AWS SysOps TD Quiz 1

An organization hosts an application across multiple Amazon EC2 instances backed by an Amazon Elastic File System (Amazon EFS) file system. While monitoring the instances, the SysOps administrator noticed that the file system's PercentIOLimit metric consistently hit 100% for 20 minutes or longer. This issue resulted in the poor performance of the application that reads and writes data into the file system. The SysOps admin needs to ensure high throughput and IOPS while accessing the file system. What step should the SysOps administrator perform to resolve the high PercentIOLimit metric on the file system?

Build a new EFS file system that is configured with Max I/O performance mode. Utilize AWS DataSync to migrate data to the newly created EFS file system.

A leading tech consultancy firm has an AWS Virtual Private Cloud (VPC) with one public subnet and a new blockchain application that is deployed to an m3.large EC2 instance. After a month, your manager instructed you to ensure that the application can support IPv6 address. Which of the following should you do to satisfy the requirement?

1. Associate an IPv6 CIDR Block with the VPC and Subnets 2. Update the Route Tables 3. Update the Security Group Rules 4. Change the Instance Type to m4.large 5. Assign IPv6 Addresses to the EC2 Instance

A leading media company plans to launch a data analytics application. The SysOps Administrator designed an architecture to use On-Demand EC2 instances in an Auto Scaling group that read messages from an SQS queue. A month after, the new application has been deployed to production but the Operations team noticed that when the incoming message traffic increases, the EC2 instances fall behind and it takes too long to process the messages. How can the SysOps Administrator configure the current cloud architecture to reduce the latency during traffic spikes?

Configure the Auto Scaling group to scale out based on the number of messages in the SQS queue.

A document management system of a legal firm is hosted in AWS Cloud with an S3 bucket as the primary storage service. To comply with the security requirements, you are instructed to ensure that the confidential documents and files stored in AWS are secured. Which features can be used to restrict access to data in S3? (Select TWO.)

Configure the S3 ACL on the bucket of each individual object. Configure the S3 bucket policy to only allow access to authorized personnel.

A leading national bank migrated its on-premises infrastructure to AWS. The SysOps Administrator noticed that the cache hit ratio of the CloudFront web distribution is less than 15%. Which combination of actions should he do to increase the cache hit ratio for the distribution? (Select TWO.)

Configure your origin to add a Cache-Control max-age directive to your objects, and specify the longest practical value for max-age to increase your TTL. In the Cache Behavior settings of your distribution, configure to forward only the query string parameters for which your origin will return unique objects.

A company is setting up a static website in AWS which is written in Angular that allows users to calculate their net worth. The SysOps Administrator uploaded the website's HTML, JavaScript, CSS, and other media files to an S3 bucket and then enabled static website hosting. After a month, the website became a hit globally with over a million users using the site every month. However, there are some complaints about the site loading very slowly in some countries. Which of the following options would the SysOps Administrator use to fix this performance issue?

Create a CloudFront web distribution and set the S3 bucket as the source.

A SysOps team is in the process of automating tasks to expedite the time to recover Amazon instances in the event of underlying hardware failure. The team must ensure that the attached Elastic IP and the private IP address of the original instance are retained after the instance is recovered. Additionally, an automated email notification should be in place to inform everyone in the SysOps team once a recovery process is triggered to run. Which steps should the SysOps team perform to meet the requirements?

Create an Amazon SNS topic and subscribe everyone in the SysOps team using their corporate emails. Then, configure an Amazon CloudWatch alarm for the EC2 instance and specify StatusCheckFailed_System as the metric. Finally, create an alarm notification that publishes a message to the SNS topic that you just created.

A cloud-based pharmaceutical website uses an Elastic Load Balancer to delegate traffic among EC2 instances on an Auto Scaling Group. In addition, the public website provides HTTPS security by adding a TLS certificate on the load balancer. After a year, the website experienced an outage and the new Sysops Administrator noticed that the certificate added on the load balancer expired. She needs to find a solution to automate the renewal of the TLS certificate to prevent this issue from happening again. Which among the options is the MOST operationally efficient approach that meets the requirement?

Go to AWS Certificate Manager (ACM) and request a public certificate from Amazon. Associate the newly requested certificate from ACM with the ELB. No additional configurations are needed since ACM can automatically manage the renewal of certificates.

