Scribd Logo
Upload

Welcome to Scribd!

  • Aws Certified Sysops Administrator Associate

    Uploaded by

    Lorem Ipsum
    45 views44 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    Download as pdf
    45 views44 pages

    Aws Certified Sysops Administrator Associate

    Uploaded by

    Lorem Ipsum

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    Download as pdf
    of 44
    Amazon (AWS Cortified SysOps Administrator - Associato) AWS Certified SysOps Administrator - Associate (SOA-CO2) Total: 378 Questions Link: https:/icertyia.com/papers?provider=amezon&exam=aws-certitied-sysops-administrator~ Question: 1 Certyia ‘A company has an infernal web application that runs on Amazon EC2 instances behind an Applicaton Load Balancor The instances runin an Amazon €C2 Auto Scaling group ne ingle Availablity Zone. SysOps administrator must make the application highly avaible, ‘Which ection should the SysOp admiitratr take tomest thi requirement? ‘A. Inereae the maximum number af instances inthe Auto Scaling group to meet the capacity that is ecuired a oak usage. B Increase the minimum number of instances inthe Auto Scaling group to meat the capacity that ls requlred at oak usage. Update the Auto Scaling group to launch new instances na second Avalabilty Zone Inthe same AWS. Rogen. , Update the Auto Scaling group to launch new instances in an Avalallty Zone ina second AWS Region Answer Explanation: Cis th anewer. Spreading it across zones. ‘and 8 doesnt make it hight avalabe if a zone goes down, Dis false 2s ASG is region bound, as seen here: hpss/idocsaws amazon com/autoscaling/ec2/usergude/aute-caling- benefits hint quest Cortyia ‘company has deployed a web aplication ina VPC that has subnets in three Avelaity Zones. The company launches three Amazon EC2 instances from an EG2 Auto Scaling group bohind an Applicaton Load Balancor (ALB). 1 Sys0ps administrator nics that two ofthe EC2 instances are the same Availabilty Zone, rather then being itrbuted evenly arose al tee Avaabilty “Zanes There are no arrorsin the Auto Sealing group's activity history ‘What isthe MOST tkelyreacen for the unexpectod placement of EC2 instances? vested EO2 instance type ‘A.One Aveilabiity Zone didnot have sufficient capacity forthe The ALB wos configured fr only two Availity Zones. (. The Auto Sealing group was configured fr only two Avallability Zones. . Amazon 2 Auto Scaling randomly placed the instances in Avaitablity Zones. Answer Explanation: Correct Answers the eutscaling group Is responsable to add the instances in the subnets. Srlously, get someone qualified to reviow your anewors. This one was a VERY EASY one and yet the wrong answer deployed. Question: 3 Certyi ‘company is running a website on Amazon E02 instances bshind an Applicaton Load Balancer (ALB). Tho ‘company configured an Amazon CloudFrentcetribution and aot the AL asthe eign Th company ereated an Amazon Route 5S CNAME record to send ll affetrough the CloudFront distribution. Asan unintended side teffect, mobile users are now being served the desktop version ofthe website ‘Which action shoul @Sys0ps administrator take to resolve tis ise? |A. Configure the CloudFontcstrbution behavior to forward the User-Agent header. 8. Configure the CloudFront distribution orign settings. Add a User-Agent heads to thelist of origin custom headers ©. Enable PV6 onthe ALB. Update the CloudFrontdtibution origin settings to use the duslatack endpoint . Enable Pv6 onthe CloudFront distribution, Update the Route 3 record touse the dualstack endpoint Anewee A Explanation: ‘agree itis A because. Bis wrong ince you are modifying origin custom headers thet are values that you set unilaterally, independant oth Hoader ofthe request that you received from lion. As the documentation states, the uses cases for foreign custom headers araidentiying requests from CioudFrentDetermining which requests come trom a particular clistributionEnebling eross-riginresoure shoring (CORSIControing access to contenthttps://docs aus. amazon cony/AmazonCloudFrontfatest/DeveloperGuide/edd- origin: custor-headershtri) By defeult,CloudFront does nt forward the User-Agent header, which can cause issues when serving content todiferent devices or browsers. By configuring the CloudFrent distribution behavior to forward the User ‘Agent header, the ALB can determine the type of device or browser making the request and serve the appropriate version ofthe website. This can be done by creating a naw behavior forthe distribution and configuring it to forward the User-Agent header to the rin. Quest certyia {8 Sys0ps administrator has enabled AWS CloudTralin an AWS eccount I CloudTralis dlssbled, must bee enabled immocitay, ‘What should the 5y20ps administrator do to meet these requirements WITHOUT writing custom code? A. Add the AWS eccount to AWS Organizations, Enebe CloudTeal nthe management account. 2. Create an AWS Config ule thats invoked when CloudTail configuration changes. Apply the AWS- ConfigureCloudTrall ogaing automaticremedation ation ©. Greate an AWS Config ule thats invoked when Cloudral configuration changes. Configure the rulo to invoke an AWS Lambda function to enable CloudTrai. Greate an Amazon EventGrdge Amon ClousWtch Event} hourly rule with @echedule pattern to run an [AWS Systems Manager Automation document to snable lousTra Answer 8 Explanation: '8-"Tognsure that CloudTral remains enabedin your account, AWS Config provides the cloudtrall- enabled managed ul. f CoudTral is tuned off, the loudtal-ensbed ule automatically re-enabesitby using automatic remediation” https/idoes.aws amazon com/prescriptiv-guidance/latestpattens/automatialy-e-enable-aws-cloudtrat- by-ubing-2-custom remacietioneul-in-awsconfintml Question: 5 Certyia ‘A company host its website on Amazon EC2 instances behind an Application Load Balancer. The company ‘manages its ONS with Amazon Route 83, and wants to pins domain's Zone apex to the website. Which typeof record should be used to meet these requirements? |A.An ARAA record forthe domain's zone apex B.An Arecord or the domsin's zone apex .A.CNAME rocord forthe domain's zone apex . An alias record forthe domin's zane apex Answer: Explanation: Dis correct. Rou '53 supports redirection of zone apex to the ALB via alias. R hupss/idoes. ows amazon com/RouteSS/ltest/DeveloperGuideresource-ecord-sets-choosing-liss-non- aliashtmt https/ldocs.aws amazon Access control list (ACL) overview POF | RSS ‘Amazon 3 access control lists (ACLs) enable you to manage access to buckets and objects. Each bucket and abject has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon $3 checks the corresponding ACL to verify that the requester has the necessary access permissions. By default, when another AWS account uploads an object to your S3 bucket, that account (the abject writer) owns the object, has access to it, and can grant other users access to it through ACLs. You can use Object Ownership to change this default behavior so that ACLs are disabled and you, as the bucket owner, automatically own every object in your bucket. As a result, access control for your data is based on policies, such as 1AM policies, $3 bucket policies, virtual private cloud (VPC) endpoint policies, and AWS Organizations service control policies (scPs) Question:7 erty ‘A company hes» statetu web application thtshosted on Amazon EG2 stances in on Auto Sealing group. The Instances fun behind an Application Load Balancer (ALB) that hes a single target group. The ALBs configured as the origin aan Amazon CloudFront Gstribution, Users ae parting random ogous from the web appeaton. ‘Which combination of actions shoulda SysOps administrator take to resolve ths problem? (Choose two) A. Change tothe east outstanding requests algorithm on the ALB target group, 8B. Configure cookie forwarding inthe GloudF ont datbution cache behavior. €. Configure header forwarsing inthe CloudFrent stitution cache behavior Enable group-tevel stickiness onthe ALB stone ule, Enable sticky sessions onthe ALB target group. newer: BE Explanation: httpsildoes.aws.amazon.com/mazonCloudFrontlatest/DeveloperGuide/Cookies hl Yeu can configure each cache behavior to done of the fllowing Forward all cookies to your origin -CloudFront includes ll cookies sent bythe viewer whon it forwards requests to the origin. ttpa/idacs. awa amazon com/elasticloadbalancing/latest/epplicaionsticky-sesions Mtl ‘By default an Application Load Balancer routes each request independently to a registered target based on the chosen load-balancing algorithm, Question: erty ‘Acompany host its wobsis in tho us-cast1Rogion. The company is preparing to deploy its website into the a ita-1 Region Websita visitors who ae ocatedin Europe should access the website that is hestd in eu ‘entra Altother vistors acces the website that x hostedinsis-oas-, The company ures ‘Amazon Rauto 3 to manage the wobstes DNS records ‘Which routing policy shoulda SysOps administrator app fo the Route $9 recordset to meet these requirements? 