NEW QUESTION 1

A company migrated an I/O intensive application to an Amazon EC2 general purpose instance. The EC2 instance has a single General Purpose SSD Amazon Elastic Block Store (Amazon EBS) volume attached.
Application users report that certain actions that require intensive reading and writing to the disk are taking much longer than normal or are failing completely. After reviewing the performance metrics of the EBS volume, a SysOps administrator notices that the VolumeQueueLength metric is consistently high during the same times in which the users are reporting issues. The SysOps administrator needs to resolve this problem to restore full performance to the application.
Which action will meet these requirements?

• A. Modify the instance type to be storage optimized.
• B. Modify the volume properties by deselecting Auto-Enable Volume 10.
• C. Modify the volume properties to increase the IOPS.
• D. Modify the instance to enable enhanced networking.

Answer: C

NEW QUESTION 2

An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application.
What is the MOST scalable storage solution to fulfill this requirement?

• A. Connect a large Amazon EBS volume to multiple instances and schedule snapshots.
• B. Deploy Amazon EFS in the VPC and create mount targets in multiple subnets.
• C. Launch an EC2 instance and share data using SMB/CIFS or NFS.
• D. Deploy an AWS Storage Gateway cached volume on Amazon EC2.

Answer: B

NEW QUESTION 3

An Amazon S3 Inventory report reveals that more than 1 million objects in an S3 bucket are not encrypted These objects must be encrypted, and all future objects must be encrypted at the time they are written
Which combination of actions should a SysOps administrator take to meet these requirements? (Select TWO )

• A. Create an AWS Config rule that runs evaluations against configuration changes to the S3 bucket When an unencrypted object is found run an AWS Systems Manager Automation document to encrypt the object in place
• B. Edit the properties of the S3 bucket to enable default server-side encryption
• C. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted Create an S3 Batch Operations job to copy each object in place with en cryption enabled
• D. Filter the S3 Inventory report by using S3 Select to find all objects that are not encrypted Send each object name as a message to an Amazon Simple Queue Service (Amazon SQS) queue Use the SQS queue to invoke an AWS Lambda function to tag each object with a key of "Encryption" and a value of "SSE-KMS"
• E. Use S3 Event Notifications to invoke an AWS Lambda function on all new object-created events for the S3 bucket Configure the Lambda function to check whether the object is encrypted and to run an AWS Systems Manager Automation document to encrypt the object in place when an unencrypted object is found

Answer: BC

Explanation:
https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

NEW QUESTION 4

A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts.
Which solution will meet these requirements?

• A. Purchase RIs in individual member account
• B. Disable Rl discount sharing in the management account.
• C. Purchase RIs in individual member account
• D. Disable Rl discount sharing in the member accounts.
• E. Purchase RIs in the management accoun
• F. Disable Rl discount sharing in the management account.
• G. Purchase RIs in the management accoun
• H. Disable Rl discount sharing in the member accounts.

Answer: A

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ri-consolidated-billing/
RI discounts apply to accounts in an organization's consolidated billing family depending upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account. The capacity reservation for an RI applies only to the account the RI was purchased on, no matter whether RI sharing is turned on or off.

NEW QUESTION 5

A company is running an application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are launched by an Auto Scaling group and are automatically registered in a target group. A SysOps administrator must set up a notification to alert application owners when targets fail health checks.
What should the SysOps administrator do to meet these requirements?

• A. Create an Amazon CloudWatch alarm on the UnHealthyHostCount metri
• B. Configure an action to send an Amazon Simple Notification Service (Amazon SNS) notification when the metric is greater than 0.
• C. Configure an Amazon EC2 Auto Scaling custom lifecycle action to send an Amazon Simple Notification Service (Amazon SNS) notification when an instance is in the Pending:Wait state.
• D. Update the Auto Scaling grou
• E. Configure an activity notification to send an Amazon Simple Notification Service (Amazon SNS) notification for the Unhealthy event type.
• F. Update the ALB health check to send an Amazon Simple Notification Service (Amazon SNS) notification when an instance is unhealthy.

Answer: A

NEW QUESTION 6

A SysOps administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet.

What should be added to the private subnet's route table in order to address this issue, given the information provided?

• A. 0.0.0.0/0 IGW
• B. 0.0.0.0/0 NAT
• C. 10.0.1.0/24 IGW
• D. 10.0.1.0/24 NAT

Answer: B

NEW QUESTION 7

A company creates a new member account by using AWS Organizations. A SysOps administrator needs to add AWS Business Support to the new account
Which combination of steps must the SysOps administrator take to meet this requirement? (Select TWO.)

