AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 526600

1546 questions total · 21pages · All types, answers revealed

Page 7

Page 8 of 21

Page 9
526
MCQeasy

A SysOps administrator notices that an Amazon RDS DB instance is running at 10% CPU utilization consistently. The instance has 8 vCPUs and 32 GB RAM. The application's performance is adequate. Which action will reduce costs without affecting performance?

A.Enable Multi-AZ deployment for the DB instance.
B.Change the DB instance to a smaller instance type.
C.Change the storage type from gp2 to gp3.
D.Increase the provisioned IOPS.
AnswerB

Selecting a smaller instance type reduces the hourly compute cost. Since current utilization is low, a smaller instance will still provide adequate performance.

Why this answer

The DB instance is over-provisioned for the current workload, as evidenced by the consistently low CPU utilization (10%) and adequate application performance. By changing to a smaller instance type, you reduce compute costs directly while maintaining sufficient capacity for the workload. This is the most straightforward cost optimization action when performance requirements are already met.

Exam trap

The trap here is that candidates may confuse cost optimization with performance improvement or high availability, leading them to select Multi-AZ or IOPS changes, which increase costs rather than reduce them.

How to eliminate wrong answers

Option A is wrong because enabling Multi-AZ deployment increases costs by provisioning a standby replica in a different Availability Zone and does not reduce costs; it improves availability and fault tolerance. Option C is wrong because changing storage type from gp2 to gp3 may reduce storage costs but does not address the over-provisioned compute resources (vCPUs and RAM) that are the primary cost driver here. Option D is wrong because increasing provisioned IOPS increases costs and is unnecessary when performance is already adequate and CPU utilization is low.

527
MCQmedium

A SysOps administrator is investigating an unauthorized stop of an EC2 instance. The CloudTrail log entry shows the event. What is the first step to determine if the action was authorized?

A.Check the S3 bucket where CloudTrail logs are stored.
B.Verify the source IP address belongs to the company.
C.Check the EC2 instance's state change history.
D.Check the IAM permissions of the user 'Admin' at the time of the event.
AnswerD

Determine if the action was allowed.

Why this answer

Option B is correct because the event shows an IAM user "Admin" and a source IP. Checking the IAM permissions for that user at the time of the event will show if they had the ec2:StopInstances permission. Option A is wrong because the event is already in CloudTrail.

Option C is wrong because the instance state change is in CloudTrail. Option D is wrong because the user agent shows console.

528
MCQmedium

A company runs a production database on an Amazon RDS for PostgreSQL instance. The company notices that the database is experiencing high CPU utilization during peak hours, causing performance degradation. The company wants to improve performance while minimizing cost. Which solution should the company implement?

A.Create a Multi-AZ deployment for high availability.
B.Implement Amazon ElastiCache in front of the database.
C.Scale up the DB instance class to a larger size.
D.Add an Amazon RDS read replica to offload read traffic.
AnswerD

Read replicas reduce CPU load on the primary by handling read queries.

Why this answer

Adding a read replica offloads read traffic from the primary instance, reducing CPU utilization. Read replicas are cost-effective and can be promoted if needed. Scaling up the instance type increases cost and may not be necessary.

Multi-AZ provides high availability but does not reduce CPU load. ElastiCache would require application changes and adds cost.

529
MCQhard

An application runs on EC2 instances in an Auto Scaling group. The instances process messages from an SQS queue. To ensure high availability, the SysOps administrator has configured the Auto Scaling group to span three Availability Zones. However, during a recent failure of one AZ, the application experienced a temporary increase in processing latency. What is the MOST likely cause of this latency?

A.The SQS queue is configured to use a single AZ for message storage.
B.SQS messages in the failed AZ are temporarily unavailable until they are replicated to other AZs.
C.The application is not configured to process messages from multiple AZs.
D.The Auto Scaling group's minimum size is too low to handle the load after the AZ failure.
AnswerB

Correct: SQS stores messages redundantly across AZs, but if an AZ fails, messages in that AZ may be temporarily unavailable until replication completes, causing a brief latency spike.

Why this answer

Option D is correct because the SQS queue is a regional service, but the messages are distributed across AZs. When one AZ fails, messages in that AZ may become temporarily unavailable until they are replicated, causing a delay in processing. Option A is wrong because the Auto Scaling group is already configured to span three AZs.

Option B is wrong because SQS automatically replicates across AZs. Option C is wrong because the application should be able to process messages from remaining AZs.

530
Multi-Selecthard

A company uses CloudWatch Logs to collect application logs from EC2 instances. The logs are critical for troubleshooting. The operations team notices that some log entries are missing during peak hours. The CloudWatch Logs agent is configured with a batch size of 1 MB and a batch timeout of 10 seconds. Which TWO actions should the administrator take to reduce the chance of missing log events?

Select 2 answers
A.Use PutLogEvents directly from the application.
B.Reduce the retry count for failed requests.
C.Increase the batch size to 5 MB.
D.Increase the batch timeout to 30 seconds.
E.Enable log compression in the agent configuration.
AnswersC, E

Larger batches reduce the number of API calls, lowering the chance of hitting rate limits.

Why this answer

Option C is correct because increasing the batch size from 1 MB to 5 MB allows the CloudWatch Logs agent to buffer more log data before sending a request. During peak hours, log volume spikes can cause the agent to drop events if the batch fills up faster than it can be transmitted. A larger batch size reduces the frequency of API calls and helps ensure that all log entries are successfully delivered.

Exam trap

The trap here is that candidates often think increasing the batch timeout (Option D) will help, but in reality, a longer timeout increases the risk of buffer overflow during peak traffic, whereas increasing batch size and enabling compression directly address throughput and payload limits.

531
MCQhard

The security team requires that no S3 bucket in the account ever has public read or write ACLs enabled. They want non-compliant buckets automatically remediated within 5 minutes of detection without any manual intervention. What is the correct implementation?

A.Create an AWS Config rule for s3-bucket-public-read-prohibited; configure auto-remediation using the AWS-DisableS3BucketPublicReadWrite SSM Automation document
B.Create an EventBridge rule that matches S3 PutBucketAcl API calls and triggers a Lambda function to re-apply a private ACL
C.Enable S3 Block Public Access at the account level to prevent public ACLs from being set in the first place
D.Schedule a daily Lambda function that lists all buckets, checks ACLs, and removes public grants if found
AnswerA

Config evaluates the rule within seconds of a bucket ACL change. The auto-remediation action invokes the SSM document automatically when compliance status changes to NON_COMPLIANT. The SSM document calls PutBucketAcl to remove public grants. The entire cycle completes in 1-3 minutes under normal conditions.

Why this answer

Option A is correct because AWS Config can evaluate S3 bucket ACLs against the `s3-bucket-public-read-prohibited` managed rule and automatically trigger an AWS Systems Manager (SSM) Automation document (`AWS-DisableS3BucketPublicReadWrite`) as a remediation action. This ensures non-compliant buckets are fixed within minutes without manual intervention, meeting the 5-minute requirement.

Exam trap

The trap here is that candidates often choose Option C (Block Public Access) thinking it prevents all public access, but it does not remediate existing non-compliant buckets, which is explicitly required by the question.

How to eliminate wrong answers

Option B is wrong because EventBridge rules matching `PutBucketAcl` API calls only trigger on new ACL changes, not on existing buckets that already have public ACLs; it also cannot detect public ACLs set via other methods (e.g., S3 console or SDK) and does not provide a 5-minute remediation guarantee for all non-compliant buckets. Option C is wrong because S3 Block Public Access at the account level prevents new public ACLs from being set but does not automatically remediate existing buckets that already have public ACLs; it also does not meet the requirement for automatic remediation within 5 minutes of detection. Option D is wrong because a daily Lambda function runs only once per day, which violates the 5-minute remediation requirement; it also relies on a custom script that may miss edge cases or fail to handle all ACL configurations.

532
MCQeasy

A SysOps administrator needs to automate the provisioning of AWS resources using infrastructure as code. The solution must track changes and allow rollbacks. Which AWS service should the administrator use?

A.AWS CloudFormation
B.AWS Config
C.AWS Service Catalog
D.AWS OpsWorks
AnswerA

CloudFormation automates provisioning and supports rollbacks.

Why this answer

Option B is correct because AWS CloudFormation provides infrastructure as code with change tracking and rollback capabilities. Option A is wrong because AWS Config is for compliance and auditing, not provisioning. Option C is wrong because AWS OpsWorks is a configuration management service, not primarily IaC.

Option D is wrong because AWS Service Catalog is for managing approved products, not general IaC.

533
MCQmedium

A web application publishes a custom metric 'FailedLoginAttempts' to Amazon CloudWatch. The SysOps administrator needs to be notified via Amazon SNS when the number of failed login attempts exceeds 100 within a 5-minute period. Which AWS service or feature should be used to create this notification?

A.Amazon CloudWatch Logs metric filter
B.Amazon CloudWatch alarm
C.Amazon CloudWatch dashboard
D.AWS Config rule
AnswerB

A CloudWatch alarm can monitor any CloudWatch metric (including custom ones) and trigger an action, such as sending a message to an SNS topic, when the metric crosses a defined threshold.

Why this answer

An Amazon CloudWatch alarm is the correct service because it monitors a specific CloudWatch metric (such as 'FailedLoginAttempts') and triggers an action (such as sending an SNS notification) when the metric crosses a defined threshold over a specified period. In this case, the alarm evaluates whether the sum of 'FailedLoginAttempts' exceeds 100 within a 5-minute period, and upon breaching, it publishes to the SNS topic to notify the SysOps administrator.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs metric filters (which extract metrics from logs) with CloudWatch alarms (which evaluate metrics and trigger actions), leading them to choose Option A even though the custom metric is already published to CloudWatch and does not require log extraction.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs metric filters are used to extract metric data from log events (e.g., from CloudWatch Logs), not to monitor a custom metric that is already published directly to CloudWatch; they cannot directly trigger SNS notifications without an alarm. Option C is wrong because an Amazon CloudWatch dashboard is a visualization tool for displaying metrics and alarms, not a service that evaluates metric thresholds or triggers notifications. Option D is wrong because AWS Config rules evaluate resource configurations for compliance against desired policies, not real-time metric values like failed login attempts, and they cannot directly trigger SNS notifications based on metric thresholds.

534
MCQeasy

A SysOps administrator needs to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the administrator do?

A.Create a bucket policy that allows access from the instance's public IP.
B.Create an IAM role with S3 access and attach it to the instance profile.
C.Store the access key and secret key in a file on the instance.
D.Configure the security group to allow outbound traffic to S3.
AnswerB

The instance can assume the role and obtain temporary credentials.

Why this answer

Option B is correct because an IAM role attached to the EC2 instance provides temporary credentials via the instance profile. Option A is wrong because storing access keys on the instance is insecure. Option C is wrong because security groups do not provide credentials.

Option D is wrong because a bucket policy alone does not provide credentials to the instance.

535
MCQmedium

A company has an Amazon VPC with public and private subnets across two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an Amazon S3 bucket to upload and download files. The SysOps administrator must ensure that traffic to S3 does not traverse the internet and minimizes data transfer costs. Which solution should the administrator implement?

