SOA-C02 Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your SOA-C02 certification exam? Start your preparation the smart way with our SOA-C02 Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free mock test for the SOA-C02 exam is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our SOA-C02 Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
A SysOps administrator is optimizing the cost of a workload. The workload is running in multiple AWS Regions and is using AWS Lambda with Amazon EC2 On-Demand Instances for the compute. The overall usage is predictable. The amount of compute that is consumed in each Region varies, depending on the users' locations. Which approach should the SysOps administrator use to optimize this workload?
A. Purchase Compute Savings Plans based on the usage during the past 30 days.
B. Purchase Convertible Reserved Instances by calculating the usage baseline.
C. Purchase EC2 Instance Savings Plans based on the usage during the past 30 days.
D. Purchase Standard Reserved Instances by calculating the usage baseline.
A SysOps administrator migrates NAT instances to NAT gateways. After the migration, an application that is hosted on Amazon EC2 instances in a private subnet cannot access the internet. Which of the following are possible reasons for this problem? (Choose two.)
A. The application is using a protocol that the NAT gateway does not support.
B. The NAT gateway is not in a security group.
C. The NAT gateway is in an unsupported Availability Zone.
D. The NAT gateway is not in the Available state.
E. The port forwarding settings do not allow access to internal services from the internet.
A company runs a worker process on three Amazon EC2 instances. The instances are in an Auto Scaling group that is configured to use a simple scaling policy. The instances process messages from an Amazon Simple Queue Service (Amazon SQS) queue. Random periods of increased messages are causing a decrease in the performance of the worker process. A SysOps administrator must scale the instances to accommodate the increased number of messages. Which solution will meet these requirements?
A. Use CloudWatch to create a metric math expression to calculate the approximate age of the oldest message in the SQS queue. Create a target tracking scaling policy for the metric math expression to modify the Auto Scaling group.
B. Use CloudWatch to create a metric math expression to calculate the approximate number of messages visible in the SQS queue for each instance. Create a target tracking scaling policy for the metric math expression to modify the Auto Scaling group.
C. Create an Application Load Balancer (ALB). Attach the ALB to the Auto Scaling group. Create a target tracking scaling policy for the ALBRequestCountPerTarget metric to modify the Auto Scaling group.
D. Create an Application Load Balancer (ALB). Attach the ALB to the Auto Scaling group. Create a scheduled scaling policy for the Auto Scaling group.
A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months. What is the process to rotate the key?
A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
C. Delete the current key material, and import new material into the existing CMK.
D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
A SysOps administrator is designing a solution for an Amazon RDS for PostgreSQL DB instance. Database credentials must be stored and rotated monthly. The applications that connect to the DB instance send write-intensive traffic with variable client connections that sometimes increase significantly in a short period of time. Which solution should a SysOps administrator choose to meet these requirements?
A. Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS Proxy to handle the increases in database connections.
B. Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS read replicas to handle the increases in database connections.
C. Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS Proxy to handle the increases in database connections.
D. Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS read replicas to handle the increases in database connections.
A SysOps administrator needs to create a report that shows how many bytes are sent to and received from each target group member for an Application Load Balancer (ALB). Which combination of steps should the SysOps administrator take to meet these requirements? (Choose two.)
A. Enable access logging for the ALB. Save the logs to an Amazon S3 bucket.
B. Install the Amazon CloudWatch agent on the instances in the target group.
C. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the target port field.
D. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the client port field.
E. Create an Amazon CloudWatch dashboard that shows the Sum statistic of the ProcessedBytes metric for the ALB.
A company is planning to host an application on a set of Amazon EC2 instances that are distributed across multiple Availability Zones. The application must be able to scale to millions of requests each second. A SysOps administrator must design a solution to distribute the traffic to the EC2 instances. The solution must be optimized to handle sudden and volatile traffic patterns while using a single static IP address for each Availability Zone. Which solution will meet these requirements?
A. Amazon Simple Queue Service (Amazon SQS) queue
B. Application Load Balancer
C. AWS Global Accelerator
D. Network Load Balancer
A SysOps administrator receives an alert that a production Auto Scaling group has been scaled down to two Amazon EC2 instances. The Auto Scaling group was originally configured with a minimum capacity of three instances. However, the SysOps administrator confirms that the configuration now reflects a minimum capacity of two instances. Which AWS service will help identify who made the change?
