AWS Certified SysOps Administrator SOA-C01 – Question887

An application running on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones was deployed using an AWS CloudFormation template. The SysOps team has patched the Amazon Machine Image (AMI) version and must update all the EC2 instances to use the new AMI.
How can the SysOps Administrator use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity?

A. Run the aws cloudformation update-stack command with the --rollback-configuration option
B. Update the CloudFormation template with the new AMI ID, then reboot the EC2 instances
C. Deploy a second CloudFormation stack and use Amazon Route 53 to redirect traffic to the new stack
D. Set an AutoScalingRollingUpdate policy in the CloudFormation template to update the stack.

Correct Answer: D

AWS Certified SysOps Administrator SOA-C01 – Question886

A company has a three-tier stateful web application. The application is served through an Amazon CloudFront distribution with default configuration options and an Application Load Balancer (ALB) as the origin. Logged-in users get intermittently logged out and see inconsistent content.
Which action should the company take to ensure a stable user experience during a session?

A. Enable session affinity (sticky sessions) on the ALB. Configure CloudFront to forward all cookies to the origin.
B. Restrict viewer access to signed cookies in CloudFront. Enable session affinity (sticky sessions) on the ALB.
C. Switch from duration-based session affinity (sticky sessions) to application-controlled session affinity (sticky sessions) on the ALB.
D. Configure the CloudFront TTL to be equal to or less than the ALB session duration.

Correct Answer: C

AWS Certified SysOps Administrator SOA-C01 – Question885

A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53 should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set appropriately for both primary and secondary servers.
Which next step should be taken to configure Route 53?

A. Create an A record for each server. Associate the records with the Route 53 HTTP health check.
B. Create an A record for each server. Associate the records with the Route 53 TCP health check.
C. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.
D. Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.

Correct Answer: C

AWS Certified SysOps Administrator SOA-C01 – Question884

A company’s security policy states that connecting to Amazon EC2 instances is not permitted through SSH and RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager.
Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances.
What should a SysOps administrator do to resolve this issue?

A. Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
C. Configure the SSM Agent to log in with a user name of “ubuntu”.
D. Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

Correct Answer: A

AWS Certified SysOps Administrator SOA-C01 – Question883

A company is evaluating solutions for connecting its data centers to a VPC in an AWS Region running a mission-critical application. A secondary Region has already been set up as a disaster recovery solution. The company needs a consistent, low-latency connection of at least 10 Gbps that must be highly resilient and fault tolerant.
Which solution meets these requirements?

A. Set up a 10 Gbps AWS Direct Connect connection at two Direct Connect locations. Use two customer routers and dynamically routed, active/active connections.
B. Set up a 10 Gbps AWS Direct Connect connection. Use a Direct Connect gateway to support both Regions.
C. Establish an AWS Direct Connect connection for the primary connection to the VPC with an AWS-managed VPN connection as a backup.
D. Establish 10 VPN connections to the VPC. Enable the VPN Equal Cost Multipath (ECMP) feature to balance traffic over the active connections.

AWS Certified SysOps Administrator SOA-C01 – Question882

A company is managing multiple AWS accounts using AWS Organizations. One of these accounts is used only for retaining logs in an Amazon S3 bucket. The company wants to make sure that compute resources cannot be used in the account.
How can this be accomplished with the LEAST administrative effort?

A. Apply an IAM policy to all IAM entities in the account with a statement to explicitly deny NotAction: s3:*.
B. Configure AWS Config to terminate compute resources that have been created in the accounts.
C. Configure AWS CloudTrail to block any action where the event source is not s3.amazonaws.com.
D. Update the service control policy on the account to deny the unapproved services.

Correct Answer: D

AWS Certified SysOps Administrator SOA-C01 – Question881

A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load.
What are possible causes for this problem? (Choose two.)

A. CloudFront does not have the ALB configured as the origin access identity.
B. The DNS is still pointing to the ALB instead of the CloudFront distribution.
C. The ALB security group is not permitting inbound traffic from CloudFront.
D. The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.
E. The target groups associated with the ALB are configured for sticky sessions.

Correct Answer: AB

AWS Certified SysOps Administrator SOA-C01 – Question880

A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance.
Which of the following are possible causes of this issue? (Choose two.)

A. A network ACL associated with the bastion’s subnet is blocking the network traffic.
B. The instance does not have a private IP address.
C. The route table associated with the bastion’s subnet does not have a route to the internet gateway.
D. The security group for the instance does not have an inbound rule on port 22.
E. The security group for the instance does not have an outbound rule on port 3389.

AWS Certified SysOps Administrator SOA-C01 – Question879

An image processing system runs asynchronously on AWS Lambda. A SysOps administrator is configuring a Lambda function to notify developers when an image fails to process after three attempts. The SysOps administrator has created an Amazon Simple Notification Service (Amazon SNS) topic to notify the developers.
Which additional action should the SysOps administrator take to meet this requirement?

A. Configure an Amazon CloudWatch alarm for errors from the Lambda function, which notifies the Amazon SNS topic.
B. Implement a dead-letter queue targeting the Amazon SNS topic.
C. Modify the Lambda function code to publish failed orders to the Amazon SNS topic before exiting.
D. Subscribe to Lambda function error notifications from the AWS Personal Health Dashboard.

AWS Certified SysOps Administrator SOA-C01 – Question878

A company has a multi-account AWS environment that includes the following:

  • A central identity account that contains all IAM users and groups
  • Several member accounts that contain IAM roles

A SysOps administrator must grant permissions for a particular IAM group to assume a role in one of the member accounts.

How should the SysOps administrator accomplish this task?

A. In the member account, add sts:AssumeRole permissions to the role’s policy. In the identity account, add a trust policy to the group that specifies the account number of the member account.
B. In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.
C. In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:PassRole permissions.
D. In the member account, add the group Amazon Resource Name (ARN) to the role’s inline policy. In the identity account, add a trust policy to the group with sts:AssumeRole permissions.

Correct Answer: A