- (Exam Topic 1)
A database is running on an Amazon RDS Mufti-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement?

1. A. Log in to the RDS console and select the encryption box to encrypt the database
2. B. Create a new encrypted Amazon EBS volume and attach it to the instance
3. C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
4. D. Take a snapshot of the RDS instance, copy and encrypt the snapshot and then restore to the new RDS instance

Correct Answer: D

- (Exam Topic 1)
A SysOps administrator needs to track the costs of data transfer between AWS Regions. The SysOps administrator must implement a solution to send alerts to an email distribution list when transfer costs reach 75% of a specific threshold.
What should the SysOps administrator do to meet these requirements?

1. A. Create an AWS Cost and Usage Repor
2. B. Analyze the results in Amazon Athen
3. C. Configure an alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when costs reach 75% of the threshol
4. D. Subscribe the email distribution list to the topic.
5. E. Create an Amazon CloudWatch billing alarm to detect when costs reach 75% of the threshold.Configure the alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topi
6. F. Subscribe the email distribution list to the topic.
7. G. Use AWS Budgets to create a cost budget for data transfer cost
8. H. Set an alert at 75% of the budgeted amoun
9. I. Configure the budget to send a notification to the email distribution list when costs reach 75% of the threshold.
10. J. Set up a VPC flow lo
11. K. Set up a subscription filter to an AWS Lambda function to analyze data transfer.Configure the Lambda function to send a notification to the email distribution list when costs reach 75% of the threshold.

Correct Answer: B
The reason is that it uses the Amazon CloudWatch billing alarm which is a built-in service specifically designed to monitor and alert on cost usage of your AWS account, which makes it a more suitable solution for this use case. The alarm can be configured to detect when costs reach 75% of the threshold and when it is triggered, it can publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. The email distribution list can be subscribed to the topic, so that they will receive the alerts when costs reach 75% of the threshold.
AWS Budgets allows you to track and manage your costs, but it doesn't specifically focus on data transfer costs between regions, and it might not provide as much granularity as CloudWatch Alarms.

- (Exam Topic 1)
A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times:
"** Error Establishing a Database Connection
Which of the following may be causes of the connectivity problems? {Select TWO.)

1. A. The security group for the database does not have the appropriate egress rule from the database to the web server.
2. B. The certificate used by the web server is not trusted by the RDS instance.
3. C. The security group for the database does not have the appropriate ingress rule from the web server to the database.
4. D. The port used by the application developer does not match the port specified in the RDS configuration.
5. E. The database is still being created and is not available for connectivity.

Correct Answer: CD

- (Exam Topic 1)
A company is running a flash sale on its website. The website is hosted on burstable performance Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group is configured to launch instances when the CPU utilization is above 70%.
A couple of hours into the sale, users report slow load times and error messages for refused connections. A SysOps administrator reviews Amazon CloudWatch metrics and notices that the CPU utilization is at 20% across the entire fleet of instances.
The SysOps administrator must restore the website's functionality without making changes to the network infrastructure.
Which solution will meet these requirements?

1. A. Activate unlimited mode for the instances in the Auto Scaling group.
2. B. Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group.
3. C. Move the website to a different AWS Region that is closer to the users.
4. D. Reduce the desired size of the Auto Scaling group to artificially increase CPU average utilization.

Correct Answer: B
Implement an Amazon CloudFront distribution to offload the traffic from the Auto Scaling group does not breach the requirement of no changes in the network infrastructure. Reason is that cloudfront is a distribution that allows you to distribute content using a worldwide network of edge locations that provide low latency and high data transfer speeds. It plug in to existing setup, not changes to it.

- (Exam Topic 1)
A SysOps administrator has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow all outbound traffic:
Which solution will provide the EC2 instances in the private subnet with access to the internet?

1. A. Create a NAT gateway in the public subne
2. B. Create a route from the private subnet to the NAT gateway.
3. C. Create a NAT gateway in the public subne
4. D. Create a route from the public subnet to the NAT gateway.
5. E. Create a NAT gateway in the private subne
6. F. Create a route from the public subnet to the NAT gateway.
7. G. Create a NAT gateway in the private subne
8. H. Create a route from the private subnet to the NAT gateway.

Correct Answer: A
NAT Gateway resides in public subnet, and traffic should be routed from private subnet to NAT Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html