall appliance. The firewall is deployed in a dedicated inspection VPC. The SysOps administrator must ensure that traffic from VPC A to VPC B is routed through the inspection VPC. Which configuration achieves this?

A.Create a VPC peering connection between VPC A and VPC B, and use route tables to send traffic through the inspection VPC.
B.Configure the transit gateway route tables to propagate a blackhole route for VPC A and VPC B CIDRs to the inspection VPC attachment, then have the firewall forward traffic.
C.Use security groups in the inspection VPC to filter traffic between VPC A and VPC B.
D.Attach a NAT gateway in the inspection VPC and configure route tables in VPC A and B to point to the NAT gateway.
AnswerB

TGW route tables can force traffic through inspection VPC.

Why this answer

Option D is correct because a blackhole route to the inspection VPC forces traffic to go through it, and then the firewall forwards it. Option A is wrong because NAT gateways do not inspect traffic. Option B is wrong because VPC peering does not route through a central inspection point.

Option C is wrong because Security Groups are stateful and not designed for centralized inspection.

118
MCQmedium

A company stores application logs in Amazon S3. The logs are rarely accessed after the first 30 days, but must be retained for 7 years for compliance. The SysOps administrator wants to minimize storage costs while ensuring logs are available for retrieval within 12 hours if needed. Which S3 lifecycle configuration is the most cost-effective?

A.S3 Standard for 30 days, then transition to S3 Glacier Deep Archive
B.S3 Standard for 30 days, then transition to S3 Glacier (Flexible Retrieval)
C.Use S3 Intelligent-Tiering from the start
D.S3 Standard for 30 days, then transition to S3 One Zone-IA
AnswerA

Provides lowest cost for archival with retrieval within 12 hours.

Why this answer

Option A is correct because it transitions logs from S3 Standard (for frequent access during the first 30 days) to S3 Glacier Deep Archive, which offers the lowest storage cost for long-term retention. Since logs must be retained for 7 years and only need retrieval within 12 hours, Glacier Deep Archive's 12-hour standard retrieval time meets the requirement while minimizing costs.

Exam trap

The trap here is that candidates may choose S3 Glacier (Flexible Retrieval) because it is a well-known archival tier, but they overlook the specific 12-hour retrieval requirement and the lower cost of Glacier Deep Archive for long-term retention.

How to eliminate wrong answers

Option B is wrong because S3 Glacier (Flexible Retrieval) has higher storage costs than Glacier Deep Archive for 7-year retention, and its standard retrieval time (1-5 minutes) is faster than needed, making it less cost-effective. Option C is wrong because S3 Intelligent-Tiering incurs a monthly monitoring and automation fee per object, and for data that is rarely accessed after 30 days, the cost savings from tiering do not offset the monitoring fee over 7 years. Option D is wrong because S3 One Zone-IA is not designed for long-term archival; it offers lower durability (99.5% vs 99.999999999%) and is not cost-effective for 7-year retention compared to Glacier Deep Archive.

119
MCQhard

A company has a VPC with a public subnet and a private subnet. An Amazon EC2 instance in the private subnet needs to download security patches from the internet, but the instance must not be directly accessible from the internet. The SysOps administrator configured a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. The instance's security group allows all outbound traffic. However, the instance still cannot reach the internet. What is the most likely missing configuration?

A.Attach an Elastic IP to the NAT gateway
B.Enable DNS resolution in the VPC
C.Add a route in the public subnet's route table that directs 0.0.0.0/0 traffic to an internet gateway
D.Modify the network ACL of the private subnet to allow inbound ephemeral ports from the NAT gateway's private IP
AnswerC

The NAT gateway resides in the public subnet; that subnet's route table must have a route to an internet gateway for the NAT gateway to reach the internet.

Why this answer

The NAT gateway is in the public subnet, but for it to route traffic to the internet, the public subnet must have a route table entry that directs 0.0.0.0/0 traffic to an internet gateway (IGW). Without this route, the NAT gateway cannot forward outbound traffic to the IGW, so the private instance's traffic is dropped. Option C correctly identifies this missing route.

Exam trap

The trap here is that candidates assume configuring the private subnet's route table to point to the NAT gateway is sufficient, forgetting that the NAT gateway itself needs a route to the internet via an internet gateway in its own subnet.

How to eliminate wrong answers

Option A is wrong because a NAT gateway automatically gets an Elastic IP assigned at creation; if it were missing, the NAT gateway would fail to provision, not silently fail to route traffic. Option B is wrong because DNS resolution controls the ability to resolve domain names to IP addresses, not the underlying network path for outbound traffic; the instance can still fail to reach the internet even with DNS working. Option D is wrong because the network ACL of the private subnet must allow outbound ephemeral ports for return traffic, not inbound; the default NACL already allows all inbound/outbound traffic, and the issue is the missing route in the public subnet, not NACL rules.

