ExamsBrite Dumps

AWS Certified CloudOps Engineer - Associate (SOA-C03) Questions and Answers

Last Update Feb 28, 2026
Total Questions : 165

Questions 1

A CloudOps engineer needs to build an event infrastructure for custom application-specific events. The events must be sent to an AWS Lambda function for processing. The CloudOps engineer must record the events so they can be replayed later by event type or event time.

Which solution will meet these requirements?

Options:

A. Create an Amazon EventBridge custom event bus, create an archive, and create a rule to send events to Lambda.

B. Create an archive on the default event bus and use pattern matching.

C. Create an EventBridge pipe and store events in an archive.

D. Create a CloudWatch Logs log group and route events there.

Questions 2

A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application.

Which combination of actions should a CloudOps engineer take to resolve this problem? (Select TWO.)

Options:

A. Change to the least outstanding requests algorithm on the ALB target group.

B. Configure cookie forwarding in the CloudFront distribution cache behavior.

C. Configure header forwarding in the CloudFront distribution cache behavior.

D. Enable group-level stickiness on the ALB listener rule.

E. Enable sticky sessions on the ALB target group.

Questions 3

A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet specific security requirements.

The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators. The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts.

Which solution will meet these requirements?

Options:

A. Create AWS Config rules with remediation actions in each account to detect policy violations. Implement IAM permissions boundaries for the account root users.

B. Enable AWS Security Hub across the organization. Create custom security standards to enforce the security requirements. Use AWS CloudFormation StackSets to deploy the standards to all the accounts in the organization. Set up Security Hub automated remediation actions.

C. Use AWS Control Tower for account governance. Configure Region deny controls. Use Service Control Policies (SCPs) to restrict root user access.

D. Configure AWS Firewall Manager with security policies to meet the security requirements. Use an AWS Config aggregator with organization-wide conformance packs to detect security policy violations.

Questions 4

A CloudOps engineer is troubleshooting an implementation of Amazon CloudWatch Synthetics. The CloudWatch Synthetics results must be sent to an Amazon S3 bucket.

The CloudOps engineer has copied the configuration of an existing canary that runs on a VPC that has an internet gateway attached. However, the CloudOps engineer cannot get the canary to successfully start on a private VPC that has no internet access.

What should the CloudOps engineer do to successfully run the canary on the private VPC?

Options:

A. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Add the synthetics:GetCanaryRuns permission to the VPC. On the S3 bucket, add the IgnorePublicAcls permission to the CloudWatch Synthetics role.

B. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPC. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use the S3 endpoint.

C. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPC. Add a security group to the canary to allow outbound traffic on the DNS port. Add the permissions to allow CloudWatch Synthetics to write to the S3 bucket.

D. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Create an interface VPC endpoint for CloudWatch. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use both endpoints.

Questions 5

A SysOps administrator needs to encrypt an existing Amazon Elastic File System (Amazon EFS) file system by using an existing AWS KMS customer managed key.

Which solution will meet these requirements?

Options:

A. Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Specify the KMS customer managed key in the replication configuration. When the replication process finishes, fail over to the new encrypted file system.

B. Directly modify the file system to use encryption. Specify the KMS customer managed key.

C. Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Generate a new TLS certificate. Specify the TLS certificate in the replication configuration. When the replication process finishes, fail over to the new encrypted file system.

D. Create a new EFS file system that is encrypted with the KMS customer managed key. Create an Amazon EC2 instance to copy the files. Mount the encrypted file system and unencrypted file system on the instance. Copy all data from the unencrypted file system to the encrypted file system. Unmount the unencrypted file system and remove the temporary instance.

Questions 6

A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application’s performance.

A CloudOps engineer must scale the application to meet the increased traffic.

Which solution meets these requirements?

Options:

A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.

B. Create an Amazon EventBridge rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.

C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.

D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.

Questions 7

A CloudOps engineer is maintaining a web application that uses an Amazon CloudFront web distribution, an Application Load Balancer (ALB), Amazon RDS, and Amazon EC2 in a VPC. All services have logging enabled. The CloudOps engineer needs to investigate HTTP Layer 7 status codes from the web application.

Which log sources contain the status codes? (Select TWO.)

Options:

A. VPC Flow Logs

B. AWS CloudTrail logs

C. ALB access logs

D. CloudFront access logs

E. RDS logs

Questions 8

A company runs an application on an Amazon EC2 instance. The application uses a MySQL database. The EC2 instance has a General Purpose SSD (gp3) Amazon EBS volume attached. The company wants to perform load testing using a new MySQL database created from an EBS snapshot of the production instance. The new database must perform as similarly as possible to production.

