AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 226-300

1546 questions total · 21 pages · All types, answers revealed

Page 4 of 21
226
MCQ · hard

A company uses Amazon CloudWatch Logs to store application logs from EC2 instances. The log volume is 100 GB per day, and logs are retained for 1 year. The SysOps administrator wants to reduce costs while maintaining compliance. Which solution is MOST effective?

A. Reduce the log retention period to 30 days.
B. Disable server-side encryption for the log group to reduce overhead.
C. Use CloudWatch Logs Insights to query logs instead of storing them.
D. Export logs to Amazon S3 and configure a lifecycle policy to transition them to Glacier Deep Archive after 30 days.

Answer: D

Exporting reduces CloudWatch costs and S3 lifecycle policies minimize storage costs.

Why this answer

The correct answer is D. Exporting logs to S3 and using S3 lifecycle policies to transition to cheaper storage classes (e.g., Glacier Deep Archive) is cost-effective for long-term retention. Option C is wrong because CloudWatch Logs Insights is a query tool, not a cost reduction method.

Option A is wrong because reducing the retention period violates compliance. Option B is wrong because disabling encryption does not reduce costs significantly and may violate security policies.

227
MCQ · medium

A company's compliance team requires that all changes to IAM policies be logged and immediately alerted. Which AWS solution should be used?

A. Use AWS Config rules to monitor IAM policy changes and send notifications.
B. Use Amazon CloudWatch Logs to capture IAM policy changes and create metric filters.
C. Use Amazon GuardDuty to detect unauthorized IAM policy changes.
D. Use AWS CloudTrail to log API calls and Amazon CloudWatch Events to send alerts.

Answer: D

CloudTrail logs the changes, and CloudWatch Events can trigger alerts in real time.

Why this answer

Option D is correct because CloudTrail logs IAM policy changes, and CloudWatch Events can trigger alerts. Option A is wrong because AWS Config records configuration changes but does not provide real-time alerting. Option B is wrong because CloudWatch Logs does not capture API calls.

Option C is wrong because GuardDuty is for threat detection.

228
Multi-Select · hard

A company is using Amazon CloudFront to deliver content to users worldwide. They notice high data transfer costs. Which THREE actions can reduce CloudFront data transfer costs?

Select 3 answers
A. Use Lambda@Edge to customize content.
B. Use a CloudFront price class that only uses the cheapest edge locations.
C. Enable compression for compressible objects.
D. Add more edge locations to improve cache hit ratio.
E. Use CloudFront Origin Shield to reduce requests to the origin.

Answers: B, C, E

Price class restricts to lower-cost edge locations.

Why this answer

Option B is correct because the price class selects only the cheapest edge locations. Option C is correct because compressing objects reduces transfer size. Option E is correct because Origin Shield reduces requests to the origin.

Option A is wrong because Lambda@Edge adds cost. Option D is wrong because more edge locations increase coverage but do not necessarily reduce cost.

229
MCQ · easy

A company is using AWS CloudTrail to log API activity. They need to ensure that log files are protected from unauthorized modification and can be used to verify the integrity of log files. Which AWS feature should be enabled?

A. Enable CloudTrail log file integrity validation.
B. Enable S3 server-side encryption on the CloudTrail S3 bucket.
C. Stream CloudTrail logs to Amazon CloudWatch Logs.
D. Enable S3 Multi-Factor Authentication (MFA) Delete on the CloudTrail S3 bucket.

Answer: A

Integrity validation uses SHA-256 hashing and digital signatures to verify that log files have not been modified.

Why this answer

CloudTrail log file integrity validation uses a SHA-256 hash chain to create a digest file that can be used to verify that log files have not been modified, deleted, or tampered with after delivery. This feature is specifically designed to provide cryptographic assurance of log file integrity, meeting the requirement to protect against unauthorized modification and enable verification.

Exam trap

The trap here is that candidates often confuse data protection features like encryption or deletion prevention with integrity verification, not realizing that integrity validation specifically requires a cryptographic hash chain to detect modification, not just access control or encryption.

How to eliminate wrong answers

Option B is wrong because enabling S3 server-side encryption protects log files at rest from unauthorized access but does not provide a mechanism to verify that the log files have not been modified or tampered with after they were written. Option C is wrong because streaming CloudTrail logs to CloudWatch Logs enables real-time monitoring and alerting but does not provide cryptographic integrity verification of the original log files stored in S3. Option D is wrong because S3 MFA Delete protects against accidental or unauthorized deletion of objects by requiring multi-factor authentication for delete operations, but it does not provide a hash-based integrity check to detect modification of log file contents.

230
MCQ · medium

A company runs a stateful web application on a single Amazon EC2 instance. The SysOps administrator needs to implement a high availability architecture that can tolerate an Availability Zone (AZ) failure. The application stores session state in memory and also writes critical data to an Amazon EBS volume. The administrator wants to use an Auto Scaling group and an Application Load Balancer (ALB). Which combination of steps is required to make the application highly available?

A. Create an Auto Scaling group that spans at least two Availability Zones, attach the existing EBS volume to the new instances, and use an ALB to distribute traffic.
B. Migrate session state to Amazon ElastiCache for Redis, store critical data in Amazon EFS, create an Auto Scaling group across multiple AZs, and place it behind an ALB.
C. Place the EC2 instance in an Auto Scaling group with a minimum and maximum of 1 in the same AZ, and attach an Elastic IP to the instance.
D. Use an ALB with the existing single instance as the target, and enable cross-zone load balancing.

Answer: B

Externalizing session state and data to shared services (ElastiCache, EFS) allows any instance to take over. An Auto Scaling group across multiple AZs and an ALB provide fault tolerance for AZ failures.

Why this answer

Option B is correct because it addresses both the stateless requirement for horizontal scaling and the persistence of critical data across AZ failures. Migrating session state to ElastiCache for Redis removes the dependency on local instance memory, allowing any instance to handle any request. Storing critical data on Amazon EFS provides a shared, NFS-based file system that is accessible from all instances across multiple AZs, unlike EBS which is tied to a single AZ.

Combining these with a multi-AZ Auto Scaling group and an ALB ensures the application can survive an entire AZ outage.

Exam trap

The trap here is that candidates assume EBS volumes can be shared across instances or AZs, or that a single-instance setup with an ALB provides high availability, when in fact EBS is a single-AZ resource and the ALB requires multiple healthy targets to tolerate failures.

How to eliminate wrong answers

Option A is wrong because EBS volumes are AZ-scoped and cannot be attached to instances in a different AZ; attaching the existing EBS volume to new instances in another AZ is impossible without snapshotting and recreating, which defeats high availability. Option C is wrong because keeping a single instance in one AZ with an Elastic IP does not provide fault tolerance for an AZ failure; the Auto Scaling group with min/max of 1 cannot replace the instance in a different AZ automatically, and the Elastic IP does not reroute traffic to a healthy instance. Option D is wrong because using an ALB with a single instance as the target and enabling cross-zone load balancing does not add redundancy; if the instance or its AZ fails, the ALB has no other targets to route traffic to, so the application becomes unavailable.

231
MCQ · medium

An administrator needs to be notified when the root user signs in to the AWS Management Console. Which method should be used?

A. Create a CloudWatch Events rule for 'AWS Console Sign-In' events and set the target to an SNS topic.
B. Enable CloudTrail Insights to detect root login anomalies.
C. Create a CloudWatch alarm on the RootAccountUsage metric.
D. Use AWS Config to track IAM password policy changes.

Answer: A

CloudTrail records console sign-ins, and CloudWatch Events can react to them.

Why this answer

Option A is correct because you can create an Amazon CloudWatch Events rule (now called Amazon EventBridge rule) that matches the 'AWS Console Sign-In' event from AWS CloudTrail. When the root user signs in, this event is generated, and the rule can trigger an SNS topic to send a notification to the administrator. This is the recommended approach for real-time alerting on root user activity.

Exam trap

The trap here is that candidates may think CloudWatch alarms can monitor root account usage directly via a metric, but AWS does not expose a 'RootAccountUsage' metric; instead, you must use CloudTrail events as the source for event-driven alerts.

How to eliminate wrong answers

Option B is wrong because CloudTrail Insights analyzes write management events to detect unusual activity patterns, but it does not provide real-time notifications for specific events like root user sign-ins; it focuses on anomaly detection, not event-driven alerts. Option C is wrong because the 'RootAccountUsage' metric is not a standard CloudWatch metric; CloudWatch does not have a built-in metric for root account usage, and you cannot create an alarm on a non-existent metric. Option D is wrong because AWS Config tracks resource configuration changes, such as IAM password policy changes, but it does not monitor or alert on root user sign-in events.

232
MCQ · medium

A company has a legacy application that runs on a single Amazon EC2 instance. The SysOps administrator is tasked with migrating the application to an Auto Scaling group behind an Application Load Balancer to improve availability. The application stores session state locally on the instance. What should the administrator do to ensure a seamless migration with minimal changes to the application code?

A. Configure the Application Load Balancer with sticky sessions (session affinity).
B. Disable the feature that stores session state locally.
C. Use Amazon ElastiCache for Redis to store session data externally.
D. Modify the application to store session data in an Amazon RDS database.

Answer: C

Why this answer

Option C is correct because ElastiCache for Redis provides a centralized session store that can be accessed by any instance, allowing the application to be stateless without code changes if the application is configured to use Redis. Option A is incorrect because sticky sessions (session affinity) are a workaround but do not eliminate the dependency on local storage; if an instance fails, its sessions are lost. Option D is incorrect because modifying the application to use a database for session storage requires code changes.

Option B is incorrect because disabling the feature does not solve the problem.

233
MCQ · medium

A company uses AWS CodePipeline to automate its software release process. The pipeline includes a source stage (Amazon S3), a build stage (AWS CodeBuild), and a deploy stage (AWS CodeDeploy). Recently, a developer committed a change that broke the build. The pipeline failed and the developer fixed the code. The developer wants to rerun the pipeline from the source stage without making another commit. What should the developer do?

A. Create a new commit with an empty message to trigger the pipeline.
B. Use the 'Release change' button in the CodePipeline console to manually rerun the pipeline.
C. Wait for the pipeline to automatically retry after the failure.
D. Re-upload the same artifact to the source S3 bucket to trigger the pipeline.

Answer: B

Why this answer

Option B is correct because CodePipeline allows you to manually release a change, which re-runs the pipeline from the last successful execution or from the source stage. Option D is incorrect because modifying the S3 object directly might not trigger the pipeline automatically (depending on configuration), and it is not the standard way to retry. Option A is incorrect because commit messages do not affect pipeline execution.

Option C is incorrect because the pipeline will not automatically retry; the developer must manually retry.

234
Multi-Select · hard

A SysOps administrator is monitoring an Amazon ECS cluster running Fargate tasks. The administrator wants to receive a notification when any task fails to start due to insufficient memory. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A. Enable AWS CloudTrail and create a metric filter for RunTask API calls.
B. Configure the CloudWatch Events rule to send notifications to an SNS topic.
C. Create a CloudWatch Events rule that matches ECS task state changes with a reason of 'RESOURCE:MEMORY'.
D. Create a CloudWatch alarm on the ECS cluster's CPUUtilization metric.
E. Enable CloudWatch Logs for the ECS cluster and filter for error messages.

Answers: B, C

SNS can send email or SMS notifications for alarms.

Why this answer

Option B is correct because Amazon CloudWatch Events (now Amazon EventBridge) can trigger an SNS notification when a specific ECS task state change occurs. Option C is correct because you can create a CloudWatch Events rule that matches ECS task state changes with a reason of 'RESOURCE:MEMORY', which indicates the task failed to start due to insufficient memory. Together, these actions ensure you receive a notification when a Fargate task fails to start due to memory constraints.

Exam trap

The trap here is that candidates often confuse CloudTrail (audit logging) with CloudWatch Events (event-driven notifications), or they mistakenly think CPU metrics can indicate memory-related failures, leading them to select options that do not directly capture the specific 'RESOURCE:MEMORY' reason.

235
Multi-Select · easy

A SysOps administrator is creating a CloudFormation template to provision an Amazon S3 bucket with versioning enabled and server access logging. Which TWO properties must be configured in the AWS::S3::Bucket resource?

Select 2 answers
A. Tags
B. VersioningConfiguration
C. LoggingConfiguration
D. LifecycleConfiguration
E. AccessControl

Answers: B, C

Required to enable versioning.

Why this answer

VersioningConfiguration enables versioning, and LoggingConfiguration enables server access logging. AccessControl, Tags, and LifecycleConfiguration are optional and not required for the described purpose.

236
MCQ · hard

A company uses a Multi-AZ RDS for MySQL instance for its production database. During a maintenance window, the primary instance fails and a failover occurs. However, the application experiences a 5-minute downtime. The application uses a DNS CNAME record pointing to the RDS endpoint. What is the MOST likely cause of the downtime?

A. The application was using a cached DNS resolution for the RDS endpoint.
B. The application was not configured to retry connections after a failover.
C. The RDS endpoint changed after failover and the application did not update.
D. The failover process took longer than expected due to a large transaction log.

Answer: A

DNS caching can cause the application to keep using the old IP address.

Why this answer

Option A is correct because DNS caching at the client or resolver level can cause the application to continue using the old IP address until the TTL expires. Option D is wrong because Multi-AZ failover typically completes within minutes. Option C is wrong because RDS endpoints automatically update.

Option B is wrong because Multi-AZ failover is automatic.

237
MCQ · medium

A company uses Amazon CloudFront to serve content from a custom origin. A SysOps administrator needs to detect IP addresses that generate a high rate of HTTP 403 (Forbidden) errors, which may indicate malicious bots attempting to access restricted content. The administrator wants to automatically add these IP addresses to an AWS WAF IP set to block them. Which solution meets this requirement with the least operational overhead?

A. Configure CloudFront access logs to be delivered to an Amazon S3 bucket, and use Amazon Athena to query logs for IPs with many 403 errors. Then manually add those IPs to a WAF IP set.
B. Enable AWS CloudTrail for CloudFront and create a CloudWatch metric filter for 'Forbidden' events. Use a CloudWatch alarm to notify the administrator via email, who then manually updates the WAF IP set.
C. Use AWS Config to monitor CloudFront distributions and trigger an AWS Lambda function when a high number of 403 errors is detected by evaluating access logs stored in S3.
D. Enable CloudFront standard logs and stream them to Amazon CloudWatch Logs. Create a metric filter for 403 status codes, grouped by source IP. Set a CloudWatch alarm on the metric that triggers an AWS Lambda function to update the WAF IP set.

Answer: D

This solution automates detection and remediation. CloudWatch Logs processes the logs in near real-time, the metric filter counts 403 error responses per IP, and the alarm invokes Lambda to block the IP via WAF. This is fully automated and requires minimal operational overhead.

Why this answer

Option D is correct because it provides a fully automated, serverless solution with minimal operational overhead. By streaming CloudFront standard logs to CloudWatch Logs, you can create a metric filter that counts 403 errors grouped by source IP, then use a CloudWatch alarm to trigger a Lambda function that programmatically updates the WAF IP set. This eliminates manual intervention and leverages native AWS integrations.

Exam trap

The trap here is that candidates may confuse CloudTrail (which logs API calls) with CloudFront access logs (which log HTTP requests), leading them to choose Option B, which is technically incorrect for detecting HTTP 403 errors.

How to eliminate wrong answers

Option A is wrong because it requires manual querying with Athena and manual updates to the WAF IP set, which introduces significant operational overhead and delays in blocking malicious IPs. Option B is wrong because CloudTrail does not capture HTTP 403 error events from CloudFront; CloudTrail records API calls, not HTTP request-level responses. Option C is wrong because AWS Config is designed for resource compliance and configuration tracking, not for real-time log analysis or triggering actions based on error rates from access logs.

238
MCQ · medium

A company uses Amazon CloudFront to deliver static content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which solution should be used?

A. Use pre-signed URLs for all objects.
B. Use an S3 bucket policy that allows access from any AWS service.
C. Generate CloudFront key pairs and configure signed URLs.
D. Configure an origin access control (OAC) and update the S3 bucket policy to allow CloudFront access.

Answer: D

OAC is the current best practice.

Why this answer

Option D is correct because Origin Access Control (OAC) is the recommended method to restrict S3 bucket access exclusively to CloudFront. OAC uses a CloudFront-owned service principal to sign requests, and the S3 bucket policy must explicitly grant the `s3:GetObject` action to that principal, ensuring no direct S3 access from other sources.

Exam trap

The trap here is confusing origin security (restricting S3 bucket access to CloudFront) with viewer security (restricting who can view content via signed URLs or cookies), leading candidates to incorrectly choose signed URLs or key pairs.

How to eliminate wrong answers

Option A is wrong because pre-signed URLs grant temporary access to specific objects but do not restrict the bucket to CloudFront; they are used for individual object access, not for origin access control. Option B is wrong because allowing access from any AWS service would permit any AWS service or principal to access the bucket, violating the requirement to restrict access solely to CloudFront. Option C is wrong because CloudFront key pairs and signed URLs are used to restrict viewer access to content, not to secure the origin; they control who can view content, not which origin can fetch from S3.

239
MCQ · easy

A company wants to monitor the health of its web application running on EC2 instances behind an Application Load Balancer (ALB). Which CloudWatch metric from the ALB can indicate that requests are failing due to server errors?

A. HTTPCode_Target_5XX_Count
B. HTTPCode_Target_4XX_Count
C. HTTPCode_Target_2XX_Count
D. HTTPCode_Target_3XX_Count

Answer: A

This counts server-side errors from targets.

Why this answer

The correct answer is A because the HTTPCode_Target_5XX_Count metric from the Application Load Balancer (ALB) specifically counts the number of HTTP response codes in the 5xx range returned by the target (EC2 instances). A 5xx status code indicates a server-side error, such as an internal server error (500), gateway timeout (504), or service unavailable (503), which directly reflects that requests are failing due to issues on the EC2 instances themselves.

Exam trap

The trap here is that candidates often confuse HTTPCode_Target_5XX_Count with HTTPCode_ELB_5XX_Count, mistakenly thinking any 5xx error is from the target, when in fact the ELB can also generate 5xx errors (e.g., 502 from a malformed response) that are tracked separately.

How to eliminate wrong answers

Option B is wrong because HTTPCode_Target_4XX_Count tracks client-side errors (e.g., 400 Bad Request, 403 Forbidden, 404 Not Found), which indicate issues with the request from the client, not server failures. Option C is wrong because HTTPCode_Target_2XX_Count counts successful responses (e.g., 200 OK), which indicate healthy application behavior, not failures. Option D is wrong because HTTPCode_Target_3XX_Count counts redirection responses (e.g., 301 Moved Permanently, 302 Found), which are not errors and do not indicate server-side problems.

240
Multi-Select · hard

A SysOps administrator is troubleshooting an issue where an EC2 instance running a web server is becoming unresponsive under high load. The administrator has enabled detailed monitoring and set up CPUUtilization alarms. Which THREE additional steps could help diagnose the root cause? (Choose THREE.)

Select 3 answers
A. Install the CloudWatch agent and collect disk space metrics.
B. Place the instance behind an Auto Scaling group.
C. Install the CloudWatch agent and collect memory metrics.
D. Increase the instance size to handle more load.
E. Enable access logs on the load balancer to analyze request patterns.

Answers: A, C, E

Disk full can cause failures.

Why this answer

Option A is correct because under high load, the web server could become unresponsive due to disk space exhaustion (e.g., from log files filling the root partition). The CloudWatch agent can collect disk space metrics, which are not available by default, allowing the administrator to correlate disk usage with performance degradation.

Exam trap

The trap here is that candidates confuse reactive scaling actions (like resizing the instance or adding Auto Scaling) with diagnostic steps, failing to recognize that the question asks for steps to diagnose the root cause, not to mitigate the symptom.

241
MCQ · medium

A CloudFormation template creates an S3 bucket with encryption and a bucket policy as shown in the exhibit. An administrator tries to upload an object using the AWS CLI without specifying any encryption. What will happen?

A. The upload succeeds because the bucket has default encryption enabled.
B. The upload fails because the bucket policy allows only objects with AES256 encryption, but the default encryption is sufficient.
C. The upload fails because the bucket policy denies PutObject without the encryption header.
D. The upload succeeds because the default encryption automatically adds the AES256 header.

Answer: C

The Deny statement explicitly denies PutObject when encryption is not AES256.

Why this answer

Option C is correct. The bucket policy denies PutObject if the encryption header is not AES256. Since the request has no encryption header, it does not equal AES256, so the Deny applies and the upload fails.

The bucket's default encryption (AES256) applies only if the request does not specify encryption; however, the bucket policy is evaluated before the default encryption is applied, so the Deny takes effect. Option A is wrong because the policy denies it. Option B is wrong because default encryption does not satisfy the policy condition.

Option D is wrong because the policy explicitly denies.

242
MCQ · easy

A company wants to automate the creation of AWS resources based on tags. When a user tags an S3 bucket with 'Deploy: True', a Lambda function should trigger to create a corresponding CloudFront distribution. Which AWS service should be used to invoke the Lambda function when the tag is applied?

A. AWS CloudTrail
B. Amazon CloudWatch Events
C. Amazon S3 Events
D. AWS Config

Answer: D

AWS Config can use managed or custom rules to evaluate resource tags and trigger remediation actions via Lambda.

Why this answer

Option D is correct. AWS Config rules can be configured to trigger on resource changes, including tag changes. CloudTrail (A) logs API calls but does not directly trigger Lambda.

CloudWatch Events (B) can match API calls, but Config is more straightforward for tag compliance. S3 Events (C) only trigger on object-level events, not bucket tagging.

243
MCQ · medium

A company uses AWS CloudFormation to deploy its infrastructure. The SysOps administrator needs to be notified if a stack creation fails. Which method is the most efficient way to achieve this?

A. Use Amazon Simple Email Service (SES) to send emails on stack failure.
B. Specify an SNS topic ARN in the 'NotificationARNs' parameter of the stack.
C. Create a Lambda function that polls the CloudFormation API for stack status changes.
D. Enable CloudTrail and create a metric filter for 'CreateStack' events.

Answer: B

CloudFormation sends events to the SNS topic automatically.

Why this answer

Option B is correct because CloudFormation natively supports specifying an Amazon SNS topic ARN in the 'NotificationARNs' parameter of the stack. When a stack creation fails, CloudFormation automatically publishes a notification to the SNS topic, which can then deliver the message via email, SMS, or other protocols without any custom polling or additional services.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing CloudTrail or Lambda polling, missing the fact that CloudFormation has a built-in, efficient notification mechanism via SNS that requires no additional services or custom code.

How to eliminate wrong answers

Option A is wrong because Amazon SES is an email sending service, not a notification delivery mechanism integrated with CloudFormation; it would require custom logic to trigger on stack failure. Option C is wrong because polling the CloudFormation API for stack status changes is inefficient, introduces latency, and incurs additional API call costs compared to the native push-based notification via SNS. Option D is wrong because CloudTrail and metric filters are used for auditing and monitoring API calls, not for real-time notification of stack failures; they would require additional setup with CloudWatch Alarms and SNS to achieve similar functionality, making it less efficient than the direct SNS integration.

244
MCQ · hard

A web application on EC2 instances behind an ALB experiences increased latency during peak hours. The SysOps administrator notices that the ALB's RequestCount per target is high. What design change should improve performance?

A. Switch to a Network Load Balancer.
B. Add more EC2 instances to the target group.
C. Enable sticky sessions on the ALB.
D. Reduce the idle timeout on the ALB.

Answer: B

Correct. More instances reduce per-target load.

Why this answer

Increasing the number of targets (EC2 instances) spreads the load and reduces latency.

245
MCQ · easy

A company has an S3 bucket that contains sensitive customer data. The security team requires that all data in transit to and from the bucket must be encrypted. Which bucket policy condition should be used?

A. aws:SecureTransport
B. s3:x-amz-server-side-encryption-aws-kms-key-id
C. s3:x-amz-server-side-encryption
D. aws:TLSSupport

Answer: A

This condition ensures that requests are made over HTTPS.

Why this answer

The correct condition is aws:SecureTransport, which checks whether the request was sent over HTTPS. Option A is correct. Option C is wrong because it checks for encryption at rest.

Option B is wrong because it checks for TLS version. Option D is wrong because it checks for a specific cipher.

246
MCQ · hard

A company uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment strategy is set to CodeDeployDefault.HalfAtATime. The lifecycle hooks for the Auto Scaling group include a test hook that runs during instance launch. During a recent deployment, the deployment failed because the new instances failed the test hook and were not marked as healthy. The SysOps administrator needs to ensure that failed instances are automatically terminated and replaced with new ones from the Auto Scaling group. Which configuration change should the administrator make?

A. Modify the Auto Scaling group's health check type to ELB
B. Modify the CodeDeploy deployment configuration to use an increased minimum healthy instance count
C. Modify the Auto Scaling group's health check grace period to a lower value
D. Modify the CodeDeploy deployment to ignore the lifecycle hook failure

Answer: A

When the health check type is set to ELB, the Auto Scaling group uses the Application Load Balancer's health checks. If the test hook fails, the instance will be marked unhealthy by the ALB, and the Auto Scaling group will terminate and replace it, ensuring only healthy instances remain.

Why this answer

Option A is correct because setting the Auto Scaling group's health check type to ELB (Elastic Load Balancer) ensures that the Auto Scaling group uses the ELB's health check status to determine instance health. When the test lifecycle hook fails, the new instances are not marked as healthy by the ELB, causing the Auto Scaling group to automatically terminate and replace them. This aligns with the requirement to automatically replace failed instances, as the default EC2 health check only considers instance status (e.g., running vs. stopped) and does not reflect application-level health.

Exam trap

The trap here is that candidates often assume the default EC2 health check is sufficient for detecting application-level failures, but it only monitors instance status (e.g., running/stopped), not the success of lifecycle hooks or application health, so the ELB health check type is required to trigger automatic replacement.

How to eliminate wrong answers

Option B is wrong because increasing the minimum healthy instance count in the CodeDeploy deployment configuration (e.g., using CodeDeployDefault.AllAtOnce or a custom configuration) does not cause failed instances to be terminated and replaced; it only adjusts the number of instances that must remain healthy during the deployment, which could actually reduce the deployment's tolerance for failures. Option C is wrong because reducing the health check grace period would cause the Auto Scaling group to check instance health sooner, but it does not change the health check type; with the default EC2 health check, the test hook failure is not detected, so a shorter grace period has no effect on terminating failed instances. Option D is wrong because ignoring the lifecycle hook failure would allow the deployment to proceed despite the test failure, but it would not trigger automatic termination and replacement of the failed instances; the instances would remain in service, potentially causing application issues.

247
MCQ, hard

A company runs a critical web application on Amazon EC2 instances that are part of an Auto Scaling group. The application receives unpredictable traffic spikes. The SysOps administrator needs to ensure that when a scale-out event occurs, new instances are ready to serve traffic quickly to minimize latency spikes. Currently, the instance launch and configuration process (including software installs and cache warming) takes about 5 minutes. The administrator wants to reduce the time it takes for new instances to start serving traffic. Which combination of Auto Scaling features should be used?

A. Use a launch template that includes a pre-warmed Amazon Machine Image (AMI) with all software pre-installed, and configure the Auto Scaling group to use a larger instance type to reduce initialization time.
B. Implement an Auto Scaling warm pool with a minimum number of pre-initialized instances in a 'Stopped' state. Configure the scaling policy to move instances from the warm pool to the Auto Scaling group when needed.
C. Use scheduled scaling to predictively launch instances before the traffic spikes based on historical patterns.
D. Configure lifecycle hooks to add a wait time during instance launch so that the instance is fully configured before it is placed behind the load balancer.
Answer: B

A warm pool maintains instances that have been fully launched and configured but are stopped or in a standby state. When scale-out occurs, instances from the warm pool are started or moved into service quickly, drastically reducing the time to handle traffic.

Why this answer

Option B is correct because an Auto Scaling warm pool maintains a pool of pre-initialized instances in a 'Stopped' state that are fully configured (software installed, cache warmed) and ready to serve traffic. When a scale-out event occurs, instances from the warm pool are moved to the Auto Scaling group and transitioned to 'Running' state, bypassing the 5-minute launch and configuration delay, thereby minimizing latency spikes.

Exam trap

The trap here is that candidates often confuse warm pools with lifecycle hooks or pre-warmed AMIs, assuming that reducing software install time alone is sufficient, when the real bottleneck is the entire instance initialization process that warm pools bypass.

How to eliminate wrong answers

Option A is wrong because using a pre-warmed AMI reduces software installation time but does not eliminate the instance launch and initialization overhead (e.g., kernel boot, network setup, cache warming), and using a larger instance type does not inherently reduce initialization time—it may even increase it due to more hardware resources to initialize. Option C is wrong because scheduled scaling relies on predictable traffic patterns and cannot handle unpredictable traffic spikes; it would either over-provision or under-provision for unexpected demand. Option D is wrong because lifecycle hooks add a wait time during instance launch, which would increase the time before the instance is ready to serve traffic, contradicting the goal of reducing latency spikes.

248
Multi-Select, easy

A SysOps admin needs to set up centralized logging for multiple AWS accounts. Which TWO services should be used together to aggregate logs into a single S3 bucket? (Choose 2.)

Select 2 answers
A. Amazon VPC Flow Logs
B. AWS Config
C. AWS CloudTrail
D. Amazon S3 cross-region replication
E. Amazon CloudWatch Logs subscription filter
Answers: B, C

Config can deliver configuration history and snapshots to a central S3 bucket.

Why this answer

AWS Config and AWS CloudTrail are the correct pair because CloudTrail records API activity across accounts, and AWS Config records resource configuration changes. Both can be configured to deliver log files to a centralized S3 bucket by setting up a trail (CloudTrail) or a delivery channel (Config) that points to the same bucket, often using a bucket policy that grants cross-account write permissions. This enables aggregated logging for multiple AWS accounts in a single S3 bucket.

Exam trap

The trap here is that candidates often confuse log delivery services (CloudTrail, Config) with log generation services (VPC Flow Logs) or data movement services (S3 replication, CloudWatch subscription filters), failing to recognize that only CloudTrail and Config natively support direct cross-account S3 delivery without additional infrastructure.

249
MCQ, medium

A company has a VPC with public and private subnets across two Availability Zones. An application running on EC2 instances in the private subnets needs to access the internet for updates. Which configuration should be used to provide internet access while minimizing administrative overhead?

A. Assign public IP addresses to the private instances and update route tables accordingly.
B. Set up AWS Direct Connect to an internet gateway.
C. Deploy a NAT Gateway in a public subnet and update private route tables to point to it.
D. Launch a NAT instance in the private subnet and configure routing.
Answer: C

NAT Gateway is a managed service that provides outbound internet for private instances.

Why this answer

Option C is correct because a NAT Gateway, deployed in a public subnet with an Elastic IP, allows instances in private subnets to initiate outbound traffic to the internet (e.g., for updates) while preventing inbound traffic from the internet. This is a fully managed AWS service, so it requires no patching or scaling management, minimizing administrative overhead. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway's network interface.

Exam trap

The trap here is that candidates confuse a NAT Gateway with a NAT instance, assuming both require similar administrative effort, or they mistakenly think assigning public IPs to private instances is sufficient for outbound-only internet access.

How to eliminate wrong answers

Option A is wrong because assigning public IP addresses to instances in private subnets would not automatically provide internet access; you would also need an Internet Gateway in the VPC and a route from the private subnet to it, which would expose the instances to inbound traffic, violating the private subnet's purpose. Option B is wrong because AWS Direct Connect is a dedicated private network connection from on-premises to AWS, not a service for providing internet access to VPC resources; it does not replace an Internet Gateway or NAT Gateway for outbound internet traffic. Option D is wrong because a NAT instance is a self-managed EC2 instance that requires manual configuration, patching, and scaling, which increases administrative overhead compared to the managed NAT Gateway.

250
MCQ, hard

A company runs a critical web application on a fleet of EC2 instances behind an Application Load Balancer (ALB) across multiple Availability Zones. The application is deployed using AWS Elastic Beanstalk with a rolling update deployment policy. Recently, the development team pushed a new application version that introduced a memory leak. Within minutes, the instances started failing health checks, and Elastic Beanstalk initiated a replacement of the instances. However, during the replacement, the application experienced downtime because the new instances were not passing health checks, and the old instances were already terminated. The SysOps Administrator must modify the deployment to prevent downtime during future failed deployments. Which solution should the administrator implement?

A. Increase the Auto Scaling group's minimum and maximum size to handle more instances.
B. Implement a Blue/Green deployment using a separate Elastic Beanstalk environment and swap CNAMEs after testing.
C. Replace the ALB with a Classic Load Balancer to reduce complexity.
D. Change the deployment policy to All at once to speed up the deployment.
Answer: B

Blue/Green deployment avoids downtime by keeping old environment active.

Why this answer

Option B is correct. Using a Blue/Green deployment with an immutable environment ensures that the new environment is fully tested before traffic is switched. If the new environment fails health checks, the old environment remains serving traffic, preventing downtime.

Option D is wrong because an All at once deployment would cause downtime even without a failure. Option C is wrong because a Classic Load Balancer does not provide the same health check granularity. Option A is wrong because changing the Auto Scaling group size alone does not control the deployment strategy.

251
Multi-Select, medium

A SysOps administrator is designing a cost-effective architecture for a batch processing workload that runs once per day and can tolerate interruptions. The workload uses EC2 instances. Which TWO purchasing options should the administrator consider? (Choose two.)

Select 2 answers
A. Dedicated Hosts
B. Spot Instances
C. On-Demand Instances
D. Reserved Instances (Standard)
E. Capacity Reservations
Answers: B, C

Spot Instances provide significant cost savings for interruptible workloads.

Why this answer

Options B and C are correct. Spot Instances are ideal for fault-tolerant, interruptible workloads at a steep discount. On-Demand Instances can be used as a fallback if Spot capacity is unavailable.

Option D is wrong because Reserved Instances require a 1- or 3-year commitment, which is unsuitable for a once-daily job. Option A is wrong because Dedicated Hosts are expensive. Option E is wrong because Capacity Reservations incur costs even when no instances are running.

252
MCQ, hard

A SysOps Administrator manages a VPC with public and private subnets. The private subnets need to access the internet for software updates. The Administrator creates a NAT Gateway in a public subnet and updates the private subnet route table to point 0.0.0.0/0 to the NAT Gateway. However, instances in the private subnet still cannot reach the internet. What is the MOST likely reason?

A. The security group on the private instances blocks outbound HTTPS traffic.
B. The internet gateway is not attached to the NAT Gateway.
C. The NAT Gateway does not have an Elastic IP address assigned.
D. The NAT Gateway's security group is blocking inbound traffic from the private subnet.
Answer: C

A NAT Gateway requires an Elastic IP to communicate with the internet; without one, it cannot route traffic.

Why this answer

Option C is correct because the NAT Gateway must have a public (Elastic) IP address, and the route table for the private subnet must point to the NAT Gateway ID. Option A is wrong because security groups allow all outbound traffic (including HTTPS) by default, so they are unlikely to be the cause. Option D is wrong because NAT Gateways do not have security groups, so no security group on the NAT Gateway can block traffic.

Option B is wrong because an internet gateway is attached to the VPC, not to the NAT Gateway.

253
MCQ, medium

A company runs a batch processing job on Amazon EC2 that runs for 2 hours every night. The job can tolerate interruptions and can resume from the last checkpoint. The SysOps administrator needs to minimize compute costs. Which EC2 purchasing option should be used?

A. On-Demand Instances
B. Spot Instances
C. Reserved Instances
D. Compute Savings Plans
Answer: B

Spot Instances offer significant discounts and are ideal for fault-tolerant, interruptible workloads like batch processing with checkpointing.

Why this answer

Spot Instances are ideal for fault-tolerant, interruptible workloads like this batch processing job because they offer significant cost savings (up to 90% off On-Demand prices) in exchange for being reclaimable by AWS with a 2-minute warning. Since the job can resume from the last checkpoint, interruptions do not cause data loss or restart from scratch, making Spot Instances the most cost-effective choice.

Exam trap

The trap here is that candidates often choose Reserved Instances or Savings Plans because they assume any long-running workload needs a commitment, but the question explicitly states the job is interruptible and runs only 2 hours nightly, making Spot Instances the correct cost-optimization choice.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances provide no discount and are not cost-minimizing for a predictable, interruptible workload. Option C is wrong because Reserved Instances require a 1- or 3-year commitment and are designed for steady-state, always-on workloads, not a 2-hour nightly job that can be interrupted. Option D is wrong because Compute Savings Plans offer discounts (up to 66%) but still require a 1- or 3-year commitment and are less cost-effective than Spot Instances for this specific use case.

254
MCQ, easy

A company runs a critical application on an EC2 instance backed by Amazon EBS. To protect against data loss, the company wants to create a backup strategy that allows for point-in-time recovery. Which solution should be used?

A. Configure an S3 Lifecycle policy to move data to Glacier.
B. Create an Amazon Machine Image (AMI) of the instance.
C. Use Amazon EFS to store data.
D. Create automated EBS snapshots.
Answer: D

EBS snapshots provide point-in-time backups of volumes.

Why this answer

Option D is correct because Amazon EBS snapshots provide point-in-time backups of EBS volumes, stored in Amazon S3. Option A is wrong because S3 lifecycle policies do not back up EBS volumes. Option B is wrong because AMIs include snapshots but are not the primary backup mechanism for data.

Option C is wrong because EFS is a file system, not a backup service.

255
MCQ, medium

A company wants to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the SysOps administrator do?

A. Create an IAM role with permissions to the S3 bucket and attach it to the EC2 instance profile.
B. Attach an S3 bucket policy that grants access to the EC2 instance's public IP address.
C. Generate access keys for an IAM user and store them on the instance.
D. Use AWS STS to generate temporary credentials and store them in the instance's user data.
Answer: A

IAM roles grant temporary credentials to EC2 instances.

Why this answer

Option A is correct because an IAM role can be attached to the EC2 instance through an instance profile, granting temporary credentials. Option C is wrong because access keys are long-term credentials and should not be stored on instances. Option B is wrong because bucket policies cannot be attached to instances.

Option D is wrong because STS does not directly grant permissions without a role, and storing the credentials in user data still leaves them on the instance.

256
MCQ, medium

A SysOps administrator receives an alert that an EC2 instance in an Auto Scaling group is unhealthy. The instance fails the EC2 status check. What is the BEST course of action to restore availability automatically?

A. Use AWS Systems Manager to replace the underlying host.
B. Manually reboot the instance from the EC2 console.
C. Create a CloudWatch alarm that triggers an SNS notification to the administrator.
D. Configure the Auto Scaling group to use EC2 status checks for health checks and set the health check grace period appropriately.
Answer: D

ASG can automatically terminate and replace unhealthy instances based on EC2 status checks.

Why this answer

Option D is correct because Auto Scaling groups can automatically replace unhealthy instances based on EC2 status checks. Option B is wrong because manually rebooting does not scale. Option C is wrong because a CloudWatch alarm can trigger actions, but the ASG health check is the direct mechanism.

Option A is wrong because replacing the underlying host is not necessary and is not automatic.

257
MCQ, hard

A company has a CloudFormation stack that creates an Amazon EC2 instance with a user data script that installs software from the internet. The stack creation is failing with a timeout. The SysOps administrator suspects that the user data script is taking too long or failing. How can the administrator configure the stack to wait for the user data script to complete successfully before marking the instance as CREATE_COMPLETE?

A. Add a CreationPolicy with a resource signal to the EC2 instance resource and have the user data script send a success signal using cfn-signal.
B. Add a DependsOn attribute to the EC2 instance resource to wait for another resource.
C. Add an UpdatePolicy with a resource signal to the EC2 instance resource.
D. Add a WaitCondition resource and a WaitHandle, and have the user data script send a signal to the WaitHandle.
Answer: A

CreationPolicy with signal ensures CloudFormation waits for the user data script to complete and signal success.

Why this answer

Option A is correct: use a CreationPolicy with a resource signal on the EC2 instance. The user data script must send a success signal (e.g., via cfn-signal) to CloudFormation. Option D is wrong because a WaitCondition is used for external signals and requires a separate wait handle.

Option C is wrong because UpdatePolicy applies to updates, not creation. Option B is wrong because DependsOn only waits for another resource's creation, not for user data completion.

258
MCQ, hard

A company runs a critical database workload on an Amazon RDS for MySQL DB instance with Multi-AZ deployment in the us-east-1 region. The SysOps administrator must design a disaster recovery strategy that can recover from a complete regional outage. The Recovery Time Objective (RTO) is 2 hours and the Recovery Point Objective (RPO) is 1 hour. Which solution meets these requirements at the lowest cost?

A. Create manual snapshots of the DB instance every hour and copy them to another AWS Region.
B. Enable automated backups with a retention period of 35 days and restore to a different Region when needed.
C. Create a cross-Region read replica in another Region and promote it to a standalone DB instance during a disaster.
D. Use AWS Database Migration Service (DMS) to continuously replicate data to a DB instance in another Region.
Answer: C

A cross-Region read replica provides continuous asynchronous replication with low lag (typically seconds). In a disaster, promoting the replica to a primary instance takes only minutes, meeting the RTO and RPO requirements with minimal cost.

Why this answer

Option C is correct because a cross-Region read replica continuously replicates data from the primary RDS MySQL instance to another Region with minimal lag, typically achieving an RPO of seconds to minutes, well within the 1-hour requirement. Promoting the replica to a standalone instance during a disaster can be done in minutes, meeting the 2-hour RTO. This approach is the lowest cost among the viable options as it uses existing replication infrastructure without additional data transfer fees for snapshots or DMS replication instances.

Exam trap

The trap here is that candidates often choose Option B (automated backups) because they assume backups can be restored cross-Region, but automated backups are Region-specific and do not support cross-Region restore without additional snapshot copy configuration, which is not mentioned in the option.

How to eliminate wrong answers

Option A is wrong because manual snapshots taken every hour would incur significant storage costs for storing and copying snapshots across Regions, and the copy process can take longer than 1 hour, potentially exceeding the RPO. Option B is wrong because automated backups with a 35-day retention period are stored only in the source Region and cannot be restored to a different Region; cross-Region snapshot copy must be explicitly configured and is not part of automated backups. Option D is wrong because AWS DMS incurs additional costs for a replication instance and data transfer, making it more expensive than a cross-Region read replica, and it adds operational complexity for continuous replication that is unnecessary when native MySQL replication can achieve the same RPO/RTO.

259
MCQ, hard

A SysOps administrator is managing a multi-account AWS environment using AWS Organizations. The security team has mandated that all Amazon S3 buckets across all accounts must be encrypted with SSE-KMS using a centrally managed KMS key. The administrator has created a KMS key in the master account and enabled key rotation. The key policy allows the root user of each member account to use the key. However, users in member accounts report that they cannot upload objects to their S3 buckets with SSE-KMS using the central key, even though they have s3:PutObject permissions. The administrator verifies that the KMS key policy includes the necessary permissions for the member accounts. What should the administrator do to resolve the issue?

A. Create a new KMS key in each member account and configure S3 bucket default encryption accordingly.
B. Ensure that the KMS key policy allows the master account to administer the key.
C. Attach an IAM policy to the users/roles in the member accounts that allows kms:GenerateDataKey using the central KMS key.
D. Update the S3 bucket policy to allow the s3:PutObject action only when encryption is set to SSE-KMS.
Answer: C

The IAM principal needs explicit KMS permission to use the key for encryption.

Why this answer

Option C is correct because the KMS key policy allows the member account's root user, but that alone is insufficient; the IAM role or user in the member account must also have explicit kms:GenerateDataKey permission on the central key. Option A is wrong because the key is already in the master account. Option B is wrong because cross-account access is already enabled via the key policy.

Option D is wrong because the issue is not the bucket policy (which may enforce SSE-KMS but does not grant KMS actions).

260
MCQ, medium

A company has a VPC with a CIDR block of 10.0.0.0/16. The VPC has two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). The VPC has an Internet Gateway (IGW) attached. The public subnets have a route to the IGW, and the private subnets have a route to a NAT Gateway in the public subnet 10.0.1.0/24. The SysOps administrator deploys a new EC2 instance in the private subnet 10.0.4.0/24. The instance needs to download software from the internet, but the download fails. The administrator can successfully ping the NAT Gateway from the instance. What is the MOST likely cause of the failure?

A. The security group for the EC2 instance blocks outbound internet traffic.
B. The route table for the private subnet does not have a default route to the NAT Gateway.
C. The network ACL for the private subnet blocks outbound traffic.
D. The NAT Gateway is not associated with an Elastic IP address.
Answer: B

Missing route prevents internet-bound traffic from reaching the NAT Gateway.

Why this answer

Option B is correct. The route table for the private subnet 10.0.4.0/24 is missing a default route (0.0.0.0/0) to the NAT Gateway. The ping to the NAT Gateway works because it is within the VPC, but internet-bound traffic is not routed.

Option D is wrong because the NAT Gateway is in the public subnet and already has internet access. Option A is wrong because the security group only controls inbound/outbound traffic for the instance, not routing. Option C is wrong because the NACL for the private subnet should allow outbound traffic, but the issue is routing.

261
Multi-Select, easy

A company wants to reduce costs for their Amazon RDS for PostgreSQL database. Which TWO actions would help achieve this?

Select 2 answers
A. Enable Multi-AZ deployment for high availability.
B. Stop the database instance during non-business hours.
C. Enable deletion protection to prevent accidental deletion.
D. Increase the backup retention period to 35 days.
E. Purchase a Reserved Instance for the database instance.
Answers: B, E

Stopping the instance stops compute charges.

Why this answer

Options B and E are correct because stopping idle DB instances saves compute costs, and using Reserved Instances for predictable workloads reduces hourly costs. Option A is wrong because Multi-AZ increases costs. Option C is wrong because enabling deletion protection does not reduce costs.

Option D is wrong because increasing backup retention increases storage costs.

262
MCQ, hard

A company is using AWS Lambda functions to process incoming messages from Amazon SQS. The Lambda function sometimes fails due to a transient error, and the message is not processed. The team wants to automatically retry failed messages and send them to a dead-letter queue (DLQ) after three failed attempts. Which configuration meets these requirements?

A. Set the Lambda function's reserved concurrency to 1 and enable 'maximumRetryAttempts' to 2.
B. Create an SQS queue with a visibility timeout that allows three retries before sending to a DLQ.
C. Configure the SQS queue as an event source for Lambda with a DLQ specified in the Lambda function's dead-letter configuration.
D. Configure the SQS queue with a redrive policy that allows three maximum receives before sending to a DLQ.
Answer: C

Lambda's asynchronous invocation automatically retries twice and then sends the event to the DLQ after three total attempts.

Why this answer

Option C is correct because when an SQS queue is configured as an event source for Lambda, the Lambda service manages the polling and deletion of messages. By specifying a dead-letter queue (DLQ) in the Lambda function's dead-letter configuration (not the SQS redrive policy), failed invocations are retried based on the Lambda function's 'maximumRetryAttempts' setting (default 2, plus the initial attempt equals 3 total). After exhausting retries, the message is sent to the DLQ specified in the Lambda configuration, ensuring automatic retry and DLQ routing without relying on SQS's visibility timeout or redrive policy.

Exam trap

The trap here is that candidates confuse the SQS redrive policy (which works at the queue level based on receive count) with the Lambda dead-letter configuration (which works at the function level based on invocation failures), leading them to choose Option D, which would send messages to a DLQ after three receives regardless of whether Lambda actually processed them or not.

How to eliminate wrong answers

Option A is wrong because setting reserved concurrency to 1 does not control retry behavior; 'maximumRetryAttempts' is a property of the Lambda event source mapping, not a direct function configuration, and setting it to 2 would only allow 2 retries (total 3 attempts), but the reserved concurrency limit is irrelevant for retry logic. Option B is wrong because the SQS visibility timeout controls how long a message is hidden after being polled, but it does not inherently trigger retries or send messages to a DLQ after three failures; the redrive policy on the SQS queue is needed for that. Option D is wrong because configuring the SQS queue with a redrive policy that allows three maximum receives sends messages to the DLQ after three receives, but this does not integrate with Lambda's automatic retry mechanism; Lambda would need to delete the message after successful processing, and the redrive policy would only trigger if the message is not deleted, which may not align with the requirement for Lambda to retry on transient errors.

263
MCQ, medium

A company uses AWS KMS to encrypt data stored in S3. The security team wants to rotate the KMS key automatically every year. The SysOps administrator enabled automatic key rotation for the KMS key. However, after a year, the security team finds that the key has not been rotated. What is the most likely cause?

A. The KMS key is disabled.
B. The KMS key policy does not allow rotation.
C. The KMS key has not been used in the last year.
D. The KMS key was created by importing key material.
Answer: D

Imported keys cannot be automatically rotated.

Why this answer

Option D is correct because automatic key rotation is not supported for imported key material. Option A is wrong because the key is enabled. Option B is wrong because the key policy does not affect rotation.

Option C is wrong because automatic rotation runs on its schedule regardless of how often the key is used.

264
MCQ, medium

A SysOps administrator is creating a CloudFormation stack that requires an IAM role to be passed to EC2 instances. The administrator is using the IAM policy shown in the exhibit. The stack creation fails with an error indicating insufficient permissions to pass the role. What is the most likely cause?

A. The cloudformation:* action does not include permission to create stacks.
B. The policy does not include the cloudformation:CreateStack action.
C. The ec2:RunInstances permission is missing from the policy.
D. The iam:PassRole permission is restricted to a specific role ARN that does not match the role the administrator is trying to pass.
Answer: D

The policy only allows passing the role 'Admin', but the stack may need a different role.

Why this answer

Option D is correct because the iam:PassRole action is allowed only for the role 'Admin', but the stack may be using a different role. Option A is incorrect because the cloudformation:* action allows all CloudFormation operations. Option B is incorrect because the policy allows cloudformation:*, which includes creating stacks.

Option C is incorrect because the policy allows ec2:RunInstances and ec2:Create*.

265
MCQ, hard

A company has a VPC with public and private subnets. The private subnets need outbound internet access to download software updates while preventing any inbound internet traffic. The SysOps administrator must minimize costs. Which solution should the administrator implement?

A. Create a NAT Gateway in a public subnet and update the private subnet route table to use it.
B. Launch a NAT instance in a public subnet with an Elastic IP and disable source/destination check, then update private subnet route tables.
C. Attach an Internet Gateway to the VPC and add a default route to the Internet Gateway in the private subnets.
D. Use AWS Transit Gateway with a VPN connection to an on-premises data center for internet access.
Answer: B

A NAT instance costs less per hour than a NAT Gateway, making it the more cost-effective option when minimizing costs is the primary goal.

Why this answer

Option B is correct because a NAT instance, when launched in a public subnet with an Elastic IP and source/destination check disabled, can route outbound traffic from private subnets to the internet while blocking unsolicited inbound connections. This solution minimizes costs compared to a NAT Gateway, as NAT instances use existing EC2 instance pricing and can be further reduced with spot instances or smaller instance types.

Exam trap

The trap here is that candidates often choose the NAT Gateway (Option A) because it is fully managed and simpler, overlooking the explicit cost-minimization requirement that favors the cheaper, self-managed NAT instance.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway incurs hourly charges and data processing fees, making it more expensive than a NAT instance, which is contrary to the requirement to minimize costs. Option C is wrong because attaching an Internet Gateway directly to private subnets and adding a default route would expose those subnets to inbound internet traffic, violating the security requirement to prevent inbound traffic. Option D is wrong because AWS Transit Gateway with a VPN connection to an on-premises data center is over-engineered and costly for simple outbound internet access, and it does not directly provide internet access without additional routing and infrastructure.

266
MCQ, easy

A SysOps administrator wants to receive an email when the average CPU utilization of an EC2 instance exceeds 90% for 5 minutes. What should the administrator create?

A. A CloudWatch Logs metric filter on the instance logs.
B. An AWS Config rule to detect high CPU usage.
C. A CloudWatch Events rule on the EC2 instance state change.
D. A CloudWatch alarm on the CPUUtilization metric with an SNS notification.
Answer: D

This is the standard approach for metric-based alerts.

Why this answer

Option D is correct because a CloudWatch alarm on the CPUUtilization metric can be configured to evaluate the average CPU usage over a 5-minute period and trigger an action when it exceeds 90%. The alarm can send a notification via Amazon SNS, which can deliver an email to subscribed endpoints. This directly meets the requirement for email notification based on a sustained metric threshold.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs metric filters (which require log data) with CloudWatch metrics (which are numeric time-series data), or think AWS Config can monitor performance metrics instead of configuration compliance.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs metric filters analyze log data (e.g., application logs) for specific patterns, not numeric metrics like CPU utilization; CPU utilization is a standard EC2 metric emitted by the hypervisor, not a log entry. Option B is wrong because AWS Config rules evaluate resource configurations (e.g., instance type, tags) for compliance, not real-time performance metrics like CPU usage; Config does not monitor metric thresholds or trigger SNS notifications for metric breaches. Option C is wrong because a CloudWatch Events rule on EC2 instance state changes (e.g., running, stopped) does not monitor CPU utilization; it only reacts to lifecycle events, not metric-based conditions.

267
MCQeasy

Refer to the exhibit. A SysOps administrator runs the describe-target-health command and sees that an EC2 instance in the target group is unhealthy with a timeout error. What is the most likely cause?

A.The target group is configured with an incorrect port
B.The instance's security group does not allow traffic from the ALB on the health check port
C.The instance is in a private subnet without a NAT gateway
D.The instance does not have a route to the internet
AnswerB

The ALB's health check requests are being blocked, causing timeouts.

Why this answer

Option B is correct because the health check is timing out, which indicates that the instance is not responding to health check requests on port 80. The security group must allow inbound traffic from the ALB on the health check port. Option A is wrong because the target group is configured with port 80, which matches.

Option C is wrong because a missing NAT gateway affects outbound internet access from a private subnet, not the ALB's health checks, which reach the target over the VPC's private addressing; a routing problem would make the target unreachable rather than cause a timeout. Option D is wrong for the same reason: the instance does not need a route to the internet to answer the ALB, and a health check timeout is most often a security group issue.

268
MCQhard

An IAM user has the policy shown in the exhibit. The user is trying to download an object from example-bucket from an IP address of 192.0.2.50. However, the request is denied. What is the most likely reason?

A.The condition key aws:SourceIp should be aws:SourceIpAddress.
B.The bucket has a bucket policy that denies access from the user's IP address.
C.The resource ARN does not include the bucket itself.
D.The condition syntax is incorrect because it should use StringEquals.
AnswerB

A bucket policy with an explicit Deny would override the IAM policy allow.

Why this answer

Option B is correct because an explicit Deny in a bucket policy overrides an Allow in the IAM policy; the IAM condition using aws:SourceIp is valid, but the bucket policy must also permit the action for the request to succeed. Option A is wrong because aws:SourceIp is the correct condition key for IAM policies. Option C is wrong because downloading an object requires only the object-level resource ARN, which the policy already covers for all objects. Option D is wrong because the condition is syntactically correct.

269
MCQmedium

A SysOps administrator notices that an EC2 instance's CPU utilization has been at 100% for the past hour. The administrator checks CloudWatch metrics and sees no anomalies in network or disk I/O. Which step should the administrator take to investigate further?

A.Install the CloudWatch Logs agent on the instance to capture system logs.
B.Check the EC2 instance's CPU credit balance in CloudWatch.
C.Stop the EC2 instance and start it again to reset the CPU.
D.Enable detailed monitoring on the EC2 instance to get 1-minute CloudWatch metrics.
AnswerD

Detailed monitoring provides higher-resolution data to diagnose the issue.

Why this answer

Detailed monitoring (1-minute metrics) provides higher-resolution data than the default 5-minute metrics, allowing the administrator to identify short-lived CPU spikes or patterns that might be averaged out in the standard 5-minute interval. Since network and disk I/O appear normal, the issue is likely a process or application consuming CPU, and finer-grained metrics help pinpoint the timing and correlate with specific events or logs.

Exam trap

The trap here is that candidates assume CPU credit balance (Option B) is always the answer for high CPU utilization, but credits only apply to T-series instances, and the question does not specify the instance type, making detailed monitoring the more universally correct first step for investigation.

How to eliminate wrong answers

Option A is wrong because the CloudWatch Logs agent captures system logs (e.g., /var/log/messages) but does not provide CPU utilization metrics; the administrator already has CPU metrics and needs higher resolution, not logs. Option B is wrong because CPU credit balance is only relevant for burstable performance instance types (e.g., T2/T3); the question does not specify the instance type, and 100% CPU utilization for an hour on a non-burstable instance would not involve credits. Option C is wrong because stopping and starting the instance does not reset CPU utilization; it only changes the underlying host, and the root cause (e.g., a runaway process) would persist unless the instance is configured to terminate and relaunch.

270
MCQhard

A SysOps administrator needs to detect when an IAM user attempts to modify an Amazon S3 bucket policy in the production AWS account. The administrator wants to receive an email notification within 5 minutes of such an event. The solution must use AWS managed services with no custom code. Which combination of services should the administrator use?

A.AWS CloudTrail, Amazon CloudWatch Events (Amazon EventBridge), and Amazon SNS
B.AWS CloudTrail, Amazon CloudWatch Logs metric filter, and Amazon SNS
C.Amazon S3 event notifications and Amazon SNS
D.AWS CloudTrail, AWS Lambda, and Amazon SNS
AnswerA

CloudTrail logs the API call, EventBridge matches the event and triggers an SNS topic to send email. No custom code needed.

Why this answer

Option A is correct because AWS CloudTrail captures the S3 bucket policy modification as a management event, which can be sent to Amazon EventBridge (formerly CloudWatch Events) as a real-time event. EventBridge can then trigger an SNS topic to send an email notification within minutes, all using fully managed services with no custom code required.

Exam trap

The trap here is that candidates often confuse S3 event notifications (object-level) with CloudTrail (management-level), or they assume CloudWatch Logs metric filters are the only way to trigger alarms from logs, overlooking EventBridge's direct event-driven capability for real-time notification without custom code.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs metric filters operate on log data with a latency of up to 5 minutes for the metric to be created, and then an alarm must be evaluated, which can add additional delay; this does not guarantee notification within 5 minutes and is more complex. Option C is wrong because S3 event notifications are designed for object-level events (e.g., PUT, DELETE) and cannot detect IAM user attempts to modify bucket policies, which are management-level events. Option D is wrong because it requires AWS Lambda custom code to process the CloudTrail event and send the notification, violating the requirement to use only managed services with no custom code.

271
Multi-Selecthard

A CloudFormation stack update fails and enters UPDATE_ROLLBACK_FAILED. Which two actions are appropriate next steps? (Choose 2.)

Select 2 answers
A.Review stack events to identify the resource that blocked rollback.
B.Use continue-update-rollback after resolving the underlying issue or specifying resources to skip when appropriate.
C.Delete the CloudFormation service role from IAM.
D.Rename the stack to force rollback completion.
AnswersA, B

Stack events show the specific resource and failure reason.

Why this answer

Option A is correct because when a CloudFormation stack update fails and enters UPDATE_ROLLBACK_FAILED, the stack events provide detailed error messages for each resource that failed during rollback. Reviewing these events is essential to identify the specific resource that blocked the rollback, such as a resource that could not be deleted or updated due to permissions, dependencies, or configuration issues. This diagnosis is the first step before attempting a continue-update-rollback operation.

Exam trap

The trap here is that candidates may think deleting the service role or renaming the stack are valid recovery actions, but AWS CloudFormation requires explicit rollback continuation or manual intervention via the continue-update-rollback API, not workarounds that break IAM or naming conventions.

272
MCQmedium

A SysOps administrator suspects that an Amazon Linux 2 EC2 instance has been compromised. The instance is part of an Auto Scaling group and is currently running. The administrator needs to preserve the root volume for forensic analysis while minimizing the impact to the application. Which action should the administrator take FIRST?

A.Create an Amazon Machine Image (AMI) of the instance while it is running.
B.Stop the instance and create an Amazon EBS snapshot of the root volume.
C.Detach the root volume from the instance and create a snapshot of the volume for analysis.
D.Terminate the instance immediately to stop any malicious activity.
AnswerC

Detaching preserves the volume and allows forensic snapshot; Auto Scaling will launch a replacement instance.

Why this answer

Detaching the root volume and creating a snapshot preserves the evidence while the instance can be terminated and replaced by the Auto Scaling group. Option D (terminate) loses the volume. Option B (stop) leaves the volume attached to a stopped instance. Option A (AMI) creates a new image but does not preserve the exact state if the instance continues running.

273
MCQeasy

A SysOps administrator needs to provide temporary access to an S3 bucket for a third-party auditor. The access must expire after 24 hours. Which solution should the administrator use?

A.Create an IAM user for the auditor and attach a policy granting access to the bucket.
B.Create a bucket policy that grants access to the auditor's AWS account.
C.Use AWS Security Token Service (STS) to issue temporary credentials that expire after 24 hours.
D.Generate a pre-signed URL for the bucket.
AnswerC

STS issues temporary credentials that can be configured to expire.

Why this answer

Option C is correct because STS is designed to issue temporary credentials with a specified expiration. Option A is wrong because IAM users have long-term credentials. Option B is wrong because bucket policies grant access to IAM principals, not temporary credentials. Option D is wrong because pre-signed URLs grant access to a specific object, not the bucket.

274
MCQeasy

A company has a VPC with both IPv4 and IPv6 CIDR blocks. They have a public subnet with an EC2 instance that needs to be accessible over IPv6 from the internet. The instance has an IPv6 address assigned. The SysOps administrator has attached an Internet Gateway (IGW) to the VPC and added a route to the IGW for the public subnet's IPv6 route table. However, the instance is not reachable over IPv6. What is the missing configuration?

A.The instance does not have a public IPv6 address assigned
B.The route table for the subnet does not have a default route (::/0) to the IGW
C.An egress-only Internet Gateway is required for IPv6
D.The security group attached to the instance does not allow inbound IPv6 traffic
AnswerD

By default, security groups deny all inbound traffic; an explicit rule for IPv6 is needed.

Why this answer

Option D is correct because security groups deny all inbound traffic by default, and an inbound rule written for IPv4 sources does not cover IPv6; an explicit inbound rule for the IPv6 source (for example ::/0) on the required port is needed. The stem says the IGW is attached, the instance has an IPv6 address, and a route to the IGW was added, so the security group is the most likely missing piece.

Option A is wrong because the stem states the instance already has an IPv6 address; VPC IPv6 addresses are globally unique and publicly routable, so there is no separate public address to assign. Option B is plausible only if the route that was added is not the default ::/0 route; since the stem says a route to the IGW was added, this is less likely than the security group. Option C is wrong because an egress-only Internet Gateway handles outbound-only IPv6 traffic, while an IGW already supports inbound IPv6, so an EIGW would not make the instance reachable.

275
MCQhard

An application uses Amazon Route 53 weighted routing to distribute traffic across two AWS regions. After a deployment, users in one region are experiencing errors. What should the administrator do to mitigate the issue immediately?

A.Update the alias record to point to a different load balancer.
B.Change the routing policy from weighted to latency-based.
C.Restart the EC2 instances in the affected region.
D.Set the weight of the affected region's record to 0 and verify health checks are configured.
AnswerD

Setting weight to 0 stops traffic to that region, and health checks will fail automatically.

Why this answer

Option D is correct because setting the weight of the unhealthy region's record to 0 stops traffic to it, and health checks will automatically remove unhealthy endpoints. Option A is wrong because changing alias records can cause propagation delays. Option B is wrong because changing the routing policy requires DNS propagation time. Option C is wrong because restarting instances may not resolve the issue immediately.

276
MCQmedium

A company's security policy requires that all new Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled by default. A SysOps administrator wants to enforce this requirement for all current and future S3 buckets in the account. Which AWS service or feature should be used to automatically apply this configuration?

A.Enable S3 default encryption at the account level in the S3 console.
B.Create an AWS CloudTrail trail that captures S3 API calls and triggers a Lambda function to enable encryption on any bucket that is created without it.
C.Use an AWS Organizations Service Control Policy (SCP) to deny the s3:PutBucketPublicAccessBlock action, forcing users to enable encryption.
D.Use AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule and configure automatic remediation to apply SSE-KMS when a non-compliant bucket is detected.
AnswerD

AWS Config can evaluate all buckets (current and future) against the rule. Automatic remediation can invoke an SSM Automation document or a Lambda function to enable SSE-KMS on the bucket, meeting the requirement with a managed service.

Why this answer

Option D is correct because AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule can evaluate S3 buckets for compliance with server-side encryption requirements. When a non-compliant bucket is detected, automatic remediation can be configured to apply SSE-KMS using an AWS Systems Manager Automation document, ensuring all current and future buckets meet the security policy without manual intervention.

Exam trap

The trap here is that candidates confuse S3 default encryption (which is bucket-level only) with account-level enforcement, or they mistakenly think SCPs can directly enable encryption rather than just deny actions, leading them to pick options that are reactive or misaligned with the requirement.

How to eliminate wrong answers

Option A is wrong because S3 default encryption can only be set at the bucket level, not at the account level; there is no account-level setting in the S3 console to enforce encryption on all buckets. Option B is wrong because while CloudTrail and Lambda can reactively fix buckets after creation, this approach is event-driven and not a proactive enforcement mechanism; it also relies on custom code and may introduce latency or gaps. Option C is wrong because the s3:PutBucketPublicAccessBlock action controls public access block settings, not server-side encryption; denying this action does nothing to enforce SSE-KMS, and SCPs cannot directly enable encryption on resources.

277
MCQmedium

A SysOps administrator needs to grant cross-account access to an S3 bucket in Account A for an IAM user in Account B. The bucket policy in Account A allows the IAM user's account root principal. What additional configuration is required?

A.Modify the AWS KMS key policy to allow the user in Account B
B.Add a bucket ACL granting access to the user in Account B
C.Add an AWS Organizations service control policy to allow access
D.Attach an IAM policy to the user in Account B that allows the required S3 actions
AnswerD

The user needs an IAM policy that grants the S3 actions.

Why this answer

Option D is correct because cross-account access to an S3 bucket requires both a bucket policy that grants access to the root principal of the target account (Account B) and an IAM policy attached to the user in Account B that explicitly allows the desired S3 actions. Without the IAM policy, the user in Account B has no permissions to perform any S3 operations, even though the bucket policy in Account A permits the account root. The IAM policy acts as the identity-based permission that authorizes the specific user to invoke the S3 API calls.

Exam trap

The trap here is that candidates assume the bucket policy alone is sufficient for cross-account access, forgetting that the IAM user in the target account must also have an explicit IAM policy allowing the S3 actions, as AWS requires both resource-based and identity-based permissions to be evaluated and both must allow the operation.

How to eliminate wrong answers

Option A is wrong because AWS KMS key policies are only relevant if the S3 bucket uses SSE-KMS encryption; the question does not mention encryption, and modifying the KMS key policy is not a general requirement for cross-account S3 access. Option B is wrong because bucket ACLs are legacy and cannot grant access to an IAM user in another account; they only support granting access to AWS accounts or predefined groups, not individual IAM users. Option C is wrong because AWS Organizations service control policies (SCPs) apply to all principals within an organization and are used to set permission boundaries, not to grant cross-account access; they cannot be used to allow a specific IAM user in another account.

278
MCQhard

A SysOps administrator is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a permissions policy that allows sts:AssumeRole. However, the user still gets an access denied error. What is the MOST likely cause?

A.The trust policy specifies the user's ARN instead of the account ARN
B.The user's permissions policy does not include sts:AssumeRole for the specific role ARN
C.The role requires MFA, but the user does not have MFA configured
D.The role's permissions policy does not include an external ID
AnswerB

The user must have an IAM policy that allows sts:AssumeRole on the target role.

Why this answer

Option B is correct because an AssumeRole call must be allowed on both sides: the role's trust policy must allow the caller's account, and the user's identity-based policy must allow sts:AssumeRole on the specific role ARN. The stem says the user's policy allows sts:AssumeRole, but if it does not name this role's ARN as the resource, the AssumeRole call itself is denied even though the trust policy is correct. Option A is wrong because the stem states the trust policy allows the user's account, so the trust side is already satisfied. Option C is wrong because MFA is not mentioned in the scenario. Option D is wrong because an external ID is optional, and it is a trust-policy condition rather than part of the role's permissions policy.

279
MCQeasy

A company has a fleet of EC2 instances that need to be patched monthly. The SysOps administrator must ensure that the patching process does not affect the availability of the application. Which strategy should the administrator use?

A.Patch one instance at a time manually by stopping and starting.
B.Use an Auto Scaling group with a rolling update strategy.
C.Use AWS Systems Manager Patch Manager to patch all instances at once.
D.Stop all instances, apply patches, then start them.
AnswerB

A rolling update replaces instances incrementally, maintaining availability.

Why this answer

Option B is correct because using an Auto Scaling group with a rolling update replaces instances one at a time, ensuring that the application remains available. Option A is wrong because patching one instance manually is not automated and still risks downtime if the instance is needed. Option C is wrong because AWS Systems Manager Patch Manager can patch instances, but without a rolling update it may cause downtime if all instances are patched simultaneously. Option D is wrong because stopping all instances at once causes downtime.

280
MCQmedium

A company runs a web application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application has predictable traffic patterns with high traffic during business hours and low traffic at night. The SysOps administrator wants to reduce compute costs while ensuring the application remains responsive during peak hours. The administrator has already implemented Auto Scaling based on CPU utilization. Which additional action should the administrator take to optimize costs?

A.Use On-Demand instances only
B.Purchase Reserved Instances for the baseline capacity and use Spot Instances for the additional capacity during peak hours
C.Increase the minimum number of instances in the Auto Scaling group
D.Use Dedicated Hosts to reduce licensing costs
AnswerB

This approach minimizes costs by applying the highest discount (Reserved Instances) to the steady-state capacity and leveraging the cost savings of Spot Instances for the flexible, peak-demand capacity. Auto Scaling can be configured to launch Spot Instances as needed, providing both cost efficiency and performance.

Why this answer

Option B is correct because it combines Reserved Instances for predictable baseline capacity (lower cost per hour) with Spot Instances for elastic peak demand, leveraging Auto Scaling to handle variable traffic. This hybrid approach reduces compute costs compared to using On-Demand instances for all capacity, while maintaining responsiveness during peak hours.

Exam trap

The trap here is that candidates may think increasing the minimum instance count (Option C) improves responsiveness, but it actually increases costs during low-traffic periods without addressing the cost optimization goal.

How to eliminate wrong answers

Option A is wrong because using only On-Demand instances ignores cost-saving opportunities from Reserved or Spot Instances, leading to higher costs for predictable baseline traffic. Option C is wrong because increasing the minimum number of instances raises baseline costs unnecessarily, as the application has low traffic at night and does not require a higher minimum. Option D is wrong because Dedicated Hosts are designed for licensing or compliance requirements, not for general cost optimization, and they incur additional costs without addressing variable traffic patterns.

281
Multi-Selecthard

A SysOps administrator needs to receive alerts when an S3 bucket is publicly accessible. Which TWO AWS services can be used to monitor and detect this configuration?

Select 2 answers
A.AWS CloudTrail
B.AWS Security Hub
C.AWS Trusted Advisor
D.AWS Config
E.Amazon CloudWatch
AnswersB, D

Security Hub aggregates findings from Config and other services.

Why this answer

AWS Security Hub (B) is correct because it aggregates security findings from multiple AWS services, including Amazon GuardDuty and AWS Config, and can detect publicly accessible S3 buckets via its built-in security standards (e.g., CIS AWS Foundations Benchmark). AWS Config (D) is correct because it can evaluate S3 bucket configurations against rules, such as the managed rule 's3-bucket-public-read-prohibited' or 's3-bucket-public-write-prohibited', and trigger alerts when a bucket becomes publicly accessible.

Exam trap

The trap here is that candidates often choose AWS Trusted Advisor (C) because it has an 'S3 Bucket Permissions' check, but they overlook that it does not provide real-time alerts or continuous monitoring, unlike AWS Config, which can trigger immediate notifications via Amazon SNS.

282
MCQeasy

An application uploads files to an S3 bucket. The SysOps administrator needs to ensure that the files are automatically replicated to another bucket in a different AWS Region for disaster recovery. Which action should be taken?

A.Enable Cross-Region Replication on the source bucket.
B.Use S3 Transfer Acceleration for faster uploads.
C.Enable versioning on the source bucket.
D.Configure a lifecycle policy to transition objects to Glacier.
AnswerA

CRR automatically replicates objects to a specified destination bucket in a different region.

Why this answer

Option A is correct because S3 Cross-Region Replication (CRR) automatically replicates objects to a destination bucket in another region. Option B is wrong because S3 Transfer Acceleration speeds up uploads but does not replicate. Option C is wrong because versioning alone does not replicate data. Option D is wrong because lifecycle policies only manage storage tiers, not replication.

283
Multi-Selectmedium

A company is running a high-performance computing (HPC) workload on EC2. The workload is time-sensitive and runs for 2 hours every night. The company wants to minimize costs. Which THREE options should they consider? (Choose THREE.)

Select 3 answers
A.Purchase Reserved Instances for the nightly run.
B.Use an EFS or S3 as shared storage instead of EBS volumes.
C.Use smaller instance types and distribute the workload.
D.Use Dedicated Instances for performance isolation.
E.Use Spot Instances to take advantage of lower pricing.
AnswersB, C, E

Shared storage can reduce EBS costs.

Why this answer

Options B, C, and E are correct. E is correct because Spot Instances offer large discounts for fault-tolerant HPC workloads. C is correct because using smaller instances in parallel may be cheaper. B is correct because using EFS or S3 for shared storage reduces costs compared with per-instance EBS volumes. Option A is wrong because Reserved Instances require a 1-3 year commitment, which does not fit a workload that runs for 2 hours each night. Option D is wrong because Dedicated Instances are expensive.

284
MCQhard

A company runs a critical application on a fleet of EC2 instances in an Auto Scaling group. The application is deployed using a blue/green deployment strategy with AWS CodeDeploy. The green environment fails immediately after deployment, and the deployment is automatically rolled back. However, the rollback also fails because the original blue environment's Auto Scaling group has been scaled down. What should the SysOps administrator do to prevent this issue in future deployments?

A.Configure the deployment to automatically delete the green environment after rollback.
B.Increase the minimum size of the Auto Scaling group.
C.Change the deployment type to in-place.
D.Set the original environment termination delay to a longer duration in the CodeDeploy deployment group.
AnswerD

This ensures the blue environment is retained for rollback.

Why this answer

Option D is correct because a blue/green deployment in CodeDeploy lets you specify how long to keep the original (blue) environment after a successful deployment. Setting this to a sufficient duration ensures the blue environment is available for rollback. Option A is incorrect because it deletes the green environment, which may be needed for rollback. Option B is incorrect because increasing the minimum size does not guarantee the blue environment retains instances. Option C is incorrect because it changes the deployment type without addressing the root cause.

285
MCQmedium

A SysOps Administrator is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. The instances can communicate over private IP addresses when security groups are set to allow all traffic, but fail when security groups are configured with specific rules. The Administrator wants to allow HTTP (port 80) and HTTPS (port 443) traffic from the client instance to the server instance. What security group rules are needed?

A.Add inbound rules on the server to allow HTTP and HTTPS from the client security group.
B.Add inbound rules on both the client and server.
C.Add outbound rules on both the client and server.
D.Add inbound rules on the client and outbound rules on the server.
AnswerA

Security groups are stateful; inbound rules on the server allow the request, and the response is automatically allowed.

Why this answer

Option A is correct because security groups are stateful; you only need inbound rules on the server to allow HTTP/HTTPS from the client's security group, and the response traffic is automatically allowed. Option B is wrong because inbound rules on the client are not needed. Option C is wrong because outbound rules on the server are not needed for the response, and the client's default outbound rule already permits the request. Option D is wrong because neither inbound rules on the client nor outbound rules on the server are needed for a request initiated by the client.

286
MCQeasy

A company is using Amazon S3 to host a static website. The website receives millions of requests per month from users around the world. The company wants to reduce latency and S3 data transfer costs. Which solution should the company implement?

A.Enable S3 replication to multiple regions.
B.Use Amazon CloudFront as a content delivery network in front of the S3 bucket.
C.Enable S3 Transfer Acceleration.
D.Use S3 Cross-Region Replication to replicate objects to all regions.
AnswerB

CloudFront reduces latency and data transfer costs.

Why this answer

Amazon CloudFront is a content delivery network that caches content at edge locations, reducing latency and data transfer costs from S3. S3 Transfer Acceleration speeds up uploads but not downloads. S3 Replication does not reduce latency.

S3 Cross-Region Replication is for data redundancy, not performance.

287
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group behind an ALB. The application experiences variable traffic, with peak usage during business hours and low traffic at night. The SysOps administrator wants to reduce costs while maintaining performance. The current setup uses On-Demand instances only. The application is stateful and stores session data in an ElastiCache Redis cluster. The administrator has identified that the application can handle Spot Instance interruptions gracefully by redirecting users to a fallback page. The company has a budget of $10,000 per month for EC2 instances, and current costs are $8,000 per month. The administrator wants to reduce costs further without compromising availability for most users. Which solution is MOST cost-effective?

A.Increase the On-Demand base capacity to handle peak load and use Spot for any additional capacity.
B.Purchase Reserved Instances for the minimum expected capacity and use On-Demand for the rest.
C.Use only Spot Instances at all times to maximize savings, and rely on the fallback page for interruptions.
D.Use a mixed instances policy with Spot Instances during off-peak hours and On-Demand during peak hours, using Auto Scaling scheduled scaling.
AnswerD

This combines cost savings from Spot with reliability of On-Demand during peak.

Why this answer

Option D is correct because running Spot Instances during off-peak hours captures the Spot discount when an interruption affects few users, and scheduled scaling moves the group back to On-Demand capacity for business hours so performance and availability are preserved for most users. Option A is wrong because an On-Demand base sized for peak load increases cost, the opposite of the goal. Option B is wrong because Reserved Instances require a 1- or 3-year commitment and only pay off for the steady baseline, not for the variable part of the load.

Option C is wrong because running only Spot Instances at all times exposes peak-hour traffic to interruptions, so availability would be compromised for many users.

288
MCQeasy

A development team uses AWS CloudFormation to deploy infrastructure. They want to update a stack but first need to review how the changes will impact existing resources before applying them. Which CloudFormation feature should they use?

A.Change sets
B.Stack policies
C.Condition functions
D.Custom resources
AnswerA

Correct. Change sets provide a preview of the changes that will be made to the stack, enabling review before execution.

Why this answer

Change sets allow you to preview how proposed changes to a CloudFormation stack will affect your running resources before you apply them. They generate a summary of the changes (additions, modifications, deletions) based on the new template and parameters, enabling you to assess impact such as resource replacement or updates without executing the changes. This directly addresses the team's requirement to review changes before applying them.

Exam trap

The trap here is that candidates confuse stack policies (which guard resources during updates) with change sets (which preview changes), or assume condition functions or custom resources can simulate change impact, but only change sets provide a declarative diff before execution.

How to eliminate wrong answers

Option B is wrong because stack policies are used to prevent accidental updates or deletions of specific stack resources during a stack update, not to preview changes. Option C is wrong because condition functions (e.g., Fn::If) control whether certain resources are created or properties are set based on conditions in the template, but they do not provide a preview of change impact. Option D is wrong because custom resources allow you to handle provisioning logic for resources not natively supported by CloudFormation, but they do not offer a mechanism to review changes before an update.
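A pre-execution check built on the change-set preview described above, as an added example that is not part of the original page or of any AWS tool. It parses the JSON that `aws cloudformation describe-change-set --stack-name <stack> --change-set-name <name> --output json` returns and refuses execution when any resource would be removed or replaced. The response embedded below is constructed for the example; the stack, change-set and logical resource names are placeholders.

```python
"""Gate a CloudFormation change set on destructive resource changes.

Added example, not AWS code. Input is the JSON document returned by
`aws cloudformation describe-change-set`; the sample below is constructed
and its stack, change-set and resource names are placeholders.
"""
import json
from typing import Dict, List

SAMPLE_DESCRIBE_CHANGE_SET = json.dumps({
    "ChangeSetName": "review-db-change",          # placeholder name
    "StackName": "web-app",                       # placeholder stack
    "Status": "CREATE_COMPLETE",
    "Changes": [
        # Changing the DB engine forces a new RDS instance: data-loss risk.
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppDatabase",
            "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "Engine",
                                    "RequiresRecreation": "Always"}}]}},
        # Description edits update the security group in place.
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "WebSecurityGroup",
            "ResourceType": "AWS::EC2::SecurityGroup", "Replacement": "False",
            "Details": [{"Target": {"Attribute": "Properties",
                                    "Name": "GroupDescription",
                                    "RequiresRecreation": "Never"}}]}},
        # A resource dropped from the template is deleted on execution.
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "LegacyBucket",
            "ResourceType": "AWS::S3::Bucket"}},
        # Additions never destroy anything.
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "AuditLogGroup",
            "ResourceType": "AWS::Logs::LogGroup"}},
    ],
})


def destructive_changes(describe_output: str) -> List[Dict[str, str]]:
    """Return the resources a change set would delete or recreate.

    Replacement is 'True', 'False' or 'Conditional'; Conditional means
    CloudFormation cannot decide until execution, so it is treated as unsafe.
    """
    findings: List[Dict[str, str]] = []
    for change in json.loads(describe_output).get("Changes", []):
        rc = change.get("ResourceChange", {})
        action = rc.get("Action")
        replacement = rc.get("Replacement", "False")
        if action == "Remove":
            reason = "resource will be deleted"
        elif action == "Modify" and replacement in ("True", "Conditional"):
            reason = f"replacement={replacement}"
        else:
            continue
        findings.append({"LogicalResourceId": rc["LogicalResourceId"],
                         "ResourceType": rc["ResourceType"],
                         "Reason": reason})
    return findings


def safe_to_execute(describe_output: str) -> bool:
    """True only when no resource is removed or replaced."""
    return not destructive_changes(describe_output)


if __name__ == "__main__":
    for f in destructive_changes(SAMPLE_DESCRIBE_CHANGE_SET):
        print(f"{f['LogicalResourceId']} ({f['ResourceType']}): {f['Reason']}")
    print("safe to execute:", safe_to_execute(SAMPLE_DESCRIBE_CHANGE_SET))
```

Run it against the real describe output before `aws cloudformation execute-change-set`. A Replacement of Conditional is treated as destructive on purpose: CloudFormation reports it when it cannot tell until execution whether the resource will be recreated, which is exactly the case a reviewer should not wave through.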

289
MCQhard

A company stores video files in Amazon S3. The files are accessed frequently for the first week, then weekly for the next month, and then rarely after that. The files must be retained for 5 years and any access must be served within minutes. The SysOps administrator needs to minimize storage costs while meeting these requirements. Which lifecycle policy configuration is the most cost-effective?

A.Transition to S3 Standard-IA after 7 days, then to S3 Glacier Flexible Retrieval after 30 days.
B.Transition to S3 One Zone-IA after 7 days, then to S3 Glacier Deep Archive after 30 days.
C.Transition to S3 Standard-IA after 7 days, then to S3 Glacier Instant Retrieval after 30 days.
D.Transition to S3 Intelligent-Tiering after 7 days.
AnswerC

Standard-IA serves the weekly-access month at a lower storage price than S3 Standard while still returning objects in milliseconds, and Glacier Instant Retrieval is the cheapest class that still offers millisecond access for the rarely accessed remainder of the 5-year retention, so this chain meets the requirements at the lowest cost.

Why this answer

Option C is correct because it transitions to S3 Standard-IA after 7 days (once the frequent first-week access ends) and to S3 Glacier Instant Retrieval after 30 days (once the weekly-access month ends). Glacier Instant Retrieval provides millisecond retrieval for rarely accessed data, meeting the 'within minutes' requirement at a lower storage price than Standard-IA or Intelligent-Tiering. One practical caveat when you build this rule: S3 Lifecycle requires an object to have spent at least 30 days in S3 before a transition to Standard-IA or One Zone-IA, so a real configuration sets the first transition to 30 days; that does not change which option is best.

Exam trap

The trap here is that candidates often confuse S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive as cost-effective options without verifying the retrieval time requirement, assuming 'Glacier' always means cheap but slow, while the question explicitly requires access 'within minutes'.

How to eliminate wrong answers

Option A is wrong because S3 Glacier Flexible Retrieval's standard retrievals take 3-5 hours (expedited retrievals can finish in 1-5 minutes but cost more and are not guaranteed to be available without provisioned capacity), so it does not reliably meet the access requirement. Option B is wrong because S3 One Zone-IA keeps the data in a single Availability Zone, an unacceptable loss risk for a 5-year retention requirement, and S3 Glacier Deep Archive standard retrievals take up to 12 hours (48 hours for bulk), violating the 'within minutes' requirement. Option D is wrong because S3 Intelligent-Tiering charges a per-object monitoring and automation fee, moves objects to its Archive Instant Access tier only after 90 consecutive days without access, and reaches cheaper archive tiers only if you enable the optional tiers with hour-scale retrieval, so for a known access pattern an explicit lifecycle rule is cheaper.
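A validator for a lifecycle transition chain, added here as an example (not from the page or from AWS) for the rule comparison above. It encodes three constraints the S3 Lifecycle API enforces (the storage-class waterfall, a minimum of 30 days in S3 before a transition to Standard-IA or One Zone-IA, and strictly increasing Days across one rule's transitions) plus two requirement checks: worst-case standard-retrieval latency and single-AZ storage. Cost is not modelled, the retrieval figures are the documented standard-retrieval times, and real S3 has further constraints the example leaves out (for instance the default 128 KB size threshold for transitions).

```python
"""Check an S3 Lifecycle transition chain before you apply it.

Added example for the lifecycle question above, not from the page or any
AWS tool. Encodes the storage-class waterfall, the 30-day minimum in S3
before Standard-IA / One Zone-IA, strictly increasing Days per rule, and
two requirement checks (standard-retrieval latency, single-AZ storage).
Cost is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List

# Transitions may skip classes but can only move down this list.
WATERFALL = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
             "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
MIN_DAYS_IN_S3_BEFORE = {"STANDARD_IA": 30, "ONEZONE_IA": 30}
# Upper bound of a *standard* retrieval, in seconds (expedited/bulk differ).
RETRIEVAL_SECONDS = {"STANDARD": 0, "STANDARD_IA": 0, "INTELLIGENT_TIERING": 0,
                     "ONEZONE_IA": 0, "GLACIER_IR": 0,
                     "GLACIER": 5 * 3600,        # 3-5 hours
                     "DEEP_ARCHIVE": 12 * 3600}  # within 12 hours
SINGLE_AZ = {"ONEZONE_IA"}


@dataclass(frozen=True)
class Transition:
    days: int
    storage_class: str


def validate_rule(transitions: List[Transition], max_retrieval_seconds: int,
                  multi_az_required: bool = True) -> List[str]:
    """Return the problems found; an empty list means the chain is acceptable."""
    problems: List[str] = []
    prev_days, prev_rank = 0, 0          # objects start in STANDARD on day 0
    for i, t in enumerate(transitions):
        if t.storage_class not in WATERFALL:
            problems.append(f"unknown storage class {t.storage_class}")
            continue
        rank = WATERFALL.index(t.storage_class)
        if rank <= prev_rank:
            problems.append(f"{t.storage_class} is not below "
                            f"{WATERFALL[prev_rank]} in the waterfall")
        if i > 0 and t.days <= prev_days:
            problems.append(f"{t.storage_class} at day {t.days} must come after "
                            f"the previous transition at day {prev_days}")
        minimum = MIN_DAYS_IN_S3_BEFORE.get(t.storage_class, 0)
        if t.days < minimum:
            problems.append(f"{t.storage_class} requires at least {minimum} days "
                            f"in S3 first (got {t.days})")
        if RETRIEVAL_SECONDS[t.storage_class] > max_retrieval_seconds:
            problems.append(f"{t.storage_class} standard retrieval takes up to "
                            f"{RETRIEVAL_SECONDS[t.storage_class] // 3600} h")
        if multi_az_required and t.storage_class in SINGLE_AZ:
            problems.append(f"{t.storage_class} keeps a single copy in one AZ")
        prev_days, prev_rank = t.days, rank
    return problems


# The four answer choices exactly as the question words them.
OPTIONS = {
    "A": [Transition(7, "STANDARD_IA"), Transition(30, "GLACIER")],
    "B": [Transition(7, "ONEZONE_IA"), Transition(30, "DEEP_ARCHIVE")],
    "C": [Transition(7, "STANDARD_IA"), Transition(30, "GLACIER_IR")],
    "D": [Transition(7, "INTELLIGENT_TIERING")],
}
# Option C with the first transition moved to the 30-day minimum S3 accepts.
OPTION_C_DEPLOYABLE = [Transition(30, "STANDARD_IA"), Transition(60, "GLACIER_IR")]


def check_options(max_retrieval_seconds: int = 15 * 60) -> Dict[str, List[str]]:
    """Problems per option for a 'served within minutes' requirement."""
    return {name: validate_rule(chain, max_retrieval_seconds)
            for name, chain in OPTIONS.items()}


if __name__ == "__main__":
    for name, problems in check_options().items():
        print(name, problems or "ok")
    print("C (deployable)", validate_rule(OPTION_C_DEPLOYABLE, 15 * 60) or "ok")
```

Option D passes every check because these are validity and latency checks, not cost checks; the cost argument against Intelligent-Tiering in the explanation still stands. Options A to C all trip the 30-day rule as written, which is why the deployable version of C moves the first transition to day 30.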

290
MCQhard

A company uses an Amazon DynamoDB table with on-demand capacity mode for a variable workload. The SysOps administrator notices high costs and wants to reduce them without affecting application performance. Which action should the administrator take?

A.Switch the table to provisioned capacity mode with auto scaling.
B.Enable DynamoDB Accelerator (DAX) for caching.
C.Implement DynamoDB Global Tables to distribute data across regions.
D.Set a Time to Live (TTL) attribute to automatically expire old items.
AnswerA

Provisioned mode with auto scaling adjusts capacity based on actual usage and is generally cheaper than on-demand for predictable or moderate variability, as long as you don't have extreme spikes.

Why this answer

Switching from on-demand to provisioned capacity with auto scaling reduces costs for variable workloads by allowing you to set a lower base capacity and scale only when needed, avoiding the premium per-request pricing of on-demand mode. Auto scaling adjusts read/write capacity based on actual utilization, ensuring application performance is maintained while eliminating the cost overhead of paying for every request at on-demand rates.

Exam trap

The trap here is that candidates assume on-demand mode is always the most cost-effective for variable workloads, but the exam tests that provisioned capacity with auto scaling can be cheaper for predictable variability, and that options like DAX or TTL address different cost components (latency or storage) rather than the per-request compute cost.

How to eliminate wrong answers

Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory caching service that reduces read latency and costs for repeated reads, but it does not address the core issue of high write costs or the per-request pricing model of on-demand mode; it adds an additional service cost. Option C is wrong because DynamoDB Global Tables replicate data across regions for disaster recovery and low-latency global access, which increases costs due to cross-region replication and additional storage, not reduces them. Option D is wrong because setting a Time to Live (TTL) attribute automatically expires old items to reduce storage costs, but it does not reduce the compute cost of read/write operations, which is the primary driver of high costs in on-demand mode.

291
MCQmedium

A company is running a web application on EC2 instances behind an Application Load Balancer. The application experiences variable traffic patterns. The SysOps team wants to optimize costs without impacting performance. Which EC2 purchasing option should the team use for the instances?

A.Savings Plans
B.Spot Instances
C.On-Demand Instances
D.Reserved Instances
AnswerC

No upfront commitment and no interruption risk, which suits an unpredictable traffic pattern.

Why this answer

Option C is correct because On-Demand Instances are billed for what runs, with no commitment, so an Auto Scaling group can follow variable traffic without paying for idle committed capacity. Savings Plans and Reserved Instances lower the hourly price but require a 1- or 3-year commitment to a baseline spend or instance family, which pays off only for the steady part of the load, not for an unpredictable pattern.

Spot Instances are not suitable as the sole purchasing option for a web application that needs consistent availability, because AWS can reclaim them with two minutes' notice.

292
MCQhard

A SysOps administrator is troubleshooting a failed AWS CloudFormation stack creation. The stack includes an AWS::Lambda::Function resource. The error message states: 'The runtime parameter of nodejs8.10 is no longer supported.' The administrator needs to resolve this with minimal changes. What should the administrator do?

A.Modify the Lambda function code to use Python 3.8.
B.Manually update the runtime in the AWS Lambda console after the stack creation fails.
C.Update the CloudFormation template to use a supported Node.js runtime, such as nodejs14.x.
D.Wait for AWS to re-enable the nodejs8.10 runtime.
AnswerC

This directly addresses the deprecation error.

Why this answer

Option C is correct because the error indicates the runtime is deprecated; updating the Runtime property in the template to a supported version (e.g., nodejs14.x) resolves the issue with a one-line change. Option A is wrong because rewriting the function in Python is far more than a minimal change, and the existing code is likely compatible with a newer Node.js runtime. Option B is wrong because the runtime is specified in the CloudFormation template; a failed stack creation rolls back, so there is no function left to edit, and a console change would in any case drift from the template on the next update.

Option D is wrong because AWS does not re-enable deprecated runtimes, so waiting will not fix the error.

293
Multi-Selecthard

Which THREE measures help protect an S3 bucket from accidental data loss? (Choose 3)

Select 3 answers
A.Enable MFA Delete on the bucket.
B.Create a lifecycle policy to transition objects to S3 Glacier.
C.Enable server-side encryption on the bucket.
D.Configure cross-region replication to a destination bucket.
E.Enable versioning on the bucket.
AnswersA, D, E

MFA Delete requires an additional authentication factor to permanently delete object versions, reducing accidental deletion risk.

Why this answer

Options A, D, and E are correct. Versioning preserves every object version so an overwrite or delete can be undone, MFA Delete requires an additional authentication factor to permanently delete a version or to change the bucket's versioning state, and cross-region replication keeps a copy of new object versions in a destination bucket in another Region. Option C is wrong because server-side encryption protects confidentiality; it does not prevent deletion or overwriting.

Option B is wrong because a lifecycle policy only changes storage class or expires objects; expiration deletes data on a schedule, which increases rather than reduces the risk of loss.

294
MCQmedium

Refer to the exhibit. An EC2 instance is registered with an ALB target group. The health check returns 502. What is the most likely cause?

A.The instance is not reachable from the ALB due to a network ACL.
B.The instance is not registered with the target group.
C.The web server on the instance is returning an HTTP 502 response.
D.The health check path is configured for HTTPS but the instance only supports HTTP.
AnswerC

Correct because the health check receives a 502 from the target application.

Why this answer

Option C is correct because a 502 recorded by the health check means the target answered the probe with an HTTP 502, typically because a reverse proxy or application server on the instance is failing or its upstream is down. Option A is wrong because a network ACL blocking the ALB would make the probe time out with no response at all, not return a 502. Option B is wrong because the instance is registered in the target group; it is simply reported as unhealthy.

Option D is wrong because a protocol mismatch between the health check and the listener on the instance produces a connection or TLS handshake failure, not an HTTP 502 response from the application.

295
MCQmedium

A company has an application that writes logs to CloudWatch Logs. The SysOps administrator needs to search for a specific error pattern across multiple log groups. Which solution is the most efficient?

A.Create a CloudWatch dashboard to visualize log data.
B.Use CloudWatch Logs Insights to query the log groups.
C.Create a metric filter to count the error pattern.
D.Create a subscription filter to stream logs to Amazon ES.
AnswerB

Logs Insights is designed for interactive log analysis.

Why this answer

CloudWatch Logs Insights is purpose-built for interactive ad-hoc querying of log data across multiple log groups, enabling efficient pattern matching and filtering without requiring pre-configured infrastructure. It uses a dedicated query language optimized for searching, aggregating, and analyzing log events, making it the most efficient solution for searching a specific error pattern across multiple log groups.

Exam trap

The trap here is that candidates often confuse metric filters (which only count occurrences) with the ability to search and retrieve actual log events, leading them to choose Option C instead of the correct query-based solution.

How to eliminate wrong answers

Option A is wrong because CloudWatch dashboards are designed for visualizing metrics and log data in pre-defined widgets, not for performing ad-hoc searches or queries across multiple log groups. Option C is wrong because metric filters only count occurrences of a pattern and emit a metric, but they do not allow you to search or retrieve the actual log events containing the error pattern. Option D is wrong because subscription filters stream logs to Amazon ES (now OpenSearch Service) for long-term analysis and visualization, which adds latency, cost, and operational overhead compared to directly querying the log groups with Logs Insights.

296
MCQhard

An IAM policy is attached to an EC2 instance role to allow sending logs to CloudWatch Logs. The application running on the instance fails to send logs to the log group 'MyAppLogGroup'. Which change is required to fix the issue?

A.Install the CloudWatch agent on the instance.
B.Attach the policy to the EC2 instance instead of the instance role.
C.Add a new statement allowing logs:PutLogEvents on 'arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogGroup:log-stream:*'.
D.Change the log group ARN in the policy to include the log stream name.
AnswerC

PutLogEvents requires permissions on the log stream resource, not just the log group.

Why this answer

The IAM policy attached to the EC2 instance role is missing the `logs:PutLogEvents` permission for the specific log stream within the log group. Even if the policy allows `logs:CreateLogStream` and `logs:DescribeLogGroups`, the application cannot send log events without `logs:PutLogEvents` on the log stream resource. Option C adds the required statement with the correct ARN pattern to resolve the failure.

Exam trap

The trap here is that candidates assume the CloudWatch agent is required for any log delivery, or that attaching a policy directly to the instance is possible, when the real issue is a missing `PutLogEvents` permission on the log stream resource.

How to eliminate wrong answers

Option A is wrong because the CloudWatch agent is not required for sending logs via the AWS SDK or CLI; the application can use the `PutLogEvents` API directly, and the issue is a permissions problem, not a missing agent. Option B is wrong because IAM policies cannot be attached directly to an EC2 instance; they must be attached to an IAM role that is then associated with the instance profile. Option D is wrong because the log group ARN in the policy does not need to include the log stream name; the policy can use a wildcard for the log stream (e.g., `log-stream:*`) to allow `PutLogEvents` on any stream within the group.

297
MCQmedium

A company's security policy requires that all IAM users must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to enforce this requirement using IAM policies. Which IAM policy condition key should the administrator use in the policy?

A.aws:MultiFactorAuthPresent
B.aws:SourceIp
C.iam:PassedToService
D.ec2:SourceInstanceARN
AnswerA

Using the condition 'aws:MultiFactorAuthPresent': 'true' in an IAM policy ensures that the caller must have authenticated with MFA to allow the action.

Why this answer

Option A is correct because the `aws:MultiFactorAuthPresent` condition key lets the administrator check whether the request was made with temporary credentials obtained after MFA authentication. An Allow statement conditioned on `"Bool": {"aws:MultiFactorAuthPresent": "true"}` grants the EC2 actions only to MFA-authenticated sessions, which satisfies the security policy. If you instead write a Deny on `"aws:MultiFactorAuthPresent": "false"`, use the `BoolIfExists` operator: the key is absent from requests signed with long-term access keys, and a plain `Bool` comparison never matches an absent key, so those requests would slip past the Deny.

Exam trap

The trap here is that candidates confuse `aws:MultiFactorAuthPresent` with `aws:SourceIp` or `iam:PassedToService`, mistakenly thinking IP-based or role-passing conditions can enforce MFA, when only the MFA-specific condition key works.

How to eliminate wrong answers

Option B is wrong because `aws:SourceIp` is used to restrict access based on the originating IP address, not to enforce MFA authentication. Option C is wrong because `iam:PassedToService` is used to control which services a role can be passed to (e.g., EC2), not to enforce MFA for user actions. Option D is wrong because `ec2:SourceInstanceARN` identifies the EC2 instance whose instance-profile credentials made a request; it scopes calls originating from a specific instance and says nothing about user MFA.
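A small policy evaluator covering the two points above, for question 296 (PutLogEvents is authorized against the log-stream ARN, so a Resource that names only the log group never matches) and question 297 (how `Bool` and `BoolIfExists` behave when `aws:MultiFactorAuthPresent` is absent). This is an added example, not AWS's policy engine or code from the page: it models wildcard matching, explicit deny over allow, implicit deny, and the two boolean operators only, and the account ID, Region, log group name and instance IDs are placeholders.

```python
"""Mini IAM-style policy evaluator (added example; not AWS's policy engine).

Covers only what questions 296 and 297 exercise: Action/Resource matching
with IAM's '*' and '?' wildcards, explicit Deny beating Allow, implicit deny
when nothing matches, and Bool / BoolIfExists on aws:MultiFactorAuthPresent.
Account ID, Region, log group and instance IDs are placeholders.
"""
import fnmatch
from typing import Dict, List, Optional


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' = any run of characters, '?' = one character.
    # fnmatch also interprets '[', which never occurs in ARNs or action names.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition: Dict, context: Dict[str, str]) -> bool:
    """Every operator/key pair in a Condition block must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [str(v).lower() for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "Bool":
                # Absent key: comparison fails, so the statement does not apply.
                if actual is None or actual.lower() not in wanted:
                    return False
            elif operator == "BoolIfExists":
                # Absent key: treated as a match, so the statement still applies.
                if actual is not None and actual.lower() not in wanted:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy: Dict, action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"          # one matching Deny ends evaluation
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# --- Question 296: PutLogEvents is evaluated against the log-stream ARN ------
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogGroup"
STREAM_ARN = LOG_GROUP_ARN + ":log-stream:i-0123456789abcdef0"   # placeholder

LOGS_POLICY_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": LOG_GROUP_ARN},                 # group ARN only: no stream matches
]}
LOGS_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    LOGS_POLICY_BROKEN["Statement"][0],
    {"Effect": "Allow", "Action": "logs:PutLogEvents",
     "Resource": LOG_GROUP_ARN + ":log-stream:*"},   # option C's added statement
]}

# --- Question 297: require MFA for EC2 actions --------------------------------
EC2_ACTION = "ec2:StartInstances"
EC2_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

# Allow-side form from the question: grant only when MFA is present.
MFA_ALLOW_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}


def mfa_deny_policy(operator: str) -> Dict:
    """Deny-side form: broad Allow plus a Deny when MFA is absent."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


# Request contexts: MFA session, password-only session, and long-term access
# keys, for which AWS does not populate aws:MultiFactorAuthPresent at all.
CONTEXTS = {"mfa": {"aws:MultiFactorAuthPresent": "true"},
            "no_mfa": {"aws:MultiFactorAuthPresent": "false"},
            "access_keys": {}}


def demo() -> Dict[str, str]:
    out = {"broken_stream": evaluate(LOGS_POLICY_BROKEN, "logs:PutLogEvents", STREAM_ARN),
           "fixed_stream": evaluate(LOGS_POLICY_FIXED, "logs:PutLogEvents", STREAM_ARN)}
    for name, ctx in CONTEXTS.items():
        out[f"allow_{name}"] = evaluate(MFA_ALLOW_POLICY, EC2_ACTION, EC2_ARN, ctx)
        for op in ("Bool", "BoolIfExists"):
            out[f"{op}_{name}"] = evaluate(mfa_deny_policy(op), EC2_ACTION, EC2_ARN, ctx)
    return out
```

The `Bool_access_keys` result is the trap: a Deny written with plain `Bool` lets requests signed with long-term access keys through because the key is simply absent from the request context, while `BoolIfExists` denies them. The allow-side form in the question is safe either way, because an absent key fails its `Bool true` test and leaves the request implicitly denied.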

298
MCQeasy

A company's security policy requires that the AWS account root user must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to continuously verify compliance and automatically notify the security team if the root user is not configured with MFA. Which AWS service can be used to create a compliance rule for this requirement?

A.AWS Trusted Advisor
B.AWS Config with the managed rule 'root-account-mfa-enabled'
C.AWS Identity and Access Management (IAM) Access Analyzer
D.Amazon Inspector
AnswerB

AWS Config continuously evaluates resources against rules. The 'root-account-mfa-enabled' managed rule checks if MFA is enabled on the root user and can trigger custom actions (e.g., SNS notification) when non-compliant.

Why this answer

AWS Config provides the managed rule 'root-account-mfa-enabled', a periodic rule that re-evaluates on a schedule (24 hours by default) whether the root user has an MFA device configured. When the evaluation reports NON_COMPLIANT, an EventBridge rule on the Config compliance-change event can publish to an Amazon SNS topic to alert the security team, meeting the requirement for automated compliance verification and alerting.

Exam trap

The trap here is that candidates confuse AWS Trusted Advisor's security checks (which include a root MFA check but lack continuous evaluation and automated notification) with AWS Config's managed rules that provide ongoing compliance monitoring and event-driven alerts.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer continuous compliance rules with automated notifications for root user MFA status. Option C is wrong because IAM Access Analyzer analyzes resource policies for external access, not root user MFA configuration compliance. Option D is wrong because Amazon Inspector assesses vulnerabilities in EC2 instances and container workloads, not IAM user configurations.

299
MCQhard

A company runs a critical application on EC2 instances in an Auto Scaling group. The application stores state information locally on the instance. The SysOps administrator needs to ensure that if an instance fails, the state is not lost. What should the administrator do?

A.Move the state data to an external data store such as ElastiCache or RDS.
B.Attach an EBS volume and set the 'DeleteOnTermination' flag to false.
C.Use instance store volumes for the state data.
D.Use Amazon SQS to store the state data.
AnswerA

Makes the application stateless and resilient.

Why this answer

Option A is correct because offloading state to ElastiCache or RDS makes the instances stateless, so a failed instance can be replaced by Auto Scaling without losing anything. Option C is wrong because instance store is ephemeral and its data is lost when the instance stops, terminates or fails. Option B is wrong because although an EBS volume with DeleteOnTermination set to false survives termination, nothing reattaches it to the replacement instance automatically, and the Auto Scaling group launches a fresh instance from the launch template rather than from the old volume, so the preserved state would be stale or unused.

Option D is wrong because SQS is a message queue with bounded message retention, not a general-purpose state store.

300
MCQeasy

A company is using AWS CloudFormation to deploy a web application. The stack creation fails with the error 'CREATE_FAILED - Resource handler returned message: 'Invalid instance type specified'. The template uses a parameter for InstanceType. What is the most likely cause of this failure?

A.The VPC specified in the template does not have internet access.
B.The Auto Scaling group's desired capacity exceeds the instance limit.
C.The InstanceType parameter is set to a value that is not allowed in the parameter's AllowedValues list.
D.The template uses a DependsOn clause that creates a circular dependency.
AnswerC

CloudFormation validates parameter values against AllowedValues, and EC2 rejects instance types it does not offer in the target Region or Availability Zone.

Why this answer

The message comes from the EC2 resource handler at creation time, so the InstanceType value reached EC2 and was rejected; the correct first step is to check the value supplied for the InstanceType parameter against the template's AllowedValues list and against the instance types offered in the target Region and Availability Zone. Option B is wrong because an Auto Scaling capacity limit produces a different error and does not mention the instance type.

Option A is wrong because the error is about the instance type, not VPC connectivity. Option D is wrong because a circular dependency is caught during template validation and reported as a dependency error, not as an invalid instance type.
