Question #120
A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private subnets. The company’s security policy requires all EC2 instances to be deployed in private subnets.
What should a SysOps administrator do to meet these requirements?
- A. Add an internet gateway to the VPC. In the route table for the private subnets, add a route to the internet gateway.
- B. Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway.
- C. Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
- D. Add two internet gateways to the VPC. In the route tables for the private subnets and public subnets, add a route to each internet gateway.
Correct Answer: C
Community vote distribution
C (84%)
B (16%)
Question #121
A development team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
- A. AWS Shield Standard
- B. AWS WAF
- C. Elastic Load Balancing
- D. Amazon Cognito
Correct Answer: B
Community vote distribution
B (100%)
Question #122
A SysOps administrator must configure a resilient tier of Amazon EC2 instances for a high performance computing (HPC) application. The HPC application requires minimum latency between nodes.
Which actions should the SysOps administrator take to meet these requirements? (Choose two.)
- A. Create an Amazon Elastic File System (Amazon EFS) file system. Mount the file system to the EC2 instances by using user data.
- B. Create a Multi-AZ Network Load Balancer in front of the EC2 instances.
- C. Place the EC2 instances in an Auto Scaling group within a single subnet.
- D. Launch the EC2 instances into a cluster placement group.
- E. Launch the EC2 instances into a partition placement group.
Correct Answer: CD
Community vote distribution
CD (77%)
6%
Other
Question #123
A company’s customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps administrator observed a very high rate of read operations on a particular S3 bucket.
What will minimize latency by reducing load on the S3 bucket?
- A. Migrate the S3 bucket to a region that is closer to end users’ geographic locations.
- B. Use cross-region replication to replicate all of the data to another region.
- C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.
- D. Use Amazon ElastiCache to cache data being served from Amazon S3.
Correct Answer: C
Community vote distribution
C (100%)
Question #124
A SysOps administrator needs to develop a solution that provides email notification and inserts a record into a database every time a file is put into an Amazon S3 bucket.
What is the MOST operationally efficient solution that meets these requirements?
- A. Set up an S3 event notification that targets an Amazon Simple Notification Service (Amazon SNS) topic. Create two subscriptions for the SNS topic. Use one subscription to send the email notification. Use the other subscription to invoke an AWS Lambda function that inserts the record into the database.
- B. Set up an Amazon CloudWatch alarm that enters ALARM state whenever an object is created in the S3 bucket. Configure the alarm to invoke an AWS Lambda function that sends the email notification and inserts the record into the database.
- C. Create an AWS Lambda function to send the email notification and insert the record into the database whenever a new object is detected in the S3 bucket. Invoke the function every minute with an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule.
- D. Set up two S3 event notifications. Target a separate AWS Lambda function with each notification. Configure one function to send the email notification. Configure the other function to insert the record into the database.
Correct Answer: A
Community vote distribution
A (100%)
Question #125
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. The application is accessed with a public URL.
A SysOps administrator needs to implement a monitoring solution that checks the availability of the application and follows the same routes and actions as a customer. The SysOps administrator must receive a notification if less than 95% of the monitoring runs find no errors.
Which solution will meet these requirements?
- A. Create an Amazon CloudWatch Synthetics canary with a script that follows customer routes. Schedule the canary to run on a recurring schedule. Create a CloudWatch alarm that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when the SuccessPercent metric is less than 95%.
- B. Create Amazon Route 53 health checks that monitor the availability of the endpoint. Create Amazon CloudWatch alarms that publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when the HealthCheckPercentageHealthy metric is less than 95%.
- C. Create a single AWS Lambda function to check whether the endpoints are available for each customer path. Schedule the Lambda function by using Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when an endpoint returns an error.
- D. Create an AWS Lambda function for each customer path to check whether that specific endpoint is available. Schedule the Lambda functions by using Amazon EventBridge (Amazon CloudWatch Events). Configure each Lambda function to publish a custom metric to Amazon CloudWatch for the endpoint status. Create CloudWatch alarms based on each custom metric to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when an alarm is in the ALARM state.
Correct Answer: B
Community vote distribution
A (100%)
Question #126
A SysOps administrator uses AWS Systems Manager Session Manager to connect to instances. After the SysOps administrator launches a new Amazon EC2 instance, the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps administrator verifies that Systems Manager Agent is installed, updated, and running on the EC2 instance.
