A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet specific security requirements.
The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators.
The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts.
Which solution will meet these requirements?
A. Create AWS Config rules with remediation actions in each account to detect policy violations. Implement IAM permissions boundaries for the account root users.
B. Enable AWS Security Hub across the organization. Create custom security standards to enforce the security requirements. Use AWS CloudFormation StackSets to deploy the standards to all the accounts in the organization. Set up Security Hub automated remediation actions.
C. Use AWS Control Tower for account governance. Configure Region deny controls. Use service control policies (SCPs) to restrict root user access.
D. Configure AWS Firewall Manager with security policies to meet the security requirements. Use an AWS Config aggregator with organization-wide conformance packs to detect security policy violations.
A company uses hundreds of Amazon EC2 On-Demand Instances and Spot Instances to run production and non-production workloads. The company installs and configures the AWS Systems Manager Agent (SSM Agent) on the EC2 instances.
During a recent instance patch operation, some instances were not patched because the instances were either busy or down. The company needs to generate a report that lists the current patch version of all instances.
Which solution will meet these requirements in the MOST operationally efficient way?
A. Use Systems Manager Inventory to collect patch versions. Generate a report of all instances.
B. Use Systems Manager Run Command to remotely collect patch version information. Generate a report of all instances.
C. Use AWS Config to track EC2 instance configuration changes by using output from the SSM Agents. Create a custom rule to check for patch versions. Generate a report of all unpatched instances.
D. Use AWS Config to monitor the patch status of the EC2 instances by using output from the SSM Agents. Create a configuration compliance rule to check whether patches are installed. Generate a report of all instances.
A financial services company stores customer images in an Amazon S3 bucket in the us-east-1 Region. To comply with regulations, the company must ensure that all existing objects are replicated to an S3 bucket in a second AWS Region. If an object replication fails, the company must be able to retry replication for the object.
Which solution will meet these requirements?
A. Configure Amazon S3 Cross-Region Replication (CRR). Use Amazon S3 live replication to replicate existing objects.
B. Configure Amazon S3 Cross-Region Replication (CRR). Use S3 Batch Replication to replicate existing objects.
C. Configure Amazon S3 Cross-Region Replication (CRR). Use S3 Replication Time Control (S3 RTC) to replicate existing objects.
D. Use S3 Lifecycle rules to move objects to the destination bucket in a second Region.
A company runs a workload in an Amazon VPC. The company configures Amazon CloudWatch Logs for the workload. The company needs a solution to automatically detect unusual API activity and security events in the company's AWS account.
Which solution will meet this requirement?
A. Use Amazon Inspector to scan VPC flow logs.
B. Use Amazon GuardDuty to monitor CloudWatch logs.
C. Implement AWS CloudTrail Insights.
D. Use AWS Config automatic anomaly detection.
A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs to send specific events from all the accounts in the organization to a new receiver account so an AWS Lambda function can process the events.
A CloudOps engineer needs to configure Amazon EventBridge to route the events to a target event bus in the us-west-2 Region in the new receiver account. The CloudOps engineer creates rules in the sender accounts and the receiver account that match the specified events. The rules do not specify an account parameter in the event pattern. The CloudOps engineer creates IAM roles in the sender accounts to allow PutEvents actions on the target event bus.
The first test events that originate from the us-east-1 Region are not being processed by the Lambda function in the receiving account.
What is the likely reason the events are not processed?
A. Interface VPC endpoints for EventBridge are required in the sender accounts and receiver accounts.
B. The target Lambda function is in a different AWS Region, which is not supported by EventBridge.
C. The resource-based policy on the target event bus must be modified to allow PutEvents API calls from the sender accounts.
D. The rule in the receiving account must specify {"account": ["sender-account-id"]} in its event pattern and must include the receiving account ID.
A developer enables versioning on an Amazon S3 bucket. When the developer attempts to perform a write operation on the bucket, the developer encounters an HTTP 404 NoSuchKey error.
A CloudOps engineer must resolve this issue.
Which solution will meet this requirement?
A. Disable versioning on the S3 bucket and retry the write operation.
B. Modify the bucket policy to allow write operations on versioned objects.
C. Wait at least 15 minutes after enabling versioning, and then perform the write operation.
D. Enable S3 Transfer Acceleration on the bucket.
A company generates hundreds of images and uploads the images to an Amazon S3 bucket. The company manually copies the images to an always-on Amazon EC2 instance for processing. It usually takes between 30 seconds and 120 seconds to process each image.