A.Create an S3 VPC Gateway Endpoint in the VPC and associate it with the route tables of the private subnets.
B.Create an S3 VPC Interface Endpoint in the VPC and associate it with the security groups of the private subnets.
C.Set up a NAT Gateway in the public subnets and add a route to the private subnets' route tables pointing to the NAT Gateway for S3 traffic.
D.Use AWS PrivateLink with an S3 endpoint service hosted in a different VPC.
AnswerA

Gateway Endpoints provide private connectivity to S3 at no additional cost (only standard data transfer rates apply). By adding a route for the S3 prefix list to the private subnet route tables, traffic destined for S3 is routed through the endpoint.

Why this answer

Option A is correct because an S3 VPC Gateway Endpoint provides a private, cost-effective connection to S3 from within the VPC without traversing the internet. By associating the endpoint with the route tables of the private subnets, traffic destined for S3 is routed directly through AWS's internal network, avoiding data transfer costs and internet egress charges.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints with Interface Endpoints, assuming both are equally suitable for S3, but Gateway Endpoints are free and optimized for S3 and DynamoDB, while Interface Endpoints incur costs and are better for other AWS services.

How to eliminate wrong answers

Option B is wrong because an S3 VPC Interface Endpoint uses AWS PrivateLink with an elastic network interface, incurring per-hour and per-GB data processing costs, which is more expensive than a Gateway Endpoint and unnecessary for S3 access. Option C is wrong because a NAT Gateway routes traffic through the internet to reach S3, incurring data transfer costs and internet egress charges, violating the requirement to avoid internet traversal. Option D is wrong because AWS PrivateLink with an S3 endpoint service hosted in a different VPC is not a standard or supported method for accessing S3; S3 Gateway Endpoints are designed for direct VPC-to-S3 connectivity without cross-VPC complexity.

536
MCQhard

A company's security team wants to ensure that all new S3 buckets created in the AWS account are automatically encrypted with server-side encryption. What should a SysOps administrator do to enforce this?

A.Enable S3 Block Public Access at the account level.
B.Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to encrypt the bucket.
C.Enable default encryption on each existing bucket.
D.Use a service control policy (SCP) to deny creation of buckets without encryption.
AnswerD

SCPs can prevent creation of unencrypted buckets across the organization.

Why this answer

Option D is correct because a bucket policy can deny creation of buckets without encryption, and SCPs can enforce the policy across the organization. Option A is wrong because default encryption is set per bucket, not globally. Option B is wrong because CloudTrail does not enforce encryption.

Option C is wrong because S3 Block Public Access does not enforce encryption.

537
MCQhard

A company uses AWS Global Accelerator to improve the performance of a web application hosted in multiple AWS regions. The application uses an Application Load Balancer (ALB) in each region as the endpoint. Users report that traffic is not being routed to the closest region. What could be the cause?

A.The Global Accelerator is not configured with a custom routing accelerator.
B.The ALBs are not configured to allow cross-region communication.
C.The health checks for the ALBs are failing, so traffic is diverted to other regions.
D.The endpoints are configured in the same AWS region.
AnswerC

Unhealthy endpoints are excluded from routing.

Why this answer

Global Accelerator uses health checks to determine endpoint availability. If the health checks for an ALB in a user's closest region are failing, Global Accelerator will consider that endpoint unhealthy and route traffic to the next closest healthy region. This causes users to be directed to a region farther away, even though a closer region exists.

Exam trap

The trap here is that candidates often overlook the impact of health checks on routing decisions and assume the issue is a misconfiguration of the accelerator or endpoints, rather than a failure in endpoint health monitoring.

How to eliminate wrong answers

Option A is wrong because custom routing accelerators are used for specific use cases like gaming or VoIP where you need to control traffic routing per client, not for standard HTTP/HTTPS traffic to ALBs; the default routing accelerator is appropriate here. Option B is wrong because ALBs do not need cross-region communication for Global Accelerator to route traffic to the closest region; Global Accelerator itself handles cross-region routing independently of ALB configuration. Option D is wrong because if all endpoints were in the same region, traffic would still be routed to that region, not to a different one, and the reported issue is traffic not going to the closest region, which implies multiple regions are configured.

538
MCQhard

A SysOps administrator is implementing a disaster recovery strategy for an S3 bucket containing critical data. The bucket must be available within 15 minutes if the primary region fails. Data must be replicated with RPO of less than 5 minutes. Which S3 replication configuration should be used?

A.Enable S3 Versioning and S3 Same-Region Replication (SRR)
B.Enable S3 Versioning and configure S3 Event Notifications to trigger a Lambda function that copies objects to another region
C.Enable S3 Versioning and transfer data to another region using AWS DataSync
D.Enable S3 Versioning and S3 Cross-Region Replication (CRR) with replication time control (RTC)
AnswerD

CRR plus RTC ensures replication within minutes and provides cross-region DR.

Why this answer

Correct answer is D. S3 Same-Region Replication (SRR) is for same-region, not DR. Cross-Region Replication (CRR) replicates to another region with RPO typically minutes.

However, to achieve RPO <5 minutes and availability within 15 minutes, CRR is the correct choice. Option A is wrong because SRR does not protect against region failure. Option B is wrong because it uses SRR, which is same-region.

Option C is wrong because versioning alone does not replicate to another region.

539
MCQhard

A company is running a stateful web application on EC2 instances in an Auto Scaling group. The application requires low latency and high throughput. Currently, the application is experiencing performance degradation during peak hours. Which scaling strategy should the SysOps administrator implement to improve performance and optimize cost?

A.Step scaling policy based on memory utilization
B.Scheduled scaling with fixed times
C.Simple scaling policy based on CPU utilization
D.Predictive scaling policy
AnswerD

Proactively scales based on forecast, improving performance and cost.

Why this answer

Option B is correct because predictive scaling uses historical data to forecast capacity needs, scaling in advance to handle peak loads, improving performance and cost. Simple scaling may react too slowly. Step scaling is better than simple but still reactive.

Scheduled scaling works for predictable patterns but not dynamic ones.

540
MCQeasy

Refer to the exhibit. An IAM role has the trust policy shown. Which entity can assume this role?

A.Only the IAM user with the ARN arn:aws:iam::123456789012:user/Admin
B.Any IAM user in any AWS account
C.Any IAM user in the AWS account 123456789012
D.Only users who have MFA enabled
AnswerC

The root principal includes all IAM users in the account.

Why this answer

Option B is correct because the trust policy allows the root user of the same account (arn:aws:iam::123456789012:root) to assume the role. This includes all IAM users in that account. Option A is incorrect because the policy does not specify any user ARN.

Option C is incorrect because the policy does not allow external accounts. Option D is incorrect because the condition is empty and does not require MFA.

541
Multi-Selecthard

A company uses AWS CloudTrail to log API activity. The security team wants to be alerted when an IAM user creates a new access key. Which THREE steps should the SysOps administrator take to meet this requirement?

Select 3 answers
A.Configure the CloudTrail trail to deliver logs directly to an SNS topic.
B.Configure the Lambda function to publish a custom metric to CloudWatch.
C.Set a CloudWatch alarm on the custom metric to send an Amazon SNS notification when the metric exceeds a threshold.
D.Create a CloudWatch Logs subscription filter that sends matching log events to an AWS Lambda function.
E.Create an Amazon EventBridge rule that matches the CreateAccessKey event and triggers an SNS notification.
AnswersB, C, D

Publishing a custom metric allows setting an alarm on the count of access key creations.

Why this answer

Options A, B, and D are correct. CloudTrail logs events in JSON, so a CloudWatch Logs subscription filter can be used to match the event name 'CreateAccessKey' and send matching events to Lambda for processing. The Lambda function can then publish a custom metric to CloudWatch, and a CloudWatch alarm can be set on that metric.

Option C is wrong because EventBridge can directly match events without needing a CloudWatch Logs subscription; but the scenario asks for three steps, and using EventBridge alone is simpler but does not include the metric/alarm path. Option E is wrong because SNS can send notifications but does not provide filtering logic; it would receive all events.

542
MCQeasy

A company is using Amazon CloudFront to deliver content globally. Which feature can help reduce costs by minimizing data transfer from the origin?

A.Enable multiple origins for load balancing.
B.Configure caching to serve content from edge locations.
C.Configure custom SSL certificates.
D.Use Lambda@Edge to process requests.
AnswerB

Caching reduces requests to the origin, lowering data transfer costs.

Why this answer

Option D is correct because caching at edge locations reduces origin requests, lowering data transfer costs. Option A is wrong because using multiple origins increases complexity. Option B is wrong because Lambda@Edge runs code but doesn't reduce origin transfer.

Option C is wrong because custom SSL certificates don't affect transfer costs.

543
MCQmedium

An administrator runs the above command to list EC2 instances. The company wants to optimize costs. Which instance should the administrator consider terminating first?

A.i-0efgh5678 (t3.large, running in us-east-1b)
B.i-0abcd1234 (t3.medium, running in us-east-1a)
C.i-0mnop3456 (t3.medium, stopped in us-east-1c)
D.i-0ijkl9012 (t3.xlarge, running in us-east-1a)
AnswerC

Stopped instances still incur costs for attached resources.

Why this answer

The instance i-0mnop3456 is stopped but still incurs costs for EBS volumes and possibly Elastic IPs. Terminating it will eliminate those costs. The running instances are in use and may be necessary.

The t3.medium instances are smaller and may be needed.

544
MCQhard

A company has a stateful web application that requires session persistence. The application is deployed on EC2 instances behind an Application Load Balancer. The company wants to improve performance by caching frequently accessed data. Which solution is MOST cost-effective?

A.Increase the instance size of the EC2 instances to improve performance.
B.Use Amazon ElastiCache with Memcached to cache session data and frequently accessed data.
C.Use Amazon CloudFront to cache static and dynamic content at the edge.
D.Enable sticky sessions (Session Affinity) on the ALB.
AnswerB

ElastiCache improves performance by caching data and is cost-effective.

Why this answer

ElastiCache with Memcached is a cost-effective in-memory caching solution that can improve performance by caching frequently accessed data. It supports session storage. ELB sticky sessions (Session Affinity) ensure requests from the same user go to the same instance, but do not cache data.

Increasing instance size improves performance but at a higher cost. CloudFront caches content at the edge, not application data.

545
MCQmedium

A SysOps administrator is tasked with automating the creation of IAM roles and policies using AWS CloudFormation. The template includes an IAM role and a managed policy. The stack creation fails with the error 'Policy arn:aws:iam::123456789012:policy/MyManagedPolicy not found'. The policy is created in the same template. What is the MOST likely solution?

A.Add a 'DependsOn' clause to the IAM role resource for the managed policy, and reference the policy ARN using the 'Ref' intrinsic function.
B.Remove the policy document from the template and create the policy separately.
C.Use a custom resource to create the policy before the role.
D.Create the IAM role in a separate stack.
AnswerA

DependsOn ensures the policy is created first; Ref returns the ARN.

Why this answer

Option A is correct because the IAM role has a DependsOn the policy, but the policy ARN is not known until the policy is created; referencing the policy by its logical name in the role's ManagedPolicyArns property resolves this. Option B is wrong because the policy document is not the issue. Option C is wrong because the role name can be specified.

Option D is wrong because the role can be created in the same stack.

546
MCQhard

A SysOps administrator is troubleshooting a slow web application running on EC2 instances behind an ALB. The application uses an RDS MySQL database. The administrator checks CloudWatch metrics and sees that the ALB's latency is high, the RDS CPU is high, and the EC2 CPU is moderate. The application team reports that the database queries are slow. The administrator suspects that the database is the bottleneck. However, the RDS instance is already a db.r5.large and the administrator wants to avoid increasing instance size due to cost. What should the administrator do to improve performance without increasing instance size?

