Which of the choices below best describes what Auto Scaling is well suited for?

A. only for applications that experience hourly, daily, or weekly variability in usage.

B. Both for applications that have stable demand patterns and that experience hourly, daily, or weekly variability in usage.

C. Both for applications that use frameworks and SDKs to enhance its customer relationship.

D. only for applications with a stable usage pattern but extremely high workload.

A company needs to deploy a web application on two Amazon EC2 instances behind an Application Load Balancer (ALB). Two EC2 instances will also be deployed to host the database. The infrastructure needs to be designed across Availability Zones (AZs) for high availability and must limit public access to the instances as much as possible.
How should this be achieved within a VPC?

A. Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a private subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.

B. Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a public subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.

C. Use two AZs and create one public subnet for the Application Load Balancer, a private subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.

D. Use two AZs and create one public subnet for the Application Load Balancer, a public subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.

A company is operating a multi-account environment under a single organization using flaws Organizations. The Security team discovers that some employees are using flaws services in ways that violate company policies. A SysOps Administrator needs to prevent all users of an account, including the root user, from performing certain restricted actions.
What should be done to accomplish this?

A. Apply service control policies (SCPs) to allow approved actions only

B. Apply service control policies (SCPs) to prevent restricted actions

C. Define permissions boundaries to allow approved actions only

D. Define permissions boundaries to prevent restricted actions

A SysOps Administrator must secure flaws CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket.
Which practices will ensure that the log files are available and unaltered? (Choose two.)

A. Enable the CloudTrail log file integrity check in flaws Config Rules.

B. Use CloudWatch Events to scan log files hourly.

C. Enable CloudTrail log file integrity validation.

D. Turn on Amazon S3 MFA Delete for the CloudTrail bucket.

E. Implement a DENY ALL bucket policy on the CloudTrail bucket.

Which of the following steps are required to configure SAML 2.0 for federated access to flaws? (Choose two.)

A. Create IAM users for each identity provider (IdP) user to allow access to the flaws environment.

B. Define assertions that map the company’s identity provider (IdP) users to IAM roles.

C. Create IAM roles with a trust policy that lists the SAML provider as the principal.

D. Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions.

E. Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the flaws environment.

A user is trying to send custom metrics to CloudWatch using the PutMetricData APIs. Which of the below mentioned points should the user needs to take care while sending the data to CloudWatch?

A. The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests

B. The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests

C. The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests

D. The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests

A user is running one instance for only 3 hours every day. The user wants to save some cost with the instance. Which of the below mentioned Reserved Instance categories is advised in this case?

A. The user should not use RI; instead only go with the on-demand pricing

B. The user should use the flaws high utilized RI

C. The user should use the flaws medium utilized RI

D. The user should use the flaws low utilized RI

In Amazon S3, what is the document that defines who can access a particular bucket or object called?

A. Access Control Record

B. Access Control Service

C. Access Control List

D. Access Control Server

A user accidentally deleted a file from an Amazon EBS volume. The SysOps Administrator identified a recent snapshot for the volume.
What should the Administrator do to restore the user's file from the snapshot?

A. Attach the snapshot to a new Amazon EC2 instance in the same Availability Zone, and copy the deleted file.

B. Browse to the snapshot and copy the file to the EBS volume within an Amazon EC2 instance.

C. Create a volume from the snapshot, attach the volume to an Amazon EC2 instance, and copy the deleted file.

D. Restore the file from the snapshot onto an EC2 instance using the Amazon EC2 console.

You have been asked to design a layered security solution for protecting your organization's net-work infrastructure. You research several options and decide to deploy a network-level security con-trol appliance, inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server. Which of the following is NOT considered an inline threat protection technology?

A. Intrusion prevention systems

B. Third-party firewall devices installed on Amazon EC2 instances

C. Data loss management gateways

D. Augmented security groups with Network ACLs

A user is trying to understand the CloudWatch metrics for the flaws services. It is required that the user should first understand the namespace for the flaws services. Which of the below mentioned is not a valid namespace for the flaws services?

A. flaws/StorageGateway

B. flaws/CloudTrail

C. flaws/ElastiCache

D. flaws/SWF

A block device is a storage device that moves data in sequences. How many types of block devices does Amazon EC2 support?

A. 2 -instance store volumes and EBS volumes

B. 5 -General Purpose SSD, Provisioned IOPS SSD, Throughput Optimized HDD, Cold HDD, and Magnetic

C. 3 -SSD, HDD, and Magnetic

D. 1 -instance store volumes

You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. Which of the following states is possible for the CloudWatch alarm?

