AWS Certified SysOps Administrator - Associate

By Amazon
Aug, 2025

Question 76

A company uses AWS Organizations. A SysOps administrator wants to use AWS Compute Optimizer and AWS tag policies in the management account to govern all member accounts in the billing family. The SysOps administrator navigates to the AWS Organizations console but cannot activate tag policies through the management account.

What could be the reason for this issue?

  • A: All features have not been enabled in the organization.
  • B: Consolidated billing has not been enabled.
  • C: The member accounts do not have tags enabled for cost allocation.
  • D: The member accounts have not manually enabled trusted access for Compute Optimizer.

Question 77

A company is storing media content in an Amazon S3 bucket and uses Amazon CloudFront to distribute the content to its users. Due to licensing terms, the company is not authorized to distribute the content in some countries. A SysOps administrator must restrict access to certain countries.

What is the MOST operationally efficient solution that meets these requirements?

  • A: Configure the S3 bucket policy to deny the GetObject operation based on the S3:LocationConstraint condition.
  • B: Create a secondary origin access identity (OAI). Configure the S3 bucket policy to prevent access from unauthorized countries.
  • C: Enable the geo restriction feature in the CloudFront distribution to prevent access from unauthorized countries.
  • D: Update the application to generate signed CloudFront URLs only for IP addresses in authorized countries.

Question 78

A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the administrator is unable to connect to any of the domains that reside on the internet.

What additional route destination rule should the administrator add to the route tables?

  • A: Route ::/0 traffic to a NAT gateway
  • B: Route ::/0 traffic to an internet gateway
  • C: Route 0.0.0.0/0 traffic to an egress-only internet gateway
  • D: Route ::/0 traffic to an egress-only internet gateway

Question 79

A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals sudden increases in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A SysOps administrator must find the process ID (PID) of the service or process that is consuming more CPU.

What should the SysOps administrator do to collect the process utilization information with the LEAST amount of effort?

  • A: Configure the Amazon CloudWatch agent procstat plugin to capture CPU process metrics.
  • B: Configure an AWS Lambda function to run every minute to capture the PID and send a notification.
  • C: Log in to the EC2 instance by using a .pem key each night. Then run the top command.
  • D: Use the default Amazon CloudWatch CPU utilization metric to capture the PID in CloudWatch.

Question 80

A company hosts several write-intensive applications. These applications use a MySQL database that runs on a single Amazon EC2 instance. The company asks a SysOps administrator to implement a highly available database solution that is ideal for multi-tenant workloads.

Which solution should the SysOps administrator implement to meet these requirements?

  • A: Create a second EC2 instance for MySQL. Configure the second instance to be a read replica.
  • B: Migrate the database to an Amazon Aurora DB cluster. Add an Aurora Replica.
  • C: Migrate the database to an Amazon Aurora multi-master DB cluster.
  • D: Migrate the database to an Amazon RDS for MySQL DB instance.

Question 81

A company has a memory-intensive application that runs on a fleet of Amazon EC2 instances behind an Elastic Load Balancer (ELB). The instances run in an Auto Scaling group. A SysOps administrator must ensure that the application can scale based on the number of users that connect to the application.

Which solution will meet these requirements?

  • A: Create a scaling policy that will scale the application based on the ActiveConnectionCount Amazon CloudWatch metric that is generated from the ELB.
  • B: Create a scaling policy that will scale the application based on the mem_used Amazon CloudWatch metric that is generated from the ELB.
  • C: Create a scheduled scaling policy to increase the number of EC2 instances in the Auto Scaling group to support additional connections.
  • D: Create and deploy a script on the ELB to expose the number of connected users as a custom Amazon CloudWatch metric. Create a scaling policy that uses the metric.

Question 82

A SysOps administrator creates a new VPC that includes a public subnet and a private subnet. The SysOps administrator successfully launches 11 Amazon EC2 instances in the private subnet. The SysOps administrator attempts to launch one more EC2 instance in the same subnet. However, the SysOps administrator receives an error message that states that not enough free IP addresses are available.

What must the SysOps administrator do to deploy more EC2 instances?

  • A: Edit the private subnet to change the CIDR block to /27.
  • B: Edit the private subnet to extend across a second Availability Zone.
  • C: Assign additional Elastic IP addresses to the private subnet.
  • D: Create a new private subnet to hold the required EC2 instances.

Question 83

A company needs to automatically monitor an AWS account for potential unauthorized AWS Management Console logins from multiple geographic locations.

