- (Exam Topic 1)
A company has multiple AWS Site-to-Site VPN connections between a VPC and its branch offices. The company manages an Amazon Elasticsearch Service (Amazon ES) domain that is configured with public
access. The Amazon ES domain has an open domain access policy. A SysOps administrator needs to ensure that Amazon ES can be accessed only from the branch offices while preserving existing data.
Which solution will meet these requirements?

1. A. Configure an identity-based access policy on Amazon E
2. B. Add an allow statement to the policy that includes the Amazon Resource Name (ARN) for each branch office VPN connection.
3. C. Configure an IP-based domain access policy on Amazon E
4. D. Add an allow statement to the policy that includes the private IP CIDR blocks from each branch office network.
5. E. Deploy a new Amazon ES domain in private subnets in a VPC, and import a snapshot from the old domai
6. F. Create a security group that allows inbound traffic from the branch office CIDR blocks.
7. G. Reconfigure the Amazon ES domain in private subnets in a VP
8. H. Create a security group that allows inbound traffic from the branch office CIDR blocks.

Correct Answer: B

- (Exam Topic 1)
A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are going directly to the S3 bucket by using the website hosting endpoint. A SysOps administrator must secure the S3 bucket to allow requests only from CloudFront.
What should the SysOps administrator do to meet this requirement?

1. A. Create an origin access identity (OAI) in CloudFron
2. B. Associate the OAI with the distributio
3. C. Remove access to and from other principals in the S3 bucket polic
4. D. Update the S3 bucket policy to allow accessonly from the OAI.
5. E. Create an origin access identity (OAI) in CloudFron
6. F. Associate the OAI with the distributio
7. G. Update the S3 bucket policy to allow access only from the OA
8. H. Create a new origin, and specify the S3 bucket as the new origi
9. I. Update the distribution behavior to use the new origi
10. J. Remove the existing origin.
11. K. Create an origin access identity (OAI) in CloudFron
12. L. Associate the OAI with the distributio
13. M. Update the S3 bucket policy to allow access only from the OA
14. N. Disable website hostin
15. O. Create a new origin, and specify the S3 bucket as the new origi
16. P. Update the distribution behavior to use the new origi
17. Q. Remove the existing origin.
18. R. Update the S3 bucket policy to allow access only from the CloudFront distributio
19. S. Remove access to and from other principals in the S3 bucket polic
20. T. Disable website hostin
21. . Create a new origin, and specify the S3 bucket as the new origi
22. . Update the distribution behavior to use the new origi
23. . Remove the existing origin.

Correct Answer: A

- (Exam Topic 1)
A SysOps administrator applies the following policy to an AWS CloudFormation stack:

What is the result of this policy?

1. A. Users that assume an IAM role with a logical ID that begins with "Production" are prevented from running the update-stack command.
2. B. Users can update all resources in the stack except for resources that have a logical ID that begins with "Production".
3. C. Users can update all resources in the stack except for resources that have an attribute that begins with "Production".
4. D. Users in an IAM group with a logical ID that begins with "Production" are prevented from running the update-stack command.

Correct Answer: B

- (Exam Topic 1)
A company recently its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch metrics to track instance memory utilization and available disk space.
What should a SysOps administrator do to meet these requirements?

1. A. Configure CloudWatch from the AWS Management Console tor all the instances that require monitoring by CloudWatc
2. B. AWS automatically installs and configures the agents far the specified instances.
3. C. Install and configure the CloudWatch agent on all the instance
4. D. Attach an IAM role to allow theinstances to write logs to CloudWatch.
5. E. Install and configure the CloudWatch agent on all the instance
6. F. Attach an IAM user to allow the instances to write logs to CloudWatch.
7. G. Install and configure the CloudWatch agent on all the instance
8. H. Attach the necessary security groups to allow the instances to write logs to CloudWatch

Correct Answer: C

- (Exam Topic 1)
An errant process is known to use an entire processor and run at 100% A SysOps administrator wants to automate restarting the instance once the problem occurs for more than 2 minutes
How can this be accomplished?

1. A. Create an Amazon CloudWatch alarm for the Amazon EC2 instance with basic monitoring Enable an action to restart the instance
2. B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring Enable an action to restart the instance
3. C. Create an AWS Lambda function to restart the EC2 instance triggered on a scheduled basis every 2 minutes
4. D. Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks

Correct Answer: B