Which solution will meet these requirements in the LEAST amount of time?

Options:

A. Use Amazon EBS fast snapshot restore (FSR) to create a new General Purpose SSD volume from the production snapshot.

B. Use Amazon EBS fast snapshot restore (FSR) to create a new Provisioned IOPS SSD volume from the production snapshot.

C. Use Amazon EBS standard snapshot restore to create a new General Purpose SSD volume from the production snapshot.

D. Use Amazon EBS standard snapshot restore to create a new Provisioned IOPS SSD volume from the production snapshot.

Questions 9

A company uses AWS Systems Manager Session Manager to manage EC2 instances in the eu-west-1 Region. The company wants private connectivity using VPC endpoints.

Which VPC endpoints are required to meet these requirements? (Select THREE.)

Options:

A. com.amazonaws.eu-west-1.ssm

B. com.amazonaws.eu-west-1.ec2messages

C. com.amazonaws.eu-west-1.ec2

D. com.amazonaws.eu-west-1.ssmmessages

E. com.amazonaws.eu-west-1.s3

F. com.amazonaws.eu-west-1.states

Questions 10

A company uses Amazon ElastiCache (Redis OSS) to cache application data. A CloudOps engineer must implement a solution to increase the resilience of the cache. The solution also must minimize the recovery time objective (RTO).

Which solution will meet these requirements?

Options:

A. Replace ElastiCache (Redis OSS) with ElastiCache (Memcached).

B. Create an Amazon EventBridge rule to initiate a backup every hour. Restore the backup when necessary.

C. Create a read replica in a second Availability Zone. Enable Multi-AZ for the ElastiCache (Redis OSS) replication group.

D. Enable automatic backups. Restore the backups when necessary.

Questions 11

A company is migrating a legacy application to AWS. The application runs on EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). The target group routing algorithm is set to weighted random, and the application requires session affinity (sticky sessions).

After deployment, users report random application errors that were not present before migration, even though target health checks are passing.

Which solution will meet this requirement?

Options:

A. Set the routing algorithm of the target group to least outstanding requests.

B. Turn on anomaly mitigation for the target group.

C. Turn off the cross-zone load balancing attribute of the target group.

D. Increase the deregistration delay attribute of the target group.

Questions 12

A company is running an application on premises and wants to use AWS for data backup. All of the data must be available locally. The backup application can write only to block-based storage that is compatible with the Portable Operating System Interface (POSIX).

Which backup solution will meet these requirements?

Options:

A. Configure the backup software to use Amazon S3 as the target for the data backups.

B. Configure the backup software to use Amazon S3 Glacier Flexible Retrieval as the target for the data backups.

C. Use AWS Storage Gateway, and configure it to use gateway-cached volumes.

D. Use AWS Storage Gateway, and configure it to use gateway-stored volumes.

Questions 13

A company hosts a static website in an Amazon S3 bucket, accessed globally via Amazon CloudFront. The Cache-Control max-age header is set to 1 hour, and Maximum TTL is set to 5 minutes. The CloudOps engineer observes that CloudFront is not caching objects for the expected duration.

What is the reason for this issue?

Options:

A. The Expires header has been set to 3 hours.

B. Cached assets are not expiring in the edge location.

C. Cache invalidation is missing in the CloudFront configuration.

D. Cache-duration settings conflict with each other.

Questions 14

An environment consists of 100 Amazon EC2 Windows instances. The Amazon CloudWatch agent is deployed and running on all EC2 instances with a baseline configuration file to capture log files. There is a new requirement to capture DHCP log files that exist on 50 of the instances.

What is the MOST operationally efficient way to meet this new requirement?

Options:

A. Create an additional CloudWatch agent configuration file to capture the DHCP logs. Use AWS Systems Manager Run Command to restart the CloudWatch agent on each EC2 instance with the append-config option.

B. Log in to each EC2 instance with administrator rights and create a PowerShell script to push logs to CloudWatch.

C. Run the CloudWatch agent configuration wizard on each EC2 instance and add DHCP logs manually.

D. Run the CloudWatch agent configuration wizard on each EC2 instance and select the advanced detail level.

Questions 15

A CloudOps engineer has created an AWS Service Catalog portfolio and shared it with a second AWS account in the company, managed by a different CloudOps engineer.

Which action can the CloudOps engineer in the second account perform?

