
SOA-C02 Practice Test Free


SOA-C02 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence

Preparing for the SOA-C02 exam? Start with our SOA-C02 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.

Taking a SOA-C02 practice test free is one of the smartest ways to:

  • Get familiar with the real exam format and question types
  • Evaluate your strengths and spot knowledge gaps
  • Gain the confidence you need to succeed on exam day

Below, you will find 50 free SOA-C02 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level. You can click on each Question to explore the details.

Question 1

A SysOps administrator is using AWS CloudFormation StackSets to create AWS resources in two AWS Regions in the same AWS account. A stack operation fails in one Region and returns the stack instance status of OUTDATED.
What is the cause of this failure?

A. The CloudFormation template changed on the local disk and has not been submitted to CloudFormation.

B. The CloudFormation template is trying to create a global resource that is not unique.

C. The stack has not yet been deployed to the Region.

D. The SysOps administrator is using an old version of the CloudFormation API.

 


Correct Answer: B

Question 2

A SysOps administrator is unable to launch Amazon EC2 instances into a VPC because there are no available private IPv4 addresses in the VPC.
Which combination of actions must the SysOps administrator take to launch the instances? (Choose two.)

A. Associate a secondary IPv4 CIDR block with the VPC.

B. Associate a primary IPv6 CIDR block with the VPC.

C. Create a new subnet for the VPC.

D. Modify the CIDR block of the VPC.

E. Modify the CIDR block of the subnet that is associated with the instances.

 


Correct Answer: AC

Question 3

Users are reporting consistent forced logouts from a stateful web application. The logouts occur before the expiration of a 15-minute application logout timer.
The web application is hosted on Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Session affinity (sticky sessions) is already enabled on the ALB target group and uses duration-based cookies. The web application generates its own application cookie.
Which combination of actions should a SysOps administrator take to resolve the logout problem? (Choose two.)

A. Change to the least outstanding requests algorithm on the ALB target group.

B. Configure cookie forwarding in the CloudFront distribution’s cache behavior settings.

C. Configure the duration-based cookie to be named AWSALB.

D. Configure the ALB to use the expiration cookie header.

E. Change the ALB to use application-based cookies.

 


Correct Answer: AD

Question 4

A company deploys a new application on three Amazon EC2 instances across three Availability Zones. The company uses a Network Load Balancer (NLB) to route traffic to the EC2 instances. A SysOps administrator must implement a solution so that the EC2 instances allow traffic from only the NLB.
What should the SysOps administrator do to meet these requirements with the LEAST operational overhead?

A. Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB

B. Configure the security group that is associated with the EC2 instances to allow traffic from only the elastic network interfaces that are associated with the NLB

C. Create a network ACL. Associate the network ACL with the application subnets. Configure the network ACL to allow inbound traffic from only the CIDR ranges of the NLB

D. Use a third-party firewall solution that is installed on a separate EC2 instance. Configure a firewall rule that allows traffic to the application’s EC2 instances from only the subnets where the NLB is deployed.

 


Correct Answer: A

Question 5

A SysOps administrator needs to create an Amazon S3 bucket as a resource in an AWS CloudFormation template. The bucket name must be randomly generated, and the bucket must be encrypted. Other resources in the template will reference the bucket.
Which CloudFormation resource definition should the SysOps administrator use to meet these requirements?

Correct Answer: A

Question 6

A company has users that deploy Amazon EC2 instances that have more disk performance capacity than is required. A SysOps administrator needs to review all Amazon Elastic Block Store (Amazon EBS) volumes that are associated with the instances and create cost optimization recommendations based on IOPS and throughput.
What should the SysOps administrator do to meet these requirements in the MOST operationally efficient way?

A. Use the monitoring graphs in the EC2 console to view metrics for EBS volumes. Review the consumed space against the provisioned space on each volume. Identify any volumes that have low utilization.

B. Stop the EC2 instances from the EC2 console. Change the EC2 instance type for Amazon EBS-optimized. Start the EC2 instances.

C. Opt in to AWS Compute Optimizer. Allow sufficient time for metrics to be gathered. Review the Compute Optimizer findings for EBS volumes.

D. Install the fio tool onto the EC2 instances and create a .cfg file to approximate the required workloads. Use the benchmark results to gauge whether the provisioned EBS volumes are of the most appropriate type.

 


Correct Answer: A

Question 7

A company has an application that is deployed to two AWS Regions in an active-passive configuration. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in each Region. The instances are in an Amazon EC2 Auto Scaling group in each Region. The application uses an Amazon Route 53 hosted zone for DNS. A SysOps administrator needs to configure automatic failover to the secondary Region.
What should the SysOps administrator do to meet these requirements?

