SOA-C02 Practice Test Questions

486 Questions


Topic 1: Mix Questions

A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company
wants to connect to the S3 buckets securely over a private connection from its Amazon
EC2 instances. The company needs a solution that produces no additional cost.
Which solution will meet these requirements?


A. Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC.


B. Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC.


C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.


D. Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table.





Answer: C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.



A company has multiple AWS Site-to-Site VPN connections between a VPC and its branch
offices. The company manages an Amazon Elasticsearch Service (Amazon ES) domain
that is configured with public access. The Amazon ES domain has an open domain access
policy. A SysOps administrator needs to ensure that Amazon ES can be accessed only
from the branch offices while preserving existing data.
Which solution will meet these requirements?


A. Configure an identity-based access policy on Amazon ES. Add an allow statement to the policy that includes the Amazon Resource Name (ARN) for each branch office VPN connection.


B. Configure an IP-based domain access policy on Amazon ES. Add an allow statement to the policy that includes the private IP CIDR blocks from each branch office network.


C. Deploy a new Amazon ES domain in private subnets in a VPC, and import a snapshot from the old domain. Create a security group that allows inbound traffic from the branch office CIDR blocks.


D. Reconfigure the Amazon ES domain in private subnets in a VPC. Create a security group





Answer: B. Configure an IP-based domain access policy on Amazon ES. Add an allow statement to the policy that includes the private IP CIDR blocks from each branch office network.



A large multinational company has a core application that runs 24 hours a day, 7 days a
week on Amazon EC2 and AWS Lambda. The company uses a combination of operating
systems across different AWS Regions. The company wants to achieve cost savings and
wants to use a pricing model that provides the most flexibility.
What should the company do to MAXIMIZE cost savings while meeting these
requirements?


A. Establish the compute expense by the hour. Purchase a Compute Savings Plan.


B. Establish the compute expense by the hour. Purchase an EC2 Instance Savings Plan.


C. Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy.


D. Use EC2 Spot Instances to match the instances that run in each Region.





Answer: D. Use EC2 Spot Instances to match the instances that run in each Region.



A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53, and wants to point its domain's zone apex to the website.
Which type of record should be used to meet these requirements?


A. A CNAME record for the domain's zone apex


B. An A record for the domain's zone apex


C. An AAAA record for the domain's zone apex


D. An alias record for the domain's zone apex





Answer: D. An alias record for the domain's zone apex



Explanation: A NAT gateway resides in a public subnet, and traffic from the private subnet should be routed to the NAT gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime. To satisfy the requirements, which one of these services can the SysOps administrator enable at-rest encryption on?


A. EBS General Purpose SSD volumes


B. RDS PostgreSQL database


C. Amazon EFS file systems


D. S3 objects within a bucket





Answer: D. S3 objects within a bucket

Explanation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html

The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in use and the total available IAM policies. Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?


A. AWS Trusted Advisor


B. Amazon Inspector


C. AWS Config


D. AWS Organizations





Answer: A. AWS Trusted Advisor



A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?


A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR ranges. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Logs. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.


B. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instances. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.


C. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.


D. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by tag. Tag the EC2 instances with an identifier. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.





Answer: C. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.

Explanation: https://aws.amazon.com/blogs/security/how-to-auto-remediate-internetaccessible-ports-with-aws-config-and-aws-system-manager/

A company has deployed AWS Security Hub and AWS Config in a newly implemented organization in AWS Organizations. A SysOps administrator must implement a solution to restrict all member accounts in the organization from deploying Amazon EC2 resources in the ap-southeast-2 Region. The solution must be implemented from a single point and must govern all current and future accounts. The use of root credentials also must be restricted in member accounts.
Which AWS feature should the SysOps administrator use to meet these requirements?


A. AWS Config aggregator


B. IAM user permissions boundaries


C. AWS Organizations service control policies (SCPs)


D. AWS Security Hub conformance packs





Answer: C. AWS Organizations service control policies (SCPs)

A company migrated an I/O intensive application to an Amazon EC2 general purpose instance. The EC2 instance has a single General Purpose SSD Amazon Elastic Block Store (Amazon EBS) volume attached.


Application users report that certain actions that require intensive reading and writing to the disk are taking much longer than normal or are failing completely. After reviewing the performance metrics of the EBS volume, a SysOps administrator notices that the VolumeQueueLength metric is consistently high during the same times in which the users are reporting issues. The SysOps administrator needs to resolve this problem to restore full performance to the application.

Which action will meet these requirements?


A. Modify the instance type to be storage optimized.


B. Modify the volume properties by deselecting Auto-Enable Volume IO.


C. Modify the volume properties to increase the IOPS.


D. Modify the instance to enable enhanced networking.





Answer: C. Modify the volume properties to increase the IOPS.

A company has a VPC with public and private subnets. An Amazon EC2 based application resides in the private subnets and needs to process raw .csv files stored in an Amazon S3 bucket. A SysOps administrator has set up the correct IAM role with the required permissions for the application to access the S3 bucket, but the application is unable to communicate with the S3 bucket.
Which action will solve this problem while adhering to least privilege access?


A. Add a bucket policy to the S3 bucket permitting access from the IAM role.


B. Attach an S3 gateway endpoint to the VPC. Configure the route table for the private subnet.


C. Configure the route table to allow the instances on the private subnet access through the internet gateway.


D. Create a NAT gateway in a private subnet and configure the route table for the private subnets.





Answer: B. Attach an S3 gateway endpoint to the VPC. Configure the route table for the private subnet.

Explanation:
The technology to use is a VPC endpoint: "A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network." S3 is an example of a service reached through a gateway endpoint. The goal is to reach AWS services without traffic leaving the VPC.

A SysOps administrator is notified that an Amazon EC2 instance has stopped responding. The AWS Management Console indicates that the system status checks are failing. What should the administrator do first to resolve this issue?


A. Reboot the EC2 instance so it can be launched on a new host


B. Stop and then start the EC2 instance so that it can be launched on a new host


C. Terminate the EC2 instance and relaunch it


D. View the AWS CloudTrail log to investigate what changed on the EC2 instance





Answer: B. Stop and then start the EC2 instance so that it can be launched on a new host

Explanation: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-windows-system-status-check-fail/

A SysOps administrator noticed that a large number of Elastic IP addresses are being created on the company's AWS account, but they are not being associated with Amazon EC2 instances, and are incurring Elastic IP address charges in the monthly bill. How can the administrator identify who is creating the Elastic IP addresses?


A. Attach a cost-allocation tag to each requested Elastic IP address with the IAM user name of the developer who creates it.


B. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events.


C. Create a CloudWatch alarm on the EIPCreated metric and send an Amazon SNS notification when the alarm triggers.


D. Use Amazon Inspector to get a report of all Elastic IP addresses created in the last 30 days.





Answer: B. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events.


Page 12 out of 41 Pages