Options:

A. Add a product from the imported portfolio to a local portfolio.

B. Add new products to the imported portfolio.

C. Change the launch role for the products contained in the imported portfolio.

D. Customize the products in the imported portfolio.

Questions 16

A CloudOps engineer wants to configure observability of specific metrics for a public website that runs on Amazon Elastic Kubernetes Service (Amazon EKS). The CloudOps engineer wants to observe latency, traffic, errors, and saturation metrics. The CloudOps engineer wants to define service level objectives (SLOs) and monitor service level indicators (SLIs). The CloudOps engineer also wants to correlate metrics, logs, and traces to support faster issue resolution.

Which solution will meet these requirements with the LEAST operational effort?

Options:

A. Use Amazon CloudWatch Application Signals to automatically collect and monitor the specified metrics for the EKS workloads.

B. Configure AWS Distro for OpenTelemetry and use Amazon Managed Service for Prometheus and Amazon Managed Grafana.

C. Configure Amazon CloudWatch RUM and CloudWatch Synthetics canaries.

D. Configure Amazon CloudWatch Application Insights.

Questions 17

A company has an application running on EC2 that stores data in an Amazon RDS for MySQL Single-AZ DB instance. The application requires both read and write operations, and the company needs failover capability with minimal downtime.

Which solution will meet these requirements?

Options:

A. Modify the DB instance to be a Multi-AZ DB instance deployment.

B. Add a read replica in the same Availability Zone where the DB instance is deployed.

C. Add the DB instance to an Auto Scaling group that has a minimum capacity of 2 and a desired capacity of 2.

D. Use RDS Proxy to configure a proxy in front of the DB instance.

Questions 18

A SysOps administrator must load test a new Amazon CloudFront distribution to assess data transfer and latency performance.

Which solution will meet this requirement?

Options:

A. Send client requests from a single geographic region. Configure the load test so that each client makes an identical DNS request. Focus the client requests on the IP address that the DNS returns.

B. Send client requests from a single geographic region. Configure the load test so that each client makes an independent DNS request. Spread the client requests across the set of IP addresses that the DNS returns.

C. Send client requests from multiple geographic regions. Configure the load test so that each client makes an identical DNS request. Focus the client requests on the IP address that the DNS returns.

D. Send client requests from multiple geographic regions. Configure the load test so that each client makes an independent DNS request. Spread the client requests across the set of IP addresses that the DNS returns.

Questions 19

A company operates compute resources in a VPC and in the company’s on-premises data center. The company already has an AWS Direct Connect connection between the VPC and the on-premises data center.

A CloudOps engineer needs to ensure that Amazon EC2 instances in the VPC can resolve DNS names for hosts in the on-premises data center.

Which solution will meet this requirement with the LEAST amount of ongoing maintenance?

Options:

A. Create an Amazon Route 53 private hosted zone. Populate the zone with the hostnames and IP addresses of the hosts in the on-premises data center.

B. Create an Amazon Route 53 Resolver outbound endpoint. Add the IP addresses of an on-premises DNS server for the domain names that need to be forwarded.

C. Set up a forwarding rule for reverse DNS queries in Amazon Route 53 Resolver. Set the enableDnsHostnames attribute to true for the VPC.

D. Add the hostnames and IP addresses for the on-premises hosts to the /etc/hosts file of each EC2 instance.

Questions 20

A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A CloudOps engineer must make the application highly available.

Which action should the CloudOps engineer take to meet this requirement?

Options:

A. Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.

B. Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.

C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.

D. Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.

Questions 21

A company has deployed Amazon EC2 instances from custom Amazon Machine Images (AMIs) in two AWS Regions. The company registered all the instances with AWS Systems Manager.

The company discovers that the operating system on some instances has a significant zero-day exploit. However, the company does not know how many instances are affected.

A CloudOps engineer must implement a solution to deploy operating system patches for the affected EC2 instances.

Which solution will meet this requirement with the LEAST operational overhead?

Options:

A. Define a patch baseline in Systems Manager Patch Manager. Use a Patch Manager scan to identify the affected instances. Use the Patch Now option in each Region to update the affected instances.

B. Use AWS Config to identify the affected instances. Define a patch baseline in Systems Manager Patch Manager. Use the Patch Now option in Patch Manager to update the affected instances.

C. Create an Amazon EventBridge rule to react to Systems Manager Compliance events. Configure the EventBridge rule to run a patch baseline on the affected instances.

D. Use AWS Config to identify the affected instances. Update the existing EC2 AMIs with the desired patch. Manually launch instances from the new AMIs to replace the affected instances in both Regions.

