Deleted test, you may be interested in: SysOpsGG_02
Test title: SysOpsGG_02
Description: More about SysOps
Author: GonGG
Creation date: 13/09/2024
Category: Other
Number of questions: 55
Syllabus:
1. A SysOps administrator creates a custom Amazon Machine Image (AMI) in the eu-west-2 Region and uses the AMI to launch Amazon EC2 instances. The SysOps administrator needs to use the same AMI to launch EC2 instances in two other Regions: us-east-1 and us-east-2.
What must the SysOps administrator do to use the custom AMI in the additional Regions?
A. Copy the AMI to the additional Regions.
B. Make the AMI public in the Community AMIs section of the AWS Management Console.
C. Share the AMI to the additional Regions. Assign the required access permissions.
D. Copy the AMI to a new Amazon S3 bucket. Assign access permissions to the AMI for the additional Regions.

2. AnyCompany has acquired Example Corp and is attempting to consolidate the business systems of both companies. AnyCompany's IT department needs to integrate with Example Corp's IT ticketing system. A SysOps administrator must implement a solution that uses Amazon CloudWatch alarms for Amazon EC2 instances in AnyCompany's account to create new tickets in Example Corp's ticketing system. The ticketing system provides an HTTPS endpoint for the creation of new tickets. The ticketing system accepts messages in the following JSON format:
    {
      "id": "c4c1c1c9-6542-e61b-6ef0-8c4d36933a92",
      "time": "2019-10-02T17:04:40Z",
      "InstanceId": "i-12345678901234567"
    }
Which approach to creating tickets from the CloudWatch alarms will meet these requirements with the LEAST development time?
A. Create an Amazon EventBridge rule that filters appropriate events and specifies EventBridge API destinations as a target. Configure EventBridge API destinations to send events to the HTTPS endpoint. In the EventBridge rule, create an input transformer to convert the source to a compatible output for the ticketing system.
B. Create an Amazon EventBridge rule that filters appropriate events and specifies an Amazon Kinesis data stream as the target. Create an AWS Lambda function to receive events from the Kinesis data stream. Configure the Lambda function to start an AWS Glue job to transform the data and forward the output to the HTTPS endpoint.
C. Create an Amazon EventBridge rule that filters appropriate events and specifies Amazon Simple Notification Service (Amazon SNS) as a target. Configure Amazon SNS to transform the events and send the events to the HTTPS endpoint.
D. Create an Amazon EventBridge rule that filters appropriate events and specifies an AWS Step Functions state machine as a target. Create an AWS Lambda function and an AWS Glue job in Step Functions to transform the events and send the events to the HTTPS endpoint.

3. An AWS CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted.
How can this be achieved in a reliable and efficient way?
A. Write a script to continue backing up the RDS instance every five minutes.
B. Create an AWS Lambda function to take a snapshot of the RDS instance, and manually invoke the function before deleting the stack.
C. Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance.
D. Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack.

4. A company website contains a web tier and a database tier on AWS. The web tier consists of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones. The database tier runs on an Amazon RDS for MySQL Multi-AZ DB instance. The database subnet network ACLs are restricted to only the web subnets that need access to the database. The web subnets use the default network ACL with the default rules. The company's operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error message states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups.
Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Choose two.)
A. On the default ACL, create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.
B. On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify the destinations as the database subnets.
C. On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
D. On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
E. On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.

5. A SysOps administrator is preparing to deploy an application to Amazon EC2 instances that are in an Auto Scaling group. The application requires dependencies to be installed. Application updates are issued weekly. The SysOps administrator needs to implement a solution to incorporate the application updates on a regular basis. The solution also must conduct a vulnerability scan during Amazon Machine Image (AMI) creation.
What is the MOST operationally efficient solution that meets these requirements?
A. Create a script that uses Packer. Schedule a cron job to run the script.
B. Install the application and its dependencies on an EC2 instance. Create an AMI of the EC2 instance.
C. Use EC2 Image Builder with a custom recipe to install the application and its dependencies.
D. Invoke the EC2 CreateImage API operation by using an Amazon EventBridge scheduled rule.

6. A SysOps administrator has been able to consolidate multiple, secure websites onto a single server, and each site is running on a different port. The administrator now wants to start a duplicate server in a second Availability Zone and put both behind a load balancer for high availability.
What would be the command line necessary to deploy one of the sites' certificates to the load balancer?
A. aws kms modify-listener --load-balancer-name my-load-balancer --certificates CertificateArn=arn:aws:iam::123456789012:server-certifiate/my-new-server-cert
B. aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-server-cert
C. aws ec2 put-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-server-cert
D. aws acm put-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-server-cert

7. A company migrates a write-once, read-many (WORM) drive to an Amazon S3 bucket that has S3 Object Lock configured in governance mode. During the migration, the company copies unneeded data to the S3 bucket. A SysOps administrator attempts to delete the unneeded data from the S3 bucket by using the AWS CLI. However, the SysOps administrator receives an error.
Which combination of steps should the SysOps administrator take to successfully delete the unneeded data? (Choose two.)
A. Increase the Retain Until Date.
B. Assume a role that has the s3:BypassLegalRetention permission.
C. Assume a role that has the s3:BypassGovernanceRetention permission.
D. Include the x-amz-bypass-governance-retention:true header in the request when issuing the delete command.
E. Include the x-amz-bypass-legal-retention:true header in the request when issuing the delete command.

