Amazon Web Services Certified (AWS Certified) Solutions Architect Associate (SAA-C03) Practice Tests Exams Questions & Answers
✨ This course is unlike any Amazon Web Services Certified (AWS Certified) Solutions Architect Associate (SAA-C03) course you will find online.
✋ Join a live online community and a course taught by industry experts and pass the Amazon Web Services Certified (AWS Certified) Solutions Architect Associate (SAA-C03) confidently. We aim to build an ecosystem of Information Technology (IT) certifications and online courses in cooperation with the technology industry. We believe it will give our students 100% confidence in the pacing market in an open-source environment. We are just at the beginning of our way, so it's even better for you to join now!
- Always happy to answer your questions on Udemy's Q&A's and outside :)
- Failed? Please submit a screenshot of your exam result and request a refund (via our upcoming platform, not possible on Udemy); we'll always accept it.
- Learn about topics, such as:
- Access Control;
- Amazon CloudFront;
- Amazon CloudWatch;
- Amazon DynamoDB;
- Amazon Elastic Block Store (Amazon EBS);
- Amazon Elastic Compute Cloud (Amazon EC2);
- Amazon Elastic MapReduce (Amazon EMR);
- Amazon Redshift;
- Amazon Relational Database Service (Amazon RDS);
- Amazon Resource Names (ARN);
- Amazon Route 53;
- Amazon Simple Storage Service (Amazon S3);
- Amazon Simple Queue Service (Amazon SQS);
- Authentication & Authorization;
- Availability Zones;
- AWS CloudFormation;
- AWS CloudTrail;
- AWS CodeCommit;
- AWS CodeDeploy;
- AWS Direct Connect;
- AWS Identity and Access Management (AWS IAM);
- AWS Key Management Service (AWS KMS);
- AWS Storage Gateway;
- Cloud Concepts;
- Compliance, Governance, Identity & Privacy;
- Elastic IP (EIP);
- Inbound Data Traffic & Outbound Data Traffic;
- Input/Output operations Per Second (IOPS);
- Public & Private Cloud;
- Service Level Agreement (SLA);
- Software as a Service (SaaS);
- Virtual Private Clouds (VPC);
- Much More!
- Questions are similar to the actual exam, without duplications (like in other courses ;-)).
- The Practice Tests Exams simulate the actual exam's content, timing, and percentage required to pass the exam.
- This course is not an Amazon Web Services Certified (AWS Certified) Solutions Architect Associate (SAA-C03) Exam Dump. Some people use brain dumps or exam dumps, but that's an absurd practice that we don't follow.
- 710 unique questions.
v1.0.0: August 11, 2023.
- Launch of the course.
v1.0.1: November 8, 2023.
- Fix all remaining typos with support of automated proofreading software.
v1.0.2: January 18, 2024.
- Fix 1 wrong answer.
v1.0.3: February 21, 2024.
- Improve 1 question & fix its wrong answer.
v1.1.0: May 8, 2024.
- Improve multiple questions, typos, and fix broken links.
v2.0.0: June 17, 2024.
- Add 66 new questions, delete 6 duplicated questions, fix multiple questions, and spelling improvements.
We are so thankful for every contribution, which makes sure we can deliver top-notch content. Whenever you find a missing resource, a broken link in the Table of Contents, or a wrong answer, please submit an issue. Even better would be a Pull Request (PR).
- 👨🎓 Students preparing for the Amazon Web Services Certified (AWS Certified) Solutions Architect Associate (SAA-C03) Exam;
- 👨🎓 Amazon Web Services (AWS) Engineers;
- 👨🎓 Azure Engineers;
- 👨🎓 Cloud Architects;
- 👨🎓 Cloud Engineers;
- 👨🎓 DevOps Engineers;
- 👨🎓 Enterprise Architects;
- 👨🎓 Google Cloud Platform (GCP) Engineers;
- 👨🎓 Infrastructure Engineers;
- 👨🎓 Lead Engineers;
- 👨🎓 Product Architects;
- 👨🎓 Security Engineers;
- 👨🎓 Site Reliability Engineers;
- 👨🎓 Software Developers/Engineers;
- 👨🎓 Solution Architects;
- 👨🎓 Team Leaders.
- 🤩 Excitement to learn!
- 0️⃣ Prior knowledge is required;
- ✅ You can pass the Amazon Web Services Certified (AWS Certified) Solutions Architect Associate (SAA-C03) Exam solely based on our Practice Tests Exams.
- Object lifecycle and service access logging.
- Object versioning and Multi-factor authentication.
- Access controls and server-side encryption.
- Website hosting and Amazon S3 policies.
- One second.
- Five seconds.
- One minute.
- Three minutes.
- Five minutes.
A user has launched an EC2 instance. The instance got terminated as soon as it was launched. Which of the below mentioned options is not a possible reason for this?
- The user account has reached the maximum volume limit.
- The AMI is missing. It is the required part.
- The snapshot is corrupt.
- The user account has reached the maximum EC2 instance limit.
Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally, often on the move, and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and, if required, you may need to pay for a consultant. How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery?
- A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
- Elastic Transcoder to transcode original high-resolution MP4 videos to HLS.
- EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
- Amazon S3 to host videos with Lifecycle Management to archive original files to Glacier after a few days. CloudFront to serve HLS transcoded videos from S3.
- A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days. CloudFront to serve HLS transcoded videos from Glacier.
You are designing an intrusion detection and prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IDS/IPS protection for traffic coming from the Internet. Which of the following options would you consider? (Choose 2 answers)
- Implement IDS/IPS agents on each Instance running in VPC.
- Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
- Implement Elastic Load Balancing with SSL listeners in front of the web applications.
- Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.
- Amazon S3 provides read-after-write consistency for any type of PUT or DELETE.
- Consistency is not guaranteed for any type of PUT or DELETE.
- A successful response to a PUT request only occurs when a complete object is saved.
- Partially saved objects are immediately readable with a GET after an overwrite PUT.
- S3 provides eventual consistency for overwrite PUTS and DELETE.
How can the domain's zone apex, for example, 'myzoneapexdomain.com', be pointed towards an Elastic Load Balancer?
- By using an Amazon Route 53 Alias record.
- By using an AAAA record.
- By using an Amazon Route 53 CNAME record.
- By using an A record.
- If you have batch-oriented workloads.
- If you use production online transaction processing (OLTP) workloads.
- If you have workloads that are not sensitive to consistent performance.
Your department creates regular analytics reports from your company's log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic MapReduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse. Which of the following alternatives will lower costs without compromising average performance of the system or data integrity for the raw data?
- Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot Instances and Reserved Instances for Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
- Use reduced redundancy storage (RRS) for PDF and .csv data in S3. Add Spot Instances to EMR jobs. Use Spot Instances for Amazon Redshift.
- Use reduced redundancy storage (RRS) for PDF and .csv data in Amazon S3. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
- Use reduced redundancy storage (RRS) for all data in Amazon S3. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
Because of the extensibility limitations of striped storage attached to Windows Server, Amazon RDS does not currently support increasing storage on a [...] DB Instance.
- SQL Server.
- MySQL.
- Oracle.
In regards to IAM you can edit user properties later, but you cannot use the console to change the [...].
- user name.
- password.
- default group.
- Yes, EC2 Container Service supports any container service you need.
- Yes, EC2 Container Service also supports Microsoft container service.
- No, Docker is the only container platform supported by EC2 Container Service presently.
- Yes, EC2 Container Service supports Microsoft container service and Openstack.
Content and Media Server is the latest requirement that you need to meet for a client. The client has been very specific about his requirements such as low latency, high availability, durability, and access control. Potentially there will be millions of views on this server and because of 'spiky' usage patterns, operations teams will need to provision static hardware, network, and management resources to support the maximum expected need. The Customer base will be initially low but is expected to grow and become more geographically distributed. Which of the following would be a good solution for content distribution?
- Amazon S3 as both the origin server and for caching.
- AWS Storage Gateway as the origin server and Amazon EC2 for caching.
- AWS CloudFront as both the origin server and for caching.
- Amazon S3 as the origin server and Amazon CloudFront for caching.
- None of these.
- Amazon AppStream store.
- Amazon SNS store.
- Amazon Instance Store.
- Only if the tag 'VPC_Change_Group' is true.
- Yes. You can.
- No. You cannot.
- Only if the tag 'VPC Change Group' is true.
- Elastic IP Address.
- Class B IP Address.
- Class A IP Address.
- Dynamic IP Address.
- HTTP or HTTPS.
- TCP/IP.
- HTTP.
- HTTPS.
Which of the following services natively encrypts data at rest within an AWS region? (Choose 2 answers)
- AWS Storage Gateway.
- Amazon DynamoDB.
- Amazon CloudFront.
- Amazon Glacier.
- Amazon Simple Queue Service.
- A web server running in your infrastructure.
- Amazon S3.
- Amazon Glacier.
- A web server running on Amazon EC2 instances.
- possible for EBS volumes.
- reserved for the root device.
- recommended for EBS volumes.
- recommended for instance store volumes.
How can I change the security group membership for interfaces owned by other AWS services, such as Elastic Load Balancing?
- By using the service specific console or API/CLI commands.
- None of these.
- Using Amazon EC2 API/CLI.
- Using all these methods.
You have created a Route 53 latency record set from your domain to a machine in Northern Virginia and a similar record to a machine in Sydney. When a user located in the US visits your domain, he will be routed to:
- Northern Virginia.
- Sydney.
- Both, Northern Virginia and Sydney.
- Depends on the Weighted Resource Record Sets.
In the context of MySQL, version numbers are organized as MySQL version = X.Y.Z. What does X denote here?
- Release level.
- Minor version.
- Version number.
- Major version.
- Distribution Type.
- Data Transfer Out.
- Dedicated IP SSL Certificates.
- Requests.
Just when you thought you knew every possible storage option on AWS you hear someone mention Reduced Redundancy Storage (RRS) within Amazon S3. What is the ideal scenario to use Reduced Redundancy Storage (RRS)?
- Huge volumes of data.
- Sensitive data.
- Non-critical or reproducible data.
- Critical data.
$ aws sqs receive-message --queue-url https://queue.amazonaws.com/546419318123/Test
- 3.
- 4.
- 2.
- 1.
When running my DB Instance as a Multi-AZ deployment, can I use the standby for read or write operations?
- Yes.
- Only with MSSQL based RDS.
- Only for Oracle RDS instances.
- No.
- Under DB INSTANCE DETAILS.
- Under REVIEW.
- Under MANAGEMENT OPTIONS.
- Under ENGINE SELECTION.
- 20 Gigabit.
- 10 Gigabit.
- Very High but variable.
- 5 Gigabit.
In Amazon EC2, if your EBS volume stays in the detaching state, you can force the detachment by clicking [...].
- Force Detach.
- Detach Instance.
- AttachVolume.
- AttachInstance.
- A predictable and scalable MySQL database.
- A fast and reliable PL/SQL database cluster.
- A standalone Cassandra database, managed by Amazon Web Services.
- A fast, highly scalable managed NoSQL database service.
Security groups act like a firewall at the instance level, whereas [...] are an additional layer of security that act at the subnet level.
- DB Security Groups.
- VPC Security Groups.
- network ACLs.
You have been asked to tighten up the password policies in your organization after a serious security breach, so you need to consider every possible security measure. Which of the following is not an account password policy for IAM Users that can be set?
- Force IAM users to contact an account administrator when the user has allowed his or her password to expire.
- A minimum password length.
- Force IAM users to contact an account administrator when the user has entered his password incorrectly.
- Prevent IAM users from reusing previous passwords.
- is not currently.
- is as of 2013.
- is planned to be in 2014.
- will never be.
- A scalable storage appliance on top of Amazon Web Services.
- An application container on top of Amazon Web Services.
- A service by this name doesn't exist.
- A scalable cluster of EC2 instances.
You need to quickly set up an email-sending service because a client needs to start using it in the next hour. Amazon Simple Email Service (Amazon SES) seems to be the logical choice but there are several options available to set it up. Which of the following options to set up SES would best meet the needs of the client?
- Amazon SES console.
- AWS CloudFormation.
- SMTP Interface.
- AWS Elastic Beanstalk.
A user is observing the EC2 CPU utilization metric on CloudWatch. The user has observed some interesting patterns while filtering over the 1 week period for a particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CloudWatch?
- The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse.
- The user can zoom a particular period by specifying the aggregation data for that period.
