NEW QUESTION 1

A company uses AWS CloudFormation to deploy its application infrastructure Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application A SysOps administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources.
Which solution will meet these requirements?

• A. Set up an AWS Config rule to alert based on changes to any CloudFormation stack An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation
• B. Set up an Amazon CloudWatch Events event with a rule to trigger based on any CloudFormation API call An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation
• C. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update
• D. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource Names (ARNs) of the protected resources

Answer: B

NEW QUESTION 2

A company's financial department needs to view the cost details of each project in an AWS account A SysOps administrator must perform the initial configuration that is required to view cost for each project in Cost Explorer
Which solution will meet this requirement?

• A. Activate cost allocation tags Add a project tag to the appropriate resources
• B. Configure consolidated billing Create AWS Cost and Usage Reports
• C. Use AWS Budgets Create AWS Budgets reports
• D. Use cost categories to define custom groups that are based on AWS cost and usage dimensions

Answer: A

NEW QUESTION 3

A software company runs a workload on Amazon EC2 instances behind an Application Load Balancer (ALB) A SysOcs administrator needs to define a custom health check for the EC2 instances. What is the MOST operationally efficient solution?

• A. Set up each EC2 Instance so that it writes its healthy/unhealthy status into a shared Amazon S3 bucket for the ALB to read
• B. Configure the health check on the ALB and ensure that the HeathCheckPath setting s correct
• C. Set up Amazon ElasticCache to track the EC2 instances as they scale in and out
• D. Configure an Amazon API Gateway health check to ensure custom checks on aw of the EC2 instances

Answer: B

NEW QUESTION 4

A company is trying to connect two applications. One application runs in an on-premises data center that has a hostname of hostl .onprem.private. The other application runs on an Amazon EC2 instance that has a hostname of hostl.awscloud.private. An AWS Site-to-Site VPN connection is in place between the on-premises network and AWS.
The application that runs in the data center tries to connect to the application that runs on the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS resolution between on-premises and AWS resources.
Which solution allows the on-premises application to resolve the EC2 instance hostname?

• A. Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zon
• B. Associate the resolver with the VPC of the EC2 instanc
• C. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.
• D. Set up an Amazon Route 53 inbound resolver endpoin
• E. Associate the resolver with the VPC of the EC2 instanc
• F. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.
• G. Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zon
• H. Associate the resolver with the AWS Region of the EC2 instanc
• I. Configure theon-premises DNS resolver to forward onprem.private DNS queries to the outbound resolver endpoint.
• J. Set up an Amazon Route 53 outbound resolver endpoin
• K. Associate the resolver with the AWS Region of the EC2 instanc
• L. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint.

Answer: C

NEW QUESTION 5

A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times:
"** Error Establishing a Database Connection
Which of the following may be causes of the connectivity problems? {Select TWO.)

• A. The security group for the database does not have the appropriate egress rule from the database to the web server.
• B. The certificate used by the web server is not trusted by the RDS instance.
• C. The security group for the database does not have the appropriate ingress rule from the web server to the database.
• D. The port used by the application developer does not match the port specified in the RDS configuration.
• E. The database is still being created and is not available for connectivity.

Answer: CD

NEW QUESTION 6

A SysOps administrator creates two VPCs, VPC1 and VPC2, in a company’s AWS account The SysOps administrator deploys a Linux Amazon EC2 instance in VPC1 and deploys an Amazon RDS for MySQL DB instance in VPC2. The DB instance is deployed in a private subnet. An application that runs on the EC2 instance needs to connect to the database.
What should the SysOps administrator do to give the EC2 instance the ability to connect to the database?

• A. Enter the DB instance connection string into the VPC1 route table.
• B. Configure VPC peering between the two VPCs.
• C. Add the same IPv4 CIDR range for both VPCs.
• D. Connect to the DB instance by using the DB instance’s public IP address.

Answer: B

Explanation:
VPC peering allows two VPCs to communicate with each other securely. By configuring VPC peering between the two VPCs, the SysOps administrator will be able to give the EC2 instance in VPC1 the ability to connect to the database in VPC2. Once the VPC peering is configured, the EC2 instance will be able to communicate with the database using the private IP address of the DB instance in the private subnet.

NEW QUESTION 7

A company runs an application on an Amazon EC2 instance A SysOps administrator creates an Auto Scaling group and an Application Load Balancer (ALB) to handle an increase in demand However, the EC2 instances are failing tie health check.
What should the SysOps administrator do to troubleshoot this issue?

• A. Verity that the Auto Scaling group is configured to use all AWS Regions.
• B. Verily that the application is running on the protocol and the port that the listens is expecting.
• C. Verify the listener priority in the ALB Change the priority if necessary.
• D. Verify the maximum number of instances in the Auto Scaling group Change the number if necessary

Answer: B

NEW QUESTION 8

A SysOps administrator needs to develop a solution that provides email notification and inserts a record into a database every time a file is put into an Amazon S3 bucket.
What is the MOST operationally efficient solution that meets these requirements?

• A. Set up an S3 event notification that targets an Amazon Simple Notification Service (Amazon SNS) topic Create two subscriptions for the SNS topic Use one subscription to send the email notification Use the other subscription to invoke an AWS Lambda function that inserts the record into the database
• B. Set up an Amazon CloudWatch alarm that enters ALARM state whenever an object is created in the S3 bucket Configure the alarm to invoke an AWS Lambda (unction that sends the email notification and inserts the record into the database
• C. Create an AWS Lambda function to send the email notification and insert the record into the database whenever a new object is detected in the S3 bucket invoke the function every minute with an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule.
• D. Set up two S3 event notifications Target a separate AWS Lambda function with each notification Configure one function to send the email notification Configure the other function to insert the record into the database

Answer: C

NEW QUESTION 9

A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC. While reviewing the togs the SysOps administrator notices that rejected traffic is not listed.
What should the SysOps administrator do to ensure that all traffic is logged?

