A user is measuring the CPU utilization of a private data center machine every minute. The machine provides the aggregate
of data every hour, such as Sum of data, Min value, Max value, and Number of Data points.
The user wants to send these values to CloudWatch. How can the user achieve this?
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to
CloudWatch using CLI or APIs. The user can publish the data to CloudWatch as single data points or as an aggregated set
of data points called a statistic set using the command put-metric-data. When sending the aggregate data, the user needs to
send it with the parameter statistic-values:
A SysOps Administrator has an AWS CloudFormation template of the companys existing infrastructure in us-west-2. The
Administrator attempts to use the template to launch a new stack in eu-west-1, but the stack only partially deploys, receives
an error message, and then rolls back.
Why would this template fail to deploy? (Choose two.)
A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the
CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months.
What is the process to rotate the key?
Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your
AWS Key Management Service (AWS KMS) customer master keys (CMKs), you can create new CMKs, and then change
your applications or aliases to use the new CMKs. Or, you can enable automatic key rotation for an existing CMK.
When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for
the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt
data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK. Reference:
An enterprise is using federated Security Assertion Markup Language (SAML) to access the AWS Management Console.
How should the SAML assertion mapping be configured?
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of
compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
A companys use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details
of daily spending to share with management.
Which method should the Administrator choose to produce this data?
Which of the following statements is true of tags and resource identifiers for EC2 instances?
You can assign tags only to resources that already exist. You can't terminate, stop, or delete a re-source based solely on its
tags; you must specify the resource identifier. For example, to delete snap-shots that you tagged with a tag key called
DeleteMe, you must use the DeleteSnapshots action with the resource identifiers of the snapshots, such as snap-
1234567890abcdef0. To identify re-sources by their tags, you can use the DescribeTags action to list all of your tags and
their associated resources.
What should a SysOps Administrator do to ensure a company has visibility into maintenance events performed by AWS?
A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 22.214.171.124/16. The
private subnet uses CIDR 126.96.36.199/24. Which of the below mentioned entries are required in the main route table to allow the
instances in VPC to communicate with each other?
Option A doesn't use standard AWS terminology (you don't route to "VPC"), and because the mask is /24, it would only allow
the instances in the private subnet to communicate with each other, not all the instances in the VPC as the question asked.
Here's an example VPC route table for a public subnet (i.e. it routes to the IGW). Option D is the correct one.
You have set up an IAM policy for your users to access Elastic Load Balancers and you know that an IAM policy is a JSON
document that consists of one or more statements. Which of the following elements is not a part of the statement in an IAM
When you attach a policy to a user or group of users to control access to your load balancer, it al-lows or denies the users
permission to perform the specified tasks on the specified resources.
An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows:
Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use re-sources and API actions, so
all requests are denied. An explicit allow overrides the default. An ex-plicit deny overrides any allows.
Action: The action is the specific API action for which you are granting or denying permission.
Resource: The resource that's affected by the action. With many Elastic Load Balancing API ac-tions, you can restrict the
permissions granted or denied to a specific load balancer by specifying its Amazon Resource Name (ARN) in this statement.
Otherwise, you can use the * wildcard to specify all of your load balancers. Condition: You can optionally use conditions to
control when your policies in effect.
Network ACLs in a VPC operate at the ______.
Security Groups in VPC operate at the instance level, providing a way to control the incoming and outgoing instance traffic.
In contrast, network ACLs operate at the subnet level, providing a way to control the traffic that flows through the subnets of
A user is launching an instance with EC2. Which options below should the user consider before launching an instance?
Regarding Amazon EC2, when launching an instance, the user needs to select the region the in-stance would be launched
from. While launching, the user needs to plan for the instance type and the OS of the instance. Reference:
An instance has enabled basic monitoring only for CloudWatch. What is the minimum time period available for basic
When a user is setting up an alarm on the EC2 instance metric, the time period should be equal to or more than the metric
frequency. For basic monitoring, the metric is monitored at every 5 minutes (300 seconds). Reference:
A SysOps Administrator runs a web application that is using a microservices approach whereby different responsibilities of
the application have been divided in a separate microservice running on a different Amazon EC2 instance. The Administrator
has been tasked with reconfiguring the infrastructure to support this approach.
How can the Administrator accomplish this with the LEAST administrative overhead?
A companys Marketing department generates gigabytes of assets each day and stores them locally. They would like to
protect the files by backing them up to AWS. All the assets should be stored on the cloud, but the most recent assets should
be available locally for low latency access.
Which AWS service meets the requirements?