120
Multi-Selectmedium

A SysOps administrator is optimizing an AWS Lambda function that processes data from an S3 bucket. The function currently runs with 128 MB memory and a 5-second timeout. The function experiences timeouts for large files. The administrator wants to improve performance and reduce cost. Which TWO actions should they take?

Select 2 answers
A.Increase the function timeout to 15 minutes.
B.Enable provisioned concurrency to reduce cold starts.
C.Configure the S3 event notification to use S3 Standard-IA for the input files.
D.Create multiple Lambda functions to process different files concurrently.
E.Increase the function memory to 512 MB or higher.
AnswersB, E

Provisioned concurrency reduces latency, improving performance for the function.

Why this answer

Options A and D are correct because increasing memory often reduces execution time and cost due to faster processing, and enabling reserved concurrency prevents cold starts and ensures capacity. Option B is wrong because increasing timeout alone does not improve performance and may increase cost. Option C is wrong because provisioning more functions does not affect a single function's performance.

Option E is wrong because moving to S3 Standard-IA is for storage cost, not compute.

121
MCQhard

A company runs a production database on a db.r5.large RDS instance with Multi-AZ enabled. They notice that the CPU utilization is consistently below 10% and memory usage is below 20%. The application is not expected to grow significantly. Which action would optimize costs without sacrificing high availability?

A.Remove Multi-AZ and use a single-AZ deployment to reduce costs.
B.Purchase a Reserved Instance for the current instance type to get a discount.
C.Change the instance type to a smaller size, such as db.t3.medium, and keep Multi-AZ.
D.Change the instance type to a larger size, such as db.r5.xlarge, to improve performance.
AnswerC

Downsizing reduces cost while Multi-AZ maintains high availability.

Why this answer

Option C is correct because the instance is over-provisioned; downsizing to a smaller instance type (e.g., db.r5.large to db.t3.medium) reduces cost. Multi-AZ should be retained for high availability. Option A is wrong because removing Multi-AZ sacrifices high availability.

Option B is wrong because Reserved Instances require a commitment and may not be cost-effective if the instance type is changed. Option D is wrong because moving to a larger instance increases costs.

122
MCQhard

A SysOps administrator updates a CloudFormation stack to change the EC2 instance type from t2.micro to t3.medium. The update fails with the error shown. What is the MOST likely cause?

A.The account does not have service limits to launch a t3.medium instance.
B.The AMI used does not support the t3.medium instance type.
C.The CloudFormation template has a parameter constraint that rejects t3.medium.
D.The t3.medium instance type is not available in the specified Availability Zone.
AnswerD

The error clearly states the instance type is not supported in the AZ.

Why this answer

Option A is correct because the error message explicitly states that the instance type is not supported in the Availability Zone. Option B is wrong because the error does not mention insufficient capacity. Option C is wrong because the error does not mention AMI.

Option D is wrong because the error does not mention parameter validation.

123
MCQmedium

A company is running a web application on EC2 instances behind an Application Load Balancer. They want to ensure that if an entire Availability Zone fails, the application remains available. Which configuration should they implement?

A.Configure the Auto Scaling group to launch instances in multiple Availability Zones.
B.Use an RDS Multi-AZ deployment for the application.
C.Use a larger EC2 instance type.
D.Enable detailed monitoring on the EC2 instances.
AnswerA

Distributing instances across AZs ensures availability if one AZ fails.

Why this answer

Option B is correct because deploying EC2 instances across multiple Availability Zones (AZs) ensures that if one AZ fails, traffic can be routed to healthy instances in other AZs. Option A is wrong because an Auto Scaling group with a single AZ does not protect against AZ failure. Option C is wrong because a larger instance type improves performance but not availability.

Option D is wrong because read replicas are for databases, not EC2 instances.

124
Multi-Selectmedium

Which THREE AWS services can be used to centrally manage and audit user permissions across multiple AWS accounts in AWS Organizations? (Choose THREE.)

Select 3 answers
A.AWS WAF
B.AWS CloudTrail
C.AWS Config
D.AWS Organizations
E.AWS IAM Access Analyzer
AnswersB, D, E

Logs API calls and can be aggregated across accounts.

Why this answer

Option A is correct because AWS CloudTrail logs API calls across accounts and can be aggregated. Option B is correct because AWS IAM Access Analyzer helps identify resources shared with external entities. Option D is correct because AWS Organizations provides a central view of accounts and SCPs.

Option C is wrong because AWS Config is for resource compliance, not user permissions. Option E is wrong because AWS WAF is a web application firewall.

125
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization have server-side encryption enabled. What is the MOST efficient way to achieve this?

A.Attach a service control policy (SCP) that denies s3:PutBucketEncryption and s3:CreateBucket actions unless encryption is specified.
B.Use AWS Trusted Advisor to check for unencrypted buckets and notify the account owners.
C.Use AWS Config rules to automatically remediate non-compliant buckets.
D.Apply a bucket policy to each bucket requiring server-side encryption for all uploads.
AnswerA

SCPs can deny actions that do not include encryption parameters, enforcing encryption across all accounts.

