SOA-C02 Practice Test Free – 50 Questions to Test Your Knowledge
Are you preparing for the SOA-C02 certification exam? If so, taking a free SOA-C02 practice test is one of the best ways to assess your knowledge and improve your chances of passing. In this post, we provide 50 free SOA-C02 practice questions designed to help you test your skills and identify areas for improvement.
By taking a free SOA-C02 practice test, you can:
- Familiarize yourself with the exam format and question types
- Identify your strengths and weaknesses
- Gain confidence before the actual exam
50 Free SOA-C02 Practice Questions
Below, you will find 50 free SOA-C02 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
A company has internal hybrid applications that have resources in the AWS Cloud and on premises. Users report that the applications sometimes are not available. The company has configured an Amazon CloudWatch alarm to monitor the tunnel status of its AWS Site-to-Site VPN connection. A SysOps administrator must implement a solution that creates a high-priority ticket in an internal ticketing tool when the VPN tunnel is down. Which solution will meet this requirement?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic for the CloudWatch alarm. Subscribe the ticketing tool’s endpoint to the SNS topic.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue as the target for the CloudWatch alarm. Configure the queue to transform messages into tickets and to post the tickets to the ticketing tool’s endpoint.
C. Create an AWS Lambda function. Configure the CloudWatch alarm to directly invoke the Lambda function to create individual tickets in the ticketing tool.
D. Create an Amazon EventBridge rule that monitors the VPN tunnel directly. Configure the ticketing tool’s endpoint as the target of the rule.
A SysOps administrator is troubleshooting an AWS CloudFormation stack creation that failed. Before the SysOps administrator can identify the problem, the stack and its resources are deleted. For future deployments, the SysOps administrator must preserve any resources that CloudFormation successfully created. What should the SysOps administrator do to meet this requirement?
A. Set the value of the DisableRollback parameter to False during stack creation
B. Set the value of the OnFailure parameter to DO_NOTHING during stack creation
C. Specify a rollback configuration that has a rollback trigger of DO_NOTHING during stack creation
D. Set the value of the OnFailure parameter to ROLLBACK during stack creation
A company needs to implement a solution to install specific software on Amazon EC2 instances when the instances launch. Which solution will meet this requirement?
A. Configure AWS Systems Manager State Manager associations to bootstrap the EC2 instances with the required software at launch.
B. Use the Amazon CloudWatch agent to detect EC2 InstanceStart events and to inject the required software. Modify the InstanceRole IAM role to add permissions for the StartTask API operation.
C. Use Amazon Inspector to detect EC2 launch events. Configure Amazon Inspector to install the required software as part of lifecycle hooks for the EC2 launch events.
D. Use AWS Security Hub remediation actions to install the required software at launch.
A company is using Amazon CloudWatch alarms to monitor Amazon Elastic Kubernetes Service (Amazon EKS) workloads. The alarms are initiated through a threshold definition and are not helping the EKS cluster operate more efficiently. A SysOps administrator must implement a solution that identifies anomalies and generates recommendations for how to address the anomalies. Which solution will meet these requirements?
A. Use CloudWatch anomaly detection to identify anomalies and provide recommendations
B. Use CloudWatch Container Insights with Amazon DevOps Guru to identify anomalies and provide recommendations.
C. Use CloudWatch Container Insights to identify anomalies and provide recommendations
D. Use CloudWatch anomaly detection with CloudWatch Container Insights to identify anomalies and provide recommendations
A company deploys a new application on three Amazon EC2 instances across three Availability Zones. The company uses a Network Load Balancer (NLB) to route traffic to the EC2 instances. A SysOps administrator must implement a solution so that the EC2 instances allow traffic from only the NLB. What should the SysOps administrator do to meet these requirements with the LEAST operational overhead?
A. Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB
B. Configure the security group that is associated with the EC2 instances to allow traffic from only the elastic network interfaces that are associated with the NLB
C. Create a network ACL. Associate the network ACL with the application subnets. Configure the network ACL to allow inbound traffic from only the CIDR ranges of the NLB
D. Use a third-party firewall solution that is installed on a separate EC2 instance. Configure a firewall rule that allows traffic to the application’s EC2 instances from only the subnets where the NLB is deployed.
