New Udemy Flashcards
A global technology company has a cloud architecture that uses various VPCs across multiple regions. To monitor their entire system, you were instructed to aggregate the CPU Utilization of their Reserved EC2 instances running in all of their VPCs.
How can you implement this requirement in the easiest way possible with minimal additional costs? (Select TWO.)
Use the AWS Service Health Dashboard to check the aggregated CPU Utilization of all of your EC2 instances in all regions.
Enable basic monitoring for all EC2 instances.
Enable detailed monitoring for all EC2 instances.
Set up a CloudWatch dashboard. Add a widget and select Cross-Region under Graph Metric to aggregate the CPU Utilization of all Reserved EC2 instances in all regions.
Set up a CloudWatch dashboard. Add a widget and choose Math expression under Graph Metric to query and aggregate the CPU Utilization of all Reserved EC2 instances in all regions.
Set up a data dashboard in AWS QuickSight. Add a widget for each region that contains the aggregated CPU utilization for all EC2 instances that are running on a specific region.
Enable detailed monitoring for all EC2 instances.
Set up a CloudWatch dashboard. Add a widget and choose Math expression under Graph Metric to query and aggregate the CPU Utilization of all Reserved EC2 instances in all regions.
You can aggregate the metrics for AWS resources across multiple accounts and Regions. For example, you can aggregate statistics for your EC2 instances that have detailed monitoring enabled. Instances that use basic monitoring are not included. Therefore, you must enable detailed monitoring (at an additional charge), which provides data in 1-minute periods.
An accounting firm has created a set of CloudFormation stacks which are used to deploy various application environments in their VPC. Due to the tax filing season, one of the underlying EC2 Instances which was launched as part of the CloudFormation stack needs to be changed and upgraded to a higher Instance type.
Which of the following is the best way to implement this change?
Launch a new CloudFormation template and deploy it to their VPC.
Directly make the changes to the current CloudFormation stack settings.
Launch a new CloudFormation template to their VPC and delete the older stack.
Launch a new larger EC2 instance and add it to the existing stack.
Directly make the changes to the current CloudFormation stack settings.
When you need to make changes to a stack’s settings or change its resources, you update the stack instead of deleting it and creating a new stack. For example, if you have a stack with an EC2 instance, you can update the stack to change the instance’s AMI ID. When you update a stack, you submit changes, such as new input parameter values or an updated template. AWS CloudFormation compares the changes you submit with the current state of your stack and updates only the changed resources.
When you directly update a stack, you submit changes and AWS CloudFormation immediately deploys them. Use direct updates when you want to quickly deploy your updates.
A company has multiple AWS accounts that are consolidated using AWS Organizations. A Systems Engineer has been tasked to set up a cloud-based single sign-on (SSO) service to centrally manage SSO access to all of the company’s AWS accounts and cloud applications. The Engineer has already created a directory in the master account using the AWS Directory Service. Full access has also been configured by the Engineer in AWS Organizations.
Which of the following should the Engineer configure to complete the setup?
For each member account, set up IAM roles that will be used by AWS SSO. Associate the users with these IAM roles using AWS SSO.
Set up service control policies (SCPs) in AWS Organizations. Associate the SCPs with Directory Service users and groups using the AWS Management Console.
Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.
Set up permission sets in AWS Organizations. Associate the permission sets with AWS SSO users and groups.
Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.
AWS SSO manages access to all your AWS Organizations accounts, AWS SSO-integrated applications, and other business applications that support the Security Assertion Markup Language (SAML) 2.0 standard.
You can configure your identity source in AWS SSO to determine where your users and groups are stored. Once configured, you can then look up users or groups in your store to grant them single sign-on access to AWS accounts, cloud applications, or both.
A SysOps Administrator is monitoring and handling groups of EC2 instances using AWS Systems Manager. Whenever there are batch operations such as maintenance and OS patching on these instances, the Administrator can rely on the Systems Manager to automatically perform these activities.
What other tasks can the Administrator perform with automation in Systems Manager? (Select TWO.)
Set synchronized EC2 instance restart times even without proper user access to some instances.
Receive notifications about automation tasks and workflows by using CloudWatch Events.
Allow unlimited concurrent automation executions without duration limits.
