01. An application running on Amazon EC2 instances needs to access data stored in an Amazon DynamoDB table. Which solution will grant the application access to the table in the MOST secure manner?
a) Create an IAM group for the application and attach a permissions policy with the necessary privileges. Add the EC2 instances to the IAM group.
b) Create an IAM resource policy for the DynamoDB table that grants the necessary permissions to Amazon EC2.
c) Create an IAM role with the necessary privileges to access the DynamoDB table. Associate the role with the EC2 instances.
d) Create an IAM user for the application and attach a permissions policy with the necessary privileges. Generate an access key and embed the key in the application code.
02. A SysOps team checks their AWS Personal Health Dashboard every week for upcoming AWS hardware maintenance events. Recently, a team member was on vacation and the team missed an event, which resulted in an outage.
The team wants a simple method to ensure that everyone is aware of upcoming events without depending on an individual team member checking the dashboard.
What should be done to address this?
a) Build a web scraper to monitor the Personal Health Dashboard. When new health events are detected, send a notification to an Amazon SNS topic monitored by the entire team.
b) Create an Amazon CloudWatch Events event based on the AWS Health service and send a notification to an Amazon SNS topic monitored by the entire team.
c) Create an Amazon CloudWatch Events event that sends a notification to an Amazon SNS topic monitored by the entire team to remind the team to view the maintenance events on the Personal Health Dashboard.
d) Create an AWS Lambda function that continuously pings all EC2 instances to confirm their health. Alert the team if this check fails.
03. According to the AWS shared responsibility model, for which of the following Amazon EC2 activities is AWS responsible? (Select TWO.)
a) Configuring network ACLs
b) Maintaining network infrastructure
c) Monitoring memory utilization
d) Patching the guest operating system
e) Patching the hypervisor
04. An application running in a VPC needs to access instances owned by a different account and running in a VPC in a different Region. For compliance purposes, the traffic must not traverse the public internet.
How should an Administrator configure network routing to meet these requirements?
a) Within each account, create a custom routing table containing routes that point to the other account’s virtual private gateway.
b) Within each account, set up a NAT gateway in a public subnet in its respective VPC. Then, using the public IP address from the NAT gateway, enable routing between the two VPCs.
c) From one account, configure a Site-to-Site VPN connection between the VPCs. Within each account, add routes in the VPC route tables that point to the CIDR block of the remote VPC.
d) From one account, create a VPC peering request. After an Administrator from the other account accepts the request, add routes in the route tables for each VPC that point to the CIDR block of the peered VPC.
05. A SysOps Administrator observes a large number of rogue HTTP requests on an Application Load Balancer. The requests originate from various IP addresses. These requests cause increased server load and costs.
What should the SysOps Administrator do to block this traffic?
a) Install Amazon Inspector on Amazon EC2 instances to block the traffic.
b) Use Amazon GuardDuty to protect the web servers from bots and scrapers.
c) Use AWS Lambda to analyze the web server logs, detect bot traffic, and block the IP addresses in the security groups.
d) Use AWS WAF rate-based blacklisting to block the traffic when it exceeds a threshold.
06. An ecommerce company wants to lower costs on its nightly jobs that aggregate the current day's sales and store the results in Amazon S3.
The jobs run on multiple On-Demand Instances, and the jobs take just under 2 hours to complete. The jobs can run at any time during the night. If a job fails for any reason, it needs to be started from the beginning.
Which solution is the MOST cost-effective based on these requirements?
a) Purchase Reserved Instances.
b) Submit a request for a Spot block.
c) Submit a request for all Spot Instances.
d) Use a mixture of On-Demand and Spot Instances.
07. A third-party service uploads objects to Amazon S3 every night. Occasionally, the service uploads an incorrectly formatted version of an object. In these cases, the SysOps Administrator needs to recover an older version of the object.
What is the MOST efficient way to recover the object without having to retrieve it from the remote service?
a) Enable versioning on the S3 bucket. When bad objects are discovered, access previous versions with the CLI or AWS Management Console.
b) Create an AWS Lambda function that copies the object to an S3 bucket owned by a different account. Trigger the function when new objects are created in S3. When bad objects are discovered, retrieve the previous version from the other account.
c) Create an S3 event on object creation that copies the object to an Amazon Elasticsearch Service (Amazon ES) cluster. When bad objects are discovered, retrieve the previous version from Amazon ES.
d) Configure an Amazon CloudWatch Events scheduled event that triggers an AWS Lambda function that backs up the S3 bucket prior to the nightly job. When bad objects are discovered, restore the backed up version.
08. A Security and Compliance team requires that all Amazon EC2 workloads use approved Amazon Machine Images (AMIs). A SysOps Administrator must implement a process to find EC2 instances launched from unapproved AMIs.
Which solution will meet these requirements?
a) Create a custom report using AWS Systems Manager inventory to identify unapproved AMIs.
b) Run Amazon Inspector on each EC2 instance and flag the instance if it is using unapproved AMIs.
c) Use an AWS Config rule to identify unapproved AMIs.
d) Use AWS Trusted Advisor to identify the EC2 workloads using unapproved AMIs.
09. A SysOps Administrator is implementing security group policies for a web application running on AWS.
An Elastic Load Balancer connects to a fleet of Amazon EC2 instances that connect to an Amazon RDS database over port 1521. The security groups are named elbSG, ec2SG, and rdsSG, respectively.
How should these security groups be implemented?
a) elbSG: allow port 80 and 443 from 0.0.0.0/0;
ec2SG: allow port 443 from elbSG;
rdsSG: allow port 1521 from ec2SG.
b) elbSG: allow port 80 and 443 from 0.0.0.0/0;
ec2SG: allow port 80 and 443 from elbSG and rdsSG;
rdsSG: allow port 1521 from ec2SG.
c) elbSG: allow port 80 and 443 from ec2SG;
ec2SG: allow port 80 and 443 from elbSG and rdsSG;
rdsSG: allow port 1521 from ec2SG.
d) elbSG: allow port 80 and 443 from ec2SG;
ec2SG: allow port 443 from elbSG;
rdsSG: allow port 1521 from elbSG.
10. A company is migrating a legacy web application from a single server to multiple Amazon EC2 instances behind an Application Load Balancer (ALB). After the migration, users report that they are frequently losing their sessions and are being prompted to log in again.
Which action should be taken to resolve the issue reported by users?
a) Confirm that the ALB is not in a multi-AZ configuration.
b) Configure an Amazon CloudFront distribution with the ALB as the origin.
c) Deploy a Network Load Balancer in front of the ALB.
d) Enable sticky sessions for the target group of EC2 instances.