AWS Certified SysOps Administrator Practice Exam Part 3iam.awslagi
Notes: Hi all, AWS Certified SysOps Administrator Associate Practice Exam will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics.
We highly recommend you should take AWS Certified SysOps Administrator Associate Guarantee Part because it include real questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.
For PDF Format:
Part 1: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-1
Part 2: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-2
Part 3: https://www.awslagi.com/aws-certified-sysops-practice-exam-part-3
For Audio Version:
For Quiz Format:
Part 1: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-1-quiz
Part 2: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-2-quiz
Part 3: https://www.awslagi.com/aws-certified-sysops-administrator-associate-soa-c01-part-3-quiz
81. A Company static website hosted on Amazon S3 was launched recently and is being used. Currently users are experiencing 503 services unavailable errors. Why are these errors occuring?
A. The request rate to Amazon S3 is too high
B. There is an error with the Amazon RDS database.
C. The requests to Amazon S3 do not have the proper permissions
D. The users are in a different geographical region and Amazon Route53 is restricting access
82. A Company is releasing a new static website hosted on Amazon S3. However, upon navigating to the site, the following error messages is received.
403 Forbidden - Access Denied
What change should be made to fix this error?
A. Add a bucket policy that grants everyone read access to the bucket
B. Add a bucket policy that grants everyone read access to the bucket objects
C. Remove the default bucket policy that denies read access to the bucket
D. Configure cross-origin resource sharing (CORS) on the bucket
83. A company has created an online retail application that is hosted on a fleet of EC2 instances behind of ELB application load balancer, authentication is handled at the individual EC2 instance level. Once a user is authenticated, all request have go to the same EC2 instance. What should the SysOps Administrator enable to meet these requirements?
A. ELB TCP listeners
B. ELB Sticky Sessions
C. ELB connection draining
D. ELB cross-zone load balancing
84. A SysOps Administrator is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Administrator wants to be notified automatically of AWS Personal Health Dashboard events. In the main payer account, the Administrator configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger. Why did the alerts fail?
A. Amazon SNS cannot be triggered from the AWS Personal health Dashboard
B. The AWS personal health dashboard only reports events from one a account, not linked account
C. The AWS Personal Health Dashboard must be configured from the payer account only; all events will then roll up into the payer account.
D. AWS Organizations must be used to monitor linked accounts.
85. The security team has decided that there will be no public internet access to HTTP (TCP port 80 ) because it is moving to HTTPS for all incoming web traffic. The team had asked a SysOps Administrator to provide a report on any security groups that are not compliant. What should the AWS SysOps Administrator do to provide near real time compliance reporting?
A. Enable AWS Trusted Advisor and show the security team that the security groups unrestricted access will check alarm
B. Schedule and AWS lambda function to run hourly to scan and evaluate all security groups and send report to the security team.
C. Use AWS config to enable the restricted common port rule and add port 80 to parameters
D. Use Amazon Inspector to evaluate the security groups during scans, and send the completed reports to the Security team.
86. According to the shared responsibility model, for which of the following Amazon EC2 activities is AWS responsible? (Choose two.)
A. Patching the guest operating system
B. Monitoring memory utilization
C. Configuring network ACLs
D. Patching the hypervisor
E. Maintaining network infrastructure
Answer: D E
87. A company use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details of daily spending to share with management. Which method should the Administrator choose to produce this data?
A. Share the monthly AWS bill with management.
B. Use AWS CloudTrail Logs to access daily costs in JSON format.
C. Set up daily Cost and Usage Report and download the output from Amazon S3.
D. Monitor AWS costs with Amazon Cloud Watch and create billing alerts and notifications.
88. A SysOps Administrator is managing an application that runs on Amazon EC2 instances behind and application load balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The applications stores data in Amazon RDS MySQL DB instance. The Administrator must ensure that that application stays available if the database becomes unresponsive. How can these requirements be met?
A. Create read replicas for the RDS database and use them in case of a database failure.
B. Create a new RDS instance from the snapshot of the original RDS instance if a failure occurs.
C. Keep a separate RDS database running and switch the endpoint in the web application if a failure occurs.
D. Modify the RDS instance to be a Multi-AZ deployment.
89. A company has Sales department and Marketing department. The company uses one AWS account. There is a need to determine what charges are incurred on the AWS platform by each department. There is also a need to receive notifications when a specified cost level is approached or exceeded. Which two actions must a SysOps Administrator take to achieve both requirements with the LEAST amount of administrative overhead? (Choose two.)