A CloudOps engineer wants to automate the image processing solution to process the images as soon as they arrive in the S3 bucket.
Which solution will meet these requirements MOST cost-effectively?
A. Configure S3 Event Notifications to invoke the EC2 instance when images are uploaded to the S3 bucket. Run the image processing solution on the EC2 instance to process the images.
B. Configure S3 Event Notifications to invoke an Amazon EventBridge rule. Configure the EventBridge rule to start a preconfigured AWS Glue ETL job to process images.
C. Configure S3 Event Notifications to invoke an AWS Lambda function that runs image processing logic when new images are uploaded to the source S3 bucket.
D. Configure S3 Event Notifications to invoke a task on an Amazon Elastic Container Service (Amazon ECS) container that is backed by EC2 instances when the images are uploaded to the S3 bucket. Configure the ECS task to process the images.
A company uses memory-optimized Amazon EC2 instances behind a Network Load Balancer (NLB) to run an application. The company launched the EC2 instances from an AWS-provided Red Hat Enterprise Linux (RHEL) Amazon Machine Image (AMI).
A CloudOps engineer must monitor RAM utilization in 5-minute intervals. The CloudOps engineer must ensure that the EC2 instances scale in and out appropriately based on incoming load.
Which solution will meet these requirements?
A. Configure detailed monitoring for the EC2 instances. Configure the Amazon CloudWatch agent on the EC2 instances. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_active metric.
B. Configure detailed monitoring for the EC2 instances. Use the mem_used_percent metric that the detailed monitoring feature provides. Create an IAM role that allows the CloudWatch agent to upload data. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_used_percent metric.
C. Configure basic monitoring for the EC2 instances. Configure the Amazon CloudWatch agent on the EC2 instances. Create an IAM role that allows the CloudWatch agent to upload data. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_used_percent metric.
D. Configure basic monitoring for the EC2 instances. Use the standard mem_used_percent metric for monitoring. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_used_percent metric.
A CloudOps engineer is using AWS Compute Optimizer to generate recommendations for a fleet of Amazon EC2 instances. Some of the instances use newly released instance types, while other instances use older instance types.
After the analysis is complete, the CloudOps engineer notices that some of the EC2 instances are missing from the Compute Optimizer dashboard.
What is the likely cause of this issue?
A. The missing instances have insufficient historical Amazon CloudWatch metric data for analysis.
B. Compute Optimizer does not support the instance types of the missing instances.
C. Compute Optimizer already considers the missing instances to be optimized.
D. The missing instances are running a Windows operating system.
A company's website runs on an Amazon EC2 Linux instance. The website needs to serve PDF files from an Amazon S3 bucket. All public access to the S3 bucket is blocked at the account level. The company needs to allow website users to download the PDF files.
Which solution will meet these requirements with the LEAST administrative effort?
A. Create an IAM role that has a policy that allows s3:list* and s3:get* permissions. Assign the role to the EC2 instance. Assign a company employee to download requested PDF files to the EC2 instance and to deliver the files to website users. Create an AWS Lambda function to periodically delete local files.
B. Create an Amazon CloudFront distribution that uses an origin access control (OAC) that points to the S3 bucket. Apply a bucket policy to the bucket to allow connections from the CloudFront distribution. Assign a company employee to provide a download URL that contains the distribution URL and the object path to users when users request PDF files.
C. Change the S3 bucket permissions to allow public access on the source S3 bucket. Assign a company employee to provide a PDF file URL to users when users request the PDF files.
D. Deploy an EC2 instance that has an IAM instance profile to a public subnet. Use a signed URL from the EC2 instance to provide temporary access to the S3 bucket for website users.
A CloudOps engineer is examining the following AWS CloudFormation template:
Why will the stack creation fail?
A. The Outputs section of the CloudFormation template was omitted.
B. The Parameters section of the CloudFormation template was omitted.
C. The PrivateDnsName cannot be set from a CloudFormation template.
D. The VPC was not specified in the CloudFormation template.
A company applies user-defined tags to resources that are associated with the company's AWS workloads. Twenty days after applying the tags, the company notices that it cannot use the tags to filter views in the AWS Cost Explorer console.
What is the reason for this issue?
A. It takes at least 30 days to be able to use tags to filter views in Cost Explorer.
B. The company has not activated the user-defined tags for cost allocation.
C. The company has not created an AWS Cost and Usage Report.
D. The company has not created a usage budget in AWS Budgets.
An environment consists of 100 Amazon EC2 Windows instances. The Amazon CloudWatch agent is deployed and running on all EC2 instances with a baseline configuration file to capture log files. There is a new requirement to capture the DHCP log files that exist on 50 of the instances.