A. Configure Route 53 alias records that point to each ALB. Choose a failover routing policy. Set Evaluate Target Health to Yes.

B. Configure CNAME records that point to each ALB. Choose a failover routing policy. Set Evaluate Target Health to Yes.

C. Configure Elastic Load Balancing (ELB) health checks for the Auto Scaling group. Add a target group to the ALB in the primary Region. Include the EC2 instances in the secondary Region as targets.

D. Configure EC2 health checks for the Auto Scaling group. Add a target group to the ALB in the primary Region. Include the EC2 instances in the secondary Region as targets.

 


Correct Answer: A

Question 8

The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in use and the total available IAM policies.
Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?

A. AWS Trusted Advisor

B. Amazon Inspector

C. AWS Config

D. AWS Organizations

 


Correct Answer: A

Question 9

A SysOps administrator is responsible for a company’s security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change.
Which solution will meet these requirements?

A. Set up Amazon Detective to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Queue Service (Amazon SQS) queue for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SQS queue.

B. Set up AWS Systems Manager Change Manager to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SNS topic.

C. Set up AWS Config to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SNS topic.

D. Set up Amazon Detective to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SNS topic.

 


Correct Answer: C

Question 10

A company has a simple web application that runs on a set of Amazon EC2 instances behind an Elastic Load Balancer in the eu-west-2 Region. Amazon Route 53 holds a DNS record for the application with a simple routing policy. Users from all over the world access the application through their web browsers.
The company needs to create additional copies of the application in the us-east-1 Region and in the ap-south-1 Region. The company must direct users to the Region that provides the fastest response times when the users load the application.
What should a SysOps administrator do to meet these requirements?

A. In each new Region, create a new Elastic Load Balancer and a new set of EC2 instances to run a copy of the application. Transition to a geolocation routing policy.

B. In each new Region, create a copy of the application on new EC2 instances. Add these new EC2 instances to the Elastic Load Balancer in eu-west-2. Transition to a latency routing policy.

C. In each new Region, create a copy of the application on new EC2 instances. Add these new EC2 instances to the Elastic Load Balancer in eu-west-2. Transition to a multivalue routing policy.

D. In each new Region, create a new Elastic Load Balancer and a new set of EC2 instances to run a copy of the application. Transition to a latency routing policy.

 


Correct Answer: D

Question 11

A SysOps administrator is troubleshooting a VPC with public and private subnets that leverage custom network ACLs. Instances in the private subnet are unable to access the internet. There is an internet gateway attached to the public subnet. The private subnet has a route to a NAT gateway that is also attached to the public subnet. The Amazon EC2 instances are associated with the default security group for the VPC.
What is causing the issue in this scenario?

A. There is a network ACL on the private subnet set to deny all outbound traffic.

B. There is no NAT gateway deployed in the private subnet of the VPC.

C. The default security group for the VPC blocks all inbound traffic to the EC2 instances.

D. The default security group for the VPC blocks all outbound traffic from the EC2 instances.

 


Correct Answer: D

Question 12

A SysOps administrator wants to securely share an object from a private Amazon S3 bucket with a group of users who do not have an AWS account.
What is the MOST operationally efficient solution that will meet this requirement?

A. Attach an S3 bucket policy that only allows object downloads from the users’ IP addresses.

B. Create an IAM role that has access to the object. Instruct the users to assume the role.

C. Create an IAM user that has access to the object. Share the credentials with the users.

D. Generate a presigned URL for the object. Share the URL with the users.

 


Correct Answer: D

Question 13

A SysOps administrator is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones. There are two instances in each Availability Zone. The SysOps administrator must make the file system accessible to each instance with the lowest possible latency.
Which solution will meet these requirements?

A. Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.

B. Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.

C. Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.

D. Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.

 


Correct Answer: D

Question 14

An Amazon CloudFront distribution has a single Amazon S3 bucket as its origin. A SysOps administrator must ensure that users can access the S3 bucket only through requests from the CloudFront endpoint.
Which solution will meet these requirements?

A. Configure S3 Block Public Access on the S3 bucket. Update the S3 bucket policy to allow the GetObject action from only the CloudFront distribution.

B. Configure Origin Shield in the CloudFront distribution. Update the CloudFront origin to include a custom Origin_Shield header.

C. Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Update the S3 bucket policy to restrict access to the OAI.

D. Create an origin access identity (OAI). Assign the OAI to the S3 bucket. Update the CloudFront origin to include a custom Origin header with the OAI value.

 


Correct Answer: C

Question 15

A company needs to monitor the disk utilization of Amazon Elastic Block Store (Amazon EBS) volumes. The EBS volumes are attached to Amazon EC2 Linux instances. A SysOps administrator must set up an Amazon CloudWatch alarm that provides an alert when disk utilization increases to more than 80%.
Which combination of steps must the SysOps administrator take to meet these requirements? (Choose three.)

