AWS Certified SysOps Administrator Practice Exam Part 2iam.awslagi
Notes: Hi all, AWS Certified SysOps Administrator Associate Practice Exam will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics.
We highly recommend you should take AWS Certified SysOps Administrator Associate Guarantee Part because it include real questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.
For PDF Format:
Part 1: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-1
Part 2: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-2
Part 3: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-3
Part 4: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-4
Part 5: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-5
For Audio Version:
For Quiz Format:
Part 1: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-1-quiz
Part 2: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-2-quiz
Part 3: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-3-quiz
41. A fleet of servers must send local logs to Amazon Cloudwatch. How should the servers be configured to meet these requirements ?
A. Configure AWS Config to forward events to cloudwatch
B. Configure a simple network management protocol (SNMP) agent to forward events to Cloudwatch
C. Install and configure the unified Cloudwatch agent
D. Install and configure the Amazon Inspector agent
42. A company data retention policy dictates that backups be stored for exactly two years. After that the data must be deleted. How can Amazon EBS snapshots be managed to conform to this data retention policy?
A. Use an Amazon S3 lifecycle policy to delete snapshots older than two years
B. Configure Amazon Inspector to find and delete old EBS Snapshots
C. Schedule an AWS Lambda function using Cloudwatch events to periodically run a scripts to delete old snapshots
D. Configure an Amazon Cloudwatch Alarm to trigger the launch of an AWS Cloudformation template that will clean the older snapshots
43. In configuring an Amazon Route 53 health check, a SysOps Administrator selects ‘Yes’ to the String Matching option in the Advanced Configuration section. In the Search String box, the Administrator types the following text: /html. This is to ensure that the entire page is loading during the health check. Within 5 minutes of enabling the health check, the Administrator receives an alert stating that the check failed. However, when the Administrator navigates to the page, it loads successfully. What is the Most likely cause of this false alarm?
A. The search string is not HTML encoded
B. The search string must be put in quotes
C. The search string must be escaped with a backslash (\) before the forward slash (/)
D. The search string is not in the first 5120 bytes of the tested page
44. A SysOps Administrator must ensure that AWS Cloudformation deployment changes are properly backend for governance. Which AWS Service should be used to accomplish this?
A. AWS Artifact
B. AWS Config
C. Amazon Inspector
D. AWS Trusted Advisor
45. A Developer created an AWS Lambda function and has asked the SysOps Administrator to make the function run in every 15 minutes . What is the MOST efficient way to accomplish this request?
A. Create an Amazon EC2 instance and schedule a cron to invoke the Lambda function
B. Create a repeat time variable inside the Lambda function to invoke the Lambda function
C. Create a second Lambda function to monitor and invoke the first Lambda function
D. Create an Amazon Cloudwatch scheduled event to invoke the Lambda function
46. A SysOps Administrator is analyzing how Reserved Instance discounts are allocated to Amazon EC2 instances across multiple AWS Account. Which AWS tool will provide the details necessary to understand the billing charges?
A. AWS Budgets
B. AWS Cost and Usage report
C. AWS Trusted Advisor
D. AWS Organizations
47. A SysOps Administrator wants to prevent Developer from accidentally terminating Amazon EC2 instance. How can this be accomplished?
A. Use AWS Systems Manager to restrict EC2 termination
B. Use AWS Config to restrict EC2 termination
C. Application Amazon Cloudwatch event to prevent EC2 termination
D. Enable termination protection on EC2 instances
48. An organization has developed a new memory intensive application that is deployed to a large Amazon EC2. The application is exhaustion, so the development team wants to monitor memory usage by using Amazon Cloudwatch. What is the MOST efficient way to accomplish this goal?
A. Deploy the solution to memory-optimized EC2 instances and use the cloudwatch MemoryUtilization metrics
B. Enable the memory monitoring option by using AWS Config
C. Install the AWS System Manager agent on applicable EC2 instances to monitor memory
D. Monitor memory by using a script within the instance and send it to cloudwatch as a custom metric
49. An organization has been running their website on several m2 Linux instances behind a classic load balancer for two years. Application load has been constant and predictable. What should the organization do to reduce costs?
