- (Exam Topic 1)
A company hosts several write-intensive applications. These applications use a MySQL database that runs on a single Amazon EC2 instance. The company asks a SysOps administrator to implement a highly available database solution that is ideal for multi-tenant workloads.
Which solution should the SysOps administrator implement to meet these requirements?

1. A. Create a second EC2 instance for MySQ
2. B. Configure the second instance to be a read replica.
3. C. Migrate the database to an Amazon Aurora DB cluste
4. D. Add an Aurora Replica.
5. E. Migrate the database to an Amazon Aurora multi-master DB cluster.
6. F. Migrate the database to an Amazon RDS for MySQL DB instance.

Correct Answer: C

- (Exam Topic 1)
A company wants to create an automated solution for all accounts managed by AWS Organizations to detect any worry groups that urn 0.0.0.0/0 as the source address for inbound traffic. The company also wants to automatically remediate any noncompliant security groups by restricting access to a specific CIDR block corresponds with the company's intranet.

1. A. Create an AWS Config rule to detect noncompliant security group
2. B. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDK block.
3. C. Create an IAM policy to deny the creation of security groups that have 0.0.0.0/0 as the source address Attach this 1AM policy to every user in the company.
4. D. Create an AWS Lambda function to inspect now and existing security groups check for a noncompliant 0.0.0.0A) source address and change the source address to the approved CIDR block.
5. E. Create a service control policy (SCP) for the organizational unit (OU) to deny the creation of security groups that have the 0.0.0.0/0 source addres
6. F. Set up automatic remediation to change Vie 0.0.0.0/0 source address to the approved CIDR block.

Correct Answer: A

- (Exam Topic 1)
A SysOps administrator is building a process for sharing Amazon RDS database snapshots between different accounts associated with different business units within the same company. All data must be encrypted at rest.
How should the administrator implement this process?

1. A. Write a script to download the encrypted snapshot, decrypt it using the AWS KMS encryption key usedto encrypt the snapshot, then create a new volume in each account.
2. B. Update the key policy to grant permission to the AWS KMS encryption key used to encrypt the snapshot with all relevant accounts, then share the snapshot with those accounts.
3. C. Create an Amazon EC2 instance based on the snapshot, then save the instance's Amazon EBS volume as a snapshot and share it with the other account
4. D. Require each account owner to create a new volume from that snapshot and encrypt it.
5. E. Create a new unencrypted RDS instance from the encrypted snapshot, connect to the instance using SSH/RD
6. F. export the database contents into a file, then share this file with the other accounts.

Correct Answer: B

- (Exam Topic 1)
The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in use and the total available IAM policies.
Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?

1. A. AWS Trusted Advisor
2. B. Amazon Inspector
3. C. AWS Config
4. D. AWS Organizations

Correct Answer: A

- (Exam Topic 1)
A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.
Which solution will meet this requirement?

1. A. Create a new security group to block traffic to the external IP addres
2. B. Assign the new security group to the EC2 instance.
3. C. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
4. D. Create a network AC
5. E. Add an outbound deny rule for traffic to the external IP address.
6. F. Create a new security group to block traffic to the external IP addres
7. G. Assign the new security group to the entire VPC.

Correct Answer: C
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html