8. A company has an application that uses an Amazon Elastic File System (Amazon EFS) file system. A recent incident that involved an application logic error corrupted several files. The company wants to improve its ability to back up and recover the EFS file system. The company must be able to recover individual files rapidly.
Which solution meets these requirements MOST cost-effectively?
A. Configure Amazon Data Lifecycle Manager (Amazon DLM) to archive a copy of the data to an Amazon S3 Glacier vault. Use S3 Glacier retrieval requests to retrieve individual files.
B. Create a second EFS file system in another AWS Region. Configure AWS DataSync to copy the data to the backup file system. Recover files by copying them from the backup EFS file system.
C. Enable AWS Backup in Amazon EFS to back up the file system to an Amazon S3 Glacier vault. Use S3 Glacier retrieval requests to retrieve individual files.
D. Enable AWS Backup in Amazon EFS to back up the file system to a backup vault. Use a partial restore job to retrieve individual files.

9. A SysOps administrator is creating a simple, public-facing website running on Amazon EC2. The SysOps administrator created the EC2 instance in an existing public subnet and assigned an Elastic IP address to the instance. Next, the SysOps administrator created and applied a new security group to the instance to allow incoming HTTP traffic from 0.0.0.0/0. Finally, the SysOps administrator created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet.
What is the cause of this issue?
A. The SysOps administrator did not create an outbound rule that allows ephemeral port return traffic in the new network ACL.
B. The SysOps administrator did not create an outbound rule in the security group that allows HTTP traffic from port 80.
C. The Elastic IP address assigned to the EC2 instance has changed.
D. There is an additional network ACL associated with the subnet that includes a rule that denies inbound HTTP traffic from port 80.

10. A SysOps administrator needs to design a disaster recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The application uses an Amazon Aurora PostgreSQL database. The recovery time objective (RTO) and recovery point objective (RPO) are 15 minutes each.
Which combination of steps should the SysOps administrator take to meet these requirements MOST cost-effectively? (Choose two.)
A. Configure Aurora backups to be exported to the DR Region.
B. Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.
C. Configure the DR Region with an ALB and an Auto Scaling group. Use the same configuration as in the primary Region.
D. Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group's minimum capacity, maximum capacity, and desired capacity to 1.
E. Manually launch a new ALB and a new Auto Scaling group by using AWS .

11. A SysOps administrator needs to collect the content of log files from a custom application that is deployed across hundreds of Amazon EC2 instances running Ubuntu. The log files need to be stored in Amazon CloudWatch Logs.
How should the SysOps administrator collect the application log files with the LOWEST operational overhead?
A. Configure the syslogd service on each EC2 instance to collect and send the application log files to CloudWatch Logs.
B. Install the CloudWatch agent by using the Amazon Linux package manager on each EC2 instance. Configure each agent to collect the application log files.
C. Install the CloudWatch agent on each EC2 instance by using AWS Systems Manager. Create an agent configuration on each instance by using the CloudWatch configuration wizard. Configure each agent to collect the application log files.
D. Store a CloudWatch agent configuration in the AWS Systems Manager Parameter Store. Install the CloudWatch agent on each EC2 instance by using Systems Manager. Configure each agent to collect the application log files.

12. A company manages a set of accounts on AWS by using AWS Organizations. The company's security team wants to use a native AWS service to regularly scan all AWS accounts against the Center for Internet Security (CIS) AWS Foundations Benchmark.
What is the MOST operationally efficient way to meet these requirements?
A. Designate a central security account as the AWS Security Hub administrator account. Create a script that sends an invitation from the Security Hub administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure Security Hub to run the CIS AWS Foundations Benchmark scans.
B. Run the CIS AWS Foundations Benchmark across all accounts by using Amazon Inspector.
C. Designate a central security account as the Amazon GuardDuty administrator account. Create a script that sends an invitation from the GuardDuty administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure GuardDuty to run the CIS AWS Foundations Benchmark scans.
D. Designate an AWS Security Hub administrator account. Configure new accounts in the organization to automatically become member accounts. Enable CIS AWS Foundations Benchmark scans.