A. Purchase Reserved instances for the specific m2.instances
B. Change the m2 instances to equivalent m5 types, and purchase Reserved instances for the specific m5 instances
C. Change the classic load balancer to an application load balancer and purchase reserved instances for the specific m2 instances
D. Purchase Spot instances for the specific m2 instances
50. A SysOps Administrator has written an AWS Lambda function to launch new Amazon EC2 instances and deployed it in the us-east-1 region. The Administrator tested it by launching a new t2 nano instance in the us-east-1 region and it performed as expected. However, when the region name was updated in the Lambda function to launch an EC2 instance in the us-west-1 region, it failed. What is causing this error?
A. The AMI ID must be updated for the us-west-1 region in the Lambda function as well
B. The Lambda function can only launch EC2 instances in the same region where it is deployed
C. The Lambda function does not have the necessary IAM permission to launch more than one EC2 instance
D. The instance type defined in the Lambda function is not available in the us-west-1 region
51. A Company backs up data from data center using a tape gateway on AWS Storage Gateway. The SysOps Administrator must stop a running storage gateway. What process will protect data integrity?
A. Stop storage gateway and reboot the virtual machine, then restart Storage Gateway
B. Reboot the virtual machine then restart storage gateway
C. Reboot the virtual machine
D. Shutdown the virtual machine and stop storage gateway then turn the virtual machine
52. A SysOps Administrator is responsible for a legacy, CPU heavy application. The application can only be scaled vertical. Currently application running on t2.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency. What change should be made to alleviate the performance problem?
A. Change the EBS volume to provisioned IOPS
B. Upgrade to a compute-optimized instance
C. Add additional t2.large instances to the application
D. Purchase the Reserved Instance
53. A SysOps Administrator runs a web application that is using a microservices approach whereby different responsibilities of the application have been divided in a separate microservice running on a different Amazon EC2 instance. The Administrator has been tasked with reconfiguring the infrastructure to support this approach. How can the Administrator accomplish this with the LEAST administrative overhead?
A. Use Amazon Cloudfront to log the URL and forward the request
B. Use Amazon Cloudfront to rewrite the header base on the micro service and forward the request
C. Use an Application Load Balancer (ALB) and do path-based routing
D. Use a Network Load Balancer (NLB) and do path-based routing
54. An organization is concerned that its Amazon RDS databases are not protected. The solution to address this issue must be low cost, protect against table corruption that could be overlooked for several days, and must offer a 30-day window of protection. How can these requirement must be met?
A. Enable multi-AZ on the RDS Instance to maintain the data in a second Availability Zone
B. Create a Read Replica of the RDS Instance to maintain the data in a second region
C. Ensure that automated backups are enabled and set the appropriate retention period
D. Enable versioning in RDS to recover altered table data when needed
55. A company with a dozens of AWS Account wants to ensure that governance rules are being applied across all accounts. The CIO has recommended that AWS Config rules be deployed using an AWS Cloudformation template. How should the requirements be met?
A. Create the Cloudformation stack set then select Cloudformation template and use it to configure the AWS accounts
B. Write a script that iterates over the Company AWS accounts and executes the Cloudformation template in each account
C. Use AWS Organizations to execute the Cloudformation template in all accounts
D. Create a Cloudformation template in the master account of AWS. Organizations and execute the Cloudformation template to create AWS Config rules in all accounts
56. A Company must ensures that any objects uploaded to an s3 bucket must be encrypted. Which of the following actions will meet the requirement? ( SELECT TWO)
A. Implement AWS Shield to protect again unencrypted objects stored in s3 buckets
B. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket
C. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored
D. Implement Amazon Inspector to inspect objects uploaded to s3 bucket to make sure that they are encrypted
E. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets
57. Based on the AWS Shared Responsibility Model, which of the following actions are the responsibility of the customer for an Aurora database?
A. Performing underlying OS updates
B. Provisioning of storage for database
C. Scheduling maintenance, patches and other updates
D. Executing maintenance, patches and other updates
58. A Company would like to review each change in the infrastructure before deploying updates in its AWS Cloudformation stacks. Which action will allow an Administrator to understand the impact of these changes before implement?