1. Geolocaton routing paticy 8B. Geoproximity routing policy ©. Latoney routing policy D. Multivalue answer routing palcy Answer: A Explanation: ‘The answers & when you want to route traffic based on the location of your users https/ldocs.aws amazon com/Route5/latest/DeveloperGuidlrouting-policy html ALL users in Europe must be drected tothe site hosted in Europe Question: 9 certyia ‘Acompany'srunring a website on Amazon EC2 instances that are in an Auto Scaling group. When the website ‘rat nreasos, aalional instances tako several minutes to become avalable because of afong-runring user ata seit that installs cottware. A SysOpe administrator must doeroase the timo tha is required or now Instances to become avaiable ‘Wich acton shoud the SysOp administrator take to meet this requirement? ‘A Reduce the scaling teosholds to that instances are addod bofors traffic ineroasos, 2 Purchate Reserved instances to cover 100% ofthe maximum capacity of the Auto Sealing group. ©. Update the Auto Sealing group to louneh instances tht eve o storage optimized instonce type. , Use EG2 mage Builder o prepare an Amazon Machine mage (AM that has pre-installod software Answer Explanation: '-autometad way to update your image. Have a ppaline to update your mage. Whon you boot from your AM! Updates = sents ae already pre-installed, sono need to complete boot scripts in boot process. Reference: ttp/awaamazon comimone-bulder! Question: 10 Certyia [A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 Instances are being created. The template s working in us-e0st-1, butts align ut-west-2 with the error ede: SSM [ami2345678) does nate” How should the Administrtor ensure tht the AWS CloudFermation templates working in evry region? ‘A. Copy the source region's Amazon Machine Image (AMI tothe destination region and asignit the same ID. ait the AWS ClousFarmation template to specty the region code as port ofthe fully qualified AMID. Cait he AWS CioudFormstion template to offer 3 drop-down list of all AMIst tho usr by Using the /AWS:EC2-AMElmagelD conta . Meet the AWS CloudFormatin tomplat by including the AMI IDsin the Mappings section Refer tthe proper mapping within the template for the proper AMD Answer Explanation: Parameters EnvironmentType: Deseriotion: The environment ype Type: Sting Default: test Allowedveluee prod ConsrantDescrition: must bea prodor test Mepoings: RegionAndinstonceTypsToAMID: 4 teat:"om8#71002" prod: "omi-5441308" ve.west2 tent"amiettiozer Prod: “ami-dors06bo other reglons and AMIIDS_ Resources: other resources outputs: Testoutput: Description: Return the nam ofthe AMIID that matches the region and enviranment type keys Value:FincinMap [RegionAndinstancsTypeToAMID, Ret “AWS:-Region’, Ret EnvronmantTyp0] Question: 11 Certyia [8 8ys0ps administrator is provisioning an Amazon Elastic Fle System (Amazon EFS) file systom to provide shared Storage across multiple Amazon EC2 instances, Te instances all oxic in the same VPC across multiple Availabilty Zones There are two nstanes in each Avaldilty Zane. The SysOps odministrator must make the fe system ecestble to ench natence withthe lowest posse atency. ‘Which solution wil meet there requirements? ‘A Greate a mount target for the EFS tle systom in the VPC, Uso the mount targot to mount the ile systom on tach of the instances 8. Create a mount targat forthe EFS fle system in one Avalablty Zona of the VPC. Use the mount target to ‘mount the fle system onthe instances in that Availabilty Zone, Share the dvactory with the other instances. C. create a mount targat for each instance U got to mount the EFS fle system on sach . Greate a mount targetin each Availabilty Zon ofthe VPC. Use the mount target to mount the EFS fle systom onthe instances in the respective Availabilty Zone eh meunt Answer Explanation: Reference: http:idoes.aws.amazon com/etslatestus/accessing html "target blank’ styl Creating and managing mount targets Por | RSs After you create an Amazon EFS filesystem, you can create mount targets. For Amazon EFS filesystems that use Standard storage classes, you can create a mount target in each Availability Zone in an AWS Region. For EFS file systems that use One Zone storage classes, you can oniy create a single mount target in the same Availability Zone as the file system. Then you can mount the file system on compute instances, including Amazon EC2, Amazon ECS, and AWS Lambda in your virtual private cloud (VPC). ‘The following diagram shows an Amazan EFS file system that uses Standard storage classes, with mount targets created in all Availabilty Zonesin the VPC. Question: 12 Cortyia A $ys0ps administrator has successfully depioyed a VPC with an AWS CloudFormation template. The Sys0pe ‘administrator wants to deploy the same template seoss multiple accounts that are managed through AWS. Organizations ‘Which solution wil moet tis requirement with the LEAST operational overhead? A. Assume the rganizationAecountAecessRole IAM ole from the management account. Deploy the template Ineach ofthe account 8B. create on AWS Lamba function to essume# ale in each acount. Deploy the template by using the AWS. CioudFormation reateStack API eal. ©. Greate an AWS Lambda function to quer for alist of accounts. Deplcy the template by using the AWS. ClousFormation CreateStack #t call. , Use AWS CloudFormation StackSot rom the management account to dopoy the template in each ofthe sozounts Answer: Explanation: AWS CloudFormation tackSets extends the copa stacks seross multiple accounts and AWS Regions ty of stacks by enabling youto create, update, o delete R itp /laws.mazancom/blogaws/new-use-ws-cloudformation-stackets-fr-mulliple-eecounts-io-an- aws-orgaization! Question: 13 certyia company running dstrbuted computing sttwore to menage o fleet of 20 Amazon EC? instances for ‘alelationa The fleet includes 2 contrl nades end 8 task nadestarun the calculations. Conta nades can futomatically start he task nodes. (Currarty all the nodes run on demand, The control nodes must be available 24 hours day. 7 days a week. The {ask nodes run for 4 hours each day. SysOps administrator needs to optimize the cost ofthis solution. Which combination of actions wil meet those requirement? (Choose two) ‘A Purchase EC2 instance Savings Pans forthe control nodes 8. Use Daicated Hosts fr the control nodes, Use Reservas Instances for the task nodes , Use Spot Instances forthe control nodes, Use On-Demand Instanesf theres no Spot avelabilty, . Use Spot Instances forthe task nodes. Use On-Demand instances if there is no Spot avait. newer: AE Explanation: [ARE bocauseit asks forthe most cost effective soutien, EC2 instance savings plan ia bettr option than reserved instance. Question: 14 Certyia ‘Acompary is supposed to receive a datafile every hour in an Amazon S3 bucket. An S3 event notiieaton Invokes {an AWS Lambda funtion each time aie arivos. Tha function procesces th data for use by an eppication ‘The application team notices that sometimes the fle doesnot arrive. The apglicaton team wants to receive 2 notification whonovar the file doesnot ave, ‘Whats the MOST opertienslyeticent solution that meets these requirements? A. Addan SS Lifecycle rule on the $3 bucket witha scope thats limited to objects that were created inthe last hour. Configure another $3 event tification tobe invoked by the fecycle transition when the number of objects vanstioned is zor Publish a messago to an Amazon Simple Noiietion Service (Amazon SNS) opie to natty the appliestion team, 8 Configure another $3 event notification to |nvoke 2 Lambda function that posta massage to an Amazon Simple Guove Servic (Amazon SOS) queue. Create an Amazon ClouaWatch alarm to publish a message to an ‘Amazon Simple Notification