Create custom workflows or use pre-defined workflows maintained by AWS.
Design Automation documents that are securely tied to the user and cannot be shared to others.
Receive notifications about automation tasks and workflows by using CloudWatch Events.
Create custom workflows or use pre-defined workflows maintained by AWS.
These are the automation capabilities of Systems Manager that you can perform on EC2 instances:
- Build automations to configure and manage instances and AWS resources.
- Create custom runbooks or use pre-defined runbooks maintained by AWS.
- Receive notifications about Automation tasks and runbooks by using Amazon EventBridge.
- Monitor Automation progress and details by using the AWS Systems Manager console.
The option that says: Set synchronized EC2 instance restart times even without proper user access to some instances is incorrect because access to Systems Manager requires credentials. Those credentials must have permissions to access AWS resources for different tasks. You can have valid credentials to authenticate your requests but unless you have permissions, you cannot create or access Systems Manager resources.
The option that says: Allow unlimited concurrent automation executions without duration limits is incorrect because Systems Manager has service limits on the number of concurrently executing automations (25) and on the maximum duration an automation execution can run (12 hours).
A company is using several S3 buckets to store important inventory records of the online supply chain portal. They have an internal management application hosted on a private subnet of the VPC that needs to modify the contents of the S3 bucket and send a report to a partner company via the public Internet. The SysOps Administrator has created a gateway VPC endpoint for S3 as preparation for this requirement.
Which of the following actions should the Administrator do next?
Use a NAT gateway to directly send traffic to the VPC S3 endpoint.
Use a NAT gateway to enable the instance to send traffic to the Internet and VPC S3 endpoint.
Update the private subnet’s route table to directly connect to the S3 VPC endpoint and send the outbound Internet traffic to a NAT gateway.
Update the private subnet’s route table to directly send all traffic to the public VPC endpoint.
Update the private subnet’s route table to directly connect to the S3 VPC endpoint and send the outbound Internet traffic to a NAT gateway.
Route Table Connection:
Source: PrivateLink-ID
Destination: Gateway Endpoint
A SysOps Administrator needs to create Linux EC2 clusters on AWS. As per company policy for the security groups of any EC2 instance, the SSH port should not be open to the public and SSH should be configured to listen on a custom port.
How can the Administrator implement a monitoring system that automatically sends a notification when an instance does not follow the configured rules?
Use a CloudWatch custom metric to check if a security group SSH port is open to the public, and then send a notification for non-compliance.
Run a third-party scanning tool on your EC2 instances and have it generate a report of non-compliant instances.
Use a combination of AWS Trusted Advisor and CloudWatch Alarm to flag a security group, which has an SSH port that is open to the public.
Use AWS Config and send a non-compliance notification when a security group SSH port is open to the public.
Use AWS Config and send a non-compliance notification when a security group SSH port is open to the public.
A school is planning on recreating their own website by adding new features to it and making it more interactive for visitors. Because of this, they would like to create subdomains that redirect to the new webpages, while reusing their old parent domain, registered in an external DNS service, for the main page of the website.
What would be a cost-effective solution for creating subdomains without having to migrate the parent domain?
There is no way to do this in AWS.
Provision EC2 servers with elastic IPs attached to them, and use those to host the new webpages. Then use Route 53 A records to point to the elastic IPs, and create NS records to direct subdomain queries.
Create a Route 53 hosted zone for the subdomain. Add records for the new subdomain to your Route 53 hosted zone. Update the DNS service for the parent domain by adding name server records for the subdomain.
Create a new subdomain in Route 53 by registering a domain and transferring the server records to their current DNS service.
Create a Route 53 hosted zone for the subdomain. Add records for the new subdomain to your Route 53 hosted zone. Update the DNS service for the parent domain by adding name server records for the subdomain.
A social media startup needs to allow users to send pictures, videos, and messages to their contacts. The users should have the ability to log in to their profile using any of their social media accounts, and the app should then store the user details in a DynamoDB table.
Which of the following services can satisfy the given requirements? (Select TWO.)
