NEW QUESTION 1

A user working in the Amazon EC2 console increased the size of an Amazon Elastic Block Store (Amazon EBS) volume attached to an Amazon EC2 Windows instance. The change is not reflected in the file system.
What should a SysOps administrator do to resolve this issue?

• A. Extend the file system with operating system-level tools to use the new storage capacity.
• B. Reattach the EBS volume to the EC2 instance.
• C. Reboot the EC2 instance that is attached to the EBS volume.
• D. Take a snapshot of the EBS volum
• E. Replace the original volume with a volume that is created from the snapshot.

Answer: B

NEW QUESTION 2

A SysOps administrator has used AWS Cloud Formation to deploy a sereness application into a production VPC. The application consists of an AWS Lambda function, an Amazon DynamoOB table, and an Amazon API Gateway API. The SysOps administrator must delete the AWS Cloud Formation stack without deleting the DynamoOB table.
Which action should the SysOps administrator take before deleting the AWS Cloud Formation stack?

• A. Add a Retain deletion policy to the DynamoOB resource in the AWS CloudFormation stack.
• B. Add a Snapshot deletion policy to the DynamoOB resource In the AWS CloudFormation stack.
• C. Enable termination protection on the AWS Cloud Formation stack.
• D. Update the application's IAM policy with a Deny statement for the dynamodb:DeleteTabie action.

Answer: A

NEW QUESTION 3

A SysOps administrator needs to delete an AWS CloudFormation stack that is no longer in use. The CloudFormation stack is in the DELETE_FAILED state. The SysOps administrator has validated the permissions that are required to delete the Cloud Formation stack.

• A. The configured timeout to delete the stack was too low for the delete operation to complete.
• B. The stack contains nested stacks that must be manually deleted fast.
• C. The stack was deployed with the -disable rollback option.
• D. There are additional resources associated with a security group in the stack
• E. There are Amazon S3 buckets that still contain objects in the stack.

Answer: DE

NEW QUESTION 4

A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancer (ELB). The company's security team wants to protect the website by using AWS Certificate Manager (ACM) certificates The ELB must automatically redirect any HTTP requests to HTTPS
Which solution will meet these requirements?

• A. Create an Application Load Balancer that has one HTTPS listener on port 80 Attach an SSLTLS certificate to listener port 80 Create a rule to redirect requests from HTTP to HTTPS
• B. Create an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS protocol listener on port 443 Attach an SSL TLS certificate to listener port 443 Create a rule to redirect requests from port 80 to port 443
• C. Create an Application Load Balancer that has two TCP listeners on port 80 and port 443 Attach an SSLTLS certificate to listener port 443 Create a rule to redirect requests from port 80 to port 443
• D. Create a Network Load Balancer that has two TCP listeners on port 80 and port 443 Attach an SSLTLS certificate to listener port 443 Create a rule to redirect requests from port 80 to port 443

Answer: B

NEW QUESTION 5

A company needs to view a list of security groups that are open to the internet on port 3389. What should a SysOps administrator do to meet this requirement?

• A. Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.
• B. Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389.
• C. Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.
• D. Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389

Answer: D

NEW QUESTION 6

A company plans to migrate several of its high performance computing (MPC) virtual machines (VMs) to Amazon EC2 instances on AWS. A SysOps administrator must identify a placement group for this deployment. The strategy must minimize network latency and must maximize network throughput between the HPC VMs.
Which strategy should the SysOps administrator choose to meet these requirements?

• A. Deploy the instances in a cluster placement group in one Availability Zone.
• B. Deploy the instances in a partition placement group in two Availability Zones
• C. Deploy the instances in a partition placement group in one Availability Zone
• D. Deploy the instances in a spread placement group in two Availably Zones

Answer: A

NEW QUESTION 7

A company wants to use only IPv6 for all its Amazon EC2 instances. The EC2 instances must not be accessible from the internet, but the EC2 instances must be able to access the internet. The company creates a dual-stack VPC and IPv6-only subnets.
How should a SysOps administrator configure the VPC to meet these requirements?

• A. Create and attach a NAT gatewa
• B. Create a custom route table that includes an entry to point all IPv6 traffic to the NAT gatewa
• C. Attach the custom route table to the IPv6-only subnets.
• D. Create and attach an internet gatewa
• E. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gatewa
• F. Attach the custom route table to the IPv6-only subnets.
• G. Create and attach an egress-only internet gatewa
• H. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gatewa
• I. Attach the custom route table to the IPv6-only subnets.
• J. Create and attach an internet gateway and a NAT gatewa
• K. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway and all IPv4 traffic to the NAT gatewa
• L. Attach thecustom route table to the IPv6-only subnets.

Answer: C

NEW QUESTION 8

An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. What is likely to be the problem?

• A. The Amazon Machine image used is not available in that region.
• B. The AWS CloudFormation template needs to be updated to the latest version.
• C. The VPC configuration parameters have changed and must be updated in the template.
• D. The account has reached the default limit for VPCs allowed.

Answer: D

NEW QUESTION 9

A company needs to archive all audit logs for 10 years. The company must protect the logs from any future edits.
Which solution will meet these requirements?

• A. Store the data in an Amazon Elastic Block Store (Amazon EBS) volum
• B. Configure AWS Key Management Service (AWS KMS) encryption.
• C. Store the data in an Amazon S3 Glacier vaul
• D. Configure a vault lock policy for write-once, read-many (WORM) access.
• E. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Configure server-side encryption.
• F. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Configure multi-factor authentication (MFA).

