AWS Certified SysOps Administrator - Associate: AWS Certified SysOps Administrator - Associate (SOA-C02)
Page 4 out of 22 pages Questions 31-40 out of 214 questions
Question#31

A SysOps administrator is using AWS Systems Manager Patch Manager to patch a fleet of Amazon EC2 instances. The SysOps administrator has configured a patch baseline and a maintenance window. The SysOps administrator also has used an instance tag to identify which instances to patch.
The SysOps administrator must give Systems Manager the ability to access the EC2 instances.
Which additional action must the SysOps administrator perform to meet this requirement?

  • A. Add an inbound rule to the instances' security group.
  • B. Attach an IAM instance profile with access to Systems Manager to the instances.
  • C. Create a Systems Manager activation. Then activate the fleet of instances.
  • D. Manually specify the instances to patch instead of using tag-based selection.

Answer: B

Question#32

A company hosts its website on Amazon EC2 instances in the us-east-1 Region. The company is preparing to extend its website into the eu-central-1 Region, but the database must remain only in us-east-1. After deployment, the EC2 instances in eu-central-1 are unable to connect to the database in us-east-1.
What is the MOST operationally efficient solution that will resolve this connectivity issue?

  • A. Create a VPC peering connection between the two Regions. Add the private IP address range of the instances to the inbound rule of the database security group.
  • B. Create a VPC peering connection between the two Regions. Add the security group of the instances in eu-central-1 to the outbound rule of the database security group.
  • C. Create a VPN connection between the two Regions. Add the private IP address range of the instances to the outbound rule of the database security group.
  • D. Create a VPN connection between the two Regions. Add the security group of the instances in eu-central-1 to the inbound rule of the database security group.

Answer: A

Question#33

A company wants to create an automated solution for all accounts managed by AWS Organizations to detect any security groups that use 0.0.0.0/0 as the source address for inbound traffic. The company also wants to automatically remediate any noncompliant security groups by restricting access to a specific CIDR block that corresponds with the company's intranet.
Which set of actions should the SysOps administrator take to create a solution?

  • A. Create an AWS Config rule to detect noncompliant security groups. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.
  • B. Create an IAM policy to deny the creation of security groups that have 0.0.0.0/0 as the source address. Attach this IAM policy to every user in the company.
  • C. Create an AWS Lambda function to inspect new and existing security groups. Check for a noncompliant 0.0.0.0/0 source address and change the source address to the approved CIDR block.
  • D. Create a service control policy (SCP) for the organizational unit (OU) to deny the creation of security groups that have the 0.0.0.0/0 source address. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.

Answer: A

Question#34

A company requires that all activity in its AWS account be logged using AWS CloudTrail. Additionally, a SysOps administrator must know when CloudTrail log files are modified or deleted.
How should the SysOps administrator meet these requirements?

  • A. Enable log file integrity validation. Use the AWS CLI to validate the log files.
  • B. Enable log file integrity validation. Use the AWS CloudTrail Processing Library to validate the log files.
  • C. Use CloudTrail Insights to monitor the log files for modifications.
  • D. Use Amazon CloudWatch Logs to monitor the log files for modifications.

Answer: B

Question#35

A company is planning to host its stateful web-based applications on AWS. A SysOps administrator is using an Auto Scaling group of Amazon EC2 instances. The web applications will run 24 hours a day, 7 days a week throughout the year. The company must be able to change the instance type within the same instance family later in the year based on the traffic and usage patterns.
Which EC2 instance purchasing option will meet these requirements MOST cost-effectively?

  • A. Convertible Reserved Instances
  • B. On-Demand Instances
  • C. Spot Instances
  • D. Standard Reserved Instances

Answer: A

Question#36

An application runs on Amazon EC2 instances in an Auto Scaling group. Following the deployment of a new feature on the EC2 instances, some instances were marked as unhealthy and then replaced by the Auto Scaling group. The EC2 instances terminated before a SysOps administrator could determine the cause of the health status changes. To troubleshoot this issue, the SysOps administrator wants to ensure that an AWS Lambda function is invoked in this situation.
How should the SysOps administrator meet these requirements?

  • A. Activate the instance scale-in protection setting for the Auto Scaling group. Invoke the Lambda function through Amazon EventBridge (Amazon CloudWatch Events).
  • B. Activate the instance scale-in protection setting for the Auto Scaling group. Invoke the Lambda function through Amazon Route 53.
  • C. Add a lifecycle hook to the Auto Scaling group to invoke the Lambda function through Amazon EventBridge (Amazon CloudWatch Events).
  • D. Add a lifecycle hook to the Auto Scaling group to invoke the Lambda function through Amazon Route 53.

Answer: C

Question#37

A company runs an application that hosts critical data for several clients. The company uses AWS CloudTrail to track user activities on various AWS resources. To meet new security requirements, the company needs to protect the CloudTrail log files from being modified, deleted, or forged.
Which solution will meet these requirements?

  • A. Enable CloudTrail log file integrity validation.
  • B. Use Amazon S3 MFA Delete on the S3 bucket where the CloudTrail log files are stored.
  • C. Use Amazon S3 Versioning to keep all versions of the CloudTrail log files.
  • D. Use AWS Key Management Service (AWS KMS) security keys to secure the CloudTrail log files.

Answer: C

Question#38

A global company operates out of five AWS Regions. A SysOps administrator wants to identify all the company's tagged and untagged Amazon EC2 instances.
The company requires the output to display the instance ID and tags.
What is the MOST operationally efficient way for the SysOps administrator to meet these requirements?

  • A. Create a tag-based resource group in AWS Resource Groups.
  • B. Use AWS Trusted Advisor. Export the EC2 On-Demand Instances check results from Trusted Advisor.
  • C. Use Cost Explorer. Choose a service type of EC2-Instances, and group by Resource.
  • D. Use Tag Editor in AWS Resource Groups. Select all Regions, and choose a resource type of AWS::EC2::Instance.

Answer: D

Question#39

A company needs to upload gigabytes of files every day. The company needs to achieve higher throughput and upload speeds to Amazon S3.
Which action should a SysOps administrator take to meet this requirement?

  • A. Create an Amazon CloudFront distribution with the GET HTTP method allowed and the S3 bucket as an origin.
  • B. Create an Amazon ElastiCache cluster and enable caching for the S3 bucket.
  • C. Set up AWS Global Accelerator and configure it with the S3 bucket.
  • D. Enable S3 Transfer Acceleration and use the acceleration endpoint when uploading files.

Answer: D

Question#40

A SysOps administrator maintains the security and compliance of a company's AWS account. To ensure the company's Amazon EC2 instances are following company policy, a SysOps administrator wants to terminate any EC2 instances that do not contain a department tag. Noncompliant resources must be terminated in near-real time.
Which solution will meet these requirements?

  • A. Create an AWS Config rule with the required-tags managed rule to identify noncompliant resources. Configure automatic remediation to run the AWS-TerminateEC2Instance automation document to terminate noncompliant resources.
  • B. Create a new Amazon EventBridge (Amazon CloudWatch Events) rule to monitor when new EC2 instances are created. Send the event to a Simple Notification Service (Amazon SNS) topic for automatic remediation.
  • C. Ensure all users who can create EC2 instances also have the permissions to use the ec2:CreateTags and ec2:DescribeTags actions. Change the instance's shutdown behavior to terminate.
  • D. Ensure AWS Systems Manager Compliance is configured to manage the EC2 instances. Call the AWS-StopEC2Instances automation document to stop noncompliant resources.

Answer: A
