SOA-C02 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the SOA-C02 certification exam? Kickstart your success with our SOA-C02 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with SOA-C02 practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free SOA-C02 practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.
A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be deleted?
A. Set up MFA Delete on all the S3 buckets to prevent the buckets from being deleted.
B. Use service control policies to deny the s3:DeleteBucket action on all buckets in production accounts.
C. Create an IAM group that has an IAM policy to deny the s3:DeleteBucket action on all buckets in production accounts.
D. Use AWS Shield to deny the s3:DeleteBucket action on the AWS account instead of all S3 buckets.
A team of on-call engineers frequently needs to connect to Amazon EC2 instances in a private subnet to troubleshoot and run commands. The instances use either the latest AWS-provided Windows Amazon Machine Images (AMIs) or Amazon Linux AMIs. The team has an existing IAM role for authorization. A SysOps administrator must provide the team with access to the instances by granting IAM permissions to this role. Which solution will meet this requirement?
A. Add a statement to the IAM role policy to allow the ssm:StartSession action on the instances. Instruct the team to use AWS Systems Manager Session Manager to connect to the instances by using the assumed IAM role.
B. Associate an Elastic IP address and a security group with each instance. Add the engineers’ IP addresses to the security group inbound rules. Add a statement to the IAM role policy to allow the ec2:AuthorizeSecurityGroupIngress action so that the team can connect to the instances.
C. Create a bastion host with an EC2 instance, and associate the bastion host with the VPC. Add a statement to the IAM role policy to allow the ec2:CreateVpnConnection action on the bastion host. Instruct the team to use the bastion host endpoint to connect to the instances.
D. Create an internet-facing Network Load Balancer. Use two listeners. Forward port 22 to a target group of Linux instances. Forward port 3389 to a target group of Windows instances. Add a statement to the IAM role policy to allow the ec2:CreateRoute action so that the team can connect to the instances.
A SysOps administrator is testing an application that is hosted on five Amazon EC2 instances. The instances run in an Auto Scaling group behind an Application Load Balancer (ALB). High CPU utilization during load testing is causing the Auto Scaling group to scale out. The SysOps administrator must troubleshoot to find the root cause of the high CPU utilization before the Auto Scaling group scales out. Which action should the SysOps administrator take to meet these requirements?
A. Enable instance scale-in protection.
B. Place the instance into the Standby state.
C. Remove the listener from the ALB.
D. Suspend the Launch and Terminate process types.
A SysOps administrator has successfully deployed a VPC with an AWS CloudFormation template. The SysOps administrator wants to deploy the same template across multiple accounts that are managed through AWS Organizations. Which solution will meet this requirement with the LEAST operational overhead?
A. Assume the OrganizationAccountAccessRole IAM role from the management account. Deploy the template in each of the accounts.
B. Create an AWS Lambda function to assume a role in each account. Deploy the template by using the AWS CloudFormation CreateStack API call.
C. Create an AWS Lambda function to query for a list of accounts. Deploy the template by using the AWS CloudFormation CreateStack API call.
D. Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts.
A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin. The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution. What should a SysOps administrator do to resolve this problem?
A. Examine the expiration date on the certificate on the origin site. Validate that the certificate has not expired. Replace the certificate if necessary.
B. Examine the hostname on the certificate on the origin site. Validate that the hostname matches one of the hostnames on the CloudFront distribution. Replace the certificate if necessary.
C. Examine the firewall rules that are associated with the origin server. Validate that port 443 is open for inbound traffic from the internet. Create an inbound rule if necessary.
D. Examine the network ACL rules that are associated with the CloudFront distribution. Validate that port 443 is open for outbound traffic to the origin server. Create an outbound rule if necessary.
A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet. What should a SysOps administrator do to meet the compliance requirement?
A. Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
B. Configure AWS Network Firewall to redirect traffic to the internal S3 address.
C. Modify the application to use the S3 path-style endpoint.
D. Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.
Users are reporting consistent forced logouts from a stateful web application. The logouts occur before the expiration of a 15-minute application logout timer. The web application is hosted on Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Session affinity (sticky sessions) is already enabled on the ALB target group and uses duration-based cookies. The web application generates its own application cookie. Which combination of actions should a SysOps administrator take to resolve the logout problem? (Choose two.)