AWS IAM Roles
AWS IAM users
Amazon Cognito
AWS Single Sign-On
AWS Federated Access
Amazon Cognito
AWS IAM Roles
A company registered an account in AWS. After setting up their VPC and launching various AWS resources, you were instructed by the IT Security team to improve its overall security and performance. You must identify the most common security misconfigurations in your cloud resources for you to be able to address and resolve them immediately.
How will you check if you have followed the best practices in cloud security?
Use AWS X-Ray to analyze and debug applications to troubleshoot root causes of performance issues and errors.
Use AWS Config Security Checks to monitor and assess changes in the configurations of AWS resources.
Use AWS Inspector Checks to evaluate whether your assessment targets (your collection of AWS resources) have potential security issues that you need to address.
Use AWS Trusted Advisor Security Checks to inspect your AWS environment and make recommendations on different areas.
Use AWS Trusted Advisor Security Checks to inspect your AWS environment and make recommendations on different areas.
An organization has created block storage volumes using AWS Storage Gateway and mounted them as iSCSI devices to its application servers on-premises. After three months, the organization noticed a performance degradation of its iSCSI devices. The SysOps Administrator has been tasked to check the metrics of each resource. Upon investigation, the Administrator saw that the CacheHitPercent is below 50%, and the CachePercentUsed is above 80%.
Which of the following options should the Administrator do to fix this problem?
Use a larger block size to improve the performance of your tape drives.
Create a snapshot of your volumes and use it to create new volumes.
Launch a new disk with a larger capacity for the cached volume host. Use the AWS Management Console to edit the local disk and configure the new disk as the cached volume.
Implement a RAID 1 configuration in your on-premises environment.
Launch a new disk with a larger capacity for the cached volume host. Use the AWS Management Console to edit the local disk and configure the new disk as the cached volume.
A company that still uses previous generation EC2 instances is currently building an online fashion website which has both development and UAT environments. You deployed the application to an On-Demand m1.small EC2 instance in each environment. While testing the new website, the Operations team noticed performance degradation as they increased the network load in the UAT environment.
In this scenario, how would you mitigate these performance issues in the UAT environment?
Use a Reserved m1.small EC2 instance instead of an On-Demand instance.
Change the m1.small EC2 instance to a larger instance type.
Enable Enhanced Networking.
Attach an additional ENI to the EC2 instance in the UAT environment.
Change the m1.small EC2 instance to a larger instance type.
The m1.small instance type has a low network performance due to its size. To fix this issue, you can use a larger EC2 instance type such as m1.medium, m1.large or m1.xlarge.
A company currently has an application which is hosted in an On-Demand EC2 instance in one Availability Zone. You are instructed to redesign the architecture to make it scalable and highly available. Which of the following should you do to accomplish this task?
Launch an Auto Scaling Group with subnets across 3 AWS regions. Set the minimum, desired, and maximum capacity to 2.
Launch an Auto Scaling Group with subnets across 2 AWS regions. Set a minimum, desired, and maximum capacity to 1.
Launch an Auto Scaling Group with subnets across 3 Availability Zones. Set the desired and maximum capacity to 5.
Launch an Auto Scaling Group with subnets across 2 Availability Zones. Set the minimum and maximum capacity to 1.
Launch an Auto Scaling Group with subnets across 3 Availability Zones. Set the desired and maximum capacity to 5.
A company plans to develop a solution to enforce the tagging of all EC2 instances that will be launched in the VPC, including all of the EBS volumes attached to the instances. This is to allow administrators to easily manage tags on provisioned products with a consistent taxonomy. With this strategy, the company will be able to centrally manage commonly deployed IT services, helping them to achieve consistent governance and meet compliance requirements.
Which of the following is the most suitable solution that they should implement to meet this requirement?
Enable the Cost Allocation Tags feature which will automatically tag your resources.
Manually tag resources using the AWS Tag Editor.
Create a Lambda function that uses the GetResources and TagResources actions of the Resource Groups Tagging API to identify the untagged resources and afterwards, tag them automatically.
Use the AWS Service Catalog TagOption Library.
Use the AWS Service Catalog TagOption Library.
To allow administrators to easily manage tags on provisioned products, AWS Service Catalog provides a TagOption library. A TagOption is a key-value pair managed in AWS Service Catalog. It is not an AWS tag, but serves as a template for creating an AWS tag based on the TagOption.