A.Increase the number of EC2 instances to reduce the load on the database.
B.Add an ElastiCache Redis cluster to cache database queries.
C.Create a Read Replica and offload read traffic to it.
D.Enable Performance Insights on the RDS instance to identify slow queries.
AnswerD

Performance Insights helps pinpoint the exact queries causing high load for optimization.

Why this answer

Option D is correct because enabling Performance Insights on the RDS instance allows the administrator to identify the specific slow queries causing the bottleneck. This diagnostic tool provides a database load analysis, showing which queries consume the most resources, enabling targeted optimization (e.g., adding indexes or rewriting queries) without increasing instance size. Since the EC2 CPU is moderate and the ALB latency is high due to slow database queries, resolving the query performance directly addresses the root cause.

Exam trap

The trap here is that candidates often assume scaling out (more EC2 instances) or adding caching/read replicas will solve a database performance issue, when the real problem is unoptimized queries that need to be identified and fixed first.

How to eliminate wrong answers

Option A is wrong because increasing the number of EC2 instances would not reduce the load on the database; it would increase the number of concurrent connections and queries, potentially worsening the database bottleneck. Option B is wrong because adding an ElastiCache Redis cluster caches only specific query results and requires application-level changes to implement caching logic; it does not fix the underlying slow queries that are already identified as the issue. Option C is wrong because creating a Read Replica offloads read traffic but does not improve the performance of the existing slow queries; the replica would execute the same slow queries, and the primary instance would still be impacted by write operations or unoptimized queries.

547
MCQeasy

A SysOps administrator needs to ensure that an Amazon RDS instance is encrypted at rest. The instance is already provisioned unencrypted. What is the correct approach to enable encryption?

A.Create a snapshot of the instance and restore it with encryption enabled
B.Use AWS KMS to encrypt the underlying EBS volumes of the RDS instance
C.Enable encryption using the AWS CLI command modify-db-instance
D.Modify the RDS instance and enable encryption in the configuration
AnswerA

This is the correct procedure: snapshot, copy with encryption, restore from encrypted snapshot.

Why this answer

RDS encryption can only be enabled at creation time. For an existing unencrypted instance, you must create a snapshot, copy it with encryption, and restore from that encrypted snapshot. Modifying the instance or enabling encryption on the fly is not supported.

548
MCQhard

A SysOps administrator is automating the creation of Amazon RDS DB instances using AWS CloudFormation. The template includes a DB instance with a Multi-AZ deployment. During a stack update, the administrator changes the DB instance class from db.t3.small to db.t3.medium. What is the expected behavior during the update?

A.RDS will create a new DB instance with the new class and delete the old one.
B.RDS will modify both instances simultaneously, causing a brief outage.
C.The update will fail because CloudFormation cannot modify a Multi-AZ DB instance class.
D.RDS will modify the standby instance first, then fail over to it, and finally modify the original primary, resulting in minimal downtime.
AnswerD

This is the standard behavior for Multi-AZ RDS instance class modifications.

Why this answer

When modifying a DB instance class for a Multi-AZ deployment, AWS RDS performs a rolling upgrade: it modifies the standby first, then triggers a failover to make the standby the new primary, and then modifies the old primary. Option B correctly describes this process with minimal downtime. Option A is wrong because a reboot is required after the modification.

Option C is wrong because the modification does not happen without downtime. Option D is wrong because RDS does not create a new instance for a class change.

549
MCQmedium

A company runs a web application on Amazon EC2 instances in private subnets across multiple Availability Zones. The instances need to download software patches from the internet. The SysOps administrator requires a highly available, fully managed solution for outbound internet connectivity. Which solution should be implemented?

A.Deploy a NAT gateway in each Availability Zone and update the route tables for each private subnet to point to the NAT gateway in the same Availability Zone.
B.Attach an Internet Gateway to the VPC and add a default route (0.0.0.0/0) to the Internet Gateway in the private subnet route tables.
C.Create a VPC endpoint for Amazon S3 and route traffic through it.
D.Set up an AWS Direct Connect connection and route all internet-bound traffic through it.
AnswerA

This configuration provides highly available outbound connectivity: if one AZ fails, instances in other AZs continue to have internet access through their local NAT gateway.

Why this answer

A NAT gateway in each Availability Zone provides highly available outbound internet connectivity for instances in private subnets. By placing a NAT gateway in each AZ and routing private subnet traffic to the NAT gateway in the same AZ, you eliminate a single point of failure and ensure that internet-bound traffic remains within the same AZ for low latency and fault tolerance. This is a fully managed AWS service that handles scaling and failover automatically.

Exam trap

The trap here is that candidates often confuse NAT gateways with Internet Gateways, thinking that a single NAT gateway in one AZ provides high availability, but the correct design requires a NAT gateway in each AZ to avoid cross-AZ data transfer costs and single points of failure.

How to eliminate wrong answers

Option B is wrong because attaching an Internet Gateway to the VPC and adding a default route to it in private subnet route tables would allow direct outbound traffic from private instances, but private subnets do not have a route to the Internet Gateway by design; instances in private subnets cannot reach the Internet Gateway directly without a NAT device or a transit gateway. Option C is wrong because a VPC endpoint for Amazon S3 only provides private connectivity to S3, not general internet access for downloading software patches from arbitrary internet hosts. Option D is wrong because AWS Direct Connect is a dedicated private connection to AWS, not a solution for outbound internet connectivity; it does not provide a route to the public internet unless combined with a NAT device or a virtual private gateway with internet access.

550
MCQhard

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all new S3 buckets created in any account have encryption enabled. Which approach should be used to enforce this policy?

A.Create a service control policy (SCP) that denies the s3:CreateBucket action unless the request includes the x-amz-server-side-encryption header with a valid encryption algorithm.
B.Create an IAM role in each member account with a policy that denies s3:CreateBucket without encryption, and require all users to assume that role.
C.Use AWS Config managed rule 's3-bucket-server-side-encryption-enabled' to detect non-compliant buckets and automatically remediate.
D.Enable AWS CloudTrail and create a CloudWatch Events rule that triggers a Lambda function to delete any bucket created without encryption.
AnswerA

SCPs allow central governance over actions across accounts, and can enforce conditions on API calls.

Why this answer

Option A is correct because SCPs can be applied to all accounts in the organization to deny creation of S3 buckets without encryption. Option B is wrong because IAM roles are per account and not centrally enforced. Option C is wrong because CloudTrail is for logging, not enforcement.

Option D is wrong because Config rules detect non-compliance but do not prevent creation.

551
MCQeasy

A SysOps administrator is troubleshooting an Amazon RDS for MySQL instance that is experiencing high CPU utilization. The administrator wants to identify the specific queries consuming the most CPU. What is the MOST efficient way to achieve this?

A.Use CloudWatch metrics for RDS and create a dashboard for CPU utilization.
B.Enable Performance Insights for the RDS instance and view the top SQL queries.
C.Enable Enhanced Monitoring for the RDS instance and view the CPU metrics.
D.Enable CloudWatch Logs for the RDS instance and filter for slow query logs.
AnswerB

Performance Insights provides a visual representation of database load and identifies top SQL queries.

Why this answer

Performance Insights provides a built-in database load visualization and a dashboard that directly shows the top SQL queries consuming the most resources, including CPU. This is the most efficient method because it requires no additional configuration beyond enabling the feature and immediately surfaces the specific queries causing high CPU utilization.

Exam trap

The trap here is confusing Enhanced Monitoring (OS-level metrics) with Performance Insights (database-level query analysis), leading candidates to choose Enhanced Monitoring when it cannot identify specific queries.

How to eliminate wrong answers

Option A is wrong because CloudWatch metrics for RDS show aggregate CPU utilization but do not identify which specific queries are consuming the CPU. Option C is wrong because Enhanced Monitoring provides OS-level metrics (e.g., CPU, memory, disk I/O) but does not correlate those metrics to individual SQL queries. Option D is wrong because enabling CloudWatch Logs for slow query logs only captures queries that exceed a defined execution time threshold, not necessarily the queries consuming the most CPU, and it requires additional parsing to identify top CPU consumers.

552
MCQmedium

A company runs a web application on Amazon EC2 instances in an Auto Scaling group that spans two Availability Zones. The application uses an Application Load Balancer (ALB) that is deployed across the same Availability Zones. The SysOps administrator wants to ensure the application remains available if an entire Availability Zone fails. Which configuration is essential for this high availability?

A.Configure the Auto Scaling group with at least one instance in each Availability Zone.
B.Enable cross-zone load balancing on the Application Load Balancer.
C.Use an Amazon Route 53 health check to route traffic away from a failed AZ.
D.Attach an Elastic IP address to each instance in the Auto Scaling group to ensure IP persistence.
AnswerA

Correct. The Auto Scaling group must have instances in multiple AZs to survive an AZ failure. AZ rebalancing will maintain capacity.

Why this answer

Option A is correct because for high availability across an Availability Zone (AZ) failure, the Auto Scaling group must have at least one healthy instance in each AZ. This ensures that if one AZ becomes unavailable, the ALB can route traffic to instances in the remaining AZ. Without this minimum distribution, a single AZ failure could leave the application with zero healthy targets if all instances were in the failed AZ.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing (which balances traffic) with instance distribution across AZs (which ensures survival), leading them to select Option B instead of recognizing that without instances in each AZ, no load balancing can save the application.

How to eliminate wrong answers

Option B is wrong because cross-zone load balancing distributes traffic evenly across all registered instances in all AZs, but it does not protect against an entire AZ failure—it only balances load, not ensures instance survival. Option C is wrong because Route 53 health checks can route traffic away from a failed AZ at the DNS level, but they do not guarantee that instances exist in the surviving AZ; the Auto Scaling group must already have instances there. Option D is wrong because Elastic IP addresses are not used with Auto Scaling groups (which use dynamic scaling and replacement) and do not provide high availability; they are static IPs for individual instances, not for AZ failure resilience.

553
MCQhard

A company has an S3 bucket that stores millions of small objects (1-10 KB) and uses S3 Standard storage. The bucket receives frequent PUT requests and occasional GET requests. The monthly bill shows high costs for S3 PUT requests. Which action would reduce costs?

A.Move the objects to S3 Glacier Deep Archive to reduce storage cost.
B.Aggregate small objects into larger files (e.g., 1 MB) before uploading to S3.
C.Move the objects to S3 Intelligent-Tiering to optimize storage costs.
D.Use S3 Lifecycle policies to transition objects to S3 Standard-IA after 30 days.
AnswerB

Fewer PUT requests reduce request costs.

Why this answer

Option C is correct because aggregating small objects into larger files reduces the number of PUT requests, which are billed per request. Option A is wrong because S3 Intelligent-Tiering is for storage cost, not request cost. Option B is wrong because S3 Glacier is for archival, and PUT requests to Glacier cost more.

Option D is wrong because lifecycle policies do not reduce PUT request costs.

554
MCQmedium

A company uses AWS CloudTrail to log API activity. The SysOps administrator needs to receive an email notification whenever a new IAM user is created. Which AWS services should be used together to meet this requirement with the least operational overhead?