A. Change to the least outstanding requests algorithm on the ALB target group.
B. Configure cookie forwarding in the CloudFront distribution’s cache behavior settings.
C. Configure the duration-based cookie to be named AWSALB.
D. Configure the ALB to use the expiration cookie header.
E. Change the ALB to use application-based cookies.
A company has internal hybrid applications that have resources in the AWS Cloud and on premises. Users report that the applications sometimes are not available. The company has configured an Amazon CloudWatch alarm to monitor the tunnel status of its AWS Site-to-Site VPN connection. A SysOps administrator must implement a solution that creates a high-priority ticket in an internal ticketing tool when the VPN tunnel is down. Which solution will meet this requirement?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic for the CloudWatch alarm. Subscribe the ticketing tool’s endpoint to the SNS topic.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue as the target for the CloudWatch alarm. Configure the queue to transform messages into tickets and to post the tickets to the ticketing tool’s endpoint.
C. Create an AWS Lambda function. Configure the CloudWatch alarm to directly invoke the Lambda function to create individual tickets in the ticketing tool.
D. Create an Amazon EventBridge rule that monitors the VPN tunnel directly. Configure the ticketing tool’s endpoint as the target of the rule.
A company has an application that uses an Amazon RDS for MariaDB Multi-AZ database. The application becomes unavailable for several minutes every time the database experiences a failover during a planned maintenance event. What should a SysOps administrator do to reduce the downtime of the application during failover?
A. Create an RDS for MariaDB DB cluster that has multiple writer instances. Configure the application to retry failed queries on another primary node during maintenance events.
B. Configure the RDS maintenance window settings to pool connections while a failover is in process.
C. Configure an Amazon ElastiCache write-through cache for the database. Configure the application to connect to the cache instead of directly to the database.
D. Create an RDS proxy that is associated with the database. Configure the application to connect to the proxy instead of directly to the database.
A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry: What is a possible cause of these failed connections?
A. A security group deny rule is blocking traffic on port 443.
B. The EC2 instance is shut down.
C. The network ACL is blocking HTTPS traffic.
D. The VPC has no internet gateway attached.
A company needs to enforce tagging requirements for Amazon DynamoDB tables in its AWS accounts. A SysOps administrator must implement a solution to identify and remediate all DynamoDB tables that do not have the appropriate tags. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.
B. Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an AWS Config custom rule to invoke the Lambda function.
C. Use the required-tags AWS Config managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure an automatic remediation action that uses an AWS Systems Manager Automation custom runbook.
D. Create an Amazon EventBridge managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure the EventBridge rule to run an AWS Systems Manager Automation custom runbook for remediation.
A global gaming company is preparing to launch a new game on AWS. The game runs in multiple AWS Regions on a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group behind an Application Load Balancer (ALB) in each Region. The company plans to use Amazon Route 53 for DNS services. The DNS configuration must direct users to the Region that is closest to them and must provide automated failover. Which combination of steps should a SysOps administrator take to configure Route 53 to meet these requirements? (Choose two.)
A. Create Amazon CloudWatch alarms that monitor the health of the ALB in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.
B. Create Amazon CloudWatch alarms that monitor the health of the EC2 instances in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.
C. Configure Route 53 DNS failover by using a health check that monitors the private IP address of an EC2 instance in each Region.
D. Configure Route 53 geoproximity routing. Specify the Regions that are used for the infrastructure.
E. Configure Route 53 simple routing. Specify the continent, country, and state or province that are used for the infrastructure.
A SysOps administrator uses AWS Systems Manager Session Manager to connect to instances. After the SysOps administrator launches a new Amazon EC2 instance, the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps administrator verifies that Systems Manager Agent is installed, updated, and running on the EC2 instance. What is the reason for this issue?
A. The SysOps administrator does not have access to the key pair that is required for connection.
B. The SysOps administrator has not attached a security group to the EC2 instance to allow SSH on port 22.
C. The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.
D. The EC2 instance ID has not been entered into the Session Manager configuration.
A company analyzes sales data for its customers. Customers upload files to one of the company's Amazon S3 buckets, and a message is posted to an Amazon Simple Queue Service (Amazon SQS) queue that contains the object Amazon Resource Name (ARN). An application that runs on an Amazon EC2 instance polls the queue and processes the messages. The processing time depends on the size of the file. Customers are reporting delays in the processing of their files. A SysOps administrator decides to configure Amazon EC2 Auto Scaling as the first step. The SysOps administrator creates an Amazon Machine Image (AMI) that is based on the existing EC2 instance. The SysOps administrator also creates a launch template that references the AMI. How should the SysOps administrator configure the Auto Scaling policy to improve the response time?