A. Create an IAM role that includes the CloudWatchAgentServerPolicy AWS managed policy. Attach the role to the instances.

B. Create an IAM role that includes the CloudWatchApplicationInsightsReadOnlyAccess AWS managed policy. Attach the role to the instances.

C. Install and start the CloudWatch agent by using AWS Systems Manager or the command line.

D. Install and start the CloudWatch agent by using an IAM role. Attach the CloudWatchAgentServerPolicy AWS managed policy to the role.

E. Configure a CloudWatch alarm to enter ALARM state when the disk_used_percent CloudWatch metric is greater than 80%.

F. Configure a CloudWatch alarm to enter ALARM state when the disk_used CloudWatch metric is greater than 80% or when the disk_free CloudWatch metric is less than 20%.

 


Correct Answer: ACD

Question 16

A company has an existing public web application for www.example.com. The Application Load Balancer (ALB) is configured with a single HTTP 80 listener. A SysOps administrator must ensure that all web requests to www.example.com are encrypted between the client and the ALB.
The SysOps administrator already has requested and validated a public certificate for www.example.com in AWS Certificate Manager (ACM). Existing users of the application must not be required to change the endpoint to which they are connecting.
Which additional set of steps should the SysOps administrator take to meet these requirements?

A. Create an additional ALB listener for HTTPS on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.

B. Create an additional ALB listener for HTTPS on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate. Delete the original HTTP listener on port 80.

C. Modify the ALB default rule for the HTTP port 80 listener. Create a rule in the listener to forward all traffic for the host www.example.com to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.

D. Modify the ALB default rule for the HTTP port 80 listener to redirect to HTTPS on port 443. Create an additional HTTPS listener on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.

 


Correct Answer: C

Question 17

An Amazon RDS for PostgreSQL DB cluster has automated backups turned on with a 7-day retention period. A SysOps administrator needs to create a new RDS DB cluster by using data that is no more than 24 hours old from the original DB cluster.
Which solutions will meet these requirements with the LEAST operational overhead? (Choose two.)

A. Identify the most recent automated snapshot. Restore the snapshot to a new RDS DB cluster.

B. Back up the database to Amazon S3 by using native database backup tools. Create a new RDS DB cluster and restore the data to the new RDS DB cluster.

C. Create a read replica instance in the original RDS DB cluster. Promote the read replica to a standalone DB cluster.

D. Create a new RDS DB cluster. Use AWS Database Migration Service (AWS DMS) to migrate data from the current RDS DB cluster to the newly created RDS DB cluster.

E. Use the pg_dump utility to export data from the original RDS DB cluster to an Amazon EC2 instance. Create a new RDS DB cluster. Use the pg_restore utility to import the data from the EC2 instance to the new RDS DB cluster.

 


Correct Answer: AD

Question 18

A company has an application that customers use to search for records on a website. The application's data is stored in an Amazon Aurora DB cluster. The application's usage varies by season and by day of the week.
The website's popularity is increasing, and the website is experiencing slower performance because of increased load on the DB cluster during periods of peak activity. The application logs show that the performance issues occur when users are searching for information. The same search is rarely performed multiple times.
A SysOps administrator must improve the performance of the platform by using a solution that maximizes resource efficiency.
Which solution will meet these requirements?

A. Deploy an Amazon ElastiCache for Redis cluster in front of the DB cluster. Modify the application to check the cache before the application issues new queries to the database. Add the results of any queries to the cache.

B. Deploy an Aurora Replica for the DB cluster. Modify the application to use the reader endpoint for search operations. Use Aurora Auto Scaling to scale the number of replicas based on load.

C. Use Provisioned IOPS on the storage volumes that support the DB cluster to improve performance sufficiently to support the peak load on the application.

D. Increase the instance size in the DB cluster to a size that is sufficient to support the peak load on the application. Use Aurora Auto Scaling to scale the instance size based on load.

 


Correct Answer: B

Question 19

A SysOps administrator uses AWS Systems Manager Session Manager to connect to instances. After the SysOps administrator launches a new Amazon EC2 instance, the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps administrator verifies that Systems Manager Agent is installed, updated, and running on the EC2 instance.
What is the reason for this issue?

A. The SysOps administrator does not have access to the key pair that is required for connection.

B. The SysOps administrator has not attached a security group to the EC2 instance to allow SSH on port 22.

C. The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.

D. The EC2 instance ID has not been entered into the Session Manager configuration.

 


Correct Answer: C

Question 20

A company uses a multi-account structure in the AWS Cloud. The company's environment includes a shared account for common resources. The environment also includes a development account for new application development. The company uses Amazon Route 53 for DNS management. The company manages all its Route 53 hosted zones from the shared account.
A SysOps administrator needs to obtain a new SSL/TLS certificate for an application that is deployed in the development account.
What must the SysOps administrator do to meet this requirement?