A. Implement a blue/green strategy using AWS Elastic Beanstalk
B. Perform a canary deployment using a Application Load Balancer and target groups
C. Create a change set for the running stack
D. Submit the update using UpdateStack API call.
59. An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps Administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. What is likely to be the problem?
A. The Amazon Machine Image used is not Available in that region
B. The AWS Cloudformation template needs to be update to the latest version
C. The VPC configurations parameters have changed and must be updated in the template
D. The account has reached the default limit for VPCs allowed
60. A SysOps Administrator found that newly-deployed Amazon EC2 application server is unable to connect to an Amazon RDS database. VPC Flow Logs and confirming that the flow log is active on the console, the log group cannot be located on Amazon Cloudwatch. What are the MOST likely reasons for this situation? (SELECT TWO)
A. The Administrator must configure the VPC Flow Logs to have them sent to AWS CloudTrail
B. The Administrator has waited less than ten minutes for the log group to be created in Cloudwatch
C. The account VPC Flow Logs have been disabled by using a service control policy
D. No relevant traffic has been sent since the VPC Flow Logs were created
E. The account has Amazon Guard Duty enabled.
61. A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API-calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA. What additional step must be taken to ensure that API calls are authenticated using MFA?
A. Enable MFA on IAM roles and require IAM users to use role credentials to sign API calls.
B. Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI
C. Restricts the IAM users to use of the console, as MFA is not supported for CLI use
D. Require user to use temporary credentials from the get sessions token command to sign API calls
62.An application running on Amazon EC2 allows users to launch batch jobs for data analysis. The jobs are run asynchronously, and the user is notified when they are complete. While multiple jobs can run concurrently, a user’s request need not be fulfilled for up to 24 hours. To run a job, the application launches an additional EC2 instance that performs all the analytics calculations. A job takes between 75 and 110 minutes to complete and cannot be interrupted. What is the MOST cost-effective way to run this workload?
A. Run the application on-Demand EC2 instances. Run the jobs on spot instances with a specified duration
B. Run the application on Reserved instance EC2 instances. Run the jobs on AWS Lambda
C. Run the application on On-Demand EC2 instances. Run the jobs on On-Demand EC2 instances
D. Run the application on Reserved instance EC2 instances. Run the jobs on spot instances with a specified duration
63. An organization has two AWS accounts Development and Production. A SysOps Administrator manages access via IAM. Users require in Development should have access to certain resource in Production. How can this be accomplished?
A. Create an IAM role in Production account with the Development account as a trusted entity and then allow those users from Development account to assume the Production account IAM role
B. Create a group of IAM users in the Development account and add Production account service ARNs as resources in the IAM policy
C. Establish a federation between the two accounts using the on-premises Microsoft Active Directory and allow development account to access the Production account through this federation
D. Establish an Amazon Cognito Federated Identity between the two accounts and allow the Development account to access the Production account through this federation
64. A SysOps Administrator has been able to consolidate multiple secure websites onto a single servers and each site is running on a different port. The Administrator now wants to start a duplicate server in a second Availability Zone and put both behind a Load Balancer for high availability. What would be the command line necessary to deploy one of the sites certificates to the load balancer?
A. aws kms modify-listener –loadbalancer-name my-loadbalancer –certificates CertificateARN arn:aws:iam::123456:server-certificate/my-new-server-cert
B. aws elb set-load-balancer-listener-ssl-cerficate –load-balancer-name my-load-balancer –load-balaner-port 443 –ssl-cerficate-id arn:aws:iam::123456:server-certificate/new-server-cert
C. aws ec2 put-ssl-certificate –loadbalancer-name my-loadbalancer –load-balaner-port 443 –ssl-cerficate-id arn:aws:iam::123456:server-certificate/new-server-cert
D. aws acm put-ssl-cerficate –loadbalancer-name my-loadbalancer –load-balaner-port 443 –ssl-cerficate-id arn:aws:iam::123456:server-certificate/new-server-cert
65. An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of EC2 instances. After the change, traffic is not reaching the instances and an error is being returned from the ALB. What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (SELECT TWO)
A. Add the EC2 instances to the ALB target group, configure the health check and ensure that the instances report healthy
B. Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy and remove the public IPs from the instances
C. Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate and remove the public IPs from the instances
D. Change the security group for the EC2 instances to allow access from only the ALB security group and remove the public IPs from the instances
E. Change the security group to allow access from 0.0.0.0/0 which permits access from the ALB
66. A company is received its latest bill with a large increase in the number of request against Amazon SQS as API call action. Admin need to know of any major changes in it SQS usage. The company is concerned about the cost increase and who or what was missing the calls. What should the SysOps Administrator use to validate the calls made to SQS?
