Question 1:
A company has an internal web application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available.
Which action should the SysOps administrator take to meet this requirement?

1. Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
   B. Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
   C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
   D. Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.

Correct Answer: C
Explanation:
To achieve high availability, it’s essential to distribute instances across multiple Availability Zones within the same region. This ensures that if one Availability Zone fails, the application remains accessible through instances in the other zone.

Question 2:
A company hosts a website on multiple Amazon EC2 instances that run in an Auto Scaling group. Users are reporting slow responses during peak times between 6 PM and 11 PM every weekend. A SysOps administrator must implement a solution to improve performance during these peak times.
What is the MOST operationally efficient solution that meets these requirements?

1. Create a scheduled Amazon EventBridge rule to invoke an AWS Lambda function to increase the desired capacity before peak times.
   B. Configure a scheduled scaling action with a recurrence option to change the desired capacity before and after peak times.
   C. Create a target tracking scaling policy to add more instances when memory utilization is above 70%.
   D. Implement a step scaling policy based on CPU utilization thresholds.

Correct Answer: B
Explanation:
Scheduled scaling actions allow you to adjust the desired capacity of your Auto Scaling group based on predictable load patterns. By configuring a recurrence option, you can automatically scale out before peak times and scale in afterward.

Question 3:
A SysOps administrator notices a scale-up event for an Amazon EC2 Auto Scaling group. Amazon CloudWatch shows a spike in the RequestCount metric for the associated Application Load Balancer. The administrator would like to know the IP addresses for the source of the requests.
Where can the administrator find this information?

1. Auto Scaling logs
   B. AWS CloudTrail logs
   C. EC2 instance logs
   D. Elastic Load Balancer access logs

Correct Answer: D
Explanation:
Elastic Load Balancer (ELB) access logs provide detailed information about requests sent to your load balancer. These logs include the client’s IP address, request path, and other valuable data, enabling traffic analysis.

Question 4:
A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately.
What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?

1. Create a CloudWatch alarm that monitors the CloudTrail trail status and triggers an SNS notification if the trail is disabled.
   B. Use AWS Config to monitor the CloudTrail trail configuration and set up a rule to detect changes.
   C. Implement an AWS Lambda function that checks the CloudTrail status and re-enables it if disabled.
   D. Set up an EventBridge rule that triggers when CloudTrail is disabled and invokes a remediation action.

Correct Answer: B
Explanation:
AWS Config monitors the configuration of AWS resources, including CloudTrail trails. A rule can detect changes in the trail’s status and alert administrators without needing custom code.

Question 5:
A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error:
AMI [ami-12345678] does not exist
How should the administrator ensure that the CloudFormation template works in every region?

1. Modify the template to use a region-specific AMI ID for each region.
   B. Use AWS Systems Manager Parameter Store to reference the latest AMI ID dynamically.
   C. Copy the AMI to the us-west-2 region and update the template accordingly.
   D. Use a CloudFormation mapping to select the appropriate AMI ID based on the region.

Correct Answer: D
Explanation:
CloudFormation mappings allow region-specific configurations within templates. By defining a mapping of regions to AMI IDs, the correct AMI is selected based on the region where the stack is deployed.

Question 6:
A SysOps administrator must automate the creation of Amazon Machine Images (AMIs) of EC2 instances on a weekly basis.
Which solution will meet this requirement?

1. Create a Lambda function to create an AMI and schedule it with EventBridge.
   B. Use AWS Backup to schedule backups of the EC2 instances.
   C. Use AWS Systems Manager Automation with a scheduled trigger.
   D. Create snapshots of the instance volumes manually.

Correct Answer: C
Explanation:
AWS Systems Manager Automation can schedule the creation of AMIs with less operational overhead and native integration with EC2.

Question 7:
A SysOps administrator needs to prevent developers from creating Amazon EC2 instances larger than a t3.medium size.
What is the MOST operationally efficient solution?

1. Use IAM policies to restrict instance types.
   B. Use AWS Config to enforce the allowed instance types.
   C. Create an SCP (Service Control Policy) in AWS Organizations.
   D. Tag instances and create a compliance rule.

Correct Answer: A
Explanation:
IAM policies can restrict users from launching specific instance types, offering a simple and efficient enforcement method.

Question 8:
A SysOps administrator needs to receive an email when a specific Lambda function fails.
What should the administrator do?

1. Create an Amazon CloudWatch Logs metric filter and alarm.
   B. Enable CloudTrail and monitor function errors.
   C. Enable X-Ray tracing and analyze failures.
   D. Use AWS Config rules.

Correct Answer: A
Explanation:
A CloudWatch Logs metric filter can detect error patterns and trigger alarms that send email notifications via SNS.