A company is using AWS Certificate Manager (ACM) to manage public SSL/TLS certificates. A SysOps administrator needs to send an email notification when a certificate has less than 14 days until expiration. Which solution will meet this requirement with the LEAST operational overhead?
A. Create an Amazon CloudWatch custom metric to monitor certificate expiration for all ACM certificates. Create an Amazon EventBridge rule that has an event source of aws.cloudwatch. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if the DaysToExpiry metric is less than 14. Subscribe the appropriate email addresses to the SNS topic.
B. Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if DaysToExpiry is less than 14. Subscribe the appropriate email addresses to the SNS topic.
C. Create an Amazon CloudWatch dashboard that displays the DaysToExpiry metric for all ACM certificates. If DaysToExpiry is less than 14, send an email message to the appropriate email addresses. Send the email message by running a predefined CLI command to publish to an Amazon Simple Notification Service (Amazon SNS) topic.
D. Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure a target SMS identity that uses a predefined email template. Configure the rule to send an event to the target SMS identity if DaysToExpiry is less than 14.
A company that uses ServiceNow has an AWS account where a sensitive workload runs. The necessary security groups are in place. The company needs to implement a solution to create an incident in ServiceNow every time the rules change in any security group. Which solution will meet this requirement with the LEAST operational effort?
A. Create an Amazon CloudWatch alarm that enters ALARM state when security groups change. Configure the alarm to invoke an AWS Lambda function that connects to ServiceNow to create an incident.
B. Enable AWS Security Hub. Create an AWS Lambda function that connects to ServiceNow to create an incident. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as Security Hub Findings – Custom Action. Configure the EventBridge rule to invoke the Lambda function.
C. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as AWS API Call via CloudTrail. Configure the EventBridge rule to run the AWS-CreateServiceNowIncident AWS Systems Manager Automation runbook to create an incident in ServiceNow.
D. Launch an Amazon EC2 instance that has a persistent connection to ServiceNow to detect security group changes. Export AWS CloudTrail logs to the EC2 instance. Write a bash script to run a scheduled cron job every 30 minutes to search the CloudTrail logs for security group changes. Configure the EC2 instance to create an incident in ServiceNow when a change is detected.
A SysOps administrator created an AWS CloudFormation template that provisions an Amazon EventBridge rule that invokes an AWS Lambda function. The Lambda function is designed to write event details to an Amazon CloudWatch log group. The function has permissions to write events to Amazon CloudWatch Logs. However, the SysOps administrator discovered that the Lambda function is not running. How should the SysOps administrator resolve the problem?
A. Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for EventBridge to invoke the function. Assign the role to the EventBridge rule.
B. Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for the function. Assign the role as the function execution role.
C. Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure events.amazonaws.com has permissions to invoke the function.
D. Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure lambda.amazonaws.com has permissions to invoke the function.
A company needs to enforce tagging requirements for Amazon DynamoDB tables in its AWS accounts. A SysOps administrator must implement a solution to identify and remediate all DynamoDB tables that do not have the appropriate tags. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.
B. Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an AWS Config custom rule to invoke the Lambda function.
C. Use the required-tags AWS Config managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure an automatic remediation action that uses an AWS Systems Manager Automation custom runbook.
D. Create an Amazon EventBridge managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure the EventBridge rule to run an AWS Systems Manager Automation custom runbook for remediation.
A company has an Amazon EC2 instance that has high CPU utilization. The EC2 instance is a t3.large instance and is running a test web application. The company discovers that the web application would operate better on a compute optimized large instance. What should a SysOps administrator do to make this change?
A. Migrate the EC2 instance to a compute optimized instance by using AWS VM Import/Export.
B. Enable hibernation on the EC2 instance. Change the instance type to a compute optimized instance. Disable hibernation on the EC2 instance.
C. Stop the EC2 instance. Change the instance type to a compute optimized instance. Start the EC2 instance.
D. Change the instance type to a compute optimized instance while the EC2 instance is running.
A company is preparing for a marketing campaign that will increase traffic to a new web application. The application uses Amazon API Gateway and AWS Lambda for the application logic. The application stores relevant user data in an Amazon Aurora MySQL DB cluster that has one Aurora Replica. Database queries for the application are 5% write and 95% read. What should a SysOps administrator do to scale the database when traffic increases?
