A company website contains a web tier and a database tier on AWS. The web tier consists
of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones.
The database tier runs on an Amazon ROS for MySQL Multi-AZ DB instance. The
database subnet network ACLs are restricted to only the web subnets that need access to
the database. The web subnets use the default network ACL with the default rules.
The company's operations team has added a third subnet to the Auto Scaling group
configuration. After an Auto Scaling event occurs, some users report that they intermittently
receive an error message. The error message states that the server cannot connect to the
database. The operations team has confirmed that the route tables are correct and that the
required ports are open on all security groups.
Which combination of actions should a SysOps administrator take so that the web servers
can communicate with the DB instance? (Select TWO.)

A.

On the default ACL. create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.

B.

On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify
the destinations as the database subnets.

C.

On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.

D.

On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.

E.

On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.

A company is trying to connect two applications. One application runs in an on-premises
data center that has a hostname of hostl .onprem.private. The other application runs on an
Amazon EC2 instance that has a hostname of hostl.awscloud.private. An AWS Site-to-Site
VPN connection is in place between the on-premises network and AWS.
The application that runs in the data center tries to connect to the application that runs on
the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS
resolution between on-premises and AWS resources.
Which solution allows the on-premises application to resolve the EC2 instance hostname?

A.

Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.

B.

Set up an Amazon Route 53 inbound resolver endpoint. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.

C.

Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2
instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries
to the outbound resolver endpoint.

D.

Set up an Amazon Route 53 outbound resolver endpoint. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint

A company's backend infrastructure contains an Amazon EC2 instance in a private subnet.
The private subnet has a route to the internet through a NAT gateway in a public subnet.
The instance must allow connectivity to a secure web server on the internet to retrieve data
at regular intervals.
The client software times out with an error message that indicates that the client software
could not establish the TCP connection.
What should a SysOps administrator do to resolve this error?

A.

Add an inbound rule to the security group for the EC2 instance with the following parameters: Type - HTTP, Source - 0.0.0.0/0.

B.

Add an inbound rule to the security group for the EC2 instance with the following parameters: Type - HTTPS, Source - 0.0.0.0/0.

C.

Add an outbound rule to the security group for the EC2 instance with the following parameters: Type - HTTP, Destination - 0.0.0.0/0.

D.

Add an outbound rule to the security group for the EC2 instance with the following parameters: Type - HTTPS. Destination - 0.0.0.0/0.

A company manages an application that uses Amazon ElastiCache for Redis with two extra-large nodes spread across two different Availability Zones. The company's IT team discovers that the ElastiCache for Redis cluster has 75% freeable memory. The application must maintain high availability. What is the MOST cost-effective way to resize the cluster?

A.

Decrease the number of nodes in the ElastiCache for Redis cluster from 2 to 1.

B.

Deploy a new ElastiCache for Redis cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original duster.

C.

Deploy a new ElastiCache for Redis cluster that uses large node types. Take a backup from the original cluster, and restore the backup in the new cluster. After the process is complete, shut down the original cluster.

D.

Perform an online resizing for the ElastiCache for Redis cluster. Change the node types from extra-large nodes to large nodes.

A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts. Which solution will meet these requirements?

A.

Purchase RIs in individual member accounts. Disable Rl discount sharing in the management account.

B.

Purchase RIs in individual member accounts. Disable Rl discount sharing in the member accounts.

C.

Purchase RIs in the management account. Disable Rl discount sharing in the
management account.

D.

Purchase RIs in the management account. Disable Rl discount sharing in the member
accounts.

A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are
going directly to the S3 bucket by using the website hosting endpoint. A SysOps
administrator must secure the S3 bucket to allow requests only from CloudFront.
What should the SysOps administrator do to meet this requirement?

A.

Create an origin access identity (OAI) in CloudFront. Associate the OAI with the
distribution. Remove access to and from other principals in the S3 bucket policy. Update the S3 bucket policy to allow access only from the OAI.

B.

Create an origin access identity (OAI) in CloudFront. Associate the OAI with the
distribution. Update the S3 bucket policy to allow access only from the OAI. Create a new
origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use
the new origin. Remove the existing origin.

C.

Create an origin access identity (OAI) in CloudFront. Associate the OAI with the
distribution. Update the S3 bucket policy to allow access only from the OAI. Disable
website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update
the distribution behavior to use the new origin. Remove the existing origin.

D.

Update the S3 bucket policy to allow access only from the CloudFront distribution.
Remove access to and from other principals in the S3 bucket policy. Disable website
hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the
distribution behavior to use the new origin. Remove the existing origin.

An Amazon EC2 instance needs to be reachable from the internet. The EC2 instance is in a subnet with the following route table:

Which entry must a SysOps administrator add to the route table to meet this requirement?

A.

A route for 0.0.0.0/0 that points to a NAT gateway

B.

A route for 0.0.0.0/0 that points to an egress-only internet gateway

C.

A route for 0.0.0.0/0 that points to an internet gateway

D.

A route for 0.0.0.0/0 that points to an elastic network interface

An AWS Lambda function is intermittently failing several times a day A SysOps
administrator must find out how often this error has occurred in the last 7 days Which action will meet this requirement in the MOST operationally efficient manner?

A.

Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function

B.

Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function

C.

Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs

D.

Use Amazon Elasticsearch Service (Amazon ES) to stream the Amazon CloudWatch logs for the Lambda function

A company is using an AWS KMS customer master key (CMK) with imported key material
The company references the CMK by its alias in the Java application to encrypt data The
CMK must be rotated every 6 months
What is the process to rotate the key?

A.

Enable automatic key rotation for the CMK and specify a period of 6 months

B.

Create a new CMK with new imported material, and update the key alias to point to the new CMK.

C.

Delete the current key material, and import new material into the existing CMK

D.

Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months

A company is tunning a website on Amazon EC2 instances thai are in an Auto Scaling group When the website traffic increases, additional instances lake several minutes to become available because ot a long-running user data script that installs software A SysOps administrator must decrease the time that is required (or new instances to become available Which action should the SysOps administrator take to meet this requirement?

A.

Reduce the scaling thresholds so that instances are added before traffic increases

B.

Purchase Reserved Instances to cover 100% of the maximum capacity of the Auto Scaling group

C.

Update the Auto Scaling group to launch instances that have a storage optimized instance type

D.

Use EC2 Image Builder to prepare an Amazon Machine Image (AMI) that has preinstalled software

A company runs a stateless application that is hosted on an Amazon EC2 instance. Users are reporting performance issues. A SysOps administrator reviews the Amazon CloudWatch metrics for the application and notices that the instance's CPU utilization frequently reaches 90% during business hours.
What is the MOST operationally efficient solution that will improve the application's
responsiveness?

A.

Configure CloudWatch logging on the EC2 instance. Configure a CloudWatch alarm for
CPU utilization to alert the SysOps administrator when CPU utilization goes above 90%.

B.

Configure an AWS Client VPN connection to allow the application users to connect
directly to the EC2 instance private IP address to reduce latency.

C.

Create an Auto Scaling group, and assign it to an Application Load Balancer. Configure
a target tracking scaling policy that is based on the average CPU utilization of the Auto
Scaling group.

D.

Create a CloudWatch alarm that activates when the EC2 instance's CPU utilization goes
above 80%. Configure the alarm to invoke an AWS Lambda function that vertically scales
the instance.

A company runs us Infrastructure on Amazon EC2 Instances that run In an Auto Scaling group. Recently, the company promoted faulty code to the entire EC2 fleet. This faulty code
caused the Auto Scaling group to scale the instances before any of the application logs could be retrieved. What should a SysOps administrator do to retain the application logs after instances are terminated?

A.

Configure an Auto Scaling lifecycle hook to create a snapshot of the ephemeral storage
upon termination of the instances.

B.

Create a new Amazon Machine Image (AMI) that has the Amazon CloudWatch agent installed and configured to send logs to Amazon CloudWatch Logs. Update the launch template to use the new AMI.

C.

Create a new Amazon Machine Image (AMI) that has a custom script configured to send
logs to AWS CloudTrail. Update the launch template to use the new AMI.

D.

Install the Amazon CloudWatch agent on the Amazon Machine Image (AMI) that is defined in the launch template. Configure the CloudWatch agent to back up the logs to ephemeral storage.