13. A company has turned on server access logging for all of its existing Amazon S3 buckets. The company wants to implement a solution to monitor the logging settings for new and existing S3 buckets. The solution must remediate any S3 buckets that do not have logging turned on.
What should a SysOps administrator do to meet these requirements in the MOST operationally efficient way?
A. Track the logging information by using AWS CloudTrail. Launch an AWS Lambda function for remediation.
B. Configure automatic remediation in AWS Config by using the s3-bucket-logging-enabled rule.
C. Configure AWS Trusted Advisor to monitor the logging configuration and to turn on access logging if necessary.
D. Track the logging information by using Amazon CloudWatch metrics. Launch an AWS Lambda function for remediation.

14. A SysOps administrator is setting up a fleet of Amazon EC2 instances in an Auto Scaling group for an application. The fleet should have 50% CPU available at all times to accommodate bursts of traffic. The load will increase significantly between the hours of 09:00 and 17:00, 7 days a week.
How should the SysOps administrator configure the scaling of the EC2 instances to meet these requirements?
A. Create a target tracking scaling policy that runs when the CPU utilization is higher than 90%.
B. Create a target tracking scaling policy that runs when the CPU utilization is higher than 50%. Create a scheduled scaling policy that ensures that the fleet is available at 09:00. Create a second scheduled scaling policy that scales in the fleet at 17:00.
C. Set the Auto Scaling group to start with 2 instances by setting the desired instances, maximum instances, and minimum instances to 2. Create a scheduled scaling policy that ensures that the fleet is available at 09:00.
D. Create a scheduled scaling policy that ensures that the fleet is available at 09:00. Create a second scheduled scaling policy that scales in the fleet at 17:00.

15. A company recently deployed MySQL on an Amazon EC2 instance with a default boot volume. The company intends to restore a 1.75 TB database. A SysOps administrator needs to provision the correct Amazon Elastic Block Store (Amazon EBS) volume. The database will require read performance of up to 10,000 IOPS and is not expected to grow in size.
Which solution will provide the required performance at the LOWEST cost?
A. Deploy a 2 TB Cold HDD (sc1) volume.
B. Deploy a 2 TB Throughput Optimized HDD (st1) volume.
C. Deploy a 2 TB General Purpose SSD (gp3) volume. Set the IOPS to 10,000.
D. Deploy a 2 TB Provisioned IOPS SSD (io2) volume. Set the IOPS to 10,000.

16. A company recently moved its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch metrics to track instance memory utilization and available disk space.
What should a SysOps administrator do to meet these requirements?
A. Configure CloudWatch from the AWS Management Console for all the instances that require monitoring by CloudWatch. AWS automatically installs and configures the agents for the specified instances.
B. Install and configure the CloudWatch agent on all the instances. Attach an IAM role to allow the instances to write logs to CloudWatch.
C. Install and configure the CloudWatch agent on all the instances. Attach an IAM user to allow the instances to write logs to CloudWatch.
D. Install and configure the CloudWatch agent on all the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch.

17. A SysOps administrator needs to create alerts that are based on the read and write metrics of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to an Amazon EC2 instance. The SysOps administrator creates and enables Amazon CloudWatch alarms for the DiskReadBytes metric and the DiskWriteBytes metric. A custom monitoring tool that is installed on the EC2 instance with the same alarm configuration indicates that the volume metrics have exceeded the threshold. However, the CloudWatch alarms were not in ALARM state.
Which action will ensure that the CloudWatch alarms function correctly?
A. Install and configure the CloudWatch agent on the EC2 instance to capture the desired metrics.
B. Install and configure AWS Systems Manager Agent on the EC2 instance to capture the desired metrics.
C. Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EBS volumes.
D. Reconfigure the CloudWatch alarms to use the VolumeReadBytes metric and the VolumeWriteBytes metric for the EC2 instance.

18. A company is migrating its production file server to AWS. All data that is stored on the file server must remain accessible if an Availability Zone becomes unavailable or when system maintenance is performed. Users must be able to interact with the file server through the SMB protocol. Users also must have the ability to manage file permissions by using Windows ACLs.
Which solution will meet these requirements?
A. Create a single AWS Storage Gateway file gateway.
B. Create an Amazon FSx for Windows File Server Multi-AZ file system.
C. Deploy two AWS Storage Gateway file gateways across two Availability Zones. Configure an Application Load Balancer in front of the file gateways.
D. Deploy two Amazon FSx for Windows File Server Single-AZ 2 file systems. Configure Microsoft Distributed File System Replication (DFSR).

19. A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys. The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.
Which solution will securely share the AMI with the other AWS accounts?
A. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
B. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
C. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to make it public.
D. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.

20. A company's VPC has connectivity to an on-premises data center through an AWS Site-to-Site VPN. The company needs Amazon EC2 instances in the VPC to send DNS queries for example.com to the DNS servers in the data center.
Which solution will meet these requirements?
A. Create an Amazon Route 53 Resolver inbound endpoint. Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the inbound endpoints.
B. Create an Amazon Route 53 Resolver inbound endpoint. Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS servers. Associate this rule with the VPC.
C. Create an Amazon Route 53 Resolver outbound endpoint. Create a conditional forwarding rule on the on-premises DNS servers to forward DNS requests for example.com to the outbound endpoints.
D. Create an Amazon Route 53 Resolver outbound endpoint. Create a forwarding rule on the resolver that sends all queries for example.com to the on-premises DNS servers. Associate this rule with the VPC.