A retail company is using AWS Organizations to manage user accounts. The consolidated billing feature is enabled to consolidate billing and payment for multiple AWS accounts. Member account owners requested to get the benefits of Reserved Instances (RIs) but they don't want to share RIs with other members of the AWS Organization. Which steps should the SysOps administrator perform to achieve the requirements?

Go to Billing Preferences in the management account and disable RI discount sharing. Then, purchase the RIs using individual member accounts.

A media organization recently adopted a hybrid cloud architecture to save costs and to avail of the various AWS cloud products. They have a public website which is deployed to two AWS regions: US East (Ohio) and Asia Pacific (Tokyo), to improve their services in Asia. As a SysOps Administrator, which of the following should you implement to ensure that users are consistently directed to the AWS region nearest to them?

Set up a Route 53 Geoproximity routing policy to direct users in Asia to their website.

A government organization has implemented a file gateway to keep copies of the home drives of their employees in a separate S3 bucket. As the SysOps Administrator, you noticed that most files are rarely accessed after 60 days but it is required that the files should still be available immediately in the event of a surprise audit. In this scenario, what can you do to reduce the storage costs while continuing to provide access to the files for the employees?

Set up a lifecycle policy that moves the employee files older than 60 days to Infrequent Access storage class.

A microservice application is being hosted in the ap-southeast-1 and ap-northeast-1 regions. The ap-southeast-1 region accounts for 80% of traffic, with the rest from ap-northeast-1. As part of the company's business continuity plan, all traffic must be rerouted to the other region if one of the regions' servers fails. Which solution can comply with the requirement?

Set up an 80/20 weighted routing policy in AWS Route 53 and enable health checks.

A SysOps Administrator needs to grant a user the ability to pass any of the approved set of roles to the Amazon EC2 service upon launching an instance. This will enable the user to start an EC2 instance with an assigned role. In effect, the applications running on the instance can access temporary credentials for the role through the instance profile metadata. Which of the following options should the Administrator implement together to accomplish this requirement? (Select TWO.)

Set up an IAM permissions policy attached to the IAM Role that determines the actions that it must perform. Afterward, create a trust policy for the role that allows the service to assume the role. Set up an IAM permissions policy attached to the IAM user that allows the user to pass only those roles that are approved. Use the iam:PassRole and iam:GetRole permissions in order for the user to get the details of the role to be passed.

A pharmaceutical company has a hybrid cloud architecture. The company has a fleet of EC2 instances in their VPC and a group of servers on their on-premises data center. The SysOps Administrator is instructed by the manager to set up a unified dashboard monitoring system for both the EC2 instances as well as the on-premises servers. Which of the following options should the Administrator do to satisfy the given requirement? (Select TWO.)

Set up the metrics dashboard in CloudWatch. Install the CloudWatch Agent to both Amazon EC2 Instances and On-Premises servers.

A company has a tagging strategy for controlling access to Amazon EC2 across their AWS Organization units. The system administrator noticed that some tags do not follow the company's naming convention which causes permission issues. Which solution can help the administrator identify the affected resources with non-compliant tags?

Set up the require-tags managed rule in AWS Config

An aerospace engineering company is having some issues in expanding its on-premises storage capabilities. The cost of upgrading their storage servers is too high and they need to find a more cost-effective option. The CTO decided to adopt a hybrid cloud architecture using AWS to extend the storage for their applications. The new storage should be available as an iSCSI target, which should be accessed by the servers in your on-premises data center. Which of the following options would you use to meet this requirement?

Storage Gateway

A real-estate company is hosting a website on a set of Amazon EC2 instances behind an Application Load Balancer. The SysOps administrator used CloudFront for its content distribution and set the ALB as the origin. He also created a CNAME record in Route 53 that sends all traffic through the CloudFront distribution. Users started to report that they are being served with the desktop version of the website when using mobile phones. Which action can help the SysOps administrator resolve the issue?

Update the CloudFront distribution origin settings. Add a User-Agent header to the list of origin custom headers.

A large technology company, which is heavily using AWS for its cloud-based applications to serve its clients, has both private and public application servers that are hosted in over 1000 EC2 Instances. To ensure security, the SysOps Administrator needs to ensure that public SSH is always disabled for the private servers. Which of the following options would be the best way to ensure this security check is in place?