Why this answer

Option B is correct because SCPs can be applied to the root OU or specific accounts to deny actions that create or modify S3 buckets without encryption. Option A is wrong because service control policies only prevent actions; they don't automatically enable encryption. Option C is wrong because Config rules can detect non-compliant buckets but cannot enforce encryption automatically.

Option D is wrong because bucket policies are per-bucket and cannot be applied globally across all accounts.

126
MCQmedium

A company has an Application Load Balancer (ALB) that routes traffic to targets in private subnets. The SysOps administrator needs to log detailed information about HTTP requests, including client IP, request path, and response time. Which ALB feature should be enabled?

A.CloudWatch metrics
B.Access logs
C.Connection logs
D.Request tracing
AnswerB

Access logs capture detailed information for each request, including client IP, request path, and response time, fulfilling the requirement.

Why this answer

Access logs capture detailed information about each HTTP request processed by the ALB, including client IP, request path, response time, and many other fields. This feature stores the logs in an S3 bucket, providing a persistent, queryable record of all requests. CloudWatch metrics aggregate data but do not provide per-request details, making access logs the correct choice for the required granularity.

Exam trap

The trap here is that candidates confuse CloudWatch metrics (aggregated data) with access logs (per-request data), or mistakenly think connection logs exist for ALBs when they are specific to NLB, leading to incorrect choices that do not provide the detailed HTTP request logging required.

How to eliminate wrong answers

Option A is wrong because CloudWatch metrics provide aggregated statistics (e.g., request count, latency averages) and do not log individual HTTP request details such as client IP or request path. Option C is wrong because connection logs are not a feature of ALB; they exist for Network Load Balancers to capture TCP connection-level information, not HTTP request-level data. Option D is wrong because request tracing (AWS X-Ray integration) adds trace headers to requests for distributed tracing but does not log the full HTTP request details like client IP and response time in a persistent log file.

127
MCQeasy

A company uses S3 Standard for all data, but some objects are accessed only once per year. Which storage class provides the lowest cost for this use case while maintaining the same durability?

A.S3 Glacier Deep Archive
B.S3 One Zone-Infrequent Access (S3 One Zone-IA)
C.S3 Intelligent-Tiering
D.S3 Standard-Infrequent Access (S3 Standard-IA)
AnswerA

Lowest cost for rarely accessed data with same durability.

Why this answer

Option B is correct because S3 Glacier Deep Archive is the lowest-cost storage class for long-term archival data accessed rarely. S3 Standard is expensive for infrequent access. S3 One Zone-IA is cheaper but not as durable.

S3 Intelligent-Tiering has monitoring costs and may not be ideal.

128
MCQeasy

A company wants to visualize the geographic distribution of failed login attempts to their web application. The application runs on EC2 instances behind an ALB. They have access logs enabled for the ALB. Which service should be used to create the visualization?

A.Amazon CloudWatch Dashboard with a custom widget.
B.Amazon Kinesis Data Analytics with a Lambda function.
C.Amazon S3 Select with Athena.
D.Amazon QuickSight with S3 as a data source.
AnswerD

QuickSight can directly connect to ALB access logs in S3 and create geospatial charts.

Why this answer

Amazon QuickSight is a fully managed business intelligence service that can directly query ALB access logs stored in Amazon S3, enabling the creation of geospatial visualizations (e.g., heat maps) of failed login attempts. ALB access logs are delivered to S3 in a structured format, and QuickSight can parse and visualize this data without additional processing. This makes QuickSight with S3 as a data source the correct choice for building the required geographic visualization.

Exam trap

The trap here is that candidates confuse data querying (Athena) with data visualization (QuickSight), or assume CloudWatch can handle geospatial log analysis, when in fact QuickSight is the only option that natively provides interactive geospatial dashboards from S3 data.

How to eliminate wrong answers

Option A is wrong because CloudWatch Dashboards with custom widgets are designed for real-time metrics and logs, not for ad-hoc geospatial analysis of historical ALB access logs stored in S3; they lack native geospatial visualization capabilities. Option B is wrong because Kinesis Data Analytics is a real-time stream processing service, not suited for batch visualization of historical log data, and adding a Lambda function introduces unnecessary complexity and cost for a simple query-and-visualize task. Option C is wrong because S3 Select is a server-side filtering tool that returns only a subset of data from an object, not a visualization service; Athena can query the logs but does not create visualizations—it would require an additional BI tool to render the geographic map.

129
MCQhard

A company is using Amazon EBS volumes for a high-performance database. The volumes are gp2 type. The database workload is write-intensive, and the company is experiencing high costs due to provisioned IOPS. The database team wants to maintain performance while reducing costs. Which EBS volume type should the company use?

A.sc1 (Cold HDD)
B.st1 (Throughput Optimized HDD)
C.io2 Block Express
D.gp3
AnswerD

Provides baseline IOPS and throughput; pay only for additional IOPS.