- The user can zoom a particular period by double clicking on that period with the mouse.
- The user can zoom a particular period by specifying the period in the Time Range.
A company is running a batch analysis every hour on their main transactional DB, running on an RDS MySQL instance, to populate their central Data Warehouse running on Redshift. During the execution of the batch, their transactional applications are very slow. When the batch completes, they need to update the top management dashboard with the new data. The dashboard is produced by another system running on-premises that is currently started when a manually-sent email notifies that an update is required. The on-premises system cannot be modified because it is managed by another team. How would you optimize this scenario to solve performance issues and automate the process as much as possible?
- Replace RDS with Redshift for the batch analysis and SNS to notify the on-premises system to update the dashboard.
- Replace RDS with Redshift for the batch analysis and SQS to send a message to the on-premises system to update the dashboard.
- Create an RDS Read Replica for the batch analysis and SNS to notify the on-premises system to update the dashboard.
- Create an RDS Read Replica for the batch analysis and SQS to send a message to the on-premises system to update the dashboard.
You are configuring a new VPC for one of your clients for a cloud migration project, and only a public VPN will be in place. After you created your VPC, you created a new subnet, a new internet gateway, and attached your internet gateway to your VPC. When you launched your first instance into your VPC, you realized that you aren't able to connect to the instance, even if it is configured with an elastic IP. What should be done to access the instance?
- A route should be created as 0.0.0.0/0 and your internet gateway as target.
- Attach another ENI to the instance and connect via new ENI.
- A NAT instance should be created and all traffic should be forwarded to NAT instance.
- A NACL should be created that allows all outbound traffic.
You have been asked to build a database warehouse using Amazon Redshift. You know a little about it, including that it is a SQL data warehouse solution, and uses industry standard ODBC and JDBC connections and PostgreSQL drivers. However, you are not sure about what sort of storage it uses for database tables. What sort of storage does Amazon Redshift use for database tables?
- InnoDB Tables.
- NDB data storage.
- Columnar data storage.
- NDB CLUSTER Storage.
A user has attached 1 EBS volume to a VPC instance. The user wants to achieve the best fault tolerance of data possible. Which of the below mentioned options can help achieve fault tolerance?
- Attach one more volume with RAID 1 configuration.
- Attach one more volume with RAID 0 configuration.
- Connect multiple volumes and stripe them with RAI.
- Use the EBS volume as a root device.
- Set an S3 ACL on the bucket or the object.
- Create a CloudFront distribution for the bucket.
- Set an S3 bucket policy.
- Enable IAM Identity Federation.
- Use S3 Virtual Hosting.
You are in the process of creating a Route 53 DNS failover to direct traffic to two EC2 zones. Obviously, if one fails, you would like Route 53 to direct traffic to the other region. Each region has an ELB with some instances being distributed. What is the best way for you to configure the Route 53 health check?
- Route 53 doesn't support ELB with an internal health check. You need to create your own Route 53 health check of the ELB.
- Route 53 natively supports ELB with an internal health check. Turn 'Evaluate target health' off and 'Associate with Health Check' on and R53 will use the ELB's internal health check.
- Route 53 doesn't support ELB with an internal health check. You need to associate your resource record set for the ELB with your own health check.
- Route 53 natively supports ELB with an internal health check. Turn 'Evaluate target health' on and 'Associate with Health Check' off and R53 will use the ELB's internal health check.
- 5GB.
- 1TB.
- 2TB.
- 500GB.
A user is planning a highly available application deployment with EC2. Which of the below mentioned options will not help to achieve HA?
- Elastic IP address.
- PIOPS.
- AMI.
- Availability Zones.
- Prevents /dev/sdc from creating the instance.
- Prevents /dev/sdc from deleting the instance.
- Set the value of /dev/sdc to 'zero'.
- Prevents /dev/sdc from attaching to the instance.
- You don't need to specify the resource identifier while terminating a resource.
- You can terminate, stop, or delete a resource based solely on its tags.
- You can't terminate, stop, or delete a resource based solely on its tags.
- You don't need to specify the resource identifier while stopping a resource.
You are deploying an application to collect votes for a very popular television show. Millions of users will submit votes using mobile devices. The votes must be collected into a durable, scalable, and highly available data store for real-time public tabulation. Which service should you use?
- Amazon DynamoDB.
- Amazon Redshift.
- Amazon Kinesis.
- Amazon Simple Queue Service.
- Only for Cluster Compute instances.
- Yes for all instance types.
- Only for M3 instance types.
- No.
A [...] for a VPC is a collection of subnets (typically private) that you may want to designate for your backend RDS DB Instances.
- DB Subnet Set.
- RDS Subnet Group.
- DB Subnet Group.
- DB Subnet Collection.
An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance's security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?
- The outbound security group needs to be modified to allow outbound traffic.
- The outbound network ACL needs to be modified to allow outbound traffic.
- Nothing, it can be accessed from any IP address using SSH.
- Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.
You can modify the backup retention period; valid values are 0 (for no backup retention) to a maximum of [...] days.
- 45.
- 35.
- 15.
- 5.
To serve Web traffic for a popular product, your chief financial officer and IT director have purchased 10 m1.large heavy utilization Reserved Instances (RIs) evenly spread across two Availability Zones. Route 53 is used to deliver the traffic to an Elastic Load Balancer (ELB). After several months, the product grows even more popular and you need additional capacity. As a result, your company purchases two c3.2xlarge medium utilization RIs. You register the two c3.2xlarge instances with your ELB and quickly find that the m1.large instances are at 100% of capacity and the c3.2xlarge instances have significant capacity that's unused. Which option is the most cost effective and uses EC2 capacity most effectively?
- Use a separate ELB for each instance type and distribute load to ELBs with Route 53 weighted round robin.
- Configure Auto Scaling group and Launch Configuration with ELB to add up to 10 more on-demand m1.large instances when triggered by CloudWatch. Shut off c3.2xlarge instances.
- Route traffic to EC2 m1.large and c3.2xlarge instances directly using Route 53 latency based routing and health checks. Shut off ELB.
- Configure ELB with two c3.2xlarge instances and use on-demand Auto Scaling group for up to two additional c3.2xlarge instances. Shut off m1.large instances.
An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume?
- Upload your customer keys to AWS CloudHSM.
- Associate the Amazon EBS volume with AWS CloudHSM.
- Re-mount the Amazon EBS volume.
- Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
- Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume.
- Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume.
A user has launched one EC2 instance in the US West region. The user wants to access the RDS instance launched in the US East region from that EC2 instance. How can the user configure the access for that EC2 instance?
- Configure the IP range of the US West region instance as the ingress security rule of RDS.
- It is not possible to access RDS of the US East region from the US West region.
- Open the security group of the US West region in the RDS security group's ingress rule.
- Create an IAM role which has access to RDS and launch an instance in the US West region with it.
You have been asked to build AWS infrastructure for disaster recovery for your local applications and within that you should use an AWS Storage Gateway as part of the solution. Which of the following best describes the function of an AWS Storage Gateway?
- Accelerates transferring large amounts of data between the AWS cloud and portable storage devices.
- A web service that speeds up distribution of your static and dynamic web content.
- Connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between your on-premises IT environment and AWS's storage infrastructure.
- Is a storage service optimized for infrequently used data, or 'cold data'.
While creating an Amazon RDS DB, your first task is to set up a DB [...] that controls which IP address or EC2 instance can access your DB Instance.
- security token pool.
- security token.
- security pool.
- security group.
You need to import several hundred megabytes of data from a local Oracle database to an Amazon RDS DB instance. What does AWS recommend you use to accomplish this?
- Oracle export/import utilities.
- Oracle SQL Developer.
- Oracle Data Pump.
- DBMS_FILE_TRANSFER.
In the context of AWS support, why must an EC2 instance be unreachable for 20 minutes rather than allowing customers to open tickets immediately?
- Because most reachability issues are resolved by automated processes in less than 20 minutes.
- Because all EC2 instances are unreachable for 20 minutes every day when AWS does routine maintenance.
- Because all EC2 instances are unreachable for 20 minutes when first launched.
- Because of all the reasons listed here.
HTTP Query-based requests are HTTP requests that use the HTTP verb GET or POST and a Query parameter named [...].
- Action.
- Value.
- Reset.
- Retrieve.
A friend tells you he is being charged $100 a month to host his WordPress website, and you tell him you can move it to AWS for him and he will only pay a fraction of that, which makes him very happy. He then tells you he is being charged $50 a month for the domain, which is registered with the same people that set it up, and he asks if it's possible to move that to AWS as well. You tell him you aren't sure, but will look into it. Which of the following statements is true in regards to transferring domain names to AWS?
- You can't transfer existing domains to AWS.
- You can transfer existing domains into Amazon Route 53's management.
- You can transfer existing domains via AWS Direct Connect.
- You can transfer existing domains via AWS Import/Export.
- ec2-deploy-snapshot.
- ec2-fresh-snapshot.
- ec2-create-snapshot.
- ec2-new-snapshot.
All Amazon EC2 instances are assigned two IP addresses at launch, out of which one can only be reached from within the Amazon EC2 network?
- Multiple IP address.
- Public IP address.
- Private IP address.
- Elastic IP Address.
When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume?
- Data is automatically saved as an EBS snapshot.
- Data is automatically saved as an EBS volume.
- Data is unavailable until the instance is restarted.
- Data is automatically deleted.
You've created your first load balancer and have registered your EC2 instances with the load balancer. Elastic Load Balancing routinely performs health checks on all the registered EC2 instances and automatically distributes all incoming requests to the DNS name of your load balancer across your registered, healthy EC2 instances. By default, the load balancer uses the [...] protocol for checking the health of your instances.
- HTTPS.
- HTTP.
- ICMP.
- IPv6.
Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all Availability Zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits. Which of the following is not an advantage of ELB over an on-premise load balancer?
- ELB uses a four-tier, key-based architecture for encryption.
- ELB offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network.
- ELB takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.
- ELB supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections.
A web company is looking to implement an external payment service into their highly available application deployed in a VPC. Their application EC2 instances are behind a public-facing ELB. Auto Scaling is used to add additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling group, but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API. How should they architect their solution?
- Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the NAT instances.
- Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
- Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
- Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instance's public IP address to the payment validation whitelist API.
You are using Amazon SES as an email solution but are unsure of what its limitations are. Which statement below is correct in regards to that?
- New Amazon SES users who have received production access can send up to 1,000 emails per 24-hour period, at a maximum rate of 10 emails per second.
- Every Amazon SES sender has the same set of sending limits.
- Sending limits are based on messages rather than on recipients.
- Every Amazon SES sender has a unique set of sending limits.
Your company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2 answers)
- Deploy ElastiCache in-memory cache running in each Availability Zone.
- Implement sharding to distribute load to multiple RDS MySQL instances.
- Increase the RDS MySQL Instance size and Implement provisioned IOPS.
- Add an RDS MySQL read replica in each Availability Zone.
- A security group in which only tasks inside can communicate with each other.
- A special type of worker.
- A collection of related Workflows.
- The DNS record for the Amazon SWF service.
The SQL Server [...] feature is an efficient means of copying data from a source database to your DB Instance. It writes the data that you specify to a data file, such as an ASCII file.
- bulk copy.
- group copy.
- dual copy.
- mass copy.
Any person or application that interacts with AWS requires security credentials. AWS uses these credentials to identify who is making the call and whether to allow the requested access. You have just set up a VPC network for a client and you are now thinking about the best way to secure this network. You set up a security group called vpcsecuritygroup. Which of the following statements is true with respect to the initial settings that will be applied to this security group if you choose to use the default settings for this group?
- Allow all inbound traffic and allow no outbound traffic.
- Allow no inbound traffic and allow all outbound traffic.
- Allow inbound traffic on port 80 only and allow all outbound traffic.
- Allow all inbound traffic and allow all outbound traffic.
- Amazon S3.
- Amazon Glacier.
- Amazon CloudFront.
- Amazon EBS.
You are trying to launch an EC2 instance, however the instance seems to go into a terminated status immediately. What would probably not be a reason that this is happening?
- The AMI is missing a required part.
- The snapshot is corrupt.
- You need to create storage in EBS first.
- You've reached your volume limit.
A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
- Enable Multi-Factor Authentication for your AWS root account.
- Assign an IAM role to the Amazon EC2 instance.
- Store the AWS Access Key ID/Secret Access Key combination in software comments.
