A new application was just deployed by the deployment team on an Amazon EC2 instance that was launched in an Auto Scaling group. The Amazon EC2 instance is being monitored by the Operations Team using Amazon CloudWatch. The Team Lead should be contacted only when multiple metrics are in the ALARM state. The Auto Scaling group should scale in based on CPU utilization for cost optimization. What kind of alarm can be created to satisfy this need?
Question 2 of 50
1 point(s)
A startup company intends to use WordPress to create a blogging platform. This site will be hosted on Amazon EC2 and protected by an ALB. The Sysops Team has configured AWS WAF with Managed rules to secure this site. The Operations Team has noticed that some legitimate traffic to our site is being dropped and is seeking your assistance in resolving the issue. Which of the following can be set up to fix this problem?
Question 3 of 50
1 point(s)
You are a system administrator for a large financial corporation. You need to bring together the company’s compliance and security requirements, including numerous security, operational, and cost-cutting checks in AWS. Operational best practices for logging, S3, and EC2 should all be checked. Which of the following options is best for meeting the requirements?
Question 4 of 50
1 point(s)
A large financial firm has deployed its stock trading application in an Auto Scaling Group behind Application Load Balancer on an Amazon EC2 instance. The software team has created a new version of this program and is looking for your help to get it into production. The Operations head has ordered an Elastic Beanstalk deployment that will have no effect on the application’s service and will roll back swiftly if something goes wrong during the deployment. After deployment, only 10% of traffic should be diverted to the new version at first. Which deployment policies can be utilized to fulfill the requirement?
Question 5 of 50
1 point(s)
The Amazon CloudWatch agent is being used by an IT firm to collect system-level metrics from on-premises Linux servers. On these servers, a new application is installed. In addition to system data, the operations team is searching for particular KPIs for this application. What settings can be made in the Amazon CloudWatch agent to get application-specific metrics?
Question 6 of 50
1 point(s)
A startup company intends to save all of its user data in an Amazon S3 bucket. These Amazon S3 buckets will be subject to resource policy. The Operations Head has asked the team to evaluate resource policies before implementing them in production to avoid any negative impact on users. The Operations Team is testing resource policies with the AWS IAM policy simulator. When testing, the operations team receives an error message that says, “Cannot access the resource policy.” To resolve the error message, what checks can be carried out? (Choose two options).
Question 7 of 50
1 point(s)
Your team intends to set up an Amazon ElastiCache for Redis distributed in-memory data store. M5 is the Redis node type. Your supervisor has asked you to make sure the Redis datastore is fast and has low network latency. Which of the following options is most helpful in achieving the goal?
Question 8 of 50
1 point(s)
As an AWS system administrator, you must manage CloudFormation templates used to deploy an application in different AWS Regions. Because the AMI ID varies by Region, each AWS Region currently has its own CloudFormation template. The AMI ID should be parameterized so that the same CloudFormation template can be used for different AWS Regions. Which of the following alternatives is the most appropriate?
Question 9 of 50
1 point(s)
Amazon EC2 instances are used to host a critical financial application. Amazon CloudWatch Alarms are used to inform Amazon SNS topics when the CPU utilization of an Amazon EC2 instance surpasses 70%. Before deploying EC2 instances to production, the team leader wants to test these alarms.
How could a Sysops administrator evaluate Amazon CloudWatch Alarms in the most efficient manner possible?
Question 10 of 50
1 point(s)
A startup company has set up an Amazon S3 bucket as a static website with the domain name test.com. The deployment team is seeking your input to generate a suitable record in Amazon Route 53. They are also on the lookout for TTL values that can be assigned to these data. Within Amazon Route 53, which of the following can be utilized to create records?
Question 11 of 50
1 point(s)
On the Amazon Aurora cluster, an e-commerce company has implemented a query-intensive application. For scalability, Amazon RDS Proxy is utilized in conjunction with the Amazon Aurora cluster. Data from these clusters are being read slowly, according to operations staff. You have been given the task of analyzing and improving read performance. Which of the following services could be developed to make read queries more scalable?
Question 12 of 50
1 point(s)
An IT company used an Amazon EC2 instance to deploy web apps. The operations team does not have the authority to restart an Amazon EC2 instance. The Operations Head is looking for a way for team members to restart EC2 instances using AWS Systems Manager runbooks, and he would like your help setting up the necessary rights. There should be no deviations from the least privilege access standards the Security Team defines when issuing permissions. Which permissions must be granted for members to be able to restart the EC2 instance?