Why this answer

gp3 volumes provide baseline performance independent of volume size, and customers pay only for provisioned IOPS above baseline, offering cost savings for write-intensive workloads. Option A is wrong because io2 volumes are more expensive. Option B is wrong because st1 is not suitable for database workloads.

Option D is wrong because sc1 is lowest cost but poor performance.

130
Multi-Selectmedium

A SysOps administrator is designing a highly available architecture for a web application using an Application Load Balancer (ALB) with EC2 instances in an Auto Scaling group. Which TWO configurations are required to ensure high availability? (Choose TWO.)

Select 2 answers
A.Launch all EC2 instances in a single Availability Zone to reduce latency
B.Use t2.micro instances to reduce cost
C.Configure the ALB with health checks for the target group
D.Disable health checks to reduce load on the ALB
E.Configure the Auto Scaling group to launch instances in at least two Availability Zones
AnswersC, E

Health checks ensure traffic is only sent to healthy instances.

Why this answer

Correct answers are A and C. Spreading instances across multiple Availability Zones ensures zone failure doesn't take down the application. Using an ALB with health checks ensures that unhealthy instances are removed from rotation.

Option B is wrong because placing instances in the same AZ creates a single point of failure. Option D is wrong because disabling health checks prevents the ALB from detecting failures. Option E is wrong because using t2.micro instances is not a high availability consideration.

131
MCQmedium

A company's security policy requires that all Amazon EC2 instances must have a specific tag 'Environment' with a value of either 'Production' or 'Development'. The SysOps administrator needs to detect any instance that is missing this tag or has an invalid value, and automatically email the operations team. Which AWS service should be used to achieve this with the least operational overhead?

A.AWS Config with the 'required-tags' managed rule and Amazon SNS
B.Amazon CloudWatch Events with an EC2 instance state change rule and AWS Lambda
C.AWS Trusted Advisor with a custom check
D.Amazon Inspector with a network assessment
AnswerA

AWS Config evaluates EC2 instances for the required tag and sends compliance changes to SNS, which can email the team.

Why this answer

AWS Config's 'required-tags' managed rule continuously evaluates EC2 instances against the specified tag key and allowed values, triggering an SNS notification when non-compliant resources are detected. This provides automated detection and alerting with minimal operational overhead, as it requires no custom code or infrastructure management.

Exam trap

The trap here is that candidates may confuse AWS Config's continuous compliance evaluation with event-driven services like CloudWatch Events, assuming that a state change rule can also check tags, but Config is purpose-built for resource configuration auditing without custom code.

How to eliminate wrong answers

Option B is wrong because CloudWatch Events with an EC2 instance state change rule only triggers on state transitions (e.g., running, stopped), not on tag compliance; it would require a custom Lambda function to check tags, adding operational overhead. Option C is wrong because AWS Trusted Advisor does not support custom checks; it only provides predefined best-practice checks. Option D is wrong because Amazon Inspector performs network assessments for vulnerabilities and unintended network access, not tag compliance.

132
MCQhard

A SysOps administrator needs to deploy a new version of a web application using AWS Elastic Beanstalk. The deployment must achieve zero downtime and allow the administrator to validate the new version by running tests before routing production traffic to it. Which deployment policy should the administrator choose?

A.Rolling
B.Rolling with additional batch
C.Immutable
D.All at once
AnswerC

Immutable deployment creates a completely new Auto Scaling group, allowing validation before the CNAME swap, achieving zero downtime.

Why this answer

The Immutable deployment policy (Option C) is correct because it launches a completely new set of instances in a new Auto Scaling group, deploys the new application version to them, and then swaps the environment's CNAME record from the old instances to the new ones only after all health checks pass. This ensures zero downtime and allows the administrator to run validation tests against the new instances before any production traffic is routed to them, as the old environment remains fully operational during the process.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' with a zero-downtime solution, but it does not provide an isolated validation environment before traffic is routed, whereas Immutable deployment explicitly does.

How to eliminate wrong answers

Option A (Rolling) is wrong because it updates instances in batches by taking them out of service one batch at a time, which reduces capacity during the deployment and does not provide a separate environment for pre-production validation; traffic continues to be served from partially updated instances. Option B (Rolling with additional batch) is wrong because while it launches an extra batch of instances to maintain full capacity during the rolling update, it still does not create an isolated environment for testing the new version before any production traffic is routed to it; the new instances are immediately added to the load balancer. Option D (All at once) is wrong because it deploys the new version to all instances simultaneously, causing downtime as all instances are replaced at the same time, and there is no opportunity to validate the new version before traffic is routed to it.

133
MCQeasy

A SysOps administrator needs to ensure that an EC2 instance automatically recovers from an underlying hardware failure. Which action should be taken?