What is the reason for this issue?
- A. The SysOps administrator does not have access to the key pair that is required for connection.
- B. The SysOps administrator has not attached a security group to the EC2 instance to allow SSH on port 22.
- C. The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.
- D. The EC2 instance ID has not been entered into the Session Manager configuration.
Correct Answer: C
Community vote distribution
C (100%)
Question #127
A SysOps administrator is unable to launch Amazon EC2 instances into a VPC because there are no available private IPv4 addresses in the VPC.
Which combination of actions must the SysOps administrator take to launch the instances? (Choose two.)
- A. Associate a secondary IPv4 CIDR block with the VPC.
- B. Associate a primary IPv6 CIDR block with the VPC.
- C. Create a new subnet for the VPC.
- D. Modify the CIDR block of the VPC.
- E. Modify the CIDR block of the subnet that is associated with the instances.
Correct Answer: AC
Community vote distribution
AC (100%)
Question #128
A SysOps administrator is creating an Amazon EC2 Auto Scaling group in a new AWS account. After adding some instances, the SysOps administrator notices that the group has not reached the minimum number of instances. The SysOps administrator receives the following error message:
Launching a new EC2 instance. Status Reason: Your quota allows for 0 more running instance(s).
You requested at least 1. Launching EC2 instance failed.
Which action will resolve this issue?
- A. Adjust the account spending limits for Amazon EC2 on the AWS Billing and Cost Management console.
- B. Modify the EC2 quota for that AWS Region in the EC2 Settings section of the EC2 console.
- C. Request a quota increase for the instance type family by using Service Quotas on the AWS Management Console.
- D. Use the Rebalance action in the Auto Scaling group on the AWS Management Console.
Correct Answer: B
Community vote distribution
C (100%)
Question #129
A SysOps administrator is creating two AWS CloudFormation templates. The first template will create a VPC with associated resources, such as subnets, route tables, and an internet gateway. The second template will deploy application resources within the VPC that was created by the first template. The second template should refer to the resources created by the first template.
How can this be accomplished with the LEAST amount of administrative effort?
- A. Add an export field to the outputs of the first template and import the values in the second template.
- B. Create a custom resource that queries the stack created by the first template and retrieves the required values.
- C. Create a mapping in the first template that is referenced by the second template.
- D. Input the names of resources in the first template and refer to those names in the second template as a parameter.
Correct Answer: A
Community vote distribution
A (100%)
Question #130
A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application’s performance. A SysOps administrator must scale the application to meet the increased traffic.
Which solution meets these requirements?
- A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.
- B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
- C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.
- D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.
Correct Answer: C
Community vote distribution
C (93%)
7%
Question #131
A company has a high-performance Windows workload. The workload requires a storage volume that provides consistent performance of 10,000 IOPS. The company does not want to pay for additional unneeded capacity to achieve this performance.
Which solution will meet these requirements with the LEAST cost?
- A. Use a Provisioned IOPS SSD (io1) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10,000 provisioned IOPS.
- B. Use a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume that is configured with 10,000 provisioned IOPS.
- C. Use an Amazon Elastic File System (Amazon EFS) file system in Max I/O mode.
- D. Use an Amazon FSx for Windows File Server file system that is configured with 10,000 IOPS.
Correct Answer: D
Community vote distribution
B (77%)
14%
9%
Question #132
A SysOps administrator must create a solution that automatically shuts down any Amazon EC2 instances that have less than 10% average CPU utilization for 60 minutes or more.
Which solution will meet this requirement in the MOST operationally efficient manner?
- A. Implement a cron job on each EC2 instance to run once every 60 minutes and calculate the current CPU utilization. Initiate an instance shutdown if CPU utilization is less than 10%.
- B. Implement an Amazon CloudWatch alarm for each EC2 instance to monitor average CPU utilization. Set the period at 1 hour, and set the threshold at 10%. Configure an EC2 action on the alarm to stop the instance.
- C. Install the unified Amazon CloudWatch agent on each EC2 instance, and enable the Basic level predefined metric set. Log CPU utilization every 60 minutes, and initiate an instance shutdown if CPU utilization is less than 10%.
