AWS Certified SysOps Administrator - Associate

By amazon
Aug, 2025

Question 1

A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available.
Which action should the SysOps administrator take to meet this requirement?

  • A: Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
  • B: Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
  • C: Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
  • D: Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.

Question 2

A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:
AMI [ami-12345678] does not exist
How should the Administrator ensure that the AWS CloudFormation template is working in every region?

  • A: Copy the source region's Amazon Machine Image (AMI) to the destination region and assign it the same ID.
  • B: Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.
  • C: Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.
  • D: Modify the AWS CloudFormation template by including the AMI IDs in the "Mappings" section. Refer to the proper mapping within the template for the proper AMI ID.

Question 3

A company has a policy that requires all Amazon EC2 instances to have a specific set of tags. If an EC2 instance does not have the required tags, the noncompliant instance should be terminated.
What is the MOST operationally efficient solution that meets these requirements?

  • A: Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all EC2 instance state changes to an AWS Lambda function to determine if each instance is compliant. Terminate any noncompliant instances.
  • B: Create an IAM policy that enforces all EC2 instance tag requirements. If the required tags are not in place for an instance, the policy will terminate the noncompliant instance.
  • C: Create an AWS Lambda function to determine if each EC2 instance is compliant and terminate an instance if it is noncompliant. Schedule the Lambda function to invoke every 5 minutes.
  • D: Create an AWS Config rule to check if the required tags are present. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.

Question 4

A SysOps administrator wants to manage a web server application with AWS Elastic Beanstalk. The Elastic Beanstalk service must maintain full capacity for new deployments at all times.
Which deployment policies satisfy this requirement? (Choose two.)

  • A: All at once
  • B: Immutable
  • C: Rebuild
  • D: Rolling
  • E: Rolling with additional batch

Question 5

A company has an Auto Scaling group of Amazon EC2 instances that scale based on average CPU utilization. The Auto Scaling group events log indicates an InsufficientInstanceCapacity error.
Which actions should a SysOps administrator take to remediate this issue? (Choose two.)

  • A: Change the instance type that the company is using.
  • B: Configure the Auto Scaling group in different Availability Zones.
  • C: Configure the Auto Scaling group to use different Amazon Elastic Block Store (Amazon EBS) volume sizes.
  • D: Increase the maximum size of the Auto Scaling group.
  • E: Request an increase in the instance service quota.

Question 6

A SysOps administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.
Which additional actions should the administrator take to control access? (Choose two.)

  • A: Attach an IAM policy to the users or groups that require access to the EC2 instances.
  • B: Attach an IAM role to control access to the EC2 instances.
  • C: Create a placement group for the EC2 instances and add a specific tag.
  • D: Create a service account and attach it to the EC2 instances that need to be controlled.
  • E: Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.

Question 7

A company has an AWS Lambda function in Account A. The Lambda function needs to read the objects in an Amazon S3 bucket in Account B. A SysOps administrator must create corresponding IAM roles in both accounts.
Which solution will meet these requirements?

  • A: In Account A, create a Lambda execution role to assume the role in Account B. In Account B, create a role that the function can assume to gain access to the S3 bucket.
  • B: In Account A, create a Lambda execution role that provides access to the S3 bucket. In Account B, create a role that the function can assume.
  • C: In Account A, create a role that the function can assume. In Account B, create a Lambda execution role that provides access to the S3 bucket.
  • D: In Account A, create a role that the function can assume to gain access to the S3 bucket. In Account B, create a Lambda execution role to assume the role in Account A.

Question 8

An AWS Lambda function is intermittently failing several times a day. A SysOps administrator must find out how often this error has occurred in the last 7 days.
Which action will meet this requirement in the MOST operationally efficient manner?

  • A: Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function.
  • B: Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function.
  • C: Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs.
  • D: Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to stream the Amazon CloudWatch logs for the Lambda function.

Question 9

A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin.
The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution.
What should a SysOps administrator do to resolve this problem?

  • A: Examine the expiration date on the certificate on the origin site. Validate that the certificate has not expired. Replace the certificate if necessary.
  • B: Examine the hostname on the certificate on the origin site. Validate that the hostname matches one of the hostnames on the CloudFront distribution. Replace the certificate if necessary.
  • C: Examine the firewall rules that are associated with the origin server. Validate that port 443 is open for inbound traffic from the internet. Create an inbound rule if necessary.
  • D: Examine the network ACL rules that are associated with the CloudFront distribution. Validate that port 443 is open for outbound traffic to the origin server. Create an outbound rule if necessary.

Question 10

An Amazon CloudFront distribution has a single Amazon S3 bucket as its origin. A SysOps administrator must ensure that users can access the S3 bucket only through requests from the CloudFront endpoint.
Which solution will meet these requirements?

