While setting up an AWS managed VPN connection, a SysOps administrator creates a
customer gateway resource in AWS. The customer gateway device resides in a data center
with a NAT gateway in front of it.
What address should be used to create the customer gateway resource?
A.
The private IP address of the customer gateway device
B.
The MAC address of the NAT device in front of the customer gateway device
C.
The public IP address of the customer gateway device
D.
The public IP address of the NAT device in front of the customer gateway device
The public IP address of the NAT device in front of the customer gateway device
A company's IT department noticed an increase in the spend of their developer AWS account. There are over 50 developers using the account, and the finance team wants to
determine the service costs incurred by each developer.
What should a SysOps administrator do to collect this information? (Select TWO.)
A.
Activate the createdBy tag in the account.
B.
Analyze the usage with Amazon CloudWatch dashboards.
C.
Analyze the usage with Cost Explorer.
D.
Configure AWS Trusted Advisor to track resource usage.
E.
Create a billing alarm in AWS Budgets.
Activate the createdBy tag in the account.
Analyze the usage with Cost Explorer.
A company monitors its account activity using AWS CloudTrail, and is concerned that some
log files are being tampered with after the logs have been delivered to the account's
Amazon S3 bucket.
Moving forward, how can the SysOps administrator confirm that the log files have not been
modified after being delivered to the S3 bucket?
A.
Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
B.
Enable log file integrity validation and use digest files to verify the hash value of the log file.
C.
Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
D.
Enable S3 server access logging to track requests made to the log bucket for security audits.
Enable log file integrity validation and use digest files to verify the hash value of the log file.
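The check behind option B, shown as an added example rather than anything from the page or from AWS: a CloudTrail digest file lists the SHA-256 hash of every log file delivered in the previous hour, and each digest also records the hash of the digest before it, so a modified log file or a deleted digest breaks verification. The code below models exactly those two checks over constructed sample data (bucket names, keys and events are invented). It deliberately leaves out the RSA-SHA256 signature that CloudTrail stores in the digest object's `x-amz-meta-signature` metadata; in practice run `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>`, which performs the hash and signature checks using CloudTrail's published public keys.

```python
"""Offline model of CloudTrail log file integrity validation (added example)."""
from __future__ import annotations

import gzip
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_objects: dict[str, bytes], previous: tuple[str, bytes] | None) -> bytes:
    """Serialise a digest file covering log_objects ({s3 key: gzipped bytes}).
    previous = (s3 key, bytes) of the prior digest, or None for the first in the chain.
    Only the fields this example checks are populated; a real digest also carries
    time ranges, the account ID and an RSA-SHA256 signature in S3 object metadata."""
    digest = {
        "digestS3Bucket": "example-trail-bucket",  # constructed name
        "logFiles": [
            {"s3Object": key, "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in sorted(log_objects.items())
        ],
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(previous[1]) if previous else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def verify_log_files(digest_bytes: bytes, objects: dict[str, bytes]) -> dict[str, str]:
    """Map each log file the digest lists to 'valid', 'invalid' or 'missing'."""
    results = {}
    for entry in json.loads(digest_bytes)["logFiles"]:
        key = entry["s3Object"]
        body = objects.get(key)
        if body is None:
            results[key] = "missing"      # deleted after delivery
        elif entry["hashAlgorithm"] != "SHA-256":
            results[key] = "invalid"      # never skip a file on an unexpected algorithm
        elif hmac.compare_digest(sha256_hex(body), entry["hashValue"]):
            results[key] = "valid"
        else:
            results[key] = "invalid"      # modified after delivery
    return results


def verify_chain(digests: list[tuple[str, bytes]]) -> bool:
    """Each digest must name the previous digest and carry its hash, so a deleted or
    replaced digest file is detected."""
    for (prev_key, prev_bytes), (_, cur_bytes) in zip(digests, digests[1:]):
        cur = json.loads(cur_bytes)
        if cur["previousDigestS3Object"] != prev_key:
            return False
        if not hmac.compare_digest(sha256_hex(prev_bytes), cur["previousDigestHashValue"]):
            return False
    return True


# Constructed sample: two hourly log files and the digests covering them.
def _log(records: list[dict]) -> bytes:
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


LOGS = {
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/log-0100.json.gz":
        _log([{"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}}]),
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/log-0200.json.gz":
        _log([{"eventName": "DeleteTrail", "userIdentity": {"userName": "mallory"}}]),
}
DIGEST_1 = build_digest(dict(list(LOGS.items())[:1]), None)
DIGEST_2 = build_digest(dict(list(LOGS.items())[1:]), ("digest-0100.json.gz", DIGEST_1))
CHAIN = [("digest-0100.json.gz", DIGEST_1), ("digest-0200.json.gz", DIGEST_2)]


def demo() -> dict:
    """Run the checks against the clean objects, a tampered copy and a broken chain."""
    key = list(LOGS)[1]
    clean = verify_log_files(DIGEST_2, LOGS)
    tampered = dict(LOGS)
    tampered[key] = _log([])                   # attacker scrubs the DeleteTrail event
    modified = verify_log_files(DIGEST_2, tampered)
    # Second digest replaced by a copy of the first: chain no longer links
    broken = verify_chain([CHAIN[0], ("digest-0200.json.gz", DIGEST_1)])
    return {"clean": clean[key], "modified": modified[key],
            "chain_ok": verify_chain(CHAIN), "broken_chain": broken}


if __name__ == "__main__":
    print(demo())
```

Note what the digest does not protect: it is written after delivery, so events removed before delivery (for example by stopping the trail) never appear in any log file. Integrity validation detects changes to delivered files, and a gap in the digest chain tells you a digest was removed; it does not tell you what the missing events were.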
A SysOps administrator is setting up an automated process to recover an Amazon EC2
instance in the event of an underlying hardware failure. The recovered instance must have
the same private IP address and the same Elastic IP address that the original instance had.
The SysOps team must receive an email notification when the recovery process is initiated.
Which solution will meet these requirements?
A.
Create an Amazon CloudWatch alarm for the EC2 instance, and specify the
StatusCheckFailed_Instance metric. Add an EC2 action to the alarm to recover the instance.
Add an alarm notification to publish a message to an Amazon Simple Notification Service
(Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
B.
Create an Amazon CloudWatch alarm for the EC2 instance, and specify the
StatusCheckFailed_System metric. Add an EC2 action to the alarm to recover the instance.
Add an alarm notification to publish a message to an Amazon Simple Notification Service
(Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
C.
Create an Auto Scaling group across three different subnets in the same Availability
Zone with a minimum, maximum, and desired size of 1. Configure the Auto Scaling group
to use a launch template that specifies the private IP address and the Elastic IP address.
Add an activity notification for the Auto Scaling group to send an email message to the
D.
Create an Auto Scaling group across three Availability Zones with a minimum,
maximum, and desired size of 1. Configure the Auto Scaling group to use a launch
template that specifies the private IP address and the Elastic IP address. Add an activity
notification for the Auto Scaling group to publish a message to an Amazon Simple
Notification Service (Amazon SNS) topic. Subscribe the SysOps team email address to the
SNS topic.
Create an Amazon CloudWatch alarm for the EC2 instance, and specify the
StatusCheckFailed_System metric. Add an EC2 action to the alarm to recover the instance.
Add an alarm notification to publish a message to an Amazon Simple Notification Service
(Amazon SNS) topic. Subscribe the SysOps team email address to the SNS topic.
Explanation: You can create an Amazon CloudWatch alarm that monitors an Amazon
EC2 instance and automatically recovers the instance if it becomes impaired due to an
underlying hardware failure or a problem that requires AWS involvement to repair.
Terminated instances cannot be recovered. A recovered instance is identical to the original
instance, including the instance ID, private IP addresses, Elastic IP addresses, and all
instance metadata. If the impaired instance has a public IPv4 address, the instance retains
the public IPv4 address after recovery. If the impaired instance is in a placement group, the
recovered instance runs in the placement group. When the StatusCheckFailed_System
alarm is triggered, and the recover action is initiated, you will be notified by the Amazon
SNS topic that you selected when you created the alarm and associated the recover action.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html
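The alarm from the explanation above, written out as an added example with boto3 (this is not code from the page or from AWS; the instance ID, topic name, e-mail address and the Period/EvaluationPeriods settings are placeholders). The two details that usually go wrong are shown explicitly: the metric must be StatusCheckFailed_System, because the recover action is only meaningful for host-level failures, and the recover action is a fixed ARN of the form `arn:aws:automate:<region>:ec2:recover` with no account or instance in it.

```python
"""CloudWatch alarm that recovers an EC2 instance on a system status check failure
and notifies an SNS topic (added example)."""
from __future__ import annotations


def recover_action_arn(region: str) -> str:
    """EC2 'recover' alarm action; the region must be the instance's region."""
    return f"arn:aws:automate:{region}:ec2:recover"


def recover_alarm_params(instance_id: str, region: str, topic_arn: str) -> dict:
    """Keyword arguments for CloudWatch.Client.put_metric_alarm()."""
    return {
        "AlarmName": f"{instance_id}-system-check-recover",
        "AlarmDescription": "Recover the instance after an underlying hardware failure",
        "Namespace": "AWS/EC2",
        # _System, not _Instance: OS or application faults are not recoverable by AWS
        "MetricName": "StatusCheckFailed_System",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 2,          # two consecutive failed minutes before acting
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "missing",
        # Both fire on ALARM: recover the instance and publish to the team's topic
        "AlarmActions": [recover_action_arn(region), topic_arn],
    }


def preflight(params: dict) -> list[str]:
    """Mistakes that produce an alarm which never recovers anything or tells nobody."""
    problems = []
    if params.get("MetricName") != "StatusCheckFailed_System":
        problems.append("recover action requires StatusCheckFailed_System")
    actions = params.get("AlarmActions", [])
    if not any(a.endswith(":ec2:recover") for a in actions):
        problems.append("no EC2 recover action attached")
    if not any(a.startswith("arn:aws:sns:") for a in actions):
        problems.append("no SNS topic attached; nobody will be notified")
    return problems


def deploy(instance_id: str, region: str, email: str) -> str:
    """Create the topic, subscribe the e-mail address (the recipient must confirm the
    subscription) and create the alarm. Needs AWS credentials; not run offline."""
    import boto3                                  # imported here so the rest runs offline
    sns = boto3.client("sns", region_name=region)
    topic_arn = sns.create_topic(Name="sysops-ec2-recovery")["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    params = recover_alarm_params(instance_id, region, topic_arn)
    if preflight(params):
        raise ValueError(preflight(params))
    boto3.client("cloudwatch", region_name=region).put_metric_alarm(**params)
    return params["AlarmName"]


if __name__ == "__main__":
    print(recover_alarm_params("i-0123456789abcdef0", "us-east-1",
                               "arn:aws:sns:us-east-1:111111111111:sysops-ec2-recovery"))
```

Two caveats before relying on this: the recover action is supported only for instances backed by EBS volumes (instances with instance store volumes cannot be recovered), and the e-mail subscription is pending until the recipient clicks the confirmation link, so test the notification path with `aws sns publish` before the first real failure.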
A company website contains a web tier and a database tier on AWS. The web tier consists
of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones.
The database tier runs on an Amazon RDS for MySQL Multi-AZ DB instance. The
database subnet network ACLs are restricted to only the web subnets that need access to
the database. The web subnets use the default network ACL with the default rules.
The company's operations team has added a third subnet to the Auto Scaling group
configuration. After an Auto Scaling event occurs, some users report that they intermittently
receive an error message. The error message states that the server cannot connect to the
database. The operations team has confirmed that the route tables are correct and that the
required ports are open on all security groups.
Which combination of actions should a SysOps administrator take so that the web servers
can communicate with the DB instance? (Select TWO.)
A.
On the default ACL, create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.
B.
On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify
the destinations as the database subnets.
C.
On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
D.
On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
E.
On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.
On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
A company is trying to connect two applications. One application runs in an on-premises
data center that has a hostname of host1.onprem.private. The other application runs on an
Amazon EC2 instance that has a hostname of host1.awscloud.private. An AWS Site-to-Site
VPN connection is in place between the on-premises network and AWS.
The application that runs in the data center tries to connect to the application that runs on
the EC2 instance, but DNS resolution fails. A SysOps administrator must implement DNS
resolution between on-premises and AWS resources.
Which solution allows the on-premises application to resolve the EC2 instance hostname?
A.
Set up an Amazon Route 53 inbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries to the inbound resolver endpoint.
B.
Set up an Amazon Route 53 inbound resolver endpoint. Associate the resolver with the VPC of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the inbound resolver endpoint.
C.
Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2
instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries
to the outbound resolver endpoint.
D.
Set up an Amazon Route 53 outbound resolver endpoint. Associate the resolver with the AWS Region of the EC2 instance. Configure the on-premises DNS resolver to forward awscloud.private DNS queries to the outbound resolver endpoint.
Set up an Amazon Route 53 outbound resolver endpoint with a forwarding rule for the onprem.private hosted zone. Associate the resolver with the AWS Region of the EC2
instance. Configure the on-premises DNS resolver to forward onprem.private DNS queries
to the outbound resolver endpoint.
A company's backend infrastructure contains an Amazon EC2 instance in a private subnet.
The private subnet has a route to the internet through a NAT gateway in a public subnet.
The instance must allow connectivity to a secure web server on the internet to retrieve data
at regular intervals.
The client software times out with an error message that indicates that the client software
could not establish the TCP connection.
What should a SysOps administrator do to resolve this error?
A.
Add an inbound rule to the security group for the EC2 instance with the following parameters: Type - HTTP, Source - 0.0.0.0/0.
B.
Add an inbound rule to the security group for the EC2 instance with the following parameters: Type - HTTPS, Source - 0.0.0.0/0.
C.
Add an outbound rule to the security group for the EC2 instance with the following parameters: Type - HTTP, Destination - 0.0.0.0/0.
D.
Add an outbound rule to the security group for the EC2 instance with the following parameters: Type - HTTPS, Destination - 0.0.0.0/0.
Add an outbound rule to the security group for the EC2 instance with the following parameters: Type - HTTPS, Destination - 0.0.0.0/0.
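The two preceding questions turn on the same distinction: network ACLs are stateless (every packet, including the reply, is matched against numbered rules, lowest number first, first match wins, implicit deny), while security groups are stateful (only the packet that opens the connection is evaluated, and the reply is allowed automatically). The added example below is a small packet-filter model written for this page, not AWS code; the CIDRs, rule numbers and addresses are constructed. It traces the web-to-database session of the network ACL question through all four hops, showing why adding only the inbound 3306 rule for the new subnet still fails and why both option C and option D are needed, and then evaluates the outbound HTTPS rule from the security group question, where no inbound rule is needed for the response.

```python
"""Stateless network ACL vs stateful security group, modelled offline (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # covers Linux clients, NAT gateways and load balancers


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str            # "inbound" | "outbound"
    proto: str                # "tcp" | "all"
    ports: tuple[int, int]    # destination port range, inclusive
    cidr: str                 # source for inbound, destination for outbound
    action: str               # "allow" | "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def nacl_permits(rules: list[Rule], direction: str, pkt: Flow) -> bool:
    """Network ACL semantics: ascending rule number, first match decides, else deny."""
    peer = pkt.src if direction == "inbound" else pkt.dst
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != direction or r.proto not in ("all", pkt.proto):
            continue
        if not (r.ports[0] <= pkt.dport <= r.ports[1]):
            continue
        if ip_address(peer) not in ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False


def trace_session(web_nacl: list[Rule], db_nacl_rules: list[Rule], flow: Flow) -> str | None:
    """Follow one TCP session web -> DB and its reply through both subnets' NACLs.
    Returns the first hop that drops traffic, or None if the session works."""
    reply = Flow(src=flow.dst, sport=flow.dport, dst=flow.src, dport=flow.sport)
    hops = [
        ("web_outbound", web_nacl, "outbound", flow),
        ("db_inbound", db_nacl_rules, "inbound", flow),
        ("db_outbound", db_nacl_rules, "outbound", reply),   # reply lands on an ephemeral port
        ("web_inbound", web_nacl, "inbound", reply),
    ]
    for name, rules, direction, pkt in hops:
        if not nacl_permits(rules, direction, pkt):
            return name
    return None


def sg_permits_egress(egress: list[tuple[str, tuple[int, int], str]], flow: Flow) -> bool:
    """Security group egress: allow-only rules, any match permits; the connection is
    tracked, so the HTTPS response needs no inbound rule."""
    return any(proto in ("all", flow.proto) and lo <= flow.dport <= hi
               and ip_address(flow.dst) in ip_network(cidr)
               for proto, (lo, hi), cidr in egress)


# Default network ACL: rule 100 allows all traffic in both directions.
DEFAULT_NACL = [Rule(100, "inbound", "all", (0, 65535), "0.0.0.0/0", "allow"),
                Rule(100, "outbound", "all", (0, 65535), "0.0.0.0/0", "allow")]
WEB_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]   # constructed
THIRD_SUBNET = "10.0.3.0/24"                    # added to the Auto Scaling group


def db_nacl(web_subnets: list[str]) -> list[Rule]:
    """Restricted DB subnet ACL: 3306 in from each web subnet, ephemeral out to it."""
    rules = []
    for i, cidr in enumerate(web_subnets):
        n = 100 + 10 * i
        rules.append(Rule(n, "inbound", "tcp", (3306, 3306), cidr, "allow"))
        rules.append(Rule(n, "outbound", "tcp", EPHEMERAL, cidr, "allow"))
    return rules


def demo() -> dict:
    web_to_db = Flow("10.0.3.25", 40000, "10.0.10.8", 3306)   # server in the third subnet
    before = trace_session(DEFAULT_NACL, db_nacl(WEB_SUBNETS), web_to_db)
    inbound_only = trace_session(DEFAULT_NACL, db_nacl(WEB_SUBNETS) + [
        Rule(120, "inbound", "tcp", (3306, 3306), THIRD_SUBNET, "allow")], web_to_db)
    after = trace_session(DEFAULT_NACL, db_nacl(WEB_SUBNETS + [THIRD_SUBNET]), web_to_db)
    to_web = Flow("10.0.20.5", 51000, "203.0.113.10", 443)     # private instance via NAT
    return {"before": before, "inbound_only": inbound_only, "after": after,
            "sg_no_egress": sg_permits_egress([], to_web),
            "sg_https_egress": sg_permits_egress([("tcp", (443, 443), "0.0.0.0/0")], to_web)}


if __name__ == "__main__":
    print(demo())
```

The trace also shows why options A and B of the network ACL question are wrong: the web subnets use the default ACL, whose rule 100 already allows everything, so the drop can only happen on the database subnets' ACL. The outbound range 1024-65535 rather than a narrower Linux default (32768-60999) is deliberate; NAT gateways and load balancers in the path use the wider range.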
A company manages an application that uses Amazon ElastiCache for Redis with two extra-large nodes spread across two different Availability Zones. The company's IT team discovers that the ElastiCache for Redis cluster has 75% freeable memory. The application must maintain high availability. What is the MOST cost-effective way to resize the cluster?
A.
Decrease the number of nodes in the ElastiCache for Redis cluster from 2 to 1.
B.
Deploy a new ElastiCache for Redis cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original cluster.
C.
Deploy a new ElastiCache for Redis cluster that uses large node types. Take a backup from the original cluster, and restore the backup in the new cluster. After the process is complete, shut down the original cluster.
D.
Perform an online resizing for the ElastiCache for Redis cluster. Change the node types from extra-large nodes to large nodes.
Deploy a new ElastiCache for Redis cluster that uses large node types. Migrate the data from the original cluster to the new cluster. After the process is complete, shut down the original cluster.
A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts. Which solution will meet these requirements?
A.
Purchase RIs in individual member accounts. Disable RI discount sharing in the management account.
B.
Purchase RIs in individual member accounts. Disable RI discount sharing in the member accounts.
C.
Purchase RIs in the management account. Disable RI discount sharing in the
management account.
D.
Purchase RIs in the management account. Disable RI discount sharing in the member
accounts.
Purchase RIs in individual member accounts. Disable RI discount sharing in the management account.
Explanation: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-riconsolidated-billing/
RI discounts apply to accounts in an organization's consolidated billing family depending
upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all
accounts in an organization is turned on. The management account of an organization can
change this setting by turning off RI sharing for an account. The capacity reservation for an
RI applies only to the account the RI was purchased on, no matter whether RI sharing is
turned on or off.
A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are
going directly to the S3 bucket by using the website hosting endpoint. A SysOps
administrator must secure the S3 bucket to allow requests only from CloudFront.
What should the SysOps administrator do to meet this requirement?
A.
Create an origin access identity (OAI) in CloudFront. Associate the OAI with the
distribution. Remove access to and from other principals in the S3 bucket policy. Update the S3 bucket policy to allow access only from the OAI.
B.
Create an origin access identity (OAI) in CloudFront. Associate the OAI with the
distribution. Update the S3 bucket policy to allow access only from the OAI. Create a new
origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use
the new origin. Remove the existing origin.
C.
Create an origin access identity (OAI) in CloudFront. Associate the OAI with the
distribution. Update the S3 bucket policy to allow access only from the OAI. Disable
website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update
the distribution behavior to use the new origin. Remove the existing origin.
D.
Update the S3 bucket policy to allow access only from the CloudFront distribution.
Remove access to and from other principals in the S3 bucket policy. Disable website
hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the
distribution behavior to use the new origin. Remove the existing origin.
Create an origin access identity (OAI) in CloudFront. Associate the OAI with the
distribution. Remove access to and from other principals in the S3 bucket policy. Update the S3 bucket policy to allow access only from the OAI.
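The bucket-policy half of option A, as an added example written for this page (not AWS or page code; the bucket name and OAI ID are constructed placeholders): a generator for the OAI-only policy in the principal form CloudFront documents, and an audit function that flags any Allow statement granting access to a principal other than the OAI or granting more than s3:GetObject. Run the audit against the current policy before replacing it, so you see exactly which statements were letting requests bypass CloudFront.

```python
"""Generate and audit an S3 bucket policy that admits only a CloudFront OAI (added example)."""
from __future__ import annotations

import json


def oai_principal(oai_id: str) -> str:
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_only_policy(bucket: str, oai_id: str) -> dict:
    """Read-only access for the distribution's OAI and nobody else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def principals(stmt: dict) -> list[tuple[str, str]]:
    """Flatten the Principal element to (kind, value) pairs; '*' becomes ('*', '*')."""
    p = stmt.get("Principal", {})
    if p == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in p.items() for v in _as_list(vals)]


def audit_policy(policy: dict, oai_id: str, oai_canonical_id: str | None = None) -> list[str]:
    """Findings for Allow statements that reach past the OAI or beyond read-only."""
    allowed = {("AWS", oai_principal(oai_id))}
    if oai_canonical_id:                       # older policies reference the OAI this way
        allowed.add(("CanonicalUser", oai_canonical_id))
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue                           # Deny statements only narrow access
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append(f"{sid}: uses NotPrincipal/NotAction; review manually")
        for kind, value in principals(stmt):
            if value == "*":
                cond = " (conditional)" if "Condition" in stmt else ""
                findings.append(f"{sid}: public principal '*'{cond}")
            elif (kind, value) not in allowed:
                findings.append(f"{sid}: non-OAI principal {value}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "s3:getobject":
                findings.append(f"{sid}: action {action} exceeds read-only")
    return findings


# Constructed: the kind of policy that lets requests bypass CloudFront entirely.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-assets/*",
    }],
}


def demo() -> dict:
    oai_id = "E2EXAMPLE1234"   # placeholder OAI ID
    return {"oai_only": audit_policy(oai_only_policy("example-site-assets", oai_id), oai_id),
            "public": audit_policy(PUBLIC_READ_POLICY, oai_id)}


if __name__ == "__main__":
    print(json.dumps(oai_only_policy("example-site-assets", "E2EXAMPLE1234"), indent=2))
    print(demo())
```

Two points the policy alone does not cover. An OAI only works when the distribution's origin is the bucket's REST endpoint (`<bucket>.s3.<region>.amazonaws.com`); the website hosting endpoint is plain HTTP with no AWS authentication and cannot be restricted to an OAI, which is why requests to it are the leak the question describes. And Block Public Access at the bucket or account level is the backstop that stops a future edit from reintroducing a `Principal: "*"` statement, so turn it on alongside the policy change.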