A.CloudTrail, Amazon SNS, and AWS Lambda
B.CloudTrail, Amazon CloudWatch Logs, and a metric filter with an alarm
C.CloudTrail, Amazon EventBridge, and Amazon SNS
D.AWS Config and Amazon SNS
AnswerC

EventBridge can directly consume CloudTrail events and route them to SNS without custom code, providing the simplest solution.

Why this answer

Option C is correct because Amazon EventBridge can directly capture CloudTrail API events (such as CreateUser) and route them to an SNS topic for email notification without needing any custom code or additional infrastructure. This pattern minimizes operational overhead by using a fully managed event bus with built-in filtering and target routing, eliminating the need for Lambda functions or metric filter configurations.

Exam trap

The trap here is that candidates often overcomplicate the solution by adding Lambda or CloudWatch Logs, not realizing that EventBridge provides a direct, serverless integration between CloudTrail and SNS for real-time event-driven notifications.

How to eliminate wrong answers

Option A is wrong because while CloudTrail and SNS are used, adding AWS Lambda introduces unnecessary custom code and operational overhead when EventBridge can directly invoke SNS without a Lambda intermediary. Option B is wrong because using CloudWatch Logs with a metric filter and alarm requires sending CloudTrail logs to CloudWatch Logs, creating a metric filter, and setting an alarm — this adds complexity and latency compared to EventBridge's real-time event routing. Option D is wrong because AWS Config tracks resource configuration changes, not API-level events like IAM user creation; it would require additional rules and custom remediation to trigger SNS, making it less direct and more overhead than EventBridge.

555
Multi-Selectmedium

A SysOps administrator is automating the creation of an Amazon ECS cluster with Fargate launch type using AWS CloudFormation. The template must define the task definition, service, and cluster. Which THREE resources are required to be in the template? (Choose THREE.)

Select 3 answers
A.AWS::EC2::VPC
B.AWS::ECS::TaskDefinition
C.AWS::ECS::Service
D.AWS::ECS::Cluster
E.AWS::ElasticLoadBalancingV2::LoadBalancer
AnswersB, C, D

Task definition defines the container.

Why this answer

Options A, B, and D are correct. An ECS cluster (A) is required to run tasks. A task definition (B) defines the container specification.

A service (D) manages the desired count and scheduling. Option C is wrong because a VPC is not a resource within ECS; it's an EC2 resource but is required for Fargate; however, the question asks for resources that must be in the template, and VPC is typically created separately. Option E is wrong because a load balancer is optional.

556
Multi-Selecthard

Which THREE components are required to set up a site-to-site VPN connection between an on-premises network and an AWS VPC? (Choose three.)

Select 3 answers
A.Virtual private gateway
B.Internet gateway
C.VPN connection
D.Customer gateway
E.Direct Connect virtual interface
AnswersA, C, D

AWS-side endpoint for the VPN.

Why this answer

A site-to-site VPN requires a virtual private gateway (or transit gateway) attached to the VPC, a customer gateway representing the on-premises device, and a VPN connection that ties them together. The VPN connection includes two tunnels.

557
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a Node.js application. The application requires a specific version of Node.js that is not the default version provided by the Elastic Beanstalk platform. How can the administrator ensure that the correct Node.js version is installed on the environment's EC2 instances?

A.Use the AWS CLI to run a command on each instance to install the desired Node.js version.
B.Use the Elastic Beanstalk console to change the platform version after the environment is created.
C.Set an environment property 'NODE_VERSION' to the desired version.
D.Include a configuration file in the .ebextensions folder that specifies the desired Node.js version.
AnswerD

.ebextensions files can modify the platform version or install additional packages.

Why this answer

Elastic Beanstalk allows customization via configuration files in the .ebextensions folder. Option A is correct. Option B is wrong because the environment properties are for environment variables, not platform settings.

Option C is wrong because you cannot change the platform version after environment creation; you would need to create a new environment. Option D is wrong because the AWS CLI is not used for instance-level configuration.

558
MCQmedium

A company stores database credentials in AWS Secrets Manager. The security policy requires that the credentials be rotated automatically every 30 days. Which action should the SysOps administrator take to enforce this requirement?

A.Configure an AWS Lambda function to rotate the secret and set a CloudWatch Events rule to trigger it every 30 days.
B.Enable automatic rotation in the Secrets Manager console and specify a rotation interval of 30 days using a Lambda rotation function.
C.Use AWS Systems Manager Parameter Store to store the credentials and configure a State Manager association for rotation.
D.Create an IAM policy that forces users to rotate the secret manually every 30 days.
AnswerB

Correct. Secrets Manager natively supports automatic rotation with a configurable interval. You attach a Lambda function to perform the rotation, and the service handles scheduling.

Why this answer

Option B is correct because AWS Secrets Manager natively supports automatic rotation using a Lambda function. By enabling automatic rotation in the console and specifying a 30-day interval, the administrator meets the security policy without manual intervention. Secrets Manager handles the rotation schedule and invokes the Lambda function automatically.

Exam trap

The trap here is that candidates may think any automated scheduling (like CloudWatch Events) is sufficient, but AWS Secrets Manager's native rotation feature is the correct and simplest way to enforce automatic rotation without custom infrastructure.

How to eliminate wrong answers

Option A is wrong because while a Lambda function and CloudWatch Events rule could rotate the secret, this approach bypasses Secrets Manager's built-in rotation mechanism and requires custom scheduling logic, making it less reliable and harder to maintain. Option C is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it is designed for configuration management, not secret rotation. Option D is wrong because creating an IAM policy that forces manual rotation does not enforce automated rotation and relies on user compliance, which violates the requirement for automatic rotation every 30 days.

559
MCQmedium

A SysOps administrator uses AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance. The administrator wants to ensure that if the stack is updated, the EC2 instance is not accidentally replaced if its properties change. The administrator wants the stack update to fail when a property change would require replacement. Which CloudFormation feature should the administrator use?

A.CreationPolicy
B.DeletionPolicy
C.StackPolicy
D.UpdateReplacePolicy
AnswerC

StackPolicy allows you to explicitly deny update actions (including replacement) on specific resources, causing updates that require replacement to fail.

Why this answer

Option C, StackPolicy, is correct because a stack policy is a JSON document that defines which stack resources can be updated or replaced during a stack update. By setting a Deny effect on update actions for the EC2 instance, the administrator can prevent any property change that would cause replacement, causing the update to fail instead of replacing the instance. This directly meets the requirement to block accidental replacement.

Exam trap

The trap here is that candidates often confuse UpdateReplacePolicy (which manages what happens to the old resource after replacement) with a mechanism to prevent replacement, but UpdateReplacePolicy does not block the update—it only controls the disposition of the replaced resource.

How to eliminate wrong answers

Option A is wrong because a CreationPolicy is used to wait for signals (e.g., from cfn-signal) before declaring the resource creation complete; it does not control update behavior or prevent replacement. Option B is wrong because a DeletionPolicy defines what happens to a resource when the stack is deleted (e.g., retain, snapshot, delete), not during an update. Option D is wrong because an UpdateReplacePolicy controls the behavior of a resource when it is replaced during an update (e.g., retain the old resource), but it does not prevent the update from occurring or failing; it only dictates what happens to the replaced resource.

560
MCQmedium

A company runs a stateful web application on a single EC2 instance. To improve reliability, the company wants to implement a highly available architecture. What should the SysOps administrator do?

A.Refactor the application to store session state externally (e.g., ElastiCache), then deploy it across multiple AZs with an Application Load Balancer.
B.Migrate the application to a larger instance type.
C.Create a standby EC2 instance and use an Elastic IP to fail over manually.
D.Use Route 53 health checks to route traffic to a secondary instance if the primary fails.
AnswerA

Correct: Externalizing session state allows the application to be stateless, enabling horizontal scaling and high availability.

Why this answer

Option C is correct because making the application stateless and distributing instances across multiple AZs with a load balancer provides high availability. Option A is wrong because a larger instance is still a single point of failure. Option B is wrong because a standby instance is not automatically used; failover is manual.

Option D is wrong because Route 53 health checks alone do not handle failover automatically if the instance is stateful.

561
MCQmedium

Refer to the exhibit. A SysOps administrator runs the commands shown. Which key(s) have automatic key rotation enabled?

A.Only the first key
B.Only the second key
C.Neither key
D.Both keys
AnswerA

KeyRotationEnabled is true for the first key.

Why this answer

The output shows that key 1234abcd-12ab-34cd-56ef-1234567890ab has KeyRotationEnabled set to true, so it has automatic rotation enabled. Key 0987fedc-87fe-65dc-43ba-abcdef123456 has false. Option A is correct.

Options B, C, D are incorrect.

562
MCQeasy

A company is using AWS OpsWorks for configuration management of their EC2 instances. The SysOps Administrator wants to migrate to AWS Systems Manager for a more modern approach. The administrator needs to ensure that existing instances running Amazon Linux 2 can be managed by Systems Manager without downtime. The instances are currently in a running state and are critical to operations. What should the administrator do?

A.Change the OpsWorks stack configuration to use Systems Manager instead of OpsWorks agent.
B.Create a custom AMI with the SSM Agent pre-installed and launch new instances from it.
C.Delete the OpsWorks stack and recreate it with Systems Manager integration.
D.Install the SSM Agent on the existing instances using a script or AWS Systems Manager Run Command.
AnswerD

Installation can be done without downtime.

Why this answer

Option B is correct. Installing the AWS Systems Manager Agent (SSM Agent) on the existing instances allows them to be managed by Systems Manager without downtime. Option A is wrong because creating a new AMI and launching new instances would cause downtime.

Option C is wrong because replacing OpsWorks with Systems Manager is not a simple switch; the agent must be installed. Option D is wrong because recreating the stack would be disruptive.

563
MCQeasy

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest. The administrator wants to automatically remediate any bucket that is created without default encryption. Which AWS service should be used to achieve this with the least operational overhead?

A.AWS Config with a managed rule and auto-remediation via AWS Systems Manager Automation
B.AWS CloudTrail with Amazon CloudWatch Events and AWS Lambda
C.AWS Trusted Advisor with Amazon Simple Notification Service (SNS)
D.Amazon Inspector with AWS Systems Manager Patch Manager
AnswerA

AWS Config can evaluate resources against managed rules and trigger automated remediation actions, such as enabling S3 default encryption via SSM Automation.

Why this answer

AWS Config with the managed rule 's3-bucket-default-encryption-enabled' can detect S3 buckets that lack default encryption. By attaching an AWS Systems Manager Automation document (e.g., 'AWS-EnableS3BucketEncryption') as an auto-remediation action, the administrator can automatically apply AES-256 or AWS-KMS encryption to noncompliant buckets without manual intervention, minimizing operational overhead.

Exam trap

The trap here is that candidates may assume AWS Config only provides detection and not remediation, overlooking the auto-remediation integration with Systems Manager Automation, or they may confuse AWS Config's managed rules with Trusted Advisor's advisory checks.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail with CloudWatch Events and Lambda requires custom code and event-driven architecture, which introduces more operational overhead than AWS Config's built-in auto-remediation. Option C is wrong because AWS Trusted Advisor only provides recommendations and alerts via SNS, not automated remediation. Option D is wrong because Amazon Inspector is designed for vulnerability assessment of EC2 instances and container workloads, not for S3 bucket encryption compliance.

564
MCQeasy

A SysOps administrator wants to automate the creation of an Amazon RDS database instance using AWS CloudFormation. The database must be created in a specific VPC and must be Multi-AZ. Which CloudFormation resource property should the administrator configure to meet these requirements?

