Question 54:
A company’s security team has requested that all Amazon EBS volumes be encrypted with a specific AWS KMS customer master key (CMK). A SysOps Administrator is tasked with verifying that the security team’s request has been implemented.
What is the MOST efficient way for the Administrator to verify the correct encryption key is being used?
Use AWS Config to configure the encrypted-volumes managed rule and specify the key ID of the CMK.
Question 41:
A SysOps administrator is monitoring an Amazon CloudWatch alarm that is being constantly triggered. It appears to remain in the ALARM state persistently.
What might explain this behavior?
The evaluated metrics persistently exceed the defined thresholds, keeping the alarm active.
Question 57:
A SysOps Administrator has installed the CloudWatch agent on several Amazon EC2 instances. The agent has been configured to send custom metrics to Amazon CloudWatch. The Administrator needs to create a CloudWatch dashboard to display these metrics.
What steps should the Administrator take to complete this task?
Open the CloudWatch console, then from CloudWatch Events, add all custom metrics
Select the AWS Namespace, filter by metric name, then add to the dashboard
Open the CloudWatch Logs console, create metric filters, and select the custom metrics
Select the appropriate widget and metrics from the custom namespace, then add to the dashboard
Question 63:
An application that uses an Amazon ElastiCache Memcached cluster is receiving a large increase in traffic. A SysOps Administrator needs to use a larger instance type with more memory.
What does the Administrator need to do to implement this change?
Specify a new CacheNodeType with the ModifyCacheParameterGroup API.
Create a new cache cluster with a new node type using the CreateCacheCluster API.
Use the CreateReplicationGroup API and specify a new CacheNodeType.
Modify the existing cache cluster using the ModifyCacheCluster API.
With the Amazon ElastiCache Memcached engine, you cannot modify the node type of an existing cluster. The way to scale up is to create a new cluster and specify the new node type. You can then update the endpoint configuration in your application to point to the new endpoints and delete the old cache cluster.
Question 2:
A SysOps Administrator needs to restrict access to a bucket that is currently accessed by users in other AWS accounts. The Administrator requires that the bucket be accessible only to users in the same account.
How can this be achieved?
Change the bucket access control list (ACL) to restrict access to the bucket owner.
(Correct)
Move the S3 bucket to the S3 One Zone-IA storage class and disable versioning.
Create an object policy that restricts access to only users in the same account.
(Incorrect)
Create Amazon S3 presigned URLs for accessing objects in the bucket.
The bucket ACL can be used to provide cross-account access to an Amazon S3 bucket. To restrict cross-account access that has been granted in this way, simply remove the entry for the other account from the ACL.
Question 8:
The firm requires that EC2 instances not be publicly accessible via SSH, and that security group rules be automatically modified to remove such access if it is detected.
What combination of steps?
Use AWS CloudTrail to monitor security group rule changes and send a notification to an Amazon SNS topic.
Use Amazon EventBridge to detect changes in security group rules and trigger an AWS Lambda function to modify the security groups
Implement an AWS Config rule to identify if security groups permit SSH from 0.0.0.0/0.
Set up an Amazon GuardDuty detector to monitor and alert if security groups allow SSH from 0.0.0.0/0.
Create an AWS Systems Manager Automation document to update the identified security group rules.
Implement an AWS Config rule to identify if security groups permit SSH from 0.0.0.0/0.
Create an AWS Systems Manager Automation document to update the identified security group rules.
An application is being deployed that hosts highly sensitive data that must not be leaked outside of the company. A security team has asked a SysOps Administrator to configure the environment to address this concern.
How can the Administrator ensure that the servers in the VPC cannot send traffic to the internet?
Create a blackhole NAT gateway that prevents outbound access.
Launch the EC2 instances in private subnets.
Use instance stores to ensure there is no persistent data.
Ensure that the servers do not have Elastic IP addresses.
Launch the EC2 instances in private subnets.
Question 19:
A group of systems administrators use IAM access keys to manage Amazon EC2 instances using the AWS CLI. The company policy mandates that access keys are automatically disabled after 60 days.
Which solution can be used to automate this process?
Create a script that checks the key age and disables keys older than 60 days. Use a cron job on an Amazon EC2 instance to execute the script.
Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation.
Configure Amazon Inspector to provide security best practice recommendations and automatically disable the keys.
Create an Amazon CloudWatch alarm to trigger an AWS Lambda function that disables keys older than 60 days.
Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation.
A company manages a fleet of Amazon EC2 instances in a VPC and wishes to remove their public IP addresses to protect them from internet-based threats. Some applications still require access to Amazon S3 buckets.
(Select TWO.)
Configure the internet gateway to route connections to S3 using private IP addresses.
Set up AWS Direct Connect and configure a virtual interface between the EC2 instances and the S3 buckets.
Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately.
Create a VPC endpoint in the VPC and configure the route tables appropriately.
Add an outbound rule in the security groups of the EC2 instances for Amazon S3 using private IP addresses.
Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately.
Create a VPC endpoint in the VPC and configure the route tables appropriately.