Cloud Computing




















  • An Application team has asked a SysOps Admin to provision an additional environment for an application in four additional regions. The application is running on more than 100 instances in us-east-1, using fully baked AMIs. An AWS CloudFormation template has been created to deploy resources in us-east-1. To provision the application quickly the SysOps Admin must Run the existing CloudFormation template in each additional region based on the success of the template used currently in us-east-1.

  • A company has a fleet of EC2 instances, and needs to remotely execute scripts for all of the instances. Amazon EC2 System Manager Run Command allows this.

  • A company is creating an application that will keep records. The application will run on Amazon EC2 instances and will use an Amazon Aurora MySQL DB as its data store. To maintain compliance, the application must not retain information that is determined to be sensitive. To detect if sensitive data is being stored in the application a SysOps admin should Export data from the DB by using an AWS Lambda function. Store the data in Amazon S3. Use Amazon Macie to examine the stored data. Examine the report for any sensitive data that is discovered.

  • Access Control List (ACL) is the document that defines who can access a particular bucket or object in Amazon S3. ACLs enable to manage access to buckets and objects. Each bucket and object has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access.

  • A user is sending custom data metrics to CloudWatch. The allowed time stamp granularity for each data point published for the custom metric is 1 millisecond (ms).
    The user is allowed to send data up to 1,000 of a second. CloudWatch aggregates the data by each minute and generates a metric for that.

  • Dev teams are maintaining several workloads on AWS. Company management is concerned about rising costs and wants the SysOps Admin to configure alerts so teams are notified when spending approaches preset limits. AWS Budgets service will satisfy these requirements.

  • A company has several accounts between different teams and wants to increase its auditing and compliance capabilities. The accounts are managed through AWS Organizations. Management wants to provide the security team with secure access to the account logs while also restricting the possibility for the logs to be modified. A SysOps admin can achieve this with the LEAst amount of operational overhead by From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.

  • A launch configuration in Auto Scaling represents a template that the Auto Scaling group uses to launch the Amazon EC2 instances. When create a launch configuration, specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping.

  • AWS CloudWatch is a service used to monitor the AWS resources and the applications running on EC2. It collects and tracks the metrics of various services or applications.

  • A Dev team recently deployed a new version of a web application to production. After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data. AWS WAF service will mitigate this issue.

  • Every object in Amazon S3 is stored in a Bucket. Before can store data in Amazon S3, must create a bucket.

  • An Auto Scaling group scales up and down based on Average CPU Utilization. The alarm is set to trigger a scaling event when the Average CPU Utilization exceeds 80% for 5 minutes. Currently, the Average CPU has been 95% for over two hours and new instances are not being added. The issue could be The maximum size of the Auto Scaling group is below or at the current group size.

  • AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. The user has to always include the namespace as a part of the request. However, the other parameters are optional. If the user has uploaded data using CLI, he can view it as a graph inside the console. The data will take around 2 minutes to upload but can be viewed only after around 15 minutes.

  • A popular auctioning platform requires near-real-time access to dynamic bidding information. The platform must be available at all times. The current Amazon RDS instance often reaches 100% CPU utilization during the weekend auction and can no longer be resized. To improve application performance, a sysops admin is evaluating Amazon ElastiCache, and has chosen Redis (cluster mode enabled) instead of Memcached. Reasons for making this choice are Multi-AZ with automatic failover and Online resharding.
    Amazon ElastiCache for Redis supports both Redis cluster and non-cluster modes and provides high availability via support for automatic failover by detecting primary node failures and promoting a replica to be primary with minimal impact.

  • Amazon S3 offer Storage over the Internet. It's a simple web services interface that can use to store and retrieve any amount of data, at any time, from anywhere on the web.

  • To change the Instance type for instances running. In application tier that are using Auto Scaling. Would change the instance type definition in Auto Scaling launch configuration.

  • To generate a report detailing specific cost allocation tags when creating a Monthly Cost Allocation report required steps are:
    • Activate the 'requested' tags by clicking Manage report tags on the Billing Preferences page.
    • Select the checkbox for Cost Allocation Report in the AWS account's Billing Management Console.
Last edited:


  • A company runs a multi-tier web application with two Amazon EC2 instances in one AZ in the us-east-1 Region. A SysOps admin must migrate one of the EC2 instances to a new AZ. Solution will accomplish this by Create an Amazon Machine Image (AMI) from the EC2 instance and launch it in a different AZ. Terminate the original instance.

  • A SysOps Admin has configured health checks on a load balancer. An Amazon EC2 instance attached to this load balancer fails the health check. The EC2 instance will be terminated based on the health check failure. And The load balancer will stop sending traffic to the EC2 instance.

  • Company A purchases company B and inherits three new AWS accounts. Company A would like to centralize billing and reserved instance benefits but wants to keep all other resources separate. This can be accomplished by Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console.

  • Amazon Route53 provides a scalable Domain Name System (DNS). It is a highly available and scalable cloud DNS web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like into the numeric IP addresses like that computers use to connect to each other. It is fully compliant with IPv6 as well.

  • AWS CloudWatch supports monitoring of the AWS estimated usage charges. When enable the monitoring of estimated charges for AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.

  • AWS Auto Scaling can launch instances based on certain criteria. This provides cost optimization to the user as it will only launch the instance when required, thereby resulting in cost saving.

  • AWS bills the user on a as pay as you go model. AWS will charge the user once the AWS resource is allocated. Even though the user is not using the resource, AWS will charge if it is in service or allocated. Thus, it is advised that once the user's work is completed he should:
    • Terminate the EC2 instance
    • Delete the EBS volumes
    • Release the unutilized Elastic IPs
    • Delete ELB
The AutoScaling launch configuration does not cost the user. Thus, it will not make any difference to the cost whether it is deleted or not.​
  • Store data in Amazon S3 and retain a copy of frequently accessed data subsets locally.
    In AWS Storage Gateway, Gateway-cached volumes offer a substantial cost savings on primary storage and minimize the need to scale storage on-premises. Also retain low-latency access to frequently accessed data.

  • An Auto Scaling group associated with an Elastic Load Balancer (ELB). Noticed that instances via the Auto Scaling group are being marked unhealthy due to an ELB health check, but these unhealthy instance are not being terminated. To ensure trial instances marked unhealthy by the ELB will be terminated and replaced by Add an ELB health check to Auto Scaling group.
    By default, an Auto Scaling group periodically reviews the results of EC2 instance status to determine the health state of each instance. However, if associated Auto Scaling group with an ELB load balancer, can choose to use the ELB health check. In this case, Auto Scaling determines the health status of instances by checking the results of both the EC2 instance status check and the ELB instance health check.
    For information about EC2 instance status checks, see Monitor Instances With Status Checks in the Amazon EC2 User Guide for Linux Instances. For information about ELB health checks, see Health Check in the ELB Developer Guide.
    Assuming that have created a LB and have registered the LB with Auto Scaling group. If not registered the LB with Auto Scaling group, see Set Up a Scaled and LB Application.
    Auto Scaling marks an instance unhealthy if the calls to the Amazon EC2 action DescribeInstanceStatus return any state other than running, the system status shows impaired, or the calls to ELB action DescribeInstanceHealth returns OutOfService in the instance state field.
    If there are multiple LB associated with Auto Scaling group, Auto Scaling checks the health state of EC2 instances by making health check calls to each LB. For each call, if the ELB action returns any state other than InService, the instance is marked as unhealthy. After Auto Scaling marks an instances as unhealthy, it remains in that state, even if subsequent calls from other LB return an InService state for the same instance.

  • A company would like to review each change in the infrasturcture before deploying updates in its AWS CloudFormation stacks. To understand the impact of these changes before implementation an Admin should Create a change set for the running stack.

  • When the user has launched an EC2 instance from an instance store backed AMI and added an instance store volume to the instance in addition to the root device volume, the block device mapping for the new AMI contains the information for these volumes as well. In addition, the block device mappings for the instances those are launched from the new AMI will automatically contain information for these volumes.

  • A SysOps Admin wants to automate the process of configuration, deployment, and management of Amazon EC2 instances using Chef or Puppet. AWS OpsWorks service will satisfy the requirement.

  • A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS vloume. The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool.
    AWS EBS supports encryption of the volume while creating new volumes. It supports encryption of the data at rest, the I/O as well as all the snapshots of the EBS volume. The EBS supports encryption for the selected instance type and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro instance.

  • An application running on Amazon EC2 instances in an Auto Scaling group across multiple AZs was deployed using an AWS CloudFormation template. The SysOps team has patched the AMI version and must update all the EC2 instances to use the new AMI. The SysOps Admin can use CloudFormation to apply the new AMI while maintaining a minimum level of active instances to ensure service continuity by Set an AutoScalingUpdate policy in the CloudFormation template to update the stack.

  • A company is running a popular social media site on EC2 instances. The application stores data in an Amazon RDS for MySQL DB instance and has implemented read caching by using an ElastiCache for Redis (cluster mode enabled) cluster to improve read times. A social event is happening over the weekend, and the SysOps Admin expects website traffic to triple. To ensure improved read times for users during the social event, A SysOps Admin can Add shards to the existing Redis cluster.

  • Running a web-application on AWS consisting of the following components an ELB an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and RDS MySQL. Security measures fall into AWS's responsibility is Protect against IP spoofing or packet sniffing.

  • A SysOps Admin is trying to set up an Amazon Route 53 domain name to route traffic to a website hosted on Amazon S3. The domain name of the website is and the S3 bucket name is anycompany-static. After the record set is set up in Route 53, the domain name does not seem to work, and the static website is not displayed in the browser. A cause of this is The S3 bucket name must match the record set name in Route 53. The name of the bucket must be
Last edited:


  • Design principles, A series of questions, and Six pillars are the components of the AWS Well-Architected Framework.

  • A Multi-AZ deployed DB is synchronous while read replicas are asynchronous.

  • Amazon CloudWatch use to monitor certain metrics of DBs and can set alarms when certain metrics/thresholds are reached.

  • Warm standby DR approach ensures that there is a scaled down, but fully functional, copy of production environment in another Region.

  • DB can be cost effective by Use read replicas and auto scaling.

  • Performance efficiency pillar of the AWS Well-Architected Framework features the 'go global in minutes' design principle.

  • Relational DBs use structured data due to their defined schemas.
    Semi-structured data or All other DBs listed would be considered to use nonrelational DBs,
    and unstructured data may be stored in object storage such as Amazon S3 like mp3 audio files, etc.

  • Amazon Neptune is a full-managed graph DB.

  • A ledger DB use if want a transparent, immutable, and cryptographically verifiable transaction log.

  • The reliability pillar features the 'stop guessing capacity' design principle.

  • Amazon MemoryDB purpose built DB service would choose to implement a fully managed, Redis compatible, durable primary DB solution.
    While Amazon Elasticache for Redis is Redis compatible, it generally requires a primary DB as it is an in-memory cache solution, while Amazon MemoryDB is not a cache.

  • A DB has a table which stores metadata of images as json documents categorize to Semi-structured.

  • Amazon Relational Database Service (Amazon RDS) can run several different engines such as Amazon Aurora, Oracle, PostgreSQL, etc.

  • AWS Schema Conversion Tool (AWS SCT) is recommended to use first for heterogeneous migrations, where migrate between different DB engines. It is designed to help manage migrations by estimating workloads and potential issues. In some cases it can even migrate schemas automatically.

  • The six pillars of the AWS Well-Architected Framework are Security, Reliability, Performance, Operational Excellence, Cost Optimization, and Sustainability.

  • Amazon Redshift is A fast, cloud-centered, fully managed, and secure data warehousing service that houses analytical data for use in complex queries, business intelligence reporting, and machine learning.

  • The Accounting department would like to receive billing updates more than once a month. They would like the updates to be in a format that can easily be viewed with a spreadsheet application. This request can be fulfilled by Set AWS Cost and Usage Reports to publish bills daily to an Amazon S3 bucket in CSV format.

  • A SysOps Admin is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Admin wants to be notified automatically of AWS Personal Health Dashboard events.
    In the main payer account, the Admin configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger. The alerts fail because The AWS Personal Health Dashboard only reports events from one account, not linked accounts.

  • A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance with an elastic IP. If the user is trying to delete the VPC it will not allow as the NAT instance is still running.

  • Amazon RDS supports SSL encryption for SQL Server DB instances. Using SSL, can encrypt connections between applications and SQL Server DB Instances. This is available for all the versions of Microsoft SQL Server.

  • A SysOps admin must run a script on production servers to fix an issue. The company has a policy to block all remote interactive access to production servers. Based on this situation, the admin should run the script by Configure the script to run as a cron job or scheduled task on the EC2 instances.

  • A SysOps Admin has an AWS Direct Connect connection in place in region us-east-1, between an AWS account and a data center. The Admin is now required to connect the data to a VPC in another AWS Region, us-west-2, which must have consistent network performance and low-latency. The MOST efficient and quickest way to establish this connectivity is Use Direct Connect gateway with the existing Direct Connect connection to connect to the Virtual Private Gateway of the VPC in region us-west-2.

  • A SysOps Admin receives a connection timeout error when attempting to connect to an Amazon EC2 instance from a home network using SSH. The Admin was able to connect to this EC2 instance SSH from their office network in the past. Cause the connection time out is The security group is not allowing inbound traffic from the home network on the SSH port.