21. A company's SysOps administrator maintains a highly available environment. The environment includes Amazon EC2 instances and an Amazon RDS Multi-AZ database. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. Recently, the company conducted a failover test. The SysOps administrator needs to decrease the failover time of the RDS database by at least 10%.
Which solution will meet this requirement?
A. Increase the RDS instance size.
B. Modify the RDS cluster to run in a single Availability Zone.
C. Create a read replica in another AWS Region. Promote the read replica in case of failure.
D. Create an RDS proxy. Point the application to the proxy endpoint.

22. Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB. Other applications from an on-premises environment cannot communicate with Application A on port 8080. To troubleshoot the issue, a SysOps administrator analyzes the flow logs. The flow logs include the following records:
    2 12345678910 eni-1235b8ca123456789 192.168.0.13 172.31.16.139 59003 8080 1 4 336 1432917027 1432917142 ACCEPT OK
    2 12345678910 eni-1235b8ca123456789 172.31.16.139 192.168.0.13 8080 59003 1 4 336 1432917094 1432917142 REJECT OK
What is the reason for the rejected traffic?
A. The security group of the EC2 instances has no Allow rule for the traffic from the NLB.
B. The security group of the NLB has no Allow rule for the traffic from the on-premises environment.
C. The ACL of the on-premises environment does not allow traffic to the AWS environment.
D. The network ACL that is associated with the subnet does not allow outbound traffic for the ephemeral port range.

23. A SysOps administrator is helping a development team deploy an application to AWS. The AWS CloudFormation template includes an Amazon Linux EC2 instance, an Amazon Aurora DB cluster, and a hardcoded database password that must be rotated every 90 days.
What is the MOST secure way to manage the database password?
A. Use the AWS::SecretsManager::Secret resource with the GenerateSecretString property to automatically generate a password. Use the AWS::SecretsManager::RotationSchedule resource to define a rotation schedule for the password. Configure the application to retrieve the secret from AWS Secrets Manager to access the database.
B. Use the AWS::SecretsManager::Secret resource with the SecretString property. Accept a password as a CloudFormation parameter. Use the AllowedPattern property of the CloudFormation parameter to require a minimum length, uppercase and lowercase letters, and special characters. Configure the application to retrieve the secret from AWS Secrets Manager to access the database.
C. Use the AWS::SSM::Parameter resource. Accept input as a CloudFormation parameter to store the parameter as a secure string. Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database.
D. Use the AWS::SSM::Parameter resource. Accept input as a CloudFormation parameter to store the parameter as a string. Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database.

24. A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video files into the destination S3 bucket in the United States.
What are the MOST cost effective ways to increase upload speeds into the S3 bucket? (Choose two.)
A. Create multiple AWS Direct Connect connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
B. Create multiple AWS Site-to-Site VPN connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
C. Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket.
D. Use AWS Global Accelerator for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
E. Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.

25. A SysOps administrator configures an Amazon S3 gateway endpoint in a VPC. The private subnets inside the VPC do not have outbound internet access. A user logs in to an Amazon EC2 instance in one of the private subnets and cannot upload a file to an Amazon S3 bucket in the same AWS Region.
Which solution will solve this problem?
A. Update the EC2 instance role policy to include s3:PutObject access to the target S3 bucket.
B. Update the EC2 security group to allow outbound traffic to 0.0.0.0/0 for port 80.
C. Update the EC2 subnet route table to include the S3 prefix list destination routes to the S3 gateway endpoint.
D. Update the S3 bucket policy to allow s3:PutObject access from the private subnet CIDR block.

26. A SysOps administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units within the same company. All data must be encrypted at rest.
How should the administrator implement this process?
A. Write a script to download the encrypted snapshot, decrypt it using the AWS KMS encryption key used to encrypt the snapshot, then create a new volume in each account.
B. Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts.
C. Create an Amazon EC2 instance based on the snapshot, then save the instance's Amazon EBS volume as a snapshot and share it with the other accounts. Require each account owner to create a new volume from that snapshot and encrypt it.
D. Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RDP, export the database contents into a file, then share this file with the other accounts.

27. A company observes that a newly created Amazon CloudWatch alarm is not transitioning out of the INSUFFICIENT_DATA state. The alarm was created to track the mem_used_percent metric from an Amazon EC2 instance that is deployed in a public subnet. A review of the EC2 instance shows that the unified CloudWatch agent is installed and is running. However, the metric is not available in CloudWatch. A SysOps administrator needs to implement a solution to resolve this problem.
Which solution will meet these requirements?
A. Enable CloudWatch detailed monitoring for the EC2 instance.
B. Create an IAM instance profile that contains CloudWatch permissions. Add the instance profile to the EC2 instance.
C. Migrate the EC2 instance into a private subnet.
D. Create an IAM user that has an access key ID and a secret access key. Update the unified CloudWatch agent configuration file to use those credentials.