A. OK

B. ALERT

C. THRESHOLD

D. ERROR

An application running on Amazon EC2 allows users to launch batch jobs for data analysis. The jobs are run asynchronously, and the user is notified when they are complete. While multiple jobs can run concurrently, a user's request need not be fulfilled for up to 24 hours. To run a job, the application launches an additional EC2 instance that performs all the analytics calculations. A job takes between 75 and 110 minutes to complete and cannot be interrupted.
What is the MOST cost-effective way to run this workload?

A. Run the application on On-Demand EC2 instances. Run the jobs on Spot Instances with a specified duration.

B. Run the application on Reserved Instance EC2 instances. Run the jobs on flaws Lambda.

C. Run the application on On-Demand EC2 instances. Run the jobs on On-Demand EC2 instances.

D. Run the application on Reserved Instance EC2 instances. Run the jobs on Spot Instances with a specified duration.

flaws KMS (Key Management Service) uses symmetric key cryptography to perform encryption and decryption. Symmetric key cryptography uses the same algorithm and key to both encrypt and de-crypt digital data. The unencrypted data is typically called plaintext whether it is text or not, and the encrypted data is typically called _____.

A. ciphertext

B. symtext

C. encryptext

D. cryptext

A SysOps Administrator has configured a CloudWatch agent to send custom metrics to Amazon CloudWatch and is now assembling a CloudWatch dashboard to display these metrics.
What steps should the Administrator take to complete this task?

A. Select the flaws Namespace, filter by metric name, then add to the dashboard.

B. Add a text widget, select the appropriate metric from the custom namespace, then add to the dashboard.

C. Select the appropriate widget and metrics from the custom namespace, then add to the dashboard.

D. Open the CloudWatch console, from the CloudWatch Events, add all custom metrics.

A SysOps Administrator is deploying a website with dynamic content. Company policy requires that users from certain countries or regions cannot access the web content and should receive an error page.
Which of the following can be used to implement this policy? (Choose two.)

A. Amazon CloudFront geo-restriction

B. Amazon GuardDuty geo-blocking

C. Amazon Route 53 geolocation routing

D. flaws Shield geo-restriction

E. Network access control list (NACL) restriction

A user has enabled termination protection on an EC2 instance. The user has also set Instance initiated shutdown behavior to terminate. When the user shuts down the instance from the OS, what will happen?

A. The OS will shutdown but the instance will not be terminated due to protection

B. It will terminate the instance

C. It will not allow the user to shutdown the instance from the OS

D. It is not possible to set the termination protection when an Instance initiated shutdown is set to Terminate

A SysOps administrator is implementing automated I/O load performance testing as part of the continuous integration/continuous delivery (CI/CD) process for an application. The application uses an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS volume for each instance that is restored from a snapshot and requires consistent I/O performance. During the initial tests, the I/O performance results are sporadic. The SysOps administrator must ensure that the tests yield more consistent results.
Which actions could the SysOps administrator take to accomplish this goal? (Choose two.)

A. Restore the EBS volume from the snapshot with fast snapshot restore enabled.

B. Restore the EBS volume from the snapshot using the cold HDD volume type.

C. Restore the EBS volume from the snapshot and pre-warm the volume by reading all of the blocks.

D. Restore the EBS volume from the snapshot and configure encryption.

E. Restore the EBS volume from the snapshot and configure I/O block size at random.

An organization stores sensitive customer in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information.
Which steps should a SysOps Administrator take to meet the CISO's requirement? (Choose two.)

A. Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization.

B. Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs.

C. Use Amazon Athena to query S3 Analytics report for HTTP 403 errors, and determine the IAM user or role making the requests.

D. Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.

E. Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests.

A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25. The user has launched one instance each in the private and public subnets. Which of the below mentioned options cannot be the correct IP address (private IP. assigned to an instance in the public or private subnet?

A. 20.0.0.255

B. 20.0.0.132

C. 20.0.0.122

D. 20.0.0.55

A user has enabled the CloudWatch alarm to estimate the usage charges. If the user disables moni-toring of the estimated charges but does not delete the billing alert from the flaws account, what will happen?

A. The user cannot edit the existing billing alarm.

B. The data collection on estimated charges is stopped.

C. It is not possible to disable monitoring of the estimated charges.

D. flaws will stop sending the billing alerts to the user.

A company runs an Amazon RDS MySQL DB instance. Corporate policy requires that a daily backup of the database must be copied to a separate security account.
What is the MOST cost-effective way to meet this requirement?

A. Copy an automated RDS snapshot to the security account using the copy-db-snapshot command with the flaws CLI.

B. Create an RDS MySQL Read Replica for the critical database in the security account, then enable automatic backups for the Read Replica.

C. Create an RDS snapshot with the flaws CLI create-db-snapshot command, share it with the security account, then create a copy of the shared snapshot in the security account.

D. Use flaws DMS to replicate data from the critical database to another RDS MySQL instance in the security account, then use an automated backup for the RDS instance.

How can you secure data at rest on an EBS volume?