  • A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 mins. If the user wants to send the data to CloudWatch to view the data visually, with respect to the information given The user needs to use AWS CLI or API to upload the data.
    AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. While sending the data the user has to include the metric name, namespace, and timezone as part of the request.

  • A company's application running on Amazon EC2 Linux recently crashed because it ran out of available memory. Management wants to be alerted if this ever happens again. Steps will accomplish this are Create an:
    • Amazon CloudWatch dashboard to monitor the memory usage metrics on the instance over time.
    • alarm on the AWS Personal Health Dashboard that publishes an Amazon SNS notification to alert the CIO when the system is out of memory.
  • An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups.
    The user can grant permission to an AWS account by the email address of that account or by the canonical user ID. If the user provides an email in the grant request, Amazon S3 finds the canonical user ID for that account and adds it to the ACL. The resulting ACL will always contain the canonical user ID for the AWS account, and not the AWS account's email address.

  • A company has deployed a NAT instance to allow web servers to obtain software updates from the internet. There is high latency on the NAT instance as the network grows. A SysOps Admin needs to reduce latency on the instance in a manner that is efficient, cost-effective, and allows for scaling with future demand. To accomplish this should Add a second NAT instance and place both instances behind a load balancer.

  • A company's audit shows that users have been changing cost-related tags on Amazon EC2 instances after deployment. The company has an organization in AWS Organizations with many AWS accounts.
    The company needs a solution to detect the EC2 instances automatically. The solution must require the least possible operational overhead. The solution meets these requirements is Use Service Control Policies (SCPs) to track EC2 instances that do not have the required tags.
Last edited:


  • Foreign key is used to create relationships between tables in a relational DB.

  • Structured Query Language (SQL) use to access data in a relational DB.

  • Amazon Aurora, Oracle DB, and PostgreSQL can Amazon RDS run.

  • Can create and modify Amazon RDS DB instances by using the AWS Command Line Interface (CLI), Amazon RDS Application Programming Interface (API), or the console.

  • PostgreSQL and MySQL DB engines are compatible with Amazon Aurora.
    Aurora is not compatible with Oracle DB, Microsoft SQL Server, or Spark SQL. However, can use the AWS Schema Conversion Tool (SCT) and AWS DB Migration Service (DMS) to convert and migrate content within these DBs to Aurora.

  • Amazon Aurora DB automatically maintains six copies of data across three AZs. Can have up to 15 read replicas and is managed by Amazon RDS.

  • Amazon ElastiCache service offers fully managed Redis and Memcached distributed memory caches.

  • Amazon Neptune stores data as nodes and the relationships between each node.

  • Amazon DocumentDB service sets up and scales MongoDB-compatible DBs to the cloud.

  • Table, Attribute, and Item are components of Amazon DynamoDB.

  • Amazon Athena service helps analyze data in Amazon S3 using standard SQL. It can query CloudTrail logs stored in an S3 bucket and extract valuable information from them.


  • Amazon Redshift service acts as a datawarehouse and can access S3 data lakes.

  • A SysOps Admin is reviewing AWS Trusted warnings and encounters a warning for an S3 bucket policy that has open access permissions. While discussing the issue the bucket owner, the Admin realizes the S3 bucket is an origin for an Amazon CloudFront web distribution. To ensure that users access objects in Amazon S3 by using only CloudFront URLs the Admin should Create an origin access identity and grant it permissions to read objects in the S3 bucket.

  • A company wants to launch a group of Amazon EC2 instances that need to communicate with each other with the lowest possible latency. When launching these instances a SysOps admin should Launch instances in a cluster placement group with enhanced networking enabled.

  • A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances. To ensure that all customer data stored on the EFS file system meets the new requirement the SysOps Admin should Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.

  • Amazon RDS integrates with AWS IAM, a service that lets organization create users and groups under organization's AWS account and assign unique security credentials to each user.

  • A company has a web application that runs both on-premises and on Amazon EC2 instances.
    Over time, both the on-premises servers and EC2 instances begin crashing. A SysOps Admin suspects a memory leak in the application and wants a unified method to monitor memory utilization over time.
    The Admin can track both the EC2 memory utilization and on-premises server memory utilization over time by Use Amazon CloudWatch agent for both Amazon EC2 instances and on-premises servers to report MemoryUtilization metrics to CloudWatch and set a CloudWatch alarm for notifications.

  • Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different AZ. The primary DB instance is synchronously replicated across AZs to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect DB against DB instance failure and AZ disruption. Note that the high-availability feature is not a scaling solution for read-only scenarios; cannot use a standby replica to serve read traffic. To service read-only traffic, should use a read replica.

  • A company using AWS Organizations requires that no Amazon S3 buckets in its production accounts should ever be deleted. The SIMPLEST approach the SysOps Admin can take to ensure S3 buckets in those accounts can never be deleted is Use SCPs to deny the s3: DeleteBucket action on all buckets in production accounts.

  • An application team is using Remote Desktop to connect to its application server and perform admin tasks. After deployment a Windows service an existing subnets, the team discovers that it is unable to communicate with the new servers. A SysOps Admin has obtained the VPC logs as shown in the teble related to the communication to help troubleshooting the problem.

  • Version​
    account id​
    interface id​
    log status​
This issue can be resolved by Ensures that the RDP service and Windows firewall are open and listening on Port 3389 TCP.​
  • A SysAdmin has created the below mentioned policy on an S3 bucket named cloudacademy.
    "Statement": [{
        "Sid": "stmt2499922170942",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObjectAcl", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::cloudacademy]
    It will give an error as no object is defined as part of the policy while the account defines the rule about the object.

  • An application maintain consists of multiple EC2 instances in a default tenancy VPC.
    This application has undergone an internal audit has been determined to require dedicated hardware for one instance.
    Compliance team has given a week to move this instance to single-tenant hardware.
    Process will have minimal impact on application while complying with this requirement is Stop the intance, create an AMI, launch a new instance with tenancy=dedicated, and terminate the old instance.
    Cannot change the tenancy of a default instance after have launched it.
    Can change the tenancy of an instance from 'dedicated' to 'host' after have launched it, and vice versa.

  • A company has an application running on a fleet of Microsoft Windows instances. Patches to the OS need to be applied each month. AWS Systems Manager Patch Manager is used to apply the patches on a schedule.
    When the fleet is being patched, customers complain about delayed service responses. To ensure patches are deployed with MINIMAL customer impact can Configure the maintenance window to patch 10% of the instance in the patch group at a time.
Last edited:


  • A business is currently running their inventory management on premises, but is looking to move into the cloud for increased performance and scalability. >
    For OnLine Transaction Processing (OLTP), and OnLine Analytical Processing (OLAP), DBs using row-based indexing, there is Amazon RDS. Now, this service streamlines setting up, operating, and scaling a relational DB in the cloud. The service provides cost-efficient and scalable capacity while automating many time-consuming admin tasks, such as HW provisioning, DB setup, patching, and backups.

  • A business running a gaming website is noticing that their DB is running slowly because of how rapidly they are growing. >
    Can use Amazon ElastiCache to support data-intensive apps or improve the performance of existing apps by retrieving data from high throughput and low latency in-memory data stores. It's a popular choice for gaming, advertising technology (ad tech), financial service, healthcare, and Internet of Things (IoT) apps. This service offers fully managed Redis and Memcached cache engines.

  • A business needs a solution that lets DB engineers focus their time on customer-facing features instead of routine DB maintenance and administration. >
    Amazon Aurora is a relational DB engine managed by Amazon RDS. It combines the speed and reliability of high-end commercial DBs with the simplicity and cost-effectiveness commonly associated with open-source DB. It's designed to eliminate unneccessary in/output operations to reduce costs and ensure that resources are available for serving read/write traffic. Compute and memory are automatically scaled.

  • A business needs a DB that can rapidly gather customer (shopping cart) data. >
    Amazon DynamoDB can handle more than 10 trillion requests per day and support peaks of more than 20 million requests per second. More than 100,000 AWS customers have chosen its as their key-value DB for mobile, web, gaming, ad tech, IoT, and other applications that need low-latency data access at any scale. It supports Atomicity, Consistency, Isolation, Durability (ACID)-compliant transactions.

  • A business needs a way to load data into a warehouse and archive in storage so they can manage costs. >
    Amazon Redshift uses machine learning, massively parallel query execution, and columnar storage on high-performance disks. Can set up and deploy a new data warehouse in minutes. Run queries across petabytes of data in its data warehouse and exabytes of data directly from data lake built on Amazon S3 with Amazon Redshift Spectrum.

  • A business is working to develop an e-commerce app that specializes in fraud detection. The business needs a solution that can provide near real-time detection of patterns that are defined as suspicious and indicate known fraud activity. >
    Amazon Neptune is a fast, reliable, fully managed graph DB service that makes it easy to build and run applications that work with highly connected datasets used to discover potential fraudulent behavior before it happens. Use cases include social networking, recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security.

  • A business is storing online profiles in which different users provide different types of information. The business is already using MongoDB, but wants to migrate to the cloud. >
    Amazon DocumentDB (with MongoDB compatibility) can run the same application code and use the same drivers and tools that use with MongoDB. It's used for storing semi-structured data as a document, rather than normalizing data across multiple tables, each with a unique and fixed structure, as in a relational DB. Use nested key-value pairs to provide the document's schema.

  • Server-based architecture should be used for
    • tasks that are predictable and compute resources will be in constant use.
    • application requires long-running computations.
  • Serverless architecture should be used for applications that:
    • require no system admin or capacity provisioning use.
    • experience high traffic volumes and require scalability use.
    • Only pay for what use.
    • There is zero server maintenance.
  • Relational DBs rely on tables, fields, and records to hold data.

  • An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps Admin has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. The problem likely to be The account has reached the default limit for VPCs allowed. The default VPC Limitation per region is 5.

  • Amazon Simple Notification Service (SNS) is a fast, flexible, fully managed push/pub/sub messaging service. It's simple and cost-effective to push to mobile devices such as iPhone, Android, Kindle Fire, and internet connected smart devices, as well as pushing to other distributed services.

  • An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups.
    Amazon S3 has a set of predefined groups. When granting account access to a group, the user can specify one of the URLs of that group instead of a canonical user ID.
    AWS S3 has the following predefined groups:
    • Authenticated Users group: It represents all AWS accounts.
    • All Users group: Access permission to this group allows anyone to access the resource.
    • Log Delivery group: WRITE permission on a bucket enables this group to write server access logs to the bucket.
  • A user has configured Auto Scaling with 3 instances. The user had created a new AMI after updating one of the instances.
    If the user wants to terminate two specific instances to ensure that Auto Scaling launches an instances with the new launch configuration, should run:
    • as-terminate-instance-in-auto-scaling-group <Instance ID> -> will terminate the specific instance ID.
    • --no-decrement-desired-capacity -> to ensure that it launches a new instance from the launch config after terminating the instance.

    • --decrement-desired-capacity -> Auto Scaling will terminate the instance and decrease the desired capacity by 1.
  • A user wants to make so that whenever the CPU utilization of the AWS EC2 instance is above 90%, the redlight of his bedroom turns on. AWS CloudWatch + AWS SNS are helpful for this purpose.
    Amazon SNS can deliver notifications by SMS text message or email to the Amazon SQS queues or to any HTTP endpoint. The user can configure some sensor devices at his home which receives data on the HTTP end point (REST) calls and turn on the red light. The user can configure the CloudWatch alarm to send a notification to the AWS SNS HTTP end point (the sensor device) and it will turn the light red when there is an alarm condition.

  • Malicious traffic is reaching company web servers from a single IP address located in another country. The SysOps Admin is tasked with blocking this IP address. The Admin should implement the restriction by Edit the network Access Control List (ACL) for the web server subnet and add a deny entry for the IP address.
    Need to restrict one IP so Geo restriction can't use and can't deny traffic for one IP in Security Group.

  • A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC. The SIMPLEST method to deploy and update the VPCs in each account is Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template, then deploy the template to all accounts using the stack set.
Last edited:


  • A user has configured a VPC with a new subnet. The user has created a security group and wants to configure that instances of the same subnet communicate with each other. The user should Configure the security group itself as the source and allow traffic on all the protocols and ports.
    AWS provides two features that the user can use to increase security in VPC: security groups and network ACLs. Security groups work at the instance level. If the user is using the default security group it will have a rule which allows the instances to communicate with other. For a new security group the user has to specify the rule, add it to define the source as the security group itself, and select all the protocols and ports for that source.

  • A Systems Admin is planning to deploy multiple EC2 instances within two separate AZs in the same AWS Region. The instances cannot be exposed to the Internet, but must be able to exchange traffic between one another. The data does not need to be encrypted. Solution meets these requirements while maintaining the lowest cost is Create two private subnets within the same VPC. Communicate between instances using their private IP addresses.

  • Amazon S3 provides Scalable Storage in the Cloud. Amazon S3 is object storage with a simple web service interface to store and retrieve any amount of data from anywhere on the web. It is designed to deliver 99.999999999% (11 9's) durability, and scale past trillions of objects worldwide.