28. A company is uploading important files as objects to Amazon S3. The company needs to be informed if an object is corrupted during the upload.
What should a SysOps administrator do to meet this requirement?
A. Pass the Content-Disposition value as a request body during the object upload.
B. Pass the Content-MD5 value as a request header during the object upload.
C. Pass x-amz-object-lock-mode as a request header during the object upload.
D. Pass x-amz-server-side-encryption-customer-algorithm as a request body during the object upload.

29. A SysOps administrator needs to create a report that shows how many bytes are sent to and received from each target group member for an Application Load Balancer (ALB).
Which combination of steps should the SysOps administrator take to meet these requirements? (Choose two.)
A. Enable access logging for the ALB. Save the logs to an Amazon S3 bucket.
B. Install the Amazon CloudWatch agent on the instances in the target group.
C. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the target port field.
D. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the client port field.
E. Create an Amazon CloudWatch dashboard that shows the Sum statistic of the ProcessedBytes metric for the ALB.

30. A company runs thousands of Amazon EC2 instances that are based on the Amazon Linux 2 Amazon Machine Image (AMI). A SysOps administrator must implement a solution to record commands and output from any user that needs an interactive session on one of the EC2 instances. The solution must log the data to a durable storage location. The solution also must provide automated notifications and alarms that are based on the log data.
Which solution will meet these requirements with the MOST operational efficiency?
A. Configure command session logging on each EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up query filters and alerts by using Amazon Athena.
B. Require all users to use a central bastion host when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent on the bastion host to send session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
C. Require all users to use AWS Systems Manager Session Manager when they need command line access to an EC2 instance. Configure Session Manager to stream session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
D. Configure command session logging on each EC2 instance. Require all users to use AWS Systems Manager Run Command documents when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up CloudWatch alarms that are based on Amazon Athena query results.

31. A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A SysOps administrator must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company's accounts and cloud applications.
Which prerequisites must the SysOps administrator have so that the SysOps administrator can connect to the external IdP? (Choose two.)
A. A copy of the IAM Identity Center SAML metadata.
B. The IdP metadata including the public X.509 certificate.
C. The IP address of the IdP.
D. Root access to the management account.
E. Administrative permissions to the member accounts of the organization.

32. A company uses AWS CloudFormation to deploy its infrastructure. The company recently retired an application. A cloud operations engineer initiates CloudFormation stack deletion, and the stack gets stuck in DELETE_FAILED status. A SysOps administrator discovers that the stack had deployed a security group. The security group is referenced by other security groups in the environment. The SysOps administrator needs to delete the stack without affecting other applications.
Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create a new security group that has a different name. Apply identical rules to the new security group. Replace all other security groups that reference the new security group. Delete the stack.
B. Create a CloudFormation change set to delete the security group. Deploy the change set.
C. Delete the stack again. Specify that the security group be retained.
D. Perform CloudFormation drift detection. Delete the stack.

33. A company needs to monitor its website's availability to end users. The company needs a solution to provide an Amazon Simple Notification Service (Amazon SNS) notification if the website's uptime decreases to less than 99%. The monitoring must provide an accurate view of the user experience on the website.
Which solution will meet these requirements?
A. Create an Amazon CloudWatch alarm that is based on the website's logs that are published to a CloudWatch Logs log group. Configure the alarm to publish an SNS notification if the number of HTTP 4xx errors and 5xx errors exceeds a specified threshold.
B. Create an Amazon CloudWatch alarm that is based on the website's published metrics in CloudWatch. Configure the alarm to publish an SNS notification that is based on anomaly detection.
C. Create an Amazon CloudWatch Synthetics heartbeat monitoring canary. Associate the canary with the website's URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
D. Create an Amazon CloudWatch Synthetics broken link checker monitoring canary. Associate the canary with the website's URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.

34. A company needs to track spending in its AWS account. The company must receive a notification when current costs and forecasted costs exceed specific thresholds.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new IAM role. Attach the AWSPurchaseOrdersServiceRolePolicy AWS managed policy to the role. Check AWS Cost Explorer on a regular basis to monitor current costs and forecasted costs.
B. Create an AWS Cost and Usage Report. Create an AWS Step Functions state machine that runs when a new usage file is generated. Configure the state machine to pass the data to Amazon Forecast and to invoke an AWS Lambda function. Configure the Lambda function to parse the data and to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if costs exceed the thresholds.
C. Create an AWS Cost and Usage Report. Separate the current costs and forecasted costs by service. Schedule the report to be sent to an Amazon Simple Notification Service (Amazon SNS) topic each month.
D. Create a recurring cost budget in AWS Budgets. Create an alert for the actual cost. Create a second alert for the forecasted costs. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive the alerts.