A. Configure Aurora Auto Scaling to add or remove Aurora Replicas in the cluster based on the average CPU utilization of the Aurora Replicas.
B. Configure Aurora Auto Scaling to increase or decrease the size of the Aurora Replicas based on the average CPU utilization of the Aurora Replicas.
C. Configure AWS Auto Scaling to monitor the Aurora cluster. Configure AWS Auto Scaling to add or remove Aurora Replicas in the cluster based on the average CPU utilization of the primary instance.
D. Configure AWS Auto Scaling to monitor the Aurora cluster. Configure AWS Auto Scaling to add or remove Aurora Replicas in the cluster based on the average CPU utilization of the existing Aurora Replica.
A development team created and deployed a new AWS Lambda function 15 minutes ago. Although the function was invoked many times, Amazon CloudWatch Logs are not showing any log messages. What is one cause of this?
A. The developers did not enable log messages for this Lambda function.
B. The Lambda function’s role does not include permissions to create CloudWatch Logs items.
C. The Lambda function raises an exception before the first log statement has been reached.
D. The Lambda function creates local log files that have to be shipped to CloudWatch Logs first before becoming visible.
A company is using Amazon S3 to set up a temporary static website that is public. A SysOps administrator creates an S3 bucket by using the default settings. The SysOps administrator updates the S3 bucket properties to configure static website hosting. The SysOps administrator then uploads objects that contain content for index.html and error.html. When the SysOps administrator navigates to the website URL, the SysOps administrator receives an HTTP Status Code 403: Forbidden (Access Denied) error. What should the SysOps administrator do to resolve this error?
A. Create an Amazon Route 53 DNS entry. Point the entry to the S3 bucket.
B. Edit the S3 bucket permissions by turning off Block Public Access settings. Create a bucket policy to allow GetObject access on the S3 bucket.
C. Edit the permissions on the index.html and error.html files for read access.
D. Edit the S3 bucket permissions by turning off Block Public Access settings. Create a bucket policy to allow PutObject access on the S3 bucket.
A company observes that a newly created Amazon CloudWatch alarm is not transitioning out of the INSUFFICIENT_DATA state. The alarm was created to track the mem_used_percent metric from an Amazon EC2 instance that is deployed in a public subnet. A review of the EC2 instance shows that the unified CloudWatch agent is installed and is running. However, the metric is not available in CloudWatch. A SysOps administrator needs to implement a solution to resolve this problem. Which solution will meet these requirements?
A. Enable CloudWatch detailed monitoring for the EC2 instance
B. Create an IAM instance profile that contains CloudWatch permissions. Add the instance profile to the EC2 instance
C. Migrate the EC2 instance into a private subnet
D. Create an IAM user that has an access key ID and a secret access key. Update the unified CloudWatch agent configuration file to use those credentials
A company is uploading important files as objects to Amazon S3. The company needs to be informed if an object is corrupted during the upload. What should a SysOps administrator do to meet this requirement?
A. Pass the Content-Disposition value as a request body during the object upload
B. Pass the Content-MD5 value as a request header during the object upload
C. Pass x-amz-object-lock-mode as a request header during the object upload
D. Pass x-amz-server-side-encryption-customer-algorithm as a request body during the object upload
A SysOps administrator needs to create a report that shows how many bytes are sent to and received from each target group member for an Application Load Balancer (ALB). Which combination of steps should the SysOps administrator take to meet these requirements? (Choose two.)
A. Enable access logging for the ALB. Save the logs to an Amazon S3 bucket.
B. Install the Amazon CloudWatch agent on the instances in the target group.
C. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the target port field.
D. Use Amazon Athena to query the ALB logs. Query the table. Use the received_bytes and sent_bytes fields to calculate the total bytes grouped by the client port field.
E. Create an Amazon CloudWatch dashboard that shows the Sum statistic of the ProcessedBytes metric for the ALB.
A company runs thousands of Amazon EC2 instances that are based on the Amazon Linux 2 Amazon Machine Image (AMI). A SysOps administrator must implement a solution to record commands and output from any user that needs an interactive session on one of the EC2 instances. The solution must log the data to a durable storage location. The solution also must provide automated notifications and alarms that are based on the log data. Which solution will meet these requirements with the MOST operational efficiency?