A.Launch a second instance in a different Availability Zone.
B.Assign an Elastic IP address to the instance.
C.Create a CloudWatch alarm on the StatusCheckFailed metric and configure the recovery action.
D.Place the instance in an Auto Scaling group with a min size of 1.
AnswerC

CloudWatch alarm can initiate instance recovery.

Why this answer

Option B is correct because configuring the EC2 instance with a CloudWatch alarm based on StatusCheckFailed will trigger a recovery action that stops and starts the instance on new hardware. Option A is wrong because Auto Scaling groups manage instance counts but do not recover a specific instance. Option C is wrong because Elastic IP reassignment does not recover the instance.

Option D is wrong because a second instance does not automatically recover the original.

134
MCQmedium

A company runs a web application on Amazon EC2 instances. The application logs are sent to Amazon CloudWatch Logs. The SysOps administrator needs to monitor the logs for an increasing number of HTTP 500 errors. The administrator wants to create a metric filter that will count the number of lines containing 'HTTP 500' in the log group. Which syntax should the administrator use for the metric filter pattern?

A.[error, HTTP, 500]
B."HTTP 500"
C."HTTP" && "500"
D.[HTTP, 500, ...]
AnswerB

This is the correct syntax for matching the exact string 'HTTP 500' anywhere in the log line.

Why this answer

Option B is correct because CloudWatch Logs metric filter patterns use literal string matching by enclosing the exact text in double quotes. The pattern "HTTP 500" will match any log line that contains the exact substring 'HTTP 500', which is the simplest and most reliable way to count occurrences of HTTP 500 errors.

Exam trap

The trap here is that candidates confuse the space-delimited token pattern syntax (square brackets) with literal string matching, leading them to choose options like A or D that only match specific token positions rather than any occurrence of 'HTTP 500' in the log line.

How to eliminate wrong answers

Option A is wrong because the syntax [error, HTTP, 500] is a space-delimited token pattern that would match a log line starting with three space-separated tokens like 'error HTTP 500', not a substring anywhere in the line. Option C is wrong because "HTTP" && "500" is not valid CloudWatch Logs metric filter syntax; the && operator is not supported in metric filter patterns. Option D is wrong because [HTTP, 500, ...] is a token-based pattern that expects 'HTTP' and '500' as the first two tokens in the log line, and it would not match lines where 'HTTP 500' appears later in the line or with additional text before it.

135
MCQmedium

A SysOps administrator is setting up monitoring for an application that runs on Amazon ECS with Fargate launch type. The application's performance degrades when memory utilization exceeds 80%. The administrator wants to receive a notification when memory usage approaches this threshold. What should the administrator do?

A.Install the CloudWatch agent on each Fargate task
B.Use Amazon CloudWatch Container Insights to view ReservedMemory metric
C.Enable Service Auto Scaling with a target tracking policy based on MemoryUtilization
D.Create a CloudWatch alarm on the ECS service's MemoryUtilization metric
AnswerD

ECS provides MemoryUtilization metric for services, and an alarm can trigger notifications.

Why this answer

Option D is correct because Amazon ECS services automatically publish a `MemoryUtilization` metric to CloudWatch for Fargate tasks. By creating a CloudWatch alarm on this metric with a threshold of 80%, the administrator can trigger an SNS notification when memory usage approaches the threshold, enabling proactive remediation before performance degrades.

Exam trap

The trap here is that candidates often assume they need to install an agent or use Container Insights to get memory metrics, but ECS Fargate automatically publishes `MemoryUtilization` and `CPUUtilization` metrics to CloudWatch without any extra setup.

How to eliminate wrong answers

Option A is wrong because the CloudWatch agent cannot be installed on Fargate tasks; Fargate is a serverless compute engine that does not allow direct access to the underlying host or installation of agents. Option B is wrong because Container Insights provides aggregated metrics and logs for cluster-level visibility, but it does not expose a `ReservedMemory` metric; the relevant metric for memory usage is `MemoryUtilization`, which is already available without Container Insights. Option C is wrong because Service Auto Scaling with a target tracking policy based on `MemoryUtilization` would automatically adjust the number of tasks to maintain a target utilization, but the question asks for a notification when memory approaches 80%, not for automatic scaling.

136
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The environment is running a single instance. The SysOps administrator needs to update the application to a new version with zero downtime. What should the administrator do?

A.Perform a rolling update with a batch size of 1.
B.Perform a Blue/Green deployment by swapping environment URLs.
C.Perform an immutable update in the Elastic Beanstalk environment.
D.Update the application version and swap the RDS database.
AnswerC

An immutable update replaces the instance with zero downtime.

Why this answer

Option A is correct because an immutable update launches a new instance with the new version and then swaps the old instance, ensuring zero downtime. Option B is wrong because rolling updates on a single instance still cause a brief downtime. Option C is wrong because Blue/Green deployment requires two environments.

Option D is wrong because the RDS instance is separate; swapping it does not update the application.