  • An errant process is known to use in an entire processor and run at 100%. A SysOps Admin wants to automate restarting the instance once the problem occurs for more than 2 mins. This can be accomplished by Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance.
    Using Amazon CloudWatch alarm actions, can create alarms that automatically stop, terminate, reboot, or recover instances. Can use the stop or terminate actions to help save money when no longer need an instance to be running. Can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occur.

  • An organization stores sensitive customer information in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information. Steps should a SysOps Admin take to meet the CISO's requirement are Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs. And Use Amazon Athena to query S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.

  • A SysOps Admin launched an Amazon EC2 instance and received a message that the service limit was exceeded for that instance type. To ensure that EC2 instances can be launched the Admin should Open a case with AWS Support requesting an increase of the EC2 instance limit.

  • Only the below services provide full administrative privileges / Root level access:
    • EC2
    • Elastic Beanstalk
    • Elastic MapReduce - Master Node
    • Opswork
  • A company has an AWS account for each department and wants to consolidate billing and reduce overhead. The company wants to make sure that the finance team is denied from accessing services other than Amazon EC2, the security team is denied from accessing services other than AWS CloudTrail, and IT can access any resource. Solition meets these requirements with the LEAST amount of operational overhead is Implement service contol policies within AWS Organizations to determine which resources each department can access.

  • A user has set the Alarm for the CPU utilization > 50%. Due to an internal process, the current CPU utilization will be 80% for 6 hours. The user can ensure that the CloudWatch alarm does not perform any action by disable the alarm using the DisableAlarmActions API or mon-disable-alarm-actions.
    Can enable using EnableAlarmActions API or mon-enable-alarm-actions commands.

  • In a Hardware Security Module (HSM), To reduce the risk of confidential data theft is the function of a Transparent Data Encryption (TDE) by encrypting sensitive data.

  • Mission is to create a lights-out datacenter environment, and plan to use AWS OpsWorks to accomplish this.
    First created a stack and added an App Server layer with an instance running in it.
    Next added an application to the instance, and now need to deploy a MySQL RDS DB instance.
    To add a backend DB server to an OpsWorks stack should:
    • Add a new DB layer and then add recipes to the deploy actions of the DB and App Server layers.
    • The variables that characterize the RDS DB connection--host, user, and so on--are set using the corresponding values from the deploy JSON's [:deploy][:app_name][:database] attributes.
    • Set up the connection between the app server and the RDS layer by using a custom recipe.
      The recipe configures the app server as required, typically by creating a configuration file.
      The recipe gets the connection data such as the host and DB name from a set of attributes in the stack configuration and deployment JSON that AWS OpsWorks installs on every instance.
  • Can graph several metrics over time on the same graph. The user can select metrics such as CPU utilization in % and Network I/O in bytes across resources and graph them on a single graph. It is not required that they should be of the same instance. They can be of different instances with the same AMI or based on some other dimension. Can filter records and plot them all on the same graph.

  • A SysOps Admin is responsible for a legacy, CPU-heavy application. The application can only be scaled vertically. Currently, the application is deployed on a single t2.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency after a few minutes. Change should be made to alleviate the performance problem is Upgrade to a compute-optimized instance.

  • Amazon EC2 supports the following storage options:
    • Amazon Elastic Block Store (EBS)
    • Amazon EC2 Instance Store
    • Amazon Simple Storage Service (S3)
  • A company with dozens of AWS accounts wants to ensure that governance rules are being applied across all accounts. The CIO has recommended that AWS Config rules be deployed using an AWS CloudFormation template. These requirements should be met by Create a CloudFormation stack in the master account of AWS Organizations and execute the CloudFormation template to create AWS Config rules in all accounts.

  • A company is concerned about a security vulnerability impacting its Linux operating system. To alleviate this concern the SysOps Admin should Patch the Linux operating system using AWS Systems Manager.

  • A company has a web application that is deployed in a VPC. Inbound traffic to this web application comes in through an internet gateway and arrives at a Network Load Balancer (NLB).
    From there, the traffic travels to multiple Amazon EC2 instances in two private subnets. The company wants to perform deep packet inspection on the inbound traffic to identify potential hacking attempts. Solution meets these requirements is Set up Traffic Mirroring on an inbound port of the NLB.

  • A sys admin is maintaining an application on AWS. The application is installed on EC2 and user has configured ELB and Auto Scaling. Considering future load increase, the user is planning to launch new servers proactively so that they get registered with ELB. The user can add these instances with Auto Scaling by Increase the desired capacity of the Auto Scaling group.
Last edited:


วันนี้เรามาดูวิธีการปรับขนาด AWS EC2 แบบอัตโนมัติ (Autoscaling) กันนะคับ ว่าคืออะไร มีประโยชน์อย่างไร:
การปรับขนาดแบบอัตโนมัตินั้น ช่วยให้ตัว Application ยังคงมีประสิทธิภาพตามความต้องการของผู้ใช้งาน ด้วยราคาที่ต่ำที่สุดนั่นเอง (Cost Optimization) ไม่ต้อง Deploy Application ทุกครั้งเมื่อมีการเพิ่ม Server เข้ามา และเมื่อมีการปรับขนาดจะมีการแจ้งเตือนไปยัง Email หรือโทรศัพท์อีกด้วย

  • By default, a load balancer routes each request independently to the registered instance with the smallest load. However, can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.

  • A user is receiving a notification from the RDS DB whenever there is a change in the DB security group. The user does not want to receive these notifications for only a month.
    Thus, he does not want to delete the notification. The user can configure this by Change the Enable radio button for notification to 'No' in the RDS console or by setting the Enabled parameter to false using the CLI or Amazon RDS API.
    Amazon RDS uses the Amazon Simple Notification Service (SNS) to provide a notification when an Amazon RDS event occurs. Event notifications are sent to the addresses that the user has provided while creating the subscription. The user can easily turn off without deleting a subscription.

  • A user creates an Auto Scaling group from the Amazon AWS Console and assigned a tag with a key of 'environment' and a value of 'Prod'. The user can assign tags to instances launched in the Auto Scaling group, to organize and manage them.
    Can organize and manage Auto Scaling groups by assigning own metadata to each group in the form of tags. Specify a key and a value for each tag. A key can be a general category, such as 'project', 'owner', or 'environment', with specific associated values.
    By default, the instance will have a tag with the key as 'aws:autoscaling.groupName' and the value as the name of the group.

  • VPC allows the user to set up a connection between his VPC and corporate or home network data centre. If the user has an IP address prefix in the VPC that overlaps with one of the networks' prefixes, any traffic to the network's prefix is dropped. For example, the user's data centre has CIDR of falls in the VPC's CIDR range of Thus, it will not allow traffic on that IP.

  • A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are going directly to the S3 bucket by using the website hosting endpoint. A SysOps admin must secure the S3 bucket to allow requests only from CloudFront. To meet this requirement the SysOps admin should Create an Origin Access Identity (OAI) in CloudFront. Associate the OAI with the distribution. Remove access to and from other principles in the S3 bucket policy. Update the S3 bucket policy to allow access only from the OAI.

  • A company is creating a new multi-account architecture. A SysOps admin must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). To meet these requirements the SysOps admin should Configure an Amazon Cognito user pool. Integrate the user pool with the third-party IdP.

  • A SysOps admin has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (GP2) Amazon Elastic Block Store (EBS) volume. The instance also is EBS-optimized. To save costs, the SysOps admin stops the instance each evening and restarts the instance each morning.
    When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3,000 VolumeReadOps. The SysOps admin must improve the I/O performance while ensuring data integrity. Action will meet these requirements is Increase the EBS volume to a 2 TB General Purpose SSD (GP2) volume.

  • A company needs to create a daily Amazon Machine Image (AMI) of an existing Amazon Linux EC2 instance that hosts the OS, application, and DB on multiple attached Amazon EBS volumes. File system integrity must be maintained. Solution will meet these requirements is Create an AWS Lambda function to call the CreateImage API operation with the EC2 instance ID and the reboot parameter enabled. Create a daily scheduled Amazon EventBridge (CloudWatch Events) rule that invokes the function.

  • A leading telecommunications company has decided to host their e-commerce website in an Auto Scaling group of EC2 instances and a RDS DB instance for their mobile phone plans. To secure the online transactions, instructed to configure the DB to encrypt the data in transit. To meet the requirements should configure the DB to use SSL and use the certificates which are readily available from AWS based on its respective DB engine.
    Can use SSL from application to encrypt a connection to a DB instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL. Each DB engine has its own process for implementing SSL.
    A root certificate that works for all regions can be downloaded from the AWS website. It is the trusted root entity and should work in most cases but might fail if application doesn't accept certificate chains. If application doesn't accept certificate chains, download the AWS Region-specific certificate from AWS.
    A VPC endpoint is primarily used to privately connect VPC to other AWS services and endpoint services.
    CloudHSM is just a cloud-based Hardware Security Module (HSM) that enables to easily generate and use own encryption keys.
    And RDS does not provide the SSL connection by default.

  • A SysOps admin needs to track the costs of data transfer between AWS Regions. The SysOps admin must implement a solution to send alerts to an email distribution list when transfer costs reach 75% of a specific threshold. To meet these requirements the SysOps admin should Create an Amazon CloudWatch billing alarm to detect when costs reach 75% of the threshold. Configure the alarm to publish a message to an Amazon SNS topic. Subscribe the email distribution list to the topic.
    The reason is that it uses the Amazon CloudWatch billing alarm which is a built-in service specifically designed to monitor and alert on cost usage of AWS account, which makes it a more suitable solution for this use case. The alarm can be configured to detect when costs reach 75% of the threshold and when it is triggered, it can publish a message to an Amazon SNS topic. The email distribution list can be subscribed to the topic, so that they will receive the alerts when costs reach 75% of the threshold.
    AWS Budgets allows to track and manage costs, but it doesn't specifically focus on data transfer costs between regions, and it might not provide as much granularity as CloudWatch Alarms.

  • A company uses an AWS CloudFormation template to provision an Amazon EC2 instance and an Amazon RDS DB instance. A SysOps admin must update the template to ensure that the DB instance is created before the EC2 instance is launched. To meet this requirement the SysOps admin should Add the DependsOn attribute to the EC2 instance resource, and provide the logical name of the RDS resource.
    The DependsOn attribute can take a single string or list of strings.
    "DependsOn" : [ String, ... ]
Last edited:


วันนี้เรามาดูในส่วนของ Streaming กันบ้าง
สถาปัตยกรรมการ Stream ข้อมูลสมัยใหม่เป็นยังไง?

สถาปัตยกรรมการ Stream ข้อมูลที่ทันสมัยช่วยให้เรานำเข้า, ประมวลผล, และวิเคราะห์ข้อมูลความเร็วสูงปริมาณมากจากแหล่งที่มาที่หลากหลายแบบ Real-time เพื่อสร้างประสบการณ์ตอบสนองลูกค้าที่ชาญฉลาดมากขึ้น สถาปัตยกรรมข้อมูลการ Stream สมัยใหม่สามารถออกแบบเป็น Stack ของ Logical Layer 5 ชั้น โดยแต่ละ Layer จะประกอบด้วยส่วนประกอบที่สร้างขึ้นตามวัตถุประสงค์หลายๆ อย่าง เพื่อตอบสนองความต้องการแบบเฉพาะเจาะจง Diagram ด้านล่างนี้จะแสดงสถาปัตยกรรมข้อมูลการ Stream สมัยใหม่

โดยจะมีส่วนประกอบหลักๆ ดังนี้:

  • แหล่งที่มา - แหล่งที่มาของข้อมูลการ Stream จะประกอบด้วยแหล่งข้อมูลต่างๆ เช่น Sensor, social media, อุปกรณ์ IoT, File Log ที่สร้างขึ้นโดย Web และ Application บนมือถือ, อุปกรณ์เคลื่อนที่ที่สร้างข้อมูลกึ่งโครงสร้าง และไม่มีโครงสร้างที่เป็น Stream ต่อเนื่องความเร็วสูง

  • การนำเข้า Stream - Layer การจัดเก็บ Stream ที่สามารถปรับขนาดได้และคุ้มค่า เพื่อจัดเก็บข้อมูลการ Stream โดยที่ข้อมูลการ Stream สามารถจัดเก็บไว้ตามลำดับที่ได้รับมา ตามระยะเวลาที่กำหนด และสามารถเล่นซ้ำได้ไม่จำกัดในช่วงเวลานั้น

  • ที่เก็บข้อมูล Stream - Layer การนำเข้า Stream มีหน้าที่นำเข้าข้อมูลไปยัง Layer ที่เก็บข้อมูล Stream จะมีความสามารถในการรวบรวมข้อมูลจากแหล่งข้อมูลนับหมื่นและนำเข้าในเวลาใกล้เคียง Real-time
  • A global company handles a large amount of Personally Identifiable Information (PII) through an internal web portal. The company's application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet. To meet the compliance requirement a SysOps admin should Configure AWS Network Firewall to redirect traffic to the internal S3 address.

  • A SysOps admin needs to develop a solution that provides email notification and inserts a record into a DB every time a file is put into an Amazon S3 bucket. The MOST operationally efficient solution that meets these requirements is Create an AWS Lambda function to send the email notification and insert the record into the DB whenever a new object is detected in the S3 bucket invoke the function every minute with an Amazon EventBridge (CloudWatch Events) scheduled rule.