- Assign an IAM user to the Amazon EC2 Instance.
- Yes.
- No.
- Only EC2-optimized EBS volumes.
- Only in read mode.
You need to measure the performance of your EBS volumes as they seem to be underperforming. You have come up with a measurement of 1,024 KB I/O but your colleague tells you that EBS volume performance is measured in IOPS. How many IOPS is equal to 1,024 KB I/O?
- 16.
- 256.
- 8.
- 4.
Your company produces customer-commissioned, one-of-a-kind skiing helmets combining high fashion with custom technical enhancements. Customers can show off their individuality on the ski slopes and have access to head-up displays, GPS, rear-view cams and any other technical innovation they wish to embed in the helmet. The current manufacturing process is data rich and complex, including assessments to ensure that the custom electronics and materials used to assemble the helmets are to the highest standards. Assessments are a mixture of human and automated assessments. You need to add a new set of assessments to model the failure modes of the custom electronics using GPUs with CUDA, across a cluster of servers with low-latency networking. What architecture would allow you to automate the existing process using a hybrid approach and ensure that the architecture can support the evolution of processes over time?
- Use AWS Data Pipeline to manage movement of data & meta-data and assessments. Use an auto-scaling group of G2 instances in a placement group.
- Use Amazon Simple Workflow (SWF) to manage assessments, movement of data & meta-data. Use an auto-scaling group of G2 instances in a placement group.
- Use Amazon Simple Workflow (SWF) to manage assessments, movement of data & meta-data. Use an auto-scaling group of C3 instances with SR-IOV (Single Root I/O Virtualization).
- Use AWS Data Pipeline to manage movement of data & meta-data and assessments. Use an auto-scaling group of C3 instances with SR-IOV (Single Root I/O Virtualization).
You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture. Which alternatives should you consider? (Choose 2 answers)
- Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT instance public IP address.
- Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route 53 CNAME record to your CloudFront distribution.
- Place all your web servers behind ELB. Configure a Route 53 CNAME to point to the ELB DNS name.
- Assign EIPs to all web servers. Configure a Route 53 record set with all EIPs, with health checks and DNS failover.
- Configure ELB with an EIP. Place all your Web servers behind ELB. Configure a Route 53 A record that points to the EIP.
You need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all objects uploaded to the bucket are set to public read? (Choose 2 answers)
- Set permissions on the object to public read during upload.
- Configure the bucket ACL to set all objects to public read.
- Configure the bucket policy to set all objects to public read.
- Use AWS Identity and Access Management roles to set the bucket to public read.
- Amazon S3 objects default to public read, so no action is needed.
A major customer has asked you to set up his AWS infrastructure so that it will be easy to recover in the case of a disaster of some sort. Which of the following is important when thinking about being able to quickly launch resources in AWS to ensure business continuity in case of a disaster?
- Create and maintain AMIs of key servers where fast recovery is required.
- Regularly run your servers, test them, and apply any software updates and configuration changes.
- All items listed here are important when thinking about disaster recovery.
- Ensure that you have all supporting custom software packages available in AWS.
You are developing a new mobile application and are considering storing user preferences in AWS. This would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size. Additionally, 5 million customers are expected to use the application on a regular basis. The solution needs to be cost-effective, highly available, scalable and secure. How would you design a solution to meet the above requirements?
- Setup an RDS MySQL instance in 2 Availability Zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials.
- Setup a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS, Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access.
- Setup an RDS MySQL instance with multiple read replicas in 2 Availability Zones to store the user preference data. The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials.
- Store the user preference data in S3. Setup a DynamoDB table with an item for each user and an item attribute pointing to the user's S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly. Utilize STS, Web Identity Federation, and S3 ACLs to authenticate and authorize access.
In the Amazon RDS which uses the SQL Server engine, what is the maximum size for a Microsoft SQL Server DB Instance with SQL Server Express edition?
- 10GB per DB.
- 100GB per DB.
- 2TB per DB.
- 1TB per DB.
You have deployed a web application targeting a global audience across multiple AWS Regions under the domain name example.com. You decide to use Route 53 Latency-Based Routing to serve web requests to users from the region closest to the user. To provide business continuity in the event of server downtime you configure weighted record sets associated with two web servers in separate Availability Zones per region. During a DR test you notice that when you disable all web servers in one of the regions Route 53 does not automatically direct all users to the other region. What could be happening? (Choose 2 answers)
- Latency resource record sets cannot be used in combination with weighted resource record sets.
- You did not setup an HTTP health check for one or more of the weighted resource record sets associated with the disabled web servers.
- The value of the weight associated with the latency alias resource record set in the region with the disabled servers is higher than the weight for the other region.
- One of the two working web servers in the other region did not pass its HTTP health check.
- You did not set 'Evaluate Target Health' to 'Yes' on the latency alias resource record set associated with example.com in the region where you disabled the servers.
Amazon EBS provides the ability to create backups of any Amazon EC2 volume into what is known as [...].
- snapshots.
- images.
- instance backups.
- mirrors.
You've been hired to enhance the overall security posture for a very large e-commerce site. They have a well-architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier, with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost-effective, scalable mitigation to this kind of attack?
- Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC. They would then establish Internet connectivity into their space, filter the traffic in a hardware Web Application Firewall (WAF), and then pass the traffic through the DirectConnect connection into their application running in their VPC.
- Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet.
- Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group.
- Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality.
You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet as well as from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link. How would you design routing to meet the above requirements?
- Configure a single routing table with a default route via the Internet gateway. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
- Configure a single routing table with a default route via the Internet gateway. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
- Configure a single routing table with two default routes: one to the Internet via an Internet gateway, the other to the on-premises network via the VPN gateway. Use this routing table across all subnets in your VPC.
- Configure two routing tables, one that has a default route via the Internet gateway and another that has a default route via the VPN gateway. Associate both routing tables with each VPC subnet.
You have multiple VPN connections and want to provide secure communication between sites using the AWS VPN CloudHub. Which statement is the most accurate in describing what you must do to set this up correctly?
- Create a virtual private gateway with multiple customer gateways, each with unique Border Gateway Protocol (BGP) Autonomous System Numbers (ASNs).
- Create a virtual private gateway with multiple customer gateways, each with a unique set of keys.
- Create a virtual public gateway with multiple customer gateways, each with a unique Private subnet.
- Create a virtual private gateway with multiple customer gateways, each with unique subnet id.
A user is aware that a huge download is occurring on his instance. He has already set the Auto Scaling policy to increase the instance count when the network I/O increases beyond a certain limit. How can the user ensure that this temporary event does not result in scaling?
- The network I/O is not affected during data download.
- The policy cannot be set on the network I/O.
- There is no way the user can stop scaling as it is already configured.
- Suspend scaling.
The Amazon EC2 web service can be accessed using the [...] web services messaging protocol. This interface is described by a Web Services Description Language (WSDL) document.
- SOAP.
- DCOM.
- CORBA.
- XML-RPC.
Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS) volumes? (Choose 2 answers)
- Supported on all Amazon EBS volume types.
- Snapshots are automatically encrypted.
- Available to all instance types.
- Existing volumes can be encrypted.
- Shared volumes can be encrypted.
- Only for Oracle RDS instances.
- Yes.
- No.
- Only in VPC.
- MakeSnapShot.
- FreshSnapshot.
- DeploySnapshot.
- CreateSnapshot.
A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements?
- Enable AWS CloudTrail for the load balancer.
- Enable access logs on the load balancer.
- Install the Amazon CloudWatch Logs agent on the load balancer.
- Enable Amazon CloudWatch metrics on the load balancer.
- Only for Oracle RDS types.
- Yes.
- Only if configured at launch.
- No.
If I want my instance to run on a single-tenant hardware, which value do I have to set the instance's tenancy attribute to?
- Dedicated.
- Isolated.
- One.
- Reserved.
- Only in GovCloud.
- Only for S3 not EC2.
- Yes.
- No.
A user wants to increase the durability and availability of the EBS volume. Which of the below mentioned actions should he perform?
- Take regular snapshots.
- Create an AMI.
- Create EBS with higher capacity.
- Access EBS regularly.
- Regional Data Server.
- Relational Database Service.
- Nothing.
- Regional Database Service.
You have been asked to set up monitoring of your network and you have decided that CloudWatch would be the best service to use. Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real-time. You can use CloudWatch to collect and track metrics, which are the variables you want to measure for your resources and applications. Which of the following items listed can AWS CloudWatch monitor?
- Log files your applications generate.
- All of the items listed on this page.
- System-wide visibility into resource utilization, application performance, and operational health.
- Custom metrics generated by your applications and services.
- 1,000 write capacity units.
- 100,000 write capacity units.
- DynamoDB is designed to scale without limits, but if you go beyond 10,000 you have to contact AWS first.
- 10,000 write capacity units.
- Yes, they do but only if they are detached from the instance.
- No, you cannot attach EBS volumes to an instance.
- No, they are dependent.
- Yes, they do.
- None of these.
- A list of users that can access Amazon EC2 instances.
- An Access Control List (ACL) for AWS resources.
- A firewall for inbound traffic, built-in around every Amazon EC2 instance.
You need to set up a high level of security for an Amazon Relational Database Service (RDS) you have just built in order to protect the confidential information stored in it. What are all the possible security groups that RDS uses?
- DB security groups, VPC security groups, and EC2 security groups.
- DB security groups only.
- EC2 security groups only.
- VPC security groups, and EC2 security groups.
In the 'Detailed' monitoring data available for your Amazon EBS volumes, Provisioned IOPS volumes automatically send [...] minute metrics to Amazon CloudWatch.
- 3.
- 1.
- 5.
- 2.
You are looking at ways to improve some existing infrastructure as it seems a lot of engineering resources are being taken up with basic management and monitoring tasks and the costs seem to be excessive. You are thinking of deploying Amazon ElastiCache to help. Which of the following statements is true in regards to ElastiCache?
- You can improve load and response times to user actions and queries however the cost associated with scaling web applications will be more.
- You can't improve load and response times to user actions and queries but you can reduce the cost associated with scaling web applications.
- You can improve load and response times to user actions and queries however the cost associated with scaling web applications will remain the same.
- You can improve load and response times to user actions and queries and also reduce the cost associated with scaling web applications.
A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? (Choose 2 answers)
- Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
- Enable IAM cross-account access for all corporate IT administrators in each child account.
- Create separate VPCs for each division within the corporate IT AWS account.
- Use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account.
- Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account's Amazon S3 'Log' bucket.
After creating a new IAM user which of the following must be done before they can successfully make API calls?
- Add a password to the user.
- Enable Multi-Factor Authentication for the user.
- Assign a Password Policy to the user.
- Create a set of Access Keys for the user.
A friend wants you to set up a small BitTorrent storage area for him on Amazon S3. You tell him it is highly unlikely that AWS would allow such a thing in their infrastructure. However you decide to investigate. Which of the following statements best describes using BitTorrent with Amazon S3?
- Amazon S3 does not support the BitTorrent protocol because it is used for pirated software.
- You can use the BitTorrent protocol but only for objects that are less than 100 GB in size.
- You can use the BitTorrent protocol but you need to ask AWS for specific permissions first.
- You can use the BitTorrent protocol but only for objects that are less than 5 GB in size.
IAM's Policy Evaluation Logic always starts with a default [...] for every request, except for those that use the AWS account's root security credentials?
- Permit.
- Deny.
- Cancel.
You have been given a scope to deploy some AWS infrastructure for a large organization. The requirements are that you will have a lot of EC2 instances but may need to add more when the average utilization of your Amazon EC2 fleet is high and conversely remove them when CPU utilization is low. Which AWS services would be best to use to accomplish this?
- Auto Scaling, Amazon CloudWatch and AWS Elastic Beanstalk.
- Auto Scaling, Amazon CloudWatch and Elastic Load Balancing.
- Amazon CloudFront, Amazon CloudWatch and Elastic Load Balancing.
- AWS Elastic Beanstalk, Amazon CloudWatch and Elastic Load Balancing.
- It starts when the Status column for your distribution changes from Creating to Deployed.
- It starts as soon as you click the create instance option on the main EC2 console.
- It starts when your instance reaches 720 instance hours.
- It starts when Amazon EC2 initiates the boot sequence of an AMI instance.
A user is storing a large number of objects on AWS S3. The user wants to implement the search functionality among the objects. How can the user achieve this?
- Use the indexing feature of S3.