Question 13 of 50
1 point(s)
You are helping a team build out its AWS infrastructure by setting up an AWS Direct Connect dedicated network connection with AWS VPN. BGP connections will be established between AWS Direct Connect and the customer network’s router. Which of the following statements about this network design is correct?
Question 14 of 50
1 point(s)
A web application for a global corporation has been launched using AWS infrastructure. This application is vital to the firm and must be protected from DDoS attacks. The Security Head is looking for worldwide DDoS patterns across AWS resources so that the company’s security requirements may be strengthened and resources can be protected from DDoS attacks. Which of the following can be used to keep track of DDoS attacks?
Question 15 of 50
1 point(s)
A large e-commerce furniture manufacturer uses a Web application backed by Application Load Balancer. ALB calls a Lambda function depending on the query parameter key in the client request’s HTTP headers. When customers use this app to search for products with size and color options, they only get results for one of the possibilities, not both. The Marketing Team is working to find a rapid fix for this issue. Which of the following steps can be taken to address the issue?
Question 16 of 50
1 point(s)
Your team is working on a new big data analysis application, and they need you to set up an Amazon EFS file system using the General Purpose performance mode. During testing, the file system was found to have performance problems. The file system’s PercentIOLimit CloudWatch metric is usually at 100 percent. To overcome this, which of the following actions should you take?
Question 17 of 50
1 point(s)
As an AWS System Administrator in a large enterprise, you require an AWS service to automate the generation of AMIs through a common process. Custom settings and scripts must be set up in the images. Additionally, the images will be distributed across multiple AWS Regions for various AWS accounts. How would you go about putting this into action?
Question 18 of 50
1 point(s)
As an AWS system administrator, you must build a new trail in AWS CloudTrail that will capture both management and data events. The trail logs should also be delivered to a log stream in a new CloudWatch Logs log group. AWS CloudTrail will need to assume an IAM role to do so. The IAM role should have which of the following IAM permissions? (Choose two options).
Question 19 of 50
1 point(s)
For configuration management, a leading bank has deployed servers utilizing AWS OpsWorks Stacks. These servers have financial software installed, which is crucial for this bank. Users from the operations team working on these servers should only be able to deploy instances in an AWS OpsWorks Stack and not be able to clone stacks, according to security guidelines. To achieve this criterion, what combination of procedures should a Sysops administrator take? (Choose two options).
Question 20 of 50
1 point(s)
As a system administrator, you set up several web ACLs in AWS WAF. To see if the ACLs are working as expected, you will need extensive logs of traffic evaluated by the web ACLs. The logs should include request details and the action taken if a request matches a rule. Which of the following sets of tasks must you complete? (Choose two options).
Question 21 of 50
1 point(s)
The AWS Fargate Launch type is used to launch an ECS cluster that runs on Docker containers. The Operations Team is looking for traffic logs between each activity and has enlisted your help in gathering them. Which interface should VPC flow logs be applied to meet this requirement?
Question 22 of 50
1 point(s)
To deploy mobile applications, a telecom business is leveraging Amazon EBS-backed EC2 instances. As per audit rules, data on EBS volumes must be backed up every week. Every Friday at 10 p.m., the organization intends to perform EBS Snapshots. They intend to use Amazon EventBridge to automate scheduling. Which of the following Amazon EventBridge setups can be used to achieve this requirement?
Question 23 of 50
1 point(s)
A pharma business has installed a new web application on many Amazon EC2 instances secured by AWS WAF behind an Application Load Balancer. The Security Operations team noticed spam traffic from a specific IP address and advised you to ban it immediately. Further investigation revealed that this IP address is using the proxy server to access online apps. Which is the most appropriate rule to use to achieve this requirement?
Question 24 of 50
1 point(s)
An AWS Organization includes Account A and Account B. Account A’s non-default VPC subnets must be shared with Account B, and the sysops administrator intends to do so using AWS RAM; however, because this is a PoC (proof of concept), the security team has advised against enabling sharing across all accounts within AWS Organizations. What should be done to allow Account A and B to share a subnet?
Question 25 of 50
1 point(s)
You want to configure multiple security tools in your AWS account, including Amazon Inspector and Amazon GuardDuty, to defend apps against attacks and monitor the security state of AWS resources. The security team has several criteria. Which of the following requirements should Amazon Inspector be used for?
Question 26 of 50
1 point(s)
You are in charge of keeping AWS resources up to date. Your AWS Organization has enabled CloudTrail, and events have been routed to a CloudWatch Log group. You want to use the CloudTrail logs to track EC2 security group configuration changes, and any security group change events should set off a CloudWatch alarm. What would be the simplest way to set this up?
