A company has a new requirement stating that all resources in AWS must be tagged according to a set policy.
Which AWS service should be used to enforce and continually identify all resources that are not in compliance with the
policy?
C
Explanation:
Reference: https://aws.amazon.com/config/
A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB
instance. A SysOps administrator must update the template to ensure that the DB instance is created before the EC2
instance is launched.
What should the SysOps administrator do to meet this requirement?
B
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of
compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
A
Explanation:
Reference: https://cloudkul.com/blog/how-to-encrypt-aws-rds-database/
A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The
instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the
application highly available.
Which action should the SysOps administrator take to meet this requirement?
C
A development team recently deployed a new version of a web application to production. After the release, penetration
testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?
B
Explanation:
Reference: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-xss-match.html
A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be
deleted.
What is the SIMPLEST approach the SysOps administrator can take to ensure S3 buckets in those accounts can never be
deleted?
B
The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in
the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in
use and the total available IAM policies.
Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?
A
Explanation:
Reference: https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html#iam-policies
An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department,
it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group
membership.
What is the BEST method to allow access using current LDAP credentials?
D
Explanation:
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
A company is testing Amazon Elasticsearch Service (Amazon ES) as a solution for analyzing system logs from a fleet of
Amazon EC2 instances. During the test phase, the domain operates on a single-node cluster. A SysOps administrator needs
to transition the test domain into a highly available production-grade deployment.
Which Amazon ES configuration should the SysOps administrator use to meet this requirement?
B
A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an
on-premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53
should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic
should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set
appropriately for both primary and secondary servers.
Which next step should be taken to configure Route 53?
C
Explanation:
Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-how-route-53-chooses-records.html