AWS-SysOps Free Practice Test

- (Exam Topic 1)
A SysOps administrator is setting up a fleet of Amazon EC2 instances in an Auto Scaling group for an application. The fleet should have 50% CPU available at that times to accommodate bursts of traffic. The load will increase significantly between the hours of 09:00 and 17:00,7 days a week
How should the SysOps administrator configure the scaling of the EC2 instances to meet these requirements?

1. A. Create a target tracking scaling policy that runs when the CPU utilization is higher than 90%
2. B. Create a target tracking scaling policy that runs when the CPU utilization is higher than 50%. Create a scheduled scaling policy that ensures that the fleet is available at 09:00 Create a second scheduled scaling policy that scales in the fleet at 17:00
3. C. Set the Auto Scaling group to start with 2 instances by setting the desired instances maximum instances, and minimum instances to 2 Create a scheduled scaling policy that ensures that the fleet is available at 09:00
4. D. Create a scheduled scaling policy that ensures that the fleet is available at 09.00. Create a second scheduled scaling policy that scales in the fleet at 17:00

Correct Answer: B

- (Exam Topic 1)
A company hosts a web portal on Amazon EC2 instances. The web portal uses an Elastic Load Balancer (ELB) and Amazon Route 53 for its public DNS service. The ELB and the EC2 instances are deployed by way of a single AWS CloudFormation stack in the us-east-1 Region. The web portal must be highly available across multiple Regions.
Which configuration will meet these requirements?

1. A. Deploy a copy of the stack in the us-west-2 Regio
2. B. Create a single start of authority (SOA) record in Route 53 that includes the IP address from each EL
3. C. Configure the SOA record with health check
4. D. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record.
5. E. Deploy a copy of the stack in the us-west-2 Regio
6. F. Create an additional A record in Route 53 that includes the ELB in us-west-2 as an alias targe
7. G. Configure the A records with a failover routing policy and health check
8. H. Use the ELB in us-east-1 as the primary record and the ELB in us-west-2 as the secondary record.
9. I. Deploy a new group of EC2 instances in the us-west-2 Regio
10. J. Associate the new EC2 instances with the existing ELB, and configure load balancer health checks on all EC2 instance
11. K. Configure the ELB to update Route 53 when EC2 instances in us-west-2 fail health checks.
12. L. Deploy a new group of EC2 instances in the us-west-2 Regio
13. M. Configure EC2 health checks on all EC2 instances in each Regio
14. N. Configure a peering connection between the VPC
15. O. Use the VPC in us-east-1 as the primary record and the VPC in us-west-2 as the secondary record.

Correct Answer: B
When you create a hosted zone, Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html#migrate-dns-crea
https://en.wikipedia.org/wiki/SOA_record

- (Exam Topic 1)
A company needs to restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only. All traffic must be over the AWS private network.
What actions should the SysOps administrator take to meet these requirements?

1. A. Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
2. B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
3. C. Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket.
4. D. Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway.

Correct Answer: B
While IAM policy (letter A) also can be used, it does not enforce everyone. The only option that enforces everyone is policy configured directly in the bucket S3.

- (Exam Topic 1)
A company is attempting to manage its costs in the AWS Cloud. A SysOps administrator needs specific company-defined tags that are assigned to resources to appear on the billing report.
What should the SysOps administrator do to meet this requirement?

1. A. Activate the tags as AWS generated cost allocation tags.
2. B. Activate the tags as user-defined cost allocation tags.
3. C. Create a new cost categor
4. D. Select the account billing dimension.
5. E. Create a new AWS Cost and Usage Repor
6. F. Include the resource IDs.

Correct Answer: B
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.html "User-defined tags are tags that you define, create, and apply to resources. After you have created and applied the user-defined tags, you can activate by using the Billing and Cost Management console for cost allocation tracking. "
To meet this requirement, the SysOps administrator should activate the company-defined tags as user-defined cost allocation tags. This will ensure that the tags appear on the billing report and that the resources can be tracked with the specific tags. The other options (activating the tags as AWS generated cost allocation tags, creating a new cost category and selecting the account billing dimension, and creating a new AWS Cost and Usage Report and including the resource IDs) will not meet the requirements and are not the correct solutions for this issue.

- (Exam Topic 1)
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?

1. A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR range
2. B. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Log
3. C. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
4. D. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instance
5. E. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
6. F. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requestsfrom noncorporate CIDR range
7. G. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
8. H. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by ta
9. I. Tag the EC2 instances with an identifie
10. J. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.

Correct Answer: C
https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aw