The TagOption library makes it easier to enforce the following:
- A consistent taxonomy
- Proper tagging of AWS Service Catalog resources
- Defined, user-selectable options for allowed tags
Administrators can associate TagOptions with portfolios and products. During a product launch (provisioning), AWS Service Catalog aggregates the associated portfolio and product TagOptions, and applies them to the provisioned product, as shown in the following diagram.
A SysOps Administrator launched an EBS-backed On-Demand EC2 Instance to host a web application. However, the instance always terminates after going into the pending state.
Which of the following could be the cause of this issue? (Select TWO.)
The root EBS volume is encrypted and you do not have permissions to access the KMS key for decryption.
The limit for EC2 Instances in your region has already been reached.
AWS does not currently have enough available On-Demand capacity to service your request.
The AMI used is corrupted.
The EBS volume limit has been reached.
The following are a few reasons why your EC2 instance goes from the pending state to the terminated state immediately after restarting it:
- You’ve reached your EBS volume limit.
- An EBS snapshot is corrupt.
- The root EBS volume is encrypted and you do not have permissions to access the KMS key for decryption.
- The instance store-backed AMI that you used to launch the instance is missing a required part (an image.part.xx file).
A startup recently launched a web application that uses Amazon ElastiCache for Memcached to store session state. A SysOps Administrator has been tasked to monitor the ElastiCache performance in Amazon CloudWatch. After checking the cache metric data, the Administrator noticed that the number of evictions in the cluster is increasing.
Which of the following options should the Administrator do to improve the performance of the cluster? (Select TWO.)
Increase the number of nodes in your cluster.
Change the node size of your cluster.
Change the value of your TTL to milliseconds.
Increase the number of shards in your cluster.
Use Amazon SNS to send a notification if the evictions count exceeds your chosen threshold.
Increase the number of nodes in your cluster.
Change the node size of your cluster.
Evictions occur when memory is overfilled or greater than the max memory setting in the cache. The node type and the number of nodes will define the cache memory limit.
The option that says: Increase the number of shards in your cluster is incorrect because this is only applicable to Amazon ElastiCache for Redis, and not for Memcached. By increasing the number of shards, you can increase the number of replicas in a Redis cluster.
A company is heavily using AWS CloudFormation templates to automate the deployment of their cloud resources. The SysOps Administrator needs to write a template that will automatically copy objects from an existing S3 bucket into the new one.
Which of the following is the most suitable configuration for this scenario?
Configure the CloudFormation template to modify the existing S3 bucket to allow cross-origin requests.
Set up the CloudFormation template to use the AWS Data Pipeline CopyActivity object to copy the files from the existing S3 bucket to the new S3 bucket.
Configure the CloudFormation template to enable cross-region replication on the existing S3 bucket and select the new S3 bucket as the destination.
Set up an AWS Lambda function and configure it to perform the copy operation. Integrate the Lambda function to the CloudFormation template as a custom resource.
Set up an AWS Lambda function and configure it to perform the copy operation. Integrate the Lambda function to the CloudFormation template as a custom resource.
In an AWS CloudFormation template, you can specify a Lambda function as the target of a custom resource. Use custom resources to process parameters, retrieve configuration values, or call other AWS services during stack lifecycle events. When you associate a Lambda function with a custom resource, the function is invoked whenever the custom resource is created, updated, or deleted. AWS CloudFormation calls a Lambda API to invoke the function and to pass all the request data (such as the request type and resource properties) to the function. The power and customizability of Lambda functions in combination with AWS CloudFormation enable a wide range of scenarios, such as dynamically looking up AMI IDs during stack creation, or implementing and using utility functions, such as string reversal functions.
A tech startup launched an application using Amazon API Gateway and AWS Lambda. You were required by your manager to trace and analyze user requests as they go through the Amazon API Gateway APIs and eventually to the underlying services.
Which of these options is the most appropriate tool that will meet the requirement?
CloudWatch
AWS X-Ray
VPC Flow Logs
CloudTrail
AWS X-Ray
A leading insurance firm has a VPC in the US East (N. Virginia) region for their head office in New York and another VPC in the US West (N. California) for their regional office in California. There is a requirement to establish a low latency, high-bandwidth connection between their on-premises data center in Chicago and both of their VPCs in AWS.
