AWS Certified SysOps Administrator Associate (SOA-C02) — Questions 1426–1500

1546 questions total · 21 pages · All types, answers revealed

Page 20 of 21

1426
MCQ · hard

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to restrict access to a specific AWS service (Amazon EC2) in all accounts except for the 'production' account. The SysOps administrator needs to implement this restriction centrally. Which approach should the administrator use?

A. Create an IAM policy that denies Amazon EC2 actions and attach it to all users and roles in non-production accounts.
B. Attach a service control policy (SCP) to the organization root or to the OUs of non-production accounts that denies access to Amazon EC2.
C. Use AWS Config to create a rule that detects EC2 usage in non-production accounts and automatically terminates instances.
D. Create a resource-based policy on each EC2 instance that denies access from non-production accounts.
Answer: B

SCPs are a centralized way to set permission boundaries for all accounts in the organization. By denying EC2 actions via SCP on non-production OUs, the restriction is enforced even for the root user of those accounts, and it applies to all IAM principals.

Why this answer

Service control policies (SCPs) are the correct mechanism for centrally restricting permissions across accounts in AWS Organizations. By attaching an SCP that denies EC2 actions to the organization root or to the OUs containing non-production accounts, the security team can enforce this restriction at the account level, overriding any IAM policies within those accounts. This approach ensures that even if a user or role in a non-production account has an IAM policy granting EC2 access, the SCP will block it.

Exam trap

The trap here is that candidates often confuse IAM policies (which are identity-based and account-specific) with SCPs (which are account-wide and centrally managed). That confusion leads them to choose Option A, thinking that attaching a deny policy to users is sufficient, while overlooking that SCPs provide the only centralized, preventive control across multiple accounts in AWS Organizations.

How to eliminate wrong answers

Option A is wrong because IAM policies attached to users and roles are not centrally managed across multiple accounts; they must be applied individually in each account, which is not a centralized solution and can be bypassed by local administrators. Option C is wrong because AWS Config is a detective service that can detect and react to EC2 usage (e.g., via auto-remediation), but it does not prevent the initial creation or use of EC2 resources; it only responds after the fact, which is not a preventive restriction. Option D is wrong because resource-based policies on EC2 instances control access to the instance itself (e.g., who can start/stop it), not the ability to launch or manage EC2 services in an account; they are also not centrally managed across accounts.

1427
Multi-Select · easy

A company uses Amazon S3 to store backup data. The SysOps administrator needs to ensure that the data is encrypted at rest and that access is limited to only authorized users. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A. Enable default encryption on the S3 bucket using SSE-S3 or AWS KMS.
B. Block all public access to the S3 bucket.
C. Create a bucket policy that allows only specific IAM roles or users.
D. Enable S3 Versioning on the bucket.
E. Enable S3 Transfer Acceleration.
Answers: A, C

Default encryption ensures all objects are encrypted.

Why this answer

Options A and C are correct. Option A: Enabling S3 default encryption ensures all objects are encrypted at rest. Option C: Using bucket policies with conditions like aws:SourceIp or aws:PrincipalArn restricts access to the intended principals.

Option B is wrong because blocking public access is a security best practice but does not by itself limit access to the authorized users. Option D is wrong because versioning is for data protection, not encryption or access control. Option E is wrong because S3 Transfer Acceleration is for faster uploads, not encryption.

1428
MCQ · hard

A CloudFormation stack manages an RDS database, an S3 bucket, and several Lambda functions. During a recent stack update, a property change caused CloudFormation to replace the RDS instance, deleting the database and re-creating it — resulting in data loss. The team wants to prevent any future stack update from replacing or deleting the RDS instance without an explicit override. What CloudFormation feature accomplishes this?

A. Set a stack policy that denies Replace and Delete actions on the RDS resource; require an override policy to be explicitly provided when a replacement is intentional
B. Enable deletion protection on the RDS instance to prevent CloudFormation from deleting it
C. Use CloudFormation change sets to preview the update and manually reject any change set that includes a replacement
D. Add a DeletionPolicy: Retain attribute to the RDS resource in the template
Answer: A

The stack policy evaluates each update action per resource. A Deny on Replace for the RDS logical resource ID prevents CloudFormation from completing any update that would recreate the database — the update fails with a clear policy error. A temporary override policy passed via --stack-policy-during-update can explicitly allow the replacement for a deliberate migration.

Why this answer

Option A is correct because a CloudFormation stack policy can explicitly deny Update (which includes replacement) and Delete actions on specific resources, such as the RDS instance. To intentionally perform a replacement, the user must provide an override stack policy during the update that allows the action, ensuring that no accidental replacement occurs without explicit consent.

Exam trap

The trap here is that candidates confuse RDS deletion protection or DeletionPolicy: Retain with stack policies, mistakenly believing those features can block CloudFormation from replacing a resource during an update, when in fact they only protect against deletion in specific scenarios (e.g., stack deletion or direct API calls).

How to eliminate wrong answers

Option B is wrong because RDS deletion protection prevents the database from being deleted via the RDS API or console, but CloudFormation can still replace the instance (which involves creating a new one and deleting the old one) if the template triggers a replacement; deletion protection does not block CloudFormation from performing a replacement. Option C is wrong because change sets only provide a preview of changes and require manual approval, but they do not prevent a user from accidentally executing a change set that includes a replacement; the team wants a guardrail that blocks replacement without an explicit override, not just a manual review step. Option D is wrong because DeletionPolicy: Retain only preserves the resource when the stack is deleted, but it does not prevent CloudFormation from replacing the resource during a stack update; a replacement still deletes the original resource and creates a new one, and the Retain policy does not block that deletion.
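To make the stack-policy mechanism concrete, here is an added worked example in Python (it is not from the question bank and not CloudFormation's own code). It models how a stack policy with an explicit Deny on Update:Replace and Update:Delete for the database's logical ID blocks a change set that would replace it, while an override policy supplied for one update lets a deliberate migration through. The logical IDs ProdDatabase and WebFunction and the planned change list are constructed for the example.

```python
"""Toy evaluator for a CloudFormation stack policy (added illustration; not
CloudFormation's own code).  It models the behaviour the explanation relies on:
  * an explicit Deny on a resource/action wins over any Allow;
  * once a stack policy is attached, an update action that no statement allows
    is blocked;
  * an override policy supplied for one update is evaluated instead of the
    stored policy, for that update only.
Logical IDs (ProdDatabase, WebFunction) are constructed for the example."""
import fnmatch
import json

# Stored stack policy: permit every update except Replace/Delete of the database.
STACK_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
         "Principal": "*", "Resource": "LogicalResourceId/ProdDatabase"},
    ]
}

# Override used only for a deliberate migration; on the CLI it is passed with
# --stack-policy-during-update-body and applies to that single update.
OVERRIDE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}
    ]
}


def _matches(pattern, value):
    """Stack-policy wildcard matching ('*' in Action and Resource)."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def action_allowed(policy, logical_id, action):
    """True if `action` (e.g. 'Update:Replace') on `logical_id` passes `policy`."""
    resource = f"LogicalResourceId/{logical_id}"
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s["Action"], action) and _matches(s["Resource"], resource)}
    if "Deny" in effects:
        return False           # explicit deny always wins
    return "Allow" in effects  # no matching Allow: blocked by default


def evaluate_update(planned_changes, stored_policy, override_policy=None):
    """Return the (logical_id, action) pairs the policy would block.
    An empty list means the stack update proceeds."""
    policy = override_policy if override_policy is not None else stored_policy
    return [(lid, act) for lid, act in planned_changes
            if not action_allowed(policy, lid, act)]


# Constructed change set: a property change forcing replacement of the DB,
# plus an in-place modification of a Lambda function.
PLANNED = [("ProdDatabase", "Update:Replace"), ("WebFunction", "Update:Modify")]

if __name__ == "__main__":
    print(json.dumps(STACK_POLICY, indent=2))
    print("blocked without override:", evaluate_update(PLANNED, STACK_POLICY))
    print("blocked with override:", evaluate_update(PLANNED, STACK_POLICY, OVERRIDE_POLICY))
```

Note that the Deny statement matches only the database's logical ID, so the Lambda modification is still allowed; the override policy is what the team must consciously supply, which is the "explicit override" the question asks for.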

1429
MCQ · easy

A company has multiple VPCs in the same AWS Region that need to communicate with each other. The SysOps administrator wants to avoid the complexity of a full mesh of VPC peering connections. Which AWS service should the administrator use to connect all VPCs with a central hub?

A. AWS Direct Connect
B. AWS Transit Gateway
C. VPC peering
D. AWS PrivateLink
Answer: B

Correct. Transit Gateway provides a scalable hub-and-spoke model, allowing you to attach many VPCs and manage routing centrally.

Why this answer

AWS Transit Gateway acts as a central hub that allows you to connect multiple VPCs and on-premises networks through a single gateway, eliminating the need for a full mesh of VPC peering connections. It uses a star topology where each VPC attaches to the Transit Gateway, and routing is managed via route tables, simplifying network management and scaling.

Exam trap

The trap here is that candidates often confuse VPC peering (which is point-to-point) with a hub-and-spoke solution, or mistakenly think AWS PrivateLink can route general traffic between VPCs, when it is actually designed for service-specific endpoints.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a service for interconnecting multiple VPCs within the same Region. Option C is wrong because VPC peering creates a one-to-one connection between two VPCs, requiring a full mesh of N*(N-1)/2 connections for multiple VPCs, which adds complexity and does not provide a central hub. Option D is wrong because AWS PrivateLink enables private connectivity between VPCs and services (like endpoints), but it is designed for accessing specific services rather than routing traffic between multiple VPCs as a hub-and-spoke model.

1430
MCQ · easy

A company's security policy requires that only traffic from the corporate office IP range (203.0.113.0/24) can access an Amazon S3 bucket that stores internal reports. The SysOps administrator must enforce this restriction. Which policy type should be modified to implement this requirement?

A. IAM identity-based policy
B. VPC endpoint policy
C. S3 bucket policy
D. AWS Organizations SCP
Answer: C

S3 bucket policies can use a condition with aws:SourceIp to allow access only from specified IP ranges.

Why this answer

An S3 bucket policy is the correct choice because it allows you to explicitly deny or allow access to the S3 bucket based on the source IP address using the `aws:SourceIp` condition key. This policy is attached directly to the bucket and can restrict access to only the corporate office IP range (203.0.113.0/24), regardless of the IAM user or role making the request. It enforces the security requirement at the resource level, which is the most direct and effective method for controlling network-based access to an S3 bucket.

Exam trap

The trap here is that candidates often confuse IAM identity-based policies with resource-based policies, mistakenly thinking they can use IAM policies to restrict by source IP, when in fact only S3 bucket policies (or similar resource-based policies) support the `aws:SourceIp` condition for network-level access control.

How to eliminate wrong answers

Option A is wrong because IAM identity-based policies are attached to users, groups, or roles and control what actions those identities can perform, but they cannot restrict access based on the source IP address of the requestor; they lack the `aws:SourceIp` condition key for network-level control. Option B is wrong because a VPC endpoint policy controls access to S3 from a specific VPC endpoint, but it does not allow you to specify a source IP range like 203.0.113.0/24; it only restricts access based on the VPC or endpoint ID, not the client's IP address. Option D is wrong because AWS Organizations SCPs are used to set permission boundaries across accounts in an organization, but they cannot enforce IP-based restrictions on a specific S3 bucket; they operate at the account or organizational unit level, not at the resource level.
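The SCP question (1426) and this bucket-policy question both come down to the order in which AWS evaluates policies. The following added Python example (not from the question bank and not the AWS policy evaluator) is a deliberately simplified model of that order: an explicit Deny anywhere wins, the account's SCPs must allow the action, and then an identity-based or resource-based policy must allow it. It runs the non-production SCP scenario and the office-IP bucket policy with the 203.0.113.0/24 range from the question. The bucket name internal-reports, the policies, and the client IP addresses are constructed; principal matching and the per-OU-level SCP check are left out.

```python
"""Simplified IAM-style authorization check (added illustration; not the AWS
policy evaluator).  It encodes the ordering the SCP and bucket-policy
questions depend on:
  1. an explicit Deny in any applicable policy (SCP, identity, resource) wins;
  2. the SCPs in effect for the account must contain an Allow;
  3. an Allow must then come from an identity-based or resource-based policy.
Only the condition operators the page uses are implemented (IpAddress and
NotIpAddress on aws:SourceIp).  Principal matching and the per-OU-level SCP
check are left out; bucket name and policies are constructed."""
import fnmatch
import ipaddress

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# SCP attached to the non-production OUs: blocks EC2 for every principal,
# including the account root user, regardless of IAM policies.
DENY_EC2_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}

# Identity-based policy of a local administrator (it still cannot beat the SCP).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

# Bucket policy for the reports bucket: deny everything not from the office range.
REPORTS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::internal-reports", "arn:aws:s3:::internal-reports/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}


def _matches(pattern, value):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _ip_in(value, cidrs):
    cidrs = cidrs if isinstance(cidrs, list) else [cidrs]
    return any(ipaddress.ip_address(value) in ipaddress.ip_network(c) for c in cidrs)


def _conditions_hold(condition, ctx):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "IpAddress":
                if actual is None or not _ip_in(actual, expected):
                    return False
            elif operator == "NotIpAddress":
                # negated operators evaluate to true when the key is absent
                if actual is not None and _ip_in(actual, expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _effects(policy, action, resource, ctx):
    """Set of effects ('Allow'/'Deny') from statements matching the request."""
    return {s["Effect"] for s in policy["Statement"]
            if _matches(s["Action"], action)
            and _matches(s.get("Resource", "*"), resource)
            and _conditions_hold(s.get("Condition"), ctx)}


def is_allowed(action, resource, ctx, scps, identity_policies, resource_policies=()):
    scp_effects = [_effects(p, action, resource, ctx) for p in scps]
    other_effects = [_effects(p, action, resource, ctx)
                     for p in (*identity_policies, *resource_policies)]
    if any("Deny" in e for e in scp_effects + other_effects):
        return False                                    # rule 1
    if not any("Allow" in e for e in scp_effects):
        return False                                    # rule 2
    return any("Allow" in e for e in other_effects)     # rule 3


def nonprod_can_launch():
    """Question 1426: non-production account with the EC2 deny SCP in its path."""
    return is_allowed("ec2:RunInstances", "*", {}, scps=[FULL_AWS_ACCESS, DENY_EC2_SCP],
                      identity_policies=[ADMIN_POLICY])


def prod_can_launch():
    """Question 1426: production account, only FullAWSAccess attached."""
    return is_allowed("ec2:RunInstances", "*", {}, scps=[FULL_AWS_ACCESS],
                      identity_policies=[ADMIN_POLICY])


def can_read_report(source_ip):
    """Question 1430: the bucket policy's aws:SourceIp condition decides."""
    return is_allowed("s3:GetObject", "arn:aws:s3:::internal-reports/q1.pdf",
                      {"aws:SourceIp": source_ip}, scps=[FULL_AWS_ACCESS],
                      identity_policies=[ADMIN_POLICY],
                      resource_policies=[REPORTS_BUCKET_POLICY])
```

The administrator in the non-production account holds an identity policy that allows ec2:*, yet the request is denied, because the SCP Deny is checked first. For the bucket, the same administrator succeeds from 203.0.113.25 and fails from any other address, without any change to the IAM policy.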

1431
MCQ · easy

Refer to the exhibit. A SysOps administrator runs the command shown to investigate a CloudWatch alarm named 'HighCPU'. What does the output indicate?

A. The alarm entered the ALARM state and then returned to OK.
B. The alarm was deleted and recreated.
C. The alarm is currently in INSUFFICIENT_DATA state.
D. The alarm never entered the ALARM state.
Answer: A

The history shows transition to ALARM then to OK.

Why this answer

The output shows two state transition datapoints: one at timestamp 2021-03-15T10:30:00Z with 'oldState' OK and 'newState' ALARM, and another at 2021-03-15T10:35:00Z with 'oldState' ALARM and 'newState' OK. This sequence confirms the alarm entered the ALARM state and then returned to OK, which is exactly what the describe-alarm-history command reveals when an alarm has experienced a full ALARM-to-OK cycle.

Exam trap

The trap here is that candidates may misinterpret the two datapoints as separate unrelated events rather than recognizing them as a complete ALARM-to-OK cycle, leading them to incorrectly choose that the alarm never entered ALARM state or that it was recreated.

How to eliminate wrong answers

Option B is wrong because deleting and recreating an alarm would produce a new alarm name or ARN, and the history would show a creation event, not a transition from OK to ALARM and back to OK. Option C is wrong because INSUFFICIENT_DATA state would appear as a transition from OK to INSUFFICIENT_DATA or ALARM to INSUFFICIENT_DATA, but the output only shows transitions between OK and ALARM. Option D is wrong because the first datapoint explicitly shows a transition from OK to ALARM, proving the alarm did enter the ALARM state.

1432
MCQ · medium

A company runs a multi-tier web application in a VPC with public and private subnets. The web servers (EC2 instances) are in public subnets, and the database servers (RDS MySQL) are in private subnets. The web servers need to connect to the database servers on port 3306. The security group for the RDS instances (sg-db) has an inbound rule allowing TCP port 3306 from the security group of the web servers (sg-web). The web servers can connect to the database, but the connection is intermittent and slow. The SysOps administrator checks the network ACLs and finds that both the public and private subnet network ACLs have default allow all entries. What is the most likely cause of the issue?

A. The RDS instances are in a private subnet and cannot receive traffic from public subnets
B. The security group for the RDS instances is missing an inbound rule for port 3306 from the web servers' IP range
C. The network ACL for the private subnet does not have an outbound rule to allow return traffic on ephemeral ports
D. The network ACLs are stateful and require an outbound rule for ephemeral ports
Answer: C

Without an outbound rule for ephemeral ports (1024-65535), the DB cannot send response packets back to the web servers.

Why this answer

Option C is correct because the network ACL for the private subnet has no outbound rule to allow return traffic (ephemeral ports) from the database back to the web servers. Network ACLs are stateless, so even though the inbound rule allows traffic from the web servers, a separate outbound rule must allow the return traffic. Option B is wrong because the security group rule is already correct.

Option A is wrong because RDS is not a web server; it does not need a public subnet. Option D is wrong because NACLs are stateless, not stateful.
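The stateless behaviour is easiest to see by evaluating one TCP exchange against both directions of the ACL. The following added Python example (not from the question bank, not AWS code) does that: the web server's request is checked against the inbound rules, and the database's reply, addressed to the web server's ephemeral source port, is checked separately against the outbound rules. It goes one step beyond the explanation by showing why an outbound rule that covers only part of the ephemeral range produces exactly the intermittent failures the question describes. Addresses, ports and rule numbers are constructed.

```python
"""Stateless network ACL evaluation (added illustration; not AWS code).  Rules
are checked in ascending rule-number order, the first match decides, and the
implicit '*' rule denies.  Because ACLs are stateless, the reply packets of a
connection are evaluated on their own, against the opposite direction's rules.
Addresses, ports and rule numbers are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR (inbound rules) / destination CIDR (outbound rules)


def nacl_decision(rules, proto, port, peer_ip):
    """True if the first matching rule allows the packet, False otherwise."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("all", proto):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False  # implicit deny


def db_exchange_ok(inbound, outbound, web_ip="10.0.1.10", web_port=51515, db_port=3306):
    """One TCP exchange as seen by the private subnet's ACL: the request from the
    web tier must pass the inbound rules, and the database's reply (sent to the
    web server's ephemeral port) must separately pass the outbound rules."""
    request_ok = nacl_decision(inbound, "tcp", db_port, web_ip)
    reply_ok = nacl_decision(outbound, "tcp", web_port, web_ip)
    return request_ok and reply_ok


INBOUND = [Rule(100, "allow", "tcp", 3306, 3306, "10.0.1.0/24")]

# Broken: outbound permits only new HTTPS connections, so no reply can leave.
OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]

# Partial: covers only part of the ephemeral range.  Clients pick their source
# port at random within the OS range, so some connections work and others hang,
# which is what "intermittent and slow" looks like from the web tier.
OUTBOUND_PARTIAL = OUTBOUND_BROKEN + [Rule(110, "allow", "tcp", 1024, 49151, "10.0.1.0/24")]

# Fixed: the whole ephemeral range back to the web subnet.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "allow", "tcp", 1024, 65535, "10.0.1.0/24")]
```

Security groups would not need the second check, because they are stateful and automatically admit the reply to a connection they allowed; the NACL needs both rules because it looks at every packet in isolation.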

1433
MCQ · medium

A company has a VPC with an Internet Gateway and a NAT Gateway. They launch an EC2 instance in a private subnet. The instance needs to download updates from the internet, but the security team wants to prevent any inbound traffic from the internet. Which route table configuration is correct for the private subnet?

A. 10.0.0.0/16 -> local; 0.0.0.0/0 -> VPC Peering
B. 0.0.0.0/0 -> Internet Gateway
C. 0.0.0.0/0 -> NAT Gateway
D. No default route; only local routes.
Answer: C

NAT Gateway enables outbound traffic only, preventing inbound.

Why this answer

Option C is correct because the private subnet route table should have a default route (0.0.0.0/0) pointing to the NAT Gateway for outbound traffic, and no route to the Internet Gateway. Option B is wrong because pointing the default route to the Internet Gateway would allow inbound traffic. Option D is wrong because having no default route would block all internet-bound traffic, including the updates.

Option A is wrong because a route to a VPC peering connection carries internal traffic to the peered VPC, not traffic to the internet.

1434
MCQ · hard

A company's S3 bucket contains critical data. The bucket policy allows s3:PutObject and s3:GetObject for all authenticated users in the account. A SysOps administrator needs to ensure that if the bucket is accidentally deleted, the objects can be recovered. Which solution meets this requirement?

A. Set a bucket policy that requires MFA for any s3:DeleteObject action.
B. Add a bucket policy that denies s3:DeleteBucket for all principals.
C. Enable versioning on the bucket and enable MFA delete.
D. Enable cross-region replication on the bucket.
Answer: C

Versioning preserves all object versions, and MFA delete adds an extra layer of protection, requiring a second factor to permanently delete versions.

Why this answer

Option C is correct because S3 versioning combined with MFA delete protection prevents accidental deletion of object versions. Option D is wrong because cross-region replication replicates objects but does not protect against bucket deletion; the replicated bucket could also be deleted. Option B is wrong because a bucket policy cannot prevent deletion of the bucket itself; deletion is controlled by IAM.

Option A is wrong because bucket policies do not prevent deletion of the bucket; they only control access to objects.

1435
Multi-Select · medium

A company is using AWS KMS to encrypt data at rest. Which TWO actions can be taken to audit the usage of a customer managed key?

Select 2 answers
A. Enable AWS CloudTrail to log KMS API calls.
B. Enable Amazon S3 server access logs to track KMS operations.
C. Use IAM Access Analyzer to review KMS key policies.
D. Stream CloudTrail logs to Amazon CloudWatch Logs and create metric filters for KMS events.
E. Use AWS Config rules to monitor KMS key usage.
Answers: A, D

CloudTrail records all KMS API operations for auditing.

Why this answer

Correct options: A and D. Option A is correct because CloudTrail logs KMS API calls such as Encrypt and Decrypt. Option D is correct because streaming CloudTrail logs to CloudWatch Logs lets you store and monitor the KMS API activity with metric filters.

Option E is wrong because AWS Config does not track KMS key usage; it tracks configuration changes. Option C is wrong because IAM Access Analyzer identifies resources shared with external entities, not key usage. Option B is wrong because S3 server access logs record S3 access, not KMS operations.

1436
MCQ · easy

A SysOps administrator wants to receive a notification when an EC2 instance's status check fails. Which AWS service should be used to achieve this?

A. Amazon CloudWatch Alarms
B. AWS Config
C. AWS CloudTrail
D. AWS Trusted Advisor
Answer: A

CloudWatch can monitor StatusCheckFailed metric and trigger an alarm.

Why this answer

Amazon CloudWatch Alarms can monitor EC2 instance status checks (both system and instance checks) and trigger an action, such as sending a notification via Amazon SNS, when a status check fails. This is the native AWS service designed for real-time monitoring and alerting on metric thresholds, making it the correct choice for this use case.

Exam trap

The trap here is that candidates often confuse AWS Config (which evaluates configuration compliance) with CloudWatch Alarms (which monitor metric thresholds), leading them to select AWS Config for real-time health alerts instead of the correct monitoring service.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it is used for evaluating and recording resource configurations against desired policies, not for monitoring real-time status check failures. Option C (AWS CloudTrail) is wrong because it captures API activity and management events, not instance-level health metrics like status checks. Option D (AWS Trusted Advisor) is wrong because it provides best-practice recommendations and cost optimization checks, not real-time monitoring or alerting on EC2 status checks.

1437
Multi-Select · hard

A SysOps administrator is troubleshooting a high error rate on an Application Load Balancer (ALB). The ALB is configured with two target groups: one for EC2 instances and one for Lambda functions. The administrator notices that the EC2 target group is unhealthy. Which THREE steps should the administrator take to resolve the issue?

Select 3 answers
A. Review the ALB's DNS resolution for the target instances.
B. Verify that the EC2 instances' security groups allow traffic from the ALB.
C. Increase the size of the Auto Scaling group to distribute load.
D. Check the health check settings on the target group for correct path and interval.
E. Inspect the application logs on the EC2 instances for errors.
Answers: B, D, E

Security group misconfiguration can block health checks.

Why this answer

Options B, D, and E are correct. Checking security groups ensures traffic from the ALB is allowed, the health check configuration ensures the correct path and interval, and instance logs help identify application errors. Option A is wrong because DNS issues are not related to target health checks.

Option C is wrong because scaling does not fix health check failures.

1438
Multi-Select · medium

A SysOps administrator needs to monitor the disk space utilization on a fleet of EC2 instances running Windows Server. Which TWO steps should the administrator take to collect and visualize this data? (Choose TWO.)

Select 2 answers
A. Enable detailed monitoring on the EC2 instances.
B. Install the CloudWatch agent on each EC2 instance to collect disk space metrics.
C. Use AWS CloudTrail to log disk space changes.
D. Enable default EC2 monitoring to collect disk space metrics automatically.
E. Create a CloudWatch dashboard to visualize the disk space metrics.
Answers: B, E

The CloudWatch agent can collect custom metrics like disk space.

Why this answer

The CloudWatch agent is required to collect custom metrics like disk space utilization from EC2 instances running Windows Server. Default EC2 monitoring only collects hypervisor-level metrics (CPU, network, disk I/O), not guest OS metrics such as disk space. Installing the CloudWatch agent and configuring it to collect disk space metrics is the correct step.

Creating a CloudWatch dashboard then allows visualization of those collected metrics.

Exam trap

The trap here is that candidates assume default or detailed EC2 monitoring includes guest OS metrics like disk space, when in fact those metrics require the CloudWatch agent to be installed and configured on the instance.

1439
MCQ · medium

A SysOps administrator applies the IAM policy shown in the exhibit to an IAM user. The user tries to upload an object to the S3 bucket without specifying encryption. What will happen?

A. The upload succeeds without encryption.
B. The upload succeeds with SSE-KMS encryption.
C. The upload fails with an Access Denied error.
D. The upload succeeds with default encryption.
Answer: C

Condition not met.

Why this answer

Option C is correct because the policy requires SSE-S3 (AES256); if the user does not specify encryption, the request does not satisfy the condition, so the action is denied. Option A is wrong because the condition is not met. Option B is wrong because the policy does not allow uploads that omit the required encryption setting.

Option D is wrong because the condition is not met.

1440
MCQ · hard

An application writes logs to a file on an EC2 instance. The SysOps team needs to send these logs to Amazon CloudWatch Logs in real time. The logs must be encrypted at rest in CloudWatch Logs using a customer-managed KMS key. Which steps are required?

A. Use AWS CloudTrail to deliver logs to CloudWatch Logs with KMS encryption.
B. Store logs in S3 with KMS encryption and use S3 event notifications to trigger Lambda to put logs in CloudWatch Logs.
C. Install the CloudWatch Logs agent and enable encryption on the EC2 instance volume using KMS.
D. Install the CloudWatch Logs agent and associate a KMS key with the log group using the 'associate-kms-key' API.
Answer: D

This enables encryption at rest with a customer-managed key.

Why this answer

Option D is correct because the CloudWatch Logs agent can send log data from an EC2 instance to CloudWatch Logs in real time, and the 'associate-kms-key' API (or the equivalent AWS CLI command 'put-log-group-encryption') allows you to associate a customer-managed KMS key with a log group, encrypting the logs at rest. This meets both the real-time delivery and customer-managed KMS encryption requirements without additional services or workarounds.

Exam trap

The trap here is that candidates often confuse encrypting the log file on the EC2 instance volume (Option C) with encrypting the logs at rest in CloudWatch Logs, or they overcomplicate the solution by introducing unnecessary services like S3 and Lambda (Option B) instead of using the native KMS integration with CloudWatch Logs.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail delivers API activity logs, not application log files from an EC2 instance, and it cannot be used to send arbitrary application logs to CloudWatch Logs in real time. Option B is wrong because storing logs in S3 and using S3 event notifications to trigger a Lambda function introduces latency and complexity, and does not provide real-time streaming to CloudWatch Logs; it also requires additional services and is not the standard method for real-time log ingestion. Option C is wrong because enabling encryption on the EC2 instance volume using KMS encrypts the log file at rest on the instance, but does not encrypt the logs at rest in CloudWatch Logs; the CloudWatch Logs agent sends data over the network, and the log group itself must be encrypted with a KMS key to meet the requirement.

1441
MCQ · medium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The SysOps administrator notices that the DB instance's CPU utilization spikes to 100% every few minutes. CloudWatch alarms have been set to trigger when CPU exceeds 90% for 5 minutes, but no alarm state changes are observed. The administrator checks the CloudWatch metrics and sees that the CPU utilization metric shows periodic spikes but they last only 2-3 minutes each. What is the most likely cause and what should the administrator do to receive notifications?

A. Set the alarm to evaluate over 1 minute instead of 5 minutes.
B. The Multi-AZ failover is causing the spikes; disable Multi-AZ.
C. The DB instance is not publishing CPU metrics at a high enough resolution.
D. The CPU metric is not accurate; use the CPU credit metric instead.
Answer: A

Shorter evaluation period will detect the short-duration spikes.

Why this answer

The CPU utilization spikes last only 2-3 minutes, which is shorter than the alarm's evaluation period of 5 consecutive minutes. Since the alarm requires the metric to exceed the 90% threshold for 5 minutes before triggering, these brief spikes never satisfy the alarm's duration condition. Setting the alarm to evaluate over 1 minute will match the spike duration and allow the alarm to trigger on these short-lived bursts.

Exam trap

The trap here is that candidates assume the alarm should trigger because the metric exceeds the threshold, but they overlook the requirement that the breach must persist for the entire evaluation period, not just momentarily.

How to eliminate wrong answers

Option B is wrong because Multi-AZ failover does not cause periodic CPU spikes; failover is a rare event triggered by planned maintenance or failure, not a recurring every-few-minutes pattern, and disabling Multi-AZ would reduce availability without addressing the underlying CPU issue. Option C is wrong because Amazon RDS for MySQL publishes CPU utilization metrics at 1-minute resolution by default (with detailed monitoring enabled), and the administrator can already see the spikes in CloudWatch, so resolution is not the problem. Option D is wrong because CPU credit metrics apply only to burstable performance instances (e.g., T2/T3), not to standard RDS instances, and the CPU metric is accurate; the issue is the alarm evaluation period, not the metric's validity.
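The evaluation-period behaviour in this question, and the OK/ALARM/OK transition history in question 1431, can both be reproduced with a small model of how an alarm walks over its datapoints. The following Python is an added illustration (not from the question bank, and not the CloudWatch service's algorithm): one datapoint per minute, ALARM when enough of the most recent `evaluation_periods` datapoints breach the threshold, and a transition list with the same oldState/newState fields that describe-alarm-history reports. It goes slightly beyond the explanation by also showing the "M out of N" setting (`datapoints_to_alarm`), which catches the 3-minute spike but still misses the 2-minute one. The CPU samples are constructed: a 30% baseline with 100% bursts lasting 3 and 2 minutes.

```python
"""Toy model of CloudWatch alarm evaluation (added illustration; not the
CloudWatch service's algorithm).  One datapoint per 1-minute period.  The alarm
goes to ALARM when at least `datapoints_to_alarm` of the most recent
`evaluation_periods` datapoints breach the threshold, returns to OK when fewer
do, and stays INSUFFICIENT_DATA until a full window of datapoints exists.
The CPU samples are constructed: 30% baseline with 100% spikes lasting 3 and
2 minutes, like the RDS instance in the question."""

CPU_PERCENT = [30, 32, 31, 30, 29, 100, 100, 100, 35, 30,
               31, 30, 29, 30, 100, 100, 33, 30, 31, 30]


def alarm_history(samples, threshold=90.0, evaluation_periods=5, datapoints_to_alarm=None):
    """Return state transitions as (minute, oldState, newState) tuples, the
    fields describe-alarm-history shows for a state update."""
    needed = evaluation_periods if datapoints_to_alarm is None else datapoints_to_alarm
    state = "INSUFFICIENT_DATA"
    history = []
    for minute in range(len(samples)):
        if minute + 1 < evaluation_periods:
            continue  # not enough datapoints for a full window yet
        window = samples[minute + 1 - evaluation_periods: minute + 1]
        breaching = sum(1 for value in window if value > threshold)
        new_state = "ALARM" if breaching >= needed else "OK"
        if new_state != state:
            history.append((minute, state, new_state))
            state = new_state
    return history


def ever_alarmed(history):
    """True if the alarm entered ALARM at any point (what the SysOps team is missing)."""
    return any(new_state == "ALARM" for _, _, new_state in history)


if __name__ == "__main__":
    for periods, needed in ((5, None), (1, None), (5, 3)):
        transitions = alarm_history(CPU_PERCENT, evaluation_periods=periods,
                                    datapoints_to_alarm=needed)
        print(f"evaluation_periods={periods} datapoints_to_alarm={needed}: {transitions}")
```

With five 1-minute periods and the default "5 of 5", no window ever contains five breaching datapoints, so the only transition is the initial INSUFFICIENT_DATA to OK. With one period, every spike produces the OK to ALARM and ALARM to OK pair that question 1431's history shows.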

1442
MCQ · easy

A company hosts a static website on Amazon EC2 instances behind an Application Load Balancer. They want to improve latency for users around the world by caching content at edge locations. Which AWS service should they use?

A. Amazon CloudFront
B. AWS Global Accelerator
C. AWS Direct Connect
D. Amazon Route 53
Answer: A

Correct. CloudFront caches content at edge locations, reducing latency and offloading origin servers.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static content (e.g., HTML, CSS, images) at edge locations worldwide, reducing latency for global users by serving cached responses from the nearest edge rather than the origin EC2 instances behind the Application Load Balancer. It integrates directly with ALB as a custom origin, offloading traffic and improving response times for repeated requests.

Exam trap

The trap here is confusing AWS Global Accelerator (which optimizes network path but does not cache) with CloudFront (which caches at edge), leading candidates to pick Global Accelerator for latency improvement without recognizing the requirement for content caching.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it improves latency by directing traffic over the AWS global network using Anycast IPs, but it does not cache content at edge locations—it only optimizes routing to the origin. Option C (AWS Direct Connect) is wrong because it establishes a dedicated private network connection from on-premises to AWS, which does not cache content or serve edge locations; it is used for hybrid connectivity, not global content delivery. Option D (Amazon Route 53) is wrong because it is a DNS service that resolves domain names to IP addresses and can route users to the nearest endpoint via latency-based routing, but it does not cache or store content at edge locations.

1443
Multi-Select · hard

A company wants to use AWS WAF to protect a web application behind an Application Load Balancer. Which of the following can AWS WAF inspect? (Choose THREE.)

Select 3 answers
A. HTTP headers
B. Query string parameters
C. SSL certificate of the client
D. Request body of HTTPS requests
E. URI path
Answers: A, B, E

WAF can inspect headers like User-Agent.

Why this answer

AWS WAF can inspect HTTP headers (A), query string parameters (B), and the URI path (E). Option D is wrong because WAF does not inspect the body of HTTPS requests by default; it can inspect the body if the request is HTTP. Option C is wrong because WAF does not inspect the client's SSL certificate details.

1444
MCQ · easy

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket to store logs. The instance currently has no internet access. The SysOps administrator has created a VPC endpoint for S3 (gateway type) and attached it to the VPC. The instance still cannot reach S3. What additional step is required?

A. Attach an Internet Gateway to the VPC and add a route to it
B. Add a security group rule to allow outbound HTTPS traffic to S3
C. Modify the endpoint policy to allow all S3 actions
D. Add a route in the private subnet's route table pointing to the S3 endpoint
Answer: D

The endpoint uses a prefix list, and the route table must have a route for S3 traffic to go through the endpoint.

Why this answer

Option D is correct because the route table for the private subnet must have a route to the S3 endpoint (prefix list). Option A is wrong because gateway endpoints for S3 do not require internet access. Option C is wrong because the endpoint policy is not the issue if it allows all actions.

Option B is wrong because the instance's security group does not block outbound traffic to S3 by default.
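Both this question and question 1433 hinge on what the private subnet's route table contains, and on the fact that a gateway endpoint is itself just a route whose destination is a managed prefix list. The following added Python example (not from the question bank, not AWS code) performs the longest-prefix-match lookup a route table does and runs it over the three tables from the two questions: a private subnet with a NAT gateway default route, the same subnet with only the local route, and that subnet after the endpoint route is added. The CIDRs standing in for the S3 prefix list and the gateway/endpoint IDs are constructed placeholders, since the real prefix list differs per Region.

```python
"""Longest-prefix-match route lookup (added illustration; not AWS code),
covering the private-subnet route tables in the NAT-gateway and S3
gateway-endpoint questions.  A gateway endpoint shows up as a route whose
destination is a managed prefix list; the CIDRs used for it here are
constructed placeholders, since the real S3 prefix list differs per Region.
Gateway and endpoint IDs are constructed as well."""
import ipaddress

# Placeholder for the Region's S3 managed prefix list (pl-EXAMPLE).
S3_PREFIX_LIST = ["192.0.2.0/24", "198.51.100.0/24"]

# Question 1433: private subnet with a NAT gateway default route and no IGW route.
PRIVATE_WITH_NAT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-EXAMPLE"),
]

# Question 1444: the same subnet before and after the endpoint route is added.
PRIVATE_NO_INTERNET = [("10.0.0.0/16", "local")]
PRIVATE_WITH_ENDPOINT = PRIVATE_NO_INTERNET + [(S3_PREFIX_LIST, "vpce-EXAMPLE")]


def route_lookup(routes, dst_ip):
    """Target of the most specific route covering dst_ip, or None if no route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for destination, target in routes:
        # a destination is either one CIDR string or a prefix list (list of CIDRs)
        cidrs = destination if isinstance(destination, list) else [destination]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, target)
    return best[1] if best else None


def allows_inbound_from_internet(routes):
    """Only a route to an internet gateway makes the subnet reachable from the
    internet; NAT gateways and gateway endpoints never provide an inbound path."""
    return any(str(target).startswith("igw-") for _, target in routes)


if __name__ == "__main__":
    for name, table in (("nat", PRIVATE_WITH_NAT), ("isolated", PRIVATE_NO_INTERNET),
                        ("endpoint", PRIVATE_WITH_ENDPOINT)):
        print(name, "-> S3 via:", route_lookup(table, "192.0.2.40"),
              "| inbound from internet:", allows_inbound_from_internet(table))
```

Because the prefix-list entries are more specific than 0.0.0.0/0, S3 traffic takes the endpoint route even when a NAT gateway default route is also present, which is why adding the endpoint route is enough and no internet gateway is involved.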

1445
MCQ · medium

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The deployment uses AWS CodeDeploy with an in-place update. During a deployment, the new application version fails health checks, and CodeDeploy automatically rolls back. However, the rollback also fails. What is the MOST likely cause?

A. The Auto Scaling group's minimum size is too low for a rollback.
B. The load balancer is configured with an incorrect target group for the Elastic Beanstalk environment.
C. The CodeDeploy agent on the EC2 instances is not running the latest version.
D. The health check path specified in the AppSpec file is not valid for the previous application version.
Answer: D

If the health check path is not valid for the previous version, the rollback will also fail health checks.

Why this answer

Option D is correct because if the health check configuration in the CodeDeploy AppSpec file points to a path that is not valid in the previous version, the rollback will also fail health checks. Option A is incorrect because insufficient capacity would cause a different error. Option B is incorrect because CodeDeploy does not use Elastic Beanstalk.

Option C is incorrect because the issue is with health checks, not with the agent.

1446
MCQeasy

A SysOps administrator uses AWS CloudFormation to deploy a three-tier application. The administrator has a single template that can be used for development, test, and production environments. The only differences between environments are the EC2 instance type and the RDS DB instance class. Which CloudFormation feature should the administrator use to define these environment-specific values without duplicating the template?

A.Parameters
B.Conditions
C.Mappings
D.Outputs
AnswerA

Parameters enable you to input custom values for instance types and DB classes when creating or updating a stack. The same template can be reused for multiple environments.

Why this answer

Parameters allow you to input environment-specific values (e.g., EC2 instance type, RDS DB instance class) at stack creation or update time without modifying the template. This is the correct feature because the question explicitly requires defining values that differ per environment while reusing a single template.

Exam trap

The trap here is that candidates confuse Conditions (which toggle resource creation) with Parameters (which supply variable values), leading them to think Conditions can handle environment-specific instance types when they cannot.

How to eliminate wrong answers

Option B (Conditions) is wrong because conditions control whether to create or include specific resources or properties based on a condition (e.g., environment type), but they cannot inject variable values like instance types; they only toggle existence. Option C (Mappings) is wrong because mappings provide static lookup tables (e.g., mapping environment names to instance types) but require hardcoded keys and values in the template, which still requires template duplication if the values change per deployment; parameters are more flexible for runtime input. Option D (Outputs) is wrong because outputs are used to return information about the stack (e.g., endpoint URLs) after creation, not to define input values for resources.

1447
Multi-Selecteasy

A SysOps administrator is planning to deploy a web application using AWS Elastic Beanstalk. The application requires high availability across multiple Availability Zones. The administrator needs to configure the environment to automatically replace a failed instance. Which TWO configuration options should the administrator enable? (Choose TWO.)

Select 2 answers
A.Enable the environment's health check and set the health check path to a valid endpoint.
B.Attach an Application Load Balancer to distribute traffic to healthy instances.
C.Configure the environment's Auto Scaling group with a minimum of 2 instances spread across multiple Availability Zones.
D.Use AWS OpsWorks Stacks to manage the instance lifecycle.
E.Create a CloudWatch alarm that triggers an SNS notification when an instance fails.
AnswersA, C

Health checks allow the load balancer to detect unhealthy instances and Auto Scaling to replace them.

Why this answer

Option C (Auto Scaling group with a minimum of 2 instances) is correct for high availability. Option B (load balancer) is correct for distributing traffic. Option A (health check) is correct for detecting failures.

Option D is incorrect because OpsWorks is a different service. Option E is incorrect because CloudWatch alarms alert but do not automatically replace instances without Auto Scaling.

1448
Multi-Selectmedium

A company is designing a VPC with public and private subnets. The private subnets need internet access for patching, but must not be directly reachable from the internet. Which TWO components should be used together?

Select 2 answers
A.VPC Peering connection
B.Private subnet route table with a route to the Internet Gateway
C.Internet Gateway attached to the VPC
D.Private subnet route table with a route to the NAT Gateway
E.NAT Gateway in a public subnet
AnswersD, E

This route directs traffic from private subnets to the NAT Gateway.

Why this answer

Option E (NAT Gateway in a public subnet) and Option D (private route table with a route to the NAT Gateway) are correct. A NAT Gateway in a public subnet provides outbound internet access, and the private subnet's route table directs traffic to the NAT Gateway. Option C is wrong because the Internet Gateway is for public subnets.

Option A is wrong because VPC Peering is for connecting VPCs, not internet access. Option B is wrong because a direct route to the IGW would make the subnet public.

1449
MCQhard

A company runs a stateful web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. Users report that their sessions are frequently lost during scaling events. What is the MOST effective solution to maintain session persistence?

A.Increase the cooldown period for the Auto Scaling group.
B.Modify the application to store session data in an external data store such as ElastiCache or DynamoDB.
C.Enable sticky sessions (session affinity) on the Application Load Balancer.
D.Use larger EC2 instance types to reduce the frequency of scaling.
AnswerC

Sticky sessions route a user's requests to the same instance, preserving sessions during scaling if the instance is not terminated.

Why this answer

Option C is correct because enabling sticky sessions (session affinity) on the ALB ensures that a user's requests are routed to the same instance during a session. Option A is wrong because increasing the cooldown period does not solve session loss during scale-in. Option B is wrong because, while helpful for offloading state, it does not address the immediate issue of session persistence; a full rewrite may be needed.

Option D is wrong because a larger instance size does not prevent session loss when instances are terminated.

1450
MCQeasy

An organization uses AWS Service Catalog to manage approved IT services. A SysOps administrator needs to update a CloudFormation template used by a product. The administrator wants to ensure that existing provisioned products are updated with the new template version. What step must the administrator take after updating the product?

A.Update the portfolio that contains the product.
B.Create a new product version and update the provisioned products to use the new version.
C.Update the product's CloudFormation template directly in the Service Catalog console.
D.Terminate the existing provisioned products and reprovision them.
AnswerB

Why this answer

Option B is correct because in Service Catalog, to update existing provisioned products, you need to create a new product version and update the provisioned product to that version. Simply updating the template does not automatically trigger updates. Option C is incorrect because Service Catalog uses versions, not direct template updates.

Option D is incorrect because terminating and reprovisioning is disruptive and not recommended. Option A is incorrect because updating the portfolio does not update provisioned products.

1451
MCQeasy

A SysOps administrator needs to monitor the application logs of a web server and receive an email notification when the number of 'ERROR' log entries exceeds 100 in a 5-minute window. The logs are already being sent to Amazon CloudWatch Logs. Which combination of AWS services should be used to meet this requirement with the least operational overhead?

A.CloudWatch Logs metric filter, CloudWatch alarm, and Amazon SNS
B.Amazon Kinesis Data Firehose and AWS Lambda
C.AWS CloudTrail and Amazon EventBridge
D.AWS Config managed rule and Amazon SNS
AnswerA

Uses managed features to filter logs, set threshold, and notify via email.

Why this answer

Option A is correct because CloudWatch Logs metric filters can parse log events for the string 'ERROR' and count them in real time. A CloudWatch alarm can then trigger when the metric exceeds 100 in a 5-minute period, and Amazon SNS sends the email notification. This combination requires no custom code or additional infrastructure, minimizing operational overhead.

Exam trap

The trap here is that candidates may confuse CloudTrail (which logs API calls) with CloudWatch Logs (which stores application logs), leading them to choose Option C, but CloudTrail cannot inspect application log content.

How to eliminate wrong answers

Option B is wrong because Amazon Kinesis Data Firehose is designed for streaming large volumes of data to destinations like S3 or Redshift, not for real-time metric extraction and alerting; adding AWS Lambda would introduce custom code and increase complexity. Option C is wrong because AWS CloudTrail records API activity, not application log entries, and Amazon EventBridge is for event-driven workflows, not for counting log patterns. Option D is wrong because AWS Config managed rules evaluate resource compliance against desired configurations, not log content; they cannot parse log entries for 'ERROR' strings.

1452
MCQeasy

A company uses AWS OpsWorks for configuration management of EC2 instances. The administrator needs to ensure that a custom recipe runs on all instances after the instance is fully configured. Which lifecycle event should the recipe be associated with?

A.Undeploy
B.Deploy
C.Configure
D.Setup
AnswerC

Configure runs on instance state changes and after setup.

Why this answer

Option C is correct because the Configure lifecycle event occurs after the instance is fully set up and runs whenever the instance enters a new state. Option D is wrong because Setup runs only once when the instance boots. Option B is wrong because Deploy runs when a deploy command is issued.

Option A is wrong because Undeploy runs when the instance is removed.

1453
MCQeasy

A company uses AWS CodeDeploy to deploy applications to Amazon EC2 instances. The SysOps administrator wants to deploy a new version of the application by first shifting 10% of traffic to the new version, monitoring for errors, and then after manual approval, shifting the remaining 90%. Which deployment configuration should be used?

A.In-place deployment
B.Blue/green deployment with Canary10Percent configuration
C.Blue/green deployment with Linear10PercentEvery10Minutes configuration
D.Blue/green deployment with AllAtOnce configuration
AnswerB

This configuration shifts 10% of traffic to the new instances, then the remaining 90% after a manual approval (or after a set time if automated).

Why this answer

Option B is correct because a Blue/green deployment with Canary10Percent configuration shifts 10% of traffic to the new version, waits for a specified period (default 10 minutes), and then requires manual approval to shift the remaining 90%. This matches the requirement of shifting 10% first, monitoring, and then manually approving the full traffic shift.

Exam trap

The trap here is that candidates may confuse 'Canary10Percent' with 'Linear10PercentEvery10Minutes' because both shift 10% increments, but only Canary10Percent supports manual approval between shifts, while Linear10PercentEvery10Minutes is fully automated.

How to eliminate wrong answers

Option A is wrong because in-place deployment updates existing instances without traffic shifting, so it cannot shift 10% of traffic to a new version. Option C is wrong because Linear10PercentEvery10Minutes automatically shifts 10% every 10 minutes without requiring manual approval, which does not meet the manual approval requirement. Option D is wrong because AllAtOnce shifts 100% of traffic immediately, which does not allow for a 10% initial shift and monitoring.

1454
MCQmedium

A SysOps administrator uses AWS CloudFormation to deploy infrastructure. The administrator has a template that creates an Amazon EC2 instance and an Amazon RDS DB instance. The administrator needs to reuse the same template for development, test, and production environments, where the only differences are the EC2 instance type and the RDS DB instance class. Which CloudFormation feature should be used to define these environment-specific values?

A.Mappings
B.Conditions
C.Parameters
D.Outputs
AnswerC

Parameters accept input values at stack creation, making it easy to reuse the template across environments.

Why this answer

Parameters are the correct CloudFormation feature to define environment-specific values because they allow you to input custom values (e.g., EC2 instance type and RDS DB instance class) at stack creation or update time without modifying the template. This enables reuse of the same template across development, test, and production environments by simply passing different parameter values for each environment.

Exam trap

The trap here is that candidates often confuse Parameters with Mappings, thinking Mappings can handle environment-specific values, but Mappings are static and cannot accept runtime input, whereas Parameters are designed exactly for this purpose.

How to eliminate wrong answers

Option A is wrong because Mappings are static lookup tables used to define fixed key-value pairs (e.g., mapping AWS regions to AMI IDs) and cannot accept dynamic user input per environment. Option B is wrong because Conditions control whether certain resources or properties are created based on logical expressions (e.g., create a resource only in production), but they do not define variable values like instance types. Option D is wrong because Outputs are used to return information about the created stack (e.g., endpoint URLs or resource IDs) and cannot be used to pass input values into the template.

1455
Multi-Selecthard

A company uses AWS CloudFormation to deploy infrastructure. The SysOps administrator needs to ensure that if a stack update fails, the stack is automatically rolled back to the last known good state. Which THREE steps should the administrator take? (Choose three.)

Select 3 answers
A.Create a manual snapshot of the database before each update.
B.Configure the stack to use a service role with permissions to perform rollback actions.
C.Use rollback triggers to monitor CloudWatch metrics and automatically roll back the stack if a metric breaches its threshold.
D.Enable termination protection on the stack.
E.Define a stack policy that prevents updates to the database resources.
AnswersB, C, E

A service role ensures CloudFormation has the necessary permissions to roll back resources.

Why this answer

CloudFormation stack policies protect critical resources from accidental updates. Rollback triggers monitor stack metrics and initiate rollback if a threshold is breached. IAM permissions are necessary to allow CloudFormation to perform rollback.

Manual snapshots and SNS notifications do not automate rollback.

1456
MCQhard

A SysOps administrator has created the IAM policy shown in the exhibit. The policy is attached to a role used by an automation script that manages Amazon EBS snapshots. The script is failing when it tries to delete snapshots. What is the likely cause?

A.The script does not have permission to delete any snapshots.
B.The script is trying to delete snapshots in a different region or account.
C.The script does not have permission to describe snapshots.
D.The script does not have permission to create tags on snapshots.
AnswerB

Correct: The resource ARN restricts deletion to snapshots in us-east-1 and account 123456789012.

Why this answer

The correct answer is B because the 'ec2:DeleteSnapshot' action is allowed only for snapshots in the specified account and region, but the script may be trying to delete snapshots in another region. Option C is wrong because 'ec2:Describe*' can describe snapshots. Option D is wrong because 'ec2:CreateTags' is allowed on any resource.

Option A is wrong because the policy allows 'ec2:DeleteSnapshot', but with a resource restriction.

1457
MCQmedium

An RDS Multi-AZ DB instance fails over to the standby. The application uses the DB instance endpoint. What should the SysOps administrator usually do in the application after failover?

A.Ensure the application retries/reconnects using the same DB endpoint.
B.Manually change the application to the standby instance IP address.
C.Restore from the latest snapshot before reconnecting.
D.Create a new read replica and promote it immediately.
AnswerA

The endpoint remains the abstraction for the active database instance.

Why this answer

When an RDS Multi-AZ DB instance fails over to the standby, the DNS record for the DB instance endpoint is automatically updated to point to the new primary instance. The application should simply retry or reconnect using the same endpoint; no manual changes are needed because the endpoint remains valid. This is the standard behavior for Multi-AZ deployments, ensuring minimal disruption.

Exam trap

The trap here is that candidates may think they need to manually update the connection string or IP address, but the DNS endpoint automatically resolves to the new primary after failover, so only retry logic is required.

How to eliminate wrong answers

Option B is wrong because the application should use the DNS endpoint, not the IP address; the IP address can change after failover, and relying on it would break connectivity. Option C is wrong because restoring from a snapshot is unnecessary and would cause data loss; Multi-AZ failover preserves data without requiring a restore. Option D is wrong because creating and promoting a read replica is not the correct recovery action for a Multi-AZ failover; the standby is already promoted automatically by RDS.

1458
MCQhard

An application stores its RDS PostgreSQL credentials in AWS Secrets Manager. The security policy requires credentials to be rotated every 30 days automatically. During rotation, the application must continue to serve traffic with zero downtime. The application retrieves credentials by calling GetSecretValue at the start of each database connection. What must be configured to satisfy all requirements?

A.Enable automatic rotation in Secrets Manager with a 30-day schedule; use the AWS-provided Lambda rotation function for RDS PostgreSQL; ensure the application calls GetSecretValue per connection rather than caching credentials
B.Rotate credentials manually every 30 days by updating the secret value in the console and restarting the application
C.Create an EventBridge scheduled rule every 30 days that triggers a Lambda to generate a new RDS password and update both the database and the secret
D.Store credentials in an environment variable on the application's EC2 instance and rotate by updating the environment variable and reloading the application
AnswerA

The AWS-provided rotation Lambda handles the full four-step lifecycle. The 30-day rotation schedule triggers the Lambda automatically. Because the application fetches credentials fresh per connection, it starts using the new credentials immediately after AWSCURRENT switches, with no restart needed. Secrets Manager's rotation is designed for zero downtime — the new password is validated on the database before the old version is retired.

Why this answer

Option A is correct because AWS Secrets Manager's automatic rotation, combined with the AWS-provided Lambda rotation function for RDS PostgreSQL, ensures credentials are rotated every 30 days without manual intervention. The application's practice of calling GetSecretValue at the start of each database connection guarantees it always retrieves the current secret, avoiding stale credentials and achieving zero downtime during rotation.

Exam trap

The trap here is that candidates may think any automated rotation (like EventBridge + Lambda) suffices, but the question specifically tests the integration of Secrets Manager's native rotation with its versioning and staging labels to achieve zero downtime.

How to eliminate wrong answers

Option B is wrong because manual rotation every 30 days with a console update and application restart violates the zero-downtime requirement; restarting the application causes service interruption. Option C is wrong because while it implements rotation via EventBridge and Lambda, it does not use Secrets Manager's built-in rotation mechanism, missing the automatic version management and staging labels (AWSCURRENT, AWSPREVIOUS) that ensure seamless credential transition. Option D is wrong because storing credentials in an environment variable on EC2 and rotating by updating the variable and reloading the application introduces downtime and bypasses Secrets Manager's secure storage, auditing, and rotation capabilities.

1459
MCQhard

Refer to the exhibit. A SysOps administrator runs the CloudWatch Logs Insights query shown. What does this query do?

A.Groups ERROR and FATAL entries by log stream name.
B.Counts the number of ERROR and FATAL log entries per 5-minute interval and displays them in descending order by time.
C.Displays the full log messages of all ERROR and FATAL entries.
D.Deletes all log entries containing ERROR or FATAL older than 5 minutes.
AnswerB

The query uses stats count() by bin(5m) and sorts by @timestamp desc.

Why this answer

The CloudWatch Logs Insights query uses `stats count(*) by bin(5m)` to aggregate log events into 5-minute time buckets, then filters with `filter @message like /ERROR|FATAL/` to include only those severity levels. The `sort @timestamp desc` orders the resulting time buckets in descending chronological order, producing a count of ERROR and FATAL entries per 5-minute interval. This matches option B exactly.

Exam trap

The trap here is that candidates see `ERROR|FATAL` and `sort @timestamp desc` and assume the query returns raw log messages in reverse chronological order, overlooking that `stats count(*)` aggregates the data into counts per time bucket.

How to eliminate wrong answers

Option A is wrong because the query does not include `by @logStream` or any grouping on log stream name; it groups only by the 5-minute time bin. Option C is wrong because the query uses `stats count(*)` which returns counts, not the full log messages; to display full messages you would use `fields @message` without aggregation. Option D is wrong because CloudWatch Logs Insights is a read-only query engine that cannot delete log entries; deletion requires a separate API call or retention policy.

1460
MCQmedium

A company runs a production Amazon RDS for PostgreSQL DB instance in a single Availability Zone (AZ). The SysOps administrator needs to improve database availability so that in the event of a database failure or AZ outage, a standby instance is automatically promoted with minimal downtime. Which configuration should the administrator enable?

A.Enable automated backups with a retention period of 35 days.
B.Create a read replica in another Availability Zone.
C.Enable Multi-AZ deployment on the DB instance.
D.Schedule manual snapshots to be taken every hour and restore from the latest snapshot when needed.
AnswerC

Multi-AZ deployment creates a standby in a different AZ with synchronous replication. AWS handles automatic failover, ensuring high availability with minimal disruption.

Why this answer

Multi-AZ deployment automatically creates and maintains a synchronous standby replica in a different Availability Zone. In the event of a failure or AZ outage, Amazon RDS automatically fails over to the standby, typically within 60–120 seconds, with no manual intervention required. This meets the requirement for automatic promotion with minimal downtime.

Exam trap

The trap here is that candidates confuse read replicas (which are for read scaling and require manual promotion) with Multi-AZ (which provides automatic failover), or they overestimate the speed and automation of backups and snapshots for disaster recovery.

How to eliminate wrong answers

Option A is wrong because automated backups only provide point-in-time recovery (PITR) to restore the database to a specific time, not automatic failover with minimal downtime; restoration is a manual process that can take hours. Option B is wrong because a read replica is designed for read scaling and asynchronous replication, not automatic failover; promoting a read replica requires manual intervention and can result in data loss due to replication lag. Option D is wrong because manual snapshots require scheduling and manual restoration, which involves significant downtime and does not provide automatic failover or minimal disruption.

1461
MCQmedium

A company is using AWS CloudFormation to manage its infrastructure. A stack update fails because a change set includes a modification to an RDS database that triggers a replacement. The engineer needs to allow updates that may cause a replacement but wants to be warned first. What should the engineer do?

A.Use the '--disable-rollback' flag when updating the stack.
B.Use a nested stack to isolate the RDS resource.
C.Create a change set and review it before executing the update.
D.Use the '--parameters' option to specify a parameter that controls replacement.
AnswerC

Change sets allow you to preview changes, including replacements, before applying them.

Why this answer

Using a change set allows the engineer to review the changes before executing them. Disabling rollback on failure is not a warning mechanism, and using a nested stack does not provide a warning. The '--parameters' option does not warn about replacements.

1462
Multi-Selectmedium

A SysOps administrator is configuring CloudTrail to log all management events and data events for S3 buckets. Which of the following are true about CloudTrail logging? (Choose THREE.)

Select 3 answers
A.Data events for S3 are logged by default for all buckets
B.CloudTrail logs include the identity of the user who made the API call
C.Management events are logged by default
D.CloudTrail can log events for all AWS services automatically
E.CloudTrail can deliver log files to CloudWatch Logs for real-time analysis
AnswersB, C, E

CloudTrail records the IAM user or role that made the call.

Why this answer

Data events for S3 can be logged, but they incur additional costs and are not logged by default (option A is wrong). Management events are logged by default (option C). CloudTrail cannot log events across all AWS services automatically; it must be configured per service (option D is wrong).

Option B is correct because CloudTrail logs include the API caller's identity. Option E is correct because logs can be delivered to CloudWatch Logs.

1463
MCQmedium

A company has a web application deployed in a VPC with both public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The web servers need to access the internet for updates. Which configuration is required to provide internet access to the web servers while keeping the database servers private?

A.Place both web and database servers in private subnets and use a NAT Gateway for outbound internet access.
B.Attach an Internet Gateway to the VPC and add a route to it in the route tables for both public and private subnets.
C.Attach an Internet Gateway to the VPC and add a route to it only in the route tables for the public subnets.
D.Use a VPC Gateway Endpoint to provide internet access to the web servers.
AnswerC

This provides inbound and outbound internet to public subnets while private subnets remain isolated.

Why this answer

Option C is correct because an Internet Gateway (IGW) is required for any subnet that needs direct internet access. By attaching an IGW to the VPC and adding a default route (0.0.0.0/0) pointing to the IGW only in the public subnet route tables, web servers in those subnets can reach the internet. Database servers in private subnets remain isolated because their route tables lack the IGW route, preventing direct inbound or outbound internet traffic.

Exam trap

The trap here is that candidates often confuse the role of an Internet Gateway with a NAT Gateway, assuming that adding an IGW route to all subnets is necessary for outbound access, but this would break the isolation of private subnets by allowing direct inbound traffic.

How to eliminate wrong answers

Option A is wrong because placing both web and database servers in private subnets would require a NAT Gateway for outbound internet access, but the question specifies web servers are already in public subnets and need direct internet access, not NAT-mediated access. Option B is wrong because adding a route to the Internet Gateway in private subnet route tables would expose database servers to the internet, violating the requirement to keep them private. Option D is wrong because a VPC Gateway Endpoint provides private connectivity to AWS services (e.g., S3, DynamoDB) via the AWS network, not general internet access for web servers.

1464
MCQeasy

A SysOps administrator wants to automate the creation of an Amazon RDS MySQL instance using AWS CloudFormation. Which CloudFormation resource type should be used?

A.AWS::RDS::DBInstance
B.AWS::DynamoDB::Table
C.AWS::AppStream::DirectoryConfig
D.AWS::Redshift::Cluster
AnswerA

This is the correct resource for an RDS database instance.

Why this answer

Option A is correct because AWS::RDS::DBInstance is the resource for creating an RDS instance. Option C is wrong because that is for AppStream. Option B is wrong because that is for DynamoDB.

Option D is wrong because that is for Redshift.

1465
Drag & Dropmedium

Drag and drop the steps to set up an AWS Site-to-Site VPN connection into the correct order.


Why this order

First create and attach the virtual private gateway, then define the customer gateway, then create the VPN connection, configure the on-premises router, and verify the tunnel.

1466
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB) in a single Availability Zone. The application stores session data in an RDS MySQL DB instance. To improve reliability, the company wants to deploy the application across multiple Availability Zones. Which combination of actions should the company take to achieve this? (Choose the correct course of action.)

A.Deploy EC2 instances in a single Availability Zone behind an Application Load Balancer. Enable Multi-AZ for the RDS MySQL DB instance.
B.Deploy EC2 instances in two Availability Zones and place them behind a Network Load Balancer. Keep RDS MySQL as a single-AZ deployment.
C.Deploy EC2 instances in two Availability Zones. Configure an RDS MySQL Read Replica in a second Availability Zone and route read traffic to it.
D.Deploy EC2 instances in two Availability Zones and place them behind an Application Load Balancer. Enable Multi-AZ for the RDS MySQL DB instance.
AnswerD

This provides high availability for both compute and database layers.

Why this answer

Option D is correct because deploying EC2 instances in multiple AZs behind an ALB and using Multi-AZ RDS improves availability and fault tolerance. Option B is wrong because a Network Load Balancer is not required for HTTP traffic. Option A is wrong because RDS replication alone does not distribute application traffic.

Option C is wrong because RDS Read Replicas are for read scaling, not failover.

1467
MCQ · hard

A company runs a critical application on Amazon EC2 instances across multiple Availability Zones. The application stores state data on a shared Amazon EFS file system. The SysOps administrator needs to ensure that the file system remains available if an entire Availability Zone fails. The file system must also provide low-latency access from all instances. Which configuration meets these requirements?

A. Create an EFS file system with the One Zone storage class and mount it from all instances.
B. Create an EFS file system with the Standard storage class, enable replication to another Region, and use DNS failover.
C. Create an EFS file system with the Standard storage class in the same Region, and mount it from all instances using the regional mount target.
D. Create an EFS file system with the Standard storage class, and enable Multi-AZ deployment.
Answer: C

EFS Standard automatically replicates data across multiple AZs in the Region. Mounting via the regional mount target ensures low-latency access from all AZs and availability during an AZ outage.

Why this answer

Option C is correct because the EFS Standard storage class stores data redundantly across multiple Availability Zones (AZs) within a Region, ensuring high availability and durability even if an entire AZ fails. By mounting the file system using the regional mount target (which resolves to the EFS file system's regional DNS name), instances in any AZ can access the file system with low latency, as EFS automatically routes traffic to the most appropriate mount target in the same AZ. This configuration meets both the availability and low-latency requirements without additional replication or failover complexity.

Exam trap

The trap here is that candidates confuse EFS's Standard storage class with RDS's Multi-AZ deployment feature, or incorrectly assume that cross-Region replication is necessary for AZ-level fault tolerance, when in fact EFS's regional storage class already provides Multi-AZ redundancy within a single Region.

How to eliminate wrong answers

Option A is wrong because the One Zone storage class stores data only within a single Availability Zone, so if that AZ fails, the file system becomes unavailable, violating the requirement for continued availability during an AZ failure. Option B is wrong because enabling cross-Region replication does not provide low-latency access from all instances within the same Region; it introduces additional latency for cross-Region data access and requires DNS failover, which is not designed for intra-Region AZ failures and adds unnecessary complexity. Option D is wrong because EFS does not support a 'Multi-AZ deployment' configuration; the term 'Multi-AZ' applies to Amazon RDS, not EFS, and EFS inherently provides Multi-AZ redundancy through the Standard storage class, not through a separate deployment option.

1468
MCQ · easy

A company has an Auto Scaling group that launches EC2 instances in private subnets. The instances need to download software patches from the internet. Which component must be added to the VPC to allow outbound internet traffic while keeping the instances private?

A. An internet gateway attached to the VPC
B. A VPC peering connection to a VPC with internet access
C. An egress-only internet gateway
D. A NAT gateway in a public subnet
Answer: D

NAT gateway enables outbound internet for private instances.

Why this answer

Option D is correct because a NAT gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet. Option A is wrong because an internet gateway alone does not allow private instances to reach the internet. Option B is wrong because VPC peering does not provide internet access.

Option C is wrong because an egress-only internet gateway is for IPv6 traffic.

1469
MCQ · easy

A SysOps administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance. The user has a policy that allows ec2:RunInstances. What is the most likely cause of the failure?

A. The user does not have permissions for supporting actions like CreateNetworkInterface.
B. The user is not using multi-factor authentication (MFA).
C. The user does not have permission to use the KMS key for encryption.
D. The policy is attached to a group instead of the user.
Answer: A

Launching an instance requires permissions for multiple EC2 actions.

Why this answer

Option A is correct because launching an EC2 instance requires permissions for multiple actions beyond RunInstances, such as creating network interfaces, volumes, etc. Option B is wrong because MFA would cause an access denied error, not a permissions issue. Option C is wrong because RunInstances does not require KMS keys unless encrypted volumes are specified.

Option D is wrong because the policy allows the action whether it is attached to the group or to the user; the issue is the other required actions.

1470
MCQ · medium

A SysOps administrator needs to monitor the CPU utilization of an Amazon EC2 instance fleet and send an alert when the average CPU utilization exceeds 80% for 10 consecutive minutes. The administrator also wants to automatically stop the instance if the CPU utilization remains above 90% for 30 minutes to prevent runaway costs. Which combination of AWS services should be used?

A. Amazon CloudWatch alarm + AWS Lambda + AWS Systems Manager Automation
B. Amazon CloudWatch alarm + Amazon Simple Notification Service (SNS) + AWS Lambda
C. Amazon CloudWatch Logs + Amazon EventBridge + AWS Step Functions
D. AWS CloudTrail + Amazon EventBridge + AWS CodePipeline
Answer: B

A CloudWatch alarm monitors the CPU metric and publishes to an SNS topic when the threshold is breached. The SNS topic triggers a Lambda function that calls the EC2 StopInstances API to stop the instance. This is a clean, low-overhead solution.

Why this answer

Option B is correct because it uses Amazon CloudWatch alarms to monitor CPU utilization metrics and trigger an SNS topic, which then invokes an AWS Lambda function. The Lambda function can execute the logic to stop the EC2 instance when the alarm state indicates CPU utilization above 90% for 30 minutes, providing automated cost control without manual intervention.

Exam trap

The trap here is that candidates may assume Systems Manager Automation (Option A) is required for instance stop actions, but Lambda is simpler and directly triggered by SNS, while Automation is better suited for complex multi-step workflows like patching or AMI creation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Automation is designed for predefined runbook-style remediation (e.g., patching, configuration changes) and is not directly triggered by CloudWatch alarms to stop an instance based on a metric threshold; it requires additional orchestration and does not natively support the stop action from an alarm. Option C is wrong because Amazon CloudWatch Logs is for log data, not metric monitoring, and Amazon EventBridge with Step Functions is overkill for a simple stop action; CloudWatch Logs cannot directly trigger alarms on CPU utilization metrics. Option D is wrong because AWS CloudTrail records API activity, not CPU metrics, and Amazon EventBridge with CodePipeline is for CI/CD pipelines, not for monitoring or stopping instances based on utilization thresholds.

1471
MCQ · hard

A SysOps administrator is setting up Amazon Route 53 for a domain that will be used for a web application. The application requires failover to a backup data center in another region if the primary becomes unhealthy. The administrator creates a failover routing policy with two records (primary and secondary) associated with health checks. After testing, the failover does not occur when the primary endpoint fails. What is the most likely cause?

A. The primary record is not an alias record
B. The domain registrar's nameservers are not pointing to Route 53
C. The health check is configured to monitor the secondary endpoint instead of the primary
D. The TTL on the primary record is set too high
Answer: C

The health check must monitor the primary endpoint to trigger failover.

Why this answer

Option C is correct because if the health check is set to evaluate the health of the secondary endpoint instead of the primary, Route 53 will not detect the primary failure. Option A is wrong because an alias record is not required for failover with non-AWS endpoints. Option B is wrong because the failover routing policy is independent of the domain registrar's nameservers.

Option D is wrong because DNS TTL affects caching but not failover behavior.

1472
MCQ · hard

An S3 bucket policy is shown in the exhibit. The AdminRole attempts to upload an object to my-bucket without specifying any server-side encryption header. What will happen?

A. The upload fails because the Allow statement requires encryption, but the Deny statement is evaluated first.
B. The upload succeeds because the Allow statement grants permission to the AdminRole.
C. The upload succeeds because the Deny statement does not apply to the AdminRole.
D. The upload fails because the Deny statement denies PutObject without encryption.
Answer: D

The Deny statement explicitly denies PutObject when encryption is not aws:kms.

Why this answer

Option D is correct. The Deny statement denies PutObject when encryption is not aws:kms. Since the request has no encryption header, it does not equal aws:kms, so the Deny applies and the upload fails.

The Allow statement allows the action only when encryption is aws:kms, so without encryption, it does not apply. Because an explicit Deny overrides any Allow, the upload is denied. Option A is wrong because the Deny does not depend on the Allow.

Option B is wrong because the Allow does not apply. Option C is wrong because the Deny applies.

1473
MCQ · medium

A SysOps administrator is troubleshooting a failed AWS Elastic Beanstalk environment update. The update changed the configuration of the EC2 instances in the Auto Scaling group, but the new instances fail to launch. The administrator checks the Auto Scaling group's scaling activities and sees a 'Failed' status with the message: 'Instance failed to reach the desired state.' What should the administrator check next?

A. Check the IAM role attached to the environment's EC2 instances for missing permissions.
B. Check the account service quotas for EC2 instances.
C. Check the CloudWatch logs for the failed instance to identify application or configuration errors.
D. Check the termination protection setting on the Auto Scaling group.
Answer: C

The instance likely launched but failed health checks due to application errors; logs will show the root cause.

Why this answer

The error 'failed to reach desired state' often indicates an issue with the instance's health checks, such as ELB health check failures. Checking the CloudWatch logs for the instance's application is the most direct way to diagnose why the instance is not passing health checks. Option A is wrong because IAM roles would cause a different error.

Option B is wrong because the error is not about scaling limits. Option D is wrong because the error is not about termination protection.

1474
MCQ · medium

A company is using AWS CloudFormation to deploy a web application. The stack creation fails with the error 'Resource creation cancelled' for an EC2 instance. The instance type is t3.micro, and the AMI ID is specified in the template. Which of the following is the most likely cause of the failure?

A. The instance type 't3.micro' is not available in the region.
B. The instance type is invalid for the specified AMI.
C. The AMI ID is not specified for the region.
D. The account has reached the vCPU limit for On-Demand Instances in the region.
Answer: D

CloudFormation cancels resource creation if the account exceeds its vCPU limit. The limit must be increased via a support request.

Why this answer

The error 'Resource creation cancelled' indicates that the instance launch was aborted, likely due to reaching the vCPU limit (On-Demand Instance limit per region). The t3.micro instance consumes vCPUs; if the account has a standard limit of 5 vCPUs, launching a t3.micro (2 vCPUs) might exceed the limit if other instances are running. Option D is correct because CloudFormation does not automatically request a limit increase.

Option A is wrong because t3.micro is supported. Option B is wrong because the instance type is valid. Option C is wrong because the AMI ID is specified, so no default AMI is used.

1475
Multi-Select · medium

A company has a production application running on Amazon ECS with Fargate. The application must be highly available across multiple Availability Zones. Which TWO configurations should be implemented?

Select 2 answers
A. Configure the ECS service to run tasks in a single Availability Zone to reduce network latency.
B. Configure the ECS service to run tasks in at least two Availability Zones.
C. Use the awsvpc network mode for the task definition.
D. Place the ECS service behind an Application Load Balancer.
E. Use Fargate Spot capacity providers to reduce costs.
Answers: B, D

Correct: Running tasks in multiple AZs provides fault tolerance.

Why this answer

Options B and D are correct. Running tasks in multiple Availability Zones (Option B) ensures availability if one AZ fails. Placing the service behind an Application Load Balancer (Option D) distributes traffic across tasks.

Option A (single AZ) is not highly available. Option C (network mode) is not related to AZ distribution. Option E (Spot) is not for high availability.

1476
MCQ · medium

A company wants to provide temporary access to an S3 bucket for a third-party vendor. The vendor needs to upload files for one hour. Which approach should be used?

A. Create an IAM role and allow the vendor to assume it using their AWS account.
B. Create an IAM user with programmatic access and share the credentials with the vendor.
C. Create an S3 bucket policy that allows the vendor's IP address for one hour.
D. Generate a presigned URL for the S3 bucket that expires in one hour.
Answer: D

Presigned URLs provide temporary access to put objects in S3.

Why this answer

Option D is correct because presigned URLs can grant temporary access to a specific S3 object for a limited time. Option A is wrong because cross-account roles require the vendor to have an AWS account. Option B is wrong because creating an IAM user for the vendor is a long-term credential.

Option C is wrong because a bucket policy with a condition on the source IP would provide permanent access.

1477
Multi-Select · hard

A SysOps administrator is designing a disaster recovery strategy for a production RDS MySQL database. The database must be recoverable within 15 minutes with a Recovery Point Objective (RPO) of less than 5 seconds. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A. Create a read replica in the same AWS Region.
B. Enable Multi-AZ deployment for the RDS instance.
C. Create a cross-Region read replica in another AWS Region.
D. Enable automated backups with a retention period of 35 days.
E. Take manual snapshots every hour.
Answers: B, C

Provides low RPO failover within region.

Why this answer

Options B and C are correct. Enabling Multi-AZ provides automatic failover to a standby in a different AZ, and using a cross-Region read replica allows replication to a different region for disaster recovery. Option A is wrong because a single-Region read replica does not protect against regional failure.

Option D is wrong because automated backups have an RPO of up to 5 minutes, not <5 seconds. Option E is wrong because manual snapshots are not automated and have a higher RPO.

1478
MCQ · easy

A SysOps administrator needs to deploy a new application version to an Auto Scaling group without causing any downtime. The application runs on EC2 instances behind an Application Load Balancer. Which deployment method should the administrator use?

A. Perform an in-place update by updating the launch template and manually replacing instances one by one.
B. Use a rolling update with a batch size of 100% of the instances.
C. Use a rolling update with a batch size of 1 instance and enable the health check grace period.
D. Create a new Auto Scaling group with the new launch template and gradually shift traffic using a load balancer target group.
Answer: C

This replaces one instance at a time, maintaining capacity and availability.

Why this answer

Option C is correct because a rolling update with a batch size of 1 instance at a time minimizes impact and can be done without downtime if health checks are configured. Option A is incorrect because it does not use Auto Scaling. Option B is incorrect because it terminates all instances at once.

Option D is incorrect because immutable updates launch new instances in a new Auto Scaling group, which is also zero-downtime but not the only option.

1479
Multi-Select · hard

A company wants to audit all AWS account activity for compliance. Which THREE AWS services should be used together to achieve this? (Choose three.)

Select 3 answers
A. Amazon CloudWatch Logs
B. AWS Config
C. AWS Trusted Advisor
D. Amazon GuardDuty
E. AWS CloudTrail
Answers: A, B, E

Stores and monitors log files.

Why this answer

Options A, B, and E are correct. AWS CloudTrail records API activity, Amazon CloudWatch Logs can store logs, and AWS Config tracks resource configuration changes. Option C is incorrect because AWS Trusted Advisor is for recommendations, not auditing.

Option D is incorrect because Amazon GuardDuty is for threat detection.

1480
MCQ · medium

An administrator is using AWS CodePipeline to deploy a web application. The pipeline includes a build stage using AWS CodeBuild and a deploy stage using AWS Elastic Beanstalk. The build succeeds, but the deployment fails with 'Access Denied' when Elastic Beanstalk tries to read the artifact from S3. What should the administrator check?

A. The IAM role assumed by the Elastic Beanstalk environment
B. The IAM role used by CodeBuild
C. Whether the artifact bucket is in the same region as the pipeline
D. The S3 bucket policy for the artifact bucket
Answer: A

The service role must have s3:GetObject on the artifact bucket.

Why this answer

Option A is correct because the Elastic Beanstalk service role needs permissions to read the artifact bucket. Option B is wrong because the CodeBuild role is for building, not deploying. Option C is wrong because the artifact bucket is internal to the pipeline.

Option D is wrong because S3 bucket policies are not the most likely issue.

1481
MCQ · medium

A SysOps Administrator is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. After the peering connection is accepted, instances in VPC-A cannot ping instances in VPC-B. Both VPCs have non-overlapping CIDR blocks. What is the MOST likely cause?

A. The route tables in both VPCs do not have routes to the peer VPC CIDR.
B. VPC peering does not support cross-account connections.
C. The CIDR blocks overlap, causing routing conflicts.
D. The security groups in VPC-B do not allow inbound ICMP traffic from VPC-A.
Answer: A

Without routes pointing to the peering connection, traffic cannot be forwarded between VPCs.

Why this answer

The most likely cause is that the route tables in both VPCs do not have routes to the peer VPC CIDR. Even after a VPC peering connection is accepted, traffic cannot flow between the VPCs unless explicit routes are added to each VPC's route table pointing to the CIDR block of the peer VPC, with the VPC peering connection as the target. Without these routes, instances in VPC-A have no path to reach instances in VPC-B, so ping fails.

Exam trap

The trap here is that candidates often assume security groups or NACLs are the primary cause of connectivity issues, but the foundational routing layer must be correctly configured first for any traffic to flow across a VPC peering connection.

How to eliminate wrong answers

Option B is wrong because VPC peering does support cross-account connections; you simply need to accept the peering request from the other account. Option C is wrong because the question explicitly states that the CIDR blocks are non-overlapping, so routing conflicts from overlap are not the issue. Option D is wrong because while security group rules could block ICMP, the most likely cause is the missing route tables, as routing is a prerequisite for any traffic to reach the destination before security groups are evaluated.

1482
MCQ · hard

A SysOps administrator manages multiple AWS accounts and wants to create a single Amazon CloudWatch dashboard that displays real-time metrics from all accounts in one view. The administrator needs to avoid managing separate dashboards for each account. Which solution should the administrator implement?

A. Use CloudWatch cross-account observability by setting up a monitoring account and sharing metrics from source accounts.
B. Export CloudWatch metrics to Amazon QuickSight and create a dashboard there.
C. Use AWS Config aggregator to collect metrics and display in CloudWatch.
D. Create a Lambda function that periodically pulls metrics from each account and publishes to a central account's CloudWatch.
Answer: A

Correct. CloudWatch cross-account observability enables you to search, visualize, and create dashboards using metrics from multiple accounts, all from a single monitoring account.

Why this answer

CloudWatch cross-account observability allows you to designate a monitoring account that can view metrics, logs, and traces from multiple source accounts. This feature uses AWS Organizations or CloudWatch cross-account links to share observability data in real time, enabling a single dashboard that aggregates metrics from all accounts without needing separate dashboards.

Exam trap

The trap here is that candidates may confuse AWS Config aggregator (which aggregates configuration data) with CloudWatch cross-account observability (which aggregates monitoring metrics), leading them to choose a service that does not handle real-time metric visualization.

How to eliminate wrong answers

Option B is wrong because Amazon QuickSight is a business analytics service for interactive dashboards, not a real-time CloudWatch metrics viewer; it requires exporting metrics via API calls and cannot provide the low-latency, native CloudWatch dashboard experience. Option C is wrong because AWS Config aggregator collects configuration and compliance data, not real-time CloudWatch metrics; it is designed for resource inventory and rule evaluation, not for monitoring metric streams. Option D is wrong because creating a Lambda function to periodically pull metrics introduces latency, complexity, and potential data staleness; CloudWatch cross-account observability provides native, real-time streaming without custom code or polling overhead.

1483
MCQ · hard

A company runs a production web application on AWS using Auto Scaling groups (ASGs) behind an Application Load Balancer (ALB). The application state is stored in an Amazon RDS for MySQL Multi-AZ DB instance. The application experiences periodic traffic spikes, and the current ASG uses a simple scaling policy based on average CPU utilization. Recently, during a spike, the application became unresponsive for several minutes. The CloudWatch metrics show that the CPU utilization on the RDS instance peaked at 80%, and the DB Connections metric reached the maximum allowed. The read replica lag increased to over 10 seconds during the spike. The web servers are stateless and scale out quickly. The operations team needs to improve the reliability and performance of the application to handle future spikes. Which solution should the team implement?

A. Increase the desired capacity of the ASG and add more read replicas to distribute the database load.
B. Increase the DB instance size to a larger instance class and implement an Amazon ElastiCache cluster to cache frequent database queries.
C. Migrate the database to Amazon DynamoDB with auto scaling and rewrite the application to use a serverless architecture with AWS Lambda.
D. Reduce the maximum connections parameter on the RDS instance to prevent connection exhaustion and modify the application code to reduce the number of database queries.
Answer: B

Larger DB instance provides more CPU and connections. ElastiCache reduces read load on the database by caching results, lowering CPU and connection usage.

Why this answer

Option B is correct because increasing the DB instance size provides more CPU and memory capacity to handle the load, and caching with ElastiCache reduces read load on the database by serving frequent queries from cache. This directly addresses high CPU and connection limits on RDS, and reduces read replica lag. Option A is wrong because increasing ASG size and adding more read replicas may increase database load further due to more connections and replication overhead.

Option C is wrong because switching to DynamoDB and Lambda would require significant application changes and DynamoDB may not be suitable for complex queries. Option D is wrong because reducing MaxConnections on RDS would make the problem worse, and modifying application code to reduce queries is not a quick fix.

1484
MCQ · medium

Refer to the exhibit. An IAM user has this policy attached. The user tries to start an EC2 instance that has no tags. What will happen?

A. The user will be allowed because the condition only applies if the tag exists
B. The user will be allowed because the resource ARN includes a wildcard
C. The user will be allowed because the policy does not explicitly deny the action
D. The user will be denied because the instance does not have the required tag
Answer: D

Condition requires the tag to be present and equal to 'Production'.

Why this answer

Option D is correct because the policy allows actions only on instances with the tag Environment=Production. Since the instance has no tags, the condition is not met, and the action is not allowed. The user will be denied.

Option A is incorrect because the condition uses StringEquals, which requires the tag to exist and match. Option B is incorrect because the policy does not allow all instances; it has a condition. Option C is incorrect because without the tag, the condition fails, resulting in an implicit deny.

1485
MCQ · medium

A SysOps administrator creates the above IAM policy for a user. The user reports that they cannot delete an object in the bucket 'my-bucket' even though they are using MFA. What is the likely cause?

A. The resource ARN is missing the bucket-level permission.
B. The condition key aws:MultiFactorAuthPresent is incorrectly spelled.
C. The user is not using MFA when making the API call.
D. The policy does not include s3:DeleteObjectVersion.
Answer: C

The condition requires MFA to be present; if the user is not using an MFA device, the request is denied.

Why this answer

Option C is correct because the condition requires MFA, but the user might not be presenting MFA in the API call. Option A is wrong because the resource specifies the bucket. Option B is wrong because the condition key is spelled correctly and applies to all actions in the policy.

Option D is wrong because the policy allows DeleteObject.

1486
MCQ · hard

A company stores application log files in an Amazon S3 bucket. The logs are accessed frequently for the first 30 days, then rarely accessed but must be retrievable within 12 hours. After 1 year, the logs must be archived for compliance with a retention period of 5 years, during which retrievals are expected to be extremely rare (one or two per year) and retrieval time of 12 hours is acceptable. The SysOps administrator wants to minimize storage costs. Which S3 lifecycle policy configuration should be used?

A. After 30 days, transition to S3 Standard-IA; after 365 days, transition to S3 Glacier Deep Archive; delete after 5 years.
B. After 30 days, transition to S3 Glacier Flexible Retrieval; after 365 days, transition to S3 Glacier Deep Archive; delete after 5 years.
C. After 30 days, transition to S3 Glacier Flexible Retrieval; delete after 5 years.
D. After 30 days, transition to S3 Glacier Deep Archive; delete after 5 years.
Answer: B

This lifecycle provides cost-optimized storage: S3 Standard for the first 30 days (frequent access), S3 Glacier Flexible Retrieval for the next 335 days (rare access, 12-hour retrieval acceptable), and S3 Glacier Deep Archive for the final 4+ years (extremely rare access, lowest cost). This minimizes overall costs while meeting retrieval requirements.

Why this answer

Option B is correct because it uses S3 Glacier Flexible Retrieval for the first year after the initial 30 days, which meets the 12-hour retrieval requirement at lower cost than S3 Standard-IA, then transitions to S3 Glacier Deep Archive for the remaining 4 years to minimize storage costs for extremely rare retrievals. The lifecycle policy transitions objects after 30 days to S3 Glacier Flexible Retrieval (retrieval time minutes to 12 hours), then after 365 days to S3 Glacier Deep Archive (retrieval time 12 hours), and deletes after 5 years, aligning with the access patterns and compliance retention.

Exam trap

The trap here is that candidates often choose S3 Standard-IA (Option A) because it seems logical for infrequent access, failing to recognize that S3 Glacier Flexible Retrieval provides lower storage costs for data that is rarely accessed but still needs retrieval within 12 hours, and that a multi-tier lifecycle (Option B) is more cost-effective than a single transition.

How to eliminate wrong answers

Option A is wrong because transitioning to S3 Standard-IA after 30 days is not cost-optimal for data that is rarely accessed after the first 30 days; S3 Glacier Flexible Retrieval offers lower storage costs for infrequent access with a 12-hour retrieval window. Option C is wrong because it does not transition to S3 Glacier Deep Archive after 1 year, missing the opportunity to further reduce storage costs for the 4-year archival period where retrievals are extremely rare. Option D is wrong because transitioning directly to S3 Glacier Deep Archive after 30 days is premature and more expensive than using S3 Glacier Flexible Retrieval for the first year, as Deep Archive has higher retrieval costs and is designed for long-term archival, not for data that may still be accessed occasionally within 12 hours.

1487
MCQ · easy

A company is using Amazon RDS for MySQL and needs to encrypt data at rest. Which action should be taken to enable encryption?

A. Use the RDS console to enable encryption on the existing DB instance.
B. Use AWS KMS to create a customer master key and assign it to the existing DB instance.
C. Modify the existing RDS DB instance and enable encryption.
D. Create a new RDS DB instance with encryption enabled.
Answer: D

Encryption can only be enabled when the DB instance is created.

Why this answer

Amazon RDS for MySQL does not support enabling encryption on an existing DB instance. Encryption at rest must be enabled at the time of instance creation. Therefore, the correct action is to create a new RDS DB instance with encryption enabled, and then migrate the data from the unencrypted instance to the new encrypted one.

Exam trap

The trap here is that candidates assume encryption can be toggled on an existing RDS instance via a modification, similar to enabling encryption on an EBS volume, but RDS requires encryption to be set at launch and cannot be added later.

How to eliminate wrong answers

Option A is wrong because the RDS console does not allow enabling encryption on an existing DB instance; encryption can only be enabled during creation. Option B is wrong because while AWS KMS customer master keys are used for RDS encryption, you cannot assign a KMS key to an existing unencrypted DB instance; encryption must be enabled at launch. Option C is wrong because modifying an existing RDS DB instance does not support enabling encryption; the 'Modify' action does not include an encryption toggle for existing instances.

1488
MCQ · hard

A SysOps administrator is responsible for deploying a critical application using AWS CloudFormation. The stack creation fails during the creation of an Amazon EC2 instance. The error message indicates that the instance type is not supported in the specified Availability Zone. What should the administrator do to prevent this issue in future deployments?

A. Hardcode the Availability Zone in the template to one that supports the instance type.
B. Use a different instance type that is available in all Availability Zones.
C. Change the AWS region to one where the instance type is supported.
D. Use an AWS Systems Manager parameter to dynamically select an available instance type based on the Availability Zone.
Answer: D

Correct: a Systems Manager parameter lets the template look up the instance type at deploy time instead of baking one in.

Why this answer

The correct answer is D. Storing the instance type in a Systems Manager Parameter Store parameter and reading it from the template (for example with a template parameter of type AWS::SSM::Parameter::Value<String>) decouples the choice from the template, so the team can change the type per Region or Availability Zone without editing and redeploying the template. AWS does not publish instance-type availability as a public parameter, so the team maintains the value itself; `aws ec2 describe-instance-type-offerings --location-type availability-zone` is the call that shows where a given type is offered. Option A is wrong because hardcoding an Availability Zone ties every deployment to that zone and fails again as soon as the type is no longer offered there. Option B is wrong because a different instance type may not meet the application's requirements, and no type is guaranteed to exist in every zone. Option C is wrong because changing the Region may not be feasible and does not fix the template.

1489
MCQeasy

A company has two VPCs in the same AWS region. VPC A hosts a web application, and VPC B hosts a database. The SysOps administrator needs to enable private IP communication between the two VPCs without using the public internet. The administrator wants a simple, low-cost solution that uses the AWS network backbone. Which AWS service should be used?

A.VPC Peering
B.AWS Transit Gateway
C.AWS Direct Connect
D.AWS Site-to-Site VPN
AnswerA

VPC Peering directly connects two VPCs using private IPs over the AWS network, simple and cost-effective for a pair of VPCs.

Why this answer

VPC Peering allows direct, private IP connectivity between two VPCs using the AWS network backbone without traversing the public internet. It is the simplest and most cost-effective solution for connecting exactly two VPCs in the same region, as there are no additional hourly charges beyond data transfer costs, and no intermediate devices or bandwidth limitations are introduced.

Exam trap

The trap here is that candidates may choose AWS Transit Gateway because it is a powerful networking hub, but the question explicitly asks for a simple, low-cost solution for only two VPCs, making VPC Peering the correct choice despite Transit Gateway's broader capabilities.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it is designed for hub-and-spoke connectivity across many VPCs and incurs an hourly attachment fee, making it unnecessarily complex and more expensive for a simple two-VPC connection. Option C (AWS Direct Connect) is wrong because it is a dedicated physical connection from an on-premises data center to AWS, not a service for connecting two VPCs within the same region, and it involves significant setup costs and lead times. Option D (AWS Site-to-Site VPN) is wrong because it establishes encrypted tunnels over the public internet between on-premises networks and AWS, not between two VPCs, and it introduces additional latency and complexity compared to VPC Peering.

1490
MCQeasy

A company has enabled AWS CloudTrail in all regions and is logging to an S3 bucket. The security team needs to be alerted within minutes if any IAM user creates a new access key. What is the MOST efficient way to achieve this?

A.Enable S3 event notifications on the CloudTrail bucket to trigger a Lambda function that parses logs and sends an alert.
B.Use AWS Config rules to detect changes to IAM access keys and trigger an SNS notification.
C.Configure CloudTrail to send logs to CloudWatch Logs. Create a metric filter for the IAM event 'CreateAccessKey' and set a CloudWatch alarm that sends an SNS notification.
D.Run a script on an EC2 instance that polls CloudTrail API for new events every minute and sends alerts.
AnswerC

This provides near-real-time alerting with minimal overhead.

Why this answer

Option C is correct because CloudTrail can be configured to deliver events to a CloudWatch Logs log group, where a metric filter matches the 'CreateAccessKey' event and increments a metric. A CloudWatch alarm on that metric then sends an SNS notification. CloudTrail's delivery to CloudWatch Logs is not instantaneous (typically within a few minutes of the API call), which still satisfies the requirement, and the whole chain is managed with no code to write or maintain. (An Amazon EventBridge rule matching the CreateAccessKey management event with an SNS target is an equally native alternative, but it is not among the options.)

Exam trap

The trap here is that candidates often choose S3 event notifications (Option A) because they think it's the simplest, but they overlook the built-in CloudWatch Logs integration which provides faster, more reliable, and fully managed alerting without custom code.

How to eliminate wrong answers

Option A is wrong because CloudTrail writes log files to S3 in batches (typically within about five minutes of the call), and the Lambda function would have to download, decompress and parse each file and maintain its own matching logic; that is more code and more failure modes than a metric filter, not a faster path. Option B is wrong because AWS Config rules are designed for compliance and configuration tracking, not for event-driven alerting; they evaluate resources periodically or on configuration changes, and access keys are not a configuration item Config tracks in the way an API event is. Option D is wrong because running a script on an EC2 instance that polls the CloudTrail API every minute introduces latency, operational overhead, and a single point of failure, making it less efficient than the managed, event-driven approach in option C.
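The metric filter in option C is a pattern string evaluated against each log event. Here is an added example (not from the exam page) that implements the subset of the JSON filter-pattern syntax needed for this alert and runs it over three constructed CloudTrail records in the one-record-per-line shape CloudTrail uses when delivering to CloudWatch Logs. The account id, user names and timestamps are placeholders.

```python
"""Evaluate a CloudWatch Logs JSON metric filter pattern against CloudTrail records.

Added example: a tiny evaluator for the subset of the metric filter syntax used
for IAM event alerting. The sample records are constructed, not real CloudTrail data.
"""
import json
import re

# One condition: optional parens, a $.dotted.selector, = or !=, and a quoted string.
_CONDITION = re.compile(r'^\(?\s*\$\.([\w.]+)\s*(!=|=)\s*"([^"]*)"\s*\)?$')


def _lookup(record, dotted_path):
    """Walk a $.a.b.c selector through nested dicts; None when any key is absent."""
    node = record
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def parse_pattern(pattern):
    """Turn '{ ($.a = "x") && ($.b != "y") }' into [(path, op, value), ...]."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("JSON metric filter patterns are wrapped in { }")
    conditions = []
    for part in body[1:-1].split("&&"):
        match = _CONDITION.match(part.strip())
        if match is None:
            raise ValueError(f"unsupported condition: {part.strip()!r}")
        conditions.append(match.groups())
    return conditions


def matches(pattern, record):
    """True when every && condition holds for this record."""
    for path, op, value in parse_pattern(pattern):
        actual = _lookup(record, path)
        if (actual == value) != (op == "="):
            return False
    return True


def evaluate(pattern, log_lines):
    """Apply the pattern to raw log lines the way a metric filter with metric value 1 would.

    Returns (metric_value, matched_records): the count is what the CloudWatch alarm
    sees, the records are what you would want in the alert body.
    """
    hits = []
    for line in log_lines:
        record = json.loads(line)
        if matches(pattern, record):
            hits.append(record)
    return len(hits), hits


def summarize(record):
    """Who created a key for whom, and when (fields from the CloudTrail record)."""
    return {
        "when": record["eventTime"],
        "who": record["userIdentity"].get("arn"),
        "target_user": record.get("requestParameters", {}).get("userName"),
    }


# Constructed sample log lines (placeholder account id and names).
SAMPLE_LINES = [json.dumps(r) for r in [
    {"eventVersion": "1.08", "eventTime": "2024-05-14T02:03:04Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-14T02:05:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "ListAccessKeys",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-14T02:09:31Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci"},
     "requestParameters": {"userName": "svc-ci"}},
]]

ANY_CREATE = '{ $.eventName = "CreateAccessKey" }'
HUMAN_CREATE = '{ ($.eventName = "CreateAccessKey") && ($.userIdentity.type = "IAMUser") }'

if __name__ == "__main__":
    for pattern in (ANY_CREATE, HUMAN_CREATE):
        count, hits = evaluate(pattern, SAMPLE_LINES)
        print(pattern, "->", count, [summarize(h) for h in hits])
```

The pattern strings are exactly what `aws logs put-metric-filter --filter-pattern` accepts; the alarm on the resulting metric should use a threshold of at least 1 over one period and treat missing data as not breaching, since the metric is only emitted when something matches.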

1491
MCQmedium

A company uses AWS CloudFormation to deploy its infrastructure. The SysOps administrator needs to be notified when a stack creation fails. Which solution meets this requirement with the LEAST effort?

A.Create a CloudWatch alarm that triggers when the CloudFormation stack status is 'CREATE_FAILED'.
B.Use AWS CloudTrail to monitor CreateStack API calls and trigger an SNS notification.
C.Configure an SNS topic in the CloudFormation stack's 'NotificationARNs' parameter.
D.Write a custom script that polls the CloudFormation API every minute and sends an SNS notification on failure.
AnswerC

This is a built-in feature to send stack events to SNS.

Why this answer

Option C is correct because CloudFormation natively delivers every stack event (including CREATE_FAILED and the rollback states that follow it) to the SNS topics listed in the stack's NotificationARNs setting. That setting is chosen when the stack is created or updated (the console's notification options, or --notification-arns in the CLI), not a parameter inside the template. Subscribing the administrator to the topic requires no additional infrastructure, scripting, or monitoring setup, making it the least-effort solution.

Exam trap

The trap here is that candidates often overthink and choose CloudWatch alarms or CloudTrail, not realizing that CloudFormation's built-in SNS notification parameter provides a zero-configuration, event-driven solution for stack failure alerts.

How to eliminate wrong answers

Option A is wrong because CloudWatch cannot directly alarm on CloudFormation stack status; CloudWatch alarms are designed for metrics (e.g., EC2 CPU utilization) and not for CloudFormation stack state changes. Option B is wrong because CloudTrail logs API calls but does not trigger SNS notifications directly; you would need additional services like EventBridge to route the event to SNS, adding complexity. Option D is wrong because writing a custom script to poll the CloudFormation API every minute introduces unnecessary overhead, latency, and maintenance effort, contradicting the 'least effort' requirement.

1492
MCQeasy

A SysOps Administrator needs to allow an EC2 instance in a private subnet to access the internet for software updates. Which AWS service should be used?

A.VPN Connection
B.NAT Gateway
C.Internet Gateway
D.VPC Peering
AnswerB

Correct because a NAT Gateway enables outbound internet access for private subnets.

Why this answer

Option B is correct because a NAT gateway, placed in a public subnet and set as the private subnet's 0.0.0.0/0 route target, lets private instances initiate outbound connections (such as package downloads) while leaving them with no inbound path from the internet. Option A is wrong because a VPN connection provides connectivity to an on-premises network, not to the internet. Option C is wrong because an internet gateway only serves instances that have a public or Elastic IP and sit in a subnet routed to it; attaching one does not give private instances internet access on its own (it is what the NAT gateway's public subnet relies on). Option D is wrong because VPC peering connects two VPCs and does not provide internet access.

1493
MCQeasy

A SysOps administrator is troubleshooting a Lambda function that does not write logs to CloudWatch Logs. The IAM role attached to the function includes the policy shown. What is the most likely reason the logs are not being created?

A.The log group name in the Resource ARN does not match the actual log group created by the Lambda function.
B.The IAM role is not assigned to the Lambda function's execution role.
C.The Lambda function is in a VPC without a VPC endpoint for CloudWatch Logs.
D.The policy does not include the logs:PutLogEvents permission.
AnswerA

Lambda writes to the log group /aws/lambda/<function name>; a policy scoped to a different (or differently cased) name blocks writing.

Why this answer

Option A is correct because Lambda writes to a log group named /aws/lambda/<function name>, and the match is exact and case-sensitive. The policy only grants permissions for the specific log group '/aws/lambda/my-function', so a function named 'MyFunction' tries to write to '/aws/lambda/MyFunction' and is denied. Option B is wrong because the question states the policy is on the role attached to the function. Option C is wrong because the Lambda service, not the function's VPC network interface, delivers the function's logs to CloudWatch Logs, so a VPC-attached function needs no logs endpoint for its own logging. Option D is wrong because the policy includes logs:PutLogEvents.

1494
MCQmedium

A company's application running on EC2 instances is experiencing intermittent errors. The SysOps team needs to collect and analyze application logs from all instances centrally. The logs must be stored durably and searchable with minimal latency. Which solution meets these requirements?

A.Enable AWS CloudTrail and store logs in an S3 bucket.
B.Use Amazon Kinesis Data Firehose to send logs directly from each instance to Amazon Redshift.
C.Install the CloudWatch Logs agent on each EC2 instance and stream logs to Amazon CloudWatch Logs.
D.Store logs locally on each instance and periodically copy them to Amazon S3.
AnswerC

CloudWatch Logs provides centralized log storage, search, and real-time analysis.

Why this answer

Option C is correct because the CloudWatch Logs agent (or unified CloudWatch agent) installed on each EC2 instance can stream application logs in near real-time to Amazon CloudWatch Logs, which provides durable storage, automatic encryption at rest, and a searchable interface via the console, CLI, or API with minimal latency. This centralized logging solution meets the requirements for collecting logs from all instances, storing them durably, and enabling immediate querying without additional infrastructure.

Exam trap

The trap here is that candidates may confuse CloudTrail (API logging) with application logging, or assume that S3 periodic uploads are sufficient for 'minimal latency' searchability, when in fact CloudWatch Logs is the native AWS service designed for real-time log ingestion and querying from EC2 instances.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity for governance and auditing, not application-level logs generated by processes running on EC2 instances; it cannot capture stdout, stderr, or custom application log files. Option B is wrong because Amazon Kinesis Data Firehose is a streaming ingestion service that delivers data to destinations like S3 or Redshift, but sending logs directly from each instance to Firehose without an agent or SDK is not a standard pattern, and Amazon Redshift is a data warehouse optimized for analytical queries, not a low-latency log search engine; this adds unnecessary complexity and cost. Option D is wrong because storing logs locally on each instance risks data loss on instance termination or failure, and periodically copying logs to S3 introduces latency that prevents real-time searchability, failing the 'minimal latency' requirement.

1495
MCQeasy

A SysOps administrator needs to track changes to security groups in the AWS account. Which AWS service should be used to record configuration changes and provide a history of security group modifications?

A.AWS Trusted Advisor
B.Amazon CloudWatch
C.AWS Config
D.AWS CloudTrail
AnswerC

Config records configuration changes and provides a historical view.

Why this answer

AWS Config is the correct service because it provides a detailed inventory of AWS resources, records configuration changes, and maintains a historical timeline of those changes. For security groups, AWS Config can track modifications such as rule additions, deletions, or updates, and it can trigger evaluations against desired configurations. This makes it the ideal service for auditing and compliance use cases involving security group changes.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which records resource configuration state and history), leading them to choose CloudTrail for change tracking when Config is the service designed for configuration history and compliance auditing.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and makes recommendations based on AWS best practices, but it does not record or maintain a history of configuration changes to resources like security groups. Option B is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms; it can detect and alert on changes via CloudWatch Events (now Amazon EventBridge), but it does not natively store a historical record of configuration changes or provide a timeline of modifications. Option D is wrong because AWS CloudTrail records API calls and events, including those that modify security groups, but it focuses on who made the call and when, not on the state or configuration history of the resource itself; CloudTrail does not provide a point-in-time configuration snapshot or a change timeline for the resource's configuration.

1496
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive data in an S3 bucket. The security team has mandated that all data in transit to the S3 bucket must be encrypted using TLS. The SysOps administrator configured the application to use HTTPS endpoints for S3. However, a security audit reveals that some requests to S3 are still being sent over HTTP. The administrator checks the VPC Flow Logs and sees that the EC2 instances are communicating with the S3 bucket via a VPC endpoint. The company also uses an S3 bucket policy that allows access only from the VPC endpoint. What is the most likely reason that some requests are sent over HTTP?

A.The VPC endpoint is not encrypting traffic between the instances and the endpoint.
B.The VPC endpoint is configured for HTTP instead of HTTPS.
C.The S3 bucket policy does not require HTTPS for requests.
D.The application is not configured to use HTTPS for all S3 requests.
AnswerD

The application must use HTTPS endpoints; otherwise, traffic is HTTP.

Why this answer

Option D is correct because a gateway VPC endpoint for S3 is only a route target: it steers traffic for the S3 prefix list onto the AWS network, and it neither terminates nor adds TLS. Whether a request is HTTP or HTTPS is decided entirely by the client, so if any code path (an SDK configured with an http:// endpoint, a curl call, a legacy library) uses HTTP, that request crosses the endpoint in plaintext. Option A is wrong because the endpoint is not expected to encrypt anything; TLS is end-to-end between the application and S3. Option B is wrong because a gateway endpoint has no HTTP or HTTPS setting. Option C is wrong as the cause, though it points at the fix: the bucket policy described allows access only from the endpoint and says nothing about transport. Adding a Deny statement conditioned on "Bool": {"aws:SecureTransport": "false"} makes S3 reject plaintext requests outright, and filtering the VPC Flow Logs for destination port 80 toward the S3 prefix list identifies the instances still sending them.
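As an added example (not part of the question), the check a practitioner would run over a bucket policy before and after adding the transport requirement. The bucket name example-bucket and endpoint id vpce-example are placeholders; the first policy is the endpoint-only policy the question describes, the second adds the plaintext Deny.

```python
"""Check an S3 bucket policy for a statement that rejects plaintext (non-TLS) requests.

Added example, not from the question: a small audit function plus two constructed
policies for a bucket named example-bucket and an endpoint id vpce-example.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers_bucket(resources, bucket):
    """The Deny must name both the bucket and its objects (or use a wildcard)."""
    have = set(_as_list(resources))
    if "*" in have:
        return True
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"} <= have


def denies_plaintext(policy_json, bucket):
    """True if some statement is Deny, for any principal, on s3:*, for the bucket
    and its objects, conditioned on aws:SecureTransport being false."""
    policy = json.loads(policy_json)
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Deny":
            continue
        if statement.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not {"s3:*", "*"} & set(_as_list(statement.get("Action", []))):
            continue  # partial action lists are deliberately not accepted here
        flag = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if _covers_bucket(statement.get("Resource", []), bucket):
            return True
    return False


# The policy as the question describes it: access only through the VPC endpoint.
VPCE_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyFromEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-example"}},
    }],
})

# The same policy with the transport requirement added.
VPCE_AND_TLS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        json.loads(VPCE_ONLY)["Statement"][0],
        {
            "Sid": "DenyPlaintext",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for name, policy in (("vpce-only", VPCE_ONLY), ("vpce-and-tls", VPCE_AND_TLS)):
        print(name, "rejects plaintext:", denies_plaintext(policy, "example-bucket"))
```

The Deny takes effect for every client, including ones the audit has not yet found, so confirm from the flow logs (destination port 80 toward the S3 prefix list) which instances will start failing before applying it.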

1497
Multi-Selecthard

A SysOps administrator is troubleshooting a Lambda function that is not processing messages from an SQS queue. The function is subscribed to the queue via an event source mapping. The function has a reserved concurrency of 0. Which TWO actions will resolve the issue?

Select 2 answers
A.Add SQS permissions to the Lambda execution role.
B.Configure a dead-letter queue for the Lambda function.
C.Set the reserved concurrency to a value greater than 0.
D.Enable the event source mapping if it is disabled.
E.Increase the batch size in the event source mapping.
AnswersC, D

Reserved concurrency of 0 blocks every invocation, and a disabled event source mapping polls nothing; both have to be fixed.

Why this answer

Reserved concurrency of 0 means the function has no execution capacity at all, so the SQS poller cannot invoke it and messages stay in the queue, becoming visible again after each visibility timeout. Setting reserved concurrency to a positive value (or removing the reservation so the function draws on the account's unreserved pool) restores capacity; a very small value still leaves the poller's batches throttled and returned to the queue. The event source mapping must also be enabled: a disabled mapping polls nothing, whatever the concurrency. Option A would matter only if the execution role lacked sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes, which the question does not indicate. Option B configures where failed asynchronous invocations go and does not affect SQS polling. Option E changes how many messages each invocation receives, not whether invocations happen.

Exam trap

The trap here is that candidates often overlook reserved concurrency of 0 as a valid configuration that completely blocks invocations, and instead focus on permissions or queue settings, not realizing that a concurrency limit of 0 is a deliberate disablement mechanism.

1498
Multi-Selectmedium

A SysOps administrator needs to design a VPC with public and private subnets for a web application. Which TWO components are required to allow instances in the private subnet to access the internet?

Select 2 answers
A.NAT gateway in a public subnet
B.Route table entry in the private subnet routing 0.0.0.0/0 to the NAT gateway
C.VPC endpoint for S3
D.Internet gateway attached to the VPC
E.Virtual private gateway
AnswersA, B

NAT gateway enables outbound internet access for private instances.

Why this answer

Options A and B are correct. A NAT gateway (or NAT instance) in a public subnet, plus a 0.0.0.0/0 route in the private subnet's route table pointing at it, is what lets private instances reach the internet. Option D is not one of the two selected only because the question presupposes a public subnet, which by definition already routes to an internet gateway; a NAT gateway cannot reach the internet without one, so in a VPC built from scratch it is a prerequisite as well. Option C is wrong because a gateway endpoint for S3 provides private access to S3 only. Option E is wrong because a virtual private gateway terminates Site-to-Site VPN or Direct Connect for hybrid connectivity, not internet access.

1499
MCQmedium

A company uses Amazon CloudWatch Logs to store application logs. The security team needs to be alerted when any log group contains a specific error pattern. The solution must minimize latency and operational overhead. What should a SysOps administrator do?

A.Stream the logs to Amazon Kinesis Data Firehose, which then triggers a Lambda function to check for errors.
B.Create a CloudWatch metric filter on the log group and set an alarm that triggers an SNS notification.
C.Create a Lambda function subscribed to the CloudWatch Logs log group, which checks for the error pattern and publishes to an SNS topic.
D.Use CloudWatch Logs Insights to run a query every minute and send results via SNS.
AnswerC

Lambda subscription provides real-time processing and can apply custom logic to detect patterns.

Why this answer

Option C is correct because a subscription filter on the log group delivers log events to the Lambda function as they are ingested, so the function can test each message against the error pattern and publish to an SNS topic immediately. Nothing is polled and no other service is deployed, and the subscription filter's own pattern can be set so that only candidate events reach the function at all.

Exam trap

The trap here is that candidates may choose Option B (metric filter and alarm) because it needs no code, but they overlook what the question asks for: a metric filter turns matches into a count that a CloudWatch alarm evaluates per period (standard-resolution metric data is per minute), and the alarm notification carries the count, not the offending log line. A subscription delivers each log event to the function as it arrives, so the alert can be immediate and include the message.

How to eliminate wrong answers

Option A is wrong because Kinesis Data Firehose buffers records (by size or by time interval) before delivering them to destinations such as S3 or Redshift, so it adds latency and an extra component in front of the same Lambda function. Option B is wrong because a metric filter only increments a metric; the alarm on it is evaluated per period against a threshold, which delays the alert and collapses several errors in one period into a single alarm state change. Option D is wrong because CloudWatch Logs Insights is an interactive query service with no scheduler of its own; running it from a scheduled job (EventBridge allows a one-minute minimum rate) means polling, plus a custom script to read results and publish them, so it is both slower and more to operate than the event-driven subscription.
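The function behind option C has to unpack the delivery format before it can look for the pattern. Here is an added example (not from the exam page) of that handler, with a constructed delivery in the exact shape CloudWatch Logs sends (base64 of gzip of JSON). The error regex, log group name, stream name and messages are assumptions, and the SNS publish call is injected so the code runs offline.

```python
"""Decode a CloudWatch Logs subscription delivery and flag log events that match an error pattern.

Added example, not from the question: the handler a subscribed Lambda would run.
The error regex, log group names and messages are assumptions; the payload is built
locally in the shape CloudWatch Logs uses (base64 of gzip of JSON).
"""
import base64
import gzip
import json
import re

# The "specific error pattern" is not given on the page; this one is an assumption.
ERROR_PATTERN = re.compile(r"\b(ERROR|FATAL)\b")


def decode_subscription_event(event):
    """CloudWatch Logs sends {"awslogs": {"data": base64(gzip(json))}}."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def find_errors(event, pattern=ERROR_PATTERN):
    payload = decode_subscription_event(event)
    # The first delivery after a subscription is created is a CONTROL_MESSAGE with no log data.
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    return [
        {
            "logGroup": payload["logGroup"],
            "logStream": payload["logStream"],
            "timestamp": entry["timestamp"],
            "message": entry["message"],
        }
        for entry in payload["logEvents"]
        if pattern.search(entry["message"])
    ]


def lambda_handler(event, context, publish=lambda message: None):
    """Lambda entry point. `publish` stands in for sns.publish(TopicArn=..., Message=...)
    so the example runs offline; in AWS you would pass a boto3 SNS client call."""
    hits = find_errors(event)
    for hit in hits:
        publish(json.dumps(hit))
    return {"matched": len(hits), "hits": hits}


def make_subscription_event(log_group, log_stream, messages, message_type="DATA_MESSAGE"):
    """Build a delivery in the shape CloudWatch Logs produces (constructed test input)."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": ["errors-to-lambda"],
        "logEvents": [
            {"id": str(i), "timestamp": 1715652184000 + i, "message": m}
            for i, m in enumerate(messages)
        ],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode("utf-8"))).decode("ascii")
    return {"awslogs": {"data": data}}


# Constructed sample delivery: four log lines, two of which match.
SAMPLE_EVENT = make_subscription_event("/app/web", "i-0example", [
    "INFO request served in 12 ms",
    "ERROR handler failed: AccessDenied calling s3:GetObject",
    "WARN retrying upstream call",
    "FATAL worker exited: out of memory",
])

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, publish=print))
```

Give the subscription filter itself a pattern such as `?ERROR ?FATAL` so that only candidate events invoke the function; the regex in the handler then does the finer match and the publish carries the full log line, log group and stream to the security team.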

1500
MCQmedium

A company uses AWS Systems Manager Patch Manager to automate patching of Amazon EC2 instances. The SysOps administrator needs to configure a maintenance window that will patch instances on the second Tuesday of every month at 2:00 AM. The administrator wants to ensure that patches are automatically applied but reboots are only performed if required. Which combination of configurations should the administrator use?

A.Create a maintenance window with a cron schedule of cron(0 2 ? * TUE#2 *) and use an AWS-RunPatchBaseline document with operation 'Install' and reboot option 'RebootIfNeeded'.
B.Create a maintenance window with a rate schedule of 30 days and use an AWS-ApplyPatchBaseline document with operation 'Scan' and reboot option 'RebootIfNeeded'.
C.Create a maintenance window with a cron schedule of cron(0 2 14 * ? *) and use an AWS-RunPatchBaseline document with operation 'Install' and reboot option 'RebootIfNeeded'.
D.Create a maintenance window with a cron schedule of cron(0 2 2 * 2 *) and use an AWS-InstallPatchBaseline document with operation 'Install' and reboot option 'NoReboot'.
AnswerA

This schedule correctly specifies the second Tuesday of each month at 2 AM. The document and operation apply patches, and RebootIfNeeded only reboots if necessary.

Why this answer

Option A is correct because it uses the cron expression `cron(0 2 ? * TUE#2 *)` to schedule the maintenance window for the second Tuesday of every month at 2:00 AM, and the `AWS-RunPatchBaseline` document with operation `Install` and reboot option `RebootIfNeeded` ensures patches are applied automatically and reboots only occur when required by the patch installation.

Exam trap

The trap here is that candidates often confuse the cron syntax for 'second Tuesday' (TUE#2 in the day-of-week field, with ? in day-of-month) with simpler day-of-month or day-of-week expressions, or mistake other document names for the current one: AWS-ApplyPatchBaseline is a legacy, Windows-only document that AWS-RunPatchBaseline replaced, and AWS-InstallPatchBaseline is not a Systems Manager document at all.

How to eliminate wrong answers

Option B is wrong because a rate of 30 days drifts relative to the calendar and never pins to the second Tuesday; AWS-ApplyPatchBaseline is a legacy Windows-only document superseded by AWS-RunPatchBaseline; and operation Scan only reports missing patches without installing them. Option C is wrong because cron(0 2 14 * ? *) fires on the 14th of every month whatever the weekday; the second Tuesday falls between the 8th and the 14th, so this coincides with it only in months where the 14th happens to be a Tuesday. Option D is wrong on three counts: cron(0 2 2 * 2 *) sets both day-of-month and day-of-week, which AWS cron rejects (exactly one of the two must be ?); even read literally, AWS cron numbers the week from 1 = Sunday, so day-of-week 2 is Monday, not Tuesday; and AWS-InstallPatchBaseline is not a Systems Manager document, while the NoReboot option leaves instances unrebooted even when a patch requires it, contradicting the requirement.
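To check schedules like these without waiting a month, here is an added example (not from the exam page) that evaluates the day fields of the cron expressions above against a calendar year. It handles only the syntax those expressions use (*, ?, a plain number, and NAME#n), ignores the minute, hour and year fields, and applies the AWS rules that exactly one of day-of-month and day-of-week is ? and that the week is numbered from 1 = Sunday.

```python
"""Check which days an AWS cron(...) expression's day fields fire on.

Added example: covers only the subset of AWS cron syntax used on this page
('*', '?', a number, NAME#n) and ignores minute, hour and year.
"""
from datetime import date, timedelta

# AWS cron numbers the week 1 = SUN ... 7 = SAT; Python's weekday() is 0 = MON ... 6 = SUN.
_DOW_NAMES = {"SUN": 1, "MON": 2, "TUE": 3, "WED": 4, "THU": 5, "FRI": 6, "SAT": 7}


def aws_weekday(d):
    """Convert a date to AWS's 1 = Sunday numbering."""
    return (d.weekday() + 1) % 7 + 1


def _dow_number(token):
    return _DOW_NAMES[token.upper()] if token.upper() in _DOW_NAMES else int(token)


def parse_aws_cron(expr):
    """Split cron(...) into its six fields and apply the day-of-month/day-of-week '?' rule."""
    body = expr.strip()
    if not (body.startswith("cron(") and body.endswith(")")):
        raise ValueError("expected cron(...)")
    fields = body[5:-1].split()
    if len(fields) != 6:
        raise ValueError("AWS cron takes six fields: minutes hours day-of-month month day-of-week year")
    minute, hour, dom, month, dow, year = fields
    if (dom == "?") == (dow == "?"):
        raise ValueError("exactly one of day-of-month and day-of-week must be '?'")
    return {"minute": minute, "hour": hour, "dom": dom, "month": month, "dow": dow, "year": year}


def is_valid_aws_cron(expr):
    try:
        parse_aws_cron(expr)
        return True
    except ValueError:
        return False


def _day_matches(fields, d):
    if fields["month"] != "*" and int(fields["month"]) != d.month:
        return False
    if fields["dom"] != "?":
        return fields["dom"] == "*" or int(fields["dom"]) == d.day
    dow = fields["dow"]
    if dow == "*":
        return True
    if "#" in dow:  # NAME#n: the n-th such weekday of the month
        name, nth = dow.split("#")
        return aws_weekday(d) == _dow_number(name) and (d.day - 1) // 7 + 1 == int(nth)
    return aws_weekday(d) == _dow_number(dow)


def firing_days(expr, year):
    """All dates in `year` on which the expression's day fields match."""
    fields = parse_aws_cron(expr)
    d = date(year, 1, 1)
    out = []
    while d.year == year:
        if _day_matches(fields, d):
            out.append(d)
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    for expr in ("cron(0 2 ? * TUE#2 *)", "cron(0 2 14 * ? *)"):
        print(expr, [d.isoformat() for d in firing_days(expr, 2024)])
    print("cron(0 2 2 * 2 *) valid?", is_valid_aws_cron("cron(0 2 2 * 2 *)"))
```

For 2024 the TUE#2 expression yields twelve Tuesdays between the 8th and the 14th, the day-of-month 14 expression lands on a Tuesday in only one of its twelve runs, and the option D expression is rejected before any date is examined.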
