1 Flashcards

Question 1

Q

When you define a CIDR block with a IP address range, you can’t use all the IP addresses. AWS reserves a few IP addresses for its own networking purpose. How many IP addresses does AWS reserves?

A.
5

B.
2

C.
3

D.
4

Answer

A

A is correct. AWS reserves the first four and the last IP address of every subnet for internal purpose (4+1=5).

Question 2

Q

You are reviewing Change Control requests and note a change designed to reduce wasted CPU cycles by increasing the value of the VisibilityTimeout attribute. What does this mean?

A.
When the consumer instance polls for new work, the SQS service will allow it to wait a certain amount of time for a message to be available before closing the connection.

B.
While processing a message, a consumer instance can reset the message visibility by restarting the preset timeout counter.

C.
When a consumer instance retrieves a message, that message will be hidden from other consumer instances for a fixed period of time.

D.
While processing a message, a consumer instance can amend the message visibility counter by a fixed amount.

E.
When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period of time.

F.
When the consumer instance polls for new work, the consumer instance will wait a certain amount of time until it has a full workload before closing the connection.

Answer

A

C is correct. When a consumer instance retrieves a message, that message will be hidden from other consumer instances for a fixed period of time. You have the ability to control this timeout period.

A, B, D, E, and F are incorrect because all these options have irrelevant information.

Question 3

Q

You receive a ProvisionedThroughputExceededException error. However, the DynamoDB metrics show that your table or index has not been operating at maximum provisioned throughput. What could this error be caused by?

A.
It is only a warning. DynamoDB’s burst capacity will handle the extra traffic.

B.
The throughput is not balanced across your partitions. One partition is being subjected to a disproportionate amount of the traffic and is therefore exceeding the limits.

C.
The error is caused by excess traffic generated by your local secondary indexes. You should provision units specifically to the local secondary indexes.

D.
It is a transitory error. AWS will adjust the table to accommodate it and reprocess the transaction.

Answer

A

B is correct. In DynamoDB, it is possible that one of the partitions of the table get more traffic whereas others get less traffic. If one partition is getting massive traffic, you will get a ProvisionedThroughputExceededException error. Since the other partitions are not getting a lot of traffic, when you do the average of IO across the partitions for a table, it will not show you are operating at maximum provisioned throughput.

A is incorrect because the question is about an error, not a warning. C is incorrect because the error is about throughput and not excess traffic. D is incorrect because this is not a transitory error.

Question 4

Q

You have been asked by your employer to create an identical copy of your production environment in another region for disaster recovery purposes. Which of the following AWS resources would you NOT need to re-create because they are available universally across the console? (Choose two.)

A.
Elastic Load Balancers

B.
Route 53

C.
Security groups

D.
EC2 key pairs

E.
Identity Access Management roles

Answer

A

B and E are correct. Route 53 and IAM are global services, so it does not matter which region you choose because you can leverage them globally. Conversely, ELB, security groups, and EC2 key pairs are tied to a particular region.

A is incorrect because ELB is a regional service. C is incorrect because security groups are tied to a particular region. D is incorrect because EC2 key pairs are tied to a particular region.

Question 5

Q

Your company provides an online image recognition service and uses SQS to decouple system components. Your EC2 instances poll the image queue as often as possible to keep end-to-end throughput as high as possible, but you realize that all this polling is resulting in both a large number of CPU cycles and skyrocketing costs. How can you reduce cost without compromising service?

A.
Enable short polling by setting ReceiveMessageWaitTimeMinutes to a number greater than 0.

B.
Enable long polling by setting ReceiveMessageWaitTimeSeconds to a number greater than 0.

C.
Enable long polling by setting ReceiveMessageWaitTimeMinutes to a number greater than 0.

D.
Enable short polling by setting ReceiveMessageWaitTimeSeconds to a number greater than 0.

Answer

A

B is correct. SQS long polling doesn’t return a response until a message arrives in the queue, thus reducing your overall cost over time. Short polling WILL return empty responses. In this case, you need to enable long polling since the key is cost control. At the same time, you need to keep the high throughput, so you have to set the wait time in seconds to a number greater than zero. Also, because the max wait time is 20 seconds, the options with “ReceiveMessageWaitTimeMinutes” automatically become invalid.

A, C, and D are incorrect because you need to enable long polling, and ReceiveMessageWaitTimeSeconds should be set to a number greater than zero. All these options have a different value.

Question 6

Q

You are creating a data lake, and one of the criteria you are looking for is faster performance. You want the ability to transform the data directly during the ingestion process to save time and cost. Which AWS service should you choose for this?

A.
Use Kinesis Analytics for transforming the data.

B.
Ingest the data in S3 and then load it in Redshift to transform.

C.
Ingest the data in S3 and then use EMR to transform.

D.
Use Kinesis Firehose.

Answer

A

A is correct. Kinesis Analytics has the ability to transform the data during ingestion.

B, C, and D are incorrect. Loading the data in S3 and then using EMR to transform it is going to take lot of time. You are looking for faster performance. Redshift is a data warehouse solution. Kinesis Firehose can ingest the data, but it does not have any ability to transform the data.

Question 7

Q

A client is concerned that someone other than approved administrators is trying to gain access to the Linux web app instances in their VPC. The client asks what sort of network access logging can be added. Which of the following might you recommend? (Choose two.)

A. Use Event Log filters to trigger alerts that are forwarded to CloudWatch.

B.Set up a Flow Log for the group of instances and forward them to S3.

C.Make use of an OS-level logging tool such as iptables and log events to CloudWatch or S3.

D.Set up a traffic-logging rule on the VPC firewall appliance and direct the log to CloudWatch or S3.

E.Set up a Flow Log for the group of instances and forward them to CloudWatch.

Answer

A

C and E are correct. Since someone is trying to get into the web tier and the app tier, you have to analyze the logs from the operating system, and the Flow Log is going to give you all the information you are looking for.

A is incorrect because the Event Log won’t provide you the required information. B is incorrect because if you forward instances to S3, how do you use the information? D is incorrect because this option is purposely misleading.

Question 8

Q

At the monthly product meeting, one of the product owners proposes an idea to address an immediate shortcoming of the product system: storing a copy of the customer price schedule in the customer record in the database. You know that you can store large text or binary objects in DynamoDB. You give a tentative OK to do a minimum viable product (MVP) test, but you stipulate that it must comply with the size limitation on the attribute name and value. Which is the correct limitation?

A. The name must not exceed 64KB, and the value must not exceed 1024KB.

B.
The name must not exceed 128KB, and the value must not exceed 400KB.

C.
The value and name combined must not exceed 1024KB.

D.
The value and name combined must not exceed 400KB.

E.
The value and name combined must not exceed 500KB.

F.
The name must not exceed 64KB, and the value must not exceed 500KB.

Answer

A

D is correct. The combined size for the name and value can’t exceed 400KB.

A, B, C, E, and F are incorrect because the combined name and value size is more than 400KB.

Question 9

Q

Your application is hosted in EC2 instances, and all the data is stored in EBS volumes. The EBS volumes must be durable and backed up across multiple AZs. What is the most resilient way to back up the EBS volumes?

A.
Encrypt the EBS volumes.

B.
Take regular EBS snapshots.

C.
Mirror data across two EBS volumes by using RAID.

D.
Write a Lambda function to copy all the data from EBS to S3 regularly.

Answer

A

B is correct. By using snapshots, you can back up the EBS volume and you can create the snapshot in a different AZ.

A is incorrect because encrypting the volumes is different from backing up the volumes. Even if you encrypt the volumes, you still need to back them up. C is incorrect because if you mirror the data across two EBS volumes by using RAID, you will have high availability of the data but still you won’t have a backup. Remember, the backup has to be across AZs. If you use RAID and provide high availability to your EBS volumes, that will be still be under the same AZ since EBS volumes can’t be mounted across AZs. D is incorrect because although you can back up all the data to S3 from an EBS volume, that is not backing up the EBS volume. Backing up the volume means that if your primary volume goes down or is bad, you should be able to quickly mount the volume from backup. If you have a snapshot of an EBS volume, you can quickly mount it and have all the data in it. If you back up the data to S3, you need to create a new volume and then copy all the data from S3 to the EBS volume.

Question 10

Q

When editing permissions (policies and ACLs), creating S3 buckets, and performing activities with EC2 instances, to whom does “Owner” generally refer in the context of AWS?

