AWS-SysOps Free Practice Test

- (Exam Topic 1)
A company has an internal web application that runs on Amazon EC2 instances behind an Application Load
Balancer. The instances run in an Amazon EC2 Auto Scaling group in a single Availability Zone. A SysOps administrator must make the application highly available.
Which action should the SysOps administrator take to meet this requirement?

1. A. Increase the maximum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
2. B. Increase the minimum number of instances in the Auto Scaling group to meet the capacity that is required at peak usage.
3. C. Update the Auto Scaling group to launch new instances in a second Availability Zone in the same AWS Region.
4. D. Update the Auto Scaling group to launch new instances in an Availability Zone in a second AWS Region.

Correct Answer: C

- (Exam Topic 1)
A company asks a SysOps administrator to ensure that AWS CloudTrail files are not tampered with after they are created. Currently, the company uses AWS Identity and Access Management (IAM) to restrict access to specific trails. The company's security team needs the ability to trace the integrity of each file.
What is the MOST operationally efficient solution that meets these requirements?

1. A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a new file is delivere
2. B. Configure the Lambda function to compute an MD5 hash check on the file and store the result in an Amazon DynamoDB tabl
3. C. The security team can use the values that are stored in DynamoDB to verify the integrity of the delivered files.
4. D. Create an AWS Lambda function that is invoked each time a new file is delivered to the CloudTrail bucke
5. E. Configure the Lambda function to compute an MD5 hash check on the file and store the result as a tag in an Amazon S3 objec
6. F. The security team can use the information in the tag to verify the integrity of the delivered files.
7. G. Enable the CloudTrail file integrity feature on an Amazon S3 bucke
8. H. Create an IAM policy that grants the security team access to the file integrity logs that are stored in the S3 bucket.
9. I. Enable the CloudTrail file integrity feature on the trai
10. J. The security team can use the digest file that is created by CloudTrail to verify the integrity of the delivered files.

Correct Answer: D
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html "When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers.
Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. Validated log files are invaluable in security and forensic investigations"

- (Exam Topic 1)
A SysOps administrator needs to configure a solution that will deliver digital content to a set of authorized
users through Amazon CloudFront. Unauthorized users must be restricted from access. Which solution will meet these requirements?

1. A. Store the digital content in an Amazon S3 bucket that does not have public access blocke
2. B. Use signed URLs to access the S3 bucket through CloudFront.
3. C. Store the digital content in an Amazon S3 bucket that has public access blocke
4. D. Use an origin access identity (OAI) to deliver the content through CloudFron
5. E. Restrict S3 bucket access with signed URLs in CloudFront.
6. F. Store the digital content in an Amazon S3 bucket that has public access blocke
7. G. Use an origin access identity (OAI) to deliver the content through CloudFron
8. H. Enable field-level encryption.
9. I. Store the digital content in an Amazon S3 bucket that does not have public access blocke
10. J. Use signed cookies for restricted delivery of the content through CloudFront.

Correct Answer: B

- (Exam Topic 1)
A company updates its security policy to prohibit the public exposure of any data in Amazon S3 buckets in the company's account. What should a SysOps administrator do to meet this requirement?

1. A. Turn on S3 Block Public Access from the account level.
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private.
3. C. Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found.
4. D. Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private.

Correct Answer: A
Using Amazon S3 Block Public Access
as a centralized way to limit public access. Block Public Access
settings override bucket policies and object permissions. Be sure to enable Block Public Access for all accounts and buckets that you don't want publicly accessible.
https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/#:~:text=Using Amazon%2

- (Exam Topic 1)
A company uses AWS Organizations to manage its AWS accounts. A SysOps administrator must create a backup strategy for all Amazon EC2 instances across all the company's AWS accounts.
Which solution will meet these requirements In the MOST operationally efficient way?

1. A. Deploy an AWS Lambda function to each account to run EC2 instance snapshots on a scheduled basis.
2. B. Create an AWS CloudFormation stack set in the management account to add an AutoBackup=True tag to every EC2 instance
3. C. Use AWS Backup In the management account to deploy policies for all accounts and resources.
4. D. Use a service control policy (SCP) to run EC2 instance snapshots on a scheduled basis in each account.

Correct Answer: B