- Tag the objects with the metadata to search on that.
- Use the query functionality of S3.
- Make your own DB system which stores the S3 metadata for the search functionality.
A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Service (S3) keyspace specific to that user. Which two approaches can satisfy these objectives? (Choose 2 answers)
- Develop an identity broker that authenticates against IAM Security Token Service to assume an IAM role in order to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
- The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.
- Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
- The application authenticates against LDAP. The application then calls the AWS Identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
- The application authenticates against IAM Security Token Service using the LDAP credentials. The application uses those temporary AWS security credentials to access the appropriate S3 bucket.
- Yes always.
- No.
- Yes but only if they are using two factor authentication.
- Yes but only in VPC.
- It is not defined.
- Yes.
- It does support in-place non-atomic updates.
- Yes, but each Reserved Instance is associated with a specific Region that cannot be changed.
- Yes, only in US-West-2.
- Yes, only in US-East-1.
- No.
You want to establish a dedicated network connection from your premises to AWS in order to save money by transferring data directly to AWS rather than through your internet service provider. You are sure there must be some other benefits beyond cost savings. Which of the following statements would be the best choice to put your client's mind at rest?
- Different instances running on the same physical machine are isolated from each other via a 256-bit Advanced Encryption Standard (AES-256).
- Different instances running on the same physical machine are isolated from each other via the Xen hypervisor and via a 256-bit Advanced Encryption Standard (AES-256).
- Different instances running on the same physical machine are isolated from each other via the Xen hypervisor.
- Different instances running on the same physical machine are isolated from each other via IAM permissions.
- Yes, you can.
- No. You cannot.
You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet with a primary private IP address assigned, an internet gateway is attached to the VPC, and the public route table is configured to send all Internet-based traffic to the Internet gateway. The instance security group is set to allow all outbound traffic but cannot access the internet. Why is the Internet unreachable from this instance?
- The instance does not have a public IP address.
- The internet gateway security group must allow all outbound traffic.
- The instance security group must allow all inbound traffic.
- The instance 'Source/Destination check' property must be enabled.
Which of the following statements best describes the differences between Elastic Beanstalk and CloudFormation?
- Elastic Beanstalk uses Elastic load balancing and CloudFormation doesn't.
- CloudFormation is faster in deploying applications than Elastic Beanstalk.
- Elastic Beanstalk is faster in deploying applications than CloudFormation.
- CloudFormation is much more powerful than Elastic Beanstalk, because you can actually design and script custom resources.
It is advised that you watch the Amazon CloudWatch [...] metric (available via the AWS Management Console or Amazon CloudWatch APIs) carefully and recreate the Read Replica should it fall behind due to replication errors.
- Write Lag.
- Read Replica.
- Replica Lag.
- Single Replica.
Your application provides data transformation services. Files containing data to be transformed are first uploaded to Amazon S3 and then transformed by a fleet of spot EC2 instances. Files submitted by your premium customers must be transformed with the highest priority. How should you implement such a system?
- Use a DynamoDB table with an attribute defining the priority level. Transformation instances will scan the table for tasks, sorting the results by priority level.
- Use Route 53 latency based-routing to send high priority tasks to the closest transformation instances.
- Use two SQS queues, one for high priority messages, the other for default priority. Transformation instances first poll the high priority queue; if there is no message, they poll the default priority queue.
- Use a single SQS queue. Each message contains the priority level. Transformation instances poll high-priority messages first.
True or False: When you view the block device mapping for your instance, you can see only the EBS volumes, not the instance store volumes.
- Depends on the instance type.
- False.
- Depends on whether you use API call.
- True.
- Yes, AWS CloudFormation supports Amazon EC2 tagging.
- No, CloudFormation doesn't support any tagging.
- No, it doesn't support Amazon EC2 tagging.
- It depends if the Amazon EC2 tagging has been defined in the template.
If I modify a DB Instance or the DB parameter group associated with the instance, should I reboot the instance for the changes to take effect?
- Yes.
- No.
If you are using Amazon RDS Provisioned IOPS storage with MySQL and Oracle database engines, you can scale the throughput of your database Instance by specifying the IOPS rate from [...].
- 1,000 to 100,000.
- 100 to 1,000.
- 10,000 to 100,000.
- 1,000 to 10,000.
To specify a resource in a policy statement, in Amazon EC2, can you use its Amazon Resource Name (ARN)?
- Yes, you can.
- No, you can't because EC2 is not related to ARN.
- No, you can't because you can't specify a particular Amazon EC2 resource in an IAM policy.
- Yes, you can but only for the resources that are not affected by the action.
An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege, and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
- From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
- Create an IAM user within the enterprise account, assign a user policy to the IAM user that allows only the actions required by the SaaS application, create a new access and secret key for the user and provide these credentials to the SaaS provider.
- Create an IAM role for cross-account access, allow the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
- Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, provide the role ARN to the SaaS provider to use when launching their application instances.
By default what are ENIs that are automatically created and attached to instances using the EC2 console set to do when the attached instance terminates?
- Remain as is.
- Terminate.
- Hibernate.
- Pause.
In EC2, what happens to the data in an instance store if an instance reboots (either intentionally or unintentionally)?
- Data is deleted from the instance store for security reasons.
- Data persists in the instance store.
- Data is partially present in the instance store.
- Data in the instance store will be lost.
You are designing a social media site and are considering how to mitigate distributed denial-of service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
- Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
- Use dedicated instances to ensure that each instance has the maximum performance possible.
- Use an Amazon CloudFront distribution for both static and dynamic content.
- Use an Elastic Load Balancer with auto scaling groups at the web, app and Amazon Relational Database Service (RDS) tiers.
- Add alerts in Amazon CloudWatch to look for high Network In and CPU utilization.
- Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
In Amazon CloudFront, if you use Amazon EC2 instances and other custom origins with CloudFront, it is recommended to [...].
- not use Elastic Load Balancing.
- restrict Internet communication to private instances while allowing outgoing traffic.
- enable access key rotation for CloudWatch metrics.
- specify the URL of the load balancer for the domain name of your origin server.
Which of the following statements is true regarding attaching network interfaces to your instances in your VPC?
- You can attach 5 ENIs per instance type.
- You can attach as many ENIs as you want.
- The number of ENIs you can attach varies by instance type.
- You can attach 100 ENIs total regardless of instance type.
- For security reasons.
- Hardware restrictions.
- Public (IPv4) internet addresses are a scarce resource.
- There are only 5 network interfaces per instance.
- Yes.
- No.
You have an application running on an Amazon Elastic Compute Cloud instance, that uploads 5 GB video objects to Amazon Simple Storage Service (S3). Video uploads are taking longer than expected, resulting in poor application performance. Which method will help improve performance of your application?
- Enable enhanced networking.
- Use Amazon S3 multipart upload.
- Leveraging Amazon CloudFront, use the HTTP POST method to reduce latency.
- Use Amazon Elastic Block Store Provisioned IOPS and use an Amazon EBS-optimized instance.
You have been given a scope to set up an AWS Media Sharing Framework for a new start-up photo sharing company similar to Flickr. The first thing that comes to mind about this is that it will obviously need a huge amount of persistent data storage for this framework. Which of the following storage options would be appropriate for persistent storage?
- Amazon Glacier or Amazon S3.
- Amazon Glacier or AWS Import/Export.
- AWS Import/Export or Amazon CloudFront.
- Amazon EBS volumes or Amazon S3.
You need a persistent and durable storage to trace call activity of an IVR (Interactive Voice Response) system. Call duration is mostly in the 2-3 minutes timeframe. Each traced call can be either active or terminated. An external application needs to know each minute the list of currently active calls, which are usually a few calls/second. But once per month there is a periodic peak up to 1000 calls/second for a few hours. The system is open 24/7 and any downtime should be avoided. Historical data is periodically archived to files. Cost saving is a priority for this project. What database implementation would better fit this scenario, keeping costs as low as possible?
- Use RDS Multi-AZ with two tables, one for 'Active calls' and one for 'Terminated calls'. In this way the 'Active calls' table is always small and effective to access.
- Use DynamoDB with a 'Calls' table and a Global Secondary Index on an 'IsActive' attribute that is present for active calls only. In this way the Global Secondary Index is sparse and more effective.
- Use DynamoDB with a 'Calls' table and a Global Secondary Index on a 'State' attribute that can equal to 'active' or 'terminated'. In this way the Global Secondary Index can be used for all items in the table.
- Use RDS Multi-AZ with a 'CALLS' table and an indexed 'STATE' field that can be equal to 'ACTIVE' or 'TERMINATED'. In this way the SQL query is optimized by the use of the index.
If you have chosen Multi-AZ deployment, in the event of a planned or unplanned outage of your primary DB Instance, Amazon RDS automatically switches to the standby replica. The automatic failover mechanism simply changes the record of the main DB Instance to point to the standby DB Instance.
- DNAME.
- CNAME.
- TXT.
- MX.
- 2 Elastic IP addresses.
- A private IP address and an Elastic IP address.
- A public IP address and an Elastic IP address.
- A private IP address and a public IP address.
You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this?
- User data.
- EC2Config service.
- IAM roles.
- AWS Config.
A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this information for their internal security and access audits. Which of the following will meet the Customer requirement?
- Enable AWS CloudTrail to audit all Amazon S3 bucket access.
- Enable server access logging for all required Amazon S3 buckets.
- Enable the Requester Pays option to track access via AWS Billing.
- Enable Amazon S3 event notifications for Put and Post.
- Public DNS name.
- Internal DNS name.
- External DNS name.
- Global DNS name.
An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances. The customer's security policy requires that every outbound connection from these instances to any other service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance-id. In addition, the X.509 certificates must be signed by the customer's Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?
- Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
- Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with the instance's assigned instance-id to the Key management service for signature.
- Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
- Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.
A company is storing data on Amazon Simple Storage Service (S3). The company's security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? (Choose 3 answers)
- Use Amazon S3 server-side encryption with AWS Key Management Service managed keys.
- Use Amazon S3 server-side encryption with customer-provided keys.
- Use Amazon S3 server-side encryption with EC2 key pair.
- Use Amazon S3 bucket policies to restrict access to the data at rest.
- Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.
- Use SSL to encrypt the data while in transit to Amazon S3.
- your EC2 instance is in a running state.
- the instance exits from Amazon S3 console.
- your instance still exits the EC2 console.
- EC2 instances stop.
- Use the IAM based single sign between the AWS resources and the organization application.
- Use the IAM role and assign it to the instance.
- Since the application is hosted on EC2, it does not need credentials to access S3.
- Use the X.509 certificates instead of the access and the secret access keys.
In Amazon EC2 Container Service components, what is the name of a logical grouping of container instances on which you can place tasks?
- A cluster.
- A container instance.
- A container.
- A task definition.
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget, you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.
- Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
- Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
- Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master.
- Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts.
- Running.
- Working.
- Progressing.
- Pending.
A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?
- Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
- Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
- Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
- Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.
True or False: Common points of failures like generators and cooling equipment are shared across Availability Zones.
- True.
- False.
A company is building a voting system for a popular TV show. Viewers will watch the performances, then visit the show's website to vote for their favorite performer. It is expected that in a short period of time after the show has finished the site will receive millions of visitors. The visitors will first log in to the site using their Amazon.com credentials and then submit their vote. After the voting is completed the page will display the vote totals. The company needs to build the site such that it can handle the rapid influx of traffic while maintaining good performance, but also wants to keep costs to a minimum. Which of the design patterns below should they use?
- Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers. The web servers will first call the Login With Amazon service to authenticate the user, then process the user's vote and store the result into a Multi-AZ Relational Database Service instance.
- Use CloudFront and the static website hosting feature of S3 with the JavaScript SDK to call the Login With Amazon service to authenticate the user, and use IAM Roles to gain permissions to a DynamoDB table to store the user's vote.
- Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers. The web servers will first call the Login With Amazon service to authenticate the user, then process the user's vote and store the result into a DynamoDB table using IAM Roles for EC2 instances to gain permissions to the DynamoDB table.
- Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers. The web servers will first call the Login With Amazon service to authenticate the user, then process the user's vote and store the result into an SQS queue using IAM Roles for EC2 instances to gain permissions to the SQS queue. A set of application servers will then retrieve the items from the queue and store the result into a DynamoDB table.
You are designing a photo sharing mobile app. The application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle potentially millions of users in the most secure manner possible. What should your server-side application do when a new user registers on the photo sharing mobile application?