A.
Owner is the IAM role used to create the object via the GUI, CLI, or API.

B.
There is no special concept of “Owner” in AWS.

C.
Owner is the IAM user who created the object via the GUI, CLI, or API.

D.
Owner refers to the root account.

Answer

A

D is correct. Owner in AWS refers to the root account.

A, B, and C are incorrect. In AWS context, the owner of the account is the root account, which needs to be logged in using the username/password combination. When you first create an Amazon Web Services (AWS) account, you begin with a single sign-on identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the e-mail address and password that you used to create the account.

Question 11

Q

You work for a large media organization that has traditionally stored all its media on large SAN arrays. After evaluating AWS, the company has decided to move its storage to the cloud. Staff will store their personal data on S3 and will have to use their Active Directory credentials in order to authenticate. These items will be stored in a single S3 bucket, and each staff member will have their own folder within that bucket named after their employee ID. Which of the following steps should you take in order to help set this up? (Choose three.)

A.
Use the AWS security token service to create temporary tokens.

B.
Create an IAM role.

C.
Tag each folder with the appropriate staff member’s ID.

D.
Create either a federation proxy or identity provider.

E.
Create an IAM user for each member of staff and use their existing Active Directory password for the account.

Answer

A

A, B, and D are correct. You should create either a federation proxy or identity provider and then use the AWS security token service to create temporary tokens. You will then need to create the appropriate IAM role for the users to assume when writing to the S3 bucket.

C is incorrect because you cannot tag individual folders within an S3 bucket. E is incorrect because if you create an individual user for each staff member, there will be no way to keep their Active Directory credentials synched when they change their password.

Question 12

Q

You are in the process of designing a document archive solution for your company. The solution must be cost-effective; therefore, you have selected Glacier. The business wants to have the capability to get a document within 15 minutes of requesting it. Which feature of Amazon Glacier will you choose?

A.
Expedited retrieval

B.
Standard retrieval

C.
Glacier is not the correct solution. You need Amazon S3.

D.
Bulk retrieval

Answer

A

A is correct. Since you are looking for a cost-effective archival solution, Amazon Glacier is the right choice. By using the expedited retrieval option, you should be able to get the file within 5 minutes, which meets your business objective.

B is incorrect because standard retrieval won’t be able to meet the 15-minute SLA. C is incorrect because you are developing an archival solution. If you choose S3, cost will go up. D is incorrect because bulk retrieval won’t be able to meet the 15-minute SLA.

Question 13

Q

You are running a couple of social media websites in AWS, and they use databases hosted in multiple AZs via RDS MySQL. With expansion of number of users, your users have started seeing degraded performance mainly with database reads. What can you do to make sure you get the required performance? (Choose two.)

A.
Use ElastiCache in-memory cache in each AZ hosting the database.

B.
Create read replicas of RDS MySQL to offload read-only traffic.

C.
Migrate the database to the largest box available in RDS.

D.
Migrate the RDS MySQL to an EC2 server.

Answer

A

A and B are correct. The contention is with read-only traffic; therefore, adding a read replica or adding in-memory cache will solve the problem.

C and D are incorrect. Since the contention is with read-only traffic, adding a read replica or an in-memory cache is going to solve the problem. Suppose you have migrated the database to the largest possible box available in RDS, but again the problem occurs. What do you do? In that case, again, you are going to add a read replica or in-memory cache. If you are running a database in RDS, you should not move it to EC2 since you get a lot of operational benefits simply by hosting your database in RDS.

Question 14

Q

You have been engaged by a company to design and lead a migration to an AWS environment. The team is concerned about the capabilities of the new environment, especially when it comes to avoiding all bottlenecks. The design calls for about 20 instances (C3.2xLarge) pulling jobs/messages from SQS. Network traffic per instance is estimated to be around 500Mbps at the beginning and end of each job. Which network configuration should you plan on deploying?

A.
Choose a different instance type that better matched the traffic demand.

B.
Use a second network interface to separate the SQS traffic from the storage traffic.

C.
Deploy as a placement group, as the aggregated burst traffic could be around 10Gbps.

D.
Activate EBS-Optimization on the instance to maximize network throughput.

E.
Spread the instances over multiple AZs to minimize the traffic concentration and maximize the fault tolerance.

Answer

A

E is correct. When considering network traffic, you need to understand the difference between storage traffic and general network traffic, and the ways to address each. The 10Gbps is a red herring, in that the 500Mbps only occurs for short intervals, and therefore your sustained throughput is not 10Gbps. Wherever possible, use simple solutions such as spreading the load out rather than expensive high-tech solutions.

A is incorrect because even if you choose a different instance type, you still won’t be distributing your network traffic. B is incorrect because you can just separate the SQS traffic with a second network card. C is incorrect because the placement group will bring the instance within proximity. D is incorrect because an EBS-optimized instance will not distribute the network traffic.

Question 15

Q

You have an application for which you are thinking of using EC2 to host an Oracle database. The size of the database is 100GB. Since the application needs operating system access in the database tier, you can’t use RDS. The application will be used infrequently; sometimes it will be used during the morning and sometimes during the evening. What is a cost-effective way of designing the storage layer?

A.
Amazon S3

B.
Amazon EBS General Purpose SSD

C.
Amazon EBS Provisioned IOPS SSD

D.
Amazon EBS Throughput Optimized HDD

Answer

A

D is correct. Since the application will be used infrequently and the goal is to use cost-optimized storage, Throughput Optimized HDD is the best choice.

A, B, and C are incorrect. Amazon S3 is an object store, so it can’t be used to host a database. General Purpose SSD and Provisioned IOPS SSD are going to cost lot more than Throughput Optimized HDD.

Question 16

Q

Following advice from your consultant, you have configured your VPC to use Dedicated hosting tenancy. A subsequent change to your application has rendered the performance gains from Dedicated tenancy superfluous, and you would now like to recoup some of these greater costs. How do you revert to Default hosting tenancy? (Choose two.)

A.
Stop each instance, change the hosting attribute, and restart.

B.
Create AMIs of all your instances and use them to create new instances using Default hosting.

C.
Change the hosting attribute and then restart the instance.

D.
Create AMIs of all your instances. Create a new VPC with Default as the hosting tenancy attribute and then use them to create new instances using Default tenancy.

E.
Change tenancy using CLI/SDK.

Answer

A

D and E are correct. Once the VPC is created, the ways to change the tenancy are either create a new VPC with different tenancy and migrate all the instance or use CLI/SDK to change the tenancy.

A, B, and C are incorrect. If you create a VPC with a dedicated hosting type of tenancy, you can’t change it. You can either create a new VPC or drop and re-create the existing one.

Question 17

Q

You are leading a design team to implement an urgently needed collection and analysis project. You will be collecting data for an array of 50,000 anonymous data collectors. This data will be summarized each day and then rarely used again. The data will be pulled from collectors approximately once an hour. The developer responsible for the DynamoDB design is concerned about how to design the partition and local keys to ensure efficient use of the DynamoDB tables. What advice would you provide? (Choose two.)

A.
Use a time-based partition key so that it is easy to query and analyze.

B.
Don’t worry about it; AWS will optimize the table and partitions to meet your needs.

C.
Use a date-based partition key to avoid having to hop from partition to partition.

D.
Create a new table each day and reconfigure the old table for infrequent use after the summation is complete.

E.
Insert a calculated hash in front of the date/time value in the partition key to force DynamoDB to hop from partition to partition.

Answer

A

D and E are correct. There are two issues here: how to handle stale data to avoid paying for high-provisioned throughput for infrequently used data, and how to design a partition key that will distribute IO from sequential data across partitions evenly to avoid performance bottlenecks.

A is incorrect because just creating a partition key is not enough. B is incorrect because you have to design your application. AWS is not going to do it for you. C is incorrect because just creating the partition key won’t solve the problem.

Question 18

Q

You are reviewing Change Control requests and note a proposed change designed to reduce errors due to S3 Eventual Consistency by updating the DelaySeconds attribute. What does this mean?

A.
When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period of time.

B.
When a consumer instance retrieves a message, that message will be hidden in the queue for a fixed period of time.

C.
When the consumer instance polls for new work, the SQS service will allow it to wait a certain amount of time for a message to be available before closing the connection.

D.
When the consumer instance polls for new work, the consumer instance will wait a certain amount of time until it has a full workload before closing the connection.

E.
While processing a message, a consumer instance can reset the message visibility by restarting the preset timeout counter.