  • Elastic Load Balancing (ELB) provides access logs that capture detailed information about requests sent to LB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. Can use these access logs to analyze traffic patterns and troubleshoot issues.
    The bucket log should be in the same region as the Load Balancer. When enable access logging, must set up a standard S3 bucket for logs.

  • A company plans to launch a static website on its domain and subdomain using Amazon S3. The SysOps admin should meet this requirement by Create two S3 buckets named and Configure the subdomain bucket to redirect requests to the domain bucket.

  • A company is using Amazon Elastic File System (EFS) to share a file system among several Amazon EC2 instances. As usage increses, users report that file retrieval from the EFS file system is slower than normal.
    To improve the performance of the file system a SysOps admin should Configure the file system for Provisioned Throughput.

  • A company is heavily using AWS CloudFormation templates to automate the deployment of their cloud resources. The SysOps Admin needs to write a template that will automatically copy objects from an existing S3 bucket into the new one.
    The most suitable configuration for this scenario is Set up an AWS Lambda function and configure it to perform the copy operation. Integrate the Lambda function to the CloudFormation template as a custom resource.
    CopyActivity does not support copying multipart Amazon S3 files. The most suitable configuration to copy the objects from an existing bucket to a new S3 bucket is to use a custom Lambda resource in CloudFormation.

  • A company is running an application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are launched by an Auto Scaling group and are automatically registered in a target group. A SysOps admin must set up a notification to alert application owners when targets fail health checks. To meet these requirements the SysOps admin should Create an Amazon CloudWatch alarm on the UnHealthyHostCount metric. Configure an action to send an Amazon SNS notification when the metric is greater than 0.

  • AWS CloudHSM:
    • is in VPC and isolated from other AWS networks.
    • storing encryption keys.
  • A company recently purchased Savings Plans. The company wants to receive email notification when the company's utilization drops below 90% for a given day. Solution will meet this requirement is Use AWS Budgets to create a Savings Plans budget to track the daily utilization of the Savings Plans. Configure an Amazon SNS topic for email notification when the utilization drops below 90% for a given day.

  • A company's customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps admin observed a very high rate of read operations on a particular S3 bucket. To minimize latency by reducing load on the S3 bucket should Create an Amazon CloudFront distribution with the S3 bucket as the origin.

  • A company has a stateful web application that is hosted on Amazon EC2 instances in an Auto Scaling group. The instances run behind ALB that has a single target group. The ALB is configured as the origin in an Amazon CloudFront distribution. Users are reporting random logouts from the web application. To resolve this problem a SysOps admin should Configure cookie forwarding in the CloudFront distribution cache behavior and Enable sticky sessions on the ALB target group.

  • When the web servers on a public subnet could not establish communication with the RDS private instance subnet, the Admin should Check that the security group for the DB server is allowing the required inbound communication from the EC2 instance.

  • A large company is using AWS Organizations to manage hundreds of AWS accounts across multiple AWS Regions. The company has turned on AWS Config throughout the organization.
    The company requires all Amazon S3 buckets to block public read access. A SysOps admin must generate a monthly report that shows all the S3 buckets and whether they comply with this requirement.
    To collect this data the SysOps admin should:
    • Edit the AWS Config policy in AWS Organizations. Use the organization's management account to turn on the S3-bucket-public-read-prohibited rule for the entire organization.
    • Use the AWS Config compliance report from the organization's management account. Filter the results by resource, and select Amazon S3.
Last edited:


  • A dev is building a serverless application using AWS Lambda and must create a REST API using an HTTP GET method. To be defined to meet this requirement needs An Amazon API Gateway with a Lambda function and An exposed GET method in Amazon Route 53.

  • An application runs on multiple EC2 instances behind an ELB. The session data best written so that it can be served reliably across multiple requests is Write data to Amazon EC2 Instance Store.

  • A company needs to upload GBs of files every day. The company need to achieve higher throughput and upload speeds to Amazon S3. To meet this requirement a SysOps admin should Enable Amazon S3 Transfer Acceleration and use the acceleration endpoint when uploading files.
    S3 Transfer Acceleration can provide fast and secure transfers over long distance between client and Amazon S3. It uses Amazon CloudFront's globally distributed edge locations.

  • The AWS Task Orchestrator and Executor (AWSTOE) application use to orchestrate complex workflows, modify a particular system configurations for a custom web application suite, and test systems without writing code using a single interface. This application uses a declarative document schema. Because it is a standalone application, it does not require additional server setup.
    This service provide ample integration with the EC2 Image Builder.

  • A SysOps admin applies the following policy to an AWS CloudFormation stack:
      "Statement": [
          "Effect": "Deny",
          "Action": "Update:*",
          "Principal": "*",
          "Resource": ["LogicalResourceID/Production*"]
          "Effect": "Allow",
          "Action": "Update:*",
          "Principal": "*",
          "Resource": "*"
    The result of this policy is Users can update all resources in the stack except for resources that have a logical ID that begins with "Production".

  • A company has deployed AWS Security Hub and AWS Config in a newly implemented organization in AWS Organizations. A SysOps admin must implement a solution to restrict all member accounts in the organization from deploying Amazon EC2 resources in the ap-southeast-2 Region. The solution must be implemented from a single point and must govern an current and future accounts. The use of root credentials also must be restricted in member accounts.
    To meet these requirements the SysOps admin should use AWS Organizations SCPs in efficient way.
    Also if wants to turn on AWS Service in all accounts and regions.

  • Can simply check the Amazon RDS console to view if RDS instance needs OS patching. Periodically, Amazon RDS performs maintenance on Amazon RDS resources. Maintenance most often involves updates to the DB instance's underlying OS or DB engine version. Updates to the OS most often occur for security issues and should be done as soon as possible.


  • A SysOps admin wants to manage a web server application with AWS Elastic Beanstalk. The Elastic Beanstalk service must maintain full capacity for new deployments at all times. The deployment policies satisfy this requirement are Immutable and Rolling with additional batch.

  • A company is planning to host its stateful web-based applications on AWS. A SysOps admin is using an Auto Scaling group of Amazon EC2 instances. The web applications will run 24 hours a day 7 days a week throughout the year. The company must be able to change the instance type within the same instance family later in the year based on the traffic and usage patterns. Convertible Reserved Instances EC2 purchasing option will meet these requirements MOST cost-effectively.

  • To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. Can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

  • An application team uses an Amazon Aurora MySQL DB cluster with one Aurora Replica. The application team notices that the application read performance degrades when user connections exceed 200. The number of user connections is typically consistent around 180 with occasional sudden increases above 200 connections. The application team wants the application to automatically scale as user demand increases or decreases.
    Solution will meet these requirements is Create an auto scaling policy with a target metric of 195 DatabaseConnections.

  • A company is migrating its production file server to AWS. All data that is stored on the file server must remain accessible if an AZ becomes unavailable or when system maintenance is performed. Users must be able to interact with the file server through the SMB protocol. Users also must have the ability to manage file permissions by using Windows ACLs.
    Solution will meet these requirements is Create an Amazon FSx for Windows File Server Multi-AZ file system.

  • AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between on-premises IT environment and the AWS storage infrastructure. It offers file-based, volume-based - provides block storage to on-premises apps with low-latency via the internet Small Computer System Interface (iSCSI), and tape-based storage solutions.


  • A SW Dev company has multiple dev who work on the same product. Each dev must have their own dev environment, and these dev environments must be identical. Each dev environment consists of Amazon EC2 instances and an Amazon RDS DB instance. The dev environments should be created only when necessary, and they must be terminated each night to minimize costs.
    The MOST operationally efficient solution that meets these requirements is Provide dev with access to the same AWS CloudFormation template so that they can provision their dev environment when necessary. Schedule a nightly Amazon EventBridge (CloudWatch Events) rule to invoke an AWS Lambda function to delete the AWS CloudFormation stacks.

  • A company requires that all IAM user accounts that have not been used for 90 days or more must have their access keys and passwords immediately disabled. A SysOps admin must automate the process of disabling unused keys using the MOST operationally efficient method.
    The SysOps admin should implement this solution by Set up an AWS Config managed rule to identify IAM users that have not been activate for 90 days. Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users.

  • To restrict access to the S3 bucket from Amazon EC2 instance in a single VPC to secure the infrastructure and all network traffic flows over the AWS private network only should Provision a VPC endpoint to allow them to communicate. Configure the S3 bucket's policy to conditionally limit all S3 actions on the bucket if the request is coming from the IP address of the VPC endpoint.

  • A SW company runs a workload on Amazon EC2 instances behind ALB. A SysOps admin needs to define a custom health check for the EC2 instances. The MOST operationally efficient solution is Configure the health check on the ALB and ensure that the HealthCheckPath setting is correct.

  • Amazon Inspector enables to analyse the behavior of AWS resources and helps to identify potential security issues. It also produce a report on multiple activities such as details of communication with other AWS services, use of secure channels, details of the running processes, network traffic among the running processes and many others.
Last edited:


  • A dev is building an application. The application's front end is developed in JavaScript, and the data is stored in an Amazon DynamoDB table. During testing, the application returns an HTTP 5xx error from the strongly consistent reads to the DynamoDB table; "Internal server error (Service: AmazonDynamoDBv2. Status Code: 500; Error Code; InternalServerError)." Actions the developer should take to mitigate this error are Avoid strongly consistent reads and Retry the failed read requests with exponential backoff.

  • A SysOps admin receives notification that an application that is running on Amazon EC2 instances has failed to authenticate to an Amazon RDS DB. To troubleshoot, the SysOps admin needs to investigate AWS Secrets Manager password rotation. Amazon CloudWatch EC2 instance application logs will provide insight into the password rotation.

  • When need to update CloudFormation stack's resources, can modify the stack's template. Don't need to create a new stack and delete the old one. To update a stack, can create a change set by submitting a modified version of the original stack template, different input parameter values, or both. Will be able to preview the proposed changes will be deploy.


  • A company updates its security policy to clarify cloud hosting arrangements for regulated workloads. Workloads that are identified as sensitive must run on hardware that is not shared with other customers or with other AWS accounts within the company. Solution will ensure compliance with this policy is Deploy workloads only to Dedicated Hosts.
    Dedicated Hosts are physical servers that are dedicated to a single customer, ensuring that the customer's workloads are not shared with others. This will ensure that the company's security policy is followed and that sensitive workloads are running on hardware that is not shared with other customers or with other AWS accounts within the company.

  • A SysOps admin has created an AWS Service Catalog portfolio and has shared the portfolio with a second AWS account in the company. The second account is controlled by a different admin.
    The admin of the second account should Add a product from the imported portfolio to a local portfolio.

  • To improve the Amazon EC2 network performance, have to upgrade to a larger instance type. EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give the flexibility to choose the appropriate mix of resources for applications.

  • A SysOps admin is designing a solution for an Amazon RDS for PostgreSQL DB instance. DB credentials must be stored and rotated monthly. The applications that connect to the DB instance send write-intensive traffic with variable client connections that sometimes increase significantly in a short period of time.
    To meet these requirements a SysOps admin should Configure AWS Key Management Service (KMS) to automatically rotate the keys for the DB instance. Use RDS Proxy to handle the increases in DB connections.

  • A SysOps admin has successfully deployed a VPC with an AWS CloudFormation template. The SysOps admin wants to deploy the same template across multiple accounts that are managed through AWS Organizations.
    Solution will meet this requirement with the LEAST operational overhead is Use AWS CloudFormation StackSets from the management account to deploy the template in each of the accounts.
    CloudFormation StackSets extends the capability of stacks by enabling to create, update, or delete stacks across multiple accounts and AWS Regions.

  • A company has a new requirement stating that all resources in AWS must be tagged according to a set policy. To enforce and continually Identify all resources that are not in compliance with the policy should be used AWS Config.

  • AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. It offloads tasks, such as handling operations, backups, restorations, and software upgrades of Puppet Enterprise.


  • A company recently migrated its application to a VPC on AWS. An AWS Site-to-Site VPN connection connects the company's on-premises network to the VPC. The application retrieves customer data from another system that resides on premises. The application uses an on-premises DNS server to resolve domain records. After the migration, the application is not able to connect to the customer data because of name resolution errors.
    Solution will give the application the ability to resolve the internal domain names is Create Amazon Route 53 Resolver outbound endpoint. Configure the outbound endpoint to forward DNS queries against the on-premises domain to the on-premises DNS server.

  • A company runs an application on Amazon EC2 instances. The EC2 instances are in an Auto Scaling group and run behind ALB. The application experiences errors when total requests exceed 100 requests per second. A SysOps admin must collect information about total requests for a 2-week period to determine when requests exceeded this threshold.
    To collect this data the SysOps admin should Use the ALB's RequestCount metric. Configure a time range of 2 weeks and a period of 1 min will ensure that the data can be accurately Examined the chart to determine peak traffic times and volumes.

  • To decrease the time required for EC2 new instances to become available, the SysOps admin should modify the launch configuration to remove the long-running user data script that installs software. Instead, the software should be pre-installed on the AMI used by the Auto Scaling group. This will allow new instances to become available more quickly when website traffic increases.

  • The most operationally efficient approach to automate the renewal of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate is to use AWS Certificate Manager (ACM). ACM is a managed service that makes it easy to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and internal resources. ACM can automatically renew the TLS certificate before its expiry date, limiting the chances of outages due to expired certificates.
    No need Lambda function.