  • A: Configure S3 Block Public Access on the S3 bucket. Update the S3 bucket policy to allow the GetObject action from only the CloudFront distribution.
  • B: Configure Origin Shield in the CloudFront distribution. Update the CloudFront origin to include a custom Origin_Shield header.
  • C: Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Update the S3 bucket policy to restrict access to the OAI.
  • D: Create an origin access identity (OAI). Assign the OAI to the S3 bucket. Update the CloudFront origin to include a custom Origin header with the OAI value.

Question 11

A SysOps administrator is designing a solution for an Amazon RDS for PostgreSQL DB instance. Database credentials must be stored and rotated monthly. The applications that connect to the DB instance send write-intensive traffic with variable client connections that sometimes increase significantly in a short period of time.
Which solution should a SysOps administrator choose to meet these requirements?

  • A: Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS Proxy to handle the increases in database connections.
  • B: Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS read replicas to handle the increases in database connections.
  • C: Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS Proxy to handle the increases in database connections.
  • D: Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS read replicas to handle the increases in database connections.

Question 12

A company wants to reduce costs for jobs that can be completed at any time. The jobs currently run by using multiple Amazon EC2 On-Demand Instances and the jobs take slightly less than 2 hours to complete. If a job fails for any reason, it must be restarted from the beginning.
Which solution will meet these requirements MOST cost-effectively?

  • A: Purchase Reserved Instances for the jobs.
  • B: Submit a request for a one-time Spot Instance for the jobs.
  • C: Submit a request for Spot Instances with a defined duration for the jobs.
  • D: Use a mixture of On-Demand Instances and Spot Instances for the jobs.

Question 13

A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones. There are two instances in each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency.
Which solution will meet these requirements?

  • A: Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.
  • B: Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.
  • C: Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.
  • D: Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.

Question 14

An environment consists of 100 Amazon EC2 Windows instances. The Amazon CloudWatch agent is deployed and running on all EC2 Instances with a baseline configuration file to capture log files. There is a new requirement to capture the DHCP log files that exist on 50 of the instances.
What is the MOST operationally efficient way to meet this new requirement?

  • A: Create an additional CloudWatch agent configuration file to capture the DHCP logs. Use the AWS Systems Manager Run Command to restart the CloudWatch agent on each EC2 instance with the append-config option to apply the additional configuration file.
  • B: Log in to each EC2 Instance with administrator rights. Create a PowerShell script to push the needed baseline log files and DHCP log files to CloudWatch.
  • C: Run the CloudWatch agent configuration file wizard on each EC2 instance. Verify that the baseline log files are included and add the DHCP log files during the wizard creation process.
  • D: Run the CloudWatch agent configuration file wizard on each EC2 instance and select the advanced detail level. This will capture the operating system log files.

Question 15

A company has 10 Amazon EC2 instances in its production account. A SysOps administrator must ensure that email notifications are sent to administrators each time there is an EC2 instance state change.
Which solution will meet these requirements?

  • A: Configure an Amazon Route 53 simple routing policy that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when an EC2 instance state changes. This SNS topic then sends notifications to its email subscribers.
  • B: Configure an Amazon Route 53 simple routing policy that publishes a message to an Amazon Simple Queue Service (Amazon SQS) queue when an EC2 instance state changes. This SQS queue then sends notifications to its email subscribers.
  • C: Create an Amazon EventBridge (Amazon CloudWatch Events) rule that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when an EC2 instance state changes. This SNS topic then sends notifications to its email subscribers.
  • D: Create an Amazon EventBridge (Amazon CloudWatch Events) rule that publishes a message to an Amazon Simple Queue Service (Amazon SQS) queue when an EC2 instance state changes. This SQS queue then sends notifications to its email subscribers.

Question 16

A company has an application that runs on a fleet of Amazon EC2 instances behind an Elastic Load Balancer. The instances run in an Auto Scaling group. The application's performance remains consistent throughout most of each day. However, an increase in user traffic slows the performance during the same 4-hour period of time each day.
What is the MOST operationally efficient solution that will resolve this issue?

  • A: Configure a second Elastic Load Balancer in front of the Auto Scaling group with a weighted routing policy.
  • B: Configure the fleet of EC2 instances to run on larger instance types to support the increase in user traffic.
  • C: Create a scheduled scaling action to scale out the number of EC2 instances shortly before the increase in user traffic occurs.
  • D: Manually add a few more EC2 instances to the Auto Scaling group to support the increase in user traffic.

Question 17

A company hosts an application on an Amazon EC2 instance in a single AWS Region. The application requires support for non-HTTP TCP traffic and HTTP traffic. The company wants to deliver content with low latency by leveraging the AWS network. The company also wants to implement an Auto Scaling group with an Elastic Load Balancer.
How should a SysOps administrator meet these requirements?