Use AWS Config Rules to check all the configuration of the Security Groups.

A social media company has hired a SysOps Administrator to ensure that all of their CloudFormation stacks use the latest Windows AMI. The solution should have a minimal management overhead as they would need to update their Windows AMI again to get the latest security patches in the future. Which is the most suitable option that will meet the requirement?

Use AWS Systems Manager to achieve this task. Configure the Parameters section in the template to specify the latest version of Windows regional AMI ID.

A known security vulnerability was discovered in the outdated Operating System of your company's EC2 fleet. As the Systems Administrator, you are responsible in mitigating the vulnerability as soon as possible to safeguard your systems from various cyber security attacks. What is the most efficient way to solve this issue?

Use AWS Systems Manager to manage and deploy the security patch for the OS for the entire fleet of EC2 instances.

A company deployed a fleet of Linux-based EC2 instances to run an e-commerce website. The SysOps Administrator needs to monitor the CPU utilization of individual processes that are running in each server. Which of the following options fulfills this requirement?

Use Amazon CloudWatch agent procstat plugin to collect process metrics on EC2 instances.

An enterprise supply chain application uses Glacier in archiving its data. You have to deploy and enforce compliance controls for individual Glacier vaults by specifying controls such as "write once read many" (WORM) in a vault lock policy and lock the policy from future edits for regulatory compliance. This is to ensure that once the Glacier vault is locked, the policy can no longer be changed. Which is the most suitable approach to satisfy the given requirement?

Use Amazon S3 Glacier Vault Lock.

A SysOps Administrator is managing a web application hosted in an Amazon EC2 instance. The security groups and network ACLs are configured to allow HTTP and HTTPS traffic in your instance. A manager has received a report that a customer cannot access the application. The Administrator is instructed to investigate if the traffic is reaching the instance. Which of the following is the best approach to satisfy this requirement?

Use Amazon VPC Flow Logs

A SysOps Administrator has been instructed to handle the deployment of the cloud resources in a single AWS account using CloudFormation. The Administrator must develop a unified template that can be reused for multiple environments instead of manually copying and pasting the same configurations into the template. The dedicated template will be used and referenced from within other templates in the same AWS Region. If the template has been updated, any stack that is referencing it will automatically use the updated configuration. How can the Administrator meet this requirement?

Use Nested Stacks

An online stock trading application is extensively using an S3 bucket to store client data. To comply with the financial regulatory requirements, you need to generate a report on the replication and encryption status of all of the objects stored in your bucket. The report should show which type of server-side encryption is being used by each object. As the Systems Administrator of the company, how can you meet the above requirement with the least amount of effort?

Use S3 Inventory to generate the required report.

A security audit reveals that some security groups used by a company allow inbound SSH traffic from 0.0.0.0/0. The company's system administrator must identify the affected security groups and implement an automated solution that blocks open public-facing SSH ports. Which solution meet the requirements?

Use the restricted-ssh AWS Config managed rule. Create a remediation action using an AWS System Manager automation document that revokes ingress rules that allow SSH traffic from the public.

A security audit reveals that some security groups used by a company allow inbound SSH traffic from 0.0.0.0/0. The company's system administrator must identify the affected security groups and implement an automated solution that blocks open public-facing SSH ports. Which solution meet the requirements?

Use the restricted-ssh AWS Config managed rule. Create a remediation action using an AWS System Manager automation document that revokes ingress rules that allow SSH traffic from the public.

An organization hosts its operating system, database, and application on an Amazon EC2 instance backed by multiple attached Amazon Elastic Block Store (EBS) volumes. The SysOps administrator plans to automate the process of taking daily Amazon Machine Images (AMIs). When performing the backups, he has to ensure the file system integrity of created images. What should the SysOps Administrator do to meet these requirements?

Using the CreateImage API, build a Lambda function that will take an AMI of the EC2 instance and include a reboot parameter. Then, create a rule to invoke the Lambda function daily on Amazon EventBridge (Amazon CloudWatch Events).