A. AWS Config
B. Amazon Inspector
C. Amazon Macie
D. Amazon CloudWatch Logs
A company’s SysOps administrator regularly checks the AWS Personal Health Dashboard in each of the company’s accounts. The accounts are part of an organization in AWS Organizations. The company recently added 10 more accounts to the organization. The SysOps administrator must consolidate the alerts from each account’s Personal Health Dashboard. Which solution will meet this requirement with the LEAST amount of effort?
A. Enable organizational view in AWS Health.
B. Configure the Personal Health Dashboard in each account to forward events to a central AWS CloudTrail log.
C. Create an AWS Lambda function to query the AWS Health API and to write all events to an Amazon DynamoDB table.
D. Use the AWS Health API to write events to an Amazon DynamoDB table.
A company is experiencing issues with legacy software running on Amazon EC2 instances. Errors occur when the total CPU utilization on the EC2 instances exceeds 80%. A short-term solution is required while the software is being rewritten. A SysOps administrator is tasked with creating a solution to restart the instances when the CPU utilization rises above 80%. Which solution meets these requirements with the LEAST operational overhead?
A. Write a script that monitors the CPU utilization of the EC2 instances and reboots the instances when utilization exceeds 80%. Run the script as a cron job.
B. Add an Amazon CloudWatch alarm for CPU utilization and configure the alarm action to reboot the EC2 instances.
C. Create an Amazon EventBridge rule using the predefined patterns for CPU utilization of the EC2 instances. When utilization exceeds 80%, invoke an AWS Lambda function to restart the instances.
D. Add an Amazon CloudWatch alarm for CPU utilization and configure an AWS Systems Manager Automation runbook to reboot the EC2 instances when utilization exceeds 80%.
A SysOps administrator maintains the security and compliance of a company's AWS account. To ensure the company's Amazon EC2 instances are following company policy, a SysOps administrator wants to terminate any EC2 instances that do not contain a department tag. Noncompliant resources must be terminated in near-real time. Which solution will meet these requirements?
A. Create an AWS Config rule with the required-tags managed rule to identify noncompliant resources. Configure automatic remediation to run the AWS-TerminateEC2Instance automation document to terminate noncompliant resources.
B. Create a new Amazon EventBridge (Amazon CloudWatch Events) rule to monitor when new EC2 instances are created. Send the event to an Amazon Simple Notification Service (Amazon SNS) topic for automatic remediation.
C. Ensure all users who can create EC2 instances also have the permissions to use the ec2:CreateTags and ec2:DescribeTags actions. Change the instance’s shutdown behavior to terminate.
D. Ensure AWS Systems Manager Compliance is configured to manage the EC2 instances. Call the AWS-StopEC2Instances automation document to stop noncompliant resources.
A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video files into the destination S3 bucket in the United States. What are the MOST cost effective ways to increase upload speeds into the S3 bucket? (Choose two.)
A. Create multiple AWS Direct Connect connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
B. Create multiple AWS Site-to-Site VPN connections between AWS and branch offices in Europe and Australia for file uploads into the destination S3 bucket.
C. Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket.
D. Use AWS Global Accelerator for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
E. Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia.
An ecommerce company uses an Amazon ElastiCache for Memcached cluster for in-memory caching of popular product queries on the shopping site. When viewing recent Amazon CloudWatch metrics data for the ElastiCache cluster, the SysOps administrator notices a large number of evictions. Which of the following actions will reduce these evictions? (Choose two.)
A. Add an additional node to the ElastiCache cluster.
B. Increase the ElastiCache time to live (TTL).
C. Increase the individual node size inside the ElastiCache cluster.
D. Put an Elastic Load Balancer in front of the ElastiCache cluster.
E. Use Amazon Simple Queue Service (Amazon SQS) to decouple the ElastiCache cluster.
A company’s customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps administrator observed a very high rate of read operations on a particular S3 bucket. What will minimize latency by reducing load on the S3 bucket?
A. Migrate the S3 bucket to a region that is closer to end users’ geographic locations.
B. Use cross-region replication to replicate all of the data to another region.
C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.
D. Use Amazon ElastiCache to cache data being served from Amazon S3.
A company recently deployed an application in production. The production environment currently runs on a single Amazon EC2 instance that hosts the application's web application and a MariaDB database. Company policy states that all IT production environments must be highly available. What should a SysOps administrator do to meet this requirement?
