SOA-C02 Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the SOA-C02 certification? Our SOA-C02 Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective SOA-C02 exam prep free is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic SOA-C02 Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
A company uses AWS Organizations to host several applications across multiple AWS accounts. Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts. A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed. The solution must be integrated with the company's existing on-premises Active Directory environment. The SysOps administrator already has enabled AWS IAM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection. What is the MOST operationally efficient solution that meets these requirements?
A. Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
B. Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
C. Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
D. Use the built-in SSO directory as the identity source for IAM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
A company recently acquired another corporation and all of that corporation's AWS accounts. A financial analyst needs the cost data from these accounts. A SysOps administrator uses Cost Explorer to generate cost and usage reports. The SysOps administrator notices that "No Tagkey" represents 20% of the monthly cost. What should the SysOps administrator do to tag the "No Tagkey" resources?
A. Add the accounts to AWS Organizations. Use a service control policy (SCP) to tag all the untagged resources.
B. Use an AWS Config rule to find the untagged resources. Set the remediation action to terminate the resources.
C. Use Cost Explorer to find and tag all the untagged resources.
D. Use Tag Editor to find and tag all the untagged resources.
A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones. There are two instances in each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency. Which solution will meet these requirements?
A. Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.
B. Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.
C. Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.
D. Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.
A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video files into the destination S3 bucket in the United States. What are the MOST cost effective ways to increase upload speeds into the S3 bucket? (Choose two.)
A. Create multiple AWS Direct Connect connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
B. Create multiple AWS Site-to-Site VPN connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
C. Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket.
D. Use AWS Global Accelerator for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
E. Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
A company migrates a write-once, read-many (WORM) drive to an Amazon S3 bucket that has S3 Object Lock configured in governance mode. During the migration, the company copies unneeded data to the S3 bucket. A SysOps administrator attempts to delete the unneeded data from the S3 bucket by using the AWS CLI. However, the SysOps administrator receives an error. Which combination of steps should the SysOps administrator take to successfully delete the unneeded data? (Choose two.)
A. Increase the Retain Until Date.
B. Assume a role that has the s3:BypassLegalRetention permission.
C. Assume a role that has the s3:BypassGovernanceRetention permission.
D. Include the x-amz-bypass-governance-retention:true header in the request when issuing the delete command.
E. Include the x-amz-bypass-legal-retention:true header in the request when issuing the delete command.
A SysOps administrator manages a company's Amazon S3 buckets. The SysOps administrator has identified 5 GB of incomplete multipart uploads in an S3 bucket in the company's AWS account. The SysOps administrator needs to reduce the number of incomplete multipart upload objects in the S3 bucket. Which solution will meet this requirement?
A. Create an S3 Lifecycle rule on the S3 bucket to delete expired markers or incomplete multipart uploads.
B. Require users that perform uploads of files into Amazon S3 to use the S3 TransferUtility.
C. Enable S3 Versioning on the S3 bucket that contains the incomplete multipart uploads.
D. Create an S3 Object Lambda Access Point to delete incomplete multipart uploads.
A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations. What should a SysOps administrator do to implement this requirement?
A. Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
B. Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
C. Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
D. Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
A company has an AWS Site-to-Site VPN connection between on-premises resources and resources that are hosted in a VPC. A SysOps administrator launches an Amazon EC2 instance that has only a private IP address into a private subnet in the VPC. The EC2 instance runs Microsoft Windows Server. A security group for the EC2 instance has rules that allow inbound traffic from the on-premises network over the VPN connection. The on-premises environment contains a third-party network firewall. Rules in the third-party network firewall allow Remote Desktop Protocol (RDP) traffic to flow between the on-premises users over the VPN connection. The on-premises users are unable to connect to the EC2 instance and receive a timeout error. What should the SysOps administrator do to troubleshoot this issue?
