AWS Certified SysOps Administrator – Associate Practice Questions Second Edition Part 4

To launch AWS resources for an application, your team utilizes a CloudFormation template. On the template, the following script is used to initialize files and install packages in EC2 instances:
UserData:
Fn::Base64:
!Sub |
#!/bin/bash -xe
yum update -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v –stack ${AWS::StackName} –resource LaunchConfig –configsets packages_install –region us-east-1
In the us-east-1 region, the CloudFormation template works properly. The cfn-init assistance script returns an error when using the same template in the us-west-1 region. What changes would you make to the script to make the CloudFormation template portable across AWS regions?

Through AWS Security Hub, you are assisting your team in consolidating security discoveries. The security team has requested that you automate the remediation of AWS Security Hub security findings. Which of the following approaches is the best?

In the us-east-1 region, an IT firm has a web server that handles online traffic for all users in North America. In the us-west-1 region, they have introduced a new high-performance web server. According to the IT manager’s instructions, most consumers should prefer a new web server deployed in the us-west-1 zone, but it should not cause additional latency.
To achieve this need, which Amazon Route 53 routing policy can be used?

Your firm has a Microsoft Active Directory on-premises. Some legacy apps will be migrated to AWS, and various AWS services will be used soon. Your firm has decided to deploy AD Connector to allow users to log in using their existing Active Directory credentials to access the AWS Management Console and manage AWS resources. Which of the following is NOT an AD Connector benefit?

On the Amazon EC2 instance, the Development Team has installed a memory-intensive application.
To optimize the application’s performance, the IT Manager wants an AWS Compute Optimizer study based on memory use of the Amazon EC2 instance.
What configuration is required to achieve this criterion?

For efficient capacity management, a mobile application is deployed on Amazon EC2 instances with Amazon EC2 Auto Scaling. Amazon EventBridge rules are written to send terminated instance events generated by Amazon EC2 Auto Scaling to Amazon SNS as a target. According to a junior Sysops administrator, many events are not correctly transmitted to Amazon SNS and are dropped. He is searching for your advice on how to keep these failed events instead of discarding them.
Which of the following Amazon EventBridge setups can be used to achieve this requirement?

You have a software issue with an EC2 instance (i-01234567890123456) in production. To troubleshoot the problem, use AWS CLI to create an AMI from the instance. The instance must not be rebooted while the image is being produced. Scripts that are currently running will be interrupted if this is not done. Which of the AWS CLI commands do you think you would use?

For a custom origin on EC2, you utilize a CloudFront distribution. You should add a secondary origin in the same CloudFront distribution to ensure high availability. CloudFront should immediately switch to the secondary origin if the first origin is unavailable or produces specific HTTP error codes. What would be the best way to set it up?

AWS has been used by your firm to host apps. Your company’s services were recently subjected to a big DDoS attack, resulting in significant financial damage. In the AWS environment, you intend to enable AWS Shield Advanced. Which of the following resource categories can aid in the protection against DDoS attacks? (Choose two options).

In the US-east-2 region, an IT firm plans to deploy a single master Aurora MySQL DB cluster. The Operations Head looks into solutions for a speedy restoration that will have minimum impact on the application’s service.
Which solution should a Sysops Administrator recommend for a rapid restoration?

For an application, your team employs a CloudFormation stack. The CloudFormation template is difficult to manage due to the vast number of AWS resources created in the stack, such as Auto Scaling groups, Lambda functions, Security groups, and Route 53 domain names. You would like to split the template into various sections and inherit the assets. In the meantime, you will want to keep all of your resources in one stack. Which of the following alternatives is the most suitable?

You are a system administrator for a huge financial corporation. You will need to put together the company’s compliance and security requirements, including numerous securities, operational, and cost-cutting inspections in AWS. Operational best practices for logging, S3, and EC2 should all be checked. Which of the following options is best for meeting the requirements?