A. Migrate the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Run the application on EC2 instances that are in an Auto Scaling group that extends across multiple Availability Zones. Place the EC2 instances behind a load balancer.
B. Migrate the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Use AWS Application Migration Service to convert the application into an AWS Lambda function. Specify the Multi-AZ option for the Lambda function.
C. Copy the database to a different EC2 instance in a different Availability Zone. Use AWS Backup to create Amazon Machine Images (AMIs) of the application EC2 instance and the database EC2 instance. Create an AWS Lambda function that performs health checks every minute. In case of failure, configure the Lambda function to launch a new EC2 instance from the AMIs that AWS Backup created.
D. Migrate the database to a different EC2 instance. Place the application EC2 instance in an Auto Scaling group that extends across multiple Availability Zones. Create an Amazon Machine Image (AMI) from the database EC2 instance. Use the AMI to launch a second database EC2 instance in a different Availability Zone. Put the second database EC2 instance in the stopped state. Use the second database EC2 instance as a standby.
A SysOps administrator creates two VPCs, VPC1 and VPC2, in a company’s AWS account. The SysOps administrator deploys a Linux Amazon EC2 instance in VPC1 and deploys an Amazon RDS for MySQL DB instance in VPC2. The DB instance is deployed in a private subnet. An application that runs on the EC2 instance needs to connect to the database. What should the SysOps administrator do to give the EC2 instance the ability to connect to the database?
A. Enter the DB instance connection string into the VPC1 route table.
B. Configure VPC peering between the two VPCs.
C. Add the same IPv4 CIDR range for both VPCs.
D. Connect to the DB instance by using the DB instance’s public IP address.
A SysOps administrator needs to provision a new fleet of Amazon EC2 Spot Instances in an Amazon EC2 Auto Scaling group. The Auto Scaling group will use a wide range of instance types. The configured fleet must come from pools that have the most availability for the number of instances that are launched. Which solution will meet these requirements?
A. Launch the Spot Instances up to the maximum capacity of the Auto Scaling group.
B. Launch the Spot Instances by using the diversified strategy.
C. Launch the Spot Instances by using the capacity optimized strategy.
D. Use the Spot Instance advisor to help determine the best Spot allocation strategy.
A company is expanding its use of AWS services across its portfolios. The company wants to provision AWS accounts for each team to ensure a separation of business processes for security, compliance, and billing. Account creation and bootstrapping should be completed in a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place. A SysOps administrator needs to design a provisioning process that saves time and resources. Which action should be taken to meet these requirements?
A. Automate using AWS Elastic Beanstalk to provision the AWS accounts, set up infrastructure, and integrate with AWS Organizations.
B. Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure.
C. Use AWS Config to provision accounts and deploy instances using AWS Service Catalog.
D. Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts.
A company deploys a new application on three Amazon EC2 instances across three Availability Zones. The company uses a Network Load Balancer (NLB) to route traffic to the EC2 instances. A SysOps administrator must implement a solution so that the EC2 instances allow traffic from only the NLB. What should the SysOps administrator do to meet these requirements with the LEAST operational overhead?
A. Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB.
B. Configure the security group that is associated with the EC2 instances to allow traffic from only the elastic network interfaces that are associated with the NLB.
C. Create a network ACL. Associate the network ACL with the application subnets. Configure the network ACL to allow inbound traffic from only the CIDR ranges of the NLB.
D. Use a third-party firewall solution that is installed on a separate EC2 instance. Configure a firewall rule that allows traffic to the application’s EC2 instances from only the subnets where the NLB is deployed.
A SysOps administrator must create a solution that immediately notifies software developers if an AWS Lambda function experiences an error. Which solution will meet this requirement?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic with an email subscription for each developer. Create an Amazon CloudWatch alarm by using the Errors metric and the Lambda function name as a dimension. Configure the alarm to send a notification to the SNS topic when the alarm state reaches ALARM.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic with a mobile subscription for each developer. Create an Amazon EventBridge (Amazon CloudWatch Events) alarm by using the LambdaError as the event pattern and the SNS topic name as a resource. Configure the alarm to send a notification to the SNS topic when the alarm state reaches ALARM.
C. Verify each developer email address in Amazon Simple Email Service (Amazon SES). Create an Amazon CloudWatch rule by using the LambdaError metric and developer email addresses as dimensions. Configure the rule to send an email through Amazon SES when the rule state reaches ALARM.
