- (Exam Topic 1)
A company maintains a large set of sensitive data in an Amazon S3 bucket. The company's security team asks a SyeOps administrator to help verify that all current objects in the S3 bucket are encrypted.
What is the MOST operationally efficient solution that meets these requirements?

1. A. Create a script that runs against the S3 bucket and outputs the status of each object.
2. B. Create an S3 Inventory configuration on the S3 bucket Induce the appropriate status fields.
3. C. Provide the security team with an IAM user that has read access to the S3 bucket.
4. D. Use the AWS CLI to output a list of all objects in the S3 bucket.

Correct Answer: D

- (Exam Topic 1)
An environment consists of 100 Amazon EC2 Windows instances The Amazon CloudWatch agent Is deployed and running on at EC2 instances with a baseline configuration file to capture log files There is a new requirement to capture the DHCP tog tiles that exist on 50 of the instances
What is the MOST operational efficient way to meet this new requirement?

1. A. Create an additional CloudWatch agent configuration file to capture the DHCP logs Use the AWS Systems Manager Run Command to restart the CloudWatch agent on each EC2 instance with the append-config option to apply the additional configuration file
2. B. Log in to each EC2 instance with administrator rights Create a PowerShell script to push the needed baseline log files and DHCP log files to CloudWatch
3. C. Run the CloudWatch agent configuration file wizard on each EC2 instance Verify that the base the log files are included and add the DHCP tog files during the wizard creation process
4. D. Run the CloudWatch agent configuration file wizard on each EC2 instance and select the advanced detail leve
5. E. This wifi capture the operating system log files.

Correct Answer: A

- (Exam Topic 1)
A company's web application is available through an Amazon CloudFront distribution and directly through an internet-facing Application Load Balancer (ALB) A SysOps administrator must make the application accessible only through the CloudFront distribution and not directly through the ALB. The SysOps administrator must make this change without changing the application code
Which solution will meet these requirements?

1. A. Modify the ALB type to internal Set the distribution's origin to the internal ALB domain name
2. B. Create a Lambda@Edge function Configure the function to compare a custom header value in the request with a stored password and to forward the request to the origin in case of a match Associate the function with the distribution.
3. C. Replace the ALB with a new internal ALB Set the distribution's origin to the internal ALB domain name Add a custom HTTP header to the origin settings for the distribution In the ALB listener add a rule to forward requests that contain the matching custom header and the header's value Add a default rule to return a fixed response code of 403.
4. D. Add a custom HTTP header to the origin settings for the distribution in the ALB listener add a rule to forward requests that contain the matching custom header and the header's value Add a default rule to return a fixed response code of 403.

Correct Answer: D
To make the application accessible only through the CloudFront distribution and not directly through the Application Load Balancer (ALB), you can add a custom HTTP header to the origin settings for the CloudFront distribution. You can then create a rule in the ALB listener to forward requests that contain the matching custom header and its value to the origin. You can also add a default rule to the ALB listener to return a fixed response code of 403 for requests that do not contain the matching custom header. This will allow you to redirect all requests to the CloudFront distribution and block direct access to the application through the ALB.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

- (Exam Topic 1)
A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template it installs and configure necessary software through AWS OpsWorks and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours but at limes the process stalls due to installation errors.
The SysOps administrator must modify the CloudFormation template so if the process stalls, the entire stack will tail and roil back.
Based on these requirements what should be added to the template?

1. A. Conditions with a timeout set to 4 hours.
2. B. CreationPolicy with timeout set to 4 hours.
3. C. DependsOn a timeout set to 4 hours.
4. D. Metadata with a timeout set to 4 hours

Correct Answer: B

- (Exam Topic 1)
A company applies user-defined tags to resources that are associated with me company's AWS workloads Twenty days after applying the tags, the company notices that it cannot use re tags to filter views in the AWS Cost Explorer console.
What is the reason for this issue?

1. A. It lakes at least 30 days to be able to use tags to filter views in Cost Explorer.
2. B. The company has not activated the user-defined tags for cost allocation.
3. C. The company has not created an AWS Cost and Usage Report
4. D. The company has not created a usage budget in AWS Budgets

Correct Answer: B