A. Use AWS Trusted Advisor to obtain a report containing the checked items in the Cost Optimization pillar.
B. Download the detailed billing report, upload it to a database, and match the line items with a list of known resources by department.
C. Create a script by using the AWS CLI to automatically apply tags to existing resources to each department. Schedule the script to run weekly.
D. Use AWS Organizations to create a department Organizational Unit and allow only authorized personnel in each department to create resources.
E. Create a Budget from the Billing and Cost Management console. Specify the budget type a Cost, assign tags for each department, define notifications, and specify any other options as required.
Answer: A E
90. On a weekly basis, the Administrator for a photo sharing website receives an archive of all files users have uploaded the previous week. These file archives can be as a large as 10TB in size. For legal reasons, these archives must be saved with no possibility of someone deleting or modifying these archives. Occasionally, there may be a need to view the contents, but it is expected that retrieving them can take three or more hours. What should the Administrator do with the weekly archive?
A. Uploaded the file to Amazon S3 through the AWS management console and apply lifecycle policy to change the storage class to Amazon Glacier.
B. Upload the archive to the Amazon Glacier with the AWS CLI and enable Vault Lock.
C. Create a Linux EC2 instance with an encrypted Amazon EBS volume and copy each weekly archive file for this instance
D. Create a file gateway attached to a file share on an S3 bucket with the storage class S3 Infrequent Access. Upload the archives via the gateway
91. A company wants to ensure that each department operates within their own isolated environment and that they are only able to use pre-approved services. How can this requirement be met?
A. Setup an AWS Organization to create accounts for each department and apply services control policies to control access to AWS services.
B. Create IAM roles for each department, and set policies that grant access to specific AWS services.
C. Use the AWS Service Catalog to create catalogs of AWS services that are approved for use by each department.
D. Request that each department create and manage its own AWS account and the resources within it.
92. An Amazon EC2 instance is unable to connect to an SMTP server in a different subnet. Other instance are successfully communicating with the SMTP server, however VPC flow logs have been enabled on the SMTP server’s network interface and show the following information.
2223342796652 eni-abe77dab 10.1.1.200 10.100.1.10 1123 25 17 70 48252 1515534437 1515535037 REJECT OK
What can be done to correct problem?
A. Add the instance to the security group for the SMTP server and ensure that is permitted to communicate over TCP port 25.
B. Disable the iptables service on the SMTP server so that the instance can properly communicate over the network.
C. Install an email client on the instance to ensure that it communicates correctly on TCP port 25 to the SMTP server.
D. Add a rule to the security group for the instance to explicitly permit TCP port 25 outbound to any address.
93. A web application accepts orders from online users and places the orders into an Amazon SQS queue. Amazon EC2 instances in an EC2 Auto Scaling group read the messages from the queue, process the orders, and email order confirmations to the users. The Auto Scaling group scales up and down based on the queue depth. At the beginning of each business day, users report confirmation emails are delayed. What action will be address this issues?
A. Create a scheduled scaling action to scale up in anticipation of the traffic.
B. Change the Auto Scaling group to scale up and down based on CPU utilization
C. Change the launch configuration to launch larger EC2 instance types
D. Modify the scaling policy to deploy more EC2 instances when scaling up
94. An Applications team has successfully deployed an AWS CloudFormation stack consisting of 30 t2-medium Amazon EC2 instances in the us-west-2 Region. When using the same template to launch a stack in us-east-2, the launch failed and rolled back after launching only 10 EC2 instances. What is a possible cause of this failure?
A. The IAM user did not have privileges to launch the CloudFormation template.
B. The t2 medium EC2 instance service limit was reached
C. An AWS Budgets threshold was breached
D. The application’s Amazon Machine Image (AMI) is not available in us-east-2
95. A SysOps Administrator is receiving multiple reports from customers that they are unable to connect to the company’s website. which is being served through Amazon CloudFront. Customers are receiving HTTP response codes for both 4XX and 5XX errors. Which metric can the Administrator use to monitor the elevated error rates in CloudFront?
96. An organization stores sensitive customer information in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information. Which steps should a Sysops administrator take to meet the CISO requirement? ( Select TWO)
A. Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization.
B. Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs.
C. Use Amazon Athena to query S3 Analytics reports for HTTP 403 errors, and determine the IAM user or role making the requests.
D. Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.
E. Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests.
Answer: B C
97. A SysOps Administrator is responsible for a large fleet of EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead?
A. Monitor AWS CloudTrail for StopInstances API calls related to upcoming maintenance.
B. Review the Personal Health Dashboard for any scheduled maintenance
C. From the AWS Management Console, list any instances with failed system status checks.
D. Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring.
98. Malicious traffic is reaching company web servers from a single IP address located in another country. The SysOps Administrator is tasked with blocking this IP address. How should the Administrator implement the restriction?
A. Edit the security group for the web servers and add a deny entry for the IP address
B. Edit the network access control list for the web server subnet and add a deny entry for the IP address
C. Edit the VPC route table to route the malicious IP address to a black hole
D. Use Amazon CloudFront’s geo restriction feature to block traffic from the IP address
99. A company website hosts patches for software that is sold globally. The website runs in AWS and performs well until a large software patch is released. The flood of downloads puts a strain on the web servers and leads to a poor customer experience. What can the SysOps Administrator propose to enhance customer experience, create a more available web platform, and keep costs low?
A. Use an Amazon CloudFront distribution to cache static content, including software patches
B. Increase the size of the NAT instance to improve throughput
C. Scale out of web servers in advance of patch releases to reduce Auto Scaling delays
D. Move the content to IO1 and provision additional IOPS to the volume that contains the software patches
100. A website uses Elastic Load Balancing (ELB) in front of several Amazon EC2 instances backed by an Amazon RDS database. The content is dynamically generated for visitors of a webpage based on their geographic location. and is updated daily. Some of the generated objects are large in size and are taking longer to download than they should, resulting in a poor user experience. Which approach will improve the user experience?
A. Implement Amazon ElastiCache to cache the content and reduce the load on the database.
B. Enable an Amazon CloudFront distribution with Elastic Load Balancing as a custom origin.
C. Use Amazon S3 to store and deliver the content.
D. Enable Auto Scaling for the EC2 instances so that they can scale automatically.
101. A workload has been moved from a data center to AWS. Previously, vulnerability scans were performed nightly by an external testing company. There is a mandate to continue the vulnerability scans in the AWS environment with third-party testing occurring at least once each month. What solution allows the vulnerability scans to continue without violating the AWS Acceptable Use Policy?
A. The existing nightly scan can continue with a few changes. The external testing company must be notified of the new IP address of the workload and the security group of the workload must be modified to allow scans from the external company’s IP range .
B. If the external company is a vendor in the AWS Marketplace, notify them of the new IP address of the workload
C. Submit a penetration testing request every 90 days and have the external company test externally when the request is approved.
D. AWS performs vulnerability testing behind the scenes daily and patches instances as needed. If a vulnerability cannot be automatically addressed, a notification email is distributed.
102. A web service runs on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. External clients must whitelist specific public IP addresses in their firewalls to access the service. What load balancer or ELB feature should be used for this application?
A. Network Load Balancer
B. Application Load Balancer
C. Classic Load Balancer
D. Load balancer target groups
103. A SysOps Administrator receives reports of an Auto Scaling group failing to scale when the nodes running Amazon Linux in the cluster are constrained by high memory utilization. What should the Administrator do to enable scaling to better adapt to the high memory utilization?
A. Create a custom script that pipes memory utilization to Amazon S3, then, scale with an AWS Lambda-powered event
B. Install the Amazon CloudWatch memory monitoring scripts, and create a custom metric based on the script’s results
C. Increase the minimum size of the cluster to meet memory and application load demands
D. Deploy an Application Load Balancer to more evenly distribute traffic among nodes
104. A SysOps Administrator attempting to delete an Amazon S3 bucket ran the following command: aws s3 rb s3://mybucket The command failed and bucket still exists. The administrator validated that no files existed in the bucket by running aws s3 1s s3://mybucket and getting an empty response. Why is the Administrator unable to delete the bucket, and what must be done to accomplish this task?
A. The bucket has MFA Delete enabled, and the Administrator must turn it off.
B. The bucket has versioning enabled, and the Administrator must permanently delete the objects’ delete markers.
C. The bucket is storing files in Amazon Glacier, and the Administrator must wait 3-5 hours for the files to delete.
D. The bucket has server-side encryption enabled, and the Administrator must run the aws s3 rb s3://my bucket — sse command.
