Question.81 A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement? (A) Log in to the RDS console and select the encryption box to encrypt the database. (B) Create a new encrypted Amazon EBS volume and attach it to the instance. (C) Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance. (D) Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Answer: D
Question.82 A company’s SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys. The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company’s other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs. Which solution will securely share the AMI with the other AWS accounts? (A) In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with. (B) In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with. (C) In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to make it public. (D) In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
Answer: C
Question.83 A company needs to monitor its website’s availability to end users. The company needs a solution to provide an Amazon Simple Notification Service (Amazon SNS) notification if the website’s uptime decreases to less than 99%. The monitoring must provide an accurate view of the user experience on the website. Which solution will meet these requirements? (A) Create an Amazon CloudWatch alarm that is based on the website’s logs that are published to a CloudWatch Logs log group. Configure the alarm to publish an SNS notification if the number of HTTP 4xx errors and 5xx errors exceeds a specified threshold. (B) Create an Amazon CloudWatch alarm that is based on the website’s published metrics in CloudWatch. Configure the alarm to publish an SNS notification that is based on anomaly detection. (C) Create an Amazon CloudWatch Synthetics heartbeat monitoring canary. Associate the canary with the website’s URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%. (D) Create an Amazon CloudWatch Synthetics broken link checker monitoring canary. Associate the canary with the website’s URL for end users. Create a CloudWatch alarm for the canary. Configure the alarm to publish an SNS notification if the value of the SuccessPercent metric is less than 99%.
Answer: C
Question.84 A company that uses AWS Organizations recently implemented AWS Control Tower. The company now needs to centralize identity management. A SysOps administrator must federate AWS IAM Identity Center with an external SAML 2.0 identity provider (IdP) to centrally manage access to all the company’s accounts and cloud applications. Which prerequisites must the SysOps administrator have so that the SysOps administrator can connect to the external IdP? (Choose two.) (A) A copy of the IAM Identity Center SAML metadata (B) The IdP metadata, including the public X.509 certificate (C) The IP address of the IdP (D) Root access to the management account (E) Administrative permissions to the member accounts of the organization
Answer: BE
Question.85 A SysOps administrator needs to configure an Amazon S3 bucket to host a web application. The SysOps administrator has created the S3 bucket and has copied the static files for the web application to the S3 bucket. The company has a policy that all S3 buckets must not be public. What should the SysOps administrator do to meet these requirements? (A) Create an Amazon CloudFront distribution. Configure the S3 bucket as an origin with an origin access identity (OAI). Give the OAI the s3:GetObject permission in the S3 bucket policy. (B) Configure static website hosting in the S3 bucket. Use Amazon Route 53 to create a DNS CNAME to point to the S3 website endpoint. (C) Create an Application Load Balancer (ALB). Change the protocol to HTTPS in the ALB listener configuration. Forward the traffic to the S3 bucket. (D) Create an accelerator in AWS Global Accelerator. Set up a listener configuration for port 443. Set the endpoint type to forward the traffic to the S3 bucket.
Answer: A