D. Verify each developer mobile phone in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge (Amazon CloudWatch Events) rule by using Error as the event pattern and the Lambda function name as a resource. Configure the rule to send a push notification through Amazon SES when the rule state reaches ALARM.
A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts. Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.
B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.
C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
A SysOps administrator has an Amazon S3 website and wants to restrict access to a single Amazon CloudFront distribution. Visitors to the website should not be able to circumvent CloudFront or view the S3 website directly from the bucket. Which AWS service or feature will meet these requirements?
A. S3 bucket ACL
B. AWS Firewall Manager
C. Amazon Route 53 private hosted zone
D. Origin access identity (OAI)
A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources. Which solution will meet these requirements?
A. Set up an AWS Config rule to alert based on changes to any CloudFormation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
B. Set up an Amazon EventBridge event with a rule to initiate based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
C. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*.
D. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource Names (ARNs) of the protected resources.
A manufacturing company uses an Amazon RDS DB instance to store inventory of all stock items. The company maintains several AWS Lambda functions that interact with the database to add, update, and delete items. The Lambda functions use hardcoded credentials to connect to the database. A SysOps administrator must ensure that the database credentials are never stored in plaintext and that the password is rotated every 30 days. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Store the database password as an environment variable for each Lambda function. Create a new Lambda function that is named PasswordRotate. Use Amazon EventBridge to schedule the PasswordRotate function every 30 days to change the database password and update the environment variable for each Lambda function.
B. Use AWS Key Management Service (AWS KMS) to encrypt the database password and to store the encrypted password as an environment variable for each Lambda function. Grant each Lambda function access to the KMS key so that the database password can be decrypted when required. Create a new Lambda function that is named PasswordRotate to change the password every 30 days.
C. Use AWS Secrets Manager to store credentials for the database. Create a Secrets Manager secret, and select the database so that Secrets Manager will use a Lambda function to update the database password automatically. Specify an automatic rotation schedule of 30 days. Update each Lambda function to access the database password from Secrets Manager.
D. Use AWS Systems Manager Parameter Store to create a secure string to store credentials for the database. Create a new Lambda function called PasswordRotate. Use Amazon EventBridge to schedule the PasswordRotate function every 30 days to change the database password and to update the secret within Parameter Store. Update each Lambda function to access the database password from Parameter Store.
A company needs to view a list of security groups that are open to the internet on port 3389. What should a SysOps administrator do to meet this requirement?
A. Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.
B. Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389.
C. Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.
D. Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.
A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin. The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution. What should a SysOps administrator do to resolve this problem?
A. Examine the expiration date on the certificate on the origin site. Validate that the certificate has not expired. Replace the certificate if necessary.
B. Examine the hostname on the certificate on the origin site. Validate that the hostname matches one of the hostnames on the CloudFront distribution. Replace the certificate if necessary.
C. Examine the firewall rules that are associated with the origin server. Validate that port 443 is open for inbound traffic from the internet. Create an inbound rule if necessary.
D. Examine the network ACL rules that are associated with the CloudFront distribution. Validate that port 443 is open for outbound traffic to the origin server. Create an outbound rule if necessary.
A company is running Amazon EC2 On-Demand Instances in an Auto Scaling group. The instances process messages from an Amazon Simple Queue Service (Amazon SQS) queue. The Auto Scaling group is set to scale based on the number of messages in the queue. Messages can take up to 12 hours to process completely. A SysOps administrator must ensure that instances are not interrupted during message processing. What should the SysOps administrator do to meet these requirements?
A. Enable instance scale-in protection for the specific instance in the Auto Scaling group at the start of message processing by calling the Amazon EC2 Auto Scaling API from the processing script. Disable instance scale-in protection after message processing is complete by calling the Amazon EC2 Auto Scaling API from the processing script.
B. Set the Auto Scaling group’s termination policy to OldestInstance.
C. Set the Auto Scaling group’s termination policy to OldestLaunchConfiguration.
D. Suspend the Launch and Terminate scaling processes for the specific instance in the Auto Scaling group at the start of message processing by calling the Amazon EC2 Auto Scaling API from the processing script. Resume the scaling processes after message processing is complete by calling the Amazon EC2 Auto Scaling API from the processing script.
An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application. What is the MOST scalable storage solution to fulfill this requirement?
