NEW QUESTION 1

An environment consists of 100 Amazon EC2 Windows instances The Amazon CloudWatch agent Is deployed and running on at EC2 instances with a baseline configuration file to capture log files There is a new requirement to capture the DHCP tog tiles that exist on 50 of the instances
What is the MOST operational efficient way to meet this new requirement?

• A. Create an additional CloudWatch agent configuration file to capture the DHCP logs Use the AWS Systems Manager Run Command to restart the CloudWatch agent on each EC2 instance with the append-config option to apply the additional configuration file
• B. Log in to each EC2 instance with administrator rights Create a PowerShell script to push the needed baseline log files and DHCP log files to CloudWatch
• C. Run the CloudWatch agent configuration file wizard on each EC2 instance Verify that the base the log files are included and add the DHCP tog files during the wizard creation process
• D. Run the CloudWatch agent configuration file wizard on each EC2 instance and select the advanced detail leve
• E. This wifi capture the operating system log files.

Answer: A

NEW QUESTION 2

A company has multiple Amazon EC2 instances that run a resource-intensive application in a development environment. A SysOps administrator is implementing a solution to stop these EC2 instances when they are not in use.
Which solution will meet this requirement?

• A. Assess AWS CloudTrail logs to verify that there is no EC2 API activit
• B. Invoke an AWS Lambda function to stop the EC2 instances.
• C. Create an Amazon CloudWatch alarm to stop the EC2 instances when the average CPU utilization is lower than 5% for a 30-minute period.
• D. Create an Amazon CloudWatch metric to stop the EC2 instances when the VolumeReadBytes metric is lower than 500 for a 30-minute period.
• E. Use AWS Config to invoke an AWS Lambda function to stop the EC2 instances based on resource configuration changes.

Answer: B

Explanation:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html#AddingStopActi

NEW QUESTION 3

A company uses AWS Cloud Formation templates to deploy cloud infrastructure. An analysis of all the company's templates shows that the company has declared the same components in multiple templates. A SysOps administrator needs to create dedicated templates that have their own parameters and conditions for these common components.
Which solution will meet this requirement?

• A. Develop a CloudFormaiion change set.
• B. Develop CloudFormation macros.
• C. Develop CloudFormation nested stacks.
• D. Develop CloudFormation stack sets.

Answer: C

NEW QUESTION 4

A SysOps administrator developed a Python script that uses the AWS SDK to conduct several maintenance tasks. The script needs to run automatically every night.
What is the MOST operationally efficient solution that meets this requirement?

• A. Convert the Python script to an AWS Lambda (unctio
• B. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the function every night.
• C. Convert the Python script to an AWS Lambda functio
• D. Use AWS CloudTrail to invoke the function every night.
• E. Deploy the Python script to an Amazon EC2 Instanc
• F. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule the instance to start and stop every night.
• G. Deploy the Python script to an Amazon EC2 instanc
• H. Use AWS Systems Manager to schedule the instance to start and stop every night.

Answer: A

NEW QUESTION 5

A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private signets. The company's security policy requires all ECS instances to be deployed in private subnets
What should a SysOps administrator do to meet those requirements?

• A. Add an internet gateway to the VPC In the route table for the private subnets, odd a route to the interne; gateway.
• B. Add a NAT gateway to a private subne
• C. In the route table for the private subnets, add a route to the NAT gateway.
• D. Add a NAT gateway to a public subnet in the route table for the private subnets, add a route to the NAT gateway.
• E. Add two internet gateways to the VP
• F. In The route tablet for the private subnets and public subnets, add a route to each internet gateway.

Answer: C

NEW QUESTION 6

The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in use and the total available IAM policies.
Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?

• A. AWS Trusted Advisor
• B. Amazon Inspector
• C. AWS Config
• D. AWS Organizations

Answer: A

NEW QUESTION 7

A company has attached the following policy to an IAM user:


Which of the following actions are allowed for the IAM user?

• A. Amazon RDS DescribeDBInstances action in the us-east-1 Region
• B. Amazon S3 Putobject operation in a bucket named testbucket
• C. Amazon EC2 Describe Instances action in the us-east-1 Region
• D. Amazon EC2 AttachNetworkinterf ace action in the eu-west-1 Region

Answer: C

NEW QUESTION 8

A company requires that all IAM user accounts that have not been used for 90 days or more must have their access keys and passwords immediately disabled A SysOps administrator must automate the process of disabling unused keys using the MOST operationally efficient method.
How should the SysOps administrator implement this solution?

• A. Create an AWS Step Functions workflow to identify IAM users that have not been active for 90 days Run an AWS Lambda function when a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule is invoked to automatically remove the AWS access keys and passwords for these IAM users
• B. Configure an AWS Config rule to identify IAM users that have not been active for 90 days Set up an automatic weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for these IAM users
• C. Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users that have not been active for 90 days Automatically delete these 1AM users
• D. Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users

Answer: D

NEW QUESTION 9

A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded: however, upon navigating to the site, the following error message is received:
403 Forbidden - Access Denied
What change should be made to fix this error?

• A. Add a bucket policy that grants everyone read access to the bucket.
• B. Add a bucket policy that grants everyone read access to the bucket objects.
• C. Remove the default bucket policy that denies read access to the bucket.
• D. Configure cross-origin resource sharing (CORS) on the bucket.

Answer: B

NEW QUESTION 10

A large company is using AWS Organizations to manage its multi-account AWS environment. According to company policy, all users should have read-level access to a particular Amazon S3 bucket in a central account. The S3 bucket data should not be available outside the organization. A SysOps administrator must set up the permissions and add a bucket policy to the S3 bucket.
Which parameters should be specified to accomplish this in the MOST efficient manner?