A. Create Amazon CloudWatch logs for the EC2 instance to check for blocked traffic.
B. Create Amazon CloudWatch logs for the Site-to-Site VPN connection to check for blocked traffic.
C. Create VPC flow logs for the EC2 instance’s elastic network interface to check for rejected traffic.
D. Instruct users to use EC2 Instance Connect as a connection method.
A SysOps administrator is re-architecting an application. The SysOps administrator has moved the database from a public subnet, where the database used a public endpoint, into a private subnet to restrict access from the public network. After this change, an AWS Lambda function that requires read access to the database cannot connect to the database. The SysOps administrator must resolve this issue without compromising security. Which solution meets these requirements?
A. Create an AWS PrivateLink interface endpoint for the Lambda function. Connect to the database using its private endpoint.
B. Connect the Lambda function to the database VPC. Connect to the database using its private endpoint.
C. Attach an IAM role to the Lambda function with read permissions to the database.
D. Move the database to a public subnet. Use security groups for secure access.
A SysOps administrator is deploying an application on 10 Amazon EC2 instances. The application must be highly available. The instances must be placed on distinct underlying hardware. What should the SysOps administrator do to meet these requirements?
A. Launch the instances into a cluster placement group in a single AWS Region.
B. Launch the instances into a partition placement group in multiple AWS Regions.
C. Launch the instances into a spread placement group in multiple AWS Regions.
D. Launch the instances into a spread placement group in a single AWS Region.
A development team created and deployed a new AWS Lambda function 15 minutes ago. Although the function was invoked many times, Amazon CloudWatch Logs are not showing any log messages. What is one cause of this?
A. The developers did not enable log messages for this Lambda function.
B. The Lambda function’s role does not include permissions to create CloudWatch Logs items.
C. The Lambda function raises an exception before the first log statement has been reached.
D. The Lambda function creates local log files that have to be shipped to CloudWatch Logs first before becoming visible.
A company is running an application on a group of Amazon EC2 instances behind an Application Load Balancer. The EC2 instances run across three Availability Zones. The company needs to provide the customers with a maximum of two static IP addresses for their applications. How should a SysOps administrator meet these requirements?
A. Add AWS Global Accelerator in front of the Application Load Balancer.
B. Add an internal Network Load Balancer behind the Application Load Balancer.
C. Configure the Application Load Balancer in only two Availability Zones.
D. Create two Elastic IP addresses and assign them to the Application Load Balancer.
A company is rolling out a new version of its website. Management wants to deploy the new website in a limited rollout to 20% of the company’s customers. The company uses Amazon Route 53 for its website’s DNS solution. Which configuration will meet these requirements?
A. Create a failover routing policy. Within the policy, configure 80% of the website traffic to be sent to the original resource. Configure the remaining 20% of traffic as the failover record that points to the new resource.
B. Create a multivalue answer routing policy. Within the policy, create 4 records with the name and IP address of the original resource. Configure 1 record with the name and IP address of the new resource.
C. Create a latency-based routing policy. Within the policy, configure a record pointing to the original resource with a weight of 80. Configure a record pointing to the new resource with a weight of 20.
D. Create a weighted routing policy. Within the policy, configure a weight of 80 for the record pointing to the original resource. Configure a weight of 20 for the record pointing to the new resource.
A company manages a set of accounts on AWS by using AWS Organizations. The company's security team wants to use a native AWS service to regularly scan all AWS accounts against the Center for Internet Security (CIS) AWS Foundations Benchmark. What is the MOST operationally efficient way to meet these requirements?
A. Designate a central security account as the AWS Security Hub administrator account. Create a script that sends an invitation from the Security Hub administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure Security Hub to run the CIS AWS Foundations Benchmark scans.
B. Run the CIS AWS Foundations Benchmark across all accounts by using Amazon Inspector.
C. Designate a central security account as the Amazon GuardDuty administrator account. Create a script that sends an invitation from the GuardDuty administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure GuardDuty to run the CIS AWS Foundations Benchmark scans.
D. Designate an AWS Security Hub administrator account. Configure new accounts in the organization to automatically become member accounts. Enable CIS AWS Foundations Benchmark scans.
A SysOps administrator has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different administrator. Which action will the administrator of the second account be able to perform?
