AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 601–675

1546 questions total · 21 pages · All types, answers revealed

Page 9 of 21
601 · MCQ · hard

A company has an S3 bucket configured with default encryption using SSE-S3. Users report that objects uploaded without specifying encryption are still encrypted, but some objects are accessible to unauthorized users. What is the most likely cause?

A. The bucket policy is not configured to deny unencrypted uploads.
B. The bucket policy does not restrict access based on user permissions.
C. The bucket does not have MFA Delete enabled.
D. The bucket's block public access settings are not configured.
Answer: B

Default encryption does not replace IAM or bucket policies for access control.

Why this answer

Option B is correct because default encryption only encrypts objects at rest; it does not enforce who may access them. Option A is wrong because denying unencrypted uploads addresses encryption, not access control; a bucket policy or IAM policy that restricts access is what is needed. Option C is wrong because MFA Delete governs deletion, not access.

Option D is wrong because Block Public Access prevents public access, but the issue here is unauthorized access from within the account or from another account.

602 · MCQ · hard

A company runs a stateful web application on a single EC2 instance. The SysOps Administrator wants to improve fault tolerance. Which design should they implement?

A. Create a Multi-AZ RDS instance and attach it to the existing EC2 instance.
B. Add a second EC2 instance in the same Availability Zone and use a Network Load Balancer.
C. Use an Auto Scaling group with a launch configuration that stores session data on instance store.
D. Place instances in an Auto Scaling group across two Availability Zones, use an Application Load Balancer, and store session state in ElastiCache.
Answer: D

Provides high availability and fault tolerance.

Why this answer

Option D is correct because an Auto Scaling group spanning two Availability Zones behind an ALB distributes traffic across instances in multiple AZs, and storing session state in ElastiCache keeps sessions available when an instance fails. Option A is wrong because it adds a Multi-AZ database but the single EC2 instance still lacks load balancing and auto scaling. Option B is wrong because two instances in the same Availability Zone still leave a single point of failure.

Option C is wrong because it stores session state on instance store, which is ephemeral and lost when an instance is terminated.

603 · Multi-Select · hard

A SysOps administrator is designing a VPC for a web application that must be secure. Which THREE security measures should the administrator implement? (Choose THREE.)

Select 3 answers
A. Configure network ACLs to filter traffic at the subnet level.
B. Enable VPC Flow Logs to capture traffic information.
C. Place all resources in public subnets to simplify access.
D. Use security groups to control inbound and outbound traffic at the instance level.
E. Use the default VPC for simplicity.
Answers: A, B, D

NACLs provide stateless filtering.

Why this answer

Option D is correct because security groups act as virtual firewalls at the instance level. Option A is correct because network ACLs add a layer of stateless filtering at the subnet level. Option B is correct because VPC Flow Logs capture traffic information for monitoring.

Option C is wrong because public subnets are not required for every resource in a web application. Option E is wrong because the default VPC's configuration may not be secure.

604 · Drag &amp; Drop · medium

Drag and drop the steps to migrate an on-premises application to AWS using AWS Application Migration Service (MGN) into the correct order.


Why this order

Install the agent, configure replication, sync, test, then cut over.

605 · MCQ · easy

A SysOps administrator is reviewing the monthly AWS bill and notices a significant cost for data transfer from EC2 to the internet. The EC2 instances are in a VPC and serve content to users. Which action would MOST effectively reduce data transfer costs?

A. Use VPC endpoints to connect to S3 and DynamoDB.
B. Use Amazon CloudFront as a content delivery network (CDN).
C. Move the EC2 instances to a different AWS Region with lower data transfer rates.
D. Use a NAT Gateway to route traffic through a single IP.
Answer: B

CloudFront reduces data transfer from EC2 by serving cached content from edge locations.

Why this answer

Option B is correct because CloudFront caches content at edge locations, so most requests are served from the CDN instead of transferring data from EC2 to the internet. Option A is wrong because VPC endpoints provide private connectivity to AWS services; they do not reduce internet data transfer. Option D is wrong because routing traffic through a NAT Gateway adds cost rather than reducing it.

Option C is wrong because moving to a different Region does not reduce data transfer costs.

606 · Multi-Select · easy

A SysOps administrator needs to reduce costs for an Amazon RDS for PostgreSQL database. The database is used for a reporting application that only runs during business hours (9 AM to 5 PM). Which TWO actions would reduce costs without losing data?

Select 2 answers
A. Take a snapshot before stopping to preserve data.
B. Delete the database during off-hours and restore it each morning.
C. Convert the database to a read replica of another database.
D. Use a Multi-AZ cluster for high availability.
E. Stop the database during off-hours.
Answers: A, E

Ensures data is saved and can be restored.

Why this answer

Options A and E are correct. Stopping the database during off-hours stops billing for instance hours, and taking a snapshot before stopping ensures the data is preserved. Option B is wrong because deleting the database loses data.

Option C is wrong because converting to a read replica does not reduce cost. Option D is wrong because a Multi-AZ cluster increases costs.

607 · MCQ · medium

A company uses an Amazon DynamoDB table with provisioned capacity. The average write usage is 500 write capacity units (WCU) but regularly spikes to 2,000 WCU during business hours. The SysOps administrator wants to reduce costs without affecting performance during the spikes. Which solution should the administrator implement?

A. Enable DynamoDB auto scaling
B. Switch to DynamoDB on-demand capacity mode
C. Purchase reserved capacity for 2,000 WCU
D. Use DynamoDB Time to Live (TTL) to delete old items
Answer: A

Auto scaling adjusts provisioned capacity based on actual usage, handling spikes and reducing cost during low usage.

Why this answer

DynamoDB auto scaling allows the table to automatically adjust its provisioned write capacity between a minimum and maximum range based on actual traffic. By setting the minimum WCU to cover the average usage (500) and the maximum to handle the spikes (2,000), the administrator pays only for the baseline capacity most of the time, while the service scales up during spikes without manual intervention or over-provisioning.

Exam trap

The trap here is that candidates often confuse on-demand mode as a cost-saving measure for spiky workloads, but in reality, on-demand is more expensive than provisioned capacity with auto scaling when there is a predictable baseline, and the question specifically asks to reduce costs without affecting performance.

How to eliminate wrong answers

Option B is wrong because switching to on-demand capacity mode would eliminate the need to manage capacity but would result in significantly higher costs for the described workload, as on-demand charges per write request are higher than provisioned capacity, especially when the baseline usage is predictable. Option C is wrong because purchasing reserved capacity for 2,000 WCU would lock the company into paying for that high capacity 24/7, even during off-peak hours when usage is only 500 WCU, leading to wasted expenditure. Option D is wrong because DynamoDB Time to Live (TTL) is a feature for automatically expiring and deleting old items to manage storage costs, not for handling write capacity spikes or optimizing provisioned throughput costs.

608 · MCQ · medium

A company uses AWS CodePipeline to deploy a web application to Amazon EC2 instances behind an Application Load Balancer. During a deployment, the pipeline fails at the Deploy stage with an error indicating that the CodeDeploy agent is not responding. The instances are in an Auto Scaling group. What is the MOST likely cause of this issue?

A. The pipeline does not have a VPC endpoint to connect to the instances.
B. The IAM role attached to the instances does not have permissions for CodeDeploy.
C. The CodeDeploy agent is not installed on the EC2 instances.
D. The Application Load Balancer is not configured with a target group.
Answer: C

The CodeDeploy agent must be installed and running on each instance for CodeDeploy to deploy applications.

Why this answer

The CodeDeploy agent must be installed and running on the EC2 instances to receive deployment instructions; if it is missing or stopped, the deployment fails with an unresponsive-agent error. Option C is correct because the agent is required for CodeDeploy to deploy to EC2.

Option A is wrong because CodePipeline does not require a VPC endpoint to reach the instances. Option B is wrong because IAM roles are attached through the instance profile, not directly to the instances. Option D is wrong because CodeDeploy can deploy to instances without an Application Load Balancer.

609 · MCQ · easy

A company has an application that runs on EC2 instances behind an Application Load Balancer. The application uses an RDS Multi-AZ database. The company wants to ensure that the application remains available during a database failover. What should the SysOps administrator do?

A. Ensure the application retries database connections during failover.
B. Create a read replica of the database to offload read traffic.
C. Increase the EC2 instance size to handle the load.
D. Enable termination protection on the EC2 instances.
Answer: A

Application retries handle the brief interruption during failover.

Why this answer

Option A is correct because Multi-AZ automatically fails over to a standby in another AZ, and an application that retries its database connections reconnects once the standby is promoted, minimizing downtime. Option B is wrong because a read replica does not help with failover for writes. Option C is wrong because increasing the instance size does not affect database failover.

Option D is wrong because termination protection applies to EC2 instances, not to database failover.

610 · MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom domain name, 'app.example.com'. The SysOps team configured Amazon Route 53 with an alias record to the ALB DNS name. Users report that occasionally they are directed to a different website. The team suspects DNS resolution issues. They check the Route 53 hosted zone and find the alias record is correctly configured. The ALB is healthy. What is the most likely cause of the intermittent misdirection?

A. There is a conflicting DNS record for 'app.example.com' in the same hosted zone, such as a CNAME pointing elsewhere.
B. The alias record is not of type A but type CNAME.
C. The TTL on the alias record is set too low, causing DNS changes to propagate slowly.
D. The ALB is configured to redirect traffic to another domain.
Answer: A

Conflicting records can cause intermittent resolution to different targets.

Why this answer

Option A is correct. When the alias record points to the ALB DNS name, Route 53 resolves the name to the ALB's IP addresses. If another record for the same name (for example, a CNAME) also exists, is cached, or carries a different TTL, resolvers may intermittently return the other target.

Option B is wrong because a missing or wrong-type A record would cause resolution failure, not misdirection. Option C is wrong because a TTL that is too low causes frequent re-resolution, not misdirection. Option D is wrong because the ALB does not redirect to other sites.

611 · Multi-Select · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The environment is running in a VPC with public and private subnets. The SysOps administrator needs to update the environment to use a new platform version. Which TWO steps should be taken to ensure a smooth update with minimal downtime? (Select TWO.)

Select 2 answers
A. Update the security groups to allow traffic from the new environment.
B. Take a snapshot of the attached Amazon RDS database before starting the update.
C. Perform a blue/green deployment by cloning the environment and swapping the CNAME.
D. Enable immutable updates in the environment configuration.
E. Manually drain connections from the current environment before swapping.
Answers: B, C

Ensures data is backed up in case of issues.

Why this answer

Options B and C are correct. Option C: performing a blue/green deployment clones the environment onto the new platform version and swaps the CNAMEs, minimizing downtime. Option B: taking a snapshot of the RDS database ensures a backup exists before the update.

Option D is wrong because immutable updates are not supported for all platforms. Option A is wrong because updating the security groups is not necessary for the update. Option E is wrong because manually draining connections is not needed when using a blue/green swap.

612 · MCQ · hard

A company has an S3 bucket with versioning enabled. They want to ensure that objects are not permanently deleted by users. What configuration should be applied?

A. Enable MFA Delete on the bucket
B. Configure a lifecycle policy to expire noncurrent versions
C. Enable S3 Object Lock in governance mode
D. Add a bucket policy that denies s3:DeleteObject
Answer: A

MFA Delete requires MFA to permanently delete versions, preventing accidental permanent deletion.

Why this answer

With versioning enabled, a delete request creates a delete marker instead of removing the object. To prevent permanent deletion, enable MFA Delete, which requires multi-factor authentication to change the bucket's versioning state or to permanently delete an object version. Option A is correct.

Option D is wrong because a bucket policy that denies s3:DeleteObject cannot prevent deletion of versioned objects; it only denies that action, and users with delete permissions can still create delete markers. Option B is wrong because a lifecycle policy deletes noncurrent versions after a period; it does not prevent user deletions. Option C is wrong because S3 Object Lock prevents deletion during a retention period and is intended for compliance, not specifically for preventing permanent deletion by users.

613 · Multi-Select · medium

A company is designing a highly available architecture for a web application using AWS services. Which TWO actions should the SysOps administrator take to improve reliability? (Choose TWO.)

Select 2 answers
A. Use a single large EC2 instance to eliminate complexity.
B. Use an Auto Scaling group with an Elastic Load Balancer.
C. Use a single NAT gateway for outbound traffic.
D. Deploy EC2 instances in multiple Availability Zones.
E. Store application data on a single EBS volume.
Answers: B, D

Provides automatic scaling and health checks.

Why this answer

Options B and D are correct. Deploying across multiple AZs ensures the application can withstand an AZ failure, and an Auto Scaling group with an ELB provides automatic scaling and health checks.

Option A is wrong because a single instance is a single point of failure. Option E is wrong because a single EBS volume in one AZ is not highly available. Option C is wrong because a single NAT gateway in one AZ is a single point of failure.

614 · MCQ · hard

An organization is using OpsWorks to manage a stack of application servers. They need to automatically scale out based on CPU utilization. Which configuration should the SysOps administrator use to achieve this?

A. Enable auto-healing on the layer to replace unhealthy instances automatically.
B. Create a custom Chef recipe that runs on a lifecycle event to launch new instances.
C. Add a load-based layer and configure the scaling thresholds for CPU utilization.
D. Configure a time-based instance with a recurring schedule to add instances during peak hours.
Answer: C

Load-based scaling automatically adjusts instance count based on metrics like CPU.

Why this answer

Option C is correct because OpsWorks supports time-based and load-based instances; load-based instances use CloudWatch alarms on metrics such as CPU utilization to automatically add or remove instances. Option D is incorrect because time-based (scheduled) scaling follows a clock, not CPU utilization. Option A is incorrect because auto-healing replaces failed instances; it does not scale out.

Option B is incorrect because a lifecycle event hook runs custom scripts during events; it does not scale.

615 · Multi-Select · medium

A SysOps administrator is optimizing costs for an AWS account. The account has multiple EC2 instances running 24/7 with varying utilization. Which TWO actions will help reduce costs without impacting performance? (Choose TWO.)

Select 2 answers
A. Use AWS Compute Optimizer to right-size instances.
B. Use larger instance types to improve performance.
C. Enable detailed CloudWatch monitoring for all instances.
D. Enable termination protection on all instances.
E. Purchase Reserved Instances for instances that run consistently.
Answers: A, E

Compute Optimizer recommends optimal instance sizes based on utilization.

Why this answer

The correct answers are A and E. Purchasing Reserved Instances provides a significant discount for steady-state workloads, and right-sizing instances based on CloudWatch utilization metrics ensures you are not over-provisioned.

Option B is wrong because increasing instance size increases costs. Option D is wrong because termination protection does not affect costs. Option C is wrong because detailed monitoring incurs additional charges.

616 · MCQ · medium

A SysOps administrator needs to reduce costs for a fleet of EC2 instances that run a stateless web application. The instances are currently On-Demand. The workload runs 24/7 for the next 12 months. Which pricing model provides the greatest cost savings?

A. Use Dedicated Hosts.
B. Use Spot Instances.
C. Purchase Standard Reserved Instances for a 1-year term.
D. Purchase Convertible Reserved Instances for a 1-year term.
Answer: C

Provides up to 40% discount for steady-state usage.

Why this answer

Standard Reserved Instances (RIs) for a 1-year term provide a significant discount (up to 40%) over On-Demand pricing for workloads that run continuously 24/7. Since this stateless web application runs constantly for the next 12 months, Standard RIs offer the greatest cost savings among the options, as they are designed for steady-state usage and do not require flexibility in instance family or operating system.

Exam trap

The trap here is that candidates often choose Spot Instances (Option B) thinking they are always cheaper, but they overlook the requirement for 24/7 availability and the risk of interruption, which makes them unsuitable for a stateless web application that must run continuously without disruption.

How to eliminate wrong answers

Option A is wrong because Dedicated Hosts are physical servers dedicated to your use, which incur additional costs (per-host billing) and do not provide the same discount level as Reserved Instances; they are used for licensing or compliance requirements, not cost savings for a stateless web app. Option B is wrong because Spot Instances can be interrupted with a 2-minute warning, making them unsuitable for a 24/7 stateless web application that requires constant availability; they are designed for fault-tolerant or batch workloads, not always-on production traffic. Option D is wrong because Convertible Reserved Instances offer flexibility to change instance attributes (family, OS, tenancy) but have a lower discount (typically 10-20% less than Standard RIs) for the same 1-year term, making them less cost-effective for a fixed, predictable workload.

617 · MCQ · hard

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest with AWS Key Management Service (AWS KMS) customer managed keys. A SysOps administrator discovers that some buckets are not encrypted. Which combination of AWS services should be used to automatically detect and remediate non-compliant buckets using infrastructure as code?

A. AWS Config with a managed rule and AWS Lambda for automatic remediation.
B. AWS CloudTrail and Amazon GuardDuty.
C. Amazon Inspector and AWS Systems Manager.
D. Amazon Macie and AWS CloudFormation.
Answer: A

AWS Config can continuously evaluate resources against rules and trigger Lambda functions for remediation. The managed rule 's3-bucket-server-side-encryption-enabled' can be configured with a parameter to require SSE-KMS. This fully automates detection and fixing.

Why this answer

AWS Config with a managed rule (e.g., s3-bucket-server-side-encryption-enabled) can continuously evaluate S3 buckets for compliance with the encryption policy. When a non-compliant bucket is detected, AWS Config can automatically invoke an AWS Lambda function to remediate the issue, such as enabling encryption with a customer managed KMS key. This combination provides automated detection and remediation using infrastructure as code, as the Config rule and Lambda function can be defined in AWS CloudFormation or similar IaC tools.

Exam trap

The trap here is that candidates may confuse detection services (like GuardDuty or Macie) with compliance evaluation services (AWS Config), or assume that CloudFormation alone can detect non-compliance without a continuous evaluation mechanism like AWS Config rules.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail and Amazon GuardDuty are used for auditing API activity and threat detection, not for automated compliance detection and remediation of S3 bucket encryption. Option C is wrong because Amazon Inspector is a vulnerability management service for EC2 instances and container workloads, not for S3 bucket encryption compliance, and AWS Systems Manager is for operational management, not automated encryption remediation. Option D is wrong because Amazon Macie is a data discovery and classification service for sensitive data, not for encryption compliance, and AWS CloudFormation alone cannot automatically detect non-compliant buckets without a trigger like AWS Config.

618 · MCQ · medium

A SysOps administrator is troubleshooting an IAM policy that is not granting the expected permissions. The policy has a Deny effect on a specific action, but the user is still able to perform that action. What is the most likely reason?

A. The Deny statement is listed after an Allow statement in the policy
B. IAM policies do not support deny statements with conditions
C. The Deny statement includes a condition that is not met by the request
D. The user has an attached AWS managed policy that allows the action
Answer: C

If the condition is not satisfied, the Deny statement is not applied.

Why this answer

IAM policy evaluation logic: by default, all requests are denied; an explicit Allow overrides the default deny; an explicit Deny overrides any Allow.

If a Deny is not being enforced, one possibility is that the policy is not attached to the user, group, or role making the request. If the policy is attached, the Deny should take effect. Another possibility is that the request is made under an assumed role to which the Deny policy is not attached, so the Deny is never evaluated for that request.

The most likely reason in a troubleshooting scenario, however, is that the Deny statement carries a condition that the request does not satisfy, so the Deny is not applied. Option C is correct for that reason. Option A is wrong because statement order does not matter in IAM; all statements are evaluated.

Option D is wrong because an explicit Deny always overrides an Allow, including one from an attached managed policy. Option B is wrong because IAM policies do support conditions on Deny statements.

619 · MCQ · medium

A company's security team requires that all Amazon EC2 instances in a specific AWS account must have the tag 'Environment' set to either 'Production' or 'Test'. Any instance that is launched without this tag or with an invalid value must be automatically terminated within five minutes. Which combination of AWS services can enforce this requirement with minimal manual intervention?

A. AWS Config with a custom rule and AWS Lambda
B. AWS CloudTrail and Amazon CloudWatch Events
C. AWS Service Catalog and AWS Organizations
D. Amazon Inspector and AWS Systems Manager
Answer: A

A custom AWS Config rule can evaluate EC2 instances when they are created (configuration change trigger) and invoke an AWS Lambda function to terminate instances lacking the required tag or having an invalid value. This provides continuous compliance enforcement.

Why this answer

AWS Config with a custom rule can evaluate EC2 instances for the required 'Environment' tag with valid values. When a non-compliant instance is detected, AWS Config triggers an AWS Lambda function that terminates the instance within the required five-minute window. This combination provides automated, event-driven enforcement with minimal manual intervention.

Exam trap

The trap here is that candidates may think CloudTrail and CloudWatch Events alone can enforce tag compliance, but they lack the evaluation logic and automated remediation that AWS Config with a custom Lambda rule provides.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail records API calls and CloudWatch Events can trigger on those events, but they lack native tag validation logic; you would still need a Lambda function to evaluate tag values and terminate instances, making this an incomplete solution. Option C is wrong because AWS Service Catalog enforces compliance at provisioning time through predefined products, but it cannot retroactively terminate instances launched outside the catalog or enforce tag compliance on existing instances. Option D is wrong because Amazon Inspector is a vulnerability assessment service and AWS Systems Manager is for operational management; neither service has the capability to evaluate tags or terminate instances based on tag compliance.

620 · Multi-Select · hard

A company uses a Network Load Balancer (NLB) with a static IP address. The SysOps administrator needs to enable client IP preservation for the NLB so that backend instances see the original client IP. Which TWO conditions are required for client IP preservation to work?

Select 2 answers
A. The target group must be of type 'instance'.
B. The NLB must have TLS listeners.
C. Proxy protocol must be enabled on the target group.
D. The NLB must not be integrated with AWS Global Accelerator.
E. Cross-zone load balancing must be enabled.
Answers: A, D

Instance targets preserve client IP; IP targets do not.

Why this answer

Option A is correct because client IP preservation for a Network Load Balancer (NLB) requires the target group to be of type 'instance'. When the target group is instance-based, the NLB can forward packets with the original source IP address intact, allowing backend instances to see the client's IP directly. This is not supported when the target group is of type 'IP' because the NLB must perform NAT to route to the specified IP addresses.

Exam trap

The trap here is that candidates often confuse client IP preservation with Proxy Protocol, thinking that Proxy Protocol must be enabled for client IP preservation to work, when in fact Proxy Protocol is a separate mechanism used when the target group is of type 'IP' or when preservation is not supported.

621 · MCQ · easy

A company stores large volumes of log data in Amazon S3. The logs are accessed frequently for the first 30 days, then occasionally for the next 60 days, and after 90 days they are rarely accessed but must be retained for 7 years for compliance. The SysOps administrator wants to minimize storage costs while ensuring data is available when needed. Which S3 lifecycle policy configuration should be applied?

A. Transition objects to S3 Standard-IA after 30 days, and to S3 Glacier after 60 days. Delete after 7 years.
B. Transition objects to S3 Glacier Deep Archive after 30 days, and delete after 7 years.
C. Transition objects to S3 One Zone-IA after 30 days, and to S3 Glacier Deep Archive after 90 days. Delete after 7 years.
D. Transition objects to S3 Standard-IA after 30 days, and to S3 Glacier Deep Archive after 90 days. Delete after 7 years.
Answer: D

This lifecycle policy matches the access patterns: frequent access -> Standard-IA after 30 days, occasional access for next 60 days (still in IA), then rarely accessed -> Deep Archive after 90 days. Deep Archive is the lowest-cost storage option for long-term retention. Deleting after 7 years meets compliance. This is the most cost-effective configuration.

Why this answer

Option D is correct because it aligns the lifecycle transitions with the access patterns: frequent access for the first 30 days (S3 Standard), occasional access for the next 60 days (S3 Standard-IA), and rare access after 90 days (S3 Glacier Deep Archive, the lowest-cost storage class for long-term retention). The deletion after 7 years meets compliance requirements while minimizing costs by using progressively cheaper storage classes.

Exam trap

The trap here is that candidates may choose Option A because they think S3 Glacier is the standard archival tier, but they overlook that S3 Glacier Deep Archive is cheaper for 7-year retention and that the occasional-access period (days 31–90) is better served by S3 Standard-IA, not S3 Glacier.

How to eliminate wrong answers

Option A is wrong because transitioning to S3 Glacier after 60 days (instead of 90) would incur unnecessary retrieval costs and slower access during the occasional-access period (days 31–90), and S3 Glacier is more expensive than S3 Glacier Deep Archive for long-term retention. Option B is wrong because moving directly to S3 Glacier Deep Archive after 30 days ignores the frequent-access period, causing high retrieval costs and latency for logs that are still accessed often. Option C is wrong because S3 One Zone-IA is not resilient to AZ failures and is unsuitable for compliance data that must be retained for 7 years; also, transitioning after 30 days to One Zone-IA does not match the occasional-access pattern (days 31–90) as well as Standard-IA.

622 · MCQ · hard

A company runs a production Amazon DynamoDB table with provisioned capacity of 1000 write capacity units (WCU). The table experiences unpredictable spikes up to 2000 WCU, causing throttling. The SysOps administrator wants to minimize cost while handling the spikes. Which solution should be used?

A. Switch to on-demand capacity mode.
B. Increase provisioned WCU to 2000 to cover the peak.
C. Enable DynamoDB Auto Scaling with minimum 1000, maximum 2000 WCU.
D. Use a DynamoDB Accelerator (DAX) cache.
Answer: A

On-demand mode instantly accommodates usage spikes without capacity planning. While typically more expensive for steady-state workloads, for unpredictable spikes it can be cost-effective because you don't pay for unused capacity. It eliminates throttling.

Why this answer

Switching to on-demand capacity mode eliminates throttling during unpredictable spikes by automatically scaling write capacity up to the required 2000 WCU without any manual intervention or pre-provisioning. This minimizes cost because you pay only for the actual reads and writes consumed, avoiding the fixed cost of over-provisioning for peak capacity that may be rarely used.

Exam trap

The trap here is that candidates often choose DynamoDB Auto Scaling (Option C) thinking it handles spikes instantly, but they overlook the inherent scaling delay and the fact that it still requires a maximum capacity setting that may not cover sudden bursts, leading to throttling.

How to eliminate wrong answers

Option B is wrong because increasing provisioned WCU to 2000 permanently incurs higher base costs even during low-traffic periods, which contradicts the goal of minimizing cost. Option C is wrong because DynamoDB Auto Scaling adjusts capacity based on utilization metrics, but it cannot react instantly to sudden spikes up to 2000 WCU, leading to throttling during the scaling delay. Option D is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read performance, not write capacity, and does not address write throttling caused by insufficient WCU.

623
MCQhard

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot access an S3 bucket using an instance profile. The instance profile has an IAM role with a policy that allows s3:GetObject on the bucket. The S3 bucket policy has a Deny for all principals except a specific service role. What is the most likely reason for the access failure?

A.The IAM role trust policy does not allow EC2 to assume the role.
B.The instance profile is not correctly attached to the EC2 instance.
C.The S3 bucket requires a VPC endpoint.
D.The S3 bucket policy Deny overrides the IAM role permissions.
AnswerD

Explicit Deny in bucket policy takes precedence.

Why this answer

Option D is correct because when a bucket policy explicitly denies access, it overrides any IAM permissions. Option B is wrong because instance profiles can be used with S3. Option C is wrong because S3 does not require a VPC endpoint.

Option A is wrong because the Deny in the bucket policy applies regardless of the trust policy.
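To make the evaluation logic concrete, here is a bucket policy of the kind the question describes, added as an illustration (it is not part of the original question bank); the account ID 111122223333, the bucket name example-bucket, the role name approved-service-role and the session name approved-session are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEveryoneExceptApprovedServiceRole",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/approved-service-role",
          "arn:aws:sts::111122223333:assumed-role/approved-service-role/approved-session",
          "arn:aws:iam::111122223333:root"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
```

Because an explicit Deny wins over any Allow, the instance role's s3:GetObject permission cannot override this statement. NotPrincipal does not accept partial wildcards, so every assumed-role session ARN of the excluded role must be listed explicitly, and the account root is listed so the account cannot lock itself out.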

624
MCQhard

A SysOps team manages a fleet of EC2 instances used for batch processing. The workload runs daily, taking approximately 6 hours. The instances are launched via an Auto Scaling group using On-Demand instances from a custom AMI. The team has noticed that while the instances are running, the CPU utilization is moderate, but the memory usage is high. After the batch completes, the instances are terminated. The team wants to reduce costs without changing the architecture. Which solution would be MOST cost-effective?

A.Modify the Auto Scaling group to use a mixed instances policy with a percentage of Spot Instances and a fallback to On-Demand.
B.Use a Compute Savings Plan covering the entire compute usage across the account.
C.Change the instance type to a memory-optimized family to reduce the number of instances needed.
D.Purchase Reserved Instances for the expected daily usage to get a lower hourly rate.
AnswerA

Spot Instances are ideal for fault-tolerant workloads like batch processing, offering large discounts.

Why this answer

Option A is correct because Spot Instances can provide significant discounts (up to 90%) for fault-tolerant batch workloads, and the team can use a mixed instances policy with On-Demand as a fallback. Option C (memory-optimized instances) would likely increase cost. Option D (Reserved Instances) is not suitable for short-lived, sporadic workloads.

Option B (Savings Plan) could help but still requires committing to a consistent amount, which may not align with the varying batch size. Option A offers the most flexibility and cost savings.

625
MCQhard

Refer to the exhibit. A SysOps administrator deployed the CloudFormation template. Which statement is true about data protection?

A.Deleted objects are immediately and permanently removed.
B.The bucket cannot be deleted by anyone.
C.Objects cannot be deleted from the bucket.
D.Deleted objects become noncurrent versions and are retained for 30 days.
AnswerD

With versioning enabled, object deletion creates a delete marker and the previous version becomes noncurrent, which expires after 30 days.

Why this answer

Option D is correct because the bucket policy only denies the DeleteBucket action, not DeleteObject. Users can still delete objects. Versioning is enabled, so deleted objects become noncurrent versions and are retained for 30 days.

Option B is wrong because the bucket can be deleted by the account root user if not explicitly denied. Option C is wrong because the bucket policy does not block object deletion. Option A is wrong because versioning is enabled, so deleted objects become noncurrent versions rather than being permanently deleted immediately.

626
Multi-Selecthard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is configured with a target group that has health checks. The application is experiencing intermittent 503 errors. The SysOps administrator needs to identify the root cause. Which THREE steps should the administrator take to diagnose the issue? (Choose THREE.)

Select 3 answers
A.Check the security group rules for the ALB.
B.Monitor the CloudWatch metric 'HealthyHostCount' for the target group.
C.Increase the unhealthy threshold count in the health check settings.
D.Enable and review the ALB access logs.
E.Check the target group health check logs for failed health checks.
AnswersB, D, E

This metric shows the number of healthy targets.

Why this answer

Correct options: B, D, E. Option D is correct because the ALB access logs can reveal the HTTP response codes and client IPs. Option E is correct because reviewing the target group health check logs helps determine whether instances are failing health checks.

Option B is correct because CloudWatch metrics such as HealthyHostCount show whether the number of healthy instances drops. Option C is wrong because increasing the unhealthy threshold makes the ALB less sensitive but does not diagnose the cause. Option A is wrong because the ALB's security group is not directly related to 503 errors; 503 errors typically indicate that there are no healthy targets.

627
Multi-Selecthard

A SysOps administrator is investigating a performance issue where an Amazon RDS for MySQL instance's ReadIOPS metric is consistently high. The database is used by a web application. Which THREE actions should the administrator take to improve performance?

Select 3 answers
A.Increase the InnoDB buffer pool size to cache more data in memory.
B.Enable query caching in MySQL to avoid repeated reads of the same data.
C.Add read replicas to offload read queries from the primary instance.
D.Change the storage type to Provisioned IOPS for better performance.
E.Enable Multi-AZ deployment for high availability.
AnswersA, B, C

A larger buffer pool reduces the need to read from disk, lowering ReadIOPS.

Why this answer

Increasing the InnoDB buffer pool size allows more data and indexes to be cached in memory, reducing the need for disk reads and thus lowering ReadIOPS. This is a direct and effective tuning action for MySQL on RDS when read I/O is the bottleneck.

Exam trap

The trap here is that candidates often confuse Provisioned IOPS with reducing I/O demand, when it only improves I/O performance, and Multi-AZ with read scaling, when it is solely for failover and availability.

628
MCQmedium

A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances. Users report intermittent 503 errors. Which of the following is the MOST likely cause?

A.The health check interval is set too low, causing the ALB to mark instances as unhealthy prematurely.
B.The SSL certificate on the ALB has expired.
C.The security group for the ALB is blocking incoming traffic.
D.The target instances are not healthy or are overloaded.
AnswerD

Unhealthy or overloaded targets cause the ALB to return 503 errors because no healthy targets are available to handle the request.

Why this answer

Option D is correct because 503 errors from an ALB typically indicate that the target instances are not healthy or are overwhelmed, causing the ALB to return a 503 Service Unavailable response. Option C is wrong because security group rules blocking traffic would result in 504 errors, not 503. Option A is wrong because an incorrect health check configuration can cause targets to be marked unhealthy, so the symptom is still 503; the most direct cause, however, is unhealthy targets.

Option B is wrong because SSL certificate issues cause 502 errors, not 503.

629
MCQhard

Refer to the exhibit. The security team wants to ensure that all objects uploaded to the S3 bucket 'my-secure-bucket' are encrypted at rest. Based on the CloudTrail log entry, what can be concluded about the object 'confidential.pdf'?

A.The object is encrypted with AWS KMS
B.The object is not encrypted
C.The object is encrypted with SSE-S3
D.The object was uploaded without an encryption header
AnswerC

The AES256 value corresponds to SSE-S3.

Why this answer

Option C is correct because the requestParameters show that the object was uploaded with the x-amz-server-side-encryption header set to AES256, and the response confirms that encryption was applied. Option A is incorrect because the log does not indicate that a KMS key was used; the AES256 value corresponds to SSE-S3. Option B is incorrect because the object is encrypted, as shown.

Option D is incorrect because the log shows the encryption header was provided.

630
Multi-Selecteasy

A company wants to monitor the performance of its application running on EC2. Which TWO metrics should be monitored to detect performance bottlenecks? (Choose TWO.)

Select 2 answers
A.Network Packets In
B.CPU Utilization
C.Status Check Failed
D.Disk Space Utilization
E.Memory Utilization
AnswersB, E

High CPU indicates a bottleneck.

Why this answer

Options B and E are correct. CPU utilization (B) and memory utilization (E) are key performance metrics. Option D is wrong because disk space utilization is not a default metric; it requires custom scripts.

Option A is wrong because Network Packets In is not a standard performance metric. Option C is wrong because Status Check Failed is for health, not performance.

631
MCQmedium

A company has an EC2-based application that runs at inconsistent times. The workloads are fault-tolerant and can be interrupted. Which purchasing option provides the most cost savings?

A.Reserved Instances
B.On-Demand Instances
C.Dedicated Hosts
D.Spot Instances
AnswerD

Spot Instances offer significant discounts for fault-tolerant workloads.

Why this answer

Option D is correct because Spot Instances offer the largest discount (up to 90%) for interruptible workloads. Option B is wrong because On-Demand has no discount. Option A is wrong because Reserved Instances require a commitment and are for steady-state workloads.

Option C is wrong because Dedicated Hosts are expensive and unnecessary.

632
MCQhard

A company has an AWS account with multiple VPCs connected via a transit gateway. The security team wants to centrally manage VPC security group rules and ensure compliance. Which approach is most effective?

A.Use AWS Firewall Manager to centrally define and enforce security group rules across all VPCs.
B.Create a single security group and attach it to all VPCs.
C.Define security group rules in AWS CloudFormation templates and deploy them to each VPC.
D.Use network ACLs instead of security groups for centralized management.
AnswerA

Firewall Manager provides centralized security group management across accounts and VPCs.

Why this answer

Option A is correct because AWS Firewall Manager allows centralized management of security group rules across accounts and VPCs. Option B is wrong because security groups are per-VPC and cannot be applied across multiple VPCs. Option D is wrong because network ACLs are stateless and not a replacement for security groups; they are also per-subnet.

Option C is wrong because CloudFormation can deploy rules but does not centrally manage ongoing enforcement.

633
MCQmedium

A SysOps administrator needs to ensure that all S3 buckets in the account have server access logging enabled. The administrator wants to be notified if a bucket is created without logging. What is the most efficient solution?

A.Periodically run a script to list all buckets and check logging configuration.
B.Enable S3 event notifications on the bucket creation event and trigger a Lambda function.
C.Use CloudWatch Events to detect CreateBucket API calls and trigger a Lambda function.
D.Use AWS Config with a managed rule to evaluate S3 buckets for server access logging.
AnswerD

AWS Config continuously evaluates resources against rules and can send notifications on non-compliant resources.

Why this answer

AWS Config with the managed rule 's3-bucket-server-access-logging-enabled' continuously evaluates all S3 buckets against the desired configuration. When a bucket is created without server access logging, AWS Config automatically flags it as noncompliant and can trigger an SNS notification. This is the most efficient solution because it provides ongoing, automated compliance monitoring without requiring custom scripts or event-driven remediation.

Exam trap

The trap here is that candidates confuse event-driven detection (CloudWatch Events or S3 event notifications) with continuous compliance evaluation, mistakenly believing that a single trigger at creation time is sufficient to meet the requirement of being notified if a bucket is created without logging.

How to eliminate wrong answers

Option A is wrong because periodically running a script is reactive, not proactive; it introduces latency between bucket creation and detection, and requires manual maintenance. Option B is wrong because S3 event notifications are triggered by object-level events (e.g., PUT, POST) within a bucket, not by the CreateBucket API call itself, so they cannot detect bucket creation. Option C is wrong because CloudWatch Events (now Amazon EventBridge) can detect CreateBucket API calls, but this approach only triggers a Lambda function at creation time; it does not provide ongoing compliance evaluation if logging is later disabled, and it requires custom code to check the logging configuration.

634
MCQmedium

A company has deployed an Application Load Balancer (ALB) in a VPC. The ALB is configured with a target group pointing to EC2 instances in a private subnet. Clients receive HTTP 503 errors. What is the likely cause?

A.The ALB does not have an Elastic IP address.
B.The security group for the ALB does not allow inbound HTTP traffic.
C.The target instances are unhealthy and the target group has zero healthy hosts.
D.The route table for the private subnet does not have a route to the ALB.
AnswerC

Correct because 503 Service Unavailable indicates no healthy targets.

Why this answer

Option C is correct because 503 indicates the target group has no healthy instances. Option B is wrong because a security group not allowing HTTP would cause a timeout or 502. Option D is wrong because a missing route would cause no connectivity at all.

Option A is wrong because the ALB does not need an Elastic IP.

635
MCQhard

A company uses AWS Lambda functions to process messages from an SQS queue. The Lambda function is configured with a reserved concurrency of 100. The SQS queue receives unpredictable spikes of up to 10,000 messages per second. The function takes about 1 second to process a message. The SysOps team notices that during spikes, messages are being throttled and appear in the DLQ. How can the team resolve this while optimizing cost?

A.Reduce the reserved concurrency to 10 to force the function to process messages more slowly.
B.Increase reserved concurrency to 1000 and enable batch processing with a batch size of 10 in the SQS event source mapping.
C.Provision an EC2 fleet to poll the SQS queue and invoke the Lambda function.
D.Increase the Lambda function memory and timeout to use a larger instance type.
AnswerB

Higher concurrency allows handling spikes, batch processing reduces invocations.

Why this answer

Option B is correct because increasing reserved concurrency allows Lambda to scale to handle the spike, and batch processing reduces the number of invocations, lowering cost. Option A is wrong because reducing concurrency would worsen throttling. Option D is wrong because a larger instance type might not be available and increases the cost per invocation.

Option C is wrong because Lambda cannot be run on EC2 in a serverless manner.

636
Multi-Selectmedium

A company wants to monitor AWS API calls for suspicious activity. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A.VPC Flow Logs
B.Amazon CloudWatch Logs
C.Amazon Inspector
D.AWS Config
E.AWS CloudTrail
AnswersB, E

CloudWatch Logs can analyze CloudTrail logs for suspicious patterns.

Why this answer

Options B and E are correct. CloudTrail logs API calls, and CloudWatch Logs can ingest those logs and use metric filters to detect suspicious patterns. Option D (AWS Config) records resource changes, not API calls.

Option A (VPC Flow Logs) captures network traffic. Option C (Amazon Inspector) is for security assessments.

637
MCQeasy

A SysOps administrator needs to monitor the memory utilization of an EC2 instance running Amazon Linux 2. Which of the following is required to publish memory metrics to CloudWatch?

A.Use the CloudWatch Logs agent to parse memory usage from system logs.
B.Install and configure the CloudWatch agent on the instance.
C.Enable detailed monitoring on the instance.
D.Install the AWS Systems Manager Agent (SSM Agent) and configure it to send metrics.
AnswerB

The CloudWatch agent can collect custom metrics like memory.

Why this answer

The CloudWatch agent is specifically designed to collect custom metrics, such as memory utilization, from EC2 instances and publish them to CloudWatch. Unlike the default EC2 monitoring, which only captures hypervisor-level metrics (CPU, network, disk), memory utilization requires an in-guest agent to read from the operating system's /proc/meminfo or similar interfaces. The CloudWatch agent can be configured via a JSON file to collect memory metrics and send them to CloudWatch using the PutMetricData API.
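A minimal agent configuration file of the kind the explanation refers to, added here as an example (it is not from the question bank). It assumes the agent is installed on Amazon Linux 2 and the file is loaded with amazon-cloudwatch-agent-ctl; the metric names and the CWAgent namespace are the agent's own defaults:

```json
{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "cwagent"
  },
  "metrics": {
    "namespace": "CWAgent",
    "append_dimensions": {
      "InstanceId": "${aws:InstanceId}"
    },
    "metrics_collected": {
      "mem": {
        "measurement": [
          "mem_used_percent",
          "mem_available_percent"
        ],
        "metrics_collection_interval": 60
      }
    }
  }
}
```

The agent reads these values in-guest and publishes them with PutMetricData, so the instance role needs the CloudWatchAgentServerPolicy managed policy or an equivalent cloudwatch:PutMetricData permission.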

Exam trap

The trap here is that candidates confuse 'detailed monitoring' (which increases frequency of existing hypervisor metrics) with the ability to collect in-guest metrics, or they assume the SSM Agent or CloudWatch Logs agent can perform metric collection, when only the CloudWatch agent is designed for that purpose.

How to eliminate wrong answers

Option A is wrong because the CloudWatch Logs agent is used to send log data to CloudWatch Logs, not to parse and publish custom metrics like memory utilization to CloudWatch Metrics. Option C is wrong because enabling detailed monitoring only increases the frequency of standard EC2 metrics (e.g., CPU, disk I/O) from 5 minutes to 1 minute; it does not enable collection of in-guest metrics such as memory. Option D is wrong because the SSM Agent is used for Systems Manager features like Run Command, Patch Manager, and Inventory, not for publishing custom metrics to CloudWatch; it lacks the metric collection and publishing capabilities of the CloudWatch agent.

638
Multi-Selecthard

Which TWO options are valid ways to send custom metrics to Amazon CloudWatch?

Select 2 answers
A.Use the CloudWatch agent to collect and publish custom metrics.
B.Use the PutMetricData API call.
C.Use Amazon SQS to send metric data to CloudWatch.
D.Use AWS CloudTrail to log custom metrics.
E.Use Amazon Kinesis Data Firehose to deliver metrics to CloudWatch.
AnswersA, B

The agent can collect custom metrics from the OS and applications.

Why this answer

Option A is correct because the CloudWatch agent can be installed on EC2 instances or on-premises servers to collect system-level metrics (like memory and disk usage) and custom application metrics, then publish them to CloudWatch. Option B is correct because the PutMetricData API call allows direct programmatic ingestion of custom metrics into CloudWatch, supporting up to 1,000 metrics per call with a maximum payload of 1 MB.

Exam trap

The trap here is that candidates may think SQS or Kinesis Data Firehose can natively push data to CloudWatch, but neither service has a direct integration for custom metric ingestion—only PutMetricData or the CloudWatch agent (which uses that API) are valid methods.

639
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. The administrator wants to ensure that the database layer is fully provisioned and available before the application layer starts. How can this be achieved?

A.Create separate stacks for the database and application layers.
B.Use a CloudFormation creation policy on the application instances.
C.Use the DependsOn attribute on the application layer resources to depend on the database layer.
D.Use a CloudFormation wait condition in the database stack.
AnswerC

DependsOn explicitly sets resource creation order.

Why this answer

Option C is correct. Using CloudFormation's DependsOn attribute ensures that the database resource is created before the application resource. Option D (wait conditions) is used for external signals, not for resource dependencies.

Option B (creation policy) is for signaling from within an instance. Option A (separate stacks) does not inherently order resources across stacks.

640
MCQhard

A SysOps administrator is investigating a cost increase in a production AWS account. They notice that an EC2 instance with a Reservation has been running continuously for months. The instance type is m5.large in us-east-1. The administrator sees that the instance is using a Standard Reserved Instance (RI) that was purchased 6 months ago for a 1-year term. However, the current utilization shows that the instance is only used for 4 hours per day. What should the administrator do to optimize costs without affecting availability?

A.Stop the instance during off-hours using Instance Scheduler, but keep the RI as-is.
B.Sell the current RI on the Reserved Instance Marketplace and purchase a new Convertible RI for a smaller instance type.
C.Modify the existing RI to a smaller instance size (e.g., t3.medium) and use Auto Scaling with a schedule to start/stop the instance during business hours.
D.Convert the RI to a Convertible RI and exchange it for a larger instance family to get more compute per hour.
AnswerC

Modifying RI to a smaller size matches usage; scheduled stop reduces running hours.

Why this answer

Option C is correct because modifying the RI to a smaller size can better match the usage pattern, and using Auto Scaling with scheduled scaling stops the instance when it is not needed. Option B is wrong because selling on the Reserved Instance Marketplace would lose the upfront payment and not address the over-provisioning. Converting to On-Demand would be more expensive for the hours used.

Option A is wrong because simply stopping the instance during off-hours does not change the RI commitment: the RI is billed for the full term whether or not the instance is running, so the hours in which it is stopped are wasted.

641
MCQhard

A company is running a critical application on Amazon RDS for MySQL. The database is experiencing high read traffic, causing performance issues. The SysOps administrator needs to improve read performance while keeping costs low. Which solution should the administrator choose?

A.Enable Multi-AZ deployment
B.Increase the DB instance class to a larger size
C.Use Amazon ElastiCache to cache read results
D.Add one or more Read Replicas in the same Region
AnswerD

Offloads reads effectively and is cost-efficient.

Why this answer

Option D is correct because adding Read Replicas offloads read traffic from the primary DB, improving performance at low cost. Multi-AZ is for high availability, not read scaling. A larger instance class increases cost.

ElastiCache can help but may be overkill and adds complexity and cost.

642
MCQmedium

A SysOps team is using CloudWatch to monitor CPU utilization of EC2 instances. They want to receive a notification when average CPU exceeds 80% for 5 consecutive minutes. Which combination of services should they use?

A.CloudWatch Metrics, CloudWatch Alarm, and AWS Lambda
B.AWS Config, CloudWatch Alarm, and Amazon SNS
C.CloudWatch Metrics, CloudWatch Alarm, and Amazon SNS
D.CloudWatch Logs, CloudWatch Alarm, and AWS Lambda
AnswerC

Standard pattern for metric-based alerts.

Why this answer

Option C is correct because CloudWatch Metrics collect CPU data, a CloudWatch Alarm triggers when the threshold is breached, and SNS sends notifications. CloudWatch Logs is for log data, not metrics. Lambda is not needed for a simple notification.

Systems Manager is for management, not monitoring.

643
MCQmedium

A company's security team notices that an IAM user has access keys that have not been rotated in over a year. Which action should the SysOps administrator take to enforce key rotation automatically?

A.Set up an AWS Config rule to detect old keys and trigger an AWS Lambda function to rotate them.
B.Apply a service control policy (SCP) that requires key rotation.
C.Configure an IAM policy that automatically rotates keys every 90 days.
D.Use AWS Trusted Advisor to automatically rotate the keys.
AnswerA

This is a best practice using Config and Lambda to automate key rotation.

Why this answer

Option A is correct because IAM access key rotation can be automated using an AWS Config rule that checks key age and triggers a Lambda function to rotate or disable old keys. Option C is wrong because IAM does not support automatic key rotation natively. Option D is wrong because Trusted Advisor provides recommendations but does not automate rotation.

Option B is wrong because SCPs are for organizational policies, not key rotation.

644
MCQmedium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The connection is redundant with two virtual interfaces (VIFs). Recently, one VIF failed, and the administrator notices that traffic is not automatically failing over. What must be configured to enable automatic failover?

A.Configure BGP metrics to prefer the primary VIF.
B.Create a VPN connection as a backup and configure route propagation with a lower priority.
C.Place both VIFs in the same VLAN.
D.Enable equal-cost multi-path (ECMP) routing.
AnswerB

Correct. A VPN backup with BGP metrics ensures automatic failover.

Why this answer

AWS Direct Connect does not fail over automatically on its own. Using BGP with AS_PATH prepending, or a Direct Connect gateway with multiple VIFs, can help, but the simplest approach is to use a VPN as a backup or to configure BGP metrics. The question implies that an active/backup design is needed.

The common solution is to use a VPN connection as a backup and configure route propagation.

645
MCQmedium

A SysOps administrator is troubleshooting a failed AWS CloudFormation stack update. The error message indicates that a resource failed to create due to insufficient IAM permissions. The administrator used a service role for CloudFormation. What should the administrator do to resolve the issue?

A.Add the required permissions to the administrator's IAM user.
B.Request a limit increase for IAM roles in the AWS account.
C.Update the IAM policy attached to the CloudFormation service role to include the necessary permissions.
D.Modify the resource's IAM policy to allow CloudFormation to create it.
AnswerC

Correct: The service role's policy must grant the required permissions.

Why this answer

The correct answer is C because CloudFormation service roles allow the stack to assume a role that grants the necessary permissions. The administrator must ensure the service role's policy includes the required actions for the resource. Option A is wrong because the administrator's own permissions are not used when a service role is specified.

Option D is wrong because resource policies govern access to the resource, not CloudFormation actions. Option B is wrong because the account's IAM limits are not likely the issue.

646
Multi-Selecthard

A SysOps administrator is designing a monitoring solution for a critical application running on EC2 instances. The application requires that all API calls to the environment are logged for security analysis. Which TWO services should the administrator use to meet this requirement?

Select 2 answers
A.Amazon GuardDuty
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.AWS Config
E.VPC Flow Logs
AnswersB, C

CloudWatch Logs can store and monitor CloudTrail log files.

Why this answer

Option C (AWS CloudTrail) is correct because it records all API calls made to the AWS environment, including calls made via the AWS Management Console, AWS CLI, SDKs, and other services. CloudTrail logs provide the identity of the caller, the time of the call, the source IP address, and the request parameters, which are essential for security analysis. Option B (Amazon CloudWatch Logs) is also correct because CloudTrail logs can be delivered to CloudWatch Logs for centralized monitoring, alerting, and retention, enabling real-time analysis and integration with other AWS services.

Exam trap

The trap here is confusing AWS CloudTrail (which logs API calls) with VPC Flow Logs (which log network traffic) or GuardDuty (which detects threats but does not generate logs), leading candidates to select services that analyze logs rather than capture them.

647
MCQeasy

A company has an Amazon S3 bucket that stores critical data. The security team wants to be notified whenever an object in the bucket is deleted. Which solution should the SysOps administrator implement?

A.Configure an S3 event notification for 's3:ObjectRemoved:*' events to trigger an AWS Lambda function that sends an email.
B.Enable CloudTrail data events for the S3 bucket, create a CloudWatch Events rule for 'DeleteObject' API calls, and send notifications via SNS.
C.Use AWS Config to monitor S3 bucket resources and trigger an SNS notification on configuration changes.
D.Enable S3 server access logs and use Amazon Athena to query for delete events, then send notifications.
AnswerB

This setup captures all delete operations and sends real-time alerts.

Why this answer

Option B is correct because it uses CloudTrail data events to capture 'DeleteObject' API calls specifically for the S3 bucket, then routes those events via CloudWatch Events to an SNS topic for notification. This provides a reliable, real-time notification mechanism for object deletions without requiring custom code or post-hoc analysis.

Exam trap

The trap here is that candidates often assume S3 event notifications are sufficient for all object operations, but they do not capture all delete scenarios (e.g., versioned object deletions) and lack the integration flexibility of CloudTrail with CloudWatch Events for centralized monitoring and alerting.

How to eliminate wrong answers

Option A is wrong because S3 event notifications for 's3:ObjectRemoved:*' are triggered asynchronously and may not capture all delete scenarios (e.g., versioned object deletions or MFA delete failures), and they require a Lambda function to send email, adding complexity and potential failure points. Option C is wrong because AWS Config monitors configuration changes to the bucket itself (e.g., policy changes), not object-level operations like deletions, so it cannot detect object deletion events. Option D is wrong because S3 server access logs are delivered on a best-effort basis with potential delays (often hours), and querying with Athena is a reactive, post-hoc approach that does not provide real-time notifications.
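An event pattern for the CloudWatch Events (EventBridge) rule described in Option B, added here as an example (it is not from the question bank). It assumes a trail that logs S3 data events for the bucket; example-critical-bucket is a placeholder name:

```json
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["DeleteObject", "DeleteObjects"],
    "requestParameters": {
      "bucketName": ["example-critical-bucket"]
    }
  }
}
```

The SNS topic is attached as the rule's target. DeleteObjects is matched as well because a multi-object delete arrives as a single API call that a rule matching only DeleteObject would miss.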

648
MCQmedium

A company has a fleet of EC2 instances that are part of an Auto Scaling group. The SysOps team wants to automatically replace any instance that fails the status check for 2 consecutive minutes. Which configuration should be used?

A.Configure an EC2 Auto Scaling group to use EC2 status checks and set the health check grace period to 2 minutes.
B.Use AWS Systems Manager Automation to run a script that reboots the instance.
C.Configure an Amazon EventBridge rule to trigger an AWS Lambda function that terminates the instance.
D.Configure a CloudWatch Alarm on StatusCheckFailed metric to reboot the instance.
AnswerA

Auto Scaling will automatically terminate and replace instances that fail status checks.

Why this answer

Option A is correct because an Auto Scaling group can use EC2 status checks to determine instance health. By setting the health check grace period to 2 minutes, the Auto Scaling group will wait 2 minutes after an instance enters the InService state before starting health checks, and then if the instance fails status checks for 2 consecutive minutes, the Auto Scaling group will mark it as unhealthy and automatically terminate and replace it.

Exam trap

The trap here is that candidates often confuse the health check grace period with the time window for detecting failures, or they mistakenly think that rebooting or terminating via CloudWatch or Lambda is equivalent to replacing the instance within an Auto Scaling group.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Automation can reboot an instance, but it does not automatically replace the instance; it only attempts to recover it, and the requirement is to replace the instance, not reboot it. Option C is wrong because an EventBridge rule triggering a Lambda function to terminate the instance would require custom code and does not integrate with the Auto Scaling group's lifecycle to automatically launch a replacement instance. Option D is wrong because a CloudWatch Alarm on the StatusCheckFailed metric can be configured to reboot the instance, but it does not replace the instance; the requirement is to automatically replace the instance, not reboot it.

649
MCQmedium

An application running on EC2 instances stores session data in an attached EBS volume. The company wants to ensure session data is not lost if an instance fails. Which solution should the administrator implement?

A.Move session storage to Amazon ElastiCache for Redis with replication.
B.Use EBS Multi-Attach to attach the volume to multiple instances.
C.Take frequent EBS snapshots of the volume.
D.Use a larger EC2 instance type with more memory.
AnswerA

ElastiCache provides a durable, highly available session store.

Why this answer

Option A is correct because ElastiCache provides a highly available, in-memory data store outside the EC2 instance, preserving session data on instance failure. Option C is wrong because an EBS snapshot is not real-time. Option B is wrong because EBS Multi-Attach is for shared block storage, not session data.

Option D is wrong because scaling up does not provide durability.

650
MCQhard

A company has a VPC with public and private subnets. The private subnets host application servers that need to make outbound HTTPS connections to the internet. The SysOps administrator must implement a solution that provides outbound internet connectivity while preventing inbound connections from the internet. Additionally, the solution must allow the company to control which domains the application servers can access. Which solution should the administrator implement?

A.Configure a NAT Gateway and use security group outbound rules to restrict destinations.
B.Configure a NAT instance with proxy software and use route tables to direct traffic from private subnets to the NAT instance.
C.Configure an egress-only Internet Gateway and route private subnet traffic to it.
D.Configure a VPC endpoint for HTTPS and route private subnet traffic to it.
AnswerB

A NAT instance can run proxy software (e.g., Squid) that allows domain-based access control. It provides outbound connectivity while preventing inbound traffic, meeting all requirements.

Why this answer

Option B is correct because a NAT instance with proxy software (e.g., Squid) allows outbound HTTPS connections from private subnets while blocking inbound connections, and the proxy software can enforce domain-level access control via allow/deny lists. This meets the requirement to restrict which domains the application servers can access, which a standard NAT Gateway cannot do because it only translates IP addresses and cannot filter by domain name.

Exam trap

The trap here is that candidates often assume a NAT Gateway with security group rules can control domain access, but security groups cannot filter by domain name—only by IP address—so the proxy-based NAT instance is required for domain-level restriction.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway translates private IPs to a public IP for outbound traffic, but security group outbound rules can only filter by IP address or CIDR, not by domain name, so it cannot control which domains are accessed. Option C is wrong because an egress-only Internet Gateway is used for IPv6 traffic only, and the question does not specify IPv6; it also cannot filter by domain. Option D is wrong because a VPC endpoint for HTTPS (e.g., interface endpoint) provides private connectivity to specific AWS services (like S3 or DynamoDB) via AWS PrivateLink, not general internet access, and cannot route traffic to arbitrary internet domains.

651
MCQeasy

A company has an Auto Scaling group of EC2 instances behind an Application Load Balancer. The SysOps administrator notices that the healthy host count is lower than expected. The instances are in service, and security groups allow traffic. What is a likely cause?

A.The instances are not registered with the target group.
B.The security group for the load balancer does not allow inbound traffic.
C.The health check path is returning HTTP 503.
D.The target group is not associated with the load balancer.
AnswerC

A non-200 response causes the instance to be unhealthy.

Why this answer

The correct answer is C because a health check path returning HTTP 503 (Service Unavailable) indicates that the target instances are reachable but the application is failing to respond correctly. The Application Load Balancer (ALB) marks instances as unhealthy when the health check receives any non-2xx or non-3xx response, which reduces the healthy host count even though the instances are in service and security groups are properly configured.

Exam trap

The trap here is that candidates often assume a low healthy host count is always due to network-level issues (security groups or registration), but the question explicitly states instances are 'in service' and security groups allow traffic, pointing to an application-level health check failure like a 503 response.

How to eliminate wrong answers

Option A is wrong because instances that are 'in service' in the Auto Scaling group are automatically registered with the target group when the group is associated with the ALB; if they were not registered, they would not appear as 'in service'. Option B is wrong because the security group for the load balancer controls inbound traffic from clients, not health check traffic from the load balancer to instances; health check traffic is governed by the instance security group allowing traffic from the load balancer's security group or CIDR. Option D is wrong because if the target group were not associated with the load balancer, the instances would not be receiving traffic from the ALB at all, and the healthy host count would be zero or the target group would not appear in the ALB configuration.

652
MCQhard

A SysOps administrator is troubleshooting a slow-running RDS MySQL instance. The administrator notices that the ReadIOPS metric is consistently high, but the WriteIOPS is low. The instance type is db.m5.large with 300 GB of General Purpose SSD (gp2). What is the most likely cause?

A.The instance type is too small for the workload.
B.The database is experiencing write contention.
C.The network bandwidth is insufficient.
D.The gp2 volume is experiencing I/O credit exhaustion.
AnswerD

Exceeding baseline IOPS depletes credits, causing throttling.

Why this answer

The correct answer is D because a db.m5.large instance with 300 GB of gp2 storage has a baseline IOPS of 900 (3 IOPS per GB) and a burst balance of 5.4 million I/O credits. With consistently high ReadIOPS and low WriteIOPS, the volume is likely exhausting its I/O credit balance, causing performance throttling. This is a classic symptom of gp2 I/O credit exhaustion, where read-heavy workloads deplete the burst bucket, leading to degraded performance.

Exam trap

The trap here is that candidates often assume a slow database is always due to an undersized instance type, overlooking that gp2 volumes have a burst credit mechanism that can be exhausted by sustained high read I/O even with low write activity.

How to eliminate wrong answers

Option A is wrong because the instance type (db.m5.large) is not the primary bottleneck; the issue is with the storage layer's I/O credits, not compute or memory. Option B is wrong because write contention would manifest as high WriteIOPS or increased latency on writes, but the metric shows low WriteIOPS, indicating writes are not the problem. Option C is wrong because network bandwidth is unrelated to storage I/O metrics; insufficient bandwidth would cause network latency or throughput issues, not high ReadIOPS on the EBS volume.

653
MCQeasy

A company uses AWS CloudFormation to deploy a VPC with public and private subnets. The stack creation fails with the error 'The maximum number of VPCs has been reached.' The SysOps administrator needs to deploy the stack as soon as possible. What should the administrator do?

A.Delete unused VPCs to free up capacity.
B.Modify the CloudFormation template to use an existing VPC.
C.Request a VPC limit increase from AWS Support.
D.Deploy the stack in a different AWS region.
AnswerC

Increasing the limit allows creation of additional VPCs.

Why this answer

Option C is correct because the error 'The maximum number of VPCs has been reached' indicates the AWS account has hit the default VPC limit (5 per region). Requesting a service limit increase from AWS Support is the fastest way to raise this soft limit without modifying existing infrastructure or templates, allowing the stack to deploy in the same region.

Exam trap

The trap here is that candidates may choose to delete unused VPCs (Option A) thinking it's faster, but AWS Support limit increases are often quicker and safer than auditing and deleting resources, especially in production environments.

How to eliminate wrong answers

Option A is wrong because deleting unused VPCs is an alternative but may not be the fastest solution if no VPCs are truly unused, and it requires identifying and safely removing resources, which could delay deployment. Option B is wrong because modifying the CloudFormation template to use an existing VPC changes the architecture and may not meet the requirement for deploying a new VPC as specified in the question. Option D is wrong because deploying in a different region may avoid the limit but introduces latency, compliance, or service availability issues, and is not the most direct fix for a soft limit that can be increased.

654
MCQeasy

A company has deployed a static website on Amazon S3 with public read access. They want to use Amazon CloudFront to serve the content with HTTPS. They create a CloudFront distribution with the S3 bucket as an origin. After configuring the distribution, users report that they are unable to access the website via the CloudFront URL. The CloudFront distribution status is 'Deployed'. The S3 bucket policy allows GetObject for any principal. What is the most likely reason for the issue?

A.The S3 bucket is not configured for static website hosting; CloudFront should use the bucket's website endpoint as the origin.
B.The S3 bucket policy does not grant CloudFront access.
C.The CloudFront distribution is not configured to use HTTPS.
D.The CloudFront distribution is not associated with an origin access identity (OAI).
AnswerA

For static website hosting, the origin must be the S3 website endpoint, not the bucket's REST endpoint.

Why this answer

Option A is correct. The question says users access the site via the CloudFront URL, so the default CloudFront domain (xxxx.cloudfront.net) is being used; that domain supports HTTPS by default, so a missing SSL certificate for a custom domain (the most common HTTPS problem) does not apply here. Note also that if the origin protocol policy is set to 'Match Viewer', CloudFront uses HTTP to fetch from S3 when the viewer uses HTTP, and S3 static website hosting does not support HTTPS unless configured; this affects the origin protocol, not whether the site is reachable.

The actual issue is that the S3 bucket is configured for static website hosting, so the CloudFront origin domain name should be the S3 website endpoint, not the bucket's REST endpoint. If the REST endpoint was used as the origin, CloudFront might not be able to access the site properly. Option B is wrong because the bucket policy allows public read.

Option C is wrong because CloudFront automatically encrypts the connection to S3 when HTTPS is used. Option D is wrong because CloudFront can serve content from a public S3 bucket without an OAI.

655
MCQhard

A company uses Amazon Route 53 for DNS and wants to ensure that its web application is highly available across two AWS Regions. The application runs behind an Application Load Balancer in each Region. Which routing policy should be used?

A.Weighted routing policy
B.Failover routing policy
C.Geolocation routing policy
D.Latency routing policy
AnswerB

Correct: Failover routing policy is designed for active-passive failover using health checks.

Why this answer

Option B is correct because the failover routing policy allows you to configure an active-passive setup with health checks, routing traffic to the secondary Region only if the primary fails. Option A is wrong because weighted routing distributes traffic based on weights, not for failover. Option D is wrong because latency-based routing routes based on lowest latency, not failover.

Option C is wrong because geolocation routing routes based on user location, not for failover.

656
MCQhard

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer (ALB) in the public subnets routes traffic to EC2 instances in the private subnets. The EC2 instances need to access the internet for software updates. Which solution is MOST secure and cost-effective?

A.Deploy a NAT Gateway in a public subnet and add a route in the private subnet route tables pointing 0.0.0.0/0 to the NAT Gateway.
B.Set up a VPN connection to an on-premises network and route internet traffic through it.
C.Assign public IP addresses to the EC2 instances and route traffic directly.
D.Attach an internet gateway to the private subnets and route 0.0.0.0/0 to it.
AnswerA

NAT Gateway provides secure outbound internet access without inbound access.

Why this answer

A NAT Gateway in a public subnet allows EC2 instances in private subnets to initiate outbound connections to the internet (e.g., for software updates) while preventing inbound connections from the internet. This is the most secure and cost-effective solution because it uses a managed AWS service that scales automatically and incurs charges only for usage and hourly uptime, avoiding the need for a bastion host or VPN.

Exam trap

The trap here is that candidates often confuse NAT Gateways with Internet Gateways, assuming an IGW can be attached to private subnets, or they overlook that assigning public IPs to private instances breaks the subnet's isolation and security model.

How to eliminate wrong answers

Option B is wrong because routing internet traffic through a VPN to an on-premises network adds unnecessary latency, complexity, and cost (e.g., VPN connection charges, bandwidth costs) and is not designed for general internet access—it is intended for hybrid connectivity. Option C is wrong because assigning public IP addresses to EC2 instances in private subnets exposes them directly to the internet, violating the security principle of private subnets and increasing the attack surface; it also requires managing Elastic IPs and security groups. Option D is wrong because an internet gateway (IGW) cannot be attached to private subnets—IGWs are attached to VPCs and route traffic only from subnets with route tables pointing to the IGW; attaching an IGW to a private subnet would require making the subnet public, defeating its purpose.

657
MCQmedium

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage that pulls code from an Amazon S3 bucket. The company wants to automatically trigger the pipeline when a new object is uploaded to the S3 bucket. How should this be configured?

A.Configure a CloudWatch Events rule that matches S3 object creation events and triggers the pipeline.
B.Use an AWS Lambda function to poll the S3 bucket and start the pipeline.
C.Configure the S3 bucket to send events to an Amazon SNS topic that triggers the pipeline.
D.Configure the S3 bucket to send events to an Amazon SQS queue that triggers the pipeline.
AnswerA

CloudWatch Events can directly trigger CodePipeline.

Why this answer

Option A is correct because S3 can send object creation events to CloudWatch Events (EventBridge), and a CloudWatch Events rule can start the pipeline directly. Option D is wrong because SQS is not needed. Option C is wrong because SNS is not needed.

Option B is wrong because a polling Lambda function is not required.

658
MCQhard

A company is using AWS Elastic Beanstalk with a Blue/Green deployment strategy. After deploying a new version to the green environment and verifying it, the administrator wants to swap the CNAMEs to route production traffic to the green environment. However, the swap operation fails due to a CNAME already in use error. What is the MOST likely cause?

A.The green environment is using the same environment URL as the blue environment.
B.The CNAME prefix for the green environment is already in use by another environment in the same region.
C.The load balancer is not configured to handle the traffic.
D.The green environment has failing health checks.
AnswerB

CNAME prefixes must be unique; if the green environment tries to use the blue's prefix, it fails if already taken.

Why this answer

Option B is correct because Elastic Beanstalk environment CNAMEs must be unique within a region. If the green environment's CNAME prefix is already in use, the swap fails. Option D is incorrect because health checks are not directly related to the CNAME swap.

Option C is incorrect because load balancer configuration does not prevent a CNAME swap. Option A is incorrect because the environment URL is not what is checked during the swap; it's the CNAME prefix that matters.

659
MCQeasy

A SysOps administrator manages a web application running on Amazon EC2 instances that run 24/7 for the next 12 months. The workload is steady and predictable. Which EC2 purchasing option provides the highest cost savings for this use case?

A.Standard Reserved Instances
B.Spot Instances
C.On-Demand Instances
D.Savings Plans (Compute)
AnswerA

Correct. Standard Reserved Instances offer the highest discount for a steady, predictable 24/7 workload with a 1-year or 3-year term.

Why this answer

Standard Reserved Instances provide the highest cost savings for a steady, predictable 24/7 workload over a 12-month period because they offer a significant discount (up to 72% compared to On-Demand) in exchange for a commitment to a specific instance family, region, and term length. Since the workload runs continuously without interruption, the upfront payment or partial upfront payment for a 1-year term maximizes savings without the risk of interruption or the need for flexibility.

Exam trap

The trap here is that candidates often choose Savings Plans (Compute) because they offer flexibility across instance families, but for a predictable, steady-state workload with a fixed instance type, Standard Reserved Instances provide the highest discount and capacity guarantee, making them the optimal choice for cost savings.

How to eliminate wrong answers

Option B is wrong because Spot Instances are designed for fault-tolerant, flexible workloads that can handle interruptions, not for a steady 24/7 production web application that requires reliability. Option C is wrong because On-Demand Instances offer no upfront commitment but have the highest per-hour cost, making them the least cost-effective for a predictable, always-on workload. Option D is wrong because Savings Plans (Compute) provide flexibility across instance families and regions but typically offer slightly lower discounts than Standard Reserved Instances for a specific, steady-state workload with a known instance type and region.

660
MCQhard

A company uses this IAM policy to restrict S3 uploads to the STANDARD storage class only. A developer tries to upload an object to the bucket using the CLI without specifying a storage class. What will happen?

A.The upload will fail because the condition does not allow PutObject.
B.The upload will succeed if the bucket has a default storage class of STANDARD-IA.
C.The upload will succeed because the default storage class is STANDARD.
D.The upload will fail because the condition requires explicit specification of the storage class.
AnswerC

Default storage class is STANDARD, which matches the condition.

Why this answer

Option C is correct because the condition requires the storage class to be STANDARD. When no storage class is specified, the default is STANDARD, so the upload succeeds. Option D is wrong because the condition is satisfied by the default; it does not require the storage class to be specified explicitly.

Option B is wrong because the default is STANDARD, not STANDARD-IA. Option A is wrong because the policy allows PutObject.

661
MCQmedium

A company uses AWS CodeBuild to compile code and run unit tests. The build environment requires a specific version of Java that is not available in the default build images. What should the administrator do?

A.Request AWS Support to add the Java version to the default build image.
B.Use an AWS Lambda function to set up the build environment before CodeBuild runs.
C.Install the required Java version in the buildspec file using a command.
D.Create a custom build image with the required Java version and push it to Amazon ECR.
AnswerD

Custom images allow full control over the build environment.

Why this answer

Option D is correct because the administrator can create a custom build image with the required Java version, push it to Amazon ECR, and reference it in the build project. Option C is wrong because installing Java in the buildspec is possible but inefficient, and the installation does not persist between builds. Option A is wrong because the default images cannot be modified.

Option B is wrong because using a Lambda function to prepare the build environment is not the right approach.

662
MCQeasy

A company hosts a static website on Amazon S3 with public read access enabled. The website is accessed via a custom domain name that uses Amazon Route 53. The domain name points to the S3 bucket's website endpoint. Users report that they can access the website using the S3 bucket URL but not the custom domain name. What is the most likely cause?

A.The S3 bucket policy does not allow public access.
B.The website does not support HTTPS and the browser blocks it.
C.The Route 53 alias record points to the S3 bucket's regional endpoint instead of the website endpoint.
D.The DNS TTL is too long and the changes have not propagated.
AnswerC

For static website hosting, the alias target must be the S3 website endpoint (e.g., bucket-name.s3-website-region.amazonaws.com), not the bucket's regional endpoint (s3.amazonaws.com).

Why this answer

Option C is correct because the Route 53 alias record must point to the S3 website endpoint, not the bucket's regional endpoint. Option D is incorrect because DNS resolution is working; the record simply points to the wrong target. Option A is incorrect because the bucket policy allows public reads, as shown by the site working via the bucket URL.

Option B is incorrect because S3 website hosting does not require HTTPS by default.

663
MCQeasy

A SysOps administrator is configuring Amazon CloudFront to serve content from an Amazon S3 bucket. The content is sensitive and should be encrypted at rest. Which option ensures that content is encrypted at rest in S3?

A.Enable server-side encryption (SSE-S3) on the S3 bucket
B.Enable CloudFront HTTPS-only access to the S3 bucket
C.Configure signed URLs for the distribution
D.Use CloudFront field-level encryption
AnswerA

SSE-S3 encrypts objects at rest in S3.

Why this answer

Option A is correct because enabling SSE-S3 on the S3 bucket encrypts objects at rest. CloudFront does not handle encryption at rest. Option B is wrong because CloudFront HTTPS-only access does not provide encryption at rest; it encrypts data in transit.

Option D is wrong because field-level encryption is for encrypting specific fields at the edge. Option C is wrong because signed URLs control access, not encryption at rest.

664
MCQmedium

A company uses AWS CodeDeploy to deploy an application to Amazon EC2 instances. The SysOps administrator wants to implement a deployment strategy that minimizes risk by deploying the new version to a small number of instances first, verifying that the deployment is successful, and then deploying to the remaining instances. If the initial deployment fails, the process should stop and roll back. Which CodeDeploy deployment configuration should be used?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.OneAtATime
D.CodeDeployDefault.Canary10Percent10Minutes
AnswerC

OneAtATime deploys to a single instance at a time, verifies that it is healthy, and then proceeds to the next. This is the most cautious approach and matches the requirement of deploying to a small number (one) first, then continuing to the rest.

Why this answer

Option C, CodeDeployDefault.OneAtATime, is correct because it deploys the new application revision to one instance at a time, checking for success before proceeding to the next. If any deployment step fails, the process stops and automatically rolls back, minimizing risk by limiting the blast radius of a bad deployment.

Exam trap

The trap here is that candidates often confuse CodeDeployDefault.Canary10Percent10Minutes (a traffic-shifting configuration for Lambda/ECS) with a linear EC2 deployment strategy, or they mistakenly think HalfAtATime provides sufficient risk mitigation when the requirement explicitly calls for deploying to a 'small number' first and stopping on failure.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, which does not minimize risk — a failure would affect all instances at once. Option B is wrong because CodeDeployDefault.HalfAtATime deploys to half the instances at a time, which still exposes a large portion of the fleet to a potential failure before verification is complete. Option D is wrong because CodeDeployDefault.Canary10Percent10Minutes is a canary deployment configuration that shifts 10% of traffic for 10 minutes, but this is a traffic-shifting strategy for Lambda or ECS deployments, not for EC2/On-Premises instances, and it does not stop on failure by default.

665
MCQmedium

A SysOps administrator manages a fleet of Amazon EC2 instances that run critical software. The administrator needs to automatically apply security patches every Tuesday at 2 AM. The instances are part of an Auto Scaling group and must be patched without downtime. Which AWS Systems Manager feature should be used?

A.State Manager
B.Patch Manager
C.Maintenance Windows
D.Run Command
AnswerC

Maintenance Windows are purpose-built for scheduling and executing tasks like patching during specific windows, with built-in support for Auto Scaling groups and capacity management.

Why this answer

Maintenance Windows is the correct choice because it allows you to schedule a recurring window (every Tuesday at 2 AM) during which Systems Manager actions, such as patching, can be executed on EC2 instances. This feature is specifically designed to coordinate patching across Auto Scaling groups without downtime by ensuring instances are patched in a controlled manner, often using a patching rate or concurrency limit to maintain availability.

Exam trap

The trap here is that candidates confuse Patch Manager (the patching engine) with Maintenance Windows (the scheduler), assuming Patch Manager alone can handle recurring schedules, when in fact it requires Maintenance Windows or a separate cron-like trigger to run at a specific time.

How to eliminate wrong answers

Option A is wrong because State Manager is used to define and maintain consistent configuration of instances over time (e.g., ensuring a specific software state), not to schedule one-time or recurring patching tasks with a defined window. Option B is wrong because Patch Manager is the service that actually scans for and installs patches, but it lacks the scheduling and windowing capabilities needed to run at a specific time (2 AM) without additional orchestration. Option D is wrong because Run Command is designed for ad-hoc, immediate execution of commands on instances, not for recurring scheduled operations with a defined maintenance window.

666
MCQmedium

A company is using AWS CodePipeline to automate their CI/CD pipeline. The pipeline includes a deployment stage that uses AWS CloudFormation to deploy infrastructure. The company wants to add a manual approval step before the CloudFormation deployment. How should this be configured?

A.Add a CloudFormation change set action before the deployment.
B.Configure an Amazon SNS topic to send a notification and require a confirmation.
C.Add a manual approval action in the pipeline before the CloudFormation deployment stage.
D.Use an AWS Lambda function to send an email and wait for a response.
AnswerC

CodePipeline supports manual approval actions that pause the pipeline until approval is granted.

Why this answer

Option C is correct because CodePipeline has a built-in manual approval action that pauses the pipeline until it is approved. Option A is wrong because CloudFormation change sets allow review but do not pause the pipeline. Option D is wrong because a Lambda function that sends an email cannot block the pipeline.

Option B is wrong because an SNS notification alone does not pause the pipeline.

667
MCQmedium

A SysOps administrator uses AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance and a security group. The administrator wants to ensure that when the stack is updated, the security group is not accidentally replaced if its properties change. The administrator wants to receive a failure if an update would require replacement of the security group. Which CloudFormation feature should the administrator use?

A.Add a 'DeletionPolicy' attribute set to 'Retain' on the security group resource.
B.Add a 'CreationPolicy' attribute to the security group resource.
C.Define a stack policy that denies replacement of the security group resource.
D.Use an 'UpdatePolicy' attribute with 'AutoScalingReplacingUpdate' on the security group.
AnswerC

A stack policy can specify the allowed update actions per resource. By denying the 'Replace' action for the security group, CloudFormation will fail updates that would require recreating the security group, protecting it from accidental replacement.

Why this answer

Option C is correct because a stack policy can explicitly deny update actions that would replace a resource, such as the security group. By defining a stack policy with a Deny statement for the 'Replace' effect on the security group's logical resource ID, CloudFormation will fail the update if any property change triggers a replacement, preventing accidental deletion and recreation.

Exam trap

The trap here is that candidates confuse 'DeletionPolicy' (which only applies on stack deletion) with preventing replacement during updates, or mistakenly think 'UpdatePolicy' or 'CreationPolicy' can control resource replacement behavior.

How to eliminate wrong answers

Option A is wrong because the 'DeletionPolicy' attribute set to 'Retain' only preserves the security group when the stack is deleted, not during an update; it does not prevent replacement during an update. Option B is wrong because 'CreationPolicy' is used to wait for signals or resource creation success, not to control update behavior or prevent replacement. Option D is wrong because 'UpdatePolicy' with 'AutoScalingReplacingUpdate' is specific to Auto Scaling groups to control rolling updates, not applicable to security groups.

668
MCQeasy

A SysOps administrator configures AWS CloudTrail to log all management events in a company's AWS account. The administrator needs to ensure that CloudTrail logs are not deleted for at least 5 years to meet compliance requirements. Which configuration should the administrator apply?

A.Enable CloudTrail log file validation.
B.Enable CloudTrail data events for S3.
C.Apply an S3 bucket policy that prohibits deletion of log files.
D.Enable S3 Object Lock on the CloudTrail S3 bucket.
Answer: D

Correct. S3 Object Lock enforces a retention period, preventing object deletion or overwrite for the specified duration, meeting the 5-year compliance requirement.

Why this answer

Option D is correct because S3 Object Lock provides a Write-Once-Read-Many (WORM) model that prevents objects from being deleted or overwritten for a specified retention period. By enabling S3 Object Lock on the CloudTrail S3 bucket and setting a retention mode (e.g., Compliance or Governance) with a 5-year retention period, the administrator ensures that CloudTrail log files cannot be deleted, meeting the compliance requirement.

Exam trap

The trap here is that candidates confuse S3 bucket policies with immutable storage, not realizing that bucket policies can be overridden by IAM permissions or root user actions, whereas S3 Object Lock provides true WORM protection that even the root user cannot bypass in Compliance mode.

How to eliminate wrong answers

Option A is wrong because CloudTrail log file validation uses SHA-256 hashing to verify the integrity of log files, not to prevent deletion; it ensures logs have not been tampered with but does not enforce retention. Option B is wrong because enabling CloudTrail data events for S3 captures object-level API activity (e.g., GetObject, PutObject) but does not protect log files from deletion; it increases logging scope but does not enforce retention. Option C is wrong because an S3 bucket policy that prohibits deletion of log files can be bypassed by the root user or by an IAM policy that grants s3:DeleteObject permissions; bucket policies alone cannot enforce immutable retention against authorized users.

669
MCQ · medium

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application is deployed in a single Availability Zone. The SysOps administrator notices that during peak hours, the application becomes slow and some requests fail. CloudWatch metrics show that CPU utilization on the instances reaches 90%, but the Auto Scaling group does not scale out. The administrator has configured a target tracking scaling policy based on average CPU utilization with a target value of 75%. The Auto Scaling group has a minimum of 2, maximum of 10, and desired capacity of 2. What is the MOST likely reason the Auto Scaling group is not scaling out?

A.The Auto Scaling group is configured with a single Availability Zone, and the target tracking policy cannot scale out beyond the capacity of that single AZ.
B.The target tracking policy uses a target value of 75%, but the average CPU is above that, so it should scale out.
C.The target tracking policy requires detailed monitoring to be enabled on the instances.
D.The Auto Scaling group has reached its maximum capacity of 10 instances.
Answer: A

Auto Scaling can scale out within a single AZ, but may be limited by instance types or quotas.

Why this answer

Option B is correct. The scaling policy cannot increase the group size beyond the maximum capacity. The maximum is 10, but the group may have reached other limits, or the policy may not be triggered because of insufficient metric data.

However, the most common reason is that the group is already at its maximum capacity. But the maximum is 10, so it's not that. Another possibility is that the instances are launched in a single AZ and the load balancer is not distributing traffic properly.

Option A is wrong because the target value is 75%, so it should scale out. Option C is wrong because the group is not at max capacity. Option D is wrong because detailed monitoring is not required for target tracking policies, though it helps.

Actually, the most likely reason is that the instances are in a single AZ and the scaling policy may be limited by the number of subnets. However, let's reconsider: The question says the group does not scale out. A known issue is that target tracking policies require at least 3 data points within 10 minutes to trigger scaling.

Option B is plausible. Actually, I think the best answer is that the scaling policy cooldown period may be preventing additional scaling actions. Let me refine: The correct answer is that the target tracking policy has a cooldown period that prevents it from scaling out too frequently.

But the stem says 'does not scale out', not that it scales slowly. Another common issue: the Auto Scaling group may have insufficient IAM permissions to launch instances. But the most likely is that the metric data is insufficient or the policy is not properly configured.

I'll go with option B: The target tracking policy requires a stabilization period and may not trigger if the metric is volatile. Actually, I'll choose option A: The target value is set too low. Wait, let's pick the best: The policy may be in a cooldown period.

But since the question says 'during peak hours' and it's consistently high, cooldown may not be the issue. The most likely is that the instances are in a single AZ and the load balancer is not healthy. Hmm.

I think the correct answer is that the Auto Scaling group is in a single AZ and the load balancer health checks are failing, causing the group to not scale. Actually, the question implies the instances are healthy. Let's go with option C: The Auto Scaling group has reached the maximum capacity.

But max is 10, so not. I'll go with option D: The scaling policy is not configured correctly. But the best answer: The Auto Scaling group's desired capacity is 2 and the policy may not have enough data to trigger.

I'll select option B.

670
Multi-Select · hard

A SysOps administrator needs to detect unauthorized changes to security groups and automatically notify the operations team. Which two AWS services should be part of the solution? (Choose 2.)

Select 2 answers
A.AWS CloudTrail.
B.Amazon EventBridge.
C.Amazon S3 Transfer Acceleration.
D.AWS Snowball Edge.
Answers: A, B

CloudTrail records API calls such as AuthorizeSecurityGroupIngress.

Why this answer

AWS CloudTrail is correct because it records API calls made to create, modify, or delete security groups, providing the audit trail needed to detect unauthorized changes. By enabling CloudTrail on the account and configuring a trail to deliver logs to Amazon S3, the administrator can monitor security group events such as AuthorizeSecurityGroupIngress or RevokeSecurityGroupEgress. This log data is essential for identifying when a change occurred, who made it, and from which source IP.

Exam trap

The trap here is that candidates often confuse Amazon S3 Transfer Acceleration with S3 event notifications or S3 server access logging, mistakenly thinking it can trigger alerts, when in fact it is solely a performance optimization for uploads.
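The CloudTrail plus EventBridge pairing from the answer, as an added CloudFormation example (not code from the question bank): an EventBridge rule that matches the security group API calls CloudTrail records and publishes them to an SNS topic the operations team subscribes to. The e-mail address is a placeholder.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the question bank: notify operations on security group API calls recorded by CloudTrail. The e-mail address is a placeholder.",
  "Parameters": {
    "OpsEmail": { "Type": "String", "Default": "ops-team@example.com" }
  },
  "Resources": {
    "OpsTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Protocol": "email", "Endpoint": { "Ref": "OpsEmail" } }
        ]
      }
    },
    "OpsTopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "OpsTopic" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "events.amazonaws.com" },
              "Action": "sns:Publish",
              "Resource": { "Ref": "OpsTopic" }
            }
          ]
        }
      }
    },
    "SecurityGroupChangeRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Description": "Security group create, rule change and delete calls",
        "State": "ENABLED",
        "EventPattern": {
          "source": [ "aws.ec2" ],
          "detail-type": [ "AWS API Call via CloudTrail" ],
          "detail": {
            "eventSource": [ "ec2.amazonaws.com" ],
            "eventName": [
              "CreateSecurityGroup",
              "DeleteSecurityGroup",
              "AuthorizeSecurityGroupIngress",
              "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress",
              "RevokeSecurityGroupEgress",
              "ModifySecurityGroupRules"
            ]
          }
        },
        "Targets": [
          { "Id": "NotifyOps", "Arn": { "Ref": "OpsTopic" } }
        ]
      }
    }
  }
}
```

The matched event's detail object is the CloudTrail record itself, so the notification carries userIdentity and sourceIPAddress, which is the "who and from where" the explanation calls for. EventBridge delivers these API-call events in the Region where the call was made, so the rule has to exist in every Region you care about. If an approved automation role makes frequent legitimate changes, narrow the pattern with an anything-but filter on detail.userIdentity.arn rather than disabling the rule.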

671
Multi-Select · medium

Which TWO actions can be taken to improve the availability of a web application hosted on EC2 instances behind an Application Load Balancer? (Select two.)

Select 2 answers
A.Configure an Auto Scaling group with health checks to replace unhealthy instances.
B.Use larger EC2 instance types.
C.Deploy the EC2 instances across multiple Availability Zones.
D.Use a single AWS Region for all instances.
E.Place all EC2 instances in a single subnet.
Answers: A, C

Auto Scaling automatically replaces unhealthy instances.

Why this answer

Option A is correct because an Auto Scaling group with health checks replaces unhealthy instances automatically. Option C is correct because a multi-AZ deployment distributes instances across Availability Zones for fault tolerance. Option E is wrong because a single subnet is a single point of failure.

Option B is wrong because a larger instance type improves performance, not availability. Option D is wrong because a single Region is more susceptible to regional failures.

672
MCQ · medium

A company hosts a web application behind an Application Load Balancer (ALB) in us-east-1. Users in Europe report high latency. The SysOps administrator decides to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. However, the application logs require the original client IP addresses of users. The ALB currently provides the client IP via the X-Forwarded-For header, but the development team warns that Global Accelerator may change the source IP. Which configuration should the administrator choose to meet both performance and logging requirements?

A.Configure Global Accelerator with an endpoint group that points directly to the ALB. The ALB will continue to receive the original client IP in the X-Forwarded-For header.
B.Place a Network Load Balancer (NLB) in front of the ALB, and configure Global Accelerator to point to the NLB. The NLB preserves the client IP, and the ALB can still see it in the X-Forwarded-For header.
C.Enable Proxy Protocol v2 on the ALB to ensure client IP addresses are preserved through Global Accelerator.
D.Use Amazon CloudFront instead of Global Accelerator and configure it to forward the client IP in a custom header.
Answer: B

Global Accelerator preserves the client source IP when the endpoint is an NLB. The NLB passes traffic to the ALB, which can see the original client IP in the X-Forwarded-For header. This satisfies both performance (using Global Accelerator) and logging requirements.

Why this answer

Option B is correct because placing a Network Load Balancer (NLB) in front of the ALB allows Global Accelerator to terminate the TCP connection at the edge, then forward traffic to the NLB. The NLB preserves the original client IP address by default (since it operates at Layer 4 and does not terminate the connection), and the ALB can still read the client IP from the X-Forwarded-For header. This setup meets both the performance requirement (via Global Accelerator's edge routing) and the logging requirement (preserving the original client IP).

Exam trap

The trap here is that candidates assume Global Accelerator preserves the client IP like a transparent proxy, but in reality it terminates the TCP connection at the edge, so the source IP changes unless an NLB is used to preserve it.

How to eliminate wrong answers

Option A is wrong because Global Accelerator terminates the TCP connection at the edge location and then creates a new connection to the ALB, so the source IP seen by the ALB becomes the Global Accelerator's internal IP, not the original client IP; the X-Forwarded-For header will contain the Global Accelerator's IP, not the user's IP. Option C is wrong because Proxy Protocol v2 is a feature of Network Load Balancers and TCP listeners, not Application Load Balancers; ALBs do not support Proxy Protocol v2, and enabling it on the ALB would not preserve client IP through Global Accelerator. Option D is wrong because CloudFront does not preserve the original client IP in the X-Forwarded-For header by default; it adds the CloudFront edge IP as the last entry, and while you can forward a custom header, this requires additional configuration and does not guarantee the original client IP is preserved in the same way as the NLB+ALB solution.

673
MCQ · easy

A SysOps administrator wants to monitor the cost of EC2 instances. Which AWS service should be used to visualize and track costs over time?

A.AWS CloudWatch
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Cost Explorer
Answer: D

Cost Explorer provides graphs and cost trends.

Why this answer

Option D is correct because AWS Cost Explorer is designed for cost visualization and analysis. CloudWatch is for performance metrics, Trusted Advisor provides recommendations, and Budgets sets alerts.

674
MCQ · medium

A SysOps administrator is configuring a new AWS account and wants to set up a secure password policy for IAM users. The policy must require at least 12 characters, one uppercase letter, one number, and must prevent password reuse. Where should this policy be configured?

A.Apply a service control policy (SCP) that enforces password complexity.
B.In the IAM console under Account settings, set the password policy.
C.Set a password policy on the AWS account root user.
D.Create an IAM role with a password policy attached.
Answer: B

The account password policy applies to all IAM users.

Why this answer

Option B is correct because the IAM password policy is configured at the account level, in the IAM console under Account settings or via the update-account-password-policy API. Option C is wrong because there is no separate password policy for the root user. Option A is wrong because SCPs can restrict IAM actions but do not set a password policy.

Option D is wrong because IAM roles do not have passwords.

675
MCQ · easy

A SysOps administrator needs to automate the creation of an Amazon RDS for MySQL database instance. The administrator wants to use AWS CloudFormation and ensure that the database password is not stored in plaintext in the template. Which solution meets these requirements?

A.Store the password as a CloudFormation parameter with a default value and use the Ref intrinsic function.
B.Generate a password manually and store it in a text file in Amazon S3; reference the S3 URL in the template.
C.Use AWS Secrets Manager to generate a random password and reference it in the CloudFormation template using a dynamic reference (resolve:secretsmanager).
D.Use AWS Systems Manager Parameter Store (String type) and reference it with the dynamic reference resolve:ssm.
Answer: C

Secrets Manager generates a password and CloudFormation resolves it at deploy time without exposing it in the template.

Why this answer

Option C is correct because using AWS Secrets Manager to generate the password and referencing it with a dynamic reference is the secure, automated way. Option A is wrong because CloudFormation parameters also store values in plaintext in the template. Option B is wrong because it requires manual generation and retrieval.

Option D is wrong because Parameter Store also stores the value in plaintext unless the SecureString type is used, and the resolve:ssm reference would still resolve to plaintext in the template.
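The Secrets Manager pattern from the correct answer, written out as an added CloudFormation example (not code from the question bank): a secret whose password Secrets Manager generates, an RDS for MySQL instance whose master credentials are dynamic references to that secret, and an attachment that records the instance's connection details in the secret. The username, instance identifier and sizing are placeholders.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the question bank: RDS for MySQL with master credentials generated by Secrets Manager and resolved at deploy time. Names and sizes are placeholders.",
  "Resources": {
    "DBSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "Generated master credentials for the example MySQL instance",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"dbadmin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 32,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    },
    "ExampleDb": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "DBInstanceIdentifier": "example-mysql-placeholder",
        "Engine": "mysql",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "StorageEncrypted": true,
        "PubliclyAccessible": false,
        "MasterUsername": {
          "Fn::Sub": "{{resolve:secretsmanager:${DBSecret}::username}}"
        },
        "MasterUserPassword": {
          "Fn::Sub": "{{resolve:secretsmanager:${DBSecret}::password}}"
        }
      }
    },
    "DBSecretAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": { "Ref": "DBSecret" },
        "TargetId": { "Ref": "ExampleDb" },
        "TargetType": "AWS::RDS::DBInstance"
      }
    }
  }
}
```

The `{{resolve:secretsmanager:...}}` strings are resolved by CloudFormation during the create or update operation only; the template CloudFormation stores and returns keeps the literal reference text, which is what distinguishes this from a NoEcho parameter, where the secret still has to be supplied by whoever runs the deployment. The ExcludeCharacters value keeps characters out of the generated password that MySQL connection strings and URLs tend to mishandle. Rotation is not shown here; it is a separate AWS::SecretsManager::RotationSchedule resource.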
