
AWS-SysOps practice questions with certification guide questions, answers and training
Free Amazon AWS-SysOps practice test questions
Question # 380
A user has created a VPC with public and private subnets using the VPC wizard. Which of the below-mentioned statements is true in this scenario?
- A. VPC bounds the main route table with a private subnet and a custom route table with a public subnet
- B. The user has to manually create a NAT instance
- C. The AWS VPC will automatically create a NAT instance with the micro size
- D. VPC bounds the main route table with a public subnet and a custom route table with a private subnet
Correct answer: A
Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet within the VPC and launch instances inside that subnet. If the user has created public and private subnets, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create a NAT instance of a smaller or larger size, as chosen. The VPC has an implied router; the VPC wizard updates the main route table used with the private subnet, creates a custom route table and associates it with the public subnet.
Question # 381
A company needs to implement a system for object-based storage in a write-once, read-many (WORM) model.
Objects cannot be deleted or changed after they are stored, even by an AWS account root user or administrators.
Which solution will meet these requirements?
- A. Set up an Amazon S3 Lifecycle policy to move the objects to Amazon S3 Glacier.
- B. Set up Amazon S3 Cross-Region Replication and run daily updates.
- C. Set up Amazon S3 Object Lock in compliance mode with S3 Versioning enabled.
- D. Set up Amazon S3 Object Lock in governance mode with S3 Versioning enabled.
Correct answer: D
Explanation:
Reference: https://aws.amazon.com/blogs/storage/protecting-data-with-amazon-s3-object-lock/
Question # 382
A user has moved an object to Glacier using the lifecycle rules. The user requests to restore the archive after 6 months. When the restore request is completed, the user accesses that archive. Which of the below-mentioned statements is not true in this condition?
- A. The user needs to pay storage for both RRS (restored) and Glacier (archive) rates
- B. The user can modify the restoration period only by issuing a new restore request with the updated period
- C. The archive will be available as an object for the duration specified by the user during the restoration request
- D. The restored object's storage class will be RRS
Correct answer: D
Explanation:
AWS Glacier is an archival service offered by AWS. AWS S3 provides lifecycle rules to archive and restore objects from S3 to Glacier. Once an object is archived, its storage class changes to Glacier. If the user sends a restore request, the storage class of the restored object will still be Glacier. The user will pay for both the archived copy and the restored object. The object is available only for the duration specified in the restore request; if the user wants to modify that period, he has to issue another restore request with the updated duration.
Question # 383
A user has launched an EC2 instance from an instance store backed AMI. The user has attached an additional instance store volume to the instance. The user wants to create an AMI from the running instance. Will the AMI have the additional instance store volume data?
- A. No, since this is ephemeral storage it will not be a part of the AMI
- B. It is not possible to attach an additional instance store volume to the existing instance store backed AMI instance
- C. No, since the instance store backed AMI can have only the root volume bundled
- D. Yes, the block device mapping will have information about the additional instance store volume
Correct answer: D
Explanation:
When the user has launched an EC2 instance from an instance store backed AMI and added an instance store volume to the instance in addition to the root device volume, the block device mapping for the new AMI contains the information for these volumes as well. In addition, the block device mappings for instances launched from the new AMI will automatically contain information for these volumes.
Question # 384
A SysOps Administrator must ensure all Amazon EBS volumes currently in use, and those created in the future, are encrypted with a specific AWS KMS customer master key (CMK).
What is the MOST efficient way for the Administrator to meet this requirement?
- A. Within AWS Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
- B. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws ec2 describe-volumes --filters encrypted command.
- C. Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
- D. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe-key command
Correct answer: A
Question # 385
A Systems Administrator is planning to deploy multiple EC2 instances within two separate Availability Zones in the same AWS Region. The instances cannot be exposed to the Internet, but must be able to exchange traffic between one another. The data does not need to be encrypted.
What solution meets these requirements while maintaining the lowest cost?
