[September-2022]Braindump2go SOA-C02 PDF Dumps SOA-C02 266Q Free Download[Q219-Q249]

September/2022 Latest Braindump2go SOA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SOA-C02 Real Exam Questions!

QUESTION 219
A company’s customers are reporting increased latency while accessing static web content from Amazon S3.
A SysOps administrator observed a very high rate of read operations on a particular S3 bucket.
What will minimize latency by reducing load on the S3 bucket?

A. Migrate the S3 bucket to a region that is closer to end users’ geographic locations
B. Use cross-region replication to replicate all of the data to another region
C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.
D. Use Amazon ElastiCache to cache data being served from Amazon S3

Answer: C

QUESTION 220
A company’s SysOps administrator deploys four new Amazon EC2 instances by using the standard Amazon Linux 2 Amazon Machine Image (AMI). The company needs to be able to use AWS Systems Manager to manage the instances. The SysOps administrator notices that the instances do not appear in the Systems Manager console.
What must the SysOps administrator do to resolve this issue?

A. Connect to each instance by using SSH.
Install Systems Manager Agent on each instance.
Configure Systems Manager Agent to start automatically when the instances start up.
B. Use AWS Certificate Manager (ACM) to create a TLS certificate.
Import the certificate into each instance.
Configure Systems Manager Agent to use the TLS certificate for secure communications.
C. Connect to each instance by using SSH.
Create an ssm-user account.
Add the ssm-user account to the /etc/sudoers directory.
D. Attach an IAM instance profile to the instances.
Ensure that the instance profile contains the AmazonSSMManagedInstanceCore policy.

Answer: D

QUESTION 221
A SysOps administrator uses AWS Systems Manager Session Manager to connect to instances. After the SysOps administrator launches a new Amazon EC2 instance, the EC2 instance does not appear in the Session Manager list of systems that are available for connection. The SysOps administrator verifies that Systems Manager Agent is installed, updated, and running on the EC2 instance. What is the reason for this issue?

A. The SysOps administrator does not have access to the key pair that is required for connection
B. The SysOps administrator has not attached a security group to the EC2 instance to allow SSH on port 22.
C. The EC2 instance does not have an attached IAM role that allows Session Manager to connect to the EC2 instance.
D. The EC2 instance ID has not been entered into the Session Manager configuration

Answer: C

QUESTION 222
A company has an organization in AWS Organizations. The company uses shared VPCs to provide networking resources across accounts. A SysOps administrator has been able to successfully launch and manage Amazon EC2 instances in a participant account. However, the SysOps administrator is now receiving an InstanceLimitExceeded error when the SysOps administrator tries to launch a new EC2 instance.
What should the SysOps administrator do to resolve this error?

A. Request an instance quota increase from the account that owns the VPC
B. Launch additional EC2 instances in a different AWS Region
C. Request an instance quota increase from the participant account
D. Launch additional EC2 instances by using a different Amazon Machine image (AMI)

Answer: A

QUESTION 223
An environment consists of 100 Amazon EC2 Windows instances. The Amazon CloudWatch agent is deployed and running on all EC2 instances with a baseline configuration file to capture log files. There is a new requirement to capture the DHCP log files that exist on 50 of the instances. What is the MOST operationally efficient way to meet this new requirement?

A. Create an additional CloudWatch agent configuration file to capture the DHCP logs.
Use the AWS Systems Manager Run Command to restart the CloudWatch agent on each EC2 instance with the append-config option to apply the additional configuration file.
B. Log in to each EC2 instance with administrator rights.
Create a PowerShell script to push the needed baseline log files and DHCP log files to CloudWatch
C. Run the CloudWatch agent configuration file wizard on each EC2 instance.
Verify that the base log files are included and add the DHCP log files during the wizard creation process.
D. Run the CloudWatch agent configuration file wizard on each EC2 instance and select the advanced detail level.
This will capture the operating system log files.