  • An organization created an Amazon EFS volume with a file system ID of fs-85ba4Kc and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted. This be resolved by Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
    Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and at rest. Can enable encryption of data at rest when creating an Amazon EFS file system. Can enable encryption of data in transit when mount the file system.

  • The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps admin to report on the current number of IAM policies in use and the total available IAM policies.
    To check how current IAM policy usage compares to current service limits the admin should use AWS Trusted Advisor service.
Last edited:


  • Burstable EC2 performance instances, which include T3 and T2 instances, are designed to provide a baseline level of CPU performance with the ability to burst to a higher level when required by workload.
    EC2 T2/T3 Unlimited mode allows users to burst beyond the baseline performance of the instances for as long as workload requires.
    And the benefit of ALB is Support for path-based routing. Can configure rules for listener that forward requests based on the URL in the request.

  • A company has a policy that requires all Amazon EC2 instances to have a specific set of tags. If an EC2 instance does not have the required tags, the noncompliant instance should be terminated.
    The MOST operationally efficient solution that meets these requirements is Create an AWS Config rule to check if the required tags are present. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.

  • A company has a mobile app that uses Amazon S3 to store images. The images are popular for a week, and then the number of access requests decreases over time. The images must be Highly Available (HA) and must be immediately accessible upon request. A SysOps admin must reduce S3 storage costs for the company. Solution will meet these requirements MOST cost-effectively is Create an S3 Lifecycle policy to transition the images to S3 Standard-Infrequent Access (S3 Standard-IA) after 7 days.

  • Amazon CloudWatch now includes cross-account cross-region dashboards, which enable to create high-level operational dashboards, and with one click, drill down into more specific dashboards in different AWS accounts without having to log in and out of different accounts or switch AWS Regions.

  • A company's backend infrastructure contains an Amazon EC2 instance in a private subnet. The private subnet has a route to the internet through a NAT gateway in a public subnet. The instance must allow connectivity to a secure web server on the internet to retrieve data at regular intervals.
    The client software times out with an error message that indicates that the client software could not establish the TCP connection. To resolve this error a SysOps admin should Add an outbound rule to the security group for the EC2 instance with the following parameters: Type - HTTPS. Destination -

  • If EC2 instance goes from the pending state to the terminated state immediately after restarting then it could be caused by one of the following reasons:
    • Reached EBS volume limit.
    • An EBS snapshot is corrupt.
    • The root EBS volume is encrypted and do not have permissions to access the KMS key for decryption.
    • The instance store-backed AMI that used to launch the instance is missing a required part (an image.part.xx file).
  • A company stores critical data in Amazon S3 buckets. A SysOps admin must build a solution to record all S3 API activity. Should Create an AWS CloudTrail to log data events for all S3 objects.

  • A company is expanding its fleet of Amazon EC2 instances before an expected increase of traffic. When a SysOps admin attempts to add more instances, an InstanceLimitExceeded error is returned.
    To resolve this error the SysOps admin should Use Service Quotas to request an EC2 quota increase.

  • A SysOps admin has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow all outbound traffic.
    Solution will provide the EC2 instances in the private subnet with access to the internet is Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT gateway.


  • To fix performance issue of an S3 static website about the site loading very slowly in some countries, the SysOps Admin should Create a CloudFront web distribution and set the S3 bucket as the source.

    ElastiCache can indeed be used as an application cache, but this is not enough to satisfy the users.

  • To protect CloudFormation stack resources from update actions, define a stack policy and then set it on stack. It defines the update actions that users can perform and the resources that the actions apply to.


    The IAM policy can only prevent users from updating the resources, but it will still allow users with a higher level of permission to update the resources, not any account.

  • To increase disks' performance of iSCSI devices or the gateway's upload buffer or cache storage capacity, must create a new disk in host and use the AWS Management Console to edit the local disk, and select the new disk as the cached volume. Using a Volume Gateway since the iSCSI protocol is used.


  • A SysOps admin is provisioning an Amazon EFS file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple AZs. There are two instances in each AZ. The SysOps admin must make the file system accessible to each instance with the lowest possible latency.
    Solution will meet these requirements is Create a mount target in each AZ of the VPC. Use the mount target to mount the EFS file system on the Instances in the respective AZ.

  • A SysOps admin uses AWS Systems Manager Session Manager to connect instances. After the SysOps admin launches a new Amazon EC2 instance the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps admin verified that System Manager Agent is installed updated and running on the EC2 instance. The reason for this issue is The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.

  • A company plans to deploy a DB on an Amazon Aurora MySQL DB cluster. The DB will store data for a demonstration environment. The data must be reset on a daily basis.
    The MOST operationally efficient solution that meets these requirements is Set the DB cluster backup retention period to 2 days. Create an Amazon EventBridge (CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the DB cluster to a point in time and then delete the previous DB cluster. As it will does without having to manually.

  • AWS Cloud Trail provide all the activities recorded for each AWS resource. It enables governance, compliance, operational auditing, and risk auditing of AWS account. Can log, continuously monitor, and retain account activitiy related to actions across AWS infrastructure.


  • A SysOps admin is creating two AWS CloudFormation templates. The first template will create a VPC with associated resources, such as subnets, route tables, and an internet gateway. The second template will deploy application resources within the VPC that was created by the first template. The second template should refer to the resources created by the first template.
    This can be accomplished with the LEAST amount of admin effort by Add an export field to the outputs of the first template and import the values in the second template.
Last edited:


  • An application that runs on an Amazon EC2 instance needs to access and make API calls to multiple AWS services. The MOST secure way to provide access to the AWS services with MINIMAL management overhead is Use EC2 instance profiles.

  • A company is storing media content in an Amazon S3 bucket and uses Amazon CloudFront to distribute the content to its users. Due to licensing terms, the company is not authorized to distribute the content in some countries. A SysOps admin must restrict access to certain countries.
    The MOST operationally efficient solution that meets these requirements is Enable the geo restriction feature in the CloudFront distribution to prevent access from unauthorized countries.

  • To set up a unified dashboard monitoring system for hybrid cloud architecture the SysOps Admin should:
    • Set up the metrics dashboard in CloudWatch.
    • Install the CloudWatch Agent to both Amazon EC2 instances and On-Premises servers.
  • A SysOps admin is unable to launch Amazon EC2 instances into a VPC because there are no available private IPv4 addresses in the VPC. To launch the instances the SysOps admin must Create a new subnet for the VPC and Associate a secondary IPv4 CIDR block with the VPC.
    Cannot modify the CIDR of a VPC or subnet.

  • A SysOps admin needs to create alerts that are based on the read and write metrics of Amazon EBS volumes that are attached to an Amazon EC2 instance. The SysOps admin creates and enables Amazon CloudWatch alarms for the DiskReadBytes metric and the DiskWriteBytes metric.
    A custom monitoring tool that is installed on the EC2 instance with the same alarm configuration indicates that the volume metrics have exceeded the threshold. However, the CloudWatch alarms were not in ALARM state.
    To ensure that the CloudWatch alarms function correctly by Install and configure the CloudWatch agent on the EC2 instance to capture the desired metrics.

  • A company uses Amazon Elasticsearch Service (ES) to analyze sales and customer usage data. Members of the company's geographically dispersed sales team are traveling. They need to log in to Kibana by using their existing corporate credentials that are stored in Active Directory (AD). The company has deployed AD Federation Services (FS) to enable authentication to cloud services.
    Solution will meet these requirements is Deploy Amazon Cognito user pool. Configure AD as an external identity provider for the user pool. Enable Amazon Cognito authentication for Kibana on Amazon ES.


  • If EC2 could not establish communication with the RDS instance, Check that the security group for the DB server is allowing the required inbound communication from the EC2 instance.

  • A company has an application that runs only on Amazon EC2 Spot Instances. The instances run in an Amazon EC2 Auto Scaling group with scheduled scaling actions. However, the capacity does not always increase at the scheduled times, and instances terminate many times a day. A SysOps admin must ensure that the instances launch on time and have fewer interruptions.
    Action will meet these requirements is Specify the capacity-optimized allocation strategy for Spot Instances. Add more instance types to the Auto Scaling group.
    Increasing the size of the instances in the Auto Scaling group will not necessarily help with the launch time or reduce interruptions, as the Spot Instances could still be interrupted even with larger instance sizes.

  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
    AWS WAF can help block common attack petterns to VPC, such as SQL injection, this is still not enough to withstand DDoS attacks.


  • A company is running a website on Amazon EC2 instances behind an ALB. The company configured an Amazon CloudFront distribution and set the ALB as the origin. The company created an Amazon Route 53 CNAME record to send all traffic through the CloudFront distribution. As an unintended side effect, mobile users are now being served the desktop version of the website.
    To resolve this issue a SysOps admin should Configure the CloudFront distribution behavior to forward the User-Agent header.

  • A company hosts a web application on an Amazon EC2 instance. The web server logs are published to Amazon CloudWatch Logs. The log events have the same structure and include the HTTP response codes that are associated with the user requests. The company needs to monitor the number of times that the web server returns an HTTP 404 response.
    The MOST operationally efficient solution that meet these requirements is Create a CloudWatch Logs metric filter that counts the number of times that the web server returns an HTTP 404 response in real-time.
    A metric filter allows to search for specific terms, phrases, or values in log events, and then to create a metric based on the number of occurrences of those search terms. This allows to create a CloudWatch Metric that can be used to create alarms and dashboards, which can be used to monitor the number of HTTP 404 responses returned by the web server.

  • A company is using Amazon Elastic Container Service (ECS) to run a containerized application on Amazon EC2 instances. A SysOps admin needs to monitor only traffic flows between the ECS tasks.
    To meet this requirement the SysOps admin should Configure Amazon CloudWatch Logs on the elastic network interface of each task and Specify the host network mode in the task definition.

  • Apply least-privilege permissions is one of the AWS Security best practices in IAM. When set permissions with IAM policies, grant only the permissions required to perform a task by defining the actions that can be taken on specific resources under specific conditions.

  • A company's SysOps admin attempts to restore an Amazon EBS snapshot. However, the snapshot is missing because another system admin accidentally deleted the snapshot. The company needs the ability to recover snapshots for a specified period of time after snapshots are deleted.
    Solution will provide this functionality is Create an IAM policy that denies the deletion of EBS snapshots by using a condition statement for the snapshot age. Apply the policy to all users.

  • A company uses AWS Organizations to manage multiple AWS accounts with consolidated billing enabled. Organization member account owners want the benefits of Reserved Instances (RIs) but do not want to share RIs with other accounts.
    Solution will meet these requirements is Purchase RIs in individual member accounts. Disable RI discount sharing in the management account.

  • AWS Cost and Usage report provides / tracks cost reports, usage information, estimated charges associated with AWS account, and utilization for VPC.

  • A company has a public website that recently experienced problems. Some links led to missing webpages, and other links rendered incorrect webpages. The application infrastructure was running properly, and all the provisioned resources were healthy. Application logs and dashboards did not show any errors, and no monitoring alarms were raised. Systems admin were not aware of any problems until end users reported the issues.
    The company needs to proactively monitor the website for such issues in the future and must implement a solution ASAP. Solution will meet these requirements with the LEAST operational overhead is Rewrite the application to surface a custom error to the application log when issues occur. Automatically parse logs for errors. Create an Amazon CloudWatch alarm to provide alerts when issues are detected.
Last edited:


  • Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables to decouple and scale microservices, distributed systems, and serverless applications. FIFO queue preserve the order of messages.

  • A SysOps admin needs to configure automatic rotation for Amazon RDS DB credentials. The credentials must rotate every 30 days. The solution must integrate with Amazon RDS.
    Solution will meet these requirements with the LEAST operational overhead is Store the credentials in AWS Secrets Manager. Configure automatic rotation with a rotation interval of 30 days. No need for an additional AWS Lambda function or manual rotation.

  • If some people cannot connect to the game on AWS while others are having no problem connecting at all. Can use VPC Flow Logs to capture information about the IP traffic going to an from network interfaces in VPC.


  • A company is deploying a third-party unit testing solution that is delivered as an Amazon EC2 AMI. All system configuration data is stored in Amazon DynamoDB. The testing results are stored in Amazon S3.
    A minimum of three EC2 instances are required to operate the product. The company's testing team wants to use an additional three EC2 Instances when the Spot Instance prices are at a certain threshold. A SysOps admin must Implement a HA solution that provides this functionality.
    Solution will meet these requirements with the LEAST operational overhead is Define an Amazon EC2 Auto Scaling group by using a launch template. Use the provided AMI In the launch template. Configure three On-Demand Instances and three Spot Instances. Configure a maximum Spot Instance price In the launch template.
    Launch Templates enable a new way of templating launch requests. They reduce the number of steps required to create an instance by capturing all launch parameters within one resource. This make the process easy to reproduce.

  • AWS Organizations offers policy-based management for multiple AWS accounts. Can create groups of accounts, automate account creation, apply and manage policies for those groups. They enable to centrally manage policies across multiple accounts without requiring custom scripts and manual processes. It allows to create SCPs that centrally control AWS service use across multiple AWS accounts.