A. Create a new AWS Key Management Service (AWS KMS) key in the shared account. Configure the key policy to give read access to the development account’s root principal.

B. Request a new certificate by using AWS Certificate Manager (ACM) from the shared account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.

C. Request a new certificate by using AWS Certificate Manager (ACM) from the development account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.

D. Create a new AWS Key Management Service (AWS KMS) key in the development account. Configure the key policy to give read access to the shared account’s root principal. Use Route 53 from the shared account to create a validation record set that references the Amazon Resource Name (ARN) of the KMS key.

 


Correct Answer: C

Question 21

A company has migrated its legacy on-premises web application to an Amazon EC2 instance. The web application requires a single static public IP address to accept traffic and process requests. End users must be able to reach the web application through the example.com domain. A SysOps administrator must implement a solution that maintains the web application with the least amount of effort.
Which combination of actions will meet these requirements? (Choose two.)

A. Configure an Application Load Balancer (ALB). Add the EC2 instance to a target group that is associated with the ALB.

B. Create an Amazon Route 53 A record for the associated EC2 IP address.

C. Create an Amazon Route 53 CNAME record for the associated EC2 IP address.

D. Create an Elastic IP address, and associate it with the EC2 instance.

E. Create an Auto Scaling group with a minimum capacity of 1 and a maximum capacity of 2.

 


Correct Answer: BC

Question 22

A company must ensure that any objects uploaded to an S3 bucket are encrypted.
Which of the following actions will meet this requirement? (Choose two.)

A. Implement AWS Shield to protect against unencrypted objects stored in S3 buckets.

B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket.

C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored.

D. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted.

E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.

 


Correct Answer: CE

Question 23

A company’s SysOps administrator regularly checks the AWS Personal Health Dashboard in each of the company’s accounts. The accounts are part of an organization in AWS Organizations. The company recently added 10 more accounts to the organization. The SysOps administrator must consolidate the alerts from each account’s Personal Health Dashboard.
Which solution will meet this requirement with the LEAST amount of effort?

A. Enable organizational view in AWS Health.

B. Configure the Personal Health Dashboard in each account to forward events to a central AWS CloudTrail log.

C. Create an AWS Lambda function to query the AWS Health API and to write all events to an Amazon DynamoDB table.

D. Use the AWS Health API to write events to an Amazon DynamoDB table.

 


Correct Answer: A

Question 24

A SysOps administrator is responsible for a company's disaster recovery procedures. The company has a source Amazon S3 bucket in a production account, and it wants to replicate objects from the source to a destination S3 bucket in a nonproduction account. The SysOps administrator configures S3 cross-Region, cross-account replication to copy the source S3 bucket to the destination S3 bucket. When the SysOps administrator attempts to access objects in the destination S3 bucket, they receive an Access Denied error.
Which solution will resolve this problem?

A. Modify the replication configuration to change object ownership to the destination S3 bucket owner.

B. Ensure that the replication rule applies to all objects in the source S3 bucket and is not scoped to a single prefix.

C. Retry the request when the S3 Replication Time Control (S3 RTC) has elapsed.

D. Verify that the storage class for the replicated objects did not change between the source S3 bucket and the destination S3 bucket.

 


Correct Answer: D

Question 25

A company uses AWS CloudFormation to deploy its infrastructure. The company recently retired an application. A cloud operations engineer initiates CloudFormation stack deletion, and the stack gets stuck in DELETE_FAILED status.
A SysOps administrator discovers that the stack had deployed a security group. The security group is referenced by other security groups in the environment. The SysOps administrator needs to delete the stack without affecting other applications.
Which solution will meet these requirements in the MOST operationally efficient manner?

A. Create a new security group that has a different name. Apply identical rules to the new security group. Replace all other security groups that reference the new security group. Delete the stack.

B. Create a CloudFormation change set to delete the security group. Deploy the change set.

C. Delete the stack again. Specify that the security group be retained.

D. Perform CloudFormation drift detection. Delete the stack.

 


Correct Answer: A

Question 26

A company hosts a static website on Amazon S3. The website is served by an Amazon CloudFront distribution with a default TTL of 86,400 seconds.
The company recently uploaded an updated version of the website to Amazon S3. However, users still see the old content when they refresh the site. A SysOps administrator must make the new version of the website visible to users as soon as possible.
Which solution meets these requirements?