Question 9:
A company needs to archive large amounts of data that is rarely accessed.
Which storage class provides the LOWEST cost for this scenario?

1. Amazon S3 Standard
   B. Amazon S3 Intelligent-Tiering
   C. Amazon S3 Glacier Deep Archive
   D. Amazon S3 One Zone-IA

Correct Answer: C
Explanation:
S3 Glacier Deep Archive offers the lowest cost for long-term, infrequently accessed data.

Question 10:
A SysOps administrator needs to store application logs centrally and ensure they are retained for 7 years to meet compliance requirements.
Which solution is the MOST cost-effective?

1. Store logs in S3 Standard storage class.
   B. Store logs in S3 Glacier Deep Archive with a lifecycle policy.
   C. Store logs in EBS volumes attached to EC2 instances.
   D. Use AWS CloudTrail and CloudWatch Logs indefinitely.

Correct Answer: B
Explanation:
Storing logs in S3 Glacier Deep Archive using lifecycle policies is cost-effective for long-term storage.

Question 11:
A user accidentally deleted an Amazon S3 bucket containing critical data.
How can a SysOps administrator prevent this in the future?

1. Enable versioning and MFA delete on S3 buckets.
   B. Create CloudWatch alarms for delete actions.
   C. Deny DeleteBucket permissions in IAM policy.
   D. Set up an S3 lifecycle rule to archive data.

Correct Answer: A
Explanation:
Versioning and MFA delete provide protection against accidental or malicious deletions.

Question 12:
An application stores images in Amazon S3. The SysOps administrator must reduce the cost while maintaining immediate access to the files.
Which storage class should be used?

1. S3 Standard
   B. S3 One Zone-IA
   C. S3 Intelligent-Tiering
   D. S3 Glacier Instant Retrieval

Correct Answer: C
Explanation:
S3 Intelligent-Tiering automatically moves data between access tiers, optimizing storage costs without impact on retrieval times.

Question 13:
A SysOps administrator must configure monitoring for Amazon RDS instances with minimal operational overhead.
Which solution meets this requirement?

1. Enable enhanced monitoring for RDS.
   B. Install CloudWatch agent on the RDS instance.
   C. Enable detailed monitoring on the RDS instance.
   D. Use AWS X-Ray to monitor RDS.

Correct Answer: A
Explanation:
Enhanced monitoring provides OS-level metrics for RDS instances with minimal management effort.

Question 14:
A SysOps administrator must configure an Amazon CloudFront distribution for a public S3 bucket to deliver content securely.
Which action should be taken?

3. Use signed URLs with CloudFront.
   B. Enable origin access control (OAC) between CloudFront and S3.
   C. Enable public access on the S3 bucket.
   D. Configure a static website hosting endpoint.

Correct Answer: B
Explanation:
Origin Access Control (OAC) allows CloudFront to access private S3 content securely, without exposing it to the public.

Question 15:
A SysOps administrator needs to track API usage across multiple AWS accounts.
What is the MOST efficient way to collect this data centrally?

1. Enable AWS CloudTrail and create a multi-account trail.
   B. Enable VPC flow logs.
   C. Enable S3 access logs.
   D. Enable AWS Config in each account.

Correct Answer: A
Explanation:
AWS CloudTrail multi-account trails consolidate logs from multiple AWS accounts into a single location.

Question 16:
A SysOps administrator needs to encrypt Amazon EBS volumes attached to EC2 instances.
What is the MOST efficient way to achieve this for all new volumes?

1. Encrypt each volume manually.
   B. Set the EBS encryption by default for the account.
   C. Use AWS KMS to encrypt snapshots.
   D. Attach encrypted volumes manually.

Correct Answer: B
Explanation:
Setting EBS encryption by default ensures that all newly created volumes are encrypted automatically without manual intervention.

Question 17:
A company needs to ensure that sensitive data in S3 is automatically encrypted.
Which option provides the SIMPLEST enforcement?

1. Apply an S3 bucket policy requiring encryption.
   B. Enable encryption at rest in S3 settings.
   C. Enable versioning and replicate to an encrypted bucket.
   D. Use AWS Config rules to audit buckets.

Correct Answer: A
Explanation:
A bucket policy can enforce that only encrypted uploads are allowed, ensuring compliance automatically.

Question 18:
A SysOps administrator must restrict outbound internet access from EC2 instances.
Which AWS service should be used?

1. AWS WAF
   B. VPC endpoint
   C. VPC NAT gateway
   D. VPC egress-only internet gateway

Correct Answer: B
Explanation:
VPC endpoints allow private connections to AWS services without requiring outbound internet access

Question 19:
A company wants to ensure that only specific IAM roles can access an S3 bucket.
How can this be accomplished?