F.
While processing a message, a consumer instance can amend the message visibility counter by a fixed amount.

Answer

A

A is correct. When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period of time. Delay queues are a mechanism that lets you postpone delivery of messages if you need to.

B, C, D, E, and F are incorrect because all these options have irrelevant information.

Question 19

Q

You have created a non-default VPC that contains two web servers. These web servers must be publicly accessible via the Internet and should also be highly resilient. Which of the following configurations should you consider? (Choose two.)
A.
Set up an Elastic Load Balancer and place your two web servers behind it in different Availability Zones. Configure a Route 53 “A” record to point to the IP address of the Elastic Load Balancer.

B.
Set up an Elastic Load Balancer and place your two web servers behind it in different Availability Zones. Configure a Route 53 CNAME to use the public DNS address of the Elastic Load Balancer.

C.
Assign each EC2 instance with an Elastic IP address. Configure Route 53 with both EIPs and set up health checks with DNS failover.

D.
Configure a NAT instance within your VPC. Create a route via the NAT and associate it with all private subnets within your VPC. Create a Route 53 “A” record to point to the public IP address of the NAT.

Answer

A

B and C are correct. You have the option of either using an Elastic Load Balancer or multiple Elastic IP addresses and configuring DNS failover with health checks using Route 53.

A is incorrect because you cannot configure a Route 53 “A” record that points to an ELB. D is incorrect because you can’t use a NAT as a makeshift load balancer.

Question 20

Q

You are designing a media streaming application and need to store over 100,000 videos. Each video will have multiple files associated with it for storing the different resolutions (480p, 720p, 1080p, 4K, and so on). The videos need to be kept in durable storage, but the cost should be kept at a minimum. What storage option should you choose?

A.
Store the main videos in S3 and the different resolution files in Glacier.

B.
Store the main videos in EBS and the different resolution files in S3.

C.
Store the main videos in EFS and the different resolution files in S3.

D.
Store the main videos in S3 and the different resolution files in S3-IA.

Answer

A

D is correct. S3 provides 99.9999999% durability, so that is the best choice for both the main videos and the resolution files.

A, B, and C are incorrect. If you store the files in EBS or EFS, the cost is going to be very high. You can’t store these files in Glacier because it is an archival solution.

Question 21

Q

You have created an S3 bucket for your application and immediately receive over 10,000 PUT requests per second. What should you do to ensure optimal performance?
A.
No need to do anything. S3 will automatically handle this.

B.
Create each file in a separate folder.

C.
Use S3 Infrequent Access.

D.
Add a random prefix to the key names.

Answer

A

D is correct. Also, when you are putting a large number of files, the process should be optimized with multipart uploads, where on the sending side the original file is split into multiple parts and uploaded in parallel, and on the receiving side the file is composed back into a single object.

A, B, and C are incorrect. When doing some optimizations, if you can get better performance, then why not go it? If you create a separate folder for each file, you will create a management nightmare. S3 IA won’t give you better performance.

Question 22

Q

You manage a Ruby on Rails application that lives on a cluster of EC2 instances. Your website occasionally experiences brief, strong, and entirely unpredictable spikes in traffic that overwhelm your EC2 instances’ resources and freeze the application. As a result, you’re losing recently submitted requests from end users. You use Auto Scaling to deploy additional resources to handle the load during spikes, but the new instances don’t spin up fast enough to prevent the existing application servers from freezing. Which of the following actions will provide the most cost-effective solution in preventing the loss of recently submitted requests?
A.
Increase the size of your existing EC2 instances.

B.
Ask AWS support to pre-warm the Elastic Load Balancer.

C.
Keep a large EC2 instance on standby.

D.
Use Amazon SQS to decouple the application components and keep the requests in queue until the extra Auto Scaling instances are available.

Answer

A

D is correct. The cost-effective solution to the unpredictable spike in traffic is to use SQS to decouple the application components.

A is incorrect because increasing the size of EC2 will increase the cost. B is incorrect because pre-warming of the ELB can be done only when the traffic is predictable. C is incorrect because keeping large EC2 servers on standby is going to spike the cost.

Question 23

Q

How is the public IP address managed in an instance session via the instance GUI/RDP or Terminal/SSH session?
A.
The public IP address can be managed via the instance MetaData at http://169.254.169.254/latest/meta-data/local-ipv4.

B.
The public IP address can be managed via the instance MetaData at http://169.254.169.254/latest/meta-data/public-ipv4.

C.
For security reasons, the public IP address is a hidden value.

D.
The public IP address is not managed on the instance; instead, it is an alias applied as a network address translation of the private IP address.

Answer

A

D is correct. When you manage the public IP address in an instance session via the instance GUI/RDP or Terminal/SSH session, it is not managed on the instance. In this case, an alias is applied as a network address translator of the private IP address.

A, B, and C are incorrect. The details are provided in the explanation for answer D.

Question 24

Q

Your server logs are full of what appear to be application-layer attacks, so you deploy AWS Web Application Firewall. Which of the following conditions can you set when configuring AWS WAF? (Choose three.)

A.
URL match conditions

B.
String match conditions

C.
Termination conditions

D.
SQL rejection match conditions

E.
Size constraint conditions

F.
IP match conditions

Answer

A

B, E, and F are correct. In AWS WAF, you can set string match, IP match, and size constraint conditions.

A, C, and D are incorrect because these conditions are not options in WAF.

Question 25

Q

Route 53, the AWS implementation of DNS, supports a number of routing policies. Which of the following are valid policy types? (Choose five.)

A.
Load-Balanced

B.
Weighted

C.
Failover

D.
Simple

E.
Default

F.
Geolocation

G.
Latency

Answer

A

B, C, D, F, and G are correct. The valid routing policies are Weighted, Failover, Simple, Geolocation, and Latency.

A is incorrect because there is no Load-Balanced routing policy. E is incorrect because there is no Default routing policy.

Question 26

Q

Which of the following statements are true regarding SAML-enabled single sign-on? (Choose two.)
A.
After the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect and then the client browser is redirected to the Console.

B.
The client browser is immediately directed to the AWS Console.

C.
The portal acknowledges a SAML authentication response and then verifies the user’s identity in the organization.

D.
The portal first verifies the user’s identity in the organization and then generates a SAML authentication response.

Answer

A

A and D are correct. With SAML, after the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect and then the client browser is redirected to the Console. The portal first verifies the user’s identity in the organization and then generates a SAML authentication response.

B and C are incorrect. The true statements regarding SAML-enabled single sign-on are provided in answers A and D.

Question 27

Q

You work for a large software company in Seattle. The company has its production environment provisioned on AWS inside a custom VPC. The VPC contains both a public subnet and a private subnet. The company tests its applications on custom EC2 instances inside a private subnet. There are approximately 500 instances, and they communicate to the outside world via a proxy server. At 3 A.M. every night, the EC2 instances pull down OS updates, which are usually 150MB or so. They then apply these updates and reboot; however, if the software has not downloaded within half an hour, the update will attempt to download the following day. You notice that a number of EC2 instances are continually failing to download the updates in the allotted time. Which of the following answers might explain this failure? (Choose two.)

A.
Your proxy server is blacklisting the address from which the updates are being downloaded, resulting in failed downloads.

B.
The proxy server has only one Elastic IP address added to it. To increase network throughput, you should add additional Elastic IP addresses.

C.
The proxy server is on an inadequately sized EC2 instance and does not have sufficient network throughput to handle all updates simultaneously. You should increase the instance size of the EC2 instance for the proxy server.

D.
The proxy server is in a private subnet and uses a NAT gateway instance to connect to the Internet. However, this instance is too small to handle the required network traffic. You should re-provision the NAT gateway instance so that it’s able to handle the throughput.

E.
The proxy server has an inadequately sized EBS volume attached to it. The network buffer is stored on the EBS volume, and it is running out of disk space when trying to buffer the 500 simultaneous connections. You should provision an EBS volume with provisioned IOPS.

Answer

A

C and D are correct. Network throughput is the obvious bottleneck. You are not told in this question whether the proxy server is in a public or private subnet, so if it is in a public subnet, the proxy server instance size itself is not large enough to cope with the current network throughput. If the proxy server is in a private subnet, then it must be using a NAT gateway in order to communicate out to the Internet. This NAT gateway may also be inadequately provisioned in terms of size. You should therefore increase the size of both the proxy server and the NAT gateway.

A is incorrect because there is no data point stating that the proxy server is blacklisting. B is incorrect because adding elastic IP does not increase network throughput. E is incorrect because there is no data point stating that the EBS volume is running out of space.