A company has several applications and workloads running on AWS that are managed by various teams. The SysOps Administrator has been instructed to configure alerts to notify the teams in the event that the resource utilization exceeded the defined threshold. Which of the following is the MOST suitable AWS service that the Administrator should use?

AWS Budgets

A startup company is planning to build their cloud-based enterprise resource planning application in AWS. You are working as their SysOps Administrator and one of the founders asked you to design and build a cost-effective cloud architecture. After deploying and configuring the resources, you have to ensure that it complies with the AWS best practices. Which of the following services would you use to help you reduce cost, increase performance, and improve the security of your AWS resources?

AWS Trusted Advisor

A company's marketing website utilizes an RDS database instance to store transactional data. As the user visits grow, the IT department decides to implement a caching service for faster database performance and to maintain high availability for the RDS instance. Which combination of steps should the SysOps admin perform to accomplish the requirement? (SELECT TWO.)

Activate Multi-AZ deployment for the data store. Utilize Amazon ElastiCache for Redis data store to support the demands of the database.

A SysOps Administrator needs to install and configure software applications to an EC2 instance that will be deployed using CloudFormation. The Administrator has to ensure that the applications are properly running before the stack creation proceeds. Which of the following options can satisfy the given requirement?

Add a CreationPolicy attribute to the instance then send a success signal after the applications are installed and configured. Use the cfn-signal helper script to signal a resource.

A leading energy company is trying to establish a static VPN connection between an on-premises network and their VPC in AWS. As their SysOps Administrator, you created the required virtual private gateway, customer gateway and the VPN connection, including the router configuration on the customer side. Although the VPN connection status seems okay in the console, the connection is not entirely working when you connect to an EC2 instance in their VPC from one of the on-premises virtual machines. How can you resolve this issue?

Add a Virtual Private Gateway (VGW) route with the destination of your on-premises network in the route table.

A financial company is launching an online web portal that will be hosted in an Auto Scaling group of Amazon EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). To allow HTTP and HTTPS traffic, the SysOps Administrator configured the Network ACL and the Security Group of both the ALB and EC2 instances to allow inbound traffic on ports 80 and 443. The EC2 cluster also connects to a third-party API that provides additional information on the site. However, the online portal is still unreachable over the public internet after the deployment. How can the Administrator fix this issue?

Allow ephemeral ports in the Network ACL by adding a new rule to allow outbound traffic on ports 1024 - 65535.

A DevOps Engineer reported a problem accessing his EC2 instance with a private IP address of 172.31.8.11 from his corporate laptop. The EC2 instance is hosting a web application which works well but he is still experiencing an issue establishing a connection to manage the instance. As the SysOps Administrator, which of the following options is the most suitable solution in this scenario based on the VPC flow log entries below? 2 123456789010 eni-abc123de 110.217.100.70 172.31.8.11 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

Allow incoming RDP traffic in the security group of the EC2 instance including the inbound and outbound rules in the Network ACL.

A digital advertising company has a set of S3 buckets that contains various data such as Ad clickthrough rate (CTR), Cost Per Click (CPC) and many others. The analytics management team needs to analyze the data hosted in the S3 bucket using standard SQL to produce reports. Which of the following AWS services can help meet their demand?

Amazon Athena

A Systems Administrator needs to set up a file system that is accessible to individuals across the organization, and establish permissions for each user and group at the file or directory level. The file system should provide storage to access and share common data sets across multiple EC2 instances in different Availability Zones. Which of the following options should the administrator use to meet this requirement?

Amazon EFS

A company is using IAM policy to manage access to AWS services and resources. Your teammate has recently resigned and handed over a set of CloudFormation templates that she is maintaining to you. You checked the templates and looked at the configured IAM policy for an S3 bucket. What does the following IAM policy allow? (Select TWO.)

An IAM user with this IAM policy is allowed to write objects into the 'tutorialsdojo' S3 bucket. An IAM user with this IAM policy is allowed to read objects from all S3 buckets owned by the account.

A company has a newly-hired DevOps Engineer that will assist the IT Manager in developing a fault-tolerant and highly available architecture, which is comprised of an Elastic Load Balancer and an Auto Scaling group of EC2 instances deployed on multiple AZ's. This will be used by a forex trading application that requires WebSockets, host-based and path-based routing, and support for containerized applications. Which of the following is the most suitable type of Elastic Load Balancer that the DevOps Engineer should recommend to the IT Manager?