Questions 22

A company needs to log and audit any principal that publishes messages to Amazon Simple Notification Service (Amazon SNS) topics and Amazon Simple Queue Service (Amazon SQS) queues. The company wants to ensure that all communication with these services uses VPC endpoints.

Which combination of solutions will meet these requirements? (Select TWO.)

Options:

A. Use Amazon CloudWatch Logs to collect message content from Amazon SNS and Amazon SQS. Deliver logs to an Amazon S3 bucket for querying.

B. Set up AWS CloudTrail. Enable tracking of data events for Amazon SNS and Amazon SQS. Deliver logs to an Amazon S3 bucket for querying.

C. Create Amazon EventBridge rules to gather Amazon SNS and Amazon SQS events. Store the events in an Amazon S3 bucket.

D. Configure VPC endpoints for Amazon SNS and Amazon SQS. Inspect the vpcEndpointId field in the AWS CloudTrail logs.

E. Configure VPC endpoints for Amazon SNS and Amazon SQS. Inspect the vpcEndpoint field in the Amazon CloudWatch logs.

Questions 23

A company hosts a static website on an Amazon S3 bucket behind an Amazon CloudFront distribution. When the company deploys a new version of the website, users sometimes do not see the new content until the next day.

A CloudOps engineer must implement a solution to display updates to the website as quickly as possible.

Which solution will meet this requirement?

Options:

A. Configure the CloudFront distribution to add a custom Cache-Control header to requests for content from the S3 bucket.

B. Modify the distribution settings to specify the protocol as HTTPS only.

C. Attach the CachingOptimized managed cache policy to the distribution.

D. Create a CloudFront invalidation.

Questions 24

A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals sudden increases in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A CloudOps engineer must find the process ID (PID) of the service or process that is consuming more CPU.

What should the CloudOps engineer do to collect the process utilization information with the LEAST amount of effort?

Options:

A. Configure the Amazon CloudWatch agent procstat plugin to capture CPU process metrics.

B. Configure an AWS Lambda function to run every minute to capture the PID and send a notification.

C. Log in to the EC2 instance each night and run the top command.

D. Use the default Amazon CloudWatch CPUUtilization metric.

Questions 25

A web application runs on Amazon EC2 instances in the us-east-1 Region and the us-west-2 Region. The instances run behind an Application Load Balancer (ALB) in each Region. An Amazon Route 53 hosted zone controls DNS records.

The instances in us-east-1 are production resources. The instances in us-west-2 are for disaster recovery. EC2 Auto Scaling groups are configured based on the ALBRequestCountPerTarget metric in both Regions.

A SysOps administrator must implement a solution that provides failover from us-east-1 to us-west-2. The instances in us-west-2 must be used only for failover.

Which solution will meet these requirements?

Options:

A. Implement a Route 53 health check and a failover routing policy for the hosted zone. Configure the failover routing policy to automatically redirect traffic to the resources in us-west-2.

B. Implement a Route 53 health check and a latency routing policy for the hosted zone. Configure the latency routing policy to automatically redirect traffic to the resources in us-west-2.

C. In us-east-1, create an Amazon CloudWatch alarm that enters ALARM state when an EC2 instance is terminated. In us-west-2, create an AWS Lambda function that modifies the Route 53 hosted zone records to send traffic to us-west-2. Configure the CloudWatch alarm to invoke the Lambda function.

D. In us-west-2, create an Amazon CloudWatch alarm that enters ALARM state when resources in us-east-1 cannot be resolved. In us-west-2, create an AWS Lambda function that modifies the Route 53 hosted zone records to send traffic to us-west-2. Configure the CloudWatch alarm to invoke the Lambda function.

Questions 26

A company's reporting job that used to run in 15 minutes is now taking an hour to run. An application generates the reports. The application runs on Amazon EC2 instances and extracts data from an Amazon RDS for MySQL database.

A CloudOps engineer checks the Amazon CloudWatch dashboard for the RDS instance and notices that the Read IOPS metrics are high, even when the reports are not running. The CloudOps engineer needs to improve the performance and the availability of the RDS instance.

Which solution will meet these requirements?

Options:

A. Configure an Amazon ElastiCache cluster in front of the RDS instance. Update the reporting job to query the ElastiCache cluster.

B. Deploy an RDS read replica. Update the reporting job to query the reader endpoint.

C. Create an Amazon CloudFront distribution. Set the RDS instance as the origin. Update the reporting job to query the CloudFront distribution.