A. Adjust the TTL value for the DNS CNAME record that is pointing to the CloudFront distribution.

B. Create an invalidation on the CloudFront distribution for the old S3 objects.

C. Create a new CloudFront distribution. Update the DNS records to point to the new CloudFront distribution.

D. Update the DNS record for the website to point to the S3 bucket.

 


Correct Answer: B

Question 27

A company has attached the following policy to an IAM user:
Which of the following actions are allowed for the IAM user?

A. Amazon RDS DescribeDBInstances action in the us-east-1 Region

B. Amazon S3 PutObject operation in a bucket named testbucket

C. Amazon EC2 DescribeInstances action in the us-east-1 Region

D. Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region

 


Correct Answer: A

Question 28

A company has a stateless application that is hosted on a fleet of 10 Amazon EC2 On-Demand Instances in an Auto Scaling group. A minimum of 6 instances are needed to meet service requirements.
Which action will maintain uptime for the application MOST cost-effectively?

A. Use a Spot Fleet with an On-Demand capacity of 6 instances.

B. Update the Auto Scaling group with a minimum of 6 On-Demand Instances and a maximum of 10 On-Demand Instances.

C. Update the Auto Scaling group with a minimum of 1 On-Demand Instance and a maximum of 6 On-Demand Instances.

D. Use a Spot Fleet with a target capacity of 6 instances.

 


Correct Answer: A

Question 29

A company uses AWS CloudFormation templates to deploy cloud infrastructure. An analysis of all the company's templates shows that the company has declared the same components in multiple templates. A SysOps administrator needs to create dedicated templates that have their own parameters and conditions for these common components.
Which solution will meet this requirement?

A. Develop a CloudFormation change set.

B. Develop CloudFormation macros.

C. Develop CloudFormation nested stacks.

D. Develop CloudFormation stack sets.

 


Correct Answer: D

Question 30

A company decides to stop non-production Amazon EC2 instances during the night. The company's IT manager must receive notification in near real time whenever an EC2 instance that has an environment type tag value of non-production is started during the night.
Which solution will meet this requirement with the MOST operational efficiency?

A. Configure an AWS Lambda function with an SMTP client library. Subscribe the Lambda function to the AWS Health Dashboard to receive notification whenever an EC2 instance is in the running state. Configure the Lambda function to use Amazon Pinpoint to send email notifications to the IT manager. Deploy a second Lambda function to throttle calls from the first Lambda function during the daytime.

B. Deploy an AWS Lambda function that queries the Amazon EC2 API to determine the state of each EC2 instance. Use the EC2 instance scheduler to configure the Lambda function to run every minute during the night and to send an email notification to the IT manager for each non-production EC2 instance that is in the running state.

C. Create an Amazon EventBridge rule that includes the EC2 Instance State-change Notification event type. Filter the event to capture only the running state. Create an AWS Lambda function as a target of the rule. Configure the Lambda function to check the current time and the EC2 instances’ tags to determine the environment type. Create an Amazon Simple Notification Service (Amazon SNS) topic as a target of the Lambda function for notifications. Subscribe the IT manager’s email address to the SNS topic.

D. Store the EC2 instance metadata, including the environment type, in an Amazon DynamoDB table. Deploy a custom application to an EC2 instance. Configure the custom application to poll the DynamoDB data every minute during the night and to query the Amazon EC2 API to determine the state of each instance. Additionally, configure the custom application to send an email notification to the IT manager for each non-production EC2 instance that is in the running state.

 


Correct Answer: C

Question 31

A company needs to deploy a new workload on AWS. The company must encrypt all data at rest and must rotate the encryption keys once each year. The workload uses an Amazon RDS for MySQL Multi-AZ database for data storage.
Which configuration approach will meet these requirements?

A. Enable Transparent Data Encryption (TDE) in the MySQL configuration file. Manually rotate the key every 12 months.

B. Enable RDS encryption on the database at creation time by using the AWS managed key for Amazon RDS.

C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable RDS encryption on the database at creation time by using the KMS key.

D. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the RDS DB instance.

 


Correct Answer: C

Question 32

A company uses an AWS Service Catalog portfolio to create and manage resources. A SysOps administrator must create a replica of the company's existing AWS infrastructure in a new AWS account.
What is the MOST operationally efficient way to meet this requirement?

A. Create an AWS CloudFormation template to use the AWS Service Catalog portfolio in the new AWS account.

B. In the new AWS account, manually create an AWS Service Catalog portfolio that duplicates the original portfolio.

C. Run an AWS Lambda function to create a new AWS Service Catalog portfolio based on the output of the DescribePortfolio API operation.