Application Load Balancer

A startup is using Amazon CloudWatch to monitor the workload of its website running on an EC2 instance. The CloudWatch Logs Agent has been set up on the instance to publish application logs. Despite having full access to the AWS account, the administrator is still unable to view the logs in the CloudWatch Logs Console. Which solution would most likely solve the issue?

Attach an IAM role with sufficient CloudWatch Logs permission to the instance profile of the EC2 instance

A company plans to develop a NodeJS application that will be hosted on AWS. The application needs to send messages across various sub-components that are hosted in an Auto Scaling group of EC2 instances in which the order of the messages should be preserved. Which of the following options should be provisioned for this requirement?

SQS FIFO queue

An IT solutions company offers a service that allows users to upload and download files when needed. The files are retrievable for one year and are stored in Amazon S3 Standard. The SysOps administrator noticed that users frequently accessed their files over the first 30 days, and from then on, the files are only accessed twice a month. The SysOps administrator needs to implement a cost-effective S3 Lifecycle policy that maintains the object availability for users. Which action should the SysOps administrator perform to achieve the requirements?

Configure all buckets to transition objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.

A company has recently adopted a hybrid cloud infrastructure. They plan to establish a dedicated connection between their on-premises network and their Amazon VPC. In the next couple of months, they will migrate their applications and move their data from their on-premises network to AWS, which is why they need a more consistent network experience than Internet-based connections. Which of the following options should be implemented for this scenario?

Set up a Direct Connect connection

A digital advertising company is planning to migrate its web-based data analytics application from its on-premises data center to AWS. You designed the architecture to use an Application Load Balancer and an Auto Scaling group of On-Demand EC2 Instances which are deployed on a private subnet. The instances will be fetching data analytics from various API services over the Internet every 5 minutes. For security reasons, the EC2 instances should not allow any connections initiated from the Internet. Which of the following options is the most scalable and highly available solution which should be implemented?

Set up a NAT Gateway in the public subnet.

A stock brokerage company is setting up a PostgreSQL database on a large Reserved EC2 Instance for its online stock trading platform. Since the database is hosting critical financial data, you are instructed to ensure that the database tier is fault tolerant. Which of the following options would you implement to satisfy this requirement in the MOST cost-effective manner?

Set up a RAID 1 configuration with multiple EBS volumes together.

A live chat application is hosted in AWS which can be embedded as a widget in any website. It uses WebSockets to provide full-duplex communication between the users. The application is hosted on an Auto Scaling group of On-Demand EC2 instances across multiple Availability Zones with an Application Load Balancer in front to balance the incoming traffic. As part of the security audit of the company, there is a requirement that the client's IP address, latencies, request paths, and server responses are properly logged. How can you meet the given requirement in this scenario? (Select TWO.)

Enable access logging for the Application Load Balancer. Set up a standard S3 bucket where the load balancer will store the logs.

A large insurance firm heavily uses AWS as its cloud infrastructure. Your manager instructed you to set up a monitoring system to ensure that the operations team can quickly respond to any incidents that may affect the production environment. There should be a dashboard that contains the CPUUtilization, DiskReadOps, NetworkIn, and other metrics for all EC2 instances at one-minute intervals. Which of the following should you do to properly implement this system? (Select TWO.)

Enable detailed monitoring for the EC2 instances. Set up a CloudWatch dashboard.

A company has a new policy to encrypt all Amazon Elastic Block Store (Amazon EBS) volumes in the us-east-2 and us-west-2 AWS regions. To help enforce this policy, the company's administrator needs to come up with a solution for automatically encrypting newly created EBS volumes. Which method will meet the requirement in the most efficient way?

Enable the default EBS encryption setting in the Amazon EC2 Console of each AWS region

A cloud-based pharmaceutical website uses an Elastic Load Balancer to delegate traffic among EC2 instances on an Auto Scaling Group. In addition, the public website provides HTTPS security by adding a TLS certificate on the load balancer. After a year, the website experienced an outage and the new Sysops Administrator noticed that the certificate added on the load balancer expired. She needs to find a solution to automate the renewal of the TLS certificate to prevent this issue from happening again. Which among the options is the MOST operationally efficient approach that meets the requirement?