Answer: D

QUESTION 224
A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC. While reviewing the logs, the SysOps administrator notices that rejected traffic is not listed. What should the SysOps administrator do to ensure that all traffic is logged?

A. Create a new flow log that has a filter setting to capture all traffic.
B. Create a new flow log. Set the log record format to a custom format.
Select the proper fields to include in the log.
C. Edit the existing flow log.
Change the filter setting to capture all traffic.
D. Edit the existing flow log.
Set the log record format to a custom format.
Select the proper fields to include in the log.

Answer: A

QUESTION 225
A company uses an Amazon CloudFront distribution to deliver its website. Traffic logs for the website must be centrally stored and all data must be encrypted at rest. Which solution will meet these requirements?

A. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with internet access and server-side encryption that uses the default AWS managed key.
Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
B. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256.
Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
C. Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256.
Configure CloudFront to use the S3 bucket as a log destination.
D. Create an Amazon S3 bucket that is configured with no default encryption.
Enable encryption in the CloudFront distribution and use the S3 bucket as a log destination.

Answer: C

QUESTION 226
A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks and takes images of each EC2 instance. The process of installing and configuring software can take between 2 to 3 hours, but at times the process stalls due to installation errors. The SysOps administrator must modify the CloudFormation template so if the process stalls, the entire stack will fail and roll back.
Based on these requirements, what should be added to the template?

A. Conditions with a timeout set to 4 hours.
B. CreationPolicy with timeout set to 4 hours.
C. DependsOn a timeout set to 4 hours.
D. Metadata with a timeout set to 4 hours

Answer: B

QUESTION 227
A company uses an Amazon Simple Queue Service (Amazon SQS) standard queue with its application.
The application sends messages to the queue with unique message bodies. The company decides to switch to an SQS FIFO queue.
What must the company do to migrate to an SQS FIFO queue?

A. Create a new SQS FIFO queue.
Turn on content-based deduplication on the new FIFO queue.
Update the application to include a message group ID in the messages.
B. Create a new SQS FIFO queue.
Update the application to include the DelaySeconds parameter in the messages.
C. Modify the queue type from SQS standard to SQS FIFO.
Turn off content-based deduplication on the queue.
Update the application to include a message group ID in the messages.
D. Modify the queue type from SQS standard to SQS FIFO.
Update the application to send messages with identical message bodies and to include the DelaySeconds parameter in the messages.

Answer: A

QUESTION 228
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement?

A. Log in to the RDS console and select the encryption box to encrypt the database
B. Create a new encrypted Amazon EBS volume and attach it to the instance
C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
D. Take a snapshot of the RDS instance, copy and encrypt the snapshot and then restore to the new RDS instance

Answer: D

QUESTION 229
A SysOps administrator is tasked with deploying a company’s infrastructure as code. The SysOps administrator wants to write a single template that can be reused for multiple environments. How should the SysOps administrator use AWS CloudFormation to create a solution?

A. Use Amazon EC2 user data in a CloudFormation template
B. Use nested stacks to provision resources
C. Use parameters in a CloudFormation template
D. Use stack policies to provision resources

Answer: C
Explanation:
Reuse templates to replicate stacks in multiple environments: After you have your stacks and resources set up, you can reuse your templates to replicate your infrastructure in multiple environments. For example, you can create environments for development, testing, and production so that you can test changes before implementing them into production. To make templates reusable, use the parameters, mappings, and conditions sections so that you can customize your stacks when you create them. For example, for your development environments, you can specify a lower-cost instance type compared to your production environment, but all other configurations and settings remain the same.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#reuse

QUESTION 230
A company’s web application is available through an Amazon CloudFront distribution and directly through an internet-facing Application Load Balancer (ALB). A SysOps administrator must make the application accessible only through the CloudFront distribution and not directly through the ALB. The SysOps administrator must make this change without changing the application code. Which solution will meet these requirements?