A. Configure command session logging on each EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up query filters and alerts by using Amazon Athena.
B. Require all users to use a central bastion host when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent on the bastion host to send session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
C. Require all users to use AWS Systems Manager Session Manager when they need command line access to an EC2 instance. Configure Session Manager to stream session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
D. Configure command session logging on each EC2 instance. Require all users to use AWS Systems Manager Run Command documents when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up CloudWatch alarms that are based on Amazon Athena query results.
A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A SysOps administrator must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company's accounts and cloud applications. Which prerequisites must the SysOps administrator have so that the SysOps administrator can connect to the external IdP? (Choose two.)
A. A copy of the IAM Identity Center SAML metadata
B. The IdP metadata including the public X.509 certificate
C. The IP address of the IdP
D. Root access to the management account
E. Administrative permissions to the member accounts of the organization
A company recently moved its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch Logs to track the instance logs. What should a SysOps administrator do to meet this requirement in compliance with AWS best practices?
A. Configure CloudWatch from the AWS Management Console for the instances. Wait for AWS to automatically install and configure the agents for the instances
B. Install and configure the CloudWatch agent on the instances. Attach an IAM role to allow the instances to write logs to CloudWatch
C. Install and configure the CloudWatch agent on the instances. Attach an IAM user to allow the instances to write logs to CloudWatch
D. Install and configure the CloudWatch agent on the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch
A company uses AWS CloudFormation to deploy its infrastructure. The company recently retired an application. A cloud operations engineer initiates CloudFormation stack deletion, and the stack gets stuck in DELETE_FAILED status. A SysOps administrator discovers that the stack had deployed a security group. The security group is referenced by other security groups in the environment. The SysOps administrator needs to delete the stack without affecting other applications. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create a new security group that has a different name. Apply identical rules to the new security group. Replace all other security groups that reference the new security group. Delete the stack.
B. Create a CloudFormation change set to delete the security group. Deploy the change set.
C. Delete the stack again. Specify that the security group be retained.
D. Perform CloudFormation drift detection. Delete the stack.
A company needs to monitor its website’s availability to end users. The company needs a solution to provide an Amazon Simple Notification Service (Amazon SNS) notification if the website's uptime decreases to less than 99%. The monitoring must provide an accurate view of the user experience on the website. Which solution will meet these requirements?
A. Create an Amazon CloudWatch alarm that is based on the website’s logs that are published to a CloudWatch Logs log group. Configure the alarm to publish an SNS notification if the number of HTTP 4xx errors and 5xx errors exceeds a specified threshold.
B. Create an Amazon CloudWatch alarm that is based on the website’s published metrics in CloudWatch. Configure the alarm to publish an SNS notification that is based on anomaly detection.
C. Create an Amazon CloudWatch Synthetics heartbeat monitoring canary. Associate the canary with the website’s URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
D. Create an Amazon CloudWatch Synthetics broken link checker monitoring canary. Associate the canary with the website’s URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
A company needs to track spending in its AWS account. The company must receive a notification when current costs and forecasted costs exceed specific thresholds. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new IAM role. Attach the AWSPurchaseOrdersServiceRolePolicy AWS managed policy to the role. Check AWS Cost Explorer on a regular basis to monitor current costs and forecasted costs.
B. Create an AWS Cost and Usage Report. Create an AWS Step Functions state machine that runs when a new usage file is generated. Configure the state machine to pass the data to Amazon Forecast and to invoke an AWS Lambda function. Configure the Lambda function to parse the data and to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if costs exceed the thresholds.
C. Create an AWS Cost and Usage Report. Separate the current costs and forecasted costs by service. Schedule the report to be sent to an Amazon Simple Notification Service (Amazon SNS) topic each month.
D. Create a recurring cost budget in AWS Budgets. Create an alert for the actual cost. Create a second alert for the forecasted costs. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive the alerts.
A company uses a multi-account structure in the AWS Cloud. The company's environment includes a shared account for common resources. The environment also includes a development account for new application development. The company uses Amazon Route 53 for DNS management. The company manages all its Route 53 hosted zones from the shared account. A SysOps administrator needs to obtain a new SSL/TLS certificate for an application that is deployed in the development account. What must the SysOps administrator do to meet this requirement?