• A. Create a new flow tog that has a titter setting to capture all traffic
• B. Create a new flow log set the tog record format to a custom format Select the proper fields to include in the tog
• C. Edit the existing flow log Change the fitter setting to capture all traffic
• D. Edit the existing flow lo
• E. Set the log record format to a custom format Select the proper fields to include in the tog

Answer: A

NEW QUESTION 10

A SysOps administrator needs to automate the invocation of an AWS Lambda function. The Lambda function must run at the end of each day to generate a report on data that is stored in an Amazon S3 bucket.
What is the MOST operationally efficient solution that meets these requirements?

• A. Create an Amazon EventBridge {Amazon CloudWatch Events) rule that has an event pattern for Amazon S3 and the Lambda function as a target.
• B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that has a schedule and the Lambda function as a target.
• C. Create an S3 event notification to invoke the Lambda function whenever objects change in the S3 bucket.
• D. Deploy an Amazon EC2 instance with a cron job to invoke the Lambda function.

Answer: C

NEW QUESTION 11

A SysOps administrator has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. The instance also is EBS-optimized. To save costs, the SysOps administrator stops the instance each evening and restarts the instance each morning.
When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3.000 VolumeReadOps. The SysOps administrator must improve the I/O performance while ensuring data integrity.
Which action will meet these requirements?

• A. Change the instance type to a large, burstable, general purpose instance.
• B. Change the instance type to an extra large general purpose instance.
• C. Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume.
• D. Move the data that resides on the EBS volume to the instance store.

Answer: C

NEW QUESTION 12

A company is expanding its fleet of Amazon EC2 instances before an expected increase of traffic. When a SysOps administrator attempts to add more instances, an InstanceLimitExceeded error is returned.
What should the SysOps administrator do to resolve this error?

• A. Add an additional CIDR block to the VPC.
• B. Launch the EC2 instances in a different Availability Zone.
• C. Launch new EC2 instances in another VPC.
• D. Use Service Quotas to request an EC2 quota increase.

Answer: D

NEW QUESTION 13

A company is migrating its production file server to AWS. All data that is stored on the file server must remain accessible if an Availability Zone becomes unavailable or when system maintenance is performed. Users must be able to interact with the file server through the SMB protocol. Users also must have the ability to manage file permissions by using Windows ACLs.
Which solution will net these requirements?

• A. Create a single AWS Storage Gateway file gateway.
• B. Create an Amazon FSx for Windows File Server Multi-AZ file system.
• C. Deploy two AWS Storage Gateway file gateways across two Availability Zone
• D. Configure an Application Load Balancer in front of the file gateways.
• E. Deploy two Amazon FSx for Windows File Server Single-AZ 2 file system
• F. Configure Microsoft Distributed File System Replication (DFSR).

Answer: B

Explanation:
https://aws.amazon.com/fsx/windows/

NEW QUESTION 14

A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records.
What type of record should be set in Route 53 to point the website’s apex domain name (for example.company.com to the Application Load Balancer?

• A. CNAME
• B. SOA
• C. TXT
• D. ALIAS

Answer: D

NEW QUESTION 15

A recent audit found that most resources belonging to the development team were in violation of patch compliance standards The resources were properly tagged Which service should be used to quickly remediate the issue and bring the resources back into compliance?

• A. AWS Config
• B. Amazon Inspector
• C. AWS Trusted Advisor
• D. AWS Systems Manager

Answer: D

NEW QUESTION 16

A SysOps administrator is creating two AWS CloudFormation templates. The first template will create a VPC with associated resources, such as subnets, route tables, and an internet gateway. The second template will deploy application resources within the VPC that was created by the first template. The second template should refer to the resources created by the first template.
How can this be accomplished with the LEAST amount of administrative effort?

• A. Add an export field to the outputs of the first template and import the values in the second template.
• B. Create a custom resource that queries the stack created by the first template and retrieves the required values.
• C. Create a mapping in the first template that is referenced by the second template.
• D. Input the names of resources in the first template and refer to those names in the second template as a parameter.

Answer: A

Explanation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html

NEW QUESTION 17

A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys.
The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.
Which solution will securely share the AMI with the other AWS accounts?

• A. In the account where the AMI was created, create a customer master key (CMK). Modify the key policyto provide kms:DescribeKey, kms ReEncrypf, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared wit
• B. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
• C. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*. kms:CreateGrant, and kms;Decrypt permissions to the AWS accounts that the AMI will be shared wit
• D. Create a copy of the AM
• E. and specify the CM
• F. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
• G. In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescrlbeKey, kms:ReEncrypt\ kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared wit
• H. Create a copy of the AM
• I. and specify the CM
• J. Modify the permissions on the copied AMI to make it public.
• K. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescnbeKe
• L. kms:ReEncrypt\ kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared wit
• M. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.

Answer: B

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html

NEW QUESTION 18

A company hosts its website in the us-east-1 Region. The company is preparing to deploy its website into the eu-central-1 Region. Website visitors who are located in Europe should access the website that is hosted in eu-central-1. All other visitors access the website that is hosted in us-east-1. The company uses Amazon Route 53 to manage the website's DNS records.
Which routing policy should a SysOps administrator apply to the Route 53 record set to meet these requirements?

• A. Geolocation routing policy
• B. Geoproximity routing policy
• C. Latency routing policy
• D. Multivalue answer routing policy

Answer: A

Explanation:
geolocation "Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region."
Could be confused with geoproximity - "Geoproximity routing lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource" the use case is not needed as per question.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

NEW QUESTION 19
......