D. Share the AWS Service Catalog portfolio with the new AWS account. Import the portfolio into the new AWS account.

 


Correct Answer: D

Question 33

A SysOps administrator configured VPC flow logs by using the default format. The SysOps administrator specified Amazon CloudWatch Logs as the destination. This solution has worked successfully for several months. However, because of additional troubleshooting requirements, the SysOps administrator needs to include the tcp-flags field on the flow logs.
What should the SysOps administrator do to meet this requirement?

A. Create a new flow log. Include the tcp-flags field in the custom log format. Delete the original flow log.

B. In the CloudWatch Logs log group, modify the filter to include the tcp-flags field and the type field.

C. In CloudWatch Metrics, modify the metric configuration to include the tcp-flags field.

D. Modify the existing flow log. Include the tcp-flags field and the type field in the custom log format. Save the configuration.

 


Correct Answer: A

Question 34

A company has an AWS Site-to-Site VPN connection between on-premises resources and resources that are hosted in a VPC. A SysOps administrator launches an Amazon EC2 instance that has only a private IP address into a private subnet in the VPC. The EC2 instance runs Microsoft Windows Server.
A security group for the EC2 instance has rules that allow inbound traffic from the on-premises network over the VPN connection. The on-premises environment contains a third-party network firewall. Rules in the third-party network firewall allow Remote Desktop Protocol (RDP) traffic to flow between the on-premises users over the VPN connection.
The on-premises users are unable to connect to the EC2 instance and receive a timeout error.
What should the SysOps administrator do to troubleshoot this issue?

A. Create Amazon CloudWatch logs for the EC2 instance to check for blocked traffic.

B. Create Amazon CloudWatch logs for the Site-to-Site VPN connection to check for blocked traffic.

C. Create VPC flow logs for the EC2 instance’s elastic network interface to check for rejected traffic.

D. Instruct users to use EC2 Instance Connect as a connection method.

 


Correct Answer: C

Question 35

A company has two VPC networks named VPC A and VPC B. The VPC A CIDR block is 10.0.0.0/16 and the VPC B CIDR block is 172.31.0.0/16. The company wants to establish a VPC peering connection named pcx-12345 between both VPCs.
Which rules should appear in the route table of VPC A after configuration? (Choose two.)

A. Destination: 10.0.0.0/16, Target: Local

B. Destination: 172.31.0.0/16, Target: Local

C. Destination: 10.0.0.0/16, Target: pcx-12345

D. Destination: 172.31.0.0/16, Target: pcx-12345

E. Destination: 10.0.0.0/16, Target: 172.31.0.0/16

 


Correct Answer: AD

Question 36

A company runs a website from Sydney, Australia. Users in the United States (US) and Europe are reporting that images and videos are taking a long time to load. However, local testing in Australia indicates no performance issues. The website has a large amount of static content in the form of images and videos that are stored in Amazon S3.
Which solution will result in the MOST improvement in the user experience for users in the US and Europe?

A. Configure AWS PrivateLink for Amazon S3.

B. Configure S3 Transfer Acceleration.

C. Create an Amazon CloudFront distribution. Distribute the static content to the CloudFront edge locations.

D. Create an Amazon API Gateway API in each AWS Region. Cache the content locally.

 


Correct Answer: C

Question 37

A SysOps administrator creates a new VPC that includes a public subnet and a private subnet. The SysOps administrator successfully launches 11 Amazon EC2 instances in the private subnet. The SysOps administrator attempts to launch one more EC2 instance in the same subnet. However, the SysOps administrator receives an error message that states that not enough free IP addresses are available.
What must the SysOps administrator do to deploy more EC2 instances?

A. Edit the private subnet to change the CIDR block to /27.

B. Edit the private subnet to extend across a second Availability Zone.

C. Assign additional Elastic IP addresses to the private subnet.

D. Create a new private subnet to hold the required EC2 instances.

 


Correct Answer: D

Question 38

A company's web application runs on Amazon EC2 instances in a single AWS Region. The infrastructure must be designed so the application remains available with no performance degradation in the event of an Availability Zone (AZ) failure. To ensure optimal performance, the application must maintain a minimum of 12 instances at all times.
Which solution will meet the requirements with the fewest running instances possible?

A. 2 AZs with 6 instances in each AZ

B. 2 AZs with 12 instances in each AZ

C. 3 AZs with 4 instances in each AZ

D. 3 AZs with 6 instances in each AZ

 


Correct Answer: C

Question 39

A SysOps administrator is tasked with analyzing database performance. The database runs on a single Amazon RDS DB instance. The SysOps administrator finds that, during times of peak traffic, resources on the database are overutilized due to the amount of read traffic.
Which actions should the SysOps administrator take to improve RDS performance? (Choose two.)