- A. Create 2 public subnets within the same VPC. Communicate between instances using their public IP addresses
- B. Create 2 separate VPCs, one for each Availability Zone. Create a private subnet within each VPC. Create a static route table pointing the destination CIDR to the other VPC
- C. Create 2 separate VPCs, one for each Availability Zone and create a public subnet in each. Deploy a VPN appliance within each VPC and establish a VPN tunnel between them. Communicate between instances by routing traffic through the VPN appliances
- D. Create two private subnets within the same VPC. Communicate between instances using their private IP addresses
Correct answer: C
Question # 386
A web service runs on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer.
External clients must whitelist specific public IP addresses in their firewalls to access the service.
What load balancer or ELB feature should be used for this application?
- A. Network Load Balancer
- B. Classic Load Balancer
- C. Application Load Balancer
- D. Load balancer target groups
Correct answer: C
Question # 387
A user has moved an object to Glacier using the lifecycle rules. The user requests to restore the archive after 6 months. When the restore request is completed, the user accesses that archive. Which of the below-mentioned statements is not true in this condition?
- A. The user needs to pay storage for both RRS (restored) and Glacier (archive) rates
- B. The user can modify the restoration period only by issuing a new restore request with the updated period
- C. The archive will be available as an object for the duration specified by the user during the restoration request
- D. The restored object's storage class will be RRS
Correct answer: D
Explanation:
AWS Glacier is an archival service offered by AWS. AWS S3 provides lifecycle rules to archive and restore objects from S3 to Glacier. Once an object is archived, its storage class changes to Glacier. If the user sends a restore request, the storage class of the restored object will still be Glacier. The user will pay for both the archived copy and the restored object. The object is available only for the duration specified in the restore request; if the user wants to modify that period, he has to issue another restore request with the updated duration.
Question # 388
You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. Which of the following states is possible for the CloudWatch alarm?
- A. OK
- B. THRESHOLD
- C. ALERT
- D. ERROR
Correct answer: A
Explanation:
You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. The action can be an Amazon EC2 action, an Auto Scaling action, or a notification sent to an Amazon SNS topic.
An alarm has three possible states:
- OK: The metric is within the defined threshold
- ALARM: The metric is outside of the defined threshold
- INSUFFICIENT_DATA: The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/AlarmThatSendsEmail.html
Question # 389
A user is trying to set up a scheduled scaling activity using Auto Scaling. The user wants to set up a recurring schedule. Which of the below-mentioned parameters is not required in this case?
- A. Recurrence value
- B. Auto Scaling group name
- C. Maximum size
- D. End time
Correct answer: C
Explanation:
When you update a stack with an Auto Scaling group and scheduled action, AWS CloudFormation always sets the min size, max size, and desired capacity properties of your Auto Scaling group to the values that are defined in the AWS::AutoScaling::AutoScalingGroup resource of your template, even if a scheduled action is in effect.
Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. The user can also configure a recurring scheduled action, which follows the Linux cron format. If the user is setting a recurring event, the user must specify the Recurrence value (in cron format), the end time (not compulsory, but the recurrence will stop after it) and the Auto Scaling group for which the scaling activity is to be scheduled.
Question # 390
A user has launched an EC2 instance from an instance store backed AMI. The user has attached an additional instance store volume to the instance. The user wants to create an AMI from the running instance. Will the AMI have the additional instance store volume data?
- A. No, since this is ephemeral storage it will not be a part of the AMI
- B. It is not possible to attach an additional instance store volume to the existing instance store backed AMI instance
- C. No, since the instance store backed AMI can have only the root volume bundled
- D. Yes, the block device mapping will have information about the additional instance store volume
Correct answer: D
Explanation:
When the user has launched an EC2 instance from an instance store backed AMI and added an instance store volume to the instance in addition to the root device volume, the block device mapping for the new AMI contains the information for these volumes as well. In addition, the block device mappings for instances launched from the new AMI will automatically contain information for these volumes.
Question # 391
A customer enquires about whether all his data is secure on AWS, and is especially concerned about Elastic Map Reduce (EMR). You need to inform him of some of the security features in place for AWS. Which of the below statements is incorrect regarding EMR or S3?
- A. Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure transmission.
- B. Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access.
- C. Every packet sent in the AWS network uses Internet Protocol Security (IPsec).
