SOA-C02 Practice Test Questions

486 Questions


Topic 1: Mix Questions

A gaming application is deployed on four Amazon EC2 instances in a default VPC. The SysOps administrator has noticed consistently high latency in responses as data is transferred among the four instances. There is no way for the administrator to alter the application code.
The MOST effective way to reduce latency is to relaunch the EC2 instances in:

A. a dedicated VPC.
B. a single subnet inside the VPC.
C. a placement group.
D. a single Availability Zone.

Answer: C. a placement group.



A company needs to restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only. All traffic must be over the AWS private network.
What actions should the SysOps administrator take to meet these requirements?

A. Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
C. Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket.
D. Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic

Answer: B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

Explanation: An IAM policy (option A) can also carry the VPC endpoint condition, but it applies only to the principals it is attached to, so it does not enforce the restriction on every principal. The only option that enforces the restriction on everyone is a policy configured directly on the S3 bucket.
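The bucket-policy pattern the explanation describes, as an added example that is not part of the original question bank: an explicit Deny applied to every principal unless the request arrives through the named gateway endpoint. The bucket name and the endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAccessExceptFromVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER"
        }
      }
    }
  ]
}
```

Because the Deny matches every principal, it also blocks administrators working from outside the endpoint (including the S3 console), so keep a break-glass path such as a second allowed `aws:SourceVpce` value or a narrowly scoped exception before applying it to a production bucket.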

A company has a new requirement stating that all resources in AWS must be tagged according to a set policy.
Which AWS service should be used to enforce and continually identify all resources that are not in compliance with the policy?

A. AWS CloudTrail
B. Amazon Inspector
C. AWS Config
D. AWS Systems Manager

Answer: C. AWS Config



A company is running an application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are launched by an Auto Scaling group and are automatically registered in a target group. A SysOps administrator must set up a notification to alert application owners when targets fail health checks.
What should the SysOps administrator do to meet these requirements?

A. Create an Amazon CloudWatch alarm on the UnHealthyHostCount metric. Configure an action to send an Amazon Simple Notification Service (Amazon SNS) notification when the metric is greater than 0.
B. Configure an Amazon EC2 Auto Scaling custom lifecycle action to send an Amazon Simple Notification Service (Amazon SNS) notification when an instance is in the Pending:Wait state.
C. Update the Auto Scaling group. Configure an activity notification to send an Amazon Simple Notification Service (Amazon SNS) notification for the Unhealthy event type.
D. Update the ALB health check to send an Amazon Simple Notification Service (Amazon

Answer: A. Create an Amazon CloudWatch alarm on the UnHealthyHostCount metric. Configure an action to send an Amazon Simple Notification Service (Amazon SNS) notification when the metric is greater than 0.



A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys.
The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.
Which solution will securely share the AMI with the other AWS accounts?

A. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
B. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
C. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to make it public.
D. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.

Answer: B. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the CMK. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.

Explanation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamisexplicit.html

A company needs to create a daily Amazon Machine Image (AMI) of an existing Amazon Linux EC2 instance that hosts the operating system, application, and database on multiple attached Amazon Elastic Block Store (Amazon EBS) volumes. File system integrity must be maintained.
Which solution will meet these requirements?

A. Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the no-reboot parameter enabled. Create a daily scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that invokes the function.
B. Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the reboot parameter enabled. Create a daily scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that invokes the function.
C. Use AWS Backup to create a backup plan with a backup rule that runs daily. Assign the resource ID of the EC2 instance with the no-reboot parameter enabled.
D. Use AWS Backup to create a backup plan with a backup rule that runs daily. Assign the resource ID of the EC2 instance with the reboot parameter enabled.

Answer: B. Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the reboot parameter enabled. Create a daily scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that invokes the function.

Explanation: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html
"NoReboot: By default, Amazon EC2 attempts to shut down and reboot the instance before creating the image. If the No Reboot option is set, Amazon EC2 doesn't shut down the instance before creating the image. When this option is used, file system integrity on the created image can't be guaranteed." In addition, Amazon EventBridge can invoke the Lambda function on a daily schedule.
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html

A SysOps administrator needs to create alerts that are based on the read and write metrics of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to an Amazon EC2 instance. The SysOps administrator creates and enables Amazon CloudWatch alarms for the DiskReadBytes metric and the DiskWriteBytes metric.
A custom monitoring tool that is installed on the EC2 instance with the same alarm configuration indicates that the volume metrics have exceeded the threshold. However, the CloudWatch alarms were not in ALARM state.
Which action will ensure that the CloudWatch alarms function correctly?

A. Install and configure the CloudWatch agent on the EC2 instance to capture the desired metrics.
B. Install and configure AWS Systems Manager Agent on the EC2 instance to capture the desired metrics.
C. Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EBS volumes.
D. Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EC2 instance.

Answer: C. Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EBS volumes.



A SysOps administrator is maintaining a web application using an Amazon CloudFront web distribution, an Application Load Balancer (ALB), Amazon RDS, and Amazon EC2 in a VPC. All services have logging enabled. The administrator needs to investigate HTTP Layer 7 status codes from the web application.
Which log sources contain the status codes? (Choose two.)

A. VPC Flow Logs
B. AWS CloudTrail logs
C. ALB access logs
D. CloudFront access logs
E. RDS logs

Answer: C. ALB access logs; D. CloudFront access logs

Explanation: "C" because Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-accesslogs.html
"D" because "you can configure CloudFront to create log files that contain detailed information about every user request that CloudFront receives"
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html

A company hosts an online shopping portal in the AWS Cloud. The portal provides HTTPS security by using a TLS certificate on an Elastic Load Balancer (ELB). Recently, the portal suffered an outage because the TLS certificate expired. A SysOps administrator must create a solution to automatically renew certificates to avoid this issue in the future.
What is the MOST operationally efficient solution that meets these requirements?

A. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. Write a scheduled AWS Lambda function to renew the certificate every 18 months.
B. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
C. Register a certificate with a third-party certificate authority (CA). Import this certificate into AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
D. Register a certificate with a third-party certificate authority (CA). Configure the ELB to import the certificate directly from the CA. Set the certificate refresh cycle on the ELB to

Answer: B. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.

Explanation: "A certificate is eligible for automatic renewal subject to the following considerations: ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront. ELIGIBLE if exported since being issued or last renewed. ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service. ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service."
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

A company is using an Amazon Aurora MySQL DB cluster that has point-in-time recovery, backtracking, and automatic backup enabled. A SysOps administrator needs to be able to roll back the DB cluster to a specific recovery point within the previous 72 hours. Restores must be completed in the same production DB cluster.
Which solution will meet these requirements?

A. Create an Aurora Replica. Promote the replica to replace the primary DB instance.
B. Create an AWS Lambda function to restore an automatic backup to the existing DB cluster.
C. Use backtracking to rewind the existing DB cluster to the desired recovery point.
D. Use point-in-time recovery to restore the existing DB cluster to the desired recovery point.

Answer: C. Use backtracking to rewind the existing DB cluster to the desired recovery point.

Explanation: "The limit for a backtrack window is 72 hours. ... Backtracking is only available for DB clusters that were created with the Backtrack feature enabled. ... Backtracking "rewinds" the DB cluster to the time you specify. Backtracking is not a replacement for backing up your DB cluster so that you can restore it to a point in time. ... You can backtrack a DB cluster quickly. Restoring a DB cluster to a point in time launches a new DB cluster and restores it from backup data or a DB cluster snapshot, which can take hours."
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html

With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?

A. Deny Post, Put, and Delete on the bucket.
B. Enable server-side encryption on the bucket.
C. Enable Amazon S3 versioning on the bucket.
D. Enable snapshots on the bucket.

Answer: B. Enable server-side encryption on the bucket.



An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?

A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.

Answer: D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.