Which solution will meet this requirement?

  • A: Configure Amazon Cognito to detect any compromised IAM credentials.
  • B: Set up Amazon Inspector. Scan and monitor resources for unauthorized logins.
  • C: Set up AWS Config. Add the iam-policy-blacklisted-check managed rule to the account.
  • D: Configure Amazon GuardDuty to monitor the UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B finding.

Question 84

A company has an Amazon RDS DB instance. The company wants to implement a caching service while maintaining high availability.

Which combination of actions will meet these requirements? (Choose two.)

  • A: Add Auto Discovery to the data store.
  • B: Create an Amazon ElastiCache for Memcached data store.
  • C: Create an Amazon ElastiCache for Redis data store.
  • D: Enable Multi-AZ for the data store.
  • E: Enable Multi-threading for the data store.

Question 85

A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account’s Amazon S3 bucket.

Moving forward, how can the SysOps administrator confirm that the log files have not been modified after being delivered to the S3 bucket?

  • A: Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
  • B: Enable log file integrity validation and use digest files to verify the hash value of the log file.
  • C: Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
  • D: Enable S3 server access logging to track requests made to the log bucket for security audits.

Question 86

A SysOps administrator is reviewing AWS Trusted Advisor warnings and encounters a warning for an S3 bucket policy that has open access permissions. While discussing the issue with the bucket owner, the administrator realizes the S3 bucket is an origin for an Amazon CloudFront web distribution.

Which action should the administrator take to ensure that users access objects in Amazon S3 by using only CloudFront URLs?

  • A: Encrypt the S3 bucket content with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).
  • B: Create an origin access identity and grant it permissions to read objects in the S3 bucket.
  • C: Assign an IAM user to the CloudFront distribution and grant the user permissions in the S3 bucket policy.
  • D: Assign an IAM role to the CloudFront distribution and grant the role permissions in the S3 bucket policy.

Question 87

A SysOps administrator is reviewing AWS Trusted Advisor recommendations. The SysOps administrator notices that all the application servers for a finance application are listed in the Low Utilization Amazon EC2 Instances check. The application runs on three instances across three Availability Zones. The SysOps administrator must reduce the cost of running the application without affecting the application’s availability or design.

Which solution will meet these requirements?

  • A: Reduce the number of application servers.
  • B: Apply rightsizing recommendations from AWS Cost Explorer to reduce the instance size.
  • C: Provision an Application Load Balancer in front of the instances.
  • D: Scale up the instance size of the application servers.

Question 88

A company hosts its website in the us-east-1 Region. The company is preparing to deploy its website into the eu-central-1 Region. Website visitors who are located in Europe should access the website that is hosted in eu-central-1. All other visitors access the website that is hosted in us-east-1. The company uses Amazon Route 53 to manage the website’s DNS records.

Which routing policy should a SysOps administrator apply to the Route 53 record set to meet these requirements?

  • A: Geolocation routing policy
  • B: Geoproximity routing policy
  • C: Latency routing policy
  • D: Multivalue answer routing policy

Question 89

An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department, it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership.

What is the BEST method to allow access using current LDAP credentials?

  • A: Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
  • B: Create a Lambda function to read LDAP groups and automate the creation of IAM users.
  • C: Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
  • D: Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.

Question 90

A SysOps administrator configured AWS Backup to capture snapshots from a single Amazon EC2 instance that has one Amazon Elastic Block Store (Amazon EBS) volume attached. On the first snapshot, the EBS volume has 10 GiB of data. On the second snapshot, the EBS volume still contains 10 GiB of data, but 4 GiB have changed. On the third snapshot, 2 GiB of data have been added to the volume, for a total of 12 GiB.

How much total storage is required to store these snapshots?

  • A: 12 GiB
  • B: 16 GiB
  • C: 26 GiB
  • D: 32 GiB

Question 91

A SysOps administrator has created an Amazon EC2 instance using an AWS CloudFormation template in the us-east-1 Region. The administrator finds that this template has failed to create an EC2 instance in the us-west-2 Region.

What is one cause for this failure?

  • A: Resource tags defined in the CloudFormation template are specific to the us-east-1 Region.
  • B: The Amazon Machine Image (AMI) ID referenced in the CloudFormation template could not be found in the us-west-2 Region.
  • C: The cfn-init script did not run during resource provisioning in the us-west-2 Region.
  • D: The IAM user was not created in the specified Region.

Question 92

A global gaming company is preparing to launch a new game on AWS. The game runs in multiple AWS Regions on a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group behind an Application Load Balancer (ALB) in each Region. The company plans to use Amazon Route 53 for DNS services. The DNS configuration must direct users to the Region that is closest to them and must provide automated failover.

Which combination of steps should a SysOps administrator take to configure Route 53 to meet these requirements? (Choose two.)

  • A: Create Amazon CloudWatch alarms that monitor the health of the ALB in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.
  • B: Create Amazon CloudWatch alarms that monitor the health of the EC2 instances in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.
  • C: Configure Route 53 DNS failover by using a health check that monitors the private IP address of an EC2 instance in each Region.
  • D: Configure Route 53 geoproximity routing. Specify the Regions that are used for the infrastructure.
  • E: Configure Route 53 simple routing. Specify the continent, country, and state or province that are used for the infrastructure.

Question 93

A SysOps administrator is investigating a company’s web application for performance problems. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The application receives large traffic increases at random times throughout the day. During periods of rapid traffic increases, the Auto Scaling group is not adding capacity fast enough. As a result, users are experiencing poor performance.

The company wants to minimize costs without adversely affecting the user experience when web traffic surges quickly. The company needs a solution that adds more capacity to the Auto Scaling group for larger traffic increases than for smaller traffic increases.

How should the SysOps administrator configure the Auto Scaling group to meet these requirements?

  • A: Create a simple scaling policy with settings to make larger adjustments in capacity when the system is under heavy load.
  • B: Create a step scaling policy with settings to make larger adjustments in capacity when the system is under heavy load.
  • C: Create a target tracking scaling policy with settings to make larger adjustments in capacity when the system is under heavy load.
  • D: Use Amazon EC2 Auto Scaling lifecycle hooks. Adjust the Auto Scaling group’s maximum number of instances after every scaling event.

Question 94

A company has a compliance requirement that no security groups can allow SSH ports to be open to all IP addresses. A SysOps administrator must implement a solution that will notify the company’s SysOps team when a security group rule violates this requirement. The solution also must remediate the security group rule automatically.

Which solution will meet these requirements?

  • A: Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a security group changes. Configure the Lambda function to evaluate the security group for compliance, remove all inbound security group rules on all ports, and notify the SysOps team if the security group is noncompliant.
  • B: Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm to notify the SysOps team through an Amazon Simple Notification Service (Amazon SNS) topic when the metric is greater than 0. Subscribe an AWS Lambda function to the SNS topic to remediate the security group rule by removing the rule.
  • C: Activate the AWS Config restricted-ssh managed rule. Add automatic remediation to the AWS Config rule by using the AWS Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the SysOps team when the rule is noncompliant.
  • D: Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm for when the metric is greater than 0. Add an AWS Systems Manager action to the CloudWatch alarm to suspend the security group by using the Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook when the alarm is in ALARM state. Add an Amazon Simple Notification Service (Amazon SNS) topic as a second target to notify the SysOps team.

Question 95

A company has an application that runs only on Amazon EC2 Spot Instances. The instances run in an Amazon EC2 Auto Scaling group with scheduled scaling actions. However, the capacity does not always increase at the scheduled times, and instances terminate many times a day. A SysOps administrator must ensure that the instances launch on time and have fewer interruptions.

Which action will meet these requirements?

  • A: Specify the capacity-optimized allocation strategy for Spot Instances. Add more instance types to the Auto Scaling group.
  • B: Specify the capacity-optimized allocation strategy for Spot Instances. Increase the size of the instances in the Auto Scaling group.
  • C: Specify the lowest-price allocation strategy for Spot Instances. Add more instance types to the Auto Scaling group.
  • D: Specify the lowest-price allocation strategy for Spot Instances. Increase the size of the instances in the Auto Scaling group.

Question 96

A company plans to deploy a database on an Amazon Aurora MySQL DB cluster. The database will store data for a demonstration environment. The data must be reset on a daily basis.

What is the MOST operationally efficient solution that meets these requirements?

  • A: Create a manual snapshot of the DB cluster after the data has been populated. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the snapshot and then delete the previous DB cluster.
  • B: Enable the Backtrack feature during the creation of the DB cluster. Specify a target backtrack window of 48 hours. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to perform a backtrack operation.
  • C: Export a manual snapshot of the DB cluster to an Amazon S3 bucket after the data has been populated. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the snapshot from Amazon S3.
  • D: Set the DB cluster backup retention period to 2 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the DB cluster to a point in time and then delete the previous DB cluster.