- D. Customers may encrypt the input data before they upload it to Amazon S3.
Correct answer: C
Explanation:
Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access. Unless the customer who is uploading the data specifies otherwise, only that customer can access the data. Amazon EMR customers can also choose to send data to Amazon S3 using the HTTPS protocol for secure transmission. In addition, Amazon EMR always uses HTTPS to send data between Amazon S3 and Amazon EC2. For added security, customers may encrypt the input data before they upload it to Amazon S3 (using any common data compression tool); they then need to add a decryption step to the beginning of their cluster when Amazon EMR fetches the data from Amazon S3. IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. Amazon supports Internet Protocol security (IPsec) VPN connections, but does not protect all data packets at this level.
Question # 392
A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account's Amazon S3 bucket.
Moving forward, how can the SysOps Administrator confirm that the log files have not been modified after being delivered to the S3 bucket?
- A. Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
- B. Stream the CloudTrail logs to Amazon CloudWatch to store logs at a secondary location.
- C. Enable log file integrity validation and use digest files to verify the hash value of the log file.
- D. Enable S3 server access logging to track requests made to the log bucket for security audits.
Correct answer: C
Explanation:
CloudTrail log file integrity validation can be used to check whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.
Question # 393
The billing process for Amazon EC2 instances was updated as of October 2, 2017. Which of the following statements is true regarding how you pay for Amazon EC2 instances? (Choose 2 answers)
- A. You can pay per hour or per second, depending on the instance AMI's operating system.
- B. You pay for compute capacity by the day; hours are billed in proportion.
- C. Payment does not vary based on the instance AMI's operating system.
- D. You can pay per hour or per second, depending on the instance type.
Correct answers: A, D
Explanation:
Previously, if you launched an instance for 5 minutes, you would pay for 1 hour. If you launched an instance for 45 minutes, you would also pay for 1 hour. This means that partial hours cost as much as one full hour. Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it is terminated or stopped. Each partial instance-hour consumed will be billed as a full hour.
With EC2 services now billed per second in some cases and per hour in others as of October 2, 2017, there is more to consider. Amazon AWS is still based on the concept of pay-as-you-go. You pay for Amazon EC2 instances by the second for all instance types except Dedicated Host, which is still billed per instance-hour. You are billed per second when using Linux operating systems with no separate hourly charge, and billed per hour when using Windows operating systems.
Reference: http://aws.amazon.com/ec2/pricing/
Question # 394
A SysOps Administrator wants to automate the process of configuration, deployment, and management of Amazon EC2 instances using Chef or Puppet.
Which AWS service will satisfy the requirement?
- A. AWS OpsWorks
- B. AWS Config
- C. AWS Elastic Beanstalk
- D. AWS CloudFormation
Correct answer: A
Question # 395
A SysOps Administrator must ensure all Amazon EBS volumes currently in use, and those created in the future, are encrypted with a specific AWS KMS customer master key (CMK).
What is the MOST efficient way for the Administrator to meet this requirement?
- A. Within AWS Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
- B. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe-key command.
- C. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws ec2 describe-volumes --filters encrypted command.
- D. Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
Correct answer: D
Explanation:
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
Question # 396
An organization stores sensitive customer data in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data in those S3 buckets.
The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information.
Which steps should a SysOps Administrator take to meet the CISO's requirement? (Choose two.)
- A. Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests.
- B. Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs.
- C. Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization.
- D. Use Amazon Athena to query S3 Analytics report for HTTP 403 errors, and determine the IAM user or role making the requests.
- E. Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests.
Correct answers: A, B
Explanation:
Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Question # 397
A SysOps Administrator runs a web application that uses a microservices approach, whereby the different responsibilities of the application have been divided into separate microservices, each running on a different Amazon EC2 instance. The administrator has been tasked with reconfiguring the infrastructure to support this approach.
How can the administrator accomplish this with the LEAST administrative overhead?
- A. Use Amazon CloudFront to rewrite the header based on the microservice and forward the request.
- B. Use a Network Load Balancer (NLB) and do path-based routing.
- C. Use an Application Load Balancer (ALB) and do path-based routing.
