AWS-SysOps Free Practice Test

- (Exam Topic 1)
While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS The customer gateway device resides in a data center with a NAT gateway in front of it
What address should be used to create the customer gateway resource?

1. A. The private IP address of the customer gateway device
2. B. The MAC address of the NAT device in front of the customer gateway device
3. C. The public IP address of the customer gateway device
4. D. The public IP address of the NAT device in front of the customer gateway device

Correct Answer: D

- (Exam Topic 1)
A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application's performance. A SysOps administrator must scale the application to meet the increased traffic.
Which solution meets these requirements?

1. A. Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance If the desired threshold is reached.
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.
3. C. Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy.Attach the ALB to the Auto Scaling group.
4. D. Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy.Attach the ALB to the Auto Scaling group.

Correct Answer: C
docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-target-tracking.html

- (Exam Topic 1)
A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin.
The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution.
What should a SysOps administrator do to resolve this problem?

1. A. Examine the expiration date on the certificate on the origin sit
2. B. Validate that the certificate has not expire
3. C. Replace the certificate if necessary.
4. D. Examine the hostname on the certificate on the origin sit
5. E. Validate that the hostname matches one of the hostnames on the CloudFront distributio
6. F. Replace the certificate if necessary.
7. G. Examine the firewall rules that are associated with the origin serve
8. H. Validate that port 443 is open for inbound traffic from the interne
9. I. Create an inbound rule if necessary.
10. J. Examine the network ACL rules that are associated with the CloudFront distributio
11. K. Validate that port 443 is open for outbound traffic to the origin serve
12. L. Create an outbound rule if necessary.

Correct Answer: A
HTTP 502 errors from CloudFront can occur because of the following reasons:
There's an SSL negotiation failure because the origin is using SSL/TLS protocols and ciphers that aren't supported by CloudFront.
There's an SSL negotiation failure because the SSL certificate on the origin is expired or invalid, or because the certificate chain is invalid.
There's a host header mismatch in the SSL negotiation between your CloudFront distribution and the custom origin.
The custom origin isn't responding on the ports specified in the origin settings of the CloudFront distribution. The custom origin is ending the connection to CloudFront too quickly.
https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cloudfront-connection-error/

- (Exam Topic 1)
A company hosts a web application on an Amazon EC2 instance in a production VPC. Client connections to the application are failing. A SysOps administrator inspects the VPC flow logs and finds the following entry:
2 111122223333 eni-<###> 192.0.2.15 203.0.113.56 40711 443 6 1 40 1418530010 1418530070 REJECT OK
What is a possible cause of these failed connections?

1. A. A security group is denying traffic on port 443.
2. B. The EC2 instance is shut down.
3. C. The network ACL is blocking HTTPS traffic.
4. D. The VPC has no internet gateway attached.

Correct Answer: A
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-accepted https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#
Accepted and rejected traffic: In this example, RDP traffic (destination port 3389, TCP protocol) to network interface eni-1235b8ca123456789 in account 123456789010 was rejected. 2 123456789010
eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

- (Exam Topic 1)
A SysOps administrator has Nocked public access to all company Amazon S3 buckets. The SysOps administrator wants to be notified when an S3 bucket becomes publicly readable in the future.
What is the MOST operationally efficient way to meet this requirement?

1. A. Create an AWS Lambda function that periodically checks the public access settings for each S3 bucket.Set up Amazon Simple Notification Service (Amazon SNS) to send notifications.
2. B. Create a cron script that uses the S3 API to check the public access settings for each S3 bucke
3. C. Set up Amazon Simple Notification Service (Amazon SNS) to send notifications
4. D. Enable S3 Event notified tons for each S3 bucke
5. E. Subscribe S3 Event Notifications to an Amazon Simple Notification Service (Amazon SNS) topic.
6. F. Enable the s3-bucket-public-read-prohibited managed rule in AWS Confi
7. G. Subscribe the AWS Config rule to an Amazon Simple Notification Service (Amazon SNS) topic.

Correct Answer: D