Question 28

Q

Your company has a policy of encrypting all data at rest. You host your production environment on EC2 in a non-default VPC. Attached to your EC2 instances are multiple EBS volumes, and you must ensure this data is encrypted. Which of the following options will allow you to do this? (Choose three.)

A.
Use third-party volume encryption tools.

B.
Install SSL certificates on the servers so as to encrypt your data.

C.
EBS volumes are encrypted by default. You do not need to do anything.

D.
Encrypt the data using native encryption tools available in the operating system.

E.
Encrypt the data inside your application, before storing it on EBS.

Answer

A

A, D, and E are correct. These answers cover all the options required to encrypt all the data at rest.

B is incorrect because SSL certificates will only be useful to encrypt data in transit, not data at rest. C is incorrect because EBS volumes are not encrypted by default.

Question 29

Q

You are reviewing Change Control requests and note a change designed to reduce costs by updating the WaitTimeSeconds attribute. What does this mean?

A.
When the consumer instance polls for new work, the SQS service will allow it to wait a certain amount of time for one or more messages to be available before closing the connection.

B.
When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period of time.

C.
While processing a message, a consumer instance can reset the message visibility by restarting the preset timeout counter.

D.
While processing a message, a consumer instance can amend the message visibility counter by a fixed amount.

E.
When a consumer instance retrieves a message, that message will be hidden in the queue for a fixed period of time.

F.
When the consumer instance polls for new work, the consumer instance will wait a certain amount of time until it has a full workload before closing the connection.

Answer

A

A is correct. WaitTimeSeconds means when the consumer instance polls for new work, the SQS service will allow it to wait a certain amount of time for one or more messages to be available before closing the connection.

Question 30

Q

You have created a VPC using the VPC Wizard with the CIDR block 100.0.0.0/16. You have selected a private subnet and VPN connection using the VPC Wizard. You have launched an EC2 instance in the private subnet. Now you need to connect to the EC2 instance via SSH. What do you need to do in order to connect to the EC2 instance?

A.
Allow inbound traffic on port 22 on your network.

B.
Allow inbound traffic on ports 80 and 22 to the private subnet.

C.
Connect to the instance on the private subnet using a NAT instance.

D.
Create a public subnet and from there connect to the EC2 instance.

Answer

A

A is correct. The port where SSH runs is 22; therefore, you need to provide access to port 22.

B, C, and D are incorrect. You have already created a VPN while creating the VPC; therefore, via VPN, the VPC is already connected with your network, so you can reach the private subnet directly from your network.

Question 31

Q

Your company has hired a young and enthusiastic accountant. After reviewing the AWS documentation and usage graphs, he announces that you are wasting vast amounts of the company’s money running servers for a full hour instead of spinning them up only when they are needed and down again as soon as they are idle for 1 minute. He cites the AWS claim that you only pay for what you use, and that as a senior engineer, you should be more conscious of wasting company money. How do you respond?

A.
You thank him for his concern and then implement EC2’s pay-per-minute billing to get the maximum benefit for the company.

B.
You leap across the meeting table and slap him for insulting you in front of your peers.

C.
You grudgingly acknowledge his point and change your scheduling and tuning settings.

D.
You acknowledge the problem and propose that you could downsize the instances so that the workload consumes the full instance capacity for the full hour. You also propose closer monitoring and automation so that you can upsize and/or downsize the instance each hour during the day to match the instance performance to the anticipated workload.

Answer

A

A is correct. AWS has launched a new feature called pay-per-minute, where the billing occurs in increments of 60 seconds for certain types of instances. If cost control is one of your main objectives, it makes sense to stop the instance whenever it is not in use.

B is incorrect because in real life you would never do this. C is incorrect because changing the scheduling won’t help in reducing the cost. D is incorrect because changing the instance size won’t help to reduce the bill if the server is idle for more than a minute.

Question 32

Q

You successfully configure VPC peering between VPC-A and VPC-B. You then establish an IGW and a Direct-Connect connection in VPC-B. Can instances in VPC-A connect to your corporate office via the Direct-Connect service as well as connect to the Internet via the IGW?

A.
Instances in VPC-A will be able to access the corporate office but not the Internet.

B.
Yes, VPC peering is designed to route traffic between the VPCs.

C.
No, VPC peering does not support edge-to-edge routing.

D.
Instances in VPC-A will be able to access the Internet, but not the corporate office.

Answer

A

C is correct. The answer is no because VPC peering does not support edge-to-edge routing. Say, for example, that VPC-A is peered to VPC-B, and VPC-B is peered to VPC-C. In this case, VPC-A and VPC-C won’t be able to talk unless there is a peering between them.

A, B, and D are incorrect. These options are purposefully misleading.

Question 33

Q

Your server logs are full of what appear to be application-layer attacks, so you deploy AWS Web Application Firewall. Which of the following conditions can you set when configuring AWS WAF? (Choose three.)

A.
URL match conditions

B.
String match conditions

C.
Termination conditions

D.
SQL rejection match conditions

E.
Size constraint conditions

F.
IP match conditions

Answer

A

B, E, and F are correct. In AWS WAF, you can set string match, IP match, and size constraint conditions.

A, C, and D are incorrect because these conditions are not options in WAF.

Question 34

Q

You’ve been commissioned to develop a high-availability application with a stateless web tier. Identify the most cost-effective means of reaching this goal.
A.
Use an Elastic Load Balancer, a multi-AZ deployment of an Auto Scaling group of EC2 On-Demand instances (primary) running in tandem with an Auto Scaling group of EC2 Spot instances (secondary), and a multi-AZ deployment of RDS.

B.
Use an Elastic Load Balancer, a multi-AZ deployment of an Auto Scaling group of EC2 Spot instances (primary) running in tandem with an Auto Scaling group of EC2 On-Demand instances (secondary), and a multi-AZ deployment of RDS.

C.
Use an Elastic Load Balancer, a multi-AZ deployment of an Auto Scaling group of EC2 Spot instances (primary) running in tandem with an Auto Scaling group of EC2 On-Demand instances (secondary), and a multi-AZ deployment of DynamoDB.

D.
Use an Elastic Load Balancer, a multi-AZ deployment of an Auto Scaling group of EC2 Spot instances (primary) running in tandem with an Auto Scaling group of EC2 On-Demand instances (secondary), and DynamoDB.

Answer

A

D is correct. With proper scripting and scaling policies, the On-Demand instances behind the Spot instances will deliver the most cost-effective solution because the On-Demand instances will only spin up if the Spot instances are not available. DynamoDB is a regional service; there is no need to explicitly create a multi-AZ deployment. RDS could be used, but DynamoDB lends itself better to supporting stateless web/app installations.

A is incorrect because it uses EC2 On-Demand instances as the primary, which is going to spike the cost. B is incorrect because it uses RDS, which is going to increase the cost. C is incorrect because it uses a multi-AZ deployment of DynamoDB, which is going to increase the cost. DynamoDB comes with built-in HA since it is a managed service.

Question 35

Q

When making use of EC2 instances on dedicated hosting, you are able to transition between which of the following modes of tenacity by stopping an instance and starting it again? (Choose two.)

A.
Default and Dedicated

B.
Host and Default

C.
Dedicated and Host

D.
Host and Dedicated

E.
Dedicated and Default

Answer

A

C and D are correct. If you choose the Dedicated and Host or the Host and Dedicated instance, you can do the transition between by start and the stop of the instance. When you choose the Dedicated tenancy, you own the full physical machine. Therefore, whatever VMs you deploy in this machine, you have to take care of them all.

A, B, and E are incorrect. None of these is the correct choice.

Question 36

Q

You work for a genomics company that is developing a cure for motor neuron disease by using advanced gene therapies. As a part of its research, the company takes extremely large data sets (usually in the terabytes) and analyzes them using Elastic Map Reduce (EMR). In order to keep costs low, the company runs the analysis for only a few hours in the early hours of the morning, using spot instances for the task nodes. The core nodes are on-demand instances. Lately, however, the EMR jobs have been failing. This is due to spot instances being unexpectedly terminated. Which of the following remedies would both keep costs manageable and mitigate the issues caused by terminated spot instances? (Choose two.)

A.
Increase the bid price for the core nodes.

B.
Increase the bid price for the task nodes so that you have a greater threshold before the task nodes are terminated.

C.
Change the task nodes to on-demand instances.

D.
Change the core nodes to spot instances and lower the spot price.

Answer

A

B and C are correct. Task nodes perform the jobs, whereas core nodes provide the pure core for performing the jobs. Even if a core node goes down, the jobs won’t fail.