105. A company has two AWS accounts: development and production. All applications send logs to a specific Amazon S3 bucket for each account, and the Developers are requesting access to the production account S3 buckets to view the logs. Which is the MOST efficient way to provide the Developers with access?
A. Create an AWS Lambda function with an IAM role attached to it that has access to both accounts’ S3 buckets. Pull the logs from the production S3 bucket to the development S3 bucket.
B. Create IAM users for each Developer on the production account, and add the Developers to an IAM group that provides read-only access to the S3 log bucket.
C. Create an Amazon EC2 bastion host with an IAM role attached to it that has access to the production S3 log bucket, and then provision access for the Developers on the host.
D. Create a resource-based policy for the S3 bucket on the production account that grants access to the development account, and then delegate access in the development account.
106. A web application runs on Amazon EC2 instances behind an Elastic Load Balancing Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps Administrator has notice that some EC2 instances show up healthy in the Auto Scaling console but show up as unhealthy in the ALB target console. What could be the issue?
A. The health check grace period for the Auto Scaling group is set too low; increase it
B. The target group health check is incorrectly configured and needs to be adjusted
C. The user data or AMI used for the Auto Scaling group launch configuration is incorrect
D. The Auto Scaling group health check type is based on EC2 instance health instead of Elastic Load Balancing health checks
107. A company is running critical applications on Amazon EC2 instances. The company needs to ensure its resources are automatically recovered if they become impaired due to an underlying hardware failure. Which service can be used to monitor and recover the EC2 instances?
A. Amazon EC2 Systems Manager
B. Amazon Inspector
C. AWS CloudFormation
D. Amazon CloudWatch
108. A company requires that all access from on-premises applications to AWS services go over its AWS Direct Connect connection rather than the public internet. How would a SysOps Administrator implement this requirement?
A. Implement an IAM policy that uses the aws:sourceConnection condition to allow access for the AWS Direct Connect connection ID only
B. Set up a public virtual interface on the AWS Direct Connect connection
C. Configure AWS Shield to protect the AWS Management Console from being accessed by IP addresses other than those within the data center ranges
D. Update all the VPC network ACLs to allow access from the data center IP ranges
109. A SysOps Administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company’s account. The Administrator must be alerted to potential issues. What should the Administrator do to receive email alerts before low storage space affects EC2 instance performance?
A. Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications
B. Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic
C. Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic
D. Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space
110. A company’s Information Security team has requested information on AWS environment compliance for Payment Card Industry (PCI) workloads. They have requested assistance in understanding what specific areas of the PCI standards are the responsibility of the company. Which AWS tool will provide the necessary information?
A. AWS Macie
B. AWS Artifact
C. AWS OpsWorks
D. AWS Organizations
111. 111. A company uses AWS CloudFormation to deploy its application infrastructure. Recently, a user accidentally changed a property of a database in a CloudFormation template and performed a stack update that caused an interruption to the application. A SysOps Administrator must determine how to modify the deployment process to allow the DevOps team to continue to deploy the infrastructure, but prevent against accidental modifications to specific resources. Which solution will meet these requirements?
A. Set up an AWS Config rule to alert based on changes to any Cloud Formation stack. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
B. Set up an Amazon CloudWatch Events event with a rule to trigger based on any CloudFormation API call. An AWS Lambda function can then describe the stack to determine if any protected resources were modified and cancel the operation.
C. Launch the CloudFormation templates using a stack policy with an explicit allow for all resources and an explicit deny of the protected resources with an action of Update:*
D. Attach an IAM policy to the DevOps team role that prevents a CloudFormation stack from updating, with a condition based on the specific Amazon Resource names (ARNs) of the protected resources.
112. A company recently implemented an Amazon S3 lifecycle rule that accidentally deleted objects from one of its S3 buckets. The bucket has S3 versioning enabled. Which actions will restore the objects? (Choose two.)
A. Use the AWS Management Console to delete the object delete markers.
B. Create a new lifecycle rule to delete the object delete markers that were created.
C. Use the AWS CLI to delete the object delete markers while specifying the version IDs of the delete markers.
D. Modify the existing lifecycle rule to delete the object delete markers that were created.
E. Use the AWS CLI to delete the object delete markers while specifying the name of the objects only.
Answer: A D
113. An application running on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones was deployed using an AWS CloudFormation template. The SysOps team has patched the Amazon Machine Image (AMI) version and must update all the EC2 instances to use the new AMI. How can the SysOps Administrator use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity?
