Question 51
A SysOps administrator is examining the following AWS CloudFormation template:
Why will the stack creation fail?
A. The Outputs section of the CloudFormation template was omitted.
B. The Parameters section of the CloudFormation template was omitted.
C. The PrivateDnsName cannot be set from a CloudFormation template.
D. The VPC was not specified in the CloudFormation template.
Question 52
A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times:
*** Error Establishing a Database ConnectionWhich of the following may be causes of the connectivity problems? (Choose two.)
A. The security group for the database does not have the appropriate egress rule from the database to the web server.
B. The certificate used by the web server is not trusted by the RDS instance.
C. The security group for the database does not have the appropriate ingress rule from the web server to the database.
D. The port used by the application developer does not match the port specified in the RDS configuration.
E. The database is still being created and is not available for connectivity.
Question 53
A compliance team requires all administrator passwords for Amazon RDS DB instances to be changed at least annually.
Which solution meets this requirement in the MOST operationally efficient manner?
A. Store the database credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days.
B. Store the database credentials as a parameter in the RDS parameter group. Create a database trigger to rotate the password every 365 days.
C. Store the database credentials in a private Amazon S3 bucket. Schedule an AWS Lambda function to generate a new set of credentials every 365 days.
D. Store the database credentials in AWS Systems Manager Parameter Store as a secure string parameter. Configure automatic rotation for the parameter every 365 days.
Question 54
A SysOps administrator is responsible for managing a fleet of Amazon EC2 instances. These EC2 instances upload build artifacts to a third-party service. The third-party service recently implemented a strict IP allow list that requires all build uploads to come from a single IP address.
What change should the systems administrator make to the existing build fleet to comply with this new requirement?
A. Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service.
B. Move all of the EC2 instances behind an internet gateway and provide the gateway IP address to the service.
C. Move all of the EC2 instances into a single Availability Zone and provide the Availability Zone IP address to the service.
D. Move all of the EC2 instances to a peered VPC and provide the VPC IP address to the service.
Question 55
A company uses an Amazon CloudFront distribution to deliver its website. Traffic logs for the website must be centrally stored, and all data must be encrypted at rest.
Which solution will meet these requirements?
A. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with internet access and server-side encryption that uses the default AWS managed customer master key (CMK). Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
B. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
C. Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination.
D. Create an Amazon S3 bucket that is configured with no default encryption. Enable encryption in the CloudFront distribution, and use the S3 bucket as a log destination.
Question 56
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted.
How can this be resolved?
A. Enable encryption on each host's connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
B. Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
C. Enable encryption on each host's local drive. Restart each host to encrypt the drive.
D. Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