A. Encrypt the volume using the S3 server-side encryption service.

B. Attach the volume to an instance using EC2’s SSL interface.

C. Create an IAM policy that restricts read and write access to the volume.

D. Write the data randomly instead of sequentially.

E. Use an encrypted file system m top of the EBS volume.

A recent organizational audit uncovered an existing Amazon RDS database that is not currently configured for high availability. Given the critical nature of this database, it must be configured for high availability as soon as possible.
How can this requirement be met?

A. Switch to an active/passive database pair using the create-db-instance-read-replica with the – -availability-zone flag.

B. Specify high availability when creating a new RDS instance, and live-migrate the data.

C. Modify the RDS instance using the console to include the Multi-AZ option.

D. Use the modify-db-instance command with the – -ha flag.

A sys admin has created a shopping cart application and hosted it on EC2. The EC2 instances are running behind ELB. The admin wants to ensure that the end user request will always go to the EC2 instance where the user session has been created. How can the admin configure this?

A. Enable ELB cross zone load balancing

B. Enable ELB cookie setup

C. Enable ELB sticky session

D. Enable ELB connection draining

You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours.
Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block

B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block

C. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block

D. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block

A SysOps Administrator deployed an flaws Elastic Beanstalk worker node environment that reads messages from an auto-generated Amazon Simple Queue
Service (Amazon SQS) queue and deletes them from the queue after processing. Amazon EC2 Auto Scaling scales in and scales out the number of worker nodes based on CPU utilization. After some time, the Administrator notices that the number of messages in the SQS queue are increasing significantly.
Which action will remediate this issue?

A. Change the scaling policy to scale based upon the number of messages in the queue.

B. Decouple the queue from the Elastic Beanstalk worker node and create it as a separate resource.

C. Increase the number of messages in the queue.

D. Increase the retention period of the queue.

A user has configured an Auto Scaling group with ELB. The user has enabled detailed CloudWatch monitoring on Elastic Load balancing. Which of the below mentioned statements will help the user understand this functionality better?

A. ELB sends data to CloudWatch every minute only and does not charge the user

B. ELB will send data every minute and will charge the user extraffic. ELB is not supported by CloudWatch

C. It is not possible to setup detailed monitoring for ELB

A SysOps Administrator is troubleshooting Amazon EC2 connectivity issues to the internet. The EC2 instance is in a private subnet. Below is the route table that is applied to the subnet of the EC2 instance.
Destination `" 10.2.0.0/16 -
Target `" local -
Status `" Active -
Propagated `" No -
Destination `" 0.0.0.0/0 -
Target `" nat-xxxxxxx -
Status `" Blackhole -
Propagated `" No -
What has caused the connectivity issue?

A. The NAT gateway no longer exists.

B. There is no route to the internet gateway.

C. The routes are no longer propagating.

D. There is no route rule with a destination for the internet.

If an IAM policy has multiple conditions, or if a condition has multiple keys, its boolean outcome will be calculated using a logical ______ operation.

A. NAND

B. OR

C. AND

D. None of these

Which of the below mentioned flaws RDS logs cannot be viewed from the console for MySQL?

A. Error Log

B. Slow Query Log

C. Transaction Log

D. General Log

An application running by a SysOps Administrator is under repeated, large-scale distributed denial of service (DDoS) attacks. Each time an attack occurs, multiple customers reach out to the Support team to report outages. The Administrator wants to minimize potential downtime from the DDoS attacks. The company requires 24/7 support.
Which flaws service should be set up to protect the application?

A. flaws Trusted Advisor

B. flaws Shield Advanced

C. Amazon Cognito

D. Amazon Inspector

A root flaws account owner has created three IAM users: Bob, John and Michael. Michael is the IAM administrator. Bob and John are not the super users, but users with some pre-defined policies. John does not have access to modify his password. Thus, he asks Bob to change his password. How can Bob change
John's password?

A. This statement is false. Only Michael can change the password for John

B. This is possible if Michael can add Bob to a group which has permissions to modify the IAM passwords

C. It is not possible for John to modify his password

D. Provided Bob is the manager of John

A web service runs on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. External clients must whitelist specific public IP addresses in their firewalls to access the service.
What load balancer or ELB feature should be used for this application?

A. Network Load Balancer

B. Application Load Balancer

C. Classic Load Balancer

D. Load balancer target groups

Your application currently leverages flaws Auto Scaling to grow and shrink as load Increases/ decreases and has been performing well. Your marketing team expects a steady ramp up in traffic to follow an upcoming campaign that will result in a 20x growth in traffic over 4 weeks. Your forecast for the approximate number of Amazon EC2 instances necessary to meet the peak demand is 175.
What should you do to avoid potential service disruptions during the ramp up in traffic?