The application servers of a manufacturing company were recently moved to an Amazon EC2 instance. These Amazon EC2 instances are now the primary servers, processing all customer requests, with on-premises datacenter servers serving as backups. The IT Manager is searching for information on upcoming scheduled maintenance activities that Amazon Web Services (AWS) will undertake on AWS resources, which will impact services on certain Amazon EC2 instances. This is necessary to avoid any activity on on-premises backup servers during this time frame and to ensure that application servers do not experience any downtime.
Which of the services listed below can be used for this?

A media company uses AWS KMS to encrypt content stored in Amazon S3 buckets. Millions of images and video files are added to this bucket every day. The Accounts Team has seen a significant increase in costs due to file encryption and is seeking your advice on cutting costs.
Which of the following can be set up to provide a low-cost encryption solution?

The design team has designed a Pilot Light DR (Disaster Recovery) strategy between production servers in the AWS us-east-1 region and backup servers in on-premises datacenters for a new three-tier application. The impact of installing a Pilot Light DR strategy on a network in terms of RTO / RPO must be understood by management.
Which of the following statements is the most appropriate to support this?

A legal business has configured lifecycle policies to shift all outdated files to Amazon S3 Glacier and is storing legal documents in Amazon S3 buckets. Encrypting these files in the Amazon S3 bucket and S3 Glacier is a concern for the Security Team. They are also seeking an audit trail for the CMKs used to access the objects in the S3 bucket and the individuals who use these CMKs.
What kind of encryption may a SysOps administrator use?

An engineering firm saves all project-related documents in multiple Amazon S3 buckets that are exclusively accessible by internal teams. The Operations team uses AWS Config to scan all S3 buckets for public access and flag them as non-compliant. The Security Lead is searching for the most effective and cost-effective solution to remediate all non-compliant Amazon S3 buckets immediately. What steps may be taken to improve public accessibility?

You work for a corporation as a system administrator. You have just provisioned a fleet of EC2 instances in a single subnet, but none of them has a public IP address. What parameters would need to be adjusted for the next fleet of public IP-addressed instances to be created?

You are a SysOps administrator for a large financial institution that uses an AWS EC2 instance to host its extranet applications. Management has decided to automate vulnerability tests for future instance releases to incorporate Amazon Inspector to improve the security of new Linux-based EC2 instances. You are weighing the pros and cons of installing Amazon Inspector on these new EC2 instances, which are launched in huge numbers regularly in response to consumer demand. No additional agent is required as part of the installation process, according to the security team. Which of the following would assist in automatically installing Amazon Inspector most securely with the least amount of effort?

Your on-premises Datacenter was recently moved to AWS. You have deployed applications in an EC2 instance within a VPC and are storing all data in S3 buckets. You had built a customized tool that would log all user activities on servers, a notification service that would notify the Security Team of any changes made to server configuration, and a tool to check unsecured ports on applications that could be accessed from an external network at your on-premises location. Security Chief is seeking similar technologies that can match these needs in AWS infrastructure. To meet this criterion, which of the following tools can be used? (Choose three options)

AWS cloud infrastructure is being used by a large financial institution for its three-tier online application. This is a mission-critical application, and any downtime would result in a significant financial loss for the institute. In us-west1 and ap-northeast-1, they have set up an EC2 instance and Amazon DynamoDB. For the EC2 instance, the infrastructure team already considers high availability. The IT Director needs your help to make database tables fully redundant so that a database failure in one location does not affect the operation of online applications.
Which of the following will give a solution for these two locations to have a highly accessible database?

Your organization has an Amazon Web Services (AWS) account. An external auditor conducted an audit to compile a list of all users and the status of their passwords, access keys, and multi-factor authentication devices. How do you think you would go about collecting this list for them?

Your development team is currently making updates to an AWS-hosted application. The application is currently in Production, with Route 53 serving as the DNS service. After testing, the new version of the program must now be promoted to a different environment. Before the final cutover, they need to divert an initial batch of traffic to the new version of the application for testing. Which of the following recommendations do you think is the best?

Amazon CloudWatch logs are used by a multinational bank to capture logs from an Amazon EC2 instance where a vital banking application is hosted. The operations team designed a metric filter to filter error signals from the logs captured. However, they have noticed that no data is being reported on occasion. The Operation Lead has asked us to double-check the metric filter settings.
What metric filter settings can be used to remedy this issue?