  • A company needs to automatically monitor an AWS account for potential unauthorized AWS Management Console logins from multiple geographic locations.
    Solution will meet this requirement is Configure Amazon GuardDuty to monitor the UnauthorizedAccess:IAMUser/ConsoleLoginSuccess finding. It is a threat detection system. Can also monitor malicious activity and anomalous behavior. Multiple AWS accounts and application workloads must be secured, including the data stored in Amazon S3.


  • A company has an Auto Scaling group of Amazon EC2 instances that scale based on average CPU utilization. The Auto Scaling group events log indicates an InsufficientInstanceCapacity error.
    To remediate this issue a SysOps admin should Change the instance type that the company is using and Configure the Auto Scaling group in different AZs.

  • AWS Config can view the configuration of EC2 security groups, including the port rules that were open at a specific time. This information can help determine whether a security group blocked incoming TCP traffic to a specific port.
    Can use to view the IAM policy that was assigned to an IAM user, group, or role at any time in which AWS Config was recording. This information can help determine the permissions that belonged to a user at a specific time: for example, can view whether the user John Doe had permission to modify Amazon VPC settings on Feb 2, 2016.


  • A company is undergoing an external audit of its systems, which run wholly on AWS. A SysOps admin must supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS.
    To meet this requirement the SysOps admin should Download the applicable reports from the AWS Artifact portal and supply these to the auditors.

  • AWS IAM enables to manage access to AWS services and resources securely. Can generate and download a credential report that lists all users in account and the status of their various credentials, including passwords, access keys, and MFA devices. Can get this credential report from the AWS Management Console, the AWS SDKs and Command Line Tools, or the IAM API.


  • A SysOps admin must create an IAM policy for a developer who needs access to specific AWS services. Based on the requirements, the SysOps admin creates the following policy:
      "Version": "2013-11-18",
      "Statement": [
          "Effect": "Allow",
          "Resource": "*"
    This policy allow Describe AWS load balancers and Invoke AWS Lambda function.

  • Amazon CloudFront is a fast Content Delivery Network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. It is a scalable solution to provide faster response time for clients around the globe. Increase the speed of user traffic coming from/into the AWS Cloud.

    It is a web service that speeds up distribution of static and dynamic web content, such as .html, .css, .js, and image files, to users.

  • A company manages an application that uses Amazon ElastiCache for Redis with two extra-large nodes spread across two different AZs. The company's IT team discovers that the ElastiCache for Redis cluster has 75% freeable memory. The application must maintain HA.
    The MOST cost-effective way to resize the cluster is Perform an online resizing for the ElastiCache for Redis cluster. Change the node types from extra-large nodes to large nodes.
    As demand on clusters changes, might decide to improve performance or reduce costs by changing the number of shards in Redis (cluster mode enabled) cluster. Recommend using online horizontal scaling to do so, because it allows cluster to continue serving requests during the scaling process.

  • A company plans to migrate several of its High Performance Computing (HPC) Virtual Machines (VMs) to Amazon EC2 instances on AWS. A SysOps admin must identify a placement group for this deployment. The strategy must minimize network latency and must maximize network throughput between the HPC VMs.
    To meet these requirements the SysOps admin should Deploy the instances in a cluster placement group in one AZ.

  • Amazon CloudWatch now includes cross-account cross-region dashboards, which enable to create high-level operational dashboards, and with one click, drill down into more specific dashboards in different AWS accounts without having to log in and out of different accounts or switch AWS Regions. It has ability to visualize, aggregate, and summarize performance and operational data across accounts and Regions help reduce mean time to resolution by Metric Math to query metrics and apply mathematical operations on these metrics.
    CloudWatch can do this without using Lambda.

Last edited:


Why shouldn't really run DBs on EC2/IaaS:
  • Admin overhead - managing EC2 and DBHost
  • Backup/DR Management
  • EC2 is single AZ
  • Features - some of AWS DB products are amazing
  • EC2 is ON or OFF - no serverless, no easy scaling
  • Replication - skills, setup time, monitoring & effectiveness
  • Performance...AWS invest time into optimisation & features

  • A company maintains a large set of sensitive data in an Amazon S3 bucket. The company's security team asks a SysOps admin to help verify that all current objects in the S3 bucket are encrypted.
    The MOST operationally efficient solution that meets these requirements is Use the AWS CLI to output a list of all objects in the S3 bucket.

  • RDS Proxy makes applications more resilient to DB failures by automatically connecting to a standby DB instance while preserving application connections.
    Solved the 'too many connections' errors.
    With RDS Proxy, failover times for Aurora and RDS DBs are reduced by up to 66%.


    Amazon Cognito identity pools assign authenticated users a set of temporary, limited privilege credentials to access AWS resources. It provides the needed authentication option of utilizing the user's social media accounts.


  • A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company's security admin has their own AWS account and wants to review the VPC configuration of developer AWS accounts.
    Solution will meet these requirements in the MOST secure manner is Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security admin to assume the role from their account.

  • A compliance team requires all admin passwords for Amazon RDS DB instances to be changed at least annually.
    Solution meets this requirement in the MOST operationally efficient manner is Store the DB credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days.

  • A company stores its data in an Amazon S3 bucket. The company is required to classify the data and find any sensitive personal information in its S3 files
    Solution will meet these requirements is Enable Amazon Macie. Create a discovery job that uses the managed data identifier.
    A sensitive data discovery job analyzes objects in Amazon S3 buckets to determine whether the objects contain sensitive data, and it provides detailed reports of the sensitive data that it finds and the analysis that it performs. By creating and running jobs, can automate discovery, logging, and reporting of sensitive data in S3 buckets.

  • To optimize the cost Purchase EC2 Instance Savings Plans for the nodes be available 24 hours a day, 7 days a week. It is better cost effective solution than reserved instance.
    Use Spot Instances for the nodes run for 4 hours each day. Use On-Demand Instances if there is no Spot availability.

  • To copy all the objects from an existing S3 bucket to a new S3 bucket created by the CloudFormation template, need to create a custom Lambda function that can copy the objects from the source bucket to the new S3 bucket. Can also define the options want Amazon S3 to apply during replication, such as server-side encryption, replica ownership, and transitioning replicas to another storage class.


  • A company uses Amazon S3 to aggregate raw video footage from various media teams across the US. The company recently expanded into new geographies in Europe and Australia. The technical teams located in Europe and Australia reported delays when uploading large video files into the destination S3 bucket in the US.
    The MOST cost effective ways to increase upload speeds into the S3 bucket are:
    • Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket. It will only charge if the upload is indeed accelerated.
    • Use multipart uploads for file uploads into the destination S3 bucket from the branch offices in Europe and Australia. It is recommended by AWS when object's size exceeds 100MB. Also, it's recommended to maximise the use of available bandwidth.
  • A company runs an application on an Amazon EC2 instance. A SysOps admin creates an Auto Scaling group and an ALB to handle an increase in demand. However, the EC2 instances are failing tie health check.
    To troubleshoot this issue the SysOps admin should Verify that the application is running on the protocol and the port that the listens is expecting.
    Verify that the target is listening for traffic on the health check port. Can use the ss command on Linux targets to verify which ports server is listening on. For Windows targets, can use the netstat command.

  • A company is using an AWS KMS Customer Master Key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months.
    To rotate the key the process is Create a new CMK with new imported material, and update the key alias to point to the new CMK.
    If choose to import keys to AWS KMS or asymmetric keys or use a custom key store, can manually rotate them by creating a new KMS key and mapping an existing key alias from the old KMS key to the new KMS key.

  • A company uses an Amazon EFS file system to share files across many Linux Amazon EC2 instances. A SysOps admin notices that the file system's PercentIOLimit metric is consistently at 100% for 15 mins or longer.
    The SysOps admin also notices that the application that reads and writes to that file system is performing poorly. The application requires high throughput and IOPS while accessing the file system.
    To remediate the consistently high PercentIOLimit metric the SysOps admin should Create a new EFS file system that uses Max I/O performance mode. Use AWS DataSync to migrate data to the new EFS file system.

  • Only S3 can be encrypted on the fly, for EBS, EFS, and RDS, have to take a snapshot, copy, encrypted it and create new resources.

  • Amazon EC2 Auto Scaling helps ensure that there is the correct number of Amazon EC2 instances available to handle the load for application.
    Amazon RDS Multi-AZ deployments provide enhanced availability and durability for DB Instances, making them a natural fit for production DB workloads.


    A NAT gateway is actually much better than a NAT instance in terms of scalability and availability.
    ALB provides better performance, compared to Route53, in evenly distributing the incoming traffic to the EC2 instances.

  • A company has multiple Amazon EC2 instances that run a resource-intensive application in a development environment. A SysOps admin is implementing a solution to stop these EC2 instances when they are not in use.
    Solution will meet this requirement is Create an Amazon CloudWatch alarm to stop the EC2 instances when the average CPU utilization is lower than 5% for a 30-minute period.
    Can create an alarm that stops an Amazon EC2 instance when a certain threshold has been met.
    Can create an alarm that is triggered when the average CPU utilization percentage has been lower than 10% for 24 hours, signaling that it is idle and no longer in use.
Last edited:










  • A company is using an Amazon Aurora MySQL DB cluster that has point-in-time recovery, backtracking, and automatic backup enabled. A SysOps admin needs to be able to roll back the DB cluster to a specific recovery point within the previous 72 hours. Restore must be completed in the same production DB cluster.
    Solution will meet these requirements is Use backtracking to rewind the existing DB cluster to the desired recovery point.

  • AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow to use code to automate the configurations of servers.


  • A company use AWS Organizations to manage its AWS accounts. A SysOps admin must create a backup strategy for all Amazon EC2 instances across all the company's AWS accounts.
    Solution will meet these requirements in the MOST operationally efficient way is Use AWS Backup in the management account to deploy policies for all accounts and resources.
    Can delegate backup policy management in AWS Organizations and cross account monitoring in AWS Backup. This enables delegating backup management to a dedicated backup admin account, removing the need for member accounts to access management accounts for backup admin. Delegated backup admin can create and manage backup policies and monitor backup activity across accounts. Organization-wide backup admin delegation through AWS Organizations enables securely centralized backup management at scale.

  • A SysOps admin has been able to consolidate multiple, secure websites onto a single server, and each site is running on a different port. The admin now wants to start a duplicate server in a second AZ and put both behind a load balancer for HA.
    To deploy one of the sites' certificates to the load balancer the command line necessary would be aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer ? load-balancer-port 443 ?ssl-certificate-id arn:aws:iam::123456789012:server-certificate/new-server-cert.

  • An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL DB, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket.
    The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime.
    To satisfy the requirements, S3 objects within a bucket service can the SysOps Admin enable at-rest encryption on.

  • A SysOps admin noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%.
    To increase the cache hit ratio for the distribution should Increase the CloudFront Time To Live (TTL) settings in the Cache Behavior Settings. Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings. By default, each file automatically expires after 24 hours.

  • The problem of a high volume of transactions exceeding EBS bandwidth capacity can solve by optimizing EBS performance:
    1. Run an instance that supports EBS optimization first to verify if EBS optimization can solve performance requirements.


    2. Increase the number of EBS volumes.
  • A company hosts a web application on Amazon EC2 instances behind an ALB. The company uses Amazon Route 53 to route traffic. The company also has a static website that is configured in an Amazon S3 bucket.
    A SysOps admin must use the static website as a backup to the web application. The failover to the static website must be fully automated. Actions will meet these requirements are:
    • Create a primary failover routing policy record. Configure the value to be the ALB. Associate the record with a Route53 health check.
    • Create a secondary failover routing policy record. Configure the value to be the static website.
  • A company is managing a website with a global user base hosted on Amazon EC2 with an ALB. To reduce the load on the web servers, a SysOps admin configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the admin notices that requests are still being served by the ALB and there is no change in the web server load.
    Possible causes for this problem are:
    • The DNS is still pointing to the ALB instead of the CloudFront distribution.
    • The default, mininum, and maximum TTL are set to 0 seconds on the CloudFront distribution.
  • A SysOps admin is using Amazon EC2 instances to host an application. The SysOps admin needs to grant permissions for the application to access an Amazon DynamoDB table.
    Solution will meet this requirement is Create an IAM role to access the DynamoDB table. Assign the IAM role to the EC2 instance profile.
    Access to Amazon DynamoDB requires credentials. Those credentials must have permissions to access AWS resources, such as an Amazon DynamoDB table or an Amazon EC2 instance.

  • To protect the data at rest and in-transit in S3 and CloudFront environments should:
    • Enable HTTPS in CloudFront distribution by using an SSL/TLS certificate provided by AWS ACM and
    • Encrypt data in S3 and Glacier using AWS provided encryption services, and store the encryption keys in KMS. Amazon KMS is a service that can manage keys more reliably.
    • Should not store encryption keys together with the data. If one is compromised, then the other is also affected.
    • Storing the encryption keys in an external hardware device might get corrupted or lost, which is problematic.
  • To establish a hybrid cloud architecture that connects on-premises corporate Data Centre (DC) to VPC hosted in AWS:
    • A general term uses AWS Managed VPN connection. It is cheaper than a Direct Connect connection.
    • AWS Direct Connect should only be considered for low latency connections and when willing to bear the high cost.
    • AWS Direct Connect Gateway is best suitable for connecting on-premises DC to multiple Amazon VPCs across different regions or AWS accounts.
    • Code:
Last edited:






  • A company's AWS Lambda function is experiencing performance issues. The Lambda function performs many CPU-intensive operations. The Lambda function is not running fast enough and is creating bottlenecks in the system.
    To resolve this issue a SysOps admin should Increase the amount of memory for the Lambda function.