A. Add a product from the imported portfolio to a local portfolio.
B. Add new products to the imported portfolio.
C. Change the launch role for the products contained in the imported portfolio.
D. Customize the products in the imported portfolio.
A company has an encrypted Amazon S3 bucket that is hosted in the ap-southeast-2 Region. Users from the eu-west-2 Region access the S3 bucket over the internet. The users from eu-west-2 need faster transfers to and from the S3 bucket for large files. Which solution will meet these requirements?
A. Reduce the length of the S3 bucket prefixes within the S3 bucket.
B. Change the server-side encryption on the S3 bucket from AES to RSA.
C. Create a new S3 bucket that has an identical name in eu-west-2. Use the new S3 bucket endpoint’s domain name for access.
D. Enable S3 Transfer Acceleration on the S3 bucket. Use the new s3-accelerate endpoint’s domain name for access.
A company has an application that runs only on Amazon EC2 Spot Instances. The instances run in an Amazon EC2 Auto Scaling group with scheduled scaling actions. However, the capacity does not always increase at the scheduled times, and instances terminate many times a day. A SysOps administrator must ensure that the instances launch on time and have fewer interruptions. Which action will meet these requirements?
A. Specify the capacity-optimized allocation strategy for Spot Instances. Add more instance types to the Auto Scaling group.
B. Specify the capacity-optimized allocation strategy for Spot Instances. Increase the size of the instances in the Auto Scaling group.
C. Specify the lowest-price allocation strategy for Spot Instances. Add more instance types to the Auto Scaling group.
D. Specify the lowest-price allocation strategy for Spot Instances. Increase the size of the instances in the Auto Scaling group.
A company updates its security policy to clarify cloud hosting arrangements for regulated workloads. Workloads that are identified as sensitive must run on hardware that is not shared with other customers or with other AWS accounts within the company. Which solution will ensure compliance with this policy?
A. Deploy workloads only to Dedicated Hosts.
B. Deploy workloads only to Dedicated Instances.
C. Deploy workloads only to Reserved Instances.
D. Place all instances in a dedicated placement group.
A company manages its production applications across several AWS accounts. The company hosts the production applications on Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are spread across multiple VPCs. Each VPC uses its own Amazon Route 53 private hosted zone for private DNS. A VPC from Account A needs to resolve private DNS records from a private hosted zone that is associated with a different VPC in Account B. What should a SysOps administrator do to meet these requirements?
A. In Account A, create an AWS Systems Manager document that updates the /etc/resolv.conf file across all EC2 instances to point to the AWS provided default DNS resolver for the VPC in Account
B. In Account A, create an AWS CloudFormation template that associates the private hosted zone from Account B with the private hosted zone in Account
C. In Account A, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account B to associate the VPC from Account A with the private hosted zone in Account
D. In Account B, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account A to associate the VPC from Account B with the private hosted zone in Account
A company stores sensitive data in an Amazon S3 bucket. The company must log all access attempts to the S3 bucket. The company’s risk team must receive immediate notification about any delete events. Which solution will meet these requirements?
A. Enable S3 server access logging for audit logs. Set up an Amazon Simple Notification Service (Amazon SNS) notification for the S3 bucket. Select DeleteObject for the event type for the alert system.
B. Enable S3 server access logging for audit logs. Launch an Amazon EC2 instance for the alert system. Run a cron job on the EC2 instance to download the access logs each day and to scan for a DeleteObject event.
C. Use Amazon CloudWatch Logs for audit logs. Use Amazon CloudWatch alarms with an Amazon Simple Notification Service (Amazon SNS) notification for the alert system.
D. Use Amazon CloudWatch Logs for audit logs. Launch an Amazon EC2 instance for the alert system. Run a cron job on the EC2 instance each day to compare the list of the items with the list from the previous day. Configure the cron job to send a notification if an item is missing.
A SysOps administrator migrates NAT instances to NAT gateways. After the migration, an application that is hosted on Amazon EC2 instances in a private subnet cannot access the internet. Which of the following are possible reasons for this problem? (Choose two.)
A. The application is using a protocol that the NAT gateway does not support.
B. The NAT gateway is not in a security group.
C. The NAT gateway is in an unsupported Availability Zone.
D. The NAT gateway is not in the Available state.
E. The port forwarding settings do not allow access to internal services from the internet.
A company has an application that collects notifications from thousands of alarm systems. The notifications include alarm notifications and information notifications. The information notifications include the system arming processes, disarming processes, and sensor status. All notifications are kept as messages in an Amazon Simple Queue Service (Amazon SQS) queue. Amazon EC2 instances that are in an Auto Scaling group process the messages. A SysOps administrator needs to implement a solution that prioritizes alarm notifications over information notifications. Which solution will meet these requirements?
A. Adjust the Auto Scaling group to scale faster when a high number of messages is in the queue.
B. Use the Amazon Simple Notification Service (Amazon SNS) fanout feature with Amazon SQS to send the notifications in parallel to all the EC2 instances.
C. Add an Amazon DynamoDB stream to accelerate the message processing.
D. Create a queue for alarm notifications and a queue for information notifications. Update the application to collect messages from the alarm notifications queue first.
A company creates a new member account by using AWS Organizations. A SysOps administrator needs to add AWS Business Support to the new account. Which combination of steps must the SysOps administrator take to meet this requirement? (Choose two.)
A. Sign in to the new account by using IAM credentials. Change the support plan.
B. Sign in to the new account by using root user credentials. Change the support plan.
C. Use the AWS Support API to change the support plan.
D. Reset the password of the account root user.
E. Create an IAM user that has administrator privileges in the new account.
A SysOps administrator is testing an application that is hosted on five Amazon EC2 instances. The instances run in an Auto Scaling group behind an Application Load Balancer (ALB). High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out. Which action should the SysOps administrator take to meet these requirements?
A. Enable instance scale-in protection.
B. Place the instance into the Standby state.
C. Remove the listener from the ALB.
D. Suspend the Launch and Terminate process types.
A SysOps administrator needs to implement a backup strategy for Amazon EC2 resources and Amazon RDS resources. The backup strategy must meet the following retention requirements:
- Daily backups: must be kept for 6 days
- Weekly backups: must be kept for 4 weeks
- Monthly backups: must be kept for 11 months
- Yearly backups: must be kept for 7 years
Which backup strategy will meet these requirements with the LEAST administrative effort?
A. Use Amazon Data Lifecycle Manager to create an Amazon Elastic Block Store (Amazon EBS) snapshot policy. Create tags on each resource that needs to be backed up. Create multiple schedules according to the requirements within the policy. Set the appropriate frequency and retention period.
B. Use AWS Backup to create a new backup plan for each retention requirement with a backup frequency of daily, weekly, monthly, or yearly. Set the retention period to match the requirement. Create tags on each resource that needs to be backed up. Set up resource assignment by using the tags.
C. Create an AWS Lambda function. Program the Lambda function to use native tooling to take backups of file systems in Amazon EC2 and to make copies of databases in Amazon RDS. Create an Amazon EventBridge rule to invoke the Lambda function.
D. Use Amazon Data Lifecycle Manager to create an Amazon Elastic Block Store (Amazon EBS) snapshot policy. Create tags on each resource that needs to be backed up. Set up resource assignment by using the tags. Create multiple schedules according to the requirements within the policy. Set the appropriate frequency and retention period. In Amazon RDS, activate automated backups on the required DB instances.
A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account’s Amazon S3 bucket. Moving forward, how can the SysOps administrator confirm that the log files have not been modified after being delivered to the S3 bucket?
A. Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
B. Enable log file integrity validation and use digest files to verify the hash value of the log file.
C. Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
D. Enable S3 server access logging to track requests made to the log bucket for security audits.
An errant process is known to use an entire processor and run at 100%. A SysOps administrator wants to automate restarting an Amazon EC2 instance when the problem occurs for more than 2 minutes. How can this be accomplished?
A. Create an Amazon CloudWatch alarm for the EC2 instance with basic monitoring. Add an action to restart the instance.
B. Create an Amazon CloudWatch alarm for the EC2 instance with detailed monitoring. Add an action to restart the instance.
C. Create an AWS Lambda function to restart the EC2 instance, invoked on a scheduled basis every 2 minutes.
D. Create an AWS Lambda function to restart the EC2 instance, invoked by EC2 health checks.
A company is storing media content in an Amazon S3 bucket and uses Amazon CloudFront to distribute the content to its users. Due to licensing terms, the company is not authorized to distribute the content in some countries. A SysOps administrator must restrict access to certain countries. What is the MOST operationally efficient solution that meets these requirements?
A. Configure the S3 bucket policy to deny the GetObject operation based on the S3:LocationConstraint condition.
B. Create a secondary origin access identity (OAI). Configure the S3 bucket policy to prevent access from unauthorized countries.
C. Enable the geo restriction feature in the CloudFront distribution to prevent access from unauthorized countries.
D. Update the application to generate signed CloudFront URLs only for IP addresses in authorized countries.
A company is running workloads on premises and on AWS. A SysOps administrator needs to automate tasks across all servers on premises by using AWS services. The SysOps administrator must not install long-term credentials on the on-premises servers. What should the SysOps administrator do to meet these requirements?
A. Create an IAM role and instance profile that include AWS Systems Manager permissions. Attach the role to the on-premises servers.
B. Create a managed-instance activation in AWS Systems Manager. Install the Systems Manager Agent (SSM Agent) on the on-premises servers. Register the servers with the activation code and ID from the instance activation.
C. Create an AWS managed IAM policy that includes the appropriate AWS Systems Manager permissions. Download the IAM policy to the on-premises servers.
D. Create an IAM user and an access key. Log on to the on-premises servers and install the AWS CLI. Configure the access key in the AWS credentials file after the AWS CLI is successfully installed.
A company hosts several write-intensive applications. These applications use a MySQL database that runs on a single Amazon EC2 instance. The company asks a SysOps administrator to implement a highly available database solution that is ideal for multi-tenant workloads. Which solution should the SysOps administrator implement to meet these requirements?
A. Create a second EC2 instance for MySQL. Configure the second instance to be a read replica.
B. Migrate the database to an Amazon Aurora DB cluster. Add an Aurora Replica.
C. Migrate the database to an Amazon Aurora multi-master DB cluster.
D. Migrate the database to an Amazon RDS for MySQL DB instance.
A SysOps administrator manages the caching of an Amazon CloudFront distribution that serves pages of a website. The SysOps administrator needs to configure the distribution so that the TTL of individual pages can vary. The TTL of the individual pages must remain within the maximum TTL and the minimum TTL that are set for the distribution. Which solution will meet these requirements?
A. Create an AWS Lambda function that calls the CreateInvalidation API operation when a change in cache time is necessary.
B. Add a Cache-Control: max-age directive to the object at the origin when content is being returned to CloudFront.
C. Add a no-cache header through a Lambda@Edge function in response to the Viewer response.
D. Add an Expires header through a CloudFront function in response to the Viewer response.
A company has an application that runs on a fleet of Amazon EC2 instances behind an Elastic Load Balancer. The instances run in an Auto Scaling group. The application's performance remains consistent throughout most of each day. However, an increase in user traffic slows the performance during the same 4-hour period of time each day. What is the MOST operationally efficient solution that will resolve this issue?
A. Configure a second Elastic Load Balancer in front of the Auto Scaling group with a weighted routing policy.
B. Configure the fleet of EC2 instances to run on larger instance types to support the increase in user traffic.
C. Create a scheduled scaling action to scale out the number of EC2 instances shortly before the increase in user traffic occurs.
D. Manually add a few more EC2 instances to the Auto Scaling group to support the increase in user traffic.
A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet. What should a SysOps administrator do to meet the compliance requirement?
A. Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
B. Configure AWS Network Firewall to redirect traffic to the internal S3 address.
C. Modify the application to use the S3 path-style endpoint.
D. Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.
A SysOps administrator maintains the security and compliance of a company's AWS account. To ensure the company's Amazon EC2 instances are following company policy, a SysOps administrator wants to terminate any EC2 instances that do not contain a department tag. Noncompliant resources must be terminated in near-real time. Which solution will meet these requirements?
A. Create an AWS Config rule with the required-tags managed rule to identify noncompliant resources. Configure automatic remediation to run the AWS-TerminateEC2Instance automation document to terminate noncompliant resources.