Answer: B

Explanation:
To meet the requirements of the workload, a company should store the data in an Amazon S3 Glacier vault and configure a vault lock policy for write-once, read-many (WORM) access. This will ensure that the data is stored securely and cannot be edited in the future. The other solutions (storing the data in an Amazon Elastic Block Store (Amazon EBS) volume and configuring AWS Key Management Service (AWS KMS) encryption, storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring server-side encryption, or storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring multi-factor authentication (MFA)) will not meet the requirements, as they do not provide a way to protect the audit logs from future edits.
https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/userguide/object-lock.html

NEW QUESTION 10

A company has an Amazon RDS DB instance. The company wants to implement a caching service while maintaining high availability.
Which combination of actions will meet these requirements? (Choose two.)

• A. Add Auto Discovery to the data store.
• B. Create an Amazon ElastiCache for Memcached data store.
• C. Create an Amazon ElastiCache for Redis data store.
• D. Enable Multi-AZ for the data store.
• E. Enable Multi-threading for the data store.

Answer: CD

Explanation:
https://aws.amazon.com/elasticache/memcached/ https://aws.amazon.com/elasticache/redis/

NEW QUESTION 11

A company uses Amazon Elasticsearch Service (Amazon ES) to analyze sales and customer usage data. Members of the company's geographically dispersed sales team are traveling. They need to log in to Kibana by using their existing corporate credentials that are stored in Active Directory. The company has deployed
Active Directory Federation Services (AD FS) to enable authentication to cloud services. Which solution will meet these requirements?

• A. Configure Active Directory as an authentication provider in Amazon E
• B. Add the Active Directory server's domain name to Amazon E
• C. Configure Kibana to use Amazon ES authentication.
• D. Deploy an Amazon Cognito user poo
• E. Configure Active Directory as an external identity provider for the user poo
• F. Enable Amazon Cognito authentication for Kibana on Amazon ES.
• G. Enable Active Directory user authentication in Kiban
• H. Create an IP-based custom domain access policy in Amazon ES that includes the Active Directory server's IP address.
• I. Establish a trust relationship with Kibana on the Active Directory serve
• J. Enable Active Directory user authentication in Kiban
• K. Add the Active Directory server's IP address to Kibana.

Answer: B

Explanation:
https://aws.amazon.com/blogs/security/how-to-enable-secure-access-to-kibana-using-aws-single-sign-on/ https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html

NEW QUESTION 12

A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application's performance. A SysOps administrator must scale the application to meet the increased traffic. Which solution meets these requirements?

• A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.
• B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
• C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy.Attach the ALB to the Auto Scaling group.
• D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy.Attach the ALB to the Auto Scaling group.

Answer: C

NEW QUESTION 13

A SysOps administrator is using Amazon EC2 instances to host an application. The SysOps administrator needs to grant permissions for the application to access an Amazon DynamoDB table.
Which solution will meet this requirement?

• A. Create access keys to access the DynamoDB tabl
• B. Assign the access keys to the EC2 instance profile.
• C. Create an EC2 key pair to access the DynamoDB tabl
• D. Assign the key pair to the EC2 instance profile.
• E. Create an IAM user to access the DynamoDB tabl
• F. Assign the IAM user to the EC2 instance profile.
• G. Create an IAM role to access the DynamoDB tabl
• H. Assign the IAM role to the EC2 instance profile.

Answer: D

NEW QUESTION 14

A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53. and wants to point its domain's zone apex to the website.
Which type of record should be used to meet these requirements?

• A. A CNAME record for the domain's zone apex
• B. An A record for the domain's zone apex
• C. An AAAA record for the domain's zone apex
• D. An alias record for the domain's zone apex

Answer: D

Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.htm https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

NEW QUESTION 15

A company website contains a web tier and a database tier on AWS. The web tier consists of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones. The database tier runs on an Amazon ROS for MySQL Multi-AZ DB instance. The database subnet network ACLs are restricted to only the web subnets that need access to the database. The web subnets use the default network ACL with the default rules.
The company's operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error message states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups.
Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Select TWO.)

• A. On the default AC
• B. create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.
• C. On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify the destinations as the database subnets.
• D. On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
• E. On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
• F. On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.

Answer: CD

NEW QUESTION 16

A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template it installs and configure necessary software through AWS OpsWorks and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours but at limes the process stalls due to installation errors.
The SysOps administrator must modify the CloudFormation template so if the process stalls, the entire stack will tail and roil back.
Based on these requirements what should be added to the template?

• A. Conditions with a timeout set to 4 hours.
• B. CreationPolicy with timeout set to 4 hours.
• C. DependsOn a timeout set to 4 hours.
• D. Metadata with a timeout set to 4 hours

Answer: B

NEW QUESTION 17

A company has a VPC with public and private subnets. An Amazon EC2 based application resides in the private subnets and needs to process raw .csv files stored in an Amazon S3 bucket. A SysOps administrator has set up the correct IAM role with the required permissions for the application to access the S3 bucket, but the application is unable to communicate with the S3 bucket.
Which action will solve this problem while adhering to least privilege access?

• A. Add a bucket policy to the S3 bucket permitting access from the IAM role.
• B. Attach an S3 gateway endpoint to the VP
• C. Configure the route table for the private subnet.
• D. Configure the route table to allow the instances on the private subnet access through the internet gateway.
• E. Create a NAT gateway in a private subnet and configure the route table for the private subnets.

Answer: B

Explanation:
Technology to use is a VPC endpoint - "A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network." S3 is an example of a gateway endpoint. We want to see services in AWS while not leaving the VPC.

NEW QUESTION 18

While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS The customer gateway device resides in a data center with a NAT gateway in front of it
What address should be used to create the customer gateway resource?

• A. The private IP address of the customer gateway device
• B. The MAC address of the NAT device in front of the customer gateway device
• C. The public IP address of the customer gateway device
• D. The public IP address of the NAT device in front of the customer gateway device

Answer: D

NEW QUESTION 19
......