Amazon AWS Certified CloudOps Engineer - Associate (SOA-C03)

Get full access to the updated question bank and pass on your first attempt.

Vendor

Amazon

Certification

Associate Certifications

Content

262 Qs

Status

Verified

Updated

18 hours ago

Test the Practice Engine

Experience our real exam environment with free demo questions

Launch Free Demo
Best Value Bundle

Premium Bundle

Complete Success Suite

$108 $69

Save $39 Instantly

  • ✓ Full PDF + Interactive Engine: everything you need to pass
  • ✓ All Advanced Question Types: drag & drop, hotspots, case studies
  • ✓ Priority 24/7 Expert Support: direct line to certification leads
  • ✓ 90 Days Free Priority Updates: stay current as exams change

Success Metric

98.4% Pass Rate

Verified by 15k+ Students
Secure Checkout
Popular

Standard Simulation

Practice Engine

$59

One-Time Payment

  • Web-Based (Zero Install)
  • Real Testing Environment Virtual & Practice Modes
  • Interactive Engine Drag & Drop, Hotspots
  • 60 Days Free Updates

Compatible with All Devices

Chrome
Verified Secure Checkout

Basic Tier

PDF Study Guide

$49

Digital Access

  • ✓ Exam Questions (PDF)
  • ✓ Mobile Friendly
  • ✓ 60 Days Updates
Download Free Sample PDF

Verified 53-Question Preview (SOA-C03)

Secure Checkout

Exam Overview

The AWS Certified CloudOps Engineer - Associate certification validates your expertise in deploying, managing, and operating fault-tolerant, scalable, and highly available systems on the AWS platform. This crucial credential demonstrates your ability to implement best practices for operational excellence, including monitoring, logging, incident response, patching, and backup/restore strategies. Achieving this certification signifies proficiency in automating operational tasks, optimizing resource utilization, and maintaining security and compliance within AWS environments. It's a testament to your capability in keeping cloud infrastructure running smoothly and efficiently, making you an invaluable asset in any organization leveraging AWS for critical workloads. This certification is essential for professionals aiming to elevate their career in cloud operations and DevOps roles by proving hands-on operational management skills.

Questions

65

Passing Score

700/1000

Duration

130 Minutes

Difficulty

Intermediate

Level

Associate

Skills Measured

Monitoring, Logging, and Alerting
Incident Response and Problem Resolution
Patching, Updates, and Upgrades
Backup and Restore Operations
Automation and Optimization

Career Path

Target Roles

Cloud Operations Engineer DevOps Engineer Site Reliability Engineer (SRE)

Common Questions

Is the material up to date?

Yes. We update our question bank weekly to match the latest Amazon standards. You get free updates for 90 days.

What format do I get?

You get instant access to both the **PDF** (for reading) and our **Premium Test Engine** (for exam simulation).

Is there a guarantee?

Absolutely. If you fail the SOA-C03 exam using our materials, we offer a full money-back guarantee.

When do I get the download?

Instantly. The download link is available in your dashboard immediately after payment is confirmed.

Free Study Guide Samples

Previewing updated SOA-C03 bank (53 Questions).

QUESTION 1

A company uses an Amazon Simple Queue Service (Amazon SQS) queue and Amazon EC2 instances in an Auto Scaling group with target tracking to support a web application. The company also collects the ASGAverageNetworkIn metric for the Auto Scaling group. The company notices that EC2 instances are not being scaled in time to keep up with demand. The company investigates the issue and finds a large number of SQS messages in the queue during peak times.

A CloudOps engineer needs to reduce the number of messages in the SQS queue.

Which solution will meet this requirement?

A
Define and use a new custom Amazon CloudWatch metric based on the SQS Approximate Number of Messages Delayed metric in the target tracking policy.
B
Define and use Amazon CloudWatch metric math to calculate the SQS queue backlog for each instance in the target tracking policy.
C
Define and use step scaling by specifying a Change in Capacity value for the EC2 instances.
D
Define and use simple scaling by specifying a Change in Capacity value for the EC2 instances.

Correct Option: B

✅ Define and use Amazon CloudWatch metric math to calculate the SQS queue backlog for each instance in the target tracking policy.
Description: CloudWatch metric math lets a target tracking policy scale on a number that no single service emits, by combining existing metrics with an expression. The number that actually reflects demand on a queue-driven fleet is the backlog per instance: ApproximateNumberOfMessagesVisible (AWS/SQS namespace) divided by GroupInServiceInstances (AWS/AutoScaling namespace). The second metric is only published when group metrics collection is enabled on the Auto Scaling group.

Why this fits: Network traffic (the ASGAverageNetworkIn metric the group currently tracks) is a poor proxy for queue depth, which is why instances arrive too late. A target tracking policy whose metric is the expression m1 / m2 adds instances when each one has more than the target number of messages waiting and removes them when it has fewer, so capacity follows the queue directly. The distractors miss that: ApproximateNumberOfMessagesDelayed (choice A) counts messages deliberately held back by a delay, not the backlog; step and simple scaling (choices C and D) need hand-tuned alarm thresholds and are not target tracking at all.

Example: the queue holds 1,000 visible messages and the group has 10 InService instances, so the expression returns 100 messages per instance. With a target of 50, target tracking raises desired capacity toward 20 instances; with a target of 100 the group is already on target and nothing changes. When the group has zero InService instances the division has no value, so keep the group's minimum size at 1 or more, or pair the policy with a separate scale-out alarm.
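The policy configuration described above, as an added example (not from the page or from AWS): it builds the TargetTrackingConfiguration JSON with the m1 / m2 expression and reproduces the proportional adjustment target tracking applies to the result. The queue name, group name and capacities are constructed placeholders.

```python
"""Added example: target tracking on SQS backlog per instance via CloudWatch
metric math. Queue and group names are constructed placeholders."""
import json
import math

QUEUE_NAME = "orders-queue"   # assumed SQS queue name
ASG_NAME = "orders-workers"   # assumed Auto Scaling group name


def backlog_policy_config(queue_name: str, asg_name: str, target_backlog: float) -> dict:
    """TargetTrackingConfiguration that tracks
    ApproximateNumberOfMessagesVisible / GroupInServiceInstances.

    Only the expression (e1) returns data; m1 and m2 are inputs.
    GroupInServiceInstances is published only when group metrics collection
    is enabled on the Auto Scaling group (EnableMetricsCollection)."""
    return {
        "TargetValue": float(target_backlog),
        "CustomizedMetricSpecification": {
            "Metrics": [
                {
                    "Id": "m1",
                    "Label": "visible messages waiting in the queue",
                    "ReturnData": False,
                    "MetricStat": {
                        "Stat": "Sum",
                        "Metric": {
                            "Namespace": "AWS/SQS",
                            "MetricName": "ApproximateNumberOfMessagesVisible",
                            "Dimensions": [{"Name": "QueueName", "Value": queue_name}],
                        },
                    },
                },
                {
                    "Id": "m2",
                    "Label": "InService instances in the group",
                    "ReturnData": False,
                    "MetricStat": {
                        "Stat": "Average",
                        "Metric": {
                            "Namespace": "AWS/AutoScaling",
                            "MetricName": "GroupInServiceInstances",
                            "Dimensions": [{"Name": "AutoScalingGroupName", "Value": asg_name}],
                        },
                    },
                },
                {
                    "Id": "e1",
                    "Label": "backlog per instance",
                    "Expression": "m1 / m2",
                    "ReturnData": True,
                },
            ]
        },
    }


def desired_capacity(visible: int, in_service: int, target_backlog: float,
                     min_size: int, max_size: int):
    """Mirror what target tracking does with the e1 value: scale the current
    capacity in proportion to metric / target, rounded up, inside the group's
    bounds. Returns None when the group is empty, because m1 / m2 has no value
    then and the policy cannot scale out from zero on its own."""
    if in_service == 0:
        return None
    backlog_per_instance = visible / in_service
    desired = math.ceil(in_service * backlog_per_instance / target_backlog)
    return max(min_size, min(max_size, desired))


if __name__ == "__main__":
    cfg = backlog_policy_config(QUEUE_NAME, ASG_NAME, target_backlog=100)
    # Save this JSON and pass it to:
    #   aws autoscaling put-scaling-policy --policy-type TargetTrackingScaling \
    #     --auto-scaling-group-name orders-workers --policy-name sqs-backlog \
    #     --target-tracking-configuration file://cfg.json
    print(json.dumps(cfg, indent=2))
    print(desired_capacity(1000, 10, 100, 1, 50))  # 10: already on target
    print(desired_capacity(1000, 10, 50, 1, 50))   # 20: scale out
    print(desired_capacity(0, 10, 100, 1, 50))     # 1: scale in to MinSize
```

Because in_service cancels out, the capacity target tracking converges on is simply ceil(visible / target); the metric math only exists so the policy can observe that ratio.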

QUESTION 2

An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A CloudOps engineer must ensure that the application can read, write, and delete messages from the SQS queues.

Which solution will meet these requirements in the MOST secure manner?

A
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
B
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
C
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
D
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.

Correct Option: D

✅ Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Description: An IAM role attached to an EC2 instance (through an instance profile) gives applications on that instance temporary credentials that AWS rotates automatically and serves through the instance metadata service. The SDK picks them up without any configuration, so no access key or secret key has to be written to disk, to an environment variable, or into code.

Why this fits: Choices A and B both create a long-lived IAM user key and place it on the instance, in a config file or in the process environment. Anyone who reads that file, dumps the environment, or copies an AMI or snapshot walks away with a credential that works from anywhere until someone notices and rotates it. Role credentials expire on their own and are issued only to that instance. Choice C uses a role but grants sqs:* (purge, delete queue, change the queue policy, and so on), far more than the application needs; choice D grants exactly the three actions on exactly the queues involved, so a compromised instance can do no more than the application could. Two hardening details go with it: scope Resource to the queue ARNs rather than "*", and require IMDSv2 on the instance so an SSRF bug in the application cannot fetch the role credentials with a plain GET to the metadata endpoint.

Example: An instance hosting a microservice needs to receive messages from one SQS queue, process them, and delete them. An administrator creates a role trusted by ec2.amazonaws.com, attaches a policy allowing sqs:SendMessage, sqs:ReceiveMessage, and sqs:DeleteMessage on that queue's ARN, and launches the instance with the role. The service calls SQS through the SDK and never handles a key.
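The role setup from choice D, as an added example (not from the page or from AWS): the trust and permissions policies, a check that flags the sqs:* and Resource "*" patterns from the distractors, the IMDSv2 launch setting, and a receive/process/delete loop that relies on the role credentials the SDK resolves by itself. The account ID, queue ARN and URL are constructed, and FakeSQS stands in for the boto3 client so the loop runs offline.

```python
"""Added example: instance-role setup for the SQS consumer in Question 2.
Account ID, queue name and ARNs are constructed placeholders."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"                 # constructed
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/111122223333/orders"  # constructed


def ec2_trust_policy() -> dict:
    """Trust policy: the EC2 service assumes the role on the instance's behalf."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def sqs_consumer_policy(queue_arn: str) -> dict:
    """Permissions policy: exactly the three actions the application needs,
    on exactly one queue (choice D)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ConsumeOneQueue",
        "Effect": "Allow",
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": queue_arn}]}


def policy_findings(policy: dict) -> list:
    """Flag Allow statements with service-wide actions (sqs:*, choice C) or
    Resource '*'. Both widen the blast radius of a compromised instance."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        sid = st.get("Sid", "?")
        findings += [f"{sid}: wildcard action {a}" for a in actions if a.endswith("*")]
        findings += [f"{sid}: wildcard resource" for r in resources if r == "*"]
    return findings


def hardened_metadata_options() -> dict:
    """MetadataOptions for run_instances: the role's temporary credentials are
    served by IMDS, so require IMDSv2 (session token) and keep the hop limit at
    1 so an SSRF or a container on the host cannot fetch them with a plain GET."""
    return {"HttpTokens": "required", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}


def consume_once(sqs, queue_url: str, handler) -> int:
    """One receive/process/delete cycle. `sqs` is a boto3 SQS client (or a fake);
    no keys are passed anywhere, the SDK reads the role credentials from IMDS.
    A message is deleted only after the handler succeeds, so a crash mid-batch
    leaves it to reappear after the visibility timeout."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=20)
    done = 0
    for msg in resp.get("Messages", []):
        handler(msg["Body"])
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
        done += 1
    return done


class FakeSQS:
    """Constructed stand-in for the boto3 client so the flow runs offline."""
    def __init__(self, bodies):
        self.pending = [{"Body": b, "ReceiptHandle": f"rh-{i}"} for i, b in enumerate(bodies)]
        self.deleted = []

    def receive_message(self, **kw):
        return {"Messages": self.pending[:kw["MaxNumberOfMessages"]]}

    def delete_message(self, **kw):
        self.deleted.append(kw["ReceiptHandle"])
        self.pending = [m for m in self.pending if m["ReceiptHandle"] != kw["ReceiptHandle"]]


if __name__ == "__main__":
    print(json.dumps(sqs_consumer_policy(QUEUE_ARN), indent=2))
    broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}
    print(policy_findings(broad))   # flags both the action and the resource
    fake = FakeSQS(["order-1", "order-2"])
    print(consume_once(fake, QUEUE_URL, print), fake.deleted)
```

The long-poll WaitTimeSeconds=20 in consume_once is not a security setting, but it is what keeps a three-action policy from turning into thousands of empty ReceiveMessage calls per minute in CloudTrail and on the bill.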

QUESTION 3

A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet requirements.

The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators. The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts.

Which solution will meet these requirements?

A
Create AWS Config rules with remediation actions in each account to detect policy violations. Implement IAM permissions boundaries for the account root users.
B
Enable AWS Security Hub across the organization. Create custom security standards to enforce the security requirements. Use AWS CloudFormation StackSets to deploy the standards to all the accounts in the organization. Set up Security Hub automated remediation actions.
C
Use AWS Control Tower for account governance. Configure Region deny controls. Use service control policies (SCPs) to restrict root user access.
D
Configure AWS Firewall Manager with security policies to meet the security requirements. Use an AWS Config aggregator with organization-wide conformance packs to detect security policy violations.

Correct Option: C

✅ Use AWS Control Tower for account governance. Configure Region deny controls. Use service control policies (SCPs) to restrict root user access.
Description: AWS Control Tower sets up and governs a multi-account environment on top of AWS Organizations, IAM Identity Center, AWS Config and CloudTrail, and enrolls new accounts automatically. Its Region deny control is a preventive control implemented as a service control policy (SCP) that denies actions in Regions the organization has not approved. SCPs are Organizations policies that cap the permissions available to every principal in a member account, the root user included, and they are inherited by every account under the root or OU they are attached to, existing or future.

Why this fits: The requirements call for preventive, centrally managed controls that reach every current and future account, and SCPs are the only mechanism among the choices that does that.

  1. AWS Control Tower for account governance: Control Tower provisions and enrolls accounts with controls applied from day one, so the "future accounts" requirement is met without per-account work.
  2. Configure Region deny controls: the Region deny control blocks resource creation in unapproved Regions (here ap-southeast-2) for every principal in the account, including root.
  3. Use SCPs to restrict root user access: IAM policies and permissions boundaries (choice A) cannot touch the root user, and Config, Security Hub and Firewall Manager (choices A, B, D) only detect or remediate after the fact. An SCP Deny with a condition on aws:PrincipalArn matching arn:aws:iam::*:root stops root actions before they happen, and a second SCP Deny on cloudtrail:DeleteTrail, cloudtrail:StopLogging and cloudtrail:UpdateTrail protects the logs from administrators as well. Two limits to remember: SCPs do not apply to the management account, and they never grant permissions, they only take them away.

    Example: An organization runs Control Tower with ap-southeast-2 left out of its governed Regions, so the Region deny control (an SCP with a StringNotEquals condition on aws:RequestedRegion) rejects ec2:RunInstances there. An SCP on the organization root denies all actions when aws:PrincipalArn is the account root, and another denies cloudtrail:DeleteTrail and cloudtrail:StopLogging for every principal, so even an administrator's attempt to stop the organization trail is refused.

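The three SCPs just described, as an added example (not from the page, AWS, or Control Tower), together with a small evaluator that checks a request against them offline. The evaluator models only what these statements use (Deny, Action/NotAction, StringEquals/StringNotEquals/StringLike on two context keys); real evaluation also intersects with IAM policies, permissions boundaries and OU inheritance. The account ID and role name are constructed.

```python
"""Added example: SCPs for Question 3 plus a minimal offline evaluator.
Account ID and role ARN are constructed placeholders."""
from fnmatch import fnmatchcase

BLOCKED_REGION = "ap-southeast-2"

GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {   # requirement 1: no EC2 launches in the blocked Region
            "Sid": "DenyEc2InBlockedRegion",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": BLOCKED_REGION}},
        },
        {   # requirement 2: the root user can do nothing in member accounts
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
        {   # requirement 3: nobody, administrators included, can remove or stop CloudTrail logging
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(patterns, action: str) -> bool:
    # IAM action names match case-insensitively, with * and ? wildcards
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif op == "StringNotEquals":
                ok = actual not in _as_list(expected)
            elif op == "StringLike":
                ok = actual is not None and any(fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True


def scp_denies(scp: dict, action: str, ctx: dict):
    """Return the Sid of the first Deny statement that matches, else None.
    ctx carries the request context keys (aws:RequestedRegion, aws:PrincipalArn).
    None means 'not denied by this SCP'; IAM still has to allow the call."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st and not _action_matches(st["Action"], action):
            continue
        if "NotAction" in st and _action_matches(st["NotAction"], action):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        return st["Sid"]
    return None


if __name__ == "__main__":
    admin = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Admin",
             "aws:RequestedRegion": "ap-southeast-2"}
    root = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root",
            "aws:RequestedRegion": "us-east-1"}
    print(scp_denies(GUARDRAILS, "ec2:RunInstances", admin))        # DenyEc2InBlockedRegion
    print(scp_denies(GUARDRAILS, "ec2:RunInstances",
                     dict(admin, **{"aws:RequestedRegion": "us-east-1"})))  # None
    print(scp_denies(GUARDRAILS, "s3:ListAllMyBuckets", root))       # DenyRootUser
    print(scp_denies(GUARDRAILS, "cloudtrail:StopLogging", admin))   # ProtectCloudTrail
```

Attach GUARDRAILS to the organization root (aws organizations attach-policy) and it reaches every member account now and later; test it first on a sandbox OU, because a Deny on "*" for root also blocks the handful of root-only account tasks.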
QUESTION 4

A company runs an application on Amazon EC2 instances. The application stores and retrieves data from an Amazon Aurora PostgreSQL database. A developer accidentally drops a table from the database, which causes application errors. Two hours later, a CloudOps engineer needs to recover the data and make the application function again. Which solution will meet this requirement?

A
Use the Aurora Backtrack feature to rewind the database to a specified time, 2 hours in the past.
B
Perform a point-in-time recovery on the existing database to restore the database to a specified point in time, 2 hours in the past.
C
Perform a point-in-time recovery and create a new database to restore the database to a specified point in time, 2 hours in the past. Reconfigure the application to use a new database endpoint.
D
Create a new Aurora cluster. Choose the Restore data from S3 bucket option. Choose log files up to the failure time 2 hours in the past.

Correct Option: C

✅ Perform a point-in-time recovery and create a new database to restore the database to a specified point in time, 2 hours in the past. Reconfigure the application to use a new database endpoint.
Description: Aurora backs up continuously and keeps transaction logs for the backup retention period, so a cluster can be restored to any second inside that window (point-in-time recovery, PITR). A PITR restore never touches the source: it creates a new cluster, and that cluster has its own endpoints. The restore also creates only the cluster; a writer instance has to be added before anything can connect.

Why this fits: Choice A fails because Backtrack is an Aurora MySQL feature and is not available for Aurora PostgreSQL. Choice B is impossible because there is no in-place restore. Choice D describes restoring from a MySQL backup in S3, which is also not offered for PostgreSQL. That leaves C: restore to a new cluster at a time just before the DROP TABLE, then point the application at the new cluster's writer endpoint. Pick the restore time precisely rather than a round "two hours ago", because every write after that point is absent from the restored cluster. If the rest of the database kept taking valid writes for those two hours, a less disruptive variant is to restore the side cluster, copy only the dropped table back into the original, and leave the application endpoint alone.

Example: The table was dropped at 10:00 and the problem was noticed at 12:00. The engineer restores a new cluster to 09:59, adds a writer instance, waits for it to become available, and updates the application's connection string to the new cluster endpoint. The original cluster is kept until the restored data has been verified.
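The recovery sequence from the example, as an added script (not from the page or from AWS) driven through a boto3-style RDS client: choose a restore time inside the restorable window, restore the cluster, add the writer instance the restore does not create, and return the new endpoint for the cut-over. Cluster names, subnet group, security group, instance class and timestamps are constructed; FakeRDS stands in for boto3 so the sequence runs offline.

```python
"""Added example: Aurora PITR runbook for Question 4 against an injected RDS
client. Names, times and the instance class are constructed placeholders."""
from datetime import datetime, timedelta, timezone


def choose_restore_time(drop_time: datetime, earliest: datetime, latest: datetime) -> datetime:
    """Restore to just before the destructive statement, not to a round
    'two hours ago': every write after the restore point is missing from the
    new cluster. The time must fall inside the cluster's restorable window
    (EarliestRestorableTime .. LatestRestorableTime from describe_db_clusters)."""
    target = drop_time - timedelta(minutes=1)
    if not earliest <= target <= latest:
        raise ValueError(f"{target.isoformat()} is outside the restorable window")
    return target


def recover_dropped_table(rds, source_cluster: str, new_cluster: str, restore_time: datetime,
                          subnet_group: str, security_group_ids: list,
                          instance_class: str = "db.r6g.large") -> str:
    """PITR always creates a new cluster; the restore call creates the cluster
    only, so a writer instance is added before anything can connect.
    Returns the new cluster's writer endpoint for the application cut-over."""
    rds.restore_db_cluster_to_point_in_time(
        SourceDBClusterIdentifier=source_cluster,
        DBClusterIdentifier=new_cluster,
        RestoreToTime=restore_time,
        RestoreType="full-copy",           # independent copy; 'copy-on-write' would be a clone
        DBSubnetGroupName=subnet_group,    # network settings are not inherited, set them explicitly
        VpcSecurityGroupIds=security_group_ids,
    )
    writer = f"{new_cluster}-writer"
    rds.create_db_instance(
        DBInstanceIdentifier=writer,
        DBClusterIdentifier=new_cluster,
        Engine="aurora-postgresql",
        DBInstanceClass=instance_class,
    )
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=writer)
    cluster = rds.describe_db_clusters(DBClusterIdentifier=new_cluster)["DBClusters"][0]
    return cluster["Endpoint"]


class FakeRDS:
    """Constructed stand-in that records calls instead of provisioning anything."""
    def __init__(self):
        self.calls = []

    def restore_db_cluster_to_point_in_time(self, **kw):
        self.calls.append(("restore", kw))

    def create_db_instance(self, **kw):
        self.calls.append(("create_instance", kw))

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def describe_db_clusters(self, **kw):
        cid = kw["DBClusterIdentifier"]
        return {"DBClusters": [{"Endpoint": f"{cid}.cluster-abc123.us-east-1.rds.amazonaws.com"}]}


def demo() -> dict:
    """Run the runbook against the fake client with constructed timestamps."""
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
    restore_at = choose_restore_time(drop_time=now - timedelta(hours=2),
                                     earliest=now - timedelta(days=7),
                                     latest=now - timedelta(minutes=5))
    fake = FakeRDS()
    endpoint = recover_dropped_table(fake, "app-db", "app-db-pitr", restore_at,
                                     "app-subnets", ["sg-0123456789abcdef0"])
    return {"restore_at": restore_at.isoformat(), "endpoint": endpoint,
            "calls": [name for name, _ in fake.calls]}


if __name__ == "__main__":
    print(demo())
    # With boto3: recover_dropped_table(boto3.client("rds"), ...)
```

Replace FakeRDS with boto3.client("rds") for the real run; the parameter names are the ones RestoreDBClusterToPointInTime and CreateDBInstance accept. Keep the old cluster running until the new one is verified, because it still holds the two hours of writes that the restore point excludes.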

QUESTION 5

A company uses default settings to create an AWS Lambda function. The function needs to access an Amazon RDS database that is in a private subnet of a VPC. The function has the correct IAM permissions to access the database. The private subnet has appropriate routing configurations and is accessible from within the VPC. However, the Lambda function is unable to connect to the RDS instance.

What is the likely reason the Lambda function cannot connect to the RDS instance?

A
The company did not set the RDS instance as the destination for the Lambda function in the function configuration.
B
The Lambda function configuration did not deploy the function in the same VPC that contains the RDS instance.
C
The VPC where the Lambda function is deployed is not peered with the VPC where the RDS instance is deployed.
D
The security group for the Lambda function does not allow outbound access to the RDS instance.

Correct Option: B

✅ The Lambda function configuration did not deploy the function in the same VPC that contains the RDS instance.
Description: With default settings a Lambda function runs in a Lambda-managed network that has internet access but no route into any customer VPC. An RDS instance in a private subnet has only a private IP address, so a function outside the VPC cannot reach it no matter what IAM permissions it holds. To reach it the function must be configured with VpcConfig: the VPC's subnets (private ones, ideally two in different Availability Zones) and a security group.

Why this fits: The question rules out IAM, routing inside the VPC, and a second VPC (there is only one), which leaves the function's own placement. Lambda destinations (choice A) route the results of asynchronous invocations; they have nothing to do with database connectivity. Choice C presumes a second VPC the scenario never mentions. Choice D would only matter once the function is inside the VPC, and even then the usual mistake is the other direction: the RDS instance's security group must allow inbound traffic on the database port from the function's security group. Attaching the function to the VPC gives it elastic network interfaces in the chosen subnets, and from there security groups and network ACLs decide whether the packets flow. One side effect to plan for: a function inside a VPC loses its default internet access, so calls to other AWS APIs need VPC endpoints or a NAT gateway.

Example: A backend function must query an RDS instance in private subnets subnet-a and subnet-b of vpc-prod. Configured with no VPC, its connection attempts time out. Configured with VpcConfig pointing at vpc-prod, those two subnets and security group sg-lambda, and with the database's security group allowing inbound TCP on the database port (5432 for PostgreSQL) from sg-lambda, the connection succeeds over the private network.



QUESTION 6

A CloudOps engineer has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different CloudOps engineer. Which action will the CloudOps engineer of the second account be able to perform?

A
Add a product from the imported portfolio to a local portfolio.
B
Add new products to the imported portfolio.
C
Change the launch role for the products contained in the imported portfolio.
D
Customize the products in the imported portfolio.

Correct Option: A

✅ Add a product from the imported portfolio to a local portfolio.
Description: A portfolio shared from another account (directly or through AWS Organizations) appears in the recipient account as an imported portfolio, and imported portfolios are read-only: the recipient cannot add products to it, change the products it contains, or alter its constraints and launch roles, because those stay under the owner's control.

Why this fits: What the recipient administrator can do is add products from the imported portfolio to a local portfolio in their own account. Constraints (a launch constraint naming a local launch role, template constraints, tag updates) are then attached in that local portfolio, and end users are granted access to it. The product's template still comes from the sharing account; the local portfolio changes how the product is launched, not what it contains. Choices B, C and D all require write access to the imported portfolio, which the recipient does not have.

Example: A central team shares a "Standard Compute" portfolio containing an EC2 product. In the consuming account, the administrator adds that product to a local "My Custom Compute" portfolio, attaches a launch constraint naming a local IAM role, and grants the developer group access to the local portfolio. The shared portfolio and its product are unchanged.

QUESTION 7

A company performs advanced statistical analysis by using custom software. The custom software runs on a cluster of Amazon EC2 instances and is sensitive to network latency between the nodes. None of the instances are approaching their network throughput limitations.

Which solution will MINIMIZE the network latency?

A
Place all the EC2 instances into a cluster placement group.
B
Configure and assign two Elastic IP addresses for each EC2 instance.
C
Configure jumbo frames on all the EC2 instances in the cluster.
D
Place all the EC2 instances into a spread placement group in the same AWS Region.

Correct Option: A

✅ Place all the EC2 instances into a cluster placement group.
Description: A cluster placement group packs instances close together inside a single Availability Zone, on the same low-latency network segment.

Why this fits: It is the placement strategy built for tightly coupled node-to-node traffic: it gives the lowest inter-instance latency and the highest per-flow throughput EC2 offers, which is exactly what a latency-sensitive analytics cluster needs. A spread placement group (choice D) does the opposite, putting each instance on distinct hardware for fault isolation. Extra Elastic IPs (choice B) add nothing to internal traffic, and jumbo frames (choice C) raise throughput per packet, which the scenario says is not the bottleneck. Launch all members in one request where possible, since the group needs contiguous capacity in one AZ, and use instance types that support enhanced networking.

Example: A tightly coupled HPC job, or a database cluster whose nodes replicate to each other constantly, runs in a cluster placement group so the inter-node round trips stay minimal.



QUESTION 8

A company uses an Amazon CloudFront distribution to serve a static website that the company hosts on an Amazon S3 bucket. The S3 bucket is the origin of the CloudFront distribution. The website has users all over the world.

The company updates some content for the website. After the update, users report that they are encountering the previous version of the content.

The company must ensure that website users receive only the most current content.

Which solution will meet this requirement?

A
Use Amazon S3 ACLs to make new content public.
B
Reupload the new content. Set up versioning on the origin S3 bucket
C
Upload new content to the same Availability Zone where the CloudFront distribution is located
D
Use CloudFront invalidation when new content is uploaded.

Correct Option: D

✅ Use CloudFront invalidation when new content is uploaded.
Description: An invalidation tells every CloudFront edge location to discard its cached copy of the listed paths before their TTL expires. The next request for such a path misses the cache, goes to the origin (here the S3 bucket), and the fresh object is cached from then on.

Why this fits: CloudFront keeps serving a cached object until its TTL runs out, and a TTL of a day is common for static sites, so an S3 upload alone leaves users on the old version. Invalidating the changed paths right after the upload is the direct fix. S3 ACLs (choice A) change who may read the object, not what the cache holds; bucket versioning (choice B) keeps old copies and does nothing to edge caches; and CloudFront has no Availability Zone to upload into (choice C). Two practical notes: invalidation clears edge caches, not browser caches, so set a sensible Cache-Control header on the objects as well; and only the first 1,000 invalidation paths per month are free, so sites that deploy often usually version their file names instead (app.7f3a2c.js) and invalidate only the HTML that references them.

Example: After replacing logo.png in the bucket, create an invalidation for /logo.png (or /* after a broad release) on the distribution. Requests arriving after the invalidation completes fetch the new logo from the origin and cache it again.



QUESTION 9

A company runs an application that logs user data to an Amazon CloudWatch Logs log group. The company discovers that personal information the application has logged is visible in plain text in the CloudWatch logs. The company needs a solution to redact personal information in the logs by default. Unredacted information must be available only to the company's security team.

Which solution will meet these requirements?

A
Create an Amazon S3 bucket. Create an export task from the appropriate log groups in CloudWatch. Export the logs to the S3 bucket. Configure an Amazon Macie scan to discover personal data in the S3 bucket. Invoke an AWS Lambda function to move identified personal data to a second S3 bucket. Update the S3 bucket policies to grant only the security team access to both buckets.
B
Create a customer managed AWS KMS key. Configure the KMS key policy to allow only the security team to perform decrypt operations. Associate the KMS key with the application log group.
C
Create an Amazon CloudWatch data protection policy for the application log group. Configure data identifiers for the types of personal information that the application logs. Ensure that the security team has permission to call the unmask API operation on the application log group.
D
Create an OpenSearch domain. Create an AWS Glue workflow that runs a Detect PII transform job and streams the output to the OpenSearch domain. Configure the CloudWatch log group to stream the logs to AWS Glue. Modify the OpenSearch domain access policy to allow only the security team to access the domain.

Correct Option: C

✅ Create an Amazon CloudWatch data protection policy for the application log group. Configure data identifiers for the types of personal information that the application logs. Ensure that the security team has permission to call the unmask API operation on the application log group.
Description: CloudWatch Logs data protection policies detect sensitive data in log events as they are ingested, using managed data identifiers (for example EmailAddress, PhoneNumber, AwsSecretKey) or custom ones, and mask the matches. A policy has two statements: an Audit operation that reports findings (to a log group, a Firehose stream or an S3 bucket) and a Deidentify operation that masks the data. The original text is retained, but the console and the read APIs (GetLogEvents, FilterLogEvents, Logs Insights) return the masked form unless the caller holds logs:Unmask on the log group and asks for unmasked output.

Why this fits:

  1. Discovery: the policy's data identifiers match the kinds of personal information the application writes; no export or external scan is needed.
  2. Protection by default: masking happens at ingestion, so everyone with ordinary read access to the log group sees asterisks where the PII was.
  3. Security team only: granting logs:Unmask on the application log group to the security team's role, and to nobody else, is what makes the unredacted data available to them alone.
  4. No extra pipeline: choices A and D export and reprocess the logs (and leave the originals in CloudWatch unredacted); choice B encrypts the whole log group, which hides everything from everyone without the key instead of redacting the PII fields.

  One caveat: events already in the log group before the policy is attached are not masked retroactively.

    Example: An e-commerce application logs sign-ups that include an email address and a phone number. A data protection policy with the EmailAddress and PhoneNumber identifiers is attached to its log group. The event "User registered: john.doe@example.com, phone: 555-123-4567" is returned with the address and the number replaced by asterisks to anyone who queries the group. During an incident, a security team member whose role has logs:Unmask reads the same event with unmask=true and sees the original values.

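The policy from choice C as JSON, as an added example (not from the page or from AWS): the two-statement data protection policy, a reviewer check that both operations are present, and the IAM statement that grants logs:Unmask to the security team's role only. The log group, account ID and ARN are constructed; the identifier names follow CloudWatch's managed data identifiers.

```python
"""Added example: CloudWatch Logs data protection policy for Question 9 and
the matching unmask permission. Log group and ARNs are constructed."""
import json

LOG_GROUP = "/app/orders"                                                       # constructed
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:/app/orders:*"   # constructed


def data_protection_policy(identifiers, audit_log_group=None) -> dict:
    """Two statements are required: Audit (findings about which identifiers
    fired and where) and Deidentify (mask the match at ingestion). Events
    written before the policy is attached are not masked retroactively."""
    arns = [f"arn:aws:dataprotection::aws:data-identifier/{name}" for name in identifiers]
    audit = {"FindingsDestination": {}}
    if audit_log_group:   # findings go to a different, existing log group
        audit["FindingsDestination"]["CloudWatchLogs"] = {"LogGroup": audit_log_group}
    return {
        "Name": "app-pii-policy",
        "Description": "mask PII in application logs; unmask only via logs:Unmask",
        "Version": "2021-06-01",
        "Statement": [
            {"Sid": "audit-policy", "DataIdentifier": arns, "Operation": {"Audit": audit}},
            {"Sid": "redact-policy", "DataIdentifier": arns,
             "Operation": {"Deidentify": {"MaskConfig": {}}}},
        ],
    }


def validate_policy(policy: dict) -> list:
    """Problems a reviewer would catch: missing Audit or Deidentify statement
    (a policy with only Audit reports PII but leaves it readable), or an
    identifier that is not a managed data-identifier ARN."""
    ops = [next(iter(s["Operation"])) for s in policy["Statement"]]
    problems = [f"missing {op} statement" for op in ("Audit", "Deidentify") if op not in ops]
    for s in policy["Statement"]:
        for arn in s["DataIdentifier"]:
            if not arn.startswith("arn:aws:dataprotection::aws:data-identifier/"):
                problems.append(f"unexpected identifier {arn}")
    return problems


def unmask_policy(log_group_arn: str) -> dict:
    """Identity policy for the security team role only: read plus logs:Unmask
    on this one log group. Roles without logs:Unmask keep seeing masked text."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "SecurityTeamUnmask",
        "Effect": "Allow",
        "Action": ["logs:GetLogEvents", "logs:FilterLogEvents", "logs:Unmask"],
        "Resource": log_group_arn}]}


if __name__ == "__main__":
    policy = data_protection_policy(["EmailAddress", "PhoneNumber"],
                                    audit_log_group="/security/pii-findings")
    assert validate_policy(policy) == []
    # Attach with:
    #   aws logs put-data-protection-policy --log-group-identifier /app/orders \
    #       --policy-document file://policy.json
    print(json.dumps(policy, indent=2))
    print(json.dumps(unmask_policy(LOG_GROUP_ARN), indent=2))
```

Attach unmask_policy only to the security team's role; for everyone else the absence of logs:Unmask is the control, and an SCP or permissions boundary that denies logs:Unmask outside that role makes it explicit.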
QUESTION 10

A CloudOps engineer has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow all outbound traffic.

Which solution will provide the EC2 instances in the private subnet with access to the internet?

A
Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.
B
Create a NAT gateway in the public subnet. Create a route from the public subnet to the NAT gateway.
C
Create a NAT gateway in the private subnet. Create a route from the public subnet to the NAT gateway.
D
Create a NAT gateway in the private subnet. Create a route from the private subnet to the NAT gateway.

Correct Option: A

✅ Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.
Description: A NAT gateway lets instances in a private subnet open outbound connections to the internet (and to AWS services that have no VPC endpoint) while refusing unsolicited inbound connections from the internet. It translates the instances' private source addresses to its own Elastic IP.

Why this fits: A NAT gateway reaches the internet only through an internet gateway, so it must sit in a subnet whose route table sends 0.0.0.0/0 to the IGW, which is what makes that subnet public. The private subnet's route table then needs its own 0.0.0.0/0 route pointing at the NAT gateway. Choices C and D put the gateway in the private subnet, which has no path to the IGW; choice B changes the public subnet's routing, which is not where the traffic originates. For resilience, place one NAT gateway per Availability Zone and route each private subnet to the gateway in its own AZ.

Example: Backend instances in a private subnet need to pull OS updates and call an external API. With a NAT gateway (and its Elastic IP) in the public subnet and the private route table's 0.0.0.0/0 target set to that gateway, the instances reach the internet, and nothing on the internet can initiate a connection to them.



QUESTION 11

A company runs applications on Amazon EC2 instances. The company wants to ensure that the SSH ports on the EC2 instances are never open. The company already has enabled AWS Config and has set up the restricted-ssh AWS managed rule.

A CloudOps engineer must implement a solution to remediate SSH port access for noncompliant security groups of the EC2 instances.

Which solution will meet this requirement with the MOST operational efficiency?

A
Configure the AWS Config rule to identify noncompliant security groups. Configure the rule to use the AWS-PublishSNSNotification AWS Systems Manager Automation runbook to send notifications about noncompliant resources.
B
Configure the AWS Config rule to identify noncompliant security groups. Configure the rule to use the AWS-DisableIncomingSSHOnPort22 AWS Systems Manager Automation runbook to remediate noncompliant resources.
C
Make an AWS Config API call to search for noncompliant security groups. Disable SSH access for noncompliant security groups by using a Deny rule.
D
Configure the AWS Config rule to identify noncompliant security groups. Manually update each noncompliant security group to remove the Allow rule.

Premium Solution Locked

Unlock all 262 answers & explanations

QUESTION 12

Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB. Other applications from an on-premises environment cannot communicate with Application A on port 8080.

To troubleshoot the issue, a CloudOps engineer analyzes the flow logs. The flow logs include the following records:

What is the reason for the rejected traffic?

A
The security group of the EC2 instances has no Allow rule for the traffic from the NLB
B
The security group of the NLB has no Allow rule for the traffic from the on-premises environment
C
The ACL of the on-premises environment does not allow traffic to the AWS environment
D
The network ACL that is associated with the subnet does not allow outbound traffic for the ephemeral port range.

QUESTION 13

A company is migrating a legacy application to AWS. The company manually installs and configures the legacy application on Amazon EC2 instances across multiple Availability Zones. The company sets up an Application Load Balancer (ALB) for the application. The company sets the target group routing algorithm to weighted random. The application requires session affinity. After the company deploys the application, users report random application errors that were not present in the legacy version of the application. The target group health checks do not show any failures. The company must resolve the application errors.

Which solution will meet this requirement?

A
Set the routing algorithm of the target group to least outstanding requests.
B
Turn on anomaly mitigation for the target group
C
Turn off the cross-zone load balancing attribute of the target group
D
Increase the deregistration delay attribute of the target group.

QUESTION 14

A company runs an application on an Amazon EC2 instance. The application uses a MySQL database. The EC2 instance has a General Purpose SSD Amazon Elastic Block Store (Amazon EBS) volume attached. The company recently made changes to the application code. The company wants to perform load testing to evaluate the effect of the code changes. A CloudOps engineer must create a new MySQL database from an EBS snapshot of the existing EC2 instance. The new database needs to perform as similarly as possible to the production database.

Which solution will meet these requirements in the LEAST amount of time?

A
Use Amazon EBS fast snapshot restore (FSR) to create a new General Purpose SSD EBS volume from the production snapshot.
B
Use Amazon EBS fast snapshot restore (FSR) to create a new Provisioned IOPS SSD EBS volume from the production snapshot.
C
Use Amazon EBS standard snapshot restore to create a new General Purpose SSD EBS volume from the production snapshot.
D
Use Amazon EBS standard snapshot restore to create a new Provisioned IOPS SSD EBS volume from the production snapshot.

QUESTION 15

A company needs to enforce tagging requirements for Amazon DynamoDB tables in its AWS accounts. A CloudOps engineer must implement a solution to identify and remediate all DynamoDB tables that do not have the appropriate tags.

Which solution will meet these requirements with the LEAST operational overhead?

A
Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.
B
Create a custom AWS Lambda function to evaluate and remediate all DynamoDB tables. Create an AWS Config custom rule to invoke the Lambda function.
C
Use the required-tags AWS Config managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure an automatic remediation action that uses an AWS Systems Manager Automation custom runbook.
D
Create an Amazon EventBridge managed rule to evaluate all DynamoDB tables for the appropriate tags. Configure the EventBridge rule to run an AWS Systems Manager Automation custom runbook for remediation.

QUESTION 16

A company uses Amazon ElastiCache (Redis OSS) to cache application data. A CloudOps engineer must implement a solution to increase the resilience of the cache. The solution also must minimize the recovery time objective (RTO).

Which solution will meet these requirements?

A
Replace ElastiCache (Redis OSS) with ElastiCache (Memcached).
B
Create an Amazon EventBridge rule to initiate a backup every hour. Restore the backup when necessary.
C
Create a read replica in a second Availability Zone. Enable Multi-AZ for the ElastiCache (Redis OSS) replication group.
D
Enable automatic backups. Restore the backups when necessary.

QUESTION 17

A finance company stores confidential data in an Amazon S3 bucket. The company uses Amazon QuickSight to analyze the data and create dashboard reports. The company requires that all data access and connections to QuickSight remain within the company's VPC network boundary.

Which solution will meet these requirements?

A
Create an interface VPC endpoint for QuickSight. Configure the endpoint to connect to QuickSight within the VPC by using AWS PrivateLink. Create a manifest file that points to the S3 data. Grant QuickSight permission to access the S3 bucket.
B
Set up a VPC endpoint for QuickSight. Use an Amazon EC2 instance as a proxy to establish a direct connection between the VPC and QuickSight. Create a manifest file that points to the S3 data. Store the manifest on the EC2 instance. Grant QuickSight permission to access the EC2 instance.
C
Configure an Amazon S3 VPC gateway endpoint. Route all data from QuickSight through the endpoint to transfer data. Grant QuickSight permission to access the S3 bucket.
D
Configure a NAT gateway in the company's VPC. Route all data from QuickSight through the NAT gateway to transfer data. Grant QuickSight permission to access the S3 bucket.

QUESTION 18

A company has created an AWS CloudFormation template that consists of an Amazon EC2 instance resource and a custom CloudFormation resource. The custom CloudFormation resource is an AWS Lambda function that attempts to run automation on the Amazon EC2 instance.

During testing, the Lambda function fails because the Lambda function tries to run before the EC2 instance is launched.

Which solution will resolve this issue?

A
Add a DependsOn attribute to the custom resource. Specify the EC2 instance in the DependsOn attribute.
B
Update the custom resource's service token to point to a valid Lambda function.
C
Update the Lambda function to use the cfn-response module to send a response to the custom resource.
D
Use the Fn::If intrinsic function to check for the EC2 instance before the custom resource runs.

QUESTION 19

A company requires the rotation of administrative credentials for production workloads on a regular basis. A CloudOps engineer must implement this policy for an Amazon RDS DB instance's master user password.

Which solution will meet this requirement with the LEAST operational effort?

A
Create an AWS Lambda function to change the RDS master user password. Create an Amazon EventBridge scheduled rule to invoke the Lambda function.
B
Create a new SecureString parameter in AWS Systems Manager Parameter Store. Encrypt the parameter with an AWS Key Management Service (AWS KMS) key. Configure automatic rotation.
C
Create a new String parameter in AWS Systems Manager Parameter Store. Configure automatic rotation.
D
Create a new RDS database secret in AWS Secrets Manager. Apply the secret to the RDS DB instance. Configure automatic rotation.

QUESTION 20

A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.

What should a CloudOps engineer do to meet this requirement?

A
Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
B
Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
C
Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
D
Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.

QUESTION 21

A company uses memory-optimized Amazon EC2 instances behind a Network Load Balancer (NLB) to run an application. The company launched the EC2 instances from an AWS-provided Red Hat Enterprise Linux (RHEL) Amazon Machine Image (AMI).

A CloudOps engineer must monitor RAM utilization in 5-minute intervals. The CloudOps engineer must ensure that the EC2 instances scale in and out appropriately based on incoming load.

Which solution will meet these requirements?

A
Configure detailed monitoring for the EC2 instances. Configure the Amazon CloudWatch agent on the EC2 instances. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_active metric.
B
Configure detailed monitoring for the EC2 instances. Use the mem_used_percent metric that the detailed monitoring feature provides. Create an IAM role that allows the CloudWatch agent to upload data. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_used_percent metric.
C
Configure basic monitoring for the EC2 instances. Configure the Amazon CloudWatch agent on the EC2 instances. Create an IAM role that allows the CloudWatch agent to upload data. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_used_percent metric.
D
Configure basic monitoring for the EC2 instances. Use the standard mem_used_percent metric for monitoring. Create an EC2 Auto Scaling group and Auto Scaling policy that is based on the mem_used_percent metric.

QUESTION 22

A company must use AWS Systems Manager Session Manager to manage a fleet of Amazon EC2 instances that run in the eu-west-1 Region.

The company wants to use Session Manager to configure private connectivity that uses VPC endpoints.

Which VPC endpoints are required to meet these requirements? (Select THREE.)

A
com.amazonaws.eu-west-1.ssm
B
com.amazonaws.eu-west-1.ec2messages
C
com.amazonaws.eu-west-1.ec2
D
com.amazonaws.eu-west-1.ssmmessages
E
com.amazonaws.eu-west-1.s3
F
com.amazonaws.eu-west-1.states

QUESTION 23

A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A CloudOps engineer must ensure that an on-premises server can query records in the example.com domain.

What should the CloudOps engineer do to meet these requirements?

A
Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
B
Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
C
Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
D
Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.

QUESTION 24

A company runs an application on a fleet of Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. The instances run in an Auto Scaling group. The application's performance remains consistent throughout most of each day. However, an increase in user traffic slows the performance during the same 2-hour period each day. A CloudOps engineer needs to resolve the application performance issue.

Which solution will meet this requirement with the LEAST operational effort?

A
Adjust the minimum capacity of the Auto Scaling group to the size required to meet the increased demand during the 2-hour period.
B
Adjust the launch template that is associated with the Auto Scaling group to be more sensitive to increases in user traffic.
C
Create a scheduled scaling action to scale out the number of EC2 instances shortly before the increase in user traffic occurs.
D
Manually add a few more EC2 instances to the Auto Scaling group to support the increase in user traffic. Enable instance scale-in protection on the Auto Scaling group.

QUESTION 25

A company has a workload that is sending log data to Amazon CloudWatch Logs. One of the fields includes a measure of application latency. A CloudOps engineer needs to monitor the p90 statistic of this field over time.

What should the CloudOps engineer do to meet this requirement?

A
Create an Amazon CloudWatch Contributor Insights rule on the log data.
B
Create a metric filter on the log data.
C
Create a subscription filter on the log data.
D
Create an Amazon CloudWatch Application Insights rule for the workload.

QUESTION 26

A company's architecture team must receive immediate email notification whenever new Amazon EC2 instances are launched in the company's main AWS production account.

What should a CloudOps engineer do to meet this requirement?

A
Create a user data script that sends an email message through a smart host connector. Include the architecture team's email address in the user data script as the recipient. Ensure that all new EC2 instances include the user data script as part of a standardized build process.
B
Create an Amazon Simple Notification Service (Amazon SNS) topic and a subscription that uses the email protocol. Enter the architecture team's email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched. Specify the SNS topic as the rule's target.
C
Create an Amazon Simple Queue Service (Amazon SQS) queue and a subscription that uses the email protocol. Enter the architecture team's email address as the subscriber. Create an Amazon EventBridge rule that reacts when EC2 instances are launched. Specify the SQS queue as the rule's target.
D
Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure AWS Systems Manager to publish EC2 events to the SNS topic. Create an AWS Lambda function to poll the SNS topic. Configure the Lambda function to send any messages to the architecture team's email address.

QUESTION 27

A company deploys an application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The company wants to protect the application against SQL injection attacks.

Which solution will meet this requirement?

A
Deploy AWS Shield Advanced in front of the ALB. Enable SQL injection filtering.
B
Deploy AWS Shield Standard in front of the ALB. Enable SQL injection filtering.
C
Deploy a vulnerability scanner on each EC2 instance. Continuously scan the application code.
D
Deploy AWS WAF in front of the ALB. Subscribe to an AWS managed rule for SQL injection filtering.

QUESTION 28

A company's AWS accounts are in an organization in AWS Organizations. The organization has all features enabled. The accounts use Amazon EC2 instances to host applications. The company manages the EC2 instances manually by using the AWS Management Console. The company applies updates to the EC2 instances by using an SSH connection to each EC2 instance.

The company needs a solution that uses AWS Systems Manager to manage all the organization's current and future EC2 instances. The latest version of AWS Systems Manager Agent (SSM Agent) is running on the EC2 instances.

Which solution will meet these requirements?

A
Configure a home AWS Region in Systems Manager Quick Setup in the organization's management account. Deploy the Systems Manager Default Host Management Configuration Quick Setup from the management account.
B
Configure a home AWS Region in Systems Manager Quick Setup in the organization's management account. Create a Systems Manager Run Command command that attaches the AmazonSSMServiceRolePolicy IAM policy to every IAM role that the EC2 instances use. Invoke the command in every account in the organization.
C
Create an AWS CloudFormation stack set that contains a Systems Manager parameter to define the Default Host Management Configuration role. Use the organization's management account to deploy the stack set to every account in the organization.
D
Create an AWS CloudFormation stack set that contains an EC2 instance profile with the AmazonSSMManagedEC2InstanceDefaultPolicy IAM policy attached. Use the organization's management account to deploy the stack set to every account in the organization.

QUESTION 29

A company runs a website on Amazon EC2 instances. Users can upload images to an Amazon S3 bucket and publish the images to the website. The company wants to deploy a serverless image-processing application that uses an AWS Lambda function to resize the uploaded images.

The company's development team has created the Lambda function. A CloudOps engineer must implement a solution to invoke the Lambda function when users upload new images to the S3 bucket.

Which solution will meet this requirement?

A
Configure an Amazon Simple Notification Service (Amazon SNS) topic to invoke the Lambda function when a user uploads a new image to the S3 bucket.
B
Configure an Amazon CloudWatch alarm to invoke the Lambda function when a user uploads a new image to the S3 bucket.
C
Configure S3 Event Notifications to invoke the Lambda function when a user uploads a new image to the S3 bucket.
D
Configure an Amazon Simple Queue Service (Amazon SQS) queue to invoke the Lambda function when a user uploads a new image to the S3 bucket.

QUESTION 30

A CloudOps engineer is configuring an Amazon CloudFront distribution to use an SSL/TLS certificate. The CloudOps engineer must ensure automatic certificate renewal.

Which combination of steps will meet this requirement? (Select TWO.)

A
Use a certificate issued by AWS Certificate Manager (ACM).
B
Use a certificate issued by a third-party certificate authority (CA).
C
Configure CloudFront to automatically renew the certificate when the certificate expires.
D
Configure email validation for the certificate.
E
Configure DNS validation for the certificate.

QUESTION 31

A company uses an organization in AWS Organizations to manage multiple AWS accounts. A CloudOps engineer must identify all IPv4 ports that are open to 0.0.0.0/0 across all accounts in the organization.

Which solution will meet this requirement with the LEAST operational effort?

A
Use the AWS CLI to print all security group rules for review.
B
Review AWS Trusted Advisor findings in an organizational view for the Security Groups - Specific Ports Unrestricted check.
C
Create an AWS Lambda function to gather security group rules from all accounts. Aggregate the findings in an Amazon S3 bucket.
D
Enable Amazon Inspector in each account. Run an automated workload discovery job.

QUESTION 32

A company has an application that runs on Amazon EC2 instances. The application stores data on an Amazon RDS for MySQL Single-AZ DB instance. Requests to the DB instance from the application include reads and writes.

A CloudOps engineer must implement a solution that provides failover for the DB instance. The solution must minimize application downtime.

Which solution will meet these requirements?

A
Modify the DB instance to be a Multi-AZ DB instance deployment.
B
Add a read replica in the same Availability Zone where the DB instance is deployed.
C
Add the DB instance to an Auto Scaling group that has a minimum capacity of 2 and a desired capacity of 2.
D
Use RDS Proxy to configure a proxy in front of the DB instance.

QUESTION 33

A CloudOps engineer needs to set up alerting and remediation for a web application. The application consists of Amazon EC2 instances that have AWS Systems Manager Agent (SSM Agent) installed. Each EC2 instance runs a custom web server. The EC2 instances run behind a load balancer and write logs locally.

The CloudOps engineer must implement a solution that restarts the web server software automatically if specific web errors are detected in the logs.

Which combination of steps will meet these requirements? (Select THREE)

A
Install the Amazon CloudWatch agent on the EC2 instances.
B
Create an AWS CloudTrail metric filter for the web logs. Configure an alarm for the specific errors.
C
Create an Amazon CloudWatch metric filter for the web logs. Configure an alarm for the specific errors.
D
Publish alarm findings to Amazon Simple Email Service (Amazon SES). Invoke an AWS Lambda function to restart the web server software.
E
Create an Amazon EventBridge rule that responds to the alarm. Configure the rule to invoke an AWS Systems Manager Automation runbook to restart the web server software.
F
Create an Amazon Simple Notification Service (Amazon SNS) notification that responds to the alarm. Configure the notification to invoke an AWS Systems Manager Automation runbook to restart the web server software.

QUESTION 34

A company's ecommerce application is running on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. Customers report that the website is occasionally down. When the website is down, the website returns an HTTP 500 (server error) status message to customer browsers.

The Auto Scaling group's health check is configured for EC2 status checks, and the instances are healthy.

Which solution will resolve the problem?

A
Replace the ALB with a Network Load Balancer.
B
Add Elastic Load Balancing (ELB) health checks to the Auto Scaling group.
C
Update the target group configuration on the ALB. Enable session affinity (sticky sessions).
D
Install the Amazon CloudWatch agent on all the instances. Configure the agent to reboot the instances.

QUESTION 35

A CloudOps engineer needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.

Which additional actions should the CloudOps engineer take to control access? (Select TWO.)

A
Attach an IAM policy to the users or groups that require access to the EC2 instances.
B
Attach an IAM role to control access to the EC2 instances.
C
Create a placement group for the EC2 instances and add a specific tag.
D
Create a service account and attach it to the EC2 instances that need to be controlled.
E
Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.

QUESTION 36

A company is running a stateless application. The application consists of a web server and a PostgreSQL database that run on a single Amazon EC2 instance. The EC2 instance becomes overloaded during times of high application traffic, leading to slow response times.

A CloudOps engineer needs to implement a solution to resolve the application's performance issues. The solution must accommodate increased application traffic as the number of users continues to grow. The solution also must make the application highly available.

Which combination of steps will meet these requirements? (Select TWO)

A
Create an Amazon CloudFront distribution. Specify the EC2 instance as the origin.
B
Configure an EC2 Auto Scaling group of web servers behind an Application Load Balancer.
C
Upgrade the existing EC2 instance to a larger instance type with more CPU and memory resources.
D
Use an Amazon RDS for PostgreSQL Multi-AZ deployment for the database. Point the application to the new endpoint.
E
Upgrade the PostgreSQL database on the EC2 instance to a newer version.

QUESTION 37

A developer enables versioning on an Amazon S3 bucket. When the developer attempts to perform a write operation on the bucket, the developer encounters an HTTP 404 NoSuchKey error. A CloudOps engineer must resolve this issue.

Which solution will meet this requirement?

A
Disable versioning on the S3 bucket and retry the write operation.
B
Modify the bucket policy to allow write operations on versioned objects.
C
Wait at least 15 minutes after enabling versioning, and then perform the write operation.
D
Enable S3 Transfer Acceleration on the bucket.

QUESTION 38

A CloudOps engineer has used AWS CloudFormation to deploy a serverless application into a production VPC. The application consists of an AWS Lambda function, an Amazon DynamoDB table, and an Amazon API Gateway API. The CloudOps engineer must delete the AWS CloudFormation stack without deleting the DynamoDB table.

Which action should the CloudOps engineer take before deleting the AWS CloudFormation stack?

A
Add a Retain deletion policy to the DynamoDB resource in the AWS CloudFormation stack.
B
Add a Snapshot deletion policy to the DynamoDB resource in the AWS CloudFormation stack.
C
Enable termination protection on the AWS CloudFormation stack.
D
Update the application's IAM policy with a Deny statement for the dynamodb:DeleteTable action.

QUESTION 39

An application runs on Amazon EC2 instances that are in an Auto Scaling group. A CloudOps engineer needs to implement a solution that provides a central storage location for errors that the application logs to disk. The solution must provide an alert when the application logs an error.

What should the CloudOps engineer do to meet these requirements?

A
Deploy and configure the Amazon CloudWatch agent on the EC2 instances to log to a CloudWatch log group. Create a metric filter on the target CloudWatch log group. Create a CloudWatch alarm that publishes to an Amazon Simple Notification Service (Amazon SNS) topic that has an email subscription.
B
Create a cron job on the EC2 instances to identify errors and push the errors to an Amazon CloudWatch metric filter. Configure the filter to publish to an Amazon Simple Notification Service (Amazon SNS) topic that has an SMS subscription.
C
Deploy an AWS Lambda function that pushes the errors directly to Amazon CloudWatch Logs. Configure the Lambda function to run every time the log file is updated on disk.
D
Create an Auto Scaling lifecycle hook that invokes an EC2 based script to identify errors. Configure the script to push the error messages to an Amazon CloudWatch log group when the EC2 instances scale in. Create a CloudWatch alarm that publishes to an Amazon Simple Notification Service (Amazon SNS) topic that has an email subscription when the number of error messages exceeds a threshold.

QUESTION 40

A CloudOps engineer needs to quickly resolve issues in an application that runs in a production environment on Amazon EC2 instances. The application uses an Amazon RDS database. To resolve the issues, the CloudOps engineer needs a centralized solution to collect and query logs for both the EC2 instances and the RDS database.

Which solution will meet these requirements?

A
Install and configure the Amazon CloudWatch agent on the EC2 instances to forward ERROR log events to Amazon CloudWatch Logs. Configure the RDS database to export log events to CloudWatch Logs. Use CloudWatch Logs Insights to query the logs.
B
Install and configure the Amazon CloudWatch agent on the EC2 instances to forward INFO log events to an Amazon S3 bucket. Install the CloudWatch agent on the RDS database. Forward ERROR log events to the S3 bucket. Configure S3 Event Notifications to invoke AWS Lambda functions to analyze the logs.
C
Install and configure the Amazon CloudWatch agent on the EC2 instances to forward ERROR log events to Amazon CloudWatch Logs. Use the Logs & events menu to examine log events for the RDS database. Use CloudWatch Logs Insights to query logs only for the EC2 instances.
D
Install and configure the AWS X-Ray agent on the EC2 instances to forward INFO, DEBUG, and latency log events to Amazon CloudWatch Logs. Configure the RDS database to export log events to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the logs.

QUESTION 41

1234abcd. The application servers need to access a database in a second AWS account named 444455556666.

The company establishes a VPC peering connection named pcx-b04deed9 between the VPC that hosts the application servers and the VPC that hosts the database.

A CloudOps engineer needs to configure the security group for the database to allow new connections only from the application servers.

Which solution will meet this requirement?

A
Add an inbound rule to the database's security group. Reference 111122223333/sg-1234abcd as the source.
B
Add an inbound rule to the database's security group. Reference pcx-b04deed9/sg-1234abcd as the source.
C
Add an inbound rule to the database's security group. Reference sg-1234abcd as the source.
D
Add an inbound rule to the database's security group. Reference 444455556666/sg-1234abcd as the source.

QUESTION 42

A CloudOps engineer is troubleshooting a VPC with public and private subnets that use custom network ACLs. Instances in the private subnet are unable to access the internet. An internet gateway is attached to the VPC, and the public subnet has a route to it. The private subnet has a route to a NAT gateway that is deployed in the public subnet. The Amazon EC2 instances are associated with the default security group for the VPC.

What is causing the issue in this scenario?

A
There is a network ACL on the private subnet set to deny all outbound traffic.
B
There is no NAT gateway deployed in the private subnet of the VPC.
C
The default security group for the VPC blocks all inbound traffic to the EC2 instances.
D
The default security group for the VPC blocks all outbound traffic from the EC2 instances.

QUESTION 43

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs to send specific events from all the accounts in the organization to a new receiver account so an AWS Lambda function can process the events.

A CloudOps engineer needs to configure Amazon EventBridge to route the events to a target event bus in the us-west-2 Region in the new receiver account. The CloudOps engineer creates rules in the sender accounts and the receiver account that match the specified events. The rules do not specify an account parameter in the event pattern. The CloudOps engineer creates IAM roles in the sender accounts to allow PutEvents actions on the target event bus.

The first test events that originate from the us-east-1 Region are not being processed by the Lambda function in the receiving account.

What is the likely reason the events are not processed?

A
Interface VPC endpoints for EventBridge are required in the sender accounts and receiver accounts.
B
The target Lambda function is in a different AWS Region, which is not supported by EventBridge.
C
The resource-based policy on the target event bus must be modified to allow PutEvents API calls from the sender accounts.
D
The rule in the receiving account must specify {"account":["sender-account-id"]} in its event pattern and must include the receiving account ID.

QUESTION 44

A CloudOps engineer must create an IAM policy for a developer who needs access to specific AWS services. Based on the requirements, the CloudOps engineer creates the following policy:

Which actions does this policy allow? (Select TWO.)

A
Create an AWS Storage Gateway.
B
Create an IAM role for an AWS Lambda function.
C
Delete an Amazon SQS queue.
D
Describe AWS load balancers.
E
Invoke an AWS Lambda function.

QUESTION 45

A company has a VPC that contains a public subnet and a private subnet. The company deploys an Amazon EC2 instance that uses an Amazon Linux Amazon Machine Image (AMI) and has the AWS Systems Manager Agent (SSM Agent) installed in the private subnet. The EC2 instance is in a security group that allows only outbound traffic.

A CloudOps engineer needs to give a group of privileged administrators the ability to connect to the instance through SSH without exposing the instance to the internet.

Which solution will meet this requirement?

A
Create an EC2 Instance Connect endpoint in the private subnet. Update the security group to allow inbound SSH traffic. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.
B
Create a Systems Manager endpoint in the private subnet. Update the security group to allow SSH traffic from the private network where the Systems Manager endpoint is connected. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.
C
Create an EC2 Instance Connect endpoint in the public subnet. Update the security group to allow SSH traffic from the private network. Create an IAM group for privileged administrators. Assign the PowerUserAccess managed policy to the IAM group.
D
Create a Systems Manager endpoint in the public subnet. Create an IAM role that has the AmazonSSMManagedInstanceCore permission for the EC2 instance. Create an IAM group for privileged administrators. Assign the AmazonEC2ReadOnlyAccess IAM policy to the IAM group.

QUESTION 46

A company uses a custom Amazon Machine Image (AMI) as part of an EC2 Image Builder pipeline. A CloudOps engineer notices that the custom AMI will reach the end of its support lifespan in a few months. The CloudOps engineer needs to update the EC2 Image Builder pipeline to use the latest AMI ID.

Which solution will meet this requirement?

A
Create a new version of the existing EC2 Image Builder recipe. Update the AMI ID details. Update the pipeline to use the new recipe version.
B
Disable the AMI in the lifecycle rules for the existing AMI. Update the existing EC2 Image Builder recipe with the latest AMI ID details. Rerun the pipeline.
C
Update the build component to use the latest AMI ID details.
D
Replace the AMI ID in the launch template for the pipeline.

QUESTION 47

A company's security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager.

Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances.

What should a CloudOps engineer do to resolve this issue?

A
Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
B
Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
C
Configure the SSM Agent to log in with a user name of "ubuntu".
D
Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

QUESTION 48

A CloudOps engineer needs to configure a caching layer for a read-heavy application that uses an Amazon RDS for PostgreSQL database. The application exists across three AWS Regions. Read and write activities occur in the primary Region. In the two secondary Regions, read-only activity occurs on RDS for PostgreSQL cross-Region read replicas.

The cache in each Region must consist of the same data to provide a consistent user experience across Regions.

Which solution for the caching layer will meet these requirements?

A
Set up an Amazon ElastiCache (Redis OSS) global datastore. Include a read and write cluster in the primary Region. Include a read-only cluster in each secondary Region.
B
Set up an Amazon ElastiCache (Memcached) global database. Include a read and write cluster in the primary Region. Include a read-only cluster in each secondary Region.
C
Set up query caching on the RDS for PostgreSQL database in the primary Region. Configure query cache replication to the secondary RDS cross-Region replicas.
D
Set up an Amazon ElastiCache (Memcached) cluster with cluster mode enabled in all three Regions. Set up ElastiCache cross-Region replication from the primary Region to the secondary Regions.

QUESTION 49

A company's developers manually install software modules on Amazon EC2 instances to deploy new versions of a service. A security audit finds that the instances have different combinations of approved modules and unapproved modules.

A CloudOps engineer must create a new instance image that contains only approved software.

Which solution will meet these requirements?

A
Use Amazon Detective to continuously find and uninstall unauthorized modules from the instances.
B
Use Amazon GuardDuty to create and deploy an Amazon Machine Image (AMI) that includes only the approved modules.
C
Use AWS Systems Manager Run Command to install the approved modules on all running instances during an in-place update.
D
Use EC2 Image Builder to create and test an Amazon Machine Image (AMI) that includes only the approved modules. Update the deployment workflow to use the new AMI.

QUESTION 50

A company has a new security policy that requires all Amazon EBS volumes to be encrypted at rest. The company needs to use a custom key policy to manage access to the encryption keys. The company must rotate the keys once each year.

Which solution will meet these requirements with the LEAST operational overhead?

A
Create AWS KMS symmetric customer managed keys. Enable automatic key rotation.
B
Use AWS owned AWS KMS keys across the company's AWS environment.
C
Create AWS KMS asymmetric customer managed keys. Enable automatic key rotation.
D
Create AWS KMS symmetric customer managed keys by using imported key material. Rotate the keys on a yearly basis.

QUESTION 51

A global gaming company is preparing to launch a new game on AWS. The game runs in multiple AWS Regions on a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group behind an Application Load Balancer (ALB) in each Region. The company plans to use Amazon Route 53 for DNS services. The DNS configuration must direct users to the Region that is closest to them and must provide automated failover.

Which combination of steps should a CloudOps engineer take to configure Route 53 to meet these requirements? (Select TWO.)

A
Create Amazon CloudWatch alarms that monitor the health of the ALB in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.
B
Create Amazon CloudWatch alarms that monitor the health of the EC2 instances in each Region. Configure Route 53 DNS failover by using a health check that monitors the alarms.
C
Configure Route 53 DNS failover by using a health check that monitors the private IP address of an EC2 instance in each Region.
D
Configure Route 53 geoproximity routing. Specify the Regions that are used for the infrastructure.
E
Configure Route 53 simple routing. Specify the continent, country, and state or province that are used for the infrastructure.

QUESTION 52

A company is hosting a public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The company needs the website to support HTTPS connections.

Which solution will meet this requirement?

A
Replace the ALB with a Network Load Balancer.
B
Use AWS Certificate Manager (ACM) to issue a public SSL/TLS certificate. Configure the ALB to use the certificate.
C
Import a public SSL/TLS certificate into AWS KMS. Configure the ALB to retrieve the certificate from AWS KMS.
D
Attach a public SSL/TLS certificate to the target group that is associated with the ALB.

QUESTION 53

A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A CloudOps engineer must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company's accounts and cloud applications.

Which prerequisites must the CloudOps engineer have so that the CloudOps engineer can connect to the external IdP? (Select TWO.)

A
A copy of the IAM Identity Center SAML metadata.
B
The IdP metadata, including the public X.509 certificate.
C
The IP address of the IdP.
D
Root access to the management account.
E
Administrative permissions to the member accounts of the organization.
