aws sysops administrator Advanced Practice Exam: Hard Questions 2025

A workload runs on an Auto Scaling group of EC2 instances behind an ALB. The instances are frequently replaced (scale in/out), and the operations team needs a single, queryable place to troubleshoot intermittent 502 errors. They must correlate ALB access logs with application logs and system metrics, and they want automated remediation when 5XX spikes occur. Which solution meets these requirements with the LEAST operational overhead?

A company uses CloudWatch alarms to detect when an EC2 instance becomes impaired. They created an EventBridge rule that triggers an SSM Automation document to recover the instance. However, recovery sometimes fails because the instance is in a private subnet and intermittently cannot reach required AWS APIs. The company must keep the instance private (no public IP) and avoid adding NAT gateways. What is the MOST reliable fix?

An application stores critical objects in an S3 bucket. The business requires that: (1) accidental deletion must be recoverable for 30 days, (2) ransomware-style overwrites must be recoverable for 30 days, (3) administrators must not be able to permanently delete objects during that period, and (4) operational overhead must be minimal. Which configuration BEST meets these requirements?

A company runs a multi-AZ RDS for PostgreSQL database. During a recent AZ outage, the database failed over successfully, but several application instances experienced prolonged connection failures because they cached the old IP address. The company wants to minimize connection disruption during failovers without modifying application code. Which approach is MOST appropriate?

A company uses CloudFormation to deploy a VPC, an Auto Scaling group, and an RDS database. Updates occasionally fail halfway through, leaving resources in an inconsistent state. The company needs a deployment approach that minimizes blast radius, supports safe rollbacks, and allows validation before production changes. Which solution BEST meets these goals?

A company manages hundreds of AWS accounts with AWS Organizations. They need to automatically enforce that all new EBS volumes are encrypted with a customer managed KMS key, and they must prevent users from launching unencrypted volumes even if they have broad EC2 permissions. The solution must work across accounts with minimal per-account management. What should a SysOps administrator do?

An incident responder needs to investigate a suspected credential compromise in an AWS account. They must determine which API calls were made, from which IPs, and whether any S3 objects were accessed. CloudTrail is enabled for management events, but S3 data events were not previously enabled. The company wants to maximize future forensic capability while controlling noise and cost. What is the BEST action plan?

A company has an on-premises data center connected to AWS via Site-to-Site VPN. They add a second VPN tunnel and notice intermittent asymmetric routing and dropped connections for traffic to a private subnet behind an NLB. The NLB targets are EC2 instances in private subnets. The company needs deterministic routing and failover without asymmetric path issues. Which design change BEST addresses the problem?

A company deploys a CloudFront distribution in front of an S3 origin that contains private content. Users authenticate via a custom application. The security team requires that S3 objects are never publicly accessible and that requests must be authorized at CloudFront, not by exposing S3 URLs. Additionally, the company needs to block direct access to the S3 bucket from the internet. What is the MOST secure configuration?

An EC2-based batch processing fleet runs nightly for 6 hours and is idle the rest of the day. Jobs can tolerate interruption and can checkpoint every few minutes to S3. The company has occasional urgent backfills that must finish quickly, but overall they need to minimize compute cost while maintaining acceptable throughput. Which strategy provides the BEST cost/performance trade-off with operational simplicity?