A. Modify the ALB type to internal.
Set the distribution’s origin to the internal ALB domain name.
B. Create a Lambda@Edge function.
Configure the function to compare a custom header value in the request with a stored password and to forward the request to the origin in case of a match.
Associate the function with the distribution.
C. Replace the ALB with a new internal ALB.
Set the distribution’s origin to the internal ALB domain name.
Add a custom HTTP header to the origin settings for the distribution.
In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value.
Add a default rule to return a fixed response code of 403.
D. Add a custom HTTP header to the origin settings for the distribution.
In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value.
Add a default rule to return a fixed response code of 403.

Answer: D

QUESTION 231
A compliance team requires all administrator passwords for Amazon RDS DB instances to be changed at least annually.
Which solution meets this requirement in the MOST operationally efficient manner?

A. Store the database credentials in AWS Secrets Manager.
Configure automatic rotation for the secret every 365 days.
B. Store the database credentials as a parameter in the RDS parameter group.
Create a database trigger to rotate the password every 365 days.
C. Store the database credentials in a private Amazon S3 bucket.
Schedule an AWS Lambda function to generate a new set of credentials every 365 days.
D. Store the database credentials in AWS Systems Manager Parameter.
Store as a secure string parameter.
Configure automatic rotation for the parameter every 365 days.

Answer: A

QUESTION 232
A SysOps administrator is responsible for a large fleet of Amazon EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead?

A. Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring
B. List any instances with failed system status checks using the AWS Management Console
C. Monitor AWS CloudTrail for StopInstances API calls
D. Review the AWS Personal Health Dashboard

Answer: D

QUESTION 233
A development team recently deployed a new version of a web application to production.
After the release, penetration testing revealed a cross-site scripting vulnerability that could expose user data.
Which AWS service will mitigate this issue?

A. AWS Shield Standard
B. AWS WAF
C. Elastic Load Balancing
D. Amazon Cognito

Answer: B

QUESTION 234
A company is running distributed computing software to manage a fleet of 20 Amazon EC2 instances for calculations. The fleet includes 2 control nodes and 18 task nodes to run the calculations. Control nodes can automatically start the task nodes.
Currently, all the nodes run on demand. The control nodes must be available 24 hours a day, 7 days a week. The task nodes run for 4 hours each day. A SysOps administrator needs to optimize the cost of this solution.
Which combination of actions will meet these requirements? (Choose two.)

A. Purchase EC2 Instance Savings Plans for the control nodes.
B. Use Dedicated Hosts for the control nodes.
C. Use Reserved Instances for the task nodes.
D. Use Spot Instances for the control nodes.
Use On-Demand Instances if there is no Spot availability.
E. Use Spot Instances for the task nodes.
Use On-Demand Instances if there is no Spot availability.

Answer: AE
Explanation:
The question asks for the most cost-effective solution; an EC2 Instance Savings Plan is a better option than a Reserved Instance.
https://www.missioncloud.com/blog/ec2-spot-instances-vs-aws-savings-plans-what-are-the-potential-savings

QUESTION 235
A company is supposed to receive a data file every hour in an Amazon S3 bucket. An S3 event notification invokes an AWS Lambda function each time a file arrives. The function processes the data for use by an application.
The application team notices that sometimes the file does not arrive. The application team wants to receive a notification whenever the file does not arrive.
What is the MOST operationally efficient solution that meets these requirements?

A. Add an S3 Lifecycle rule on the S3 bucket with a scope that is limited to objects that were created in the last hour.
Configure another S3 event notification to be invoked by the lifecycle transition when the number of objects transitioned is zero.
Publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team.
B. Configure another S3 event notification to invoke a Lambda function that posts a message to an Amazon Simple Queue Service (Amazon SQS) queue.
Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team when the ApproximateAgeOfOldestMessage metric of the queue is greater than 1 hour.
C. Create an Amazon CloudWatch alarm to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to alert the application team when the Invocations metric of the Lambda function is zero for an hour.
Configure the alarm to treat missing data as breaching.
D. Create a new Lambda function to get the timestamp of the newest file in the S3 bucket.
If the timestamp is more than 1 hour ago, publish a message to an Amazon Simple Notification Service (Amazon SNS) topic to notify the application team.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the new function hourly.