A.DBSubnetGroupName and MultiAZ
B.Engine
C.DBInstanceClass
D.DBInstanceIdentifier
AnswerA

Correct: These properties control VPC placement and Multi-AZ configuration.

Why this answer

The correct answer is D because the AWS::RDS::DBInstance resource has properties for DBSubnetGroupName (to specify VPC subnets) and MultiAZ (to enable Multi-AZ). Option A is wrong because the DBInstanceIdentifier is just a name. Option B is wrong because the DBInstanceClass determines the instance type, not the VPC or Multi-AZ.

Option C is wrong because the Engine property specifies the database engine type.

565
MCQhard

A company runs a critical database on an EC2 instance with an EBS volume. The administrator wants to create a disaster recovery plan that can recover the database in a different AWS Region within 4 hours. The database size is 1 TB. What is the MOST efficient approach to meet the RTO?

A.Share the AMI with the target region.
B.Copy the AMI and underlying EBS snapshots to the DR region.
C.Use EBS snapshots directly in the DR region.
D.Configure AWS Backup to copy backups to the DR region.
AnswerB

Copying the AMI and snapshots to the DR region allows launching an instance in that region, meeting the RTO.

Why this answer

Option D is correct because copying the AMI and snapshot to another region allows launching an instance there. Option A is incorrect because sharing does not copy to another region. Option B is incorrect because EBS snapshots are regional, not global.

Option C is incorrect because AWS Backup can copy to another region, but the process is similar to manual copy; however, the key is to have the AMI/snapshot available in the DR region.

566
Multi-Selectmedium

A company is using AWS Elastic Beanstalk to deploy a web application. The application experiences high traffic during business hours and low traffic at night. The administrator wants to minimize costs while ensuring performance. Which THREE actions should the administrator take? (Choose THREE.)

Select 3 answers
A.Enable enhanced health reporting and monitoring for the environment.
B.Configure the Auto Scaling group with a scheduled scaling policy to increase capacity during business hours.
C.Use a launch template to define instance configuration.
D.Set up CloudWatch alarms to trigger scaling based on response time.
E.Deploy the application in multiple Elastic Beanstalk environments.
AnswersA, B, D

Enhanced health reporting provides detailed metrics for better scaling decisions.

Why this answer

Options A, C, and E are correct. Configuring the Auto Scaling group with a scheduled scaling policy to increase capacity during business hours and decrease at night optimizes cost. Enabling enhanced health reporting provides better insights.

Setting up CloudWatch alarms to trigger scaling based on response time ensures performance during unexpected spikes. Option B (launch template) is not needed for scaling. Option D (multiple environments) may increase costs.

567
MCQeasy

A company runs a batch processing job on a single EC2 instance that runs for 2 hours every night. The job is fault-tolerant and can be interrupted. The SysOps administrator wants to minimize compute costs. What is the MOST cost-effective solution?

A.Use an On-Demand instance to ensure the job runs every night.
B.Purchase a Reserved Instance for 1 year to get a discount.
C.Launch a Dedicated Host to ensure consistent performance.
D.Use a Spot Instance that can be interrupted but is significantly cheaper.
AnswerD

Spot Instances provide large cost savings for fault-tolerant jobs.

Why this answer

A Spot Instance is the most cost-effective choice because the job is fault-tolerant and can be interrupted, allowing you to leverage unused AWS EC2 capacity at up to 90% discount compared to On-Demand pricing. Since the job runs for only 2 hours nightly and can handle interruptions, Spot Instances provide the lowest compute cost while meeting the workload requirements.

Exam trap

The trap here is that candidates often choose Reserved Instances for any recurring workload, failing to recognize that the short duration (2 hours/night) and interruptibility of the job make Spot Instances far more cost-effective without the long-term commitment.

How to eliminate wrong answers

Option A is wrong because using an On-Demand instance incurs the highest per-hour cost with no discount, which is not cost-effective for a fault-tolerant batch job that can be interrupted. Option B is wrong because purchasing a Reserved Instance for 1 year requires a long-term commitment and upfront payment, which is wasteful for a job that runs only 2 hours per night (approximately 730 hours per year) and does not benefit from the steady-state usage discount. Option C is wrong because a Dedicated Host is a physical server dedicated to your use, which is significantly more expensive and unnecessary for a single batch processing job that does not require dedicated hardware or licensing compliance.

568
MCQeasy

A SysOps administrator wants to identify underutilized Amazon EC2 instances that could be downsized to reduce costs. The administrator needs a tool that provides recommendations based on historical utilization data. Which AWS service should the administrator use?

A.AWS Trusted Advisor
B.AWS Compute Optimizer
C.AWS Cost Explorer
D.AWS Budgets
AnswerB

Compute Optimizer provides specific recommendations to downsize or terminate underutilized EC2 instances based on usage patterns.

Why this answer

AWS Compute Optimizer is the correct service because it analyzes historical utilization metrics (CPU, memory, network, and storage) for EC2 instances and generates specific downsizing recommendations to reduce cost without sacrificing performance. It uses machine learning to identify underutilized resources and provides actionable guidance, making it the ideal tool for this use case.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's idle instance check with Compute Optimizer's detailed, ML-driven downsizing recommendations, but Trusted Advisor only flags instances with low average CPU utilization (e.g., below 10%) without considering memory, network, or storage patterns.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides general best-practice checks (e.g., idle instances, security groups) but does not offer granular, ML-based downsizing recommendations based on historical utilization data. Option C is wrong because AWS Cost Explorer focuses on visualizing and analyzing cost and usage trends, not on providing specific EC2 instance type recommendations for downsizing. Option D is wrong because AWS Budgets allows you to set cost thresholds and alerts, but it does not analyze historical utilization or generate downsizing recommendations.

569
MCQmedium

A SysOps administrator needs to monitor the CPU utilization of an Amazon RDS for PostgreSQL instance and receive an alert if the usage exceeds 80% for 5 consecutive minutes. The database is in a production environment. What is the MOST efficient way to achieve this?

A.Configure an Amazon Simple Notification Service (SNS) topic to subscribe to CloudWatch alarms for all RDS metrics and filter for CPUUtilization.
B.Create an AWS Lambda function that queries the RDS performance schema every minute and publishes a custom metric to CloudWatch, then set an alarm.
C.Create an Amazon CloudWatch alarm on the CPUUtilization metric with a threshold of 80 and an evaluation period of 5 minutes.
D.Use a third-party monitoring tool such as Datadog because CloudWatch cannot monitor RDS CPU utilization.
AnswerC

CloudWatch directly monitors RDS metrics and can trigger an alarm based on the metric's value over a specified period.

Why this answer

Option C is correct because Amazon CloudWatch natively publishes the CPUUtilization metric for RDS instances every minute (standard monitoring) or every 5 minutes (enhanced monitoring). Creating a CloudWatch alarm with a threshold of 80% and an evaluation period of 5 consecutive minutes directly meets the requirement without additional infrastructure. This is the most efficient approach as it uses built-in RDS monitoring capabilities with no custom code or third-party tools.

Exam trap

The trap here is that candidates may overcomplicate the solution by assuming CloudWatch cannot natively monitor RDS CPU utilization or that custom code is required, when in fact RDS automatically publishes CPUUtilization to CloudWatch and alarms can be configured directly.

How to eliminate wrong answers

Option A is wrong because subscribing an SNS topic to all CloudWatch alarms for RDS metrics would require filtering at the SNS level, which is inefficient and does not directly create the alarm; the alarm must be created first, and SNS is a notification target, not a monitoring configuration tool. Option B is wrong because querying the RDS performance schema every minute via Lambda is unnecessarily complex, introduces latency, and incurs additional cost; CloudWatch already provides the CPUUtilization metric natively for RDS without custom instrumentation. Option D is wrong because CloudWatch fully supports monitoring RDS CPU utilization; a third-party tool like Datadog adds cost and complexity without solving the stated requirement.

570
MCQmedium

A company is using Amazon CloudWatch Logs to monitor application logs from EC2 instances. The operations team wants to receive a notification when a specific error pattern appears in the logs. Which solution requires the least operational overhead?

A.Install the CloudWatch agent on EC2 instances and configure it to stream logs to CloudWatch Logs. Create a metric filter for the error pattern and set a CloudWatch alarm that sends an SNS notification.
B.Use Amazon Kinesis Data Firehose to stream all logs to Amazon S3, then run an AWS Glue job to search for the error pattern and trigger an SNS notification.
C.Install the CloudWatch agent on EC2 instances, stream logs to CloudWatch Logs, and use a subscription filter to invoke an AWS Lambda function that publishes a message to an SNS topic.
D.Configure the application to write logs to a file, use the CloudWatch agent to send logs to CloudWatch Logs, set a metric filter, and use the filter to send data to Amazon EventBridge, which then triggers a Lambda function to send an SNS notification.
AnswerC

Subscription filters provide serverless, real-time processing without managing additional resources.

Why this answer

Option C is correct because it uses a CloudWatch Logs subscription filter to directly invoke a Lambda function when a log event matches the error pattern, which then publishes an SNS notification. This approach avoids the overhead of creating and managing metric filters and alarms, and it provides real-time, event-driven processing with minimal configuration.

Exam trap

The trap here is that candidates often assume metric filters and alarms are the simplest solution, but they overlook the real-time, event-driven nature of subscription filters, which actually require less overhead for immediate notification.

How to eliminate wrong answers

Option A is wrong because while it uses metric filters and alarms, this approach requires polling and incurs additional latency; metric filters are evaluated on a schedule, not in real-time, and the alarm must transition through states, adding operational overhead. Option B is wrong because it introduces unnecessary complexity by streaming logs to S3 and running AWS Glue jobs, which are batch-oriented and not designed for real-time notification; this adds significant operational overhead and latency. Option D is wrong because it adds an unnecessary intermediate step by sending data to EventBridge before triggering Lambda; the subscription filter can directly invoke Lambda, making the EventBridge hop redundant and increasing overhead.

571
MCQeasy

A company hosts a web application on multiple EC2 instances behind an Application Load Balancer (ALB). The SysOps administrator receives a report that the application is experiencing intermittent 503 errors. The ALB target group health checks are configured to check the /health endpoint every 30 seconds with a healthy threshold of 2 and an unhealthy threshold of 2. The administrator checks the ALB metrics and notices that the number of healthy hosts occasionally drops to zero. The EC2 instances are normal and the application logs show no errors. What is the most likely cause and solution?

A.Increase the health check interval to 60 seconds.
B.Increase the health check timeout to 10 seconds.
C.Add more EC2 instances to the target group.
D.Decrease the healthy threshold to 1.
AnswerB

A longer timeout accommodates momentary slowdowns in the health check endpoint response.

Why this answer

The intermittent 503 errors and healthy hosts dropping to zero indicate that health checks are timing out before the application can respond. With a default health check timeout of 5 seconds and a 30-second interval, if the /health endpoint occasionally takes longer than 5 seconds (e.g., due to transient load), the ALB marks instances unhealthy after two consecutive failures (unhealthy threshold of 2). Increasing the timeout to 10 seconds gives the endpoint more time to respond, preventing false negatives without changing the check frequency.

Exam trap

The trap here is that candidates often confuse increasing the health check interval (Option A) with giving more time for the application to respond, when in fact the timeout parameter directly controls how long the ALB waits for a response before marking the check as failed.