  • A company's IT Security team is performing an audit of the AWS environment to determine which servers need to be patched and where additional security controls need to be added. The company is responsible for Patching the OS on Amazon EC2 instances and Enabling Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) on S3 objects.
    Amazon RDS manages the work involved in setting up a relational DB: from provisioning the infrastructure capacity request to installing the DB software. Once DB is up and running, Amazon RDS automates common admin tasks such as performing backups and patching the software that powers DB.

  • AWS Auto Scaling is primarily used to optimize the performance and lower the costs of the computing services.

    Services that can do the Auto Scaling: Amazon EC2, EC2 Spot Fleets, ECS, DynamoDB, and Aurora.

  • A company has a simple web application that runs on a set of Amazon EC2 instances behind an ELB in the eu-west-2 Region. Amazon Route 53 holds a DNS record for the application with a simple routing policy.
    Users from all over the world access the application through their web browsers. The company needs to create additional copies of the application in the us-east-1 Region and in the ap-south-1 Region. The company must direct users to the Region that provides the fastest response times when the users load the application.
    To meet these requirements a SysOps admin should Create a new ELB and a new set of EC2 instances in each new Region to run a copy of the application. Transition to a latency routing policy.

  • A company wants to create an automated solution for all accounts manged by AWS Organizations to detect any security groups that use as the source address for inbound traffic. The company also wants to automatically remediate any noncompliant security groups by restricting access to a specific CIDR block that corresponds with the company's intranet.
    To create a solution the SysOps admin should Create an AWS Config rule to detect noncompliant security groups. Set up automatic remediation to change the source address to the approved CIDR block.

  • The users of the S3 bucket should only be able to read and write objects but not delete any objects by Attach an S3 bucket policy.
      "Id": "Policy1685777397664",
      "Version": "2012-10-17",
      "Statement": [
          "Sid": "BucketPolicyDemo",
          "Action": [
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::thaicpe-bucket/*",
          "Principal": {
            "AWS": [
  • A SysOps admin needs to delete an AWS CloudFormation stack that is no longer in use.
    The CloudFormation stack is in the DELETE_FAILED state. The SysOps admin has validated the permissions that are required to delete the CloudFormation stack.
    The possible causes of the DELETE_FAILED state are There are:
    • additional resources associated with a security group in the stack
    • Amazon S3 buckets that still contain objects in the stack.
Some resources must be empty before they can be deleted. For example, must delete all objects in an Amazon S3 bucket or remove all instances in an Amazon EC2 security group before can delete the bucket or security group.​
  • A company has a workload that is sending log data to Amazon CloudWatch Logs. One of the fields includes a measure of application latency. A SysOps admin needs to monitor the p90 statistic of this field over time.
    To meet this requirement the SysOps admin should Create a metric filter on the log data.
    Percentile (p) indicates the relative standing of a value in a dataset. For example, p95 is the 95th percentile and means that 95 percent of the data within the period is lower than this value and 5 percent of the data is higher than this value. p helps to get a better understanding of the distribution of metric data.

  • Amazon Athena is the best tool for S3 log analysis by conducts SQL queries on the log files. It is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.
  • A company uses an Amazon S3 bucket to store data files. The S3 bucket contains hundreds of objects. The company needs to replace a tag on all the objects in the S3 bucket with another tag.
    To meet this requirement the MOST operationally efficient way is Use S3 Batch Operations. Specify the operation to replace all object tags.


  • A company's financial department needs to view the cost details of each project in an AWS account. A SysOps admin must perform the initial configuration that is required to view cost for each project in Cost Explorer.
    Solution will meet this requirement is Activate cost allocation tags. Add a project tag to the appropriate resources.

  • A SysOps admin is notified that an Amazon EC2 instance has stopped responding. The AWS Management Console indicates that the system checks are failing.
    To resolve this issue the admin should Stop and then start the EC2 instance so that it can be launched on a new host.
    instance status check -- reboot.

  • AWS Config enables continuous monitoring of AWS resources, making it simple to assess, audit, and record resource configurations and changes.

  • A company wants to use only IPv6 for all its Amazon EC2 instances. The EC2 instances must not be accessible from the internet, but the EC2 instances must be able to access the internet. The company creates a dual-stack VPC and IPv6-only subnets.
    To meet these requirements a SysOps admin should Create and attach an egress-only internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gateway. Attach the custom route table to the IPv6-only subnets.
    Only egress-only internet gateway can be used to let instance go to internet without being exposed.

  • A SysOps admin needs to develop a solution that provides email notification and inserts a record into a DB every time a file is put into an Amazon S3 bucket.
    The MOST operationally efficient solution that meets these requirements is Set up an S3 event notification that targets an Amazon SNS topic. Create two subscriptions for the SNS topic. Use one subscription to send the email notification. Use the other subscription to invoke an AWS Lambda function that inserts the record into the DB.
Last edited:


  • RDS is designed for Relational (SQL) model.

  • RDS RR allows the system to scale for READS.

  • RDS MultiAZ feature provides HA Functionality.

  • The standby node of an RDS MultiAZ only accessed after a failover when it becomes the primary instance.

  • AWS DMS can be used to help move data TO or FROM AWS in a controlled and configurable way.

  • If want RDS to be available for up to 1 year should backup by Manual Snapshot.

  • When restoring RDS from a snapshot or backup A different endpoint address is created ... authentication remains the same.

  • Aurora Managed SQL DB in AWS supports 3+ AZ Resilience.

  • Aurora Serverless Managed SQL DB horizontally scales and can reduce to 0 and pause when there is no load.


  • A SysOps admin needs to configure a solution that will deliver digital content to a set of authorized users through Amazon CloudFront. Unauthorized users must be restricted from access.
    Solution will meet these requirements is Store the digital content in an Amazon S3 bucket that has public access blocked. Use an OAI to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.

  • A web application runs on Amazon EC2 instances behind an ALB. The instances run in an Auto Scaling group across multiple AZs. A SysOps admin notices that some of these EC2 instances show up as healthy in the Auto Scaling group but show up as unhealthy in the ALB target group.
    A possible reason for this issue is The Auto Scaling group health check isn't configured for EC2 status checks.

  • To maximum security for the DB and its connections:
    • Take a snapshot of the created DB and encrypt a copy of the snapshot, cannot encrypt a DB after creation.
    • Create a security group for the servers and another security group for the DB. Configure to only allow inbound traffic from the security group of the server instances to the security group of the DB.

  • A company is using an Amazon DynamoDB table for data. A SysOps admin must configure replication of the table to another AWS Region for disaster recovery.
    To meet this requirement the SysOps admin should Enable Dynamo DB Streams, and add a global teble Region.

  • The InfoSec team has asked the SysOps Admin to perform some hardening on the company Amazon RDS DB instances.
    Based on this requirement, recommended actions for the start of the security review are Review the security group's inbound access rules for least privilege and Report on the Parameter Group settings and ensure that encrypted connections are enforced.

  • Amazon EFS provides file storage in the AWS Cloud. It is accessible to individuals across the organization, and establish permissions for each user and group at the file or directory level. It can share common data sets across multiple EC2 instances in different AZs.
    Amazon EBS can only be assigned to individual EC2 Instance at a time.

  • A company is running Amazon EC2 On-Demand Instances in an Auto Scaling group. The instances process messages from an Amazon SQS queue. The Auto Scaling group is set to scale based on the number of messages in the queue. Messages can take up to 12 hours to process completely. A SysOps admin must ensure that instances are not interrupted during message processing.
    To meet these requirements the SysOps admin should Enable instance scale-in protection for the specific instance in the Auto Scaling group at the start of message processing by calling the Amazon EC2 Auto Scaling API from the processing script.
    Disable instance scale-in protection after message processing is complete by calling the Amazon EC2 Auto Scaling API from the processing script.

  • A new application runs on Amazon EC2 instances and access data in an Amazon RDS DB instance. When fully deployed in production, the application fails. The DB can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times:
    ** Error Establishing a Database Connection
    The causes of the connectivity problems may be The security group for the DB does not have the appropriate ingress rule from the web server to the DB and/or The port used by the application dev does not match the port specified in the RDS configuration.
    Security groups are stateful, so don't have to bother with the egress rules in this situation, as long as have the proper ingress rule.

  • To be able to SSH into EC2 instances, must satisfy the following requirements:
    1. Should have a public IP address or attached an Elastic IP address to instance.
    2. Instances should have passed both system status and instance status checks to know they are working correctly.
    3. Should have an internet gateway attached to VPC to allow instances access to the internet by navigating to the Internet Gateways pane and viewing the VPC column.
    4. Should have a route table that has the appropriate routes entered for all destinations via Internet Gateway. Make sure that there is a default route or a route that specifies desktop's IP address to allow communication between instances in the VPC to the Internet or desktop.
  • A company wants to be alerted through email when IAM CreateUser API calls are made within its AWS account.
    To meet this requirement a SysOps admin should Create an Amazon EventBridge (Amazon CloudWatch Events) rule with AWS CloudTrail as the event source and IAM CreateUser as the specific API call for the event pattern and Use an Amazon SNS topic as an event target with an email subscription.

  • An organization has developed a new memory-intensive application that is deployed to a large Amazon EC2 Linux fleet. There is concern about potential memory exhaustion, so the Dev team wants to monitor memory usage by using Amazon CloudWatch.
    The MOST efficient way to accomplish this goal is Monitor memory by using a script within the instance, and send it to CloudWatch as a custom metric.

  • A SysOps admin is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:
    AMI [ami-12345678] does not exist
    To ensure that the AWS CloudFormation template is working in every region the Admin should Modify the AWS CloudFormation template by including the AMI IDs in the 'Mappings' section. Refer to the proper mapping within the template for the proper AMI ID.

  • To reduce costs on AWS usage Consider:
    • Purchasing Reserved EC2 instances for specific workloads which are expected to run continuously for more than a year.
    • Deleting idle EBS volumes which are not attached to any EC2 instances.

  • A company is implementing security and compliance by using AWS Trusted Advisor. The company's SysOps team is validating the list of Trusted Advisor checks that it can access.
    The quantity of available Trusted Advisor checks depend on The AWS Support plan.
Last edited:


  • EFS use NFS protocol.

  • EFS support Linux only.

  • EFS is a private AWS Service.

  • EFS is accessible from Inside a VPC or any on-premises locations connected to that VPC.

  • Shared storage across linux instances is use-case is EFS ideally suited for.







  • Users are periodically experiencing slow response times from a relational DB. The DB runs on a burstable Amazon EC2 instance with a 350 GB GP2 Amazon EBS volume. A SysOps admin monitors the EC2 instance in Amazon CloudWatch and observes that the VolumeReadOps metric drops to less than 10% of its peak value during the periods of slow response.
    To ensure consistently high performance the SysOps admin should Activate unlimited mode on the EC2 instance.
    A burstable performance instance configured as unlimited can sustain high CPU utilization for any period of time whenever required. The hourly instance price automatically covers all CPU usage spikes if the average CPU utilization of the instance is at or below the baseline over a rolling 24-hour period or the instance lifetime, whichever is shorter.

  • A data analytics application is running on an Amazon EC2 instance. A SysOps admin must add custom dimensions to the metrics collected by the Amazon CloudWatch agent.
    To meet this requirement the SysOps admin can Create an append_dimensions field in the Amazon CloudWatch agent configuration file to collect the metrics.
    In custom metrics, the --dimensions parameter is common. A dimension further clarifies what the metric is and what data it stores. Can have up to 30 dimensions assigned to one metric, and each dimension is defined by a name and value pair.

  • To achieve MySQL DB HA and scalability on AWS should Use Aurora Auto Scaling to automatically provision Aurora Read Replicas and Create AWS Aurora Clusters of MySQL DB.
    Aurora Auto Scaling dynamically adjusts the number of Aurora Replicas provisioned for an Aurora DB cluster. It enables Aurora DB cluster to handle sudden increases in connectivity or workload. Based on the policy, it adjusts the number of Aurora Replicas up or down in response to actual workloads, determined by using Amazon CloudWatch metrics and target values.


  • A recent organizational audit uncovered an existing Amazon RDS DB that is not currently configured for HA. Given the critical nature of the DB, it must be configured for HA ASAP.
    This requirement can be met by Modify the RDS instance using the console to include the Multi-AZ option.

  • A SysOps admin noticed that a large number of Elastic IP addresses are being created on the company's AWS account, but they are not being associated with Amazon EC2 instance and are incurring Elastic IP address charges in the monthly bill.
    To identify who is creating the Elastic IP addresses the admin should Attach a cost-allocation tag to each requested Elastic IP address with the IAM username of the dev who creates it.

  • AWS CloudTrail is capable of logging & tracking the API calls made to AWS resources. A trail enables CloudTrail to deliver log files of events to an Amazon S3 bucket.