- D. Use AWS Systems Manager Run Command to get CPU utilization from each EC2 instance every 60 minutes. Initiate an instance shutdown if CPU utilization is less than 10%.
Correct Answer: B
Community vote distribution
B (100%)
Question #133
A SysOps administrator is unable to authenticate an AWS CLI call to an AWS service.
Which of the following is the cause of this issue?
- A. The IAM password is incorrect.
- B. The server certificate is missing.
- C. The SSH key pair is incorrect.
- D. There is no access key.
Correct Answer: D
Community vote distribution
D (100%)
Question #134
A company requires that all IAM user accounts that have not been used for 90 days or more must have their access keys and passwords immediately disabled. A SysOps administrator must automate the process of disabling unused keys using the MOST operationally efficient method.
How should the SysOps administrator implement this solution?
- A. Create an AWS Step Functions workflow to identify IAM users that have not been active for 90 days. Run an AWS Lambda function when a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule is invoked to automatically remove the AWS access keys and passwords for these IAM users.
- B. Configure an AWS Config rule to identify IAM users that have not been active for 90 days. Set up an automatic weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for these IAM users.
- C. Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users that have not been active for 90 days. Automatically delete these IAM users.
- D. Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days. Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users.
Correct Answer: D
Community vote distribution
D (100%)
Question #135
A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 and 3 hours, but at times, the process stalls due to installation errors.
The SysOps administrator must modify the CloudFormation template so if the process stalls, the entire stack will fail and roll back.
Based on these requirements, what should be added to the template?
- A. Conditions with a timeout set to 4 hours.
- B. CreationPolicy with a timeout set to 4 hours.
- C. DependsOn with a timeout set to 4 hours.
- D. Metadata with a timeout set to 4 hours.
Correct Answer: B
Community vote distribution
B (100%)
Question #136
A company runs workloads on 90 Amazon EC2 instances in the eu-west-1 Region in an AWS account. In 2 months, the company will migrate the workloads from eu-west-1 to the eu-west-3 Region.
The company needs to reduce the cost of the EC2 instances. The company is willing to make a 1-year commitment that will begin next week. The company must choose an EC2 instance purchasing option that will provide discounts for the 90 EC2 instances regardless of Region during the 1-year period.
Which solution will meet these requirements?
- A. Purchase EC2 Standard Reserved Instances.
- B. Purchase an EC2 Instance Savings Plan.
- C. Purchase EC2 Convertible Reserved Instances.
- D. Purchase a Compute Savings Plan.
Correct Answer: C
Community vote distribution
D (100%)
Question #137
A SysOps administrator has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow all outbound traffic.
Which solution will provide the EC2 instances in the private subnet with access to the internet?
- A. Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.
- B. Create a NAT gateway in the public subnet. Create a route from the public subnet to the NAT gateway.
- C. Create a NAT gateway in the private subnet. Create a route from the public subnet to the NAT gateway.
- D. Create a NAT gateway in the private subnet. Create a route from the private subnet to the NAT gateway.
Correct Answer: A
Community vote distribution
A (100%)
Question #138
A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancer (ELB). The company’s security team wants to protect the website by using AWS Certificate Manager (ACM) certificates. The ELB must automatically redirect any HTTP requests to HTTPS.
Which solution will meet these requirements?
- A. Create an Application Load Balancer that has one HTTPS listener on port 80. Attach an SSL/TLS certificate to listener port 80. Create a rule to redirect requests from HTTP to HTTPS.
- B. Create an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS protocol listener on port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
- C. Create an Application Load Balancer that has two TCP listeners on port 80 and port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
- D. Create a Network Load Balancer that has two TCP listeners on port 80 and port 443. Attach an SSL/TLS certificate to listener port 443. Create a rule to redirect requests from port 80 to port 443.
Correct Answer: B
Community vote distribution
B (100%)
Question #139
A company wants to track its AWS costs in all member accounts that are part of an organization in AWS Organizations. Managers of the member accounts want to receive a notification when the estimated costs exceed a predetermined amount each month. The managers are unable to configure a billing alarm. The IAM permissions for all users are correct.
What could be the cause of this issue?
- A. The management/payer account does not have billing alerts turned on.