How to eliminate wrong answers

Option A is wrong because increasing the health check interval to 60 seconds would reduce the frequency of checks, delaying detection of actual failures and not addressing the root cause of timeouts. Option C is wrong because adding more EC2 instances does not fix the underlying health check timeout issue; the new instances would also fail the same timeout-based health checks. Option D is wrong because decreasing the healthy threshold to 1 would make the target group more sensitive to transient failures, potentially causing even more frequent flapping and 503 errors.

572
MCQhard

A SysOps administrator is troubleshooting an issue where an EC2 instance is not sending logs to CloudWatch Logs. The instance has the CloudWatch agent installed, but no logs appear in the log group. The IAM role assigned to the instance has the following policy: {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:MyAppLogs:*"}]}. What is the most likely cause?

A.The log group name in the agent configuration does not match the policy resource.
B.The CloudWatch agent is not running on the instance.
C.The IAM role does not have permission to describe log groups.
D.The instance does not have outbound internet access to reach CloudWatch Logs.
AnswerA

The policy allows only actions on MyAppLogs; mismatch causes failure.

Why this answer

The IAM policy grants permissions only for the log group named 'MyAppLogs' (with a wildcard for streams). If the CloudWatch agent configuration specifies a different log group name, the agent's API calls to CreateLogGroup, CreateLogStream, or PutLogEvents will fail with an AccessDenied error because the resource ARN in the policy does not match the actual log group being targeted. This is the most common cause when the agent is installed and running but no logs appear.

Exam trap

The trap here is that candidates often assume the agent is not running or lacks internet access, but the real issue is a mismatch between the IAM policy resource and the log group name in the agent configuration, which causes an implicit deny.

How to eliminate wrong answers

Option B is wrong because if the CloudWatch agent were not running, the instance would not be able to send any logs at all, but the question states the agent is installed and the issue is that no logs appear—the agent could be running but failing due to permissions. Option C is wrong because the logs:DescribeLogGroups action is not required for sending logs; the agent only needs CreateLogGroup, CreateLogStream, and PutLogEvents to write logs. Option D is wrong because EC2 instances can reach CloudWatch Logs via the AWS public endpoint or a VPC endpoint without requiring internet access; the policy mismatch is a more specific and likely cause.

573
MCQeasy

A company wants to receive alerts when its AWS costs exceed a certain threshold. Which AWS service should be used?

A.Amazon CloudWatch
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Budgets
AnswerD

Allows setting cost budgets and sending alerts.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets and receive alerts when actual or forecasted costs exceed a defined threshold. It directly supports cost-based alerting with actions such as sending an SNS notification or applying an IAM policy to restrict resources when the budget limit is breached.

Exam trap

The trap here is that candidates confuse AWS Budgets with AWS Cost Explorer, assuming Cost Explorer can send alerts, when in fact Cost Explorer is only a reporting and analysis tool without native alerting capabilities.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch monitors AWS resource utilization and application performance metrics, not cost thresholds; while it can trigger alarms on billing metrics if you enable detailed billing metrics, it is not the primary service for cost-based budget alerts. Option B is wrong because AWS Cost Explorer provides visualization and analysis of historical cost data but does not support proactive threshold-based alerts. Option C is wrong because AWS Trusted Advisor offers cost optimization recommendations and checks for idle resources, but it does not allow you to set custom cost thresholds or send alerts when costs exceed a specific amount.

574
MCQhard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They have a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. They launch an EC2 instance in the private subnet and need it to have a predictable, static private IP address for database replication. Which action should be taken?

A.Modify the subnet's IP assignment settings to make all IPs static.
B.Create an Elastic IP and associate it with the primary network interface of the instance.
C.Use a custom DHCP option set to assign a static IP.
D.Enable auto-assign public IP on the private subnet.
AnswerB

Elastic IP is static and can be associated with an ENI for a fixed private IP.

Why this answer

Option B is correct because an Elastic IP attached to an ENI in the private subnet provides a static private IP (through the ENI). Option A is wrong because auto-assign public IP does not affect private IP. Option C is wrong because DHCP option set does not assign static IP.

Option D is wrong because modifying the subnet does not assign a specific IP to an instance.

575
MCQmedium

A company has multiple AWS accounts managed under AWS Organizations. The SysOps administrator needs to deploy a common AWS CloudFormation template to all accounts in a specific organizational unit (OU), ensuring consistent security group configurations across the organization. Which AWS service should the administrator use to perform this deployment?

A.AWS CloudFormation StackSets
B.AWS CodePipeline with cross-account actions
C.AWS Service Catalog portfolio
D.AWS Systems Manager Automation
AnswerA

StackSets are designed for deploying CloudFormation templates across multiple accounts and regions, and integrate with AWS Organizations to target OUs.

Why this answer

AWS CloudFormation StackSets extends the functionality of CloudFormation by allowing you to deploy a common template across multiple accounts and regions from a single management account. In this scenario, the administrator can target the specific organizational unit (OU) within AWS Organizations, ensuring consistent security group configurations are applied to all member accounts without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Service Catalog as a deployment mechanism for multi-account rollouts, but it is a governance tool for end-user provisioning, not an automated push deployment service like StackSets.

How to eliminate wrong answers

Option B is wrong because AWS CodePipeline with cross-account actions is a CI/CD service that orchestrates build, test, and deploy stages, but it does not natively support deploying a single template to multiple accounts in an OU with built-in drift detection and rollback; it would require custom scripting and manual account targeting. Option C is wrong because AWS Service Catalog portfolios allow you to create and manage a catalog of approved products (including CloudFormation templates) that users can launch, but it does not automatically deploy templates to all accounts in an OU; it relies on end-user self-service provisioning. Option D is wrong because AWS Systems Manager Automation is designed for operational tasks like patching, configuration management, and remediation across instances, not for deploying CloudFormation templates to multiple AWS accounts; it lacks the multi-account, multi-region orchestration capabilities of StackSets.

576
MCQmedium

A company uses Amazon S3 to store sensitive data. The SysOps administrator needs to ensure that any attempt to upload an object with server-side encryption disabled is immediately detected and the administrator is notified. The administrator has enabled AWS CloudTrail and is logging S3 data events. Which approach should the administrator use to achieve this?

A.Enable S3 event notifications to send events to SNS for all PutObject operations.
B.Create a CloudWatch Events rule that matches PutObject API calls without the encryption header and triggers an SNS notification.
C.Create an AWS Config rule to detect objects without encryption.
D.Use S3 Inventory to generate a daily report of unencrypted objects.
AnswerB

CloudTrail logs contain the request parameters; CloudWatch Events can filter and act.

Why this answer

Option B is correct because CloudWatch Events (now Amazon EventBridge) can filter API calls captured by CloudTrail for PutObject operations that lack the x-amz-server-side-encryption header, and then trigger an SNS notification in near real-time. This ensures immediate detection and notification of any upload with server-side encryption disabled, meeting the requirement for instant alerting.

Exam trap

The trap here is that candidates may confuse S3 event notifications (which trigger on all PutObject operations without filtering) with CloudWatch Events (which can filter on API call details), leading them to choose Option A despite its inability to detect missing encryption headers.

How to eliminate wrong answers

Option A is wrong because S3 event notifications for PutObject operations do not inspect the encryption header; they trigger on all PutObject events regardless of encryption status, so they cannot distinguish between encrypted and unencrypted uploads. Option C is wrong because AWS Config rules evaluate resource configurations periodically or on configuration changes, not in real-time for each API call, and they would detect unencrypted objects at rest rather than the act of uploading without encryption. Option D is wrong because S3 Inventory generates a daily report of objects and their metadata, which is not immediate and cannot provide real-time detection or notification of the upload attempt.

577
MCQmedium

A company uses AWS Key Management Service (KMS) to encrypt data in Amazon S3. They want to ensure that the KMS key can only be used from within a specific VPC. How can this be accomplished?

A.Add a condition in the S3 bucket policy to allow only requests from the VPC.
B.Add a condition in the KMS key policy using 'aws:SourceVpc' to restrict usage to the VPC.
C.Use an IAM policy with a condition that requires the request to come from the VPC.
D.Configure a network ACL that blocks all traffic to KMS except from the VPC.
AnswerB

KMS key policy supports 'aws:SourceVpc' condition.

Why this answer

Option D is correct because a KMS key policy can use the 'aws:SourceVpc' condition to restrict usage to requests originating from a specific VPC. Option A is wrong because S3 bucket policies cannot restrict KMS key usage. Option B is wrong because IAM policies cannot restrict based on VPC for KMS actions.

Option C is wrong because network ACLs control network traffic, not KMS API calls.

578
MCQeasy

EC2 instances in private subnets need to access S3 buckets. Currently the instances use a NAT Gateway to reach S3 over the internet. The team wants to keep S3 traffic private (within the AWS network) and reduce NAT Gateway data processing costs. What is the correct solution?

A.Create an S3 Gateway VPC endpoint and add it to the private subnet's route table; S3 traffic will bypass the NAT Gateway
B.Create an S3 Interface VPC endpoint in the private subnet to route S3 traffic privately
C.Add a route in the private subnet's route table directing all traffic (0.0.0.0/0) to an Internet Gateway
D.Use S3 Transfer Acceleration to route traffic over AWS edge locations instead of NAT
AnswerA

After the Gateway endpoint is created and the route table updated, the AWS networking layer automatically routes S3 API calls from instances in those subnets through the private endpoint path. The NAT Gateway processes zero S3 bytes, eliminating the per-GB data processing cost for S3 traffic. No code changes are required.

Why this answer

Option A is correct because an S3 Gateway VPC endpoint allows EC2 instances in private subnets to access S3 privately using AWS’s internal network, bypassing the NAT Gateway entirely. This eliminates NAT data processing costs and keeps traffic within the AWS backbone, as the endpoint is added to the private subnet’s route table with a prefix list for S3, directing traffic directly to S3 without internet routing.

Exam trap

The trap here is that candidates confuse Gateway VPC endpoints with Interface VPC endpoints, assuming both incur costs, but S3 Gateway endpoints are free and designed specifically for S3 and DynamoDB, while Interface endpoints are for other AWS services and have associated charges.

How to eliminate wrong answers

Option B is wrong because an S3 Interface VPC endpoint uses AWS PrivateLink with an elastic network interface in the subnet, incurring hourly charges and per-GB data processing costs, which does not reduce costs compared to a NAT Gateway and is unnecessary for S3 access when a Gateway endpoint (free of charge) is available. Option C is wrong because adding a route directing all traffic (0.0.0.0/0) to an Internet Gateway would expose private instances directly to the internet, violating security requirements and not keeping traffic private within AWS. Option D is wrong because S3 Transfer Acceleration uses AWS edge locations and the public internet to speed up uploads, but it does not keep traffic private within the AWS network and still requires internet connectivity, failing to reduce NAT Gateway costs.

579
MCQeasy

A company wants to monitor the performance of its Amazon RDS for MySQL database. The database is experiencing high CPU utilization during peak hours. The SysOps administrator needs to identify the queries causing the load. Which AWS service should be used?

A.Amazon RDS Performance Insights
B.AWS CloudTrail
C.Amazon Inspector
D.Amazon CloudWatch Logs
AnswerA

Performance Insights identifies top queries by load.