- D. Use Amazon CloudFront to log the URL and forward the request.
Correct answer: C
Question # 398
A root AWS account owner is trying to understand the various options for setting permissions on AWS S3. Which of the below-mentioned options is not a valid option for granting permissions for S3?
- A. S3 ACL
- B. User Access Policy
- C. S3 Object Access Policy
- D. S3 Bucket Access Policy
Correct answer: C
Explanation:
Amazon S3 provides a set of operations to work with the Amazon S3 resources. Managing S3 resource access refers to granting others permissions to work with S3. There are three ways the root account owner can define access with S3:
- S3 ACL: The user can use ACLs to grant basic read/write permissions to other AWS accounts.
- S3 Bucket Policy: The policy is used to grant other AWS accounts or IAM users permissions for the bucket and the objects in it.
- User Access Policy: Define an IAM user and assign him the IAM policy which grants him access to S3.
Question # 399
Pricing is ____ consumed for EC2 instances.
- A. per instance-minute or instance-hour
- B. per instance-hour only
- C. per instance-second or per instance-hour
- D. per instance-minute only
Correct answer: C
Explanation:
In AWS, you pay only for what you use.
EC2 pricing is per instance-second consumed, or per instance-hour consumed depending on the instance type and operating system for the AMI. For example, spot instances, reserved instances and on-demand instances are billed per-second, while Dedicated instances are billed per hour.
Linux instances can be billed per second, but Microsoft Windows instances are billed per hour.
Question # 400
A user has set up a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24) and a public subnet (20.0.0.0/24). The user's data centre has CIDRs of 20.0.54.0/24 and 20.1.0.0/24. If the private subnet wants to communicate with the data centre, what will happen?
- A. It will not allow traffic with data centre on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24
- B. It will allow traffic communication on both the CIDRs of the data centre
- C. It will not allow traffic communication on any of the data centre CIDRs
- D. It will allow traffic with data centre on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24
Correct answer: D
Explanation:
VPC allows the user to set up a connection between his VPC and a corporate or home network data centre. If the user has an IP address prefix in the VPC that overlaps with one of the network's prefixes, any traffic to that network prefix is dropped. In this case CIDR 20.0.54.0/24 falls within the VPC's CIDR range of 20.0.0.0/16, so traffic to that range will not be allowed. In the case of 20.1.0.0/24, it does not fall within the VPC's CIDR range, so traffic to it will be allowed.
Question # 401
A user has enabled session stickiness with ELB. The user does not want ELB to manage the cookie; instead he wants the application to manage the cookie. What will happen when the server instance, which is bound to a cookie, crashes?
- A. The session will not be sticky until a new cookie is inserted
- B. The session will be sticky and ELB will route requests to another server as ELB keeps replicating the cookie
- C. The response will have a cookie but stickiness will be deleted
- D. ELB will throw an error due to cookie unavailability
Correct answer: A
Explanation:
With Elastic Load Balancer, if the admin has enabled a sticky session with application-controlled stickiness, the load balancer uses a special cookie generated by the application to associate the session with the original server which handles the request. ELB follows the lifetime of the application-generated cookie corresponding to the cookie name specified in the ELB policy configuration. The load balancer only inserts a new stickiness cookie if the application response includes a new application cookie. The load balancer stickiness cookie does not update with each request. If the application cookie is explicitly removed or expires, the session stops being sticky until a new application cookie is issued.
Question # 402
A SysOps Administrator is implementing SSL for a domain of an internet-facing application running behind an Application Load Balancer (ALB). The Administrator decides to use an SSL certificate from AWS Certificate Manager (ACM) to secure it.
Upon creating a request for the ALB fully qualified domain name (FQDN), it fails, and the error message "Domain Not Allowed" is displayed.
How can the Administrator fix this issue?
- A. Place a new request with the proper domain name instead of the ALB FQDN
- B. Contact AWS Support and verify the request by answering security challenge questions.
- C. Select the certificate request in the ACM console and resend the validation email.
- D. Contact the domain registrar and ask them to provide the verification required by AWS.
Correct answer: C
Question # 403
......