- B. The company has not configured AWS Resource Access Manager (AWS RAM) to share billing information between the member accounts and the management/payer account.
- C. Amazon GuardDuty is turned on for all the accounts.
- D. The company has not configured an AWS Config rule to monitor billing.
Correct Answer: A
Community vote distribution
A (86%)
14%
Question #140
A company is using Amazon Elastic Container Service (Amazon ECS) to run a containerized application on Amazon EC2 instances. A SysOps administrator needs to monitor only traffic flows between the ECS tasks.
Which combination of steps should the SysOps administrator take to meet this requirement? (Choose two.)
- A. Configure Amazon CloudWatch Logs on the elastic network interface of each task.
- B. Configure VPC Flow Logs on the elastic network interface of each task.
- C. Specify the awsvpc network mode in the task definition.
- D. Specify the bridge network mode in the task definition.
- E. Specify the host network mode in the task definition.
Correct Answer: AC
Community vote distribution
BC (100%)
Question #141
A company uses AWS Organizations to manage multiple AWS accounts. The company’s SysOps team has been using a manual process to create and manage IAM roles. The team requires an automated solution to create and manage the necessary IAM roles for multiple AWS accounts.
What is the MOST operationally efficient solution that meets these requirements?
- A. Create AWS CloudFormation templates. Reuse the templates to create the necessary IAM roles in each of the AWS accounts.
- B. Use AWS Directory Service with AWS Organizations to automatically associate the necessary IAM roles with Microsoft Active Directory users.
- C. Use AWS Resource Access Manager with AWS Organizations to deploy and manage shared resources across the AWS accounts.
- D. Use AWS CloudFormation StackSets with AWS Organizations to deploy and manage IAM roles for the AWS accounts.
Correct Answer: D
Community vote distribution
D (100%)
Question #142
A SysOps administrator needs to configure automatic rotation for Amazon RDS database credentials. The credentials must rotate every 30 days. The solution must integrate with Amazon RDS.
Which solution will meet these requirements with the LEAST operational overhead?
- A. Store the credentials in AWS Systems Manager Parameter Store as a secure string. Configure automatic rotation with a rotation interval of 30 days.
- B. Store the credentials in AWS Secrets Manager. Configure automatic rotation with a rotation interval of 30 days.
- C. Store the credentials in a file in an Amazon S3 bucket. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.
- D. Store the credentials in AWS Secrets Manager. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.
Correct Answer: B
Community vote distribution
B (100%)
Question #143
A company’s SysOps administrator attempts to restore an Amazon Elastic Block Store (Amazon EBS) snapshot. However, the snapshot is missing because another system administrator accidentally deleted the snapshot. The company needs the ability to recover snapshots for a specified period of time after snapshots are deleted.
Which solution will provide this functionality?
- A. Turn on deletion protection on individual EBS snapshots that need to be kept.
- B. Create an IAM policy that denies the deletion of EBS snapshots by using a condition statement for the snapshot age. Apply the policy to all users.
- C. Create a Recycle Bin retention rule for EBS snapshots for the desired retention period.
- D. Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function to copy EBS snapshots to Amazon S3 Glacier.
Correct Answer: C
Community vote distribution
C (100%)
Question #144
A SysOps administrator recently configured Amazon S3 Cross-Region Replication on an S3 bucket.
Which of the following does this feature replicate to the destination S3 bucket by default?
- A. Objects in the source S3 bucket for which the bucket owner does not have permissions
- B. Objects that are stored in S3 Glacier
- C. Objects that existed before replication was configured
- D. Object metadata
Correct Answer: D
Community vote distribution
D (100%)
Question #145
A company has a workload that is sending log data to Amazon CloudWatch Logs. One of the fields includes a measure of application latency. A SysOps administrator needs to monitor the p90 statistic of this field over time.
What should the SysOps administrator do to meet this requirement?
- A. Create an Amazon CloudWatch Contributor Insights rule on the log data.
- B. Create a metric filter on the log data.
- C. Create a subscription filter on the log data.
- D. Create an Amazon CloudWatch Application Insights rule for the workload.
Correct Answer: B
Community vote distribution
B (100%)
Question #146
A company wants to archive sensitive data on Amazon S3 Glacier. The company’s regulatory and compliance requirements do not allow any modifications to the data by any account.