Answer: C

QUESTION 236
A company recently acquired another corporation and all of that corporation’s AWS accounts. A financial analyst needs the cost data from these accounts. A SysOps administrator uses Cost Explorer to generate cost and usage reports. The SysOps administrator notices that “No Tagkey” represents 20% of the monthly cost.
What should the SysOps administrator do to tag the “No Tagkey” resources?

A. Add the accounts to AWS Organizations. Use a service control policy (SCP) to tag all the untagged resources.
B. Use an AWS Config rule to find the untagged resources. Set the remediation action to terminate the resources.
C. Use Cost Explorer to find and tag all the untagged resources.
D. Use Tag Editor to find and tag all the untagged resources.

Answer: D

QUESTION 237
A company has a web application that is experiencing performance problems many times each night. A root cause analysis reveals sudden increases in CPU utilization that last 5 minutes on an Amazon EC2 Linux instance. A SysOps administrator must find the process ID (PID) of the service or process that is consuming more CPU.
What should the SysOps administrator do to collect the process utilization information with the LEAST amount of effort?

A. Configure the Amazon CloudWatch agent procstat plugin to capture CPU process metrics.
B. Configure an AWS Lambda function to run every minute to capture the PID and send a notification.
C. Log in to the EC2 instance by using a .pem key each night. Then run the top command.
D. Use the default Amazon CloudWatch CPU utilization metric to capture the PID in CloudWatch.

Answer: A
Explanation:
The procstat plugin enables you to collect metrics from individual processes. It is supported on Linux servers and on servers running Windows Server 2012 or later.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-procstat-process-metrics.html

QUESTION 238
A SysOps administrator configured AWS Backup to capture snapshots from a single Amazon EC2 instance that has one Amazon Elastic Block Store (Amazon EBS) volume attached. On the first snapshot, the EBS volume has 10 GiB of data. On the second snapshot, the EBS volume still contains 10 GiB of data, but 4 GiB have changed. On the third snapshot, 2 GiB of data have been added to the volume, for a total of 12 GiB.
How much total storage is required to store these snapshots?

A. 12 GiB
B. 16 GiB
C. 26 GiB
D. 32 GiB

Answer: B

QUESTION 239
A team is managing an AWS account that is a member of an organization in AWS Organizations. The organization has consolidated billing features enabled. The account hosts several applications.
A SysOps administrator has applied tags to resources within the account to reflect the environment. The team needs a report of the breakdown of charges by environment.
What should the SysOps administrator do to meet this requirement?

A. Filter, map, and categorize resource groups in Tag Editor.
B. Ensure that the organization’s service control policies (SCPs) allow access to cost allocation tags.
C. Ensure that the IAM credentials that are used to access Cost Explorer have permissions to group cost by tags.
D. Activate the tag keys for cost allocation on the organization’s management account.

Answer: D
Explanation:
You must activate both types of tags separately before they can appear in Cost Explorer or on a cost allocation report.
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html

QUESTION 240
A company hosts a static website on Amazon S3. The website is served by an Amazon CloudFront distribution with a default TTL of 86,400 seconds.
The company recently uploaded an updated version of the website to Amazon S3. However, users still see the old content when they refresh the site. A SysOps administrator must make the new version of the website visible to users as soon as possible.
Which solution meets these requirements?

A. Adjust the TTL value for the DNS CNAME record that is pointing to the CloudFront distribution.
B. Create an invalidation on the CloudFront distribution for the old S3 objects.
C. Create a new CloudFront distribution.
Update the DNS records to point to the new CloudFront distribution.
D. Update the DNS record for the website to point to the S3 bucket.