Question 27 of 50
1 point(s)
To deploy its applications, a startup company uses an Amazon EC2 instance established in Amazon VPC. AWS Systems Manager is being used to view and automate operational tasks for AWS resources. According to the Security Team, all traffic flow between AWS Systems Manager and managed instances launched in AWS must be highly secure. What configuration can be utilized to ensure the security of this connection?
Question 28 of 50
1 point(s)
A worldwide pharmaceutical company has implemented multiple three-tier applications on AWS resources in the eu-central-1 region. A new Operations Team has been established to address and investigate all operational and security problems relating to these AWS resources. The Operations Director wants to centralize operational and security issues in one place to make it easier for operations teams to do their jobs. Senior management would also like a report on all AWS resources and accounts for operational and security issues. What services are available to satisfy this need? (Choose three options).
Question 29 of 50
1 point(s)
You are using Amazon Elasticsearch Service (Amazon ES) to set up an Elasticsearch cluster. Once the Amazon ES domain has been configured, you intend to view the data using the default Kibana instance provided by Amazon ES. The security team expresses concern about how to manage Kibana access. How would you correctly approach the issue?
Question 30 of 50
1 point(s)
A startup company launched an application on an EC2 instance with all application data saved on EBS General Purpose volumes. This program will be used in other parts of the world, according to the company. Before deploying to a new region, the IT Manager searches for ideas to make the best use of EBS volumes for the current application and save money. Which of the following services may you use as a Sysops administrator?
Question 31 of 50
1 point(s)
Amazon EC2 instances are used to host a key financial application. Amazon CloudWatch Alarms are used to inform Amazon SNS topics when the CPU utilization of an Amazon EC2 instance surpasses 70%. Before deploying EC2 instances to production, the team leader wants to test these alarms. How could a Sysops administrator evaluate Amazon CloudWatch Alarms in the most efficient manner possible?
Question 32 of 50
1 point(s)
When accessing the Amazon RDS database data, an online grocery delivery service uses credentials maintained in AWS Secrets Manager. The Security Team intends to start a secret credential rotation for the Amazon RDS database. They are looking for suggestions for a successful complete rotation of secrets for networking preparedness.
Which of the following statements about the networking requirements for rotating secrets is TRUE? (Choose two options).
Question 33 of 50
1 point(s)
Some of an engineering firm’s services were recently transferred to AWS infrastructure. AWS SSO is required for on-premises AD (Active Directory) users to access AWS resources, business applications, and GitHub. You have been tasked as a Sysops Administrator with establishing connectivity between on-premises AD and AWS SSO. Which of the following actions can be taken to satisfy this criterion? (Choose two options).
Question 34 of 50
1 point(s)
You are helping a team build out its AWS infrastructure by setting up an AWS Direct Connect dedicated network connection with AWS VPN. BGP connections will be established between AWS Direct Connect and the customer network’s router. Which of the following statements about this network design is correct?
Question 35 of 50
1 point(s)
AWS Systems Manager is used by an engineering business to manage Amazon EC2 instance operations. SSM agents on the EC2 instance communicate with AWS Systems Manager over the interface VPC endpoint. Operations teams using Session Manager cannot connect to this Amazon EC2 instance. You have been tasked with resolving this connectivity issue. To remedy this issue, what extra interface endpoints must be created?
Question 36 of 50
1 point(s)
A startup company intends to use WordPress to create a blogging platform. This site will be hosted on Amazon EC2 and protected by an ALB. The Sysops Team has configured AWS WAF with Managed rules to secure this site. The Operations Team has noticed that some legitimate traffic to our site is being dropped and is seeking your assistance in resolving the issue. Which of the following can be set up to fix this problem?
Question 37 of 50
1 point(s)
You work for a finance firm as an AWS administrator. You gain access to all of the Trusted Advisor inspections and suggestions with the AWS Business Support package. One month ago, Trusted Advisor detected a security problem with an EC2 instance Security Group. However, it was not until a recent security breach that the team became aware of the problem. You must now set up weekly email notifications for the outcomes of the Trusted Advisor check. Which of the following methods is the easiest to implement?
Question 38 of 50
1 point(s)
You have enabled Amazon GuardDuty as an AWS System Administrator to discover and detect security risks in your AWS account continuously. You must also implement appropriate preventive measures in response to various types of security findings. When an EC2 instance is subjected to brute force attacks, the SSH port in the security group is automatically closed as a precaution. What would be the best method to configure numerous precautionary actions?