Why this answer

Option C is correct because Amazon RDS Performance Insights provides a dashboard that visualizes database load and helps identify the queries that are causing high CPU usage. Option A is wrong because Amazon CloudWatch Logs only collects log files, not query performance data. Option B is wrong because AWS CloudTrail records API activity, not database queries.

Option D is wrong because Amazon Inspector is a vulnerability management service, not a database performance tool.

580
Multi-Selectmedium

A company wants to ensure that its AWS resources are compliant with the CIS AWS Foundations Benchmark. Which TWO AWS services can be used to automate compliance checks and remediation?

Select 2 answers
A.AWS CloudTrail
B.Amazon Inspector
C.AWS Config
D.AWS Security Hub
E.Amazon GuardDuty
AnswersC, D

AWS Config allows you to create rules that evaluate resource configurations and can trigger remediation actions.

Why this answer

AWS Config rules can evaluate resource configurations against desired policies (e.g., CIS benchmarks) and trigger automatic remediation actions via Systems Manager Automation. AWS Security Hub provides a consolidated view of security findings across accounts and can also perform automated checks against standards like CIS. CloudTrail and GuardDuty are not specifically for compliance automation; Inspector is for vulnerability assessment, not compliance.

581
MCQhard

A SysOps administrator is troubleshooting high CPU utilization on an RDS for MySQL instance. The application is read-heavy. Which optimization technique would improve performance and potentially reduce costs?

A.Delete unused indexes from the database.
B.Implement RDS Read Replicas to offload read traffic.
C.Increase the allocated storage size.
D.Enable Multi-AZ deployment for failover support.
AnswerB

Read Replicas reduce load on the primary instance, improving performance and allowing cost savings.

Why this answer

Option A is correct because adding Read Replicas offloads read queries, reducing CPU on the primary and allowing use of smaller instance types. Option B is wrong because Multi-AZ is for high availability, not performance. Option C is wrong because increasing storage doesn't improve CPU.

Option D is wrong because deleting unused indexes reduces storage but not CPU.

582
MCQmedium

A company uses AWS Elastic Beanstalk for a Java web application. The SysOps administrator needs to deploy a new version of the application with zero downtime and minimize the risk of failure. The administrator wants to deploy the new version to a completely new set of instances, test them, and then swap the environment's CNAME to point to the new instances. Which deployment policy should the administrator choose?

A.All at once
B.Rolling
C.Rolling with additional batch
D.Immutable
AnswerD

Immutable deployment launches a completely new set of instances, allows testing, then swaps the CNAME, achieving zero downtime and easy rollback.

Why this answer

The Immutable deployment policy (Option D) is correct because it launches a completely new set of instances in a separate Auto Scaling group, deploys the new application version to them, and then swaps the environment's CNAME to point to the new instances. This ensures zero downtime and minimizes risk by allowing full testing of the new instances before traffic is switched, and if the deployment fails, the original instances remain untouched.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' with creating a completely new set of instances, but it still modifies the existing fleet in batches rather than deploying to an entirely separate environment for a CNAME swap.

How to eliminate wrong answers

Option A is wrong because the 'All at once' deployment policy deploys the new version to all instances simultaneously, causing downtime and no ability to test before traffic is served. Option B is wrong because the 'Rolling' deployment policy updates instances in batches, which does not create a completely new set of instances and can cause partial downtime or mixed versions during the process. Option C is wrong because 'Rolling with additional batch' adds a temporary batch of instances during the rolling update, but it still updates existing instances in batches rather than deploying to a completely new set, and it does not perform a full CNAME swap.

583
MCQeasy

A company uses Amazon S3 to store critical data. They need to protect against accidental deletion of objects. Which feature should the SysOps Administrator enable?

A.Create a lifecycle policy to transition objects to Glacier.
B.Configure cross-region replication.
C.Enable versioning on the bucket.
D.Enable MFA Delete on the bucket.
AnswerC

Allows recovery of deleted objects by accessing previous versions.

Why this answer

Option C is correct because S3 Versioning allows you to recover from accidental deletions by preserving previous versions. Option A is wrong because MFA Delete adds an extra layer but is not sufficient alone. Option B is wrong because cross-region replication does not prevent deletion.

Option D is wrong because lifecycle policies automate transitions, not protection.

584
MCQmedium

A SysOps administrator needs to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which configuration should be used?

A.Use Amazon CloudFront with the S3 bucket as origin and require HTTPS.
B.Create a VPC endpoint for S3 and route all traffic through it.
C.Enable default encryption on the S3 bucket.
D.Add a bucket policy that denies requests where aws:SecureTransport is false.
AnswerD

This condition ensures all requests use HTTPS.

Why this answer

Option B is correct because an S3 bucket policy with a condition for aws:SecureTransport enforces HTTPS. Option A is wrong because encryption at rest does not enforce encryption in transit. Option C is wrong because CloudFront does not enforce end-to-end encryption.

Option D is wrong because VPC endpoints do not guarantee encryption in transit.

585
MCQhard

A company uses Amazon Route 53 for DNS and has a domain registered with Route 53. The company wants to ensure that if the primary web server fails, traffic is automatically routed to a secondary server in a different region. The health check must consider both the server response and the application response time. Which routing policy should be used?

A.Failover routing policy
B.Weighted routing policy
C.Geolocation routing policy
D.Latency routing policy
AnswerA

Failover routing with health checks automatically routes traffic to the secondary when the primary is unhealthy.

Why this answer

Option C is correct because failover routing with health checks directs traffic to the primary if healthy, otherwise to the secondary. Option A is incorrect because latency routing does not provide automatic failover based on health. Option B is incorrect because weighted routing distributes traffic regardless of health.

Option D is incorrect because geolocation routing is based on the user's location, not health.

586
MCQeasy

A company uses Amazon S3 to store log files. The logs are accessed frequently for the first 30 days, then rarely accessed after that. The company must retain logs for 7 years for compliance. What is the MOST cost-effective storage solution?

A.Use S3 Standard for 30 days and then transition to S3 Glacier Deep Archive.
B.Use S3 Standard for 7 years.
C.Use S3 One Zone-IA for 30 days and then transition to S3 Glacier Flexible Retrieval.
D.Use S3 Intelligent-Tiering for the entire 7 years.
AnswerA

This minimizes cost by using low-cost deep archive for long-term retention.

Why this answer

S3 Lifecycle policies can transition objects from S3 Standard to S3 Glacier Deep Archive after 30 days, minimizing costs while meeting compliance. S3 Glacier Flexible Retrieval is more expensive than Deep Archive for long-term archival. S3 Intelligent-Tiering adds monitoring costs.

S3 One Zone-IA is not suitable for long-term archival due to lower durability.

587
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet-A (10.0.1.0/24) and subnet-B (10.0.2.0/24). An EC2 instance in subnet-A needs to send traffic to an EC2 instance in subnet-B. Both instances are in the same VPC and have appropriate security group rules. However, traffic is not reaching the destination. What is the MOST likely cause?

A.The route table for subnet-A does not have a route for subnet-B's CIDR.
B.The network ACL associated with subnet-B is denying inbound traffic from subnet-A.
C.The security group on the destination instance does not allow inbound traffic from the source instance.
D.The VPC peering connection is not established between the two subnets.
AnswerB

Network ACLs are stateless; if the inbound rule does not allow traffic from subnet-A, it will be blocked.

Why this answer

Option C is correct because network ACLs are stateless and must allow both inbound and outbound traffic for ephemeral ports. If the NACL on subnet-B does not allow inbound traffic from subnet-A, the traffic will be blocked. Option A is wrong because VPC peering is not needed; both subnets are in the same VPC.

Option B is wrong because the route table already has a local route for the VPC CIDR, so no additional routes are needed. Option D is wrong because security groups are stateful; if outbound is allowed, return traffic is automatically allowed.

588
Multi-Selectmedium

Which TWO actions improve the availability of an application running on EC2 instances in a single Auto Scaling group? (Choose 2)

Select 2 answers
A.Use an Elastic Load Balancer with health checks to route traffic only to healthy instances.
B.Increase the instance size to handle higher load.
C.Create a CloudWatch alarm to notify when the CPU utilization exceeds 80%.
D.Enable EBS optimization on the instances.
E.Configure the Auto Scaling group to launch instances in multiple Availability Zones.
AnswersA, E

Health checks automatically remove unhealthy instances from the load balancer target group.

Why this answer

Options A and B are correct. Distributing instances across multiple AZs and configuring ELB health checks are fundamental high availability practices. Option C is wrong because increasing instance size does not improve availability.

Option D is wrong because CloudWatch alarms alert but do not automatically improve availability. Option E is wrong because EBS optimization improves performance, not availability.

589
MCQmedium

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

A.AWS Config and AWS Lambda
B.Amazon GuardDuty and AWS Lambda
C.AWS CloudTrail and Amazon EventBridge
D.Amazon Macie and AWS Step Functions
AnswerA

AWS Config continuously evaluates S3 buckets against the managed rule for encryption. Non-compliant buckets can trigger a remediation action via an AWS Lambda function that applies SSE-S3 configuration. This minimizes custom code and uses managed services.

Why this answer

AWS Config can evaluate S3 bucket configurations against a managed rule (s3-bucket-server-side-encryption-enabled) to detect non-compliant buckets. When a non-compliant bucket is detected, AWS Config can trigger an AWS Lambda function via an Amazon EventBridge rule or a custom remediation action to automatically enable SSE-S3 encryption on the bucket. This combination uses managed services and minimizes custom code, meeting the security policy requirement.

Exam trap

The trap here is that candidates may confuse AWS Config's compliance evaluation with GuardDuty's threat detection or Macie's data classification, leading them to choose a service that cannot detect or remediate encryption settings.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not for checking or enforcing S3 bucket encryption configurations. Option C is wrong because AWS CloudTrail records API activity but does not evaluate resource compliance or trigger automated remediation; Amazon EventBridge can route events but requires a separate service like AWS Config to detect non-compliance. Option D is wrong because Amazon Macie is a data discovery and protection service that uses machine learning to identify sensitive data, not to detect or enforce encryption settings; AWS Step Functions is an orchestration service that would require custom code to implement the detection logic.

590
MCQmedium

An organization has a policy requiring that all Amazon EC2 instances launched in the production account must have detailed monitoring enabled for Amazon CloudWatch. A SysOps administrator needs to enforce this rule automatically. Which solution will ensure that any EC2 instance launched without detailed monitoring is automatically remediated?

A.Use AWS Config with the managed rule 'ec2-instance-detailed-monitoring-enabled' and configure an automatic remediation action using AWS Systems Manager Automation to enable detailed monitoring on non-compliant instances.
B.Use AWS Trusted Advisor to check for instances without detailed monitoring and send a notification to the administrator via email.
C.Use an Amazon CloudWatch Events rule to detect RunInstances API calls and trigger a Lambda function that enables detailed monitoring on newly launched instances.
D.Use an IAM policy that denies the ec2:RunInstances action unless the user specifies the parameter to enable detailed monitoring.
AnswerA

This solution automatically detects and remediates non-compliant instances using native AWS Config features.

Why this answer

AWS Config with the managed rule 'ec2-instance-detailed-monitoring-enabled' continuously evaluates EC2 instances against the policy. When an instance is non-compliant (i.e., launched without detailed monitoring), the automatic remediation action uses an AWS Systems Manager Automation document to enable detailed monitoring on that instance, ensuring enforcement without manual intervention.