Answer: B

QUESTION 241
A SysOps administrator is responsible for managing a company’s cloud infrastructure with AWS CloudFormation. The SysOps administrator needs to create a single resource that consists of multiple AWS services. The resource must support creation and deletion through the CloudFormation console.
Which CloudFormation resource type should the SysOps administrator create to meet these requirements?

A. AWS::EC2::Instance with a cfn-init helper script
B. AWS::OpsWorks::Instance
C. AWS::SSM::Document
D. Custom::MyCustomType

Answer: D
Explanation:
Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks. For example, you might want to include resources that aren’t available as AWS CloudFormation resource types. You can include those resources by using custom resources. That way you can still manage all your related resources in a single stack.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html

QUESTION 242
A company is implementing security and compliance by using AWS Trusted Advisor. The company’s SysOps team is validating the list of Trusted Advisor checks that it can access.
Which factor will affect the quantity of available Trusted Advisor checks?

A. Whether at least one Amazon EC2 instance is in the running state
B. The AWS Support plan
C. An AWS Organizations service control policy (SCP)
D. Whether the AWS account root user has multi-factor authentication (MFA) enabled

Answer: B
Explanation:
https://aws.amazon.com/premiumsupport/plans/

QUESTION 243
A SysOps administrator is using AWS CloudFormation StackSets to create AWS resources in two AWS Regions in the same AWS account.
A stack operation fails in one Region and returns the stack instance status of OUTDATED.
What is the cause of this failure?

A. The CloudFormation template changed on the local disk and has not been submitted to CloudFormation.
B. The CloudFormation template is trying to create a global resource that is not unique.
C. The stack has not yet been deployed to the Region.
D. The SysOps administrator is using an old version of the CloudFormation API.

Answer: B
Explanation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-troubleshooting.html

QUESTION 244
A SysOps administrator must configure Amazon S3 to host a simple nonproduction webpage. The SysOps administrator has created an empty S3 bucket from the AWS Management Console. The S3 bucket has the default configuration in place.
Which combination of actions should the SysOps administrator take to complete this process? (Choose two.)

A. Configure the S3 bucket by using the “Redirect requests for an object” functionality to point to the bucket root URL.
B. Turn off the “Block all public access” setting.
Allow public access by using a bucket ACL that contains <Permission>WEBSITE</Permission>.
C. Turn off the “Block all public access” setting.
Allow public access by using a bucket ACL that allows access to the AuthenticatedUsers grantee.
D. Turn off the “Block all public access” setting.
Set a bucket policy that allows “Principal”: the s3:GetObject action.
E. Create an index.html document.
Configure static website hosting, and upload the index document to the S3 bucket.

Answer: DE
Explanation:
Step 1: Create a bucket
Step 2: Enable static website hosting
Step 3: Edit Block Public Access settings
Step 4: Add a bucket policy that makes your bucket content publicly available
Step 5: Configure an index document
Step 6: Configure an error document
Step 7: Test your website endpoint
Step 8: Clean up
https://docs.aws.amazon.com/AmazonS3/latest/userguide/HostingWebsiteOnS3Setup.html

QUESTION 245
A user working in the Amazon EC2 console increased the size of an Amazon Elastic Block Store (Amazon EBS) volume attached to an Amazon EC2 Windows instance. The change is not reflected in the file system.
What should a SysOps administrator do to resolve this issue?

A. Extend the file system with operating system-level tools to use the new storage capacity.
B. Reattach the EBS volume to the EC2 instance.
C. Reboot the EC2 instance that is attached to the EBS volume.
D. Take a snapshot of the EBS volume. Replace the original volume with a volume that is created from the snapshot.

