Question 26. A company needs to view a list of security groups that are open to the internet on port 3389. What should a SysOps administrator do to meet this requirement?

(A) Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.
(B) Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389.
(C) Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.
(D) Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.

Answer: D
Question 27. A company needs to implement a solution to install specific software on Amazon EC2 instances when the instances launch. Which solution will meet this requirement?

(A) Configure AWS Systems Manager State Manager associations to bootstrap the EC2 instances with the required software at launch.
(B) Use the Amazon CloudWatch agent to detect EC2 InstanceStart events and to inject the required software. Modify the InstanceRole IAM role to add permissions for the StartTask API operation.
(C) Use Amazon Inspector to detect EC2 launch events. Configure Amazon Inspector to install the required software as part of lifecycle hooks for the EC2 launch events.
(D) Use AWS Security Hub remediation actions to install the required software at launch.

Answer: A
Question 28. A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures the necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours, but at times the process stalls due to installation errors. The SysOps administrator must modify the CloudFormation template so that if the process stalls, the entire stack will fail and roll back. Based on these requirements, what should be added to the template?

(A) Conditions with a timeout set to 4 hours.
(B) CreationPolicy with a timeout set to 4 hours.
(C) DependsOn with a timeout set to 4 hours.
(D) Metadata with a timeout set to 4 hours.

Answer: B
Question 29. A company is using AWS Certificate Manager (ACM) to manage public SSL/TLS certificates. A SysOps administrator needs to send an email notification when a certificate has less than 14 days until expiration. Which solution will meet this requirement with the LEAST operational overhead?

(A) Create an Amazon CloudWatch custom metric to monitor certificate expiration for all ACM certificates. Create an Amazon EventBridge rule that has an event source of aws.cloudwatch. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if the DaysToExpiry metric is less than 14. Subscribe the appropriate email addresses to the SNS topic.
(B) Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure the rule to send an event to a target Amazon Simple Notification Service (Amazon SNS) topic if DaysToExpiry is less than 14. Subscribe the appropriate email addresses to the SNS topic.
(C) Create an Amazon CloudWatch dashboard that displays the DaysToExpiry metric for all ACM certificates. If DaysToExpiry is less than 14, send an email message to the appropriate email addresses. Send the email message by running a predefined CLI command to publish to an Amazon Simple Notification Service (Amazon SNS) topic.
(D) Create an Amazon EventBridge rule that has an event source of aws.acm. Configure the rule to evaluate the DaysToExpiry metric for all ACM certificates. Configure a target SMS identity that uses a predefined email template. Configure the rule to send an event to the target SMS identity if DaysToExpiry is less than 14.

Answer: B
Question 30. A company updates its security policy to prohibit the public exposure of any data in Amazon S3 buckets in the company's account. What should a SysOps administrator do to meet this requirement?

(A) Turn on S3 Block Public Access from the account level.
(B) Create an Amazon EventBridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private.
(C) Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found.
(D) Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private.

Answer: A