A. Amazon Cloudtrail
B. Amazon Cloudwatch
C. AWS Cost Explorer
D. Amazon S3 Access logs
67. After a particularly high AWS bill, an organization wants to review the use of AWS Services
What AWS Service will allow the SysOps Administrator to quickly view this information to share it and will also forecast equipment ?
A. AWS Trusted Advisor
B. Amazon QuickSight
C. AWS Cost and Usage Report
D. AWS Cost Explorer
68. A SysOps Administrator must find a way to setup alerts when Amazon EC2 service limit are close to being reached? How can the Administrator achieve this requirement?
A. Use Amazon Inspector and Amazon Cloudwatch Events
B. Use AWS Trusted Advisor and Amazon Cloudwatch Events
C. Use the Personal Health Dashboard and Cloudwatch Events
D. Use AWS CloudTrail and Cloudwatch Events
69. A SysOps Administrator is reviewing AWS Trusted Advisor warnings and encounters a warning for an S3 bucket policy that discussing the issue with the bucket owner, the Administrator realizes the S3 bucket is an origin for an Amazon Cloudfront Which action should the Administrator take to ensure that users access objects in Amazon S3 by using only Cloudfront URL?
A. Encrypt the S3 bucket content with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
B. Create an Origin access identity and grand it permissions to read objects in the S3 buckets
C. Assign an IAM user to the Cloudfront distribution and whitelist the IAM user in the S3 bucket policy
D. Assign an IAM Role to the Cloudfront distribution and whitelist the IAM role in the S3 bucket policy
70. An Auto Scaling group scales up and down based on Average CPU Utilization. The alarms is set to trigger a scaling when CPU exceeds 80% for 5 minutes. Currently, the average CPU has been 95% for over two hours and new instances are not being added What could be the issue?
A. A Scheduled scaling action has not been defined
B. In the field suspend process “ ReplacesUnhealthy” has been selected
C. The maximum size of the Auto Scaling Group is below or at the current group size
D. The HealthCheck Grace Period is set to less than 300 seconds.
71. The Database Administrator team is interested in performing manual backups of an Amazon RDS Oracle DB instance. What step should be taken to perform the backups?
A. Attach Amazon EBS Volume with Oracle RMAN installed to the RDS Instance
B. Take a snapshot of the EBS volume that is attached to the DB instance
C. Install Oracle Secure backup on the RDS instance and backup the Oracle database to Amazon S3
D. Take a snapshot of the DB Instance
72. A Company has created a separate AWS account for all development work to protect the production environment. In the development environment users request permission to manipulate IAM policies and roles. Corporate policies require that developers are blocked from accessing services. What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?
A. Create a service control policy in AWS Organizations and apply it to the development account
B. Create a customer managed policy in IAM and apply it in to all users within the development account
C. Create a job function policy in IAM and apply it to all users within the development account
D. Create an IAM Policy and apply it in API Gateway to restrict the development account
73. A Company has a web application that runs on both on-premises and on Amazon EC2 instances. Over time both the on-premises server and EC2 instances is crashing. A SysOps Administrator suspects a memory leak in the application and wants unified method to monitor memory utilization. How can the Administrator track both the EC2 memory utilization and on-premises server memory utilization over time?
A. Write a script or use a third-party application to report memory utilization for both EC2 instances and on-premises servers.
