AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 151-225

1546 questions total · 21 pages · All types, answers revealed

Page 3 of 21
151 · MCQ · medium

A company is using Amazon CloudFront to distribute content globally. The origin is an S3 bucket. The SysOps administrator notices that cache hit ratio is low. Which configuration change would MOST improve the cache hit ratio?

A. Use query string parameters to differentiate content.
B. Configure custom error responses for 404 errors.
C. Set longer Cache-Control max-age headers on the S3 objects.
D. Enable Origin Shield for the distribution.
Answer: C

Longer cache durations mean objects are stored in edge caches for longer, increasing the likelihood of cache hits.

Why this answer

Option C is correct because setting appropriate Cache-Control headers (like max-age) on the objects tells CloudFront how long to cache them, directly increasing cache hits. Option D is wrong because enabling Origin Shield can reduce load on the origin but does not directly improve the cache hit ratio; it aggregates requests. Option A is wrong because using query string parameters can fragment the cache if not configured properly, potentially reducing the hit ratio.

Option B is wrong because custom error responses do not affect caching of successful responses.

152 · MCQ · hard

A company is using Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access so that only CloudFront can access the S3 bucket. How should this be configured?

A. Configure Origin Access Control (OAC) with the S3 bucket policy.
B. Use CloudFront signed URLs or cookies.
C. Attach an IAM role to CloudFront that grants S3 read access.
D. Create a bucket policy that allows access only from the CloudFront distribution's IP addresses.
Answer: A

OAC is the recommended way to restrict S3 access to CloudFront.

Why this answer

Option A is correct because Origin Access Control (OAC) ensures only CloudFront can access the bucket. Option D is wrong because bucket policies can be used, but OAC is the modern recommended approach. Option B is wrong because CloudFront key pairs are for signed URLs/cookies, not origin access.

Option C is wrong because IAM roles are used for EC2, not for CloudFront access to S3.

153 · MCQ · easy

A SysOps administrator needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used to record these changes?

A. Amazon CloudWatch Logs
B. AWS Config
C. AWS CloudTrail
D. Amazon S3
Answer: C

CloudTrail logs API activity for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API calls, including IAM policy changes. Option B is wrong because AWS Config records resource configuration changes but not all API calls; it can track IAM policy changes via rules, but CloudTrail is more direct for auditing API calls. Option A is wrong because CloudWatch Logs can store logs but does not capture them initially.

Option D is wrong because S3 is a storage service, not a logging service.

154 · MCQ · medium

A company is using AWS CloudFormation to manage infrastructure. They have a stack that creates an EC2 instance and an Elastic IP. The instance is in a VPC with an internet gateway. The stack creation succeeds, but the instance does not have internet connectivity. What is the most likely cause?

A. The subnet's route table does not have a route to the internet gateway.
B. The instance does not have a public IP address.
C. The instance is in a private subnet.
D. The security group does not allow outbound traffic.
Answer: A

Without a route to the IGW, traffic cannot reach the internet.

Why this answer

Option A is correct: the Elastic IP already gives the instance the public IP address it needs to communicate with the internet, so the missing piece is a route to the internet gateway in the subnet's route table. Option B is wrong because the Elastic IP attached to the instance provides a public IP. Option D is wrong because the security group allows outbound traffic by default.

Option C is wrong because the instance might be in a private subnet, but the question says the VPC has an IGW.

155 · MCQ · medium

A company runs a critical application on Amazon EC2 instances with data stored on Amazon EBS volumes. The SysOps administrator needs to implement a backup strategy that supports point-in-time recovery with a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 4 hours. Which solution meets these requirements with the least operational overhead?

A. Use AWS Backup to schedule hourly EBS snapshots and restore to a new volume when needed.
B. Use Amazon Data Lifecycle Manager (DLM) to take hourly snapshots and create an AWS CloudFormation template to launch a new instance from the snapshot.
C. Use custom scripts to copy snapshots to an Amazon S3 bucket and restore from there.
D. Use Amazon S3 Lifecycle policies to transition data to Amazon S3 Glacier.
Answer: A

AWS Backup provides a centralized way to define backup policies (including hourly schedules) and automates retention. Restoring from a snapshot is straightforward and can be done within the RTO.

Why this answer

AWS Backup provides a fully managed, policy-based backup service that can schedule EBS snapshots hourly, meeting the 1-hour RPO. Restoring from an AWS Backup snapshot to a new EBS volume and attaching it to an EC2 instance can be completed within the 4-hour RTO, with minimal operational overhead as it eliminates the need for custom scripts or lifecycle management.

Exam trap

The trap here is that candidates may choose DLM (Option B) because it can schedule snapshots, but they overlook the operational overhead of manually creating a CloudFormation template for recovery, whereas AWS Backup provides a fully managed restore workflow that meets the least operational overhead requirement.

How to eliminate wrong answers

Option B is wrong because Amazon Data Lifecycle Manager (DLM) can schedule hourly snapshots, but requiring a CloudFormation template to launch a new instance from the snapshot adds unnecessary operational overhead and complexity, whereas AWS Backup can directly restore the volume and instance. Option C is wrong because using custom scripts to copy snapshots to S3 introduces additional complexity, potential for errors, and does not leverage native AWS backup services, increasing operational overhead. Option D is wrong because Amazon S3 Lifecycle policies are designed for object lifecycle management in S3, not for EBS snapshots or point-in-time recovery of EC2 instances, and S3 Glacier is for archival, not rapid recovery with a 4-hour RTO.

156 · MCQ · medium

A SysOps administrator notices that an Amazon EC2 instance's CPU utilization is consistently above 90% during business hours. The instance is part of an Auto Scaling group with a simple scaling policy based on average CPU utilization. However, the Auto Scaling group is not launching new instances. What is the most likely cause?

A. The scaling policy is in a cooldown period after a previous scaling activity.
B. The Auto Scaling group has a minimum size equal to the current number of instances.
C. The Auto Scaling group has a scheduled scaling action that is overriding the dynamic policy.
D. The instance is not healthy and is being terminated by the Auto Scaling group.
Answer: A

Cooldown prevents additional scaling actions until it expires.

Why this answer

The simple scaling policy in Auto Scaling has a cooldown period (default 300 seconds) that prevents the group from launching or terminating instances immediately after a previous scaling activity. If the policy triggered a scale-out event recently, the cooldown period is still active, so even though CPU utilization remains above 90%, no new instances are launched until the cooldown expires. This is the most likely cause because the cooldown is designed to stabilize metrics and avoid thrashing.

Exam trap

The trap here is that candidates often assume high CPU utilization always triggers a scale-out immediately, forgetting that simple scaling policies enforce a cooldown period that can delay subsequent scaling actions, even when the metric remains elevated.

How to eliminate wrong answers

Option B is wrong because if the minimum size equals the current number of instances, the Auto Scaling group would still launch new instances to meet the desired capacity set by the scaling policy; the minimum size only prevents scaling below that number, not above it. Option C is wrong because a scheduled scaling action overrides dynamic policies only at the scheduled time, but it does not block the dynamic policy from acting during business hours unless the scheduled action explicitly sets the desired capacity to a value that prevents scaling. Option D is wrong because an unhealthy instance is terminated and replaced by the Auto Scaling group, which would launch a new instance, not block scaling; the group would still respond to high CPU utilization with a new launch.

157 · MCQ · medium

A SysOps administrator is tasked with encrypting data at rest for an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption keys be managed by AWS and rotated automatically. Which encryption solution meets these requirements?

A. Use client-side encryption with AWS KMS.
B. Use server-side encryption with customer-provided keys (SSE-C).
C. Use server-side encryption with Amazon S3-managed keys (SSE-S3).
D. Use server-side encryption with AWS KMS (SSE-KMS).
Answer: C

SSE-S3 uses keys managed and automatically rotated by AWS.

Why this answer

Option C is correct because SSE-S3 provides server-side encryption with Amazon S3-managed keys, and AWS automatically rotates the keys. Option B is wrong because SSE-C requires the customer to manage and provide the encryption keys. Option D is wrong because SSE-KMS uses customer-managed KMS keys, which are not automatically rotated unless rotation is enabled.

Option A is wrong because client-side encryption is not managed by AWS.

158 · MCQ · medium

A SysOps administrator notices that an EC2 instance's CPU utilization is consistently above 90% during business hours. The instance is part of an Auto Scaling group with a scaling policy based on average CPU utilization. Despite high utilization, no scaling events are triggered. What is the most likely cause?

A. The scaling policy has a cooldown period that is too long, preventing new scaling activities.
B. The instance type is not supported by the Auto Scaling group's launch configuration.
C. The CloudWatch alarm is in the ALARM state but the Auto Scaling group has a suspended process for Add instances.
D. The Auto Scaling group's health check type is set to ELB, causing the instance to be marked unhealthy.
Answer: A

A long cooldown period can delay or prevent scaling actions, even if the metric is high.

Why this answer

The most likely cause is that the scaling policy has a cooldown period that is too long. After a scaling activity completes, the Auto Scaling group enters a cooldown period that prevents additional scaling activities from being triggered until the cooldown expires. If the cooldown period is set too long (e.g., 600 seconds or more), the group will not launch new instances even if the CloudWatch alarm remains in ALARM state with high CPU utilization, because the scaling policy is blocked from executing.

Exam trap

The trap here is that candidates often assume a scaling policy will always trigger when the CloudWatch alarm is in ALARM state, overlooking the cooldown period as a deliberate throttling mechanism that can prevent scaling activities from being initiated.

How to eliminate wrong answers

Option B is wrong because if the instance type were not supported by the launch configuration, the instance would fail to launch or would be in an impaired state, but the existing instance would still be running and scaling events would still be triggered (though they might fail). Option C is wrong because if the Add instances process were suspended, the Auto Scaling group would not launch new instances at all, but the question states that no scaling events are triggered, which implies the scaling policy itself is not executing; a suspended process would still allow the CloudWatch alarm to trigger a scaling event (which would then be blocked), but the event would still appear in the scaling activity history. Option D is wrong because the health check type being set to ELB would cause the instance to be marked unhealthy only if the ELB health checks fail, but high CPU utilization alone does not cause an ELB health check failure; the instance would still be considered healthy and scaling events would still be triggered based on the CloudWatch alarm.

159 · Drag & Drop · medium

Drag and drop the steps to troubleshoot an unhealthy target in an Application Load Balancer target group into the correct order.

Why this order

Troubleshooting starts with security group rules, then health check configuration, then instance and application status, then logs, and finally replacement if needed.

160 · MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team requires that all API calls made in any account be logged to a centralized S3 bucket in the management account. Additionally, the team wants to be alerted when an IAM user in any account creates a new access key. Currently, CloudTrail is enabled in each account but logs are stored locally. Which solution meets these requirements with the least operational overhead?

A. Use CloudWatch Logs cross-account subscription to send logs from each account's CloudTrail log group to a central account. Create a metric filter and alarm on CreateAccessKey events.
B. Create a CloudTrail trail in each account that sends logs to a centralized S3 bucket in the management account. Create an SNS topic in each account to alert on CreateAccessKey.
C. Enable CloudTrail in all accounts and use an AWS Lambda function to copy logs from each account's S3 bucket to the centralized bucket. Create a CloudWatch Events rule in each account to send alerts on CreateAccessKey.
D. Create a new CloudTrail organization trail in the management account that logs events to a centralized S3 bucket. Then create an Amazon EventBridge rule in the management account that matches the CreateAccessKey event and sends a notification via SNS.
Answer: D

Organization trails simplify logging across accounts; EventBridge can capture events from all accounts.

Why this answer

Option D is correct because an organization trail logs API calls from all accounts to a single S3 bucket, and EventBridge can be set up to alert on CreateAccessKey events across accounts. Option C is wrong because it requires a Lambda function to aggregate logs, adding complexity. Option B is wrong because it replicates the organization trail but uses separate SNS topics per account.

Option A is wrong because it uses a CloudWatch Logs cross-account subscription, which is more complex.

161 · Multi-Select · medium

A company wants to automatically remediate an Amazon EC2 instance that becomes unresponsive by rebooting it. The solution should use AWS managed services to minimize custom code. Which combination should a SysOps administrator use? (Choose TWO.)

A. Amazon EC2 Auto Scaling and lifecycle hooks
B. Amazon CloudWatch alarm on EC2 status check failures
C. Amazon CloudWatch alarm and AWS Lambda function
D. Amazon EventBridge rule to trigger an SNS notification
E. AWS Systems Manager Automation document to reboot the instance
Answers: B, E

Status checks detect unresponsive instances.

Why this answer

Option B is correct because Amazon CloudWatch can monitor EC2 status check failures (both system and instance checks) and trigger an alarm. When the alarm enters the ALARM state, it can directly invoke an AWS Systems Manager Automation document to reboot the instance, which is a managed, code-free remediation approach. This combination minimizes custom code by using built-in AWS services.

Exam trap

The trap here is that candidates often choose Option C (CloudWatch alarm + Lambda) because it is a common pattern, but the question explicitly requires minimizing custom code, making the managed Systems Manager Automation document the correct choice over a custom Lambda function.

162 · MCQ · medium

A company is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The database password is stored in AWS Secrets Manager. The CloudFormation template references the secret using a dynamic reference. However, the stack creation fails with an error that the secret cannot be retrieved. What is the most likely cause?

A. The secret is in a different AWS Region.
B. The stack name does not match the secret name.
C. The template uses the wrong dynamic reference syntax.
D. The CloudFormation service role lacks permissions to read the secret.
Answer: D

The role used by CloudFormation must have secretsmanager:GetSecretValue permission.

Why this answer

To use dynamic references, the CloudFormation service role must have permission to read the secret. The stack name and parameters are not related to secret retrieval. The secret must be in the same region.

The template syntax might be incorrect, but the most common issue is missing permissions.

163 · Multi-Select · medium

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The application stores data on an Amazon EBS volume. The SysOps administrator needs to implement a backup strategy that ensures data can be recovered in the event of an AZ failure. Which TWO actions should be taken? (Choose TWO.)

A. Increase the EBS volume size to maximize I/O performance.
B. Configure automated snapshots using Amazon Data Lifecycle Manager.
C. Create a lifecycle policy to automatically take snapshots of the EBS volume and copy them to another region.
D. Enable EBS encryption using AWS KMS.
E. Enable EBS Multi-Attach to allow the volume to be attached to instances in another AZ.
Answers: B, C

DLM automates snapshot creation and retention.

Why this answer

Options B and C are correct. Option C: cross-region snapshot copy protects against AZ failure by storing data in another region. Option B: automating snapshots with Data Lifecycle Manager ensures regular backups.

Option E is wrong because EBS Multi-Attach does not provide backup. Option A is wrong because increasing the volume size does not provide backup. Option D is wrong because EBS encryption protects data at rest but not against failure.

164 · Multi-Select · hard

A company's security team requires that all API calls to AWS services are encrypted in transit using TLS 1.2 or higher. Which TWO actions should be taken to enforce this?

A. Enable AWS CloudTrail to log all API calls.
B. Configure EC2 security groups to only allow HTTPS traffic.
C. Use AWS CloudTrail to monitor for API calls using TLS 1.0 and generate alerts.
D. Create an IAM policy that denies access unless the request uses TLS 1.2.
E. Create an SCP that denies AWS API calls using protocols lower than TLS 1.2.
Answers: C, E

CloudTrail can log TLS version; monitoring and alerting can detect non-compliance.

Why this answer

Options C and E are correct. Using an SCP that denies requests without TLS 1.2 and using CloudTrail to monitor for non-compliant requests are effective. Option D is wrong because IAM policies cannot enforce protocol versions.

Option B is wrong because EC2 security groups control network traffic, not API calls, and enforcing HTTPS only is not enough; the TLS version matters.

165 · Multi-Select · easy

Which TWO of the following are features of Amazon Route 53? (Select TWO.)

A. SSL/TLS termination
B. Health checking of resources
C. SSL certificate management
D. Domain name registration
E. Content caching at edge locations
Answers: B, D

Route 53 can health check endpoints and route traffic away from unhealthy ones.

Why this answer

Amazon Route 53 is a DNS web service that provides domain name resolution, domain registration, and health checking of resources. Health checking monitors the availability and performance of endpoints (e.g., web servers) via HTTP/HTTPS/TCP requests, and can automatically failover DNS responses to healthy resources, ensuring high availability.

Exam trap

The trap here is that candidates confuse Route 53's DNS-level health checking with application-layer features like SSL termination or caching, leading them to select options that belong to other AWS services like CloudFront or ALB.

166 · MCQ · hard

A SysOps administrator reviews the CloudWatch metric data for an EC2 instance. The instance runs a web application that experiences high traffic between 12:00 and 14:00 UTC daily. The administrator wants to optimize costs while maintaining performance. What should the administrator do?

A. Convert the instance to a Reserved Instance to reduce hourly cost.
B. Replace the instance with a larger instance type and enable detailed monitoring.
C. Create an Auto Scaling group with a scheduled scaling policy to add instances during peak hours.
D. Increase the instance size to handle peak load at all times.
Answer: C

This adds capacity during peaks and reduces during off-peak.

Why this answer

The correct answer is C. The instance has low CPU utilization most of the day but spikes to 90% during peak hours. Using scheduled scaling in an Auto Scaling group to add instances during peak hours ensures performance without over-provisioning.

Option A is wrong because the instance is not constantly at high utilization. Option B is wrong because upgrading instance size increases cost during off-peak hours. Option D is wrong because a larger instance would be underutilized.

167 · MCQ · easy

An administrator deploys a CloudFormation template that includes the snippet shown in the exhibit. Later, the administrator deletes the stack. What happens to the S3 bucket?

A. The bucket is deleted only if it contains no objects
B. The bucket is emptied and then deleted
C. The bucket is deleted along with the stack
D. The bucket is retained but no longer managed by CloudFormation
Answer: D

The bucket remains in the account but is not part of the stack.

Why this answer

Option D is correct because DeletionPolicy: Retain preserves the bucket even after stack deletion. Option A is wrong because the bucket is retained. Option C is wrong because the bucket is not deleted.

Option B is wrong because the bucket is retained, not emptied.

168 · MCQ · hard

A company has a web application behind an Application Load Balancer (ALB) with sticky sessions enabled. The ALB's target group contains EC2 instances in an Auto Scaling group. After a deployment, users report that they are being logged out frequently. What is the most likely cause?

A. The deregistration delay is set too low.
B. The ALB's stickiness cookie is not configured or is being overwritten.
C. Health checks are too frequent and marking instances unhealthy.
D. Cross-zone load balancing is disabled.
Answer: B

Without a valid cookie, sessions are not sticky.

Why this answer

Option B is correct because sticky sessions (session affinity) are based on cookies; if the cookie is not set or is invalid, requests may be routed to different instances, causing logouts. Option D is wrong because cross-zone load balancing does not affect session stickiness. Option A is wrong because the deregistration delay helps but does not cause logouts.

Option C is wrong because health checks do not affect routing of existing sessions.

169 · Multi-Select · hard

Which THREE AWS services can be used to improve security and performance for a web application that uses an Application Load Balancer? (Select three.)

A. AWS Shield Advanced
B. AWS WAF
C. Amazon Route 53
D. Amazon CloudFront
E. AWS Direct Connect
Answers: A, B, D

Shield Advanced provides enhanced DDoS protection.

Why this answer

Option B (AWS WAF) is correct for security, protecting against web exploits. Option D (Amazon CloudFront) is correct for performance via caching and DDoS protection. Option A (AWS Shield Advanced) is correct for enhanced DDoS protection.

Option E (AWS Direct Connect) is for dedicated connectivity and is not directly related. Option C (Amazon Route 53) is DNS, not directly for security/performance of the ALB.

170 · MCQ · hard

Instances in a private subnet need outbound internet access for software updates. The route table sends 0.0.0.0/0 to a NAT gateway, but updates fail. Which condition should you check first?

A. Confirm the NAT gateway is in a public subnet whose route table has 0.0.0.0/0 to an internet gateway.
B. Attach an internet gateway directly to the private subnet instances.
C. Replace all security groups with network ACLs.
D. Enable VPC peering to another account.
Answer: A

Without an IGW route from the NAT gateway subnet, outbound internet access fails.

Why this answer

A NAT gateway must reside in a public subnet with a route table entry directing 0.0.0.0/0 to an internet gateway (IGW). Without this, the NAT gateway cannot translate private IPs to the IGW's public IP, so outbound traffic from private instances fails. This is the most common root cause for failed internet access through a NAT gateway.

Exam trap

The trap here is that candidates assume any subnet with a NAT gateway automatically has internet access, overlooking the requirement that the NAT gateway itself must be in a public subnet with a default route to an internet gateway.

How to eliminate wrong answers

Option B is wrong because attaching an internet gateway directly to a private subnet is not supported; an IGW can only be attached to a VPC and associated with public subnets, and private subnet instances lack public IPs to use it directly. Option C is wrong because replacing security groups with network ACLs does not solve the routing issue; NACLs are stateless and can filter traffic, but they do not provide internet connectivity. Option D is wrong because VPC peering does not provide internet access; it only enables private connectivity between VPCs, and does not route traffic to the internet.

171 · MCQ · medium

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The SysOps administrator checks the deployment logs and finds that the application installation script exits with a non-zero exit code. What is the MOST likely cause?

A. The Auto Scaling group does not have enough instances to meet the minimum capacity.
B. The security group for the instances blocks outbound traffic to CodeDeploy endpoints.
C. The AppSpec file contains a lifecycle hook that fails.
D. The CodeDeploy agent is outdated on the instances.
Answer: C

A failing lifecycle hook leads to non-zero exit code and deployment failure.

Why this answer

Option C is correct because a non-zero exit code from an AppSpec lifecycle hook (e.g., ApplicationStop, BeforeInstall) causes the deployment to fail. Option A is wrong because insufficient capacity would trigger a different error. Option D is wrong because an outdated agent would show a different error.

Option B is wrong because security groups do not affect script execution exit codes.

172 · MCQ · medium

A company runs a stateless web application on Amazon EC2 instances in an Auto Scaling group with a minimum of 2 and maximum of 10 instances. The instances are behind an Application Load Balancer (ALB). The SysOps administrator needs to ensure that the application can survive the failure of an entire AWS Availability Zone (AZ) in the region. Which configuration is necessary?

A. Configure the Auto Scaling group with subnets in at least two Availability Zones and ensure the ALB has subnets in the same AZs.
B. Increase the Auto Scaling group minimum to 10 instances to absorb the failure.
C. Use larger instance types to handle the load of a failed AZ.
D. Use multiple Application Load Balancers in different AZs.
Answer: A

This distributes instances across multiple AZs, so if one AZ fails, the other AZ continues serving traffic.

Why this answer

Option A is correct because deploying the Auto Scaling group across multiple Availability Zones (AZs) and ensuring the ALB has subnets in the same AZs allows the application to continue serving traffic even if one entire AZ fails. The ALB can route requests to healthy instances in the remaining AZs, and the Auto Scaling group will replace failed instances in other AZs as needed, maintaining the minimum instance count. This architecture is a fundamental pattern for high availability in AWS.

Exam trap

The trap here is that candidates often think increasing instance count or size alone provides high availability, but without multi-AZ distribution, a single AZ failure can still cause total application downtime.

How to eliminate wrong answers

Option B is wrong because simply increasing the minimum to 10 instances does not provide AZ resilience; all instances could still be in a single AZ, and a failure of that AZ would take down all 10 instances. Option C is wrong because using larger instance types only increases compute capacity per instance, but does not distribute instances across AZs; a single AZ failure would still eliminate all instances if they are all in that AZ. Option D is wrong because using multiple ALBs in different AZs is unnecessary and adds complexity; a single ALB can already distribute traffic across multiple AZs, and multiple ALBs would require additional DNS routing logic (e.g., Route 53) and do not inherently improve AZ failure survival.

173 · Multi-Select · medium

Which TWO actions should a SysOps administrator take to improve the availability and reduce latency for a web application hosted on EC2 instances behind an Application Load Balancer?

A. Use larger EC2 instance types to handle more traffic.
B. Configure the ALB health check to have a shorter interval.
C. Use an Amazon CloudFront distribution in front of the ALB to cache content at edge locations.
D. Implement Auto Scaling to add instances based on CPU utilization.
E. Deploy EC2 instances in multiple Availability Zones.
Answers: D, E

Auto Scaling adds instances during high demand, reducing latency by distributing load.

Why this answer

Deploying across multiple Availability Zones increases fault tolerance. Using Auto Scaling helps maintain performance during traffic spikes by adding or removing instances. Option A is incorrect because increasing instance size might help but does not provide the same resilience as distributing across AZs.

Option B is incorrect because reducing the health check interval increases load but not availability. Using a single EBS volume does not improve availability.

174 · MCQ · hard

A company is running a stateful web application on a single EC2 instance in a public subnet. The instance stores user sessions locally. The company wants to improve availability without rewriting the application. Which design should they use?

A. Create a second EC2 instance in a different AZ and use Route 53 with health checks.
B. Use an Auto Scaling group across multiple AZs but keep sessions on instance.
C. Deploy an Application Load Balancer across multiple AZs, move session storage to ElastiCache, and use an Auto Scaling group.
D. Use an Application Load Balancer with sticky sessions and an Auto Scaling group in a single AZ.
Answer: C

ElastiCache externalizes session state; ALB and Auto Scaling provide high availability.

Why this answer

Option C is correct because using an Application Load Balancer with target groups across AZs and storing sessions in ElastiCache allows statelessness and high availability without code changes. Option A is wrong because Route 53 health checks alone do not handle session state. Option D is wrong because an Application Load Balancer with sticky sessions still ties sessions to instances.

Option B is wrong because an Auto Scaling group without session externalization will lose sessions.

175
Multi-Selecteasy

A company uses CloudWatch Logs to monitor application logs. The SysOps administrator wants to search for specific error patterns across multiple log groups. Which THREE AWS services can be used to achieve this?

Select 3 answers
A.CloudWatch Logs Insights
B.Amazon OpenSearch Service
C.Amazon Kinesis Data Analytics
D.Amazon Athena
E.AWS Glue
AnswersA, B, D

Supports querying across multiple log groups.

Why this answer

CloudWatch Logs Insights is correct because it is the native service for querying log data stored in CloudWatch Logs. It runs queries written in its own purpose-built query language (filter, parse, stats and similar commands) across one or more log groups at once, so searching for an error pattern needs no export and no additional infrastructure.

Exam trap

The trap here is that candidates may overlook Amazon OpenSearch Service (fed by a CloudWatch Logs subscription filter) and Amazon Athena (querying logs exported to S3) because they require additional configuration, but the question asks which services 'can be used' to achieve the goal, not which are the most direct or native, so all three (A, B, D) are technically feasible.

176
MCQmedium

A company runs a batch processing job on Amazon EMR every night. The job runs for 6 hours and requires a cluster of 20 m5.xlarge instances. The company wants to reduce costs while ensuring the job completes on time. Which solution is MOST cost-effective?

A.Use On-Demand instances for all nodes.
B.Purchase Reserved Instances for the entire cluster.
C.Use Spot Instances for core and task nodes and an On-Demand instance for the primary node.
D.Use Spot Instances for the primary node and On-Demand for core and task nodes.
AnswerC

This significantly reduces cost while maintaining reliability.

Why this answer

Using Spot Instances for the core and task nodes can cut the cluster cost substantially, since Spot pricing is usually far below On-Demand. The primary node must stay On-Demand: if the primary node is interrupted, the whole cluster terminates, which is why option D is wrong. Option A (all On-Demand) is the most expensive choice.

Option B is wrong because Reserved Instances suit steady-state capacity, not a six-hour nightly job; the idle 18 hours per day would still be paid for. In practice core nodes hold HDFS data and a Spot interruption there can force the job to restart, so teams often keep core nodes On-Demand and use Spot only for task nodes, but of the options given, C is the only one that uses Spot without exposing the primary node.

177
MCQmedium

A team of developers is deploying a new microservice that uses Amazon DynamoDB as its data store. The SysOps administrator must ensure that the application can handle a sudden spike in read traffic without throttling. Which DynamoDB feature can be used to automatically handle increases in read capacity?

A.DynamoDB Global Tables
B.DynamoDB Time to Live (TTL)
C.DynamoDB Auto Scaling
D.DynamoDB Accelerator (DAX)
AnswerC

Auto scaling adjusts capacity automatically.

Why this answer

Option C is correct because DynamoDB auto scaling adjusts provisioned read and write capacity in response to consumed capacity, using Application Auto Scaling target tracking. Note that it reacts with a lag of a few minutes, so a truly instantaneous spike can still see brief throttling. Option D is wrong because DynamoDB Accelerator (DAX) is an in-memory cache; it can absorb repeated reads of the same items but does not change the table's capacity. Option A is wrong because global tables provide multi-Region replication, not scaling.

Option B is wrong because TTL only expires items.

178
Multi-Selecteasy

A SysOps administrator needs to monitor the disk space usage on an EC2 instance running Windows Server. Which actions are required to collect this metric? (Select TWO.)

Select 2 answers
A.Install the CloudWatch Logs agent to monitor disk usage logs.
B.Enable EC2 status checks to monitor disk health.
C.Use Windows Performance Monitor to track disk space and send to CloudWatch.
D.Create an IAM role with permissions to publish custom metrics and attach it to the instance.
E.Install the CloudWatch agent on the instance and configure it to collect disk metrics.
AnswersD, E

The instance needs IAM permissions to publish metrics.

Why this answer

Option D is correct because the CloudWatch agent needs permission to call cloudwatch:PutMetricData; attach an instance profile with a policy such as CloudWatchAgentServerPolicy. Option E is correct because the CloudWatch agent must be installed and given a JSON configuration that names the counters to collect: on Windows that is the LogicalDisk section (for example "% Free Space"), on Linux the disk section (used_percent). Disk space is not among the hypervisor-level metrics EC2 publishes by default.

Exam trap

The trap here is that candidates often confuse the CloudWatch Logs agent with the CloudWatch agent, or assume that EC2 status checks or Performance Monitor can directly send disk metrics to CloudWatch without additional configuration.

179
MCQhard

A SysOps administrator receives an AWS Budgets alert that the monthly cost for an S3 bucket has increased by 300% compared to the previous month. The bucket stores log files and uses S3 Standard storage. The bucket has versioning enabled and lifecycle policies that transition objects to S3 Glacier Deep Archive after 90 days. What is the MOST likely cause of the cost increase?

A.The increased storage costs due to S3 Standard storage for the first 90 days.
B.The cost of lifecycle transition requests to Glacier Deep Archive.
C.Data transfer costs for downloading logs from the bucket.
D.The cost of storing multiple versions of objects due to versioning.
AnswerB

Lifecycle transition requests are charged per 1,000 objects, so a bucket of many small log files can generate a large transition bill when a big batch ages past 90 days at once.

Why this answer

Option B is correct because each object transitioned to S3 Glacier Deep Archive incurs a transition request charge, and log buckets typically hold a very large number of small objects. Option A is wrong because S3 Standard storage for the first 90 days was already being paid last month; unless log volume tripled, it does not explain a 300% jump. Option C is wrong because nothing in the scenario indicates that downloads from the bucket changed.

Option D is wrong because versioning of append-only log files adds little cost unless objects are repeatedly overwritten, and that growth would be gradual rather than a sudden tripling.

180
Multi-Selectmedium

A SysOps administrator is setting up monitoring for an RDS MySQL database. The administrator needs to be notified when the database connection count exceeds 100. Which steps should be taken to achieve this? (Choose TWO.)

Select 2 answers
A.Configure the CloudWatch alarm to send a notification to an SNS topic.
B.Create a CloudWatch alarm on the 'DatabaseConnections' metric.
C.Enable Enhanced Monitoring for RDS.
D.Enable CloudTrail to log RDS API calls.
E.Create an Amazon EventBridge rule that triggers on RDS events.
AnswersA, B

SNS can send email or SMS.

Why this answer

Option A is correct because Amazon CloudWatch alarms can send notifications to an Amazon SNS topic when the alarm state changes. This allows the SysOps administrator to receive alerts (e.g., via email, SMS, or HTTP) when the database connection count exceeds the threshold. Option B is correct because the 'DatabaseConnections' metric is a standard CloudWatch metric for RDS MySQL that tracks the number of current connections to the database instance.

Creating an alarm on this metric with a threshold of 100 will trigger when the connection count exceeds that value.

Exam trap

The trap here is that candidates often confuse Enhanced Monitoring (which provides OS-level metrics) with CloudWatch metrics (which provide database-level metrics like connection counts), leading them to incorrectly select Enhanced Monitoring as a solution for connection-based alarms.

181
MCQhard

A SysOps administrator needs to monitor Amazon EC2 instances for disk space usage. Disk space metrics are not available by default in Amazon CloudWatch. The administrator wants to collect disk space metrics from all EC2 instances across multiple AWS accounts and aggregate them in a single CloudWatch dashboard. Which combination of steps should the administrator take?

A.Install the CloudWatch agent on each instance using SSM Run Command, configure the agent to collect disk metrics, and use CloudWatch cross-account observability to aggregate metrics from multiple accounts.
B.Enable detailed monitoring on the EC2 instances, create a custom metric in CloudWatch for disk space, and use CloudWatch Logs to forward logs to a central account.
C.Use AWS Config to track disk space and send metrics to CloudWatch.
D.Use AWS Trusted Advisor to monitor disk space and send alerts via SNS.
AnswerA

The CloudWatch agent collects custom metrics (e.g., disk space) and sends them to CloudWatch. SSM Run Command automates the installation. Cross-account observability allows a central monitoring account to view metrics from all member accounts.

Why this answer

Option A is correct because the CloudWatch agent is required to collect OS-level metrics such as disk space from EC2 instances; they are not available by default. SSM Run Command (the AmazonCloudWatch-ManageAgent document, executed by the SSM Agent already present on most AWS AMIs) installs and configures the agent at scale without logging in to each instance. CloudWatch cross-account observability lets a monitoring account query metrics from its linked source accounts, meeting the requirement for a unified dashboard.

Exam trap

The trap here is that candidates assume detailed monitoring or AWS Config can capture OS-level metrics like disk space, when in fact only an in-guest agent (CloudWatch agent) can collect such data, and cross-account aggregation requires a specific feature (cross-account observability) rather than simple log forwarding.

How to eliminate wrong answers

Option B is wrong because enabling detailed monitoring only provides hypervisor-level metrics (CPU, network, etc.) at 1-minute frequency, not disk space metrics; disk space requires an in-guest agent. Option C is wrong because AWS Config tracks resource configuration changes (e.g., instance type, security groups) and can trigger rules, but it does not collect or emit disk space metrics to CloudWatch. Option D is wrong because AWS Trusted Advisor provides best-practice checks and recommendations, but it does not collect real-time disk space metrics or send them to CloudWatch for dashboard aggregation.

182
MCQeasy

A SysOps administrator needs to monitor the CPU utilization of an Amazon EC2 instance and send an alert when it exceeds 90% for 5 consecutive minutes. Which combination of AWS services should the administrator use to meet this requirement?

A.Amazon CloudWatch metric (CPUUtilization), a CloudWatch alarm, and an Amazon SNS topic.
B.Amazon CloudWatch Logs, a metric filter to extract CPU utilization from logs, and an alarm on that metric.
C.A CloudWatch dashboard and an AWS Lambda function that checks the dashboard periodically.
D.Amazon EventBridge (CloudWatch Events) and a Lambda function that calls the EC2 DescribeInstances API.
AnswerA

This combination allows monitoring of the metric, evaluation against a threshold, and notification via SNS. It is the simplest and most direct method.

Why this answer

The correct approach is to use a CloudWatch metric for CPUUtilization, which is automatically published by EC2 instances. A CloudWatch alarm can be configured to evaluate this metric over a period of 5 consecutive minutes with a threshold of 90%, and when the alarm state is triggered, it publishes to an SNS topic to send notifications. This is the native, efficient, and recommended method for monitoring and alerting on EC2 CPU utilization.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs metric filters (used for custom log-based metrics) with the built-in EC2 metrics, or think that EventBridge can directly access CPU utilization data, when in fact CPUUtilization is a CloudWatch metric and must be monitored via CloudWatch alarms.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs and metric filters are used to extract custom metrics from log data (e.g., application logs), not to monitor the built-in CPUUtilization metric which is already available as a CloudWatch metric without needing log extraction. Option C is wrong because a CloudWatch dashboard is a visualization tool and does not trigger alerts; a Lambda function polling a dashboard periodically is inefficient, introduces latency, and is not a supported pattern for real-time alerting. Option D is wrong because EventBridge and a Lambda function calling DescribeInstances API only retrieves instance metadata and state, not CPU utilization metrics; CPU utilization is a CloudWatch metric, not available via the EC2 DescribeInstances API.
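The same alarm pattern serves the RDS DatabaseConnections alarm in question 180 and the CPUUtilization alarm above. As an added example that is not from the original page, the following Python builds the put_metric_alarm parameters for both and includes a small offline evaluator that reproduces CloudWatch's consecutive-period rule; the instance ID, DB identifier and SNS topic ARN are placeholders.

```python
# Added example, not from the page: put_metric_alarm parameters for the two alarms discussed
# above, and an offline evaluator for the M-out-of-N rule CloudWatch applies. Instance ID,
# DB identifier and topic ARN supplied by the caller are constructed placeholders.

def cpu_alarm_params(instance_id, topic_arn, threshold=90.0, minutes=5):
    """CPUUtilization > threshold for `minutes` consecutive 60-second periods."""
    return {
        "AlarmName": f"cpu-over-{int(threshold)}pct-{instance_id}",
        "Namespace": "AWS/EC2",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": 60,                  # 1-minute datapoints need detailed monitoring enabled
        "EvaluationPeriods": minutes,
        "DatapointsToAlarm": minutes,  # all N of N must breach
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "missing",
        "AlarmActions": [topic_arn],
    }

def rds_connections_alarm_params(db_identifier, topic_arn, threshold=100):
    """DatabaseConnections > threshold; one breaching period is enough to notify."""
    return {
        "AlarmName": f"db-connections-over-{threshold}-{db_identifier}",
        "Namespace": "AWS/RDS",
        "MetricName": "DatabaseConnections",
        "Dimensions": [{"Name": "DBInstanceIdentifier", "Value": db_identifier}],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [topic_arn],
    }

def alarm_state(datapoints, threshold, evaluation_periods, datapoints_to_alarm=None):
    """State after the newest datapoint: look at the last N periods and count the ones
    above the threshold; ALARM when at least M of them breach."""
    m = datapoints_to_alarm or evaluation_periods
    window = datapoints[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for v in window if v > threshold)
    return "ALARM" if breaching >= m else "OK"

def state_timeline(datapoints, threshold, evaluation_periods, datapoints_to_alarm=None):
    """State after each minute, so the effect of one non-breaching minute is visible."""
    return [alarm_state(datapoints[: i + 1], threshold, evaluation_periods, datapoints_to_alarm)
            for i in range(len(datapoints))]
```

Pass either dict to boto3 as cloudwatch.put_metric_alarm(**params). The timeline in the test shows why "5 consecutive minutes" is strict: a single minute at 50% resets the window, and the alarm only fires at the fifth consecutive breaching datapoint after it.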

183
MCQeasy

A company runs a web application on a fleet of Amazon EC2 instances that operate 24/7 with a steady and predictable load. The SysOps administrator wants to minimize compute costs while ensuring the required capacity is always available. Which EC2 purchasing option should the administrator use?

A.Reserved Instances
B.Spot Instances
C.On-Demand Instances
D.Dedicated Hosts
AnswerA

Reserved Instances offer the best price for consistent, predictable workloads with a long-term commitment.

Why this answer

Reserved Instances (RIs) are the correct choice because the workload runs 24/7 with steady, predictable load. RIs provide a significant discount (up to 72%) over On-Demand pricing in exchange for a one- or three-year commitment. A zonal RI (one scoped to a specific Availability Zone) also reserves capacity there; a regional RI gives the discount but no capacity reservation.

Exam trap

The trap here is that candidates often choose Spot Instances for any cost-saving scenario, forgetting that Spot Instances can be terminated at any time, making them unsuitable for steady, predictable workloads that require constant availability.

How to eliminate wrong answers

Option B is wrong because Spot Instances are designed for fault-tolerant, flexible workloads and can be interrupted with a 2-minute warning when EC2 needs capacity back, making them unsuitable for a steady, always-on web application. Option C is wrong because On-Demand Instances offer no discount and are the most expensive option for continuous 24/7 usage, failing to minimize compute costs. Option D is wrong because Dedicated Hosts provide physical servers dedicated for your use, which is unnecessary for cost optimization and typically incurs higher costs; they are used for licensing or compliance requirements, not for general cost savings.

184
MCQeasy

A company wants to receive an alert when its AWS spending exceeds $5,000 in a month. The SysOps administrator needs to set up a proactive alert that monitors actual costs. Which AWS service should be used?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS CloudTrail
AnswerB

AWS Budgets allows you to create a cost budget with a $5,000 limit and configure alerts to notify you when actual or forecasted costs exceed that amount.

Why this answer

AWS Budgets is the correct service because it allows you to set a cost budget that proactively sends alerts when actual costs exceed a specified threshold (e.g., $5,000 per month). Unlike Cost Explorer, which is an analytical tool, Budgets sends notifications by email or to an Amazon SNS topic when costs reach, or are forecasted to exceed, the budgeted amount. Budget data is refreshed up to three times a day, so alerts are proactive but not real-time.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer's historical analysis capabilities with proactive alerting, assuming it can send notifications, when in fact it only provides dashboards and reports without automated threshold-based alerts.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a visualization and analysis tool for historical cost data; it does not support proactive alerts based on actual cost thresholds. Option C is wrong because AWS Trusted Advisor inspects your AWS environment for cost optimization, security, and performance best practices, but it does not monitor or alert on actual spending against a specific budget. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, not cost monitoring or alerting.

185
MCQhard

A company uses S3 to store critical data. They need to ensure that data can be recovered in the event of accidental deletion or overwriting by users. Which combination of actions should they take?

A.Enable S3 Cross-Region Replication and S3 Transfer Acceleration.
B.Enable S3 Versioning and S3 Transfer Acceleration.
C.Enable S3 Versioning and MFA Delete.
D.Enable S3 Server Access Logging and S3 Object Lock.
AnswerC

Versioning retains every previous version and turns a DELETE into a delete marker; MFA Delete requires the root user's MFA code to permanently delete a version or change the bucket's versioning state.

Why this answer

Option C is correct because S3 Versioning lets you recover an overwritten object from its earlier version and recover a deleted object by removing the delete marker, while MFA Delete stops a user (or a stolen credential) from permanently deleting versions or suspending versioning without the root MFA device. Note that MFA Delete can only be enabled by the root user through the CLI or API, not the console. Option A is wrong because Cross-Region Replication faithfully replicates an accidental overwrite; it is a disaster recovery control, not a recovery-from-user-error control. Option B is wrong because Transfer Acceleration only speeds up uploads.

Option D is wrong because server access logging records who deleted what but does not retain the data; Object Lock does protect versions, but it is paired with logging in that option rather than with versioning.
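To make the recovery path concrete, here is an added example (not from the original page) that models an S3 bucket with versioning and MFA Delete enabled in memory. Version IDs and the MFA token string are constructed for the model; real S3 returns opaque version IDs and expects the MFA code in the x-amz-mfa header.

```python
import itertools

# Added example, not from the page: an in-memory model of a versioned S3 bucket with MFA Delete,
# to show which operations are recoverable and which one the MFA requirement gates.
# Version IDs and the MFA token format are constructed for this model.

class VersionedBucket:
    def __init__(self, mfa_delete=True):
        self.mfa_delete = mfa_delete
        self._ids = itertools.count(1)
        # key -> list of (version_id, body); body None is a delete marker; newest is last
        self._versions = {}

    def put(self, key, body):
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, body))
        return vid

    def delete(self, key):
        """A plain DELETE on a versioned bucket only adds a delete marker; nothing is lost."""
        return self.put(key, None)

    def get(self, key):
        versions = self._versions.get(key)
        if not versions or versions[-1][1] is None:
            raise KeyError(f"NoSuchKey: {key}")  # a delete marker on top hides the object
        return versions[-1][1]

    def list_versions(self, key):
        return [vid for vid, _ in self._versions.get(key, [])]

    def delete_version(self, key, version_id, mfa=None):
        """Permanently removes one version (or a delete marker). With MFA Delete enabled,
        S3 rejects this unless the request carries a valid MFA code from the root user."""
        if self.mfa_delete and not mfa:
            raise PermissionError("MFA Delete is enabled: x-amz-mfa header required")
        remaining = [v for v in self._versions[key] if v[0] != version_id]
        if remaining:
            self._versions[key] = remaining
        else:
            del self._versions[key]

    def restore(self, key, mfa=None):
        """Undo an accidental delete by removing the newest delete marker.
        Because that is itself a version deletion, MFA Delete applies here too."""
        versions = self._versions.get(key, [])
        if not versions or versions[-1][1] is not None:
            raise ValueError("nothing to restore")
        self.delete_version(key, versions[-1][0], mfa=mfa)
```

The model makes the trade-off visible: an ordinary delete or overwrite is always reversible, but the recovery step (removing the delete marker) and any permanent deletion both need the MFA device, so keep it accessible to the on-call engineer.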

186
MCQmedium

A SysOps administrator is using AWS CodePipeline to automate the build and deploy process for a Java application. The build stage uses AWS CodeBuild, and the deploy stage uses AWS CodeDeploy to deploy to an Auto Scaling group. The deployment fails intermittently with a 'Timeout' error. What should the administrator check first?

A.The health check grace period on the load balancer.
B.The IAM instance profile for the EC2 instances.
C.The buildspec.yml file for syntax errors.
D.The S3 bucket permissions for CodePipeline artifacts.
AnswerA

If the grace period is too short, the load balancer health check marks new instances unhealthy before the application has finished starting, and the deployment times out.

Why this answer

Option A is correct. The usual cause of an intermittent CodeDeploy timeout against an Auto Scaling group behind a load balancer is that instances fail the load balancer health check before the application is ready; a longer grace period (set on the Auto Scaling group for its ELB health check type) lets new instances pass. Because startup time varies, the failure appears intermittently rather than on every run.

Option C (buildspec) is a CodeBuild concern and would fail the build stage consistently, not the deploy stage intermittently. Option D (artifact bucket permissions) would produce an access-denied error. Option B (instance profile) would cause permission errors when the CodeDeploy agent pulls the revision, again on every run.

187
MCQhard

A company has a VPC with public and private subnets across two Availability Zones. They have a NAT Gateway in each public subnet for high availability. EC2 instances in the private subnets need to access an external service that requires a fixed IP address for whitelisting. The administrator configured the route tables to use the NAT Gateway in the same Availability Zone. However, when the NAT Gateway in AZ-A fails, instances in AZ-A lose internet connectivity. What should the administrator do to ensure high availability with fixed IP addresses?

A.Use a single NAT Gateway with an Elastic IP and create a route table with a route to the NAT Gateway for all private subnets, but also configure a second NAT Gateway in another AZ and update route tables to failover
B.Configure a proxy server in the private subnets and route traffic through it
C.Replace the NAT Gateways with an Internet Gateway in each public subnet
D.Use a VPN connection to the external service instead of the internet
AnswerA

Each NAT gateway has its own Elastic IP, so the external service must allowlist both; high availability then comes from a second NAT gateway in another AZ plus a mechanism (for example a Lambda function triggered by a NAT gateway alarm) that rewrites the failed AZ's route table.

Why this answer

Option A is correct because a NAT gateway with an Elastic IP gives a fixed source address, but one NAT gateway per AZ with route tables pointing only at the local gateway leaves each AZ with a single point of failure. The fix is to keep a NAT gateway (and Elastic IP) in each AZ, allowlist both Elastic IPs with the external service, and on failure update the affected private route table to point at the surviving NAT gateway; traffic then leaves from the other allowlisted address.

A single NAT gateway would keep one fixed IP but is itself a single point of failure, which the scenario has already shown to be unacceptable. Option C is wrong because an internet gateway is not a NAT device and cannot serve instances in private subnets.

Option D is wrong because a VPN does not provide internet access to the external service. Option B is wrong because a proxy in the private subnets still needs a NAT gateway (or an Elastic IP on a public instance) to reach the internet and is itself a single point of failure unless made redundant.
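The failover logic described above, written out as an added example that is not from the original page: the planner computes the ec2.replace_route calls a Lambda would issue when a NAT gateway fails, the reverse moves when it recovers, and the set of Elastic IPs the external service must allowlist. Route table IDs, NAT gateway IDs and addresses are constructed placeholders.

```python
# Added example, not from the page: route-table failover planning between two NAT gateways.
# IDs and addresses are constructed; a real Lambda would pass each call to ec2.replace_route.

DEFAULT_ROUTE = "0.0.0.0/0"

def plan_failover(route_tables, failed_nat, healthy_nats):
    """route_tables: {rtb_id: {cidr: nat_gateway_id}}. Returns replace_route parameter sets
    that move every default route off the failed NAT gateway onto a healthy one."""
    if not healthy_nats:
        raise RuntimeError("no healthy NAT gateway to fail over to")
    target = healthy_nats[0]
    return [
        {"RouteTableId": rtb, "DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": target}
        for rtb, routes in route_tables.items()
        if routes.get(DEFAULT_ROUTE) == failed_nat
    ]

def plan_failback(route_tables, preferred, healthy_nats):
    """preferred: {rtb_id: nat_gateway_id}, the same-AZ gateway each table should use.
    Move routes back only to gateways that are healthy again."""
    return [
        {"RouteTableId": rtb, "DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": want}
        for rtb, want in preferred.items()
        if want in healthy_nats and route_tables[rtb].get(DEFAULT_ROUTE) != want
    ]

def apply_routes(route_tables, calls):
    """Return a copy of the route tables with the planned replacements applied."""
    updated = {rtb: dict(routes) for rtb, routes in route_tables.items()}
    for call in calls:
        updated[call["RouteTableId"]][call["DestinationCidrBlock"]] = call["NatGatewayId"]
    return updated

def egress_addresses(route_tables, nat_eips):
    """Source IPs the external service can see; all of them must be on its allowlist."""
    return {nat_eips[r[DEFAULT_ROUTE]] for r in route_tables.values() if DEFAULT_ROUTE in r}
```

The egress_addresses check is the part operators forget: the allowlist must contain both Elastic IPs before the first failover, not after.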

188
Multi-Selectmedium

A SysOps administrator is automating the deployment of a web application using AWS CloudFormation. The application requires an Application Load Balancer (ALB) and an Auto Scaling group. The administrator wants to ensure that the Auto Scaling group registers instances with the ALB automatically. Which of the following are required? (Choose TWO.)

Select 2 answers
A.A launch template or launch configuration that defines the AMI and instance type.
B.A health check grace period set in the Auto Scaling group.
C.A security group that allows traffic from the ALB.
D.A target group ARN specified in the Auto Scaling group's configuration.
E.An Application Load Balancer created in the same stack.
AnswersA, D

The launch template or launch configuration tells the Auto Scaling group what to launch; the target group ARN tells it where to register what it launched.

Why this answer

Options A and D are correct. Instances are registered automatically only when the Auto Scaling group lists the target group in its TargetGroupARNs property, and the group cannot launch anything without a launch template or launch configuration. Option E is wrong because the load balancer itself can live in another stack (or be imported); the Auto Scaling group needs the target group ARN, not the load balancer.

Option B is wrong because the health check grace period is optional, though advisable when the health check type is ELB. Option C is wrong because a security group controls whether traffic from the ALB is accepted, not whether the instance is registered.
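As an added example (not from the original page), the following Python builds the minimal CloudFormation template for this wiring as a dict and includes a linter for the two properties the question turns on. The AMI, subnet and VPC IDs are constructed placeholders; the resource types and property names are CloudFormation's.

```python
import json

# Added example, not from the page: CloudFormation ASG-to-ALB wiring and a check for it.
# AMI, subnet and VPC identifiers passed in by the caller are assumed values.

def web_tier_template(ami_id, subnet_ids, vpc_id, instance_type="t3.micro"):
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "LoadBalancer": {
                "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                "Properties": {"Type": "application", "Scheme": "internet-facing",
                               "Subnets": subnet_ids},
            },
            "TargetGroup": {
                "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                "Properties": {"VpcId": vpc_id, "Port": 80, "Protocol": "HTTP",
                               "TargetType": "instance", "HealthCheckPath": "/health"},
            },
            "Listener": {
                "Type": "AWS::ElasticLoadBalancingV2::Listener",
                "Properties": {"LoadBalancerArn": {"Ref": "LoadBalancer"}, "Port": 80,
                               "Protocol": "HTTP",
                               "DefaultActions": [{"Type": "forward",
                                                   "TargetGroupArn": {"Ref": "TargetGroup"}}]},
            },
            "LaunchTemplate": {
                "Type": "AWS::EC2::LaunchTemplate",
                "Properties": {"LaunchTemplateData": {"ImageId": ami_id,
                                                      "InstanceType": instance_type}},
            },
            "AutoScalingGroup": {
                "Type": "AWS::AutoScaling::AutoScalingGroup",
                "Properties": {
                    "MinSize": "2", "MaxSize": "4", "VPCZoneIdentifier": subnet_ids,
                    "LaunchTemplate": {
                        "LaunchTemplateId": {"Ref": "LaunchTemplate"},
                        "Version": {"Fn::GetAtt": ["LaunchTemplate", "LatestVersionNumber"]},
                    },
                    # Ref on a target group resolves to its ARN; this is what registers instances
                    "TargetGroupARNs": [{"Ref": "TargetGroup"}],
                    "HealthCheckType": "ELB",
                    "HealthCheckGracePeriod": 300,
                },
            },
        },
    }

def registration_issues(template):
    """Reasons instances would not auto-register; an empty list means the wiring is complete."""
    resources = template["Resources"]
    issues = []
    for name, res in resources.items():
        if res["Type"] != "AWS::AutoScaling::AutoScalingGroup":
            continue
        props = res["Properties"]
        if not any(k in props for k in ("LaunchTemplate", "LaunchConfigurationName",
                                        "MixedInstancesPolicy")):
            issues.append(f"{name}: no launch template or launch configuration")
        targets = props.get("TargetGroupARNs", [])
        if not targets:
            issues.append(f"{name}: TargetGroupARNs missing, instances will not be registered")
        for t in targets:
            ref = t.get("Ref") if isinstance(t, dict) else None
            if ref and resources.get(ref, {}).get("Type") != "AWS::ElasticLoadBalancingV2::TargetGroup":
                issues.append(f"{name}: TargetGroupARNs references {ref}, not a target group")
        if props.get("HealthCheckType") == "ELB" and "HealthCheckGracePeriod" not in props:
            issues.append(f"{name}: ELB health checks without a grace period can replace "
                          "instances before they finish booting")
    return issues

if __name__ == "__main__":
    print(json.dumps(web_tier_template("ami-0123456789abcdef0",
                                       ["subnet-0aaa", "subnet-0bbb"], "vpc-0ccc"), indent=2))
```

The grace-period warning is deliberately a lint rather than an error: it is not required for registration, which is exactly why option B is a distractor.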

189
Multi-Selectmedium

A company needs to restrict access to an S3 bucket so that only users from a specific VPC can read objects. Which THREE configurations are required?

Select 3 answers
A.Create a bucket policy that denies access unless the request comes from a specific VPC endpoint.
B.Update the route table in the VPC to route S3 traffic through the VPC endpoint.
C.Create IAM users and assign them permissions to access the bucket.
D.Create a VPC endpoint for S3 in the specified VPC.
E.Attach a security group to the S3 bucket.
AnswersA, B, D

The bucket policy uses the aws:SourceVpce condition key, which is present in the request context only when the request arrives through a VPC endpoint.

Why this answer

Options A, B, and D are correct: a gateway endpoint for S3 in the VPC, the route table association that adds the S3 prefix-list route (the gateway endpoint inserts that route into each route table you associate with it), and a bucket policy conditioned on aws:SourceVpce. Note that the Deny applies to every principal, including the account's administrators working from the console, so plan a break-glass path before applying it. Option E is wrong because security groups attach to network interfaces, not to S3 buckets or gateway endpoints.

Option C is wrong because IAM users alone cannot restrict access by network origin.
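The policy for this pattern, plus a deliberately small evaluator for the two condition operators it uses, as an added example that is not from the original page. The bucket name and endpoint ID are constructed placeholders, and the evaluator implements only explicit-deny precedence and StringEquals/StringNotEquals; real IAM evaluation has many more rules.

```python
import fnmatch

# Added example, not from the page: VPC-endpoint-only S3 bucket policy and a toy evaluator.
# Bucket and endpoint identifiers are constructed placeholders.

def vpce_only_bucket_policy(bucket, vpce_id):
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadsViaEndpoint",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": objects,
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                # Explicit Deny beats any Allow, including one an admin holds through IAM
                "Sid": "DenyReadsFromAnywhereElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }

def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the key is absent from the request
            if operator == "StringEquals":
                if actual != expected:          # an absent key never equals
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:          # an absent key counts as "not equal"
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def is_allowed(policy, action, resource, context):
    """Explicit Deny wins; otherwise an Allow is needed; the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The console case in the test (an empty request context) is the one that surprises people: aws:SourceVpce is simply absent, StringNotEquals therefore matches, and the Deny fires for everyone who is not inside the VPC.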

190
MCQhard

A company has two VPCs in different AWS regions (us-east-1 and eu-west-1) that are peered. Applications in both VPCs need to communicate using private IP addresses. The ping tests are successful, but the latency is significantly higher than expected. Which change is most likely to improve the latency between the VPCs?

A.Enable DNS resolution for the VPC peering connection.
B.Use a Transit Gateway instead of VPC Peering for cross-region connectivity.
C.Increase the MTU on the instances' network interfaces to 9001.
D.Configure ECMP (Equal-Cost Multi-Path) routing on the VPC peering connection.
AnswerA

Correct. When DNS resolution is enabled, instances can resolve private DNS names of instances in the peered VPC, ensuring traffic stays within the AWS backbone and avoids unnecessary hops or public internet routing.

Why this answer

Option A is correct because enabling DNS resolution for the VPC peering connection allows instances to resolve public DNS hostnames to the private IP addresses of the peered VPC. Without this, DNS queries may return public IP addresses, forcing traffic to traverse the internet or NAT gateways, which adds significant latency. By resolving to private IPs, traffic stays within the AWS backbone, reducing latency.

Exam trap

The trap here is that candidates often assume latency is caused by network path or bandwidth issues (leading them to choose Transit Gateway or MTU changes), but the real culprit is DNS resolution misconfiguration forcing traffic over the public internet instead of the private AWS backbone.

How to eliminate wrong answers

Option B is wrong because using a Transit Gateway instead of VPC Peering for cross-region connectivity does not inherently reduce latency; both use the AWS global backbone, and latency is primarily affected by physical distance and routing, not the service type. Option C is wrong because jumbo frames (MTU 9001) improve throughput for large transfers but do not reduce latency; moreover, inter-Region VPC peering traffic is limited to an MTU of 1500 bytes, so the setting would have no effect here. Option D is wrong because ECMP routing is not configurable on VPC peering connections; VPC peering does not support multiple paths or load balancing, and ECMP is a feature of Transit Gateway (over VPN attachments) or Direct Connect, not VPC peering.

191
MCQmedium

A SysOps administrator is designing a disaster recovery plan for a web application that runs on EC2 instances with data stored in an RDS MySQL database. The application requires a Recovery Point Objective (RPO) of 5 minutes and a Recovery Time Objective (RTO) of 1 hour. Which solution meets these requirements most cost-effectively?

A.Use a single RDS instance with daily snapshots and EC2 instance store.
B.Use EC2 Auto Scaling across Regions with an RDS standby instance.
C.Use RDS Multi-AZ with read replicas in another Region.
D.Use RDS Multi-AZ with automated backups and EC2 AMI backups.
AnswerD

Multi-AZ provides quick failover; AMI backups allow fast instance recovery.

Why this answer

Option D is correct: RDS Multi-AZ provides a synchronous standby with automatic failover, and automated backups include transaction log backups every five minutes, so point-in-time recovery can meet a 5-minute RPO. AMIs of the EC2 instances can be launched quickly, meeting a 1-hour RTO. Option C is incorrect because a cross-Region read replica costs more than this RPO/RTO requires and must be promoted manually, which is not needed when the requirement does not call for surviving a Region failure.

Option B is incorrect because standby EC2 capacity in another Region incurs higher costs and complexity. Option A is incorrect because daily snapshots give an RPO of up to 24 hours and instance store data is lost when the instance stops or fails.

192
MCQmedium

A company has two Amazon VPCs (VPC-A and VPC-B) in the same AWS Region with non-overlapping CIDR blocks. The SysOps administrator needs to establish private IP connectivity between the two VPCs with high throughput and minimal cost. Which solution should the administrator implement?

A.VPC Peering
B.AWS Transit Gateway
C.AWS VPN CloudHub
D.AWS Direct Connect
AnswerA

VPC peering allows private connectivity between two VPCs using AWS's private network. It is simple to set up, has no bandwidth limitations, and incurs no hourly cost. It is the most cost-effective solution for connecting two VPCs in the same region.

Why this answer

VPC Peering is the correct solution because it allows direct private IP connectivity between two VPCs in the same AWS Region using the AWS global network backbone, with no bandwidth bottlenecks, no single point of failure, and no additional cost beyond data transfer charges. Since the VPCs have non-overlapping CIDR blocks, they can be peered without route conflicts, and traffic flows entirely within AWS without traversing the public internet or requiring a transit hub.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing AWS Transit Gateway for its centralized routing features, forgetting that for a simple two-VPC peering scenario with non-overlapping CIDRs, VPC Peering is the most cost-effective and high-performance option without the overhead of a transit hub.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it introduces unnecessary complexity and cost (hourly per-attachment charges and data processing fees) for a simple two-VPC scenario where VPC Peering provides the same high throughput at lower cost. Option C (AWS VPN CloudHub) is wrong because it requires VPN connections over the public internet, which adds latency, reduces throughput, and incurs hourly VPN connection charges, making it less performant and more expensive than VPC Peering. Option D (AWS Direct Connect) is wrong because it is designed for hybrid connectivity between on-premises networks and AWS, not for VPC-to-VPC communication, and involves significant setup costs, long lead times, and monthly port fees that are unnecessary for this use case.

193
MCQmedium

A SysOps administrator needs to monitor memory utilization on an Amazon EC2 instance. Memory metrics are not available by default in Amazon CloudWatch for EC2 instances. Which action should the administrator take to collect memory utilization metrics?

A.Install the CloudWatch agent on the EC2 instance
B.Enable detailed monitoring on the EC2 instance
C.Use an AWS Lambda function to query the EC2 instance for memory metrics
D.Use Amazon Inspector to collect memory metrics
AnswerA

The CloudWatch agent can collect memory and other system-level metrics from the EC2 instance and publish them to CloudWatch custom metrics.

Why this answer

The CloudWatch agent is the correct solution because it can collect custom metrics, including memory utilization, from EC2 instances. Unlike the default hypervisor-level metrics (CPU, network, disk), memory metrics require an in-guest agent to read the operating system's memory counters and publish them to CloudWatch.

Exam trap

The trap here is that candidates confuse 'detailed monitoring' (which increases metric frequency) with the ability to collect new metric types, assuming it will magically include memory metrics when it only affects existing hypervisor-level metrics.

How to eliminate wrong answers

Option B is wrong because enabling detailed monitoring only increases the frequency of default EC2 metrics (e.g., CPU, disk I/O) from 5 minutes to 1 minute; it does not add memory metrics. Option C is wrong because AWS Lambda cannot directly query an EC2 instance's OS-level memory metrics without an agent or API endpoint installed inside the instance. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposures, not a tool for collecting OS-level performance metrics like memory utilization.
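Questions 178, 181 and this one all come down to the same agent configuration. As an added example (not from the original page), the Python below emits the CloudWatch agent JSON for Linux or Windows with disk and memory metrics, and the SSM Run Command parameters for the AWS-managed AmazonCloudWatch-ManageAgent document; the instance IDs and the SSM Parameter Store name passed in are assumed values.

```python
import json

# Added example, not from the page: CloudWatch agent configuration for disk and memory metrics,
# and the Run Command request that applies it fleet-wide. Instance IDs and the Parameter Store
# name are caller-supplied assumptions.

def agent_config(platform, interval=60):
    """Agent config dict for 'linux' or 'windows'. Disk and memory are in-guest metrics, so the
    agent must read them; the counter names below are the ones the agent documents per platform."""
    config = {
        "agent": {"metrics_collection_interval": interval},
        "metrics": {
            "namespace": "CWAgent",
            # Dimensions that let a cross-account dashboard pick out the instance
            "append_dimensions": {
                "InstanceId": "${aws:InstanceId}",
                "AutoScalingGroupName": "${aws:AutoScalingGroupName}",
            },
            "metrics_collected": {},
        },
    }
    if platform == "linux":
        config["metrics"]["metrics_collected"] = {
            "disk": {"measurement": ["used_percent"], "resources": ["*"],
                     "metrics_collection_interval": interval},
            "mem": {"measurement": ["mem_used_percent"]},
        }
    elif platform == "windows":
        config["metrics"]["metrics_collected"] = {
            "LogicalDisk": {"measurement": ["% Free Space"], "resources": ["*"]},
            "Memory": {"measurement": ["% Committed Bytes In Use"]},
        }
    else:
        raise ValueError(f"unsupported platform in this example: {platform}")
    return config

def collected_metric_types(config):
    return set(config["metrics"]["metrics_collected"])

def run_command_request(instance_ids, ssm_parameter_name):
    """Parameters for ssm.send_command using the AWS-managed AmazonCloudWatch-ManageAgent
    document, which pulls the agent config from SSM Parameter Store and restarts the agent."""
    return {
        "DocumentName": "AmazonCloudWatch-ManageAgent",
        "Targets": [{"Key": "InstanceIds", "Values": list(instance_ids)}],
        "Parameters": {
            "action": ["configure"],
            "mode": ["ec2"],
            "optionalConfigurationSource": ["ssm"],
            "optionalConfigurationLocation": [ssm_parameter_name],
            "optionalRestart": ["yes"],
        },
    }

if __name__ == "__main__":
    print(json.dumps(agent_config("linux"), indent=2))
```

Store the JSON from agent_config in Parameter Store under the name you pass to run_command_request; the instance profile still needs CloudWatchAgentServerPolicy (for PutMetricData and the Parameter Store read) or none of this publishes anything.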

194
MCQhard

A company is running a critical application on EC2 instances in a VPC. The instances are in an Auto Scaling group across multiple Availability Zones. The application needs to maintain a fixed, private IP address for each instance. Which approach should be used to ensure each instance receives a consistent private IP address?

A.Use an Elastic Network Interface (ENI) with a predefined private IP and attach it to the instance
B.Configure the DHCP option set to assign a static IP
C.Assign an Elastic IP to each instance and use that as the private IP
D.Use a custom AMI that configures a static private IP address via user data
AnswerA

An ENI has a fixed private IP that can be reassigned to another instance if needed.

Why this answer

Option A is correct because an Elastic Network Interface (ENI) can be created with a specific private IP and attached to an instance; when the instance is terminated, a secondary ENI that is not set to delete on termination survives and can be attached to the replacement. In an Auto Scaling group this attachment has to be automated, for example from a lifecycle hook, because each new instance launches with a fresh primary ENI. Option D is wrong because a primary private IP is assigned by EC2 at launch and released on termination; an address set from user data would conflict with what the subnet allocated. Option C is wrong because Elastic IPs are public addresses.

Option B is wrong because DHCP option sets configure DNS servers, the domain name and NTP servers, not individual addresses.

195
Multi-Selectmedium

A company is designing a disaster recovery strategy for its primary AWS region. The application runs on EC2 instances with an RDS database. The RPO is 15 minutes and RTO is 2 hours. Which TWO actions should the SysOps Administrator take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Create AMIs of the EC2 instances and share them with the DR region.
B.Configure RDS cross-region replication to a second region.
C.Take manual RDS snapshots every 15 minutes and copy them to the DR region.
D.Use AWS Backup to copy backups to a second region daily.
E.Store CloudFormation templates in S3 with cross-region replication.
AnswersB, E

Provides near real-time replication, meeting RPO.

Why this answer

Option B is correct because an RDS cross-Region read replica replicates asynchronously with a lag that is typically seconds to minutes, well within a 15-minute RPO. Option E is correct because a CloudFormation template available in the DR Region lets the EC2 tier be provisioned well inside a 2-hour RTO. Option A is wrong because AMIs are Region-specific; they must be copied into the DR Region, not shared.

Option D is wrong because a daily copy gives an RPO of up to 24 hours. Option C is wrong because manual snapshots every 15 minutes, plus the cross-Region copy time, cannot reliably meet a 15-minute RPO.

196
MCQmedium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which step is necessary?

A.Attach an internet gateway that supports IPv6.
B.Create a new VPC with an IPv6 CIDR block and migrate resources.
C.Associate an Amazon-provided IPv6 CIDR block with the VPC.
D.Enable DNS64 in the VPC.
AnswerC

Correct. Then assign IPv6 CIDRs to subnets.

Why this answer

To use IPv6, the VPC must be associated with an Amazon-provided IPv6 CIDR block, and subnets must have IPv6 CIDR blocks assigned. Instances must be launched with IPv6 addresses.

197
MCQhard

A SysOps administrator is managing a fleet of EC2 instances in an Auto Scaling group. The instances are behind an Application Load Balancer. The administrator notices that the 'SurgeQueueLength' metric for the ALB is frequently high. What does this indicate, and what is the BEST remediation action?

A.The targets are unhealthy; decrease the desired capacity to reduce load.
B.The targets are not able to handle the request rate; increase the desired capacity or add scaling policies.
C.The load balancer is accepting too many connections; increase the idle timeout.
D.The load balancer is overloaded; replace it with a Network Load Balancer.
AnswerB

High SurgeQueueLength indicates requests are waiting for targets to become available.

Why this answer

The SurgeQueueLength metric measures the number of requests that are queued by the Application Load Balancer (ALB) because no healthy target is available to process them. A frequently high value indicates that the targets (EC2 instances) are overwhelmed and cannot keep up with the incoming request rate. The best remediation is to increase the desired capacity of the Auto Scaling group or add scaling policies (e.g., based on SurgeQueueLength or RequestCountPerTarget) to automatically add more instances to handle the load.

Exam trap

The trap here is that candidates confuse SurgeQueueLength with connection-level metrics (like idle timeout) or assume the load balancer itself is the bottleneck, when in fact the metric directly indicates insufficient target capacity.

How to eliminate wrong answers

Option A is wrong because decreasing desired capacity would reduce the number of targets, worsening the queue length, and unhealthy targets are indicated by the 'UnHealthyHostCount' metric, not SurgeQueueLength. Option C is wrong because increasing the idle timeout only affects how long the ALB keeps idle connections open, not the rate of incoming requests or the queue depth; SurgeQueueLength is about request backlog, not connection persistence. Option D is wrong because replacing the ALB with a Network Load Balancer (NLB) does not address the root cause—the targets are under-provisioned; an NLB operates at Layer 4 and does not provide the same request queuing behavior, but the underlying capacity issue remains.

198
MCQeasy

A SysOps administrator wants to receive alerts when the estimated charges for an AWS account exceed a certain threshold. Which AWS service should be used?

A.AWS Trusted Advisor
B.AWS Cost Explorer
C.Amazon CloudWatch (billing metric)
D.AWS Budgets
AnswerD

Creates budget thresholds and sends alerts.

Why this answer

AWS Budgets allows you to set cost budgets and receive alerts when actual or forecasted costs exceed thresholds. Option C is wrong because CloudWatch billing metrics are available, but the purpose-built way to alert on budget thresholds is Budgets. Option B is wrong because Cost Explorer visualizes and analyzes costs but does not send alerts.

Option A is wrong because Trusted Advisor provides cost optimization recommendations but not budget alerts.

199
MCQeasy

A company uses AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which of the following is the MOST effective way to achieve this?

A.Create a separate KMS key for each bucket and assign the IAM role as a key user
B.Configure an S3 bucket policy that allows only the IAM role to perform s3:GetObject
C.Use a KMS key policy with a condition that requires the encryption context to match the bucket ARN, and grant the IAM role decrypt permissions
D.Use an S3 bucket policy that denies s3:GetObject unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header
AnswerC

Encryption context can restrict key usage to specific buckets.

Why this answer

Option C is correct because by adding a condition in the KMS key policy that requires the encryption context to match the bucket ARN, you can restrict decryption to only requests that include that context. The IAM role can then be allowed to use the key with that context. Option D is incorrect because a bucket policy keyed on the encryption header can only enforce which key is used on upload; it cannot restrict who can decrypt.

Option B is incorrect because S3 bucket policies control s3:GetObject, not KMS decrypt permissions. Option A is incorrect because using a different key for each bucket is cumbersome and does not by itself restrict use to a specific role.

200
MCQmedium

An organization needs to enforce that all Amazon EC2 instances launched in a specific AWS account are created from a baseline Amazon Machine Image (AMI) that includes required security patches. The AMI ID is ami-0abcdef1234567890. What is the MOST efficient way to enforce this requirement?

A.Use an AWS Config rule to mark non-compliant instances and automatically terminate them.
B.Use an AWS Lambda function that is triggered by EC2 launch events to terminate non-compliant instances.
C.Use AWS CloudTrail to monitor and alert on any instance launched with a different AMI.
D.Use an IAM policy that denies the ec2:RunInstances action unless the AMI ID matches the approved one.
AnswerD

This prevents any non-compliant launch attempt.

Why this answer

Option D is correct because an IAM policy with a condition that denies ec2:RunInstances unless the specified AMI ID is used is the most efficient way to enforce the requirement: the launch is refused before it happens. Option C is incorrect because CloudTrail logs after the fact and does not prevent launches. Option A is incorrect because Config rules detect non-compliance but do not block the action; terminating afterwards leaves a window in which the non-compliant instance ran.

Option B is incorrect because a Lambda function would run after the launch event and can only terminate the instance after the fact.

201
MCQhard

A company has a VPC with public and private subnets. A NAT Gateway is in the public subnet, and a private EC2 instance needs to download patches from the internet. The instance can reach the internet after a reboot. Which action should the SysOps administrator take to make the internet access persistent?

A.Update the route table of the private subnet to point 0.0.0.0/0 to the NAT Gateway.
B.Attach an internet gateway to the private subnet.
C.Associate an Elastic IP with the NAT Gateway.
D.Enable DNS resolution in the VPC.
AnswerA

Correct. Missing route causes intermittent access.

Why this answer

Route tables must be manually updated after adding a NAT Gateway. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway.

202
MCQhard

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance with automated backups enabled. The stack is deleted and then recreated. The administrator wants to restore data from the backup of the original DB instance. How can this be achieved?

A.Restore from the latest automated backup stored in S3.
B.Restore from the automated backup snapshot that is retained after deletion.
C.Use the RDS recycle bin to recover the deleted DB instance.
D.Data cannot be restored because automated backups are deleted when the DB instance is deleted.
AnswerD

Without a final snapshot, the automated backups are lost.

Why this answer

Option D is correct because automated backups are deleted when the DB instance is deleted; a final snapshot can be taken before deletion, but since the stack was deleted without one, the data is lost. Option A is wrong because automated backups are not exposed as objects in an S3 bucket that can be restored from after deletion.

Option C is wrong because RDS does not have a recycle bin. Option B is wrong because the automated backup snapshots are deleted along with the instance.

203
Multi-Selecthard

A company runs a stateless web application on EC2 instances behind an Application Load Balancer. The application is deployed in an Auto Scaling group with a minimum of 2 and maximum of 10 instances. During a traffic spike, the Auto Scaling group launches new instances, but the new instances are immediately marked as unhealthy by the ALB and terminated. What could be the cause? (Choose TWO.)

Select 2 answers
A.The health check path is misconfigured.
B.The Auto Scaling group does not have sufficient capacity in the target AZ.
C.The instances do not have the required IAM role to register with the ALB.
D.The security group for the instances does not allow inbound traffic from the ALB.
E.The instances are launched with a larger instance type than expected.
AnswersA, D

A misconfigured health check path causes the ALB to consider instances unhealthy.

Why this answer

Options A and D are correct. If the health check path is incorrect, the ALB marks instances as unhealthy. If the security group does not allow traffic from the ALB, the health check cannot reach the instance and fails.

Option C is wrong because a missing IAM role does not cause health check failures; instances do not need an IAM role to be registered with a target group. Option B is wrong because insufficient capacity would prevent the launch, not cause health check failures. Option E is wrong because a larger instance type would not cause health check failures.

204
MCQmedium

A company runs a critical web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application uses session stickiness (sticky sessions) to maintain user sessions. The SysOps administrator notices that when instances are replaced during a scale-in or failure event, users lose their session data. The administrator needs to preserve session data across instance failures without losing stickiness benefits. What should the administrator do?

A.Disable sticky sessions on the ALB and configure the application to store session data in an external session store like Amazon ElastiCache for Redis.
B.Increase the stickiness duration to a very high value so that sessions are not lost during brief interruptions.
C.Change the Auto Scaling group to use a larger instance type to handle more sessions per instance, reducing the likelihood of session loss.
D.Configure the Auto Scaling group to use a larger minimum size and a lower maximum, so instances are less likely to be terminated.
AnswerA

This decouples session state from the EC2 instance. If an instance fails, any other instance can retrieve the session from ElastiCache, preserving the session for the user.

Why this answer

Option A is correct because storing session data externally in a service like Amazon ElastiCache for Redis decouples session state from the EC2 instance lifecycle. This allows the ALB to continue using sticky sessions to route a user to the same instance, but if that instance fails or is replaced, the new instance can retrieve the session data from the shared Redis cache, preserving the user's session without interruption.

Exam trap

The trap here is that candidates may think sticky sessions alone preserve session data, but they only preserve routing affinity, not the session state itself, which must be stored externally to survive instance failures.

How to eliminate wrong answers

Option B is wrong because increasing the stickiness duration does not preserve session data when an instance is terminated or fails; it only controls how long the ALB remembers the routing cookie, but the session data stored locally on the instance is still lost. Option C is wrong because using a larger instance type does not solve the fundamental problem of session data being stored locally; it only reduces the frequency of scale-in events but does not protect against instance failures or replacements. Option D is wrong because adjusting the Auto Scaling group's minimum and maximum sizes does not prevent session loss during scale-in or failure events; it only changes the number of instances running, but any instance that is terminated or replaced will still lose its locally stored session data.

205
MCQeasy

A company uses Amazon Route 53 for DNS. They want to ensure that if the primary web server fails, traffic is automatically routed to a secondary server in another region. Which routing policy should be used?

A.Simple routing policy
B.Failover routing policy
C.Latency routing policy
D.Weighted routing policy
AnswerB

Failover routing automatically routes to secondary when primary is unhealthy.

Why this answer

Option B is correct. The failover routing policy allows you to configure active-passive failover with health checks. Option A is wrong because simple routing does not support health checks.

Option D is wrong because weighted routing distributes traffic based on weights, not failover. Option C is wrong because latency routing routes based on measured latency, not failover.

206
MCQhard

A company's web application is hosted on EC2 instances behind a Network Load Balancer (NLB) with a static IP address. The application receives a sudden spike in traffic, and some clients report connection timeouts. Which NLB feature should the SysOps administrator configure to handle the increased load?

A.Enable sticky sessions.
B.Enable cross-zone load balancing.
C.Enable deletion protection.
D.Enable health checks to mark unhealthy instances.
AnswerB

Cross-zone load balancing allows distribution across AZs.

Why this answer

Option B is correct. NLB cross-zone load balancing distributes traffic across all registered instances in all AZs, improving usable capacity. Option D is wrong because health checks help identify unhealthy instances but do not increase capacity.

Option A is wrong because stickiness is for session persistence. Option C is wrong because deletion protection prevents accidental deletion.

207
MCQmedium

A company is using AWS Organizations with SCPs to restrict access to services. The security team wants to ensure that no IAM user can create access keys, but the SCP is not working as expected. What is the most likely cause?

A.The SCP is applied to the root OU but not inherited by the account.
B.The SCP is applied to a member account, but the IAM user is in the management account.
C.The SCP has a Deny effect, but it takes 24 hours to apply.
D.The SCP only applies to root users, not IAM users.
AnswerB

SCPs do not affect the management account.

Why this answer

Option B is correct because SCPs apply only to member accounts, never to the management account. Option A is wrong because an SCP attached to the organization root is inherited by every OU and account beneath it. Option C is wrong because SCPs do not take 24 hours to propagate.

Option D is wrong because SCPs affect all users in member accounts.

208
MCQmedium

A company runs a critical production database on Amazon RDS for MySQL with a Multi-AZ deployment. The database experiences a primary instance failure. The SysOps administrator needs to understand exactly how the failover process worked and why the application experienced a longer-than-expected downtime. Which AWS service or feature should the administrator use to review detailed events and actions during the failover?

A.AWS Personal Health Dashboard
B.Amazon RDS Performance Insights
C.Amazon CloudWatch Logs
D.AWS CloudTrail
AnswerA

The Personal Health Dashboard shows relevant events and notifications specific to the customer's RDS Multi-AZ failover, including timing and causes.

Why this answer

AWS Personal Health Dashboard provides a personalized view of the health of AWS services and resources, including detailed event logs for RDS Multi-AZ failovers. It surfaces the exact sequence of actions (e.g., DNS record update, failover initiation, completion) and any underlying AWS infrastructure issues that caused the extended downtime, such as degraded hardware or network latency. This is the correct tool because it gives the administrator a chronological, AWS-side account of the failover process, which is not available through other services.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which records API calls) with the ability to view internal service events, but CloudTrail does not capture automatic failover processes or infrastructure health events that are only available through AWS Personal Health Dashboard.

How to eliminate wrong answers

Option B is wrong because Amazon RDS Performance Insights focuses on database performance metrics (e.g., CPU, memory, SQL query load) and does not log failover events or infrastructure-level actions. Option C is wrong because Amazon CloudWatch Logs can capture RDS log files (e.g., error logs, slow query logs) but does not inherently record the failover process steps or AWS-side infrastructure events; it would require custom agent configuration to capture such data. Option D is wrong because AWS CloudTrail records API calls made to the RDS service (e.g., ModifyDBInstance) but does not capture internal failover events or DNS propagation details that occur automatically during a Multi-AZ failover.

209
MCQhard

A company has a production RDS for PostgreSQL instance. They need to recover from a logical corruption that occurred 2 hours ago. Which recovery method will minimize data loss?

A.Restore from the latest automated snapshot taken 1 hour ago.
B.Use pg_dump to export the database and restore it.
C.Fail over to the read replica in another AZ.
D.Perform a point-in-time recovery to a time just before the corruption occurred.
AnswerD

PITR uses automated backups and transaction logs to restore to any second within the backup retention period.

Why this answer

Option D is correct because point-in-time recovery can restore to any time within the backup retention period, allowing recovery to just before the corruption. Option A is wrong because a snapshot taken 1 hour ago would already include the corruption that occurred 2 hours ago. Option C is wrong because a read replica contains the corruption if it was replicated.

Option B is wrong because a pg_dump export taken now would capture the corrupted data; a dump and restore is less precise than PITR.

210
Multi-Selecteasy

A SysOps administrator is implementing an automated backup solution for Amazon RDS databases. The solution must support point-in-time recovery and cross-region disaster recovery. Which TWO AWS services or features should be used?

Select 2 answers
A.Manual DB snapshots.
B.Cross-region read replicas.
C.Automated backups with a retention period.
D.Amazon S3 lifecycle policies.
E.Automated cross-region snapshot copy.
AnswersC, E

Automated backups enable point-in-time recovery within retention.

Why this answer

The correct answers are C and E. C is correct because automated backups with a retention period enable point-in-time recovery. E is correct because automated cross-region snapshot copy allows DR in another region.

A is incorrect because manual snapshots are not automated. B is incorrect because read replicas are for read scaling, not backups. D is incorrect because S3 lifecycle policies do not manage RDS backups.

211
MCQmedium

Refer to the exhibit. A company has a CloudTrail trail in us-east-1 that logs events for that region only. The company operates in multiple regions and wants to ensure all API calls from all regions are logged. What is the most efficient way to achieve this?

A.Use Amazon CloudWatch Events to capture API calls from all regions.
B.Use S3 event notifications to trigger a Lambda function that logs API calls.
C.Create a new CloudTrail trail in each region.
D.Update the existing trail to be a multi-region trail.
AnswerD

A multi-region trail logs events from all regions.

Why this answer

Option D is correct because updating the existing trail to be a multi-region trail is the most efficient way to log events from all regions. Option C is wrong because creating a new trail in each region works but is less efficient to manage. Option B is wrong because S3 event notifications do not capture API calls.

Option A is wrong because CloudWatch Events is not used for logging API calls.

212
MCQhard

A company has a production RDS for PostgreSQL instance with Multi-AZ enabled. During a recent failover test, the application experienced a 5-minute downtime. The company requires that failover be completed within 2 minutes. Which action should be taken to meet this requirement?

A.Migrate the database to Amazon Aurora with Multi-AZ.
B.Enable automated backups with a short retention period.
C.Increase the DB instance class to a larger size.
D.Configure an RDS Proxy in front of the database.
AnswerD

RDS Proxy pools connections and reduces failover time.

Why this answer

Option D is correct because RDS Proxy reduces failover time by pooling database connections and maintaining them during failover. Option C is wrong because increasing the instance size does not directly reduce failover time. Option B is wrong because enabling automated backups does not affect failover speed.

Option A is wrong because switching to Aurora may help but is a larger architectural change; RDS Proxy is a simpler solution for an existing RDS instance.

213
MCQmedium

A SysOps administrator manages a web application hosted on EC2 instances behind an Application Load Balancer. The application uses sticky sessions (session affinity) based on cookies. Recently, the development team deployed a new version that increases the load time for certain pages. Users report that they are randomly seeing other users' data. The administrator suspects that the sticky session configuration is not working correctly. The ALB target group is configured with stickiness enabled using the AWSALB cookie. What should the administrator do to verify that sticky sessions are being honored?

A.Increase the stickiness duration to 7 days and test again
B.Check the ALB access logs for the presence of the stickiness cookie
C.Use a browser's developer tools to inspect the cookies on the client side and verify the AWSALB cookie is being set and includes the correct target group identifier
D.Check the target group health check settings to ensure all instances are healthy
AnswerC

The AWSALB cookie indicates which target group the client is sticky to.

Why this answer

Option C is correct because using a browser's developer tools to inspect cookies on the client side confirms that the AWSALB cookie is present and contains the correct target group identifier. Option B is wrong because ALB access logs do not record individual session affinity. Option A is wrong because changing the stickiness duration does not verify current behavior.

Option D is wrong because checking target group health does not indicate sticky session behavior.

214
Multi-Selecteasy

A SysOps administrator is deploying a CloudFormation stack that includes an Amazon EC2 instance. The instance needs to have the latest patch level at launch. Which TWO methods can accomplish this? (Choose TWO.)

Select 2 answers
A.Create a custom AMI with the latest patches.
B.Include a user data script that runs the patch command.
C.Use AWS CodeDeploy to run a patch script.
D.Use a CloudFormation creation policy to run a Systems Manager command for patching.
E.Configure an AWS Config rule to enforce patching.
AnswersA, D

A custom AMI ensures the instance is already patched at launch.

Why this answer

Options A and D are correct. Using a Systems Manager patch baseline with the AWS-RunPatchBaseline document in a CloudFormation creation policy allows patching at launch. Alternatively, using a custom AMI that already includes the latest patches ensures the instance is patched from the start.

Option B (user data script) might not complete before the instance becomes available. Option E (AWS Config rules) is for compliance checking, not patching during deployment. Option C (CodeDeploy) is for application deployment, not OS patching.

215
MCQhard

An application running on Amazon EC2 needs to access an S3 bucket. The SysOps administrator wants to ensure that only that specific EC2 instance can access the bucket, without storing any long-term credentials on the instance. What is the most secure way to achieve this?

A.Attach an IAM role to the EC2 instance using an instance profile and grant the role S3 access
B.Configure a resource-based policy on the EC2 instance to allow S3 access
C.Create an IAM user with S3 access and store the access keys in the instance's user data
D.Generate pre-signed URLs for each S3 object the application needs to access
AnswerA

This is the best practice: temporary credentials are automatically rotated, and no long-term keys are stored on the instance.

Why this answer

Using an instance profile with an IAM role is the most secure method. The instance profile is attached to the EC2 instance, and the role provides temporary credentials via the metadata service. The S3 bucket policy can then restrict access to that specific IAM role.

Storing access keys on the instance is insecure. Using pre-signed URLs is for individual objects, not ongoing access. A resource-based policy on the EC2 instance is not applicable.

216
MCQhard

A company uses an Application Load Balancer (ALB) to route traffic to a web application. The security team requires that all traffic be encrypted in transit. The ALB currently uses a TLS certificate from AWS Certificate Manager (ACM). Users report that some browsers show a certificate warning. What is the MOST likely cause?

A.The listener is using a different certificate for each target group.
B.The ALB is configured to use TLS 1.0 only.
C.The certificate is self-signed or issued by an untrusted CA.
D.The ALB is not configured to terminate TLS.
AnswerC

Self-signed certificates cause browser warnings.

Why this answer

Option C is correct because if the certificate is self-signed or issued by a CA the browser does not trust, browsers will show a warning. Option B is wrong because a TLS 1.0-only listener would cause connection failures in modern browsers, not a certificate warning. Option D is wrong because the ALB does terminate TLS when an HTTPS listener with an ACM certificate is configured.

Option A is wrong because the listener can serve multiple certificates, and certificates are attached to listeners, not target groups.

217
Multi-Selecthard

A company is using AWS KMS to encrypt data. The security team wants to ensure that a specific IAM role can use a KMS key, but only when the request comes from a specific VPC. Which THREE conditions should be included in the KMS key policy? (Choose three.)

Select 3 answers
A.aws:SourceSubnet equals the subnet ID.
B.aws:SourceArn equals the IAM role ARN.
C.aws:SourceVpc equals the VPC ID.
D.aws:SourceIp equals the VPC CIDR.
E.aws:SourceVpce equals the VPC endpoint ID.
AnswersB, C, E

Identifies the role.

Why this answer

Option B is correct to specify the role. Option E is correct to restrict to the VPC endpoint. Option C is correct to restrict to the VPC.

Option D is wrong because a source IP range is not specific to a VPC. Option A is wrong because subnet ID is not a condition key for KMS.

218
MCQeasy

A company has an application that requires UDP traffic to be distributed across multiple EC2 instances. Which AWS load balancer type should be used?

A.Network Load Balancer
B.Classic Load Balancer
C.Amazon CloudFront
D.Application Load Balancer
AnswerA

NLB supports TCP, UDP, and TLS.

Why this answer

Option A is correct because Network Load Balancer (NLB) supports UDP traffic. Option D is incorrect because Application Load Balancer (ALB) only supports HTTP/HTTPS, not UDP.

Option B is incorrect because Classic Load Balancer supports TCP/SSL but not UDP. Option C is incorrect because CloudFront is a CDN, not a load balancer.

219
MCQeasy

A SysOps administrator needs to deploy a set of AWS Lambda functions and an Amazon API Gateway API using infrastructure as code. The administrator wants to manage the deployment across multiple environments (dev, test, prod) with consistent resource configurations. Which AWS service should the administrator use?

A.AWS CloudFormation
B.AWS CodeDeploy
C.AWS Elastic Beanstalk
D.AWS OpsWorks
AnswerA

AWS CloudFormation is the correct choice because it provides infrastructure as code capabilities, enabling you to define resources in a template and deploy them consistently across environments.

Why this answer

AWS CloudFormation is the correct choice because it is an Infrastructure as Code (IaC) service that allows you to define and provision AWS resources, including Lambda functions and API Gateway APIs, using templates. It supports managing deployments across multiple environments (dev, test, prod) by using parameters, mappings, and stacks, ensuring consistent resource configurations through repeatable, version-controlled templates.

Exam trap

The trap here is that candidates often confuse AWS CodeDeploy (which deploys application code) with CloudFormation (which provisions infrastructure), leading them to choose CodeDeploy because they think of 'deploying' Lambda functions, but the question specifically requires managing infrastructure as code across environments, which is CloudFormation's role.

How to eliminate wrong answers

Option B (AWS CodeDeploy) is wrong because it is a deployment service for automating code deployments to compute services like EC2, Lambda, or ECS, but it does not manage the provisioning of infrastructure resources like API Gateway or Lambda functions themselves; it focuses on deploying application code, not defining the underlying infrastructure. Option C (AWS Elastic Beanstalk) is wrong because it is a Platform as a Service (PaaS) that abstracts infrastructure management for web applications, but it does not provide the granular, template-based control over individual resources like Lambda and API Gateway that IaC requires; it is designed for application deployment, not for defining and versioning infrastructure components. Option D (AWS OpsWorks) is wrong because it is a configuration management service that uses Chef or Puppet to manage EC2 instances and on-premises servers, but it is not designed for defining serverless resources like Lambda functions or API Gateway APIs; it focuses on server-based configurations, not declarative IaC for serverless services.

220
MCQhard

A company is using AWS Organizations with multiple accounts. The security team wants to prevent any IAM user from creating access keys for themselves across all accounts. What is the most effective way to enforce this policy?

A.Attach an IAM policy to the root user that denies iam:CreateAccessKey.
B.Configure an IAM password policy that requires strong passwords.
C.Apply a service control policy (SCP) that denies iam:CreateAccessKey to all accounts in the organization.
D.Use AWS CloudTrail to monitor and alert on CreateAccessKey events.
AnswerC

SCPs can enforce restrictions across accounts in AWS Organizations.

Why this answer

Option C is correct because a service control policy (SCP) can deny the CreateAccessKey action across all accounts in the organization. Option A is wrong because an IAM policy on the root user only affects the root user, not IAM users. Option B is wrong because password policies do not control access keys.

Option D is wrong because CloudTrail can log but not prevent the action.

221
MCQhard

An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any member account can create access keys that are more than 90 days old. What is the most efficient way to enforce this?

A.Use a service control policy (SCP) to deny the iam:CreateAccessKey action unless a condition is met
B.Use CloudTrail to monitor CreateAccessKey events and trigger a Lambda function to disable old keys
C.Use AWS Config rules in each account to detect keys older than 90 days and automatically delete them
D.Create an IAM policy that denies CreateAccessKey if the user has any key older than 90 days
AnswerA

SCPs can be applied at the OU level to prevent key creation across accounts.

Why this answer

Option A is correct because an SCP attached to the organization root or to an OU applies to every member account, including accounts added later, and is preventive: the iam:CreateAccessKey call is denied before a key exists, and a Condition block can narrow the deny (for example to every principal except an approved administration role). Option B is wrong because CloudTrail only records the event; a Lambda function triggered from it acts after the key exists, so it detects rather than enforces. Option C is wrong because AWS Config rules must be deployed into each account and are reactive: the ACCESS_KEYS_ROTATED managed rule flags keys only after they exceed the age, and an auto-remediation that deletes keys can break running workloads. Option D is wrong because an IAM policy would have to be created and maintained in every account, and IAM exposes no condition key for the age of a principal's existing keys, so the policy could not express the check.

The same limitation is the practical caveat for option A: no condition key reports access-key age, so an SCP can only deny key creation, outright or for a scoped set of principals. Finding keys that are already older than 90 days still needs the ACCESS_KEYS_ROTATED Config rule or the IAM credential report.
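An SCP that enforces the requirement in questions 220 and 221, added here as a worked example; it is not from the exam page or from AWS documentation. The role name OrgKeyAdmin is an assumed break-glass role that is allowed to keep creating keys; the rest is standard SCP syntax using the aws:PrincipalArn condition key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessKeyCreationExceptAssumedBreakGlassRole",
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgKeyAdmin"
        }
      }
    }
  ]
}
```

Attach the policy to the organization root so that every current and future member account inherits it; SCPs do not apply to the management account. Because the deny is unconditional on the resource, it also stops administrators from creating keys for other users unless they act through the excepted role, which is usually the intent. A Deny statement in an SCP cannot be overridden by any IAM policy in the member account, so test it in a sandbox OU first.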

222
MCQeasy

An administrator needs to grant an IAM user the ability to stop and start EC2 instances, but only for instances tagged with 'Environment:Production'. Which IAM policy element should be used to enforce this condition?

A.Effect
B.Resource
C.Action
D.Condition
AnswerD

Condition allows tag-based restrictions.

Why this answer

Option D is correct because the Condition element is where tag-based restrictions are expressed, here with the aws:ResourceTag/Environment (or ec2:ResourceTag/Environment) condition key matched against the value Production. Option A is wrong because Effect only states whether the statement allows or denies. Option B is wrong because Resource identifies the instances by ARN, and an ARN cannot express a tag value.

Option C is wrong because Action lists the operations (ec2:StartInstances, ec2:StopInstances) but cannot restrict them by tag.
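The policy that question 222 describes, added here as a worked example that is not part of the exam page. The Describe statement is included because ec2:DescribeInstances does not support resource-level permissions or tag conditions, so the user could not list instances without it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesHasNoTagCondition",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "StartStopOnlyProductionTaggedInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}
```

The condition is only as strong as the tag: anyone who can call ec2:CreateTags or ec2:DeleteTags on an instance can move it in or out of scope, so pair this policy with a deny on those actions for the Environment tag key (or restrict them to an administration role).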

223
MCQmedium

A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using keys managed by the company. Which encryption option should the SysOps administrator choose?

A.Server-Side Encryption with AWS KMS (SSE-KMS)
B.Server-Side Encryption with S3-Managed Keys (SSE-S3)
C.Server-Side Encryption with Customer-Provided Keys (SSE-C)
D.Client-Side Encryption
AnswerC

The company generates, stores and supplies the encryption key with each request; S3 uses it for that request and does not retain it.

Why this answer

Option C is correct because with SSE-C the company generates and stores the key itself and sends it with every PUT and GET; S3 encrypts and decrypts the object with that key and retains only a randomly salted HMAC of it to validate later requests, never the key. Option B is wrong because SSE-S3 uses keys that AWS owns and manages. Option A is wrong because SSE-KMS keys live in AWS KMS, where the service holds and uses the key material; even a customer managed KMS key is managed inside KMS rather than by the company.

Option D is wrong because client-side encryption happens before upload: the company manages the keys, but S3 itself is not encrypting the data at rest with them, which is what the policy asks for. Two caveats for SSE-C: it cannot be set as a bucket's default encryption, and a lost key makes the object unrecoverable, so the requirement is normally enforced with a bucket policy rather than relied on by convention.
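A bucket policy that enforces the SSE-C requirement from question 223, added here as a worked example; it is not from the exam page. The bucket name example-company-data is assumed. The Null condition on the s3:x-amz-server-side-encryption-customer-algorithm key denies any PutObject request that does not carry the SSE-C algorithm header.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectUploadsWithoutCustomerProvidedKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-company-data/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "true"
        }
      }
    }
  ]
}
```

A client that satisfies this policy must send the algorithm header (AES256) together with the base64 key and its MD5 on every upload, and the same three headers on every download, because S3 has no copy of the key. Uploads that try SSE-S3 or SSE-KMS instead are rejected, which is what turns the written policy into an enforced control.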

224
MCQmedium

A company manages multiple AWS accounts under AWS Organizations. The SysOps administrator needs to deploy a baseline set of AWS Config rules and an Amazon SNS topic to each account in the organization. The deployment must be centrally managed from the management account and automatically applied to any new member account added in the future. Which solution should the administrator use?

A.Create an AWS CloudFormation StackSet with the template containing the AWS Config rules and SNS topic. Configure the StackSet to deploy to the organization and enable automatic deployment to new accounts.
B.Use AWS Service Catalog to create a product that bundles the AWS Config rules and SNS topic. Grant each account access to launch the product.
C.Configure AWS Config conformance packs in the management account and use AWS Resource Access Manager to share them with member accounts.
D.Create an AWS Organizations Service Control Policy (SCP) that enforces the creation of AWS Config rules and SNS topics in every account.
AnswerA

CloudFormation StackSets can centrally deploy stacks to accounts in AWS Organizations. With automatic deployment enabled, new accounts added to the organization will automatically receive the stack.

Why this answer

AWS CloudFormation StackSets can be deployed to an entire AWS Organizations organization or organizational units (OUs), and they support automatic deployment to new accounts added to the organization. By creating a StackSet with a template that defines the AWS Config rules and SNS topic, and enabling automatic deployment, the administrator ensures that every current and future member account receives the baseline configuration without manual intervention.

Exam trap

The trap here is that candidates often confuse Service Control Policies (SCPs) with resource enforcement, not realizing that SCPs only control permissions and cannot create or configure resources like AWS Config rules or SNS topics.

How to eliminate wrong answers

Option B is wrong because AWS Service Catalog requires each account to launch the product, which is neither centrally enforced nor automatic for new accounts. Option C is wrong because AWS Resource Access Manager (RAM) shares resources such as subnets, Transit Gateways and license configurations; it does not deploy conformance packs. Conformance packs can be rolled out across an organization (as organization conformance packs) or through StackSets, but the option's mechanism is wrong and a conformance pack would not create the SNS topic. Option D is wrong because Service Control Policies (SCPs) only allow or deny actions; they cannot create or configure resources such as AWS Config rules or SNS topics.
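A management-account CloudFormation template that creates the StackSet from question 224, added here as a worked example; it is not from the exam page. The template URL, the StackSet name and the OU ID are assumed values; the baseline template referenced by TemplateURL is where the AWS::Config::ConfigRule and AWS::SNS::Topic resources live. The AWS::CloudFormation::StackSet resource type and its AutoDeployment, PermissionModel and StackInstancesGroup properties are real.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates the organization-wide security baseline StackSet (assumed names and IDs)",
  "Resources": {
    "BaselineStackSet": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "StackSetName": "org-security-baseline",
        "Description": "Baseline AWS Config rules and SNS topic for every member account",
        "PermissionModel": "SERVICE_MANAGED",
        "AutoDeployment": {
          "Enabled": true,
          "RetainStacksOnAccountRemoval": false
        },
        "TemplateURL": "https://example-templates.s3.amazonaws.com/baseline.yaml",
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "StackInstancesGroup": [
          {
            "DeploymentTargets": {
              "OrganizationalUnitIds": ["ou-abcd-11111111"]
            },
            "Regions": ["us-east-1"]
          }
        ]
      }
    }
  }
}
```

SERVICE_MANAGED permissions require trusted access for StackSets to be enabled in AWS Organizations first (from the console or with enable-aws-service-access); without it the stack fails. AutoDeployment only fires for accounts that join a targeted OU, so target OUs rather than individual account IDs. Because an AWS::Config::ConfigRule cannot be created in an account that has no configuration recorder, the baseline template should create the recorder and delivery channel, or the deployment should be ordered after the account has AWS Config turned on.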

225
MCQhard

A SysOps administrator is troubleshooting a failed AWS CloudFormation stack creation. The stack includes an Amazon RDS DB instance with a custom DB parameter group. The error message states: 'The following resource(s) failed to create: [DBParameterGroup].' The administrator checks the CloudFormation template and sees that the DBParameterGroup resource has a property 'Parameters' with a list of parameters. What is the MOST likely reason for the failure?

A.The parameter group name contains invalid characters.
B.The parameter group is configured with parameters that are not compatible with the DB engine version.
C.The DB subnet group specified for the DB instance does not exist.
D.The VPC does not have an RDS VPC endpoint enabled.
AnswerB

If the custom parameter group sets parameters that are not supported by the engine version, creation fails.

Why this answer

A custom DB parameter group belongs to a parameter group family (for example mysql8.0 or postgres15) that must match the engine and major version of the DB instance, and every entry in its Parameters property must be a parameter that exists in that family with a value in the allowed range. A family that does not fit the engine version, or a parameter name or value that the family does not accept, makes the DBParameterGroup resource fail before the DB instance is even attempted, which is exactly the error shown. Option B is correct.

Option C is wrong because the DB subnet group belongs to the DBInstance resource, and the error names the DBParameterGroup. Option D is wrong because RDS does not require a VPC endpoint to create resources. Option A is wrong because CloudFormation generates the parameter group name unless one is supplied, and the stem points at the Parameters property, not the name.
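A working pairing of parameter group and instance for question 225, added here as a worked example that is not from the exam page. The parameter names max_connections and require_secure_transport exist in the mysql8.0 family; the engine version, instance class and storage size are assumed values and should be replaced with ones available in the target Region.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "MySQL 8.0 instance with a matching custom parameter group (assumed sizes and version)",
  "Resources": {
    "AppDbParams": {
      "Type": "AWS::RDS::DBParameterGroup",
      "Properties": {
        "Description": "Custom parameters; Family must match the DBInstance engine major version",
        "Family": "mysql8.0",
        "Parameters": {
          "max_connections": "500",
          "require_secure_transport": "1"
        }
      }
    },
    "AppDb": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "Engine": "mysql",
        "EngineVersion": "8.0.35",
        "DBInstanceClass": "db.t3.medium",
        "AllocatedStorage": "20",
        "MasterUsername": "admin",
        "ManageMasterUserPassword": true,
        "DBParameterGroupName": {"Ref": "AppDbParams"},
        "StorageEncrypted": true,
        "PubliclyAccessible": false
      }
    }
  }
}
```

The failure in the question reproduces if Family is changed to mysql5.7 while EngineVersion stays at 8.0.x, or if a parameter from another engine (a PostgreSQL name, for instance) is added to Parameters: the DBParameterGroup is created first and is rejected on its own, so the DBInstance never starts. Family is also an immutable property, so correcting it later replaces the parameter group, and the instance must be rebooted for static parameters to take effect.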