Service Amazon SNS) topic to natiy the application team whon the /ApprorimateAgeorOldesiMessage metic of the queue i greater than Thou, ©. Greate an Amazon laudWatchialarm to publish a message toan Amazon Simple Notification Service [amazon SNS) tpi to aletY Spica team when theinwseations mete of the Lambda funetion zero for an hour. Configure the arm to treat missing date es breaching. . Greate @ now Lamba function to got the tiastamp ofthe nowest fein the SS bucket Ifthe timestamp I ‘more thant hour ago, publish a message to an Amazon Simple Notation Sarvice (Amazon SNS) topic ‘oty the application tear. Create an Amazon EventBrige (Amazon CloudWateh Events] rule to invoke the row function hour Anewer Explanation: Create an Amazon GloudWatch alarm to publish a message to an Amazon Simple Notiiaton Service (Amazee SNS) topic to slet the application team when the locations metric ofthe Lamba functions 2er0 for an hour. Configure the alarm to treat missing data a breaching Question: 15 certyia ‘company recenty aeauired enather corporation and al of tht corporation’ AWS accounts. inonla analyst feeds the Coat data from these secount A 'Sys0ps aemnistrator uses Cost Explorer to generate cost and usage reprts The SysOps administrator notices that "No Taghoy"roprosents 20% ofthe monthly cot. ‘What should the Sys0ps administrator do to tag the" No Tagkey" resources? A. Add the accounts to AWS Organizations. Use a service contol polic (SCP) to tag ll the untagged resources. Use an AWS Config rule to find the untagged resources. Set the remediation scton to terminate the ©. Use Cost Explorer to find and tg all tho untagged resources. , Use Teg Editor to fn nd tag all the untagged resources, newer Explanation: "You con ade tags to resources when you crete the resource You con use the resources service consol or [API to add change, or remove those tag one resource at time, To add tags to —or editor delete tags of — multiple resources at once, use Tag Editor. With Tag Editr, you search forthe resources that you want to ag. and then manage tags forthe resources in your search results” R hupsi/idocs.ows amazon com/ARGIIatest/usergude/tag-editr hint Question: 16 Cortyia White setting up an AWS managed VPN connection, a SysOps administrator creates a customer gatoway resource in AWS. Th customer gateway device resides ina data conter wih a NAT gateway in ron ft ‘What addross shouldbe used to eveate the customer gateway resource? {A Tho privat Padross of the customer gateway dovieo The MAC address ofthe NAT device in front ofthe customer gateway device ©. The public IP adres of the customer gateway device . The public IP address ofthe NAT device infront the customer gotewey device newer Explanation: lH your customer gateway device Is behind a network adress translation (NAT) device, use the IP address ot yourNAT device httpsiidocs.aws amazon com/ypafatestis2svpnlegw-options html Question: 17 certyia ‘company hes 8 web application thats experiencing pertormence problems meny tines each ight root couse {analysis raveals sudden increases in CPU ulllzaton that ast 5 minutes onan Amazon EC2 Linux nstance, A ‘5ysOps edmnistratr must find th process D (PD) of the saris ox procoss that Is consuming mora CPU. ‘Whar shoul the 5ys0ps administrator do to collect the process uiizaton information withthe LEAST amount of ttt? ‘A Configure the Amazon CloudWatch agent procstat plugin to capture CPU process matics, 8. Configure an AWS Lambda funtion to run every minute to capture the PID and senda notification ©. Login to the E02 nstance by using a.5em key each night. Then run the top command. , Uso the detault Amazon ClousWatch CPU ulization moti to capture th PID in ClouaWatch, newer: A Explanation: ‘The procstat plugin enables you tocolleet metres from individual processes. It is supported on Linux servers ‘anon servers running Windows Server 2012 or lat. https/Idocs.aws.amazon com/AmazonGloudWatchlatestmonitring/CloudWatch-Agentprocstat process: metres html Question: 18 erty |ASys0ps administrator configured AWS Backup to capture snapshets from a single Amazon EC2 instance that has ane Amazon Elastic Block Store (Amazon E85) volume attached. On the frst snapshot the EBS volume has 10 GiB of data On the socond snapshot, the EBS. ‘volume sil contains 10 GiB of data, but 4 [GiBhove changed On the third snopehot, 2.GIB of detaheve been added tothe volume, for total of 2 GB. How much total storage srequred to store these snapshots? Aree a16ce cscs bwzae Anewor:B Explanation: httpsfdocs aus. amazon com/AWSEC2/atoct/UserGulde/EBSSnapchotshtmlshow_ snapshots. work Question: 19 Certyia | team e managing an AWS secount that isa member ofan organization in AWS Organizations. The organization has conslidatod piling features enabled. The account hosts several applications. 185ys0ps administrator has applied tags toresourees within the account to reflect the environment. The team rede a report ofthe breakdown of charges by envirenment ‘What should the Sy80ps administrator do tomeet ths requirement? A Filter, map, and categorize resource groups in Tag Editor. B.Encue that the organization's service contol policies SCP) allow access te cost allocation tags. ©. Ensure that the IAM credentials that are used to access Cost Explorer have permissions to graup cost by . Activate the tag keys for cost allocation onthe organization's management sccount. Answer D Explanation: You must activate both types of tage separately before they can appear in Cost Explor allocation report httpsiidoes.aws.amazon com/awsaccounthilinglatestaboutv2eost-alloe-tags html Question: 20, Certyia ‘company uses an AWS CloudFocmation template to provision an Amszon EC2 Instance and an Amazon ROS D8 Instance. A ysOps administrator must update the template to ensure that the DB instance Is cestad before the £62 intanea euncned ‘What should the 5y50ps administrator do to meet ths requirement? ‘A Adda wait coniton to the template, Update the EC2 instance user data script to senda signal after the EC2 inctance started, 8. Add the DependsOn attribute tothe ECZinstance resource, and provide the logical name of the ROS ©. Change the order of tho resourcesin the template so that the RS resource is listed bofore the instance . Create multiple templates. Use AWS CloudFormation tackSets to walt fr one stack to complete before the second stack rested. Bis the answer With the DependOn attribute you cen specify thatthe cretion of specific resource follows another. Wen you aia DepandsOn attribute to a resource, that resource is created only after the creation ofthe resource spacifiad inthe DependsOn attribute Question: 21 Cortyia ‘Acompary hosts state website on Amazon S3. The websites sarved by an Amazon CloudFrent distribution with {Getault TL of 86,400 soconds. ‘The company reconty uploaded an pated version of tho website to Amazon S3, Howover user tills the old content when they tolvesh the” SyeOpe administrator must make the now version of th wobsit vibe to Lsers as soon as possible Wich solution meets these requirements? ‘A Adjust the TTL value forthe ONS CNAME record thats pointing tothe CloudFront dstbution. Create an invalidation on the CloudFrontdstributlon for he old $2 abject, ©. Greate # new CloudFront sstibution Update the ONS records to pont to the new Gloudront ation, Update the DNS record for the website to point to the $3 bucket. Bis correct. nvalidations can be crested forthe ene bucket content or speci eth. Question: 22 Certyia [A $ys0ps administrators responsible for managing 8 company's cloud infrastructure with AWS ClougFormation. “he $ys0ps administrator needs to create a single resource that consists of multiple AWS services. The resource ‘must supprt cretion and dloton through the CloudFormation console, ‘Which ctoudFormation resource type should the SysOps administrator oats to mest those requirements? | AWS2EC2-Iatance with acfn-init helper seri B.AWS:OpsWorksInstance ©. AWS:SSM:Document . Custom-MyCustorType Anewor:D Explanation: ‘custom resources enable you to write custom provisioning logic in templates thet AWS CloudFormation runs anytime you create, update if you changed the custom resource, or delete stacks. For example, you might wont to inlude resources that aren't avaliable as AWS CloudFormation resource types. You can Include those resources by using custom resources. That way you cen stil manage ll your related resources in asngle stack https/idocs.aws amazon com/AWSCloudFormtionates/UserGuide/template-custom-resources hl Question: 23 certyia ‘Anew website wil un on Amazon EG2 instances behind an Apoliction Load Balancer. Amazon Route 53 wil be Used to manage DNS records ‘Whar type of record chould bo sstn Route 83 to point the website's px domainname (fr example, ‘company.com tthe Application Load Balancer? A.CHAME 8.508 ctxt D.ALIAS Answer: Explanation: Route 53 supports the alla resource record se, which ets you map your Zone apex (2g. example com) ONS rare to your load balancer DNS nar.” Reference: hitps/ldocs.aws.amazon com/goveloud-us/atest!serGuidelsetting-up-reuteS3.zoneapex-elb html Question: 24 certyia |Acompany'isimplementing secunty and compliance by using AWS Trusted Advisor. The company's Sys0ps team isvalidating thelist of Trustd Advisor checks that itcan access. Which factor wil affect the quantity of avaiable Trustod Advisor checks? 