Exam trap

The trap here is that candidates often choose Option C (CloudWatch Events + Lambda) because it seems reactive and automatic, but they overlook that CloudWatch Events may not reliably capture all RunInstances API calls (e.g., when instances are launched by Auto Scaling or other services) and that the Lambda function would need to handle race conditions and permissions, whereas AWS Config remediation is purpose-built for continuous compliance enforcement.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor only provides recommendations and notifications; it cannot automatically remediate non-compliant resources. Option C is wrong because a CloudWatch Events rule triggered by RunInstances API calls cannot reliably catch instances launched without detailed monitoring if the monitoring parameter is not explicitly set in the API call (e.g., instances launched via Auto Scaling or other services may not trigger the rule as expected). Option D is wrong because an IAM policy that denies ec2:RunInstances unless the user specifies the detailed monitoring parameter can be bypassed by users who have permissions to modify the instance after launch, and it does not automatically remediate instances that are already running without detailed monitoring.

591
MCQmedium

A company hosts a static website on Amazon S3 and uses Amazon CloudFront for content delivery. The marketing team wants to know how many users visit the website each day, including the geographic distribution. Which solution requires the LEAST operational overhead?

A.Use CloudWatch metrics for CloudFront to view request counts and enable detailed metrics.
B.Enable CloudFront access logs and use Amazon Athena to query the logs in S3.
C.Enable AWS CloudTrail for CloudFront and query the event history.
D.Enable CloudFront real-time logs and send them to Amazon Kinesis Data Analytics for analysis.
AnswerB

Athena is serverless and can easily query S3 logs for daily counts and geography.

Why this answer

Option B is correct because enabling CloudFront access logs and querying them with Amazon Athena provides detailed user visit counts and geographic distribution with minimal operational overhead. Access logs contain client IP addresses and request details, which Athena can analyze using SQL without managing servers or complex pipelines. This approach is serverless and cost-effective for periodic analysis.

Exam trap

The trap here is that candidates may confuse CloudWatch metrics (which show request counts but lack geographic detail) with access logs (which provide the raw data needed for geographic analysis), or overcomplicate the solution by choosing real-time streaming when batch analysis is sufficient.

How to eliminate wrong answers

Option A is wrong because CloudWatch metrics for CloudFront provide aggregated request counts but do not include geographic distribution data, and enabling detailed metrics increases cost without solving the requirement. Option C is wrong because AWS CloudTrail records API calls made to CloudFront (e.g., configuration changes), not user requests to the website, so it cannot provide visitor counts or geographic distribution. Option D is wrong because CloudFront real-time logs with Kinesis Data Analytics introduce significant operational overhead for stream processing, which is unnecessary for daily, batch-oriented analysis of user visits.

592
Multi-Selectmedium

A company uses AWS CloudFormation to deploy infrastructure. The operations team wants to be notified when a stack enters a ROLLBACK_IN_PROGRESS state. Which TWO methods can achieve this?

Select 2 answers
A.Use AWS Config rules to evaluate the stack state.
B.Create an Amazon CloudWatch Events rule that matches the CloudFormation stack status change.
C.Configure a CloudWatch Logs subscription filter to detect the stack state.
D.Create a CloudTrail trail and monitor the UpdateStack API call.
E.Configure CloudFormation stack notifications to send events to an Amazon SNS topic.
AnswersB, E

CloudFormation emits events to CloudWatch Events for stack status changes.

Why this answer

Option B is correct because Amazon CloudWatch Events (now Amazon EventBridge) can capture CloudFormation stack status changes, including ROLLBACK_IN_PROGRESS, by matching the 'CloudFormation Stack Status Change' event pattern. This allows you to trigger a notification action (e.g., via SNS or Lambda) in real time when the stack enters that state.

Exam trap

The trap here is that candidates may confuse CloudTrail API logging (which records the API call but not the asynchronous state transition) with event-driven notifications, or assume CloudWatch Logs subscription filters can parse CloudFormation events, when in fact CloudFormation does not write stack state changes to CloudWatch Logs.

593
MCQeasy

A SysOps administrator is tasked with ensuring that an Amazon S3 bucket can withstand the loss of an entire AWS Region. The bucket stores critical data that must be accessible with minimal latency from multiple regions. Which solution meets these requirements?

A.Enable S3 Versioning and configure a lifecycle policy to transition objects to S3 Glacier Deep Archive.
B.Configure S3 Cross-Region Replication to a bucket in another AWS Region. Use Amazon CloudFront with multiple origins pointing to both buckets.
C.Enable S3 Versioning and MFA Delete on the bucket. Use S3 Object Lock to prevent object deletion.
D.Enable S3 Transfer Acceleration on the bucket and use a CloudFront distribution with the bucket as the origin.
AnswerB

CRR replicates objects to another region, and CloudFront can route requests to the closest available origin.

Why this answer

Option C is correct because S3 Cross-Region Replication replicates objects to a bucket in another region, providing regional resilience, and using a CloudFront distribution with multiple origins can route requests to the nearest replica. Option A is wrong because versioning alone does not provide cross-region resilience. Option B is wrong because S3 Transfer Acceleration does not replicate data.

Option D is wrong because MFA Delete does not provide geographic redundancy.

594
Multi-Selectmedium

A SysOps administrator is troubleshooting a failed AWS CloudFormation stack update. The update attempted to modify an Amazon RDS DB instance's storage type from gp2 to io1. The error message indicates that the modification is not supported. Which TWO reasons could cause this error? (Choose TWO.)

Select 2 answers
A.The DB instance is using an Oracle DB engine version that does not support storage type modification.
B.The DB instance does not have automated backups enabled.
C.The DB instance has a DeletionPolicy of 'Retain', and the update requires replacement.
D.The stack update is occurring during the DB instance's maintenance window.
E.The allocated storage size is below the minimum required for io1.
AnswersA, C

Some older engine versions have limitations.

Why this answer

Option A is correct because CloudFormation stack updates that require replacement will fail if 'DeletionPolicy' is set to 'Retain' and the resource is replaced. Option C is correct because some storage modifications require a migration that is not supported for certain DB engine versions. Option B is wrong because storage type changes are generally allowed without enabling backup.

Option D is wrong because maintenance windows do not affect the feasibility of modification. Option E is wrong because the allocated storage size can be changed during modification.

595
MCQhard

A company uses IAM roles to grant EC2 instances access to S3 buckets. After a recent security audit, the SysOps administrator must ensure that only instances with a specific tag (Environment=Production) can assume the role. How can this be achieved?

A.Create a new IAM role for each instance and attach the tag.
B.Use a service control policy (SCP) to deny the ec2:AssumeRole action for instances without the required tag.
C.Modify the instance profile to include the tag requirement.
D.Add a condition in the role's trust policy that checks for the instance's tag using the aws:ResourceTag condition key.
AnswerD

The trust policy can evaluate the instance's tags at the time of AssumeRole.

Why this answer

Option D is correct because IAM role trust policies can use the aws:ResourceTag condition key to restrict which EC2 instances (based on their tags) can assume the role. Option A is wrong because tags are not automatically included in the session; the trust policy must explicitly check tags. Option B is wrong because SCPs apply to accounts, not instances.

Option C is wrong because instance profiles cannot be modified to check tags.

596
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. The company wants to update the application to a new version with zero downtime. Which deployment policy should be used?

A.Rolling deployment
B.Immutable deployment
C.All at once deployment
D.Canary deployment
AnswerA

Rolling deployment updates batches of instances, ensuring some instances remain serving traffic.

Why this answer

Option A is correct because rolling deployment updates instances in batches, maintaining capacity. Option B is wrong because all at once causes downtime. Option C is wrong because immutable creates a new environment and swaps, which is also zero downtime, but rolling is also acceptable.

However, the question specifies 'zero downtime' and rolling is a common choice. Option D is wrong because canary is for Lambda.

597
MCQhard

A company runs a stateful application on EC2 instances in an Auto Scaling group. The application maintains state in memory. The SysOps administrator wants to ensure that when an instance is terminated, the state is preserved and a new instance can resume operation. Which approach should the administrator use?

A.Use an Auto Scaling lifecycle hook to offload state before termination.
B.Use a warm standby instance that takes over when the primary fails.
C.Configure the EC2 instance to run a script on shutdown to save state locally.
D.Enable connection draining on the ALB.
AnswerA

Lifecycle hooks allow a script to save state to external storage before instance termination.

Why this answer

Option B is correct: A lifecycle hook can intercept the termination event and run a script to offload state to S3 or another durable store. Option A is incorrect because ELB connection draining only stops new connections; it does not preserve state. Option C is incorrect because graceful shutdown scripts can run on termination, but they may not complete if the instance is terminated quickly.

Option D is incorrect because a warm standby is costly and not designed for state offloading.

598
MCQhard

A company runs a microservices architecture on Amazon ECS with Fargate. They need to ensure that if a task fails, it is automatically restarted. Which configuration is required?

A.Configure a CloudWatch alarm to restart the task
B.Define tasks using the ECS RunTask API
C.Use an Auto Scaling group for the Fargate tasks
D.Create an ECS service with a desired count and task definition
AnswerD

ECS service maintains desired count and replaces failed tasks.

Why this answer

Correct answer is B. ECS services with a desired count maintain the number of tasks; if a task fails, the service scheduler replaces it. Option A is wrong because ECS tasks launched standalone are not automatically restarted.

Option C is wrong because CloudWatch alarms can trigger actions but not directly restart tasks. Option D is wrong because Auto Scaling groups are for EC2, not Fargate tasks.

599
MCQmedium

A company runs a batch processing job every night that takes 2 hours on a single m5.xlarge EC2 instance. The job is fault-tolerant and can be interrupted. The SysOps administrator wants to reduce costs. Which solution is MOST cost-effective?

A.Use an On-Demand instance and set up a CloudWatch alarm to stop it when the job completes.
B.Use a Spot Instance with a Spot Fleet that includes a fallback to On-Demand if Spot is not available.
C.Use a Dedicated Host to run the job.
D.Purchase a Reserved Instance for the m5.xlarge instance.
AnswerB

Spot Instances are cost-effective for fault-tolerant jobs, and the fallback ensures completion.

Why this answer

Option D is correct because using Spot Instances with a fleet and fallback to On-Demand provides cost savings while ensuring the job completes. Option A is wrong because Reserved Instances require a commitment and may not be cost-effective for a 2-hour daily job. Option B is wrong because Dedicated Hosts are expensive.

Option C is wrong because using only On-Demand is more expensive than using Spot.

600
Multi-Selecteasy

A SysOps administrator needs to ensure high availability for a web application running on EC2 instances across multiple Availability Zones. Which TWO actions should the administrator take?

Select 2 answers
A.Launch EC2 instances in at least two different Availability Zones.
B.Place a CloudFront distribution in front of the instances.
C.Launch all EC2 instances in a single Availability Zone for consistency.
D.Register the instances with an Application Load Balancer that has health checks enabled.
E.Attach an EBS volume to each instance and replicate data in real-time.
AnswersA, D

Distributing instances across AZs provides fault tolerance.

Why this answer

Options A and C are correct. Distributing instances across multiple AZs and registering them with a load balancer that routes to healthy instances ensures high availability. Option B is incorrect because a single instance in one AZ is a single point of failure.

Option D is incorrect because EBS volumes are tied to a single AZ. Option E is incorrect because CloudFront does not replace a load balancer for high availability.

Page 7

Page 8 of 21

Page 9