• A. Sign in to the new account by using 1AM credential
• B. Change the support plan.
• C. Sign in to the new account by using root user credential
• D. Change the support plan.
• E. Use the AWS Support API to change the support plan.
• F. Reset the password of the account root user.
• G. Create an IAM user that has administrator privileges in the new account.

Answer: BE

Explanation:
The best combination of steps to meet this requirement is to sign in to the new account by using root user credentials and change the support plan, and to create an IAM user that has administrator privileges in the new account.
Signing in to the new account by using root user credentials will allow the SysOps administrator to access the account and change the support plan to AWS Business Support. Additionally, creating an IAM user that has administrator privileges in the new account will ensure that the SysOps administrator has the necessary access to manage the account and make changes to the support plan if necessary.
Reference:
[1] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_ma

NEW QUESTION 8

A development team recently deployed a new version of a web application to production After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data
Which AWS service will mitigate this issue?

• A. AWS Shield Standard
• B. AWS WAF
• C. Elastic Load Balancing
• D. Amazon Cognito

Answer: B

Explanation:
https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

NEW QUESTION 9

While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it.
What address should be used to create the customer gateway resource?

• A. The private IP address of the customer gateway device
• B. The MAC address of the NAT device in front of the customer gateway device
• C. The public IP address of the customer gateway device
• D. The public IP address of the NAT device in front of the customer gateway device

Answer: D

NEW QUESTION 10

A company has an application that runs only on Amazon EC2 Spot Instances. The instances run in an Amazon EC2 Auto Scaling group with scheduled scaling actions.
However, the capacity does not always increase at the scheduled times, and instances terminate many times a day. A Sysops administrator must ensure that the instances launch on time and have fewer interruptions.
Which action will meet these requirements?

• A. Specify the capacity-optimized allocation strategy for Spot Instance
• B. Add more instance types to the Auto Scaling group.
• C. Specify the capacity-optimized allocation strategy for Spot Instance
• D. Increase the size of the instances in the Auto Scaling group.
• E. Specify the lowest-price allocation strategy for Spot Instance
• F. Add more instance types to the Auto Scaling group.
• G. Specify the lowest-price allocation strategy for Spot Instance
• H. Increase the size of the instances in the Auto Scaling group.

Answer: A

Explanation:
Specifying the capacity-optimized allocation strategy for Spot Instances and adding more instance types to the Auto Scaling group is the best action to meet the requirements. Increasing the size of the instances in the Auto Scaling group will not necessarily help with the launch time or reduce interruptions, as the Spot Instances could still be interrupted even with larger instance sizes.

NEW QUESTION 11

A company hosts a website on multiple Amazon EC2 instances that run in an Auto Scaling group. Users are reporting slow responses during peak times between 6 PM and 11 PM every weekend. A SysOps administrator must implement a solution to improve performance during these peak times.
What is the MOST operationally efficient solution that meets these requirements?

• A. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to increase the desired capacity before peak times.
• B. Configure a scheduled scaling action with a recurrence option to change the desired capacity before and after peak times.
• C. Create a target tracking scaling policy to add more instances when memory utilization is above 70%.
• D. Configure the cooldown period for the Auto Scaling group to modify desired capacity before and after peak times.

Answer: B

Explanation:
"Scheduled scaling helps you to set up your own scaling schedule according to predictable load changes. For example, let's say that every week the traffic to your web application starts to increase on Wednesday, remains high on Thursday, and starts to decrease on Friday. You can configure a schedule for Amazon EC2 Auto Scaling to increase capacity on Wednesday and decrease capacity on Friday." https://docs.aws.amazon.com/autoscaling/ec2/userguide/schedule_time.html

NEW QUESTION 12

A SysOps administrator is creating an Amazon EC2 Auto Scaling group in a new AWS account. After adding some instances, the SysOps administrator notices that the group has not reached the minimum number of instances. The SysOps administrator receives the following error message:

Which action will resolve this issue?

• A. Adjust the account spending limits for Amazon EC2 on the AWS Billing and Cost Management console
• B. Modify the EC2 quota for that AWS Region in the EC2 Settings section of the EC2 console.
• C. Request a quota Increase for the Instance type family by using Service Quotas on the AWS Management Console.
• D. Use the Rebalance action In the Auto Scaling group on the AWS Management Console.

Answer: C

NEW QUESTION 13

A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company's security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.
Which solution will meet these requirements in the MOST secure manner?

• A. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to an IAM use
• B. Share the user credentials with the security administrator.
• C. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC action
• D. Assign the policy to an IAMuse
• E. Share the user credentials with the security administrator.
• F. Create an IAM policy in each developer account that has administrator access related to VPC resources.Assign the policy to a cross-account IAM rol
• G. Ask the security administrator to assume the role from their account.
• H. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to a cross-account IAM role Ask the security administrator to assume the role from their account.