35. A company uses a multi-account structure in the AWS Cloud. The company's environment includes a shared account for common resources. The environment also includes a development account for new application development. The company uses Amazon Route 53 for DNS management. The company manages all its Route 53 hosted zones from the shared account. A SysOps administrator needs to obtain a new SSL/TLS certificate for an application that is deployed in the development account.
What must the SysOps administrator do to meet this requirement?
A. Create a new AWS Key Management Service (AWS KMS) key in the shared account. Configure the key policy to give read access to the development account's root principal.
B. Request a new certificate by using AWS Certificate Manager (ACM) from the shared account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.
C. Request a new certificate by using AWS Certificate Manager (ACM) from the development account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.
D. Create a new AWS Key Management Service (AWS KMS) key in the development account. Configure the key policy to give read access to the shared account's root principal.
Use Route 53 from the shared account to create a validation record set that references the Amazon Resource Name (ARN) of the KMS key. A company's SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs. What could be blocking the VPC flow logs from being published to CloudWatch Logs? The IAM policy that is attached to the IAM role for the flow log is missing the logs CreateLogGroup permission The IAM policy that is attached to the IAM role for the flow log is missing the logs CreateExportTask permission The VPC is configured for IPv6 addresses The VPC is peered with another VPC in the AWS account. A company deploys a new application on three Amazon EC2 instances across three Availability Zones. The company uses a Network Load Balancer (NLB) to route traffic to the EC2 instances. A SysOps administrator must implement a solution so that the EC2 instances allow traffic from only the NLB. What should the SysOps administrator do to meet these requirements with the LEAST operational overhead? Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB Configure the security group that is associated with the EC2 instances to allow traffic from only the elastic network interfaces that are associated with the NLB Create a network ACL Associate the network ACL with the application subnets. Configure the network ACL to allow inbound traffic from only the CIDR ranges of the NLB Use a third-party firewall solution that is installed on a separate EC2 instance. Configure a firewall rule that allows traffic to the application's EC2 instances from only the subnets where the NLB is deployed. A company that uses ServiceNow has an AWS account where a sensitive workload runs. The necessary security groups are in place. 
The company needs to implement a solution to create an incident in ServiceNow every time the rules change in any security group. Which solution will meet this requirement with the LEAST operational effort? Create an Amazon CloudWatch alarm that enters ALARM state when security groups change. Configure the alarm to invoke an AWS Lambda function that connects to ServiceNow to create an incident. Enable AWS Security Hub. Create an AWS Lambda function that connects to ServiceNow to create an incident. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as Security Hub Findings - Custom Action. Configure the EventBridge rule to invoke the Lambda function. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as AWS API Call via CloudTrail. Configure the EventBridge rule to run the AWS-CreateServiceNowIncidentAWS Systems Manager Automation runbook to create an incident in ServiceNow. Launch an Amazon EC2 instance that has a persistent connection to ServiceNow to detect security group changes. Export AWS CloudTrail logs to the EC2 instance. Write a bash script to run a scheduled cron job every 30 minutes to search the CloudTrail logs for security groups changes. Configure the EC2 instance to create an incident in ServiceNow when a change is detected. A company needs to enforce tagging requirements for Amazon DynamoDB tables in its AWS accounts. A SysOps administrator must implement a solution to identify and remediate all DynamoDB tables that do not have the appropriate tags. Which solution will meet these requirements with the LEAST operational overhead? Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an Amazon EventBridge scheduled rule to invoke the Lambda function. Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an AWS Config custom rule to invoke the Lambda function. 
Use the required-tags AWS Config managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure an automatic remediation action that uses an AWS Systems Manager Automation custom runbook. Create an Amazon EventBridge managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure the EventBridge rule to run an AWS Systems Manager Automation custom runbook for remediation. . A company is preparing for a marketing campaign that will increase traffic to a new web application. The application uses Amazon API Gateway and AWS Lambda for the application logic. The application stores relevant user data in an Amazon Aurora MySQL DB cluster that has one Aurora Replica. Database queries for the application are 5% write and 95% read. What should a SysOps administrator do to scale the database when traffic increases? Configure Aurora Auto Scaling to add or remove Aurora Replicas in the cluster based on the average CPU utilization of the Aurora Replicas. Configure Aurora Auto Scaling to increase or decrease the size of the Aurora Replicas based on the average CPU utilization of the Aurora Replicas. Configure AWS Auto Scaling to monitor the Aurora cluster. Configure AWS Auto Scaling to add or remove Aurora Replicas in the cluster based on the average CPU utilization of the primary instance. Configure AWS Auto Scaling to monitor the Aurora cluster. Configure AWS Auto Scaling to add or remove Aurora Replicas in the cluster based on the average CPU utilization of the existing Aurora Replica. A company is using Amazon S3 to set up a temporary static website that is public. A SysOps administrator creates an S3 bucket by using the default settings. The SysOps administrator updates the S3 bucket properties to configure static website hosting. The SysOps administrator then uploads objects that contain content for index html and error html. 