Which solution meets these requirements?
- A. Attach a vault lock policy to an S3 Glacier vault that contains the archived data. Use the lock ID to validate the vault lock policy after 24 hours.
- B. Attach a vault lock policy to an S3 Glacier vault that contains the archived data. Use the lock ID to validate the vault lock policy within 24 hours.
- C. Configure S3 Object Lock in governance mode. Upload all files after 24 hours.
- D. Configure S3 Object Lock in governance mode. Upload all files within 24 hours.
Correct Answer: A
Community vote distribution
B (100%)
Question #147
A company manages an application that uses Amazon ElastiCache for Redis with two extra-large nodes spread across two different Availability Zones. The company’s IT team discovers that the ElastiCache for Redis cluster has 75% freeable memory. The application must maintain high availability.
What is the MOST cost-effective way to resize the cluster?
- A. Decrease the number of nodes in the ElastiCache for Redis cluster from 2 to 1.
- B. Deploy a new ElastiCache for Redis cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original cluster.
- C. Deploy a new ElastiCache for Redis cluster that uses large node types. Take a backup from the original cluster, and restore the backup in the new cluster. After the process is complete, shut down the original cluster.
- D. Perform an online resizing for the ElastiCache for Redis cluster. Change the node types from extra-large nodes to large nodes.
Correct Answer: A
Community vote distribution
D (100%)
Question #148
A company must migrate its applications to AWS. The company is using Chef recipes for configuration management. The company wants to continue to use the existing Chef recipes after the applications are migrated to AWS.
What is the MOST operationally efficient solution that meets these requirements?
- A. Use AWS CloudFormation to create an Amazon EC2 instance, install a Chef server, and add Chef recipes.
- B. Use AWS CloudFormation to create a stack and add layers for Chef recipes.
- C. Use AWS Elastic Beanstalk with the Docker platform to upload Chef recipes.
- D. Use AWS OpsWorks to create a stack and add layers with Chef recipes.
Correct Answer: D
Community vote distribution
D (100%)
Question #149
A company uses AWS Organizations to manage its AWS accounts. A SysOps administrator must create a backup strategy for all Amazon EC2 instances across all the company’s AWS accounts.
Which solution will meet these requirements in the MOST operationally efficient way?
- A. Deploy an AWS Lambda function to each account to run EC2 instance snapshots on a scheduled basis.
- B. Create an AWS CloudFormation stack set in the management account to add an AutoBackup=True tag to every EC2 instance.
- C. Use AWS Backup in the management account to deploy policies for all accounts and resources.
- D. Use a service control policy (SCP) to run EC2 instance snapshots on a scheduled basis in each account.
Correct Answer: C
Community vote distribution
C (100%)
Question #150
A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC. While reviewing the logs, the SysOps administrator notices that rejected traffic is not listed.
What should the SysOps administrator do to ensure that all traffic is logged?
- A. Create a new flow log that has a filter setting to capture all traffic.
- B. Create a new flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
- C. Edit the existing flow log. Change the filter setting to capture all traffic.
- D. Edit the existing flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
Correct Answer: C
Community vote distribution
A (90%)
10%
Question #151
A company is expanding its use of AWS services across its portfolios. The company wants to provision AWS accounts for each team to ensure a separation of business processes for security, compliance, and billing. Account creation and bootstrapping should be completed in a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place. A SysOps administrator needs to design a provisioning process that saves time and resources.
Which action should be taken to meet these requirements?
- A. Automate using AWS Elastic Beanstalk to provision the AWS accounts, set up infrastructure, and integrate with AWS Organizations.
- B. Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure.
- C. Use AWS Config to provision accounts and deploy instances using AWS Service Catalog.
- D. Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts.
Correct Answer: D
Community vote distribution
D (100%)
Question #152
A SysOps administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%.
Which collection of configuration changes will increase the cache hit ratio for the distribution? (Choose two.)
- A. Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings.
- B. Change the Viewer Protocol Policy to use HTTPS only.
- C. Configure the distribution to use presigned cookies and URLs to restrict access to the distribution.
- D. Enable automatic compression of objects in the Cache Behavior Settings.