137
Multi-Selecthard

A SysOps administrator is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC Peering connection. An EC2 instance in VPC-A cannot ping an EC2 instance in VPC-B. The route tables and security groups are correctly configured. Which THREE steps should the administrator take to resolve the issue?

Select 3 answers
A.Add a route in VPC-A's subnet route table pointing to the VPC Peering connection for VPC-B's CIDR
B.Configure VPC Peering as a transit gateway
C.Verify that VPC-B does not have a VPN connection to an on-premises network
D.Ensure the VPC Peering connection is in the 'active' state
E.Check the Network ACLs in both VPCs to ensure inbound/outbound ICMP traffic is allowed
AnswersC, D, E

VPC Peering does not support transitive routing; if VPC-B uses a VPN, traffic from VPC-A cannot route to on-premises.

Why this answer

Option A, Option C, and Option E are correct. VPC Peering does not support transitive routing (Option A), so a VPN Gateway is needed for on-premises connectivity. Option C: Network ACLs are stateless and may block ICMP; allowing inbound/outbound ICMP is necessary.

Option E: Check that the VPC Peering connection is in the 'active' state; if not, accept the request. Option B is wrong because VPC Peering does not support transitive routing. Option D is wrong because VPC Peering does not support transitive routing.

138
Multi-Selectmedium

A company is deploying a microservices application on Amazon ECS with Fargate. The SysOps administrator needs to implement a deployment strategy that minimizes downtime and allows for automated rollbacks if the new version fails health checks. Which TWO options should the administrator choose? (Choose TWO.)

Select 2 answers
A.Use a rolling update with the ECS service scheduler.
B.Configure the ECS service to automatically roll back on deployment failure.
C.Use an immutable deployment by replacing the entire Auto Scaling group.
D.Use a blue/green deployment with AWS CodeDeploy.
E.Use a canary deployment with AWS CodeDeploy.
AnswersB, D

Why D is correct

Why this answer

Options B and D are correct. Blue/green deployments (B) reduce downtime by shifting traffic gradually. Automated rollbacks (D) are supported by CodeDeploy when health checks fail.

Option A is incorrect because canary deployments are a variation of blue/green but not a separate deployment type in ECS. Option C is incorrect because rolling updates can cause downtime and are not the best for minimizing downtime. Option E is incorrect because immutable deployments are not natively supported in ECS with Fargate.

139
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent 502 errors. The SysOps administrator checks the ALB access logs and sees that the error occurs when the target group has 'unhealthy' targets. What is the MOST likely cause of the 502 errors?

A.The SSL certificate on the ALB is expired.
B.The ALB does not have enough capacity to handle the traffic.
C.The client request exceeds the idle timeout.
D.The target instances are not passing health checks.
AnswerD

Unhealthy targets cause 502 errors when the ALB fails to connect.

Why this answer

Option B is correct because unhealthy targets cause the ALB to return 502 errors when it cannot establish a connection or receive a valid response. Option A is wrong because certificate issues cause 503 errors. Option C is wrong because client request timeout causes 408 errors.

Option D is wrong because insufficient capacity causes 503 errors.

140
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The database is an RDS MySQL instance with Multi-AZ enabled. The application experiences intermittent 5xx errors that correlate with database failover events. What is the MOST likely cause and solution?

A.Configure the application to use the RDS reader endpoint.
B.Use a read replica to offload read traffic and reduce failover impact.
C.Increase the database connection pool size to handle retries.
D.Enable DNS caching with a low TTL in the application and use the RDS instance endpoint with a retry mechanism.
AnswerD

Low TTL and retries ensure the application reconnects to the new primary quickly after failover.

Why this answer

Option D is correct because during a database failover, the DNS record for the RDS endpoint changes, and if the application caches the DNS resolution, it may try to connect to the old primary. Enabling TTL-aware caching forces the application to re-resolve DNS quickly. Option A is wrong because Multi-AZ already provides a standby; using a read replica does not address write failures.

Option B is wrong because the issue is DNS caching, not missing read replicas. Option C is wrong because increasing connection pool size does not handle DNS changes.

141
MCQmedium

A company's security policy requires that IAM users rotate their access keys every 90 days. The SysOps administrator must automatically identify users whose access keys are older than 90 days and notify the security team. Which combination of AWS services should be used to meet this requirement with the least operational overhead?

A.AWS Config with the 'access-keys-rotated' managed rule and Amazon SNS
B.AWS CloudTrail and Amazon CloudWatch Logs with metric filters and alarms
C.IAM Access Analyzer and AWS Lambda
D.Amazon GuardDuty and Amazon EventBridge
AnswerA

AWS Config evaluates IAM access keys against the rule and sends compliance notifications to SNS, which can email the security team.

Why this answer

AWS Config's 'access-keys-rotated' managed rule checks whether IAM user access keys have been rotated within the specified number of days (default 90). When a non-compliant resource is detected, AWS Config can trigger an Amazon SNS notification directly, without any custom code or additional infrastructure. This combination provides a fully managed, serverless solution with the least operational overhead.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing custom Lambda or CloudTrail-based approaches, missing that AWS Config provides a fully managed, built-in rule specifically designed for this exact compliance check with zero custom code.