1A Whether at east one Amazon EC2 instance is inthe running ta The AWS Support plan ©. An AWS Orgnrizatons senice contol policy (SCP) Whether tha AWS secount root usr ha mult factor authentication (MEA enabled newer Explanation: “Which Trusted Advisor checks and features ae avaiable to all AWS customers? [AWS Basic Support and AWS Developer Support customers got access to 6 security checks {53 Bucket Permissions. Security Groups - Specie Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public ‘Snapshots, ROS Public Snapshots) and 50 service limit checks. AWS Business Support, AWS Enterprise On- Ramp, and AWS Enterprise Support customers get access tall 15 Trusted Advisor checks (14 cost optimization, 17 security, 24 fut toleranea, 10 pertormance, and 50 service iis] end recommendations Reference: hitps:/aws amazoncom/premiumsuppestifags/?ncteh Is Question: 25 Cortyia |ASys0ps administrator is invastigating issues on an Armazon RDS for MaraDB DB instance. The Sys0ps administrator wants to spay the database load catogoized by detailed wait events. How can the Sy20ps administrator accomplish this got? 1A. Create an Amazon CloudWatch dashboard 8B. Enable Amazon RDS Performance Insights ©. Enable and configure Enhanced Monitoring, , Review the database logs in Amazon CloudWatch Logs Retorence: httpd. awa.amazon com/AmazonS/latect/UserGuide/USER PerfinsightsEnableMySQLntm\ * arget= blank” style= word beak: break a> Overview of the Performance Schema ‘The Performance Schema monitors server events. In this context, an event is @ server action that consumes time. Performance Schema events are distinct from binlog events and scheduler events. ‘The PERFORMANCE_SCHENA storage engine collects event data using instrumentation in the database source code. The engine stores collected events in tables in the performance schema database. You can query performance_schema just as you can, ‘query any other tables. For more information, see MySQL Performance Schema (2 in ‘MySQL Reference Manual. When the Performance Schema is enabled for Amazon RDS for MariaDB or MySQL, Performance Insights uses it to provide more detailed information. For example, Performance Insights displays DB load categorized by detailed wait events. You can use wait events to identify bottlenecks. Without the Performance Schema, Performance Insights reports user states such as inserting and sending, which don't help you identify bottlenecks. Question: 26 Certyia [company is planing to host an application on a st of Amazon EC2 instances that are distributed across multiple ‘vallabity Zones. The application must be able to seal to lions of roquoste each cond, 'Sys0ps administrator must deslzna solution to distibute the rate tote EC2 stances. The solution must be optimized tohandle sudden and valatte vaffle patterns while using a single stale I address fr each Avalalty Zone, ‘Which solution will meet these requirements? ‘A. Amazon Simple Queue Service (Amazon SOS) queue 8 Application Load 8 ©. AWS Global Acc , Network Loed Balancer newer Explanation: “Network Load Balancer le optimized to handle aucden and volatile trafic patterns while using a single state IP adross por Avalablity Zone Reference: https/taws.amazon comvelastictoadbalancing/networkctoad-balancer/ Question: 27 Certyia ‘company wants to be alerted through oma when AM CreateUsor AP calls are mado within is AWS account ‘Which combination of actions shavlda SyeOpe administrator tke tomost this requirement? (chooto two) ‘A.Groate an Amazon EventSridge (Amazon ClousWatch Events) ‘and IAM CreateUser a the specific API call forthe event pattern, 8B. create an Amazon Eventridge(Amezon CloudWatch Events ule with Amazon GloudSeareh a the event Source and IAM CreateUser as the speciic AP call for the event pattern ©. Greate an Amazon Eventridge (Amazon CloudWstch Events ule with AWS IAM Access Analyzer es the vent source snd IAM CreateUser asthe spect: AP eal fr the event pattern, , Use an Amazon Simple Notation Series (Amazon SNS} topic aan event target with an omall, subscription Use an Amazon Simple Email Service (Amazon SES) notification as an oven target with an oral subscription lo with AWS CloudTrai as the event source Answer: AD. Explanation: ClousTral then assumes the IAM role you created {se0 3 above), which allows CloudTral to publish events to your ClousWatch logs. CloudWatch allows you trun after on thse events and generate a GioudWatch ‘metric on any matches, I’ up to you to dete when thaee metic trigger an alarm, but when enough evente ‘occur ha specie time period you will receive an alert either va an SNS topic or emai” hutpe/tawsamazoncomt/blogs/socurtyhowto-receive-lets-whon your am-configuration-changes! Question: 28 Certyia [8 Sys0ps administrator must configure Amazon 83 to host a simple nonprodction webpage. The SysOps administrator ha croatod an ompty 83 bucket from the [AWS Management Console. Tho 3 bucket hes the deutt configuration in place. ‘Which combination of actions should the ys0ps administrate take to complete iis process? (Choose A. Configure tho 53 bucket by using the "Redirect requests for an object” functionality to pont to the bucket root UR 8B. Tum off the "Block al public access setting. Allow public accoss by using a bucket ACL that contains Permission» WEBSITE«/Pormission™. ©. Tum off the "Block al ube access” setting. Allow public access by using a bucket ACL that allows access to the AuthontestedUsrs aranto .Tumott the "Bock al publc access” setting. Sata bucket pole that allows "Principal the s&GetObject €. Create an indexhtmi document. Configure statle websitehosting, and upload the index dacument tothe $2 bucket Anewor: DE Explanation: ‘Step Create a bucket Stop 2 Enable static wobsite hosting ‘Stop 3 Edt Block Public Acboseeetinas ‘Stop 4: Adda bucket policy that makes your buckot content publily avaiable Stop 5: Configu nindex document ‘Stop 6 Configure an error document ‘Step 7 Test your website endpoint Stop &:Clean up Reference: https/Idocs.aws. amazon com/AmazonS./latest/userguideHostingWabsiteOnS3Setuphtml Question: 29 certyia ‘Acompany host its website on Amazon EC2 instances behind an Application Load Balancor. The company ‘monages its ONS with Amazon Route 53, end wants to point its domain's Zone apex to the website. Which typeof record should be used tore these requirements? |. An ARAA record forthe domain's zone apex B.An Arecord forthe domain's rane px .A.CNAME record forthe domain’ zone apex . Analias record forthe domain's zane apex Answer: Explanation: Reference: https/faws.amazoncomrouteSSifags "target="_blank" style="word-break break-al> Q. Can | point my zone apex (example.com versus www.example.com) at my Elastic Load Balancer? ‘Yes. Amazon Route 53 offers a special type of record called an ‘Alias’ record that lets you map your zone apex (example.com) DNS,name to the DNS name for your ELB load balancer (such as my-loadbalancer-1234567890.us- ‘west-2.elb.amazonaws.com). IP addresses associated with load balancers can ‘change at any time due to scaling up, scaling down, or software updates. Route 53 responds to each request for an Alias record with one or more IP addresses for the load balancer, Route.53 supports alias records for three types of load balancers: Application Load Balancers, Network Load Balancers, and Classic Load Balancers. There is no additional charge for queries to Alias records that ‘are mapped to AWS ELB load balancers. These queries are listed as “Intra-AWS- DNS-Queries” on the Amazon Route 53 usage report. Question: 30 Certyia ‘user wotkingin the Amazon EC2 console increased the size ofan Amazon Elastic Block Store (Amazon EBS) ‘volume attached to an Amazon EC2 Windows instance. Th change not refiacted in he fle syetom, {What shoulda Sys0ps administrator do to resave thisistue? ‘A Exton the filesystem with operating syst ovel tools to use the new storage capacity. 