A is incorrect because it is the task nodes that do all the work; the issue is with the task nodes. D is incorrect because the problem is with the task nodes.

Question 37

Q

You have been engaged as a consultant by a company that generates utility bills and publishes them online. PDF images are generated and then stored on a high-performance RDS instance. Generally, invoices are viewed by customers once per month. Recently, however, the number of customers has increased threefold, and the wait-time necessary to view invoices has increased unacceptably. The CTO is unwilling to alter the codebase more than necessary this quarter, but needs to return performance to an acceptable level before the end-of-the-month print run. Which of the following solutions would you feel comfortable proposing to the CTO and GM? (Choose two.)

A.
Use CloudFront to accelerate the presentation of the PDF images.

B.
Move the images to S3 to reduce database IO.

C.
Install an ElastiCache cluster in front of the RDS installation.

D.
Create RDS read replicas and additional web/app instances across all the available AZs.

E.
Move the metadata to a DynamoDB solution, permitting real-time scaling of read IOPS to match demand.

Answer

A

C and D are correct. In this case, the customer can’t change the architecture immediately so they have to keep the PDFs in RDS. Thus, in order to provide faster read-only performance, you need to create read replicas. ElastiCache in front of RDS is going to provide an additional performance boost.

A is incorrect because, as per the CTO, you can’t change the code. B is incorrect because, as per the CTO, you can’t change the code. E is incorrect because, as per the CTO, you can’t change the code.

Question 38

Q

Your security manager has hired a security contractor to audit your firewall implementation. When the consultant asks for the login details for the firewall appliance, which of the following might you do? (Choose two.)

A.
Tell him the details of the web application firewall.

B.
Create an IAM role with a policy that can read Security Group and Route settings.

C.
Explain that AWS is a cloud service and that AWS manages the network appliances.

D.
Create an IAM role with a policy that can read Security Group and NACL settings.

E.
Explain that AWS implements network security differently and that there is no such thing as a firewall appliance. Create an IAM user with a policy that can read Security Group and Route settings.

Answer

A

A and E are correct. AWS has removed the firewall appliance from the hub of the network and implemented the firewall functionality as stateful Security Groups and stateless subnet NACLs. This is not a new concept in networking.

B is incorrect because you need to create a user with a policy and not a role with a policy. C is incorrect because, although AWS manages the network appliance, you can still give the requested info to the security consultant. D is incorrect because the answer is incomplete.

Question 39

Q

You are reviewing Change Control requests and note a proposed change designed to reduce errors due to S3 Eventual Consistency by updating the DelaySeconds attribute. What does this mean?
A.
When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period of time.

B.
When a consumer instance retrieves a message, that message will be hidden in the queue for a fixed period of time.

C.
When the consumer instance polls for new work, the SQS service will allow it to wait a certain amount of time for a message to be available before closing the connection.

D.
When the consumer instance polls for new work, the consumer instance will wait a certain amount of time until it has a full workload before closing the connection.

E.
While processing a message, a consumer instance can reset the message visibility by restarting the preset timeout counter.

F.
While processing a message, a consumer instance can amend the message visibility counter by a fixed amount.

Answer

A

A is correct. When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period of time. Delay queues are a mechanism that lets you postpone delivery of messages if you need to.

B, C, D, E, and F are incorrect because all these options have irrelevant information.

Question 40

Q

Your company does business in North America, and all your customers are based out of the United States and Canada. You are using us-east as the primary region and using the us-west region for DR. You have a VPC in both the regions for hosting all the applications supporting the business. On weekends, you are seeing a sudden spike in traffic from China. While going through the log files, you find that some users from China are scanning open ports to gain entry to your server. How do you restrict the users from China from connecting to your VPC?
A.
Use a VPC endpoint.

B.
Use CloudTrail.

C.
Use security groups.

D.
Use a network access control list.

Answer

A

D is correct. You can explicitly deny the traffic from a particular IP address or from a CIDR block via an NACL.

A is incorrect because a VPC endpoint is used to communicate privately between a VPC and services like S3 and DynamoDB. B is incorrect because, using CloudTrail, you can find the trail of API activities, but you can’t block any traffic. C is incorrect because, using security group, you can’t explicitly deny traffic.

Question 41

Q

Your company likes the idea of storing files on AWS. However, low-latency service of the majority of files is important to customer service. Which Storage Gateway configuration would you use to achieve both these ends?

A.
Gateway-Cached

B.
Gateway-Stored

C.
Gateway-VTL

D.
Gateway-Snapshot

Answer

A

B is correct. In this case, they key is low latency, and you have to choose the solution based on that. Since you want a low-latency solution, Gateway-Stored is the right way to go.

A is incorrect because Gateway-Cached won’t provide the lowest latency. C is incorrect because Gateway-VTL won’t provide the lowest latency. D is incorrect because Gateway-Snapshot won’t provide the lowest latency.

Question 42

Q

You are running a highly available application in AWS. The business indicates that it needs a very performant file system that can be shared across EC2 servers (web servers). Which AWS service can solve this problem?
A.
Amazon EFS

B.
Amazon EBS

C.
Amazon EC2 Instance Store

D.
Amazon S3

Answer

A

A is correct. Only EFS can be mounted across several EC2 instances at same time. It provides the shared file system capability.

B is incorrect because EBS can be mounted with one EC2 instance at any point in time, but it can’t be mounted across multiple EC2 instances. C is incorrect because the EC2 Instance Store is the local storage within the EC2 server and is also known as ephemeral storage. This can’t be mounted to any other EC2 server. D is incorrect because Amazon S3 is an object store, not a file system, and can’t be mounted to an EC2 server as a file system.

Question 43

Q

Which of the following statements are true regarding SAML-enabled single sign-on? (Choose two.)
A.
After the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect and then the client browser is redirected to the Console.

B.
The client browser is immediately directed to the AWS Console.

C.
The portal acknowledges a SAML authentication response and then verifies the user’s identity in the organization.

D.
The portal first verifies the user’s identity in the organization and then generates a SAML authentication response.

Answer

A

A and D are correct. With SAML, after the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect and then the client browser is redirected to the Console. The portal first verifies the user’s identity in the organization and then generates a SAML authentication response.

B and C are incorrect. The true statements regarding SAML-enabled single sign-on are provided in answers A and D.

Question 44

Q

Your application uploads several thousands of files every day. The file sizes range from 500MB to 2GB. Each file is then processed to extract metadata, and the metadata processing takes a few seconds. There is no fixed uploading frequency; sometimes all the files are uploaded at a particular hour, sometimes only a few files are uploaded at a particular hour, and sometimes no uploads occur for a few hours. What is the most cost-effective way of handling this issue?

A.
Use an SQS queue to store the file and then use an EC2 instance to extract the metadata.

B.
Use EFS to store the file and then use multiple EC2 instances to extract the metadata.

C.
Store the files in Amazon S3 and then use an S3 event notification to invoke a Lambda function for extracting the metadata.

D.
Use Amazon Kinesis to store the files and then use Lambda for extracting the metadata.

Answer

A

C is correct. Amazon S3 is the cheapest solution in this case.

A, B, and D are incorrect because the focus is on cost-effectiveness. These answers will result in significantly more cost compared to answer C. Technically, you can use all these options to solve the problem, but they won’t serve the key purpose of cost optimization you are looking for.

Question 45

Q

To establish a successful site-to-site VPN connection from your on-premises network to an AWS virtual private cloud, which of the following must be configured? (Choose three.)

A.
A NAT instance

B.
An on-premises customer gateway

C.
A virtual private gateway

D.
A VPC with hardware VPN access

E.
A private subnet in your VPC

Answer

A

B, C, and D are correct. You must have a VPC with hardware VPN access, an on-premises customer gateway, and a virtual private gateway to make the VPN connection work.

A is incorrect because a NAT instance is not needed for a successful VPN connection. E is incorrect because a private subnet doesn’t have any correlation with a VPN connection.

Question 46

Q

You are running and hosting a web application in AWS. The web server is hosted in an EC2 server in the public subnet, and it is using the Oracle database in RDS in a private subnet. All the users must use SSL to connect to the web server, and only the web server should be able to connect to the database server. Which of the following actions satisfy this condition? (Choose two.)