• A. Specify '*' as the principal and PrincipalOrgld as a condition.
• B. Specify all account numbers as the principal.
• C. Specify PrincipalOrgld as the principal.
• D. Specify the organization's management account as the principal.

Answer: C

NEW QUESTION 11

A SysOps administrator is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon S3. The domain name of the website is www.anycompany.com and the S3 bucket name is anycompany-static. After the record set is set up in Route 53, the domain name www.anycompany.com does not seem to work, and the static website is not displayed in the browser.
Which of the following is a cause of this?

• A. The S3 bucket must be configured with Amazon CloudFront first.
• B. The Route 53 record set must have an IAM role that allows access to the S3 bucket.
• C. The Route 53 record set must be in the same region as the S3 bucket.
• D. The S3 bucket name must match the record set name in Route 53.

Answer: D

NEW QUESTION 12

A SysOps administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the internet.
Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)

• A. Add a NAT gateway to a public subnet.
• B. Attach a private address to the elastic network interface on the EC2 instance.
• C. Attach an Elastic IP address to the internet gateway.
• D. Add an entry to the route table for the subnet that points to an internet gateway.
• E. Create an internet gateway and attach it to a VPC.

Answer: DE

Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html

NEW QUESTION 13

A company needs to restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only. All traffic must be over the AWS private network.
What actions should the SysOps administrator take to meet these requirements?

• A. Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
• B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
• C. Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket.
• D. Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway.

Answer: B

Explanation:
While IAM policy (letter A) also can be used, it does not enforce everyone. The only option that enforces everyone is policy configured directly in the bucket S3.

NEW QUESTION 14

A SysOps administrator wants to upload a file that is 1 TB in size from on-premises to an Amazon S3 bucket using multipart uploads. What should the SysOps administrator do to meet this requirement?

• A. Upload the file using the S3 console.
• B. Use the s3api copy-object command.
• C. Use the s3api put-object command.
• D. Use the s3 cp command.

Answer: D

Explanation:
It's a best practice to use aws s3 commands (such as aws s3 cp) for multipart uploads and downloads, because these aws s3 commands automatically perform multipart uploading and downloading based on the file size. By comparison, aws s3api commands, such as aws s3api create-multipart-upload, should be used only when aws s3 commands don't support a specific upload need, such as when the multipart upload involves multiple servers, a multipart upload is manually stopped and resumed later, or when the aws s3 command doesn't support a required request parameter.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-multipart-upload-cli/

NEW QUESTION 15

A SysOps administrator is unable to launch Amazon EC2 instances into a VPC because there are no available private IPv4 addresses in the VPC. Which combination of actions must the SysOps administrator take to launch the instances? (Select TWO.)

• A. Associate a secondary IPv4 CIDR block with the VPC
• B. Associate a primary IPv6 CIDR block with the VPC
• C. Create a new subnet for the VPC
• D. Modify the CIDR block of the VPC
• E. Modify the CIDR block of the subnet that is associated with the instances

Answer: AD

NEW QUESTION 16

A company has a policy that requires all Amazon EC2 instances to have a specific set of tags. If an EC2 instance does not have the required tags, the noncompliant instance should be terminated.
What is the MOST operationally efficient solution that meets these requirements?

• A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all EC2 instance state changes to an AWS Lambda function to determine if each instance is complian
• B. Terminate any noncompliant instances.
• C. Create an IAM policy that enforces all EC2 instance tag requirement
• D. If the required tags are not in place for an instance, the policy will terminate noncompliant instance.
• E. Create an AWS Lambda function to determine if each EC2 instance is compliant and terminate an instance if it is noncomplian
• F. Schedule the Lambda function to invoke every 5 minutes.
• G. Create an AWS Config rule to check if the required tags are presen
• H. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.

Answer: D

Explanation:
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html

NEW QUESTION 17

A company is partnering with an external vendor to provide data processing services. For this integration, the vendor must host the company's data in an Amazon S3 bucket in the vendor's AWS account. The vendor is allowing the company to provide an AWS Key Management Service (AWS KMS) key to encrypt the company's data. The vendor has provided an IAM role Amazon Resource Name (ARN) to the company for this integration.
What should a SysOps administrator do to configure this integration?

• A. Create a new KMS ke
• B. Add the vendor's IAM role ARN to the KMS key polic
• C. Provide the new KMS key ARN to the vendor.
• D. Create a new KMS ke
• E. Create a new IAM use
• F. Add the vendor's IAM role ARN to an inline policy that is attached to the IAM use
• G. Provide the new IAM user ARN to the vendor.
• H. Configure encryption using the KMS managed S3 ke
• I. Add the vendor's IAM role ARN to the KMS managed S3 key polic
• J. Provide the KMS managed S3 key ARN to the vendor.
• K. Configure encryption using the KMS managed S3 ke
• L. Create an S3 bucke
• M. Add the vendor's IAM role ARN to the S3 bucket polic
• N. Provide the S3 bucket ARN to the vendor.

Answer: C

NEW QUESTION 18

A SysOps administrator is testing an application mat is hosted on five Amazon EC2 instances The instances run in an Auto Scaling group behind an Application Load Balancer (ALB) High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out.
Which action should the SysOps administrator take to meet these requirements?

• A. Enable instance scale-in protection.
• B. Place the instance into the Standby stale.
• C. Remove the listener from the ALB
• D. Suspend the Launch and Terminate process types.

Answer: A

NEW QUESTION 19
......