All About Virtual AWS-SysOps Testing Material

NEW QUESTION 1

An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime.
To satisfy the requirements, which one of these services can the SysOps administrator enable at-rest encryption on?

• A. EBS General Purpose SSD volumes
• B. RDS PostgreSQL database
• C. Amazon EFS file systems
• D. S3 objects within a bucket

Answer: D

Explanation:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html

NEW QUESTION 2

A company uses an Amazon Simple Queue Service (Amazon SQS) standard queue with its application. The application sends messages to the queue with unique message bodies The company decides to switch to an SQS FIFO queue
What must the company do to migrate to an SQS FIFO queue?

• A. Create a new SQS FIFO gueue Turn on content based deduplication on the new FIFO queue Update the application to include a message group ID in the messages
• B. Create a new SQS FIFO queue Update the application to include the DelaySeconds parameter in the messages
• C. Modify the queue type from SQS standard to SQS FIFO Turn off content-based deduplication on the queue Update the application to include a message group ID in the messages
• D. Modify the queue type from SQS standard to SQS FIFO Update the application to send messages with identical message bodies and to include the DelaySeconds parameter in the messages

Answer: A

Explanation:
FIFO queues don't support per-message delays, only per-queue delays. If your application sets the same value of the DelaySeconds parameter on each message, you must modify your application to remove the
per-message delay and set DelaySeconds on the entire queue instead.
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues-moving.html

NEW QUESTION 3

A company is expanding its use of AWS services across its portfolios The company wants to provision AWS accounts for each team to ensure a separation of business processes for security compliance and billing Account creation and bootstrapping should be completed m a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place A SysOps administrator needs to design a provisioning process that saves time and resources
Which action should be taken to meet these requirements?

• A. Automate using AWS Elastic Beanstalk to provision the AWS accounts set up infrastructure and integrate with AWS Organizations
• B. Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure
• C. Use AWS Config to provision accounts and deploy instances using AWS Service Catalog
• D. Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts

Answer: D

NEW QUESTION 4

A data storage company provides a service that gives users the ability to upload and download files as needed. The files are stored in Amazon S3 Standard and must be immediately retrievable for 1 year. Users access files frequently during the first 30 days after the files are stored. Users rarely access files after 30 days.
The company's SysOps administrator must use S3 Lifecycle policies to implement a solution that maintains object availability and minimizes cost.
Which solution will meet these requirements?

• A. Move objects to S3 Glacier after 30 days.
• B. Move objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
• C. Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
• D. Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately.

Answer: C

Explanation:
https://aws.amazon.com/s3/storage-classes/

NEW QUESTION 5

A large multinational company has a core application that runs 24 hours a day, 7 days a week on Amazon EC2 and AWS Lambda. The company uses a combination of operating systems across different AWS Regions. The company wants to achieve cost savings and wants to use a pricing model that provides the most flexibility.
What should the company do to MAXIMIZE cost savings while meeting these requirements?

• A. Establish the compute expense by the hou
• B. Purchase a Compute Savings Plan.
• C. Establish the compute expense by the hou
• D. Purchase an EC2 Instance Savings Plan.
• E. Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy.
• F. Use EC2 Spot Instances to match the instances that run in each Region.

Answer: D

NEW QUESTION 6

A SysOps administrator is responsible for a company's security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change.
Which solution will meet these requirements?

• A. Set up Amazon Detective to record security group change
• B. Specify an Amazon CloudWatch Logs log group to store configuration history log
• C. Create an Amazon Simple Queue Service (Amazon SOS) queue for notifications about configuration change
• D. Subscribe the SysOps administrator's email address to the SQS queue.
• E. Set up AWS Systems Manager Change Manager to record security group change
• F. Specify an Amazon CloudWatch Logs log group to store configuration history log
• G. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration change
• H. Subscribe the SysOps administrator's email address to the SNS topic.
• I. Set up AWS Config to record security group change
• J. Specify an Amazon S3 bucket as the location for configuration snapshots and history file
• K. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration change
• L. Subscribe the SysOps administrator's email address to the SNS topic.
• M. Set up Amazon Detective to record security group change
• N. Specify an Amazon S3 bucket as the location for configuration snapshots and history file
• O. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration change
• P. Subscribe the SysOps administrator's email address to the SNS topic.

Answer: D

NEW QUESTION 7

A company has a stateless application that is hosted on a fleet of 10 Amazon EC2 On-Demand Instances in an Auto Scaling group. A minimum of 6 instances are needed to meet service requirements.
Which action will maintain uptime for the application MOST cost-effectively?

• A. Use a Spot Fleet with an On-Demand capacity of 6 instances.
• B. Update the Auto Scaling group with a minimum of 6 On-Demand Instances and a maximum of 10 On-Demand Instances.
• C. Update the Auto Scaling group with a minimum of 1 On-Demand Instance and a maximum of 6 On-Demand Instances.
• D. Use a Spot Fleet with a target capacity of 6 instances.

Answer: A

NEW QUESTION 8

A SysOps administrator is testing an application mat is hosted on five Amazon EC2 instances The instances run in an Auto Scaling group behind an Application Load Balancer (ALB) High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out.
Which action should the SysOps administrator take to meet these requirements?

• A. Enable instance scale-in protection.
• B. Place the instance into the Standby stale.
• C. Remove the listener from the ALB
• D. Suspend the Launch and Terminate process types.

Answer: A

NEW QUESTION 9

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.
Which solution will meet this requirement?