B. Use Amazon Cloudwatch agent for both Amazon EC2 instances and on-premises servers to report MemoryUtilization metrics to Cloudwatch and set a Cloudwatch alarm for notifications
C. Use Cloudwatch agent for Amazon EC2 instances to report memory Utilization to Cloudwatch and set Cloudwatch Alarms for notifications. Use a third-party application for the on-premises servers.
D. Configure a load balancer to route traffic to both on-premises servers and EC2 instances, then use cloudwatch as the unified view of the metrics for the load balancer.
74. A SysOps Administrator is using AWS Cloudformation to deploy resources but would like to manually address any errors the template encounters. What should the Administrator add to the template to support the requirement?
A. Enable Termination Protection on the Stack
B. Set the OnFailure parameter to “DO_NOTHING”
C. Restrict the IAM permissions for CloudFormation to delete resources
D. Set the DeleteStack API action to “NO”
75. A Company’s application stores documents within an Amazon S3 bucket. The application is running on Amazon EC2 in a VPC. A recent change in security requirements states that traffic between the company’s application and the S3 bucket must never leave the Amazon network. What AWS feature can provide this functionality?
A. Security Groups
B. NAT gateways
C. Virtual private gateway
D. Amazon VPC endpoints
76. An organization with a large IT department has decided to migrate to AWS . With different jobs functions in departments and is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership. What the best method to allow access using current LDAP credentials ?
A. Create an AWS directory service simple AD . Replicate the onpremise LDAP directory to simple AD
B. Create Lambda function to read LDAP groups and automate the creation of IAM users
C. Use AWS Cloud Formations to create IAM roles . Deploy direct connect to allow access to the on-premises LDAP server.
D. Federate the LDAP directory with IAM using SAML. Create different IAM roles correspond to different LDAP group to limit permissions.
77. An Sysops Administrator must set up notifications for whenever combined billing exceeds a certain threshold for all AWS account within company. The Administrator has set up AWS Organizations and enabled Consolidate billing. Which additionals steps must the Administrator perform to setup the billing alerts?
A. On the payer account Enable billing alerts in the Billing and Cost management console ; publish an Amazon SNS message when the billing alerts triggers.
B. On each account Enable billing alerts in the billing and cost management console ; setup a billing alarm in Amazon Cloudwatch; publish an SNS message when the alarm triggers.
C. On the payer account Enable billing alerts in the billing and cost management console; setup a billing alarm in the billing and cost management console to publish an SNS message when the alarm triggers.
D. On the payer account Enable billing alerts in the billing and cost management console; setup billing alarm in Amazon Cloudwatch , publish an SNS message when the alarm triggers.
78. An organization has been running their website on several m2 Linux instance behind a classic load balancer for more than two years. Traffic and utilization have been constant and predictable. What should the organization do to reduce cost ?
A. Purchase reserved instances for the specific m2 instances.
B. Change the m2 instances type to equivalent m5 types and purchase reserved instances for specific m5 instances.
C. Change the classic load balancer to an application load balancer and purchase reserved instances for the specific m2 instances.
D. Purchase spot instances for the specific m2 instances.
79. An application developers are reporting access denied errors when trying to list the content in s3 bucket with IAM Role ARN “arn:aws:iam:11111111:user/application”. The following s3 bucket policy:
How should a SysOps Administrator modify the S3 bucket policy to fix the issue?
A. Change the “Effect” from “Allow” to “Deny”
B. Change the “Action” from “S3:List*” to “S3:ListBucket”
C. Change the “Resource” from “arn:aws:s3:::bucketname/*” to “arn:aws:s3:::bucketname”
D. Change the “Principal” from “arn:aws:iam::11111111:user/application” to “arn:aws:iam:1111111:role/application”
80. A Company creates custom AMI images by launching new Amazon EC2 instance from an Amazon Cloudformation template. AMI images is installed software through AWS OpsWorks and take image of each EC2 instance. The process of installing software take a long times, the process stalls due to installations errors. The SysOps administrator must modify the Cloudformation Template so if the process stalls, stacks will rollback. Based on the requirements, what should be added to the template?
A. Conditions with a timeout set to 4 hours
B. CreationPolicy with a timeout set to 4 hours
C. DependOn with a timeout set to 4 hours
D. MetaData with a timeout set to 4 hours