A. Run the aws cloudformation update-stack command with the – rollback-configuration option
B. Update the CloudFormation template with the new AMI ID, then reboot the EC2 instances
C. Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack
D. Set an AutoScalingUpdate policy in the CloudFormation template to update the stack.
114. An AWS CodePipeline in us-east-1 returns “InternalError” with the code “JobFailed” when launching a deployment using an artifact from an Amazon S3 bucket in us-west-1. What is causing this error?
A. S3 Transfer Acceleration is not enabled.
B. The S3 bucket is not in the appropriate region.
C. The S3 bucket is being throttled.
D. There are insufficient permissions on the artifact in Amazon S3.
115. A SySOps Administrator is managing an AWS account where Developers are authorized to launch Amazon EC2 instances to test new code. To limit costs, the Administrator must ensure that the EC2 instances in the account are terminated 24 hours after launch. How should the Administrator meet these requirements?
A. Create an Amazon CloudWatch alarm based on the CPUUtilization metric. When the metric is 0% for 24 hours, trigger an action to terminate the EC2 instance when the alarm is triggered.
B. Create an AWS Lambda function to check all EC2 instances and terminate instances running more than 24 hours. Trigger the function with an Amazon CloudWatch Events event every 15 minutes.
C. Add an action to AWS Trusted Advisor to turn off EC2 instances based on the Low Utilization Amazon EC2 Instances check, terminating instances identified by Trusted Advisor as running for more than 24 hours.
D. Install the unified Amazon CloudWatch agent on every EC2 instance. Configure the agent to terminate instances after they have been running for 24 hours.
116. A SysOps Administrator created an Application Load balancer (ALB) and placed two Amazon EC2 instances in the same subnet behind the ALB. During monitoring, the Administrator observes HealthyHostCount drop to 1 in Amazon CloudWatch. What is MOST likely causing this issue?
A. The EC2 instances are in the same Availability Zone, causing contention between the two.
B. The route tables are not updated to allow traffic to flow between the ALB and the EC2 instances.
C. The ALB health check has failed, and the ALB has taken EC2 instances out of service.
D. The Amazon Route 53 health check has failed, and the ALB has taken EC2 instances out of service.
117. A company has centralized all its logs into one Amazon CloudWatch Logs log group. The SysOps Administrator is to alert different teams of any issues relevant to them. What is the MOST efficient approach to accomplish this?
A. Write a AWS lambda function that will query the logs every minute and contain the logic of which team to notify on which patterns and issues.
B. Set up different metric filters for each team based on patterns and alerts. Each alarm will notify the appropriate notification list.
C. Redesign the aggregation of logs so that each team’s relevant parts are sent to a separate log group, then subscribe each team to its respective log group.
D. Create an AWS Auto Scaling group of Amazon EC2 instances that will scale based on the amount of ingested log entries. This group will pull streams, look for patterns, and send notifications to relevant teams.
118. An Amazon S3 bucket in a SysOps Administrator account can be accessed by users in other SWS accounts. How can the Administrator ensure that the bucket is only accessible to members of the Administrator’s AWS account?
A. Move the S3 bucket from a public subnet to a private subnet in the Amazon VPC.
B. Change the bucket access control list (ACL) to restrict access to the bucket owner.
C. Enable server-side encryption for all objects in the bucket.
D. Use only Amazon S3 presigned URLs for accessing objects in the bucket.
119. A company received its latest bill with a large increase in the number of requests against Amazon SQS as compared to the month prior. The company is not aware of any changes in its SQS usage. The company is concerned about the cost increase and who or what was making these calls. What should the SysOps Administrator use to validate the calls made to SQS?
A. AWS CloudTrail
B. Amazon CloudWatch
C. AWS Cost Explorer
D. Amazon S3 server access logs
120. A SysOps Administrator responsible for an e-commerce web application observes the application does not launch new Amazon EC2 instances at peak times, even though the maximum capacity of the Auto Scaling group has not been reached. What should the Administrator do to identify the underlying problem? (Choose two.)
A. Monitor service limits in AWS trusted Advisor.
B. Analyze VPC Flow Logs.
C. Monitor limits in AWS Systems Manager.
D. Use Amazon inspector to gather performance information.
E. Check the response for RunInstance requests in AWS CloudTrail logs.
Answer: A E