B. Create a new Amazon EventBridge (Amazon CloudWatch Events) rule to monitor when new EC2 instances are created. Send the event to a Simple Notification Service (Amazon SNS) topic for automatic remediation.
C. Ensure all users who can create EC2 instances also have the permissions to use the ec2:CreateTags and ec2:DescribeTags actions. Change the instance’s shutdown behavior to terminate.
D. Ensure AWS Systems Manager Compliance is configured to manage the EC2 instances. Call the AWS-StopEC2Instances automation document to stop noncompliant resources.
A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months. What is the process to rotate the key?
A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
C. Delete the current key material, and import new material into the existing CMK.
D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
A SysOps administrator wants to provide access to AWS services by attaching an IAM policy to multiple IAM users. The SysOps administrator also wants to be able to change the policy and create new versions. Which combination of actions will meet these requirements? (Choose two.)
A. Add the users to an IAM service-linked role. Attach the policy to the role.
B. Add the users to an IAM user group. Attach the policy to the group.
C. Create an AWS managed policy.
D. Create a customer managed policy.
E. Create an inline policy.
A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services. Which solution will meet these requirements?
A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization.
C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.
A company needs to take an inventory of applications that are running on multiple Amazon EC2 instances. The company has configured users and roles with the appropriate permissions for AWS Systems Manager. An updated version of Systems Manager Agent has been installed and is running on every instance. While configuring an inventory collection, a SysOps administrator discovers that not all the instances in a single subnet are managed by Systems Manager. What must the SysOps administrator do to fix this issue?
A. Ensure that all the EC2 instances have the correct tags for Systems Manager access.
B. Configure AWS Identity and Access Management Access Analyzer to determine and automatically remediate the issue.
C. Ensure that all the EC2 instances have an instance profile with Systems Manager access.
D. Configure Systems Manager to use an interface VPC endpoint.
A company is running distributed computing software to manage a fleet of 20 Amazon EC2 instances for calculations. The fleet includes 2 control nodes and 18 task nodes to run the calculations. Control nodes can automatically start the task nodes. Currently, all the nodes run on demand. The control nodes must be available 24 hours a day, 7 days a week. The task nodes run for 4 hours each day. A SysOps administrator needs to optimize the cost of this solution. Which combination of actions will meet these requirements? (Choose two.)
A. Purchase EC2 Instance Savings Plans for the control nodes.
B. Use Dedicated Hosts for the control nodes.
C. Use Reserved Instances for the task nodes.
D. Use Spot Instances for the control nodes. Use On-Demand Instances if there is no Spot availability.
E. Use Spot Instances for the task nodes. Use On-Demand Instances if there is no Spot availability.
A company needs to monitor the disk utilization of Amazon Elastic Block Store (Amazon EBS) volumes. The EBS volumes are attached to Amazon EC2 Linux instances. A SysOps administrator must set up an Amazon CloudWatch alarm that provides an alert when disk utilization increases to more than 80%. Which combination of steps must the SysOps administrator take to meet these requirements? (Choose three.)
A. Create an IAM role that includes the CloudWatchAgentServerPolicy AWS managed policy. Attach the role to the instances.
B. Create an IAM role that includes the CloudWatchApplicationInsightsReadOnlyAccess AWS managed policy. Attach the role to the instances.
C. Install and start the CloudWatch agent by using AWS Systems Manager or the command line.
D. Install and start the CloudWatch agent by using an IAM role. Attach the CloudWatchAgentServerPolicy AWS managed policy to the role.
E. Configure a CloudWatch alarm to enter ALARM state when the disk_used_percent CloudWatch metric is greater than 80%.
F. Configure a CloudWatch alarm to enter ALARM state when the disk_used CloudWatch metric is greater than 80% or when the disk_free CloudWatch metric is less than 20%.
A SysOps administrator has an AWS CloudFormation template that is used to deploy an encrypted Amazon Machine Image (AMI). The CloudFormation template will be used in a second account so the SysOps administrator copies the encrypted AMI to the second account. When launching the new CloudFormation stack in the second account, it fails. Which action should the SysOps administrator take to correct the issue?