An IT company used multi-node Memcached clusters as a front-end to Amazon DynamoDB to enable caching for their three-tier application. ElastiCache Memcached PHP client, configured in auto-discovery mode, is used. The operations team recently completed the adding of nodes to this cluster. Many cache misses are seen after adding a node to a multi-node Memcached cluster, overwhelming the database.
What can be done to avoid this problem?

External vendors have access to a construction company’s architecture drawings stored in an Amazon S3 bucket. All of these vendors are located all over the world. As a result, a CloudFront distribution with an S3 bucket as the origin is formed to improve download performance. Last week, a vendor made an error and accidentally destroyed a drawing from an S3 bucket. You have been tasked with creating an acceptable policy after discovering that certain users are directly accessing S3 buckets. Which of the following activities will assist you in limiting access to the S3 bucket? (Choose two options).

External vendors have been given access to documents kept in an Amazon S3 bucket owned by an R&D account within the AWS Organizations by a major pharma business. Because the vendors are no longer linked with the company, all access to the bucket must be removed immediately. You implemented SCP at the OU level to which the R&D account belongs, restricting all access to the Amazon S3 bucket as a SysOps administrator. External vendors can still access the S3 bucket, according to AWS CloudTrail logs.
What are the chances that users will still have access to the Amazon S3 bucket?

Your organization is having difficulties expanding its on-premises storage capacities. They are considering using AWS to expand their storage capacity for their apps. The new storage should be available as iSCSI targets that on-premises systems can access. Which of the following do you think you would use for this?

Your organization intends to create many AWS accounts. Certain services and actions must be prohibited across all accounts, according to the IT Security department. What would be the most EFFECTIVE approach to accomplish this?

Convertible Reserved Instance is being used by a media company for its web application. You are presently utilizing the Detailed Billing Report to acquire Reserved Instance pricing information. The Detailed Billing Report has to be changed, according to Senior Management. So, you have decided to switch to AWS Cost and Usage Report. Which of the following is a crucial differentiator for AWS Cost and Usage Report?

Amazon CloudFront is used by a multinational media company to transport content stored in an Amazon S3 bucket. To examine requests made to the CloudFront distribution, the Operations Team requires Amazon CloudFront logs in seconds. This project has a limited budget and requires a cost-effective method for capturing these logs.
What configuration options are available to suit this requirement?

The Development team wants to keep legacy software licensing keys in an encrypted format. For this, the Sysops Team intends to leverage the AWS Systems Manager Parameter Store. A junior Sysops engineer has requested your recommendation to use AWS Systems Manager Parameter Store.
Which parameter is the most appropriate for this requirement?

Your development team has created an EC2 instance for an application. This instance is currently connected to a private network. Kinesis streams must be used in the application. How would you ensure that the app can access the Kinesis streams service?

A set of EC2 Instances is available to your firm. At one-minute intervals, the monitoring department needs dashboard metrics for the CPU consumption of the Instances. You must meet this need most simply and cost-effectively feasible. Which of the following steps would you do if you were in charge? (Choose two options).

You have created a VPC with a 10.0.0.0/16 CIDR block. With CIDR blocks of 10.0.1.0/24 and 10.0.2.0/24, you have created a public and private subnet. An Internet gateway is associated with the VPC. To allow internet access, which of the following changes must be performed to the custom route table for the public subnet?

AWS Organizations are being used by an engineering firm to manage many accounts across several regions. Some important files were recently removed from an Amazon S3 bucket in a member account that the security team cannot locate. Security Head recommends that you configure AWS CloudTrail for all member accounts within AWS Organizations to avoid future concerns.
To achieve this criterion, which of the following steps must be taken?

All of the project materials for a large engineering firm have been transferred to Amazon S3 Glacier. As part of an annual IT audit, this 1 PB of data must be audited by a team of auditors. You have been assigned to provide this information to auditors who will begin working in one week.
Which of the steps below can be utilized to retrieve this data for the least amount of money?

