- (Exam Topic 1)
A company hosts its website in the us-east-1 Region. The company is preparing to deploy its website into the eu-central-1 Region. Website visitors who are located in Europe should access the website that is hosted in eu-central-1. All other visitors access the website that is hosted in us-east-1. The company uses Amazon Route 53 to manage the website's DNS records.
Which routing policy should a SysOps administrator apply to the Route 53 record set to meet these requirements?

1. A. Geolocation routing policy
2. B. Geoproximity routing policy
3. C. Latency routing policy
4. D. Multivalue answer routing policy

Correct Answer: A
geolocation "Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region."
Could be confused with geoproximity - "Geoproximity routing lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource" the use case is not needed as per question.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

- (Exam Topic 1)
A company uses Amazon Elasticsearch Service (Amazon ES) to analyze sales and customer usage data. Members of the company's geographically dispersed sales team are traveling. They need to log in to Kibana by using their existing corporate credentials that are stored in Active Directory. The company has deployed
Active Directory Federation Services (AD FS) to enable authentication to cloud services. Which solution will meet these requirements?

1. A. Configure Active Directory as an authentication provider in Amazon E
2. B. Add the Active Directory server's domain name to Amazon E
3. C. Configure Kibana to use Amazon ES authentication.
4. D. Deploy an Amazon Cognito user poo
5. E. Configure Active Directory as an external identity provider for the user poo
6. F. Enable Amazon Cognito authentication for Kibana on Amazon ES.
7. G. Enable Active Directory user authentication in Kiban
8. H. Create an IP-based custom domain access policy in Amazon ES that includes the Active Directory server's IP address.
9. I. Establish a trust relationship with Kibana on the Active Directory serve
10. J. Enable Active Directory user authentication in Kiban
11. K. Add the Active Directory server's IP address to Kibana.

Correct Answer: B
https://aws.amazon.com/blogs/security/how-to-enable-secure-access-to-kibana-using-aws-single-sign-on/ https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html

- (Exam Topic 1)
A SysOps administrator must ensure that a company's Amazon EC2 instances auto scale as expected The SysOps administrator configures an Amazon EC2 Auto Scaling Lifecycle hook to send an event to Amazon EventBridge (Amazon CloudWatch Events), which then invokes an AWS Lambda function to configure the EC2 distances When the configuration is complete, the Lambda function calls the complete Lifecycle-action event to put the EC2 instances into service. In testing, the SysOps administrator discovers that the Lambda function is not invoked when the EC2 instances auto scale.
What should the SysOps administrator do to reserve this issue?

1. A. Add a permission to the Lambda function so that it can be invoked by the EventBridge (CloudWatch Events) rule.
2. B. Change the lifecycle hook action to CONTINUE if the lifecycle hook experiences a fa* we or timeout.
3. C. Configure a retry policy in the EventBridge (CloudWatch Events) rule to retry the Lambda function invocation upon failure.
4. D. Update the Lambda function execution role so that it has permission to call the complete lifecycle-action event

Correct Answer: D

- (Exam Topic 1)
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS} queues A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues
Which solution will meet these requirements in the MOST secure manner?

1. A. Create an IAM user with an IAM policy that allows the sqs SendMessage permission, the sqs ReceiveMessage permission, and the sqs DeleteMessage permission to the appropriate queues Embed the IAM user's credentials in the application's configuration
2. B. Create an IAM user with an IAM policy that allows the sqs SendMessage permission, the sqs ReceiveMessage permission, and the sqs DeleteMessage permission to the appropriate queues Export the IAM user's access key and secret access key as environment variables on the EC2 instance
3. C. Create and associate an IAM role that allows EC2 instances to call AWS services Attach an IAM policy to the role that allows sqs." permissions to the appropriate queues
4. D. Create and associate an IAM role that allows EC2 instances to call AWS services Attach an IAM policy to the role that allows the sqs SendMessage permission, the sqs ReceiveMessage permission, and the sqs DeleteMessage permission to the appropriate queues

Correct Answer: D

- (Exam Topic 1)
A company has multiple AWS Site-to-Site VPN connections between a VPC and its branch offices. The company manages an Amazon Elasticsearch Service (Amazon ES) domain that is configured with public
access. The Amazon ES domain has an open domain access policy. A SysOps administrator needs to ensure that Amazon ES can be accessed only from the branch offices while preserving existing data.
Which solution will meet these requirements?

1. A. Configure an identity-based access policy on Amazon E
2. B. Add an allow statement to the policy that includes the Amazon Resource Name (ARN) for each branch office VPN connection.
3. C. Configure an IP-based domain access policy on Amazon E
4. D. Add an allow statement to the policy that includes the private IP CIDR blocks from each branch office network.
5. E. Deploy a new Amazon ES domain in private subnets in a VPC, and import a snapshot from the old domai
6. F. Create a security group that allows inbound traffic from the branch office CIDR blocks.
7. G. Reconfigure the Amazon ES domain in private subnets in a VP
8. H. Create a security group that allows inbound traffic from the branch office CIDR blocks.

Correct Answer: B