A. Change the AMI permissions to mark the AMI as public.
B. Deregister the AMI in the source account.
C. Re-encrypt the destination AMI with an AWS Key Management Service (AWS KMS) key from the destination account.
D. Update the CloudFormation template with the ID of the AMI in the destination account.
A company stores critical data in Amazon S3 buckets. A SysOps administrator must build a solution to record all S3 API activity. Which action will meet this requirement?
A. Configure S3 bucket metrics to record object access logs.
B. Create an AWS CloudTrail trail to log data events for all S3 objects.
C. Enable S3 server access logging for each S3 bucket.
D. Use AWS IAM Access Analyzer for Amazon S3 to store object access logs.
A SysOps administrator is using IAM credentials to try to upload a file to a customer's Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The SysOps administrator is receiving an AccessDenied message. Which combination of configuration changes will correct this problem? (Choose two.)
A. Add this IAM policy to the SysOps administrator user:
B. Add this IAM policy to the customer S3 bucket:
C. Add this IAM policy to the SysOps administrator user:
D. Add this IAM policy to the customer account root user:
E. Add this IAM policy to the SysOps administrator account root user:
A developer creates an AWS Lambda function that runs when an object is put into an Amazon S3 bucket. The function reformats the object and places the object back into the S3 bucket. During testing, the developer notices a recursive invocation loop. The developer asks a SysOps administrator to immediately stop the recursive invocations. What should the SysOps administrator do to stop the loop without errors?
A. Delete all the objects from the S3 bucket.
B. Set the function’s reserved concurrency to 0.
C. Update the S3 bucket policy to deny access for the function.
D. Publish a new version of the function.
A company has a multi-account environment. Account A has a production application that is hosted on an Amazon EC2 instance. The application needs to query data in an Amazon DynamoDB table that is hosted in Account B. A SysOps administrator needs to provide the EC2 instance in Account A with access to the DynamoDB table in Account B. What is the MOST secure solution that will meet these requirements?
A. Update the IAM policy that is attached to the EC2 instance’s IAM role to allow the dynamodb:Query permission on the DynamoDB table in Account B. Add a policy in Account A to allow the DynamoDB service principal to use the PassRole action to pass the role to Account B.
B. In Account B, create an IAM role that has permission to query the DynamoDB table. Add the EC2 instance’s IAM role to the trust policy on the newly created IAM role in Account B. Update the IAM policy that is attached to the EC2 instance’s IAM role to allow the sts:AssumeRole permission on the newly created IAM role in Account B.
C. Update the IAM policy that is attached to the EC2 instance’s IAM role to allow the dynamodb:Query permission on the DynamoDB table in Account B. Update the DynamoDB table’s resource policy to allow the query action from the EC2 instance’s IAM role.
D. In Account B, create a static IAM key that has the appropriate permissions to query the DynamoDB table. Embed these credentials into the credentials file on the EC2 instance. Reference the credentials every time the application needs to query the table.
A company is transitioning away from applications that are hosted on Amazon EC2 instances. The company wants to implement a serverless architecture that uses Amazon S3, Amazon API Gateway, AWS Lambda, and Amazon CloudFront. As part of this transition, the company has Elastic IP addresses that are unassociated with any EC2 instances after the EC2 instances are terminated. A SysOps administrator needs to automate the process of releasing all unassociated Elastic IP addresses that remain after the EC2 instances are terminated. Which solution will meet this requirement in the MOST operationally efficient way?
A. Activate the eip-attached AWS Config managed rule to run automatically when resource changes occur in the AWS account. Configure automatic remediation for the rule. Specify the AWS-ReleaseElasticIP AWS Systems Manager Automation runbook for remediation. Specify an appropriate role that has permission for the remediation.
B. Create a custom Lambda function that calls the EC2 ReleaseAddress API operation and specifies the Elastic IP address AllocationId. Invoke the Lambda function by using an Amazon EventBridge rule. Specify AWS services as the event source, All Events as the event type, and AWS Trusted Advisor as the target.