- E. Increase the CloudFront time to live (TTL) settings in the Cache Behavior Settings.
Correct Answer: AE
Community vote distribution
AE (100%)
Question #153
A SysOps administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet.
Public Subnet (10.0.1.0/24) Route Table

| Destination | Target |
| --- | --- |
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | IGW |

Private Subnet (10.0.2.0/24) Route Table

| Destination | Target |
| --- | --- |
| 10.0.0.0/16 | local |

What should be added to the private subnet’s route table in order to address this issue, given the information provided?
- A. 0.0.0.0/0 IGW
- B. 0.0.0.0/0 NAT
- C. 10.0.1.0/24 IGW
- D. 10.0.1.0/24 NAT
Correct Answer: B
Community vote distribution
B (100%)
Question #154
A company is undergoing an external audit of its systems, which run wholly on AWS. A SysOps administrator must supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS.
Which set of actions should the SysOps administrator take to meet this requirement?
- A. Download the applicable reports from the AWS Artifact portal and supply these to the auditors.
- B. Download complete copies of the AWS CloudTrail log files and supply these to the auditors.
- C. Download complete copies of the AWS CloudWatch logs and supply these to the auditors.
- D. Provide the auditors with administrative access to the production AWS account so that the auditors can determine compliance.
Correct Answer: A
Community vote distribution
A (100%)
Question #155
A company has an initiative to reduce costs associated with Amazon EC2 and AWS Lambda.
Which action should a SysOps administrator take to meet these requirements?
- A. Analyze the AWS Cost and Usage Report by using Amazon Athena to identify cost savings.
- B. Create an AWS Budgets alert to alarm when account spend reaches 80% of the budget.
- C. Purchase Reserved Instances through the Amazon EC2 console.
- D. Use AWS Compute Optimizer and take action on the provided recommendations.
Correct Answer: D
Community vote distribution
D (100%)
Question #156
A company wants to use only IPv6 for all its Amazon EC2 instances. The EC2 instances must not be accessible from the internet, but the EC2 instances must be able to access the internet. The company creates a dual-stack VPC and IPv6-only subnets.
How should a SysOps administrator configure the VPC to meet these requirements?
- A. Create and attach a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.
- B. Create and attach an internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway. Attach the custom route table to the IPv6-only subnets.
- C. Create and attach an egress-only internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gateway. Attach the custom route table to the IPv6-only subnets.
- D. Create and attach an internet gateway and a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway and all IPv4 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.
Correct Answer: D
Community vote distribution
C (100%)
Question #157
A company has an existing web application that runs on two Amazon EC2 instances behind an Application Load Balancer (ALB) across two Availability Zones. The application uses an Amazon RDS Multi-AZ DB Instance. Amazon Route 53 record sets route requests for dynamic content to the load balancer and requests for static content to an Amazon S3 bucket. Site visitors are reporting extremely long loading times.
Which actions should be taken to improve the performance of the website? (Choose two.)
- A. Add Amazon CloudFront caching for static content.
- B. Change the load balancer listener from HTTPS to TCP.
- C. Enable Amazon Route 53 latency-based routing.
- D. Implement Amazon EC2 Auto Scaling for the web servers.
- E. Move the static content from Amazon S3 to the web servers.
Correct Answer: AD
Community vote distribution
AD (87%)
13%
Question #158
A company is running an application on premises and wants to use AWS for data backup. All of the data must be available locally. The backup application can write only to block-based storage that is compatible with the Portable Operating System Interface (POSIX).
Which backup solution will meet these requirements?
- A. Configure the backup software to use Amazon S3 as the target for the data backups.
- B. Configure the backup software to use Amazon S3 Glacier as the target for the data backups.
- C. Use AWS Storage Gateway, and configure it to use gateway-cached volumes.
- D. Use AWS Storage Gateway, and configure it to use gateway-stored volumes.
Correct Answer: D
Community vote distribution
D (90%)
10%
Question #159
A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet.
What should a SysOps administrator do to meet the compliance requirement?
- A. Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
- B. Configure AWS Network Firewall to redirect traffic to the internal S3 address.
- C. Modify the application to use the S3 path-style endpoint.
- D. Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.
Correct Answer: A
Community vote distribution
A (100%)