As the SysOps Administrator of the firm, how could you implement this in a cost-effective manner?
Set up an AWS VPN managed connection between the VPC in US East (N. Virginia) region and the on-premises data center in Chicago.
Set up two separate VPC peering connections for the two VPCs and for the on-premises data center.
Establish a Direct Connect connection between the VPC in US East (N. Virginia) region to the on-premises data center in Chicago and then establish another Direct Connect connection between the VPC in US West (N. California) region to the on-premises data center.
Set up an AWS Direct Connect connection to the on-premises data center. Launch a new AWS Direct Connect Gateway with a virtual private gateway and connect the VPCs from US East and US West regions. Integrate the Direct Connect connection to the Direct Connect Gateway.
Set up an AWS Direct Connect connection to the on-premises data center. Launch a new AWS Direct Connect Gateway with a virtual private gateway and connect the VPCs from US East and US West regions. Integrate the Direct Connect connection to the Direct Connect Gateway.
You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different regions. You associate a Direct Connect gateway with the virtual private gateway for the VPC, and then create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway. You can attach multiple private virtual interfaces to your Direct Connect gateway. A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any public region and access it from all other public regions.
A company is using Amazon S3 to serve static content and Amazon CloudFront to speed up content delivery to its users across the globe. For the next business cycle, they plan on improving these services to attract more customers and provide them a better user experience. To plan the next step, the SysOps Administrator will be needing more information regarding the activities that are occurring in their AWS resources. Amazon CloudFront includes a variety of reports that the Administrator can use to see usage and activity that is occurring in the CloudFront distributions.
How will the Administrator utilize these reports for this matter? (Select TWO.)
Use Popular Objects Report to determine what objects are frequently being accessed, and get statistics on those objects.
Use Top Referrers Reports to get statistics on viewer requests grouped by HTTP status code.
Use Cache Statistics Reports to display a list of the 25 website domains that originated the most HTTP and HTTPS requests for objects that CloudFront is distributing for a specified distribution.
Use Usage Reports to know the number of HTTP and HTTPS requests that CloudFront responds to from edge locations in selected regions.
Use Usage Reports to learn about the different types of browsers that your users frequently use to access your content.
Use Usage Reports to know the number of HTTP and HTTPS requests that CloudFront responds to from edge locations in selected regions.
Use Popular Objects Report to determine what objects are frequently being accessed, and get statistics on those objects.
A company has an online stock exchange application with a daily batch job that aggregates all intraday data and stores the result in an existing Amazon EFS file system. Currently, the batch processing is handled by several On-Demand EC2 instances and takes less than 3 hours to complete, generating a report that will only be used internally in the company. The batch job can be easily and safely re-run in the event of a problem during processing, since the data being processed is not mission-critical. To further reduce its operating costs, the company is looking for ways to optimize their current architecture.
As the SysOps Administrator, which is the MOST cost-effective and secure solution that you should implement?
Use Dedicated EC2 Instances to process the batch execution. Create a new EFS file system with encryption at rest enabled then copy all data from the current file system. Use the new EFS file system when storing the results processed by the On-Demand instances.
Request for several Spot EC2 instances and enable termination protection on each instance to process the batch execution. Enable encryption at rest in the existing EFS file system.
Use Scheduled Reserved EC2 Instances to process the batch execution. Enable encryption at rest in the existing EFS file system.
Request for a Spot Block to process the batch execution. Create a new EFS file system with encryption at rest enabled then copy all data from the current file system. After the data is copied over, delete the unencrypted file system. Use the new EFS file system when storing the results processed by the Spot instances.
Request for a Spot Block to process the batch execution. Create a new EFS file system with encryption at rest enabled then copy all data from the current file system. After the data is copied over, delete the unencrypted file system. Use the new EFS file system when storing the results processed by the Spot instances.
Another strategy is to launch Spot Instances with a specified duration (also known as Spot blocks), which are designed not to be interrupted and will run continuously for the duration you select. You can use a duration of 1, 2, 3, 4, 5, or 6 hours. The price that you pay depends on the specified duration.