1B Reattoch the EBS volume tothe EC2 instance, Reboot the £2 instance thats atached to the EBS volume. . Tako snapshot of the EBS volume, Replace the orignal volume with a volume thats reated from the snapshot newer A Explanation: ‘After you increase th sze of an EBS volume, use the Windows Dik Management uty or PowerShell to extend the disk size to the new size ofthe volume. You een begin resizing the fe system 9s 200098 the volume enters the optimizing stte R hutpssdocs.ows.amazen com/AWSEGZ/atestiWindowsGuidelrecognie- expanded walume- windows hm Question: 31 Certyi {A Sys0ps administrator suing Amazon EC2 instances to host en apoiction. The SyzOpe administrator neds to {rant permissions for te application to access an Amazon DynamoD8 table, ‘Which solution will moet this eauirement? A. Create access keys to access the DynamaD8 table. Asign the access kay tothe EC2 instance profi 8 create an E02 hey par to access the DynameDB table. Assign the key parte the EC2 instance profile, ©. Greate an 1AM usor to secess tha Dynamo08 table, Assign the IAM user othe EC2 instance profile . Create an IAM rleto access the DynamaD8 table Assign the IAM ale tothe EC2 instance profile Anewer:D Explanation: [Access to Amazon DynameD8 requires credentisls Those credentials must have permissions to accoes AWS resource, such as an Amazen DynamaD8 table or an Amazon Elastic Compute Cloud (Amazon EC2 instance, The following sections provide details onhow you can use AWS ldentty and Access Management (AM and ‘BynamoD8 to help secure secess to your resources R httpsides.aws.amazon com/amazondynamodbistest/developerguide/suthentication and-sccess: contrountm Question: 32 certyia {8 SysOps administrator wants to protect objects in an Amazon S3 bucket from accidental overwrite and elation. NNoncuerent objects must be kept ne 90 des and then must be permanently deleted, Objets must reide witha the same AWS Region as the orignal SS bucket Which solution masta these requirements? let ‘A. create an Amazon Data Lifecycle Manager {Amazon DL) ifecycle pliy forthe SS bucket. Add the ifecyle policy to delete nancurront objects ater 90 days 8. Create an AWS Backup pole forthe $2 bucket. Create a backup ru that Includes fecyce to expire oncurentobjcts attr 90 days ©. Enable $3 Cross-Region Replication on the SS bucket. Crea oncurrant objects attr 90 days. , Enable S3 Versioning onthe $3 bucket. Crate an $8 Lifecyele policy forthe bucket to expire nancurront objects ter 90 days 7 83 Lifecycle policy forthe bucket 10 expire AnewerD Explanation: Reference: https:/ctoudecademy comtblog/s3tecyclepolicies-versioning-eneryption-ews-secuty! Certyia application that customers us to search for records ona website. The applications datas Stored in an Amazon Aurora DE cluster. The applications usage varies by season and by day ofthe weak ‘The website's popularity is increasing, and the websites exparioncingslowor performance becauso of increased load onthe DB cluster during periods of peak activity The application ogs show that the performance esues occur hen users re esrehing for information, The same seareh rarely performed multiple tines 3Sys0ps administrator must Improve the perfocmance ofthe platform by Using solution that maximizes Feeoureeeticiency Wich solution wil me these requirements? ‘A Deploy an mezon Elstiache for Rel cluster infront of the DB cluster Modify the aplication to check the cache before the appleation issues new queries to the database Add the results of any queries tthe coche, 8 Deploy an Aurora Replica forthe DB cluster. Mody the applicstion to use the reader endpoint fr search ‘operations. Use Aurora Auto Scaling to scale the numberof replicas based onload ©. Use Provsioned IOPS onthe storage volumes that support the DB cluster ‘improve performance surficinty to support the peak Leadon the application D Increase te instance siz inthe O8 cluster to sze that i sufficient to support the peak oadon the application Use Aurora Auto Scaling to eal th instance size based onload. newer Explanation: £8. Caching wil nt solve th performance issue inthis scenario, as the same searchis rarely performed multiple times, Thus read relics wil be better. erty |Acompany usos AWS Organizations to manage mulisle AWS accounts. Corporate policy mandates tht only Spectic AWS Regions canbe used to store and process customer dota. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regione by anyone inthe company. ‘What ie the MOST operationally efficient solution that meets these requirements? ‘A Connigure AWS CloudTral in lt Region to record all API act. Create an Amazon EventBrdg (Amazon CioutWatch Events rule yall unouthorized Regions fr ec2Runinatonces events Use AWS Lambo 10 terminate the launched EC2 instances B.Ineach AWS account, ceste a managed IAM pole that uses Region condition ta deny the s:2Runinstances action nll unautharted Regions. Altach ths pole tal IAM groups each AWS account C.lneach AWS secount.creste an AM permissions boundery pole thet uses Region condition to deny the fs:2Runinstances action in all unguthorzed Regions. Altach the permissions boundary pally ta all AM Users in toch AWS account. . Great a srvice contrat policy [SCP) in AWS Organizations to deny the eRunlnstances action in all ‘unauthorized Regions. Attach this policy te tho o0t level ofthe organization Answer Explanation: It this question has something ke "Use Control Tower and setup the Landing zane with provisioned regions” ‘that woul toke be correct but there so Control Tower epton on this ane. Question: 35 Certyia company’s puble websites hosted in an Amazon S3 bucket inthe us east Region behind an Amazon Ctouarontcstibtion. The company wants to ensure that the websites protected from DDeS attacks A SysOps administrator needs to deploy a solution that gives the company the ability to maintain contol over tho rate Limit at ‘which DDeS protections are apple. Which solution wil meet these requirements? |. Deploy» global-scoped AWS WAF web ACL with an allow default ction. Configure an AWS WA rate-baced rule to block matching Waffi. Associate the web ACL with the CloudFront distribution. Deploy an AWS WAF we ACL with an allow default action in uteastt. Configure an AWS WAF rate-based rule fo block matching wai. Associate the web ACL with the SS bucket. ©. Deploy sloba-scoped AWS WAF web ACL with ablock default action. Configure an AWS WAF rate-based rule tallow metching wai. Associate the web ACL with the ClouFront distribution, . Deploy sn AWS WAF web ACL with block doaut ction in u-east1, Configure an AWS WAF rate bosed ‘let allow matching afi Associate the web ACL with the S3 bucket. Answer: Explanation: R hutpsi/idocsaws.amazon.com/watlatestdeveloperguide/lasslc-web-act-dofault-action ml Question: 36 Certyia [8 Sys0ps administrator developed a Python srit that uses the AWS SDK to conduct soveral maintenance tasks. ‘Te erik needs to run automatiealy every night. Whats the MOST operatenaly efficient solution thet meets this requirement? ‘A Convert the Python scrip oan AWS Lamb function, Use an Amazon EventBridge (Amazon CloudWatch Events rule to invoke the function everynight. B. Convert the Python sit toon AWS Lambie function. Use AWS ClaudTral to invoke the function every ight C. Deploy the Python serpt tim Amzon C2 instance, Use Amazon Eventide (Amazon CloudWateh Events) to schedule the instance to start and stop every night . Deploy the Python script to an Amazon EC? instance. Use AWS Systems Manager to schedule the instance to Start and stop everynight Answer: A Explanation: Hore a lembda function wil be the most effeient solution R hutpss/idoes. ows amazon com/RimazonCloudWatelatestevents/RunLombdaScheduleltnk Question: 37 Certyia |A$ys0ps administrator must function experiences an ero. Which solution wil moet tis auiroment? 