50 aws sysops administrator Practice Questions: Question Bank 2025

An administrator needs to be notified when an Amazon EC2 instance’s CPU utilization stays above 80% for 10 minutes. The notification must be sent by email. Which solution meets this requirement with the LEAST operational effort?

A company must ensure that objects in an Amazon S3 bucket cannot be deleted or overwritten for 5 years for compliance reasons. Which solution meets this requirement?

A web application is behind an Application Load Balancer (ALB) and runs in an Auto Scaling group across multiple Availability Zones. Users report intermittent 502 errors. The ALB target group shows some targets as unhealthy. What is the MOST likely cause?

An administrator wants to reduce the cost of Amazon EBS volumes attached to EC2 instances without changing performance-critical workloads. Which action is a common cost-optimization approach?

A company has an AWS CloudFormation template that creates multiple resources. A stack update fails and leaves some resources updated and others not updated. The administrator wants to ensure future failures automatically roll back changes. What should the administrator do?

An application writes logs to Amazon CloudWatch Logs. The security team requires that logs be retained for 13 months and then deleted automatically. Which solution meets this requirement?

A workload runs on Amazon EC2 instances in a private subnet and must download patches from the internet. The subnet currently has no route to the internet. The company does not want inbound connections from the internet to the instances. Which solution should the administrator implement?

An organization wants to ensure that all new EBS volumes created in an account are encrypted. The solution must be applied account-wide and should not require changes to individual launch templates. What should the administrator do?

A critical application uses an Amazon RDS for MySQL DB instance with Multi-AZ enabled. The company requires the ability to recover from accidental deletion of a table to a point in time within the last 30 days. Which solution meets these requirements?

An Auto Scaling group uses a launch template to deploy EC2 instances. Instances are failing to join the group because the user data script intermittently fails during bootstrapping (for example, package repository timeouts). The administrator needs a solution that automatically retries the bootstrapping steps and marks the instance unhealthy if configuration does not complete successfully. Which approach is BEST?

An Amazon EC2 instance in a private subnet must download security updates from public repositories. The VPC has no NAT gateway and the company wants to avoid adding internet egress. Which solution allows the instance to access AWS-managed repositories without internet access?

A SysOps administrator needs to receive an email when the average CPU utilization of an Auto Scaling group exceeds 80% for 5 minutes. Which AWS service combination meets this requirement?

A company wants to reduce Amazon EBS costs for a data volume that is only accessed a few times per month but must remain attached to an EC2 instance. Which action is MOST appropriate?

Users report intermittent 504 errors from an Application Load Balancer (ALB) in front of an ECS service. Targets appear healthy. The administrator suspects the ALB idle timeout is too low for long-running requests. Where should the administrator change this setting?

An organization must ensure that all new Amazon EBS volumes and snapshots are encrypted. Any noncompliant resource should be detected and administrators notified. Which solution meets this requirement with the LEAST operational effort?

A company uses Amazon Route 53 with an active-passive failover configuration between two Regions. During testing, failover does not occur even though the primary application is unreachable from the internet. What is the MOST likely reason?

A SysOps administrator needs to automatically remediate EC2 instances that have the IAM role removed accidentally. The remediation must reattach the correct instance profile when AWS Config detects noncompliance. Which approach is MOST appropriate?

A team manages infrastructure using AWS CloudFormation. They want to prevent stack updates from accidentally deleting or replacing a critical Amazon RDS DB instance. Which CloudFormation feature should they use?

A company runs a latency-sensitive application on EC2 instances in an Auto Scaling group behind a Network Load Balancer (NLB). During a deployment, instances are terminated before in-flight requests complete, causing client errors. What should the SysOps administrator do to reduce these errors?

A security team requires that all outbound internet traffic from workloads in multiple VPCs be inspected and logged by a centralized egress VPC. The solution must be scalable and minimize administrative overhead. Which design best meets these requirements?

An operations team wants to receive an alert if an EC2 instance fails either of its status checks. The team needs to be notified within 1 minute. Which solution meets this requirement with the LEAST operational overhead?

A SysOps administrator needs to ensure that all EBS snapshots created in an account are automatically tagged with the key "Owner" and a value based on the creator’s IAM principal. What is the MOST operationally efficient way to meet this requirement?

A company uses a Network Load Balancer (NLB) in front of an Auto Scaling group of EC2 instances. Users report intermittent connection failures during scale-in events. Which configuration change will BEST reduce these failures?

A SysOps administrator needs to confirm which security group rule caused a specific inbound connection to be allowed to an EC2 instance. What is the MOST direct way to determine this?

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The team wants to deploy a new AMI version with minimal downtime and the ability to quickly roll back. Which approach is BEST?

A SysOps administrator must ensure that a production S3 bucket containing sensitive logs cannot be deleted, even by administrators, but objects can still be uploaded and lifecycle policies must continue to work. What should the administrator do?

A company has an on-premises DNS server and a VPC with private subnets. The company wants EC2 instances in the VPC to resolve a private on-premises domain name (for example, corp.example.internal) without sending DNS queries over the internet. Which solution should a SysOps administrator implement?