When the SysOps administrator navigates to the website URL the SysOps administrator receives an HTTP Status Code 403: Forbidden (Access Denied) error. What should the SysOps administrator do to resolve this error? Create an Amazon Route 53 DNS entry Point the entry to the S3 bucket. Edit the S3 bucket permissions by turning off Block Public Access settings. Create a bucket policy to allow GetObject access on the S3 bucket. Edit the permissions on the index html and error html files for read access. Edit the S3 bucket permissions by turning off Block Public Access settings. Create a bucket policy to allow PutObject access on the S3 bucket. A company has internal hybrid applications that have resources in the AWS Cloud and on premises. Users report that the applications sometimes are not available. The company has configured an Amazon CloudWatch alarm to monitor the tunnel status of its AWS Site-to-Site VPN connection. A SysOps administrator must implement a solution that creates a high-priority ticket in an internal ticketing tool when the VPN tunnel is down. Which solution will meet this requirement? Create an Amazon Simple Notification Service (Amazon SNS) topic for the CloudWatch alarm. Subscribe the ticketing tool's endpoint to the SNS topic. Create an Amazon Simple Queue Service (Amazon SQS) queue as the target for the CloudWatch alarm. Configure the queue to transform messages into tickets and to post the tickets to the ticketing tool’s endpoint. Create an AWS Lambda function. Configure the CloudWatch alarm to directly invoke the Lambda function to create individual tickets in the ticketing tool. Create an Amazon EventBridge rule that monitors the VPN tunnel directly. Configure the ticketing tool’s endpoint as the target of the rule. A SysOps administrator is troubleshooting an AWS CloudFormation stack creation that failed. Before the SysOps administrator can identify the problem, the stack and its resources are deleted. 
For future deployments, the SysOps administrator must preserve any resources that CloudFormation successfully created. What should the SysOps administrator do to meet this requirement? Set the value of the DisableRollback parameter to False during stack creation Set the value of the OnFailure parameter to DO_NOTHING during stack creation Specify a rollback configuration that has a rollback trigger of DO_NOTHING during stack creation Set the value of the OnFailure parameter to ROLLBACK during stack creation. A company needs to implement a solution to install specific software on Amazon EC2 instances when the instances launch. Which solution will meet this requirement? Configure AWS Systems Manager State Manager associations to bootstrap the EC2 instances with the required software at launch. Use the Amazon CloudWatch agent to detect EC2 InstanceStart events and to inject the required software. Modify the InstanceRole IAM role to add permissions for the StartTask API operation. Use Amazon Inspector to detect EC2 launch events. Configure Amazon Inspector to install the required software as part of lifecycle hooks for theEC2launch events. Use AWS Security Hub remediation actions to install the required software at launch. A company is using Amazon CloudWatch alarms to monitor Amazon Elastic Kubernetes Service (Amazon EKS) workloads. The alarms are initiated through a threshold definition and are not helping the EKS cluster operate more efficiently. A SysOps administrator must implement a solution that identifies anomalies and generates recommendations for how to address the anomalies. Which solution will meet these requirements? Use CloudWatch anomaly detection to identify anomalies and provide recommendations Use CloudWatch Container Insights with Amazon DevOps Guru to identify anomalies and provide recommendations. 
Use CloudWatch Container Insights to identify anomalies and provide recommendations Use CloudWatch anomaly detection with CloudWatch Container Insights to identify anomalies and provide recommendations. A company is deploying an ecommerce application to an AWS Region that is located in France. The company wants users from only France to be able to access the first version of the application. The company plans to add more countries for the next version of the application. A SysOps administrator needs to configure the routing policy in Amazon Route 53. Which solution will meet these requirements? Use a geoproximity routing policy. Select France as the location in the record. Use a geolocation routing policy. Select France as the location in the record. Use an IP-based routing policy. Select all IP addresses that are allocated to France in the record. Use a geoproximity routing policy. Select all IP addresses that are allocated to France in the record. An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application. What is the MOST scalable storage solution to fulfill this requirement? Connect a large Amazon EBS volume to multiple instances and schedule snapshots. Deploy Amazon EFS in the VPC and create mount targets in multiple subnets. Launch an EC2 instance and share data using SMB/CIFS or NFS. Deploy an AWS Storage Gateway cached volume on Amazon EC2. A SysOps administrator has an AWS CloudFormation template of the company's existing infrastructure in us-west-2. The administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back. Why would this template fail to deploy? (Choose two.) 
