- (Exam Topic 1)
A company has attached the following policy to an IAM user:


Which of the following actions are allowed for the IAM user?

1. A. Amazon RDS DescribeDBInstances action in the us-east-1 Region
2. B. Amazon S3 Putobject operation in a bucket named testbucket
3. C. Amazon EC2 Describe Instances action in the us-east-1 Region
4. D. Amazon EC2 AttachNetworkinterf ace action in the eu-west-1 Region

Correct Answer: C

- (Exam Topic 1)
A SysOps administrator is helping a development team deploy an application to AWS Trie AWS CloudFormat on temp ate includes an Amazon Linux EC2 Instance an Amazon Aurora DB cluster and a hard coded database password that must be rotated every 90 days
What is the MOST secure way to manage the database password?

1. A. Use the AWS SecretsManager Secret resource with the GenerateSecretString property to automatically generate a password Use the AWS SecretsManager RotationSchedule resource lo define a rotation schedule lor the password Configure the application to retrieve the secret from AWS Secrets Manager access the database
2. B. Use me AWS SecretsManager Secret resource with the SecretStrmg property Accept a password as a CloudFormation parameter Use the AllowedPatteen property of the CloudFormaton parameter to require e minimum length, uppercase and lowercase letters and special characters Configure me application to retrieve the secret from AWS Secrets Manager to access the database
3. C. Use the AWS SSM Parameter resource Accept input as a Qoudformatton parameter to store the parameter as a secure sting Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database
4. D. Use the AWS SSM Parameter resource Accept input as a Cloudf ormetton parameter to store the parameter as a string Configure the application to retrieve the parameter from AWS Systems ManagerParameter Store to access the database

Correct Answer: A

- (Exam Topic 1)
A company hosts a web application on an Amazon EC2 instance. The web server logs are published to Amazon CloudWatch Logs. The log events have the same structure and include the HTTP response codes that are associated with the user requests. The company needs to monitor the number of times that the web server returns an HTTP 404 response.
What is the MOST operationally efficient solution that meets these requirements?

1. A. Create a CloudWatch Logs metric filter that counts the number of times that the web server returns an HTTP 404 response.
2. B. Create a CloudWatch Logs subscription filter that counts the number of times that the web server returns an HTTP 404 response.
3. C. Create an AWS Lambda function that runs a CloudWatch Logs Insights query that counts the number of 404 codes in the log events during the past hour.
4. D. Create a script that runs a CloudWatch Logs Insights query that counts the number of 404 codes in the log events during the past hour.

Correct Answer: A
This is the most operationally efficient solution that meets the requirements, as it will allow the company to monitor the number of times that the web server returns an HTTP 404 response in real-time. The other solutions (creating a CloudWatch Logs subscription filter, an AWS Lambda function, or a script) will require
additional steps and resources to monitor the number of times that the web server returns an HTTP 404 response.
A metric filter allows you to search for specific terms, phrases, or values in your log events, and then to create a metric based on the number of occurrences of those search terms. This allows you to create a CloudWatch Metric that can be used to create alarms and dashboards, which can be used to monitor the number of HTTP 404 responses returned by the web server.

- (Exam Topic 1)
A SysOps administrator recently configured Amazon S3 Cross-Region Replication on an S3 bucket Which of the following does this feature replicate to the destination S3 bucket by default?

1. A. Objects in the source S3 bucket for which the bucket owner does not have permissions
2. B. Objects that are stored in S3 Glacier
3. C. Objects that existed before replication was configured
4. D. Object metadata

Correct Answer: B

- (Exam Topic 1)
A SysOps administrator trust manage the security of An AWS account Recently an IAM users access key was mistakenly uploaded to a public code repository. The SysOps administrator must identity anything that was changed by using this access key.

1. A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all IAM events lo an AWS Lambda function for analysis
2. B. Query Amazon EC2 togs by using Amazon CloudWatch Logs Insights for all events Heated with the compromised access key within the suspected timeframe
3. C. Search AWS CloudTrail event history tor all events initiated with the compromised access key within the suspected timeframe
4. D. Search VPC Flow Logs foe all events initiated with the compromised access key within the suspected Timeframe.

Correct Answer: C