What is the MOST operationally efficient way to meet this new requirement?
A. Create an additional CloudWatch agent configuration file to capture the DHCP logs. Use the AWS Systems Manager Run Command to restart the CloudWatch agent on each EC2 instance with the append-config option to apply the additional configuration file.
B. Log in to each EC2 instance with administrator rights. Create a PowerShell script to push the needed baseline log files and DHCP log files to CloudWatch.
C. Run the CloudWatch agent configuration file wizard on each EC2 instance. Verify that the baseline log files are included and add the DHCP log files during the wizard creation process.
D. Run the CloudWatch agent configuration file wizard on each EC2 instance and select the advanced detail level. This will capture the operating system log files.
A company's CloudOps engineer is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs.
What could be blocking the VPC flow logs from being published to CloudWatch Logs?
A. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateLogGroup permission.
B. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateExportTask permission.
C. The VPC is configured for IPv6 addresses.
D. The VPC is peered with another VPC in the AWS account.
A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.
What should a CloudOps engineer do to meet this requirement?
A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
A company is migrating a legacy application to AWS. The company manually installs and configures the legacy application on Amazon EC2 instances across multiple Availability Zones. The company sets up an Application Load Balancer (ALB) for the application. The company sets the target group routing algorithm to weighted random. The application requires session affinity.
After the company deploys the application, users report random application errors that were not present in the legacy version of the application. The target group health checks do not show any failures. The company must resolve the application errors.
Which solution will meet this requirement?
A. Set the routing algorithm of the target group to least outstanding requests.
B. Turn on anomaly mitigation for the target group.
C. Turn off the cross-zone load balancing attribute of the target group.
D. Increase the deregistration delay attribute of the target group.
A company is using an Amazon Aurora MySQL DB cluster that has point-in-time recovery, backtracking, and automatic backup enabled. A CloudOps engineer needs to be able to roll back the DB cluster to a specific recovery point within the previous 72 hours. Restores must be completed in the same production DB cluster.
Which solution will meet these requirements?
A. Create an Aurora Replica. Promote the replica to replace the primary DB instance.
B. Create an AWS Lambda function to restore an automatic backup to the existing DB cluster.
C. Use backtracking to rewind the existing DB cluster to the desired recovery point.
D. Use point-in-time recovery to restore the existing DB cluster to the desired recovery point.
A CloudOps engineer is troubleshooting an AWS CloudFormation stack creation that failed. Before the CloudOps engineer can identify the problem, the stack and its resources are deleted. For future deployments, the CloudOps engineer must preserve any resources that CloudFormation successfully created.
What should the CloudOps engineer do to meet this requirement?
A. Set the value of the DisableRollback parameter to False during stack creation.
B. Set the value of the OnFailure parameter to DO_NOTHING during stack creation.
C. Specify a rollback configuration that has a rollback trigger of DO_NOTHING during stack creation.
D. Set the value of the OnFailure parameter to ROLLBACK during stack creation.
A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. The company’s security team wants to protect the website by using AWS Certificate Manager (ACM) certificates. The load balancer must automatically redirect any HTTP requests to HTTPS.
Which solution will meet these requirements?
A. Create an Application Load Balancer that has one HTTPS listener on port 80. Attach an SSL/TLS certificate to listener port 80. Create a rule to redirect requests from HTTP to HTTPS.
B. Create an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS protocol listener on port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
C. Create an Application Load Balancer that has two TCP listeners on port 80 and port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
D. Create a Network Load Balancer that has two TCP listeners on port 80 and port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
A company runs a business application on more than 300 Linux-based instances. Each instance has the AWS Systems Manager Agent (SSM Agent) installed. The company expects the number of instances to grow in the future. All business application instances have the same user-defined tag.
A CloudOps engineer wants to run a command on all the business application instances to download and install a package from a private repository. To avoid overwhelming the repository, the CloudOps engineer wants to ensure that no more than 30 downloads occur at one time.
Which solution will meet this requirement in the MOST operationally efficient way?
A. Use a secondary tag to create 10 batches of 30 instances each. Use a Systems Manager Run Command document to download and install the package. Specify the target as part of the Run Command document by using the secondary tag. Run each batch one time.
B. Use an AWS Lambda function to automatically run a Systems Manager Run Command document that reads a list of instance IDs that have the user-defined tag. Set reserved concurrency for the Lambda function to 30.