A company uses Amazon RDS for MySQL in a Multi-AZ deployment. The primary instance fails and the application experiences extended downtime because the database endpoint did not update in the application configuration. Which change will BEST prevent this issue in the future?

A SysOps administrator is investigating unusually high data transfer costs between an application in private subnets and Amazon S3. The application uses S3 over a NAT gateway. The company wants to reduce data transfer charges and keep traffic on the AWS network. Which solution is BEST?

A company uses AWS Systems Manager to run commands across a fleet of EC2 instances. Some instances in private subnets show as "Not managed" in Systems Manager. The instances use an IAM role with AmazonSSMManagedInstanceCore, and security groups allow outbound HTTPS. There is no internet gateway or NAT gateway. What should the SysOps administrator do to make these instances managed WITHOUT adding internet access?

An operations team wants to automatically remediate EC2 instances that become unreachable. When an instance fails status checks for 10 consecutive minutes, the team wants the instance to be automatically recovered on new hardware without changing the instance ID. Which solution meets these requirements with the LEAST operational overhead?

A company wants to ensure that all new EBS volumes created in an AWS account are encrypted. The security team also wants to prevent users from creating unencrypted volumes. Which combination of actions meets these requirements? (Choose one.)

A SysOps administrator needs to quickly identify which IAM principal made a change to a security group rule last week. The administrator needs details of the API call and the source IP address. Which AWS service should be used?

A workload runs on EC2 instances in private subnets and must download OS updates from the internet. The company wants to minimize cost and avoid exposing the instances to inbound internet traffic. Which solution should a SysOps administrator implement?

A company requires that CloudTrail logs are stored in an S3 bucket that cannot be deleted or overwritten for 1 year, even by an administrator with S3 permissions. What should a SysOps administrator do to meet this requirement?

A SysOps administrator needs to roll out a new version of an application to hundreds of EC2 instances across multiple Availability Zones. The update must run the same set of commands, report success or failure, and allow a controlled rollout (for example, 10% at a time). Which AWS service and feature should be used?

An application behind an Application Load Balancer (ALB) must route requests to different target groups based on the HTTP Host header and URL path (for example, api.example.com/* vs www.example.com/*). Which ALB feature should be configured?

A company has an RPO requirement of 15 minutes for an Amazon EFS file system used by multiple EC2 instances. The company also wants the ability to restore individual files from a point in time. Which solution meets these requirements?

A SysOps administrator observes frequent scaling events for an Auto Scaling group that uses CPU utilization as the only scaling metric. Instances scale out during short CPU spikes and then immediately scale in, causing instability. What configuration change will MOST effectively reduce this flapping while still allowing the group to scale as needed?

A company uses AWS Organizations and wants to ensure that no IAM user in any member account can disable or delete AWS Config rules or stop the configuration recorder. The security team must enforce this restriction even if an account administrator attempts to change local IAM policies. What should the SysOps administrator implement?

A SysOps administrator needs to notify an on-call engineer whenever an EC2 instance transitions to the "stopped" state. The solution must not require installing agents on the instances. Which solution should be used?

An application runs on a single EC2 instance with an EBS volume. The instance was accidentally terminated. The administrator must restore the data as quickly as possible. Which action should be taken?

A company wants to enforce that all objects uploaded to an S3 bucket are encrypted at rest with SSE-KMS. The requirement must be enforced even if users forget to specify encryption. What should a SysOps administrator do?

An administrator uses CloudFormation to deploy an application stack. A nested stack fails to create due to a missing IAM permission. The parent stack is now in UPDATE_ROLLBACK_FAILED. The administrator has fixed the IAM permission and needs the stack to roll back cleanly. What should the administrator do?

An application behind an Application Load Balancer (ALB) in two Availability Zones intermittently returns 504 errors. Target group health checks are passing. CloudWatch metrics show an increase in TargetResponseTime and a spike in 5XX errors from targets. What is the MOST likely cause and first action?

A company has multiple AWS accounts in an organization. The security team needs an automated way to detect and remediate S3 buckets that have public access enabled. The solution should apply consistently across accounts. What should a SysOps administrator implement?

A company connects its on-premises network to AWS using a Site-to-Site VPN. The tunnel is up, but on-premises hosts cannot resolve private Route 53 hosted zone records. The company uses its on-premises DNS servers. What should the administrator do to enable DNS resolution for the private hosted zone from on premises?

An organization runs a steady-state workload on a group of EC2 instances. The workload uses no local NVMe instance store and can tolerate instance replacement with minimal disruption. The company wants to reduce costs without changing instance types. Which approach should the SysOps administrator recommend?

A company must ensure that EBS snapshots are not publicly shared and are encrypted. The company also needs to prevent users from disabling EBS encryption or sharing snapshots outside the organization accounts. Which solution meets these requirements with the LEAST operational overhead?

A multi-tier application uses EC2 instances in private subnets. Outbound internet access is required only to download OS updates. The current design uses a single NAT gateway in one Availability Zone, and the company experienced loss of outbound connectivity during an AZ outage. What is the BEST redesign to improve availability while keeping the instances in private subnets?