Go to AWS Certificate Manager (ACM) and request a public certificate from Amazon. Associate the newly requested certificate from ACM with the ELB. No additional configurations are needed since ACM can automatically manage the renewal of certificates.

As part of the yearly AWS data cleanup, you need to delete all unused S3 buckets and their contents. The tutorialsdojo bucket, which contains several educational video files, has both the Versioning and MFA Delete features enabled. One of your Systems Engineers who have an Administrator account tried to delete an S3 bucket using the aws s3 rb s3://tutorialsdojo command. However, the operation fails even after repeated attempts. Which of the following are valid options that you can implement to properly delete the bucket? (Select TWO.)

Have the root account owner suspend MFA and versioning in the bucket. Configure a lifecycle rule to expire current object versions and permanently remove non-current object versions. Permanently purge all objects and delete markers then delete your bucket again. Remove the policy that requires MFA Delete on your S3 bucket. Use the AWS SDK to remove all of the bucket's delete markers and object versions. Delete the bucket again using the same CLI command that you used before.

An administrator has launched new AWS accounts. Management wants that IAM users across all accounts be able to sign in using a single login URL as shown below: https://tutorialsdojo.signin.aws.amazon.com/console How can the administrator meet the requirement?

Having a single login URL for different AWS accounts is not possible.

A leading commercial bank discovered an issue with their online banking system that is hosted on their Auto Scaling group and scaled out to over 60 EC2 instances. The Auto Scaling group is taking multiple nodes offline at the same time whenever you update the Launch Configuration. To update the system, the development team decided to use AWS CloudFormation by changing a parameter to the latest version of the code. What can you do to limit the impact on customers while the update is being performed?

In the CloudFormation template, add the UpdatePolicy attribute and then enable the WaitOnResourceSignals property. In the user data script, append a health check to signal CloudFormation that the update has been successfully completed.

A SysOps Administrator needs to create a CloudFormation template that should automatically rollback in the event that the entire stack failed to launch. The application stack requires the pre-requisite packages to be installed first in order for it to run properly, which could take about an hour or so to complete. What should the Administrator add in the template to accomplish this requirement?

In the ResourceSignal parameter of the CreationPolicy resource attribute, add a Timeout property with a value of 2 hours.

A company uses Amazon Route 53 to register the domain name of an online timesheet application named: "www.tutorialsdojo-timesheet.com" and deployed the application on ECS. After a few months, a new version of the timesheet application is ready to be deployed which contains bug fixes and new features. The DevOps team launched a separate ECS instance for the new version and they instructed you to direct the initial set of traffic to the new version so they can do their production verification tests. Once verified that the new version is working, you can now totally route all traffic coming from the www.tutorialsdojo-timesheet.com domain to the new ECS instance. Which of the following would you do to smoothly deploy the new application version?

Launch 2 resource records based on the Weighted Routing policy

A financial start-up has recently adopted a hybrid cloud infrastructure with AWS Cloud. They are planning to migrate their online payments system that supports an IPv6 address and uses an Oracle database in a RAC configuration. As the AWS Consultant, you have to make sure that the application can initiate outgoing traffic to the Internet but blocks any incoming connection from the Internet. Which of the following options would you do to properly migrate the application to AWS?]

Migrate the Oracle database to an EC2 instance. Launch the application on a separate EC2 instance and then set up an egress-only Internet gateway.

A real-estate company is leveraging an Elastic Load Balancer that uses a TLS certificate to provide HTTPS security to its website visitors. Users reported outages because of the TLS certificate expiry, and the SysOps administrator needs to find a solution that automates the renewal of the certificate. What is the MOST operationally efficient approach to perform the automation required?

Register a public certificate via AWS Certificate Manager (ACM). Associate the newly registered certificate from ACM to the ELB. ACM automatically handles certificate renewal so there's no need for further configuration

An internal data analytics application is deployed on six interdependent EC2 instances in a default VPC. The application can only be accessed by several employees to analyze financial data sets. The SysOps Administrator noticed high latency in responses as data is transferred between the EC2 instances. Which of the following is the MOST effective way to solve this issue?

Relaunch the EC2 instances in a placement group.