
Some Exam Questions


I failed today’s SysOps AA exam. Many questions are similar to the practice tests, but they still need deep knowledge of some areas. I will study hard and try again. Some questions were like:

  1. Set up a VPN, but with NAT in front of the Customer Gateway. Something like this:
    A. Using the MAC address from the Customer device
    B. Using the NAT device public IP
    C. Using the Customer Gateway IP
    forgot the others…

Got any idea how to set up a VPN if there is NAT in front of the Customer Gateway?

  2. Here is another question about restricted port reporting, to show your boss you will get the alert and have complied. Trusted Advisor or AWS Config?

  3. You have set up S3 and a VPC Endpoint, but are having a problem putting a file in there. What might the issue be?
    A. S3 Bucket Policy and S3 Access Control List.
    B. S3 Bucket Policy and Endpoint Policy
    C. Security Group and Endpoint Policy
    D. Security Group and S3 Bucket Policy
    (I’m thinking B is the correct answer?)

  4. How do we update/install an SSL certificate on a Classic Load Balancer to make sure it can connect to/support older web servers?


Here are the rest I can remember. Hope that helps others!

  • One Aurora question
  • RDS Oracle backup question
  • 2-3 Spot Instance vs. other instance types, especially where the answers do not list Scheduled RIs, so I guess “RI” means Standard RI and Spot might be better in some cases…
  • S3 resource-based policy
  • Schedule to run instance maintenance scenario
  • One Bastion question
  • Route 53 weighted routing question
  • One EFS question
  • One AWS WAF question
  • A couple of questions on AMIs: the copy-to-another-region-and-use-it scenario, and AMI billing product codes.
  • One lost SSH key pair question: make sure you read carefully whether it is an instance store-backed instance or an EBS-backed Linux instance
  • 2-3 MFA and S3 related questions
  • One CloudHSM question
  • One SAML, AD question
  • 2-3 AWS Systems Manager questions
  • One question on troubleshooting S3 5xx errors on put/delete, something like that
  • One Athena question
  • A couple of RDS, ElastiCache, Multi-AZ questions
  • A couple of tag and billing questions
  • A couple of AWS Organizations questions
  • 2-3 CloudWatch metric questions
  • One on increasing instance IOPS, C.large -> c.xlarge, something like that
  • One AWS Budgets question
  • 1-2 AWS Glacier questions: restoring files, expedited retrieval
  • 1-2 CloudFront questions

Here are some from my exam areas as well:

  1. CIDR block needs a minimum of 30 IPs: should you go for a /27 subnet (32 IPs) or a /26 subnet (64 IPs), since 5 IPs cannot be used in AWS? I forgot the detailed question, but something like that.

  2. On-premises hard-coded IP for DNS question; I don’t get it.

  3. Unable to access a Windows server. It shows the VPC Flow Log and asks you to identify the problem: Security Group, NACL, or Windows firewall? The log shows “Accept” status for both VPC subnets, and the source/dest IPs and ports look good, so I’m not sure what the problem is, unless the VPC Flow Log cannot see the Windows firewall, whose listening port might block them?

  4. InstanceLimitExceeded error, how to resolve it: a tricky one? B might be the one, according to the AWS docs.
    A. The user requested too many instances and should request fewer.
    B. The concurrent instance limit has been reached and a request needs to be filed with AWS Support to increase the limit.

  5. CloudFormation: 3 questions
    5.1 To review the infrastructure update before implementing it - create Change Sets?
    5.2 To reuse the code/script - nested stacks?
    5.3 To use many small files - StackSets?

  6. On-premises wants to use storage through NFTS - Storage volume gateway?


Did you use the practice exams? How close were they to the concepts tested?


Yes, although some questions were similar, unfortunately I was still about 2-3 questions short of passing. A few questions I recall I did not read carefully (or they were tricky questions) and I might have answered wrong, and a few others I did not know the answer to, which might need in-depth knowledge or something. I am reviewing and studying more to nail it next time. Overall the Whizlabs practice tests are awesome, and I have learned a lot.



Did all the questions come from the practice test paper?

What did you refer to while preparing for the exam?


Have you retaken the exam?


Not yet, I will try again at the end of the month.

To answer the previous question, @Akanksha: not all, but some of them are similar to the practice test. I am using the ACG course and Whizlabs as prep materials. I am going through AWS again and reading more… will see how it goes.


I also scheduled the exam again at the end of Dec. But I am wondering, will we face a similar set of questions or a new set of questions in the retake exam?

Btw, I faced similar questions to the ones you mentioned in the first attempt.


I guess if you are giving the exam on the same day then the paper will be the same. That’s how it happened with me and my friend.


@saleng76 ACG is Cloud Guru, right? By the way, I am also planning to give the exam; where is the study material? Can you share it with me please?



Yes @Akanksha, just A Cloud Guru and the practice tests here.


@Akanksha and @saleng76

So we should face different question sets in the retake exam. Keep it up!!!


Is the AWS Associate not easy?
Can anyone tell me if it is fine if I only go through the AWS documentation for all services and then buy the practice tests from Whizlabs?


There was one question like how both instances communicate with each other. I don’t remember the question exactly, but can anyone help or clarify this?


I took, and failed, the exam yesterday. The questions I had were the same as those you’ve mentioned above.


Thank you so much @dakopraz, and congrats! I will try my 2nd attempt soon. I had similar questions to yours as well. Below are a few I still need some guidance on; please advise.

“For example, one question I recall was something about c4.large with EBS io1 Provisioned IOPS and disk read and write performance issues. Have already tried 1000 iops, tried 2000 iops, but the performance problem remains. What should you do next?”

Is B) Convert to c4.xlarge the right choice?

“M2 with classic load balancer and predictable steady load. How to reduce costs? Can we even get M2 reserved instances? Is ALB cheaper than classic load balancer? Is M5 cheaper than M2?”

I guess ALB is cheaper since it asked for steady load, although M5 has RIs and M2 does not.

RDS for Oracle - there was a backup question specific to Oracle that I didn’t know. Think they were trying to throw me off by saying Oracle. Not specific to Oracle; remember the two ways that RDS backs up: 1) automated, during a user-specified window. 2) DB snapshots.

I don’t remember if the other options were auto backup or snapshots, but I do remember something like an RMAN backup command option.
If you chose to install the Oracle Secure Backup Cloud Module, the Quick Start performs an initial, complete backup of your database to the S3 bucket you specified in the Quick Start parameters.
You can use the /tmp/rmanbackup.cmd script to perform new backups or to schedule backup tasks and customize the settings for your needs.
You can also schedule your backups by using Crontab or another scheduling tool.

“VPC Flow logs - always questions on these and what exactly can be enabled: VPC, subnet, ENI, and how to read them. One question said RDC didn’t work but the flow logs showed send OK, receive OK, so what’s wrong? The answer must be that the NACL on the bastion subnet denies the return traffic. This one was very tricky.”

I picked the Windows firewall issue since I thought we cannot see Windows logs in VPC Flow Logs, so I guess I got this one wrong ;(


@saleng76 and @dakopraz

If the NACL blocks the return traffic, how does the VPC flow log get the “receive OK”?


ALB: $0.0225 per Application Load Balancer-hour (or partial hour)
CLB: $0.025 per Classic Load Balancer-hour (or partial hour)

Same region


The packet leaves the bastion host and first goes past its own security group, which allows all outbound, then its own subnet’s NACL, which allows the packet out, then into the target subnet’s NACL, which allows it through, then to the target security group, which allows it. Then the return packet goes out the target security group, which is stateful and allows the return traffic no matter what if it got in, then hits the target NACL on the egress trip; NACLs are stateless, so it won’t get by just because it got in, but this gets allowed. Then it hits the bastion NACL and can be DENIED there by either source or port. With VPC flow logs, if it’s logging at the target subnet level, it would see the packet enter and exit and wouldn’t know that the bastion subnet NACL denied it.
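As an added illustration (not code from any poster in this thread), here is a toy model of the path just described, with constructed NACL/SG rules and addresses: in both cases the target-subnet log shows the same two ACCEPT records, and only the bastion NACL’s inbound rule decides whether the reply ever arrives.

```python
# Added illustration (not from any post in this thread): a toy model of the path
# described above. Security groups are stateful (the reply to an accepted request
# is let back out), NACLs are stateless (each packet is checked only against the
# rules for its own direction), and a flow log on the target subnet records only
# traffic crossing that subnet. All rules, ports and addresses are constructed.
RDP, EPHEMERAL = 3389, (1024, 65535)

def match_rules(rules, ip, port):
    """First matching (cidr_prefix, (lo, hi), action) wins; no match means deny."""
    for prefix, (lo, hi), action in rules:
        if ip.startswith(prefix) and lo <= port <= hi:
            return action == "allow"
    return False

def trace(bastion_nacl, target_nacl, target_sg_in, bastion_ip, target_ip):
    """Walk one request (bastion -> target:3389) and its reply.
    nacl = {"in": rules, "out": rules}. Returns (reply_reached_bastion, log),
    where log is what a flow log on the target subnet would show."""
    log, reply_port = [], 49152          # constructed client source port
    if not match_rules(bastion_nacl["out"], target_ip, RDP):
        return False, log                # dropped before the target subnet: unseen
    if not match_rules(target_nacl["in"], bastion_ip, RDP):
        log.append(("in", bastion_ip, target_ip, RDP, "REJECT"))
        return False, log
    sg_ok = match_rules(target_sg_in, bastion_ip, RDP)
    log.append(("in", bastion_ip, target_ip, RDP, "ACCEPT" if sg_ok else "REJECT"))
    if not sg_ok:
        return False, log
    # Reply leg: the SG is stateful, so it passes; the target NACL is re-evaluated.
    if not match_rules(target_nacl["out"], bastion_ip, reply_port):
        log.append(("out", target_ip, bastion_ip, reply_port, "REJECT"))
        return False, log
    log.append(("out", target_ip, bastion_ip, reply_port, "ACCEPT"))
    # The bastion subnet NACL decides last; the target-subnet log never sees it.
    return match_rules(bastion_nacl["in"], target_ip, reply_port), log

ANY = [("", (0, 65535), "allow")]
TARGET_NACL = {"in": ANY, "out": ANY}
TARGET_SG_IN = [("10.0.1.", (RDP, RDP), "allow")]   # RDP from the bastion subnet only
# Broken bastion NACL: RDP may leave, but nothing admits the ephemeral-port reply.
BASTION_NACL_BROKEN = {"out": ANY, "in": [("", (22, 22), "allow")]}
BASTION_NACL_FIXED = {"out": ANY, "in": [("", (22, 22), "allow"), ("", EPHEMERAL, "allow")]}

def broken_case():
    return trace(BASTION_NACL_BROKEN, TARGET_NACL, TARGET_SG_IN, "10.0.1.10", "10.0.2.20")

def fixed_case():
    return trace(BASTION_NACL_FIXED, TARGET_NACL, TARGET_SG_IN, "10.0.1.10", "10.0.2.20")
```

Comparing `broken_case()` and `fixed_case()` shows identical target-subnet logs with different outcomes, which is why a log taken only on the target side cannot explain the failed RDP session.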


I also got similar questions in the exam today and I failed.

Passed AWS SysOps Exam Dec 29th