A.
Create a security group for the web server. The security group should allow inbound HTTPS traffic on port 443 from 0.0.0.0/0 (anywhere).

B.
Create a security group for the database server. The security group should allow inbound HTTPS traffic from port 443 from the web server security group.

C.
Create an ACL for web server’s subnet that allows HTTPS on port 443 from 0.0.0.0/0 inbound and HTTPS on port 443 to 0.0.0.0/0 outbound.

D.
Create an ACL for database server’s subnet that allows inbound traffic on TCP port 1521 from the web server and denies all outgoing traffic.

E.
Create a security group for the database server. The security group should allow traffic on TCP port 1521 from the web server security group.

Answer

A

A and E are correct. This question has two aspects: First, all users should be able to connect to the web server via SSL mode. Second, the web server should be able to connect to the database server. A is correct because it allows HTTPS traffic to the web server on port 443 from anywhere, and this is how your users are going to connect to the web server from anywhere. E is correct because it states the actual port of the database server, which needs to be open for the web server.

B is incorrect because it specifies from which port the traffic would come but not the port of the database that needs to be open. C is incorrect because it suggests using an ACL, which is used at the subnet level and not at the instance level. D is incorrect because it suggests using an ACL, which is used at the subnet level and not at the instance level.

Question 47

Q

You are running an application on an EC2 server, and you are using the instance store to keep all the application data. One fine day you realize that all the data stored in the instance store is gone. What could be the reason for this? (Choose two.)

A.
You have rebooted the instance.

B.
You have stopped the instance.

C.
You have terminated the instance.

D.
You have configured an ELB with the EC2 server.

Answer

A

B and C are correct. When you store something in the instance store, the data remains in the instance until the instance’s lifetime is over. When you stop the instance, that instance is gone; similarly, when you terminate the instance, it is gone and you lose all your data.

A and D are incorrect. When you reboot or restart the instance, the instance remains active and thus all the data remains stored. As a best practice, you should never store important data in the instance store and should always use an EBS volume to store important data. It does not matter if you add or delete an ELB with the instance; it does not delete any data.

Question 48

Q

Your company likes the idea of storing files on AWS. However, low-latency service for the last few days of files is important to customer service. Which Storage Gateway configuration would you use to achieve both these ends?

A.
Gateway-VTL

B.
Gateway-Snapshot

C.
Gateway-Stored

D.
Gateway-Cached

Answer

A

D is correct. In this scenario, you want to cache the important files for the past few days. It is also important that the latency is low; therefore, you should choose a Gateway-Cached solution.

A is incorrect because Gateway-VTL won’t allow you to cache. B is incorrect because Gateway-Snapshot is a snapshot option. C is incorrect because Gateway-Stored won’t allow you to cache.

Question 49

Q

You have a database-style application that frequently has multiple reads and writes across the data set. Which of the following AWS storage services are capable of hosting this application? (Choose two.)

A.
Glacier

B.
Elastic File Service (EFS)

C.
EBS

D.
S3

Answer

A

B and C are correct. EFS is the shared file system, which can be mounted across any number of EC2 instances, and EBS is the block store. S3 is the object store, and Glacier is the archive of S3, which is also an object store.

A is incorrect because Glacier is an archival solution. D is incorrect because S3 is an object store.

Question 50

Q

You want to deploy a PCI-complaint application on AWS. You would be deploying your application in EC2 servers and would be using RDS to host your database. You have read that the AWS services you are going to use are PCI complaint. What steps do you need to take to make the application PCI complaint?

A.
Nothing. Since AWS is PCI complaint, you don’t have to do anything.

B.
Encrypt the database, which will make sure the application is PCI complaint.

C.
Encrypt the database and the EBS volume from the EC2 server.

D.
You need to follow all the steps, as per the PCI requirements for the application and database, to make the application complaint.

Answer

A

D is correct. AWS follows the shared security model. In this model, AWS is responsible for the security of the cloud, and customers are responsible for the security in the cloud. Just by putting your application on AWS won’t make it PCI complaint. You need to do your part as well.

A, B, and C are incorrect. You need to follow all the steps, as per PCI documentation, to make your application PCI complaint; you can’t just encrypt the database and application and be done with it.

Question 51

Q

Your AWS environment contains several on-demand EC2 instances dedicated to a project that has just been cancelled. Your supervisor does not want to incur charges for these on-demand instances, but also does not want to lose the data just yet because there is a chance the project may be revived in the next few days. What should you do to minimize charges for these instances in the meantime?

A.
Stop the instances.

B.
Terminate the instances.

C.
Create AMIs from the instances and put them on the AWS Marketplace in hopes of recovering some of the cost.

D.
Contact AWS Support and put the instances on courtesy hold.

Answer

A

A is correct. When the data is stored in EBS volumes, it will be stored even if the instances are stopped. The EBS volumes persist the data, so it will always be there. On the other hand, if the data is stored in the instance store and you shut down the instance, you lose everything.

B is incorrect because termination will delete all the data. C is incorrect because creating AMIs from instances will add cost. D is incorrect because no such option exists.

Question 52

Q

You are designing a highly scalable and available web application and are using EC2 instances along with Auto Scaling to host the web application. You want to store the session state data in such a way that it should not impact Auto Scaling. You have not decided yet what service you should be using to store the session state information. What service should you be using to store the session state data? (Choose three.)

A.
Amazon EC2

B.
Amazon RDS

C.
Amazon ElastiCache

D.
Amazon DynamoDB

Answer

A

B, C, and D are correct. You can use RDS, DynamoDB, or ElastiCache to store the session state information.

A is incorrect. If you store the session information in EC2 servers, then you need to wait for all the users to log off before shutting down the instance. In that case, Auto Scaling won’t be able to terminate the instance if even one user is connected. If you do so, EC2 can be started and stopped by Auto Scaling, as per the scaling policies.

Question 53

Q

The risk with spot instances is that you are not guaranteed use of a resource for as long as you might want. Which of the following are scenarios under which AWS might execute a forced shutdown? (Choose four.)

A.
AWS sends a notification of termination, and you receive it 120 seconds before the intended forced shutdown.

B.
AWS sends a notification of termination, but you do not receive it within the 120 seconds and the instance is shut down.

C.
AWS sends a notification of termination, and you receive it 120 seconds before the forced shutdown, but the normal lease expired before the forced shutdown.

D.
AWS sends a notification of termination, and you receive it 120 seconds before the forced shutdown, but you block the shutdown because you used “Termination Protection” when you initialized the instance.

E.
AWS sends a notification of termination, and you receive it 120 seconds before the intended forced shutdown, but AWS does not shut down the instance.

F.
AWS sends a notification of termination, and you receive it 120 seconds before the forced shutdown, but you delay it by sending a “Delay300” instruction before the forced shutdown takes effect.

Answer

A

A, B, C, and E are correct. A is correct because AWS sends a notification of termination, and you receive it 120 seconds before the intended forced shutdown. B is correct because AWS sends a notification of termination, but you do not receive it within the 120 seconds and the instance is shut down. C and E are correct because AWS sends a notification of termination, and you receive it 120 seconds before the forced shutdown, but the normal lease expired before the forced shutdown.

D is incorrect because with this option, force execution will be overridden. F is incorrect because with this option, force execution will be overridden.

Question 54

Q

You are running a website for selling trendy designer clothes. At any point in time the average number of concurrent users on your website is 1000. You are running the website on several EC2 servers with Auto Scaling enabled with ALB. You have announced a sale of 70% off everything on a certain day. On that day, the moment the sale starts, you notice that the number of concurrent users goes over 50,000 in just two minutes, and some users are not able to access the website. Because you have integrated Auto Scaling, you feel that it should take care of handling all the users. What could be the reason for this?

A.
Auto Scaling cannot handle more than 10,000 concurrent users.

B.
Auto Scaling cannot handle more than 100 EC2 instances.

C.
Auto Scaling groups are not intended to handle sudden spikes in traffic.

D.
You should have integrated Network Load Balancer instead of ALB with EC2 instances.

Answer

A

C is correct. Auto Scaling is not really intended to respond to instantaneous spikes in traffic, as it will take some time to spin up the instances that will handle the additional traffic.

A and B is incorrect because there is no limit on the number of EC2 instances Auto Scaling can start. So long as Auto Scaling is not hitting your account limit, you can provision any number of EC2 instances using Auto Scaling. Handling more concurrent users is directly proportional to the number of EC2 instances you have. D is incorrect because NLB can’t be used in this case since it operates at the fourth OSI layer and your application is running at the seventh OSI layer.

