- (Exam Topic 1)
A SysOps administrator configures an Amazon S3 gateway endpoint in a VPC. The private subnets inside the VPC do not nave outbound internet access. A user logs in to an Amazon EC2 instance in one of the private subnets and cannot upload a file to an Amazon S3 bucket in the same AWS Region
Which solution will solve this problem?

1. A. Update the EC2 instance role policy to allow s3:PutObjed access to the target S3 bucket.
2. B. Update the EC2 security group to allow outbound traffic to 0.0.0.070 for port 80.
3. C. Update the EC2 subnet route table to include the S3 prefix list destination routes to the S3 gateway endpoint.
4. D. Update the S3 bucket policy to allow s3 PurObject access from the private subnet CIDR block.

Correct Answer: C

- (Exam Topic 1)
A company uses Amazon Route 53 to manage the public DNS records for the domain example.com. The company deploys an Amazon CloudFront distribution to deliver static assets for a new corporate website. The company wants to create a subdomain that is named "static" and must route traffic for the subdomain to the CloudFront distribution.
How should a SysOps administrator create a new record for the subdomain in Route 53?

1. A. Create a CNAME recor
2. B. Enter static.cloudfront.net as the record nam
3. C. Enter the CloudFront distribution's public IP address as the value.
4. D. Create a CNAME recor
5. E. Enter static.example.com as the record nam
6. F. Enter the CloudFront distribution's private IP address as the value.
7. G. Create an A recor
8. H. Enter static.cloudfront.net as the record nam
9. I. Enter the CloudFront distribution's ID as an alias target.
10. J. Create an A recor
11. K. Enter static.example.com as the record nam
12. L. Enter the CloudFront distribution's domain name as an alias target.

Correct Answer: D
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html

- (Exam Topic 1)
A company updates its security policy to prohibit the public exposure of any data in Amazon S3 buckets in the company's account. What should a SysOps administrator do to meet this requirement?

1. A. Turn on S3 Block Public Access from the account level.
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private.
3. C. Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found.
4. D. Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private.

Correct Answer: A
Using Amazon S3 Block Public Access
as a centralized way to limit public access. Block Public Access
settings override bucket policies and object permissions. Be sure to enable Block Public Access for all accounts and buckets that you don't want publicly accessible.
https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/#:~:text=Using%20Amazon%2

- (Exam Topic 1)
A SysOps administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%.
Which collection of configuration changes will increase the cache hit ratio for the distribution? (Select TWO.)

1. A. Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings.
2. B. Change the Viewer Protocol Policy to use HTTPS only.
3. C. Configure the distribution to use presigned cookies and URLs to restrict access to the distribution.
4. D. Enable automatic compression of objects in the Cache Behavior Settings.
5. E. Increase the CloudFront time to live (TTL) settings in the Cache Behavior Settings.

Correct Answer: AE
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html#cache-hit-ratio-ht

- (Exam Topic 1)
A development team recently deployed a new version of a web application to production After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data
Which AWS service will mitigate this issue?

1. A. AWS Shield Standard
2. B. AWS WAF
3. C. Elastic Load Balancing
4. D. Amazon Cognito

Correct Answer: B
https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/