A. Connect a large Amazon EBS volume to multiple instances and schedule snapshots.
B. Deploy Amazon EFS in the VPC and create mount targets in multiple subnets.
C. Launch an EC2 instance and share data using SMB/CIFS or NFS.
D. Deploy an AWS Storage Gateway cached volume on Amazon EC2.
A company has a public web application that experiences rapid traffic increases after advertisements appear on local television. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The Auto Scaling group is not keeping up with the traffic surges after an advertisement runs. The company often needs to scale out to 100 EC2 instances during the traffic surges. The instance startup times are lengthy because of a boot process that creates machine-specific data caches that are unique to each instance. The exact timing of when the advertisements will appear on television is not known. A SysOps administrator must implement a solution so that the application can function properly during the traffic surges. Which solution will meet these requirements?
A. Create a warm pool. Keep enough instances in the Stopped state to meet the increased demand.
B. Start 100 instances. Allow the boot process to finish running. Store this data on the instance store volume before stopping the instances.
C. Increase the value of the instance warmup time in the scaling policy.
D. Use predictive scaling for the Auto Scaling group.
A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded; however, upon navigating to the site, the following error message is received: 403 Forbidden - Access Denied. What change should be made to fix this error?
A. Add a bucket policy that grants everyone read access to the bucket.
B. Add a bucket policy that grants everyone read access to the bucket objects.
C. Remove the default bucket policy that denies read access to the bucket.
D. Configure cross-origin resource sharing (CORS) on the bucket.
A company is implementing a monitoring solution that is based on machine learning. The monitoring solution consumes Amazon EventBridge (Amazon CloudWatch Events) events that are generated by Amazon EC2 Auto Scaling. The monitoring solution provides detection of anomalous behavior such as unanticipated scaling events and is configured as an EventBridge (CloudWatch Events) API destination. During initial testing, the company discovers that the monitoring solution is not receiving events. However, Amazon CloudWatch is showing that the EventBridge (CloudWatch Events) rule is being invoked. A SysOps administrator must implement a solution to retrieve client error details to help resolve this issue. Which solution will meet these requirements with the LEAST operational effort?
A. Create an EventBridge (CloudWatch Events) archive for the event pattern to replay the events. Increase the logging on the monitoring solution. Use replay to invoke the monitoring solution. Examine the error details.
B. Add an Amazon Simple Queue Service (Amazon SQS) standard queue as a dead-letter queue for the target. Process the messages in the dead-letter queue to retrieve error details.
C. Create a second EventBridge (CloudWatch Events) rule for the same event pattern to target an AWS Lambda function. Configure the Lambda function to invoke the monitoring solution and to record the results to Amazon CloudWatch Logs. Examine the errors in the logs.
D. Configure the EventBridge (CloudWatch Events) rule to send error messages to an Amazon Simple Notification Service (Amazon SNS) topic.
A company’s SysOps administrator deploys four new Amazon EC2 instances by using the standard Amazon Linux 2 Amazon Machine Image (AMI). The company needs to be able to use AWS Systems Manager to manage the instances. The SysOps administrator notices that the instances do not appear in the Systems Manager console. What must the SysOps administrator do to resolve this issue?
A. Connect to each instance by using SSH. Install Systems Manager Agent on each instance. Configure Systems Manager Agent to start automatically when the instances start up.
B. Use AWS Certificate Manager (ACM) to create a TLS certificate. Import the certificate into each instance. Configure Systems Manager Agent to use the TLS certificate for secure communications.
C. Connect to each instance by using SSH. Create an ssm-user account. Add the ssm-user account to the /etc/sudoers.d directory.
D. Attach an IAM instance profile to the instances. Ensure that the instance profile contains the AmazonSSMManagedInstanceCore policy.
A SysOps administrator is testing an application that is hosted on five Amazon EC2 instances. The instances run in an Auto Scaling group behind an Application Load Balancer (ALB). High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out. Which action should the SysOps administrator take to meet these requirements?
A. Enable instance scale-in protection.
B. Place the instance into the Standby state.
C. Remove the listener from the ALB.
D. Suspend the Launch and Terminate process types.
A SysOps administrator configured VPC flow logs by using the default format. The SysOps administrator specified Amazon CloudWatch Logs as the destination. This solution has worked successfully for several months. However, because of additional troubleshooting requirements, the SysOps administrator needs to include the tcp-flags field on the flow logs. What should the SysOps administrator do to meet this requirement?
