AWS-SysOps Free Practice Test

- (Exam Topic 1)
A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company's security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.
Which solution will meet these requirements in the MOST secure manner?

1. A. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to an IAM use
2. B. Share the user credentials with the security administrator.
3. C. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC action
4. D. Assign the policy to an IAMuse
5. E. Share the user credentials with the security administrator.
6. F. Create an IAM policy in each developer account that has administrator access related to VPC resources.Assign the policy to a cross-account IAM rol
7. G. Ask the security administrator to assume the role from their account.
8. H. Create an IAM policy in each developer account that has read-only access related to VPC resources Assign the policy to a cross-account IAM role Ask the security administrator to assume the role from their account.

Correct Answer: D

- (Exam Topic 1)
A SysOps administrator is using AWS Systems Manager Patch Manager to patch a fleet of Amazon EC2 instances. The SysOps administrator has configured a patch baseline and a maintenance window. The SysOps administrator also has used an instance tag to identify which instances to patch.
The SysOps administrator must give Systems Manager the ability to access the EC2 instances. Which additional action must the SysOps administrator perform to meet this requirement?

1. A. Add an inbound rule to the instances' security group.
2. B. Attach an 1AM instance profile with access to Systems Manager to the instances.
3. C. Create a Systems Manager activation Then activate the fleet of instances.
4. D. Manually specify the instances to patch Instead of using tag-based selection.

Correct Answer: A

- (Exam Topic 1)
A company is creating a new multi-account architecture. A Sysops administrator must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 identity provider (IdP).
What should the SysOps administrator do to meet these requirements?

1. A. Configure an Amazon Cognito user poo
2. B. Integrate the user pool with the third-party IdP.
3. C. Enable and configure AWS Single Sign-On with the third-party IdP.
4. D. Federate the third-party IdP with AWS Identity and Access Management (IAM) for each AWS account in the organization.
5. E. Integrate the third-party IdP directly with AWS Organizations.

Correct Answer: A

- (Exam Topic 1)
A SysOps administrator needs to give users the ability to upload objects to an Amazon S3 bucket. The SysOps administrator creates a presigned URL and provides the URL to a user, but the user cannot upload an object to the S3 bucket. The presigned URL has not expired, and no bucket policy is applied to the S3 bucket.
Which of the following could be the cause of this problem?

1. A. The user has not properly configured the AWS CLI with their access key and secret access key.
2. B. The SysOps administrator does not have the necessary permissions to upload the object to the S3 bucket.
3. C. The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.
4. D. The object already has been uploaded through the use of the presigned URL, so the presigned URL is no longer valid.

Correct Answer: B

- (Exam Topic 1)
A company has multiple AWS Site-to-Site VPN connections between a VPC and its branch offices. The company manages an Amazon Elasticsearch Service (Amazon ES) domain that is configured with public
access. The Amazon ES domain has an open domain access policy. A SysOps administrator needs to ensure that Amazon ES can be accessed only from the branch offices while preserving existing data.
Which solution will meet these requirements?

1. A. Configure an identity-based access policy on Amazon E
2. B. Add an allow statement to the policy that includes the Amazon Resource Name (ARN) for each branch office VPN connection.
3. C. Configure an IP-based domain access policy on Amazon E
4. D. Add an allow statement to the policy that includes the private IP CIDR blocks from each branch office network.
5. E. Deploy a new Amazon ES domain in private subnets in a VPC, and import a snapshot from the old domai
6. F. Create a security group that allows inbound traffic from the branch office CIDR blocks.
7. G. Reconfigure the Amazon ES domain in private subnets in a VP
8. H. Create a security group that allows inbound traffic from the branch office CIDR blocks.

Correct Answer: B