D. Increase the size of the RDS instance.

Questions 27

A company’s CloudOps engineer monitors multiple AWS accounts in an organization and checks each account’s AWS Health Dashboard. After adding 10 new accounts, the engineer wants to consolidate health alerts from all accounts.

Which solution meets this requirement with the least operational effort?

Options:

A. Enable organizational view in AWS Health.

B. Configure the Health Dashboard in each account to forward events to a central AWS CloudTrail log.

C. Create an AWS Lambda function to query the AWS Health API and write all events to an Amazon DynamoDB table.

D. Use the AWS Health API to write events to an Amazon DynamoDB table.

Questions 28

A company needs to monitor its website's availability to end users. The company needs a solution to provide an Amazon Simple Notification Service (Amazon SNS) notification if the website's uptime decreases to less than 99%. The monitoring must provide an accurate view of the user experience on the website.

Which solution will meet these requirements?

Options:

A. Create an Amazon CloudWatch alarm that is based on the website’s logs that are published to a CloudWatch Logs log group. Configure the alarm to publish an SNS notification if the number of HTTP 4xx and 5xx errors exceeds a specified threshold.

B. Create an Amazon CloudWatch alarm that is based on the website's published metrics in CloudWatch. Configure the alarm to publish an SNS notification based on anomaly detection.

C. Create an Amazon CloudWatch Synthetics heartbeat monitoring canary. Associate the canary with the website’s URL. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.

D. Create an Amazon CloudWatch Synthetics broken link checker monitoring canary. Associate the canary with the website’s URL. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.

Questions 29

A company is migrating its production file server to AWS. All data stored on the file server must remain accessible if an Availability Zone becomes unavailable or during system maintenance. Users must access the file server through the SMB protocol and manage permissions by using Windows ACLs.

Which solution will meet these requirements?

Options:

A. Create a single AWS Storage Gateway file gateway.

B. Create an Amazon FSx for Windows File Server Multi-AZ file system.

C. Deploy two AWS Storage Gateway file gateways in two Availability Zones behind an Application Load Balancer.

D. Deploy two Amazon FSx for Windows File Server Single-AZ file systems and configure DFS Replication.

Questions 30

A CloudOps engineer is creating a simple, public-facing website running on Amazon EC2. The CloudOps engineer created the EC2 instance in an existing public subnet and assigned an Elastic IP address. The CloudOps engineer created a new security group that allows incoming HTTP traffic from 0.0.0.0/0. The CloudOps engineer also created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet.

What is the cause of this issue?

Options:

A. The CloudOps engineer did not create an outbound rule that allows ephemeral port return traffic in the new network ACL.

B. The CloudOps engineer did not create an outbound rule in the security group that allows HTTP traffic from port 80.

C. The Elastic IP address assigned to the EC2 instance has changed.

D. There is an additional network ACL associated with the subnet that denies inbound HTTP traffic.

Questions 31

A company uses an Amazon Simple Queue Service (Amazon SQS) queue and Amazon EC2 instances in an Auto Scaling group with target tracking for a web application. The company collects the ASGAverageNetworkIn metric but notices that instances do not scale fast enough during peak traffic. There are a large number of SQS messages accumulating in the queue.

A CloudOps engineer must reduce the number of SQS messages during peak periods.

Which solution will meet this requirement?

Options:

A. Define and use a new custom Amazon CloudWatch metric based on the SQS ApproximateNumberOfMessagesDelayed metric in the target tracking policy.

B. Define and use Amazon CloudWatch metric math to calculate the SQS queue backlog for each instance in the target tracking policy.

C. Define and use step scaling by specifying a ChangeInCapacity value for the EC2 instances.

D. Define and use simple scaling by specifying a ChangeInCapacity value for the EC2 instances.

Questions 32

A CloudOps engineer must ensure that all of a company's current and future Amazon S3 buckets have logging enabled. If an S3 bucket does not have logging enabled, an automated process must enable logging for the S3 bucket.

Which solution will meet these requirements?

Options:

A. Use AWS Trusted Advisor to perform a check for S3 buckets that do not have logging enabled. Configure the check to enable logging for S3 buckets that do not have logging enabled.

B. Configure an S3 bucket policy that requires all current and future S3 buckets to have logging enabled.

C. Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses an AWS Lambda function to enable logging.

D. Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses the AWS-ConfigureS3BucketLogging AWS Systems Manager Automation runbook.

Questions 33

A company hosts a static website in Amazon S3 behind an Amazon CloudFront distribution. When new versions are deployed, users sometimes do not see updated content immediately.