0a solution that immediately notitios software developers if an AWS Lamba ‘A Greate an Amszon Simple Notifieation Service (Amazon SNS) topic with an emall subscription for esch ‘developer. Create an Amazon CloudWatch elarm by using the Errors metric and the Lembde function name as @ ‘imension Configure the alarm to send anaiication tothe SNS topic when the alarm state reaches ALARM 8B. create on Amazon Simple Notification Service (Amazon SNS} toie with 9 mati subscription for eseh ‘developer Create an Amazon Event Bridge (imazon Clouatch Events) alarm by using the LambdaEor asthe ‘vant pattern and the SNS topic namo as e resource. Configure the alarm to cond snetifcaion tothe SNS topic whan the alarm state reaches ALARM €. Verity each developer email adcrss in Amazon Simple Emal Service (Amazon SES).Create an Amazon ClouaWetch rule by using the Lambdatrror metric nd doveloper oma addresses as dimensions Configure the rule to send an emai throug Amazon SES when therule state reaches ALARM, . Verity each devsloper mobile phone in Amazon Simple Ema Service (Amazon SES). Create an Amazon EvontBrige (Amazon CloudWatch Events) rule by using Error asthe event patter and the Lamba function name ae 3 resource, Configure thereto send a push notation trough Amazon SES when the re state reaches ALARM newer: Explanation: httpsi/aws amazoncomblogsimt/getnotified-specifi-lambda-functionerror-patters-sing-cloudwatchd Question: 38 certyia ‘A company hes» private Amazon 83 bucket thet contains sensitive information A Sys0ns administrator needs to keep logs ofthe P addresses from authenticetion falares that esl from attempt to access objects inthe bucket. The loge must be stored so that they eannot be overwitien or deleted fr 80 days Wich solution wil moat these requirements? ‘A create an AWS CloudTrall tal Configure the log les to be saved to Amazon CioudWatch Logs Contigure the log group witha retention peried a 80 days 8. reate an AWS GloudTral tal Configure the logfiles tobe saved toa diferent $3 bucket. Turn on ClousTral og fie integrity validation for 90 days ©. Tum on access logging for tho $3 bucket. Configure the access logs tobe saved to Amazon CloudWatch Logs Configure thelog group with retention period of 0 days, Tum on access logging for**S3 bucket, Configure the access logs tobe saved in second 83 bucket. Tum ‘0n 83 Object Lock on the second SSbucket. end configure del retention period of 80 days. Answers Explanation: £8 -ClousTrail og file integrity validation wil NOT prevent logs tobe overwritten or deleted. 53 Server Access Logglng ony uses 83 buckets othe destination 'D- SS uckets with Objct Lock enabled cannot be used as target buckets for Server Access Logging Question: 39 certyia |Acompany is migrating its production fs server to AWS. All dota thats stored on the file server must main accessible an Availablity Zone bocomes unavailable or when systom maintenance is performed. Usors must be ble to interact wth the il corver though the SMB protocol. Usor alco must havo the ability to manage Me permissions by using Windows ACLS. Wich solution wil met these requirements? A create single AWS Storage Gateway file gateway, B.create an Amazon FSx for Windows File Serve Mult-AZ fle system. ©. Deploy two AWS Storage Gatoway file gateways acros two Avaliability Zones. Configure an Application {ood Balancer infront of the fe gateways , Deploy two Amazon FSx fr Windows File Server Single-AZ2 filesystems. Configure Microsoft Distributed File System Replication (OFS) Anower| Explanation: To support SMB, FSi the choice:https/ldocsawsamazoncomifexlatostWindowsGuidelwhat ishiml. For ‘supporting fal-over across AZ, can tun on Mult-AZ option. R hutpssidocs. ows amazon com/fed/letestWindowsGuidelahetis hl Question: 40 Cortyia [Acompany runs an application on an Amazon EC2 instance. A SysOpe administrator creates an Auto Scaling group and an Application Laed Balancer (ALB) te handle anncrease in demand. However, the EC2 instances are aiing {heheatth check, ‘What should the Sys0ps administrator do to troubleshoot this issue? A. Verity that the Auto Scaling groups configured to use all AWS Regions. 8 Vority tha the application isrunning onthe protocol and the prt thatthe stoner is expecting ©. arity the stoner priority inthe ALB. Change tho priority if nocessary, . erly the meximum numberof instances in the Auto Sealing group. Chenge the number necessary. Answer: 8 Explanation: TorgotFalledHealthchooks Verity thatthe targets stoning for traffic onthe health check port. You can use the ss command on Linux targets to verity which ports your server listening on, For Windows targets you ean use the netstat command ‘ttp//awa.amazoncom/premkumsupportknowledge-canter/elb-ix-faling-health-checks-lb/ Question: 41 Cortyia, {8 Sys0ps administrator has crested an AWS Service Catalog portfolio and hs shared the portfolio witha second, [AWS account inthe company. The socond sccount is controllag by aforont adminstratr. ‘Which action wil the administrater ofthe second account be able to perform? ‘Add product fram the imported potato toca portfolio. 8B, Add now protuets to tho imported portfolio €. Change the launch role fr the products contained inthe Imported portfolio Customize the productsin the imported portal Answers, Explanation: When you shar a portfolio using account-t-account sharing or AWS Organizations you allow an AWS Serve Catalog administrator of another AWS account to import your portfolio inthis orher account and {istibuto the products to ond usrsin that account https/idoes.aws.amazon com/sorvicecatalog/atesadminguid/catalogs. portfolios. sharing html Question: 42 certyia _Acompany has migrated its application to AWS. The company wil hos the application on Amazon EC2instances ‘ot multiple instance faioe During ntl testing. © 5y#0ps administrator denties performenceasues on selected EG2 instances. The company has a strit budget allocation policy, so the ‘SysOps acministrator must use the right resource types withthe performance characteristics tomatch the woroad ‘What should the Sys0ps administrator do to meet ths requirement? A Purchase regional Reserved instances (Ris fr immediate cost savings Review and ake action on the EC2 Fighting recommendations in Cost Explorer. Exchange the Rs forthe optimal instance family ster renting, 8. Purchase onal Reserved Instances (Rs) for the existing instances: Monitor the Rl tlization inthe AWS. Biling and Gast Managemant console. Make edustments to nstance sos to optimize utlization. © Roviw and tak action on AWS Compute Optiizer recommendations Purchase Compute Savings Plans to reduce the cost that requred to run the compute resburees, Review resource utization matics in the AWS Cost and Usage Report. ghtsize the EC2instances. Create (On-Demand Capscity Reservations for he rightszed resources newer Explanation: Reference: hutpsdoes.sws amazon com/AWSECZ/atest/UserGuide/e:2.nstance-cecommendationshtmi Question: 43 Cortyia 28ys0ps administrator is tasked wth deploying company's infrastructure as code. The SysOps administrator ‘want to write a single template that can be reused for multiple environments. How should the SysOps administrator use AWS CloudFormation toc olution? | Use Amezon EC2 user data ina CloudFormation template Uso nested stacks to provision resources. ©. Use parematersin # CloudFormation template , Use stack polices to provision resources. Anewen © Explanation: Reuse templates to replicate stacks in multiple environments After you have your stacks and resources setup, you can reuse your templates to replicate your infrastructure mutilo environments. For example, you can create environments for development testing, and production so that you can test changes before implomenting them ino production. To make templates ‘reusable, use the parameter, mapping nd cencltons sections eo that you can customize your stacks when youeroate them. For examplo, for your davolopment nvrenments, you can specity a lower-cost instance type compared to your production environment, but all ether configurations and setings main th samo. hpss/docs.aws.amazen.com/AWSCloudFormaton/lates/UserGuide/best practices himl#rou Question: 44 certyia | Sys0ps administrator is responsible fora large lest of Amazon EC2 instances an must know whothor any Instances willbe attected by upcoming hardware maintenance. ‘Which option would provide