Question 55

Q

What is the range for a CIDR block used inside a VPC?

A.
Between /16 and /28

B.
Between /16 and /30

C.
Between /14 and /24

D.
Between /18 to /24

Answer

A

A is correct. The correct range of a CIDR block inside a VPC is between /16 and /28.

B, C, and D are incorrect. The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses).

Question 56

Q

How long can a message be retained in an SQS queue?

A.
1 day

B.
14 days

C.
7 days

D.
10 days

Answer

A

B is correct. The messages are retained in a SQS queue for 14 days.

A, C, and D are incorrect because the retention period is 14 days.

Question 57

Q

Which of the following services should you implement in multiple availability zones in order to achieve high availability? (Choose two.)

A.
DynamoDB

B.
Simple Queue Service

C.
Simple Storage Service

D.
EC2

E.
RDS

Answer

A

D and E are correct. S3, SQS, and DynamoDB are already built in a fault-tolerant fashion, so you do not need to provision these services across multiple availability zones. Therefore, the correct answers are RDS and EC2.

A is incorrect because DynamoDB is a managed service and comes with high availability built in. B is incorrect because SQS is a managed service and comes with high availability built in. C is incorrect because S3 is a managed service and comes with high availability built in.

Question 58

Q

You are in the process of designing a three-tier architecture for a company. The company wants all the components to be redundant, which means all the EC2 servers need to be redundant in different AZs. You are planning to put the web server in the public subnet and then the application and database server in the private subnet. The database will be hosted in EC2 servers, and you are planning to use two AZs for this. To accomplish these goals, what is the minimum number of subnets you need?

A.
Six: One for the web server, one for the application server, and one for the database server in each AZ

B.
Three: One for the web tier, one for the application tier, and one for the database tier

C.
Two: One for the web, application, and database server in each AZ

D.
Four: One for application server and another for the application and database server in each AZ

Answer

A

D is correct. The minimum number of subnets you need is four since you are going put the web server in a public subnet in each AZ and application and database server in private subnet in each AZ. There is no need to create a separate subnet for the database and application tiers since that is going to have manageability overhead.

A, B, and C are incorrect. If you create three subnets, then there is no redundancy If you create two subnets, then you have to put all the servers (that is, web, application and database) in the same subnet, which you can’t do since the web server needs to go to public subnet and the application and database server needs to go to private subnet. Technically, you can create six subnets, but the question is asking for the minimum number of subnets.

Question 59

Q

You are creating a data lake in AWS, and one of the use cases for the data lake is batch jobs. Which AWS service would you use to ingest the data for batch jobs?

A.
Kinesis Streams

B.
Kinesis Analytics

C.
Kinesis Firehose

D.
AWS Lambda

Answer

A

C is correct. Since the use case is batch jobs, Kinesis Firehose should be used for data ingestion.

A is incorrect because Kinesis Steams is used to ingest real-time data and steams of data. B is incorrect because Kinesis Analytics is used to transform the data at the time of ingestion. D is incorrect because AWS Lambda is used to run your code, not to ingest the data. However, you can write a Lambda function to trigger the next step once the data ingestion is complete.

Question 60

Q

When you create an EC2 instance and select “detailed” monitoring, the EBS volume will automatically send metrics every ___ minute(s) to Amazon CloudWatch.
A. 1

B.3

C.5

D.10

Answer

A

A is correct. When detailed monitoring is enabled, the metrics are sent every minute.

B, C, and D are incorrect. The metrics are sent every minute, not every 3, 5, or 10 minutes.

Question 61

Q

Amazon Web Services (AWS) offers four different levels of support. Which of the following are valid support levels? (Choose three.)

A.
Free tier

B.
Business

C.
Developer

D.
Enterprise

E.
Corporate tier

Answer

A

B, C, and D are correct. Business, Developer, and Enterprise are all support level categories in AWS.

A is incorrect because there is no Free tier support level. E is incorrect because there is no Corporate tier support level.

Question 62

Q

What are the workloads you can deploy using Elastic Beanstalk? (Choose two.)

A.
A static website

B.
Storing data lake data for big data processing

C.
A long-running job that runs overnight

D.
A web application

Answer

A

A and D are correct. You can deploy a web application or a static website using Elastic Beanstalk. In addition to Elastic Beanstalk, Amazon S3 is also a great choice for static websites.

B is incorrect because Elastic Beanstalk can’t be used for storing data lake data. Amazon S3 is the right choice for a data lake. C is incorrect because if you have a long-running job that runs overnight, you can use AWS Batch.

Question 63

Q

You are running a media-rich website with a global audience in US-EAST-1 for a customer in the publishing industry. The website updates every 20 minutes. The web-tier of the site sits on three EC2 instances inside an Auto Scaling group. The Auto Scaling group is configured to scale when CPU utilization of the instances is greater than 70%. The Auto Scaling group sits behind an Elastic Load Balancer, and your static content lives in S3 and is distributed globally by CloudFront. Your RDS database is an db.m5.4xlarge instance. CloudWatch metrics show that your RDS instance usually has around 2GB of memory free, and an average CPU utilization of 75%. Currently, it is taking your users in Japan and Australia approximately 3 to 5 seconds to load your website, and you have been asked to help reduce these load times. How might you improve your page load times? (Choose three.)
A.
Change your Auto Scaling group so that it will scale when CPU utilization is only 50%, rather than 70%.

B.
Set up CloudFront with dynamic content support to enable the caching of reusable content from the media-rich website.

C.
Use ElastiCache to cache the most commonly accessed DB queries.

D.
Set up a read replica of your production environment in the Asia Pacific region and configure latency-based routing on Route 53.

E.
Upgrade the RDS instance to a higher memory instance.

Answer

A

B, C, and D are correct. Your RDS instance is already the largest currently offered by AWS, so you cannot upgrade this further. Changing your Auto Scaling policies will not help improve performance times, as it is much more likely that the performance issue is with the database back end rather than the front end.

A is incorrect because scaling when CPU utilization is 50% is going to add more cost and won’t fully leverage the resource of the existing server. E is incorrect because there is no data point that shows the issue is memory related.

Question 64

Q

You are building a custom application to process business data. You have chosen Kinesis Data Streams in order to ingest the data. What are the various destinations where your data can go? (Choose three.)

A.
Amazon S3

B.
Amazon Elastic File System

C.
Amazon EMR

D.
Amazon Redshift

E.
Amazon Glacier

Answer

A

A, C, and D are correct. The destinations for Kinesis Data Streams are services such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon EMR, and AWS Lambda.

B and E are incorrect. Amazon EFS is not a Kinesis Data Streams destination, and you can’t send files to Amazon Glacier directly.

Answer 65

A

D is correct. The minimum number of subnets you need is four since you are going put the web server in a public subnet in each AZ and application and database server in private subnet in each AZ. There is no need to create a separate subnet for the database and application tiers since that is going to have manageability overhead.

A, B, and C are incorrect. If you create three subnets, then there is no redundancy If you create two subnets, then you have to put all the servers (that is, web, application and database) in the same subnet, which you can’t do since the web server needs to go to public subnet and the application and database server needs to go to private subnet. Technically, you can create six subnets, but the question is asking for the minimum number of subnets.

Answer 66

A

D is correct. The entry of “Target Local” allows all the instances in the VPC to communicate with each other.

A, B, and C are incorrect. You need to have the entry for “Target Local” in the route table of the VPC so that all the subnets within it can talk to each other.

Answer 67

A

Here, the determining factor is the requirement of instant access. S3 One Zone-IA will give you that access, at a lower cost than S3 standard and S3-IA. According to AWS, all three classes have the same first byte latency (milliseconds).

Answer 68

A

This is another tough question, especially if both Kinesis and Athena appear in the answer choices. Kinesis handles streams of data and does real-time analytics; Athena is more on the interactive side. Athena analyzes data but allows standard SQL queries. That’s why it’s a better choice than Kinesis with this question.

Answer 69

A

There are four types of policies in IAM: identity based, resource based, organization SCPs, and access control lists (ACLs).

Answer 70

A

First, CloudFront is always a good option. It’s free to move data from EC2 to CloudFront, so that could reduce how far data must travel, and associated costs. Then, private IPs allow for communication that doesn’t route out to the Internet, and generally AWS charges less for communication from private IP to private IP.

Answer 71

A

ElastiCache is an in-memory data store (A) that shards across instances (C). It is not in itself a data distribution mechanism, which is why B is not correct. And it is not a monitoring solution at all (D).