How to eliminate wrong answers

Option B is wrong because CloudTrail logs API calls but does not evaluate the age of access keys; metric filters and alarms would require custom log parsing and lack the built-in compliance check. Option C is wrong because IAM Access Analyzer focuses on analyzing resource-based policies for external access, not on key rotation age; using Lambda would add custom code and maintenance overhead. Option D is wrong because GuardDuty is a threat detection service for malicious activity, not for tracking key rotation compliance; EventBridge alone cannot perform the age evaluation.

142
MCQmedium

A company has a requirement to store audit logs for a minimum of 7 years to comply with regulatory standards. The logs are currently stored in Amazon S3. The SysOps administrator needs to ensure that logs are not deleted before the retention period expires. Which solution should be implemented?

A.Enable MFA Delete on the bucket to require multi-factor authentication for deletions.
B.Enable versioning on the bucket and use lifecycle policies to transition objects to S3 Glacier.
C.Create an S3 bucket policy that denies s3:DeleteObject for all principals.
D.Enable S3 Object Lock with a retention mode of GOVERNANCE or COMPLIANCE and set a retention period of 7 years.
AnswerD

Object Lock prevents deletion during retention period.

Why this answer

Option A is correct because S3 Object Lock with a retention period prevents deletion or overwrite until the period expires. Option B is wrong because MFA delete prevents accidental deletion but can be bypassed with root credentials. Option C is wrong because versioning alone does not prevent deletion; versions can be deleted after enabling versioning.

Option D is wrong because lifecycle policies can delete objects, not protect them.

143
MCQmedium

An application running on EC2 instances sends large amounts of data to an S3 bucket. The SysOps administrator wants to reduce data transfer costs while ensuring the traffic stays within AWS. What is the most cost-effective solution?

A.Set up an AWS Direct Connect connection.
B.Use S3 Transfer Acceleration.
C.Create a VPC Endpoint for S3 (Gateway type) and use it from the EC2 instances.
D.Route traffic through a NAT Gateway in a public subnet.
AnswerC

VPC Endpoints allow private connectivity to S3 at no additional cost for data transfer.

Why this answer

Option B is correct because using a VPC Endpoint for S3 allows traffic to stay within the AWS network, avoiding internet data transfer costs. Option A is incorrect because NAT Gateways incur charges for data processing and transfer. Option C is incorrect because S3 Transfer Acceleration is for faster uploads, not cost savings.

Option D is incorrect because Direct Connect is a dedicated connection that incurs monthly fees and is overkill for this use case.

144
MCQmedium

A company has a VPC with multiple subnets. An EC2 instance in a public subnet needs to communicate with an RDS database in a private subnet. The RDS security group allows inbound traffic from the EC2 instance's security group. However, the EC2 instance cannot connect. What is the most likely cause?

A.The VPC does not have DNS resolution enabled, so the RDS endpoint cannot be resolved.
B.The network ACL for the private subnet blocks inbound traffic from the public subnet.
C.The security group of the RDS database does not allow outbound traffic.
D.The EC2 instance does not have a public IP address.
AnswerA

Correct because RDS endpoints are DNS names; without DNS resolution, the instance cannot connect.

Why this answer

Option C is correct because if the RDS is in a private subnet, it may not have a route to the internet or to the public subnet, but the issue is likely that the VPC does not have DNS resolution enabled, causing name resolution failure. Option A is wrong because the security group is already configured. Option B is wrong because the instance has a public IP.

Option D is wrong because NACLs are stateless but default allows all.

145
Multi-Selecteasy

Which TWO actions should a SysOps administrator take to ensure high availability of a web application running on EC2 instances? (Choose two.)

Select 2 answers
A.Enable termination protection on all EC2 instances.
B.Launch all EC2 instances in a single Availability Zone.
C.Use a larger instance type for all EC2 instances.
D.Configure an Auto Scaling group with a health check to replace unhealthy instances.
E.Deploy EC2 instances across multiple Availability Zones.
AnswersD, E

Auto Scaling automatically replaces unhealthy instances.

Why this answer

Options B and D are correct. Deploying across multiple Availability Zones ensures that an AZ failure does not take down the entire application. Using an Auto Scaling group with a health check automatically replaces unhealthy instances.

Option A is incorrect because a single AZ is a single point of failure. Option C is incorrect because a larger instance type does not provide high availability. Option E is incorrect because termination protection does not automatically replace instances; it only prevents accidental termination.

146
MCQeasy

A company wants to securely store secrets such as database credentials and API keys used by applications running on Amazon EC2. Which AWS service should be used to manage and rotate these secrets automatically?

A.AWS Identity and Access Management (IAM)
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.AWS Systems Manager Parameter Store
AnswerB

Secrets Manager is designed for secrets management with built-in rotation.