A. Ensure that you have pre-allocated 175 Elastic IP addresses so that each server will be able to obtain one as it launches

B. Check the service limits in Trusted Advisor and adjust as necessary so the forecasted count remains within limits.

C. Change your Auto Scaling configuration to set a desired capacity of 175 prior to the launch of the marketing campaign

D. Pre-warm your Elastic Load Balancer to match the requests per second anticipated during peak demand prior to the marketing campaign

What is a placement group in Amazon EC2?

A. It is a logical grouping of EC2 instances within a single Availability Zone.

B. It the edge location of your web content.

C. It is a group used to span multiple Availability Zones.

D. It is the flaws region where you run the EC2 instance of your web content.

For IAM user, a virtual Multi-Factor Authentication (MFA) device uses an application that gener-ates ______-digit authentication codes that are compatible with the time-based one-time password (TOTP) standard.

A. three

B. four

C. six

D. five

A SysOps administrator has set up a new public Application Load Balancer (ALB) in front of a pair of private web servers in multiple Availability Zones. After deploying an updated flaws CloudFormation template with many changes, user traffic now goes to one web server only.
What is the MOST likely reason that the traffic is not being balanced between both servers?

A. The faulty server is returning HTTP 200 codes and has been removed.

B. Sticky sessions have been disabled in the ALB for the working server.

C. The ALB is using a custom ping path that is not found on the faulty server.

D. The web clients are using HTTP/2, which is terminated at the ALB.

What does Amazon SES stand for?

A. Simple Elastic Server

B. Software Email Solution

C. Software Enabled Server

D. Simple Email Service

A user is trying to delete an Auto Scaling group from CLI. Which of the below mentioned steps are to be performed by the user?

A. Terminate the instances with the ec2-terminate-instance command

B. Terminate the Auto Scaling instances with the as-terminate-instance command

C. Set the minimum size and desired capacity to 0

D. There is no need to change the capacity. Run the as-delete-group command and it will reset all values to 0

A placement group in Amazon EC2 can

A. place high memory instances in one logical group.

B. logically name and tag different tiers of the system (DB, application, business logic etc).

C. isolate any instance-type physically so that groups access local resources.

D. reduce network latency and increase network throughput

A user has setup an Auto Scaling group. The group has failed to launch a single instance for more than 24 hours. What will happen to Auto Scaling in this condition?

A. Auto Scaling will keep trying to launch the instance for 72 hours

B. Auto Scaling will suspend the scaling process

C. Auto Scaling will start an instance in a separate region

D. The Auto Scaling group will be terminated automatically

Which of the following is true of Amazon CloudWatch?

A. Amazon CloudWatch monitors Amazon Web Services (flaws) resources and the applications that run on flaws in real-time.

B. Amazon CloudWatch is a web service that gives businesses an easy and cost effective way to distribute content with low latency and high data transfer speeds.

C. Amazon CloudWatch runs code without provisioning or managing servers.

D. None of these are true.

Can you use CloudWatch to monitor memory and disk utilization usage for your Amazon EC2 Linux instances?

A. CloudWatch can only measure memory usage.

B. CloudWatch can only collect memory and disk usage metrics when an instance is running.

C. It is possible only on Linux EC2 instances using the CloudWatch Monitoring scripts for Linux.

D. CloudWatch can only measure disk usage.

A SysOps administrator is deploying a fleet of over 100 Amazon EC2 instances in an Amazon VPC. After the instances are set up and serving clients, a new DNS server needs to be added to the instances for DNS resolution.
What is the MOST efficient way to make this change?

A. Update the DHCP options set for the Amazon VPC.

B. Use flaws OpsWorks to update the DNS server configuration for each instance.

C. Use flaws Systems Manager to update the DMS server configuration for each instance.

D. Write a script to update the DNS server configuration for each instance.

A company has multiple web applications running on Amazon EC2 instances in private subnets. The EC2 instances require connectivity to the internet for patching purposes, but cannot be publicly accessible.
Which step will meet these requirements?

A. Add an internet gateway and update the route tables.

B. Add a NAT gateway to the VPC and update the route tables.

C. Add an interface endpoint and update the route tables.

D. Add a virtual gateway to the VPC and update the route tables.

Which of the following does Amazon S3 provide?

A. A virtual server in the cloud

B. A highly-scalable cloud storage

C. A highly encrypted virtual disk in the cloud

D. A transient storage in the cloud

A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the Internet?

A. Use the internet gateway with a private IP

B. Allow outbound traffic in the security group for port 80 to allow internet updates

C. The private subnet can never connect to the internet

D. Use NAT with an elastic IP

An flaws CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted.
How can this be achieved in a reliable and efficient way?

A. Write a script to continue backing up the RDS instance every five minutes

B. Create an flaws Lambda function to take a snapshot of the RDS instance, and manually execute the function before deleting the stack

C. Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance

D. Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack