| Question.51 A company needs to track spending in its AWS account. The company must receive a notification when current costs and forecasted costs exceed specific thresholds. Which solution will meet these requirements with the LEAST operational overhead? (A) Create a new IAM role. Attach the AWSPurchaseOrdersServiceRolePolicy AWS managed policy to the role. Check AWS Cost Explorer on a regular basis to monitor current costs and forecasted costs. (B) Create an AWS Cost and Usage Report. Create an AWS Step Functions state machine that runs when a new usage file is generated. Configure the state machine to pass the data to Amazon Forecast and to invoke an AWS Lambda function. Configure the Lambda function to parse the data and to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if costs exceed the thresholds. (C) Create an AWS Cost and Usage Report. Separate the current costs and forecasted costs by service. Schedule the report to be sent to an Amazon Simple Notification Service (Amazon SNS) topic each month. (D) Create a recurring cost budget in AWS Budgets. Create an alert for the actual cost. Create a second alert for the forecasted costs. Configure an Amazon Simple Notification Service (Amazon SNS) topic to receive the alerts. |
51. Click here to View Answer
Answer: C
| Question.52 A company has a policy that all Amazon EC2 instance logs must be published to Amazon CloudWatch Logs. A SysOps administrator is troubleshooting an EC2 instance that is running Amazon Linux 2. The EC2 instance is not publishing logs to CloudWatch Logs. The Amazon CloudWatch agent is running on the EC2 instance, and the agent configuration file is correct. What should the SysOps administrator do to resolve the issue? (A) Configure the AWS CLI on the EC2 instance. Create a cron job that calls the PutLogEvents API operation to push the log files to CloudWatch every 5 minutes. (B) Inspect the retention period of the CloudWatch Logs log group. Ensure that the retention period is set to a value that is greater than 1 day. (C) Set up an Amazon Kinesis data stream that is running in the same AWS Region as the EC2 instance. Configure the CloudWatch agent on the EC2 instance to send CloudWatch events to the data stream. (D) Ensure that the IAM role that is attached to the EC2 instance has permissions in CloudWatch Logs for the CreateLogGroup, CreateLogStream, PutLogEvents, and DescribeLogStreams actions. |
52. Click here to View Answer
Answer: D
| Question.53 A company has set up an IPsec tunnel between its AWS environment and its on-premises data center. The tunnel is reporting as UP, but the Amazon EC2 instances are not able to ping any on-premises resources. What should a SysOps administrator do to resolve this issue? (A) Create a new inbound rule on the EC2 instances security groups to allow ICMP traffic from the on-premises CIDR. (B) Create a peering connection between the IPsec tunnel and the subnet of the EC2 instances. (C) Enable route propagation for the virtual private gateway in the route table that is assigned to the subnet of the EC2 instances. (D) Modify the VPCs DHCP options set. Add the IPsec tunnel to the VPN section. |
53. Click here to View Answer
Answer: C
| Question.54 A company has created a NAT gateway in a public subnet in a VPC. The VPC also contains a private subnet that includes Amazon EC2 instances. The EC2 instances use the NAT gateway to access the internet to download patches and updates. The company has configured a VPC flow log for the elastic network interface of the NAT gateway. The company is publishing the output to Amazon CloudWatch Logs. A SysOps administrator must identify the top five internet destinations that the EC2 instances in the private subnet communicate with for downloads. What should the SysOps administrator do to meet this requirement in the MOST operationally efficient way? (A) Use AWS CloudTrail Insights events to identify the top five internet destinations. (B) Use Amazon CloudFront standard logs (access logs) to identify the top five internet destinations. (C) Use CloudWatch Logs Insights to identify the top five internet destinations. (D) Change the flow log to publish logs to Amazon S3. Use Amazon Athena to query the log files in Amazon S3. |
54. Click here to View Answer
Answer: A
| Question.55 A company requires that all IAM user accounts that have not been used for 90 days or more must have their access keys and passwords immediately disabled. A SysOps administrator must automate the process of disabling unused keys using the MOST operationally efficient method. How should the SysOps administrator implement this solution? (A) Create an AWS Step Functions workflow to identify IAM users that have not been active for 90 days. Run an AWS Lambda function when a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule is invoked to automatically remove the AWS access keys and passwords for these IAM users. (B) Configure an AWS Config rule to identify IAM users that have not been active for 90 days. Set up an automatic weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for these IAM users. (C) Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users that have not been active for 90 days. Automatically delete these IAM users. (D) Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days. Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users. |
55. Click here to View Answer
Answer: D