Which solution will meet this requirement?

Options:

A. Configure the CloudFront distribution to add a custom Cache-Control header to requests for content from the S3 bucket.

B. Modify the distribution settings to specify the protocol as HTTPS only.

C. Attach the CachingOptimized managed cache policy to the distribution.

D. Create a CloudFront invalidation.

Questions 34

A company runs applications on Amazon EC2 instances. Many of the instances are not patched. The company has a tagging policy. All the instances are tagged with details about the owners, application, and environment. AWS Systems Manager Agent (SSM Agent) is installed on all the instances.

A SysOps administrator must implement a solution to automatically patch all existing and future instances that have "Prod" in the environment tag. The SysOps administrator plans to create a patch policy in Systems Manager Patch Manager.

Which solution will meet the patching requirements with the LEAST operational overhead?

Options:

A. Define targets of the patch policy by specifying node tags that match the company's tagging strategy.

B. Configure an AWS Lambda function to scan for new instances and to add the instances to the targets of the patch policy.

C. Create resource groups. Add the existing instances to the resource groups. Configure an AWS Lambda function to scan for new instances and to add the instances to the resource groups at regular intervals. Attach the resource groups to the patch policy.

D. Create resource groups. Add the existing instances to the resource groups. Create an Amazon EventBridge rule that uses an appropriately defined filter to add new instances to the resource groups. Attach the resource groups to the patch policy.

Questions 35

A company runs a business application on more than 300 Linux-based instances. Each instance has the AWS Systems Manager Agent (SSM Agent) installed. The company expects the number of instances to grow in the future. All business application instances have the same user-defined tag.

A CloudOps engineer wants to run a command on all the business application instances to download and install a package from a private repository. To avoid overwhelming the repository, the CloudOps engineer wants to ensure that no more than 30 downloads occur at one time.

Which solution will meet this requirement in the MOST operationally efficient way?

Options:

A.  

Use a secondary tag to create 10 batches of 30 instances each. Use a Systems Manager Run Command document to download and install the package. Run each batch one time.

B.  

Use an AWS Lambda function to automatically run a Systems Manager Run Command document. Set reserved concurrency for the Lambda function to 30.

C.  

Use a Systems Manager Run Command document to download and install the package. Use rate control to set concurrency to 30. Specify the target by using the user-defined tag.

D.  

Use a parallel workflow state in AWS Step Functions. Set the number of parallel states to 30.

Questions 36

A CloudOps engineer must manage the security of an AWS account. Recently, an IAM user’s access key was mistakenly uploaded to a public code repository. The engineer must identify everything that was changed using this compromised key.

How should the CloudOps engineer meet these requirements?

Options:

A.  

Create an Amazon EventBridge rule to send all IAM events to an AWS Lambda function for analysis.

B.  

Query Amazon EC2 logs by using Amazon CloudWatch Logs Insights for all events initiated with the compromised access key within the suspected timeframe.

C.  

Search AWS CloudTrail event history for all events initiated with the compromised access key within the suspected timeframe.

D.  

Search VPC Flow Logs for all events initiated with the compromised access key within the suspected timeframe.

Questions 37

A company uses AWS Organizations to manage its AWS environment. The company implements a process that uses prebuilt Amazon Machine Images (AMIs) to launch instances as a security measure. All AMIs are tagged automatically with a key named ApprovedAMI.

The company wants to ensure that employees can use only the approved prebuilt AMIs to launch new instances.

Which solution will meet this requirement?

Options:

A.  

Implement a tag policy for the company's organization to require users to set the ApprovedAMI tag to launch new EC2 instances.

B.  

Implement an IAM policy that includes an aws:ResourceTag/ApprovedAMI condition.

C.  

Set up an AWS Config required-tags rule to prevent users from launching any nonapproved AMIs.

D.  

Use Amazon GuardDuty to constantly monitor DefenseEvasion:EC2/UnusualDoHActivity findings.

Questions 38

A CloudOps engineer creates a new VPC that contains a private subnet, a security group that allows all outbound traffic, and an endpoint for Amazon EC2 Instance Connect in a private subnet. The CloudOps engineer associates the security group with EC2 Instance Connect.

The CloudOps engineer launches an EC2 instance from an Amazon Linux Amazon Machine Image (AMI) in the private subnet. The CloudOps engineer launches the EC2 instance without an SSH key pair.

The CloudOps engineer tries to connect to the instance by using the EC2 Instance Connect endpoint. However, the connection fails.

How can the CloudOps engineer connect to the instance?