A. Create a new AWS Key Management Service (AWS KMS) key in the shared account. Configure the key policy to give read access to the development account’s root principal.
B. Request a new certificate by using AWS Certificate Manager (ACM) from the shared account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.
C. Request a new certificate by using AWS Certificate Manager (ACM) from the development account. Use Route 53 from the shared account to create validation record sets in the relevant hosted zone.
D. Create a new AWS Key Management Service (AWS KMS) key in the development account. Configure the key policy to give read access to the shared account’s root principal. Use Route 53 from the shared account to create a validation record set that references the Amazon Resource Name (ARN) of the KMS key.
A company's SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs. What could be blocking the VPC flow logs from being published to CloudWatch Logs?
A. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateLogGroup permission
B. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateExportTask permission
C. The VPC is configured for IPv6 addresses
D. The VPC is peered with another VPC in the AWS account
A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources. Which solution will meet these requirements?
A. Set up an AWS Config rule to alert based on changes to any CloudFormation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
B. Set up an Amazon EventBridge event with a rule to initiate based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
C. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*.
D. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource Names (ARNs) of the protected resources.
A global company wants to allow anyone in the world to upload videos from a mobile phone. The company's mobile app uploads the videos across the public internet to an Amazon S3 bucket in the us-east-1 Region for further processing. Videos that users upload from locations that are distant from us-east-1 have slower upload speeds than videos that users upload from close to us-east-1. In many cases, the slow uploads cause users from the distant locations to cancel their uploads. Which solution will improve the upload speeds for the users from distant locations?
A. Enable S3 Transfer Acceleration on the S3 bucket. Change the mobile app to use the S3 Transfer Acceleration endpoint for uploads.
B. Create an S3 access point for the S3 bucket in several AWS Regions across the world. Change the mobile app to use the S3 access point endpoint for uploads.
C. Use S3 Select on the S3 bucket. Change the mobile app to use the S3 Select global endpoint for uploads.
D. Create new public Network Load Balancers (NLBs) in several AWS Regions across the world. Specify the S3 bucket as the target of the NLBs. Change the mobile app to use the closest NLB for uploads.
A SysOps administrator has an AWS CloudFormation template of the company's existing infrastructure in us-west-2. The administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives an error message, and then rolls back. Why would this template fail to deploy? (Choose two.)
A. The template referenced an IAM user that is not available in eu-west-1.
B. The template referenced an Amazon Machine Image (AMI) that is not available in eu-west-1.
C. The template did not have the proper level of permissions to deploy the resources.
D. The template requested services that do not exist in eu-west-1.
E. CloudFormation templates can be used only to update existing services.
An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application. What is the MOST scalable storage solution to fulfill this requirement?
A. Connect a large Amazon EBS volume to multiple instances and schedule snapshots.
B. Deploy Amazon EFS in the VPC and create mount targets in multiple subnets.
C. Launch an EC2 instance and share data using SMB/CIFS or NFS.
D. Deploy an AWS Storage Gateway cached volume on Amazon EC2.
A company is deploying an ecommerce application to an AWS Region that is located in France. The company wants users from only France to be able to access the first version of the application. The company plans to add more countries for the next version of the application. A SysOps administrator needs to configure the routing policy in Amazon Route 53. Which solution will meet these requirements?
A. Use a geoproximity routing policy. Select France as the location in the record.
B. Use a geolocation routing policy. Select France as the location in the record.
C. Use an IP-based routing policy. Select all IP addresses that are allocated to France in the record.
D. Use a geoproximity routing policy. Select all IP addresses that are allocated to France in the record.
A SysOps administrator is using IAM credentials to try to upload a file to a customer's Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The SysOps administrator is receiving an AccessDenied message. Which combination of configuration changes will correct this problem? (Choose two.)
A. Add this IAM policy to the SysOps administrator user:
B. Add this IAM policy to the customer S3 bucket:
C. Add this IAM policy to the SysOps administrator user:
D. Add this IAM policy to the customer account root user:
E. Add this IAM policy to the SysOps administrator account root user:
A company uses AWS Organizations to host several applications across multiple AWS accounts. Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts. A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed. The solution must be integrated with the company's existing on-premises Active Directory environment. The SysOps administrator already has enabled AWS IAM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection. What is the MOST operationally efficient solution that meets these requirements?
A. Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
B. Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
C. Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
D. Use the built-in SSO directory as the identity source for IAM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.
A company wants to apply an existing Amazon Route 53 private hosted zone to a new VPC to allow for customized resource name resolution within the VPC. The SysOps administrator created the VPC and added the appropriate resource record sets to the private hosted zone. Which step should the SysOps administrator take to complete the setup?
A. Associate the Route 53 private hosted zone with the VPC.
B. Create a rule in the default security group for the VPC that allows traffic to the Route 53 Resolver.
C. Ensure the VPC network ACLs allow traffic to the Route 53 Resolver.
D. Ensure there is a route to the Route 53 Resolver in each of the VPC route tables.
A company has an AWS Site-to-Site VPN connection between on-premises resources and resources that are hosted in a VPC. A SysOps administrator launches an Amazon EC2 instance that has only a private IP address into a private subnet in the VPC. The EC2 instance runs Microsoft Windows Server. A security group for the EC2 instance has rules that allow inbound traffic from the on-premises network over the VPN connection. The on-premises environment contains a third-party network firewall. Rules in the third-party network firewall allow Remote Desktop Protocol (RDP) traffic to flow between the on-premises users over the VPN connection. The on-premises users are unable to connect to the EC2 instance and receive a timeout error. What should the SysOps administrator do to troubleshoot this issue?
A. Create Amazon CloudWatch logs for the EC2 instance to check for blocked traffic.
B. Create Amazon CloudWatch logs for the Site-to-Site VPN connection to check for blocked traffic.
C. Create VPC flow logs for the EC2 instance’s elastic network interface to check for rejected traffic.
D. Instruct users to use EC2 Instance Connect as a connection method.
A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443. The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet. Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Choose three.)
A. Ensure that the inbound rules of the instance’s security group allow traffic on ports 80 and 443.
B. Ensure that the outbound rules of the instance’s security group allow traffic on ports 80 and 443.
C. Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance’s subnet.
D. Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance’s subnet.
E. Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.
F. Ensure that AWS WAF is turned on for the instance and is blocking web traffic.
A SysOps administrator needs to monitor a process that runs on Linux Amazon EC2 instances. If the process stops, the process must restart automatically. The Amazon CloudWatch agent is already installed on all the EC2 instances. Which solution will meet these requirements?
A. Add a procstat monitoring configuration to the CloudWatch agent for the process. Create an Amazon EventBridge event rule that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
B. Add a StatsD monitoring configuration to the CloudWatch agent for the process. Create a CloudWatch alarm that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
C. Add a StatsD monitoring configuration to the CloudWatch agent for the process. Create an Amazon EventBridge event rule that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
D. Add a procstat monitoring configuration to the CloudWatch agent for the process. Create a CloudWatch alarm that initiates an AWS Systems Manager Automation runbook to restart the process after the process stops.
A company has an application that uses an Amazon RDS for MariaDB Multi-AZ database. The application becomes unavailable for several minutes every time the database experiences a failover during a planned maintenance event. What should a SysOps administrator do to reduce the downtime of the application during failover?
A. Create an RDS for MariaDB DB cluster that has multiple writer instances. Configure the application to retry failed queries on another primary node during maintenance events.
B. Configure the RDS maintenance window settings to pool connections while a failover is in process.
C. Configure an Amazon ElastiCache write-through cache for the database. Configure the application to connect to the cache instead of directly to the database.
D. Create an RDS proxy that is associated with the database. Configure the application to connect to the proxy instead of directly to the database.
A SysOps administrator has noticed millions of LIST requests on an Amazon S3 bucket. Which services or features can the administrator use to investigate where the requests are coming from? (Choose two.)
A. AWS CloudTrail data events
B. Amazon EventBridge
C. AWS Health Dashboard
D. Amazon S3 server access logging
E. AWS Trusted Advisor
A SysOps administrator configures VPC flow logs to publish to Amazon CloudWatch Logs. The SysOps administrator reviews the logs in CloudWatch Logs and notices less traffic than expected. After the SysOps administrator compares the VPC flow logs to logs that were captured on premises, the SysOps administrator believes that the VPC flow logs are incomplete. Which of the following is a possible reason for the difference in traffic?
