A company has a critical serverless application that uses multiple AWS Lambda functions. Each Lambda function generates 1 GB of log data daily in its own Amazon CloudWatch Logs log group. The company's security team asks for a count of application errors, grouped by type, across all of the log groups.
What should a SysOps administrator do to meet this requirement?
A. Perform a CloudWatch Logs Insights query that uses the stats command and count function.
B. Perform a CloudWatch Logs search that uses the groupby keyword and count function.
C. Perform an Amazon Athena query that uses the SELECT and GROUP BY keywords.
D. Perform an Amazon RDS query that uses the SELECT and GROUP BY keywords.
A. Perform a CloudWatch Logs Insights query that uses the stats command and count function.
Question 292:
A company uses an Amazon CloudFront distribution to deliver its website. Traffic logs for the website must be centrally stored, and all data must be encrypted at rest.
Which solution will meet these requirements?
A. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with internet access and server-side encryption that uses the default AWS managed key. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
B. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
C. Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination.
D. Create an Amazon S3 bucket that is configured with no default encryption. Enable encryption in the CloudFront distribution and use the S3 bucket as a log destination.
C. Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
https://stackoverflow.com/questions/52560188/are-my-s3-objects-encrypted-at-rest-or-not
Question 293:
A company has 10 Amazon EC2 instances in its production account. A SysOps administrator must ensure that email notifications are sent to administrators each time there is an EC2 instance state change.
Which solution will meet these requirements?
A. Configure an Amazon Route 53 simple routing policy that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when an EC2 instance state changes. This SNS topic then sends notifications to its email subscribers.
B. Configure an Amazon Route 53 simple routing policy that publishes a message to an Amazon Simple Queue Service (Amazon SQS) queue when an EC2 instance state changes. This SQS queue then sends notifications to its email subscribers.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when an EC2 instance state changes. This SNS topic then sends notifications to its email subscribers.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that publishes a message to an Amazon Simple Queue Service (Amazon SQS) queue when an EC2 instance state changes. This SQS queue then sends notifications to its email subscribers.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic when an EC2 instance state changes. This SNS topic then sends notifications to its email subscribers.
Question 294:
A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.
What should a SysOps administrator do to meet this requirement?
A. Configure an IAM policy that denies the s3:DeleteObject action for all users. Three months after an object is written, remove the policy.
B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
C. Enable S3 Versioning on the existing S3 bucket. Configure S3 Lifecycle rules to protect the backups.
D. Enable S3 Object Lock on a new S3 bucket in governance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
B. Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
Explanation/Reference: B. Compliance mode is required for this situation. Comparison and reference below:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html
In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.
Question 295:
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Question 296:
A SysOps administrator noticed that a large number of Elastic IP addresses are being created on the company's AWS account, but they are not being associated with Amazon EC2 instances, and are incurring Elastic IP address charges in the monthly bill.
How can the administrator identify who is creating the Elastic IP addresses?
A. Attach a cost-allocation tag to each requested Elastic IP address with the IAM user name of the developer who creates it.
B. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events.
C. Create a CloudWatch alarm on the EIPCreated metric and send an Amazon SNS notification when the alarm triggers.
D. Use Amazon Inspector to get a report of all Elastic IP addresses created in the last 30 days.
B. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events.
Question 297:
A SysOps administrator needs to implement a solution to create backups of an Amazon DynamoDB table. The solution must perform the backups automatically every 24 hours and must move the backups to cold storage after 30 days. The solution also must encrypt the backups by using an AWS Key Management Service (AWS KMS) key that has a customizable key policy.
Which solution will meet these requirements?
A. Configure a DynamoDB table backup job that has a schedule period of 24 hours. Configure the backup job to move backups to cold storage after 30 days. Create a customer managed KMS key. Configure the backup job to use the customer managed KMS key.
B. Configure a DynamoDB table backup job that has a schedule period of 24 hours. Configure the backup job to move backups to cold storage after 30 days. Configure the backup job to use the AWS managed KMS key for DynamoDB.
C. Configure AWS Backup for DynamoDB. Create an AWS Backup vault. Create an AWS Backup plan that includes the DynamoDB table with a cold storage lifecycle policy set to 30 days. Create a customer managed KMS key. Configure the AWS Backup vault to use the customer managed KMS key.
D. Configure AWS Backup for DynamoDB. Create an AWS Backup vault that includes a cold storage lifecycle policy set to 30 days. Create an AWS Backup plan that includes the DynamoDB table. Configure the AWS Backup vault to use the AWS managed KMS key for DynamoDB.
C. Configure AWS Backup for DynamoDB. Create an AWS Backup vault. Create an AWS Backup plan that includes the DynamoDB table with a cold storage lifecycle policy set to 30 days. Create a customer managed KMS key. Configure the AWS Backup vault to use the customer managed KMS key.
Question 298:
A company uploaded its website files to an Amazon S3 bucket that has S3 Versioning enabled. The company uses an Amazon CloudFront distribution with the S3 bucket as the origin. The company recently modified the files, but the object names remained the same. Users report that old content is still appearing on the website.
How should a SysOps administrator remediate this issue?
A. Create a CloudFront invalidation, and add the path of the updated files.
B. Create a CloudFront signed URL to update each object immediately.
C. Configure an S3 origin access identity (OAI) to display only the updated files to users.
D. Disable S3 Versioning on the S3 bucket so that the updated files can replace the old files.
A. Create a CloudFront invalidation, and add the path of the updated files.
Explanation/Reference: By default, CloudFront caches a response from Amazon S3 for 24 hours (Default TTL of 86,400 seconds). If your request lands at an edge location that served the Amazon S3 response within 24 hours, then CloudFront uses the cached response. This happens even if you updated the content in Amazon S3. Use one of the following ways to push the updated Amazon S3 content from CloudFront:
1. Invalidate the Amazon S3 objects.
2. Use object versioning.
https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serving-outdated-content-s3/
Question 299:
An ecommerce company uses an Amazon ElastiCache (Redis) cluster for in-memory caching of popular product queries on a shopping website. A SysOps administrator views Amazon CloudWatch metrics data for the ElastiCache cluster and notices a large number of evictions. The SysOps administrator needs to implement a solution to reduce the number of evictions. The solution also must keep the popular queries cached.
Which solution will meet these requirements with the LEAST operational overhead?
A. Add another node to the ElastiCache cluster.
B. Increase the ElastiCache TTL value.
C. Decrease the ElastiCache TTL value.
D. Migrate to a new ElastiCache cluster that has larger nodes.
D. Migrate to a new ElastiCache cluster that has larger nodes.
Question 300:
A recent audit found that most resources belonging to the development team were in violation of patch compliance standards. The resources were properly tagged.
Which service should be used to quickly remediate the issue and bring the resources back into compliance?
A. AWS Config
B. Amazon Inspector
C. AWS Trusted Advisor
D. AWS Systems Manager