- Create a set of long-term credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app and use them to access Amazon S3.
- Record the user's information in Amazon RDS and create a role in IAM with appropriate permissions. When the user uses their mobile app, create temporary credentials using the AWS Security Token Service 'Assume Role' function. Store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
- Record the user's information in Amazon DynamoDB. When the user uses their mobile app, create temporary credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
- Create an IAM user. Assign appropriate permissions to the IAM user. Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
- Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user. Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
- Yes for all users.
- Yes for all users except root.
- No.
- Yes unless special permission granted.
- eu-west-1.
- us-east-1.
- us-east-2.
- ap-southeast-1.
Your company hosts a social media site supporting users in multiple countries. You have been asked to provide a highly available design for the application that leverages multiple regions for the most recently accessed content and latency sensitive portions of the web site. The most latency sensitive component of the application involves reading user preferences to support web site personalization and ad selection. In addition to running your application in multiple regions, which option will support this application's requirements?
- Serve user content from S3. CloudFront and use Route 53 latency-based routing between ELBs in each region. Retrieve user preferences from a local DynamoDB table in each region and leverage SQS to capture changes to user preferences with SQS workers for propagating updates to each table.
- Use the S3 Copy API to copy recently accessed content to multiple regions and serve user content from S3. CloudFront with dynamic content and an ELB in each region. Retrieve user preferences from an ElastiCache cluster in each region and leverage SNS notifications to propagate user preference changes to a worker node in each region.
- Use the S3 Copy API to copy recently accessed content to multiple regions and serve user content from S3 CloudFront and Route 53 latency-based routing between ELBs in each region. Retrieve user preferences from a DynamoDB table and leverage SQS to capture changes to user preferences with SQS workers for propagating DynamoDB updates.
- Serve user content from S3. CloudFront with dynamic content, and an ELB in each region. Retrieve user preferences from an ElastiCache cluster in each region and leverage Simple Workflow (SWF) to manage the propagation of user preferences from a centralized DB to each ElastiCache cluster.
- policy.
- permission.
- role.
- resource.
A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum number of subnets that need to be configured in the VPC?
- 1.
- 2.
- 3.
- 4.
- Yes for all users except root.
- No.
- Yes unless special permission granted.
- Yes for all users.
- True.
- False.
- Amazon EBS-backed instances can be stopped and restarted.
- Instance-store backed instances can be stopped and restarted.
- Auto scaling requires using Amazon EBS-backed instances.
- Virtual Private Cloud requires EBS backed instances.
A major customer has asked you to set up his AWS infrastructure so that it will be easy to recover in the case of a disaster of some sort. Which of the following statements is true of Amazon EC2 security groups?
- Create and maintain AMIs of key servers where fast recovery is required.
- Regularly run your servers, test them, and apply any software updates and configuration changes.
- Ensure that you have all supporting custom software packages available in AWS.
- All items listed here are important when thinking about disaster recovery.
- After you launch an instance in EC2-Classic, you can't change its security groups.
- After you launch an instance in EC2-Classic, you can change its security groups only once.
- After you launch an instance in EC2-Classic, you can only add rules to a security group.
- After you launch an instance in EC2-Classic, you cannot add or remove rules from a security group.
To view information about an Amazon EBS volume, open the Amazon EC2 console at https://console.aws.amazon.com/ec2/, click in the Navigation panel.
- EBS.
- Describe.
- Details.
- Volumes.
True or False: Provisioned IOPS Costs - you are charged for the IOPS and storage whether or not you use them in a given month.
- True.
- False.
You have an EC2 Security Group with several running EC2 instances. You change the Security Group rules to allow inbound traffic on a new port and protocol, and launch several new instances in the same Security Group. The new rules apply:
- Immediately to all instances in the security group.
- Immediately to the new instances only.
- Immediately to the new instances, but old instances must be stopped and restarted before the new rules apply.
- To all instances, but it may take several minutes for old instances to see the changes.
- An edge location is referred to the network configured within a Zone or Region.
- An edge location is an AWS Region.
- An edge location is the location of the data center used for Amazon CloudFront.
- An edge location is a Zone within an AWS Region.
If I want to run a database in an Amazon instance, which is the most recommended Amazon storage option?
- Amazon Instance Storage.
- Amazon EBS.
- You can't run a database inside an Amazon instance.
- Amazon S3.
A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customer's objects replicated?
- A single facility in eu-west-1 and a single facility in eu-central-1.
- A single facility in eu-west-1 and a single facility in us-east-1.
- Multiple facilities in eu-west-1.
- A single facility in eu-west-1.
You have set up an S3 bucket with a number of images in it and you have decided that you want anybody to be able to access these images, even anonymous users. To accomplish this you create a bucket policy. You will need to use an Amazon S3 bucket policy that specifies a [...] in the principal element, which means anyone can access the bucket.
- hash tag (#).
- anonymous user.
- wildcard (*).
- S3 user.
You try to connect via SSH to a newly created Amazon EC2 instance and get one of the following error messages: 'Network error: Connection timed out' or 'Error connecting to [instance], reason: -> Connection timed out: connect,' You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks. What steps should you take to identify the source of the behavior? (Choose 2 answers)
- Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch.
- Verify that your IAM user policy has permission to launch Amazon EC2 instances.
- Verify that you are connecting with the appropriate user name for your AMI.
- Verify that the Amazon EC2 Instance was launched with the proper IAM role.
- Verify that your federation trust to AWS has been established.
An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto Scaling needs to terminate an EC2 instance by default, AutoScaling will: (Choose 2 answers)
- Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating the instance.
- Terminate the instance with the least active network connections. If multiple instances meet this criterion, one will be randomly selected.
- Send an SNS notification, if configured to do so.
- Terminate an instance in the AZ which currently has 2 running EC2 instances.
- Randomly select one of the 3 AZs, and then terminate an instance in that AZ.
A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?
- SAML-based Identity Federation.
- Cross-Account Access.
- AWS Identity and Access Management roles.
- Web Identity Federation.
- 512 Unicode characters.
- 64 Unicode characters.
- 256 Unicode characters.
- 128 Unicode characters.
Does Amazon RDS allow direct host access via Telnet, Secure Shell (SSH), or Windows Remote Desktop Connection?
- Yes.
- No.
A user wants to achieve High Availability with PostgreSQL DB. Which of the below mentioned functionalities helps achieve HA?
- Multi-AZ.
- Read Replica.
- Multi region.
- PostgreSQL does not support HA.
- Yes, they are allowed but only for selected regions.
- No, they are never allowed.
- Yes, they are allowed without any permission.
- Yes, they are allowed but only with approval.
You are building a system to distribute confidential documents to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
- Add the CloudFront account security group 'amazon-cf/amazon-cf-sg' to the appropriate S3 bucket policy.
- Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
- Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
- Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
You require the ability to analyze a large amount of data, which is stored on Amazon S3 using Amazon Elastic MapReduce. You are using the cc2 8x large Instance type, whose CPUs are mostly idle during processing. Which of the below would be the most cost efficient way to reduce the runtime of the job?
- Create more smaller files on Amazon S3.
- Add additional cc2 8x large instances by introducing a task group.
- Use smaller instances that have higher aggregate I/O performance.
- Create fewer, larger files on Amazon S3.
What is the name of the licensing model in which I can use your existing Oracle Database licenses to run Oracle deployments on Amazon RDS?
- Bring Your Own License.
- Role Bases License.
- Enterprise License.
- License Included.
Which of the following statements are true about Amazon Route 53 resource records? (Choose 2 answers)
- An Alias record can map one DNS name to another Amazon Route 53 DNS name.
- A CNAME record can be created for your zone apex.
- An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
- TTL can be set for an Alias record in Amazon Route 53.
- An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.
Do you need to shutdown your EC2 instance when you create a snapshot of EBS volumes that serve as root devices?
- No, you only need to shutdown an instance before deleting it.
- Yes.
- No, the snapshot would turn off your instance automatically.
- No.
- Yes.
- Only in certain regions.
- Only in VPC.
- No.
- customized deployments.
- AppStream customizations.
- log events.
- Multi-AZ deployments.
True or False: Amazon EC2 has no Amazon Resource Names (ARNs) because you can't specify a particular Amazon EC2 resource in an IAM policy.
- True.
- False.
A major client who has been spending a lot of money on his internet service provider asks you to set up an AWS Direct Connection to try and save him some money. You know he needs high-speed connectivity. Which connection port speeds are available on AWS Direct Connect?
- 500Mbps and 1Gbps.
- 1Gbps and 10Gbps.
- 100Mbps and 1Gbps.
- 1Gbps.
What will be the state of the alarm at the end of 90 minutes, if the CPU utilization is constant at 80%?
- ALERT.
- ALARM.
- OK.
- INSUFFICIENT_DATA.
A 3-tier e-commerce web application is currently deployed on-premises and will be migrated to AWS for greater scalability and elasticity. The web server currently shares read-only data using a network distributed file system. The app server tier uses a clustering mechanism for discovery and shared session state that depends on IP multicast. The database tier uses shared-storage clustering to provide database failover capability, and uses several read slaves for scaling. Data on all servers and the distributed file system directory is backed up weekly to off-site tapes. Which AWS storage and database architecture meets the requirements of the application?
- Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment and one or more read replicas. Backup: web servers, app servers, and database backed up weekly to Glacier using snapshots.
- Web servers: store read-only data in an EC2 NFS server, mount to each web server at boot time. App servers: share state using a combination of DynamoDB and IP multicast. Database: use RDS with multi-AZ deployment and one or more Read Replicas. Backup: web and app servers backed up weekly via AMIs, database backed up via DB snapshots.
- Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment and one or more Read Replicas. Backup: web and app servers backed up weekly via AMIs, database backed up via DB snapshots.
- Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment. Backup: web and app servers backed up weekly via AMIs, database backed up via DB snapshots.
- Basic, Developer, Business, Enterprise.
- Basic, Startup, Business, Enterprise.
- Free, Bronze, Silver, Gold.
- All support is free.
- 10.
- 15.
- 2.
- 20.
In the most recent company meeting, your CEO focused on the fact that everyone in the organization needs to make sure that all of the infrastructure that is built is truly scalable. Which of the following statements is incorrect in reference to scalable architecture?
- A scalable service is capable of handling heterogeneity.
- A scalable service is resilient.
- A scalable architecture won't be cost effective as it grows.
- Increasing resources results in a proportional increase in performance.
- Simple Storage Solution.
- Storage Storage Storage (triple redundancy Storage).
- Storage Server Solution.
- Simple Storage Service.
A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? (Choose 2 answers)
- Amazon Simple Email Service.
- Amazon CloudWatch.
- Amazon Simple Queue Service.
- Amazon Route 53.
- Amazon Simple Notification Service.
A user has configured ELB with two EBS backed EC2 instances. The user is trying to understand the DNS access and IP support for ELB. Which of the below mentioned statements may not help the user understand the IP mechanism supported by ELB?
- The client can connect over IPV4 or IPV6 using Dualstack.
- Communication between the load balancer and back-end instances is always through IPV4.
- ELB DNS supports both IPV4 and IPV6.
- The ELB supports either IPV4 or IPV6 but not both.
- An AWS developer who is an expert in Amazon RDS using both the Oracle and SQL Server DB engines.
- A graphical Java tool distributed without cost by Oracle.
- It is a variant of the SQL Server Management Studio designed by Microsoft to support Oracle DBMS functionalities.
- A different DBMS released by Microsoft free of cost.
- security groups and multi-factor authentication.
- security groups and 2-Factor authentication.
- security groups and biometric authentication.
- security groups and network ACLs.
What is the type of monitoring data (for Amazon EBS volumes) which is available automatically in 5-minute periods at no charge called?
- Basic.
- Primary.
- Detailed.
- Local.
A user comes to you and wants access to Amazon CloudWatch but only wants to monitor a specific LoadBalancer. Is it possible to give him access to a specific set of instances or a specific LoadBalancer?
- No because you can't use IAM to control access to CloudWatch data for specific resources.
- Yes. You can use IAM to control access to CloudWatch data for specific resources.
- No because you need to be Sysadmin to access CloudWatch data.
- Yes. Any user can see all CloudWatch data and needs no access rights.
Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties?
- Instance user data.
- Resource tags.
- Instance metadata.
- Amazon Machine Image.
Making your snapshot public shares all snapshot data with everyone. Can the snapshots with AWS Marketplace product codes be made public?
- Yes.
- No.
- AWS Access Control Service (ACS).
- AWS Identity and Access Management (IAM).
You have launched an EC2 instance with four (4) 500 GB EBS Provisioned IOPS volumes attached. The EC2 instance is EBS-Optimized and supports 500 Mbps throughput between EC2 and EBS. The four EBS volumes are configured as a single RAID 0 device, and each Provisioned IOPS volume is provisioned with 4,000 IOPS (4,000 16KB reads or writes), for a total of 16,000 random IOPS on the instance. The EC2 instance initially delivers the expected 16,000 IOPS random read and write performance. Sometime later, in order to increase the total random I/O performance of the instance, you add an additional two 500 GB EBS Provisioned IOPS volumes to the RAID. Each volume is provisioned to 4,000 IOPS like the original four, for a total of 24,000 IOPS on the EC2 instance. Monitoring shows that the EC2 instance CPU utilization increased from 50% to 70%, but the total random IOPS measured at the instance level does not increase at all. What is the problem and a valid solution?
- Larger storage volumes support higher Provisioned IOPS rates; increase the provisioned volume storage of each of the 6 EBS volumes to 1TB.
- The EBS-Optimized throughput limits the total IOPS that can be utilized; use an EBS Optimized instance that provides larger throughput.
- Small block sizes cause performance degradation, limiting the I/O throughput; configure the instance device driver and filesystem to use 64KB blocks to increase throughput.
- The standard EBS Instance root volume limits the total IOPS rate; change the instance root volume to also be a 500GB 4,000 Provisioned IOPS volume.
- RAID 0 only scales linearly to about 4 devices; use RAID 0 with 4 EBS Provisioned IOPS volumes, but increase each Provisioned IOPS EBS volume to 6,000 IOPS.
A user has configured a website and launched it using the Apache web server on port 80. The user is using ELB with the EC2 instances for Load Balancing. What should the user do to ensure that the EC2 instances accept requests only from ELB?
- Configure the security group of EC2, which allows access to the ELB source security group.
- Configure the EC2 instance so that it only listens on the ELB port.
- Open the port for an ELB static IP in the EC2 security group.
- Configure the security group of EC2, which allows access only to the ELB listener.
You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message 'Certificate: <certificate-id> is being used by CloudFront.' Which of the following statements is probably the reason why you are getting this error?
- Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate.
- You can't delete SSL certificates. You need to request it from AWS.
- Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM.
- Before you can delete an SSL certificate you need to set up https on your server.
A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that the AWS CloudHSM is the best service for this. However, there seem to be a few pre-requisites before this can happen, one of those being a security group that has certain ports open. Which of the following is correct in regards to those security groups?
- A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.
- A security group that has no ports open to your network.
- A security group that has only port 3389 (for RDP) open to your network.
- A security group that has only port 22 (for SSH) open to your network.
A web company is looking to implement an intrusion detection and prevention system into their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC. How should they architect their solution to achieve these goals?
- Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see all traffic across the VPC.
- Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.
- Configure servers running in the VPC using the host-based 'route' commands to send all traffic through the platform to a scalable virtualized IDS/IPS.
- Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.
You run an ad-supported photo sharing website using Amazon S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?
- Remove public read access and use signed URLs with expiry dates.
- Use CloudFront distributions for static content.
- Block the IPs of the offending websites in Security Groups.
- Store photos on an EBS volume of the web server.
- Frequent snapshots provide a higher level of data durability and they will not degrade the performance of your application while the snapshot is in progress.
- General Purpose (SSD) and Provisioned IOPS (SSD) volumes have a throughput limit of 128 MB/s per volume.
- There is a relationship between the maximum performance of your EBS volumes, the amount of I/O you are driving to them, and the amount of time it takes for each transaction to complete.
- There is a 5 to 50 percent reduction in IOPS when you first access each block of data on a newly created or restored EBS volume.
- from the next billing cycle.
- after 30 minutes.
- immediately.
- after 24 hours.
- regional.
- based on Availability Zone.
- global.
You log in to IAM on your AWS console and notice the following message. 'Delete your root access keys.' Why do you think IAM is requesting this?
- Because the root access keys will expire as soon as you log out.
- Because the root access keys expire after 1 week.
- Because the root access keys are the same for all users.
- Because they provide unrestricted access to your AWS resources.
What is the minimum charge for the data transferred between Amazon RDS and Amazon EC2 Instances in the same Availability Zone?
- USD 0.10 per GB.
- No charge. It is free.
- USD 0.02 per GB.
- USD 0.01 per GB.
- In DynamoDB there is no need to grant access.
- Depends on the type of access.
- Yes.
- No.
The common use cases for DynamoDB Fine-Grained Access Control (FGAC) are cases in which the end user wants [...].
- to change the hash keys of the table directly.
- to check if an IAM policy requires the hash keys of the tables directly.
- to read or modify any code commit key of the table directly, without a middle-tier service.
- to read or modify the table directly, without a middle-tier service.
- Allow all inbound traffic and Allow no outbound traffic.
- Allow no inbound traffic and Allow no outbound traffic.
- Allow no inbound traffic and Allow all outbound traffic.
- Allow all inbound traffic and Allow all outbound traffic.
- INSUFFICIENT_DATA.
- ALARM.
- OK.
- STATUS_CHECK_FAILED.
[...] let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment.
- wildcards.
- pointers.
- tags.
- special filters.
Which of the below mentioned options is not available when an instance is launched by Auto Scaling with EC2 Classic?
- Public IP.
- Elastic IP.
- Private DNS.
- Private IP.
You have a lot of data stored in the AWS Storage Gateway and your manager has come to you asking about how the billing is calculated, specifically the Virtual Tape Shelf usage. What would be a correct response to this?
- You are billed for the virtual tape data you store in Amazon Glacier and are billed for the size of the virtual tape.
- You are billed for the virtual tape data you store in Amazon Glacier and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.
- You are billed for the virtual tape data you store in Amazon S3 and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.
- You are billed for the virtual tape data you store in Amazon S3 and are billed for the size of the virtual tape.
True or False: The new DB Instance that is created when you promote a Read Replica retains the backup window period.
- True.
- False.
- Amazon SNS.
- Amazon SES.
- Amazon SQS.
- Amazon FPS.
You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?
- Security Group Inbound Rule: Protocol – TCP, Port Range – 22, Source 72.34.51.100/32.
- Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32.
- Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32.
- Network ACL Inbound Rule: Protocol – TCP, Port Range – 22, Source 72.34.51.100/0.
- Attach the volume to an instance using EC2's SSL interface.
- Write the data randomly instead of sequentially.
- Encrypt the volume using the S3 server-side encryption service.
- Create an IAM policy that restricts read and write access to the volume.
- Use an encrypted file system on top of the EBS volume.
- Only for VPC based instances.
- Yes.
- No.
- Yes but only in certain cases.
- Yes.
- No.
Which services allow the customer to retain full administrative privileges of the underlying EC2 instances? (Choose 2 answers)
- Amazon Relational Database Service.
- Amazon Elastic MapReduce.
- Amazon ElastiCache.
- Amazon DynamoDB.
- AWS Elastic Beanstalk.
- REVIEW.
- DB INSTANCE DETAILS.
- MANAGEMENT OPTIONS.
- ADDITIONAL CONFIGURATION.
You are responsible for a legacy web application whose server environment is approaching end of life. You would like to migrate this application to AWS as quickly as possible, since the application environment currently has the following limitations. The VM's single 10GB VMDK is almost full. The virtual network interface still uses the 10Mbps driver, which leaves your 100Mbps WAN connection completely underutilized. It is currently running on a highly customized Windows VM within a VMware environment; you do not have the installation media. This is a mission critical application with an RTO (Recovery Time Objective) of 8 hours and an RPO (Recovery Point Objective) of 1 hour. How could you best migrate this application to AWS while meeting your business continuity requirements?
- Use the EC2 VM Import Connector for vCenter to import the VM into EC2.
- Use Import/Export to import the VM as an EBS snapshot and attach to EC2.
- Use S3 to create a backup of the VM and restore the data into EC2.
- Use the ec2-bundle-instance API to import an image of the VM into EC2.
You are setting up some EBS volumes for a customer who has requested a setup which includes a RAID (redundant array of inexpensive disks). AWS has some recommendations for RAID setups. Which RAID setup is not recommended for Amazon EBS?
- RAID 5 only.
- RAID 5 and RAID 6.
- RAID 1 only.
- RAID 1 and RAID 6.
Much of your company's data does not need to be accessed often, and can take several hours for retrieval time, so it's stored on Amazon Glacier. However someone within your organization has expressed concerns that his data is more sensitive than the other data, and is wondering whether the high level of encryption that he knows is on S3 is also used on the much cheaper Glacier service. Which of the following statements would be most applicable in regards to this concern?
- There is no encryption on Amazon Glacier, that's why it is cheaper.
- Amazon Glacier automatically encrypts the data using AES-128, a lesser encryption method than Amazon S3, but you can change it to AES-256 if you are willing to pay more.
- Amazon Glacier automatically encrypts the data using AES-256, the same as Amazon S3.
- Amazon Glacier automatically encrypts the data using AES-128, a lesser encryption method than Amazon S3.
- Only Oracle based RDS.
- No.
- Only with MSSQL based RDS.
- Yes for all RDS instances.
To ensure failover capabilities, consider using a [...] for incoming traffic on a network interface.
- primary public IP.
- secondary private IP.
- secondary public IP.
- add on secondary IP.
By default, EBS volumes that are created and attached to an instance at launch are deleted when that instance is terminated. You can modify this behavior by changing the value of the flag [...] to false when you launch the instance.
- Delete On Termination.
- Remove On Deletion.
- Remove On Termination.
- Terminate On Deletion.
- AWS Simple Queue Service.
- AWS Simple Notification Service.
- AWS Simple Workflow Service.
- AWS Simple Email Service.
- Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure transmission.
- Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access.
- Every packet sent in the AWS network uses Internet Protocol Security (IPsec).
- Customers may encrypt the input data before they upload it to Amazon S3.
- always.
- in some circumstances.
- never.
Is it possible to get a history of all EC2 API calls made on your account for security analysis and operational troubleshooting purposes?
- Yes, by default, the history of your API calls is logged.
- Yes, you should turn on the CloudTrail in the AWS console.
- No, you can only get a history of VPC API calls.
- No, you cannot store history of EC2 API calls on Amazon.
- Security, fault tolerance, high availability, and connectivity.
- Security, access control, high availability, and performance.
- Performance, cost optimization, security, and fault tolerance.
- Performance, cost optimization, access control, and connectivity.
An AWS customer runs a public blogging website. The site users upload two million blog entries a month. The average blog entry size is 200 KB. The access rate to blog entries drops to negligible 6 months after publication and users rarely access a blog entry 1 year after publication. Additionally, blog entries have a high update rate during the first 3 months following publication; this drops to no updates after 6 months. The customer wants to use CloudFront to improve his users' load times. Which of the following recommendations would you make to the customer?
- Duplicate entries into two different buckets and create two separate CloudFront distributions where S3 access is restricted only to CloudFront identity.
- Create a CloudFront distribution with 'US/Europe' price class for US/Europe users and a different CloudFront distribution with 'All Edge Locations' for the remaining users.
- Create a CloudFront distribution with S3 access restricted only to the CloudFront identity and partition the blog entry's location in S3 according to the month it was uploaded to be used with CloudFront behaviors.
- Create a CloudFront distribution with Restrict Viewer Access Forward Query string set to true and minimum TTL of 0.
Your supervisor has asked you to build a simple file synchronization service for your department. He doesn't want to spend too much money and he wants to be notified of any changes to files by email. What do you think would be the best Amazon service to use for the email solution?
- Amazon SES.
- Amazon CloudSearch.
- Amazon SWF.
- Amazon AppStream.
- They don't exist. The Amazon EC2 AMI tools, instead, are used to manage permissions.
- Command-line tools to the Amazon EC2 web service.
- They are a set of graphical tools to manage EC2 instances.
- They don't exist. The Amazon API tools are a client interface to Amazon Web Services.
Your customer wishes to deploy an enterprise application to AWS which will consist of several web servers, several application servers and a small (50GB) Oracle database. Information is stored both in the database and the file systems of the various servers. The backup system must support database recovery, whole server and whole disk restores, and individual file restores with a recovery time of no more than two hours. They have chosen to use RDS Oracle as the database. Which backup architecture will meet these requirements?
- Backup RDS using automated daily DB backups. Backup the EC2 instances using AMIs and supplement with file-level backup to S3 using traditional enterprise backup software to provide file-level restore.
- Backup RDS using a Multi-AZ Deployment. Backup the EC2 instances using AMIs, and supplement by copying file system data to S3 to provide file-level restore.
- Backup RDS using automated daily DB backups. Backup the EC2 instances using EBS snapshots and supplement with file-level backups to Amazon Glacier using traditional enterprise backup software to provide file-level restore.
- Backup RDS database to S3 using Oracle RMAN. Backup the EC2 instances using AMIs, and supplement with EBS snapshots for individual volume restore.
You are architecting a highly-scalable and reliable web application which will have a huge amount of content. You have decided to use CloudFront as you know it will speed up distribution of your static and dynamic web content and know that Amazon CloudFront integrates with Amazon CloudWatch metrics so that you can monitor your web application. Because you live in Sydney you have chosen the Asia Pacific (Sydney) region in the AWS console. However, you have set this up but no CloudFront metrics seem to be appearing in the CloudWatch console. What is the most likely reason from the possible choices below for this?
- Metrics for CloudWatch are available only when you choose the same region as the application you are monitoring.
- You need to pay for CloudWatch for it to become active.
- Metrics for CloudWatch are available only when you choose the US East (Virginia).
- Metrics for CloudWatch are not available for the Asia Pacific region as yet.
- Yes.
- No.
- desk.cpl.
- mstsc.
Which of the following cannot be used in Amazon EC2 to control who has access to specific Amazon EC2 instances?
- Security Groups.
- IAM System.
- SSH keys.
- Windows passwords.
What is the charge for the data transfer incurred in replicating data between your primary and standby?
- Same as the standard data transfer charge.
- Double the standard data transfer charge.
- No charge. It is free.
- Half of the standard data transfer charge.
You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer's DNS name. Which options are probable causes of this behavior? (Choose 2 answers)
- The load balancer was not configured to use a public subnet with an Internet gateway configured.
- The Amazon EC2 instances do not have a dynamically allocated private IP address.
- The security groups or network ACLs are not properly configured for web traffic.
- The load balancer is not configured in a private subnet with a NAT instance.
- The VPC does not have a VGW configured.
- Amazon Resource Number.
- Amazon Resource Nametag.
- Amazon Resource Name.
- Amazon Resource Namespace.
- BYOL and Enterprise License.
- BYOL and License Included.
- Enterprise License and License Included.
- Role based License and License Included.
- Security Group and ACL (Access Control List) settings.
- Decommissioning storage devices.
- Patch management on the EC2 instance's operating system.
- Life-cycle management of IAM credentials.
- Controlling physical access to compute resources.
- Encryption of EBS (Elastic Block Storage) volumes.
You have a web application running on six Amazon EC2 instances, consuming about 45% of resources on each instance. You are using auto-scaling to make sure that six instances are running at all times. The number of requests this application processes is consistent and does not experience spikes. The application is critical to your business and you want high availability at all times. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all instances. Which of the following architectural choices should you make?
- Deploy 6 EC2 instances in one Availability Zone and use Amazon Elastic Load Balancer.
- Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic Load Balancer.
- Deploy 3 EC2 instances in one Availability Zone and 3 in another Availability Zone and use Amazon Elastic Load Balancer.
- Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.
An ERP application is deployed across multiple AZs in a single region. In the event of failure, the Recovery Time Objective (RTO) must be less than 3 hours, and the Recovery Point Objective (RPO) must be 15 minutes. The customer realizes that data corruption occurred roughly 1.5 hours ago. What DR strategy could be used to achieve this RTO and RPO in the event of this kind of failure?
- Take hourly DB backups to S3, with transaction logs stored in S3 every 5 minutes.
- Use synchronous database master-slave replication between two Availability Zones.
- Take hourly DB backups to EC2 Instance store volumes with transaction logs stored in S3 every 5 minutes.
- Take 15 minute DB backups stored in Glacier with transaction logs stored in S3 every 5 minutes.
You have been setting up an Amazon Virtual Private Cloud (Amazon VPC) for your company, including setting up subnets. Security is a concern, and you are not sure which is the best security practice for securing subnets in your VPC. Which statement below is correct in describing the protection of AWS resources in each subnet?
- You can use multiple layers of security, including security groups and network access control lists (ACL).
- You can only use access control lists (ACL).
- You don't need any security in subnets.
- You can use multiple layers of security, including security groups, network access control lists (ACL) and CloudHSM.
Amazon EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud-based applications. What is the monthly charge for using the public data sets?
- A 1 time charge of 10$ for all the datasets.
- 1$ per dataset per month.
- 10$ per month for all the datasets.
- There is no charge for using the public data sets.
[...] embodies the 'share-nothing' architecture and essentially involves breaking a large database into several smaller databases. Common ways to split a database include: 1. Splitting tables that are not joined in the same query onto different hosts or 2. Duplicating a table across multiple hosts and then using a hashing algorithm to determine which host receives a given update.
- Sharding.
- Failure recovery.
- Federation.
- DDL operations.
After deploying a new website for a client on AWS, he asks if you can set it up so that if it fails it can be automatically redirected to a backup website that he has stored on a dedicated server elsewhere. You are wondering whether Amazon Route 53 can do this. Which statement below is correct in regards to Amazon Route 53?
- Amazon Route 53 can't help detect an outage. You need to use another service.
- Amazon Route 53 can help detect an outage of your website and redirect your end users to alternate locations.
- Amazon Route 53 can help detect an outage of your website but can't redirect your end users to alternate locations.
- Amazon Route 53 can't help detect an outage of your website, but can redirect your end users to alternate locations.
Your company plans to host a large donation website on Amazon Web Services (AWS). You anticipate a large and undetermined amount of traffic that will create many database writes. To be certain that you do not drop any writes to a database hosted on AWS, which service should you use?
- Amazon RDS with provisioned IOPS up to the anticipated peak write throughput.
- Amazon Simple Queue Service (SQS) for capturing the writes and draining the queue to write to the database.
- Amazon ElastiCache to store the writes until the writes are committed to the database.
- Amazon DynamoDB with provisioned write throughput up to the anticipated peak write throughput.
You have set up an Auto Scaling group. The cool down period for the Auto Scaling group is 7 minutes. The first instance is launched after 3 minutes, while the second instance is launched after 4 minutes. How many minutes after the first instance is launched will Auto Scaling accept another scaling activity request?
- 11 minutes.
- 7 minutes.
- 10 minutes.
- 14 minutes.
You are migrating a legacy client-server application to AWS. The application responds to a specific DNS domain (e.g. <www.example.com>) and has a 2-tier architecture, with multiple application servers and a database server. Remote clients use TCP to connect to the application servers. The application servers need to know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket. A Multi-AZ RDS MySQL instance will be used for the database. During the migration you can change the application code, but you have to file a change request. How would you implement the architecture on AWS in order to maximize scalability and high availability?
- File a change request to implement Alias Resource support in the application. Use Route 53 Alias Resource Record to distribute load on two application servers in different AZs.
- File a change request to implement Latency Based Routing support in the application. Use Route 53 with Latency Based Routing enabled to distribute load on two application servers in different AZs.
- File a change request to implement Cross-Zone support in the application. Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs.
- File a change request to implement Proxy Protocol support in the application. Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two application servers in different AZs.
- Yes.
- No.
- Only in VPC.
Your system recently experienced downtime during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances. Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to: Launch, start, stop, and terminate development resources. Launch and start production instances.
- Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection.
- Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources.
- Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances.
- Create an IAM user and apply an IAM role which prevents users from terminating production EC2 instances.
You have just set up a large site for a client which involved a huge database which you set up with Amazon RDS to run as a Multi-AZ deployment. You now start to worry about what will happen if the database instance fails. Which statement best describes how this database will function if there is a database failure?
- Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.
- Your database will not resume operation without manual administrative intervention.
- Updates to your DB Instance are asynchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.
- Updates to your DB Instance are synchronously replicated across S3 to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.
Your company has an on-premises multi-tier PHP web application, which recently experienced downtime due to a large burst in web traffic due to a company announcement. Over the coming days, you are expecting similar announcements to drive similar unpredictable bursts, and are looking to find ways to quickly improve your infrastructure's ability to handle unexpected increases in traffic. The application currently consists of 2 tiers: a web tier which consists of a load balancer and several Linux Apache web servers, as well as a database tier which hosts a Linux server hosting a MySQL database. Which scenario below will provide full site functionality, while helping to improve the ability of your application in the short timeframe required?
- Failover environment: Create an S3 bucket and configure it for website hosting. Migrate your DNS to Route 53 using zone file import, and leverage Route 53 DNS failover to failover to the S3 hosted website.
- Hybrid environment: Create an AMI, which can be used to launch web servers in EC2. Create an Auto Scaling group, which uses the AMI to scale the web tier based on incoming traffic. Leverage Elastic Load Balancing to balance traffic between on-premises web servers and those hosted in AWS.
- Offload traffic from on-premises environment: Setup a CloudFront distribution, and configure CloudFront to cache objects from a custom origin. Choose to customize your object cache behavior, and select a TTL that objects should exist in cache.
- Migrate to AWS: Use VM Import/Export to quickly convert an on-premises web server to an AMI. Create an Auto Scaling group, which uses the imported AMI to scale the web tier based on incoming traffic. Create an RDS read replica and setup replication between the RDS instance and on-premises MySQL server to migrate the database.
- Paying account and Linked account.
- Parent account and Child account.
- Main account and Sub account.
- Main account and Secondary account.
You have a periodic image analysis application that gets some files in input, analyzes them and for each file writes some data in output to a text file. The number of files in input per day is high and concentrated in a few hours of the day. Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results. It takes almost 20 hours per day to complete the process. What services could be used to reduce the elaboration time and improve the availability of the solution?
- Amazon S3 to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue.
- EBS with Provisioned IOPS (PIOPS) to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications.
- Amazon S3 to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications.
- EBS with Provisioned IOPS (PIOPS) to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue.
While controlling access to Amazon EC2 resources, which of the following acts as a firewall that controls the traffic allowed to reach one or more instances?
- A security group.
- An instance type.
- A storage cluster.
- An object.
- http://254.169.169.254/latest/.
- http://169.169.254.254/latest/.
- http://127.0.0.1/latest/.
- http://169.254.169.254/latest/.
While using the EC2 GET requests as URLs, the [...] is the URL that serves as the entry point for the web service.
- token.
- endpoint.
- action.
- None of these.
A user is planning to launch a scalable web application. Which of the below mentioned options will not affect the latency of the application?
- Region.
- Provisioned IOPS.
- Availability Zone.
- Instance size.
Your firm has uploaded a large amount of aerial image data to S3. In the past, in your on-premises environment, you used a dedicated group of servers to batch process this data and used RabbitMQ, an open source messaging system, to get job information to the servers. Once processed, the data would go to tape and be shipped offsite. Your manager told you to stay with the current design, and leverage AWS archival storage and messaging services to minimize cost. Which is correct?
- Use SQS for passing job messages, use CloudWatch alarms to terminate EC2 worker instances when they become idle. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
- Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
- Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Glacier.
- Use SNS to pass job messages, use CloudWatch alarms to terminate spot worker instances when they become idle. Once data is processed, change the storage class of the S3 object to Glacier.
A user has launched 10 EC2 instances inside a placement group. Which of the below mentioned statements is true with respect to the placement group?
- All instances must be in the same AZ.
- All instances can be across multiple regions.
- The placement group cannot have more than 5 instances.
- All instances must be in the same region.
A user has created a CloudFormation stack. The stack creates AWS services, such as EC2 instances, ELB, AutoScaling, and RDS. While creating the stack it created EC2, ELB and AutoScaling but failed to create RDS. What will CloudFormation do in this scenario?
- Rollback all the changes and terminate all the created services.
- It will wait for the user's input about the error and correct the mistake after the input.
- CloudFormation can never throw an error after launching a few services since it verifies all the steps before launching.
- It will warn the user about the error and ask the user to manually create RDS.
You have been asked to design the storage layer for an application. The application requires disk performance of at least 100,000 IOPS. In addition, the storage layer must be able to survive the loss of an individual disk, EC2 instance, or Availability Zone without any data loss. The volume you provide must have a capacity of at least 3 TB. Which of the following designs will meet these objectives?