A. CloudWatch Logs throttling has been applied.
B. The CloudWatch IAM role does not have a trust relationship with the VPC flow logs service.
C. The VPC flow log is still in the process of being created.
D. VPC flow logs cannot capture traffic from on-premises servers to a VPC.
A company manages its production applications across several AWS accounts. The company hosts the production applications on Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are spread across multiple VPCs. Each VPC uses its own Amazon Route 53 private hosted zone for private DNS. A VPC from Account A needs to resolve private DNS records from a private hosted zone that is associated with a different VPC in Account B. What should a SysOps administrator do to meet these requirements?
A. In Account A, create an AWS Systems Manager document that updates the /etc/resolv.conf file across all EC2 instances to point to the AWS provided default DNS resolver for the VPC in Account
B. In Account A, create an AWS CloudFormation template that associates the private hosted zone from Account B with the private hosted zone in Account
C. In Account A, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account B to associate the VPC from Account A with the private hosted zone in Account
D. In Account B, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account A to associate the VPC from Account B with the private hosted zone in Account
A company's SysOps administrator uses AWS IAM Identity Center (AWS Single Sign-On) to connect to an Active Directory. The SysOps administrator creates a new account that all the company's users need to access. The SysOps administrator uses the Active Directory Domain Users group for permissions to the new account because all users are already members of the group. When users try to log in, their access is denied. Which action will resolve this access issue?
A. Create a new group. Add users to the new group to provide access.
B. Correct the time on the Active Directory domain controllers.
C. Remove the account. Re-add the account to the organization that is integrated with IAM Identity Center.
D. Correct the permissions on the Active Directory group so that IAM Identity Center has read access.
A company has attached the following policy to an IAM user: Which of the following actions are allowed for the IAM user?
A. Amazon RDS DescribeDBInstances action in the us-east-1 Region
B. Amazon S3 PutObject operation in a bucket named testbucket
C. Amazon EC2 DescribeInstances action in the us-east-1 Region
D. Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region
A SysOps administrator has an Amazon S3 website and wants to restrict access to a single Amazon CloudFront distribution. Visitors to the website should not be able to circumvent CloudFront or view the S3 website directly from the bucket. Which AWS service or feature will meet these requirements?
A. S3 bucket ACL
B. AWS Firewall Manager
C. Amazon Route 53 private hosted zone
D. Origin access identity (OAI)
A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A SysOps administrator must ensure that an on-premises server can query records in the example.com domain. What should the SysOps administrator do to meet these requirements?
A. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
B. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
C. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
D. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
A SysOps administrator is responsible for the security of a company's AWS account. The company has a policy that a user may stop or terminate Amazon EC2 instances only when the user is authenticated by using a multi-factor authentication (MFA) device. Which policy should the SysOps administrator apply to meet this requirement?
Users are reporting consistent forced logouts from a stateful web application. The logouts occur before the expiration of a 15-minute application logout timer. The web application is hosted on Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Session affinity (sticky sessions) is already enabled on the ALB target group and uses duration-based cookies. The web application generates its own application cookie. Which combination of actions should a SysOps administrator take to resolve the logout problem? (Choose two.)
A. Change to the least outstanding requests algorithm on the ALB target group.
B. Configure cookie forwarding in the CloudFront distribution’s cache behavior settings.
C. Configure the duration-based cookie to be named AWSALB.
D. Configure the ALB to use the expiration cookie header.
E. Change the ALB to use application-based cookies.
A company's social media application has strict data residency requirements. The company wants to use Amazon Route 53 to provide the application with DNS services. A SysOps administrator must implement a solution that routes requests to a defined list of AWS Regions. The routing must be based on the user's location. Which solution will meet these requirements?
A. Configure a Route 53 latency routing policy.
B. Configure a Route 53 multivalue answer routing policy.
C. Configure a Route 53 geolocation routing policy.
D. Configure a Route 53 IP-based routing policy.
A company has a cluster of Linux Amazon EC2 Spot Instances that read many files from and write many files to attached Amazon Elastic Block Store (Amazon EBS) volumes. The EC2 instances are frequently started and stopped. As part of the process when an EC2 instance starts, an EBS volume is restored from a snapshot. EBS volumes that are restored from snapshots are experiencing initial performance that is lower than expected. The company's workload needs almost all the provisioned IOPS on the attached EBS volumes. The EC2 instances are unable to support the workload when the performance of the EBS volumes is too low. A SysOps administrator must implement a solution to ensure that the EBS volumes provide the expected performance when they are restored from snapshots. Which solution will meet these requirements?