A. Add several different instance sizes in the launch template. Create an Auto Scaling policy based on the ApproximateNumberOfMessagesVisible metric to select the size of the instance based on the number of messages in the queue.
B. Create an Auto Scaling policy based on the ApproximateNumberOfMessagesDelayed metric to scale the number of instances based on the number of messages in the queue that have been delayed.
C. Create a custom metric based on the ASGAverageCPUUtilization metric and the GroupPendingInstances metric from the Auto Scaling group. Modify the application to calculate the metric and post the metric to Amazon CloudWatch once each minute. Create an Auto Scaling policy based on this metric to scale the number of instances.
D. Create a custom metric based on the ApproximateNumberOfMessagesVisible metric and the number of instances in the InService state in the Auto Scaling group. Modify the application to calculate the metric and post the metric to Amazon CloudWatch once each minute. Create an Auto Scaling policy based on this metric to scale the number of instances.
A company has scientists who upload large data objects to an Amazon S3 bucket. The scientists upload the objects as multipart uploads. The multipart uploads often fail because of poor end-client connectivity. The company wants to optimize storage costs that are associated with the data. A SysOps administrator must implement a solution that presents metrics for incomplete uploads. The solution also must automatically delete any incomplete uploads after 7 days. Which solution will meet these requirements?
A. Review the Incomplete Multipart Upload Bytes metric in the S3 Storage Lens dashboard. Create an S3 Lifecycle policy to automatically delete any incomplete multipart uploads after 7 days.
B. Implement S3 Intelligent-Tiering to move data into lower-cost storage classes after 7 days. Create an S3 Storage Lens policy to automatically delete any incomplete multipart uploads after 7 days.
C. Access the S3 console. Review the Metrics tab to check the storage that incomplete multipart uploads are consuming. Create an AWS Lambda function to delete any incomplete multipart uploads after 7 days.
D. Use the S3 analytics storage class analysis tool to identify and measure incomplete multipart uploads. Configure an S3 bucket policy to enforce restrictions on multipart uploads to delete incomplete multipart uploads after 7 days.
A SysOps administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units within the same company. All data must be encrypted at rest. How should the administrator implement this process?
A. Write a script to download the encrypted snapshot, decrypt it using the AWS KMS encryption key used to encrypt the snapshot, then create a new volume in each account.
B. Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts.
C. Create an Amazon EC2 instance based on the snapshot, then save the instance’s Amazon EBS volume as a snapshot and share it with the other accounts. Require each account owner to create a new volume from that snapshot and encrypt it.
D. Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RDP, export the database contents into a file, then share this file with the other accounts.
A SysOps administrator wants to protect objects in an Amazon S3 bucket from accidental overwrite and deletion. Noncurrent objects must be kept for 90 days and then must be permanently deleted. Objects must reside within the same AWS Region as the original S3 bucket. Which solution meets these requirements?
A. Create an Amazon Data Lifecycle Manager (Amazon DLM) lifecycle policy for the S3 bucket. Add a rule to the lifecycle policy to delete noncurrent objects after 90 days.
B. Create an AWS Backup policy for the S3 bucket. Create a backup rule that includes a lifecycle to expire noncurrent objects after 90 days.
C. Enable S3 Cross-Region Replication on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
D. Enable S3 Versioning on the S3 bucket. Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
A SysOps administrator created an AWS CloudFormation template that provisions Amazon EC2 instances, an Elastic Load Balancer (ELB), and an Amazon RDS DB instance. During stack creation, the creation of the EC2 instances and the creation of the ELB are successful. However, the creation of the DB instance fails. What is the default behavior of CloudFormation in this scenario?
A. CloudFormation will roll back the stack and delete the stack.
B. CloudFormation will roll back the stack but will not delete the stack.
C. CloudFormation will prompt the user to roll back the stack or continue.
D. CloudFormation will successfully complete the stack but will report a failed status for the DB instance.
A company's VPC has an existing IPv4 configuration. The IPv4 configuration includes public subnets, private subnets, NAT gateways, default route tables, and ACLs. The company associates an IPv6 CIDR block with the VPC. The company adds IPv6 allocations to each existing subnet and adds routes to the route tables. The company updates the ACLs to allow all IPv6 traffic. Public subnets are working as expected, but private subnets are not allowing internet IPv6 connections. What should a SysOps administrator do to allow outbound-only connectivity for the new IPv6 subnets?
A. Configure an egress-only internet gateway and associate it with the VPC. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the egress-only internet gateway.
