Topic 1: Mix Questions
A SysOps administrator must set up notifications for whenever combined billing exceeds a
certain threshold for all AWS accounts within a company. The administrator has set up
AWS Organizations and enabled Consolidated Billing.
Which additional steps must the administrator perform to set up the billing alerts?
A.
In the payer account: Enable billing alerts in the Billing and Cost Management console;
publish an Amazon SNS message when the billing alert triggers.
B.
In each account: Enable billing alerts in the Billing and Cost Management console; set
up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm
triggers.
C.
In the payer account: Enable billing alerts in the Billing and Cost Management console;
set up a billing alarm in the Billing and Cost Management console to publish an SNS
message when the alarm triggers.
D.
In the payer account: Enable billing alerts in the Billing and Cost Management console;
set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm
triggers.
In the payer account: Enable billing alerts in the Billing and Cost Management console;
set up a billing alarm in Amazon CloudWatch; publish an SNS message when the alarm
triggers.
A SysOps administrator developed a Python script that uses the AWS SDK to conduct
several maintenance tasks. The script needs to run automatically every night.
What is the MOST operationally efficient solution that meets this requirement?
A.
Convert the Python script to an AWS Lambda function. Use an Amazon EventBridge
(Amazon CloudWatch Events) rule to invoke the function every night.
B.
Convert the Python script to an AWS Lambda function. Use AWS CloudTrail to invoke
the function every night.
C.
Deploy the Python script to an Amazon EC2 instance. Use Amazon EventBridge
(Amazon CloudWatch Events) to schedule the instance to start and stop every night.
D.
Deploy the Python script to an Amazon EC2 instance. Use AWS Systems Manager to
schedule the instance to start and stop every night.
Convert the Python script to an AWS Lambda function. Use an Amazon EventBridge
(Amazon CloudWatch Events) rule to invoke the function every night.
A team of on-call engineers frequently needs to connect to Amazon EC2 instances in a private subnet to troubleshoot and run commands. The instances use either the latest
AWS-provided Windows Amazon Machine Images (AMIs) or Amazon Linux AMIs.
The team has an existing IAM role for authorization. A SysOps administrator must provide
the team with access to the Instances by granting IAM permissions to this
Which solution will meet this requirement?
A.
Add a statement to the IAM role policy to allow the ssm:StartSession action on the
instances. Instruct the team to use AWS Systems Manager Session Manager to connect to
the instances by using the assumed IAM role.
B.
Associate an Elastic IP address and a security group with each instance. Add the engineers' IP addresses to the security group inbound rules. Add a statement to the IAM
role policy to allow the ec2:AuthorizeSecurityGroupIngress action so that the team can
connect to the instances.
C.
Create a bastion host with an EC2 instance, and associate the bastion host with the
VPC. Add a statement to the IAM role policy to allow the ec2:CreateVpnConnection action
on the bastion host. Instruct the team to use the bastion host endpoint to connect to the
instances.
D.
Create an internet-facing Network Load Balancer. Use two listeners. Forward port 22 to a
target group of Linux instances. Forward port 3389 to a target group of Windows instances.
Add a statement to the IAM role policy to allow the ec2:CreateRoute action so that the
team can connect to the instances.
Add a statement to the IAM role policy to allow the ssm:StartSession action on the
instances. Instruct the team to use AWS Systems Manager Session Manager to connect to
the instances by using the assumed IAM role.
A SysOps administrator needs to configure a solution that will deliver digital content to a set
of authorized users through Amazon CloudFront. Unauthorized users must be restricted
from access.
Which solution will meet these requirements?
A.
Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed URLs to access the S3 bucket through CloudFront.
B.
Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.
C.
Store the digital content in an Amazon S3 bucket that has public access blocked. Use
an origin access identity (OAI) to deliver the content through CloudFront. Enable field-level
encryption.
D.
Store the digital content in an Amazon S3 bucket that does not have public access
Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.
A company has an internal web application that runs on Amazon EC2 instances behind an
Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a
single Availability Zone. A SysOps administrator must make the application highly
available.
Which action should the SysOps administrator take to meet this requirement?
A.
Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
B.
Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
C.
Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
D.
Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.
Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.
A company has launched a social media website that gives users the ability to upload
images directly to a centralized Amazon S3 bucket. The website is popular in areas that
are geographically distant from the AWS Region where the S3 bucket is located. Users are
reporting that uploads are slow. A SysOps administrator must improve the upload speed.
What should the SysOps administrator do to meet these requirements?
A.
Create S3 access points in Regions that are closer to the users.
B.
Create an accelerator in AWS Global Accelerator for the S3 bucket.
C.
Enable S3 Transfer Acceleration on the S3 bucket.
D.
Enable cross-origin resource sharing (CORS) on the S3 bucket.
Enable S3 Transfer Acceleration on the S3 bucket.
A company hosts a web application on an Amazon EC2 instance in a production VPC.
Client connections to the application are failing. A SysOps administrator inspects the VPC
flow logs and finds the following entry:
2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK
What is a possible cause of these failed connections?
A.
A security group is denying traffic on port 443.
B.
The EC2 instance is shut down.
C.
The network ACL is blocking HTTPS traffic.
D.
The VPC has no internet gateway attached.
A security group is denying traffic on port 443.
Explanation: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-accepted-rejected
Accepted and rejected traffic: In this example, RDP traffic (destination port 3389, TCP
protocol) to network interface eni-1235b8ca123456789 in account 123456789010 was
rejected.
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is
disabled, it must be re-enabled immediately. What should the SysOps administrator do to
meet these requirements WITHOUT writing custom code?
A.
Add the AWS account to AWS Organizations. Enable CloudTrail in the management
account.
B.
Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
C.
Create an AWS Config rule that is invoked when CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
D.
Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.
Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.
A company is managing multiple AWS accounts in AWS Organizations. The company is
reviewing internal security of its AWS environment. The company's security administrator
has their own AWS account and wants to review the VPC configuration of developer AWS
accounts.
Which solution will meet these requirements in the MOST secure manner?
A.
Create an IAM policy in each developer account that has read-only access related to
VPC resources. Assign the policy to an IAM user. Share the user credentials with the
security administrator.
B.
Create an IAM policy in each developer account that has administrator access to all
Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the
user credentials with the security administrator.
C.
Create an IAM policy in each developer account that has administrator access related to
VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator
to assume the role from their account.
D.
Create an IAM policy in each developer account that has read-only access related to
VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator
to assume the role from their account.
Create an IAM policy in each developer account that has read-only access related to
VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator
to assume the role from their account.
A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is
disabled, it must be re-enabled immediately. What should the SysOps administrator do to
meet these requirements WITHOUT writing custom code?
A.
Add the AWS account to AWS Organizations. Enable CloudTrail in the management
account.
B.
Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
C.
Create an AWS Config rule that is invoked when CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
D.
Create an Amazon EventBridge (Amazon CloudWatch Events) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.
Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
A company's financial department needs to view the cost details of each project in an AWS
account. A SysOps administrator must perform the initial configuration that is required to
view cost for each project in Cost Explorer.
Which solution will meet this requirement?
A.
Activate cost allocation tags. Add a project tag to the appropriate resources.
B.
Configure consolidated billing. Create AWS Cost and Usage Reports.
C.
Use AWS Budgets. Create AWS Budgets reports.
D.
Use cost categories to define custom groups that are based on AWS cost and usage dimensions.
Activate cost allocation tags. Add a project tag to the appropriate resources.
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba4Kc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted.
How can this be resolved?
A.
Enable encryption on each host's connection to the Amazon EFS volume. Each
connection must be recreated for encryption to take effect.
B.
Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
C.
Enable encryption on each host's local drive. Restart each host to encrypt the drive.
D.
Enable encryption on a newly created volume and copy all data from the original volume.
Reconnect each host to the new volume.
Enable encryption on a newly created volume and copy all data from the original volume.
Reconnect each host to the new volume.
Explanation: https://docs.aws.amazon.com/efs/latest/ug/encryption.html
Amazon EFS supports two forms of encryption for file systems, encryption of data in transit
and encryption at rest. You can enable encryption of data at rest when creating an Amazon
EFS file system. You can enable encryption of data in transit when you mount the file
system.