Options:

A.  

Create an inbound rule in the security group to allow HTTPS traffic on port 443 from the private subnet.

B.  

Create an inbound rule in the security group to allow SSH traffic on port 22 from the private subnet.

C.  

Create an IAM instance profile that allows AWS Systems Manager Session Manager to access the EC2 instance. Associate the instance profile with the instance.

D.  

Recreate the EC2 instance. Associate an SSH key pair with the instance.

Questions 39

A company uses AWS CloudFormation to manage a stack of Amazon EC2 instances. A CloudOps engineer needs to keep the EC2 instances and their data even if the stack is deleted.

Which solution will meet these requirements?

Options:

A.  

Set the DeletionPolicy attribute to Snapshot.

B.  

Use Amazon Data Lifecycle Manager (DLM).

C.  

Create an AWS Backup plan.

D.  

Set the DeletionPolicy attribute to Retain.

Questions 40

A company is performing deployments of an application at regular intervals. Users report that the application sometimes does not work properly. The company discovers that some users' browsers are fetching previous versions of the JavaScript files. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution.

A SysOps administrator must implement a solution to ensure that CloudFront serves the latest version of the JavaScript files. The solution must not affect application server performance.

Which solution will meet these requirements?

Options:

A.  

Reduce the maximum TTL and default TTL of the CloudFront distribution behavior to 0.

B.  

Add a final step in the deployment process to invalidate all files in the CloudFront distribution.

C.  

Add a final step in the deployment process to invalidate only the changed JavaScript files in the CloudFront distribution.

D.  

Remove CloudFront from the path of serving JavaScript files. Serve the JavaScript files directly through the ALB.

Questions 41

A company applies user-defined tags to AWS resources. Twenty days after applying the tags, the company notices that the tags cannot be used to filter views in the AWS Cost Explorer console.

What is the reason for this issue?

Options:

A.  

It takes at least 30 days before tags can be used in Cost Explorer.

B.  

The company has not activated the user-defined tags for cost allocation.

C.  

The company has not created an AWS Cost and Usage Report.

D.  

The company has not created a usage budget in AWS Budgets.

Questions 42

A company has a workload that is sending log data to Amazon CloudWatch Logs. One of the fields includes a measure of application latency. A CloudOps engineer needs to monitor the p90 statistic of this field over time.

What should the CloudOps engineer do to meet this requirement?

Options:

A.  

Create an Amazon CloudWatch Contributor Insights rule on the log data.

B.  

Create a metric filter on the log data.

C.  

Create a subscription filter on the log data.

D.  

Create an Amazon CloudWatch Application Insights rule for the workload.

Questions 43

A SysOps administrator is configuring an Auto Scaling group of Amazon EC2 instances for an application. The average CPU utilization of the instances in the Auto Scaling group must remain at approximately 40% when the load on the application changes.

Which solution will meet this requirement in the MOST operationally efficient manner?

Options:

A.  

Create a scheduled scaling action. Configure the action to run at times when the application typically experiences an increase in traffic.

B.  

Configure a simple scaling policy. Create an Amazon CloudWatch alarm that enters ALARM state when CPU utilization is greater than 40%. Associate the alarm with the scaling policy.

C.  

Configure a step scaling policy. Create an Amazon CloudWatch alarm that enters ALARM state when CPU utilization is greater than 40%. Associate the alarm with the scaling policy.

D.  

Configure a target tracking scaling policy. Specify a target value of 40 for average CPU utilization.

Questions 44

A company is using an Amazon Aurora MySQL DB cluster that has point-in-time recovery, backtracking, and automatic backups enabled. A CloudOps engineer needs to be able to roll back the DB cluster to a specific recovery point within the previous 72 hours. Restores must be completed in the same production DB cluster.

Which solution will meet these requirements?

Options:

A.  

Create an Aurora Replica. Promote the replica to replace the primary DB instance.

B.  

Create an AWS Lambda function to restore an automatic backup to the existing DB cluster.

C.  

Use backtracking to rewind the existing DB cluster to the desired recovery point.

D.  

Use point-in-time recovery to restore the existing DB cluster to the desired recovery point.

Questions 45

A company runs an application that logs user data to an Amazon CloudWatch Logs log group. The company discovers that personal information the application has logged is visible in plain text in the CloudWatch logs.

The company needs a solution to redact personal information in the logs by default. Unredacted information must be available only to the company's security team.

Which solution will meet these requirements?

Options:

A.  