The template referenced an IAM user that is not available in eu-west-1. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1. The template did not have the proper level of permissions to deploy the resources. The template requested services that do not exist in eu-west-1. CloudFormation templates can be used only to update existing services. A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources. Which solution will meet these requirements? Set up an AWS Config rule to alert based on changes to any CloudFormation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation. Set up an Amazon EventBridge event with a rule to initiate based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource Names (ARNs) of the protected resources. A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. 
A SysOps administrator must ensure that an on-premises server can query records in the example.com domain. What should the SysOps administrator do to meet these requirements? Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers. A media company hosts a public news and video portal on AWS. The portal uses an Amazon DynamoDB table with provisioned capacity to maintain an index of video files that are stored in an Amazon S3 bucket. During a recent event, millions of visitors came to the portal for news. This increase in traffic caused read requests to be throttled in the DynamoDB table. Videos could not be displayed in the portal. The company's operations team manually increased the provisioned capacity on a temporary basis to meet the demand. The company wants the operations team to receive an alert before the table is throttled in the future. The company has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the operations team's email address to the SNS topic. What should the company do next to meet these requirements? Create an Amazon CloudWatch alarm that uses the ConsumedReadCapacityUnits metric. Set the alarm threshold to a value that is close to the DynamoDB table's provisioned capacity. Configure the alarm to publish notifications to the SNS topic. Turn on auto scaling on the DynamoDB table. 
Configure an Amazon EventBridge rule to publish notifications to the SNS topic during scaling events. Turn on Amazon CloudWatch Logs for the DynamoDB table. Create an Amazon CloudWatch metric filter to pattern match the THROTTLING_EXCEPTION status code from DynamoDB. Create a CloudWatch alarm for the metric. Select the SNS topic for notifications. Configure the application to store logs in Amazon CloudWatch Logs. Create an Amazon CloudWatch metric filter to pattern match the THROTTLING_EXCEPTION status code from DynamoDB. Create a CloudWatch alarm for the metric. Select the SNS topic for notifications. A company has a cluster of Linux Amazon EC2 Spot Instances that read many files from and write many files to attached Amazon Elastic Block Store (Amazon EBS) volumes. The EC2 instances are frequently started and stopped. As part of the process when an EC2 instance starts, an EBS volume is restored from a snapshot. EBS volumes that are restored from snapshots are experiencing initial performance that is lower than expected. The company's workload needs almost all the provisioned IOPS on the attached EBS volumes. The EC2 instances are unable to support the workload when the performance of the EBS volumes is too low. A SysOps administrator must implement a solution to ensure that the EBS volumes provide the expected performance when they are restored from snapshots. Which solution will meet these requirements? Configure fast snapshot restore (FSR) on the snapshots that are used. Restore each snapshot onto an unencrypted EBS volume. Encrypt the EBS volume when the performance stabilizes. Format the EBS volumes as XFS file systems before restoring the snapshots. Increase the Linux read-ahead buffer to 1 MiB. A SysOps administrator receives an alert that a production Auto Scaling group has been scaled down to two Amazon EC2 instances. The Auto Scaling group was originally configured with a minimum capacity of three instances. 
However, the SysOps administrator confirms that the configuration now reflects a minimum capacity of two instances. Which AWS service will help identify who made the change? AWS Config Amazon Inspector Amazon Macie Amazon Cloud Watch Logs. A company hosts a continuous integration and continuous delivery (CI/CD) environment on AWS. The CI/CD environment includes a Jenkins server that is hosted on an Amazon EC2 instance. A 500 GB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume is attached to the EC2 instance. Because of disk throughput limitations, the Jenkins server reports performance issues that are resulting in slower builds on the server. The EBS volume needs to sustain 3,000 IOPS while performing nightly build tasks. A SysOps administrator examines the server's history in Amazon CloudWatch. The BurstBalance metric has had a value of 0 during nightly builds. The SysOps administrator needs to improve the performance and meet the sustained throughput requirements. Which solution will meet these requirements MOST cost-effectively? Double the gp2 EBS volume size from 500 GB to 1,000 GB. Change the volume type from gp2 to General Purpose SSD (gp3). Change the volume type from gp2 to Throughput Optimized HDD (st1). Change the volume type from gp2 to Provisioned IOPS SSD (io2). A SysOps administrator is responsible for a company's disaster recovery procedures. The company has a source Amazon S3 bucket in a production account, and it wants to replicate objects from the source to a destination S3 bucket in a nonproduction account. The SysOps administrator configures S3 cross-Region, cross-account replication to copy the source S3 bucket to the destination S3 bucket. When the SysOps administrator attempts to access objects in the destination S3 bucket, they receive an Access Denied error. Which solution will resolve this problem? Modify the replication configuration to change object ownership to the destination S3 bucket owner. 
Ensure that the replication rule applies to all objects in the source S3 bucket and is not scoped to a single prefix. Retry the request when the S3 Replication Time Control (S3 RTC) has elapsed. Verify that the storage class for the replicated objects did not change between the source S3 bucket and the destination S3 bucket. |