Why this answer

Option B is correct because AWS Secrets Manager is designed to manage secrets, including automatic rotation. Option A is wrong because AWS Systems Manager Parameter Store can store secrets but does not support automatic rotation natively (requires custom Lambda). Option C is wrong because AWS KMS is for encryption keys, not secrets management.

Option D is wrong because IAM stores credentials for AWS users, not application secrets.

147
MCQhard

A company stores sensitive data in an S3 bucket. The security team requires that any access to the bucket from outside the corporate network be logged and immediately alerted. Which solution meets these requirements?

A.Enable S3 server access logging and store logs in a separate bucket for later analysis.
B.Enable S3 server access logging, stream logs to CloudWatch Logs, create a metric filter for external IP addresses, and set a CloudWatch alarm.
C.Enable AWS CloudTrail and create a metric filter for 'GetObject' events, then set a CloudWatch alarm.
D.Use AWS Config rules to detect when the bucket policy is changed to allow public access.
AnswerB

This provides both logging and real-time alerting for external access.

Why this answer

Option B is correct because it combines S3 server access logging with CloudWatch Logs streaming, metric filtering for external IP addresses, and a CloudWatch alarm. This provides both logging and immediate alerting for any access from outside the corporate network, meeting the security team's requirements.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with S3 server access logs (which log object-level access), leading them to choose Option C without realizing CloudTrail requires explicit data event logging and does not provide the same granularity for immediate alerting on external IP access.

How to eliminate wrong answers

Option A is wrong because it only enables logging to a separate bucket for later analysis, but does not provide immediate alerting as required. Option C is wrong because AWS CloudTrail logs management events (like bucket configuration changes) by default, not data events like 'GetObject' for S3; enabling data events would incur additional costs and still requires a metric filter and alarm setup, but the core issue is that CloudTrail is not the primary service for logging object-level access in real-time. Option D is wrong because AWS Config rules detect configuration changes (like bucket policy modifications) but do not log or alert on actual access events from external IPs.

148
MCQeasy

Refer to the exhibit. An IAM policy allows a user to run instances only of type t2.micro. What happens when the user tries to run a t2.small instance?

A.The request is allowed because the policy allows ec2:RunInstances.
B.The request is denied because there is an explicit deny on ec2:RunInstances.
C.The request is allowed because the condition only applies to the resource ARN, not the instance type.
D.The request is denied because t2.small does not match the condition.
AnswerD

The condition requires t2.micro, so t2.small is not allowed.

Why this answer

Option B is correct because the policy only allows t2.micro; any other instance type is implicitly denied. Option A is wrong because the policy does not allow t2.small. Option C is wrong because there is no explicit deny.

Option D is wrong because the policy does not allow all actions.

149
Multi-Selecteasy

A company wants to use Amazon Route 53 to route traffic to multiple endpoints for high availability. Which THREE routing policies can be used for this purpose?

Select 3 answers
A.Geoproximity routing policy
B.Simple routing policy
C.Latency routing policy
D.Weighted routing policy
E.Failover routing policy
AnswersC, D, E

Routes to the endpoint with the lowest latency.

Why this answer

Options A, B, and D are correct. Weighted, Latency, and Failover routing policies distribute traffic across multiple endpoints. Option C (Simple) can only route to a single endpoint.

Option E (Geoproximity) can route to multiple endpoints but is more for location-based routing.

150
MCQhard

A company uses Amazon MQ (RabbitMQ) for messaging between microservices. The SysOps administrator needs to ensure the message broker is highly available with automatic failover and no data loss. Which deployment mode should be used?

A.Single-instance broker
B.Active/standby broker
C.Cluster deployment
D.Multi-AZ broker with read replicas
AnswerB

Active/standby provides automatic failover and synchronous replication, meeting the high availability and data loss prevention requirements.

Why this answer

Amazon MQ for RabbitMQ supports an active/standby deployment mode that provides automatic failover and no data loss. In this mode, one broker instance is active and a second is a synchronous standby; if the active fails, the standby takes over without losing messages because all data is replicated synchronously across both instances. This meets the high availability and data durability requirements specified in the question.

Exam trap

The trap here is that candidates confuse Amazon MQ's cluster deployment (which is for scaling) with active/standby (which is for high availability and data durability), or they incorrectly apply RDS Multi-AZ concepts to Amazon MQ.

How to eliminate wrong answers

Option A is wrong because a single-instance broker has no redundancy or automatic failover; if it fails, all messages are lost until manual recovery. Option C is wrong because RabbitMQ cluster deployment in Amazon MQ is designed for horizontal scaling and throughput, not for automatic failover with zero data loss; it uses asynchronous replication and can lose messages during a node failure. Option D is wrong because Amazon MQ does not support Multi-AZ brokers with read replicas; that concept applies to Amazon RDS, not to message brokers.

Page 1

Page 2 of 21

Page 3