Answer: A
Explanation:
After you increase the size of an EBS volume, use the Windows Disk Management utility or PowerShell to extend the disk size to the new size of the volume. You can begin resizing the file system as soon as the volume enters the optimizing state.
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/recognize-expanded-volume-windows.html

QUESTION 246
A SysOps administrator is using Amazon EC2 instances to host an application. The SysOps administrator needs to grant permissions for the application to access an Amazon DynamoDB table.
Which solution will meet this requirement?

A. Create access keys to access the DynamoDB table.
Assign the access keys to the EC2 instance profile.
B. Create an EC2 key pair to access the DynamoDB table.
Assign the key pair to the EC2 instance profile.
C. Create an IAM user to access the DynamoDB table.
Assign the IAM user to the EC2 instance profile.
D. Create an IAM role to access the DynamoDB table.
Assign the IAM role to the EC2 instance profile.

Answer: D
Explanation:
Access to Amazon DynamoDB requires credentials. Those credentials must have permissions to access AWS resources, such as an Amazon DynamoDB table or an Amazon Elastic Compute Cloud (Amazon EC2) instance. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and DynamoDB to help secure access to your resources.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/authentication-and-access-control.html

QUESTION 247
A SysOps administrator wants to protect objects in an Amazon S3 bucket from accidental overwrite and deletion. Noncurrent objects must be kept for 90 days and then must be permanently deleted. Objects must reside within the same AWS Region as the original S3 bucket.
Which solution meets these requirements?

A. Create an Amazon Data Lifecycle Manager (Amazon DLM) lifecycle policy for the S3 bucket.
Add a rule to the lifecycle policy to delete noncurrent objects after 90 days.
B. Create an AWS Backup policy for the S3 bucket.
Create a backup rule that includes a lifecycle to expire noncurrent objects after 90 days.
C. Enable S3 Cross-Region Replication on the S3 bucket.
Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.
D. Enable S3 Versioning on the S3 bucket.
Create an S3 Lifecycle policy for the bucket to expire noncurrent objects after 90 days.

Answer: D
Explanation:
https://cloudacademy.com/blog/s3-lifecycle-policies-versioning-encryption-aws-security/

QUESTION 248
A company has an application that customers use to search for records on a website. The application’s data is stored in an Amazon Aurora DB cluster. The application’s usage varies by season and by day of the week.
The website’s popularity is increasing, and the website is experiencing slower performance because of increased load on the DB cluster during periods of peak activity. The application logs show that the performance issues occur when users are searching for information. The same search is rarely performed multiple times.
A SysOps administrator must improve the performance of the platform by using a solution that maximizes resource efficiency.
Which solution will meet these requirements?

A. Deploy an Amazon ElastiCache for Redis cluster in front of the DB cluster.
Modify the application to check the cache before the application issues new queries to the database.
Add the results of any queries to the cache.
B. Deploy an Aurora Replica for the DB cluster.
Modify the application to use the reader endpoint for search operations.
Use Aurora Auto Scaling to scale the number of replicas based on load.
C. Use Provisioned IOPS on the storage volumes that support the DB cluster to improve performance sufficiently to support the peak load on the application.
D. Increase the instance size in the DB cluster to a size that is sufficient to support the peak load on the application.
Use Aurora Auto Scaling to scale the instance size based on load.

Answer: B
Explanation:
https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/aurora-replicas-adding.html

QUESTION 249
A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer data. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company.
What is the MOST operationally efficient solution that meets these requirements?

A. Configure AWS CloudTrail in all Regions to record all API activity.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule in all unauthorized Regions for ec2:RunInstances events.
Use AWS Lambda to terminate the launched EC2 instances.
B. In each AWS account, create a managed IAM policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions.
Attach this policy to all IAM groups in each AWS account.
C. In each AWS account, create an IAM permissions boundary policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions.
Attach the permissions boundary policy to all IAM users in each AWS account.
D. Create a service control policy (SCP) in AWS Organizations to deny the ec2:RunInstances action in all unauthorized Regions.
Attach this policy to the root level of the organization.

Answer: D