1. Use an IAM policy attached to roles.
   B. Use an S3 bucket policy restricting access to roles.
   C. Encrypt the bucket using a customer-managed CMK.
   D. Use ACLs to specify permissions.

Correct Answer: B
Explanation:
An S3 bucket policy allows granular control over which IAM roles or users can access the bucket.

Question 20:
A SysOps administrator is asked to create a backup plan for Amazon EBS volumes.
Which service should be used?

1. AWS Backup
   B. Amazon S3
   C. Amazon CloudWatch
   D. Amazon EC2 Auto Recovery

Correct Answer: A
Explanation:
AWS Backup offers centralized, automated backup capabilities for EBS volumes and other AWS services.

Question 21:
A web application deployed on EC2 experiences increased latency during peak hours.
What should the SysOps administrator check FIRST?

1. EC2 instance CPU and memory metrics
   B. EBS volume snapshots
   C. S3 bucket access logs
   D. AWS Config rule evaluations

Correct Answer: A
Explanation:
High CPU or memory usage on EC2 instances is often the root cause of latency issues.

Question 22:
A SysOps administrator must ensure all objects uploaded to an S3 bucket are automatically assigned a storage class of S3 Glacier Flexible Retrieval.
What is the simplest way to achieve this?

1. Enable S3 Intelligent-Tiering.
   B. Set up a lifecycle configuration rule.
   C. Configure default storage class on upload.
   D. Use a bucket policy.

Correct Answer: B
Explanation:
Lifecycle policies can automatically transition objects to S3 Glacier Flexible Retrieval after creation.

Question 23:
A company wants to separate development and production workloads on AWS.
What is the BEST solution?

1. Create separate IAM groups.
   B. Use AWS Organizations to create separate accounts.
   C. Create separate VPCs within the same account.
   D. Use AWS Config rules to tag resources.

Correct Answer: B
Explanation:
Using AWS Organizations to create separate accounts provides strong isolation between environments.

Question 24:
A SysOps administrator wants to ensure that new users automatically receive the same permissions.
What is the BEST approach?

1. Attach policies directly to each new user.
   B. Assign users to a predefined IAM group.
   C. Use service-linked roles.
   D. Enable AWS SSO.

Correct Answer: B
Explanation:
IAM groups allow consistent permission management by attaching policies to the group and adding users to it.

Question 25:
A company must track all modifications to IAM roles in the AWS environment.
Which service will meet this requirement?

1. AWS Config
   B. AWS CloudTrail
   C. IAM Access Analyzer
   D. AWS Organizations

Correct Answer: B
Explanation:
CloudTrail records all API activities, including modifications to IAM roles.

Question 26:
A SysOps administrator is configuring billing alarms.
Which AWS service should they use?

1. Amazon CloudWatch
   B. AWS Budgets
   C. AWS Trusted Advisor
   D. AWS Cost Explorer

Correct Answer: B
Explanation:
AWS Budgets allows users to create cost and usage alarms based on their thresholds.

Question 27:
A SysOps administrator must block a specific IP address from accessing an Application Load Balancer.
What is the simplest solution?

1. Modify the security group of the ALB.
   B. Use AWS WAF with an IP set.
   C. Create a Network ACL rule.
   D. Configure a route table block.

Correct Answer: B
Explanation:
AWS WAF can block requests based on IP addresses at the ALB level.

Question 28:
A SysOps administrator needs to move a large amount of data (100 TB) into AWS.
Which solution is MOST efficient?

1. AWS Snowball
   B. Direct Connect
   C. AWS VPN
   D. Internet upload to S3

Correct Answer: A
Explanation:
AWS Snowball is designed for large-scale offline data transfer to AWS.

Question 29:
A company has a security requirement to encrypt all data at rest on Amazon RDS.
What should a SysOps administrator do?

1. Enable encryption when creating the RDS instance.
   B. Enable encryption on the EC2 instance accessing RDS.
   C. Use AWS Key Management Service with RDS snapshots.
   D. Enable SSL connections to the RDS database.

Correct Answer: A
Explanation:
RDS encryption must be enabled at creation; it cannot be applied to existing unencrypted instances.

Question 30:
A SysOps administrator needs to monitor memory usage on an EC2 instance.
Which solution should be used?

1. Default EC2 metrics in CloudWatch
   B. Install the CloudWatch agent
   C. Enable detailed monitoring
   D. Use AWS Trusted Advisor

Correct Answer: B
Explanation:
Memory metrics require the CloudWatch agent, as default EC2 metrics do not include memory usage.