  • A SysOps admin needs to delete an AWS CloudFormation stack that is no longer in use. The CloudFormation stack is in the DELETE_FAILED state. The SysOps admin has validated the permissions that are required to delete the CloudFormation stack.
    The possible causes should be There are:
    • additional resources associated with a security group in the stack.
    • Amazon S3 buckets that still contain objects in the stack.
Some resources must be empty before they can be deleted. For example, must delete all objects in an Amazon S3 bucket or remove all instances in an Amazon EC2 security group before can delete the bucket or security group.​
  • To enforce server-side encryption on all new objects uploaded to the thaicpe-encrypted bucket. There are two solutions:
    1. Enable default encryption on the bucket (not the objects).
    2. Add the following policy statement:
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::thaicpe-encrypted/*",
            "Condition": {
              "Null": {
                "s3:x-amz-server-side-encryption": "true"
  • An Amazon S3 Inventory report reveals that more than 1 million objects in an S3 bucket are not encrypted. These objects must be encrypted, and all future objects must be encrypted at the time they are written.
    To meet these requirements a SysOps admin should Edit the properties of the S3 bucket to enable default server-side encryption and Use S3 Event Notifications to invoke an AWS Lambda function on all new object-created events for the S3 bucket. Configure the Lambda function to check whether the object is encrypted and to run an AWS Systems Manager Automation document to encrypt the object in place when an unencrypted object is found.

  • The SysOps Admin must integreate an existing on-premises asymmetrical key management system into an AWS services platform.
    To meet this requirement the Admin should Implement AWS CloudHSM and integrate it with the existing key management infrastructure.
  • A company must ensure that any objects uploaded to an S3 bucket are encrypted.
    To meet this requirement should Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored and S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
    In order to enforce object encryption, create an S3 bucket policy that denies any S3. Put request that does not include the x-amz-server-side-encryption header. There are two possible values for the x-amz-server-side-encryption header: AES256, which tells S3 to use S3-managed keys, and aws:kms, which tells S3 to use AWS KMS-managed keys.

  • To improve performance and scalability is to cache the static content in Amazon CloudFront. This will improve response times for the static content, especially for global users who are farther from the Region where the data is hosted.

  • A gaming application is deployed on four Amazon EC2 instances in a default VPC. The SysOps admin has noticed consistently high latency in responses as data is transferred among the four instances. There is no way for the admin to alter the application code.
    The MOST effective way to reduce latency is to relaunch the EC2 instances in a placement group.

  • Can access Amazon S3 from VPC using gateway VPC endpoints. It is not requiring an internet gateway or NAT device, and with no additional cost.

Last edited:





Manual install Wordpress on single EC2:

Issue: take time & when rebooted, the EC2 public IP changed.
  • A company runs an application that hosts critical data for several clients. The company uses AWS CloudTrail to track user activities on various AWS resources. To meet new security requirements, the company needs to protect the CloudTrail log files from being modified, deleted, or forged.
    Solution will meet these requirement is Enable CloudTrail log file integrity validation.
    Validated log files are especially valuable in security and forensic investigations. For example, a validated log file enables to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets know if a log file has been deleted or changed, or assert positively that no log files were delivered to account during a given period of time. It uses industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally unfeasible to modify, delete or forge CloudTrail log files without detection.

  • A company is releasing a new static website hosted on Amazon S3. The static website hosting feature was enabled on the bucket and content was uploaded: however, upon navigating to the site, the following error message is received:
    403 Forbidden - Access Denied
    To fix this error should Add a bucket policy that grants everyone read access to the bucket objects.

  • To prevent an attack uses mulformed HTTP headers from reaching the EC2 instances, can use the ALB attribute 'Drop Invalid Header Fields' setting to control if invalid header fields are removed by the load balancer.


    AWS WAF cannot be used to protect EC2 instances directly. It can be used in front of CloudFront distributions, ALBs and API Gateways.

  • A SysOps admin needs to design a Disaster Recovery (DR) plan for an application on AWS. The application runs on Amazon EC2 instances behind an ALB. The instances are in an Auto Scaling Group (ASG). The application uses an Amazon Aurora PostgreSQL DB. The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are 15 mins each.
    To meet these requirements MOST cost-effectively the SysOps admin should Configure the Aurora cluster to replicate data to the DR Region by using the Aurora global DB option and DR Region with an ALB and an ASG. Use the same configuration as in the primary Region.

  • A SysOps admin must create a solution that immediately notifies software dev if an AWS Lambda function experiences an error.
    Solution will meet this requirement is Create an Amazon SNS topic with an email subscription for each dev. Create an Amazon CloudWatch alarm by using the Errors metric and the Lambda function name as a dimension. Configure the alarm to send a notification to the SNS topic when the alarm state reaches ALARM.


  • By default, can only have up to five nondefault VPCs per AWS account per AWS Region. If want more, complete a form to request a limit increase.

  • A SysOps admin is deploying an application on 10 Amazon EC2 instances. The application must be HA. The instances must be placed on distinct underlying hardware.
    To meet these requirements the SysOps admin should Launch the instances into a spread placement group in a single AWS Region.

  • A company runs its entire suite of applications on Amazon EC2 instances. The company plans to move the applications to containers and AWS Fargate. Within 6 months, the company plans to retire its EC2 instances and use only Fargate. The company has been able to estimate its future Fargate costs. A SysOps admin needs to choose a purchasing option to help the company minimize costs. The SysOps admin must maximize any discounts that are available and must ensure that there are no unused reservations.
    To meet these requirements should use EC2 Instance Savings Plans for 1 year with the All Upfront payment option.

  • A company is running an application on premises and wants to use AWS for data backup. All of the data must be available locally. The backup application can write only to block-based storage that is compatible with the Portable Operating System interface (POSIX).
    To meet these requirements should Use AWS Storage Gateway, and configure it to use gateway-stored volumes.
    Stored volumes make entire data available locally on the gateway, while maintaining an asynchronous copy in the S3 bucket. Cached volumes store the full volume in the S3 bucket, while only keeping the recently used data in local cache.

  • A company uses AWS Organizations to manage multiple AWS accounts. The company's SysOps team has been using a manual process to create and manage IAM roles. The team requires an automated solution to create and manage the necessary IAM roles for multiple AWS accounts.
    The MOST operationally efficient solution that meets these requirements is Use AWS CloudFormation StackSets with AWS Organizations to deploy and manage IAM roles for the AWS accounts.

  • Amazon EventBridge can be used to schedule automated actions that trigger at certain times using cron or rate expressions. To scheduling the Lambda function to run at the end of each day, should create rule that uses a scheduled pattern, setting the Lambda function as a target.

  • A company is storing backups in an Amazon S3 bucket. The backups must not be deleted for at least 3 months after the backups are created.
    To meet this requirement a SysOps admin should Enable S3 Object Lock on a new S3 bucket in compliance mode. Place all backups in the new S3 bucket with a retention period of 3 months.
    In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. Protect objects against being deleted by most users but can still grant some users permission to alter the retention settings or delete the object if necessary. Can also use to test retention-period settings before creating a compliance-mode retention period. A protected object version can't be overwritten or deleted by any user, including the root user in AWS account. When an object is locked, its retention mode can't be changed, and its retention period can't be shortened. It helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.

  • A SysOps Admin is responsible for the admin of a web application that is hosted on Amazon EC2 instances and is protected by an ALB. The instances are managed as part of an EC2 Auto Scaling group. The admin wishes to establish a notification system for when all target instances linked with the ALB become unhealthy.
    AWS/ApplicationELB HealthyHostCount <=0 condition should be utilized in conjunction with the alarm.
Last edited:


ด้วย AWS เราสามารถที่จะสร้าง Launch Template ขึ้นมาได้ ไม่ต้องคอย Manual ใส่เองทีละ Command ให้เสียเวลา มีระบบ Version ให้อีกด้วย เวลามีแก้ไข:

แล้วถ้าเราใช้ DB ที่ AWS เป็นคนจัดการเองล่ะ จะเร็วกว่ามั้ย เราไม่ต้องติดตั้งเอง ก็สามารถใช้ได้เลย Migrate from VM DB to RDS กันไปเลย:

ถัดมาเรามาแยก Storage ออกมาเพิ่มจาก EC2 ด้วย EFS กัน และทำ HA ให้ด้วย:

แล้วเราก็มาทำ HA ให้ Website / Frontend ของเรากัน โดยใช้ ALB สำหรับ Load balance และ Health Check:

  • A company has a stateful, long-running workload on a single xlarge general purpose Amazon EC2 On-Demand Instance Metrics show that the service is always using 80% of its available memory and 40% of its available CPU. A SysOps admin must reduce the cost of the service without negatively affecting performance.
    To meet these requirements should Change to one large memory optimized On-Demand Instance.

  • A SysOps admin needs to automate the invocation of an AWS Lambda function. The Lambda function must run at the end of each day to generate a report on data that is stored in an Amazon S3 bucket.
    The MOST operationally efficient solution that meets these requirements is Create an Amazon EventBridge (Amazon CloudWatch Events) rule that has a schedule and the Lambda function as a target.
    S3 Event notification has nothing to do here since the Lambda will be triggered based on a daily schedule not every time an object is uploaded.

  • A web application will be deployed that uses separate microservices running on different Amazon EC2 instances. A SysOps admin has been tasked with configuring the infrastructure to route connection requests to the appropriate EC2 endpoints.
    Can configure rules for ALB listener that forward requests based on the URL in the request / path-based routing. This enables to structure application as smaller services, and route requests to the correct service based on the content of the URL.
    Cannot do path-based routing with an NLB.

  • To install an up to date version of the application on new EC2 instances. A simple solution for this is to run a script that downloads the latest binaries for the application and installs it through EC2 user data. This will ensure that all new instances have the latest software installed.
    Cannot use CloudFormation change sets to deploy applications to newly created instances.

  • A company has a hybrid environment. The company has set up an AWS Direct Connect connection between the company's on-premises data center and a workload that runs in a VPC. The company uses Amazon Route 53 for DNS on AWS. The company uses a private hosted zone to manage DNS names for a set of services that are hosted on AWS. The company wants the on-premises servers to use Route 53 for DNS resolution of the private hosted zone.
    Solution will meet these requirements is Create a Route 53 inbound endpoint. Ensure that security groups and routing allow the traffic from the on-premises data center. Configure the DNS server on the on-premises network to conditionally forward DNS queries for the private hosted zone's domain name to the IP addresses of the inbound endpoint.

  • A mobile application must allow users to securely access their own content stored in a shared Amazon S3 bucket.
    To enable this access should be used IAM roles and Amazon Cognito.

  • A SysOps admin configured AWS Backup to capture snapshots from a single Amazon EC2 instance that has one Amazon EBS volume attached. On the first snapshot, the EBS volumes has 10 GiB of data. On the second snapshot, the EBS volume still contains 10 GiB of data, but 4 GiB have changed. On the third snapshot, 2 GiB of data have been added to the volume, for a total of 12 GiB.
    10 + 4 + 2 = 16 GiB total storage is required to store these snapshots.
  • To identify potential cost savings for EC2 can use AWS Cost Explorer to generate Amazon EC2 resource optimization recommendations. It will identify idle and underutilized instances across accounts and regions.

  • The s3:ListBucket action must be allowed at the bucket level.

  • With the threat of ransomware viruses encrypting and holding company data hostage, to protect an Amazon S3 bucket should Enable Amazon S3 versioning on the bucket.

  • An application is running on Amazon EC2 instances behind a Classic Load Balancer (CLB). The instances run in an Auto Scaling group across multiple AZs. Occasionally multiple incoming requests will receive a 5xx HTTP response when making a request to the CLB. From the Amazon CloudWatch metrics, a SysOps Admin observes the ELB SpillOverCount metric to be greater than zero during these occasions.
    These errors can be avoided by triggering scaling actions on SurgeQueueLength ELB metric.

  • By default, updating a stack set updates all stack instances. If have 20 accounts each in two regions, will have 40 stack instances, and all will be updated when update the stack set. AWS recommends that to test the updated version of a template, Create a separate stack set to test the update.

  • A company needs to view a list of security groups that are open to the internet on port 3389.
    To meet this requirement a SysOps admin should Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.

  • To make the web application accessible from the internet should:
    • Create a security group and network ACL for the load balancer allowing inbound traffic on port 80 and
    • Add a rule to the network ACL allowing outbound traffic on ports 1,024 through 65,535.
Network ACLs are stateless firewalls which means need a rule for each connection - inbound and outbound, while Security groups are stateful.​
  • An application uploads periodic logs to an Amazon S3 bucket. The logs must be immediately available (so Glacier cannot be used) but are not frequently accessed. To save cost, can move the files to S3 Standard-IA. Before transition objects from the S3 Standard or S3 Standard-IA storages classes to S3 Standard-IA or S3 One Zone-IA, must store them at least 30 days in the S3 Standard storage class.

  • An ecommerce company use an Amazon ElastiCache for Memcached cluster for in-memory caching of popular product queries on the shopping site. When viewing recent Amazon CloudWatch metrics data for the ElastiCache cluster, the SysOps admin notices a large number of evictions.
    The actions will reduce these evictions are Add an additional node (Scale Out) and Increase the individual node size (Scale Up) inside the ElastiCache cluster.

  • A company's SysOps admin deploys a public NLB in front of the copany's web application. The web application does not use any Elastic IP addresses. Users must access the web application by using the company's domain name. The SysOps admin needs to configure Amazon Route 53 to route traffic to the NLB.
    Solution will meet these requirements MOST cost-effectively is Create a Route 53 alias record for the NLB.
Last edited: