@sherrytp
Last active December 23, 2024 16:14
AWS Cloud Practitioner Collected Questions
  1. The ability to horizontally scale Amazon EC2 instances based on demand is an example of which concept? A. Economy of Scale B. Elasticity C. High availability D. Agility

  2. A company requires a dashboard for reporting when using a business intelligence solution. Which AWS service can a Cloud Practitioner use? A. Amazon Redshift B. Amazon Kinesis C. Amazon Athena D. Amazon QuickSight

  3. A Cloud Practitioner is re-architecting a monolithic application. Which design principles for cloud architecture does AWS recommend? (Select TWO.) A. Implement manual scalability. B. Implement loose coupling. C. Use self-managed servers. D. Rely on individual components. E. Design for scalability.

  4. According to the shared responsibility model, which security-related task is the responsibility of the customer? A. Maintaining server-side encryption. B. Securing servers and racks at AWS data centers. C. Maintaining firewall configurations at a hardware level. D. Maintaining physical networking configuration.

The correct answer is A. Under the shared responsibility model the customer is responsible for security in the cloud, which includes deciding on and configuring client-side and server-side encryption for their data (and managing the keys). Options B, C and D are physical and hardware-level controls that fall under AWS's responsibility for security of the cloud, as the AWS shared responsibility model diagram shows.

  1. Which AWS service or feature can be used to restrict the individual API actions that users and roles in each member account can access? A. Amazon Macie B. AWS Organizations C. AWS Shield D. AWS IAM

The correct answer is B, AWS Organizations. AWS Organizations offers service control policies (SCPs), a type of organization policy used to manage permissions across an organization. SCPs set the maximum available permissions (API actions) for every IAM user and role in the member accounts they apply to, which keeps accounts within the organization's access control guidelines. Two caveats matter in practice: an SCP never grants permissions on its own (a principal still needs an IAM policy that allows the action), and SCPs do not restrict the management account. SCPs are available only in an organization that has all features enabled. IAM (option D) controls permissions within a single account, not centrally across member accounts.

  1. A company needs protection from distributed denial of service (DDoS) attacks on its website and assistance from AWS experts during such events. Which AWS managed service will meet these requirements? A. AWS Shield Advanced B. AWS Firewall Manager C. AWS Web Application Firewall D. Amazon GuardDuty

The correct answer is A. AWS Shield Advanced provides enhanced DDoS detection and mitigation and gives customers on the Business or Enterprise Support plan access to the AWS DDoS Response Team (DRT, now called the Shield Response Team), which is available 24/7 and can be engaged before, during, or after a DDoS attack. AWS Firewall Manager centrally manages AWS WAF rules, Shield Advanced protections, and Amazon VPC security groups across accounts; it does not provide DDoS response itself. AWS WAF filters HTTP/HTTPS requests to protect web applications and APIs (its rate-based rules help against layer 7 floods) but comes with no expert assistance. Amazon GuardDuty continuously monitors account activity and logs for threats and anomalous behaviour using machine learning; it is a threat detection service, not a DDoS protection service.

  1. A company needs to publish messages to thousands of subscribers simultaneously using a push mechanism. Which AWS service should the company use? A. AWS Step Functions B. Amazon Simple Workflow Service (SWF) C. Amazon Simple Notification Service (Amazon SNS) D. Amazon Simple Queue Service (SQS)

  2. How can a company separate costs for storage, Amazon EC2, Amazon S3, and other AWS services by department? A. Add department-specific tags to each resource B. Create a separate VPC for each department C. Create a separate AWS account for each department D. Use AWS Organizations

The correct answer is A. A tag is a label that you or AWS assigns to an AWS resource. Each tag consists of a key and a value; for each resource, each tag key must be unique and can have only one value. You can use tags to organize your resources, and cost allocation tags to track your AWS costs at a detailed level. After you activate cost allocation tags, AWS uses them to organize your resource costs on your cost allocation report, making it easier to categorize and track your AWS costs. AWS provides two types of cost allocation tags: AWS-generated tags, which AWS defines, creates, and applies for you, and user-defined tags, which you define, create, and apply. You must activate both types separately before they appear in Cost Explorer or on a cost allocation report. Tag keys and values are case-sensitive, so agree on a spelling convention (and enforce it with a tag policy) before activating them, or the same department shows up under several names.
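How the per-department roll-up actually looks once the tag is activated, as an added example that is not part of the original gist: the rows below are constructed to resemble a few lines of an AWS Cost and Usage Report in which `Department` has been activated as a user-defined cost allocation tag (it then appears as the column `resourceTags/user:Department`; the resource IDs and amounts are made up). Besides the per-department totals it surfaces the two things a practitioner chases first, untagged spend and inconsistent tag spellings.

```python
"""Group cost-and-usage line items by a user-defined cost allocation tag.

Added example, not from the original gist. The line items below are
constructed (not real billing data) in the shape of an AWS Cost and Usage
Report after the tag key `Department` was activated as a cost allocation
tag; real reports are large CSV files, the logic is the same.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

TAG_COLUMN = "resourceTags/user:Department"  # activated user-defined tag
UNTAGGED = "(untagged)"

# Constructed sample rows (hypothetical resource IDs and costs).
SAMPLE_CUR = """\
lineItem/ProductCode,lineItem/ResourceId,resourceTags/user:Department,lineItem/UnblendedCost
AmazonEC2,i-0a1b2c3d4e5f60001,Finance,12.50
AmazonEC2,i-0a1b2c3d4e5f60002,Engineering,40.00
AmazonS3,finance-reports-bucket,Finance,3.25
AmazonS3,shared-artifacts-bucket,,8.10
AmazonRDS,db-finance-prod,finance,15.00
AWSLambda,report-builder,Engineering,0.75
"""


def normalize_tag(value: str) -> str:
    """Tag values are case-sensitive in AWS, so 'Finance' and 'finance' would
    be reported as two departments. Normalise for the roll-up; the mismatch
    itself is reported by find_inconsistent_tags()."""
    value = (value or "").strip()
    return value.lower() if value else UNTAGGED


def cost_by_department(cur_csv: str) -> dict[str, Decimal]:
    """Sum unblended cost per department; untagged spend gets its own bucket."""
    totals: dict[str, Decimal] = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(cur_csv)):
        dept = normalize_tag(row.get(TAG_COLUMN, ""))
        totals[dept] += Decimal(row["lineItem/UnblendedCost"])
    return dict(totals)


def untagged_resources(cur_csv: str) -> list[str]:
    """Resource IDs carrying no Department tag: their cost cannot be attributed."""
    return [
        row["lineItem/ResourceId"]
        for row in csv.DictReader(io.StringIO(cur_csv))
        if normalize_tag(row.get(TAG_COLUMN, "")) == UNTAGGED
    ]


def find_inconsistent_tags(cur_csv: str) -> dict[str, set[str]]:
    """Map each normalised department to the raw spellings seen, keeping only
    departments that appear under more than one spelling."""
    seen: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(cur_csv)):
        raw = (row.get(TAG_COLUMN) or "").strip()
        if raw:
            seen[raw.lower()].add(raw)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for dept, cost in sorted(cost_by_department(SAMPLE_CUR).items()):
        print(f"{dept:<14} {cost:>8}")
    print("untagged:", untagged_resources(SAMPLE_CUR))
    print("inconsistent spellings:", find_inconsistent_tags(SAMPLE_CUR))
```

Costs are kept as `Decimal` rather than floats so the totals match the report to the cent; the untagged bucket is what a tagging policy (or an SCP that denies `ec2:RunInstances` without a `Department` tag) is meant to drive to zero.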

  1. Which AWS Support plan provides access to architectural and operational reviews, as well as 24/7 access to Cloud Support Engineers through email, online chat, and phone? A. Basic B. Business C. Developer D. Enterprise

  2. A manager is planning to migrate applications to the AWS Cloud and needs to obtain AWS compliance reports. How can these reports be generated?

A. Download the reports from AWS Secrets Manager. B. Contact the AWS Compliance team. C. Create a support ticket with AWS Support. D. Download the reports from AWS Artifact.

The correct answer is D, download the reports from AWS Artifact. AWS Artifact is the central resource for compliance-related information. It provides on-demand access to AWS security and compliance reports and select online agreements.

Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

  1. A Cloud Practitioner requires point-in-time recovery (PITR) for an Amazon DynamoDB table. Who is responsible for configuring and performing backups?

The answer is B: the customer is responsible for configuring PITR and AWS is responsible for performing the backups. Point-in-time recovery provides continuous backups of DynamoDB table data. It is disabled by default; once the customer enables it, DynamoDB maintains incremental backups for the preceding 35 days until PITR is explicitly turned off, and the table can be restored to any second within that window. The customer's responsibility is to turn PITR on (and to run a restore when needed); AWS performs the backups.

  1. A user has an AWS account with a Business-level AWS Support plan and needs assistance with handling a production service disruption. Which action should the user take? A. Contact the dedicated Technical Account Manager B. Contact the dedicated AWS Concierge Support Team C. Open a business-critical system down support case D. Open a production system down support case

The correct answer is D, open a production system down support case. The Business Support plan provides a response time of < 1 hour for production system down cases. A dedicated Technical Account Manager (TAM), the Concierge Support Team, and the business-critical system down severity (< 15 minutes) are available only with the Enterprise Support plan, so options A, B and C do not apply to this account.

  1. AWS is able to continue to reduce its pricing due to: A. Pay-as-you-go pricing B. The AWS global infrastructure C. Economies of scale D. Reserved Instance pricing

The correct answer is C, economies of scale. By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.

  1. Which of the following is an advantage for a company running workloads in the AWS Cloud vs on-premises? (Select TWO.) A. Less staff time is required to launch new workloads. B. Increased time to market for new application features. C. Higher acquisition costs to support elastic workloads. D. Lower overall utilization of server and storage systems. E. Increased productivity for application development teams.

  2. Under the AWS shared responsibility model, which of the following is an example of security in the AWS Cloud? A. Managing edge locations B. Physical security C. Firewall configuration D. Global infrastructure

  3. Which of the following statements is correct about Amazon S3 cross-region replication? A. Both source and destination S3 buckets must have versioning disabled B. The source and destination S3 buckets cannot be in different AWS Regions C. S3 buckets configured for cross-region replication can be owned by a single AWS account or by different accounts D. The source S3 bucket owner must have the source and destination AWS Regions disabled for their account

  4. Which tasks can a user complete using the AWS Cost Management tools? A. Delete all of your AWS resources with a single click. B. Create budgets and receive notifications if current or forecasted usage exceeds the budgets. C. Launch either EC2 Spot Instances or On-Demand Instances based on the current pricing. D. Move data stored in Amazon S3 Standard to an archiving storage class to reduce cost. - ==S3 lifecycle management, not a Cost Management tool==

  5. A company has a website that delivers static content from an Amazon S3 bucket to users from around the world. Which AWS service will deliver the content with low latency? A. AWS Lambda B. Amazon CloudFront C. AWS Elastic Beanstalk D. AWS Global Accelerator

==Amazon CloudFront is a content delivery network (CDN) and can use an Amazon S3 bucket configured as a static website as the origin for the content it caches globally. CloudFront reduces latency for global users by serving the requested content from an edge location near them.==

  1. A cloud practitioner needs to migrate 70 TB of data from an on-premises data center into the AWS Cloud. The company has a slow and unreliable internet connection. Which AWS service can the cloud practitioner leverage to transfer the data? A. Amazon S3 Glacier B. AWS Snowball C. AWS Storage Gateway D. AWS DataSync

  2. Which AWS services can be used as infrastructure automation tools? (Select TWO.) A. AWS CloudFormation B. Amazon CloudFront C. AWS Batch D. AWS OpsWorks E. Amazon QuickSight

AWS CloudFormation provides a common language for you to model and provision AWS and third-party application resources in your cloud environment. AWS CloudFormation allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all Regions and accounts.

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

Question 1: What advantages does a database administrator obtain by using the Amazon Relational Database Service (RDS)?

A. RDS provides 99.99999999999% reliability and durability
B. RDS databases automatically scale based on load
C. RDS enables users to dynamically adjust CPU and RAM resources
D. RDS simplifies relational database administration tasks

The correct answer is D. “RDS simplifies relational database administration tasks”.

Explanation:

Amazon RDS is a managed relational database service on which you can run several types of database software. The service is managed so this reduces the database administration tasks an administrator would normally undertake. The managed service includes hardware provisioning, database setup, patching and backups.

A. “RDS provides 99.99999999999% reliability and durability” is incorrect. Amazon RDS makes no such claim; that style of eleven-nines durability figure belongs to Amazon S3.

B. “RDS databases automatically scale based on load” is incorrect. Storage autoscaling is available, but compute capacity is changed by modifying the DB instance class, which is a manual (or scripted) change rather than automatic scaling in response to load.

C. “RDS enables users to dynamically adjust CPU and RAM resources” is incorrect. You cannot adjust CPU and RAM dynamically, you must change the instance type and reboot the database instance.

References:

https://aws.amazon.com/rds/

https://digitalcloud.training/aws-database-services/

Question 2: A large company is interested in avoiding long-term contracts and moving from fixed costs to variable costs. What is the value proposition of AWS for this company?

A. Economies of scale
B. Pay-as-you-go pricing
C. Volume pricing discounts
D. Automated cost optimization

The correct answer is B. “Pay-as-you-go pricing”.

Explanation:

Pay-as-you-go pricing helps companies move away from fixed costs to variable costs in a model in which they only pay for what they actually use. There are no fixed term contracts with AWS so that requirement is also met.

A. “Economies of scale” is incorrect. You do get good pricing because of the economies of scale leveraged by AWS. However, the value proposition for companies wishing to avoid fixed costs is pay-as-you-go pricing. This flexibility can be more important in some cases than the actual cost per unit.

C. “Volume pricing discounts” is incorrect. This is not the value proposition for this company as they are seeking to avoid long-term contracts and fixed costs, not to achieve a discount.

D. “Automated cost optimization” is incorrect. This is not a feature that relates to the value proposition for this customer.

References:

https://aws.amazon.com/pricing/

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-billing-and-pricing/

Question 3: A customer needs to determine Total Cost of Ownership (TCO) for a workload that requires physical isolation. Which hosting model should be used?

A. Dedicated Hosts
B. Reserved Instances
C. On-Demand Instances
D. Spot Instances

The correct answer is A. “Dedicated Hosts”.

Explanation:

==An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use.== Dedicated Hosts allow you to use your existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and Linux Enterprise Server.

Note that Dedicated Hosts can be considered a “hosting model” because they determine the actual underlying infrastructure used to run your workload. All of the other answers are simply pricing options for instances on shared hardware.

B. “Reserved Instances” is incorrect as this pricing model does not support physical isolation.

C. “On-Demand Instances” is incorrect as this pricing model does not support physical isolation.

D. “Spot Instances” is incorrect as this pricing model does not support physical isolation.

References:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-compute/

Question 4: Which design principles are enabled by the AWS Cloud to improve the operation of workloads? (Select TWO)

A. Minimize platform design
B. Loose coupling
C. Customized hardware
D. Remove single points of failure
E. Minimum viable product

The correct answer is B. “Loose coupling” and D. “Remove single points of failure”.

Explanation:

==Loose coupling is when you break systems down into smaller components that are loosely coupled together. This reduces interdependencies between system components. It is achieved in the cloud using message buses and notification and messaging services (for example Amazon SQS and Amazon SNS).==

Removing single points of failure ensures fault tolerance and high availability. This is easily achieved in the cloud as the architecture and features of the cloud support the implementation of highly available and fault tolerant systems.

A. “Minimize platform design” is incorrect. This is not an operational advantage for workloads in the cloud.

C. “Customized hardware” is incorrect. You cannot customize hardware in the cloud.

E. “Minimum viable product” is incorrect. This is not an operational advantage for workloads in the cloud.

References:

https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/architecting-for-the-cloud/

Question 5: A user is planning to launch three EC2 instances behind a single Elastic Load Balancer. The deployment should be highly available.

A. Launch the instances across multiple Availability Zones in a single AWS Region.
B. Launch the instances as EC2 Spot Instances in the same AWS Region and the same Availability Zone.
C. Launch the instances in multiple AWS Regions, and use Elastic IP addresses.
D. Launch the instances as EC2 Reserved Instances in the same AWS Region, but in different Availability Zones.

The correct answer is A. “Launch the instances across multiple Availability Zones in a single AWS Region.”

Explanation:

To make the deployment highly available the user should launch the instances across multiple Availability Zones in a single AWS Region. Elastic Load Balancers can only serve targets in a single Region so it is not possible to deploy across Regions.

B. “Launch the instances as EC2 Spot Instances in the same AWS Region and the same Availability Zone” is incorrect. The pricing model is not relevant to high availability and deploying in a single AZ does not result in a highly available deployment.

C. “Launch the instances in multiple AWS Regions, and use Elastic IP addresses” is incorrect. You cannot use an ELB with instances in multiple Regions and using an EIP does not help.

D. “Launch the instances as EC2 Reserved Instances in the same AWS Region, but in different Availability Zones” is incorrect. Using reserved instances may not be appropriate as we do not know whether this is going to be a long-term workload or not.

References:

https://aws.amazon.com/about-aws/global-infrastructure/regions_az/

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-global-infrastructure/

Domain: Cloud Concepts

Q 1: According to AWS, what is the benefit of Elasticity?

A. Minimize storage requirements by reducing logging and auditing activities
B. Create systems that scale to the required capacity based on changes in demand
C. Enable AWS to automatically select the most cost-effective services.
D. Accelerate the design process because recovery from failure is automated, reducing the need for testing

Answer – B

Explanation : 

Elasticity is an application's ability to scale out and scale in (or up and down) based on demand. The service that provides it for EC2 is Amazon EC2 Auto Scaling.

For more information on AWS Autoscaling service, please refer to the below URL: https://aws.amazon.com/autoscaling/

A, C and D are incorrect. Elasticity is about matching capacity to demand; it does not by itself reduce logging, select services for you, or remove the need for testing.

Domain : Billing and Pricing

Q2: Which tool can you use to forecast your AWS spending?

A. AWS Organizations
B. Amazon Dev Pay
C. AWS Trusted Advisor
D. AWS Cost Explorer

Answer – D

Explanation : 

The AWS Documentation mentions the following.

Cost Explorer is a free tool that you can use to view your costs. You can view data up to the last 12 months. You can forecast how much you are likely to spend for the next 12 months and get recommendations for what Reserved Instances to purchase. You can use Cost Explorer to see patterns in how much you spend on AWS resources over time, identify areas that need further inquiry, and see trends that you can use to understand your costs. You also can specify time ranges for the data and view time data by day or by month.

[Figure: AWS Cost Explorer]

For more information on the AWS Cost Explorer, please refer to the below URL: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-explorer-what-is.html

A, B and C are incorrect. AWS Organizations provides consolidated billing and AWS Trusted Advisor includes cost optimization checks, but neither forecasts spending; Amazon DevPay was a discontinued payment service.

Domain : Technology

Q3: A business analyst would like to move away from creating complex database queries and static spreadsheets when generating regular reports for high-level management. They would like to publish insightful, graphically appealing reports with interactive dashboards. Which service can they use to accomplish this?

A. Amazon QuickSight
B. Business intelligence on Amazon Redshift
C. Amazon CloudWatch dashboards
D. Amazon Athena integrated with Amazon Glue

Correct Answer – A

Explanation : 

Amazon QuickSight is the most appropriate service in the scenario. It is a fully-managed service that allows for insightful business intelligence reporting with creative data delivery methods, including graphical and interactive dashboards. QuickSight includes machine learning that allows users to discover inconspicuous trends and patterns on their datasets.

[Figure: Amazon QuickSight dashboard | Source: aws.amazon.com/quicksight]

  • Option B is INCORRECT. Amazon Redshift service is a data warehouse and will not meet the requirements of interactive dashboards and dynamic means of delivering reports.
  • Option C is INCORRECT. Amazon CloudWatch dashboards will not accomplish the requirements of the scenario. They are used to monitor AWS system resources and infrastructure services, though they are customizable and present information graphically.
  • Option D is INCORRECT. Amazon Athena is a query service that allows for easy data analysis in Amazon S3 by using standard SQL. The service does not meet the requirements of the scenario. 

Domain : Technology

Q4. What is the AWS feature that enables fast, easy and secure transfers of files over long distances between your client and your Amazon S3 bucket?

A. File Transfer
B. HTTP Transfer
C. Amazon S3 Transfer Acceleration
D. S3 Acceleration

Answer – C

Explanation : 

The AWS Documentation mentions the following.

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.

For more information on S3 transfer acceleration, please visit the Link: http://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html

Options A, B and D are incorrect. None of these is the name of an AWS feature; the feature is Amazon S3 Transfer Acceleration, which is enabled per bucket and used by addressing the bucket through its accelerate endpoint (bucketname.s3-accelerate.amazonaws.com).

Domain : Security

Q5: What best describes the “Principle of Least Privilege”? Choose the correct answer from the options given below.

A. All users should have the same baseline permissions granted to them to use basic AWS services.
B. Users should be granted permission to access only resources they need to do their assigned job.
C. Users should submit all access requests in written form so that there is a paper trail of who needs access to different AWS resources.
D. Users should always have a little more permission than they need.

Answer – B

Explanation : 

The principle means giving a user account only the privileges that are essential to perform its intended function. For example, a user account whose sole purpose is creating backups does not need permission to install software, so it is granted rights only to run backup and backup-related applications (in AWS terms, an IAM policy that allows only the backup actions on the backup resources).

For more information on the principle of least privilege, please refer to the following link: https://en.wikipedia.org/wiki/Principle_of_least_privilege

Options A, C, and D are incorrect. These actions would not adhere to the Principle of Least Privilege.
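The SCP question earlier (AWS Organizations) and this least-privilege question both come down to how AWS combines policies: an explicit Deny anywhere wins, an SCP only bounds what an IAM policy may grant, and a principal with no matching Allow gets nothing. The following Python model is an added example, not part of the original gist and not AWS's evaluation code; it leaves out resource policies, permission boundaries and conditions, and the account, bucket name (`example-backups`) and policy documents are made up.

```python
"""Simplified model of how AWS evaluates an IAM identity policy together
with a service control policy (SCP).

Added example, not from the original gist and not AWS's own logic. Rules kept:
  * an explicit Deny in any applicable policy always wins;
  * an SCP never grants: in a member account a request must be allowed by
    BOTH the SCP and the principal's IAM policy;
  * the management account is not restricted by SCPs.
Resource policies, permission boundaries and conditions are omitted.
The policy documents, bucket name and ARNs below are hypothetical.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target: str) -> bool:
    """IAM-style wildcard match, e.g. 's3:Get*' or 'arn:aws:s3:::bucket/*'."""
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def evaluate_policy(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'Implicit deny' for one policy document."""
    result = "Implicit deny"
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: nothing can override it
            result = "Allow"
    return result


def is_allowed(identity_policy: dict, scp: dict, action: str, resource: str,
               *, is_management_account: bool = False) -> bool:
    """Effective decision for a principal in one account of an organization."""
    if evaluate_policy(identity_policy, action, resource) != "Allow":
        return False  # no IAM Allow (or an IAM Deny): the SCP cannot help
    if is_management_account:
        return True  # SCPs do not apply to the management account
    return evaluate_policy(scp, action, resource) == "Allow"


# SCP for the OU holding member accounts: FullAWSAccess (the default SCP)
# narrowed by a deny list of actions nobody in a member account may perform.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "s3:DeleteBucket"],
         "Resource": "*"},
    ],
}

# Least-privilege identity policy for a backup-only role (hypothetical bucket).
BACKUP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    ],
}

# Broad administrator policy: shows that the SCP still bounds it in a member account.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    checks = [
        ("admin deletes bucket, member account", ADMIN_POLICY, "s3:DeleteBucket",
         "arn:aws:s3:::example-backups", False),
        ("admin deletes bucket, management account", ADMIN_POLICY, "s3:DeleteBucket",
         "arn:aws:s3:::example-backups", True),
        ("backup role writes a backup", BACKUP_ROLE_POLICY, "s3:PutObject",
         "arn:aws:s3:::example-backups/db.dump", False),
        ("backup role launches EC2", BACKUP_ROLE_POLICY, "ec2:RunInstances", "*", False),
    ]
    for label, policy, action, resource, mgmt in checks:
        verdict = is_allowed(policy, GUARDRAIL_SCP, action, resource, is_management_account=mgmt)
        print(f"{label:<44} -> {'allowed' if verdict else 'denied'}")
```

The last check is the least-privilege point: the backup role is denied `ec2:RunInstances` not because anything forbids it but because nothing allows it. The first two show why an SCP is a guardrail rather than a grant: the same administrator policy is bounded in a member account and unbounded in the management account, which is one reason to keep no workloads and almost no principals there.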

Domain : Security

Q6: A web administrator maintains several public and private web-based resources for an organisation. Which service can they use to keep track of the expiry dates of SSL/TLS certificates as well as updating and renewal?

A. AWS Data Lifecycle Manager
B. AWS License Manager
C. AWS Firewall Manager
D. AWS Certificate Manager

Correct Answer – D

Explanation : 

AWS Certificate Manager (ACM) lets the web administrator provision and maintain one or many public and private SSL/TLS certificates in one place. Certificates that ACM issues are renewed automatically before they expire, so the administrator does not have to track their expiry. One caveat: certificates imported into ACM are not renewed automatically; ACM only reports their approaching expiry (through AWS Health and EventBridge events), and a new certificate must be imported before the old one expires. https://aws.amazon.com/certificate-manager/

Domain : Security

Q7: Which of the following is the responsibility of the customer to ensure the availability and backup of the EBS volumes?

A. Delete the data and create a new EBS volume.
B. Create EBS snapshots.
C. Attach new volumes to EC2 Instances.
D. Create copies of EBS Volumes.

Answer – B

Explanation : 

Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. 

When you create an EBS volume based on a snapshot, the new volume begins as an exact replica of the original volume that was used to create the snapshot. The replicated volume loads data in the background so that you can begin using it immediately.

[Figure: Amazon EBS snapshots | Source: aws.amazon.com]

Option A is incorrect because deleting the data does nothing to back it up; a volume created afterwards is empty.

Option C is incorrect because attaching more volumes does not provide availability; an EBS volume lives in a single Availability Zone, and without a snapshot it cannot be recreated in another one.

Option D is incorrect because EBS volumes cannot be copied directly; the way to replicate a volume is to snapshot it and create new volumes (in any Availability Zone, or in another Region by copying the snapshot) from that snapshot. Amazon Data Lifecycle Manager can automate snapshot creation and retention.

For more information on EBS Snapshots, please refer to the below URL:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html
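What “incremental” means for the backup strategy above, as an added example that is not part of the original gist and not how Amazon EBS is implemented internally: the block-level model below stores a block once and lets every snapshot reference it, so a second snapshot writes only the changed blocks, any snapshot still restores to a complete volume, and deleting an older snapshot frees only the blocks no later snapshot needs. The volume contents and snapshot IDs are constructed in memory.

```python
"""Block-level model of incremental snapshots.

Added example, not from the original gist and not EBS's implementation:
each snapshot stores only blocks that changed since the previous one, yet
any snapshot restores to an exact replica of the volume. Volume contents
and snapshot IDs below are constructed for illustration.
"""
import hashlib

BLOCK_SIZE = 4  # bytes per block in this toy model (EBS snapshot blocks are 512 KiB)


def split_blocks(data: bytes) -> list[bytes]:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def _digest(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


class SnapshotStore:
    """Content-addressed store: a block is kept once and referenced by every
    snapshot that needs it, which is what makes snapshots incremental."""

    def __init__(self) -> None:
        self.blocks: dict[str, bytes] = {}         # digest -> block content
        self.snapshots: dict[str, list[str]] = {}  # snapshot id -> ordered digests

    def create_snapshot(self, snap_id: str, volume: bytes) -> int:
        """Record the volume; return how many NEW blocks had to be written."""
        new_blocks = 0
        block_map = []
        for block in split_blocks(volume):
            d = _digest(block)
            if d not in self.blocks:
                self.blocks[d] = block
                new_blocks += 1
            block_map.append(d)
        self.snapshots[snap_id] = block_map
        return new_blocks

    def restore(self, snap_id: str) -> bytes:
        """Build a volume from any snapshot: an exact replica of the source."""
        return b"".join(self.blocks[d] for d in self.snapshots[snap_id])

    def delete_snapshot(self, snap_id: str) -> int:
        """Remove a snapshot; only blocks referenced by no remaining snapshot
        are freed, so later snapshots stay fully restorable. Returns the
        number of blocks freed."""
        del self.snapshots[snap_id]
        still_needed = {d for block_map in self.snapshots.values() for d in block_map}
        freed = [d for d in self.blocks if d not in still_needed]
        for d in freed:
            del self.blocks[d]
        return len(freed)


if __name__ == "__main__":
    store = SnapshotStore()
    v1 = b"AAAABBBBCCCCDDDD"
    v2 = b"AAAAXXXXCCCCDDDD"  # one block changed since v1
    print("snap-1 wrote", store.create_snapshot("snap-1", v1), "blocks")  # 4
    print("snap-2 wrote", store.create_snapshot("snap-2", v2), "blocks")  # 1
    print("restores exact:", store.restore("snap-1") == v1, store.restore("snap-2") == v2)
    print("deleting snap-1 freed", store.delete_snapshot("snap-1"), "block")  # 1
    print("snap-2 still restores:", store.restore("snap-2") == v2)
```

The practical consequence is the one operators get wrong: deleting the first full snapshot does not invalidate the later incremental ones, so a retention policy can drop old snapshots freely, but the only way to lose data is to delete the last snapshot that references a block.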

Domain : Security

Q8: Which of the following services can be used as an application firewall in AWS?

A. AWS Snowball
B. AWS WAF
C. AWS Firewall
D. AWS Protection

Answer – B

Explanation : 

The AWS Documentation mentions the following:

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests forwarded to Amazon CloudFront, an Application Load Balancer, Amazon API Gateway and other supported services, and block or rate-limit the requests that match rules you define. AWS WAF also lets you control access to your content.

AWS Snowball, a part of the AWS Snow Family, is an edge computing, data migration, and edge storage device that comes in two options. Snowball Edge Storage Optimized devices provide both block storage and Amazon S3-compatible object storage, and 40 vCPUs.

For more information on AWS WAF, please refer to the below URL:https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
https://aws.amazon.com/snowball/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Domain : Cloud Concepts

Q9: Your design team is planning to design an application that will be hosted on the AWS Cloud. One of their main non-functional requirements is given below:
Reduce inter-dependencies so failures do not impact other components.
Which of the following concepts does this requirement relate to?

A. Integration
B. Decoupling
C. Aggregation
D. Segregation

Answer – B

Explanation : 

The entire concept of decoupling components ensures that the different components of applications can be managed and maintained separately. If all components are tightly coupled, the entire application would go down when one component goes down. Hence it is always a better practice to decouple application components.

For more information on a decoupled architecture, please refer to the below URL: http://whatis.techtarget.com/definition/decoupled-architecture

Domain : Billing and Pricing

Q10: A manufacturing firm has recently migrated their application servers to the Amazon EC2 instance. The IT Manager is looking for the details of upcoming scheduled maintenance activities which AWS would be performing on AWS resources, that may impact the services on these EC2 instances.

Which of the following services can alert you about the changes that can affect resources in your account? 

A. AWS Organizations
B. AWS Personal Health Dashboard
C. AWS Trusted Advisor
D. AWS Service Health Dashboard

Answer – B

Explanation : 

AWS Personal Health Dashboard (now part of the AWS Health Dashboard) provides alerts about AWS service availability and performance events that may impact resources deployed in your account. Customers receive email and mobile notifications for scheduled maintenance activities that might affect those resources.

Option A is incorrect as AWS Organizations do not provide any notifications for scheduled maintenance activities.

Option C is incorrect as AWS Trusted Advisor will provide notification on AWS resources created within the account for cost optimization, security, fault tolerance, performance, and service limits. It will not provide notification for scheduled maintenance activities performed by AWS on its resources.  

Option D is incorrect as Service Health Dashboard displays the general status of all AWS services & will not display scheduled maintenance activities.

For more information on the AWS Personal Health Dashboard, please refer to the below URL: https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/

Domain : Security

Q11: Which of the following AWS services can be used to retrieve configuration changes made to AWS resources causing operational issues?

A. Amazon Inspector
B. AWS CloudFormation
C. AWS Trusted Advisor
D. AWS Config

Answer – D

Explanation : 

AWS Config records the configuration of supported AWS resources over time and lets you audit and evaluate those configurations. When an operational issue appears, the configuration history of the affected resource shows what changed and when, so the change that caused the issue can be identified; pairing it with AWS CloudTrail, which records the API call behind each change, shows who made it. Note that Config records only the resource types it supports and only from the time the configuration recorder was turned on.

  • Option A is incorrect as Amazon Inspector analyzes Amazon EC2 instances for potential security issues against an assessment template with predefined rules. It does not keep a history of configuration changes made to AWS resources.
  • Option B is incorrect as AWS CloudFormation provides templates to provision and configure resources in AWS; it is not a configuration history service.
  • Option C is incorrect as AWS Trusted Advisor helps optimize resources in the AWS Cloud with respect to cost, security, performance, fault tolerance, and service limits. It does not keep a history of configuration changes made to AWS resources.

For more information on AWS Config, refer to the following URL:https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
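The kind of “what changed, and when” question AWS Config answers, worked through as an added example that is not part of the original gist: the configuration items below are constructed in the shape of AWS Config's configuration history for a security group (the fields `configurationItemCaptureTime`, `resourceId` and `configuration.ipPermissions` are the real ones; the group ID, rules and timestamps are made up, and a real timeline would come from `aws configservice get-resource-config-history`). The code diffs consecutive items and finds the transition that first exposed a port to the whole Internet.

```python
"""Walk a resource's configuration history, as AWS Config records it, and
locate the change that introduced a risky setting.

Added example, not from the original gist. The configuration items are
constructed in the shape of AWS Config output for a security group, trimmed
to the fields used here; the group ID, rules and timestamps are hypothetical.
"""
from datetime import datetime

# Constructed configuration items. AWS returns newest first; the code sorts
# explicitly so the input order does not matter.
HISTORY = [
    {"configurationItemCaptureTime": "2024-11-01T09:00:00Z",
     "resourceId": "sg-0123456789abcdef0",
     "configuration": {"ipPermissions": [
         {"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
          "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}},
    {"configurationItemCaptureTime": "2024-11-03T14:22:00Z",
     "resourceId": "sg-0123456789abcdef0",
     "configuration": {"ipPermissions": [
         {"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
          "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
         {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"configurationItemCaptureTime": "2024-11-05T08:10:00Z",
     "resourceId": "sg-0123456789abcdef0",
     "configuration": {"ipPermissions": [
         {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
]


def ingress_rules(item: dict) -> set[tuple]:
    """Flatten a configuration item's IPv4 ingress permissions into hashable
    (protocol, from_port, to_port, cidr) tuples. IPv6 ranges live under
    `ipv6Ranges` in real items and are left out of this model."""
    rules = set()
    for perm in item["configuration"].get("ipPermissions", []):
        for rng in perm.get("ipRanges", []):
            rules.add((perm.get("ipProtocol"), perm.get("fromPort"),
                       perm.get("toPort"), rng["cidrIp"]))
    return rules


def _captured_at(item: dict) -> datetime:
    return datetime.strptime(item["configurationItemCaptureTime"], "%Y-%m-%dT%H:%M:%SZ")


def diff_history(history: list[dict]) -> list[dict]:
    """One entry per transition: when it was captured, rules added, rules removed."""
    ordered = sorted(history, key=_captured_at)
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        before, after = ingress_rules(prev), ingress_rules(cur)
        changes.append({"at": cur["configurationItemCaptureTime"],
                        "added": after - before, "removed": before - after})
    return changes


def is_world_open(rule: tuple) -> bool:
    return rule[3] == "0.0.0.0/0"


def first_world_open_change(history: list[dict]):
    """The transition that first exposed a port to the Internet, or None."""
    for change in diff_history(history):
        if any(is_world_open(rule) for rule in change["added"]):
            return change
    return None


if __name__ == "__main__":
    for change in diff_history(HISTORY):
        print(change["at"], "added:", change["added"], "removed:", change["removed"])
    print("first Internet exposure:", first_world_open_change(HISTORY))
```

The capture time of the offending transition is what you then take to CloudTrail (`AuthorizeSecurityGroupIngress` events around that time) to find the principal that made the change; a Config rule such as `restricted-ssh` would have flagged the same state continuously instead of after the fact.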

Domain : Security

Q12: An organization runs several EC2 instances inside a VPC using three subnets, one for Development, one for Test, and one for Production. The Security team has some concerns about the VPC configuration. It requires restricting communication across the EC2 instances using Security Groups.

Which of the following options is true for Security Groups related to the scenario?

A. You can change a Security Group associated with an instance if the instance is in the running state.
B. You can change a Security Group associated with an instance if the instance is in the hibernate state.
C. You can change a Security Group only if there are no instances associated to it.
D. The only Security Group you can change is the Default Security Group.

Answer: A

Explanation : 

  • Option A is CORRECT because the AWS documentation mentions it in the section called “Changing an Instance’s Security Group” using the following sentence: “After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance when the instance is in the running or stopped state.”
  • Option B is incorrect as the documentation states that the security groups can be changed when the instance is in the running or stopped state; it does not list a hibernate state.
  • Option C is incorrect because a security group's rules can be changed at any time, whether or not instances are associated with it, and the change applies immediately to every associated instance.
  • Option D is incorrect because any security group can be changed, not only the default one.

Reference: https://docs.aws.amazon.com/en_pv/vpc/latest/userguide/VPC_SecurityGroups.html

Domain : Technology

Q13: Which of the following features of Amazon RDS allows for better availability of databases? Choose the answer from the options given below.

A. VPC Peering
B. Multi-AZ
C. Read Replicas
D. Data encryption

Answer – B

Explanation : 

The AWS Documentation mentions the following.

If you are looking to use replication to increase database availability while protecting your latest database updates against unplanned outages, consider running your DB instance as a Multi-AZ deployment.

For more information on AWS RDS, please visit the FAQ link: https://aws.amazon.com/rds/faqs/

Domain : Technology

Q14: Your company wants to move an existing Oracle database to the AWS Cloud. Which of the following services can help facilitate this move?

A. AWS Database Migration Service
B. AWS VM Migration Service
C. AWS Inspector
D. AWS Trusted Advisor

Answer – A

Explanation : 

The AWS Documentation mentions the following.

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate your data to and from the most widely used commercial and open-source databases.

For more information on AWS Database Migration Service, please refer to the below URL: https://aws.amazon.com/dms/

Domain : Security

Q15: Which of the following services allows you to analyze EC2 Instances against pre-defined security templates to check for vulnerabilities?

A. AWS Trusted Advisor
B. AWS Inspector
C. AWS WAF
D. AWS Shield

Answer – B

Explanation : 

The AWS Documentation mentions the following.

Amazon Inspector enables you to analyze the behavior of your AWS resources and helps you to identify potential security issues. Using Amazon Inspector, you can define a collection of AWS resources that you want to include in an assessment target. You can then create an assessment template and launch a security assessment run of this target.

For more information on Amazon Inspector, please refer to the below URL: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html

Domain : Technology

Q16: A website for an international sport governing body would like to serve its content to viewers from different parts of the world in their vernacular language. Which of the following services provide location-based web personalization using geolocation headers?

A. Amazon CloudFront
B. Amazon EC2 Instance
C. Amazon Lightsail
D. Amazon Route 53

Answer – A

Explanation : 

Amazon CloudFront supports country-level location-based web content personalization with a feature called Geolocation Headers.

You can configure CloudFront to add additional geolocation headers that provide more granularity in your caching and origin request policies. The new headers give you more granular control of cache behavior and your origin access to the viewer’s country name, region, city, postal code, latitude, and longitude, all based on the viewer’s IP address.


  • Option B is INCORRECT because EC2 is just a distractor, not suitable for routing and delivery.
  • Option C is INCORRECT because Amazon Lightsail will primarily allow for developing, deploying, and hosting websites and web applications. The service will not meet the requirements of the scenario.
  • Option D is INCORRECT because the geolocation routing policy of Route 53 allows different resources to serve content based on the origin of the request. Route 53 does not use geolocation headers.

References:

https://aws.amazon.com/about-aws/whats-new/2020/07/cloudfront-geolocation-headers/
https://aws.amazon.com/blogs/networking-and-content-delivery/leverage-amazon-cloudfront-geolocation-headers-for-state-level-geo-targeting/

Domain : Security

Q17: Which of the following can be used to protect against DDoS attacks? Choose 2 answers from the options given below.

A. AWS EC2
B. AWS RDS
C. AWS Shield
D. AWS Shield Advanced

Answer – C and D

Explanation : 

The AWS Documentation mentions the following:

AWS Shield – All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications.

AWS Shield Advanced – For higher levels of protection against attacks targeting your web applications running on Amazon EC2, Elastic Load Balancing (ELB), CloudFront, and Route 53 resources, you can subscribe to AWS Shield Advanced. AWS Shield Advanced provides expanded DDoS attack protection for these resources.

For more information on AWS Shield, please refer to the below URL: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html

Domain : Technology

Q18: Which of the following are the recommended resources to be deployed in the Amazon VPC private subnet?

A. NAT Gateways
B. Bastion Hosts
C. Database Servers
D. Internet Gateways

Answer – C

Explanation : 

Because database servers contain confidential information, from a security perspective they should be deployed in a private subnet.

Amazon Virtual Private Cloud (Amazon VPC) enables the user to launch AWS resources into a virtual network that a user has defined.

Option A is incorrect because NAT devices (NAT gateway, NAT instance) allow instances in private subnets to connect to the internet, other VPCs, or on-premises networks. They are deployed in a public subnet.

Option B is incorrect because a bastion host is a server whose purpose is to provide access (SSH access) to a private network from an external network, such as the Internet. It is deployed in a public subnet.

Option D is incorrect because an Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

For more information on AWS VPC, please refer to the below URLs:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Networking.html
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat.html
https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/

Domain : Technology

Q19: A company wants to utilize AWS storage. For them, low storage cost is paramount. The data is rarely retrieved and a data retrieval time of 13-14 hours is acceptable for them. What is the best storage option to use?

A. Amazon S3 Glacier
B. S3 Glacier Deep Archive
C. Amazon EBS volumes
D. AWS CloudFront

Answer – B

Explanation : 

S3 Glacier Deep Archive offers the lowest cost storage in the cloud, at prices lower than storing and maintaining data in on-premises magnetic tape libraries or archiving data offsite.

It expands our data archiving offerings, enabling you to select the optimal storage class based on storage and retrieval costs, and retrieval times.

Option B is correct because S3 Glacier Deep Archive offers low-cost storage and retrieval time doesn’t matter for the company. If the question asks for fast retrieval time then S3 Glacier would be correct.

Option A is incorrect because S3 Glacier is not cheaper than S3 Glacier Deep Archive.

Options C and D are incorrect because they are not suitable for data archiving. Also, CloudFront is not a storage service.

With S3 Glacier, customers can store their data cost-effectively for months, years, or even decades. S3 Glacier enables customers to offload the administrative burdens of operating and scaling storage to AWS, so they don’t have to worry about capacity planning, hardware provisioning, data replication, hardware failure detection, and recovery, or time-consuming hardware migrations.

  • Amazon S3 Glacier for archiving data that might infrequently need to be restored within a few hours
  • S3 Glacier Deep Archive for archiving long-term backup cycle data that might infrequently need to be restored within 12 hours

| Storage class | Expedited | Standard | Bulk |
|---|---|---|---|
| Amazon S3 Glacier | 1–5 minutes | 3–5 hours | 5–12 hours |
| S3 Glacier Deep Archive | Not available | Within 12 hours | Within 48 hours |

Reference:

https://docs.aws.amazon.com/amazonglacier/latest/dev/introduction.html
https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/amazon-s3-glacier.html
https://aws.amazon.com/s3/storage-classes/

Domain : Cloud Concepts

Q20: Which AWS service provides a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability?

A. AWS RDS
B. DynamoDB
C. Oracle RDS
D. Elastic Map Reduce

Answer – B

Explanation : 

DynamoDB is a fully managed NoSQL offering provided by AWS. It is now available in most regions for users to consume.

For more information on Amazon DynamoDB, please refer to the below URL: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

Domain : Cloud Concepts

Q21: For which of the following AWS resources is the customer responsible for infrastructure-related security configurations?

A. Amazon RDS
B. Amazon DynamoDB
C. Amazon EC2
D. AWS Fargate

Answer: C

Explanation : 

Amazon EC2 is an Infrastructure as a Service (IaaS) for which customers are responsible for the security and the management of guest operating systems.

  • Options A, B, and D are incorrect as all these resources are abstracted services for which AWS is responsible for the security and infrastructure layers. Customers are responsible for the data that is saved on these resources.

For more information on the shared responsibility model, refer to the following URL: https://aws.amazon.com/compliance/shared-responsibility-model/

Domain : Cloud Concepts

Q22: In the shared responsibility model for infrastructure services, such as Amazon Elastic Compute Cloud, which TWO of the following are the customer's responsibility?

A. Network infrastructure
B. Amazon Machine Images (AMIs)
C. Virtualization infrastructure
D. Physical security of hardware
E. Policies and configuration

Answer: B, E

Explanation : 

In the shared responsibility model, AWS is primarily responsible for “Security of the Cloud” and the customer is responsible for “Security in the Cloud.” In this scenario the AWS product is IaaS (Amazon EC2), and AWS manages the security of the following assets:

– Facilities
– Physical security of hardware
– Network infrastructure
– Virtualization infrastructure

Customers are responsible for the security of the following assets:

– Amazon Machine Images (AMIs)
– Operating systems
– Applications
– Data in transit
– Data at rest
– Data stores
– Credentials
– Policies and configuration

  • Option A is incorrect. Refer to the explanation above and the links in the references for more details.
  • Option B is correct. Refer to the explanation above and the links in the references for more details.
  • Option C is incorrect. Refer to the explanation above and the links in the references for more details.
  • Option D is incorrect. Refer to the explanation above and the links in the references for more details.
  • Option E is correct. Refer to the explanation above and the links in the references for more details.

References:

https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc

Domain : Billing and Pricing

Q23: AWS offers two Savings Plans to enable more savings and flexibility for its customers, namely Compute Savings Plans and EC2 Instance Savings Plans.

Which of the following statements is FALSE regarding Savings Plans?

A. Capacity Reservations are not provided with Savings Plans.
B. Savings Plans are available for all the regions.
C. Savings plans will apply on ‘On-Demand Capacity Reservations’ that customers can allocate for their needs.
D. The prices for Savings Plans do not change based on the amount of hourly commitment.

Answer: B

Explanation : 

  • Option A is INCORRECT. The given statement is True.
  • Option B is CORRECT. The given statement is False. For China Regions, savings plans are not available.
  • Option C is INCORRECT. The given statement is True.
  • Option D is INCORRECT. The given statement is True.

Reference: https://docs.aws.amazon.com/savingsplans/latest/userguide/what-is-savings-plans.html#sp-ris

Domain : Technology

Q24: Which of the below-listed services is a region-based AWS service?

A. AWS IAM
B. Amazon EFS
C. Amazon Route 53
D. Amazon CloudFront

Answer: B

Explanation : 

  • Option A is INCORRECT. AWS IAM is a global service.
  • Option B is CORRECT. EFS is a regional service.
  • Option C is INCORRECT. Route 53 is a global service.
  • Option D is INCORRECT. Amazon CloudFront is a global service.

References:

https://aws.amazon.com/efs/
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/

Domain : Technology

Q25: Which of the following Lightsail wizards allows customers to “create a copy of the Lightsail instance in EC2”?

A. LightSail Backup
B. LightSail Copy
C. Upgrade to EC2
D. LightSail-EC2 snapshot

Answer: C

Explanation : 

  • Option A is INCORRECT. LightSail Backup is an invalid option.
  • Option B is INCORRECT. LightSail Copy is an invalid option.
  • Option C is CORRECT. “Upgrade to EC2” is the feature that allows customers to “create a copy of the LightSail instance in EC2”.
    To get started, you need to export your Lightsail instance manual snapshot. You’ll then use the Upgrade to EC2 wizard to create an instance in EC2.
    Customers who are comfortable with EC2 can then use the EC2 creation wizard or API to create a new EC2 instance as they would from an existing EC2 AMI.
  • Option D is INCORRECT. A LightSail-EC2 snapshot is an invalid option.


Reference:

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-exporting-snapshots-to-amazon-ec2
https://aws.amazon.com/lightsail/features/upgrade-to-ec2/

Domain : Technology

Q26: Which of the following features of Amazon Connect helps improve customer engagement on the AWS Cloud?

A. Push Notification
B. High Quality Audio
C. Mailbox Simulator
D. Reputation Dashboard

Correct Answer: B

Amazon Connect is an omnichannel cloud contact centre that can be set up easily and at low cost. It has the following features, which help provide customers with superior service:

  1. Telephone as a service
  2. High quality Audio
  3. Omnichannel routing
  4. Web & Mobile Chat
  5. Task management
  6. Contact Centre automation
  7. Rules Engine.

Option A is incorrect as Push Notification is not a feature of Amazon Connect. It’s one of the features of Amazon Pinpoint.
Option C is incorrect as Mailbox Simulator is not a feature of Amazon Connect. It’s one of the features of Amazon SES.
Option D is incorrect as Reputation Dashboard is not a feature of Amazon Connect. It’s one of the features of Amazon SES.

For more information on Amazon Connect, refer to the following URL: https://aws.amazon.com/connect/features/

Domain : Technology

Q27: A large IT company is looking to enable its large user base to remotely access Linux desktops from any location. Which service can be used for this purpose?

A. Amazon Cognito
B. Amazon AppStream 2.0
C. Amazon WorkSpaces
D. Amazon WorkLink

Correct Answer: C

Amazon WorkSpaces provides a secure managed service for virtual desktops for remote users. It supports both Windows & Linux based virtual desktops for a large number of users.

Option A is incorrect as Amazon Cognito can be used to control access to AWS resources from an application.
Option B is incorrect as Amazon AppStream 2.0 can be used to provide access to applications or a non-persistent desktop from any location.
Option D is incorrect as Amazon WorkLink can be used by internal employees to securely access internal websites & applications using mobile phones.

For more information on Amazon WorkSpaces, refer to the following URL: https://aws.amazon.com/workspaces/features/

Domain : Cloud Concepts

Q28: Users in the Developer Team need to deploy a multi-tier web application. Which service can be used to create a customized portfolio that will help users deploy quickly?

A. AWS Config
B. AWS Code Deploy
C. AWS Service Catalog
D. AWS Cloud Formation

Correct Answer: C

AWS Service Catalog can be used to create and deploy portfolios of products within the AWS infrastructure. This helps create consistent resources with quick deployment. These catalogs can be used to deploy a single resource or a multi-tier web application consisting of web, application, and database layer resources.

Option A is incorrect as AWS Config is used for evaluating the configuration of resources deployed in the AWS Cloud. It does not help with creating portfolios of resources for quick deployment.
Option B is incorrect as AWS CodeDeploy is a managed service for automating software deployment to AWS resources and on-premises systems. It is not suitable for creating portfolios of resources for quick deployment.
Option D is incorrect as AWS CloudFormation is a service for provisioning AWS resources using templates.

For more information on AWS Service Catalog, refer to the following URL: https://aws.amazon.com/servicecatalog/features/

Domain : Billing and Pricing

Q29: A large oil and gas company is planning to deploy a high-volume application on multiple Amazon EC2 instances. Which of the following can help reduce operational expenses?

A. Deploy Amazon EC2 instance with Auto-scaling
B. Deploy Amazon EC2 instance in multiple AZ’s
C. Deploy Amazon EC2 instance with Amazon instance store-backed AMI
D. Deploy Amazon EC2 instance with Cluster placement group

Correct Answer: A

Using Amazon EC2 Auto Scaling matches the number of Amazon EC2 instances to the application's workload. During periods of low load, Amazon EC2 instances are terminated, which reduces operational cost.

Option B is incorrect as deploying Amazon EC2 instances in multiple AZs might enhance application availability but will not reduce operational expenses.
Option C is incorrect as deploying an Amazon EC2 instance with an Amazon instance store-backed AMI incurs charges for Amazon EC2 instance usage and for storing the AMI in Amazon S3. There is no impact on operational expenses from using this AMI type.
Option D is incorrect as deploying Amazon EC2 instances in a cluster placement group helps achieve low latency between instances but will not reduce operational expenses.

For more information on reducing cost using the AWS Cloud, refer to the following URL: https://aws.amazon.com/economics/

Domain : Cloud Concepts

Q30: Which of the following activities are within the scope of AWS Support?

A. Troubleshooting API issues
B. Code Development
C. Debugging custom software
D. Third-party application configuration on AWS resources
E. Database query tuning

Correct Answers: A and D

AWS Support covers the following activities:

  1. Queries regarding all AWS Services & features.
  2. Best Practices to integrate, deploy & manage applications in the AWS cloud.
  3. Troubleshooting API & SDK issues.
  4. Troubleshooting operational issues.
  5. Issues related to any AWS Tools.
  6. Problems detected by EC2 health checks
  7. Third-Party application configuration on AWS resources & products.

AWS Support does not include:

  • Code development
  • Debugging custom software
  • Performing system administration tasks
  • Database query tuning
  • Cross-Account Support

Option B is incorrect as Code Development is not in the scope of AWS Support. This needs to be taken care of by the customer.
Option C is incorrect as Debugging custom software is not in the scope of AWS Support. This needs to be taken care of by the customer.
Option E is incorrect as Database query tuning is not in the scope of AWS Support. This needs to be taken care of by the customer.

For more information on AWS Support, refer to the following URL: https://aws.amazon.com/premiumsupport/

Domain: Billing and Pricing 

Q31: I have a huge amount of data (images, documents). I want to store them on AWS storage service S3 and know how S3 is priced to make informed decisions. Which of the following is accounted as a cost for S3 storage? Select TWO. 

A. While uploading data to an S3 bucket
B. Lifecycle transition requests
C. Outbound data transfer from S3 in US-West to an EC2 instance in US-West
D. Outbound data transfer to Amazon CloudFront
E. Outbound data transfer from S3 in US-East to an EC2 instance in US-West

Correct Answers: B and E 

Explanation: 

Option A is incorrect. Data transferred in from the internet to S3 does not incur any charges. 

Option B is CORRECT. Lifecycle data transfers between the storage classes can be considered as GET/PUT operations from the source storage class to the target storage class which will incur cost. 

Option C is incorrect. Outbound data transfers from S3 within the same Region (including a different AWS account) do not incur any charges. 

Option D is incorrect. Data transferred out to Amazon CloudFront performed as a request by CloudFront to the Origin server (S3) for caching content does not incur any charges. 

Option E is CORRECT since the Outbound data transfer is done out of the region where the S3 bucket resides. 

Domain: Technology 

Q32: I am using the Amazon Simple Notification Service to send notifications to alert admins whenever the CPU utilization of an EC2 instance crosses 70%. Which of the following can be subscribers to an SNS Topic? (Select TWO) 

A. Email
B. Amazon S3
C. AWS Lambda
D. Amazon CloudWatch
E. Amazon DynamoDB streams

Correct Answers: A and C 

Explanation: 

SNS is extremely useful for the fan-out types of applications, i.e., multiple clients that push messages to an SNS topic & multiple listeners can be notified when a message arrives at the Topic. 

Option A is CORRECT. SNS messages can be sent as email (text-based or object) to registered addresses, which act as subscribers to the notification.

Option B is incorrect. S3 acts as a publisher of SNS notifications. When a file is uploaded to S3, it can publish an event that can then be subscribed to and acted upon.

Option C is CORRECT. A lambda function can subscribe to an SNS Topic and can act on any events that are published to that Topic. An S3 PUT or CREATE event for uploading documents can have a Lambda subscriber that can pull out metadata information contained within the documents & store it in a Dynamo DB database. 

Option D is incorrect. CloudWatch will act as a publisher of events using alarms. Getting back to our scenario, we can set CloudWatch alarms on the CPU utilization metrics of the EC2 instance. The alarms can then be published to an SNS Topic for notifying users. 

Option E is incorrect. Dynamo DB streams are events that are emitted when record modifications occur on a Dynamo DB table like INSERT, UPDATE, etc. They are extremely useful to create informative dashboards in real-time. Dynamo DB streams can trigger a lambda function that can publish a message to an SNS Topic. So we can see here that Dynamo DB stream acts as a publisher of events. 

Domain: Technology 

Q33: I require different levels of access for my application that is installed on an EC2 instance. I have configured an ENI for the same purpose. Which of the following statements is incorrect?

A. I can detach the primary ENI of my EC2 instance and connect it to another instance for moving its Elastic IP
B. I can configure a Security Group for my ENI and restrict traffic to the EC2 instance
C. I can detach a secondary ENI containing a Private IP from one EC2 instance and attach it to another
D. I can attach an Elastic IP to an EC2 instance in another subnet by releasing it from the ENI in the current subnet to which it is currently attached

Correct Answer: A 

Explanation: 

Option A is CORRECT. The primary ENI of an instance cannot be detached from the instance. By default, the primary ENI is created along with the EC2 instance and deleted when the instance is terminated.

Option B is incorrect since an EC2 instance may require restricted access to certain IP addresses. This can be achieved by creating a new ENI & attaching a Public IP & Security Group restricting permissions. 

Option C is incorrect. Secondary ENIs can be detached from the instance to which they are attached and attached to another instance within the same subnet. The Private IP then gets allocated to the second instance.

Option D is incorrect. ENIs are subnet-specific. So for attaching an Elastic IP to an instance in a different subnet, I need to first release it to the pool by disassociating it from the attached instance. This way, I can attach the Elastic IP to an instance in a different subnet.

Domain: Security

Q34: To make programmatic calls to AWS, a user was provided an access key ID and secret access key. However, the user has now forgotten the shared credentials and cannot make the required programmatic calls.

How can an access key ID and secret access key be provided to the user? 

A. Use the “Forgot Password” Option
B. Use “Create New Access Key” by logging in to AWS Management Console as the root user
C. Credentials cannot be generated
D. Raise a ticket with AWS Support

Correct Answer: B  

Explanation: 

Option A is INCORRECT. This is an invalid option. 

Option B is CORRECT. We can create a new access key by logging in to the Management Console as the root user.

Option C is INCORRECT. This is an incorrect option. We can create a new access key by logging in to Management Console as a root user. 

Option D is INCORRECT. This is an incorrect option. We can create a new access key by logging in to Management Console as a root user. 

Reference:   

https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html 

Domain: Security 

Q35: Which of the following statements accurately describe a function of AWS Secrets Manager? [Select Two]

A. Encrypts authentication information in code, ensuring that it is unreadable, that is, not in plain-text.
B. Replaces the need to hardcode authentication credentials in code.
C. Makes it possible to include an API call in code that retrieves authentication information from a central repository.
D. Automatically rotates and updates the code in the application build, ensuring that repositories are kept up to date.
E. Facilitates the embedding of authentication information in code during runtime.

Correct Answers: B and C

Explanation: 

AWS Secrets Manager allows users to replace authentication information in code with an API call to Secrets Manager. This API call then retrieves the secret programmatically. This safeguards the secret from being compromised since the secret is removed from the code. AWS Secrets Manager automatically rotates the secret in accordance with specified schedules which allows the implementation of more secure short-term secrets. These, in turn, reduce the risk of authentication information in code being compromised. 

Option A is INCORRECT because AWS Secrets Manager does not encrypt authentication information whilst it is in the code. 

Option D is INCORRECT because AWS Secrets Manager does not automatically rotate or update the application code. Rather, it automatically rotates the secret in accordance with specified schedules. 

Option E is INCORRECT because AWS Secrets Manager does not facilitate embedding authentication information in code during runtime. Developers do not need to hard-code authentication information in code. 
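The pattern this explanation describes, as an added example that is not part of the gist or of AWS's own code: the hardcoded credential is replaced by a runtime lookup through the Secrets Manager `get_secret_value(SecretId=...)` call, with a short-TTL cache to show why rotation makes caching a trade-off. The secret name `prod/app/db`, the JSON fields `username`/`password`, the passwords and the `FakeSecretsManager` stand-in are all constructed so the code runs offline; in production the client would be `boto3.client("secretsmanager")`.

```python
import json
import time


class SecretCache:
    """Short-TTL cache in front of Secrets Manager's GetSecretValue.

    The TTL bounds how long a rotated-out value can keep being used while
    avoiding one API call per request; ttl_seconds=0 disables caching.
    `client` is anything with boto3's get_secret_value(SecretId=...) shape,
    e.g. boto3.client("secretsmanager") in production.
    """

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # secret_id -> (expires_at, parsed secret)

    def get(self, secret_id):
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit and now < hit[0]:
            return hit[1]
        # Same response shape as boto3: the secret arrives as SecretString
        # (or SecretBinary for binary secrets, not handled here).
        resp = self._client.get_secret_value(SecretId=secret_id)
        if "SecretString" not in resp:
            raise ValueError(f"{secret_id}: binary secret not supported here")
        value = json.loads(resp["SecretString"])
        self._entries[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id):
        """Drop a cached entry, e.g. after a login failure following rotation."""
        self._entries.pop(secret_id, None)


def load_db_credentials(cache, secret_id="prod/app/db"):
    """Return (username, password); only the secret's *name* lives in code.

    Compare the anti-pattern the question describes:
        DB_PASSWORD = "Sup3rS3cret!"   # readable by anyone with repo access
    """
    secret = cache.get(secret_id)
    return secret["username"], secret["password"]


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client so the demo runs offline."""

    def __init__(self, username, password):
        self._secret = {"username": username, "password": password}
        self.calls = 0  # counts API round trips

    def rotate(self, new_password):
        """Simulate a scheduled Secrets Manager rotation."""
        self._secret["password"] = new_password

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self._secret)}


def demo():
    """Walk through: fetch, cache hit, rotation hidden by cache, explicit refetch."""
    fake = FakeSecretsManager("app_user", "first-pw")  # constructed values
    clock = [0.0]
    cache = SecretCache(fake, ttl_seconds=300, clock=lambda: clock[0])

    first = load_db_credentials(cache)    # API call 1
    clock[0] += 10
    cached = load_db_credentials(cache)   # within TTL: no API call
    fake.rotate("second-pw")              # rotation happens server-side
    stale = load_db_credentials(cache)    # cache still serves the old password
    cache.invalidate("prod/app/db")       # what a failed DB login should trigger
    fresh = load_db_credentials(cache)    # API call 2, new password visible
    return first, cached, stale, fresh, fake.calls


if __name__ == "__main__":
    print(demo())
```

The stale step is the caveat behind Option D: Secrets Manager rotates the secret, not the application, so the application has to refetch (on TTL expiry or on an authentication failure) to pick the new value up.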

Reference: 

https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