A. Add a read replica

B. Modify the application to use Amazon ElastiCache for Memcached.

C. Migrate the database from RDS to Amazon DynamoDB.

D. Migrate the database to Amazon EC2 with enhanced networking enabled.

E. Upgrade the database to a Multi-AZ deployment.

 


Correct Answer: AB

Question 40

A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services.
A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user's location.
Which solution will meet these requirements?

A. Configure a Route 53 latency routing policy.

B. Configure a Route 53 multivalue answer routing policy.

C. Configure a Route 53 geolocation routing policy.

D. Configure a Route 53 IP-based routing policy.

 


Correct Answer: C

Question 41

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. The application is accessed with a public URL.
A SysOps administrator needs to implement a monitoring solution that checks the availability of the application and follows the same routes and actions as a customer. The SysOps administrator must receive a notification if less than 95% of the monitoring runs find no errors.
Which solution will meet these requirements?

A. Create an Amazon CloudWatch Synthetics canary with a script that follows customer routes. Schedule the canary to run on a recurring schedule. Create a CloudWatch alarm that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when the SuccessPercent metric is less than 95%.

B. Create Amazon Route 53 health checks that monitor the availability of the endpoint. Create Amazon CloudWatch alarms that publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when the HealthCheckPercentageHealthy metric is less than 95%.

C. Create a single AWS Lambda function to check whether the endpoints are available for each customer path. Schedule the Lambda function by using Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when an endpoint returns an error.

D. Create an AWS Lambda function for each customer path to check whether that specific endpoint is available. Schedule the Lambda functions by using Amazon EventBridge (Amazon CloudWatch Events). Configure each Lambda function to publish a custom metric to Amazon CloudWatch for the endpoint status. Create CloudWatch alarms based on each custom metric to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when an alarm is in the ALARM state.

 


Correct Answer: B

Question 42

A global company operates out of five AWS Regions. A SysOps administrator wants to identify all the company's tagged and untagged Amazon EC2 instances.
The company requires the output to display the instance ID and tags.
What is the MOST operationally efficient way for the SysOps administrator to meet these requirements?

A. Create a tag-based resource group in AWS Resource Groups.

B. Use AWS Trusted Advisor. Export the EC2 On-Demand Instances check results from Trusted Advisor.

C. Use Cost Explorer. Choose a service type of EC2-Instances, and group by Resource.

D. Use Tag Editor in AWS Resource Groups. Select all Regions, and choose a resource type of AWS::EC2::Instance.

 


Correct Answer: D

Question 43

SIMULATION
Instructions.
If your AWS Management Console browser does not show that you are logged in to an AWS account, close the browser and relaunch the console by using the AWS Management Console shortcut from the VM desktop.
If the copy-paste functionality is not working in your environment, refer to the instructions file on the VM desktop and use Ctrl+C, Ctrl+V or Command-C, Command-V.
Use the following configuration requirements to create an Amazon DynamoDB Accelerator (DAX) cluster and modify an existing DynamoDB table.
1. Use the us-east-2 Region for all resources.
2. Use the default configuration settings unless different settings are specified in the following instructions.
3. Configure a DAX cluster to expire cached data items after 240 seconds and to expire cached queries after 120 seconds. ***Note: Configure these values before you finalize creation of the cluster. Otherwise, you will have to wait until cluster creation is complete before you can do this step.
4. Create a three-node DynamoDB DAX cluster that is named DaxLabCluster:
a. Use dax.t3.small instances.
b. Use the LabVPC VPC and the PrimaryPrivateSubnet and FailoverPrivateSubnet subnets.
c. Use the LabDAXSG security group.
d. Configure the DAX cluster to use the DynamoDBAccessRole IAM role.
5. Modify the LabDynamoDBTable DynamoDB table so that the table uses on-demand capacity.
Note: Do NOT wait until cluster creation is complete before you submit this exam lab.
Important: Click the Next button to complete this lab and continue to the next lab. Once you click the Next button, you will NOT be able to return to this lab.

Correct Answer:

 

Question 44

A global company wants to allow anyone in the world to upload videos from a mobile phone. The company's mobile app uploads the videos across the public internet to an Amazon S3 bucket in the us-east-1 Region for further processing.
Videos that users upload from locations that are distant from us-east-1 have slower upload speeds than videos that users upload from close to us-east-1. In many cases, the slow uploads cause users from the distant locations to cancel their uploads.
Which solution will improve the upload speeds for the users from distant locations?

A. Enable S3 Transfer Acceleration on the S3 bucket. Change the mobile app to use the S3 Transfer Acceleration endpoint for uploads.

B. Create an S3 access point for the S3 bucket in several AWS Regions across the world. Change the mobile app to use the S3 access point endpoint for uploads.

