- (Exam Topic 1)
A Sysops administrator has created an Amazon EC2 instance using an AWS CloudFormation template in the us-east-I Region. The administrator finds that this
template has failed to create an EC2 instance in the us-west-2 Region. What is one cause for this failure?

1. A. Resource tags defined in the CloudFormation template are specific to the us-east-I Region.
2. B. The Amazon Machine Image (AMI) ID referenced in the CloudFormation template could not be found in the us-west-2 Region.
3. C. The cfn-init script did not run during resource provisioning in the us-west-2 Region.
4. D. The IAM user was not created in the specified Region.

Correct Answer: B
One possible cause for the failure of the CloudFormation template to create an EC2 instance in the us-west-2 Region is that the Amazon Machine Image (AMI) ID referenced in the template could not be found in the us-west-2 Region. This could be due to the fact that the AMI is not available in that region, or the credentials used to access the AMI were not configured properly. The other options (resource tags defined in the CloudFormation template are specific to the us-east-I Region, the cfn-init script did not run during resource provisioning in the us-west-2 Region, and the IAM user was not created in the specified Region) are not valid causes for this failure.

- (Exam Topic 1)
A company has a public website that recently experienced problems. Some links led to missing webpages, and other links rendered incorrect webpages. The application infrastructure was running properly, and all the provisioned resources were healthy. Application logs and dashboards did not show any errors, and no monitoring alarms were raised. Systems administrators were not aware of any problems until end users reported the issues.
The company needs to proactively monitor the website for such issues in the future and must implement a solution as soon as possible.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Rewrite the application to surface a custom error to the application log when issues occur.Automatically parse logs for error
2. B. Create an Amazon CloudWatch alarm to provide alerts when issues are detected.
3. C. Create an AWS Lambda function to test the websit
4. D. Configure the Lambda function to emit an Amazon CloudWatch custom metric when errors are detecte
5. E. Configure a CloudWatch alarm to provide alerts when issues are detected.
6. F. Create an Amazon CloudWatch Synthetics canar
7. G. Use the CloudWatch Synthetics Recorder plugin to generate the script for the canary ru
8. H. Configure the canary in line with requirement
9. I. Create an alarm to provide alerts when issues are detected.

Correct Answer: A

- (Exam Topic 1)
A company hosts a database on an Amazon RDS Multi-AZ DB instance. The database is not encrypted. The company's new security policy requires all AWS resources to be encrypted at rest and in transit.
What should a SysOps administrator do to encrypt the database?

1. A. Configure encryption on the existing DB instance.
2. B. Take a snapshot of the DB instanc
3. C. Encrypt the snapsho
4. D. Restore the snapshot to the same DB instance.
5. E. Encrypt the standby replica in a secondary Availability Zon
6. F. Promote the standby replica to the primary DB instance.
7. G. Take a snapshot of the DB instanc
8. H. Copy and encrypt the snapsho
9. I. Create a new DB instance by restoring the encrypted copy.

Correct Answer: B

- (Exam Topic 1)
A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are going directly to the S3 bucket by using the website hosting endpoint. A SysOps administrator must secure the S3 bucket to allow requests only from CloudFront.
What should the SysOps administrator do to meet this requirement?

1. A. Create an origin access identity (OAI) in CloudFron
2. B. Associate the OAI with the distributio
3. C. Remove access to and from other principals in the S3 bucket polic
4. D. Update the S3 bucket policy to allow accessonly from the OAI.
5. E. Create an origin access identity (OAI) in CloudFron
6. F. Associate the OAI with the distributio
7. G. Update the S3 bucket policy to allow access only from the OA
8. H. Create a new origin, and specify the S3 bucket as the new origi
9. I. Update the distribution behavior to use the new origi
10. J. Remove the existing origin.
11. K. Create an origin access identity (OAI) in CloudFron
12. L. Associate the OAI with the distributio
13. M. Update the S3 bucket policy to allow access only from the OA
14. N. Disable website hostin
15. O. Create a new origin, and specify the S3 bucket as the new origi
16. P. Update the distribution behavior to use the new origi
17. Q. Remove the existing origin.
18. R. Update the S3 bucket policy to allow access only from the CloudFront distributio
19. S. Remove access to and from other principals in the S3 bucket polic
20. T. Disable website hostin
21. . Create a new origin, and specify the S3 bucket as the new origi
22. . Update the distribution behavior to use the new origi
23. . Remove the existing origin.

Correct Answer: A

- (Exam Topic 1)
A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance.
Which of the following are possible causes of this issue? (Choose two.)

1. A. A network ACL associated with the bastion's subnet is blocking the network traffic.
2. B. The instance does not have a private IP address.
3. C. The route table associated with the bastion's subnet does not have a route to the internet gateway.
4. D. The security group for the instance does not have an inbound rule on port 22.
5. E. The security group for the instance does not have an outbound rule on port 3389.

Correct Answer: AC