- (Exam Topic 1)
A company has a critical serverless application that uses multiple AWS Lambda functions. Each Lambda function generates 1 GB of log data daily in tts own Amazon CloudWatch Logs log group. The company's security team asks for a count of application errors, grouped by type, across all of the log groups.
What should a SysOps administrator do to meet this requirement?

1. A. Perform a CloudWatch Logs Insights query that uses the stats command and count function.
2. B. Perform a CloudWatch Logs search that uses the groupby keyword and count function.
3. C. Perform an Amazon Athena query that uses the SELECT and GROUP BY keywords.
4. D. Perform an Amazon RDS query that uses the SELECT and GROUP BY keywords.

Correct Answer: A

- (Exam Topic 1)
A SysOps administrator is setting up an automated process to recover an Amazon EC2 instance In the event of an underlying hardware failure. The recovered instance must have the same private IP address and the same Elastic IP address that the original instance had. The SysOps team must receive an email notification when the recovery process is initiated.
Which solution will meet these requirements?

1. A. Create an Amazon CloudWatch alarm for the EC2 instance, and specify the SiatusCheckFailedjnstance metri
2. B. Add an EC2 action to the alarm to recover the instanc
3. C. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS> topi
4. D. Subscribe the SysOps team email address to the SNS topic.
5. E. Create an Amazon CloudWatch alarm for the EC2 Instance, and specify the StatusCheckFailed_System metri
6. F. Add an EC2 action to the alarm to recover the instanc
7. G. Add an alarm notification to publish a message to an Amazon Simple Notification Service (Amazon SNS) topi
8. H. Subscribe the SysOps team email address to the SNS topic.
9. I. Create an Auto Scaling group across three different subnets in the same Availability Zone with a minimum, maximum, and desired size of 1. Configure the Auto Seating group to use a launch template that specifies the private IP address and the Elastic IP addres
10. J. Add an activity notification for the Auto Scaling group to send an email message to the SysOps team through Amazon Simple Email Service (Amazon SES).
11. K. Create an Auto Scaling group across three Availability Zones with a minimum, maximum, and desired size of 1. Configure the Auto Scaling group to use a launch template that specifies the private IP addressand the Elastic IP addres
12. L. Add an activity notification for the Auto Scaling group to publish a message to an Amazon Simple Notification Service (Amazon SNS) topi
13. M. Subscribe the SysOps team email address to the SNS topic.

Correct Answer: B
You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. Terminated instances cannot be recovered. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. If the impaired instance has a public IPv4 address, the instance retains the public IPv4 address after recovery. If the impaired instance is in a placement group, the recovered instance runs in the placement group. When the StatusCheckFailed_System alarm is triggered, and the recover action is initiated, you will be notified by the Amazon SNS topic that you selected when you created the alarm and associated the recover action. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

- (Exam Topic 1)
A company is partnering with an external vendor to provide data processing services. For this integration, the vendor must host the company's data in an Amazon S3 bucket in the vendor's AWS account. The vendor is allowing the company to provide an AWS Key Management Service (AWS KMS) key to encrypt the company's data. The vendor has provided an IAM role Amazon Resource Name (ARN) to the company for this integration.
What should a SysOps administrator do to configure this integration?

1. A. Create a new KMS ke
2. B. Add the vendor's IAM role ARN to the KMS key polic
3. C. Provide the new KMS key ARN to the vendor.
4. D. Create a new KMS ke
5. E. Create a new IAM use
6. F. Add the vendor's IAM role ARN to an inline policy that is attached to the IAM use
7. G. Provide the new IAM user ARN to the vendor.
8. H. Configure encryption using the KMS managed S3 ke
9. I. Add the vendor's IAM role ARN to the KMS managed S3 key polic
10. J. Provide the KMS managed S3 key ARN to the vendor.
11. K. Configure encryption using the KMS managed S3 ke
12. L. Create an S3 bucke
13. M. Add the vendor's IAM role ARN to the S3 bucket polic
14. N. Provide the S3 bucket ARN to the vendor.

Correct Answer: C

- (Exam Topic 1)
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?

1. A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR range
2. B. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Log
3. C. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
4. D. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instance
5. E. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
6. F. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requestsfrom noncorporate CIDR range
7. G. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
8. H. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by ta
9. I. Tag the EC2 instances with an identifie
10. J. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.

Correct Answer: C
https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aw

- (Exam Topic 1)
A SysOps administrator uses AWS Systems Manager Session Manager to connect to instances After the SysOps administrator launches a new Amazon EC2 instance the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps administrator verities that Systems Manager Agent is installed updated and running on the EC2 instance
What is the reason for this issue?

1. A. The SysOps administrator does not have access to the key pair that is required for connection
2. B. The SysOps administrator has not attached a security group to the EC2 instance to allow SSH on port 22.
3. C. The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.
4. D. The EC2 instance ID has not been entered into the Session Manager configuration

Correct Answer: C