NEW QUESTION 1

A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.
What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?

• A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
• B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
• C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
• D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.

Answer: B

Explanation:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
If you're using AWS Organizations, check the service control policies for any statements that explicitly deny Amazon S3 access. In particular, check the service control policies for statements denying the s3:PutBucketPolicy action.
https://aws.amazon.com/tw/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/

NEW QUESTION 2

A global company handles a large amount of personally identifiable information (Pll) through an internal web portal. The company's application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the Pll in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet.
What should a SysOps administrator do to meet the compliance requirement?

• A. Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
• B. Configure AWS Network Firewall to redirect traffic to the internal S3 address.
• C. Modify the application to use the S3 path-style endpoint.
• D. Set up a range of VPC network ACLs to redirect traffic to the Internal S3 address.

Answer: B

NEW QUESTION 3

A Sysops administrator creates an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that uses AWS Fargate. The cluster is deployed successfully. The Sysops administrator needs to manage the cluster by using the kubect1 command line tool.
Which of the following must be configured on the Sysops administrator's machine so that kubect1 can communicate with the cluster API server?

• A. The kubeconfig file
• B. The kube-proxy Amazon EKS add-on
• C. The Fargate profile
• D. The eks-connector.yaml file

Answer: A

Explanation:
The kubeconfig file is a configuration file used to store cluster authentication information, which is required to make requests to the Amazon EKS cluster API server. The kubeconfig file will need to be configured on the SysOps administrator's machine in order for kubectl to be able to communicate with the cluster API server.
https://aws.amazon.com/blogs/developer/running-a-kubernetes-job-in-amazon-eks-on-aws-fargate-using-aws-ste

NEW QUESTION 4

You need to update an existing AWS CloudFormation stack. If needed, a copy to the CloudFormation template is available in an Amazon SB bucket named cloudformation-bucket
* 1. Use the us-east-2 Region for all resources.
* 2. Unless specified below, use the default configuration settings.
* 3. update the Amazon EQ instance named Devinstance by making the following changes to the stack named 1700182:
* a) Change the EC2 instance type to us-east-t2.nano.
* b) Allow SSH to connect to the EC2 instance from the IP address range 192.168.100.0/30.
* c) Replace the instance profile IAM role with IamRoleB.
* 4. Deploy the changes by updating the stack using the CFServiceR01e role.
* 5. Edit the stack options to prevent accidental deletion.
* 6. Using the output from the stack, enter the value of the Prodlnstanceld in the text box below:

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 5

A company is managing multiple AWS accounts in AWS Organizations The company is reviewing internal security of Its AWS environment The company's security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts
Which solution will meet these requirements in the MOST secure manner?

• A. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to an IAM user Share the user credentials with the security administrator
• B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions Assign the policy to an IAM user Share the user credentials with the security administrator
• C. Create an IAM policy in each developer account that has administrator access related to VPC resources Assign the policy to a cross-account IAM role Ask the security administrator to assume the role from their account
• D. Create an IAM policy m each developer account that has read-only access related to VPC resources Assign the policy to a cross-account IAM role Ask the security administrator to assume the role from their account

Answer: D

NEW QUESTION 6

A large company is using AWS Organizations to manage hundreds of AWS accounts across multiple AWS Regions. The company has turned on AWS Config throughout the organization.
The company requires all Amazon S3 buckets to block public read access. A SysOps administrator must generate a monthly report that shows all the S3 buckets and whether they comply with this requirement.
Which combination of steps should the SysOps administrator take to collect this data? {Select TWO).

• A. Create an AWS Config aggregator in an aggregator accoun
• B. Use the organization as the source.Retrieve the compliance data from the aggregator.
• C. Create an AWS Config aggregator in each accoun
• D. Use an S3 bucket in an aggregator account as the destinatio
• E. Retrieve the compliance data from the S3 bucket
• F. Edit the AWS Config policy in AWS Organization
• G. Use the organization's management account to turn on the s3-bucket-public-read-prohibited rule for the entire organization.
• H. Use the AWS Config compliance report from the organization's management accoun
• I. Filter the results by resource, and select Amazon S3.
• J. Use the AWS Config API to apply the s3-bucket-public-read-prohibited rule in all accounts for all available Regions.