• A. Create a new security group to block traffic to the external IP addres
• B. Assign the new security group to the EC2 instance.
• C. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
• D. Create a network AC
• E. Add an outbound deny rule for traffic to the external IP address.
• F. Create a new security group to block traffic to the external IP addres
• G. Assign the new security group to the entire VPC.

Answer: C

Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

NEW QUESTION 10

A company stores sensitive data in an Amazon S3 bucket. The company must log all access attempts to the S3 bucket. The company's risk team must receive immediate notification about any delete events.
Which solution will meet these requirements?

• A. Enable S3 server access logging for audit log
• B. Set up an Amazon Simple Notification Service (Amazon SNSJ notification for the S3 bucke
• C. Select DeleteObject tor the event type for the alert system.
• D. Enable S3 server access logging for audit log
• E. Launch an Amazon EC2 instance for the alert system.Run a cron job on the EC2 instance to download the access logs each day and to scan for a DeleteObject event.
• F. Use Amazon CloudWatch Logs for audit log
• G. Use Amazon CloudWatch alarms with an Amazon Simple Notification Service (Amazon SNS) notification for the alert system.
• H. Use Amazon CloudWatch Logs for audit log
• I. Launch an Amazon EC2 instance for The alert system.Run a cron job on the EC2 Instance each day to compare the list of the items with the list from the previous da
• J. Configure the cron job to send a notification if an item is missing.

Answer: A

Explanation:
To meet the requirements of logging all access attempts to the S3 bucket and receiving immediate notification about any delete events, the company can enable S3 server access logging and set up an Amazon Simple Notification Service (Amazon SNS) notification for the S3 bucket. The S3 server access logs will record all access attempts to the bucket, including delete events, and the SNS notification can be configured to send an alert when a DeleteObject event occurs.

NEW QUESTION 11

A SysOps administrator receives notification that an application that is running on Amazon EC2 instances has failed to authenticate to an Amazon RDS database To troubleshoot, the SysOps administrator needs to investigate AWS Secrets Manager password rotation
Which Amazon CloudWatch log will provide insight into the password rotation?

• A. AWS CloudTrail logs
• B. EC2 instance application logs
• C. AWS Lambda function logs
• D. RDS database logs

Answer: B

NEW QUESTION 12

A company hosts an online shopping portal in the AWS Cloud. The portal provides HTTPS security by using a TLS certificate on an Elastic Load Balancer (ELB). Recently, the portal suffered an outage because the TLS certificate expired. A SysOps administrator must create a solution to automatically renew certificates to avoid this issue in the future.
What is the MOST operationally efficient solution that meets these requirements?

• A. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the EL
• B. Write a scheduled AWS Lambda function to renew the certificate every 18 months.
• C. Request a public certificate by using AWS Certificate Manager (ACM). Associate the certificate from ACM with the EL
• D. ACM will automatically manage the renewal of the certificate.
• E. Register a certificate with a third-party certificate authority (CA). Import this certificate into AWS Certificate Manager (ACM). Associate the certificate from ACM with the EL
• F. ACM will automatically manage the renewal of the certificate.
• G. Register a certificate with a third-party certificate authority (CA). Configure the ELB to import the certificate directly from the C
• H. Set the certificate refresh cycle on the ELB to refresh when the certificate is within 3 months of the expiration date.

Answer: B

Explanation:
"A certificate is eligible for automatic renewal subject to the following considerations: ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront. ELIGIBLE if exported since being issued or last renewed. ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service. ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service." https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

NEW QUESTION 13

A company has a web application with a database tier that consists of an Amazon EC2 instance that runs MySQL. A SysOps administrator needs to minimize potential data loss and the time that is required to recover in the event of a database failure.
What is the MOST operationally efficient solution that meets these requirements?

• A. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric to invoke an AWS Lambda function that stops and starts the EC2 instance.
• B. Create an Amazon RDS for MySQL Multi-AZ DB instanc
• C. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new databas
• D. Update the connection string in the web application.
• E. Create an Amazon RDS for MySQL Single-AZ DB instance with a read replic
• F. Use a MySQL native backup that is stored in Amazon S3 to restore the data to the new databas
• G. Update the connection string in the web application.
• H. Use Amazon Data Lifecycle Manager (Amazon DLM) to take a snapshot of the Amazon Elastic Block Store (Amazon EBS) volume every hou
• I. In the event of an EC2 instance failure, restore the EBS volume from a snapshot.

Answer: D

NEW QUESTION 14

A SysOps administrator launches an Amazon EC2 Linux instance in a public subnet. When the instance is running, the SysOps administrator obtains the public IP address and attempts to remotely connect to the instance multiple times. However, the SysOps administrator always receives a timeout error.
Which action will allow the SysOps administrator to remotely connect to the instance?

• A. Add a route table entry in the public subnet for the SysOps administrator's IP address.
• B. Add an outbound network ACL rule to allow TCP port 22 for the SysOps administrator's IP address.
• C. Modify the instance security group to allow inbound SSH traffic from the SysOps administrator's IP address.
• D. Modify the instance security group to allow outbound SSH traffic to the SysOps administrator's IP address.

Answer: C

NEW QUESTION 15

A company uses AWS Organizations. A SysOps administrator wants to use AWS Compute Optimizer and AWS tag policies in the management account to govern all member accounts in the billing family. The SysOps administrator navigates to the AWS Organizations console but cannot activate tag policies through the management account.
What could be the reason for this issue?

• A. All features have not been enabled in the organization.
• B. Consolidated billing has not been enabled.
• C. The member accounts do not have tags enabled for cost allocation.
• D. The member accounts have not manually enabled trusted access for Compute Optimizer.

Answer: C

NEW QUESTION 16
......