A. Create a new flow log. Include the tcp-flags field in the custom log format. Delete the original flow log.
B. In the CloudWatch Logs log group, modify the filter to include the tcp-flags field and the type field.
C. In CloudWatch Metrics, modify the metric configuration to include the tcp-flags field.
D. Modify the existing flow log. Include the tcp-flags field and the type field in the custom log format. Save the configuration.
A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the administrator is unable to connect to any of the domains that reside on the internet. What additional route destination rule should the administrator add to the route tables?
A. Route ::/0 traffic to a NAT gateway
B. Route ::/0 traffic to an internet gateway
C. Route 0.0.0.0/0 traffic to an egress-only internet gateway
D. Route ::/0 traffic to an egress-only internet gateway
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement?
A. Log in to the RDS console and select the encryption box to encrypt the database.
B. Create a new encrypted Amazon EBS volume and attach it to the instance.
C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
D. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances. The company needs a solution that produces no additional cost. Which solution will meet these requirements?
A. Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC.
B. Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC.
C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.
D. Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table.
A company's security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager. Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances. What should a SysOps administrator do to resolve this issue?
A. Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
C. Configure the SSM Agent to log in with a user name of “ubuntu”.
D. Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.
A SysOps administrator is creating an Amazon EC2 Auto Scaling group in a new AWS account. After adding some instances, the SysOps administrator notices that the group has not reached the minimum number of instances. The SysOps administrator receives the following error message: Launching a new EC2 instance. Status Reason: Your quota allows for 0 more running instance(s). You requested at least 1. Launching EC2 instance failed. Which action will resolve this issue?
A. Adjust the account spending limits for Amazon EC2 on the AWS Billing and Cost Management console.
B. Modify the EC2 quota for that AWS Region in the EC2 Settings section of the EC2 console.
C. Request a quota increase for the instance type family by using Service Quotas on the AWS Management Console.
D. Use the Rebalance action in the Auto Scaling group on the AWS Management Console.
A company runs several workloads on AWS. The company identifies five AWS Trusted Advisor service quota metrics to monitor in a specific AWS Region. The company wants to receive email notification each time resource usage exceeds 60% of one of the service quotas. Which solution will meet these requirements?
A. Create five Amazon CloudWatch alarms, one for each Trusted Advisor service quota metric. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification each time that usage exceeds 60% of one of the service quotas.
B. Create five Amazon CloudWatch alarms, one for each Trusted Advisor service quota metric. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification each time that usage exceeds 60% of one of the service quotas.
C. Use the AWS Service Health Dashboard to monitor each Trusted Advisor service quota metric. Configure an Amazon Simple Queue Service (Amazon SQS) queue for email notification each time that usage exceeds 60% of one of the service quotas.
D. Use the AWS Service Health Dashboard to monitor each Trusted Advisor service quota metric. Configure an Amazon Simple Notification Service (Amazon SNS) topic for email notification each time that usage exceeds 60% of one of the service quotas.
A company is using Amazon Elastic Container Service (Amazon ECS) to run a containerized application on Amazon EC2 instances. A SysOps administrator needs to monitor only traffic flows between the ECS tasks. Which combination of steps should the SysOps administrator take to meet this requirement? (Choose two.)
A. Configure Amazon CloudWatch Logs on the elastic network interface of each task.
B. Configure VPC Flow Logs on the elastic network interface of each task.
C. Specify the awsvpc network mode in the task definition.
D. Specify the bridge network mode in the task definition.
E. Specify the host network mode in the task definition.
A SysOps administrator needs to implement a backup strategy for Amazon EC2 resources and Amazon RDS resources. The backup strategy must meet the following retention requirements:
- Daily backups: must be kept for 6 days
- Weekly backups: must be kept for 4 weeks
- Monthly backups: must be kept for 11 months
- Yearly backups: must be kept for 7 years
Which backup strategy will meet these requirements with the LEAST administrative effort?
A. Use Amazon Data Lifecycle Manager to create an Amazon Elastic Block Store (Amazon EBS) snapshot policy. Create tags on each resource that needs to be backed up. Create multiple schedules according to the requirements within the policy. Set the appropriate frequency and retention period.
B. Use AWS Backup to create a new backup plan for each retention requirement with a backup frequency of daily, weekly, monthly, or yearly. Set the retention period to match the requirement. Create tags on each resource that needs to be backed up. Set up resource assignment by using the tags.