  • A: Create an Auto Scaling group with an Application Load Balancer (ALB). Add an Amazon CloudFront distribution with the ALB as the origin.
  • B: Create an Auto Scaling group with an Application Load Balancer (ALB). Add an accelerator with AWS Global Accelerator with the ALB as an endpoint.
  • C: Create an Auto Scaling group with a Network Load Balancer (NLB). Add an Amazon CloudFront distribution with the NLB as the origin.
  • D: Create an Auto Scaling group with a Network Load Balancer (NLB). Add an accelerator with AWS Global Accelerator with the NLB as an endpoint.

Question 18

A SysOps administrator has an AWS CloudFormation template that is used to deploy an encrypted Amazon Machine Image (AMI). The CloudFormation template will be used in a second account so the SysOps administrator copies the encrypted AMI to the second account. When launching the new CloudFormation stack in the second account, it fails.
Which action should the SysOps administrator take to correct the issue?

  • A: Change the AMI permissions to mark the AMI as public.
  • B: Deregister the AMI in the source account.
  • C: Re-encrypt the destination AMI with an AWS Key Management Service (AWS KMS) key from the destination account.
  • D: Update the CloudFormation template with the ID of the AMI in the destination account.

Question 19

A company’s SysOps administrator deploys four new Amazon EC2 instances by using the standard Amazon Linux 2 Amazon Machine Image (AMI). The company needs to be able to use AWS Systems Manager to manage the instances. The SysOps administrator notices that the instances do not appear in the Systems Manager console.

What must the SysOps administrator do to resolve this issue?

  • A: Connect to each instance by using SSH. Install Systems Manager Agent on each instance. Configure Systems Manager Agent to start automatically when the instances start up.
  • B: Use AWS Certificate Manager (ACM) to create a TLS certificate. Import the certificate into each instance. Configure Systems Manager Agent to use the TLS certificate for secure communications.
  • C: Connect to each instance by using SSH. Create an ssm-user account. Add the ssm-user account to the /etc/sudoers.d directory.
  • D: Attach an IAM instance profile to the instances. Ensure that the instance profile contains the AmazonSSMManagedInstanceCore policy.

Question 20

A SysOps administrator is maintaining a web application using an Amazon CloudFront web distribution, an Application Load Balancer (ALB), Amazon RDS, and Amazon EC2 in a VPC. All services have logging enabled. The administrator needs to investigate HTTP Layer 7 status codes from the web application.

Which log sources contain the status codes? (Choose two.)

  • A: VPC Flow Logs
  • B: AWS CloudTrail logs
  • C: ALB access logs
  • D: CloudFront access logs
  • E: RDS logs

Question 21

A company wants to be alerted through email when IAM CreateUser API calls are made within its AWS account.

Which combination of actions should a SysOps administrator take to meet this requirement? (Choose two.)

  • A: Create an Amazon EventBridge (Amazon CloudWatch Events) rule with AWS CloudTrail as the event source and IAM CreateUser as the specific API call for the event pattern.
  • B: Create an Amazon EventBridge (Amazon CloudWatch Events) rule with Amazon CloudSearch as the event source and IAM CreateUser as the specific API call for the event pattern.
  • C: Create an Amazon EventBridge (Amazon CloudWatch Events) rule with AWS IAM Access Analyzer as the event source and IAM CreateUser as the specific API call for the event pattern.
  • D: Use an Amazon Simple Notification Service (Amazon SNS) topic as an event target with an email subscription.
  • E: Use an Amazon Simple Email Service (Amazon SES) notification as an event target with an email subscription.

Question 22

A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted.

Which approach will resolve the encryption requirement?

  • A: Log in to the RDS console and select the encryption box to encrypt the database.
  • B: Create a new encrypted Amazon EBS volume and attach it to the instance.
  • C: Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
  • D: Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.

Question 23

A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted.

What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?

  • A: Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
  • B: Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
  • C: Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
  • D: Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.

Question 24

A SysOps administrator has successfully deployed a VPC with an AWS CloudFormation template. The SysOps administrator wants to deploy the same template across multiple accounts that are managed through AWS Organizations.
Which solution will meet this requirement with the LEAST operational overhead?

  • A: Assume the OrganizationAccountAccessRole IAM role from the management account. Deploy the template in each of the accounts.
  • B: Create an AWS Lambda function to assume a role in each account. Deploy the template by using the AWS CloudFormation CreateStack API call.
  • C: Create an AWS Lambda function to query for a list of accounts. Deploy the template by using the AWS CloudFormation CreateStack API call.
  • D: Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts.

Question 25

A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private subnets. The company’s security policy requires all EC2 instances to be deployed in private subnets.

What should a SysOps administrator do to meet these requirements?

  • A: Add an internet gateway to the VPC. In the route table for the private subnets, add a route to the internet gateway.
  • B: Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway.
  • C: Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
  • D: Add two internet gateways to the VPC. In the route tables for the private subnets and public subnets, add a route to each internet gateway.