C. Use a Systems Manager Run Command document to download and install the package. Use rate control to set concurrency to 30. Specify the target by using the user-defined tag as part of the Run Command document.
D. Use a parallel workflow state in AWS Step Functions to automatically run a Systems Manager Run Command document that reads a list of instance IDs that have the user-defined tag. Set the number of parallel states to 30. Run the Step Functions workflow 10 times.
A company uses Amazon Route 53 with latency-based routing across multiple AWS Regions to provide resiliency and to direct traffic to the nearest Region. Within each Region, weighted A records distribute traffic across multiple Availability Zones.
During a recent update, some Availability Zone endpoints became unhealthy. Route 53 continued to route traffic to the unhealthy endpoints. The company must prevent this issue from occurring in the future.
Which solution will meet this requirement?
A. Add a Route 53 health check for each of the weighted records that received traffic during the recent update.
B. Increase the weight of Route 53 records in the Region where traffic must go during updates.
C. Reconfigure all records to use latency-based routing across all Regions uniformly.
D. Reduce the TTL value for latency-based routing to detect changes more quickly.
A company must ensure that all Amazon EC2 Windows instances that are launched in an AWS account have a third-party agent installed. The company uses AWS Systems Manager, and the Windows instances are tagged appropriately. The company must deploy periodic updates to the third-party agent when the updates become available.
Which combination of steps will meet these requirements with the LEAST operational effort? (Choose two.)
A. Create a Systems Manager Distributor package for the third-party agent.
B. Create a Systems Manager OpsItem that includes the tag value for Windows. Attach the Systems Manager inventory to the OpsItem.
C. Create an AWS Lambda function. Program the Lambda function to log in to each instance and to install or update the third-party agent as needed.
D. Create a Systems Manager State Manager association to run the AWS-RunRemoteScript document. Populate the details of the third-party agent package.
E. Create a Systems Manager State Manager association to run the AWS-ConfigureAWSPackage document. Populate the details of the third-party agent package. Specify instance tags based on the appropriate tag value for Windows.
A company has deployed Amazon EC2 instances from custom Amazon Machine Images (AMIs) in two AWS Regions. The company registered all the instances with AWS Systems Manager.
The company discovers that the operating system on some instances has a significant zero-day exploit. However, the company does not know how many instances are affected.
A CloudOps engineer must implement a solution to deploy operating system patches for the affected EC2 instances.
Which solution will meet this requirement with the LEAST operational overhead?
A. Define a patch baseline in Systems Manager Patch Manager. Use a Patch Manager scan to identify the affected instances. Use the Patch Now option in each Region to update the affected instances.
B. Use AWS Config to identify the affected instances. Define a patch baseline in Systems Manager Patch Manager. Use the Patch Now option in Patch Manager to update the affected instances.
C. Create an Amazon EventBridge rule to react to Systems Manager Compliance events. Configure the EventBridge rule to run a patch baseline on the affected instances.
D. Use AWS Config to identify the affected instances. Update the existing EC2 AMIs with the desired patch. Manually launch instances from the new AMIs to replace the affected instances in both Regions.
A company hosts an FTP server on Amazon EC2 instances. In the company’s AWS environment, AWS Security Hub sends findings for the EC2 instances to Amazon EventBridge because the FTP port has become publicly exposed in the security groups that are attached to the instances.
A CloudOps engineer wants an automated solution to remediate the Security Hub finding and any similar exposed port findings. The CloudOps engineer wants to use an event-driven approach.
Which solution will meet these requirements?
A. Configure the existing EventBridge event to stop the EC2 instances that have the exposed port.
B. Create a cron job for the FTP server to invoke an AWS Lambda function. Configure the Lambda function to modify the security group of the identified EC2 instances and to remove the instances that allow public access.
C. Create a cron job for the FTP server that invokes an AWS Lambda function. Configure the Lambda function to modify the server to use SFTP instead of FTP.
D. Configure the existing EventBridge event to invoke an AWS Lambda function. Configure the function to remove the security group rule that allows public access.
A company plans to migrate several of its high-performance computing (HPC) virtual machines (VMs) to Amazon EC2 instances on AWS. A CloudOps engineer must identify a placement group strategy for this deployment. The strategy must minimize network latency and must maximize network throughput between the HPC VMs.
Which strategy should the CloudOps engineer choose to meet these requirements?
A. Deploy the instances in a cluster placement group in one Availability Zone.
B. Deploy the instances in a partition placement group in two Availability Zones.
C. Deploy the instances in a partition placement group in one Availability Zone.
D. Deploy the instances in a spread placement group in two Availability Zones.