this information with the LEAST administrative overhoed? ‘A Deploy third-party monitoring solution to prove real-time EC2 instance monitoring. B List any instances wth filed system status checks using tha AWS Management Consol. ©. Monitor AWS ClousTral for topinstancesAPt cll. Review the AWS Personal Health Dashboard newer D Explanation: ta hardware malfunction occurs then Amazon EC2 tags the specific hardware as faulty. Any instances that are running onthe hypervisor ofthe faulty hardware ae movod te heathy hardware. During the transition to now hardware, the Amazon EBS-backed instances are stopped and instance stoe-backedinstancos re terminated Amazon EC2 sends anotfication trough email an to your Personal Health Dashboard informing you! thehardaare degradation and of the upcoming instance stop or termination ttps/aws.amazoncom/premumeupportknowledge-center/se2nux-degradec-hardware) Question: 45, Certyia |8Sys0ps administrator i attempting to deploy resources by using an AWS CloudFormation tomplats. An Amazon £Ec2intanco that ie dotined in the torplate fast launch and produces an neufictontnstancseapaciyoror. ‘Which aetons should the SysOps administrator tke to reaave this eror? (Choose wo) A. create a separate AWS CloudFormaton template forthe EC2 instance, B. Mocity the AWS CloudFormation templat to not specty an Avalibllty Zone forthe EC2 instance, ©. Mosity the AWS CloudFormation tamplate to use a diferent EC2 instance type, . Use aitforent Amazon Machine image (AMI forthe EC2 instance, Use the AWS CL's validate template command before creating a stock trom the template newer: BC Explanation: you're tunehing an instance, submit anew request without speciying an Avalabilty Zon, lt you're taunching an instance, submit new request using a iferent instance type which you ean resize at alate stage) For more information, see Change the instance type. hitpssdoes.ows.amazen com/AWSEG2/atet/serGuide/toubleshooting launch htmintroublesheoting: launch-capacty| Question: 46 certyia ‘A company hosts web aplieation on Amazon EG2 instances behind on Application Load Balancer (ALS). The Company uses Amaron Route 53 to route trafic. ‘The company also hae = static webete that configured in an Amazon $9 bucket. [ASys0ps administrator must us the static website asa backup to tha web application. The fallover tothe static abst must be fuly automated, ‘Which combination of actions wil meet those requirments? (Choose two) ‘A. create apimaryfaliover routing policy record. Configure the value tobe the ALB, 8. createan AWS Lambda function to switch from the primary website tothe secondary website when the oath chock fe ©. Crete a primary failover routing policy record Configure the value tobe the ALB. Associate the record with ‘Route 83 health check . Create «secondary fllover outing policy record. Configute the value tobe the sttie website. Associate the record with a Route 38 heath check Create. secondary falover outing policy record. Conigue the value tobe the state website. Answer: CE Explanation: cannot be “CO” Plea read your ink Create the fatoverendpalnt For Falover Record Type, choose Secondary. For Associate with Health Check, choose No. Question: 47 certyia ‘A data analytics applications runing onan Amazon EC2 instance A SysOps administrator must add custom ‘dimensions tothe metrics collected by tho Amazon {louawatch agent ow can the Sy80ps administrator meet this requirement? A. Greate a custom shell script to extract the dimensions and collet the metrics using the Amazon CloudWatch agent 8. create an Amazon EventBridge Amazon CloudWatch Events) ule to evaluate the requied custom ‘mension and send the metrics to Amazon Simple Notification Service (Amazon SNS) C. Greate an AWS Lambda function to collet the mets from AWS CloudTral and send the metres toon ‘Amazon CloudWatch Logs group, . Greate en append. dimensions faldin the ArnazonCloudWatch agent configuration file to cllet the Anewer:D Explanation: ‘mensions parameter i common. dimencion further clarifies what the moti sand ons assigned to one metric. nd esch dimension i defined Incustom metrics th hat dati stores. You can have upto 30 me bya name and value pair Reference: hpss/ldocs.aws.amazen com/AmazonGloudWatchlatestmenitring/publshingMtrisihmt Question: 48 certyia ‘company stores its data in an Amazon S3 bucket. Tho company is aquired to classy the data and in any onsitve personal information inite $3 ios. ‘Wich solation will meet these requirements? A. Greate an AWS Config ul to discover sensitiv personal nformationin the 83 files and mark them as roncompiiant B Create an $3 event riven atta intlligencelmachine learning (AUML) pipeline to classify sensitive personal information by using Amazon Rekogniton. Enable Amezon GuardDuty.Cantigure SS protection to monitor all data inside Amazon $3. , Enable Amazon Mecie. Create a discovery jb thet uses the managed data identi, newer Explanation: To discover sensitive data wth Amazon Maco, you create and run sensitive data discovery jobs. A sensitive ata discovery jb analyzes object in Amazon Simple Storage Service (Amazon Sa) buckets to determine hethor th objects contain sonsive data andi provides detailed reports ofthe sani data tha finds ‘and the enlysis thot it performs, By cresting and running jobs, you can automste discovery logging, and reporting of sensitive data in S3 buckets hitpdocs.ows.amazon.comimecieiatestiuseridae-classieation html Question: 49 Certyia ‘company hosts a wab portal on Amazon €2instances. The web portal uses an Elastic Load Balancer EL.) and ‘Amazon Route 53 forte pubic DNS service ‘The ELB and the EC2 Instances are deployed by way of a single AWS CloudFormation stackn the us-east-1 Region. The web portal must be highly avaliable across mulple Regions Which configuration wll moot these requirements? ‘A Deploy «copy ofthe stackin the us-west-2 Region. Greate single stat of authority (SOA) recordin Route '53 tht includes the IP addres from each ELB. Configure the SOA ecard with health checks Use tne ELB Ia Uup-cact-1as ho primary rocord and tho ELB in us wost2 as the socondary racers 'B Deploy 2 copy ofthe stack nthe us-west-2 Reglan Create an ational A recordin Route 83 that includes ‘the ELB nuswest-2 9s an alias target Configure the A ocords with afalover routing palcy and heath checks. Use the ELB in us-east- asthe primary record andthe ELB nus west2 as the secondary record ©. Deploy a now group of EC2 instancesin the us-wost-2 Region. Associate the now EC2 instances with tho fxistng ELB, ond configure ood baloneer Neath checks ona EC2 instances Configure the ELB to upsate Route 3 when EGP instances in urwest2 fall health checks. Deploy new group of C2 instances in the us-west-2 Region. Configure EG2 health checks on all EC2 instancesin each Region. Configure a peering connection between the PCs, Use the VPC inus-east- the primary record andthe VPC In ur-west 2a the secondary record Answer: B Explanation: ‘The answer ie 8. When you crate hosted zone, Route 53 automatiealy creates 9 nome server (NS) record anda star of authority (SOA) record forthe zone, Reference: htpss/idocs.aws.amazon.com/RouteS3/latest/DeveloperGuide/mira reste hosted-zene cine dmaln-n-usentmlmigrete-dho Question: 50, certyia {A Sys0ps administrator is investigating why 2 sor has beonunsble to use ROP to connect aver the internet fom "heir home compute to bastion server tuning on sn Amazon C2 Windows instonce. Which ofthe folowing oe posible causes of ths issue? (Choose two), ‘A Anotwork ACL associated with tho bastion’ subnets blocking the network traffic. 