Answer: CD

NEW QUESTION 7

A company's SysOps administrator needs to change the AWS Support plan for one of the company's AWS accounts. The account has multi-factor authentication (MFA) activated, and the MFA device is lost.
What should the SysOps administrator do to sign in?

• A. Sign in as a root user by using email and phone verificatio
• B. Set up a new MFA devic
• C. Change the root user password.
• D. Sign in as an 1AM user with administrator permission
• E. Resynchronize the MFA token by using the 1AM console.
• F. Sign in as an 1AM user with administrator permission
• G. Reset the MFA device for the root user by adding a new device.
• H. Use the forgot-password process to verify the email addres
• I. Set up a new password and MFA device.

Answer: A

NEW QUESTION 8

An organization with a large IT department has decided to migrate to AWS With different job functions in the IT department it is not desirable to give all users access to all AWS resources Currently the organization handles access via LDAP group membership
What is the BEST method to allow access using current LDAP credentials?

• A. Create an AWS Directory Service Simple AD Replicate the on-premises LDAP directory to Simple AD
• B. Create a Lambda function to read LDAP groups and automate the creation of IAM users
• C. Use AWS CloudFormation to create IAM roles Deploy Direct Connect to allow access to the on-premises LDAP server
• D. Federate the LDAP directory with IAM using SAML Create different IAM roles to correspond to different LDAP groups to limit permissions

Answer: D

NEW QUESTION 9

A company is using Amazon Elastic File System (Amazon EFS) to share a file system among several Amazon EC2 instances. As usage increases, users report that file retrieval from the EFS file system is slower than normal.
Which action should a SysOps administrator take to improve the performance of the file system?

• A. Configure the file system for Provisioned Throughput.
• B. Enable encryption in transit on the file system.
• C. Identify any unused files in the file system, and remove the unused files.
• D. Resize the Amazon Elastic Block Store (Amazon EBS) volume of each of the EC2 instances.

Answer: A

NEW QUESTION 10

A company has a new requirement stating that all resources In AWS must be tagged according to a set policy. Which AWS service should be used to enforce and continually Identify all resources that are not in compliance with the policy?

• A. AWS CloudTrail
• B. Amazon Inspector
• C. AWS Config
• D. AWS Systems Manager

Answer: C

NEW QUESTION 11

A SysOps administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company’s account. The administrator must be alerted to potential issues.
What should the administrator do to receive email alerts before low storage space affects EC2 instance performance?

• A. Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications
• B. Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic.
• C. Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic.
• D. Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space

Answer: C

NEW QUESTION 12

A company's VPC has connectivity to an on-premises data center through an AWS Site-to-Site VPN. The company needs Amazon EC2 instances in the VPC to send DNS queries for example com to the DNS servers in the data center.
Which solution will meet these requirements?

• A. Create an Amazon Route 53 Resolver inbound endpoint Create a conditional forwarding rule on the on-primes DNS servers to forward DNS requests for example.com to the inbound endpoints.
• B. Create an Amazon Route 53 Resolver inbound endpoint Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS server
• C. Associate this rule with the VPC.
• D. Create an Amazon Route 53 Resolver outbound endpoint Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the outbound endpoints
• E. Create an Amazon Route 53 Resolver outbound endpoin
• F. Create a forwarding rule on the resolver that sends all queries for exarrc4e.com to the on-premises DNS servers Associate this rule with the VPC.

Answer: C

NEW QUESTION 13

A company is planning to host its stateful web-based applications on AWS A SysOps administrator is using an Auto Scaling group of Amazon EC2 instances The web applications will run 24 hours a day 7 days a week throughout the year The company must be able to change the instance type within the same instance family later in the year based on the traffic and usage patterns
Which EC2 instance purchasing option will meet these requirements MOST cost-effectively?

• A. Convertible Reserved Instances
• B. On-Demand instances
• C. Spot instances
• D. Standard Reserved instances

Answer: A

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-convertible-exchange.html

NEW QUESTION 14

A SysOps administrator receives notification that an application that is running on Amazon EC2 instances has failed to authenticate to an Amazon RDS database To troubleshoot, the SysOps administrator needs to investigate AWS Secrets Manager password rotation
Which Amazon CloudWatch log will provide insight into the password rotation?