C. Create an AWS Lambda function. Program the Lambda function to use native tooling to take backups of file systems in Amazon EC2 and to make copies of databases in Amazon RDS. Create an Amazon EventBridge rule to invoke the Lambda function.
D. Use Amazon Data Lifecycle Manager to create an Amazon Elastic Block Store (Amazon EBS) snapshot policy. Create tags on each resource that needs to be backed up. Set up resource assignment by using the tags. Create multiple schedules according to the requirements within the policy. Set the appropriate frequency and retention period. In Amazon RDS, activate automated backups on the required DB instances.
A SysOps administrator needs to create an Amazon S3 bucket as a resource in an AWS CloudFormation template. The bucket name must be randomly generated, and the bucket must be encrypted. Other resources in the template will reference the bucket. Which CloudFormation resource definition should the SysOps administrator use to meet these requirements?
A development team created and deployed a new AWS Lambda function 15 minutes ago. Although the function was invoked many times, Amazon CloudWatch Logs are not showing any log messages. What is one cause of this?
A. The developers did not enable log messages for this Lambda function.
B. The Lambda function’s role does not include permissions to create CloudWatch Logs items.
C. The Lambda function raises an exception before the first log statement has been reached.
D. The Lambda function creates local log files that have to be shipped to CloudWatch Logs first before becoming visible.
A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services. A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user's location. Which solution will meet these requirements?
A. Configure a Route 53 latency routing policy.
B. Configure a Route 53 multivalue answer routing policy.
C. Configure a Route 53 geolocation routing policy.
D. Configure a Route 53 IP-based routing policy.
A SysOps administrator wants to use AWS Systems Manager Patch Manager to automate the process of patching Amazon EC2 Windows instances. The SysOps administrator wants to ensure that patches are auto-approved 2 days after the release date for development instances. Patches also must be auto-approved 5 days after the release date for production instances. Maintenance must occur only during a 2-hour window for all instances. Which solution will meet these requirements?
A. Use tags to identify development instances and production instances. In Patch Manager, create two patch groups and one patch baseline. Add an auto-approval delay to each patch group. Create a single maintenance window.
B. Use tags to identify development instances and production instances. In Patch Manager, create two patch groups and two patch baselines. Specify an auto-approval delay in each of the patch baselines. Create a single maintenance window.
C. Use tags to identify development instances and production instances. In Patch Manager, create two patch groups and one patch baseline. Create two separate maintenance windows, each with an auto-approval delay.
D. Use tags to identify development instances. In Patch Manager, create one patch group and one patch baseline. Specify auto-approval delays in the patch baseline. Add development instances to the new patch group. Use predefined Patch Manager patch baselines for all remaining instances. Create a single maintenance window.
A company's SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs. What could be blocking the VPC flow logs from being published to CloudWatch Logs?
A. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateLogGroup permission
B. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateExportTask permission
C. The VPC is configured for IPv6 addresses
D. The VPC is peered with another VPC in the AWS account
A compliance team requires all administrator passwords for Amazon RDS DB instances to be changed at least annually. Which solution meets this requirement in the MOST operationally efficient manner?
A. Store the database credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days.
B. Store the database credentials as a parameter in the RDS parameter group. Create a database trigger to rotate the password every 365 days.
C. Store the database credentials in a private Amazon S3 bucket. Schedule an AWS Lambda function to generate a new set of credentials every 365 days.
D. Store the database credentials in AWS Systems Manager Parameter Store as a secure string parameter. Configure automatic rotation for the parameter every 365 days.
A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet. What should a SysOps administrator do to meet the compliance requirement?
A. Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
B. Configure AWS Network Firewall to redirect traffic to the internal S3 address.
C. Modify the application to use the S3 path-style endpoint.
D. Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.
A SysOps administrator needs to design a disaster recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The application uses an Amazon Aurora PostgreSQL database. The recovery time objective (RTO) and recovery point objective (RPO) are 15 minutes each. Which combination of steps should the SysOps administrator take to meet these requirements MOST cost-effectively? (Choose two.)
A. Configure Aurora backups to be exported to the DR Region.
B. Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global database option.
C. Configure the DR Region with an ALB and an Auto Scaling group. Use the same configuration as in the primary Region.
D. Configure the DR Region with an ALB and an Auto Scaling group. Set the Auto Scaling group’s minimum capacity, maximum capacity, and desired capacity to 1.
E. Manually launch a new ALB and a new Auto Scaling group by using AWS CloudFormation during a failover activity.