B. Turn on IPv6 NAT on the NAT gateways. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the NAT gateways.
C. Configure a new IPv6-only NAT gateway. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the IPv6-only NAT gateway.
D. Create a default route in the route tables that are associated with the private subnets. Configure the default route to point to the existing internet gateway.
A company runs an application on Amazon EC2 instances that are in an Amazon EC2 Auto Scaling group. Scale-out actions take a long time to become complete because of long-running boot scripts. A SysOps administrator must implement a solution to reduce the required time for scale-out actions without overprovisioning the Auto Scaling group. Which solution will meet these requirements?
A. Change the launch configuration to use a larger instance size.
B. Increase the minimum number of instances in the Auto Scaling group.
C. Add a predictive scaling policy to the Auto Scaling group.
D. Add a warm pool to the Auto Scaling group.
A company has a compliance requirement that no security groups can allow SSH ports to be open to all IP addresses. A SysOps administrator must implement a solution that will notify the company’s SysOps team when a security group rule violates this requirement. The solution also must remediate the security group rule automatically. Which solution will meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a security group changes. Configure the Lambda function to evaluate the security group for compliance, remove all inbound security group rules on all ports, and notify the SysOps team if the security group is noncompliant.
B. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm to notify the SysOps team through an Amazon Simple Notification Service (Amazon SNS) topic when the metric is greater than 0. Subscribe an AWS Lambda function to the SNS topic to remediate the security group rule by removing the rule.
C. Activate the AWS Config restricted-ssh managed rule. Add automatic remediation to the AWS Config rule by using the AWS Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the SysOps team when the rule is noncompliant.
D. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm for when the metric is greater than 0. Add an AWS Systems Manager action to the CloudWatch alarm to suspend the security group by using the Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook when the alarm is in ALARM state. Add an Amazon Simple Notification Service (Amazon SNS) topic as a second target to notify the SysOps team.
A SysOps administrator is examining the following AWS CloudFormation template: Why will the stack creation fail?
A. The Outputs section of the CloudFormation template was omitted.
B. The Parameters section of the CloudFormation template was omitted.
C. The PrivateDnsName cannot be set from a CloudFormation template.
D. The VPC was not specified in the CloudFormation template.
A company wants to reduce costs for jobs that can be completed at any time. The jobs currently run by using multiple Amazon EC2 On-Demand Instances and the jobs take slightly less than 2 hours to complete. If a job fails for any reason, it must be restarted from the beginning. Which solution will meet these requirements MOST cost-effectively?
A. Purchase Reserved Instances for the jobs.
B. Submit a request for a one-time Spot Instance for the jobs.
C. Submit a request for Spot Instances with a defined duration for the jobs.
D. Use a mixture of On-Demand Instances and Spot Instances for the jobs.
A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours, but at times, the process stalls due to installation errors. The SysOps administrator must modify the CloudFormation template so if the process stalls, the entire stack will fail and roll back. Based on these requirements, what should be added to the template?
A. Conditions with a timeout set to 4 hours.
B. CreationPolicy with a timeout set to 4 hours.
C. DependsOn with a timeout set to 4 hours.
D. Metadata with a timeout set to 4 hours.
A SysOps administrator is preparing to deploy an application to Amazon EC2 instances that are in an Auto Scaling group. The application requires dependencies to be installed. Application updates are issued weekly. The SysOps administrator needs to implement a solution to incorporate the application updates on a regular basis. The solution also must conduct a vulnerability scan during Amazon Machine Image (AMI) creation. What is the MOST operationally efficient solution that meets these requirements?
A. Create a script that uses Packer. Schedule a cron job to run the script.
B. Install the application and its dependencies on an EC2 instance. Create an AMI of the EC2 instance.
C. Use EC2 Image Builder with a custom recipe to install the application and its dependencies.
D. Invoke the EC2 CreateImage API operation by using an Amazon EventBridge scheduled rule.
A company has migrated its application to AWS. The company will host the application on Amazon EC2 instances of multiple instance families. During initial testing, a SysOps administrator identifies performance issues on selected EC2 instances. The company has a strict budget allocation policy, so the SysOps administrator must use the right resource types with the performance characteristics to match the workload. What should the SysOps administrator do to meet this requirement?
A. Purchase regional Reserved Instances (RIs) for immediate cost savings. Review and take action on the EC2 rightsizing recommendations in Cost Explorer. Exchange the RIs for the optimal instance family after rightsizing.
B. Purchase zonal Reserved Instances (RIs) for the existing instances. Monitor the RI utilization in the AWS Billing and Cost Management console. Make adjustments to instance sizes to optimize utilization.
C. Review and take action on AWS Compute Optimizer recommendations. Purchase Compute Savings Plans to reduce the cost that is required to run the compute resources.
D. Review resource utilization metrics in the AWS Cost and Usage Report. Rightsize the EC2 instances. Create On-Demand Capacity Reservations for the rightsized resources.
A company hosts several write-intensive applications. These applications use a MySQL database that runs on a single Amazon EC2 instance. The company asks a SysOps administrator to implement a highly available database solution that is ideal for multi-tenant workloads. Which solution should the SysOps administrator implement to meet these requirements?
A. Create a second EC2 instance for MySQL. Configure the second instance to be a read replica.
B. Migrate the database to an Amazon Aurora DB cluster. Add an Aurora Replica.
C. Migrate the database to an Amazon Aurora multi-master DB cluster.
D. Migrate the database to an Amazon RDS for MySQL DB instance.
A company is managing many accounts by using a single organization in AWS Organizations. The organization has all features enabled. The company wants to turn on AWS Config in all the accounts of the organization and in all AWS Regions. What should a SysOps administrator do to meet these requirements in the MOST operationally efficient way?
A. Use AWS CloudFormation Stack Sets to deploy stack instances that turn on AWS Config in all accounts and in all Regions.
B. Use AWS CloudFormation Stack Sets to deploy stack policies that turn on AWS Config in all accounts and in all Regions.
C. Use service control policies (SCPs) to configure AWS Config in all accounts and in all Regions.
D. Create a script that uses the AWS CLI to turn on AWS Config in all accounts in the organization. Run the script from the organization’s management account.
A company deployed a new web application on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group. Users report that they are frequently being prompted to log in. What should a SysOps administrator do to resolve this issue?
A. Configure an Amazon CloudFront distribution with the ALB as the origin.
B. Enable sticky sessions (session affinity) for the target group of EC2 instances.
C. Redeploy the EC2 instances in a spread placement group.
D. Replace the ALB with a Network Load Balancer.
A company has a cluster of Linux Amazon EC2 Spot Instances that read many files from and write many files to attached Amazon Elastic Block Store (Amazon EBS) volumes. The EC2 instances are frequently started and stopped. As part of the process when an EC2 instance starts, an EBS volume is restored from a snapshot. EBS volumes that are restored from snapshots are experiencing initial performance that is lower than expected. The company's workload needs almost all the provisioned IOPS on the attached EBS volumes. The EC2 instances are unable to support the workload when the performance of the EBS volumes is too low. A SysOps administrator must implement a solution to ensure that the EBS volumes provide the expected performance when they are restored from snapshots. Which solution will meet these requirements?
A. Configure fast snapshot restore (FSR) on the snapshots that are used.
B. Restore each snapshot onto an unencrypted EBS volume. Encrypt the EBS volume when the performance stabilizes.
C. Format the EBS volumes as XFS file systems before restoring the snapshots.
D. Increase the Linux read-ahead buffer to 1 MiB.
A global company operates out of five AWS Regions. A SysOps administrator wants to identify all the company's tagged and untagged Amazon EC2 instances. The company requires the output to display the instance ID and tags. What is the MOST operationally efficient way for the SysOps administrator to meet these requirements?
A. Create a tag-based resource group in AWS Resource Groups.
B. Use AWS Trusted Advisor. Export the EC2 On-Demand Instances check results from Trusted Advisor.
C. Use Cost Explorer. Choose a service type of EC2-Instances, and group by Resource.
D. Use Tag Editor in AWS Resource Groups. Select all Regions, and choose a resource type of AWS::EC2::Instance.
A company manages a set of accounts on AWS by using AWS Organizations. The company's security team wants to use a native AWS service to regularly scan all AWS accounts against the Center for Internet Security (CIS) AWS Foundations Benchmark. What is the MOST operationally efficient way to meet these requirements?
A. Designate a central security account as the AWS Security Hub administrator account. Create a script that sends an invitation from the Security Hub administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure Security Hub to run the CIS AWS Foundations Benchmark scans.
B. Run the CIS AWS Foundations Benchmark across all accounts by using Amazon Inspector.
C. Designate a central security account as the Amazon GuardDuty administrator account. Create a script that sends an invitation from the GuardDuty administrator account and accepts the invitation from the member account. Run the script every time a new account is created. Configure GuardDuty to run the CIS AWS Foundations Benchmark scans.
D. Designate an AWS Security Hub administrator account. Configure new accounts in the organization to automatically become member accounts. Enable CIS AWS Foundations Benchmark scans.
A company has turned on server access logging for all of its existing Amazon S3 buckets. The company wants to implement a solution to monitor the logging settings for new and existing S3 buckets. The solution must remediate any S3 buckets that do not have logging turned on. What should a SysOps administrator do to meet these requirements in the MOST operationally efficient way?
A. Track the logging information by using AWS CloudTrail. Launch an AWS Lambda function for remediation.
B. Configure automatic remediation in AWS Config by using the s3-bucket-logging-enabled rule.
C. Configure AWS Trusted Advisor to monitor the logging configuration and to turn on access logging if necessary.
D. Track the logging information by using Amazon CloudWatch metrics. Launch an AWS Lambda function for remediation.
A company hosts an internal application on Amazon EC2 On-Demand Instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Employees use the application to provide product prices to potential customers. The Auto Scaling group is configured with a dynamic scaling policy and tracks average CPU utilization of the instances. Employees have noticed that sometimes the application becomes slow or unresponsive. A SysOps administrator finds that some instances are experiencing a high CPU load. The Auto Scaling group cannot scale out because the company is reaching the EC2 instance service quota. The SysOps administrator needs to implement a solution that provides a notification when the company reaches 70% or more of the EC2 instance service quota. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create an AWS Lambda function that lists the EC2 instances, counts the EC2 instances, and compares the total number against the applied quota value by using the Service Quotas API. Configure the Lambda function to publish an Amazon Simple Notification Service (Amazon SNS) notification if the quota utilization is equal to or greater than 70%. Create an Amazon EventBridge rule to invoke the Lambda function.
B. Create an AWS Lambda function that lists the EC2 instances, counts the EC2 instances, and compares the total number against the applied quota value by using the Amazon CloudWatch Metrics API. Configure the Lambda function to publish an Amazon Simple Notification Service (Amazon SNS) notification if the quota utilization is equal to or greater than 70%. Create an Amazon EventBridge rule to invoke the Lambda function.
C. Use the Service Quotas console to create an Amazon CloudWatch alarm for the EC2 instances. Configure the alarm with quota utilization equal to or greater than 70%. Configure the alarm to publish an Amazon Simple Notification Service (Amazon SNS) notification when the alarm enters ALARM state.
D. Create an Amazon CloudWatch alarm. Configure the alarm with a threshold of 70% for the CPUUtilization metric for the EC2 instances. Configure the alarm to publish an Amazon Simple Notification Service (Amazon SNS) notification when the alarm enters ALARM state.
A SysOps administrator is optimizing the cost of a workload. The workload is running in multiple AWS Regions and is using AWS Lambda with Amazon EC2 On-Demand Instances for the compute. The overall usage is predictable. The amount of compute that is consumed in each Region varies, depending on the users' locations. Which approach should the SysOps administrator use to optimize this workload?
A. Purchase Compute Savings Plans based on the usage during the past 30 days.
B. Purchase Convertible Reserved Instances by calculating the usage baseline.
C. Purchase EC2 Instance Savings Plans based on the usage during the past 30 days.
D. Purchase Standard Reserved Instances by calculating the usage baseline.
A company needs to take an inventory of applications that are running on multiple Amazon EC2 instances. The company has configured users and roles with the appropriate permissions for AWS Systems Manager. An updated version of Systems Manager Agent has been installed and is running on every instance. While configuring an inventory collection, a SysOps administrator discovers that not all the instances in a single subnet are managed by Systems Manager. What must the SysOps administrator do to fix this issue?
A. Ensure that all the EC2 instances have the correct tags for Systems Manager access.
B. Configure AWS Identity and Access Management Access Analyzer to determine and automatically remediate the issue.
C. Ensure that all the EC2 instances have an instance profile with Systems Manager access.
D. Configure Systems Manager to use an interface VPC endpoint.
A company is running production workloads that use a Multi-AZ deployment of an Amazon RDS for MySQL db.m6g.xlarge (general purpose) standard DB instance. Users report that they are frequently encountering a “too many connections” error. A SysOps administrator observes that the number of connections on the database is high. The SysOps administrator needs to resolve this issue while keeping code changes to a minimum. Which solution will meet these requirements MOST cost-effectively?
A. Modify the RDS for MySQL DB instance to a larger instance size.
B. Modify the RDS for MySQL DB instance to Amazon DynamoDB.
C. Configure RDS Proxy. Modify the application configuration file to use the RDS Proxy endpoint.
D. Modify the RDS for MySQL DB instance to a memory optimized DB instance.
A company hosts a website on multiple Amazon EC2 instances that run in an Auto Scaling group. Users are reporting slow responses during peak times between 6 PM and 11 PM every weekend. A SysOps administrator must implement a solution to improve performance during these peak times. What is the MOST operationally efficient solution that meets these requirements?
A. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to increase the desired capacity before peak times.
B. Configure a scheduled scaling action with a recurrence option to change the desired capacity before and after peak times.
C. Create a target tracking scaling policy to add more instances when memory utilization is above 70%.
D. Configure the cooldown period for the Auto Scaling group to modify desired capacity before and after peak times.
A company’s financial department needs to view the cost details of each project in an AWS account. A SysOps administrator must perform the initial configuration that is required to view cost for each project in Cost Explorer. Which solution will meet this requirement?
A. Activate cost allocation tags. Add a project tag to the appropriate resources.
B. Configure consolidated billing. Create AWS Cost and Usage Reports.
C. Use AWS Budgets. Create AWS Budgets reports.
D. Use cost categories to define custom groups that are based on AWS cost and usage dimensions.
When the AWS Cloud infrastructure experiences an event that may impact an organization, which AWS service can be used to see which of the organization's resources are affected?
A. AWS Service Health Dashboard
B. AWS Trusted Advisor
C. AWS Personal Health Dashboard
D. AWS Systems Manager
A company's SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs. What could be blocking the VPC flow logs from being published to CloudWatch Logs?
A. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateLogGroup permission
B. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateExportTask permission
C. The VPC is configured for IPv6 addresses
D. The VPC is peered with another VPC in the AWS account
AnyCompany has acquired Example Corp and is attempting to consolidate the business systems of both companies. AnyCompany’s IT department needs to integrate with Example Corp’s IT ticketing system. A SysOps administrator must implement a solution that uses Amazon CloudWatch alarms for Amazon EC2 instances in AnyCompany’s account to create new tickets in Example Corp’s ticketing system. The ticketing system provides an HTTPS endpoint for the creation of new tickets. The ticketing system accepts messages in the following JSON format: Which approach to creating tickets from the CloudWatch alarms will meet these requirements with the LEAST development time?
A. Create an Amazon EventBridge rule that filters appropriate events and specifies EventBridge API destinations as a target. Configure EventBridge API destinations to send events to the HTTPS endpoint. In the EventBridge rule, create an input transformer to convert the source to a compatible output for the ticketing system.
B. Create an Amazon EventBridge rule that filters appropriate events and specifies an Amazon Kinesis data stream as the target. Create an AWS Lambda function to receive events from the Kinesis data stream. Configure the Lambda function to start an AWS Glue job to transform the data and forward the output to the HTTPS endpoint.
C. Create an Amazon EventBridge rule that filters appropriate events and specifies Amazon Simple Notification Service (Amazon SNS) as a target. Configure Amazon SNS to transform the events and send the events to the HTTPS endpoint.
D. Create an Amazon EventBridge rule that filters appropriate events and specifies an AWS Step Functions state machine as a target. Create an AWS Lambda function and an AWS Glue job in Step Functions to transform the events and send the events to the HTTPS endpoint.
A company wants to apply an existing Amazon Route 53 private hosted zone to a new VPC to allow for customized resource name resolution within the VPC. The SysOps administrator created the VPC and added the appropriate resource record sets to the private hosted zone. Which step should the SysOps administrator take to complete the setup?
A. Associate the Route 53 private hosted zone with the VPC.
B. Create a rule in the default security group for the VPC that allows traffic to the Route 53 Resolver.
C. Ensure the VPC network ACLs allow traffic to the Route 53 Resolver.
D. Ensure there is a route to the Route 53 Resolver in each of the VPC route tables.
A SysOps administrator manages a company's Amazon S3 buckets. The SysOps administrator has identified 5 GB of incomplete multipart uploads in an S3 bucket in the company's AWS account. The SysOps administrator needs to reduce the number of incomplete multipart upload objects in the S3 bucket. Which solution will meet this requirement?
