Question 1
Under the shared responsibility model, which of the following is the customer responsible for?
A) Ensuring that disk drives are wiped after use.
B) Ensuring that firmware is updated on hardware devices.
C) Ensuring that data is encrypted at rest.
D) Ensuring that network cables are category six or higher.
Answer: C
Data configuration, including encrypting data at rest and in transit, is the responsibility of the customer. Wiping drives, patching device firmware, and physical cabling belong to AWS's responsibility for the underlying infrastructure.
Question 2
Which allows companies to track and categorize spending on a detailed level?
A) Cost allocation tags
B) Consolidated billing
C) AWS Budgets
D) AWS Marketplace
Answer: A
After you activate cost allocation tags, AWS uses them to organize your resource costs on your cost allocation report, making it easier to categorize and track your AWS costs.
Question 3
Stores objects, provides real-time access to those objects, and offers versioning and lifecycle capabilities:
A) Amazon Glacier
B) AWS Storage Gateway
C) Amazon S3
D) Amazon EBS
Answer: C
Compared to block storage, object storage is much newer. With object storage, data is bundled with customizable metadata tags and a unique identifier to form objects. The metadata tags are a key advantage of object storage: they allow for much better identification and classification of data. Amazon S3 is an example of object storage.
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. You can use S3 Versioning to preserve, retrieve, and restore every version of every object stored in your buckets, which makes it easier to recover from both unintended user actions and application failures. After versioning is enabled for a bucket, if Amazon S3 receives multiple write requests for the same object simultaneously, it stores all of them as separate versions.
The answer is NOT EBS, because EBS stores blocks, not objects. Block storage is the oldest and simplest form of data storage: it stores data in fixed-sized chunks called blocks, and by itself a block typically only holds a portion of the data.
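The recovery property described above (a delete or an overwrite on a versioned bucket never destroys the earlier data) is easier to see in code. The following is an added example, not code from the page or from AWS: an in-memory stand-in for a bucket that mimics S3 Versioning semantics (each PUT creates a new version, a DELETE without a version id only adds a delete marker, and an old version can be copied back on top). The bucket, keys and bodies are constructed for the example.

```python
"""Toy model of S3 Versioning semantics. Added example; the in-memory
bucket is a stand-in constructed so the code runs offline."""

from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]  # None means this version is a delete marker

    @property
    def is_delete_marker(self) -> bool:
        return self.body is None


class VersionedBucket:
    def __init__(self, versioning_enabled: bool = True) -> None:
        self.versioning_enabled = versioning_enabled
        self._versions: Dict[str, List[Version]] = {}  # key -> versions, oldest first
        self._ids = count(1)

    def _new_id(self) -> str:
        return f"v{next(self._ids):04d}"

    def put(self, key: str, body: bytes) -> str:
        versions = self._versions.setdefault(key, [])
        if not self.versioning_enabled:
            versions.clear()  # unversioned bucket: the old content is overwritten in place
        ver = Version(self._new_id(), body)
        versions.append(ver)
        return ver.version_id

    def get(self, key: str, version_id: Optional[str] = None) -> Optional[bytes]:
        versions = self._versions.get(key, [])
        if not versions:
            return None
        if version_id is None:
            # A GET without a version id reads the current version; a delete
            # marker on top makes the object look deleted.
            current = versions[-1]
            return None if current.is_delete_marker else current.body
        for v in versions:
            if v.version_id == version_id:
                return v.body
        return None

    def delete(self, key: str, version_id: Optional[str] = None) -> None:
        versions = self._versions.get(key, [])
        if not versions:
            return
        if version_id is None:
            if self.versioning_enabled:
                versions.append(Version(self._new_id(), None))  # delete marker only
            else:
                versions.clear()  # unversioned: the data is gone for good
            return
        # Deleting a specific version (or a delete marker) removes it permanently.
        self._versions[key] = [v for v in versions if v.version_id != version_id]

    def list_versions(self, key: str) -> List[Version]:
        return list(self._versions.get(key, []))

    def restore(self, key: str, version_id: str) -> Optional[str]:
        """Restore an old version by copying it to the top of the stack, as a
        CopyObject of that version onto the same key would do."""
        body = self.get(key, version_id)
        if body is None:
            return None
        return self.put(key, body)


def demo() -> dict:
    """Bad write followed by an accidental delete, then recovery from v1."""
    b = VersionedBucket()
    v1 = b.put("config.json", b'{"mode": "safe"}')
    v2 = b.put("config.json", b'{"mode": "open"}')  # accidental bad write
    b.delete("config.json")                           # accidental delete: adds a marker
    after_delete = b.get("config.json")               # looks gone...
    restored_id = b.restore("config.json", v1)        # ...but v1 is still there
    return {
        "v1": v1,
        "v2": v2,
        "after_delete": after_delete,
        "versions_kept": len(b.list_versions("config.json")),
        "restored_body": b.get("config.json"),
        "restored_id": restored_id,
    }
```

The same sequence on a bucket created with versioning_enabled=False loses the object at the delete step, which is why enabling versioning (ideally with MFA Delete or an object lock) is a standard control against accidental or malicious deletion.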
Question 4
What AWS team assists customers with accelerating cloud adoption through paid engagements in any of several specialty practice areas?
A) AWS Enterprise Support
B) AWS Solutions Architects
C) AWS Professional Services
D) AWS Account Managers
Answer: C
The AWS Professional Services organization is a global team of experts that can help you realize your desired business outcomes when using the AWS Cloud. They work together with your team and your chosen member of the AWS Partner Network (APN) to execute your enterprise cloud computing initiatives.
The team provides assistance through a collection of offerings that help you achieve specific outcomes related to enterprise cloud adoption, and delivers focused guidance through global specialty practices covering a variety of solutions, technologies, and industries. In addition to working alongside customers, they share their experience through tech talk webinars, whitepapers, and blog posts that are available to anyone.
Question 5
A customer would like to design and build a new workload on AWS Cloud but does not have the AWS-related software technical expertise in-house. Which of the following AWS programs can a customer take advantage of to achieve that outcome?
A) AWS Partner Network Technology Partners
B) AWS Marketplace
C) AWS Partner Network Consulting Partners
D) AWS Service Catalogue
Answer: C
APN Consulting Partners are professional services firms that help customers of all types and sizes design, architect, build, migrate, and manage their workloads and applications on AWS, accelerating their journey to the cloud.
-INCORRECT ANSWERS-
-APN Technology Partners provide specific software solutions such as SAP, Tableau, and Infor. The question says that the company lacks cloud expertise, and the support an APN Technology Partner can give is limited to its product. APN Consulting Partners give a wider range of support, including architecture, implementation, and so on.
Question 6
Distributing workloads across multiple Availability Zones supports which cloud architecture design principle?
A) Implement automation.
B) Design for agility.
C) Design for failure.
D) Implement elasticity.
Answer: C
Using multiple Availability Zones removes single points of failure, which is part of designing for failure (one of the Reliability design principles and best practices). Each Availability Zone is engineered to be independent from failures in other Availability Zones.
An example of an implementation designed for failure: a fleet of application servers is distributed across multiple Availability Zones and attached to an ELB. When the EC2 instances in a particular Availability Zone fail their health checks, the ELB stops sending traffic to those nodes. In addition, AWS Auto Scaling ensures that the correct number of EC2 instances is available to run your application, launching and terminating instances based on demand as defined by your scaling policies.
Question 7
Which AWS services can host a Microsoft SQL Server database? (Choose two.)
A) Amazon EC2
B) Amazon Relational Database Service (Amazon RDS)
C) Amazon Aurora
D) Amazon Redshift
E) Amazon S3
Answer: A, B
EC2 can run any database you install yourself.
RDS offers Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and Microsoft SQL Server engines.
-INCORRECT ANSWERS-
-Aurora only supports MySQL- and PostgreSQL-compatible engines.
-Redshift is a data warehouse and S3 is object storage; neither runs SQL Server.
Question 8
Which of the following inspects AWS environments to find opportunities that can save money for users and also improve system performance?
A) AWS Cost Explorer
B) AWS Trusted Advisor
C) Consolidated billing
D) Detailed billing
Answer: B
AWS Trusted Advisor is an application that draws upon best practices learned from AWS's aggregated operational history of serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps.
Question 9
Which of the following Amazon EC2 pricing models allows customers to use existing server-bound software licenses?
A) Spot Instances
B) Reserved Instances
C) Dedicated Hosts
D) On-Demand Instances
Answer: C
A Dedicated Host is a physical EC2 server dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing server-bound software licenses, including Windows Server, SQL Server, and SUSE Linux Enterprise Server (subject to your license terms), and can also help you meet compliance requirements.
Question 10
Which AWS characteristics make AWS cost effective for a workload with dynamic user demand? (Choose two.)
A) High availability
B) Shared security model
C) Elasticity
D) Pay-as-you-go pricing
E) Reliability
Answer: C, D
The six advantages of cloud computing:
-Trade capital expense for variable expense (pay-as-you-go: pay based on usage only)
-Benefit from massive economies of scale
-Stop guessing about capacity (elasticity makes it feasible to add and remove resources as needed)
-Increase speed and agility
-Stop spending money running and maintaining data centres
-Go global in minutes
Question 11
Which service enables risk auditing by continuously monitoring and logging account activity, including user actions in the AWS Management Console and AWS SDKs?
A) Amazon CloudWatch
B) AWS CloudTrail
C) AWS Config
D) AWS Health
Answer: B
CloudTrail tracks user activity and API usage. It helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
-INCORRECT ANSWERS-
-CloudWatch Logs collects and reports on application and system logs.
-CloudWatch Events is a near-real-time stream of system events describing changes to your AWS resources.
-AWS Config records the configuration of your resources and how it changes over time, not who did what.
-AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and accounts. You can use AWS Health events to learn how service and resource changes might affect your applications running on AWS. AWS Health provides relevant and timely information to help you manage events in progress and helps you be aware of and prepare for planned activities. The service delivers alerts and notifications triggered by changes in the health of AWS resources, so that you get near-instant event visibility and guidance to help accelerate troubleshooting.
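The value of CloudTrail for risk auditing comes from what you do with the recorded events. The following is an added example, not code from the page or from AWS: three detections run over CloudTrail-shaped records (field names such as userIdentity.type, additionalEventData.MFAUsed and eventSource are the real ones; the records themselves are constructed for this example). It flags use of the root account, successful console logins without MFA (the MFA point from the IAM best practices later on this page), and API calls that disable or alter the trail itself.

```python
"""Simple CloudTrail detections. Added example; the records below are
constructed to look like CloudTrail JSON, the values are made up."""

import json
from typing import Dict, List

# Constructed sample trail file: one non-MFA console login, one root call that
# stops logging, and one ordinary role-based S3 read that should not alert.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-05T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-05T09:15:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2024-01-05T10:02:13Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]})

# CloudTrail API calls an attacker uses to blind the audit log.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect(records: List[Dict]) -> List[Dict]:
    """Return one finding per rule hit, in record order."""
    findings = []
    for r in records:
        who = r.get("userIdentity", {})
        base = {"time": r["eventTime"], "event": r["eventName"],
                "ip": r.get("sourceIPAddress")}
        # Rule 1: the root user should never be used for day-to-day work.
        if who.get("type") == "Root":
            findings.append({**base, "rule": "root-account-used"})
        # Rule 2: a successful console login where MFAUsed is anything but "Yes".
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append({**base, "rule": "console-login-without-mfa",
                             "user": who.get("userName")})
        # Rule 3: changes to the trail itself are a classic defence-evasion step.
        if (r.get("eventSource") == "cloudtrail.amazonaws.com"
                and r["eventName"] in AUDIT_TAMPERING):
            findings.append({**base, "rule": "cloudtrail-tampering"})
    return findings


def run(trail_json: str) -> List[Dict]:
    """Parse a CloudTrail log file (the {"Records": [...]} shape) and detect."""
    return detect(json.loads(trail_json)["Records"])


if __name__ == "__main__":
    for f in run(SAMPLE_TRAIL):
        print(f)
```

In a real deployment the same logic runs over the trail's S3 objects or over CloudTrail events forwarded to CloudWatch Logs; the point is that CloudTrail records the identity, the MFA state, the source IP and the API name for every call, which is exactly what these rules need.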
Question 12
Which of the following are characteristics of Amazon S3? (Choose two.)
A) A global file system
B) An object store
C) A local file store
D) A network file system
E) A durable storage system
Answer: B, E
S3 provides developers and IT teams with secure, durable, highly scalable binary object storage. It has a simple, easy-to-use web services interface to store and retrieve any amount of data from anywhere on the web. S3 is object-based storage for things like pictures, text files, and videos, NOT for databases, applications, or operating systems.
S3 is designed for 99.999999999% durability: objects are stored on multiple devices across multiple Availability Zones.
-INCORRECT ANSWERS-
-It is not a global file system. S3 is available in every region, but by default an object sits only in the region where its bucket was created; you can replicate buckets/objects across regions for reliability and disaster recovery, but that is something you configure.
-It is definitely not a local file store.
-S3 is not a file system. It is a binary object store that keeps data as key-value pairs, essentially a type of NoSQL key-value store: each bucket is a flat namespace, the key is the full object path (what looks like a folder path) and the value is the binary object. It is presented like a file system and people tend to use it like one, but underneath it is not a file system and lacks many of the common traits of one.
Question 13
Which services can be used across hybrid AWS Cloud architectures? (Choose two.)
A) Amazon Route 53
B) Virtual Private Gateway
C) Classic Load Balancer
D) Auto Scaling
E) Amazon CloudWatch default metrics
Answer: A, B
Route 53: inbound query capability is provided by Route 53 Resolver endpoints, allowing DNS queries that originate on-premises to resolve AWS-hosted domains.
Virtual Private Gateway: the anchor of a VPN connection on the AWS side, making it possible to establish a VPN connection between AWS and on-premises networks.
-INCORRECT ANSWERS-
-CloudWatch default metrics only cover AWS resources; on-premises servers can publish custom metrics through the CloudWatch agent, but that is not the default metrics.
-Classic Load Balancers only register EC2 instances as targets. An Application Load Balancer, which can use IP addresses as targets, may be suitable, but a Classic Load Balancer is not.
-Auto Scaling only launches and terminates EC2 instances.
Question 14
What costs are included when comparing AWS Total Cost of Ownership (TCO) with on-premises TCO?
A) Project management
B) Antivirus software licensing
C) Data center security
D) Software development
Answer: C
Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden, as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The cost of that physical data center security is part of the on-premises TCO that moving to AWS removes. The nature of this shared responsibility also provides the flexibility and customer control that permit the deployment. This differentiation of responsibility is commonly referred to as security "of" the cloud versus security "in" the cloud.
Question 15
A company is considering using AWS for a self-hosted database that requires a nightly shutdown for maintenance and cost-saving purposes. Which service should the company use?
A) Amazon Redshift
B) Amazon DynamoDB
C) Amazon Elastic Compute Cloud (Amazon EC2) with Amazon EC2 instance store
D) Amazon EC2 with Amazon Elastic Block Store (Amazon EBS)
Answer: D
Amazon Elastic Block Store (EBS) is an easy-to-use, high-performance block storage service designed for use with Amazon EC2 for both throughput- and transaction-intensive workloads at any scale. A broad range of workloads, such as relational and non-relational databases, enterprise applications, containerized applications, big data analytics engines, file systems, and media workflows, are widely deployed on Amazon EBS.
You can choose from different volume types to balance price and performance. You can achieve single-digit-millisecond latency for high-performance database workloads or gigabyte-per-second throughput for large, sequential workloads. You can change volume types, tune performance, or increase volume size without disrupting your critical applications, so you have cost-effective storage when you need it.
EBS volumes preserve their data through instance stops (and through terminations, unless the volume's DeleteOnTermination flag is set, which it is by default for root volumes), can be easily backed up with EBS snapshots, can be detached from one instance and reattached to another, and support full-volume encryption. That persistence across a stop is what makes a nightly shutdown possible.
-INCORRECT ANSWERS-
-Some Amazon EC2 instance types come with a form of directly attached block-device storage known as the instance store. The instance store is ideal for temporary storage, because data stored in instance store volumes does not persist through instance stops, terminations, or hardware failures. Instance store is ephemeral, in other words, so a nightly shutdown would lose the database.
Question 16
Which of the following is a correct relationship between regions, Availability Zones, and edge locations?
A) Data centers contain regions.
B) Regions contain Availability Zones.
C) Availability Zones contain edge locations.
D) Edge locations contain regions.
Answer: B
A Region is a geographical area that has two or more Availability Zones. Each Region is completely independent.
An Availability Zone (AZ) consists of one or more discrete data centres (buildings filled with servers), each with redundant power, networking, and connectivity, housed in separate facilities. If an AZ has more than one data centre, they still count as one AZ because they are located close together. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.
-NOTES-
-Edge locations are endpoints used for caching content. They are located in most of the major cities around the world and are specifically used by CloudFront to distribute content closer to end users to reduce latency. They are separate from Regions and Availability Zones.
Question 17
Which AWS tools assist with estimating costs? (Choose three.)
A) Detailed billing report
B) Cost allocation tags
C) AWS Pricing Calculator
D) AWS Total Cost of Ownership (TCO) Calculator
E) Cost Estimator
Answer: B, C, D
B - To forecast your costs, use AWS Cost Explorer. Use cost allocation tags to divide your resources into groups, and then estimate the costs for each group.
C - To estimate a bill, use the AWS Pricing Calculator (formerly the AWS Simple Monthly Calculator).
D - Use the AWS Total Cost of Ownership (TCO) Calculator to compare the cost of running your applications in an on-premises or colocation environment to AWS.
-INCORRECT ANSWERS-
A - The detailed billing report shows what you have already been charged; it does not estimate future costs.
E - There is no AWS tool called "Cost Estimator"; the option is likely a distractor meant to make people think of Cost Explorer.
Question 18
Which of the following are advantages of AWS consolidated billing? (Choose two.)
A) The ability to receive one bill for multiple accounts
B) Service limits increasing by default in all accounts
C) A fixed discount on the monthly bill
D) Potential volume discounts, as usage in all accounts is combined
E) The automatic extension of the master account's AWS support plan to all accounts
Answer: A, D
AWS Organizations is an account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage. It allows you to:
-programmatically create new AWS accounts and allocate resources
-group accounts to organize your workflows
-apply policies to accounts or groups for governance
-define central configurations and audit requirements
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities help you meet the budgetary, security, and compliance needs of your business.
-control access, manage compliance, and coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible to specific users, groups, and roles)
-share resources across your AWS accounts
-combine usage from all accounts in the organization to qualify for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
-INCORRECT ANSWERS-
-The AWS Support plan on the master account of an organization does not automatically apply to member accounts in the organization.
-Service limits are per account and are not raised by joining an organization, and the volume discount depends on usage rather than being fixed.
Question 19
Which of the following Reserved Instance (RI) pricing models provides the highest average savings compared to On-Demand pricing?
A) One-year, No Upfront, Standard RI pricing
B) One-year, All Upfront, Convertible RI pricing
C) Three-year, All Upfront, Standard RI pricing
D) Three-year, No Upfront, Convertible RI pricing
Answer: C
Standard Reserved Instances provide you with a significant discount compared to On-Demand Instance pricing and can be purchased for a 1-year or 3-year term. Customers have the flexibility to change the Availability Zone, the instance size, and the networking type of their Standard Reserved Instances.
Purchase Convertible Reserved Instances if you need additional flexibility, such as the ability to use different instance families, operating systems, or tenancies over the Reserved Instance term. Convertible Reserved Instances provide a smaller discount than Standard Reserved Instances.
-STANDARD RESERVED INSTANCE PRICING-
Reserved Instance savings (up to), compared to On-Demand:
Standard, one year:
-all upfront = approx. 41%
-partial upfront = approx. 40%
-no upfront = approx. 37%
Standard, three years:
-all upfront = approx. 62%
-partial upfront = approx. 60%
-no upfront = approx. 57%
The longer the term and the more paid upfront, the larger the discount, so three-year, All Upfront, Standard is the highest.
Question 20
Compared with costs in traditional and virtualized data centers, AWS has:
A) greater variable costs and greater upfront costs.
B) fixed usage costs and lower upfront costs.
C) lower variable costs and greater upfront costs.
D) lower variable costs and lower upfront costs.
Answer: D
The cloud allows you to trade high initial CapEx (such as data centers and physical servers) for a variable OpEx model, paying for IT only as you consume it. The variable OpEx expenses are also much lower than what you would pay to do it yourself, because of the massive economies of scale that AWS has created.
Question 21
A characteristic of edge locations is that they:
A) host Amazon EC2 instances closer to users.
B) help lower latency and improve performance for users.
C) cache frequently changing data without reaching the origin server.
D) refresh data changes daily.
Answer: B
Edge locations help to improve performance for your users while lowering the operational burden and cost of scaling your origin resources. They are endpoints used for caching content, located in most of the major cities around the world, and are specifically used by CloudFront to distribute content closer to end users to reduce latency.
Question 22
Which of the following can limit Amazon Simple Storage Service (Amazon S3) bucket access to specific users?
A) A public and private key pair
B) Amazon Inspector
C) AWS Identity and Access Management (IAM) policies
D) Security Groups
Answer: C
You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or to AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request; the permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
-INCORRECT ANSWERS-
-A- A key pair, consisting of a private key and a public key, is a set of security credentials that you use to prove your identity when connecting to an EC2 instance; it does not control S3 access.
-B- Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
-D- A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic; it has no role in S3 bucket permissions.
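The rule AWS applies when it evaluates those JSON policies is: an explicit Deny anywhere wins, otherwise any matching Allow grants the request, otherwise the request is implicitly denied. The following is an added example, not code from the page or from AWS, that models that logic for a bucket-scoped identity policy. The bucket name, policy and requests are constructed; the evaluator covers only Effect/Action/Resource with IAM-style wildcards plus the Bool and BoolIfExists condition operators on aws:MultiFactorAuthPresent, not the full IAM grammar. It also shows why a Deny written with Bool does not catch requests signed with long-term access keys (the key is absent, so Bool never matches) while BoolIfExists does.

```python
"""Minimal model of IAM policy evaluation for S3 bucket access.
Added example; policy and requests are constructed for illustration."""

import fnmatch
from typing import Dict, List, Optional

BUCKET = "arn:aws:s3:::example-reports"  # constructed bucket ARN


def build_policy(mfa_operator: str = "BoolIfExists") -> Dict:
    """Identity policy for one bucket: list it, read anything in it, write and
    delete only under incoming/, never touch finance/, and deny deletes when
    the caller has not authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{BUCKET}/incoming/*"},
            {"Effect": "Deny", "Action": "s3:*", "Resource": f"{BUCKET}/finance/*"},
            {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*",
             "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _cond_matches(cond: Dict, ctx: Dict[str, str]) -> bool:
    """Every clause must match. Bool requires the key to be present; BoolIfExists
    also matches when the key is absent, which is the behaviour you want for a Deny."""
    for op, clauses in cond.items():
        for key, want in clauses.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or have.lower() != str(want).lower():
                    return False
            elif op == "BoolIfExists":
                if have is not None and have.lower() != str(want).lower():
                    return False
            else:
                raise ValueError(f"condition operator not modelled: {op}")
    return True


def _stmt_matches(stmt: Dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    # IAM's '*' and '?' wildcards behave like fnmatch's; '*' also spans '/'.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _cond_matches(stmt.get("Condition", {}), ctx))


def evaluate(policies: List[Dict], action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    ctx = ctx or {}
    decision = "ImplicitDeny"  # nothing matched yet: default deny
    for pol in policies:
        for stmt in pol["Statement"]:
            if not _stmt_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a Deny always wins, stop immediately
            decision = "Allow"
    return decision


if __name__ == "__main__":
    weak, strong = build_policy("Bool"), build_policy("BoolIfExists")
    obj = f"{BUCKET}/incoming/report.csv"
    print("access-key delete, Bool deny:        ", evaluate([weak], "s3:DeleteObject", obj, {}))
    print("access-key delete, BoolIfExists deny:", evaluate([strong], "s3:DeleteObject", obj, {}))
```

Real evaluation also folds in resource-based bucket policies, permissions boundaries, SCPs and session policies, but the deny-overrides-allow-overrides-default-deny core is the same, and the Bool versus BoolIfExists trap is a common real-world misconfiguration in "require MFA" policies.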
Question 23
Which of the following security-related actions are available at no cost?
A) Calling AWS Support
B) Contacting AWS Professional Services to request a workshop
C) Accessing forums, blogs, and whitepapers
D) Attending AWS classes at a local university
Answer: C
The free Basic Support plan only provides:
-Customer Service and Communities: 24x7 access to customer service, documentation, whitepapers, and support forums.
-AWS Trusted Advisor: access to the 7 core Trusted Advisor checks and guidance to provision your resources following best practices to increase performance and improve security.
-AWS Personal Health Dashboard.
-INCORRECT ANSWERS-
-A- Technical support cases are only included in the paid Developer, Business, and Enterprise support plans, and phone support starts at the Business plan.
-B- Professional Services engagements are paid.
-D- Attending an AWS class at a local university would likely cost money.
Question 24
Which of the Reserved Instance (RI) pricing models can change the attributes of the RI as long as the exchange results in the creation of RIs of equal or greater value?
A) Dedicated RIs
B) Scheduled RIs
C) Convertible RIs
D) Standard RIs
Answer: C
Convertible RIs provide a discount and the capability to change the attributes of the RI as long as the exchange results in the creation of Reserved Instances of equal or greater value. Like Standard RIs, Convertible RIs are best suited for steady-state usage.
Question 25
Which AWS feature will reduce the customer's total cost of ownership (TCO)?
A) Shared responsibility security model
B) Single tenancy
C) Elastic computing
D) Encryption
Answer: C
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible."
Some cloud solutions can also be adjusted automatically to meet these needs: you can set them up to scale up or down based on certain conditions, such as when your solution has too many resources and some are under-utilised, or when it has too few resources and is running out of processing power.
A core reason organizations adopt a cloud IT infrastructure is to save money. The traditional approach of analyzing Total Cost of Ownership no longer applies when you move to the cloud. Cloud services provide the opportunity to use only what you need and pay only for what you use; AWS refers to this new paradigm as the Total Cost of Operation. You can use Total Cost of Operation (TCO) analysis methodologies to compare the costs of owning a traditional data center with the costs of operating your environment using AWS Cloud services.
Question 26
Which of the following services will automatically scale with an expected increase in web traffic?
A) AWS CodePipeline
B) Elastic Load Balancing
C) Amazon EBS
D) AWS Direct Connect
Answer: B
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers four types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.
-INCORRECT ANSWERS-
-A & C- CodePipeline (a CI/CD service) and EBS (fixed-size block storage attached to an instance) have nothing to do with web traffic.
-D- Direct Connect is a dedicated network connection; it is about enabling private network traffic between AWS and an on-premises location in the first place, not scaling with load.
Question 27
Where are AWS compliance documents, such as an SOC 1 report, located?
A) Amazon Inspector
B) AWS CloudTrail
C) AWS Artifact
D) AWS Certificate Manager
Answer: C
AWS Artifact is the central resource for compliance-related information. It provides on-demand access to AWS security and compliance reports and select online agreements. Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
Question 28
Under the AWS shared responsibility model, which of the following activities are the customer's responsibility? (Choose two.)
A) Patching operating system components for Amazon Relational Database Service (Amazon RDS)
B) Encrypting data on the client side
C) Training the data center staff
D) Configuring Network Access Control Lists (ACLs)
E) Maintaining environmental controls within a data center
Answer: B, D
-B- Data configuration is the responsibility of the customer (i.e. encrypting data at rest and in transit, including client-side encryption).
-D- A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. Network ACLs are the customer's responsibility.
-INCORRECT ANSWERS-
-A, C, E- Patching the operating system under a managed service like RDS, training data center staff, and maintaining environmental controls in the data center are all AWS's responsibility (security "of" the cloud).
-NOTES-
-Security groups and network ACLs are different things: a security group is stateful and attached to instances (ENIs), while a network ACL is stateless and attached to subnets.
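The practical consequence of that difference is the classic hybrid mistake of allowing inbound HTTPS in a network ACL but forgetting the outbound rule for the client's ephemeral ports, which a security group would have handled automatically. The following is an added example, not code from the page or from AWS, that models both behaviours: numbered network ACL rules evaluated in ascending order with first match wins and an implicit deny at the end, versus an allow-only, stateful security group. The rule sets and client addresses are constructed for the example.

```python
"""Network ACL (stateless, ordered, first match wins) versus security group
(stateful, allow-only). Added example; rules and addresses are constructed."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; evaluated in ascending order (ignored for SGs)
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny" (security groups only have "allow")


def _matches(rule: Rule, proto: str, port: int, addr: str) -> bool:
    return (rule.protocol in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ip_address(addr) in ip_network(rule.cidr))


def nacl_decision(rules: List[Rule], proto: str, port: int, addr: str) -> Tuple[str, int]:
    """First matching rule in number order wins; the '*' rule at the end denies.
    Stateless: this must be run separately for each direction of a flow."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, addr):
            return rule.action, rule.number
    return "deny", -1  # -1 stands for the catch-all '*' rule


def sg_allows(rules: List[Rule], proto: str, port: int, addr: str) -> bool:
    """Stateful and allow-only: any matching allow rule permits the flow, and the
    reply is permitted automatically whatever the rules in the other direction say."""
    return any(r.action == "allow" and _matches(r, proto, port, addr) for r in rules)


def https_roundtrip_via_nacl(inbound: List[Rule], outbound: List[Rule],
                             client_ip: str, client_port: int) -> Dict:
    """A client connects to port 443; the reply goes back to its ephemeral port."""
    request = nacl_decision(inbound, "tcp", 443, client_ip)
    response = nacl_decision(outbound, "tcp", client_port, client_ip)
    return {"request": request, "response": response,
            "connection_works": request[0] == "allow" and response[0] == "allow"}


# Constructed rule sets.
ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)  # client source ports that return traffic must reach
INBOUND = [Rule(100, "tcp", 443, 443, ANY, "allow")]
OUTBOUND_BROKEN = [Rule(100, "tcp", 443, 443, ANY, "allow")]   # forgot return traffic
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", *EPHEMERAL, ANY, "allow")]
# A deny for one network placed before the allow: order decides the outcome.
INBOUND_WITH_BLOCK = [Rule(50, "tcp", 443, 443, "198.51.100.0/24", "deny")] + INBOUND
INBOUND_BLOCK_TOO_LATE = INBOUND + [Rule(200, "tcp", 443, 443, "198.51.100.0/24", "deny")]
SG_RULES = [Rule(0, "tcp", 443, 443, ANY, "allow")]  # number unused for security groups


if __name__ == "__main__":
    print(https_roundtrip_via_nacl(INBOUND, OUTBOUND_BROKEN, "203.0.113.7", 51234))
    print(https_roundtrip_via_nacl(INBOUND, OUTBOUND_FIXED, "203.0.113.7", 51234))
    print(nacl_decision(INBOUND_WITH_BLOCK, "tcp", 443, "198.51.100.9"))
    print(nacl_decision(INBOUND_BLOCK_TOO_LATE, "tcp", 443, "198.51.100.9"))
```

Two things to check when reviewing a network ACL: that the ephemeral port range is open in the direction the replies travel, and that any deny rule has a lower number than the allow it is meant to override, since evaluation stops at the first match.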
Question 29
Which is a recommended pattern for designing a highly available architecture on AWS?
A) Ensure that components have low-latency network connectivity.
B) Run enough Amazon EC2 instances to operate at peak load.
C) Ensure that the application is designed to accommodate failure of any single component.
D) Use a monolithic application that handles all operations.
Answer: C
Highly available systems are reliable in the sense that they continue operating even when critical components fail. They are also resilient, meaning that they are able to handle failure without service disruption or data loss and to recover from such failure seamlessly.
Question 30
According to best practices, how should an application be designed to run in the AWS Cloud?
A) Use tightly coupled components.
B) Use loosely coupled components.
C) Use infrequently coupled components.
D) Use frequently coupled components.
Answer: B
Loose coupling: as application complexity increases, a desirable attribute of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies; a change or a failure in one component should not cascade to other components.
Question 31
AWS supports which of the following methods to add security to Identity and Access Management (IAM) users? (Choose two.)
A) Implementing Amazon Rekognition
B) Using AWS Shield-protected resources
C) Blocking access with Security Groups
D) Using Multi-Factor Authentication (MFA)
E) Enforcing password strength and expiration
Answer: D, E
IAM best practices: to help secure your AWS resources, follow these recommendations for the AWS Identity and Access Management (IAM) service:
-Lock away your AWS account root user access keys
-Create individual IAM users
-Use groups to assign permissions to IAM users
-Grant least privilege
-Get started using permissions with AWS managed policies
-Use customer managed policies instead of inline policies
-Use access levels to review IAM permissions
-Configure a strong password policy for your users
-Enable MFA (virtual MFA devices are typically used rather than physical tokens)
-Use roles for applications that run on Amazon EC2 instances
-Use roles to delegate permissions
-Do not share access keys
-Rotate credentials regularly
-Remove unnecessary credentials
-Use policy conditions for extra security
-Monitor activity in your AWS account
Question 32
Which AWS services should be used for read/write of constantly changing data? (Choose two.)
A) Amazon Glacier
B) Amazon RDS
C) AWS Snowball
D) Amazon Redshift
E) Amazon EFS
Data that must be updated very frequently might be best served by a storage solution with lower read/write latencies, such as Amazon EBS, Amazon RDS, Amazon EFS, Amazon DynamoDB, or relational databases running on Amazon EC2.
-RDS is a managed service for relational databases like MySQL and MariaDB. Simple and fast to set up and scale.
-EFS is a cloud-native service for network-attachable storage that can be mounted on multiple EC2 instances. It is one of the most expensive storage options on AWS, but it is a managed service, is fault tolerant, and with 'Amazon EFS Infrequent Access' it can be more affordable.
Incorrect answers:
-Amazon Glacier is a data archiving service with relatively slow data retrieval times.
Question 33
What is one of the advantages of the Amazon Relational Database Service (Amazon RDS)? (Choose three.)
A) It simplifies relational database administration tasks.
B) It provides 99.99999999999% reliability and durability.
C) It automatically scales databases for loads.
D) It enables users to dynamically adjust CPU and RAM resources.
A - RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.
C - Amazon RDS now supports Storage Auto Scaling.
D - You can scale the compute and memory resources powering your deployment up or down, up to a maximum of 32 vCPUs and 244 GiB of RAM. Compute scaling operations typically complete in a few minutes.
Incorrect answers:
B - these are the S3 reliability and durability figures.
Question 34
A customer needs to run a MySQL database that easily scales. Which AWS service should they use?
A) Amazon Aurora
B) Amazon Redshift
C) Amazon DynamoDB
D) Amazon ElastiCache
Amazon Aurora supports MySQL and will automatically grow the size of your database volume as your database storage needs grow, up to a maximum of 64 TB or a maximum you define.
Question 35
Which of the following components of the AWS Global Infrastructure consists of one or more discrete data centers interconnected through low latency links?
A) Availability Zone
B) Edge location
C) Region
D) Private networking
An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
Question 36
Which of the following is a shared control between the customer and AWS?
A) Providing a key for Amazon S3 client-side encryption
B) Configuration of an Amazon EC2 instance
C) Environmental controls of physical AWS data centers
D) Awareness and training
AWS trains AWS employees, but a customer must train their own employees.
Question 37
How many Availability Zones should compute resources be provisioned across to achieve high availability?
A) A minimum of one
B) A minimum of two
C) A minimum of three
D) A minimum of four or more
Most providers of real-time communications align with service levels that provide availability from 99.9% to 99.999%. Depending on the degree of high availability (HA) that you want, you must take increasingly sophisticated measures along the full lifecycle of the application. We recommend following these guidelines to achieve a robust degree of high availability:
-Design the system to have no single point of failure. Use automated monitoring, failure detection, and failover mechanisms for both stateless and stateful components.
-Single points of failure (SPOF) are commonly eliminated with an N+1 or 2N redundancy configuration, where N+1 is achieved via load balancing among active–active nodes, and 2N is achieved by a pair of nodes in active–standby configuration.
-AWS has several methods for achieving HA through both approaches, such as through a scalable, load balanced cluster or assuming an active–standby pair.
-Correctly instrument and test system availability.
-Prepare operating procedures for manual mechanisms to respond to, mitigate, and recover from the failure.
Question 38
One of the advantages to moving infrastructure from an on-premises data center to the AWS Cloud is:
A) it allows the business to eliminate IT bills.
B) it allows the business to put a server in each customer's data center.
C) it allows the business to focus on business activities.
D) it allows the business to leave servers unpatched.
Stop spending money running and maintaining datacenters – Focus on projects that differentiate your business, not the infrastructure. Cloud computing lets you focus on your own customers, rather than on the heavy lifting of racking, stacking, and powering servers.
Question 39
What is the lowest-cost, durable storage option for retaining database backups for immediate retrieval?
A) Amazon S3
B) Amazon Glacier
C) Amazon EBS
D) Amazon EC2 Instance Store
Amazon Simple Storage Service (Amazon S3) provides developers and IT teams secure, durable, highly scalable object storage at a very low cost. You can store and retrieve any amount of data, at any time, from anywhere on the web through a simple web service interface. You can write, read, and delete objects containing from zero to 5 TB of data. Amazon S3 is highly scalable, allowing concurrent read or write access to data by many separate clients or application threads.
S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access and S3 One Zone-Infrequent Access all have millisecond first-byte latency.
Traffic between Amazon EC2 and Amazon S3 can leverage up to 100 Gbps of bandwidth to VPC endpoints and public IPs in the same Region.
Incorrect answers:
-EBS would require an EC2 instance to be running constantly to achieve the same retrieval speeds. Multiple EBS volume snapshots would need to be utilised to achieve the same reliability and durability as S3. Overall the cost would be higher.
-Glacier is also wrong, because compared to S3 it is ultra slow to restore your backup from there, as fast data retrieval times are traded off for a lower price.
-EC2 Instance Store is only ideal for temporary storage, because the data stored in instance store volumes is not persistent through instance stops, terminations, or hardware failures.
Question 40
Which AWS IAM feature allows developers to access AWS services through the AWS CLI?
A) API keys
B) Access keys
C) User names/Passwords
D) SSH keys
IAM users can be assigned an access key ID and secret access key for programmatic access to the AWS API (Application Programming Interface), CLI (Command Line Interface), SDK (Software Development Kit), and other development tools.
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. The only time that you can view or download the secret access key is when you create the keys. You cannot recover them later. However, you can create new access keys at any time.
Incorrect answers:
-D - SSH keys are needed to connect directly to and log in to an EC2 instance, not to access AWS services. SSH is not required to use the AWS CLI.
Question 41
Which of the following is a fast and reliable NoSQL database service?
A) Amazon Redshift
B) Amazon RDS
C) Amazon DynamoDB
D) Amazon S3
Amazon DynamoDB is a fast and flexible NoSQL database service for any scale. It is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multiregion, multimaster, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications.
Question 42
What is an example of agility in the AWS Cloud?
A) Access to multiple instance types
B) Access to managed services
C) Using Consolidated Billing to produce one bill
D) Decreased acquisition time for new compute resources
Agility is the practice of building in the ability to change quickly and inexpensively. The cloud not only makes these other practices practical but provides agility on its own. Infrastructure can be provisioned in minutes instead of months, and de-provisioned or changed just as quickly.
Question 43
Which service should a customer use to consolidate and centrally manage multiple AWS accounts?
A) AWS IAM
B) AWS Organizations
C) AWS Schema Conversion Tool
D) AWS Config
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Allows you to:
-programmatically create new AWS accounts and allocate resources
-group accounts to organize your workflows
-apply policies to accounts or groups for governance
-define central configurations and audit requirements
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business.
-control access, manage compliance, coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible by specific users, groups and roles)
-share resources across your AWS accounts.
-combine usage from all accounts in the organization to qualify you for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Question 44
What approach to transcoding a large number of individual video files adheres to AWS architecture principles?
A) Using many instances in parallel
B) Using a single large instance during off-peak hours
C) Using dedicated hardware
D) Using a large GPU instance type
A is correct because it is aligned with the Reliability Design Principles and Best Practices of scaling horizontally.
Reliability Design Principles and Best Practices
…
Scale horizontally to increase aggregate workload availability. Replace one large resource with multiple small resources to reduce the impact of a single failure on the overall workload. Distribute requests across multiple, smaller resources to ensure that they don't share a common point of failure.
Question 45
For which auditing process does AWS have sole responsibility?
A) AWS IAM policies
B) Physical security
C) Amazon S3 bucket policies
D) AWS CloudTrail Logs
AWS responsibility, Security of the Cloud - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the physical hardware, software, networking, and facilities that run AWS Cloud services.
Question 46
Which feature of the AWS Cloud will support an international company's requirement for low latency to all of its customers?
A) Fault tolerance
B) Global reach
C) Pay-as-you-go pricing
D) High availability
The AWS Global Infrastructure is built for performance. AWS Regions offer low latency, low packet loss, and high overall network quality. This is achieved with a fully redundant 100 GbE fiber network backbone, often providing many terabits of capacity between Regions. AWS Local Zones and AWS Wavelength, with our telco providers, provide performance for applications that require single-digit millisecond latencies by delivering AWS infrastructure and services closer to end-users and 5G connected devices. Whatever your application needs, you can quickly spin up resources as you need them, deploying hundreds or even thousands of servers in minutes.
Incorrect answers:
-High availability – this question isn't related to availability, as the resources for higher availability are triggered only during a failure.
Question 47
Which of the following is the customer's responsibility under the AWS shared responsibility model?
A) Patching underlying infrastructure
B) Physical security
C) Patching Amazon EC2 instances
D) Patching network infrastructure
Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
Question 48
A customer is using multiple AWS accounts with separate billing. How can the customer take advantage of volume discounts with minimal impact to the AWS resources?
A) Create one global AWS account and move all AWS resources to that account.
B) Sign up for three years of Reserved Instance pricing up front.
C) Use the consolidated billing feature from AWS Organizations.
D) Sign up for the AWS Enterprise support plan to get volume discounts.
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Allows you to:
-programmatically create new AWS accounts and allocate resources
-group accounts to organize your workflows
-apply policies to accounts or groups for governance
-define central configurations and audit requirements
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business.
-control access, manage compliance, coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible by specific users, groups and roles)
-share resources across your AWS accounts.
-combine usage from all accounts in the organization to qualify you for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Question 49
Which of the following is an AWS managed Domain Name System (DNS) web service?
A) Amazon Route 53
B) Amazon Neptune
C) Amazon SageMaker
D) Amazon Lightsail
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other.
Question 50
A customer is deploying a new application and needs to choose an AWS Region. Which of the following factors could influence the customer's decision? (Choose two.)
A) Reduced latency to users
B) The application's presentation in the local language
C) Data sovereignty compliance
D) Cooling costs in hotter climates
E) Proximity to the customer's office for on-site visits
-Costs of the AWS services can be different for each Region because the cost, taxes, manpower, etc. for the physical infrastructure and data centers differ from Region to Region.
-Latency depends on physical location. When your application is being accessed by your users, it should be blazing fast. So you need to identify the locations of your target audience and choose the Region with the lowest latency for your customers.
-Data sovereignty compliance differs across the nations of the world. Considerations will need to be taken when using AWS in an unfamiliar location.
-Most of the AWS services and features are Region dependent, and just a few are Region independent. Also, some services are not available in all Regions.
Question 51
Which storage service can be used as a low-cost option for hosting static websites?
A) Amazon Glacier
B) Amazon DynamoDB
C) Amazon Elastic File System (Amazon EFS)
D) Amazon Simple Storage Service (Amazon S3)
You can use Amazon S3 to host a static website. On a static website, individual webpages include static content. They might also contain client-side scripts.
By contrast, a dynamic website relies on server-side processing, including server-side scripts such as PHP, JSP, or ASP.NET. Amazon S3 does not support server-side scripting, but AWS has other resources for hosting dynamic websites.
Question 52
Which Amazon EC2 instance pricing model can provide discounts of up to 90%?
A) Reserved Instances
B) On-Demand
C) Dedicated Hosts
D) Spot Instances
Spot - Up to 90% discount
Reserved - Up to 75% discount
On-Demand - Full price
Dedicated Hosts - Higher cost than On-Demand
Question 53
What is the AWS customer responsible for according to the AWS shared responsibility model?
A) Physical access controls
B) Data encryption
C) Secure disposal of storage devices
D) Environmental risk management
The customer:
-assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
-should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
-is responsible for data configuration (i.e. encrypting data at rest and in transit).
Question 54
Which of the following AWS Cloud services can be used to run a customer-managed relational database?
A) Amazon EC2
B) Amazon Route 53
C) Amazon ElastiCache
D) Amazon DynamoDB
Key phrase is 'customer-managed'.
EC2 can be used to run a relational database on whatever operating system the EC2 instance is using, e.g. Microsoft SQL Server running on Microsoft Windows Server 2016.
Incorrect answers:
-DynamoDB is a NoSQL database, not a relational database, and so is not a correct answer.
-Route 53 is a DNS service, nothing related to databases.
-ElastiCache relates to in-memory data stores in the cloud, not really to do with databases at all.
Question 55
A company is looking for a scalable data warehouse solution. Which of the following AWS solutions would meet the company's needs?
A) Amazon Simple Storage Service (Amazon S3)
B) Amazon DynamoDB
C) Amazon Kinesis
D) Amazon Redshift
With Redshift, you can query and combine exabytes of structured and semi-structured data across your data warehouse, operational database, and data lake using standard SQL. Redshift lets you easily save the results of your queries back to your S3 data lake using open formats, like Apache Parquet, so that you can do additional analytics from other analytics services like Amazon EMR, Amazon Athena, and Amazon SageMaker.
Question 56
Which statement best describes Elastic Load Balancing?
A) It translates a domain name into an IP address using DNS.
B) It distributes incoming application traffic across one or more Amazon EC2 instances.
C) It collects metrics on connected Amazon EC2 instances.
D) It automatically adjusts the number of Amazon EC2 instances to support incoming traffic.
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers four types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant. Elastic Load Balancing scales with web traffic.
Incorrect answers:
-D - This is related to Auto Scaling and not Load Balancing.
Question 57
Which of the following are valid ways for a customer to interact with AWS services? (Choose two.)
A) Command line interface
B) On-premises
C) Software Development Kits
D) Software-as-a-service
E) Hybrid
There are three ways to interact with AWS services:
-AWS Management Console - Graphical interface to access AWS features
-Command Line Interface (CLI) - Lets you control AWS services from the command line
-Software Development Kits (SDK) - Enable you to access AWS using a variety of popular programming languages
Question 58
The AWS Cloud's multiple Regions are an example of:
A) agility.
B) global infrastructure.
C) elasticity.
D) pay-as-you-go pricing.
Global infrastructure > Regions > Availability Zones
The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from data centers globally. Whether you need to deploy your application workloads across the globe in a single click, or you want to build and deploy specific applications closer to your end-users with single-digit millisecond latency, AWS provides you the cloud infrastructure where and when you need it.
With millions of active customers and tens of thousands of partners globally, AWS has the largest and most dynamic ecosystem. Customers across virtually every industry and of every size, including start-ups, enterprises, and public sector organizations, are running every imaginable use case on AWS.
25 Regions
80 Availability Zones
230+ points of presence
Question 59
Which of the following AWS services can be used to serve large amounts of online video content with the lowest possible latency? (Choose two.)
A) AWS Storage Gateway
B) Amazon S3
C) Amazon Elastic File System (EFS)
D) Amazon Glacier
E) Amazon CloudFront
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.
CloudFront offers the most advanced security capabilities, including field level encryption and HTTPS support, seamlessly integrated with AWS Shield, AWS Web Application Firewall and Route 53 to protect against multiple types of attacks including network and application layer DDoS attacks. These services co-reside at edge networking locations – globally scaled and connected via the AWS network backbone – providing a more secure, performant, and available experience for your users.
CloudFront works seamlessly with any AWS origin, such as Amazon S3, Amazon EC2, Elastic Load Balancing, or with any custom HTTP origin. You can customize your content delivery through CloudFront using the secure and programmable edge computing feature AWS Lambda@Edge.
Question 60
Web servers running on Amazon EC2 access a legacy application running in a corporate data center. What term would describe this model?
A) Cloud-native
B) Partner network
C) Hybrid architecture
D) Infrastructure as a service
Hybrid cloud - Mix of public and private cloud
Question 61
What is the benefit of using AWS managed services, such as Amazon ElastiCache and Amazon Relational Database Service (Amazon RDS)?
A) They require the customer to monitor and replace failing instances.
B) They have better performance than customer-managed services.
C) They simplify patching and updating underlying OSs.
D) They do not require the customer to optimize instance type or size selections.
"AWS Managed Services takes care of all of your patching and backup activities to help keep your resources current and secure. When updates or patches are released by OS vendors, AWS Managed Services applies them in a timely and consistent manner to minimize the impact on your business.
Critical security patches are applied immediately, while others are applied based on the patch schedule you request. Backups of Stacks are automated using Amazon Elastic Block Store (EBS) and RDS snapshots, and can be restored in the event of a failure or outage, ensuring business continuity."
(https://aws.amazon.com/managed-services/features/)
Question 62
Which service provides a virtually unlimited amount of online highly durable object storage?
A) Amazon Redshift
B) Amazon Elastic File System (Amazon EFS)
C) Amazon Elastic Container Service (Amazon ECS)
D) Amazon S3
Amazon S3 is object storage built to store and retrieve any amount of data from anywhere on the Internet. It's a simple storage service that offers an extremely durable, highly available, and infinitely scalable data storage infrastructure at very low costs.
…
The size limit is for an individual object (5 TB), not for the whole S3 capacity, which is unlimited.
Question 63
Which of the following Identity and Access Management (IAM) entities is associated with an access key ID and secret access key when using AWS Command Line Interface (AWS CLI)?
A) IAM group
B) IAM user
C) IAM role
D) IAM policy
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Incorrect answers:
-IAM policies don't have access keys. The only way you will ever get an access key is to create one for an IAM user to use.
Question 64
Which of the following security-related services does AWS offer? (Choose two.)
A) Multi-factor authentication physical tokens
B) AWS Trusted Advisor security checks
C) Data encryption
D) Automated penetration testing
E) Amazon S3 copyrighted content detection
B - Trusted Advisor gives recommendations on performance, service quotas, cost optimisation, security and fault tolerance.
C - "AWS offers you the ability to add a layer of security to your data at rest in the cloud, providing scalable and efficient encryption features. These include:
-Data at rest encryption capabilities available in most AWS services, such as Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon SageMaker
-Flexible key management options, including AWS Key Management Service, that allow you to choose whether to have AWS manage the encryption keys or enable you to keep complete control over your own keys
-Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing you to help satisfy your compliance requirements
-Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS
-APIs for you to integrate encryption and data protection with any of the services you develop or deploy in an AWS environment."
Incorrect answers:
-A is incorrect because it uses the word "physical", which is not correct: you don't get anything physical delivered to your house with MFA; MFA is purely virtual.
Question 65
Which AWS managed service is used to host databases?
A) AWS Batch
B) AWS Artifact
C) AWS Data Pipeline
D) Amazon RDS
Amazon Relational Database Service (Amazon RDS) makes it easy to
set up, operate, and scale a relational database in the cloud. It
provides cost-efficient and resizable capacity while automating
time-consuming administration tasks such as hardware provisioning,
database setup, patching and backups. It frees you to focus on your
applications so you can give them the fast performance, high
availability, security and compatibility they need.
Question 66
Which AWS service provides a simple and scalable shared file storage solution for use with Linux-based AWS and on-premises servers?
A) Amazon S3
B) Amazon Glacier
C) Amazon EBS
D) Amazon EFS (need low latency, which this provides for Linux workloads)
Amazon Elastic File System (Amazon EFS) provides a simple,
scalable, fully managed elastic NFS file system for use with AWS Cloud
services and on-premises resources. It is built to scale on demand to
petabytes without disrupting applications, growing and shrinking
automatically as you add and remove files, eliminating the need to
provision and manage capacity to accommodate growth.
Amazon EFS is designed to provide the throughput, IOPS, and low latency needed for Linux workloads. Throughput and IOPS scale as a file system grows and can burst to higher throughput levels for short periods of time to support the unpredictable performance needs of file workloads. For the most demanding workloads, Amazon EFS can support performance over 10 GB/sec and up to 500,000 IOPS.
Incorrect Answers:
S3 is durable, global, object storage, not file storage. File storage = EFS
Question 67
When architecting cloud applications, which of the following is a key design principle?
A) Use the largest instance possible
B) Provision capacity for peak load
C) Use the Scrum development process
D) Implement elasticity
AWS encourages elasticity rather than provisioning specifically for peak traffic.
6 Advantages of Cloud Computing:
-Trade capital expense for variable expense
-Benefit from massive economies of scale
-Stop guessing about capacity (i.e. elasticity)
-Increased speed and agility
-Stop spending money running and maintaining data centres
-Go global in minutes
Another way you can save money with AWS is by taking advantage of the platform's elasticity. Plan to implement Auto Scaling for as many Amazon EC2 workloads as possible, so that you horizontally scale up when needed and scale down and automatically reduce your spending when you don't need that capacity anymore. In addition, you can automate turning off non-production workloads when not in use. Ultimately, consider which compute workloads you could implement on AWS Lambda so that you never pay for idle or redundant resources.
Question 68
Which AWS service should be used for long-term, low-cost storage of data backups?
A) Amazon RDS
B) Amazon Glacier
C) AWS Snowball
D) AWS EBS
Amazon S3 Glacier is a secure, durable, and low-cost storage class
of S3 for data archiving and long-term backup. Customers can store large
or small amounts of data for as little as $0.004 per gigabyte per month.
The S3 Glacier storage class is ideal for archives where data is
regularly retrieved and some of the data may be needed in minutes.
Incorrect Answers:
Amazon RDS is a relational database service that hosts databases. It helps you create and manage databases.
AWS Snowball is a petabyte-scale data transfer service that provides cost-efficient data transfer to AWS using tamper-proof physical devices.
Elastic Block Store offers persistent block storage volumes for EC2 instances.
Question 69
Under the shared responsibility model, which of the following is a shared control between a customer and AWS?
A) Physical controls
B) Patch management
C) Zone security
D) Data center auditing
Shared Controls:
-Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
-Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
-Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
-Awareness & Training - AWS trains AWS employees, but a customer must train their own employees.
Question 70
Which AWS service allows companies to connect an Amazon VPC to an on-premises data center?
A) AWS VPN
B) Amazon Redshift
C) API Gateway
D) Amazon Connect
There are two ways to connect on-premises to the cloud:
-Over the internet using a VPN connection
-Over a physical fibre cable using Direct Connect
AWS Virtual Private Network (VPN) solutions establish secure connections via the public internet between your on-premises networks, remote offices, client devices, and the AWS global network.
Incorrect answers:
-D- This is not AWS Direct Connect. Amazon Connect is a different service entirely. Amazon Connect is an easy-to-use omnichannel cloud contact center that helps you provide superior customer service at a lower cost.
Question 71
A company wants to reduce the physical compute footprint that developers use to run code. Which service would meet that need by enabling serverless architectures?
A) Amazon Elastic Compute Cloud (Amazon EC2)
B) AWS Lambda
C) Amazon DynamoDB
D) AWS CodeCommit
AWS Lambda is a compute service that lets you run code without
provisioning or managing servers. Lambda runs your code only when needed
and scales automatically, from a few requests per day to thousands per
second. You pay only for the compute time that you consume—there is no
charge when your code is not running. With Lambda, you can run code for
virtually any type of application or backend service, all with zero
administration. Lambda runs your code on a high-availability compute
infrastructure and performs all of the administration of the compute
resources, including server and operating system maintenance, capacity
provisioning and automatic scaling, code monitoring and logging.
Question 72
Which AWS service provides alerts when an AWS event may impact a company's AWS resources?
A) AWS Personal Health Dashboard
B) AWS Service Health Dashboard
C) AWS Trusted Advisor
D) AWS Infrastructure Event Management
AWS Personal Health Dashboard provides alerts and remediation
guidance when AWS is experiencing events that may impact you.
Incorrect answers:
While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.
Question 73
Which of the following are categories of AWS Trusted Advisor? (Choose two.)
A) Fault Tolerance
B) Instance Usage
C) Infrastructure
D) Performance
E) Storage Capacity
Like your customized cloud expert, AWS Trusted Advisor analyzes
your AWS environment and provides best practice recommendations in five
categories: cost optimization, performance, security, fault tolerance
and service limits.
Question 74
Which task is AWS responsible for in the shared responsibility model for security and compliance?
A) Granting access to individuals and services
B) Encrypting data in transit
C) Updating Amazon EC2 host firmware
D) Updating operating systems
Host firmware is the full responsibility of AWS as it is part of the host OS on EC2 that AWS manages.
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
AWS responsibility
Security of the Cloud - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Question 75
Where should a company go to search software listings from independent software vendors to find, test, buy and deploy software that runs on AWS?
A) AWS Marketplace
B) Amazon Lumberyard
C) AWS Artifact
D) Amazon CloudSearch
The AWS Marketplace enables qualified partners to market and sell
their software to AWS Customers. AWS Marketplace is an online software
store that helps customers find, buy, and immediately start using the
software and services that run on AWS.
AWS Marketplace is designed for Independent Software Vendors (ISVs), Value-Added Resellers (VARs), and Systems Integrators (SIs) who have software products they want to offer to customers in the cloud. Partners use AWS Marketplace to be up and running in days and offer their software products to customers around the world.
Customers can quickly launch pre-configured software with just a few clicks, and choose software solutions in Amazon Machine Images (AMIs) and software as a service (SaaS) formats, as well as other formats. Additionally, you can browse and subscribe to data products. Flexible pricing options include free trial, hourly, monthly, annual, multi-year, and BYOL (Bring Your Own License), and get billed from one source. AWS handles billing and payments, and charges appear on customers' AWS bill.
Question 76
Which of the following is a benefit of using the AWS Cloud?
A) Permissive security removes the administrative burden.
B) Ability to focus on revenue-generating activities.
C) Control over cloud network hardware.
D) Choice of specific cloud hardware vendors.
AWS does the heavy lifting of data center operations like racking,
stacking, and powering servers. It also removes the operational burden
of managing operating systems and applications with managed services.
This allows you to focus on your customers and business projects rather
than on IT infrastructure.
Question 77
When performing a cost analysis that supports physical isolation of a customer workload, which compute hosting model should be accounted for in the Total Cost of Ownership (TCO)?
A) Dedicated Hosts
B) Reserved Instances
C) On-Demand Instances
D) No Upfront Reserved Instances
Use Dedicated Hosts to launch Amazon EC2 instances on physical
servers that are dedicated for your use. Dedicated Hosts give you
additional visibility and control over how instances are placed on a
physical server, and you can reliably use the same physical server over
time. As a result, Dedicated Hosts enable you to use your existing
server-bound software licenses like Windows Server and address corporate
compliance and regulatory requirements.
Question 78
Which AWS service provides the ability to manage infrastructure as code?
A) AWS CodePipeline
B) AWS CodeDeploy
C) AWS Direct Connect
D) AWS CloudFormation
AWS CloudFormation provides a common language for you to describe
and provision all the infrastructure resources in your cloud
environment. CloudFormation allows you to use a simple text file to
model and provision, in an automated and secure manner, all the
resources needed for your applications across all regions and accounts.
This file serves as the single source of truth for your cloud
environment.
Question 79
If a customer needs to audit the change management of AWS resources, which of the following AWS services should the customer use?
A) AWS Config
B) AWS Trusted Advisor
C) Amazon CloudWatch
D) Amazon Inspector
AWS Config is a service that enables you to assess, audit, and
evaluate the configurations of your AWS resources. Config continuously
monitors and records your AWS resource configurations and allows you to
automate the evaluation of recorded configurations against desired
configurations. With Config, you can review changes in configurations
and relationships between AWS resources, dive into detailed resource
configuration histories, and determine your overall compliance against
the configurations specified in your internal guidelines. This enables
you to simplify compliance auditing, security analysis, change
management, and operational troubleshooting.
Incorrect Answers:
-B- AWS Trusted Advisor: best practice assessments, wrong.
-C- Amazon CloudWatch: performance monitoring, wrong.
-D- Amazon Inspector: automated security assessments, wrong.
Question 80
What is Amazon CloudWatch?
A) A code repository with customizable build and team commit features.
B) A metrics repository with customizable notification thresholds and channels.
C) A security configuration repository with threat analytics.
D) A rule repository of a web application firewall with automated vulnerability prevention features.
Amazon CloudWatch is a monitoring and observability service built
for DevOps engineers, developers, site reliability engineers (SREs), and
IT managers.
CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.
You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.
CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers.
Notes:
If the question mentions metrics then CloudWatch is likely the answer. If the question mentions APIs then the answer is likely CloudTrail
Question 81
Which service allows a company with multiple AWS accounts to combine its usage to obtain volume discounts?
A) AWS Server Migration Service
B) AWS Organizations
C) AWS Budgets
D) AWS Trusted Advisor
E) Amazon Quicksight
F) Amazon Forecast
Use the consolidated billing feature in AWS Organizations to
consolidate billing and payment for multiple AWS accounts. Every
organization in AWS Organizations has a master account that pays the
charges of all the member accounts.
Consolidated billing has the following benefits:
✑ One bill - You get one bill for multiple accounts.
✑ Easy tracking - You can track the charges across multiple accounts and download the combined cost and usage data.
✑ Combined usage - You can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts.
✑ No extra fee - Consolidated billing is offered at no additional cost.
Question 82
Which of the following services could be used to deploy an application to servers running on-premises? (Choose two.)
A) AWS Elastic Beanstalk
B) AWS OpsWorks
C) AWS CodeDeploy
D) AWS Batch
E) AWS X-Ray
AWS OpsWorks: lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
AWS CodeDeploy: is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.
Question 83
Which Amazon EC2 pricing model adjusts based on supply and demand of EC2 instances?
A) On-Demand Instances
B) Reserved Instances
C) Spot Instances
D) Convertible Reserved Instances
With Spot Instances, you pay the Spot price that's in effect for
the time period your instances are running. Spot Instance prices are set
by Amazon EC2 and adjust gradually based on long-term trends in supply
and demand for Spot Instance capacity.
Spot Instances are available at a discount of up to 90% off compared to On-Demand pricing.
Incorrect answers:
The price per second for a running On-Demand Instance is fixed
Question 84
Which design principles for cloud architecture are recommended when re-architecting a large monolithic application? (Choose two.)
A) Use manual monitoring.
B) Use fixed servers.
C) Implement loose coupling.
D) Rely on individual components.
E) Design for scalability.
Cloud-native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure and declarative APIs exemplify this approach.
These techniques enable loosely coupled systems that are resilient, manageable and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.
Loose coupling is a fundamental design approach in which any one layer is not affected by another, which increases fault tolerance.
Scalability is the ability of a software system to increase workload size without application service interruption or performance impact.
Question 85
Which is the MINIMUM AWS Support plan that allows for one-hour target response time for support cases?
A) Enterprise
B) Business
C) Developer
D) Basic
Enterprise: As little as 15 mins
Business: As little as 1 hour
Developer: As little as 12 hours
Notes: These times are for the most urgent cases for each support level. See (https://aws.amazon.com/premiumsupport/plans/) for more information.
Question 86
Where can AWS compliance and certification reports be downloaded?
A) AWS Artifact
B) AWS Concierge
C) AWS Certificate Manager
D) AWS Trusted Advisor
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS's security and compliance reports and select online agreements.
Question 87
Which AWS service provides a customized view of the health of specific AWS services that power a customer's workloads running on AWS?
A) AWS Service Health Dashboard
B) AWS X-Ray
C) AWS Personal Health Dashboard
D) Amazon CloudWatch
Keyword is "customized" here. Service Health Dashboard doesn't allow you to customize the view.
The difference between the Personal and Service Health Dashboards is that the "Service Health Dashboard" provides the generic status of overall AWS services, whereas the "Personal Health Dashboard" provides the status of services pertaining to "subscribed" AWS services. Hence the name "Personal".
(AWS) Personal Health Dashboard (PHD) - All customers can use this; it is powered by the AWS Health API. A personalized view of the health of AWS services, and alerts when your resources are impacted. It provides alerts and remediation guidance when AWS is experiencing events that may impact you. Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources. The dashboard requires no setup, and it's ready to use for authenticated AWS users.
Question 88
Which of the following is an advantage of consolidated billing on AWS?
A) Volume pricing qualification
B) Shared access permissions
C) Multiple bills per account
D) Eliminates the need for tagging
If you have multiple standalone accounts, your charges might
decrease if you add the accounts to an organization. AWS combines usage
from all accounts in the organization to qualify you for volume pricing
discounts.
Question 89
Which of the following steps should be taken by a customer when conducting penetration testing on AWS?
A) Conduct penetration testing using Amazon Inspector, and then notify AWS support.
B) Request and wait for approval from the customer's internal security team, and then conduct testing.
C) Notify AWS support, and then conduct testing immediately.
D) Request and wait for approval from AWS support, and then conduct testing.
No prior approval is needed from AWS for the services below. Once approval is received from the internal security team the testing can go ahead (as long as the service is on this list; otherwise see the 'Notes' section below)
======
Permitted Services.
======
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
========
AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 Permitted Services. Please ensure that these activities are aligned with the policy set out below. Note: Customers are not permitted to conduct any security assessments of AWS infrastructure, or the AWS services themselves. If you discover a security issue within any AWS services in the course of your security assessment, please contact AWS Security immediately.
If AWS receives an abuse report for activities related to your security testing, we will forward it to you. When responding, please provide the root cause of the reported activity, and detail what you've done to prevent the reported issue from recurring. Learn more here.
Resellers of AWS services are responsible for their customer's security testing activity.
Notes:
Requesting Authorization for Other Simulated Events - Please submit a Simulated Events form to contact us directly. Be sure to include dates, accounts involved, assets involved, and contact information, including phone number and detailed description of planned events. You should expect to receive a non-automated response to your initial contact within 2 business days confirming receipt of your request.
Question 90
Which of the following AWS features enables a user to launch a pre-configured Amazon Elastic Compute Cloud (Amazon EC2) instance?
A) Amazon Elastic Block Store (Amazon EBS)
B) Amazon Machine Image
C) Amazon EC2 Systems Manager
D) Amazon AppStream 2.0
An Amazon Machine Image is a special type of virtual appliance
that is used to create a virtual machine within the Amazon Elastic
Compute Cloud. It serves as the basic unit of deployment for services
delivered using EC2.
An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an AMI when you launch an instance. You can launch multiple instances from a single AMI when you need multiple instances with the same configuration. You can use different AMIs to launch instances when you need instances with different configurations.
Question 91
How would an AWS customer easily apply common access controls to a large set of users?
A) Apply an IAM policy to an IAM group.
B) Apply an IAM policy to an IAM role.
C) Apply the same IAM policy to all IAM users with access to the same workload.
D) Apply an IAM policy to an Amazon Cognito user pool.
Instead of defining permissions for individual IAM users, it's usually more convenient to:
-create IAM groups that relate to job functions (administrators, developers, accounting, etc.).
-Next, define the relevant permissions for each group.
-Assign IAM users to those groups.
-All the users in an IAM group inherit the permissions assigned to the group. That way, you can make changes for everyone in a group in just one place.
-As people move around in your company, you can simply change what IAM group their IAM user belongs to.
Notes:
-User: Permanent named operator (human or machine)
-Group: Collection of users
-Role: Authentication method, not permissions. A role is an operator (human or machine). Credentials are temporary
-Policy docs: Permissions attached to any of the previous 3. Lists specific APIs that are allowed.
Question 92
What technology enables compute capacity to adjust as loads change?
A) Load balancing
B) Automatic failover
C) Round robin
D) Auto Scaling
Load balancers distribute workloads across several instances; they only distribute to the instances that are available (they don't add or remove any). With Auto Scaling, when the traffic gets too high it automatically adds more instances to handle the traffic, and vice versa
Question 93
Which AWS services are defined as global instead of regional? (Choose two.)
A) Amazon Route 53
B) Amazon EC2
C) Amazon S3
D) Amazon CloudFront
E) Amazon DynamoDB
-A-
Using a global anycast network of DNS servers around the world, Amazon Route 53 is designed to automatically route your users to the optimal location depending on network conditions. As a result, the service offers low query latency for your end users, as well as low update latency for your DNS record management needs.
-D-
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.
Incorrect answers:
S3 – Has a global reach but data is stored regionally. S3 buckets are created within the selected region. Objects stored are replicated across Availability Zones to provide high durability but are not cross-region replicated unless done explicitly.
Question 94
Under the shared responsibility model, which of the following tasks are the responsibility of the AWS customer? (Choose two.)
A) Ensuring that application data is encrypted at rest
B) Ensuring that AWS NTP servers are set to the correct time
C) Ensuring that users have received security training in the use of AWS services
D) Ensuring that access to data centers is restricted
E) Ensuring that hardware is disposed of properly
-A-
The customer:
-assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
-should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
-is responsible for data configuration (i.e. encrypting data at rest and in transit)
-C-
"Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
-Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
-Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
-Awareness & Training - AWS trains AWS employees, but a customer must train their own employees."
Question 95
Which AWS service can be used to manually launch instances based on resource requirements?
A) Amazon EBS
B) Amazon S3
C) Amazon EC2
D) Amazon ECS
Keyword is instances.
Customers can launch from a huge variety of EC2 instance types depending on exactly what they require, e.g. OS, RAM, storage space, security controls, etc.
Question 96
A company is migrating an application that is running non-interruptible workloads for a three-year time frame. Which pricing construct would provide the MOST cost-effective solution?
A) Amazon EC2 Spot Instances
B) Amazon EC2 Dedicated Instances
C) Amazon EC2 On-Demand Instances
D) Amazon EC2 Reserved Instances
A Reserved Instance (RI) is a billing commitment for a one- or three-year term. You commit to paying for the whole term; in exchange the effective hourly rate is significantly lower (up to 72% off On-Demand). An RI purchased for a specific Availability Zone (a zonal RI) also reserves capacity in that zone; a regional RI gives the discount without a capacity reservation. AWS Billing automatically applies the RI's discounted rate when the attributes of running EC2 usage match an active RI. A three-year, non-interruptible workload is exactly the case RIs are designed for.
Incorrect answers:
-A- Spot Instances can be interrupted by AWS with two minutes' notice, so they are unsuitable for a non-interruptible workload.
-B- Dedicated Instances run in a VPC on hardware dedicated to a single customer. They carry a premium, so unless single-tenant hardware is specifically required they are not the most economical choice.
-C- On-Demand Instances run with no risk of interruption, but they are billed at the full hourly or per-second rate and are less economical than Reserved Instances over a three-year term.
Question 97
The financial benefits of using AWS are:
(Choose two.)
A) reduced Total Cost of Ownership (TCO).
B) increased capital expenditure (capex).
C) reduced operational expenditure (opex).
D) deferred payment plans for startups.
E) business credit lines for startups.
CapEx (capital expenditure) is money spent on assets that deliver long-term benefit, such as buildings or equipment. IT examples are whole systems and servers, printers and scanners, or air conditioners and generators. You buy these items once and they serve the business for many years; maintenance that extends their lifetime is also CapEx.
OpEx (operating expenditure) is the cost of running the business day to day: services and consumables that are used up and paid for according to use, such as printer cartridges and paper, electricity, and recurring services like website hosting or domain registration. These are necessary but are not long-term investments.
Total Cost of Ownership (TCO) is the sum of both: the capital cost of acquiring the infrastructure plus the operating cost of running it over its life. It is not another name for CapEx.
The cloud lets you trade high up-front CapEx (data centers, physical servers) for a variable OpEx model in which you pay only for the IT you consume. The variable cost is also lower than doing it yourself because of the massive economies of scale AWS has built.
-A- TCO is reduced, not eliminated. You no longer buy hardware or building space, so the up-front investment is close to zero, but you still pay for what you use, and that usage is part of TCO.
-C- OpEx is reduced because AWS is elastic: you pay only for the capacity you actually use, rather than running owned resources whose cost never falls when demand falls. The economies of scale AWS achieves are also passed on to customers as lower prices.
Question 98
Which AWS Cost Management tool allows you
to view the most granular data about your AWS bill?
A) AWS Cost Explorer
B) AWS Budgets
C) AWS Cost and Usage report
D) AWS Billing dashboard
The Cost & Usage Report is your one-stop-shop for the most granular data about your AWS costs and usage. You can also load the report into Amazon Athena, Amazon Redshift, Amazon QuickSight, or a tool of your choice.
Question 99
Which of the following can an AWS customer
use to launch a new Amazon Relational Database Service (Amazon RDS)
cluster? (Choose two.)
A) AWS Concierge
B) AWS CloudFormation
C) Amazon Simple Storage Service (Amazon S3)
D) Amazon EC2 Auto Scaling
E) AWS Management Console
-B- AWS CloudFormation speeds up cloud provisioning with infrastructure as code (IaC). It gives you a way to model a collection of related AWS and third-party resources (an RDS cluster among them), provision them quickly and consistently, and manage them throughout their lifecycle.
-E- The AWS Management Console is the graphical interface for AWS features; it can launch an RDS cluster directly.
Incorrect answers:
-A- "Your AWS Concierge is a senior customer service agent who is assigned to your account when you subscribe to an Enterprise or qualified Reseller Support plan." This has nothing to do with launching databases.
-C- Amazon S3 is object storage.
-D- Amazon EC2 Auto Scaling launches and terminates EC2 instances, not RDS clusters.
Question 100
Which of the following is an AWS Cloud
architecture design principle?
A) Implement single points of failure.
B) Implement loose coupling.
C) Implement monolithic design.
D) Implement vertical scaling.
Loose coupling is one of the 'Reliability Design Principles and Best Practices'.
In computing and systems design a loosely coupled system is one in which each component has, or makes use of, little or no knowledge of the definitions of other separate components. Subareas include the coupling of classes, interfaces, data, and services.
…
Loose coupling between services can also be achieved through asynchronous integration: one component generates events and another consumes them. The two components do not integrate through direct point-to-point interaction, but through an intermediate durable storage layer such as a queue. This decouples the components and adds resiliency: if the process reading messages from the queue fails, messages can still be added to the queue and are processed when the consumer recovers.
Question 101
Which of the following security measures
protect access to an AWS account? (Choose two.)
A) Enable AWS CloudTrail.
B) Grant least privilege access to IAM users.
C) Create one IAM user and share with many developers and users.
D) Enable Amazon CloudFront.
E) Activate multi-factor authentication (MFA) for privileged users.
-B- Least privilege. If you create service accounts (accounts used for programmatic access by applications running outside the AWS environment) and generate access keys for them, create a dedicated service account for each use case. That lets you restrict the attached policy to only the permissions that use case needs, limiting the blast radius if the credentials are compromised. For example, if a monitoring tool and a release management tool both need access to your AWS environment, create two separate service accounts with two separate policies, each defining the minimum permissions for its tool.
-E- AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of the user name and password. With MFA enabled, a user signing in to the AWS Management Console is prompted for their user name and password (the first factor, something they know) and for an authentication code from their MFA device (the second factor, something they have). Together these factors give increased security for your AWS account settings and resources.
Note: granting least privilege will not by itself prevent unauthorised access, but it minimises the damage that access can do, because a compromised identity cannot reach resources it was never granted. That is why it counts as protecting access.
Incorrect answers:
-A- CloudTrail records account activity; it supports detection and investigation of misuse but does not block access.
-C- Sharing one IAM user among many people removes accountability and makes credential rotation and revocation impractical; each person should have their own identity.
-D- CloudFront is a content delivery network and has no bearing on account access.
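As an added example (not from the original page and not AWS's own code), here is how a practitioner would check answers B, C and E against a real account: parse the IAM credential report that `aws iam get-credential-report` returns (a base64-encoded CSV) and flag console identities with no MFA device, access keys on the root user, and users that carry both a console password and active access keys, which is the usual symptom of the shared "do everything" user that option C describes. The rows below are constructed; the column names are those of the real report, and only the columns referenced in the code are assumed.

```python
import csv
import io

# Constructed sample in the layout of the IAM credential report. A real
# report has more columns; only the ones referenced below are assumed here.
# The root user always appears as "<root_account>" with password_enabled
# set to "not_supported".
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,false,true,2024-05-01T09:12:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-10T12:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-02T07:30:00+00:00,false,N/A
shared-devs,arn:aws:iam::111122223333:user/shared-devs,2019-09-09T00:00:00+00:00,true,2024-05-02T11:45:00+00:00,2019-09-09T00:00:00+00:00,N/A,false,true,2024-04-30T16:00:00+00:00,true,2024-05-01T03:00:00+00:00
"""


def parse_report(text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _has_active_key(row):
    return row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"


def console_users_without_mfa(rows):
    """Identities that can sign in interactively but have no MFA device.
    The root user reports password_enabled=not_supported yet always has a
    password, so it is treated as console-capable."""
    out = []
    for r in rows:
        console = r["password_enabled"] == "true" or r["user"] == "<root_account>"
        if console and r["mfa_active"] != "true":
            out.append(r["user"])
    return out


def root_with_access_keys(rows):
    """True when the root user has an active access key (a key that cannot
    be scoped by policy, so it should not exist at all)."""
    for r in rows:
        if r["user"] == "<root_account>":
            return _has_active_key(r)
    return False


def mixed_use_users(rows):
    """Users with both a console password and an active access key: a
    human and a program sharing one identity, the pattern option C warns
    against. Split them into a per-person user and a per-tool identity."""
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and _has_active_key(r)]


def findings(text):
    rows = parse_report(text)
    return {
        "no_mfa": console_users_without_mfa(rows),
        "root_has_keys": root_with_access_keys(rows),
        "password_and_keys": mixed_use_users(rows),
    }


if __name__ == "__main__":
    for name, value in findings(SAMPLE_REPORT).items():
        print(f"{name}: {value}")
```

On the constructed report this flags the root user and `shared-devs` for missing MFA, the root access key, and `shared-devs` as a mixed-use identity; `deploy-bot` passes because a key-only service account with no console password is the intended shape for programmatic access.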
Question 102
Which service provides a hybrid storage
service that enables on-premises applications to seamlessly use cloud
storage?
A) Amazon Glacier
B) AWS Snowball
C) AWS Storage Gateway
D) Amazon Elastic Block Storage (Amazon EBS)
AWS Storage Gateway is a hybrid cloud storage service that gives
you on-premises access to virtually unlimited cloud storage. Customers
use Storage Gateway to simplify storage management and reduce costs for
key hybrid cloud storage use cases. These include moving tape backups to
the cloud, reducing on-premises storage with cloud-backed file shares,
providing low latency access to data in AWS for on-premises
applications, as well as various migration, archiving, processing, and
disaster recovery use cases.
Question 103
Which of the following services falls
under the responsibility of the customer to maintain operating system
configuration, security patching, and networking?
A) Amazon RDS
B) Amazon EC2
C) Amazon ElastiCache
D) AWS Fargate
Amazon EC2 is the only option where the customer controls the guest operating system. The customer is responsible for managing, patching, and securing that OS, the software running on it, and its network configuration (security groups, network ACLs, routing). With Amazon RDS, Amazon ElastiCache, and AWS Fargate the underlying operating system is managed and patched by AWS.
Question 104
Which of the following is an important
architectural design principle when designing cloud applications?
A) Use multiple Availability Zones.
B) Use tightly coupled components.
C) Use open source software.
D) Provision extra capacity.
This relates to the 'Reliability Design Principles and Best Practices'.
Each Availability Zone runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable. If infrastructure fails in one Availability Zone, resources provisioned in the other Availability Zones keep serving, which minimises the impact of the failure and lets the workload continue with minimal business impact.
Question 105
Amazon Relational Database Service
(Amazon RDS) offers which of the following benefits over traditional
database management?
A) AWS manages the data stored in Amazon RDS tables.
B) AWS manages the maintenance of the operating system.
C) AWS automatically scales up instance types on demand.
D) AWS manages the database type.
Amazon RDS is a managed service: AWS automates common activities such as hardware provisioning, operating system patching and maintenance, monitoring, and backups, while the customer remains responsible for the data, the schema, and access to the database.
Incorrect answers:
-A- The customer owns and manages the data stored in the tables.
-C- Instance types can be scaled up, but it is not automatic; the change must be performed by the user.
-D- The customer chooses the database engine; AWS does not decide which one is used.
Question 106
Which service is best for storing common
database query results, which helps to alleviate database access
load?
A) Amazon Machine Learning
B) Amazon SQS
C) Amazon ElastiCache
D) Amazon EC2 Instance Store
ElastiCache can serve frequently requested items at sub-
millisecond response times, and enables you to easily scale for higher
loads without growing the costlier backend databases. Database query
results caching, persistent session caching, and full-page caching are
all popular examples of caching.
Question 107
Which of the following is a component of
the shared responsibility model managed entirely by AWS?
A) Patching operating system software
B) Encrypting data
C) Enforcing multi-factor authentication
D) Auditing physical data center assets
AWS is responsible for auditing its physical data center assets: the facilities and hardware belong to AWS and customers have no access to the physical sites. Patching a guest operating system, encrypting data, and enforcing MFA are all customer responsibilities under the shared responsibility model.
Question 108
Which options does AWS make available for
customers who want to learn about security in the cloud in an
instructor-led setting? (Choose two.)
A) AWS Trusted Advisor
B) AWS Online Tech Talks
C) AWS Blog
D) AWS Forums
E) AWS Classroom Training
The key term is instructor-led.
-B- AWS Online Tech Talks are online presentations led by AWS solutions architects and engineers. They cover a range of topics and expertise levels and feature technical deep dives, demonstrations, customer examples, and live Q&A with AWS experts.
-E- AWS Training and Certification offers both digital and classroom training, including private on-site training. You can learn online at your own pace or learn from an accredited AWS instructor, whether you are just starting out, building on existing IT skills, or sharpening your cloud knowledge.
Incorrect answers:
-A- AWS Trusted Advisor is an online tool that gives real-time guidance to help you provision resources following AWS best practices; it is not training.
-C- The AWS Blog is not instructor-led training.
-D- AWS Forums are not instructor-led training.
Question 109
Which of the following features can be
configured through the Amazon Virtual Private Cloud (Amazon VPC)
Dashboard? (Choose two.)
A) Amazon CloudFront distributions
B) Amazon Route 53
C) Security Groups
D) Subnets
E) Elastic Load Balancing
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Subnets and security groups are both created and edited from the VPC dashboard. CloudFront, Route 53, and Elastic Load Balancing each have their own console (load balancers are managed under the EC2 console), even though a load balancer is deployed into VPC subnets.
Question 110
If each department within a company has
its own AWS account, what is one way to enable consolidated billing?
A) Use AWS Budgets on each account to pay only to budget.
B) Contact AWS Support for a monthly bill.
C) Create an AWS Organization from the payer account and invite the other accounts to join.
D) Put all invoices into one Amazon Simple Storage Service (Amazon S3) bucket, load data into Amazon Redshift, and then run a billing report.
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join it. It allows you to:
- programmatically create new AWS accounts and allocate resources
- group accounts to organize your workflows
- apply policies to accounts or groups for governance
- define central configurations and audit requirements
- simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities help you meet the budgetary, security, and compliance needs of your business.
- control access, manage compliance, and coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible to specific users, groups, and roles)
- share resources across your AWS accounts
- combine usage from all accounts in the organization to qualify for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add them to an organization.
Question 111
How do customers benefit from Amazon's
massive economies of scale?
A) Periodic price reductions as the result of Amazon's operational efficiencies
B) New Amazon EC2 instance types providing the latest hardware
C) The ability to scale up and down when needed
D) Increased reliability in the underlying hardware of Amazon EC2 instances
Benefit from massive economies of scale – By using cloud
computing, you can achieve a lower variable cost than you can get on
your own. Because usage from hundreds of thousands of customers is
aggregated in the cloud, providers such as AWS can achieve higher
economies of scale, which translates into lower pay-as-you-go prices.
Question 112
Which AWS services can be used to gather
information about AWS account activity? (Choose two.)
A) Amazon CloudFront
B) AWS Cloud9
C) AWS CloudTrail
D) AWS CloudHSM
E) Amazon CloudWatch
-C- AWS CloudTrail tracks user activity and API usage. It helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or AWS service are recorded as CloudTrail events, including actions taken in the AWS Management Console, the AWS Command Line Interface, and the AWS SDKs and APIs.
-E- Amazon CloudWatch. CloudTrail's own event history only covers the last 90 days; to search further back, deliver the trail to CloudWatch Logs and query there.
Note: you must have a trail created and configured to log to Amazon CloudWatch Logs. For more information, see Creating a trail.
- Open the CloudWatch console, and then choose Logs.
- In Log Groups, choose your log group.
- Choose Search Log Group.
- In Filter events, enter a filter pattern such as { $.userIdentity.userName = "Alice" } to find a user's API calls, and then choose the refresh icon.
- You can also filter on a specific API action. This pattern finds DescribeInstances calls made by Alice: { ($.eventName = "DescribeInstances") && ($.userIdentity.userName = "Alice") }. The caller's name lives under userIdentity; requestParameters.userName only appears on IAM API calls that take a user name as a parameter (for example DeleteUser), where it names the target of the call rather than the caller.
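The same filtering, as an added example that is not part of the original page or of any AWS tooling: a small evaluator for CloudWatch-style JSON selectors run over constructed CloudTrail records in the shape CloudTrail delivers to CloudWatch Logs (one JSON object per log event). It shows the caller/target distinction above (userIdentity.userName versus requestParameters.userName) and adds the query an incident responder usually runs first, calls that were denied. The events and their field values are constructed; only the CloudTrail field names used are assumed.

```python
import json

# Constructed CloudTrail records. Only the fields used below are populated;
# real events carry many more (awsRegion, userAgent, requestID, ...).
SAMPLE_EVENTS = [
    '{"eventTime":"2024-05-02T08:01:10Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"Alice"},"sourceIPAddress":"203.0.113.7","errorCode":null}',
    '{"eventTime":"2024-05-02T08:02:33Z","eventSource":"iam.amazonaws.com","eventName":"DeleteUser","userIdentity":{"type":"IAMUser","userName":"Bob"},"requestParameters":{"userName":"Alice"},"sourceIPAddress":"203.0.113.9"}',
    '{"eventTime":"2024-05-02T08:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"IAMUser","userName":"Alice"},"sourceIPAddress":"198.51.100.4","errorCode":"Client.UnauthorizedOperation"}',
    '{"eventTime":"2024-05-02T08:07:45Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Deploy/session"},"sourceIPAddress":"198.51.100.4"}',
]


def get_path(event, path):
    """Resolve a selector like '$.userIdentity.userName'. Returns None when
    any segment is missing, mirroring the filter semantics in which an
    absent field simply does not match."""
    node = event
    for key in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(event, conditions):
    """Every (path, value) pair must hold: the '&&' of a filter pattern."""
    return all(get_path(event, p) == v for p, v in conditions)


def search(raw_lines, conditions):
    """(eventTime, eventName) of every record satisfying all conditions."""
    hits = []
    for line in raw_lines:
        ev = json.loads(line)
        if matches(ev, conditions):
            hits.append((ev["eventTime"], ev["eventName"]))
    return hits


def api_calls_by(raw_lines, user):
    # { $.userIdentity.userName = "<user>" }
    return search(raw_lines, [("$.userIdentity.userName", user)])


def action_by(raw_lines, user, action):
    # { ($.eventName = "<action>") && ($.userIdentity.userName = "<user>") }
    return search(raw_lines, [("$.userIdentity.userName", user),
                              ("$.eventName", action)])


def actions_targeting(raw_lines, user):
    # requestParameters.userName is the *target* of an IAM call, not the caller
    return search(raw_lines, [("$.requestParameters.userName", user)])


def denied_calls(raw_lines):
    """Calls that failed authorization: errorCode present and non-null.
    A burst of these from one identity is a classic sign of key misuse."""
    out = []
    for ev in map(json.loads, raw_lines):
        if ev.get("errorCode"):
            who = ev["userIdentity"].get("userName", ev["userIdentity"].get("arn"))
            out.append((ev["eventTime"], who, ev["eventName"]))
    return out


if __name__ == "__main__":
    print("Alice's calls:", api_calls_by(SAMPLE_EVENTS, "Alice"))
    print("Alice DescribeInstances:", action_by(SAMPLE_EVENTS, "Alice", "DescribeInstances"))
    print("calls targeting Alice:", actions_targeting(SAMPLE_EVENTS, "Alice"))
    print("denied:", denied_calls(SAMPLE_EVENTS))
```

Note that the record where Alice is the value of requestParameters.userName is Bob deleting Alice's user, not anything Alice did; a search keyed on the wrong field would attribute it to the wrong person.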
Question 113
Which of the following common IT tasks
can AWS cover to free up company IT resources? (Choose two.)
A) Patching database software
B) Testing application releases
C) Backing up databases
D) Creating database schema
E) Running penetration tests
Taking Amazon RDS as the example, both patching and backups are covered.
RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. That frees you to focus on your applications and give them the performance, high availability, security, and compatibility they need.
Incorrect answers:
Testing application releases, designing the schema, and penetration testing remain customer tasks. Penetration testing in particular is performed by the customer: AWS permits customer-run tests against a published list of services (eight at the time this was written) without prior notice; for anything outside that list the customer must submit a request to AWS and wait for approval before testing.
Question 114
In which scenario should Amazon EC2 Spot
Instances be used?
A) A company wants to move its main website to AWS from an on-premises web server.
B) A company has a number of application services whose Service Level Agreement (SLA) requires 99.999% uptime.
C) A company's heavily used legacy database is currently running on-premises.
D) A company has a number of infrequent, interruptible jobs that are currently using On-Demand Instances.
Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS Cloud at up to a 90% discount compared to On-Demand prices. They suit stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, CI/CD, web servers, high-performance computing (HPC), and test and development workloads. Because Spot Instances are integrated with services such as Auto Scaling, EMR, ECS, CloudFormation, Data Pipeline, and AWS Batch, you can choose how to launch and maintain applications running on them.
The trade-off is that AWS can reclaim Spot capacity with two minutes' notice; you choose whether the instance is hibernated, stopped, or terminated when that happens. That is why only the infrequent, interruptible jobs in option D are a good fit: a main website (A), a 99.999% SLA (B), and a heavily used database (C) all need capacity that will not be taken away.
You can combine Spot Instances with On-Demand, Reserved Instances, and Savings Plans to optimise workload cost against performance, and at AWS's operating scale Spot can supply hyper-scale workloads.
Spot prices are set by supply and demand for spare EC2 capacity and change gradually; there is no longer any bidding. The per-second price of a running On-Demand Instance is fixed.
Question 115
Which AWS feature should a customer
leverage to achieve high availability of an application?
A) AWS Direct Connect
B) Availability Zones
C) Data centers
D) Amazon Virtual Private Cloud (Amazon VPC)
Availability Zones are the building block for high availability on AWS. A highly available web application deployed in AWS has the following features:
- High availability across multiple instances in multiple Availability Zones.
- Auto Scaling of instances (scale out and scale in) based on the number of incoming requests.
- Additional security for the instances and databases that are in production.
- No impact to end users when a newer version of the code is deployed.
- No impact while the instances are patched.
Question 116
Which is the minimum AWS Support plan
that includes Infrastructure Event Management without additional
costs?
A) Enterprise
B) Business
C) Developer
D) Basic
Enterprise Support includes Infrastructure Event Management as standard.
Incorrect answers:
-B- Business Support: Infrastructure Event Management is available for an additional fee.
-C-/-D- Developer and Basic Support do not offer it.
Question 117
Which AWS service can serve a static
website?
A) Amazon S3
B) Amazon Route 53
C) Amazon QuickSight
D) AWS X-Ray
You can host a static website on Amazon Simple Storage Service
(Amazon S3). On a static website, individual webpages include static
content. They might also contain client-side scripts. By contrast, a
dynamic website relies on server-side processing, including server-side
scripts such as PHP, JSP, or ASP.NET. Amazon S3 does not support
server-side scripting.
Question 118
How does AWS shorten the time to
provision IT resources?
A) It supplies an online IT ticketing platform for resource requests.
B) It supports automatic code validation services.
C) It provides the ability to programmatically provision existing resources.
D) It automates the resource request process from a company's IT vendor list.
AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycle by treating infrastructure as code. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually, and you can manage and provision stacks across multiple AWS accounts and AWS Regions.
The same programmatic provisioning can be driven from AWS Lambda, for example to automate account creation and resource provisioning together with AWS Service Catalog and AWS Organizations:
https://aws.amazon.com/blogs/mt/automate-account-creation-and-resource-provisioning-using-aws-service-catalog-aws-organizations-and-aws-lambda/
Question 119
What can AWS edge locations be used for?
(Choose two.)
A) Hosting applications
B) Delivering content closer to users
C) Running NoSQL database caching services
D) Reducing traffic on the server by caching responses
E) Sending notification messages to end users
Edge locations are endpoints used for caching content. They are located in most major cities around the world and are used by CloudFront to serve content from a point close to end users, which reduces latency and, because responses are served from the cache, reduces traffic to the origin server.
Incorrect answers:
-C- NoSQL database caching services (most likely a hint at ElastiCache) do not run at edge locations. ElastiCache uses Redis and Memcached to improve the performance of web applications by serving data from fast, managed, in-memory stores instead of relying entirely on slower disk-based databases, and those stores sit in your VPC alongside the original content, not at the edge.
Question 120
Which of the following can limit Amazon
Simple Storage Service (Amazon S3) bucket access to specific users?
A) A public and private key-pair
B) Amazon Inspector
C) AWS Identity and Access Management (IAM) policies
D) Security Groups
Access to an S3 bucket is controlled through IAM: identity-based IAM policies attached to specific users, groups, or roles, and the resource-based bucket policy, which names specific principals. To allow only particular users to perform S3 actions on a bucket, grant those user-level permissions explicitly in an IAM policy or in a statement of the bucket policy, and leave everyone else unlisted (or explicitly denied).
Incorrect answers:
-A- Key pairs authenticate SSH logins to EC2 instances, not S3 requests.
-B- Amazon Inspector is a vulnerability assessment service; it grants no permissions.
-D- Security groups are virtual firewalls for instance network traffic; S3 is accessed through the AWS API and does not use them.
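An added example, not from the original page or from AWS: two constructed bucket policies for a hypothetical bucket, one that limits access to two named IAM users and one that leaks read access to everyone, plus the check a reviewer would run over them. The account ID, user names and bucket name are placeholders. Note that the explicit deny in the locked-down policy also applies to the account's root and administrator identities unless they are listed, which is the usual way people lock themselves out of a bucket.

```python
import json

USERS = ["arn:aws:iam::111122223333:user/alice",
         "arn:aws:iam::111122223333:user/bob"]

# Constructed: Allow the two named users, explicitly Deny everyone else.
# The Deny uses aws:PrincipalArn so that even an over-broad identity policy
# elsewhere in the account cannot reach the bucket.
LOCKED_DOWN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AliceAndBobOnly", "Effect": "Allow",
         "Principal": {"AWS": USERS},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "DenyEveryoneElse", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"],
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": USERS}}},
    ],
})

# Constructed: the mistake the question is about. Principal "*" with no
# Condition means anyone on the internet, not just "all my users".
WIDE_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "Alice", "Effect": "Allow",
         "Principal": {"AWS": USERS[0]},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-reports/*"},
    ],
})


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(stmt):
    """Flatten the Principal element to a list of strings. Both "*" and
    {"AWS": "*"} mean anyone."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for v in p.values():
        out.extend(_as_list(v))
    return out


def open_to_anyone(policy_json):
    """Sids of Allow statements granted to "*" with no Condition at all.
    A Condition may still scope a wildcard grant (for example to one VPC
    endpoint), so conditioned wildcards are left for manual review."""
    pol = json.loads(policy_json)
    return [s.get("Sid", "<no sid>") for s in pol["Statement"]
            if s["Effect"] == "Allow"
            and "*" in _principals(s)
            and "Condition" not in s]


def allowed_principals(policy_json):
    """Every principal that some Allow statement names."""
    pol = json.loads(policy_json)
    names = set()
    for s in pol["Statement"]:
        if s["Effect"] == "Allow":
            names.update(_principals(s))
    return names


if __name__ == "__main__":
    for label, pol in (("locked-down", LOCKED_DOWN), ("wide-open", WIDE_OPEN)):
        print(label, "grants to:", sorted(allowed_principals(pol)))
        print(label, "open to anyone via:", open_to_anyone(pol))
```

The check is deliberately conservative: it reports only unconditional wildcard grants, because a `Principal: "*"` statement scoped by `aws:SourceVpce` or `aws:SourceIp` is a legitimate pattern. In a real account the same logic can be pointed at the output of `aws s3api get-bucket-policy`, and S3 Block Public Access should be on as well so that a wide-open policy is refused at write time rather than found later.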
Question 121
A solution that is able to support growth
in users, traffic, or data size with no drop in performance aligns with
which cloud architecture principle?
A) Think parallel
B) Implement elasticity
C) Decouple your components
D) Design for failure
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible".
Cloud solutions can be adjusted automatically to meet this need: you set them up to scale out or in based on conditions such as CPU load or request count, so growth in users, traffic, or data size does not degrade performance.
Question 122
A company will be moving from an
on-premises data center to the AWS Cloud. What would be one financial
difference after the move?
A) Moving from variable operational expense (opex) to upfront capital expense (capex).
B) Moving from upfront capital expense (capex) to variable capital expense (capex).
C) Moving from upfront capital expense (capex) to variable operational expense (opex).
D) Elimination of upfront capital expense (capex) and elimination of variable operational expense (opex)
The cloud allows you to trade high initial CapEx (such as data
centers and physical servers) for a variable OpEx model, and only pay
for IT as you consume it. Plus, the variable OpEx expenses are much
lower than what you would pay to do it yourself because of the massive
economies of scale that AWS has created.
Question 123
How should a customer forecast the future
costs for running a new web application?
A) Amazon Aurora Backtrack
B) Amazon CloudWatch Billing Alarms
C) AWS Pricing Calculator
D) AWS Cost and Usage report
AWS Pricing Calculator lets you configure a cost estimate that fits your business or personal needs with AWS products and services. It was previously known as the AWS Simple Monthly Calculator. Transparent pricing lets you see the math behind the price for your service configurations: you can view prices per service or per group of services to analyse your architecture costs, configure services or groups of services in multiple AWS Regions (prices and availability vary per Region), and see service costs grouped by different parts of your architecture.
Incorrect answers:
-D- AWS Cost and Usage Reports track your AWS usage and provide the estimated charges associated with your account. Each report contains line items for each unique combination of AWS products, usage type, and operation used in the account. It tracks costs already accrued rather than forecasting future costs.
-B- CloudWatch billing alarms notify you when actual charges cross a threshold; they do not estimate the cost of a new application.
-A- Aurora Backtrack rewinds an Aurora database to a point in time and has nothing to do with billing.
Question 124
Which is the MINIMUM AWS Support plan
that provides technical support through phone calls?
A) Enterprise
B) Business
C) Developer
D) Basic
Business Support: 24x7 phone, email, and chat access to Cloud Support Engineers.
Incorrect answers:
-A- Enterprise Support also provides phone access (plus additional services such as the AWS Concierge team and a designated Technical Account Manager), but at a much higher cost, so it is not the minimum plan.
-C- Developer Support gives business-hours technical support by email only; there is no phone support.
-D- Basic Support includes no technical support cases at all.
Question 125
Which of the following tasks is the
responsibility of AWS?
A) Encrypting client-side data
B) Configuring AWS Identity and Access Management (IAM) roles
C) Securing the Amazon EC2 hypervisor
D) Setting user password policies
In EC2, everything from the physical facilities and servers up to and including the hypervisor is AWS's responsibility. The customer is responsible for the operating systems, applications, and other software running on top of the hypervisor, and likewise for client-side encryption, IAM role configuration, and password policies.
Question 126
One benefit of On-Demand Amazon Elastic
Compute Cloud (Amazon EC2) pricing is:
A) the ability to bid for a lower hourly cost.
B) paying a daily rate regardless of time used.
C) paying only for time used.
D) pre-paying for instances and paying a lower hourly rate.
On-Demand Instances let you pay for compute capacity by the hour
or second (minimum of 60 seconds) with no long-term commitments. You
have full control over its lifecycle—you decide when to launch, stop,
hibernate, start, reboot, or terminate it. This frees you from the costs
and complexities of planning, purchasing, and maintaining hardware and
transforms what are commonly large fixed costs into much smaller
variable costs."
Question 127
An administrator needs to rapidly deploy a popular IT solution and start using it immediately. Where can the administrator find assistance?
A) AWS Well-Architected Framework documentation
B) Amazon CloudFront
C) AWS CodeCommit
D) AWS Quick Start reference deployments
Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS, based on AWS best practices for security and high availability. These accelerators reduce hundreds of manual procedures into just a few steps, so you can build your production environment quickly and start using it immediately.
Question 128
Which of the following services is in the category of AWS serverless platform?
A) Amazon EMR
B) Elastic Load Balancing
C) AWS Lambda
D) AWS Mobile Hub
AWS provides a set of fully managed services that you can use to build and run serverless applications. Serverless applications don't require provisioning, maintaining, and administering servers for backend components such as compute, databases, storage, stream processing, message queueing, and more. You also no longer need to worry about ensuring application fault tolerance and availability. Instead, AWS handles all of these capabilities for you. The serverless platform includes:
-AWS Lambda, Amazon S3, Amazon Athena, DynamoDB, API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions, Amazon Kinesis and developer tools and services.
Question 129
Which services are parts of the AWS serverless platform?
A) Amazon EC2, Amazon S3, Amazon Athena
B) Amazon Kinesis, Amazon SQS, Amazon EMR
C) AWS Step Functions, Amazon DynamoDB, Amazon SNS
D) Amazon Athena, Amazon Cognito, Amazon EC2
AWS provides a set of fully managed services that you can use to build and run serverless applications. Serverless applications don't require provisioning, maintaining, and administering servers for backend components such as compute, databases, storage, stream processing, message queueing, and more. You also no longer need to worry about ensuring application fault tolerance and availability. Instead, AWS handles all of these capabilities for you. The serverless platform includes:
-AWS Lambda, Amazon S3, Amazon Athena, DynamoDB, API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions, Amazon Kinesis and developer tools and services.
Question 130
According to the AWS shared responsibility model, what is the sole responsibility of AWS?
A) Application security
B) Edge location management
C) Patch management
D) Client-side data
Edge location management: this is out of the control of the customer; AWS is responsible for it as it is part of their physical infrastructure.
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Incorrect answers:
-Client-side data and application security are the sole responsibility of the customer
-Patch management is a shared responsibility
Question 131
Which AWS IAM feature is used to associate a set of permissions with multiple users?
A) Multi-factor authentication
B) Groups
C) Password policies
D) Access keys
An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need.
Question 132
Which of the following are benefits of the AWS Cloud? (Choose two.)
A) Unlimited uptime
B) Elasticity
C) Agility
D) Colocation
E) Capital expenses
-B-
The most celebrated benefit of the AWS Cloud is elasticity, since you can expand the services when you experience more traffic.
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible".
-C-
Agile development strategies in the AWS Cloud are day by day becoming more established within enterprises across the world. With so much improvement and call for optimization in the cloud, it is necessary that these strategies get established from the ground up within organizations.
Agile is a time-boxed, iterative approach to software delivery that builds software incrementally from the start of the project, instead of trying to deliver it all at once near the end.
The requirements might need to change. We are not talking about growth here but a change in the way of doing things. Maybe they started with a static webpage and it turned out they now need a database instead. This is not elasticity. They don't need more computing power; they need an agile solution that can change over time.
Agility is the practice of building in the ability to change quickly and inexpensively. The cloud not only makes these other practices practical but provides agility on its own. Infrastructure can be provisioned in minutes instead of months, and de-provisioned or changed just as quickly.
Question 133
Which of the following can a customer use to enable single sign-on (SSO) to the AWS Console?
A) Amazon Connect
B) AWS Directory Service
C) Amazon Pinpoint
D) Amazon Rekognition
Single sign-on only works when used on a computer that is joined to the AWS Directory Service directory. It cannot be used on computers that are not joined to the directory.
AWS SSO is an AWS service that enables you to use your existing credentials from your Microsoft Active Directory to access your cloud-based applications.
Question 134
What are the multiple, isolated locations within an AWS Region that are connected by low-latency networks called?
A) AWS Direct Connects
B) Amazon VPCs
C) Edge locations
D) Availability Zones
Each Region is completely independent. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.
Question 135
Which of the following benefits does the AWS Compliance program provide to AWS customers? (Choose two.)
A) It verifies that hosted workloads are automatically compliant with the controls of supported compliance frameworks.
B) AWS is responsible for the maintenance of common compliance framework documentation.
C) It assures customers that AWS is maintaining physical security and data protection.
D) It ensures the use of compliance frameworks that are being used by other cloud providers.
E) It will adopt new compliance frameworks as they become relevant to customer workloads.
-AWS continuously tries to audit and improve their compliance with many, many compliance frameworks, laws and such…
-This will help customers to trust AWS's ability to maintain physical security and data protection (as well as meet a lot of other compliance and legal requirements), as these audits and checks are non-stop and are quite specific on the requirements AWS must fulfil.
-Everything is available on AWS Artifact for customers to view every time a compliance report is produced.
B, C
-B-
AWS Artifact is a no-cost self-service portal for on-demand access to AWS compliance reports. When new reports are released, they are made available in AWS Artifact, allowing customers to continuously monitor the security and compliance of AWS with immediate access to new reports.
-C-
The AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance in the cloud. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance Enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment.
…
AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.
…
By reason of inheritance, all hosted workloads inherit the hardware and infrastructure compliance certification, which is one of the benefits enjoyed towards customer process certification.
Incorrect answers:
-A- Compliance doesn't end just at AWS; the customer must work to ensure they also comply with frameworks and laws. Therefore, the idea of 'automatic compliance' is incorrect.
-E- No guarantee that AWS will adopt new frameworks based on customers' workloads; it is possible, but I'd not go for it as an answer.
More info:
https://d1.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf
Question 136
Which of the following services provides on-demand access to AWS compliance reports?
A) AWS IAM
B) AWS Artifact
C) Amazon GuardDuty
D) AWS KMS
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
Question 137
As part of the AWS shared responsibility model, which of the following operational controls do users fully inherit from AWS?
A) Security management of data center
B) Patch management
C) Configuration management
D) User and access management
AWS presumes that users "inherit" the physical security attributes of its data centers. AWS manages these variables, which include physical controls, such as locked doors and video surveillance, and environmental controls, such as temperature and humidity.
Question 138
When comparing AWS Cloud with on-premises Total Cost of Ownership, which expenses must be considered? (Choose two.)
A) Software development
B) Project management
C) Storage hardware
D) Physical servers
E) Antivirus software license
Storage hardware and physical server TCO will vary depending on the hosting environment that is chosen.
CapEx (capital expenditure) is defined as business expenses incurred in order to create long-term benefits in the future, such as purchasing fixed assets like a building or equipment. Some examples of IT items that fall under this category would be whole systems and servers, printers and scanners, or air conditioners and generators. You buy these items once and they benefit your business for many, many years. Maintenance of such items is also considered CapEx, as it extends their lifetime and usefulness. CapEx can also be defined as Total Cost of Ownership (TCO).
Incorrect answers:
-Regardless of where you host your workload, you will still need software development, project management and (most likely) an antivirus software license.
Question 139
Under the shared responsibility model, which of the following tasks are the responsibility of the customer? (Choose two.)
A) Maintaining the underlying Amazon EC2 hardware.
B) Managing the VPC network access control lists.
C) Encrypting data in transit and at rest.
D) Replacing failed hard disk drives.
E) Deploying hardware in different Availability Zones.
-B-
Managing VPC network access control lists is something a customer has to do themselves to secure the applications.
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
-C-
Encrypting data in transit and at rest is a shared responsibility in which both customer and AWS play a part.
Also, note that the customer:
-assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
-should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
-is responsible for data configuration (i.e. encrypting data at rest and in transit)
Incorrect answers:
All hardware-related jobs have nothing to do with the customer; they are the sole responsibility of AWS.
Question 140
Which scenarios represent the concept of elasticity on AWS? (Choose two.)
A) Scaling the number of Amazon EC2 instances based on traffic.
B) Resizing Amazon RDS instances as business needs change.
C) Automatically directing traffic to less-utilized Amazon EC2 instances.
D) Using AWS compliance documents to accelerate the compliance process.
E) Having the ability to create and govern environments using code.
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible".
Some cloud solutions can also be automatically adjusted to meet these needs. This means you can set them up to scale up or down automatically based on certain conditions, like when your cloud solution has too many resources, of which some are being under-utilised, or if you have too few resources and your solution is running out of processing power.
Elasticity involves vertical (increasing the size of an item) and horizontal (increasing the number of items) scaling.
Incorrect answers:
-C- Distributing load is more about using the resources you already have to maintain high availability and failure tolerance. You are not changing the provisioned resources, therefore elasticity is not applicable here.
Question 141
When is it beneficial for a company to use a Spot Instance?
A) When there is flexibility in when an application needs to run
B) When there are mission-critical workloads.
C) When dedicated capacity is needed.
D) When an instance should not be stopped.
Spot Instance prices are set by Amazon EC2 and adjust gradually based on long-term trends in supply and demand for Spot Instance capacity. When you request Spot Instances, we recommend that you use the default maximum price (the On-Demand price). When your request is fulfilled, your Spot Instances launch at the current Spot price, not exceeding the On-Demand price. If you want to specify a maximum price, we recommend that you first review the Spot price history.
Rather than allowing these computing resources to go to waste, AWS offers them at a substantially discounted rate, with the understanding that if someone needs those resources for running a normal EC2 instance, that instance will take priority over Spot Instances that are using the hardware resources at a discounted rate.
In fact, Spot Instances will be stopped if the resources are needed elsewhere.
Spot Instance-based workloads must be able to run flexibly, as the exact timing of when suitably priced Spot Instances become available is unpredictable. Also, Spot Instance workloads must be interruptible because AWS can reclaim the Spot Instance capacity if it is needed elsewhere.
Question 142
A company is considering moving its on-premises data center to AWS. What factors should be included in doing a Total Cost of Ownership (TCO) analysis? (Choose two.)
A) Amazon EC2 instance availability
B) Power consumption of the data center
C) Labor costs to replace old servers
D) Application developer time
E) Database engine capacity
The idea behind this question is what costs to consider if the company leaves its IT resources on-premises. B & C are exclusively on-premises expenses that will not be incurred when using AWS services.
Incorrect answers:
-A- EC2 instance availability will not be a concern for customers; AWS handles provisioning new hardware to ensure there is always adequate EC2 capacity
-D- Regardless of hosting environment, application developer time will still be required
-E- Database engine capacity will be the same regardless of the hosting environment, e.g. Microsoft SQL Server will have a file size limit of 16 terabytes regardless of where it is hosted
Question 143
How does AWS charge for AWS Lambda?
A) Users bid on the maximum price they are willing to pay per hour.
B) Users choose a 1-, 3- or 5-year upfront payment term.
C) Users pay for the required permanent storage on a file system or in a database.
D) Users pay based on the number of requests and consumed compute resources.
AWS Lambda charges its users by the number of requests for their functions and by the duration, which is the time the code needs to execute. When code starts running in response to an event, AWS Lambda counts a request. It will charge the total number of requests across all of the functions used. Duration is calculated from the time when your code started executing until it returns or until it is terminated, rounded up to the nearest 100ms. The AWS Lambda pricing depends on the amount of memory that the user allocates to the function.
Question 144
What function do security groups serve related to Amazon Elastic Compute Cloud (Amazon EC2) instance security?
A) Act as a virtual firewall for the Amazon EC2 instance.
B) Secure AWS user accounts with AWS Identity and Access Management (IAM) policies.
C) Provide DDoS protection with AWS Shield.
D) Use Amazon CloudFront to protect the Amazon EC2 instance.
AWS Security Groups act like a firewall for your Amazon EC2 instances, controlling both inbound and outbound traffic. When you launch an instance on Amazon EC2, you need to assign it to a particular security group. After that, you can set up ports and protocols, which remain open for users and computers over the internet.
AWS Security Groups are very flexible. You can use the default security group and still customize it according to your liking (although we don't recommend this practice because groups should be named according to their purpose). Or you can create a security group that you want for your specific applications. To do this, you can write the corresponding code or use the Amazon EC2 console to make the process easier.
Question 145
Which disaster recovery scenario offers the lowest probability of downtime?
A) Backup and restore
B) Pilot light
C) Warm standby
D) Multi-site active-active
✑ Backup and Restore: a simple, straightforward, cost-effective method that backs up and restores data as needed. Keep in mind that because none of your data is on standby, this method, while cheap, can be quite time-consuming.
✑ Pilot Light: This method keeps critical applications and data at the ready so that they can be quickly retrieved if needed.
✑ Warm Standby: This method keeps a duplicate version of your business' core elements running on standby at all times, which makes for a little downtime and an almost seamless transition.
✑ Multi-Site Solution: Also known as a Hot Standby, this method fully replicates your company's data/applications between two or more active locations and splits your traffic/usage between them. If a disaster strikes, everything is simply rerouted to the unaffected area, which means you'll suffer almost zero downtime. However, by running two separate environments simultaneously, you will obviously incur much higher costs.
Question 146
What will help a company perform a cost benefit analysis of migrating to the AWS Cloud?
A) Cost Explorer
B) AWS Total Cost of Ownership (TCO) Calculator
C) AWS Pricing Calculator
D) AWS Trusted Advisor
The question is talking about a company trying to understand what their cost benefit would be by moving from on-premises IT infrastructure over to the AWS Cloud. The TCO Calculator is the tool that will perform this function, so B is the correct answer.
The TCO (Total Cost of Ownership) tool makes a comparison between on-premises IT infrastructure expense and the equivalent expense that would exist in the AWS Cloud. It then lets the customer know what their cost savings would be if they decided to move their existing IT infrastructure to the AWS Cloud.
Incorrect answers:
-C- is incorrect because the AWS Pricing Calculator will not calculate the difference between on-premises IT and AWS infrastructure costs. AWS Pricing Calculator is a tool that does not come into play until the customer has already committed to moving over to the cloud or they have already moved over to the cloud, where all cloud services, region locations, data usage, EC2 instance data, network and other service usages can be calculated.
Question 147
Which of the following provides the ability to share the cost benefits of Reserved Instances across AWS accounts?
A) AWS Cost Explorer between AWS accounts
B) Linked accounts and consolidated billing
C) Amazon Elastic Compute Cloud (Amazon EC2) Reserved Instance Utilization Report
D) Amazon EC2 Instance Usage Report between AWS accounts
The way that Reserved Instance discounts apply to accounts in an organization's consolidated billing family depends on whether Reserved Instance sharing is turned on or off for the account. By default, Reserved Instance sharing for all accounts in an organization is turned on. You can change this setting by Turning Off Reserved Instance Sharing for an account.
…
The capacity reservation for a Reserved Instance applies only to the account the Reserved Instance was purchased on, regardless of whether Reserved Instance sharing is turned on or off.
Question 148
A company has multiple AWS accounts and wants to simplify and consolidate its billing process. Which AWS service will achieve this?
A) AWS Cost and Usage Reports
B) AWS Organizations
C) AWS Cost Explorer
D) AWS Budgets
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
It allows you to:
-programmatically create new AWS accounts and allocate resources
-group accounts to organize your workflows
-apply policies to accounts or groups for governance
-define central configurations and audit requirements
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business
-control access, manage compliance, coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible by specific users, groups and roles)
-share resources across your AWS accounts.
-combine usage from all accounts in the organization to qualify you for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Question 149
A company is designing an application hosted in a single AWS Region serving end-users spread across the world. The company wants to provide the end-users low latency access to the application data. Which of the following services will help fulfill this requirement?
A) Amazon CloudFront
B) AWS Direct Connect
C) Amazon Route 53 global DNS
D) Amazon Simple Storage Service (Amazon S3) transfer acceleration
CloudFront enables low-latency delivery to the end users by caching the frequently used data at the edge locations.
Incorrect answers:
AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations.
Question 150
Which of the following deployment models enables customers to fully trade their capital IT expenses for operational expenses?
A) On-premises
B) Hybrid
C) Cloud
D) Platform as a service
The cloud allows you to trade capital expenses (such as data centers and physical servers) for variable expenses, and only pay for IT as you consume it. Plus, the variable expenses are much lower than what you would pay to do it yourself because of the economies of scale.
Question 151
How is asset management on AWS easier than asset management in a physical data center?
A) AWS provides a Configuration Management Database that users can maintain.
B) AWS performs infrastructure discovery scans on the customer's behalf.
C) Amazon EC2 automatically generates an asset report and places it in the customer's specified Amazon S3 bucket.
D) Users can gather asset metadata reliably with a few API calls.
AWS assets are centrally managed through an inventory management system that stores and tracks owner, location, status, maintenance, and descriptive information for AWS-owned assets. Following procurement, assets are scanned and tracked, and assets undergoing maintenance are checked and monitored for ownership, status, and resolution.
…
To build your own asset management database on AWS, here are the prerequisites:
-Configure AWS Systems Manager to start collecting the software inventory and store it in a designated Amazon S3 bucket.
-In each of the 'Resource' account(s), execute the following steps to set up AWS Systems Manager to collect the inventory information from all Systems Manager managed instances, and use AWS Systems Manager Resource Data Sync to send inventory data collected from managed instances to the Amazon S3 bucket created in Step 1. Please make sure that you are logged in to the same region where the S3 bucket is created…
Successful implementation and execution of service asset and configuration management processes should be seen as a shared responsibility that can be achieved through the right commitment by IT organizations, enabled by the AWS platform.
-B- Sounds like a very possible answer; however, nowhere in the literature online could I find mention of infrastructure discovery scans that AWS performs. Answer A is documented online and is much more solidly explained than this one.
Question 152
What feature of Amazon RDS helps to create globally redundant databases?
A) Snapshots
B) Automatic patching and updating
C) Cross-Region read replicas
D) Provisioned IOPS
Read Replicas - You can use this feature to implement a cross-region disaster recovery model, scale out globally, or migrate an existing database to a new region:
Improve Disaster Recovery – You can operate a read replica in a region different from your master database region. In case of a regional disruption, you can promote the replica to be the new master and keep your business in operation.
Scale Out Globally – If your application has a user base that is spread out all over the planet, you can use Cross Region Read Replicas to serve read queries from an AWS region that is close to the user.
Migration Between Regions – Cross Region Read Replicas make it easy for you to migrate your application from one AWS region to another. Simply create the replica, ensure that it is current, promote it to be a master database instance, and point your application at it.
Question 153
Which methods can be used to identify AWS costs by departments? (Choose two.)
A) Enable multi-factor authentication for the AWS account root user.
B) Create separate accounts for each department.
C) Use Reserved Instances whenever possible.
D) Use tags to associate each instance with a particular department.
E) Pay bills using purchase orders.
-B-
Create separate accounts and join them together using AWS Organizations.
-D-
Tags are key-value pairs that allow you to organize your AWS resources into groups. You can use tags to:
✑ Visualize information about tagged resources in one place, in conjunction with Resource Groups.
✑ View billing information using Cost Explorer and the AWS Cost and Usage report.
✑ Send notifications about spending limits using AWS Budgets.
…
Use logical groupings of your resources that make sense for your infrastructure or business. For example, you could organize your resources by:
✑ Project
✑ Cost center
✑ Development environment
✑ Application
✑ Department
Question 154
Under the AWS shared responsibility model, customer responsibilities include which one of the following?
A) Securing the hardware, software, facilities, and networks that run all products and services.
B) Providing certificates, reports, and other documentation directly to AWS customers under NDA.
C) Configuring the operating system, network, and firewall.
D) Obtaining industry certifications and independent third-party attestations.
In EC2, everything from the physical servers to the hypervisor is AWS's responsibility. The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.
Incorrect answers:
-A- Customers do not have AWS site access.
Question 155
Which managed AWS service provides real-time guidance on AWS security best practices?
A) AWS X-Ray
B) AWS Trusted Advisor
C) Amazon CloudWatch
D) AWS Systems Manager
AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. Trusted Advisor checks help optimize your AWS infrastructure, increase security and performance, reduce your overall costs, and monitor service limits. Whether establishing new workflows, developing applications, or as part of ongoing improvement, take advantage of the recommendations provided by Trusted Advisor on a regular basis to help keep your solutions provisioned optimally.
Question 156
Which feature adds elasticity to Amazon EC2 instances to handle the changing demand for workloads?
A) Resource groups
B) Lifecycle policies
C) Application Load Balancer
D) Amazon EC2 Auto Scaling
Amazon EC2 Auto Scaling helps you maintain application availability and allows you to automatically add or remove EC2 instances according to conditions you define. You can use the fleet management features of EC2 Auto Scaling to maintain the health and availability of your fleet.
Question 157
Under the AWS shared responsibility model, customers are responsible for which aspects of security in the cloud? (Choose two.)
A) Visualization management
B) Hardware management
C) Encryption management
D) Facilities management
E) Firewall management
With the basic Cloud infrastructure secured and maintained by AWS, the responsibility for what goes into the cloud falls on you. This covers both client- and server-side encryption and network traffic protection, security of the operating system, network, and firewall configuration, followed by application security and identity and access management.
…
Firewall configuration remains the responsibility of the end user, which integrates at the platform and application management level. For example, RDS utilizes security groups, which you would be responsible for configuring and implementing.
Question 158
Which AWS hybrid storage service enables on-premises applications to seamlessly use AWS Cloud storage through standard file-storage protocols?
A) AWS Direct Connect
B) AWS Snowball
C) AWS Storage Gateway
D) AWS Snowball Edge
The AWS Storage Gateway service enables hybrid cloud storage between on-premises environments and the AWS Cloud. It seamlessly integrates on-premises enterprise applications and workflows with Amazon's block and object cloud storage services through industry-standard storage protocols. It provides low-latency performance by caching frequently accessed data on premises, while storing data securely and durably in Amazon cloud storage services. It provides an optimized data transfer mechanism and bandwidth management, which tolerates unreliable networks and minimizes the amount of data being transferred. It brings the security, manageability, durability, and scalability of AWS to existing enterprise environments through native integration with AWS encryption, identity management, monitoring, and storage services. Typical use cases include backup and archiving, disaster recovery, moving data to S3 for in-cloud workloads, and tiered storage.
Question 159
What is a responsibility of AWS in the shared responsibility model?
A) Updating the network ACLs to block traffic to vulnerable ports.
B) Patching operating systems running on Amazon EC2 instances.
C) Updating the firmware on the underlying EC2 hosts.
D) Updating the security group rules to block traffic to the vulnerable ports.
Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden, as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.
Question 160
Which architectural principle is used when deploying an Amazon Relational Database Service (Amazon RDS) instance in Multiple Availability Zone mode?
A) Implement loose coupling.
B) Design for failure.
C) Automate everything that can be automated.
D) Use services, not servers.
When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention.
Question 161
What does it mean to grant least privilege to AWS IAM users?
A) It is granting permissions to a single user only.
B) It is granting permissions using AWS IAM policies only.
C) It is granting Administrator Access policy permissions to trustworthy users.
D) It is granting only the permissions required to perform a given task.
When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task.
Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.
Question 162
A director has been tasked with investigating hybrid cloud architecture. The company currently accesses AWS over the public internet. Which service will facilitate private hybrid connectivity?
A) Amazon Virtual Private Cloud (Amazon VPC) NAT Gateway
B) AWS Direct Connect
C) Amazon Simple Storage Service (Amazon S3) Transfer Acceleration
D) AWS Web Application Firewall (AWS WAF)
Amazon VPC provides multiple network connectivity options for you to leverage depending on your current network designs and requirements. These connectivity options include leveraging either the internet (VPN) or a dedicated private AWS Direct Connect connection as the network backbone and terminating the connection into either AWS or user-managed network endpoints.
Additionally, with AWS, you can choose how network routing is delivered between Amazon VPC and your networks, leveraging either AWS or user-managed network equipment and routes.
Question 163
A company's web application currently has tight dependencies on underlying components, so when one component fails the entire web application fails. Applying which AWS Cloud design principle will address the current design issue?
A) Implementing elasticity, enabling the application to scale up or scale down as demand changes.
B) Enabling several EC2 instances to run in parallel to achieve better performance.
C) Focusing on decoupling components by isolating them and ensuring individual components can function when other components fail.
D) Doubling EC2 computing resources to increase system fault tolerance.
Loose coupling - IT systems should ideally be designed in a way that reduces inter-dependencies. Your components need to be loosely coupled to avoid changes or failure in one of the components from affecting others.
Your infrastructure also needs to have well-defined interfaces that allow the various components to interact with each other only through specific, technology-agnostic interfaces. Modifying any underlying operations without affecting other components should be made possible.
Question 164
How can a customer increase security to AWS account logons? (Choose two.)
A) Configure AWS Certificate Manager
B) Enable Multi-Factor Authentication (MFA)
C) Use Amazon Cognito to manage access
D) Configure a strong password policy
E) Enable AWS Organizations
-B- AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.
-D- If you allow users to change their own passwords, create a custom password policy that requires them to create strong passwords and rotate their passwords periodically. On the Account Settings page of the IAM console, you can create a custom password policy for your account. You upgrade from the AWS default password policy to define password requirements, such as minimum length, whether it requires nonalphabetic characters, and how frequently it must be rotated. For more information, see Setting an account password policy for IAM users.
Incorrect answers:
-C- Amazon Cognito generates unique identifiers for your users to allow them to have access to your web and mobile apps quickly and easily, just like logging in to another app using your Facebook or Google sign-in credentials.
Question 165
What AWS service would be used to centrally manage AWS access across multiple accounts?
A) AWS Service Catalog
B) AWS Config
C) AWS Trusted Advisor
D) AWS Organizations
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Allows you to:
- programmatically create new AWS accounts and allocate resources
- group accounts to organize your workflows
- apply policies to accounts or groups for governance
- define central configurations and audit requirements
- simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business.
- control access, manage compliance, coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible by specific users, groups, and roles)
- share resources across your AWS accounts.
- combine usage from all accounts in the organization to qualify you for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Question 166
Which AWS service can a customer use to set up an alert notification when the account is approaching a particular dollar amount?
A) AWS Cost and Usage reports
B) AWS Budgets
C) AWS Cost Explorer
D) AWS Trusted Advisor
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define.
Question 167
What can users access from AWS Artifact?
A) AWS security and compliance documents
B) A download of configuration management details for all AWS resources
C) Training materials for AWS services
D) A security assessment of the applications deployed in the AWS Cloud
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
Question 168
Which of the following is an AWS Well-Architected Framework design principle related to reliability?
A) Deployment to a single Availability Zone
B) Ability to recover from failure
C) Design for cost optimization
D) Perform operations as code
There are five design principles for reliability in the cloud:
- Automatically recover from failure
- Scale horizontally to increase aggregate system availability
- Stop guessing capacity
- Manage change in automation
- Test recovery procedures - Use automation to simulate different failures or to recreate scenarios that led to failures before
Question 169
Which type of AWS storage is ephemeral and is deleted when an instance is stopped or terminated?
A) Amazon EBS
B) Amazon EC2 instance store
C) Amazon EFS
D) Amazon S3
When you stop or terminate an EC2 instance, every block of storage in the instance store is reset. Therefore, your data cannot be accessed through the instance store of another instance.
Question 170
What is an advantage of using the AWS Cloud over a traditional on-premises solution?
A) Users do not have to guess about future capacity needs.
B) Users can utilize existing hardware contracts for purchases.
C) Users can fix costs no matter what their traffic is.
D) Users can avoid audits by using reports from AWS.
6 Advantages of Cloud Computing:
- Trade capital expense for variable expense
- Benefit from massive economies of scale
- Stop guessing about capacity (i.e. elasticity)
- Increased speed and agility
- Stop spending money running and maintaining data centres
- Go global in minutes
Question 171
Which of the following is an AWS-managed compute service?
A) Amazon SWF
B) Amazon EC2
C) AWS Lambda
D) Amazon Aurora
AWS Managed Services is a set of services and tools that automate infrastructure management tasks for Amazon Web Services (AWS) deployments.
AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code as a ZIP file or container image, and Lambda automatically and precisely allocates compute execution power and runs your code based on the incoming request or event, for any scale of traffic. You can set up your code to automatically trigger from 140 AWS services or call it directly from any web or mobile app. You can write Lambda functions in your favorite language (Node.js, Python, Go, Java, and more) and use both serverless and container tools, such as AWS SAM or Docker CLI, to build, test, and deploy your functions.
Incorrect answers:
-B- EC2 is self-managed.
Question 172
Which of the following is an important architectural principle when designing cloud applications?
A) Store data and backups in the same region.
B) Design tightly coupled system components.
C) Avoid multi-threading.
D) Design for failure
There are six design principles for operational excellence in the cloud:
✑ Perform operations as code
✑ Annotate documentation
✑ Make frequent, small, reversible changes
✑ Refine operations procedures frequently
✑ Anticipate failure
✑ Learn from all operational failures
Design for failure, or otherwise you will be designing a failure.
Question 173
Which mechanism allows developers to access AWS services from application code?
A) AWS Software Development Kit
B) AWS Management Console
C) AWS CodePipeline
D) AWS Config
With SDKs, you access and manage AWS services with your preferred development language or platform.
Question 174
Which Amazon EC2 pricing model is the MOST cost efficient for an uninterruptible workload that runs once a year for 24 hours?
A) On-Demand Instances
B) Reserved Instances
C) Spot Instances
D) Dedicated Instances
The question states 24 hours once a year, meaning just one specific day of the year, so a 1-year Reserved Instance would waste the other 364 days.
"Uninterruptible workload" means the answer can't be Spot Instances.
Dedicated Instances are more expensive than On-Demand Instances.
With On-Demand Instances, you pay for compute capacity by the hour or the second depending on which instances you run. No longer-term commitments or upfront payments are needed. You can increase or decrease your compute capacity depending on the demands of your application and only pay the specified per-hourly rates for the instance you use.
Question 175
Which of the following services allows running of a MySQL-compatible database that automatically grows storage as needed? (Choose two)
A) Amazon Elastic Compute Cloud (Amazon EC2)
B) Amazon Relational Database Service (Amazon RDS) for MySQL
C) Amazon Lightsail
D) Amazon Aurora
-B- RDS MySQL has a storage autoscaling option, enabled by default at 1 TB (max 64 TB).
-D- Aurora storage automatically grows in increments of 10 GB, up to 64 TB.
Question 176
Which Amazon Virtual Private Cloud (Amazon VPC) feature enables users to connect two VPCs together?
A) Amazon VPC endpoints
B) Amazon Elastic Compute Cloud (Amazon EC2) ClassicLink
C) Amazon VPC peering
D) AWS Direct Connect
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection).
Question 177
Which service's PRIMARY purpose is software version control?
A) Amazon CodeStar
B) AWS Command Line Interface (AWS CLI)
C) Amazon Cognito
D) AWS CodeCommit
AWS CodeCommit is a version control service hosted by Amazon Web Services that you can use to privately store and manage assets (such as documents, source code, and binary files) in the cloud.
Question 178
A company is considering migrating its applications to AWS. The company wants to compare the cost of running the workload on-premises to running the equivalent workload on the AWS platform. Which tool can be used to perform this comparison?
A) AWS Pricing Calculator
B) AWS Total Cost of Ownership (TCO) Calculator
C) AWS Billing and Cost Management console
D) Cost Explorer
The TCO Calculator compares the cost of running your applications in an on-premises or colocation environment to AWS.
Question 179
Which AWS service provides a secure, fast, and cost-effective way to migrate or transport exabyte-scale datasets into AWS?
A) AWS Batch
B) AWS Snowball
C) AWS Migration Hub
D) AWS Snowmobile
AWS Snowmobile is an exabyte-scale data transfer service that can move extremely large amounts of data to AWS in a fast, secure, and cost-effective manner.
You can transfer up to 100PB per Snowmobile, a 45-foot long ruggedized shipping container, pulled by a semi-trailer truck. Snowmobile makes it easy to move massive volumes of data to the cloud, including video libraries, image repositories, or even a complete data center migration. All data is encrypted with 256-bit encryption and you can manage your encryption keys with AWS Key Management Service (AWS KMS). Snowmobile includes GPS tracking, alarm monitoring, 24/7 video surveillance and an optional escort security vehicle while in transit.
Question 180
Which of the following BEST describe the AWS pricing model? (Choose two.)
A) Fixed-term
B) Pay-as-you-go
C) Colocation
D) Planned
E) Variable cost
The pricing model used by AWS is pay for what you use, which is pay-as-you-go.
Variable cost refers to a cost that changes based on the quantity of service consumed.
Question 181
Which load balancer types are available with Elastic Load Balancing (ELB)? (Choose two.)
A) Public load balancers with AWS Application Auto Scaling capabilities
B) F5 Big-IP and Citrix NetScaler load balancers
C) Classic Load Balancers
D) Cross-zone load balancers with public and private IPs
E) Application Load Balancers
Elastic Load Balancing supports the following types of load balancers: Application Load Balancers, Network Load Balancers, and Classic Load Balancers.
Question 182
Why should a company choose AWS instead of a traditional data center?
A) AWS provides users with full control over the underlying resources.
B) AWS does not require long-term contracts and provides a pay-as-you-go model.
C) AWS offers edge locations in every country, supporting global reach.
D) AWS has no limits on the number of resources that can be created.
AWS offers you a pay-as-you-go approach for pricing for over 160 cloud services. With AWS you pay only for the individual services you need, for as long as you use them, and without requiring long-term contracts or complex licensing. AWS pricing is similar to how you pay for utilities like water and electricity. You only pay for the services you consume, and once you stop using them, there are no additional costs or termination fees.
Question 183
Which solution provides the FASTEST application response times to frequently accessed data to users in multiple AWS Regions?
A) AWS CloudTrail across multiple Availability Zones
B) Amazon CloudFront to edge locations
C) AWS CloudFormation in multiple regions
D) A virtual private gateway over AWS Direct Connect
You can deliver content and decrease end-user latency of your web application using Amazon CloudFront. CloudFront speeds up content delivery by leveraging its global network of data centers, known as edge locations, to reduce delivery time by caching your content close to your end users.
CloudFront fetches your content from an origin, such as an Amazon S3 bucket, an Amazon EC2 instance, an Amazon Elastic Load Balancing load balancer or your own web server, when it's not already in an edge location. CloudFront can be used to deliver your entire website or application, including dynamic, static, streaming, and interactive content.
Question 184
Which of the following AWS services can be used to run a self-managed database?
A) Amazon Route 53
B) AWS X-Ray
C) AWS Snowmobile
D) Amazon Elastic Compute Cloud (Amazon EC2)
Customers can use EC2 instances to install their DB of choice and self-manage it.
Question 185
What exclusive benefit is provided to users with Enterprise Support?
A) Access to a Technical Project Manager
B) Access to a Technical Account Manager
C) Access to a Cloud Support Engineer
D) Access to a Solutions Architect
TAM (Technical Account Manager) - a feature unique to Enterprise Support.
With Enterprise Support, you get 24x7 technical support from high-quality engineers, tools and technology to automatically manage the health of your environment, consultative architectural guidance delivered in the context of your applications and use cases, and a designated Technical Account Manager (TAM) to coordinate access to proactive / preventative programs and AWS subject matter experts.
Incorrect answers:
- Access to support engineers is also provided with the Business Support plan.
Question 186
How can a user protect against AWS service disruptions if a natural disaster affects an entire geographic area?
A) Deploy applications across multiple Availability Zones within an AWS Region.
B) Use a hybrid cloud computing deployment model within the geographic area.
C) Deploy applications across multiple AWS Regions.
D) Store application artifacts using AWS Artifact and replicate them across multiple AWS Regions.
Disaster Recovery (DR) using AWS regions:
Most organizations try to implement High Availability (HA) instead of DR to guard them against any downtime of services. In case of HA, we ensure there exists a fallback mechanism for our services. The service that runs in HA is handled by hosts running in different availability zones but in the same geographical region. This approach, however, does not guarantee that our business will be up and running in case the entire region goes down. DR takes things to a completely new level, wherein you need to be able to recover from a different region that’s separated by over 250 miles. Our DR implementation is an Active/Passive model, meaning that we always have minimum critical services running in different regions, but a major part of the infrastructure is launched and restored when required.
Question 187
How does AWS MOST effectively reduce computing costs for a growing start-up company?
A) It provides on-demand resources for peak usage.
B) It automates the provisioning of individual developer environments.
C) It automates customer relationship management.
D) It implements a fixed monthly computing budget.
The cloud allows you to trade fixed expenses (such as data centers and physical servers) for variable expenses, and only pay for IT as you consume it. And, because of the economies of scale, the variable expenses are much lower than what you would pay to do it yourself.
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible".
AWS enables you to take control of cost and continuously optimize your spend, while building modern, scalable applications to meet your needs. AWS's breadth of services and pricing options offer the flexibility to effectively manage your costs and still keep the performance and capacity you require.
You can continue to optimize your spend and keep your development costs low by making sure you revisit your architecture often, to adjust to your startup's growth.
Manage your cost further by leveraging different options such as S3/CloudFront for caching and offloading to reduce the cost of EC2 computing, as well as Elastic Load Balancing, which prepares you for massive scale, high reliability and uninterrupted growth. Another way to keep costs down is to use AWS Identity and Access Management (IAM) to manage governance of your cost drivers effectively and by the right teams.
Question 188
A startup is working on a new application that needs to go to market quickly. The application requirements may need to be adjusted in the near future. Which of the following is a characteristic of the AWS Cloud that would meet this specific need?
A) Elasticity
B) Reliability
C) Performance
D) Agility
Agile is a time-boxed, iterative approach to software delivery that builds software incrementally from the start of the project, instead of trying to deliver it all at once near the end.
The requirements might need to change. We are not talking about growth here but about a change in the way of doing things. Maybe they started with a static webpage and it turned out they now need a database instead. This is not elasticity. They don't need more computing power; they need an agile solution that can change over time.
Question 189
Which AWS Support plan provides a full set of AWS Trusted Advisor checks?
A) Business and Developer Support
B) Business and Basic Support
C) Enterprise and Developer Support
D) Enterprise and Business Support
AWS Basic Support and AWS Developer Support customers get access to 6 security checks (S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots) and 50 service limit checks. AWS Business Support and AWS Enterprise Support customers get access to all 115 Trusted Advisor checks (14 cost optimization, 17 security, 24 fault tolerance, 10 performance, and 50 service limits) and recommendations.
Question 190
Which of the following services have Distributed Denial of Service (DDoS) mitigation features through Amazon Shield Standard? (Choose two.)
A) AWS WAF
B) Amazon DynamoDB
C) Amazon EC2
D) Amazon CloudFront
E) Amazon Inspector
AWS provides flexible infrastructure and services that help customers implement strong DDoS mitigations and create highly available application architectures that follow AWS Best Practices for DDoS Resiliency. These include services such as Amazon Route 53, Amazon CloudFront, Elastic Load Balancing, and AWS WAF to control and absorb traffic, and deflect unwanted requests. These services integrate with AWS Shield, a managed DDoS protection service that provides always-on detection and automatic inline mitigations to safeguard web applications running on AWS. This document describes common DDoS attack types and provides AWS customers with best practices and strategies for protecting applications from a DDoS attack.
-C- EC2 also supports DDoS mitigation through Amazon Shield; however, this is through Amazon Shield Advanced only.
Question 191
When building a cloud Total Cost of Ownership (TCO) model, which cost elements should be considered for workloads running on AWS? (Choose three.)
A) Compute costs
B) Facilities costs
C) Storage costs
D) Data transfer costs
E) Network infrastructure costs
F) Hardware lifecycle costs
Compute costs, storage costs and data transfer costs are all charges that are incurred by using AWS.
There are three fundamental drivers of cost with AWS: compute, storage, and outbound data transfer. These characteristics vary somewhat, depending on the AWS product and pricing model you choose. In most cases, there is no charge for inbound data transfer or for data transfer between other AWS services within the same Region. There are some exceptions, so be sure to verify data transfer rates before beginning. Outbound data transfer is aggregated across services and then charged at the outbound data transfer rate. This charge appears on the monthly statement as AWS Data Transfer Out. The more data you transfer, the less you pay per GB. For compute resources, you pay hourly from the time you launch a resource until the time you terminate it, unless you have made a reservation for which the cost is agreed upon beforehand. For data storage and transfer, you typically pay per GB.
Incorrect answers:
-It cannot be E: AWS itself owns and operates the data network infrastructure, i.e. cables and routers. It is part of their data centers and they do not charge the customer for it (not directly at least).
-It cannot be F: AWS is in charge of hardware costs.
-It cannot be B: AWS is in charge of facilities costs.
Question 192
What time-savings advantage is offered with the use of Amazon Rekognition?
A) Amazon Rekognition provides automatic watermarking of images.
B) Amazon Rekognition provides automatic detection of objects appearing in pictures.
C) Amazon Rekognition provides the ability to resize millions of images automatically.
D) Amazon Rekognition uses Amazon Mechanical Turk to allow humans to bid on object detection jobs.
Amazon Rekognition is an image recognition service that detects objects, scenes, and faces; extracts text; recognizes celebrities; and identifies inappropriate content in images. It also allows you to search and compare faces. Rekognition Image is based on the same proven, highly scalable, deep learning technology developed by Amazon's computer vision scientists to analyze billions of images daily for Prime Photos.
Question 193
When comparing AWS with on-premises Total Cost of Ownership (TCO), what costs are included?
A) Data center security
B) Business analysis
C) Project management
D) Operating system administration
AWS provides data centre security included in the price, while the other 3 options are the customer's costs (regardless of whether on AWS or on-premises).
Question 194
According to the AWS shared responsibility model, what is AWS responsible for?
A) Configuring Amazon VPC
B) Managing application code
C) Maintaining application traffic
D) Managing the network infrastructure
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Question 195
Which service should be used to estimate the costs of running a new project on AWS?
A) AWS TCO Calculator
B) AWS Pricing Calculator
C) AWS Cost Explorer API
D) AWS Budgets
"AWS Pricing Calculator lets you explore AWS services and create an estimate for the cost of your use cases on AWS. You can model your solutions before building them, explore the price points and calculations behind your estimate, and find the available instance types and contract terms that meet your needs. This enables you to make informed decisions about using AWS. You can plan your AWS costs and usage or price out setting up a new set of instances and services."
Incorrect answers:
-"AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time." - i.e. for existing services you are already using.
-The AWS TCO Calculator is for comparing the price difference before migrating to an AWS environment.
Question 196
Which AWS tool will identify security groups that grant unrestricted Internet access to a limited list of ports?
A) AWS Organizations
B) AWS Trusted Advisor
C) AWS Usage Report
D) Amazon EC2 dashboard
Trusted Advisor checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with the highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.
Question 197
Which AWS service can be used to generate alerts based on an estimated monthly bill?
A) AWS Config
B) Amazon CloudWatch
C) AWS X-Ray
D) AWS CloudTrail
You can monitor your estimated AWS charges by using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.
Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.
Question 198
Which Amazon EC2 pricing model offers the MOST significant discount when compared to On-Demand Instances?
A) Partial Upfront Reserved Instances for a 1-year term
B) All Upfront Reserved Instances for a 1-year term
C) All Upfront Reserved Instances for a 3-year term
D) No Upfront Reserved Instances for a 3-year term
Reserved Instance savings (up to):
-Standard one-year:
--all upfront = approx. 41%
--partial upfront = approx. 40%
--no upfront = approx. 37%
-Standard three-year:
--all upfront = approx. 62%
--partial upfront = approx. 60%
--no upfront = approx. 57%
Question 199
Which of the following is the responsibility of AWS?
A) Setting up AWS Identity and Access Management (IAM) users and groups
B) Physically destroying storage media at end of life
C) Patching guest operating systems
D) Configuring security settings on Amazon EC2 instances
Media storage devices used to store customer data are classified by AWS as Critical and treated accordingly, as high impact, throughout their life-cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.
Question 200
Which of the following is an advantage of using AWS?
A) AWS audits user data.
B) Data is automatically secure.
C) There is no guessing on capacity needs.
D) AWS manages compliance needs.
6 Advantages of Cloud Computing:
-Trade capital expense for variable expense
-Benefit from massive economies of scale
-Stop guessing about capacity (i.e. elasticity)
-Increased speed and agility
-Stop spending money running and maintaining data centres
-Go global in minutes
Stop guessing capacity: eliminate guessing on your infrastructure capacity needs. When you make a capacity decision prior to deploying an application, you often end up either sitting on expensive idle resources or dealing with limited capacity. With cloud computing, these problems go away. You can access as much or as little capacity as you need, and scale up and down as required with only a few minutes' notice.
Question 201
Which AWS service would a customer use with a static website to achieve lower latency and high transfer speeds?
A) AWS Lambda
B) Amazon DynamoDB Accelerator
C) Amazon Route 53
D) Amazon CloudFront
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment.
Amazon CloudFront can speed up the delivery of your websites, whether it's static objects (e.g., images, style sheets, JavaScript, etc.) or dynamic content (e.g., videos, audio, motion graphics, etc.), to viewers across the globe.
Question 202
Which services manage and automate application deployments on AWS? (Choose two.)
A) AWS Elastic Beanstalk
B) AWS CodeCommit
C) AWS Data Pipeline
D) AWS CloudFormation
E) AWS Config
-A-
-AWS Elastic Beanstalk - as the deployment target for the sample app. Your completed pipeline will be able to detect changes made to the source repository containing the sample app and then automatically update your live sample app.
-B-
-AWS CodeStar services - enable you to quickly develop, build, and deploy applications on AWS by providing a unified user interface, enabling you to easily manage your software development activities in one place. You can set up your entire continuous delivery toolchain in minutes, allowing you to start releasing code faster. It makes it easy for your whole team to work together securely, allowing you to easily manage access and add owners, contributors, and viewers to your projects.
--AWS CodePipeline, a service that builds, tests, and deploys your code every time there is a code change
--AWS CodeCommit repository as the source location for the sample app's code
Incorrect answers:
-AWS Data Pipeline: a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources.
-AWS Config: a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
-AWS CloudFormation is for infrastructure deployment.
Question 203
Which principles are used to architect applications for reliability on the AWS Cloud? (Choose three.)
A) Design for automated failure recovery
B) Use multiple Availability Zones
C) Manage changes via documented processes
D) Test for moderate demand to ensure reliability
E) Backup recovery to an on-premises environment
-A-
"There are five design principles for reliability in the cloud:
-Automatically recover from failure
-Scale horizontally to increase aggregate system availability
-Stop guessing capacity
-Manage change in automation
-Test recovery procedures - use automation to simulate different failures or to recreate scenarios that led to failures before"
-B-
Wherever there is a multi-AZ configuration present, additional reliability is achieved as the entire Availability Zone itself is ruled out as a single point of failure.
Availability Zones are highly available data centers within each AWS Region. A Region represents a separate geographic area. Each Availability Zone has independent power, cooling and networking. When an entire Availability Zone goes down, AWS is able to fail over workloads to one of the other zones in the same Region, a capability known as Multi-AZ redundancy.
-C-
Change Management: Changes to your workload or its environment must be anticipated and accommodated to achieve reliable operation of the workload. Changes include those imposed on your workload, such as spikes in demand, as well as those from within, such as feature deployments and security patches. Using AWS, you can monitor the behaviour of a workload and automate the response to these changes. With monitoring in place, your team will be automatically alerted when KPIs deviate from expected norms. Automatic logging of changes to your environment allows you to audit and identify actions that might have impacted reliability.
-Changes to your infrastructure should be made using automation. The changes that need to be managed include changes to the automation, which then can be tracked and reviewed.
(https://d1.awsstatic.com/whitepapers/architecture/AWS-Reliability-Pillar.pdf)
Question 204
What tasks should a customer perform when that customer suspects an AWS account has been compromised? (Choose two.)
A) Rotate passwords and access keys.
B) Remove MFA tokens.
C) Move resources to a different AWS Region.
D) Delete AWS CloudTrail Resources.
E) Contact AWS Support.
-Change your AWS account root user password.
-Rotate and delete all root and AWS Identity and Access Management (IAM) access keys.
-Delete any potentially unauthorized IAM users, and then change the password for all other IAM users.
-Delete any resources on your account that you didn't create, such as Amazon Elastic Compute Cloud (Amazon EC2) instances and AMIs, Amazon Elastic Block Store (Amazon EBS) volumes and snapshots, and IAM users.
-Respond to the notifications that you received from AWS Support through the AWS Support Center.
Question 205
What is an example of high availability in the AWS Cloud?
A) Consulting AWS technical support at any time day or night
B) Ensuring an application remains accessible, even if a resource fails
C) Making any AWS service available for use by paying on demand
D) Deploying in any part of the world using AWS Regions
Deploying application redundancy in multiple AZs is enough to keep the app available should one resource fail.
Any time you read about "availability" in a question, the first thing to look for in your answer should be related to "failure", and vice versa.
Question 206
Which AWS security service protects applications from distributed denial of service attacks with always-on detection and automatic inline mitigations?
A) Amazon Inspector
B) AWS Web Application Firewall (AWS WAF)
C) Elastic Load Balancing (ELB)
D) AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
Question 207
A company wants to monitor the CPU usage of its Amazon EC2 resources. Which AWS service should the company use?
A) AWS CloudTrail
B) Amazon CloudWatch
C) AWS Cost and Usage report
D) Amazon Simple Notification Service (Amazon SNS)
CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards so you can get a unified view of your AWS resources, applications, and services that run in AWS and on-premises.
With Basic monitoring you get data on your CloudWatch metrics every 5 minutes. If you enable detailed monitoring, you get the data every minute.
To check whether detailed monitoring is enabled, open the EC2 console, select the instance, and in the lower pane select Monitoring.
Question 208
What is an AWS Identity and Access Management (IAM) role?
A) A user associated with an AWS resource
B) A group associated with an AWS resource
C) An entity that defines a set of permissions for use with an AWS resource
D) An authentication credential associated with a multi-factor authentication (MFA) token
An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.
Question 209
What are the advantages of Reserved Instances? (Choose two.)
A) They provide a discount over on-demand pricing.
B) They provide access to additional instance types.
C) They provide additional networking capability.
D) Customers can upgrade instances as new types become available.
E) Customers can reserve capacity in an Availability Zone.
-A-
A Reserved Instance is a reservation of resources and capacity, for either one or three years, for a particular Availability Zone within a region. When you purchase a reservation, you commit to paying for all of the hours of the 1- or 3-year term; in exchange, the hourly rate is lowered significantly.
Amazon EC2 Reserved Instances (RI) provide a significant discount (up to 72%) compared to On-Demand pricing and provide a capacity reservation when used in a specific Availability Zone. AWS Billing automatically applies your RI's discounted rate when attributes of EC2 instance usage match attributes of an active RI.
-E-
A zonal Reserved Instance (a Reserved Instance that is purchased for a specific Availability Zone) provides a capacity reservation as well as a discount.
Question 210
How do Amazon EC2 Auto Scaling groups help achieve high availability for a web application?
A) They automatically add more instances across multiple AWS Regions based on global demand of the application.
B) They automatically add or replace instances across multiple Availability Zones when the application needs it.
C) They enable the application's static content to reside closer to end users.
D) They are able to distribute incoming requests across a tier of web server instances.
Amazon EC2 Auto Scaling can detect when an instance is unhealthy, terminate it, and launch an instance to replace it. You can also configure Amazon EC2 Auto Scaling to use multiple Availability Zones. If one Availability Zone becomes unavailable, Amazon EC2 Auto Scaling can launch instances in another one to compensate.
Question 211
How can one AWS account use Reserved Instances from another AWS account?
A) By using Amazon EC2 Dedicated Instances
B) By using AWS Organizations consolidated billing
C) By using the AWS Cost Explorer tool
D) By using AWS Budgets
For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account. This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.
The account that originally purchased the Reserved Instance receives the discount first. If the purchasing account doesn't have any instances that match the terms of the Reserved Instance, the discount for the Reserved Instance is assigned to any matching usage on another account in the organization.
Question 212
A customer runs an On-Demand Amazon Linux EC2 instance for 3 hours, 5 minutes, and 6 seconds. For how much time will the customer be billed?
A) 3 hours, 5 minutes
B) 3 hours, 5 minutes, and 6 seconds
C) 3 hours, 6 minutes
D) 4 hours
Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it is terminated or stopped. Each partial instance-hour consumed will be billed per-second for Linux instances and as a full hour for all other instance types.
Question 213
Which of the following AWS services provide compute resources? (Choose two.)
A) AWS Lambda
B) Amazon Elastic Container Service (Amazon ECS)
C) AWS CodeDeploy
D) Amazon Glacier
E) AWS Organizations
Here is a full list of Compute Services:
-Amazon EC2
-Amazon EC2 Auto Scaling
-Amazon Elastic Container Registry
-Amazon Elastic Container Service
-Amazon Elastic Kubernetes Service
-Amazon Lightsail
-AWS Batch
-AWS Elastic Beanstalk
-AWS Fargate
-AWS Lambda
-AWS Serverless Application Repository
-AWS Outposts
-VMware Cloud on AWS
Question 214
Which AWS service enables users to deploy infrastructure as code by automating the process of provisioning resources?
A) Amazon GameLift
B) AWS CloudFormation
C) AWS Data Pipeline
D) AWS Glue
AWS CloudFormation provides a common language for you to model and provision AWS and third-party application resources in your cloud environment. AWS CloudFormation allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all Regions and accounts. This gives you a single source of truth for your AWS and third-party resources.
Question 215
Which AWS services provide a way to extend an on-premises architecture to the AWS Cloud? (Choose two.)
A) Amazon EBS
B) AWS Direct Connect
C) Amazon CloudFront
D) AWS Storage Gateway
E) Amazon Connect
F) AWS VPN
G) CloudHSM
-B-
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
-F-
AWS Virtual Private Network (VPN) solutions establish secure connections via the public internet between your on-premises networks, remote offices, client devices, and the AWS global network. You can connect your Amazon VPC to remote networks and users using the following VPN connectivity options:
Incorrect answers:
-D- This is more about simply using cloud storage than extending the entire system architecture between cloud and on-premises. AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases. These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low latency access to data in AWS for on-premises applications.
-G- CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary.
Question 216
Which services use AWS edge locations? (Choose two.)
A) Amazon CloudFront
B) AWS Shield
C) Amazon EC2
D) Amazon RDS
E) Amazon ElastiCache
-A-
Amazon CloudFront can be used to deliver your entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations. Requests for your content are automatically routed to the nearest edge location, so content is delivered with the best possible performance.
-B-
AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations.
Incorrect answers:
-ElastiCache improves the performance of your application, where the cached data is stored in in-memory data stores on the original server, which are not located at edge locations.
Question 217
Which service would provide network connectivity in a hybrid architecture that includes the AWS Cloud?
A) Amazon VPC
B) AWS Direct Connect
C) AWS Directory Service
D) Amazon API Gateway
A hybrid architecture may include a VPC, and the VPC has to rely on something else to get connected to the on-premises data. That connectivity can be realized by VPN or Direct Connect.
AWS has more compute, networking, storage, security and identity, data integration, management, monitoring, and operations services than any other cloud provider to help companies build hybrid cloud architectures for their specific use cases and requirements. Services like Amazon VPC, which allows you to provision a logically isolated, virtual network in AWS that is an extension of your on-premises network, AWS Direct Connect, which allows you to establish private connectivity to AWS, and AWS Storage Gateway, which allows your on-premises applications to use AWS cloud storage, make it as seamless as possible for customers to run their on-premises infrastructure alongside AWS.
Incorrect answers:
-Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
Question 218
What is the value of using third-party software from AWS Marketplace instead of installing third-party software on Amazon EC2? (Choose two.)
A) Users pay for software by the hour or month depending on licensing.
B) AWS Marketplace enables the user to launch applications with 1-Click.
C) AWS Marketplace data encryption is managed by a third-party vendor.
D) AWS Marketplace eliminates the need to upgrade to newer software versions.
E) Users can deploy third-party software without testing.
-A- Flexible pricing options include free trial, hourly, monthly, annual, multi-year, and BYOL (Bring Your Own License), and you are billed from one source. AWS handles billing and payments, and charges appear on the customer's AWS bill.
-B- Customers can quickly launch pre-configured software with just a few clicks, choosing software solutions in Amazon Machine Image (AMI) and software as a service (SaaS) formats, as well as other formats. Additionally, you can browse and subscribe to data products.
Question 219
Which of the following is a cloud architectural design principle?
A) Scale up, not out.
B) Loosely couple components.
C) Build monolithic systems.
D) Use commercial database software.
-B- Loosely coupled architectures reduce interdependencies, so that a change or failure in one component does not cascade to other components.
Question 220
Under the shared responsibility model, which of the following areas are the customer's responsibility? (Choose two.)
A) Firmware upgrades of network infrastructure
B) Patching of operating systems
C) Patching of the underlying hypervisor
D) Physical security of data centers
E) Configuration of the security group
-B- -E- Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden, as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall.
Incorrect answers:
-A- -C- -D- Network firmware, the hypervisor, and data center physical security are all "security of the cloud" and are handled by AWS.
Question 221
Which AWS service identifies security groups that allow unrestricted access to a user's AWS resources?
A) AWS CloudTrail
B) AWS Trusted Advisor
C) Amazon CloudWatch
D) Amazon Inspector
-B- Trusted Advisor: AWS Basic Support and AWS Developer Support customers get access to 6 security checks (S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots). "Security Groups - Specific Ports Unrestricted" flags rules that allow 0.0.0.0/0 access to sensitive ports.
Incorrect answers:
-A- CloudTrail records API calls made in the account; it does not assess configuration.
-C- CloudWatch collects metrics and logs; it does not evaluate security group rules.
-D- Amazon Inspector scans workloads such as EC2 instances for software vulnerabilities and unintended network exposure; it is not the service that reports unrestricted security groups at the account level.
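The Trusted Advisor check named above looks for ingress rules that expose sensitive ports to 0.0.0.0/0 or ::/0. The following Python is an added example, not code from the original page or from AWS, that performs the same kind of check offline over constructed security group data laid out the way boto3's describe_security_groups() returns it; the list of sensitive ports is an assumption made for the example.

```python
"""Find security group ingress rules open to the world on sensitive ports.

Added example, not taken from the original page or from AWS: it reproduces
the idea behind the Trusted Advisor "Security Groups - Specific Ports
Unrestricted" check over data shaped like the output of boto3's
ec2.describe_security_groups(). The groups below are constructed samples.
"""
from typing import Dict, List, Tuple

# Ports treated as sensitive for this example (assumption: the exact list
# Trusted Advisor uses may differ).
RISKY_PORTS = frozenset({20, 21, 22, 23, 25, 1433, 1434, 3306, 3389, 5432})
WORLD_CIDRS = frozenset({"0.0.0.0/0", "::/0"})

Finding = Tuple[str, str, int]  # (GroupId, world-open CIDR, exposed port)


def covers_port(perm: Dict, port: int) -> bool:
    """True if an IpPermissions entry admits traffic on `port`.

    IpProtocol "-1" means all protocols and all ports; for tcp/udp the rule
    carries a FromPort..ToPort range. Other protocols (icmp, GRE, ...) are
    not port-based, so they never match.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_cidrs(perm: Dict) -> List[str]:
    """Return the IPv4/IPv6 ranges of the rule that mean 'anyone'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_unrestricted_rules(groups: List[Dict],
                            risky_ports=RISKY_PORTS) -> List[Finding]:
    """Flag (group, cidr, port) triples where a sensitive port is world-open."""
    findings: List[Finding] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            open_cidrs = world_open_cidrs(perm)
            if not open_cidrs:
                continue  # restricted to specific sources: fine
            for port in sorted(risky_ports):
                if covers_port(perm, port):
                    findings.extend((sg["GroupId"], c, port) for c in open_cidrs)
    return findings


# Constructed sample in the describe_security_groups() shape.
SAMPLE_GROUPS = [
    {   # HTTPS to the world is normal for a public web tier: no finding
        "GroupId": "sg-0web", "GroupName": "web",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # SSH open to 0.0.0.0/0: the classic Trusted Advisor finding
        "GroupId": "sg-0bastion", "GroupName": "bastion",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # MySQL only from the corporate range: no finding
        "GroupId": "sg-0db", "GroupName": "db",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
    },
    {   # All traffic from ::/0: every sensitive port is exposed over IPv6
        "GroupId": "sg-0wide", "GroupName": "wide-open",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                           "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
]

if __name__ == "__main__":
    for group_id, cidr, port in find_unrestricted_rules(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} open to {cidr}")
```

Against a live account the same function can be fed boto3.client("ec2").describe_security_groups()["SecurityGroups"] for each Region. Note that an all-traffic (-1) rule never carries FromPort/ToPort, and that an IPv6 ::/0 range is just as open as 0.0.0.0/0; both are easy to miss in a check that only looks at TCP port 22 from IPv4.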
Question 222
According to the AWS shared responsibility model, who is responsible for configuration management?
A) It is solely the responsibility of the customer.
B) It is solely the responsibility of AWS.
C) It is shared between AWS and the customer.
D) It is not part of the AWS shared responsibility model.
-C- AWS maintains the configuration of its infrastructure devices, but the customer is responsible for configuring their own guest operating systems, databases, and applications.
Question 223
Which AWS service is a content delivery network that securely delivers data, video, and applications to users globally with low latency and high speeds?
A) AWS CloudFormation
B) AWS Direct Connect
C) Amazon CloudFront
D) Amazon Pinpoint
-C- Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS, both the physical locations that are directly connected to the AWS global infrastructure and other AWS services.
Question 224
Which benefit of the AWS Cloud supports matching the supply of resources with changing workload demands?
A) Security
B) Reliability
C) Elasticity
D) High availability
-C- In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible".
Some cloud solutions can also be automatically adjusted to meet these needs. This means you can set them up to scale up or down automatically based on certain conditions, such as when your cloud solution is running out of processing power.
Question 225
A user is running an application on AWS and notices that one or more AWS-owned IP addresses is involved in a distributed denial-of-service (DDoS) attack. Who should the user contact FIRST about this situation?
A) AWS Premium Support
B) AWS Technical Account Manager
C) AWS Solutions Architect
D) AWS Trust & Safety Team
-D- If you suspect that AWS resources are used for abusive purposes, contact the AWS Trust & Safety Team (formerly the AWS Abuse team) using the Report Amazon AWS abuse form.
Question 226
Which of the following are benefits of hosting infrastructure in the AWS Cloud? (Choose two.)
A) There are no upfront commitments.
B) AWS manages all security in the cloud.
C) Users have the ability to provision resources on demand.
D) Users have access to free and unlimited storage.
E) Users have control over the physical infrastructure.
-A- There are no upfront commitments (AWS is on-demand, pay as you go).
-C- Users can provision resources as and when they see fit.
6 Advantages of Cloud Computing:
-Trade capital expense for variable expense
-Benefit from massive economies of scale
-Stop guessing about capacity (i.e. elasticity)
-Increase speed and agility
-Stop spending money running and maintaining data centres
-Go global in minutes
Incorrect answers:
-B- AWS does not manage all security in the cloud; it is a shared responsibility model (AWS secures the cloud, the customer secures what they put in it).
-D- Users do not get free unlimited storage; the Free Tier exists but is capped, and the 12-month tier expires after the first year.
-E- Users have NO control over the physical infrastructure.
Question 227
What is AWS Trusted Advisor?
A) It is an AWS staff member who provides recommendations and best practices on how to use AWS.
B) It is a network of AWS partners who provide recommendations and best practices on how to use AWS.
C) It is an online tool with a set of automated checks that provides recommendations on cost optimization, performance, and security.
D) It is another name for AWS Technical Account Managers who provide recommendations on cost optimization, performance, and security.
-C- AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices. Whether establishing new workflows, developing applications, or as part of ongoing improvement, take advantage of the recommendations provided by Trusted Advisor on a regular basis to help keep your solutions provisioned optimally.
Checks are for:
-Performance
-Service Quotas
-Cost optimization
-Security
-Fault Tolerance
Question 228
Which AWS service or feature allows a company to visualize, understand, and manage AWS costs and usage over time?
A) AWS Budgets
B) AWS Cost Explorer
C) AWS Organizations
D) Consolidated billing
-B- AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time.
Question 229
Which AWS service offers on-demand access to AWS security and compliance reports?
A) AWS CloudTrail
B) AWS Artifact
C) AWS Health
D) Amazon CloudWatch
-B- AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and select online agreements. Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Non-Disclosure Agreement (NDA).
Question 230
Which of the following are features of Amazon CloudWatch Logs? (Select TWO.)
A) Summaries by Amazon Simple Notification Service (Amazon SNS)
B) Free Amazon Elasticsearch Service analytics
C) Provided at no charge
D) Real-time monitoring
E) Adjustable retention
-D- With CloudWatch Logs, you can monitor your logs, in near real time, for specific phrases, values, or patterns. For example, you could set an alarm on the number of errors that occur in your system logs or view graphs of the latency of web requests from your application logs. You can then view the original log data to see the source of the problem.
-E- Log retention: by default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention or choosing a retention period between one day and 10 years. Log data can be stored and accessed indefinitely in highly durable, low-cost storage, so you don't have to worry about filling up hard drives.
Other CloudWatch Logs features:
- Query your log data
- Monitor logs from Amazon EC2 instances
- Monitor AWS CloudTrail logged events
- Archive log data
- Log Route 53 DNS queries
Question 231
Which of the following are valid ways for a customer to interact with AWS services? (Select TWO.)
A) Command line interface
B) On-premises
C) Software Development Kits
D) Software-as-a-service
E) Hybrid
-A- -C- You can access the AWS platform in 3 ways:
-Using the Console: graphical interface to access AWS features
-Using the CLI (command line interface): lets you control AWS services programmatically from the command line
-Using the SDKs: enable you to access AWS using a variety of popular programming languages
Question 232
Which of the following AWS services can be used to serve large amounts of online video content with the lowest possible latency? (Select TWO.)
A) AWS Storage Gateway
B) Amazon S3
C) Amazon Elastic File System (EFS)
D) Amazon Glacier
E) Amazon CloudFront
-B- -E- You can configure your application to deliver static content and decrease the end-user latency using Amazon S3 and Amazon CloudFront. High-resolution images, videos, and other static files can be stored in Amazon S3. CloudFront speeds up content delivery by leveraging its global network of data centers, known as edge locations, to reduce delivery time by caching your content close to your end users.
CloudFront fetches your content from an origin, such as an Amazon S3 bucket, an Amazon EC2 instance, an Elastic Load Balancing load balancer, or your own web server, when it is not already in an edge location. CloudFront can be used to deliver your entire website or application, including dynamic, static, streaming, and interactive content. You can set your Amazon S3 bucket as the origin of your CloudFront web distribution.
Question 233
Which of the following security-related services does AWS offer? (Select TWO.)
A) Multi-factor authentication physical tokens
B) AWS Trusted Advisor security checks
C) Data encryption
D) Automated penetration testing
E) Amazon S3 copyrighted content detection
-B- AWS Trusted Advisor is an application that draws upon best practices learned from AWS' aggregated operational history of serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps.
-C- Encryption of data at rest (Amazon EFS): You can create an encrypted file system so all your data and metadata is encrypted at rest using the industry-standard AES-256 encryption algorithm. Encryption and decryption are handled automatically and transparently, so you don't have to modify your applications. If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, we recommend creating an encrypted file system.
…
Encryption of data in transit (Amazon EFS): You can mount a file system so all NFS traffic is encrypted in transit using Transport Layer Security 1.2 (TLS, formerly called Secure Sockets Layer) with an industry-standard AES-256 cipher. TLS is a set of industry-standard cryptographic protocols used for encrypting information that is exchanged over the wire. AES-256 is a 256-bit encryption cipher used for data transmission in TLS. If your organization is subject to corporate or regulatory policies that require encryption of data and metadata in transit, we recommend setting up encryption in transit on every client accessing the file system.
…
You have the following options for protecting data at rest in Amazon S3:
Server-side encryption: Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects.
Client-side encryption: Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
Incorrect answers:
-A- AWS supports hardware MFA devices (hardware TOTP tokens and FIDO security keys), but it does not issue them; they are bought from third-party vendors, and virtual MFA apps are the usual choice.
-D- AWS does not run penetration tests for you; customers carry out penetration testing of their own resources (within the AWS customer support policy for penetration testing), and it is not an automated AWS service.
-E- Amazon Rekognition detects inappropriate or offensive content: explicit or suggestive adult content, violent content, weapons, visually disturbing content, drugs, alcohol, tobacco, hate symbols, gambling, and rude gestures. Copyrighted content is not detected using this service.
Question 234
Which of the following are categories of AWS Trusted Advisor? (Select TWO.)
A) Fault Tolerance
B) Instance Usage
C) Infrastructure
D) Performance
E) Storage Capacity
-A- -D- Trusted Advisor categories:
-Cost optimization
-Performance
-Security
-Fault tolerance
-Service limits
Question 235
Which of the following services could be used to deploy an application to servers running on-premises? (Select TWO.)
A) AWS Elastic Beanstalk
B) AWS OpsWorks
C) AWS CodeDeploy
D) AWS Batch
E) AWS X-Ray
-B- AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
-C- AWS CodeDeploy is a service that automates code deployments to Amazon Elastic Compute Cloud (EC2) and on-premises servers. Accelerating how fast a developer can release code allows them to release new features for an application faster and avoid deployment errors in complex applications.
Incorrect answers:
-A- Elastic Beanstalk deploys on AWS only.
Question 236
Which design principles for cloud architecture are recommended when re-architecting a large monolithic application? (Select TWO.)
A) Use manual monitoring.
B) Use fixed servers.
C) Implement loose coupling.
D) Rely on individual components.
E) Design for scalability.
-C- Loose coupling is one of the key cloud design principles. Your components need to be loosely coupled so that changes or failures in one component do not affect the others.
-E- Being adaptive and elastic is one of the key cloud design principles. The AWS cloud architecture should be such that it supports growth of users, traffic, or data size with no drop in performance. It should also allow for linear scalability when and where an additional resource is added. The system needs to be able to adapt and proportionally serve additional load. Whether the AWS cloud architecture includes vertical scaling, horizontal scaling, or both is up to the designer, depending on the type of application or data to be stored. But your design should be equipped to take maximum advantage of the virtually unlimited on-demand capacity of cloud computing. Also, knowing when to use stateless applications, stateful applications, stateless components, and distributed processing makes your cloud very effective in its use of storage.
More info: (https://www.botmetric.com/blog/aws-cloud-architecture-design-principles/)
Question 237
Which AWS services are defined as global instead of regional? (Select TWO.)
A) Amazon Route 53
B) Amazon EC2
C) Amazon S3
D) Amazon CloudFront
E) Amazon DynamoDB
-A- Route 53 is global; Route 53 services are offered at AWS edge locations.
-D- CloudFront is global; the content delivery network (CDN) is served from AWS edge locations.
Incorrect answers:
-B- EC2 instances are tied to the Availability Zone in which you launched them. Note, however, that the instance ID is tied to the Region. Other EC2 components range from Availability Zone scoped (EBS volumes, cluster placement groups) to regional (resource identifiers, EBS snapshots).
-C- S3 is global in the console, but the data is regional. S3 buckets are created within the selected Region. Objects stored are replicated across Availability Zones to provide high durability but are not replicated across Regions unless done explicitly.
-E- DynamoDB is regional. All data objects are stored within the same Region and replicated across multiple Availability Zones in that Region. Data objects can be explicitly replicated across Regions using cross-region replication (global tables).
More info: check out this website (https://jayendrapatil.com/aws-global-vs-regional-vs-az-resources) to see each service's classification.
Question 238
The financial benefits of using AWS are: (Select TWO.)
A) reduced Total Cost of Ownership (TCO).
B) increased capital expenditure (capex).
C) reduced operational expenditure (opex).
D) deferred payment plans for startups.
E) business credit lines for startups.
-A- -C- A pay-as-you-go model reduces investments in large capital expenditures. In addition, you can reduce the operating expense (OpEx) costs involved with the management and maintenance of data; this is partly due to the large economies of scale AWS can take advantage of.
Question 239
Which of the following can an AWS customer use to launch a new Amazon Relational Database Service (Amazon RDS) cluster? (Select TWO.)
A) AWS Concierge
B) AWS CloudFormation
C) Amazon Simple Storage Service (Amazon S3)
D) Amazon EC2 Auto Scaling
E) AWS Management Console
-B- AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.
-E- The AWS Management Console offers over 150 services you can configure, launch, and test to get hands-on experience with AWS. With the Console's automated wizards and workflows, it's even easier to quickly deploy and test common workloads. There's also a resource library featuring articles and tips from AWS experts, Getting Started tutorials, on-demand webinars, reference deployment templates, and more.
Incorrect answers:
-A- Your AWS Concierge is a senior customer service agent who is assigned to your account when you subscribe to an Enterprise or qualified Reseller Support plan.
Question 240
Which of the following security measures protect access to an AWS account? (Select TWO.)
A) Enable AWS CloudTrail.
B) Grant least privilege access to IAM users.
C) Create one IAM user and share with many developers and users.
D) Enable Amazon CloudFront.
E) Activate multi-factor authentication (MFA) for privileged users.
-B- Granting least privilege minimises the 'blast radius' in the event of a security breach.
The Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have that access right.
…
This principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur.
-E- MFA adds extra security because it requires users to provide unique authentication from an AWS-supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services.
Incorrect answers:
-A- CloudTrail provides EVENT HISTORY. It is a detective control: it does not protect access, but it records what was done should the account be compromised.
-C- This is the opposite of the right way; shared credentials destroy accountability and cannot be revoked for one person.
-D- CloudFront is a content delivery network; it does not control who can sign in to the AWS account.
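Least privilege and MFA are usually enforced together in one IAM policy: allow only what the identity needs, and deny everything else unless the request was made with MFA. The following Python is an added example, not from the original page or from AWS, that evaluates such a policy offline with a small model of IAM's Deny-overrides-Allow logic. The policy, the action names, and the request contexts are constructed for the example. It also shows the documented pitfall that a Bool test on aws:MultiFactorAuthPresent does not match when the key is absent (as it is for requests signed with long-term access keys), which is why the deny statement uses BoolIfExists.

```python
"""Least-privilege IAM policy with an MFA condition, evaluated offline.

Added example, not from the original page or from AWS. It models the part
of IAM policy evaluation needed to see how "grant least privilege" and
"require MFA for privileged users" fit together: an explicit Deny always
wins, an Allow is needed for anything to be permitted, and everything else
is implicitly denied. Only Action/NotAction wildcards and the Bool and
BoolIfExists condition operators are implemented; Resource and Principal
are assumed to be "*". The policies and request contexts are constructed.
"""
import fnmatch
from typing import Any, Dict, List, Union

MFA_KEY = "aws:MultiFactorAuthPresent"
SELF_SERVICE = ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice", "sts:GetSessionToken"]


def mfa_gated_policy(condition_operator: str) -> Dict[str, Any]:
    """Allow a little, deny everything else unless the caller used MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowOwnMfaSetup", "Effect": "Allow",
             "Action": SELF_SERVICE, "Resource": "*"},
            {"Sid": "AllowReadOnlyS3", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:Get*"], "Resource": "*"},
            {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
             "NotAction": SELF_SERVICE, "Resource": "*",
             "Condition": {condition_operator: {MFA_KEY: "false"}}},
        ],
    }


# BoolIfExists is the documented way to write the deny: the MFA key is absent
# from requests signed with long-term access keys, and a plain Bool test on an
# absent key does not match, so the Deny would silently not apply.
GOOD_POLICY = mfa_gated_policy("BoolIfExists")
WEAK_POLICY = mfa_gated_policy("Bool")


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches_any(action: str, patterns: List[str]) -> bool:
    # IAM action wildcards are case-insensitive and use * and ?
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _action_applies(statement: Dict[str, Any], action: str) -> bool:
    if "Action" in statement:
        return _matches_any(action, _as_list(statement["Action"]))
    return not _matches_any(action, _as_list(statement["NotAction"]))


def _condition_holds(condition: Dict[str, Dict[str, str]],
                     context: Dict[str, str]) -> bool:
    """Evaluate Bool / BoolIfExists blocks; every key in every block must hold."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            present = key in context
            if operator == "Bool":
                if not present or context[key].lower() != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                if present and context[key].lower() != expected.lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def decide(policy: Dict[str, Any], action: str, context: Dict[str, str]) -> str:
    """Return "Allow" or "Deny" for one action under a single identity policy."""
    allowed = False
    for st in policy["Statement"]:
        if not _action_applies(st, action):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit deny overrides any allow
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed


if __name__ == "__main__":
    for ctx in ({MFA_KEY: "true"}, {MFA_KEY: "false"}, {}):
        print(ctx, decide(GOOD_POLICY, "s3:GetObject", ctx),
              decide(WEAK_POLICY, "s3:GetObject", ctx))
```

The run with an empty context is the one to look at: it is what a request signed with plain access keys looks like, and only the BoolIfExists version denies it. Real IAM evaluation also considers resource ARNs, permission boundaries, SCPs, and session policies, none of which this model includes.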
Question 241
Which of the following features can be configured through the Amazon Virtual Private Cloud (Amazon VPC) Dashboard? (Select TWO.)
A) Amazon CloudFront distributions
B) Amazon Route 53
C) Security Groups
D) Subnets
E) Elastic Load Balancing
-C- -D- Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Question 242
Which AWS services can be used to gather information about AWS account activity? (Select TWO.)
A) Amazon CloudFront
B) AWS Cloud9
C) AWS CloudTrail
D) AWS CloudHSM
E) Amazon CloudWatch
-C- AWS offers a solution that uses AWS CloudTrail to log account activity, Amazon Kinesis to compute and stream metrics in real time, and Amazon DynamoDB to durably store the computed data. Metrics are calculated for create, modify, and delete API calls for more than 60 supported AWS services. The solution also features a dashboard that visualizes your account activity in real time.
-E- With a trail created and configured to deliver events to Amazon CloudWatch Logs, you can use CloudWatch Logs queries to search API history beyond the 90 days kept in the CloudTrail Event history.
Incorrect answers:
-A- CloudFront is a fast content delivery network service that securely delivers data, videos, etc. and does NOT track account activity.
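What "information about account activity" looks like in practice is a CloudTrail log file: a JSON object whose Records list holds one event per API call or console sign-in. The following Python is an added example, not from the original page or from AWS, that triages constructed records of that shape for the first things an on-call engineer looks at (root-account use, console logins without MFA, repeated failed logins from one address, changes to IAM). The field names are the ones real records carry; the events and the failure threshold are made up for the example.

```python
"""Triage constructed CloudTrail records for account-activity red flags.

Added example, not from the original page or from AWS. It reads CloudTrail
records in the format a trail delivers (the fields used here exist in real
records; the events themselves are made up for the example) and flags
root-account use, console logins without MFA, failed console logins from
one source address, and changes to IAM. The threshold is an assumption.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

FAILED_LOGIN_THRESHOLD = 3   # assumption: failures per source IP worth flagging
IAM_CHANGE_PREFIXES = ("Create", "Put", "Attach", "Update", "Delete", "Add")

Finding = Tuple[str, str]    # (eventID or sourceIPAddress, reason)


def parse_records(raw: str) -> List[Dict]:
    """CloudTrail log files are a JSON object with a top-level "Records" list."""
    return json.loads(raw)["Records"]


def triage(records: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    failed_by_ip: Counter = Counter()
    for ev in records:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName", "")
        if ident.get("type") == "Root":
            findings.append((ev["eventID"], "root account used"))
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_by_ip[ev.get("sourceIPAddress", "?")] += 1
            elif ev.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append((ev["eventID"], "console login without MFA"))
        if (ev.get("eventSource") == "iam.amazonaws.com"
                and name.startswith(IAM_CHANGE_PREFIXES)):
            findings.append((ev["eventID"], f"IAM change: {name}"))
    for ip, n in failed_by_ip.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append((ip, f"{n} failed console logins"))
    return findings


def _rec(event_id, name, ident_type, user, source_ip, **extra) -> Dict:
    """Build one constructed record with the fields triage() reads."""
    rec = {"eventVersion": "1.08", "eventID": event_id, "eventName": name,
           "eventSource": extra.pop("eventSource", "signin.amazonaws.com"),
           "eventTime": "2024-01-01T00:00:00Z", "awsRegion": "us-east-1",
           "sourceIPAddress": source_ip,
           "userIdentity": {"type": ident_type, "userName": user}}
    rec.update(extra)
    return rec


# Constructed sample log file (addresses are documentation ranges).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("e1", "ConsoleLogin", "IAMUser", "alice", "203.0.113.10",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "Yes"}),
    _rec("e2", "ConsoleLogin", "IAMUser", "bob", "203.0.113.11",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No"}),
    _rec("e3", "ConsoleLogin", "Root", "root", "198.51.100.7",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "Yes"}),
    *[_rec(f"e{i}", "ConsoleLogin", "IAMUser", "alice", "192.0.2.99",
           responseElements={"ConsoleLogin": "Failure"}) for i in (4, 5, 6)],
    _rec("e7", "AttachUserPolicy", "IAMUser", "bob", "203.0.113.11",
         eventSource="iam.amazonaws.com"),
    _rec("e8", "ListBuckets", "IAMUser", "alice", "203.0.113.10",
         eventSource="s3.amazonaws.com"),
]})

if __name__ == "__main__":
    for subject, reason in triage(parse_records(SAMPLE_LOG)):
        print(subject, reason)
```

The same checks are what you would express as CloudWatch Logs metric filters on a trail that delivers to a log group (for example a filter on `{ $.userIdentity.type = "Root" }`), with an alarm on the resulting metric; running them over the raw files is how you answer "what happened" for a window that predates the filter.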
Question 243
What can AWS edge locations be used for? (Select TWO.)
A) Hosting applications
B) Delivering content closer to users
C) Running NoSQL database caching services
D) Reducing traffic on the server by caching responses
E) Sending notification messages to end users
-B- CloudFront delivers your content through a worldwide network of data centers called edge locations, which are closer to the end users than the original servers where the content is permanently hosted.
-D- When you use CloudFront, it caches your content at AWS edge locations to serve it to your users faster. For example, this blog's original AWS Region is Europe (Frankfurt, eu-central-1), which is the closest Region to my location. If I did not place Amazon CloudFront in front of my S3 bucket, all requests to this blog would be served from Frankfurt. As you would guess, this would cause slower pages for most of my readers all around the world.
Luckily, I have an Amazon CloudFront distribution in front of my blog. So, only the first reader close to an AWS edge location will be served from this Region. All subsequent requests around that edge location will be served directly from the edge location's cache.
However, you will also need to update your website content. So, from time to time, CloudFront needs to expire your content in the edge location's cache and check whether it was updated at the original location.
Question 244
Access keys in AWS Identity and Access Management (IAM) are used to:
A) log in to the AWS Management Console.
B) sign programmatic requests to the AWS CLI or AWS API.
C) log in to Amazon EC2 instances.
D) authenticate to AWS CodeCommit repositories.
-B- Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
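An access key pair is not a password sent to AWS: the secret key never leaves the client and is used to compute a Signature Version 4 HMAC over a canonical form of the request, which AWS recomputes on its side with the same secret. The following Python is an added example, not from the original page or from an AWS SDK, that implements SigV4 signing and the service-side verification for a simple GET request; the credentials are the placeholder values AWS uses in its documentation, and the host and timestamp are fixed assumptions for the example.

```python
"""Sign and verify an AWS API request with Signature Version 4.

Added example, not from the original page or from any AWS SDK. The secret
key is turned into a per-day, per-region, per-service signing key; an
HMAC-SHA256 over a canonical form of the request becomes the Authorization
header; verify_request() is the check the service side performs. The
credentials are the placeholders used in AWS documentation, the timestamp
is fixed, and the host is an assumption for the example.
"""
import datetime
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: Dict[str, str],
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Build the canonical request and the SignedHeaders list it covers."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def compute_signature(secret_key: str, region: str, service: str, method: str,
                      path: str, query: Dict[str, str], headers: Dict[str, str],
                      payload: bytes) -> Tuple[str, str, str]:
    """Return (signature, credential scope, signed headers) for the request."""
    amz_date = headers["x-amz-date"]
    date_stamp = amz_date[:8]
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, scope, signed_headers


def sign_request(access_key: str, secret_key: str, region: str, service: str,
                 method: str, host: str, path: str, query: Dict[str, str],
                 payload: bytes, now: datetime.datetime) -> Dict[str, str]:
    """Client side: return the headers to send, including Authorization."""
    headers = {"host": host, "x-amz-date": now.strftime("%Y%m%dT%H%M%SZ")}
    signature, scope, signed_headers = compute_signature(
        secret_key, region, service, method, path, query, headers, payload)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_request(secret_key: str, region: str, service: str, method: str,
                   path: str, query: Dict[str, str], headers: Dict[str, str],
                   payload: bytes) -> bool:
    """Service side: recompute the signature and compare in constant time."""
    presented = headers["authorization"].rsplit("Signature=", 1)[1]
    signed = {k: v for k, v in headers.items() if k != "authorization"}
    expected, _, _ = compute_signature(secret_key, region, service, method,
                                       path, query, signed, payload)
    return hmac.compare_digest(presented, expected)


# Placeholder credentials from the AWS documentation; never real keys.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
FIXED_TIME = datetime.datetime(2015, 8, 30, 12, 36, 0, tzinfo=datetime.timezone.utc)


def demo() -> Dict[str, str]:
    """Sign GET / against an assumed host in us-east-1 for service "service"."""
    return sign_request(ACCESS_KEY, SECRET_KEY, "us-east-1", "service", "GET",
                        "example.amazonaws.com", "/", {}, b"", FIXED_TIME)


if __name__ == "__main__":
    print(demo()["authorization"])
```

Two things the code makes visible: the credential scope binds a signature to one day, Region, and service, so a captured Authorization header cannot be replayed elsewhere or later (AWS also rejects x-amz-date values more than a few minutes off); and the payload hash is part of what is signed, so changing the body invalidates the signature. Leaked access keys break all of this, which is why long-term keys belong in as few places as possible and temporary STS credentials are preferred.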
Question 245
What are the benefits of using the AWS
Cloud for companies with customers in many countries around the world?
(Choose two.)
A) Companies can deploy applications in
multiple AWS Regions to reduce latency.
B) Amazon Translate
automatically translates third-party website interfaces into multiple
languages.
C) Amazon CloudFront has multiple edge locations
around the world to reduce latency.
D) Amazon Comprehend
allows users to build applications that can respond to user requests in
many languages.
E) Elastic Load Balancing can distribute
application web traffic to multiple AWS Regions around the world, which
reduces latency.
A) Companies can deploy applications in multiple AWS Regions
to reduce latency.
B) Amazon Translate automatically translates third-party
website interfaces into multiple languages.
C) Amazon CloudFront has multiple edge locations around the
world to reduce latency.
D) Amazon Comprehend allows users to build applications
that can respond to user requests in many languages.
E)
Elastic Load Balancing can distribute application web traffic to
multiple AWS Regions around the world, which reduces latency.
-A-
Mutli-region deployments reduce latency by allow closer
processing and serving non-static data without incurring the overhead of
long network hops.
(https://aws.amazon.com/blogs/apn/architecting-multi-region-saas-solutions-on-aws/)
-C-
When your web traffic is geo-dispersed, it is not always feasible, and certainly not cost effective, to replicate your entire infrastructure across the globe.
A content delivery network (CDN) lets you use its global network of edge locations to deliver a cached copy of web content such as videos, web pages and images to your customers. The CDN serves each request from the edge location nearest to the customer, which reduces response time, and throughput increases because the assets are delivered from cache. For dynamic data, many CDNs (CloudFront included) can be configured to fetch content from the origin servers.
Incorrect answers:
-B- Amazon Translate is a real service, but it does not automatically translate third-party website interfaces, and it is not an advantage of the AWS Cloud's global infrastructure. Amazon Translate is a neural machine translation service that delivers fast, high-quality, and affordable language translation. Neural machine translation is a form of language translation automation that uses deep learning models to deliver more accurate and more natural sounding translation than traditional statistical and rule-based translation algorithms.
-D- Amazon Comprehend is for analyzing text; it is not an advantage of the AWS Cloud's global infrastructure. Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find insights and relationships in text, with no machine learning experience required. Unstructured data such as customer emails, support tickets, product reviews, social media posts and advertising copy holds insight into customer sentiment; machine learning is particularly good at identifying specific items of interest inside large volumes of text (such as company names in analyst reports) and at learning the sentiment in language (negative reviews, or positive interactions with customer service agents), at almost limitless scale.
-E- Elastic Load Balancing distributes traffic within a single Region, across Availability Zones. Routing users to the nearest of several Regions is the job of Amazon Route 53 (latency-based or geolocation routing) or AWS Global Accelerator, not ELB."
Question 246
Which AWS service handles the deployment
details of capacity provisioning, load balancing, Auto Scaling, and
application health monitoring?
A) AWS Config
B)
AWS Elastic Beanstalk
C) Amazon Route 53
D)
Amazon CloudFront
A) AWS Config
B) AWS Elastic Beanstalk
C) Amazon Route 53
D) Amazon CloudFront
Upload your code and Elastic Beanstalk automatically handles the
deployment, from capacity provisioning, load balancing, auto-scaling to
application health monitoring. At the same time, you retain full control
over the AWS resources powering your application and can access the
underlying resources at any time."
Question 247
Which AWS service provides inbound and
outbound network ACLs to harden external connectivity to Amazon EC2?
A)
AWS IAM
B) Amazon Connect
C) Amazon VPC
D)
Amazon API Gateway
A) AWS IAM
B) Amazon Connect
C) Amazon VPC
D) Amazon API Gateway
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Two properties matter in practice. Network ACLs are stateless: return traffic (for example replies to a client's ephemeral ports 1024-65535) must be allowed explicitly in the opposite direction, or the connection fails even though the request was allowed. Rules are evaluated in ascending rule-number order, the first matching rule decides, and the trailing '*' rule denies anything unmatched, so a deny numbered below an allow wins. Security groups, by contrast, are stateful and apply at the instance (network interface) level.
Incorrect answers: IAM controls API permissions, not network traffic; Amazon Connect is a contact-centre service; API Gateway fronts APIs and is not where EC2 subnet traffic is filtered."
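To make the ordering and statelessness concrete, here is an added example (written for this page, not code from AWS or from the original answer) that simulates how a network ACL decides a packet. The rule set and addresses are constructed for the demo; the 5-tuple fields and the 'first match in rule-number order, then implicit deny' behaviour are the real NACL semantics.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    """One network ACL entry. Rule numbers decide evaluation order."""
    number: int
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str     # "allow" or "deny"


def evaluate(rules, protocol, port, address):
    """Return (action, rule_number) for one packet.

    Rules are tried in ascending rule-number order and the first match wins;
    if nothing matches, the implicit '*' rule denies the packet.
    """
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not rule.port_from <= port <= rule.port_to:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"


# Constructed sample rule set (not from any real account): corporate SSH is
# allowed by rule 100 before rule 110 denies SSH from everywhere else.
INBOUND = [
    NaclRule(100, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    NaclRule(110, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    NaclRule(120, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Network ACLs are stateless: replies to inbound connections leave on the
# client's ephemeral port, so the outbound list must allow that range.
OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


def tcp_session_allowed(inbound, outbound, client_ip, server_port, client_port):
    """A TCP exchange succeeds only if the request passes the inbound rules AND
    the reply passes the outbound rules; there is no connection tracking."""
    request, _ = evaluate(inbound, "tcp", server_port, client_ip)
    reply, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 22, "203.0.113.5"))       # ('allow', 100)
    print(evaluate(INBOUND, "tcp", 22, "198.51.100.7"))      # ('deny', 110)
    print(evaluate(INBOUND, "tcp", 80, "198.51.100.7"))      # ('deny', '*')
    print(tcp_session_allowed(INBOUND, OUTBOUND, "203.0.113.5", 22, 50123))  # True
    print(tcp_session_allowed(INBOUND, [], "203.0.113.5", 22, 50123))        # False
```

Swap the numbers of rules 100 and 110 and the corporate range is denied too, because the broader deny is now evaluated first; remove the outbound ephemeral-port rule and every inbound connection stalls. Both are the mistakes most often made when a NACL is "hardened" by hand.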
Question 248
When a company provisions web servers in
multiple AWS Regions, what is being increased?
A)
Coupling
B) Availability
C) Security
D)
Durability
A) Coupling
B) Availability
C) Security
D) Durability
High availability - In the event of resources failing
unexpectedly, protect against regional, data center, availability zone,
server, network and storage subsystem single points of failure to keep
your business running without downtime.
Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area. Unlike other cloud providers, who often define a region as a single data center, the multiple-AZ design of every AWS Region offers advantages for customers. Each AZ has independent power, cooling, and physical security and is connected via redundant, ultra-low-latency networks. AWS customers focused on high availability can design their applications to run in multiple AZs to achieve even greater fault tolerance. AWS infrastructure Regions meet the highest levels of security, compliance, and data protection.
Large scale
disaster recovery using AWS regions - Most organizations try to
implement High Availability (HA) instead of Disaster Recovery (DR) to
guard them against any downtime of services. In case of HA, we ensure
there exists a fallback mechanism for our services. The service that
runs in HA is handled by hosts running in different availability zones
but in the same geographical region. This approach, however, does not
guarantee that our business will be up and running in case the entire
region goes down. DR takes things to a completely new level, wherein you
need to be able to recover from a different region that’s separated by
over 250 miles. Our DR implementation is an Active/Passive model,
meaning that we always have minimum critical services running in
different regions, but a major part of the infrastructure is launched
and restored when required."
Question 249
The pay-as-you-go pricing model for AWS
services (choose two):
A) reduces capital
expenditures.
B) requires payment up front for AWS
services.
C) is relevant only for Amazon EC2, Amazon S3, and
Amazon RDS.
D) reduces operational expenditures.
A) reduces capital expenditures.
B) requires payment up front for AWS services.
C)
is relevant only for Amazon EC2, Amazon S3, and Amazon RDS.
D) reduces operational expenditures.
Capex (capital expenditures) is reduced to practically zero because AWS owns the data centres, network infrastructure and the other up-front assets.
Opex (operational expenditures) is generally reduced because AWS passes on savings from its huge economies of scale.
Incorrect answers: pay-as-you-go means no up-front payment (B); reservation pricing is optional, and the model applies to all AWS services, not only EC2, S3 and RDS (C)."
Question 250
Under the AWS shared responsibility
model, AWS is responsible for which security-related task?
A)
Lifecycle management of IAM credentials
B) Physical security
of global infrastructure
C) Encryption of Amazon EBS
volumes
D) Firewall configuration
A) Lifecycle management of IAM credentials
B) Physical security of global infrastructure
C) Encryption of Amazon EBS volumes
D)
Firewall configuration
Only AWS can provide access to its physical infrastructure.
AWS
provides physical data center access only to approved employees. All
employees who need data center access must first apply for access and
provide a valid business justification. These requests are granted based
on the principle of least privilege, where requests must specify to
which layer of the data center the individual needs access, and are
time-bound. Requests are reviewed and approved by authorized personnel,
and access is revoked after the requested time expires. Once granted
admittance, individuals are restricted to areas specified in their
permissions."
Question 251
Under the AWS shared responsibility
model, which of the following is an example of security in the AWS
Cloud?
A) Managing edge locations
B)
Physical security
C) Firewall configuration
D)
Global infrastructure
A) Managing edge locations
B) Physical security
C) Firewall configuration
D) Global infrastructure
'Security in the Cloud' relates to customer security like
configuring firewalls.
'Security of the Cloud' relates to AWS
security such as physical access to infrastructure.
Security
and Compliance is a shared responsibility between AWS and the customer.
This shared model can help relieve the customer’s operational burden as
AWS operates, manages and controls the components from the host
operating system and virtualization layer down to the physical security
of the facilities in which the service operates. The customer assumes
responsibility and management of the guest operating system (including
updates and security patches), other associated application software as
well as the configuration of the AWS provided security group firewall.
Customers should carefully consider the services they choose as their
responsibilities vary depending on the services used, the integration of
those services into their IT environment, and applicable laws and
regulations. The nature of this shared responsibility also provides the
flexibility and customer control that permits the deployment."
Question 252
How can an AWS user with an AWS Basic
Support plan obtain technical assistance from AWS (choose two)?
A)
AWS Senior Support Engineers
B) AWS Technical Account
Managers
C) AWS Trusted Advisor
D) AWS
Discussion Forums
A) AWS Senior Support Engineers
B) AWS Technical
Account Managers
C) AWS Trusted Advisor
D) AWS Discussion Forums
Basic Support is included for all AWS customers and includes:
-Customer
Service and Communities - 24x7 access to customer service,
documentation, whitepapers, and support forums.
-AWS Trusted
Advisor - Access to the 7 core Trusted Advisor checks and guidance to
provision your resources following best practices to increase
performance and improve security.
-AWS Personal Health Dashboard -
A personalized view of the health of AWS services, and alerts when your
resources are impacted.
Incorrect answers:
-A-Support
Engineers are only available to Business and Enterprise support
customers
-B-Technical Account Managers are only available to
Enterprise support customers"
Question 253
Which of the following are pillars of the
AWS Well-Architected Framework? (Choose two.)
A)
Multiple Availability Zones
B) Performance efficiency
C)
Security
D) Encryption usage
E) High
availability
A) Multiple Availability Zones
B) Performance efficiency
C) Security
D)
Encryption usage
E) High availability
The pillars according to AWS at the time this question was written were:
1- Operational excellence
2- Security
3- Reliability
4- Performance efficiency
5- Cost optimization
A sixth pillar, Sustainability, was added in December 2021. Multiple Availability Zones, encryption and high availability are practices recommended within the pillars, not pillars themselves."
Question 254
After selecting an Amazon EC2 Dedicated
Host reservation, which pricing option would provide the largest
discount?
A) No upfront payment
B) Hourly
on-demand payment
C) Partial upfront payment
D)
All upfront payment
A) No upfront payment
B) Hourly on-demand payment
C)
Partial upfront payment
D) All upfront payment
Dedicated Host Reservations offer the same three payment options as Standard and Convertible Reserved Instances: No Upfront, Partial Upfront and All Upfront. With the All Upfront option you pay for the entire term with one payment, and this option provides the largest discount compared to On-Demand pricing; Partial Upfront gives a smaller discount and No Upfront the smallest. Hourly on-demand payment (B) carries no reservation discount at all."
Question 255
What is an advantage of deploying an
application across multiple Availability Zones?
A)
There is a lower risk of service failure if a natural disaster causes a
service disruption in a given AWS Region.
B) The application
will have higher availability because it can withstand a service
disruption in one Availability Zone.
C) There will be better
coverage as Availability Zones are geographically distant and can serve
a wider area.
D) There will be decreased application latency
that will improve the user experience.
A) There is a lower risk of service failure if a natural disaster
causes a service disruption in a given AWS Region.
B) The application will have higher availability because it
can withstand a service disruption in one Availability Zone.
C) There will be better coverage as Availability Zones are
geographically distant and can serve a wider area.
D) There
will be decreased application latency that will improve the user
experience.
Unlike other technology infrastructure providers, each AWS Region has multiple AZs. As we've learned from running the leading cloud infrastructure technology platform since 2006, customers who care about the availability and performance of their applications want to deploy these applications across multiple AZs in the same region for fault tolerance and low latency. AZs are connected to each other with fast, private fiber-optic networking, enabling you to easily architect applications that automatically fail over between AZs without interruption.
Notes:
-Availability Zones are multiple, isolated locations within each Region. If a natural disaster affects a Region then it may impact all Availability Zones. If the entire Region fails and you are only deployed to that one Region, your availability will be compromised (so A is wrong: that protection needs a second Region).
-Multi-AZ deployment does not by itself reduce user-facing latency (D): the AZs of a Region sit close together, so latency to users is decided by Region placement and edge caching, not by the number of AZs."
Question 256
A Cloud Practitioner is asked how to
estimate the cost of using a new application on AWS. What is the MOST
appropriate response?
A) Inform the user that AWS
pricing allows for on-demand pricing.
B) Direct the user to
the AWS Pricing Calculator for an estimate.
C) Use Amazon
QuickSight to analyze current spending on-premises.
D) Use
Amazon AppStream 2.0 for real-time pricing analytics.
A) Inform the user that AWS pricing allows for on-demand
pricing.
B) Direct the user to the AWS Pricing Calculator for an
estimate.
C) Use Amazon QuickSight to analyze current spending
on-premises.
D) Use Amazon AppStream 2.0 for real-time
pricing analytics.
The AWS Pricing Calculator is an easy-to-use online tool that
enables you to estimate the monthly cost of AWS services for your use
case based on your expected usage. The AWS Pricing Calculator is
continuously updated with the latest pricing for all AWS services in all
Regions."
Question 257
A company wants to migrate its
applications to a VPC on AWS. These applications will need to access
on-premises resources. What combination of actions will enable the
company to accomplish this goal? (Choose two.)
A) Use
the AWS Service Catalog to identify a list of on-premises resources that
can be migrated.
B) Build a VPN connection between an
on-premises device and a virtual private gateway in the new VPC.
C)
Use Amazon Athena to query data from the on-premises database
servers.
D) Connect the company's on-premises data center to
AWS using AWS Direct Connect.
E) Leverage Amazon CloudFront
to restrict access to static web content provided through the company's
on-premises web servers.
A) Use the AWS Service Catalog to identify a list of on-premises
resources that can be migrated.
B) Build a VPN connection between an on-premises device and
a virtual private gateway in the new VPC.
C) Use Amazon Athena to query data from the on-premises
database servers.
D) Connect the company's on-premises data center to AWS
using AWS Direct Connect.
E) Leverage Amazon CloudFront to restrict access to static
web content provided through the company's on-premises web servers.
To provide connectivity between AWS and on-premises networks.
Amazon VPC provides multiple network connectivity options for you to leverage depending on your current network designs and requirements. These connectivity options include leveraging either the internet (VPN) or a dedicated private AWS Direct Connect connection as the network backbone and terminating the connection into either AWS or user-managed network endpoints.
Incorrect answers:
-A- The purpose attributed to AWS Service Catalog in option A is not what the service does. AWS Service Catalog - Create, organize, and govern your curated catalog of AWS products. This service allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage deployed IT services and your applications, resources, and metadata. This helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.
-C- Amazon Athena is a query service, not a network connectivity option; reaching an on-premises database from AWS would itself depend on one of the connections in B or D.
-E- Amazon CloudFront is a content delivery network; it caches and serves content but does not provide network connectivity between a VPC and on-premises resources."
Question 258
A web application running on AWS has been
spammed with malicious requests from a recurring set of IP addresses.
Which AWS service can help secure the application and block the
malicious traffic?
A) AWS IAM
B) Amazon
GuardDuty
C) Amazon Simple Notification Service (Amazon
SNS)
D) AWS WAF
A) AWS IAM
B) Amazon GuardDuty
C) Amazon
Simple Notification Service (Amazon SNS)
D) AWS WAF
AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. You can use AWS WAF to define customizable web security rules that control which traffic accesses your web applications.
AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can monitor many attributes of traffic, such as IP addresses, URI strings, HTTP headers and HTTP methods.
For the scenario in the question (a recurring set of source addresses), the direct fix is an IP set containing those addresses or CIDR ranges, referenced by a rule with a Block action in the web ACL attached to the CloudFront distribution, Application Load Balancer or API Gateway stage. A rate-based rule alongside it blocks new sources that exceed a request threshold within a 5-minute window without anyone having to add them by hand.
If you use AWS Shield Advanced, you can use AWS WAF at no extra cost for those protected resources and can engage the Shield Response Team (SRT, formerly the DDoS Response Team) to create WAF rules.
Incorrect answers: IAM controls who can call AWS APIs, not HTTP traffic to an application; GuardDuty detects threats from logs and can report the malicious sources but does not block traffic; SNS only delivers notifications."
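The following added example (written for this page; it is not AWS WAF code and not part of the original answer) models how a web ACL with an IP-set block rule and a rate-based rule decides on a stream of requests. The request sample, the rule names, the CIDR and the small rate limit are all constructed for the demo; the ordering-by-priority, first-match and 5-minute-window behaviour mirror the real service.

```python
import ipaddress
from collections import defaultdict, deque


class IpSetBlockRule:
    """Blocks requests whose source address falls in a fixed set of CIDRs,
    the counterpart of a WAF IP set referenced by a rule with action Block."""

    def __init__(self, name, cidrs):
        self.name = name
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def matches(self, request, now):
        ip = ipaddress.ip_address(request["ip"])
        return any(ip in net for net in self.networks)


class RateBasedBlockRule:
    """Blocks a source once it exceeds `limit` requests in the trailing
    window (AWS WAF rate-based rules evaluate over a 5-minute window)."""

    WINDOW_SECONDS = 300

    def __init__(self, name, limit):
        self.name = name
        self.limit = limit
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window

    def matches(self, request, now):
        stamps = self.hits[request["ip"]]
        stamps.append(now)
        while stamps and now - stamps[0] > self.WINDOW_SECONDS:
            stamps.popleft()
        return len(stamps) > self.limit


class WebAcl:
    """Rules are evaluated in priority order; the first match decides, and
    the default action applies when nothing matches."""

    def __init__(self, rules, default_action="allow"):
        self.rules = rules
        self.default_action = default_action

    def evaluate(self, request, now):
        for rule in self.rules:
            if rule.matches(request, now):
                return "block", rule.name
        return self.default_action, None


def build_acl():
    """Fresh ACL per replay, because the rate-based rule keeps per-source state."""
    return WebAcl([
        IpSetBlockRule("BlockKnownSpammers", ["192.0.2.0/24"]),   # constructed range
        RateBasedBlockRule("RateLimitLogin", limit=5),            # illustrative limit
    ])


def replay(acl, requests):
    """Run requests through the ACL; returns a list of (ip, action, rule)."""
    return [(r["ip"],) + acl.evaluate(r, r["t"]) for r in requests]


def blocked_counts(results):
    """Number of blocked requests per rule name."""
    counts = defaultdict(int)
    for _, action, rule in results:
        if action == "block":
            counts[rule] += 1
    return dict(counts)


# Constructed traffic sample (not real logs): a known-bad range, a noisy
# newcomer that trips the rate limit, and a legitimate client.
REQUESTS = (
    [{"ip": "192.0.2.77", "t": t, "path": "/login"} for t in range(3)]
    + [{"ip": "198.51.100.9", "t": t, "path": "/login"} for t in range(7)]
    + [{"ip": "203.0.113.5", "t": 10, "path": "/"}]
)


if __name__ == "__main__":
    for entry in replay(build_acl(), REQUESTS):
        print(entry)
```

One caveat the model makes visible: the rules key on whatever address the ACL sees as the source. Behind CloudFront or an ALB that is the connecting client, but if another proxy sits in front of them the source becomes the proxy, and the IP-set and rate-based rules have to be configured to read the forwarded address from a header (X-Forwarded-For) instead, or they will block or count the proxy.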
Question 259
Treating infrastructure as code in the
AWS Cloud allows users to:
A) automate migration of
on-premises hardware to AWS data centers.
B) let a third
party automate an audit of the AWS infrastructure.
C) turn
over application code to AWS so it can run on the AWS infrastructure.
D)
automate the infrastructure provisioning process.
A) automate migration of on-premises hardware to AWS data
centers.
B) let a third party automate an audit of the AWS
infrastructure.
C) turn over application code to AWS so it
can run on the AWS infrastructure.
D) automate the infrastructure provisioning process.
AWS CloudFormation gives you an easy way to model a collection of
related AWS and third-party resources, provision them quickly and
consistently, and manage them throughout their lifecycles, by treating
infrastructure as code. A CloudFormation template describes your desired
resources and their dependencies so you can launch and configure them
together as a stack. You can use a template to create, update, and
delete an entire stack as a single unit, as often as you need to,
instead of managing resources individually. You can manage and provision
stacks across multiple AWS accounts and AWS Regions."
Question 260
A company requires a dedicated network
connection between its on-premises servers and the AWS Cloud. Which AWS
service should be used?
A) AWS VPN
B) AWS
Direct Connect
C) Amazon API Gateway
D) Amazon
Connect
A) AWS VPN
B) AWS Direct Connect
C) Amazon API Gateway
D) Amazon Connect
Both AWS VPN and AWS Direct Connect give connections between the on-premises servers and the AWS Cloud; however, Direct Connect is a dedicated solution (a private physical connection terminated at a Direct Connect location, versus an encrypted VPN tunnel over the public internet).
…
You can use AWS Direct Connect to establish a private virtual interface from your on-premises network directly to your Amazon VPC, providing you with a private, high-bandwidth network connection between your network and your VPC. With multiple virtual interfaces, you can even establish private connectivity to multiple VPCs while maintaining network isolation.
Note: Direct Connect traffic is private but not encrypted by default; organizations that need encryption over the dedicated link run an AWS Site-to-Site VPN over it or use MACsec on supported dedicated connections."
Question 261
Which AWS service can be used to query
stored datasets directly from Amazon S3 using standard SQL?
A)
AWS Glue
B) AWS Data Pipeline
C) Amazon
CloudSearch
D) Amazon Athena
A) AWS Glue
B) AWS Data Pipeline
C)
Amazon CloudSearch
D) Amazon Athena
Amazon Athena is defined as "an interactive query service that makes it easy to analyse data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL." This is very similar to other SQL query engines, such as Apache Drill. Athena's primary data source is Amazon S3 (Athena Federated Query can additionally reach other sources through Lambda-based connectors, but the S3 case is what the question targets). Athena is able to query a variety of file formats, including, but not limited to, CSV, Parquet, JSON and ORC.
Incorrect answers: AWS Glue catalogs and transforms data (its Data Catalog is where Athena reads table definitions from), AWS Data Pipeline orchestrates data movement, and Amazon CloudSearch is a managed search service."
Question 262
AWS CloudFormation is designed to help
the user:
A) model and provision resources.
B)
update application code.
C) set up data lakes.
D)
create reports for billing.
A) model and provision resources.
B) update application code.
C) set up data
lakes.
D) create reports for billing.
AWS CloudFormation provides a common language for you to model and
provision AWS and third party application resources in your cloud
environment. AWS CloudFormation allows you to use programming languages
or a simple text file to model and provision, in an automated and secure
manner, all the resources needed for your applications across all
regions and accounts. This gives you a single source of truth for your
AWS and third party resources."
Question 263
A Cloud Practitioner must determine if
any security groups in an AWS account have been provisioned to allow
unrestricted access for specific ports. What is the SIMPLEST way to do
this?
A) Review the inbound rules for each security
group in the Amazon EC2 management console to check for port
0.0.0.0/0.
B) Run AWS Trusted Advisor and review the
findings.
C) Open the AWS IAM console and check the inbound
rule filters for open access.
D) In AWS Config, create a
custom rule that invokes an AWS Lambda function to review rules for
inbound access.
A) Review the inbound rules for each security group in the Amazon
EC2 management console to check for port 0.0.0.0/0.
B) Run AWS Trusted Advisor and review the findings.
C) Open the AWS IAM console and check the inbound rule
filters for open access.
D) In AWS Config, create a custom
rule that invokes an AWS Lambda function to review rules for inbound
access.
Trusted Advisor Security Summary - Improve the security of your application by closing gaps, enabling various AWS security features, and examining your permissions:
-Security groups - Specific ports unrestricted (free)
--Checks security groups for rules that allow unrestricted access (0.0.0.0/0, and ::/0 for IPv6) to specific ports.
--Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).
--The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.
--If you have intentionally configured your security groups in this manner, we recommend using additional security measures to secure your infrastructure (such as a host firewall like iptables).
Trusted Advisor is the simplest option because the check already exists and runs across the whole account. Option A is the same check done by hand, group by group (and 0.0.0.0/0 is a source range, not a port); option C is wrong because security groups are managed in EC2/VPC, not IAM; option D works (AWS Config also ships managed rules for open security groups) but it is not the simplest."
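For readers who want the same check without waiting on Trusted Advisor, here is an added example (written for this page, not Trusted Advisor's own logic or code from the original answer) that walks security group rules in the shape returned by the EC2 describe_security_groups API and flags rules open to the world. The sample groups are constructed, and the red/green port lists are an assumption that approximates the Trusted Advisor classification rather than a copy of it.

```python
import ipaddress

# Port classification approximating the Trusted Advisor check (assumption,
# not copied from the AWS check definition): red for ports that expose
# databases, file transfer or remote desktop; green for ports that are
# normally meant to be public; everything else yellow.
HIGH_RISK_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
COMMONLY_PUBLIC_PORTS = {25, 80, 443, 465}


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a source that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(permission):
    """Ports covered by one IpPermissions entry; protocol -1 means all."""
    if permission.get("IpProtocol") == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def classify(low, high):
    """Risk colour for a port range that is open to the world."""
    if any(low <= p <= high for p in HIGH_RISK_PORTS):
        return "red"
    if all(p in COMMONLY_PUBLIC_PORTS for p in range(low, high + 1)):
        return "green"
    return "yellow"


def audit_security_groups(groups):
    """Return one finding per inbound rule whose source is unrestricted.

    `groups` has the shape of describe_security_groups()["SecurityGroups"].
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = [s for s in sources if is_unrestricted(s)]
            if not open_sources:
                continue
            low, high = port_range(perm)
            findings.append({
                "group": group["GroupId"],
                "protocol": perm.get("IpProtocol"),
                "ports": (low, high),
                "sources": open_sources,
                "risk": classify(low, high),
            })
    return findings


def summarize(findings):
    """Count findings per risk level, e.g. {'red': 2, 'yellow': 1, 'green': 2}."""
    counts = {}
    for f in findings:
        counts[f["risk"]] = counts.get(f["risk"], 0) + 1
    return counts


# Constructed sample in the describe_security_groups response shape
# (group IDs are placeholders, not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

Against a real account the input is boto3's `ec2.describe_security_groups()["SecurityGroups"]` for each Region; note that the check looks only at CIDR sources, so a rule whose source is another security group or a prefix list is never reported, which matches how "unrestricted" is defined here but is worth remembering when a prefix list itself contains 0.0.0.0/0.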
Question 264
What are the benefits of developing and
running a new application in the AWS Cloud compared to on-premises?
(Choose two.)
A) AWS automatically distributes the
data globally for higher durability.
B) AWS will take care
of operating the application.
C) AWS makes it easy to
architect for high availability.
D) AWS can easily
accommodate application demand changes.
E) AWS takes care of
application security patching.
A) AWS automatically distributes the data globally for higher
durability.
B) AWS will take care of operating the
application.
C) AWS makes it easy to architect for high
availability.
D) AWS can easily accommodate application demand
changes.
E) AWS takes care of application security patching.
Key benefits of cloud computing include:
-C-
High
availability - AWS delivers the highest network availability of any
cloud provider. Each region is fully isolated and comprised of multiple
AZs, which are fully isolated partitions of our infrastructure. To
better isolate any issues and achieve high availability, you can
partition applications across multiple AZs in the same region. In
addition, AWS control planes and the AWS management console are
distributed across regions, and include regional API endpoints, which
are designed to operate securely for at least 24 hours if isolated from
the global control plane functions without requiring customers to access
the region or its API endpoints via external networks during any
isolation.
-D-
Elasticity – In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible." Some cloud solutions can also be automatically adjusted to meet these needs. This means you can set them up to scale up or down automatically based on certain conditions, like when your cloud solution is running out of processing power.
Incorrect answers:
-A- Data is stored in the Region you choose; replicating it to other Regions (for example S3 Cross-Region Replication) is something you configure, not something AWS does automatically.
-B- and -E- Under the shared responsibility model, operating the application and patching it are the customer's responsibility; AWS patches the underlying infrastructure and the managed runtime of services such as RDS or Lambda, but not the customer's application code."
Question 265
A user needs an automated security
assessment report that will identify unintended network access to Amazon
EC2 instances and vulnerabilities on those instances. Which AWS service
will provide this assessment report?
A) EC2 security
groups
B) AWS Config
C) Amazon Macie
D)
Amazon Inspector
A) EC2 security groups
B) AWS Config
C)
Amazon Macie
D) Amazon Inspector
Amazon Inspector is an automated security assessment service that
helps improve the security and compliance of applications deployed on
AWS. Amazon Inspector automatically assesses applications for exposure,
vulnerabilities, and deviations from best practices. After performing an
assessment, Amazon Inspector produces a detailed list of security
findings prioritized by level of severity. These findings can be
reviewed directly or as part of detailed assessment reports which are
available via the Amazon Inspector console or API. Amazon Inspector
security assessments help you check for unintended network accessibility
of your Amazon EC2 instances and for vulnerabilities on those EC2
instances. Amazon Inspector assessments are offered to you as
pre-defined rules packages mapped to common security best practices and
vulnerability definitions. Examples of built-in rules include checking
for access to your EC2 instances from the internet, remote root login
being enabled, or vulnerable software versions installed. These rules
are regularly updated by AWS security researchers.
Incorrect answers:
-B- AWS Config is close, but it evaluates resource configuration against rules (for example "no security group allows unrestricted SSH") and records configuration history; it does not inspect the software running on the instances for vulnerabilities or work out whether an instance is actually reachable from the internet, which is what the question asks for. Data from AWS Config enables you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses. Changes to your resource configurations can trigger Amazon Simple Notification Service (SNS) notifications, which can be sent to your security team to review and take action. After a potential security event, Config enables you to review the configuration history of your resources and examine your security posture.
-C- Amazon Macie classifies sensitive data in Amazon S3; it does not assess EC2 instances.
Note: the description above is of Amazon Inspector Classic (an agent, scheduled assessment runs and rules packages). The current Amazon Inspector, re-launched in 2021, continuously scans EC2 instances, container images in Amazon ECR and AWS Lambda functions for software vulnerabilities and unintended network exposure, without scheduled assessment runs."
Question 266
How can a company isolate the costs of
production and non-production workloads on AWS?
A)
Create Identity and Access Management (IAM) roles for production and
non-production workloads.
B) Use different accounts for
production and non-production expenses.
C) Use Amazon EC2
for non-production workloads and other services for production
workloads.
D) Use Amazon CloudWatch to monitor the use of
services.
A) Create Identity and Access Management (IAM) roles for
production and non-production workloads.
B) Use different accounts for production and non-production
expenses.
C) Use Amazon EC2 for non-production workloads and other
services for production workloads.
D) Use Amazon CloudWatch
to monitor the use of services.
Separate AWS accounts give a hard cost boundary: with consolidated billing in AWS Organizations every charge is attributed to the account that incurred it, so production and non-production spend can be read straight off the bill. IAM roles (A) control permissions, not billing, and CloudWatch (D) monitors usage metrics, not cost attribution; cost allocation tags add a finer-grained breakdown within an account but do not replace the account boundary.
Given that most companies have different policy requirements for production workloads, infrastructure and security can have nested organizational units (OUs) for non-production (SDLC - Software Development Life Cycle) and production (Prod). Accounts in the SDLC OU host non-production workloads and therefore should not have production dependencies from other accounts.
An organizational unit (OU) is a logical
grouping of accounts in your AWS organization. OUs enable you to
organize your accounts into a hierarchy, and make it easier for you to
apply management controls. AWS Organizations policies are what you use
to apply such controls. A Service Control Policy (SCP) is a policy that
defines the AWS service actions, such as Amazon EC2 run instance, that
accounts in your organization can perform.
More Info:
https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/"
Question 267
Where can users find a catalog of
AWS-recognized providers of third-party security solutions?
A)
AWS Service Catalog
B) AWS Marketplace
C) AWS
Quick Start
D) AWS CodeDeploy
A) AWS Service Catalog
B) AWS Marketplace
C) AWS Quick Start
D) AWS CodeDeploy
AWS Marketplace is a curated digital catalog customers can use to
find, buy, deploy, and manage third-party software, data, and services
that customers need to build solutions and run their businesses. AWS
Marketplace includes thousands of software listings from popular
categories such as security, networking, storage, machine learning,
business intelligence, database, as well as related professional
services to help you manage and support those solutions. AWS Marketplace
also simplifies software licensing and procurement with flexible pricing
options and multiple deployment methods. In addition, AWS Marketplace
includes data products available from AWS Data Exchange.
Customers
can quickly launch preconfigured software with just a few clicks, and
choose software solutions in Amazon Machine Images (AMIs), software as a
service (SaaS), and other formats. You can browse and find professional
services related to the software. You can browse and subscribe to data
products. Flexible pricing options include free trial, hourly, monthly,
annual, multi-year, and BYOL, and get billed from one source. AWS
handles billing and payments, and charges appear on customers’ AWS
bill.
Every software product on AWS Marketplace has been
through a curation process.
Incorrect answers:
-AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage deployed IT services and your applications, resources, and metadata. This helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need. – Very close to being the correct answer; however, it is a catalog the customer curates from existing AWS services and AWS Marketplace products, not a catalog of AWS-recognized third-party providers. I think likely the answer they are going for is simply just AWS Marketplace."
Question 268
A Cloud Practitioner needs to store data
for 7 years to meet regulatory requirements. Which AWS service will meet
this requirement at the LOWEST cost?
A) Amazon S3
B)
AWS Snowball
C) Amazon Redshift
D) Amazon S3
Glacier
A) Amazon S3
B) AWS Snowball
C) Amazon
Redshift
D) Amazon S3 Glacier
Glacier provides cheap long-term storage. It is often used to store data we want to keep just in case, rather than deleting it.
Amazon S3 Glacier and S3 Glacier Deep Archive are secure, durable, and extremely low-cost Amazon S3 storage classes for data archiving and long-term backup. They are designed to deliver 99.999999999% durability, and provide comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements. Customers can store data for as little as $1 per terabyte per month, a significant saving compared to on-premises solutions. To keep costs low yet suitable for varying retrieval needs, Amazon S3 Glacier provides three options for access to archives, from a few minutes to several hours, and S3 Glacier Deep Archive provides two access options ranging from 12 to 48 hours.
Notes:
-Since late 2021 there are three Glacier storage classes: S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval (the former S3 Glacier) and S3 Glacier Deep Archive; Deep Archive is the cheapest and fits a 7-year retention requirement.
-For a regulatory retention requirement, low cost is only half the answer: enable S3 Object Lock in compliance mode with a 7-year retention period so that the objects cannot be deleted or overwritten before the period ends, not even by the account root user.
-AWS Snowball (B) is a data transfer device, not a storage service, and Amazon Redshift (C) is a data warehouse priced for query performance, not archival."
Question 269
What are the immediate benefits of using
the AWS Cloud? (Choose two.)
A) Increased IT staff.
B)
Capital expenses are replaced with variable expenses.
C)
User control of infrastructure.
D) Increased agility.
E)
AWS holds responsibility for security in the cloud.
A) Increased IT staff.
B) Capital expenses are replaced with variable
expenses.
C) User control of infrastructure.
D) Increased agility.
E) AWS holds responsibility for security in the cloud.
-B-
Trade capital expense for variable expense – Instead of
having to invest heavily in data centers and servers before you know how
you’re going to use them, you can pay only when you consume computing
resources, and pay only for how much you consume.
-D-
Increase
speed and agility – In a cloud computing environment, new IT resources
are only a click away, which means that you reduce the time to make
those resources available to your developers from weeks to just minutes.
This results in a dramatic increase in agility for the organization,
since the cost and time it takes to experiment and develop is
significantly lower.
Incorrect answers:
-A- Cloud adoption reduces the staff needed to run physical infrastructure rather than increasing it.
-C- AWS infrastructure is not controlled by the user; the customer controls what runs on top of it.
-E- Under the shared responsibility model AWS is responsible for security OF the cloud; security IN the cloud (data, identities, guest operating systems, firewall configuration) remains the customer's responsibility."
Question 270
Which security service automatically recognizes and classifies sensitive data or intellectual property on AWS?
A) Amazon GuardDuty
B) Amazon Macie
C) Amazon Inspector
D) AWS Shield
Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property. It provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.
Question 271
What is the purpose of AWS Storage Gateway?
A) It ensures on-premises data storage is 99.999999999% durable.
B) It transports petabytes of data to and from AWS.
C) It connects to multiple Amazon EC2 instances.
D) It connects on-premises data storage to the AWS Cloud.
Moving data to the cloud is not quite as simple as flipping a switch. For companies that have managed their own data centers or server rooms for decades, there are a few steps to consider, and it's not always wise to pull the plug on an internal infrastructure quite so quickly. If a startup uses on-premises business servers and then experiences unexpected growth, abandoning those servers doesn't make sense (even if the long-term plan is to do exactly that).
AWS Storage Gateway is a way to bridge this gap for companies of any size. It's a hybrid storage option that connects on-premises storage, including age-old tape backup systems, to the cloud in a way that also provides one console to access all storage configurations.
Question 272
What should users do if they want to install an application in geographically isolated locations?
A) Install the application using multiple internet gateways.
B) Deploy the application to an Amazon VPC.
C) Deploy the application to multiple AWS Regions.
D) Configure the application using multiple NAT gateways.
AWS has the concept of a Region, which is a physical location around the world where we cluster data centers. We call each group of logical data centers an Availability Zone. Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area.
Question 273
A system in the AWS Cloud is designed to withstand the failure of one or more components. What is this an example of?
A) Elasticity
B) Availability
C) Scalability
D) Agility
Availability - The percentage of time that a workload is available for use, where "available for use" means that it performs its agreed function when required. Availability (also known as service availability) is a commonly used metric to quantitatively measure reliability.
In any system of reasonable complexity, it is expected that failures will occur. Reliability requires that your workload be aware of failures as they occur and take action to avoid impact on availability. Workloads must be able to both withstand failures and automatically repair issues.
True high availability means that a resource is available from at least three different availability zones, however AWS currently only guarantees that a resource can be reached at two different availability zones.
Question 274
A Cloud Practitioner needs a consistent and dedicated connection between AWS resources and an on-premises system. Which AWS service can fulfill this requirement?
A) AWS Direct Connect
B) AWS VPN
C) Amazon Connect
D) AWS Data Pipeline
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
Question 275
Within the AWS shared responsibility model, who is responsible for security and compliance?
A) The customer is responsible.
B) AWS is responsible.
C) AWS and the customer share responsibility.
D) AWS shares responsibility with the relevant governing body.
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
The customer should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
Question 276
To use the AWS CLI, users are required to generate:
A) a password policy.
B) an access/secret key.
C) a managed policy.
D) an API key.
For general use, the aws configure command is the fastest way to set up your AWS CLI installation. When you enter this command, the AWS CLI prompts you for four pieces of information:
-Access key ID
-Secret access key
-AWS Region
-Output format
The AWS CLI stores this information in a profile (a collection of settings) named default in the credentials file. By default, the information in this profile is used when you run an AWS CLI command that doesn't explicitly specify a profile to use.
Question 277
Which AWS service is used to provide encryption for Amazon EBS?
A) AWS Certificate Manager
B) AWS Systems Manager
C) AWS KMS
D) AWS Config
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Question 278
How does AWS charge for AWS Lambda usage once the free tier has been exceeded? (Choose two.)
A) By the time it takes for the Lambda function to execute.
B) By the number of versions of a specific Lambda function.
C) By the number of requests made for a given Lambda function.
D) By the programming language that is used for the Lambda function.
E) By the total number of Lambda functions in an AWS account.
With AWS Lambda, you pay only for what you use. You are charged based on the number of requests for your functions and the duration, the time it takes for your code to execute.
Question 279
Which of the following describes the relationships among AWS Regions, Availability Zones, and edge locations? (Choose two.)
A) There are more AWS Regions than Availability Zones.
B) There are more edge locations than AWS Regions.
C) An edge location is an Availability Zone.
D) There are more AWS Regions than edge locations.
E) There are more Availability Zones than AWS Regions.
AWS has:
-25 geographic regions (with plans to launch five more AWS Regions)
-80 Availability Zones (with plans to launch 15 more)
-177 Edge Locations and 11 Regional Edge Caches in 70 cities across 31 countries.
A Region is a geographical area that has two or more Availability Zones. Each Region is completely independent.
…
An Availability Zone (AZ) is an area with one or more discrete Data Centres (buildings filled with servers), each with redundant power, networking, and connectivity, housed in separate facilities. If there is more than one data centre, they are counted as one AZ because they are located close together. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.
…
An Edge Location is an endpoint used for caching content. They are located in most of the major cities around the world and are specifically used by CloudFront to distribute AWS content closer to end-users to reduce latency.
Question 280
What does AWS Shield Standard provide?
A) WAF rules
B) DDoS protection
C) Identity and Access Management (IAM) permissions and access to resources
D) Data encryption
AWS Shield Standard provides protection for all AWS customers from common, most frequently occurring network and transport layer DDoS attacks that target your web site or application at no additional charge.
Question 281
A company wants to build its new application workloads in the AWS Cloud instead of using on-premises resources. What expense can be reduced using the AWS Cloud?
A) The cost of writing custom-built Java or Node.js code
B) Penetration testing for security
C) Hardware required to support new applications
D) Writing specific test cases for third-party applications
The cloud allows you to trade high initial CapEx (such as data centers and physical servers) for a variable OpEx model, and only pay for IT as you consume it. Plus, the variable OpEx expenses are much lower than what you would pay to do it yourself because of the massive economies of scale that AWS has created.
Question 282
What does AWS Marketplace allow users to do? (Choose two.)
A) Sell unused Amazon EC2 Spot Instances.
B) Sell solutions to other AWS users.
C) Buy third-party software that runs on AWS.
D) Purchase AWS security and compliance documents.
E) Order AWS Snowball.
AWS Marketplace is a curated digital catalog that makes it easy for customers to find, buy, consume, and manage third-party software, services, and data that customers need to build solutions and run their businesses. AWS Marketplace includes thousands of software listings from popular categories such as security, networking, storage, machine learning, business intelligence, database, and DevOps, and simplifies software licensing and procurement with flexible pricing options and multiple deployment methods.
AWS Marketplace features many software categories including databases, application servers, testing tools, monitoring tools, content management, and business intelligence. You can select commercial software from well-known vendors, as well as many widely used open source offerings.
...
The AWS Marketplace helps enable qualified partners to market and sell their software to AWS customers. AWS Marketplace is an online software store that helps customers find, buy, and immediately start using software and services that run on AWS.
AWS Marketplace is designed for Independent Software Vendors (ISVs), Value-Added Resellers (VARs), and Systems Integrators (SIs) who have software products they want to offer to customers in the cloud. Partners use AWS Marketplace to be up and running in days and offer their software products to customers around the world.
Question 283
What does it mean if a user deploys a hybrid cloud architecture on AWS?
A) All resources run using on-premises infrastructure.
B) Some resources run on-premises and some run in a colocation center.
C) All resources run in the AWS Cloud.
D) Some resources run on-premises and some run in the AWS Cloud.
Hybrid cloud – A mix of public and private cloud, i.e. some resources are deployed privately (e.g. in a private on-premises data centre) and some are on the public cloud (e.g. AWS).
Question 284
Which AWS service allows users to identify the changes made to a resource over time?
A) Amazon Inspector
B) AWS Config
C) AWS Service Catalog
D) AWS IAM
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
Question 285
How can a company reduce its Total Cost of Ownership (TCO) using AWS?
A) By minimizing large capital expenditures
B) By having no responsibility for third-party license costs
C) By having no operational expenditures
D) By having AWS manage applications
AWS helps you reduce Total Cost of Ownership (TCO) by reducing the need to invest in large capital expenditures and providing a pay-as-you-go model that empowers you to invest in the capacity you need and use it only when the business requires it.
Question 286
Which activity is a customer responsibility in the AWS Cloud according to the AWS shared responsibility model?
A) Ensuring network connectivity from AWS to the internet
B) Patching and fixing flaws within the AWS Cloud infrastructure
C) Ensuring the physical security of cloud data centers
D) Ensuring Amazon EBS volumes are backed up
You have to configure EBS volumes for backup yourself.
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data. Each snapshot contains all of the information that is needed to restore your data (from the moment when the snapshot was taken) to a new EBS volume.
Question 287
What are the advantages of the AWS Cloud? (Choose two.)
A) Fixed rate monthly cost
B) No need to guess capacity requirements
C) Increased speed to market
D) Increased upfront capital expenditure
E) Physical access to cloud data centers
Advantages of Cloud Computing:
-Trade capital expense for variable expense
-Benefit from massive economies of scale
-Stop guessing about capacity (elasticity)
-Increased speed and agility
-Stop spending money running and maintaining data centres
-Go global in minutes
Question 288
When comparing the total cost of ownership (TCO) of an on-premises infrastructure to a cloud architecture, what costs should be considered? (Choose two.)
A) The credit card processing fees for application transactions in the cloud.
B) The cost of purchasing and installing server hardware in the on-premises datacentre.
C) The cost of administering the infrastructure, including operating system and software installations, patches, backups, and recovering from failures.
D) The costs of third-party penetration testing.
E) The advertising costs associated with an ongoing enterprise-wide campaign.
-B-
The key benefit between traditional computing deployments and cloud computing deployments is that the customer no longer needs to expend large sums for hardware, infrastructure, building space and other up-front expenses, i.e. with cloud computing the CapEx (capital expense) is reduced to zero.
-C-
Another associated benefit is that OpEx (operational expense) is greatly reduced as the cost of administering the infrastructure is also greatly reduced due to the cloud provider’s being able to take advantage of a huge economy of scale.
Both these factors combine to give a lower overall cost to cloud computing compared to traditional on-premises deployments.
Question 289
Which AWS feature allows a company to take advantage of usage tiers for services across multiple member accounts?
A) Service control policies (SCPs)
B) Consolidated billing
C) All Upfront Reserved Instances
D) AWS Cost Explorer
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
AWS Organizations allows you to:
-programmatically create new AWS accounts and allocate resources
-group accounts to organize your workflows
-apply policies to accounts or groups for governance
-define central configurations and audit requirements
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business.
-control access, manage compliance, coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible by specific users, groups and roles)
-share resources across your AWS accounts.
-combine usage from all accounts in the organization to qualify you for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Incorrect answers:
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines.
Question 290
What is one of the customer's responsibilities according to the AWS shared responsibility model?
A) Virtualization infrastructure
B) Network infrastructure
C) Application security
D) Physical security of hardware
Customer responsibility, Security in the Cloud – Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
Incorrect answers:
-Not virtualisation infrastructure, because AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Question 291
What helps a company provide a lower latency experience to its users globally?
A) Using an AWS Region that is central to all users
B) Using a second Availability Zone in the AWS Region that is being used
C) Enabling caching in the AWS Region that is being used
D) Using edge locations to put content closer to all users
Edge locations cache responses, reducing traffic on the server and delivering content closer to users.
When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.
Incorrect answers:
-Using an AWS region central to all users – This answer is incorrect because even if this single region is located centrally to all global users it can still be far from some users on the periphery. Ideally, multiple regional deployments would need to be used to provide low latency performance globally.
Question 292
How can the AWS Cloud increase user workforce productivity after migration from an on-premises data center?
A) Users do not have to wait for infrastructure provisioning.
B) The AWS Cloud infrastructure is much faster than an on-premises data center infrastructure.
C) AWS takes over application configuration management on behalf of users.
D) Users do not need to address security and compliance issues.
Increase speed and agility – In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes. This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower.
Question 293
Which AWS service provides a quick and automated way to create and manage AWS accounts?
A) AWS QuickSight
B) Amazon Lightsail
C) AWS Organizations
D) Amazon Connect
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
…
You can automate the creation of new AWS accounts when you need to quickly launch new workloads, adding them to user-defined groups in your organization for instant security policy application, touchless infrastructure deployments and auditing. For example, you can create separate groups to categorize development and production accounts, and then use AWS CloudFormation StackSets to provision services and permissions to each group.
Question 294
Which Amazon RDS feature can be used to achieve high availability?
A) Multiple Availability Zones
B) Amazon Reserved Instances
C) Provisioned IOPS storage
D) Enhanced monitoring
Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Amazon RDS uses several different technologies to provide failover support. Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon's failover technology. SQL Server DB instances use SQL Server Database Mirroring (DBM).
Question 295
Where should users report that AWS resources are being used for malicious purposes?
A) AWS Trust & Safety team
B) AWS Shield
C) AWS Support
D) AWS Developer Forums
If you suspect that AWS resources are used for abusive purposes, contact the AWS Trust & Safety team (formerly AWS Abuse team) using the Report Amazon AWS abuse form, or by contacting abuse@amazonaws.com. Provide all the necessary information, including logs in plaintext, email headers, and so on, when you submit your request.
Question 296
Which AWS service needs to be enabled to track all user account changes within the AWS Management Console?
A) AWS CloudTrail
B) Amazon Simple Notification Service (Amazon SNS)
C) VPC Flow Logs
D) AWS CloudHSM
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.
Question 297
What is an AWS Cloud design best practice?
A) Tight coupling of components
B) Single point of failure
C) High availability
D) Overprovisioning of resources
Availability refers to the percentage of time that the infrastructure, system or solution remains operational under normal circumstances in order to serve its intended purpose. For cloud infrastructure solutions, availability relates to the time that the datacenter is accessible or delivers the intended IT service as a proportion of the duration for which the service is purchased. The mathematical formula for Availability is as follows:
Percentage of availability = (total elapsed time – sum of downtime) / total elapsed time
…
True high availability means that a resource is available from at least three different availability zones, however AWS currently only guarantees that a resource can be reached at two different availability zones.
How do you design your workload to withstand component failures?
…
-Workloads with a requirement for high availability and low mean time to recovery (MTTR) must be architected for resiliency.
-Use multiple AWS Direct Connect (DX) connections or VPN tunnels between separately deployed private networks.
-If using multiple AWS Regions, ensure redundancy in at least two of them.
-If you use AWS Marketplace appliances, deploy redundant instances for high availability in different Availability Zones.
Question 298
Which of the following is an example of how moving to the AWS Cloud reduces upfront cost?
A) By replacing large variable costs with lower capital investments
B) By replacing large capital investments with lower variable costs
C) By allowing the provisioning of compute and storage at a fixed level to meet peak demand
D) By replacing the repeated scaling of virtual servers with a simpler fixed-scale model
The key benefit between traditional computing deployments and cloud computing deployments is that the customer no longer needs to expend large sums for hardware, infrastructure, building space and other up-front expenses, i.e. with cloud computing the CapEx (capital expense) is reduced to zero.
Another associated benefit is that OpEx (operational expense) is greatly reduced as the cost of administering the infrastructure is also greatly reduced due to the cloud provider’s being able to take advantage of a huge economy of scale.
Both these factors combine to give a lower overall cost to cloud computing compared to traditional on-premises deployments.
Question 299
When designing a typical three-tier web application, which AWS services and/or features improve availability and reduce the impact of failures? (Choose two.)
A) AWS Auto Scaling for Amazon EC2 instances
B) Amazon VPC subnet ACLs to check the health of a service
C) Distributed resources across multiple Availability Zones
D) AWS Server Migration Service (AWS SMS) to move Amazon EC2 instances into a different Region
E) Distributed resources across multiple AWS points of presence
-A-
Amazon EC2 Auto Scaling helps to maintain your Amazon EC2 instance availability. Whether you are running one Amazon EC2 instance or thousands, you can use Amazon EC2 Auto Scaling to detect impaired Amazon EC2 instances, and replace the instances without intervention. This ensures that your application has the compute capacity that you expect.
-C-
Deploying across multiple Availability Zones protects against failure in a single availability zone; this provides ‘high availability’.
Incorrect answers:
-ACLs are mainly for security. A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html).
-A Point of Presence consists of Edge Locations and a Regional Edge Cache and is used by CloudFront for CDN purposes.
More information:
-3-tier applications mostly require multiple servers to perform well.
Question 300
Which cloud design principle aligns with AWS Cloud best practices?
A) Create fixed dependencies among application components
B) Aggregate services on a single instance
C) Deploy applications in a single Availability Zone
D) Distribute the compute load across multiple resources
In other words, this is horizontal scaling.
A "horizontally scalable" system is one that can increase capacity by adding more resources (i.e. computers) to the system. This is in contrast to a "vertically scalable" system, which is constrained to running its processes on only one computer.
In vertically scaled systems the only way to increase performance is to add more resources to one computer in the form of faster (or more) CPUs, memory or storage.
Horizontally scalable systems are oftentimes able to outperform vertically scalable systems by enabling parallel execution of workloads and distributing those across many different computers."
Question 301
Which of the following are recommended practices for managing IAM users? (Choose two.)
A) Require IAM users to change their passwords after a specified period of time
B) Prevent IAM users from reusing previous passwords
C) Recommend that the same password be used on AWS and other sites
D) Require IAM users to store their passwords in raw text
E) Disable multi-factor authentication (MFA) for IAM users
Security best practices in IAM:
-Lock away your AWS account root user access keys
-Create individual IAM users
-Use groups to assign permissions to IAM users
-Grant least privilege
-Get started using permissions with AWS managed policies
-Validate your policies
-Use customer managed policies instead of inline policies
-Use access levels to review IAM permissions
-Configure a strong password policy for your users
-Enable MFA
-Use roles for applications that run on Amazon EC2 instances
-Use roles to delegate permissions
-Do not share access keys
-Rotate credentials regularly
-Remove unnecessary credentials
-Use policy conditions for extra security
-Monitor activity in your AWS account
Default password policy - If an administrator does not set a custom password policy, IAM user passwords must meet the default AWS password policy. The default password policy enforces the following conditions:
-Minimum password length of 8 characters and a maximum length of 128 characters
-Minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ' symbols
-Not be identical to your AWS account name or email address
Custom password policy options - When you configure a custom password policy for your account, you can specify the following conditions:
-Password minimum length – You can specify a minimum of 6 characters and a maximum of 128 characters.
-Password strength – You can select any of the following check boxes to define the strength of your IAM user passwords:
  -Require at least one uppercase letter from Latin alphabet (A–Z)
  -Require at least one lowercase letter from Latin alphabet (a–z)
  -Require at least one number
  -Require at least one nonalphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
-Enable password expiration – You can select and specify a minimum of 1 and a maximum of 1,095 days that IAM user passwords are valid after they are set. For example, after 90 days a user's password expires and they must set a new password before accessing the AWS Management Console. The AWS Management Console warns IAM users when they are within 15 days of password expiration. IAM users can change their password at any time if they have permission. When they set a new password, the expiration period for that password starts over. An IAM user can have only one valid password at a time.
-Password expiration requires administrator reset – Select this option to prevent IAM users from updating their own passwords after the password expires. Before you select this option, confirm that your AWS account has more than one user with administrative permissions to reset IAM user passwords. Also consider providing access keys to allow administrators to reset IAM user passwords programmatically. If you clear this check box, IAM users with expired passwords must still set a new password before they can access the AWS Management Console.
-Allow users to change their own password – You can permit all IAM users in your account to use the IAM console to change their own passwords, as described in Permitting IAM users to change their own passwords. Alternatively, you can allow only some users to manage passwords, either for themselves or for others. To do so, you clear this check box. For more information about using policies to limit who can manage passwords, see Permitting IAM users to change their own passwords.
-Prevent password reuse – You can prevent IAM users from reusing a specified number of previous passwords. You can specify a minimum number of 1 and a maximum number of 24 previous passwords that can't be repeated.
More info:
https://docs.aws.amazon.com/IAM/latest/UserGuide/iam-ug.pdf#IAMBestPracticesAndUseCases
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
Question 302
A company is migrating from on-premises data centers to the AWS Cloud and is looking for hands-on help with the project. How can the company get this support? (Choose two.)
A) Ask for a quote from the AWS Marketplace team to perform a migration into the company's AWS account.
B) Contact AWS Support and open a case for assistance
C) Use AWS Professional Services to provide guidance and to set up an AWS Landing Zone in the company's AWS account
D) Select a partner from the AWS Partner Network (APN) to assist with the migration
E) Use Amazon Connect to create a new request for proposal (RFP) for expert assistance in migrating to the AWS Cloud.
The AWS Professional Services organization is a global team of
experts that can help you realize your desired business outcomes when
using the AWS Cloud.
We work together with your team and your
chosen member of the AWS Partner Network (APN) to execute your
enterprise cloud computing initiatives. Some AWS partners specialize in
migrating to AWS and can assist the customer with their migration as a
pro services engagement."
Question 303
How does the AWS Enterprise Support Concierge team help users?
A) Supporting application development
B) Providing architecture guidance
C) Answering billing and account inquiries
D) Answering questions regarding technical support cases
Your AWS Concierge is a senior customer service agent who is
assigned to your account when you subscribe to an Enterprise or
qualified Reseller Support plan. This Concierge agent is your primary
point of contact for billing or account inquiries; when you don’t know
whom to call, they will find the right people to help. In most cases,
the AWS Concierge is available during regular business hours in your
headquarters’ geography. Outside of business hours, the global customer
service team can assist you 24x7x365. The best way to contact the AWS
Concierge is through the AWS Support Center."
Question 304
An application designed to span multiple Availability Zones is described as:
A) being highly available
B) having global reach
C) using an economy of scale
D) having elasticity
High availability. Protect against data center, Availability Zone, server, network and storage subsystem failures to keep your business running without downtime.
Availability Zones are connected to each other with fast, private fiber-optic networking, enabling you to architect applications that automatically fail over between AZs without interruption. These AZs offer AWS customers an easier and more effective way to design and operate applications and databases, making them more highly available, fault tolerant, and scalable than traditional single data center infrastructures or multi-data center infrastructures.
We recommend following these guidelines to achieve a robust degree of high availability:
-Design the system to have no single point of failure. Use automated monitoring, failure detection, and failover mechanisms for both stateless and stateful components.
-Single points of failure (SPOF) are commonly eliminated with an N+1 or 2N redundancy configuration, where N+1 is achieved via load balancing among active–active nodes, and 2N is achieved by a pair of nodes in active–standby configuration.
-AWS has several methods for achieving HA through both approaches, such as through a scalable, load balanced cluster or assuming an active–standby pair.
-Correctly instrument and test system availability.
-Prepare operating procedures for manual mechanisms to respond to, mitigate, and recover from the failure."
Question 305
A new service using AWS must be highly available. Yet, due to regulatory requirements, all of its Amazon EC2 instances must be located in a single geographic area. According to best practices, to meet these requirements, the EC2 instances must be placed in at least two:
A) AWS Regions
B) Availability Zones
C) subnets
D) placement groups
Each Region is a separate geographic area. Each Region has multiple, isolated locations known as Availability Zones.
To have high availability, protecting against data center, Availability Zone, server, network and storage subsystem failures so that your business keeps running without downtime, the instances must be deployed to multiple Availability Zones."
Question 306
A company has multiple AWS accounts within AWS Organizations and wants to apply the Amazon EC2 Reserved Instances benefit to a single account only. Which action should be taken?
A) Purchase the Reserved Instances from master payer account and turn off Reserved Instance sharing.
B) Enable billing alerts in the AWS Billing and Cost Management console.
C) Purchase the Reserved Instances in individual linked accounts and turn off Reserved Instance sharing from the payer level.
D) Enable Reserved Instance sharing in the AWS Billing and Cost Management console.
If Reserved Instance sharing is turned off for an account in an organization, Reserved Instance discounts apply only to the account that purchased the Reserved Instance.
Incorrect answers:
-A is not correct. You can’t buy resources from the master payer account; resources should only be linked to your sub-accounts."
Question 307
Which situation should be reported to the AWS Trust & Safety team?
A) An Availability Zone has a service disruption
B) An intrusion attempt is made from an AWS IP address
C) A user has trouble accessing an Amazon S3 bucket from an AWS IP address
D) A user needs to change payment methods due to a compromise
If you suspect that AWS resources are used for abusive purposes,
contact the AWS Trust & Safety team using the Report Amazon AWS abuse
form, or by contacting abuse@amazonaws.com. Provide all the necessary
information, including logs in plaintext, email headers, and so on, when
you submit your request."
Question 308
A company is planning to launch an ecommerce site in a single AWS Region to a worldwide user base. Which AWS services will allow the company to reach users and provide low latency and high transfer speeds? (Choose two.)
A) Application Load Balancer
B) AWS Global Accelerator
C) AWS Direct Connect
D) Amazon CloudFront
E) AWS Lambda
-B-
AWS Global Accelerator is a service in which you create accelerators to improve availability and performance of your applications for local and global users. Global Accelerator directs traffic to optimal endpoints over the AWS global network. This improves the availability and performance of your internet applications that are used by a global audience. Global Accelerator is a global service that supports endpoints in multiple AWS Regions, which are listed in the AWS Region Table.
-D-
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance."
Question 309
Which AWS service or resource is serverless?
A) AWS Lambda
B) Amazon EC2 instances
C) Amazon Lightsail
D) Amazon ElastiCache
Serverless services: AWS Lambda, Amazon Fargate, Amazon
EventBridge, AWS Step Functions, Amazon SQS, Amazon SNS, Amazon API
Gateway, AWS AppSync, Amazon S3, Amazon DynamoDB, Amazon RDS Proxy,
Amazon Aurora Serverless"
Question 310
Which of the following are components of Amazon VPC? (Choose two.)
A) Objects
B) Subnets
C) Buckets
D) Internet gateways
E) Access key
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, association of security groups, modification of access control lists, and configuration of route tables and network gateways.
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet."
Question 311
AWS Budgets can be used to:
A) prevent a given user from creating a resource
B) send an alert when the utilization of Reserved Instances drops below a certain percentage
C) set resource limits in AWS accounts to prevent overspending
D) split an AWS bill across multiple forms of payment
AWS Budgets lets customers set custom budgets and receive alerts if their costs or usage exceed (or are forecasted to exceed) their budgeted amount.
…
Customers can monitor and receive alerts when their Reserved Instance (RI) utilization falls below the threshold they define.
Incorrect answers:
-Not C because AWS Budgets does not turn things off when you hit a limit."
Question 312
Which of the following will enhance the security of access to the AWS Management Console? (Choose two.)
A) AWS Secrets Manager
B) AWS Certificate Manager
C) AWS Multi-Factor Authentication (AWS MFA)
D) Security groups
E) Password policies
Security best practices in IAM:
-Lock away your AWS account root user access keys
-Create individual IAM users
-Use groups to assign permissions to IAM users
-Grant least privilege
-Get started using permissions with AWS managed policies
-Validate your policies
-Use customer managed policies instead of inline policies
-Use access levels to review IAM permissions
-Configure a strong password policy for your users
-Enable MFA
-Use roles for applications that run on Amazon EC2 instances
-Use roles to delegate permissions
-Do not share access keys
-Rotate credentials regularly
-Remove unnecessary credentials
-Use policy conditions for extra security
-Monitor activity in your AWS account
Incorrect answers:
-Not A because Secrets
Manager is an AWS service. It enables you to replace hardcoded
credentials in your code, including passwords, with an API call to
Secrets Manager to retrieve the secret programmatically."
Question 313
The AWS Trusted Advisor checks include recommendations regarding which of the following? (Choose two.)
A) Information on Amazon S3 bucket permissions
B) AWS service outages
C) Multi-factor authentication enabled on the AWS account root user
D) Available software patches
E) Number of users in the account
AWS Basic Support and AWS Developer Support customers get access to 6 security checks (listed below) and 50 service limit checks (to see how close you are to exceeding use quotas):
-S3 Bucket Permissions
-Security Groups – Specific Ports Unrestricted
-IAM Use
-MFA on Root Account
-EBS Public Snapshots
-RDS Public Snapshots
-A- Amazon S3 bucket permissions
Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions. Bucket permissions that grant List access to everyone can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Bucket permissions that grant Upload/Delete access to everyone create potential security vulnerabilities by allowing anyone to add, modify, or remove items in a bucket. This check examines explicit bucket permissions and associated bucket policies that might override the bucket permissions.
-C- Multi-factor authentication on root account (free)
Checks the root account and warns if multi-factor authentication (MFA) is not enabled. For increased security, we recommend that you protect your account by using MFA, which requires a user to enter a unique authentication code from their MFA hardware or virtual device when interacting with the AWS console and associated websites.
For the full list of all Trusted Advisor best practices see here:
https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/"
Question 314
Which functions can users perform using AWS KMS?
A) Create and manage AWS access keys for the AWS account root user
B) Create and manage AWS access keys for an AWS account IAM user
C) Create and manage keys for encryption and decryption of data
D) Create and manage keys for multi-factor authentication
AWS Key Management Service (KMS) makes it easy for you to create
and manage cryptographic keys and control their use across a wide range
of AWS services and in your applications. AWS KMS is a secure and
resilient service that uses hardware security modules that have been
validated under FIPS 140-2, or are in the process of being validated, to
protect your keys. AWS KMS is integrated with AWS CloudTrail to provide
you with logs of all key usage to help meet your regulatory and
compliance needs."
Question 315
How does AWS Trusted Advisor provide guidance to users of the AWS Cloud? (Choose two.)
A) It identifies software vulnerabilities in applications running on AWS
B) It provides a list of cost optimization recommendations based on current AWS usage
C) It detects potential security vulnerabilities caused by permissions settings on account resources
D) It automatically corrects potential security issues caused by permissions settings on account resources
E) It provides proactive alerting whenever an Amazon EC2 instance has been compromised
AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. Trusted Advisor checks help optimize your AWS infrastructure, increase security and performance, reduce your overall costs, and monitor service limits. Whether establishing new workflows, developing applications, or as part of ongoing improvement, take advantage of the recommendations provided by Trusted Advisor on a regular basis to help keep your solutions provisioned optimally.
Incorrect answers:
-D – It only provides guidance; it is up to the user to take the recommended actions"
Question 316
Which of the following are advantages of the AWS Cloud? (Choose two.)
A) AWS manages the maintenance of the cloud infrastructure
B) AWS manages the security of applications built on AWS
C) AWS manages capacity planning for physical servers
D) AWS manages the development of applications on AWS
E) AWS manages cost planning for virtual servers
6 Advantages of Cloud Computing:
-Trade capital expense for variable expense
-Benefit from massive economies of scale
-Stop guessing about capacity
-Increased speed and agility
-Stop spending money running and maintaining data centres
-Go global in minutes"
Question 317
A user deploys an Amazon RDS DB instance in multiple Availability Zones. This strategy involves which pillar of the AWS Well-Architected Framework?
A) Performance efficiency
B) Reliability
C) Cost optimization
D) Security
Amazon RDS Multi-AZ deployments provide enhanced availability and
durability for RDS database (DB) instances, making them a natural fit
for production database workloads. When you provision a Multi-AZ DB
Instance, Amazon RDS automatically creates a primary DB Instance and
synchronously replicates the data to a standby instance in a different
Availability Zone (AZ). Each AZ runs on its own physically distinct,
independent infrastructure, and is engineered to be highly reliable."
Question 318
Which AWS services provide a user with connectivity between the AWS Cloud and on-premises resources? (Choose two.)
A) AWS VPN
B) Amazon Connect
C) Amazon Cognito
D) AWS Direct Connect
E) AWS Managed Services
Amazon VPC provides multiple network connectivity options for you
to leverage depending on your current network designs and requirements.
These connectivity options include leveraging either the internet (VPN)
or an AWS Direct Connect connection as the network backbone and
terminating the connection into either AWS or user-managed network
endpoints."
Question 319
Which AWS service is used to pay AWS bills, and monitor usage and budget costs?
A) AWS Billing and Cost Management
B) Consolidated billing
C) Amazon CloudWatch
D) Amazon QuickSight
AWS Billing and Cost Management is a web service that provides features that help you monitor your costs and pay your bill. Amazon Web Services (AWS) bills your account for usage, which ensures that you pay only for what you use. Included in this service are:
-Cost Explorer - which allows you to view your AWS cost data as a graph. With Cost Explorer, you can filter graphs by values such as API operation, Availability Zone, AWS service, custom cost allocation tag, Amazon EC2 instance type, purchase option, AWS Region, usage type, usage type group, and more. If you use consolidated billing, you can also filter by member account. In addition, you can see a forecast of future costs based on your historical cost data.
-AWS Budgets - You can use AWS Budgets to track your AWS usage and costs. Budgets use the cost visualization provided by Cost Explorer to show you the status of your budgets. This provides forecasts of your estimated costs and tracks your AWS usage, including your free tier usage. You can also use budgets to create Amazon Simple Notification Service (Amazon SNS) notifications that tell you when you go over your budgeted amounts, or when your estimated costs exceed your budgets."
Question 320
Which element of the AWS global infrastructure consists of one or more discrete data centers, each with redundant power, networking, and connectivity, which are housed in separate facilities?
A) AWS Regions
B) Availability Zones
C) Edge locations
D) Amazon CloudFront
Availability Zones consist of one or more discrete data centers,
each with redundant power, networking, and connectivity, housed in
separate facilities."
Question 321
Which Amazon VPC feature enables users to capture information about the IP traffic that reaches Amazon EC2 instances?
A) Security groups
B) Elastic network interfaces
C) Network ACLs
D) VPC Flow Logs
VPC Flow Logs is a feature that enables you to capture information
about the IP traffic going to and from network interfaces in your VPC"
Question 322
Which AWS service can be used to automatically scale an application up and down without making capacity planning decisions?
A) Amazon AutoScaling
B) Amazon Redshift
C) AWS CloudTrail
D) AWS Lambda
AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. Using AWS Auto Scaling, it’s easy to set up application scaling for multiple resources across multiple services in minutes. With AWS Auto Scaling, your applications always have the right resources at the right time.
The service provides a simple, powerful user interface that lets you build scaling plans for resources. AWS Auto Scaling makes scaling simple with recommendations that allow you to optimize performance, costs, or balance between them.
Application Auto Scaling is a service for developers and system administrators who need a solution for automatically scaling their scalable resources for individual AWS services beyond Amazon EC2. If you’re already using Amazon EC2 Auto Scaling to dynamically scale your Amazon EC2 instances, you can now combine it with AWS Auto Scaling to scale additional resources for other AWS services.
Application Auto Scaling allows you to configure automatic scaling for the following resources:
-AppStream 2.0 fleets
-Aurora replicas
-Amazon Comprehend document classification and entity recognizer endpoints
-DynamoDB tables and global secondary indexes
-Amazon Elastic Container Service (ECS) services
-Amazon EMR clusters
-Amazon Keyspaces (for Apache Cassandra) tables
-Lambda function provisioned concurrency
-Amazon Managed Streaming for Apache Kafka (MSK) broker storage
-SageMaker endpoint variants
-Spot Fleet requests
-Custom resources provided by your own applications or services
Notes:
-D – this is technically also a correct answer, as AWS Lambda can use the Application Auto Scaling API and create a scaling policy to scale resources automatically. However, I think the answer they are looking for is Amazon Autoscaling, as it is ultimately the service that carries out the autoscaling operations."
Question 323
AWS Enterprise Support users have access to which service or feature that is not available to users with other AWS Support plans?
A) AWS Trusted Advisor
B) AWS Support case
C) Concierge team
D) Amazon Connect
Your AWS Concierge is a senior customer service agent who is assigned to your account when you subscribe to an Enterprise or qualified Reseller Support plan.
This Concierge agent is your primary point of contact for billing or account inquiries; when you don’t know whom to call, they will find the right people to help.
In most cases, the AWS Concierge is available during regular business hours in your headquarters’ geography. Outside of business hours, the global customer service team can assist you 24x7x365. The best way to contact the AWS Concierge is through the AWS Support Center.
More info: https://aws.amazon.com/premiumsupport/plans/"
Question 324
A company wants to migrate a MySQL database to AWS but does not have the budget for Database Administrators to handle routine tasks including provisioning, patching, and performing backups. Which AWS service will support this use case?
A) Amazon RDS
B) Amazon DynamoDB
C) Amazon DocumentDB
D) Amazon ElastiCache
RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
Amazon RDS is available on several database instance types - optimized for memory, performance or I/O - and provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the AWS Database Migration Service to easily migrate or replicate your existing databases to Amazon RDS."
Question 325
A company wants to expand from one AWS Region into a second AWS Region. What does the company need to do to start supporting the new Region?
A) Contact an AWS Account Manager to sign a new contract
B) Move an Availability Zone to the new Region
C) Begin deploying resources in the second Region
D) Download the AWS Management Console for the new Region
A) Contact an AWS Account Manager to sign a new contract
B) Move an Availability Zone to the new Region
C) Begin deploying resources in the second Region
D) Download the AWS Management Console for the new Region
You select the Region from the Management Console and start deployment.
Incorrect answers:
-A – No new contract is needed; resource provisioning can be started immediately using the existing account and setup.
-B – An Availability Zone cannot be moved to a new Region by a customer, as it is one or more data centres at a physical location.
-D – There is no such thing as downloading the AWS Management Console; it is a web interface used to manage AWS resources.
Question 326
A user must meet compliance and software licensing requirements that state a workload must be hosted on a physical server. Which Amazon EC2 instance pricing option will meet these requirements?
A) Dedicated Hosts
B) Dedicated Instances
C) Spot Instances
D) Reserved Instances
A) Dedicated Hosts
B) Dedicated Instances
C) Spot Instances
D) Reserved Instances
Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2, so that you get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS. An Amazon EC2 Dedicated Host is a physical server fully dedicated for your use, so you can help address corporate compliance requirements. A dedicated host is a complete physical machine with a single partition.
Notes:
-Dedicated Instances and Dedicated Hosts are separate offerings.
-Dedicated Instances are Amazon EC2 instances that run in a VPC on hardware that's dedicated to a single customer.
--Your Dedicated Instances are physically isolated at the host hardware level from instances that belong to other AWS accounts. This means that no other AWS account will run an instance on the same host, but other instances (both dedicated and non-dedicated) from the same AWS account might run on the same host.
--A Dedicated Instance is partitioned under a hypervisor on a shared server.
-A Dedicated Host is a complete physical machine with a single partition that is dedicated to a single customer.
-Other important differences between a Dedicated Host and a Dedicated Instance are that a Dedicated Host gives you additional visibility and control over how instances are placed on a physical server: you have visibility over physical cores and over socket usage. Also, you can consistently deploy your instances to the same physical server over time.
--As a result, Dedicated Hosts enable you to use your existing server-bound software licenses (from vendors such as Microsoft and Oracle) and address corporate compliance and regulatory requirements.
--Amazon EC2 Dedicated Hosts allow you to get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS.
--Amazon EC2 Dedicated Hosts are also integrated with AWS License Manager (see below).
--In some cases, due to licensing restrictions, some software isn’t allowed to be run on a shared tenancy model. For instance, if you’re trying to Bring Your Own License (BYOL) to AWS, some licenses are based on the socket model, where the number of host sockets is used for licensing. In other circumstances, regulatory compliance may dictate that you can’t use the shared model.
--Dedicated Hosts and Dedicated Instances can both be used to launch Amazon EC2 instances onto physical servers that are dedicated for your use. There are no performance, security, or physical differences between Dedicated Instances and instances on Dedicated Hosts.
Question 327
Which AWS service will provide a way to generate encryption keys that can be used to encrypt data? (Choose two.)
A) Amazon Macie
B) AWS Certificate Manager
C) AWS Key Management Service (AWS KMS)
D) AWS Secrets Manager
E) AWS CloudHSM
A) Amazon Macie
B) AWS Certificate Manager
C) AWS Key Management Service (AWS KMS)
D) AWS Secrets Manager
E) AWS CloudHSM
-C-
AWS Key Management Service (KMS) is an Amazon Web Services product that allows administrators to create, delete and control keys that encrypt data stored in AWS databases and products.
-E-
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
Question 328
A company is planning to migrate from on-premises to the AWS Cloud. Which AWS tool or service provides detailed reports on estimated cost savings after migration?
A) AWS Total Cost of Ownership (TCO) Calculator
B) Cost Explorer
C) AWS Budgets
D) AWS Migration Hub
A) AWS Total Cost of Ownership (TCO) Calculator
B) Cost Explorer
C) AWS Budgets
D) AWS Migration Hub
Use the AWS Total Cost of Ownership (TCO) Calculator to compare the cost of running your applications in an on-premises or colocation environment to AWS. Describe your on-premises or colocation configuration to produce a detailed cost comparison with AWS.
Incorrect answers:
-AWS Migration Hub is for importing information about the on-premises servers and applications to track the status of a migration. It's a project management tool, not a costing tool.
Question 329
What can assist in evaluating an application for migration to the cloud? (Choose two.)
A) AWS Trusted Advisor
B) AWS Professional Services
C) AWS Systems Manager
D) AWS Partner Network (APN)
E) AWS Secrets Manager
A) AWS Trusted Advisor
B) AWS Professional Services
C) AWS Systems Manager
D) AWS Partner Network (APN)
E) AWS Secrets Manager
AWS Professional Services helps you automate and accelerate the migration of large numbers of workloads to the AWS Cloud.
…
We work together with your team and your chosen member of the AWS Partner Network (APN) to execute your enterprise cloud computing initiatives.
Some AWS partners specialize in migrating to AWS and can assist the customer with their migration as a professional services engagement.
Question 330
Which AWS service helps users meet contractual and regulatory compliance requirements for data security by using dedicated hardware appliances within the AWS Cloud?
A) AWS Secrets Manager
B) AWS CloudHSM
C) AWS Key Management Service (AWS KMS)
D) AWS Directory Service
A) AWS Secrets Manager
B) AWS CloudHSM
C) AWS Key Management Service (AWS KMS)
D) AWS Directory Service
The AWS CloudHSM (Hardware Security Module) service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS Cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary.
CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store, and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
A Hardware Security Module (HSM) provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the hardware.
Question 331
Under the AWS shared responsibility model, the customer manages which of the following? (Choose two.)
A) Decommissioning of physical storage devices
B) Security group and ACL configuration
C) Patch management of an Amazon RDS instance operating system
D) Controlling physical access to data centers
E) Patch management of an Amazon EC2 instance operating system
A) Decommissioning of physical storage devices
B) Security group and ACL configuration
C) Patch management of an Amazon RDS instance operating system
D) Controlling physical access to data centers
E) Patch management of an Amazon EC2 instance operating system
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.
You're responsible for the security of:
-The software running on your instances, including the guest operating system (including updates and security patches) and application security updates.
-Security groups and network access control lists (NACLs). Security groups control access to your instances and elastic load balancers. NACLs control access to individual subnets within a VPC.
-The network architecture within your VPC, including configuration of the AWS provided security group firewall. In each Region, AWS provides a default VPC that's preconfigured. You can use the default VPC as-is, but you don't have to. You can reconfigure it, or just create a new custom VPC from scratch. Either way, it's up to you to make sure the VPC is secure.
Question 332
Which AWS service is suitable for an event-driven workload?
A) Amazon EC2
B) AWS Elastic Beanstalk
C) AWS Lambda
D) Amazon Lumberyard
A) Amazon EC2
B) AWS Elastic Beanstalk
C) AWS Lambda
D) Amazon Lumberyard
An event-driven architecture uses events to trigger and communicate between decoupled services and is common in modern applications built with microservices. An event is a change in state, or an update, like an item being placed in a shopping cart on an e-commerce website. Events can either carry the state (the item purchased, its price, and a delivery address) or events can be identifiers (a notification that an order was shipped).
Event-driven architectures have three key components: event producers, event routers, and event consumers. A producer publishes an event to the router, which filters and pushes the events to consumers. Producer services and consumer services are decoupled, which allows them to be scaled, updated, and deployed independently.
AWS Lambda is an event-driven, serverless computing platform provided by Amazon as a part of Amazon Web Services. It is a computing service that runs code in response to events and automatically manages the computing resources required by that code.
Incorrect answers:
-Amazon Lumberyard is a game engine developed by Amazon. The engine features integration with Amazon Web Services to allow developers to build or host their games on Amazon's servers, as well as support for livestreaming via Twitch.
-AWS Elastic Beanstalk can be used as part of an event-driven architecture; however, it also requires Amazon EventBridge or Amazon Simple Notification Service to route the events. In these cases it is not a full event-driven workload service but simply an event producer.
Question 333
What is a value proposition of the AWS Cloud?
A) AWS is responsible for security in the AWS Cloud
B) No long-term contract is required
C) Provision new servers in days
D) AWS manages user applications in the AWS Cloud
A) AWS is responsible for security in the AWS Cloud
B) No long-term contract is required
C) Provision new servers in days
D) AWS manages user applications in the AWS Cloud
AWS offers you a pay-as-you-go approach for pricing for over 160 cloud services. With AWS you pay only for the individual services you need, for as long as you use them, and without requiring long-term contracts or complex licensing. AWS pricing is similar to how you pay for utilities like water and electricity. You only pay for the services you consume, and once you stop using them, there are no additional costs or termination fees.
Question 334
What is a characteristic of Amazon S3 cross-region replication?
A) Both source and destination S3 buckets must have versioning disabled
B) The source and destination S3 buckets cannot be in different AWS Regions
C) S3 buckets configured for cross-region replication can be owned by a single AWS account or by different accounts
D) The source S3 bucket owner must have the source and destination AWS Regions disabled for their account
A) Both source and destination S3 buckets must have versioning disabled
B) The source and destination S3 buckets cannot be in different AWS Regions
C) S3 buckets configured for cross-region replication can be owned by a single AWS account or by different accounts
D) The source S3 bucket owner must have the source and destination AWS Regions disabled for their account
Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. Objects may be replicated to a single destination bucket or to multiple destination buckets. Destination buckets can be in different AWS Regions or within the same Region as the source bucket.
Amazon S3 cross-region replication requirements:
-Both source and destination buckets must have versioning enabled.
-The source bucket owner must have the source and destination AWS Regions enabled for their account. The destination bucket owner must have the destination Region enabled for their account. For more information about enabling or disabling an AWS Region, see AWS Service Endpoints in the AWS General Reference.
-If the source bucket has S3 Object Lock enabled, the destination bucket must also have S3 Object Lock enabled.
-Amazon S3 must have permissions to replicate objects from the source bucket to the destination bucket on your behalf.
-If the owner of the source bucket doesn't own the object in the bucket, the object owner must grant the bucket owner READ and READ_ACP permissions with the object access control list (ACL).
Question 335
What is a user responsible for when running an application in the AWS Cloud?
A) Managing physical hardware
B) Updating the underlying hypervisor
C) Providing a list of users approved for data center access
D) Managing application software updates
A) Managing physical hardware
B) Updating the underlying hypervisor
C) Providing a list of users approved for data center access
D) Managing application software updates
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.
Also, note that the customer:
-assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS provided security group firewall.
-should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
-is responsible for data configuration (i.e. encrypting data at rest and in transit).
Question 336
A company that does business online needs to quickly deliver new functionality in an iterative manner, minimizing the time to market. Which AWS Cloud feature can provide this?
A) Elasticity
B) High availability
C) Agility
D) Reliability
A) Elasticity
B) High availability
C) Agility
D) Reliability
Agility is the practice of building in the ability to change quickly and inexpensively. The cloud not only makes these other practices practical but provides agility on its own. Infrastructure can be provisioned in minutes instead of months, and de-provisioned or changed just as quickly.
Question 337
Which features or services can be used to monitor costs and expenses for an AWS account? (Choose two.)
A) AWS Cost and Usage report
B) AWS product pages
C) AWS Pricing Calculator
D) Billing alerts and Amazon CloudWatch alarms
E) AWS Price List API
A) AWS Cost and Usage report
B) AWS product pages
C) AWS Pricing Calculator
D) Billing alerts and Amazon CloudWatch alarms
E) AWS Price List API
-A-
The AWS Cost and Usage Reports contain the most comprehensive set of cost and usage data available. AWS Cost and Usage Reports track your AWS usage and provide estimated charges associated with your account. Each report contains line items for each unique combination of AWS products, usage type, and operation that you use in your AWS account. You can use Cost and Usage Reports to publish your AWS billing reports to an Amazon Simple Storage Service (Amazon S3) bucket that you own.
-D-
You can monitor your estimated AWS charges by using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.
Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.
Alerts and alarms can be set up to notify you when you have reached a specific usage cost in your AWS account. It’s a notification that you will receive automatically when a certain level of AWS spend has been reached. This can be set up globally in your AWS account in the Billing & Cost Management Dashboard and per Region in the CloudWatch service.
Question 338
Amazon Route 53 enables users to:
A) encrypt data in transit
B) register DNS domain names
C) generate and manage SSL certificates
D) establish a dedicated network connection to AWS
A) encrypt data in transit
B) register DNS domain names
C) generate and manage SSL certificates
D) establish a dedicated network connection to AWS
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.
Amazon Route 53 effectively connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of AWS. You can use Amazon Route 53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the health of your application and its endpoints.
Amazon Route 53 also offers Domain Name Registration – you can purchase and manage domain names such as example.com and Amazon Route 53 will automatically configure DNS settings for your domains.
Question 339
Which AWS service helps identify malicious or unauthorized activities in AWS accounts and workloads?
A) Amazon Rekognition
B) AWS Trusted Advisor
C) Amazon GuardDuty
D) Amazon CloudWatch
A) Amazon Rekognition
B) AWS Trusted Advisor
C) Amazon GuardDuty
D) Amazon CloudWatch
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in AWS.
The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.
Question 340
A company wants to try a third-party ecommerce solution before deciding to use it long term. Which AWS service or tool will support this effort?
A) AWS Marketplace
B) AWS Partner Network (APN)
C) AWS Managed Services
D) AWS Service Catalog
A) AWS Marketplace
B) AWS Partner Network (APN)
C) AWS Managed Services
D) AWS Service Catalog
The AWS Marketplace enables qualified partners to market and sell their software to AWS customers. AWS Marketplace is an online software store that helps customers find, buy, and immediately start using the software and services that run on AWS.
AWS Marketplace is designed for Independent Software Vendors (ISVs), Value-Added Resellers (VARs), and Systems Integrators (SIs) who have software products they want to offer to customers in the cloud. Partners use AWS Marketplace to be up and running in days and offer their software products to customers around the world.
Some products listed on AWS Marketplace offer free trials. The free trial enables you to try-before-you-buy software. Free trials are limited to a certain amount of free usage.
Question 341
Which AWS service is a managed NoSQL database?
A) Amazon Redshift
B) Amazon DynamoDB
C) Amazon Aurora
D) Amazon RDS for MariaDB
A) Amazon Redshift
B) Amazon DynamoDB
C) Amazon Aurora
D) Amazon RDS for MariaDB
Amazon DynamoDB - Fast and flexible NoSQL database service for any scale. A key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-Region, multi-master, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.
Question 342
Which AWS service should be used to create a billing alarm?
A) AWS Trusted Advisor
B) AWS CloudTrail
C) Amazon CloudWatch
D) Amazon QuickSight
A) AWS Trusted Advisor
B) AWS CloudTrail
C) Amazon CloudWatch
D) Amazon QuickSight
You can monitor your estimated AWS charges by using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.
Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.
Alerts and alarms can be set up to notify you when you have reached a specific usage cost in your AWS account. It’s a notification that you will receive automatically when a certain level of AWS spend has been reached. This can be set up globally in your AWS account in the Billing & Cost Management Dashboard and per Region in the CloudWatch service.
Question 343
A company is hosting a web application in a Docker container on Amazon EC2. AWS is responsible for which of the following tasks?
A) Scaling the web application and services developed with Docker
B) Provisioning or scheduling containers to run on clusters and maintain their availability
C) Performing hardware maintenance in the AWS facilities that run the AWS Cloud
D) Managing the guest operating system, including updates and security patches
A) Scaling the web application and services developed with Docker
B) Provisioning or scheduling containers to run on clusters and maintain their availability
C) Performing hardware maintenance in the AWS facilities that run the AWS Cloud
D) Managing the guest operating system, including updates and security patches
AWS is responsible for operating and maintaining the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
Notes:
A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.
Question 344
Users are reporting latency when connecting to a website with a global customer base. Which AWS service will improve the customer experience by reducing latency?
A) Amazon CloudFront
B) AWS Direct Connect
C) Amazon EC2 Auto Scaling
D) AWS Transit Gateway
A) Amazon CloudFront
B) AWS Direct Connect
C) Amazon EC2 Auto Scaling
D) AWS Transit Gateway
Amazon CloudFront - When your web traffic is geo-dispersed, it's not always feasible, and certainly not cost effective, to replicate your entire infrastructure across the globe. A content delivery network (CDN) provides you the ability to utilize its global network of edge locations to deliver a cached copy of web content such as videos, webpages, images and so on to your customers. To reduce response time, the CDN serves the request from the edge location nearest to the customer or originating request location. Throughput is dramatically increased given that the web assets are delivered from cache. For dynamic data, many CDNs can be configured to retrieve data from the origin servers.
Question 345
Which actions represent best practices for using AWS IAM? (Choose two.)
A) Configure a strong password policy
B) Share the security credentials among users of AWS accounts who are in the same Region
C) Use access keys to log in to the AWS Management Console
D) Rotate access keys on a regular basis
E) Avoid using IAM roles to delegate permissions
A) Configure a strong password policy
B) Share the security credentials among users of AWS accounts who are in the same Region
C) Use access keys to log in to the AWS Management Console
D) Rotate access keys on a regular basis
E) Avoid using IAM roles to delegate permissions
Security best practices in IAM:
-Lock away your AWS account root user access keys
-Create individual IAM users
-Use groups to assign permissions to IAM users
-Grant least privilege
-Get started using permissions with AWS managed policies
-Validate your policies
-Use customer managed policies instead of inline policies
-Use access levels to review IAM permissions
-Configure a strong password policy for your users
-Enable MFA
-Use roles for applications that run on Amazon EC2 instances
-Use roles to delegate permissions
-Do not share access keys
-Rotate credentials regularly
-Remove unnecessary credentials
-Use policy conditions for extra security
-Monitor activity in your AWS account
More information: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Notes:
Access keys can eventually be figured out by a good hacker, so rotate them.
Question 346
Which AWS feature or service can be used to capture information about incoming and outgoing traffic in an AWS VPC infrastructure?
A) AWS Config
B) VPC Flow Logs
C) AWS Trusted Advisor
D) AWS CloudTrail
A) AWS Config
B) VPC Flow Logs
C) AWS Trusted Advisor
D) AWS CloudTrail
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination. Flow logs can help you with a number of tasks, such as:
-Diagnosing overly restrictive security group rules
-Monitoring the traffic that is reaching your instance
-Determining the direction of the traffic to and from the network interfaces
Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.
Question 347
A company wants to use an AWS service to monitor the health of application endpoints, with the ability to route traffic to healthy regional endpoints to improve application availability. Which service will support these requirements?
A) Amazon Inspector
B) Amazon CloudWatch
C) AWS Global Accelerator
D) Amazon CloudFront
A) Amazon Inspector
B) Amazon CloudWatch
C) AWS Global Accelerator
D) Amazon CloudFront
AWS Global Accelerator uses the AWS global network to optimize the path from your users to your applications, improving the performance of your traffic by as much as 60%. AWS Global Accelerator continually monitors the health of your application endpoints and redirects traffic to healthy endpoints in less than 30 seconds.
Question 348
According to the AWS Well-Architected Framework, what change management steps should be taken to achieve reliability in the AWS Cloud? (Choose two.)
A) Use AWS Config to generate an inventory of AWS resources
B) Use service limits to prevent users from creating or making changes to AWS resources
C) Use AWS CloudTrail to record AWS API calls into an auditable log file
D) Use AWS Certificate Manager to whitelist approved AWS resources and services
E) Use Amazon GuardDuty to validate configuration changes made to AWS resources
A) Use AWS Config to generate an inventory of AWS resources
B) Use service limits to prevent users from creating or making changes to AWS resources
C) Use AWS CloudTrail to record AWS API calls into an auditable log file
D) Use AWS Certificate Manager to whitelist approved AWS resources and services
E) Use Amazon GuardDuty to validate configuration changes made to AWS resources
Reliability Design Principles and Best Practices
Change Management: Changes to your workload or its environment must be anticipated and accommodated to achieve reliable operation of the workload. Changes include those imposed on your workload, such as spikes in demand, as well as those from within, such as feature deployments and security patches. Using AWS, you can monitor the behaviour of a workload and automate the response to these changes. With monitoring in place, your team will be automatically alerted when KPIs deviate from expected norms.
Automatic logging of changes to your environment allows you to audit and identify actions that might have impacted reliability.
AWS Config continuously monitors and records your AWS resource configurations. It can detect drift and trigger AWS Systems Manager Automation to fix it and raise alarms.
AWS CloudTrail tracks user activity and API usage. It helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
Incorrect answers:
-Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
Question 349
Which service can be used to monitor and receive alerts for AWS account root user AWS Management Console sign-in events?
A) Amazon CloudWatch
B) AWS Config
C) AWS Trusted Advisor
D) AWS IAM
Amazon CloudWatch - typical run-through of how this would happen:
-An Amazon CloudWatch Events rule detects any AWS account root user API events.
-It triggers an AWS Lambda function.
-The Lambda function then processes the root API event. It also publishes a message to an Amazon SNS topic, where the subject contains the AWS account ID or AWS account alias where the root API call was detected and the type of API activity.
-The SNS topic then sends notifications to its email subscribers about this event.
Question 350
Which design principle should be considered when architecting in the AWS Cloud?
A) Think of servers as non-disposable resources
B) Use synchronous integration of services
C) Design loosely coupled components
D) Implement the least permissive rules for security groups
As application complexity increases, a desirable attribute of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies—a change or a failure in one component should not cascade to other components.
Your infrastructure also needs to have well-defined interfaces that allow the various components to interact with each other only through specific, technology-agnostic interfaces. Modifying any underlying operations without affecting other components should be made possible.
Question 351
Which AWS services can be used to move data from on-premises data centers to AWS? (Choose two.)
A) AWS Snowball
B) AWS Lambda
C) AWS ElastiCache
D) AWS Database Migration Service (AWS DMS)
E) Amazon API Gateway
-A- AWS Snowball: petabyte-scale data transport with on-board storage and compute capabilities. Part of the AWS Snow Family, it is an edge computing, data migration, and edge storage device.
-You can use these devices for data collection, machine learning and processing, and storage in environments with intermittent connectivity (like manufacturing, industrial, and transportation) or in extremely remote locations (like military or maritime operations) before shipping them back to AWS.
-These devices may also be rack mounted and clustered together to build larger temporary installations.
-D- AWS Database Migration Service: AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate your data to and from most widely used commercial and open-source databases.
-AWS Database Migration Service supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora. With AWS Database Migration Service, you can continuously replicate your data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift and Amazon S3.
-When migrating databases to Amazon Aurora, Amazon Redshift, Amazon DynamoDB or Amazon DocumentDB (with MongoDB compatibility) you can use DMS free for six months.
-The only requirement to use AWS DMS is that one of your endpoints must be on an AWS service. You can't use AWS DMS to migrate from an on-premises database to another on-premises database.
Question 352
A batch workload takes 5 hours to finish on an Amazon EC2 instance. The amount of data to be processed doubles monthly and the processing time is proportional. What is the best cloud architecture to address this consistently growing demand?
A) Run the application on a bigger EC2 instance size.
B) Switch to an EC2 instance family that better matches batch requirements.
C) Distribute the application across multiple EC2 instances and run in parallel.
D) Run the application on a bare metal EC2 instance.
Scale horizontally to increase aggregate workload availability. Replace one large resource with multiple small resources to reduce the impact of a single failure on the overall workload. Distribute requests across multiple, smaller resources to ensure that they don't share a common point of failure.
Question 353
Each department in a company has its own independent AWS account and its own payment method. New company leadership wants to centralize departmental governance and consolidate payments. How can this be achieved using AWS services & features?
A) Forward monthly invoices for each account. Then create IAM roles to allow cross-account access.
B) Create a new AWS account. Then configure AWS Organizations and invite all existing accounts to join.
C) Configure AWS Organizations in each of the existing accounts. Then link all accounts together.
D) Use Cost Explorer to combine costs from all accounts. Then replicate IAM policies across accounts.
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Allows you to:
-programmatically create new AWS accounts and allocate resources
-group accounts to organize your workflows
-apply policies to accounts or groups for governance
-define central configurations and audit requirements
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business.
-control access, manage compliance, coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible by specific users, groups and roles)
-share resources across your AWS accounts.
-combine usage from all accounts in the organization to qualify you for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Question 354
The ability to horizontally scale Amazon EC2 instances based on demand is an example of which concept in the AWS Cloud value proposition?
A) Economy of scale
B) Elasticity
C) High availability
D) Agility
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible."
Some cloud solutions can also be automatically adjusted to meet these needs. This means you can set them up to scale up or down automatically based on certain conditions, like when your cloud solution is running out of processing power.
Question 355
An ecommerce company anticipates a huge increase in web traffic for two very popular upcoming shopping holidays. Which AWS service or feature can be configured to dynamically adjust resources to meet this change in demand?
A) AWS CloudTrail
B) Amazon EC2 Auto Scaling
C) Amazon Forecast
D) AWS Config
The goal of an Auto Scaling Group (ASG) is to:
-Scale out (add EC2 instances) to match an increased load
-Scale in (remove EC2 instances) to match a decreased load
-Ensure we have a minimum and a maximum number of machines running
-Automatically register new instances to a load balancer
-Replace unhealthy instances
Amazon EC2 Auto Scaling can detect when an instance is unhealthy, terminate it, and launch an instance to replace it. You can also configure Amazon EC2 Auto Scaling to use multiple Availability Zones. If one Availability Zone becomes unavailable, Amazon EC2 Auto Scaling can launch instances in another one to compensate.
Question 356
Which AWS service enables users to securely connect to AWS resources over the public internet?
A) Amazon VPC peering
B) AWS Direct Connect
C) AWS Client VPN
D) Amazon Pinpoint
Amazon VPC provides multiple network connectivity options for you to leverage depending on your current network designs and requirements. These connectivity options include leveraging either the internet (VPN) or a dedicated private AWS Direct Connect connection as the network backbone and terminating the connection into either AWS or user-managed network endpoints.
A VPC VPN connection utilizes IPsec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. VPN connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity.
AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.
Question 357
Which tool is used to forecast AWS spending?
A) AWS Trusted Advisor
B) AWS Organizations
C) Cost Explorer
D) Amazon Inspector
The AWS Billing and Cost Management console includes the no-cost Cost Explorer tool for viewing your AWS cost data as a graph. With Cost Explorer, you can filter graphs by values such as API operation, Availability Zone, AWS service, custom cost allocation tag, Amazon EC2 instance type, purchase option, AWS Region, usage type, usage type group, and more. If you use consolidated billing, you can also filter by member account. In addition, you can see a forecast of future costs based on your historical cost data.
Cost Explorer: forecast usage up to 3 months based on previous usage. Estimate your resource utilization and spend with forecast dashboards that you create (self-service).
Question 358
A company is running an ecommerce application hosted in Europe. To decrease latency for users who access the website from other parts of the world, the company would like to cache frequently accessed static content closer to the users. Which AWS service will support these requirements?
A) Amazon ElastiCache
B) Amazon CloudFront
C) Amazon Elastic File System (Amazon EFS)
D) Amazon Elastic Block Store (Amazon EBS)
Amazon CloudFront employs a global network of edge locations and regional edge caches that cache copies of your content close to your viewers. Amazon CloudFront ensures that end-user requests are served by the closest edge location. As a result, viewer requests travel a short distance, improving performance for your viewers. For files not cached at the edge locations and the regional edge caches, Amazon CloudFront keeps persistent connections with your origin servers so that those files can be fetched from the origin servers as quickly as possible.
Question 359
Which of the following is a component of the AWS Global Infrastructure?
A) Amazon Alexa
B) AWS Regions
C) Amazon Lightsail
D) AWS Organizations
AWS Global Infrastructure:
↓
AWS Regions
↓
AWS Availability Zones
↓
AWS Data Centers
AWS Global Infrastructure is comprised of AWS Regions.
Question 360
Which AWS service will help users determine if an application running on an Amazon EC2 instance has sufficient CPU capacity?
A) Amazon CloudWatch
B) AWS Config
C) AWS CloudTrail
D) Amazon Inspector
The CloudWatch metric for CPU utilization will report 100% utilization if the instance bursts so much that it exceeds its available CPU resources during that CloudWatch monitored minute. CloudWatch reporting 100% CPU utilization is your signal that you should consider scaling – manually or via Auto Scaling – up to a larger instance type or scaling out to multiple Micro instances.
Question 361
Why is it beneficial to use Elastic Load Balancers with applications?
A) They allow for the conversion from Application Load Balancers to Classic Load Balancers.
B) They are capable of handling constant changes in network traffic patterns.
C) They automatically adjust capacity.
D) They are provided at no charge to users.
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing assists with maintaining the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant. Elastic Load Balancing scales with web traffic.
Question 362
Which tasks are the customer's responsibility in the AWS shared responsibility model? (Choose two.)
A) Infrastructure facilities access management
B) Cloud infrastructure hardware lifecycle management
C) Configuration management of user's applications
D) Networking infrastructure protection
E) Security groups configuration
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. This differentiation of responsibility is commonly referred to as Security of the Cloud versus Security in the Cloud.
Also, note that the customer:
-assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
-should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
-is responsible for data configuration (i.e. encrypting data at rest and in transit).
Question 363
IT systems should be designed to reduce interdependencies, so that a change or failure in one component does not cascade to other components. This is an example of which principle of cloud architecture design?
A) Scalability
B) Loose coupling
C) Automation
D) Automatic scaling
Loose coupling - As application complexity increases, a desirable attribute of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies—a change or a failure in one component should not cascade to other components.
Your infrastructure also needs to have well-defined interfaces that allow the various components to interact with each other only through specific, technology-agnostic interfaces. Modifying any underlying operations without affecting other components should be made possible.
Question 364
Which AWS service or feature can enhance network security by blocking requests from a particular network for a web application on AWS? (Choose two.)
A) AWS WAF
B) AWS Trusted Advisor
C) AWS Direct Connect
D) AWS Organizations
E) Network ACLs
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can monitor many attributes of traffic, such as IP addresses, URI strings, HTTP headers and HTTP methods.
Network ACLs are an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
To allow or block specific IP addresses for your EC2 instances, use a network Access Control List (ACL) or security group rules in your VPC. Network ACLs and security group rules act as firewalls allowing or blocking IP addresses from accessing your resources. Network ACLs control inbound and outbound traffic at the subnet level. Security group rules act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.
Question 365
An application runs on multiple Amazon EC2 instances that access a shared file system simultaneously. Which AWS storage service should be used?
A) Amazon EBS
B) Amazon EFS
C) Amazon S3
D) AWS Artifact
E) Amazon EC2 instance store
The EFS file system can be used by multiple EC2 instances from different data centers in parallel. Additionally, the data of the EFS file system is replicated among multiple data centers & Availability Zones (AZ). It also remains available even if a whole data center suffers from an outage, which isn't true for EBS and Instance Store.
Incorrect answers:
-A- Using block storage would have been an option, but it won't allow access to files from multiple machines in parallel. Also, an EBS volume is tied to a data center, also called Availability Zone (AZ), and can only be attached over the network to a single EC2 instance from the same data center. Usually EBS volumes are used as the root volumes, which contain the operating system, or for relational database systems to store the state.
-C- Many legacy applications store state in files on disk. Therefore, using Amazon S3, an object store, is impossible by default.
-E- An Instance Store consists of a hard drive directly attached to the hardware which the virtual machine is running on. Amazon EC2 instance store can be regarded as ephemeral storage and so is unsuitable.
Question 366
A web application is hosted on AWS using an Elastic Load Balancer, multiple Amazon EC2 instances, and Amazon RDS. Which security measures fall under the responsibility of AWS? (Choose two.)
A) Running a virus scan on EC2 instances
B) Protecting against IP spoofing and packet sniffing
C) Installing the latest security patches on the RDS instance
D) Encrypting communication between the EC2 instances and the Elastic Load Balancer
E) Configuring a security group and a network access control list (NACL) for EC2
-B- AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity. The AWS network provides protection against traditional network security issues:
-DDoS – AWS uses proprietary DDoS mitigation techniques. Additionally, AWS's networks are multi-homed across a number of providers to achieve Internet access diversity.
-Man in the Middle attacks – AWS APIs are available via SSL-protected endpoints which provide server authentication.
-IP spoofing – AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
-Port Scanning – Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Penetration/Vulnerability testing can be performed only on your own instances, with mandatory prior approval, and must not violate the AWS Acceptable Use Policy.
-Packet Sniffing by other tenants – It is not possible for a virtual instance running in promiscuous mode to receive or sniff traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other's traffic.
Source: https://jayendrapatil.com/aws-security-whitepaper-overview/
-C- RDS is a managed database service; AWS will take care of security patches.
Managed services – a cloud feature that you can use without having to take care of the underlying hardware's administration. In managed services common activities are automated and implemented according to best practices, such as change requests, monitoring, patch management, security, and backup services. AWS Managed Services provide full-lifecycle services to provision, run, and support your infrastructure, and thus unburden you from infrastructure operations so you can direct resources toward differentiating your business.
Incorrect answers:
-A- Virus scanning on EC2 is the customer's responsibility; AWS will only take care of the physical hardware up to the hypervisor level. Anything else is the customer's responsibility.
-D- Encrypting communications between EC2 and ELB requires the customer to apply certificates and also to configure the instances and the ELB for encryption.
-E- Security group & NACL are the customer's responsibility to configure.
Question 367
What is the benefit of elasticity in the AWS Cloud?
A) Ensure web traffic is automatically spread across multiple AWS Regions.
B) Minimize storage costs by automatically archiving log data.
C) Enable AWS to automatically select the most cost-effective services.
D) Automatically adjust the required compute capacity to maintain consistent performance.
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible."
Some cloud solutions can also be automatically adjusted to meet these needs. This means you can set them up to scale up or down automatically based on certain conditions, like when your cloud solution is running out of processing power.
Elasticity: once a system is scalable, elasticity means that there will be some auto-scaling so that the system can scale based on the load. This is cloud-friendly: pay-per-use, match demand, optimize costs.
Question 368
The continual reduction of AWS Cloud pricing is due to:
A) pay-as-you-go pricing
B) the AWS global infrastructure
C) economies of scale
D) reserved storage pricing
Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.
Question 369
A company needs an Amazon S3 bucket that cannot have any public objects due to compliance requirements. How can this be accomplished?
A) Enable S3 Block Public Access from the AWS Management Console.
B) Hold a team meeting to discuss the importance of only uploading private S3 objects.
C) Require all S3 objects to be manually approved before uploading.
D) Create a service to monitor all S3 uploads and remove any public uploads.
There is an option for S3 to Block Public Access from the AWS Management Console.
"…Today we are making it easier for you to protect your buckets and objects with the introduction of Amazon S3 Block Public Access. This is a new level of protection that works at the account level and also on individual buckets, including those that you create in the future. You have the ability to block existing public access (whether it was specified by an ACL or a policy) and to ensure that public access is not granted to newly created items."
Question 370
A Cloud Practitioner identifies a billing issue after examining the AWS Cost and Usage report in the AWS Management Console. Which action can be taken to resolve this?
A) Open a detailed case related to billing and submit it to AWS Support for help.
B) Upload data describing the issue to a new object in a private Amazon S3 bucket.
C) Create a pricing application and deploy it to a right-sized Amazon EC2 instance for more information.
D) Proceed with creating a new dashboard in Amazon QuickSight.
Contacting AWS Support is the fastest and most direct method for communicating with an AWS associate about your questions. AWS Support does not publish a direct phone number for reaching a support representative. You can use the following process to have an associate reach out to you by email or phone instead.
Cost and billing support is available to all AWS customers, even those who do not have a support plan.
To contact AWS Support:
-Sign in and navigate to the AWS Support Center. If prompted, enter the email address and password for your account.
-Choose Create case.
-On the Create case page, choose Account and billing support and fill in the required fields on the form.
-After you complete the form, under Contact options, choose either Web for an email response, or Phone to request a telephone call from an AWS Support representative. Instant messaging support is not available for billing inquiries.
Question 371
What does the AWS Pricing Calculator do?
A) Compares on-premises costs to colocation environments
B) Estimates monthly billing based on projected usage
C) Estimates power consumption at existing data centers
D) Estimates CPU utilization
AWS Pricing Calculator - Configure a cost estimate that fits your unique business or personal needs with AWS products and services. Previously known as the Simple Monthly Calculator. Transparent pricing lets you see the math behind the price for your service configurations. View prices per service or per group of services to analyse your architecture costs.
Configure services, or groups of services, in multiple AWS Regions. Prices and availability of AWS services vary per Region.
See and analyse service costs grouped by different parts of your architecture.
Export your estimate to a .csv file to quickly share and analyse your proposed architecture spend.
Question 372
Who is responsible for patching the guest operating system for Amazon RDS?
A) The customer Database Administrator
B) Managed partners
C) AWS
RDS is a managed database service; AWS will take care of security patches.
Managed services – a cloud feature that you can use without having to take care of the underlying hardware's administration. In managed services common activities are automated and implemented according to best practices, such as change requests, monitoring, patch management, security, and backup services. AWS Managed Services provide full-lifecycle services to provision, run, and support your infrastructure, and thus unburden you from infrastructure operations so you can direct resources toward differentiating your business.
Question 373
Which AWS services may be scaled using AWS Auto Scaling? (Choose two.)
A) Amazon EC2
B) Amazon DynamoDB
C) Amazon S3
D) Amazon Route 53
E) Amazon Redshift
Answer: A, B
Amazon EC2 for the compute layer and DynamoDB for the data layer. In this case, AWS Auto Scaling will scale one or more EC2 Auto Scaling groups and the DynamoDB tables that power the application in response to the demand curve. S3, Route 53 and Redshift are not targets of AWS Auto Scaling scaling plans.
AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. Using AWS Auto Scaling, it is easy to set up application scaling for multiple resources across multiple services in minutes. The service provides a simple, powerful user interface that lets you build scaling plans for resources including Amazon EC2 instances and Spot Fleets, Amazon ECS tasks, Amazon DynamoDB tables and indexes, and Amazon Aurora Replicas. AWS Auto Scaling makes scaling simple with recommendations that allow you to optimize performance, costs, or balance between them. If you are already using Amazon EC2 Auto Scaling to dynamically scale your Amazon EC2 instances, you can combine it with AWS Auto Scaling to scale additional resources for other AWS services. With AWS Auto Scaling, your applications always have the right resources at the right time.
Question 374
Which of the following are benefits of AWS Global Accelerator? (Choose two.)
A) Reduced cost to run services on AWS
B) Improved availability of applications deployed on AWS
C) Higher durability of data stored on AWS
D) Decreased latency to reach applications deployed on AWS
E) Higher security of data stored on AWS
Answer: B, D
If local and global traffic to your application's single Region is left on the public internet, it can be negatively impacted by internet congestion and local outages. AWS Global Accelerator is a networking service that sends your users' traffic through the Amazon Web Services global network infrastructure via 80+ global edge locations and then on to your application origins, improving performance for your internet users by up to 60%. When the internet is congested, Global Accelerator's automatic routing optimizations help keep your packet loss, jitter, and latency consistently low.
With Global Accelerator, you are provided two global static customer-facing IP addresses to simplify traffic management; because they never change, downstream customers can allow-list them in their own firewalls. On the back end, add or remove your AWS application origins, such as Network Load Balancers, Application Load Balancers, Elastic IPs, and EC2 instances, without making user-facing changes.
To mitigate endpoint failure, Global Accelerator continually monitors the health of your application endpoints and redirects traffic to healthy endpoints; failover between application origins happens automatically and in less than 30 seconds.
It can be used regardless of how many AWS Regions you are deployed in. It does not lower your AWS bill, change the durability of stored data, or encrypt data at rest, which is why A, C and E are wrong.
Question 375
A user who wants to get help with billing and reactivate a suspended account should submit an account and billing request to:
A) the AWS Support forum
B) AWS Abuse
C) an AWS Solutions Architect
D) AWS Support
Answer: D
Contacting AWS Support is the fastest and most direct method for communicating with an AWS associate about your questions. AWS Support does not publish a direct phone number for reaching a support representative; use the following process to have an associate reach out to you by email or phone instead.
Account and billing support is available from AWS Support to all AWS customers, including those who do not have a paid support plan.
To contact AWS Support:
-Sign in and navigate to the AWS Support Center. If prompted, enter the email address and password for your account.
-Choose Create case.
-On the Create case page, choose Account and billing support and fill in the required fields on the form.
-After you complete the form, under Contact options, choose either Web for an email response, or Phone to request a telephone call from an AWS Support representative. Instant messaging (chat) support is not available for billing inquiries.
For 90 days after you close your account, you can contact AWS Support to reopen your account using these steps:
-Sign in to your account.
-Check that a valid default payment method is associated with your account.
-Open a support case.
-In the Create case section, select Account and billing support, and fill out all the required details.
-If your need is urgent, choose the Phone contact method. An AWS Support agent contacts you by phone to help you reopen your account.
Question 376
Which AWS Cloud best practice uses the elasticity and agility of cloud computing?
A) Provision capacity based on past usage and theoretical peaks
B) Dynamically and predictively scale to meet usage demands
C) Build the application and infrastructure in a data center that grants physical access
D) Break apart the application into loosely coupled components
Answer: B
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible".
Some cloud solutions can also be adjusted automatically to meet these needs: you can set them up to scale up or down based on certain conditions, such as when your cloud solution is running out of processing power.
Agility is the practice of building in the ability to change quickly and inexpensively. The cloud not only makes these other practices practical but provides agility on its own. Infrastructure can be provisioned in minutes instead of months, and de-provisioned or changed just as quickly.
Option D (loosely coupled components) is also a good practice, but it is about decoupling, not about matching capacity to demand; A and D describe the fixed, pre-provisioned model the cloud replaces.
Question 377
Which method helps to optimize costs of users moving to the AWS Cloud?
A) Paying only for what is used
B) Purchasing hardware before it is needed
C) Manually provisioning cloud resources
D) Purchasing for the maximum possible load
Answer: A
AWS offers a pay-as-you-go approach to pricing for over 160 cloud services. With AWS you pay only for the individual services you need, for as long as you use them, and without requiring long-term contracts or complex licensing. AWS pricing is similar to how you pay for utilities like water and electricity: you only pay for the services you consume, and once you stop using them there are no additional costs or termination fees.
Question 378
Under the AWS shared responsibility model, which of the following is a customer responsibility?
A) Installing security patches for the Xen and KVM hypervisors
B) Installing operating system patches for Amazon DynamoDB
C) Installing operating system security patches for Amazon EC2 database instances
D) Installing operating system security patches for Amazon RDS database instances
Answer: C
Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. This differentiation of responsibility is commonly referred to as security of the cloud versus security in the cloud. Note that the customer:
-assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.
-should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
-is responsible for data configuration (i.e. encrypting data at rest and in transit).
Incorrect answers:
-The Xen and KVM hypervisors are AWS's responsibility.
-DynamoDB and RDS are both managed services, so AWS patches the operating system beneath them. Only on EC2 (option C), where the customer runs the database engine on a guest OS they control, is OS patching the customer's job.
Question 379
The AWS Cost Management tools give users the ability to do which of the following? (Choose two.)
A) Terminate all AWS resources automatically if budget thresholds are exceeded.
B) Break down AWS costs by day, service, and linked AWS account.
C) Create budgets and receive notifications if current or forecasted usage exceeds the budgets.
D) Switch automatically to Reserved Instances or Spot Instances, whichever is most cost-effective.
E) Move data stored in Amazon S3 to a more cost-effective storage class.
Answer: B, C
AWS has a set of solutions to help you with cost management and optimization. This includes services, tools, and resources to organize and track cost and usage data, enhance control through consolidated billing and access permissions, enable better planning through budgeting and forecasts, and further lower cost with resource and pricing optimizations.
The AWS Cost and Usage Report contains the most comprehensive set of cost and usage data available. You can receive reports that break down your costs by the hour or day, by product or product resource, or by tags that you define yourself; Cost Explorer presents the same data per service and per linked account (option B).
You can use AWS Budgets to track your AWS usage and costs. Budgets use the cost visualization provided by Cost Explorer to show you the status of your budgets. This provides forecasts of your estimated costs and tracks your AWS usage, including your free tier usage. You can also use Budgets to create Amazon Simple Notification Service (Amazon SNS) notifications that tell you when you go over your budgeted amounts, or when your estimated costs exceed your budgets (option C).
Options A and D describe automation that does not exist: Budgets actions can apply an IAM policy or SCP, or stop specific EC2 and RDS instances, when a threshold is crossed, but they never terminate all resources, and nothing switches workloads between Reserved and Spot pricing automatically. Moving S3 data between storage classes (E) is done by S3 Lifecycle rules or S3 Intelligent-Tiering, not by the cost management tools.
Question 380
Under the AWS shared responsibility model, the security and patching of the guest operating system is the responsibility of:
A) AWS Support
B) the customer
C) AWS Systems Manager
D) AWS Config
Answer: B
Under the shared responsibility model, AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities (security of the cloud). The customer assumes responsibility for the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall (security in the cloud).
AWS Systems Manager (option C) is a tool the customer can use to do that patching, for example with Patch Manager, and AWS Config (option D) can report whether instances are compliant, but using a tool does not transfer the responsibility: it remains with the customer. AWS Support (option A) does not patch customer instances.
Question 381
Which AWS service makes it easy to create and manage AWS users and groups, and provide them with secure access to AWS resources at no charge?
A) AWS Direct Connect
B) Amazon Connect
C) AWS Identity and Access Management (IAM)
D) AWS Firewall Manager
Answer: C
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM is a feature of your AWS account offered at no additional charge; you are charged only for use of other AWS services by your users.
AWS Direct Connect is a dedicated network link, Amazon Connect is a contact-centre service, and AWS Firewall Manager centrally manages firewall rules; none of them manages users. Note that current AWS guidance is to prefer IAM roles and federated identities (temporary credentials) over long-lived IAM user access keys wherever possible.
Question 382
Which AWS service can be used to turn text into life-like speech?
A) Amazon Polly
B) Amazon Transcribe
C) Amazon Rekognition
D) Amazon Lex
Answer: A
Amazon Polly - is a service that turns text into lifelike speech,
allowing you to create applications that talk, and build entirely new
categories of speech-enabled products. Polly's Text-to-Speech (TTS)
service uses advanced deep learning technologies to synthesize natural
sounding human speech. With dozens of lifelike voices across a broad set
of languages, you can build speech-enabled applications that work in
many different countries.
In addition to Standard TTS voices,
Amazon Polly offers Neural Text-to-Speech (NTTS) voices that deliver
advanced improvements in speech quality through a new machine learning
approach. Polly’s Neural TTS technology also supports two speaking
styles that allow you to better match the delivery style of the speaker
to the application: a Newscaster reading style that is tailored to news
narration use cases, and a Conversational speaking style that is ideal
for two-way communication like telephony applications. Finally, Amazon
Polly Brand Voice can create a custom voice for your organization. This
is a custom engagement where you will work with the Amazon Polly team to
build an NTTS voice for the exclusive use of your organization.
Question 383
What is one of the core principles to follow when designing a highly available application in the AWS Cloud?
A) Design using a serverless architecture
B) Assume that all components within an application can fail
C) Design AWS Auto Scaling into every application
D) Design all components using open-source code
Answer: B
Reliability Design Principles and Best Practices
…
Failure Management / automatically recover from failure: In any system of reasonable complexity, it is expected that failures will occur. Reliability requires that your workload be aware of failures as they occur and take action to avoid impact on availability. Workloads must be able to both withstand failures and automatically repair issues.
Question 384
A user needs to generate a report that outlines the status of key security checks in an AWS account. The report must include:
A) Amazon QuickSight dashboard
B) AWS CloudTrail trails
C) AWS Trusted Advisor report
D) IAM credential report
Answer: C
AWS Basic Support and AWS Developer Support customers get access to 6 Trusted Advisor security checks (S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots) and 50 service limit checks.
AWS Business Support and AWS Enterprise Support customers get access to all 115 Trusted Advisor checks (14 cost optimization, 17 security, 24 fault tolerance, 10 performance, and 50 service limits) and recommendations. For a complete list of checks and descriptions, explore Trusted Advisor Best Practices. (The counts grow as AWS adds checks; the tiering by support plan is what matters for the exam.)
An IAM credential report (option D) only covers IAM user credentials (password and access key age, MFA status), so it cannot report on S3 permissions or security groups; CloudTrail trails (B) record API calls rather than assess configuration, and QuickSight (A) is a BI tool.
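The "Security Groups - Specific Ports Unrestricted" check named above is easy to reproduce yourself, which helps when you are on Basic support and want the same signal across many accounts. The following Python is an added example, not code from this page or from AWS: it runs the check over constructed security-group records shaped like an EC2 DescribeSecurityGroups response, and the port list it flags is an assumed subset of what Trusted Advisor covers. It goes one step further than the named check by treating an all-traffic rule (IpProtocol "-1") as exposing every listed port.

```python
"""Trusted-Advisor-style check: sensitive ports open to the whole internet.

Added example, not from the page. SAMPLE_GROUPS is constructed to mimic
the shape of an EC2 DescribeSecurityGroups response, and SENSITIVE_PORTS
is an assumed subset of the ports the real Trusted Advisor check covers.
"""
from typing import Any, Dict, List, Set

# Assumed subset of the "specific ports" the Trusted Advisor check looks at.
SENSITIVE_PORTS = {
    20: "FTP-data", 21: "FTP", 22: "SSH", 23: "Telnet", 1433: "MSSQL",
    1434: "MSSQL-browser", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL",
    5500: "VNC-listener", 5900: "VNC", 27017: "MongoDB",
}
WORLD = {"0.0.0.0/0", "::/0"}


def _sources(rule: Dict[str, Any]) -> List[str]:
    """Collect the IPv4 and IPv6 CIDR sources of one inbound rule."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def _ports(rule: Dict[str, Any]) -> Set[int]:
    """Sensitive TCP ports a rule's port range covers.

    IpProtocol "-1" means all traffic (no FromPort/ToPort), which exposes
    every sensitive port; non-TCP rules are ignored because the listed
    services are TCP.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto != "tcp":
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def unrestricted_sensitive_ports(groups: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per (group, sensitive port, world source)."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            open_sources = [s for s in _sources(rule) if s in WORLD]
            if not open_sources:
                continue
            for port in sorted(_ports(rule)):
                for src in open_sources:
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "Port": port,
                        "Service": SENSITIVE_PORTS[port],
                        "Source": src,
                    })
    return findings


# Constructed sample: the first group exposes SSH (IPv4) and RDP (IPv6) to
# everyone; the second restricts SSH to a corporate range and only opens
# HTTPS to the world, which the check does not flag.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for f in unrestricted_sensitive_ports(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: {f['Service']} ({f['Port']}) open to {f['Source']}")
```

In practice you pass the `SecurityGroups` list returned by boto3's `describe_security_groups` in place of `SAMPLE_GROUPS`; the findings list is the result, so it can be written to Security Hub, a ticket queue, or simply diffed between runs.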
Question 385
Which Amazon EC2 pricing model should be used to comply with per-core software license requirements?
A) Dedicated Hosts
B) On-Demand Instances
C) Spot Instances
D) Reserved Instances
Answer: A
Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2, so that you get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS. An Amazon EC2 Dedicated Host is a physical server fully dedicated for your use, so it can help address corporate compliance requirements. Because you can see the physical cores and sockets of the host, per-core and per-socket licenses can be applied to it.
Notes:
-Dedicated Instances and Dedicated Hosts are separate offerings.
-Dedicated Instances are Amazon EC2 instances that run in a VPC on hardware that is dedicated to a single customer.
--Your Dedicated Instances are physically isolated at the host hardware level from instances that belong to other AWS accounts. No other AWS account will run an instance on the same host, but other instances (both dedicated and non-dedicated) from the same AWS account might run on the same host.
--A Dedicated Instance is one partition under the hypervisor on a host that is shared only with other instances from your own account; you do not see or control which host that is.
-A Dedicated Host is a complete physical machine that is dedicated to a single customer.
-Other important differences between a Dedicated Host and a Dedicated Instance are that a Dedicated Host gives you additional visibility and control over how instances are placed on a physical server: you have visibility over physical cores and socket usage, and you can consistently deploy your instances to the same physical server over time.
--As a result, Dedicated Hosts enable you to use your existing server-bound software licenses (from vendors such as Microsoft and Oracle) and address corporate compliance and regulatory requirements.
--Amazon EC2 Dedicated Hosts give you the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS.
--Amazon EC2 Dedicated Hosts are also integrated with AWS License Manager, which tracks license consumption against the host's cores and sockets.
-In some cases, due to licensing restrictions, some software is not allowed to run on a shared tenancy model. For instance, if you are trying to Bring Your Own License (BYOL) to AWS, some licenses are based on the socket model, where the number of the host's sockets is used for licensing. In other circumstances, regulatory compliance may dictate that you cannot use the shared model.
-Dedicated Hosts and Dedicated Instances can both be used to launch Amazon EC2 instances onto physical servers that are dedicated for your use. There are no performance, security, or physical differences between Dedicated Instances and instances on Dedicated Hosts.
Question 386
Which of the AWS global infrastructure is used to cache copies of content for faster delivery to users across the globe?
A) AWS Regions
B) Availability Zones
C) Edge locations
D) Data centers
Answer: C
When your web traffic is geo-dispersed, it is not always feasible, and certainly not cost effective, to replicate your entire infrastructure across the globe. A CDN gives you the ability to utilize its global network of edge locations to deliver a cached copy of web content such as videos, webpages and images to your customers. The CDN serves each request from the edge location nearest the customer, which reduces response time, and throughput is dramatically increased because the assets are delivered from cache. For dynamic data, many CDNs can be configured to retrieve data from the origin servers. On AWS the CDN is Amazon CloudFront, and the same edge locations are used by Amazon Route 53 and AWS Global Accelerator; they are distinct from Regions and Availability Zones, which host your resources.
Question 387
Using AWS Config to record, audit, and evaluate changes to AWS resources to enable traceability is an example of which AWS Well-Architected Framework pillar?
A) Security
B) Operational excellence
C) Performance efficiency
D) Cost optimization
Answer: A
From the Security pillar of the Well-Architected Framework, design principle "Enable traceability": monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action. AWS Config records the configuration history of each resource and evaluates it against rules, which is exactly this kind of audit trail.
Question 388
A user needs to quickly deploy a non-relational database on AWS. The user does not want to manage the underlying hardware or the database software. Which AWS service can be used to accomplish this?
A) Amazon RDS
B) Amazon DynamoDB
C) Amazon Aurora
D) Amazon Redshift
Answer: B
Amazon DynamoDB is a fast and flexible NoSQL database service for any scale: a key-value and document database that delivers single-digit millisecond performance at any scale. It is a fully managed, multi-Region, multi-active (formerly described as multi-master), durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.
Notes:
A NoSQL (originally referring to "non-SQL" or "non-relational") database provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases. RDS, Aurora and Redshift are all relational (SQL) services, so they do not fit the requirement.
Question 389
A Cloud Practitioner is developing a disaster recovery plan and intends to replicate data between multiple geographic areas. Which of the following meets these requirements?
A) AWS Accounts
B) AWS Regions
C) Availability Zones
D) Edge locations
Answer: B
Disaster Recovery (DR) using AWS Regions: most organizations implement High Availability (HA) rather than DR to guard against downtime of services.
With HA, we ensure there is a fallback mechanism for our services: the service runs on hosts in different Availability Zones but in the same geographical Region. This approach, however, does not guarantee that the business will stay up if the entire Region goes down.
DR takes things to a different level, where you need to be able to recover in a different Region that is geographically separate (typically hundreds of miles away). A common DR implementation is an active/passive model: a minimum of critical services is always running in the second Region, while the major part of the infrastructure is launched and restored there only when required. Replicating between multiple geographic areas therefore means replicating between Regions (B); Availability Zones (C) are within one Region, and edge locations (D) only cache content.
Question 390
Which features and benefits does the AWS Organizations service provide? (Choose two.)
A) Establishing real-time communications between members of an internal team
B) Facilitating the use of NoSQL databases
C) Providing automated security checks
D) Implementing consolidated billing
E) Enforcing the governance of AWS accounts
Answer: D, E
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization. It allows you to:
-programmatically create new AWS accounts and allocate resources;
-group accounts into organizational units to organize your workflows;
-apply policies (service control policies, SCPs) to accounts or organizational units for governance;
-define central configurations and audit requirements;
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business;
-control access, manage compliance, and coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible by specific users, groups and roles);
-share resources across your AWS accounts;
-combine usage from all accounts in the organization to qualify for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Automated security checks (C) come from Trusted Advisor, Security Hub or GuardDuty, not from Organizations itself.
Question 391
Which AWS service is used to automate configuration management using Chef and Puppet?
A) AWS Config
B) AWS OpsWorks
C) AWS CloudFormation
D) AWS Systems Manager
Answer: B
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet.
Chef and Puppet are automation platforms that allow you to use code to automate the configuration of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
You model your application as a stack consisting of various layers. These layers are like blueprints detailing how to set up and configure a set of EC2 instances and related resources. There are prebuilt layers for common components, and Chef recipes detail your layout and configuration. Stacks can be scaled automatically or manually; essentially, OpsWorks automates your infrastructure deployment.
OpsWorks comes at no additional cost; you pay only for the resources and services you use to run your applications.
OpsWorks has three offerings: AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.
AWS Config (A) records and evaluates configuration but does not apply it, CloudFormation (C) provisions resources from templates, and Systems Manager (D) has its own State Manager and Run Command rather than Chef or Puppet.
Question 392
Which tool is best suited for combining the billing of AWS accounts that were previously independent from one another?
A) Detailed billing report
B) Consolidated billing
C) AWS Cost and Usage report
D) Cost allocation report
Answer: B
Consolidated billing is a feature of AWS Organizations: once previously independent accounts join an organization, the management account pays for all member accounts on a single bill with a single payment method, and usage from all accounts is combined so that the organization qualifies for volume pricing discounts (charges may decrease compared with running the accounts standalone). The other options are reports: the Cost and Usage Report and the detailed billing report break a bill down, and the cost allocation report groups costs by tag, but none of them merges separate accounts' bills.
Question 393
The AWS Total Cost of Ownership (TCO) Calculator is used to:
A) receive reports that break down AWS Cloud compute costs by duration, resource, or tags
B) estimate savings when comparing the AWS Cloud to an on-premises environment
C) estimate a monthly bill for the AWS Cloud resources that will be used
D) enable billing alerts to monitor actual AWS costs compared to estimated costs
Answer: B
The Total Cost of Ownership (TCO) Calculator compares on-premises IT infrastructure expense with the equivalent expense that would exist in the AWS Cloud. It then tells the customer what their cost savings would be if they decided to move their existing IT infrastructure to AWS. Estimating the monthly bill for a planned deployment (C) is the job of the AWS Pricing Calculator, and billing alerts (D) come from CloudWatch billing alarms and AWS Budgets.
Question 394
Under the AWS shared responsibility model, which of the following are customer responsibilities? (Choose two.)
A) Setting up server-side encryption on an Amazon S3 bucket
B) Amazon RDS instance patching
C) Network and firewall configurations
D) Physical security of data center facilities
E) Compute capacity availability
Answer: A, C
-A- and -C-
Security and compliance is a shared responsibility between AWS and the customer. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates (so D, physical security, is AWS's). This differentiation of responsibility is commonly referred to as security of the cloud versus security in the cloud. The customer:
-assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall (C, network and firewall configuration);
-should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations;
-is responsible for data configuration, i.e. encrypting data at rest and in transit (A, server-side encryption on an S3 bucket).
RDS instance patching (B) is done by AWS for a managed database.
When you use server-side encryption, Amazon S3 encrypts an object before saving it to disk and decrypts it when you download the object. To set up default encryption on a bucket, you can use the Amazon S3 console, AWS CLI, AWS SDKs, or the REST API.
With Amazon S3 default encryption, you set the default encryption behavior for an S3 bucket so that all new objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or KMS keys (formerly called customer master keys, CMKs) stored in AWS Key Management Service (SSE-KMS). Since January 2023 S3 applies SSE-S3 to every new object even when no default-encryption rule is configured, so the setting matters mainly when you want SSE-KMS with a key you control and audit.
When you configure your bucket to use default encryption with SSE-KMS, you can also enable S3 Bucket Keys to decrease request traffic from Amazon S3 to AWS KMS and reduce the cost of encryption.
-NOTES-
For E, 'Compute capacity availability', it is not stated if this is for the customer's compute capacity or for AWS's available compute capacity. If it is for the customer's compute capacity this may have been a viable answer, as the customer is in charge of provisioning the correct kind of compute instances and services to ensure their applications work reliably. However, because it doesn't explicitly state exactly what it refers to, I have avoided this answer.
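The customer-side control in option A, together with the Config-style traceability from question 387, can be turned into a small audit: read each bucket's default-encryption configuration and classify it. The following Python is an added example, not code from this page or from AWS. It works on dictionaries shaped like the response of S3 GetBucketEncryption, uses constructed sample responses rather than live calls, and the required KMS key ARN is an assumed placeholder; it also returns the configuration body you would hand to PutBucketEncryption to fix a non-compliant bucket.

```python
"""Audit S3 bucket default encryption for SSE-KMS with a pinned key.

Added example, not from the page. SAMPLE_RESPONSES are constructed to
mimic GetBucketEncryption responses; REQUIRED_KMS_KEY is an assumed
placeholder ARN, not a real key.
"""
from typing import Any, Dict, List, Optional

# Assumed placeholder; a real policy pins the customer's own KMS key ARN.
REQUIRED_KMS_KEY = (
    "arn:aws:kms:us-east-1:111122223333:key/"
    "00000000-0000-0000-0000-000000000000"
)


def default_encryption_rule(response: Optional[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Return the first default-encryption rule, or None if there is none.

    A bucket without a configuration makes GetBucketEncryption raise
    ServerSideEncryptionConfigurationNotFoundError; the caller maps that
    exception to None before calling this function.
    """
    if not response:
        return None
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return rules[0] if rules else None


def evaluate_bucket(name: str, response: Optional[Dict[str, Any]]) -> Dict[str, str]:
    """Classify one bucket as COMPLIANT or NON_COMPLIANT with a reason."""
    rule = default_encryption_rule(response)
    if rule is None:
        # S3 has applied SSE-S3 to new objects by default since 2023, but
        # that is not the customer-controlled SSE-KMS this policy demands.
        return {"Bucket": name, "Status": "NON_COMPLIANT",
                "Reason": "no default encryption rule"}
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo != "aws:kms":
        return {"Bucket": name, "Status": "NON_COMPLIANT",
                "Reason": f"algorithm is {algo}, expected aws:kms"}
    key = default.get("KMSMasterKeyID")
    if key != REQUIRED_KMS_KEY:
        return {"Bucket": name, "Status": "NON_COMPLIANT",
                "Reason": f"unexpected KMS key {key}"}
    if not rule.get("BucketKeyEnabled", False):
        # Not a confidentiality gap, but every PUT/GET then calls KMS,
        # which raises cost and can hit the KMS request quota.
        return {"Bucket": name, "Status": "COMPLIANT",
                "Reason": "SSE-KMS set; consider enabling S3 Bucket Keys"}
    return {"Bucket": name, "Status": "COMPLIANT",
            "Reason": "SSE-KMS with Bucket Key"}


def desired_configuration(kms_key_arn: str = REQUIRED_KMS_KEY) -> Dict[str, Any]:
    """Build the PutBucketEncryption body that makes a bucket compliant."""
    return {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": True,
        }]
    }


def audit(responses: Dict[str, Optional[Dict[str, Any]]]) -> List[Dict[str, str]]:
    """Evaluate every bucket and return the findings in input order."""
    return [evaluate_bucket(name, resp) for name, resp in responses.items()]


# Constructed sample responses, one per bucket (None = "not found" error).
SAMPLE_RESPONSES: Dict[str, Optional[Dict[str, Any]]] = {
    "logs-bucket": None,
    "sse-s3-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "kms-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": REQUIRED_KMS_KEY},
         "BucketKeyEnabled": True}]}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(f"{finding['Bucket']}: {finding['Status']} ({finding['Reason']})")
```

With boto3, the `desired_configuration()` dictionary is what you pass as the `ServerSideEncryptionConfiguration` argument of `put_bucket_encryption`, and a bucket with no rule surfaces as a `ServerSideEncryptionConfigurationNotFoundError` from `get_bucket_encryption`, which you map to `None` before calling `evaluate_bucket`. The same `evaluate_bucket` logic can be the body of an AWS Config custom rule, with the returned status written back through PutEvaluations.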
Question 395
What is the MINIMUM AWS Support plan level that will provide users with access to the AWS Support API?
A) Developer
B) Enterprise
C) Business
D) Basic
Answer: C
The AWS Support API is only available with the Business and Enterprise support plans; Basic and Developer customers must use the Support Center console. Business is therefore the minimum.
-MORE INFO-
https://aws.amazon.com/premiumsupport/plans/
Question 396
A company has deployed several relational databases on Amazon EC2 instances. Every month, the database software vendor releases new security patches that need to be applied to the databases. What is the MOST efficient way to apply the security patches?
A) Connect to each database instance on a monthly basis, and download and apply the necessary security patches from the vendor.
B) Enable automatic patching for the instances using the Amazon RDS console.
C) In AWS Config, configure a rule for the instances and the required patch level.
D) Use AWS Systems Manager to automate database patching according to a schedule.
Answer: D
Because the customer has deployed the DB software on EC2 the
customer is solely responsible for keeping it updated. If the databases
were deployed on RDS the software would be managed by AWS but this is
not the case in this scenario. So we are looking for an efficient way to
patch the software installed on EC2. System Manager provides the
facility we need.
AWS Systems Manager Maintenance Windows let
you define a schedule for when to perform potentially disruptive actions
on your instances such as patching an operating system, updating
drivers, or installing software or patches.
Use Maintenance
Windows to set up recurring schedules for managed instances to run
administrative tasks like installing patches and updates without
interrupting business-critical operations."
Question 397
A company wants to use Amazon Elastic Compute Cloud (Amazon EC2) to deploy a global commercial application. The deployment solution should be built with the highest redundancy and fault tolerance. Based on this situation, the Amazon EC2 instances should be deployed:
A) in a single Availability Zone in one AWS Region
B) with multiple Elastic Network Interfaces belonging to different subnets
C) across multiple Availability Zones in one AWS Region
D) across multiple Availability Zones in two AWS Regions
Disaster Recovery (DR) using AWS Regions: most organizations try to implement High Availability (HA) instead of Disaster Recovery to guard against any downtime of services.
In the case of High Availability, we ensure there is a fallback mechanism for our services. A service that runs in High Availability is handled by hosts running in different Availability Zones but in the same geographical Region. This approach, however, does not guarantee that our business will be up and running if the entire Region goes down.
Disaster Recovery takes things to a completely new level, wherein you need to be able to recover from a different Region that is separated by over 250 miles. Our Disaster Recovery implementation is an Active/Passive model, meaning that we always have a minimum of critical services running in different Regions, but the major part of the infrastructure is launched and restored when required.
Therefore multiple Regions are required for the highest redundancy and fault tolerance, whilst multiple Availability Zones safeguard high availability. Overall, the more redundant systems we have the better; however, it is also important where these systems are located.
Question 398
A company has an application with users in both Australia and Brazil. All the company infrastructure is currently provisioned in the Asia Pacific (Sydney) Region in Australia, and Brazilian users are experiencing high latency. What should the company do to reduce latency?
A) Implement AWS Direct Connect for users in Brazil
B) Provision resources in the South America (Sao Paulo) Region in Brazil
C) Use AWS Transit Gateway to quickly route users from Brazil to the application
D) Launch additional Amazon EC2 instances in Sydney to handle the demand
With B, you provision resources in Brazil and alleviate the high latency; this makes the deployment a multi-region architecture.
(https://read.acloud.guru/why-and-how-do-we-build-a-multi-region-active-active-architecture-6d81acb7d208):
"Why bother with multi-region architectures?
Good question and glad you asked! There are basically three reasons why you would want to have a multi-region architecture.
1-Improve latency for end-users,
2-Disaster recovery,
3-Business requirements
1. Improve latency for end-users
The idea is very simple and is related to the speed of light, which no one has yet managed to crack. The closer your backend origin is to end-users, the better the experience. Content Delivery Networks (CDN) like Amazon CloudFront have successfully been used to speed up the delivery of content, especially static content (e.g., images, videos, JavaScript libraries, etc.) to end-users across the globe. Using a globally-distributed network of caching servers, static content is served as if it was local to consumers, thus improving the delivery of that static content. However, even if CloudFront solves the problem for much of your content, some more dynamic calls still need to be done on the backend, and it could be far away, adding precious milliseconds to the request."
-INCORRECT ANSWERS-
-AWS Transit Gateway and Direct Connect are about connecting the company's own network to its VPCs; they do nothing for its end users in Brazil, so A and C are wrong.
-D is wrong because it is the Brazilian users who are experiencing latency; adding more resources in Sydney will not reduce the latency in Brazil.
Question 399
An Amazon EC2 instance runs only when needed yet must remain active for the duration of the process. What is the most appropriate purchasing option?
A) Dedicated Instances
B) Spot Instances
C) On-Demand Instances
D) Reserved Instances
AWS recommends that you use On-Demand Instances for applications with short-term, irregular workloads that cannot be interrupted.
-INCORRECT ANSWERS-
A - Dedicated Instances would also work for workloads that must remain active for the duration of the process; however, there is a premium added to their cost, because Dedicated Instances are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that is dedicated to a single customer.
B - Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS Cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. However, the caveat is that AWS can reclaim your Spot Instances with two minutes of notice if it requires the capacity. For this reason they are not suitable for this situation.
D - Reserved Instances charge for the whole contract term, e.g. 1 year or 3 years, and if the EC2 instance is only going to be run briefly when needed this may result in long periods of time when the instances are being paid for but not used. This would be bad value for money.
Question 400
Which AWS dashboard displays relevant and timely information to help users manage events in progress, and provides proactive notifications to help plan for scheduled activities?
A) AWS Service Health Dashboard
B) AWS Personal Health Dashboard
C) AWS Trusted Advisor dashboard
D) Amazon CloudWatch dashboard
AWS Personal Health Dashboard - a personalized view of the health of AWS services, and alerts when your resources are impacted. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. The dashboard displays relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility and guidance to help quickly diagnose and resolve issues.
The Service Health Dashboard, by contrast, displays only the general status of AWS services.
Question 401
Which AWS hybrid storage service enables a user's on-premises applications to seamlessly use AWS Cloud storage?
A) AWS Backup
B) Amazon Connect
C) AWS Direct Connect
D) AWS Storage Gateway
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage.
-Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases. These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low-latency access to data in AWS for on-premises applications, as well as migration, backup, archiving, processing, moving data to S3 for in-cloud workloads, tiered storage, and disaster recovery use cases.
-It seamlessly integrates on-premises enterprise applications and workflows with Amazon's block and object cloud storage services through industry-standard file-storage protocols.
-It provides low-latency performance by caching frequently accessed data on premises, while storing data securely and durably in Amazon cloud storage services. It provides an optimized data transfer mechanism and bandwidth management, which tolerates unreliable networks and minimizes the amount of data being transferred.
-It brings the security, manageability, durability, and scalability of AWS to existing enterprise environments through native integration with AWS encryption, identity management, monitoring, and storage services.
Question 402
Which of the following acts as a virtual firewall at the Amazon EC2 instance level to control traffic for one or more instances?
A) Access keys
B) Virtual private gateways
C) Security groups
D) Access Control Lists (ACL)
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.
Question 403
What is the most efficient way to establish network connectivity from on-premises to multiple VPCs in different AWS Regions?
A) Use AWS Direct Connect
B) Use AWS VPN
C) Use AWS Client VPN
D) Use an AWS Transit Gateway
Transit Gateway provides transitive peering between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology.
Transit Gateway abstracts away the complexity of maintaining VPN connections with hundreds of VPCs.
AWS Transit Gateway now supports the ability to establish peering connections between Transit Gateways in different AWS Regions. Transit Gateway is a service that enables customers to connect thousands of Amazon Virtual Private Clouds (Amazon VPCs) and their on-premises networks using a single gateway. With AWS Transit Gateway, customers only have to create and manage a single connection from a central regional gateway to each Amazon VPC, on-premises data center, or remote office across their networks.
The ability to peer Transit Gateways between different AWS Regions enables customers to extend this connectivity and build global networks spanning multiple AWS Regions. Traffic using inter-region Transit Gateway peering always stays on the AWS global network and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks. Inter-region Transit Gateway peering encrypts inter-region traffic with no single point of failure.
(https://aws.amazon.com/about-aws/whats-new/2019/12/aws-transit-gateway-supports-inter-region-peering/)
Question 404
Which AWS Support plan provides access to architectural and operational reviews, as well as 24/7 access to Senior Cloud Support Engineers through email, online chat, and phone?
A) Basic
B) Business
C) Developer
D) Enterprise
Only with Business and Enterprise support do you get 24x7 phone, email, and chat access to Cloud Support Engineers.
Architectural and operational reviews are only included with an Enterprise support plan:
-AWS Infrastructure Event Management (IEM) offers architecture and scaling guidance and operational support during the preparation and execution of planned events, such as shopping holidays, product launches, and migrations. For these events, AWS Infrastructure Event Management will help you assess operational readiness, identify and mitigate risks, and execute your event confidently with AWS experts by your side. The program is included in the Enterprise Support plan and is available to Business Support customers for an additional fee.
Question 405
Which AWS service or feature helps restrict the AWS services, resources, and individual API actions the users and roles in each member account can access?
A) Amazon Cognito
B) AWS Organizations
C) AWS Shield
D) AWS Firewall Manager
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
It allows you to:
-programmatically create new AWS accounts and allocate resources
-group accounts to organize your workflows
-apply policies to accounts or groups for governance
-define central configurations and audit requirements
-simplify billing by centralising it and using a single payment method for all of your accounts. These account management and consolidated billing capabilities enable you to better meet the budgetary, security, and compliance needs of your business.
-control access, manage compliance, and coordinate security mechanisms (including restricting the AWS services, resources, and individual API actions accessible to specific users, groups and roles)
-share resources across your AWS accounts
-combine usage from all accounts in the organization to qualify for volume pricing discounts. If you have multiple standalone accounts, your charges might decrease if you add the accounts to an organization.
Question 406
Which Amazon S3 storage class is optimized to provide access to data with lower resiliency requirements, but rapid access when needed, such as duplicate backups?
A) Amazon S3 Standard
B) Amazon S3 Glacier Deep Archive
C) Amazon S3 One Zone-Infrequent Access
D) Amazon S3 Glacier
S3 One Zone-IA (Infrequent Access) is for data that is accessed less frequently but requires rapid access when needed. Unlike other S3 storage classes, which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ and costs 20% less than S3 Standard-IA. S3 One Zone-IA is ideal for customers who want a lower-cost option for infrequently accessed data but do not require the availability and resilience of S3 Standard or S3 Standard-IA. It is a good choice for storing secondary backup copies of on-premises data or easily re-creatable data. You can also use it as cost-effective storage for data that is replicated from another AWS Region using S3 Cross-Region Replication.
S3 One Zone-IA offers the same high durability, high throughput, and low latency as S3 Standard, with a low per-GB storage price and per-GB retrieval fee. S3 storage classes can be configured at the object level, and a single bucket can contain objects stored across S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA. You can also use S3 Lifecycle policies to automatically transition objects between storage classes without any application changes.
Question 407
What is an Availability Zone in AWS?
A) One or more physical data centers
B) A completely isolated geographic location
C) One or more edge locations based around the world
D) A data center location with a single source of power and networking
An Availability Zone (AZ) consists of one or more discrete data centres (buildings filled with servers), each with redundant power, networking, and connectivity, housed in separate facilities. If there is more than one data centre, they are counted as one AZ because they are located close together. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.
Question 408
Which AWS services can be used as infrastructure automation tools? (Choose two.)
A) AWS CloudFormation
B) Amazon CloudFront
C) AWS Batch
D) AWS OpsWorks
E) Amazon QuickSight
-A-
CloudFormation - speed up cloud provisioning with infrastructure as code. It gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code (IaC). A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions. The CloudFormation template acts as a single source of truth for an AWS cloud environment.
-D-
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet.
Chef and Puppet are automation platforms that allow you to use code to automate the configuration of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
You model your application as a stack consisting of various layers. These layers are like blueprints detailing how to set up and configure a set of EC2 instances and related resources. There are prebuilt layers for common components. Chef recipes detail your layout and configuration. Stacks can be scaled automatically or manually. Essentially, OpsWorks automates your infrastructure deployment.
-INCORRECT ANSWERS-
-C - AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU- or memory-optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. With AWS Batch, there is no need to install and manage batch computing software or server clusters that you use to run your jobs, allowing you to focus on analyzing results and solving problems. AWS Batch plans, schedules, and executes your batch computing workloads across the full range of AWS compute services and features, such as AWS Fargate, Amazon EC2 and Spot Instances. There is no additional charge for AWS Batch. You only pay for the AWS resources (e.g. EC2 instances or Fargate jobs) you create to store and run your batch jobs.
Question 409
Which AWS service enables users to create copies of resources across AWS Regions?
A) Amazon ElastiCache
B) AWS CloudFormation
C) AWS CloudTrail
D) AWS Systems Manager
AWS CloudFormation helps AWS customers implement an Infrastructure as Code model. Instead of setting up their environments and applications by hand, they build a template and use it to create all of the necessary resources, collectively known as a CloudFormation stack. Because the template, rather than a hand-built environment, is the source of the infrastructure, this infrastructure-as-code model is easily exported to other Regions. The benefits are the removal of opportunities for manual error, increased efficiency, and the certainty of consistent configurations across deployments and over time.
Question 410
A user would like to encrypt data that is received, stored, and managed by AWS CloudTrail. Which AWS service will provide this capability?
A) AWS Secrets Manager
B) AWS Systems Manager
C) AWS Key Management Service (AWS KMS)
D) AWS Certificate Manager
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.
AWS Key Management Service (KMS) - easily create and control the customer master keys (CMKs), the encryption keys used to encrypt or digitally sign your data. It makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Question 411
Which AWS Cloud benefit eliminates the need for users to try estimating future infrastructure usage?
A) Easy and fast deployment of applications in multiple Regions around the world
B) Security of the AWS Cloud
C) Elasticity of the AWS Cloud
D) Lower variable costs due to massive economies of scale
In cloud computing, elasticity is defined as "the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible".
Some cloud solutions can also be automatically adjusted to meet these needs. This means you can set them up to scale up or down automatically based on certain conditions, like when your cloud solution is running out of processing power.
Question 412
What credential components are required to gain programmatic access to an AWS account? (Choose two.)
A) An access key ID
B) A primary key
C) A secret access key
D) A user ID
E) A secondary key
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI (Command Line Interface), SDK (Software Development Kit), and other development tools.
IAM policies don't have access keys. The only way you will ever get an access key is to create one for an IAM user.
Access keys consist of an access key ID and a secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. The only time that you can view or download the secret access key is when you create the keys. You cannot recover it later. However, you can create new access keys at any time.
The AWS CLI requires four pieces of information to be configured:
-Access key ID
-Secret access key
-AWS Region
-Output format
Question 413
Which of the following are AWS compute services? (Select two.)
A) Amazon Lightsail
B) AWS Systems Manager
C) AWS CloudFormation
D) AWS Batch
E) Amazon Inspector
A list of compute services:
-Amazon EC2
-Amazon EC2 Auto Scaling
-Amazon Elastic Container Registry
-Amazon Elastic Container Service
-Amazon Elastic Kubernetes Service
-Amazon Lightsail
-AWS Batch
-AWS Elastic Beanstalk
-AWS Fargate
-AWS Lambda
-AWS Serverless Application Repository
-AWS Outposts
-VMware Cloud on AWS
-A-
Amazon Lightsail is the easiest way to get started with AWS for developers, small businesses, students, and other users who need a solution to build and host their applications in the cloud. Lightsail provides developers with compute, storage, and networking capacity and capabilities to deploy and manage websites and web applications in the cloud. Lightsail includes everything you need to launch your project quickly (virtual machines, containers, databases, CDN, load balancers, DNS management, etc.) for a low, predictable monthly price.
-D-
AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU- or memory-optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. With AWS Batch, there is no need to install and manage batch computing software or server clusters that you use to run your jobs, allowing you to focus on analyzing results and solving problems. AWS Batch plans, schedules, and executes your batch computing workloads across the full range of AWS compute services and features, such as AWS Fargate, Amazon EC2 and Spot Instances.
There is no additional charge for AWS Batch. You only pay for the AWS resources (e.g. EC2 instances or Fargate jobs) you create to store and run your batch jobs.
Question 414
Which AWS service provides the ability to detect inadvertent data leaks of personally identifiable information (PII) and user credential data?
A) Amazon GuardDuty
B) Amazon Inspector
C) Amazon Macie
D) AWS Shield
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover, classify and protect your sensitive data in AWS.
-Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property. It provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.
-As organizations manage growing volumes of data, identifying and protecting their sensitive data at scale can become increasingly complex, expensive, and time-consuming. Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data.
-Macie automatically provides an inventory of Amazon S3 buckets, including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data.
-Macie's alerts, or findings, can be searched and filtered in the AWS Management Console and sent to Amazon EventBridge for easy integration with existing workflow or event management systems, or used in combination with AWS services such as AWS Step Functions to take automated remediation actions.
-All this can help you meet regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
Question 415
Which tool can be used to monitor AWS service limits?
A) AWS Total Cost of Ownership (TCO) Calculator
B) AWS Trusted Advisor
C) AWS Personal Health Dashboard
D) AWS Cost and Usage report
Trusted Advisor analyses your AWS account and provides recommendations in five categories:
1) Cost Optimization
2) Performance
3) Security
4) Fault Tolerance
5) Service Limits
(Service limits are now called service quotas.)
AWS Trusted Advisor can improve the performance of your service by checking your service limits, ensuring you take advantage of provisioned throughput, and monitoring for overutilized instances.
AWS maintains service quotas (formerly called service limits) for each account to help guarantee the availability of AWS resources and prevent accidental provisioning of more resources than needed.
Some service quotas are raised automatically over time as you use AWS. However, most AWS services require that you request quota increases manually. You can use the AWS Service Quotas console to view and request increases for most AWS quotas.
Question 416
Which of the following describes a security best practice that can be implemented using AWS IAM?
A) Disable AWS Management Console access for all users
B) Generate secret keys for every IAM user
C) Grant permissions to users who are required to perform a given task only
D) Store AWS credentials within Amazon EC2 instances
To help secure your AWS resources, follow these recommendations for the AWS Identity and Access Management (IAM) service:
-Lock away your AWS account root user access keys
-Create individual IAM users
-Use groups to assign permissions to IAM users
-Grant least privilege
-Get started using permissions with AWS managed policies
-Use customer managed policies instead of inline policies
-Use access levels to review IAM permissions
-Configure a strong password policy for your users
-Enable MFA (these are typically virtual rather than physical MFA tokens)
-Use roles for applications that run on Amazon EC2 instances
-Use roles to delegate permissions
-Do not share access keys
-Rotate credentials regularly
-Remove unnecessary credentials
-Use policy conditions for extra security
-Monitor activity in your AWS account
The Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. If a subject does not need an access right, the subject should not have that access right.
Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.
Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.
This principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur.
Question 417
What can be used to automate and manage secure, well-architected, multi-account AWS environments?
A) AWS shared responsibility model
B) AWS Control Tower
C) AWS Security Hub
D) AWS Well-Architected Tool
Control Tower automates the process of setting up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use.
If you're an enterprise with multiple AWS accounts and teams, cloud setup and governance can be complex and time consuming, slowing down the very innovation you're trying to speed up. AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS' experience working with thousands of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your company-wide policies.
Question 418
Which AWS service or feature allows a user to easily scale connectivity among thousands of VPCs?
A) VPC peering
B) AWS Transit Gateway
C) AWS Direct Connect
D) AWS Global Accelerator
Transit Gateway provides transitive peering between thousands of VPCs and on-premises networks in a hub-and-spoke (star) topology. Transit Gateway abstracts away the complexity of maintaining VPN connections with thousands of VPCs.
INCORRECT ANSWERS:
- A: VPC peering has a maximum limit of 125 peering connections per VPC.
Question 419
A company needs protection from expanded distributed denial of service (DDoS) attacks on its website and assistance from AWS experts during such events. Which AWS managed service will meet these requirements?
A) AWS Shield Advanced
B) AWS Firewall Manager
C) AWS WAF
D) Amazon GuardDuty
AWS Shield Advanced: For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS WAF is included with AWS Shield Advanced at no additional cost. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
Question 420
Under the AWS shared responsibility model, what are the customer's responsibilities? (Choose two.)
A) Physical and environmental security
B) Physical network devices including firewalls
C) Storage device decommissioning
D) Security of data in transit
E) Data integrity authentication
For certain compliance requirements, you might require an additional layer of protection between the services from AWS and your operating systems and platforms, where your applications and data reside. You can impose additional controls, such as protection of data at rest, and protection of data in transit, or introduce a layer of opacity between services from AWS and your platform. The opacity layer can include data encryption, data integrity authentication, software- and data-signing, secure time-stamping, and more.
(https://d1.awsstatic.com/whitepapers/aws-security-best-practices.pdf)
Question 421
A cloud practitioner has a data analysis workload that is infrequently executed and can be interrupted without harm. To optimize for cost, which Amazon EC2 purchasing option should be used?
A) On-Demand Instances
B) Reserved Instances
C) Spot Instances
D) Dedicated Hosts
Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. You can use Spot Instances for various stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, CI/CD, web servers, high-performance computing (HPC), and test & development workloads. Because Spot Instances are tightly integrated with AWS services such as Auto Scaling, EMR, ECS, CloudFormation, Data Pipeline and AWS Batch, you can choose how to launch and maintain your applications running on Spot Instances.
When you use Spot Instances, you must be prepared for interruptions. Amazon EC2 can interrupt your Spot Instance when the demand for Spot Instances rises, when the supply of Spot Instances decreases, or when the Spot price exceeds your maximum price. When Amazon EC2 interrupts a Spot Instance, it provides a Spot Instance interruption notice, which gives the instance a two-minute warning before Amazon EC2 interrupts it. You can't enable termination protection for Spot Instances.
Moreover, you can easily combine Spot Instances with On-Demand, RIs and Savings Plans Instances to further optimize workload cost with performance. Due to the operating scale of AWS, Spot Instances can offer the scale and cost savings to run hyper-scale workloads. You also have the option to hibernate, stop or terminate your Spot Instances when EC2 reclaims the capacity back with two minutes of notice. Only on AWS, you have easy access to unused compute capacity at such massive scale, all at up to a 90% discount.
The Spot prices are determined by 'supply and demand' for Amazon EC2 spare capacity. The price per second for a running On-Demand Instance is fixed.
INCORRECT ANSWERS:
- 'Infrequently executed' means that Reserved Instances are not a viable answer.
Question 422
Which AWS container service will help a user install, operate, and scale the cluster management infrastructure?
A) Amazon Elastic Container Registry (Amazon ECR)
B) AWS Elastic Beanstalk
C) Amazon Elastic Container Service (Amazon ECS)
D) Amazon Elastic Block Store (Amazon EBS)
Amazon Elastic Container Service (Amazon ECS) allows you to easily run, scale, and secure Docker container applications on AWS. Applications packaged as containers locally will deploy and run in the same way as containers managed by Amazon ECS. Amazon ECS eliminates the need to install, operate, and scale your own container orchestration and cluster management infrastructure, and allows you to focus on the resource needs and availability requirements of your containerized application.
Question 423
Which of the following allows an application running on an Amazon EC2 instance to securely write data to an Amazon S3 bucket without using long term credentials?
A) Amazon Cognito
B) AWS Shield
C) AWS IAM role
D) AWS IAM user access key
You can and should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources. When you launch an EC2 instance, you specify an IAM role to associate with the instance. Applications that run on the instance can then use the role-supplied temporary credentials to sign API requests.
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)
Question 424
A company with a Developer-level AWS Support plan provisioned an Amazon RDS database and cannot connect to it. Who should the developer contact for this level of support?
A) AWS Support using a support case
B) AWS Professional Services
C) AWS technical account manager
D) AWS consulting partners
For technical support, all AWS customers have access to AWS documentation, the AWS Knowledge Center, AWS whitepapers, and support forums.
You can also subscribe to a Developer, Business or Enterprise Support plan to receive one-on-one fast-response support from experienced technical support engineers. With these Support plans, you get pay-by-the-month pricing and unlimited support cases. If you have operational issues or technical questions, you can contact a team of support engineers and receive predictable response times and personalized support.
If you have signed up for a Developer, Business, or Enterprise Support plan, you can open a technical support case by doing the following:
- Open the AWS Support Center
- Choose Create case.
- On the Create case page, select Technical support.
- Enter the required information.
- Choose Submit.
- To learn more about the types of technical issues that are supported by AWS, see Scope of AWS Support.
To get personalized technical support, you must sign up for a Developer, Business, or Enterprise Support plan. All AWS customers receive support for account and billing questions and service quota increases.
If you have a Basic Support plan and require one-on-one technical support, you can upgrade your Support plan.
Question 425
What is the purpose of having an internet gateway within a VPC?
A) To create a VPN connection to the VPC
B) To allow communication between the VPC and the Internet
C) To impose bandwidth constraints on internet traffic
D) To load balance traffic from the Internet across Amazon EC2 instances
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
Question 426
A company must ensure that its endpoint for a database instance remains the same after a single Availability Zone service interruption. The application needs to resume database operations without the need for manual administrative intervention. How can these requirements be met?
A) Use multiple Amazon Route 53 routes to the standby database instance endpoint hosted on AWS Storage Gateway.
B) Configure Amazon RDS Multi-Availability Zone deployments with automatic failover to the standby.
C) Add multiple Application Load Balancers and deploy the database instance with AWS Elastic Beanstalk.
D) Deploy a single Network Load Balancer to distribute incoming traffic across multiple Amazon CloudFront origins.
Amazon RDS Multi-AZ deployments provide enhanced availability and durability for RDS database (DB) instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention.
(https://aws.amazon.com/rds/features/multi-az/)
Question 427
Which AWS managed service can be used to distribute traffic between one or more Amazon EC2 instances?
A) NAT gateway
B) Elastic Load Balancing
C) Amazon Athena
D) AWS PrivateLink
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers four types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant. Elastic Load Balancing scales with web traffic.
Question 428
AWS Trusted Advisor provides recommendations on which of the following? (Choose two.)
A) Cost optimization
B) Auditing
C) Serverless architecture
D) Performance
E) Scalability
AWS Trusted Advisor analyzes your AWS environment and provides best practice recommendations in five categories:
- Performance: AWS Trusted Advisor can improve the performance of your service by checking your service limits, ensuring you take advantage of provisioned throughput, and monitoring for overutilized instances.
- Service Quotas: AWS maintains service quotas (formerly called service limits) for each account to help guarantee the availability of AWS resources and prevent accidental provisioning of more resources than needed.
- Cost optimization/Reduction: AWS Trusted Advisor can save you money on AWS by eliminating unused and idle resources or by making commitments to reserved capacity.
- Security: AWS Trusted Advisor can improve the security of your application by closing gaps, enabling various AWS security features, and examining your permissions.
- Fault Tolerance: AWS Trusted Advisor can increase the availability and redundancy of your AWS application by taking advantage of auto scaling, health checks, multi AZ, and backup capabilities.
Question 429
Which of the following tasks can only be performed after signing in with AWS account root user credentials? (Choose two.)
A) Closing an AWS account
B) Creating a new IAM policy
C) Changing AWS Support plans
D) Attaching a role to an Amazon EC2 instance
E) Generating access keys for IAM users
Tasks that require root user credentials. We recommend that you use an IAM user with appropriate permissions to perform tasks and access AWS resources. However, you can perform the tasks listed below only when you sign in as the root user of an account:
- Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and Regions, do not require root user credentials.
- Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
- Activate IAM access to the Billing and Cost Management console.
- View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc or Amazon Internet Services Pvt. Ltd (AISPL).
- Close your AWS account.
- Change your AWS Support plan or Cancel your AWS Support plan.
- Register as a seller in the Reserved Instance Marketplace.
- Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete.
- Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID.
- Sign up for GovCloud.
(https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root)
Question 430
Fault tolerance refers to:
A) the ability of an application to accommodate growth without changing design
B) how well and how quickly an application's environment can have lost data restored
C) how secure your application is
D) the built-in redundancy of an application's components
Fault-tolerance is the ability for a system to remain in operation even if some of the components used to build the system fail.
...
Amazon Web Services (AWS) provides a platform that is ideally suited for building fault-tolerant software systems.
(https://docs.aws.amazon.com/whitepapers/latest/fault-tolerant-components/fault-tolerant-components.pdf)
The objective of creating a fault-tolerant system is to prevent disruptions arising from a single point of failure, ensuring the high availability and business continuity of mission-critical applications or systems.
Fault-tolerant systems use backup components that automatically take the place of failed components, ensuring no loss of service.
Question 431
A company operating in the AWS Cloud requires separate invoices for specific environments, such as development, testing, and production. How can this be achieved?
A) Use multiple AWS accounts
B) Use resource tagging
C) Use multiple VPCs
D) Use Cost Explorer
The only way you can do this is by having the instance in a separate AWS account. An AWS account is a billing boundary. Using multiple AWS accounts does not cost any more than using a single account and you can pay via a single bill & payment method but get separate billing details for your instance. There is no lower limit on the number of resources in an AWS account.
(https://www.quora.com/Can-I-have-a-separate-billing-profile-for-a-specific-server-instance-on-Amazon-web-services-AWS#:~:text=The%20only%20way%20you%20can,billing%20details%20for%20your%20instance)
INCORRECT ANSWERS:
- B: You cannot have "separate invoices" by only tagging resources.
Question 432
Which AWS service can be used in the application deployment process?
A) AWS AppSync
B) AWS Batch
C) AWS CodePipeline
D) AWS DataSync
AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define.
Question 433
What can be used to reduce the cost of running Amazon EC2 instances? (Choose two.)
A) Spot Instances for stateless and flexible workloads
B) Memory optimized instances for high-compute workloads
C) On-Demand Instances for high-cost and sustained workloads
D) Reserved Instances for sustained workloads
E) Spend limits set using AWS Budgets
- A: Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. You can use Spot Instances for various stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, CI/CD, web servers, high-performance computing (HPC), and test & development workloads. Because Spot Instances are tightly integrated with AWS services such as Auto Scaling, EMR, ECS, CloudFormation, Data Pipeline and AWS Batch, you can choose how to launch and maintain your applications running on Spot Instances.
- D: A Reserved Instance is a reservation of resources and capacity, for either one or three years, for a particular Availability Zone within a region. When you purchase a reservation, you commit to paying for all of the hours of the 1- or 3-year term; in exchange, the hourly rate is lowered significantly.
Amazon EC2 Reserved Instances (RI) provide a significant discount (up to 72%) compared to On-Demand pricing and provide a capacity reservation when used in a specific Availability Zone.
(https://support.cloudability.com/hc/en-us/articles/204307758-AWS-101-Reserved-Instances)
Question 434
Which AWS service or feature allows the user to manage cross-region application traffic?
A) Amazon AppStream 2.0
B) Amazon VPC
C) Elastic Load Balancer
D) Amazon Route 53
Amazon Route 53 provides a global DNS service that can be used as a public or private endpoint for (real-time communication) RTC clients to register and connect with media applications. With Amazon Route 53, DNS health checks can be configured to route traffic to healthy endpoints or to independently monitor the health of your application. The Amazon Route 53 Traffic Flow feature makes it easy for you to manage traffic globally through a variety of routing types, including latency-based routing, geo DNS, geoproximity, and weighted round robin—all of which can be combined with DNS Failover to enable a variety of low-latency, fault-tolerant architectures. The Amazon Route 53 Traffic Flow simple visual editor allows you to manage how your end users are routed to your application's endpoints—whether in a single AWS Region or distributed around the globe.
(https://docs.aws.amazon.com/whitepapers/latest/real-time-communication-on-aws/cross-region-dns-based-load-balancing-and-failover.html)
Question 435
Which AWS service can be used to track unauthorized API calls?
A) AWS Config
B) AWS CloudTrail
C) AWS Trusted Advisor
D) Amazon Inspector
AWS CloudTrail: Track user activity and API usage. Helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
Question 436
A user needs to regularly audit and evaluate the setup of all AWS resources, identify non-compliant accounts, and be notified when a resource changes. Which AWS service can be used to meet these requirements?
A) AWS Trusted Advisor
B) AWS Config
C) AWS Resource Access Manager
D) AWS Systems Manager
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
(AWS) Config continuously monitors and records your AWS resource configurations. It can detect drift and trigger (AWS) Systems Manager Automation to fix it and raise alarms.
Question 437
A user is planning to launch two additional Amazon EC2 instances to increase availability. Which action should the user take?
A) Launch the instances across multiple Availability Zones in a single AWS Region.
B) Launch the instances as EC2 Reserved Instances in the same AWS Region and the same Availability Zone.
C) Launch the instances in multiple AWS Regions, but in the same Availability Zone.
D) Launch the instances as EC2 Spot Instances in the same AWS Region, but in different Availability Zones.
Launching across multiple Availability Zones in a single AWS Region is a good approach for availability: if one Availability Zone goes down, resources in the other Availability Zones remain available to continue the workload.
Most organizations try to implement High Availability (HA) to guard them against any downtime of services. In the case of HA, we ensure there exists a fallback mechanism for our services. The service that runs in HA is handled by hosts running in different Availability Zones but in the same geographical region.
INCORRECT ANSWERS:
- B: Launching in the same AWS Region and the same Availability Zone is not a good approach for availability, as if that Availability Zone goes down then all resources are unavailable.
- C: It is not physically possible to launch in multiple AWS Regions but in the same Availability Zone.
- D: Spot Instances should not be used to help with availability, as these can be reclaimed by Amazon at two minutes' notice.
Question 438
A company must store critical business data in Amazon S3 with a backup to another AWS Region. How can this be achieved?
A) Use an Amazon CloudFront Content Delivery Network (CDN) to cache data globally
B) Set up Amazon S3 cross-region replication to another AWS Region
C) Configure the AWS Backup service to back up the data to another AWS Region
D) Take Amazon S3 bucket snapshots and copy that data to another AWS Region
S3 Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. There are two kinds of S3 replication:
- Cross-Region Replication (CRR): when an object is uploaded to a primary bucket, it is replicated to a secondary bucket in a different AWS Region.
- Same-Region Replication (SRR): used to copy objects across Amazon S3 buckets in the same AWS Region.
Question 439
Which AWS Cloud service can send alerts to customers if custom spending thresholds are exceeded?
A) AWS Budgets
B) AWS Cost Explorer
C) AWS Cost Allocation Tags
D) AWS Organizations
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define.
Question 440
Which components are required to build a successful site-to-site VPN connection on AWS? (Choose two.)
A) Internet gateway
B) NAT gateway
C) Customer gateway
D) Virtual private gateway
AWS Virtual Private Network (VPN) solutions establish secure connections via the public internet between your on-premises networks, remote offices, client devices, and the AWS global network. You can connect your Amazon VPC to remote networks and users using the following VPN connectivity options:
- AWS Site-to-Site VPN: creates encrypted tunnels between your network and your Amazon Virtual Private Clouds. A VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC.
-- On the AWS side of the Site-to-Site VPN connection, a virtual private gateway or transit gateway provides two VPN endpoints (tunnels) for automatic failover.
-- You configure your customer gateway device on the remote side of the Site-to-Site VPN connection.
- AWS Client VPN: a managed client-based VPN service that enables you to securely access your AWS resources or your on-premises network. With AWS Client VPN, you configure an endpoint to which your users can connect to establish a secure TLS VPN session. This enables clients to access resources in AWS or an on-premises network from any location using an OpenVPN-based VPN client.
- AWS VPN CloudHub: if you have more than one remote network (for example, multiple branch offices), you can create multiple AWS Site-to-Site VPN connections via your virtual private gateway to enable communication between these networks.
- Third party software VPN appliance: you can create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that's running a third party software VPN appliance. AWS does not provide or maintain third party software VPN appliances; however, you can choose from a range of products provided by partners and open source communities. You can find third party software VPN appliances on the AWS Marketplace.
Question 441
Which Amazon EC2 pricing option is best suited for applications with short-term, spiky, or unpredictable workloads that cannot be interrupted?
A) Spot Instances
B) Dedicated Hosts
C) On-Demand Instances
D) Reserved Instances
On-Demand Instances let you pay for compute capacity by the hour or second (minimum of 60 seconds) with no long-term commitments. You have full control over its lifecycle—you decide when to launch, stop, hibernate, start, reboot, or terminate it. This frees you from the costs and complexities of planning, purchasing, and maintaining hardware and transforms what are commonly large fixed costs into much smaller variable costs.
Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it is terminated or stopped. Each partial instance-hour consumed will be billed per-second for Linux Instances and as a full hour for all other instance types.
There is no long-term commitment required when you purchase On-Demand Instances. You pay only for the seconds that your On-Demand Instances are in the running state. The price per second for a running On-Demand Instance is fixed.
We recommend that you use On-Demand Instances for applications with short-term, irregular workloads that cannot be interrupted.
For significant savings over On-Demand Instances, use AWS Savings Plans, Spot Instances, or Reserved Instances.
Question 442
What is the MOST effective resource for staying up to date on AWS security announcements?
A) AWS Personal Health Dashboard
B) AWS Secrets Manager
C) AWS Security Bulletins
D) Amazon Inspector
AWS Security Bulletins: No matter how carefully engineered the services are, from time to time it may be necessary to notify customers of security and privacy events with AWS services. We will publish security bulletins online to update our customers of any changes.
(https://aws.amazon.com/security/security-bulletins/)
Question 443
Which AWS service offers persistent
storage for a file system?
A) Amazon S3
B) Amazon EC2 instance store
C) Amazon Elastic Block Store (Amazon EBS)
D) Amazon ElastiCache
A) Amazon S3
B) Amazon EC2 instance store
C) Amazon Elastic Block Store (Amazon EBS)
D) Amazon ElastiCache
Amazon EBS delivers high-availability block-level storage volumes
for Amazon Elastic Compute Cloud (EC2) instances. It stores data on a
file system which is retained after the EC2 instance is shut down.
Amazon EFS offers scalable file storage, also optimized for EC2. It can
be used as a common data source for any application or workload that
runs on numerous instances. Using an EFS file system, you may configure
instances to mount the file system.
The main differences between EBS and EFS are that EBS is only accessible
from a single EC2 instance in your particular AWS Region, while EFS allows
you to mount the file system across multiple regions and instances.
(https://www.missioncloud.com/blog/resource-amazon-ebs-vs-efs-vs-s3-picking-the-best-aws-storage-option-for-your-business#:~:text=Amazon%20EBS%20delivers%20high%2Davailability,EC2%20instance%20is%20shut%20down.&text=It%20can%20be%20used%20as,that%20runs%20on%20numerous%20instances.)"
Question 444
Which of the following allows AWS users
to manage cost allocations for billing?
A) Tagging resources
B) Limiting who can create resources
C) Adding a secondary payment method
D) Running all operations on a single AWS account
A) Tagging resources
B) Limiting who can create resources
C) Adding a secondary payment method
D) Running all operations on a single AWS account
Cost allocation tags are key-value pairs that allow you to organize your
AWS resources into groups. For each resource, each tag key must be unique,
and each tag key can have only one value. AWS provides two types of cost
allocation tags: AWS-generated tags and user-defined tags. You can use
tags to:
-Organize your resources, and use cost allocation tags to track your AWS costs on a detailed level.
-Visualize information about tagged resources in one place, in conjunction with Resource Groups.
-View billing information using Cost Explorer and the AWS Cost and Usage Report.
-Send notifications about spending limits using AWS Budgets.
-Use logical groupings of your resources that make sense for your infrastructure or business. For example, you could organize your resources by:
--Project
--Cost center
--Development environment
--Application
--Department"
Question 445
Which requirement must be met for a
member account to be unlinked from an AWS Organizations account?
A) The linked account must be actively compliant with AWS System and Organization Controls (SOC).
B) The payer and the linked account must both create AWS Support cases to request that the member account be unlinked from the organization.
C) The member account must meet the requirements of a standalone account.
D) The payer account must be used to remove the linked account from the organization.
A) The linked account must be actively compliant with AWS System and Organization Controls (SOC).
B) The payer and the linked account must both create AWS Support cases to request that the member account be unlinked from the organization.
C) The member account must meet the requirements of a standalone account.
D) The payer account must be used to remove the linked account from the organization.
You can remove an account from your organization only if the
account has the information that is required for it to operate as a
standalone account. When you create an account in an organization using
the AWS Organizations console, API, or AWS CLI commands, all the
information that is required of standalone accounts is not automatically
collected. For each account that you want to make standalone, you must
choose a support plan, provide and verify the required contact
information, and provide a current payment method. AWS uses the payment
method to charge for any billable (not AWS Free Tier) AWS activity that
occurs while the account isn't attached to an organization.
-To remove an account that you created in the organization, you must wait until at least seven days after the account was created. Invited accounts aren't subject to this waiting period.
-At the moment the account successfully leaves the organization, the owner of the AWS account becomes responsible for all new AWS costs accrued, and the account's payment method is used. The management account of the organization is no longer responsible.
-The account that you want to remove must not be a delegated administrator account for any AWS service enabled for your organization. If the account is a delegated administrator, you must first change the delegated administrator account to another account that is remaining in the organization. For more information about how to disable or change the delegated administrator account for an AWS service, see the documentation for that service.
-Even after the removal of created accounts (accounts created using the AWS Organizations console or the CreateAccount API) from within an organization, (i) created accounts are governed by the terms of the creating management account's agreement with us, and (ii) the creating management account remains jointly and severally liable for any actions taken by its created accounts. Customers' agreements with us, and the rights and obligations under those agreements, cannot be assigned or transferred without our prior consent. To obtain our consent, contact us at https://aws.amazon.com/contact-us/.
-When a member account leaves an organization, that account no longer has access to cost and usage data from the time range when the account was a member of the organization. However, the management account of the organization can still access the data. If the account rejoins the organization, the account can access that data again.
-When a member account leaves an organization, all tags attached to the account are deleted.
(https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#orgs_manage_accounts_remove-from-master)"
Question 446
What AWS benefit refers to a customer's ability to deploy applications
that scale up and down to meet variable demand?
A) Elasticity
B) Agility
C) Security
D) Scalability
A) Elasticity
B) Agility
C) Security
D) Scalability
What is the difference between scalability and elasticity?
The purpose of elasticity is to match the resources allocated with the
actual amount of resources needed at any given point in time. Scalability
handles the changing needs of an application within the confines of the
infrastructure by statically adding or removing resources to meet
application demands if needed.
Scalability is a characteristic of a software architecture related to
serving a higher amount of workload, whereas elasticity is a characteristic
of the physical layer below, entirely related to hardware budget
optimizations"
Question 447
During a compliance review, one of the
auditors requires a copy of the AWS SOC 2 report. Which service should
be used to submit this request?
A) AWS Personal Health Dashboard
B) AWS Trusted Advisor
C) AWS Artifact
D) Amazon S3
A) AWS Personal Health Dashboard
B) AWS Trusted Advisor
C) AWS Artifact
D) Amazon S3
SOC 2: Security, Availability & Confidentiality - A description of
the AWS controls environment and external audit of AWS controls that
meet the AICPA Trust Services Security, Availability, and
Confidentiality Principles and Criteria
AWS Artifact is your
go-to, central resource for compliance-related information that matters
to you. It provides on-demand access to AWS' security and compliance
reports and select online agreements. Reports available in AWS Artifact
include our Service Organization Control (SOC) reports, Payment Card
Industry (PCI) reports, and certifications from accreditation bodies
across geographies and compliance verticals that validate the
implementation and operating effectiveness of AWS security controls.
Agreements available in AWS Artifact include the Business Associate
Addendum (BAA) and the Nondisclosure Agreement
(NDA)."
Question 448
A company wants to set up a highly
available workload in AWS with a disaster recovery plan that will allow
the company to recover in case of a regional service interruption. Which
configuration will meet these requirements?
A) Run on two Availability Zones in one AWS Region, using the additional Availability Zones in the AWS Region for the disaster recovery site.
B) Run on two Availability Zones in one AWS Region, using another AWS Region for the disaster recovery site.
C) Run on two Availability Zones in one AWS Region, using a local AWS Region for the disaster recovery site.
D) Run across two AWS Regions, using a third AWS Region for the disaster recovery site.
A) Run on two Availability Zones in one AWS Region, using the additional Availability Zones in the AWS Region for the disaster recovery site.
B) Run on two Availability Zones in one AWS Region, using another AWS Region for the disaster recovery site.
C) Run on two Availability Zones in one AWS Region, using a local AWS Region for the disaster recovery site.
D) Run across two AWS Regions, using a third AWS Region for the disaster recovery site.
Disaster Recovery (DR) Using AWS regions: Most organizations try
to implement High Availability (HA) instead of DR to guard them against
any downtime of services.
In case of HA, we ensure there
exists a fallback mechanism for our services. The service that runs in
HA is handled by hosts running in different availability zones but in
the same geographical region. This approach, however, does not guarantee
that our business will be up and running in case the entire region goes
down.
DR takes things to a completely new level, wherein you
need to be able to recover from a different region that’s separated by
over 250 miles. Our DR implementation is an Active/Passive model,
meaning that we always have minimum critical services running in
different regions, but a major part of the infrastructure is launched
and restored when required."
Question 449
Which AWS service can run a managed
PostgreSQL database that provides online transaction processing
(OLTP)?
A) Amazon DynamoDB
B) Amazon Athena
C) Amazon RDS
D) Amazon EMR
A) Amazon DynamoDB
B) Amazon Athena
C) Amazon RDS
D) Amazon EMR
OLTP (Online Transactional Processing) is a category of data
processing that is focused on transaction-oriented tasks. OLTP typically
involves inserting, updating, and/or deleting small amounts of data in a
database. OLTP mainly deals with large numbers of transactions by a
large number of users.
Amazon Relational Database Service
(Amazon RDS) makes it easy to set up, operate, and scale a relational
database in the cloud. It provides cost-efficient and resizable capacity
while managing time-consuming database administration tasks, freeing you
to focus on your applications and business.
Amazon RDS gives
you access to several familiar database engines, including Amazon
Aurora, MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server. This means
that the code, applications, and tools you already use with your
existing databases can be used with Amazon RDS.
Amazon RDS
automatically patches the database software and backs up your database,
storing the backups for a user-defined retention period and enabling
point-in-time recovery. You benefit from the flexibility of being able
to scale the compute resources or storage capacity associated with your
Database Instance (DB Instance) via a single API call.
Amazon
RDS DB Instances can be provisioned with either General Purpose (SSD),
Provisioned IOPS (SSD) or standard (magnetic) storage. Amazon RDS
Provisioned IOPS is a storage option designed to deliver fast,
predictable, and consistent I/O performance, and is optimized for
I/O-intensive, transactional (OLTP) database workloads.
Amazon
RDS for MySQL, MariaDB, and PostgreSQL also enable you to create Read
Replicas to scale out beyond the capacity of a single database
deployment for read-heavy database workloads. As with all Amazon Web
Services, there are no up-front investments required, and you pay only
for the resources you use."
Question 450
Which of the following assist in
identifying costs by department? (Choose two.)
A) Using tags on resources
B) Using multiple AWS accounts
C) Using an account manager
D) Using AWS Trusted Advisor
E) Using Consolidated Billing
A) Using tags on resources
B) Using multiple AWS accounts
C) Using an account manager
D) Using AWS Trusted Advisor
E) Using Consolidated Billing
The key is identifying the costs by department.
-A-
Cost allocation tags are key-value pairs that allow you to organize your
AWS resources into groups. For each resource, each tag key must be unique,
and each tag key can have only one value. AWS provides two types of cost
allocation tags: AWS-generated tags and user-defined tags. You can use
tags to:
-Organize your resources, and use cost allocation tags to track your AWS costs on a detailed level.
-Visualize information about tagged resources in one place, in conjunction with Resource Groups.
-View billing information using Cost Explorer and the AWS Cost and Usage Report.
-Send notifications about spending limits using AWS Budgets.
-Use logical groupings of your resources that make sense for your infrastructure or business. For example, you could organize your resources by:
--Project
--Cost center
--Development environment
--Application
--Department
-B-
The only other way you can do this is by having the resources in separate
AWS accounts. An AWS account is a billing boundary. Using multiple AWS
accounts does not cost any more than using a single account, and with AWS
Organizations you can pay via a single bill and payment method but get
separate billing details for your resources. There is no lower limit on
the number of resources in an AWS account.
(https://www.quora.com/Can-I-have-a-separate-billing-profile-for-a-specific-server-instance-on-Amazon-web-services-AWS#:~:text=The%20only%20way%20you%20can,billing%20details%20for%20your%20instance)"
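The two mechanisms the explanations for Question 444 and Question 450 describe, tags and account boundaries, as an added example that is not part of the original question set: it allocates constructed cost line items by a user-defined cost allocation tag key and by account, and surfaces the spend that has no matching tag (the usual gap in a departmental chargeback). Record layout, account numbers and resource ids are all constructed for the example.

```python
from collections import defaultdict

# Constructed cost-and-usage line items (not real AWS Cost and Usage Report
# output). "tags" holds the cost allocation tags attached to each resource.
EXAMPLE_LINE_ITEMS = [
    {"account": "111111111111", "resource": "i-0a1", "cost": 12.50,
     "tags": {"Department": "Finance"}},
    {"account": "111111111111", "resource": "i-0a2", "cost": 7.25,
     "tags": {"Department": "Finance", "Project": "ledger"}},
    {"account": "222222222222", "resource": "vol-0b1", "cost": 3.00,
     "tags": {"Department": "Marketing"}},
    {"account": "222222222222", "resource": "i-0b2", "cost": 20.00,
     "tags": {}},
    # Tag keys are case-sensitive, so "department" is not the "Department" key.
    {"account": "111111111111", "resource": "db-0a3", "cost": 40.00,
     "tags": {"department": "Finance"}},
]

UNTAGGED = "Untagged"


def costs_by_tag(items, tag_key):
    """Total cost per value of a cost allocation tag key (answer A).

    Spend on resources without that exact key is collected under UNTAGGED so
    that it stays visible instead of silently dropping out of the report.
    """
    totals = defaultdict(float)
    for item in items:
        totals[item["tags"].get(tag_key, UNTAGGED)] += item["cost"]
    return {key: round(value, 2) for key, value in totals.items()}


def costs_by_account(items):
    """Total cost per AWS account: the billing boundary used by answer B."""
    totals = defaultdict(float)
    for item in items:
        totals[item["account"]] += item["cost"]
    return {key: round(value, 2) for key, value in totals.items()}


def untagged_resources(items, tag_key):
    """Resource ids that lack the tag key, i.e. the list to hand back to owners."""
    return [item["resource"] for item in items if tag_key not in item["tags"]]


if __name__ == "__main__":
    print("by Department:", costs_by_tag(EXAMPLE_LINE_ITEMS, "Department"))
    print("by account:", costs_by_account(EXAMPLE_LINE_ITEMS))
    print("missing Department tag:",
          untagged_resources(EXAMPLE_LINE_ITEMS, "Department"))
```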
Question 451
A company wants to allow full access to
an Amazon S3 bucket for a particular user. Which element in the S3
bucket policy holds the user details that describe who needs access to
the S3 bucket?
A) Principal
B) Action
C) Resource
D) Statement
A) Principal
B) Action
C) Resource
D) Statement
In its most basic sense, a policy contains the following elements:
-Resources – Buckets, objects, access points, and jobs are the Amazon S3 resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource.
-Actions – For each resource, Amazon S3 supports a set of operations. You identify resource operations that you will allow (or deny) by using action keywords. For example, the s3:ListBucket permission allows the user to use the Amazon S3 GET Bucket (List Objects) operation.
-Effect – What the effect will be when the user requests the specific action; this can be either allow or deny. If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure that a user can't access the resource, even if a different policy grants access.
-Principal – The account or user who is allowed access to the actions and resources in the statement. In a bucket policy, the principal is the user, account, service, or other entity that is the recipient of this permission.
-Condition – Conditions for when a policy is in effect. You can use AWS-wide keys and Amazon S3-specific keys to specify conditions in an Amazon S3 access policy."
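The policy elements listed above, as an added example that is not part of the original question set: a constructed bucket policy grants full access to one IAM user through its Principal element, and two small functions read the policy back per principal and report any Allow statement whose Principal is the wildcard with no Condition, which is what makes a bucket public. The bucket name, account id and user name are constructed placeholders.

```python
import json

# Constructed example bucket policy (not from the page): full access for one
# IAM user, plus the common hardening Deny for requests that are not over TLS.
EXAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccessForOneUser",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/analyst"},
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Action, Resource, Statement and Principal values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten the Principal element into identifiers such as 'AWS:<arn>' or '*'.

    Principal is either the string "*" (everyone) or a map such as
    {"AWS": [...]} / {"Service": ...}; {"AWS": "*"} also means everyone.
    """
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    result = []
    for kind, ids in principal.items():
        for ident in _as_list(ids):
            result.append("*" if ident == "*" else f"{kind}:{ident}")
    return result


def summarize_policy(policy_json):
    """Return {principal: {"Allow": set(actions), "Deny": set(actions)}}."""
    doc = json.loads(policy_json)
    summary = {}
    for stmt in _as_list(doc.get("Statement")):
        actions = set(_as_list(stmt.get("Action")))
        for who in principals_of(stmt):
            entry = summary.setdefault(who, {"Allow": set(), "Deny": set()})
            entry[stmt["Effect"]] |= actions
    return summary


def public_allow_statements(policy_json):
    """Sids of Allow statements with a wildcard Principal and no Condition.

    Those statements open the bucket to anyone. A Deny with Principal "*"
    (like the insecure-transport guard above) is expected and not reported.
    """
    doc = json.loads(policy_json)
    found = []
    for stmt in _as_list(doc.get("Statement")):
        if (stmt["Effect"] == "Allow" and "*" in principals_of(stmt)
                and "Condition" not in stmt):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    for who, effects in summarize_policy(EXAMPLE_POLICY).items():
        print(who, "allow:", sorted(effects["Allow"]), "deny:", sorted(effects["Deny"]))
    print("public allow statements:", public_allow_statements(EXAMPLE_POLICY))
```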
Question 452
A company is piloting a new
customer-facing application on Amazon Elastic Compute Cloud (Amazon EC2)
for one month. What pricing model is appropriate?
A) Reserved Instances
B) Spot Instances
C) On-Demand Instances
D) Dedicated Hosts
A) Reserved Instances
B) Spot Instances
C) On-Demand Instances
D) Dedicated Hosts
On-Demand Instances let you pay for compute capacity by the hour
or second (minimum of 60 seconds) with no long-term commitments. You
have full control over its lifecycle—you decide when to launch, stop,
hibernate, start, reboot, or terminate it. This frees you from the costs
and complexities of planning, purchasing, and maintaining hardware and
transforms what are commonly large fixed costs into much smaller
variable costs.
Pricing is per instance-hour consumed for
each instance, from the time an instance is launched until it is
terminated or stopped. Each partial instance-hour consumed will be
billed per-second for Linux Instances and as a full hour for all other
instance types.
There is no long-term commitment required
when you purchase On-Demand Instances. You pay only for the seconds that
your On-Demand Instances are in the running state. The price per second
for a running On-Demand Instance is fixed.
We recommend that
you use On-Demand Instances for applications with short-term, irregular
workloads that cannot be interrupted.
For significant savings
over On-Demand Instances, use AWS Savings Plans, Spot Instances, or
Reserved Instances.
Incorrect answers:
-Spot Instances: the application is customer-facing, so Spot Instances are not suitable because their workloads can be interrupted and the instance reclaimed by AWS with only two minutes' notice."
Question 453
Under the AWS shared responsibility
model, which of the following is a responsibility of AWS?
A) Enabling server-side encryption for objects stored in S3
B) Applying AWS IAM security policies
C) Patching the operating system on an Amazon EC2 instance
D) Applying updates to the hypervisor
A) Enabling server-side encryption for objects stored in S3
B) Applying AWS IAM security policies
C) Patching the operating system on an Amazon EC2 instance
D) Applying updates to the hypervisor
With AWS everything from the physical servers to the hypervisor
layer is AWS’s responsibility, anything below that layer is the
customer’s responsibility. A customer’s poorly coded applications,
misconfigured operating systems, or insecure firewall settings will not
affect the hypervisor, it will only affect the customer’s virtual
machines running on that hypervisor. It remains the customer’s
responsibility to ensure the integrity, confidentiality, and
availability of the systems, applications, and data that they host on
EC2.
(https://www.mindpointgroup.com/blog/the-aws-shared-responsibility-model-part-1-security-in-the-cloud/)"
Question 454
Performing operations as code is a design
principle that supports which pillar of the AWS Well-Architected
Framework?
A) Performance efficiency
B) Operational excellence
C) Reliability
D) Security
A) Performance efficiency
B) Operational excellence
C) Reliability
D) Security
Operational Excellence Design Principles and Best Practices
…
Perform
operations as code: In the cloud, you can apply the same engineering
discipline that you use for application code to your entire environment.
You can define your entire workload (applications, infrastructure) as
code and update it with code. You can implement your operations
procedures as code and automate their execution by triggering them in
response to events. By performing operations as code, you limit human
error and enable consistent responses to events."
Question 455
Which design principle is achieved by
following the reliability pillar of the AWS Well-Architected
Framework?
A) Vertical scaling
B) Manual failure recovery
C) Testing recovery procedures
D) Changing infrastructure manually
A) Vertical scaling
B) Manual failure recovery
C) Testing recovery procedures
D) Changing infrastructure manually
Reliability Design Principles and Best Practices
…
Failure Management / automatically recover from failure: In any system of
reasonable complexity, it is expected that failures will occur.
Reliability requires that your workload be aware of failures as they
occur and take action to avoid impact on availability. Workloads must be
able to both withstand failures and automatically repair issues:
-With AWS, you can take advantage of automation to react to monitoring data. For example, when a particular metric crosses a threshold, you can trigger an automated action to remedy the problem. Also, rather than trying to diagnose and fix a failed resource that is part of your production environment, you can replace it with a new one and carry out the analysis on the failed resource out of band.
-Since the cloud enables you to stand up temporary versions of a whole system at low cost, you can use automation to simulate different failures or to recreate scenarios that led to failures before (chaos engineering) and observe the full recovery processes.
-Regularly back up your data and test your backup files to ensure that you can recover from both logical and physical errors.
-Tracking KPIs will help you identify and mitigate single points of failure.
-These approaches expose failure pathways that you can test and fix before a real failure scenario occurs, thus reducing risk."
Question 456
What is a characteristic of Convertible
Reserved Instances (RIs)?
A) Users can exchange
Convertible RIs for other Convertible RIs from a different instance
family.
B) Users can exchange Convertible RIs for other
Convertible RIs in different AWS Regions.
C) Users can sell
and buy Convertible RIs on the AWS Marketplace.
D) Users can
shorten the term of their Convertible RIs by merging them with other
Convertible RIs.
A) Users can exchange Convertible RIs for other Convertible
RIs from a different instance family.
B) Users can exchange Convertible RIs for other
Convertible RIs in different AWS Regions.
C) Users can sell
and buy Convertible RIs on the AWS Marketplace.
D) Users can
shorten the term of their Convertible RIs by merging them with other
Convertible RIs.
These provide a discount (up to 54% off On-Demand) and the
capability to change the attributes of the RI (instance family,
operating system, and tenancy) as long as the exchange results in the
creation of Reserved Instances of equal or greater value (even if this
means switching RIs to a different instance family). There are no limits
to how many times you perform an exchange. Like Standard RIs,
Convertible RIs are best suited for steady-state usage."
Question 457
The user is fully responsible for which
action when running workloads on AWS?
A) Patching the
infrastructure components
B) Implementing controls to route
application traffic
C) Maintaining physical and
environmental controls
D) Maintaining the underlying
infrastructure components
A) Patching the infrastructure components
B) Implementing controls to route application traffic
C) Maintaining physical and environmental controls
D) Maintaining the underlying infrastructure components
A route table contains a set of rules, called routes, that are
used to determine where network traffic from your subnet or gateway is
directed.
Your VPC has an implicit router (AWS manages this),
and you use route tables to control where network traffic is directed.
Each subnet in your VPC must be associated with a route table, which
controls the routing for the subnet (subnet route table). You can
explicitly associate a subnet with a particular route table. Otherwise,
the subnet is implicitly associated with the main route table. A subnet
can only be associated with one route table at a time, but you can
associate multiple subnets with the same subnet route table.
You
can optionally associate a route table with an internet gateway or a
virtual private gateway (gateway route table). This enables you to
specify routing rules for inbound traffic that enters your VPC through
the gateway.
There is a quota on the number of route tables
that you can create per VPC. There is also a quota on the number of
routes that you can add per route table."
Question 458
Which are benefits of using Amazon RDS
over Amazon EC2 when running relational databases on AWS? (Choose
two.)
A) Automated backups
B) Schema management
C) Indexing of tables
D) Software patching
E) Extract, transform, and load (ETL) management
A) Automated backups
B) Schema management
C) Indexing of tables
D) Software patching
E) Extract, transform, and load (ETL) management
Amazon Relational Database Service (Amazon RDS) makes it easy to
set up, operate, and scale a relational database in the cloud. It
provides cost-efficient and resizable capacity while automating
time-consuming administration tasks such as hardware provisioning,
database setup, patching and backups. It frees you to focus on your
applications so you can give them the fast performance, high
availability, security and compatibility they need.
Amazon
RDS is available on several database instance types - optimized for
memory, performance or I/O - and provides you with six familiar database
engines to choose from, including Amazon Aurora, PostgreSQL, MySQL,
MariaDB, Oracle Database, and SQL Server. You can use the AWS Database
Migration Service to easily migrate or replicate your existing databases
to Amazon RDS."
Question 459
What does the Amazon S3
Intelligent-Tiering storage class offer?
A) Payment flexibility by reserving storage capacity
B) Long-term retention of data by copying the data to an encrypted Amazon Elastic Block Store (Amazon EBS) volume
C) Automatic cost savings by moving objects between tiers based on access pattern changes
D) Secure, durable, and lowest cost storage for data archival
A) Payment flexibility by reserving storage capacity
B) Long-term retention of data by copying the data to an encrypted Amazon Elastic Block Store (Amazon EBS) volume
C) Automatic cost savings by moving objects between tiers based on access pattern changes
D) Secure, durable, and lowest cost storage for data archival
Amazon S3 Intelligent-Tiering - Automatic cost savings by moving
objects between tiers based on access pattern changes.
S3
Intelligent-Tiering is a new Amazon S3 storage class designed for
customers who want to optimize storage costs automatically when data
access patterns change, without performance impact or operational
overhead. S3 Intelligent-Tiering is the first cloud object storage class
that delivers automatic cost savings by moving data between two access
tiers — frequent access and infrequent access — when access patterns
change, and is ideal for data with unknown or changing access patterns."
Question 460
A company has multiple data sources
across the organization and wants to consolidate data into one data
warehouse. Which AWS service can be used to meet this requirement?
A) Amazon DynamoDB
B) Amazon Redshift
C) Amazon Athena
D) Amazon QuickSight
A) Amazon DynamoDB
B) Amazon Redshift
C) Amazon Athena
D) Amazon QuickSight
The key phrase is "data warehouse", which almost always corresponds to
Amazon Redshift.
Amazon Redshift is the most widely used cloud data warehouse. It makes it
fast, simple and cost-effective to analyze all your data using standard
SQL and your existing Business Intelligence (BI) tools. It allows you to
run complex analytic queries against terabytes to petabytes of structured
and semi-structured data, using sophisticated query optimization, columnar
storage on high-performance storage, and massively parallel query
execution. Most results come back in seconds.
Amazon Redshift manages the
work needed to set up, operate, and scale a data warehouse. For example,
provisioning the infrastructure capacity, automating ongoing
administrative tasks such as backups, and patching, and monitoring nodes
and drives to recover from failures. Redshift also has automatic tuning
capabilities, and surfaces recommendations for managing your warehouse
in Redshift Advisor. For Redshift Spectrum, Amazon Redshift manages all
the computing infrastructure, load balancing, planning, scheduling and
execution of your queries on data stored in Amazon S3."
Question 461
A user has underutilized on-premises
resources. Which AWS Cloud concept can BEST address this issue?
A) High availability
B) Elasticity
C) Security
D) Loose coupling
A) High availability
B) Elasticity
C) Security
D) Loose coupling
In cloud computing, elasticity is defined as "the degree to which a system
is able to adapt to workload changes by provisioning and de-provisioning
resources in an autonomic manner, such that at each point in time the
available resources match the current demand as closely as possible".
Some cloud solutions can also be automatically adjusted to meet these
needs. This means you can set them up to scale up or down automatically
based on certain conditions, such as when your cloud solution has too many
resources, some of which are under-utilised, or when you have too few
resources and your solution is running out of processing power."
Question 462
A user has a stateful workload that will
run on Amazon EC2 for the next 3 years. What is the MOST cost-effective
pricing model for this workload?
A) On-Demand Instances
B) Reserved Instances
C) Dedicated Instances
D) Spot Instances
A) On-Demand Instances
B) Reserved Instances
C) Dedicated Instances
D) Spot Instances
A Reserved Instance is a reservation of resources and capacity,
for either one or three years, for a particular Availability Zone within
a region. When you purchase a reservation, you commit to paying for all
of the hours of the 1- or 3-year term; in exchange, the hourly rate is
lowered significantly.
Amazon EC2 Reserved Instances (RI) provide a significant discount (up to
72%) compared to On-Demand pricing and provide a capacity reservation
when used in a specific Availability Zone.
(https://support.cloudability.com/hc/en-us/articles/204307758-AWS-101-Reserved-Instances)
-NOTES-
Stateful
applications and processes, however, are those that can be returned to
again and again, like online banking or email. They’re performed with
the context of previous transactions and the current transaction may be
affected by what happened during previous transactions. For these
reasons, stateful apps use the same servers each time they process a
request from a user.
If a stateful transaction is
interrupted, the context and history have been stored so you can more or
less pick up where you left off. Stateful apps track things like window
location, setting preferences, and recent activity. You can think of
stateful transactions as an ongoing periodic conversation with the same
person.
The majority of applications we use day to day are
stateful, but as technology advances, microservices and containers make
it easier to build and deploy applications in the cloud.
(https://www.redhat.com/en/topics/cloud-native-apps/stateful-vs-stateless)"
Question 463
A cloud practitioner needs an Amazon EC2
instance to launch and run for 7 hours without interruptions. What is
the most suitable and cost-effective option for this task?
A) On-Demand Instance
B) Reserved Instance
C) Dedicated Host
D) Spot Instance
A) On-Demand Instance
B) Reserved Instance
C) Dedicated Host
D) Spot Instance
On-Demand Instances let you pay for compute capacity by the hour
or second (minimum of 60 seconds) with no long-term commitments. You
have full control over its lifecycle—you decide when to launch, stop,
hibernate, start, reboot, or terminate it. This frees you from the costs
and complexities of planning, purchasing, and maintaining hardware and
transforms what are commonly large fixed costs into much smaller
variable costs.
Pricing is per instance-hour consumed for
each instance, from the time an instance is launched until it is
terminated or stopped. Each partial instance-hour consumed will be
billed per-second for Linux Instances and as a full hour for all other
instance types.
There is no long-term commitment required
when you purchase On-Demand Instances. You pay only for the seconds that
your On-Demand Instances are in the running state. The price per second
for a running On-Demand Instance is fixed.
We recommend that
you use On-Demand Instances for applications with short-term, irregular
workloads that cannot be interrupted."
Question 464
Which of the following are benefits of using AWS Trusted Advisor? (Choose two.)
A) Providing high-performance container orchestration
B) Creating and rotating encryption keys
C) Detecting underutilized resources to save costs
D) Improving security by proactively monitoring the AWS environment
E) Implementing enforced tagging across AWS resources
AWS Trusted Advisor analyzes your AWS environment and provides best practice recommendations in five categories:
- Performance: AWS Trusted Advisor can improve the performance of your service by checking your service limits, ensuring you take advantage of provisioned throughput, and monitoring for overutilized instances.
- Service Quotas: AWS Trusted Advisor checks for service usage that is more than 80% of the service quota.
- Cost optimization/Reduction: AWS Trusted Advisor can save you money on AWS by eliminating unused and idle resources or by making commitments to reserved capacity.
- Security: AWS Trusted Advisor can improve the security of your application by closing gaps, enabling various AWS security features, and examining your permissions.
- Fault Tolerance: AWS Trusted Advisor can increase the availability and redundancy of your AWS application by taking advantage of auto scaling, health checks, multi-AZ, and backup capabilities.
Question 465
A developer has been hired by a large company and needs AWS credentials. Which are security best practices that should be followed? (Choose two.)
A) Grant the developer access to only the AWS resources needed to perform the job.
B) Share the AWS account root user credentials with the developer.
C) Add the developer to the administrator's group in AWS IAM.
D) Configure a password policy that ensures the developer's password cannot be changed.
E) Ensure the account password policy requires a minimum length.
To help secure your AWS resources, follow these recommendations for the AWS Identity and Access Management (IAM) service.
- Lock away your AWS account root user access keys
- Create individual IAM users
- Use groups to assign permissions to IAM users
- Grant least privilege
- Get started using permissions with AWS managed policies
- Use customer managed policies instead of inline policies
- Use access levels to review IAM permissions
- Configure a strong password policy for your users
- Enable MFA (these are typically not physical MFA tokens)
- Use roles for applications that run on Amazon EC2 instances
- Use roles to delegate permissions
- Do not share access keys
- Rotate credentials regularly
- Remove unnecessary credentials
- Use policy conditions for extra security
- Monitor activity in your AWS account
Question 466
A user is planning to migrate an application workload to the AWS Cloud. Which control becomes the responsibility of AWS once the migration is complete?
A) Patching the guest operating system
B) Maintaining physical and environmental controls
C) Protecting communications and maintaining zone security
D) Patching specific applications
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart above, this differentiation of responsibility is commonly referred to as Security of the Cloud versus Security in the Cloud.
AWS data centers are secure by design and our controls make that possible. Before we build a data center, we spend countless hours considering potential threats and designing, implementing, and testing controls to ensure the systems, technology, and people we deploy counteract risk. To help you fulfill your own audit and regulatory requirements, we are providing you with insight into some of our physical and environmental controls below…