AWS Certified SysOps Administrator Associate (SOA-C02) — Questions 376–450

1546 questions total · 21 pages · All types, answers revealed

Page 6 of 21
376
MCQ · easy

A company uses AWS CloudFormation to deploy a web application. The template currently hard-codes the EC2 instance type (e.g., t3.medium). The SysOps administrator wants to make the instance type configurable so that different environments (dev, test, prod) can use different instance types without modifying the template each time. Which CloudFormation feature enables this?

A.Parameters
B.Mappings
C.Conditions
D.Outputs
Answer: A

Parameters allow users to input values when creating or updating a stack, making the template reusable for different environments.

Why this answer

Option A is correct because CloudFormation Parameters allow you to pass custom values into a template at stack creation or update time. By defining a parameter for the instance type (e.g., with allowed values like t3.micro, t3.medium, t3.large), you can reuse the same template across dev, test, and prod environments without editing the template file itself.

Exam trap

The trap here is that candidates often confuse Mappings (which are static and environment-agnostic) with Parameters (which are dynamic and user-supplied), leading them to incorrectly choose Mappings as the way to make values configurable.

How to eliminate wrong answers

Option B is wrong because Mappings are static lookup tables (e.g., mapping environment names to instance types) that are hard-coded in the template and cannot be overridden at deployment time; they do not accept runtime input. Option C is wrong because Conditions control whether certain resources are created based on logical expressions (e.g., create a larger instance only in prod), but they do not make the instance type configurable as a deploy-time variable. Option D is wrong because Outputs are used to return information about deployed resources (e.g., instance ID or public IP) after stack creation; they do not accept input values.

377
MCQ · easy

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The application is deployed in us-east-1 with three Availability Zones. The SysOps administrator wants to ensure that the application remains available even if an entire Availability Zone becomes unavailable. The Auto Scaling group is configured with a minimum of 3, maximum of 9, and desired capacity of 3. The instances are distributed evenly across the three AZs. What additional configuration is required to ensure the application can survive an AZ failure?

A.Increase the desired capacity to 6 to ensure enough capacity if one AZ fails.
B.Ensure the load balancer is cross-zone load balancing enabled and the Auto Scaling group has a sufficient maximum size to handle the load of a failed AZ.
C.Configure the Auto Scaling group to launch instances in only two AZs to reduce costs.
D.Place the Auto Scaling group in a single AZ to simplify management.
Answer: B

Cross-zone balancing distributes traffic across healthy instances in all AZs.

Why this answer

Option B is correct. The Auto Scaling group already spans multiple AZs, but to survive an AZ failure the group needs a sufficient capacity buffer and the load balancer must have cross-zone load balancing enabled. In short, the Auto Scaling group must keep a balanced distribution across AZs and the load balancer must distribute traffic across all of them.

Option A is wrong because increasing the desired capacity does not by itself protect against AZ failure if the instances end up in one AZ. Option C is wrong because the group already spans multiple AZs, and reducing it to two lowers resilience. Option D is wrong because a single AZ discards the even multi-AZ distribution that is already in place.

378
MCQ · medium

A SysOps administrator is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance and an Amazon RDS DB instance. The administrator needs to ensure that updates to the stack do not accidentally replace the RDS instance if the RDS configuration is changed in a way that would require replacement. Which CloudFormation attribute should be added to the RDS resource?

A.UpdateReplacePolicy with Retain
B.DeletionPolicy with Retain
C.StackPolicy
D.CreationPolicy
Answer: A

UpdateReplacePolicy with Retain ensures that the existing RDS instance is preserved when the update would otherwise replace it.

Why this answer

Option A is correct because the `UpdateReplacePolicy` attribute with `Retain` tells CloudFormation to preserve the existing RDS DB instance if a stack update would otherwise require its replacement. This prevents accidental deletion and recreation of the RDS instance when its configuration changes in a way that forces a new physical resource, such as modifying the DB engine version or storage type. The `UpdateReplacePolicy` is specifically designed for update scenarios, unlike `DeletionPolicy` which only applies during stack deletion.

Exam trap

The trap here is that candidates confuse `DeletionPolicy` (which only applies to stack deletion) with `UpdateReplacePolicy` (which applies during stack updates), leading them to choose Option B instead of A.

How to eliminate wrong answers

Option B is wrong because `DeletionPolicy` with `Retain` only protects the RDS instance from being deleted when the entire stack is deleted, not during an update that would replace the resource. Option C is wrong because `StackPolicy` controls permissions for stack-level updates (e.g., who can modify resources), not the lifecycle behavior of individual resources during replacement. Option D is wrong because `CreationPolicy` is used to wait for signals or resource creation completion (e.g., with `cfn-signal`), and has no effect on update or replacement behavior.

379
Multi-Select · easy

A SysOps administrator wants to be alerted when the root user of the AWS account signs in. Which TWO services can be used together to achieve this?

Select 2 answers
A.AWS Lambda
B.AWS CloudTrail
C.AWS Config
D.Amazon CloudWatch Events (Amazon EventBridge)
E.AWS Trusted Advisor
Answers: B, D

CloudTrail logs ConsoleLogin events for the root user.

Why this answer

Option B is correct because AWS CloudTrail logs all API calls, including root user sign-ins, as `ConsoleLogin` management events. Option D is correct because Amazon CloudWatch Events (now part of Amazon EventBridge) can be configured with a rule that matches these CloudTrail events and triggers a notification action, such as sending an SNS alert, when the root user signs in.

Exam trap

The trap here is that candidates often pick AWS Config or Trusted Advisor because they associate them with security monitoring, but neither service captures API call events like root sign-ins, which require CloudTrail and EventBridge for event-driven alerting.

380
Multi-Select · medium

A SysOps administrator needs to set up monitoring for an application that runs on an EC2 instance. The application generates custom metrics that should be available for analysis in CloudWatch. Which steps are required to achieve this? (Select TWO.)

Select 2 answers
A.Attach an IAM role to the EC2 instance with permissions to call PutMetricData.
B.Create an SNS topic and subscribe the application to send metrics.
C.Install the CloudWatch Logs agent to send custom metrics.
D.Use the CloudWatch agent or AWS CLI to publish custom metrics using the put-metric-data command.
E.Enable detailed monitoring on the EC2 instance to collect custom metrics.
Answers: A, D

The instance needs IAM permissions to publish custom metrics.

Why this answer

Option A is correct because the EC2 instance must have an IAM role attached with permissions to call PutMetricData, which authorizes the instance to publish custom metrics to CloudWatch. Without this IAM role, any attempt to send metrics from the instance will fail due to missing credentials.

Exam trap

The trap here is confusing the CloudWatch Logs agent with the CloudWatch agent, as the Logs agent cannot send custom metrics, and assuming detailed monitoring automatically captures application-level metrics rather than just increasing the frequency of default EC2 metrics.

381
MCQ · medium

A SysOps administrator is troubleshooting an issue where an Application Load Balancer (ALB) is returning HTTP 503 errors to clients. The target group is healthy, and the instances are passing health checks. What is the most likely cause of the 503 errors?

A.The target instances have reached the maximum number of concurrent connections allowed by the application or operating system.
B.The target instances do not have enough capacity to handle the request volume.
C.The health check settings are configured incorrectly, causing healthy instances to be marked as unhealthy.
D.The security group for the targets does not allow traffic from the ALB.
Answer: A

When the application's connection backlog is full, the ALB receives a 'connection refused' or timeout, resulting in a 503.

Why this answer

Option A is correct because HTTP 503 errors from an ALB typically indicate that the load balancer cannot establish a connection to the target because the target's connection queue is full. Option B is wrong because insufficient capacity usually causes 502 or timeout errors, not 503. Option C is wrong because misconfigured health checks would show unhealthy targets, and the targets here are healthy.

Option D is wrong because a missing security group rule would cause 502 or timeout.

382
MCQ · medium

A SysOps administrator needs to grant an IAM user the ability to rotate their own access keys. What is the minimum set of permissions required?

A.iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey, iam:PutUserPolicy
B.iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey, kms:*
C.iam:GetUser, iam:CreateAccessKey, iam:DeleteAccessKey, iam:UpdateAccessKey
D.iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey, iam:UpdateAccessKey
Answer: D

These actions allow a user to manage their own access keys.

Why this answer

The minimum permissions are iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey, and iam:UpdateAccessKey, so Option D is correct. Option A is wrong because it includes iam:PutUserPolicy, which is unnecessary.

Option B is wrong because kms:* grants global key management. Option C is wrong because it includes iam:GetUser, which is not needed.

383
Matching · medium

Match each AWS storage service to its description.


Object storage for any data

Block storage for EC2 instances

File storage for Linux instances

Managed file system for Windows or Lustre

Low-cost archival storage

Why these pairings

These are the primary AWS storage services.

384
MCQ · easy

A company runs a web application on EC2 instances behind an Application Load Balancer. The application experiences unpredictable traffic spikes. Which AWS service should be used to automatically adjust the number of EC2 instances based on demand, optimizing cost and performance?

A.AWS Auto Scaling
B.Amazon CloudWatch
C.Elastic Load Balancing
D.AWS Lambda
Answer: A

Automatically adjusts number of EC2 instances based on demand.

Why this answer

AWS Auto Scaling is the correct service because it automatically adjusts the number of EC2 instances in response to demand, using scaling policies based on metrics like CPU utilization or request count. This ensures that the application can handle traffic spikes without manual intervention, optimizing both cost (by scaling down during low demand) and performance (by scaling up during spikes). The service integrates directly with the Application Load Balancer to register and deregister instances as needed.

Exam trap

The trap here is that candidates often confuse the monitoring service (CloudWatch) with the scaling service, or assume Elastic Load Balancing can handle scaling by itself, but neither directly adjusts instance count—only AWS Auto Scaling performs the actual scaling actions.

How to eliminate wrong answers

Option B (Amazon CloudWatch) is wrong because it is a monitoring and observability service that collects metrics and logs, but it does not directly adjust EC2 instance counts; it can trigger Auto Scaling actions via alarms, but the scaling itself is performed by AWS Auto Scaling. Option C (Elastic Load Balancing) is wrong because it distributes incoming traffic across existing EC2 instances but does not add or remove instances; it relies on Auto Scaling to manage capacity. Option D (AWS Lambda) is wrong because it is a serverless compute service for running code in response to events, not for managing EC2 instance scaling; it cannot directly adjust the number of EC2 instances behind a load balancer.

385
MCQ · hard

A containerized API runs on Amazon ECS with an Application Load Balancer. The team wants to deploy new container versions with zero downtime, automatically route traffic to the new version only after health checks pass, and automatically roll back if error rates spike within 10 minutes of the shift. Which deployment strategy and configuration implements all three requirements?

A.Use CodeDeploy with the ECS blue/green deployment type, configure a Canary or Linear traffic shifting strategy, and attach a CloudWatch alarm for error rate as a deployment alarm
B.Update the ECS service with a rolling update deployment configuration and set the minimum healthy percent to 100
C.Create a second ECS service with the new task definition and use Route 53 weighted routing to shift traffic at the DNS level
D.Enable ECS circuit breaker on the service to roll back failed deployments automatically
Answer: A

The ECS blue/green deployment starts the green task set, registers it with a second target group, and uses ALB weighted routing to shift traffic progressively. The deployment alarm monitors a 5xx error rate metric. If the alarm enters ALARM state at any point during traffic shifting or the bake period, CodeDeploy automatically shifts traffic back to the original blue target group. The team defines the 10-minute bake window via the deployment configuration's terminationWaitTimeInMinutes.

Why this answer

Option A is correct because CodeDeploy's ECS blue/green deployment type supports canary or linear traffic shifting, which automatically routes traffic to the new version only after health checks pass. By attaching a CloudWatch alarm for error rate as a deployment alarm, CodeDeploy can automatically trigger a rollback if error rates spike within the specified monitoring period (e.g., 10 minutes), meeting all three requirements: zero downtime, health-check-gated traffic shifting, and automatic rollback on error rate spikes.

Exam trap

The trap here is that candidates often confuse the ECS circuit breaker (which only handles task-level failures during deployment) with the need for post-deployment error rate monitoring and traffic shifting, leading them to select Option D without realizing it lacks the canary/linear traffic shifting and CloudWatch alarm integration required for automatic rollback based on error spikes.

How to eliminate wrong answers

Option B is wrong because a rolling update with minimum healthy percent set to 100 does not provide automatic rollback based on error rate spikes; it only ensures availability during the update but lacks the traffic-shifting and alarm-based rollback capabilities. Option C is wrong because using Route 53 weighted routing at the DNS level does not provide health-check-gated traffic shifting at the application layer, and DNS caching can cause delayed or uneven traffic distribution, failing to ensure zero downtime and immediate rollback on error spikes. Option D is wrong because the ECS circuit breaker only rolls back a service if tasks fail to start or become unhealthy during deployment, but it does not monitor post-deployment error rates or support canary/linear traffic shifting.

386
Multi-Select · medium

Which TWO actions should a SysOps administrator take to secure an AWS account root user? (Choose two.)

Select 2 answers
A.Delete the root user after creating an admin IAM user.
B.Apply a service control policy (SCP) to restrict the root user.
C.Enable multi-factor authentication (MFA) for the root user.
D.Enable CloudTrail to monitor root user activity.
E.Do not create access keys for the root user.
Answers: C, E

Adds an extra layer of security.

Why this answer

Option C is correct because MFA on the root user is a best practice. Option E is correct because access keys should not be created for the root user; use IAM users instead. Option D is wrong because CloudTrail is not specific to the root user.

Option A is wrong because the root user cannot be deleted. Option B is wrong because SCPs do not apply to the root user of the management account.

387
MCQ · easy

A company uses Amazon CloudWatch Logs to store application logs. The SysOps administrator needs to count the occurrences of the string 'ERROR' in the logs and trigger an Amazon SNS notification when more than 10 errors occur within a 5-minute window. Which steps should the administrator take?

A.Create a metric filter on the log group and then create a CloudWatch alarm on the resulting metric
B.Create a CloudWatch alarm directly on the log group
C.Create an AWS Lambda function to parse the logs and send a notification to Amazon SNS
D.Create an Amazon EventBridge rule to filter log events and send to SNS
Answer: A

Creating a metric filter on the log group produces a metric that can be used in a CloudWatch alarm. This is the standard, low-operational-overhead approach.

Why this answer

A metric filter on a CloudWatch Logs log group extracts a numeric metric (e.g., count of 'ERROR' occurrences) and publishes it to a CloudWatch custom metric. A CloudWatch alarm can then be configured on that metric to evaluate a threshold (e.g., >10) over a specified period (e.g., 5 minutes) and trigger an SNS notification when breached. This is the native, serverless, and cost-effective approach for counting log patterns and alerting.

Exam trap

The trap here is that candidates may think they can directly alarm on a log group (Option B) or assume a Lambda function is required for custom log parsing (Option C), but the exam expects knowledge of CloudWatch Logs metric filters as the native solution for counting patterns and triggering alarms.

How to eliminate wrong answers

Option B is wrong because CloudWatch alarms cannot be created directly on a log group; alarms require a numeric metric as input, not raw log data. Option C is wrong because while a Lambda function could parse logs and send to SNS, it introduces unnecessary complexity, cost, and potential latency compared to the built-in metric filter and alarm mechanism. Option D is wrong because Amazon EventBridge rules can filter log events from CloudWatch Logs but cannot perform aggregation (e.g., count occurrences over a time window) to trigger an alarm based on a threshold; EventBridge is designed for event-driven patterns, not metric-based alerting.

388
MCQ · hard

A SysOps administrator needs to restrict access to an Amazon S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy statement should be added to the bucket policy?

A.Condition: { StringEquals: { 'aws:SourceVpc': 'vpc-12345' } }
B.Condition: { StringEquals: { 'ec2:Vpc': 'vpc-12345' } }
C.Condition: { IpAddress: { 'aws:VpcSourceIp': '10.0.0.0/16' } }
D.Condition: { StringEquals: { 'aws:SourceVpce': 'vpce-12345' } }
Answer: D

'aws:SourceVpce' restricts to a specific VPC endpoint.

Why this answer

Option D is correct because the condition 'aws:SourceVpce' with the VPC endpoint ID restricts access to requests originating from that endpoint. Option A is wrong because 'aws:SourceVpc' restricts to a VPC, not a specific endpoint. Option C is wrong because 'aws:VpcSourceIp' is not a valid condition key.

Option B is wrong because 'ec2:Vpc' is not a valid condition key for S3.

389
MCQ · hard

A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that only specific IAM roles can decrypt the volumes. Which configuration meets this requirement?

A.Use a service control policy to deny kms:Decrypt for all users.
B.Apply a bucket policy on the EBS snapshot bucket.
C.Modify the KMS key policy to allow only specific IAM roles to use kms:Decrypt.
D.Attach an instance profile with a policy that denies ec2:DetachVolume.
Answer: C

KMS key policies can restrict decryption to specific IAM roles.

Why this answer

Option C is correct because a KMS key policy can define which IAM roles may use the key for decryption. Option D is wrong because instance profiles do not control decrypt permissions. Option B is wrong because bucket policies are for S3, not EBS.

Option A is wrong because SCPs can restrict but are not granular enough for specific roles.

390
MCQ · medium

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application needs to serve HTTPS content. The SysOps administrator wants to offload SSL termination to the ALB and automatically renew the certificate before expiration. Which solution should the administrator implement?

A.Use AWS Certificate Manager (ACM) to request a public certificate and associate it with the ALB.
B.Upload a third-party certificate to IAM and associate it with the ALB.
C.Store the certificate in Amazon S3 and configure the ALB to read from S3.
D.Use a self-signed certificate on each EC2 instance and configure the ALB for TCP passthrough.
Answer: A

Correct. ACM public certificates are automatically renewed, and SSL termination is offloaded to the ALB.

Why this answer

AWS Certificate Manager (ACM) integrates natively with Application Load Balancers to handle SSL/TLS termination. ACM can automatically renew public certificates issued by Amazon's trusted certificate authority, eliminating the need for manual renewal. By associating the ACM certificate with the ALB's HTTPS listener, the administrator offloads SSL termination and ensures automatic certificate renewal before expiration.

Exam trap

The trap here is that candidates may confuse ACM's automatic renewal with manual certificate upload methods (IAM or S3) or incorrectly think self-signed certificates can be used with ACM, when in fact ACM only manages certificates from its own public CA or imported certificates that must be manually renewed.

How to eliminate wrong answers

Option B is wrong because uploading a third-party certificate to IAM is a legacy approach that does not support automatic renewal; IAM certificates must be manually re-uploaded before expiration. Option C is wrong because Amazon S3 cannot be used as a certificate store for ALB; ALB does not support reading certificates from S3. Option D is wrong because using a self-signed certificate on each EC2 instance with TCP passthrough would require the instances to handle SSL termination, defeating the requirement to offload SSL to the ALB, and self-signed certificates are not trusted by browsers and cannot be automatically renewed by ACM.

391
MCQ · medium

An application running on EC2 instances in an Auto Scaling group uses an SQS queue for decoupling. The application experiences increased latency when the queue has a high number of messages. The SysOps Administrator needs to maintain responsiveness. Which solution is the most cost-effective?

A.Increase the desired capacity of the Auto Scaling group.
B.Configure a CloudWatch alarm on the queue depth to trigger Auto Scaling policies.
C.Use a larger instance type for the EC2 instances.
D.Increase the visibility timeout of the SQS queue.
Answer: B

Cost-effectively scales consumers based on demand.

Why this answer

Option B is correct because using CloudWatch alarms on the queue depth to trigger Auto Scaling policies automatically scales out when needed and scales in when not, balancing cost and responsiveness. Option A is wrong because it may be cost-inefficient. Option C is wrong because a larger instance type does not change the number of consumers.

Option D is wrong because a longer visibility timeout, like a larger batch size, may help but does not scale capacity.

392
Matching · medium

Match each AWS support plan to its key feature.


Account and billing support only

Business hours email access

24/7 phone, chat, and email; <1 hour response

Concierge support team; <30 min response

Technical Account Manager; <15 min response

Why these pairings

These are the AWS support plan tiers.

393
MCQ · easy

A SysOps administrator needs to create a custom metric to track the number of active connections to an EC2 instance. Which steps should be taken? (Select TWO.)

A.Enable detailed monitoring on the EC2 instance.
B.Use the AWS CLI to call put-metric-data and publish the custom metric.
C.Store the metric data in an S3 bucket and configure CloudWatch to read from it.
D.Use the EC2 console to enable custom metric collection.
E.Install and configure the Amazon CloudWatch agent on the EC2 instance.
Answers: B, E

You can publish custom metrics using the CLI.

Why this answer

Option B is correct because the AWS CLI `put-metric-data` command allows you to publish custom metrics directly to CloudWatch, which is the standard method for sending application-level or OS-level metrics that are not automatically provided by AWS. Option E is correct because the Amazon CloudWatch agent can collect custom metrics from the EC2 instance (e.g., active connection counts from netstat or a script) and publish them to CloudWatch, making it the recommended approach for in-guest metric collection.

Exam trap

The trap here is that candidates often confuse 'detailed monitoring' (which only increases frequency of existing metrics) with the ability to create new custom metrics, leading them to select Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because enabling detailed monitoring on an EC2 instance only increases the frequency of standard hypervisor-level metrics (CPU, disk, network) from 5 minutes to 1 minute; it does not enable collection of custom metrics like active connections. Option C is wrong because CloudWatch cannot directly read metric data from an S3 bucket; you would need to use a Lambda function or other service to ingest the data into CloudWatch via PutMetricData. Option D is wrong because the EC2 console does not have a feature to enable custom metric collection; custom metrics must be published programmatically via the CloudWatch API, CLI, or an agent.

394
MCQ · easy

A SysOps administrator needs to automate the deployment of a three-tier web application. The application consists of an Application Load Balancer, a fleet of EC2 instances running a web server, and an Amazon RDS MySQL database. The administrator must ensure that the database credentials are securely stored and automatically rotated. The administrator also needs to version the infrastructure configuration. Which combination of AWS services should the administrator use?

A.AWS CloudFormation for infrastructure and AWS Systems Manager Parameter Store for secrets.
B.AWS OpsWorks for infrastructure and AWS Secrets Manager for secrets.
C.AWS CodeCommit for infrastructure versioning and AWS KMS for secrets.
D.AWS CloudFormation for infrastructure and AWS Secrets Manager for secrets.
Answer: D

CloudFormation versions infrastructure; Secrets Manager rotates credentials.

Why this answer

Option D is correct because AWS CloudFormation provides infrastructure as code for versioning, and AWS Secrets Manager securely stores and rotates database credentials. Option A is wrong because AWS Systems Manager Parameter Store can store secrets but does not natively rotate RDS credentials. Option B is wrong because AWS OpsWorks is a configuration management service, not primarily an IaC service.

Option C is wrong because AWS CodeCommit is a source control service, and AWS KMS manages encryption keys, not secrets.

395
MCQ · medium

A company's security policy requires that all Amazon S3 buckets must have server-side encryption (SSE-S3 or SSE-KMS) enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and remediate it by enabling SSE-S3. Which AWS service should be used to implement this automated compliance enforcement?

A.AWS Config
B.Amazon Inspector
C.AWS Trusted Advisor
D.Amazon Macie
Answer: A

AWS Config with a managed rule can detect non-compliant buckets and trigger automatic remediation via Systems Manager or Lambda.

Why this answer

AWS Config is the correct service because it provides managed rules (e.g., s3-bucket-server-side-encryption-enabled) that can continuously evaluate S3 bucket configurations against the security policy. When a non-compliant bucket is detected, AWS Config can trigger an automatic remediation action via Systems Manager Automation to enable SSE-S3, enforcing compliance without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation and remediation capabilities with Trusted Advisor's advisory checks, leading them to choose Trusted Advisor despite its lack of automated enforcement.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and unintended network exposure, not for evaluating S3 bucket encryption settings. Option C is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer automated remediation or continuous compliance enforcement; it is a reactive advisory tool. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data in S3, not to enforce encryption policies or remediate non-compliant buckets.

396
MCQ · easy

A company hosts a static website on Amazon S3 with public read access. The website content is updated weekly. The SysOps administrator notices that the monthly S3 costs are higher than expected. The website receives about 10,000 requests per day, and each object is small (average 50 KB). The administrator wants to reduce costs without affecting the user experience. The website does not require HTTPS or custom domain at this time. Which action should the administrator take?

A.Enable default encryption for the S3 bucket.
B.Transition the objects to S3 Glacier Flexible Retrieval.
C.Place an Amazon CloudFront distribution in front of the S3 bucket.
D.Enable S3 Versioning to prevent accidental deletions.
Answer: C

CloudFront reduces S3 request costs and provides caching.

Why this answer

Option C is correct because placing a CloudFront distribution in front of the S3 bucket can reduce costs by serving requests from edge caches, which reduces the number of GET requests to S3. Additionally, CloudFront offers a free tier for data transfer. Option D is wrong because enabling versioning increases storage costs.

Option B is wrong because transitioning to S3 Glacier Flexible Retrieval would increase retrieval costs and latency, and is not suitable for a website. Option A is wrong because encryption adds overhead but does not reduce costs.

397
MCQ · easy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to connect to an on-premises network with a CIDR of 10.0.0.0/8. What is the issue?

A.The on-premises CIDR is private and cannot be used with AWS.
B.AWS does not support /8 CIDR blocks.
C.The CIDR blocks overlap, causing routing conflicts.
D.The VPC CIDR is too large.
Answer: C

Overlapping CIDRs cause ambiguous routing.

Why this answer

Overlapping CIDR blocks prevent VPC peering or VPN connections because routes conflict. Option A is not the issue. Option B is not the primary issue.

Option D is not directly a problem.

398
MCQmedium

A company uses AWS Systems Manager to manage a fleet of EC2 instances. The Security Team requires that all instances have a specific security patch installed. A SysOps administrator needs to verify compliance across all instances. What is the MOST efficient way to accomplish this?

A.Use AWS Config rules to check for the patch.
B.Use AWS Systems Manager State Manager to enforce the patch.
C.Use AWS Systems Manager Inventory to collect software inventory.
D.Use AWS Systems Manager Patch Manager to scan and generate a compliance report.
AnswerD

Patch Manager can scan instances and report patch compliance status.

Why this answer

AWS Systems Manager Patch Manager can scan instances for missing patches and report compliance. State Manager and Inventory collect data but do not specifically report patch compliance. OpsCenter is for operational issues.

Config rules can check compliance but require custom rules.

399
MCQhard

A SysOps administrator is troubleshooting a CodeDeploy deployment that uploads artifacts to an S3 bucket. The deployment fails with an 'AccessDenied' error. The IAM policy for the CodeDeploy service role includes the statement shown in the exhibit. What is the most likely cause of the failure?

A.The upload does not set the ACL to 'bucket-owner-full-control'.
B.The resource ARN does not include the bucket itself.
C.The policy does not allow encryption headers.
D.The policy does not allow the s3:PutObject action.
AnswerA

The condition requires this ACL; if not set, the request is denied.

Why this answer

The policy requires that the object's ACL be set to 'bucket-owner-full-control'. If the upload does not specify this ACL, the condition is not met and the request fails. Option A is correct.

Option D is wrong because the s3:PutObject action is allowed by the statement. Option B is wrong because the resource ARN includes the bucket. Option C is wrong because the condition is about the ACL, not encryption headers.

400
MCQeasy

A company wants to provide low-latency access to static content (images, CSS) for global users. The content is stored in an S3 bucket. Which service should be used to cache content at edge locations?

A.Amazon ElastiCache
B.Amazon CloudFront
C.S3 Transfer Acceleration
D.AWS Global Accelerator
AnswerB

CloudFront is a content delivery network (CDN) that caches at edge locations.

Why this answer

Option B is correct because Amazon CloudFront is a CDN that caches content at edge locations for low-latency delivery. Option C is incorrect because S3 Transfer Acceleration speeds up uploads, not downloads. Option D is incorrect because Global Accelerator improves TCP/UDP performance but does not cache content.

Option A is incorrect because ElastiCache is a caching layer for databases, not for static content delivery.

401
Multi-Selecthard

A SysOps administrator needs to securely transfer a large dataset from an on-premises server to an Amazon S3 bucket. The data is sensitive and must be encrypted in transit and at rest. Which THREE steps should the administrator take? (Choose three.)

Select 3 answers
A.Create an S3 endpoint policy that only allows access from the on-premises IP range
B.Enable default encryption on the S3 bucket using SSE-KMS
C.Use the AWS CLI with the --sse aws:kms option to enforce encryption during upload
D.Disable public access to the S3 bucket
E.Use an S3 bucket policy that denies requests unless they are made over HTTPS
AnswersA, B, C

This restricts access to the bucket to only the on-premises network, enhancing security.

Why this answer

To securely transfer data, you should enable S3 bucket-side encryption (SSE-KMS or SSE-S3) for encryption at rest, use an S3 endpoint policy to restrict access (e.g., only allow access from a specific VPC), and use the AWS CLI with the --sse flag to enforce server-side encryption during upload. While HTTPS is mandatory, it is used implicitly; the explicit steps are the other three. Using public endpoints would expose data, and disabling HTTPS would break encryption in transit.

402
MCQeasy

A company has deployed a web application across multiple Availability Zones using an Application Load Balancer. The application experiences increased latency during peak hours. Which action would be MOST effective in reducing latency?

A.Add more EC2 instances to the target group.
B.Update the health check to use a more frequent interval.
C.Enable cross-zone load balancing on the ALB.
D.Increase the deregistration delay for the target group.
AnswerA

Adding more instances increases capacity, reducing load per instance and thus reducing latency.

Why this answer

Option A is correct because adding more targets increases capacity, which is the most effective way to reduce latency (tuning the connection idle timeout can free up resources by closing idle connections, but it is not one of the options). Option C is wrong because cross-zone load balancing is already enabled by default on an ALB and helps distribute traffic evenly. Option D is wrong because increasing the deregistration delay does not reduce latency.

Option B is wrong because changing the health check interval does not directly reduce latency.

403
MCQeasy

A company uses Amazon CloudWatch to monitor its Amazon EC2 instances. The SysOps administrator wants to receive an email notification when any EC2 instance's CPUUtilization metric exceeds 90% for 5 consecutive minutes. Which combination of services should be used to meet this requirement with the least operational overhead?

A.Create a CloudWatch Logs metric filter and a Lambda function that sends email via SES
B.Create a CloudWatch metric alarm that sends a notification to an Amazon SNS topic subscribed with email endpoints
C.Create a CloudWatch Events rule that matches EC2 instance state changes and sends to SQS with a Lambda consumer
D.Configure a CloudWatch dashboard that displays CPU utilization and share it with the team
AnswerB

This directly meets the requirement. The alarm monitors the metric and triggers SNS to send emails.

Why this answer

Option B is correct because it directly uses a CloudWatch metric alarm configured to trigger when CPUUtilization exceeds 90% for 5 consecutive minutes, which then publishes to an Amazon SNS topic with email endpoints. This combination requires no custom code, no Lambda functions, and no additional services, minimizing operational overhead while meeting the requirement precisely.

Exam trap

The trap here is that candidates may overcomplicate the solution by introducing Lambda, SQS, or SES, when a native CloudWatch alarm with SNS is the simplest and most operationally efficient approach for metric-based threshold notifications.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs metric filters are designed to parse log data, not to evaluate EC2 metrics like CPUUtilization, and adding a Lambda function with SES introduces unnecessary complexity and overhead. Option C is wrong because CloudWatch Events rules that match EC2 instance state changes (e.g., running, stopped) cannot evaluate CPUUtilization thresholds, and using SQS with a Lambda consumer adds complexity without benefit. Option D is wrong because a CloudWatch dashboard only visualizes metrics and does not trigger any notifications or actions when thresholds are breached.

404
MCQmedium

A company uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The administrator notices that the ALB returns 503 errors during peak traffic. The instances are healthy according to the ALB health checks. What is the MOST likely cause and what metric should the administrator check?

A.The SSL certificate has expired; check the TLS handshake errors.
B.The ALB is overloaded; check the ALB's CPUUtilization metric.
C.The targets are failing health checks; check the HealthyHostCount metric.
D.The ALB's surge queue is full; check the SurgeQueueLength metric.
AnswerD

The SurgeQueueLength metric indicates the number of pending requests waiting to be routed. A high value can cause 503 errors.

Why this answer

The ALB returns 503 errors despite healthy targets, which indicates that the ALB itself is overwhelmed and cannot process incoming requests. The ALB uses a surge queue to buffer requests when traffic exceeds its capacity; when the queue is full, new requests are rejected with a 503. The SurgeQueueLength metric directly measures this queue depth, making it the correct metric to check.

Exam trap

The trap here is that candidates confuse ALB overload (surge queue full) with target health issues, but the question explicitly states healthy targets, so the root cause is the ALB's own capacity limit, not the targets.

How to eliminate wrong answers

Option A is wrong because an expired SSL certificate would cause TLS handshake failures (e.g., 502 or 525 errors), not 503 errors, and the ALB would still forward requests to healthy targets. Option B is wrong because ALBs are managed services that do not expose a CPUUtilization metric; they scale automatically and 503s from overload are indicated by SurgeQueueLength, not CPU. Option C is wrong because the question explicitly states that instances are healthy according to health checks, so HealthyHostCount would be normal and not explain 503 errors.

405
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group across two Availability Zones. The application uses an Application Load Balancer. The SysOps administrator receives an alert that the application is returning 503 errors. The administrator checks the CloudWatch metrics and sees that the ALB's RequestCount is normal, but the HealthyHostCount is zero. The EC2 instances are in running state and pass the EC2 status checks. What is the MOST likely cause and what should the administrator do to resolve the issue?

A.The ALB health check configuration is incorrect; verify the health check path and port.
B.The instances are out of memory; increase the instance size.
C.The Auto Scaling group's scaling policy is not launching new instances; update the policy.
D.The security group on the instances is blocking traffic from the ALB; update the security group.
AnswerA

Health checks fail, causing HealthyHostCount to be zero.

Why this answer

Option A is correct. The ALB health checks are failing, and the most likely cause is that the health check path is wrong or the application is not responding on the configured port.

The administrator should verify the health check settings. Option B is wrong because the instances are running and passing EC2 status checks. Option D is wrong because security group rules would affect connectivity, but the instances are running.

Option C is wrong because scaling policies do not affect health checks.

406
MCQeasy

A SysOps administrator needs to ensure that an Amazon EC2 instance can access an Amazon S3 bucket without storing long-term credentials on the instance. Which approach should be used?

A.Configure a security group rule that allows outbound traffic to S3.
B.Assign a bucket policy that grants access to the EC2 instance's public IP address.
C.Create an IAM role with S3 permissions and attach it to the EC2 instance profile.
D.Create an IAM user with programmatic access and store the credentials in a file on the instance.
AnswerC

IAM role provides temporary credentials via instance metadata.

Why this answer

Option C is correct because an IAM role attached to an EC2 instance profile allows the instance to obtain temporary credentials from the instance metadata service. Option D is wrong because storing IAM user credentials on the instance is insecure and not a best practice. Option B is wrong because a bucket policy alone does not grant access to a specific EC2 instance unless the instance has AWS credentials.

Option A is wrong because security groups control network traffic, not API-level access to S3.

407
MCQmedium

A SysOps administrator notices that traffic to an Amazon EC2 instance is being blocked even though the security group allows all inbound traffic. The subnet's network ACL allows all inbound and outbound traffic. What could be the issue?

A.The instance's operating system firewall is blocking the traffic.
B.The network ACL is not associated with the subnet correctly.
C.VPC Flow Logs are misconfigured.
D.The route table does not have a default route to an internet gateway.
AnswerA

OS-level firewalls (e.g., iptables, Windows Firewall) can block traffic even if AWS firewalls allow it.

Why this answer

Option A is correct because the operating system's firewall can block traffic at the instance level. Option B is wrong because the network ACL is stated to allow all traffic. Option D is wrong because route tables do not block traffic.

Option C is wrong because VPC Flow Logs only log traffic; they do not block it.

408
MCQmedium

A company runs a critical web application on Amazon EC2 instances in an Auto Scaling group across three Availability Zones in us-east-1. The application stores data in an Amazon RDS for MySQL DB instance with Multi-AZ deployment. The SysOps administrator needs to design a disaster recovery strategy that can recover from a complete regional outage. The Recovery Time Objective (RTO) is 2 hours and the Recovery Point Objective (RPO) is 1 hour. Which solution should the administrator implement?

A.Create a read replica of the RDS instance in a second region. Configure an Amazon CloudFront distribution with the ALB as origin. Use Route53 failover routing policy to route traffic to the CloudFront distribution.
B.Take daily manual snapshots of the RDS instance and copy them to a second region. Store the AWS CloudFormation template for the infrastructure in an S3 bucket with cross-region replication. In the event of a disaster, manually deploy the stack and restore the snapshot.
C.Configure cross-region automated backups for the RDS instance with a backup window. Deploy an identical infrastructure stack in a second region using AWS CloudFormation StackSets. Create an Amazon Route53 DNS failover record set with health checks to automatically fail over to the second region.
D.Use AWS Database Migration Service (DMS) to continuously replicate data to a second region. Use an Application Load Balancer in the primary region and a Network Load Balancer in the secondary region. Create a Route53 weighted routing policy to distribute traffic.
AnswerC

Cross-region automated backups (with a 1-hour backup window) can meet RPO. StackSets ensure consistent infrastructure deployment. Route53 failover automatically redirects traffic, meeting RTO.

Why this answer

Option C is correct because it meets both the RTO of 2 hours and RPO of 1 hour. Cross-region automated backups for RDS provide an RPO of 1 hour or less by continuously backing up transaction logs to a secondary region. Deploying an identical infrastructure stack via CloudFormation StackSets ensures rapid provisioning in the secondary region, and Route53 DNS failover with health checks automates traffic redirection within the RTO window.

Exam trap

The trap here is that candidates often confuse a read replica with a Multi-AZ standby, not realizing that a cross-region read replica cannot be promoted to a primary instance for disaster recovery, and that manual snapshots cannot meet a 1-hour RPO.

How to eliminate wrong answers

Option A is wrong because a read replica in a second region does not support failover to become a standalone writer; it is read-only and cannot be promoted in a disaster scenario, and CloudFront with an ALB origin does not provide regional failover. Option B is wrong because daily manual snapshots cannot achieve an RPO of 1 hour (snapshots are taken at most once per day), and manual deployment of CloudFormation stacks in a disaster exceeds the 2-hour RTO. Option D is wrong because AWS DMS continuous replication can meet RPO but the use of a Network Load Balancer in the secondary region (which does not support path-based routing or health checks for HTTP applications) and weighted routing policy (which is not designed for automatic failover) fails to meet the RTO requirement.

409
MCQhard

Refer to the exhibit. A SysOps administrator runs the command and sees the output. The administrator then creates a CloudWatch alarm on the CPUUtilization metric for this instance, but the alarm state remains 'INSUFFICIENT_DATA'. What is a likely cause?

A.Detailed monitoring is not enabled.
B.The EC2 instance is stopped or terminated.
C.The instance is in a different AWS region.
D.The metric name is misspelled.
AnswerB

No data is emitted when the instance is stopped.

Why this answer

The command output shows the instance state is 'stopped'. CloudWatch cannot retrieve metrics from a stopped or terminated EC2 instance because the hypervisor is no longer running the instance's operating system or collecting CPU utilization data. When no metric data points are received for the configured alarm period, the alarm transitions to 'INSUFFICIENT_DATA' state.

Exam trap

The trap here is that candidates assume INSUFFICIENT_DATA always means a configuration issue (like missing detailed monitoring or wrong region), when in fact it often indicates the resource itself is not running and therefore not emitting any metrics.

How to eliminate wrong answers

Option A is wrong because detailed monitoring (1-minute granularity) is not required for basic CPUUtilization metrics; standard 5-minute monitoring still provides data points. Option C is wrong because a CloudWatch alarm evaluates the metric in the region where the alarm is created; the command output shows the instance is in us-east-1, and the alarm would be created in that same region, so a region mismatch is not the cause. Option D is wrong because the metric name 'CPUUtilization' is a standard AWS/EC2 namespace metric and is correctly spelled; a misspelling would cause a validation error at alarm creation time, not an INSUFFICIENT_DATA state.

410
MCQeasy

A company wants to ensure that it receives notifications whenever any AWS Identity and Access Management (IAM) user in the account creates a new access key. Which AWS service should be used to achieve this?

A.AWS Config
B.AWS CloudTrail
C.AWS Trusted Advisor
D.Amazon CloudWatch Events
AnswerD

EventBridge can match CloudTrail events and trigger SNS notifications.

Why this answer

Amazon CloudWatch Events (now part of Amazon EventBridge) can capture API calls from AWS CloudTrail and trigger a notification (e.g., via SNS) when an IAM user creates a new access key. By setting up a rule that matches the `CreateAccessKey` API call, the company can receive real-time alerts for this specific action.

Exam trap

The trap here is that candidates often choose AWS CloudTrail because it logs API calls, but they overlook that CloudTrail alone cannot send notifications—it requires an event-driven service like CloudWatch Events/EventBridge to trigger alerts.

How to eliminate wrong answers

Option A is wrong because AWS Config is used for evaluating resource configurations against desired policies (e.g., compliance rules), not for real-time event-driven notifications on API actions. Option B is wrong because AWS CloudTrail only logs API calls for auditing and does not natively send notifications; it requires an external service like CloudWatch Events to trigger alerts. Option C is wrong because AWS Trusted Advisor provides best-practice checks and recommendations (e.g., security, cost optimization), but it does not monitor or notify on specific IAM user actions like creating access keys.

411
Multi-Selecthard

A company uses AWS CloudFormation to deploy a three-tier web application. The template includes an EC2 instance, an RDS database, and an Application Load Balancer. The SysOps administrator wants to ensure that the database is not replaced during an update if the administrator accidentally changes a property that requires replacement. Which THREE actions should the administrator take?

Select 3 answers
A.Use a custom resource backed by a Lambda function to manage the database.
B.Set a DeletionPolicy attribute of 'Retain' on the RDS resource.
C.Place the RDS instance in a separate nested stack.
D.Enable termination protection on the CloudFormation stack.
E.Apply a stack policy that denies update to the RDS instance.
AnswersA, B, E

Custom resources give you control over update behavior.

Why this answer

The correct answers are A, B, and E. E is correct because a stack policy can prevent updates to critical resources. B is correct because DeletionPolicy: Retain preserves the database if the resource is deleted.

A is correct because using a custom resource to manage the database allows more control over update behavior. D is incorrect because enabling termination protection on the stack prevents stack deletion, not resource replacement. C is incorrect because the database should not be placed in a nested stack just for protection, although it may be in one for other reasons.

412
MCQmedium

A company's critical application uses an EBS-backed EC2 instance. They want to back up the instance daily with a retention policy of 30 days. What is the MOST efficient way to achieve this?

A.Use Amazon Data Lifecycle Manager (DLM) to schedule EBS snapshots with a 30-day retention.
B.Use AWS Backup to schedule EBS snapshots and set the retention policy.
C.Schedule a Lambda function to create an EBS snapshot daily and delete snapshots older than 30 days.
D.Create an AMI daily using AWS Backup and set the retention to 30 days.
AnswerA

DLM automates the creation and deletion of EBS snapshots based on a schedule, meeting the requirement efficiently.

Why this answer

Option A is correct because Amazon Data Lifecycle Manager can automate EBS snapshots with retention rules. Option D is wrong because AMI backups include additional metadata and are heavier; also, DLM supports snapshots only. Option B is wrong because AWS Backup can handle this, but DLM is more lightweight for EBS-only backups.

Option C is wrong because creating snapshots via a scheduled Lambda function is less reliable and more complex.

413
MCQeasy

A SysOps administrator needs to share an encrypted AMI with a different AWS account. The AMI uses an AWS KMS key (customer managed key) for EBS encryption. What must be done to allow the target account to launch EC2 instances from the AMI?

A.Share the underlying EBS snapshot with the target account.
B.Re-encrypt the AMI using a new KMS key that is shared with the target account.
C.Modify the AMI launch permissions and add the target account as a principal in the KMS key policy with kms:Decrypt permission.
D.Modify the AMI launch permissions to include the target account.
AnswerC

Both AMI and KMS permissions are required.

Why this answer

To share an encrypted AMI with a different account, both the AMI launch permissions and the KMS key permissions must be updated. Option C is correct because it grants both sets of permissions. Option D is wrong because modifying launch permissions alone is not enough; KMS key permissions are also needed.

Option A is wrong because sharing the snapshot separately does not grant KMS access. Option B is wrong because re-encrypting with a new key is unnecessary if permissions are set correctly.

414
MCQmedium

A company runs a production RDS for PostgreSQL instance with Multi-AZ enabled. The database experiences a failover due to an AZ outage. After the failover, the application experiences high latency on write operations. What is the most likely cause?

A.The application is now reading from the standby instance, which has higher read latency.
B.Synchronous replication to the standby instance in the other AZ is causing additional latency.
C.The failover switched to a read replica in a different AZ.
D.The failover switched to asynchronous replication mode.
AnswerB

Multi-AZ uses synchronous replication, so every write must be committed on both the primary and standby, which adds latency.

Why this answer

Option B is correct because synchronous replication in Multi-AZ requires acknowledgment from the standby before the transaction is committed, which increases write latency. Option A is incorrect because the standby is in a different AZ and is not used for reads automatically. Option D is incorrect because Multi-AZ uses synchronous replication and does not switch to asynchronous replication.

Option C is incorrect because the Multi-AZ feature does not use a read replica; it uses a standby in a different AZ.

415
Multi-Selecthard

A company uses AWS CloudTrail to log API calls. The SysOps team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and triggers an automated response. Which combination of services should be used? (Choose two.)

Select 2 answers
A.AWS Config
B.AWS Lambda
C.Amazon Inspector
D.Amazon Simple Queue Service (SQS)
E.Amazon EventBridge (CloudWatch Events)
AnswersB, E

Lambda can be triggered by EventBridge to automatically re-enable CloudTrail logging.

Why this answer

The correct answers are B and E. Amazon EventBridge (CloudWatch Events) can match a pattern for StopLogging API calls and trigger a Lambda function to take corrective action (e.g., re-enable logging). Options A and C are wrong because AWS Config records resource changes but is not real-time for event-driven responses, and Amazon Inspector is not an event-response service.

Option D is wrong because SQS alone does not process events.

416
Multi-Selecteasy

Which THREE security best practices should be followed when managing IAM users? (Choose three.)

Select 3 answers
A.Attach policies directly to users
B.Rotate access keys regularly
C.Use the root user for daily administration
D.Grant least privilege permissions
E.Enable MFA for all users
AnswersB, D, E

Limits exposure of compromised keys.

Why this answer

Granting least privilege, enabling MFA, and rotating access keys regularly are key security best practices, so Options B, D, and E are correct. Option C is wrong because using the root user for daily tasks is a security risk.

Option A is wrong because IAM policies should be attached to groups or roles, not directly to users, to simplify management.

417
Multi-Selecthard

A company is using AWS CloudTrail to log API activity. The security team wants to be notified when an IAM user attempts to modify an S3 bucket policy. Which actions should be taken to meet this requirement? (Select THREE.)

Select 3 answers
A.Create a CloudWatch alarm on the number of PutBucketPolicy calls.
B.Enable CloudTrail data events for S3 to capture bucket policy changes.
C.Create an Amazon EventBridge rule that matches the PutBucketPolicy API call via CloudTrail.
D.Configure the EventBridge rule to send events to an SNS topic.
E.Ensure CloudTrail is logging management events for the S3 service.
AnswersC, D, E

EventBridge can filter CloudTrail events.

Why this answer

Option C is correct because Amazon EventBridge can match specific API calls (like PutBucketPolicy) by using CloudTrail as an event source. This allows the security team to trigger a notification when an IAM user attempts to modify an S3 bucket policy, without needing to poll or set up custom monitoring.

Exam trap

The trap here is that candidates may confuse CloudWatch alarms (which are metric-based) with EventBridge rules (which are event-driven), leading them to select Option A instead of understanding that EventBridge provides immediate, per-event notification for specific API calls.

418
MCQhard

An organization has a CloudWatch dashboard that displays metrics for multiple AWS services. The dashboard is shared with the operations team. Recently, some team members reported that the dashboard is not loading for them. Which action should the SysOps administrator take to troubleshoot the issue?

A.Confirm that the team members have the necessary IAM permissions for cloudwatch:GetDashboard.
B.Verify that the team members have subscribed to the metric streams.
C.Ensure the CloudWatch agent is installed on the instances displaying the dashboard.
D.Check that the dashboard is in the same region as the resources.
AnswerA

Without GetDashboard permission, users cannot load the dashboard.

Why this answer

The most likely cause of the dashboard not loading is that the team members lack the required IAM permission to retrieve the dashboard definition. CloudWatch dashboards are stored as JSON objects, and the `cloudwatch:GetDashboard` action is necessary to fetch and render that data in the console. Without this permission, the API call fails silently, resulting in a blank or non-loading dashboard.

Exam trap

The trap here is that candidates often assume the issue is related to the CloudWatch agent or regional configuration, but the root cause is almost always an IAM permissions problem when a dashboard fails to load for users who previously had access.

How to eliminate wrong answers

Option B is wrong because metric streams are used to send CloudWatch metrics to destinations like AWS Lambda or Kinesis Data Firehose; they are not related to viewing or loading a CloudWatch dashboard. Option C is wrong because the CloudWatch agent is installed on EC2 instances to collect custom metrics and logs, but it has no role in rendering or loading a dashboard in the AWS Management Console. Option D is wrong because CloudWatch dashboards can display metrics from multiple regions, and the dashboard itself is a global resource; the dashboard not loading is not caused by a region mismatch.

419
MCQeasy

A SysOps administrator is troubleshooting an application that intermittently fails to connect to an RDS database. The error logs show 'Too many connections'. What CloudWatch metric should the administrator monitor to proactively detect this issue?

A.CPUUtilization
B.DatabaseConnections
C.NetworkThroughput
D.FreeableMemory
AnswerB

Directly tracks the number of database connections.

Why this answer

The 'Too many connections' error indicates that the RDS database has reached its maximum allowed number of simultaneous client connections. The DatabaseConnections CloudWatch metric tracks the current number of connections to the DB instance, so monitoring this metric allows the administrator to set an alarm when connections approach the instance's max_connections limit, enabling proactive scaling or connection management before errors occur.

Exam trap

The trap here is that candidates may confuse performance metrics like CPU or memory with the specific connection limit error, overlooking that the 'Too many connections' error is directly tied to the DatabaseConnections metric and the max_connections configuration.

How to eliminate wrong answers

Option A (CPUUtilization) is wrong because high CPU usage does not directly cause connection limit errors; it may indicate query performance issues but not the specific 'Too many connections' error. Option C (NetworkThroughput) is wrong because network throughput measures data transfer volume, not the number of database connections, and a connection limit error is unrelated to bandwidth. Option D (FreeableMemory) is wrong because low freeable memory can affect performance but does not directly trigger a connection limit error; the error is explicitly tied to the connection count exceeding the configured max_connections parameter.

420
MCQeasy

A company wants to back up its on-premises file server to AWS. The backup must be encrypted in transit and at rest. Which AWS service should the company use to meet these requirements?

A.AWS Storage Gateway (File Gateway) backed by Amazon S3.
B.Amazon EBS volumes attached to an EC2 instance acting as a file server.
C.AWS CloudFormation to replicate the file server configuration.
D.Amazon S3 with server-side encryption and a custom script to upload files.
AnswerA

Managed service that handles encryption and transfer.

Why this answer

Option A is correct because AWS Storage Gateway's File Gateway can back up on-premises files to S3 with encryption in transit (using TLS) and at rest (using S3 server-side encryption). Option D is wrong because S3 alone does not provide a backup agent for on-premises servers. Option B is wrong because EBS volumes are for EC2 instances, not on-premises servers.

Option C is wrong because CloudFormation is for infrastructure as code, not file backup.

421
MCQmedium

A company has an application running on EC2 instances behind an Application Load Balancer. They want to receive an email notification when the average latency exceeds 2 seconds. Which combination of steps should the SysOps administrator take? (Select TWO.)

A.Enable AWS CloudTrail to capture API calls and monitor latency.
B.Use CloudWatch Logs to stream logs to Amazon ES for latency analysis.
C.Create a CloudWatch alarm on the EC2 instance's CPUUtilization metric.
D.Configure the alarm to send a notification to an Amazon SNS topic.
E.Create a CloudWatch alarm on the ALB's TargetResponseTime metric.
AnswerD, E

SNS can send email notifications.

Why this answer

Option D is correct because Amazon CloudWatch alarms can be configured to send notifications to an Amazon SNS topic when a metric threshold is breached. By creating an SNS topic and subscribing an email endpoint to it, the SysOps administrator can receive email alerts when the alarm state changes, such as when the average latency exceeds 2 seconds.

Exam trap

The trap here is that candidates often confuse CloudTrail (audit logging) with CloudWatch (monitoring and alarming), or mistakenly think CPUUtilization is a proxy for latency, when the correct approach is to use the ALB's TargetResponseTime metric with a CloudWatch alarm and SNS notification.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail captures API calls for auditing and governance, not application-level latency metrics; it cannot monitor or alarm on latency. Option B is wrong because streaming CloudWatch Logs to Amazon ES provides log analysis and visualization, but it does not directly trigger email notifications for latency thresholds. Option C is wrong because the CPUUtilization metric on EC2 instances measures compute resource usage, not application latency; it is unrelated to the ALB's TargetResponseTime metric.

422
MCQmedium

A company's security policy requires that all IAM users must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to automatically detect IAM users without MFA and generate a compliance report. Which AWS service should be used to meet this requirement with minimal operational overhead?

A.AWS Config
B.AWS CloudTrail
C.IAM Access Analyzer
D.AWS Trusted Advisor
AnswerA

AWS Config has a managed rule for IAM user MFA that can automatically evaluate and report compliance.

Why this answer

AWS Config provides managed rules such as `iam-user-mfa-enabled` that can continuously evaluate IAM users against the requirement for MFA. When a user is found without MFA, AWS Config can trigger an automatic remediation action or generate a compliance report via its dashboard or Amazon SNS notifications, meeting the detection and reporting need with minimal operational overhead.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation with CloudTrail's auditing or Trusted Advisor's checks, not realizing that only AWS Config offers a managed rule specifically for IAM user MFA enforcement with automated reporting.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail records API activity and does not perform ongoing resource configuration compliance checks; it cannot detect the absence of MFA on IAM users. Option C is wrong because IAM Access Analyzer analyzes resource policies for external access, not user-level MFA status. Option D is wrong because AWS Trusted Advisor provides best-practice checks but does not have a specific check for IAM user MFA enforcement; it focuses on root account MFA and other high-level recommendations.

423
Multi-Selecteasy

A SysOps Administrator needs to automate the deployment of a three-tier web application on AWS. The application consists of a web tier, application tier, and database tier. The administrator wants to use AWS CloudFormation to provision the infrastructure. Which TWO resources should be included in the CloudFormation template to ensure the application is highly available across multiple Availability Zones?

Select 2 answers
A.Auto Scaling group
B.NAT Gateway
C.Amazon S3 bucket
D.Amazon Route 53 hosted zone
E.Application Load Balancer
AnswersA, E

Auto Scaling group ensures instances are distributed across AZs.

Why this answer

Options A and E are correct. An Auto Scaling group maintains a desired number of instances across AZs, and an Application Load Balancer distributes traffic across those instances. Option B (NAT Gateway) is for outbound internet access, not high availability.

Option C (S3 bucket) is for storage, not compute. Option D (Route 53 hosted zone) is for DNS, not directly for high availability of the application tiers.

424
MCQeasy

A SysOps administrator notices that an EC2 instance's CPU utilization is consistently above 90% during peak hours. Which action will improve performance without over-provisioning resources?

A.Use Spot Instances instead of On-Demand.
B.Increase the number of EBS volumes attached to the instance.
C.Change the instance type to a larger size, such as moving from t3.medium to t3.large.
D.Configure Auto Scaling to add more instances during peak hours.
AnswerC

Larger instance type provides more CPU capacity.

Why this answer

Option C is correct because changing the instance type to a larger size (e.g., from t3.medium to t3.large) vertically scales the instance, providing more vCPUs and memory to handle the increased CPU load during peak hours. This directly addresses the high CPU utilization without over-provisioning, as you are only scaling up the specific resource that is constrained. Spot Instances (A) do not improve performance; they offer a lower cost but the same performance.

Increasing EBS volumes (B) does not affect CPU performance. Auto Scaling (D) adds more instances (horizontal scaling), which can over-provision if the single instance's capacity is sufficient after a vertical scale-up.

Exam trap

The trap here is that candidates often confuse horizontal scaling (Auto Scaling) with vertical scaling, assuming adding more instances is always the best performance fix, but the question explicitly asks to avoid over-provisioning, making a single larger instance the more efficient choice.

How to eliminate wrong answers

Option A is wrong because Spot Instances provide the same CPU performance as On-Demand instances; they are a pricing model, not a performance enhancement, and do not reduce CPU utilization. Option B is wrong because increasing the number of EBS volumes does not affect CPU utilization; EBS volumes handle storage I/O, not compute processing. Option D is wrong because Auto Scaling adds more instances horizontally, which can lead to over-provisioning if the workload can be handled by a single larger instance; it also introduces additional complexity and cost for managing multiple instances.

425
Multi-Selectmedium

Which TWO steps should a SysOps administrator take to ensure that an RDS for MySQL instance can withstand an Availability Zone failure? (Choose 2)

Select 2 answers
A.Enable Multi-AZ deployment.
B.Create a read replica in a different AZ.
C.Enable automated backups with a short retention period.
D.Enable deletion protection on the DB instance.
E.Enable provisioned IOPS for the DB instance.
AnswersA, C

Multi-AZ automatically provisions a standby instance in a different AZ and handles failover automatically.

Why this answer

Options A and C are correct. Multi-AZ creates a standby in another AZ, and automated backups with point-in-time recovery (PITR) allow recovery to a point in time. Option B is wrong because read replicas are for read scaling, not failover.

Option E is wrong because provisioned IOPS improve performance, not availability. Option D is wrong because deletion protection prevents accidental deletion, not AZ failure.

426
MCQeasy

A SysOps administrator needs to centrally collect operating system-level metrics from a fleet of Amazon EC2 instances running Amazon Linux 2. The metrics should include memory usage and disk I/O. Which solution should the administrator implement?

A.Install and configure the CloudWatch agent on the EC2 instances.
B.Enable detailed monitoring on the EC2 instances.
C.Use AWS CloudTrail to log OS-level metrics.
D.Use AWS Systems Manager Inventory to collect metrics.
AnswerA

The CloudWatch agent can collect custom metrics like memory and disk I/O.

Why this answer

The CloudWatch agent is the correct solution because it can collect custom OS-level metrics such as memory usage and disk I/O from EC2 instances running Amazon Linux 2. Unlike the default CloudWatch metrics, which only capture hypervisor-level metrics (e.g., CPU, network), the CloudWatch agent uses the procstat and disk plugins to gather detailed system metrics and publish them to CloudWatch as custom namespaces.

Exam trap

The trap here is that candidates often confuse 'detailed monitoring' (which only increases frequency of existing hypervisor metrics) with the ability to collect new OS-level metrics, leading them to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because enabling detailed monitoring on EC2 instances only increases the frequency of hypervisor-level metrics (e.g., CPU, network) from 5 minutes to 1 minute, but it does not collect OS-level metrics like memory usage or disk I/O. Option C is wrong because AWS CloudTrail is designed to log API calls and account activity, not OS-level metrics from EC2 instances. Option D is wrong because AWS Systems Manager Inventory collects software inventory and configuration data (e.g., installed applications, patches), not real-time performance metrics like memory or disk I/O.

427
Multi-Selecthard

Which THREE components are required to set up a site-to-site VPN connection between a VPC and an on-premises network? (Choose three.)

Select 3 answers
A.Virtual private gateway or transit gateway
B.NAT Gateway
C.VPN connection
D.Customer gateway
E.Internet gateway
AnswersA, C, D

AWS-side endpoint for the VPN.

Why this answer

A virtual private gateway or transit gateway is required as the AWS-side VPN concentrator that terminates the VPN tunnels and routes traffic between the VPC and the on-premises network. It provides the target for the VPN connection and must be attached to the VPC to enable site-to-site VPN functionality.

Exam trap

The trap here is that candidates often confuse a NAT Gateway or Internet Gateway as necessary for VPN connectivity, but neither is involved in IPsec tunnel establishment; the correct components are the virtual private gateway (or transit gateway), the VPN connection, and the customer gateway.

428
MCQmedium

A SysOps administrator notices that traffic from an Application Load Balancer to targets is failing intermittently. The targets are EC2 instances in an Auto Scaling group. The health check settings on the target group are: ping path '/health', healthy threshold 2, unhealthy threshold 2, timeout 5 seconds, interval 30 seconds. Which change would most likely improve the stability of the health checks?

A.Increase the interval to 60 seconds.
B.Decrease the healthy threshold to 1.
C.Decrease the timeout to 2 seconds.
D.Increase the unhealthy threshold to 5.
AnswerD

Requires more failures to mark unhealthy, reducing flapping.

Why this answer

Option D is correct because increasing the unhealthy threshold reduces flapping; currently 2 consecutive failures mark an instance unhealthy, which may be too sensitive. Option A is wrong because a longer interval would delay detection. Option C is wrong because a shorter timeout may cause false positives.

Option B is wrong because decreasing the healthy threshold increases sensitivity.
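To make the flapping argument concrete, here is an added example (not part of the question bank) that replays a constructed sequence of health-check results through a simplified model of the target group's threshold counting: a healthy target goes unhealthy after N consecutive failures and comes back after M consecutive successes. Timeouts, intervals and connection draining are not modelled. Running it with the question's settings (healthy 2 / unhealthy 2) and then with option D (unhealthy 5) shows how many state changes the same burst of intermittent failures produces in each case.

```python
# Added example (not part of the question bank): a simplified model of how an
# ALB target group marks a target healthy/unhealthy from consecutive check
# results. Only the threshold counting is modelled; timeouts, intervals and
# draining are left out.

# Constructed probe results for one target: True = /health answered in time,
# False = it did not. Failures arrive in short bursts, as with an
# intermittently slow target.
PROBE_RESULTS = [
    True, True, False, False, True, True, True, False, False,
    True, True, False, True, True, False, False, True, True,
]


def simulate_health(probe_results, healthy_threshold, unhealthy_threshold):
    """Replay health-check results and return the list of state transitions.

    A healthy target becomes unhealthy after `unhealthy_threshold` consecutive
    failures; an unhealthy target becomes healthy again after
    `healthy_threshold` consecutive successes. Fewer transitions = less flapping.
    """
    state = "healthy"
    consecutive_ok = consecutive_fail = 0
    transitions = []
    for ok in probe_results:
        if ok:
            consecutive_ok += 1
            consecutive_fail = 0
        else:
            consecutive_fail += 1
            consecutive_ok = 0
        if state == "healthy" and consecutive_fail >= unhealthy_threshold:
            state = "unhealthy"
            transitions.append("unhealthy")
        elif state == "unhealthy" and consecutive_ok >= healthy_threshold:
            state = "healthy"
            transitions.append("healthy")
    return transitions


def flap_count(probe_results, healthy_threshold, unhealthy_threshold):
    """Number of times the target's health state changed."""
    return len(simulate_health(probe_results, healthy_threshold, unhealthy_threshold))


if __name__ == "__main__":
    # Current settings (healthy 2 / unhealthy 2) versus option D (unhealthy 5).
    for unhealthy in (2, 5):
        print(f"unhealthy threshold {unhealthy}: "
              f"{flap_count(PROBE_RESULTS, 2, unhealthy)} state changes "
              f"{simulate_health(PROBE_RESULTS, 2, unhealthy)}")
```

With the constructed results the target flips six times at an unhealthy threshold of 2 and not at all at 5; lowering the healthy threshold to 1 (option B) leaves the count at six, because it only makes the return to healthy faster, not the removal less sensitive.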

429
MCQmedium

A SysOps administrator needs to deploy the same AWS CloudFormation template across multiple AWS accounts and Regions in a single operation. The administrator wants to manage the deployment from a single management account. Which AWS service should the administrator use?

A.AWS CodeDeploy
B.AWS Elastic Beanstalk
C.AWS CloudFormation StackSets
D.AWS Service Catalog
AnswerC

Correct. CloudFormation StackSets allow you to deploy CloudFormation stacks across multiple accounts and Regions from a central account, with automated rollbacks.

Why this answer

AWS CloudFormation StackSets extends the functionality of CloudFormation by allowing you to deploy the same template across multiple accounts and Regions from a single management account. StackSets uses a self-managed or service-managed permission model to create, update, and delete stacks across target accounts in a single operation, making it the correct choice for this multi-account, multi-Region deployment requirement.

Exam trap

The trap here is that candidates often confuse AWS Service Catalog (which can provision CloudFormation stacks but only within a single account or via StackSets integration) with the native multi-account deployment capability of CloudFormation StackSets, leading them to select Service Catalog as the answer.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy is a service for automating code deployments to EC2 instances, on-premises instances, or Lambda functions, not for deploying CloudFormation templates across multiple accounts and Regions. Option B is wrong because AWS Elastic Beanstalk is a PaaS service for deploying and scaling web applications, not for managing multi-account, multi-Region infrastructure deployments via CloudFormation templates. Option D is wrong because AWS Service Catalog allows you to create and manage a catalog of approved IT services (including CloudFormation products), but it does not natively deploy a single template across multiple accounts and Regions in one operation; it requires additional orchestration or StackSets integration for that capability.

430
MCQhard

A company runs a critical web application on Amazon EC2 instances in an Auto Scaling group across three Availability Zones. The application uses an Application Load Balancer (ALB) for traffic distribution. The SysOps administrator has configured a CloudWatch alarm to monitor the ALB's `TargetResponseTime` metric, with a threshold of 5 seconds. The alarm triggers when the average response time exceeds 5 seconds for 2 consecutive periods. Recently, the alarm has been triggering frequently during peak hours, but the application team reports that the response time is acceptable and the application is performing normally. The administrator investigates and finds that a small number of requests are taking a very long time (over 30 seconds), skewing the average. The administrator needs to reduce the number of false alarms while still being alerted if the overall application performance degrades. Which course of action should the administrator take?

A.Change the statistic to p95 and keep the threshold at 5 seconds
B.Increase the threshold to 30 seconds
C.Decrease the period to 60 seconds and lower the threshold to 3 seconds
D.Increase the evaluation periods to 5 consecutive periods
AnswerA

p95 excludes the top 5% slowest requests, so it reflects the experience of the majority.

Why this answer

The correct answer is A because using the p95 (95th percentile) statistic instead of the average filters out the impact of the small number of outlier requests that take over 30 seconds. The p95 metric shows the response time below which 95% of requests fall, providing a more accurate representation of typical application performance. This reduces false alarms from skewed averages while still alerting if the majority of users experience degraded response times exceeding 5 seconds.

Exam trap

The trap here is that candidates may think increasing the threshold or evaluation periods is the solution, but they fail to recognize that the average metric is inherently sensitive to outliers, and the correct fix is to change the statistic to a percentile like p95 or p99.

How to eliminate wrong answers

Option B is wrong because increasing the threshold to 30 seconds would mask genuine performance degradation for the majority of requests, as the alarm would only trigger when the average exceeds 30 seconds, which is far beyond acceptable performance. Option C is wrong because decreasing the period to 60 seconds and lowering the threshold to 3 seconds would make the alarm more sensitive, likely increasing false alarms due to short-term spikes or noise. Option D is wrong because increasing evaluation periods to 5 consecutive periods would delay the alarm response, potentially missing transient performance issues that affect users, and does not address the root cause of outliers skewing the average.
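The following added example (not from the question bank) shows the statistic choice numerically. It builds one constructed alarm period of 100 target response times, 96 ordinary and 4 stuck above 30 seconds as in the scenario, computes the Average and the nearest-rank p95, and feeds both through a small imitation of a 2-out-of-2 CloudWatch alarm with a 5-second threshold. A second constructed period where every request is slow confirms that the p95 alarm still fires on genuine degradation.

```python
import math

# Added example (not part of the question bank): why an Average-based alarm
# fires on a handful of very slow requests while a p95-based alarm does not.

# Constructed response-time samples (seconds) for one alarm period: 96 normal
# requests plus 4 stuck requests well above 30 s.
PEAK_PERIOD = [1.5] * 96 + [95.0] * 4
# Constructed period in which most users really are slow.
DEGRADED_PERIOD = [6.0] * 100


def average(samples):
    return sum(samples) / len(samples)


def percentile(samples, p):
    """Nearest-rank percentile: the smallest sample that at least p% of the
    samples are less than or equal to. For p=95 the slowest 5% of samples
    cannot move the result."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]


def p95(samples):
    return percentile(samples, 95)


def alarm_state(periods, statistic, threshold, evaluation_periods):
    """Mimic an N-out-of-N CloudWatch alarm: ALARM only when the last
    `evaluation_periods` periods all breach the threshold."""
    breaches = [statistic(period) > threshold for period in periods]
    recent = breaches[-evaluation_periods:]
    if len(recent) == evaluation_periods and all(recent):
        return "ALARM"
    return "OK"


if __name__ == "__main__":
    two_peak_periods = [PEAK_PERIOD, PEAK_PERIOD]
    print("average of peak period:", average(PEAK_PERIOD))
    print("p95 of peak period:    ", p95(PEAK_PERIOD))
    print("Average statistic, 5 s, 2 periods:", alarm_state(two_peak_periods, average, 5, 2))
    print("p95 statistic, 5 s, 2 periods:    ", alarm_state(two_peak_periods, p95, 5, 2))
    print("p95 on real degradation:          ", alarm_state([DEGRADED_PERIOD] * 2, p95, 5, 2))
```

Four requests at 95 seconds are enough to push the period average to 5.24 seconds and the Average alarm into ALARM, while p95 of the same period is 1.5 seconds. The p99 of that period is 95 seconds, which is why a percentile must be chosen with the expected outlier fraction in mind.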

431
Multi-Selectmedium

Which THREE AWS services can be used to monitor and optimize costs? (Choose THREE.)

Select 3 answers
A.AWS Trusted Advisor
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Shield
E.AWS CloudFormation
AnswersA, B, C

Provides cost optimization recommendations.

Why this answer

AWS Trusted Advisor provides cost optimization recommendations by analyzing your AWS environment and identifying idle resources, underutilized instances, and reserved instance opportunities. It offers specific checks like 'Low Utilization Amazon EC2 Instances' and 'Idle Load Balancers' that directly help reduce spending.

Exam trap

The trap here is that candidates may confuse AWS Shield (a security service) with cost-related services due to its name similarity to 'Shield' implying protection, or assume CloudFormation's resource management includes cost tracking, but neither provides cost monitoring or optimization capabilities.

432
MCQeasy

A SysOps administrator is tasked with automating the deployment of an application across multiple AWS accounts. Which AWS service should be used to orchestrate the deployment across accounts?

A.AWS CodeDeploy
B.AWS CloudFormation StackSets
C.AWS Service Catalog
D.AWS Systems Manager
AnswerB

CloudFormation StackSets enables you to deploy stacks across multiple accounts and regions with a single operation.

Why this answer

Option B is correct because AWS CloudFormation StackSets allows you to deploy CloudFormation stacks across multiple accounts and regions in a single operation. Option A (CodeDeploy) is for deploying applications to EC2 or on-premises, not across accounts. Option C (Service Catalog) is for creating and managing a catalog of approved IT services, not for multi-account orchestration.

Option D (Systems Manager) is for management and patching, not orchestrated cross-account deployments.

433
MCQhard

A company's security policy requires that all IAM users must authenticate using multi-factor authentication (MFA) before accessing the Amazon S3 bucket containing confidential finance data. The SysOps administrator needs to create an IAM policy that denies access to the S3 bucket if the user has not authenticated using MFA. Which IAM condition key should the administrator include in the policy?

A.aws:MultiFactorAuthPresent
B.aws:UserAgent
C.aws:SourceIp
D.aws:RequestedRegion
AnswerA

This Boolean condition key checks if MFA was used during authentication. Denying access when it evaluates to false enforces MFA.

Why this answer

The `aws:MultiFactorAuthPresent` condition key evaluates to `true` when the requesting IAM user has authenticated using a valid MFA device. By including this key in a `Deny` statement with a condition that it is `false`, the policy effectively blocks any S3 access unless MFA was used. This directly enforces the security policy requirement.

Exam trap

The trap here is that candidates may confuse `aws:MultiFactorAuthPresent` with `aws:MultiFactorAuthAge` or assume that simply having MFA enabled on the user account automatically sets the key, when in fact the key is only present if MFA was used during the current session authentication.

How to eliminate wrong answers

Option B is wrong because `aws:UserAgent` checks the user agent string of the request, which is irrelevant to authentication method. Option C is wrong because `aws:SourceIp` restricts access based on the requester's IP address, not MFA status. Option D is wrong because `aws:RequestedRegion` limits access to specific AWS regions, which does not enforce MFA authentication.
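As an added example (not from the question bank), the block below constructs the Deny statement the question describes and a small evaluator for the two condition operators it can be written with. The bucket name is a placeholder, and the evaluator models only the Condition block (it assumes the request already targets the bucket with an s3 action). The point it demonstrates is the exam trap above: a request whose context lacks `aws:MultiFactorAuthPresent` is only denied when the condition uses `BoolIfExists`, which is the operator AWS's documented deny-unless-MFA pattern uses; with plain `Bool` an absent key never matches and the Deny does not apply.

```python
import json

# Added example (not part of the question bank): a deny-unless-MFA S3 policy and
# an evaluator for the Bool / BoolIfExists operators. The bucket name is a
# placeholder; only the Condition block is modelled, not Action/Resource matching.
BUCKET_ARN = "arn:aws:s3:::finance-confidential-example-bucket"


def build_mfa_deny_policy(operator="BoolIfExists"):
    """Deny every S3 action on the bucket unless aws:MultiFactorAuthPresent is true.

    With BoolIfExists the Deny also applies when the key is absent from the
    request context; with plain Bool an absent key never matches, so such a
    request falls through to whatever Allow statements exist.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyFinanceBucketWithoutMFA",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
                "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
            }
        ],
    }


def condition_matches(condition, request_context):
    """Evaluate Bool / BoolIfExists condition blocks against a request context."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in request_context:
                if operator == "BoolIfExists":
                    continue      # absent key: the ...IfExists form evaluates to true
                return False      # absent key: plain Bool never matches
            if str(request_context[key]).lower() != str(expected).lower():
                return False
    return True


def is_denied(policy, request_context):
    """True when the condition of any Deny statement matches the request."""
    return any(
        stmt["Effect"] == "Deny"
        and condition_matches(stmt.get("Condition", {}), request_context)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    print(json.dumps(build_mfa_deny_policy(), indent=2))
    for ctx in ({"aws:MultiFactorAuthPresent": "true"},
                {"aws:MultiFactorAuthPresent": "false"},
                {}):
        verdict = "denied" if is_denied(build_mfa_deny_policy(), ctx) else "not denied"
        print(ctx, "->", verdict)
```

The same three request contexts run against `build_mfa_deny_policy("Bool")` show the difference: the MFA-authenticated request is not denied in either variant, the explicit `false` is denied in both, and the context with no key at all is denied only by the `BoolIfExists` variant.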

434
MCQeasy

A company has two VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). The VPCs are in the same AWS region. The SysOps administrator needs to enable private IP connectivity between the two VPCs so that an EC2 instance in VPC-A can communicate with an EC2 instance in VPC-B using their private IP addresses. The administrator wants a simple, low-cost solution with high throughput. Which AWS service should be used?

A.VPC Peering
B.AWS Transit Gateway
C.AWS Direct Connect
D.Internet Gateway
AnswerA

VPC peering is the simplest and cheapest way to connect two VPCs in the same region, enabling private IP communication with low latency and high throughput.

Why this answer

VPC Peering is the correct choice because it enables direct, private IP connectivity between two VPCs in the same AWS region using the existing AWS network infrastructure, with no bandwidth bottlenecks, no single point of failure, and no additional cost beyond data transfer. It meets the requirements for simplicity, low cost, and high throughput, as traffic stays within the AWS backbone and does not require a separate transit hub or VPN.

Exam trap

The trap here is that candidates often choose AWS Transit Gateway for any multi-VPC connectivity, overlooking that VPC Peering is simpler and cheaper for a two-VPC scenario, and that Transit Gateway’s benefits (centralized routing, transitive peering) are only cost-effective with many VPCs.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it introduces unnecessary complexity and cost (hourly charges per attachment) for a simple two-VPC scenario; it is designed for hub-and-spoke topologies with many VPCs. Option C (AWS Direct Connect) is wrong because it provides dedicated on-premises connectivity to AWS, not connectivity between two VPCs, and involves significant setup cost and latency overhead. Option D (Internet Gateway) is wrong because it enables internet-bound traffic, not private VPC-to-VPC communication, and would require public IPs and route traffic over the public internet, violating the private IP requirement.

435
MCQhard

Refer to the exhibit. A SysOps administrator reviews the CloudWatch alarm configuration. The alarm is in ALARM state. Which statement accurately describes the alarm's behavior?

A.The alarm evaluates CPU utilization every 5 minutes and requires 3 consecutive breaches to trigger.
B.The alarm will automatically resolve when CPU utilization drops below 80% for one period.
C.The alarm triggered because the average CPU utilization over 5 minutes exceeded 80% for one consecutive period.
D.The alarm sends a notification to the SNS topic every 5 minutes while in ALARM state.
AnswerC

Exactly correct based on the configuration.

Why this answer

Option C is correct because the alarm configuration shows 'Period: 5 minutes' and 'Statistic: Average' with 'Threshold: 80%' and 'Datapoints to alarm: 1 out of 1'. This means the alarm evaluates the average CPU utilization over a single 5-minute period, and if that average exceeds 80%, the alarm transitions to ALARM state immediately after one period's data point is available.

Exam trap

The trap here is that candidates assume 'Datapoints to alarm' implies multiple consecutive breaches (like 3 out of 3) without reading the actual values, or they confuse the alarm's evaluation period with the notification frequency, leading them to pick Option A or D.

How to eliminate wrong answers

Option A is wrong because the alarm requires only 1 datapoint to alarm (not 3 consecutive breaches), as indicated by 'Datapoints to alarm: 1 out of 1'. Option B is wrong because the alarm does not automatically resolve when CPU utilization drops below 80% for one period; it requires the metric to return to a non-breaching state for the number of datapoints specified in 'Datapoints to alarm' (here 1) to transition to OK state, but the alarm does not auto-resolve; it must be explicitly configured with alarm actions or left to evaluate. Option D is wrong because the alarm sends a notification to the SNS topic only when the alarm state changes (e.g., from OK to ALARM or ALARM to OK), not every 5 minutes while in ALARM state; continuous notifications would require a custom solution such as a Lambda function.

436
MCQmedium

A company runs a production web application on Amazon EC2 instances behind an Application Load Balancer. The application experiences variable traffic patterns, with peak usage during business hours. The company wants to optimize costs while maintaining performance. What should the SysOps administrator do?

A.Increase the EC2 instance sizes to handle peak load at all times.
B.Purchase Reserved Instances for all instances to get the lowest hourly rate.
C.Use a combination of On-Demand and Spot Instances, with On-Demand for baseline traffic and Spot for burst capacity.
D.Use Dedicated Hosts to ensure consistent performance.
AnswerC

This mix optimizes cost while handling traffic spikes.

Why this answer

The correct answer is C. A mixed pricing model with Spot Instances for flexible workloads and On-Demand for steady-state traffic can significantly reduce costs while ensuring availability. Option B is wrong because Reserved Instances require a 1- or 3-year commitment and are not suitable for variable traffic.

Option D is wrong because Dedicated Hosts are expensive and not needed. Option A is wrong because increasing instance size without right-sizing may lead to over-provisioning and increased costs.

437
MCQeasy

A company's security policy requires that all Amazon S3 buckets must have server-side encryption enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and notify the security team. Which AWS service should be used to detect non-compliant buckets?

A.Amazon Inspector
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerB

AWS Config has managed rules to evaluate resource settings, including S3 bucket encryption. It can automatically detect non-compliant buckets and send notifications.

Why this answer

AWS Config is the correct service because it continuously monitors and evaluates the configuration of AWS resources against desired policies. By using an AWS Config managed rule such as `s3-bucket-server-side-encryption-enabled`, you can automatically detect any S3 bucket that lacks server-side encryption and trigger an SNS notification to the security team.

Exam trap

The trap here is confusing AWS Config's configuration compliance monitoring with AWS CloudTrail's API logging or GuardDuty's threat detection, leading candidates to choose a service that records actions rather than one that evaluates resource states.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and unintended network exposure, not for S3 bucket encryption compliance. Option C is wrong because AWS CloudTrail records API activity and provides audit logs, but it does not evaluate resource configurations against compliance rules or detect non-compliant buckets. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not for checking S3 bucket encryption settings.

438
MCQmedium

A company stores 1 PB of data in Amazon S3 Standard. The data is accessed frequently for the first 30 days, then rarely accessed afterwards. The company needs to optimize storage costs. What should they do?

A.Move all objects to S3 Intelligent-Tiering immediately.
B.Delete objects older than 30 days using S3 Lifecycle expiration.
C.Manually change the storage class of each object to S3 Glacier Deep Archive after 30 days.
D.Configure an S3 Lifecycle policy to transition objects to S3 Standard-IA after 30 days, then to S3 Glacier Deep Archive after 90 days.
AnswerD

Lifecycle policies automate cost-effective storage class transitions.

Why this answer

Option D is correct because an S3 Lifecycle policy automatically transitions objects to colder storage classes based on age. Option B is wrong because deleting the data loses it. Option A is wrong because S3 Intelligent-Tiering has a monitoring cost per object.

Option C is wrong because manual transitions are not scalable.

439
MCQeasy

A company is deploying a serverless application using AWS SAM. The SysOps administrator wants to automate the build and deployment process whenever code is pushed to the main branch of an AWS CodeCommit repository. Which service should be used to trigger the pipeline?

A.AWS Lambda.
B.AWS CodeBuild.
C.AWS CodePipeline.
D.Amazon CloudWatch Events.
AnswerC

CodePipeline orchestrates build, test, and deploy stages and can be triggered by CodeCommit.

Why this answer

The correct answer is C because CodePipeline can be configured to start on changes to a CodeCommit repository. Option D is incorrect because CloudWatch Events can trigger a pipeline but is not the primary service for CI/CD pipelines. Option B is incorrect because CodeBuild is a build service, not a trigger.

Option A is incorrect because Lambda would require custom integration.

440
MCQhard

A company has an Amazon VPC with a CIDR block of 10.0.0.0/16 and an AWS Site-to-Site VPN connection to an on-premises data center. The on-premises DNS servers host a private domain 'corp.example.com'. The SysOps administrator needs to enable EC2 instances in the VPC to resolve DNS names for 'corp.example.com' using the on-premises DNS servers. Which Route 53 feature should be configured?

A.Route 53 Resolver inbound endpoints
B.Route 53 Resolver outbound endpoints with forwarding rules
C.VPC peering between the VPC and the on-premises network
D.Route 53 private hosted zone for corp.example.com
AnswerB

Outbound endpoints forward DNS queries from the VPC to on-premises DNS servers for specified domain names.

Why this answer

Option B is correct because Route 53 Resolver outbound endpoints allow EC2 instances in a VPC to forward DNS queries for a specific domain (e.g., corp.example.com) to on-premises DNS servers via the Site-to-Site VPN connection. By creating a forwarding rule on the outbound endpoint, DNS queries for corp.example.com are sent to the on-premises DNS resolvers, enabling resolution of private DNS names without exposing the VPC to inbound traffic.

Exam trap

The trap here is that candidates often confuse inbound and outbound endpoints: inbound endpoints are for on-premises to query AWS DNS, while outbound endpoints are for AWS to query on-premises DNS, and the question specifically requires EC2 instances to resolve on-premises names, which is an outbound scenario.

How to eliminate wrong answers

Option A is wrong because Route 53 Resolver inbound endpoints are used to allow on-premises DNS resolvers to forward queries to Route 53 Resolver in the VPC, not for EC2 instances to query on-premises DNS servers. Option C is wrong because VPC peering is used to connect VPCs within AWS, not to connect a VPC to an on-premises network; the VPN connection already provides the network path, and peering does not enable DNS resolution across the VPN. Option D is wrong because a Route 53 private hosted zone for corp.example.com would require the domain to be hosted in Route 53, but the question states the domain is hosted on on-premises DNS servers; a private hosted zone would not forward queries to on-premises resolvers.

441
MCQeasy

A company is using AWS CloudFormation to deploy infrastructure. They want to reduce costs by identifying unused resources. Which AWS service should they use to monitor and report on resource utilization and cost?

A.AWS Trusted Advisor
B.AWS Config
C.Amazon CloudWatch
D.AWS CloudTrail
AnswerA

Trusted Advisor provides cost optimization recommendations.

Why this answer

Option A is correct because AWS Trusted Advisor runs cost optimization checks that flag idle and underutilized resources, for example low-utilization EC2 instances, idle load balancers and underutilized EBS volumes, and estimates the monthly saving for each. Note that the full set of cost optimization checks requires a Business, Enterprise On-Ramp or Enterprise Support plan. Option B is wrong because AWS Config records and evaluates resource configuration and compliance, not utilization or cost. Option C is wrong because CloudWatch collects performance metrics and alarms on them; it does not rank resources by cost or recommend removing them.

Option D is wrong because CloudTrail records API activity for auditing and investigation, not cost.

442
MCQhard

A company uses AWS Elastic Beanstalk to deploy a web application. During a deployment, the environment's health turns from Green to Red, and the deployment fails. The logs show 'ERROR: Failed to download the application version from Amazon S3.' What is the MOST likely cause?

A.The EC2 instance profile does not have an IAM policy granting s3:GetObject on the application version
B.The Elastic Beanstalk service role does not have permissions to access S3
C.The S3 bucket is in a different AWS Region
D.The S3 bucket containing the application version has public read access disabled
AnswerA

The instance profile needs permissions to download from S3.

Why this answer

Option A is correct because the instances download the application version themselves, signing the S3 request with the credentials of the EC2 instance profile attached to the environment; if that role lacks s3:GetObject on the Elastic Beanstalk bucket, the download fails with exactly this error. Option B is wrong because the service role is assumed by the Elastic Beanstalk service for tasks such as enhanced health reporting and managed platform updates; the instances never use it to fetch artifacts. Option C is wrong because Elastic Beanstalk stores application versions in a bucket it manages in the same region as the environment, so a cross-region bucket is not part of the normal deployment path.

Option D is wrong because the download is an authenticated request made with the instance profile credentials; the bucket does not need, and should not have, public read access.
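A least-privilege instance profile for the download path described above, as an added CloudFormation example (not from the question bank or from the Elastic Beanstalk platform itself). It assumes the regional bucket Elastic Beanstalk creates, named elasticbeanstalk-<region>-<account-id>, and grants only the read actions needed to fetch an application version.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not from the question bank: instance profile that can read
  application versions from the regional Elastic Beanstalk bucket and nothing else.
Resources:
  EbInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:      # only EC2 instances may assume this role
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadApplicationVersions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: DownloadVersionsFromRegionalEbBucket
                Effect: Allow
                Action:
                  - s3:GetObject     # the call that fails in the scenario when it is missing
                  - s3:ListBucket
                Resource:            # assumed bucket name pattern used by Elastic Beanstalk
                  - !Sub 'arn:aws:s3:::elasticbeanstalk-${AWS::Region}-${AWS::AccountId}'
                  - !Sub 'arn:aws:s3:::elasticbeanstalk-${AWS::Region}-${AWS::AccountId}/*'
  EbInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref EbInstanceRole
Outputs:
  InstanceProfileName:
    Description: Set as aws:autoscaling:launchconfiguration / IamInstanceProfile on the environment
    Value: !Ref EbInstanceProfile
```

The profile is attached to the environment through the IamInstanceProfile option in the aws:autoscaling:launchconfiguration namespace. The statement covers only the download path; the platform also pushes logs and metrics, which the AWS-managed AWSElasticBeanstalkWebTier policy permits, so add those permissions deliberately rather than reaching for s3:* on the bucket.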

443
MCQhard

A company uses AWS CodePipeline with AWS CodeBuild to build and deploy a static website to an S3 bucket. The website is served via Amazon CloudFront. The deployment fails intermittently because the S3 bucket policy does not allow CloudFront access after the bucket is updated. What is the BEST way to automate the bucket policy update during the deployment?

A.Include an AWS CLI command in the buildspec to update the bucket policy after the build.
B.Use AWS CloudFormation to manage the S3 bucket and its policy, and update the stack as part of the pipeline.
C.Add a bucket policy statement in the S3 management console to grant CloudFront access.
D.Use a CloudFront origin access identity (OAI) and configure it in the bucket policy.
AnswerB

Correct: CloudFormation automates infrastructure updates including bucket policies.

Why this answer

Option B is correct because when the bucket and its AWS::S3::BucketPolicy are declared in a CloudFormation template and the pipeline runs a CloudFormation deploy action, every stack update re-applies the policy, so the CloudFront grant cannot silently disappear between deployments and drift is visible in the stack. Option A is wrong because an ad-hoc put-bucket-policy call in the buildspec works only until someone edits the policy by hand, and it requires the CodeBuild role to hold s3:PutBucketPolicy, a permission a build job should not have.

Option C is wrong because a one-off console change is manual, unversioned and undone by whatever is overwriting the policy today. Option D is wrong because an origin access identity (or its successor, origin access control) is the right principal to grant, but it is only half of the fix: the statement that grants it still has to be managed somewhere, which is what option B provides.

444
MCQeasy

An application running on Amazon EC2 generates a large number of small files that are stored temporarily and deleted after 24 hours. The files are accessed frequently within the first hour and then rarely. Which Amazon S3 storage class is MOST cost-effective for this use case?

A.S3 Glacier Deep Archive
B.S3 Intelligent-Tiering
C.S3 One Zone-Infrequent Access
D.S3 Standard
AnswerB

Automatically moves data between tiers based on access.

Why this answer

Option B is correct in the exam's framing because S3 Intelligent-Tiering moves objects between access tiers automatically, so unpredictable access patterns need no lifecycle tuning. Option D is wrong because S3 Standard charges the full per-GB rate however rarely the data is read. Option C is wrong because S3 One Zone-IA keeps data in a single Availability Zone and carries a 30-day minimum storage charge plus a per-GB retrieval fee, so objects deleted after 24 hours would still be billed for 30 days.

Option A is wrong because S3 Glacier Deep Archive has a 180-day minimum storage duration and retrievals that take hours, which rules it out for files read within their first hour.

Practitioner caveat: Intelligent-Tiering moves an object to the Infrequent Access tier only after 30 consecutive days without access, objects smaller than 128 KB are never moved, and each monitored object carries a monthly monitoring charge. Files deleted within 24 hours therefore never leave the Frequent Access tier, so in practice S3 Standard costs the same or less for this workload; the exam answer turns on "automatic", not on the billing arithmetic.

445
MCQhard

A company runs a data processing pipeline on AWS. The pipeline consists of EC2 instances that process data from an S3 bucket and write results to another S3 bucket. The processing job runs every hour and takes approximately 45 minutes. The current setup uses On-Demand instances. The SysOps administrator wants to reduce costs because the monthly EC2 bill is $5,000. The application is fault-tolerant and can handle interruptions by reprocessing data from the last checkpoint. The administrator has tested Spot Instances and found that they are interrupted about 10% of the time. The company has a strict requirement that the job must complete within 60 minutes every hour. Which solution would reduce costs while ensuring the job completes on time?

A.Purchase Reserved Instances for the expected capacity to get a discount.
B.Use a single larger On-Demand instance to complete the job faster.
C.Use a Spot Fleet with a fallback to On-Demand if Spot capacity is not available.
D.Use Spot Instances only and increase the number of instances to compensate for interruptions.
AnswerC

Spot Fleet can maintain the desired capacity with a mix of Spot and On-Demand, ensuring completion.

Why this answer

Option C is correct because a Spot Fleet (or an Auto Scaling group with a mixed instances policy) can keep a base of On-Demand capacity and fill the rest from Spot: the On-Demand portion guarantees progress inside the 60-minute window, while a 10% interruption rate on the Spot members costs only a restart from the last checkpoint. Option D is wrong because a Spot-only fleet has no floor; an interruption or a capacity shortage leaves nothing that guarantees completion. Option A is wrong because Reserved Instances are a one- or three-year billing commitment for capacity that is used 45 minutes in every hour, and they do nothing about interruptions or completion time.

Option B is wrong because a single larger On-Demand instance raises the bill rather than lowering it and turns the pipeline into a single point of failure.

446
MCQmedium

A SysOps administrator notices that an Amazon RDS instance's CPU utilization is consistently above 90% during peak hours. The administrator needs to investigate which queries are consuming the most CPU. Which action should the administrator take?

A.Enable Performance Insights for the RDS instance and review the top SQL queries.
B.Use CloudWatch Logs Insights to query the database error log for slow queries.
C.Enable detailed CloudWatch metrics for the RDS instance and analyze the CPUUtilization metric.
D.Enable RDS Enhanced Monitoring and review the 'cpuCreditUsage' metric.
AnswerA

Performance Insights shows the top queries by CPU usage, enabling targeted optimization.

Why this answer

Performance Insights is the correct tool because it gives a database-level view of load, measured as average active sessions and broken down by the top SQL statements, wait events, users and hosts. By enabling Performance Insights on the RDS instance, the administrator can see directly which statements are responsible for the high CPU utilization during peak hours and target those for optimization.

Exam trap

The trap here is confusing aggregate metrics (CloudWatch CPUUtilization) or OS-level metrics (Enhanced Monitoring) with database-specific query performance analysis, leading candidates to choose options that show overall CPU usage but not the root-cause queries.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs Insights can only search logs the instance exports, and the error log holds errors, warnings and startup messages rather than per-statement CPU consumption; a slow query log would have to be enabled and exported separately, and even then it records duration, not CPU attribution. Option C is wrong because CPUUtilization, at any resolution, is one aggregate number for the whole instance and never says which statement is responsible. Option D is wrong because Enhanced Monitoring reports OS-level figures from an agent on the host (per-process CPU and memory, disk and network), and CPU credit metrics for burstable classes are CloudWatch metrics; neither attributes load to individual SQL statements.

447
MCQmedium

A SysOps administrator needs to ensure that an Amazon RDS instance automatically reboots if it becomes unavailable due to an operating system crash. The instance is a Multi-AZ deployment. What is the correct approach?

A.Use AWS Systems Manager Run Command to reboot the instance when a health check fails.
B.Create an Amazon EventBridge rule to trigger a Lambda function that reboots the instance.
C.Configure a CloudWatch Alarm on the DatabaseConnections metric to reboot the instance.
D.Enable Multi-AZ on the RDS instance to automatically failover to the standby.
AnswerD

Multi-AZ automatically handles failover without manual intervention.

Why this answer

Option D is correct because Multi-AZ deployments automatically handle failover to a standby replica in a different Availability Zone when the primary instance becomes unavailable due to an OS crash. This built-in mechanism ensures high availability without manual intervention, as the standby takes over with the same endpoint.

Exam trap

The trap here is that candidates may overcomplicate the solution by proposing custom automation (e.g., Lambda or Systems Manager) when the simplest and most robust answer is to leverage the native Multi-AZ failover feature, which is specifically designed for this scenario.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Run Command is designed for ad-hoc or scheduled administrative tasks on EC2 instances, not for automating RDS instance reboots based on health checks; RDS is a managed service that does not support Run Command for rebooting. Option B is wrong because while an EventBridge rule can trigger a Lambda function, using a custom script to reboot an RDS instance is unnecessary and less reliable than the native Multi-AZ failover, which is the intended AWS solution for OS-level crashes. Option C is wrong because the DatabaseConnections metric measures active connections, not instance health or OS crashes; a low connection count does not indicate an OS crash, and rebooting based on this metric could cause unnecessary downtime.

448
MCQhard

A company uses AWS CloudTrail to log API activity. A SysOps administrator discovers that some management events are not being logged. The administrator checks the CloudTrail configuration and confirms that management events are enabled and logging is working for most events. What is the most likely cause of the missing events?

A.The trail excludes specific management events based on read/write filtering
B.The trail is logging only data events for S3
C.The trail is configured to log events only for a single region, and the missing events occurred in a different region
D.The missing events are from unsupported services
AnswerC

CloudTrail must be configured to log events from all regions to capture global events or events in other regions.

Why this answer

Option C is correct because CloudTrail trails can be configured to log events for a single region or all regions. If the trail is set to log only one region, management events occurring in any other region will not be captured. Since the administrator confirmed management events are enabled and logging works for most events, the most likely cause is that the missing events originated from a region not covered by the trail.

Exam trap

The trap here is that candidates often overlook the region scope of CloudTrail and assume that enabling management events globally means all regions are covered, but a single-region trail only captures events from its designated region.

How to eliminate wrong answers

Option A is wrong as the most likely cause: the trail's read/write selector does apply to management events, but it drops an entire class (every read-only or every write-only call) rather than scattered events, and it sits in the same configuration the administrator has just reviewed and found correct. Option B is wrong because a trail that logged only S3 data events would record no management events at all, contradicting the statement that most of them are arriving. Option D is wrong because CloudTrail records management events for the vast majority of AWS services, and a service that is not integrated produces no events to miss in the first place; nothing in the scenario points to such a service.
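The fix for the scenario above, as an added CloudFormation example (not from the question bank): a single trail with IsMultiRegionTrail enabled, global-service events included, log file validation on, and the two bucket policy statements CloudTrail requires before it will write. The trail name all-regions is an assumption; it must match the ARN used in the bucket policy conditions, which prevent another account's trail from writing into this bucket.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not from the question bank: a multi-region CloudTrail trail
  with the bucket policy CloudTrail needs, so no region is silently excluded.
Resources:
  TrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled                # an overwritten log object keeps its earlier version
  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
            Condition:
              StringEquals:            # only this account's trail, not any CloudTrail anywhere
                AWS:SourceArn: !Sub 'arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/all-regions'
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${TrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                AWS:SourceArn: !Sub 'arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/all-regions'
  AllRegionsTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: TrailBucketPolicy       # CloudTrail validates the bucket policy at creation time
    Properties:
      TrailName: all-regions           # must match the ARN in the conditions above
      S3BucketName: !Ref TrailBucket
      IsLogging: true
      IsMultiRegionTrail: true         # the fix: one trail records management events in every region
      IncludeGlobalServiceEvents: true # IAM, STS, CloudFront and other global-service calls
      EnableLogFileValidation: true    # hourly SHA-256 digest files make log tampering detectable
      EventSelectors:
        - ReadWriteType: All           # both read-only and write-only management calls
          IncludeManagementEvents: true
```

To check an existing account, `aws cloudtrail describe-trails` lists each trail with its IsMultiRegionTrail and IncludeGlobalServiceEvents flags, and `aws cloudtrail validate-logs --trail-arn <arn> --start-time <timestamp>` verifies the delivered files against their digests. A multi-region trail also picks up regions enabled later, which a per-region trail never will.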

449
MCQhard

A company has a VPC with multiple subnets. The SysOps administrator wants to ensure that EC2 instances in a private subnet can access Amazon S3 without going through a NAT Gateway or internet gateway. Which solution meets this requirement?

A.Set up a NAT Gateway in a public subnet and route traffic through it.
B.Create a VPC Gateway Endpoint for S3.
C.Use S3 Transfer Acceleration.
D.Create a VPC Interface Endpoint for S3.
AnswerB

Gateway Endpoint provides private access to S3.

Why this answer

Option B is correct because a gateway endpoint for S3 adds a prefix-list route to the private subnet's route table, so traffic to S3 stays on the AWS network and needs neither a NAT Gateway nor an internet gateway; gateway endpoints also carry no hourly or data-processing charge. Option A is wrong because a NAT Gateway forwards through an internet gateway, which the question rules out.

Option C is wrong because S3 Transfer Acceleration speeds up transfers over CloudFront's public edge network; it is not a private access path. Option D is wrong in the exam's framing: interface endpoints for S3 do exist and also provide private access, but they are billed per hour and per GB, so the free gateway endpoint is the expected answer for access from inside the VPC.

450
MCQmedium

A company uses AWS Backup to back up its Amazon EFS file systems. The SysOps administrator needs to ensure that backups are retained for 7 years to meet compliance requirements. What should the administrator do?

A.Create a backup plan with a lifecycle policy that retains backups for 7 years.
B.Manually delete backups older than 7 years every month.
C.Increase the backup frequency to daily.
D.Configure cross-region backup to copy backups to another region.
AnswerA

Lifecycle policy allows setting retention duration.

Why this answer

Option A is correct because retention is defined in the backup plan's lifecycle rule: set the delete-after period to cover 7 years (and optionally a move-to-cold-storage period to cut storage cost), and AWS Backup deletes each recovery point automatically when it expires. For a compliance requirement, pair the plan with AWS Backup Vault Lock so that recovery points cannot be deleted before they expire, even by an administrator. Option C is wrong because backup frequency changes how many recovery points exist, not how long each one is kept. Option D is wrong because a cross-region copy improves resilience; the copy has its own lifecycle and does not extend retention of the source.

Option B is wrong because manual deletion is neither automated nor auditable, and with a 7-year requirement the real risk is deleting too early, not too late.