A. Create an S3 Lifecycle rule on the S3 bucket to delete expired markers or incomplete multipart uploads.
B. Require users that perform uploads of files into Amazon S3 to use the S3 TransferUtility.
C. Enable S3 Versioning on the S3 bucket that contains the incomplete multipart uploads.
D. Create an S3 Object Lambda Access Point to delete incomplete multipart uploads.
A company stores its internal data within an Amazon S3 bucket. All existing data within the S3 bucket is protected by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3). S3 Versioning is enabled. A SysOps administrator must replicate the internal data to another S3 bucket in a different AWS account for disaster recovery. All the existing data is copied from the source S3 bucket to the destination S3 bucket. Which replication solution is MOST operationally efficient?
A. Add a replication rule to the source bucket and specify the destination bucket. Create a bucket policy for the destination bucket to allow the owner of the source bucket to replicate objects.
B. Schedule an AWS Batch job with Amazon EventBridge to copy new objects from the source bucket to the destination bucket. Create a Batch Operations IAM role in the destination account.
C. Configure an Amazon S3 event notification for the source bucket to invoke an AWS Lambda function to copy new objects to the destination bucket. Ensure that the Lambda function has cross-account access permissions.
D. Run a scheduled script on an Amazon EC2 instance to copy new objects from the source bucket to the destination bucket. Assign cross-account access permissions to the EC2 instance’s role.
A company has an initiative to reduce costs associated with Amazon EC2 and AWS Lambda. Which action should a SysOps administrator take to meet these requirements?
A. Analyze the AWS Cost and Usage Report by using Amazon Athena to identify cost savings.
B. Create an AWS Budgets alert to alarm when account spend reaches 80% of the budget.
C. Purchase Reserved Instances through the Amazon EC2 console.
D. Use AWS Compute Optimizer and take action on the provided recommendations.
A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A SysOps administrator must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company's accounts and cloud applications. Which prerequisites must the SysOps administrator have so that the SysOps administrator can connect to the external IdP? (Choose two.)
A. A copy of the IAM Identity Center SAML metadata
B. The IdP metadata including the public X.509 certificate
C. The IP address of the IdP
D. Root access to the management account
E. Administrative permissions to the member accounts of the organization
A SysOps administrator has an AWS CloudFormation template of the company's existing infrastructure in us-west-2. The administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back. Why would this template fail to deploy? (Choose two.)
A. The template referenced an IAM user that is not available in eu-west-1.
B. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1.
C. The template did not have the proper level of permissions to deploy the resources.
D. The template requested services that do not exist in eu-west-1.
E. CloudFormation templates can be used only to update existing services.
A company has an application that uses an Amazon Elastic File System (Amazon EFS) file system. A recent incident that involved an application logic error corrupted several files. The company wants to improve its ability to back up and recover the EFS file system. The company must be able to recover individual files rapidly. Which solution meets these requirements MOST cost-effectively?
A. Configure Amazon Data Lifecycle Manager (Amazon DLM) to archive a copy of the data to an Amazon S3 Glacier vault. Use S3 Glacier retrieval requests to retrieve individual files.
B. Create a second EFS file system in another AWS Region. Configure AWS DataSync to copy the data to the backup file system. Recover files by copying them from the backup EFS file system.
C. Enable AWS Backup in Amazon EFS to back up the file system to an Amazon S3 Glacier vault. Use S3 Glacier retrieval requests to retrieve individual files.
D. Enable AWS Backup in Amazon EFS to back up the file system to a backup vault. Use a partial restore job to retrieve individual files.
A company is using AWS Certificate Manager (ACM) to manage public SSL/TLS certificates. A SysOps administrator needs to send an email notification when a certificate has less than 14 days until expiration. Which solution will meet this requirement with the LEAST operational overhead?
A. Create an Amazon CloudWatch custom metric to monitor certificate expiration for all ACM certificates. Create an Amazon EventBridge rule that has an event source of aws.cloudwatch. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if the DaysToExpiry metric is less than 14. Subscribe the appropriate email addresses to the SNS topic.
B. Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if DaysToExpiry is less than 14. Subscribe the appropriate email addresses to the SNS topic.
C. Create an Amazon CloudWatch dashboard that displays the DaysToExpiry metric for all ACM certificates. If DaysToExpiry is less than 14, send an email message to the appropriate email addresses. Send the email message by running a predefined CLI command to publish to an Amazon Simple Notification Service (Amazon SNS) topic.
D. Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure a target SMS identity that uses a predefined email template. Configure the rule to send an event to the target SMS identity if DaysToExpiry is less than 14.
Good luck with your SOA-C02 certification journey!