Answer: D

NEW QUESTION 14

A SysOps Administrator runs a web application that is using a microservices approach whereby different responsibilities of the application have been divided in a separate microservice running on a different Amazon EC2 instance. The administrator has been tasked with reconfiguring the infrastructure to support this approach.
How can the administrator accomplish this with the LEAST administrative overhead?

• A. Use Amazon CloudFront to log the URL and forward the request.
• B. Use Amazon CloudFront to rewrite the header based on the microservice and forward the request.
• C. Use an Application Load Balancer (ALB) and do path-based routing.
• D. Use a Network Load Balancer (NLB) and do path-based routing.

Answer: C

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/elb-achieve-path-based-routing-alb/

NEW QUESTION 15

A company has a high-performance Windows workload. The workload requires a storage volume mat provides consistent performance of 10.000 KDPS. The company does not want to pay for additional unneeded capacity to achieve this performance.
Which solution will meet these requirements with the LEAST cost?

• A. Use a Provisioned IOPS SSD (lol) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10.000 provisioned IOPS
• B. Use a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10.000 provisioned IOPS.
• C. Use an Amazon Elastic File System (Amazon EFS) file system w\ Max I/O mode.
• D. Use an Amazon FSx for Windows Fife Server foe system that is configured with 10.000 IOPS

Answer: A

NEW QUESTION 16

A company is tunning a website on Amazon EC2 instances thai are in an Auto Scaling group When the website traffic increases, additional instances lake several minutes to become available because ot a
long-running user data script that installs software A SysOps administrator must decrease the time that is required (or new instances to become available
Which action should the SysOps administrator take to meet this requirement?

• A. Reduce the scaling thresholds so that instances are added before traffic increases
• B. Purchase Reserved Instances to cover 100% of the maximum capacity of the Auto Scaling group
• C. Update the Auto Scaling group to launch instances that have a storage optimized instance type
• D. Use EC2 Image Builder to prepare an Amazon Machine Image (AMI) that has pre-installed software

Answer: D

Explanation:
automated way to update your image. Have a pipeline to update your image. When you boot from your AMI updates = scrits are already pre-installed, so no need to complete boot scripts in boot process. https://aws.amazon.com/image-builder/

NEW QUESTION 17

A company's web application is available through an Amazon CloudFront distribution and directly through an internet-facing Application Load Balancer (ALB) A SysOps administrator must make the application accessible only through the CloudFront distribution and not directly through the ALB. The SysOps administrator must make this change without changing the application code
Which solution will meet these requirements?

• A. Modify the ALB type to internal Set the distribution's origin to the internal ALB domain name
• B. Create a Lambda@Edge function Configure the function to compare a custom header value in the request with a stored password and to forward the request to the origin in case of a match Associate the function with the distribution.
• C. Replace the ALB with a new internal ALB Set the distribution's origin to the internal ALB domain name Add a custom HTTP header to the origin settings for the distribution In the ALB listener add a rule to forward requests that contain the matching custom header and the header's value Add a default rule to return a fixed response code of 403.
• D. Add a custom HTTP header to the origin settings for the distribution in the ALB listener add a rule to forward requests that contain the matching custom header and the header's value Add a default rule to return a fixed response code of 403.

Answer: D

Explanation:
To make the application accessible only through the CloudFront distribution and not directly through the Application Load Balancer (ALB), you can add a custom HTTP header to the origin settings for the CloudFront distribution. You can then create a rule in the ALB listener to forward requests that contain the matching custom header and its value to the origin. You can also add a default rule to the ALB listener to return a fixed response code of 403 for requests that do not contain the matching custom header. This will allow you to redirect all requests to the CloudFront distribution and block direct access to the application through the ALB.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

NEW QUESTION 18

A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance A SysOps administrator must update the template to ensure that the DB instance is created before the EC2 instance is launched
What should the SysOps administrator do to meet this requirement?

• A. Add a wait condition to the template Update the EC2 instance user data script to send a signal after the EC2 instance is started
• B. Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource
• C. Change the order of the resources in the template so that the RDS resource is listed before the EC2 instance resource
• D. Create multiple templates Use AWS CloudFormation StackSets to wait for one stack to complete before the second stack is created

Answer: B

Explanation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html Syntax The DependsOn attribute can take a single string or list of strings. "DependsOn" : [ String, ... ]
Example The following template contains an AWS::EC2::Instance resource with a DependsOn attribute that specifies myDB, an AWS::RDS::DBInstance. When CloudFormation creates this stack, it first creates myDB, then creates Ec2Instance.

NEW QUESTION 19
......