- Instantiate a c3.8xlarge instance in us-east-1. Provision 4x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 5 volume. Ensure that EBS snapshots are performed every 15 minutes.
- Instantiate a c3.8xlarge instance in us-east-1. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 0 volume. Ensure that EBS snapshots are performed every 15 minutes.
- Instantiate an i2.8xlarge instance in us-east-1a. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a second RAID 0 volume. Configure synchronous, block-level replication from the ephemeral-backed volume to the EBS-backed volume.
- Instantiate a c3.8xlarge instance in us-east-1. Provision an AWS Storage Gateway and configure it for 3 TB of storage and 100,000 IOPS. Attach the volume to the instance.
- Instantiate an i2.8xlarge instance in us-east-1a. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance. Configure synchronous, block-level replication to an identically configured instance in us-east-1b.
A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? (Choose 2 answers)
- AWS Directory Service AD Connector.
- AWS Directory Service Simple AD.
- AWS Identity and Access Management groups.
- AWS Identity and Access Management roles.
- AWS Identity and Access Management users.
Your startup wants to implement an order fulfillment process for selling a personalized gadget that needs an average of 3-4 days to produce, with some orders taking up to 6 months. You expect 10 orders per day on your first day, 1000 orders per day after 6 months and 10,000 orders after 12 months. Orders coming in are checked for consistency, then dispatched to your manufacturing plant for production, quality control, packaging, shipment and payment processing. If the product does not meet the quality standards at any stage of the process, employees may force the process to repeat a step. Customers are notified via email about order status and any critical issues with their orders, such as payment failure. Your base architecture includes AWS Elastic Beanstalk for your website with an RDS MySQL instance for customer data and orders. How can you implement the order fulfillment process while making sure that the emails are delivered reliably?
- Add a business process management application to your Elastic Beanstalk app servers and re-use the RDS database for tracking order status. Use one of the Elastic Beanstalk instances to send emails to customers.
- Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use the decider instance to send emails to customers.
- Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use SES to send emails to customers.
- Use an SQS queue to manage all process tasks. Use an Auto Scaling group of EC2 instances that poll the tasks and execute them. Use SES to send emails to customers.
- user.
- AWS Account.
- group.
- role.
A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40. Which one is a secure way to configure that the instance can be accessed only from this IP?
- In the security group, open port 22 for IP 10.20.30.40.
- In the security group, open port 22 for IP 10.20.30.40/32.
- In the security group, open port 22 for IP 10.20.30.40/24.
- In the security group, open port 22 for IP 10.20.30.40/0.
Read Replicas require a transactional storage engine and are only supported for the [...] storage engine.
- OracleISAM.
- MSSQLDB.
- InnoDB.
- MyISAM.
- You mean Amazon 'Iceberg': it's a low-cost storage service.
- A security tool that allows to 'freeze' an EBS volume and perform computer forensics on it.
- A low-cost storage service that provides secure and durable storage for data archiving and backup.
- It's a security tool that allows to 'freeze' an EC2 instance and perform computer forensics on it.
You have a content management system running on an Amazon EC2 instance that is approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?
- Create a load balancer, and register the Amazon EC2 instance with it.
- Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin.
- Create an Auto Scaling group from the instance using the Create AutoScaling Group action.
- Create a launch configuration from the instance using the Create launch Configuration action.
- Only in certain regions.
- Only in VPC.
- Yes.
- No.
When controlling access to Amazon EC2 resources, each Amazon EBS Snapshot has a [...] attribute that controls which AWS accounts can use the snapshot.
- createVolumePermission.
- LaunchPermission.
- SharePermission.
- RequestPermission.
You have decided to change the instance type for instances running in your application tier that is using Auto Scaling. In which area below would you change the instance type definition?
- Auto Scaling policy.
- Auto Scaling group.
- Auto Scaling tags.
- Auto Scaling launch configuration.
- The launch configuration can be created only using the Query APIs.
- Auto Scaling automatically creates a launch configuration directly from an EC2 instance.
- A user should manually create a launch configuration before creating an Auto Scaling group.
- The launch configuration should be created manually from the AWS CLI.
Your company has multiple IT departments, each with their own VPC. Some VPCs are located within the same AWS account, and others in a different AWS account. You want to peer together all VPCs to enable the IT departments to have full access to each others' resources. There are certain limitations placed on VPC peering. Which of the following statements is incorrect in relation to VPC peering?
- Private DNS values cannot be resolved between instances in peered VPCs.
- You can have up to 3 VPC peering connections between the same two VPCs at the same time.
- You cannot create a VPC peering connection between VPCs in different regions.
- You have a limit on the number of active and pending VPC peering connections that you can have per VPC.
A gaming company comes to you and asks you to build them infrastructure for their site. They are not sure how big they will be; as with all start-ups, they have limited money and big ideas. What they do tell you is that if the game becomes successful, like one of their previous games, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. After considering all of this, you decide that they need a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Which of the following databases do you think would best fit their needs?
- Amazon DynamoDB.
- Amazon Redshift.
- Any non-relational database.
- Amazon SimpleDB.
- security group.
- ACL.
- IAM.
- private IP Addresses.
Your manager has just given you access to multiple VPN connections that someone else has recently set up between all your company's offices. She needs you to make sure that the communication between the VPNs is secure. Which of the following services would be best for providing a low-cost hub-and-spoke model for primary or backup connectivity between these remote offices?
- Amazon CloudFront.
- AWS Direct Connect.
- AWS CloudHSM.
- AWS VPN CloudHub.
You need to create a management network using network interfaces for a virtual private cloud (VPC) network. Which of the following statements is incorrect pertaining to Best Practices for Configuring Network Interfaces?
- You can detach secondary (ethN) network interfaces when the instance is running or stopped. However, you can't detach the primary (eth0) interface.
- Launching an instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the instance.
- You can attach a network interface in one subnet to an instance in another subnet in the same VPC, however, both the network interface and the instance must reside in the same Availability Zone.
- Attaching another network interface to an instance is a valid method to increase or double the network bandwidth to or from the dual-homed instance.
A user has launched 10 EC2 instances inside a placement group. Which of the following statements is true in regards to what ability launching your instances into a VPC instead of EC2-Classic gives you?
- All of the things listed here.
- Change security group membership for your instances while they're running.
- Assign static private IP addresses to your instances that persist across starts and stops.
- Define network interfaces, and attach one or more network interfaces to your instances.
In the HQ region you run an hourly batch process reading data from every region to compute cross-regional reports that are sent by email to all offices. This batch process must be completed as fast as possible to quickly optimize logistics. How do you build the database architecture in order to meet the requirements?
- For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region.
- For each regional deployment, use MySQL on EC2 with a master in the region and send hourly EBS snapshots to the HQ region.
- For each regional deployment, use RDS MySQL with a master in the region and send hourly RDS snapshots to the HQ region.
- For each regional deployment, use MySQL on EC2 with a master in the region and use S3 to copy data files hourly to the HQ region.
- Use Direct Connect to connect all regional MySQL deployments to the HQ region and reduce network latency for the batch process.
What is the average IOPS that the user will get for most of the year as per EC2 SLA if the instance is attached to the EBS optimized instance?
- 950.
- 990.
- 1000.
- 900.
You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier?
- Amazon Glacier multipart upload.
- AWS Storage Gateway.
- VM Import/Export.
- AWS Import/Export.
Your manager has asked you to set up a public subnet with instances that can send and receive internet traffic, and a private subnet that can't receive traffic directly from the internet, but can initiate traffic to the internet (and receive responses) through a NAT instance in the public subnet. Hence, the following 3 rules need to be allowed: Inbound SSH traffic. Web servers in the public subnet to read and write to MS SQL servers in the private subnet. Inbound RDP traffic from the Microsoft Terminal Services gateway in the public private subnet. What are the respective ports that need to be opened for this?
- Ports 22, 1433, 3389.
- Ports 21, 1433, 3389.
- Ports 25, 1433, 3389.
- Ports 22, 1343, 3999.
An EC2 instance is connected to an ENI (Elastic Network Interface) in one subnet. What happens to the data on an instance if the instance reboots (intentionally or unintentionally)?
- Data will be lost.
- Data persists.
- Key pairs.
- Elastic IP addresses.
- Placement groups.
- Amazon EBS snapshots.
Without [...] you must either create multiple AWS accounts-each with its own billing and subscriptions to AWS products-or your employees must share the security credentials of a single AWS account.
- Amazon RDS.
- Amazon Glacier.
- Amazon EMR.
- Amazon IAM.
An EC2 instance is connected to an ENI (Elastic Network Interface) in one subnet. What happens when you attach an ENI of a different subnet to this EC2 instance?
- The EC2 instance follows the rules of the older subnet.
- The EC2 instance follows the rules of both the subnets.
- Not possible, cannot be connected to 2 ENIs.
- The EC2 instance follows the rules of the newer subnet.
You have deployed a three-tier web application in a VPC with a CIDR block of 10.0.0.0/28. You initially deploy two web servers, two application servers, two database servers and one NAT instance for a total of seven EC2 instances. The web, application and database servers are deployed across two Availability Zones (AZs). You also deploy an ELB in front of the two web servers, and use Route 53 for DNS. Web traffic gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load. Unfortunately, some of these new instances fail to launch. Which of the following could be the root cause? (Choose 2 answers)
- AWS reserves the first and the last private IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.
- The Internet Gateway (IGW) of your VPC has scaled-up, adding more instances to handle the traffic spike, reducing the number of available private IP addresses for new instance launches.
- The ELB has scaled-up, adding more instances to handle the traffic spike, reducing the number of available private IP addresses for new instance launches.
- AWS reserves one IP address in each subnet's CIDR block for Route 53 so you do not have enough addresses left to launch all of the new EC2 instances.
- AWS reserves the first four and the last IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.
- You change storage type from standard to PIOPS, and Apply Immediately is set to true.
- You change the DB instance class, and Apply Immediately is set to false.
- You change a static parameter in a DB parameter group.
- You change the backup retention period for a DB instance from 0 to a nonzero value or from a nonzero value to 0, and Apply Immediately is set to false.
- Asynchronously.
- Synchronously.
You are tasked with moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately, this app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse, there's no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? (Choose 3 answers)
- An AWS Direct Connect link between the VPC and the network housing the internal services.
- An Internet Gateway to allow a VPN connection.
- An Elastic IP address on the VPC instance.
- An IP address space that does not conflict with the one on-premises.
- Entries in Amazon Route 53 that allow the instance to resolve its dependencies' IP addresses.
- A VM Import of the current virtual machine.
A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?
- Create a new IAM role and associated policies within the new region.
- Assign the existing IAM role to the Amazon EC2 instances in the new region.
- Copy the IAM role and associated policies to the new region and attach it to the instances.
- Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature.
If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should:
- Launch the instance from a private Amazon Machine Image (AMI).
- Assign a group of sequential Elastic IP addresses to the instances.
- Launch the instances in the Amazon Virtual Private Cloud (VPC).
- Launch the instances in a Placement Group.
- Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already.
When automatic failover occurs, Amazon RDS will emit a DB Instance event to inform you that automatic failover occurred. You can use the [...] to return information about events related to your DB Instance.
- FetchFailure.
- DescriveFailure.
- DescribeEvents.
- FetchEvents.
You have a Business support plan with AWS. One of your EC2 instances is running Microsoft Windows Server 2008 R2 and you are having problems with the software. Can you receive support from AWS for this software?
- Yes.
- No, AWS does not support any third-party software.
- No, Microsoft Windows Server 2008 R2 is not supported.
- No, you need to be on the enterprise support plan.
A newspaper organization has an on-premises application which allows the public to search its back catalogue and retrieve individual newspaper pages via a website written in Java. They have scanned the old newspapers into JPEGs (approx 17TB) and used Optical Character Recognition (OCR) to populate a commercial search product. The hosting platform and software are now end of life and the organization wants to migrate its archive to AWS and produce a cost-efficient architecture that is still designed for availability and durability. Which is the most appropriate?
- Use S3 with reduced redundancy to store and serve the scanned files, install the commercial search application on EC2 instances and configure with auto-scaling and an Elastic Load Balancer.
- Model the environment using CloudFormation, use an EC2 instance running Apache webserver and an open source search application, stripe multiple standard EBS volumes together to store the JPEGs and search index.
- Use S3 with standard redundancy to store and serve the sca