C. Use S3 Select on the S3 bucket. Change the mobile app to use the S3 Select global endpoint for uploads.

D. Create new public Network Load Balancers (NLBs) in several AWS Regions across the world. Specify the S3 bucket as the target of the NLBs. Change the mobile app to use the closest NLB for uploads.

 


Correct Answer: A

Question 45

A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the administrator is unable to connect to any of the domains that reside on the internet.
What additional route destination rule should the administrator add to the route tables?

A. Route ::/0 traffic to a NAT gateway

B. Route ::/0 traffic to an internet gateway

C. Route 0.0.0.0/0 traffic to an egress-only internet gateway

D. Route ::/0 traffic to an egress-only internet gateway

 


Correct Answer: D

Question 46

A SysOps administrator maintains the security and compliance of a company's AWS account. To ensure the company's Amazon EC2 instances are following company policy, a SysOps administrator wants to terminate any EC2 instances that do not contain a department tag. Noncompliant resources must be terminated in near-real time.
Which solution will meet these requirements?

A. Create an AWS Config rule with the required-tags managed rule to identify noncompliant resources. Configure automatic remediation to run the AWS-TerminateEC2Instance automation document to terminate noncompliant resources.

B. Create a new Amazon EventBridge (Amazon CloudWatch Events) rule to monitor when new EC2 instances are created. Send the event to a Simple Notification Service (Amazon SNS) topic for automatic remediation.

C. Ensure all users who can create EC2 instances also have the permissions to use the ec2:CreateTags and ec2:DescribeTags actions. Change the instance’s shutdown behavior to terminate.

D. Ensure AWS Systems Manager Compliance is configured to manage the EC2 instances. Call the AWS-StopEC2Instances automation document to stop noncompliant resources.

 


Correct Answer: A

Question 47

A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded; however, upon navigating to the site, the following error message is received:
403 Forbidden - Access Denied
What change should be made to fix this error?

A. Add a bucket policy that grants everyone read access to the bucket.

B. Add a bucket policy that grants everyone read access to the bucket objects.

C. Remove the default bucket policy that denies read access to the bucket.

D. Configure cross-origin resource sharing (CORS) on the bucket.

 


Correct Answer: B

Question 48

A SysOps administrator needs to track the costs of data transfer between AWS Regions. The SysOps administrator must implement a solution to send alerts to an email distribution list when transfer costs reach 75% of a specific threshold.
What should the SysOps administrator do to meet these requirements?

A. Create an AWS Cost and Usage Report. Analyze the results in Amazon Athena. Configure an alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when costs reach 75% of the threshold. Subscribe the email distribution list to the topic.

B. Create an Amazon CloudWatch billing alarm to detect when costs reach 75% of the threshold. Configure the alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email distribution list to the topic.

C. Use AWS Budgets to create a cost budget for data transfer costs. Set an alert at 75% of the budgeted amount. Configure the budget to send a notification to the email distribution list when costs reach 75% of the threshold.

D. Set up a VPC flow log. Set up a subscription filter to an AWS Lambda function to analyze data transfer. Configure the Lambda function to send a notification to the email distribution list when costs reach 75% of the threshold.

 


Correct Answer: C

Question 49

A company asks a SysOps administrator to ensure that AWS CloudTrail files are not tampered with after they are created. Currently, the company uses AWS Identity and Access Management (IAM) to restrict access to specific trails. The company's security team needs the ability to trace the integrity of each file.
What is the MOST operationally efficient solution that meets these requirements?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a new file is delivered. Configure the Lambda function to compute an MD5 hash check on the file and store the result in an Amazon DynamoDB table. The security team can use the values that are stored in DynamoDB to verify the integrity of the delivered files.

B. Create an AWS Lambda function that is invoked each time a new file is delivered to the CloudTrail bucket. Configure the Lambda function to compute an MD5 hash check on the file and store the result as a tag in an Amazon S3 object. The security team can use the information in the tag to verify the integrity of the delivered files.

C. Enable the CloudTrail file integrity feature on an Amazon S3 bucket. Create an IAM policy that grants the security team access to the file integrity logs that are stored in the S3 bucket.

D. Enable the CloudTrail file integrity feature on the trail. The security team can use the digest file that is created by CloudTrail to verify the integrity of the delivered files.

 


Correct Answer: C

Question 50

A company needs to view a list of security groups that are open to the internet on port 3389.
What should a SysOps administrator do to meet this requirement?

A. Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.

B. Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389.

C. Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.

D. Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.

 


Correct Answer: D

Free Access Full SOA-C02 Practice Test Free Questions

If you’re looking for more SOA-C02 practice test free questions, click here to access the full SOA-C02 practice test.

We regularly update this page with new practice questions, so be sure to check back frequently.

Good luck with your SOA-C02 certification journey!


PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