A. Configure fast snapshot restore (FSR) on the snapshots that are used.
B. Restore each snapshot onto an unencrypted EBS volume. Encrypt the EBS volume when the performance stabilizes.
C. Format the EBS volumes as XFS file systems before restoring the snapshots.
D. Increase the Linux read-ahead buffer to 1 MiB.
A company recently deployed an application in production. The production environment currently runs on a single Amazon EC2 instance that hosts the application's web application and a MariaDB database. Company policy states that all IT production environments must be highly available. What should a SysOps administrator do to meet this requirement?
A. Migrate the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Run the application on EC2 instances that are in an Auto Scaling group that extends across multiple Availability Zones. Place the EC2 instances behind a load balancer.
B. Migrate the database from the EC2 instance to an Amazon RDS for MariaDB Multi-AZ DB instance. Use AWS Application Migration Service to convert the application into an AWS Lambda function. Specify the Multi-AZ option for the Lambda function.
C. Copy the database to a different EC2 instance in a different Availability Zone. Use AWS Backup to create Amazon Machine Images (AMIs) of the application EC2 instance and the database EC2 instance. Create an AWS Lambda function that performs health checks every minute. In case of failure, configure the Lambda function to launch a new EC2 instance from the AMIs that AWS Backup created.
D. Migrate the database to a different EC2 instance. Place the application EC2 instance in an Auto Scaling group that extends across multiple Availability Zones. Create an Amazon Machine Image (AMI) from the database EC2 instance. Use the AMI to launch a second database EC2 instance in a different Availability Zone. Put the second database EC2 instance in the stopped state. Use the second database EC2 instance as a standby.
A company is running workloads on premises and on AWS. A SysOps administrator needs to automate tasks across all servers on premises by using AWS services. The SysOps administrator must not install long-term credentials on the on-premises servers. What should the SysOps administrator do to meet these requirements?
A. Create an IAM role and instance profile that include AWS Systems Manager permissions. Attach the role to the on-premises servers.
B. Create a managed-instance activation in AWS Systems Manager. Install the Systems Manager Agent (SSM Agent) on the on-premises servers. Register the servers with the activation code and ID from the instance activation.
C. Create an AWS managed IAM policy that includes the appropriate AWS Systems Manager permissions. Download the IAM policy to the on-premises servers.
D. Create an IAM user and an access key. Log on to the on-premises servers and install the AWS CLI. Configure the access key in the AWS credentials file after the AWS CLI is successfully installed.
A company has deployed an application on AWS. The application runs on a fleet of Linux Amazon EC2 instances that are in an Auto Scaling group. The Auto Scaling group is configured to use launch templates. The launch templates launch Amazon Elastic Block Store (Amazon EBS) backed EC2 instances that use General Purpose SSD (gp3) EBS volumes for primary storage. A SysOps administrator needs to implement a solution to ensure that all the EC2 instances can share the same underlying files. The solution also must ensure that the data is consistent. Which solution will meet these requirements?
A. Create an Amazon Elastic File System (Amazon EFS) file system. Create a new launch template version that includes user data that mounts the EFS file system. Update the Auto Scaling group to use the new launch template version to cycle in newer EC2 instances and to terminate the older EC2 instances.
B. Enable Multi-Attach on the EBS volumes. Create a new launch template version that includes user data that mounts the EBS volume. Update the Auto Scaling group to use the new template version to cycle in newer EC2 instances and to terminate the older EC2 instances.
C. Create a cron job that synchronizes the data between the EBS volumes for all the EC2 instances in the Auto Scaling group. Create a lifecycle hook during instance launch to configure the cron job on all the EC2 instances. Rotate out the older EC2 instances.
D. Create a new launch template version that creates an Amazon Elastic File System (Amazon EFS) file system. Update the Auto Scaling group to use the new template version to cycle in newer EC2 instances and to terminate the older EC2 instances.