On an EC2 instance, a web application is deployed behind ELB. Any attacks on this software will result in a significant financial loss. To secure this web application, you will need a specialized solution. The Security Team constantly shares a list of blocked IP addresses and dangerous SQL code to be prevented to secure online applications. A highly competent crew is monitoring traffic and applying this filter to block attacks as quickly as possible. Which of the following solutions can be used to protect web applications from outside attacks?

Amazon EC2 Instances in us-east-1 and us-west-1 have been launched by an engineering firm. The CloudWatch agent configuration file is used to collect metrics. According to the operations team, all metrics for these instances must be delivered to a central site in the us-west-1 zone.
What configuration settings must be made in the CloudWatch Agent configuration file?

To the existing single-master Aurora DB cluster, a large-size Aurora replica is added. There is already a primary DB instance and four Aurora Replicas in this cluster. Tier-4 priority settings are applied to all existing Read replicas. If the primary instance fails, a newly constructed Aurora duplicate should not be promoted to primary. What settings on the new Aurora Replica can be changed to suit the requirement?

Your organization intends to use a set of EC2 Instances to run a web application. Based on the first response, it has been decided to introduce a service that would assist in traffic distribution among a group of EC2 Instances hosting the application. The service must be able to scale to a million requests per second, among other things. Which of the following would you use to fulfill this requirement?

A new web application for medical students has been developed by an online educational institute. This web application is front-ended by Application Load Balancer and deployed on EC2 instances in several AZs in the us-west-1 region. The Security team requires an IP address for all students utilizing this application for auditing purposes. You have been assigned to enable access logs and create an Amazon S3 bucket to store these logs.
Which of the following factors must be considered when constructing an Amazon S3 bucket to store Access logs?

The S3 bucket “test_bucket” was created by a startup company. Only user ABC in AWS account 123456789012 should have access to the contents of this bucket. Which of the following S3 bucket policy statements should be used to comply with the least privileges security guidelines?

You create a CloudFormation template to deploy an application package and construct a group of EC2 instances. You must ensure that the stack is successful only if the software package is successfully installed. What method can you use to verify this?

You work for a huge IT corporation as a SysOps administrator. You propose to set up Systems Manager for 50 database servers installed in the corporate Data Centre after successfully setting up the Systems Manager on EC2 instance across all regions. Which of the following steps must be completed to finish the Systems Manager installation on these servers? (Choose four options).

You have created a new VPC and assigned it to a subnet. You have set up an Internet gateway and connected it to the virtual private network (VPC). You verified that DNS Resolution and hostnames are allowed in the VPC. You created an EC2 instance, assigned it a public IP address, and configured security groups and NACLs for access. However, you are still unable to connect to the Instance. Which of the additional steps listed below must be completed?

For business-critical data storage, a financial institution intends to employ Amazon EFS. According to the most recent security audit, some Amazon EFS file systems are not secured. The Security Team has been told to put in place a policy that only allows encrypted file systems to be launched to address this problem. All data in transit should also be encrypted as an extra security step.
Which of the following can be used to encrypt data effectively?

In the us-west-1 region, a financial institute uses Amazon EFS for file storage. Multiple accounts share this storage space within this firm for file storage. For data protection, this storage must be transferred to the Amazon S3 bucket launched in another area, us-east-1. This data transmission will be handled by the sysops team using AWS DataSync. You have been given the responsibility of creating an AWS DataSync task.
Which of the following should be taken into account while designing a task?

A group of people has created an application that uses a DynamoDB table. The application will now be hosted on an Amazon EC2 instance. Which of the following would you use to ensure the application has the necessary rights to access the DynamoDB table?

AWS infrastructure is being used by a large telecom corporation for its online and data storage applications. As a SysOps Administrator, you have built a separate IAM user group for each company’s department. Previously, DevOps users would launch an EC2 instance and save all data to the EFS store. Users are requested to save all data in S3 buckets rather than EFS as a cost-cutting exercise. Users in the DevOps team should establish an EC2 instance with roles that allow them to access S3 buckets for saving files. Additional roles from these EC2 instances should not be granted to these users. Which of the following Policy statements can be set up to allow the least amount of access?