Answer 72

A

Spread placement groups—which are relatively new to AWS—can be placed across multiple availability zones. Cluster placement groups cannot, and placement groups generally refers to cluster placement groups. Cross-region placement groups is a made-up term.

Answer 73

A

All custom VPCs have a route table (so A is false) and a NACL (so C is false) and will not have an internet gateway (D is false). This leaves B, which is true: subnets can communicate with each other across availability zones by default.

Answer 74

A

C. RRS, or reduced redundancy storage, is the predecessor to One Zone-IA but is less durable and currently deprecated. However, it can still show up on exams at odd times. Both its durability and availability are 99.99%. Another way to recall this is to note that all current S3 classes of storage have 11 9s durability, leaving only S3-RRS as a possibility here.

Answer 75

A

AD.
S3 supports two styles of bucket URLs: virtual-hosted-style and path-style URLs. Virtual-hosted-style URLs are of the form http://bucket.s3-aws-region.amazonaws.com, and path-style URLs are the traditional URLs you’ve seen: http://s3-aws-region.amazonaws.com/bucket-name.

Answer 76

A

B. The problem here is trying to tag individual folders. You can use IAM for permissions, but a particular folder cannot be tagged separately from other folders; only an entire bucket can be tagged.

Answer 77

A

B.A subnet cannot span availability zones. It can be added to a single AZ and can only exist within that single AZ.

Answer 78

A

C. You Answered Incorrectly.

A SWF domain is a collection of related workflows.

Answer 79

A

AC.
You Answered Correctly!
You will always need to provide non-root sign-in URLs for new users, so A is essential. The remaining answers are concerned with permissions, and of the choices (B, by the way, isn’t an actual option), the Developer Power User policy is a much better fit than the View-Only User policy.

Answer 80

A

A. Anything related to S3 is going to be storage related. In this case, life cycle management handles transitioning data from one S3 storage class to another.

Answer 81

A

C. “Migration only” is not a pricing model for instances. The only model not mentioned here is dedicated hosts.

Answer 82

A

BC. There are typically a lot of “the database is being overwhelmed” questions on the exam, and this is one of those. The key here is understanding that data is accessed infrequently, meaning that caching solutions (A and D) likely won’t help. Further, the staff is on site, meaning that a customer gateway (C) could be a valid solution. Finally, it’s almost always safe to at least consider upgrading the database instance.

Answer 83

A

D. The only potentially useful answers here are B and D: you need more processing power to handle requests, and you need to deal with nonresponsive instances at peak times. The spot market will do nothing to help here, and pre-warming the load balancer will still not handle traffic when that traffic is sudden and produces a large spike. Of B and D, only D addresses nonresponsiveness. By having requests go to a queue, you should not have users experience a nonresponsive application at all; the SQS queue will scale as needed, and then instances can handle requests as they become available in the queue.

Answer 84

A

AWS Direct Connect is a dedicated high-speed connection between your on-premises network and AWS. Because of this, a direct connect is almost always a better choice than shipping out a Snowball, loading data to it, and then shipping it back.

Answer 85

A

A
AWS Global Accelerator routes traffic between AWS facilities using their internal network and not over the Internet. CloudFront is a content distribution service, and load balancers are not global routing services. Direct Connect is used to access AWS from external facilities and a VPC gateway is an internal exit interface for VPCs

Answer 86

A

Cloud HSM is a dedicated AWS hardware appliance for customers who wish to control their certificate keys in the cloud. Cloud HSM offers security safeguards such as device tampering and unauthorized access.

With Cloud HSM, the private key never leaves the appliance but is used to derive external encryption keys used to encrypt and decrypt data. Server Side Encryption can use the HSM but is not a key management service, SSL/TLS is used for securing data in transport, and Macie is a security service offered by Amazon but not a key management offering.

Answer 87

A

A records are used to point a specific domain or subdomain to an IP address. CNAMEs point to URLs or other domain names. In this case, since you’re pointing at an ELB, you’d need to use a CNAME, as ELBs don’t expose a public IP address.

Answer 88

A

IAM is the best option for handling users, groups, and permissions within AWS. You can then add Cognito to offer single sign-on capabilities to your applications.

Answer 89

A

A VPC gateway allows your EC2 instances to connect to S3 buckets and DynamoDB tables using the internal AWS network so your data never traverses the Internet. Since S3 and Dynamo DB live outside of VPCs, peering and moving them into a VPC are not options. Control Tower is a management and governance service.

Answer 90

A

Read replicas can be in a different region than the primary instance (D), and they replicate all the databases in the primary instance (C). You can have up to five read replicas at a time for a single instance (so A is false). While MySQL and MariaDB are supported (B), Aurora is not.

Answer 91

A

To minimize compute resources, you should avoid EC2 and Lambda. Enabling static website hosting on an S3 bucket is a better option. To use a custom domain, you’d need to also use Route 53 to direct traffic from your custom domain to the S3 bucket.

Answer 92

A

You can only create 5 VPCs per region by default. Creating more requires a request to AWS.

Answer 93

A

BC.All of these are acceptable options, but the best options are to use the existing EC2 instance as a basis for a new Auto Scaling group and to set up demand-based scaling. Anytime you have an existing instance that is working, you can simply start from there, rather than using a launch configuration and duplicating the setup. Demand-based scaling will respond to changing conditions better than having to manually scale up and down or to set a desired capacity (which is unknown based on the question).

Answer 94

A

This is important because it reflects a recent change by AWS. Until 2018, there was a hard limit on S3 of 100 PUTs per second, but that limit has now been raised to 3500 PUTs per second.

Answer 95

A

CloudFront is AWS’s distribution network. It’s a content caching system that is ultimately a networking component of your AWS buildout.

Answer 96

A

Power users can work with managed services, but they cannot create (or otherwise manage) IAM users.

Answer 97

A

B.It is typical to think of a spread placement group as a group spread across availability zones, but that is a misnomer. The spread in spread placement group means that the instances are spread across distinct underlying hardware, and although they can be spread across availability zones, they don’t have to be.

Answer 98

A

Manual scaling allows you to specify a minimum and maximum number of instances as well as a desired capacity. The Auto Scaling policy then handles maintaining that capacity.

Answer 99

A

CloudFront can serve static content from S3 and dynamic content generated by EC2 instances.

Answer 100

A

For a single VPC, you can add one or more subnets to each availability zone within that VPC.

Answer 101

A

Officially, instances can have up to 28 attachments. One of those attachments is the network interface attachment, leaving 27 attachments available for EBS volumes. However, the better approach is to remember that an instance can attach to a root volume and several more volumes (more than two); this eliminates options A and B. Additionally, instances cannot have unlimited attachments. This leaves the correct answer, C.

Answer 102

A

This use case is one where access needs to be minimal, as does cost. If you have infrequently accessed data and cost is a major driver, magnetic drives might be a good option. While throughput-optimized HDDs are still cheaper than SSDs, magnetic is the cheapest option and would work fine for a set of data that is accessed without high performance needs.

Answer 103

A

RDS failover happens automatically in a Multi-AZ configuration; the primary IP address will move from the failed instance to the backup, and Aurora operations will continue in the backup availability zone. There is no need to manually reassign the IP address, open a support ticket, or modify DNS for an RDS failover. There is also no option in the AWS REDS console to perform a failover.

Answer 104

A

A NACL is best for dealing with all traffic at a subnet or VPC level, as it is associated at the subnet level.

Answer 105

A

This is tricky and somewhat un-intuitive. Only the root account can enable MFA Delete. Even the console user that created the bucket—if it isn’t the root user—cannot enable MFA Delete on a bucket.

Answer 106

A

B and D are correct. SSDs provide high performance, and the database is partitioned; these two aspects combined provide the promised level of performance for DynamoDB.

A is incorrect because DynamoDB can’t be configured with EBS-optimized instances. C is incorrect because, by default, caching is not enabled.

Answer 107

A

B is correct. It is important to code for strong consistency. If you don’t code for strong consistency, you will end up having stale data, and depending on what you are trying to do, this may have an impact since you won’t be able to make decisions on real-time data.

A is incorrect because successful completion of the code doesn’t guarantee strongly consistent reads. C is incorrect because it impacts the budget. D is incorrect because a maintenance task will only check for consistency but won’t fix it.

Brainscape's Knowledge GenomeTM

1 Flashcards

Brainscape's Knowledge Genome^TM