• A. AWS CloudTrail logs
• B. EC2 instance application logs
• C. AWS Lambda function logs
• D. RDS database logs

Answer: B

NEW QUESTION 15

A data storage company provides a service that gives users the ability to upload and download files as needed. The files are stored in Amazon S3 Standard and must be immediately retrievable for 1 year. Users access files frequently during the first 30 days after the files are stored. Users rarely access files after 30 days.
The company's SysOps administrator must use S3 Lifecycle policies to implement a solution that maintains object availability and minimizes cost.
Which solution will meet these requirements?

• A. Move objects to S3 Glacier after 30 days.
• B. Move objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days.
• C. Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
• D. Move objects to S3 Standard-Infrequent Access (S3 Standard-IA) immediately.

Answer: C

Explanation:
https://aws.amazon.com/s3/storage-classes/

NEW QUESTION 16

A team of On-call engineers frequently needs to connect to Amazon EC2 Instances In a private subnet to troubleshoot and run commands. The Instances use either the latest AWS-provided Windows Amazon Machine Images (AMIs) or Amazon Linux AMIs.
The team has an existing IAM role for authorization. A SysOps administrator must provide the team with
access to the Instances by granting IAM permissions to this Which solution will meet this requirement?

• A. Add a statement to the IAM role policy to allow the ssm:StartSession action on the instance
• B. Instruct the team to use AWS Systems Manager Session Manager to connect to the Instances by using the assumed IAM role.
• C. Associate an Elastic IP address and a security group with each instanc
• D. Add the engineers' IP addresses to the security group inbound rule
• E. Add a statement to the IAM role policy to allow the ec2:AuthoflzeSecurityGroupIngress action so that the team can connect to the Instances.
• F. Create a bastion host with an EC2 Instance, and associate the bastion host with the VP
• G. Add a statement to the IAM role policy to allow the ec2:CreateVpnConnection action on the bastion hos
• H. Instruct the team to use the bastion host endpoint to connect to the instances.D Create an internet-facing Network Load Balance
• I. Use two listener
• J. Forward port 22 to a target group of Linux instance
• K. Forward port 3389 to a target group of Windows Instance
• L. Add a statement to the IAM role policy to allow the ec2:CreateRoute action so that the team can connect to the Instances.

Answer: A

NEW QUESTION 17

A company must migrate its applications to AWS The company is using Chef recipes for configuration management The company wants to continue to use the existing Chef recipes after the applications are migrated to AWS.
What is the MOST operationally efficient solution that meets these requirements?

• A. Use AWS Cloud Format ion to create an Amazon EC2 instance, install a Chef server, and add Chefrecipes.
• B. Use AWS CloudFormation to create a stack and add layers for Chef recipes.
• C. Use AWS Elastic Beanstalk with the Docker platform to upload Chef recipes.
• D. Use AWS OpsWorks to create a stack and add layers with Chef recipes.

Answer: D

NEW QUESTION 18

A company has an application that customers use to search for records on a website. The application's data is stored in an Amazon Aurora DB cluster. The application's usage varies by season and by day of the week.
The website's popularity is increasing, and the website is experiencing slower performance because of increased load on the DB cluster during periods of peak activity. The application logs show that the performance issues occur when users are searching for information. The same search is rarely performed multiple times.
A SysOps administrator must improve the performance of the platform by using a solution that maximizes resource efficiency.
Which solution will meet these requirements?

• A. Deploy an Amazon ElastiCache for Redis cluster in front of the DB cluste
• B. Modify the application to check the cache before the application issues new queries to the databas
• C. Add the results of any queries to the cache.
• D. Deploy an Aurora Replica for the DB cluste
• E. Modify the application to use the reader endpoint for search operation
• F. Use Aurora Auto Scaling to scale the number of replicas based on loa
• G. Most Voted
• H. Use Provisioned IOPS on the storage volumes that support the DB cluster to improve performance sufficiently to support the peak load on the application.
• I. Increase the instance size in the DB cluster to a size that is sufficient to support the peak load on the applicatio
• J. Use Aurora Auto Scaling to scale the instance size based on load.

Answer: B

Explanation:
https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/aurora-replicas-adding.html

NEW QUESTION 19
......