8B. The instance does not havea private Padres. The route table associated with the bastions subnet does not havea route tothe Internet gateway. The security group forthe instance doesnot have an inbound re on port 22. The security group forthe instance doos net have an outbound rule on port 3388, Answer AC Explanation: [A Anetwork ACL eeseclated with the bactin's subnets blocking the network trate ©. Tho route table associated withthe bastions subnet doesnot havea rout to the internet gateway. Question: 51 Cortyia [Sys0ps administrate is exomining the flowing AWS CloudFormatian template: AWSTemplateFormatVersion: '2010-09-09" ‘creates an EC2 Instance’ Description: Resource: EC2Instanct Type: AWS::EC2:: Instance Properties ImageId: ami-79fd7ece InstanceType: m5n.large SubnetId: subnet-labe3d3£g PrivateDnsName: ip-10-24-34-0.ec2 Tags: - Key: Name Value: !Sub "${AWS Why wl the stack creation fat? StackName} Instance" ‘A Tho Outputs section ofthe ClousFormation template was omitted, 8B. The Parameters section of tho CloudFormaton template was omitted ©. The PrvateDnsName cannot be st from a CloudFormation template. The VPC was net specified inthe ClousFormation tomplate, Anewen Explanation: PrvateDNSEndpointis an output nota parameter Question: 52 certyia ‘A now application runs on Amazon EC2 instances and accessos data in an Amazon RDS database instance. When {ully deployed in production the applestion fas, The databose canbe querled Irom a console ons bastion host, When ooking at the web server age, the fllowing eros repeated maliple times ‘or Establishing a Database Connection. Which ofthe folowing may be causes a the connectivity problems? (Choose two) A. The security group forthe database does not have the appropriate ress rule from the database tothe web B. The cetiteate use by the web server ie not trusted by the RDS instance, ©The security aroun fr the database doos not have the appropriate ingress rule trom the webserver tothe satabese, , The port us by the application developer does not match the pot speciid in tho RDS configuration The databasois stil boing created and isnot avaiable for connectivity Answer: 0 Explanation: Database can be queried from Bastion, so Eis cut Securty groups are stateful so you don't have to bether With th ogres rls inthis situation, astong as you have the proper ingrss rule Question: 53 Certyia, ‘compliance team requires al administrator passwords for Amazon ROS DB instances to be changed at last annually ‘Wich solution meets this equicement inthe MOST operationally efficient menner? A Store the database credentialsin AWS Secrets Manager. Configure automatic rotation forthe secret every 365 days. 8. tore the database credentials as a parametorin the RDS parameter group. Create a database tigger to rotate the password every 385 days. C. Store the databese credentiasin a private Amazon SS bucket. Schedule an AWS Lambda funtion [Renerate anew aot of redentials every 265 day=, . Store the database cradentials in AWS Syaterns Manager Parameter Store as a secure sting parameter. Configure automatic rotation forthe parameter every S65 days Answer: Explanation: ‘To plement password rotation iteeyees, use AWS Secrets Manager. You con rotate, manage, and retrieve Gatabase credentials, AP! keys, and other secrets throughout thai ifecycle using Seorets Manager. For more Informatio, see What is AWS Secrets Manager? i the AWS Secrets Menoger User Gude, Question: 54 Certyia |ASys0ps administrators responsible for managing fleet of Amazon EC2 instances. These EC2instancos upload buld artifacts toa tira-party sevice. Tha tiré-party service recently implemented strict Palow ist that Fequies all build uploads to come froma siglo IP address, ‘What change should the eystoms administrator mako tothe existing bul float to comply with this now requsement? A Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service 'B. Move al ofthe EC2 instances behind en nternet gateway and provide the gateway Padres tothe sevice ©. Move all of the £2 instances into single Availability Zone and provide the Availability Zon IP address to theserdee. . Move all ofthe £2 instances to peered VPC and provide the VPC IP addr othe servic, newer: A Explanation: NAT atoway isthe choles Lettor A hpss/idocs. aus amazon com/ype/atestuserguidevpe-nat-gateway Atm Question: 55 Certyia | company uses an Amazon Cloudron distribution to deliver its website. Traffic logs forthe website must be Centrally stored, anal data must be anerypted at rst ‘Which solution wil meet these requirements? ‘A. create an Amazon OpanSearch Service (Amazon Elasticsearch Service) domain wthinternet access and ferver-ide encryption that ures the default AWS managed customer matter key (CMA) Configure CloudFront to use the Amazon OpenSeareh Service (Amazon Elasticsearch Service) domsin 9 log destination 8. Create an Amazon OponSsarch Servic (Amazon Elasticsearch Service) domain with VPC access and server- Side encryption that ures AES 256. Configure CloudFrot to use the Amazon OpenSoarch Serves Amazon Elasteseareh Service] domoin 9 sig destination (Create an Amazon $3 bucket that isconigurad with default server-side encryption tht uses AES. 256 Configure Cloud? ont ta use the 2 bucket as log destination. . Create an Amazon $3 bucket thats configured with no default encryption Enable encryption nthe Clousront distribution, andusa the S3 buckot asa log destination, Answer Explanation: CtoudFront logs can be sent to an 83 bucket, ond 83 buckets can be encrypted. Reference: hutpssidocs.ows.amazen.com/AmezonGloudFrontlatesvDeveloperGulde/Accesslogs htm Certyia ‘An organization created an Amazon Elastic File Systam (Amazon EFS) volume with le system ID of f-8Sbedtt, and ts actively used by 10 Amazon EG2 hosts. The organization has Become concerned that the file systems not snerypted. How can thisbe resolved? ‘A. Enable encryption on each host's connection tothe Amazon EFS volume, EBch connection must be crested for enerypton io take eect 'B, Enable encryption onthe existing EFS volume by using the AWS Gommand Line Intertace © Enable encryption on each host's local rive. Restart each host o encrypt the drive, . Enable encryption on a newly create volume and copy all data from the orignal volume. Reconnect each host tothe new volume, Answer: Explanation: hupssdocs.ows.amazen com/et/ltestus/eneryption tm ‘Amazon EFS supports two forms of encryption for systems, encryption of data in transit and enerytion st rest, Yu can enable encryption of data at rest when creating an Amazon EFS te system. You can enable encryption of data in transit whan you mount the filesystem. Question: 57 Certyia ‘company uees an AWS Service Catalog portfolio to erento and manage resources. A SysOpe administrator must reste replica af the compony existing AWS iniastrscturein anew AWS aecount. Whats the MOST operetanelly effet way to meet ths requvement? |. Create an AWS CloudFormation template to use the AWS Service Catalog pertain the new AWS account B Inthe new AWS oczount, menully erate an AWS Service Catalog portfli that duplicates the exginl porta. Run an AWS Lambda function to ereate a new AWS Service Catalog portfolio based on the output ofthe DeseribePortfalia AP! operation . Shar the AWS Service Catalog portfolio with the new AWS account. Import the prtfels inte the new AWS, Answer Explanation: hpss/idocs.aws.amazon.com/sorvicecatslog/atestsdminguldlcatalogs_portflis.sharing.himl certyia [8 Sys0ps administrator must manage the security of an AWS account, Recently, an AM user's accesskey was mistakenly uploaded toa public code ropoitoy. ‘The $ys0ps administatar mast ently anything thet was chonged by using this access ke. How should the SysOps administrator mect these requirements? ‘A. create an Amazon Eventridge (Amazon CloueWatch Events) ul to send all AM events to an AWS Lambda function fr analysis. 8B. quory Amazon EC2 logs by using Amazon CloudWatch Logs Insights fr all events tiated with the compromised access key within th suspected timotrame, {Search AWS CioudTall event history forall events intiated withthe compromised accesskey within the Suspected timetrame , Search VPC Flow Logs forall events initiated with the compromised access key within the suspected timeframe, newer Explanation: "You cen troubleshoot operational and security indents ove the past 90 days in the Cloud console by vowing Event history” Reference: ttps/idocs.aws.amazon com/awscloudtrei/atestluserguide/view-clouctrai-eventsm| Question: 59 certyia ‘Acompany runs retail website on multiple Amazon EC2 instances behind an Application Load Balancer (ALB) The company must secure trafic tothe webste over an HTTPS connection. \Which combination of actions shea SysOpr administrator take foment these requirement (Choose twa) 1A. Attach the certiieate to each EC2 instance, B Attach the certificate tothe ALB. ©. Greate a private certificate in AWS Certificate Manager (ACM. , Create a public cortiicaten AWS Certificate Manager (ACM). Export the certificate, and attach tt the website, Answer: BD Explanation: £80 chow article about crtiestes hutpsvlwwa-sslconvbiog/tho

    You might also like