Create an Amazon S3 bucket. Create an export task from appropriate log groups in CloudWatch. Export the logs to the S3 bucket. Configure an Amazon Macie scan to discover personal data in the S3 bucket. Invoke an AWS Lambda function to move identified personal data to a second S3 bucket. Update the S3 bucket policies to grant only the security team access to both buckets.

B.  

Create a customer managed AWS KMS key. Configure the KMS key policy to allow only the security team to perform decrypt operations. Associate the KMS key with the application log group.

C.  

Create an Amazon CloudWatch data protection policy for the application log group. Configure data identifiers for the types of personal information that the application logs. Ensure that the security team has permission to call the unmask API operation on the application log group.

D.  

Create an OpenSearch domain. Create an AWS Glue workflow that runs a Detect PII transform job and streams the output to the OpenSearch domain. Configure the CloudWatch log group to stream the logs to AWS Glue. Modify the OpenSearch domain access policy to allow only the security team to access the domain.

Questions 46

A SysOps administrator needs to give an existing AWS Lambda function access to an existing Amazon S3 bucket. Traffic between the Lambda function and the S3 bucket must not use public IP addresses. The Lambda function has been configured to run in a VPC.

Which solution will meet these requirements?

Options:

A.  

Configure VPC sharing between the Lambda VPC and the S3 bucket.

B.  

Attach a transit gateway to the Lambda VPC to allow the Lambda function to connect to the S3 bucket.

C.  

Create a NAT gateway. Associate the NAT gateway with the subnet where the Lambda function is configured to run.

D.  

Create an S3 interface endpoint. Change the Lambda function to use the new S3 DNS name.

Questions 47

A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. The company’s security team wants to protect the website by using AWS Certificate Manager (ACM) certificates. The load balancer must automatically redirect any HTTP requests to HTTPS.

Which solution will meet these requirements?

Options:

A.  

Create an Application Load Balancer that has one HTTPS listener on port 80. Attach an SSL/TLS certificate to port 80.

B.  

Create an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS listener on port 443. Attach an SSL/TLS certificate to port 443. Create a rule to redirect requests from port 80 to port 443.

C.  

Create an Application Load Balancer that has two TCP listeners on ports 80 and 443. Attach an SSL/TLS certificate to port 443.

D.  

Create a Network Load Balancer with TCP listeners on ports 80 and 443. Attach an SSL/TLS certificate to port 443.

Questions 48

A media company hosts a public news and video portal on AWS. The portal uses an Amazon DynamoDB table with provisioned capacity to maintain an index of video files that are stored in an Amazon S3 bucket. During a recent event, millions of visitors came to the portal for news. This increase in traffic caused read requests to be throttled in the DynamoDB table. Videos could not be displayed in the portal.

The company's operations team manually increased the provisioned capacity on a temporary basis to meet the demand. The company wants the operations team to receive an alert before the table is throttled in the future. The company has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the operations team's email address to the SNS topic.

What should the company do next to meet these requirements?

Options:

A.  

Create an Amazon CloudWatch alarm that uses the ConsumedReadCapacityUnits metric. Set the alarm threshold to a value that is close to the DynamoDB table's provisioned capacity. Configure the alarm to publish notifications to the SNS topic.

B.  

Turn on auto scaling on the DynamoDB table. Configure an Amazon EventBridge rule to publish notifications to the SNS topic during scaling events.

C.  

Turn on Amazon CloudWatch Logs for the DynamoDB table. Create an Amazon CloudWatch metric filter to pattern match the THROTTLING_EXCEPTION status code from DynamoDB. Create a CloudWatch alarm for the metric. Select the SNS topic for notifications.

D.  

Configure the application to store logs in Amazon CloudWatch Logs. Create an Amazon CloudWatch metric filter to pattern match the THROTTLING_EXCEPTION status code from DynamoDB. Create a CloudWatch alarm for the metric. Select the SNS topic for notifications.

Questions 49

A company moves workloads from public subnets to private subnets to improve security. During testing, servers in the private subnets cannot reach an external API. The VPC has a CIDR block of 10.0.0.0/16, two public subnets, two private subnets, one internet gateway, and a NAT gateway in each private subnet.

The company must ensure that workloads in the private subnets can reach the external API.

Which solution will meet this requirement?

Options:

A.  

Deploy an outbound-only internet gateway and update route tables.

B.  

Create an Amazon API Gateway HTTP API as a proxy.

C.  

Deploy a NAT gateway in each public subnet and update private subnet route tables.

D.  

Create a VPC interface endpoint and update route tables.