Question 39 of 50
1 point(s)
A significant engineering firm just switched to Amazon FSx for Windows File Server for file storage. Multiple users and external vendors often access this general-purpose file share, and it stores a huge amount of data. The Accounts Team has expressed concern about the high post-migration costs. The Operations Manager has tasked you, as a Sysops administrator, with examining the Amazon FSx deployment settings to cut costs while maintaining performance.
For this requirement, which of the following can be configured on Amazon FSx for Windows File Server?
Question 40 of 50
1 point(s)
A new gaming application is being deployed on an Amazon EC2 instance. An AMI from the marketplace is used to build Amazon EC2 instances. The application retrieves data from various general-purpose EBS volumes attached to this instance. As a disaster recovery step, the application deployment team is looking for a backup of all data in these EBS volumes. As a Sysops administrator, you intend to utilize Amazon Data Lifecycle Manager to create snapshots of all the EBS volumes attached to the Amazon EC2 instance with a single Amazon Data Lifecycle Manager lifecycle policy.
To achieve this requirement, which of the following parameters should be used when defining the lifecycle policy?
Question 41 of 50
1 point(s)
In the us-west-1 region, a startup company has deployed a web application on numerous Amazon EC2 machines behind an application load balancer. SSL certificate provisioning and management is handled by ALB, which is connected with AWS ACM (AWS Certificate Manager). In the ap-south-1 region, an identical setup is expected to be implemented. In this region, you are responsible for AWS ACM readiness. What AWS ACM setting will meet this requirement?
Question 42 of 50
1 point(s)
Your customer owns a SAML 2.0 Active Directory Federation Services (ADFS) server. The customer wants federated users to be able to log in to the AWS Management Console. To configure it, you must create an IAM role that identifies the IdP server for federation purposes. How would you set up the IAM role’s trusted entity principal?
Question 43 of 50
1 point(s)
Unexpectedly, the security team discovered that an IAM role is shared with an external organization. To detect similar issues, your manager requests that you configure a system for detecting unwanted access to resources and data for IAM, S3, KMS, and Secrets Manager. Which of the AWS services listed below would you use to configure it?
Question 44 of 50
1 point(s)
A large financial firm has deployed its stock trading application in an Auto Scaling Group behind Application Load Balancer on an Amazon EC2 instance. The software team has created a new version of this program and is looking for your help to get it into production. The Operations head has ordered an Elastic Beanstalk deployment that will have no effect on the application’s service and will roll back swiftly if something goes wrong during the deployment. After deployment, only 10% of traffic should be diverted to the new version at first.
Which deployment policies can be utilized to fulfill the requirement?
Question 45 of 50
1 point(s)
In the us-east-1 Region, an engineering business has created a centralized Amazon S3 bucket. Users from Europe and North America use this bucket to upload huge project-related documents. These are extremely important project documents. The Project Director has given the order to upload these materials as quickly as possible. Which combination of steps will most effectively optimize data uploading for all users? (Choose two options).
Question 46 of 50
1 point(s)
AWS Security Hub must be configured to provide a comprehensive picture of AWS security state and to compare AWS Organizations to industry-based security standards. The CIS AWS Foundations Benchmark and PCI DSS security standards should be included in the Security Hub. Which of the following steps must be completed before AWS Security Hub may be enabled?
Question 47 of 50
1 point(s)
A multinational IT organization uses a huge number of AWS accounts for various projects. AWS Organizations encompasses all of these accounts. The Operations Team is having trouble enforcing regulations and finding non-conforming resources across all of these accounts. The Operations team needs your help to automate policy management for this multi-account arrangement.
To achieve this requirement, which of the following services should be used in conjunction with AWS Organizations?
Question 48 of 50
1 point(s)
For accessing data from the Amazon RDS database, a mobile application uses credentials maintained in AWS Secrets Manager. To fulfill audit compliance, the security manager has requested that you change the AWS KMS keys used to encrypt secrets in AWS Secrets Manager. Using the Secrets Manager console, you changed the AWS KMS CMK.
Before new encryption keys may be used, which of the following extra setups must be completed?
Question 49 of 50
1 point(s)
AWS KMS is used to encrypt data in Amazon RDS and application data in Amazon EBS volumes for a three-tier application. The security staff has been directed to rotate CMKs by activating automated key rotation to comply with security rules. Management is concerned about the workload after the CMKs have been rotated.
Which of the following CMK rotation assertions is TRUE?
Question 50 of 50
1 point(s)
For a micro-service application, your team is constructing a Lambda function. Messages must be sent to an SQS queue by the Lambda function. It also pulls messages from the queue and deletes some of them if the data in the messages are wrong. The Lambda IAM execution role should have which of the following SQS permissions? (Choose three options).