C. Create an Amazon EventBridge rule. Specify AWS services as the event source, Instance State-change Notification as the event type, and Amazon EC2 as the service. Invoke a Lambda function that extracts the Elastic IP address from the notification. Use AWS CloudFormation to release the address by specifying the AllocationId as an input parameter.
D. Create a custom Lambda function that calls the EC2 ReleaseAddress API operation and specifies the Elastic IP address AllocationId. Invoke the Lambda function by using an Amazon EventBridge rule. Specify AWS services as the event source, Instance State-change Notification as the event type, and Amazon EC2 as the service.
A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services. A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user's location. Which solution will meet these requirements?
A. Configure a Route 53 latency routing policy.
B. Configure a Route 53 multivalue answer routing policy.
C. Configure a Route 53 geolocation routing policy.
D. Configure a Route 53 IP-based routing policy.
A company has developed a service that is deployed on a fleet of Linux-based Amazon EC2 instances that are in an Auto Scaling group. The service occasionally fails unexpectedly because of an error in the application code. The company's engineering team determines that resolving the underlying cause of the service failure could take several weeks. A SysOps administrator needs to create a solution to automate recovery if the service crashes on any of the EC2 instances. Which solutions will meet this requirement? (Choose two.)
A. Install the Amazon CloudWatch agent on the EC2 instances. Configure the CloudWatch agent to monitor the service. Set the CloudWatch action to restart if the service health check fails.
B. Tag the EC2 instances. Create an AWS Lambda function that uses AWS Systems Manager Session Manager to log in to the tagged EC2 instances and restart the service. Schedule the Lambda function to run every 5 minutes.
C. Tag the EC2 instances. Use AWS Systems Manager State Manager to create an association that uses the AWS-RunShellScript document. Configure the association command with a script that checks if the service is running and that starts the service if the service is not running. For targets, specify the EC2 instance tag. Schedule the association to run every 5 minutes.
D. Update the EC2 user data that is specified in the Auto Scaling group’s launch template to include a script that runs on a cron schedule every 5 minutes. Configure the script to check if the service is running and to start the service if the service is not running. Redeploy all the EC2 instances in the Auto Scaling group with the updated launch template.
E. Update the EC2 user data that is specified in the Auto Scaling group’s launch template to ensure that the service runs during startup. Redeploy all the EC2 instances in the Auto Scaling group with the updated launch template.
A global company operates out of five AWS Regions. A SysOps administrator wants to identify all the company's tagged and untagged Amazon EC2 instances. The company requires the output to display the instance ID and tags. What is the MOST operationally efficient way for the SysOps administrator to meet these requirements?
A. Create a tag-based resource group in AWS Resource Groups.
B. Use AWS Trusted Advisor. Export the EC2 On-Demand Instances check results from Trusted Advisor.
C. Use Cost Explorer. Choose a service type of EC2-Instances, and group by Resource.
D. Use Tag Editor in AWS Resource Groups. Select all Regions, and choose a resource type of AWS::EC2::Instance.
A company deploys a new application to Amazon EC2 instances. The application code is stored in an AWS CodeCommit repository. The company uses an AWS CodePipeline pipeline to deploy the code to the EC2 instances through a continuous integration and continuous delivery (CI/CD) process. A SysOps administrator needs to ensure that sensitive database information is configured properly on the EC2 instances to prevent accidental leakage of credentials. Which solutions will store and retrieve the sensitive information in the MOST secure manner? (Choose two.)
A. Store the values in AWS Secrets Manager. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.
B. Store the values in AWS Systems Manager Parameter Store as secret strings. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.
C. Store the values in an AWS Lambda function. Update the code to invoke the Lambda function when the application starts. Configure the Lambda function to inject the values as environmental variables that the application can use.
D. Store the configuration information in a file on the EC2 instances. Ensure that the underlying drives are encrypted by AWS Key Management Service (AWS KMS). Update the application to read the file when the application starts. Store the values as environmental variables.
E. Store the values in a text file in an Amazon S3 bucket. In the CI/CD pipeline, copy the file to the EC2 instance in an appropriate location on a disk that the application can read.
Good luck with your SOA-C02 certification journey!